etcd — the cluster store
The single source of truth, and why it is guarded.
In plain terms
etcd is the cluster’s notebook — it writes down everything the cluster is supposed to be. Lose the notebook with no photocopy and you’ve lost the entire plan, which is why you guard it and back it up.
etcd is a distributed key-value store, and it holds the entire cluster: every object, every status, every secret. If the API server is the brain, etcd is its memory. Protecting and backing it up is the most consequential thing an administrator does.
terminal
# etcd speaks only over mutual TLS — you need its certs$ ETCDCTL_API=3 etcdctl member list \--endpoints=https://127.0.0.1:2379 \--cacert=/etc/kubernetes/pki/etcd/ca.crt \--cert=/etc/kubernetes/pki/etcd/server.crt \--key=/etc/kubernetes/pki/etcd/server.key8e9e05c52164694d, started, cp-1, https://10.0.0.1:2380, https://10.0.0.1:2379
etcd agrees on data by consensus (the Raft protocol), which is why a highly-available control plane uses an odd number of members — three or five. A majority must agree on every write; lose the majority and the cluster stops accepting changes entirely.
A snapshot is the whole cluster
By default secrets sit in etcd base64-encoded, not encrypted — a stolen snapshot is a full breach. Snapshot on a schedule (covered in Cluster Maintenance) and enable encryption at rest (covered in Security).