🎯Fundamentals

Fundamental concepts, architecture, and core components of Kubernetes container orchestration platform.

📋 Table of Contents

• 🏗️ Architecture Overview

• 🔧 Key Components

• 📦 Objects & Resources

• 🔄 Control Loops

• 🌐 Networking Model

• 📁 Storage Model

• 🔒 Security Model

---

🏗️ Architecture Overview

Master-Worker Architecture

Kubernetes mengikuti arsitektur master-worker dengan komponen-komponen utama:

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Control Plane │    │    Worker Nodes │    │   External      │
│                 │    │                 │    │   Components    │
│ ┌─────────────┐ │    │ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │ API Server  │ │◄──►│ │  kubelet    │ │◄──►│ │    kubectl   │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    │ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │   etcd      │ │    │ │ kube-proxy  │ │    │ │    Helm     │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    │ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │Scheduler    │ │    │ │ Containers  │ │    │ │   Cloud UI   │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    └─────────────────┘    └─────────────────┘
│ │ Controller  │ │
│ │ Manager     │ │
│ └─────────────┘ │
└─────────────────┘

Control Plane Components

Component	Fungsi	Deskripsi
API Server	Central Management	Entry point untuk semua interaksi, validasi, dan authentication
etcd	Data Store	Distributed key-value store untuk menyimpan cluster state
Scheduler	Pod Placement	Menentukan node yang tepat untuk setiap pod
Controller Manager	State Management	Monitor dan maintain cluster state melalui controller loops

Worker Node Components

Component	Fungsi	Deskripsi
kubelet	Node Agent	Interface antara control plane dan node, manages containers
kube-proxy	Network Proxy	Handle network routing dan load balancing untuk services
Container Runtime	Container Engine	Run containers (Docker, containerd, CRI-O)

---

🔧 Key Components

API Server

Fungsi Utama:

• Central management point untuk semua Kubernetes operations

• Validation dan authentication dari semua requests

• Provides RESTful API untuk external tools (kubectl, UI, etc.)

Key Features:

• Authentication: Membuat siapa yang mengakses cluster

• Authorization: Menentukan apa yang boleh dilakukan

• Admission Control: Validasi dan mutation dari requests

• Audit Logging: Track semua API calls

Example Request Flow:

kubectl run nginx --image=nginx
         ↓
    API Server
         ↓ (validate + authenticate)
    etcd (store)
         ↓ (notify)
    Scheduler
         ↓ (assign node)
    kubelet (create pod)
         ↓ (update status)
    etcd (update state)

etcd

Fungsi Utama:

• Distributed consistent key-value store

• Single source of truth untuk cluster state

• Handles configuration data, service state, secrets

Key Properties:

• Consistent: Guarantees consistent data across cluster

• Available: High availability through clustering

• Partition-tolerant: Continues operating during network partitions

• Secure: TLS encryption, RBAC, authentication

Data Structure:

/registry/
├── pods/
│   ├── default/
│   │   ├── nginx-xyz123
│   │   └── app-abc456
│   └── kube-system/
├── services/
├── deployments/
├── configmaps/
└── secrets/

Scheduler

Fungsi Utama:

• Watch untuk newly created pods dengan no assigned node

• Selects optimal node untuk pod berdasarkan requirements

• Uses multiple scheduling algorithms dan fitur

Scheduling Process:

1. Filter: Eliminate nodes yang tidak memenuhi requirements

2. Score: Rank remaining nodes berdasarkan preferences

3. Bind: Assign pod ke highest-scoring node

Scheduling Factors:

• Resource requests (CPU, memory, storage)

• Node constraints (taints, labels, affinity)

• Pod constraints (affinity, anti-affinity)

• Quality of Service requirements

• Data locality, network topology

Controller Manager

Fungsi Utama:

• Runs multiple controller processes

• Maintains desired state melalui control loops

• Handles various aspects of cluster management

Built-in Controllers:

• Node Controller: Monitor node health, handle failures

• Replication Controller: Maintains correct replica count

• Endpoint Controller: Populates endpoint objects

• Service Account Controller: Manages service accounts

• Namespace Controller: Manages namespace lifecycle

Control Loop Pattern:

1. Observe current state (GET from API Server)
2. Compare with desired state
3. Take corrective actions (POST/PUT/DELETE to API Server)
4. Repeat

---

📦 Objects & Resources

Workload Resources

Pod

• Definition: Smallest deployable unit dalam Kubernetes

• Purpose: Satu atau lebih containers yang share storage dan network

• Lifecycle: Ephemeral, dapat di-recreate kapan saja

Pod Characteristics:

• Shared network namespace (IP address, ports)

• Shared storage (volumes)

• Unique ID dalam cluster

• Can have multiple containers

• Ephemeral nature

Use Cases:

• Single container applications

• Multi-container applications (main + sidecar)

• Batch jobs

• Initialization containers

Deployment

• Definition: Manages ReplicaSets untuk declarative application updates

• Purpose: Manages rollout strategy, scaling, dan application lifecycle

• Features: Rolling updates, rollbacks, scaling, pause/resume

Deployment Workflow:

Deployment → ReplicaSet → Pod → Container

Key Features:

• Declarative updates

• Rolling update strategy

• Automatic rollback

• Scaling (manual dan HPA)

• Pause/resume rollouts

StatefulSet

• Definition: Manages stateful applications dengan unique network identities

• Purpose: Deploy stateful applications yang memerlukan stable network identity

• Features: Stable, unique network identifiers, stable persistent storage

StatefulSet Characteristics:

• Predictable pod names (web-0, web-1, web-2)

• Stable network identities

• Ordered deployment and scaling

• Stable persistent storage

Use Cases:

• Databases (MySQL, PostgreSQL)

• Message queues (Kafka, RabbitMQ)

• Distributed systems (ZooKeeper, etcd)

• Applications requiring stable identity

DaemonSet

• Definition: Ensures semua (atau beberapa) node menjalankan pod copy

• Purpose: Deploy daemon atau background services di semua nodes

• Features: Automatic pod creation/deletion dengan node lifecycle

DaemonSet Use Cases:

• Cluster storage daemon (Ceph, GlusterFS)

• Log collection daemon (Fluentd, Logstash)

• Node monitoring daemon (Prometheus node-exporter)

• Network plugins (Calico, Flannel)

Job

• Definition: Creates pods yang berjalan hingga completion

• Purpose: Run batch jobs atau one-time tasks

• Features: Track completion, retry failures, parallel execution

Job Types:

• Non-parallel Job: Single pod until completion

• Parallel Job with fixed count: Multiple pods until specified count completes

• Parallel Job with work queue: Multiple pods until no work remains

CronJob

• Definition: Runs Jobs pada schedule (cron-like)

• Purpose: Scheduled tasks, backups, maintenance

• Features: Time-based scheduling, retry policies, concurrency control

Configuration Resources

ConfigMap

• Definition: Stores configuration data sebagai key-value pairs

• Purpose: Inject configuration data ke containers

• Features: Environment variables, volume mounts, configuration files

ConfigMap Usage:

# Environment variables
envFrom:
  - configMapRef:
      name: app-config

# Single environment variable
env:
  - name: DATABASE_URL
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: database_url

# Volume mount
volumes:
  - name: config-volume
    configMap:
      name: app-config

Secret

• Definition: Stores sensitive data (passwords, tokens, certificates)

• Purpose: Securely manage sensitive information

• Features: Base64 encoding, RBAC access control, encryption at rest

Secret Types:

• Opaque: Arbitrary key-value pairs

• kubernetes.io/service-account-token: Service account tokens

• kubernetes.io/dockercfg: Docker registry credentials

• kubernetes.io/tls: TLS certificate data

Network Resources

Service

• Definition: Stable network endpoint untuk pods

• Purpose: Load balancing, service discovery

• Types: ClusterIP, NodePort, LoadBalancer, ExternalName

Service Types:

• ClusterIP: Internal service only

• NodePort: Expose service pada node port

• LoadBalancer: External load balancer (cloud provider)

• ExternalName: CNAME record ke external service

Ingress

• Definition: HTTP/HTTPS routing rules untuk services

• Purpose: External access, TLS termination, host-based routing

• Features: Path-based routing, TLS, authentication

NetworkPolicy

• Definition: Controls network traffic antar pods

• Purpose: Network security, traffic segmentation

• Features: Ingress/egress rules, namespace isolation

Storage Resources

PersistentVolume (PV)

• Definition: Storage resource dalam cluster

• Purpose: Provide storage volumes independent of pod lifecycle

• Types: Local, NFS, iSCSI, cloud storage

PersistentVolumeClaim (PVC)

• Definition: Request untuk storage resources

• Purpose: User request untuk storage dengan specific requirements

• Features: Dynamic provisioning, access modes, storage classes

StorageClass

• Definition: Defines storage provisioning methods

• Purpose: Dynamic volume provisioning dengan different quality of service

• Features: Provisioners, parameters, reclaim policies

---

🔄 Control Loops

Reconciliation Loop Pattern

Kubernetes menggunakan reconciliation loop pattern untuk maintain desired state:

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│  Desired State  │───→│  Current State  │───→│  Take Action    │
│  (Spec)         │    │  (Status)       │    │  (Reconcile)    │
└─────────────────┘    └─────────────────┘    └─────────────────┘
         ↑                                               ↓
         └───────────────────────────────────────────────┘

Example: Deployment Controller

func (dc *DeploymentController) syncDeployment(d *apps.Deployment) error {
    // 1. Get current state
    rsList, err := dc.getReplicaSetsForDeployment(d)
    if err != nil {
        return err
    }

    // 2. Compare with desired state
    newRS, oldRSs, err := dc.getAllReplicaSetsAndSyncRevision(d, rsList...)
    if err != nil {
        return err
    }

    // 3. Take corrective actions
    if err := dc.scaleReplicaSet(d, newRS, oldRSs); err != nil {
        return err
    }

    if util.IsDeploymentRollingUpdate(d) {
        return dc.rolloutRolling(d, newRS, oldRSs)
    }

    return dc.rolloutRecreate(d, newRS, oldRSs)
}

Controller Types

Controller	Responsibility	Key Actions
Deployment Controller	Manages deployment lifecycle	Create/update ReplicaSets, handle rollouts
ReplicaSet Controller	Maintains pod replica count	Create/delete pods based on desired replicas
StatefulSet Controller	Manages stateful applications	Ordered deployment, stable identity
DaemonSet Controller	Ensures pod per node	Create pods on new nodes, delete on node removal
Job Controller	Manages job completion	Track pod completion, retry failures
CronJob Controller	Manages scheduled jobs	Create Jobs on schedule, handle concurrency
Endpoint Controller	Manages service endpoints	Update endpoint IPs based on pod IPs
ServiceAccount Controller	Manages service accounts	Create tokens, manage permissions
Namespace Controller	Manages namespaces	Cleanup resources on namespace deletion

---

🌐 Networking Model

Kubernetes Network Requirements

1. All pods can communicate with all other pods without NAT

2. All nodes can communicate with all pods without NAT

3. Pod IP address is the same from all perspectives

Network Architecture

┌─────────────────────────────────────────────────────────────┐
│                     Kubernetes Cluster                      │
│                                                             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │    Pod A    │    │    Pod B    │    │    Pod C    │      │
│  │ 10.244.1.2  │    │ 10.244.1.3  │    │ 10.244.2.2  │      │
│  └─────────────┘    └─────────────┘    └─────────────┘      │
│         │                   │                   │          │
│         └───────────────────┼───────────────────┘          │
│                             │                              │
│                    ┌─────────────┐                         │
│                    │ kube-proxy  │                         │
│                    └─────────────┘                         │
│                             │                              │
│                    ┌─────────────┐                         │
│                    │   Service   │                         │
│                    │ 10.96.0.1   │                         │
│                    └─────────────┘                         │
└─────────────────────────────────────────────────────────────┘

Network Components

Pod Network

• CNI (Container Network Interface): Standard untuk network plugins

• Implementations: Calico, Flannel, Weave Net, Cilium

• Features: IP allocation, routing, network policies

Service Network

• ClusterIP: Virtual IP untuk internal services

• kube-proxy: Implements service routing

• Load Balancing: Client-side load balancing untuk pods

Ingress Network

• Ingress Controller: Manages external access (NGINX, Traefik)

• TLS Termination: SSL/TLS handling

• Path/Host Routing: HTTP/HTTPS routing rules

Service Discovery

DNS Resolution:

service-name.namespace.svc.cluster.local

Example:

• redis.default.svc.cluster.local - Redis service di default namespace

• api.kube-system.svc.cluster.local - Kubernetes API service

Environment Variables:

REDIS_SERVICE_HOST=10.96.0.10
REDIS_SERVICE_PORT=6379
REDIS_PORT=tcp://10.96.0.10:6379
REDIS_PORT_6379_TCP=tcp://10.96.0.10:6379

---

📁 Storage Model

Storage Architecture

┌─────────────────────────────────────────────────────────────┐
│                    Kubernetes Storage Model                   │
│                                                             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │    Pod      │    │    PVC      │    │     PV      │      │
│  │             │    │             │    │             │      │
│  │ ┌─────────┐ │    │ ┌─────────┐ │    │ ┌─────────┐ │      │
│  │ │Volume  │ │    │ │Claim   │ │    │ │Volume  │ │      │
│  │ │Mount   │ │◄───┤ │        │ │◄───┤ │        │ │      │
│  │ └─────────┘ │    │ └─────────┘ │    │ └─────────┘ │      │
│  └─────────────┘    └─────────────┘    └─────────────┘      │
│                                                             │
│  ┌─────────────┐    ┌─────────────┐                        │
│  │StorageClass │    │  Physical   │                        │
│  │             │    │   Storage   │                        │
│  └─────────────┘    └─────────────┘                        │
└─────────────────────────────────────────────────────────────┘

Volume Types

Temporary Volumes

• emptyDir: Temporary storage yang created saat pod created

• configMap: Configuration data sebagai volume

• secret: Sensitive data sebagai volume

• downwardAPI: Pod metadata sebagai volume

Persistent Volumes

• hostPath: File/directory di host node

• NFS: Network File System

• iSCSI: iSCSI block storage

• AWS EBS: Elastic Block Store

• GCE PD: Google Persistent Disk

• Azure Disk: Azure Disk Storage

Access Modes

Access Mode	Description	Use Case
ReadWriteOnce	Volume dapat di-mount sebagai read-write oleh single node	Single-node applications, databases
ReadOnlyMany	Volume dapat di-mount sebagai read-only oleh multiple nodes	Configuration files, static content
ReadWriteMany	Volume dapat di-mount sebagai read-write oleh multiple nodes	Shared storage, distributed applications
ReadWriteOncePod	Volume dapat di-mount oleh single pod (v1.22+)	Enhanced security, single-writer workloads

Storage Class Features

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  iops: "3000"
  throughput: "125"
  encrypted: "true"
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
mountOptions:
  - debug
  - noatime

---

🔒 Security Model

Authentication & Authorization

Authentication Methods

• X.509 Client Certificates: Default untuk service accounts

• Bearer Tokens: Static tokens, OIDC tokens, service account tokens

• Authentication Plugins: External authentication systems

• Webhook Token Authentication: Custom token validation

Authorization Models

• ABAC (Attribute-Based Access Control): Legacy, deprecated

• RBAC (Role-Based Access Control): Current standard

• Webhook Authorization: External authorization systems

• Node Authorization: Node-specific permissions

RBAC Fundamentals

Core Concepts

• Subject: User, Group, or ServiceAccount

• Role: Rules untuk resources dalam namespace

• ClusterRole: Rules untuk resources cluster-wide

• RoleBinding: Bind Role ke subjects dalam namespace

• ClusterRoleBinding: Bind ClusterRole ke subjects cluster-wide

RBAC Example

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]

Security Contexts

Pod Security Context

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx:1.21
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
      volumeMounts:
      - name: tmp
        mountPath: /tmp

Container Security Context

• runAsUser: Run container sebagai specific user

• runAsGroup: Run container sebagai specific group

• privileged: Run container dalam privileged mode

• capabilities: Add/drop Linux capabilities

• readOnlyRootFilesystem: Mount root filesystem sebagai read-only

Pod Security Standards

Security Levels

• Privileged: No restrictions, fully privileged

• Baseline: Minimal security restrictions

• Restricted: Strict security controls

Security Controls

• Privilege escalation: Prevent privilege escalation

• Linux capabilities: Drop unnecessary capabilities

• SELinux/AppArmor: Mandatory access control

• Filesystem: Read-only root filesystem

• Run as non-root: Prevent running as root user

Network Security

Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432

Service Mesh Security

• mTLS: Mutual TLS authentication

• Authorization Policies: Service-to-service authorization

• Network segmentation: Isolate services based on identity

---

📅 Last Updated: November 2024 🔗 Related: Setup & Installation | Application Deployment | Cheatsheets