Kubernetes Isn’t Hard. You’re Learning It Backwards.

Share

Here’s every major Kubernetes concept, explained the way it actually happened.

Photo by Olav Ahrens Røtne on Unsplash

Most people memorize Kubernetes concepts. That’s why none of it sticks.

Every Kubernetes concept has a story, and every concept in Kubernetes exists to solve a problem.

Give me 5 minutes, and you will never forget it.

Kubernetes is beautiful. It’s a neatly crafted machine that runs the popular platforms everyone loves.

You run your app as a pod.

It crashes. Nobody restarts it. It’s just gone.

So you use a Deployment. One pod dies, another comes back. You want 3 running, it keeps 3 running.

Every pod gets a new IP when it restarts.

Another service needs to talk to your app, but the IPs keep changing. You can’t hardcode them at scale.

So you use a Service. One stable IP that always finds your pods using labels, not IPs. Pods die and come back. The Service doesn’t care.

Now you have 10 services and 10 load balancers.

Your cloud bill doesn’t care that 6 of them handle almost no traffic.

So you use Ingress. One load balancer, all services behind it, smart routing. But Ingress is just rules. Nobody executes them.

So you add an Ingress Controller. Nginx, Traefik, AWS Load Balancer Controller. Now the rules actually work.

Your app needs a config, so you hardcode it inside the container.

Wrong database in staging. Wrong API key in production. You rebuild the image every time the config changes.

So you use a ConfigMap. Config lives outside the container, injected at runtime. Same image runs in dev, staging, and prod with different configs.

But now your database password is sitting in a ConfigMap, unencrypted. Anyone with basic kubectl access can read it.

That’s not a mistake. That’s a security incident.

So you use a Secret. Sensitive data stored separately, with its own access controls. Your image never sees it.

Some days 100 users. Some days 10,000.

You manually scale to 8 pods during the spike and watch them sit idle all night. You can’t babysit your cluster forever.

So you use HPA. CPU crosses 70%, pods are added automatically. Traffic drops, they scale back down. You stop getting woken up at 2am.

But now your nodes are full. New pods sit in Pending. HPA did its job. Your cluster had nowhere to put them.

So you use Karpenter. Pods are stuck in Pending, a new node appears. Load drops, the node is gone. You pay for what you actually use.

One pod starts consuming 4GB of memory. Nobody told Kubernetes it wasn’t supposed to.

It starves every other pod on that node. A cascade begins. One rogue pod with no limits takes down everything around it.

So you use Resource Requests and Limits. Requests tell Kubernetes the minimum your pod needs. Limits make sure no pod can steal from everything around it. Your cluster runs predictably.

You deploy a new image and every pod restarts at the same time.

For 30 seconds, your app is completely down. Users see errors. Your on-call phone starts ringing.

So you use a RollingUpdate strategy. Kubernetes kills one pod, starts a new one, waits for it to be healthy, then moves to the next. Your users never notice the deploy happened.

But your new version has a silent bug. Health checks pass, but the app returns wrong data. By the time you notice, the old version is completely gone.

So you use a Readiness Probe. Kubernetes only sends traffic to a pod when it’s actually ready to handle it. Bad pods stay out of rotation automatically.

Your database pod restarts and loses all its data.

Containers are stateless. Every restart is a fresh start with an empty disk. That’s fine for your API. Not fine for Postgres.

So you use PersistentVolumes and PVCs. Storage exists outside the pod lifecycle. Your data survives crashes, restarts, and rescheduling.

But you have one database pod. It gets rescheduled to a different node and needs the same disk to follow it. PVCs work for Deployments, but ordered, sticky identities don’t.

So you use a StatefulSet. Each pod gets a stable name, a stable identity, a stable volume that follows it. pod-0 is always pod-0, not some random hash.

Your ML training job runs for 6 hours. You need exactly one run.

A Deployment would keep restarting it forever after it finishes.

So you use a Job. Kubernetes runs it to completion and stops. No restarts after success. No babysitting. One clean run.

You want a log collector or monitoring agent on every single node. A Deployment doesn’t guarantee one pod per node.

So you use a DaemonSet. One pod lands on every node automatically, including new nodes Karpenter just added. No manual scheduling, no missed nodes.

Your team keeps accidentally deploying to the wrong namespace and wiping production configs.

No guardrails. One bad kubectl command causes real damage.

So you use RBAC. Roles define what actions are allowed. RoleBindings attach them to users or service accounts. Your junior dev can read logs but can’t delete deployments in prod.

You have a critical payment service and a batch analytics job running on the same node. The batch job spikes and steals CPU from payments. Your checkout latency triples during every report run.

So you use PriorityClasses. Payment pods get high priority, batch pods get low. When nodes run out of resources, Kubernetes evicts the batch job first. Not the thing making you money.

Three teams share one cluster. One team’s runaway pods keep starving the others.

So you use ResourceQuota. Each namespace gets a hard ceiling on CPU, memory, and object counts. One team can’t blow up the cluster for everyone else.

You need to run Kafka in Kubernetes.

Kafka has brokers, topics, partition leadership, and a very specific idea of how it wants to be operated. StatefulSets alone don’t know any of that.

So you use a CRD. You teach Kubernetes what a Kafka cluster is. Now kubectl understands Kafka as a first-class object.

But the CRD is just a schema. Nobody acts on it. You create a KafkaCluster resource and nothing happens.

So you add an Operator. It watches your custom resources and takes action — provisioning brokers, handling rebalancing, managing rolling upgrades. It encodes the operational knowledge a human expert would have. Strimzi does this for Kafka. The Prometheus Operator does it for monitoring stacks.

Your GPU nodes are expensive. Regular API pods keep landing on them.

$8 per hour wasted serving JSON.

So you use Taints and Tolerations. GPU nodes are tainted, so only pods that explicitly tolerate that taint can land there. Your API pods never touch the GPU nodes again.

But toleration is just permission, not a guarantee. Your ML pods can land on GPU nodes, but they might still end up on CPU nodes.

So you add Node Affinity. Your ML pods now declare a hard requirement for nodes with the gpu=true label. Permission plus preference becomes a guarantee.

Every concept in Kubernetes exists because someone got paged at 3am and had to invent a way out.

Learn the why, and you will never forget the what.

If you are planning to transition into Devops/MLops/AIops from another domain, then consider my real-world production projects and live, troubleshooting-based, 25-week bootcamp

25-Week AWS DevOps + MLOPS + AIOPS Bootcamp By Akhilesh Mishra ( Living Devops )

Share
Akhilesh Mishra

Akhilesh Mishra

I am Akhilesh Mishra, a self-taught Devops engineer with 11+ years working on private and public cloud (GCP & AWS)technologies.

I also mentor DevOps aspirants in their journey to devops by providing guided learning and Mentorship.

Topmate: https://topmate.io/akhilesh_mishra/