A pod cannot connect to a service because the service port is wrong, the application isn't listening, or there are no healthy endpoints. The connection is refused at the network level, typically because the service has no running pods or the pod is listening on a different port than configured. Fix by verifying endpoints, application ports, and readiness probes.
When a client tries to connect to a service, Kubernetes routes traffic to endpoints (backend pods). Connection refused occurs when no endpoints exist (pods down/not ready), the pod listens on a different port, or the service targets the wrong port. Unlike DNS failures, the connection reaches the pod but the pod refuses it.
Verify service has running, ready pods:
kubectl get endpoints <service-name> -n <namespace>
kubectl describe service <service-name> -n <namespace>
Look at the Endpoints field. If it shows <none>, no pods match the selector or all are not ready.
Service selector must match pod labels exactly (case-sensitive):
kubectl get pods --show-labels -n <namespace>
kubectl describe service <service-name> -n <namespace> | grep -i selector
Ensure pod labels include all key=value pairs from service selector.
Pods must be Ready for traffic to reach them:
kubectl get pods -n <namespace>
kubectl describe pod <pod-name> -n <namespace>
If status is not Running or Ready is False, the pod won't receive traffic. Check readiness probe configuration and logs.
Service and pod port must align:
kubectl get service <service-name> -n <namespace> -o yaml | grep -A5 ports
kubectl get pod <pod-name> -n <namespace> -o yaml | grep -A3 containerPort
Example:
# Service
ports:
- port: 80 # External port
  targetPort: 8080 # Container port
# Pod
containerPort: 8080
Connect to pod directly and check if port is listening:
kubectl exec -it <pod-name> -n <namespace> -- sh
netstat -tlnp | grep <port>
# or
lsof -i :<port>
If port not listed, the application isn't listening. Check application logs and startup configuration.
Failing readiness probes remove pods from endpoints:
kubectl describe pod <pod-name> -n <namespace> | grep -A5 "Readiness"
kubectl logs <pod-name> -n <namespace>
If readiness probe is too strict or has wrong port/path, pods won't be marked as ready. Adjust timeoutSeconds, initialDelaySeconds, or probe path.
Use port-forward to bypass service routing:
kubectl port-forward pod/<pod-name> 8080:8080 -n <namespace> &
curl localhost:8080/health
If port-forward works but service doesn't, the issue is service routing/endpoints, not the application.
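The selector, readiness and port checks above, combined into one pass over `kubectl ... -o json` output. This is an added example, not part of the original page; the sample Service and Pod JSON is constructed and `diagnose` is a hypothetical helper name.

```python
import json

# Constructed sample data, shaped like `kubectl get service <name> -o json`
# and the .items list of `kubectl get pods -o json`.
SERVICE = json.loads('{"spec": {"selector": {"app": "web"},'
                     ' "ports": [{"port": 80, "targetPort": 8080}]}}')
PODS = json.loads("""[
 {"metadata": {"name": "web-1", "labels": {"app": "web"}},
  "spec": {"containers": [{"ports": [{"containerPort": 8080}]}]},
  "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
 {"metadata": {"name": "web-2", "labels": {"app": "web"}},
  "spec": {"containers": [{"ports": [{"containerPort": 3000}]}]},
  "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
 {"metadata": {"name": "web-3", "labels": {"app": "Web"}},
  "spec": {"containers": [{"ports": [{"containerPort": 8080}]}]},
  "status": {"conditions": [{"type": "Ready", "status": "True"}]}}
]""")

def diagnose(service, pods):
    """Return findings that explain why a Service may refuse connections."""
    selector = service["spec"].get("selector") or {}
    if not selector:
        return ["service has no selector: endpoints are not derived from pods"]
    # Label matching is exact and case-sensitive, as for a real selector.
    matched = [p for p in pods if all(
        p["metadata"].get("labels", {}).get(k) == v for k, v in selector.items())]
    if not matched:
        return [f"no pod labels match selector {selector}"]
    findings = []
    for pod in matched:
        name = pod["metadata"]["name"]
        conds = {c["type"]: c["status"]
                 for c in pod.get("status", {}).get("conditions", [])}
        if conds.get("Ready") != "True":
            findings.append(f"{name}: not Ready, so not in endpoints")
        ports = [cp for c in pod["spec"]["containers"] for cp in c.get("ports", [])]
        numbers = {cp["containerPort"] for cp in ports}
        names = {cp.get("name") for cp in ports}
        for sp in service["spec"]["ports"]:
            target = sp.get("targetPort", sp["port"])  # defaults to port
            known = names if isinstance(target, str) else numbers
            # containerPort is declarative only; a miss is a hint to confirm
            # inside the pod, not proof that nothing listens there.
            if target not in known:
                findings.append(f"{name}: targetPort {target} not declared")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SERVICE, PODS)) or "no findings")
```

With the sample data, web-3 is skipped because its label value differs only in case, and web-2 is reported twice: once for readiness and once for the port.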
Service discovery happens via CoreDNS; connection refused is a networking issue, not DNS. Use tcpdump on nodes to capture traffic: tcpdump -i any -n port 8080. For debugging without altering pods, use kubectl logs and kubectl exec. Headless services (clusterIP: None) bypass service IP and connect directly to pod IPs, useful for StatefulSets. Session affinity (ClientIP) can appear to break connectivity if not configured correctly.