惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Project Zero
Project Zero
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - 【当耐特】
Hugging Face - Blog
Hugging Face - Blog
Jina AI
Jina AI
V
V2EX
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 叶小钗
GbyAI
GbyAI
阮一峰的网络日志
阮一峰的网络日志
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Hacker News: Ask HN
Hacker News: Ask HN
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Privacy & Cybersecurity Law Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
A
About on SuperTechFans
D
DataBreaches.Net
The Cloudflare Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
大猫的无限游戏
大猫的无限游戏
Know Your Adversary
Know Your Adversary
T
Tenable Blog
N
News and Events Feed by Topic
PCI Perspectives
PCI Perspectives
The Register - Security
The Register - Security
O
OpenAI News
G
Google Developers Blog
T
The Blog of Author Tim Ferriss
C
CERT Recently Published Vulnerability Notes
U
Unit 42
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Palo Alto Networks Blog
人人都是产品经理
人人都是产品经理
酷 壳 – CoolShell
酷 壳 – CoolShell
N
Netflix TechBlog - Medium
V
Vulnerabilities – Threatpost
月光博客
月光博客
Recorded Future
Recorded Future
P
Proofpoint News Feed
Cisco Talos Blog
Cisco Talos Blog
P
Privacy International News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
博客园 - Franky
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
V
Visual Studio Blog

LearnKube

Server-side apply: what happens when you run kubectl apply Kubelet Metrics: How cAdvisor and CRI Collect Kubernetes Stats How does the Kubernetes controller manager work? Why etcd breaks at scale in Kubernetes How does the Kubernetes scheduler work? What happens inside the Kubernetes API server? From Linux Primitives to Kubernetes Security Contexts Kubernetes networking: service, kube-proxy, load balancing Load balancing and scaling long-lived connections in Kubernetes Kubernetes Authentication: Users and Workload Identities The mechanics of Kubernetes RBAC and how it connects users to permissions How etcd works with and without Kubernetes Provisioning Kubernetes clusters on GCP with Terraform and GKE Authentication between microservices using Kubernetes identities Provisioning Kubernetes clusters on AWS with Terraform and EKS Graceful shutdown in Kubernetes Allocatable memory and CPU in Kubernetes Nodes A visual guide on troubleshooting Kubernetes deployments Developing and packaging Node.js app with Docker Deploying Node.js apps in a local Kubernetes cluster How to Rollback a Deployment in Kubernetes Architecting Kubernetes clusters — choosing a worker node size
How the Kubernetes control plane works
LearnKube · 2026-04-17 · via LearnKube

Map of the Kubernetes control plane


Articles in this series

The Kubernetes control plane is the part of the cluster that accepts changes, stores the desired state, and decides what happens next.

When you create a Deployment, update a Service, or delete a Pod, you interact with the control plane instead of the worker nodes.

This layer manages the entire cluster, and it helps answer questions like:

  • Is this request allowed?
  • Where should this Pod run?
  • Why are there only 2 Pods when the Deployment asked for 3?
  • Which Pods should receive traffic for this Service?

While worker nodes run your containers, the control plane tracks the plan and works to keep the cluster aligned with it.

That is why Kubernetes feels declarative: you do not need to tell a node to start a specific container.

Instead, you set the desired state in the control plane, and the control plane handles the rest.

What are the control plane components?

At a high level, the Kubernetes control plane has four main parts:

  • the API server, which is the front door to the cluster
  • etcd, which stores the cluster state
  • the scheduler, which picks a node for each Pod
  • the controller manager, which runs loops to keep the actual state in line with the desired state
Diagram of the Kubernetes control plane showing kubectl sending a Deployment to the API server, while the scheduler and controller manager watch through the API server and only the API server talks to etcd.

Each component has a specific job:

  • The API server handles the request path: authentication, authorization, admission, and storage.
  • etcd keeps a durable, strongly consistent record of cluster state.
  • The controller manager runs the reconciliation loops behind Deployments, ReplicaSets, StatefulSets, etc.
  • The scheduler focuses on one decision: where each unscheduled Pod should run.

In other words, the API server acts as the gateway, etcd stores the records, the controller manager moves objects toward the desired state, and the scheduler decides where to place them.

Suppose you run:

kubectl apply -f deployment.yaml

This command triggers a series of actions inside the control plane.

The API server is the entry point

Kubernetes does not save that Deployment directly to storage.

It first decides:

  • Who you are.
  • Whether you are allowed to do this.
  • Whether the object should be modified before it is stored.
  • Whether the final object is valid.
Diagram of the API server request path showing kubectl entering API aggregation, then authentication, authorization, mutation admission, schema validation, validation admission, resource handlers, and finally etcd, with Metrics Server and external webhooks attached.

The API server checks the request for authentication, authorization, mutation, schema validation, and admission before storing it.

Only then does it hand the request to the relevant resource handler and persist it in etcd.

The API server also manages API aggregation, which lets some APIs, like Metrics Server, look native even if another component serves them.

This full request path (from authentication to admission to storage) is at the heart of the API server's job.

You can explore the API server in this article.

etcd stores the desired state

Once the API server accepts a change, it writes it to etcd.

Only the API server communicates directly with etcd: the scheduler and controller manager watch the API server instead of connecting to the database themselves.

etcd is a small, consistent key-value store built around Raft.

The leader accepts writes, replicates them to followers, and commits a new revision once a quorum agrees.

Diagram of etcd Raft replication with a leader receiving a write for MY_KEY equals 1 and replicating it to multiple follower nodes.

This design gives Kubernetes not only durability, but also ordered revisions and efficient change tracking.

That combination gives Kubernetes ordered updates and efficient change notifications because the control plane is built around etcd revisions and watches.

In large clusters, these strengths can have drawbacks: consensus is costly, the database uses a single bbolt file, every change creates a new revision, and the API server increases the load with its caches and watches.

That is also where etcd can become a scaling bottleneck.

You can explore how etcd works (inside and outside) Kubernetes in this article.

You can also explore how etcd (and API server) break at scale in this other article.

The controller manager turns intent into actions

After the Deployment is stored, the controller manager picks up the change.

At this point, Kubernetes shifts from just storing objects to acting as an automated system.

The controller manager runs many smaller control loops.

Diagram of the ReplicaSet controller reconciliation loop: observe Pods, compare the current Pod count with spec.replicas, then create or delete Pods.

Each loop handles a specific part of the system: some create Pods, some respond to node or endpoint changes, some manage storage, and others clean up unused objects.

All these loops follow the same pattern: they observe the current state, compare it to the desired state, act to close the gap, and repeat the process.

You create a Deployment, and the Deployment controller creates a ReplicaSet.

The ReplicaSet controller sees that the ReplicaSet wants three Pods and currently has zero, so it creates three Pods.

Under the hood, controllers watch for changes, queue the affected object, and reconcile from the cache rather than reading etcd directly on every pass.

You can explore how the controller manager works in this article.

You can learn how to leverage informers to build your own reconciliaiton loops by building a simple live Kubernetes dashboard.

The scheduler turns Pods into placements

The scheduler also runs in a loop, but its role is more focused.

It looks for Pods without a node, removes nodes that cannot run them, ranks the remaining options, and then assigns the Pod to a chosen node.

In practice, scheduling mostly involves eliminating unsuitable nodes first, then ranking the rest.

This is why features like node affinity, taints and tolerations, topology spread constraints, and resource requests are important: they influence how the scheduler filters and ranks nodes.

You can learn about the scheduler in this article.

Read the control plane as a chain reaction

The simplest way to see how everything connects is to follow a Deployment as it moves through the control plane:

  1. kubectl apply sends a request to the API server.
  2. The API server authenticates, authorizes, mutates, validates, and stores the Deployment in etcd.
  3. The Deployment controller notices the new Deployment and creates a ReplicaSet.
  4. The ReplicaSet controller notices the ReplicaSet and creates Pods.
  5. The scheduler notices the Pods without a node and assigns each one to a machine.
  6. The kubelet starts the containers.
  7. The EndpointSlice controller notices readiness changes and updates service routing.

By the time the Pod starts, the original Deployment has already gone through storage, reconciliation, and scheduling.