====== EKS Pod (Kubernetes Pod) ======

**What it is:** The smallest deployable unit in Kubernetes. A Pod runs one or more containers that share the same network namespace and storage volumes.

**What it's for:**
  * Run your application containers (microservices) on EKS.
  * Group tightly-coupled containers together (sidecar pattern).

**Key ideas:**
  * A Pod is scheduled onto a worker node (EC2 node group or Fargate).
  * Pods get a network identity (IP) and use Kubernetes service discovery.
  * Pods use a [[aws:containers:eks:service-account|Kubernetes Service Account]] for identity inside the cluster.
  * For AWS permissions (S3/DynamoDB/etc.), Pods should use [[aws:containers:eks:irsa|IRSA]] (not the node instance role).

**Exam cues:**
  * "UI Pods must access DynamoDB only" → Pod identity must map to a restricted IAM role (IRSA).
  * "Pods run on EC2 worker nodes" → Pod scheduled on nodes; the node role is shared by every Pod on the node, so avoid broad permissions there.

**Hard words (English + IPA + meaning):**
  * *pod* /pɑːd/: pod (the smallest runnable unit in Kubernetes)
  * *container* /kənˈteɪnər/: container
  * *namespace* /ˈneɪmˌspeɪs/: namespace (a scope that separates resources)
  * *volume* /ˈvɑːljuːm/: volume (a storage disk/block)
  * *sidecar* /ˈsaɪdˌkɑːr/: a "companion" container that provides support (logging, proxy, ...)

**Child pages:**
  * [[aws:containers:eks:pod:service-account-binding|Pod ↔ Service Account Binding]]
  * [[aws:containers:eks:pod:aws-permissions|Pod AWS Permissions (Node Role vs IRSA)]]
  * [[aws:containers:eks:pod:networking|Pod Networking Basics]]
  * [[aws:containers:eks:pod:no-direct-iam-policy|No "Direct IAM Policy" on Pod]]
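The "restricted IAM role via IRSA" exam cue above comes down to one question: is the role that the Pod's ServiceAccount points at trusted only by that exact ''namespace:serviceaccount''? The check below is an added example, not part of this page or of any AWS tooling; the account id, role name and OIDC provider id are constructed placeholders.

```python
"""Check an IRSA binding: the ServiceAccount a Pod uses must point at an IAM role
whose trust policy is pinned to that namespace:serviceaccount and the STS audience."""

# Constructed sample data (hypothetical cluster, account and role; not real values).
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID0000000000000000"
ACCOUNT = "123456789012"
SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "ui", "namespace": "web", "annotations": {
        "eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT}:role/ui-dynamodb-ro"}},
}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com",
                                   f"{OIDC}:sub": "system:serviceaccount:web:ui"}}}]}
# Same role, but the trust policy lets *any* ServiceAccount in namespace "web" assume it.
BROAD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
                  "StringLike": {f"{OIDC}:sub": "system:serviceaccount:web:*"}}}]}


def check_irsa_binding(sa: dict, trust_policy: dict, oidc: str) -> list:
    """Return a list of findings; an empty list means the binding is correctly scoped."""
    findings = []
    ns, name = sa["metadata"]["namespace"], sa["metadata"]["name"]
    if not sa["metadata"].get("annotations", {}).get("eks.amazonaws.com/role-arn"):
        findings.append("no eks.amazonaws.com/role-arn annotation: Pod falls back to the node role")
    expected_sub = f"system:serviceaccount:{ns}:{name}"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue  # only web-identity assume statements matter for IRSA
        cond = stmt.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if eq.get(f"{oidc}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        sub = eq.get(f"{oidc}:sub") or like.get(f"{oidc}:sub")
        if sub is None:
            findings.append("no sub condition: every ServiceAccount in the cluster can assume the role")
        elif "*" in sub or "?" in sub:
            findings.append(f"sub is a wildcard ({sub}); pin it to {expected_sub}")
        elif sub != expected_sub:
            findings.append(f"sub {sub} does not match this ServiceAccount ({expected_sub})")
    return findings
```

Run it against each role referenced by a ServiceAccount in the cluster; any non-empty result is a Pod whose AWS identity is wider than the "one Pod, one restricted role" cue requires.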