Kubernetes & Container Orchestration
Pod, Deployment, Service, Ingress, CRD, Operator, and the essential vocabulary for running containerised workloads in Kubernetes.
- Pod /pɒd/
The smallest deployable unit in Kubernetes: one or more containers sharing the same network namespace and storage volumes, scheduled together on a single node.
"Each pod runs a single application container plus a sidecar container for log shipping — they share localhost so the sidecar can scrape the app's /metrics endpoint."
- Deployment /dɪˈplɔɪmənt/
A Kubernetes controller that manages ReplicaSets, declaring the desired number of pod replicas, the rollout strategy and the update behaviour. Each rollout creates a new ReplicaSet and scales the old one down; the retained older ReplicaSets are what make rollbacks possible.
"The Deployment is configured with maxSurge: 1 and maxUnavailable: 0 — during a rolling update, one new pod must be ready before an old one is terminated, ensuring zero-downtime deploys."
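The rollingUpdate numbers above are resolved against spec.replicas before the controller uses them, and the rounding rules have a sharp edge on small Deployments. The following is an added example (not code from the original page or from Kubernetes itself) that reproduces the documented fencepost resolution: percentage maxSurge rounds up, percentage maxUnavailable rounds down, and when both resolve to 0 the controller forces maxUnavailable to 1. Function names and the sample replica counts are my own.

```python
"""Added example, not from the original page: resolve a Deployment's
rollingUpdate fenceposts the way the Kubernetes deployment controller does.
Percentages are scaled against spec.replicas, maxSurge rounding up and
maxUnavailable rounding down; if both resolve to 0 the controller sets
maxUnavailable to 1, which quietly gives up zero-downtime on 1-replica apps."""
import math


def scaled_value(value, replicas, round_up):
    """IntOrString -> absolute count. Integers are used as-is; "25%" is scaled."""
    if isinstance(value, str) and value.endswith("%"):
        pct = int(value[:-1])
        raw = replicas * pct / 100
        return math.ceil(raw) if round_up else math.floor(raw)
    return int(value)


def resolve_fenceposts(replicas, max_surge="25%", max_unavailable="25%"):
    """Return (surge, unavailable) as absolute pod counts. The defaults are the
    Kubernetes defaults (25%/25%)."""
    surge = scaled_value(max_surge, replicas, round_up=True)
    unavailable = scaled_value(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        # API validation rejects an explicit 0/0, but rounding down still gets
        # here (e.g. maxSurge: 0, maxUnavailable: 25%, replicas: 1). The
        # controller then uses unavailable=1: it kills a pod before the
        # replacement is Ready.
        unavailable = 1
    return surge, unavailable


def rollout_bounds(replicas, max_surge="25%", max_unavailable="25%"):
    """What the controller enforces during the rollout: a ceiling on total
    pods (old + new) and a floor on Ready pods."""
    surge, unavailable = resolve_fenceposts(replicas, max_surge, max_unavailable)
    return {
        "max_total_pods": replicas + surge,
        "min_ready_pods": replicas - unavailable,
        "zero_downtime": unavailable == 0,
    }


if __name__ == "__main__":
    # The page's configuration: one extra pod allowed, none may be unavailable.
    print(rollout_bounds(3, max_surge=1, max_unavailable=0))
    # A single-replica Deployment that forbids surge: the fencepost rule bites.
    print(rollout_bounds(1, max_surge=0, max_unavailable="25%"))
```

The second call is the case to watch for: a one-replica Deployment with maxSurge: 0 looks safe on paper, but maxUnavailable: 25% floors to 0, both fenceposts are 0, and the controller takes the pod down first.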
- Service /ˈsɜːvɪs/
A stable virtual IP and DNS name that load-balances traffic to a set of pods selected by label. Abstracts away individual pod IPs, which change on restarts.
"The backend Service selects pods with app=api — when a pod crashes and is replaced, the new pod's IP is automatically added to the Service's endpoint slice and traffic resumes without DNS changes."
- Ingress /ˈɪŋɡres/
A Kubernetes API object that describes external HTTP/HTTPS access to Services inside the cluster: host/path routing rules, TLS termination and load balancing. The object is only a declaration; an Ingress controller (ingress-nginx, Traefik, AWS ALB) must be installed to implement it, and each controller interprets annotations and defaults differently.
"The Ingress routes api.example.com/v2/ to the v2-api Service and api.example.com/v1/ to the legacy-api Service — path-based routing lets us run both versions simultaneously during the migration."
- ConfigMap /ˈkɒnfɪɡmæp/
A Kubernetes object for storing non-sensitive configuration data as key-value pairs, consumed by pods as environment variables, command-line arguments or mounted files. It offers no confidentiality: anyone who can read the namespace can read it, so credentials belong in a Secret.
"The application reads its database host and port from a ConfigMap mounted as environment variables — changing the config only requires updating the ConfigMap and restarting the deployment, not rebuilding the image."
- Secret /ˈsiːkrɪt/
A Kubernetes object for storing sensitive data (passwords, tokens, TLS certificates). Values are base64-encoded, which is an encoding, not encryption: by default a Secret sits in etcd in plaintext and is readable by any principal with RBAC get or list on secrets in that namespace. Protect it with encryption at rest (an EncryptionConfiguration using aescbc, aesgcm, secretbox or an external KMS provider), tight RBAC, and by preferring mounted files over environment variables, which are inherited by child processes and show up in crash dumps and debugging output.
"The database password is stored in a Kubernetes Secret and injected as an environment variable — it's never in the container image or ConfigMap. We use Sealed Secrets to safely commit the encrypted secret to git."
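Two checks worth running whenever Secrets come up in a review, as an added example (this is not code from the page or from Kubernetes): decoding a Secret manifest to show that base64 gives no protection at all, and auditing an EncryptionConfiguration for the common mistake of listing the identity provider first. The manifest, the namespace and the key placeholder are constructed for the example; wildcard resource matching is simplified to the three forms shown.

```python
"""Added example, not from the original page. (1) A Secret's `data` is only
base64, so anyone with RBAC `get` on it holds the plaintext. (2) The API server
encrypts new writes with the FIRST provider listed for a resource and merely
accepts the others for reads, so `identity` first means plaintext in etcd even
when a key is configured. All names and values are constructed."""
import base64
import json

# Constructed: what `kubectl get secret db-creds -n payments -o json` would print.
SECRET_JSON = """{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {"name": "db-creds", "namespace": "payments"},
  "type": "Opaque",
  "data": {"username": "YXBw", "password": "cy0zY3IzdC1wQHNz"}
}"""

# Constructed EncryptionConfiguration with the misconfiguration: key present,
# but `identity` (no encryption) listed first.
ENCRYPTION_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"identity": {}},
            {"aescbc": {"keys": [{"name": "key1", "secret": "<base64 32-byte key, placeholder>"}]}},
        ],
    }],
}


def decode_secret(manifest_json):
    """Return the plaintext key/values of a Secret manifest. No key material is
    needed: base64 is an encoding, not encryption."""
    secret = json.loads(manifest_json)
    plain = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    # stringData is the write-only plaintext form; the API server folds it into data.
    plain.update(secret.get("stringData", {}))
    return plain


def _covers_secrets(resource_names):
    # "*." (all core-group resources) and "*.*" (everything) also include Secrets.
    return any(r in ("secrets", "*.", "*.*") for r in resource_names)


def secrets_encrypted_at_rest(config):
    """True only if the first provider listed for Secrets is an encrypting one."""
    for entry in config.get("resources", []):
        if _covers_secrets(entry.get("resources", [])):
            first = entry["providers"][0]
            return "identity" not in first
    return False  # no rule for Secrets at all: stored as plaintext


def harden(config):
    """Return a copy with `identity` moved last in every entry, so it is only
    used to read legacy plaintext objects during migration."""
    fixed = json.loads(json.dumps(config))  # deep copy
    for entry in fixed.get("resources", []):
        providers = entry["providers"]
        entry["providers"] = ([p for p in providers if "identity" not in p]
                              + [p for p in providers if "identity" in p])
    return fixed


if __name__ == "__main__":
    print(decode_secret(SECRET_JSON))
    print("encrypted before fix:", secrets_encrypted_at_rest(ENCRYPTION_CONFIG))
    print("encrypted after fix: ", secrets_encrypted_at_rest(harden(ENCRYPTION_CONFIG)))
```

Reordering the providers only affects new writes; Secrets already in etcd stay plaintext until they are rewritten, which is why the Kubernetes encryption-at-rest procedure ends with re-saving every existing Secret after the configuration change.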
- Namespace /ˈneɪmspeɪs/
A logical partition of a cluster that scopes resource names, RBAC bindings and ResourceQuota/LimitRange enforcement, so that different teams or environments (dev, staging) can share a cluster. A namespace is not a security boundary on its own: pods in different namespaces can reach each other freely until a NetworkPolicy says otherwise, NetworkPolicy is only enforced if the CNI plugin implements it, and nodes, PersistentVolumes and ClusterRoles are cluster-scoped regardless.
"Each team has its own namespace with ResourceQuota limits: max 20 CPUs and 40Gi memory. NetworkPolicy rules prevent pods in different namespaces from communicating unless explicitly allowed."
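The "unless explicitly allowed" part of that example hides the rule that matters: a pod accepts all traffic until some NetworkPolicy selects it, after which only traffic matched by a rule of a selecting policy gets through. The following is an added example (not code from the page, and not how any CNI implements it) that evaluates the ingress side of those semantics on constructed pods, namespaces and policies. It models matchLabels selectors only, and neither ports nor ipBlock peers.

```python
"""Added example, not from the original page: an evaluator for the *ingress*
side of NetworkPolicy semantics. Assumptions: matchLabels only, no ports,
no ipBlock. Pods, namespaces and policies below are constructed."""

NAMESPACES = {  # namespace name -> its labels
    "payments": {"team": "payments"},
    "marketing": {"team": "marketing"},
}

PODS = {
    "api": {"namespace": "payments", "labels": {"app": "api"}},
    "web": {"namespace": "payments", "labels": {"app": "web"}},
    "crawler": {"namespace": "marketing", "labels": {"app": "crawler"}},
}

# Minimal NetworkPolicy objects, shaped like the real API.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},  # no rules: nothing allowed
}
ALLOW_WEB_TO_API = {
    "metadata": {"name": "allow-web-to-api", "namespace": "payments"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}],
    },
}
POLICIES = [DEFAULT_DENY, ALLOW_WEB_TO_API]


def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present with that value.
    An empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_allows(peer, src_pod, policy_namespace):
    """One entry of ingress[].from[]. podSelector and namespaceSelector in the
    same entry are ANDed; a podSelector without a namespaceSelector is scoped
    to the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # assumption: IP-based peers are not modelled here
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES.get(src_pod["namespace"], {})):
            return False
    elif src_pod["namespace"] != policy_namespace:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src_pod["labels"]):
        return False
    return True


def ingress_allowed(src_pod, dst_pod, policies):
    """A pod with no selecting ingress policy accepts everything; once any
    policy selects it, only traffic matched by some rule of some selecting
    policy gets through. Policies are additive, never subtractive."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_pod["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst_pod["labels"])
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])  # an empty/absent `from` allows every source
            if not peers or any(peer_allows(peer, src_pod, p["metadata"]["namespace"]) for peer in peers):
                return True
    return False


if __name__ == "__main__":
    # With no policies, namespaces are not a network boundary at all.
    print("crawler -> api, no policies:", ingress_allowed(PODS["crawler"], PODS["api"], []))
    for src in ("web", "crawler"):
        print(f"{src} -> api, with policies:", ingress_allowed(PODS[src], PODS["api"], POLICIES))
```

Note that web -> web is also denied once the policies are in place: the default-deny policy selects every pod in payments, and nothing re-allows traffic to web. That is the intended effect of a default-deny baseline, and it is why every workload in the namespace needs its own allow policy.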
- HorizontalPodAutoscaler (HPA) /hɒrɪˈzɒntəl pɒd ˈɔːtəskeɪlər/
A Kubernetes controller that automatically scales the number of pod replicas based on observed CPU/memory utilisation or custom metrics, maintaining a target utilisation threshold.
"The HPA is configured to maintain 60% CPU utilisation — during a traffic spike, it scaled the API deployment from 3 to 11 replicas in under 90 seconds, keeping response times within SLO."
- CRD (Custom Resource Definition) /siː ɑː diː/
An extension to the Kubernetes API that defines a new custom resource type — allowing teams to introduce domain-specific objects (DatabaseCluster, KafkaTopic) managed by Kubernetes.
"We defined a CRD for DatabaseCluster — platform teams can declare spec: replicas: 3, version: 14.2 and the operator handles provisioning, HA configuration, and automated backups, just like a native Kubernetes resource."
- Operator Pattern /ˈɒpəreɪtər ˈpætən/
A method of packaging operational knowledge as a controller that watches CRs and reconciles actual state with desired state — automating complex Day 2 operations (failover, scaling, backups) that would otherwise require human expertise.
"The PostgreSQL operator watches DatabaseCluster resources and runs a reconciliation loop every 30 seconds: if the actual replica count doesn't match the desired count, it provisions or deprovisions replicas automatically."
- StatefulSet /ˈsteɪtfəl set/
A Kubernetes controller for stateful applications (databases, message queues) that provides stable pod names, ordered deployment/scaling, and persistent volume claims tied to each pod instance.
"Kafka runs as a StatefulSet — pods are named kafka-0, kafka-1, kafka-2 with stable DNS entries. Each pod has its own PersistentVolumeClaim so pod restarts don't lose partition data."
- PersistentVolumeClaim (PVC) /pɜːsɪstənt ˈvɒljuːm kleɪm/
A request for storage by a pod — declaring size, access mode, and optional storage class. Kubernetes binds it to a PersistentVolume (physical storage), abstracting the underlying storage provider.
"Each database pod has a 100Gi PVC with ReadWriteOnce access mode and the fast-ssd StorageClass. When the pod is rescheduled to another node, the PVC re-attaches and the data is preserved."
- Readiness / Liveness Probe /ˈredinɪs / ˈlaɪvnɪs prəʊb/
HTTP, TCP, gRPC or exec health checks the kubelet runs against containers. Liveness probe: restart the container if it fails. Readiness probe: remove the pod from Service endpoints while it fails, so traffic is not sent to pods that are still initialising or temporarily unhealthy. A startup probe suspends the other two until a slow-starting container is up. A liveness probe that depends on something downstream (the database, an upstream API) turns an outage there into a restart storm, so keep liveness checks in-process and put dependency checks in readiness.
"The liveness probe hits /healthz every 10 seconds — if it fails 3 times, Kubernetes restarts the container. The readiness probe checks /ready — during startup, the pod is excluded from the Service load balancer until the database connection pool is warmed up."
- Resource Requests and Limits /rɪˈsɔːs rɪˈkwests ænd ˈlɪmɪts/
Requests: the amount of CPU/memory the scheduler reserves for a container when choosing a node. Limits: the maximum the container may consume; exceeding the CPU limit results in throttling, exceeding the memory limit results in an OOMKill. Together they determine the pod's QoS class (Guaranteed when every container has limits equal to its requests, BestEffort when nothing is set, Burstable otherwise), which decides who is evicted first under node pressure. A container with no limits can consume everything the node has.
"Setting requests: cpu: 250m, memory: 256Mi ensures the scheduler places the pod on a node with that capacity. The limit: cpu: 1000m, memory: 1Gi prevents a runaway pod from starving neighbours — if it exceeds memory, it's OOMKilled and restarted."
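Reasoning about requests and limits means parsing Kubernetes quantities ("250m", "256Mi", "1Gi") and applying the QoS classification rules. The following is an added example, not code from the page or from the kubelet, that does both on constructed pod specs and flags containers that have no limits at all; the quantity parser covers the common suffixes only.

```python
"""Added example, not from the original page: parse Kubernetes resource
quantities and derive a pod's QoS class from its requests and limits, which
decides who is OOM-killed or evicted first under node pressure. Pod specs
are constructed; quantity parsing covers the common suffixes only."""
from decimal import Decimal

_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_cpu_millis(q):
    """'250m' -> 250, '1' -> 1000, '0.5' -> 500 (millicores)."""
    q = str(q)
    if q.endswith("m"):
        return int(Decimal(q[:-1]))
    return int(Decimal(q) * 1000)


def parse_memory_bytes(q):
    """'256Mi' -> 268435456, '500M' -> 500000000, '1024' -> 1024 (bytes)."""
    q = str(q)
    for suffix, mult in list(_BINARY.items()) + list(_DECIMAL.items()):
        if q.endswith(suffix):
            return int(Decimal(q[: -len(suffix)]) * mult)
    return int(Decimal(q))


_PARSERS = {"cpu": parse_cpu_millis, "memory": parse_memory_bytes}


def qos_class(pod_spec):
    """Guaranteed: every container (init containers included) has cpu and
    memory limits, and requests equal limits (a missing request defaults to
    the limit). BestEffort: no container sets any cpu/memory request or
    limit. Burstable: everything else."""
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    anything_set = False
    guaranteed = True
    for c in containers:
        res = c.get("resources", {})
        requests, limits = res.get("requests", {}), res.get("limits", {})
        for name, parse in _PARSERS.items():
            if name in requests or name in limits:
                anything_set = True
            if name not in limits:
                guaranteed = False
            elif name in requests and parse(requests[name]) != parse(limits[name]):
                guaranteed = False  # compared as quantities, so "1" == "1000m"
    if not anything_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


def containers_without_limits(pod_spec):
    """Names of containers that could consume unbounded cpu or memory."""
    return [
        c["name"] for c in pod_spec.get("containers", [])
        if not all(r in c.get("resources", {}).get("limits", {}) for r in ("cpu", "memory"))
    ]


# Constructed: the page's request/limit values, plus a sidecar with no limits.
API_POD = {"containers": [
    {"name": "api", "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                                  "limits": {"cpu": "1000m", "memory": "1Gi"}}},
    {"name": "log-shipper", "resources": {"requests": {"cpu": "50m", "memory": "64Mi"}}},
]}
GUARANTEED_POD = {"containers": [
    {"name": "db", "resources": {"requests": {"cpu": "1", "memory": "2Gi"},
                                 "limits": {"cpu": "1000m", "memory": "2048Mi"}}},
]}

if __name__ == "__main__":
    print(qos_class(API_POD), containers_without_limits(API_POD))              # Burstable ['log-shipper']
    print(qos_class(GUARANTEED_POD), containers_without_limits(GUARANTEED_POD))  # Guaranteed []
    print(qos_class({"containers": [{"name": "scratch"}]}))                     # BestEffort
```

The log-shipper sidecar is the realistic failure: the main container is bounded, but one unbounded helper is enough to drop the whole pod to Burstable and to let that helper starve the node. A LimitRange in the namespace that supplies default limits closes that gap for anything that forgets to set them.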
- Helm Chart /helm tʃɑːt/
A package for Helm, the Kubernetes package manager: a versioned collection of manifest templates plus a values.yaml of defaults that consumers override at install time, enabling repeatable deployments of complex applications. A chart pulled from a repository is third-party code that runs in your cluster with whatever RBAC the release is granted, so pin chart versions, review the rendered manifests (helm template) and check provenance signatures (helm verify) where the publisher provides them.
"We ship our microservice as a Helm chart — consumers install it with helm install --set ingress.host=api.customer.com. The chart version is pinned in CD pipelines and upgrades are applied with helm upgrade, with rollback via helm rollback."
- Node Affinity / Taints and Tolerations /nəʊd əˈfɪnɪti / teɪnts ænd ˌtɒləˈreɪʃənz/
Scheduling controls. Node affinity: require or prefer that a pod land on nodes with particular labels (e.g., GPU nodes). Taints mark a node so that the scheduler keeps general pods off it; a toleration lets a pod be placed on a node carrying a matching taint. A toleration permits placement, it does not request it, so pair it with node affinity or a nodeSelector to actually steer the pod onto the tainted nodes.
"GPU nodes are tainted gpu=true:NoSchedule — only ML training pods with the matching toleration are scheduled there. Node affinity rules also require the pod to land on a node with zone=eu-west-1a for data residency compliance."
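The example above combines both controls, and the matching rules for each have details that are easy to get wrong (an empty-key Exists toleration matches every taint; a PreferNoSchedule taint never blocks placement; nodeSelectorTerms are ORed while the expressions inside one term are ANDed). The following is an added example, not code from the page or from the kube-scheduler, that implements those documented semantics on constructed nodes and pods; tolerationSeconds and matchFields are not modelled.

```python
"""Added example, not from the original page: the scheduler's two hard filters
for the page's GPU scenario, written from the documented semantics.
Taints/tolerations: a pod fits only if every NoSchedule/NoExecute taint is
tolerated (PreferNoSchedule only affects scoring). Node affinity:
requiredDuringScheduling terms are ORed, matchExpressions in a term are
ANDed. Nodes and pods are constructed; tolerationSeconds and matchFields are
not modelled."""

HARD_EFFECTS = {"NoSchedule", "NoExecute"}


def tolerates(toleration, taint):
    """Effect must match unless the toleration leaves it empty. Operator Exists
    ignores the value, and an empty key with Exists matches every key.
    Operator Equal (the default) needs key and value to match."""
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    if toleration.get("operator", "Equal") == "Exists":
        return not toleration.get("key") or toleration["key"] == taint["key"]
    return (toleration.get("key") == taint["key"]
            and toleration.get("value", "") == taint.get("value", ""))


def untolerated_taints(node_taints, pod_tolerations):
    return [t for t in node_taints
            if t["effect"] in HARD_EFFECTS
            and not any(tolerates(tol, t) for tol in pod_tolerations)]


def expression_matches(expr, labels):
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return not present or labels[key] not in values  # absent key satisfies NotIn
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op in ("Gt", "Lt"):
        if not present:
            return False
        return int(labels[key]) > int(values[0]) if op == "Gt" else int(labels[key]) < int(values[0])
    raise ValueError(f"unknown operator {op}")


def required_affinity_satisfied(node_labels, affinity):
    required = (affinity or {}).get("nodeAffinity", {}).get(
        "requiredDuringSchedulingIgnoredDuringExecution")
    if not required:
        return True
    terms = required.get("nodeSelectorTerms", [])
    # A term with no expressions matches nothing; terms are ORed, expressions ANDed.
    return any(t.get("matchExpressions")
               and all(expression_matches(e, node_labels) for e in t["matchExpressions"])
               for t in terms)


def schedulable(node, pod):
    """Return (fits, reasons) for the two hard filters above."""
    reasons = [f"untolerated taint {t['key']}={t.get('value', '')}:{t['effect']}"
               for t in untolerated_taints(node.get("taints", []), pod.get("tolerations", []))]
    if not required_affinity_satisfied(node.get("labels", {}), pod.get("affinity")):
        reasons.append("required node affinity not satisfied")
    return not reasons, reasons


# Constructed nodes and pods mirroring the page's scenario.
GPU_NODE_A = {"labels": {"zone": "eu-west-1a", "accelerator": "nvidia-a10"},
              "taints": [{"key": "gpu", "value": "true", "effect": "NoSchedule"}]}
GPU_NODE_B = {"labels": {"zone": "eu-west-1b", "accelerator": "nvidia-a10"},
              "taints": [{"key": "gpu", "value": "true", "effect": "NoSchedule"}]}
ML_POD = {
    "tolerations": [{"key": "gpu", "operator": "Equal", "value": "true", "effect": "NoSchedule"}],
    "affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
        "nodeSelectorTerms": [{"matchExpressions": [
            {"key": "zone", "operator": "In", "values": ["eu-west-1a"]}]}]}}},
}
WEB_POD = {}  # no tolerations, no affinity

if __name__ == "__main__":
    print(schedulable(GPU_NODE_A, ML_POD))
    print(schedulable(GPU_NODE_B, ML_POD))
    print(schedulable(GPU_NODE_A, WEB_POD))
```

The blanket toleration ({"operator": "Exists"}) is the one to grep for in admission reviews: it tolerates every taint of every effect, so a workload carrying it can land on nodes that were tainted precisely to keep general workloads away.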