Services and Endpoints
A Service is a stable front door to a changing set of Pods. The datapath is implemented by kube-proxy (or a CNI that replaces it) plus EndpointSlices that track ready backends.
For a cloud-agnostic view of how pod IPs move across nodes (overlay vs underlay), see Networking — Pod-to-pod traffic (cross-node, generic).
ClusterIP datapath (mental model)
- Client Pod resolves the Service DNS name to the ClusterIP (or uses the cluster IP directly).
- kube-proxy (or an eBPF equivalent) programs rules so traffic to ClusterIP:port is DNAT'd to a Pod IP:targetPort.
- EndpointSlices hold the current ready Pod endpoints; kube-proxy watches them and refreshes rules.
When pods churn during rollouts, EndpointSlices update; brief windows of empty endpoints can cause 503 if clients retry against backends that no longer exist.
EndpointSlices
```bash
kubectl get endpointslices -n <ns> -l kubernetes.io/service-name=<svc>
```
Slices split endpoints for scale; only Ready pods appear for Services with selectors. Readiness probe flapping shows up directly as endpoint churn.
kube-proxy modes
| Mode | Characteristics |
|---|---|
| iptables | Default on many clusters; rule count grows with services/backends |
| ipvs | Hash-based dispatch; better behavior at very large service counts |
| eBPF / no kube-proxy | Cilium and similar CNIs program the datapath in the kernel; rich observability (for example Hubble) |
```bash
kubectl get cm kube-proxy-config -n kube-system -o yaml | grep mode
```
Headless Services
clusterIP: None — DNS returns per-pod A records (StatefulSet identity). No virtual ClusterIP; clients talk directly to pod IPs.
Session affinity
sessionAffinity: ClientIP pins a client source IP to one backend for sessionAffinityConfig.clientIP.timeoutSeconds. Useful for legacy state; prefer sticky cookies at L7 when using Ingress.
Debugging checklist
- kubectl get endpoints <svc> (legacy view) or EndpointSlices as above: non-empty?
- Labels on pods match Service selector?
- Readiness passing? (Unready pods are omitted.)
- NetworkPolicy allowing the path?
- For mesh clusters, confirm whether traffic is captured by sidecars and whether mTLS breaks health checks.
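The first three checks of the list above, run over constructed Service, Pod and EndpointSlice objects shaped like the API's JSON. This is an added example, not code from the original page; it assumes equality-based selectors and only the fields it reads.

```python
"""Report the first failing checklist item for a Service with no usable backends.
Inputs are constructed, minimal dicts shaped like Kubernetes API JSON (assumption:
only the fields read here are present)."""


def selector_matches(selector: dict, labels: dict) -> bool:
    """Equality-based selector: every key/value in the selector must be on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())


def pod_ready(pod: dict) -> bool:
    """A pod is Ready when its Ready condition is True (readiness probes passing)."""
    return any(c["type"] == "Ready" and c["status"] == "True"
               for c in pod.get("status", {}).get("conditions", []))


def ready_slice_addresses(slices: list) -> set:
    """Addresses the datapath will DNAT to: endpoints whose ready condition is true."""
    return {addr for s in slices for ep in s["endpoints"]
            if ep.get("conditions", {}).get("ready") for addr in ep["addresses"]}


def diagnose(service: dict, pods: list, slices: list) -> str:
    """Walk the checklist in order and return the first finding, or 'ok'."""
    selector = service["spec"].get("selector", {})
    selected = [p for p in pods if selector_matches(selector, p["metadata"]["labels"])]
    if not selected:
        return "selector: no pods carry the Service's selector labels"
    ready_pod_ips = {p["status"]["podIP"] for p in selected if pod_ready(p)}
    if not ready_pod_ips:
        return "readiness: selected pods exist but none is Ready (omitted from endpoints)"
    slice_ips = ready_slice_addresses(slices)
    if not slice_ips:
        return "endpoints: Ready pods exist but the EndpointSlice lists none (not yet synced)"
    if slice_ips - ready_pod_ips:
        return "endpoints: slice still advertises addresses of pods that are gone or unready"
    return "ok"


# Constructed sample: Service selects app=web; one pod is Ready, one is not.
SERVICE = {"spec": {"selector": {"app": "web"}}}
PODS = [
    {"metadata": {"labels": {"app": "web"}}, "status": {"podIP": "10.244.1.5",
     "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"labels": {"app": "web"}}, "status": {"podIP": "10.244.2.7",
     "conditions": [{"type": "Ready", "status": "False"}]}},
]
SLICES = [{"endpoints": [{"addresses": ["10.244.1.5"], "conditions": {"ready": True}},
                         {"addresses": ["10.244.2.7"], "conditions": {"ready": False}}]}]
```

Against a live cluster the same dicts come from `kubectl get svc/pods/endpointslices -o json`; the unready pod's address is present in the slice but never DNAT'd to, which is the churn behaviour described above.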
Related
- Networking — Ingress, DNS, and policy overview.
- Network policies — Default deny and allowlists.
- Architecture review answers — Prompts this page deepens.