When you build Kubernetes-aware policy constructs, “groups” are commonly used to collect objects so you can apply consistent controls (security posture, traffic rules, observability scope, etc.) to a set of endpoints. In VCF 9.0 documentation, the Kubernetes member types that can be used for group-based collection includeKubernetes NodeandKubernetes Serviceas supported member object categories. Nodes represent the worker compute endpoints that run workloads, while Services represent stable networking front-ends for sets of pods (and are often the anchoring object for policy and routing decisions at the Kubernetes layer). Using Node-based grouping helps apply policies to the infrastructure execution points where workloads run, and Service-based grouping helps apply policies consistently to application entry points and east-west communication targets, regardless of pod churn. This combination is especially useful in Kubernetes-centric operational models because it aligns policy scope with both (1) where workloads execute (nodes) and (2) how workloads are exposed and discovered (services).