01 · Why this mental model
There are many Kubernetes tutorials. This one is about memory.
There are already many excellent articles, videos and training materials on Kubernetes. This article is not trying to say something completely new. Instead, it explains Kubernetes in a way that is easier to remember.
When I learn something complex, I like to create a mental map. A mental map helps me connect concepts together instead of memorizing them as separate definitions. Kubernetes has many terms: control plane, worker node, namespace, Pod, Deployment, Service, Ingress, StorageClass, PVC, PV, NetworkPolicy, requests and limits.
Each term is manageable by itself. The challenge is connecting them. So for this article, let us use one simple mental model: Kubernetes is like a smart shopping mall.
By the end, you should be able to explain Kubernetes using one connected story: the mall, the management office, the floors, the brands, the counters, the directory, the storage room, and the access rules.
02 · Kubernetes architecture
The cluster is the entire mall. The control plane manages it.
A Kubernetes cluster is the full environment where applications run. It includes the management system, the machines, the applications, the network, the storage, and the policies. In our analogy, the Kubernetes cluster is the entire shopping mall.
Every mall needs a management office. The management office does not sell coffee, clothes or electronics. It manages the mall. The Kubernetes control plane works in the same way. It decides what should run, where it should run, how many copies should exist, and what to do when something fails.
The scheduler is like the leasing and space allocation team. If a brand wants a new counter, the mall checks which floor has space, power, and the right conditions. Kubernetes does the same when placing a Pod on a worker node.
The controller manager is like the operations supervisor. If the desired plan says three counters should be open and only two are running, Kubernetes works to restore the expected state.
03 · Worker node vs namespace
Worker node is where it runs. Namespace is who owns it.
This is one of the most important distinctions for infrastructure and platform practitioners. A namespace is not a place where Pods run. It is a logical ownership boundary.
Imagine a business unit called Payments. Payments may have one counter on Level 1, one reconciliation counter on Level 2, and one payment-api counter in the East Wing. The brand is not the floor. The brand uses space on one or more floors.
- Namespace: payments — who owns the workload.
- Pod: payment-api — the running outlet or counter.
- Worker node: worker-node-03 — where that Pod is running.
- Container: the actual payment-api application process inside the Pod.
The same namespace can have Pods on many worker nodes. At the same time, one worker node can run Pods from many namespaces. That is why the short memory hook is: namespace equals ownership; worker node equals runtime location.
04 · Pods, containers and Deployments
The counter is the Pod. The business inside it is the container.
A Pod is the smallest deployable unit in Kubernetes. Most of the time, one Pod runs one main container. In the mall analogy, the Pod is the outlet or counter. The container is the business function running inside that counter.
A Deployment is not a single Pod. A Deployment is a plan. It creates a behind-the-scenes manager called a ReplicaSet.
This ReplicaSet ensures that if the Deployment says replicas: 3, exactly three Pods stay running.
Think of the Payments business unit saying: during normal hours, keep three Payments counters open. During a campaign, increase to five counters. When upgrading the counter setup, replace counters gradually so service does not stop.
kubectl get all, you may see a replicaset.apps/payment-api-xxxxx object. That is expected. The Deployment owns the ReplicaSet, and the ReplicaSet keeps the Pods running.
05 · Services and Ingress
Use the mall directory, not the temporary counter location.
Pods are temporary. They can be created, deleted, moved or replaced. Their IP addresses can change. A Service gives a stable way to reach those changing Pods, just like a fixed mall directory number points visitors to the right counter even when staff or counters change.
Ingress is the main mall entrance. A user enters from outside, Ingress receives the request, the Service routes it to the right set of Pods, and the container handles the actual application logic.
06 · Storage fundamentals
StorageClass is the blueprint. PVC is the request. PV is the room.
Not every application is stateless. Databases, file upload services, message queues and stateful applications need data to survive even if a Pod restarts. Kubernetes uses StorageClass, PersistentVolumeClaim and PersistentVolume to make storage consumable.
The important idea is dynamic provisioning. Without a StorageClass, a platform admin may need to prepare storage manually ahead of time. That is like the mall admin building every storage room before any tenant asks for it.
With a StorageClass, the platform has a blueprint. When a tenant submits a request through a PVC, Kubernetes can dynamically provision a suitable PersistentVolume. In mall language, the storage room is created or assigned when the tenant submits the request.
07 · Networking fundamentals
Kubernetes networking is about reachability and control.
Kubernetes networking answers four simple questions: how Pods talk to each other, how applications find changing Pods, how outside traffic enters the cluster, and how we control who can talk to whom.
NetworkPolicy is like mall access control. Customers can enter public shops. Delivery staff can access loading bays. Vendors can enter approved areas. Visitors cannot enter the mall control room. In Kubernetes, policies can allow frontend Pods to talk to backend Pods, while preventing frontend Pods from directly reaching the database.
08 · Resource requests and limits
Requests help placement. Limits protect shared capacity.
Every Pod needs CPU and memory. But a Kubernetes cluster has limited capacity. If one workload consumes too much, it can affect others. That is why Kubernetes uses resource requests and limits.
A request tells Kubernetes what the Pod needs for placement. In the image, the Pod requests 1 vCPU and 2Gi memory. Kubernetes uses this information to decide which worker node has enough space.
A limit controls maximum usage. CPU and memory behave differently when they hit limits. If a Pod tries to use too much CPU, Kubernetes throttles it, which means it slows down. If it tries to pass its memory limit, the container is terminated with an OOMKilled error to protect the rest of the node.
09 · Config, secrets and health checks
Not everything belongs inside the application image.
Applications need configuration: environment names, API endpoints, feature flags, passwords, tokens and certificates. Kubernetes separates normal configuration from sensitive configuration. ConfigMaps are like mall notice boards. Secrets are like secure lockers.
Kubernetes can also check whether an application is healthy. A liveness probe asks, “Is it alive?” A readiness probe asks, “Can it serve traffic now?” A counter may be open but not ready to serve customers. A Pod may be running but not ready to receive traffic.
10 · Hands-on example
Read the YAML like a mall story.
This example creates a namespace, a Deployment and a Service. The names are intentionally consistent so the story is easy to follow.
apiVersion: v1
kind: Namespace
metadata:
name: payments
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: payment-api
namespace: payments
spec:
replicas: 3
selector:
matchLabels:
app: payment-api
template:
metadata:
labels:
app: payment-api
spec:
containers:
- name: payment-api
image: nginx:latest
ports:
- containerPort: 80
resources:
requests:
cpu: "1"
memory: "2Gi"
limits:
cpu: "2"
memory: "4Gi"
---
apiVersion: v1
kind: Service
metadata:
name: payment-api-service
namespace: payments
spec:
selector:
app: payment-api
ports:
- port: 80
targetPort: 80
- Namespace payments = Payments brand or tenant account.
- Deployment payment-api = counter availability plan.
- replicas: 3 = keep three counters running.
- ReplicaSet = behind-the-scenes manager that keeps the three Pods running.
- Container payment-api = business function inside each counter.
- Service payment-api-service = stable directory number for the counters.
11 · Knowledge reinforcement
Test the mental model.
1. Which statement best explains the difference between a Worker Node and a Namespace?
- Why B is correct: Worker Node provides real runtime capacity. Namespace provides logical ownership and separation.
- Why A is wrong: It reverses the meaning.
- Why C is wrong: Pods run containers; namespaces do not.
- Why D is wrong: Worker nodes provide compute capacity for Pods, not only storage.
2. What does a Deployment create behind the scenes to keep Pods running?
- Why B is correct: A Deployment manages a ReplicaSet, and the ReplicaSet maintains the requested Pods.
- Why A is wrong: A Service gives stable network access; it does not keep replicas running.
- Why C is wrong: StorageClass is related to storage provisioning.
- Why D is wrong: Ingress handles external HTTP/HTTPS traffic routing.
3. Why do we use a Service in Kubernetes?
- Why B is correct: Pods can be replaced and IPs can change. A Service gives a stable identity for reaching them.
- Why A is wrong: Storage is handled by PV, PVC and StorageClass.
- Why C is wrong: Services do not create worker nodes.
- Why D is wrong: Deployment and Service solve different problems.
4. What is the role of a StorageClass in dynamic provisioning?
- Why B is correct: A StorageClass defines the storage type and provisioning behavior used to dynamically create or assign a PV for a PVC.
- Why A is wrong: Container images are defined in Pod specs.
- Why C is wrong: Services and Ingress expose applications.
- Why D is wrong: Namespace ownership is separate from storage provisioning.
5. What happens when a Pod hits CPU and Memory limits?
- Why B is correct: CPU is compressible, so excess usage is throttled. Memory is not compressible in the same way, so crossing the limit can terminate the container with OOMKilled.
- Why A is wrong: Resource limits are enforced by Kubernetes and the container runtime.
- Why C is wrong: CPU and memory limits do not delete namespaces or create Services.
- Why D is wrong: CPU and memory limits affect compute resources, not storage.
11 · Architecture challenge
Design a mall for Payments, Risk and Reporting.
A company has three application teams: Payments, Risk and Reporting. Each team wants to deploy applications on Kubernetes.
- Would you create separate namespaces for Payments, Risk and Reporting?
- Which applications should use Deployments?
- Which applications need Services?
- Which workloads need PVCs?
- Where would NetworkPolicy be useful?
- What resource requests and limits would you define?
- What should the platform team manage?
- What should the application team manage?
12 · Key takeaways
The foundation stays the same when we move to VKS.
- Kubernetes is easier to understand when concepts are connected together.
- A Kubernetes cluster is like a smart shopping mall.
- The control plane is the mall management office.
- Worker nodes are the physical floors or zones where workloads run.
- Namespaces are brand or tenant accounts, not physical locations.
- Pods are outlets or counters where containers run.
- A Deployment creates a ReplicaSet, and the ReplicaSet keeps the requested Pods running.
- Services provide stable access to changing Pods.
- StorageClass, PVC and PV make storage consumable through static or dynamic provisioning.
- CPU limits can throttle. Memory limits can cause OOMKilled restarts.
- Kubernetes is a desired-state system, not just a container launcher.
VKS builds on Kubernetes. It does not remove these concepts. When we later discuss Supervisor, VCF Namespace, Workload Cluster, VKr, storage policy and NSX/VDS networking, we will connect them back to this foundation.