Blog
Thoughts on engineering, design, and building great products.
Node Log Query and Fine-grained Kubelet Authorization
Article 65 viewed system logs by SSHing into each node to run journalctl. v1.36 lets you query those logs straight through the kubelet API, no SSH. And it comes with a security change: kubelet API access, previously lumped under nodes/proxy, is now split per endpoint — letting you grant exactly nodes/metrics to a monitoring agent without handing over logs or exec. The final article of Part XIV, both touching components we built in Part I.
GC, cgroup v2, Swap, and Graceful Node Shutdown
Kubelet does a lot at the node level that we rarely look at while things run fine. This article inspects four of those on a real worker: cleaning up old images when the disk fills, placing each pod in the right cgroup v2 branch and enforcing limits via memory.max/cpu.max, why swap is blocked by default, and graceful node shutdown — the thing that decides whether pods get yanked or shut down cleanly when a node powers off.
kubelet: Bringing the Workers Into the Cluster
The kubelet is the only process on a worker that talks to the api-server and gives orders to containerd. This article distributes the certificate for each node, writes a KubeletConfiguration pointing at the containerd socket, builds the systemd unit, then watches the two workers register into the cluster — and understands why they show up as NotReady rather than Ready.