Kubernetes
Kubernetes is a distributed reconcile loop: a database of desired state (etcd) and controllers grinding reality toward it. Every feature is that loop plus a Linux primitive you already know.
You need kind (Kubernetes in Docker) and kubectl on a real Linux host. kind create cluster gives you a real multi-component cluster locally, no cloud. The control plane is a set of processes: API server (the front door), etcd (the state store), scheduler (placement), controller-manager (the reconcile loops).
Create a cluster and list the control-plane components running as pods.
$ kubectl get pods -n kube-system
You'll see etcd, kube-apiserver, kube-scheduler, kube-controller-manager, coredns, and kube-proxy — the whole machine, laid out.
Solution:
$ kind create cluster --name gw
$ kubectl get pods -n kube-system
Containers in a Pod share one network namespace (and one IP) held open by a tiny pause container — the same namespace sharing you did with ip netns.
Run a 2-container pod and confirm both see the same IP.
$ kubectl exec pod/shared -c a -- hostname -i
Both containers report the same pod IP — because they share one net namespace, just like your hand-wired namespaces.
Solution:
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata: {name: shared}
spec:
  containers:
  - {name: a, image: busybox, command: ["sleep","3600"]}
  - {name: b, image: busybox, command: ["sleep","3600"]}
EOF
$ kubectl exec pod/shared -c a -- hostname -i
$ kubectl exec pod/shared -c b -- hostname -i
A Deployment declares "I want N replicas." A controller continuously makes reality match. Delete a pod and watch desired-state win.
Create a 2-replica Deployment, delete a pod, watch it come back.
$ kubectl get pods -l app=web
Kill one pod and a replacement appears within seconds — the reconcile loop restoring desired state. This is the idea Terraform shares.
Solution:
$ kubectl create deploy web --image=nginx --replicas=2
$ kubectl delete $(kubectl get pods -l app=web --field-selector=status.phase=Running -o name | head -1)   # delete exactly one running pod, not every match
$ kubectl get pods -l app=web -w
A ClusterIP Service is a virtual IP with no process behind it. kube-proxy programs iptables so packets to that IP get DNAT'd to a real pod — the same netfilter Docker used for -p.
Expose the Deployment and find the iptables rules kube-proxy wrote.
$ docker exec gw-control-plane iptables -t nat -L KUBE-SERVICES -n | grep web
The Service ClusterIP appears in the KUBE-SERVICES chain, routing to pod endpoints. Services are netfilter, all the way down.
Solution:
$ kubectl expose deploy web --port 80
$ kubectl get svc web
$ docker exec gw-control-plane iptables -t nat -L KUBE-SERVICES -n | grep web
Pods find Services by name through cluster DNS (CoreDNS), which maps web.default.svc.cluster.local to the ClusterIP.
From a throwaway pod, resolve the Service name.
$ kubectl run t --rm -it --image=busybox --restart=Never -- nslookup web
It resolves web.default.svc.cluster.local to the ClusterIP — DNS + Services working together.
Solution:
$ kubectl run t --rm -it --image=busybox --restart=Never -- nslookup web
A Service sends traffic to Pods matched by its selector. If the selector's labels don't match any ready pod, the Service has zero endpoints and silently blackholes traffic — the single most common K8s networking bug.
Create a Service whose selector matches nothing, see empty endpoints, then fix the labels.
$ kubectl get endpoints web2
Endpoints start empty (selector mismatch). Fix the selector to match the pod labels and endpoints populate — traffic flows.
Solution:
Always check kubectl get endpoints <svc> first when a Service "doesn't work". Empty endpoints = selector/label mismatch.
$ kubectl create svc clusterip web2 --tcp=80:80   # selector app=web2, but pods are app=web
$ kubectl get endpoints web2                      # empty!
$ kubectl patch svc web2 -p '{"spec":{"selector":{"app":"web"}}}'   # point the selector at the labels the pods actually carry
$ kubectl get endpoints web2                      # now populated
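As an added example, not part of the curriculum, here is the endpoint-selection rule the exercise above depends on, written as a small Python check over the JSON shape that kubectl get svc/pods -o json returns. The Service, the two pods and their IPs are constructed samples; a Service with no selector is treated as having no automatic endpoints, which is the other way a ClusterIP ends up empty.

```python
import json

# Constructed sample objects, trimmed to the fields the check reads; the same
# shape comes from `kubectl get svc web2 -o json` and `kubectl get pods -o json`.
SERVICE = {"metadata": {"name": "web2"}, "spec": {"selector": {"app": "web2"}}}
PODS = {"items": [
    {"metadata": {"name": "web-1", "labels": {"app": "web"}},
     "status": {"podIP": "10.244.0.5",
                "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "web-2", "labels": {"app": "web"}},
     "status": {"podIP": "10.244.0.6",
                "conditions": [{"type": "Ready", "status": "False"}]}},
]}


def is_ready(pod):
    """A pod only becomes an endpoint once its Ready condition is True."""
    return any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in pod.get("status", {}).get("conditions", []))


def selector_matches(selector, labels):
    """Equality-based selector: every key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def endpoints_for(service, pods):
    """Pod IPs the Service routes to: a selector exists, it matches, pod is Ready."""
    selector = service["spec"].get("selector", {})
    if not selector:          # no selector: endpoints are managed by hand, never auto-filled
        return []
    return [p["status"]["podIP"] for p in pods["items"]
            if selector_matches(selector, p["metadata"].get("labels", {})) and is_ready(p)]


def explain(service, pods):
    """Per-pod reason it is or is not an endpoint, so an empty set is diagnosable."""
    selector = service["spec"].get("selector", {})
    report = {}
    for p in pods["items"]:
        labels = p["metadata"].get("labels", {})
        wanted = {k: v for k, v in selector.items() if labels.get(k) != v}
        if not selector:
            report[p["metadata"]["name"]] = "service has no selector"
        elif wanted:
            report[p["metadata"]["name"]] = f"label mismatch, selector wants {wanted}, pod has {labels}"
        elif not is_ready(p):
            report[p["metadata"]["name"]] = "labels match but pod is not Ready"
        else:
            report[p["metadata"]["name"]] = "endpoint"
    return report


if __name__ == "__main__":
    print(json.dumps(explain(SERVICE, PODS), indent=2))
    print(endpoints_for({"spec": {"selector": {"app": "web"}}}, PODS))  # ['10.244.0.5']
```

Point the two dict constants at real kubectl -o json output and the report tells you which of the two failure modes you are looking at before you start editing selectors.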
Reconcile loop + etcd + shared namespaces + iptables Services + CoreDNS + CNI — Kubernetes is orchestration over the exact primitives from Linux and Docker. The magic is gone; the understanding stays.