Master Kubernetes Basics: Pods, Services, Deployments, and More

Pod – Instance

A Pod is a tightly coupled group of containers that share network and filesystem namespaces, enabling inter‑process communication via localhost. Each Pod receives a unique IP address.

Multiple containers share IPC, network, and UTS namespaces.

All containers can access shared volumes.

Graceful termination: SIGTERM is sent, then after a grace period the pod is force‑stopped.

Privileged containers (via securityContext) can modify system settings.

Restart policies: Always, OnFailure, Never.

Image pull policies: Always, IfNotPresent, Never.

Resource limits: requests and limits for CPU and memory.

Health checks: livenessProbe (container alive) and readinessProbe (ready to receive traffic).

Init containers run before app containers for initialization.

Lifecycle hooks: postStart and preStop.

Namespace – Logical Partition

Namespaces group resources such as Pods, Services, ReplicaSets, and Deployments, allowing multi‑tenant isolation. System‑wide resources like Nodes and PersistentVolumes are not namespaced.

Common commands:

# List all namespaces
kubectl get namespace</code>
<code># Create a namespace
kubectl create namespace ns-name</code>
<code># Delete a namespace
kubectl delete namespace ns-name

When deleting a namespace, remember:

All resources within the namespace are removed.

The default and kube-system namespaces cannot be deleted.

PersistentVolumes are cluster‑wide; only PersistentVolumeClaims belong to a namespace.

Events belong to the namespace of the object that generated them.

Node – Host Machine

A Node is the physical or virtual host where Pods run. Each Node must run a container runtime (e.g., Docker), kubelet, and kube-proxy.

Common node commands:

# List all nodes
kubectl get nodes</code>
<code># Mark a node unschedulable
kubectl cordon $nodename</code>
<code># Mark a node schedulable again
kubectl uncordon $nodename

Taint & Toleration

Use kubectl taint to add a taint to a node, preventing Pods without matching tolerations from being scheduled. NoSchedule: Pods are not scheduled onto the node. PreferNoSchedule: Scheduler tries to avoid the node. NoExecute: Existing Pods are evicted and new Pods are not scheduled.

Pods can declare tolerations to accept these taints.

Service – Stable Network Endpoint

Services expose a set of Pods via a stable virtual IP and optional DNS name, enabling service discovery and load balancing. ClusterIP (default): internal virtual IP. NodePort: exposes NodeIP:NodePort externally. LoadBalancer: provisions an external load balancer via the cloud provider. ExternalName: maps to an external DNS name.

Existing services can be added to a cluster by creating the Service object without a label selector and manually adding endpoints.

Volume – Data Persistence

Volumes provide persistent storage for containers. Their lifecycle is tied to the Pod; data survives container restarts but is deleted when the Pod is removed (except for certain volume types). emptyDir: lives as long as the Pod exists. hostPath: mounts a directory from the Node. NFS, glusterfs, cephfs: network file systems with durable data. subPath: shares a volume among multiple containers. secret: stores sensitive data. persistentVolumeClaim: binds a PersistentVolume to a Pod.

PersistentVolume (PV) – Cluster‑Wide Storage

PV is a cluster‑level storage resource. PVCs request storage from PVs.

Access modes: ReadWriteOnce, ReadOnlyMany, ReadWriteMany.

Reclaim policies: Retain, Recycle (NFS/HostPath only), Delete.

Deployment – Managing Stateless Applications

Deployments create and manage ReplicaSets, handling rolling updates, rollbacks, scaling, and pause/resume.

Typical commands:

# Create a Deployment
kubectl run www --image=10.0.0.183:5000/hanker/www:0.0.1 --port=8080</code>
<code># List Deployments
kubectl get deployment --all-namespaces</code>
<code># Describe a Deployment
kubectl describe deployment www</code>
<code># Edit a Deployment
kubectl edit deployment www</code>
<code># Delete a Deployment
kubectl delete deployment www</code>
<code># Scale replicas
kubectl scale deployment/www --replicas=2</code>
<code># Update image
kubectl set image deployment/nginx-deployment nginx=nginx:1.9.1</code>
<code># Rollback
kubectl rollout undo deployment/nginx-deployment</code>
<code># Check rollout status
kubectl rollout status deployment/nginx-deployment</code>
<code># Enable HPA
kubectl autoscale deployment nginx-deployment --min=10 --max=15 --cpu-percent=80</code>
<code># Pause update
kubectl rollout pause deployment/nginx-deployment</code>
<code># Resume update
kubectl rollout resume deployment/nginx-deployment

Update strategy ( .spec.strategy) can be RollingUpdate (default) or Recreate. Deployments manage ReplicaSets: a new ReplicaSet is created on update, and Pods are migrated from the old to the new set.

StatefulSet – Managing Stateful Applications

StatefulSets provide stable network IDs, stable storage via PVCs, ordered deployment and scaling, and ordered termination.

Update policies: OnDelete (manual pod deletion) and RollingUpdate (automatic, reverse‑order).

DaemonSet – Run a Pod on Every Node

DaemonSets ensure a copy of a Pod runs on each (or selected) Node, useful for log collection, monitoring, or system services.

Node selection can use nodeSelector, nodeAffinity, or podAffinity. Update strategies are OnDelete and RollingUpdate.

Ingress – External Load Balancing

Ingress provides external HTTP/HTTPS routing to Services, requiring an Ingress Controller (e.g., nginx, traefik, Kong, OpenResty) to implement the rules.

Job & CronJob – Batch and Scheduled Tasks

Jobs run short‑lived one‑off tasks until completion. CronJobs schedule Jobs similarly to Linux crontab.

Horizontal Pod Autoscaler (HPA) – Automatic Scaling

HPA adjusts the number of Pods based on CPU, memory, or custom metrics. The controller checks metrics every 30 seconds (configurable).

Supported metric types: resource metrics (CPU, memory), custom pod metrics, custom object metrics.

Metric sources: Heapster or custom REST APIs.

Example command:

kubectl autoscale deployment php-apache --cpu-percent=50 --min=1 --max=10

Service Account – Pod Identity

Service Accounts provide an identity for Pods to call the Kubernetes API. Authorization is handled via RBAC (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings).

Secret – Storing Sensitive Data

ServiceAccount

token (auto‑mounted). Opaque (base64‑encoded key/value). kubernetes.io/dockerconfigjson (Docker registry credentials).

ConfigMap – Non‑Sensitive Configuration

ConfigMaps store key‑value configuration data and can be consumed as environment variables, command‑line arguments, or mounted as files.

# Create a ConfigMap from a file, directory, or literal
kubectl create configmap my-config --from-file=path/
kubectl create -f configmap.yaml

Resource Quota – Limiting Resource Consumption

ResourceQuotas restrict the amount of compute, storage, and object counts a Namespace can consume.

Compute: cpu, memory (requests and limits).

Storage: requests.storage, PVC count, storage class usage.

Object counts: Pods, ReplicationControllers, ConfigMaps, Secrets, Services, etc.

Quotas are applied per Namespace; only one ResourceQuota object can exist per Namespace.