
Networking

Every kubestart cluster has its own isolated network. Your pods can talk to each other freely, but traffic to and from the outside world follows the rules below.

Your pods can receive traffic from:

  • Other pods in the same cluster — standard Kubernetes networking applies.
  • The platform ingress layer — traffic arriving through your cluster’s Ingress resources is forwarded to your services.

Direct inbound connections from the internet to individual pods are not supported. Use an Ingress to expose your services.

Your pods have full internet access. Common outbound ports (80, 443, 587, and others) are open by default. There is no outbound firewall restricting which hosts you can reach.

Outbound traffic counts toward your monthly transfer cap.

For security and isolation, the following traffic is blocked:

  • Other tenants — pods in your cluster cannot communicate with pods in other customers’ clusters.
  • Host infrastructure — access to the underlying host nodes and management services is denied.
  • Cloud metadata services — instance metadata endpoints are not reachable from within your cluster.

Service type    Supported
ClusterIP       Yes
Ingress         Yes
LoadBalancer    No
NodePort        No

LoadBalancer and NodePort services are not available. Use Ingress to expose HTTP/HTTPS services to the internet.

Standard Kubernetes DNS (CoreDNS) runs inside your cluster. Services are resolvable by their in-cluster names (e.g., my-service.my-namespace.svc.cluster.local). External DNS resolution works normally.

Each cluster gets two DNS names:

  • Wildcard domain: *.{cluster-id}.kubestart.xyz — used for Ingress hostnames.
  • API endpoint: {cluster-id}.k8s.kubestart.io — used by kubectl and other Kubernetes clients.

Both endpoints are provisioned automatically when your cluster is created.

The Kubernetes API endpoint is protected by an IP allowlist. By default, no IPs are allowed — you must add at least one CIDR range before you can connect with kubectl.

Manage your allowlist from the cluster detail page on the dashboard:

  1. Navigate to your cluster in the dashboard.
  2. Find the API Access section.
  3. Use Add my IP to allowlist your current IP address, or add CIDR ranges manually.
  4. Save your changes.

Changes take approximately 2 minutes to propagate. You can add up to 20 CIDR ranges per cluster.
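
Before entering ranges in the dashboard, it can help to normalize them locally and confirm that they fit the 20-range limit and cover the addresses you expect. The following is an added example, not kubestart's own code: the function names, the /16 "broad range" threshold and the sample addresses are assumptions made for illustration, and how the dashboard itself validates input is not described on this page.

```python
import ipaddress

MAX_RANGES = 20     # per-cluster limit stated on this page
BROAD_PREFIX = 16   # assumption: IPv4 ranges wider than /16 deserve a second look

def plan_allowlist(entries):
    """Normalize and merge CIDR strings. Returns (ranges, warnings)."""
    nets, warnings = [], []
    for raw in entries:
        iface = ipaddress.ip_interface(raw.strip())  # ValueError on malformed input
        net = iface.network
        if iface.ip != net.network_address:
            warnings.append(f"{raw}: host bits set, stored as {net}")
        if net.version == 4 and net.prefixlen < BROAD_PREFIX:
            warnings.append(f"{net}: very broad range for an API endpoint")
        nets.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    if len(merged) > MAX_RANGES:
        raise ValueError(f"{len(merged)} ranges after merging, limit is {MAX_RANGES}")
    return [str(n) for n in merged], warnings

def is_allowed(client_ip, ranges):
    """Default deny: an empty allowlist admits no address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r) for r in ranges)

# Constructed sample input using RFC 5737 documentation addresses.
SAMPLE = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.10", "192.0.2.77/24"]

if __name__ == "__main__":
    ranges, warnings = plan_allowlist(SAMPLE)
    print("ranges to enter:", ranges)
    for w in warnings:
        print("warning:", w)
    print("203.0.113.200 allowed:", is_allowed("203.0.113.200", ranges))
```

Merging adjacent ranges first keeps the list under the cap, and the warnings point at entries that admit more addresses than a single office or VPN egress would need.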

See Kubeconfig for connecting to your cluster after configuring access.