I always thought kubelet was a worker-node component.
Not because someone drilled it into me. It just made sense from every diagram I saw. The master node had the big-brain stuff β API Server, Scheduler, Controller Manager, etcd. The worker node had kubelet. Clean separation. Logical.
Then one afternoon, I was poking around a kubeadm cluster β no particular reason, just getting familiar with a new setup. I logged into the control-plane node and ran something out of habit:
systemctl status kubeletβ Terminal Output β
β kubelet.service - kubelet: The Kubernetes Node Agent
Β Β Β Loaded: loaded (/usr/lib/systemd/system/kubelet.service)
Β Β Β Active: active (running) since Mon 2026-06-14 09:42:11 UTC
Running. On the master node. Definitely not what I expected.
I stared at it for a second. Ran it again. Same result.
kubelet was running on the control-plane node. But the diagram said it lived on worker nodes. So either the diagram was wrong, or I was missing something.
Turns out it was the second one. And the explanation opened up something I hadn't understood about how Kubernetes actually works.
The Assumption Most Beginners Make
Here's the diagram that started the confusion. You've probably seen some version of it:
What every tutorial shows: Master Node Worker Node βββ API Server βββ kubelet βββ Scheduler βββ kube-proxy βββ Controller Manager βββ Application Pods βββ etcd Logical conclusion: kubelet = worker-node thing.
Makes sense, right? The master handles orchestration. Workers run the actual workloads, and kubelet is the thing on workers that manages those pods. It's presented that way in almost every intro course.
The problem is that this diagram is a simplification. It shows roles, not the full picture of what actually runs on each node. And that gap causes a lot of confusion when you start looking at real clusters.
The Discovery
When I found kubelet running on the control-plane node, my first thought was that something was misconfigured. My second thought was that kubeadm just does weird things.
But then I started checking other clusters. Cloud-managed ones. Bare-metal setups from docs. kubelet was on the control-plane node in all of them.
So clearly this wasn't an accident. kubelet was supposed to be there.
But if kubelet is a worker-node component β what was it actually doing on the master?
The Question Gets Bigger
Here's where it got more interesting.
I ran kubectl get pods -n kube-system and looked at what was running on the control-plane node. There they were β the core components:
kubectl get pods -n kube-system
NAME READY STATUS NODE
kube-apiserver-control-plane 1/1 Running control-plane
kube-controller-manager-control-plane 1/1 Running control-plane
kube-scheduler-control-plane 1/1 Running control-plane
etcd-control-plane 1/1 Running control-planeThey're pods. Running on the control-plane node.
Pods need something to manage them. On worker nodes, that's kubelet's job. So if kubelet only lives on worker nodes β who's managing these pods on the master?
I had no good answer. And that question kept bugging me until I finally sat down and traced through how it actually works.
What kubelet Actually Is
Here's the thing the diagrams don't tell you: kubelet isn't a worker-node component.
It's a node agent. Its job is to manage pods on whatever node it runs on. It doesn't know or care whether that node is labeled βmasterβ or βworker.β It just does its job β on the node it's installed on.
And kubelet runs on every node in a Kubernetes cluster. That includes the control-plane node.
The corrected picture looks like this:
What is actually on each node: Control Plane Node Worker Node βββ kube-apiserver βββ kubelet βββ kube-scheduler βββ kube-proxy βββ kube-controller-manager βββ Application Pods βββ etcd βββ kubelet β yes, it's here too βββ kube-proxy
The difference between a control-plane node and a worker node isn't about which components are installed. It's about what workloads run there, and which control-plane services are present. kubelet is on both.
π§ Memory Trick
Once I understood this, the question shifted. It wasn't βwhy is kubelet on the master node?β anymore. It became: βokay, so how does kubelet on the control-plane node know which pods to run β before the API Server even exists?β
That's where Static Pods come in.
Static Pods
Normally, when you want a pod to run, you talk to the API Server. You apply a YAML file, the Scheduler picks a node, and kubelet on that node starts the pod. That's the standard flow.
Static Pods skip all of that.
kubelet watches a specific directory on the node:
/etc/kubernetes/manifestsAny YAML file you drop into that directory β kubelet picks it up and creates the pod. No kubectl apply. No API Server call. No Scheduler involved. Just kubelet reading a file from disk and making it happen.
You drop a YAML file into: /etc/kubernetes/manifests/nginx-static.yaml kubelet is watching that directory. β kubelet detects the new file β Pod starts. No kubectl apply. No API Server call. β You can see it with: kubectl get pods
That's it. That's the whole mechanism. Simple, almost surprisingly so.
Create Your First Static Pod
The best way to understand this is to try it. On your control-plane node, create this file:
sudo nano /etc/kubernetes/manifests/nginx-static.yamlapiVersion: v1
kind: Pod
metadata:
name: nginx-static
spec:
containers:
- name: nginx
image: nginx:latestSave the file. That's all you do.
You don't run kubectl apply. You don't restart anything. You just drop the file in that directory, and kubelet does the rest. Within a few seconds, the pod starts.
This surprises a lot of people the first time they see it, because it goes against how you normally think about pods in Kubernetes.
Verify the Static Pod
kubectl get pods
NAME READY STATUS NODE
nginx-static-control-plane 1/1 Running control-planeNotice the name: nginx-static-control-plane.
The node name gets appended automatically. That's how you spot a Static Pod β the suffix matches the node it's running on. It's Kubernetes telling you: βthis one isn't managed by the scheduler, it's managed by kubelet directly.β
You can also see it under kube-system. What you're looking at there is called a mirror pod β a read-only copy in the API Server so you can observe the static pod using kubectl. But the API Server doesn't control it. kubelet does.
π¨ Interview Trap
Where Are Static Pods Stored?
Now go look at what's already in that directory:
ls /etc/kubernetes/manifests/
etcd.yaml
kube-apiserver.yaml
kube-controller-manager.yaml
kube-scheduler.yamlThose four YAML files are running the entire cluster.
Not a deployment. Not a Helm chart. Just four files in a directory that kubelet is watching. When kubelet sees them on startup, it creates the pods. The control plane comes up. The cluster is alive.
Sit with that for a second. Four files. That's the foundation.
The Bootstrap Problem
This is the part that finally made everything click for me.
Here's the problem: in Kubernetes, pods are created through the API Server. The Scheduler assigns them to nodes. kubelet starts them. That's the normal flow.
But the API Server is itself a pod. So is etcd. So is the Scheduler.
If those pods need the API Server to be created β but the API Server is one of those pods β then how does any of this ever start? You can't use the API Server to create the API Server. That's a circular dependency. The cluster could never boot.
Static Pods are the answer.
Node boots up
β
kubelet starts (it's a systemd service β runs on its own)
β
kubelet reads /etc/kubernetes/manifests/
β
etcd.yaml found β etcd pod starts
kube-apiserver.yaml β API Server starts
kube-scheduler.yaml β Scheduler starts
kube-controller-manager.yaml β Controller Manager starts
β
Cluster is ready to accept your workloads
kubelet starts as a regular systemd service β it doesn't need the API Server. It reads the manifest files from disk. Those files tell it to start etcd, kube-apiserver, kube-scheduler, and kube-controller-manager. kubelet starts all four directly. No API Server involved in that step.
Once those pods are running, the cluster is live. From that point on, the API Server handles everything else β scheduling application workloads, accepting your kubectl commands, the whole normal flow.
But the first boot? That's kubelet, working alone, reading files.
β‘ Pro Tip
kube-apiserver-control-plane, etcd-control-plane). That's the static pod naming convention β kubelet's signature on the pods it manages directly.How to Delete a Static Pod
This is where a lot of people get caught out the first time.
You decide to remove the nginx static pod. You run:
kubectl delete pod nginx-static-control-planeThe pod disappears. For about three seconds. Then it comes back.
Because kubelet is still watching /etc/kubernetes/manifests/. The manifest file is still there. As far as kubelet is concerned, that pod should exist. So it recreates it. Your kubectl delete didn't actually delete anything β it just deleted the mirror pod, and kubelet immediately put it back.
The only way to actually delete a static pod is to remove the manifest file:
sudo rm /etc/kubernetes/manifests/nginx-static.yamlFile gone β kubelet stops managing it β pod shuts down. That's the correct sequence.
What Happens If a Static Pod Crashes?
kubelet doesn't just start static pods β it keeps watching them.
If a container inside a static pod crashes, kubelet detects it and restarts it automatically. Same as it does for regular pods, but without needing the API Server to tell it to.
Container inside static pod crashes
β
kubelet detects the failure
β
kubelet restarts the container automatically
β
No intervention needed β kubelet reconciles continuously
This matters a lot for the control plane. If kube-apiserver crashes at 3 AM, kubelet on the control-plane node catches it and restarts it β entirely on its own. No human needed. No other Kubernetes component needed. Just kubelet doing its job.
Verify Everything Yourself
If you have a kubeadm cluster or a lab environment, run these three commands on your control-plane node:
# 1. Confirm kubelet is running on the control-plane node
systemctl status kubelet# 2. See the static pod manifests
ls /etc/kubernetes/manifests/
# etcd.yaml
# kube-apiserver.yaml
# kube-controller-manager.yaml
# kube-scheduler.yaml# 3. See the static pods running in kube-system
# Notice the -<node-name> suffix on each one
kubectl get pods -n kube-systemInterview Corner
Questions You Should Be Able to Answer
Q: Does kubelet run only on worker nodes?
No. kubelet runs on every node β worker and control-plane alike. It's a node agent. Its job is to manage pods on whatever node it's installed on.
Q: What are Static Pods?
Pods defined by manifest files in a directory that kubelet watches (usually /etc/kubernetes/manifests/). kubelet creates and manages them directly, without going through the API Server or Scheduler.
Q: Who manages Static Pods?
kubelet. Not the API Server, not the Scheduler. kubelet watches the manifests directory and handles the full lifecycle β create, restart, delete.
Q: Who starts kube-apiserver when the cluster boots?
kubelet. It reads kube-apiserver.yaml from /etc/kubernetes/manifests/ and starts it as a static pod. The API Server doesn't start itself.
Q: Why are control-plane components deployed as Static Pods?
Because of the bootstrapping problem. You can't use the API Server to create the API Server β it doesn't exist yet. Static Pods let kubelet bring everything up from disk without needing any other Kubernetes component to be running first.
Q: Can you delete a Static Pod using kubectl?
Not permanently. kubectl delete pod removes the mirror object, but kubelet immediately recreates the pod because the manifest file is still there. To actually delete a static pod, remove the file from /etc/kubernetes/manifests/.
Q: What is the default location of Static Pod manifests?
/etc/kubernetes/manifests/ β configurable in the kubelet config, but this is the default for kubeadm clusters and most standard setups.
π€ The 60-Second Answer
π€ Say This Out Loud Until You Own It
βThe question contains a misconception. kubelet isn't a worker-node component β it's a node agent that runs on every Kubernetes node, including control-plane nodes.
On control-plane nodes, kubelet manages Static Pods: pods defined by YAML files in /etc/kubernetes/manifests/. kubelet watches that directory and creates or deletes pods as files appear or are removed β no API Server needed.
This is how Kubernetes bootstraps itself. The control-plane components β etcd, kube-apiserver, kube-scheduler, kube-controller-manager β are all Static Pods. When the node boots, kubelet reads their manifests from disk and starts them directly. The API Server can't start itself. kubelet starts it.
If you try to delete a static pod with kubectl, it immediately comes back. The only way to stop it is to remove the manifest file from disk.β
If you can say that without looking at notes, you've genuinely understood it.
Key Takeaways
- βkubelet is a node agent β it runs on every node in the cluster, not just worker nodes.
- βStatic Pods are defined by YAML files in /etc/kubernetes/manifests/ and managed directly by kubelet.
- βkubelet watches that directory. A file appears β pod starts. File is removed β pod stops.
- βThe control-plane components (etcd, API Server, Scheduler, Controller Manager) are all Static Pods.
- βThis solves the bootstrapping problem: kubelet starts everything from disk, before the API Server exists.
- βkubectl delete on a static pod does nothing permanent β remove the file instead.
- βStatic pods get the node name appended to their name (e.g., kube-apiserver-control-plane).
So β if kubelet is a worker-node component, how does it manage Static Pods on the master node?
The question itself is the wrong framing. kubelet isn't a worker-node component. It's a node agent that runs on every node. Once that clicks, everything else follows: kubelet is on the control-plane node, it watches /etc/kubernetes/manifests/, and those four files are what bring the entire cluster to life on every boot.
You weren't missing something complicated. You were missing one sentence that the beginner diagrams quietly leave out.
Targeting a Kubernetes or DevOps Role?
AiResumeFit matches your resume to Kubernetes, cloud, and DevOps job descriptions β improving your ATS score in seconds.
Optimize My Resume β