Portal | Level: L1: Foundations | Topics: Kubernetes Core, Probes (Liveness/Readiness), HPA / Autoscaling | Domain: Kubernetes

Kubernetes - Skill Check

Mental model (bottom-up)

Kubernetes is a set of controllers that keep actual cluster state matching desired state stored in the API server. Networking is mostly: Service VIP -> endpoints -> pod IP, plus an Ingress controller for HTTP routing.

Visual stack

[Workloads          ]  Deployments/StatefulSets/Jobs manage Pods
|
[Service discovery  ]  Services select Pods via labels
|
[Controllers        ]  reconcile desired -> actual
|
[API server / etcd  ]  stores desired state; provides API
|
[Nodes              ]  kubelet runs containers via container runtime
|
[CNI/CSI            ]  network/storage plugins

Glossary

• controller - reconciliation loop enforcing desired state
• pod - smallest deployable unit; one or more containers
• deployment - rollout manager for stateless pods
• service - stable virtual IP/DNS for changing pods
• ingress - HTTP routing rules (needs a controller)
• pvc/pv - claim vs provisioned persistent volume

Roadmap core (10, easy -> hard)

• What is Kubernetes (one line)?
• Orchestrates containers: scheduling, scaling, service discovery, rollout.
• Pod vs Deployment?
• Pod = unit of running containers; Deployment manages replicas/rollouts.
• Service vs Ingress (conceptually)?
• Service = stable endpoint; Ingress = HTTP routing layer.
• ConfigMap vs Secret?
• ConfigMap for non-secret config; Secret for sensitive data (handle carefully).
• Liveness vs readiness probes?
• Liveness restarts; readiness controls traffic routing.
• Teardown/cleanup basics?
• Delete what you created: kubectl delete -f <manifests> or kubectl delete ... -l app=<x>; namespace cleanup: kubectl delete ns <name>.
• Image vs container?
• Image template; container running instance.
• Volume used for?
• Persist data outside container lifecycle.
• Port mapping meaning?
• Host port forwards to container port (K8s does this differently via Services).
• Why "works on my machine" happens?
• Missing deps/env/config; containers help pin runtime.

Core API objects (easy -> hard)

• What is a "desired state" controller?
• A loop that continuously reconciles actual -> desired (Deployments, etc.).
• Pod vs ReplicaSet vs Deployment?
• Pod runs; RS ensures replica count; Deployment manages RS revisions/rollouts.
• StatefulSet is for what?
• Stable identity/storage per replica (ordered, sticky).
• DaemonSet is for what?
• One pod per node (agents: logging, CNI, metrics).
• Job vs CronJob?
• Job runs to completion; CronJob schedules Jobs.
• What's a label selector?
• Matching mechanism (Services/Deployments) using labels.
• Why "immutability" matters in specs?
• Some fields force replacement; design with updates/rollouts in mind.
• What's a "reconciliation storm" smell?
• Flapping probes/config causing constant restarts/rollouts.

Services & Ingress (easy -> hard)

• Why Services exist?
• Stable virtual IP/DNS for changing pods.
• ClusterIP vs NodePort vs LoadBalancer?
• Internal VIP vs node-exposed port vs external LB integration.
• ExternalName does what?
• DNS CNAME-style mapping to external hostname.
• What does kube-proxy do (conceptually)?
• Implements Service routing (iptables/ipvs depending).
• Ingress does what?
• L7 HTTP(S) routing by host/path to Services.
• What's the missing piece for Ingress?
• An Ingress controller (Ingress object alone doesn't route traffic).
• TLS termination in Ingress?
• Controller presents cert and routes decrypted HTTP to backend.
• Common "why can't I reach it" checklist?
• Service selector, endpoints exist, ports match, Ingress rules/hosts, controller running, DNS points at LB.

Config & Secrets (easy -> hard)

• ConfigMap use cases?
• Non-secret config files, env vars, flags.
• Secret use cases?
• Passwords/tokens/certs (treat as sensitive; restrict RBAC).
• Env var vs mounted file?
• Env good for small values; files for certs/large config.
• Why secrets leak?
• Dumped env, logs, debug endpoints, mis-scoped RBAC.
• What is "immutable ConfigMap/Secret" benefit?
• Prevent surprise changes; forces rollout/versioning.

Storage: Volumes, PV/PVC, StorageClass (easy -> hard)

• Ephemeral volume vs persistent?
• Ephemeral dies with Pod; persistent survives Pod replacement.
• PV vs PVC?
• PV = provisioned storage; PVC = claim/request bound to PV.
• StorageClass is for what?
• Defines classes/policies and enables dynamic provisioning.
• Access modes (conceptually)?
• ReadWriteOnce/Many etc: how pods can mount (backend-dependent).
• Reclaim policy meaning?
• What happens after release: retain/delete/recycle (recycle is legacy).
• Why dynamic provisioning is popular?
• No manual PV creation; PVC triggers provisioning automatically.
• Common storage failure mode?
• Missing CSI driver / wrong class / permissions; PVC stuck Pending.
• Debug PVC bind quickly?
• kubectl describe pvc/pv, check StorageClass, events, CSI controller logs.

Probes & rollout safety (easy -> hard)

• Readiness probe controls what?
• Whether pod receives traffic.
• Liveness probe controls what?
• Whether kubelet restarts container.
• Startup probe is for what?
• Slow-start apps; prevents premature liveness failures.
• What's a bad probe?
• One that restarts healthy pods or marks ready too early.
• Rolling updates: what gates safety?
• Readiness, maxUnavailable/maxSurge, and good timeouts.
• Rollback: what it really does?
• Switch to previous ReplicaSet revision.
• Why "crashloop" happens after deploy?
• Bad config/secret, image pull, missing deps, probe too strict.
• How to debug rollout fast?
• kubectl rollout status, describe deploy/rs/pod, events, logs.

Scheduling & resources (easy -> hard)

• Requests vs limits?
• Requests schedule capacity; limits cap (OOM/throttle).
• Why do OOMKills happen?
• Container exceeded memory limit; killed by kernel.
• HPA is based on what?
• Metrics (CPU/memory/custom) via metrics pipeline.
• Taints/tolerations used for?
• Keep certain workloads off nodes unless allowed.
• Node/pod affinity used for?
• Prefer/require placement rules.
• Pod disruption budget (PDB) does what?
• Limits voluntary disruptions to maintain availability.

Security: RBAC & service accounts (easy -> hard)

• ServiceAccount does what?
• Identity for pods to call the API.
• Role vs ClusterRole?
• Namespace-scoped vs cluster-scoped rules.
• RoleBinding vs ClusterRoleBinding?
• Attach role rules to subjects in namespace vs cluster-wide.
• Why "least privilege" matters here?
• Overbroad SA tokens become cluster takeover paths.
• Common RBAC escalation footgun?
• Allowing create on roles/bindings or secrets in sensitive namespaces.
• What to lock down first?
• Default service accounts, secrets access, and cluster-admin bindings.

Debugging & operations (easy -> hard)

• Fast "what's broken" commands?
• kubectl get, describe, logs, events, top (if metrics).
• kubectl exec vs kubectl debug?
• Exec runs in container; debug can attach ephemeral containers.
• Port-forward when?
• Access pod/service locally for quick testing.
• Why events matter?
• Scheduling/image pull/probe failures show up there first.
• Common networking root cause?
• Service selector mismatch -> no endpoints.
• Common auth root cause?
• RBAC denies; check kubectl auth can-i ... and bindings.

Teardown / cleanup

• Delete everything you applied:
• kubectl delete -f <manifests-dir-or-file>
• Delete by label:
• kubectl delete deploy,sts,ds,job,cronjob,svc,ing,cm,secret -l app=<name>
• Nuke a sandbox namespace:
• kubectl delete ns <name>
• Remove stuck finalizers (last resort):
• Patch out finalizers only if you understand the blast radius.

Key correctness notes

• Ingress resources require an Ingress controller to actually route traffic.
• Persistent storage is typically expressed as PVCs bound to PVs (often via a StorageClass with dynamic provisioning).
• Probes have distinct roles: readiness gates traffic; liveness restarts; startup handles slow-start apps.
• RBAC uses Roles/ClusterRoles plus RoleBindings/ClusterRoleBindings to attach permissions.

Sources

• Kubernetes official docs: Services, Ingress, Persistent Volumes, StorageClasses, RBAC, Probes.
• https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
• https://kubernetes.io/docs/concepts/storage/persistent-volumes/

---

Wiki Navigation

Next Steps

• Skillcheck: Kubernetes Under the Covers (Assessment, L2)

Related Content

• Kubernetes Exercises (Quest Ladder) (CLI) (Exercise Set, L1) — HPA / Autoscaling, Kubernetes Core, Probes (Liveness/Readiness)
• Incident Simulator (18 scenarios) (CLI) (Exercise Set, L2) — HPA / Autoscaling, Probes (Liveness/Readiness)
• Interview: Deployment Stuck Progressing (Scenario, L2) — Kubernetes Core, Probes (Liveness/Readiness)
• Kubernetes Ops (Production) (Topic Pack, L2) — HPA / Autoscaling, Probes (Liveness/Readiness)
• Lab: HPA Live Scaling (CLI) (Lab, L1) — HPA / Autoscaling, Kubernetes Core
• Lab: Readiness Probe Failure (CLI) (Lab, L1) — Kubernetes Core, Probes (Liveness/Readiness)
• Runbook: HPA Thrashing (Rapid Scale Up/Down) (Runbook, L2) — HPA / Autoscaling, Kubernetes Core
• Runbook: Readiness Probe Failed (Runbook, L1) — Kubernetes Core, Probes (Liveness/Readiness)
• Track: Kubernetes Core (Reference, L1) — Kubernetes Core, Probes (Liveness/Readiness)
• Adversarial Interview Gauntlet (30 sequences) (Scenario, L2) — Kubernetes Core

Pages that link here

• Kubernetes Ops Domain
• Kubernetes Under the Covers
• Kubernetes_Core
• Level 3: Production Kubernetes
• Master Curriculum: 40 Weeks
• Primer
• Runbook: HPA Not Scaling
• Runbook: HPA Thrashing (Rapid Scale Up/Down)
• Runbook: Readiness Probe Failed
• Scenario: Deployment Stuck Progressing
• Scenario: HPA Not Scaling Under Load