Kubernetes Service Without Selector
Detect Services that are missing a selector, which means they won't automatically route traffic to any Pods. Understand when selectorless Services are intentional.
Networking
Detailed Explanation
Service Selector Validation
A Kubernetes Service uses spec.selector to determine which Pods receive traffic. Without a selector, the Service creates no Endpoints automatically, which is usually a mistake.
Example with Missing Selector
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
ports:
- port: 80
targetPort: 8080
What the Validator Flags
- Warning: No selector defined. The Service won't match any Pods.
- Info: No labels defined on metadata.
When a Selectorless Service Is Intentional
There are legitimate cases for Services without selectors:
- External Services: Manually creating Endpoints to route to external IPs
- ExternalName Services: DNS CNAME for external services
- Headless Services for StatefulSets: When combined with a StatefulSet that manages its own Endpoints
Correct Service Configuration
apiVersion: v1
kind: Service
metadata:
name: my-service
labels:
app: myapp
spec:
selector:
app: myapp
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP
type: ClusterIP
Service Port Best Practices
- Always include
namefor each port (required when multiple ports exist) - Specify
protocolexplicitly (defaults to TCP) - Use named
targetPortmatching container port names when possible - For external access, use
type: LoadBalanceror an Ingress resource
Use Case
Debugging connectivity issues where a Service exists but no traffic reaches the Pods. A missing or incorrect selector is one of the most common causes of Service routing failures.