Kubernetes Overview Diagrams

Kubernetes Architecture

reads from / 
writes to

API server

tracking state of all cluster components and managing interactions between them

watches for changes

Controller Manager

runs all built-in controllers, like Node or Replication Controller r r%3CmxGraphModel%3E%3Croot%3E%3CmxCell%20id%3D%220%22%2F%3E%3CmxCell%20id%3D%221%22%20parent%3D%220%22%2F%3E%3CmxCell%20id%3D%222%22%20value%3D%22%26lt%3Bb%26gt%3BCluster%20DNS%26lt%3B%2Fb%26gt%3B%22%20style%3D%22rounded%3D1%3BwhiteSpace%3Dwrap%3Bhtml%3D1%3BlabelBorderColor%3Dnone%3BstrokeColor%3D%232875E2%3BstrokeWidth%3D2%3Bshadow%3D1%3B%22%20vertex%3D%221%22%20parent%3D%221%22%3E%3CmxGeometry%20x%3D%22180%22%20y%3D%22570%22%20width%3D%22145%22%20height%3D%2290%22%20as%3D%22geometry%22%2F%3E%3C%2FmxCell%3E%3C%2Froot%3E%3C%2FmxGraphModel%3E runru

etcd

key value store for all cluster configuration data

Scheduler

distributes unscheduled workloads across the available worker nodes

  talks to

watches for changes

Cloud Controller Manager*

runs cloud controller processes that take care of e.g. 
Load Balancer endpoint or Storage volume allocation

watches for changes

Cluster DNS*

provides in-cluster DNS for Pods and Services, usually provided using CoreDNS' K8s plugin

Worker Node(s)

kubelet

manages containers based on incoming Pod specifications
%3CmxGraphModel%3E%3Croot%3E%3CmxCell%20id%3D%220%22%2F%3E%3CmxCell%20id%3D%221%22%20parent%3D%220%22%2F%3E%3CmxCell%20id%3D%222%22%20value%3D%22%26lt%3Bb%26gt%3BCluster%20DNS%26lt%3B%2Fb%26gt%3B%22%20style%3D%22rounded%3D1%3BwhiteSpace%3Dwrap%3Bhtml%3D1%3BlabelBorderColor%3Dnone%3BstrokeColor%3D%232875E2%3BstrokeWidth%3D2%3Bshadow%3D1%3B%22%20vertex%3D%221%22%20parent%3D%221%22%3E%3CmxGeometry%20x%3D%22180%22%20y%3D%22570%22%20width%3D%22145%22%20height%3D%2290%22%20as%3D%22geometry%22%2F%3E%3C%2FmxCell%3E%3C%2Froot%3E%3C%2FmxGraphModel%3E

kube-proxy

manages network connections to the node's Pods, e.g. using iptables rules

Container Runtime

runtime that implements the CRI, like CRI-O or containerd

uses

watches for

changes

Cloud provider API*

API to manage cloud (AWS, Azure, GCP, ...) resources

*

Optional Component

Control Plane

Pod

smallest K8s compute resource containing 1..n containers

Deployment

creates a ReplicaSet and takes care of rollouts and rollbacks

ReplicaSet

creates the desired amount of Pod instances

Job

creates short living Pods for one time executions

CronJob


creates Jobs based on a time schedule

StatefulSet

creates Pods while handling the needs of stateful applications

ReplicationController

predecessor of Deployment, don't use it anymore

Horizontal Pod Autoscaler

scales the number of Pods based on various metrics

DaemonSet


creates exactly one Pod per Node

Kubernetes Workload Objects

Init Container

container executing startup tasks, like e.g. database migration

Container

container with main or sidecar application

contains

Pod

exposes ports and communicates with other internal or external entities

distributes traffic to

Service

load balances traffic between a number of selected Pods

exposes

refers to

Ingress

makes a Service accessible from the outside of the cluster

Kubernetes Networking Objects

Endpoint

holds information about IP addresses of Pods and open ports they expose

Endpoint Slice

successor of Endpoint, provides functional and scalability improvements

Network Policy

allows to whitelist ingress and egress traffic from and to Pods based on IP addresses, namespaces and pods

refers to

Ingress Class

allows to specify which Ingress controller should implement an Ingress

collects endpoints of

Ingress Controller

implements specifications of Ingress resources

whitelists

traffic from / to

Cluster IP

makes the Service accessible only from within the cluster

Node Port

exposes the Service at each node's IP at a static port

Load Balancer

exposes the Service using an external load balancer

External Name

maps the service to an existing DNS FQDN

uses one of

mounts

Pod

compute unit that reads/writes from/to the filesystem

refers to

Storage Class

configuration for different types of storage, e.g Local, NFS, GlusterFs, ...

refers to

Persistent Volume

abstraction of a storage container including size and capabilities

Kubernetes Storage Objects

can be initialized from

creates

Volume Snapshot Content

a snapshot containing existing PVC
or pre-provisioned data

refers to

refers to

Volume Snapshot

requests to create a snapshot from a PVC with the given VSC

Volume Snapshot Class

same as Storage Class but for Volume Snapshots

requests part of

Persistent Volume Claim

requests storage from a PV including required amount and access mode

Storage Class Provisioner

service that creates PVs for a certain SC

mounts

emptyDir

acts as a temporary local storage during the lifespan of a Pod

ConfigMap / Secret

contains data that can be read-only mounted to a filesystem

Generic Ephemeral Volumes

creates temporary PVCs using already existing Storage Classes

(Aggregated) Cluster Role

a collection of cluster global rules

Kubernetes RBAC Objects

contains

Role

a collection of namespace scoped rules

collects rules from

Cluster Role Binding

attaches rules from one Cluster Role to Users, Groups or SAs

assigns rules to

assigns rules to

collects rules from

Role Binding

attaches rules from one Role or Cluster Role to Users, Groups or SAs

Group

a collection of Users

can be part of 1..x

User

a User that authenticates against the Kubernetes API server

uses credentials of

Pod

compute unit that can interact with the Kubernetes API server

Service Account

namespaced Kubernetes managed user that is intended to be used by in-cluster processes

Rule

Verb(s)

Get, List, ...

Resource(s)

Pod, Service, ...

Kubernetes Resource Requests and Limits

4000m
(=4 cores)
CPU

Total node capacity

Allocatable capacity

3700m

8000Mi
(= 8GB)
RAM

7400Mi

150m

300Mi

150m

300Mi

kube reserved

reserv. for sshd, init system, etc.

system reserved

reserv. for kubelet, container runtime

800m

2900Mi

Requests

Limits

2100Mi

1500m

1600Mi

800m

800Mi

600m

Pod B

Pod A

Pod C

Leftover

1000m

3000Mi

3000Mi

1800m

1700Mi

1100m

Pod B

Pod A

Pod C

Overcom-mitment

- pods' requests are being guaranteed
- overcommitment is not possible
- values used for pod scheduling

- pods will get killed / throttled when reaching limit
- on overcommitment this may occur even before that

- kubelet determines the node's CPU and memory capacity

- kubelet retains memory and CPU reservations