TIL - You do not need Kubernetes API Server to spin up Pods

kubernetes Apr 13, 2022

Yes, you heard it correctly! When I read about it, it blew my mind. 🤯

In Kubernetes, the control plane manages the Pods. To run a Pod with an Nginx container, we run the following command -

> kubectl run nginx --image nginx

Kubernetes will make sure that a Pod named "nginx" is spun up using the "nginx:latest" image. But let me tell you that there is another way to run Pods in Kubernetes, one that does not go through the API server at all: Static Pods.

Static Pods are managed directly by the kubelet daemon running on a specific node, without requiring the API server to observe or manage them. Unlike Pods managed by the control plane, a Static Pod is started, watched, and restarted by the kubelet alone. In that sense, a Static Pod is always bound to exactly one kubelet on one specific node in the cluster.

The example below uses minikube to demonstrate how Static Pods work. Kubernetes clusters instantiated with minikube use the path /etc/kubernetes/manifests to store the pre-configured manifest files of etcd, api-server, controller-manager, and scheduler. The kubelet daemon running on this node constantly watches that directory for changes. When I save the nginx.yaml Pod manifest into it, the kubelet picks the file up and deploys the Pod instantly.

The concept of Static Pods is not a weakness per se, but do you think that a malicious actor could exploit it in any way?
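As an added example (not code from the original post), here is a small Python audit for the defender's side of that question. It reads the JSON from `kubectl get pods -A -o json` (a constructed sample is embedded so it runs offline) and reports mirror Pods, which is how Static Pods surface in the API server: the kubelet creates a mirror Pod for each Static Pod and annotates it with `kubernetes.io/config.source: file` and `kubernetes.io/config.mirror`. The allow-list of expected control-plane Static Pods is an assumption for a kubeadm/minikube node.

```python
import json
import sys

# Static Pods a kubeadm/minikube control-plane node is expected to run from
# /etc/kubernetes/manifests (assumption for this example; adjust per cluster).
EXPECTED_STATIC = {
    ("kube-system", "etcd"), ("kube-system", "kube-apiserver"),
    ("kube-system", "kube-controller-manager"), ("kube-system", "kube-scheduler"),
}

def static_pods(pod_list):
    """Return (namespace, name, node) for every mirror Pod in a v1 PodList dict.

    Only mirror Pods carry the kubelet's config.* annotations in the API server;
    Pods created through the API (e.g. `kubectl run nginx`) have none of them.
    """
    found = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        ann = meta.get("annotations") or {}
        is_mirror = ("kubernetes.io/config.mirror" in ann
                     or ann.get("kubernetes.io/config.source") == "file")
        if is_mirror:
            found.append((meta["namespace"], meta["name"],
                          pod.get("spec", {}).get("nodeName", "")))
    return found

def unexpected_static_pods(pod_list):
    """Mirror Pods whose (namespace, manifest name) is not on the allow-list."""
    out = []
    for ns, name, node in static_pods(pod_list):
        # Mirror Pods are named "<manifest name>-<node name>"; strip the node suffix.
        suffix = "-" + node
        base = name[:-len(suffix)] if node and name.endswith(suffix) else name
        if (ns, base) not in EXPECTED_STATIC:
            out.append((ns, name, node))
    return out

# Constructed sample: one API-created Pod, one expected control-plane mirror Pod,
# and one mirror Pod from an nginx.yaml someone dropped into the manifest directory.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "nginx"}, "spec": {"nodeName": "minikube"}},
 {"metadata": {"namespace": "kube-system", "name": "kube-apiserver-minikube",
   "annotations": {"kubernetes.io/config.source": "file", "kubernetes.io/config.mirror": "0123abcd"}},
  "spec": {"nodeName": "minikube"}},
 {"metadata": {"namespace": "default", "name": "nginx-minikube",
   "annotations": {"kubernetes.io/config.source": "file", "kubernetes.io/config.mirror": "4567ef01"}},
  "spec": {"nodeName": "minikube"}}]}""")

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 static_pod_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, name, node in unexpected_static_pods(data):
        print(f"unexpected static pod {ns}/{name} on node {node}")
```

A mirror Pod exists only while the kubelet can reach the API server, so this view is incomplete for a node that is offline or registered against another cluster; for the full picture the manifest directory itself (kubelet `--pod-manifest-path`, or `staticPodPath` in the kubelet configuration) has to be inspected on the node.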

Kubernetes documentation below mentions other ways to deploy Static Pods -

Create static Pods
Static Pods are managed directly by the kubelet daemon on a specific node, without the API server observing them. Unlike Pods that are managed by the control plane (for example, a Deployment); instead, the kubelet watches each static Pod (and restarts it if it fails). Static Pods are always bound to…
