Kubernetes — Basics

Control plane (master):

  • API server — front door, validates and persists to etcd.
  • etcd — KV store, cluster state.
  • Scheduler — decides which node runs a new pod.
  • Controller manager — runs core controllers (deployment, replicaset, node, job, …).
  • Cloud controller manager — talks to cloud APIs.

Node (worker):

  • kubelet — runs pods, talks to API server.
  • kube-proxy — service networking (iptables / IPVS).
  • Container runtime — containerd / cri-o.
  • CNI plugin — pod networking (Calico, Cilium, Flannel).

Core objects:

  • Pod — smallest unit. One or more containers sharing network + storage. Ephemeral.
  • ReplicaSet — N replicas of a pod.
  • Deployment — declarative updates over ReplicaSets. Strategy: RollingUpdate / Recreate.
  • StatefulSet — ordered, persistent identity (e.g. databases). Pods named pod-0, pod-1.
  • DaemonSet — one pod per node (log shipper, node exporter).
  • Job — run to completion.
  • CronJob — scheduled jobs.
  • Service — stable virtual IP for pod set:
    • ClusterIP (default) — internal only.
    • NodePort — exposes on each node port.
    • LoadBalancer — provisions cloud LB.
    • ExternalName — DNS CNAME.
  • Ingress — HTTP(S) router (nginx-ingress, Traefik, AWS ALB controller).
  • Gateway API — successor to Ingress, more expressive.
  • ConfigMap — non-secret config (env / files).
  • Secret — base64 (not encrypted by default — enable etcd encryption + RBAC).
  • PersistentVolume / PersistentVolumeClaim — storage abstraction.
  • StorageClass — dynamic provisioner.
  • Namespace — logical partition.
  • NetworkPolicy — pod-level firewall.
  • Role / ClusterRole + RoleBinding / ClusterRoleBinding — RBAC.
  • HorizontalPodAutoscaler (HPA) — scale by CPU / mem / custom metric.
  • VerticalPodAutoscaler (VPA) — adjust requests/limits.
  • CustomResourceDefinition (CRD) — extend the API.
  • Operator — controller for a CRD (Postgres operator, Cert-Manager, Prometheus operator).

Pod phases: Pending / Running / Succeeded / Failed / Unknown.

Containers in a pod also have states (Waiting, Running, Terminated); the pod's restartPolicy (default Always) governs whether they are restarted.

Probes:

  • liveness — restart container if unhealthy.
  • readiness — remove from Service endpoints if not ready.
  • startup — first probe with longer grace; suspends liveness until first success.

Resources:

  • requests — guaranteed; scheduler uses for placement.
  • limits — hard cap; CPU throttled, memory OOM-killed.
  • QoS classes: Guaranteed (req=lim), Burstable (req<lim), BestEffort (none).
  • Pods evicted in BestEffort → Burstable → Guaranteed order under pressure.

Networking:

  • Every pod gets an IP. Pod-to-pod direct (no NAT) by CNI.
  • Services route via virtual IP (kube-proxy iptables/IPVS).
  • DNS: pods resolve service.namespace.svc.cluster.local.
  • Ingress / Gateway = L7 entry from outside.

Storage:

  • Container fs is ephemeral.
  • emptyDir — pod-local scratch (RAM or disk).
  • hostPath — node fs (avoid).
  • PVC referencing a StorageClass provisions a PV (EBS, Cloud Disk, NFS, Ceph).
  • StatefulSet pods get stable PVC per ordinal.

kubectl:

kubectl get pods -A
kubectl describe pod <p>
kubectl logs <p> -c <container> -f --since=10m
kubectl exec -it <p> -- sh
kubectl apply -f manifest.yaml
kubectl edit deploy app
kubectl rollout status deploy/app
kubectl rollout undo deploy/app
kubectl scale deploy app --replicas=5
kubectl top pods
kubectl port-forward svc/app 3000:80
kubectl create secret generic db --from-literal=password=...
kubectl explain deployment.spec.strategy

Manifest (Deployment + Service):

apiVersion: apps/v1
kind: Deployment
metadata: { name: api }
spec:
  replicas: 3
  selector: { matchLabels: { app: api } }
  template:
    metadata: { labels: { app: api } }
    spec:
      containers:
        - name: api
          image: ghcr.io/org/api:1.2.3
          ports: [{ containerPort: 8080 }]
          env:
            - name: PG_HOST
              valueFrom: { configMapKeyRef: { name: app-cfg, key: pg_host } }
          resources:
            requests: { cpu: 100m, memory: 256Mi }
            limits: { cpu: 500m, memory: 512Mi }
          readinessProbe:
            httpGet: { path: /readyz, port: 8080 }
            initialDelaySeconds: 5
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 15
---
apiVersion: v1
kind: Service
metadata: { name: api }
spec:
  type: ClusterIP
  selector: { app: api }
  ports: [{ port: 80, targetPort: 8080 }]

Config / secrets:

  • ConfigMap: kubectl create configmap app --from-file=config.yaml.
  • Secret: best wrapped via External Secrets Operator from Vault / Secrets Manager. Don't commit secrets to the repo.
  • Mount either one as env vars or as files.
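Added example, not the page's own code: a small Python lint that checks a pod spec against the resource, probe and storage notes above (requests/limits, QoS class, probes, hostPath, secrets passed as literals) using a constructed copy of the page's api Deployment template beside a constructed bad spec. The secret-name heuristic and the finding strings are my assumptions.

```python
# Added example: lint a pod spec against the cheat-sheet's resource, probe and
# storage notes. Manifests are constructed Python dicts, so no YAML parser is needed.
def qos_class(containers):
    """Guaranteed: every container has cpu+memory limits and requests equal to them (unset requests default to limits); BestEffort: nothing set; else Burstable."""
    any_set, guaranteed = False, True
    for c in containers:
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        for r in ("cpu", "memory"):
            any_set = any_set or r in req or r in lim
            if r not in lim or req.get(r, lim[r]) != lim[r]:
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"

def lint_pod_spec(pod):
    """Return a list of findings; an empty list means the spec follows the notes."""
    findings = []
    for v in pod.get("volumes", []):          # hostPath = node fs, avoid
        if "hostPath" in v:
            findings.append(f"volume {v['name']}: hostPath mounts the node fs")
    for c in pod["containers"]:
        n, res = c["name"], c.get("resources", {})
        for kind in ("requests", "limits"):   # requests for placement, limits as hard cap
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    findings.append(f"{n}: missing resources.{kind}.{r}")
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                findings.append(f"{n}: no {probe}")
        for e in c.get("env", []):            # heuristic: secret-looking name with a literal value
            if "value" in e and any(k in e["name"].upper() for k in ("PASSWORD", "TOKEN", "SECRET")):
                findings.append(f"{n}: env {e['name']} is a literal; use secretKeyRef")
    return findings

API_POD = {"containers": [{  # constructed from the page's Deployment pod template
    "name": "api", "image": "ghcr.io/org/api:1.2.3",
    "env": [{"name": "PG_HOST", "valueFrom": {"configMapKeyRef": {"name": "app-cfg", "key": "pg_host"}}}],
    "resources": {"requests": {"cpu": "100m", "memory": "256Mi"},
                  "limits": {"cpu": "500m", "memory": "512Mi"}},
    "readinessProbe": {"httpGet": {"path": "/readyz", "port": 8080}}, "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}}]}
DEBUG_POD = {  # constructed counter-example: hostPath scratch, no resources, password as literal
    "volumes": [{"name": "scratch", "hostPath": {"path": "/tmp"}}],
    "containers": [{"name": "dbg", "image": "busybox", "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}

if __name__ == "__main__":
    for name, pod in (("api", API_POD), ("debug", DEBUG_POD)):
        print(name, qos_class(pod["containers"]), lint_pod_spec(pod))
```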

RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: pod-reader, namespace: default }
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: { name: alice-pod-reader, namespace: default }
subjects: [{ kind: User, name: alice }]
roleRef: { kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io }

ClusterRole / ClusterRoleBinding = cluster-wide (not namespaced).