Advanced Kubernetes Vocabulary for IT Professionals
Master advanced Kubernetes terms: CRD, operator pattern, admission webhooks, RBAC, and network policies with clear definitions and usage examples.
Kubernetes has evolved from a container scheduler into a full platform-engineering backbone. If you work with it at an advanced level — or if you discuss architecture with SREs and platform teams — you need precise English vocabulary for its more powerful abstractions.
Custom Resource Definitions (CRDs)
A Custom Resource Definition (CRD) extends the Kubernetes API with new object types your cluster can manage. Instead of being limited to built-in objects like Pod or Service, teams can define their own:
- “We created a CRD to represent a DatabaseCluster object.”
- “The CRD schema validates fields on every create or update.”
- “Deleting a CRD removes all instances of that resource from the cluster.”
Key phrases
- define a CRD — register a new resource type
- a custom resource instance — one object of a CRD type
- the CRD schema — the validation rules for the new type
The Operator Pattern
An operator is a controller that encodes operational knowledge about a stateful application. It watches custom resources and reconciles the real cluster state toward the desired state.
“An operator automates what a human operator would do — backups, failovers, scaling — based on the resource spec.”
Common phrases:
- write an operator — build the controller logic
- the reconcile loop — the cycle where the operator checks and corrects state
- a level-triggered operator — one that acts on current state, not event history
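The CRD schema and the reconcile loop described above, as an added example that is not part of the original page and is not any real operator's code. The DatabaseCluster type, its schema, and the cluster model are constructed for illustration; a real operator would read and write the API server instead of a dataclass.

```python
"""Level-triggered reconcile loop for a hypothetical DatabaseCluster custom resource.

Added example; DatabaseCluster, its schema and the cluster model are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Stand-in for the CRD's openAPIV3Schema: the API server applies these rules on
# every create or update, so an invalid spec never reaches the operator.
SPEC_SCHEMA = {
    "replicas": {"type": int, "minimum": 1, "maximum": 9},
    "version": {"type": str, "enum": ["14", "15", "16"]},
}


def validate_spec(spec: dict) -> List[str]:
    """Return validation errors for a DatabaseCluster spec (empty when admissible)."""
    errors = []
    for name, rule in SPEC_SCHEMA.items():
        if name not in spec:
            errors.append(f"spec.{name}: required field missing")
            continue
        value = spec[name]
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"spec.{name}: expected {rule['type'].__name__}")
            continue
        if "minimum" in rule and value < rule["minimum"]:
            errors.append(f"spec.{name}: must be >= {rule['minimum']}")
        if "maximum" in rule and value > rule["maximum"]:
            errors.append(f"spec.{name}: must be <= {rule['maximum']}")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"spec.{name}: must be one of {rule['enum']}")
    errors += [f"spec.{name}: unknown field" for name in spec if name not in SPEC_SCHEMA]
    return errors


@dataclass
class ClusterState:
    """What the operator observes when it reads the cluster back (constructed)."""
    pods: List[str] = field(default_factory=list)  # database pod names currently running
    version: Optional[str] = None                  # version those pods run


def reconcile(cr: dict, state: ClusterState) -> List[str]:
    """One pass of the reconcile loop; returns the corrective actions it issued.

    Level-triggered: the decision depends only on the current spec and the
    current observed state, never on which events led here, so a missed or
    replayed watch event cannot change the outcome, and a second pass over an
    already-correct cluster issues nothing.
    """
    errors = validate_spec(cr["spec"])
    if errors:
        # Mirror an API-server rejection: report in status, touch nothing.
        return [f"status: invalid spec ({'; '.join(errors)})"]
    name = cr["metadata"]["name"]
    want_replicas, want_version = cr["spec"]["replicas"], cr["spec"]["version"]
    actions = []
    if state.version not in (None, want_version):
        actions.append(f"upgrade {name} from {state.version} to {want_version}")
    state.version = want_version
    while len(state.pods) < want_replicas:  # scale up, or replace a lost pod
        # Reuse the lowest free ordinal, the way a StatefulSet names its pods.
        ordinal = next(i for i in range(want_replicas) if f"{name}-{i}" not in state.pods)
        state.pods.append(f"{name}-{ordinal}")
        actions.append(f"create pod {name}-{ordinal}")
    while len(state.pods) > want_replicas:  # scale down
        actions.append(f"delete pod {state.pods.pop()}")
    return actions


def example_cr(replicas: int = 3, version: str = "15") -> dict:
    """Constructed DatabaseCluster instance of the hypothetical example.com/v1 CRD."""
    return {"apiVersion": "example.com/v1", "kind": "DatabaseCluster",
            "metadata": {"name": "orders-db", "namespace": "production"},
            "spec": {"replicas": replicas, "version": version}}


if __name__ == "__main__":
    state = ClusterState()
    cr = example_cr()
    print(reconcile(cr, state))  # creates three pods
    print(reconcile(cr, state))  # nothing to do
    state.pods.remove("orders-db-1")  # a pod disappears out of band
    print(reconcile(cr, state))  # recreates exactly that pod
```

Running the script shows the level-triggered property directly: the second pass is empty, and a pod lost between passes is recreated from the observed gap rather than from any event the operator had to catch.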
Describing operator maturity
Operators are often described using a five-level maturity model:
- Basic install — automates deployment
- Seamless upgrades — manages version upgrades
- Full lifecycle — handles backups and recovery
- Deep insights — exposes metrics and alerting
- Auto-pilot — horizontal scaling, tuning, anomaly detection
Admission Webhooks
Admission webhooks intercept API requests before objects are persisted. They let you enforce policy or mutate objects dynamically.
Two types:
- Validating admission webhook — rejects requests that violate policy (e.g., “deny any pod without resource limits”)
- Mutating admission webhook — modifies requests before they are written (e.g., “inject a sidecar container automatically”)
Usage in sentences
- “The validating webhook rejected the deployment because the image tag was latest.”
- “We use a mutating webhook to inject the logging sidecar into every pod.”
- “The webhook timed out, so the API server fell back to the failure policy.”
Useful collocations
| Verb | Object |
|---|---|
| register | a webhook |
| configure | the failure policy |
| bypass | the webhook (in an emergency) |
| respond within | the timeout window |
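Both webhook types from this section as an added example, not code from the page or from any real webhook project. The handlers take the AdmissionReview document the API server POSTs and return the AdmissionReview response it expects; the HTTPS/TLS serving layer is omitted. The two policies (deny the latest tag, require resource limits), the sidecar image, and the sample pod are constructed.

```python
"""Validating and mutating admission webhook logic as plain functions.

Added example; policies, the sidecar image and the sample pod are constructed.
"""
import base64
import json

SIDECAR = {  # constructed container the mutating webhook injects
    "name": "log-shipper",
    "image": "registry.example.com/log-shipper:1.4.2",
    "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}},
}


def _respond(review: dict, allowed: bool, message: str = "", patch=None) -> dict:
    """Wrap a decision in an AdmissionReview response; the uid must echo the request's."""
    response = {"uid": review["request"]["uid"], "allowed": allowed}
    if message:
        response["status"] = {"code": 403, "message": message}
    if patch is not None:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _image_tag(image: str) -> str:
    """Tag of an image reference; an untagged reference resolves to 'latest'."""
    last = image.rsplit("/", 1)[-1]  # skip a registry port such as host:5000/
    return last.rsplit(":", 1)[1] if ":" in last else "latest"


def validate(review: dict) -> dict:
    """Validating webhook: deny pods that use the 'latest' tag or omit resource limits."""
    problems = []
    for c in review["request"]["object"]["spec"].get("containers", []):
        if _image_tag(c.get("image", "")) == "latest":
            problems.append(f"container {c['name']}: image tag 'latest' is not allowed")
        if not c.get("resources", {}).get("limits"):
            problems.append(f"container {c['name']}: resource limits are required")
    if problems:
        return _respond(review, False, "; ".join(problems))
    return _respond(review, True)


def mutate(review: dict) -> dict:
    """Mutating webhook: append the sidecar via JSON Patch, once (re-invocation is a no-op)."""
    containers = review["request"]["object"]["spec"].get("containers", [])
    if any(c.get("name") == SIDECAR["name"] for c in containers):
        return _respond(review, True)
    patch = [{"op": "add", "path": "/spec/containers/-", "value": SIDECAR}]
    return _respond(review, True, patch=patch)


def decode_patch(response: dict) -> list:
    """Decode the base64-encoded JSON Patch from a mutating response (for inspection)."""
    return json.loads(base64.b64decode(response["response"]["patch"]))


def make_review(uid: str, containers: list) -> dict:
    """Constructed AdmissionReview request for a Pod CREATE in 'production'."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE", "namespace": "production",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "api"},
                                   "spec": {"containers": containers}}}}


if __name__ == "__main__":
    pod = [{"name": "app", "image": "nginx:latest"}]
    print(json.dumps(validate(make_review("demo-1", pod))["response"], indent=2))
    print(decode_patch(mutate(make_review("demo-2", pod))))
```

Two details matter in practice: the response must echo the request's uid or the API server discards it, and mutation has to be idempotent because the server may call the webhook again after other mutating webhooks change the object. Neither handler models the timeout case; when a webhook does not respond within the timeout window, the API server applies the failure policy configured on the webhook registration.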
Role-Based Access Control (RBAC)
RBAC governs what subjects (users, groups, service accounts) can do with which resources.
Four core objects:
- Role — grants permissions within a namespace
- ClusterRole — grants permissions cluster-wide
- RoleBinding — binds a Role to a subject in a namespace
- ClusterRoleBinding — binds a ClusterRole to a subject cluster-wide
Talking about RBAC
- “The service account lacks the get pods permission in the production namespace.”
- “We bound the view ClusterRole to the on-call team’s group.”
- “Grant least-privilege access — only what the workload needs.”
- “The pipeline impersonates the deployment service account.”
Tip: In English, you grant permissions, bind roles, and revoke access. Do not say “give permission” in formal docs — “grant” is the precise verb.
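The four RBAC objects and the two sentences above, worked through as an added example that is not part of the page. Every Role, ClusterRole, binding, and subject is constructed in the shape of the rbac.authorization.k8s.io/v1 API; the evaluator is a small model of the RBAC authorizer, not the real one, but it reproduces the scoping rule that matters most in practice: a RoleBinding confers permissions only inside its own namespace even when it references a ClusterRole, whereas a ClusterRoleBinding confers them cluster-wide.

```python
"""Minimal evaluator for Kubernetes RBAC: Role, ClusterRole, RoleBinding, ClusterRoleBinding.

Added example; every object below is constructed. RBAC is purely additive: there
are no deny rules, so a request is allowed when any rule of any applicable binding matches.
"""

ROLES = [  # namespaced: a Role exists only inside its namespace
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "production"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "update", "patch"]}]},
]

CLUSTER_ROLES = [  # cluster-scoped; this "view" is a constructed subset of the built-in one
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": ["", "apps"], "resources": ["pods", "services", "deployments"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

BINDINGS = [
    # A Role bound in its own namespace to a service account that lives in another namespace.
    {"kind": "RoleBinding", "metadata": {"namespace": "production"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
    # The view ClusterRole bound to the on-call group through a RoleBinding:
    # its permissions apply only in "staging".
    {"kind": "RoleBinding", "metadata": {"namespace": "staging"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "on-call"}]},
    # A ClusterRole bound cluster-wide.
    {"kind": "ClusterRoleBinding", "metadata": {},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
]


def _rules_for(binding: dict) -> list:
    """Resolve a binding's roleRef to its rules; an unknown ref grants nothing."""
    ref = binding["roleRef"]
    if ref["kind"] == "Role":
        ns = binding["metadata"]["namespace"]
        pool = [r for r in ROLES if r["metadata"]["namespace"] == ns]
    else:
        pool = CLUSTER_ROLES
    return next((r["rules"] for r in pool if r["metadata"]["name"] == ref["name"]), [])


def _subject_matches(bound: dict, subject: dict) -> bool:
    if bound["kind"] != subject["kind"] or bound["name"] != subject["name"]:
        return False
    # Service accounts are namespaced, so the namespace is part of their identity.
    return bound["kind"] != "ServiceAccount" or bound.get("namespace") == subject.get("namespace")


def _rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    def hit(key, value):
        return "*" in rule[key] or value in rule[key]
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def can(subject: dict, verb: str, resource: str, namespace: str, api_group: str = "") -> bool:
    """Decide one request the way the RBAC authorizer does: first matching rule wins."""
    for binding in BINDINGS:
        if not any(_subject_matches(s, subject) for s in binding["subjects"]):
            continue
        # A RoleBinding confers permissions only inside its own namespace, whatever
        # kind of role it references; a ClusterRoleBinding confers them everywhere.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        if any(_rule_allows(r, api_group, resource, verb) for r in _rules_for(binding)):
            return True
    return False


if __name__ == "__main__":
    ci = {"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}
    print(can(ci, "update", "deployments", "production", "apps"))  # True
    print(can(ci, "get", "pods", "production"))  # False: lacks the get pods permission
```

Note that the core API group is the empty string, which is why pods are looked up with `api_group=""` while deployments need `"apps"`; a rule listing only `"apps"` grants nothing on pods, which is exactly the gap the first sample sentence describes.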
Network Policies
A NetworkPolicy resource declares which pods can communicate with which other pods (and external endpoints) over the network.
- Ingress rules — control inbound traffic to a pod
- Egress rules — control outbound traffic from a pod
- Pod selector — identifies the pods the policy applies to
- Namespace selector — extends rules across namespaces
Sample sentences
- “The NetworkPolicy denies all ingress by default, then allows traffic only from the frontend pods.”
- “We added an egress rule to permit DNS lookups on port 53.”
- “The policy isolates the payment service from the rest of the cluster.”
- “Without a NetworkPolicy, pods are non-isolated — all traffic is allowed.”
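The four sample sentences above, evaluated by an added example that is not part of the page. The pods, namespaces, and three NetworkPolicy objects are constructed in the shape of networking.k8s.io/v1; the evaluator models the two semantics the last sentence depends on: a pod that no policy selects is non-isolated in that direction, and once a policy selects it, only traffic some rule explicitly permits gets through. It generalizes slightly beyond the text by also handling namespaceSelector peers and port/protocol matching.

```python
"""NetworkPolicy evaluator: is a connection from one pod to another allowed?

Added example; pods, namespaces and policies are constructed.
"""

NAMESPACES = {"shop": {"team": "shop"}, "tools": {"team": "platform"}}  # name -> labels
PODS = {  # name -> (namespace, labels)
    "frontend-1": ("shop", {"app": "frontend"}),
    "payment-1": ("shop", {"app": "payment"}),
    "batch-1": ("shop", {"app": "batch"}),
    "debug-1": ("tools", {"app": "debug"}),
}

POLICIES = [
    # 1. Default-deny both directions for the payment pods: selected, but no rules.
    {"metadata": {"namespace": "shop", "name": "payment-default-deny"},
     "spec": {"podSelector": {"matchLabels": {"app": "payment"}},
              "policyTypes": ["Ingress", "Egress"]}},
    # 2. Then allow ingress only from frontend pods in the same namespace.
    {"metadata": {"namespace": "shop", "name": "payment-allow-frontend"},
     "spec": {"podSelector": {"matchLabels": {"app": "payment"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]}},
    # 3. Egress rule permitting DNS lookups on port 53 to any destination.
    {"metadata": {"namespace": "shop", "name": "payment-allow-dns"},
     "spec": {"podSelector": {"matchLabels": {"app": "payment"}},
              "policyTypes": ["Egress"],
              "egress": [{"ports": [{"protocol": "UDP", "port": 53},
                                    {"protocol": "TCP", "port": 53}]}]}},
]


def _selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every listed label must match; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _policies_selecting(pod: str, direction: str) -> list:
    """Policies in the pod's namespace whose podSelector matches it for this direction."""
    ns, labels = PODS[pod]
    return [p for p in POLICIES
            if p["metadata"]["namespace"] == ns
            and direction in p["spec"].get("policyTypes", ["Ingress"])
            and _selects(p["spec"]["podSelector"], labels)]


def _peer_matches(peer: dict, other: str, policy_ns: str) -> bool:
    """Does a from/to entry cover the other pod?"""
    ns, labels = PODS[other]
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], NAMESPACES[ns]):
            return False
    elif ns != policy_ns:  # a bare podSelector is scoped to the policy's own namespace
        return False
    return _selects(peer.get("podSelector", {}), labels)


def _port_matches(ports: list, port: int, protocol: str) -> bool:
    if not ports:
        return True  # a rule without ports covers every port and protocol
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def _direction_allows(pod: str, direction: str, other: str, port: int, protocol: str) -> bool:
    policies = _policies_selecting(pod, direction)
    if not policies:
        return True  # non-isolated for this direction: all traffic is allowed
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for policy in policies:
        for rule in policy["spec"].get(rules_key, []):
            peers = rule.get(peers_key, [])
            peer_ok = not peers or any(
                _peer_matches(pe, other, policy["metadata"]["namespace"]) for pe in peers)
            if peer_ok and _port_matches(rule.get("ports", []), port, protocol):
                return True
    return False  # isolated and no rule permits it


def allowed(src: str, dst: str, port: int, protocol: str = "TCP") -> bool:
    """A connection needs the source's egress AND the destination's ingress to permit it."""
    return (_direction_allows(src, "Egress", dst, port, protocol)
            and _direction_allows(dst, "Ingress", src, port, protocol))


if __name__ == "__main__":
    print(allowed("frontend-1", "payment-1", 8443))  # True: allowed by policy 2
    print(allowed("batch-1", "payment-1", 8443))  # False: payment is isolated
    print(allowed("payment-1", "frontend-1", 53, "UDP"))  # True: DNS egress
```

Policies are additive and never conflict: the default-deny policy contributes no rules, so it only switches the payment pods into the isolated state, and the other two policies punch the specific holes. Removing all three would make `payment-1` non-isolated again, and every call would return True.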
Putting It All Together
Here is how these terms combine in a real conversation:
“We wrote an operator backed by a CRD for our message broker. The mutating webhook injects a sidecar that exports metrics. RBAC ensures only the operator’s service account can manage broker instances, and NetworkPolicies restrict broker pods to communicate only with the queue consumers.”
Key Takeaways
- CRD — extends the Kubernetes API with new resource types
- Operator — automates operational tasks using a reconcile loop
- Admission webhook — intercepts API calls to validate or mutate objects
- RBAC — controls who can do what with which resources
- NetworkPolicy — restricts pod-to-pod and pod-to-external traffic
Precision in these terms signals seniority. Use the exact vocabulary above in architecture discussions, code reviews, and incident retrospectives.