Skip to content


Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time


A collection of diagrams explaining kubernetes, extracted from our

For questions or suggestions you are welcome to join us at our myCloudogu community forum.

Discuss it on myCloudogu

The diagrams are realized using PlantUML, so they're basically text and can be adjusted easily.
Note that the diagrams don't use UML notation. They are rather box and line diagrams.

Table of contents

Deployment ➜ Pod ➜ Container

Relationship between Deployment, Pod and Container.
Simplified - leaves out ReplicaSets for brevity.

Pod ➜ Node

Relationship between Pod and Node.

Services, Nodes and Pods explained

Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes.

Services, Nodes and Pods explained (including IP addresses)

Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes. Including different address IP address ranges and ports:

  • external IP,
  • node internal and external IP and node port,
  • service IP,
  • pod IP and target port (on container)

Ingresses explained

Progress of a requests from the ingress controller's service to the actual pod, illustrating the role of the ingress resource.

Rolling Updates explained

Authentication and Authorization

Flow from user API server request to response: check authn via identity provider, then authz via RBAC.

Role Based Access Control (RBAC) Resources

A simplified display of resources involved in RBAC and their correlations.

Note that

  • Permission is not a k8s resource, but a list of rules inside the (Cluster-)roles that make up a kind of permission.
    It consits of resources and verbs granted on it. For example:
    • resources: "secrets"
    • verbs: "get"
  • Subject can be a serviceAccount, user or group

PodSecurityPolicy Activation via RBAC

Connection from Pod to PSP via RBAC (Role, RoleBinding, ServiceAccount).

Troubleshooting Kubernetes PodSecurityPolicies

A diagram to help debugging Kubernetes PodSecurityPolicies.


Diagrams describing the general concepts of gitOps and distinguishing it from "ciOps".

See also our

High-level overview


There are different options when implementing GitOps. Some of them are depicted bellow.

CI Server writes image version to GitOps Repo.

CI Server read-only on GitOps Repo; GitOps Operator writes image version to GitOps Repo.

Infra as Code stays in app repo, CI Server writes to GitOps repo.