Kubernetes API Server — Deep Dive
Learn Kubernetes API Server — Deep Dive with plain-English explanations and real examples..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Kubernetes cluster (v1.28+), kubectl, basic understanding of Kubernetes architecture, familiarity with YAML, access to a cluster with admin privileges, etcdctl (for etcd queries), Go (for code examples)
Think of Kubernetes API Server — Deep Dive like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.
A misconfigured API Server can bring down a production cluster faster than any node failure. I've seen teams spend hours debugging why their deployments hang, only to find the API Server's etcd connection pool exhausted due to a single misbehaving controller. The API Server is not just a REST API — it's the gatekeeper that validates every mutation, enforces every policy, and serializes every state change. If you don't understand its request lifecycle, admission webhooks, and etcd interaction, you're flying blind. This deep dive covers the internals you need to know to operate, tune, and troubleshoot the API Server in production.
The Request Lifecycle: From kubectl to etcd
Every API request follows a strict pipeline: authentication, authorization, admission (mutating then validating), validation, and finally persistence to etcd. The API Server is built on a generic HTTP handler chain that processes each request through these stages. Understanding this flow is critical because a failure at any stage can silently drop requests or corrupt state. For example, a mutating webhook that hangs will block all resource creation until the webhook timeout (default 30s) expires. The API Server uses a watch-based cache to serve reads without hitting etcd, but writes always go through the full pipeline. This design ensures consistency at the cost of latency — a trade-off you must account for when designing controllers or operators.
Authentication: Who Are You?
The API Server supports multiple authentication strategies: client certificates, bearer tokens (static, service account, OIDC), and webhook token authentication. They are tried in order until one succeeds. A common pitfall is misconfiguring OIDC discovery URL or certificate validation, causing all OIDC-authenticated requests to fail. Service account tokens are automatically mounted into pods and are the primary identity for workloads. For production, use OIDC for human users and service accounts for workloads. Avoid static tokens — they are a security risk. The API Server logs authentication failures, but the verbosity is low by default; enable --v=4 to see detailed auth decisions.
--oidc-ca-file with the CA bundle. Otherwise, all OIDC logins will fail with 'x509: certificate signed by unknown authority'.Authorization: What Can You Do?
After authentication, the API Server checks authorization. The default mode is RBAC (Role-Based Access Control), but it also supports ABAC, Node, and Webhook authorization. RBAC uses Roles and ClusterRoles bound to subjects via RoleBindings and ClusterRoleBindings. The API Server evaluates all authorizers in order; if any grants access, the request proceeds. A common mistake is forgetting that * verbs or resources in a ClusterRole grant access across all namespaces. Always use the principle of least privilege. For production, enable --authorization-mode=Node,RBAC to ensure node identities are restricted. The API Server caches authorization decisions for 5 seconds by default, which can lead to stale permissions for a short window.
kubectl auth can-i create pods --as=jane to verify permissions before deploying.* verbs on pods/exec — this allows arbitrary command execution in containers. Always restrict pods/exec to specific users.kubectl auth can-i.Admission Controllers: The Policy Enforcers
Admission controllers intercept requests after authorization but before persistence. They can mutate (modify) or validate (reject) requests. Built-in controllers like NamespaceLifecycle, LimitRanger, and ResourceQuota enforce cluster policies. Custom admission webhooks allow extending this with external services. Mutating webhooks run first, then validating webhooks. A critical detail: webhooks can fail open or fail closed. In production, always set failurePolicy: Fail for critical validations to prevent bypassing policies. However, if your webhook service goes down, all API requests will be blocked. Use failurePolicy: Ignore for non-critical mutations. The API Server has a default timeout of 30s for webhooks; set lower timeouts to avoid request pileup.
timeoutSeconds, the API Server returns an error. Set timeouts low (e.g., 5s) and implement async validation if needed.failurePolicy: Fail blocked all pod creations. Always have a backup webhook or use failurePolicy: Ignore for non-critical checks.etcd: The Source of Truth
The API Server is the only component that writes to etcd, which stores all cluster state. etcd is a distributed key-value store that uses the Raft consensus algorithm. The API Server serializes Kubernetes objects into JSON or Protobuf and stores them under keys like /registry/pods/default/my-pod. Reads are served from the API Server's watch cache (an in-memory cache that mirrors etcd), but writes always go to etcd. This cache reduces etcd load but introduces a small staleness window (default 1 second). For production, use etcd clusters with odd numbers of members (3 or 5) and enable TLS. Monitor etcd latency — if p99 latency exceeds 100ms, the API Server will start returning errors.
fsync duration.Watch Caching and Resource Versioning
The API Server maintains an in-memory watch cache that subscribes to etcd events and serves list/watch requests without hitting etcd. Each object has a resourceVersion that increments on every change. Clients use this to perform efficient watches. The cache is updated asynchronously, so there is a brief inconsistency window. For production, this is usually fine, but if you need strong consistency, use resourceVersion=0 (which forces a direct etcd read) or use the --cache-ttl flag (default 5 minutes). A common bug is controllers that rely on list responses being immediately consistent — they may miss updates. Always use watches with a resourceVersion from a recent list to avoid missing events.
resourceVersion from a recent list to avoid missing events. Use resourceVersion=0 only if you need a full snapshot.API Priority and Fairness (APF)
APF is the built-in mechanism to prevent a single misbehaving client from starving others. It categorizes requests into priority levels (e.g., system, workload-high, workload-low) and applies concurrency limits. Each priority level has a guaranteed share of the API Server's concurrency capacity. If a level exceeds its share, requests are queued and eventually rejected with HTTP 429 (Too Many Requests). In production, you must tune APF to match your workload patterns. Default settings are conservative; for high-throughput clusters, increase globalDefault concurrency. Monitor apiserver_flowcontrol_request_concurrency_limit and apiserver_flowcontrol_request_wait_duration_seconds metrics.
assuredConcurrencyShares too low for critical controllers, they may be throttled. Monitor apiserver_flowcontrol_rejected_requests_total.TLS and Certificate Management
The API Server serves HTTPS and requires proper TLS configuration. It uses a serving certificate for the API endpoint and a client certificate to authenticate with etcd. In production, use a trusted CA for the serving certificate to avoid insecure-skip-tls-verify. The API Server also supports client certificate authentication. A common issue is certificate rotation: if the serving certificate expires, all API calls fail. Use cert-manager or kubeadm's automatic rotation. For etcd, use separate client certificates with the CN matching the expected username. The API Server's --tls-cert-file and --tls-private-key-file flags specify the serving cert.
kubeadm certs check-expiration or Prometheus metrics from cert-manager.Audit Logging: Tracking Every Request
Audit logging records every API request with metadata like user, timestamp, verb, and response code. It's essential for security and troubleshooting. The API Server supports multiple audit backends: log file, webhook, and dynamic. In production, enable audit logging with a policy that captures mutating requests and denies. Be careful with log volume — a busy cluster can generate gigabytes per hour. Use a policy that filters out reads from service accounts. The audit log can be shipped to a SIEM for analysis. A common mistake is not rotating audit logs, causing disk full issues.
Scaling the API Server
The API Server is stateless and can be scaled horizontally behind a load balancer. However, each instance has its own watch cache, so clients may see slightly different views. For writes, all instances go to the same etcd cluster, so write throughput is limited by etcd. To scale reads, add more API Server instances. For writes, scale etcd (faster disks, more nodes). The API Server's concurrency is controlled by --max-requests-inflight (default 400) and --max-mutating-requests-inflight (default 200). In production, monitor apiserver_request_total and apiserver_request_duration_seconds to know when to scale. A common bottleneck is the watch cache memory — each watched object consumes memory.
process_resident_memory_bytes.Troubleshooting Common API Server Failures
Common failures include: etcd connection refused (check etcd health), certificate expiry (check certs), admission webhook timeouts (check webhook service), and resource exhaustion (check --max-requests-inflight). The API Server logs to stderr; use kubectl logs -n kube-system kube-apiserver-<node> to view them. Enable --v=4 for detailed debugging. A classic symptom: kubectl commands hang or return 503. Check API Server health at /healthz and /readyz. For etcd issues, check etcd endpoints and disk latency. Always have a backup API Server configuration and practice recovery.
/healthz checks liveness; /readyz checks readiness (including etcd connection). Use /readyz for load balancer probes.--max-requests-inflight being hit. We increased it from 400 to 800 and added more replicas.Production Hardening Checklist
To harden the API Server in production: 1) Enable TLS with a trusted CA and rotate certificates automatically. 2) Use RBAC with least privilege and audit all permissions. 3) Enable admission controllers like PodSecurity, NodeRestriction, and AlwaysPullImages. 4) Configure APF to protect against request storms. 5) Enable audit logging with a policy that captures mutations. 6) Use etcd with TLS and dedicated SSDs. 7) Set resource limits on the API Server container. 8) Monitor key metrics: request latency, error rates, etcd latency, and watch cache size. 9) Have a disaster recovery plan for etcd backup and restore. 10) Regularly test failover by killing an API Server instance.
--insecure-port=0 is set to disable the unencrypted localhost port. It's off by default in v1.24+.| File | Command / Code | Purpose |
|---|---|---|
| request-lifecycle.sh | TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) | The Request Lifecycle |
| kube-apiserver-auth.yaml | apiVersion: v1 | Authentication |
| rbac-role.yaml | apiVersion: rbac.authorization.k8s.io/v1 | Authorization |
| validating-webhook.yaml | apiVersion: admissionregistration.k8s.io/v1 | Admission Controllers |
| etcd-query.sh | ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \ | etcd |
| watch-example.go | "context" | Watch Caching and Resource Versioning |
| priority-level-config.yaml | apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 | API Priority and Fairness (APF) |
| apiserver-tls.yaml | apiVersion: v1 | TLS and Certificate Management |
| audit-policy.yaml | apiVersion: audit.k8s.io/v1 | Audit Logging |
| apiserver-hpa.yaml | apiVersion: autoscaling/v2 | Scaling the API Server |
| troubleshoot.sh | kubectl get --raw /healthz | Troubleshooting Common API Server Failures |
| apiserver-hardened.yaml | apiVersion: v1 | Production Hardening Checklist |
Key takeaways
failurePolicy: Ignore for non-critical checks.Interview Questions on This Topic
What happens if the API Server goes down?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Kubernetes. Mark it forged?
5 min read · try the examples if you haven't