# Kube Controller Manager

## 🧠 What is kube-controller-manager?
It is the automation engine of Kubernetes.
It runs dozens of controllers, such as:
- Node controller (detects node failure)
- Replication controller (ensures right number of pod replicas)
- Service account controller
- Token controller
- Persistent volume binder
- Garbage collector
- Job controller
- Many more...
In short: when something deviates from the desired state, a controller acts to bring it back.

A typical static Pod manifest for kube-controller-manager (this one is in the form kubeadm generates):

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=true
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --bind-address=127.0.0.1
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cluster-cidr=172.17.0.0/16
    - --cluster-name=kubernetes
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --controllers=*,bootstrapsigner,tokencleaner
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --leader-elect=true
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=172.20.0.0/16
    - --use-service-account-credentials=true
    image: registry.k8s.io/kube-controller-manager:v1.33.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-controller-manager
    resources:
      requests:
        cpu: 200m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      name: flexvolume-dir
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/kubernetes/controller-manager.conf
      name: kubeconfig
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      type: DirectoryOrCreate
    name: flexvolume-dir
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/kubernetes/controller-manager.conf
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
```
## 🔹 KEY FLAGS — Deep Explanation

### ✅ --allocate-node-cidrs=true

📌 Purpose: tells the controller-manager to assign a CIDR range (a block of pod IPs) to each node.

🧠 Works together with --cluster-cidr (the next flag). This is mostly used with CNI plugins such as Calico and Weave.

### ✅ --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
### ✅ --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
### ✅ --kubeconfig=/etc/kubernetes/controller-manager.conf

🔐 All of these deal with API communication:

| Flag | Purpose |
|---|---|
| --authentication-kubeconfig | Proves the identity of the controller-manager |
| --authorization-kubeconfig | Defines what it is allowed to do |
| --kubeconfig | General API client config (endpoint, certs, etc.) |

All three point at the same file (controller-manager.conf).

### ✅ --bind-address=127.0.0.1

Binds the component's own HTTPS listener (port 10257, where /healthz is served) to localhost only, a security best practice. You'll see the same setting on every control-plane component.

### ✅ --client-ca-file=/etc/kubernetes/pki/ca.crt

📜 Verifies the client certificates presented by other components. Only clients whose certificate was signed by this CA are allowed to connect.
### ✅ --cluster-cidr=172.17.0.0/16

🌐 Defines the IP address range allocated for pods across the cluster.

Example:
- Node A gets 172.17.1.0/24
- Node B gets 172.17.2.0/24
- All pods get IPs from this pool

Required for:
- IP assignment logic
- Network policies

### ✅ --cluster-name=kubernetes

A label for multi-cluster federation. Almost always left at the default, kubernetes.

### ✅ --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
### ✅ --cluster-signing-key-file=/etc/kubernetes/pki/ca.key

🔐 Used to sign certificates automatically during:
- Node bootstrapping
- CSR approvals (if automated)
- Service accounts

This is how Kubernetes offers internal certificate management.

### ✅ --controllers=*,bootstrapsigner,tokencleaner

Controls which controllers run:
- `*` means: run all default controllers
- `bootstrapsigner`: signs bootstrap tokens used by new nodes
- `tokencleaner`: periodically removes expired tokens

You can also disable controllers in custom setups, for example:

```
--controllers=*,-garbagecollector
```
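To make the `*` / `name` / `-name` syntax concrete, here is a small resolver for the `--controllers` value, written as an added example (it is not code from the page or from the Kubernetes project). The controller names are illustrative: the on-by-default set is a placeholder, and only `bootstrapsigner` and `tokencleaner` are assumed to be off by default, which is why the manifest has to list them explicitly next to `*`.

```python
# Illustrative controller names (assumed, not the real, version-specific list).
DEFAULT_ON = frozenset({"nodeipam", "replicaset", "garbagecollector",
                        "serviceaccount", "persistentvolume-binder", "job"})
# Assumed to be disabled unless named explicitly, as the manifest does.
DEFAULT_OFF = frozenset({"bootstrapsigner", "tokencleaner"})
ALL_CONTROLLERS = DEFAULT_ON | DEFAULT_OFF


def is_controller_enabled(name, flag_value, default_off=DEFAULT_OFF):
    """Decide whether one controller runs under a given --controllers value.

    Semantics of the flag: the first explicit mention of a name ('name' or
    '-name') wins; otherwise '*' enables it only if it is on by default.
    """
    has_star = False
    for item in flag_value.split(","):
        item = item.strip()
        if item == name:
            return True
        if item == "-" + name:
            return False
        if item == "*":
            has_star = True
    return has_star and name not in default_off


def resolve_controllers(flag_value, known=ALL_CONTROLLERS, default_off=DEFAULT_OFF):
    """Expand a --controllers value into the set of controllers that will run."""
    return frozenset(n for n in known if is_controller_enabled(n, flag_value, default_off))


if __name__ == "__main__":
    for value in ("*", "*,bootstrapsigner,tokencleaner", "*,-garbagecollector"):
        print(f"{value!r:40} -> {sorted(resolve_controllers(value))}")
```

Running it shows that a bare `*` leaves the two token controllers off, and that `-garbagecollector` removes one controller without listing all the others by hand.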
### ✅ --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt

📨 Used when requests arrive through a proxy in front of the API server (e.g., kube-aggregator). This CA is what the identity headers forwarded by the proxy are validated against.

### ✅ --root-ca-file=/etc/kubernetes/pki/ca.crt

📎 Injected into service account secrets as ca.crt.
- Lets pods verify the identity of the kube-apiserver.
- Ensures secure communication.

### ✅ --service-account-private-key-file=/etc/kubernetes/pki/sa.key

🔑 Used to sign service account tokens, so the kube-apiserver can validate them.
- Every pod with a service account gets a token.
- This token is signed by this key.

### ✅ --service-cluster-ip-range=172.20.0.0/16

🎯 Defines the IP range for ClusterIP Services.
- Every Kubernetes Service gets a virtual IP from this pool.
- Must not overlap with the pod CIDR (--cluster-cidr).
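The per-node carving behind --allocate-node-cidrs / --cluster-cidr and the overlap rule for --service-cluster-ip-range, modelled with Python's standard `ipaddress` module. This is an added example, not code from the page or from Kubernetes: the allocator is a simplified model of the real range allocator (it hands out subnets in order and does not reclaim them when nodes go away), and the /24 per-node size is an assumption (the IPv4 default of `--node-cidr-mask-size`, which the manifest above does not set).

```python
import ipaddress

# Values taken from the manifest on this page.
CLUSTER_CIDR = "172.17.0.0/16"   # --cluster-cidr: pod IPs
SERVICE_CIDR = "172.20.0.0/16"   # --service-cluster-ip-range: ClusterIPs
# Assumed: the IPv4 default of --node-cidr-mask-size (the manifest does not set it).
NODE_MASK = 24


def allocate_node_cidrs(cluster_cidr, node_names, node_mask=NODE_MASK):
    """Simplified model of the range allocator behind --allocate-node-cidrs.

    Carves the pod CIDR into equal per-node subnets and hands them out in order.
    A node that cannot be served gets None (in a real cluster it would stay
    without a podCIDR, which is the exhaustion failure mode to watch for).
    """
    pool = ipaddress.ip_network(cluster_cidr)
    free = pool.subnets(new_prefix=node_mask)  # /24s in ascending order
    assignments = {}
    for name in node_names:
        subnet = next(free, None)
        assignments[name] = str(subnet) if subnet is not None else None
    return assignments


def node_capacity(cluster_cidr, node_mask=NODE_MASK):
    """How many nodes fit in the pod CIDR at the given per-node mask."""
    return 2 ** (node_mask - ipaddress.ip_network(cluster_cidr).prefixlen)


def check_no_overlap(cluster_cidr, service_cidr):
    """Pod and Service ranges must be disjoint; return a finding or None."""
    pods = ipaddress.ip_network(cluster_cidr)
    services = ipaddress.ip_network(service_cidr)
    if pods.overlaps(services):
        return f"pod CIDR {pods} overlaps service CIDR {services}"
    return None


if __name__ == "__main__":
    for node, cidr in allocate_node_cidrs(CLUSTER_CIDR, ["node-a", "node-b", "node-c"]).items():
        print(f"{node}: {cidr}")
    print("node capacity:", node_capacity(CLUSTER_CIDR))
    print("manifest ranges:", check_no_overlap(CLUSTER_CIDR, SERVICE_CIDR) or "disjoint")
    print("bad ranges:", check_no_overlap("10.0.0.0/8", "10.96.0.0/12"))
```

With the manifest's values a /16 pod range at /24 per node caps the cluster at 256 nodes; the overlap check is the one to run whenever either range is changed, since an overlap breaks routing in ways that only show up once a colliding Service or pod IP is allocated.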
### ✅ --use-service-account-credentials=true

🔐 Ensures that individual controllers use their own service account tokens rather than the shared controller-manager kubeconfig.

Security best practice: each controller acts under its own identity with only the permissions it needs.
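The flag-level best practices above (loopback bind, per-controller credentials, the CA and signing-key files) are the kind of thing a defender checks against a live manifest. The following audit is an added example, not code from the page or from Kubernetes; the command list is copied from the manifest on this page as constructed input, and the defaults it assumes for absent flags (bind-address 0.0.0.0, use-service-account-credentials false, leader-elect true) are the binary's as I know them, not values stated on the page.

```python
# Constructed input: the command list copied from the manifest on this page.
MANIFEST_COMMAND = [
    "kube-controller-manager",
    "--allocate-node-cidrs=true",
    "--authentication-kubeconfig=/etc/kubernetes/controller-manager.conf",
    "--authorization-kubeconfig=/etc/kubernetes/controller-manager.conf",
    "--bind-address=127.0.0.1",
    "--client-ca-file=/etc/kubernetes/pki/ca.crt",
    "--cluster-cidr=172.17.0.0/16",
    "--cluster-name=kubernetes",
    "--cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt",
    "--cluster-signing-key-file=/etc/kubernetes/pki/ca.key",
    "--controllers=*,bootstrapsigner,tokencleaner",
    "--kubeconfig=/etc/kubernetes/controller-manager.conf",
    "--leader-elect=true",
    "--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt",
    "--root-ca-file=/etc/kubernetes/pki/ca.crt",
    "--service-account-private-key-file=/etc/kubernetes/pki/sa.key",
    "--service-cluster-ip-range=172.20.0.0/16",
    "--use-service-account-credentials=true",
]

# Flags whose absence removes a property described on this page.
REQUIRED_FLAGS = {
    "client-ca-file": "incoming client certificates are not verified",
    "root-ca-file": "pods get no ca.crt to verify the kube-apiserver",
    "service-account-private-key-file": "service account tokens cannot be signed",
}


def parse_flags(command):
    """Turn ['--a=b', '--c'] into {'a': 'b', 'c': 'true'}; command[0] is the binary."""
    flags = {}
    for arg in command[1:]:
        if not arg.startswith("--"):
            continue
        key, _, value = arg[2:].partition("=")
        flags[key] = value if value else "true"  # a bare boolean flag means true
    return flags


def audit_command(command):
    """Return [(flag, finding), ...] for settings weaker than this page recommends.

    Defaults used for absent flags are assumptions about the binary, not
    values taken from the page.
    """
    flags = parse_flags(command)
    findings = []

    bind = flags.get("bind-address", "0.0.0.0")
    if bind not in ("127.0.0.1", "::1"):
        findings.append(("bind-address", f"listener bound to {bind}, not loopback"))

    if flags.get("use-service-account-credentials", "false") != "true":
        findings.append(("use-service-account-credentials",
                         "all controllers share the kubeconfig identity"))

    if flags.get("leader-elect", "true") != "true":
        findings.append(("leader-elect", "several replicas could act at once"))

    for flag, why in REQUIRED_FLAGS.items():
        if not flags.get(flag):
            findings.append((flag, f"not set: {why}"))

    return findings


if __name__ == "__main__":
    for flag, finding in audit_command(MANIFEST_COMMAND) or [("-", "no findings")]:
        print(f"{flag}: {finding}")
```

Against the page's manifest the audit is clean; the same checks are what benchmark tools such as kube-bench run across the control-plane manifests, and the point of writing them out is that each finding maps to a specific flag explained above.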
## 🔹 HEALTH CHECKS

### ✅ startupProbe and livenessProbe

- Both check `https://127.0.0.1:10257/healthz`
- Periodically run by the kubelet
- Failure triggers a restart

⚠️ These endpoints are only reachable locally (the listener is bound to 127.0.0.1).
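What "failure triggers a restart" means in time is set by the two probes' `failureThreshold` and `periodSeconds` values from the manifest above. The simulation below is an added example (not code from the page or from the kubelet) of the kubelet's handling as I understand it: the startupProbe runs alone until it first succeeds, only then does the livenessProbe start, and each probe kills the container after `failureThreshold` consecutive failures, with any success resetting the count.

```python
# Probe settings copied from the manifest on this page.
STARTUP_PROBE = {"failureThreshold": 24, "periodSeconds": 10}
LIVENESS_PROBE = {"failureThreshold": 8, "periodSeconds": 10}


def failure_budget_seconds(probe):
    """Longest run of consecutive failures the kubelet tolerates before acting."""
    return probe["failureThreshold"] * probe["periodSeconds"]


def simulate_probes(healthz_results, startup=STARTUP_PROBE, liveness=LIVENESS_PROBE):
    """Simplified model of kubelet probe handling for one container.

    healthz_results is the answer /healthz gives at each probe tick
    (True = 200 OK). Returns (outcome, ticks_consumed) where outcome is
    'running', 'startup-failed' or 'liveness-failed'.
    """
    phase, consecutive_failures = "startup", 0
    for tick, healthy in enumerate(healthz_results, start=1):
        probe = startup if phase == "startup" else liveness
        if healthy:
            consecutive_failures = 0
            if phase == "startup":
                phase = "liveness"  # startup succeeded once; liveness takes over
            continue
        consecutive_failures += 1
        if consecutive_failures >= probe["failureThreshold"]:
            return (f"{phase}-failed", tick)
    return ("running", len(healthz_results))


if __name__ == "__main__":
    print("startup budget:", failure_budget_seconds(STARTUP_PROBE), "s")
    print("liveness budget:", failure_budget_seconds(LIVENESS_PROBE), "s")
    print("slow start:", simulate_probes([False] * 23 + [True]))
    print("hung after start:", simulate_probes([True] + [False] * 8))
    print("flapping:", simulate_probes([True] + [False] * 7 + [True] + [False] * 7))
```

With the manifest's numbers a slow start gets 240 s before the container is killed, while a controller-manager that stops answering after it came up is restarted within 80 s; a single healthy reply in between resets the liveness count, which is why a flapping endpoint can survive indefinitely and is worth alerting on separately.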
## 🔹 VOLUME MOUNTS

| Volume | Purpose |
|---|---|
| /etc/kubernetes/pki | Contains all certs and keys |
| /etc/kubernetes/controller-manager.conf | Kubeconfig file |
| /usr/libexec/kubernetes/kubelet-plugins/volume/exec | For legacy FlexVolume plugins |
| /etc/ssl/certs, /etc/ca-certificates, etc. | Standard Linux CA locations |

All of these (mounted read-only, except the FlexVolume directory) allow the controller-manager to:
- Talk securely to the API server
- Access CA certificates
- Sign tokens and CSRs

## 🔹 OTHER IMPORTANT FIELDS

| Field | Description |
|---|---|
| hostNetwork: true | Shares the host's network stack. Needed for the localhost binding to work. |
| priorityClassName: system-node-critical | Highest scheduling priority; won't be evicted easily. |
| seccompProfile: RuntimeDefault | Enables syscall filtering for better security. |
## 🧠 Summary Table (Plain English)
| What it does | Why it matters |
|---|---|
| Talks to kube-apiserver securely | Needed to watch and act on cluster events |
| Runs all internal controllers | Ensures auto-repair, replication, token mgmt, etc. |
| Assigns Pod CIDRs to nodes | Needed for pod networking |
| Signs certs and tokens | For node/pod authentication |
| Handles service IP range | Ensures unique service IPs |
| Uses service account tokens | Improves granularity and security |
| Health probed via /healthz | Lets kubelet restart if unresponsive |