How Kubernetes actually works.
The control plane, the data plane, and every protocol that binds them. For infrastructure engineers building the platform, SREs running it in production, and the people writing the next generation of operators and controllers.
Fourteen sub-pages, all live below. Each is a 4,000-word deep dive with sequence diagrams, code excerpts, and links into the source tree.
Every component, every wire.
Kubernetes is not one program; it is roughly a dozen, each with a single responsibility, talking to each other over a small set of well-defined protocols. The diagram below is the whole system from above. Every sub-page deep-dives into one slice of it.
The api-server is the only component that talks to etcd. Everything else watches the api-server. That single property is the most important architectural fact in Kubernetes.
Start here.
Architecture
The control plane (api-server, etcd, scheduler, controller-manager, cloud-controller-manager) and the data plane (kubelet, kube-proxy, container runtime, CNI). Who calls whom, on which port, with which protocol.
The lifecycle of `kubectl apply`
A complete trace from the moment you press Enter on the kubectl command to the moment the pod is Running. Twelve hops, named, timed, and explained.
Pod scheduling, end to end
How the scheduler picks a node — predicates, priorities, the scheduling framework, plugin order. Then how the kubelet on that node actually starts the containers via the CRI.
The controller pattern
Informers, listers, work queues, reconciliation loops. The pattern that every built-in and custom controller follows. Pseudocode you can ship.
The scheduler framework
PreFilter, Filter, PreScore, Score, NormalizeScore, Reserve, Permit, PreBind, Bind, PostBind. The plugin chain a Pod walks through, in order.
etcd — the consistent store
Raft consensus, MVCC, watch streams, compaction. Why an etcd disaster makes the API server useless. Backups, restores, and the lease model.
The API server pipeline
Authentication chain, authorisation chain, mutating + validating admission webhooks, conversion, storage. The 11-stage request handler.
CRDs and operators
Defining a custom resource, building a controller for it with kubebuilder, the OperatorHub maturity model, when to ship a CRD vs a Helm chart.
Networking — CNI to kube-proxy
The four assumptions in the K8s networking model. CNI plugin spec. kube-proxy in iptables / IPVS / nftables / eBPF. Service IPs that are not IPs.
kubelet internals
Sync loop, CRI calls, image pull, volume mount, probe execution, eviction signals, cgroups setup. How a pod actually starts on a node.
Storage — CSI, PV / PVC, attach / detach
CSI plugin lifecycle. Volume binding modes. The provisioner / attacher / resizer split. Why StatefulSet pods stick to their volume.
Authentication & authorisation
The auth chain — client certs, bearer tokens (ServiceAccount, OIDC), webhook authn. The authz chain — RBAC, ABAC, Webhook, Node. ServiceAccount projection.
Informers and the shared cache
The list-watch loop, the DeltaFIFO, the thread-safe store, and the work queue. How every controller reads cluster state without hammering the API server.
client-go internals
The Go client every controller is built on. RESTClient, typed clientsets, the discovery client, informers, and the work queue, from the bottom up.