Kubernetes
Kubernetes has become the de facto standard for container orchestration, providing a declarative platform to deploy, scale, and operate application containers across clusters of hosts. It abstracts the underlying infrastructure and gives engineering teams a common control plane for workload scheduling, service discovery, and automated operations.
For modern DevOps and platform engineering, Kubernetes is not merely a toolβit is the foundation upon which internal developer platforms, GitOps workflows, and self-healing production systems are built. This section of DevOpsDevPro provides a structured guide to Kubernetes architecture, core objects, deployment patterns, security practices, and production operations, connecting container orchestration to the broader DevOps ecosystem.
What Is Kubernetes?β
Before Kubernetes, engineering teams managed containers manually or with basic scripting. Scaling required manual intervention, deployments were complex and error-prone, and maintaining application health across many hosts was operationally heavy.
Kubernetes solves these challenges by providing:
- Automated scheduling: Pods are placed onto nodes based on resource requirements and constraints.
- Self-healing: Failed containers are restarted, unresponsive nodes are drained, and desired state is continuously maintained.
- Declarative deployment: Desired application state is defined in YAML manifests, and Kubernetes controllers reconcile the cluster to match that state.
- Horizontal scaling: Workloads can be scaled out or in automatically based on CPU, memory, or custom metrics.
- Service discovery and load balancing: Services provide stable networking endpoints and distribute traffic to healthy Pods.
Kubernetes shifts operations from imperative commands to a desired-state model, where engineers specify what should run, not how to run it.
Kubernetes Architecture Overviewβ
A Kubernetes cluster consists of a control plane that manages the cluster state and a set of worker nodes that run application workloads. The control plane makes global decisions, while node components execute container lifecycle operations.
Kubernetes Cluster
ββββββββββββββββββββββ
β Control Plane β
β β
β API Server β
β etcd β
β Scheduler β
β Controller Managerβ
ββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββ
β Worker Nodes β
β β
β kubelet β
β Container Runtime β
β kube-proxy β
ββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββ
β Containers & β
β Applications β
ββββββββββββββββββββββ
Control Plane Componentsβ
API Serverβ
The API server is the front-end to the Kubernetes control plane. All internal and external interactionsβkubectl commands, controller reconciliations, scheduler decisionsβgo through the API server. It validates and processes RESTful requests, updating etcd accordingly.
etcdβ
etcd is a distributed key-value store that holds the entire cluster configuration and state. Every objectβPods, Services, Deploymentsβis persisted in etcd. Backup and recovery of etcd are critical operational tasks for cluster reliability.
Schedulerβ
The scheduler watches for newly created Pods that have no node assigned and selects an optimal node for them to run on. It considers resource requirements, affinity and anti-affinity rules, taints and tolerations, and other scheduling constraints.
Controller Managerβ
The controller manager runs a set of controllers that continuously reconcile the actual cluster state toward the desired state. Examples include the Deployment controller, ReplicaSet controller, and Node controller. Each controller watches the API server for changes and takes action to converge on the declared configuration.
Cloud Controller Managerβ
This optional component integrates Kubernetes with cloud provider APIs. It manages cloud-specific resources like load balancers, persistent storage volumes, and node lifecycles, allowing the core Kubernetes components to remain cloud-agnostic.
Node Componentsβ
kubeletβ
The kubelet is the agent running on every node. It receives Pod specifications from the API server and ensures the containers described in those Pods are running and healthy. The kubelet reports node and Pod status back to the control plane.
Container Runtimeβ
The container runtime is the software responsible for running containers. Kubernetes supports any runtime conforming to the Container Runtime Interface (CRI), such as containerd or CRI-O.
kube-proxyβ
kube-proxy maintains network rules on each node, enabling network communication to Pods through Services. It handles the forwarding of traffic to the correct backend Pods based on Service definitions.
Kubernetes Core Objectsβ
Podsβ
The Pod is the smallest deployable unit in Kubernetes. A Pod wraps one or more tightly coupled containers, sharing network namespace and storage volumes. Pods are ephemeral and are typically managed by higher-level controllers rather than created directly.
Deploymentsβ
Deployments manage stateless application workloads. They define a desired number of Pod replicas and provide declarative updates through rolling updates. If a Pod fails, the Deployment controller ensures a replacement is created.
StatefulSetsβ
StatefulSets are designed for stateful applications that require stable network identities and persistent storage. Each Pod in a StatefulSet maintains a consistent hostname and can be associated with dedicated PersistentVolumes.
DaemonSetsβ
DaemonSets ensure that a copy of a specific Pod runs on every node (or a subset of nodes). Common use cases include log collectors, monitoring agents, and node-level security daemons.
Jobs and CronJobsβ
Jobs run a Pod to completion a specified number of times, suitable for batch processing. CronJobs extend Jobs with time-based scheduling, similar to Unix cron.
Kubernetes Networkingβ
Pod Networkingβ
Kubernetes imposes a flat, routable network model: every Pod gets its own IP address, and Pods on any node can communicate directly without network address translation (NAT). This simplifies service discovery and application communication.
Servicesβ
Services provide stable networking endpoints for a set of Pods. Three main types exist:
- ClusterIP: Exposes the service on an internal cluster IP; reachable only within the cluster.
- NodePort: Opens a specific port on every node's IP, forwarding traffic to the service.
- LoadBalancer: Provisions an external cloud load balancer and maps it to the service.
Ingressβ
Ingress resources manage external HTTP and HTTPS access to services, providing host-based and path-based routing. Ingress controllers (such as NGINX Ingress or Traefik) implement the defined rules.
Service Meshβ
Service meshes like Istio and Linkerd add a transparent infrastructure layer for traffic management, security (mTLS), and observability. They operate at the application layer without requiring code changes, providing fine-grained control over service-to-service communication.
Kubernetes Storageβ
Volumesβ
Ephemeral volumes share the lifetime of a Pod and are used for temporary data sharing between containers.
PersistentVolumes (PV)β
PVs represent a piece of storage in the cluster that has been provisioned by an administrator or dynamically via StorageClasses. They have a lifecycle independent of any individual Pod.
PersistentVolumeClaims (PVC)β
A PVC is a request for storage by a user. It consumes PV resources, binding to an available PV that matches the claim's requirements (size, access mode).
StorageClassβ
StorageClasses enable dynamic provisioning of persistent volumes. They define the provisioner, parameters, and reclaim policy, allowing applications to request storage on-demand without manual administrator intervention.
Kubernetes Application Configurationβ
ConfigMapsβ
ConfigMaps decouple non-sensitive configuration from Pod specifications. Configuration data is stored in key-value pairs and can be mounted as files or exposed as environment variables.
Secretsβ
Secrets hold sensitive information such as passwords and tokens. While Kubernetes Secrets offer base64 encoding and limited access control, for stronger security, many teams integrate external secret managers (HashiCorp Vault, AWS Secrets Manager) and use tools like External Secrets Operator to sync secrets into the cluster.
Kubernetes Deployment Lifecycleβ
The lifecycle of a Kubernetes application proceeds through several stages:
Container Image
β
Manifest Definition
β
Deployment Creation
β
Pod Scheduling
β
Service Exposure
β
Monitoring
β
Scaling and Updates
- Container Image: A container image is built and pushed to a registry.
- Manifest Definition: Kubernetes YAML (Deployment, Service, ConfigMap) is written to define the desired state.
- Deployment Creation: The manifest is applied, and the Deployment controller creates a ReplicaSet.
- Pod Scheduling: The scheduler assigns Pods to appropriate worker nodes.
- Service Exposure: A Service is created to provide stable access, and optionally an Ingress routes external traffic.
- Monitoring: Observability tooling collects metrics, logs, and traces from running Pods.
- Scaling and Updates: Based on load or new image versions, deployments are scaled or updated using rolling update strategies.
Kubernetes Deployment Strategiesβ
Rolling Updatesβ
The default Kubernetes strategy. Pods are replaced gradually, with new Pods becoming ready before old ones are terminated. This provides zero-downtime updates but can lead to mixed versions serving traffic temporarily.
Blue-Green Deploymentβ
Two complete environments are maintained. The new version is deployed to the "green" environment while the "blue" environment serves production traffic. A Service selector switch moves traffic instantly. Rollback is equally fast by switching back.
Canary Deploymentβ
The new version is deployed alongside the old version, but only a fraction of traffic is routed to it initially. Traffic is increased gradually while monitoring error rates and latency. This limits the blast radius of a bad release.
Progressive Deliveryβ
Progressive delivery combines canary deployments with automated metric analysis. Tools like Argo Rollouts or Flagger watch Prometheus metrics during a canary deployment and automatically promote or roll back the release based on defined success criteria.
Kubernetes Package Managementβ
Helmβ
Helm is the package manager for Kubernetes. It bundles related Kubernetes manifests into chartsβreusable, versioned templates parameterized via values files. Helm manages the full lifecycle of a release: installation, upgrade, rollback, and deletion. Charts reduce duplication and enable organizations to standardize application deployment across teams.
Kubernetes GitOpsβ
GitOps applies DevOps best practices to Kubernetes operations by using a Git repository as the single source of truth for cluster desired state. Declarative manifests are stored in Git. A GitOps operator (such as Argo CD or Flux) running inside the cluster continuously monitors the repository and reconciles the live cluster state with the desired state.
Git Repository (desired state)
β
GitOps Controller
β
Kubernetes Cluster (live state)
This model provides audit trails, change traceability, and fast recovery from failures by simply reverting a Git commit.
Kubernetes Securityβ
Production Kubernetes requires a multi-layered security posture:
Authentication and Authorizationβ
Kubernetes supports multiple authentication methods and implements Role-Based Access Control (RBAC) to restrict API operations. Service accounts provide identities for Pods, and each workload should be assigned the minimum permissions necessary.
Network Securityβ
Network Policies control traffic flow between Pods and namespaces. They define ingress and egress rules, enabling micro-segmentation and reducing lateral movement if a service is compromised.
Image Securityβ
Container images should be scanned for vulnerabilities before deployment and sourced from trusted registries. Admission controllers can enforce that only signed or scanned images run in the cluster.
Secrets Managementβ
Sensitive data should not be stored in plaintext Kubernetes Secrets alone. Integrate external secrets management systems, encrypt secrets at rest in etcd, and rotate credentials regularly.
Kubernetes Observabilityβ
Metricsβ
Prometheus scrapes Pod and cluster metrics, which Grafana dashboards visualize. Metrics provide insight into resource usage, request rates, error rates, and latencyβthe foundational data for SLO monitoring.
Loggingβ
Centralized logging with tools like Fluent Bit, Loki, or Elasticsearch aggregates logs from all containers. Structured logging simplifies searching and correlation during incidents.
Tracingβ
Distributed tracing (OpenTelemetry, Jaeger) tracks a request across microservices, helping identify latency bottlenecks and pinpoint failures in complex call chains.
Kubernetes observability feeds directly into SRE practices, providing the data needed to define SLIs, set SLOs, and trigger alerts that support error budgets.
Kubernetes and DevOps Integrationβ
CI/CDβ
Automated pipelines build container images and update Kubernetes manifests with new image tags. Integration with GitOps controllers automates deployments, while progressive delivery techniques reduce risk. See the CI/CD section.
Infrastructure as Codeβ
The underlying Kubernetes clusterβnodes, networking, IAM rolesβis provisioned and managed with IaC tools like Terraform. Application-level configuration is then layered on top. See the IaC section.
Operations and SREβ
Kubernetes observability data informs incident response and reliability engineering. SLOs, error budgets, and automated runbooks help operate production clusters with discipline. See the Operations section.
Kubernetes Learning Pathβ
A structured path to build Kubernetes expertise:
Containers Fundamentals
β
Kubernetes Architecture
β
Core Objects
β
Networking and Storage
β
Application Deployment
β
Helm
β
GitOps
β
Security
β
Production Operations
Common Kubernetes Mistakesβ
Learning Kubernetes Without Containersβ
Docker and container fundamentals are prerequisites. Without understanding images, registries, and runtime behavior, troubleshooting Kubernetes becomes guesswork.
Treating Kubernetes as a Simple Deployment Toolβ
Kubernetes is a full application platform. Using it as a raw deployment target without leveraging its scheduling, scaling, and service discovery capabilities misses the value.
Ignoring Networkingβ
Pod CIDR conflicts, Service types, and Ingress behavior require a solid networking foundation. Many production incidents trace back to misconfigured networking.
Running Production Workloads Without Observabilityβ
Deploying applications without metrics, logs, and alerts leaves teams blind to performance issues and failures. Observability must be part of the initial deployment.
Overcomplicating Early Designsβ
Begin with simple Deployments and Services. Adopt service meshes, complex schedulers, and multi-cluster topologies only when the operational need is clear.
Kubernetes Tools Landscapeβ
Container Runtimeβ
- containerd
- CRI-O
Kubernetes Distributionsβ
- Amazon EKS
- Azure AKS
- Google GKE
- Red Hat OpenShift
Package Managementβ
- Helm
- Kustomize
GitOpsβ
- Argo CD
- Flux
Observabilityβ
- Prometheus
- Grafana
- OpenTelemetry
Related DevOpsDevPro Sectionsβ
- Getting Started β DevOps overview and roadmap.
- Foundations β Core principles and lifecycle.
- CI/CD β Automated delivery pipelines.
- Infrastructure as Code β Provisioning cloud resources.
- Operations β Observability, SRE, incident management.
Kubernetes is not just a container scheduler; it is the foundation for building scalable, automated, and reliable cloud-native platforms. Successful adoption requires combining architecture knowledge, automation, security, observability, and operational discipline. The articles in this section provide practical, production-oriented guidance to help you master Kubernetes and integrate it into your DevOps practices.