Kubernetes:Foundations and Why It Matters – IT Exams Training

Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. Originally developed by Google, it is now maintained by the Cloud Native Computing Foundation (CNCF). It has become the de facto standard for managing modern, cloud-native applications at scale. At its core, Kubernetes provides a “control plane” that acts as the brain of a cluster, and a set of “worker nodes” that act as the brawn. Developers provide the control plane with a declarative configuration file, and Kubernetes takes over, ensuring the real-world state of the applications matches this desired state.

The Problem: Life Before Orchestration

To understand the importance of Kubernetes, we must first look at the problems it solves. In the past, applications were often large, monolithic codebases. They were deployed on bare-metal servers, which were expensive, slow to provision, and difficult to scale. If an application needed more power, an administrator had to manually provision and configure a new, physical server. This process was slow, error-prone, and led to massive resource waste. A server running at only 15% capacity still consumed 100% of its power and maintenance costs. Different applications on the same server often had conflicting dependencies, leading to the “matrix from hell” for system administrators.

The First Solution: Virtual Machines

Virtual Machines (VMs) emerged as a solution to this problem. A “hypervisor” allows a single physical server to be sliced into multiple, independent VMs. Each VM runs its own complete guest operating system, totally isolated from the others. This was a huge improvement. It allowed for better resource utilization, as multiple apps could run on the same hardware. It solved the dependency conflict problem. However, VMs are “heavy.” Each one includes a full OS, which can be gigabytes in size, consume significant resources, and take several minutes to boot. This is still far from the agile, fast-moving world of modern software.

The Second Solution: What is a Container?

Containers, popularized by Docker, offered a revolutionary alternative. A container packages an application and all its dependencies—such as libraries and configuration files—into a single, runnable unit. Unlike a VM, a container does not bundle a full guest operating system. Instead, containers on a single host share the host’s operating system kernel. They use Linux kernel features called “namespaces” for isolation (to keep processes separate) and “cgroups” to limit resource usage (CPU, memory). This makes containers incredibly lightweight, often just megabytes in size. They can boot in seconds, not minutes. This portability finally solved the “it works on my machine” problem, as the container runs identically on a developer’s laptop, a testing server, or in production.

The New Problem: The Microservice Explosion

Containers were so effective that they enabled a new architectural pattern: microservices. Instead of one giant monolith, developers began breaking applications into dozens or even hundreds of small, independent services. Each service could be developed, deployed, and scaled independently. This created a new, complex problem. If one application now consists of 50 microservices, how do you manage 50, 100, or 1000 running containers? What happens when a container crashes? How do all these services find and talk to each other? How do you roll out an update to just one service without taking the whole application down? Manually managing this complexity was impossible. A new tool was needed: an orchestrator.

What is Container Orchestration?

Container orchestration is the automated management of this containerized environment. Think of an orchestrator as the “conductor” of an orchestra. Each container is a musician. The conductor does not play an instrument, but tells all the musicians what to play, when to start, and when to stop. If a musician faints (a container crashes), the conductor points to a backup musician to take their place immediately. If a section needs to be louder (an application needs to scale), the conductor brings in more musicians for that section. Kubernetes is the most popular and powerful orchestration “conductor” available today. It handles all this complex management automatically, allowing developers to focus on writing code, not managing infrastructure.

The History of Kubernetes (K8s)

Kubernetes (from the Greek for “helmsman” or “pilot”) was born at Google. For over a decade, Google ran its massive, global services on an internal container orchestration system called Borg. Borg was a “cluster manager that runs hundreds of thousands of jobs, from thousands of different applications, across a number of clusters each with up to tens of thousands of machines.” In 2014, Google decided to open-source a new system, Kubernetes, which was built using the lessons learned from Borg. The “K8s” abbreviation is a common nickname, where the “8” represents the eight letters between “K” and “s.” Crucially, Google donated Kubernetes to the newly formed Cloud Native Computing Foundation (CNCF) in 2015. This “vendor-neutral” governance, free from the control of a single company, was a major reason it gained universal adoption over its competitors.

Core Benefit: Scalability

One of the primary benefits of Kubernetes is its ability to scale applications on demand. Kubernetes allows for “horizontal scaling,” which means increasing or decreasing the number of running copies (called “replicas”) of your application. This can be done with a single command. More importantly, Kubernetes can do this automatically using a component called the “Horizontal Pod Autoscaler” (HPA). The HPA can be configured to watch a metric, such as CPU utilization. If the average CPU load across your application’s replicas exceeds a threshold, like 75%, Kubernetes will automatically deploy new replicas to handle the load. When the traffic dies down, it will automatically terminate the extra replicas, saving resources and money.

Core Benefit: Self-Healing

Kubernetes provides powerful self-healing capabilities. Developers define a “desired state” in a configuration file—for example, “I want 3 replicas of my web server running at all times.” Kubernetes then works tirelessly to ensure the “actual state” of the cluster matches this desired state. If a worker machine (a “node”) in the cluster fails, Kubernetes detects this. It will automatically reschedule the containers that were running on the failed node onto other, healthy nodes. If a single container crashes but the node is still healthy, Kubernetes will detect the failed container and restart it. If an application fails its “health check,” Kubernetes will stop sending traffic to it until it recovers. This all happens automatically, without human intervention.

Core Benefit: Portability and Abstraction

Kubernetes provides a powerful layer of abstraction over the underlying infrastructure. This means you can run your Kubernetes cluster on your local laptop, on your own “on-premises” bare-metal servers, or in any major public cloud (like AWS, Azure, or Google Cloud). Your application’s configuration files, which define how it should run, are portable. You can take the same configuration file and deploy your application to any of these environments without changing it. This prevents “vendor lock-in,” giving companies the flexibility to move their workloads between different cloud providers to optimize for cost or features. It creates a single, consistent “API” for managing applications, regardless of where they run.

Core Benefit: Service Discovery and Load Balancing

In a dynamic microservice environment, containers are ephemeral. They are created and destroyed constantly, and their IP addresses change all the time. If “Service A” needs to talk to “Service B,” how does it find its IP address? Kubernetes solves this with a built-in “Service” object. A Service provides a single, stable IP address and DNS name for a group of containers. When “Service A” wants to talk to “Service B,” it simply sends its request to the stable “service-b” hostname. Kubernetes automatically intercepts this request and acts as a load balancer, distributing the traffic to one of the healthy, running containers for “Service B.” This allows the system to be dynamic and resilient, as containers can be added or removed without the calling service ever knowing.

Kubernetes vs. Other Orchestrators

When Kubernetes was first released, it was not the only orchestrator. Its main competitors were Docker Swarm and Apache Mesos. Docker Swarm, created by the makers of Docker, was praised for its simplicity and ease of use. It was tightly integrated with the Docker ecosystem. However, it was far less flexible and powerful than Kubernetes, and its feature development could not keep pace. Apache Mesos was a more general-purpose “data center kernel” that could orchestrate both containerized and non-containerized workloads. It was incredibly powerful and scalable, used by companies like Twitter. However, it was notoriously complex to set up and manage. Kubernetes hit the “goldilocks” sweet spot. It was more powerful and flexible than Swarm, but far easier to use and more application-focused than Mesos. Its neutral governance under the CNCF and its massive, rapidly growing community cemented its victory.

Key Use Cases for Kubernetes

While Kubernetes is a general-purpose platform, it has become the foundation for several key use cases. The most obvious is running applications built on a microservice architecture, for all the reasons already listed. It is also a core engine of modern DevOps and CI/CD (Continuous Integration/Continuous Delivery) pipelines. Developers can package their code as a container, and an automated pipeline can deploy it to Kubernetes, enabling rapid, reliable, and “immutable” deployments. Kubernetes is also increasingly used for big data and machine learning workloads. It can manage complex, distributed data processing jobs (like Apache Spark) and can schedule ML training jobs on nodes equipped with expensive, specialized hardware like GPUs. Finally, lightweight Kubernetes distributions are now being used in “edge computing.” This involves running small clusters on-site in places like retail stores, factory floors, or 5G cell towers to process data locally, reducing latency.

The Kubernetes Cluster

A running Kubernetes environment is called a “cluster.” A cluster is a set of machines, called “nodes,” that work together to run your containerized applications. A cluster is divided into two main parts: the “Control Plane” and the “Worker Nodes.” The Control Plane is the “brain” of the operation. It makes all the global decisions about the cluster, such as scheduling applications and responding to cluster events. The Worker Nodes are the “brawn.” They are the machines that do the actual work of running your applications.

A production-grade cluster will always have multiple worker nodes. For high availability, it will also typically have multiple “master” nodes that make up the control plane, ensuring that if one “brain” fails, another can take over.

The Control Plane: The “Brain”

The Control Plane is responsible for maintaining the “desired state” of the cluster. When you interact with Kubernetes, for example by using the kubectl command-line tool, you are communicating with the Control Plane. It is not a single component, but rather a collection of critical processes that run on one or more “master” nodes. These components are the kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. Understanding what each of these components does is the key to understanding how Kubernetes actually works. In a high-availability setup, these components run on three or five master nodes, with etcd forming a “quorum” to ensure data consistency.

Component Deep Dive: kube-apiserver

The kube-apiserver is the front-door, or “storefront,” for the entire control plane. It is the only component that you, and all other components, interact with directly. It exposes a RESTful API that allows you to query and manipulate the state of Kubernetes objects. When you type kubectl get pods, your command is converted into an HTTP request sent to the kube-apiserver. The API server is responsible for three main tasks. First, it authenticates and authorizes the request, checking who you are and if you have permission to do what you are asking. Second, it retrieves the requested information from etcd. Third, if you are changing something (like creating a new application), it validates your request and writes the new “desired state” into etcd. It is the single source of truth for the cluster.

Component Deep Dive: etcd

If the API server is the “storefront,” etcd is the “vault” or the “database.” It is a consistent and highly-available distributed key-value store. This is the single, persistent memory of the entire Kubernetes cluster. etcd stores the “desired state” of every single object in the cluster, as defined by you. It also stores the “actual state” of those objects, as reported by the worker nodes. The entire job of Kubernetes is to make the “actual state” match the “desired state,” and etcd is where both are stored. This makes etcd the most critical component. Losing etcd data means losing the entire state of your cluster. This is why it is always run in a “stacked” or “clustered” way (on 3 or 5 nodes) to be fault-tolerant.

Component Deep Dive: kube-scheduler

The kube-scheduler is a specialized control plane component with one job: matchmaking. It watches the API server for newly created “Pods” (the basic unit for running containers) that do not yet have a node assigned to them. When it finds one, the scheduler’s job is to find the best worker node to run that Pod on. To do this, it performs a complex filtering and scoring process. First, it “filters” the list of available nodes, removing any that cannot run the Pod. This includes nodes that do not have enough CPU or memory, or nodes that do not match specific requirements set by the Pod (like “must have a GPU”). Second, it “scores” the remaining, eligible nodes. It gives points for things like “is on a node with fewer running pods” or “is on a node that already has the container image cached.” It then assigns the Pod to the node with the highest score.

Component Deep Dive: kube-controller-manager

The kube-controller-manager is a single binary that contains multiple “controller” processes. Think of a controller as a “thermostat.” A thermostat has one job: it watches the “desired state” (the temperature you set) and the “actual state” (the current room temperature). If they do not match, it takes action (turns on the heat). Kubernetes controllers do the same thing. Each controller is responsible for a specific “resource” in the cluster. The “Node Controller” watches for nodes to go offline and marks them as “unhealthy.” The “Replication Controller” (which is part of a “Deployment”) watches to ensure the correct number of replicas for an application are running. If it sees 3 are desired but only 2 are running, it takes action by creating a new one. These “reconciliation loops” are the core “self-healing” mechanism of Kubernetes. The controller manager is the engine that runs all of these loops.

The Concept of Reconciliation Loops

The “controller” pattern is the most important concept in Kubernetes. Almost everything in Kubernetes is managed by a controller that is running a “reconciliation loop.” This loop is simple:

Get the “desired state” (from the API server, which reads from etcd).
Get the “actual state” (from the API server, which is reported by the workers).
Compare the two.
If they are different, take action to make the “actual state” look like the “desired state.”
Repeat. This is a “declarative” system. You do not tell Kubernetes how to do something; you simply declare what you want the end result to be. The controllers take over and make it happen. This is why the system is so resilient. You do not have to manually restart a failed Pod; the controller does it for you.

The Cloud Controller Manager

There is one other component that is often part of the control plane: the cloud-controller-manager. This component is only used when running Kubernetes on a public cloud provider, like AWS, Azure, or Google Cloud. In the early days, cloud-specific code was built directly into the main Kubernetes components. This was slow and violated the “vendor-neutral” principal. The cloud-controller-manager was created to abstract this away. It is a separate component that knows how to “talk” to the specific cloud’s API. For example, if you create a Kubernetes “Service” of type “LoadBalancer,” this controller will talk to the AWS API to provision an “Elastic Load Balancer.” It acts as the bridge between Kubernetes-native objects and cloud-specific resources.

The Worker Nodes: The “Brawn”

The worker nodes are the “muscle” of the cluster. They are the servers (virtual or physical) that do the actual work of running your applications. A worker node has a few key components that allow it to communicate with the control plane and manage the containers assigned to it. The three main components on every worker node are the kubelet, the kube-proxy, and the “container runtime.” The worker nodes are constantly “heartbeating” back to the control plane, reporting their health and the status of the containers they are running. This is how the control plane gets the “actual state” of the cluster.

Worker Component: The Kubelet

The kubelet is the primary “agent” that runs on every single worker node. It is the component that talks directly to the control plane’s API server. Its main job is to watch the API server for Pods that have been scheduled to its node (the job of the scheduler). When it sees a Pod assigned to it, the kubelet’s job is to make that Pod a reality. It does this by communicating with the “container runtime” (like Docker) to tell it to “please pull this image and start this container with these settings.” It also continuously monitors the health of the containers it is managing. It runs “liveness” and “readiness” probes to check if the application is healthy, and it reports this status back to the API server.

Worker Component: The Kube-Proxy

The kube-proxy is a network proxy that runs on every worker node. Its job is to make the Kubernetes “Service” networking magic actually work. As we learned, a “Service” provides a single, stable IP address for a group of dynamic, changing Pods. kube-proxy is the component that enforces these networking rules on the node itself. It watches the API server for changes to “Service” and “Pod” objects. When a new Service is created, kube-proxy will update the networking rules on the node (using iptables or IPVS in Linux) to forward any traffic destined for the “Service IP” to one of the actual, healthy “Pod IPs.” It is a small but critical component that makes microservice communication possible.

Worker Component: The Container Runtime

Finally, each worker node must have a “container runtime.” This is the low-level software that is responsible for actually running containers. For a long time, the only runtime used was Docker. However, Kubernetes later developed an open standard called the “Container Runtime Interface” (CRI). This allows Kubernetes to be pluggable and use any runtime that implements the standard. Today, common runtimes include containerd (which was originally the core of Docker) and CRI-O. The kubelet does not care which one is used; it simply speaks the CRI standard to the runtime, which then does the heavy lifting of pulling images and starting containers.

How it All Works Together: An Example

Let’s trace the life of a request:

You type kubectl run my-app –image=nginx and hit enter.
kubectl sends an HTTP POST request to the kube-apiserver to create a “Deployment” object.
The API server validates your request and writes the new “Deployment” object into etcd.
The controller-manager (specifically, the Deployment controller) sees the new Deployment object. It sees the “desired state” is 1 replica. It creates a “Pod” object and writes it to etcd.
The kube-scheduler sees a new Pod with no node assigned. It runs its algorithm, picks “Worker Node 2,” and updates the Pod object in etcd with this assignment.
The kubelet on Worker Node 2, which is always watching the API server, sees the Pod assigned to it.
The kubelet tells the “container runtime” (like containerd) to pull the “nginx” image and start the container.
The kubelet reports the Pod’s status (e.g., “Running”) back to the API server, which writes this “actual state” into etcd. At this point, the “desired state” and “actual state” match, and the loop is stable.

The Kubernetes API and Objects

Kubernetes is an API-driven system. Everything in Kubernetes is an “object” that represents your “desired state.” These objects are “first-class” citizens in the API. When you create an object, you are telling Kubernetes what you want the state of your cluster to be. You create, read, update, or delete these objects by making calls to the kube-apiserver. You can do this directly via a REST API call, but most commonly you use the kubectl command-line tool, which is just a convenient wrapper for that API. These objects are defined in “manifest” files, which are almost always written in a format called YAML. This “declarative” approach is key: you define the “what,” and Kubernetes controllers figure out the “how.” This part will cover the most fundamental and essential objects.

The Core Unit: What is a Pod?

The “Pod” is the smallest and most basic deployable object in Kubernetes. It is the “atom” of the Kubernetes ecosystem. A Pod is not a container. Instead, it is a “wrapper” or “grouping” for one or more tightly-coupled containers.

All containers within a single Pod share the same “namespace.” This means they share the same network (the same IP address and port space) and can communicate with each other via localhost. They can also share the same storage “volumes.” This co-location is by design. A Pod represents a single “instance” of an application. While you can put multiple containers in a Pod, the vast majority of Pods contain only a single container.

Single-Container vs. Multi-Container Pods

The single-container Pod is the most common use case. You have one application, like a web server, and you put its container into one Pod. Kubernetes will manage the Pod as a single unit. Multi-container Pods are reserved for specific patterns where containers are “tightly coupled” and need to share resources. The most common pattern is the “sidecar.” A sidecar is a secondary container that runs alongside your main application container. Its purpose is to help the main application. For example, you might have a sidecar container that collects logs from the main application and forwards them to a central logging system. Or you might have a “service mesh” sidecar that manages all network traffic for the main container.

The Pod Lifecycle

Pods are “ephemeral,” or “mortal.” They are not designed to live forever. They are created, they run, and then they are terminated. They are never “restarted” or “healed.” If a Pod fails, Kubernetes does not fix it; it terminates it and creates a new, replacement Pod with a new IP address. This is a critical concept. You should never, ever create a “naked” Pod directly. If you do, and the node it is running on fails, the Pod is gone forever. Instead, you must always use a “controller” object, like a “Deployment” or “StatefulSet.” These higher-level objects will manage the Pods for you, ensuring that if a Pod dies, the controller will automatically create a new one to replace it, maintaining your “desired state.” A Pod has a simple lifecycle, and its status is always visible. It can be “Pending” (being scheduled), “ContainerCreating” (image is pulling), “Running” (it is healthy), “Succeeded” (a batch job finished), or “Failed” (the job crashed).

Labels and Selectors

How does Kubernetes know which Pods belong to which application? How does a “Service” know which Pods to send traffic to? The answer is a simple but brilliant key-value system called “Labels and Selectors.” A “Label” is a key-value pair that you attach to any object, like a Pod. For example, you could label your web server Pods with app: my-web-app and environment: production. These are just metadata; they do not do anything on their own. A “Selector” is a query that uses those labels. A higher-level object, like a “Service,” will have a selector that says “find all Pods with the label app: my-web-app.” This loose-coupling mechanism is what allows Kubernetes to be so flexible. The Service does not care about individual Pods, only about the label that identifies them.

Annotations

While labels are used for “selecting” objects, “Annotations” are another key-value system used to attach “non-identifying” metadata. This is a place for “human-readable” information or instructions for other tools. Annotations are used for things that are not meant to be used by the core Kubernetes selectors. Examples include a description of what the application does, a contact email for the team that owns it, or a timestamp of the last deployment. Third-party tools also use annotations heavily. For example, an “Ingress” controller (which manages web traffic) might use an annotation on a Service object to get specific configuration instructions.

Abstracting the Network: What is a Service?

We have established that Pods are ephemeral and their IP addresses change. This creates a problem for communication. This is solved by the “Service” object. A Service is a stable, virtual abstraction that provides a single, unchanging IP address (called the “ClusterIP”) and a DNS hostname for a group of Pods.

When a “frontend” Pod wants to talk to a “backend” Pod, it does not try to find a Pod IP. It simply sends its request to the stable DNS name of the “backend-service.” The kube-proxy on the node intercepts this request and automatically routes it to one of the healthy backend Pods that match the Service’s “selector.” This is the core mechanism for “service discovery” and “load balancing” within the cluster.

Types of Services

The “ClusterIP” is the default and most common type of Service. It provides a stable IP address that is only reachable from inside the cluster. This is perfect for internal, microservice-to-microservice communication. But what if you need to expose your application to the outside world? Kubernetes provides other Service types for this. A “NodePort” service exposes the application on a high-numbered port on every worker node’s IP address. This is a simple way to get external traffic in, but it is clunky and not ideal for production. A “LoadBalancer” service is the standard way to expose an application in a cloud environment. When you create this type of Service, the “cloud-controller-manager” will automatically provision a real, external cloud load balancer (like an AWS ELB) and configure it to send traffic to your Pods. An “ExternalName” service is a special type that does not point to Pods. Instead, it creates an internal DNS CNAME record that points to an external service, like a database managed outside of Kubernetes.

Organizing the Cluster: Namespaces

What happens when multiple teams, with multiple applications, all need to share the same Kubernetes cluster? If everyone creates objects in the same “space,” it will quickly become a chaotic mess of naming conflicts. “Namespaces” are the solution. A Namespace provides a “virtual cluster” or a “scope” for Kubernetes objects. It allows you to partition a single physical cluster into multiple, logically isolated environments. Commonly, organizations create Namespaces like development, staging, and production. Or they create Namespaces for each team, like team-billing, team-frontend, and team-payments. Names in one Namespace must be unique, but you can have an object named my-app in both the development and production Namespaces without any conflict. Namespaces are also the primary way to implement “ResourceQuotas” (to limit a team’s CPU/memory usage) and “NetworkPolicies” (to firewall teams from each other).

Viewing Your Namespaces

When you first start using Kubernetes, you are in the default Namespace. Most kubectl commands are “scoped” to your current Namespace. To see all the Namespaces in your cluster, you can run the command kubectl get namespaces. You will see default, but also several Namespaces that start with kube-. These are kube-system (where the Control Plane components live), kube-public (for public, readable data), and kube-node-lease (for node health). You should never create your own applications in the kube-system Namespace. To run a command in a different Namespace, you use the -n flag, such as kubectl get pods -n production. To permanently switch your context to a different Namespace, you use a longer command: kubectl config set-context –current –namespace=production.

Declarative vs. Imperative Management

There are two ways to “talk” to the Kubernetes API. The “imperative” way is to give direct commands, like “run this container” or “scale this app.” The kubectl run and kubectl scale commands are examples of this. It is fast, easy, and good for one-off tasks or learning. The “declarative” way is to write a “manifest” file (a YAML file) that describes the entire desired state of an object. You then tell Kubernetes, “here is the file, make the cluster look like this.” You do this with the kubectl apply -f my-file.yaml command. This is the professional, standard way to manage applications. The YAML file becomes your “source of truth.” You can store it in “git” (version control), review changes, and have a repeatable, auditable deployment process. All controllers in this section are designed to be managed declaratively.

Introduction to YAML Manifests

A YAML file is the “blueprint” for a Kubernetes object. Every single manifest file, regardless of what it describes, must contain four top-level fields: apiVersion: Which version of the Kubernetes API to use to create this object (e.g., apps/v1 for a Deployment, v1 for a Service). kind: The type of object this file is describing (e.g., Deployment, Service, Pod, ConfigMap). metadata: This is a dictionary of “data about the data.” It must include a name for the object, and it is also where you put your labels and annotations. spec: This is the most important field. “Spec” is short for “specification,” and it is where you define the desired state of the object. The contents of spec are different for every kind. For a Deployment, it would include the container image and replica count. For a Service, it would include the ports and the selector.

The Problem with Naked Pods

As discussed in Part 3, you should never create a “naked” Pod directly. A Pod is a mortal, ephemeral object. If the node it is running on fails, the Pod is gone, and it will not be replaced. There is no self-healing. To solve this, Kubernetes provides a set of “controller” objects. These controllers are “managers” that you create. Their job is to create, manage, and scale Pods on your behalf, ensuring your application is always running in its desired state. The most important of these controllers is the “Deployment.” When you want to run a stateless application, you do not create a Pod; you create a Deployment, and the Deployment creates and manages the Pods for you.

The Workhorse: What is a Deployment?

A “Deployment” is a high-level API object designed to manage “stateless” applications. A stateless application is one that does not store any persistent data or state within itself. A web server, a front-end application, or a simple API are perfect examples. In a Deployment’s YAML file, you define a “template” for the Pods you want to run. This template includes the container image, the ports to open, and the labels to attach. You also tell the Deployment how many copies, or “replicas,” of this Pod you want running. The Deployment’s controller will then create a “ReplicaSet” to make this a reality.

Understanding ReplicaSets

You almost never create a “ReplicaSet” directly, but it is important to understand what it is. A ReplicaSet is a simpler controller whose only job is to ensure that a specified number of Pod replicas are running at all times. A Deployment uses a ReplicaSet to manage its Pods. When you create a Deployment, it creates a ReplicaSet. The ReplicaSet then creates the Pods. The reason for this separation is to enable updates. When you update your Deployment (e.g., to use a new container image), the Deployment controller does not modify the old ReplicaSet. Instead, it creates a brand new ReplicaSet with the new image, and it slowly “rolls” the deployment from the old one to the new one.

Rolling Updates and Rollbacks

This “rolling update” strategy is one of the most powerful features of a Deployment. When you change your Deployment’s spec (like updating the image:), the controller kicks off a rolling update. It will create a new Pod (from the new ReplicaSet) and wait for it to be healthy. Once it is healthy, it will terminate one Pod from the old ReplicaSet. It repeats this “one at a time” process until all the old Pods are gone and have been replaced by new, healthy Pods. This ensures a “zero-downtime” deployment. Your application remains available and continues to serve traffic during the entire update. Even better, every Deployment keeps a “revision history.” If you discover the new code has a bug, you can run a single command (kubectl rollout undo) and the Deployment will perform a “rollback,” rolling back to the previous, stable ReplicaSet in the same, safe, zero-downtime fashion.

Handling Stateful Applications: What is a StatefulSet?

A Deployment is perfect for stateless apps, but what about stateful applications like databases (e.g., MySQL, PostgreSQL, etcd) or message queues (e.g., Kafka)? These applications have unique requirements that Deployments cannot handle. These applications require “stable, unique network identifiers” and “stable, persistent storage.” A Pod in a Deployment is one of many identical “cattle.” A Pod in a stateful application is a “pet” that needs a unique identity. For this, Kubernetes provides the “StatefulSet” controller. A StatefulSet manages Pods, but unlike a Deployment, it gives each Pod a stable, predictable identity.

Stable Identity in StatefulSets

A StatefulSet named my-db with 3 replicas will create Pods with unique, ordinal names: my-db-0, my-db-1, and my-db-2. These names are stable. If my-db-1 fails, its replacement will be guaranteed to be named my-db-1. This stable naming also applies to the network. A special “Headless Service” is used with the StatefulSet, which gives each Pod its own stable DNS record (e.g., my-db-1.my-service.my-namespace…). This “stable identity” is crucial for distributed systems like databases, where “leader” election and “peer-to-peer” communication require each member of the cluster to have a stable, findable address. A StatefulSet also provides ordering guarantees. It will deploy my-db-0 and wait for it to be healthy before it even starts deploying my-db-1. This is critical for database “bootstrapping.”

Decoupling Configuration: What is a ConfigMap?

You should never “hard-code” configuration details—like a database URL or a theme color—directly into your application’s container image. This is inflexible. If you want to change one variable, you have to rebuild and redeploy the entire image. Kubernetes solves this with the “ConfigMap” object. A ConfigMap is a simple object that stores configuration data as key-value pairs. It is designed to store “non-sensitive” configuration data. You create the ConfigMap in Kubernetes, and then you “inject” that data into your Pod at runtime. You can inject it as “environment variables” (the most common way) or as a “volume file,” mounting the key-value pairs as a configuration file inside the container’s filesystem. This decouples the configuration from the application. To change the config, you just update the ConfigMap and restart the Deployment, with no need to build a new container image.

Managing Sensitive Data: What is a Secret?

A “Secret” object is identical to a ConfigMap in its function: it stores key-value pairs that can be injected into a Pod as environment variables or volume files. The one and only difference is that a Secret is intended for “sensitive” data, like passwords, API keys, or TLS certificates. The data in a Secret is stored as “base64” encoded strings. It is very important to understand that this is “encoding,” not “encryption.” It is trivial to decode. The primary purpose of a Secret is to semantically separate sensitive data from non-sensitive data, which allows Kubernetes to apply different policies to it (e.g., “do not print the contents of a Secret to the logs”). For true security, sensitive data should be stored in an external “vault” system, but Secrets are the default, built-in mechanism.

Running One-off Tasks: What is a Job?

A Deployment is designed to run applications “forever.” If a Pod exits, it is restarted. But what about a task that needs to run once and then stop? For example, a batch script to process a file, or a database migration script that needs to run one time before a new application version is deployed. For this, Kubernetes provides the “Job” object. A Job is a controller that creates one or more Pods and ensures that a specified number of them “successfully” complete. When the Pod’s main process exits with a “0” (success) exit code, the Job considers it complete. It does not restart the Pod. The Job is now “done.” This is the perfect tool for “run-to-completion” batch workloads.

Running Scheduled Tasks: What is a CronJob?

The “CronJob” object builds on top of the “Job” object. A CronJob is a controller that creates Jobs on a repeating schedule. It uses the classic “cron” syntax from Linux. You define a schedule in your CronJob manifest, for example, 0 5 * * *, which means “at 5:00 AM, every single day.” At that specified time, the CronJob controller will “wake up” and create a new “Job” object. That Job object will then create a Pod to run your task (e.g., a “daily backup script” or a “nightly report generator”). This is a simple, reliable way to manage all of your scheduled, recurring tasks directly within Kubernetes, using the same declarative YAML format as the rest of your applications.

The Kubernetes Network Model

Kubernetes makes a fundamental assumption about networking: all Pods can communicate with all other Pods, regardless of which node they are on, without needing “Network Address Translation” (NAT). This is the “flat network” model. This means every Pod in the cluster gets its own unique, real IP address. A Pod on “Node 1” can directly address a Pod on “Node 5” using its IP. Kubernetes itself does not implement this model; it only requires it. The actual implementation of this flat network is handled by a “Container Network Interface” (CNI) plugin. This is a separate piece of software you must install in your cluster that takes care of assigning IP addresses to Pods and routing the traffic between nodes.

What is the Container Network Interface (CNI)?

The CNI is a specification that defines a standard interface between the “container runtime” (like containerd) and the “networking logic.” When the kubelet requests to start a new Pod, the runtime calls the CNI plugin. The CNI plugin is responsible for several key tasks. First, it “assigns” an IP address to the new Pod’s network namespace, usually from a pre-configured IP “pool.” Second, it “connects” that namespace to the “node’s” network, often by creating a “virtual ethernet pair.” Popular CNI plugins include Calico, Flannel, and Weave. Each one implements the flat network model in a different way. Flannel is simple and uses “overlay” networks (like VXLAN) to wrap up traffic. Calico is more complex and uses “BGP” to create a true, routed network, which is more performant.

Revisiting kube-proxy: iptables vs. IPVS

As we learned in Part 2, kube-proxy is the agent on every node that makes “Service” networking possible. It watches the API server and translates the “virtual” Service IP into real Pod IPs. For many years, kube-proxy did this by managing complex rules in iptables, a packet-filtering framework built into the Linux kernel. This is very robust but can become slow and unmanageable if you have thousands of Services. A more modern, high-performance mode for kube-proxy uses IPVS (IP Virtual Server). IPVS is also part of the Linux kernel but is designed specifically for load balancing at scale. It is much faster and more efficient than iptables for clusters with a large number of Services. Most modern clusters now use IPVS mode.

Managing External Access: What is an Ingress?

We learned that a “Service” of type “LoadBalancer” is one way to expose an application. This is a “Layer 4” (TCP) load balancer. It is simple, but it has a big drawback: every Service you expose creates a new, expensive cloud load balancer. This is not ideal for “Layer 7” (HTTP/HTTPS) traffic. You might have 50 different microservices (like my-app.com/api, my-app.com/blog, my-app.com/shop) that you want to expose, but you want them all to run through a single external load balancer and IP address. For this, Kubernetes provides the “Ingress” object. An Ingress is a “smart router” for HTTP traffic. It is a set of rules that maps external hostnames and paths to internal Kubernetes Services.

How Ingress Controllers Work

Creating an “Ingress” object on its own does nothing. The Ingress object is just a set of rules. You must also install an “Ingress Controller” in your cluster to act on those rules. The Ingress Controller is the actual “engine” or “reverse proxy” that does the work. Popular controllers include Nginx, Traefik, and HAProxy.

Your workflow is this:

You deploy your applications (Deployments) and expose them internally with “ClusterIP” Services.
You install an Ingress Controller (like Nginx) into your cluster.
You expose the Ingress Controller itself using a single “LoadBalancer” Service. This is the only cloud load balancer you pay for.
You create “Ingress” objects that define the rules, such as “requests for my-app.com/api should go to the api-service.” The Ingress Controller watches the API server, sees your new Ingress object, and automatically reconfigures itself to route the traffic.

Network Security: What are NetworkPolicies?

The default “flat network” model is great for simplicity, but it is bad for security. By default, any Pod can talk to any other Pod in the cluster. A “frontend” Pod can talk directly to a “database” Pod. This is a huge security risk. A “NetworkPolicy” object acts as a “firewall” for your Pods. It allows you to define “ingress” (incoming) and “egress” (outgoing) traffic rules at the Pod level. You can create rules like:

“Only Pods with the label role: frontend can connect to Pods with the label role: api on port 8080.”
“Pods with the label role: api can only make ‘egress’ connections to Pods with the label role: database.”
“This Pod is not allowed to make any ‘egress’ connections to the public internet.” Like Ingress, a NetworkPolicy object does nothing on its own. Your CNI plugin (like Calico) must support and enforce these policies.

The Problem of Storage

We have established that Pods are ephemeral. If a Pod is terminated and replaced, its filesystem is destroyed with it. This is fine for stateless apps, but disastrous for a database. Kubernetes provides a few simple “Volume” types for storage. The most basic is emptyDir. This is an “ephemeral” volume that is created with the Pod and is deleted when the Pod is terminated. Its only purpose is to share files between containers in a single multi-container Pod. To save data permanently, we need “persistent” storage.

Persistent Storage: PersistentVolume (PV)

A “PersistentVolume” (PV) is an object that represents a “piece of storage” in the cluster. It is an abstraction for a real storage device, like an “AWS Elastic Block Store (EBS) volume,” a “Google Persistent Disk,” or an “NFS” (Network File System) share. A cluster administrator is responsible for “provisioning” this storage. They might manually create a 100GB EBS volume in AWS, and then create a “PersistentVolume” object in Kubernetes to represent that volume. The PV object contains the details about the storage: its size (100GB), its “access mode” (e.g., “can be mounted by one node at a time”), and the technical details of how to mount it.

Persistent Storage: PersistentVolumeClaim (PVC)

This separation of concerns is key. A developer running an application does not, and should not, care how the storage is provisioned. They do not care if it is an EBS volume or a Google disk. They just need to request storage. A “PersistentVolumeClaim” (PVC) is an object a developer creates. It is a “request” for storage. The developer’s YAML manifest says, “I need 20GB of storage that has ‘fast’ performance.” The Kubernetes control plane then tries to “bind” this “Claim” (the request) to a “Volume” (the available resource). It will look for an “unbound” PersistentVolume that meets the PVC’s requirements (e.g., is at least 20GB). If it finds one, it “binds” them together, and the Pod can now “claim” and “mount” that volume.

Dynamic Provisioning: StorageClasses

The PV/PVC model is great, but it still requires an administrator to manually “pre-provision” storage. This is slow. “Dynamic Provisioning” automates this. A “StorageClass” object is an object that describes a “type” or “class” of storage. An administrator might create a “fast” StorageClass that provisions “Premium SSD” disks, and a “slow” StorageClass that provisions “Standard HDD” disks. Now, the developer’s “PersistentVolumeClaim” simply requests a “StorageClass” by name. When the control plane sees this PVC, it will dynamically call the cloud provider’s API, automatically provision a new 20GB Premium SSD disk, automatically create the “PersistentVolume” object for it, and then bind it to the PVC. This is the standard, modern way to handle persistent storage in Kubernetes. It is fully automated and on-demand.

The kubectl Command Line Interface

The primary tool for interacting with a Kubernetes cluster is kubectl, a powerful command-line interface. This tool communicates with the kube-apiserver to manage your cluster’s resources. kubectl works based on a “kubeconfig” file, which is typically stored in your home directory. This file contains the API server’s address, your user credentials, and the cluster “context.” This allows you. to manage multiple clusters (e.g., “dev,” “prod,” “local”) and switch between them. Common imperative commands include kubectl get pods (to view running pods), kubectl describe pod <name> (to get detailed, human-readable information about a pod), and kubectl logs <pod-name> (to stream the logs from a container). The most important command is kubectl apply -f <filename.yaml>, which is the declarative command to apply a manifest file and create or update a resource in the cluster.

Getting Started: Minikube

Reading about Kubernetes is one thing; using it is another. One of the easiest ways to get started is with “Minikube.” Minikube is a tool that provisions a complete, single-node Kubernetes cluster inside a virtual machine (or container) on your local computer. This means all the control plane components (API server, scheduler, etc.) and the worker components (kubelet) run on a single “node.” Minikube is incredibly easy to set up and tear down. It is the perfect environment for learning, local development, and testing your YAML manifest files before you deploy them to a real, multi-node cluster. It provides the full Kubernetes API, so your configurations will work exactly the same way in a large cloud cluster.

Getting Started: Kind (Kubernetes in Docker)

Another popular tool for local development is “Kind,” which stands for “Kubernetes in Docker.” This tool takes a different approach. Instead of running Kubernetes in a heavy virtual machine, Kind runs each Kubernetes “node” as a “Docker container.” This is a very clever and lightweight solution. You can boot a complete, multi-node cluster on your laptop in under two minutes, with the control plane running in one container and your “worker nodes” running as other containers. Kind is faster to start and stop than Minikube and is particularly popular for use in automated testing pipelines (CI/CD), as you can instantly create a “clean” cluster, run your tests against it, and then tear it down.

Kubernetes in the Cloud: Managed Services

While local clusters are great for learning, production applications run in the cloud. Running a “self-managed” Kubernetes cluster in the cloud (e.g., on raw EC2 instances) is notoriously complex. You are responsible for managing etcd backups, control plane upgrades, and node health. To solve this, every major cloud provider offers a “Managed Kubernetes Service.” In this model, the cloud provider manages the entire control plane for you. They take care of its availability, scaling, and upgrades. You are only responsible for provisioning and paying for your “worker nodes.” This is the standard way to use Kubernetes in production, as it removes 90% of the operational burden.

Provider: Amazon Elastic Kubernetes Service (EKS)

Amazon EKS is Amazon Web Services’ managed Kubernetes offering. It provides a fully managed, highly available control plane that runs across multiple “Availability Zones.” EKS is known for its deep integration with the AWS ecosystem. It integrates natively with AWS “IAM” for authentication, “VPC” for networking, and “Elastic Load Balancers” (ELBs) for services. It provides a “vanilla” Kubernetes experience, meaning Amazon does not modify the open-source Kubernetes code. This ensures high compatibility. You manage your worker nodes using “EKS Node Groups” or a more advanced service called “Fargate,” which provides a “serverless” way to run pods without managing nodes at all.

Provider: Google Kubernetes Engine (GKE)

Google Kubernetes Engine (GKE) is Google’s managed offering. Given that Google created Kubernetes, GKE is often considered the most “mature” and “feature-rich” managed service. GKE has pioneered features like “Autopilot,” a mode where Google manages everything—both the control plane and the worker nodes. You are billed “per-pod,” making it a truly serverless Kubernetes experience. GKE also offers features like best-in-class auto-scaling, automatic node upgrades, and a simple, intuitive web interface. It is known for its strong opinions and ease of use, making it a favorite for many developers.

Provider: Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is Microsoft’s fully managed solution. Like its competitors, it offers a free, managed control plane and deep integration with the Azure ecosystem. AKS integrates natively with “Azure Active Directory” for authentication, “Azure Monitor” for logging, and “Azure Disks” for persistent storage. AKS has a strong focus on enterprise and developer-friendly features. It has excellent integrations with development tools like “Visual Studio Code” and “GitHub,” and it offers robust “virtual node” capabilities, allowing you to “burst” your workloads into the “Azure Container Instances” serverless platform to handle sudden spikes in traffic.

Package Management: What is Helm?

As your applications become more complex, your list of YAML files will grow. A single application might require a Deployment, a Service, a ConfigMap, a Secret, and an Ingress. Managing these five separate files for “dev,” “staging,” and “prod” becomes a nightmare. “Helm” is the “package manager” for Kubernetes. It is like “apt” for Ubuntu or “Homebrew” for macOS. Helm allows you to bundle all of your application’s YAML files into a single, managed package called a “Chart.” A Helm Chart is a “template” of your application. You can then deploy this chart multiple times, providing a “values” file to customize it for each environment. For example, you can deploy the same chart to “dev” (with replicaCount: 1) and to “prod” (with replicaCount: 10). This is the standard way to manage complex applications.

Monitoring and Observability

Once your application is running, how do you know if it is healthy? How do you debug it when it fails? This is the domain of “observability.” The de facto standard for monitoring in the Kubernetes world is “Prometheus” and “Grafana.” Prometheus is an open-source “time-series database” and “monitoring” system. It is designed to “scrape” (pull) metrics from your applications and Kubernetes components at regular intervals. Grafana is an open-source “visualization” platform. It connects to Prometheus as a data source and allows you to build powerful, beautiful dashboards to visualize your metrics, showing CPU usage, memory, request latency, and application-specific metrics.

Extending Kubernetes: What is an Operator?

What if you want to manage a complex application, like a PostgreSQL database, using Kubernetes-native “declarative” principles? A simple StatefulSet is not enough. A real database requires complex actions like “perform a backup,” “orchestrate a failover,” or “seed a new replica.” The “Operator Pattern” is the solution. An Operator is a “custom controller” that you install into your cluster. It extends the Kubernetes API with “Custom Resource Definitions” (CRDs). For example, you can install the “Postgres Operator.” It will create new “kinds” of objects, like PostgresCluster. You can then create a YAML file with kind: PostgresCluster and spec: {replicas: 3, backup: true}. The Operator’s controller, which is running in your cluster, will see this and perform all the complex, stateful actions to make it a reality.

Advanced Networking: What is a Service Mesh?

In a large microservice architecture, you start to have new, complex problems. How do you enforce “mTLS” (mutual, encrypted communication) between all services? How do you perform “canary” deployments (sending 1% of traffic to a new version)? How do you get detailed latency metrics for every service-to-service call? A “Service Mesh,” like “Istio” or “Linkerd,” is an advanced networking layer that solves this. It works by injecting a “sidecar” proxy (like “Envoy”) into every single Pod in your application. This proxy intercepts all incoming and outgoing network traffic. This allows a central control plane to manage, secure, and monitor all network communication without the application code even knowing it is happening.

Conclusion

“Serverless” or “Function-as-a-Service” (FaaS) platforms offer an event-driven model where you deploy code as “functions” that scale to zero. Kubernetes is a container-based, not function-based, platform. However, projects like “Knative” build on top of Kubernetes to provide a serverless experience. Knative can watch for events (like an HTTP request) and “scale up” your application from zero pods to handle it. When the traffic stops, it will automatically scale your application back down to zero, saving significant resources. This provides the best of both worlds: the serverless, event-driven model combined with the portable, open-source Kubernetes foundation.