BLOG03: Kubernetes Cluster Administration

BLOG02: Kubernetes Cluster Administration and Maintainance

Kubernetes Cluster Administration & Maintenance — Full Topic List

1. Node Lifecycle Management

✦ Joining New Nodes

• kubeadm join workflow

• bootstrap tokens

• discovery token CA hash

• adding worker vs control plane

• validating API endpoint connectivity

• rotating join tokens

✦ Removing Nodes

• kubectl drain <node>

• kubectl cordon <node>

• kubectl delete node <node>

• cleaning kubelet & CNI

✦ Draining Nodes

• evicting workloads safely

• respecting PodDisruptionBudgets (PDBs)

• draining with/without force

• handling daemonsets during drain

✦ Cordon & Uncordon

• marking nodes unschedulable

• maintenance windows

✦ Node Taints & Tolerations

• NoSchedule / PreferNoSchedule / NoExecute

• dedicating nodes to workloads

• preventing scheduling of specific pods

• taint-based node isolation

• tolerationSeconds

✦ Node Affinity

• required vs preferred affinity

• nodeSelector, affinity, anti-affinity

• co-locating or spreading workloads for HA

2. Cluster High Availability & Failover

Control Plane HA

• Multi-master setup

• kubeadm HA topology (stacked vs external etcd)

• API server load balancing

• etcd cluster quorum & fault tolerance

Failover Mechanisms

• Node failure detection (node leases)

• pod rescheduling

• controller-manager reconciliation

• static pod failover for control-plane

Ensuring Reliability

• health checks for control-plane

• monitoring API server availability

• etcd backup & disaster recovery

3. Upgrades & Version Management

kubeadm Upgrade Process

• upgrading control-plane nodes

• upgrading worker nodes

• performing version skew checks

• upgrading kubelet & kubectl

• draining nodes before upgrade

Safe Rollbacks

• detecting upgrade failure

• restoring etcd snapshot

• reverting kubeadm configs

Add-on Upgrades

• CNI upgrade strategy (Calico, Cilium)

• Ingress controller updates

• CoreDNS, kube-proxy upgrade

4. Networking & CNI Operations

CNI plugin management

• Calico / Cilium / Flannel

• how to reinstall or repair CNI

• troubleshooting networking pods

• kube-proxy (IPTables/IPVS)

Advanced Networking

• network policies (deny-all, allow rules)

• pod-to-pod encryption

• BGP peering with Calico

• cluster DNS debugging

5. Storage & Volume Management

Persistent Volumes

• dynamic provisioning

• storage classes

• reclaim policies

CSI Operations

• installing CSI drivers

• resizing volumes

• volume snapshots

• handling stuck PV/PVC

6. Security & Hardening

RBAC Administration

• roles, rolebindings, clusterroles

• least privilege design

• service accounts

Pod Security

• Pod Security Standards (Baseline, Restricted)

• seccomp, AppArmor

• rootless pods

Secrets Management

• encrypt secrets at rest

• external KMS (AWS KMS, HashiCorp Vault)

• rotating service account tokens

7. Certificate & PKI Management (Advanced)

Kubernetes CA Internals

• kubeadm PKI structure

• apiserver certificates

• front-proxy CA

• etcd client/server certs

• kubelet client cert rotation

External CA Integration

• signing cluster certs with Let’s Encrypt

• using cert-manager + ACME

• API server behind HTTPS LB with LE certs

• external front-proxy CA

Certificate Rotation

• manual rotation with kubeadm

• kubeadm cert renew

• renewing etcd certificates

• rotating kubelet certs

8. Monitoring, Logging & Health

Monitoring

• Metrics-server

• Prometheus + Grafana

• kube-state-metrics

• node exporter

Logging

• Fluentd, Fluent-bit, Loki

• troubleshooting kubelet logs

• API server/audit logs

Health Probes

• liveness/readiness/startup probes

• pod lifecycle events

9. Backup & Disaster Recovery

etcd Backup

• snapshot save & restore

• restoring cluster from etcd disaster

• scheduled backups

Cluster DR Strategy

• control plane recovery

• worker node recovery

• disaster recovery automation

• backup of cluster manifests (GitOps)

10. Cluster Scaling

Horizontal Scaling

• adding nodes

• cluster autoscaler

• HPA / VPA

Vertical Scaling

• resizing nodes

• adjusting kube-reserved/system-reserved

• controlling eviction thresholds

11. Add-on & Component Maintenance

Core Add-ons

• CoreDNS

• kube-proxy

• Ingress Controller (Nginx, Traefik)

• Dashboard

Cluster Services

• metrics-server

• cert-manager

• external-dns

• sealed-secrets

12. Advanced Scheduling Concepts

Node Affinity / Anti-Affinity

• required/preferred scheduling

• topology spread constraints

Pod Affinity

• co-locating workloads

Topology

• multi-zone

• multi-region

• zone-aware scheduling

Resource Reservations

• requests vs limits

• admission control

13. GitOps-Based Cluster Management

• ArgoCD

• FluxCD

• self-healing desired state

• environment promotion

14. Advanced Networking & Security

Service Mesh

• Istio / Linkerd / Consul

• mTLS between pods

• traffic shaping

• canary deployment

Ingress & Gateway API

• Layer 7 routing

• TLS termination

• rate limiting

• WAF integration

15. Node & Control Plane Deep Internals

kubelet Internals

• pod lifecycle

• CRI (containerd, CRI-O)

• image garbage collection

• eviction policies

Control Plane Internals

• controller-manager loops

• scheduler decision-making

• API server request flow

16. Cluster Hardening for Production

• CIS Benchmark for Kubernetes

• disabling anonymous access

• enforcing TLS everywhere

• network isolation

• audit log policy

• securing kubelet API

• disabling insecure port