Every kubectl apply command triggers a complex journey through authentication, authorization, admission controllers, and etcd, but most engineers never see what happens behind the scenes.
This session explores how the Kubernetes API processes requests from initial submission to final storage.
We'll trace the complete path of an API request through authentication plugins, RBAC authorization, mutating and validating admission controllers, and finally to the resource handlers that persist objects in etcd.
You'll learn how the API aggregator enables extensions like the metrics server and how kubectl discovers available resources through the API.
In the second part, we'll examine Server-Side Apply (SSA), introduced in Kubernetes v1.18.
We'll compare the three client-side patch strategies (Strategic Merge, JSON Merge, and JSON Patch) with SSA's field-level ownership model.
Through practical examples, you'll understand how SSA manages field ownership, detects conflicts between multiple writers (GitOps tools, operators, controllers), and enables safer collaborative resource management.
Topics covered include:
- API request flow: discovery, authentication, authorization, admission control
- How RBAC rules and admission webhooks protect cluster resources
- Client-side vs server-side patching mechanisms
- Field ownership and conflict resolution in SSA
- Practical patterns for multi-writer scenarios
- Debugging patch conflicts and GitOps synchronization issues
👤 Who is this for? DevOps engineers, SREs, platform engineers, and software developers looking to strengthen their Kubernetes knowledge.
🧑🏻‍🏫 Who is the speaker? Daniele is an instructor at Learnk8s, teaching Kubernetes and containers to small and large enterprises.