Skip to main content
Kubernetes Introduction
CHAPTER 03 Intermediate

Kubernetes Architecture Explained

Updated: May 15, 2026
20 min read

# CHAPTER 3

Kubernetes Architecture Explained

1. Introduction

Kubernetes can feel like "magic" when you first use it. You type kubectl run nginx, and instantly a web server appears. But what actually happened behind the scenes? If a server crashes in production, you cannot fix it if you do not understand the underlying mechanics. In this chapter, we will rip the roof off the Kubernetes cluster and examine the internal organs of the Master Node (Control Plane) and the Worker Nodes.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Identify the 4 core components of the Control Plane (Master Node).
  • Understand the critical role of the kube-apiserver.
  • Understand how etcd acts as the cluster's absolute source of truth.
  • Identify the 3 core components of a Worker Node (kubelet, kube-proxy, Container Runtime).
  • Trace the lifecycle of a kubectl command from terminal to execution.

3. Beginner-Friendly Explanation

Imagine a massive, automated restaurant.
  • You (The User): You are outside. You use your phone (kubectl) to send an order: "I want 3 pizzas."
  • The Manager (API Server): Receives your order. They are the only person allowed to talk to the outside world.
  • The Ledger Book (etcd): The Manager writes down in a permanent, locked book: "Customer A requires 3 pizzas."
  • The Floor Supervisor (Controller Manager): Constantly looks at the Ledger Book. They notice the book says "3 pizzas required," but there are currently 0 pizzas. They raise an alarm: "We need 3 pizzas!"
  • The Dispatcher (Scheduler): Hears the alarm. They look at the kitchen. "Oven 1 is full. Oven 2 is empty. Send the pizza orders to Oven 2!"
  • The Chefs (Worker Nodes / Kubelet): The chefs at Oven 2 receive the order from the Dispatcher. They cook the pizzas (Run the Pods) and report back to the Manager: "3 pizzas are ready."

4. The Control Plane (Master Node) Components

The Control Plane is the brain of the cluster. It contains 4 vital organs:
  1. 1. kube-apiserver: The front door. Every single command you type, and every internal communication between nodes, MUST pass through the API server.
  1. 2. etcd: The database. It is a highly-available, key-value store. It holds the "Desired State" of your entire cluster. If a Pod is running, it is recorded in etcd. If etcd is deleted, your cluster essentially suffers total amnesia and dies.
  1. 3. kube-scheduler: The matchmaker. When a new Pod needs to be created, the scheduler looks at the CPU and RAM of all Worker Nodes and decides which Node is the best fit to host the Pod.
  1. 4. kube-controller-manager: The enforcer. It runs continuous loops comparing the "Current State" to the "Desired State." If the Desired State is 5 Pods, and the Current State drops to 4 (because a node crashed), the Controller Manager orders the creation of a new Pod.

5. The Worker Node Components

Worker nodes do the heavy lifting. Every worker node runs 3 things:
  1. 1. Container Runtime: The engine that actually runs the containers (e.g., containerd, Docker, CRI-O).
  1. 2. kubelet: The captain of the ship. It is an agent running on the node that listens to the kube-apiserver. When the API Server says "Run this Pod," the kubelet tells the Container Runtime to start it. It also constantly reports the health of the Node back to the Master.
  1. 3. kube-proxy: The network routing cop. It maintains network rules on the node, ensuring that if a user requests a web page, the network traffic is successfully routed to the correct Pod on that specific node.

6. Tracing a Command

What happens when you type kubectl create deployment web --image=nginx?
  1. 1. kubectl authenticates with the API Server.
  1. 2. The API Server writes the request into etcd.
  1. 3. The Controller Manager notices a new deployment in etcd and creates a "ReplicaSet" requiring 1 Pod.
  1. 4. The Scheduler sees an unassigned Pod. It analyzes the cluster and assigns the Pod to "Worker Node 2".
  1. 5. The API server updates etcd with the assignment.
  1. 6. The kubelet on Worker Node 2 sees its name in the API Server.
  1. 7. The kubelet orders the Container Runtime to pull the Nginx image and start the container.
  1. 8. The kube-proxy updates network rules so the Pod can be reached.

7. Mini Project: Explore Cluster Components

Let's use kubectl to prove these components actually exist.

Step-by-Step Tutorial:

  1. 1. Ensure your Minikube cluster is running.
  1. 2. By default, Kubernetes hides its own internal brain components in a special "Namespace" called kube-system. Let's look inside it:

bash
1 
kubectl get pods -n kube-system
  1. 3. *The Proof:* You will see a list of Pods running the cluster itself! You will clearly see kube-apiserver-minikube, etcd-minikube, kube-scheduler-minikube, and kube-proxy. You are looking at the bare metal of the Control Plane!

8. Real-World Scenarios

In an enterprise AWS EKS (Elastic Kubernetes Service) cluster, you actually never see or manage the Control Plane. AWS hides the Master Nodes from you, manages their backups, and scales the etcd databases for you automatically. You only manage the Worker Nodes (EC2 instances) and pay AWS a management fee for handling the brain.

9. Best Practices

  • Protect etcd: In self-hosted, bare-metal Kubernetes clusters, taking regular, encrypted backups of the etcd database is the most critical operational task. Without an etcd backup, a catastrophic failure means rebuilding your entire infrastructure from memory.

10. Common Mistakes

  • Connecting Directly to Nodes: Beginners often try to SSH directly into a Worker Node to see what containers are running or to restart a crashed Docker container manually. Never do this. Kubernetes is the orchestrator. If you manually kill a container on a node, the Controller Manager will instantly notice the discrepancy and spawn a new one to replace it, fighting your manual actions!

11. Exercises

  1. 1. If a Worker Node experiences a total hardware failure and loses power, which component on the Master Node notices, and which component decides where the replacement Pods will be launched?
  1. 2. Why is the kube-apiserver considered the single point of entry for the entire cluster?

12. FAQs

Q: Does the Master Node run application containers? A: By default, no. Kubernetes places a "Taint" on the Master Nodes to prevent the Scheduler from placing user applications (like your PHP code) on them. This ensures the brain is never starved of CPU by a buggy user application.

13. Interview Questions

  • Q: Describe the step-by-step internal architectural process that occurs within a Kubernetes cluster when a deployment YAML file is applied via kubectl.
  • Q: Explain the role of etcd in a Kubernetes cluster. Why must an enterprise etcd deployment be configured in a highly-available, odd-numbered quorum?

14. Summary

In Chapter 3, we dissected the complex anatomy of a Kubernetes cluster. We divided the architecture into the Control Plane (the brain) and the Worker Nodes (the muscle). We traced how the kube-apiserver acts as the sole gateway, how etcd maintains the immutable source of truth, and how continuous control loops generated by the Controller Manager and Scheduler ensure that the physical reality of the cluster always matches the desired state.

15. Next Chapter Recommendation

We understand the factory, but what are we actually manufacturing? Proceed to Chapter 4: Understanding Pods in Kubernetes.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Installing Kubernetes and Minikube
Next Chapter Understanding Pods in Kubernetes

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 5

Related Quizzes 6