Add reference documentation for built-in controllers #15374
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| title: "Controllers" | ||
| weight: 20 | ||
| --- | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| --- | ||
| title: PodPreset controller | ||
| content_template: templates/concept | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| The PodPreset admission controller injects configuration data into | ||
| {{< glossary_tooltip text="pods" term_id="pod" >}} when they are created. | ||
|
|
||
| The configuration data can include {{< glossary_tooltip text="Secrets" term_id="secret" >}}, | ||
| {{< glossary_tooltip text="Volumes" term_id="volume" >}}, volume mounts, | ||
| and {{< glossary_tooltip text="environment variables" term_id="container-env-variables" >}}. | ||
|
|
||
| {{% /capture %}} | ||
|
|
||
| {{% capture body %}} | ||
|
|
||
| ## Controller behavior | ||
|
|
||
| This is a mutating | ||
| [admission controller](/docs/reference/access-authn-authz/admission-controllers/#what-are-they) | ||
| that acts on Pod creation requests. | ||
|
|
||
| When a pod creation request arrives for processing, the controller: | ||
|
|
||
| 1. Retrieves all `PodPresets` available for use. | ||
| 1. Checks if the label selectors of any `PodPreset` match the labels on the | ||
| Pod being created. | ||
| 1. Attempts to merge the various resources defined by the `PodPreset` into the | ||
| Pod being created. | ||
| 1. On error, throws an event documenting the merge error on the Pod, and then | ||
| allows creation of the the Pod _without_ any injected resources from the `PodPreset`. | ||
| 1. Annotates the resulting modified Pod spec to indicate that it has been | ||
| modified by a `PodPreset`. The annotation is of the form | ||
| `podpreset.admission.kubernetes.io/podpreset-<pod-preset name>: "<resource version>"`. | ||
|
|
||
| Each Pod can be matched by zero or more Pod Presets; and each `PodPreset` can be | ||
| applied to zero or more pods. When a `PodPreset` is applied to one or more | ||
| Pods, Kubernetes modifies the Pod Spec. For changes to `Env`, `EnvFrom`, and | ||
| `VolumeMounts`, Kubernetes modifies the container spec for all containers in | ||
| the Pod; for changes to `Volume`, Kubernetes modifies the Pod Spec. | ||
|
|
||
| {{< note >}} | ||
| A Pod Preset is capable of modifying the following fields in a Pod spec when appropriate: | ||
| - The `.spec.containers` field. | ||
| - The `initContainers` field (requires Kubernetes version 1.14.0 or later). | ||
| {{< /note >}} | ||
|
|
||
| {{% /capture %}} | ||
|
|
||
| {{% capture whatsnext %}} | ||
|
|
||
| * Learn how to [enable PodPreset](/docs/concepts/workloads/pods/podpreset/#enable-pod-preset) | ||
| * Try to [inject information into Pods Using a PodPreset](/docs/tasks/inject-data-application/podpreset/) | ||
|
|
||
| {{% /capture %}} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,155 @@ | ||
| --- | ||
| title: Built-in controllers | ||
| content_template: templates/concept | ||
| weight: 10 | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| This page lists the {{< glossary_tooltip text="controllers" term_id="controller" >}} | ||
sftim marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| that come as part of Kubernetes itself. | ||
| {{% /capture %}} | ||
|
|
||
|
|
||
| {{% capture body %}} | ||
|
|
||
| Kubernetes comes with a number of built-in controllers that run as part | ||
| of the {{< glossary_tooltip term_id="kube-controller-manager" >}}. | ||
|
|
||
| If your cluster is deployed against a cloud service provider, you can | ||
| use the cloud-controller-manager to run additional provider-specific | ||
| controllers such as | ||
| [Route](/docs/concepts/architecture/cloud-controller/#route-controller). | ||
|
|
||
| The cloud controller manager provides an abstract API (in Go) that | ||
| allows cloud vendors to plug in their custom implementation. | ||
|
|
||
| The built-in {{< glossary_tooltip term_id="kube-scheduler" text="scheduler" >}} | ||
| is itself a specialized controller. The scheduler's purpose is to reconcile the | ||
| desired set of running Pods and match that against the available Nodes, | ||
| optimizing against discovered constraints. | ||
| {{< glossary_tooltip term_id="kubelet" >}} will update the actual state each | ||
| time it starts or stops a scheduled Pod. | ||
|
|
||
| Because its work is essential to Kubernetes' operation, the scheduler | ||
| runs separately from the kube-controller-manager. This separation helps | ||
| with control plane performance. | ||
|
|
||
| The controllers that run inside kube-controller-manager are: | ||
|
There was a problem hiding this comment. The transition on the page from "The controllers that run inside kube-controller-manager are:" to then going to a bold heading of "Controllers for running workloads on Kubernetes" looks really weird. Check out https://kubernetes.io/docs/setup/ which shows a nice transition from a list of topics (Learning Environment, Production environment) to their sections below the introductory paragraph. The https://kubernetes.io/docs/concepts/ also as some nice examples of how to do this as well There was a problem hiding this comment. Thanks for your feedback on this. |
||
|
|
||
|
There was a problem hiding this comment. Possible buckets to categorize the controllers (left nav), in no specific order? |
||
| ## Controllers for running workloads on Kubernetes {#controllers-workloads} | ||
|
|
||
| * [CronJob controller](/docs/reference/controllers/cronjob/) | ||
| * [DaemonSet controller](/docs/reference/controllers/daemonset/) | ||
| * [Deployment controller](/docs/reference/controllers/deployment/) | ||
| * [Job controller](/docs/reference/controllers/job/) | ||
| * [ReplicaSet controller](/docs/reference/controllers/replicaset/) | ||
| * [StatefulSet controller](/docs/reference/controllers/statefulset/) | ||
| * [Service controller](/docs/reference/controllers/service/) | ||
|
|
||
| ## Pod management controllers {#controllers-pod-management} | ||
|
|
||
| * [Horizontal Pod Autoscaler](/docs/reference/controllers/horizontal-pod-autoscaler/) | ||
| * [PodDisruptionBudget controller](/docs/reference/controllers/poddisruptionbudget/) | ||
| * [PodPreset controller](/docs/reference/access-authn-authz/admission-controllers/#podpreset) | ||
|
|
||
| ## Resource management controllers {#controllers-resource-management} | ||
|
|
||
| * [Resource quota controller](/docs/reference/access-authn-authz/admission-controllers/#resourcequota) | ||
|
|
||
| ## Certificate controllers {#controllers-certificates} | ||
|
|
||
| * [Root CA controller](/docs/reference/controllers/certificate-root-ca-publisher/) | ||
|
|
||
| There are also a set of three controllers that work together to provide signed | ||
| {{< glossary_tooltip text="certificates" term_id="certificate" >}} on demand, for use within your cluster: | ||
|
|
||
| [Certificate signer](/docs/reference/controllers/certificate-signer) | ||
| : A controller that signs certificates based on a certificate signing request (CSR), | ||
| once approved. The issued certificates will have a signing chain back to the root CA. | ||
|
|
||
| [Certificate signature approver](/docs/reference/controllers/certificate-approver/) | ||
| : An automated approver for valid certificate signing requests. Requests are approved | ||
| automatically if the request came from a Node known to Kubernetes. | ||
|
|
||
| [CSR cleaner](/docs/reference/controllers/certificate-cleaner/) | ||
| : The CSRs within your cluster have a lifetime. This controller removes CSRs that have | ||
| expired without being approved. | ||
|
|
||
| {{< note >}} | ||
| If you wanted to have something that isn't a Node use a signing request to obtain valid | ||
| cluster certificates, you can implement that in your own custom controller. | ||
| The built-in controller will automatically know not to intervene, because it only acts | ||
| on signing requests that come from nodes. | ||
| {{< /note >}} | ||
|
|
||
| ## Storage controllers {#controllers-storage} | ||
|
|
||
| There are a set of built-in controllers for storage management. | ||
|
|
||
| * [Volume attach / detach controller](/docs/reference/controllers/volume-attach-detach/) | ||
| * [PersistentVolume controller](/docs/reference/controllers/volume-persistentvolume/) | ||
| * [PersistentVolumeClaim controller](/docs/reference/controllers/volume-persistentvolumeclaim/) | ||
| * [PersistentVolumeClaim in-use protection controller](/docs/reference/controllers/volume-persistentvolumeclaim-protection/) | ||
|
|
||
| ## Networking controllers {#controllers-networking} | ||
|
|
||
| * [Endpoint controller](/docs/reference/controllers/endpoint) | ||
| * [Service controller](/docs/reference/controllers/service) | ||
| * [Node IP address management controller](/docs/reference/controllers/node-ipam/) | ||
|
|
||
| ## Cluster orchestration controllers {#controllers-cluster-orchestration} | ||
|
|
||
| * [ServiceAccount controller](/docs/reference/controllers/serviceaccount/) | ||
| * [ServiceAccount token controller](/docs/reference/controllers/serviceaccount-token/) | ||
| * [ClusterRole aggregation controller](/docs/reference/controllers/clusterrole-aggregation) | ||
|
|
||
| ## Garbage collection & expiry controllers {#controllers-gc-expiry} | ||
|
|
||
| ### Time-to-live (TTL) controller {#controller-ttl} | ||
|
|
||
| The [TTL controller](/docs/reference/controllers/ttl/) sets TTL | ||
| annotations on Nodes based on cluster size. | ||
| kubelet consumes these annotations as a hint about how long it can cache | ||
| object data that it has fetched from the | ||
| {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}. | ||
|
|
||
| ### TTL-after-finished controller {#controller-ttl-after-finished} | ||
|
|
||
| The [TTL-after-finished controller](/docs/reference/controllers/ttl-after-finished) | ||
| cleans up finished task objects; currently, just Jobs. | ||
|
|
||
| ### Garbage collector {#controller-garbagecollector} | ||
|
|
||
| The [garbage collector](/docs/reference/controllers/garbage-collector/) watches | ||
| for changes to objects that have dependencies, and spots objects that are eligible | ||
| for garbage collection. Once identified these are queued for (attempts at) deletion. | ||
|
|
||
| Other controllers can rely on this behavior to take care of cascading deletion | ||
| of objects via parent-child relationships. | ||
|
|
||
| ### Pod garbage collector {#controller-pod-garbage-collector} | ||
|
|
||
| The [pod garbage collector](/docs/reference/controllers/pod-garbage-collector/) | ||
| takes care of cleaning up {{< glossary_tooltip text="Pods" term_id="pod" >}} that | ||
| are terminated, so that the resources for tracking those Pods can be reclaimed. | ||
|
|
||
| ### Certificate signing request cleaner {#controller-certificate-cleaner} | ||
|
|
||
| The [CSR cleaner](/docs/reference/controllers/certificate-cleaner/) | ||
| removes old certificate signing requests that haven't been approved and signed. | ||
|
|
||
| ### Node lifecycle controller {#controller-node-lifecycle} | ||
|
|
||
| The [node lifecycle controller](/docs/reference/controllers/node-lifecycle) | ||
| observes the behavior of kubelet on a node, and sets (potentially also removes) | ||
| {{< glossary_tooltip text="taints" term_id="taint" >}} on Nodes that reflect its | ||
| findings. | ||
|
|
||
| ### Namespace lifecycle controller {#controller-namespace} | ||
|
|
||
| When you (or any Kubernetes API client) remove a {{< glossary_tooltip term_id="namespace" >}}, | ||
|
There was a problem hiding this comment. Perhaps it's just a vestige, but I find it kind of odd that there's a specialized namespace lifecycle controller that does the job that the garbage collector controller is ostensibly responsible for, which you describe above as "cascading deletion of objects via parent-child relationships." This is just a question, of course. Nothing wrong with the content here, I'm just curious. Maybe @lavalamp might know the answer here. There was a problem hiding this comment. Namespace / object is a container / containee relationship. The ordinary GC is an owner / owned relationship, which can cross object types. The namespace lifecycle controller deletes entire collections; the regular GC deletes individual objects. The namespace lifecycle controller acts on a single level relationship (even if expanded in some distant future, it'd remain a short tree); the regular GC acts on a graph. |
||
| the [namespace controller](/docs/reference/controllers/namespace/) makes sure that objects in | ||
| that namespace are removed before the namespace itself is removed. | ||
|
|
||
| {{% /capture %}} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| --- | ||
| title: Certificate signature approver | ||
| content_template: templates/concept | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| The CertificateSigningRequest approver controller (aka CSR approver) is | ||
| part of a set of built-in controllers for certificate management. | ||
|
|
||
| {{% /capture %}} | ||
|
|
||
|
|
||
| {{% capture body %}} | ||
| The CSR approver is built in to kube-controller-manager. | ||
|
|
||
| ## Controller behavior | ||
|
|
||
| This controller acts specifically on CertificateSigningRequests (CSR) that come from | ||
| kubelet (or that purport to come from kubelet). | ||
|
|
||
| When kubelet is setting up on a new node, kubelet will generate a CSR and submit it | ||
| to the Kubernetes API server using its | ||
| [bootstrap](/docs/reference/access-authn-authz/bootstrap-tokens/) | ||
| authentication and authorization. | ||
|
|
||
| This controller watches for CertificateSigningRequests from kubelet. For each submitted | ||
| CertificateSigningRequest, this controller creates a SubjectAccessReview to verify | ||
| whether this Node's kubelet is allowed to have its certificate signed. | ||
|
|
||
| If the request is authentic and the SubjectAccessReview passes, the controller marks the | ||
| CSR as approved. This approval allows the Certificate signer to issue a certificate. | ||
|
|
||
| {{% /capture %}} | ||
| {{% capture whatsnext %}} | ||
| * Read about the [certificate signer](/docs/reference/controllers/certificate-signer/) | ||
| {{% /capture %}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| --- | ||
| title: Certificate signing request cleaner | ||
| content_template: templates/concept | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| This controller removes certificate signing requests that have expired without being approved. | ||
|
|
||
| {{% /capture %}} | ||
|
|
||
| {{% capture body %}} | ||
|
|
||
| The CSR cleaner is built in to kube-controller-manager. | ||
|
|
||
| ## Controller behavior | ||
|
|
||
| This controller watches for CertificateSigningRequest (CSR) objects and their approvals. | ||
|
|
||
| After a CSR has been in the system for a certain amount of time, without being approved, | ||
| this controller will delete it. | ||
|
|
||
| {{% /capture %}} | ||
| {{% capture whatsnext %}} | ||
| * Read about the [certificate approver](/docs/reference/controllers/certificate-approver/) | ||
| * Read about the [certificate signer](/docs/reference/controllers/certificate-signer/) | ||
| {{% /capture %}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| title: Root CA controller | ||
| content_template: templates/concept | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| Kubernetes clusters have a [certificate authority](/docs/concepts/cluster-administration/certificates/) | ||
| (CA) that the control plane uses to authenticate different components. This | ||
| controller manages a ConfigMap in every configured namespace, so that Pods | ||
| in that namespace have access to the cluster's root CA and can validate other | ||
| components' identity. | ||
|
|
||
| {{% /capture %}} | ||
|
|
||
| {{% capture body %}} | ||
|
|
||
| The root CA controller is built in to kube-controller-manager. | ||
|
|
||
| ## Controller behavior | ||
|
|
||
| This controller watches for namespaces being created. For every new namespace the | ||
| controller adds a ConfigMap containing the cluster's root certificate. | ||
|
|
||
| {{% /capture %}} | ||
| {{% capture whatsnext %}} | ||
| * Read about the [certificate approver](/docs/reference/controllers/certificate-approver/) | ||
| {{% /capture %}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| --- | ||
| title: Certificate signer controller | ||
| content_template: templates/concept | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| A controller that signs {{< glossary_tooltip text="certificates" term_id="certificate" >}}, | ||
| based on a certificate signing request (CSR), once approved. The issued | ||
| certificates will have a signing chain back to the cluster's root CA. | ||
|
|
||
| {{% /capture %}} | ||
|
|
||
| {{% capture body %}} | ||
|
|
||
| The certificate signer is built in to kube-controller-manager. You can add your own controller, | ||
| either to work alongside this built-in controller, or to work in its place. | ||
|
|
||
| ## Controller behavior | ||
|
|
||
| This controller watches for CertificateSigningRequest (CSR) objects and their approvals. | ||
| When the certificate signer sees an approved request, it signs the request using the | ||
| configured certificate and key (typically, this will be the cluster root CA). | ||
|
|
||
| The controller stores the issued certificate in the `status.certificate` field of the | ||
| CertificateSigningRequest object. | ||
|
|
||
| {{% /capture %}} | ||
| {{% capture whatsnext %}} | ||
| * Read about the [certificate approver](/docs/reference/controllers/certificate-approver/) | ||
| {{% /capture %}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| --- | ||
| title: ClusterRole aggregation controller | ||
| content_template: templates/concept | ||
| --- | ||
|
|
||
| {{% capture overview %}} | ||
|
|
||
| This controller implements the `aggregationRule` property for [ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole), which are used in connection with | ||
| {{< glossary_tooltip text="Role-Based Access Control" term_id="rbac" >}} (RBAC). | ||
|
|
||
|
|
||
| {{% /capture %}} | ||
|
|
||
| {{% capture body %}} | ||
|
|
||
| The ClusterRole aggregation controller is built in to kube-controller-manager. | ||
|
There was a problem hiding this comment. Is it worth putting a glossary tooltip or a link explaining what an "aggregation controller" is, compared to other controllers? There was a problem hiding this comment. AIUI it's There was a problem hiding this comment. Ah, I see... :) Hmm, yeah, I think maybe a quick sentence explaining what is meant by "ClusterRole aggregation" might be useful. Can always be added in a followup though, of course. There was a problem hiding this comment. Any suggestions? It's tricky to word well. |
||
|
|
||
| ## Controller behavior | ||
|
|
||
| This controller manages the permissions of aggregated ClusterRoles. The controller | ||
| watches ClusterRoles for changes. | ||
|
|
||
| If the controller sees changes (add / remove / update) to a ClusterRole that matches | ||
| the clusterRoleSelectors for any existing ClusterRole, it will calcluate the rules | ||
| for the ClusterRole that had clusterRoleSelectors set. | ||
|
|
||
| See [Aggregated ClusterRoles](/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) | ||
| for more information on this. | ||
|
|
||
| {{% /capture %}} | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sftim, general comment for all pages:
I think the title text should capitalize the first letter of each major word. Also, the titles should be consistently named, contain
Controllerin the title?, and closely match the actual controller name? Are all controllers available asstablein current version of k8s?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked at https://kubernetes.io/docs/contribute/style/ and didn't see a clear steer on whether or not to capitalize titles.