What happens when you kubectl apply?
Presented at Cloud Native Wermland meetup, May 2026.
A live trace of one Pod, from keystroke to running process. This talk follows
a single kubectl apply -f pod.yaml all the way down the stack: through the
apiserver, etcd, the scheduler, the kubelet, containerd, runc, and CNI — until
a humble sleep is finally executing inside its own cgroup and network
namespace.
The demo uses four tmux panes side by side: the top row shows the
Kubernetes view (kubectl, kubelet logs), the bottom row shows the Linux
view (cgroup slices, bpftrace kernel execs).
Key Topics Covered
- The pod sandbox: why every Pod has a pause container holding the network and IPC namespaces open
- What each layer does: containerd, containerd-shim, runc, pause
- cgroups for resource accounting vs. namespaces for isolation
- CNI plugin creating the veth pair, assigning the IP, adding the route
- App container start: runc reusing the existing sandbox, the command execs