Forem: James Lee The latest articles on Forem by James Lee (@jamesli). https://forem.com/jamesli https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2415836%2Fb3164384-9e59-4018-8224-c72be9619c2e.jpg Forem: James Lee https://forem.com/jamesli en Full Observability in Istio: Metrics with Prometheus/Grafana + Distributed Tracing with Jaeger James Lee Fri, 22 May 2026 10:16:22 +0000 https://forem.com/jamesli/full-observability-in-istio-metrics-with-prometheusgrafana-distributed-tracing-with-jaeger-3b8g https://forem.com/jamesli/full-observability-in-istio-metrics-with-prometheusgrafana-distributed-tracing-with-jaeger-3b8g <p>Observability is the ability to understand the internal state of a system from its external outputs. In a microservices architecture — where a single API call may fan out to dozens of services and hundreds of DB queries — observability is not optional. It's survival.</p> <p>Istio provides three pillars of observability out of the box:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pillar</th> <th>Tool</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td><strong>Metrics</strong></td> <td>Prometheus + Grafana</td> <td>Trend analysis, QPS, latency, error rate</td> </tr> <tr> <td><strong>Distributed Tracing</strong></td> <td>Jaeger</td> <td>Root cause analysis of slow/failed requests</td> </tr> <tr> <td><strong>Logging</strong></td> <td>ELK Stack</td> <td>Detailed per-request log investigation</td> </tr> </tbody> </table></div> <p>This article covers the first two in depth.</p> <h2> Part 1: Metrics with Prometheus + Grafana </h2> <h3> Why Prometheus Over StatsD or InfluxDB? </h3> <p>Three metrics systems are commonly used in modern infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>StatsD + Graphite → UDP push model, lightweight, limited ecosystem InfluxDB + Telegraf → Rich system-level plugins, custom app metrics need manual work Prometheus → Pull model, native K8s/Consul service discovery, full alerting stack </code></pre> </div> <p>Prometheus wins in cloud-native environments for two reasons:</p> <ol> <li> <strong>Pull model</strong> — Prometheus scrapes targets over HTTP. This simplifies client code and makes debugging trivial (just <code>curl</code> the <code>/metrics</code> endpoint).</li> <li> <strong>Native service discovery</strong> — No static IP lists. Prometheus discovers targets from Kubernetes, Consul, or DNS automatically.</li> </ol> <h3> Prometheus Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ Prometheus Server │ │ ┌──────────────┐ ┌──────────────┐ ┌─────────────┐ │ │ │ Scraper │ │ TSDB │ │ Rule Engine │ │ │ │ (pull HTTP) │ │ (storage) │ │ (alerts) │ │ │ └──────┬───────┘ └──────────────┘ └──────┬──────┘ │ └──────────┼────────────────────────────────────────┼─────────┘ │ scrape /metrics │ fire alerts ▼ ▼ ┌─────────────────────┐ ┌──────────────────────┐ │ Service Discovery │ │ Alertmanager │ │ (K8s / Consul/DNS) │ │ (dedup, group, │ └─────────────────────┘ │ notify: DingTalk / │ │ WeCom / Email) │ ┌─────────────────────┐ └──────────────────────┘ │ PushGateway │ ← for short-lived jobs (batch, PHP scripts) └─────────────────────┘ ┌─────────────────────┐ │ Exporters │ ← Node Exporter, Blackbox Exporter, etc. └─────────────────────┘ </code></pre> </div> <blockquote> <p><strong>PushGateway</strong> exists specifically for short-lived processes (batch jobs, PHP scripts) that won't survive long enough to be scraped.</p> </blockquote> <h3> Prometheus Data Model </h3> <p>Every metric is a combination of a <strong>name</strong> + <strong>labels</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="n">negri_http_request_total</span><span class="p">{</span><span class="na">client</span><span class="o">=</span><span class="s2">"serviceA"</span><span class="p">,</span> <span class="na">code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">,</span> <span class="na">exported_service</span><span class="o">=</span><span class="s2">"serviceB"</span><span class="p">,</span> <span class="na">path</span><span class="o">=</span><span class="s2">"/ping"</span><span class="p">}</span> </code></pre> </div> <ul> <li> <code>negri_http_request_total</code> — metric name (describes what it measures)</li> <li> <code>{client, code, exported_service, path}</code> — labels (dimensions for filtering/aggregation)</li> </ul> <h3> The Four Metric Types </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>Computed By</th> <th>Best For</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><strong>Counter</strong></td> <td>Server-side</td> <td>QPS, total requests (monotonically increasing)</td> <td><code>negri_http_request_total</code></td> </tr> <tr> <td><strong>Gauge</strong></td> <td>Client-side</td> <td>Instantaneous values, event flags (circuit breaker open/closed)</td> <td><code>degrade_events{event="eventBreakerOpenStatus"}</code></td> </tr> <tr> <td><strong>Histogram</strong></td> <td>Server-side</td> <td>Latency percentiles (p90/p95/p99), response size distribution</td> <td><code>negri_http_response_time_us_bucket{le="0.5"}</code></td> </tr> <tr> <td><strong>Summary</strong></td> <td>Client-side</td> <td>Precise percentiles, but less flexible at query time</td> <td>Similar to Histogram</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Counter vs Gauge:</strong> If your value only goes up → use Counter (cheaper, server-side). If it goes up and down → use Gauge.</p> <p><strong>Histogram vs Summary:</strong> Histogram is more flexible (percentiles calculated at query time in Grafana). Summary is more precise but percentiles are fixed at instrumentation time.</p> </blockquote> <h3> Grafana Dashboard: What to Look At </h3> <p>Istio ships with pre-built Grafana dashboards. Here's how to navigate them effectively.</p> <h4> Services Dashboard </h4> <p>Key filter parameters:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Parameter</th> <th>What It Means</th> </tr> </thead> <tbody> <tr> <td><code>Service</code></td> <td>The Kubernetes service name (e.g. <code>details.default.svc.cluster.local</code>)</td> </tr> <tr> <td><code>Client Workload Namespace</code></td> <td>The K8s namespace where the client lives</td> </tr> <tr> <td><code>Client Workload</code></td> <td>The upstream caller — e.g. <code>productpage-v1</code> calling <code>details</code> </td> </tr> <tr> <td><code>Service Workload</code></td> <td>The specific version of the service — e.g. <code>reviews-v1</code>, <code>reviews-v2</code>, <code>reviews-v3</code> </td> </tr> </tbody> </table></div> <blockquote> <p><strong>Why <code>Client Workload</code> matters:</strong> Traditional microservice SDKs often struggle to reliably inject the caller's service name into metrics. Developers might hardcode the wrong name or copy-paste from another service. Istio eliminates this entirely — the control plane injects the caller identity automatically via the sidecar. No human error possible.</p> </blockquote> <p>Key panels in the dashboard:</p> <ul> <li> <strong>QPS</strong> (client-side vs server-side) — client-side is more accurate as it includes network latency</li> <li> <strong>Success Rate</strong> — percentage of non-5xx responses</li> <li> <strong>Latency</strong> — p50/p90/p99 breakdown</li> </ul> <h4> Workload Dashboard </h4> <p>The Workload dashboard adds a critical dimension: <strong>inbound vs outbound traffic</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>reviews-v3 Workload ├── INBOUND ← traffic FROM productpage-v1 └── OUTBOUND ← traffic TO ratings.default.svc.cluster.local </code></pre> </div> <p>This dual-direction view is invaluable for root cause analysis. When <code>reviews-v3</code> is slow, you can immediately see:</p> <ul> <li>Is it slow because <em>incoming</em> traffic is high? (upstream pressure)</li> <li>Or is it slow because <em>outgoing</em> calls to <code>ratings</code> are slow? (downstream dependency)</li> </ul> <h2> Part 2: Distributed Tracing with Jaeger </h2> <h3> The Three Pillars of Observability — Compared </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Metrics → "Something is wrong with reviews-v3 (p99 latency spiked to 2s)" Tracing → "The spike is caused by the ratings service call at step 4 of this specific request" Logging → "Here's the exact SQL query and stack trace that caused it" </code></pre> </div> <p>Each tool answers a different question. Tracing is the bridge between "something is wrong" and "here's exactly why."</p> <h3> How Distributed Tracing Works (Dapper Model) </h3> <p>Tracing originates from Google's <strong>Dapper</strong> paper. The core concepts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TraceId: 5f1db306ef459b2f (unique per request, generated at the gateway) │ ├── Span A (SpanId: aaa, ParentSpanId: null) ← root span (productpage) │ │ │ ├── Span B (SpanId: bbb, ParentSpanId: aaa) ← details service call │ │ │ └── Span C (SpanId: ccc, ParentSpanId: aaa) ← reviews service call │ │ │ └── Span D (SpanId: ddd, ParentSpanId: ccc) ← ratings service call </code></pre> </div> <p>Trace context is propagated via <strong>HTTP headers</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Header</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>x-request-id</code></td> <td>Unique request ID for log correlation</td> </tr> <tr> <td><code>x-b3-traceid</code></td> <td>64-bit global trace identifier</td> </tr> <tr> <td><code>x-b3-spanid</code></td> <td>Current span position in the trace tree</td> </tr> <tr> <td><code>x-b3-parentspanid</code></td> <td>Parent span (absent = root node)</td> </tr> <tr> <td><code>x-b3-sampled</code></td> <td>Sampling flag (<code>1</code> = record this trace)</td> </tr> </tbody> </table></div> <h3> A Real Trace Record </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"traceID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5f1db306ef459b2f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"spanID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5f1db306ef459b2f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"parentSpanID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"operationName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ping"</span><span class="p">,</span><span class="w"> </span><span class="nl">"duration"</span><span class="p">:</span><span class="w"> </span><span class="mi">2065</span><span class="p">,</span><span class="w"> </span><span class="nl">"startTime"</span><span class="p">:</span><span class="w"> </span><span class="mi">1609241265147010</span><span class="p">,</span><span class="w"> </span><span class="nl">"process"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"serviceName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"negri.sidecarserverlistener.myapp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"hostname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MacBook-Pro-3.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.1.88"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"http.method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"http.status_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200"</span><span class="p">,</span><span class="w"> </span><span class="nl">"http.url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ping"</span><span class="p">,</span><span class="w"> </span><span class="nl">"peer.address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://127.0.0.1:8888"</span><span class="p">,</span><span class="w"> </span><span class="nl">"span.kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"server"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Jaeger Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Application Code │ UDP ▼ ┌──────────────┐ ┌──────────────────┐ ┌──────────────┐ │ jaeger-client│────▶│ jaeger-agent │────▶│jaeger- │ │ (SDK) │ │ (per-host │ │collector │ └──────────────┘ │ daemon) │ │(validate + │ └──────────────────┘ │ process) │ └──────┬───────┘ │ ▼ ┌──────────────┐ │ jaeger-db │ │ (Cassandra / │ │ Elasticsearch│ └──────┬───────┘ │ ▼ ┌──────────────┐ │ jaeger-query │ │ (UI + API) │ └──────────────┘ </code></pre> </div> <blockquote> <p><strong>Why jaeger-agent?</strong> Same philosophy as Istio's sidecar — it offloads service discovery and routing complexity from the client SDK. The app just sends UDP to localhost and forgets about it.</p> </blockquote> <h3> The One Thing Your Code Must Do </h3> <p>Envoy automatically generates spans and propagates B3 headers to upstream services. <strong>But</strong> — it cannot read the incoming headers and pass them downstream on your behalf. Your application code must forward the trace headers manually.</p> <p>Here's the pattern from the Bookinfo sample app (Python):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/productpage</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@trace</span><span class="p">()</span> <span class="k">def</span> <span class="nf">front</span><span class="p">():</span> <span class="n">headers</span> <span class="o">=</span> <span class="nf">getForwardHeaders</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="c1"># extract + forward trace headers </span> <span class="n">details</span> <span class="o">=</span> <span class="nf">getProductDetails</span><span class="p">(</span><span class="n">product_id</span><span class="p">,</span> <span class="n">headers</span><span class="p">)</span> <span class="c1"># pass them downstream </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">getForwardHeaders</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># B3 headers — extracted automatically via OpenTracing library </span> <span class="n">span</span> <span class="o">=</span> <span class="nf">get_current_span</span><span class="p">()</span> <span class="n">carrier</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">inject</span><span class="p">(</span><span class="n">span_context</span><span class="o">=</span><span class="n">span</span><span class="p">.</span><span class="n">context</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="n">Format</span><span class="p">.</span><span class="n">HTTP_HEADERS</span><span class="p">,</span> <span class="n">carrier</span><span class="o">=</span><span class="n">carrier</span><span class="p">)</span> <span class="n">headers</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">carrier</span><span class="p">)</span> <span class="c1"># Other headers that must be forwarded manually </span> <span class="n">incoming_headers</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">x-request-id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">x-ot-span-context</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">traceparent</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">tracestate</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">x-cloud-trace-context</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">grpc-trace-bin</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">user-agent</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="n">incoming_headers</span><span class="p">:</span> <span class="n">val</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="k">if</span> <span class="n">val</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">headers</span><span class="p">[</span><span class="n">h</span><span class="p">]</span> <span class="o">=</span> <span class="n">val</span> <span class="k">return</span> <span class="n">headers</span> </code></pre> </div> <blockquote> <p><strong>Key insight:</strong> Envoy handles span <em>creation</em> and <em>injection</em> automatically. Your app only needs to <em>forward</em> the headers it receives. This is a much lighter instrumentation burden than traditional APM agents.</p> </blockquote> <h3> What Jaeger Shows You </h3> <p><strong>Trace List View</strong> — All traces for a service, sortable by duration. Immediately surfaces the slowest requests.</p> <p><strong>Trace Detail View</strong> — Full waterfall of every span in a single request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>productpage ────────────────────────────── 450ms details ─── 45ms reviews ────────────────── 380ms ratings ──────────── 310ms ← bottleneck identified </code></pre> </div> <p><strong>System Architecture View</strong> — Auto-generated service dependency graph derived from trace data. No manual diagram maintenance needed.</p> <h2> Summary: Metrics vs Tracing — When to Use Which </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Use</th> </tr> </thead> <tbody> <tr> <td>"Is the service healthy right now?"</td> <td>Metrics (Grafana dashboard)</td> </tr> <tr> <td>"Has latency been trending up this week?"</td> <td>Metrics (Prometheus query)</td> </tr> <tr> <td>"Why did <em>this specific request</em> take 3 seconds?"</td> <td>Tracing (Jaeger)</td> </tr> <tr> <td>"Which service is the bottleneck in my call chain?"</td> <td>Tracing (Jaeger waterfall)</td> </tr> <tr> <td>"What exact error did service X return at 14:32?"</td> <td>Logging (ELK)</td> </tr> </tbody> </table></div> <p>The power of Istio is that <strong>you get all of this without modifying your application</strong> — except for the minimal header forwarding shown above. The sidecar handles metric collection, span generation, and header injection automatically.</p> <blockquote> <p>💻 Explore the full implementation:<br> <a href="https://github.com/muzinan123/servicemesh" rel="noopener noreferrer">github.com/muzinan123/servicemesh</a></p> </blockquote> devops kubernetes microservices monitoring Traffic Management in Istio: Circuit Breaking & Rate Limiting with DestinationRule James Lee Fri, 22 May 2026 10:15:40 +0000 https://forem.com/jamesli/traffic-management-in-istio-circuit-breaking-rate-limiting-with-destinationrule-1oim https://forem.com/jamesli/traffic-management-in-istio-circuit-breaking-rate-limiting-with-destinationrule-1oim <p>One of Istio's most powerful features is the ability to configure <strong>circuit breaking</strong> and <strong>rate limiting</strong> declaratively — without touching a single line of application code. Everything is controlled through a single CRD: <code>DestinationRule</code>.</p> <p>In this article, I'll break down exactly how <code>connectionPool</code> (rate limiting) and <code>outlierDetection</code> (circuit breaking) work, with real YAML examples.</p> <h2> The Entry Point: TrafficPolicy in DestinationRule </h2> <p>Both circuit breaking and rate limiting are configured under the <code>trafficPolicy</code> field of a <code>DestinationRule</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-service-dr</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">my-service</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="c1"># ← Rate limiting config</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">100</span> <span class="na">http</span><span class="pi">:</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">100</span> <span class="na">http2MaxRequests</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">outlierDetection</span><span class="pi">:</span> <span class="c1"># ← Circuit breaking config</span> <span class="na">consecutiveErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxEjectionPercent</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <h2> Part 1: Rate Limiting with <code>connectionPool</code> </h2> <p><code>connectionPool</code> controls <strong>how many concurrent connections and requests</strong> are allowed to reach an upstream service. It has two sub-sections: <code>tcp</code> and <code>http</code>.</p> <h3> TCP Settings </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr> <td><code>maxConnections</code></td> <td>Max number of HTTP1/TCP connections to the destination</td> <td>unlimited</td> </tr> <tr> <td><code>connectTimeout</code></td> <td>TCP connection timeout</td> <td>10s</td> </tr> </tbody> </table></div> <blockquote> <p>⚠️ <strong>Important:</strong> <code>maxConnections</code> only limits <strong>HTTP/1.1 and TCP</strong> connections. It does <strong>not</strong> affect HTTP/2, because HTTP/2 multiplexes all requests over a single connection.</p> </blockquote> <h3> HTTP Settings </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr> <td><code>http1MaxPendingRequests</code></td> <td>Max queued HTTP/1.1 requests waiting to be processed</td> <td>1024</td> </tr> <tr> <td><code>http2MaxRequests</code></td> <td>Max concurrent HTTP/2 requests</td> <td>1024</td> </tr> <tr> <td><code>maxRequestsPerConnection</code></td> <td>How many requests can reuse one TCP connection. Set to <code>1</code> to disable keepalive</td> <td>unlimited</td> </tr> </tbody> </table></div> <h3> Full connectionPool Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">100</span> <span class="na">connectTimeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">http</span><span class="pi">:</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">100</span> <span class="na">http2MaxRequests</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">maxRequestsPerConnection</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p><strong>What this does:</strong> Limits the service to 100 concurrent TCP connections, queues at most 100 pending HTTP/1.1 requests, and allows up to 1000 concurrent HTTP/2 requests. Each TCP connection can serve up to 10 requests before being recycled.</p> <h2> Part 2: Circuit Breaking with <code>outlierDetection</code> </h2> <p><code>outlierDetection</code> implements the <strong>circuit breaker pattern</strong> at the Envoy level. When a service instance starts returning errors, Istio automatically ejects it from the load balancing pool.</p> <h3> How It Works </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request → Envoy → Load Balancer Pool ├── Instance A (healthy) ✅ ├── Instance B (healthy) ✅ └── Instance C (5xx × 5) ❌ → Ejected for 30s </code></pre> </div> <p>When Instance C is ejected, traffic is only routed to A and B. After <code>baseEjectionTime</code>, Instance C gets a chance to re-enter the pool.</p> <h3> Configuration Fields </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr> <td><code>consecutiveErrors</code></td> <td>Number of consecutive 5xx errors (502/503/504) before ejection</td> <td>5</td> </tr> <tr> <td><code>interval</code></td> <td>Time window for counting errors</td> <td>10s</td> </tr> <tr> <td><code>baseEjectionTime</code></td> <td>Minimum ejection duration. Actual time = <code>baseEjectionTime × ejection count</code> </td> <td>30s</td> </tr> <tr> <td><code>maxEjectionPercent</code></td> <td>Max % of instances that can be ejected at once</td> <td>10%</td> </tr> <tr> <td><code>minHealthPercent</code></td> <td>If healthy instances drop below this %, circuit breaking is <strong>disabled</strong> entirely</td> <td>50%</td> </tr> </tbody> </table></div> <h3> Full outlierDetection Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">outlierDetection</span><span class="pi">:</span> <span class="na">consecutiveErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxEjectionPercent</span><span class="pi">:</span> <span class="m">10</span> <span class="na">minHealthPercent</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <h2> Key Design Decisions Worth Understanding </h2> <h3> 1. Progressive Ejection Time </h3> <p>The actual ejection time is not fixed — it grows with each ejection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1st ejection: 30s × 1 = 30s 2nd ejection: 30s × 2 = 60s 3rd ejection: 30s × 3 = 90s </code></pre> </div> <p>This is intentional: a repeatedly failing instance gets longer and longer timeouts, giving it more time to recover.</p> <h3> 2. The Safety Net: <code>maxEjectionPercent</code> + <code>minHealthPercent</code> </h3> <p>These two fields work together to prevent a cascade failure from taking down your entire service:</p> <ul> <li> <strong><code>maxEjectionPercent: 10</code></strong> — Even if 50 instances are all returning 5xx errors, only 10% will be ejected at any one time.</li> <li> <strong><code>minHealthPercent: 50</code></strong> — If healthy instances drop below 50%, Istio <strong>disables</strong> outlier detection entirely and allows all instances (including unhealthy ones) to receive traffic.</li> </ul> <blockquote> <p><strong>Why disable circuit breaking when too many instances are unhealthy?</strong><br> Because at that point, the problem is likely systemic (e.g., a bad deployment, downstream dependency failure). Ejecting more instances would only make things worse. It's better to let all instances handle traffic and surface the real error.</p> </blockquote> <h2> Putting It All Together </h2> <p>Here's a production-ready <code>DestinationRule</code> combining both features:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">reviews-dr</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">reviews</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">100</span> <span class="na">connectTimeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">http</span><span class="pi">:</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">100</span> <span class="na">http2MaxRequests</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">maxRequestsPerConnection</span><span class="pi">:</span> <span class="m">10</span> <span class="na">outlierDetection</span><span class="pi">:</span> <span class="na">consecutiveErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxEjectionPercent</span><span class="pi">:</span> <span class="m">10</span> <span class="na">minHealthPercent</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Config Field</th> <th>Mechanism</th> </tr> </thead> <tbody> <tr> <td><strong>Rate Limiting</strong></td> <td><code>connectionPool.tcp</code></td> <td>Limit TCP connections</td> </tr> <tr> <td><strong>Rate Limiting</strong></td> <td><code>connectionPool.http</code></td> <td>Limit concurrent HTTP requests</td> </tr> <tr> <td><strong>Circuit Breaking</strong></td> <td><code>outlierDetection.consecutiveErrors</code></td> <td>Eject on N consecutive errors</td> </tr> <tr> <td><strong>Safety Net</strong></td> <td><code>outlierDetection.maxEjectionPercent</code></td> <td>Cap max ejected instances</td> </tr> <tr> <td><strong>Safety Net</strong></td> <td><code>outlierDetection.minHealthPercent</code></td> <td>Disable CB when cluster is too unhealthy</td> </tr> </tbody> </table></div> <p>The beauty of Istio's approach: <strong>all of this happens at the proxy layer</strong>. Your application code doesn't need to implement Hystrix, Resilience4j, or any circuit breaker library. The infrastructure handles it.</p> <blockquote> <p>💻 Explore the full implementation:<br> <a href="https://github.com/muzinan123/servicemesh" rel="noopener noreferrer">github.com/muzinan123/servicemesh</a></p> <p>📖 Next in this series: Full Observability in Istio: Metrics + Distributed Tracing</p> </blockquote> devops kubernetes microservices networking Istio & Envoy Service Mesh Architecture: How the Control Plane and Data Plane Work Together James Lee Fri, 22 May 2026 10:14:51 +0000 https://forem.com/jamesli/istio-envoy-service-mesh-architecture-how-the-control-plane-and-data-plane-work-together-2nd6 https://forem.com/jamesli/istio-envoy-service-mesh-architecture-how-the-control-plane-and-data-plane-work-together-2nd6 <p>If you've worked with Istio, you've probably heard terms like "control plane," "data plane," "Pilot," and "Envoy sidecar." But how do they actually fit together? In this article, I'll walk through the full architecture — from how Pilot discovers services to how a client request is processed inside Envoy.</p> <h2> Part 1: How Pilot and Envoy Work Together </h2> <p>The Istio control plane component <strong>Pilot</strong> is responsible for bridging Kubernetes and Envoy. Here's the three-step flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ API Server │ └──────────────────────┬──────────────────────────────┘ │ 1. Service discovery │ (Services + Endpoints via client-go Informer) │ 2. Fetch Istio CRDs │ (VirtualService, DestinationRule, etc.) ▼ ┌─────────────────────────────────────────────────────┐ │ Istio Pilot │ │ │ │ Convert: Endpoints + governance policies │ │ → Envoy-compatible xDS format │ └──────────────────────┬──────────────────────────────┘ │ 3. Push via xDS ▼ ┌─────────────────────────────────────────────────────┐ │ Envoy Sidecar │ │ (Listener → Route → Cluster → Endpoint) │ └─────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>Step 1 — Service Discovery:</strong><br> Pilot uses the <code>client-go</code> Informer to watch the Kubernetes API Server, collecting all <code>Service</code> and <code>Endpoints</code> resources across the cluster.</p> <p><strong>Step 2 — Policy Discovery:</strong><br> Pilot also watches for user-defined Istio CRD objects: <code>VirtualService</code>, <code>DestinationRule</code>, <code>Gateway</code>, etc. These define the traffic governance policies.</p> <p><strong>Step 3 — xDS Push:</strong><br> Pilot converts the combined service topology and governance policies into Envoy's native xDS format, then pushes the config to each Envoy sidecar via gRPC streaming.</p> <h2> Part 2: The Four Core Resources in Envoy </h2> <p>Once config is pushed to Envoy, how does a client request actually get processed? It flows through four core resource types:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client Request │ ▼ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────────┐ │ Listener │────▶│ Route │────▶│ Cluster │──LB▶│ Endpoint │ │ (LDS) │ │ (RDS) │ │ (CDS) │ │ (EDS) │ └──────────┘ └──────────┘ └──────────┘ └────────────┘ │ │ L3/L4 Filters Upstream Service </code></pre> </div> <h3> 1. Listener (LDS) </h3> <p>A <strong>Listener</strong> is a port that Envoy opens to accept incoming connections. Multiple Listeners are fully isolated from each other. Beyond port binding, each Listener is configured with L3/L4 filters.</p> <blockquote> <p>Config is managed via <strong>LDS</strong> (Listener Discovery Service).</p> </blockquote> <h3> 2. Cluster (CDS + EDS) </h3> <p>A <strong>Cluster</strong> is the abstraction for an upstream service. Every upstream service maps to exactly one Cluster. Cluster config includes:</p> <ul> <li>Connection timeout</li> <li>Connection pool settings</li> <li>Load balancing policy</li> <li>Health check config</li> <li>Endpoint list</li> </ul> <blockquote> <p>Config is managed via <strong>CDS</strong> (Cluster Discovery Service) + <strong>EDS</strong> (Endpoint Discovery Service).</p> </blockquote> <h3> 3. Route (RDS) </h3> <p><strong>Route</strong> is the bridge between Listeners and Clusters:</p> <ul> <li>Listener receives the request</li> <li>Route decides <em>which Cluster</em> to forward it to</li> <li>Route also handles: Virtual Host definitions, HTTP header manipulation (add/remove/modify), timeout &amp; retry policies</li> </ul> <blockquote> <p>Config is managed via <strong>RDS</strong> (Route Discovery Service).</p> </blockquote> <h3> 4. Filter (Envoy Filter) </h3> <p>Filters are Envoy's <strong>plugin mechanism</strong> — they allow powerful extensions without modifying source code. There are three layers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Filter Layer</th> <th>Scope</th> <th>Examples</th> </tr> </thead> <tbody> <tr> <td><strong>Listener Filter</strong></td> <td>Pre-routing, L3/L4</td> <td>TLS Inspector, HTTP Inspector, Original Destination</td> </tr> <tr> <td><strong>Network Filter</strong></td> <td>L3/L4 connection handling</td> <td>Dubbo proxy, Kafka filter, MySQL proxy, Redis proxy, HTTP Connection Manager</td> </tr> <tr> <td><strong>HTTP Filter</strong></td> <td>L7 HTTP traffic</td> <td>Route matching, Health check, Lua, CSRF, VHDS</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Key insight:</strong> The <strong>HTTP Connection Manager (HCM)</strong> is itself a special Network Filter that manages all HTTP Filters. This layered design is what gives Envoy the ability to support virtually any protocol — and even perform protocol conversion.</p> </blockquote> <h2> Full Architecture: Putting It All Together </h2> <p>Here's how the complete picture looks — from API Server down to upstream services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────┐ │ API Server │ └────────────────────────────┬─────────────────────────────────────┘ │ Services, Endpoints, Istio CRDs ▼ ┌──────────────────────────────────────────────────────────────────┐ │ Istio Pilot │ │ ① Service discovery ② Fetch CRDs ③ Convert &amp; push xDS │ └────────────────────────────┬─────────────────────────────────────┘ │ xDS (gRPC streaming) ▼ ┌──────────────────────────────────────────────────────────────────┐ │ Envoy │ │ │ │ Listener0 ┐ Cluster0 ┐ Endpoint0 │ │ Listener1 ├──Route──────────▶Cluster1 ├──LB────▶Endpoint1 │ │ Listener2 ┘ Cluster2 ┘ Endpoint2 │ │ Endpoint3 │ │ │ │ [Listener Filter] → [Network Filter] → [HTTP Filter] │ └──────────────────────────────────────────────────────────────────┘ │ ▼ Upstream Application Services </code></pre> </div> <h2> Why This Architecture Matters </h2> <p>This design gives Istio several powerful properties:</p> <ol> <li> <strong>Zero-touch config updates</strong> — Envoy never needs to restart. All config changes are pushed via xDS streaming.</li> <li> <strong>Protocol agnostic</strong> — Through Network Filters, Envoy natively supports HTTP, gRPC, Dubbo, Kafka, MySQL, Redis, and more.</li> <li> <strong>Policy separation</strong> — Traffic governance rules (VirtualService, DestinationRule) live in the control plane. The data plane (Envoy) just executes them.</li> <li> <strong>Extensibility</strong> — Custom Envoy Filters allow teams to add any behavior (auth, rate limiting, tracing) without touching application code.</li> </ol> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>Pilot</strong></td> <td>Discovers services + policies, converts to xDS, pushes to Envoy</td> </tr> <tr> <td><strong>Envoy Listener</strong></td> <td>Accepts client connections on configured ports</td> </tr> <tr> <td><strong>Envoy Route</strong></td> <td>Decides which Cluster handles each request</td> </tr> <tr> <td><strong>Envoy Cluster</strong></td> <td>Abstracts upstream services with LB + health check</td> </tr> <tr> <td><strong>Envoy Endpoint</strong></td> <td>The actual upstream instance IP:port</td> </tr> <tr> <td><strong>Envoy Filter</strong></td> <td>Plugin mechanism for L4/L7 traffic manipulation</td> </tr> </tbody> </table></div> <p>Understanding this architecture is the foundation for everything else in Istio — circuit breaking, canary releases, observability. They all build on top of these primitives.</p> <blockquote> <p>💻 Explore the full implementation:<br> <a href="https://github.com/muzinan123/servicemesh" rel="noopener noreferrer">github.com/muzinan123/servicemesh</a></p> <p>📖 Next in this series: Traffic Management in Istio: Circuit Breaking &amp; Rate Limiting</p> </blockquote> architecture kubernetes microservices networking xDS Protocol Deep Dive: The Universal Control Plane API Behind Envoy and Istio James Lee Fri, 22 May 2026 10:13:12 +0000 https://forem.com/jamesli/xds-protocol-deep-dive-the-universal-control-plane-api-behind-envoy-and-istio-2de9 https://forem.com/jamesli/xds-protocol-deep-dive-the-universal-control-plane-api-behind-envoy-and-istio-2de9 <p>When we talk about Istio or Envoy, we often hear terms like "dynamic configuration" and "control plane push." But what exactly is the underlying protocol that makes all of this work? The answer is <strong>xDS</strong>.</p> <p>In this article, I'll do a deep dive into the xDS protocol — what it is, how it works, and why it matters beyond just Service Mesh.</p> <h2> What is xDS? </h2> <p>xDS is a family of <strong>discovery service APIs</strong> that allow a data plane proxy (like Envoy) to dynamically fetch configuration from a management server — without any restart or file reload.</p> <p>The "x" in xDS is a wildcard. It covers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>API</th> <th>Full Name</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><strong>LDS</strong></td> <td>Listener Discovery Service</td> <td>Dynamically manage listeners (ports)</td> </tr> <tr> <td><strong>RDS</strong></td> <td>Route Discovery Service</td> <td>Dynamically manage routing rules</td> </tr> <tr> <td><strong>CDS</strong></td> <td>Cluster Discovery Service</td> <td>Dynamically manage upstream clusters</td> </tr> <tr> <td><strong>EDS</strong></td> <td>Endpoint Discovery Service</td> <td>Dynamically manage cluster endpoints</td> </tr> <tr> <td><strong>SDS</strong></td> <td>Secret Discovery Service</td> <td>Dynamically manage TLS certificates</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Key insight:</strong> xDS is not just for Service Mesh. gRPC also uses xDS for service discovery. It defines a universal, extensible control API for microservices — any configuration can be resolved through discovery.</p> </blockquote> <h2> The Four Core Resources in Envoy </h2> <p>Each xDS type corresponds to a specific resource type. The type is stored in the <code>TypeUrl</code> field of every <code>DiscoveryRequest</code> and <code>DiscoveryResponse</code>, in the format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>type.googleapis.com/&lt;resource type&gt; </code></pre> </div> <p>For example: <code>type.googleapis.com/envoy.api.v2.Cluster</code> means this is a CDS (Cluster) resource.</p> <h3> 1. LDS — Listener Discovery Service </h3> <p>A Listener is a port that Envoy opens to accept incoming connections. It can be configured with L3/L4 filters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"filter_chains"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"listener_filters"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"traffic_direction"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"access_log"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2. RDS — Route Discovery Service </h3> <p>Routes act as the bridge between Listeners and Clusters. They define traffic distribution rules, virtual hosts, header manipulation, timeouts, and retries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"virtual_hosts"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"response_headers_to_add"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"request_headers_to_add"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"validate_clusters"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3. CDS — Cluster Discovery Service </h3> <p>A Cluster is an abstraction of an upstream service. It includes load balancing policy, health checks, circuit breaker config, and TLS settings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"eds_cluster_config"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lb_policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"health_checks"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"circuit_breakers"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outlier_detection"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 4. EDS — Endpoint Discovery Service </h3> <p>EDS is the actual service discovery layer. It returns the live endpoints (IP + port) for a given cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"cluster_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"endpoints"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 5. SDS — Secret Discovery Service </h3> <p>SDS enables <strong>dynamic TLS certificate rotation</strong> without restarting Envoy. In early Istio versions, certificate updates required a hot restart — SDS eliminated that entirely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"tls_certificate"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"validation_context"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> How xDS Works: gRPC Streaming Subscription </h2> <p>Early xDS used REST/JSON polling. Starting from v2, it switched to <strong>gRPC bidirectional streaming</strong>, which provides:</p> <ul> <li>Lower latency for config updates</li> <li>Better performance under high churn</li> <li>Native support for ACK/NACK flow control</li> </ul> <h3> Request Flow for a Typical HTTP Route </h3> <p>The API request order follows the dependency chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LDS → RDS → CDS → EDS </code></pre> </div> <ol> <li>Envoy fetches <strong>Listeners</strong> (LDS) to know which ports to open</li> <li>From the Listener config, it gets the <strong>Route</strong> name → fetches Routes (RDS)</li> <li>Routes reference <strong>Clusters</strong> → fetches Clusters (CDS)</li> <li>Clusters need live <strong>Endpoints</strong> → fetches Endpoints (EDS)</li> </ol> <h3> Full Subscription vs. Delta (Incremental) Subscription </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mode</th> <th>Behavior</th> </tr> </thead> <tbody> <tr> <td><strong>Full (SotW)</strong></td> <td>Management server returns all subscribed resources on every update</td> </tr> <tr> <td><strong>Delta (Incremental)</strong></td> <td>Only changed resources are sent — much more efficient at scale</td> </tr> </tbody> </table></div> <h2> xDS Protocol Deep Dive </h2> <h3> Request Message Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version_info</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="c1"># empty = first request</span> <span class="na">node</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s">envoy</span> <span class="c1"># unique node identifier (e.g. hostname)</span> <span class="na">resource_names</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">foo</span> <span class="pi">-</span> <span class="s">bar</span> <span class="na">type_url</span><span class="pi">:</span> <span class="s">type.googleapis.com/envoy.api.v2.ClusterLoadAssignment</span> <span class="na">response_nonce</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="c1"># empty = first request</span> </code></pre> </div> <p>Key fields:</p> <ul> <li> <strong><code>version_info</code></strong>: empty on first request; subsequent requests echo the server's version</li> <li> <strong><code>node.id</code></strong>: only required on the first message per stream</li> <li> <strong><code>resource_names</code></strong>: the specific resources being subscribed to</li> <li> <strong><code>response_nonce</code></strong>: used to correlate ACK/NACK with a specific server push</li> </ul> <h3> Response Message Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version_info</span><span class="pi">:</span> <span class="s">X</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">foo ClusterLoadAssignment proto encoding</span> <span class="pi">-</span> <span class="s">bar ClusterLoadAssignment proto encoding</span> <span class="na">type_url</span><span class="pi">:</span> <span class="s">type.googleapis.com/envoy.api.v2.ClusterLoadAssignment</span> <span class="na">nonce</span><span class="pi">:</span> <span class="s">A</span> </code></pre> </div> <h2> ACK and NACK </h2> <p>After receiving a push from the management server, Envoy responds with either:</p> <ul> <li>✅ <strong>ACK</strong>: Config applied successfully → sends back the <strong>new</strong> <code>version_info</code> </li> <li>❌ <strong>NACK</strong>: Config failed to apply → sends back the <strong>old</strong> <code>version_info</code> with an error detail</li> </ul> <p>This gives the control plane full visibility into whether each Envoy instance has successfully adopted a new config.</p> <h2> Resource Update &amp; The Nonce Problem </h2> <p>Here's where it gets interesting. Consider this scenario:</p> <ol> <li>Envoy subscribes to cluster <code>foo</code> (version X, nonce A)</li> <li>Management server pushes a new version Y (nonce B) because <code>foo</code>'s endpoints changed</li> <li> <strong>At the same time</strong>, Envoy wants to add a new subscription to cluster <code>bar</code> </li> </ol> <p>If Envoy sends a new <code>DiscoveryRequest</code> with <code>version_info=X</code> and <code>resource_names=[foo, bar]</code>, the management server might misinterpret this as a <strong>NACK for version Y</strong>.</p> <p><strong>Solution: Nonce</strong></p> <p>The nonce uniquely identifies each push. Envoy's new subscription request carries <code>nonce=A</code> (from its last ACK), while the version Y push has <code>nonce=B</code>. The management server can distinguish between them unambiguously.</p> <blockquote> <p><strong>Istio's pragmatic approach:</strong> Istio's control plane (Pilot) doesn't strictly follow the nonce/version_info spec. Instead, it checks whether the <code>resource_names</code> (Clusters list) has actually changed. If yes, it treats the request as a resource update rather than ACK/NACK. Simpler and easier to reason about.</p> </blockquote> <h2> Summary </h2> <p>xDS is the backbone of Envoy's dynamic configuration system. Understanding it is essential for anyone working with Istio, Envoy-based gateways, or building custom control planes.</p> <p>Key takeaways:</p> <ul> <li> <strong>LDS → RDS → CDS → EDS</strong> is the standard dependency chain</li> <li> <strong>gRPC streaming</strong> replaced REST polling for real-time, low-latency updates</li> <li> <strong>Nonce</strong> solves the ACK/NACK ambiguity problem in concurrent update scenarios</li> <li> <strong>SDS</strong> enables zero-downtime certificate rotation</li> <li>xDS is <strong>not Istio-specific</strong> — gRPC and other frameworks use it too</li> </ul> <blockquote> <p>💻 Explore the full Istio + Envoy implementation:<br> <a href="https://github.com/muzinan123/servicemesh" rel="noopener noreferrer">github.com/muzinan123/servicemesh</a></p> <p>📖 Next in this series: Istio &amp; Envoy Service Mesh Architecture</p> </blockquote> api distributedsystems microservices networking client-go Deep Dive: Operator in Practice — Building a Canary Release Controller James Lee Tue, 19 May 2026 10:10:38 +0000 https://forem.com/jamesli/client-go-deep-dive-operator-in-practice-building-a-canary-release-controller-1pia https://forem.com/jamesli/client-go-deep-dive-operator-in-practice-building-a-canary-release-controller-1pia <p>In the previous article we defined the Canary CRD. Now we build the <strong>Operator</strong>: the controller that watches Canary resources and drives the actual release process. This is the final article in the series — everything we've covered comes together here.</p> <h2> 1. What Is an Operator? </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Operator = CRD (schema) + Controller (reconciliation logic) ┌──────────────────────────────────────────────────────┐ │ Kubernetes Controller Manager │ │ manages built-in controllers: │ │ DeploymentController, ReplicaSetController, ... │ └──────────────────────────────────────────────────────┘ + ┌──────────────────────────────────────────────────────┐ │ Your Operator │ │ = CRD (Canary) + CanaryController │ │ encodes domain knowledge: │ │ "how to safely roll out a new version in batches" │ └──────────────────────────────────────────────────────┘ </code></pre> </div> <blockquote> <p><strong>Operator = a Kubernetes extension that solves domain-specific problems the platform itself doesn't know how to solve.</strong></p> </blockquote> <h2> 2. Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>canary-controller/ ├── main.go ← controller entrypoint ├── go.mod ├── manifests/ │ └── crd-canary.yaml ← CRD definition (Part 8) └── pkg/ ├── apis/ │ └── canarycontroller/ │ ├── register.go ← GroupName constant │ └── v1alpha1/ │ ├── doc.go ← code-gen annotations │ ├── types.go ← Canary/CanarySpec/CanaryStatus │ └── register.go ← register types with runtime.Scheme ├── controllers/ │ └── canary_controller.go ← all reconciliation logic ├── generated/ ← auto-generated by code-generator │ ├── clientset/ ← typed Canary clientset │ ├── informers/ ← typed Canary informer │ └── listers/ ← typed Canary lister └── signals/ ← OS signal handling (SIGTERM/SIGINT) </code></pre> </div> <h2> 3. Generating the Typed Client Code </h2> <p>The built-in <code>kubernetes.Clientset</code> only supports built-in resources. For your CRD, you need a generated typed client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/kubernetes/code-generator <span class="nv">$GOPATH</span>/src/k8s.io/code-generator <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/code-generator <span class="o">&amp;&amp;</span> ./generate-groups.sh all <span class="se">\</span> canary-controller/pkg/client <span class="se">\ </span> ← output canary-controller/pkg/apis <span class="se">\ </span> ← input: your types canarycontroller:v1alpha1 </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Generated output</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>zz_generated.deepcopy.go</code></td> <td> <code>DeepCopy()</code> for all types</td> </tr> <tr> <td><code>generated/clientset/</code></td> <td> <code>CanarycontrollerV1alpha1().Canaries(ns)</code> — typed CRUD</td> </tr> <tr> <td><code>generated/informers/</code></td> <td>Typed <code>CanaryInformer</code> with <code>Lister()</code> and <code>HasSynced()</code> </td> </tr> <tr> <td><code>generated/listers/</code></td> <td> <code>CanaryLister</code> — fast local cache queries</td> </tr> </tbody> </table></div> <h2> 4. Controller Struct &amp; Wiring </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Controller</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">kubeclientset</span> <span class="n">kubernetes</span><span class="o">.</span><span class="n">Interface</span> <span class="c">// for built-in resources (Deployment)</span> <span class="n">canaryclientset</span> <span class="n">clientset</span><span class="o">.</span><span class="n">Interface</span> <span class="c">// for Canary resources (generated)</span> <span class="n">deploymentsLister</span> <span class="n">appslisters</span><span class="o">.</span><span class="n">DeploymentLister</span> <span class="n">deploymentsSynced</span> <span class="n">cache</span><span class="o">.</span><span class="n">InformerSynced</span> <span class="n">canariesLister</span> <span class="n">listers</span><span class="o">.</span><span class="n">CanaryLister</span> <span class="n">canariesSynced</span> <span class="n">cache</span><span class="o">.</span><span class="n">InformerSynced</span> <span class="n">workqueue</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">RateLimitingInterface</span> <span class="n">recorder</span> <span class="n">record</span><span class="o">.</span><span class="n">EventRecorder</span> <span class="p">}</span> </code></pre> </div> <p>In <code>NewController</code>, two event subscriptions are registered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>① Canary Add/Update → enqueueCanary() → workqueue.Add(key) Direct: user changed Canary spec → reconcile immediately ② Deployment Add/Update/Delete → handleObject() → find owning Canary by name prefix → enqueueCanary() Indirect: managed Deployment changed state → re-check Canary </code></pre> </div> <h2> 5. Run → Worker → syncHandler </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>controller.Run(threadiness=2, stopCh) │ ├── cache.WaitForCacheSync() ← block until Indexer ready │ └── 2× goroutine: runWorker() └── processNextWorkItem() ├── workqueue.Get(key) ├── syncHandler(key) │ ├── OK → workqueue.Forget(key) │ └── ERR → workqueue.AddRateLimited(key) ← backoff retry └── workqueue.Done(key) </code></pre> </div> <p><code>syncHandler</code> is the reconciliation core — it reads the Canary spec and routes to the correct release strategy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">Controller</span><span class="p">)</span> <span class="n">syncHandler</span><span class="p">(</span><span class="n">key</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// ① Fetch from local cache — no API Server call</span> <span class="n">canary</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">canariesLister</span><span class="o">.</span><span class="n">Canaries</span><span class="p">(</span><span class="n">namespace</span><span class="p">)</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="c">// ② Route to release strategy</span> <span class="k">switch</span> <span class="n">canary</span><span class="o">.</span><span class="n">Spec</span><span class="o">.</span><span class="n">Info</span><span class="p">[</span><span class="s">"type"</span><span class="p">]</span> <span class="p">{</span> <span class="k">case</span> <span class="s">"NormalDeploy"</span><span class="o">:</span> <span class="n">c</span><span class="o">.</span><span class="n">normalDeploy</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="k">case</span> <span class="s">"CanaryDeploy"</span><span class="o">:</span> <span class="n">c</span><span class="o">.</span><span class="n">firstCanaryDeploy</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="n">or</span> <span class="n">c</span><span class="o">.</span><span class="n">notFirstCanaryDeploy</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="k">case</span> <span class="s">"CanaryRollback"</span><span class="o">:</span> <span class="n">c</span><span class="o">.</span><span class="n">canaryRollback</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="p">}</span> <span class="c">// ③ Update status + emit Event</span> <span class="n">c</span><span class="o">.</span><span class="n">updateCanaryStatus</span><span class="p">(</span><span class="n">canary</span><span class="p">,</span> <span class="n">deployment</span><span class="p">)</span> <span class="n">c</span><span class="o">.</span><span class="n">recorder</span><span class="o">.</span><span class="n">Event</span><span class="p">(</span><span class="n">canary</span><span class="p">,</span> <span class="n">corev1</span><span class="o">.</span><span class="n">EventTypeNormal</span><span class="p">,</span> <span class="n">SuccessSynced</span><span class="p">,</span> <span class="o">...</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> 6. The Three Release Strategies </h2> <h3> NormalDeploy — Rolling Update </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Deployment exists? ├── No → Create └── Yes → image / replicas / CPU / memory drifted? → Update </code></pre> </div> <p>Standard Kubernetes rolling update. No batching, no pause. The controller simply ensures the Deployment matches what's declared in the Canary spec.</p> <h3> CanaryDeploy — Batched Release </h3> <p>Splits the rollout into N batches. <strong>Batch 1 always pauses</strong> for human approval; subsequent batches auto-advance (when <code>pauseType=First</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Example: 4 replicas, 2 batches, pauseType=First Start: [v1][v1][v1][v1] old=4, new=0 Batch 1: [v2][v1][v1][v1] old=3, new=1 │ └── PAUSE — wait for: kubectl patch canary ... currentBatch=2 Batch 2: [v2][v2][v2][v2] old=0, new=4 → old Deployment deleted ✅ </code></pre> </div> <p><strong>Replica calculation per batch:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>everyAddReplicas = round(totalReplicas / totalBatches) batch N target replicas = 1 + (N-1) × everyAddReplicas final batch = totalReplicas (full rollout) old replicas = totalReplicas - new.AvailableReplicas </code></pre> </div> <p>The controller continuously reconciles both Deployments — if anything drifts (pod crash, manual edit), the next reconcile loop corrects it automatically.</p> <h3> CanaryRollback — Reverse the Canary </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Rollback type? ├── NormalDeploy rollback: │ old.Name == new.Name → just update image back, no second Deployment │ └── CanaryDeploy rollback: Restore old version replicas while draining new version new.AvailableReplicas → 0 → delete new Deployment ✅ </code></pre> </div> <h2> 7. Status Reporting: updateCanaryStatus </h2> <p>After every reconcile, the controller updates the Canary's <code>status</code> subresource to reflect real-time progress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CanaryDeploy: batch N running → status.info["batchNStatus"] = "Ing" batch N complete → status.info["batchNStatus"] = "Finished" availableReplicas updated on every loop CanaryRollback: old Deployment still exists → status.info["rollbackStatus"] = "Ing" old Deployment deleted → status.info["rollbackStatus"] = "Finished" NormalDeploy: no status update needed </code></pre> </div> <blockquote> <p><strong>Always <code>DeepCopy()</code> before mutating</strong> — the object from Lister is a read-only reference to the Indexer cache. Modifying it directly corrupts the local cache.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">canaryCopy</span> <span class="o">:=</span> <span class="n">canary</span><span class="o">.</span><span class="n">DeepCopy</span><span class="p">()</span> <span class="c">// ✅ safe to mutate</span> <span class="n">canaryCopy</span><span class="o">.</span><span class="n">Status</span><span class="o">.</span><span class="n">Info</span><span class="p">[</span><span class="o">...</span><span class="p">]</span> <span class="o">=</span> <span class="s">"Finished"</span> <span class="n">c</span><span class="o">.</span><span class="n">canaryclientset</span><span class="o">.</span><span class="n">CanarycontrollerV1alpha1</span><span class="p">()</span><span class="o">.</span> <span class="n">Canaries</span><span class="p">(</span><span class="n">ns</span><span class="p">)</span><span class="o">.</span><span class="n">UpdateStatus</span><span class="p">(</span><span class="n">canaryCopy</span><span class="p">,</span> <span class="o">...</span><span class="p">)</span> </code></pre> </div> <h2> 8. Complete Execution Flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">main</span><span class="o">.</span><span class="k">go</span> <span class="err">└──</span> <span class="n">NewController</span><span class="p">(</span><span class="n">kubeclientset</span><span class="p">,</span> <span class="n">canaryclientset</span><span class="p">,</span> <span class="n">deployInformer</span><span class="p">,</span> <span class="n">canaryInformer</span><span class="p">)</span> <span class="err">├──</span> <span class="n">AddEventHandler</span><span class="p">(</span><span class="n">Canary</span><span class="p">)</span> <span class="err">→</span> <span class="n">enqueueCanary</span> <span class="err">└──</span> <span class="n">AddEventHandler</span><span class="p">(</span><span class="n">Deployment</span><span class="p">)</span> <span class="err">→</span> <span class="n">handleObject</span> <span class="err">→</span> <span class="n">enqueueCanary</span> <span class="n">factory</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">→</span> <span class="n">Reflector</span> <span class="n">List</span><span class="o">/</span><span class="n">Watch</span> <span class="p">(</span><span class="n">Deployment</span> <span class="o">+</span> <span class="n">Canary</span><span class="p">)</span> <span class="n">cache</span><span class="o">.</span><span class="n">WaitForCacheSync</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="err">→</span> <span class="n">wait</span> <span class="k">for</span> <span class="n">Indexer</span> <span class="n">fully</span> <span class="n">populated</span> <span class="n">controller</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="m">2</span><span class="p">,</span> <span class="n">stopCh</span><span class="p">)</span> <span class="err">└──</span> <span class="n">syncHandler</span><span class="p">(</span><span class="s">"tech-prod/go-hello-canary"</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">canariesLister</span><span class="o">.</span><span class="n">Get</span><span class="p">()</span> <span class="err">←</span> <span class="n">Indexer</span> <span class="p">(</span><span class="n">no</span> <span class="n">API</span> <span class="n">call</span><span class="p">)</span> <span class="err">├──</span> <span class="k">switch</span> <span class="k">type</span><span class="o">:</span> <span class="err">│</span> <span class="n">NormalDeploy</span> <span class="err">→</span> <span class="n">Create</span> <span class="n">or</span> <span class="n">Update</span> <span class="n">Deployment</span> <span class="err">│</span> <span class="n">CanaryDeploy</span> <span class="err">→</span> <span class="n">Batch</span> <span class="m">1</span><span class="o">:</span> <span class="nb">new</span><span class="o">=</span><span class="m">1</span><span class="p">,</span> <span class="n">old</span><span class="o">=</span><span class="n">N</span><span class="o">-</span><span class="m">1</span><span class="p">,</span> <span class="n">PAUSE</span> <span class="err">│</span> <span class="n">Batch</span> <span class="n">N</span><span class="o">:</span> <span class="nb">new</span><span class="o">=</span><span class="n">total</span><span class="p">,</span> <span class="n">old</span><span class="o">=</span><span class="m">0</span><span class="p">,</span> <span class="n">DELETE</span> <span class="n">old</span> <span class="err">│</span> <span class="n">CanaryRollback</span> <span class="err">→</span> <span class="n">drain</span> <span class="nb">new</span><span class="p">,</span> <span class="n">restore</span> <span class="n">old</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">updateCanaryStatus</span><span class="p">()</span> <span class="err">←</span> <span class="n">PATCH</span> <span class="o">/</span><span class="n">status</span> <span class="err">└──</span> <span class="n">recorder</span><span class="o">.</span><span class="n">Event</span><span class="p">(</span><span class="n">SuccessSynced</span><span class="p">)</span> </code></pre> </div> <h2> 9. Key Design Principles </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Principle</th> <th>How</th> </tr> </thead> <tbody> <tr> <td><strong>Never mutate cache objects</strong></td> <td>Always <code>DeepCopy()</code> before modifying</td> </tr> <tr> <td><strong>Read cache, write API</strong></td> <td> <code>Lister.Get()</code> for reads; <code>clientset.Update()</code> for writes</td> </tr> <tr> <td><strong>Idempotent reconciliation</strong></td> <td>Every loop checks actual vs desired — safe to re-run</td> </tr> <tr> <td><strong>Ownership</strong></td> <td> <code>OwnerReferences</code> ensures Deployments are GC'd with their Canary</td> </tr> <tr> <td><strong>Error → retry</strong></td> <td> <code>workqueue.AddRateLimited(key)</code> — exponential backoff on failure</td> </tr> </tbody> </table></div> <h2> Series Complete 🎉 </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Article</th> <th>Key concept</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Informer</td> <td>List/Watch, SharedInformerFactory</td> </tr> <tr> <td>2</td> <td>Reflector</td> <td>ListerWatcher, ListAndWatch, ResourceVersion</td> </tr> <tr> <td>3</td> <td>DeltaFIFO</td> <td>queue+items, produce/consume, HandleDeltas</td> </tr> <tr> <td>4</td> <td>Indexer</td> <td>ThreadSafeMap, IndexFunc, ByIndex</td> </tr> <tr> <td>5</td> <td>WorkQueue</td> <td>Deduplication, Exponential Backoff, Token Bucket</td> </tr> <tr> <td>6</td> <td>EventBroadcaster</td> <td>Event resource, Recorder, Sink</td> </tr> <tr> <td>7</td> <td>Controller (internal)</td> <td>Run, processLoop, WaitForCacheSync</td> </tr> <tr> <td>8</td> <td>CRD</td> <td>Schema, Go types, spec/status contract</td> </tr> <tr> <td>9</td> <td><strong>Operator in Practice</strong></td> <td><strong>Full canary release controller end-to-end</strong></td> </tr> </tbody> </table></div> <p><em>Thank you for following the series. If you found it useful, share it with your team!</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> devops go kubernetes tutorial client-go Deep Dive: CRD — Extending the Kubernetes API with Custom Resources James Lee Tue, 19 May 2026 10:10:13 +0000 https://forem.com/jamesli/client-go-deep-dive-crd-extending-the-kubernetes-api-with-custom-resources-5cc3 https://forem.com/jamesli/client-go-deep-dive-crd-extending-the-kubernetes-api-with-custom-resources-5cc3 <p>In the previous seven articles we've thoroughly explored the Informer framework — Reflector, DeltaFIFO, Indexer, WorkQueue, EventBroadcaster, and the internal Controller. Now we shift from framework internals to <strong>application development</strong>: building your own Kubernetes extensions with <strong>CRD</strong> and <strong>Operator</strong>.</p> <p>This article covers CRD — the foundation. The next article will build the Operator (controller) on top of it.</p> <h2> 1. The Kubernetes Declarative Model </h2> <p>Before defining a CRD, it's worth understanding <em>why</em> CRDs exist.</p> <p>Kubernetes is built on a <strong>declarative model</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ Kubernetes Declarative Model │ │ │ │ User declares desired state: │ │ "I want 3 replicas of nginx running" │ │ │ │ │ ▼ │ │ API Server stores it in etcd │ │ │ │ │ ▼ │ │ Controller Manager watches for drift: │ │ actual state ≠ desired state → take action │ │ │ │ │ ▼ │ │ Actual state converges to desired state │ │ (user never specifies HOW — only WHAT) │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Built-in resources (Deployment, StatefulSet, DaemonSet, Service, Ingress, ConfigMap…) cover most use cases. But when they don't, Kubernetes provides two extension mechanisms:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mechanism</th> <th>What it provides</th> </tr> </thead> <tbody> <tr> <td> <strong>CRD</strong> (Custom Resource Definition)</td> <td>A new resource type — defines the schema</td> </tr> <tr> <td> <strong>Operator</strong> (Custom Controller)</td> <td>The reconciliation logic — watches the CRD and acts on it</td> </tr> </tbody> </table></div> <blockquote> <p><strong>CRD = the "what". Operator = the "how".</strong></p> </blockquote> <h2> 2. Anatomy of a CRD YAML </h2> <p>Here's a complete CRD definition for a canary deployment resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apiextensions.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CustomResourceDefinition</span> <span class="na">metadata</span><span class="pi">:</span> <span class="c1"># Format: {plural}.{group}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">canaries.canarycontroller.tech.com</span> <span class="na">annotations</span><span class="pi">:</span> <span class="s2">"</span><span class="s">api-approved.kubernetes.io"</span><span class="err">:</span> <span class="s2">"</span><span class="s">https://github.com/kubernetes/kubernetes/pull/78458"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># API group — appears in REST path: /apis/{group}/{version}</span> <span class="na">group</span><span class="pi">:</span> <span class="s">canarycontroller.tech.com</span> <span class="na">versions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1alpha1</span> <span class="na">served</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># this version is active and served by the API Server</span> <span class="na">storage</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># this version is used for storage in etcd (only one allowed)</span> <span class="c1"># Namespaced: resource belongs to a specific namespace</span> <span class="c1"># Cluster: resource is cluster-wide (like Node, PersistentVolume)</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">Namespaced</span> <span class="na">names</span><span class="pi">:</span> <span class="na">plural</span><span class="pi">:</span> <span class="s">canaries</span> <span class="c1"># kubectl get canaries</span> <span class="na">singular</span><span class="pi">:</span> <span class="s">canary</span> <span class="c1"># kubectl get canary</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Canary</span> <span class="c1"># used in YAML: kind: Canary</span> <span class="na">shortNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">can</span> <span class="c1"># kubectl get can</span> <span class="na">subresources</span><span class="pi">:</span> <span class="na">status</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># enables /status subresource (separate update endpoint)</span> </code></pre> </div> <h3> Key fields explained </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────┐ │ metadata.name = "canaries.canarycontroller.tech.com" │ │ ──────── ────────────────────── │ │ plural group │ │ name name │ └──────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────┐ │ REST API path after registration: │ │ /apis/canarycontroller.tech.com/v1alpha1/namespaces/{ns}/canaries│ │ ──────────────────────── ──────── │ │ group version │ └──────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────┐ │ subresources.status: {} │ │ → enables separate /status endpoint │ │ → controller updates status via PATCH /status │ │ → user updates spec via PATCH /spec │ │ → prevents spec/status update conflicts │ └──────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Register the CRD with the cluster </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Apply the CRD definition</span> kubectl create <span class="nt">-f</span> crd-canary.yaml <span class="c"># Verify it's registered</span> kubectl get crd canaries.canarycontroller.tech.com <span class="c"># The new resource type is now available</span> kubectl get canaries <span class="nt">--all-namespaces</span> kubectl get can <span class="nt">-n</span> tech-prod </code></pre> </div> <h2> 3. A Custom Resource Instance </h2> <p>Once the CRD is registered, you can create instances of it — just like built-in resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">canarycontroller.tech.com/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Canary</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">go-hello-canary</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">tech-prod</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">go-hello</span> <span class="na">tech.com/clusterId</span><span class="pi">:</span> <span class="s">prod</span> <span class="c1"># Auto-populated by API Server:</span> <span class="c1"># resourceVersion: "430698608"</span> <span class="c1"># uid: c5bb13a2-b2be-11ea-8fef-e4434b7c7170</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">info</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">CanaryDeploy</span> <span class="na">totalBatches</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="c1"># deploy in 2 batches</span> <span class="na">currentBatch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">pauseType</span><span class="pi">:</span> <span class="s">First</span> <span class="c1"># pause after first batch — wait for human approval</span> <span class="na">newDeploymentYaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="c1"># full YAML of the new version deployment</span> <span class="s">...</span> <span class="na">oldDeploymentYaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="c1"># full YAML of the current version deployment</span> <span class="s">...</span> <span class="na">status</span><span class="pi">:</span> <span class="na">info</span><span class="pi">:</span> <span class="na">availableReplicas</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4"</span> <span class="na">batch2Status</span><span class="pi">:</span> <span class="s">Finished</span> </code></pre> </div> <p><strong>What this describes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go-hello application canary release strategy: ┌─────────────────────────────────────────────────────────┐ │ Total instances: 4 │ │ Release strategy: 2 batches │ │ Batch 1: deploy 2 new instances → PAUSE │ │ (wait for human approval via kubectl patch) │ │ Batch 2: deploy remaining 2 instances → DONE │ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> 4. Go Type Definitions for the CRD </h2> <p>To build a controller for this CRD, you need to define the corresponding Go types. These are what <code>code-generator</code> will use to generate the typed client, informer, and lister code.</p> <h3> Directory structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pkg/ └── apis/ └── canarycontroller/ ├── register.go ← group name constant └── v1alpha1/ ├── doc.go ← code-gen annotations ├── types.go ← CRD Go type definitions ← main file └── register.go ← register types with scheme </code></pre> </div> <h3> register.go — group name </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// pkg/apis/canarycontroller/register.go</span> <span class="k">package</span> <span class="n">canarycontroller</span> <span class="k">const</span> <span class="p">(</span> <span class="n">GroupName</span> <span class="o">=</span> <span class="s">"canarycontroller.tech.com"</span> <span class="p">)</span> </code></pre> </div> <h3> doc.go — code generation annotations </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// pkg/apis/canarycontroller/v1alpha1/doc.go</span> <span class="c">// +k8s:deepcopy-gen=package</span> <span class="c">// +groupName=canarycontroller.tech.com</span> <span class="k">package</span> <span class="n">v1alpha1</span> </code></pre> </div> <h3> types.go — the core type definitions </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// pkg/apis/canarycontroller/v1alpha1/types.go</span> <span class="k">package</span> <span class="n">v1alpha1</span> <span class="k">import</span> <span class="n">metav1</span> <span class="s">"k8s.io/apimachinery/pkg/apis/meta/v1"</span> <span class="c">// +genclient</span> <span class="c">// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object</span> <span class="c">// Canary is the Schema for the canaries API</span> <span class="k">type</span> <span class="n">Canary</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">metav1</span><span class="o">.</span><span class="n">TypeMeta</span> <span class="s">`json:",inline"`</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ObjectMeta</span> <span class="s">`json:"metadata,omitempty"`</span> <span class="n">Spec</span> <span class="n">CanarySpec</span> <span class="s">`json:"spec,omitempty"`</span> <span class="n">Status</span> <span class="n">CanaryStatus</span> <span class="s">`json:"status,omitempty"`</span> <span class="p">}</span> <span class="c">// CanarySpec defines the desired state of a Canary release</span> <span class="k">type</span> <span class="n">CanarySpec</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Info</span> <span class="n">CanaryInfo</span> <span class="s">`json:"info"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">CanaryInfo</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">// "CanaryDeploy" or "ABTest"</span> <span class="n">Type</span> <span class="kt">string</span> <span class="s">`json:"type"`</span> <span class="c">// Total number of batches to roll out</span> <span class="n">TotalBatches</span> <span class="kt">string</span> <span class="s">`json:"totalBatches"`</span> <span class="c">// Current batch being processed</span> <span class="n">CurrentBatch</span> <span class="kt">string</span> <span class="s">`json:"currentBatch"`</span> <span class="c">// "First": pause after first batch and wait for approval</span> <span class="c">// "None": roll out all batches automatically</span> <span class="n">PauseType</span> <span class="kt">string</span> <span class="s">`json:"pauseType"`</span> <span class="c">// Full YAML of the new version Deployment</span> <span class="n">NewDeploymentYaml</span> <span class="kt">string</span> <span class="s">`json:"newDeploymentYaml"`</span> <span class="c">// Full YAML of the current version Deployment</span> <span class="n">OldDeploymentYaml</span> <span class="kt">string</span> <span class="s">`json:"oldDeploymentYaml"`</span> <span class="p">}</span> <span class="c">// CanaryStatus defines the observed state (written by the controller)</span> <span class="k">type</span> <span class="n">CanaryStatus</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Info</span> <span class="n">CanaryStatusInfo</span> <span class="s">`json:"info,omitempty"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">CanaryStatusInfo</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">AvailableReplicas</span> <span class="kt">string</span> <span class="s">`json:"availableReplicas,omitempty"`</span> <span class="n">Batch1Status</span> <span class="kt">string</span> <span class="s">`json:"batch1Status,omitempty"`</span> <span class="n">Batch2Status</span> <span class="kt">string</span> <span class="s">`json:"batch2Status,omitempty"`</span> <span class="p">}</span> <span class="c">// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object</span> <span class="c">// CanaryList is required by the API machinery for List operations</span> <span class="k">type</span> <span class="n">CanaryList</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">metav1</span><span class="o">.</span><span class="n">TypeMeta</span> <span class="s">`json:",inline"`</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListMeta</span> <span class="s">`json:"metadata"`</span> <span class="n">Items</span> <span class="p">[]</span><span class="n">Canary</span> <span class="s">`json:"items"`</span> <span class="p">}</span> </code></pre> </div> <h3> Code generation annotations explained </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Annotation</th> <th>Effect</th> </tr> </thead> <tbody> <tr> <td><code>// +genclient</code></td> <td>Generate a typed client (<code>CanaryInterface</code>) for this type</td> </tr> <tr> <td><code>// +k8s:deepcopy-gen:interfaces=...</code></td> <td>Generate <code>DeepCopyObject()</code> — required by <code>runtime.Object</code> </td> </tr> <tr> <td><code>// +k8s:deepcopy-gen=package</code></td> <td>Generate <code>DeepCopy()</code> for all types in this package</td> </tr> <tr> <td><code>// +groupName=...</code></td> <td>Set the API group for generated code</td> </tr> </tbody> </table></div> <h2> 5. Spec vs Status: The Controller Contract </h2> <p>The separation of <code>spec</code> and <code>status</code> is a fundamental Kubernetes design pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ spec — desired state │ │ Written by: the user (kubectl apply) │ │ Read by: the controller │ │ │ │ status — observed state │ │ Written by: the controller (via /status subresource) │ │ Read by: the user (kubectl get/describe) │ └─────────────────────────────────────────────────────────────┘ Controller reconciliation loop: ┌──────────────────────────────────────────────────────────────┐ │ │ │ Read spec → compare with status → take action │ │ │ │ │ ▼ │ │ update status │ │ (reflect new reality) │ └──────────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Enabling <code>subresources.status: {}</code> in the CRD YAML is critical — it creates a separate <code>/status</code> API endpoint, which means:</p> <ul> <li>Users updating <code>spec</code> won't accidentally overwrite <code>status</code> </li> <li>Controllers updating <code>status</code> won't accidentally overwrite <code>spec</code> </li> <li>RBAC can grant different permissions for spec vs status updates</li> </ul> <h2> 6. The CRD Lifecycle </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Step 1: Define the CRD schema (YAML) kubectl create -f crd-canary.yaml → API Server registers new resource type → REST endpoint /apis/canarycontroller.tech.com/v1alpha1/... becomes available Step 2: Define Go types (types.go) → mirrors the CRD schema in Go structs Step 3: Run code-generator → generates typed client (Clientset) → generates typed Informer + Lister → generates DeepCopy methods Step 4: Create resource instances kubectl apply -f canary-go-hello.yaml → Canary object stored in etcd Step 5: Controller watches and reconciles → Informer watches Canary resources → Controller reads spec, takes action, updates status → Desired state converges to actual state </code></pre> </div> <h2> 7. Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>CRD</strong></td> <td>Registers a new resource type with the API Server — no code required</td> </tr> <tr> <td><strong>Custom Resource</strong></td> <td>An instance of a CRD — stored in etcd, managed via kubectl</td> </tr> <tr> <td><strong>spec</strong></td> <td>Desired state — written by users, read by controllers</td> </tr> <tr> <td><strong>status</strong></td> <td>Observed state — written by controllers, read by users</td> </tr> <tr> <td><strong>subresources.status</strong></td> <td>Separates spec/status update paths — prevents conflicts</td> </tr> <tr> <td><strong>scope</strong></td> <td> <code>Namespaced</code> or <code>Cluster</code> — determines resource visibility</td> </tr> <tr> <td><strong>group/version</strong></td> <td>Forms the REST API path: <code>/apis/{group}/{version}/...</code> </td> </tr> <tr> <td><strong>code-generator</strong></td> <td>Generates typed client, Informer, Lister, and DeepCopy from Go types</td> </tr> </tbody> </table></div> <p>CRD is the "schema" half of the Operator pattern. It extends the Kubernetes API with your domain-specific resource types — giving you the same declarative, watch-driven, etcd-backed machinery that built-in resources enjoy. The controller (Operator) is what brings those resources to life.</p> <p><em>Next in this series: Operator in Practice: Building a Canary Release Controller (Part 9 — Final)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> api go kubernetes tutorial client-go Deep Dive: Controller — The Central Hub That Wires the Informer Framework Together James Lee Tue, 19 May 2026 10:09:48 +0000 https://forem.com/jamesli/client-go-deep-dive-controller-the-central-hub-that-wires-the-informer-framework-together-1p1d https://forem.com/jamesli/client-go-deep-dive-controller-the-central-hub-that-wires-the-informer-framework-together-1p1d <p>Over the past six articles we've examined each component of the Informer framework individually. Now it's time to look at the component that <strong>wires them all together</strong>: the Informer-internal <strong>Controller</strong>.</p> <blockquote> <p>⚠️ <strong>Naming clarification:</strong> The "Controller" in this article is <code>k8s.io/client-go/tools/cache/controller.go</code> — the <strong>Informer-internal orchestrator</strong>. It is NOT the same as the business-logic controller you write to reconcile custom resources. We'll call it the <strong>Informer Controller</strong> throughout this article to avoid confusion.</p> </blockquote> <p>Source: <code>k8s.io/client-go/tools/cache/controller.go</code></p> <h2> 1. The Two Types of "Controller" in Kubernetes </h2> <p>Before diving in, let's be precise about terminology:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────┐ │ Type A: Informer Controller (this article) │ │ Package: k8s.io/client-go/tools/cache │ │ Role: internal orchestrator — starts Reflector, drives │ │ processLoop, connects DeltaFIFO → Indexer + callbacks │ │ You never instantiate this directly. │ └──────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────┐ │ Type B: Your Application Controller │ │ Package: your codebase │ │ Role: business logic — reconciles desired vs actual state │ │ using WorkQueue + Lister + Clientset │ │ You write and own this. │ └──────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> 2. The Controller Struct </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// k8s.io/client-go/tools/cache/controller.go</span> <span class="k">type</span> <span class="n">controller</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">config</span> <span class="n">Config</span> <span class="c">// all dependencies injected here</span> <span class="n">reflector</span> <span class="o">*</span><span class="n">Reflector</span> <span class="c">// created from config at startup</span> <span class="n">reflectorMutex</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">clock</span> <span class="n">clock</span><span class="o">.</span><span class="n">Clock</span> <span class="p">}</span> </code></pre> </div> <p>The controller itself is intentionally thin — all meaningful configuration lives in <code>Config</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Config</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">// DeltaFIFO — the event queue (producer: Reflector, consumer: processLoop)</span> <span class="n">Queue</span> <span class="c">// Provides List() and Watch() — injected into Reflector at startup</span> <span class="n">ListerWatcher</span> <span class="c">// The callback invoked by processLoop for each item popped from DeltaFIFO</span> <span class="c">// In practice: sharedIndexInformer.HandleDeltas</span> <span class="n">Process</span> <span class="n">ProcessFunc</span> <span class="c">// The resource type being watched (e.g. *v1.Pod)</span> <span class="n">ObjectType</span> <span class="n">runtime</span><span class="o">.</span><span class="n">Object</span> <span class="c">// How often to force a full resync (0 = never)</span> <span class="n">FullResyncPeriod</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="c">// Optional: custom function to decide whether to resync on each tick</span> <span class="n">ShouldResync</span> <span class="n">ShouldResyncFunc</span> <span class="c">// If true: when Process() returns an error, re-enqueue the item</span> <span class="n">RetryOnError</span> <span class="kt">bool</span> <span class="c">// Called when Watch() returns an error</span> <span class="n">WatchErrorHandler</span> <span class="n">WatchErrorHandler</span> <span class="c">// Pagination size for Watch requests</span> <span class="n">WatchListPageSize</span> <span class="kt">int64</span> <span class="p">}</span> </code></pre> </div> <h3> Config field map </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Provided by</th> <th>Used for</th> </tr> </thead> <tbody> <tr> <td><code>Queue</code></td> <td>DeltaFIFO</td> <td>Event buffer between Reflector and processLoop</td> </tr> <tr> <td><code>ListerWatcher</code></td> <td>Pod/Deployment Informer's ListFunc+WatchFunc</td> <td>Injected into Reflector</td> </tr> <tr> <td><code>Process</code></td> <td><code>sharedIndexInformer.HandleDeltas</code></td> <td>Callback for each popped event batch</td> </tr> <tr> <td><code>ObjectType</code></td> <td>e.g. <code>&amp;v1.Pod{}</code> </td> <td>Tells Reflector what type to deserialize</td> </tr> <tr> <td><code>FullResyncPeriod</code></td> <td>User config (e.g. <code>30*time.Minute</code>)</td> <td>Periodic forced re-List</td> </tr> <tr> <td><code>RetryOnError</code></td> <td>Usually <code>false</code> </td> <td>Re-enqueue on Process() failure</td> </tr> <tr> <td><code>WatchErrorHandler</code></td> <td>Optional custom handler</td> <td>React to Watch connection errors</td> </tr> </tbody> </table></div> <h2> 3. How the Informer Controller Starts: Run() </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">controller</span><span class="p">)</span> <span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span> <span class="o">&lt;-</span><span class="k">chan</span> <span class="k">struct</span><span class="p">{})</span> <span class="p">{</span> <span class="k">defer</span> <span class="n">utilruntime</span><span class="o">.</span><span class="n">HandleCrash</span><span class="p">()</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="o">&lt;-</span><span class="n">stopCh</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">Queue</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="p">}()</span> <span class="c">// ① Create Reflector from Config</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">NewReflector</span><span class="p">(</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">ListerWatcher</span><span class="p">,</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">ObjectType</span><span class="p">,</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">Queue</span><span class="p">,</span> <span class="c">// DeltaFIFO is passed as the Store</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">FullResyncPeriod</span><span class="p">,</span> <span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">ShouldResync</span> <span class="o">=</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">ShouldResync</span> <span class="n">r</span><span class="o">.</span><span class="n">WatchListPageSize</span> <span class="o">=</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">WatchListPageSize</span> <span class="n">r</span><span class="o">.</span><span class="n">clock</span> <span class="o">=</span> <span class="n">c</span><span class="o">.</span><span class="n">clock</span> <span class="k">if</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">WatchErrorHandler</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">r</span><span class="o">.</span><span class="n">watchErrorHandler</span> <span class="o">=</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">WatchErrorHandler</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">reflectorMutex</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="n">c</span><span class="o">.</span><span class="n">reflector</span> <span class="o">=</span> <span class="n">r</span> <span class="n">c</span><span class="o">.</span><span class="n">reflectorMutex</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="k">var</span> <span class="n">wg</span> <span class="n">wait</span><span class="o">.</span><span class="n">Group</span> <span class="k">defer</span> <span class="n">wg</span><span class="o">.</span><span class="n">Wait</span><span class="p">()</span> <span class="c">// ② Start Reflector in a goroutine — runs List/Watch forever</span> <span class="n">wg</span><span class="o">.</span><span class="n">StartWithChannel</span><span class="p">(</span><span class="n">stopCh</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">)</span> <span class="c">// ③ Start processLoop — consumes DeltaFIFO forever</span> <span class="n">wait</span><span class="o">.</span><span class="n">Until</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">processLoop</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">,</span> <span class="n">stopCh</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Startup sequence:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">controller</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="err">①</span> <span class="n">NewReflector</span><span class="p">(</span><span class="n">ListerWatcher</span><span class="p">,</span> <span class="n">ObjectType</span><span class="p">,</span> <span class="n">DeltaFIFO</span><span class="p">,</span> <span class="n">resyncPeriod</span><span class="p">)</span> <span class="err">│</span> <span class="err">→</span> <span class="n">Reflector</span> <span class="n">is</span> <span class="n">wired</span> <span class="n">to</span> <span class="n">DeltaFIFO</span> <span class="n">as</span> <span class="n">its</span> <span class="n">Store</span> <span class="err">│</span> <span class="err">├──</span> <span class="err">②</span> <span class="k">go</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">│</span> <span class="err">→</span> <span class="n">Reflector</span><span class="o">.</span><span class="n">ListAndWatch</span><span class="p">()</span> <span class="n">starts</span> <span class="n">in</span> <span class="n">background</span> <span class="n">goroutine</span> <span class="err">│</span> <span class="err">→</span> <span class="n">Phase</span> <span class="m">1</span><span class="o">:</span> <span class="n">List</span> <span class="err">→</span> <span class="n">syncWith</span><span class="p">()</span> <span class="err">→</span> <span class="n">DeltaFIFO</span> <span class="n">seeded</span> <span class="err">│</span> <span class="err">→</span> <span class="n">Phase</span> <span class="m">2</span><span class="o">:</span> <span class="n">Watch</span> <span class="err">→</span> <span class="n">watchHandler</span><span class="p">()</span> <span class="err">→</span> <span class="n">events</span> <span class="n">stream</span> <span class="n">into</span> <span class="n">DeltaFIFO</span> <span class="err">│</span> <span class="err">└──</span> <span class="err">③</span> <span class="n">wait</span><span class="o">.</span><span class="n">Until</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">processLoop</span><span class="p">,</span> <span class="m">1</span><span class="n">s</span><span class="p">,</span> <span class="n">stopCh</span><span class="p">)</span> <span class="err">→</span> <span class="n">processLoop</span> <span class="n">runs</span> <span class="n">in</span> <span class="n">foreground</span><span class="p">,</span> <span class="n">restarted</span> <span class="n">every</span> <span class="m">1</span><span class="n">s</span> <span class="k">if</span> <span class="n">it</span> <span class="n">exits</span> </code></pre> </div> <h2> 4. The processLoop: Consuming DeltaFIFO </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">controller</span><span class="p">)</span> <span class="n">processLoop</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="p">{</span> <span class="c">// Pop() blocks until DeltaFIFO has an item</span> <span class="c">// Passes each item to c.config.Process (= HandleDeltas)</span> <span class="n">obj</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">Queue</span><span class="o">.</span><span class="n">Pop</span><span class="p">(</span><span class="n">PopProcessFunc</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">Process</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">==</span> <span class="n">ErrFIFOClosed</span> <span class="p">{</span> <span class="k">return</span> <span class="c">// queue was shut down — exit cleanly</span> <span class="p">}</span> <span class="k">if</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">RetryOnError</span> <span class="p">{</span> <span class="c">// Re-enqueue the item if RetryOnError is set</span> <span class="n">c</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">Queue</span><span class="o">.</span><span class="n">AddIfNotPresent</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>processLoop flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">processLoop</span> <span class="p">(</span><span class="n">runs</span> <span class="n">forever</span><span class="p">)</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">DeltaFIFO</span><span class="o">.</span><span class="n">Pop</span><span class="p">(</span><span class="n">HandleDeltas</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">blocks</span> <span class="n">on</span> <span class="n">cond</span><span class="o">.</span><span class="n">Wait</span><span class="p">()</span> <span class="k">if</span> <span class="n">queue</span> <span class="n">is</span> <span class="n">empty</span> <span class="err">├──</span> <span class="n">dequeues</span> <span class="n">next</span> <span class="n">key</span> <span class="p">(</span><span class="n">FIFO</span> <span class="n">order</span><span class="p">)</span> <span class="err">└──</span> <span class="n">calls</span> <span class="n">HandleDeltas</span><span class="p">([]</span><span class="n">Delta</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">Indexer</span><span class="o">.</span><span class="n">Add</span><span class="o">/</span><span class="n">Update</span><span class="o">/</span><span class="n">Delete</span> <span class="err">←</span> <span class="n">keep</span> <span class="n">local</span> <span class="n">cache</span> <span class="n">in</span> <span class="n">sync</span> <span class="err">└──</span> <span class="n">sharedProcessor</span><span class="o">.</span><span class="n">distribute</span><span class="p">()</span> <span class="err">←</span> <span class="n">fan</span><span class="o">-</span><span class="n">out</span> <span class="n">to</span> <span class="n">user</span> <span class="n">callbacks</span> </code></pre> </div> <h2> 5. The Complete Informer Framework — All Components Together </h2> <p>Now that we've covered every component, here is the complete picture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────────┐ │ Informer Framework (full picture) │ │ │ │ ┌──────────────────────────────────────────────────────────────────┐ │ │ │ sharedIndexInformer │ │ │ │ │ │ │ │ ┌─────────────────────────────────────────────────────────┐ │ │ │ │ │ Informer Controller (internal) │ │ │ │ │ │ │ │ │ │ │ │ API Server │ │ │ │ │ │ │ List/Watch (HTTP chunked) │ │ │ │ │ │ ▼ │ │ │ │ │ │ ┌──────────┐ events ┌──────────────┐ │ │ │ │ │ │ │ Reflector│ ────────► │ DeltaFIFO │ │ │ │ │ │ │ │(goroutine│ │ queue+items │ │ │ │ │ │ │ └──────────┘ └──────┬───────┘ │ │ │ │ │ │ │ Pop() │ │ │ │ │ │ ▼ │ │ │ │ │ │ processLoop() │ │ │ │ │ │ │ │ │ │ │ │ └────────────────────────────────┼────────────────────────┘ │ │ │ │ │ HandleDeltas │ │ │ │ ┌──────────────┴──────────────┐ │ │ │ │ ▼ ▼ │ │ │ │ ┌────────────┐ ┌──────────────────┐ │ │ │ │ │ Indexer │ │ sharedProcessor │ │ │ │ │ │(ThreadSafe │ │ distribute() │ │ │ │ │ │ Map) │ └────────┬─────────┘ │ │ │ │ └────────────┘ │ │ │ │ │ ▲ ▼ │ │ │ │ │ Lister AddEventHandler │ │ │ └────────────────────┼───────────────────────────┼───────────────┘ │ │ │ │ │ │ ┌────────┴──────────────────────────▼──────────────┐ │ │ │ Your Application Controller │ │ │ │ │ │ │ │ podsLister.Pods(ns).Get(name) ← read from cache │ │ │ │ clientset.CoreV1().Pods().Update() ← write to API│ │ │ │ workqueue.AddRateLimited(key) ← retry on error │ │ │ │ recorder.Eventf(obj, ...) ← emit events │ │ │ └───────────────────────────────────────────────────┘ │ └──────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> 6. Data Flow: End to End </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="err">①</span> <span class="n">factory</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">└──</span> <span class="k">for</span> <span class="n">each</span> <span class="n">registered</span> <span class="n">informer</span><span class="o">:</span> <span class="k">go</span> <span class="n">sharedIndexInformer</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">└──</span> <span class="n">controller</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">├──</span> <span class="k">go</span> <span class="n">Reflector</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="p">[</span><span class="n">goroutine</span> <span class="n">A</span><span class="p">]</span> <span class="err">└──</span> <span class="n">processLoop</span><span class="p">()</span> <span class="p">[</span><span class="n">goroutine</span> <span class="n">B</span><span class="p">,</span> <span class="n">main</span><span class="p">]</span> <span class="err">②</span> <span class="n">Goroutine</span> <span class="n">A</span> <span class="err">—</span> <span class="n">Reflector</span> <span class="err">└──</span> <span class="n">ListAndWatch</span><span class="p">()</span> <span class="err">├──</span> <span class="n">Phase</span> <span class="m">1</span><span class="o">:</span> <span class="n">List</span> <span class="err">→</span> <span class="n">syncWith</span><span class="p">()</span> <span class="err">→</span> <span class="n">DeltaFIFO</span><span class="o">.</span><span class="n">Replace</span><span class="p">()</span> <span class="err">│</span> <span class="n">all</span> <span class="n">existing</span> <span class="n">objects</span> <span class="n">enqueued</span> <span class="n">as</span> <span class="s">"Added"</span> <span class="n">or</span> <span class="s">"Replaced"</span> <span class="err">└──</span> <span class="n">Phase</span> <span class="m">2</span><span class="o">:</span> <span class="n">Watch</span> <span class="err">→</span> <span class="n">watchHandler</span><span class="p">()</span> <span class="err">→</span> <span class="n">DeltaFIFO</span><span class="o">.</span><span class="n">Add</span><span class="o">/</span><span class="n">Update</span><span class="o">/</span><span class="n">Delete</span> <span class="n">incremental</span> <span class="n">events</span> <span class="n">stream</span> <span class="n">in</span> <span class="n">continuously</span> <span class="err">③</span> <span class="n">Goroutine</span> <span class="n">B</span> <span class="err">—</span> <span class="n">processLoop</span> <span class="err">└──</span> <span class="n">DeltaFIFO</span><span class="o">.</span><span class="n">Pop</span><span class="p">(</span><span class="n">HandleDeltas</span><span class="p">)</span> <span class="p">[</span><span class="n">blocks</span> <span class="n">when</span> <span class="n">empty</span><span class="p">]</span> <span class="err">└──</span> <span class="n">HandleDeltas</span><span class="p">([]</span><span class="n">Delta</span><span class="p">)</span> <span class="k">for</span> <span class="n">each</span> <span class="n">Delta</span><span class="o">:</span> <span class="err">├──</span> <span class="n">Indexer</span><span class="o">.</span><span class="n">Add</span><span class="o">/</span><span class="n">Update</span><span class="o">/</span><span class="n">Delete</span> <span class="err">→</span> <span class="n">local</span> <span class="n">cache</span> <span class="n">updated</span> <span class="err">└──</span> <span class="n">sharedProcessor</span><span class="o">.</span><span class="n">distribute</span><span class="p">()</span> <span class="err">└──</span> <span class="k">for</span> <span class="n">each</span> <span class="n">listener</span> <span class="p">(</span><span class="n">AddEventHandler</span><span class="p">)</span><span class="o">:</span> <span class="err">├──</span> <span class="n">OnAdd</span><span class="p">(</span><span class="n">newObj</span><span class="p">)</span> <span class="err">├──</span> <span class="n">OnUpdate</span><span class="p">(</span><span class="n">oldObj</span><span class="p">,</span> <span class="n">newObj</span><span class="p">)</span> <span class="err">└──</span> <span class="n">OnDelete</span><span class="p">(</span><span class="n">oldObj</span><span class="p">)</span> <span class="err">└──</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="err">④</span> <span class="n">Your</span> <span class="n">controller</span> <span class="n">worker</span> <span class="n">goroutine</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="err">└──</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="err">└──</span> <span class="n">reconcile</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="err">├──</span> <span class="n">lister</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="err">→</span> <span class="n">read</span> <span class="n">from</span> <span class="n">Indexer</span> <span class="p">(</span><span class="n">no</span> <span class="n">API</span> <span class="n">call</span><span class="p">)</span> <span class="err">├──</span> <span class="n">clientset</span><span class="o">.</span><span class="n">Update</span><span class="o">/</span><span class="n">Patch</span><span class="o">/</span><span class="n">Delete</span> <span class="err">→</span> <span class="n">write</span> <span class="n">to</span> <span class="n">API</span> <span class="n">Server</span> <span class="err">├──</span> <span class="n">recorder</span><span class="o">.</span><span class="n">Eventf</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="err">→</span> <span class="n">emit</span> <span class="n">Event</span> <span class="n">to</span> <span class="n">etcd</span> <span class="err">└──</span> <span class="n">on</span> <span class="kt">error</span><span class="o">:</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">AddRateLimited</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> </code></pre> </div> <h2> 7. WaitForCacheSync: Why It Matters </h2> <p>Before your controller starts processing, the local cache must be fully populated from the initial List. <code>WaitForCacheSync</code> blocks until this is complete:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">kc</span> <span class="o">*</span><span class="n">KubeController</span><span class="p">)</span> <span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span> <span class="k">chan</span> <span class="k">struct</span><span class="p">{})</span> <span class="p">{</span> <span class="c">// Start all informers</span> <span class="n">kc</span><span class="o">.</span><span class="n">factory</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="c">// Block until initial List is complete and DeltaFIFO is drained</span> <span class="c">// HasSynced() returns true when initialPopulationCount reaches 0</span> <span class="k">if</span> <span class="o">!</span><span class="n">cache</span><span class="o">.</span><span class="n">WaitForCacheSync</span><span class="p">(</span><span class="n">stopCh</span><span class="p">,</span> <span class="n">kc</span><span class="o">.</span><span class="n">podsSynced</span><span class="p">,</span> <span class="n">kc</span><span class="o">.</span><span class="n">deploymentsSynced</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="n">utilruntime</span><span class="o">.</span><span class="n">HandleError</span><span class="p">(</span><span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"timed out waiting for caches to sync"</span><span class="p">))</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Safe to start workers now — Indexer has a complete snapshot</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">workers</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="k">go</span> <span class="n">wait</span><span class="o">.</span><span class="n">Until</span><span class="p">(</span><span class="n">kc</span><span class="o">.</span><span class="n">runWorker</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">,</span> <span class="n">stopCh</span><span class="p">)</span> <span class="p">}</span> <span class="o">&lt;-</span><span class="n">stopCh</span> <span class="p">}</span> </code></pre> </div> <p><strong>What <code>HasSynced()</code> tracks internally:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">DeltaFIFO</span><span class="o">.</span><span class="n">initialPopulationCount</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">set</span> <span class="n">to</span> <span class="n">N</span> <span class="n">during</span> <span class="n">Replace</span><span class="p">()</span> <span class="p">(</span><span class="n">initial</span> <span class="n">List</span> <span class="n">result</span><span class="o">:</span> <span class="n">N</span> <span class="n">objects</span><span class="p">)</span> <span class="err">├──</span> <span class="n">decremented</span> <span class="n">by</span> <span class="m">1</span> <span class="n">on</span> <span class="n">each</span> <span class="n">Pop</span><span class="p">()</span> <span class="err">└──</span> <span class="n">HasSynced</span><span class="p">()</span> <span class="o">=</span> <span class="no">true</span> <span class="n">when</span> <span class="n">initialPopulationCount</span> <span class="o">==</span> <span class="m">0</span> <span class="n">AND</span> <span class="n">at</span> <span class="n">least</span> <span class="n">one</span> <span class="n">Replace</span><span class="p">()</span> <span class="n">has</span> <span class="n">been</span> <span class="n">called</span> </code></pre> </div> <blockquote> <p><strong>Never start reconciliation workers before <code>WaitForCacheSync</code> returns.</strong> If you do, your Lister queries will return incomplete results and your controller will make incorrect decisions based on a partial view of cluster state.</p> </blockquote> <h2> 8. Series Summary: The Complete Component Map </h2> <p>We've now covered every component in the Informer framework. Here's the complete reference:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Package</th> <th>Role</th> <th>Article</th> </tr> </thead> <tbody> <tr> <td><strong>Reflector</strong></td> <td><code>tools/cache</code></td> <td>List/Watch against API Server; feeds DeltaFIFO</td> <td>Part 2</td> </tr> <tr> <td><strong>DeltaFIFO</strong></td> <td><code>tools/cache</code></td> <td>FIFO event queue; stores <code>{type, object}</code> deltas</td> <td>Part 3</td> </tr> <tr> <td><strong>Indexer</strong></td> <td><code>tools/cache</code></td> <td>Thread-safe in-memory cache with custom indexing</td> <td>Part 4</td> </tr> <tr> <td><strong>WorkQueue</strong></td> <td><code>util/workqueue</code></td> <td>Rate-limited, deduplicated task queue for workers</td> <td>Part 5</td> </tr> <tr> <td><strong>EventBroadcaster</strong></td> <td><code>tools/record</code></td> <td>Emits structured Events to API Server / logs</td> <td>Part 6</td> </tr> <tr> <td> <strong>Controller</strong> (internal)</td> <td><code>tools/cache</code></td> <td>Orchestrates Reflector + DeltaFIFO + processLoop</td> <td>Part 7 (this)</td> </tr> <tr> <td><strong>sharedProcessor</strong></td> <td><code>tools/cache</code></td> <td>Fan-out: delivers events to all AddEventHandler listeners</td> <td>—</td> </tr> <tr> <td><strong>SharedInformerFactory</strong></td> <td><code>informers</code></td> <td>Ensures one Reflector per resource type across all controllers</td> <td>Part 1</td> </tr> </tbody> </table></div> <h2> 9. Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Informer</span> <span class="n">Controller</span> <span class="o">=</span> <span class="n">orchestrator</span><span class="p">,</span> <span class="n">not</span> <span class="n">business</span> <span class="n">logic</span> <span class="n">controller</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">stopCh</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">NewReflector</span><span class="p">(</span><span class="n">ListerWatcher</span><span class="p">,</span> <span class="n">ObjectType</span><span class="p">,</span> <span class="n">DeltaFIFO</span><span class="p">)</span> <span class="err">│</span> <span class="err">→</span> <span class="n">wires</span> <span class="n">API</span> <span class="n">Server</span> <span class="n">connection</span> <span class="n">to</span> <span class="n">event</span> <span class="n">queue</span> <span class="err">│</span> <span class="err">├──</span> <span class="k">go</span> <span class="n">Reflector</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="err">│</span> <span class="err">→</span> <span class="n">List</span> <span class="p">(</span><span class="n">seed</span> <span class="n">cache</span><span class="p">)</span> <span class="o">+</span> <span class="n">Watch</span> <span class="p">(</span><span class="n">stream</span> <span class="n">events</span><span class="p">)</span> <span class="n">forever</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">processLoop</span><span class="p">()</span> <span class="err">→</span> <span class="n">Pop</span> <span class="n">from</span> <span class="n">DeltaFIFO</span> <span class="err">→</span> <span class="n">HandleDeltas</span><span class="o">:</span> <span class="n">Indexer</span> <span class="p">(</span><span class="n">storage</span><span class="p">)</span> <span class="o">+</span> <span class="n">sharedProcessor</span> <span class="p">(</span><span class="n">callbacks</span><span class="p">)</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>controller struct</strong></td> <td>Thin wrapper — holds Config + Reflector reference</td> </tr> <tr> <td><strong>Config.Queue</strong></td> <td>DeltaFIFO — the handoff point between Reflector and processLoop</td> </tr> <tr> <td><strong>Config.Process</strong></td> <td> <code>HandleDeltas</code> — routes events to Indexer and sharedProcessor</td> </tr> <tr> <td><strong>Config.RetryOnError</strong></td> <td>Re-enqueues items when HandleDeltas returns an error</td> </tr> <tr> <td><strong>processLoop</strong></td> <td>Infinite loop: Pop → HandleDeltas → repeat</td> </tr> <tr> <td><strong>WaitForCacheSync</strong></td> <td>Safety gate — ensures Indexer is fully populated before workers start</td> </tr> </tbody> </table></div> <p>The Informer Controller is the invisible backbone of every Kubernetes controller. By orchestrating Reflector, DeltaFIFO, Indexer, and sharedProcessor into a single coherent pipeline, it gives you a reliable, consistent, and efficient view of cluster state — so your application controller can focus entirely on reconciliation logic.</p> <p><em>Next in this series: CRD: Extending the Kubernetes API with Custom Resources (Part 8)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> architecture go kubernetes tutorial client-go Deep Dive: EventBroadcaster — How Kubernetes Records and Distributes Cluster Events James Lee Tue, 19 May 2026 10:09:20 +0000 https://forem.com/jamesli/client-go-deep-dive-eventbroadcaster-how-kubernetes-records-and-distributes-cluster-events-582m https://forem.com/jamesli/client-go-deep-dive-eventbroadcaster-how-kubernetes-records-and-distributes-cluster-events-582m <p>In the previous article we covered WorkQueue — the retry and rate-limiting backbone of controllers. In this article we look at a different but equally important mechanism: <strong>EventBroadcaster</strong>. It's how Kubernetes components record what they're doing, and how you can do the same in your own controllers.</p> <p>Source: <code>k8s.io/client-go/tools/record/</code></p> <h2> 1. What Is a Kubernetes Event? </h2> <p>A Kubernetes <strong>Event</strong> is a first-class resource object — stored in etcd, queryable via kubectl, and subject to the same API machinery as Pods or Deployments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View recent events in a namespace</span> kubectl get events <span class="nt">-n</span> default <span class="c"># View events for a specific Pod (shown in describe output)</span> kubectl describe pod nginx-deployment-7d8ff89d87-25kb4 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">LAST SEEN TYPE REASON OBJECT MESSAGE 2m Normal Scheduled pod/nginx-7d8ff89d87-25kb4 Successfully assigned default/nginx to node-1 2m Normal Pulling pod/nginx-7d8ff89d87-25kb4 Pulling image "nginx:1.21" 1m Normal Pulled pod/nginx-7d8ff89d87-25kb4 Successfully pulled image in 3.2s 1m Normal Created pod/nginx-7d8ff89d87-25kb4 Created container nginx 1m Normal Started pod/nginx-7d8ff89d87-25kb4 Started container nginx </span></code></pre> </div> <blockquote> <p>⚠️ <strong>Important distinction:</strong> Kubernetes Events are <strong>resource objects managed by the API Server</strong>. They are NOT the same as the etcd watch callback events used internally by Informer/Reflector. Don't confuse the two.</p> </blockquote> <h2> 2. The Event Resource Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// k8s.io/api/core/v1/types.go</span> <span class="k">type</span> <span class="n">Event</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">metav1</span><span class="o">.</span><span class="n">TypeMeta</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ObjectMeta</span> <span class="c">// The object this event is about (e.g. the Pod that was scheduled)</span> <span class="n">InvolvedObject</span> <span class="n">ObjectReference</span> <span class="c">// Short machine-readable reason string (e.g. "Scheduled", "Pulling", "Failed")</span> <span class="n">Reason</span> <span class="kt">string</span> <span class="c">// Human-readable description of what happened</span> <span class="n">Message</span> <span class="kt">string</span> <span class="c">// Component that generated this event</span> <span class="n">Source</span> <span class="n">EventSource</span> <span class="c">// {Component: "scheduler", Host: "master-1"}</span> <span class="c">// Timing</span> <span class="n">FirstTimestamp</span> <span class="n">metav1</span><span class="o">.</span><span class="n">Time</span> <span class="c">// when this event first occurred</span> <span class="n">LastTimestamp</span> <span class="n">metav1</span><span class="o">.</span><span class="n">Time</span> <span class="c">// most recent occurrence</span> <span class="n">Count</span> <span class="kt">int32</span> <span class="c">// how many times this event has occurred</span> <span class="c">// "Normal" or "Warning"</span> <span class="n">Type</span> <span class="kt">string</span> <span class="c">// High-precision timestamp (for newer event API)</span> <span class="n">EventTime</span> <span class="n">metav1</span><span class="o">.</span><span class="n">MicroTime</span> <span class="c">// For aggregated/series events</span> <span class="n">Series</span> <span class="o">*</span><span class="n">EventSeries</span> <span class="c">// What action was taken</span> <span class="n">Action</span> <span class="kt">string</span> <span class="c">// Secondary object involved (e.g. the Node a Pod was scheduled to)</span> <span class="n">Related</span> <span class="o">*</span><span class="n">ObjectReference</span> <span class="c">// For audit: which controller generated this event</span> <span class="n">ReportingController</span> <span class="kt">string</span> <span class="n">ReportingInstance</span> <span class="kt">string</span> <span class="p">}</span> </code></pre> </div> <h3> Key fields explained </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Example value</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>InvolvedObject</code></td> <td><code>{Kind:"Pod", Name:"nginx-xxx"}</code></td> <td>The resource this event describes</td> </tr> <tr> <td><code>Reason</code></td> <td> <code>"Scheduled"</code>, <code>"Pulling"</code>, <code>"BackOff"</code> </td> <td>Machine-readable event category</td> </tr> <tr> <td><code>Message</code></td> <td><code>"Successfully assigned to node-1"</code></td> <td>Human-readable detail</td> </tr> <tr> <td><code>Type</code></td> <td> <code>"Normal"</code> or <code>"Warning"</code> </td> <td>Severity indicator</td> </tr> <tr> <td><code>Count</code></td> <td><code>5</code></td> <td>Deduplication counter — same event aggregated</td> </tr> <tr> <td> <code>FirstTimestamp</code> / <code>LastTimestamp</code> </td> <td>timestamps</td> <td>When it first/last occurred</td> </tr> <tr> <td><code>Source.Component</code></td> <td> <code>"kubelet"</code>, <code>"scheduler"</code> </td> <td>Which Kubernetes component fired it</td> </tr> </tbody> </table></div> <h2> 3. Event Retention Policy </h2> <p>Since Events are stored in etcd, unchecked growth would fill disk space. Kubernetes enforces a strict retention policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ Event Retention Rules │ │ │ │ • Default TTL: 1 hour after last occurrence │ │ • kubectl get events shows only last-hour events │ │ • Identical events are AGGREGATED (Count++ instead │ │ of creating duplicate objects) │ │ • etcd stores events in a separate keyspace to │ │ prevent them from crowding out other resources │ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <p>This is why <code>kubectl describe pod</code> shows "Events: " for Pods that have been running stably for more than an hour — the events existed, but have been garbage collected.</p> <h2> 4. The EventBroadcaster Pipeline </h2> <p>EventBroadcaster is the mechanism that takes an event generated by a component and delivers it to one or more sinks (e.g. the API Server, a log file, stdout).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────┐ │ EventBroadcaster Pipeline │ │ │ │ Your Controller │ │ │ │ │ │ recorder.Eventf(obj, type, reason, message) │ │ ▼ │ │ ┌──────────────┐ │ │ │EventRecorder │ generates Event object │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ EventBroadcaster │ fan-out to multiple sinks │ │ └──────┬───────────┘ │ │ │ │ │ ┌────┴──────────────────────────┐ │ │ ▼ ▼ │ │ ┌──────────────────┐ ┌──────────────────────────┐ │ │ │ API Server Sink │ │ Logging Sink │ │ │ │ (writes Event │ │ (prints to stdout/log) │ │ │ │ to etcd) │ │ │ │ │ └──────────────────┘ └──────────────────────────┘ │ └──────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> The three actors </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Actor</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>EventRecorder</strong></td> <td>The interface your code calls — <code>Event()</code>, <code>Eventf()</code>, <code>AnnotatedEventf()</code> </td> </tr> <tr> <td><strong>EventBroadcaster</strong></td> <td>Receives events from recorders, fans out to registered sinks</td> </tr> <tr> <td><strong>EventSink</strong></td> <td>The destination — API Server (etcd), log output, or custom handler</td> </tr> </tbody> </table></div> <h2> 5. Using EventBroadcaster in a Custom Controller </h2> <p>Here's the complete setup pattern used in real Kubernetes controllers:</p> <h3> Step 1 — Create the broadcaster and recorder </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"k8s.io/client-go/tools/record"</span> <span class="s">"k8s.io/client-go/kubernetes/scheme"</span> <span class="n">corev1</span> <span class="s">"k8s.io/api/core/v1"</span> <span class="s">"k8s.io/apimachinery/pkg/runtime"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">NewController</span><span class="p">(</span><span class="n">clientset</span> <span class="n">kubernetes</span><span class="o">.</span><span class="n">Interface</span><span class="p">,</span> <span class="o">...</span><span class="p">)</span> <span class="o">*</span><span class="n">Controller</span> <span class="p">{</span> <span class="c">// Create the broadcaster</span> <span class="n">eventBroadcaster</span> <span class="o">:=</span> <span class="n">record</span><span class="o">.</span><span class="n">NewBroadcaster</span><span class="p">()</span> <span class="c">// Sink 1: write events to the API Server (persisted in etcd)</span> <span class="n">eventBroadcaster</span><span class="o">.</span><span class="n">StartRecordingToSink</span><span class="p">(</span><span class="o">&amp;</span><span class="n">typedcorev1</span><span class="o">.</span><span class="n">EventSinkImpl</span><span class="p">{</span> <span class="n">Interface</span><span class="o">:</span> <span class="n">clientset</span><span class="o">.</span><span class="n">CoreV1</span><span class="p">()</span><span class="o">.</span><span class="n">Events</span><span class="p">(</span><span class="s">""</span><span class="p">),</span> <span class="p">})</span> <span class="c">// Sink 2: also log events to stdout (useful for debugging)</span> <span class="n">eventBroadcaster</span><span class="o">.</span><span class="n">StartEventWatcher</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">e</span> <span class="o">*</span><span class="n">corev1</span><span class="o">.</span><span class="n">Event</span><span class="p">)</span> <span class="p">{</span> <span class="n">klog</span><span class="o">.</span><span class="n">V</span><span class="p">(</span><span class="m">4</span><span class="p">)</span><span class="o">.</span><span class="n">Infof</span><span class="p">(</span><span class="s">"Event: %s %s %s"</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">Type</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">Reason</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">Message</span><span class="p">)</span> <span class="p">})</span> <span class="c">// Create a recorder scoped to this controller</span> <span class="c">// "my-canary-controller" will appear in Event.Source.Component</span> <span class="n">recorder</span> <span class="o">:=</span> <span class="n">eventBroadcaster</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">(</span> <span class="n">scheme</span><span class="o">.</span><span class="n">Scheme</span><span class="p">,</span> <span class="n">corev1</span><span class="o">.</span><span class="n">EventSource</span><span class="p">{</span><span class="n">Component</span><span class="o">:</span> <span class="s">"my-canary-controller"</span><span class="p">},</span> <span class="p">)</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">Controller</span><span class="p">{</span> <span class="n">recorder</span><span class="o">:</span> <span class="n">recorder</span><span class="p">,</span> <span class="o">...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2 — Emit events during reconciliation </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">Controller</span><span class="p">)</span> <span class="n">reconcile</span><span class="p">(</span><span class="n">key</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">namespace</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">cache</span><span class="o">.</span><span class="n">SplitMetaNamespaceKey</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c">// Fetch the resource from local cache</span> <span class="n">canary</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">canaryLister</span><span class="o">.</span><span class="n">Canaries</span><span class="p">(</span><span class="n">namespace</span><span class="p">)</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// --- Normal event: record a successful action ---</span> <span class="n">c</span><span class="o">.</span><span class="n">recorder</span><span class="o">.</span><span class="n">Event</span><span class="p">(</span> <span class="n">canary</span><span class="p">,</span> <span class="c">// InvolvedObject</span> <span class="n">corev1</span><span class="o">.</span><span class="n">EventTypeNormal</span><span class="p">,</span> <span class="s">"TrafficShifted"</span><span class="p">,</span> <span class="c">// Reason</span> <span class="s">"Shifted 10% traffic to canary deployment"</span><span class="p">,</span> <span class="p">)</span> <span class="c">// --- Warning event: record a problem ---</span> <span class="k">if</span> <span class="n">canary</span><span class="o">.</span><span class="n">Status</span><span class="o">.</span><span class="n">ErrorRate</span> <span class="o">&gt;</span> <span class="n">threshold</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">recorder</span><span class="o">.</span><span class="n">Eventf</span><span class="p">(</span> <span class="n">canary</span><span class="p">,</span> <span class="n">corev1</span><span class="o">.</span><span class="n">EventTypeWarning</span><span class="p">,</span> <span class="s">"HighErrorRate"</span><span class="p">,</span> <span class="s">"Canary error rate %.2f%% exceeds threshold %.2f%%, rolling back"</span><span class="p">,</span> <span class="n">canary</span><span class="o">.</span><span class="n">Status</span><span class="o">.</span><span class="n">ErrorRate</span><span class="p">,</span> <span class="n">threshold</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">rollback</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> What the emitted Event looks like in kubectl </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">LAST SEEN TYPE REASON OBJECT MESSAGE 30s Normal TrafficShifted canary/my-app-canary Shifted 10% traffic to canary deployment 10s Warning HighErrorRate canary/my-app-canary Canary error rate 5.23% exceeds threshold 1.00%, rolling back </span></code></pre> </div> <h2> 6. Pod Lifecycle Events: The Most Important Events in Practice </h2> <p>Since Kubernetes is Pod-centric — Deployments, StatefulSets, DaemonSets, CronJobs all ultimately create Pods — Pod events are the most frequently used events in production operations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pod lifecycle → key events: ┌─────────────────────────────────────────────────────────────────┐ │ Phase │ Reason │ Type │ Source │ ├─────────────────┼──────────────────┼─────────┼──────────────────┤ │ Scheduling │ Scheduled │ Normal │ scheduler │ │ │ FailedScheduling │ Warning │ scheduler │ ├─────────────────┼──────────────────┼─────────┼──────────────────┤ │ Image pull │ Pulling │ Normal │ kubelet │ │ │ Pulled │ Normal │ kubelet │ │ │ Failed │ Warning │ kubelet │ │ │ ErrImagePull │ Warning │ kubelet │ ├─────────────────┼──────────────────┼─────────┼──────────────────┤ │ Container │ Created │ Normal │ kubelet │ │ lifecycle │ Started │ Normal │ kubelet │ │ │ Killing │ Normal │ kubelet │ │ │ BackOff │ Warning │ kubelet │ ├─────────────────┼──────────────────┼─────────┼──────────────────┤ │ Node │ Evicted │ Warning │ kubelet │ │ │ OOMKilling │ Warning │ kernel/kubelet │ └─────────────────┴──────────────────┴─────────┴──────────────────┘ </code></pre> </div> <p><strong>Practical use cases:</strong></p> <ul> <li> <strong>Slow startup diagnosis:</strong> Compare <code>Pulling</code> → <code>Pulled</code> timestamps to measure image pull time</li> <li> <strong>Crash analysis:</strong> <code>BackOff</code> events with increasing intervals signal <code>CrashLoopBackOff</code> </li> <li> <strong>Scheduling failures:</strong> <code>FailedScheduling</code> with reason message explains why a Pod is <code>Pending</code> </li> <li> <strong>Eviction tracking:</strong> <code>Evicted</code> events identify nodes under memory pressure</li> </ul> <h2> 7. Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">EventBroadcaster</span> <span class="n">flow</span><span class="o">:</span> <span class="n">recorder</span><span class="o">.</span><span class="n">Eventf</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="k">type</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">msg</span><span class="p">)</span> <span class="err">│</span> <span class="err">▼</span> <span class="n">EventBroadcaster</span><span class="o">.</span><span class="n">ActionOrDrop</span><span class="p">(</span><span class="n">event</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">StartRecordingToSink</span><span class="p">()</span> <span class="err">→</span> <span class="n">clientset</span><span class="o">.</span><span class="n">CoreV1</span><span class="p">()</span><span class="o">.</span><span class="n">Events</span><span class="p">()</span><span class="o">.</span><span class="n">Create</span><span class="o">/</span><span class="n">Patch</span> <span class="err">│</span> <span class="p">(</span><span class="n">aggregates</span> <span class="n">duplicate</span> <span class="n">events</span> <span class="n">via</span> <span class="n">Count</span><span class="o">++</span><span class="p">)</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">StartEventWatcher</span><span class="p">()</span> <span class="err">→</span> <span class="n">custom</span> <span class="n">handler</span> <span class="p">(</span><span class="n">logging</span><span class="p">,</span> <span class="n">metrics</span><span class="p">,</span> <span class="n">alerting</span><span class="p">)</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>Event</strong></td> <td>A core API resource — stored in etcd, queryable via kubectl</td> </tr> <tr> <td><strong>Type</strong></td> <td> <code>Normal</code> (informational) or <code>Warning</code> (something needs attention)</td> </tr> <tr> <td><strong>Reason</strong></td> <td>Short machine-readable string — used for filtering and alerting</td> </tr> <tr> <td><strong>Count</strong></td> <td>Identical events are aggregated — prevents etcd flooding</td> </tr> <tr> <td><strong>Retention</strong></td> <td>Events are deleted 1 hour after last occurrence</td> </tr> <tr> <td><strong>EventRecorder</strong></td> <td>Your controller's interface for emitting events</td> </tr> <tr> <td><strong>EventBroadcaster</strong></td> <td>Fan-out hub — delivers events to all registered sinks</td> </tr> <tr> <td><strong>EventSink</strong></td> <td>Destination: API Server (etcd), stdout log, or custom handler</td> </tr> </tbody> </table></div> <p>EventBroadcaster closes the observability loop for Kubernetes controllers. By emitting structured events at key decision points in your reconciliation logic, you give operators the same visibility into your custom controller that they have for built-in Kubernetes components — making your controller production-ready and debuggable.</p> <p><em>Next in this series: Controller: The Central Hub of the Informer Framework (Part 7)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> architecture go kubernetes tutorial client-go Deep Dive: WorkQueue — The Reliable Task Queue for Kubernetes Controllers James Lee Tue, 19 May 2026 10:08:43 +0000 https://forem.com/jamesli/client-go-deep-dive-workqueue-the-reliable-task-queue-for-kubernetes-controllers-3pjc https://forem.com/jamesli/client-go-deep-dive-workqueue-the-reliable-task-queue-for-kubernetes-controllers-3pjc <p>In the previous article we saw how Indexer stores and indexes resource objects for fast local queries. Now we look at the other half of the controller pattern: <strong>WorkQueue</strong> — the component that bridges event callbacks and controller reconciliation workers.</p> <p>Source: <code>k8s.io/client-go/util/workqueue/</code></p> <h2> 1. Where WorkQueue Fits </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">informer</span><span class="o">.</span><span class="n">AddEventHandler</span><span class="p">(</span><span class="n">ResourceEventHandlerFuncs</span><span class="p">{</span> <span class="n">AddFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="p">{</span> <span class="n">queue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">keyOf</span><span class="p">(</span><span class="n">obj</span><span class="p">))</span> <span class="p">},</span> <span class="n">UpdateFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">old</span><span class="p">,</span> <span class="nb">new</span><span class="p">)</span> <span class="p">{</span> <span class="n">queue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">keyOf</span><span class="p">(</span><span class="nb">new</span><span class="p">))</span> <span class="p">},</span> <span class="n">DeleteFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="p">{</span> <span class="n">queue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">keyOf</span><span class="p">(</span><span class="n">obj</span><span class="p">))</span> <span class="p">},</span> <span class="p">})</span> <span class="err">│</span> <span class="err">│</span> <span class="n">event</span> <span class="n">fires</span> <span class="err">→</span> <span class="n">key</span> <span class="n">enqueued</span> <span class="err">▼</span> <span class="err">┌─────────────────────────────────────────────────┐</span> <span class="err">│</span> <span class="n">WorkQueue</span> <span class="err">│</span> <span class="err">│</span> <span class="o">-</span> <span class="n">deduplicates</span> <span class="n">keys</span> <span class="err">│</span> <span class="err">│</span> <span class="o">-</span> <span class="n">rate</span> <span class="n">limits</span> <span class="n">re</span><span class="o">-</span><span class="n">enqueues</span> <span class="n">on</span> <span class="kt">error</span> <span class="err">│</span> <span class="err">│</span> <span class="o">-</span> <span class="n">supports</span> <span class="n">multiple</span> <span class="n">concurrent</span> <span class="n">workers</span> <span class="err">│</span> <span class="err">└─────────────────────────────────────────────────┘</span> <span class="err">│</span> <span class="err">│</span> <span class="n">worker</span> <span class="n">goroutine</span> <span class="n">calls</span> <span class="n">queue</span><span class="o">.</span><span class="n">Get</span><span class="p">()</span> <span class="err">▼</span> <span class="n">Controller</span> <span class="n">reconciliation</span> <span class="n">logic</span> <span class="err">├──</span> <span class="n">success</span> <span class="err">→</span> <span class="n">queue</span><span class="o">.</span><span class="n">Done</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="err">└──</span> <span class="kt">error</span> <span class="err">→</span> <span class="n">queue</span><span class="o">.</span><span class="n">AddRateLimited</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="err">←</span> <span class="n">retry</span> <span class="n">with</span> <span class="n">backoff</span> </code></pre> </div> <blockquote> <p><strong>Key pattern:</strong> Event handlers only enqueue the <strong>key</strong> (e.g. <code>"default/nginx"</code>), never the full object. The worker fetches the latest object from Indexer at processing time — ensuring it always works with the most current state.</p> </blockquote> <h2> 2. WorkQueue vs Plain FIFO </h2> <p>WorkQueue is not a simple queue. It adds critical properties that make it production-safe for controller development:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>Plain FIFO</th> <th>WorkQueue</th> </tr> </thead> <tbody> <tr> <td>Ordered (FIFO)</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Concurrent producers &amp; consumers</td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Deduplication</strong></td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Rate limiting on retry</strong></td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Prometheus metrics</strong></td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Graceful shutdown (SIGTERM)</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <h3> Deduplication in detail </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Event burst: Pod "nginx" Updated 5 times in 100ms Plain FIFO: [nginx, nginx, nginx, nginx, nginx] ← processed 5 times WorkQueue: [nginx] ← processed once ✅ Rule: if a key is already in the queue (not yet processed), subsequent Add() calls for the same key are silently dropped. The key is only re-eligible after Done() is called. </code></pre> </div> <h2> 3. Three Queue Types </h2> <p>client-go ships three queue implementations, each building on the previous:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ Type 1: FIFO Queue │ │ k8s.io/client-go/util/workqueue/queue.go │ │ Basic ordered queue with deduplication │ └─────────────────────────────┬───────────────────────────┘ │ extends ┌─────────────────────────────▼───────────────────────────┐ │ Type 2: Delaying Queue │ │ k8s.io/client-go/util/workqueue/delaying_queue.go │ │ Adds: AddAfter(item, duration) — insert after a delay │ └─────────────────────────────┬───────────────────────────┘ │ extends ┌─────────────────────────────▼───────────────────────────┐ │ Type 3: RateLimiting Queue ← used in custom controllers│ │ k8s.io/client-go/util/workqueue/rate_limiting_queue.go │ │ Adds: AddRateLimited, Forget, NumRequeues │ │ Uses a RateLimiter to compute delay before re-insert │ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <p>In practice, <strong>custom controllers always use the RateLimiting Queue</strong>.</p> <h2> 4. The RateLimiting Queue Interface </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// The rate limiter: decides HOW LONG to delay a re-enqueue</span> <span class="k">type</span> <span class="n">RateLimiter</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">When</span><span class="p">(</span><span class="n">item</span> <span class="k">interface</span><span class="p">{})</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="c">// return delay for this item</span> <span class="n">Forget</span><span class="p">(</span><span class="n">item</span> <span class="k">interface</span><span class="p">{})</span> <span class="c">// reset the item's failure history</span> <span class="n">NumRequeues</span><span class="p">(</span><span class="n">item</span> <span class="k">interface</span><span class="p">{})</span> <span class="kt">int</span> <span class="c">// how many times has this item failed</span> <span class="p">}</span> <span class="c">// The queue interface: wraps DelayingInterface + rate limiting methods</span> <span class="k">type</span> <span class="n">RateLimitingInterface</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">DelayingInterface</span> <span class="c">// inherits Add, Get, Done, Len, etc.</span> <span class="n">AddRateLimited</span><span class="p">(</span><span class="n">item</span> <span class="k">interface</span><span class="p">{})</span> <span class="c">// enqueue with rate-limited delay</span> <span class="n">Forget</span><span class="p">(</span><span class="n">item</span> <span class="k">interface</span><span class="p">{})</span> <span class="c">// clear failure history for this item</span> <span class="n">NumRequeues</span><span class="p">(</span><span class="n">item</span> <span class="k">interface</span><span class="p">{})</span> <span class="kt">int</span> <span class="c">// query failure count</span> <span class="p">}</span> </code></pre> </div> <h3> Typical controller worker pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">Controller</span><span class="p">)</span> <span class="n">runWorker</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">c</span><span class="o">.</span><span class="n">processNextItem</span><span class="p">()</span> <span class="p">{}</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">Controller</span><span class="p">)</span> <span class="n">processNextItem</span><span class="p">()</span> <span class="kt">bool</span> <span class="p">{</span> <span class="c">// Block until an item is available</span> <span class="n">key</span><span class="p">,</span> <span class="n">quit</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">queue</span><span class="o">.</span><span class="n">Get</span><span class="p">()</span> <span class="k">if</span> <span class="n">quit</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">c</span><span class="o">.</span><span class="n">queue</span><span class="o">.</span><span class="n">Done</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c">// MUST call Done() when finished</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">reconcile</span><span class="p">(</span><span class="n">key</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// Success: clear the failure history</span> <span class="n">c</span><span class="o">.</span><span class="n">queue</span><span class="o">.</span><span class="n">Forget</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> <span class="k">if</span> <span class="n">c</span><span class="o">.</span><span class="n">queue</span><span class="o">.</span><span class="n">NumRequeues</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="o">&lt;</span> <span class="n">maxRetries</span> <span class="p">{</span> <span class="c">// Transient error: re-enqueue with rate-limited delay</span> <span class="n">c</span><span class="o">.</span><span class="n">queue</span><span class="o">.</span><span class="n">AddRateLimited</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> <span class="c">// Too many retries: give up and clear history</span> <span class="n">c</span><span class="o">.</span><span class="n">queue</span><span class="o">.</span><span class="n">Forget</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">utilruntime</span><span class="o">.</span><span class="n">HandleError</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> </code></pre> </div> <h2> 5. Three Rate-Limiting Algorithms </h2> <h3> Algorithm 1: Exponential Backoff (ItemExponentialFailureRateLimiter) </h3> <p>When the same item fails repeatedly, the delay grows <strong>exponentially</strong> with each failure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Failure count → delay: 1st failure: base delay × 2^0 = 5ms 2nd failure: base delay × 2^1 = 10ms 3rd failure: base delay × 2^2 = 20ms 4th failure: base delay × 2^3 = 40ms ... nth failure: min(base × 2^(n-1), maxDelay) ← capped at maxDelay </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Default values used in most controllers</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">NewItemExponentialFailureRateLimiter</span><span class="p">(</span> <span class="m">5</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span><span class="p">,</span> <span class="c">// base delay</span> <span class="m">1000</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">,</span> <span class="c">// max delay cap</span> <span class="p">)</span> </code></pre> </div> <p><strong>Rate-limiting period:</strong> starts at <code>AddRateLimited()</code>, ends at <code>Forget()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Timeline: t=0ms AddRateLimited("nginx") → delay 5ms → enqueued at t=5ms t=5ms Get("nginx") → reconcile → fails t=5ms AddRateLimited("nginx") → delay 10ms → enqueued at t=15ms t=15ms Get("nginx") → reconcile → fails t=15ms AddRateLimited("nginx") → delay 20ms → enqueued at t=35ms ... t=Xms Get("nginx") → reconcile → SUCCESS Forget("nginx") → failure count reset to 0 </code></pre> </div> <blockquote> <p><strong>Real-world example:</strong> Kubernetes Pod restart policy <code>Always</code> uses exponential backoff — that's why a crash-looping Pod shows increasing restart intervals (the familiar <code>CrashLoopBackOff</code> state).</p> </blockquote> <h3> Algorithm 2: Token Bucket (BucketRateLimiter) </h3> <p>The token bucket algorithm controls the <strong>overall throughput</strong> of the queue, regardless of which specific items are being enqueued.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ Token Bucket │ │ │ │ ┌──┬──┬──┬──┬──┐ │ │ │🪙│🪙│🪙│🪙│🪙│ ← bucket (fixed capacity) │ │ └──┴──┴──┴──┴──┘ │ │ ▲ ▲ │ │ tokens refilled bucket full: │ │ at fixed rate r/s stop refilling │ │ │ │ Each AddRateLimited() consumes one token │ │ No token available → item must wait │ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Uses golang.org/x/time/rate under the hood</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">NewMaxOfRateLimiter</span><span class="p">(</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">NewItemExponentialFailureRateLimiter</span><span class="p">(</span><span class="m">5</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span><span class="p">,</span> <span class="m">1000</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">),</span> <span class="o">&amp;</span><span class="n">workqueue</span><span class="o">.</span><span class="n">BucketRateLimiter</span><span class="p">{</span> <span class="n">Limiter</span><span class="o">:</span> <span class="n">rate</span><span class="o">.</span><span class="n">NewLimiter</span><span class="p">(</span><span class="n">rate</span><span class="o">.</span><span class="n">Limit</span><span class="p">(</span><span class="m">10</span><span class="p">),</span> <span class="m">100</span><span class="p">),</span> <span class="c">// 10 tokens/second refill rate, bucket capacity 100</span> <span class="p">},</span> <span class="p">)</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ul> <li>Tokens are added to the bucket at a fixed rate (e.g. 10/sec)</li> <li>Bucket has a maximum capacity — once full, new tokens are discarded</li> <li>Each <code>AddRateLimited()</code> call requires one token</li> <li>If no token is available, the item is delayed until a token is refilled</li> </ul> <blockquote> <p><strong>Used in:</strong> Nginx rate limiting, Envoy Ratelimit, Sentinel — token bucket is one of the most widely adopted rate-limiting algorithms in distributed systems.</p> </blockquote> <h3> Algorithm 3: Counter with Fast/Slow Lanes (ItemFastSlowRateLimiter) </h3> <p>The counter algorithm limits how many items can be enqueued within a time window. WorkQueue extends the basic counter with <strong>two insertion rates</strong>: a fast lane and a slow lane.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Configuration: fastDelay = 5ms ← interval between items in fast lane slowDelay = 1000ms ← interval between items in slow lane maxFastAttempts = 3 ← how many failures use fast lane before switching Failure timeline for one item: ┌──────────────────────────────────────────────────────────┐ │ Attempt 1 → delay 5ms (fast lane, attempt 1/3) │ │ Attempt 2 → delay 5ms (fast lane, attempt 2/3) │ │ Attempt 3 → delay 5ms (fast lane, attempt 3/3) │ │ Attempt 4 → delay 1000ms (slow lane — maxFastAttempts │ │ exceeded) │ │ Attempt 5 → delay 1000ms (slow lane) │ │ ... │ └──────────────────────────────────────────────────────────┘ </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">workqueue</span><span class="o">.</span><span class="n">NewItemFastSlowRateLimiter</span><span class="p">(</span> <span class="m">5</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span><span class="p">,</span> <span class="c">// fastDelay</span> <span class="m">1000</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span><span class="p">,</span><span class="c">// slowDelay</span> <span class="m">3</span><span class="p">,</span> <span class="c">// maxFastAttempts</span> <span class="p">)</span> </code></pre> </div> <p><strong>Use case:</strong> Suitable for scenarios where a few quick retries are acceptable (transient network blips), but sustained failures should back off aggressively to avoid resource exhaustion.</p> <h2> 6. Choosing a Rate Limiter </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Algorithm</th> <th>Best for</th> <th>Behavior</th> </tr> </thead> <tbody> <tr> <td><strong>Exponential Backoff</strong></td> <td>Per-item retry (most common)</td> <td>Delay doubles with each failure; resets on success</td> </tr> <tr> <td><strong>Token Bucket</strong></td> <td>Global throughput cap</td> <td>Smooth rate limit across all items; burst-friendly</td> </tr> <tr> <td><strong>Fast/Slow Counter</strong></td> <td>Tiered retry strategy</td> <td>Quick retries first, then aggressive backoff</td> </tr> </tbody> </table></div> <p>In practice, the <strong>default rate limiter</strong> used by <code>controller-runtime</code> and most Kubernetes controllers combines exponential backoff and token bucket via <code>NewMaxOfRateLimiter</code> — taking the <strong>maximum delay</strong> from both algorithms:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Default: use whichever algorithm gives the LONGER delay</span> <span class="c">// This ensures both per-item backoff AND global rate cap are respected</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">DefaultControllerRateLimiter</span><span class="p">()</span> <span class="c">// = NewMaxOfRateLimiter(</span> <span class="c">// NewItemExponentialFailureRateLimiter(5ms, 1000s),</span> <span class="c">// &amp;BucketRateLimiter{rate.NewLimiter(rate.Limit(10), 100)},</span> <span class="c">// )</span> </code></pre> </div> <h2> 7. Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WorkQueue lifecycle in a controller: Event fires (Add/Update/Delete) │ ▼ queue.Add(key) ← deduplicated: same key added once │ ▼ worker: queue.Get(key) ← blocks until item available │ ├── reconcile OK → queue.Forget(key) + queue.Done(key) │ └── reconcile ERR → queue.AddRateLimited(key) │ └── RateLimiter.When(key) → delay AddAfter(key, delay) → DelayingQueue → re-enters queue after delay </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>FIFO Queue</strong></td> <td>Base: ordered, deduplicated, concurrent-safe</td> </tr> <tr> <td><strong>Delaying Queue</strong></td> <td>Adds <code>AddAfter(item, duration)</code> for time-delayed insertion</td> </tr> <tr> <td><strong>RateLimiting Queue</strong></td> <td>Adds <code>AddRateLimited</code> — computes delay via RateLimiter before calling AddAfter</td> </tr> <tr> <td><strong>Exponential Backoff</strong></td> <td>Per-item delay that doubles on each failure — prevents hammering a broken resource</td> </tr> <tr> <td><strong>Token Bucket</strong></td> <td>Global throughput cap — prevents queue from overwhelming the API Server</td> </tr> <tr> <td><strong>Fast/Slow Counter</strong></td> <td>Tiered retry — fast initial retries, slow sustained retries</td> </tr> </tbody> </table></div> <p>WorkQueue is the safety net of every Kubernetes controller. Its combination of deduplication, rate limiting, and retry semantics ensures that controllers converge to desired state reliably — even under API Server failures, network partitions, or event storms.</p> <p><em>Next in this series: EventBroadcaster: How Kubernetes Records and Distributes Cluster Events (Part 6)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> architecture go kubernetes tutorial client-go Deep Dive: Indexer — Fast In-Memory Resource Storage with Custom Indexing James Lee Tue, 19 May 2026 10:08:05 +0000 https://forem.com/jamesli/client-go-deep-dive-indexer-fast-in-memory-resource-storage-with-custom-indexing-37jc https://forem.com/jamesli/client-go-deep-dive-indexer-fast-in-memory-resource-storage-with-custom-indexing-37jc <p>In the previous article we saw that <code>HandleDeltas</code> routes every event to two destinations — one of them is <strong>Indexer</strong>. Indexer is the local in-memory cache that makes resource queries fast and keeps the API Server load-free. In this article we'll look at how it's built and how to extend it with custom index functions.</p> <p>Source: <code>k8s.io/client-go/tools/cache/index.go</code></p> <h2> 1. What Is Indexer? </h2> <p>Indexer is the <strong>local read cache</strong> of the Informer framework. Once the initial List completes and the cache is synced, all resource queries go through Indexer — never hitting the API Server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ Indexer │ │ │ │ ┌───────────────────────────────────────────────┐ │ │ │ ThreadSafeMap │ │ │ │ (concurrent-safe storage backend) │ │ │ │ │ │ │ │ items: map[string]interface{} │ │ │ │ key = "namespace/name" value = resource obj │ │ │ └───────────────────────────────────────────────┘ │ │ │ │ ┌───────────────────────────────────────────────┐ │ │ │ Index Layer (on top) │ │ │ │ Indexers: map[indexName]IndexFunc │ │ │ │ Indices: map[indexName]Index │ │ │ │ Index: map[indexKey]sets.String │ │ │ └───────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────┘ </code></pre> </div> <p>Indexer has two layers:</p> <ul> <li> <strong>ThreadSafeMap</strong> — the raw concurrent-safe key/value store</li> <li> <strong>Index layer</strong> — pluggable custom index functions for efficient filtered queries</li> </ul> <h2> 2. ThreadSafeMap: The Storage Backend </h2> <p>Source: <code>k8s.io/client-go/tools/cache/thread_safe_store.go</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">threadSafeMap</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">lock</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="c">// read-write lock for concurrent safety</span> <span class="n">items</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="c">// primary storage: key → resource object</span> <span class="n">indexers</span> <span class="n">Indexers</span> <span class="c">// registered index functions</span> <span class="n">indices</span> <span class="n">Indices</span> <span class="c">// computed index data</span> <span class="p">}</span> </code></pre> </div> <h3> Key format </h3> <p>The default key function is <code>MetaNamespaceKeyFunc</code>, which produces keys in the format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>namespace/name → "default/nginx-pod" cluster-scoped → "my-node" (no namespace prefix) </code></pre> </div> <h3> CRUD operations </h3> <p>ThreadSafeMap exposes standard storage operations, all protected by <code>sync.RWMutex</code>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>Lock type</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><code>Add(key, obj)</code></td> <td>Write</td> <td>Insert object + update all index entries</td> </tr> <tr> <td><code>Update(key, obj)</code></td> <td>Write</td> <td>Replace object + rebuild index entries</td> </tr> <tr> <td><code>Delete(key)</code></td> <td>Write</td> <td>Remove object + clean up index entries</td> </tr> <tr> <td><code>Get(key)</code></td> <td>Read</td> <td>Fetch single object by key</td> </tr> <tr> <td><code>List()</code></td> <td>Read</td> <td>Return all objects</td> </tr> <tr> <td><code>ListKeys()</code></td> <td>Read</td> <td>Return all keys</td> </tr> <tr> <td><code>ByIndex(indexName, indexKey)</code></td> <td>Read</td> <td>Return all objects matching an index query</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Write path (Add/Update/Delete): ┌─────────────────────────────────────────────────┐ │ lock.Lock() │ │ ├── modify items map │ │ ├── updateIndices() or deleteFromIndices() │ │ └── lock.Unlock() │ └─────────────────────────────────────────────────┘ Read path (Get/List/ByIndex): ┌─────────────────────────────────────────────────┐ │ lock.RLock() ← multiple readers in parallel │ │ ├── read from items or indices │ │ └── lock.RUnlock() │ └─────────────────────────────────────────────────┘ </code></pre> </div> <h2> 3. The Four Index Data Structures </h2> <p>Indexer's power comes from its pluggable index system. Four types work together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// A registry of named index functions</span> <span class="k">type</span> <span class="n">Indexers</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">IndexFunc</span> <span class="c">// An index function: given an object, return the index keys it belongs to</span> <span class="k">type</span> <span class="n">IndexFunc</span> <span class="k">func</span><span class="p">(</span><span class="n">obj</span> <span class="k">interface</span><span class="p">{})</span> <span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="c">// A registry of computed index data (one per registered IndexFunc)</span> <span class="k">type</span> <span class="n">Indices</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">Index</span> <span class="c">// The actual index: maps an index key to the set of object keys that match</span> <span class="k">type</span> <span class="n">Index</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">sets</span><span class="o">.</span><span class="n">String</span> </code></pre> </div> <h3> How they relate </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Indexers["byNamespace"] = namespaceIndexFunc Indexers["byLabel"] = labelIndexFunc │ │ when an object is added/updated, each IndexFunc is called ▼ Indices["byNamespace"] = Index{ "default": {"default/nginx", "default/redis"}, "kube-system": {"kube-system/coredns"}, } Indices["byLabel"] = Index{ "app=web": {"default/nginx", "default/frontend"}, "app=cache": {"default/redis"}, } │ │ query: ByIndex("byLabel", "app=web") ▼ returns: [nginx object, frontend object] ← O(1) lookup via set </code></pre> </div> <h3> Visual summary </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────┐ │ Indexers (function registry) │ │ ┌────────────────┬──────────────────────────────────────┐ │ │ │ "byNamespace" │ func(obj) → [namespace] │ │ │ │ "byLabel/foo" │ func(obj) → [label value of "foo"] │ │ │ └────────────────┴──────────────────────────────────────┘ │ │ │ applied on every Add/Update │ │ ▼ │ │ Indices (computed data) │ │ ┌────────────────┬──────────────────────────────────────┐ │ │ │ "byNamespace" │ {"default": {"ns/pod1","ns/pod2"}} │ │ │ │ "byLabel/foo" │ {"bar": {"ns/pod1"}, "biz":{"ns/pod3"}} │ │ └────────────────┴──────────────────────────────────────┘ │ └──────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> 4. Custom Index Functions in Practice </h2> <p>The real power of Indexer is that you can register <strong>any index function</strong> at initialization time. Here's the complete example from the client-go test suite:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Custom index function: index Pods by the value of their "foo" label</span> <span class="k">func</span> <span class="n">testIndexFunc</span><span class="p">(</span><span class="n">obj</span> <span class="k">interface</span><span class="p">{})</span> <span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">pod</span> <span class="o">:=</span> <span class="n">obj</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="n">v1</span><span class="o">.</span><span class="n">Pod</span><span class="p">)</span> <span class="k">return</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">pod</span><span class="o">.</span><span class="n">Labels</span><span class="p">[</span><span class="s">"foo"</span><span class="p">]},</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestGetIndexFuncValues</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Initialize Indexer with:</span> <span class="c">// key function: MetaNamespaceKeyFunc → "namespace/name"</span> <span class="c">// index function: testIndexFunc → registered as "testmodes"</span> <span class="n">index</span> <span class="o">:=</span> <span class="n">NewIndexer</span><span class="p">(</span><span class="n">MetaNamespaceKeyFunc</span><span class="p">,</span> <span class="n">Indexers</span><span class="p">{</span><span class="s">"testmodes"</span><span class="o">:</span> <span class="n">testIndexFunc</span><span class="p">})</span> <span class="n">pod1</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">v1</span><span class="o">.</span><span class="n">Pod</span><span class="p">{</span><span class="n">ObjectMeta</span><span class="o">:</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ObjectMeta</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"one"</span><span class="p">,</span> <span class="n">Labels</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"foo"</span><span class="o">:</span> <span class="s">"bar"</span><span class="p">}}}</span> <span class="n">pod2</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">v1</span><span class="o">.</span><span class="n">Pod</span><span class="p">{</span><span class="n">ObjectMeta</span><span class="o">:</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ObjectMeta</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"two"</span><span class="p">,</span> <span class="n">Labels</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"foo"</span><span class="o">:</span> <span class="s">"bar"</span><span class="p">}}}</span> <span class="n">pod3</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">v1</span><span class="o">.</span><span class="n">Pod</span><span class="p">{</span><span class="n">ObjectMeta</span><span class="o">:</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ObjectMeta</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"tre"</span><span class="p">,</span> <span class="n">Labels</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"foo"</span><span class="o">:</span> <span class="s">"biz"</span><span class="p">}}}</span> <span class="n">index</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">pod1</span><span class="p">)</span> <span class="n">index</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">pod2</span><span class="p">)</span> <span class="n">index</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">pod3</span><span class="p">)</span> <span class="c">// List all distinct values produced by the "testmodes" index function</span> <span class="n">keys</span> <span class="o">:=</span> <span class="n">index</span><span class="o">.</span><span class="n">ListIndexFuncValues</span><span class="p">(</span><span class="s">"testmodes"</span><span class="p">)</span> <span class="c">// keys = ["bar", "biz"] — the two distinct label values</span> <span class="c">// Query all Pods where label "foo" == "bar"</span> <span class="n">pods</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">index</span><span class="o">.</span><span class="n">ByIndex</span><span class="p">(</span><span class="s">"testmodes"</span><span class="p">,</span> <span class="s">"bar"</span><span class="p">)</span> <span class="c">// pods = [pod1, pod2]</span> <span class="p">}</span> </code></pre> </div> <h3> What happens internally when <code>index.Add(pod1)</code> is called </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">index</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">pod1</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">items</span><span class="p">[</span><span class="s">"default/one"</span><span class="p">]</span> <span class="o">=</span> <span class="n">pod1</span> <span class="err">←</span> <span class="n">store</span> <span class="n">in</span> <span class="n">primary</span> <span class="k">map</span> <span class="err">│</span> <span class="err">└──</span> <span class="k">for</span> <span class="n">each</span> <span class="n">registered</span> <span class="n">IndexFunc</span><span class="o">:</span> <span class="n">testIndexFunc</span><span class="p">(</span><span class="n">pod1</span><span class="p">)</span> <span class="err">→</span> <span class="p">[</span><span class="s">"bar"</span><span class="p">]</span> <span class="n">Indices</span><span class="p">[</span><span class="s">"testmodes"</span><span class="p">][</span><span class="s">"bar"</span><span class="p">]</span><span class="o">.</span><span class="n">Insert</span><span class="p">(</span><span class="s">"default/one"</span><span class="p">)</span> <span class="n">After</span> <span class="n">adding</span> <span class="n">all</span> <span class="m">3</span> <span class="n">pods</span><span class="o">:</span> <span class="n">items</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"default/one"</span><span class="o">:</span> <span class="n">pod1</span><span class="p">,</span> <span class="s">"default/two"</span><span class="o">:</span> <span class="n">pod2</span><span class="p">,</span> <span class="s">"default/tre"</span><span class="o">:</span> <span class="n">pod3</span><span class="p">,</span> <span class="p">}</span> <span class="n">Indices</span><span class="p">[</span><span class="s">"testmodes"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"bar"</span><span class="o">:</span> <span class="p">{</span><span class="s">"default/one"</span><span class="p">,</span> <span class="s">"default/two"</span><span class="p">},</span> <span class="s">"biz"</span><span class="o">:</span> <span class="p">{</span><span class="s">"default/tre"</span><span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h3> Query flow: <code>ByIndex("testmodes", "bar")</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">ByIndex</span><span class="p">(</span><span class="s">"testmodes"</span><span class="p">,</span> <span class="s">"bar"</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">look</span> <span class="n">up</span> <span class="n">Indices</span><span class="p">[</span><span class="s">"testmodes"</span><span class="p">][</span><span class="s">"bar"</span><span class="p">]</span> <span class="err">│</span> <span class="err">→</span> <span class="n">set</span><span class="o">:</span> <span class="p">{</span><span class="s">"default/one"</span><span class="p">,</span> <span class="s">"default/two"</span><span class="p">}</span> <span class="err">│</span> <span class="err">└──</span> <span class="k">for</span> <span class="n">each</span> <span class="n">key</span> <span class="n">in</span> <span class="n">set</span><span class="o">:</span> <span class="n">items</span><span class="p">[</span><span class="s">"default/one"</span><span class="p">]</span> <span class="err">→</span> <span class="n">pod1</span> <span class="n">items</span><span class="p">[</span><span class="s">"default/two"</span><span class="p">]</span> <span class="err">→</span> <span class="n">pod2</span> <span class="n">Result</span><span class="o">:</span> <span class="p">[</span><span class="n">pod1</span><span class="p">,</span> <span class="n">pod2</span><span class="p">]</span> <span class="err">←</span> <span class="n">O</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="n">index</span> <span class="n">lookup</span> <span class="o">+</span> <span class="n">O</span><span class="p">(</span><span class="n">k</span><span class="p">)</span> <span class="n">object</span> <span class="n">fetch</span> </code></pre> </div> <h2> 5. Built-in Index Functions </h2> <p>client-go ships with a standard index function for the most common query pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// MetaNamespaceIndexFunc — index objects by namespace</span> <span class="c">// This is the default index registered in most Informers</span> <span class="k">func</span> <span class="n">MetaNamespaceIndexFunc</span><span class="p">(</span><span class="n">obj</span> <span class="k">interface</span><span class="p">{})</span> <span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">meta</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">meta</span><span class="o">.</span><span class="n">Accessor</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">""</span><span class="p">},</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"object has no meta: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">meta</span><span class="o">.</span><span class="n">GetNamespace</span><span class="p">()},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Get all Pods in the "production" namespace — from local cache, no API call</span> <span class="n">pods</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">podsLister</span><span class="o">.</span><span class="n">Pods</span><span class="p">(</span><span class="s">"production"</span><span class="p">)</span><span class="o">.</span><span class="n">List</span><span class="p">(</span><span class="n">labels</span><span class="o">.</span><span class="n">Everything</span><span class="p">())</span> <span class="c">// Internally this calls:</span> <span class="c">// indexer.ByIndex("namespace", "production")</span> </code></pre> </div> <h2> 6. Indexer vs Direct API Query </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Indexer (local cache)</th> <th>Direct API Server call</th> </tr> </thead> <tbody> <tr> <td><strong>Speed</strong></td> <td>Microseconds (in-memory)</td> <td>Milliseconds (network + etcd)</td> </tr> <tr> <td><strong>API Server load</strong></td> <td>Zero</td> <td>One request per query</td> </tr> <tr> <td><strong>Consistency</strong></td> <td>Eventually consistent (synced via Watch)</td> <td>Strongly consistent</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Controller reconciliation loops</td> <td>One-time admin queries</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Rule of thumb:</strong> In any controller hot path — reconciliation loops, event handlers, health checks — always use the Lister (backed by Indexer). Only use Clientset for <strong>writes</strong> (Create/Update/Delete/Patch).</p> </blockquote> <h2> 7. Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Indexer = ThreadSafeMap + pluggable Index functions ┌──────────────────────────────────────────────────────────┐ │ Write path (from HandleDeltas): │ │ Add/Update/Delete → update items + rebuild index data │ │ │ │ Read path (from your controller via Lister): │ │ Get(key) → O(1) direct lookup │ │ List() → O(n) full scan │ │ ByIndex(name, value) → O(1) index lookup + O(k) fetch │ └──────────────────────────────────────────────────────────┘ </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>ThreadSafeMap</strong></td> <td> <code>sync.RWMutex</code> + <code>map[string]interface{}</code> — the raw storage layer</td> </tr> <tr> <td><strong>MetaNamespaceKeyFunc</strong></td> <td>Default key function: produces <code>"namespace/name"</code> keys</td> </tr> <tr> <td><strong>Indexers</strong></td> <td>Registry of named index functions — define what you can query by</td> </tr> <tr> <td><strong>IndexFunc</strong></td> <td>User-defined function: <code>obj → []indexKey</code> </td> </tr> <tr> <td><strong>Indices</strong></td> <td>Computed index data: <code>indexName → indexKey → set of object keys</code> </td> </tr> <tr> <td><strong>ByIndex</strong></td> <td>Efficient filtered query: O(1) index lookup + O(k) object retrieval</td> </tr> </tbody> </table></div> <p>Indexer is what makes Kubernetes controllers fast. By keeping a fully indexed in-memory snapshot of cluster state, it eliminates the need for controllers to poll the API Server — turning what would be thousands of network calls per second into zero-latency local memory reads.</p> <p><em>Next in this series: WorkQueue: The Reliable Task Queue for Kubernetes Controllers (Part 5)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> architecture go kubernetes performance client-go Deep Dive: DeltaFIFO — The Event Queue Behind Informer James Lee Tue, 19 May 2026 10:07:34 +0000 https://forem.com/jamesli/client-go-deep-dive-deltafifo-the-event-queue-behind-informer-38l https://forem.com/jamesli/client-go-deep-dive-deltafifo-the-event-queue-behind-informer-38l <p>In the previous article we saw how Reflector calls <code>List/Watch</code> and feeds events downstream. The immediate destination of those events is <strong>DeltaFIFO</strong> — the event queue that sits at the heart of the Informer framework.</p> <p>Source: <code>k8s.io/client-go/tools/cache/delta_fifo.go</code></p> <h2> 1. What Is DeltaFIFO? </h2> <p>The name has two parts:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Part</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><strong>FIFO</strong></td> <td>First-In-First-Out queue — supports <code>Add</code>, <code>Update</code>, <code>Delete</code>, <code>List</code>, <code>Pop</code> operations</td> </tr> <tr> <td><strong>Delta</strong></td> <td>Each entry stores not just the object, but also the <strong>type of change</strong> (Added / Updated / Deleted / Sync / Replaced)</td> </tr> </tbody> </table></div> <p>Together, DeltaFIFO is a queue where each item carries both <strong>what changed</strong> and <strong>how it changed</strong> — giving downstream consumers the full context they need to act correctly.</p> <h2> 2. The Data Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// k8s.io/client-go/tools/cache/delta_fifo.go</span> <span class="k">type</span> <span class="n">DeltaFIFO</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">lock</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">cond</span> <span class="n">sync</span><span class="o">.</span><span class="n">Cond</span> <span class="c">// used to block/unblock consumers</span> <span class="n">items</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">Deltas</span> <span class="c">// key → list of deltas for that object</span> <span class="n">queue</span> <span class="p">[]</span><span class="kt">string</span> <span class="c">// ordered list of keys (FIFO ordering)</span> <span class="n">populated</span> <span class="kt">bool</span> <span class="n">initialPopulationCount</span> <span class="kt">int</span> <span class="c">// tracks how many items came from the initial List</span> <span class="n">keyFunc</span> <span class="n">KeyFunc</span> <span class="c">// computes the key for a given object</span> <span class="n">knownObjects</span> <span class="n">KeyListerGetter</span> <span class="c">// reference to Indexer (for deletion detection)</span> <span class="n">closed</span> <span class="kt">bool</span> <span class="n">emitDeltaTypeReplaced</span> <span class="kt">bool</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Deltas</span> <span class="p">[]</span><span class="n">Delta</span> <span class="k">type</span> <span class="n">Delta</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Type</span> <span class="n">DeltaType</span> <span class="c">// Added | Updated | Deleted | Replaced | Sync</span> <span class="n">Object</span> <span class="k">interface</span><span class="p">{}</span> <span class="c">// the actual Kubernetes resource object</span> <span class="p">}</span> </code></pre> </div> <h3> The Three Core Fields </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">queue:</span><span class="w"> </span><span class="p">[</span><span class="s2">"pod/default/nginx"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pod/default/redis"</span><span class="p">,</span><span class="w"> </span><span class="s2">"deploy/default/app"</span><span class="p">]</span><span class="w"> </span><span class="err">↑</span><span class="w"> </span><span class="err">ordered</span><span class="w"> </span><span class="err">slice</span><span class="w"> </span><span class="err">of</span><span class="w"> </span><span class="err">object</span><span class="w"> </span><span class="err">keys</span><span class="w"> </span><span class="err">(FIFO</span><span class="w"> </span><span class="err">order)</span><span class="w"> </span><span class="err">items:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"pod/default/nginx"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="err">Added</span><span class="p">,</span><span class="w"> </span><span class="err">PodObj_v</span><span class="mi">1</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="err">Updated</span><span class="p">,</span><span class="w"> </span><span class="err">PodObj_v</span><span class="mi">2</span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"pod/default/redis"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="err">Deleted</span><span class="p">,</span><span class="w"> </span><span class="err">PodObj_v</span><span class="mi">1</span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"deploy/default/app"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="err">Added</span><span class="p">,</span><span class="w"> </span><span class="err">DeployObj_v</span><span class="mi">1</span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">↑</span><span class="w"> </span><span class="err">map:</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="err">→</span><span class="w"> </span><span class="p">[]</span><span class="err">Delta</span><span class="w"> </span><span class="err">(all</span><span class="w"> </span><span class="err">pending</span><span class="w"> </span><span class="err">changes</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">that</span><span class="w"> </span><span class="err">object)</span><span class="w"> </span><span class="err">Delta:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">Type:</span><span class="w"> </span><span class="s2">"Updated"</span><span class="p">,</span><span class="w"> </span><span class="err">Object:</span><span class="w"> </span><span class="err">&lt;Pod</span><span class="w"> </span><span class="err">nginx</span><span class="w"> </span><span class="err">v</span><span class="mi">2</span><span class="err">&gt;</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">↑</span><span class="w"> </span><span class="err">a</span><span class="w"> </span><span class="err">single</span><span class="w"> </span><span class="err">change</span><span class="w"> </span><span class="err">event:</span><span class="w"> </span><span class="err">what</span><span class="w"> </span><span class="err">happened</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">object</span><span class="w"> </span><span class="err">snapshot</span><span class="w"> </span></code></pre> </div> <h3> Visualizing the Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ DeltaFIFO │ │ │ │ queue (FIFO order): │ │ ┌──────────────────┬──────────────────┬─────────────────┐ │ │ │ "pod/default/ │ "pod/default/ │ "deploy/default │ │ │ │ nginx" │ redis" │ /app" │ │ │ └──────────────────┴──────────────────┴─────────────────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ items (map): │ │ ┌──────────────────┐ ┌────────────────┐ ┌──────────────┐ │ │ │ [{Added, nginx} │ │[{Deleted, │ │[{Added, │ │ │ │ {Updated,nginx}]│ │ redis}] │ │ deploy}] │ │ │ └──────────────────┘ └────────────────┘ └──────────────┘ │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <blockquote> <p><strong>Key design insight:</strong> <code>queue</code> maintains ordering (which object to process next), while <code>items</code> accumulates all pending deltas per object. Multiple changes to the same object are batched — but never reordered relative to other objects.</p> </blockquote> <h2> 3. Producing Messages: queueActionLocked </h2> <p>Every time Reflector calls <code>syncWith()</code> (from List) or <code>watchHandler()</code> (from Watch), it ultimately calls <code>queueActionLocked</code> to enqueue an event:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">f</span> <span class="o">*</span><span class="n">DeltaFIFO</span><span class="p">)</span> <span class="n">queueActionLocked</span><span class="p">(</span><span class="n">actionType</span> <span class="n">DeltaType</span><span class="p">,</span> <span class="n">obj</span> <span class="k">interface</span><span class="p">{})</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// ① Compute the object's key (e.g. "default/nginx")</span> <span class="n">id</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">KeyOf</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">KeyError</span><span class="p">{</span><span class="n">obj</span><span class="p">,</span> <span class="n">err</span><span class="p">}</span> <span class="p">}</span> <span class="c">// ② Append new Delta to the existing list for this key</span> <span class="n">oldDeltas</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">items</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="n">newDeltas</span> <span class="o">:=</span> <span class="nb">append</span><span class="p">(</span><span class="n">oldDeltas</span><span class="p">,</span> <span class="n">Delta</span><span class="p">{</span><span class="n">actionType</span><span class="p">,</span> <span class="n">obj</span><span class="p">})</span> <span class="c">// ③ Deduplicate consecutive identical events</span> <span class="n">newDeltas</span> <span class="o">=</span> <span class="n">dedupDeltas</span><span class="p">(</span><span class="n">newDeltas</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">newDeltas</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="c">// ④ If this key is new, add it to the queue (maintain FIFO order)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">items</span><span class="p">[</span><span class="n">id</span><span class="p">];</span> <span class="o">!</span><span class="n">exists</span> <span class="p">{</span> <span class="n">f</span><span class="o">.</span><span class="n">queue</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">queue</span><span class="p">,</span> <span class="n">id</span><span class="p">)</span> <span class="p">}</span> <span class="c">// ⑤ Update items map with the new delta list</span> <span class="n">f</span><span class="o">.</span><span class="n">items</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="o">=</span> <span class="n">newDeltas</span> <span class="c">// ⑥ Wake up all blocked consumers</span> <span class="n">f</span><span class="o">.</span><span class="n">cond</span><span class="o">.</span><span class="n">Broadcast</span><span class="p">()</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>Production flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Reflector (r.syncWith / r.watchHandler) │ ▼ queueActionLocked(actionType, obj) │ ├── ① KeyOf(obj) → compute key (e.g. "default/nginx") ├── ② append Delta → add {type, obj} to existing delta list ├── ③ dedupDeltas() → remove redundant consecutive events ├── ④ queue = append(key) → add key to FIFO queue (if new) ├── ⑤ items[key] = newDeltas → store updated delta list └── ⑥ cond.Broadcast() → wake up Pop() consumers </code></pre> </div> <h3> Delta Types </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">const</span> <span class="p">(</span> <span class="n">Added</span> <span class="n">DeltaType</span> <span class="o">=</span> <span class="s">"Added"</span> <span class="c">// object newly appeared (from Watch or initial List)</span> <span class="n">Updated</span> <span class="n">DeltaType</span> <span class="o">=</span> <span class="s">"Updated"</span> <span class="c">// object was modified</span> <span class="n">Deleted</span> <span class="n">DeltaType</span> <span class="o">=</span> <span class="s">"Deleted"</span> <span class="c">// object was removed</span> <span class="n">Replaced</span> <span class="n">DeltaType</span> <span class="o">=</span> <span class="s">"Replaced"</span> <span class="c">// full re-list replaced the object (resync)</span> <span class="n">Sync</span> <span class="n">DeltaType</span> <span class="o">=</span> <span class="s">"Sync"</span> <span class="c">// periodic resync — object unchanged but re-delivered</span> <span class="p">)</span> </code></pre> </div> <h3> Deduplication: dedupDeltas </h3> <p><code>dedupDeltas</code> prevents redundant back-to-back <code>Deleted</code> events for the same object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before dedup: [{Updated, obj}, {Deleted, obj}, {Deleted, obj}] After dedup: [{Updated, obj}, {Deleted, obj}] </code></pre> </div> <p>Only the <strong>last two deltas</strong> are considered for deduplication — older history is always preserved.</p> <h2> 4. Consuming Messages: Pop </h2> <p>The consumer side is driven by the Informer's internal Controller, which calls <code>Pop()</code> in its <code>processLoop</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">f</span> <span class="o">*</span><span class="n">DeltaFIFO</span><span class="p">)</span> <span class="n">Pop</span><span class="p">(</span><span class="n">process</span> <span class="n">PopProcessFunc</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">f</span><span class="o">.</span><span class="n">lock</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">f</span><span class="o">.</span><span class="n">lock</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="k">for</span> <span class="p">{</span> <span class="c">// ① Block if queue is empty — wait for producer to signal</span> <span class="k">for</span> <span class="nb">len</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">queue</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">if</span> <span class="n">f</span><span class="o">.</span><span class="n">closed</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrFIFOClosed</span> <span class="p">}</span> <span class="n">f</span><span class="o">.</span><span class="n">cond</span><span class="o">.</span><span class="n">Wait</span><span class="p">()</span> <span class="c">// releases lock and sleeps until cond.Broadcast()</span> <span class="p">}</span> <span class="c">// ② Dequeue the first key (FIFO order)</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">queue</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="n">f</span><span class="o">.</span><span class="n">queue</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">queue</span><span class="p">[</span><span class="m">1</span><span class="o">:</span><span class="p">]</span> <span class="k">if</span> <span class="n">f</span><span class="o">.</span><span class="n">initialPopulationCount</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="n">f</span><span class="o">.</span><span class="n">initialPopulationCount</span><span class="o">--</span> <span class="p">}</span> <span class="c">// ③ Retrieve and remove the delta list for this key</span> <span class="n">item</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">items</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">continue</span> <span class="c">// key was already processed (race condition guard)</span> <span class="p">}</span> <span class="nb">delete</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">items</span><span class="p">,</span> <span class="n">id</span><span class="p">)</span> <span class="c">// ④ Pass the delta list to the callback function (HandleDeltas)</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">process</span><span class="p">(</span><span class="n">item</span><span class="p">)</span> <span class="c">// ⑤ If processing failed, re-enqueue for retry</span> <span class="k">if</span> <span class="n">e</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">err</span><span class="o">.</span><span class="p">(</span><span class="n">ErrRequeue</span><span class="p">);</span> <span class="n">ok</span> <span class="p">{</span> <span class="n">f</span><span class="o">.</span><span class="n">addIfNotPresent</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">item</span><span class="p">)</span> <span class="n">err</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">Err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">item</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Consumption flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Controller.processLoop() │ └── DeltaFIFO.Pop(HandleDeltas) │ ├── ① cond.Wait() → sleep if queue empty ├── ② dequeue key → take first key from FIFO queue ├── ③ delete(items,id) → remove delta list from map ├── ④ process(item) → call HandleDeltas callback └── ⑤ on error: addIfNotPresent() → re-enqueue for retry </code></pre> </div> <h2> 5. HandleDeltas: Routing Events Downstream </h2> <p>Once <code>Pop()</code> delivers a delta list to the callback, <code>HandleDeltas</code> routes each event to <strong>two destinations</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// k8s.io/client-go/tools/cache/shared_informer.go</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">sharedIndexInformer</span><span class="p">)</span> <span class="n">HandleDeltas</span><span class="p">(</span><span class="n">obj</span> <span class="k">interface</span><span class="p">{})</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">s</span><span class="o">.</span><span class="n">blockDeltas</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">s</span><span class="o">.</span><span class="n">blockDeltas</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">d</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">obj</span><span class="o">.</span><span class="p">(</span><span class="n">Deltas</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">d</span><span class="o">.</span><span class="n">Type</span> <span class="p">{</span> <span class="k">case</span> <span class="n">Sync</span><span class="p">,</span> <span class="n">Replaced</span><span class="p">,</span> <span class="n">Added</span><span class="p">,</span> <span class="n">Updated</span><span class="o">:</span> <span class="k">if</span> <span class="n">old</span><span class="p">,</span> <span class="n">exists</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">indexer</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="n">exists</span> <span class="p">{</span> <span class="c">// Object already in cache → Update</span> <span class="n">s</span><span class="o">.</span><span class="n">indexer</span><span class="o">.</span><span class="n">Update</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">)</span> <span class="n">isSync</span> <span class="o">:=</span> <span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Type</span> <span class="o">==</span> <span class="n">Sync</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Type</span> <span class="o">==</span> <span class="n">Replaced</span> <span class="o">&amp;&amp;</span> <span class="n">sameResourceVersion</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">,</span> <span class="n">old</span><span class="p">))</span> <span class="c">// Route to ShareInformer listeners</span> <span class="n">s</span><span class="o">.</span><span class="n">processor</span><span class="o">.</span><span class="n">distribute</span><span class="p">(</span><span class="n">updateNotification</span><span class="p">{</span><span class="n">oldObj</span><span class="o">:</span> <span class="n">old</span><span class="p">,</span> <span class="n">newObj</span><span class="o">:</span> <span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">},</span> <span class="n">isSync</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// Object not in cache → Add</span> <span class="n">s</span><span class="o">.</span><span class="n">indexer</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">processor</span><span class="o">.</span><span class="n">distribute</span><span class="p">(</span><span class="n">addNotification</span><span class="p">{</span><span class="n">newObj</span><span class="o">:</span> <span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">},</span> <span class="no">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">case</span> <span class="n">Deleted</span><span class="o">:</span> <span class="n">s</span><span class="o">.</span><span class="n">indexer</span><span class="o">.</span><span class="n">Delete</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">processor</span><span class="o">.</span><span class="n">distribute</span><span class="p">(</span><span class="n">deleteNotification</span><span class="p">{</span><span class="n">oldObj</span><span class="o">:</span> <span class="n">d</span><span class="o">.</span><span class="n">Object</span><span class="p">},</span> <span class="no">false</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> The Two Destinations </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">HandleDeltas</span><span class="p">(</span><span class="n">Deltas</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="err">①</span> <span class="n">Indexer</span> <span class="p">(</span><span class="n">local</span> <span class="n">cache</span><span class="p">)</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">Added</span><span class="o">/</span><span class="n">Updated</span><span class="o">/</span><span class="n">Replaced</span><span class="o">/</span><span class="n">Sync</span> <span class="err">→</span> <span class="n">indexer</span><span class="o">.</span><span class="n">Add</span><span class="p">()</span> <span class="n">or</span> <span class="n">indexer</span><span class="o">.</span><span class="n">Update</span><span class="p">()</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">Deleted</span> <span class="err">→</span> <span class="n">indexer</span><span class="o">.</span><span class="n">Delete</span><span class="p">()</span> <span class="err">│</span> <span class="err">└──</span> <span class="err">②</span> <span class="n">processor</span><span class="o">.</span><span class="n">distribute</span><span class="p">()</span> <span class="p">(</span><span class="n">ShareInformer</span> <span class="n">fan</span><span class="o">-</span><span class="n">out</span><span class="p">)</span> <span class="err">├──</span> <span class="n">addNotification</span> <span class="err">→</span> <span class="n">triggers</span> <span class="n">OnAdd</span> <span class="n">callbacks</span> <span class="err">├──</span> <span class="n">updateNotification</span> <span class="err">→</span> <span class="n">triggers</span> <span class="n">OnUpdate</span> <span class="n">callbacks</span> <span class="err">└──</span> <span class="n">deleteNotification</span> <span class="err">→</span> <span class="n">triggers</span> <span class="n">OnDelete</span> <span class="n">callbacks</span> <span class="err">│</span> <span class="err">▼</span> <span class="n">informer</span><span class="o">.</span><span class="n">AddEventHandler</span><span class="p">(</span><span class="n">ResourceEventHandlerFuncs</span><span class="p">{</span> <span class="n">AddFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="p">{</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="p">},</span> <span class="n">UpdateFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">old</span><span class="p">,</span> <span class="nb">new</span><span class="p">)</span> <span class="p">{</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="p">},</span> <span class="n">DeleteFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> <span class="p">{</span> <span class="n">workqueue</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <h2> 6. The Complete DeltaFIFO Lifecycle </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ DeltaFIFO Lifecycle │ │ │ │ PRODUCER (Reflector) │ │ ┌──────────────────────────────────────────────────────────┐ │ │ │ r.syncWith() → queueActionLocked(Added, obj) │ │ │ │ r.watchHandler() → queueActionLocked(Updated/Deleted…) │ │ │ └──────────────────────────────────────────────────────────┘ │ │ │ cond.Broadcast() │ │ ▼ │ │ ┌──────────────────────────────────────────────────────────┐ │ │ │ DeltaFIFO │ │ │ │ queue: [key1, key2, key3, ...] (FIFO order) │ │ │ │ items: {key1: [Δ,Δ], key2: [Δ], key3: [Δ,Δ,Δ]} │ │ │ └──────────────────────────────────────────────────────────┘ │ │ │ cond.Wait → unblock │ │ ▼ │ │ CONSUMER (Controller.processLoop) │ │ ┌──────────────────────────────────────────────────────────┐ │ │ │ Pop(HandleDeltas) │ │ │ │ → HandleDeltas │ │ │ │ ├── Indexer.Add/Update/Delete (local cache) │ │ │ │ └── processor.distribute() (event callbacks) │ │ │ └──────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> 7. Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>queue</strong></td> <td>Ordered slice of object keys — guarantees FIFO processing order</td> </tr> <tr> <td><strong>items</strong></td> <td>Map of key → <code>[]Delta</code> — accumulates all pending changes per object</td> </tr> <tr> <td><strong>Delta</strong></td> <td> <code>{Type, Object}</code> — carries both the change type and the full object snapshot</td> </tr> <tr> <td><strong>queueActionLocked</strong></td> <td>Producer entry point — appends delta, deduplicates, signals consumers</td> </tr> <tr> <td><strong>dedupDeltas</strong></td> <td>Removes redundant back-to-back Deleted events</td> </tr> <tr> <td><strong>Pop</strong></td> <td>Consumer entry point — blocks when empty, dequeues FIFO, calls HandleDeltas</td> </tr> <tr> <td><strong>HandleDeltas</strong></td> <td>Routes each delta to Indexer (storage) AND processor.distribute (callbacks)</td> </tr> <tr> <td><strong>cond.Broadcast/Wait</strong></td> <td>Efficient producer-consumer synchronization — no busy polling</td> </tr> </tbody> </table></div> <p>DeltaFIFO is the reliable handoff point between Reflector (producer) and the Informer's internal Controller (consumer). Its dual structure — an ordered queue for sequencing plus a map for delta accumulation — ensures that no event is lost, no object is processed out of order, and downstream consumers always receive the full change context.</p> <p><em>Next in this series: Indexer: Fast In-Memory Resource Storage with Thread-Safe Indexing (Part 4)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> architecture go kubernetes softwareengineering client-go Deep Dive: Reflector — How Kubernetes Syncs Resources from the API Server James Lee Tue, 19 May 2026 10:06:09 +0000 https://forem.com/jamesli/client-go-deep-dive-reflector-how-kubernetes-syncs-resources-from-the-api-server-42l6 https://forem.com/jamesli/client-go-deep-dive-reflector-how-kubernetes-syncs-resources-from-the-api-server-42l6 <p>In the previous article we saw that Informer's core mechanism is <strong>List/Watch</strong>. The component responsible for executing that mechanism is <strong>Reflector</strong>. Every time an Informer starts up, it's Reflector that connects to the API Server, fetches the full resource snapshot, and then keeps watching for changes.</p> <p>Source: <code>k8s.io/client-go/tools/cache/reflector.go</code></p> <h2> 1. Where Reflector Fits </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Informer starts │ ▼ ┌──────────────────────────────────────────────────┐ │ Reflector │ │ │ │ Phase 1: LIST │ │ ├── call listerWatcher.List() │ │ ├── get ResourceVersion │ │ ├── extract object list │ │ └── syncWith() → store all objects in DeltaFIFO │ │ │ │ Phase 2: WATCH │ │ ├── call listerWatcher.Watch() │ │ ├── receive incremental events (HTTP chunked) │ │ └── watchHandler() → push events to DeltaFIFO │ └──────────────────────────────────────────────────┘ │ ▼ DeltaFIFO (event queue) </code></pre> </div> <h2> 2. The Reflector Struct </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// k8s.io/client-go/tools/cache/reflector.go</span> <span class="k">type</span> <span class="n">Reflector</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">name</span> <span class="kt">string</span> <span class="n">expectedTypeName</span> <span class="kt">string</span> <span class="n">expectedType</span> <span class="n">reflect</span><span class="o">.</span><span class="n">Type</span> <span class="c">// the resource type being watched (e.g. *v1.Pod)</span> <span class="n">expectedGVK</span> <span class="o">*</span><span class="n">schema</span><span class="o">.</span><span class="n">GroupVersionKind</span> <span class="n">store</span> <span class="n">Store</span> <span class="c">// DeltaFIFO — where events are written</span> <span class="n">listerWatcher</span> <span class="n">ListerWatcher</span> <span class="c">// the actual List/Watch implementation</span> <span class="n">backoffManager</span> <span class="n">wait</span><span class="o">.</span><span class="n">BackoffManager</span> <span class="c">// retry backoff for Watch reconnects</span> <span class="n">initConnBackoffManager</span> <span class="n">wait</span><span class="o">.</span><span class="n">BackoffManager</span> <span class="c">// backoff for initial connection</span> <span class="n">resyncPeriod</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="c">// how often to force a full resync (0 = never)</span> <span class="n">ShouldResync</span> <span class="k">func</span><span class="p">()</span> <span class="kt">bool</span> <span class="c">// optional: custom resync decision function</span> <span class="n">clock</span> <span class="n">clock</span><span class="o">.</span><span class="n">Clock</span> <span class="n">paginatedResult</span> <span class="kt">bool</span> <span class="c">// ResourceVersion tracking — critical for Watch correctness</span> <span class="n">lastSyncResourceVersion</span> <span class="kt">string</span> <span class="n">isLastSyncResourceVersionUnavailable</span> <span class="kt">bool</span> <span class="n">lastSyncResourceVersionMutex</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">WatchListPageSize</span> <span class="kt">int64</span> <span class="n">watchErrorHandler</span> <span class="n">WatchErrorHandler</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key fields explained:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>store</code></td> <td>The DeltaFIFO queue — Reflector writes all events here</td> </tr> <tr> <td><code>listerWatcher</code></td> <td>Interface that provides the actual <code>List()</code> and <code>Watch()</code> calls</td> </tr> <tr> <td><code>lastSyncResourceVersion</code></td> <td>Tracks the latest version seen — Watch resumes from this point after reconnect</td> </tr> <tr> <td><code>resyncPeriod</code></td> <td>If &gt; 0, Reflector periodically forces a full re-List to catch any missed events</td> </tr> <tr> <td><code>backoffManager</code></td> <td>Exponential backoff when Watch connection drops</td> </tr> </tbody> </table></div> <h2> 3. The ListerWatcher Interface </h2> <p><code>listerWatcher</code> is an interface — Reflector doesn't know or care which resource type it's watching. The concrete implementation is injected per resource type.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">ListerWatcher</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Lister</span> <span class="n">Watcher</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Lister</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">List</span><span class="p">(</span><span class="n">options</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">)</span> <span class="p">(</span><span class="n">runtime</span><span class="o">.</span><span class="n">Object</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Watcher</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Watch</span><span class="p">(</span><span class="n">options</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">)</span> <span class="p">(</span><span class="n">watch</span><span class="o">.</span><span class="n">Interface</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>For a Pod Informer, the concrete implementation looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// k8s.io/client-go/informers/core/v1/pods.go</span> <span class="k">func</span> <span class="n">NewFilteredPodInformer</span><span class="p">(</span> <span class="n">client</span> <span class="n">kubernetes</span><span class="o">.</span><span class="n">Interface</span><span class="p">,</span> <span class="n">namespace</span> <span class="kt">string</span><span class="p">,</span> <span class="n">resyncPeriod</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">,</span> <span class="n">indexers</span> <span class="n">cache</span><span class="o">.</span><span class="n">Indexers</span><span class="p">,</span> <span class="n">tweakListOptions</span> <span class="n">internalinterfaces</span><span class="o">.</span><span class="n">TweakListOptionsFunc</span><span class="p">,</span> <span class="p">)</span> <span class="n">cache</span><span class="o">.</span><span class="n">SharedIndexInformer</span> <span class="p">{</span> <span class="k">return</span> <span class="n">cache</span><span class="o">.</span><span class="n">NewSharedIndexInformer</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">cache</span><span class="o">.</span><span class="n">ListWatch</span><span class="p">{</span> <span class="c">// List: calls the real Kubernetes API</span> <span class="n">ListFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">options</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">)</span> <span class="p">(</span><span class="n">runtime</span><span class="o">.</span><span class="n">Object</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">tweakListOptions</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">tweakListOptions</span><span class="p">(</span><span class="o">&amp;</span><span class="n">options</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">client</span><span class="o">.</span><span class="n">CoreV1</span><span class="p">()</span><span class="o">.</span><span class="n">Pods</span><span class="p">(</span><span class="n">namespace</span><span class="p">)</span><span class="o">.</span><span class="n">List</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">TODO</span><span class="p">(),</span> <span class="n">options</span><span class="p">)</span> <span class="p">},</span> <span class="c">// Watch: opens a long-lived HTTP connection to the API Server</span> <span class="n">WatchFunc</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">options</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">)</span> <span class="p">(</span><span class="n">watch</span><span class="o">.</span><span class="n">Interface</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">tweakListOptions</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">tweakListOptions</span><span class="p">(</span><span class="o">&amp;</span><span class="n">options</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">client</span><span class="o">.</span><span class="n">CoreV1</span><span class="p">()</span><span class="o">.</span><span class="n">Pods</span><span class="p">(</span><span class="n">namespace</span><span class="p">)</span><span class="o">.</span><span class="n">Watch</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">TODO</span><span class="p">(),</span> <span class="n">options</span><span class="p">)</span> <span class="p">},</span> <span class="p">},</span> <span class="o">&amp;</span><span class="n">corev1</span><span class="o">.</span><span class="n">Pod</span><span class="p">{},</span> <span class="n">resyncPeriod</span><span class="p">,</span> <span class="n">indexers</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>This is why Clientset must be created before SharedInformerFactory.</strong> The <code>ListFunc</code> and <code>WatchFunc</code> are closures over the Clientset — without it, Reflector has no way to talk to the API Server.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">NewKubeController</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="o">*</span><span class="n">KubeController</span> <span class="p">{</span> <span class="n">kc</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">KubeController</span><span class="p">{</span><span class="n">clientset</span><span class="o">:</span> <span class="n">clientset</span><span class="p">}</span> <span class="c">// Clientset is passed in here — it flows down into every ListFunc/WatchFunc</span> <span class="n">kc</span><span class="o">.</span><span class="n">factory</span> <span class="o">=</span> <span class="n">informers</span><span class="o">.</span><span class="n">NewSharedInformerFactory</span><span class="p">(</span><span class="n">clientset</span><span class="p">,</span> <span class="n">defaultResync</span><span class="p">)</span> <span class="n">kc</span><span class="o">.</span><span class="n">podInformer</span> <span class="o">=</span> <span class="n">kc</span><span class="o">.</span><span class="n">factory</span><span class="o">.</span><span class="n">Core</span><span class="p">()</span><span class="o">.</span><span class="n">V1</span><span class="p">()</span><span class="o">.</span><span class="n">Pods</span><span class="p">()</span> <span class="n">kc</span><span class="o">.</span><span class="n">podsLister</span> <span class="o">=</span> <span class="n">kc</span><span class="o">.</span><span class="n">podInformer</span><span class="o">.</span><span class="n">Lister</span><span class="p">()</span> <span class="n">kc</span><span class="o">.</span><span class="n">podsSynced</span> <span class="o">=</span> <span class="n">kc</span><span class="o">.</span><span class="n">podInformer</span><span class="o">.</span><span class="n">Informer</span><span class="p">()</span><span class="o">.</span><span class="n">HasSynced</span> <span class="n">kc</span><span class="o">.</span><span class="n">deploymentInformer</span> <span class="o">=</span> <span class="n">kc</span><span class="o">.</span><span class="n">factory</span><span class="o">.</span><span class="n">Apps</span><span class="p">()</span><span class="o">.</span><span class="n">V1</span><span class="p">()</span><span class="o">.</span><span class="n">Deployments</span><span class="p">()</span> <span class="n">kc</span><span class="o">.</span><span class="n">deploymentsLister</span> <span class="o">=</span> <span class="n">kc</span><span class="o">.</span><span class="n">deploymentInformer</span><span class="o">.</span><span class="n">Lister</span><span class="p">()</span> <span class="n">kc</span><span class="o">.</span><span class="n">deploymentsSynced</span> <span class="o">=</span> <span class="n">kc</span><span class="o">.</span><span class="n">deploymentInformer</span><span class="o">.</span><span class="n">Informer</span><span class="p">()</span><span class="o">.</span><span class="n">HasSynced</span> <span class="k">return</span> <span class="n">kc</span> <span class="p">}</span> </code></pre> </div> <h2> 4. ListAndWatch: Phase 1 — Full List </h2> <p>The <code>ListAndWatch</code> method is the heart of Reflector. Phase 1 fetches the complete current state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">Reflector</span><span class="p">)</span> <span class="n">ListAndWatch</span><span class="p">(</span><span class="n">stopCh</span> <span class="o">&lt;-</span><span class="k">chan</span> <span class="k">struct</span><span class="p">{})</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">var</span> <span class="n">resourceVersion</span> <span class="kt">string</span> <span class="n">options</span> <span class="o">:=</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">{</span><span class="n">ResourceVersion</span><span class="o">:</span> <span class="n">r</span><span class="o">.</span><span class="n">relistResourceVersion</span><span class="p">()}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="k">func</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// ① Fetch all resources (with pagination support)</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="n">pager</span> <span class="o">:=</span> <span class="n">pager</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">pager</span><span class="o">.</span><span class="n">SimplePageFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">opts</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">)</span> <span class="p">(</span><span class="n">runtime</span><span class="o">.</span><span class="n">Object</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">r</span><span class="o">.</span><span class="n">listerWatcher</span><span class="o">.</span><span class="n">List</span><span class="p">(</span><span class="n">opts</span><span class="p">)</span> <span class="c">// → calls ListFunc → Clientset.CoreV1().Pods().List()</span> <span class="p">}))</span> <span class="n">list</span><span class="p">,</span> <span class="n">paginatedResult</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">pager</span><span class="o">.</span><span class="n">List</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">options</span><span class="p">)</span> <span class="c">// handle expired ResourceVersion: retry with fresh version</span> <span class="k">if</span> <span class="n">isExpiredError</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="o">||</span> <span class="n">isTooLargeResourceVersionError</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">{</span> <span class="n">list</span><span class="p">,</span> <span class="n">paginatedResult</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">pager</span><span class="o">.</span><span class="n">List</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">{</span><span class="n">ResourceVersion</span><span class="o">:</span> <span class="n">r</span><span class="o">.</span><span class="n">relistResourceVersion</span><span class="p">()})</span> <span class="p">}</span> <span class="nb">close</span><span class="p">(</span><span class="n">listCh</span><span class="p">)</span> <span class="p">}()</span> <span class="c">// wait for list to complete or stop signal</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">stopCh</span><span class="o">:</span> <span class="k">return</span> <span class="no">nil</span> <span class="k">case</span> <span class="n">r</span> <span class="o">:=</span> <span class="o">&lt;-</span><span class="n">panicCh</span><span class="o">:</span> <span class="nb">panic</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">listCh</span><span class="o">:</span> <span class="p">}</span> <span class="c">// ② Extract ResourceVersion from the list response</span> <span class="n">listMetaInterface</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">meta</span><span class="o">.</span><span class="n">ListAccessor</span><span class="p">(</span><span class="n">list</span><span class="p">)</span> <span class="n">resourceVersion</span> <span class="o">=</span> <span class="n">listMetaInterface</span><span class="o">.</span><span class="n">GetResourceVersion</span><span class="p">()</span> <span class="c">// ③ Convert list result into a slice of runtime.Object</span> <span class="n">items</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">meta</span><span class="o">.</span><span class="n">ExtractList</span><span class="p">(</span><span class="n">list</span><span class="p">)</span> <span class="c">// ④ Store all objects + ResourceVersion into DeltaFIFO</span> <span class="n">r</span><span class="o">.</span><span class="n">syncWith</span><span class="p">(</span><span class="n">items</span><span class="p">,</span> <span class="n">resourceVersion</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// ⑤ Record the latest ResourceVersion — Watch will resume from here</span> <span class="n">r</span><span class="o">.</span><span class="n">setLastSyncResourceVersion</span><span class="p">(</span><span class="n">resourceVersion</span><span class="p">)</span> <span class="o">...</span> <span class="p">}</span> </code></pre> </div> <p><strong>Phase 1 call chain:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ListAndWatch() │ ├── ① r.listerWatcher.List() → fetch all objects from API Server ├── ② listMetaInterface.GetResourceVersion() → extract version stamp ├── ③ meta.ExtractList() → convert to []runtime.Object ├── ④ r.syncWith() → write all objects into DeltaFIFO └── ⑤ r.setLastSyncResourceVersion() → save version for Watch resume point </code></pre> </div> <h2> 5. ListAndWatch: Phase 2 — Continuous Watch </h2> <p>After the full List completes, Reflector enters an infinite loop watching for incremental changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// Periodic resync goroutine (if resyncPeriod &gt; 0)</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="p">{</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">resyncCh</span><span class="o">:</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">ShouldResync</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="n">r</span><span class="o">.</span><span class="n">ShouldResync</span><span class="p">()</span> <span class="p">{</span> <span class="n">r</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">Resync</span><span class="p">()</span> <span class="c">// force re-sync of Indexer from DeltaFIFO</span> <span class="p">}</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">stopCh</span><span class="o">:</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}()</span> <span class="c">// Main Watch loop</span> <span class="k">for</span> <span class="p">{</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">stopCh</span><span class="o">:</span> <span class="k">return</span> <span class="no">nil</span> <span class="k">default</span><span class="o">:</span> <span class="p">}</span> <span class="c">// Add randomized timeout to prevent thundering herd on reconnect</span> <span class="n">timeoutSeconds</span> <span class="o">:=</span> <span class="kt">int64</span><span class="p">(</span><span class="n">minWatchTimeout</span><span class="o">.</span><span class="n">Seconds</span><span class="p">()</span> <span class="o">*</span> <span class="p">(</span><span class="n">rand</span><span class="o">.</span><span class="n">Float64</span><span class="p">()</span> <span class="o">+</span> <span class="m">1.0</span><span class="p">))</span> <span class="n">options</span> <span class="o">=</span> <span class="n">metav1</span><span class="o">.</span><span class="n">ListOptions</span><span class="p">{</span> <span class="n">ResourceVersion</span><span class="o">:</span> <span class="n">resourceVersion</span><span class="p">,</span> <span class="c">// resume from last known version</span> <span class="n">TimeoutSeconds</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">timeoutSeconds</span><span class="p">,</span> <span class="n">AllowWatchBookmarks</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">}</span> <span class="c">// ① Open a long-lived Watch connection to the API Server</span> <span class="n">w</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">listerWatcher</span><span class="o">.</span><span class="n">Watch</span><span class="p">(</span><span class="n">options</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">if</span> <span class="n">utilnet</span><span class="o">.</span><span class="n">IsConnectionRefused</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">{</span> <span class="o">&lt;-</span><span class="n">r</span><span class="o">.</span><span class="n">initConnBackoffManager</span><span class="o">.</span><span class="n">Backoff</span><span class="p">()</span><span class="o">.</span><span class="n">C</span><span class="p">()</span> <span class="c">// backoff and retry</span> <span class="k">continue</span> <span class="p">}</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// ② Process incoming events: write to DeltaFIFO + update ResourceVersion</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">watchHandler</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">w</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">resourceVersion</span><span class="p">,</span> <span class="n">resyncerrc</span><span class="p">,</span> <span class="n">stopCh</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">if</span> <span class="o">!</span><span class="n">isExpiredError</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">{</span> <span class="c">// log unexpected errors</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Phase 2 call chain:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ListAndWatch() — Watch loop │ ├── ① r.listerWatcher.Watch() → open HTTP long-poll to API Server │ (passes ResourceVersion to resume from) └── ② r.watchHandler() → for each incoming event: write object to DeltaFIFO update lastSyncResourceVersion </code></pre> </div> <h2> 6. ResourceVersion: The Key to Reliable Watch </h2> <p><code>ResourceVersion</code> is a monotonically increasing version stamp that etcd assigns to every resource object. It's the mechanism that makes Watch reliable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>List response: ResourceVersion = "1000" (all objects as of version 1000) │ ▼ Watch request: ResourceVersion = "1000" (give me all events AFTER version 1000) │ ▼ API Server streams: - Pod "nginx" Updated (RV=1001) - Pod "redis" Deleted (RV=1002) - ... If Watch connection drops: │ ▼ Reflector reconnects with: ResourceVersion = "1002" (resumes exactly where it left off — no events missed, no duplicates) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>ResourceVersion behavior</th> </tr> </thead> <tbody> <tr> <td>Fresh start</td> <td> <code>""</code> or <code>"0"</code> — get latest snapshot</td> </tr> <tr> <td>After List</td> <td>Set to the version returned by List response</td> </tr> <tr> <td>After each Watch event</td> <td>Updated to the event's ResourceVersion</td> </tr> <tr> <td>Watch reconnect</td> <td>Resumes from <code>lastSyncResourceVersion</code> </td> </tr> <tr> <td>Expired version (too old)</td> <td>Triggers a fresh List from scratch</td> </tr> </tbody> </table></div> <h2> 7. Under the Hood: How Watch Works (HTTP Chunked Transfer) </h2> <p>The Watch connection is not a WebSocket or gRPC stream — it's a plain <strong>HTTP/1.1 long-lived connection</strong> using <strong>Chunked Transfer Encoding</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client (Reflector) API Server │ │ │ GET /api/v1/pods?watch=true │ │ ResourceVersion=1000 │ │ ──────────────────────────────────► │ │ │ │ HTTP/1.1 200 OK │ │ Transfer-Encoding: chunked │ │ ◄────────────────────────────────── │ │ │ │ chunk: {"type":"ADDED","object":…} │ │ ◄────────────────────────────────── │ │ │ │ chunk: {"type":"MODIFIED","object":…} │ ◄────────────────────────────────── │ │ │ │ (connection stays open…) │ │ (new chunks arrive as events occur)│ </code></pre> </div> <p><strong>Why Chunked Transfer Encoding?</strong></p> <p>In standard HTTP, the <code>Content-Length</code> header tells the client how many bytes to expect. But for a Watch stream, the server doesn't know in advance how many events will occur — the stream is open-ended.</p> <p>Chunked Transfer Encoding solves this:</p> <ul> <li>The response body is split into <strong>variable-size chunks</strong> </li> <li>Each chunk is prefixed with its size in hex</li> <li>The server sends chunks as events arrive — no pre-declared content length needed</li> <li>A zero-length chunk signals the end of the stream </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Transfer-Encoding</span><span class="p">:</span> <span class="s">chunked</span> 1a\r\n ← chunk size (hex) {"type":"ADDED","object":…}\r\n ← chunk data \r\n 2f\r\n {"type":"MODIFIED","object":…}\r\n \r\n 0\r\n ← end of stream \r\n </code></pre> </div> <blockquote> <p>This is only available in <strong>HTTP/1.1</strong> and later. It's what makes Kubernetes Watch efficient — a single persistent connection replaces thousands of polling requests.</p> </blockquote> <h2> 8. Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Reflector.Run() │ └── ListAndWatch() │ ├── Phase 1: LIST │ ├── listerWatcher.List() → full snapshot from API Server │ ├── GetResourceVersion() → stamp the snapshot version │ ├── meta.ExtractList() → parse into objects │ └── syncWith() → DeltaFIFO → seed the local cache │ └── Phase 2: WATCH (infinite loop) ├── listerWatcher.Watch(RV) → HTTP chunked long-poll ├── watchHandler() → DeltaFIFO → stream events to queue └── on disconnect: backoff + retry on expired RV: re-List from scratch </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>ListerWatcher</strong></td> <td>Interface injected per resource type; backed by Clientset API calls</td> </tr> <tr> <td><strong>ResourceVersion</strong></td> <td>etcd version stamp; enables Watch to resume without missing events</td> </tr> <tr> <td><strong>DeltaFIFO</strong></td> <td>The downstream queue; Reflector is its sole producer</td> </tr> <tr> <td><strong>Chunked Transfer</strong></td> <td>HTTP/1.1 mechanism that keeps the Watch connection open indefinitely</td> </tr> <tr> <td><strong>Backoff</strong></td> <td>Exponential retry when Watch connection drops or API Server is unavailable</td> </tr> </tbody> </table></div> <p>Reflector is the bridge between the Kubernetes API Server and the local Informer cache. Once you understand its List → syncWith → Watch → watchHandler pipeline, the reliability guarantees of the entire Informer framework become clear.</p> <p><em>Next in this series: DeltaFIFO: The Event Queue Behind Informer (Part 3)</em></p> <p><em>Follow the series for more deep dives into Kubernetes development.</em></p> <p>📦 Source Code: <a href="https://github.com/muzinan123/operator" rel="noopener noreferrer">github.com/muzinan123/operator</a></p> architecture go kubernetes tutorial