July 7, 2025 - Control Plane node pools and unmanaged auth

Control Plane node pools and unmanaged authentication now available for enhanced cluster management

Control Plane Node Pools are now available for CKS clusters, providing dedicated compute resources for Kubernetes control plane components. This release also introduces a new Kubernetes API endpoint for unmanaged auth.

This release introduces two significant features for CoreWeave Kubernetes Service (CKS): Control Plane Node Pools for dedicated compute resources and a new Kubernetes API endpoint for unmanaged authentication workflows.

Control Plane Node Pools

Control Plane Node Pools provide dedicated compute resources for Kubernetes control plane components in CKS clusters. This feature ensures that critical Kubernetes system components have dedicated resources separate from application workloads.

Key benefits

  • Dedicated resources: Control Plane components run on dedicated Nodes, preventing resource contention with application workloads
  • Improved stability: Isolates Control Plane operations from user workloads for enhanced cluster reliability
  • Better performance: Control Plane components have guaranteed access to CPU and memory resources
  • Enhanced monitoring: Clear separation allows for better monitoring and troubleshooting of Control Plane vs. application workloads

Implementation details

Control Plane Node Pools are automatically provisioned when creating new CKS clusters. The Control Plane components include:

  • API Server: Handles all API requests and provides the Kubernetes API
  • etcd: Distributed key-value store that stores all cluster data
  • Scheduler: Assigns Pods to Nodes based on resource availability and constraints
  • Controller Manager: Runs controller processes that regulate the state of the cluster

Configuration

Control Plane Node Pools are managed automatically by CKS and do not require manual configuration. The system automatically:

  • Provisions the appropriate number of Nodes based on cluster size
  • Applies the necessary taints and tolerations so that only Control Plane workloads are scheduled on these Nodes
  • Monitors and maintains the health of Control Plane Nodes
  • Scales the Control Plane as needed based on cluster requirements

For more information about Node Pools in general, see Introduction to Node Pools.

Kubernetes API Endpoint for Unmanaged Auth

A new Kubernetes API endpoint for unmanaged authentication is now available in CKS, enabling custom authentication workflows and integration with external identity providers.

Use cases

This endpoint enables several advanced authentication scenarios:

  • Custom authentication providers: Integrate with enterprise identity systems not supported by standard OIDC
  • Multi-factor authentication: Implement custom MFA workflows
  • Conditional access policies: Apply custom logic for authentication decisions
  • Audit and compliance: Support custom authentication logging and compliance requirements

API details

The unmanaged auth endpoint allows custom authentication webhooks to be configured for CKS clusters. This provides flexibility for organizations with specific authentication requirements that cannot be met through standard OIDC integration.

Configuration

To configure unmanaged authentication:

  1. Deploy your authentication webhook: Host your custom authentication service that implements the Kubernetes authentication webhook interface
  2. Configure the webhook in CKS: Use the CKS API to configure the authentication webhook endpoint
  3. Test the integration: Verify that your custom authentication workflow functions correctly

For detailed API reference information, see CKS API Reference.
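
The decision logic for step 1, as an added example that is not CoreWeave's code. It assumes the endpoint uses the standard Kubernetes webhook token authentication exchange (a TokenReview object in, a TokenReview object out); `review_token`, `SAMPLE_TOKENS` and the sample identity are hypothetical names and constructed data, and the HTTPS listener that would call this function is left out.

```python
import hashlib
import hmac
import json

# Constructed sample store: SHA-256(token) -> identity. Holding only hashes
# means a leaked store does not hand out usable bearer tokens.
SAMPLE_TOKENS = {
    hashlib.sha256(b"constructed-sample-token").hexdigest(): {
        "username": "jane@example.com", "uid": "1001", "groups": ["dev-team"],
    },
}
VERSIONS = ("authentication.k8s.io/v1", "authentication.k8s.io/v1beta1")


def _reply(version, status):
    """Wrap a status in a TokenReview object of the given apiVersion."""
    return {"apiVersion": version, "kind": "TokenReview", "status": status}


def review_token(raw_body, tokens=SAMPLE_TOKENS):
    """Evaluate one TokenReview request body (bytes); return the response dict.

    Any parsing or validation failure denies, so the webhook fails closed.
    """
    version = VERSIONS[0]
    try:
        review = json.loads(raw_body)
        if review.get("kind") != "TokenReview" or review.get("apiVersion") not in VERSIONS:
            raise ValueError("not a supported TokenReview")
        version = review["apiVersion"]  # reply in the version that was sent
        token = review["spec"]["token"]
        if not isinstance(token, str) or not token:
            raise ValueError("missing token")
        presented = hashlib.sha256(token.encode()).hexdigest()
    except (ValueError, KeyError, TypeError, AttributeError):
        return _reply(version, {"authenticated": False, "error": "malformed TokenReview"})

    user = None
    # Compare against every stored hash in constant time; no early exit.
    for stored_hash, identity in tokens.items():
        if hmac.compare_digest(stored_hash, presented):
            user = identity
    if user is None:
        return _reply(version, {"authenticated": False, "error": "invalid token"})
    return _reply(version, {"authenticated": True, "user": user})
```

For step 3, useful negative tests are the ones this function denies: an unknown token, a body that is not JSON, and a TokenReview with no `spec`.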

Migration considerations

Existing clusters

  • Control Plane Node Pools: Existing clusters will continue to function normally. The new Control Plane Node Pool feature is primarily beneficial for new clusters or when recreating existing clusters
  • Unmanaged Auth: Can be configured on existing clusters without requiring cluster recreation

Best practices

  • Testing: Test custom authentication workflows in a development environment before deploying to production
  • Monitoring: Monitor Control Plane Node health and custom authentication webhook performance
  • Documentation: Document custom authentication configurations for team members and compliance purposes

Support

For questions about Control Plane Node Pools or the unmanaged authentication endpoint, contact CoreWeave Support.