Kubernetes Architecture Explained: Control Plane, Worker Nodes, Pods, CNI Networks and raft consensus and Quorum and max failure and Split-Brain!

What is Orchestration

The Conductor Analogy 🎶

1. Think of a symphony orchestra. You have many different musicians (violins, cellos, trumpets), each a skilled expert at their instrument.
2. These are your individual containers or services. Without a conductor, if they all just started playing, it would be chaos.
3. The orchestration tool is the conductor. The conductor doesn't play an instrument but instead:

• Tells everyone when to start and stop (deployment and scheduling).
• Controls the volume and tempo (scaling and resource management).
• Brings in different sections when needed (service discovery and load balancing).
• Notices if a musician is playing out of tune and corrects them (self-healing and monitoring).

Now let's See the Kubernetes (K8s) Architecture Overview

Now Let's Understand The (Control Plane) And It's Components

What is API Server (API Gateway)?

• The front door to the Kubernetes cluster. All communication (internal and external) goes through here. It is a RESTful API endpoint that processes every REST request (POST, PUT, DELETE, GET) within the cluster. This is the central communication hub of your entire cluster. It is the absolute core where the control plane and worker nodes talk to each other; without it, nothing in the system could connect or communicate. It is the central management hub.
• How it works: When you run a command like kubectl apply, you are sending a JSON/YAML payload to this API. It authenticates the request (checks your identity), validates the payload (checks if the code is correct), and prepares it for processing. It is the only component that directly talks to the database

What is etcd (Database)?

What is Scheduler?

Now what is Controller Manager?

Now It's Time To Understand (Worker Node) And It's Components

What is Kubelet?

• Kubelet is the node agent of Kubernetes. It is essentially your on-site manager. It is the process responsible for making sure containers defined in a PodSpec are actually running on that node. In practical terms, kubelet acts as the executor of instructions coming from the Kubernetes control plane. Core responsibility: Ensure the pods assigned to its node are created, running, and healthy. It is responsible for handling all Pod-related tasks, like keeping a close eye on their daily health and ensuring their overall conditions run smoothly on the node. So kubelet is not about networking or exposing apps. It is about running and maintaining containers on the worker node.
• How it works: It constantly polls the API Server asking, "Do you have any work for my node?". When the API Server (via the Scheduler) assigns a task to that node, the Kubelet accepts the specification and interacts with the underlying hardware.

What is Kube-proxy?

• A network proxy that maintains network rules on each node. It acts like a helpful traffic cop, securely routing network requests so your applications are successfully made visible across the internet to your clients. Basically services need stable IP addresses to communicate, regardless of where they are running.
• How it works: It manages the IP Tables (network routing rules) on the machine. It ensures that traffic sent to a virtual Service IP is correctly routed to the specific backend Pod (application instance) running on that machine.

What does mean by the Container Runtime?

• The software responsible for actually running the binary application (e.g., Docker Engine, containerd, CRI-O).
• How it works: The Kubelet instructs the Container Runtime to pull the specific Container Image (the software package) from a registry and start the process.

What is Pods?

• What they are: In Kubernetes, a Pod is the smallest and simplest unit that runs your application. Think of a Pod as a wrapper for one or more containers (usually one container). Simple example: If your app is a Docker container, Kubernetes does not run the container directly. It runs inside a Pod.
• How they work: All containers inside a Pod run on the same machine (node). They share the same IP address and ports. They share storage (if defined). So in short: Pod = Smallest deployable unit in Kubernetes that holds your application container(s).

Now Let's Dive Into Kubernetes Networking?

• The flow looks like this: Kubernetes → Container Runtime → CNI Plugin → Network Setup.
• When a new pod starts, Kubernetes schedules the pod on a node.The container runtime (containerd / CRI-O) calls the CNI plugin.
• The plugin assigns an IP address, network routes, and connectivity with other pods. This ensures that pods can communicate seamlessly across nodes.

1. Every Pod gets its own IP address.
2. Pods can communicate with other pods without NAT.
3. Nodes and pods can communicate freely.
4. CNI plugins are responsible for implementing these rules.

• Calico – High-performance networking with built-in network policies. Very common in production clusters.
• Flannel – Simple overlay networking, beginner-friendly.
• Weave Net – Easy to deploy with automatic mesh networking.
• Cilium – Advanced networking powered by eBPF, strong security and observability.
• AWS VPC CNI – Used in EKS, assigns AWS VPC IPs directly to pods.
• Each plugin handles IP allocation, routing, and security policies differently.

• Suppose you deploy a pod: kubectl run nginx --image=nginx.
• Behind the scenes: Pod gets scheduled to a node. Container runtime creates the container. Kubernetes calls the CNI plugin.
• The plugin creates a network interface, assigns an IP address, and configures routing rules.
• Now that pod can communicate with other pods, services, and external networks.

• Pod
• Network Namespace
• CNI Plugin
• Node Networking
• Cluster Networking
• So essentially, CNI is the networking layer that makes pod-to-pod communication possible in Kubernetes clusters.

What is Pod Communication?

Now It's Time To Learn About Distributed Systems Concepts

1. Leader Election: Initially, everyone is a regular committee member (Follower). After a short, random amount of time, one member, Alice, decides to run for chairperson (Candidate). She sends a message to everyone: "Vote for me.". The other members receive the message. Since they haven't voted for anyone else yet, they vote for Alice and send back a "Yes" vote. Once Alice receives a "Yes" from a majority of the committee (e.g., 3 out of 5 votes), she becomes the official chairperson (Leader). She is now the only one who can make official decisions.
2. Making a Decision (Log Replication): Now, a decision needs to be made: "Our project leader will be Bob.". The Leader, Alice, is the only one who can propose this. She writes it down in her notebook (her log) and sends the proposal to all the other committee members (the Followers). The Followers receive the proposal. They write it in their own notebooks and send an "Acknowledged" message back to Alice.
3. Reaching Agreement (Consensus): Once Alice receives an "Acknowledged" message from a majority of the members, she knows the decision is safely recorded. She "commits" the decision, making it final. She then informs the entire committee that the decision is final and "Bob is the project leader.". This process ensures that a single, consistent decision is made and recorded by a majority of the group, preventing confusion and chaos.

Now what does mean by the Quorum?

What is Failure Tolerance?

Scenario 1: 3 Managers (An Odd Number)

• Total Managers (n): 3
• Quorum Needed: (3 / 2) + 1 = 1.5 + 1 = 2.5. Since we can't have half a vote, we round up. A majority of 3 is 2. Quorum Needed: 2 votes.
• How many can we lose? If one manager goes offline for lunch, we still have 2 managers left. They can still vote and form a majority (2 out of 2 votes). The system keeps working. Max Failures Tolerated: 1.

Scenario 2: 4 Managers (An Even Number)

• Total Managers (n): 4
• Quorum Needed: (4 / 2) + 1 = 2 + 1 = 3 votes.
• How many can we lose? If one manager goes offline, we have 3 managers left. They can still vote and form a majority (3 out of 3 votes). The system keeps working. Max Failures Tolerated: 1.
• Look at that! We paid for a whole extra server (going from 3 to 4 managers), but we didn't gain any extra safety. We can still only tolerate one failure. This is why adding just one server to an odd-numbered cluster is often a waste of money and resources. Let's do one more.

Scenario 3: 5 Managers (An Odd Number)

• Total Managers (n): 5
• Quorum Needed: (5 / 2) + 1 = 2.5 + 1 = 3 votes.
• How many can we lose? We can lose two managers and still have 3 left to vote and form a majority. Max Failures Tolerated: 2.
• This is the "why". You only gain more fault tolerance when you reach the next odd number. Let’s See the example in table.
• Example: 1 = 1 / 2 + 1/1 = 1 + 2 / 2 = 3 / 2 = 2 / 3 = 1 = 1 - 1 = 0.

Let’s See the example in table: -

Now it's time learn about Split-Brain Problem?

• The managers in Room A think the others are gone. They hold a vote. They have 2 out of 2 votes, so they elect a new leader and start giving instructions to the engineers.
• The managers in Room B do the exact same thing. They elect their own leader and start giving different instructions.

• The group with 3 managers has the quorum. They can elect a leader and continue working normally.