Skip to content

Week 12 - Operator Patterns: Finalizers, External Resources, Multi-Cluster

12.1 Conceptual Core

  • The "operator" pattern: a controller that encapsulates operational knowledge for a specific application. Examples: Postgres operator (provisions DBs, handles backups, failover), Cert-Manager (ACME-driven cert lifecycle), Prometheus operator (manages Prometheus + Alertmanager + ServiceMonitor stack).
  • An operator is a controller plus one or more CRDs representing the application's domain concepts.
  • Production operators handle: leader election, finalizers, status conditions, observability, RBAC, upgrades, multi-tenant isolation, external-system reconciliation, retries with backoff.

12.2 Mechanical Detail

  • External resources (cloud APIs, SaaS): the controller's reconcile loop calls outward. Idempotency is essential-assume your reconcile may run multiple times before the external API confirms.
  • Crossplane (week 19) generalizes this: every external resource is itself a Kubernetes object backed by a controller that talks to the cloud. You compose them.
  • Cluster-scoped vs namespace-scoped operators: namespace-scoped is safer (lower blast radius) but limits multi-tenant operator deployment.
  • Operator SDK vs Kubebuilder: largely converged today; pick whichever your team prefers. The patterns are identical.

12.3 Lab-"An Operator That Manages an External Resource"

Build an operator with a GitHubRepo CRD: spec includes a repo name and visibility; the controller calls the GitHub API to create/update/delete the repo to match. Includes: - Authentication via a Secret referenced by the CR. - Finalizers for cleanup. - Status conditions: Ready, Synced, Error with reasons. - Rate-limited reconciles with exponential backoff. - E2E test using a fake GitHub API server.

12.4 Hardening Drill

  • Define an OPA/Kyverno policy: every GitHubRepo must reference a Secret in the same namespace; cross-namespace references denied. Tests for the policy.

12.5 Operations Slice

  • Add tracing to the reconcile path; export traces via OTel. The operator's hop into GitHub appears as an external span-useful for diagnosing outages.

Month 3 Capstone Deliverable

A controllers-and-operators/ workspace: 1. mirror-controller-clientgo/ (week 9). 2. mirror-controller-cr/ (week 10). 3. versioned-crd/ (week 11). 4. github-repo-operator/ (week 12).

Comments