Kubernetes Basics

Kubernetes (K8s) is an open-source platform for automating deployment, scaling, and management of containerized applications. This document explains the basic concepts and key resources of Kubernetes, as well as the architecture specific to Azure Kubernetes Service (AKS).

What is Kubernetes?

Kubernetes was developed based on the knowledge gained from the Borg system used internally by Google. It is an orchestration tool that bundles multiple hosts (nodes) to form a cluster and efficiently runs containers on them.

Key Features:

  • Service Discovery and Load Balancing: Distributes traffic to containers.
  • Storage Orchestration: Automatically mounts local storage or cloud provider storage.
  • Automated Rollouts and Rollbacks: Updates applications incrementally and rolls back if problems occur.
  • Self-healing: Restarts failed containers and replaces unresponsive containers.

AKS Architecture and MC_ Resource Group

Azure Kubernetes Service (AKS) is a managed Kubernetes service provided by Azure. With AKS, you can offload the management of the control plane (master nodes) to Azure.

Control Plane and Nodes

  • Control Plane: Managed by Azure and provided free of charge (except for Standard Tier with SLA). Includes API Server, Scheduler, etcd, etc.
  • Nodes (Agent Pools): Virtual machines where user applications actually run. These are created within the user's subscription.

System Nodes and User Nodes

AKS node pools have two modes depending on their role.

  • System Node Pool:
    • Hosts critical system Pods such as CoreDNS and Metrics Server.
    • An AKS cluster requires at least one system node pool.
    • Only Linux OS is supported.
  • User Node Pool:
    • Node pools dedicated to hosting user application Pods.
    • You can create multiple user node pools as needed.
    • Supports both Linux and Windows nodes.

About MC_ Resource Group

When you create an AKS cluster, a node resource group is automatically created separately from the resource group you specified. The default naming convention is MC_<ResourceGroupName>_<ClusterName>_<Location>.

The following Azure resources required for cluster operation are automatically placed in this MC_ resource group:

  1. Virtual Machine Scale Sets (VMSS): A group of virtual machines that make up the node pool.
  2. Virtual Network (VNet) & Subnets: Network providing communication between nodes and external connections (if not using BYO VNet).
  3. Load Balancer: Load balancer to distribute traffic to Services (type: LoadBalancer) or Ingress Controllers.
  4. Network Security Groups (NSG): Security groups for traffic control.
  5. Managed Identities: Identities that AKS uses to manage other Azure resources (ACR, networking, etc.).
  6. Public IP Addresses: IP addresses for external exposure.
  7. Disks: Managed Disks used as Persistent Volumes (PV).

Note

Directly modifying or deleting resources in this MC_ resource group by hand may cause the AKS cluster to malfunction. As a rule, make changes through Kubernetes manifests, the Azure CLI, or the AKS management screens in the Azure portal.

Key Resources

In Kubernetes, "objects" or "resources" are used to define the state of the cluster. These are usually defined in YAML format files called Manifests.

Manifest

A configuration file describing the "Desired State" of Kubernetes resources. Apply it to the cluster with commands like kubectl apply -f <filename>.yaml.

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: nginx
      image: nginx:latest

Pod

The smallest unit of deployment in Kubernetes. Contains one or more containers. Containers in the same Pod share an IP address and storage volumes. Pods are rarely created directly; they are usually managed through higher-level resources such as Deployments.

ReplicaSet

A resource that guarantees that a specified number of Pod replicas are always running. If a Pod stops, it automatically creates a new Pod to maintain the specified number.

Deployment

A resource for managing stateless applications. It manages ReplicaSets and facilitates rolling updates and rollbacks of applications. Most commonly used for deploying web servers and API servers.
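The following manifest is an added example, not code from the original page: a Deployment that keeps three replicas of a web server running through the ReplicaSet it manages, with a rolling-update strategy and the hardening a practitioner would normally add (pinned image tag, non-root user, read-only root filesystem, dropped capabilities, resource requests and limits). The names, image tag and resource sizes are assumptions chosen for illustration.

```yaml
# Added example (not from the original page): a Deployment running three
# replicas of nginx behind a ReplicaSet it manages. Names, image tag and
# resource sizes are assumptions chosen for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web                 # must match the Pod template labels below
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1              # at most one extra Pod during an update
      maxUnavailable: 0        # never drop below the desired replica count
  template:
    metadata:
      labels:
        app: web
    spec:
      automountServiceAccountToken: false   # this app never calls the API server
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:1.25   # pinned tag; listens on 8080 as non-root
          ports:
            - containerPort: 8080
          readinessProbe:                   # the rollout waits until new Pods answer
            httpGet:
              path: /
              port: 8080
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp           # the only writable path nginx needs (pid, temp files)
      volumes:
        - name: tmp
          emptyDir: {}
```

Apply it with kubectl apply -f deployment.yaml; changing the image tag and re-applying triggers a rolling update, and kubectl rollout undo deployment/web returns to the previous ReplicaSet.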

StatefulSet

A resource for managing stateful applications like databases.

  • Assigns a unique ID (ordered index) to the Pod.
  • Persistent storage is tied to each Pod, and the same storage is reattached even if the Pod is recreated.
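The following manifests are an added example, not code from the original page: a headless Service plus a StatefulSet whose Pods get stable names (store-0, store-1) and their own PersistentVolumeClaim each, created from a volumeClaimTemplate. The names and the image are assumptions; managed-csi is the built-in Azure Disk storage class in AKS.

```yaml
# Added example (not from the original page): a headless Service plus a
# StatefulSet whose Pods get stable names (store-0, store-1) and their own
# PersistentVolumeClaim each. Names and the image are assumptions;
# managed-csi is the built-in Azure Disk storage class in AKS.
apiVersion: v1
kind: Service
metadata:
  name: store
spec:
  clusterIP: None            # headless: gives each Pod a DNS name store-N.store
  selector:
    app: store
  ports:
    - port: 8080
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: store
spec:
  serviceName: store
  replicas: 2
  selector:
    matchLabels:
      app: store
  template:
    metadata:
      labels:
        app: store
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000          # makes the mounted disk writable by the non-root user
      containers:
        - name: app
          image: busybox:1.36
          # Append this Pod's stable hostname on every start; after a Pod is
          # recreated the same disk is reattached, so the file keeps growing.
          command: ["sh", "-c", "echo \"$(hostname) started $(date)\" >> /data/history.log; while true; do sleep 3600; done"]
          volumeMounts:
            - name: data
              mountPath: /data
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
  volumeClaimTemplates:      # one PVC per Pod: data-store-0, data-store-1
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: managed-csi
        resources:
          requests:
            storage: 1Gi
```

After kubectl delete pod store-0, the replacement Pod is again named store-0 and reattaches data-store-0, so kubectl exec store-0 -- cat /data/history.log shows both starts.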

Service

A resource that abstracts network access to a set of Pods. While Pod IPs may change upon restart, Service provides a fixed IP (ClusterIP) or DNS name.

  • ClusterIP: Accessible only from within the cluster (default).
  • NodePort: Exposed externally on a specific port of each node.
  • LoadBalancer: Exposed externally using a cloud provider's load balancer (Azure Load Balancer is created in AKS).

Ingress

A resource that manages rules for routing HTTP/HTTPS traffic from outside the cluster to Services within the cluster.

  • Path-based or host-based routing is possible.
  • Provides SSL/TLS termination.
  • Implementation requires an Ingress Controller (Nginx Ingress Controller, Application Gateway Ingress Controller, etc.).
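The following manifests are an added example, not code from the original page, covering both the Service types above and the Ingress rules: a ClusterIP Service in front of Pods labelled app=web, an Ingress that routes two paths for one host and terminates TLS, and a LoadBalancer Service restricted to an internal Azure Load Balancer. The hostname, the ingress class name, the api Service and the TLS Secret name are assumptions for illustration.

```yaml
# Added example (not from the original page): a ClusterIP Service, an Ingress
# with host/path routing and TLS termination, and an internal LoadBalancer
# Service. Hostname, ingress class, the api Service and the TLS Secret name
# are assumptions for illustration.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: ClusterIP            # reachable only inside the cluster; the Ingress fronts it
  selector:
    app: web
  ports:
    - name: http
      port: 80               # stable port clients use
      targetPort: 8080       # port the container actually listens on
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # ingress-nginx: redirect HTTP to HTTPS
spec:
  ingressClassName: nginx    # the installed Ingress Controller that handles this rule
  tls:
    - hosts:
        - www.example.com
      secretName: web-tls    # kubernetes.io/tls Secret holding the certificate and key
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api    # a second ClusterIP Service, assumed to exist
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web-internal
  annotations:
    # AKS: provision the Azure Load Balancer with a private VNet IP instead of a public IP
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
```

Without the internal annotation, a LoadBalancer Service in AKS allocates a Public IP in the MC_ resource group and exposes the Pods to the internet directly, bypassing the Ingress TLS and routing rules.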

PVC (Persistent Volume Claim)

A resource for Pods to request persistent storage.

  • PV (Persistent Volume): The actual storage entity (Azure Disk, Azure Files, etc.).
  • PVC: A request (claim) in which the user specifies the required capacity and access mode to obtain a PV.
  • By using StorageClass, PVs (Azure Disk, etc.) can be dynamically provisioned when creating a PVC.
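The following manifests are an added example, not code from the original page, showing the dynamic provisioning chain StorageClass, PVC, Pod: a custom StorageClass backed by the Azure Disk CSI driver, a claim against it, and a Pod that mounts the resulting volume. The class name, claim name, disk SKU and sizes are assumptions; disk.csi.azure.com is the Azure Disk CSI provisioner used by AKS.

```yaml
# Added example (not from the original page): StorageClass -> PVC -> Pod.
# Names, SKU and sizes are assumptions; disk.csi.azure.com is the Azure Disk
# CSI provisioner used by AKS.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: premium-retain
provisioner: disk.csi.azure.com
parameters:
  skuName: Premium_LRS       # Azure Disk SKU for the dynamically created disks
reclaimPolicy: Retain        # deleting the PVC keeps the PV and the disk (no silent data loss)
allowVolumeExpansion: true   # the claim can later be grown by editing spec.resources
volumeBindingMode: WaitForFirstConsumer   # create the disk in the zone of the Pod that uses it
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  storageClassName: premium-retain
  accessModes:
    - ReadWriteOnce          # an Azure Disk can be attached to one node at a time
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000            # volume files are group-owned by 1000 so the app can write
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "date >> /data/boot.log; while true; do sleep 3600; done"]
      volumeMounts:
        - name: data
          mountPath: /data
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: app-data  # binds to the PV that the StorageClass provisions
```

kubectl get pvc app-data stays Pending until the Pod is scheduled (because of WaitForFirstConsumer), then shows Bound with the generated PV name; with Retain, deleting the claim leaves that PV in the Released state for manual recovery.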

Secret

A resource for storing and managing sensitive information such as passwords, OAuth tokens, and SSH keys.

  • Stored Base64-encoded, not encrypted, so restricting access with RBAC and enabling encryption at rest (for example with a KMS provider) is important.
  • Used by mounting as environment variables or volumes from Pods.

ServiceAccount

An identity used by processes running inside a Pod to communicate with the Kubernetes API server.

  • Authentication and Authorization: When a Pod accesses the API server, it is authenticated based on the ServiceAccount it uses, and permissions (authorization) are controlled by RBAC (Role-Based Access Control).
  • Default: If not specified when creating a Pod, the default ServiceAccount of that Namespace is automatically mounted.
  • Workload Identity: In AKS, by linking a ServiceAccount with a Microsoft Entra ID (formerly Azure AD) identity, it is possible to securely access Azure resources (such as Key Vault and SQL Database) without passwords.
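The following manifests are an added example, not code from the original page, covering both the Secret and the ServiceAccount sections: a Secret delivered to a Pod through a read-only volume, a dedicated ServiceAccount with a Role limited to a single ConfigMap, and the AKS Workload Identity annotation and label. The object names are assumptions, the ConfigMap app-config is assumed to exist, the password is a placeholder, and the client ID is a placeholder for a user-assigned managed identity.

```yaml
# Added example (not from the original page): Secret via volume, a
# least-privilege ServiceAccount, and the AKS Workload Identity wiring.
# Names are assumptions; password and client ID are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:                  # plain text here; the API server stores it Base64-encoded in etcd
  username: app
  password: "<REPLACE-WITH-GENERATED-PASSWORD>"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  annotations:
    # placeholder: client ID of the user-assigned managed identity federated with this SA
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
automountServiceAccountToken: false   # Pods get an API token only if they opt in
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-config-reader
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["app-config"]   # just this one object, not every ConfigMap
    verbs: ["get", "watch"]
# No rule for secrets: the Pod receives db-credentials through the volume
# below, so its identity never needs read access to Secret objects.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-config-reader
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: default       # namespace the ServiceAccount lives in
roleRef:
  kind: Role
  name: app-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    azure.workload.identity/use: "true"   # AKS injects the federated token for Entra ID
spec:
  serviceAccountName: app-sa              # instead of the Namespace's default ServiceAccount
  automountServiceAccountToken: true      # this Pod does read its ConfigMap via the API
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000                         # secret files become group-readable by 1000
  containers:
    - name: app
      image: busybox:1.36
      # the application reads /etc/db/password at startup (not echoed to logs)
      command: ["sh", "-c", "while true; do sleep 3600; done"]
      volumeMounts:
        - name: db
          mountPath: /etc/db
          readOnly: true
  volumes:
    - name: db
      secret:
        secretName: db-credentials
        defaultMode: 0440               # no world-readable credential files
```

kubectl auth can-i get secrets --as=system:serviceaccount:default:app-sa answers "no", while the same check for configmaps/app-config answers "yes", which is the least-privilege split the Role encodes.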

HPA (Horizontal Pod Autoscaler)

A feature that automatically adjusts the number of Pod replicas (the replica count of a Deployment or StatefulSet) based on metrics such as CPU utilization and memory usage.

  • Automatically scales out/in according to traffic fluctuations, improving resource efficiency and availability.
  • Requires Metrics Server to be installed in the cluster to use.
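The following manifest is an added example, not code from the original page: an autoscaling/v2 HorizontalPodAutoscaler for a Deployment named web, which is assumed to exist. Utilization targets are percentages of the containers' resource requests, so the target Deployment must set resources.requests for CPU or the HPA reports the metric as unavailable.

```yaml
# Added example (not from the original page): an HPA for a Deployment named
# web (assumed to exist, with resources.requests.cpu set on its containers).
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2             # keep two Pods even when idle, for availability
  maxReplicas: 10            # upper bound protects the node pool from runaway scale-out
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60   # scale out once average CPU exceeds 60% of requests
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 minutes before removing Pods after a spike
      policies:
        - type: Percent
          value: 50              # remove at most half of the Pods per minute
          periodSeconds: 60
```

kubectl get hpa web shows the current and target utilization; a TARGETS column of <unknown> usually means Metrics Server is not installed or the Deployment has no CPU request.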

Summary

Kubernetes has many resource types and may seem complex at first, but understanding the relationship between the basic Pod, Deployment, and Service is the first step. By using AKS, you can reduce the burden of infrastructure management while leveraging these powerful features to build scalable applications.