July 7, 2025
Control Plane Node Pools
As of July 7, 2025, new CKS clusters no longer provision a cpu-control-plane
Node Pool. This change improves cluster provisioning speed and reliability by moving managed components out-of-band to the CKS Control Plane.
Some CKS-managed components will continue to be scheduled onto customer-owned Node Pools. The deployment location of the following CKS-managed components have changed:
Affected Component | Runs on CKS Control Plane | Runs on Customer Nodes |
---|---|---|
Cilium | Cilium Operator | Cilium Agent |
EventRouter | EventRouter | N/A |
HPC Verification | HPC Verification Workflow Controller | HPC Verification Workflows |
KubeStateMetrics | KubeStateMetrics | N/A |
Victoria Metrics | Victoria Metrics Operator | VM Agents |
Clusters deployed before this date continue to use a cpu-control-plane
Node Pool. These older clusters are fully supported, and CoreWeave's Support Team will assist with migration on a per-customer basis.
App Deprecations
Prometheus Operator and Kubernetes Metrics Server are no longer installed in new clusters but remain on any cluster created before July 7, 2025.
CKS: New Kubernetes API endpoint for unmanaged auth
CoreWeave Kubernetes Service (CKS) now supports a new Kubernetes API endpoint for unmanaged authentication. This endpoint allows users to authenticate with the Kubernetes API without relying on CoreWeave's managed authentication service.
Managed vs. unmanaged authentication
Managed authentication
The managed authentication endpoint follows the format https://<id>.k8s.<zone>.coreweave.com
and can be found on the Cluster Status page of the CoreWeave Cloud Console by clicking Copy public address.
Kubeconfigs generated by the CoreWeave Cloud Console for CKS clusters use this endpoint by default. The managed authentication service handles user authentication and authorization only for user identities in the CoreWeave Cloud Console. It does not support Kubernetes Service Account Tokens, OIDC access tokens, or anonymous API server URIs.
Unmanaged authentication
The new unmanaged authentication endpoint is available at https://api.<id>.k8s.<zone>.coreweave.com
. You can create this URL by adding the api.
prefix after clicking Copy public address on the Cluster Status page.
Unmanaged authentication allows users to authenticate with the Kubernetes API using Kubernetes Service Account Tokens, OIDC access tokens, or anonymous API server URIs. This endpoint is intended for users who prefer to manage their own authentication and authorization mechanisms. Kubeconfigs and access tokens generated by the CoreWeave Cloud Console for CKS clusters are not supported by this endpoint.
CKS clusters previously offered an undocumented unmanaged authentication endpoint at https://api.<orgId>-<clusterName>.k8s.<zone>.coreweave.com
. This endpoint is now deprecated.