Manager nodes

Manager nodes manage a swarm and persist the swarm state. Using several containers per node, the ucp-manager-agent automatically deploys all MKE components on manager nodes, including the MKE web UI and the data stores that MKE uses.

The following table details the MKE services that run on manager nodes:

MKE components on manager nodes

MKE component



A cluster-scoped Kubernetes controller used to coordinate Calico networking. Runs on one manager node only.


The Calico node agent, which coordinates networking fabric according to the cluster-wide Calico configuration. Part of the calico-node DaemonSet. Runs on all nodes. Configure the container network interface (CNI) plugin using the --cni-installer-url flag. If this flag is not set, MKE uses Calico as the default CNI plugin.


A container in which the Calico CNI plugin binaries are installed and configured on each host. Part of the calico-node DaemonSet. Runs on all nodes.


The Pause containers for the calico-node pod.


The Pause containers for the calico-kube-controllers pod.


The Pause containers for the compose pod.


The Pause containers for the kube-dns pod.


A dnsmasq instance used in the Kubernetes DNS Service. Part of the kube-dns deployment. Runs on one manager node only.


A custom Kubernetes resource component that translates Compose files into Kubernetes constructs. Part of the compose deployment. Runs on one manager node only.


The main Kubernetes DNS Service, used by pods to resolve service names. Part of the kube-dns deployment, a set of three containers deployed through Kubernetes as a single pod. Provides service discovery for Kubernetes services and pods. Runs on one manager node only.


A daemon of the Kubernetes DNS Service responsible for health checking and metrics. Part of the kube-dns deployment. Runs on one manager node only.


The centralized service for identity and authentication used by MKE and MSR.


A container that stores authentication configurations and data for users, organizations, and teams.


A container that performs scheduled LDAP synchronizations and cleans authentication and authorization data.


A certificate authority to sign client bundles.


A certificate authority used for TLS communication between MKE components.


The MKE web server.


A Docker system script for collecting troubleshooting information. Named ucp-dsinfo-win on Windows nodes.


A container for collecting disk/hardware information about the host.


A container that monitors Swarm workloads configured to use layer 7 routing. Only runs when you enable layer 7 routing.


A service that provides load balancing and proxying for Swarm workloads. Only runs when you enable layer 7 routing.


A master component that serves the Kubernetes API. It persists its state in etcd directly, and all other components communicate directly with the API server. The Kubernetes API server is configured to encrypt Secrets using AES-CBC with a 256-bit key. The encryption key is never rotated and is stored in a file on disk on manager nodes.


A master component that manages the desired state of controllers and other Kubernetes objects. It monitors the API server and performs background tasks when needed.


The Kubernetes node agent running on every node, which is responsible for running Kubernetes pods, reporting the health of the node, and monitoring resource usage.


The networking proxy running on every node, which enables pods to contact Kubernetes services and other pods by way of cluster IP addresses.


A master component that handles pod scheduling. It communicates with the API server only to obtain workloads that need to be scheduled.


A container used to store the MKE configurations. Do not use it in your applications, as it is for internal use only. Also used by Kubernetes components.


The agent that monitors the manager node and ensures that the right MKE services are running.


A container used to collect and process metrics for a node, such as the disk space available.


A container that provides node feature discovery labels for Kubernetes nodes.


A container that provides GPU feature discovery to automatically label nodes with NVIDIA hardware devices.


A container that allows GPU-enabled Kubernetes workloads to run on MKE.


A TLS proxy that allows secure access from the local Mirantis Container Runtime to MKE components.


A container that converges the node to its desired state whenever the ucp-manager-agent service detects that the node is not running the correct MKE components. This container should remain in an exited state when the node is healthy.


A container used to provide backwards compatibility with Docker Swarm.
