Kubernetes networking is abstract by design: any conformant CNI (Container Network Interface) plugin can provide pod networking. The choice of CNI and the enforcement of Network Policies are production decisions with security and performance implications.
CNI plugin selection
The major CNI plugins have different trade-offs. Azure CNI assigns Azure VNet IPs to pods, enabling direct VM-to-pod routing and Azure Private Link compatibility, but consuming more IP addresses per node; kubenet uses a simpler overlay network, consuming fewer IPs per node, but its pods are not directly routable from the VNet. Calico provides rich Network Policy enforcement alongside pod networking. Cilium uses eBPF for high-performance networking and native Network Policy support without iptables.
Network Policies for microsegmentation
Kubernetes Network Policies are the mechanism for microsegmentation: deny all traffic by default, then allow ingress only from specific namespaces and pods. The default-deny pattern: create a NetworkPolicy in each namespace that denies all ingress and egress, then create explicit allow policies for each permitted communication path. The default-deny posture ensures that a new pod has no network access until explicitly granted. Two caveats: NetworkPolicy objects are only enforced by a CNI that implements them (the API server accepts them regardless, so on a non-enforcing CNI they are silently ignored), and default-deny egress also blocks DNS, so each namespace needs an explicit allow to CoreDNS.
CoreDNS configuration
CoreDNS is the default DNS server in Kubernetes, resolving service names to cluster IPs. CoreDNS performance is critical: every pod DNS query goes through CoreDNS. Performance tuning: enable DNS caching with the cache plugin, use ndots:5 in pod resolv.conf to reduce unnecessary search domain queries for external names, and scale CoreDNS replicas based on cluster size (the default 2 replicas are insufficient for large clusters).
Service and Ingress networking
Kubernetes Services expose pods to network traffic: ClusterIP (reachable inside the cluster only), NodePort (a fixed port opened on every node and forwarded to the Service), and LoadBalancer (a cloud provider load balancer in front of the Service). Ingress controllers (Nginx, Traefik, Azure Application Gateway) provide HTTP/HTTPS routing to Services based on host and path rules. A production Ingress should include TLS termination with cert-manager for automatic certificate management, rate limiting, and WAF integration for public endpoints.