English Vocabulary for Kubernetes Operators
Master the language of Kubernetes operators: CRD, reconciliation loop, admission webhook, custom controller — with definitions and real-world usage examples.
Kubernetes operators extend the platform’s native capabilities by encoding operational knowledge directly into the cluster. Working with operators — whether building them, reviewing them, or discussing them in architecture meetings — requires a precise vocabulary. This guide covers the core terms you’ll encounter and explains how to use them naturally in technical English.
Core Operator Concepts
Custom Resource Definition (CRD)
A Custom Resource Definition (CRD) is a Kubernetes API extension that lets you define your own resource types. Once a CRD is registered, the Kubernetes API treats instances of that resource just like built-in objects such as Pods or Services.
“We defined a CRD called DatabaseCluster so that teams can request managed Postgres instances using standard kubectl commands.”
“Before deploying the operator, make sure the CRD is installed — otherwise the controller won’t have a type to watch.”
Custom Resource (CR)
A custom resource is an instance of a type defined by a CRD. It is the object that users create to express their desired state.
“The team created a custom resource specifying a three-node Redis cluster. The operator detected the new CR and started provisioning.”
Operator
In Kubernetes, an operator is a software extension that uses custom resources to manage applications and their components. The term was coined by CoreOS in 2016.
“We wrote an operator to handle backup scheduling, failover, and version upgrades for our Kafka clusters automatically.”
The Reconciliation Pattern
Reconciliation Loop
The reconciliation loop (also called the control loop) is the core mechanism of a Kubernetes operator. The controller watches for changes to resources, compares the desired state (the spec) with the actual state (the status), and takes action to bring them into alignment.
“The reconciliation loop detected that the replica count in the spec was three, but only two pods were running, so it created a third.”
“Our controller’s reconciliation loop runs every thirty seconds and also triggers on any change to the watched resource.”
Desired State vs Actual State
These two concepts underpin all of Kubernetes:
- Desired state — what you declare in your resource spec
- Actual state — what is currently running in the cluster
“The reconciler’s job is to close the gap between desired state and actual state. If they match, it does nothing.”
Idempotency
A reconciliation loop must be idempotent — running it multiple times with the same input must produce the same result without unintended side effects.
“We had a bug where the reconciler created a duplicate ConfigMap on every loop. The fix was to check for existence before creating — making the operation idempotent.”
Controller Internals
Custom Controller
A custom controller is the Go (or other language) component that implements the reconciliation logic. It watches the Kubernetes API for changes and reacts accordingly.
“The custom controller listens on an informer cache and enqueues work items whenever a watched resource changes.”
Informer and Watch
An informer is a cached, event-driven mechanism for observing resource changes without polling the API server directly.
“We use an informer to watch for changes to our CRD and to related ConfigMaps, so the controller only runs when something relevant changes.”
Finalizer
A finalizer is a field on a resource that prevents it from being deleted until the controller has completed cleanup tasks.
“We added a finalizer so that when a user deletes a DatabaseCluster, the operator first takes a final backup before allowing Kubernetes to remove the object.”
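The idempotency fix and the finalizer flow described above, modelled against an in-memory cluster. This is an added example, not code from this guide or from any operator project; `Resource`, `Cluster`, `Reconcile`, the `Deleting` flag (standing in for a set deletion timestamp) and the finalizer name are assumptions made for illustration.

```go
package main

import "fmt"

const finalizer = "example.com/final-backup" // hypothetical finalizer name
// Constructed in-memory stand-ins for a DatabaseCluster object and cluster state.
type Resource struct {
	Name       string
	Finalizers []string
	Deleting   bool // models a set metadata.deletionTimestamp
}
type Cluster struct{ ConfigMaps, Backups []string }

func indexOf(list []string, s string) int {
	for i, v := range list {
		if v == s {
			return i
		}
	}
	return -1
}

// Reconcile returns the actions taken; each step checks actual state first.
func Reconcile(c *Cluster, r *Resource) (did []string) {
	i := indexOf(r.Finalizers, finalizer)
	if r.Deleting {
		if i >= 0 { // clean up once, then release the object for deletion
			c.Backups = append(c.Backups, r.Name+"-final")
			r.Finalizers = append(r.Finalizers[:i], r.Finalizers[i+1:]...)
			did = append(did, "final backup", "remove finalizer")
		}
		return did
	}
	if i < 0 { // register the finalizer before creating anything that needs cleanup
		r.Finalizers = append(r.Finalizers, finalizer)
		did = append(did, "add finalizer")
	}
	if cm := r.Name + "-config"; indexOf(c.ConfigMaps, cm) < 0 { // check before create
		c.ConfigMaps = append(c.ConfigMaps, cm)
		did = append(did, "create configmap "+cm)
	}
	return did
}

func main() {
	c, r := &Cluster{}, &Resource{Name: "db"}
	fmt.Println(Reconcile(c, r), Reconcile(c, r)) // the second call takes no action
	r.Deleting = true
	fmt.Println(Reconcile(c, r), Reconcile(c, r)) // the final backup is taken exactly once
}
```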
Admission Webhooks
Admission Webhook
An admission webhook is an HTTP callback that the Kubernetes API server calls before persisting a resource. There are two types:
- Validating admission webhook — inspects a request and accepts or rejects it
- Mutating admission webhook — can modify the object before it is stored
“Our mutating webhook automatically injects a sidecar container into every Pod that requests the observability: enabled annotation.”
“The validating webhook rejects any Deployment that doesn’t set CPU and memory limits — enforcing our resource policy across all namespaces.”
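The resource-limit policy from the last example sentence, written as the decision function a validating webhook would run on each AdmissionReview request. This is an added example, not code from this guide or from any operator project; it uses only the Go standard library, and the type names, `Review` and the sample request are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the admission.k8s.io/v1 AdmissionReview wire format that this policy uses.
type container struct {
	Name      string
	Resources struct{ Limits map[string]string }
}
type review struct {
	Request *struct {
		UID    string
		Object struct{ Spec struct{ Template struct{ Spec struct{ Containers []container } } } }
	}
}
type status struct{ Message string `json:"message"` }
type response struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

// Review fails closed: unparseable input or an object without containers is denied.
func Review(body []byte) response {
	var in review
	if json.Unmarshal(body, &in) != nil || in.Request == nil {
		return response{Status: &status{Message: "malformed AdmissionReview"}}
	}
	cs := in.Request.Object.Spec.Template.Spec.Containers
	out := response{UID: in.Request.UID, Allowed: len(cs) > 0} // echo the request UID
	for _, c := range cs {
		if l := c.Resources.Limits; l["cpu"] == "" || l["memory"] == "" {
			msg := fmt.Sprintf("container %q must set cpu and memory limits", c.Name)
			out.Allowed, out.Status = false, &status{Message: msg}
			break
		}
	}
	return out
}

// Constructed sample request: the container sets a cpu limit but no memory limit.
const sample = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u-1","object":{"spec":{"template":{"spec":{"containers":[{"name":"web","resources":{"limits":{"cpu":"500m"}}}]}}}}}}`

func main() {
	b, _ := json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": Review([]byte(sample))})
	fmt.Println(string(b))
}
```

Failing closed in code covers only requests that reach the webhook; whether a request is admitted when the webhook is unreachable is decided by `failurePolicy` in the webhook configuration.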
Webhook Certificate Management
Admission webhooks require TLS certificates. In practice, teams use cert-manager to automate this.
“We used cert-manager to provision and rotate the TLS certificate for our admission webhook, so we don’t have to manage certificate expiry manually.”
Operator Maturity and Patterns
Operator Maturity Model
The Operator Maturity Model describes five levels of operator capability, from basic installation through full automation:
- Basic Install — automated application provisioning
- Seamless Upgrades — managed upgrade and rollback
- Full Lifecycle — backup, recovery, scaling
- Deep Insights — metrics, dashboards, alerting
- Auto Pilot — automatic scaling and tuning
“Our database operator is at Level 3 — it handles backup and restore automatically, but we haven’t implemented auto-tuning yet.”
Owner References
Owner references create a parent-child relationship between resources. When the parent is deleted, Kubernetes garbage-collects the children automatically.
“The operator sets owner references on the ConfigMaps and Services it creates, so they’re cleaned up automatically when the parent CRD instance is deleted.”
Practical Phrases for Operator Work
- “The reconciler detected drift between the desired and actual state and is re-converging.”
- “We need to add a finalizer to ensure clean-up runs before the object is removed from etcd.”
- “The admission webhook is rejecting requests that don’t include the required labels.”
- “Our CRD schema uses OpenAPI validation to reject invalid field values at admission time.”
- “The operator is idempotent — you can re-run reconciliation safely without side effects.”
Operators are one of the most powerful patterns in the Kubernetes ecosystem. Using this vocabulary precisely will help you write clearer design documents, contribute more effectively to operator codebases, and participate confidently in cloud-native architecture discussions.