Differences

This shows you the differences between two versions of the page.

--- k8s:core:kind [2026/05/31 03:43] – phong2018
+++ k8s:core:kind [2026/05/31 04:07] (current) – [Here's the relationship diagram.] phong2018
@@ Line 1: / Line 1: @@
-====== Kubernetes kind: complete reference ======
+====== Kubernetes ''kind'' Field — Complete Guide ======
-''kind'' tells Kubernetes what type of object to create.
+===== Overview =====
-Each kind has its own controller, behavior, and lifecycle.
+In Kubernetes, every resource manifest (written in YAML or JSON) must declare four top-level fields:
+<code yaml>
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app
+spec:
+  ...
+</code>
+The ''kind'' field tells Kubernetes **what type of resource** you are creating or managing. It maps to a specific API object within Kubernetes, and each kind has its own schema, behavior, and lifecycle.
 ----
-===== ConfigMap =====
+===== Core Resource Kinds =====
-Stores non-sensitive configuration data as key-value pairs.
+==== 1. Pod ====
-Injected into Pods as environment variables or mounted as files.
-**apiVersion:** ''v1''
+The **smallest deployable unit** in Kubernetes. A Pod wraps one or more containers that share network and storage.
 <code yaml>
 apiVersion: v1
-kind: ConfigMap
+kind: Pod
 metadata:
-  name: app-config
+  name: nginx-pod
-  namespace: default
+  labels:
-data:
+    app: nginx
-  APP_ENV: "production"
+spec:
-  LOG_LEVEL: "info"
+  containers:
-  config.yaml: |
+    - name: nginx
-    timeout: 30
+      image: nginx:1.25
-    retries: 3
+      ports:
-    debug: false
+        - containerPort: 80
 </code>
-**Use as env vars:**
+^ Field       ^ Description                                  ^
-<code yaml>
+| ''kind''    | ''Pod'' — declares a single pod resource     |
-envFrom:
+| ''metadata'' | Name and labels for identifying the pod     |
-  - configMapRef:
+| ''spec.containers'' | List of containers inside the pod   |
-      name: app-config
-</code>
+> **Note:** Pods are rarely created directly. Use Deployments or StatefulSets instead for resilience.
+----
+==== 2. Deployment ====
+Manages a **ReplicaSet** to ensure a specified number of Pod replicas are running at all times. Supports rolling updates and rollbacks.
-**Use as mounted file:**
 <code yaml>
-volumes:
+apiVersion: apps/v1
-  - name: config-vol
+kind: Deployment
-    configMap:
+metadata:
-      name: app-config
+  name: web-app
-volumeMounts:
+  namespace: default
-  - name: config-vol
+spec:
-    mountPath: /etc/config
+  replicas: 3
+  selector:
+    matchLabels:
+      app: web-app
+  template:
+    metadata:
+      labels:
+        app: web-app
+    spec:
+      containers:
+        - name: web
+          image: nginx:1.25
+          ports:
+            - containerPort: 80
 </code>
-> ''config.yaml'' appears as a real file at ''/etc/config/config.yaml'' inside the container.
+^ Field         ^ Description                                          ^
+| ''kind''      | ''Deployment'' — manages a set of identical pods     |
-^ Field ^ Purpose ^
+| ''replicas''  | Number of desired Pod instances                      |
-| ''data'' | Plain text key-value pairs |
+| ''selector''  | Labels used to identify which Pods belong here       |
-| ''binaryData'' | Base64-encoded binary data |
+| ''template''  | Pod template used to create new Pods                 |
-> Use case: app settings, feature flags, config files, environment differences (dev/staging/prod).
 ----
-===== Secret =====
+==== 3. Service ====
-Stores sensitive data. Values are base64-encoded at rest.
+Exposes a set of Pods as a **stable network endpoint**. Handles load balancing across all matching Pods.
-Works like ConfigMap but with access restrictions and audit logging.
-**apiVersion:** ''v1''
 <code yaml>
 apiVersion: v1
-kind: Secret
+kind: Service
 metadata:
-  name: db-secret
+  name: web-service
-  namespace: default
+spec:
-type: Opaque
+  selector:
-data:
+    app: web-app
-  username: YWRtaW4=        # echo -n "admin" | base64
+  ports:
-  password: c2VjcmV0MTIz    # echo -n "secret123" | base64
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  type: ClusterIP
 </code>
-**Secret types:**
+^ Service Type    ^ Description                                              ^
+| ''ClusterIP''   | Default. Internal cluster access only                    |
+| ''NodePort''    | Exposes on each node's IP at a static port               |
+| ''LoadBalancer'' | Creates an external load balancer (cloud providers)     |
+| ''ExternalName'' | Maps to an external DNS name                            |
+----
+==== 4. ConfigMap ====
-^ Type ^ Use case ^
+Stores **non-sensitive configuration** as key-value pairs, decoupling config from container images.
-| ''Opaque'' | General-purpose (default) |
-| ''kubernetes.io/tls'' | TLS certificates (tls.crt + tls.key) |
-| ''kubernetes.io/dockerconfigjson'' | Docker registry credentials |
-| ''kubernetes.io/service-account-token'' | ServiceAccount tokens |
-| ''kubernetes.io/basic-auth'' | Basic username/password |
-| ''kubernetes.io/ssh-auth'' | SSH private key |
-**TLS Secret example:**
 <code yaml>
 apiVersion: v1
-kind: Secret
+kind: ConfigMap
 metadata:
-  name: tls-secret
+  name: app-config
-type: kubernetes.io/tls
 data:
-  tls.crt: <base64-encoded-cert>
+  APP_ENV: production
-  tls.key: <base64-encoded-key>
+  APP_PORT: "8080"
+  log_level: info
 </code>
-**Use in Pod:**
+Use in a Pod:
 <code yaml>
-env:
+envFrom:
-  - name: DB_PASSWORD
+  - configMapRef:
-    valueFrom:
+      name: app-config
-      secretKeyRef:
-        name: db-secret
-        key: password
 </code>
-> Use case: passwords, API keys, TLS certs, Docker pull credentials.
-<note warning>
-Base64 is encoding, NOT encryption. Use tools like Sealed Secrets or Vault for real encryption at rest.
-</note>
 ----
-===== Namespace =====
+==== 5. Secret ====
-Logical partition inside a cluster.
+Like ConfigMap, but for **sensitive data** (passwords, tokens, TLS certs). Values are base64-encoded.
-Isolates resources between teams, environments, or projects.
-**apiVersion:** ''v1''
 <code yaml>
 apiVersion: v1
-kind: Namespace
+kind: Secret
 metadata:
-  name: team-backend
+  name: db-credentials
-  labels:
+type: Opaque
-    team: backend
+data:
-    env: production
+  username: YWRtaW4=        # base64 of "admin"
+  password: cGFzc3dvcmQ=   # base64 of "password"
 </code>
-**Built-in namespaces:**
+> **Security note:** base64 is encoding, not encryption. Use tools like Sealed Secrets or Vault for production.
-^ Namespace ^ Purpose ^
+----
-| ''default'' | Resources with no namespace specified go here |
-| ''kube-system'' | Core Kubernetes components (DNS, scheduler, controller-manager) |
+==== 6. StatefulSet ====
-| ''kube-public'' | Publicly readable data (cluster info) |
-| ''kube-node-lease'' | Node heartbeat lease objects |
+Like Deployment, but designed for **stateful applications** (databases, message queues) that need:
+  * Stable, persistent network identity
+  * Ordered, graceful deployment and scaling
+  * Persistent storage per pod
-**Deploy to a namespace:**
 <code yaml>
+apiVersion: apps/v1
+kind: StatefulSet
 metadata:
-  name: my-app
+  name: mysql
-  namespace: team-backend
+spec:
+  serviceName: "mysql"
+  replicas: 3
+  selector:
+    matchLabels:
+      app: mysql
+  template:
+    metadata:
+      labels:
+        app: mysql
+    spec:
+      containers:
+        - name: mysql
+          image: mysql:8.0
+          env:
+            - name: MYSQL_ROOT_PASSWORD
+              value: "secret"
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/mysql
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Gi
 </code>
-**Namespace-scoped vs cluster-scoped:**
+----
-^ Namespace-scoped ^ Cluster-scoped ^
+==== 7. DaemonSet ====
-| Pod, Deployment, Service | Node, PersistentVolume |
-| ConfigMap, Secret | ClusterRole, StorageClass |
-| Role, RoleBinding | Namespace itself |
-> Use case: isolate dev/staging/prod, separate teams, apply ResourceQuota per namespace.
+Ensures a **copy of a Pod runs on every node** (or selected nodes). Used for cluster-level services like log collectors, monitoring agents, or network plugins.
+<code yaml>
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: fluentd
+spec:
+  selector:
+    matchLabels:
+      name: fluentd
+  template:
+    metadata:
+      labels:
+        name: fluentd
+    spec:
+      containers:
+        - name: fluentd
+          image: fluent/fluentd:v1.16
+</code>
 ----
-===== Job =====
+==== 8. Job ====
-Runs a Pod to completion. Guarantees the task finishes successfully.
+Runs a **one-off task** to completion. Kubernetes ensures the Pod runs successfully at least once.
-Retries automatically on failure.
-**apiVersion:** ''batch/v1''
 <code yaml>
@@ Line 171: / Line 233: @@
   name: db-migration
 spec:
-  completions: 1         # how many successful completions needed
-  parallelism: 1         # how many Pods run at the same time
-  backoffLimit: 4        # retry up to 4 times on failure
   template:
     spec:
       containers:
         - name: migrate
-          image: myapp:v2
+          image: myapp:latest
           command: ["python", "manage.py", "migrate"]
-      restartPolicy: OnFailure   # required: Never or OnFailure
+      restartPolicy: OnFailure
 </code>
-**Parallel Job example (process 5 items, 2 at a time):**
-<code yaml>
-spec:
-  completions: 5
-  parallelism: 2
-</code>
-^ Field ^ Purpose ^
-| ''completions'' | Total successful Pods needed to finish the Job |
-| ''parallelism'' | Max Pods running simultaneously |
-| ''backoffLimit'' | Max retries before Job is marked failed |
-| ''activeDeadlineSeconds'' | Kill Job if it runs longer than N seconds |
-| ''ttlSecondsAfterFinished'' | Auto-delete Job N seconds after completion |
-> Use case: database migrations, data imports, report generation, ML training runs, batch processing.
 ----
-===== CronJob =====
+==== 9. CronJob ====
-Runs a Job on a time-based schedule. Same as Linux ''cron''.
-**apiVersion:** ''batch/v1''
+Runs Jobs on a **scheduled (cron) basis**.
 <code yaml>
@@ Line 211: / Line 252: @@
 kind: CronJob
 metadata:
-  name: nightly-backup
+  name: backup-job
 spec:
-  schedule: "0 2 * * *"            # every day at 02:00
+  schedule: "0 2 * * *"   # Every day at 2:00 AM
-  timeZone: "Asia/Ho_Chi_Minh"     # optional, requires k8s 1.27+
-  concurrencyPolicy: Forbid         # don't run if previous is still running
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 1
   jobTemplate:
     spec:
@@ Line 225: / Line 262: @@
             - name: backup
               image: backup-tool:latest
-              command: ["sh", "-c", "/scripts/backup.sh"]
+              command: ["/bin/sh", "-c", "run-backup.sh"]
           restartPolicy: OnFailure
 </code>
-**Cron syntax:**
+----
-<code>
-┌───── minute (0-59)
-│ ┌─── hour (0-23)
-│ │ ┌─ day of month (1-31)
-│ │ │ ┌ month (1-12)
-│ │ │ │ ┌ day of week (0-6, Sun=0)
-│ │ │ │ │
-* * * * *
-Examples:
+==== 10. Namespace ====
-"0 2 * * *"     → every day at 02:00
-"*/15 * * * *"  → every 15 minutes
+Creates a **virtual cluster** within a Kubernetes cluster, providing isolation between teams or environments.
-"0 9 * * 1"     → every Monday at 09:00
-"0 0 1 * *"     → first day of every month at midnight
+<code yaml>
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: staging
 </code>
-**concurrencyPolicy values:**
+----
-^ Value ^ Behavior ^
+==== 11. PersistentVolumeClaim (PVC) ====
-| ''Allow'' | Run overlapping Jobs (default) |
-| ''Forbid'' | Skip new Job if previous still running |
-| ''Replace'' | Cancel previous Job, start new one |
-> Use case: backups, log rotation, cleanup tasks, scheduled reports, cache warming.
+Requests **persistent storage** from the cluster for a Pod.
+<code yaml>
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: my-storage
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+</code>
 ----
-===== Ingress =====
+==== 12. Ingress ====
-HTTP/HTTPS routing rules.
+Manages **external HTTP/HTTPS access** to services, routing rules, TLS termination.
-Routes external traffic to internal Services based on hostname or URL path.
-Requires an Ingress Controller (nginx, traefik, etc.) to be installed.
-**apiVersion:** ''networking.k8s.io/v1''
 <code yaml>
@@ Line 269: / Line 308: @@
 kind: Ingress
 metadata:
-  name: main-ingress
+  name: web-ingress
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - myapp.example.com
-      secretName: tls-secret        # Secret of type kubernetes.io/tls
   rules:
     - host: myapp.example.com
       http:
         paths:
-          - path: /api
-            pathType: Prefix
-            backend:
-              service:
-                name: api-service
-                port:
-                  number: 8080
           - path: /
             pathType: Prefix
             backend:
               service:
-                name: frontend-service
+                name: web-service
                 port:
                   number: 80
 </code>
-**pathType values:**
-^ Value ^ Behavior ^
-| ''Exact'' | Match exact path only (e.g. ''/api'' only) |
-| ''Prefix'' | Match path and all sub-paths (e.g. ''/api/v1'', ''/api/v2'') |
-| ''ImplementationSpecific'' | Behavior depends on Ingress Controller |
-**Traffic flow:**
-<code>
-Client
-  └── Ingress Controller (nginx/traefik)
-        └── Ingress rules
-              ├── /api   → api-service → api Pods
-              └── /      → frontend-service → frontend Pods
-</code>
-> Use case: expose multiple services under one domain, TLS termination, path-based routing, virtual hosting.
 ----
-===== ClusterRole =====
+===== Summary Table =====
-Defines permissions that apply cluster-wide (all namespaces + cluster-scoped resources).
+^ Kind                   ^ API Version         ^ Purpose                                      ^
-Part of Kubernetes RBAC (Role-Based Access Control).
+| ''Pod''                | ''v1''              | Smallest deployable unit                     |
+| ''Deployment''         | ''apps/v1''         | Stateless app, rolling updates               |
-**apiVersion:** ''rbac.authorization.k8s.io/v1''
+| ''StatefulSet''        | ''apps/v1''         | Stateful app with stable identity            |
+| ''DaemonSet''          | ''apps/v1''         | One pod per node                             |
-<code yaml>
+| ''Job''                | ''batch/v1''        | One-off task                                 |
-apiVersion: rbac.authorization.k8s.io/v1
+| ''CronJob''            | ''batch/v1''        | Scheduled recurring task                     |
-kind: ClusterRole
+| ''Service''            | ''v1''              | Network endpoint for pods                    |
-metadata:
+| ''Ingress''            | ''networking.k8s.io/v1'' | HTTP routing / TLS termination         |
-  name: pod-reader
+| ''ConfigMap''          | ''v1''              | Non-sensitive config data                    |
-rules:
+| ''Secret''             | ''v1''              | Sensitive config data                        |
-  - apiGroups: [""]             # "" = core API group
+| ''Namespace''          | ''v1''              | Cluster isolation                            |
-    resources: ["pods", "pods/log"]
+| ''PersistentVolumeClaim'' | ''v1''           | Request for persistent storage               |
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["apps"]
-    resources: ["deployments"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["nodes"]        # cluster-scoped — only ClusterRole can grant this
-    verbs: ["get", "list"]
-</code>
-**All available verbs:**
-^ Verb ^ HTTP method equivalent ^
-| ''get'' | GET (single resource) |
-| ''list'' | GET (collection) |
-| ''watch'' | GET with ?watch=true (streaming) |
-| ''create'' | POST |
-| ''update'' | PUT |
-| ''patch'' | PATCH |
-| ''delete'' | DELETE |
-| ''deletecollection'' | DELETE (collection) |
-**Wildcard (grant all):**
-<code yaml>
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
-</code>
-**ClusterRole vs Role:**
-^ ^ Role ^ ClusterRole ^
-| Scope | Single namespace | All namespaces + cluster resources |
-| Can access Nodes | No | Yes |
-| Can access PersistentVolumes | No | Yes |
-| Bound with | RoleBinding | ClusterRoleBinding (or RoleBinding) |
-> Use case: read-only cluster monitoring, CI/CD pipelines, operators, admin access.
-<note>
-ClusterRole alone does nothing. It must be bound via ''ClusterRoleBinding'' or ''RoleBinding''.
-</note>
 ----
-===== ClusterRoleBinding =====
+===== How ''kind'' Connects to ''apiVersion'' =====
-Grants a ClusterRole to a user, group, or ServiceAccount across the entire cluster.
+The ''apiVersion'' determines which API group and version handles your ''kind'':
-**apiVersion:** ''rbac.authorization.k8s.io/v1''
+^ apiVersion              ^ Kinds included                                       ^
+| ''v1''                  | Pod, Service, ConfigMap, Secret, Namespace, PVC      |
-<code yaml>
+| ''apps/v1''             | Deployment, StatefulSet, DaemonSet, ReplicaSet       |
-apiVersion: rbac.authorization.k8s.io/v1
+| ''batch/v1''            | Job, CronJob                                         |
-kind: ClusterRoleBinding
+| ''networking.k8s.io/v1'' | Ingress, NetworkPolicy                              |
-metadata:
+| ''rbac.authorization.k8s.io/v1'' | Role, ClusterRole, RoleBinding           |
-  name: pod-reader-binding
-subjects:
-  - kind: ServiceAccount
-    name: monitoring-agent
-    namespace: monitoring
-  - kind: User
-    name: jane@example.com
-    apiGroup: rbac.authorization.k8s.io
-  - kind: Group
-    name: devops-team
-    apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: pod-reader
-  apiGroup: rbac.authorization.k8s.io
-</code>
-**subjects kinds:**
-^ Kind ^ Example ^
-| ''ServiceAccount'' | Pod identity inside cluster |
-| ''User'' | Human user (managed externally) |
-| ''Group'' | Group of users |
-> Use case: grant monitoring agent read access to all Pods cluster-wide.
 ----
-===== HorizontalPodAutoscaler =====
+===== Here's the relationship diagram. =====
+Hierarchy flows top-down:
-Automatically scales Pod count up or down based on metrics.
+Deployment → ReplicaSet → Pod (Deployment manages replicas, which manage pods)
-Watches a target (Deployment, StatefulSet) and adjusts ''replicas''.
-**apiVersion:** ''autoscaling/v2''
+StatefulSet and DaemonSet go straight to their own Pods
-<code yaml>
+CronJob → Job (CronJob triggers Jobs on a schedule)
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
-  name: web-hpa
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: web-app
-  minReplicas: 2
-  maxReplicas: 20
-  metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 70     # scale up if avg CPU > 70%
-    - type: Resource
-      resource:
-        name: memory
-        target:
-          type: AverageValue
-          averageValue: 512Mi
-</code>
-**Custom metrics example (requests per second):**
+Networking routes traffic inward:
-<code yaml>
-metrics:
-  - type: Pods
-    pods:
-      metric:
-        name: requests_per_second
-      target:
-        type: AverageValue
-        averageValue: "1000"
-</code>
-**Scale behavior (control speed of scaling):**
+Ingress → Service → Pod (external HTTP traffic funneled down to running containers)
-<code yaml>
-behavior:
-  scaleUp:
-    stabilizationWindowSeconds: 0       # scale up immediately
-    policies:
-      - type: Pods
-        value: 4
-        periodSeconds: 60               # add max 4 pods per minute
-  scaleDown:
-    stabilizationWindowSeconds: 300     # wait 5 min before scaling down
-</code>
-^ Field ^ Purpose ^
+NetworkPolicy applies traffic rules at the Pod level
-| ''minReplicas'' | Never go below this count |
-| ''maxReplicas'' | Never exceed this count |
-| ''averageUtilization'' | Target CPU/memory percentage across all Pods |
-| ''stabilizationWindowSeconds'' | Cooldown window to prevent flapping |
-**How it works:**
+Config and Storage are mounted into Pods:
-<code>
-Metrics Server
-  └── HPA checks metrics every 15s
-        ├── CPU > 70%  → scale UP   (add Pods)
-        └── CPU < 70%  → scale DOWN (remove Pods)
-              └── Deployment adjusts replicas
-</code>
-> Use case: web traffic spikes, variable batch load, cost optimization (scale down at night).
+ConfigMap and Secret are injected as env vars or volume mounts (dashed lines)
-<note important>
+PVC (PersistentVolumeClaim) binds to a PV (PersistentVolume) and mounts into Pods
-HPA requires Metrics Server installed in the cluster. Resource requests must be set on containers for CPU/memory HPA to work.
-</note>
-----
+Everything lives inside a `Namespace for isolation.
-===== Quick comparison =====
+{{ :k8s:core:kind-in-kubenetes.png?600 |}}
-^ Kind ^ apiVersion ^ Scope ^ Controller ^
-| ''ConfigMap'' | ''v1'' | Namespace | — |
-| ''Secret'' | ''v1'' | Namespace | — |
-| ''Namespace'' | ''v1'' | Cluster | — |
-| ''Job'' | ''batch/v1'' | Namespace | Job Controller |
-| ''CronJob'' | ''batch/v1'' | Namespace | CronJob Controller |
-| ''Ingress'' | ''networking.k8s.io/v1'' | Namespace | Ingress Controller |
-| ''ClusterRole'' | ''rbac.authorization.k8s.io/v1'' | Cluster | — |
-| ''ClusterRoleBinding'' | ''rbac.authorization.k8s.io/v1'' | Cluster | — |
-| ''HorizontalPodAutoscaler'' | ''autoscaling/v2'' | Namespace | HPA Controller |
-----
-===== Key rule =====
+===== See Also =====
-<note important>
+  * [[https://kubernetes.io/docs/concepts/|Kubernetes Concepts]]
-Every ''kind'' requires a matching ''apiVersion''.
+  * [[https://kubernetes.io/docs/reference/kubernetes-api/|Kubernetes API Reference]]
-Wrong ''apiVersion'' = object creation fails, even if all other fields are correct.
+  * ''kubectl api-resources'' — list all available kinds in your cluster
-</note>