Master Kubernetes: From Core Concepts to Advanced Deployments and Autoscaling

1. Kubernetes Overview

Kubernetes (K8s) is an open‑source platform for automating deployment, scaling, and management of containerized applications. It consists of a control plane (kube‑apiserver, etcd, scheduler, controller‑manager, cloud‑controller‑manager) and worker nodes (kubelet, kube‑proxy, container runtime).

External Interfaces

kubectl : command‑line client for the API server.

CI/CD systems : invoke the API to automate deployments.

SDKs : integrate applications with the API.

Control Plane Components

kube‑apiserver – unified REST entry point.

etcd – distributed key‑value store for cluster state.

kube‑scheduler – assigns new Pods to Nodes.

kube‑controller‑manager – runs built‑in controllers (ReplicaSet, Job, etc.).

cloud‑controller‑manager – integrates cloud provider services.

Worker Node Components

kubelet – communicates with the API server and starts Pods.

kube‑proxy – maintains network rules for Service discovery and load balancing.

Container runtime – Docker, containerd, or CRI‑O.

2. Installing Kubernetes Tools

Install kubectl

curl -LO "https://dl.k8s.io/release/$(curl -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin/
kubectl version --client

Install Minikube

curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube

Start a Local Cluster

minikube start

Verify Nodes

kubectl get nodes

3. Core Kubernetes Resources

Pod

A Pod is the smallest deployable unit; it encapsulates one or more containers that share network, storage, and lifecycle.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
  - name: nginx
    image: nginx:1.24
    ports:
    - containerPort: 80

Pod lifecycle phases: Pending, Running, Succeeded, Failed, Unknown.

# Create
kubectl apply -f nginx-pod.yaml
# List
kubectl get pods
# Describe
kubectl describe pod nginx-pod
# Delete
kubectl delete pod nginx-pod

Deployment

Deployments manage stateless applications, ensuring a desired replica count, supporting rolling updates, rollbacks, and self‑healing.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.24
        ports:
        - containerPort: 80

# Apply
kubectl apply -f nginx-deploy.yaml
# View
kubectl get deployments
kubectl describe deployment my-nginx
# List Pods managed by the Deployment
kubectl get pods -l app=nginx

Rolling update example (upgrade to nginx 1.25): modify the image field, then re‑apply and optionally view rollout history or undo.

# Update image
kubectl set image deployment/my-nginx nginx=nginx:1.25
# View history
kubectl rollout history deployment my-nginx
# Roll back if needed
kubectl rollout undo deployment my-nginx

Service

Services provide a stable network endpoint for a set of Pods, handling service discovery and load balancing.

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: ClusterIP

Common Service types:

ClusterIP – internal virtual IP (default).

NodePort – exposes the Service on each Node’s port.

LoadBalancer – provisions an external cloud load balancer.

ExternalName – maps to an external DNS name.

Ingress

Ingress resources define HTTP/HTTPS routing rules that map external requests to Services. An Ingress controller (e.g., Nginx, Traefik) implements the actual traffic handling.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /web
        pathType: Prefix
        backend:
          service:
            name: my-web
            port:
              number: 80

HTTPS support requires a TLS secret:

kubectl create secret tls tls-secret \
  --cert=example.com.crt \
  --key=example.com.key -n default

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: "/"
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: my-web
            port:
              number: 80

ConfigMap

ConfigMap stores non‑sensitive configuration data.

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
data:
  color: blue
  lang: zh

Inject as environment variables:

env:
- name: COLOR
  valueFrom:
    configMapKeyRef:
      name: my-config
      key: color

Or mount as a file:

volumeMounts:
- name: config-volume
  mountPath: /etc/config
volumes:
- name: config-volume
  configMap:
    name: my-config

Secret

Secret stores sensitive data (Base64‑encoded).

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: MTIzNDU2   # "123456" encoded

Inject as environment variable:

env:
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: my-secret
      key: password

Or mount as a file:

volumeMounts:
- name: secret-volume
  mountPath: /etc/secret
volumes:
- name: secret-volume
  secret:
    secretName: my-secret

PersistentVolumeClaim (PVC)

PVC requests persistent storage for Pods, abstracting the underlying PersistentVolume (PV).

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

Use the PVC in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-with-pvc
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: web-data
  volumes:
  - name: web-data
    persistentVolumeClaim:
      claimName: my-pvc

Namespace

Namespaces provide logical isolation for resources, enabling separate environments (dev, test, prod) and scoped RBAC.

# Create a namespace
kubectl create namespace dev
# Deploy into the namespace
kubectl run nginx --image=nginx -n dev
# List Pods in the namespace
kubectl get pods -n dev

RBAC (Role‑Based Access Control)

RBAC defines who can perform which actions on which resources.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: dev
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

CronJob

CronJob runs periodic tasks similar to Linux crontab.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello-cronjob
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - "echo \"Hello from CronJob at $(date)\""
          restartPolicy: OnFailure

Horizontal Pod Autoscaler (HPA)

HPA automatically scales the number of Pod replicas based on CPU utilization or custom metrics.

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50

Ensure the Metrics Server is installed:

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

Deploy a sample workload and apply the HPA:

kubectl apply -f deployment.yaml
kubectl apply -f hpa.yaml
kubectl get hpa

If the cluster lacks sufficient Node capacity, pending Pods appear. Resolve by adding Nodes manually or enabling a Cluster Autoscaler, which automatically provisions additional Nodes in supported cloud environments.