DEV Community: Shashank Palakurthi

Getting Started with Kubernetes

Shashank Palakurthi — Mon, 16 Jun 2025 22:03:24 +0000

Getting Started with Kubernetes

What is Kubernetes?

Kubernetes (often abbreviated as K8s) is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications. It helps you run apps across multiple machines, taking care of things like load balancing, service discovery, scaling, and making sure everything stays up and running.

Kubernetes helps you easily manage containerized applications, making sure they run reliably and can scale well in changing environments. It takes care of the underlying infrastructure complexity and gives developers and operations teams a consistent and dependable platform to work with.

Kubernetes Architecture and Core Concepts

At its core, Kubernetes follows a master-worker architecture. The control plane is responsible for maintaining the desired state of the cluster - such as which applications should be running and how they're configured. The worker nodes are where the actual applications and workloads run inside containers.

Organizations use managed Kubernetes services to simplify operations. One popular option is Amazon Elastic Kubernetes Service (EKS). It takes care of the control plane for you, so you don't have to manually install or manage the core components. This lets teams focus more on deploying and managing applications rather than the infrastructure.

Key components in an EKS environment include:

API Server: The main entry point for all Kubernetes operations. You interact with it using tools like kubectl or the AWS CLI. This is fully managed by the service provider.

Scheduler : Assigns pods to available nodes based on resource needs and defined constraints.

Controller Manager : Works behind the scenes to make sure the actual state of the cluster matches the desired state. It ensures things like replicas and configurations stay consistent.

etcd: A distributed key-value store used by Kubernetes to store all cluster data. In managed environments, this is typically maintained and backed up by the platform provider.

Kubelet: Runs on each node, making sure containers are up and running and remain healthy.

Common Kubernetes Concepts

Pods: The smallest deployable unit in Kubernetes. A pod usually contains one or more containers that share the same network and storage resources, along with specifications on how to run them.

Deployments: Manage the lifecycle of pods, making sure the desired number of replicas are always running and replacing failed ones automatically.

Services: Define a logical group of pods and a way to access them. Services can be exposed internally or externally, depending on how they're configured.

ConfigMaps: Store non-sensitive configuration data in key-value pairs. Useful for separating config from application code.

Secrets: Store sensitive data like passwords, tokens, or API keys.

Where Do I Start?

Does Kubernetes Fit Your Use Case?

Before getting started with Kubernetes, it's important to ask a few key questions to see if it fits your needs:

Scalability: Does your application need to scale automatically based on traffic or resource usage? Kubernetes handles dynamic scaling efficiently, making it easy to scale up or down as needed.

Distributed Architecture: Are you running microservices or distributed systems? Kubernetes is well-suited for managing containers spread across multiple machines or environments.

High Availability: Does your application require consistent uptime and resilience? Kubernetes includes features like self-healing, rolling updates, and automatic failover to keep your services running even during issues.

Containerized Workloads: Are your apps already containerized, or are you planning to containerize them? Kubernetes is built to manage containerized applications, helping you deploy, monitor, and scale them smoothly.

Complex Infrastructure Needs: Does your setup involve load balancing, service discovery, or microservice communication? Kubernetes offers built-in solutions to simplify these tasks and manage them efficiently at scale.

Ready to Proceed?

If your application matches the criteria above and you're ready to use Kubernetes for container orchestration.

Happy clustering!

Getting Started with Kyverno: Kubernetes Policy Made Simple

Shashank Palakurthi — Fri, 13 Jun 2025 05:43:29 +0000

What is Kyverno?

Kyverno is a policy admission controller that helps you manage and enforce rules across your clusters. It works by validating, mutating, or even blocking incoming requests to the Kubernetes API server based on a set of policies. In simple terms, Kyverno lets you automatically check whether resources meet certain standards before they’re created or updated. This helps ensure consistency, improve security, and catch misconfigurations early — without writing custom code.

Why Do We Need Kyverno?

As Kubernetes environments grow more complex, maintaining security and consistency becomes harder. Kyverno helps by providing a structured way to enforce policies that define what’s allowed and what’s not — making it easier to follow security best practices and organizational standards.

For instance, you can create a policy that only permits pods to use images from an approved container registry. This ensures that teams deploy trusted, verified images — while blocking unapproved or potentially harmful workloads before they even start.

Kyverno Custom Resources

Kyverno uses Custom Resource Definitions (CRDs) to define and manage policies within Kubernetes environments. These CRDs help you control how resources are created, modified, or validated — ensuring that workloads follow security and operational standards. Whether you’re working at the namespace level or managing your entire cluster, Kyverno provides flexible tools to help you enforce rules consistently.

Policy vs ClusterPolicy

Kyverno provides two main types of policy resources:

Policy — Applied within a specific namespace.
ClusterPolicy — Applied cluster-wide and not tied to any particular namespace.

Both types allow you to define one or more rules, each of which includes:

Match conditions: which resources the rule applies to.
Exclude conditions: which resources to ignore.

Each rule can perform actions such as:

Mutate resources (e.g., add a label to a pod).
Validate values (e.g., ensure a label or annotation exists).
Verify images (e.g., check if a container uses an approved image hash).
Generate other resources (e.g., auto-create ConfigMaps or roles).

You can run these policies in two modes:

Audit mode: Logs violations without blocking the request — ideal for testing.
Enforce mode: Actively blocks resources that don’t meet policy requirements.

Tip: Kyverno also supports PolicyExceptions to allow specific resources to bypass a policy when needed — useful for controlled flexibility.

Audit Mode

In audit mode, Kyverno scans existing resources across namespaces to check if they comply with defined policies. This mode doesn’t block or modify anything — it simply reports violations. It’s a safe and practical way to test new policies before enforcing them in production, helping teams understand the potential impact without disrupting workloads.

Enforce Mode

Enforce mode is used to apply policies to newly created or modified resources. When a resource doesn’t meet policy requirements, Kyverno will block it. This ensures that all new workloads follow security and operational standards from the start.

Note that enforce mode does not affect existing resources. Even if something already running violates a policy, it won’t be removed or changed unless the policy is also applied in another way.

Some namespaces can be excluded from enforcement if needed — for example, system or exempted dev namespaces.

PolicyException

There may be cases where a workload intentionally needs to bypass a policy — for example, a temporary or special-use deployment. That’s where PolicyException comes in.

A PolicyException lets you create a rule to skip validation or mutation for specific resources. These exceptions are defined using match selectors based on namespace, resource type, or resource name.

Tip: Use exceptions sparingly. If you find yourself needing too many exceptions, it may be a sign that the policy itself needs to be updated or made more flexible.

Understanding PolicyReport in Kyverno

Kyverno automatically generates PolicyReports that summarize which resources in your cluster are compliant or non-compliant with the defined policies. These reports help you track which workloads pass or fail validation checks based on your current policies.

Note: PolicyReports only reflect results from audit mode. Since audit mode evaluates existing resources without blocking them, the reports provide a live snapshot of what’s happening in the cluster.

Resources blocked in enforce mode don’t appear in these reports — because they never get created in the first place.

PolicyReports are especially helpful when testing new policies, as they show the potential impact before enforcement is turned on.

Final Thoughts

Kyverno makes Kubernetes policy management approachable by using familiar YAML syntax and integrating seamlessly with cluster operations. Whether you’re just starting with audit mode or rolling out enforcement in production, Kyverno helps teams maintain consistency, security, and governance — without introducing unnecessary complexity.

As you begin experimenting with Kyverno, start small: test your policies in audit mode, review PolicyReports, and gradually move toward enforcement. And remember — policies are not just guardrails, they’re a powerful way to encode best practices into your infrastructure.

Resources

About Kyverno — Official Website: https://kyverno.io/#about-kyverno
Kyverno Policy Samples: https://kyverno.io/policies/