A collection of diagrams explaining kubernetes, extracted from our
For questions or suggestions you are welcome to join us at our myCloudogu community forum.
The diagrams are realized using PlantUML, so they're basically text and can be adjusted easily.
Note that the diagrams don't use UML notation. They are rather box and line diagrams.
Table of contents
- Deployment ➜ Pod ➜ Container
- Pod ➜ Node
- Services, Nodes and Pods explained
- Services, Nodes and Pods explained (including IP addresses)
- Ingresses explained
- Rolling Updates explained
- Authentication and Authorization
- Role Based Access Control (RBAC) Resources
- PodSecurityPolicy Activation via RBAC
- Troubleshooting Kubernetes PodSecurityPolicies
Deployment ➜ Pod ➜ Container
Relationship between Deployment, Pod and Container.
Simplified - leaves out ReplicaSets for brevity.
Pod ➜ Node
Relationship between Pod and Node.
Services, Nodes and Pods explained
Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes.
Services, Nodes and Pods explained (including IP addresses)
Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes, including the different IP address ranges and ports:
- external IP,
- node internal and external IP and node port,
- service IP,
- pod IP and target port (on container)
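To make the four address/port layers concrete, here is an added example (not one of the original diagrams and not from the k8s-diagrams project): a Deployment and a Service of type LoadBalancer, with each field annotated with the layer it belongs to. The names, ports and the image are assumptions chosen for illustration.

```yaml
# Added example: Deployment plus LoadBalancer Service, annotated with the
# address layers from the list above. Names, ports and image are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
        - name: hello
          image: example.invalid/hello:1.0   # placeholder image
          ports:
            - containerPort: 8080           # target port on the container (reached via the pod IP)
---
apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  type: LoadBalancer   # the cloud provider allocates the external IP
  selector:
    app: hello         # pods (and thus their pod IPs) are selected by label
  ports:
    - port: 80         # port on the service IP (ClusterIP)
      targetPort: 8080 # port on the pod IP, i.e. the container port above
      nodePort: 30080  # port opened on every node's internal and external IP
```

After applying it, `kubectl get service hello` shows the service IP (CLUSTER-IP), the external IP (EXTERNAL-IP) and `80:30080/TCP`, i.e. the service port and the node port; `kubectl get pods -o wide` shows the pod IPs and the nodes they run on. A `nodePort` must fall inside the cluster's node port range, which defaults to 30000-32767, and is allocated automatically when the field is omitted. Note that a LoadBalancer Service still exposes the node port on every node, so node firewalling decides whether that path is reachable from outside.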
Ingresses explained
Progress of a request from the ingress controller's service to the actual pod, illustrating the role of the
Rolling Updates explained
Authentication and Authorization
Flow from user API server request to response: check authn via identity provider, then authz via RBAC.
Role Based Access Control (RBAC) Resources
A simplified display of resources involved in RBAC and their correlations.
Permission is not a k8s resource, but a list of rules inside the (Cluster)Roles that make up a kind of permission.
It consists of resources and the verbs granted on them. For example:
- resources: "secrets"
- verbs: "get"
Subject can be a ServiceAccount, User or Group.
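The following manifests are an added example (not one of the original diagrams) that spells out the resources from the RBAC diagram in YAML: the permission from the text above (resource `secrets`, verb `get`) lives inside a Role, and a RoleBinding connects that Role to a Subject, here a ServiceAccount. The names and the `demo` namespace are assumptions.

```yaml
# Added example: the RBAC resources from the diagram as manifests.
# Namespace and names are assumptions.
apiVersion: v1
kind: ServiceAccount          # the Subject
metadata:
  name: secret-reader
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                    # namespaced; a ClusterRole would apply cluster-wide
metadata:
  name: read-secrets
  namespace: demo
rules:                        # the "Permission": resources plus verbs
  - apiGroups: [""]           # "" is the core API group, where secrets live
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding             # connects Subject and Role
metadata:
  name: secret-reader-reads-secrets
  namespace: demo
subjects:
  - kind: ServiceAccount      # could also be kind: User or kind: Group
    name: secret-reader
    namespace: demo
roleRef:
  kind: Role
  name: read-secrets
  apiGroup: rbac.authorization.k8s.io
```

The authorization step from the diagram above can be checked without creating a pod by impersonating the subject: `kubectl auth can-i get secrets -n demo --as=system:serviceaccount:demo:secret-reader` answers `yes`, while the same command with `list` answers `no`, because only `get` was granted. `get` alone still allows reading every secret in the namespace whose name is known; adding `resourceNames: ["<secret name>"]` to the rule narrows the permission to specific objects.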
PodSecurityPolicy Activation via RBAC
Connection from Pod to PSP via RBAC (Role, RoleBinding, ServiceAccount).
Troubleshooting Kubernetes PodSecurityPolicies
A diagram to help debugging Kubernetes PodSecurityPolicies.
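As an added example for the two PodSecurityPolicy sections above (not one of the original diagrams and not from the project), these manifests show the complete chain the activation diagram describes: a PSP, a ClusterRole granting the `use` verb on that PSP, a RoleBinding to the pod's ServiceAccount, and a Pod that satisfies the policy. Names, the `demo` namespace and the image are assumptions.

```yaml
# Added example: Pod -> ServiceAccount -> RoleBinding -> ClusterRole -> PSP.
# Names, namespace and image are assumptions.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "secret", "emptyDir", "projected", "downwardAPI", "persistentVolumeClaim"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-example"]   # only this PSP, not all of them
    verbs: ["use"]                          # the verb the admission controller checks
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                           # binding a ClusterRole per namespace
metadata:
  name: app-uses-restricted-psp
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: app
    namespace: demo
roleRef:
  kind: ClusterRole
  name: psp-restricted-example
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
spec:
  serviceAccountName: app                   # the subject the PSP admission evaluates
  securityContext:
    runAsNonRoot: true                      # required by MustRunAsNonRoot
  containers:
    - name: app
      image: example.invalid/app:1.0        # placeholder image
      securityContext:
        allowPrivilegeEscalation: false     # required by the PSP above
```

For troubleshooting, the two questions from the debugging diagram map to two commands: whether the service account may use the policy at all (`kubectl auth can-i use podsecuritypolicy/restricted-example -n demo --as=system:serviceaccount:demo:app`), and which policy actually admitted a running pod, which the admission controller records in the `kubernetes.io/psp` annotation (`kubectl get pod app -n demo -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}'`). Pods created by a controller (e.g. a Deployment) are admitted against the pod's service account, not the user who applied the Deployment, which is the usual reason a pod works when created directly but not via a Deployment. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the equivalent restrictions are enforced by Pod Security Admission, which is configured per namespace with labels instead of RBAC.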
Diagrams describing the general concepts of GitOps and distinguishing it from "ciOps".
See also our
- GitOps playground (to experience argocd and flux hands-on in a local k8s cluster),
- GitOps glossary and
- offerings for consulting.
There are different options when implementing GitOps. Some of them are depicted below.
CI Server writes image version to GitOps Repo.
CI Server read-only on GitOps Repo; GitOps Operator writes image version to GitOps Repo.
Infra as Code stays in app repo, CI Server writes to GitOps repo.