Skip to main content

Kubernetes Glossary

Key Takeaways for AI & Readers
  • Centralized Terminology: This glossary provides a comprehensive reference for 80+ Kubernetes terms, concepts, and acronyms.
  • Quick Definitions: Each entry offers a concise, accurate explanation with links to official documentation and relevant handbook pages.
  • Foundation for Learning: Familiarity with these terms is essential for understanding Kubernetes architecture, networking, security, and operations.

A comprehensive reference of Kubernetes terminology. Each term includes a concise definition and links to official documentation.

A

Admission Controller

A piece of code that intercepts requests to the Kubernetes API Server before the object is persisted to etcd. Admission controllers can validate (reject invalid requests) or mutate (modify requests). Examples include LimitRanger, PodSecurity, and custom webhooks.

Affinity

Scheduling rules that attract Pods to specific Nodes (node affinity) or co-locate/separate Pods relative to each other (pod affinity/anti-affinity). Affinities can be required (hard) or preferred (soft).

Annotation

Key-value pairs attached to objects that store non-identifying metadata. Unlike Labels, annotations are not used for selection. Common uses include build info, tool configuration, and ingress controller settings.

API Server (kube-apiserver)

The front door to the Kubernetes cluster. All communication — from kubectl, controllers, and nodes — goes through the API Server. It is the only component that communicates directly with etcd.

B

Blue-Green Deployment

A deployment strategy that runs two identical environments (Blue = current, Green = new). Traffic is switched from Blue to Green after the new version is verified healthy. Not natively built into Kubernetes but achievable with Service selector switching.

C

Canary Deployment

A deployment strategy where a new version is rolled out to a small subset of users first. If the canary is healthy, traffic is gradually shifted to it. Tools like Argo Rollouts and Flagger automate this process.

CephFS

A distributed filesystem from the Ceph storage system. Supports ReadWriteMany access mode, allowing multiple Pods on multiple Nodes to mount the same volume simultaneously.

CertManager

A Kubernetes addon that automates the management and issuance of TLS certificates from various sources (Let's Encrypt, Vault, self-signed). Commonly used with Ingress for automatic HTTPS.

Cilium

A CNI plugin that uses eBPF (extended Berkeley Packet Filter) to provide networking, security, and observability for Kubernetes. Can replace kube-proxy entirely for better performance.

Cluster

A set of machines (Nodes) managed by Kubernetes. Every cluster has at least one Control Plane node and one or more Worker Nodes.

ClusterRole / ClusterRoleBinding

Cluster-scoped RBAC resources. A ClusterRole defines permissions across the entire cluster (all namespaces), and a ClusterRoleBinding grants those permissions to a user, group, or ServiceAccount.

CNI (Container Network Interface)

A specification and set of plugins that configure networking for containers. Kubernetes uses CNI plugins (Calico, Cilium, Flannel) to assign IPs to Pods, set up routes, and enforce network policies.

ConfigMap

An API object used to store non-confidential data in key-value pairs. Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files mounted in a volume.

Container

A lightweight, portable executable unit that packages application code with all its dependencies. Kubernetes orchestrates containers, but does not build them.

containerd

The industry-standard container runtime. A graduated CNCF project used by most Kubernetes distributions (EKS, GKE, Kind). It implements the CRI (Container Runtime Interface).

Controller Pattern

The core architectural pattern of Kubernetes. A controller watches the shared state (API Server), compares it to the desired state, and makes changes to the world to bring the actual state closer to the desired state.

Control Plane

The set of components that manage the cluster: API Server, etcd, Scheduler, and Controller Manager. The Control Plane makes global decisions about scheduling, scaling, and responding to cluster events.

Controller

A control loop that watches the state of your cluster via the API Server, then makes or requests changes to move the current state toward the desired state. Examples: Deployment Controller, ReplicaSet Controller, Job Controller.

CRD (Custom Resource Definition)

An extension of the Kubernetes API that allows you to define custom resource types. Combined with a custom controller, CRDs enable the Operator pattern.

Desired State

The configuration you declare in your YAML manifests (e.g., "I want 3 replicas"). Kubernetes constantly works to ensure the Actual State matches this Desired State.

CRI (Container Runtime Interface)

The interface between the kubelet and the container runtime. CRI-compliant runtimes include containerd and CRI-O.

CRI-O

A lightweight container runtime built specifically for Kubernetes. Used by OpenShift.

CronJob

A controller that creates Jobs on a repeating schedule, similar to a Linux crontab. Supports concurrency policies and deadline handling.

CSI (Container Storage Interface)

A standard for exposing block and file storage systems to container orchestrators. CSI drivers enable Kubernetes to use storage from various providers (AWS EBS, GCE PD, Ceph, NetApp).

D

DaemonSet

A workload that ensures a copy of a Pod runs on every Node (or a specific subset). Common use cases include log collectors, monitoring agents, and CNI plugins.

Deployment

An API object that manages ReplicaSets to provide declarative updates for Pods. Supports rolling updates, rollbacks, scaling, and pause/resume.

E

eBPF (extended Berkeley Packet Filter)

A Linux kernel technology that allows running sandboxed programs in kernel space without changing kernel source code. Used by Cilium for high-performance networking and by Falco/Tetragon for security monitoring.

EndpointSlice

A scalable replacement for the Endpoints resource. EndpointSlices break the list of backend Pod IPs for a Service into chunks of ~100, reducing API Server load in large clusters.

Ephemeral Container

A temporary container added to a running Pod for debugging purposes. Created via kubectl debug and cannot be restarted or have ports exposed.

etcd

A consistent, highly-available distributed key-value store that serves as the single source of truth for all Kubernetes cluster state. Uses the RAFT consensus algorithm.

F-G

Finalizer

A key on a Kubernetes object that tells the system to perform specific cleanup actions before deleting the object. Objects with active finalizers remain in a "Terminating" state until the finalizer is removed.

Gateway API

The next-generation API for routing in Kubernetes, designed to replace Ingress. Provides role-oriented resource model (GatewayClass, Gateway, HTTPRoute) with richer traffic management.

H

Headless Service

A Service with clusterIP: None. Instead of a single virtual IP, DNS returns the individual Pod IPs directly. Used with StatefulSets for direct Pod addressing.

Helm

The package manager for Kubernetes. Helm uses "Charts" (bundles of templated YAML) to install, upgrade, and manage applications.

HPA (Horizontal Pod Autoscaler)

Automatically scales the number of Pod replicas based on observed metrics (CPU, memory, or custom metrics). Uses the formula: desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric).

I-J

Init Container

A container that runs to completion before the main application containers start. Used for setup tasks like waiting for a database, downloading configuration, or running migrations.

Ingress

An API object that manages external HTTP(S) access to Services. Requires an Ingress Controller (NGINX, Traefik, etc.) to function. Being gradually replaced by the Gateway API.

IPVS (IP Virtual Server)

A Linux kernel module for Layer 4 load balancing. Used as an alternative to iptables by kube-proxy for better performance in clusters with many Services.

Job

A workload that creates Pods and ensures a specified number of them successfully complete. Used for batch processing, data migrations, and one-time tasks.

K

Karpenter

An open-source Kubernetes node provisioner that automatically launches right-sized compute resources in response to unschedulable Pods. Faster and more flexible than the Cluster Autoscaler.

Knative

A platform built on Kubernetes for deploying and managing serverless workloads. Provides scale-to-zero, revision management, and event-driven architectures.

kubeadm

The official tool for bootstrapping Kubernetes clusters. Handles certificate generation, Control Plane static pod creation, and worker node joining.

kubectl

The command-line tool for communicating with the Kubernetes API Server. Supports resource management, debugging, and cluster administration.

kubelet

An agent running on every Node that ensures containers described in PodSpecs are running and healthy. Communicates with the API Server and the container runtime.

kube-proxy

A network component running on every Node that maintains networking rules for Service routing. Typically uses iptables or IPVS.

Kustomize

A template-free configuration management tool built into kubectl. Uses bases, overlays, and patches to customize YAML for different environments.

L

Label

Key-value pairs attached to objects (Pods, Services, Nodes) used for identification and selection. Labels power Service routing, scheduling, and resource grouping.

LimitRange

A policy object that constrains resource allocations (CPU, memory) for Pods and containers in a Namespace. Can set defaults, minimums, and maximums.

Liveness Probe

A health check that determines if a container is alive. If the probe fails, the kubelet kills the container and it is restarted according to its restart policy.

M-N

Namespace

A virtual partition of the cluster for resource isolation. Namespaces scope names, RBAC, resource quotas, and network policies. Default namespaces include default, kube-system, and kube-public.

Network Policy

An API object that controls Layer 3/4 traffic flow between Pods. Requires a CNI plugin that supports Network Policies (Calico, Cilium). Without any policies, all traffic is allowed.

Node

A worker machine (VM or physical) in the cluster. Each Node runs a kubelet, kube-proxy, and container runtime.

O-P

OCI (Open Container Initiative)

A governance structure for creating open standards for container formats and runtimes. Defines the Image Specification and Runtime Specification.

Operator

A pattern that combines a CRD with a custom controller to encode operational knowledge (install, upgrade, backup, failover) for a specific application. Examples: Prometheus Operator, cert-manager, Strimzi.

PersistentVolume (PV)

A piece of storage provisioned in the cluster, either manually by an admin or dynamically via a StorageClass. PVs have a lifecycle independent of any Pod.

PersistentVolumeClaim (PVC)

A request for storage by a user. Pods reference PVCs, and PVCs bind to PVs that satisfy the requested capacity and access mode.

Pod

The smallest deployable unit in Kubernetes. A Pod wraps one or more containers that share networking (same IP) and storage (shared volumes).

PodDisruptionBudget (PDB)

A policy that limits the number of Pods of a replicated application that can be voluntarily disrupted at the same time. Ensures minimum availability during drains, upgrades, and autoscaling.

PriorityClass

Defines the importance of a Pod relative to others. Higher-priority Pods can preempt (evict) lower-priority Pods when resources are scarce.

Q-R

QoS Class (Quality of Service)

Kubernetes assigns one of three QoS classes to Pods based on their resource configuration: Guaranteed (requests == limits), Burstable (requests < limits), BestEffort (no requests/limits). QoS class determines eviction priority.

RBAC (Role-Based Access Control)

The authorization system in Kubernetes. Uses Roles/ClusterRoles to define permissions and RoleBindings/ClusterRoleBindings to assign them to users, groups, or ServiceAccounts.

Readiness Probe

A health check that determines if a container is ready to serve traffic. If it fails, the Pod is removed from Service endpoints but not restarted.

Reconciliation Loop

The process of moving the current state towards the desired state. "Observe -> Diff -> Act". This loop runs continuously for every object in the cluster.

ReplicaSet

Maintains a stable set of replica Pods. The ReplicaSet controller continuously reconciles the actual Pod count with the desired count. Typically managed by a Deployment.

ResourceQuota

A policy that limits the total resource consumption (CPU, memory, object count) in a Namespace. Prevents a single team from consuming all cluster resources.

Role / RoleBinding

Namespace-scoped RBAC resources. A Role defines permissions within a specific Namespace, and a RoleBinding grants those permissions to subjects.

S

Scheduler (kube-scheduler)

The Control Plane component that assigns Pods to Nodes. Uses a two-phase process: filtering (eliminate unsuitable nodes) and scoring (rank remaining nodes).

Secret

An API object for storing sensitive data (passwords, tokens, keys). Secrets are base64-encoded by default — not encrypted. Enable encryption at rest for true security.

Selector

A query mechanism that filters objects based on Labels. Services use selectors to route traffic to matching Pods. ReplicaSets use selectors to identify which Pods they manage.

Service

A stable network abstraction that provides a fixed IP and DNS name for a dynamic set of Pods. Types: ClusterIP (internal), NodePort (node-level port), LoadBalancer (cloud LB), ExternalName (DNS alias).

ServiceAccount

An identity for Pods within the cluster. Used for RBAC authorization and for Pods to authenticate with the API Server or external services (e.g., via IRSA on AWS, Workload Identity on GCP).

Sidecar

A container that runs alongside the main application container in the same Pod. Common uses: service mesh proxy (Envoy), log forwarding, configuration reloading. Since Kubernetes 1.28, native sidecar containers are supported with the restartPolicy: Always field on init containers.

Startup Probe

A health check for slow-starting containers. While the startup probe is running, liveness and readiness probes are disabled, preventing premature container kills.

StatefulSet

A workload controller for stateful applications. Provides stable network identity (pod-0, pod-1), stable persistent storage (per-Pod PVCs), and ordered deployment/scaling.

StorageClass

A template for dynamically provisioning PersistentVolumes. Defines the provisioner (e.g., ebs.csi.aws.com), parameters, and reclaim policy.

T

Taint / Toleration

Taints are applied to Nodes to repel Pods. Tolerations are applied to Pods to allow scheduling on tainted Nodes. Effects: NoSchedule, PreferNoSchedule, NoExecute.

TopologySpreadConstraint

A Pod-level constraint that controls how Pods are distributed across topology domains (nodes, zones, regions). Ensures high availability by preventing concentration in a single failure domain.

V-Z

Velero

An open-source tool for backing up and restoring Kubernetes cluster resources and persistent volumes. Supports scheduled backups, migration, and disaster recovery.

Volume

A directory accessible to containers in a Pod. Volumes have a lifecycle tied to the Pod and can be backed by various storage types (emptyDir, hostPath, PVC, ConfigMap, Secret).

VPA (Vertical Pod Autoscaler)

Automatically adjusts CPU and memory requests for Pods based on observed usage. Operates in recommendation-only, initial, or auto mode.