The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.
The module lifecycle stage: General Availability
ControlPlaneNode
Scope: Namespaced
Version: v1alpha1
Describes the desired and observed state of control plane components on a single node: etcd, kube-apiserver, kube-controller-manager, kube-scheduler.
The resource is created and updated by the control-plane-manager module automatically. Users do not need to create or edit it.
Useful for diagnosing the health of the control plane on the node:
  - ETCD, APISERVER, CONTROLLERMANAGER and SCHEDULER columns of kubectl get cpn show component readiness.
  - CERTIFICATES column shows overall certificate health.
  - spec.components contains desired fingerprints, while status.components contains the actually applied ones.
- string apiVersion
- string kind
- object metadata
- object spec
Describes the desired state of control plane components on the node.
- string spec.caChecksum
Checksum of the d8-pki Secret containing CA certificates that must be applied to all components on the node.
- object spec.components
Contains the desired configuration and PKI checksums for each control plane component.
If a value in spec.components.<component>.checksums differs from the corresponding value in status.components.<component>.checksums, the module starts a ControlPlaneOperation to bring the component to the desired state.
- object spec.components.etcd
Desired state of the etcd component.
- object spec.components.etcd.checksums
Desired checksums for the component.
- string spec.components.etcd.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string spec.components.etcd.checksums.config
Checksum of the component static pod manifest and associated configuration files.
- string spec.components.etcd.checksums.pki
Checksum of the component PKI settings (certSANs, encryption-algorithm).
- object spec.components.kube-apiserver
Desired state of the kube-apiserver component.
- object spec.components.kube-apiserver.checksums
Desired checksums for the component.
- string spec.components.kube-apiserver.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string spec.components.kube-apiserver.checksums.config
Checksum of the component static pod manifest and associated configuration files.
- string spec.components.kube-apiserver.checksums.pki
Checksum of the component PKI settings (certSANs, encryption-algorithm).
- object spec.components.kube-controller-manager
Desired state of the kube-controller-manager component.
- object spec.components.kube-controller-manager.checksums
Desired checksums for the component.
- string spec.components.kube-controller-manager.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string spec.components.kube-controller-manager.checksums.config
Checksum of the component static pod manifest and associated configuration files.
- string spec.components.kube-controller-manager.checksums.pki
Checksum of the component PKI settings (certSANs, encryption-algorithm).
- object spec.components.kube-scheduler
Desired state of the kube-scheduler component.
- object spec.components.kube-scheduler.checksums
Desired checksums for the component.
- string spec.components.kube-scheduler.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string spec.components.kube-scheduler.checksums.config
Checksum of the component static pod manifest and associated configuration files.
- string spec.components.kube-scheduler.checksums.pki
Checksum of the component PKI settings (certSANs, encryption-algorithm).
- object status
Describes the observed state of control plane components on the node.
- string status.caChecksum
Actually applied checksum of CA certificates.
- object status.components
Contains the observed state for each component: applied checksums and certificate expiration dates.
- object status.components.etcd
Observed state of the etcd component.
- object status.components.etcd.certificatesExpirationTime
Maps each component certificate file name to its NotAfter timestamp.
Populated during the CertObserve step.
- object status.components.etcd.checksums
Applied checksums for the component.
- string status.components.etcd.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string status.components.etcd.checksums.config
Applied checksum of the component static pod manifest and associated configuration files.
- string status.components.etcd.checksums.pki
Applied checksum of the component PKI settings (certSANs, encryption-algorithm).
- string status.components.etcd.lastCertObserveTime
Time of the last successful CertObserve step for the component.
- object status.components.kube-apiserver
Observed state of the kube-apiserver component.
- object status.components.kube-apiserver.certificatesExpirationTime
Maps each component certificate file name to its NotAfter timestamp.
Populated during the CertObserve step.
- object status.components.kube-apiserver.checksums
Applied checksums for the component.
- string status.components.kube-apiserver.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string status.components.kube-apiserver.checksums.config
Applied checksum of the component static pod manifest and associated configuration files.
- string status.components.kube-apiserver.checksums.pki
Applied checksum of the component PKI settings (certSANs, encryption-algorithm).
- string status.components.kube-apiserver.lastCertObserveTime
Time of the last successful CertObserve step for the component.
- object status.components.kube-controller-manager
Observed state of the kube-controller-manager component.
- object status.components.kube-controller-manager.certificatesExpirationTime
Maps each component certificate file name to its NotAfter timestamp.
Populated during the CertObserve step.
- object status.components.kube-controller-manager.checksums
Applied checksums for the component.
- string status.components.kube-controller-manager.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string status.components.kube-controller-manager.checksums.config
Applied checksum of the component static pod manifest and associated configuration files.
- string status.components.kube-controller-manager.checksums.pki
Applied checksum of the component PKI settings (certSANs, encryption-algorithm).
- string status.components.kube-controller-manager.lastCertObserveTime
Time of the last successful CertObserve step for the component.
- object status.components.kube-scheduler
Observed state of the kube-scheduler component.
- object status.components.kube-scheduler.certificatesExpirationTime
Maps each component certificate file name to its NotAfter timestamp.
Populated during the CertObserve step.
- object status.components.kube-scheduler.checksums
Applied checksums for the component.
- string status.components.kube-scheduler.checksums.ca
Checksum of the CA certificates applied to the component.
Absent in spec because CA configuration is global.
Set in status after the component pod restarts with the new CA certificates.
- string status.components.kube-scheduler.checksums.config
Applied checksum of the component static pod manifest and associated configuration files.
- string status.components.kube-scheduler.checksums.pki
Applied checksum of the component PKI settings (certSANs, encryption-algorithm).
- string status.components.kube-scheduler.lastCertObserveTime
Time of the last successful CertObserve step for the component.
- array of objects status.conditions
List of conditions reflecting the readiness of control plane components on the node.
Possible condition types:
  - EtcdReady: etcd is running and accepting requests (ETCD column).
  - APIServerReady: kube-apiserver is running and accepting requests (APISERVER column).
  - ControllerManagerReady: kube-controller-manager is running (CONTROLLERMANAGER column).
  - SchedulerReady: kube-scheduler is running (SCHEDULER column).
  - CertificatesHealthy: All component certificates are valid and have enough lifetime left (CERTIFICATES column).
When status is False, the cause is described in reason and message.
- string status.conditions.lastTransitionTime
Required value
Time of the last condition status transition.
- string status.conditions.message
Required value
Human-readable description of the current condition state.
Maximum length: 32768
- integer status.conditions.observedGeneration
The .metadata.generation value used to calculate the current condition state.
Allowed values: 0 <= X
- string status.conditions.reason
Required value
Machine-readable reason for the current condition state.
Pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
Length: 1..1024
- string status.conditions.status
Required value
Status of the condition.
Allowed values: True, False, Unknown
- string status.conditions.type
Required value
Type of the condition in CamelCase or in the foo.example.com/CamelCase format.
Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
Maximum length: 316
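The spec/status checksum comparison and the certificatesExpirationTime map described above can be checked offline from a saved ControlPlaneNode object. The following is an added example, not code from the control-plane-manager module; the sample object, the certificate file names, the RFC 3339 timestamp format and the comparison of checksums.ca against spec.caChecksum are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get cpn <node> -o json`; every value is made up.
SAMPLE_CPN = json.loads("""{
  "spec": {"caChecksum": "ca-v2", "components": {
    "etcd":           {"checksums": {"config": "c1", "pki": "p1"}},
    "kube-apiserver": {"checksums": {"config": "c9", "pki": "p2"}}}},
  "status": {"caChecksum": "ca-v2", "components": {
    "etcd": {
      "checksums": {"ca": "ca-v2", "config": "c1", "pki": "p1"},
      "certificatesExpirationTime": {"server.crt": "2031-01-01T00:00:00Z"}},
    "kube-apiserver": {
      "checksums": {"ca": "ca-v1", "config": "c8", "pki": "p2"},
      "certificatesExpirationTime": {"apiserver.crt": "2030-01-10T00:00:00Z"}}}}
}""")


def audit_cpn(cpn, now, warn_days=30):
    """Return (drift, expiring) for one ControlPlaneNode object.

    drift    -- (component, checksum) pairs where status does not match spec
    expiring -- (component, certificate) pairs within warn_days of NotAfter
    """
    spec, status = cpn.get("spec", {}), cpn.get("status", {})
    drift, expiring = [], []
    if spec.get("caChecksum") != status.get("caChecksum"):
        drift.append(("node", "caChecksum"))
    for name, desired in spec.get("components", {}).items():
        observed = status.get("components", {}).get(name, {})
        applied = observed.get("checksums", {})
        for key in ("config", "pki"):
            if desired.get("checksums", {}).get(key) != applied.get(key):
                drift.append((name, key))
        # checksums.ca exists only in status; assumed comparable to spec.caChecksum.
        if applied.get("ca") != spec.get("caChecksum"):
            drift.append((name, "ca"))
        for cert, not_after in observed.get("certificatesExpirationTime", {}).items():
            # Assumption: RFC 3339 UTC timestamps such as 2030-01-10T00:00:00Z.
            expires = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ")
            if expires.replace(tzinfo=timezone.utc) - now < timedelta(days=warn_days):
                expiring.append((name, cert))
    return drift, expiring


if __name__ == "__main__":
    print(audit_cpn(SAMPLE_CPN, datetime.now(timezone.utc)))
```

A non-empty drift list for a component means an operation for it is still pending or did not apply the intended state.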
ControlPlaneOperation
Scope: Namespaced
Version: v1alpha1
ControlPlaneOperation describes a single update operation for a control plane component on a specific node — for example, certificate renewal or applying a new manifest.
The resource is created and updated by the control-plane-manager module automatically; users do not need to create or edit it.
Useful for diagnostics: shows which operation is running on the node, which step is currently active and whether the operation completed successfully (see Phase and CurrentStep columns of kubectl get cpo).
- string apiVersion
- string kind
- object metadata
- object spec
Describes the desired state of an operation.
- boolean spec.approved
Required value
Indicates whether the operation is allowed to run.
Only one approved operation may run on a node at a time. The approver controller sets this automatically based on the current control plane state.
Default: false
- string spec.component
Required value
Control plane component the operation targets.
Allowed values: Etcd, KubeAPIServer, KubeControllerManager, KubeScheduler
- string spec.desiredCaChecksum
Expected CA certificate checksum once the operation completes.
Populated only for steps that update the root CA certificate (SyncCA and related).
- string spec.desiredConfigChecksum
Expected component configuration checksum (static pod manifest and associated configuration files) once the operation completes.
Used to confirm that the operation actually applied the intended configuration. After the pod restarts the checksum in ControlPlaneNode.status must match this value.
- string spec.desiredPkiChecksum
Expected component PKI fingerprint (certSANs, encryption-algorithm) once the operation completes.
Populated only for steps that change PKI (RenewPKICerts and related).
- string spec.nodeName
Required value
Name of the control plane node on which the operation must be executed.
- array of strings spec.steps
Required value
Ordered list of steps to perform within the operation.
Possible values:
  - Backup: Backs up the current component configuration (static pod manifest, associated configuration files) into /etc/kubernetes/deckhouse/backup before any changes.
  - SyncCA: Synchronizes CA certificates (ca.crt, ca.key) with the current d8-pki Secret.
  - RenewPKICerts: Re-issues component certificates (server, peer, client).
  - RenewKubeconfigs: Re-issues kubeconfig files used by the component to authenticate against the API.
  - SyncManifests: Updates the static pod manifest and accompanying files (/etc/kubernetes/manifests, associated configuration files) and records changes in /etc/kubernetes/deckhouse/diffs.
  - JoinEtcdCluster: Joins a new member to the etcd cluster.
  - DefragEtcd: Defragments the etcd data store on the target node to reclaim disk space.
  - WaitPodReady: Waits for the component static pod to become Ready after a restart.
  - CertObserve: Collects the current certificate expiration dates for the component and publishes them to status.observedState.
  - RenewSignature: Re-issues the signature key for the kube-apiserver.
- string Element of the array
Name of a single step performed within an operation.
Allowed values: Backup, SyncCA, RenewPKICerts, RenewKubeconfigs, SyncManifests, JoinEtcdCluster, DefragEtcd, WaitPodReady, CertObserve, RenewSignature
- object status
Observed state of an operation.
- array of objects status.conditions
Reflects the operation progress.
The primary condition is Completed. Its reason field is shown in the Phase column of kubectl get cpo:
  - InProgress: Operation is running. The current step name is shown in the CurrentStep column.
  - Succeeded: Operation finished successfully.
  - Failed: Operation finished with an error. See details in message.
- string status.conditions.lastTransitionTime
Required value
Last time the condition transitioned from one status to another.
- string status.conditions.message
Required value
Human-readable description of the current condition state. If there is an error, this field contains the last error output on a step.
Maximum length: 32768
- integer status.conditions.observedGeneration
The .metadata.generation value that the condition was set based upon.
Allowed values: 0 <= X
- string status.conditions.reason
Required value
Machine-readable reason for the current condition state (for example, InProgress, Succeeded, or Failed).
Pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
Length: 1..1024
- string status.conditions.status
Required value
Status of the condition.
Allowed values: True, False, Unknown
- string status.conditions.type
Required value
Type of condition.
In addition to Completed, a separate condition is created for each executed step, where type equals the step name (for example, RenewPKICerts, SyncManifests).
Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
Maximum length: 316
- object status.observedState
Contains the component state collected by the CertObserve step.
Populated only for static pod components (etcd, kube-apiserver, kube-controller-manager, kube-scheduler).
- object status.observedState.certificatesExpirationTime
Maps each component certificate file name to its NotAfter timestamp.
Used by the module for certificate re-issuing and alerting.
KubeSchedulerWebhookConfiguration
Scope: Cluster
Version: v1alpha1
Defines the configuration for connecting a third-party kube-scheduler extender webhook.
An external kube-scheduler webhook makes it possible to extend the scheduler's capabilities and take more complex conditions into account when planning the load in the Kubernetes cluster.
- array of objects webhooks
Required value
- object webhooks.clientConfig
Required value
ClientConfig defines how to communicate with the webhook.
- string webhooks.clientConfig.caBundle
Required value
caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate.
Pattern: ^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}={2})$
- object webhooks.clientConfig.service
Required value
Access to webhook via cluster service.
- string webhooks.clientConfig.service.name
Required value
Service name.
Pattern: ^[0-9a-z\-]+$
Length: 1..255
- string webhooks.clientConfig.service.namespace
Required value
Service namespace.
Pattern: ^[0-9a-z\-]+$
Length: 1..255
- string webhooks.clientConfig.service.path
Required value
URI path.
Pattern: ^[0-9a-zA-Z._\/-]+$
Length: 1..255
- integer webhooks.clientConfig.service.port
Required value
Service port.
Allowed values: 1 <= X <= 65535
- string webhooks.failurePolicy
Specifies whether scheduling should fail when the extender returns an error or is not reachable.
Default: Fail
Allowed values: Fail, Ignore
- string webhooks.filterVerb
Verb appended to URLPrefix when issuing a filter call to the scheduler extender. If omitted, defaults to filter (for backward compatibility, avoid making changes unless necessary). Set to an empty string "" to disable filter calls for this extender.
- string webhooks.preemptVerb
Verb appended to URLPrefix when issuing a preempt call to this extender. Leave empty ("") to disable preempt calls for this extender.
- string webhooks.prioritizeVerb
Verb appended to URLPrefix when issuing a prioritize call to this extender. If omitted, defaults to prioritize (for backward compatibility, avoid making changes unless necessary). Set to an empty string "" to disable prioritize calls for this extender.
- integer webhooks.timeoutSeconds
Webhook timeout in seconds.
Default: 10
Allowed values: 1 <= X <= 60
- integer webhooks.weight
Required value
The numeric multiplier for the node scores that the prioritize call generates.
Allowed values: 1 <= X
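A pre-apply check for one webhooks entry, using the patterns and ranges listed above and reading caBundle as the base64 form of a PEM bundle. This is an added example, not part of Deckhouse; the function name, the sample service values and the placeholder PEM are assumptions, and the PEM check only looks at the framing, not at certificate validity.

```python
import base64
import re

# Patterns and ranges as listed in the field reference above.
NAME_RE = re.compile(r"^[0-9a-z\-]+$")
PATH_RE = re.compile(r"^[0-9a-zA-Z._\/-]+$")

# Constructed placeholder, not a real certificate: only the PEM framing matters here.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_OK = {
    "weight": 5, "failurePolicy": "Fail", "timeoutSeconds": 5,
    "clientConfig": {
        "caBundle": base64.b64encode(FAKE_PEM).decode(),
        "service": {"name": "extender", "namespace": "example-ns",
                    "path": "/scheduler", "port": 8080},
    },
}


def lint_webhook(wh):
    """Return findings for one `webhooks` entry; an empty list means no findings."""
    findings = []
    cfg = wh.get("clientConfig", {})
    svc = cfg.get("service", {})
    for field, rx in (("name", NAME_RE), ("namespace", NAME_RE), ("path", PATH_RE)):
        val = svc.get(field, "")
        if not (isinstance(val, str) and 1 <= len(val) <= 255 and rx.fullmatch(val)):
            findings.append(f"service.{field}: does not match pattern or length 1..255")
    port = svc.get("port")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append("service.port: must be 1..65535")
    try:
        # validate=True rejects characters outside the base64 alphabet.
        pem = base64.b64decode(cfg.get("caBundle", ""), validate=True).decode("ascii")
    except ValueError:
        pem = ""
    if "-----BEGIN CERTIFICATE-----" not in pem:
        findings.append("caBundle: not base64 of a PEM certificate bundle")
    weight = wh.get("weight")
    if not (isinstance(weight, int) and weight >= 1):
        findings.append("weight: must be an integer >= 1")
    if not 1 <= wh.get("timeoutSeconds", 10) <= 60:
        findings.append("timeoutSeconds: must be 1..60")
    policy = wh.get("failurePolicy", "Fail")
    if policy == "Ignore":
        findings.append("failurePolicy: Ignore, scheduling does not fail if the extender errors or is unreachable")
    elif policy != "Fail":
        findings.append("failurePolicy: must be Fail or Ignore")
    return findings
```

The Ignore finding is informational: the value is allowed, but it means placement decisions can be made without the extender's filter being consulted.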