GUIDE / KUBERNETES · BUSINESS WORKLOADS

    Stateful Applications on Kubernetes: Protect the State, Not Just the Pod

    Kubernetes is very good at replacing failed Pods. Replacing a Pod is not the same as recovering the application state behind it.

    Updated July 2026·14 min read·Business Workload series
    01

    StatefulSet is a building block, not a data platform

    A StatefulSet maintains a stable identity for each Pod and can associate individual replicas with persistent storage — Kubernetes documentation describes it as suitable for workloads requiring stable network identity, persistent storage, or ordered lifecycle behavior. That makes it an important building block. It is not a complete data platform.

    StatefulSet providesThe application still owns
    Stable Pod names and network identitiesApplication replication (PostgreSQL streaming, Kafka partitions, etc.)
    Ordered creation and terminationTransaction consistency
    Controlled rolling updatesBackup and disaster recovery
    Replica-specific volume claimsQuorum and split-brain prevention
    ×Do not select StatefulSet merely because an application writes data. Choose it because the application lifecycle requires the guarantees it provides — a Deployment with a single PVC may be simpler when stable identity and ordered scaling are unnecessary.
    02

    Which stateful workloads commonly run on Kubernetes

    CategoryKey considerations
    Relational databasesPostgreSQL, MySQL — operator automation helps, but storage latency, failover and split-brain risk remain
    Distributed databasesCassandra, MongoDB, CockroachDB — often already understand replica identity and quorum; align topology with the DB's own model
    Message platformsKafka, RabbitMQ, NATS — partition placement, queue durability and storage throughput matter
    Search & analyticsElasticsearch, OpenSearch, ClickHouse — high IOPS, careful shard allocation, snapshot repositories
    Caches & session storesRedis, Memcached — classify data as disposable, rebuildable, or required for continuity before choosing persistence
    Kubernetes-hosted VMsKubeVirt disks in PersistentVolumes — a volume snapshot may be crash-consistent while the guest app stays inconsistent
    03

    When a stateful service should remain outside Kubernetes

    1A managed service provides stronger availability
    2Vendor support excludes Kubernetes
    3Storage latency requirements are strict
    4The team lacks database-operating expertise
    5A dedicated platform already works reliably
    6Licensing is tied to hosts or sockets

    The correct comparison is not Kubernetes versus old technology — compare a Kubernetes operator against a managed service, dedicated VMs, and existing enterprise platforms.

    04

    Operators: automate carefully

    An Operator extends Kubernetes with application-specific controllers and custom resources — it can automate cluster creation, failover, backup, restore, scaling and upgrades. It can also become a critical dependency.

    SOURCE / Evaluate the Operator, not only the database

    Review the maintainer, release frequency, supported Kubernetes and database versions, backup and restore methods, failure handling, and disaster-recovery documentation. A mature database running through an immature Operator may create more risk than running it on a well-managed VM.

    Test what happens when the Operator Pod is unavailable, the Operator is upgraded, the CRD changes, or an administrator edits the underlying StatefulSet directly — the application should not become unrecoverable merely because its Operator installation was lost.

    05

    Persistent storage design

    Storage typeFit
    Block storageRelational databases, message brokers, single-writer applications — Longhorn, Ceph RBD, cloud block storage
    Shared file storageDocument repositories, media workflows — CephFS, NFS, enterprise NAS; test locking and concurrent writers
    Object storageUser uploads, media, archives — often a better fit than a shared filesystem for portability and multi-replica access
    Local persistent volumesStrong performance, tighter node dependency — only when the app's own replication model can handle node/disk loss

    StorageClasses should represent real service levels, documented per class: CSI driver, replication, failure domain, performance expectation, snapshot capability and backup method. Do not let applications select storage classes from names alone.

    06

    Application consistency and snapshots

    Kubernetes VolumeSnapshots provide a standardized interface for point-in-time copies through supported CSI drivers. A snapshot can support fast rollback and pre-upgrade protection — it does not automatically provide offsite protection, application consistency, or ransomware protection.

    Some applications recover through journals; others require a flush, checkpoint, filesystem freeze, or database-native backup with transaction-log protection. The application owner must define the required consistency model — a PVC object without data is not a backup, and a volume snapshot without Kubernetes resources is not a complete application recovery set.

    07

    High availability, quorum and PodDisruptionBudget

    A stateful application has at least two availability layers: process availability and data availability. Replacing a failed database Pod does not help if its volume is unavailable, the database lost quorum, or replicas contain stale data.

    SOURCE / Quorum planning

    A three-member cluster may tolerate one member failure — it may still fail when two members share one node or zone, network policy blocks replication, or maintenance removes another member. Document voting rules, failure tolerance and split-brain prevention.

    ×A PodDisruptionBudget limits concurrent voluntary disruption; it does not prevent involuntary failures or create spare capacity. Test node drains before production.
    ×Kubernetes warns that force-deleting StatefulSet Pods can violate at-most-one semantics and may lead to data loss in clustered systems — do not force-delete stateful Pods casually.
    08

    Backup architecture and recovery order

    Protect every required layer: Kubernetes resources, operator CRDs, persistent-volume data, database-native backup, transaction logs, object storage, encryption keys, container images and recovery documentation. Use database-native protection when transaction consistency, point-in-time recovery, or log replay is required.

    Test progressively: one file, one volume, one database, the Operator, custom resources, a complete namespace, and finally a restore into another cluster — validating business transactions and measuring RPO/RTO at each level. A running StatefulSet does not prove usable data.

    A practical recovery order: recovery credentials → replacement cluster → CNI/CSI → snapshot controller → StorageClasses → CRDs → Operator → backup platform → database/persistent data → custom resources → dependent applications → Services/ingress → monitoring. Test the exact product — Operator behaviour may require a different order.

    09

    Scaling and upgrades

    Stateful scaling is not the same as adding stateless web replicas — scale-out may require membership changes, data rebalancing and shard movement; scale-in may require data evacuation and quorum validation. Do not allow automatic scaling until the application's data movement and failure behavior are understood.

    Separate upgrade changes where practical — a combined Kubernetes, Operator, database and storage upgrade creates a difficult rollback problem. Confirm old and new versions can coexist, the replication protocol is compatible, and a backup exists before any rolling update.

    10

    Common mistakes

    ×Treating StatefulSet as a database platform

    It supplies identity and lifecycle behavior — not replication, backup, or consistency.

    ×Selecting storage from a generic class name

    The class may not meet latency, failure-domain, snapshot or recovery requirements. Document its real behaviour.

    ×Using three replicas on one node

    Replica count without failure-domain separation provides weak availability. Spread replicas deliberately.

    ×Adding a PDB without spare capacity

    Maintenance may become blocked because no replacement Pod can schedule. Maintain headroom.

    ×Using snapshots as the only backup

    The snapshot may remain on the source storage system. Create an independent copy.

    ×Backing up only volumes

    The Operator, custom resources, Secrets and service configuration may be missing. Protect the full application.

    ×Autoscaling without understanding data movement

    Adding or removing replicas may trigger expensive rebalancing or data loss. Test manually first.

    ×Declaring success when Pods are Running

    Validate quorum, replication, data consistency and business transactions.

    11

    Stateful workload readiness checklist

    0 / 24
    12

    Frequently asked questions

    It is an application that must preserve data, identity, membership or other state across Pod replacement and rescheduling.

    It provides stable Pod identity, ordered lifecycle behavior, and stable persistent-volume relationships.

    No. Data replication belongs to the application, database, storage system or Operator.

    No. A single-instance application may use a Deployment with a PVC when stable identity and ordered lifecycle behavior are unnecessary.

    Not automatically. Compare Kubernetes operation with managed services, virtual machines and dedicated database platforms.

    It is an application-specific controller that uses custom resources and Kubernetes control loops to manage an application.

    No. It can automate procedures, but teams still need to understand consistency, replication, backup, failure and recovery.

    They can be part of a backup strategy, but they may remain on the source storage system and may not be application-consistent.

    It limits concurrent voluntary disruption to selected Pods. It does not prevent involuntary failure or create spare capacity.

    Some can, but scaling may require membership changes, rebalancing and storage provisioning. Test the application's specific behavior.

    Protect Kubernetes resources, persistent data, application-native backups, transaction logs, encryption keys, Operators and external dependencies.

    It must survive Pod and node failure, maintain consistent data, support controlled upgrades, restore into the required recovery environment, and pass business validation.

    Run the data platform, not only the Pods

    Kubernetes can provide a strong operating platform for stateful business applications — declarative management, consistent automation, storage integration and repeatable operations. Its risks appear when teams confuse process replacement with data recovery.

    Choose the storage deliberately, evaluate the Operator, understand quorum and failure domains, protect Kubernetes resources and application data separately, and restore the full application into a replacement cluster before trusting it in production. Run the workload on Kubernetes when the organization can operate the entire data lifecycle there more reliably — keep it elsewhere when Kubernetes adds another control plane without improving availability, recovery or ownership.