DevOps & CI

Kubernetes

A to-the-point review of the Kubernetes an SDET gets asked about: what the control plane does, Pods / Deployments / Services / Ingress, ConfigMaps & Secrets, health probes, scaling & self-healing, and how you deploy and test apps on a cluster. Builds on the Docker page — containers are the unit K8s schedules. Short explanations, short examples.

Take the 12-question quiz →

01What Kubernetes Is — and Why

Docker runs a container on a host. Kubernetes (K8s) runs thousands across a fleet of machines — scheduling them, restarting failures, scaling on load, and rolling out new versions with zero downtime.

You declare the desired state (“3 replicas of this image”); Kubernetes continuously reconciles reality to match it.

Self-healing — a crashed Pod is recreated; a dead node’s Pods are rescheduled.
Horizontal scaling — add/remove replicas by hand or automatically on CPU/metrics.
Rolling updates & rollback — ship a new version gradually, revert instantly if it’s bad.
Service discovery & load balancing — stable names and traffic spreading across replicas.

Mental model: Docker is the package; Kubernetes is the operations team that runs the packages and keeps them alive.

02Cluster Architecture

A cluster = a control plane (the brain) + worker nodes (where Pods run).

Component	Role
API server	the front door — every command/tool talks to it
etcd	key-value store holding the whole cluster state
scheduler	decides which node a new Pod runs on
controller manager	reconciliation loops driving actual → desired state
kubelet	agent on each node that runs & reports on Pods
kube-proxy	node networking rules for Services

The core idea — control loops: controllers constantly compare desired state (your YAML) to actual state and act to close the gap. That loop is why K8s self-heals.

03Pods, ReplicaSets & Deployments

Pod — the smallest unit: one (or a few tightly-coupled) containers sharing a network/IP and storage. Pods are ephemeral — they come and go with new IPs.
ReplicaSet — keeps N identical Pods running.
Deployment — manages ReplicaSets to give you rolling updates and rollbacks; what you actually write for stateless apps.
StatefulSet — for stateful apps (databases) needing stable identity and storage; DaemonSet — one Pod per node (agents); Job/CronJob — run-to-completion / scheduled tasks.

apiVersion: apps/v1
kind: Deployment
metadata: { name: web }
spec:
  replicas: 3                 # desired state
  selector: { matchLabels: { app: web } }
  template:
    metadata: { labels: { app: web } }
    spec:
      containers:
        - name: web
          image: myapp:1.2
          ports: [{ containerPort: 3000 }]

Say this: you rarely create Pods directly — you create a Deployment, and it manages the Pods (and their replacement on update or failure) for you.

04Services & Ingress

Pods are ephemeral with changing IPs, so you never talk to a Pod directly. A Service gives a stable virtual IP + DNS name and load-balances across the matching Pods.

Type	Reachable from
ClusterIP (default)	inside the cluster only
NodePort	a fixed port on every node
LoadBalancer	an external cloud load balancer

Ingress sits in front of Services as an HTTP(S) router — host/path rules, TLS termination — so many apps share one external entry point instead of one LoadBalancer each.

Selector glue: a Service finds its Pods by label selector (app: web), not by IP — which is how it keeps working as Pods are replaced.

05ConfigMaps & Secrets

ConfigMap — non-sensitive config (URLs, feature flags) injected as env vars or mounted files. Keeps config out of the image.
Secret — same idea for sensitive data (passwords, tokens, TLS keys); base64-encoded and access-controlled (enable encryption-at-rest / external secret stores in prod).
Namespaces — virtual partitions of one cluster (e.g. dev, staging, test) for isolation and quotas.

env:
  - name: LOG_LEVEL
    valueFrom: { configMapKeyRef: { name: app-config, key: log_level } }
  - name: DB_PASSWORD
    valueFrom: { secretKeyRef: { name: db-secret, key: password } }

Interview note: a Secret is only base64-encoded, not encrypted by default — call that out and mention RBAC, encryption-at-rest, and tools like Sealed Secrets / Vault.

06Health Probes & Self-Healing

K8s keeps apps healthy using probes — periodic checks the kubelet runs against each container.

Liveness — “is it alive?” Fails → container is restarted. Catches deadlocks.
Readiness — “can it serve traffic?” Fails → Pod is pulled from the Service’s load balancer (but not killed). Catches warm-up/dependency waits.
Startup — guards slow-starting apps so liveness doesn’t kill them prematurely.

readinessProbe:
  httpGet: { path: /healthz, port: 3000 }
  initialDelaySeconds: 5
  periodSeconds: 10

Liveness vs readiness — the classic question: liveness failing restarts the container; readiness failing only removes it from rotation until it recovers. Mixing them up causes restart loops.

07Scaling & Rollouts

Manual scale — kubectl scale deploy/web --replicas=5.
HPA (Horizontal Pod Autoscaler) — adds/removes replicas automatically on CPU/memory/custom metrics.
Rolling update — the default: replace Pods gradually so there’s no downtime; kubectl rollout undo reverts.
Resource requests/limits — requests guide scheduling; limits cap usage (over the memory limit → the container is OOM-killed).

kubectl set image deploy/web web=myapp:1.3   # trigger a rolling update
kubectl rollout status deploy/web            # watch it
kubectl rollout undo  deploy/web             # roll back if bad

08Kubernetes for Testing & CI

Where an SDET actually touches K8s:

Ephemeral test environments — spin up a namespace (or a whole throwaway cluster) per branch/PR, deploy the app, run E2E, tear it down.
Local clusters — kind (Kubernetes-in-Docker) or minikube to run a real cluster in CI or on your laptop.
kubectl for debugging — get, describe, logs, exec, port-forward are your triage toolkit when a test deployment misbehaves.
Helm — templated, versioned manifests (“charts”) so the same deploy is parameterized across dev/test/prod.

kubectl get pods -n test                 # what's running
kubectl describe pod web-xyz -n test     # events: why is it pending/crashing?
kubectl logs -f web-xyz -n test          # app output
kubectl port-forward svc/web 8080:80     # hit the service locally for a test

First triage move: a Pod stuck Pending or CrashLoopBackOff? kubectl describe pod — the Events section almost always names the cause (no node fits, image pull failed, failing probe).

09Rapid-Fire Q&A

Reveal each answer to self-check, then test yourself with the quiz.

Docker vs Kubernetes?

Docker builds and runs a container on a host; Kubernetes orchestrates many containers across a cluster — scheduling, self-healing, scaling, and rollouts.

What is a Pod?

The smallest deployable unit: one or more tightly-coupled containers sharing a network/IP and storage. Pods are ephemeral.

Pod vs Deployment?

A Deployment manages a ReplicaSet of identical Pods and gives you rolling updates, rollbacks, and self-healing — you create the Deployment, not Pods directly.

Why do you need a Service?

Pods are ephemeral with changing IPs; a Service provides a stable IP/DNS name and load-balances across the Pods matching its label selector.

ClusterIP vs NodePort vs LoadBalancer?

ClusterIP = internal only; NodePort = a fixed port on each node; LoadBalancer = an external cloud LB. Ingress routes HTTP across many Services.

Liveness vs readiness probe?

Liveness failing restarts the container; readiness failing removes the Pod from the Service load balancer until it recovers (no restart).

ConfigMap vs Secret?

Both inject config as env/files; ConfigMap is for non-sensitive data, Secret for sensitive — but a Secret is only base64-encoded, not encrypted by default.

How does self-healing work?

Controllers run reconciliation loops comparing actual to desired state and recreate/reschedule Pods to close the gap.

How do you scale?

kubectl scale, or an HPA that adjusts replicas automatically based on CPU/memory/custom metrics.

How do you do a zero-downtime deploy?

A rolling update replaces Pods gradually behind a readiness probe; kubectl rollout undo reverts to the previous version.

requests vs limits?

requests reserve resources for scheduling; limits cap them — exceeding the memory limit gets the container OOM-killed.

How do you debug a failing Pod?

kubectl describe pod (read the Events), kubectl logs, and exec/port-forward — Pending/CrashLoopBackOff usually explains itself in the events.