Rakesh's Brain

Kubernetes Architecture

7 min read

Kubernetes Architecture

The definitive breakdown of how Kubernetes clusters work — Control Plane (brain), Worker Nodes (muscle), and the communication flows between them. Critical for the ~25% “Cluster Architecture” CKA domain.

The Two Halves of a Cluster

HalfRoleAnalogy
Control PlaneMakes global decisions, detects & responds to cluster eventsThe brain
Worker NodesRuns the actual application containersThe muscle
┌─────────────────────────────────────────────────────────────┐
│                    Control Plane (Brain)                     │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐   │
│  │ kube-       │  │   etcd      │  │ kube-controller-    │   │
│  │ apiserver   │  │ (Data Store)│  │ manager             │   │
│  │ (Front Door)│  │             │  │ (State Reconciler)  │   │
│  └──────┬──────┘  └──────┬──────┘  └─────────────────────┘   │
│         │                │                                   │
│         │         ┌──────┴──────┐                            │
│         │         │ kube-       │                            │
│         │         │ scheduler   │                            │
│         │         │ (Assigner)  │                            │
│         │         └─────────────┘                            │
│         │                                                     │
│         │    ┌─────────────────────────────┐                 │
│         │    │ cloud-controller-manager    │                 │
│         │    │ (Cloud Provider Bridge)     │                 │
│         │    └─────────────────────────────┘                 │
└─────────┼───────────────────────────────────────────────────┘
          │
          │ REST API + etcd watch streams
          │
┌─────────┼───────────────────────────────────────────────────┐
│         │              Worker Nodes (Muscle)                 │
│  ┌──────▼──────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │   kubelet   │  │  kube-proxy │  │ Container Runtime   │  │
│  │  (Node Agent)│  │ (Network)   │  │ (containerd/CRI-O)  │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
│                                                               │
│  ┌─────────────────────────────────────────────────────────┐  │
│  │                    Pods (Workloads)                      │  │
│  │  ┌─────────┐  ┌─────────┐  ┌─────────┐                 │  │
│  │  │Container│  │Container│  │Container│  ...             │  │
│  │  │   1     │  │   2     │  │   3     │                 │  │
│  │  └─────────┘  └─────────┘  └─────────┘                 │  │
│  └─────────────────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────────────────┘

Control Plane Components (The Brain)

1. kube-apiserver (API Server)

AttributeDetail
RoleFront door and gatekeeper of the cluster
What It DoesValidates all requests (auth, authz, admission), serves the REST API, is the only component that writes to etcd
ScalingCan be horizontally scaled behind a load balancer for HA
CKA Exam RelevanceIf API Server is down → cluster is frozen. You must know how to check its status and certificates.

Key Exam Commands:

kubectl get componentstatuses  # Check control plane health
kubectl get --raw /healthz     # API Server health endpoint

2. etcd

AttributeDetail
RoleDistributed, consistent key-value store for all cluster data
What It StoresAll Kubernetes objects (pods, nodes, config maps, secrets, RBAC, events)
ConsistencyRaft consensus algorithm — requires majority (quorum) for writes
CKA Exam RelevanceBackup (etcdctl snapshot save) and restore (etcdctl snapshot restore) are guaranteed exam tasks.

Key Exam Commands:

ETCDCTL_API=3 etcdctl snapshot save snapshot.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

3. kube-scheduler

AttributeDetail
RoleWatches for unscheduled pods and assigns them to the best node
Scheduling FactorsResource requests/limits, taints/tolerations, affinity/anti-affinity, node conditions, data locality
ExtensibilityCustom schedulers can be written and specified per-pod via schedulerName
CKA Exam RelevanceYou may need to configure PriorityClass, PodTopologySpread, or debug why a pod is stuck Pending.

4. kube-controller-manager

AttributeDetail
RoleRuns continuous controller loops that reconcile actual state with desired state
Key ControllersNode Lifecycle, Replication, Endpoints, Service Account & Token, Deployment, StatefulSet
What It DoesIf a pod dies → creates replacement. If a node fails → marks NotReady and reschedules pods.
CKA Exam RelevanceUnderstand that controllers are the “automation” behind Kubernetes self-healing.

5. cloud-controller-manager

AttributeDetail
RoleBridges Kubernetes with cloud-provider APIs (AWS, GCP, Azure)
What It ManagesCloud load balancers, storage volumes (EBS, GCE PD), node routes, node lifecycle in cloud
CKA Exam RelevanceOn-prem clusters often lack this. Managed clusters (EKS, GKE, AKS) rely on it heavily.

Worker Node Components (The Muscle)

1. kubelet

AttributeDetail
RoleNode agent — registers the node, reports status, ensures pods are running
What It DoesReceives PodSpecs from API Server, instructs Container Runtime to create/maintain/destroy containers
HealthIf kubelet stops → node becomes NotReady; existing pods keep running but no new ones scheduled
CKA Exam RelevanceDebugging NotReady nodes often starts with checking kubelet: systemctl status kubelet, journalctl -u kubelet

2. kube-proxy

AttributeDetail
RoleNetwork proxy — maintains network rules for Service-to-Pod communication
Implementationiptables mode (default) or IPVS mode (better performance at scale)
What It DoesRoutes traffic hitting a Service IP to one of the healthy backend pods
CKA Exam RelevanceIf Services aren’t routing → check kube-proxy logs and iptables/IPVS rules.

3. Container Runtime

AttributeDetail
RoleActually creates and runs containers
CRI StandardKubernetes speaks to runtimes via the Container Runtime Interface
Common Runtimescontainerd (default in modern clusters), CRI-O (Red Hat), Docker (deprecated as direct runtime)
CKA Exam RelevanceUse crictl to inspect containers when docker CLI doesn’t work. crictl ps, crictl logs, crictl exec.

Communication Flows

Creating a New Pod (User Request)

1. User runs: kubectl apply -f pod.yaml
         │
         ▼
2. kubectl sends YAML to kube-apiserver
         │
         ▼
3. API Server validates, writes PodSpec to etcd
         │
         ▼
4. kube-scheduler watches etcd, sees unscheduled pod
         │
         ▼
5. Scheduler selects best node, writes node assignment back to etcd
         │
         ▼
6. API Server notifies kubelet on selected node
         │
         ▼
7. kubelet instructs Container Runtime to pull image and create container
         │
         ▼
8. Container Runtime reports status back to kubelet → API Server → etcd
         │
         ▼
9. kube-proxy updates iptables rules so Service can route to new pod

Self-Healing When a Pod Dies

1. kubelet detects container exited (via runtime health checks)
         │
         ▼
2. kubelet reports pod status to API Server → etcd
         │
         ▼
3. kube-controller-manager (Replication Controller) sees mismatch:
         desired replicas = 3, actual running = 2
         │
         ▼
4. Controller creates replacement pod spec, writes to etcd
         │
         ▼
5. Scheduler assigns new pod to available node
         │
         ▼
6. kubelet creates replacement container
         │
         ▼
7. kube-proxy updates iptables rules so Service routes to new pod
         │
         ▼
8. Cluster returns to desired state (3 replicas running)

Service Routing Note: When the replacement Pod gets a new IP, the Endpoints controller automatically updates the Service’s backend list. kube-proxy then programs new iptables rules so traffic to the Service IP is forwarded to the new Pod. Clients using the Service never notice the change. Source: CKA Day 9

Default Namespaces and Component Placement

Kubernetes automatically creates four Namespaces on cluster bootstrap. The Control Plane components themselves run as Pods (in most modern installations) inside the kube-system Namespace:

ComponentNamespaceNotes
kube-apiserverkube-systemStatic Pod or DaemonSet on control plane nodes
etcdkube-systemEither stacked (Pod) or external to cluster
kube-schedulerkube-systemStatic Pod on control plane nodes
kube-controller-managerkube-systemStatic Pod on control plane nodes
kube-proxykube-systemDaemonSet running on every node
CoreDNSkube-systemDeployment providing cluster DNS

Exam Trap: When asked to “list all pods in the cluster,” remember that kubectl get pods only shows the default Namespace. Use kubectl get pods -A or kubectl get pods --all-namespaces to see system components in kube-system. Source: CKA Day 10

Pods vs. Containers

AspectDocker ContainerKubernetes Pod
Unit of DeploymentSingle containerOne or more containers
NetworkingIsolated (by default)Shared IP, shared port space; containers talk via localhost
StorageIsolated volumesShared volumes between containers
LifecycleManaged by Docker daemonManaged by kubelet + controllers
ScalingManualManaged by ReplicaSet/Deployment

Key Insight: You almost never create bare Pods in production. You create Deployments that manage ReplicaSets that manage Pods.

High Availability (HA) Control Plane

For production clusters, the Control Plane must survive node failures:

ComponentHA Strategy
kube-apiserverMultiple instances behind a load balancer
etcd3+ nodes in a Raft cluster (tolerates (n-1)/2 failures)
kube-schedulerMultiple instances, only one active leader at a time (leader election)
kube-controller-managerMultiple instances, only one active leader

CKA Tip: The exam typically uses a single control plane node, but you must understand HA concepts for real-world operations.

Sources

Tags: kubernetes k8s-architecture control-plane worker-nodes cka devops etcd kubelet kube-apiserver

Graph View

Latest Blog Posts

  • Loading posts...
Read more on Medium →

Backlinks