Kubernetes is an API and reconciliation engine on top of Linux control primitives. The control plane decides what should exist; the node runtime and kernel decide how it is isolated and enforced.
```mermaid
flowchart LR
  subgraph ControlPlane[Control Plane]
    API[API Server]
    Controllers[Controllers]
    Scheduler[Scheduler]
  end
  subgraph Node[Node]
    Kubelet[Kubelet]
    Runtime[CRI Runtime]
    Kernel[Linux Kernel Primitives]
  end
  API --> Controllers --> Scheduler --> Kubelet --> Runtime --> Kernel
```
Namespaces give a process a restricted view of the host:

- `net`: separate network stack (IP, routes, ports)
- `pid`: process tree isolation
- `mnt`: mount table isolation
- `ipc`/`uts`/`user`: IPC, hostname, user mapping isolation
A Pod's "sandbox" is essentially a shared set of namespaces. Containers inside a Pod usually share the same net namespace and optionally pid/uts namespaces.
```mermaid
flowchart TB
  Pod[Pod Sandbox] --> NetNS[net ns]
  Pod --> PidNS[pid ns]
  Pod --> MntNS[mnt ns]
  Pod --> IpcNS[ipc ns]
  Pod --> UtsNS[uts ns]
  Pod --> UserNS[user ns]
  App1[App Container] --> Pod
  App2[Sidecar Container] --> Pod
```
OOM killer + eviction (example):

If a container in a Burstable pod exceeds its memory limit, the kernel may OOM-kill the container process. If node memory pressure stays high, kubelet can evict BestEffort/Burstable pods first to restore headroom.
```mermaid
sequenceDiagram
  participant Pod
  participant Resolv as /etc/resolv.conf
  participant CoreDNS
  participant Cache as CoreDNS cache
  participant Zones as CoreDNS zones
  participant API as API Server
  participant Upstream as Upstream DNS
  Pod->>Resolv: lookup service.namespace.svc
  Resolv->>CoreDNS: UDP/TCP 53 query
  CoreDNS->>Cache: check cache
  alt cache hit
    Cache-->>CoreDNS: response
  else cache miss
    CoreDNS->>Zones: query zone chain
    Zones->>API: watch Services/Endpoints
  end
  CoreDNS-->>Resolv: returns ClusterIP
  Resolv-->>Pod: reply to libc resolver
  opt external name
    CoreDNS->>Upstream: forward external query
    Upstream-->>CoreDNS: answer
  end
```
DNS knobs (quick):

- `dnsPolicy`: `ClusterFirst` / `Default` / `None`
- `ndots`: affects short-name search order
- stubDomains: split DNS to custom upstreams

Additional reality:

- DNS: CoreDNS + resolv.conf injection
- Policy: NetworkPolicy enforced by iptables or eBPF
Run these on a node to confirm what the kernel sees:

Network focus:

```bash
# interfaces, sockets and the packet-filter rules the node is really running
ip link
ss -tulpn | head -n 20
nft list ruleset | head -n 40
iptables -S | head -n 20
# connection tracking (NAT state used by kube-proxy / Service VIPs)
conntrack -S
conntrack -L | head -n 20
# traffic control hooks and attached eBPF programs (CNI / NetworkPolicy datapath)
tc qdisc show
tc filter show dev <iface>
bpftool prog show | head -n 20
bpftool map dump id <map-id> | head -n 20
```

Performance focus:

```bash
# which cgroup a container process lives in, its threads, and pod memory usage
cat /proc/<pid>/cgroup
top -H -p <pid>
cat /sys/fs/cgroup/kubepods.slice/*/memory.current | head -n 5
```

Security focus:

```bash
# namespaces on the node, the view from inside one, and what the CRI runtime reports
lsns | head -n 5
nsenter -t <pid> -n ip addr
crictl pods
crictl inspectp <pod-id>
crictl inspect <container-id>
```
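The cgroup and namespace checks above, combined with the QoS/OOM behaviour described earlier, as an added example that is not part of the original post: a POSIX sh script that maps a PID's cgroup v2 path to the QoS class the kubelet encoded in the slice hierarchy, reports how close the cgroup is to `memory.max`, and lists the namespaces the kernel actually placed the process in. It assumes cgroup v2 mounted at `/sys/fs/cgroup`, the kubelet systemd cgroup driver naming (`kubepods.slice`, `kubepods-burstable.slice`, `kubepods-besteffort.slice`) and root on the node; `qos_class`, `memory_pct` and `inspect_pid` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes cgroup v2 at
# /sys/fs/cgroup, kubelet's systemd cgroup driver path naming, and root.

# qos_class: map one /proc/<pid>/cgroup line ("0::/kubepods.slice/...") to the
# Kubernetes QoS class the kubelet encoded in the slice hierarchy.
qos_class() {
  case "$1" in
    *kubepods-burstable.slice*)    echo Burstable ;;
    *kubepods-besteffort.slice*)   echo BestEffort ;;
    *kubepods.slice/kubepods-pod*) echo Guaranteed ;;   # no QoS sub-slice
    *)                             echo unknown ;;      # not a pod cgroup
  esac
}

# memory_pct: integer percent of memory.max in use for a cgroup directory, or
# "unlimited" when memory.max is "max" (no container limit, so the cgroup OOM
# killer never fires for it; only node-level eviction can reclaim this pod).
memory_pct() {
  cur=$(cat "$1/memory.current")
  max=$(cat "$1/memory.max")
  if [ "$max" = max ]; then
    echo unlimited
  else
    echo $(( cur * 100 / max ))
  fi
}

# inspect_pid: combine both for a live PID and show the namespaces the kernel
# actually placed it in (compare with the Pod sandbox diagram).
inspect_pid() {
  pid=$1
  line=$(cat "/proc/$pid/cgroup")   # cgroup v2: a single "0::<path>" line
  path=${line#*::}
  printf 'pid=%s qos=%s memory_used=%s\n' "$pid" "$(qos_class "$line")" \
    "$(memory_pct "/sys/fs/cgroup$path")"
  for ns in "/proc/$pid/ns"/*; do
    printf '  %s -> %s\n' "${ns##*/}" "$(readlink "$ns")"
  done
}

# Usage: sh inspect_pod_pid.sh <container-pid>
if [ -n "${1:-}" ]; then
  inspect_pid "$1"
fi
```

Pick the PID from `crictl inspect <container-id>` (the `info.pid` field) so the output lines up with what the runtime believes it created.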
If you understand namespaces + cgroups + kernel security, you understand the core of Kubernetes execution. Kubernetes is the control plane; Linux is the enforcement layer.
Series: Kubernetes Internals: How the Cluster Actually Works
homelabird
Sharing hands-on cloud infrastructure and DevOps experience. Writing about Kubernetes, Terraform, and observability, and documenting lessons learned as a solo operator.