Introduction to k8s
March 6, 2025
Kubernetes vs Docker
- Docker is a containerization platform and runtime. K8s is a container orchestration platform. k8s may use Docker as underlying container runtime (or
containerd,CRI-Oetc). - k8s pros:
- coordinates and schedules containers across multiple servers
- extensive API (
kubectlcli, language bindings); imperative commands + declarative config - container grouping into pods
- container health monitoring, self-healing
- abstraction of networking, persistent volumes etc., cloud provider integrations
- extensible, reach ecosystem
- k8s cons: complicated
Cluster Architecture
Based on official kubernetes documentation
Control plane components
kube-apiserverexposes k8s APIetcd– consistent and highly-available key value store used as Kubernetes’ backing store for all cluster datakube-scheduler– control plane component that watches for newly created Pods with no assigned node, and selects a node for them to run onkube-controller-managerruns controller processes. Controllers – control loop that reconciles the state of a cluster with the desired onecloud-controller-manager
Node components
kubelet– takes a set of PodSpecs that are provided through various mechanisms and ensures that the containers described in those PodSpecs are running and healthykube-proxymaintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster (optional if a network plugin implements functionality)- container runtime – containerd/CRI-O/Docker
Kubernetes workload resources
pods
Pods are basic workload of k8s. Represents several containers that work together.
- containers in pod share storage and network resources
- may wrap one container or several:
- init containers
- sidecar containers
- ephemeral containers
Minimal pod definition example
simple-pod.yaml
Apply declarative definition imperatively
Note
Pods are rarely created directly. They are normally managed by workload resources.
Deployment
The most common way to run applications. Best fit for stateless, scalable applications.
DeploymentrollsoutReplicaSet. It manages copies of pods in the background.- Each change in
Deploymentis saved inetcdas a revision- may rollback to earlier revision
- Allows scaling up and down the number of pods (creates new
ReplicaSet)
Example Deployment
Other workloads
StatefulSetis used to manage stateful applications (e.g DB)- sticky identity for pods (stable names / network identifiers)
- ordered deployment/scaling
DaemonSetruns a copy of a Pod on every (or defined set of) node of a cluster. Used for daemons, add-ons, helper tools necessary for operation.Jobsrepresent one-off task that runs to completion and then stopCronJobsare scheduled Jobs
Kubernetes networking
- Each
Podhas unique cluster-wide IP (volatile if pod is restarted)- inside a Pod there is a local private network. Processes in different containers can communicate over
localhost
- inside a Pod there is a local private network. Processes in different containers can communicate over
ServiceAPI provides a stable long-lived IP address / hostname for aplication- ClusterIP
- NodePort
- LoadBalancer (if supported by cloud provider)
- ExternalName
IngressAPI (superseeded byGateway) manages external HTTP/HTTPS access to the services- uses dedicated add-on (nginx/traefik)
- load-balancing / SSL termination
- understands URIs, hostnames / paths …
Service example
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376Note
- Matches pod label with selector
ClusterIPby default
Ingress
Ingress
Configuration resources
ConfigMap
ConfigMap for setting configuration data separately from application code
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
data:
config-option0: value0
config-option1: value1
binaryData:
image-file.jpg: <base64 encoded>Exposed to pod as:
- environment variables
- volume: dir / file mount
Secrets
Secrets are used to store sensitive configuration / data. Similar to ConfigMap otherwise.
Different types of Secrets, e.g.
Opaquedefault general-use for arbitrary datakubernetes.io/ssh-authssh credentialskubernetes.io/tlsdata for a TLS client or server- …
Warning
Kubernetes Secrets are, by default, stored unencrypted in the API server’s underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd.
Additional configuration is needed to effectively protect Secrets in multi-user production deployments.
Storage
Volumes
- populating a configuration file based on a ConfigMap or a Secret
- providing some temporary scratch space for a pod
- sharing a filesystem between two different containers in the same pod
- sharing a filesystem between two different pods (even if those Pods run on different nodes)
- durably storing data so that it stays available even if the Pod restarts or is replaced
- passing configuration information to an app running in a container, based on details of the Pod the container is in (for example: telling a sidecar container what namespace the Pod is running in)
- providing read-only access to data in a different container image
PersistentVolumeClaim
Volumes can be statically created by cluster admin. More often are dynamically provisioned
StorageClasses are pre-created by cluster admin. Determine mechanisms forPersistentVolumecreation.Provisioneradd-on creates volumes.local-path/ cloud-backed add-ons (e.g.cinder-csiwith OpenStack) / nfs storage provider /Longhorn…
- User defines
PersistentVolumeClaimasking to create a volume with specificStorageClass