Debugging Kubernetes Networking Issues: Essential Techniques

Debug Kubernetes networking issues across pod connectivity, services, DNS, NetworkPolicies, and Ingress routing.

Debugging Kubernetes Networking Issues: Essential Techniques

Kubernetes networking issues usually look like timeouts, Connection refused, DNS failures, empty Service endpoints, or bad Ingress responses. To fix them quickly, trace the path: source pod, destination pod, Service, DNS, NetworkPolicy, and then Ingress or load balancer.

This guide gives you a practical sequence of checks and the kubectl commands that expose where traffic stops.

Understanding Kubernetes Networking Fundamentals

Before diving into debugging, it's important to grasp the core networking concepts in Kubernetes:

  • Pod Networking: Each pod gets its own unique IP address. Pods within the same node can communicate directly. Pods on different nodes communicate via a virtual network (CNI plugin).
  • Services: Services provide a stable IP address and DNS name for a set of pods. They act as an abstraction layer, allowing other pods or external clients to access application backends without needing to know the individual pod IPs.
  • DNS: Kubernetes DNS (usually CoreDNS) resolves Service names to cluster IPs, enabling service discovery.
  • Network Policies: These resources control pod traffic when your CNI plugin enforces them. A cluster without NetworkPolicy support will accept the objects but may not enforce the rules.
  • Ingress: Ingress controllers manage external access to services within the cluster, typically HTTP and HTTPS. They provide routing, load balancing, and SSL termination.

Common Networking Issues and Debugging Strategies

1. Pod-to-Pod Communication Failures

When pods cannot communicate with each other, even within the same namespace, it's a primary indicator of a networking problem.

Symptoms:

  • Application errors indicating connection timeouts or refusals.
  • curl or ping commands from one pod to another fail.

Debugging Steps:

  1. Verify Pod IPs: Ensure both source and destination pods have valid IP addresses. Use kubectl exec <pod-name> -- ip addr.
  2. Check Network Connectivity (within the pod): From the source pod, try to ping the destination pod's IP address. If this fails, the issue might be with the CNI plugin or node networking.
    kubectl exec <source-pod-name> -- ping <destination-pod-ip>
    
  3. Inspect Network Policies: Network Policies are a common culprit. Check if any policies are inadvertently blocking traffic between the pods.
    kubectl get networkpolicies -n <namespace>
    
    Examine the podSelector and ingress/egress rules to understand what traffic is allowed or denied. Once a pod is selected by an ingress policy, only explicitly allowed ingress traffic is permitted.
  4. CNI Plugin Status: Ensure your Container Network Interface (CNI) plugin (e.g., Calico, Flannel, Cilium) is running correctly on all nodes. Check the logs of the CNI daemonset pods.
    kubectl get pods -n kube-system -l k8s-app=<cni-plugin-label>
    kubectl logs <cni-plugin-pod-name> -n kube-system
    

2. Service Discovery Problems

When pods can't reach other services by their DNS names or cluster IPs, it indicates an issue with Kubernetes DNS or Service object configuration.

Symptoms:

  • Application errors like Name or service not known.
  • nslookup or dig commands within a pod fail to resolve service names.

Debugging Steps:

  1. Verify DNS Resolution: From a pod, test DNS resolution for a known service.
    kubectl exec <pod-name> -- nslookup <service-name>.<namespace>.svc.cluster.local
    
    If this fails, check the CoreDNS pods for errors.
    kubectl get pods -n kube-system -l k8s-app=kube-dns
    kubectl logs <coredns-pod-name> -n kube-system
    
  2. Check Service Object: Ensure the Service object is correctly configured and has endpoints pointing to healthy pods.
    kubectl get service <service-name> -n <namespace> -o yaml
    kubectl get endpoints <service-name> -n <namespace>
    
    The endpoints output should list the IP addresses of the pods backing the service.
  3. Pod Readiness Probes: If pods are not passing their readiness probes, they won't be added to the Service's endpoints. Check readiness probe configurations and pod logs for issues.

3. Ingress Controller Issues

External access to your services is managed by Ingress resources and Ingress controllers. Problems here can make your application inaccessible from outside the cluster.

Symptoms:

  • 502 Bad Gateway, 404 Not Found, or 503 Service Unavailable errors when accessing applications via their external URL.
  • Ingress controller logs showing errors related to backend services.

Debugging Steps:

  1. Check Ingress Controller Pods: Ensure the Ingress controller pods (e.g., Nginx Ingress, Traefik) are running and healthy.
    kubectl get pods -l app.kubernetes.io/component=controller # Adjust label based on your ingress controller
    kubectl logs <ingress-controller-pod-name> -n <ingress-namespace>
    
  2. Verify Ingress Resource: Check the configuration of your Ingress resource.
    kubectl get ingress <ingress-name> -n <namespace> -o yaml
    
    Ensure the rules section correctly maps hostnames and paths to the appropriate service.name and service.port.
  3. Check Service and Endpoints: Just like with service discovery, ensure the backend service the Ingress points to is correctly configured and has healthy endpoints.
    kubectl get service <backend-service-name> -n <namespace>
    kubectl get endpoints <backend-service-name> -n <namespace>
    
  4. Firewall and Load Balancer: If accessing from outside the cluster, ensure any external firewalls or cloud provider load balancers are correctly configured to forward traffic to the Ingress controller's service (often a LoadBalancer type service).

4. Network Policy Enforcement

Network Policies can be powerful but also a source of connectivity issues if misconfigured. They operate by the principle of least privilege; if a policy doesn't explicitly allow traffic, it's denied.

Debugging Steps:

  1. Identify Applied Policies: Determine which Network Policies are affecting the pods in question.
    kubectl get networkpolicy -n <namespace>
    
  2. Inspect Policy Selectors: Carefully examine the podSelector in each relevant NetworkPolicy. This selector determines which pods the policy applies to. If a pod is selected by multiple policies, allowed traffic is the union of those policy rules, not the most restrictive single rule.
  3. Review Ingress/Egress Rules: Analyze the ingress and egress sections of the Network Policy. If you're trying to establish a connection from Pod A to Pod B, you need to ensure:
    • A Network Policy applied to Pod B allows ingress traffic from Pod A (or a broader label selector that includes Pod A).
    • A Network Policy applied to Pod A allows egress traffic to Pod B (or a broader label selector that includes Pod B).
  4. Test with a Wide-Open Policy: As a temporary troubleshooting step, you can create a Network Policy that allows all traffic to and from specific pods or namespaces to see if connectivity is restored. This helps isolate whether the issue is indeed with Network Policies.
    # Example: Allow all ingress and egress for pods with label app=my-app
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-all-for-my-app
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: my-app
      policyTypes:
      - Ingress
      - Egress
      ingress:
        - {}
      egress:
        - {}
    
    Warning: This allow-all policy should only be used for temporary debugging. Remove it as soon as you finish the test.

Essential Tools and Commands

  • kubectl exec: Run commands inside a pod (e.g., ping, curl, nslookup).
  • kubectl logs: View logs of pods, especially for control plane components and network plugins.
  • kubectl describe: Get detailed information about pods, services, ingress, and network policies, which often reveals status and events.
  • kubectl get: List resources and their basic status.
  • tcpdump: A powerful command-line packet analyzer. You can run it inside a pod or on a node to capture network traffic.
    # Example: Capture traffic on eth0 interface within a pod
    kubectl exec <pod-name> -- tcpdump -i eth0 -nn port 80
    

Takeaway

Debug Kubernetes networking from the inside out. Prove pod IP connectivity first, then Service endpoints, then DNS, then NetworkPolicy, and finally Ingress or external load balancer behavior. That order keeps you from chasing an Ingress symptom when the Service has no ready endpoints.