Kubernetes Deep Dive: Kubelet
Source: Dev.to
Introduction
In a Kubernetes cluster, the Kubelet is responsible for starting and stopping containers and managing the state of the node. It is a standalone binary that runs directly on the node’s operating system, typically started as a systemd service. In development environments such as kind, the node itself runs inside a Docker container, and kubelet is launched as a child process of the container’s init system.
When the kubelet stops, the control plane marks the node as NotReady, preventing new workloads from being scheduled there.
Kubelet Responsibilities
Kubelet continuously reconciles the actual containers on the node with the desired state defined in the PodSpec obtained from the API server. It does this through several specialized managers that operate autonomously:
- Pod Lifecycle Management – Handles pod creation, updates, and deletion via the
SyncPodlogic. - Storage Bridge – The
VolumeManagermounts external storage on the host and makes it available to containers. - Secret Delivery –
TokenManagerandSecretManagerfetch ServiceAccount tokens and secrets, injecting them into the appropriate locations. - Status Reporting – Periodically pushes node resource usage and pod health status to the API server.
- Health Checks – Executes liveness and readiness probes, restarting containers when necessary.
- Node Self‑Defense – Performs pod eviction when resource limits are approached, protecting the node from a total crash.
All of these components coordinate around a central event loop known as the SyncLoop.
Runtime Stack: CRI → containerd → runc
When kubelet issues a “create container” command, the request flows through a layered stack:
- CRI (Container Runtime Interface) – The protocol kubelet uses to communicate with the container runtime.
- containerd (CRI Runtime) – Receives CRI commands, handles image pulls, and manages higher‑level container lifecycle operations.
- runc (OCI Runtime) – Interacts directly with the kernel to create and run the container process.
Kubelet instructs containerd, which in turn invokes runc to perform the low‑level actions.
Eviction vs. OOM Killer
| Feature | Eviction (Node‑pressure) | OOM Killer (Cgroup / Global) |
|---|---|---|
| Perpetrator | Kubelet (manager) | Linux kernel (police) |
| Timing | When resource usage crosses a defined threshold | When a cgroup or the system exceeds its hard limit |
| Behavior | Gracefully terminates pods to free resources | Sends SIGKILL to the offending process immediately |
| Purpose | Preventive measure to keep the node alive | Enforcement to protect the OS or cgroup limits |
Pods can be terminated for memory shortage due to either:
- Violation of their own limits – the pod exceeds the resources it requested.
- Node‑wide crisis – the entire node is under pressure.
Kubelet aims to perform organized eviction before the kernel’s OOM Killer intervenes.
SyncPod Flow (Pod Startup)
- Context Preparation – Retrieve the latest pod definition from the API server.
- Volume Mount – Instruct
VolumeManagerto mount required storage on the host. - Secret/ConfigMap Preparation –
TokenManagerfetches service account tokens and places them as files on the host. - Sandbox Creation – Create the “pause” container (
RunPodSandbox) that provides the pod’s network and namespace frame. - Container Startup –
- Bind‑mount the prepared token or volume into the container’s filesystem (e.g.,
/var/run/secrets/...). - Launch the application container.
- Bind‑mount the prepared token or volume into the container’s filesystem (e.g.,
Summary
Kubelet is more than a simple agent; it is an autonomous control system that:
- Runs as a process on the host (or inside a kind node container).
- Translates high‑level pod specifications into concrete containers using the CRI → containerd → runc stack.
- Defends node health by evicting pods before the kernel’s OOM Killer can cause abrupt failures.
Understanding this “brain” of the node is essential when troubleshooting pod deaths (OOMKilled vs. Evicted) or volume‑mount issues.