
Kubernetes (K8s): Pods, Deployments, Services and Running Applications

K8s fundamentals – Pods as the unit of execution, controllers, config, Secrets, Ingress and resource limits.

Kubernetes schedules containers onto machines while hiding their churn. It exposes a declarative API for desired state—replicas, images, mounts—and reconciles reality continuously. Understanding pods, workloads, and networking is enough to build, but production also demands quotas, policies, and observability.

Pods group tightly coupled containers that share a network namespace and, optionally, volumes. Prefer one main container per pod, with sidecars reserved for logging, mTLS, or Envoy-style proxying. Pods are disposable; controllers recreate them, so design statelessness into app tiers.

Deployments manage ReplicaSets to roll out new pod templates gradually. Configure maxUnavailable and maxSurge to balance availability with rollout speed. Paused deployments help when debugging bad releases without tearing the whole stack.

Probes differentiate “running” from “ready.” Liveness probes restart wedged processes; readiness probes gate traffic until dependencies are warm. Misconfigured probes cause restart loops or silent traffic drops, so validate them against real startup curves.

Services present stable virtual IPs and DNS names inside the cluster. ClusterIP suits internal east-west traffic; NodePort and LoadBalancer expose north-south traffic. Headless Services return individual pod addresses instead of a virtual IP, which is what StatefulSets rely on for per-pod discovery.

Ingress (or Gateway API) centralizes HTTP routing, TLS termination, and host/path rules. Pick a maintained controller and understand how it handles large headers, websockets, and rate limits common to your apps.

ConfigMaps and Secrets should separate non-secret config from credentials, but remember that Secrets are only base64-encoded, not encrypted, by default: enable encryption of etcd at rest, rotate regularly, and integrate with External Secrets or cloud KMS providers. Git stores references, not values.

Resource requests and limits influence scheduling fairness and noisy-neighbor containment. CPU limits set too low cause throttling; missing memory limits let a container grow until node memory pressure evicts pods. Measure actual usage before copying examples from blog posts.

Horizontal Pod Autoscaler scales on CPU, memory, or custom metrics—often queue depth or latency proxies. Pair with cluster autoscaler carefully; scaling pods without nodes buys nothing. Vertical scaling still matters for JVM heaps and batch jobs.

Namespaces and RBAC isolate teams. Default deny with explicit RoleBindings beats wide cluster-admin sharing. Audit who can exec into pods or read secrets—those are production access paths.

NetworkPolicies add firewall semantics between pods. Without them, any compromised pod can scan neighbors. Start with default deny egress/ingress on sensitive namespaces, then allow minimal edges.
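The rollout settings, probes, Secret reference, resource limits and default-deny NetworkPolicy discussed above, pulled together into one manifest. This is an added example, not from the original page; the names (api, payments, api-credentials), image, ports and probe paths are assumed.

```yaml
# Added example, not the page's own manifest; names and image are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: payments
spec:
  replicas: 3
  selector:
    matchLabels: {app: api}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1          # one extra pod during rollout
      maxUnavailable: 0    # never drop below the desired replica count
  template:
    metadata:
      labels: {app: api}
    spec:
      containers:
      - name: api
        image: registry.example.com/api:1.4.2   # assumed; pin a tag or digest
        envFrom:
        - secretRef:
            name: api-credentials   # created out of band, e.g. by External Secrets
        readinessProbe:             # gates traffic until dependencies are warm
          httpGet: {path: /readyz, port: 8080}
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:              # restarts only a wedged process
          httpGet: {path: /healthz, port: 8080}
          initialDelaySeconds: 30   # longer than real startup, to avoid restart loops
          periodSeconds: 10
        resources:
          requests: {cpu: 250m, memory: 256Mi}
          limits: {cpu: "1", memory: 512Mi}
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  podSelector: {}                   # selects every pod in the namespace
  policyTypes: [Ingress, Egress]    # no rules listed, so all traffic is denied
```

With the default-deny policy in place, each required edge (DNS egress, ingress from the Ingress controller, the database port) is then allowed by a separate, narrowly scoped NetworkPolicy.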

StatefulSets, Operators, and CRDs appear when you run databases or queue controllers on Kubernetes—but weigh whether managed services off-cluster reduce toil.

In summary: master Deployments, Services, probes, ingress, secrets management, and resource hygiene before chasing exotic features. Stable clusters come from modest manifests operated consistently, not from the largest Helm chart collection.
