Tenet IV

Service and Network

Communication, discovery, ingress, and boundaries. The sacred geometry of traffic.

Ceremonial Statement

Paths, gates, and boundaries.

“A service is a name sworn in the dark. An ingress is a gate. Boundaries are mercy—so noise cannot become catastrophe.”

Plain-language Explanation

Kubernetes networking is about stable names and controlled exposure.

Pods are ephemeral. Services provide stable virtual IPs and DNS names that route to healthy endpoints. Ingress exposes HTTP(S) routes into the cluster through a controller. Network boundaries—namespace isolation, Network Policies, and ingress rules—limit blast radius.

Tenet IV focuses on trust: what can talk to what, through which gate, with which identity. When you encode boundaries, you trade chaos for clarity.

Kubernetes Mapping

Objects that define communication.

  • Service: ClusterIP / NodePort / LoadBalancer; stable addressing over changing Pods.
  • Endpoints / EndpointSlices: the actual backends a Service routes to.
  • Ingress: HTTP(S) routing at the edge (requires an Ingress Controller).
  • NetworkPolicy: L3/L4 allow-lists for pod-to-pod traffic (CNI-dependent).
  • DNS: Service discovery via CoreDNS; names are contracts.

Operator Mindset

Boundaries are how you sleep.

Choose a default posture

If your CNI supports NetworkPolicy, decide whether namespaces are “open by default” or “deny by default.” Either way, document it and enforce it.
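A "deny by default" posture for one namespace, written out as Kubernetes manifests (an added example, not from the original page): every Pod is closed on both directions, then one policy opens exactly the gate and the DNS lookups the web Pods need. The namespace shop, the label app=web, the controller namespace ingress-nginx and port 8080 are assumptions; the kube-dns label and the kubernetes.io/metadata.name namespace label are the usual defaults, but confirm them on your own cluster.

```yaml
# Added example. Namespace, labels and port are assumptions for illustration.
# Policy 1: close the namespace. Empty podSelector matches every Pod here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress            # listing Egress also blocks DNS until a policy allows it
---
# Policy 2: re-open only what the web Pods need. Policies are additive, so the
# union of all matching allow rules is what the CNI enforces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-gate-and-dns
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:             # the one gate: the ingress controller's namespace
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:               # name resolution, otherwise Service names stop working
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Pods in shop that carry no allow policy of their own stay fully isolated, which is the point: anything you did not write down cannot talk.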

Ingress is a system

Ingress isn’t a magic object. It’s a contract interpreted by a controller. Know your controller, know its annotations and failure modes, and observe it like production infrastructure.

Names matter

Services and labels form the address book of your platform. A sloppy label schema becomes a traffic incident.