Rolling Updates
Your web-app Deployment has three Pods running nginx:1.28. You want to release nginx:1.26. With a ReplicaSet, you would delete all Pods and accept the downtime. With a Deployment, you change one line and Kubernetes handles the rest: new Pods replace old ones one at a time, always keeping the application running.
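The exact manifest from the previous lesson is not reproduced here, but a minimal sketch consistent with the commands in this lesson (a container named web, the app=web label, three replicas) might look like this:

```yaml
# web-deployment.yaml -- illustrative sketch only; the file from the
# previous lesson may differ in details
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.28   # the one line you change for a release
```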
Triggering an update
If web-app is not running from the previous lesson, recreate it first:
kubectl apply -f web-deployment.yaml

Then change the image:
kubectl set image deployment/web-app web=nginx:1.26
kubectl rollout status deployment/web-app

Watch rollout status report each step as new Pods become ready and old ones terminate. When it exits cleanly, the update is complete.
What happens internally
The Deployment controller does not modify the existing ReplicaSet. It creates a new one for nginx:1.26, then scales the two ReplicaSets in alternating steps until the old one reaches zero.
At each step, a new Pod becomes Ready before an old one is terminated. Traffic is always served by healthy Pods. This is what “zero-downtime” means in practice: the application never fully stops.
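You can watch this handoff live. In a second terminal, stream Pod changes while the update runs (assuming the app=web label used in this lesson):

```shell
# -w watches for changes: new Pods appear and become Ready,
# then old Pods move to Terminating, one step at a time
kubectl get pods -l app=web -w
```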
After the rollout, check the ReplicaSets:
kubectl get replicaset -l app=web

Two ReplicaSets: one at 3 replicas (active), one at 0 (preserved for rollback). Their pod-template-hash suffixes differ because they represent different Pod templates.
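The hash in each ReplicaSet name comes from the pod-template-hash label. One way to confirm which Pods belong to which template (a sketch, assuming the app=web label):

```shell
# -L adds the value of the named label as an extra output column
kubectl get replicaset -l app=web -L pod-template-hash
kubectl get pods -l app=web -L pod-template-hash
```

Every Pod's hash should match the active ReplicaSet's hash after the rollout completes.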
Why does Kubernetes create a new ReplicaSet instead of modifying Pods in place?
Reveal answer
Because modifying a running Pod in place is not possible: most spec fields are immutable after creation. And even if it were possible, it would not give you rollback capability. A separate ReplicaSet for each version means you can always scale an old version back up without rebuilding anything.
Updating via the manifest
kubectl set image is quick but it changes the cluster without touching your file. A better approach is to edit the manifest and re-apply:
nano web-deployment.yaml

Change the image to nginx:1.25, then:
kubectl apply -f web-deployment.yaml
kubectl rollout status deployment/web-app

The file now reflects what is running. In a team setting, the manifest is the source of truth, not the cluster state.
kubectl set image is imperative and does not update your YAML file. After running it, web-deployment.yaml is out of sync with the cluster. In a team setting this leads to confusion and accidental overwrites. Prefer editing the file and re-applying.
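One way to catch this drift before it causes trouble: kubectl diff compares your file against the live cluster state, so a non-empty diff right after someone ran kubectl set image is an immediate red flag.

```shell
# Exit code 0: file and cluster match.
# Exit code 1: they differ, and the diff is printed.
kubectl diff -f web-deployment.yaml
```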
Controlling the pace with maxSurge and maxUnavailable
These two fields in the rolling update strategy control how fast and how safely the update proceeds.
# illustrative only
spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1

maxUnavailable sets how many Pods can be unavailable at once during the update. A lower value means slower but safer: fewer Pods are out of rotation at any given moment.
maxSurge sets how many extra Pods (above replicas) can exist during the update. A lower value means less capacity used, which is useful on resource-constrained clusters.
Both default to 25% of replicas, rounded down for maxUnavailable and up for maxSurge.
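The rounding matters for small Deployments. A sketch of the arithmetic for the default 25%, using integer division for the floor and a standard ceiling trick:

```shell
replicas=4

# maxUnavailable defaults to 25% rounded DOWN: floor(4 * 0.25) = 1
max_unavailable=$(( replicas * 25 / 100 ))

# maxSurge defaults to 25% rounded UP: ceil(4 * 0.25) = 1
max_surge=$(( (replicas * 25 + 99) / 100 ))

echo "maxUnavailable=$max_unavailable"   # maxUnavailable=1
echo "maxSurge=$max_surge"               # maxSurge=1

# At most replicas + maxSurge = 5 Pods exist at once;
# at least replicas - maxUnavailable = 3 must stay available.
```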
During a rolling update with replicas: 4, maxUnavailable: 1, maxSurge: 1, what is the maximum number of Pods that can exist simultaneously?
- 4: the desired count is never exceeded during a rolling update
- 5: maxSurge allows one extra Pod above the desired count
- 6: both maxSurge and maxUnavailable add to the total Pod count
Reveal answer
5. maxSurge adds one extra above the desired count (4 + 1 = 5). maxUnavailable controls the availability floor (at least 3 must be Ready), not the total Pod count.
Leave web-app running. The next lesson uses it to demonstrate rollback.