
Core Concepts

Pod

The smallest deployable unit. A Pod wraps one or more containers that share the same network and storage.

  • One Pod = one instance of your app (usually one container)
  • Pods are ephemeral: if they die, they don't come back on their own
  • You almost never create Pods directly; a Deployment manages them for you
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-app
    image: nginx:latest
    ports:
    - containerPort: 80

Deployment

Manages a set of identical Pods. Handles rolling updates, rollbacks, and scaling.

  • Defines how many replicas (copies) of your Pod to run
  • If a Pod crashes, the Deployment creates a new one automatically
  • Use this instead of creating Pods manually
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx:latest

Service

Gives your Pods a stable network address. Pods die and get new IPs; a Service stays constant.

Type           When to use
ClusterIP      Internal traffic only (default)
NodePort       Expose on each node's IP at a static port
LoadBalancer   Cloud load balancer (AWS ELB, etc.)
apiVersion: v1
kind: Service
metadata:
  name: my-app
spec:
  selector:
    app: my-app
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP

Namespace

A virtual cluster inside your cluster. Isolates resources by team, environment, or app.

kubectl get namespaces
kubectl create namespace staging
kubectl get pods -n staging

Common pattern: default, staging, production, monitoring


ConfigMap

Stores non-sensitive configuration as key-value pairs. Injected into Pods as env vars or files.

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
  REGION: "eu-west-1"

Inject as env vars:

envFrom:
- configMapRef:
    name: app-config

Secret

Like a ConfigMap but for sensitive data (passwords, tokens, keys). Values are stored base64-encoded.

kubectl create secret generic db-secret \
  --from-literal=password=mysecretpassword

Reference it from a container:

env:
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: password

Base64 is encoding, not encryption: anyone who can read the Secret object can decode it. Use Sealed Secrets or AWS Secrets Manager for real security.


Ingress

Routes external HTTP/HTTPS traffic to Services inside the cluster. Requires an Ingress Controller (e.g. nginx, AWS ALB).

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80
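The Deployment, Service and Ingress above are linked only by labels and names, and a typo in any of them fails quietly (a Service with no endpoints, an Ingress that cannot reach its backend). Added example, not from the original page: a Python check that verifies that chain before anything is applied, using the page's three manifests transcribed as dicts so it runs without a YAML library.

```python
def _matches(selector, labels):
    """Label-selector semantics: every selector key must be present with an equal value."""
    return all(labels.get(k) == v for k, v in selector.items())


def _template_labels(deployment):
    return deployment["spec"]["template"]["metadata"].get("labels", {})


def check_wiring(objs):
    """Return a list of problems in the Deployment -> Service -> Ingress chain; [] means wired."""
    by_kind = {}
    for o in objs:
        by_kind.setdefault(o["kind"], {})[o["metadata"]["name"]] = o
    deps, svcs = by_kind.get("Deployment", {}), by_kind.get("Service", {})
    problems = []
    for name, d in deps.items():  # the API server rejects this too, but catch it before apply
        if not _matches(d["spec"]["selector"]["matchLabels"], _template_labels(d)):
            problems.append(f"Deployment/{name}: selector does not match its own template labels")
    for name, s in svcs.items():
        backing = [d for d in deps.values() if _matches(s["spec"]["selector"], _template_labels(d))]
        if not backing:  # the Service would be created but have zero endpoints
            problems.append(f"Service/{name}: selector matches no Deployment template")
            continue
        declared = {p["containerPort"] for d in backing
                    for c in d["spec"]["template"]["spec"]["containers"] for p in c.get("ports", [])}
        for port in s["spec"]["ports"]:  # containerPort is informational, so only warn when ports are declared
            if declared and isinstance(port["targetPort"], int) and port["targetPort"] not in declared:
                problems.append(f"Service/{name}: targetPort {port['targetPort']} is not declared by any container")
    for name, ing in by_kind.get("Ingress", {}).items():
        for rule in ing["spec"]["rules"]:
            for path in rule["http"]["paths"]:
                ref = path["backend"]["service"]
                svc = svcs.get(ref["name"])
                if svc is None:
                    problems.append(f"Ingress/{name}: backend Service/{ref['name']} does not exist")
                elif ref["port"]["number"] not in {p["port"] for p in svc["spec"]["ports"]}:
                    problems.append(f"Ingress/{name}: Service/{ref['name']} has no port {ref['port']['number']}")
    return problems


# The three manifests from this page, transcribed as dicts (constructed sample input, no YAML parser needed).
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "my-app"}, "spec": {
    "replicas": 3, "selector": {"matchLabels": {"app": "my-app"}},
    "template": {"metadata": {"labels": {"app": "my-app"}}, "spec": {"containers": [
        {"name": "my-app", "image": "nginx:latest", "ports": [{"containerPort": 80}]}]}}}}
SERVICE = {"kind": "Service", "metadata": {"name": "my-app"}, "spec": {
    "selector": {"app": "my-app"}, "ports": [{"port": 80, "targetPort": 80}], "type": "ClusterIP"}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "my-app"}, "spec": {"rules": [{"host": "myapp.example.com",
    "http": {"paths": [{"path": "/", "pathType": "Prefix",
                        "backend": {"service": {"name": "my-app", "port": {"number": 80}}}}]}}]}}
```

Running `check_wiring([DEPLOYMENT, SERVICE, INGRESS])` returns an empty list for the manifests as written; change the Service selector to `app: myapp` and it reports the Service that would have no endpoints.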

PersistentVolume (PV) & PersistentVolumeClaim (PVC)

Storage that survives Pod restarts.

  • PV: the actual storage (provisioned by an admin or dynamically)
  • PVC: a request for storage by a Pod
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-storage
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Mount in a Pod:

# under the Pod's spec:
volumes:
- name: data
  persistentVolumeClaim:
    claimName: my-storage
# under the container entry in spec.containers:
volumeMounts:
- mountPath: /data
  name: data

Node

A physical or virtual machine in the cluster. Pods run on Nodes.

kubectl get nodes
kubectl describe node <node-name>
kubectl top nodes # CPU/memory usage