Kubernetes (K8s) Notes
Kubernetes is an orchestration system for automating software deployment, scaling, and management.
Problems That Kubernetes Solves
Single Host
K8s works as clusters, which have a group of computing nodes that run containerized applications.Auto Scaling
K8s usesHPA(Horizontal Pod Autoscaling) to accommodate load changes.Auto Healing
K8s fixes damage by creating new containers with the help of the K8s control plane.Enterprise Level
Solves enterprise-level problems like orchestration, firewall management, etc.
K8s Cluster Architecture
Data Plane (Worker Nodes)
-
Container Runtime — Required to run container applications like Docker:
dockershimcontainerdCRI-O
-
Pod
- Smallest unit in K8s; acts as a wrapper for containers.
- Represents a single instance of a running process in the cluster.
- Provides a declarative way (YAML) to define containers.
- Can run more than one container in a pod.
CRI (Container Runtime Interface)
An API that allowskubeletto communicate with different container runtimes.kubelet
Responsible for pod monitoring, deletion, and creation.kube-proxy
Responsible for pod networking, IP assignment, and load balancing.
Control Plane (Master Nodes)
kube-api-server
Acts as the central management hub of the control plane. Exposes the K8s API to the external world, enabling communication between control plane components and worker nodes.scheduler
Responsible for assigning newly created pods to nodes, ensuring workloads are evenly distributed and resource requirements are met.etcd
A key-value data store responsible for storing all cluster state and configuration data. Acts as the backup of the K8s cluster.Controller Manager
Responsible for managing and maintaining the desired state of the cluster. Runs a set of controllers that perform various cluster management tasks.Cloud Controller Manager (CCM)
Responsible for managing cloud-specific resources and interacting with the cloud provider's API.
K8s Namespace
A namespace provides logical isolation of resources, networking, policies, and RBAC.
KOPS (Kubernetes Operations)
KOPS is an open-source tool that simplifies the creation, management, and upgrading of K8s clusters on cloud providers such as AWS, GCE, and Azure.
Installation
kubectl (K8s CLI)
For further reference: kubectl documentation
1. Download the latest release:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
2. Install kubectl:
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
minikube (Local K8s Cluster)
For further reference: minikube documentation
1. Install minikube:
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube && rm minikube-linux-amd64
2. Start minikube:
# Creates a VM with a single-node K8s cluster
minikube start
kubectl Commands
Cluster Commands
# Get clusters and filter by region
kubectl config get-contexts | grep ap-south-1
# Select a cluster
kubectl config use-context <user-name>@<k8s-cluster-name>
# Check current cluster
kubectl config current-context
Node Commands
# Get number of nodes
kubectl get nodes
Pod Commands
# Create a pod
kubectl create -f pod.yml
# List pods
kubectl get pods
# List pods with details
kubectl get pods -o wide
# Delete a pod
kubectl delete pod nginx
# Describe a pod
kubectl describe pod nginx
Deployment Commands
# Create a deployment
kubectl create deployment <deployment-name>
# Edit a deployment
kubectl edit deployment <deployment-name>
# Delete a deployment
kubectl delete deployment <deployment-name>
Status Commands
kubectl get nodes
kubectl get pods
kubectl get services
kubectl get replicaset
kubectl get deployment
Debugging Commands
# View pod logs
kubectl logs <pod-name>
# Open interactive terminal inside a pod
kubectl exec -it <pod-name> -- /bin/bash
# Describe a pod
kubectl describe pod <pod-name>
Configuration File Commands
# Apply a configuration file
kubectl apply -f <file-name>
# Delete resources using a configuration file
kubectl delete -f <file-name>
Kubernetes YAML — Core Concepts
1. The 3 Parts of Every K8s YAML
Every Kubernetes manifest has 3 top-level sections:
| Section | Who writes it? | Purpose |
|---|---|---|
metadata |
You | Name, namespace, labels |
spec |
You | Desired state (what you want) |
status |
Kubernetes | Actual state (what exists) — auto-generated |
apiVersion: apps/v1
kind: Deployment
metadata: # ← YOU write this
name: nginx-deployment
labels:
app: nginx
spec: # ← YOU write this
replicas: 3
...
status: # ← K8s writes this (never in your file)
availableReplicas: 3
readyReplicas: 3
Note: You never write
statusin your YAML file. Kubernetes auto-generates and manages it at runtime.
2. The template Field in a Deployment
The template is a Pod blueprint embedded inside a Deployment. It tells Kubernetes exactly what Pod to create when scaling or healing.
spec:
replicas: 3
template: # ← Pod template (blueprint for each replica)
metadata:
labels:
app: nginx # ← Label stamped on every Pod created
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
- The Deployment uses this template to spin up 3 identical Pods.
- If a Pod dies, the ReplicaSet re-creates it using this same template.
3. Labels & Selectors
Labels (in metadata)
Labels are key-value tags attached to objects (Pods, Deployments, etc.).
metadata:
labels:
app: nginx # ← "Tag this object as app=nginx"
Selectors (in spec)
Selectors are queries that find objects by their labels.
spec:
selector:
matchLabels:
app: nginx # ← "Find all objects where app=nginx"
4. Connecting Deployment → Pods (via Labels & Selectors)
The Deployment's selector must match the template.metadata.labels. This is how the Deployment owns and manages its Pods.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx # ← Step 2: Deployment looks for Pods with this label
template:
metadata:
labels:
app: nginx # ← Step 1: Each Pod gets this label stamped on it
spec:
containers:
- name: nginx
image: nginx:1.14.2
Deployment
└── selector: app=nginx ──────────────────┐
▼
template → creates Pods with label: app=nginx ✅
If these labels don't match, the Deployment cannot manage the Pods — they become orphaned.
5. Connecting Service → Deployment (via Labels & Selectors)
A Service routes traffic to Pods. It uses its own selector to find the right Pods — the same labels used in the Deployment's template.
# service.yml
apiVersion: v1
kind: Service
metadata:
name: nginx-service
spec:
selector:
app: nginx # ← Matches Pod labels from the Deployment template
ports:
- protocol: TCP
port: 80 # Port the Service exposes
targetPort: 80 # Port on the Pod to forward to
Client Request
│
▼
Service (port: 80)
└── selector: app=nginx ──────────────────┐
▼
Pods with label: app=nginx
(Pod 1, Pod 2, Pod 3)
The Service doesn't connect to the Deployment directly — it connects to Pods via label matching.
6. Understanding Ports
Three different port concepts — easy to confuse:
| Field | Where | Meaning |
|---|---|---|
containerPort |
Pod/Deployment spec | Port the app inside the container listens on (documentation only, doesn't expose it) |
port |
Service spec | Port the Service exposes to the cluster |
targetPort |
Service spec | Port on the Pod the Service forwards traffic to |
nodePort |
Service spec | Port exposed on the Node's IP (only for NodePort type Services) |
# In Deployment — documents what port the app uses
containers:
- name: nginx
ports:
- containerPort: 80 # nginx listens on 80 inside the container
# In Service — controls how traffic reaches the Pod
spec:
ports:
- port: 80 # Cluster-internal clients hit this port on the Service
targetPort: 80 # Forwarded to port 80 on the matched Pods
7. Debugging: View Full Config with status
Since status is auto-generated by Kubernetes, you can inspect the live state of any object using:
kubectl get pod nginx -o yaml
kubectl get deployment nginx-deployment -o yaml
kubectl get service nginx-service -o yaml
This outputs the complete YAML including the status block Kubernetes manages:
# kubectl get deployment nginx-deployment -o yaml
status:
availableReplicas: 3
conditions:
- type: Available
status: "True"
observedGeneration: 1
readyReplicas: 3
replicas: 3
updatedReplicas: 3
Use this to diagnose issues — if readyReplicas < replicas, something is wrong with your Pods.
8. K8s Service
A K8s Service provides:
- Load balancing
- Service (network) discovery using labels and selectors
- External exposure to the world
+-------------------+ +----------------+ +-----------------+ +-----------+ +-----------+
| Service | --> | Deployment | --> | ReplicaSet | --> | Pod | --> | Container |
| (Load Balancer) | | | | | | | | |
+-------------------+ +----------------+ +-----------------+ +-----------+ +-----------+
Service Types
| Type | Access Scope |
|---|---|
ClusterIP |
Within the cluster network only |
NodePort |
Outside the cluster: organization, VPC, or nodes |
LoadBalancer |
Public access from outside |
service.yml
apiVersion: v1
kind: Service
metadata:
name: my-loadbalancer-service
spec:
type: LoadBalancer
selector:
app: my-app
ports:
- protocol: TCP
port: 80 # Service port
targetPort: 8080 # Pod port
Full Picture
[You write] [K8s manages]
─────────────────────────────────────────────────────────
Deployment
├── metadata.labels → identifies the Deployment itself
├── spec.selector → finds Pods to manage
├── spec.template → blueprint to create Pods
│ └── metadata.labels → stamped on every created Pod
└── status ← auto-generated by K8s
Service
├── spec.selector → finds Pods to send traffic to (matches Pod labels)
└── spec.ports → port / targetPort / nodePort mapping
Kubeshark
A tool that provides real-time visibility into K8s cluster API traffic.
K8s Ingress
K8s Ingress addresses the following enterprise challenges:
- Security
- Advanced load balancing (various types)
Ingress Controller
Watches for Ingress resources and enforces routing rules by updating the underlying load balancer or proxy configuration.
Common Ingress Controllers:
- NGINX
- HAProxy
Ingress Resource
Defines the routing rules.
Load Balancing Types:
- Host: Directs traffic based on the hostname.
- Paths: Directs traffic based on URL paths.
- TLS: Handles HTTPS traffic with SSL certificates.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
K8s RBAC (Role-Based Access Control)
RBAC is a flexible method for managing access control in systems, OSes, databases, and applications. It improves security and ensures compliance. Unlike AWS IAM, RBAC is a general access control manager, not cloud-specific.
- Service Account: Provides an identity for processes running in a pod.
- Role: Defines a set of permissions.
- Role Binding: Associates a role with a service account (or user/group).
K8s CRD, CR & Custom Controller
CRD (Custom Resource Definition)
- Extends the Kubernetes API to allow creation of custom resources.
- Enables definition of new resource types beyond built-ins like Pods, Services, and Deployments.
CR (Custom Resource)
- An instance of a Custom Resource Definition.
- Once a CRD is applied, you can create, read, update, and delete its instances.
Custom Controller
- Watches for changes to custom resources (or other K8s resources).
- Reconciles the current cluster state with the desired state specified by those resources.
K8s ConfigMaps & Secrets
Solves ENV variable problems:
- Decoupling configuration from code
- Dynamic updates
- Reusability across multiple pods
ConfigMaps
Used to store non-confidential configuration data in key-value pairs.
Secrets
Used to store sensitive data such as passwords, OAuth tokens, and SSH keys. Data is encrypted at rest. Use RBAC for least-privilege access.
Dynamic Configuration: ConfigMaps/Secrets as Volumes
configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
name: example-config
data:
database_url: "mongodb://localhost:27017"
feature_flag: "true"
deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-deployment
spec:
replicas: 3
selector:
matchLabels:
app: example-app
template:
metadata:
labels:
app: example-app
spec:
containers:
- name: example-container
image: example-image
envFrom:
- configMapRef:
name: example-config
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: example-config
K8s Operators & Helm
Both tools help manage complex (stateful) K8s applications.
K8s Operator
- Manages tasks with minimal or no restarts.
- Automates operational tasks: upgrades, backups, failover, and scaling.
- Functions as a controller that extends K8s capabilities using Custom Resource Definitions.
Helm
- May trigger restarts during deployments/upgrades.
- A package manager for Kubernetes that simplifies deployment using charts — collections of YAML files describing K8s resources.
- Helm helps with:
- Defining, Installing, and Upgrading Applications: Standardizes application lifecycle management.
- Customizing Deployments: Enables environment-specific configurations through value overrides.
- Release Management: Tracks application releases for rollbacks or updates.
- Versioning: Manages versioned manifest files for repeatable deployments.
- Sharing Charts: Facilitates reuse and collaboration across teams.
K8s Monitoring: Prometheus & Grafana
Prometheus
Monitors and alerts cloud-native environments by collecting metrics from applications and infrastructure.
Grafana
Allows users to visualize and monitor data through dashboards and charts, using Prometheus as a data source.
Top comments (0)