Manager nodes

Manager nodes manage a swarm and persist the swarm state. Using several containers per node, the ucp-manager-agent automatically deploys all MKE components on manager nodes, including the MKE web UI and the data stores that MKE uses.

Note

Some Kubernetes components are run as Swarm services because the MKE control plane is itself a Docker Swarm cluster.

The following tables detail the MKE services that run on manager nodes:

Swarm services
MKE component	Description
`ucp-auth-api`	The centralized service for identity and authentication used by MKE and MSR.
`ucp-auth-store`	A container that stores authentication configurations and data for users, organizations, and teams.
`ucp-auth-worker`	A container that performs scheduled LDAP synchronizations and cleans authentication and authorization data.
`ucp-client-root-ca`	A certificate authority to sign client bundles.
`ucp-cluster-agent`	The agent that monitors the cluster-wide MKE components. Runs on only one manager node.
`ucp-cluster-root-ca`	A certificate authority used for TLS communication between MKE components.
`ucp-controller`	The MKE web server.
`ucp-hardware-info`	A container for collecting disk/hardware information about the host.
`ucp-interlock`	A container that monitors Swarm workloads configured to use layer 7 routing. Only runs when you enable layer 7 routing.
`ucp-interlock-config`	A service that manages Interlock configuration.
`ucp-interlock-extension`	A service that verifies the run status of the Interlock extension.
`ucp-interlock-proxy`	A service that provides load balancing and proxying for Swarm workloads. Runs only when layer 7 routing is enabled.
`ucp-kube-apiserver`	A master component that serves the Kubernetes API. It persists its state in `etcd` directly, and all other components communicate directly with the API server. The Kubernetes API server is configured to encrypt Secrets using AES-CBC with a 256-bit key. The encryption key is never rotated, and the encryption key is stored on manager nodes, in a file on disk.
`ucp-kube-controller-manager`	A master component that manages the desired state of controllers and other Kubernetes objects. It monitors the API server and performs background tasks when needed.
`ucp-kubelet`	The Kubernetes node agent running on every node, which is responsible for running Kubernetes pods, reporting the health of the node, and monitoring resource usage.
`ucp-kube-proxy`	The networking proxy running on every node, which enables pods to contact Kubernetes services and other pods by way of cluster IP addresses.
`ucp-kube-scheduler`	A master component that manages Pod scheduling, which communicates with the API server only to obtain workloads that need to be scheduled.
`ucp-kv`	A container used to store the MKE configurations. Do not use it in your applications, as it is for internal use only. Also used by Kubernetes components.
`ucp-manager-agent`	The agent that monitors the manager node and ensures that the right MKE services are running.
`ucp-proxy`	A TLS proxy that allows secure access from the local Mirantis Container Runtime to MKE components.
`ucp-sf-notifier`	A Swarm service that sends notifications to Salesforce when alerts are configured by OpsCare, and later when they are triggered.
`ucp-swarm-manager`	A container used to provide backward compatibility with Docker Swarm.

Kubernetes components
MKE component	Description
`cri-dockerd-mke`	An MKE service that accounts for the removal of dockershim from Kubernetes as of version 1.24, thus enabling MKE to continue using Docker as the container runtime.
`k8s_calico-kube-controllers`	A cluster-scoped Kubernetes controller used to coordinate Calico networking. Runs on one manager node only.
`k8s_calico-node`	The Calico node agent, which coordinates networking fabric according to the cluster-wide Calico configuration. Part of the `calico-node` DaemonSet. Runs on all nodes. Configure the container network interface (CNI) plugin using the `--cni-installer-url` flag. If this flag is not set, MKE uses Calico as the default CNI plugin.
`k8s_enable-strictaffinity`	An init container for Calico controller that sets the StrictAffinity in Calico networking according to the configured boolean value.
`k8s_firewalld-policy_calico-node`	An init container for `calico-node` that verifies whether systems with firewalld are compatible with Calico.
`k8s_install-cni_calico-node`	A container in which the Calico CNI plugin binaries are installed and configured on each host. Part of the calico-node DaemonSet. Runs on all nodes.
`k8s_ucp-coredns_coredns`	The CoreDNS plugin, which provides service discovery for Kubernetes services and Pods.
`k8s_ucp-gatekeeper_gatekeeper-controller-manager`	The Gatekeeper manager controller for Kubernetes that provides policy enforcement. Only runs when OPA Gatekeeper is enabled in MKE.
`k8s_ucp-gatekeeper-audit_gatekeeper-audit`	The audit controller for Kubernetes that provides audit functionality of OPA Gatekeeper. Only runs when OPA Gatekeeper is enabled in MKE.
`k8s_ucp-kube-compose`	A custom Kubernetes resource component that translates Compose files into Kubernetes constructs. Part of the Compose deployment. Runs on one manager node only.
`k8s_ucp-kube-compose-api`	The API server for Kube Compose, which is part of the compose deployment. Runs on one manager node only.
`k8s_ucp-kube-ingress-controller`	The Ingress controller for Kubernetes, which provides layer 7 routing for Kubernertes services. Only runs with Ingress for Kubernetes enabled.
`k8s_ucp-metrics-inventory`	A container that generates the inventory targets for Prometheus server. Part of the Kubernetes Prometheus Metrics plugin.
`k8s_ucp-metrics-prometheus`	A container used to collect and process metrics for a node. Part of the Kubernetes Prometheus Metrics plugin.
`k8s_ucp-metrics-proxy`	A container that runs a proxy for the metrics server. Part of the Kubernetes Prometheus Metrics plugin.
`k8s_ucp-node-feature-discovery-master`	A container that provides node feature discovery labels for Kubernetes nodes.
`k8s_ucp-node-feature-discovery-worker`	A container that provides node feature discovery labels for Kubernetes nodes.
`k8s_ucp-nvidia-device-partitioner`	A container that provides support for Multi Instance GPU (MIG) on NVIDIA GPUs.
`k8s_ucp-secureoverlay-agent`	A container that provides a per-node service that manages the encryption state of the data plane.
`k8s_POD_ucp-secureoverlay-mgr`	A container that provides the key management process that configures and periodically rotates the encryption keys.

Kubernetes pause containers
MKE component	Description
`k8s_POD_calico-node`	The pause container for the `calico-node` pod.
`k8s_POD_calico-kube-controllers`	The pause container for the `calico-kube-controllers` pod.
`k8s_POD_compose`	The pause container for the `compose` pod.
`k8s_POD_compose-api`	The pause container for `ucp-kube-compose-api`.
`k8s_POD_coredns`	The pause container for the ucp-coredns Pod.
`k8s_POD_ingress-nginx-controller`	The pause container for `ucp-kube-ingress-controller`.
`k8s_POD_gatekeeper-audit`	The pause container for `ucp-gatekeeper-audit`.
`k8s_POD_gatekeeper-controller-manager`	The pause container for `ucp-gatekeeper`.
`k8s_POD_ucp-metrics`	The pause container for the ucp-metrics.
`k8s_POD_ucp-node-feature-discovery`	The pause container for the node feature discovery labels on Kubernetes nodes.
`k8s_POD_ucp-nvidia-device-partitioner`	A pause container for `ucp-nvidia-device-partitioner`.
`k8s_ucp-pause_ucp-nvidia-device-partitioner`	A pause container for `ucp-nvidia-device-partitioner`.