Kubernetes Networking
Discipline Track | 5 Modules | ~5-6 hours total
Overview
Kubernetes networking is deceptively simple on the surface — every Pod gets an IP, Services provide stable endpoints, and Ingress handles external traffic. Underneath, a complex web of CNI plugins, iptables/eBPF rules, DNS resolution, and overlay networks makes it all work. When it breaks, the blast radius is everything.
This discipline covers the applied networking decisions platform engineers face daily: choosing and operating CNI plugins, designing network policies for zero-trust segmentation, evaluating service mesh trade-offs, configuring Gateway API for traffic management, and connecting clusters across regions and clouds.
This is NOT general networking theory. For DNS fundamentals, CDN architecture, WAF concepts, BGP routing, and zero-trust networking principles, see the Advanced Networking foundation track. This discipline assumes you understand those concepts and focuses on how they manifest inside Kubernetes.
Prerequisites
Before starting this track:
- Kubernetes Basics — Pods, Services, Deployments, Namespaces
- Advanced Networking foundations — DNS, load balancing, TLS, network models
- Container networking basics (network namespaces, veth pairs, bridges)
- Comfort with kubectl, YAML manifests, and Helm charts
Modules
| # | Module | Complexity | Time |
|---|---|---|---|
| 1.1 | CNI Architecture & Selection | [COMPLEX] | 55-65 min |
| 1.2 | Network Policy Design Patterns | [COMPLEX] | 60-70 min |
| 1.3 | Service Mesh Architecture & Strategy | [COMPLEX] | 60-75 min |
| 1.4 | Ingress, Gateway API & Traffic Management | [COMPLEX] | 55-65 min |
| 1.5 | Multi-Cluster & Hybrid Networking | [COMPLEX] | 60-70 min |
Total Time: ~5-6 hours
Learning Outcomes
After completing this track, you will be able to:
- Select and operate CNI plugins — Evaluate Calico, Cilium, and Flannel against your performance, security, and operational requirements
- Design network policies — Implement default-deny, namespace isolation, and zero-trust microsegmentation
- Make service mesh decisions — Know when you need a mesh, which to choose, and how to operate it without drowning in complexity
- Configure modern traffic management — Use Gateway API, choose ingress controllers, implement rate limiting and circuit breaking
- Connect clusters — Design multi-cluster and hybrid networking with DNS discovery, mesh federation, and cross-cluster connectivity
Learning Path
```
Module 1.1: CNI Architecture & Selection
  ├── How CNI plugins work under the hood
  ├── Compare Calico vs Cilium vs Flannel
  └── Choose the right CNI for your cluster
          │
          v
Module 1.2: Network Policy Design Patterns
  ├── Default-deny and namespace isolation
  ├── K8s vs Cilium vs Calico policies
  └── Zero-trust microsegmentation
          │
          v
Module 1.3: Service Mesh Architecture & Strategy
  ├── When you need a mesh (and when you don't)
  ├── Istio vs Linkerd vs Cilium mesh
  └── Sidecar vs ambient (sidecarless)
          │
          v
Module 1.4: Ingress, Gateway API & Traffic Management
  ├── Ingress controllers compared
  ├── Gateway API HTTPRoute, GRPCRoute, TLSRoute
  └── Rate limiting, circuit breaking, retries
          │
          v
Module 1.5: Multi-Cluster & Hybrid Networking
  ├── Flat vs overlay across clusters
  ├── Submariner, ClusterMesh, Skupper
  └── DNS discovery and hybrid connectivity
```
Key Concepts
The Kubernetes Networking Model
Every Kubernetes networking implementation must satisfy three fundamental requirements:
- Pod-to-Pod — Every Pod can communicate with every other Pod without NAT
- Pod-to-Service — Pods reach Services through a stable virtual ClusterIP; kube-proxy (iptables or IPVS mode) or an eBPF replacement such as Cilium's translates that virtual IP to the IP of a backend Pod
- External-to-Service — External traffic reaches Pods via NodePort, LoadBalancer, or Ingress/Gateway API
```
┌──────────────────────────────────────────────────────────────┐
│                       External Traffic                       │
│                 (Ingress / Gateway API / LB)                 │
└──────────────────────┬───────────────────────────────────────┘
                       │
                       v
┌──────────────────────────────────────────────────────────────┐
│                        Service Layer                         │
│             (ClusterIP, NodePort, LoadBalancer)              │
│                   kube-proxy / eBPF / IPVS                   │
└──────────────────────┬───────────────────────────────────────┘
                       │
                       v
┌──────────────────────────────────────────────────────────────┐
│                          CNI Layer                           │
│         Pod-to-Pod networking (bridge, vxlan, eBPF)          │
│             Network Policies (deny/allow rules)              │
│                 IPAM (IP address management)                 │
└──────────────────────────────────────────────────────────────┘
```
Decision Matrix: What To Use When
| Need | Solution | Module |
|---|---|---|
| Pod networking and IP management | CNI plugin | 1.1 |
| East-west traffic control | Network Policies | 1.2 |
| mTLS, observability, traffic shaping | Service Mesh | 1.3 |
| External HTTP/HTTPS routing | Gateway API / Ingress | 1.4 |
| Cross-cluster communication | Multi-cluster networking | 1.5 |
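For the external HTTP/HTTPS row, the manifests below are an added example (not from the original page) of Gateway API routing external HTTPS to a ClusterIP Service, with the Gateway owned by a platform namespace and the application in its own namespace. The namespaces `gateway-infra` and `payments`, the GatewayClass `example-gc`, the hostname `shop.example.com`, the TLS Secret name and the `gateway-access: allowed` label are assumptions for illustration.

```yaml
# Added example (not from the original page). All names are assumed values.
#
# Application namespace, labelled so the shared Gateway admits its routes.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    gateway-access: allowed
---
# Platform-owned Gateway: terminates TLS and decides which namespaces may
# attach routes. Without allowedRoutes the default is Same (own namespace only).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gateway
  namespace: gateway-infra
spec:
  gatewayClassName: example-gc          # assumed GatewayClass installed by your controller
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "shop.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: shop-example-com-tls  # assumed kubernetes.io/tls Secret in gateway-infra
      allowedRoutes:
        namespaces:
          from: Selector                # All would let any namespace claim this hostname
          selector:
            matchLabels:
              gateway-access: allowed
---
# Service layer: a ClusterIP (the default type) in front of the checkout Pods.
apiVersion: v1
kind: Service
metadata:
  name: checkout
  namespace: payments
spec:
  selector:
    app: checkout
  ports:
    - port: 8080
      targetPort: 8080
---
# Application-owned route attaching across namespaces to the Gateway above.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: checkout-route
  namespace: payments
spec:
  parentRefs:
    - name: public-gateway
      namespace: gateway-infra          # admitted only because of allowedRoutes above
  hostnames:
    - "shop.example.com"                # must intersect the listener hostname to attach
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /checkout
      backendRefs:
        - name: checkout                # same namespace as the route, so no ReferenceGrant needed
          port: 8080
```

The security-relevant setting is `allowedRoutes`. Its default, `Same`, admits only routes from the Gateway's own namespace; `All` lets any namespace attach an HTTPRoute and claim hostnames on the shared listener, so selecting admitted namespaces by label keeps that decision with the team that owns the Gateway. Because the HTTPRoute and its backend Service share a namespace, no ReferenceGrant is required; a backend in another namespace would need one.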
Related Tracks
Foundations (Start here if new to these concepts):
- Advanced Networking — DNS, CDN, WAF, BGP, load balancing, zero trust
- Security Principles — Defense in depth, least privilege
Disciplines (Apply networking in context):
- DevSecOps Discipline — Network security in CI/CD
- SRE Discipline — Network reliability and incident response
- Platform Engineering — Self-service networking abstractions
Toolkits (Deep dive into specific tools):
- Networking Toolkit — Cilium, service mesh, DNS, and more
Tools You’ll Encounter
| Tool | Purpose |
|---|---|
| Calico | CNI with BGP routing and rich network policy |
| Cilium | eBPF-based CNI with L7 policies and service mesh |
| Flannel | Simple overlay CNI for basic clusters |
| Istio | Full-featured service mesh with Envoy sidecars (or sidecarless ambient mode) |
| Linkerd | Lightweight service mesh with a Rust-based data-plane proxy |
| Gateway API | Kubernetes-native traffic routing (successor to Ingress) |
| NGINX Ingress | Most widely deployed ingress controller |
| Submariner | Cross-cluster L3 connectivity |
| CoreDNS | Cluster DNS with plugin architecture |
Progress Checklist
- Module 1.1: CNI Architecture & Selection
- Module 1.2: Network Policy Design Patterns
- Module 1.3: Service Mesh Architecture & Strategy
- Module 1.4: Ingress, Gateway API & Traffic Management
- Module 1.5: Multi-Cluster & Hybrid Networking
Further Reading
- Kubernetes Networking Model
- CNI Specification
- Gateway API Documentation
- Cilium Documentation
- Network Policy Editor — Visual network policy builder