Kubernetes From Scratch: build an HA cluster by hand (no kubeadm), then deep-dive every concept

Most Kubernetes tutorials start with kubeadm init or a managed cluster. You get a working cluster and almost no idea why it works.

So I did the opposite. Kubernetes From Scratch builds a complete, highly-available cluster by hand — no kubeadm, no scripts — starting from the very first TLS certificate, all the way to a real HA control plane. Then it uses that cluster as a lab to deep-dive every concept in Kubernetes: 73 chapters.

👉 Read it free (English): https://kkloudtarus.net/en/blog/series/kubernetes-from-scratch
💻 Manifests & scripts: https://github.com/nghiadaulau/kubernetes-from-scratch

What makes it different

  • You build it by hand. cfssl-signed certs, etcd quorum, apiserver/controller-manager/scheduler wired up yourself, kubelet + containerd on the workers, pod networking with the CNI bridge + VPC routes, CoreDNS — then a smoke test of the whole thing running together.
  • Then it goes deep. Once the cluster is up, every concept gets explained from the inside and configured by hand — not just "apply this YAML".
  • Tested for real on AWS EC2 with Kubernetes v1.36, grounded in the official kubernetes.io docs.
  • Fully bilingual (English + Vietnamese).

The journey

Part 1 — Build the cluster from nothing (chapters 0–17)
PKI/TLS and why a cluster needs so many certificates → etcd (quorum, Raft) → kube-apiserver and the request pipeline → controller-manager & scheduler (control loops, leader election) → HAProxy in front of 3 API servers → containerd/CRI → kubelet → kube-proxy → the Kubernetes network model → wiring pod networking by hand → CoreDNS → a full smoke test → and finally, the lifecycle of a request: from kubectl apply to a running pod.

Part 2 — Deep-dive every concept (chapters 18–72)
Using the cluster you built:

  • Workloads: Pod lifecycle, init/sidecar containers, probes, Deployment/StatefulSet/DaemonSet/Job, requests/limits/QoS, PodDisruptionBudgets
  • Scheduling: the scheduling framework, affinity/taints/tolerations, topology spread, priority & preemption, node-pressure eviction, HPA/VPA
  • Storage: volumes, PV/PVC, StorageClass + dynamic provisioning (EBS CSI), VolumeSnapshots
  • Networking: why replace kube-proxy, migrating to kube-proxy-less Cilium (eBPF), NetworkPolicy, Ingress, Gateway API, LB IPAM
  • Security: authentication → RBAC → ServiceAccounts & bound tokens, Pod Security Standards, seccomp/AppArmor/capabilities, Secrets hardening
  • Extending K8s: CRDs, admission webhooks, the operator pattern, API aggregation, device plugins
  • Operations: etcd backup & cert rotation, upgrades & version skew, logging, metrics/traces/APF, CEL admission policy, in-place pod resize, and a full teardown

Who it's for

Anyone who can use Kubernetes but wants to truly understand it — for the CKA/CKS, for debugging production with confidence, or just to finally kill the "it's magic" feeling. Being comfortable with Linux is the only prerequisite.


If this helps you, a ⭐ on the repo means a lot — and I'd love to hear which chapter clicked for you.

Start here → https://kkloudtarus.net/en/blog/series/kubernetes-from-scratch