mastering ckad certified kubernetes application developer

Ingress and Network Policies

2 min read Chapter 34 of 87
Summary

Introduces Ingress as the Layer 7 routing mechanism that maps HTTP paths and hostnames to backend Services, and NetworkPolicies as the firewall rules that control which Pods can communicate. Previews the practical exercises covering Service creation, Ingress routing, and Network Policy isolation.

Chapter 11 established how Services give Pods stable internal endpoints. But stable internal endpoints are only part of the story. Two questions remain: how does external HTTP traffic reach the right Service, and how do you prevent Pods from talking to each other when they shouldn’t?

Ingress answers the first question. A NodePort Service can expose an application externally, but it gives you one port per Service and no path-based routing. If you run ten microservices, you need ten NodePorts — and your users need to know which port maps to which service. Ingress provides Layer 7 (HTTP/HTTPS) routing: a single entry point that maps URL paths and hostnames to different backend Services. /api goes to the API service. /web goes to the frontend. api.example.com and web.example.com route to entirely different backends. One load balancer, many routes.

NetworkPolicies answer the second question. By default, every Pod in a Kubernetes cluster can communicate with every other Pod; there is no isolation. This is convenient for development but dangerous in production. A compromised frontend Pod can reach the database directly. A logging agent can probe internal services it has no business touching. NetworkPolicies let you define firewall-like rules: which Pods can receive traffic (ingress rules), which Pods can send traffic (egress rules), and which sources and destinations those rules allow.

Both topics fall squarely within the CKAD “Services & Networking” domain (20% weight). Exam tasks may require you to create an Ingress resource with path-based routing and TLS termination, or write a NetworkPolicy that allows only specific Pods to reach a backend on a specific port.
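The isolation pattern described above, written out as an added example (not manifests from the book): a default-deny policy for the namespace, plus one rule that lets only the API Pods reach the database on its port. The namespace name, labels and port number are assumed values for illustration.

```yaml
# Added example: isolate the "shop" namespace, then allow only Pods labelled
# app=api to reach Pods labelled app=database on TCP 5432. Namespace, labels
# and port are assumed values, not taken from the book.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # empty selector: applies to every Pod in the namespace
  policyTypes:
    - Ingress              # only inbound traffic is restricted; egress stays open
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-database
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: database        # the Pods being protected by this rule
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api     # same-namespace Pods only; add namespaceSelector to widen
      ports:
        - protocol: TCP
          port: 5432       # anything else from app=api is still dropped by default-deny
```

Policies are additive, so the allow rule is unioned with the default deny; verifying it with `kubectl exec` and `curl` from an api Pod and from an unrelated Pod is the connectivity check covered later. Note that a NetworkPolicy is only enforced if the cluster's CNI plugin implements it; the default Kind network (kindnet) does not, so a Kind cluster needs a policy-capable CNI such as Calico or Cilium for these rules to have any effect.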

What This Chapter Covers

The following sections provide:

  • Ingress Rules and TLS Termination: Creating Ingress resources with path-based and host-based routing, understanding path types, configuring TLS with Secrets, and setting up the NGINX Ingress Controller on Kind.

  • Network Policies and Connectivity Debugging: Writing NetworkPolicies to isolate Pods, controlling ingress and egress traffic with podSelector, namespaceSelector, and ipBlock rules, and debugging connectivity with exec/curl.

Each section concludes with hands-on exercises. Work through them on your Kind cluster before checking the solutions in Chapter 13.