The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.

The module lifecycle stage: General Availability

ControlPlaneNode

Scope: Namespaced
Version: v1alpha1

Describes the desired and observed state of control plane components on a single node: etcd, kube-apiserver, kube-controller-manager, kube-scheduler.

The resource is created and updated by the control-plane-manager module automatically. Users do not need to create or edit it.

Useful for diagnosing the health of the control plane on the node:

  • ETCD, APISERVER, CONTROLLERMANAGER and SCHEDULER columns of kubectl get cpn show component readiness.
  • CERTIFICATES column shows overall certificate health.
  • spec.components contains desired fingerprints, while status.components contains the actually applied ones.

  • apiVersion
    string
  • kind
    string
  • metadata
    object
  • spec
    object

    Describes the desired state of control plane components on the node.

    • spec.caChecksum
      string

      Checksum of the d8-pki Secret containing CA certificates that must be applied to all components on the node.

    • spec.components
      object

      Contains the desired configuration and PKI checksums for each control plane component.

      If a value in spec.components.<component>.checksums differs from the corresponding value in status.components.<component>.checksums, the module starts a ControlPlaneOperation to bring the component to the desired state.

      • spec.components.etcd
        object

        Desired state of the etcd component.

        • spec.components.etcd.checksums
          object

          Desired checksums for the component.

          • spec.components.etcd.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • spec.components.etcd.checksums.config
            string

            Checksum of the component static pod manifest and associated configuration files.

          • spec.components.etcd.checksums.pki
            string

            Checksum of the component PKI settings (certSANs, encryption-algorithm).

      • spec.components.kube-apiserver
        object

        Desired state of the kube-apiserver component.

        • spec.components.kube-apiserver.checksums
          object

          Desired checksums for the component.

          • spec.components.kube-apiserver.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • spec.components.kube-apiserver.checksums.config
            string

            Checksum of the component static pod manifest and associated configuration files.

          • spec.components.kube-apiserver.checksums.pki
            string

            Checksum of the component PKI settings (certSANs, encryption-algorithm).

      • spec.components.kube-controller-manager
        object

        Desired state of the kube-controller-manager component.

        • spec.components.kube-controller-manager.checksums
          object

          Desired checksums for the component.

          • spec.components.kube-controller-manager.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • spec.components.kube-controller-manager.checksums.config
            string

            Checksum of the component static pod manifest and associated configuration files.

          • spec.components.kube-controller-manager.checksums.pki
            string

            Checksum of the component PKI settings (certSANs, encryption-algorithm).

      • spec.components.kube-scheduler
        object

        Desired state of the kube-scheduler component.

        • spec.components.kube-scheduler.checksums
          object

          Desired checksums for the component.

          • spec.components.kube-scheduler.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • spec.components.kube-scheduler.checksums.config
            string

            Checksum of the component static pod manifest and associated configuration files.

          • spec.components.kube-scheduler.checksums.pki
            string

            Checksum of the component PKI settings (certSANs, encryption-algorithm).

  • status
    object

    Describes the observed state of control plane components on the node.

    • status.caChecksum
      string

      Actually applied checksum of CA certificates.

    • status.components
      object

      Contains the observed state for each component: applied checksums and certificate expiration dates.

      • status.components.etcd
        object

        Observed state of the etcd component.

        • status.components.etcd.certificatesExpirationTime
          object

          Maps each component certificate file name to its NotAfter timestamp.

          Populated during the CertObserve step.

        • status.components.etcd.checksums
          object

          Applied checksums for the component.

          • status.components.etcd.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • status.components.etcd.checksums.config
            string

            Applied checksum of the component static pod manifest and associated configuration files.

          • status.components.etcd.checksums.pki
            string

            Applied checksum of the component PKI settings (certSANs, encryption-algorithm).

        • status.components.etcd.lastCertObserveTime
          string

          Time of the last successful CertObserve step for the component.

      • status.components.kube-apiserver
        object

        Observed state of the kube-apiserver component.

        • status.components.kube-apiserver.certificatesExpirationTime
          object

          Maps each component certificate file name to its NotAfter timestamp.

          Populated during the CertObserve step.

        • status.components.kube-apiserver.checksums
          object

          Applied checksums for the component.

          • status.components.kube-apiserver.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • status.components.kube-apiserver.checksums.config
            string

            Applied checksum of the component static pod manifest and associated configuration files.

          • status.components.kube-apiserver.checksums.pki
            string

            Applied checksum of the component PKI settings (certSANs, encryption-algorithm).

        • status.components.kube-apiserver.lastCertObserveTime
          string

          Time of the last successful CertObserve step for the component.

      • status.components.kube-controller-manager
        object

        Observed state of the kube-controller-manager component.

        • status.components.kube-controller-manager.certificatesExpirationTime
          object

          Maps each component certificate file name to its NotAfter timestamp.

          Populated during the CertObserve step.

        • status.components.kube-controller-manager.checksums
          object

          Applied checksums for the component.

          • status.components.kube-controller-manager.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • status.components.kube-controller-manager.checksums.config
            string

            Applied checksum of the component static pod manifest and associated configuration files.

          • status.components.kube-controller-manager.checksums.pki
            string

            Applied checksum of the component PKI settings (certSANs, encryption-algorithm).

        • status.components.kube-controller-manager.lastCertObserveTime
          string

          Time of the last successful CertObserve step for the component.

      • status.components.kube-scheduler
        object

        Observed state of the kube-scheduler component.

        • status.components.kube-scheduler.certificatesExpirationTime
          object

          Maps each component certificate file name to its NotAfter timestamp.

          Populated during the CertObserve step.

        • status.components.kube-scheduler.checksums
          object

          Applied checksums for the component.

          • status.components.kube-scheduler.checksums.ca
            string

            Checksum of the CA certificates applied to the component.

            Absent in spec because CA configuration is global.

            Set in status after the component pod restarts with the new CA certificates.

          • status.components.kube-scheduler.checksums.config
            string

            Applied checksum of the component static pod manifest and associated configuration files.

          • status.components.kube-scheduler.checksums.pki
            string

            Applied checksum of the component PKI settings (certSANs, encryption-algorithm).

        • status.components.kube-scheduler.lastCertObserveTime
          string

          Time of the last successful CertObserve step for the component.

    • status.conditions
      array of objects

      List of conditions reflecting the readiness of control plane components on the node.

      Possible condition types:

      • EtcdReady: etcd is running and accepting requests (ETCD column).
      • APIServerReady: kube-apiserver is running and accepting requests (APISERVER column).
      • ControllerManagerReady: kube-controller-manager is running (CONTROLLERMANAGER column).
      • SchedulerReady: kube-scheduler is running (SCHEDULER column).
      • CertificatesHealthy: All component certificates are valid and have enough lifetime left (CERTIFICATES column).

      When status is False, the cause is described in reason and message.

      • status.conditions.lastTransitionTime
        string

        Required value

        Time of the last condition status transition.

      • status.conditions.message
        string

        Required value

        Human-readable description of the current condition state.

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer

        The .metadata.generation value used to calculate the current condition state.

        Allowed values: 0 <= X

      • status.conditions.reason
        string

        Required value

        Machine-readable reason for the current condition state.

        Pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

        Length: 1..1024

      • status.conditions.status
        string

        Required value

        Status of the condition.

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Required value

        Type of the condition in CamelCase or in the foo.example.com/CamelCase format.

        Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

        Maximum length: 316
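The diagnostic comparison described for ControlPlaneNode (desired versus applied checksums, certificate NotAfter values, conditions that are not True) can be scripted. This is an added example, not code from the Deckhouse project: the sample object is constructed, the 30-day expiry window and the RFC 3339 timestamp format are assumptions, and comparing each component's status `checksums.ca` with `spec.caChecksum` is an inference from the field descriptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get cpn <name> -o json`. Node name,
# checksums, certificate file names, dates and reason text are all made up.
SAMPLE_CPN = json.loads("""
{"metadata": {"name": "master-0"},
 "spec": {"caChecksum": "ca-v2", "components": {
   "etcd": {"checksums": {"config": "cfg-e1", "pki": "pki-e1"}},
   "kube-apiserver": {"checksums": {"config": "cfg-a2", "pki": "pki-a1"}}}},
 "status": {"caChecksum": "ca-v2", "components": {
   "etcd": {"checksums": {"ca": "ca-v2", "config": "cfg-e1", "pki": "pki-e1"},
            "certificatesExpirationTime": {"server.crt": "2030-01-01T00:00:00Z"}},
   "kube-apiserver": {"checksums": {"ca": "ca-v1", "config": "cfg-a1", "pki": "pki-a1"},
            "certificatesExpirationTime": {"apiserver.crt": "2025-01-20T00:00:00Z"}}},
  "conditions": [
   {"type": "EtcdReady", "status": "True", "reason": "Ready", "message": ""},
   {"type": "CertificatesHealthy", "status": "False", "reason": "ExpiringSoon",
    "message": "apiserver.crt expires soon"}]}}
""")


def checksum_drift(cpn):
    """Return (component, key, desired, applied) for every spec/status mismatch."""
    spec, status = cpn.get("spec", {}), cpn.get("status", {})
    drift = []
    if spec.get("caChecksum") != status.get("caChecksum"):
        drift.append(("node", "caChecksum", spec.get("caChecksum"), status.get("caChecksum")))
    for name, desired in sorted(spec.get("components", {}).items()):
        applied = status.get("components", {}).get(name, {}).get("checksums", {})
        want = dict(desired.get("checksums", {}))
        # checksums.ca is absent in spec (CA configuration is global), so the
        # node-level spec.caChecksum is used as the desired value (assumption).
        want.setdefault("ca", spec.get("caChecksum"))
        for key, value in sorted(want.items()):
            if value is not None and applied.get(key) != value:
                drift.append((name, key, value, applied.get(key)))
    return drift


def expiring_certs(cpn, now, within=timedelta(days=30)):
    """Return (component, file, days_left) for certificates inside the window."""
    found = []
    for name, comp in sorted(cpn.get("status", {}).get("components", {}).items()):
        for cert, not_after in sorted(comp.get("certificatesExpirationTime", {}).items()):
            expires = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
            if expires - now <= within:
                found.append((name, cert, (expires - now).days))
    return found


def unhealthy_conditions(cpn):
    """Return (type, reason, message) for every condition whose status is not True."""
    return [(c["type"], c.get("reason"), c.get("message"))
            for c in cpn.get("status", {}).get("conditions", [])
            if c.get("status") != "True"]


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 10, tzinfo=timezone.utc)  # fixed for a repeatable run
    print(checksum_drift(SAMPLE_CPN))
    print(expiring_certs(SAMPLE_CPN, fixed_now))
    print(unhealthy_conditions(SAMPLE_CPN))
```

A non-empty drift list that persists while no ControlPlaneOperation is in progress for that component is the case worth investigating.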

ControlPlaneOperation

Scope: Namespaced
Version: v1alpha1

ControlPlaneOperation describes a single update operation for a control plane component on a specific node — for example, certificate renewal or applying a new manifest.

The resource is created and updated by the control-plane-manager module automatically; users do not need to create or edit it.

Useful for diagnostics: shows which operation is running on the node, which step is currently active and whether the operation completed successfully (see Phase and CurrentStep columns of kubectl get cpo).

  • apiVersion
    string
  • kind
    string
  • metadata
    object
  • spec
    object

    Describes the desired state of an operation.

    • spec.approved
      boolean

      Required value

      Indicates whether the operation is allowed to run.

      Only one approved operation may run on a node at a time. The approver controller sets this automatically based on the current control plane state.

      Default: false

    • spec.component
      string

      Required value

      Control plane component the operation targets.

      Allowed values: Etcd, KubeAPIServer, KubeControllerManager, KubeScheduler

    • spec.desiredCaChecksum
      string

      Expected CA certificate checksum once the operation completes.

      Populated only for steps that update the root CA certificate (SyncCA and related).

    • spec.desiredConfigChecksum
      string

      Expected component configuration checksum (static pod manifest and associated configuration files) once the operation completes.

      Used to confirm that the operation actually applied the intended configuration. After the pod restarts the checksum in ControlPlaneNode.status must match this value.

    • spec.desiredPkiChecksum
      string

      Expected component PKI fingerprint (certSANs, encryption-algorithm) once the operation completes.

      Populated only for steps that change PKI (RenewPKICerts and related).

    • spec.nodeName
      string

      Required value

      Name of the control plane node on which the operation must be executed.

    • spec.steps
      array of strings

      Required value

      Ordered list of steps to perform within the operation.

      Possible values:

      • Backup: Backs up the current component configuration (static pod manifest, associated configuration files) into /etc/kubernetes/deckhouse/backup before any changes.
      • SyncCA: Synchronizes CA certificates (ca.crt, ca.key) with the current d8-pki Secret.
      • RenewPKICerts: Re-issues component certificates (server, peer, client).
      • RenewKubeconfigs: Re-issues kubeconfig files used by the component to authenticate against the API.
      • SyncManifests: Updates the static pod manifest and accompanying files (/etc/kubernetes/manifests, associated configuration files) and records changes in /etc/kubernetes/deckhouse/diffs.
      • JoinEtcdCluster: Joins a new member to the etcd cluster.
      • DefragEtcd: Defragments the etcd data store on the target node to reclaim disk space.
      • WaitPodReady: Waits for the component static pod to become Ready after a restart.
      • CertObserve: Collects the current certificate expiration dates for the component and publishes them to status.observedState.
      • RenewSignature: Re-issues the signature key for the kube-apiserver.

      • Element of the array
        string

        Name of a single step performed within an operation.

        Allowed values: Backup, SyncCA, RenewPKICerts, RenewKubeconfigs, SyncManifests, JoinEtcdCluster, DefragEtcd, WaitPodReady, CertObserve, RenewSignature

  • status
    object

    Observed state of an operation.

    • status.conditions
      array of objects

      Reflects the operation progress.

      The primary condition is Completed. Its reason field is shown in the Phase column of kubectl get cpo:

      • InProgress: Operation is running. The current step name is shown in the CurrentStep column.
      • Succeeded: Operation finished successfully.
      • Failed: Operation finished with an error. See details in message.

      • status.conditions.lastTransitionTime
        string

        Required value

        Last time the condition transitioned from one status to another.

      • status.conditions.message
        string

        Required value

        Human-readable description of the current condition state. If there is an error, this field contains the last error output on a step.

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer

        The .metadata.generation value that the condition was set based upon.

        Allowed values: 0 <= X

      • status.conditions.reason
        string

        Required value

        Machine-readable reason for the current condition state (for example, InProgress, Succeeded, or Failed).

        Pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

        Length: 1..1024

      • status.conditions.status
        string

        Required value

        Status of the condition.

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Required value

        Type of condition.

        In addition to Completed, a separate condition is created for each executed step, where type equals the step name (for example, RenewPKICerts, SyncManifests).

        Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

        Maximum length: 316

    • status.observedState
      object

      Contains the component state collected by the CertObserve step.

      Populated only for static pod components (etcd, kube-apiserver, kube-controller-manager, kube-scheduler).

      • status.observedState.certificatesExpirationTime
        object

        Maps each component certificate file name to its NotAfter timestamp.

        Used by the module for certificate re-issuing and alerting.

KubeSchedulerWebhookConfiguration

Scope: Cluster
Version: v1alpha1

Defines the configuration for connecting a third-party kube-scheduler extender webhook.

An external kube-scheduler webhook extends the capabilities of the scheduler so that it can take more complex conditions into account when scheduling workloads in the Kubernetes cluster.

  • webhooks
    array of objects

    Required value

    • webhooks.clientConfig
      object

      Required value

      ClientConfig defines how to communicate with the webhook.

      • webhooks.clientConfig.caBundle
        string

        Required value

        caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate.

        Pattern: ^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}={2})$

      • webhooks.clientConfig.service
        object

        Required value

        Access to webhook via cluster service.

        • webhooks.clientConfig.service.name
          string

          Required value

          Service name.

          Pattern: ^[0-9a-z\-]+$

          Length: 1..255

        • webhooks.clientConfig.service.namespace
          string

          Required value

          Service namespace.

          Pattern: ^[0-9a-z\-]+$

          Length: 1..255

        • webhooks.clientConfig.service.path
          string

          Required value

          URI path.

          Pattern: ^[0-9a-zA-Z._\/-]+$

          Length: 1..255

        • webhooks.clientConfig.service.port
          integer

          Required value

          Service port.

          Allowed values: 1 <= X <= 65535

    • webhooks.failurePolicy
      string

      Specifies whether scheduling should fail when the extender returns an error or is not reachable.

      Default: Fail

      Allowed values: Fail, Ignore

    • webhooks.filterVerb
      string

      Verb appended to URLPrefix when issuing a filter call to the scheduler extender. If omitted, defaults to filter (for backward compatibility, avoid making changes unless necessary). Set to an empty string "" to disable filter calls for this extender.

    • webhooks.preemptVerb
      string

      Verb appended to URLPrefix when issuing a preempt call to this extender. Leave empty ("") to disable preempt calls for this extender.

    • webhooks.prioritizeVerb
      string

      Verb appended to URLPrefix when issuing a prioritize call to this extender. If omitted, defaults to prioritize (for backward compatibility, avoid making changes unless necessary). Set to an empty string "" to disable prioritize calls for this extender.

    • webhooks.timeoutSeconds
      integer

      Webhook timeout in seconds.

      Default: 10

      Allowed values: 1 <= X <= 60

    • webhooks.weight
      integer

      Required value

      The numeric multiplier for the node scores that the prioritize call generates.

      Allowed values: 1 <= X
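A pre-apply check for one entry of `webhooks`, using the patterns, ranges and defaults documented above. It also decodes `caBundle` to confirm that a PEM certificate block is inside, which the base64 pattern alone does not verify. This is an added example, not Deckhouse code: the function names and sample values are constructed, and the certificate body is a placeholder rather than a real certificate.

```python
import base64
import re

NAME_RE = re.compile(r"^[0-9a-z\-]+$")          # service.name / service.namespace
PATH_RE = re.compile(r"^[0-9a-zA-Z._\/-]+$")    # service.path


def in_range(value, lo, hi=None):
    """True for a real integer (not bool) within the documented bounds."""
    return type(value) is int and value >= lo and (hi is None or value <= hi)


def check_webhook(wh):
    """Return a list of findings for one entry of `webhooks`."""
    findings = []
    cc = wh.get("clientConfig") or {}
    svc = cc.get("service") or {}
    try:
        pem = base64.b64decode(cc.get("caBundle", ""), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        findings.append("caBundle: not base64 (raw PEM pasted?)")
    else:
        if "-----BEGIN CERTIFICATE-----" not in pem or "-----END CERTIFICATE-----" not in pem:
            findings.append("caBundle: no PEM CERTIFICATE block after decoding")
    for key, rx in (("name", NAME_RE), ("namespace", NAME_RE), ("path", PATH_RE)):
        val = svc.get(key)
        if not isinstance(val, str) or not 1 <= len(val) <= 255 or not rx.fullmatch(val):
            findings.append(f"service.{key}: missing or outside the documented pattern/length")
    if not in_range(svc.get("port"), 1, 65535):
        findings.append("service.port: must be an integer in 1..65535")
    if not in_range(wh.get("timeoutSeconds", 10), 1, 60):      # default is 10
        findings.append("timeoutSeconds: must be an integer in 1..60")
    if not in_range(wh.get("weight"), 1):                      # required, >= 1
        findings.append("weight: required integer >= 1")
    policy = wh.get("failurePolicy", "Fail")                   # default is Fail
    if policy not in ("Fail", "Ignore"):
        findings.append("failurePolicy: must be Fail or Ignore")
    elif policy == "Ignore":
        findings.append("failurePolicy: Ignore lets scheduling continue when the "
                        "extender returns an error or is unreachable")
    return findings


# Constructed inputs. PLACEHOLDER_PEM only has the PEM framing, not a real cert.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
GOOD = {"weight": 5, "failurePolicy": "Fail", "timeoutSeconds": 5,
        "clientConfig": {"caBundle": base64.b64encode(PLACEHOLDER_PEM.encode()).decode(),
                         "service": {"name": "scheduler-extender", "namespace": "example-ns",
                                     "path": "/scheduler", "port": 8080}}}
BAD = {"failurePolicy": "Ignore", "timeoutSeconds": 120,
       "clientConfig": {"caBundle": PLACEHOLDER_PEM,
                        "service": {"name": "Sched_Ext", "namespace": "example-ns",
                                    "path": "/scheduler", "port": 70000}}}

if __name__ == "__main__":
    for label, entry in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_webhook(entry))
```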