Orchestration using Kubernetes
Kubernetes (abbreviated as K8s) is a portable, extensible, open-source platform for managing containerized applications at scale. Kubernetes abstracts infrastructure away from application logic and provides powerful primitives for deploying, scaling, and maintaining containerized workloads. It provides high availability, scalability, resilience for the application. Kuberenetes was originally developed at Google as Bord task scheduler, it's origin story and the journey to getting open sourced is quite fascinating!
This guide walks through Kubernetes by demonstrating foundational concepts using kubectl to advanced architecture and operational strategies.
Core concepts with Kubectl
Before running commands below, make sure to:
- Install kubectl on using the official installation guide.
- Install docker desktop and enable Kubernetes in settings for starting a local kubernetes server. Other options include k3d (fast, lightweight), kind (quick local testing), MicroK8s (full k8s experience with low resource usage) and minikube (full VM style k8s experience).
Cluster
A Kubernetes deployment consists of multiple nodes managed by a centralized control plane.
kubectl cluster-infoNodes
Worker machines (VMs or physical) where pods are scheduled and run. Nodes are managed by the Kubernetes control plane.
kubectl get nodesPods
The smallest deployable unit in Kubernetes. A pod encapsulates one or more containers with shared networking and storage. Pods are ephemeral – they can die and be replaced.
kubectl run my-nginx --image=nginx # Creates a pod using nginx
kubectl get pods # See your pod
kubectl describe pod my-nginx # Get detailed infoDeployments
Provide declarative updates for pods and replica sets. They manage rollout, rollback, and scaling of applications.
- ReplicaSets ensure a specified number of pod replicas are running at any given time.
- Deployment strategies include
- Rolling updates: Gradually replace pods with new ones
- Blue/Green deployments: Maintain two environments and switch traffic
- Canary releases: Release to a subset of users to test changes safely
kubectl create deployment my-nginx-deploy --image=nginx
kubectl get deployments
kubectl scale deployment my-nginx-deploy --replicas=3
kubectl get podsServices
A Service exposes your Pods to the network – internally or externally - providing stable DNS names and load balancing. Service types: ClusterIP (internal), NodePort (access via node IP:port), LoadBalancer (cloud load balancer).
kubectl expose deployment my-nginx-deploy --port=80 --type=LoadBalancer
kubectl get servicesNamespaces
A Namespace separates resources logically, useful when you have multiple teams, apps, or environments.
kubectl create namespace my-namespace
kubectl run test-pod --image=nginx --namespace=my-namespace
kubectl get pods -n my-namespaceConfigMaps and Secrets
ConfigMaps store non-sensitive configuration. Secrets store sensitive data like passwords.
kubectl create configmap my-config --from-literal=APP_MODE=production
kubectl create secret generic my-secret --from-literal=DB_PASSWORD=secret123
kubectl get configmaps
kubectl get secretsConfiguring a basic pod yaml
Instead of using commands, you can define Pods declaratively with YAML. YAML is how real-world Kubernetes works.
Example pod.yaml:
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mycontainer
image: nginx
ports:
- containerPort: 80- Apply it to create the pod and delete once done
kubectl apply -f pod.yaml
kubectl delete -f pod.yamlKubernetes Architecture
Control Plane Components
- API Server: Frontend for the Kubernetes control plane
- Scheduler: Assigns pods to nodes based on resource availability
- Controller Manager: Runs background reconciliation loops
- etcd: Consistent and highly available key-value store used as Kubernetes' backing store
Node Components
- Kubelet: Agent running on each node that manages pod lifecycles
- Kube-proxy: Maintains network rules for pod communication
- Container runtime: Software responsible for running containers (e.g., containerd, CRI-O)
Advanced Features
-
Horizontal Pod Autoscaler (HPA): Auto-scales Pods up or down based on CPU, memory, or custom metrics. Helps optimize resources during traffic spikes or low-load periods.
-
Persistent Volumes (PV) and Storage Classes: Persistent Volumes (PV) are pre-provisioned or dynamically created storage. Persistent Volume Claims (PVC) requests for storage by applications. Storage Classes define different types of storage (e.g., SSDs vs. HDDs) dynamically.
-
Network Policies: Set rules for which Pods or Namespaces can communicate with each other. Crucial for zero-trust networking and cluster security hardening.
-
Ingress and Traffic Management: Ingress Controllers (NGINX, Traefik) expose Services externally via HTTP(S). It supports path-based and host-based routing, SSL/TLS termination, load balancing, authentication, rate-limiting, and WAF (Web Application Firewall) features.
-
Security and RBAC (Role-Based Access Control): RBAC provides fine-grained permissions for users, groups, and services. Service Accounts secure identities for Pods accessing APIs. Pod Security Admission control security settings like running as non-root & preventing privilege escalation. Network Policies further reinforce communication restrictions.
Observability
Monitoring and logging are critical in production Kubernetes environments.
Popular tools include:
PrometheusandGrafanafor metricsFluentd,Logstash,Lokifor loggingJaeger,OpenTelemetryfor tracing
Helm and Operators
- Helm: Kubernetes package manager that simplifies deployment of complex applications using charts.
- Operators: Custom controllers that extend Kubernetes to manage application lifecycles, especially for stateful apps like databases.
Best Practices
- Use readiness and liveness probes for better pod health checks
- Implement resource requests and limits to manage cluster resources
- Avoid anti-patterns like monolithic pods or tight coupling
- Organize workloads using namespaces, labels, and annotations
- Regularly audit RBAC roles and permissions