What it is: The smallest deployable unit in Kubernetes. A Pod runs one or more containers that share the same network namespace and storage volumes.

What it’s for:

• Run your application containers (microservices) on EKS.
• Group tightly-coupled containers together (sidecar pattern).

Key ideas:

• A Pod is scheduled onto a worker node (EC2 node group or Fargate).
• Pods get a network identity (IP) and use Kubernetes service discovery.
• Pods use a Kubernetes Service Account for identity inside the cluster.
• For AWS permissions (S3/DynamoDB/etc.), Pods should use IRSA (not the node instance role).

Exam cues:

• “UI Pods must access DynamoDB only” → Pod identity must map to a restricted IAM role (IRSA).
• “Pods run on EC2 worker nodes” → Pod scheduled on nodes; node role is shared, so avoid broad permissions there.

Hard words (English + IPA + Vietnamese meaning):

• *pod* /pɑːd/: pod (đơn vị chạy nhỏ nhất trong Kubernetes)
• *container* /kənˈteɪnər/: container
• *namespace* /ˈneɪmˌspeɪs/: không gian tên (phạm vi chia tách tài nguyên)
• *volume* /ˈvɑːljuːm/: volume (ổ/khối lưu trữ)
• *sidecar* /ˈsaɪdˌkɑːr/: container “đi kèm” hỗ trợ (log, proxy…)

Child pages:

• Pod ↔ Service Account Binding
• Pod AWS Permissions (Node Role vs IRSA)
• Pod Networking Basics
• No “Direct IAM Policy on Pod