Nerd Level Tech logo
Lesson 14 of 24

Kubernetes & Container Orchestration

Kubernetes Architecture Deep Dive

4 min read

Understanding K8s architecture is essential for any DevOps/SRE interview. Let's explore every component.

Control Plane Components

┌─────────────────── Control Plane ───────────────────┐
│                                                      │
│  ┌──────────────┐  ┌──────────────┐                │
│  │ kube-apiserver│  │    etcd      │                │
│  └──────────────┘  └──────────────┘                │
│                                                      │
│  ┌──────────────┐  ┌──────────────┐                │
│  │ kube-scheduler│ │kube-controller│                │
│  │               │  │   -manager   │                │
│  └──────────────┘  └──────────────┘                │
│                                                      │
└──────────────────────────────────────────────────────┘

kube-apiserver

The front door to Kubernetes:

ResponsibilityDetails
API endpointAll K8s communication goes through it
AuthenticationValidates user/service identity
AuthorizationRBAC policy enforcement
Admission controlMutating and validating webhooks
etcd communicationOnly component that talks to etcd

etcd

Distributed key-value store for all cluster data:

# etcd stores everything:
# - Pod definitions
# - Service configurations
# - Secrets
# - ConfigMaps
# - Cluster state

# Check etcd health (if you have access)
etcdctl endpoint health
etcdctl endpoint status

Interview question: "What happens if etcd goes down?"

Answer: The cluster becomes read-only. Running workloads continue, but no changes can be made. This is why etcd should be highly available (odd number of nodes: 3, 5, 7).

kube-scheduler

Decides which node runs each pod:

Scheduling steps:

  1. Filtering: Exclude nodes that can't run the pod
    • Insufficient resources
    • Node selectors don't match
    • Taints not tolerated
  2. Scoring: Rank remaining nodes
    • Resource balance
    • Pod affinity/anti-affinity
    • Data locality
  3. Binding: Assign pod to highest-scored node

kube-controller-manager

Runs controller loops:

ControllerWhat It Manages
Node ControllerNode health, evictions
Deployment ControllerReplicaSets, rolling updates
ReplicaSet ControllerPod count maintenance
Service ControllerLoadBalancer provisioning
Endpoints ControllerService endpoint updates

Node Components

┌─────────────────── Worker Node ─────────────────────┐
│                                                      │
│  ┌──────────────┐  ┌──────────────┐                │
│  │   kubelet    │  │  kube-proxy  │                │
│  └──────────────┘  └──────────────┘                │
│                                                      │
│  ┌──────────────────────────────────┐              │
│  │     Container Runtime (containerd)│              │
│  │  ┌─────┐ ┌─────┐ ┌─────┐        │              │
│  │  │ Pod │ │ Pod │ │ Pod │        │              │
│  │  └─────┘ └─────┘ └─────┘        │              │
│  └──────────────────────────────────┘              │
│                                                      │
└──────────────────────────────────────────────────────┘

kubelet

The node agent:

# kubelet responsibilities:
# - Registers node with cluster
# - Watches API for pod assignments
# - Starts/stops containers via CRI
# - Reports node and pod status
# - Executes liveness/readiness probes

# Check kubelet logs
journalctl -u kubelet -f

kube-proxy

Network proxy on each node:

ModeHow It WorksUse Case
iptablesCreates iptables rulesDefault, most clusters
IPVSUses kernel IPVSHigh-scale clusters
userspaceLegacy, userspace proxyDeprecated
# Check kube-proxy mode
kubectl get configmap kube-proxy -n kube-system -o yaml | grep mode

API Request Flow

kubectl apply → API Server → Authentication → Authorization
            Admission Controllers (mutating → validating)
                  etcd
            Controller notices change
            Scheduler assigns to node
            kubelet on node starts pod

Interview Questions

Q: "Walk me through what happens when you run kubectl create deployment nginx --image=nginx"

  1. kubectl sends POST to /apis/apps/v1/namespaces/default/deployments
  2. API server authenticates (kubeconfig) and authorizes (RBAC)
  3. Admission controllers process (mutate, validate)
  4. Deployment object stored in etcd
  5. Deployment controller sees new deployment, creates ReplicaSet
  6. ReplicaSet controller sees new RS, creates Pod objects
  7. Scheduler sees unscheduled pods, assigns to nodes
  8. kubelet on target node sees assigned pod
  9. kubelet tells containerd to pull image and start container
  10. kubelet reports pod status back to API server

Q: "How does Kubernetes achieve high availability?"

ComponentHA Strategy
etcdOdd number cluster (3, 5, 7), Raft consensus
API serverMultiple replicas behind load balancer
ControllersLeader election (only one active)
SchedulerLeader election (only one active)
NodesMultiple, workloads spread across

Q: "What's the difference between a Deployment and a StatefulSet?"

FeatureDeploymentStatefulSet
Pod namesRandom suffixOrdered (pod-0, pod-1)
ScalingParallelSequential
StorageShared or nonePer-pod PVC
Network identityRandomStable DNS names
Use caseStateless appsDatabases, Kafka

Next, we'll cover workloads and networking in Kubernetes. :::

Quick check: how does this lesson land for you?

Quiz

Module 4: Kubernetes & Container Orchestration

Take Quiz
FREE WEEKLY NEWSLETTER

Stay on the Nerd Track

One email per week — courses, deep dives, tools, and AI experiments.

No spam. Unsubscribe anytime.