Imperative vs. declarative Kubernetes commands: What's the difference?

Declarative and imperative configuration commands

One of the interesting features of the Kubernetes container orchestration technology is that it’s state-based.

Under Kubernetes, once you define how the various resources within a cluster of virtual or physical machines are supposed to be configured, Kubernetes ensures that configuration is always in force.

Under Kubernetes is etcd, a database that keeps track of the state of the given Kubernetes cluster. If you declare a pod deployment of three replicas, Kubernetes guarantees that three pods are always running. If you declare a namespace with the name coolspace, Kubernetes ensures that the namespace is always there.

Ensuring state is one of the reasons that Kubernetes is a compelling technology.

Imperative and declarative compared

There are two ways you can configure a resource under Kubernetes: imperatively or declaratively.

Imperative configuration means that to describe the configuration of the resource, you execute a command from a terminal’s command prompt. Of course, the terminal’s machine must have permission to access the Kubernetes cluster of interest.

Apache and Docker Tutorials

Master the fundamentals of Apache, Docker and Kubernetes.

Declarative configuration means that you create a file that describes the configuration for the particular resource and then apply the content of the file to the Kubernetes cluster. To apply the configuration, you use the command kubectl apply at the command prompt as you would for an imperative command, but that’s where the similarity ends.

Let’s look at some examples of imperative and declarative configuration for commonly used Kubernetes resources: pods, deployments, namespaces and services.

Imperative K8s pod configuration

The first example we’ll look at is creating a pod. To create a pod imperatively, execute the kubectl run command set in a terminal window:

kubectl run nicepod --image=nginx

Execute the command set kubectl get pods, and you’ll see the following result which indicates the pod has been created and is running.

nicepod   1/1     Running   0          26s

To create a pod declaratively, you create a manifest file, either in JSON or YAML. Once the file is created, execute the command set kubectl apply -f <FILENAME> from the command prompt.

The following example is a manifest file in YAML, named nicepod.yaml, that creates a pod with the name nicepod.

apiVersion: v1
kind: Pod
  name: nicepod
    App: dev
    - name: web
      image: nginx
        - name: web
          containerPort: 80
          protocol: TCP

Kubernetes resource creation

To create the source, run the following command in a terminal window:

kubectl apply -f nicepod.yaml

The command above essentially says, “Apply this declaration defined in the file nicepod.yaml to create the resource within the Kubernetes cluster.”

Once the YAML file is applied, the resource is created. To verify all is as intended, execute the command kubectl get pods. You’ll see the following output:

nicepod   1/1     Running   0          50s

As you can see, both imperative and declarative configuration produce the same outcome.

Configuring Kubernetes deployments

Let’s do an imperative configuration of a Kubernetes deployment.

A deployment is a Kubernetes resource that is a collection of one or many pods. A deployment is guaranteed to always be running. Creation of a Kubernetes deployment requires execution of two imperative commands. The first command, shown below, creates the deployment named cooldeploy which is a collection of pods that run the Nginx web server:

kubectl create deploy cooldeploy --image nginx

The second imperative command scales the deployment up to three replicas of the pod:

kubectl scale --replicas=3 deployment/cooldeploy

Thus, deployment using the command kubectl get deployment cooldeploy generates the following output:

cooldeploy   3/3     3            3           85s

To create the same deployment declaratively, construct a manifest file in YAML named mydeployment.yaml as follows:

apiVersion: apps/v1
kind: Deployment
  name: cooldeploy
    app: nginx
  replicas: 3
      app: nginx
        app: nginx
      - name: nginx
        image: nginx:1.14.2
        - containerPort: 80

Next, run the command kubectl apply -f mydeployment.yaml to apply the resource definition to the Kubernetes cluster. Then, run the command kubectl get deployment cooldeploy, and you get output similar to the following:

cooldeploy   3/3     3            3           85s

As with the Kubernetes resource creation, the result is the same regardless of whether you take an imperative approach or declarative approach.

Imperative K8s namespace configuration

Let’s configure a Kubernetes namespace imperatively. Execute the command kubectl create namespace coolspace in a terminal window on a machine that’s configured to access a Kubernetes cluster.

Voila! You’ve just created a namespace. Run the command kubectl get ns to see the result. You’ll see the following output:

NAME              STATUS   AGE
coolspace         Active   11s
default           Active   39m
kube-node-lease   Active   39m
kube-public       Active   39m
kube-system       Active   39m

Notice that the namespace we defined, coolspace, is now one of the namespaces in this particular Kubernetes cluster.

Declarative K8s namespace configuration

To create the namespace declaratively, create a YAML file named coolspace.yaml as shown below:

kind: Namespace
apiVersion: v1
  name: coolspace
    name: dev

Then execute the command kubectl apply -f coolspace.yaml to create the namespace. The command kubectl get ns returns output similar to the response we got when doing the imperative configuration:

NAME              STATUS   AGE
coolspace         Active   7s
default           Active   43m
kube-node-lease   Active   43m
kube-public       Active   43m
kube-system       Active   43m

Imperative service configuration

Finally, let’s configure a Kubernetes service.

Implementing a Kubernetes service is a bit more complex because a service has many configuration parameters. Take a look at the following imperative configuration:

kubectl expose deployment cooldeploy --port=8080 --target-port=80 --type=LoadBalancer

The kubectl expose command set creates a Kubernetes service that exposes the deployment named cooldeploy. Specifically, the service exposes port 8080 to the public by using a service type, LoadBalancer, and the public port 8080 is bound to the pods running internally on port 80 in deployment.

Thus, when we run the imperative declaration shown above, we get the following output:

NAME         TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
cooldeploy   LoadBalancer   8080:32402/TCP   52s

Notice the name of the service is the same as the name of the deployment, cooldeploy. Also, that service is exposed on the public URL With an imperative approach such as the one shown above the service is named by default. Nevertheless, the service does work. In this case, when you CURL the IP address and port, you get output from one of the web servers in the deployment as represented by the service:


The above CURL command generates the following output:

<!DOCTYPE html>
    <title>Welcome to nginx!</title>
    body {
      width: 35em;
      margin: 0 auto;
      font-family: Tahoma, Verdana, Arial, sans-serif;

Now, let’s configure the service declaratively. Create a YAML file named myservice.yaml as shown below:

apiVersion: v1
kind: Service
  name: my-service
    app: nginx
    - protocol: TCP
    port: 8080
    targetPort: 80
  type: LoadBalancer

Apply the service to the Kubernetes cluster like so:

kubectl apply -f myservice-yaml

Then you’ll get the following output:

NAME         TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
my-service   LoadBalancer   8080:30798/TCP   23s

Notice that the service named my-service is up and running in the cluster. Where did the name come from? Look at the manifest file listed above. The file defines the service declaratively. Notice the name attribute underneath the attribute metadata. That’s where the name of the service is defined.

Declarative vs imperative: Which one should I choose?

Imperative and declarative configuration are two distinctly different approaches to create Kubernetes resources. Both techniques are useful, but they have tradeoffs.

The most important tradeoff is one of security. Under the right conditions, creating resources by executing imperative commands can be a security nightmare. For starters,  there is no audit trail. Once an imperative command executes, the state of the cluster changes. Without significant access control precautions within the Kubernetes cluster, anybody can alter the cluster and the resulting change is not apparent.

The declarative approach has an intrinsic level of security, because you need a manifest file to alter the state of the cluster. Companies usually store manifest files within a source control management system (SCM) like Git or GitHub. This provides a rudimentary audit trail. At the least, if something goes haywire in the cluster, admins can go to the SCM and see the latest manifest file that altered the state of the cluster to figure out what happened

That said, imperative configuration of a Kubernetes cluster is useful for developers and system administrators that want to experiment. You don’t need to go through all the details of creating and maintaining manifests files to implement elementary designs. You simply create the resources you need, when you need them.

Imperative configuration involves creating Kubernetes resources directly at the command line against a Kubernetes cluster. Declarative configuration defines resources within manifest files and then applies those definitions to the cluster. Once you understand the benefits and tradeoffs to the imperative and declarative approaches, you can start to understand the best approach given the situation at hand.