Blog
Thoughts on engineering, design, and building great products.
controller-manager and scheduler: Control Loops and Leader Election
The two components that turn desired state into action: kube-controller-manager runs dozens of control loops, kube-scheduler picks the node for a pod. This article stands up both on three controllers, explains how the scheduler filters and scores nodes, then watches leader election work for real — three instances running, but only one doing the work.
kube-apiserver: The Cluster's Entry Point and the Request Pipeline
The component that sits right in front of etcd and is the cluster's single entry point. This article digs into the authn → authz → admission chain every request must pass through, then stands up kube-apiserver on all three controllers: connecting to etcd over TLS, enabling Secret encryption, and actually verifying a Secret is encrypted by reading the raw bytes in etcd.
etcd: Quorum, Raft, and Standing Up a Three-Node Cluster
The first control plane component, and the foundation for everything above it: etcd. This article explains what etcd stores, why it needs an odd number of nodes, and what quorum means via the Raft algorithm — then stands up a three-node etcd cluster on the controllers with TLS, and verifies the leader and cluster health.
Bundle Certs into kubeconfig and Configure Secret Encryption
The certificates are ready, but the Kubernetes binaries read them through a pre-bundled format: kubeconfig. This article generates kubeconfigs for admin, controller-manager, scheduler, kube-proxy and each kubelet — explaining the cluster/user/context model and why the control plane points at 127.0.0.1 while workers go through the load balancer. It ends by creating the Secret-at-rest encryption file for etcd.
Sign Every Certificate by Hand with cfssl
The core of 'from scratch': use cfssl to create three CAs (Kubernetes, etcd, front-proxy) then sign all the certificates for each component — apiserver with a full SAN, a kubelet per worker with special CN/O, controller-manager, scheduler, kube-proxy, the etcd client, and the service-account key pair. Each one done individually, each field correct, then verify the trust chain.
Stand Up Six EC2 Machines and Prepare the OS
The first hands-on article: stand up a dedicated VPC on AWS with six EC2 machines (1 load balancer, 3 controllers, 2 workers), assign fixed private IPs, then prepare the OS — hostname, /etc/hosts, kernel modules, sysctl, disable swap — and install the kubectl and cfssl tooling. All done step by step, run for real.
PKI and TLS: Why a Cluster Needs So Many Certificates
A Kubernetes cluster needs a dozen certificates and three separate CAs. This article explains the PKI/TLS model underpinning every connection in the cluster: who the CA signs for, how two-way mTLS works, and one easily-forgotten point — the CN and O fields in a certificate are the very identity and RBAC group the api-server trusts.