Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Master Kubernetes StatefulSets: Deploy & Manage Apps.

Introduction

Deploying stateless applications in Kubernetes is a breeze. You define a Deployment, specify your replica count, and Kubernetes handles the rest, scaling pods up and down, restarting failed instances, and distributing traffic effortlessly. But what happens when your application needs persistent storage, unique network identities, and ordered startup/shutdown? This is where traditional Deployments fall short, leading to data loss, inconsistent behavior, and operational headaches for stateful workloads like databases, message queues, and distributed key-value stores.

Enter Kubernetes StatefulSets. Designed specifically for stateful applications, StatefulSets provide a robust mechanism to manage a set of pods that require stable, unique network identifiers, persistent storage, and ordered, graceful deployment and scaling. They ensure that even when pods are rescheduled or restarted, their associated storage and identity remain intact, making them indispensable for critical data-centric services. In this comprehensive guide, we’ll dive deep into StatefulSets, exploring their core features, best practices, and how to effectively deploy and manage your stateful applications on Kubernetes.

TL;DR: Kubernetes StatefulSets Essentials

StatefulSets are crucial for stateful applications in Kubernetes, offering stable network identities, persistent storage, and ordered operations. Here’s what you need to know:

  • Stable Identity: Each Pod gets a unique, sticky identity (e.g., web-0, web-1) that persists across rescheduling.
  • Persistent Storage: Automatically provisions PersistentVolumeClaims (PVCs) for each Pod, ensuring data durability.
  • Ordered Operations: Guarantees ordered startup, shutdown, and scaling (e.g., web-0 starts before web-1).
  • Headless Service: Often paired with a Headless Service for stable network identities and direct Pod communication.

Key Commands:


# Apply a StatefulSet manifest
kubectl apply -f my-statefulset.yaml

# Check StatefulSet status
kubectl get statefulset my-statefulset

# Check Pods managed by the StatefulSet
kubectl get pods -l app=my-statefulset

# Scale a StatefulSet
kubectl scale statefulset my-statefulset --replicas=3

# Delete a StatefulSet (careful with data!)
kubectl delete statefulset my-statefulset

# Delete a StatefulSet without deleting its PVCs
kubectl delete statefulset my-statefulset --cascade=orphan

Prerequisites

Before you embark on your StatefulSet journey, ensure you have the following:

  • Kubernetes Cluster: A running Kubernetes cluster (local like Minikube/Kind, or cloud-based like EKS, GKE, AKS). We’ll assume a basic cluster is already set up.
  • kubectl: The Kubernetes command-line tool, configured to connect to your cluster. You can find installation instructions in the official Kubernetes documentation.
  • Basic Kubernetes Knowledge: Familiarity with core Kubernetes concepts such as Pods, Deployments, Services, and PersistentVolumes/PersistentVolumeClaims.
  • Storage Class: Your cluster must have at least one StorageClass configured, which is essential for dynamic provisioning of PersistentVolumes. You can check available StorageClasses with kubectl get storageclass.

Step-by-Step Guide: Deploying a Stateful Application with StatefulSets

Step 1: Understanding the StatefulSet Components

A StatefulSet doesn’t operate in isolation. It typically works in conjunction with a Headless Service to provide stable network identities and PersistentVolumeClaims for durable storage. We’ll start by defining these components.


# headless-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-headless
  labels:
    app: nginx-statefulset
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None # This makes it a Headless Service
  selector:
    app: nginx-statefulset
---
# statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: "nginx-headless" # Must match the Headless Service name
  replicas: 2
  selector:
    matchLabels:
      app: nginx-statefulset
  template:
    metadata:
      labels:
        app: nginx-statefulset
    spec:
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates: # Defines PVCs for each Pod
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: standard # Replace with your cluster's StorageClass
      resources:
        requests:
          storage: 1Gi

In this example, we’re defining a simple Nginx StatefulSet. The nginx-headless Service is crucial because its clusterIP: None configuration tells Kubernetes not to assign a ClusterIP, but instead to return the IPs of the Pods in the set directly. This allows each Pod to have a stable and predictable DNS entry (e.g., web-0.nginx-headless.default.svc.cluster.local, web-1.nginx-headless.default.svc.cluster.local). The volumeClaimTemplates section is where the magic happens for storage. For each replica, Kubernetes will dynamically provision a PersistentVolumeClaim (and an underlying PersistentVolume) based on this template, ensuring each Pod gets its own durable storage.

Verify

Save the above YAML as nginx-statefulset.yaml and apply it:


kubectl apply -f nginx-statefulset.yaml

You should see output similar to:


service/nginx-headless created
statefulset.apps/web created

Step 2: Observing StatefulSet Pods and Their Identities

Once the StatefulSet is applied, Kubernetes will begin creating the Pods in an ordered fashion. You’ll notice unique, stable names for each Pod and their associated PersistentVolumeClaims.


kubectl get pods -l app=nginx-statefulset

Expected Output:


NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   0          2m
web-1   1/1     Running   0          1m

Notice the Pods are named web-0 and web-1. This ordinal index is a key feature of StatefulSets, providing a stable, unique identity. If a Pod fails and is recreated, it will retain its original ordinal and associated storage.

Now, let’s look at the PersistentVolumeClaims created:


kubectl get pvc -l app=nginx-statefulset

Expected Output:


NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
www-web-0   Bound    pvc-12345678-abcd-1234-abcd-1234567890ab   1Gi        RWO            standard       2m
www-web-1   Bound    pvc-98765432-efgh-9876-efgh-9876543210ef   1Gi        RWO            standard       1m

Each Pod (web-0, web-1) has its own dedicated PersistentVolumeClaim (www-web-0, www-web-1), ensuring data isolation and persistence.

Step 3: Testing Stable Network Identity

The Headless Service enables direct communication with individual StatefulSet Pods using their stable DNS names.


# Create a temporary Pod to test DNS resolution
kubectl run -it --rm --restart=Never busybox --image=busybox:1.28 -- sh

Once inside the busybox pod, run:


nslookup web-0.nginx-headless

Expected Output (IP addresses will vary):


Name:      web-0.nginx-headless.default.svc.cluster.local
Address 1: 10.42.0.5

Then try connecting to it:


wget -O- web-0.nginx-headless

You should get the default Nginx welcome page HTML. This demonstrates that web-0 has a stable, resolvable network identity. Exit the busybox pod when done.

Step 4: Scaling a StatefulSet

Scaling a StatefulSet is similar to Deployments but adheres to the ordered guarantees. When scaling up, new Pods are created sequentially; when scaling down, Pods are terminated in reverse ordinal order.


kubectl scale statefulset web --replicas=3

Monitor the Pods:


kubectl get pods -l app=nginx-statefulset -w

You’ll observe that web-2 is created after web-1 is fully running and ready.


NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   0          5m
web-1   1/1     Running   0          4m
web-2   0/1     Pending   0          0s
web-2   0/1     ContainerCreating   0          0s
web-2   1/1     Running   0          10s

Check the new PVC:


kubectl get pvc -l app=nginx-statefulset

Expected Output:


NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
www-web-0   Bound    pvc-12345678-abcd-1234-abcd-1234567890ab   1Gi        RWO            standard       5m
www-web-1   Bound    pvc-98765432-efgh-9876-efgh-9876543210ef   1Gi        RWO            standard       4m
www-web-2   Bound    pvc-abcdef01-1234-5678-90ab-cdef01234567   1Gi        RWO            standard       1m

Now, let’s scale down to 1 replica:


kubectl scale statefulset web --replicas=1

Monitor the Pods:


kubectl get pods -l app=nginx-statefulset -w

You’ll see web-2 terminated first, followed by web-1, leaving only web-0.


NAME    READY   STATUS        RESTARTS   AGE
web-0   1/1     Running       0          7m
web-1   1/1     Running       0          6m
web-2   1/1     Terminating   0          3m
web-2   0/1     Terminating   0          3m
web-2   0/1     Terminating   0          3m
web-2   0/1     Terminating   0          3m
web-1   1/1     Terminating   0          6m
web-1   0/1     Terminating   0          6m
web-1   0/1     Terminating   0          6m
web-1   0/1     Terminating   0          6m

Crucially, scaling down a StatefulSet does not delete the associated PersistentVolumeClaims. This is a safety mechanism to prevent accidental data loss. You must manually delete the PVCs if you no longer need the data. This behavior is a key difference from Deployments and requires careful management.

Step 5: Updating a StatefulSet

StatefulSets support rolling updates, similar to Deployments. You can change the image, environment variables, or other pod template specifications. By default, StatefulSets use RollingUpdate strategy.

Let’s update our Nginx image to a different version:


# statefulset-update.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: "nginx-headless"
  replicas: 2 # Scale back to 2 for the update
  selector:
    matchLabels:
      app: nginx-statefulset
  template:
    metadata:
      labels:
        app: nginx-statefulset
    spec:
      containers:
      - name: nginx
        image: nginx:1.21.6 # Updated image version
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: standard
      resources:
        requests:
          storage: 1Gi

Apply the updated manifest:


kubectl apply -f statefulset-update.yaml

Monitor the rollout status:


kubectl rollout status statefulset/web

Expected Output:


Waiting for 2 pods to be ready...
statefulset "web" successfully rolled out

During a rolling update, Pods are updated in reverse ordinal order (e.g., web-1 then web-0). Each Pod is terminated and recreated with the new configuration, ensuring that the older Pod is fully terminated and its replacement is ready before the next Pod starts updating. This ordered update minimizes disruption to stateful applications.

You can verify the image version of the running Pods:


kubectl get pods -l app=nginx-statefulset -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}{end}'

Expected Output:


web-0    nginx:1.21.6
web-1    nginx:1.21.6

Production Considerations

Deploying StatefulSets in production requires careful planning beyond just the basic YAML. Here are critical aspects to consider:

  1. StorageClass Selection:

    Choose an appropriate StorageClass that meets your application’s performance (IOPS, throughput) and durability requirements. For critical databases, consider high-performance SSD-backed storage classes. Understand the underlying storage provider’s capabilities (e.g., AWS EBS, GCP Persistent Disk, Azure Disk Storage). For enhanced data security and resilience, explore options like Longhorn or Ceph for distributed storage solutions within your cluster.

  2. PersistentVolumeClaim (PVC) Management:

    Remember that PVCs are not automatically deleted when a StatefulSet scales down or is deleted (unless you use --cascade=orphan on deletion or set volumeClaimTemplates‘s spec.persistentVolumeReclaimPolicy to Delete, which is often not recommended for critical data). Implement a clear strategy for managing PVC lifecycles. This often involves manual deletion or automated scripts for cleanup to prevent orphaned volumes and associated costs. For advanced cost optimization strategies, consider tools like Karpenter for node management, which can indirectly impact storage costs by optimizing node utilization.

  3. Backup and Restore Strategy:

    Persistent storage is only half the battle. A robust backup and restore strategy is paramount for disaster recovery. Tools like Velero can back up Kubernetes resources, including PVCs, to object storage. For databases, consider application-specific backup tools that can perform consistent snapshots or logical backups.

  4. Resource Limits and Requests:

    Define accurate CPU and memory requests and limits for your Pods. This is crucial for performance, stability, and efficient scheduling. Undefined limits can lead to resource contention and unstable applications, while over-provisioning wastes resources.

  5. Readiness and Liveness Probes:

    Implement readiness and liveness probes to ensure your application is truly healthy and ready to serve traffic. For stateful applications, readiness probes should check database connections, data integrity, or other application-specific health indicators before marking a Pod as ready.

  6. Network Policies:

    Secure your stateful applications using Kubernetes Network Policies. Restrict ingress and egress traffic to only necessary components. For example, a database StatefulSet should only accept connections from application Pods, not from external sources directly. Advanced CNI solutions like Cilium with WireGuard encryption can provide even finer-grained network control and secure communication channels.

  7. Monitoring and Observability:

    Comprehensive monitoring is non-negotiable. Collect metrics (Prometheus, Grafana), logs (Fluentd, ELK stack, Loki), and traces (Jaeger, Zipkin) from your StatefulSet Pods. Monitor storage utilization, IOPS, and application-specific metrics. Tools leveraging eBPF, such as eBPF Observability with Hubble, can provide deep insights into network and application performance without modifying your application code.

  8. Configuration Management:

    Manage application configurations using ConfigMaps and Secrets. For sensitive data, always use Secrets and consider external secret management solutions like HashiCorp Vault or cloud provider secret stores.

  9. Security Contexts:

    Apply Security Contexts to restrict container privileges, such as running as a non-root user, dropping unnecessary capabilities, and enforcing SELinux/AppArmor profiles, enhancing the overall security posture.

  10. Service Mesh Integration:

    For complex stateful applications that require advanced traffic management, security, and observability features, consider integrating a service mesh like Istio Ambient Mesh. This can provide features like mTLS, fine-grained traffic routing, and advanced circuit breaking for your stateful services.

Troubleshooting StatefulSets

StatefulSets can be tricky. Here are common issues and their solutions:

  1. Pods Stuck in Pending State

    Problem: Your StatefulSet Pods remain in the Pending state and don’t start.

    Likely Cause: This almost always indicates an issue with PersistentVolumeClaim provisioning or scheduling.

    Solution:

    • Check PVCs: 
      
kubectl describe pvc www-web-0

      Look for events indicating why the PVC isn’t binding (e.g., no StorageClass, insufficient capacity, StorageClass not found).

    • Check StorageClass: Ensure your cluster has a default StorageClass or that the one specified in your volumeClaimTemplates exists and is healthy. 
      
kubectl get storageclass
    • Check Events: 
      
kubectl describe pod web-0

      Look for scheduler events that might indicate resource constraints (CPU, memory) or other scheduling failures.

  2. StatefulSet Pods Not Starting in Order

    Problem: You expect web-0 to be ready before web-1 starts, but they seem to be starting out of order or concurrently.

    Likely Cause: Misconfiguration of the Headless Service or readiness probes.

    Solution:

    • Verify Headless Service: Ensure the serviceName in your StatefulSet matches the name of a Headless Service (clusterIP: None). StatefulSets rely on this service for ordered creation. 
      
kubectl get service nginx-headless -o yaml | grep clusterIP

      It should output clusterIP: None.

    • Implement Robust Readiness Probes: Without a proper readiness probe, Kubernetes might consider a Pod “ready” even if the application inside isn’t fully initialized. Ensure your probes accurately reflect application readiness.
  3. Data Loss on StatefulSet Deletion

    Problem: You deleted a StatefulSet, and now your data is gone.

    Likely Cause: Accidental deletion of PVCs or not understanding the cascade deletion behavior.

    Solution:

    • Understand PVC Reclaim Policy: By default, dynamically provisioned PVs have a Delete reclaim policy. If you delete the PVC, the PV (and thus the underlying storage) will also be deleted. For critical data, consider a Retain policy on the StorageClass, but this requires manual PV cleanup.
    • --cascade=orphan: When deleting a StatefulSet, use kubectl delete statefulset --cascade=orphan to prevent the associated Pods (and thus their volume mounts to PVCs) from being deleted immediately. You can then manage the PVCs manually.
    • Backup Strategy: As mentioned in Production Considerations, always have a robust backup strategy in place.
  4. Application Not Accessible via Service

    Problem: Your StatefulSet Pods are running, but you can’t access your application using a regular ClusterIP Service.

    Likely Cause: Misunderstanding how StatefulSet Pods are exposed, especially with a Headless Service.

    Solution:

    • Headless Service for Direct Access: The Headless Service (e.g., nginx-headless) is for direct Pod-to-Pod communication or for clients that need to resolve individual Pod IPs. Use web-0.nginx-headless, web-1.nginx-headless, etc.
    • ClusterIP Service for Load Balancing: If you need a single, stable IP to load balance traffic across your StatefulSet Pods (like a database cluster where any node can serve reads), you need a separate ClusterIP Service that selects the same Pods. 
      
apiVersion: v1
kind: Service
metadata:
  name: my-app-service
spec:
  selector:
    app: nginx-statefulset # Matches StatefulSet Pod labels
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: ClusterIP # Or LoadBalancer for external access
  5. Slow Rolling Updates

    Problem: Rolling updates for your StatefulSet take an excessively long time.

    Likely Cause: Aggressive terminationGracePeriodSeconds, slow application shutdown, or insufficient resources.

    Solution:

    • Optimize Application Shutdown: Ensure your application can gracefully shut down quickly. Handle SIGTERM signals to release resources and connections.
    • Adjust terminationGracePeriodSeconds: If your application needs more time to shut down, increase this value in the Pod template, but be mindful of the impact on update speed. 
      
spec:
  template:
    spec:
      terminationGracePeriodSeconds: 30 # Default is 30 seconds
      containers:
      # ...
    • Check Readiness Probes: Ensure your new Pods become ready quickly. A slow startup or readiness check will delay the rollout.
    • Resource Availability: Ensure sufficient cluster resources (nodes, IP addresses) for new Pods to start while old ones are still running during the update.
  6. Pods Enter CrashLoopBackOff After Restart/Update

    Problem: Pods fail to start after an update or node failure, repeatedly crashing.

    Likely Cause: Data corruption, incompatible application version with existing data, or incorrect configuration related to persistent storage.

    Solution:

    • Check Logs: 
      
kubectl logs web-0
kubectl describe pod web-0

      Look for application errors, database connection failures, or issues accessing the mounted volume.

    • Inspect Volume Contents: If possible, exec into a healthy Pod or temporarily mount the PVC to a debug Pod to inspect the data on the PersistentVolume. 
      
kubectl exec -it web-0 -- ls /usr/share/nginx/html
    • Version Compatibility: Ensure the new application version is compatible with the data format stored on the existing PersistentVolume. Database upgrades often require specific migration steps.
    • Rollback: If an update caused the issue, consider rolling back to the previous stable version. 
      
kubectl rollout undo statefulset/web

FAQ Section

  1. What’s the main difference between a Deployment and a StatefulSet?

    The core difference lies in how they handle identity and state. Deployments manage stateless applications; their Pods are interchangeable, and their storage is ephemeral. StatefulSets manage stateful applications, providing stable, unique network identities (e.g., web-0, web-1), ordered deployment/scaling, and persistent storage via PersistentVolumeClaims that stick with individual Pods even if they are rescheduled. For more on networking, see our guide on Kubernetes Gateway API vs Ingress.

  2. When should I use a StatefulSet over a Deployment?

    You should use a StatefulSet when your application requires:

    • Stable, unique network identifiers (e.g., for a clustered database where nodes need to find each other by name).
    • Persistent, unique storage for each replica.
    • Ordered, graceful deployment, scaling, and termination (e.g., ensuring a primary database node is up before secondaries, or draining traffic before shutting down).

    Common use cases include databases (MySQL, PostgreSQL, MongoDB, Cassandra), message queues (Kafka, RabbitMQ), and distributed key-value stores (ZooKeeper, etcd).

  3. How do StatefulSets provide stable network identity?

    StatefulSets achieve stable network identity by partnering with a Headless Service (a Service with clusterIP: None). This service doesn’t get a single ClusterIP but instead returns the IP addresses of all Pods directly. Coupled with the StatefulSet’s ordered naming convention (-), each Pod gets a stable DNS entry like ...svc.cluster.local (e.g., web-0.nginx-headless.default.svc.cluster.local).

  4. Do I need to manually create PersistentVolumeClaims (PVCs) for a StatefulSet?

    No, you don’t. StatefulSets use volumeClaimTemplates to automatically provision a PersistentVolumeClaim for each replica. Kubernetes then uses a StorageClass to dynamically provision a PersistentVolume for each PVC. This ensures each Pod gets its own dedicated, persistent storage.

  5. What happens to the data if I delete a StatefulSet?

    By default, when you delete a StatefulSet, its associated Pods are terminated, but the PersistentVolumeClaims (and thus the underlying PersistentVolumes) are not deleted. This is a safety mechanism to prevent accidental data loss. You must manually delete the PVCs if you want to remove the data. If you need to delete the StatefulSet and its associated PVCs, you need to first delete the StatefulSet, then delete the PVCs. Alternatively, you can use kubectl delete statefulset --cascade=orphan to leave the Pods running after the StatefulSet is deleted, allowing you to manually drain and delete them, and then deal with the PVCs.

Cleanup Commands

To clean up the resources created in this tutorial, follow these steps:

First, delete the StatefulSet. Remember that this will terminate the Pods, but the PersistentVolumeClaims will remain.


kubectl delete statefulset web

Expected Output:


statefulset.apps "web" deleted

Next, delete the Headless Service:


kubectl delete service nginx-headless

Expected Output:


service "nginx-headless" deleted

Finally, and most importantly for stateful applications, you must manually delete the PersistentVolumeClaims if you no longer need the data. Be absolutely sure you want to delete them, as this will result in data loss.


kubectl get pvc -l app=nginx-statefulset

Example Output (your PVC names might vary):


NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
www-web-0   Bound    pvc-12345678-abcd-1234-abcd-1234567890ab   1Gi        RWO            standard       15m
www-web-1   Bound    pvc-98765432-efgh-9876-efgh-9876543210ef   1Gi        RWO            standard       14m

Now, delete them:


kubectl delete pvc www-web-0 www-web-1

Expected Output:


persistentvolumeclaim "www-web-0" deleted
persistentvolumeclaim "www-web-1" deleted

Next Steps / Further Reading

You’ve successfully deployed

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *