A collection of diagrams explaining Kubernetes, extracted from our trainings, articles and talks (k8s sec, k8s intro).
The diagrams are realized using PlantUML, so they are plain text and can be adjusted easily.
Note that the diagrams don't use UML notation. They are rather box and line diagrams.
- Deployment ➜ Pod ➜ Container
- Pod ➜ Node
- Services, Nodes and Pods explained
- Services, Nodes and Pods explained (including IP addresses)
- Ingresses explained
- Rolling Updates explained
- Authentication and Authorization
- Role Based Access Control (RBAC) Resources
- PodSecurityPolicy Activation via RBAC
- Troubleshooting Kubernetes PodSecurityPolicies
Relationship between Deployment, Pod and Container.
Simplified - leaves out ReplicaSets for brevity.
Relationship between Pod and Node.
Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes.
Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes, including the different IP address ranges and ports:
- external IP,
- node internal and external IP and node port,
- service IP,
- pod IP and target port (on container)
Path of a request from the ingress controller's service to the actual pod, illustrating the role of the Ingress resource.
Flow from user API server request to response: check authn via identity provider, then authz via RBAC.
A simplified display of the resources involved in RBAC and how they relate to each other.
Note that "Permission" is not a k8s resource, but a list of rules inside the (Cluster)Roles that together make up a kind of permission.
It consists of resources and the verbs granted on them. For example:
- resources: "secrets"
- verbs: "get"
A "Subject" can be a ServiceAccount, user or group.
Connection from Pod to PSP via RBAC (Role, RoleBinding, ServiceAccount).
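As an added illustration (not part of the diagram set), a small Python model of how the API server evaluates the RBAC resources described above, including the `use` verb on a named PodSecurityPolicy that the PSP activation diagram relies on; the Role names, subjects and namespaces are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:                 # one entry of a (Cluster)Role's "rules" list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty = any name


@dataclass
class Subject:              # User, Group or ServiceAccount
    kind: str
    name: str
    namespace: str = ""     # only set for ServiceAccount


@dataclass
class Binding:              # RoleBinding: a role's rules -> subjects, in one namespace
    namespace: str
    rules: list
    subjects: list


def _match(pattern, value):
    return pattern == "*" or pattern == value


def allowed(bindings, who, verb, resource, namespace, name=None):
    """Deny by default; any rule of any binding for `who` in `namespace` may grant."""
    for b in bindings:
        if b.namespace != namespace or who not in b.subjects:
            continue
        for r in b.rules:
            if (any(_match(p, resource) for p in r.resources)
                    and any(_match(p, verb) for p in r.verbs)
                    and (not r.resource_names or name in r.resource_names)):
                return True
    return False


# Constructed sample objects, not from a real cluster.
ALICE = Subject("User", "alice")
WEB_SA = Subject("ServiceAccount", "web", namespace="team-a")
BINDINGS = [
    # "secret-reader" Role: the resources/verbs example from the notes above
    Binding("team-a", [Rule(["secrets"], ["get"])], [ALICE]),
    # "psp-restricted" Role: lets the pod's ServiceAccount "use" one named PSP
    Binding("team-a", [Rule(["podsecuritypolicies"], ["use"], ["restricted"])], [WEB_SA]),
]
```

A real API server additionally matches apiGroups, ClusterRoleBindings and group membership (e.g. `system:serviceaccounts`), which this model omits. PodSecurityPolicy itself was removed in Kubernetes 1.25, so the `use` check only applies to clusters still running it.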
A diagram to help with debugging Kubernetes PodSecurityPolicies.