00: Kubernetes Architecture Overview
00: Kubernetes Architecture Overview
Overview
This exercise introduces the fundamental architecture of Kubernetes and how Azure Kubernetes Service (AKS) implements it as a managed platform. You will learn about control plane components, worker node components, and AKS-specific features before diving into hands-on exercises.
Objective
- Understand the high-level architecture of a Kubernetes cluster
- Learn how AKS manages the control plane on your behalf
- Familiarize yourself with key Kubernetes concepts and terminology
- Get oriented with the training map and exercise structure
Theory
Kubernetes Architecture
A Kubernetes cluster consists of two main parts: the control plane and worker nodes.
Control Plane Components
| Component | Responsibility |
|---|---|
| kube-apiserver | Front-end for the Kubernetes API. All communication (kubectl, controllers, kubelets) goes through the API server. |
| etcd | Distributed key-value store that holds all cluster state and configuration. |
| kube-scheduler | Watches for newly created Pods with no assigned node and selects a node for them to run on. |
| kube-controller-manager | Runs controller loops (ReplicaSet controller, Deployment controller, Node controller, etc.) that regulate cluster state. |
| cloud-controller-manager | Integrates with the underlying cloud provider (Azure) to manage load balancers, routes, and node lifecycle. |
Worker Node Components
| Component | Responsibility |
|---|---|
| kubelet | Agent running on each node. Ensures containers described in PodSpecs are running and healthy. |
| kube-proxy | Maintains network rules on nodes, enabling Service abstraction (iptables/IPVS rules). |
| Container runtime | Software responsible for running containers (containerd on AKS). |
Cluster Architecture Diagram
graph TB
subgraph ControlPlane["Control Plane (Managed by Microsoft in AKS)"]
API[kube-apiserver]
ETCD[etcd]
SCHED[kube-scheduler]
CM[kube-controller-manager]
CCM[cloud-controller-manager]
end
subgraph WorkerNode1["Worker Node 1"]
K1[kubelet]
KP1[kube-proxy]
CR1[containerd]
P1[Pod A]
P2[Pod B]
end
subgraph WorkerNode2["Worker Node 2"]
K2[kubelet]
KP2[kube-proxy]
CR2[containerd]
P3[Pod C]
P4[Pod D]
end
API --> ETCD
SCHED --> API
CM --> API
CCM --> API
K1 --> API
K2 --> API
KP1 --> API
KP2 --> API
AKS Specifics
Managed Control Plane
In AKS, Microsoft manages the entire control plane for you. This means:
- You do not have access to the control plane VMs or etcd directly.
- Microsoft handles upgrades, patching, and high availability of control plane components.
- You interact with the cluster exclusively through the kube-apiserver endpoint.
- The control plane is free in the Free tier; you only pay for worker node VMs.
AKS Pricing Tiers
| Tier | SLA | Features |
|---|---|---|
| Free | No SLA | Suitable for development/testing. No uptime guarantee. |
| Standard | 99.95% (availability zones) / 99.9% (no AZ) | Financially backed SLA. Recommended for production workloads. |
| Premium | 99.95% (availability zones) / 99.9% (no AZ) | Includes Long Term Support (LTS), advanced features, and Microsoft-maintained compliance controls. |
Azure Linux 3.0 as Default Node OS
Starting in recent AKS versions, Azure Linux 3.0 (previously known as CBL-Mariner) is the default node operating system. Key points:
- Optimized for container workloads with a minimal footprint.
- Faster boot times and reduced attack surface compared to Ubuntu.
- Microsoft-maintained and security-patched.
- You can still choose Ubuntu if needed via
--os-skuflag.
AKS Managed vs Customer-Managed Components
graph LR
subgraph Microsoft["Managed by Microsoft"]
direction TB
CP[Control Plane]
ETCD2[etcd]
API2[API Server]
UP[Upgrades & Patches]
HA[High Availability]
end
subgraph Customer["Managed by Customer"]
direction TB
NP[Node Pools & VMs]
APP[Application Workloads]
NET[Virtual Network Config]
MON[Monitoring & Logging]
SEC[RBAC & Security Policies]
REG[Container Registry]
end
Microsoft --- Customer
kubectl and kubeconfig
kubectl is the command-line tool for interacting with Kubernetes clusters. It communicates with the kube-apiserver using REST API calls.
kubeconfig is a configuration file (default location: ~/.kube/config) that contains:
- Clusters โ API server addresses and CA certificates.
- Users โ Authentication credentials (tokens, certificates, or Azure AD integration in AKS).
- Contexts โ A combination of cluster + user + namespace. You switch contexts to target different clusters or namespaces.
# Download AKS credentials into your kubeconfig (or receive kubeconfig from instructor)
az aks get-credentials --resource-group <RG> --name <CLUSTER> --overwrite-existing
# View current context
kubectl config current-context
# List all contexts
kubectl config get-contexts
# Set default namespace for the current context
kubectl config set-context --current --namespace=student-XX
Training note: In this training, the instructor provides you with a kubeconfig for the shared cluster. Each participant works in their own pre-created namespace
student-XX.
Component Communication Flow
sequenceDiagram
participant User as kubectl / User
participant API as kube-apiserver
participant ETCD as etcd
participant Sched as kube-scheduler
participant Kubelet as kubelet (node)
User->>API: kubectl apply -f pod.yaml
API->>ETCD: Store Pod spec
API->>Sched: Notify: unscheduled Pod
Sched->>API: Assign Pod to Node
API->>ETCD: Update Pod with node assignment
API->>Kubelet: Pod scheduled to your node
Kubelet->>Kubelet: Pull image, start container
Kubelet->>API: Report Pod status: Running
Glossary of Terms
| Term | Description | Exercise Reference |
|---|---|---|
| Pod | Smallest deployable unit in Kubernetes. Contains one or more containers sharing network and storage. | Exercise 03 |
| Namespace | Virtual cluster within a physical cluster. Provides isolation and scope for resources. | Exercise 02 |
| ConfigMap | Stores non-confidential configuration data as key-value pairs. Decouples configuration from container images. | Exercise 09 |
| Secret | Stores sensitive data (passwords, tokens, keys). Base64-encoded, can be encrypted at rest in AKS. | Exercise 10 |
| Volume | Provides persistent or ephemeral storage to Pods. Survives container restarts (persistent volumes survive Pod deletion). | Exercise 11 |
| Deployment | Declares desired state for Pods and ReplicaSets. Manages rolling updates and rollbacks. | Exercise 06 |
| Service | Stable network endpoint that routes traffic to a set of Pods. Types: ClusterIP, NodePort, LoadBalancer. | Exercise 13 |
| Ingress | Manages external HTTP/HTTPS access to Services. Provides routing rules, TLS termination, and virtual hosting. | Exercise 15 |
| ReplicaSet | Ensures a specified number of Pod replicas are running at all times. Usually managed by a Deployment. | Exercise 06 |
| DaemonSet | Ensures a copy of a Pod runs on every (or selected) node. Used for monitoring agents, log collectors. | Exercise 08 |
| StatefulSet | Like a Deployment but provides stable network identities and persistent storage for each Pod. | Exercise 12 |
| Job / CronJob | Runs tasks to completion (Job) or on a schedule (CronJob). | Exercise 07 |
| HPA | Horizontal Pod Autoscaler. Automatically scales the number of Pod replicas based on CPU/memory or custom metrics. | Exercise 20 |
| NetworkPolicy | Controls traffic flow between Pods at the network level (Layer 3/4). | Exercise 16 |
| RBAC | Role-Based Access Control. Defines who can perform what actions on which resources. | Exercise 17 |
Training Map
This training consists of 11 modules and 31 exercises (numbered 00 through 30).
| Module | Exercises | Topic |
|---|---|---|
| Introduction | 00 | Architecture Overview |
| Cluster Basics | 01-02 | AKS Cluster Exploration, Namespaces |
| Pods & Workloads | 03-08 | Pods, Labels, Multi-container Pods, Deployments, Jobs, DaemonSets |
| Configuration | 09-10 | ConfigMaps, Secrets |
| Storage | 11-12 | Volumes, StatefulSets |
| Networking | 13-16 | Services, DNS, Ingress, Network Policies |
| Security | 17-18 | RBAC, Pod Security |
| Scaling | 19-20 | Resource Requests/Limits, HPA |
| Observability | 21-23 | Probes, Logging, Monitoring |
| CI/CD & Registry | 24-26 | ACR, Helm, GitOps |
| Advanced Topics | 27-30 | Node management, Troubleshooting, Cost optimization, Cluster upgrades |
Summary
Kubernetes provides a robust platform for container orchestration, and AKS simplifies operations by managing the control plane. Throughout this training, you will progress from exploring the cluster architecture to deploying, configuring, scaling, and troubleshooting real workloads in your student-XX namespace.
Proceed to Exercise 01 to explore the AKS cluster hands-on.