SH
SHELL
AI Powered Learning Portal
Kubelet, kube-proxy, and the container runtime

Kubelet, kube-proxy, and the container runtime

Meet the residents of the worker node. Understand how the Kubelet, kube-proxy, and runtime work together to turn API instructions into running software.

The Worker Node Internals: Kubelet, kube-proxy, and the Container Runtime

In the previous lesson, we explored the "Brain" of Kubernetes. Now, it is time to look at the "Body"—the Worker Nodes. This is where your code actually executes, where your FastAPI endpoints listen, and where your AI models perform inference.

While the Control Plane is high-level and orchestrates the big picture, the Worker Node components are "Low-Level." They are responsible for the nitty-gritty details of Linux process management, network packet routing, and container image isolation.

In this lesson, we will deep dive into the three residents of every worker node: the Kubelet, the kube-proxy, and the Container Runtime. By the end of this article, you will understand how a message from the API Server is translated into a running process that your users can access.

1. The Kubelet: The Node's Captain and Secret Agent

The Kubelet is the primary "Node Agent" that runs on every machine in the cluster. It is the bridge between the Control Plane and the local machine.

The Lifecycle of a Container through the Kubelet's Eyes

The Kubelet's mission is simple: "Make sure that the containers mentioned in the PodSpecs assigned to this node are running and healthy."

It does this through a series of complex loops:

  1. The Watch Loop: The Kubelet maintains a persistent connection to the API Server. When a Pod is scheduled to its node, the Kubelet receives an event.
  2. The Pulling Phase: The Kubelet doesn't "have" your code. It asks the Container Runtime to pull the specific image (e.g., my-fastapi-app:v2) from a registry like Amazon ECR.
  3. The Environment Setup: The Kubelet creates the local directories for volumes, injects ConfigMaps and Secrets as files or environment variables, and configures the network namespace.
  4. The Execution: It tells the runtime to start the container.
  5. The Status Report: Once the container is up, the Kubelet reports back to the API Server: "Pod A is now Running."

Health Monitoring (Probes)

The Kubelet is also your cluster's "First Responder." It monitors the health of your app using three types of probes:

  • Liveness Probe: "Is the app still stuck in a deadlock?" If this fails, the Kubelet kills the container and starts a fresh one.
  • Readiness Probe: "Is the app ready to handle traffic?" (e.g., has the AI model finished loading into memory?). If this fails, K8s stops sending user traffic to this pod.
  • Startup Probe: Used for slow-starting apps to prevent them from being killed by the liveness probe before they even finish booting.

Example: Configuring Probes for a FastAPI AI Service

AI models can take 30-60 seconds to load. You need a robust probe strategy to avoid "CrashLoopBackOff" errors.

# A K8s snippet for a LangChain/Bedrock app
spec:
  containers:
  - name: ai-service
    image: myrepo/ai-service:latest
    startupProbe:
      httpGet:
        path: /healthz
        port: 8000
      failureThreshold: 30 # Give it 30 tries...
      periodSeconds: 10     # ...every 10 seconds. (5 mins max)
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8000
      initialDelaySeconds: 5
      periodSeconds: 15

2. kube-proxy: The Network Magician

If the Kubelet is the Captain, the kube-proxy is the "Communications Officer." Its job is to manage the networking rules on the node to ensure that traffic reaches the right pod.

The Problem: Pods are Mortal

In K8s, pods are created and destroyed constantly. Their IP addresses change every time. You can't hardcode an IP address into your frontend. Instead, you use a Service (A stable IP).

How kube-proxy Solves It

kube-proxy doesn't actually "Proxy" the traffic himself (that would be too slow). Instead, he manages the Linux Kernel's networking tables.

The Modes of kube-proxy:

  1. iptables (Default): kube-proxy creates "Rules" in the kernel. When a packet arrives for 10.0.0.5 (The Service IP), the kernel immediately rewrites the destination to 10.244.1.10 (A healthy Pod IP). This happens at the system level and is incredibly fast.
  2. IPVS (IP Virtual Server): Used in massive clusters. It uses a specialized hash table in the kernel that is much faster than iptables when you have thousands of services.
  3. Userspace: (Legacy) kube-proxy actually received the traffic and forwarded it. This is very slow and almost never used today.

Visualizing the Traffic Flow

graph LR
    User["Internet User"] --> LB["Global Load Balancer"]
    LB --> Node["Worker Node IP"]
    Node --> KP["kube-proxy (IPTables)"]
    KP -- "Forward to" --> Pod1["Pod A (Healthy)"]
    KP -- "Load Balance to" --> Pod2["Pod B (Healthy)"]
    
    style KP fill:#f96,stroke:#333
    style Pod1 fill:#9cf,stroke:#333Msg
    style Pod2 fill:#9cf,stroke:#333Msg

3. The Container Runtime: The Engine Room

The Container Runtime is the software that actually runs the containers. For a long time, this was synonymous with Docker. However, as Kubernetes grew, it needed something more specialized.

The Container Runtime Interface (CRI)

Kubernetes created the CRI standard so it could talk to any runtime. This allowed the community to build runtimes specifically optimized for orchestration.

The Big Players:

  • containerd: This is the industry standard today. It is actually the core engine inside Docker, but stripped of all the "Desktop/User" features that K8s doesn't need. It’s light, fast, and rock-solid.
  • CRI-O: A runtime built by Red Hat specifically for Kubernetes. It follows the philosophy of "Only what K8s needs, nothing more."
  • Docker Engine: (Legacy in K8s) Still used by many developers locally, but most managed clouds (AWS EKS, GKE) have switched to containerd for better performance.

How K8s talks to the Runtime

When the Kubelet wants to start a pod:

  1. Kubelet calls the CRI gRPC API.
  2. The Runtime (containerd) talks to the Linux Kernel to create a "Namespace" (for isolation) and a "Cgroup" (for resource limits).
  3. The Runtime executes the application process inside that sandbox.

4. Resource Management: Cgroups and Requests/Limits

One of the most powerful features of the Node components is how they prevent "Noisy Neighbor" syndrome. This is handled by a Linux kernel feature called Control Groups (cgroups).

Requests vs. Limits

As a developer, you MUST define these in your YAML:

  • Requests: The minimum amount of CPU/RAM the Kubelet promises the app. The Scheduler uses this to place the pod.
  • Limits: The maximum the app is allowed to take.
    • If the app hits its CPU Limit, K8s "throttles" it (it slows down).
    • If the app hits its Memory Limit, the Kubelet Kills the container immediately (OOMKill).

Why this is critical for AI

AI workloads are "Memory Hungry." If your LangChain app tries to load a huge model into RAM without a memory limit, it might take down the entire Worker Node, killing every other app on that machine. Kubernetes prevents this by isolating your AI "Blast Radius."

5. Security: The Node-Level Defense

The Worker Node is the "Front Line" of security.

  • Rootless Containers: Modern runtimes allow you to run containers without "Root" privileges. This means that even if a hacker takes over your FastAPI app, they can't delete files on the host server.
  • AppArmor / SE Linux: The Kubelet can apply strict security profiles to your pods, preventing them from accessing sensitive parts of the node's filesystem.

6. Summary and Key Takeaways

  • Kubelet: The manager on the ground. It ensures Pods match their specs and performs health checks.
  • kube-proxy: The network router. It translates Service IPs into Pod IPs using fast kernel rules.
  • Container Runtime: The engine. It handles the actual process isolation using namespaces and cgroups.
  • CRI: The standard that allows K8s to work with any runtime (containerd being the champion).

In the next lesson, we will step back and look at the "Nervous System" of the entire cluster: Cluster Networking Basics.

7. SEO Metadata & Keywords

Focus Keywords: Kubelet vs kube-proxy, Container Runtime Interface CRI, Kubernetes health probes tutorial, K8s networking iptables vs ipvs, Resource requests and limits K8s, containerd vs Docker Kubernetes.

Meta Description: Deep dive into the Worker Node components of Kubernetes. Master the Kubelet sync loop, understand how kube-proxy manages cluster-wide networking, and explore why containerd has replaced Docker as the engine of modern production orchestration.

Previous LessonAPI server, etcd, controller manager, and scheduler
Next LessonCluster networking basics

Subscribe to our newsletter

Get the latest posts delivered right to your inbox.

Subscribe on LinkedIn