Skip to content

Canonical Texts

CRD Lifecycle Discipline for Teams That Intend to Survive

A CRD becomes a platform contract. Lifecycle discipline is how you keep that contract stable through upgrades, incidents, and team turnover.

Return to ArchiveGovernanceInitiation

Text

Authored as doctrine; evaluated as systems craft.

Doctrine

The first CRD is easy. The fifth is expensive. By the tenth, you are operating an API surface with uptime expectations. Without lifecycle discipline, you create a permanent migration crisis.

Kubblai doctrine: you do not publish an API you are unwilling to maintain.

  • Define deprecation windows and compatibility guarantees.
  • Treat schema evolution as governance with review standards.
  • Instrument controllers and enforce backpressure.

Deprecation policy as institutional law

Deprecation is where trust is tested. If you break tenants without warning, they route around your platform. If you never deprecate, you accumulate dead weight until upgrades become impossible.

The Order expects a published deprecation policy and an enforced cadence.

  • Mark fields and versions deprecated with clear timelines.
  • Provide migration tools or examples; measure adoption progress.
  • Keep old versions long enough to support safe rollout across the fleet.

Conversion: test the one-way doors

If you support multiple versions, you need conversion. Conversion failures are catastrophic: they can brick reads, block writes, and stall controllers.

Conversion must be deterministic, bounded, and tested on real objects.

  • Test round-trip conversion across versions (A→B→A) where possible.
  • Avoid lossy conversions; if unavoidable, document the loss explicitly.
  • Budget conversion latency; it sits on the API request path.

Status contracts and conditions

A stable status contract is how humans and automation understand convergence. If you change status shape casually, you break dashboards, alerts, and runbooks.

Conditions are the lingua franca. Use them with discipline.

  • Standardize condition types across CRDs where possible.
  • Keep status small and meaningful; avoid dumping large payloads.
  • Document meanings and transitions; treat them as API docs.

Controller behavior under load

CRDs multiply watch fanout and reconcile work. Controllers must be backpressure-aware and must avoid status spam.

Operational discipline includes rate limiting, idempotence, and graceful degradation.

  • Bound reconcile concurrency and implement exponential backoff.
  • Avoid requeue storms; treat systemic failure as a reason to slow down.
  • Instrument hot keys and reconcile duration by object key.

Canonical Link

Canonical URL: /library/crd-lifecycle-discipline-for-teams-that-intend-to-survive

Related Readings

Canonical Texts

Library

Principal Lessons on Kubernetes API Design and CRD Discipline

A CRD is not a schema. It is a contract between humans, controllers, and the control plane. The strongest designs assume failure and make drift legible.

Advanced Disciplines

Library

CRDs as New Scripture

CRDs extend the cluster’s language. They also extend its liabilities: storage, watch load, and governance surface area.

Advanced Disciplines

Library

Controllers as Living Interpreters of Intent

A controller is the interpreter that turns declarations into durable outcomes—if it is designed to survive conflict and load.

Doctrine / Theology

Library

How Reconciliation Loops Fail in Practice

Controllers fail by thrashing, stalling, or lying. Mature operators read the shape of convergence: queue depth, reconcile duration, and conflict rates.

Sacred Systems

Library

The API Server as the Gate of Truth

The API is the only public reality in Kubernetes. Everything else is implementation detail and transient effect.