karmada/docs/userguide/configure-controllers.md

120 lines
6.3 KiB
Markdown

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Configure Controllers](#configure-controllers)
- [Karmada Controllers](#karmada-controllers)
- [Configure Karmada Controllers](#configure-karmada-controllers)
- [Kubernetes Controllers](#kubernetes-controllers)
- [Recommended Controllers](#recommended-controllers)
- [namespace](#namespace)
- [garbagecollector](#garbagecollector)
- [serviceaccount-token](#serviceaccount-token)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
# Configure Controllers
Karmada maintains a bunch of controllers which are control loops that watch the state of your system, then make or
request changes where needed. Each controller tries to move the current state closer to the desired state.
See [Kubernetes Controller Concepts][1] for more details.
## Karmada Controllers
The controllers are embedded into components of `karmada-controller-manager` or `karmada-agent` and will be launched
along with components startup. Some controllers may be shared by `karmada-controller-manager` and `karmada-agent`.
| Controller | In karmada-controller-manager | In karmada-agent |
|---------------|-------------------------------|------------------|
| cluster | Y | N |
| clusterStatus | Y | Y |
| binding | Y | N |
| execution | Y | Y |
| workStatus | Y | Y |
| namespace | Y | N |
| serviceExport | Y | Y |
| endpointSlice | Y | N |
| serviceImport | Y | N |
| unifiedAuth | Y | N |
| hpa | Y | N |
### Configure Karmada Controllers
You can use `--controllers` flag to specify the enabled controller list for `karmada-controller-manager` and
`karmada-agent`, or disable some of them in addition to the default list.
E.g. Specify a controller list:
```bash
--controllers=cluster,clusterStatus,binding,xxx
```
E.g. Disable some controllers:
```bash
--controllers=-hpa,-unifiedAuth
```
Use `-foo` to disable the controller named `foo`.
> Note: The default controller list might be changed in the future releases. The controllers enabled in the last release
> might be disabled or deprecated and new controllers might be introduced too. Users who are using this flag should
> check the release notes before system upgrade.
## Kubernetes Controllers
In addition to the controllers that are maintained by the Karmada community, Karmada also requires some controllers from
Kubernetes. These controllers run as part of `kube-controller-manager` and are maintained by the Kubernetes community.
Users are recommended to deploy the `kube-controller-manager` along with Karmada components. And the installation
methods list in [installation guide][2] would help you deploy it as well as Karmada components.
### Recommended Controllers
Not all controllers in `kube-controller-manager` are necessary for Karmada, if you are deploying
Karmada using other tools, you might have to configure the controllers by `--controllers` flag just like what we did in
[example of kube-controller-manager deployment][3].
The following controllers are tested and recommended by Karmada.
#### namespace
The `namespace` controller runs as part of `kube-controller-manager`. It watches `Namespace` deletion and deletes
all resources in the given namespace.
For the Karmada control plane, we inherit this behavior to keep a consistent user experience. More than that, we also
rely on this feature in the implementation of Karmada controllers, for example, when un-registering a cluster,
Karmada would delete the `execution namespace`(named `karmada-es-<cluster name>`) that stores all the resources
propagated to that cluster, to ensure all the resources could be cleaned up from both the Karmada control plane and the
given cluster.
More details about the `namespace` controller, please refer to
[namespace controller sync logic](https://github.com/kubernetes/kubernetes/blob/v1.23.4/pkg/controller/namespace/deletion/namespaced_resources_deleter.go#L82-L94).
#### garbagecollector
The `garbagecollector` controller runs as part of `kube-controller-manager`. It is used to clean up garbage resources.
It manages [owner reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/) and
deletes the resources once all owners are absent.
For the Karmada control plane, we also use `owner reference` to link objects to each other. For example, each
`ResourceBinding` has an owner reference that link to the `resource template`. Once the `resource template` is removed,
the `ResourceBinding` will be removed by `garbagecollector` controller automatically.
For more details about garbage collection mechanisms, please refer to
[Garbage Collection](https://kubernetes.io/docs/concepts/architecture/garbage-collection/).
#### serviceaccount-token
The `serviceaccount-token` controller runs as part of `kube-controller-manager`.
It watches `ServiceAccount` creation and creates a corresponding ServiceAccount token Secret to allow API access.
For the Karmada control plane, after a `ServiceAccount` object is created by the administrator, we also need
`serviceaccount-token` controller to generate the ServiceAccount token `Secret`, which will be a relief for
administrator as he/she doesn't need to manually prepare the token.
More details please refer to:
- [service account token controller](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#token-controller)
- [service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens)
[1]: https://kubernetes.io/docs/concepts/architecture/controller/
[2]: https://github.com/karmada-io/karmada/blob/master/docs/installation/installation.md
[3]: https://github.com/karmada-io/karmada/blob/master/artifacts/deploy/kube-controller-manager.yaml