knowledge/technology/tools/kubernetes.md

---
obj: concept
website: https://kubernetes.io
---

# Kubernetes

## Overview

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers into logical units called **Pods**, which run on **Nodes** in a cluster. A simple solution to get up and running is [k3s](k3s.md).

You can manage k8s clusters via `kubectl`. Most things are defined via yaml manifest files decleratively. You can throw these into your cluster with `kubectl apply -f FILE`.

## Resources

### Namespace

Logical separation of resources within a cluster.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
```

### Pod

The smallest deployable unit in Kubernetes.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: full-example-pod
  namespace: example-namespace
  labels:
    app: web
    tier: frontend
  annotations:
    description: "A full-featured pod example for demonstration purposes"
spec:
  restartPolicy: Always

  # Init container (runs before main containers)
  initContainers:
    - name: init-permissions
      image: busybox
      command: ["sh", "-c", "chmod 777 /mnt/data"]
      volumeMounts:
        - name: data-volume
          mountPath: /mnt/data

  containers:
    - name: main-app
      image: nginx:1.25
      imagePullPolicy: IfNotPresent
      ports:
        - containerPort: 80
          name: http
      env:
        # Environment
        - name: ENVIRONMENT
          value: production
        
        # Env from ConfigMap
        - name: CONFIG_TIMEOUT
          valueFrom:
            configMapKeyRef:
              name: example-config
              key: TIMEOUT
        
        # Env from Secret
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: example-secret
              key: password
      volumeMounts:
        - name: data-volume
          mountPath: /usr/share/nginx/html
        - name: config-volume
          mountPath: /etc/config
          readOnly: true
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
        requests:
          cpu: "250m"
          memory: "128Mi"
      livenessProbe:
        httpGet:
          path: /
          port: 80
        initialDelaySeconds: 10
        periodSeconds: 10
      readinessProbe:
        httpGet:
          path: /
          port: 80
        initialDelaySeconds: 5
        periodSeconds: 5
      lifecycle:
        preStop:
          exec:
            command: ["sh", "-c", "echo stopping..."]

    - name: sidecar-logger
      image: busybox
      args: ["sh", "-c", "tail -f /var/log/app.log"]
      volumeMounts:
        - name: log-volume
          mountPath: /var/log

  # Volumes
  volumes:
    # ConfigMap - inject config files
    - name: config-volume
      configMap:
        name: example-config
        items:
          - key: config.json
            path: config.json

    # Secret - inject sensitive data
    - name: secret-volume
      secret:
        secretName: example-secret
        items:
          - key: password
            path: password.txt

    # EmptyDir - ephemeral shared storage between containers
    - name: log-volume
      emptyDir:
        medium: ""
        sizeLimit: 500Mi

    # HostPath - access host node's filesystem (example: logs)
    - name: host-logs
      hostPath:
        path: /var/log
        type: Directory
```

### Deployment

Ensures a specified number of identical Pods are running and up-to-date. Supports rolling updates and rollbacks.

```yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-deployment
  namespace: example-namespace
spec:
  replicas: 3
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: web
          image: nginx:alpine
          ports:
            - containerPort: 80
```

### StatefulSet

Like a Deployment, but for workloads requiring stable network IDs, persistent storage, and ordered startup/shutdown.

```yml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: example-statefulset
  namespace: example-namespace
spec:
  serviceName: "example"
  replicas: 2
  selector:
    matchLabels:
      app: stateful-app
  template:
    metadata:
      labels:
        app: stateful-app
    spec:
      containers:
        - name: web
          image: nginx:alpine
          volumeMounts:
            - name: data
              mountPath: /usr/share/nginx/html
```

### DaemonSet

Ensures a copy of a Pod runs on all (or some) Nodes in the cluster. Ideal for log collectors or system-level agents.

```yml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-daemonset
  namespace: example-namespace
spec:
  selector:
    matchLabels:
      name: ds-app
  template:
    metadata:
      labels:
        name: ds-app
    spec:
      containers:
        - name: node-monitor
          image: busybox
          args: ["sh", "-c", "while true; do echo hello; sleep 10; done"]
```

### Job

Runs a Pod (or multiple) to completion. Used for batch processing or one-off tasks.

```yml
apiVersion: batch/v1
kind: Job
metadata:
  name: example-job
  namespace: example-namespace
spec:
  template:
    spec:
      containers:
        - name: pi
          image: perl
          command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
      restartPolicy: Never
  backoffLimit: 4
```

### CronJob

Schedules Jobs to run periodically, similar to [UNIX cron](../linux/cron.md).

```yml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: example-cronjob
  namespace: example-namespace
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: hello
              image: busybox
              args: ["echo", "Hello from the CronJob"]
          restartPolicy: OnFailure
```

> Note: You can quickly run CronJobs as a job with: `kubectl create job --from=cronjob.batch/my_cron_job new_job`

### Service

Defines a stable network endpoint to access a set of Pods. Supports different types like `ClusterIP`, `NodePort`, and `LoadBalancer`.

```yml
apiVersion: v1
kind: Service
metadata:
  name: example-service
  namespace: example-namespace
spec:
  selector:
    app: example
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ClusterIP
```

### ConfigMap

Injects configuration data (as key-value pairs) into Pods, keeping config decoupled from code.

```yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: example-config
  namespace: example-namespace
data:
  APP_ENV: production
  TIMEOUT: "30"
```

Usage in a Pod:

```yml
envFrom:
  - configMapRef:
      name: example-config
```

### Secret

Similar to ConfigMap, but for sensitive data like passwords, tokens, or keys.
If you want encryption on rest for your manifests, look at [sops](../tools/sops.md).

```yml
apiVersion: v1
kind: Secret
metadata:
  name: example-secret
  namespace: example-namespace
type: Opaque
data:
  username: YWRtaW4=   # base64 of 'admin'
  password: cGFzc3dvcmQ=   # base64 of 'password'
```

Usage in a Pod:

```yml
env:
  - name: USERNAME
    valueFrom:
      secretKeyRef:
        name: example-secret
        key: username
```