diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f11ac0c88..9b2a23b8ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@ Note: Breaking changes between versions are indicated by "💥".
 ## Unreleased
+
+- [Security] On Kubernetes, convert all NodePort services to ClusterIP to guarantee network isolation from outside the cluster.
 - [Bugfix] Remove trailing slashes in docker-compose files for [compatibility with docker-compose v2 in WSL](https://github.com/docker/compose/issues/8558).
 - [Improvement] `settheme` now works with preview domain.
diff --git a/tutor/templates/k8s/services.yml b/tutor/templates/k8s/services.yml
index f50da216db..c515fda4e4 100644
--- a/tutor/templates/k8s/services.yml
+++ b/tutor/templates/k8s/services.yml
@@ -21,7 +21,7 @@ kind: Service
 metadata:
 name: cms
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 8000
 protocol: TCP
@@ -35,7 +35,7 @@ kind: Service
 metadata:
 name: forum
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 4567
 protocol: TCP
@@ -49,7 +49,7 @@ kind: Service
 metadata:
 name: lms
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 8000
 protocol: TCP
@@ -63,7 +63,7 @@ kind: Service
 metadata:
 name: elasticsearch
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 9200
 protocol: TCP
@@ -77,7 +77,7 @@ kind: Service
 metadata:
 name: mongodb
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 27017
 protocol: TCP
@@ -91,7 +91,7 @@ kind: Service
 metadata:
 name: mysql
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 3306
 protocol: TCP
@@ -104,7 +104,7 @@ kind: Service
 metadata:
 name: nginx
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 80
 name: http
@@ -117,7 +117,7 @@ kind: Service
 metadata:
 name: redis
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: {{ REDIS_PORT }}
 protocol: TCP
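Review bot: Switching the data-store Services (elasticsearch 9200, mongodb 27017, mysql 3306, redis, and smtp in the last hunk) to `type: ClusterIP` closes the node-port exposure, but these Services stay reachable from every pod in the cluster unless a NetworkPolicy restricts ingress, and no such policy is visible in this diff. I would add a comment above each of them, e.g. `# ClusterIP: not exposed on node ports; in-cluster access is not restricted here, pair with a NetworkPolicy`, so operators on shared clusters do not read the changelog's "network isolation" as covering pod-to-pod traffic. Whether the rest of the file or a plugin already ships a NetworkPolicy cannot be told from these hunks.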
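Review bot: In the nginx hunk the change to `type: ClusterIP` also removes the node-port path to port 80, which looks like a behaviour change for anyone who reached the platform through a node address, yet the changelog entry carries no "💥" marker. If external traffic is meant to arrive only through an Ingress or LoadBalancer defined elsewhere in the file (not visible here), a one-line comment such as `# external access goes through <ingress/load balancer>, not this Service` would make that explicit. On existing deployments it is also worth verifying after upgrade that the Services really changed type, since some older API server versions are reported to reject a NodePort-to-ClusterIP update while a nodePort is still allocated.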
@@ -131,11 +131,11 @@ kind: Service
 metadata:
 name: smtp
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 25
 protocol: TCP
 selector:
 app.kubernetes.io/name: smtp
 {% endif %}
-{{ patch("k8s-services") }}
\ No newline at end of file
+{{ patch("k8s-services") }}