Home > DevSecOps

Kubernetes Architecture

Kubernetes architecture defines how containerized applications are deployed, scheduled, networked, scaled, and secured across distributed nodes. Understanding this architecture is essential before applying DevSecOps controls, since every security layer in Kubernetes depends on how the control plane, worker nodes, networking, volumes, and cluster components communicate.

Kubernetes Cluster Overview

A Kubernetes cluster consists of two major layers:

Control Plane – the brain of the cluster
Worker Nodes – machines that run your applications

Each layer contains components that coordinate scheduling, networking, storage, workload orchestration, and health checks. The architecture is fully API-driven.

Kubernetes architecture is declarative. You define the desired state, and Kubernetes continuously ensures the actual state matches it.

Control Plane Components

The control plane manages the entire cluster. It makes all decisions such as scheduling pods, maintaining cluster state, and handling API requests.

API Server

The API Server is the entry point for all interactions. Every command, kubectl action, CI pipeline request, controller action, and automation tool communicates with the API server.

It handles:

• authentication
• authorization
• admission control
• resource validation
• request routing

It is the heart of Kubernetes operations.

etcd

etcd is the cluster’s key-value store. It holds:

• all cluster data
• workloads
• secrets (if not externalized)
• configurations
• events

If etcd is compromised or corrupted, the entire cluster is at risk.

Scheduler

The scheduler decides where pods run. It assigns pods to worker nodes based on:

• resource availability
• taints and tolerations
• affinity/anti-affinity
• constraints
• node health

It ensures workload distribution and optimal resource usage.

Controller Manager

The controller manager runs controllers that monitor the cluster’s desired state. Examples include:

• node controller
• replica controller
• deployment controller
• service controller

Each controller constantly reconciles the actual state with the desired state defined in manifests.

Cloud Controller Manager

Separates cloud provider logic from core Kubernetes. It manages:

• load balancers
• storage provisioning
• cloud routes
• cloud-specific node lifecycle

Used mainly in public cloud clusters.

Worker Node Architecture

Worker nodes run actual application containers. Each node contains a runtime, networking components, and local agents.

Kubelet

Kubelet is the node agent. It:

• registers the node with the API server
• ensures containers are running
• executes pod specs
• reports node status

Kubelet enforces the desired state at the node level.

Container Runtime

Container runtimes run the containers. Kubernetes supports:

• containerd
• CRI-O
• Docker (deprecated for direct use)

The runtime creates and manages container processes.

Kube-Proxy

Kube-proxy handles network routing. It:

• manages virtual IPs
• forwards cluster traffic
• maintains service-to-pod connectivity

Implements iptables or IPVS rules to route traffic.

Node Exporter / Metrics Agents

Nodes often have extra agents that collect:

• metrics
• logs
• health data

Used by DevSecOps monitoring pipelines.

Pod and Workload Architecture

Pods are the smallest deployable units. They contain one or more containers sharing:

• network namespace
• storage volumes
• resources

Higher-level objects manage pods:

• Deployments
• StatefulSets
• DaemonSets
• CronJobs

These controllers ensure scaling and lifecycle management.

Kubernetes Networking Architecture

Kubernetes networking is a flat, cluster-wide network. Core principles:

• every pod gets its own IP
• pods can talk to each other without NAT
• services expose stable endpoints
• ingress exposes apps externally

Components include:

• CNI plugin (Calico, Flannel, Cilium)
• Services (ClusterIP, NodePort, LoadBalancer)
• Ingress controllers
• NetworkPolicies

Network security heavily depends on CNI behavior and NetworkPolicies.

Kubernetes Storage Architecture

Applications need persistent data. Kubernetes handles storage using:

• PersistentVolumes
• PersistentVolumeClaims
• StorageClasses
• dynamic provisioning

Backends include:

• EBS
• GCE Persistent Disk
• Azure Disk
• NFS
• Ceph
• local drives

Storage security is critical for sensitive workloads.

Kubernetes Security Model

Security layers include:

• API server authentication
• RBAC authorization
• admission controllers
• Pod Security Standards
• runtime security on nodes
• network segmentation
• secrets encryption
• image security

Security spans both cluster architecture and application layers.

Kubernetes Deployment Flow

A typical flow:

  1. CI pipeline builds container images

  2. Image stored in registry

  3. CD pipeline applies manifests

  4. API server validates and stores them

  5. Scheduler assigns pods

  6. Kubelet runs containers

  7. Cluster self-heals when failures occur

Every step is influenced by control plane and node architecture.

Full-Length Practical Section

Hands-on Kubernetes architecture exercises.

Practical 1: View Control Plane Components

Check API server, scheduler, controllers:

kubectl get componentstatuses

Observe health of core components.

Practical 2: Inspect etcd Data

Access etcd pod (in managed clusters you cannot):

etcdctl get / --prefix --keys-only

Understand Kubernetes state storage.

Practical 3: View Node Information

kubectl get nodes -o wide
kubectl describe node <node>

Inspect kubelet version, runtimes, conditions, taints.

Practical 4: Inspect Pod Networking

Deploy a pod:

kubectl run test --image=busybox -- sleep 3600

Check pod IP:

kubectl get pod -o wide

Practical 5: Inspect Service Networking

Create service:

kubectl expose pod test --port 80 --target-port 80

List service details:

kubectl describe svc test

See cluster routing.

Practical 6: Inspect Ingress Controller Setup

kubectl get ingressclass
kubectl get pods -n ingress-nginx

Understand external routing.

Practical 7: Inspect CNI Plugin

kubectl get pods -n kube-system

Identify Calico/Cilium/Flannel.

Practical 8: Debug Pod-to-Pod Connectivity

kubectl exec -it test -- ping <another-pod-ip>

Confirms flat network.

Practical 9: List All Controllers Running

kubectl get deploy -n kube-system

Observe core cluster controllers.

Practical 10: Inspect Scheduler Decisions

Enable scheduler logs or events:

kubectl describe pod <scheduled-pod>

Shows why a pod was placed on a node.

Practical 11: View Control Plane Logs

On self-managed clusters:

journalctl -u kubelet
journalctl -u kube-apiserver

Observe decision-making.

Practical 12: Inspect Pod Storage Architecture

Create PersistentVolumeClaim:

kubectl apply -f pvc.yaml

View bindings:

kubectl get pv
kubectl get pvc

Practical 13: Examine Admission Controllers

Check API server flags:

kubectl api-resources

Enable Pod Security Admission for testing.

Practical 14: Analyze Deployment Controller Behavior

Scale Deployment:

kubectl scale deploy app --replicas=5

Observe rolling updates.

Practical 15: Inspect Node Resource Usage

kubectl top node
kubectl top pod

View resource allocation.

Practical 16: Understand Failover

Kill pod:

kubectl delete pod test

Observe automatic recreation.

Practical 17: Understand Kubelet Pod Lifecycle

Describe pod conditions:

kubectl describe pod test

View provisioning, scheduling, running lifecycle.

Practical 18: Inspect Runtime Logs

If using containerd:

crictl ps
crictl logs <container-id>

Understand runtime behavior.

Practical 19: Deploy Multi-Container Pod

apiVersion: v1
kind: Pod
...
containers:
  - name: app
  - name: sidecar

Observe shared volume and network.

Practical 20: Build Full Kubernetes Architecture Understanding

Map all architecture layers:

• API server
• etcd
• controllers
• scheduler
• kubelet
• container runtime
• kube-proxy
• CNI plugin
• ingress
• storage classes
• workload controllers

This forms the foundation of Kubernetes DevSecOps.

Intel Dump

• Kubernetes architecture consists of control plane and worker nodes
• API server handles all cluster operations
• etcd stores all cluster state
• scheduler assigns pods to nodes
• controllers enforce desired state
• kubelet runs containers
• kube-proxy manages service networking
• pods run on CNI-based flat network
• storage architecture supports PV/PVC/StorageClasses
• practicals demonstrated cluster inspection, networking, scheduling, controllers, CNI, and storage fundamentals

HOME LEARN COMMUNITY DASHBOARD