
Mastering Kubernetes: A Complete Knowledge Map for Cloud‑Native Engineers

This article presents a comprehensive Kubernetes knowledge map, covering core concepts, container runtime principles, deployment tools, essential components, plugin extensions, image registries, best‑practice optimizations, and service‑mesh options, with curated reference links for each topic.

Alibaba Cloud Native

Docker fundamentals

KVM → ECS – KVM is the hypervisor beneath Alibaba Cloud Elastic Compute Service (ECS) virtual machines; a container host is itself usually one of these VMs. (https://blog.csdn.net/weixin_43695104/article/details/88554443#32_kvm_web_192)

Network tunnel → VPC – tunnelled overlay networking is what gives a Virtual Private Cloud its isolated address space. (https://blog.csdn.net/wangjianno2/article/details/75208036)

Namespace – Linux kernel isolation mechanism (PID, network, mount, UTS, IPC, user) that restricts what a process can see to a subset of system resources. A namespace limits visibility, not the kernel attack surface: every container still shares the host kernel. (https://www.atatech.org/articles/81800)

CGroup – control groups limit and account CPU, memory, block I/O and network bandwidth for a group of processes; namespaces plus cgroups are what a "container" actually is. (https://blog.csdn.net/wudongxu/article/details/8474198)

RootFS (UnionFS) – the file tree of an OS minus the kernel; a container's root filesystem is assembled by a union filesystem (OverlayFS on current hosts) from read‑only image layers plus one writable layer per container. (https://coolshell.cn/articles/17061.html)

Windows Server 2019 – adds Namespace support for Windows containers.
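Because a pod is, at the kernel level, nothing more than processes placed in a cgroup hierarchy by the kubelet, the cgroup path of a process is the fastest way to map a suspicious PID on a node back to its pod and container during incident response. The following is an added example, not code from the original article or from Alibaba Cloud: it parses `/proc/<pid>/cgroup` in both the cgroup v1 (one line per hierarchy) and cgroup v2 (single `0::` line) layouts, and understands both kubelet cgroup drivers (`cgroupfs` paths like `/kubepods/burstable/pod<uid>/<id>` and `systemd` paths like `/kubepods.slice/.../kubepods-burstable-pod<uid>.slice/cri-containerd-<id>.scope`). The sample files are constructed, not captured from a real host.

```python
"""Map a process to its Kubernetes pod and container from /proc/<pid>/cgroup.

Added example; sample inputs below are constructed, not captured from a real node.
"""
import re
from typing import NamedTuple, Optional

# /proc/<pid>/cgroup lines are "hierarchy-ID:controller-list:cgroup-path".
# cgroup v1 emits one line per hierarchy; cgroup v2 emits a single "0::<path>".
# The kubelet lays the path out as
#   cgroupfs driver: /kubepods/<qos>/pod<uid>/<container-id>
#   systemd driver:  /kubepods.slice/kubepods-<qos>.slice/
#                    kubepods-<qos>-pod<uid-with-underscores>.slice/<runtime>-<container-id>.scope
# where the <qos> element is absent for Guaranteed pods.
POD_UID_RE = re.compile(r"pod([0-9a-f]{8}(?:[-_][0-9a-f]{4}){3}[-_][0-9a-f]{12})")
CONTAINER_ID_RE = re.compile(r"([0-9a-f]{64})(?:\.scope)?$")
QOS_RE = re.compile(r"kubepods[-/](burstable|besteffort)")


class ContainerContext(NamedTuple):
    in_kubernetes: bool
    qos_class: Optional[str]     # "guaranteed", "burstable", "besteffort" or None
    pod_uid: Optional[str]       # normalised to the dashed form the API server shows
    container_id: Optional[str]  # 64-hex runtime container ID


def parse_cgroup_path(path: str) -> ContainerContext:
    """Extract pod/container identity from one cgroup path."""
    in_k8s = "kubepods" in path
    pod = POD_UID_RE.search(path)
    cid = CONTAINER_ID_RE.search(path)
    qos = QOS_RE.search(path)
    return ContainerContext(
        in_kubernetes=in_k8s,
        qos_class=qos.group(1) if qos else ("guaranteed" if in_k8s else None),
        pod_uid=pod.group(1).replace("_", "-") if pod else None,
        container_id=cid.group(1) if cid else None,
    )


def parse_proc_cgroup(text: str) -> ContainerContext:
    """Parse a whole /proc/<pid>/cgroup file and return the first pod-scoped path
    (cgroup v2 has one line; on cgroup v1 every hierarchy carries the same path)."""
    fallback = ContainerContext(False, None, None, None)
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        ctx = parse_cgroup_path(parts[2])
        if ctx.in_kubernetes:
            return ctx
        if ctx.container_id and not fallback.container_id:
            fallback = ctx  # plain docker/podman container, not placed by a kubelet
    return fallback


# Constructed sample files (the UIDs and container IDs are made up).
V1_CGROUPFS = (
    "12:memory:/kubepods/burstable/pod1a2b3c4d-1234-5678-9abc-def012345678/"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
    "11:cpu,cpuacct:/kubepods/burstable/pod1a2b3c4d-1234-5678-9abc-def012345678/"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
    "1:name=systemd:/kubepods/burstable/pod1a2b3c4d-1234-5678-9abc-def012345678/"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)
V2_SYSTEMD = (
    "0::/kubepods.slice/kubepods-besteffort.slice/"
    "kubepods-besteffort-pod1a2b3c4d_1234_5678_9abc_def012345678.slice/"
    "cri-containerd-fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210.scope\n"
)
HOST_PROCESS = "0::/user.slice/user-1000.slice/session-1.scope\n"

if __name__ == "__main__":
    for label, sample in (("v1", V1_CGROUPFS), ("v2", V2_SYSTEMD), ("host", HOST_PROCESS)):
        print(label, parse_proc_cgroup(sample))
```

On a live node the same function takes `open(f"/proc/{pid}/cgroup").read()`; the recovered pod UID can then be matched against `kubectl get pods -A -o custom-columns=UID:.metadata.uid,NAME:.metadata.name` and the container ID against the `containerStatuses[].containerID` field.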

Cluster deployment tools

Docker Desktop – convenient local Docker engine for macOS/Windows learning. (https://www.docker.com/products/docker-desktop)

Kubernetes – Alibaba Cloud Container Service provides standard Kubernetes clusters. (http://docs.kubernetes.org.cn/)

Kubernetes Dashboard – web UI for cluster inspection and resource management. (https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/)

EasyPack – collection of scripts to automate Kubernetes and related component installation. (https://github.com/liumiaocn/easypack)

Minikube – lightweight single‑node Kubernetes for local testing. (https://kubernetes.io/docs/tasks/tools/install-minikube/)

Kubernetes command‑line tools

kubectl – primary CLI for interacting with the API server; its kubeconfig carries client credentials, so treat that file like a private key. (http://docs.kubernetes.org.cn/61.html)

kubeadm – fast, opinionated installer that bootstraps a cluster following upstream best practices, generating the cluster CA and per‑component TLS certificates. (https://kubernetes.io/docs/reference/setup-tools/kubeadm/)

Helm – package manager for Kubernetes; applications ship as charts, roughly what rpm/yum packages are to a Linux host. Pin chart versions and review the templates before installing: a chart can create any object the installer's credentials allow.

APP Hub – Alibaba Cloud native application center that syncs official Helm charts. (https://developer.aliyun.com/hub)

CFSSL – open‑source PKI/TLS toolkit for generating cluster certificates. (https://github.com/cloudflare/cfssl)

Image registries

Alibaba Cloud Container Registry – enterprise‑grade private image store. (https://cr.console.aliyun.com/aliyun)

Cloud‑Effect configuration registry – integrates with Alibaba private registry for CI/CD pipelines. (https://cn.aliyun.com/product/yunxiao)

Harbor – open‑source, on‑premise registry for storing and distributing Docker images. (https://goharbor.io)

Control‑plane and node components

kube-apiserver – front end of the control plane; it authenticates, authorizes and validates every API request and persists objects to etcd. In kubeadm clusters it runs as a static pod on the control‑plane node. (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/)

etcd – distributed key‑value store based on the Raft consensus algorithm; it holds the entire cluster state, Secrets included, so restrict network access to it and enable encryption at rest. (https://etcd.io)

kube-scheduler – assigns pods to suitable nodes according to resource constraints. (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/)

kube-controller-manager – runs core controllers such as replication, endpoint, and service account. (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/)

cloud-controller-manager – integrates cloud provider APIs (e.g., SLB, EIP) with the cluster. (https://kubernetes.io/docs/reference/command-line-tools-reference/cloud-controller-manager/)

kubelet – node agent that ensures containers are running as defined by pods. (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)

kube-proxy – per‑node network proxy that realises Service virtual IPs with iptables or IPVS rules. (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/)

Container runtime (CRI) – containerd, CRI‑O or another CRI‑compatible runtime; Docker Engine was reached through the dockershim adapter, which was removed in Kubernetes 1.24.

CoreDNS – cluster DNS service for service discovery. (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)

Ingress controller – Nginx‑based controller used by Alibaba Cloud for HTTP(S) routing. (https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)

Core API objects

Pod – smallest deployable unit that runs one or more containers. (http://docs.kubernetes.org.cn/312.html)

Node – worker machine that runs pods. (http://docs.kubernetes.org.cn/304.html)

Namespace – logical partition for isolating resources. (http://docs.kubernetes.org.cn/242.html)

Deployment – declarative controller for stateless applications; supports rolling updates. (http://docs.kubernetes.org.cn/317.html)

DaemonSet – ensures a copy of a pod runs on every node. (https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)

StatefulSet – manages stateful workloads with stable network IDs. (http://docs.kubernetes.org.cn/443.html)

Job / CronJob – one‑off or scheduled batch tasks. (https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/)

Static Pod – pod run directly by the kubelet from a manifest file on the node's filesystem (kubeadm uses this for the control‑plane components); the kubelet publishes a read‑only mirror pod to the API server, so a static pod cannot be deleted through the API. (https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/)

Horizontal Pod Autoscaler (HPA) – automatically scales pod replicas based on CPU or custom metrics. (https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)

Service – stable network endpoint exposing a set of pods (ClusterIP, NodePort, LoadBalancer). (https://kubernetes.io/docs/concepts/services-networking/service/)

Ingress – HTTP(S) routing rules; Alibaba Cloud provides an Nginx implementation. (https://www.kubernetes.org.cn/1885.html)

Secret – stores sensitive data such as TLS keys or registry credentials. Values are only base64‑encoded in the API, not encrypted, so enable encryption at rest in etcd and restrict get/list/watch on Secrets with RBAC. (https://kubernetes.io/docs/concepts/configuration/secret/)

ServiceAccount – identity for pods to interact with the API server. Its token is mounted into every pod unless automountServiceAccountToken is false, so disable the mount for workloads that never call the API. (https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)

RBAC – role‑based access control for API permissions; prefer namespaced Roles over ClusterRoles and avoid wildcard verbs and resources. (https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

Volume – abstracts storage resources that can be mounted into pods. (https://kubernetes.io/docs/concepts/storage/volumes/)

StorageClass – defines provisioner and parameters for dynamic volume provisioning. (https://kubernetes.io/docs/concepts/storage/storage-classes/)

CustomResourceDefinition (CRD) – extends the Kubernetes API with user‑defined resources.
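Secrets, ServiceAccounts and RBAC only protect the cluster when the bindings are actually tight, and in practice the bindings drift. The following is an added example, not code from the original article or from Alibaba Cloud: it reads the JSON that `kubectl get clusterrolebindings -o json` and `kubectl get clusterroles -o json` print and reports bindings that hand wildcard, escalation (`bind`, `escalate`, `impersonate`) or credential‑reading rights to a default ServiceAccount, to any ServiceAccount, or to a broad group such as system:authenticated. The risk tables and the decision to skip the stock cluster-admin binding are assumptions made for this example; the sample objects are constructed.

```python
"""Flag over-privileged ClusterRoleBindings from kubectl's JSON output.

Added example; the sample objects at the bottom are constructed, not from a real cluster.
"""
from typing import List, Set

# Verbs that let a principal obtain more rights than it already holds.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# (resource, verb) pairs that expose credentials or give code execution.
SENSITIVE = {
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("pods/exec", "create"), ("pods/attach", "create"),
    ("serviceaccounts/token", "create"), ("nodes/proxy", "get"),
}
# Groups that mean "every caller" or "every workload identity in the cluster".
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
# Bindings every cluster ships with (cluster-admin -> Group system:masters); skipped so
# the report only lists what an operator added. Assumption made for this example.
EXPECTED_BINDINGS = {"cluster-admin"}


def role_risks(rules: List[dict]) -> Set[str]:
    """Classify what a (Cluster)Role's rules allow. resourceNames narrowing is ignored,
    so the result is an upper bound that deserves a manual look."""
    risks: Set[str] = set()
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            risks.add("wildcard-admin")
        for verb in verbs & ESCALATION_VERBS:
            risks.add(f"verb:{verb}")
        for res, verb in SENSITIVE:
            if (res in resources or "*" in resources) and (verb in verbs or "*" in verbs):
                risks.add(f"{res}:{verb}")
    return risks


def subject_risk(subject: dict) -> str:
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "Group" and name in BROAD_GROUPS:
        return "broad-group"
    if kind == "ServiceAccount" and name == "default":
        return "default-serviceaccount"  # every pod in that namespace runs as this identity
    if kind == "ServiceAccount":
        return "serviceaccount"
    return "user-or-group"


def audit_bindings(bindings: dict, roles: dict) -> List[dict]:
    """bindings/roles: the documents printed by `kubectl get clusterrolebindings -o json`
    and `kubectl get clusterroles -o json`. RoleBindings that reference a ClusterRole can
    be fed in the same way; bindings that reference a namespaced Role are skipped."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in roles["items"]}
    findings = []
    for binding in bindings["items"]:
        name, ref = binding["metadata"]["name"], binding["roleRef"]
        if ref["kind"] != "ClusterRole" or name in EXPECTED_BINDINGS:
            continue
        risks = role_risks(rules_by_role.get(ref["name"], []))
        if not risks:
            continue
        privileged = "wildcard-admin" in risks or any(r.startswith("verb:") for r in risks)
        for subject in binding.get("subjects", []):
            who = subject_risk(subject)
            # A bounded-but-sensitive role on a named human is a policy decision; on a
            # workload identity or a broad group, or with wildcards/escalation, report it.
            if who == "user-or-group" and not privileged:
                continue
            ns = subject.get("namespace")
            findings.append({
                "binding": name, "role": ref["name"],
                "subject": f'{subject["kind"]}:{ns + "/" if ns else ""}{subject["name"]}',
                "subject_risk": who, "risks": sorted(risks),
            })
    return findings


# Constructed sample objects in kubectl's JSON list shape (not from a real cluster).
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"metadata": {"name": "read-secrets"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}, {"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "monitoring"}, "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "monitoring"}]},
]}

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f["binding"], f["subject"], f["subject_risk"], f["risks"])
```

Against a real cluster, dump both resource lists with `kubectl ... -o json` and pass the parsed documents to `audit_bindings`; the two expected findings on the sample data are the default ServiceAccount in namespace ci holding cluster-admin and every authenticated principal being able to read Secrets.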

Network and storage plugins

CNI plugins (Flannel, Terway) – implement container networking. (https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)

FlexVolume – legacy out‑of‑tree volume plugin interface, superseded by CSI; the linked driver uses it to mount SMB/CIFS shares. (https://github.com/fstab/cifs)

Cloud Provider interface – enables Kubernetes to provision cloud resources (e.g., SLB, disks) via the cloud‑controller-manager.

Best‑practice recommendations for Alibaba Cloud Container Service

Choose master instance types and disk sizes according to workload I/O and HA requirements. (https://yq.aliyun.com/articles/599169, https://yq.aliyun.com/articles/621108)

Select VPC networking mode (VPC‑CNI or classic) that matches pod IP requirements. (https://yq.aliyun.com/articles/594943)

Pick worker node specifications (CPU, memory, local SSD) based on pod density and performance targets. (https://yq.aliyun.com/articles/602932)

Deploy an independent Ingress controller when custom routing or TLS termination is needed.

Adjust master configuration (e.g., API server audit, etcd backup) via the console or CLI. (https://help.aliyun.com/document_detail/123661.html)

Scale worker nodes, restart, remove or add nodes using the Alibaba Cloud console or kubectl scale commands.

Build custom base images and push them to the private registry for faster image pulls.

Integrate Services with Alibaba Cloud SLB for external load balancing.

Enable API server audit logging (an audit policy plus a log or webhook backend) for security compliance and incident investigation. (https://help.aliyun.com/document_detail/91406.html)

Use rolling updates for Deployments and StatefulSets to achieve zero‑downtime releases. (https://yq.aliyun.com/articles/622898)

Configure bastion host permissions per application to restrict SSH access. (https://yq.aliyun.com/articles/715809)

Apply pod anti‑affinity rules or the topologySpreadConstraints field to ensure even pod distribution. (https://yq.aliyun.com/articles/715808)

Implement graceful shutdown: handle SIGTERM (and add a preStop hook where needed) so in‑flight requests complete within terminationGracePeriodSeconds before the container is killed.
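Audit logs are only useful if something reads them. The following is an added example, not code from the original article or from Alibaba Cloud: it scans audit.k8s.io/v1 events (one JSON object per line, as the log backend writes them) and raises alerts for Secret reads by anything other than the control plane and kubelets, `exec`/`attach` into pods, RBAC object changes, successful anonymous requests, and bursts of 403s from one principal, which usually mean enumeration. The allowlist of expected Secret readers, the burst threshold and the sample events are assumptions constructed for this example.

```python
"""Detection rules over Kubernetes API server audit events.

Added example; the sample log is constructed, not captured from a real cluster.
"""
import json
from collections import Counter
from typing import List

# Principals expected to read Secrets during normal control-plane operation
# (assumption for this example; kubelets, "system:node:<name>", are excluded by prefix).
ALLOWED_SECRET_READERS = {"system:kube-controller-manager", "system:kube-scheduler"}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}


def detect(log_lines: List[str], forbidden_threshold: int = 3) -> List[dict]:
    """Scan audit.k8s.io/v1 events (one JSON object per line) and return alerts."""
    alerts: List[dict] = []
    forbidden = Counter()  # 403 count per principal, for enumeration detection
    for raw in log_lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        # exec/attach/watch also log a ResponseStarted event; count each request once.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb", "")
        obj = ev.get("objectRef") or {}
        resource, sub = obj.get("resource", ""), obj.get("subresource", "")
        target = f'{obj.get("namespace") or "-"}/{obj.get("name") or "-"}'
        code = (ev.get("responseStatus") or {}).get("code", 0)
        base = {"auditID": ev.get("auditID"), "user": user, "sourceIPs": ev.get("sourceIPs", [])}
        if code == 403:
            forbidden[user] += 1
            continue
        if user == "system:anonymous" and code < 400:
            alerts.append({**base, "rule": "anonymous-success", "detail": f'{verb} {ev.get("requestURI")}'})
        if (resource == "secrets" and verb in ("get", "list", "watch")
                and user not in ALLOWED_SECRET_READERS and not user.startswith("system:node:")):
            alerts.append({**base, "rule": "secret-read", "detail": f"{verb} secrets {target}"})
        if resource == "pods" and sub in ("exec", "attach") and verb == "create":
            alerts.append({**base, "rule": "pod-exec", "detail": f"{sub} into pod {target}"})
        if resource in RBAC_RESOURCES and verb in ("create", "update", "patch", "delete"):
            alerts.append({**base, "rule": "rbac-change", "detail": f"{verb} {resource} {target}"})
    for user, n in forbidden.items():
        if n >= forbidden_threshold:
            alerts.append({"auditID": None, "user": user, "sourceIPs": [],
                           "rule": "forbidden-burst", "detail": f"{n} forbidden requests"})
    return alerts


def _event(audit_id, user, verb, uri, code, resource=None, ns=None, name=None,
           sub=None, stage="ResponseComplete"):
    """Build a constructed audit event in the Metadata-level audit.k8s.io/v1 shape."""
    obj = {k: v for k, v in {"resource": resource, "namespace": ns, "name": name,
                             "subresource": sub}.items() if v is not None}
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "auditID": audit_id, "stage": stage, "requestURI": uri, "verb": verb,
            "user": {"username": user}, "sourceIPs": ["10.0.0.5"], "objectRef": obj,
            "responseStatus": {"code": code}}


# Constructed sample log (not captured from a real cluster).
SAMPLE_LOG = [json.dumps(e) for e in [
    _event("a1", "system:serviceaccount:dev:default", "get",
           "/api/v1/namespaces/dev/secrets/db-creds", 200, "secrets", "dev", "db-creds"),
    _event("a2", "system:kube-controller-manager", "list", "/api/v1/secrets", 200, "secrets"),
    _event("a3", "alice", "create", "/api/v1/namespaces/dev/pods/web-0/exec", 101,
           "pods", "dev", "web-0", "exec", stage="ResponseStarted"),
    _event("a4", "alice", "create", "/api/v1/namespaces/dev/pods/web-0/exec", 101,
           "pods", "dev", "web-0", "exec"),
    _event("a5", "system:anonymous", "get", "/api/v1/secrets", 403, "secrets"),
    _event("a6", "system:anonymous", "get", "/api/v1/nodes", 403, "nodes"),
    _event("a7", "system:anonymous", "list", "/api/v1/pods", 403, "pods"),
    _event("a8", "bob", "create", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
           201, "clusterrolebindings", None, "bob-admin"),
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["rule"], alert["user"], alert["detail"])
```

Run it over a real file with `detect(open("audit.log").readlines())`; the rules assume an audit policy that records at least Metadata level for secrets, pods/exec and RBAC resources, which is the minimum worth configuring.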

Service governance and CI/CD ecosystem

Istio – leading service mesh for traffic management, security, and observability; supported on Alibaba Cloud. (https://istio.io)

Linkerd – one of the earliest service mesh implementations; the link covers Linkerd 2. (https://linkerd.io/2/overview/)

Cloud‑Effect – Alibaba Cloud CI/CD platform that integrates with Container Service. (https://www.aliyun.com/product/yunxiao)

Jenkins – widely used open‑source CI/CD server; can be installed with one‑click on Alibaba Cloud. (https://jenkins.io/zh/)

Original technical reference: https://developer.aliyun.com/article/715805

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Kubernetes, best practices, Container Service, Deployment Tools
Written by

Alibaba Cloud Native

We publish cloud-native tech news, curate in-depth content, host regular events and live streams, and share Alibaba product and user case studies. Join us to explore and share the cloud-native insights you need.
