Kubernetes Overview – Architecture & Core Concepts

Kubernetes Overview

  • Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation.
  • Kubernetes originates from Greek, meaning helmsman or pilot.
  • Kubernetes provides an orchestration framework to run distributed systems resiliently. It takes care of scaling and failover for the application, provides deployment patterns, and more.
  • Kubernetes is currently at version 1.36 (latest: 1.36.2, released June 2026), with three releases per year following a ~4-month cadence.
  • Kubernetes 1.19 and newer receive approximately 1 year of patch support from the community.

Container Deployment Model

Deployment evolution

  • Containers are similar to VMs, but they have relaxed isolation properties to share the Operating System (OS) among the applications.
  • Containers are lightweight and have their own filesystem, share of CPU, memory, process space, and more.
  • Containers are decoupled from the underlying infrastructure, they are portable across clouds and OS distributions.
  • Containers provide the following benefits
    • Agile application creation and deployment
    • Continuous development, integration, and deployment
    • Dev and Ops separation of concerns
    • Observability
    • Environmental consistency across development, testing, and production
    • Cloud and OS distribution portability
    • Application-centric management
    • Loosely coupled, distributed, elastic, liberated micro-services
    • Resource isolation & utilization

Kubernetes Features

  • Service discovery and load balancing
    • Kubernetes can expose a container using the DNS name or using their own IP address.
    • If traffic to a container is high, Kubernetes is able to load balance and distribute the network traffic so that the deployment is stable.
  • Storage orchestration
    • Kubernetes allows you to automatically mount a storage system of your choice, such as local storage, public cloud providers, and more.
  • Automated rollouts and rollbacks
    • Kubernetes can change the actual state of the deployed containers to the desired state at a controlled rate ensuring zero downtime.
  • Automatic bin packing
    • Kubernetes can fit containers onto the available nodes to make the best use of the resources as per the specified container specification.
  • Self-healing & High Availability
    • Kubernetes restarts containers that fail, replaces containers, kills containers that don’t respond to the user-defined health check, and doesn’t advertise them to clients until they are ready to serve.
  • Scalability
    • Kubernetes can help scale the application as per the load.
    • Supports Horizontal Pod Autoscaler (HPA), Vertical Pod Autoscaler (VPA), and Cluster Autoscaler.
  • In-Place Pod Vertical Scaling (GA in v1.35)
    • Allows changing CPU and memory requests/limits on a running pod without restarting it.
    • The kubelet updates the container’s Linux cgroup directly, avoiding pod deletion or container restart.
    • Graduated to Stable (GA) in Kubernetes v1.35 (December 2025).
  • Secret and configuration management
    • Kubernetes helps store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys.
    • Secrets and application configuration can be deployed without rebuilding the container images, and without exposing secrets in the stack configuration.
  • Dynamic Resource Allocation – DRA (GA in v1.34)
    • Provides a flexible, request-based model for managing hardware resources like GPUs, FPGAs, and other specialized devices.
    • Kubernetes automatically matches claims with available devices, applies CEL expressions for flexible filtering, and schedules pods onto nodes with access to the allocated devices.
    • Replaces static device plugin assignments with a more flexible paradigm.
    • Critical for AI/ML workloads requiring GPU scheduling and multi-tenant GPU sharing.

Kubernetes Architecture

Refer to detailed blog post @ Kubernetes Architecture

Kubernetes Architecture

Control Plane Components

  • Control plane components (previously referred to as “master components”) provide the cluster’s control plane.
  • Control plane components make global decisions about the cluster (for example, scheduling), and detect and respond to cluster events (for example, beginning a replacement pod when a deployment’s replicas field is unsatisfied).
  • Control plane components include:
    • kube-apiserver – Exposes the Kubernetes API. It is the front-end for the control plane.
    • etcd – Consistent and highly-available key-value store for all cluster data. (Can be co-located with control plane nodes or run on a dedicated cluster.)
    • kube-scheduler – Watches for newly created pods with no assigned node, and selects a node for them to run on.
    • kube-controller-manager – Runs the controller processes (Node controller, Job controller, EndpointSlice controller, ServiceAccount controller).
    • cloud-controller-manager – Embeds cloud-specific control logic, letting you link your cluster into your cloud provider’s API.

Node Components

  • Node components run on every node, maintaining running pods and providing the Kubernetes runtime environment.
    • kubelet – Agent that ensures containers in a pod are running and healthy.
    • kube-proxy – Maintains network rules on nodes and performs connection forwarding. Supports iptables and nftables modes (nftables mode stable since v1.31).
    • Container runtime – Software responsible for running containers. Must implement the Kubernetes Container Runtime Interface (CRI). Examples: containerd, CRI-O.
📝 Note: Docker Engine support via dockershim was removed in Kubernetes v1.24 (May 2022). All supported Kubernetes versions now require a CRI-compliant runtime such as containerd or CRI-O. Docker-built images still work — only the dockershim runtime interface was removed.

Key Features (2024-2026 Updates)

Native Sidecar Containers (GA in v1.33)

  • Sidecar containers are declared in initContainers with restartPolicy: Always.
  • Kubernetes starts them before the main app containers, keeps them running alongside the app, and terminates them after the app on shutdown.
  • Jobs complete correctly even with sidecars running — a long-standing pain point now resolved.
  • Common use cases: service mesh proxies, log shippers, observability agents.
  • Graduated to Stable (GA) in v1.33 (April 2025).

Gateway API (Successor to Ingress)

  • Gateway API is the modern, role-oriented replacement for the Kubernetes Ingress resource.
  • Core resources (Gateway, HTTPRoute) have been GA/stable since Kubernetes 1.21+, with Gateway API v1.5 released in 2026.
  • Provides role separation: infrastructure teams manage Gateways, application teams manage HTTPRoutes.
  • Supports cross-namespace references, header-based routing, traffic splitting, and multi-protocol support.
  • Ingress-NGINX was retired in March 2026 — no further releases, bugfixes, or security patches.
  • Migration tool: Ingress2Gateway 1.0 released to help migrate Ingress resources to Gateway API.

User Namespaces (GA in v1.36)

  • Provides enhanced security isolation by mapping container UIDs to different host UIDs.
  • Prevents container breakout attacks from gaining root access on the host.
  • Graduated to GA in Kubernetes v1.36 (April 2026).

AI/ML Workload Support

  • Kubernetes has become the primary platform for AI/ML infrastructure with GPU orchestration capabilities.
  • Dynamic Resource Allocation (DRA) enables first-class GPU scheduling (GA in v1.34).
  • KAI Scheduler and Kueue provide advanced GPU-aware scheduling for multi-tenant environments.
  • NVIDIA donated its DRA driver to CNCF at KubeCon Europe 2026.
  • Supports gang scheduling for distributed training via Volcano and Kueue.
  • Agent Sandbox feature introduced in v1.36 for running AI agents securely on Kubernetes.

Volume Group Snapshots (GA in v1.36)

  • Enables crash-consistent snapshots of multiple volumes simultaneously.
  • Critical for stateful applications (databases, distributed storage) requiring point-in-time consistency.
  • Graduated to GA in v1.36 (April 2026).

Mutating Admission Policies (GA in v1.36)

  • Extends ValidatingAdmissionPolicy (GA since v1.30) to support mutation using CEL expressions.
  • Reduces the need for external webhook-based admission controllers.
  • Enables policy-as-code without third-party tools for common mutation scenarios.

Managed Kubernetes Services

  • Amazon EKS (Elastic Kubernetes Service) – Managed Kubernetes on AWS. Supports 14 months of standard support + 12 months extended support (26 months total) per version. Currently supports up to Kubernetes 1.36.
  • Google GKE (Google Kubernetes Engine) – Managed Kubernetes on GCP. Offers Regular, Rapid, and Stable release channels.
  • Azure AKS (Azure Kubernetes Service) – Managed Kubernetes on Azure. Supports community-supported versions plus additional Long Term Support.
  • Other Options – Red Hat OpenShift, Rancher (SUSE), DigitalOcean DOKS, Oracle OKE, IBM Cloud Kubernetes Service.

Kubernetes Components

Refer to blog post @ Kubernetes Components

Kubernetes Security

Refer to blog post @ Kubernetes Security

Kubernetes Certifications

  • CKA (Certified Kubernetes Administrator) – Validates skills in cluster administration, networking, storage, security, and troubleshooting. Updated curriculum includes Gateway API (2025-2026).
  • CKAD (Certified Kubernetes Application Developer) – Validates skills in designing, building, and deploying cloud-native applications on Kubernetes.
  • CKS (Certified Kubernetes Security Specialist) – Focuses on security hardening, supply chain, runtime security, and network policies. Updated September 2024 — CKA prerequisite no longer requires active status (passed at any time suffices).
  • All exams are 2-hour, performance-based, hands-on lab environments.

Kubernetes Version History (Recent)

Version Release Date Key Features
v1.36 April 2026 User Namespaces GA, Volume Group Snapshots GA, Mutating Admission Policies GA, DRA enhancements, Sidecar containers for pod-level resources (beta)
v1.35 December 2025 In-Place Pod Resize GA, PSI Metrics GA, Fine-Grained Kubelet API Authorization GA
v1.34 August 2025 Dynamic Resource Allocation (DRA) GA, Structured Authorization Configuration GA
v1.33 April 2025 Native Sidecar Containers GA, In-Place Pod Resize Beta, User Namespaces enabled by default
v1.32 December 2024 Memory Manager GA, DRA v1beta1, Volume Group Snapshots Beta
v1.31 August 2024 AppArmor GA, nftables kube-proxy mode, Pod Failure Policy for Jobs GA
v1.30 April 2024 ValidatingAdmissionPolicy GA, Recursive Read-Only Mounts, Traffic Distribution for Services