What's actually inside a Kubernetes Service? You think it has pod IPs. It doesn't. Here's what really routes your traffic.

A Kubernetes Service is one virtual IP and a label selector. Behind one `kubectl expose` command, three controllers and a DNS server cooperate, and the kernel on every node gets reprogrammed — all in under a second. This deep dive walks every step end-to-end on a real kind v1.35.1 cluster.

Six parts:
1. Why Services exist (pod IPs are ephemeral, you need a stable target)
2. What happens when you create one (API server allocates the ClusterIP, EndpointSlice controller fills it, kube-proxy programs iptables on every node, CoreDNS makes the name resolvable)
3. What happens when traffic calls it (DNS, KUBE-SERVICES match, --mode random pick, DNAT, the conntrack reply trick)
4. All 5 Service types — ClusterIP, NodePort, LoadBalancer, ExternalName, Headless — with real production use cases
5. Live demo on a kind v1.35.1 cluster — apply Deployment + Service, dump iptables, curl through it, scale to 10 and watch every node reprogram
6. Recap — it's not magic, it's well-organized iptables rules

🎬 Companion blog (full terminal output, real iptables dumps): https://blog.kubesimplify.com/services-deep-dive

🔎 What you'll learn
• Why pod IPs are ephemeral by design
• How the API server allocates ClusterIPs (now GA in 1.33 with IPAddress objects)
• What the EndpointSlice controller actually does — and the 100-endpoint cap
• How kube-proxy diffs and reprograms the kernel: iptables-restore on every node, in milliseconds
• The KUBE-SERVICES → KUBE-SVC → KUBE-SEP chain structure
• Why -m statistic --mode random gives each backend exactly 1/n of traffic — for any n
• How conntrack rewrites the reply path so the abstraction stays invisible to the application
• When to use ExternalName instead of a ConfigMap
• When to use Headless instead of ClusterIP (StatefulSets, peer discovery)

📚 References
• Service docs: https://kubernetes.io/docs/concepts/services-networking/service/
• EndpointSlices: https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/
• kube-proxy nftables backend: https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/
• KEP-1880 (multiple ServiceCIDRs, IPAddress object): https://github.com/kubernetes/enhancements/issues/1880

⏱️ Chapters
0:00 Intro · pods come and go
0:15 Every pod is ephemeral
0:36 A Service is the answer
0:56 Recap — moving target → fixed target
1:13 Part 2 · what happens when you create one
1:28 API server allocates the ClusterIP
1:57 EndpointSlice controller fills in backends
2:23 kube-proxy reprograms every node in parallel
2:45 Three chains — KUBE-SERVICES → KUBE-SVC → KUBE-SEP
3:10 CoreDNS makes the name resolvable
3:39 Part 3 · what happens when traffic calls it
3:56 Step 1 · DNS resolution
4:19 Step 2 · TCP SYN packet leaves the pod
4:37 Step 3 · KUBE-SERVICES match
4:57 Step 4 · --mode random picks one (1/n math, any n)
5:32 Step 5 · DNAT — kernel rewrites the destination
5:55 Step 6 · backend pod replies
6:15 Step 7 · the conntrack reply trick
6:50 Part 4 · the 5 Service types
7:04 ClusterIP
7:23 NodePort
7:50 LoadBalancer
8:14 ExternalName
8:54 Headless
9:25 When to pick which
9:48 Part 5 · live cluster demo
9:59 Apply Deployment + Service
10:14 Get EndpointSlice — backends already filled in
10:28 iptables-save — KUBE-SVC and KUBE-SEP rules
10:50 curl through the Service — Welcome to nginx
11:09 Scale to 10 — kube-proxy reprograms every node
11:31 Recap — the kernel does the work
11:48 Outro

🔗 Kubesimplify
Website: https://kubesimplify.com
X: https://twitter.com/kubesimplify
YouTube: https://youtube.com/@kubesimplify

Demo cluster: kind v1.35.1 with 3 worker nodes, iptables proxy mode.

#Kubernetes #KubernetesService #DevOps #CloudNative #K8s #Kubesimplify #ClusterIP #LoadBalancer #EndpointSlice #kubeproxy
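The "1/n for any n" point from the chain-structure and --mode random bullets above, worked through as an added example (not code from the video or from kube-proxy itself): it lays out a KUBE-SVC chain the way the iptables proxier does, rule i with `--probability 1/(n-i)` and the last rule unconditional, and then proves with exact fractions that the fall-through evaluation hands every KUBE-SEP the same share. The chain and endpoint names are constructed placeholders; real ones carry a hash suffix.

```python
from fractions import Fraction

# Constructed placeholder; a real chain looks like KUBE-SVC-<hash>.
SVC_CHAIN = "KUBE-SVC-EXAMPLE"


def kube_svc_rules(sep_chains):
    """Emit the KUBE-SVC chain body in the layout kube-proxy's iptables mode uses:
    rule i carries --probability 1/(n-i); the final rule has no statistic match,
    so whatever falls through is always sent to the last endpoint."""
    n = len(sep_chains)
    rules = []
    for i, sep in enumerate(sep_chains):
        remaining = n - i
        if remaining > 1:
            p = 1.0 / remaining
            rules.append(f"-A {SVC_CHAIN} -m statistic --mode random "
                         f"--probability {p:.10f} -j {sep}")
        else:
            rules.append(f"-A {SVC_CHAIN} -j {sep}")
    return rules


def backend_shares(n):
    """Exact share of new connections each of n KUBE-SEP chains receives when the
    rules are evaluated top to bottom: a packet that misses rule i is tested
    against rule i+1, so share_i = (probability nothing matched so far) * 1/(n-i)."""
    shares = []
    still_unmatched = Fraction(1)
    for i in range(n):
        p = Fraction(1, n - i)          # equals 1 for the unconditional last rule
        shares.append(still_unmatched * p)
        still_unmatched *= 1 - p
    return shares


def is_uniform(n):
    """True when every backend gets exactly 1/n; the ladder makes this hold for any n."""
    return backend_shares(n) == [Fraction(1, n)] * n


if __name__ == "__main__":
    for rule in kube_svc_rules([f"KUBE-SEP-POD{i}" for i in range(1, 4)]):
        print(rule)
    for n in (2, 3, 10):
        print(n, [str(s) for s in backend_shares(n)], is_uniform(n))
```

The same ladder is what you see change across all three nodes after the "scale to 10" step: ten rules, probabilities 0.1, 0.1111111111, 0.125, ... 0.5, and a bare jump at the bottom.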