Kubernetes Demystified

Learn K8s through mental models, not memorization

The Big Lie About Containers

You've been told containers are "lightweight VMs." You've seen diagrams showing neat little boxes stacked on top of a hypervisor. You've nodded along when someone said Docker "spins up" a container.

Here's the uncomfortable truth: containers aren't VMs at all. Not even close.

They're processes. Regular Linux processes whose view of the system is narrowed by namespaces and whose resource usage is capped by cgroups, scheduled by the same kernel as every other process on the host. Understanding this changes everything.

Why This Matters

When you think containers are VMs, you expect VM-level isolation: a kernel exploit in one container stays in that container, and workloads are completely separated from each other.

But standard containers share the host kernel. A single kernel vulnerability, reachable through any syscall the container is allowed to make, can break out of the container boundary and into every other workload on that node. This is the gap that Kata Containers (each pod runs in its own lightweight VM with a separate guest kernel) and gVisor (a user-space kernel that intercepts the container's syscalls so most of them never reach the host kernel) exist to close. We'll explore all of this.

🐧 Same Kernel: containers share the host's Linux kernel, so a kernel bug is a node-wide bug, not a per-container one

📦 Process Isolation: namespaces control what a process can see (its own PIDs, mounts, network stack, hostname, IPC objects)

📊 Resource Limits: cgroups control what a process can use (CPU time, memory, number of PIDs)
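A concrete way to see the three points above from the host, as an added example that is not part of the original page or the Kubernetes Demystified app: the script below reads the namespace identities a process belongs to from /proc/<pid>/ns, compares them with PID 1, and parses the process's cgroup v2 limits. The HOST_NS and CONTAINER_NS dictionaries are constructed sample data with made-up inode numbers; the live report() function assumes a Linux host with cgroup v2 mounted at /sys/fs/cgroup.

```python
"""Added example (not from Kubernetes Demystified): show that a container is a
process by reading what actually separates it from the host, namespace
identities in /proc/<pid>/ns and cgroup limits in /sys/fs/cgroup.
The parsing functions run anywhere; report() needs Linux with cgroup v2."""
import os

# Namespace types a typical runtime sets up for a container.
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")


def read_ns_ids(pid):
    """Map each namespace type to the identity of the namespace the process is in.
    readlink(/proc/<pid>/ns/<type>) yields e.g. 'pid:[4026531836]'; two processes
    are in the same namespace exactly when these strings are equal."""
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:  # namespace type absent on this kernel, or no permission
            ids[ns] = None
    return ids


def diff_namespaces(a, b):
    """Namespace types in which the two processes are NOT in the same namespace."""
    return sorted(ns for ns in NS_TYPES if a.get(ns) != b.get(ns))


def parse_cpu_max(text):
    """cgroup v2 cpu.max is '<quota> <period>' in microseconds, or 'max <period>'.
    Returns the CPU share as a float (0.5 == half a core) or None if unlimited."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_memory_max(text):
    """cgroup v2 memory.max is a byte count or 'max'. Returns int or None."""
    text = text.strip()
    return None if text == "max" else int(text)


# Constructed sample data (inode numbers are made up) showing the usual picture:
# a host shell versus a process inside a container started by a normal runtime.
# Only the user namespace is shared, which is the default for Docker/containerd.
HOST_NS = {
    "mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]",
    "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]", "user": "user:[4026531837]",
    "cgroup": "cgroup:[4026531835]",
}
CONTAINER_NS = {
    "mnt": "mnt:[4026532521]", "pid": "pid:[4026532523]", "net": "net:[4026532526]",
    "ipc": "ipc:[4026532522]", "uts": "uts:[4026532520]", "user": "user:[4026531837]",
    "cgroup": "cgroup:[4026532610]",
}


def report(pid):
    """Compare a live process against PID 1 (the host init when run on the host)."""
    host, target = read_ns_ids(1), read_ns_ids(pid)
    # uname reports the one kernel every process on the node runs on, inside or out.
    print(f"kernel seen by every process on this host: {os.uname().release}")
    print(f"namespaces where pid {pid} differs from pid 1: {diff_namespaces(host, target)}")
    cg = "/sys/fs/cgroup"
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            # cgroup v2 line looks like '0::/kubepods/...'; keep the path part
            path = f.read().strip().split(":", 2)[2]
        with open(f"{cg}{path}/cpu.max") as f:
            print("cpu limit (cores):", parse_cpu_max(f.read()))
        with open(f"{cg}{path}/memory.max") as f:
            print("memory limit (bytes):", parse_memory_max(f.read()))
    except (OSError, IndexError) as e:
        print("no cgroup v2 limits readable for this process:", e)


if __name__ == "__main__":
    import sys
    report(int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid())
```

Run it on a node with the PID of a containerized process (`docker inspect -f '{{.State.Pid}}' <container>` is one way to find it) and the report shows the host's kernel release, six namespace types that differ from PID 1, and the cgroup limits the runtime applied. Run it inside the container with no argument and diff_namespaces reports nothing, because inside the container PID 1 is the container's own entrypoint and shares every namespace with the script.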

What You'll Learn

  • What containers actually are (spoiler: just processes)
  • The 7 Linux namespaces (mount, PID, network, IPC, UTS, user, cgroup) that make containers possible
  • The isolation spectrum: standard containers vs Kata vs gVisor vs VMs
  • Why Kubernetes uses Pods (not just containers)
  • The control loop — the heartbeat that makes everything work
  • Services, Deployments, and the complete mental model

Ready to see what's really happening when you run a container?
Let's start by looking inside the Linux kernel.

Built with React, TypeScript, and deep knowledge of Kubernetes internals.
Based on the principle that understanding beats memorization.