NodePort and LoadBalancer Services

Most NodePort explanations stop at "it opens a port on the node." That's accurate and almost useless. The decisions that matter are one level deeper: which node actually processes the packet, what happens to the source IP as it passes through kube-proxy, and what breaks when there is no cloud controller. Those three things determine whether your rate limiting works and whether your access logs reflect real client IPs.

ClusterIP services are invisible outside the cluster. NodePort opens a port on every node's network interface. LoadBalancer adds a managed IP in front of those ports. Each type is a superset of the previous: a LoadBalancer service always allocates a NodePort and a ClusterIP underneath. On the exam, external access tasks are usually a kubectl expose call or a two-field YAML edit — the interesting part is what happens after the packet arrives at the node.