Tenet I
The Control Plane
Governance, truth, and desired state. In Kubblai’s language: the chamber where intent becomes law.
Ceremonial Statement
Fictional scripture; real mechanics beneath it.
“Declare the shape. Seal the intent. Let governance be quiet and absolute—so the cluster may converge without confusion.”
Plain-language Explanation
What this means for operators.
The control plane is Kubernetes’ authority: the API, persistence, scheduling decisions, and controller loops that observe and act. Tenet I is a reminder to treat the API as the source of truth and to encode intent declaratively, not as ad-hoc imperative steps.
If you can’t describe your platform in objects and constraints, you don’t control it—you negotiate with it.
Kubernetes Mapping
Concrete components and why they matter.
- kube-apiserver: the front door and contract; everything is mediated through it.
- etcd: persistence of desired state; your archive of truth.
- kube-scheduler: placement decisions; the rite of stewardship (see Tenet III).
- kube-controller-manager: reconciliation loops; convergence toward intent (see Tenet II).
- Admission control: policy gates that protect the archive from unsafe objects.
Operator Mindset
How to think under pressure.
Protect the API contract
Treat the API server and etcd as sacred infrastructure: secure them, observe them, back them up, and understand failure modes. If the control plane is unstable, everything else is theatre.
Prefer declarative change
Favor GitOps-like workflows, manifests, and repeatable pipelines. Imperative commands are fine for diagnosis, but lasting change should be recorded as intent.
Governance is kindness
Policies (RBAC, Pod Security Admission, resource quotas, admission controllers) aren’t bureaucracy—they prevent accidental harm and preserve cluster stability.
Practical Exercises
Small rites that build real skill.
- Inspect the control plane components in your cluster (managed or self-hosted). Identify where API server metrics and logs live.
- Write a minimal RBAC Role + RoleBinding that grants read-only access to Pods in a namespace. Verify it with kubectl auth can-i.
- Add resource requests/limits to a Deployment and confirm the scheduler’s decisions align with your intent.
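As an added, offline illustration of the RBAC exercise (not part of this tenet page): the read-only Pods Role and its RoleBinding as Python dicts that mirror the manifests, plus a small evaluator that answers the same question as kubectl auth can-i. The evaluator is an assumption, a deliberately reduced model of the real authorizer (Role/RoleBinding only, User subjects, no ClusterRoles or aggregation); the namespace "dev" and the user "alice" are constructed sample values.

```python
# Added example: a minimal model of namespaced RBAC evaluation.
# Assumption: this is a simplified stand-in for the Kubernetes RBAC
# authorizer, not its actual code. The manifests below are the exercise's
# read-only Pods Role and its RoleBinding, written as dicts.
ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "dev", "name": "pod-reader"},  # constructed
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],  # no create/update/delete
}
ROLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"namespace": "dev", "name": "read-pods"},
    "subjects": [{"kind": "User", "name": "alice",  # constructed user
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}

def rule_allows(rule, verb, group, resource):
    """A rule grants only when apiGroup, resource and verb all match.
    "*" is a wildcard; a Role using it is no longer least-privilege."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def can_i(user, verb, resource, namespace, roles, bindings, group=""):
    """Model of: kubectl auth can-i <verb> <resource> -n <namespace> --as <user>
    RBAC is deny-by-default and purely additive: one matching rule in any
    Role bound to the subject in that namespace is enough to allow."""
    by_ref = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only has effect inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue
        role = by_ref.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(rule, verb, group, resource) for rule in role["rules"]):
            return True
    return False
```

Against a live cluster the equivalent check is `kubectl auth can-i delete pods -n dev --as alice`, which should print "no" for this Role.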