#Kubernetes
136 posts

Deployment and ReplicaSet
Covers declarative deployment and rolling updates: the relationship among the three tiers Deployment / ReplicaSet / Pod, self-healing with `replicas: 3`, RollingUpdate's maxSurge / maxUnavailable, rollback with `rollout undo`, and the workloads a Deployment does not solve (StatefulSet · DaemonSet · Job), all in one place.

Health Checks
A walkthrough of how Kubernetes judges whether a container is alive and ready to receive traffic. It covers the role separation of the three probes, liveness · readiness · startup; the httpGet · tcpSocket · exec check methods; tuning parameters such as initialDelaySeconds · periodSeconds · failureThreshold; the cascading failure that follows when a liveness probe checks an external dependency; and graceful shutdown with terminationGracePeriodSeconds and the preStop hook.

Ingress and the Ingress Controller
An abstraction for how external traffic reaches a Service inside the cluster. It covers the two-layer separation of the Ingress object and the Ingress Controller, host · path · pathType-based routing, TLS termination and cert-manager, IngressClass, and the successor standard, the Gateway API.

kubectl and Your First Pod
Build the mental model of kubectl and bring up your first Pod. From one imperative `kubectl run` cycle to a declarative YAML manifest, the everyday commands get / describe / logs / exec, the Pod lifecycle, and common failure patterns such as ImagePullBackOff · CrashLoopBackOff.

Local Environment
Choose between minikube · kind · Docker Desktop k8s. Compares how each option works and the pros and cons of each, then installs kubectl, brings up your first cluster with kind, and checks the nodes and system Pods, all in one pass.

Namespace and Labels
Lays out the model of splitting one cluster into namespaces and the syntax of labels and selectors: the limits of `default`, the four system namespaces, the namespace as the unit of RBAC · ResourceQuota · NetworkPolicy, the `kubens` operational tip, the `app.kubernetes.io/*` standard labels, and the selector syntax of `kubectl -l`, closing Part 1.

PV / PVC / StorageClass
A walkthrough of the persistent-data model that survives beyond a Pod's lifecycle. The PV · PVC · StorageClass triangle, static · dynamic provisioning, accessModes (RWO · RWX · RWOP), reclaimPolicy, volumeBindingMode's WaitForFirstConsumer, allowVolumeExpansion, and what a StatefulSet's volumeClaimTemplates creates on top of this model.

resources.requests / limits
A walkthrough of the model of how a container requests CPU and memory and how it's given an upper bound. The separation of requests and limits, the QoS classes (Guaranteed · Burstable · BestEffort), the difference in behavior between CPU throttling and memory OOMKilled, the cgroup awareness of the JVM · Go runtimes, the namespace policies of LimitRange · ResourceQuota, and the operational cycle of setting initial values and adjusting them.

Service
The abstraction that solves the problem of Pod IPs being temporary — the Service. A stable ClusterIP · selector · Endpoints / EndpointSlice, the criteria for choosing among the three types ClusterIP · NodePort · LoadBalancer, kube-proxy's DNAT, and CoreDNS's short-name resolution.

StatefulSet / DaemonSet / Job / CronJob
A walkthrough of the controllers that handle the four kinds of workload Deployment's stateless assumption cannot express. StatefulSet's identity and 1:1 PVC, DaemonSet's one-per-node model, Job's termination model, and CronJob's cron scheduling with the concurrencyPolicy · startingDeadlineSeconds safeguards.

What Kubernetes Is
Why you need a container orchestrator. Written for a reader who has used Docker / docker-compose, this chapter lays out the five limits of single-container tooling, the declarative desired state + reconcile loop model, the big picture of control plane / worker node, and the scope of the book.

Certified Kubernetes Administrator (CKA) #9 RBAC: Role/ClusterRole, RoleBinding, ServiceAccount, kubectl auth can-i
The ninth post in the Certified Kubernetes Administrator (CKA) series. We dig deep into RBAC, the mechanism that decides who can do what, from an operator's perspective. We'll cover the combination rules of Role and ClusterRole with RoleBinding and ClusterRoleBinding, the structure of subjects (User/Group/ServiceAccount) and rules (apiGroups/resources/verbs), how to build them fast with kubectl create, how to verify permissions with kubectl auth can-i and --as, and the flow of wiring the user we created in [#8](/en/posts/cka-8) into RBAC.