What is the core mental model of Kubernetes?

Declarative desired state plus controllers that continuously reconcile the actual state toward it. Most features are variations on that idea.

How should I set resource requests and limits?

From profiling: requests drive scheduling and guaranteed capacity; limits cap blast radius. Too high wastes cost and causes Pending; too low causes OOM kills.

When should a staff engineer avoid Kubernetes?

For small workloads where ECS, Fargate, or serverless deliver the same outcome with far less operational and cognitive complexity.

← Back to Writing

ArticleJune 20, 2026· 4 min read· Last updated June 20, 2026

Kubernetes Concepts Every Staff Engineer Should Understand

KubernetesStaff EngineerArchitectureCloud-Native EngineeringAWS

Diagram of staff-level Kubernetes concerns: reconciliation, multi-AZ pods, scaling, security, and managed databases

Summary

Beyond YAML: the reconciliation model, resource requests, failure design, security, scaling, and cost trade-offs that staff engineers are expected to reason about.

Short answer: At the staff level, Kubernetes is less about YAML and more about judgment: understanding the reconciliation model, designing for failure and scale, getting resource requests/limits right, securing workloads (RBAC, secrets, network policy), and knowing the cost and complexity trade-offs. You are expected to make architecture decisions, not just deploy.

Part 15 of the series. Previous: Why Pods Get Stuck in Pending.

Introduction

Junior engineers learn commands; staff engineers learn trade-offs. This article is the mental model I would want a senior or staff engineer on my team to carry — the concepts that show up in design reviews, incidents, and architecture decisions.

The problem

A team can "use Kubernetes" and still build something fragile and expensive: no resource limits, no probes, secrets in plain manifests, a single availability zone, and a cluster nobody understands during an incident. The gap between using Kubernetes and using it well is judgment.

The concepts that matter at staff level

1. Declarative reconciliation is the whole game. Everything is "desired state + a controller closing the gap." Once this clicks, custom controllers/operators and tools like ReplicaSets, HPA, and GitOps all become the same idea applied differently.

2. Requests and limits are an SLO and cost lever. Requests drive scheduling and guaranteed capacity; limits cap blast radius. Set them deliberately — too high wastes money and causes `Pending`; too low causes OOM kills and noisy-neighbor problems.

3. Design for failure. Spread Pods across availability zones and Nodes (anti-affinity, topology spread), set PodDisruptionBudgets, and assume any Node can vanish. Self-healing only helps if you gave it room to reschedule.

4. Security is layered. Use RBAC for least privilege, keep secrets out of manifests (Secrets Manager + IRSA), apply NetworkPolicies to limit east-west traffic, and run containers as non-root. In finance, this is table stakes, not optional.

5. Scaling has two axes. HPA scales Pods on metrics; Cluster Autoscaler/Karpenter scales Nodes. They must be configured together or one bottlenecks the other.

6. Stateful is harder than stateless. Prefer managed databases (RDS, DynamoDB) over self-hosting databases in-cluster unless you have a strong reason; StatefulSets and storage operations carry real operational weight.

Finance example

For a trading platform, staff-level decisions look like: run Trade and Risk APIs across three availability zones with anti-affinity so one zone outage cannot take the service down; use PodDisruptionBudgets so node upgrades never drop below quorum; keep broker keys in Secrets Manager via IRSA; isolate the payment namespace with NetworkPolicies; and put the order database in RDS rather than a self-managed StatefulSet. None of this is YAML trivia — it is risk management.

C# example

The application-side contract a staff engineer enforces across services: every service exposes health endpoints and fails fast on bad config, so the platform can manage it predictably.

app.MapGet("/healthz", () => Results.Ok());          // liveness
app.MapGet("/readyz", (IDependencies d) =>           // readiness
    d.AllReady ? Results.Ok() : Results.StatusCode(503));

// Fail fast: never start in a misconfigured state.
_ = builder.Configuration["Broker:ApiKey"]
    ?? throw new InvalidOperationException("Broker:ApiKey missing");

AWS example

On EKS the staff checklist includes: multi-AZ node groups, IRSA for all AWS access (zero static keys), Cluster Autoscaler/Karpenter sized for peak market hours, Container Insights for observability, and cost guardrails (right-sized requests, spot Nodes for non-critical workloads). The control plane is AWS's problem; everything above it is yours to design.

Architecture diagram

Production reality

The difference between a senior and a staff engineer is usually visible in the failure modes they design against:

The most expensive mistake is a cluster nobody owns. It works until an upgrade or incident, then becomes a multi-team scramble. Staff engineers insist on platform ownership, runbooks, and golden paths.
"It scaled fine in the demo" hides single-AZ risk. Without anti-affinity and topology spread, all replicas can land in one AZ, and one zone event is an outage. Design for the zone failure, not the happy path.
Default-open networking is a finding waiting to happen. Auditors will ask why the payments namespace is reachable from a dev tool. NetworkPolicies and least-privilege RBAC are baseline, not hardening.
Cost is an architecture concern. Right-sized requests, Spot for non-critical workloads, fewer multi-tenant clusters, and Karpenter are how staff engineers keep the AWS bill sane without sacrificing reliability.
Know when not to use Kubernetes. Choosing ECS, Fargate, or serverless for a small surface is a senior judgment call, not a failure.

AI Engineering connection

These same judgments govern AI platforms: where to put GPU node groups, how to isolate an experimental agent from production data, how to cap the cost of always-on model serving, and when a managed model API beats self-hosting. The reconciliation-plus-trade-offs mindset is exactly what you bring to running MCP servers and AI agents responsibly.

Interview questions

What is the core mental model of Kubernetes? Declarative desired state plus controllers that continuously reconcile actual state toward it.
How do you decide resource requests and limits? From profiling: requests for guaranteed scheduling, limits to cap blast radius; balance reliability against cost.
How do you design a service to survive a zone failure? Spread replicas across AZs with anti-affinity/topology spread and protect rollouts with PodDisruptionBudgets.
How do you secure workloads? RBAC least privilege, secrets via Secrets Manager/IRSA, NetworkPolicies, non-root containers.
When would you avoid Kubernetes? For small workloads where ECS/Fargate or serverless deliver the same outcome with far less complexity.

Key takeaways

Staff-level Kubernetes is judgment and trade-offs, not command memorization.
Internalize reconciliation; set requests/limits deliberately.
Design for failure, scale (Pods and Nodes), and security from day one.
Prefer managed state (RDS) and know when not to use Kubernetes.

Next: Running MCP Servers on Kubernetes — applying all of this to AI infrastructure. Previous: Why Pods Get Stuck in Pending.

Frequently asked questions

What is the core mental model of Kubernetes?: Declarative desired state plus controllers that continuously reconcile the actual state toward it. Most features are variations on that idea.
How should I set resource requests and limits?: From profiling: requests drive scheduling and guaranteed capacity; limits cap blast radius. Too high wastes cost and causes Pending; too low causes OOM kills.
When should a staff engineer avoid Kubernetes?: For small workloads where ECS, Fargate, or serverless deliver the same outcome with far less operational and cognitive complexity.