# Fundamentals

> Fundamental concepts, architecture, and core components of Kubernetes container orchestration platform.

## 📋 Table of Contents

* [🏗️ Architecture Overview](#architecture-overview)
* [🔧 Key Components](#key-components)
* [📦 Objects & Resources](#objects--resources)
* [🔄 Control Loops](#control-loops)
* [🌐 Networking Model](#networking-model)
* [📁 Storage Model](#storage-model)
* [🔒 Security Model](#security-model)

***

## 🏗️ Architecture Overview

### **Master-Worker Architecture**

Kubernetes mengikuti arsitektur **master-worker** dengan komponen-komponen utama:

```
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Control Plane │    │    Worker Nodes │    │   External      │
│                 │    │                 │    │   Components    │
│ ┌─────────────┐ │    │ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │ API Server  │ │◄──►│ │  kubelet    │ │◄──►│ │    kubectl   │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    │ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │   etcd      │ │    │ │ kube-proxy  │ │    │ │    Helm     │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    │ ┌─────────────┐ │    │ ┌─────────────┐ │
│ │Scheduler    │ │    │ │ Containers  │ │    │ │   Cloud UI   │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
│ ┌─────────────┐ │    └─────────────────┘    └─────────────────┘
│ │ Controller  │ │
│ │ Manager     │ │
│ └─────────────┘ │
└─────────────────┘
```

### **Control Plane Components**

| Component              | Fungsi             | Deskripsi                                                       |
| ---------------------- | ------------------ | --------------------------------------------------------------- |
| **API Server**         | Central Management | Entry point untuk semua interaksi, validasi, dan authentication |
| **etcd**               | Data Store         | Distributed key-value store untuk menyimpan cluster state       |
| **Scheduler**          | Pod Placement      | Menentukan node yang tepat untuk setiap pod                     |
| **Controller Manager** | State Management   | Monitor dan maintain cluster state melalui controller loops     |

### **Worker Node Components**

| Component             | Fungsi           | Deskripsi                                                   |
| --------------------- | ---------------- | ----------------------------------------------------------- |
| **kubelet**           | Node Agent       | Interface antara control plane dan node, manages containers |
| **kube-proxy**        | Network Proxy    | Handle network routing dan load balancing untuk services    |
| **Container Runtime** | Container Engine | Run containers (Docker, containerd, CRI-O)                  |

***

## 🔧 Key Components

### **API Server**

**Fungsi Utama:**

* Central management point untuk semua Kubernetes operations
* Validation dan authentication dari semua requests
* Provides RESTful API untuk external tools (kubectl, UI, etc.)

**Key Features:**

* **Authentication**: Membuat siapa yang mengakses cluster
* **Authorization**: Menentukan apa yang boleh dilakukan
* **Admission Control**: Validasi dan mutation dari requests
* **Audit Logging**: Track semua API calls

**Example Request Flow:**

```
kubectl run nginx --image=nginx
         ↓
    API Server
         ↓ (validate + authenticate)
    etcd (store)
         ↓ (notify)
    Scheduler
         ↓ (assign node)
    kubelet (create pod)
         ↓ (update status)
    etcd (update state)
```

### **etcd**

**Fungsi Utama:**

* Distributed consistent key-value store
* Single source of truth untuk cluster state
* Handles configuration data, service state, secrets

**Key Properties:**

* **Consistent**: Guarantees consistent data across cluster
* **Available**: High availability through clustering
* **Partition-tolerant**: Continues operating during network partitions
* **Secure**: TLS encryption, RBAC, authentication

**Data Structure:**

```
/registry/
├── pods/
│   ├── default/
│   │   ├── nginx-xyz123
│   │   └── app-abc456
│   └── kube-system/
├── services/
├── deployments/
├── configmaps/
└── secrets/
```

### **Scheduler**

**Fungsi Utama:**

* Watch untuk newly created pods dengan no assigned node
* Selects optimal node untuk pod berdasarkan requirements
* Uses multiple scheduling algorithms dan fitur

**Scheduling Process:**

1. **Filter**: Eliminate nodes yang tidak memenuhi requirements
2. **Score**: Rank remaining nodes berdasarkan preferences
3. **Bind**: Assign pod ke highest-scoring node

**Scheduling Factors:**

* Resource requests (CPU, memory, storage)
* Node constraints (taints, labels, affinity)
* Pod constraints (affinity, anti-affinity)
* Quality of Service requirements
* Data locality, network topology

### **Controller Manager**

**Fungsi Utama:**

* Runs multiple controller processes
* Maintains desired state melalui control loops
* Handles various aspects of cluster management

**Built-in Controllers:**

* **Node Controller**: Monitor node health, handle failures
* **Replication Controller**: Maintains correct replica count
* **Endpoint Controller**: Populates endpoint objects
* **Service Account Controller**: Manages service accounts
* **Namespace Controller**: Manages namespace lifecycle

**Control Loop Pattern:**

```
1. Observe current state (GET from API Server)
2. Compare with desired state
3. Take corrective actions (POST/PUT/DELETE to API Server)
4. Repeat
```

***

## 📦 Objects & Resources

### **Workload Resources**

#### **Pod**

* **Definition**: Smallest deployable unit dalam Kubernetes
* **Purpose**: Satu atau lebih containers yang share storage dan network
* **Lifecycle**: Ephemeral, dapat di-recreate kapan saja

**Pod Characteristics:**

* Shared network namespace (IP address, ports)
* Shared storage (volumes)
* Unique ID dalam cluster
* Can have multiple containers
* Ephemeral nature

**Use Cases:**

* Single container applications
* Multi-container applications (main + sidecar)
* Batch jobs
* Initialization containers

#### **Deployment**

* **Definition**: Manages ReplicaSets untuk declarative application updates
* **Purpose**: Manages rollout strategy, scaling, dan application lifecycle
* **Features**: Rolling updates, rollbacks, scaling, pause/resume

**Deployment Workflow:**

```
Deployment → ReplicaSet → Pod → Container
```

**Key Features:**

* Declarative updates
* Rolling update strategy
* Automatic rollback
* Scaling (manual dan HPA)
* Pause/resume rollouts

#### **StatefulSet**

* **Definition**: Manages stateful applications dengan unique network identities
* **Purpose**: Deploy stateful applications yang memerlukan stable network identity
* **Features**: Stable, unique network identifiers, stable persistent storage

**StatefulSet Characteristics:**

* Predictable pod names (web-0, web-1, web-2)
* Stable network identities
* Ordered deployment and scaling
* Stable persistent storage

**Use Cases:**

* Databases (MySQL, PostgreSQL)
* Message queues (Kafka, RabbitMQ)
* Distributed systems (ZooKeeper, etcd)
* Applications requiring stable identity

#### **DaemonSet**

* **Definition**: Ensures semua (atau beberapa) node menjalankan pod copy
* **Purpose**: Deploy daemon atau background services di semua nodes
* **Features**: Automatic pod creation/deletion dengan node lifecycle

**DaemonSet Use Cases:**

* Cluster storage daemon (Ceph, GlusterFS)
* Log collection daemon (Fluentd, Logstash)
* Node monitoring daemon (Prometheus node-exporter)
* Network plugins (Calico, Flannel)

#### **Job**

* **Definition**: Creates pods yang berjalan hingga completion
* **Purpose**: Run batch jobs atau one-time tasks
* **Features**: Track completion, retry failures, parallel execution

**Job Types:**

* **Non-parallel Job**: Single pod until completion
* **Parallel Job with fixed count**: Multiple pods until specified count completes
* **Parallel Job with work queue**: Multiple pods until no work remains

#### **CronJob**

* **Definition**: Runs Jobs pada schedule (cron-like)
* **Purpose**: Scheduled tasks, backups, maintenance
* **Features**: Time-based scheduling, retry policies, concurrency control

### **Configuration Resources**

#### **ConfigMap**

* **Definition**: Stores configuration data sebagai key-value pairs
* **Purpose**: Inject configuration data ke containers
* **Features**: Environment variables, volume mounts, configuration files

**ConfigMap Usage:**

```yaml
# Environment variables
envFrom:
  - configMapRef:
      name: app-config

# Single environment variable
env:
  - name: DATABASE_URL
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: database_url

# Volume mount
volumes:
  - name: config-volume
    configMap:
      name: app-config
```

#### **Secret**

* **Definition**: Stores sensitive data (passwords, tokens, certificates)
* **Purpose**: Securely manage sensitive information
* **Features**: Base64 encoding, RBAC access control, encryption at rest

**Secret Types:**

* **Opaque**: Arbitrary key-value pairs
* **kubernetes.io/service-account-token**: Service account tokens
* **kubernetes.io/dockercfg**: Docker registry credentials
* **kubernetes.io/tls**: TLS certificate data

### **Network Resources**

#### **Service**

* **Definition**: Stable network endpoint untuk pods
* **Purpose**: Load balancing, service discovery
* **Types**: ClusterIP, NodePort, LoadBalancer, ExternalName

**Service Types:**

* **ClusterIP**: Internal service only
* **NodePort**: Expose service pada node port
* **LoadBalancer**: External load balancer (cloud provider)
* **ExternalName**: CNAME record ke external service

#### **Ingress**

* **Definition**: HTTP/HTTPS routing rules untuk services
* **Purpose**: External access, TLS termination, host-based routing
* **Features**: Path-based routing, TLS, authentication

#### **NetworkPolicy**

* **Definition**: Controls network traffic antar pods
* **Purpose**: Network security, traffic segmentation
* **Features**: Ingress/egress rules, namespace isolation

### **Storage Resources**

#### **PersistentVolume (PV)**

* **Definition**: Storage resource dalam cluster
* **Purpose**: Provide storage volumes independent of pod lifecycle
* **Types**: Local, NFS, iSCSI, cloud storage

#### **PersistentVolumeClaim (PVC)**

* **Definition**: Request untuk storage resources
* **Purpose**: User request untuk storage dengan specific requirements
* **Features**: Dynamic provisioning, access modes, storage classes

#### **StorageClass**

* **Definition**: Defines storage provisioning methods
* **Purpose**: Dynamic volume provisioning dengan different quality of service
* **Features**: Provisioners, parameters, reclaim policies

***

## 🔄 Control Loops

### **Reconciliation Loop Pattern**

Kubernetes menggunakan **reconciliation loop** pattern untuk maintain desired state:

```
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│  Desired State  │───→│  Current State  │───→│  Take Action    │
│  (Spec)         │    │  (Status)       │    │  (Reconcile)    │
└─────────────────┘    └─────────────────┘    └─────────────────┘
         ↑                                               ↓
         └───────────────────────────────────────────────┘
```

### **Example: Deployment Controller**

```go
func (dc *DeploymentController) syncDeployment(d *apps.Deployment) error {
    // 1. Get current state
    rsList, err := dc.getReplicaSetsForDeployment(d)
    if err != nil {
        return err
    }

    // 2. Compare with desired state
    newRS, oldRSs, err := dc.getAllReplicaSetsAndSyncRevision(d, rsList...)
    if err != nil {
        return err
    }

    // 3. Take corrective actions
    if err := dc.scaleReplicaSet(d, newRS, oldRSs); err != nil {
        return err
    }

    if util.IsDeploymentRollingUpdate(d) {
        return dc.rolloutRolling(d, newRS, oldRSs)
    }

    return dc.rolloutRecreate(d, newRS, oldRSs)
}
```

### **Controller Types**

| Controller                    | Responsibility                | Key Actions                                      |
| ----------------------------- | ----------------------------- | ------------------------------------------------ |
| **Deployment Controller**     | Manages deployment lifecycle  | Create/update ReplicaSets, handle rollouts       |
| **ReplicaSet Controller**     | Maintains pod replica count   | Create/delete pods based on desired replicas     |
| **StatefulSet Controller**    | Manages stateful applications | Ordered deployment, stable identity              |
| **DaemonSet Controller**      | Ensures pod per node          | Create pods on new nodes, delete on node removal |
| **Job Controller**            | Manages job completion        | Track pod completion, retry failures             |
| **CronJob Controller**        | Manages scheduled jobs        | Create Jobs on schedule, handle concurrency      |
| **Endpoint Controller**       | Manages service endpoints     | Update endpoint IPs based on pod IPs             |
| **ServiceAccount Controller** | Manages service accounts      | Create tokens, manage permissions                |
| **Namespace Controller**      | Manages namespaces            | Cleanup resources on namespace deletion          |

***

## 🌐 Networking Model

### **Kubernetes Network Requirements**

1. **All pods can communicate with all other pods without NAT**
2. **All nodes can communicate with all pods without NAT**
3. **Pod IP address is the same from all perspectives**

### **Network Architecture**

```
┌─────────────────────────────────────────────────────────────┐
│                     Kubernetes Cluster                      │
│                                                             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │    Pod A    │    │    Pod B    │    │    Pod C    │      │
│  │ 10.244.1.2  │    │ 10.244.1.3  │    │ 10.244.2.2  │      │
│  └─────────────┘    └─────────────┘    └─────────────┘      │
│         │                   │                   │          │
│         └───────────────────┼───────────────────┘          │
│                             │                              │
│                    ┌─────────────┐                         │
│                    │ kube-proxy  │                         │
│                    └─────────────┘                         │
│                             │                              │
│                    ┌─────────────┐                         │
│                    │   Service   │                         │
│                    │ 10.96.0.1   │                         │
│                    └─────────────┘                         │
└─────────────────────────────────────────────────────────────┘
```

### **Network Components**

#### **Pod Network**

* **CNI (Container Network Interface)**: Standard untuk network plugins
* **Implementations**: Calico, Flannel, Weave Net, Cilium
* **Features**: IP allocation, routing, network policies

#### **Service Network**

* **ClusterIP**: Virtual IP untuk internal services
* **kube-proxy**: Implements service routing
* **Load Balancing**: Client-side load balancing untuk pods

#### **Ingress Network**

* **Ingress Controller**: Manages external access (NGINX, Traefik)
* **TLS Termination**: SSL/TLS handling
* **Path/Host Routing**: HTTP/HTTPS routing rules

### **Service Discovery**

**DNS Resolution:**

```
service-name.namespace.svc.cluster.local
```

**Example:**

* `redis.default.svc.cluster.local` - Redis service di default namespace
* `api.kube-system.svc.cluster.local` - Kubernetes API service

**Environment Variables:**

```
REDIS_SERVICE_HOST=10.96.0.10
REDIS_SERVICE_PORT=6379
REDIS_PORT=tcp://10.96.0.10:6379
REDIS_PORT_6379_TCP=tcp://10.96.0.10:6379
```

***

## 📁 Storage Model

### **Storage Architecture**

```
┌─────────────────────────────────────────────────────────────┐
│                    Kubernetes Storage Model                   │
│                                                             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │    Pod      │    │    PVC      │    │     PV      │      │
│  │             │    │             │    │             │      │
│  │ ┌─────────┐ │    │ ┌─────────┐ │    │ ┌─────────┐ │      │
│  │ │Volume  │ │    │ │Claim   │ │    │ │Volume  │ │      │
│  │ │Mount   │ │◄───┤ │        │ │◄───┤ │        │ │      │
│  │ └─────────┘ │    │ └─────────┘ │    │ └─────────┘ │      │
│  └─────────────┘    └─────────────┘    └─────────────┘      │
│                                                             │
│  ┌─────────────┐    ┌─────────────┐                        │
│  │StorageClass │    │  Physical   │                        │
│  │             │    │   Storage   │                        │
│  └─────────────┘    └─────────────┘                        │
└─────────────────────────────────────────────────────────────┘
```

### **Volume Types**

#### **Temporary Volumes**

* **emptyDir**: Temporary storage yang created saat pod created
* **configMap**: Configuration data sebagai volume
* **secret**: Sensitive data sebagai volume
* **downwardAPI**: Pod metadata sebagai volume

#### **Persistent Volumes**

* **hostPath**: File/directory di host node
* **NFS**: Network File System
* **iSCSI**: iSCSI block storage
* **AWS EBS**: Elastic Block Store
* **GCE PD**: Google Persistent Disk
* **Azure Disk**: Azure Disk Storage

### **Access Modes**

| Access Mode          | Description                                                  | Use Case                                   |
| -------------------- | ------------------------------------------------------------ | ------------------------------------------ |
| **ReadWriteOnce**    | Volume dapat di-mount sebagai read-write oleh single node    | Single-node applications, databases        |
| **ReadOnlyMany**     | Volume dapat di-mount sebagai read-only oleh multiple nodes  | Configuration files, static content        |
| **ReadWriteMany**    | Volume dapat di-mount sebagai read-write oleh multiple nodes | Shared storage, distributed applications   |
| **ReadWriteOncePod** | Volume dapat di-mount oleh single pod (v1.22+)               | Enhanced security, single-writer workloads |

### **Storage Class Features**

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  iops: "3000"
  throughput: "125"
  encrypted: "true"
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
mountOptions:
  - debug
  - noatime
```

***

## 🔒 Security Model

### **Authentication & Authorization**

#### **Authentication Methods**

* **X.509 Client Certificates**: Default untuk service accounts
* **Bearer Tokens**: Static tokens, OIDC tokens, service account tokens
* **Authentication Plugins**: External authentication systems
* **Webhook Token Authentication**: Custom token validation

#### **Authorization Models**

* **ABAC (Attribute-Based Access Control)**: Legacy, deprecated
* **RBAC (Role-Based Access Control)**: Current standard
* **Webhook Authorization**: External authorization systems
* **Node Authorization**: Node-specific permissions

### **RBAC Fundamentals**

#### **Core Concepts**

* **Subject**: User, Group, or ServiceAccount
* **Role**: Rules untuk resources dalam namespace
* **ClusterRole**: Rules untuk resources cluster-wide
* **RoleBinding**: Bind Role ke subjects dalam namespace
* **ClusterRoleBinding**: Bind ClusterRole ke subjects cluster-wide

#### **RBAC Example**

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]
```

### **Security Contexts**

#### **Pod Security Context**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx:1.21
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
      volumeMounts:
      - name: tmp
        mountPath: /tmp
```

#### **Container Security Context**

* **runAsUser**: Run container sebagai specific user
* **runAsGroup**: Run container sebagai specific group
* **privileged**: Run container dalam privileged mode
* **capabilities**: Add/drop Linux capabilities
* **readOnlyRootFilesystem**: Mount root filesystem sebagai read-only

### **Pod Security Standards**

#### **Security Levels**

* **Privileged**: No restrictions, fully privileged
* **Baseline**: Minimal security restrictions
* **Restricted**: Strict security controls

#### **Security Controls**

* **Privilege escalation**: Prevent privilege escalation
* **Linux capabilities**: Drop unnecessary capabilities
* **SELinux/AppArmor**: Mandatory access control
* **Filesystem**: Read-only root filesystem
* **Run as non-root**: Prevent running as root user

### **Network Security**

#### **Network Policies**

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
```

#### **Service Mesh Security**

* **mTLS**: Mutual TLS authentication
* **Authorization Policies**: Service-to-service authorization
* **Network segmentation**: Isolate services based on identity

***

*📅 **Last Updated**: November 2024* *🔗 **Related**:* [*Setup & Installation*](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/catatan-seekor-devops/kubernetes/setup-installation) *|* [*Application Deployment*](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/catatan-seekor-devops/kubernetes/application-deployment) *|* [*Cheatsheets*](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/catatan-seekor-devops/kubernetes/cheatsheets)