So you type `kubectl run nginx --image nginx`. One line, one pod. About a second later on a warm cluster, the pod is Running. But what actually happens behind the scenes? Let us walk through it, step by step.

%[ https://www.youtube.com/watch?v=LLuUhU3SwJo&t=4s ]

TL;DR, the 23 steps

1. kubectl parses argv and builds a minimal Pod object.
2. It reads `~/.kube/config` for cluster, user, and context.
3. A TCP connection is opened to the API server.
4. TLS 1.3 negotiates keys in one round trip with mutual cert auth.
5. kubectl sends `POST /api/v1/namespaces/default/pods` with a JSON body over HTTP/2.
6. The API server authenticates the caller (x509, bearer token, OIDC, or webhook).
7. It authorizes the request against RBAC. Can this user create pods in `default`?
8. Mutating admission runs. ServiceAccount injects a projected token volume, LimitRanger fills in default requests and limits, and so on.…
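The RBAC question in the list above ("Can this user create pods in default?") can be modeled in a few lines. This is an added example, not code from the original post or from Kubernetes; the users, role names, and dict layout are constructed, and ServiceAccount subjects, `resourceNames`, and non-resource URLs are left out.

```python
# Simplified model of the RBAC authorizer's decision for one API request.
# Assumption: roles and bindings are plain dicts built for this example.
from collections import namedtuple

# "" as api_group is the core group, which is where pods live.
Attrs = namedtuple("Attrs", "user groups verb api_group resource namespace")

def _match(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, a):
    return (_match(rule["verbs"], a.verb)
            and _match(rule["apiGroups"], a.api_group)
            and _match(rule["resources"], a.resource))

def subject_matches(subject, a):
    if subject["kind"] == "User":
        return subject["name"] == a.user
    if subject["kind"] == "Group":
        return subject["name"] in a.groups
    return False

def authorize(a, roles, bindings):
    """RBAC is additive: allow if any bound rule matches; there are no deny rules."""
    for b in bindings:
        # A RoleBinding grants only inside its own namespace; a
        # ClusterRoleBinding (namespace None here) grants in every namespace.
        if b["namespace"] not in (None, a.namespace):
            continue
        if not any(subject_matches(s, a) for s in b["subjects"]):
            continue
        if any(rule_allows(r, a) for r in roles[b["roleRef"]]):
            return True
    return False  # no matching rule: the request is not authorized by RBAC

# Constructed sample policy.
ROLES = {
    "pod-creator": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get", "list"]}],
    "deploy-viewer": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"namespace": "default", "roleRef": "pod-creator", "subjects": [{"kind": "User", "name": "alice"}]},
    {"namespace": None, "roleRef": "deploy-viewer", "subjects": [{"kind": "Group", "name": "devs"}]},
]

def can_create_pod(user, groups, namespace):
    return authorize(Attrs(user, tuple(groups), "create", "", "pods", namespace), ROLES, BINDINGS)
```

On a live cluster, `kubectl auth can-i create pods -n default` asks the API server the same question for the current identity.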