Kubernetes Architecture Overview
KubernetesArchitectureControl PlaneWorker NodeEtcdAPI Server Beginner 9 min read

Kubernetes Architecture Overview

Understand the complete Kubernetes architecture — Control Plane components (API Server, etcd, Scheduler, Controller Manager) and Worker Node components (kubelet, kube-proxy, container runtime).

07 — Kubernetes Architecture Overview

“To understand how to use Kubernetes effectively, you must first understand how it is built.”

📌 Table of Contents

High-Level Architecture

A Kubernetes cluster consists of two types of machines:

  1. Control Plane (Master) — the brain that manages the cluster
  2. Worker Nodes — the machines that run your application containers
graph TD subgraph "☸️ Kubernetes Cluster" subgraph "🧠 Control Plane (Master Node)" API["🔌 API Server\n(kube-apiserver)"] ETCD[("🗄️ etcd\n(Cluster Store)")] SCH["📅 Scheduler\n(kube-scheduler)"] CM["🎛️ Controller Manager\n(kube-controller-manager)"] CCM["☁️ Cloud Controller\nManager"] API <--> ETCD API --> SCH API --> CM API --> CCM end subgraph "🖥️ Worker Node 1" K1["⚙️ kubelet"] KP1["🔀 kube-proxy"] CR1["🐳 Container Runtime"] P1["📦 Pod A"] P2["📦 Pod B"] K1 --> CR1 CR1 --> P1 & P2 end subgraph "🖥️ Worker Node 2" K2["⚙️ kubelet"] KP2["🔀 kube-proxy"] CR2["🐳 Container Runtime"] P3["📦 Pod C"] P4["📦 Pod D"] K2 --> CR2 CR2 --> P3 & P4 end subgraph "🖥️ Worker Node 3" K3["⚙️ kubelet"] KP3["🔀 kube-proxy"] CR3["🐳 Container Runtime"] P5["📦 Pod E"] K3 --> CR3 CR3 --> P5 end API <-->|"Watch &\nReport"| K1 & K2 & K3 end DEV["👨‍💻 Developer\nkubectl"] -->|"HTTPS\nREST API"| API style API fill:#326ce5,color:#fff style ETCD fill:#e74c3c,color:#fff style SCH fill:#8e44ad,color:#fff style CM fill:#27ae60,color:#fff style DEV fill:#f0f0f0,stroke:#999

The Control Plane

The Control Plane is the set of components that manage the overall state of the cluster. In production, the control plane is typically run on dedicated machines, separate from worker nodes.

graph LR subgraph "🧠 Control Plane Components" A["🔌 kube-apiserver\n─────────────────\nFront door to K8s\nAll REST calls go here\nAuthentication · Validation"] B[("🗄️ etcd\n─────────────────\nKey-value store\nAll cluster state\nSource of truth")] C["📅 kube-scheduler\n─────────────────\nWatches for unscheduled pods\nPicks best node\nBased on resources + constraints"] D["🎛️ kube-controller-manager\n─────────────────\nRuns control loops\nNode · Replication\nEndpoints · Service Account"] E["☁️ cloud-controller-manager\n─────────────────\nCloud-specific logic\nLoad Balancers · Volumes\nNode lifecycle"] A <--> B A --> C A --> D A --> E end

1. API Server (kube-apiserver)

The API Server is the single entry point for all operations in the Kubernetes cluster. Every component communicates through it.

flowchart TD subgraph "Everyone talks to the API Server" CLI["💻 kubectl\n(Developer)"] UI["🖥️ Dashboard\n(Web UI)"] SCHED["📅 Scheduler"] CTRL["🎛️ Controller Manager"] KUBELET["⚙️ kubelet\n(on each node)"] EXTERNAL["🔌 External Tools\n(Helm, Argo CD)"] end API["🔌 kube-apiserver\n─────────────────────\n✅ Authentication (who are you?)\n✅ Authorisation (what can you do?)\n✅ Admission Control (is this valid?)\n✅ Read/Write from etcd"] CLI & UI & SCHED & CTRL & KUBELET & EXTERNAL --> API style API fill:#326ce5,color:#fff

Key responsibilities:

  • Exposes the Kubernetes API (REST + gRPC)
  • Authenticates and authorises all requests (RBAC)
  • Validates and stores objects in etcd
  • Horizontally scalable (can run multiple API server instances)

2. etcd

etcd is a distributed, consistent key-value store that serves as Kubernetes’ backing store for all cluster state.

graph TD subgraph "What's Stored in etcd?" E1["📋 All Pod specs"] E2["📋 Node information"] E3["📋 ConfigMaps & Secrets"] E4["📋 Service accounts & RBAC rules"] E5["📋 Deployment configurations"] E6["📋 Current cluster state"] end ETCD[("🗄️ etcd\n(Distributed KV Store)\nConsistency: Raft consensus\nBacked up for DR")] E1 & E2 & E3 & E4 & E5 & E6 --> ETCD WARN["⚠️ CRITICAL: etcd is the\nsource of truth.\nAlways back it up!"] style ETCD fill:#e74c3c,color:#fff style WARN fill:#f39c12,color:#fff

⚠️ If etcd data is lost, the entire cluster state is lost. In production, run etcd as a highly available cluster (3 or 5 nodes) and take regular backups.

3. Scheduler (kube-scheduler)

The Scheduler decides which node a newly created pod should run on.

flowchart TD NEW_POD["📦 New Pod Created\n(No node assigned yet)"] FILTER["🔍 Filtering Phase\nEliminate nodes that\ncannot run the pod:\n• Not enough CPU/memory\n• Taints & tolerations\n• Node affinity rules\n• Port conflicts"] SCORE["📊 Scoring Phase\nRank remaining nodes:\n• Least resource usage\n• Data locality\n• Pod spread / affinity\n• Custom priorities"] ASSIGN["✅ Bind Pod to\nHighest-Scoring Node"] NEW_POD --> FILTER --> SCORE --> ASSIGN style NEW_POD fill:#326ce5,color:#fff style ASSIGN fill:#27ae60,color:#fff

Scheduling Constraints You Can Set

ConstraintWhat it Does
Resource requests“I need at least 500m CPU and 256Mi RAM”
Node selector“Run only on nodes labelled gpu=true
Node affinity“Prefer nodes in us-east-1a
Pod affinity“Run near my cache pod”
Pod anti-affinity“Don’t run two replicas on the same node”
Taints & Tolerations“Avoid GPU nodes unless I explicitly tolerate it”

4. Controller Manager (kube-controller-manager)

The Controller Manager runs a collection of control loops that watch the cluster state and make changes to move it toward the desired state.

graph TD subgraph "🎛️ kube-controller-manager\n(One binary, many controllers)" NC["🖥️ Node Controller\nMonitors node health\nMarks nodes as NotReady"] RC["📋 Replication Controller\nEnsures correct number\nof pod replicas"] EP["🔌 Endpoints Controller\nPopulates Service endpoints\n(Pod IPs)"] SA["🔑 Service Account\nController\nCreates default accounts\nfor new namespaces"] JOB["📋 Job Controller\nManages batch jobs\nand their pods"] end LOOP["♾️ Control Loop Pattern:\nWatch → Diff → Act"] NC & RC & EP & SA & JOB --> LOOP style LOOP fill:#326ce5,color:#fff

The Control Loop Pattern

flowchart LR WATCH["👁️ WATCH\nObserve current\ncluster state"] --> DIFF["⚖️ DIFF\nCompare with\ndesired state"] DIFF -->|"Drift detected"| ACT["🔧 ACT\nMake changes to\nreconcile state"] ACT --> WATCH style WATCH fill:#3498db,color:#fff style DIFF fill:#f39c12,color:#fff style ACT fill:#27ae60,color:#fff

5. Cloud Controller Manager

Manages cloud-provider-specific integrations — creating load balancers, volumes, and handling node lifecycle with the cloud API.

Cloud OperationExample
Load BalancerCreates an AWS ELB when you create a LoadBalancer Service
Node lifecycleRemoves a node from the cluster when its cloud VM is deleted
Storage volumesProvisions an EBS volume for a PersistentVolumeClaim
Route configurationSets up VPC routes for pod networking

Worker Nodes

Worker Nodes (also called data-plane nodes) are the machines where your application containers actually run. Each node runs three key components:

graph TD subgraph "🖥️ Worker Node" KB["⚙️ kubelet\n─────────────────\nNode agent\nTalks to API Server\nManages Pods on this node\nRuns health probes"] KP["🔀 kube-proxy\n─────────────────\nNetwork proxy\nManages iptables rules\nEnables Service networking\nLoad balances pod traffic"] CR["🐳 Container Runtime\n─────────────────\nActually runs containers\ncontainerd · CRI-O · Docker"] P1["📦 Pod 1\n├── Container A\n└── Container B"] P2["📦 Pod 2\n└── Container C"] KB --> CR --> P1 & P2 KP -.->|"Network rules\nfor Services"| P1 & P2 end API["🔌 API Server"] API <-->|"Watch pod specs\nReport status"| KB API -->|"Watch services\nUpdate rules"| KP

1. kubelet

The kubelet is the primary node agent running on every worker node. It is responsible for everything on its node.

flowchart TD API_SERVER["🔌 API Server\n(Control Plane)"] KUBELET["⚙️ kubelet"] API_SERVER -->|"Assigned PodSpec\n(YAML)"| KUBELET KUBELET --> PULL["📥 Pull container\nimage (if not cached)"] KUBELET --> START["▶️ Start container\nvia Container Runtime"] KUBELET --> PROBE["🏥 Run liveness &\nreadiness probes"] KUBELET --> REPORT["📊 Report pod status\nback to API Server"] KUBELET --> VOL["💾 Mount volumes\nand secrets"] style KUBELET fill:#326ce5,color:#fff

Key facts about kubelet:

  • Registers the node with the API Server
  • Does NOT manage containers not created by Kubernetes
  • Runs as a system daemon (not as a pod)

2. kube-proxy

kube-proxy runs on every node and maintains network rules (iptables / IPVS) that enable the Kubernetes Service abstraction.

graph TD subgraph "kube-proxy Networking" SVC["🌐 Service\nproduct-service:8080\nClusterIP: 10.96.45.23"] KP["🔀 kube-proxy\nMaintains iptables rules"] P1["📦 Pod 1\n10.244.1.5:8080"] P2["📦 Pod 2\n10.244.2.8:8080"] P3["📦 Pod 3\n10.244.3.2:8080"] CLIENT["📱 Any Pod\ncurl product-service:8080"] CLIENT -->|"Traffic to ClusterIP"| KP KP -->|"Rule: forward to\none of these pods"| P1 KP -->|"Round-robin\nload balance"| P2 KP --> P3 SVC -->|"Watches endpoint\nchanges"| KP end style KP fill:#8e44ad,color:#fff style SVC fill:#326ce5,color:#fff

3. Container Runtime

The Container Runtime is the software that actually runs containers on the node. Kubernetes uses the Container Runtime Interface (CRI) to support multiple runtimes.

RuntimeDescriptionUsed By
containerdLightweight, CNCF graduatedMost clusters (default in K8s 1.20+)
CRI-OOCI-compliant, minimalRed Hat OpenShift
Docker EngineVia dockershim (deprecated K8s 1.24+)Legacy setups
graph TD KUBELET["⚙️ kubelet"] CRI["🔌 CRI Interface\n(Container Runtime Interface)"] CONTAINERD["🐳 containerd"] CRIO["🔵 CRI-O"] OCI["📋 OCI Spec\n(Open Container Initiative)"] RUNC["⚙️ runc\n(Low-level container runtime)"] KUBELET --> CRI CRI --> CONTAINERD & CRIO CONTAINERD & CRIO --> OCI --> RUNC style CRI fill:#326ce5,color:#fff style RUNC fill:#27ae60,color:#fff

Add-ons

Add-ons extend the functionality of Kubernetes. Some are essential (like DNS), others are optional.

Add-onPurposeRequired?
CoreDNSDNS resolution within the cluster✅ Essential
kube-dashboardWeb UI for cluster managementOptional
Metrics ServerCPU/memory metrics for HPAOptional (needed for HPA)
CNI Plugin (Calico/Flannel)Pod networking✅ Essential
Ingress ControllerHTTP routing for ServicesOptional
cert-managerTLS certificate automationOptional

Communication Flow

How a kubectl apply Actually Works

sequenceDiagram participant USER as 👨‍💻 Developer participant CTL as 💻 kubectl participant API as 🔌 API Server participant ETCD as 🗄️ etcd participant SCHED as 📅 Scheduler participant CM as 🎛️ Controller Manager participant KUBELET as ⚙️ kubelet participant CR as 🐳 Container Runtime participant POD as 📦 Pod USER->>CTL: kubectl apply -f deployment.yaml CTL->>API: POST /apis/apps/v1/deployments\n(with auth token) API->>API: Authenticate + Authorise + Validate API->>ETCD: Store Deployment object ETCD-->>API: Stored ✅ API->>CM: Deployment created event CM->>CM: ReplicaSet controller fires\nCreate 3 pods CM->>API: Create Pod objects (no node assigned) API->>ETCD: Store Pod objects API->>SCHED: Unscheduled pods detected SCHED->>SCHED: Filter + Score nodes SCHED->>API: Bind Pod → Node 2 API->>KUBELET: (Node 2 kubelet watches API)\nNew pod assigned KUBELET->>CR: Pull image + create container CR-->>KUBELET: Container started ✅ KUBELET->>API: Report pod status = Running API->>ETCD: Update pod status API-->>CTL: Deployment ready ✅ CTL-->>USER: deployment.apps/my-app created

kubectl — Your Interface to Kubernetes

kubectl is the command-line tool that allows you to interact with the Kubernetes cluster via the API Server.

# Cluster information
kubectl cluster-info
kubectl get nodes

# Working with pods
kubectl get pods
kubectl get pods -n kube-system          # System pods
kubectl describe pod <pod-name>
kubectl logs <pod-name>
kubectl exec -it <pod-name> -- /bin/sh

# Deploying applications
kubectl apply -f deployment.yaml
kubectl delete -f deployment.yaml

# Scaling
kubectl scale deployment my-app --replicas=5

# Rolling update
kubectl set image deployment/my-app my-app=myimage:v2.0
kubectl rollout status deployment/my-app
kubectl rollout undo deployment/my-app

Architecture Summary

graph TD subgraph "📋 Control Plane — The Brain" APIS["🔌 API Server\nAll communication hub"] ECTD[("🗄️ etcd\nCluster state store")] SCHD["📅 Scheduler\nDecides where pods run"] CTRLM["🎛️ Controller Manager\nReconciles desired state"] CCMGR["☁️ Cloud Controller\nCloud integrations"] end subgraph "🖥️ Worker Nodes — The Muscles" KBL["⚙️ kubelet\nNode agent, runs pods"] KPXY["🔀 kube-proxy\nNetwork rules"] CRT["🐳 Container Runtime\nRuns containers"] end subgraph "👨‍💻 Clients" KCLT["💻 kubectl"] DASH["🖥️ Dashboard"] HELM["📦 Helm / Argo CD"] end KCLT & DASH & HELM -->|REST API| APIS APIS <--> ECTD APIS --> SCHD & CTRLM & CCMGR APIS <-->|"Watch & Report"| KBL APIS --> KPXY KBL --> CRT style APIS fill:#326ce5,color:#fff style ECTD fill:#e74c3c,color:#fff style SCHD fill:#8e44ad,color:#fff style CTRLM fill:#27ae60,color:#fff

Component Quick Reference

ComponentTypeRole
kube-apiserverControl PlaneREST API gateway — all requests go through here
etcdControl PlaneKey-value store — source of truth for cluster state
kube-schedulerControl PlaneAssigns pods to nodes
kube-controller-managerControl PlaneRuns reconciliation control loops
cloud-controller-managerControl PlaneManages cloud-provider integrations
kubeletWorker NodeNode agent — manages pods on the node
kube-proxyWorker NodeManages network rules for Services
Container RuntimeWorker NodeActually runs the containers (containerd, CRI-O)
kubectlClientCLI to interact with the cluster

🔗 Further Reading

← Previous: 06 - Kubernetes Features

🎉 Congratulations! You’ve completed Module 1 — Introduction to Kubernetes. You now understand what Kubernetes is, why it exists, and how it is architecturally structured. In the next module, we’ll set up a local Kubernetes cluster and deploy your first application!