Interview Advanced

Advanced Kubernetes Interview Questions — Internals, Edge Cases & Production Gotchas

📅 March 06, 2026 ⏱ 4 min read 🎯 Advanced

Where developers are forged. · Structured learning · Free forever.

📍 Part of: DevOps Interview → Topic 3 of 5

Kubernetes interview questions for senior DevOps roles — covering scheduler internals, etcd, networking, resource limits, autoscaling edge cases, and production-grade answers.

🔥 Advanced — solid Interview foundation required

In this tutorial, you'll learn

Kubernetes interview questions for senior DevOps roles — covering scheduler internals, etcd, networking, resource limits, autoscaling edge cases, and production-grade answers.

Kubernetes is a state-reconciliation engine; controllers constantly work to drive 'Current State' toward the 'Desired State' stored in etcd.
The Control Plane request flow (Auth -> Mutating -> Validating -> Etcd) is the gatekeeper of cluster stability.
Resource management isn't just about avoiding OOMKills; it's about defining 'Requests' accurately so the Scheduler can make intelligent placement decisions.

✦ Plain-English analogy ✦ Real code with output ✦ Interview questions

⚡Quick Answer

Control Plane request lifecycle: Auth -> Mutating Webhook -> Validation -> etcd -> Controllers -> Scheduler -> Kubelet
etcd: Raft consensus, split-brain scenarios, compaction, and why disk latency kills clusters
Networking: CNI overlay vs flat networking, kube-proxy iptables vs IPVS, NetworkPolicy enforcement
Resource Management: Requests vs Limits, QoS classes, OOMKill behavior, CPU throttling
Autoscaling: HPA algorithm, stabilization windows, KEDA, HPA/VPA conflict
RBAC and Admission: Webhook chains, OPA/Gatekeeper, service account token risks

🚨 START HERE

Advanced Kubernetes Triage Commands

Rapid commands for diagnosing complex Kubernetes failures.

🟡Pod stuck in Pending.

Immediate ActionCheck scheduler events and node capacity.

Commands

kubectl describe pod <pod> | grep -A 20 Events

kubectl describe nodes | grep -A 5 Allocatable -B 2

Fix NowIf 'Insufficient cpu/memory', scale cluster or reduce requests. If 'node(s) had taint', add tolerations or remove taints.

🟡Namespace stuck in Terminating.

Immediate ActionIdentify resources with finalizers blocking deletion.

Commands

kubectl get namespace <ns> -o json | jq .spec.finalizers

kubectl api-resources --verbs=list -o name | xargs -I{} kubectl get {} -n <ns> --ignore-not-found -o json 2>/dev/null | jq '.items[] | select(.metadata.finalizers) | {kind, name, finalizers}'

Fix NowPatch the blocking resource: `kubectl patch <kind>/<name> -n <ns> -p '{"metadata":{"finalizers":null}}' --type=merge`. Only do this if you understand the cleanup implications.

🟡Service returning 503.

Immediate ActionCheck endpoints and readiness probes.

Commands

kubectl get endpoints <service-name> -n <ns>

kubectl get pods -n <ns> -l app=<label> -o wide | grep -v Running

Fix NowIf endpoints are empty, no pods are passing readiness probes. Fix the readiness probe or the application. If endpoints exist but 503 persists, check kube-proxy.

🟡etcd cluster degraded.

Immediate ActionCheck member health and disk latency.

Commands

etcdctl endpoint health --cluster --write-out=table

etcdctl endpoint status --write-out=table

Fix NowIf a member is unhealthy, check its disk latency (`iostat -x 1`). If leader is changing frequently, increase `election-timeout` and `heartbeat-interval`. Restart the unhealthy member.

🟡RBAC permission denied errors in application logs.

Immediate ActionTest the service account's permissions.

Commands

kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa-name> -n <ns>

kubectl get clusterrolebinding,rolebinding -A -o json | jq '.items[] | select(.subjects[]?.name=="<sa-name>") | .metadata.name'

Fix NowCreate a Role/ClusterRole with the required permissions and bind it to the service account via RoleBinding/ClusterRoleBinding.

Production IncidentNamespace Stuck in Terminating: Finalizer Blocking Cluster DecommissionA namespace containing a LoadBalancer Service could not be deleted. It hung in 'Terminating' state for 72 hours, blocking a cluster decommission migration. The cloud load balancer was already deleted manually, but the Service finalizer kept waiting for the cloud controller to acknowledge deletion.

Symptomkubectl delete namespace <ns> returned successfully but namespace remained in Terminating state. No new resources could be created in the namespace. Cluster decommission timeline slipped by 3 days.

AssumptionThe namespace deletion was stuck due to remaining resources (Pods, PVCs) that had not been fully cleaned up.

Root causeThe Service of type LoadBalancer had a finalizer (service.kubernetes.io/load-balancer-cleanup). The cloud controller manager (CCM) was responsible for removing this finalizer after deleting the cloud load balancer. However, the CCM had been redeployed with a new service account that lacked IAM permissions to delete load balancers. The CCM silently failed to remove the finalizer, and Kubernetes refused to complete namespace deletion because finalizers were still present on resources within the namespace.

Fix1. Restored IAM permissions for the CCM service account to manage load balancers. 2. Patched the Service to remove the finalizer manually: kubectl patch service <name> -p '{"metadata":{"finalizers":null}}'. 3. Verified the cloud load balancer was already deleted (no orphaned resources). 4. Namespace deletion completed immediately after finalizer removal. 5. Added monitoring for namespaces in Terminating state for more than 5 minutes.

Key Lesson

Finalizers block deletion until the responsible controller acknowledges cleanup. If the controller is broken, deletion hangs indefinitely.Never manually delete cloud resources (load balancers, volumes) without ensuring the controller can reconcile. Orphaned resources cost money.Monitor for resources stuck in Terminating state. It is always a sign of a broken controller or missing permissions.When debugging Terminating hangs, check kubectl get <resource> -o json | jq .metadata.finalizers to identify which controller is blocking.

Production Debug GuideSymptom-first investigation path for senior-level Kubernetes failures.

Pod stuck in Pending with no events.→Check if the scheduler is running and healthy. Verify node resources are sufficient. Check for taints/tolerations mismatches. Look for PVC binding failures if the Pod uses persistent volumes.

Pod stuck in ImagePullBackOff despite image existing.→Check ImagePullSecrets on the Pod's ServiceAccount. Verify node IAM roles for private registries. Check disk pressure on the node. Inspect kubelet logs for the actual pull error.

Namespace stuck in Terminating.→List all resources in the namespace with finalizers:

kubectl api-resources --verbs=list -o name | xargs -n 1 kubectl get -n <ns> --ignore-not-found -o json | jq '.items[] | select(.metadata.finalizers) | {kind: .kind, name: .metadata.name, finalizers: .metadata.finalizers}'

. Patch or investigate each blocking resource.

Service returns 503 intermittently.→Check readiness probes. Pods failing readiness are removed from endpoints but existing connections may still be routed. Check externalTrafficPolicy — if set to Local, traffic only routes to nodes with local pods. Check kube-proxy mode and logs.

Deployment rollout hangs at 'Waiting for rollout'.→Check kubectl rollout status deployment/<name>. If maxUnavailable is 0 and a new pod cannot be scheduled, the rollout blocks forever. Check for resource quota limits, PDB conflicts, and node capacity.

etcd cluster unhealthy, leader elections failing.→Check etcd member health: etcdctl endpoint health --cluster. Check disk latency on etcd nodes (iostat -x 1). High fsync latency causes Raft timeouts. Check network connectivity between etcd members.

Kubernetes has become the de facto operating system for cloud-native infrastructure. At senior and staff-level interviews, nobody is going to ask you what a Pod is. They want to know what happens inside the API server when you run kubectl apply, why your HPA isn't scaling when CPU is clearly spiking, or how etcd consistency guarantees affect your cluster's behaviour under partition.

The gap between 'I know Kubernetes' and 'I understand Kubernetes' comes down to internals. When something breaks at 3am — a node drains but Pods stay Pending, a Deployment rolls out but traffic never shifts, a namespace hangs in Terminating forever — the engineers who can diagnose and fix fast are the ones who understand the watch-loop reconciliation model, the scheduler predicates and priorities, and how the CNI interacts with kube-proxy.

This guide covers the failure modes, edge cases, and architectural decisions that surface in real senior/staff-level interviews at companies running Kubernetes at scale. Every question maps to a production incident you will eventually encounter.

The Anatomy of a Request: What Happens When You Run 'kubectl apply'?

A senior candidate must articulate the journey of a manifest from the CLI to the Kubelet. It isn't just 'the API server saves it.' The lifecycle involves Authentication/Authorization, Mutating Admission Webhooks (which might inject sidecars like Istio or Linkerd), Schema Validation, and finally, Validating Admission Webhooks (like OPA/Gatekeeper).

Once persisted in etcd, the Control Plane controllers see the state change via a watch event. The Deployment controller creates a ReplicaSet, which creates Pod objects. These Pods remain in a 'Pending' state with an empty nodeName until the Kube-Scheduler performs its two-step dance: Filtering (Predicates) to find capable nodes, and Scoring (Priorities) to find the best node. Only then does the Kubelet on the target node see the Pod and instruct the Container Runtime (CRI) to pull images and start containers.

io/thecodeforge/k8s/production-pod.yaml · YAML

1234567891011121314151617181920212223242526272829303132333435

apiVersion: v1
kind: Pod
metadata:
  name: forge-app
  namespace: production
  labels:
    app: forge-api
    tier: backend
spec:
  containers:
  - name: forge-container
    image: io.thecodeforge/api:v1.2.0
    resources:
      requests:
        memory: "256Mi"
        cpu: "500m"
      limits:
        memory: "512Mi"
        cpu: "1"
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8080
      initialDelaySeconds: 15
    readinessProbe:
      httpGet:
        path: /ready
        port: 8080
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: forge-api

▶ Output

pod/forge-app created

Mental Model

The Request Lifecycle Chain

This chain is why debugging 'access denied' errors requires checking both RBAC (authorization) and admission webhooks (validating). They fail at different stages.

Authentication: Service account tokens, OIDC, certificates.
Authorization: RBAC, ABAC, Webhook authorizers.
Mutating Webhooks: Istio sidecar injection, default resource limits, label injection.
Validating Webhooks: OPA/Gatekeeper policies, image signature verification, namespace quotas.
etcd: Only persisted after all gates pass. The API Server is the only component that writes to etcd.

📊 Production Insight

Mutating admission webhooks can cause cascading failures. If a webhook is unavailable (timeout or crash), the API Server cannot complete the admission chain and all create/update operations for affected resources fail. This is a common cause of 'the entire cluster stopped accepting changes' incidents. Mitigate with: failurePolicy: Ignore for non-critical webhooks, webhook HA (multiple replicas), and monitoring webhook latency. Never set failurePolicy: Fail on a webhook that is not absolutely critical.

🎯 Key Takeaway

The kubectl apply lifecycle is a chain of gates, not a single write. Each gate can fail independently. Understanding which gate failed (auth, mutating webhook, validation, etcd) is the key to debugging API Server errors.

Networking Internals: Services, Kube-Proxy, and the CNI

A Service in Kubernetes is not a process; it's a virtual IP (VIP) managed by kube-proxy. You should be prepared to explain the difference between the legacy iptables mode and the modern IPVS mode. While iptables uses sequential rule checking (O(n) complexity), IPVS uses hash tables (O(1) complexity), making it significantly more performant for clusters with thousands of services.

Furthermore, the CNI (Container Network Interface) is responsible for the 'plumbing' — assigning IPs to Pods and ensuring they can talk across nodes. If an interviewer asks why a Pod can't reach another Pod, your answer should start with the CNI overlay (Calico/Cilium) and move to NetworkPolicies, rather than just 'checking the app logs.'

io/thecodeforge/k8s/debug-network.sh · BASH

12345678910111213141516171819

# TheCodeForge Network Debugging Toolkit
# Package: io.thecodeforge.k8s

# 1. Check if the Service IP is active in iptables
iptables -L -t nat | grep FORGE-SERVICE-NAME

# 2. Inspect the CNI logs on the specific node
journalctl -u kubelet | grep cni

# 3. Test Pod-to-Pod connectivity bypassing the Service VIP
kubectl exec -it debug-pod -- curl <target-pod-ip>:8080/healthz

# 4. Check kube-proxy mode and health
kubectl get configmap kube-proxy -n kube-system -o yaml | grep mode
kubectl logs -n kube-system -l k8s-app=kube-proxy | tail -50

# 5. Verify NetworkPolicy is not blocking traffic
kubectl get networkpolicy -n <namespace> -o yaml
# If policies exist, check ingress/egress rules against the Pod's labels

▶ Output

Chain KUBE-SERVICES (2 references)
DNAT tcp -- 0.0.0.0/0 10.96.0.10 tcp dpt:53

Mental Model

iptables vs IPVS: The Performance Trade-off

The rule of thumb: use iptables for clusters under 1,000 Services. Switch to IPVS for larger clusters or when you need advanced load balancing algorithms.

iptables: Simple, well-understood, but O(n) rule matching. No native load balancing algorithms.
IPVS: O(1) hash matching, native LB algorithms (rr, lc, sh), but more complex debugging.
eBPF (Cilium): Bypasses both iptables and IPVS entirely. Kernel-level packet processing. The future.
kube-proxy is being replaced by eBPF-based CNIs in high-performance clusters.

📊 Production Insight

The externalTrafficPolicy field on a Service controls how traffic from outside the cluster is routed. externalTrafficPolicy: Cluster (default) distributes traffic evenly across all nodes, then to pods. This loses the client source IP. externalTrafficPolicy: Local only routes traffic to nodes that have local pods, preserving the source IP but risking uneven load distribution if pods are not evenly spread. This is a common interview question and a common production misconfiguration.

🎯 Key Takeaway

Kubernetes networking has three layers: CNI (pod-to-pod), kube-proxy (service VIP to pod), and NetworkPolicy (traffic filtering). Debugging connectivity requires checking all three. The industry is moving from iptables to eBPF-based CNIs (Cilium) for performance and observability.

etcd Internals: Raft, Consistency, and Failure Modes

etcd is the single source of truth for all Kubernetes cluster state. It uses the Raft consensus algorithm to replicate data across an odd number of members (typically 3 or 5). Understanding Raft is essential for diagnosing cluster-wide failures.

io/thecodeforge/k8s/etcd-debug.sh · BASH

1234567891011121314151617181920

# etcd Diagnostic Commands
# Package: io.thecodeforge.k8s

# 1. Check cluster member health
etcdctl endpoint health --cluster --write-out=table

# 2. Check member status (leader, DB size, Raft index)
etcdctl endpoint status --write-out=table

# 3. Check for alarm conditions (e.g., NOSPACE)
etcdctl alarm list

# 4. Defragment a member (reclaims space after compaction)
etcdctl defrag --endpoints=<endpoint>

# 5. Compact old revisions (prevents unbounded DB growth)
etcdctl compact $(etcdctl endpoint status --write-out=json | jq '.[0].Status.header.revision')

# 6. Snapshot backup
etcdctl snapshot save /backup/etcd-$(date +%Y%m%d-%H%M%S).db

▶ Output

etcd cluster diagnostics complete.

Mental Model

Raft Consensus: How etcd Handles Partitions

If you lose quorum (e.g., 2 of 3 members go down), the entire cluster becomes read-only. No new pods, no deployments, no updates. Existing workloads continue running because the kubelet caches the last-known state.

Raft leader: Elected by members. All writes go through the leader.
Heartbeat interval: Leader sends heartbeats (default 100ms). If a follower misses elections (default 1000ms), it starts a new election.
Disk latency: etcd requires fsync on every write. Slow disks cause leader elections and cluster instability.
Compaction: Old revisions accumulate. Periodic compaction and defragmentation are required to prevent unbounded growth.

📊 Production Insight

etcd's --quota-backend-bytes (default 2GB, max 8GB) is the hard limit on the database size. If exceeded, etcd enters a maintenance mode that rejects all writes, effectively halting the cluster. Monitor etcd_mvcc_db_total_size_in_bytes and alert at 75%. Run compaction and defragmentation regularly. In large clusters with many ConfigMaps/Secrets, etcd can grow quickly. Consider externalizing large data (e.g., Helm charts) to object storage.

🎯 Key Takeaway

etcd is the cluster's single point of failure. Raft consensus prevents split-brain but requires quorum. Disk latency is the most common cause of etcd instability. Monitor, compact, defragment, and backup etcd as critical infrastructure.

Resource Management: Requests, Limits, and QoS Classes

Resource requests and limits are not just about preventing OOMKills. They define the contract between the application and the scheduler. Requests are used for scheduling decisions (can this Pod fit on this node?). Limits are enforced by the kernel cgroup (can this Pod use more than allocated?).

io/thecodeforge/k8s/resource-qos.yaml · YAML

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950

# QoS Class: Guaranteed (requests == limits for all containers)
# Highest priority during eviction. Never OOMKilled unless node is under extreme pressure.
apiVersion: v1
kind: Pod
metadata:
  name: critical-service
  namespace: production
spec:
  containers:
    - name: app
      image: io.thecodeforge/api:stable
      resources:
        requests:
          cpu: "500m"
          memory: "512Mi"
        limits:
          cpu: "500m"      # Equal to request = Guaranteed QoS
          memory: "512Mi"   # Equal to request = Guaranteed QoS
---
# QoS Class: Burstable (requests < limits)
# Medium priority. Can burst above request but may be evicted under pressure.
apiVersion: v1
kind: Pod
metadata:
  name: web-frontend
  namespace: production
spec:
  containers:
    - name: app
      image: io.thecodeforge/frontend:latest
      resources:
        requests:
          cpu: "200m"
          memory: "256Mi"
        limits:
          cpu: "1"          # Can use up to 1 CPU core
          memory: "1Gi"     # Can use up to 1Gi RAM
---
# QoS Class: BestEffort (no requests or limits set)
# Lowest priority. First to be evicted. Not recommended for production.
apiVersion: v1
kind: Pod
metadata:
  name: debug-tool
  namespace: development
spec:
  containers:
    - name: debug
      image: io.thecodeforge/debug:latest
      # No resources defined = BestEffort QoS

▶ Output

Pods created with different QoS classes.

Mental Model

QoS Classes and Eviction Priority

Setting CPU limits equal to requests (Guaranteed QoS) prevents CPU throttling but also prevents bursting. For bursty workloads, use Burstable QoS with high/no CPU limits.

Guaranteed: requests == limits for all containers. Highest eviction priority.
Burstable: requests < limits (or only requests set). Medium priority.
BestEffort: No requests or limits. Lowest priority. First to be evicted.
CPU throttling: If CPU limit is set, the container is throttled when it exceeds the limit. This is NOT an eviction — it is a performance penalty.
Memory OOMKill: If memory usage exceeds the limit, the kernel kills the container (OOMKill, exit code 137).

📊 Production Insight

CPU limits cause throttling, not eviction. When a container exceeds its CPU limit, the kernel throttles it (reduces CPU time), which increases latency. For latency-sensitive services, consider removing CPU limits entirely and relying on CPU requests for scheduling. This allows the application to burst when node CPU is available, at the cost of potential noisy-neighbor effects. Monitor CPU throttling via container_cpu_cfs_throttled_periods_total in cAdvisor metrics.

🎯 Key Takeaway

Resource requests drive scheduling. Limits drive enforcement. QoS classes determine eviction order. For production, use Guaranteed QoS for critical services and Burstable for variable workloads. Never use BestEffort in production.

RBAC, Service Accounts, and Admission Control

RBAC (Role-Based Access Control) is the primary authorization mechanism in Kubernetes. It defines who (Subject) can do what (Verb) on which resources (Resource) in which scope (Namespace or Cluster). Understanding RBAC is critical for security and for debugging 'access denied' errors.

io/thecodeforge/k8s/rbac-least-privilege.yaml · YAML

1234567891011121314151617181920212223242526272829303132333435363738394041

# Least-privilege RBAC for a microservice
# Package: io.thecodeforge.k8s

# 1. Dedicated ServiceAccount (not default)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: order-service
  namespace: production
automountServiceAccountToken: false  # Disable unless API access needed
---
# 2. Namespace-scoped Role with minimal permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: order-service-role
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["order-service-config"]  # Only specific configmap
    verbs: ["get", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]  # Only specific secret
    verbs: ["get"]
---
# 3. Bind Role to ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: order-service-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: order-service
    namespace: production
roleRef:
  kind: Role
  name: order-service-role
  apiGroup: rbac.authorization.k8s.io

▶ Output

Least-privilege RBAC configured for order-service.

Mental Model

RBAC Evaluation: How Authorization Decisions Are Made

For deny-based policies, use OPA/Gatekeeper or Kyverno as validating admission webhooks. They can enforce policies that RBAC cannot express.

Role: Namespace-scoped. RoleBinding binds it to subjects within the namespace.
ClusterRole: Cluster-scoped. ClusterRoleBinding binds it to subjects across all namespaces.
ServiceAccount: The identity for a Pod. Default SA is mounted into every Pod unless automountServiceAccountToken: false.
Aggregated ClusterRoles: Combine multiple ClusterRoles using label selectors. Used by operators to extend permissions dynamically.

📊 Production Insight

The default ServiceAccount in every namespace has minimal permissions, but its token is mounted into every Pod by default. If an attacker compromises a Pod, they can use this token to query the Kubernetes API. In many clusters, the default SA has been granted additional permissions over time, expanding the blast radius. Mitigate by: setting automountServiceAccountToken: false as the namespace default, creating dedicated ServiceAccounts per workload, and auditing ClusterRoleBindings regularly with kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>.

🎯 Key Takeaway

RBAC is additive with no deny mechanism. Least-privilege design is the only defense. Disable automounting, use dedicated ServiceAccounts, and audit permissions regularly. For deny-based policies, layer OPA/Gatekeeper on top of RBAC.

Scheduler Internals: Filtering, Scoring, and Custom Schedulers

The Kubernetes scheduler is a control loop that watches for Pods with an empty nodeName and assigns them to nodes. It does not actually run Pods — it only sets the nodeName field, and the kubelet on that node picks up the Pod. The scheduler's decision process has two phases: Filtering (formerly Predicates) and Scoring (formerly Priorities).

io/thecodeforge/k8s/scheduling/SchedulerDecisionModel.java · JAVA

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950

// Simplified scheduler decision model
// Package: io.thecodeforge.k8s.scheduling
package io.thecodeforge.k8s.scheduling;

import java.util.List;
import java.util.Map;

public class SchedulerDecisionModel {

    /**
     * Phase 1: Filtering — Eliminate nodes that cannot run the Pod.
     * Filters are applied in order. If no nodes pass, the Pod stays Pending.
     */
    public List<String> filterNodes(List<String> allNodes, Pod pod) {
        return allNodes.stream()
            .filter(node -> hasEnoughResources(node, pod))     // NodeResourcesFit
            .filter(node -> matchesNodeAffinity(node, pod))    // NodeAffinity
            .filter(node -> toleratesTaints(node, pod))        // TaintToleration
            .filter(node -> matchesPodTopology(node, pod))     // PodTopologySpread
            .filter(node -> hasVolumeCapacity(node, pod))      // VolumeBinding
            .toList();
    }

    /**
     * Phase 2: Scoring — Rank feasible nodes by desirability.
     * Each scoring plugin assigns 0-100 points. Scores are summed.
     * The node with the highest total score wins.
     */
    public Map<String, Integer> scoreNodes(List<String> feasibleNodes, Pod pod) {
        // Simplified: In reality, each plugin scores independently
        return feasibleNodes.stream()
            .collect(java.util.stream.Collectors.toMap(
                node -> node,
                node -> scoreResourceBalancing(node, pod)    // NodeResourcesBalancedAllocation
                      + scorePodSpread(node, pod)             // PodTopologySpread
                      + scoreInterPodAffinity(node, pod)      // InterPodAffinity
                      + scoreImageLocality(node, pod)         // ImageLocality
            ));
    }

    private boolean hasEnoughResources(String node, Pod pod) { return true; }
    private boolean matchesNodeAffinity(String node, Pod pod) { return true; }
    private boolean toleratesTaints(String node, Pod pod) { return true; }
    private boolean matchesPodTopology(String node, Pod pod) { return true; }
    private boolean hasVolumeCapacity(String node, Pod pod) { return true; }
    private int scoreResourceBalancing(String node, Pod pod) { return 50; }
    private int scorePodSpread(String node, Pod pod) { return 50; }
    private int scoreInterPodAffinity(String node, Pod pod) { return 50; }
    private int scoreImageLocality(String node, Pod pod) { return 50; }
}

▶ Output

Scheduler decision model: filter then score.

Mental Model

Filtering vs Scoring: The Two-Phase Dance

When a Pod is Pending, always check kubectl describe pod <name> for the scheduling failure event. It tells you exactly which filter failed.

NodeResourcesFit: Checks if the node has enough CPU/memory for the Pod's requests.
NodeAffinity: Matches nodeSelector and nodeAffinity rules.
TaintToleration: Ensures the Pod tolerates all taints on the node.
PodTopologySpread: Enforces topology spread constraints (zone, hostname).
VolumeBinding: Ensures required PVs can be bound on the node.
ImageLocality: Prefers nodes that already have the container image cached.

📊 Production Insight

The scheduler's scoring phase includes an ImageLocality scorer that prefers nodes with pre-pulled images. This can cause scheduling skew: nodes that have run a Pod before score higher for the same Pod, leading to uneven distribution. To counter this, use topologySpreadConstraints or podAntiAffinity to force spread. Also, the scheduler's --percentage-of-nodes-to-score flag (default 50%) limits scoring to a subset of feasible nodes for performance. In small clusters, set this to 100% to ensure optimal placement.

🎯 Key Takeaway

The scheduler is a filter-then-score pipeline. Pending Pods always have a reason — check the events. Custom scheduling can be achieved via scheduler plugins or a second scheduler. Image locality scoring can cause unexpected skew.

Probes Deep Dive: Liveness, Readiness, and Startup

Probes are the kubelet's mechanism for monitoring container health. Misconfigured probes are one of the most common causes of production incidents: liveness probes that kill healthy-but-slow containers, readiness probes that flap during cache warm-up, and missing startup probes that cause crash loops on legacy applications.

io/thecodeforge/k8s/probes-production.yaml · YAML

123456789101112131415161718192021222324252627282930313233343536373839404142434445

# Production-grade probe configuration
# Package: io.thecodeforge.k8s
apiVersion: v1
kind: Pod
metadata:
  name: api-server
  namespace: production
spec:
  containers:
    - name: api
      image: io.thecodeforge/api:3.0.0
      # Startup probe: Gates liveness/readiness until app boots
      # Critical for apps with slow startup (>30s)
      startupProbe:
        httpGet:
          path: /healthz
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 5
        failureThreshold: 30    # 30 * 5s = 150s max startup time
        successThreshold: 1
      # Liveness probe: Detects deadlocks and hung processes
      # Only active after startup probe succeeds
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8080
        periodSeconds: 10
        failureThreshold: 3     # 3 failures = restart after 30s
        successThreshold: 1
        timeoutSeconds: 5
      # Readiness probe: Controls traffic routing
      # Failing = removed from Service endpoints
      readinessProbe:
        httpGet:
          path: /ready
          port: 8080
        periodSeconds: 5
        failureThreshold: 2     # 2 failures = remove from endpoints after 10s
        successThreshold: 1     # 1 success = add back to endpoints
        timeoutSeconds: 3
      resources:
        requests:
          cpu: "500m"
          memory: "512Mi"

▶ Output

Pod created with production-grade probe configuration.

Mental Model

Probe Interaction: The Startup Gate

If your application takes more than 30 seconds to start, you MUST use a startup probe. Without it, the liveness probe will kill the container during startup, creating a crash loop.

Startup probe: Only runs during boot. Gates liveness/readiness.
Liveness probe: Runs continuously. Failure = container restart.
Readiness probe: Runs continuously. Failure = remove from Service endpoints.
Probe types: httpGet, tcpSocket, exec (command).
timeoutSeconds: Must be less than periodSeconds, or the probe is always considered failed.

📊 Production Insight

Liveness probes that check downstream dependencies (database, cache) cause cascading failures. If the database is slow, the liveness probe fails, the container restarts, and the restart increases load on the database, causing more liveness failures. The fix: liveness probes should check ONLY the application's internal health (is the process responsive?). Readiness probes can check dependencies (is the application ready to serve traffic?). This separation prevents dependency failures from causing container restarts.

🎯 Key Takeaway

Use startup probes for slow-booting applications. Liveness probes check internal health only. Readiness probes can check dependencies. Never let a liveness probe check downstream services — it causes cascading restart storms.

🗂 Probe Types: Liveness vs Readiness vs Startup

Understanding when each probe runs, what failure means, and typical use cases.

Aspect	Liveness Probe	Readiness Probe	Startup Probe
Primary Goal	Detect deadlocks and hung processes	Control traffic routing to the Pod	Gate liveness/readiness until boot completes
Failure Action	Kubelet kills the container; triggers restart	Pod removed from Service endpoints; no traffic	If it fails, container is restarted like liveness
Success Action	Container continues running	Pod added to Service endpoints; receives traffic	Liveness and readiness probes are activated
Runs When	After startup probe succeeds (or immediately if no startup probe)	After startup probe succeeds (or immediately if no startup probe)	Immediately when container starts
Typical Use Case	Catching deadlocks, memory leaks, infinite loops	Waiting for cache warm-up, DB connection pool init	Legacy apps with 2+ minute startup times
Failure Threshold	3 (default) — restart after 3 failures	3 (default) — remove from endpoints after 3 failures	30 (recommended) — allows up to 150s startup with 5s period
Common Mistake	Checking downstream dependencies (DB, cache) — causes cascading restarts	Too aggressive — causes endpoint flapping during transient load	Missing entirely — causes CrashLoopBackOff for slow-starting apps

🎯 Key Takeaways

Kubernetes is a state-reconciliation engine; controllers constantly work to drive 'Current State' toward the 'Desired State' stored in etcd.
The Control Plane request flow (Auth -> Mutating -> Validating -> Etcd) is the gatekeeper of cluster stability.
Resource management isn't just about avoiding OOMKills; it's about defining 'Requests' accurately so the Scheduler can make intelligent placement decisions.
Networking in K8s relies on a combination of the CNI (Pod-to-Pod) and kube-proxy (Service abstraction) to handle the ephemeral nature of IPs.
etcd is the single point of failure. Raft consensus prevents split-brain but requires quorum. Disk latency is the most common cause of instability.
RBAC is additive with no deny mechanism. Least-privilege design, dedicated ServiceAccounts, and admission webhooks for policy enforcement are the production standard.
Probes are the difference between a resilient service and a cascading failure. Liveness checks internal health only. Readiness can check dependencies. Startup gates both.
Every production Kubernetes failure has a root cause in one of: etcd, scheduler, kubelet, CNI, or admission webhooks. Knowing which component to check first is the skill.

⚠ Common Mistakes to Avoid

✕Setting CPU Limits equal to CPU Requests on bursty apps — This leads to unnecessary throttling. In production, it is often better to have high/no CPU limits and rely on CPU Requests for scheduling weight.

✕Missing PodDisruptionBudgets — During cluster upgrades, Kubernetes will evict Pods. Without a PDB, you might lose all replicas of a service simultaneously, causing an outage during a routine node drain.

✕Storing state in the root filesystem — K8s containers are ephemeral. If you aren't using PersistentVolumes (PVs), any data written to the container layer vanishes on restart. Senior devs always check the StorageClass and ReclaimPolicy.

✕Liveness probes that check downstream dependencies — If the database is slow, the probe fails, the container restarts, and the restart increases database load, causing a cascading failure loop.

✕No startup probe for legacy applications — Applications that take 2+ minutes to boot will be killed by the liveness probe during startup, creating a CrashLoopBackOff loop.

✕Using the default ServiceAccount in production — The default SA token is mounted into every Pod. If compromised, it can query the Kubernetes API. Always create dedicated SAs with `automountServiceAccountToken: false`.

✕Ignoring etcd maintenance — Without periodic compaction and defragmentation, etcd grows unbounded. If it hits `--quota-backend-bytes`, the cluster halts all writes.

✕Setting `failurePolicy: Fail` on non-critical admission webhooks — If the webhook is unavailable, the entire cluster stops accepting create/update operations for affected resources.

✕Not monitoring for resources stuck in Terminating — A namespace or Pod stuck in Terminating for hours is always a sign of a broken controller or finalizer. Monitor and alert on it.

✕Using `externalTrafficPolicy: Local` without ensuring Pod spread — This preserves client source IP but risks uneven load distribution if Pods are not evenly spread across nodes.

Interview Questions on This Topic

QExplain the 'Etcd Split Brain' scenario. How does the Raft consensus algorithm handle a network partition between three master nodes?
QA Pod is stuck in 'ImagePullBackOff', but you've verified the image exists in the registry. What are the next three things you check? (Hint: Node IAM roles, ImagePullSecrets, and Disk Pressure).
QDescribe the 'Thundering Herd' problem in the context of Horizontal Pod Autoscaling (HPA) and how 'Cool Down' periods or scale-down stabilization windows mitigate it.
QWhat is the difference between an Ingress Controller and a Service of type LoadBalancer? When would you choose one over the other for a multi-tenant cluster?
QTrace the full lifecycle of a kubectl apply command from the CLI to a running container. What admission webhooks are involved?
QExplain the difference between iptables and IPVS kube-proxy modes. When would you switch to IPVS?
QA namespace is stuck in Terminating. Walk me through your debugging process and how you would resolve it.
QHow does the Kubernetes scheduler decide where to place a Pod? What happens if no nodes pass the filtering phase?
QWhat is the difference between a liveness probe and a readiness probe? What happens if you use a liveness probe to check database connectivity?
QExplain QoS classes in Kubernetes. How does the kubelet decide which Pods to evict when a node is under resource pressure?
QHow does RBAC evaluation work? Can you deny a permission that has been granted by another role?
QWhat is envelope encryption for Kubernetes Secrets? Why is base64 encoding not sufficient?
QDescribe the interaction between HPA, VPA, and Cluster Autoscaler. What happens if HPA and VPA both operate on CPU?
QWhat is a PodDisruptionBudget and why is it critical during cluster upgrades?
QHow would you design a zero-downtime deployment strategy in Kubernetes? What configuration parameters matter?
QExplain the admission webhook chain. What happens if a mutating webhook times out?
QWhat is the 'thundering herd' problem during HPA scale-up and how do stabilization windows solve it?
QHow do you debug a Pod that is stuck in Pending with no scheduling events?
QWhat is the difference between a Deployment, a StatefulSet, and a DaemonSet? When would you use each?
QExplain how NetworkPolicies work. What happens if you create a deny-all policy without allowing DNS?

Frequently Asked Questions

Why is my Pod OOMKilled even if the node has plenty of free RAM?

OOMKill (Exit Code 137) is enforced at the container level by the Cgroup, not the node level. If your container's memory usage exceeds its defined 'Limit' in the YAML, the kernel will kill the process to protect the rest of the node, regardless of how much 'free' RAM the physical machine has.

What is the difference between a 'Taint' and a 'NodeSelector'?

A NodeSelector (or NodeAffinity) is a preference or requirement for a Pod to go to a specific node (the Pod wants the Node). A Taint is the opposite: it allows a Node to repel a set of Pods (the Node rejects the Pod) unless those Pods have a specific 'Toleration'.

What happens if etcd goes down?

If etcd is unavailable, the cluster becomes 'read-only.' Existing workloads will continue to run, but no new Pods can be scheduled, no Deployments can be updated, and the API server will return 500 errors for any write operations. High availability for etcd (3 or 5 nodes) is critical for production clusters.

How does the scheduler decide where to place a Pod?

The scheduler uses a two-phase process: Filtering (eliminates nodes that cannot run the Pod based on resource availability, taints, affinity, topology constraints) and Scoring (ranks feasible nodes by desirability using resource balance, image locality, pod spread). The highest-scoring node wins.

What is the admission webhook chain and why does it matter?

Every Kubernetes write request passes through: Authentication -> Authorization -> Mutating Admission Webhooks -> Schema Validation -> Validating Admission Webhooks -> etcd. Mutating webhooks can modify objects (e.g., inject sidecars). Validating webhooks can reject objects (e.g., OPA policies). If a webhook is unavailable and has failurePolicy: Fail, the entire operation is rejected.

How do I debug a namespace stuck in Terminating?

List all resources in the namespace and check for finalizers: kubectl api-resources --verbs=list -o name | xargs -n 1 kubectl get -n <ns> --ignore-not-found -o json | jq '.items[] | select(.metadata.finalizers)'. Each finalizer blocks deletion until the responsible controller acknowledges cleanup. If the controller is broken, you may need to patch the finalizer to null manually.

🔥

Naren Founder & Author

Developer and founder of TheCodeForge. I built this site because I was tired of tutorials that explain what to type without explaining why it works. Every article here is written to make concepts actually click.

About Naren Get in touch

Forged with 🔥 at TheCodeForge.io — Where Developers Are Forged