CustomResourceDefinition (CRD) is a Kubernetes API extension mechanism that lets teams define new resource types and APIs inside a cluster. Analogy: CRD is like adding a new appliance to a smart-home platform that the controller can manage. Formal: CRD registers custom API kinds with the Kubernetes API server and enables controllers to reconcile them.<\/p>\n\n\n\n
CustomResourceDefinition (CRD) is a Kubernetes-native way to extend the API by declaring a new resource kind. It is not a controller or operator by itself; it is a schema + API registration. A CRD provides declarative schema, versioning, validation, and OpenAPI metadata; controllers or operators implement behavior for those resources.<\/p>\n\n\n\n
Key properties and constraints:<\/p>\n\n\n\n
Where it fits in modern cloud\/SRE workflows:<\/p>\n\n\n\n
Text-only diagram description:<\/p>\n\n\n\n
CRD defines a new Kubernetes API resource type and schema so controllers can implement custom behavior and platform primitives.<\/p>\n\n\n\n
ID | Term | How it differs from CustomResourceDefinition CRD | Common confusion\nT1 | Kubernetes API Server | Server hosts CRD but is not the CRD itself | Confused as controller\nT2 | Custom Resource | Instance of CRD not the CRD definition | Treated as definition by mistake\nT3 | Operator | Implements logic for CRs not the schema provider | Called CRD interchangeably\nT4 | Admission Webhook | Enforces policy not defining new kind | Thought to enable kind creation\nT5 | APIAggregation | Extends API via proxy not via CRD | Mixed up with CRD-based extension\nT6 | apiextensions.k8s.io | API group hosting CRD resources not CRDs values | Assumed equivalent to CRs\nT7 | CRD Conversion | Mechanism for versions not controller logic | Confused with controller migration\nT8 | CustomResourceValidation | Schema validation in CRD not runtime checks | Mistaken as full validation\nT9 | CR Status Subresource | Stores status not spec and not required | Mistaken as mandatory\nT10 | etcd | Stores serialized CRs not the API semantics | Treated as a CRD component<\/p>\n\n\n\n
Business impact:<\/p>\n\n\n\n
Engineering impact:<\/p>\n\n\n\n
SRE framing:<\/p>\n\n\n\n
What breaks in production \u2014 realistic examples:<\/p>\n\n\n\n
ID | Layer\/Area | How CustomResourceDefinition CRD appears | Typical telemetry | Common tools\nL1 | Edge | CRDs model edge workloads and configs | Creation rate and reconcile latency | K8s controllers and metrics\nL2 | Network | CRDs define network policies and virtual appliances | Policy apply lag and drop rates | CNI integrations and controllers\nL3 | Service | CRDs represent service-level features like canaries | Deployment success and error rate | Service mesh controllers\nL4 | Application | CRDs model app config objects | Spec vs status drift and update rate | GitOps and operators\nL5 | Data | CRDs manage backups and DB lifecycle | Snapshot success and storage usage | Statefulset operators\nL6 | IaaS | CRDs map to infra resources via controllers | Provision success and cost metrics | Cloud controllers\nL7 | PaaS | CRDs expose platform services as APIs | Provision latency and quota usage | Platform operators\nL8 | SaaS | CRDs model SaaS connectors and secrets | Connector health and API errors | Integration controllers\nL9 | Kubernetes | Native extension point for APIs | API request count and etcd size | kubectl kubebuilder apiextensions\nL10 | Serverless | CRDs model functions and triggers | Invocation latency and cold starts | Function controllers and autoscalers\nL11 | CI\/CD | CRDs store pipeline definitions or runs | Pipeline success rate and duration | GitOps and CI controllers\nL12 | Observability | CRDs configure collection and alerting rules | Metric ingest and alert firing | Monitoring operators\nL13 | Security | CRDs represent policies and scans | Violation counts and audit events | Policy engines and webhooks<\/p>\n\n\n\n
When it\u2019s necessary:<\/p>\n\n\n\n
When it\u2019s optional:<\/p>\n\n\n\n
When NOT to use \/ overuse:<\/p>\n\n\n\n
Decision checklist:<\/p>\n\n\n\n
Maturity ladder:<\/p>\n\n\n\n
Components and workflow:<\/p>\n\n\n\n
Data flow and lifecycle:<\/p>\n\n\n\n
Edge cases and failure modes:<\/p>\n\n\n\n
ID | Failure mode | Symptom | Likely cause | Mitigation | Observability signal\nF1 | Controller crashloop | Reconcile fails repeatedly | Bug or resource starvation | Restart policy and backoff and fix bug | CrashloopCount metric\nF2 | Finalizer stuck | CR cannot be deleted | Controller absence or error | Add cleanup controller and timeout | DeletionPending events\nF3 | Schema rejection | CR creations rejected | Schema mismatch | Update schema or conversion | apiServer validation error\nF4 | Conversion failure | Old version unreadable | Broken conversion webhook | Fix webhook and enable fallback | ConversionError logs\nF5 | Etcd pressure | API slow or timeouts | High cardinality CRs | Shard data or use external store | apiserver latency and etcd metrics\nF6 | RBAC misconfig | Unauthorized access errors | Wrong RBAC for controller | Correct roles and bindings | auth denied events\nF7 | Admission webhook block | All CR ops blocked | Misconfigured webhook | Disable or fix webhook | webhook error count\nF8 | Memory growth | API server OOM or high MEM | Many open watches | Reduce watch cardinality | apiserver memory metric\nF9 | Event storms | High API QPS | Unbounded reconcile loops | Add rate limiting and dedupe | API request rate<\/p>\n\n\n\n
Create a glossary of 40+ terms:\nTerm \u2014 1\u20132 line definition \u2014 why it matters \u2014 common pitfall<\/p>\n\n\n\n
ID | Metric\/SLI | What it tells you | How to measure | Starting target | Gotchas\nM1 | API availability | CRD endpoints reachable | Synthetic requests to list CRs | 99.9% monthly | Intermittent auth failures\nM2 | Reconcile success rate | Controller completes intents | Count successful reconciles \/ total | 99% daily | Partial success semantics\nM3 | Reconcile latency | Time from event to desired state | Histogram of reconcile durations | p95 < 5s for small workloads | Large ops skew p95\nM4 | CR creation failure rate | CRs rejected by API | Rejected creates \/ total creates | <1% | Validation schema false positives\nM5 | Finalizer backlog | CRs pending deletion | Count CRs with finalizers and deletionTimestamp | 0 ideally | Controller downtime causes backlog\nM6 | Controller restarts | Health of controller process | Pod restart count | <1 per month | Crashloops hidden by pod restarts\nM7 | apiserver request latency | API responsiveness | p95 p99 latency from api server metrics | p95 < 200ms | Etcd pressure skews numbers\nM8 | Etcd storage usage | Storage consumed by CRs | Etcd metrics filtered by prefix | Keep growth steady | High-cardinality CRs inflate usage\nM9 | Watch count per controller | Scale impact of watchers | Count of open watches | Keep minimal | Informer design increases watches\nM10 | Admission webhook errors | Webhook availability and errors | Error rate in webhook logs | 0% errors | Certificate issues cause failures\nM11 | Unauthorized access attempts | RBAC violations | Audit log events count | Investigate every attempt | Noisy false positives\nM12 | Drift events | Spec vs actual mismatch | Count of corrective reconciles | Low rate | Noisy self-healing can hide bugs\nM13 | API request rate | Load on api server | Requests per second for CR endpoints | Observe baseline | Spikes from automation\nM14 | Forbidden changes rate | Attempts to change immutable fields | Error events count | 0% | UX causing retries\nM15 | Status update latency | How quickly status reflects reality | Time between action and status change | p95 < 10s | Controller batching delays<\/p>\n\n\n\n
Executive dashboard:<\/p>\n\n\n\n
On-call dashboard:<\/p>\n\n\n\n
Debug dashboard:<\/p>\n\n\n\n
Alerting guidance:<\/p>\n\n\n\n
1) Prerequisites:\n– Kubernetes cluster with API access and RBAC controls.\n– CI\/CD pipeline for CRD and controller artifacts.\n– Observability stack: metrics, logs, traces.\n– Backup solution for CRDs and CRs.<\/p>\n\n\n\n
2) Instrumentation plan:\n– Export controller metrics: reconciliation counts, errors, latency.\n– Add structured logging with request IDs and CR identifiers.\n– Emit events to K8s events and record traces for reconciliation.<\/p>\n\n\n\n
3) Data collection:\n– Scrape apiserver and controller metrics.\n– Centralize logs and traces.\n– Collect etcd storage and compaction metrics.<\/p>\n\n\n\n
4) SLO design:\n– Define SLOs for CR API availability and reconcile success.\n– Set realistic error budgets and alert thresholds.<\/p>\n\n\n\n
5) Dashboards:\n– Build dashboards for exec, on-call, and debug as described earlier.<\/p>\n\n\n\n
6) Alerts & routing:\n– Implement alert rules in Prometheus and route to Alertmanager.\n– Configure escalation policies and runbooks.<\/p>\n\n\n\n
7) Runbooks & automation:\n– Create runbooks for controller restart, schema rollback, webhook disable.\n– Automate common remediation like scaling controllers and cert rotation.<\/p>\n\n\n\n
8) Validation (load\/chaos\/game days):\n– Run load tests for CR creation rates and watch counts.\n– Chaostest controllers to ensure finalizer cleanup.\n– Game days for admission webhook failure scenarios.<\/p>\n\n\n\n
9) Continuous improvement:\n– Review incidents monthly.\n– Update schema and conversion plans based on observed usage.\n– Automate migration paths and client library generation.<\/p>\n\n\n\n
Pre-production checklist:<\/p>\n\n\n\n
Production readiness checklist:<\/p>\n\n\n\n
Incident checklist specific to CustomResourceDefinition CRD:<\/p>\n\n\n\n
Provide 8\u201312 use cases:<\/p>\n\n\n\n
1) Self-service database provisioning\n– Context: Teams need databases provisioned on demand.\n– Problem: Manual tickets slow down delivery.\n– Why CRD helps: CRDs model databases as resources that a controller provisions and manages.\n– What to measure: Provision success rate, time-to-ready, cost per instance.\n– Typical tools: Database operator, Prometheus, GitOps.<\/p>\n\n\n\n
2) Canary release controller\n– Context: Releasing features incrementally across services.\n– Problem: Manual traffic shifting error-prone.\n– Why CRD helps: CRD defines canary objects, controller orchestrates traffic splits.\n– What to measure: Error rate during canary, rollback time, reconciliation latency.\n– Typical tools: Service mesh controller, CRD operator, observability.<\/p>\n\n\n\n
3) Backup and restore for stateful apps\n– Context: Need scheduled backups for StatefulSets.\n– Problem: Ad-hoc backups inconsistent.\n– Why CRD helps: CRD expresses backup schedules and retention; operator runs snapshots.\n– What to measure: Snapshot success rate, restore success time, backup storage consumed.\n– Typical tools: Velero-like operator, object storage, metrics.<\/p>\n\n\n\n
4) Multi-tenant platform APIs\n– Context: Platform exposes managed services to tenants.\n– Problem: Enforce isolation and quotas.\n– Why CRD helps: CRDs model tenant resources and quotas; controllers enforce limits.\n– What to measure: Quota usage, isolation violations, request latency.\n– Typical tools: Quota controllers, RBAC, policy engines.<\/p>\n\n\n\n
5) Network policy orchestration\n– Context: Complex network policies across teams.\n– Problem: Inconsistent security posture.\n– Why CRD helps: CRDs express higher-level intent and controllers generate concrete network policies.\n– What to measure: Policy apply latency, dropped packet rate, policy drift.\n– Typical tools: CNI controllers, policy CRDs.<\/p>\n\n\n\n
6) SaaS connector lifecycle\n– Context: Integrating external SaaS services into platform.\n– Problem: Credential rotation and provisioning complexity.\n– Why CRD helps: CRD models connectors; controllers manage provisioning and secrets.\n– What to measure: Connector health, auth failures, rotation success.\n– Typical tools: Integration operator, secret manager.<\/p>\n\n\n\n
7) Autoscaling policies beyond HPA\n– Context: Custom metrics or complex scaling rules.\n– Problem: HPA limitations for custom logic.\n– Why CRD helps: CRD defines scaling policies and custom controller executes them.\n– What to measure: Scaling event success rate, CPU\/latency improvements.\n– Typical tools: Custom autoscaler controller, metrics pipeline.<\/p>\n\n\n\n
8) Data pipeline orchestration\n– Context: Complex ETL pipelines with dependencies.\n– Problem: Manual orchestration and retries.\n– Why CRD helps: CRD models pipeline phases and controller orchestrates jobs.\n– What to measure: Pipeline success rate, time to complete, reprocessing counts.\n– Typical tools: Workflow operator, job controller.<\/p>\n\n\n\n
9) Certificate lifecycle management\n– Context: TLS cert issuance and rotation.\n– Problem: Manual cert PRs and expiries.\n– Why CRD helps: CRD requests and operator renews certs, stores in secrets.\n– What to measure: Renewal success, expiry events, outage count.\n– Typical tools: Cert manager operator, secret store.<\/p>\n\n\n\n
10) Feature flags\n– Context: Centralized feature control across services.\n– Problem: Inconsistent flag rollout.\n– Why CRD helps: CRDs model flags and controllers broadcast or enforce policies.\n– What to measure: Flag propagation latency, mismatch rates.\n– Typical tools: Flag operators and config controllers.<\/p>\n\n\n\n
Context:<\/strong> Platform wants self-service Postgres for developer teams.\nGoal:<\/strong> Allow developers to create Postgres instances declaratively.\nWhy CustomResourceDefinition CRD matters here:<\/strong> CRD defines database resource and controller automates provisioning and backups.\nArchitecture \/ workflow:<\/strong> CRD definition -> Developer creates DB CR -> Controller provisions StatefulSet and storage -> Controller handles snapshots and restores -> Status updated.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n Context:<\/strong> Managed PaaS offering functions as a service backed by cluster.\nGoal:<\/strong> Expose function resources to users declaratively.\nWhy CustomResourceDefinition CRD matters here:<\/strong> CRD models the function with triggers, and controller integrates with cloud-managed autoscaler.\nArchitecture \/ workflow:<\/strong> CRD for Function -> Controller packages and deploys function as Knative or FaaS runtime -> Autoscaler adjusts pods.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n Context:<\/strong> Cluster-wide admission webhook blocks all CR creations.\nGoal:<\/strong> Restore API functionality and minimize business impact.\nWhy CustomResourceDefinition CRD matters here:<\/strong> Many workflows rely on CR creation; blocked CRs cause cascading failures.\nArchitecture \/ workflow:<\/strong> API server calls webhook -> Webhook errors -> Requests blocked.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n Context:<\/strong> Teams create many short-lived CRs as telemetry proxies.\nGoal:<\/strong> Reduce cost and improve apiserver stability.\nWhy CustomResourceDefinition CRD matters here:<\/strong> CRs stored in etcd increase storage and watch overhead.\nArchitecture \/ workflow:<\/strong> Automation writes lots of CRs -> Etcd grows -> API latency increases.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n List 15\u201325 mistakes with: Symptom -> Root cause -> Fix<\/p>\n\n\n\n Observability pitfalls (at least 5 included above):<\/p>\n\n\n\n Ownership and on-call:<\/p>\n\n\n\n Runbooks vs playbooks:<\/p>\n\n\n\n Safe deployments:<\/p>\n\n\n\n Toil reduction and automation:<\/p>\n\n\n\n Security basics:<\/p>\n\n\n\n Weekly\/monthly routines:<\/p>\n\n\n\n What to review in postmortems related to CustomResourceDefinition CRD:<\/p>\n\n\n\n ID | Category | What it does | Key integrations | Notes\nI1 | Operator SDK | Scaffolds controllers and CRDs | kubebuilder and client-go | Speeds development\nI2 | kubebuilder | Code generation for APIs | controller-runtime | Standard pattern\nI3 | Prometheus | Metrics collection and alerting | Alertmanager and Grafana | Core observability for controllers\nI4 | Grafana | Dashboarding and visualization | Prometheus and logs | Multi-source dashboards\nI5 | OpenTelemetry | Tracing for reconcilers | Tracing backends | Cross-service tracing\nI6 | Velero | Backup and restore for CRs | Cloud storage | Include CRDs and CRs\nI7 | Gatekeeper | Policy enforcement via OPA | Admission controller | Enforces constraints\nI8 | cert-manager | Manages TLS for webhooks | Kubernetes secrets | Automates webhook certs\nI9 | GitOps | Declarative management of CRs | CI\/CD pipelines | Ensures VCS source of truth\nI10 | Fluentd | Log collection | Log stores like Loki | Structured logging is important\nI11 | Loki | Log aggregation | Grafana visualizations | Useful for controller logs\nI12 | KEDA | Event-driven autoscaling | CRDs for scaling configs | Integrates with custom metrics<\/p>\n\n\n\n CRD defines the API type, CustomResource is an instance of that type. The CRD is the schema and API registration; the CR is the data.<\/p>\n\n\n\n No. CRDs only define schema and API endpoints. Controllers provide the runtime behavior and may run arbitrary code.<\/p>\n\n\n\n No. Security depends on RBAC, admission policies, and webhook configuration. Default cluster setups may be permissive.<\/p>\n\n\n\n Varies \/ depends. Performance depends on API server, etcd capacity, and watch patterns. Monitor metrics for scale warnings.<\/p>\n\n\n\n Yes. Schema changes can block updates and cause data incompatibilities. Use versioned CRDs and conversion strategies.<\/p>\n\n\n\n Only if you support multiple versions and stored objects need transformation. Otherwise choose a single storage version.<\/p>\n\n\n\n Include both CRD manifests and CR instances in backup tooling. Test restores to ensure compatibility.<\/p>\n\n\n\n No. Use Secret references and avoid embedding sensitive data in CR specs to prevent leakage.<\/p>\n\n\n\n Status holds controller-observed state separate from spec. Use it to report readiness and conditions.<\/p>\n\n\n\n Ensure controllers handle finalizer cleanup even on restarts and provide timeouts or manual cleanup runbooks.<\/p>\n\n\n\n Not for high-frequency events; CRs are persisted. Use eventing systems or external stores for high-cardinality telemetry.<\/p>\n\n\n\n Create a migration plan, use canary clusters, add conversion webhooks, and test round-trip conversions.<\/p>\n\n\n\n Yes, but design must ensure ownership and idempotency. Use owner references and clear boundaries.<\/p>\n\n\n\n Keep additive changes only, use defaulting, and implement conversion webhooks when changing storage versions.<\/p>\n\n\n\n Start with reconcile counts, errors, and latency. Then add status metrics and API server request metrics.<\/p>\n\n\n\n Reduce CR churn, avoid high-cardinality fields, use shared controllers with informers, and batch updates.<\/p>\n\n\n\n Yes, with patterns like central control plane or multi-cluster controllers. Consider federation or mesh solutions when needed.<\/p>\n\n\n\n A misconfigured webhook can block cluster operations. Always test webhooks in audit mode first.<\/p>\n\n\n\n CustomResourceDefinition CRD is a foundational extension mechanism in Kubernetes that enables platform teams to create consistent, declarative APIs. Properly designed CRDs, paired with robust controllers, observability, and operational practices, accelerate developer productivity while maintaining SRE guardrails. However, CRDs introduce new operational dimensions, including API server load, etcd storage concerns, schema migration complexity, and security considerations.<\/p>\n\n\n\n Next 7 days plan (5 bullets):<\/p>\n\n\n\n Primary keywords<\/p>\n\n\n\n Secondary keywords<\/p>\n\n\n\n Long-tail questions<\/p>\n\n\n\n Related terminology<\/p>\n\n\n\n —<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[149],"tags":[],"class_list":["post-1991","post","type-post","status-publish","format-standard","hentry","category-terminology"],"yoast_head":"\n\n
Scenario #2 \u2014 Serverless function lifecycle on managed PaaS<\/h3>\n\n\n\n
\n
Scenario #3 \u2014 Incident response: Admission webhook outage<\/h3>\n\n\n\n
\n
Scenario #4 \u2014 Cost\/performance trade-off for high-cardinality CRs<\/h3>\n\n\n\n
\n
\n\n\n\nCommon Mistakes, Anti-patterns, and Troubleshooting<\/h2>\n\n\n\n
\n
\n
\n\n\n\nBest Practices & Operating Model<\/h2>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\nTooling & Integration Map for CustomResourceDefinition CRD (TABLE REQUIRED)<\/h2>\n\n\n\n
Row Details (only if needed)<\/h4>\n\n\n\n
\n
\n\n\n\nFrequently Asked Questions (FAQs)<\/h2>\n\n\n\n
What is the difference between a CRD and a CustomResource?<\/h3>\n\n\n\n
Can CRDs run arbitrary code?<\/h3>\n\n\n\n
Are CRDs secure by default?<\/h3>\n\n\n\n
How many CRDs are too many?<\/h3>\n\n\n\n
Can CRD schema changes break existing CRs?<\/h3>\n\n\n\n
Do I need a conversion webhook?<\/h3>\n\n\n\n
How do I back up CRDs and CRs?<\/h3>\n\n\n\n
Should I store secrets in CR specs?<\/h3>\n\n\n\n
What are status subresources used for?<\/h3>\n\n\n\n
How can I avoid finalizer lockups?<\/h3>\n\n\n\n
Is CRD a good place for telemetry events?<\/h3>\n\n\n\n
How to test CRD upgrades safely?<\/h3>\n\n\n\n
Can multiple controllers act on same CR?<\/h3>\n\n\n\n
How to handle schema backward compatibility?<\/h3>\n\n\n\n
What observability should I add first?<\/h3>\n\n\n\n
How do I minimize apiserver load caused by CRDs?<\/h3>\n\n\n\n
Are CRDs suitable for multi-cluster applications?<\/h3>\n\n\n\n
What is a common pitfall with admission webhooks?<\/h3>\n\n\n\n
\n\n\n\nConclusion<\/h2>\n\n\n\n
\n
\n\n\n\nAppendix \u2014 CustomResourceDefinition CRD Keyword Cluster (SEO)<\/h2>\n\n\n\n
\n
\n
\n
\n