Controllers execute on the control plane, in the Controller Manager. They're reconciliation loops: continually monitoring the desired and actual states of the cluster to identify and execute changes to bring the two in line.

  1. Watch state, either via the watch mechanism or by polling.
  2. Determine and perform operations to reconcile the current state with the desired state.
  3. Submit deltas to the API Server.

Controller Manager

The Controller Manager is made up of two components:

  • kube-controller-manager runs the core controllers. There's only one instance per cluster.
  • cloud-controller-manager was farmed out to enable easier implementation of integrations with the host cloud platform environment at the vendor's own pace.


Admission controllers intercept write requests to the Kubernetes API server after authentication and authorisation but before an object is persisted. There are two types of admission controller, and some controllers are both types:

  • MutatingAdmissionWebhook runs first, and can modify admitted objects.
  • ValidatingAdmissionWebhook runs later, and can reject admitted objects.

A rejection from any admission controller rejects the request.
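
The validating step described above, shown as the AdmissionReview request and response a validating webhook exchanges with the API server. This is an added example, not code from the original page or from Kubernetes. The deny-privileged policy, the type names and the sample request are constructed for illustration, and only `containers` and `initContainers` are inspected.

```go
package main

import "encoding/json"
import "fmt"

// Subset of admission.k8s.io/v1 AdmissionReview; untagged fields decode case-insensitively.
type review struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
type request struct{ UID string; Object pod }
type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
type container struct {
	Name            string
	SecurityContext struct{ Privileged bool }
}
type pod struct{ Spec struct{ Containers, InitContainers []container } }

// validate applies a constructed policy: deny Pods that request a privileged container.
func validate(body []byte) review {
	var in review
	res := &response{}
	out := review{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: res}
	if json.Unmarshal(body, &in) != nil || in.Request == nil {
		res.Status = map[string]string{"message": "malformed AdmissionReview"}
		return out // fail closed: input that does not decode is denied
	}
	res.UID = in.Request.UID // the response must echo the request's uid
	spec := in.Request.Object.Spec
	for _, c := range append(spec.Containers, spec.InitContainers...) {
		if c.SecurityContext.Privileged {
			res.Status = map[string]string{"message": "privileged container: " + c.Name}
			return out
		}
	}
	res.Allowed = len(spec.Containers) > 0 // a Pod has at least one container
	return out
}

func main() { // constructed request with one privileged container
	out, _ := json.Marshal(validate([]byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"constructed-uid","object":{"spec":{"containers":[{"name":"app","securityContext":{"privileged":true}}]}}}}`)))
	fmt.Println(string(out))
}
```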

Admission controllers are enabled with the API server's --enable-admission-plugins switch. Controllers enabled by default can be disabled with --disable-admission-plugins. The list of plugins enabled by default can be obtained from the help output:

kube-apiserver -h | grep enable-admission-plugins


Deploys and maintains a defined number of pods matching the supplied template.


Enables declarative updates of pods and ReplicaSets, providing managed roll forward and back.


DaemonSet allows running a copy of the specified pod on all, or all matching, nodes. It's commonly used for cluster components and monitoring/maintenance agents.


Allows management of stateful applications, providing unique network names, persistent storage and ordered operations for scaling and rolling updates.


Facilitates batch workloads, creating one or more pods and ensuring that a defined number of them terminate successfully.


Runs a Job on a defined schedule.


Monitors the up/down state of nodes and resources running on them.


Manages the creation and deletion of load balancers.


Manages the endpoints for Kubernetes services based on the configured selectors and readiness states of pods.
