Kubernetes Lesson 4 – Kubernetes Architecture | Dataplexa

Kubernetes Course

I. Kubernetes Fundamentals
1. What is Kubernetes 2. Why Kubernetes is Needed 3. Kubernetes vs Docker 4. Kubernetes Architecture 5. Master Node Components 6. Worker Node Components 7. Kubernetes Objects Overview 8. Pods Explained 9. ReplicaSets 10. Deployments 11. Services Overview 12. Cluster Networking Basics 13. kubectl Introduction 14. Kubernetes YAML Basics 15. First Kubernetes Deployment
II. Core Kubernetes Concepts
16. Pod Lifecycle 17. Labels and Selectors 18. Namespaces 19. ConfigMaps 20. Secrets 21. Environment Variables 22. Resource Requests and Limits 23. Health Checks 24. Scaling Applications 25. Rolling Updates 26. Rollbacks 27. Kubernetes Volumes 28. Persistent Volumes 29. Persistent Volume Claims 30. StatefulSets
III. Networking, Ingress & Security
31. Kubernetes Networking Deep Dive 32. ClusterIP, NodePort, LoadBalancer 33. Ingress Controllers 34. Ingress Rules 35. DNS in Kubernetes 36. Network Policies 37. RBAC Introduction 38. Roles and RoleBindings 39. Service Accounts 40. Security Contexts 41. Pod Security Policies 42. Secrets Management Best Practices 43. Image Pull Secrets 44. TLS in Kubernetes 45. Kubernetes Security Best Practices
IV. Advanced, Cloud & Operations
46. Kubernetes Scheduling 47. Taints and Tolerations 48. Node & Pod Affinity 49. Horizontal Pod Autoscaler 50. Vertical Pod Autoscaler 51. Cluster Autoscaling 52. Kubernetes Logging 53. Kubernetes Monitoring 54. Helm Introduction 55. Helm Charts 56. Kubernetes Upgrades 57. Backup and Restore 58. Kubernetes Troubleshooting 59. Kubernetes on AWS (EKS) 60. Mini Project
Kubernetes Fundamentals · Lesson 4

Kubernetes Architecture

Every time you deploy an app to Kubernetes, a whole chain of components springs into action — talking to each other, making decisions, moving containers around machines. This lesson pulls back the curtain on all of it. By the end, you'll be able to draw the architecture from memory.

Start With the Big Picture

A Kubernetes cluster is a group of machines working together as one. Some machines are in charge — they make all the decisions. Others just do the work — they run your application containers. We call these two groups the Control Plane and the Worker Nodes.

Think of it like a company. The control plane is head office — strategy, decisions, monitoring. Worker nodes are the branch offices — they just execute the work that head office assigns them.

Kubernetes Cluster — Full Architecture
YOU
kubectl commands
Control Plane — The Brain
🚪
API Server
Front door. All requests go through here first.
🗄️
etcd
The cluster's memory. Stores everything.
📅
Scheduler
Decides which node runs each Pod.
🔁
Controller Manager
Watches reality. Fixes any drift from desired state.
Worker Node 1
kubelet
kube-proxy
Container Runtime
Pods Running
payment-api
auth-svc
redis
Worker Node 2
kubelet
kube-proxy
Container Runtime
Pods Running
payment-api
frontend
notif-svc
postgres
Worker Node 3
kubelet
kube-proxy
Container Runtime
Pods Running
frontend
analytics

Now let's go through every component in that diagram and understand exactly what it does — in plain English, with no glossing over anything.

The Control Plane — Four Components, One Brain

The control plane is the decision-making layer of Kubernetes. In a managed cluster (like EKS on AWS or GKE on Google Cloud) you never even see these machines — the cloud provider runs them for you. In a self-managed cluster, they live on a dedicated set of servers that you never deploy your application containers onto.

🚪
API Server
kube-apiserver

The API Server is the single entry point for everything in Kubernetes. Every single request — from you running a kubectl command, from the scheduler placing a Pod, from the controller manager checking state — goes through the API Server first.

It's a REST API. When you type kubectl get pods, kubectl is really making an HTTP GET request to the API Server. The API Server authenticates your request, checks if you have permission to do it, and then reads from or writes to etcd.

The real-world way to think about it: It's the receptionist of a secure building. Everyone has to sign in through the front desk — no back doors, no sneaking in. The receptionist checks your ID, checks whether you're allowed to go to that floor, and only then buzzes you through.
🗄️
etcd
Distributed key-value store

etcd (pronounced "et-see-dee") is the cluster's single source of truth. Every piece of state in your Kubernetes cluster — every Pod, every Deployment, every ConfigMap, every Service, every node — is stored as a key-value pair inside etcd.

Only the API Server talks to etcd directly. No other component is allowed to read or write to it — they all have to go through the API Server. This keeps etcd consistent and protected.

etcd is distributed, which means it typically runs as a cluster of three or five nodes itself. If one of them fails, the others can still serve reads and elect a new leader. Losing etcd without a backup means losing your entire cluster's state — which is why backing up etcd is one of the most important operational habits you'll learn in Lesson 57.

The real-world way to think about it: It's the company's filing system. Every contract, every employee record, every decision ever made — all stored here. The API Server is the only person with a key to the filing room.
📅
Scheduler
kube-scheduler

The Scheduler has one job: when a new Pod needs to run, the Scheduler decides which worker node it goes on. It looks at each Pod's resource requirements (how much CPU and memory it needs), checks which nodes have enough spare capacity, considers any rules you've set (like "this Pod must run in a specific zone"), and then assigns the Pod to the best available node.

Importantly, the Scheduler doesn't start the Pod. It just writes the assignment into etcd via the API Server. The kubelet on the chosen node notices this assignment and actually starts the container.

The real-world way to think about it: It's a hospital bed coordinator. When a new patient arrives needing a specific type of room, the coordinator checks which wards have the right beds available, which rooms match the patient's needs, and assigns them — but a nurse actually wheels the patient to the room.
🔁
Controller Manager
kube-controller-manager

The Controller Manager runs a collection of background processes called controllers. Each controller watches a specific type of Kubernetes object and makes sure reality matches what you declared. The most important ones are:

ReplicaSet Controller
You said "run 3 copies." If one crashes, this controller notices and asks the scheduler to create a replacement.
Node Controller
Watches the health of all nodes. If a node stops responding for 5 minutes, it marks its Pods for rescheduling.
Deployment Controller
Manages rolling updates — replaces old Pods with new ones gradually, one at a time.
Endpoints Controller
Keeps the list of healthy Pod IPs behind each Service up to date so traffic only goes to live containers.
The real-world way to think about it: It's the quality control team on a factory floor. They walk the floor constantly checking that every workstation has the right number of workers, all machinery is running, and every output matches the spec. If something's off — they fix it.

The Worker Nodes — Three Components Each

Every worker node — whether you have two of them or two hundred — runs exactly three components. These are the agents that let the control plane manage the node remotely and actually run your containers.

🤝
kubelet
The node agent

The kubelet is the main agent that runs on every worker node. It's the only control plane component that runs on worker nodes rather than the dedicated control plane machines.

The kubelet watches the API Server for any Pods that have been assigned to its node. When it sees a new assignment, it tells the container runtime (containerd or Docker) to pull the image and start the container. It then monitors the container's health, reports back to the API Server regularly, and restarts containers that fail their health checks.

If the kubelet on a node stops responding, the control plane assumes that node is dead and begins rescheduling its Pods to other healthy nodes.

The real-world way to think about it: It's the shift supervisor at a branch office. Head office (control plane) sends instructions. The shift supervisor receives them, makes sure the work gets done, and phones in status reports every few minutes.
🔀
kube-proxy
Network rules manager

kube-proxy runs on every node and maintains the network rules that allow Pods to communicate with each other across the cluster — and allow traffic from outside the cluster to reach your Pods.

When you create a Kubernetes Service (a stable address for a group of Pods), kube-proxy sets up routing rules on every node so that any Pod on any node can reach that Service. It also handles load balancing — spreading traffic across all the healthy Pods behind a Service.

In modern clusters, kube-proxy often works using iptables or ipvs rules in the Linux kernel — it's doing all of this at a very low level, which is what makes it fast.

The real-world way to think about it: It's the telephone switchboard operator on every floor of the building. When a call comes in for the payments team, the switchboard routes it to whichever payments rep is free — no matter which desk they're sitting at.
📦
Container Runtime
containerd / CRI-O / Docker Engine

The container runtime is the software that actually pulls container images and starts containers on the node. The kubelet tells it what to do — the runtime does the low-level work of creating isolated processes, setting up the filesystem, and managing network namespaces.

Most clusters today use containerd. It's lightweight, fast, and purpose-built for this job. You as a developer rarely interact with it directly — the kubelet handles that layer.

The real-world way to think about it: It's the actual machinery on the factory floor. The kubelet (supervisor) tells it what to produce, and the runtime just builds it. No opinions, no decisions — pure execution.

How It All Flows Together — A Real Request

Let's trace what actually happens from the moment you type a command to the moment your container is running. This is the full internal journey:

You run: kubectl apply -f payment-deployment.yaml
kubectl converts the YAML file into a REST API request and sends it to the API Server over HTTPS.
API Server authenticates and validates the request
It checks: Are you allowed to create Deployments? Is the YAML valid? If yes — it writes the Deployment object into etcd and responds "created."
Controller Manager notices the new Deployment
The Deployment Controller sees the new object in etcd. It creates a ReplicaSet, which in turn creates 3 Pod objects — all in etcd, none running yet. They're just intentions at this point.
Scheduler assigns each Pod to a node
The Scheduler sees 3 unscheduled Pods. It checks each node's available CPU and memory, picks the best fit for each Pod, and writes the node assignment into etcd. Still no containers running.
kubelet on each assigned node sees its new Pod
Each kubelet is constantly watching the API Server for new Pods assigned to its node. It sees the assignment, tells containerd to pull the image from the registry, and starts the container.
Container Runtime pulls the image and starts the container
containerd downloads the image, creates an isolated container process, sets up its filesystem and network interface, and starts it. The container is now running.
kubelet reports back — Pod is Running
The kubelet sends a status update to the API Server: "Pod payment-api-7d4b9c8f6-x2p9k is now Running." That status gets written to etcd and you can see it when you run kubectl get pods.
The key insight about how Kubernetes works

Notice that at no point did any component directly tell another component what to do in real time. Every component just watches the API Server (which reads from etcd) and reacts to what it sees. The Scheduler doesn't call the kubelet. The kubelet doesn't call containerd and wait for confirmation. They all independently watch for their piece of the puzzle.

This pattern is called level-triggered reconciliation — each component continuously checks "is reality matching what etcd says it should be?" and takes action when it's not. This is what makes Kubernetes resilient — any component can crash and restart without losing state, because the state lives in etcd, not in the components themselves.

Quick Reference — All Seven Components

Component Lives on One-line job
API Server Control Plane Front door for all requests — authenticates, validates, reads/writes etcd
etcd Control Plane Stores the entire cluster state — the single source of truth
Scheduler Control Plane Assigns new Pods to the most suitable worker node
Controller Manager Control Plane Watches desired state vs real state — fixes any gaps continuously
kubelet Worker Node Receives Pod assignments and makes the container runtime start them
kube-proxy Worker Node Manages network routing rules so Pods can talk to each other
Container Runtime Worker Node Pulls images and actually starts and stops containers on the node
The thing most beginners miss about Kubernetes architecture

A lot of people learn the component names and think they understand the architecture. The deeper insight is this: Kubernetes never directly issues commands. It stores intentions in etcd, and every component independently acts to make reality match those intentions. There's no central orchestrator barking orders in real time.

This is why Kubernetes is so resilient. You can lose the Scheduler, restart it, and it just picks up where it left off. You can lose the Controller Manager and restart it — same thing. Even if the entire control plane goes offline temporarily, all the containers already running on worker nodes keep running. The kubelet doesn't need the control plane to keep existing containers alive — it only needs it to receive new instructions.

Practice Questions

Write from memory — the architecture diagram is there to help you build a mental map, not just look at.

1. Which component stores the entire state of a Kubernetes cluster — every Pod, every Service, every Deployment — and is the single source of truth?



2. Which component runs on every worker node, watches for new Pod assignments, and tells the container runtime to start containers?



3. A new Pod has been created but isn't running yet — it's just stored in etcd. Which control plane component decides which worker node it should run on?



Knowledge Check

Pick the best answer.

1. You declared 3 replicas of your app. One Pod crashes. What happens next inside Kubernetes?


2. Which components are allowed to read and write directly to etcd?


3. The control plane goes offline for 10 minutes due to a network issue. What happens to containers already running on worker nodes?


Up Next · Lesson 5

Master Node Components

We zoom right in on the control plane and go deep on each component — how they're configured, how they fail, and how to keep them healthy in production.

← Previous Course Index Next →