Kubernetes has become the standard platform for running containerized workloads in production. This guide covers the concepts you need to understand, the patterns that work at scale, and the mistakes to avoid.
Core Concepts
- Pods. The smallest deployable unit. A pod wraps one or more containers that share networking and storage.
- Deployments. Declare your desired state, replica count, image version, update strategy, and Kubernetes makes it so.
- Services. Stable networking endpoint for a set of pods. Handles load balancing and service discovery automatically.
- ConfigMaps & Secrets. Externalize configuration and sensitive data from your container images. Inject them at runtime.
- Horizontal Pod Autoscaler. Automatically scale pod replicas based on CPU, memory, or custom metrics.
- Namespaces. Logical isolation for teams, environments, or applications within a single cluster.
Kubernetes Adoption
| 96% | Organizations using or evaluating K8s (CNCF 2024) |
| 5.6M+ | Kubernetes developers worldwide |
| 200+ | CNCF ecosystem projects |
| 10 yrs | Since Kubernetes 1.0 release |
Architecture Overview
Control plane manages the cluster state: the API server handles all requests, etcd stores cluster data, the scheduler places pods on nodes, and controllers reconcile desired state with actual state.
Worker nodes run your workloads: the kubelet manages pods on each node, kube-proxy handles networking rules, and the container runtime (containerd or CRI-O) runs containers.
Declarative model. You describe what you want in YAML manifests, and Kubernetes controllers continuously work to make reality match your declaration. This reconciliation loop is what makes Kubernetes self-healing.
Production Best Practices
Set resource requests and limits. Every container should declare CPU and memory requests (for scheduling) and limits (for protection). Without these, a single pod can starve the node.
Use liveness and readiness probes. Liveness probes restart unhealthy containers. Readiness probes remove pods from service endpoints until they are ready to accept traffic.
Implement pod disruption budgets. PDBs ensure that voluntary disruptions (node upgrades, scaling down) do not take out too many pods at once.
Use network policies. By default, all pods can talk to all other pods. Network policies let you restrict traffic to only what is necessary, defense in depth.
Manage secrets properly. Do not bake secrets into images. Use Kubernetes Secrets with encryption at rest, or integrate with an external secret manager like HashiCorp Vault.
Cost & Right-sizing
Most production clusters waste 30–40% of their compute. The four levers that bring it back: right-sized requests/limits, autoscaler tuning (HPA + Cluster Autoscaler or Karpenter), bin-packed nodes via topology spread and PriorityClasses, and shutting down non-prod overnight.
Start with requests calibrated to real p95 usage — overcommitted nodes pack better and the scheduler stops over-provisioning. Pair that with an autoscaler that scales down aggressively (10–15 min idle, not the default 30) and you typically recover 25–35% inside a sprint.
Security
Defence-in-depth without friction: RBAC scoped to namespaces (no cluster-admin in CI), network policies default-deny, image signing (cosign) verified at admission, and runtime protection via Falco or eBPF tracers for the workloads that warrant it.
The two cheapest wins: turn on Pod Security Standards (`restricted` on application namespaces) and gate `imagePullPolicy: Always` with image-tag mutation prevention. Both close more real-world attack paths than most teams realise.
Common Questions
What is Kubernetes used for? Kubernetes is an open-source container orchestration platform that automates deploying, scaling, and managing containerized applications across clusters of machines.
When should I use Kubernetes? Kubernetes is a good fit when you run multiple containerized services that need automated scaling, self-healing, rolling updates, and service discovery. For a single simple app, it may be overkill.
What is the difference between Kubernetes and Docker? Docker is a container runtime that packages and runs individual containers. Kubernetes is an orchestration platform that manages many containers across multiple machines, handling scheduling, scaling, and networking.