Kubernetes Services: Expose Your Applications

Kubernetes services are the native mechanism to expose Kubernetes applications to other Pods, to the cluster, or to the outside world. A Service provides a stable IP address and a permanent DNS name, regardless of the ephemeral lifecycle of Pods. With 82% of container users in production, understanding Services becomes essential.

TL;DR: A Service selects Pods via labels and assigns them a stable virtual IP. Four types exist: ClusterIP (internal), NodePort (port on each node), LoadBalancer (cloud provider), and ExternalName (DNS alias). This guide covers the creation, configuration, and use cases of each Kubernetes service type.

This topic is covered in the Kubernetes Fundamentals training.

Why Use Kubernetes Services?

Pods are ephemeral. They receive dynamic IP addresses that change with each recreation. A Service solves this problem by providing:

Stable IP: fixed virtual address (ClusterIP)
DNS: resolvable name service-name.namespace.svc.cluster.local
Load balancing: automatic traffic distribution between Pods
Discovery: Pods find Services via DNS or environment variables

Key takeaway: never hardcode a Pod's IP. Always use a Service as a stable entry point.

Consult our Kubernetes Training: Complete Guide to understand the complete ecosystem.

What are the Types of Kubernetes Services?

Kubernetes offers four types of Services, each suited to a specific use case.

Type	Scope	Use Case	External IP
ClusterIP	Internal cluster	Inter-pod communication	No
NodePort	External via nodes	Testing, direct access	Port 30000-32767
LoadBalancer	External cloud	Cloud production	Public IP
ExternalName	DNS alias	External services	Not applicable

ClusterIP: Internal Communication

Default type. Creates a virtual IP accessible only from inside the cluster.

apiVersion: v1
kind: Service
metadata:
name: api-service
spec:
type: ClusterIP
selector:
app: api-backend
ports:
- port: 80
targetPort: 8080

Usage: databases, Redis caches, internal services.

NodePort: Direct External Access

Exposes the Service on a static port of each Node in the cluster.

apiVersion: v1
kind: Service
metadata:
name: web-nodeport
spec:
type: NodePort
selector:
app: web-frontend
ports:
- port: 80
targetPort: 8080
nodePort: 30080

Access: http://:30080

Key takeaway: NodePort is suitable for development and testing. Avoid it in production where a LoadBalancer or Ingress is preferable.

LoadBalancer: Cloud Production

Automatically provisions a cloud load balancer (AWS ELB, GCP LB, Azure LB).

apiVersion: v1
kind: Service
metadata:
name: web-loadbalancer
spec:
type: LoadBalancer
selector:
app: web-frontend
ports:
- port: 443
targetPort: 8080

With 80% of organizations using Kubernetes in production, LoadBalancer remains the standard choice to publicly expose Kubernetes applications.

ExternalName: External DNS Alias

Creates a CNAME alias to an external service.

apiVersion: v1
kind: Service
metadata:
name: external-db
spec:
type: ExternalName
externalName: database.example.com

Usage: integrate SaaS services or managed databases.

To create these Services via CLI, first master essential kubectl commands.

How to Create a Service with Selectors?

A Service uses selectors to target Pods to expose. The selector labels must match the Pods' labels.

Create a Deployment and its associated Service:

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-backend
spec:
replicas: 3
selector:
matchLabels:
app: api-backend
tier: backend
template:
metadata:
labels:
app: api-backend
tier: backend
spec:
containers:
- name: api
image: my-registry/api:v1.0.0
ports:
- containerPort: 8080
---
# service.yaml
apiVersion: v1
kind: Service
metadata:
name: api-service
spec:
selector:
app: api-backend
tier: backend
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP

Verify the Service-Pods connection:

# View endpoints (selected Pods)
kubectl get endpoints api-service

# Service details
kubectl describe service api-service

Key takeaway: if Endpoints is empty, verify that Service labels match Pod labels and that Pods are in Running state.

IT teams spend 34 working days per year on Kubernetes issues. A good understanding of selectors saves hours of debugging.

How to Configure Kubernetes Service Ports?

Port configuration determines how traffic reaches your containers.

Field	Description	Example
port	Service port (ClusterIP)	80
targetPort	Container port	8080
nodePort	Port on Nodes (NodePort/LB)	30080
protocol	TCP or UDP	TCP

Multi-Port Service

Expose multiple ports on the same Service:

apiVersion: v1
kind: Service
metadata:
name: app-service
spec:
selector:
app: my-app
ports:
- name: http
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
- name: metrics
port: 9090
targetPort: 9090

Key takeaway: always name your ports when defining multiple. The name allows referencing the port in other resources (Ingress, NetworkPolicy).

To manage exposed applications, learn about Kubernetes Deployments and ReplicaSets.

How to Use the Cluster's Internal DNS?

Kubernetes includes a DNS server (CoreDNS) that automatically resolves Service names.

DNS Formats

Format	Example	Scope
short	`api-service`	Same namespace
qualified	`api-service.production`	Cross-namespace
FQDN	`api-service.production.svc.cluster.local`	Complete

Test DNS resolution from a Pod:

# Create a debug pod
kubectl run debug --image=busybox --rm -it -- sh

# Inside the pod
nslookup api-service
nslookup api-service.production.svc.cluster.local
wget -qO- http://api-service/health

Environment Variables

Kubernetes automatically injects variables for each active Service:

# Inside a Pod
echo $API_SERVICE_SERVICE_HOST
echo $API_SERVICE_SERVICE_PORT

How to Expose Kubernetes Applications with an Ingress?

An Ingress manages external HTTP/HTTPS access to cluster Services. It provides:

URL/host-based routing
TLS termination
L7 load balancing

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
tls:
- hosts:
- app.example.com
secretName: tls-secret
rules:
- host: app.example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80

Key takeaway: Ingress requires an Ingress Controller (nginx, traefik, etc.) installed in the cluster.

With 71% of Fortune 100 companies on Kubernetes, Ingress has become the standard for web exposure.

Debugging Kubernetes Services

Diagnose Service connectivity issues:

# Check that the Service exists
kubectl get svc api-service

# Check endpoints
kubectl get endpoints api-service

# If endpoints empty, check Pods
kubectl get pods -l app=api-backend

# Test from a pod
kubectl run debug --image=curlimages/curl --rm -it -- \
curl -v http://api-service/health

Symptom	Probable Cause	Solution
Empty Endpoints	Incorrect labels	Align Service/Pods labels
Connection refused	Pod not ready	Check readinessProbe
Timeout	NetworkPolicy blocks	Check network policies
No route to host	Service deleted	Recreate the Service

For advanced debugging, consult Kubernetes Fundamentals for Beginners.

Summary Table: Service Commands

Action	Command
Create	`kubectl apply -f service.yaml`
List	`kubectl get services`
Details	`kubectl describe svc name`
Endpoints	`kubectl get endpoints name`
Expose Deployment	`kubectl expose deployment/name --port=80`
Delete	`kubectl delete svc name`
Port-forward	`kubectl port-forward svc/name 8080:80`
Test DNS	`kubectl run debug --image=busybox --rm -it -- nslookup name`

Take Action: SFEIR Kubernetes Training

Kubernetes Services are essential for any cloud-native architecture. To progress:

Discover Kubernetes in 1 day with Kubernetes Fundamentals: Pods, Services, Deployments, architecture
Develop applications with LFD459 Kubernetes for Developers: 3 days of intensive practice for CKAD
Administer clusters with LFS458 Kubernetes Administration: 4 days to master networking, storage, and security

Contact our advisors to define your training path.

Key Takeaways