Kubernetes guide
What Kubernetes does in production
Kubernetes (K8s) automates deployment, scaling, and operations of containerized applications. You declare desired state in YAML; controllers continuously reconcile actual state toward that target. It abstracts individual machines into a pool of compute — you think in terms of pods and services, not which VM runs which process.
Cluster architecture
Control plane (older docs call these "master" components):
- kube-apiserver — REST API front door; every kubectl command and every controller goes through it
- etcd — persistent key-value store for all cluster data
- kube-scheduler — assigns pods to nodes
- kube-controller-manager — runs controllers (Deployments, ReplicaSets, etc.)
- cloud-controller-manager — cloud-specific integrations (optional)
Worker nodes:
- kubelet — agent that runs pods on the node
- kube-proxy — network rules for Services
- Container runtime — containerd or CRI-O; Docker Engine only via the cri-dockerd adapter, since the in-tree dockershim was removed in Kubernetes 1.24
Managed clusters (EKS, GKE, AKS) hide the control plane; you still debug the same workload objects with kubectl.
How kubectl interacts with the cluster
- Config — ~/.kube/config holds clusters, users, contexts, and the default namespace per context
- Request — kubectl sends HTTPS to the API server, authenticating with a client cert, bearer token, or OIDC ID token
- Authenticate / authorize / admit — the API server identifies the caller, authorizes the request (RBAC), then runs admission: mutating webhooks, schema validation, validating webhooks
- Persist — object written to etcd
- Reconcile — controllers and kubelet react to watches and update status
Core workload objects
- Pod — smallest deployable unit; one or more containers sharing network/storage
- Deployment — declarative rolling updates for stateless apps
- StatefulSet — stable identity and storage for stateful apps
- DaemonSet — one pod per node (agents, log collectors)
- Job / CronJob — run-to-completion and scheduled tasks
Networking and exposure
- Service — stable virtual IP/DNS for a set of pods (ClusterIP, NodePort, LoadBalancer)
- Ingress — HTTP/S routing into the cluster (needs an ingress controller)
- NetworkPolicy — firewall rules between pods (if CNI supports it)
DNS inside the cluster resolves service.namespace.svc.cluster.local; from a pod in the same namespace the bare service name also resolves via the search domains.
Ingress and TLS patterns are covered in the Traefik lab and Nginx lab.
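The NetworkPolicy bullet above deserves a concrete baseline. The script below is an added example, not from this guide: it renders a default-deny policy for a namespace, the DNS egress exception that default-deny-egress otherwise breaks, and an allow rule for one app from one source namespace. The namespace, app label, source namespace and port are parameters; the values used in the demo call are assumptions. Rendering is offline; applying is left to a kubectl call the reader runs against a real cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): render a NetworkPolicy baseline for a namespace.
# Usage: render_netpol_baseline <namespace> <app-label> <allowed-source-namespace> <port>
set -euo pipefail

render_netpol_baseline() {
  local ns="$1" app="$2" from_ns="$3" port="$4"
  cat <<EOF
# 1. Deny everything in and out for every pod in the namespace.
#    Both policyTypes must be listed; "Ingress" alone leaves egress wide open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Default-deny-egress also blocks DNS; re-allow port 53 to kube-system.
#    The kubernetes.io/metadata.name label is set on every namespace by the API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# 3. Open one port on one app, only from pods in the chosen source namespace
#    (e.g. the namespace where the ingress controller runs).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-${from_ns}
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${app}
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ${from_ns}
    ports:
    - protocol: TCP
      port: ${port}
EOF
}

# Demo with assumed values. To apply: render_netpol_baseline prod web ingress-nginx 8080 | kubectl apply -f -
render_netpol_baseline prod web ingress-nginx 8080
```

Applying these objects proves nothing by itself: a CNI that does not implement NetworkPolicy (plain flannel, for instance) accepts them silently. After applying, exec into a pod in another namespace and confirm the connection to the app is actually refused.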
Configuration and secrets
- ConfigMap — non-sensitive config as key/value or files
- Secret — sensitive data; the manifest carries it base64-encoded, which is an encoding, not encryption, and etcd stores it in plaintext unless the API server is configured with encryption at rest. Anyone who can get the object (RBAC) can read every value.
- Volume mounts — inject ConfigMaps/Secrets into pods as env or files
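To make the "base64 is not encryption" point concrete, here is an added example (not code from the guide): it encodes a constructed credential the way a Secret manifest carries it, renders the Secret and a pod that consumes it as both an environment variable and a file, and decodes the value back. The Secret name, namespace and credential are assumptions for the demo; the only cluster-dependent call is isolated in one function.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): a Secret's .data is plain base64.
set -euo pipefail

# Assumed names for the demo.
SECRET_NAME="db-creds"
SECRET_NS="prod"

# Encode a value as kubectl create secret does (base64, single line).
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse it. Anyone who can `kubectl get secret` can do this, so RBAC on
# secrets and encryption at rest in etcd are the real controls.
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# Secret manifest with the encoded values in .data
render_secret_manifest() {
  local user_b64 pass_b64
  user_b64=$(encode_secret_value "$1")
  pass_b64=$(encode_secret_value "$2")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${SECRET_NS}
type: Opaque
data:
  username: ${user_b64}
  password: ${pass_b64}
EOF
}

# Pod consuming the Secret as an env var (username) and as a file mount (password).
# The file mount is preferred for credentials: env vars leak into `kubectl describe`,
# crash dumps and child processes; files can also be rotated in place.
render_consumer_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: ${SECRET_NS}
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sh", "-c", "echo user=\$DB_USER; cat /etc/creds/password; sleep 3600"]
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: ${SECRET_NAME}
          key: username
    volumeMounts:
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: ${SECRET_NAME}
EOF
}

# Read a live value back; needs a cluster and `get secrets` permission.
read_live_secret_value() {
  kubectl get secret "$SECRET_NAME" -n "$SECRET_NS" -o jsonpath="{.data.$1}" | base64 -d
}

# Offline demo with a constructed credential.
manifest=$(render_secret_manifest app 'hunter2!')
printf '%s\n---\n' "$manifest"
render_consumer_pod
encoded=$(printf '%s' "$manifest" | sed -n 's/^  password: //p')
printf 'encoded: %s\ndecoded: %s\n' "$encoded" "$(decode_secret_value "$encoded")"
```

Against a cluster, `read_live_secret_value password` is exactly what the view-secret plugin mentioned later on this page automates; the point is that reading is a one-liner for anyone with get on secrets, so treat that verb as privileged when writing RBAC.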
Namespaces and RBAC
Namespaces isolate resources by team or environment; production clusters typically have prod, staging, kube-system and similar. A namespace is a scoping boundary for names and RBAC, not a network or node boundary on its own.
RBAC controls who can do what: Roles (namespaced) and ClusterRoles (cluster-wide) are bound to users, groups, or ServiceAccounts by RoleBindings and ClusterRoleBindings. A 401 Unauthorized means the API server could not identify you (bad cert, expired token); a 403 Forbidden means it did identify you and RBAC denied the verb on that resource. Forbidden errors are almost always a missing binding or a request aimed at the wrong namespace.
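The script below is an added example, not from this guide. It renders a minimal namespaced read-only Role plus RoleBinding for a ServiceAccount, and turns the Forbidden message the API server returns into the `kubectl auth can-i` command that reproduces the decision, so you can tell a missing binding from a wrong-namespace request without guessing. The message format parsed is the one the API server emits; the ServiceAccount and namespace names in the demo are assumptions, and the error line is constructed. Only the two live_* functions touch a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): RBAC manifest and a Forbidden-error decoder.
set -euo pipefail

# Read-only access to pods and their logs, for one ServiceAccount, in one namespace.
render_readonly_rbac() {
  local ns="$1" sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Turn an API server Forbidden message into the equivalent `kubectl auth can-i` check.
# Message shape (real):
#   Error from server (Forbidden): pods is forbidden: User "x" cannot list resource "pods"
#   in API group "" in the namespace "staging"      (or: ... at the cluster scope)
forbidden_to_can_i() {
  local msg="$1" user verb resource group ns res
  user=$(printf '%s' "$msg" | sed -n 's/.*User "\([^"]*\)" cannot .*/\1/p')
  verb=$(printf '%s' "$msg" | sed -n 's/.*cannot \([a-z]*\) resource .*/\1/p')
  resource=$(printf '%s' "$msg" | sed -n 's/.*cannot [a-z]* resource "\([^"]*\)".*/\1/p')
  group=$(printf '%s' "$msg" | sed -n 's/.*in API group "\([^"]*\)".*/\1/p')
  ns=$(printf '%s' "$msg" | sed -n 's/.*in the namespace "\([^"]*\)".*/\1/p')
  if [ -z "$user" ] || [ -z "$verb" ] || [ -z "$resource" ]; then
    echo "not an API server Forbidden message" >&2
    return 1
  fi
  res="$resource"
  if [ -n "$group" ]; then
    res="${resource}.${group}"   # kubectl accepts resource.group, e.g. deployments.apps
  fi
  if [ -n "$ns" ]; then
    printf 'kubectl auth can-i %s %s -n %s --as=%s\n' "$verb" "$res" "$ns" "$user"
  else
    printf 'kubectl auth can-i %s %s --as=%s\n' "$verb" "$res" "$user"
  fi
}

# Live helpers (need a cluster): run the reproduced check, and show which namespace
# the current context defaults to, since "wrong namespace" is the other usual cause.
live_can_i() { eval "$(forbidden_to_can_i "$1")"; }
live_default_namespace() { kubectl config view --minify -o 'jsonpath={..namespace}'; echo; }

# Offline demo with a constructed error line.
render_readonly_rbac prod app
SAMPLE='Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:prod:app" cannot list resource "pods" in API group "" in the namespace "staging"'
echo "reproduce with: $(forbidden_to_can_i "$SAMPLE")"
```

In the sample, the binding lives in prod but the request went to staging: the reproduced `can-i` would answer "no" there and "yes" with `-n prod`, which is the wrong-namespace case. If it answers "no" in both, the binding is missing or the verb or resource is not in the Role.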
Helm (brief)
Helm packages Kubernetes manifests into versioned charts for install and upgrade. Use it for third-party apps (ingress controllers, monitoring stacks) rather than hand-applying dozens of YAML files. Charts, values, and release troubleshooting are covered in the dedicated Helm lab — not duplicated here.
Helper tooling (krew and friends)
krew is the plugin manager for kubectl. Popular plugins speed up day-to-day ops:
- stern — tail logs from multiple pods/containers at once
- ctx (kubectx) — switch cluster contexts quickly
- ns (kubens) — switch default namespace
- tree — show object ownership hierarchy
- view-secret — decode a Secret's values on the CLI without the manual base64 step (it still prints plaintext to your terminal and scrollback; it is a convenience, not a protection)
Install krew, then plugins: kubectl krew install stern. See the cheatsheet for more plugin examples.
etcd and the control plane
When the API server is slow or down, etcd is a common root cause on self-managed clusters. See the etcd lab for quorum, backups, and apiserver connectivity.
Learning resources
- Kubernetes documentation — kubernetes.io/docs
- Concepts — kubernetes.io/docs/concepts
- kubectl reference — kubernetes.io — kubectl
- krew plugin index — krew.sigs.k8s.io — plugins
- SadServers playgrounds — Kubernetes playgrounds
Practice scenarios
Hands-on Kubernetes scenarios on live Linux VMs: kubernetes