Plain-English Glossary
Every piece of jargon in this guide, explained the way you’d explain it to a friend.
No prior knowledge assumed. If a word in another chapter confused you, it’s here.
Terms are grouped so related ideas sit together.
The big building blocks

| Term | What it actually means |
|---|---|
| Container | A lightweight box that holds one app and everything it needs to run, isolated from the rest of the machine. Like a shipping container: standardized, sealed, movable. One caveat: every container shares the host's kernel, which is why the sandboxes in the isolation section exist. |
| Image | The frozen blueprint a container is started from — the app plus its files. You “pull” an image and “run” it as a container. |
| Kubernetes (k8s) | The software that runs and babysits lots of containers across one or more machines — starting them, restarting crashes, networking them together. Think “air-traffic control for containers.” |
| k3s | A small, single-binary distribution of Kubernetes, perfect for one machine or a Raspberry Pi. Same ideas, far less weight. The star of this guide. |
| Pod | The smallest unit Kubernetes runs: one (or a few tightly-coupled) containers sharing one IP address and network namespace. You don’t run containers directly; you run pods. |
| Node | A machine (physical or virtual) that Kubernetes runs pods on. Our cluster is mostly one node. |
| Cluster | The whole Kubernetes system — all the nodes and everything running on them — treated as one. |
| kubectl | The command-line remote control for the cluster. You type `kubectl ...` to ask Kubernetes to do things. Pronounced “cube-cuttle” or “cube-control.” |
| Manifest | A YAML text file describing something you want Kubernetes to create (a pod, a rule, a volume). You “apply” manifests. |
| Helm | A package manager for Kubernetes — installs complex apps (like the monitoring stack) from a “chart” with one command. |
Security ideas

| Term | What it actually means |
|---|---|
| Defense-in-depth | Using many independent layers of protection so one failure isn’t fatal. The core idea of this whole guide. |
| Assume breach | Designing as if attackers will get in, and making sure that when they do, they’re trapped and spotted. |
| Least privilege | Giving every person, app, and connection the minimum access it needs and nothing more. |
| Default-deny | Blocking everything by default and only opening exactly what you choose. The opposite of leaving doors open “just in case.” |
| Attack surface | The total set of entry points an attacker could try: open ports, exposed APIs, installed software, credentials lying around. Smaller is safer; much of hardening is shrinking it. |
| Hardening | The act of making a system more secure — closing doors, tightening settings, removing what isn’t needed. |
| Blast radius | How much damage a single compromise can do. We design to keep it tiny. |
| Zero-trust | Trust nothing automatically — not even things “inside” the network. Verify every connection every time, based on who is asking, not on where the traffic comes from. |
| Threat model | An honest description of who might attack you, what they want, and how they could get it, used to decide what to defend and what to skip. |
Isolation & the runtime

| Term | What it actually means |
|---|---|
| Virtual machine (VM) | A whole fake computer running inside a real one, with its own kernel. Strong isolation: software in the VM can’t easily touch the real machine. |
| Hypervisor / KVM | The software that runs virtual machines. KVM is the one built into Linux. |
| Immutable OS | An operating system whose core files are read-only and can’t be changed while running (e.g. Talos, Flatcar). Tampering simply doesn’t stick across a reboot. |
| Sandbox | An extra cage around a container so that even if the app is hacked, it can’t reach the real system. |
| gVisor | A sandbox that puts a tiny fake “kernel” between the container and the real one, intercepting its system calls. Stops most container escapes, at some cost in speed and compatibility. |
| Kata Containers | A sandbox that wraps each pod in its own tiny virtual machine for hardware-level isolation. Stronger, but needs hardware virtualization (VT-x or AMD-V, or nested virtualization if the node is itself a VM). |
| Runtime | The lower-level software that actually starts and runs containers (here, containerd). A pod's “runtime class” picks which sandbox, if any, it runs under. |
| seccomp | A Linux feature that limits which low-level system calls a program may make — a short, safe menu instead of the whole kitchen. |
| Capabilities | Fine-grained slices of “root” power (bind a low port, change file ownership, load a kernel module). We drop all of them by default so containers run with the bare minimum. |
| User namespace | A trick that makes “root” inside a container map to an unprivileged user outside it. Root in the box ≠ root on the machine. |
| Distroless | A container image stripped down to just your app and its runtime libraries — no shell, no package manager, almost nothing for an attacker to use once inside. |
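The isolation knobs in this table all land on a pod as fields of its manifest. Here is an added example (not a manifest from the guide) of one pod that turns them all on at once. It assumes a RuntimeClass named `gvisor` has been registered on the cluster, a namespace called `apps`, and a distroless image at `registry.example.internal/worker:1.0`; all three are placeholders.

```yaml
# Added example, not from the guide. "gvisor", "apps" and the image name are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: worker
  namespace: apps
  labels:
    app: worker
spec:
  runtimeClassName: gvisor            # sandbox: run this pod under gVisor (assumed RuntimeClass)
  hostUsers: false                    # user namespace: root inside is not root outside
                                      # (needs the UserNamespacesSupport feature gate and a
                                      #  containerd that supports it; drop the line if yours doesn't)
  automountServiceAccountToken: false # no cluster API token unless the app really needs one
  securityContext:
    runAsNonRoot: true                # refuse to start if the image would run as uid 0
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault            # seccomp: containerd's default short menu of syscalls
  containers:
    - name: app
      image: registry.example.internal/worker:1.0   # assumed distroless image
      securityContext:
        allowPrivilegeEscalation: false             # no setuid tricks to climb back up
        readOnlyRootFilesystem: true                # an intruder can't drop tools into the image
        capabilities:
          drop: ["ALL"]                             # drop every slice of root power
      volumeMounts:
        - name: scratch
          mountPath: /tmp
  volumes:
    - name: scratch
      emptyDir: {}                    # ephemeral scratch space that dies with the pod
```

Apply it with `kubectl apply -f` and check the result with `kubectl get pod worker -n apps -o yaml`: if the `hostUsers` line has silently disappeared, your cluster does not support user namespaces yet and only the other layers are protecting you.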
Networking

| Term | What it actually means |
|---|---|
| CNI | “Container Network Interface” — the plug-in that gives pods their networking. We use Cilium. |
| Cilium | A modern, fast networking layer built on eBPF that also enforces network policies and can encrypt pod-to-pod traffic. |
| eBPF | A way to safely run tiny custom programs inside the Linux kernel. Powers our networking and our security sensor. Think “programmable kernel superpowers.” |
| Network policy | A firewall rule for pods: who may talk to whom, on which ports. Without any policy, every pod can talk to every other pod, so ours start as deny-all. |
| WireGuard | A simple, fast, modern VPN. We use it both to encrypt pod traffic and as the only way you remotely reach the cluster. |
| Ingress / Egress | Traffic coming in to a pod or the cluster (ingress) and going out (egress). We control both tightly. |
| FQDN | “Fully-qualified domain name” — a full hostname like api.github.com. Cilium can allow egress to specific FQDNs only; it watches DNS answers to learn which IPs those names currently have. |
| nftables | The Linux host firewall we configure to deny-all except the WireGuard port. |
| Hubble | Cilium’s companion that lets you see every network connection in the cluster, live, including the ones a policy just dropped. |
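To make “deny-all, then open exactly what you choose” concrete, here is an added example (not from the guide) of the two manifests that do it for one namespace. The first is a plain Kubernetes NetworkPolicy that blocks all ingress and egress for every pod in the namespace; the second is a CiliumNetworkPolicy that lets pods labelled `app=worker` resolve names through the cluster DNS and reach only `api.github.com` on port 443. The namespace `apps` and the label `app: worker` are assumed; the `k8s-app: kube-dns` label is the one k3s puts on its CoreDNS pods.

```yaml
# Added example, not from the guide. Namespace "apps" and label app=worker are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: apps
spec:
  podSelector: {}                       # every pod in the namespace
  policyTypes: ["Ingress", "Egress"]    # both directions selected, no rules listed: nothing allowed
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: worker-egress-github
  namespace: apps
spec:
  endpointSelector:
    matchLabels:
      app: worker
  egress:
    # 1. DNS to CoreDNS in kube-system, so names resolve and Cilium can learn the answers
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"       # Cilium inspects every answer to build the FQDN allow-list
    # 2. HTTPS to one FQDN only; any other destination is still denied by the policy above
    - toFQDNs:
        - matchName: "api.github.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Order matters in practice: apply the deny-all first, then the allow rules, and use `hubble observe --namespace apps --verdict DROPPED` to see what the pod tried to reach that you have not opened yet.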
Storage

| Term | What it actually means |
|---|---|
| Volume | Storage attached to a pod. Without one, anything a container writes to its own filesystem vanishes when it restarts. |
| Persistent volume (PV/PVC) | Storage that survives restarts and reschedules. A “PVC” (claim) is your request for some; a “PV” is the actual storage granted to meet it. |
| Ephemeral storage | Scratch space that’s meant to disappear when the pod stops — temporary by design. |
| Object storage / S3 | Storage for whole files (“objects”) reached over a web API, ideal for backups and large blobs. “S3” is Amazon’s service; its API became the de-facto standard that other object stores speak. |
| Garage | The lightweight S3-compatible object store we run on the USB drive. |
| Longhorn / TopoLVM | Tools that hand out persistent volumes to pods, with encryption. Longhorn for capable machines (it replicates volumes over the network), TopoLVM for tiny ones (it carves local LVM volumes). |
| LUKS2 | The standard Linux disk-encryption format (version 2). Scrambles everything on the USB drive so a stolen drive is unreadable without the key. |
| TPM | A small security chip that can hold an encryption key and release it only if the machine booted the firmware, bootloader and kernel it was sealed against. A tampered boot, or the drive moved to another machine, stays locked. |
Watching & trust

| Term | What it actually means |
|---|---|
| Observability | Being able to see what a system is doing from the outside — through metrics, logs, and traces. |
| Prometheus / Grafana | Prometheus collects numbers (metrics) over time; Grafana draws them as dashboards. |
| Loki | A log database — keeps the text messages your apps and the system produce, searchable. |
| Falco / Tetragon | Security sensors that watch the kernel live and alert (or act) when something behaves like an attack: a shell spawning in a distroless container, a process reading /etc/shadow, an unexpected outbound connection. |
| Trivy | A scanner that checks your images and cluster for known vulnerabilities and misconfigurations. |
| Audit log | The cluster’s record of every request made to its API — who asked for what, when. It is only good evidence if it is kept somewhere an intruder can’t quietly rewrite it. |
| RBAC | “Role-Based Access Control” — the rules deciding who is allowed to do what in the cluster. |
| Admission control | A gatekeeper that inspects every object (a pod, a role, a policy) before the API accepts it and rejects ones that break the rules (e.g. unsigned images). |
| Kyverno | Our admission-control policy engine — the gatekeeper that enforces those rules, written as YAML policies. |
| cosign / signing | Cryptographically stamping an image so the cluster can verify it’s genuine and untampered before running it. |
| SBOM | “Software Bill of Materials” — an ingredient list of everything inside an image, so you know what you’re running and can check it when a new vulnerability is announced. |
| Secret | Sensitive data (passwords, keys) Kubernetes stores for apps. Out of the box they are only base64-encoded, which is not encryption, so we encrypt them at rest and never put them in Git as plain text. |
| SOPS / age | Tools that encrypt secrets so they’re safe to store in Git; only your private key can decrypt them. |
| GitOps / Flux | Running the cluster from a Git repository: change a file, and Flux makes the cluster match. Reproducible and auditable. |
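The admission-control, Kyverno and cosign rows describe one mechanism from three angles. Here is an added example (not a policy from the guide) of the Kyverno ClusterPolicy that ties them together: any pod that pulls from the assumed registry `registry.example.internal` is rejected unless its image carries a cosign signature made by the key you paste into `publicKeys`. The registry name is a placeholder, and the key block is where the contents of your own `cosign.pub` go.

```yaml
# Added example, not from the guide. The registry name is assumed; paste your own cosign.pub.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce   # reject the pod, don't just warn about it
  background: false                  # signature checks run at admission time only
  webhookTimeoutSeconds: 30          # fetching signatures from the registry takes a moment
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "registry.example.internal/*"   # every image from here must be signed
          mutateDigest: true                  # pin the tag to the verified digest so it can't move later
          attestors:
            - count: 1                        # one valid signature from the key below is enough
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <paste the body of your cosign.pub here>
                      -----END PUBLIC KEY-----
```

Before switching this on, sign something with `cosign sign --key cosign.key registry.example.internal/worker:1.0` and try running both that image and an unsigned one; the unsigned pod should be refused at `kubectl apply` time with a message naming this rule, which is the quickest check that the gatekeeper is actually in the path.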
What this page bought you
A shared vocabulary. Every term the other chapters use is defined here in plain
words — keep it open in a tab while you build, and the rest of the guide reads much
more easily.