Back to Blog
KubernetesFeatured

Learning Kubernetes - Architecture

Learn Kubernetes basics with this clear guide to its architecture and key components — including Pods, Services, Deployments, and more. Understand how the Control Plane, Worker Nodes, and networking work together to run containerized applications at scale.

Wajahat Zia
Wajahat Zia
8/10/2025
0 views

Kubernetes (often abbreviated as K8s) is an open-source system for managing containerized applications. At a high level, a Kubernetes Cluster is made up of:

1.
Control Plane Node (often called the “Master Node”)
2.
Worker Nodes (one or many)

Each Node has a kubelet process running on it. Kubelet communicates with the API server to register the node and manage pods assigned to it.

Control Plane Node

Control Plane Node runs several necessary kubernetes processes that allow to run and manage the cluster. Some processes running on the master node:

API Server: kube-apiserver
Controller Manager: kube-controller-manager
Scheduler: kube-scheduler
Etcd

Worker Nodes

Worker nodes run your application workloads. Each node has:

kubelet
kube-proxy
Container runtime

Virtual Network

Kubernetes provides a flat network — every pod gets its own IP, and pods can communicate with each other without NAT, regardless of the node they’re on.

A Virtual Network essentially turns all the cluster’s nodes into one big machine for communication.

Kubernetes Components

1.
Pod: Abstraction of containers
2.
Service: Communication
3.
Ingress: Route traffic into cluster
4.
ConfigMap: External Configuration
5.
Secret: External Configuration
6.
Deployment: Replication
7.
StatefulSet: Replication
8.
Volumes: Data Persistence
9.
DaemonSet

Node and Pod

A Pod is the smallest deployable unit in Kubernetes and can contain one or more containers. It is an abstraction over a container. Pod allows you to create a layer over the container so you can replace the container technology (i.e. you don’t have to use Docker for your containers, you can use any other container service).

Each Pod gets its own IP address. Pods are ephemeral (can die very easily). So if a pod dies, a new pod is created in its place and gets assigned a new IP address. This sounds rather inconvenient because it seems you’ll have to change the IP address in other services to communicate with this pod if gets recreated. To overcome this inconvenience, we use a component called Service

Service and Ingress

Each group of pods is assigned its own Service (usually replica pods). Lifecycles of a pod and service and decoupled. If a pods dies, the service stays alive and vice-versa.

External Service: This allows you to connect to the pod from external sources (i.e. through a web browser)
Internal Service: This allows you to connect to the pod internally in the cluster (i.e. between two pods or nodes)

Service has 4 types:

ClusterIP (default): Internal-only access between pods.
NodePort: Exposes a service on a port of each node’s IP for external access.
LoadBalancer: Integrates with cloud providers’ load balancers for external access.
ExternalName: Maps the service to an external DNS name.

Ingress forwards external requests to internal services.

Routes external HTTP/HTTPS traffic into services inside the cluster.
Requires an Ingress Controller (e.g., NGINX, Traefik) to work.
Allows for advanced routing (e.g., /api → backend service, / → frontend service).

A Service is like a persistant static IP address and DNS name.

ConfigMap and Secret

ConfigMap is a component that allows you to assign and modify environment variables to each pod without having to rebuild the pod image. Traditionally, if you were to, lets say, change the db url, you would then have to rebuild the db image, push it to the repo and then deploy it to the pod. However with ConfigMap, all you have to do is modify the key value in ConfigMap and your db url will change accordingly.

Secret is another component that allows you to store sensitive variables. These could include username, passwords, API keys, tokens, certificates etc. Secret is just like ConfigMap but instead of storing as plain text, Secret stores data as base64 encoded format. This is still insecure so we use third party tools to encrypt the secrets and then store them as base64.

Data is base64-encoded by default (not encryption).
Kubernetes can be configured to encrypt secrets at rest, and third-party tools (like HashiCorp Vault, SOPS) are often used for extra security.

Volume

A Volume attaches a physical storage to your pod. The storage could be on your local machine or a remote storage such as cloud storage which is an external reference to your storage. K8 cluster does not manage data persistance. So its our job to manage data outside of a k8 cluster.

Attaches storage to pods.
Can be local or from external storage providers (AWS EBS, GCP Persistent Disk, NFS, etc.).
PersistentVolume (PV) and PersistentVolumeClaim (PVC) provide abstraction over the actual storage.

Deployment and StatefulSet

Deployment is a component which acts like a blueprint for setting up replicas for pods. In practice, we work with Deployments rather than pods directly. Each replica is connected to the same service. For example, if we have a node with an app pod and database pod. We create two replicas of the node. Now for both the nods, both app pods are connected to the same service and database pods are connected to the same service.

However, there is a flaw in this approach. App pods are stateless and hence accessing and performing an action on any app pod is fine. For the database pods, that is not the case. Database pods are stateful pods. Clones of database are accessing shared volumes for data. We’ll have to manage how which pods are writing to the storage or reading from the storage to prevent data inconsistencies. For this we have StatefulSet component

StatefulSet components should be used for stateful pods. We would ideally use StatefulSets for databases rather than Deployments. A point to consider, deploying databases using StatefulSets is cumbersome and we usually practice hosting database outside of our cluster for simplicity.

DaemonSet

Ensures a copy of a pod runs on every node (or selected nodes).
Common for logging, monitoring, and node-level agents.

Kubernetes Configuration

All configuration goes through the master node via the API Server Container. This request is in the form of yaml or json format.

3 Parts of a K8 configuration file

1.
metadata – Identifiers like name, labels.
2.
spec – Desired state.
3.
status – Current state (managed by Kubernetes).
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
 name: backend-deployment
 labels: ...
spec:
 replicas: 2
 selector: ...
 template: ...
Example of a YAML Configuration File

YAML files are strict indentation. Indentations in the yaml file matter and not having proper indentation can lead to incorrect configuration.

We usually store the config file with our code in the code repo.

Summary

ComponentPurpose
PodSmallest deployable unit
ServiceStable networking for pods
IngressHTTP/S routing into the cluster
ConfigMapNon-sensitive configuration
SecretSensitive configuration
VolumeData persistence
DeploymentStateless workloads
StatefulSetStateful workloads
DaemonSetRun pods on all nodes
KubernetesArchitecture