Kubernetes Comparisons

ConfigMaps store non-sensitive configuration data like feature flags, config files, and environment variables in plain text. Secrets store sensitive data like passwords, tokens, and TLS certificates with base64 encoding and additional access controls. Both inject configuration into Pods, but Secrets provide extra safeguards for sensitive information.

containerd is a lightweight, industry-standard container runtime that Kubernetes uses directly via the CRI to manage container lifecycle. Docker is a full container platform that includes containerd internally plus additional tooling for building images, managing volumes, and developer experience. Since Kubernetes 1.24, Docker is no longer supported as a runtime — containerd (or CRI-O) is used directly.

DaemonSets ensure exactly one Pod runs on every (or selected) node in the cluster, making them ideal for node-level agents like log collectors and monitoring daemons. Deployments manage a specified number of identical Pod replicas distributed across the cluster, making them the standard choice for stateless application workloads.

Deployments manage stateless applications where Pods are interchangeable and can be replaced freely. StatefulSets manage stateful applications that need stable network identities, ordered deployment, and persistent storage that survives Pod rescheduling.

A ClusterIP Service assigns a virtual IP that load-balances traffic across backend Pods through kube-proxy. A headless Service (clusterIP: None) skips the virtual IP and returns the individual Pod IPs directly in DNS lookups, giving clients direct access to specific Pods. Headless Services are essential for StatefulSets and applications that need peer discovery.

Helm is a package manager that uses Go templates to generate Kubernetes manifests from parameterized charts with values files. Kustomize is a template-free tool that patches and overlays plain Kubernetes YAML files to customize them for different environments. Helm excels at packaging and distributing reusable applications; Kustomize excels at customizing existing manifests without templating.

A Service provides stable network access to a set of Pods within the cluster using L4 (TCP/UDP) load balancing. An Ingress operates at L7 (HTTP/HTTPS) and routes external traffic to Services based on hostnames and URL paths. Services are required for any Pod networking; Ingress adds HTTP-aware routing on top.

Init containers run to completion before the main containers start — they perform one-time setup tasks like waiting for dependencies, loading configuration, or initializing databases. Sidecar containers run alongside the main container for the lifetime of the Pod, providing ongoing support like log shipping, proxy routing, or metrics collection.

A Job runs a task to completion — it creates one or more Pods and ensures they finish successfully. A CronJob creates Jobs on a recurring schedule defined by a cron expression. Use a Job for one-time tasks like database migrations; use a CronJob for recurring tasks like nightly backups or periodic cleanup.

kubectl apply is declarative — it creates or updates resources by comparing the desired state in your YAML file with the current state in the cluster. kubectl create is imperative — it creates a resource and fails if it already exists. Use apply for production workflows and GitOps; use create for quick one-off resource creation.

Docker builds and runs containers on a single machine. Kubernetes orchestrates containers across a cluster of machines, handling scheduling, scaling, self-healing, and service discovery. They are complementary — Docker (or containerd) creates the containers, and Kubernetes manages where and how they run at scale.

A liveness probe detects if a container is stuck or deadlocked and restarts it to recover. A readiness probe detects if a container is ready to handle traffic and adds or removes it from Service endpoints. Liveness answers 'is this container alive?' while readiness answers 'should this container receive requests?'

ClusterIP is the default Service type that exposes Pods internally within the cluster. NodePort extends ClusterIP by opening a static port on every node for external access. LoadBalancer extends NodePort by provisioning an external cloud load balancer that routes traffic to the NodePorts. Choose based on whether traffic is internal-only, needs basic external access, or requires production-grade external load balancing.

A container is a single isolated process running from a container image. A Pod is a Kubernetes abstraction that wraps one or more containers, giving them a shared network namespace, shared storage volumes, and a common lifecycle. Kubernetes schedules Pods, not containers — the Pod is the smallest deployable unit.

A PersistentVolume is a piece of cluster storage provisioned by an admin or dynamically by a StorageClass — it represents the actual storage resource. A PersistentVolumeClaim is a request for storage by a user — it specifies how much storage and what access mode is needed. PVs are the supply; PVCs are the demand. Pods consume storage by referencing PVCs, not PVs directly.

A ReplicaSet ensures a specified number of identical Pods are running at all times. A Deployment is a higher-level abstraction that manages ReplicaSets and adds declarative updates, rollback history, and rollout strategies. In practice, you almost never create a ReplicaSet directly — you use a Deployment.

Requests define the minimum resources a container is guaranteed — the scheduler uses them to find a node with enough capacity. Limits define the maximum resources a container can use — exceeding CPU limits causes throttling, and exceeding memory limits causes an OOM kill. Set requests for scheduling and guaranteed baseline; set limits to prevent runaway resource consumption.

A Role defines permissions within a single namespace — it can only grant access to resources in the namespace where it is created. A ClusterRole defines permissions cluster-wide and can grant access to cluster-scoped resources (nodes, namespaces), non-resource endpoints, or be reused across multiple namespaces via RoleBindings.

Rolling Update gradually replaces old Pods with new ones, ensuring zero downtime by keeping some old Pods running while new ones start. Recreate kills all existing Pods before creating new ones, causing a brief downtime window. Rolling Update is the default and preferred strategy for most production workloads; Recreate is used when running two versions simultaneously would cause data corruption or conflicts.

Taints repel Pods from nodes — a node with a taint rejects all Pods that do not tolerate it. Node affinity attracts Pods to nodes — a Pod with node affinity is scheduled on nodes that match its label selector. Taints work from the node's perspective (push), while affinity works from the Pod's perspective (pull). Use taints to reserve nodes for specific workloads; use affinity to guide Pods toward preferred nodes.