Implementation:Kserve Kserve Controller Manager Deployment
| Knowledge Sources | |
|---|---|
| Domains | Kubernetes, Model Serving |
| Last Updated | 2026-02-13 00:00 GMT |
Overview
Concrete Kubernetes Deployment for the KServe controller-manager and associated webhook server secret provided by the KServe project.
Description
This file defines the base Kubernetes Deployment for the main KServe controller-manager, along with an associated kserve-webhook-server-secret Secret resource. The controller reconciles the core KServe resources, including InferenceService, InferenceGraph, TrainedModel, and ServingRuntime. It runs with leader election, health and readiness probes on port 8081, a webhook server on port 9443, and a volume mount for TLS certificates from the kserve-webhook-server-cert secret. The controller is configured with a strict security context (non-root, read-only filesystem, dropped capabilities) and with resource requests and limits of 100m CPU and 200-300Mi memory. Note that the Secret defined in this file (kserve-webhook-server-secret) has a different name from the one the pod mounts: the TLS certificate secret kserve-webhook-server-cert is listed below as a required input rather than as an output of this file.
Usage
Apply this Deployment to the kserve namespace as the core component of a KServe installation. This is the primary controller that watches and reconciles all KServe custom resources. It must be running for any KServe functionality to work, including inference service creation, runtime management, and model serving.
Code Reference
Source Location
- Repository: Kserve_Kserve
- File: config/manager/manager.yaml
- Lines: 1-95
Signature
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kserve-controller-manager
  namespace: kserve
  labels:
    app.kubernetes.io/name: kserve-controller-manager
    control-plane: kserve-controller-manager
spec:
  selector:
    matchLabels:
      control-plane: kserve-controller-manager
  template:
    spec:
      serviceAccountName: kserve-controller-manager
      containers:
        - command:
            - /manager
          args:
            - "--leader-elect"
          image: ko://github.com/kserve/kserve/cmd/manager
          name: manager
          env:
            # Namespace the pod runs in, injected via the downward API
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Same secret name as the "cert" volume below
            - name: SECRET_NAME
              value: kserve-webhook-server-cert
          ports:
            - containerPort: 9443
              name: webhook-server
          volumeMounts:
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: cert
      volumes:
        - name: cert
          secret:
            defaultMode: 420  # decimal 420 = octal 0644
            secretName: kserve-webhook-server-cert
---
apiVersion: v1
kind: Secret
metadata:
  # Different name from the kserve-webhook-server-cert secret mounted above
  name: kserve-webhook-server-secret
  namespace: kserve
Import
kubectl apply -f config/manager/manager.yaml
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| kserve-controller-manager | ServiceAccount | Yes | ServiceAccount for the controller pod |
| kserve-webhook-server-cert | Secret | Yes | TLS certificate secret for the webhook server |
| POD_NAMESPACE | env (fieldRef) | Yes | Injected from the pod metadata namespace |
| SECRET_NAME | env (static) | Yes | Name of the webhook server cert secret (kserve-webhook-server-cert) |
Outputs
| Name | Type | Description |
|---|---|---|
| kserve-controller-manager Deployment | Deployment | Runs the main KServe controller manager |
| kserve-webhook-server-secret | Secret | Empty secret resource for webhook server credentials |
| Webhook server | TCP port 9443 | Admission webhook endpoint for KServe resources |
| Health endpoints | HTTP port 8081 | Liveness (/healthz) and readiness (/readyz) probe endpoints |
Usage Examples
Apply the Deployment
kubectl apply -f config/manager/manager.yaml
Verify the controller is running
kubectl get deployment kserve-controller-manager -n kserve
kubectl get pods -n kserve -l control-plane=kserve-controller-manager
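Beyond checking that the pod is running, the hardening properties listed in the Description can be checked on the live object. The following is an added example, not part of the KServe repository: it audits the JSON from `kubectl get deployment kserve-controller-manager -n kserve -o json`. The `audit` function, the embedded sample object, and the reading of "dropped capabilities" as `drop: ["ALL"]` are assumptions made for illustration.

```python
import json

# Constructed sample: shape of `kubectl get deployment ... -o json`, trimmed to
# the fields checked below. Values are illustrative, not copied from manager.yaml.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsNonRoot": true},
  "containers": [{
    "name": "manager",
    "env": [{"name": "SECRET_NAME", "value": "kserve-webhook-server-cert"}],
    "securityContext": {"readOnlyRootFilesystem": true,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"requests": {"cpu": "100m", "memory": "200Mi"},
                  "limits": {"cpu": "100m", "memory": "300Mi"}},
    "volumeMounts": [{"name": "cert"}]}],
  "volumes": [{"name": "cert",
               "secret": {"secretName": "kserve-webhook-server-cert"}}]}}}}
""")


def audit(deployment, container_name="manager"):
    """Return a list of findings; an empty list means every check passed."""
    pod = deployment["spec"]["template"]["spec"]
    c = next((x for x in pod.get("containers", []) if x.get("name") == container_name), None)
    if c is None:
        return [f"container {container_name!r} not found"]
    findings = []
    pod_sc, sc = pod.get("securityContext", {}), c.get("securityContext", {})
    # A container-level runAsNonRoot overrides the pod-level value.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem is writable")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("capabilities.drop does not include ALL")
    for kind in ("requests", "limits"):
        for res in ("cpu", "memory"):
            if res not in c.get("resources", {}).get(kind, {}):
                findings.append(f"no {res} {kind}")
    # SECRET_NAME must name the secret that backs a mounted volume.
    env = {e["name"]: e.get("value") for e in c.get("env", [])}
    mounted = {m["name"] for m in c.get("volumeMounts", [])}
    secrets = {v["secret"]["secretName"] for v in pod.get("volumes", [])
               if "secret" in v and v["name"] in mounted}
    if env.get("SECRET_NAME") not in secrets:
        findings.append("SECRET_NAME does not match a mounted secret volume")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "all checks passed")
```

To run it against a cluster, replace `SAMPLE` with the parsed output of the `kubectl get ... -o json` command above.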