
Control Plane Architecture

Detailed architecture and component interactions of the Control Plane

Architecture Overview

Modular design

The Control Plane follows a modular architecture with specialized components that work together to provide a complete platform for API management and workload orchestration. This approach enables extensibility, maintainability, and scalability.

The Control Plane architecture is built on cloud-native principles, using Kubernetes as its foundation and extending it with custom controllers and resources to create a comprehensive platform for managing APIs and workloads.

Component Architecture

The diagram below illustrates how the different components of the Control Plane interact with each other and with external systems:

[Figure: Component Architecture]

The Control Plane consists of operators, API servers, and libraries that interact with Kubernetes and external infrastructure components:

[Figure: Architecture Diagram]

Architectural Layers

The Control Plane architecture is organized into several logical layers:

API Layer

REST APIs

RESTful interfaces that expose Control Plane functionality to clients, allowing them to create, read, update, and delete resources.

Authentication & Authorization

Security mechanisms that ensure only authorized users and services can access Control Plane resources.

Controller Layer

Operators

Custom controllers that implement domain-specific logic for managing Control Plane resources.

Reconciliation Loops

Continuous processes that ensure the actual state of resources matches the desired state.

Resource Layer

Custom Resources

Domain-specific resources defined by Custom Resource Definitions (CRDs) that represent Control Plane concepts.

Resource Relationships

Connections between resources that define their hierarchy and interactions.

Storage Layer

etcd

Distributed key-value store used by Kubernetes to store all cluster data, including Control Plane custom resources.

Object Storage

S3-compatible storage used for storing files and other binary data that doesn't fit well in etcd.

Data Flow Architecture

Data Flow

Understanding the data flow between components helps in troubleshooting and optimizing the Control Plane.

The following diagram illustrates the data flow between major components of the Control Plane:

Security Architecture

Security is a fundamental aspect of the Control Plane architecture, implemented at multiple levels:

Authentication

Uses OAuth 2.0 for secure authentication of users and services. Integrates with identity providers like Keycloak.

Authorization

Role-Based Access Control (RBAC) determines what actions users and services can perform on resources.

Network Security

Network Policies restrict communication between components, ensuring that only authorized traffic is allowed.

TLS Encryption

All communication between components is encrypted using TLS certificates managed by cert-manager.
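As an added example that is not part of this page or the project's own manifests, the following Kubernetes resources show how the network, authorization and TLS layers described above are typically expressed: a default-deny NetworkPolicy for the Control Plane namespace with one explicit allow rule, a namespaced Role limited to a single custom resource, and a cert-manager Certificate for a component's serving certificate. The namespace, pod labels, CRD group and Issuer name are placeholders assumed for illustration.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: control-plane        # placeholder namespace
spec:
  podSelector: {}                 # selects every pod in the namespace
  policyTypes: [Ingress]          # no ingress rules listed: all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apiserver-to-operator
  namespace: control-plane
spec:
  podSelector:
    matchLabels:
      app: cp-operator            # placeholder label for the operator pods
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: cp-apiserver   # placeholder label for the API server pods
      ports:
        - protocol: TCP
          port: 8443              # TLS port only; no plaintext port is opened
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-editor
  namespace: control-plane
rules:
  - apiGroups: ["example.controlplane.io"]   # placeholder CRD API group
    resources: ["workloads"]                 # placeholder custom resource
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cp-operator-tls
  namespace: control-plane
spec:
  secretName: cp-operator-tls     # Secret the operator mounts for its TLS listener
  dnsNames: ["cp-operator.control-plane.svc"]
  issuerRef:
    name: cp-internal-ca          # placeholder cert-manager Issuer
    kind: Issuer
```

NetworkPolicies are allow-lists that take effect only when the cluster's CNI enforces them, so verifying enforcement is part of the check; egress can be restricted the same way, in which case matching egress rules for DNS and for each peer component must be added.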

High Availability Architecture

For production deployments, the Control Plane supports a high availability configuration:

Key aspects of the high availability design:

  1. Multi-Zone Deployment: Components are deployed across multiple availability zones
  2. Stateless Design: Core components are stateless, storing all state in Kubernetes resources
  3. Redundant Components: Multiple replicas of each component ensure continued operation if some fail
  4. Load Balancing: Distributes requests across available replicas

Scalability Architecture

The Control Plane is designed for horizontal scalability:

Component Scaling

Individual components can be scaled independently based on load and performance requirements.

Resource Efficiency

Components are designed to use resources efficiently, with configurable resource requests and limits.

Stateless Design

Stateless components can be scaled out without coordination, simplifying scaling operations.

Controlled Dependencies

Minimal dependencies between components reduce the coordination required during scaling events.

Integration Architecture

The Control Plane integrates with various external systems:

Integration

The Control Plane provides standardized integration points for connecting with external systems and services.

API Gateway Integration

Integration with Kong Gateway for API management, routing, and policy enforcement.

Identity Provider Integration

Integration with Keycloak for authentication, authorization, and identity management.

Monitoring Integration

Integration with Prometheus for metrics collection and monitoring.

Logging Integration

Integration with logging systems for centralized log collection and analysis.

Deployment Architecture

The Control Plane can be deployed in various configurations:

Single Cluster

All components deployed in a single Kubernetes cluster, suitable for development and small-scale deployments.

Multi-Cluster

Components distributed across multiple Kubernetes clusters for improved isolation and scalability.

Hybrid Cloud

Components deployed across both on-premises and cloud environments, leveraging the strengths of each.

  • Components: Detailed information about Control Plane components
  • Operators: Specialized controllers that manage Control Plane resources
  • Infrastructure: Infrastructure components required by the Control Plane