Mastering Kubernetes: Core Concepts from Pods to Network Architecture

Container Operations Goal

Kubernetes (k8s) is an open‑source platform that automates container operations such as deployment, replication, scaling, and scheduling across a cluster of nodes.

Key Functions

Automated container deployment and replication.

Real‑time elastic scaling of container workloads.

Container orchestration with built‑in load balancing.

Core Components

kubectl : command‑line client that serves as the entry point for cluster operations.

kube‑apiserver : REST API server that acts as the control plane’s front end.

kube‑controller‑manager : runs background controllers that maintain node status, pod counts, and service‑pod relationships.

kube‑scheduler : assigns newly created pods to suitable nodes based on resource availability.

etcd : highly available, strongly consistent key‑value store used for configuration sharing and service discovery.

kube‑proxy : runs on each node to implement pod network proxying, periodically syncing service information from etcd.

kubelet : node‑level agent that receives pod assignments, manages container lifecycles, and reports status to the apiserver.

DNS (optional) : provides DNS records for each Service so pods can reach services via DNS names.

Four‑Layer Service Discovery

Kubernetes offers two native service‑discovery methods:

Environment variables : when a pod is created, kubelet injects environment variables for every Service in the cluster. This requires the Service to exist before the pod, limiting practical use.

DNS : a cluster add‑on (e.g., CoreDNS) creates DNS entries for Services, enabling pods to resolve service names via standard DNS queries.

Both methods operate at the transport layer (TCP/UDP) and rely on the underlying four‑layer network.

Five Pod Shared Resources

A pod is the smallest deployable unit in Kubernetes, grouping one or more tightly coupled containers that share several namespaces and storage resources.

PID namespace : containers in the same pod can see each other's process IDs.

Network namespace : containers share a single IP address and port range.

IPC namespace : containers can communicate via SystemV IPC or POSIX message queues.

UTS namespace : containers share the same hostname.

Volumes : containers can mount the same persistent storage defined at the pod level.

Six Common CNI Plugins

The Container Network Interface (CNI) defines a standard for configuring network interfaces in Linux containers. It focuses on network connectivity and resource cleanup, allowing many different networking models to be implemented as plugins.

Seven‑Layer Load Balancing

Load balancing in an IDC (Internet Data Center) involves multiple network devices. Kubernetes originally exposed services via NodePort, binding a port on each node, which has drawbacks such as port exhaustion and limited firewall rule applicability.

Ingress provides a Layer‑7 (application‑layer) solution, typically backed by an external load balancer like Nginx, allowing a single external port (e.g., 80) to route traffic based on host or URL to the appropriate service.

Layer 2 : MAC‑address based balancing.

Layer 3 : IP‑address based balancing.

Layer 4 : IP + port based balancing.

Layer 7 : URL or application‑layer information based balancing (Ingress).

Eight Isolation Dimensions

Kubernetes scheduling must respect isolation at multiple granularities, from coarse‑grained data‑center boundaries down to fine‑grained pod‑level constraints.

Nine Network Model Principles

The Kubernetes network model follows several foundational principles:

Every pod receives a unique IP address (IP‑per‑Pod model) and can communicate directly with any other pod without NAT.

Pods share a network stack, allowing containers within the same pod to reach each other via localhost.

Service discovery, load balancing, and port allocation are built on this flat, routable IP space.

The accompanying architecture diagram illustrates how external traffic enters the cluster, traverses the various isolation layers, and reaches the pod‑level IP addresses.