K8S Services¶
58 cards ā š¢ 13 easy | š” 25 medium | š“ 13 hard
š¢ Easy (13)¶
1. How to create a service for an existing deployment called "alle" on port 8080 so the Pod(s) accessible via a Load Balancer?
Show answer
The imperative way:`kubectl expose deployment alle --type=LoadBalancer --port 8080`
Example: `kubectl expose deployment web --port=80 --target-port=8080 --type=ClusterIP`
Remember: `--port`=Service port, `--target-port`=container port. Two distinct values.
2. How to create a service that exposes a deployment?
Show answer
kubectl expose deploy some-deployment --port=80 --target-port=8080Example: `kubectl expose deployment web --port=80 --target-port=8080 --type=ClusterIP`
Remember: `--port`=Service port, `--target-port`=container port. Two distinct values.
3. How to list Ingress in your namespace?
Show answer
`kubectl get ingress` lists all Ingress resources in the current namespace showing hosts, paths, and backends. Add `-o wide` for additional details like the ingress class and address.Gotcha: Ingress requires an Ingress Controller (nginx, traefik, ALB) to be installed ā without one, Ingress resources exist but do not route traffic.
4. What is ClusterIP service type in Kubernetes?
Show answer
ClusterIP is the default Kubernetes service that provides a service inside a cluster (with no external access) that other apps inside your cluster can access. It exposes the service on an internal IP in the cluster, making the service only reachable from within the cluster.Remember: ClusterIP = default, internal only. "Cluster Internal Protocol."
Under the hood: kube-proxy programs iptables/IPVS to load-balance to pods.
5. What is a headless service?
Show answer
A headless service is used to interface with service discovery mechanisms without being tied to a ClusterIP, therefore allowing you to directly reach pods without having to access them through a proxy. It is useful when neither load balancing nor a single Service IP is required. You create a headless service by setting clusterIP to None.Remember: Headless = ClusterIP:None. DNS returns pod IPs, not VIP. For StatefulSets.
Example: `nslookup my-headless-svc` returns individual pod A records.
6. What is a Kubernetes Service and how does it enable networking?
Show answer
Provides a stable IP address and DNS name for a set of pods.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
7. How to create a pod and a service with one command?
Show answer
kubectl run nginx --image=nginx --restart=Never --port 80 --exposeExample: `kubectl expose deployment web --port=80 --target-port=8080 --type=ClusterIP`
Remember: `--port`=Service port, `--target-port`=container port. Two distinct values.
8. What is the default service type in Kubernetes and what is it used for?
Show answer
The default is ClusterIP and it's used for exposing a port internally. It's useful when you want to enable internal communication between Pods and prevent any external access.Remember: 4 types: ClusterIP, NodePort, LoadBalancer, ExternalName. Mnemonic: "CNLE."
9. How to list the endpoints of a certain app?
Show answer
`kubectl get epUnder the hood: Endpoints object tracks matching pod IPs. No pods = empty Endpoints = no traffic.
10. What is a CNI (Container Networking Interface) in Kubernetes?
Show answer
* CNI (Container Networking Interface): CNI is a standard for configuring network interfaces of container workloads.* It defines a set of APIs for network plugins to enable container communication.
* CNI plugins facilitate the creation of network namespaces, IP addresses, routes, and iptables rules.
* CNI provides a standardized way for container runtimes like Docker and containerd to interact with network plugins. These plugins enable the setup of networking resources for containers, allowing them to communicate with each other and external networks.
11. What is a Service in Kubernetes?
Show answer
An abstract way to expose an application running on a set of Pods as a network service. - read more [here](https://kubernetes.io/docs/concepts/services-networking/service)In simpler words, it allows you to add an internal or external connectivity to a certain application running in a container.
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
12. What is an "Ingress"?
Show answer
Manages external access to services, typically via HTTP.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
13. What's the default Service type?
Show answer
ClusterIP is the default Service type, providing an internal-only virtual IP accessible only within the cluster. Used for service-to-service communication (e.g., frontend pods talking to backend pods). Access it by service name via cluster DNS: `http://my-service.my-namespace.svc.cluster.local`. To expose externally, use NodePort or LoadBalancer instead.š” Medium (25)¶
1. What are the different services within Kubernetes?
Show answer
Different types of Kubernetes services include:* ClusterIP service - Exposes the service on a cluster-internal IP
* NodePort service - Exposes the service on each Node's IP at a static port
* LoadBalancer service - Exposes the service externally using a cloud provider's load balancer
* ExternalName service - Maps the service to the contents of the externalName field
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
2. How readiness probe status affect Services when they are combined?
Show answer
Only containers whose state set to Success will be able to receive requests sent to the Service.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
3. How to configure TLS with Ingress?
Show answer
Add tls and secretName entries.```\nspec:\n tls:\n - hosts:\n - some_app.com\n secretName: someapp-secret-tls\n```
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
4. How make an app accessible on private or external network?
Show answer
Using a Kubernetes Service, which provides a stable virtual IP and DNS name that routes traffic to a set of pods matched by label selectors. Four types: ClusterIP (internal), NodePort (external via node ports), LoadBalancer (cloud LB), ExternalName (DNS alias). Services decouple consumers from individual pod IPs, which change on restart.5. How would you map a service to an external address?
Show answer
Use the ExternalName service type, which maps a service to an external DNS name (e.g., an RDS endpoint or external API).Example: `type: ExternalName` with `externalName: my.database.example.com`. This creates a CNAME record in cluster DNS.
Gotcha: ExternalName services do not proxy traffic ā they only provide DNS resolution.
6. What are important steps in defining/adding a Service?
Show answer
1. Making sure that targetPort of the Service is matching the containerPort of the Pod2. Making sure that selector matches at least one of the Pod's labels
Remember: port=Service port, targetPort=container port, nodePort=external. Three distinct values.
7. After creating a service that forwards incoming external traffic to the containerized application, how to make sure it works?
Show answer
You can run `curlRemember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
8. True or False? the target port, in the case of running the following command, will be exposed only on one of the Kubernetes cluster nodes but it will routed to all the pods
Show answer
False. It will be exposed on every node of the cluster and will be routed to one of the Pods (which belong to the ReplicaSet)Example: `kubectl expose deployment web --port=80 --target-port=8080 --type=ClusterIP`
Remember: `--port`=Service port, `--target-port`=container port. Two distinct values.
9. How to get information on a certain service?
Show answer
`kubectl describe serviceIt's more common to use `kubectl describe svc ...`
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
10. In case of two pods, if there is an egress policy on the source denining traffic and ingress policy on the destination that allows traffic then, traffic will be allowed or denied?
Show answer
Denied. Both source and destination policies has to allow traffic for it to be allowed.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
11. What is the LoadBalancer in Kubernetes?
Show answer
The LoadBalancer service is used to expose services to the internet. A Network load balancer creates a single IP address that forwards all traffic to your service. It exposes the service externally using a cloud provider's load balancer.Remember: LoadBalancer = NodePort + cloud LB. Auto-provisions on cloud providers.
Gotcha: Bare-metal ā stays Pending. Use MetalLB for on-prem.
12. How to turn the following service into an external one?
Show answer
Adding `type: LoadBalancer` and `nodePort````\nspec:\n selector:\n app: some-app\n type: LoadBalancer\n ports:\n - protocol: TCP\n port: 8081\n targetPort: 8081\n nodePort: 32412\n```
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
13. What are some use cases for using Ingress?
Show answer
* Multiple sub-domains (multiple host entries, each with its own service)* One domain with multiple services (multiple paths where each one is mapped to a different service/application)
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
14. An internal load balancer in Kubernetes is called _ and an external load balancer is called _
Show answer
An internal load balancer in Kubernetes is called Service and an external load balancer is IngressRemember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
15. Why using a wildcard in ingress host may lead to issues?
Show answer
The reason you should not wildcard value in a host (like `- host: *`) is because you basically tell your Kubernetes cluster to forward all the traffic to the container where you used this ingress. This may cause the entire cluster to go down.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
16. How to expose a ReplicaSet as a new service?
Show answer
`kubectl expose rsFew notes:
- the target port depends on which port the app is using in the container
- type can be different and doesn't has to be specifically "NodePort"
Example: `kubectl expose deployment web --port=80 --target-port=8080 --type=ClusterIP`
Remember: `--port`=Service port, `--target-port`=container port. Two distinct values.
17. Complete the following configuration file to make it Ingress
Show answer
There are several ways to answer this question.```\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n name: someapp-ingress\nspec:\n rules:\n - host: my.host\n http:\n paths:\n - path: /\n pathType: Prefix\n backend:\n service:\n name: someapp-internal-service\n port:\n number: 8080\n```
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
18. What is Ingress Controller?
Show answer
An implementation for Ingress. It's basically another pod (or set of pods) that does evaluates and processes Ingress rules and this it manages all the redirections.There are multiple Ingress Controller implementations (the one from Kubernetes is Kubernetes Nginx Ingress Controller).
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
19. When would you use the "LoadBalancer" type
Show answer
Mostly when you would like to combine it with cloud provider's load balancerRemember: LoadBalancer = NodePort + cloud LB. Auto-provisions on cloud providers.
Gotcha: Bare-metal ā stays Pending. Use MetalLB for on-prem.
20. What is the Ingress network, and how does it work?
Show answer
An Ingress is an API object that allows users to access your Kubernetes services from outside the Kubernetes cluster. Users can configure the access by creating rules that define which inbound connections reach which services.How it works: This is an API object that provides the routing rules to manage the external users' access to the services in the Kubernetes cluster through HTTPS/HTTP. With this, users can easily set up the rules for routing traffic without creating a bunch of load balancers or exposing each service to the nodes.
21. What is NodePort service type in Kubernetes?
Show answer
The NodePort service is the most fundamental way to get external traffic directly to your service. It opens a specific port on all Nodes and forwards any traffic sent to this port to the service. NodePort exposes the service on each Node's IP at a static port (the NodePort).Remember: NodePort: 30000-32767. "30K to 32K." Opens on ALL nodes.
Gotcha: NodePort on every node, even without target pods. Traffic forwarded internally.
22. How to verify that a certain service configured to forward the requests to a given pod
Show answer
Run `kubectl describe service` and see if the IPs from "Endpoints" match any IPs from the output of `kubectl get pod -o wide`Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
23. What is Ingress Default Backend?
Show answer
It specifies what do with an incoming request to the Kubernetes cluster that isn't mapped to any backend (= no rule to for mapping the request to a service). If the default backend service isn't defined, it's recommended to define so users still see some kind of message instead of nothing or unclear error.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
24. What is a Kubernetes Ingress resource and how does it route external traffic?
Show answer
From Kubernetes docs: "Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."Read more [here](https://kubernetes.io/docs/concepts/services-networking/ingress/)
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
25. What would you use to route traffic from outside the Kubernetes cluster to services within a cluster?
Show answer
Ingress. It exposes HTTP/HTTPS routes to services inside the cluster, with support for host/path-based routing, TLS termination, and load balancing ā managed by an Ingress Controller (nginx, traefik, etc.).Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
š“ Hard (13)¶
1. How does Kubernetes handle DNS resolution for services and pods?
Show answer
**DNS Resolution in Kubernetes:*** Pods are assigned a DNS name based on their name and namespace.
* The internal DNS service in Kubernetes resolves these names to corresponding pod IP addresses.
* Services also have DNS names based on their name and namespace, enabling easy service discovery.
* Kubernetes has an internal DNS service that automatically assigns DNS names to pods and services. This allows for easy and dynamic DNS-based service discovery within the cluster.
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
2. Describe what happens when a container tries to connect with its corresponding Service for the first time. Explain who added each of the components you include in your description
Show answer
- The container looks at the nameserver defined in /etc/resolv.conf- The container queries the nameserver so the address is resolved to the Service IP
- Requests sent to the Service IP are forwarded with iptables rules (or other chosen software) to the endpoint(s).
Explanation as to who added them:
- The nameserver in the container is added by kubelet during the scheduling of the Pod, by using kube-dns
- The DNS record of the service is added by kube-dns during the Service creation
- iptables rules are added by kube-proxy during Endpoint and Service creation
3. Explain what will happen when running apply on the following block
Show answer
It creates a new Service of the type "NodePort" which means it can be used for internal and external communication with the app.The port of the application is 8080 and the requests will forwarded to this port. The exposed port is 2017. As a note, this is not a common practice, to specify the nodePort.
The port used TCP (instead of UDP) and this is also the default so you don't have to specify it.
The selector used by the Service to know to which Pods to forward the requests. In this case, Pods with the label "type: backend" and "service: some-app".
4. Discuss the concept of Ingress in Kubernetes.
Show answer
* Ingress: Kubernetes resource that manages external access to services within the cluster.* Acts as an API object that defines how external HTTP/S traffic should be routed to services.
* Supports features like path-based routing, SSL termination, and load balancing.
* Ingress provides a flexible and configurable way to expose services to the external world. It allows for the definition of rules that govern how external requests are directed to different services within the cluster.
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
5. What Service types are there?
Show answer
Four Kubernetes Service types: ClusterIP (internal-only, default), NodePort (exposes on each node's IP at a static port 30000-32767), LoadBalancer (provisions a cloud load balancer), and ExternalName (maps to an external DNS CNAME). Mnemonic: CNLE ā ClusterIP, NodePort, LoadBalancer, ExternalName, ordered from most internal to most external.6. How can you get a static IP for a Kubernetes load balancer?
Show answer
A static IP for the Kubernetes load balancer can be achieved by changing DNS records since the Kubernetes Master can assign a new static IP address. You can also specify a loadBalancerIP in your service spec when using cloud providers that support it, or reserve a static IP through your cloud provider and then reference it in your service configuration.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
7. Describe in high level what happens when you run kubectl expose deployment remo --type=LoadBalancer --port 8080
Show answer
1. Kubectl sends a request to Kubernetes API to create a Service object2. Kubernetes asks the cloud provider (e.g. AWS, GCP, Azure) to provision a load balancer
3. The newly created load balancer forwards incoming traffic to relevant worker node(s) which forwards the traffic to the relevant containers
Remember: LoadBalancer = NodePort + cloud LB. Auto-provisions on cloud providers.
Gotcha: Bare-metal ā stays Pending. Use MetalLB for on-prem.
8. Describe in detail what happens when you create a service
Show answer
1. Kubectl sends a request to the API server to create a Service2. The controller detects there is a new Service
3. Endpoint objects created with the same name as the service, by the controller
4. The controller is using the Service selector to identify the endpoints
5. kube-proxy detects there is a new endpoint object + new service and adds iptables rules to capture traffic to the Service port and redirect it to endpoints
6. kube-dns detects there is a new Service and adds the container record to the dns server
9. Explain the differences between ClusterIP, NodePort, and LoadBalancer service types.
Show answer
**Service Types in Kubernetes:**ā¢ ClusterIP:
ā¢ Exposes the service on an internal IP within the cluster.
ā¢ Suitable for intra-cluster communication.
ā¢ NodePort:
ā¢ Exposes the service on a static port on each node's IP.
ā¢ Makes the service accessible externally.
ā¢ LoadBalancer:
ā¢ Requests an external load balancer to manage the service.
ā¢ Useful for exposing services externally in cloud environments.
Different service types provide varying levels of accessibility. projects/knowledge/interview/kubernetes/350-explain-the-differences-between-clusterip-nodeport.txt
Remember: ClusterIP = default, internal only. "Cluster Internal Protocol."
Under the hood: kube-proxy programs iptables/IPVS to load-balance to pods.
10. Explain the meaning of "http", "host" and "backend" directives
Show answer
host is the entry point of the cluster so basically a valid domain address that maps to cluster's node IP addressthe http line used for specifying that incoming requests will be forwarded to the internal service using http.
backend is referencing the internal service (serviceName is the name under metadata and servicePort is the port under the ports section).
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
11. How to configure a default backend?
Show answer
Create Service resource that specifies the name of the default backend as reflected in `kubectl describe ingress ...` and the port under the ports section.Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
12. Why is conntrack critical in Kubernetes?
Show answer
Conntrack (connection tracking) is essential for Kubernetes service networking:**How services work**:
* ClusterIP services use iptables/IPVS for load balancing
* Every connection to a service gets NAT'd to a pod
* Conntrack tracks these NAT translations
**Why it matters**:
* Without conntrack, return packets can't find their way back
* Every active connection uses a conntrack entry
* Table has fixed size (default often 65536 or 131072)
**Failure mode**:
* Table fills up ā new connections fail
* Packets dropped silently
* Affects ENTIRE cluster, not just one service
\
Remember: Services use label selectors to find pods. Change labelsāchange which pods get traffic.
13. Explain the different Service types in Kubernetes and when to use each.
Show answer
Kubernetes Services expose Pods to network traffic. Four types exist:1. ClusterIP (default):
- Internal cluster IP only
- Not accessible from outside
- Use: Internal microservice communication
2. NodePort:
- Exposes service on each node's IP at a static port (30000-32767)
- Accessible from outside via
- Use: Development, simple external access
3. LoadBalancer:
- Creates external load balancer (cloud provider)
- Automatically creates NodePort and ClusterIP
- Use: Production external access in cloud environments
4.
Remember: 4 types: ClusterIP, NodePort, LoadBalancer, ExternalName. Mnemonic: "CNLE."