KCNA: Kubernetes and Cloud Native Associate Fundamentals

Cloud-native applications are designed to run in dynamic, distributed cloud environments — exploiting the cloud's elasticity, scalability, and resilience. The CNCF Cloud Native Trail Map guides adoption through containers, CI/CD, orchestration, observability, service mesh, and policy. Containers: lightweight isolated runtime environments sharing the host OS kernel — unlike VMs, containers do not include their own OS. Docker builds container images from Dockerfiles (layered filesystem, each instruction adds a layer). Images are stored in registries (Docker Hub, GitHub Container Registry, cloud-native registries like ECR, GCR, ACR). OCI (Open Container Initiative) standardises image format and runtime specification — Kubernetes uses container runtimes that implement the CRI (Container Runtime Interface): containerd (default in modern Kubernetes), CRI-O (Kubernetes-native). The twelve-factor app methodology defines best practices for cloud-native applications: stateless processes, configuration from environment, backing services via URL, explicit dependencies, and more.

Kubernetes (K8s) is an open-source container orchestration platform — it manages the lifecycle of containerised workloads across a cluster of nodes. Control plane components (run on master node): kube-apiserver (the API gateway — all kubectl commands go here), etcd (distributed key-value store — the single source of truth for cluster state), kube-scheduler (assigns pods to nodes based on resource requirements and constraints), kube-controller-manager (runs control loops: node controller, replication controller, endpoints controller). Worker node components: kubelet (ensures pods are running on the node, talks to container runtime), kube-proxy (manages iptables/IPVS rules for Service networking), container runtime (containerd or CRI-O). Core API objects: Pod (smallest deployable unit — one or more containers sharing network and storage), Deployment (manages replicated, rolling-update-capable pods), Service (stable network endpoint for pods — ClusterIP, NodePort, LoadBalancer, ExternalName), ConfigMap (non-sensitive configuration as key-value or files), Secret (sensitive data — base64 encoded, RBAC-controlled), Namespace (logical cluster partition — resource quotas and RBAC per namespace).

Kubernetes networking model: every Pod gets a unique IP, all pods can communicate with all other pods without NAT (flat network model). CNI (Container Network Interface) plugins implement this: Calico (supports Network Policies, IPIP or BGP routing), Flannel (simple overlay network), Cilium (eBPF-based, Layer 7 visibility, strong Network Policy support). Services: ClusterIP (internal load balancer within cluster), NodePort (expose on each node's IP at a fixed port — for external access without cloud load balancer), LoadBalancer (provision a cloud load balancer automatically — cloud-provider specific), Ingress (layer 7 HTTP routing — paths and hostnames to different services — requires Ingress controller like nginx or Traefik). Storage: Volumes (ephemeral — tied to Pod lifecycle), PersistentVolume (PV — pre-provisioned storage resource), PersistentVolumeClaim (PVC — request for storage by a pod — dynamically provisioned via StorageClass). Kubernetes security: RBAC (Role and ClusterRole + RoleBinding and ClusterRoleBinding — control who can do what to which resources), Network Policies (restrict pod-to-pod traffic — Calico or Cilium required), Pod Security Admission (enforce pod security standards — restricted, baseline, privileged).

The CNCF (Cloud Native Computing Foundation) hosts hundreds of projects organised by maturity: Graduated (production-ready — Kubernetes, Prometheus, Envoy, Helm, Flux, Argo, OpenTelemetry), Incubating (growing adoption — Kyverno, Buildpacks), Sandbox (early stage). Key CNCF projects: Prometheus (metrics — pull-based scraping, PromQL query language, Alertmanager for alerts), Grafana (dashboards for Prometheus metrics — visualise SLOs and SLIs), Jaeger and Tempo (distributed tracing), Fluentd and Fluent Bit (log aggregation), OpenTelemetry (unified observability instrumentation standard — traces, metrics, logs from one SDK). Service mesh: Istio (sidecar-based, feature-rich — mutual TLS between services, traffic management, telemetry) and Linkerd (lightweight alternative, eBPF-based in Linkerd 2.x). GitOps: Flux and Argo CD implement GitOps — desired cluster state is declared in Git, the operator continuously reconciles actual state to match. Helm: Kubernetes package manager — charts bundle Kubernetes manifests with templating, versioning, and upgrade management.