Lifecycle: from spec to running#

1) Scheduling#

The Pod spec is stored in etcd. The scheduler watches unscheduled Pods, picks a node, and writes a binding. The kubelet on that node takes over.

Scheduler internals (scan)

2) Sandbox creation (CRI)#

Kubelet calls the CRI runtime (containerd, CRI-O, etc.) to create a PodSandbox. This typically:

• Creates namespaces (net, pid, ipc, uts)
• Prepares cgroups and resource limits
• Starts the pause container to hold those namespaces

3) Networking (CNI)#

The runtime or kubelet invokes CNI to wire the Pod into the cluster network:

• Assign an IP address and configure routes
• Create veth pair to the host namespace
• Populate DNS (/etc/resolv.conf)
• Apply network policy rules (iptables/eBPF) if enabled

From here, all containers in the Pod share the same IP and port space.

4) Volumes and init containers#

Kubelet attaches/mounts volumes into the Pod’s filesystem. Then init containers start sequentially. Only after they complete successfully do the main containers start.

5) App containers, probes, and readiness#

Main containers start in parallel. Kubelet evaluates:

• Readiness probes (controls Service endpoints)
• Liveness probes (triggers restart on failure)
• Startup probes (gates liveness during slow boot)

Readiness controls traffic routing; liveness controls restart behavior. Startup probes prevent premature liveness restarts during slow initialization.

6) Steady state#

At steady state, the Pod is mostly managed by:

• Kubelet (health checks, restarts)
• Runtime (container processes)
• CNI/iptables/eBPF (data plane)

The node enforces resource isolation via cgroups, and QoS class is derived from the Pod’s requests/limits.

7) Termination#

When a Pod is deleted:

• Kubelet sends SIGTERM to containers
• The grace period (terminationGracePeriodSeconds) starts
• preStop hooks run (if defined)
• Unfinished containers receive SIGKILL
• CNI cleanup and volume unmount follow

Grace period and preStop control clean shutdowns for stateful workloads.

A minimal Pod to observe the lifecycle#

Apply and inspect:

Verification checklist#

• Pod transitions: Pending → ContainerCreating → Running
• Pod IP is assigned (kubectl get pod -o wide)
• Readiness gate flips to Ready once probes pass

Troubleshooting quick hits#

• Pending: unschedulable (resources, taints, node selectors)
• ContainerCreating: CNI or image pull issues
• CrashLoopBackOff: app exits, bad config, failing liveness probe
• NotReady: readiness probe failing, endpoints removed

Wrap-up#

A Pod is a runtime sandbox, not a single container. Understanding the sandbox creation, CNI wiring, init flow, probes, and termination sequence makes debugging 10x easier.

Previous: Part 2 — Linux Control Primitives. Next up: Part 4 — Service Networking.

Series: Kubernetes Internals: How the Cluster Actually Works