01-Kubernetes Architecture Deep Dive

What is Kubernetes?

Kubernetes (K8s) is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. Originally developed by Google and now maintained by the Cloud Native Computing Foundation (CNCF), Kubernetes provides a robust framework for running distributed systems resiliently.

Key Capabilities:

  • Container Orchestration: Manages containers across multiple hosts
  • Self-Healing: Automatically restarts failed containers and reschedules them
  • Auto-Scaling: Scales applications based on resource utilization
  • Load Balancing: Distributes network traffic across containers
  • Rolling Updates: Enables zero-downtime deployments
  • Service Discovery: Automatically assigns DNS names and IPs to services
  • Storage Orchestration: Mounts storage systems of your choice
  • Secret & Configuration Management: Manages sensitive information securely

Kubernetes Architecture Overview

Kubernetes follows a master-worker architecture (also called control plane-worker node architecture). The cluster consists of:

  1. Control Plane: The brain of the cluster that manages the cluster state
  2. Worker Nodes: Machines that run your containerized applications

┌──────────────────────────────────────────────────────────────────────────────┐
│                     CONTROL PLANE                                            │
│  ┌──────────────┐  ┌──────┐  ┌───────────┐  ┌────────────┐                   │
│  │  API Server  │  │ etcd │  │ Scheduler │  │ Controller │                   │
│  │              │  │      │  │           │  │  Manager   │                   │
│  └──────────────┘  └──────┘  └───────────┘  └────────────┘                   │
└──────────────────────────────────────────────────────────────────────────────┘
                              │
                              │ (Control)
                              │
        ┌─────────────────────┼─────────────────────┐
        │                     │                     │
┌───────▼────────┐    ┌───────▼────────┐    ┌──────▼─────────┐
│  Worker Node 1 │    │  Worker Node 2 │    │  Worker Node 3 │
│  ┌──────────┐  │    │  ┌──────────┐  │    │  ┌──────────┐  │
│  │ kubelet  │  │    │  │ kubelet  │  │    │  │ kubelet  │  │
│  │kube-proxy│  │    │  │kube-proxy│  │    │  │kube-proxy│  │
│  │Container │  │    │  │Container │  │    │  │Container │  │
│  │ Runtime  │  │    │  │ Runtime  │  │    │  │ Runtime  │  │
│  └──────────┘  │    │  └──────────┘  │    │  └──────────┘  │
│   [PODs]       │    │   [PODs]       │    │   [PODs]       │
└────────────────┘    └────────────────┘    └────────────────┘

Control Plane Components

The Control Plane makes global decisions about the cluster (like scheduling) and detects and responds to cluster events. It can run on any machine in the cluster, but typically runs on dedicated master nodes for high availability.

1. kube-apiserver

Role: The front-end of the Kubernetes control plane and the primary management point for the cluster.

Detailed Functions:

  • RESTful API Gateway: Exposes Kubernetes API that all other components interact with
  • Authentication & Authorization: Validates and authorizes all API requests
  • Admission Control: Enforces policies and mutates/validates objects before persistence
  • API Request Handler: Processes REST operations (GET, POST, PUT, DELETE, PATCH)
  • Only Component that Talks to etcd: All cluster state modifications go through API server

Example Interaction:

# When you run:
kubectl create deployment nginx --image=nginx

# The API server:
# 1. Authenticates your request
# 2. Authorizes based on RBAC rules
# 3. Validates the deployment specification
# 4. Stores the deployment spec in etcd
# 5. Notifies watchers (scheduler, controller manager)

How it Works:

kubectl → API Server → Authentication → Authorization → Admission Controllers → etcd
  1. Receives request from kubectl.
  2. Authenticates the user.
  3. Checks authorization and RBAC permissions.
  4. Validates the request object.
  5. Runs Admission Controllers for additional checks/modifications.
  6. Stores the Deployment object in etcd.
  7. Exposes APIs for other Kubernetes components.
  8. Sends updated cluster information to:
     • Controller Manager
     • Scheduler
     • Kubelet
  9. Receives status updates from cluster components.
  10. Returns response/status back to kubectl.
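
The request pipeline above, as an added example that is not part of the original article: a toy kube-apiserver that authenticates a token, checks an RBAC-style binding, runs mutating then validating admission, and only then writes to an in-memory stand-in for etcd. The tokens, bindings, admission policy and key layout are constructed for illustration.

```python
# Added example (not from the original article): a toy model of the kube-apiserver
# request pipeline: authenticate -> authorize (RBAC) -> mutate -> validate -> persist.
# Tokens, role bindings, the admission policy and the in-memory ETCD dict are constructed.
import copy

TOKENS = {"tok-dev": "alice", "tok-ci": "ci-bot"}                # constructed credentials
ROLE_BINDINGS = {                                                # user -> allowed (verb, resource)
    "alice":  {("get", "deployments"), ("create", "deployments")},
    "ci-bot": {("get", "deployments")},
}
ETCD = {}                                                        # stand-in for the key-value store

def authenticate(token):
    user = TOKENS.get(token)
    if user is None:
        raise PermissionError("401 Unauthorized: unknown token")
    return user

def authorize(user, verb, resource):
    if (verb, resource) not in ROLE_BINDINGS.get(user, set()):
        raise PermissionError(f"403 Forbidden: {user} cannot {verb} {resource}")

def mutating_admission(obj):
    """Mutating admission runs first and fills in defaults before validation."""
    obj = copy.deepcopy(obj)
    obj.setdefault("metadata", {}).setdefault("namespace", "default")
    obj.setdefault("spec", {}).setdefault("replicas", 1)
    return obj

def validating_admission(obj):
    """Validating admission runs last and rejects objects that break a (constructed) policy."""
    for c in obj["spec"].get("containers", []):
        if ":" not in c["image"] or c["image"].endswith(":latest"):
            raise ValueError(f"admission denied: image {c['image']} must be pinned to a tag")
    if obj["spec"]["replicas"] < 1:
        raise ValueError("admission denied: replicas must be at least 1")

def handle_request(token, verb, resource, obj):
    """Run one request through the pipeline. Returns (ok, etcd_key_or_error)."""
    try:
        user = authenticate(token)
        authorize(user, verb, resource)
        obj = mutating_admission(obj)
        validating_admission(obj)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)
    key = f"/registry/{resource}/{obj['metadata']['namespace']}/{obj['metadata']['name']}"
    ETCD[key] = obj                                              # only the API server writes here
    return True, key
```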

Key Characteristics:

  1. Stateless and horizontally scalable
  2. Listens on port 6443 (HTTPS) by default
  3. All component communication flows through API server (hub-and-spoke model)
  4. Implements watch mechanism for real-time updates

2. etcd

Role: Distributed key-value store that serves as Kubernetes’ backing store for all cluster data.

Detailed Functions:

  • Cluster State Database: Stores the entire cluster state and configuration
  • Source of Truth: The only persistent storage in the cluster
  • Configuration Storage: Stores all resource definitions (Pods, Services, ConfigMaps, etc.)
  • Distributed Consensus: Uses Raft consensus algorithm for consistency

What’s Stored in etcd:

  • Cluster configuration and metadata
  • Resource specifications (Deployments, Services, ConfigMaps, Secrets)
  • Current state of all resources
  • Network policies and RBAC rules
  • Node information and health status

Key Characteristics:

  • Strongly consistent and highly available
  • Requires odd number of nodes (3, 5, 7) for quorum
  • Listens on port 2379 for client requests
  • Port 2380 for peer communication
  • Regular backups are critical (disaster recovery)

3. kube-scheduler

Role: The kube-scheduler is responsible for deciding on which worker node a Pod should run. It continuously watches the Kubernetes API Server for newly created Pods that do not yet have a node assigned. When it finds an unscheduled Pod, it checks all available worker nodes in the cluster and evaluates them based on factors such as CPU, memory, resource availability, taints and tolerations, affinity rules, and other scheduling policies. After comparing the nodes, the scheduler selects the most suitable worker node for the Pod and updates this assignment through the API Server. Once the Pod is assigned, the kubelet on that worker node starts creating and running the container.

Detailed Functions:

  • Pod Placement: Decides which node should run each Pod
  • Resource Optimization: Balances resource utilization across nodes
  • Constraint Evaluation: Considers requirements, policies, and affinities
  • Scoring Mechanism: Ranks suitable nodes and picks the best one

Scheduler Workflow:

  1. Watch API server for unscheduled Pods (nodeName == "")
  2. Filter nodes based on constraints
  3. Score remaining nodes
  4. Select highest-scoring node
  5. Bind Pod to node via API server
  6. API server updates Pod spec with nodeName
  7. kubelet on selected node creates containers

How it Works?

  1. Watches for newly created Pods without assigned nodes.
  2. Detects unscheduled Pods from the API Server.
  3. Checks available worker nodes in the cluster.
  4. Evaluates nodes based on:
     • CPU
     • Memory
     • Resource availability
     • Taints and tolerations
     • Affinity rules
  5. Selects the most suitable worker node.
  6. Assigns the Pod to that node.
  7. Updates the node assignment information through the API Server.
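
The filter, score and bind steps above in miniature, as an added example that is not part of the original article: nodes are filtered on free resources, taints/tolerations and required node affinity, survivors are scored least-allocated (as the default scheduler does), and the winner is written into the Pod as nodeName. The node inventory and Pod specs are constructed.

```python
# Added example (not from the original article): one kube-scheduler cycle in miniature:
# filter nodes on free resources, taints/tolerations and required node affinity, score the
# survivors (least-allocated, as the default scheduler does), then "bind" by setting nodeName.
# Node inventory and Pod specs are constructed; CPU is in millicores, memory in MiB.

NODES = [
    {"name": "node-1", "cpu": 2000, "cpu_used": 1500, "mem": 4096,  "mem_used": 1024,
     "taints": set(), "labels": {"zone": "a"}},
    {"name": "node-2", "cpu": 4000, "cpu_used": 3600, "mem": 8192,  "mem_used": 0,
     "taints": set(), "labels": {"zone": "b"}},
    {"name": "node-3", "cpu": 8000, "cpu_used": 0,    "mem": 16384, "mem_used": 0,
     "taints": {"dedicated=gpu"}, "labels": {"zone": "a"}},
]

def filter_nodes(pod, nodes):
    """Filtering phase: keep only nodes that can run the Pod at all."""
    fit = []
    for n in nodes:
        if n["cpu"] - n["cpu_used"] < pod["cpu"] or n["mem"] - n["mem_used"] < pod["mem"]:
            continue                                   # not enough free CPU or memory
        if n["taints"] - pod.get("tolerations", set()):
            continue                                   # some taint is not tolerated
        if any(n["labels"].get(k) != v for k, v in pod.get("affinity", {}).items()):
            continue                                   # required node affinity not met
        fit.append(n)
    return fit

def score_node(pod, node):
    """Scoring phase: 0-100, higher when the node would be left with more spare capacity."""
    cpu_spare = (node["cpu"] - node["cpu_used"] - pod["cpu"]) / node["cpu"]
    mem_spare = (node["mem"] - node["mem_used"] - pod["mem"]) / node["mem"]
    return int(100 * (cpu_spare + mem_spare) / 2)

def schedule(pod, nodes=NODES):
    """Pick a node and record it as the Pod's nodeName; None leaves the Pod Pending."""
    feasible = filter_nodes(pod, nodes)
    if not feasible:
        return None
    best = max(feasible, key=lambda n: (score_node(pod, n), n["name"]))
    pod["nodeName"] = best["name"]                     # the bind the API server would persist
    best["cpu_used"] += pod["cpu"]                     # scheduler cache assumes the Pod is placed
    best["mem_used"] += pod["mem"]
    return best["name"]
```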

4. kube-controller-manager

Role: The kube-controller-manager is responsible for maintaining the desired state of the Kubernetes cluster. It continuously watches the API Server for changes in cluster objects such as Deployments, Pods, Nodes, and ReplicaSets. When it detects a difference between the desired state and the actual state, it takes corrective action automatically.

Detailed Functions:

  • State Reconciliation: Continuously monitors and corrects cluster state
  • Multiple Controllers: Runs various controllers as separate processes
  • Watch-Act Loop: Watches API server for changes and takes corrective actions

How it Works?

  1. Continuously watches the API Server for cluster changes.
  2. Compares desired state with actual cluster state.
  3. Creates missing resources automatically.
  4. Ensures required number of Pods are running.
  5. Recreates Pods if any Pod fails or gets deleted.
  6. Manages Deployments, ReplicaSets, Nodes, Jobs, and Endpoints.
  7. Detects node failures and takes corrective actions.
  8. Maintains overall cluster health and desired state.
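
The watch-act loop above for one controller, as an added example that is not part of the original article: a toy ReplicaSet controller compares the desired replica count with the Pods that actually match its selector, replaces failed Pods and creates or deletes Pods until the two agree. The ReplicaSet, Pod records and generated names are constructed.

```python
# Added example (not from the original article): the watch-act loop of a ReplicaSet
# controller inside kube-controller-manager, in miniature. It compares the desired replica
# count with the Pods that actually exist and creates or deletes Pods until they match.
# The ReplicaSet, Pod records and generated Pod names are constructed.
import itertools

_suffix = itertools.count(1)            # stand-in for the random suffix Kubernetes appends

def reconcile(replicaset, pods):
    """One reconciliation pass. Mutates `pods` in place and returns the actions taken."""
    desired = replicaset["spec"]["replicas"]
    selector = replicaset["spec"]["selector"]
    # Only Pods whose labels match the selector count toward the desired state.
    owned = [p for p in pods if selector.items() <= p["labels"].items()]
    healthy = [p for p in owned if p["phase"] in ("Pending", "Running")]
    actions = []
    # A failed Pod is not repaired: it is removed and a replacement is created below.
    for p in owned:
        if p not in healthy:
            pods.remove(p)
            actions.append(f"delete {p['name']} (phase {p['phase']})")
    diff = desired - len(healthy)
    for _ in range(max(diff, 0)):                       # scale up: create the missing Pods
        name = f"{replicaset['metadata']['name']}-{next(_suffix)}"
        pods.append({"name": name, "labels": dict(selector), "phase": "Pending"})
        actions.append(f"create {name}")
    for p in healthy[:max(-diff, 0)]:                   # scale down: delete surplus Pods
        pods.remove(p)
        actions.append(f"delete {p['name']} (surplus)")
    return actions
```

Running the pass a second time on the same input returns no actions, which is the property a controller must have: reconciliation converges and is safe to repeat.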

5. cloud-controller-manager (Optional)

Role: The Cloud Controller Manager is responsible for integrating Kubernetes with cloud platforms such as Amazon Web Services, Microsoft Azure, and Google Cloud. It communicates with the cloud provider APIs to manage cloud resources automatically. It handles tasks such as creating and managing load balancers, attaching storage volumes, managing node information, and checking the status of cloud instances.

Example: When you create a Kubernetes Service of type LoadBalancer, the Cloud Controller Manager automatically requests the cloud provider to create an external load balancer and connects it to the Kubernetes Service. It lets Kubernetes interact with cloud infrastructure without embedding cloud-specific code inside the core Kubernetes components.

Detailed Functions:

  • Node Controller: Updates node information from cloud provider
  • Route Controller: Configures routes in cloud network
  • Service Controller: Creates/deletes cloud load balancers for LoadBalancer Services
  • Volume Controller: Creates, attaches, and mounts cloud volumes

How it Works?

  1. Connects Kubernetes with cloud platforms like Amazon Web Services, Microsoft Azure, and Google Cloud.
  2. Communicates with cloud provider APIs.
  3. Creates external resources for the cluster:
     • Creates and manages external Load Balancers.
     • Manages cloud-based storage volumes.
     • Retrieves node and instance information from the cloud platform.
     • Monitors cloud node status.
  4. Updates Kubernetes about cloud resource changes.
  5. Separates cloud-specific operations from core Kubernetes components.

Worker Node Components

Worker nodes are the machines that run containerized applications. Each node contains the necessary services to run Pods and is managed by the control plane.

1. kubelet

Role: The kubelet is an agent that runs on every worker node in the Kubernetes cluster. Its main job is to ensure that the containers defined in the Pod specifications are running properly on that node. It continuously communicates with the Kubernetes API Server and watches for Pods assigned to its node. When a Pod is assigned, the kubelet pulls the required container image, asks the container runtime such as containerd or Docker to create and start the container, and monitors the health of the Pod. It also sends regular status updates like Pending, Running, or Failed back to the API Server. If a container crashes, the kubelet tries to restart it according to the Pod configuration.

Detailed Functions:

  • Pod Lifecycle Management: Creates, starts, stops, and monitors containers
  • Node Registration: Registers node with API server
  • Health Monitoring: Reports node and Pod status to control plane
  • Resource Management: Enforces resource limits and requests
  • Volume Management: Mounts volumes into containers

How it Works?

  1. Runs on every worker node.
  2. Communicates with the Kubernetes API Server.
  3. Watches for Pods assigned to its node.
  4. Pulls required container images.
  5. Instructs container runtime to create and start containers.
  6. Monitors Pod and container health.
  7. Restarts failed containers if needed.
  8. Sends Pod status updates to the API Server.
  9. Ensures Pods are running as defined in the Pod specification.

2. kube-proxy

Role: The kube-proxy is a network component that runs on every worker node in a Kubernetes cluster. Its main job is to manage network communication for Kubernetes Services. It watches the Kubernetes API Server for Service and Endpoint changes and creates networking rules on the node using iptables or IPVS. These rules help route incoming traffic to the correct backend Pods. When a user or application accesses a Service IP, kube-proxy forwards the request to one of the available Pods behind that Service using load balancing. It enables communication between Pods, Services, and external clients inside the Kubernetes cluster.

Detailed Functions:

  • Service Abstraction: Implements Kubernetes Service concept
  • Load Balancing: Distributes traffic across Pod replicas
  • Network Rules Management: Creates iptables/IPVS rules
  • Cluster Networking: Enables Pod-to-Pod and external communication

How kube-proxy Works:

  1. Runs on every worker node.
  2. Watches Services and Endpoints from the API Server.
  3. Creates networking rules using iptables or IPVS.
  4. Routes traffic to the correct backend Pods.
  5. Provides load balancing between Pods.
  6. Enables communication between Services and Pods.
  7. Manages cluster network traffic flow.
  8. Allows external and internal access to Kubernetes Services.
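
The rule generation and load balancing described above, as an added example that is not part of the original article: it shows the iptables rules kube-proxy's iptables mode programs for one Service and its Endpoints (a jump from KUBE-SERVICES, a per-Service chain of probabilistic jumps, and per-endpoint DNAT chains), and simulates how the kernel walks that chain so that connections spread evenly. Addresses are constructed and the chain suffixes are simplified (real kube-proxy derives them from a hash of the Service name).

```python
# Added example (not from the original article): how kube-proxy's iptables mode turns a
# Service and its Endpoints into DNAT rules, and how a packet to the ClusterIP is spread
# across backends. Addresses are constructed; chain suffixes are simplified (real kube-proxy
# derives them from a hash of the Service name).
import random

def build_rules(service, endpoints):
    """Return the iptables rules (as strings) kube-proxy would program for this Service."""
    match = f"-d {service['clusterIP']}/32 -p tcp --dport {service['port']}"
    if not endpoints:
        # A Service with no ready Endpoints is rejected rather than silently black-holed.
        return [f"-A KUBE-SERVICES {match} -j REJECT"]
    svc = f"KUBE-SVC-{service['name'].upper()}"
    rules = [f"-A KUBE-SERVICES {match} -j {svc}"]
    n = len(endpoints)
    for i, (ip, port) in enumerate(endpoints):
        sep = f"KUBE-SEP-{service['name'].upper()}-{i}"
        jump = f"-A {svc}"
        if i < n - 1:   # every endpoint but the last is picked with probability 1/remaining
            jump += f" -m statistic --mode random --probability {1 / (n - i):.5f}"
        rules.append(f"{jump} -j {sep}")
        rules.append(f"-A {sep} -p tcp -j DNAT --to-destination {ip}:{port}")
    return rules

def pick_backend(endpoints, rng):
    """Evaluate the KUBE-SVC chain in order, as the kernel does, for one new connection."""
    n = len(endpoints)
    for i in range(n - 1):
        if rng.random() < 1 / (n - i):
            return endpoints[i]
    return endpoints[-1]          # last rule has no statistic match: it catches the rest

def distribution(endpoints, connections=9000, seed=7):
    """Count how many connections land on each backend; each should receive about 1/n."""
    rng = random.Random(seed)
    counts = {ep: 0 for ep in endpoints}
    for _ in range(connections):
        counts[pick_backend(endpoints, rng)] += 1
    return counts

SERVICE = {"name": "web", "clusterIP": "10.96.0.10", "port": 80}      # constructed Service
ENDPOINTS = [("10.244.1.5", 8080), ("10.244.2.9", 8080), ("10.244.3.2", 8080)]
```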

3. Container Runtime

Role: Software responsible for running containers on the node.

Detailed Functions:

  • Container Lifecycle: Pull images, create, start, stop, delete containers
  • Image Management: Store and manage container images
  • Resource Isolation: Use namespaces and cgroups
  • Networking: Set up container network interfaces

Container Runtime Interface (CRI):

  • Standard API for container runtimes
  • kubelet uses CRI to communicate with runtime
  • Allows pluggable runtimes

Supported Runtimes:

a) containerd:

  • Industry-standard runtime
  • CNCF graduated project
  • Default in Kubernetes 1.24+
  • Lightweight and efficient
  • Used by Docker Desktop

b) CRI-O:

  • Lightweight runtime specifically for Kubernetes
  • OCI-compliant
  • Optimized for Kubernetes workloads

c) Docker Engine (deprecated):

  • Uses dockershim (removed in K8s 1.24)
  • Must use cri-dockerd adapter now
  • Still widely used but not recommended

This architecture enables Kubernetes to manage thousands of containers across hundreds of nodes while maintaining high availability and reliability.