KUBERNETES(1)                General Commands Manual                KUBERNETES(1)

NAME
       kube-controller-manager - Enforces kubernetes services.

SYNOPSIS
       kube-controller-manager [OPTIONS]

DESCRIPTION
       The Kubernetes controller manager is a daemon that embeds the core
       control loops shipped with Kubernetes. In applications of robotics and
       automation, a control loop is a non-terminating loop that regulates the
       state of the system. In Kubernetes, a controller is a control loop that
       watches the shared state of the cluster through the apiserver and makes
       changes attempting to move the current state towards the desired state.
       Examples of controllers that ship with Kubernetes today are the
       replication controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

       kube-controller-manager [flags]

OPTIONS
       --address ip
              The IP address on which to serve the insecure --port (set to
              0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).
              (default 0.0.0.0) (DEPRECATED: see --bind-address instead.)

       --allocate-node-cidrs
              Should CIDRs for Pods be allocated and set on the cloud provider.

       --attach-detach-reconcile-sync-period duration
              The reconciler sync wait time between volume attach detach. This
              duration must be larger than one second, and increasing this
              value from the default may allow for volumes to be mismatched
              with pods. (default 1m0s)

       --authentication-kubeconfig string
              kubeconfig file pointing at the 'core' kubernetes server with
              enough rights to create tokenaccessreviews.authentication.k8s.io.
              This is optional. If empty, all token requests are considered to
              be anonymous and no client CA is looked up in the cluster.

       --authentication-skip-lookup
              If false, the authentication-kubeconfig will be used to look up
              missing authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl duration
              The duration to cache responses from the webhook token
              authenticator. (default 10s)

       --authorization-always-allow-paths strings
              A list of HTTP paths to skip during authorization, i.e. these
              are authorized without contacting the 'core' kubernetes server.
              (default [/healthz])

       --authorization-kubeconfig string
              kubeconfig file pointing at the 'core' kubernetes server with
              enough rights to create subjectaccessreviews.authorization.k8s.io.
              This is optional. If empty, all requests not skipped by
              authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl duration
              The duration to cache 'authorized' responses from the webhook
              authorizer. (default 10s)

       --authorization-webhook-cache-unauthorized-ttl duration
              The duration to cache 'unauthorized' responses from the webhook
              authorizer. (default 10s)

       --azure-container-registry-config string
              Path to the file containing Azure container registry
              configuration information.

       --bind-address ip
              The IP address on which to listen for the --secure-port port.
              The associated interface(s) must be reachable by the rest of the
              cluster, and by CLI/web clients. If blank, all interfaces will be
              used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6
              interfaces). (default 0.0.0.0)

       --cert-dir string
              The directory where the TLS certs are located. If --tls-cert-file
              and --tls-private-key-file are provided, this flag will be
              ignored. (default "/var/run/kubernetes")

       --cidr-allocator-type string
              Type of CIDR allocator to use (default "RangeAllocator")

       --client-ca-file string
              If set, any request presenting a client certificate signed by one
              of the authorities in the client-ca-file is authenticated with an
              identity corresponding to the CommonName of the client
              certificate.

       --cloud-config string
              The path to the cloud provider configuration file. Empty string
              for no configuration file.

       --cloud-provider string
              The provider for cloud services. Empty string for no provider.

       --cluster-cidr string
              CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to
              be true

       --cluster-name string
              The instance prefix for the cluster. (default "kubernetes")

       --cluster-signing-cert-file string
              Filename containing a PEM-encoded X509 CA certificate used to
              issue cluster-scoped certificates (default
              "/etc/kubernetes/ca/ca.pem")

       --cluster-signing-key-file string
              Filename containing a PEM-encoded RSA or ECDSA private key used
              to sign cluster-scoped certificates (default
              "/etc/kubernetes/ca/ca.key")

       --concurrent-deployment-syncs int32
              The number of deployment objects that are allowed to sync
              concurrently. Larger number = more responsive deployments, but
              more CPU (and network) load (default 5)

       --concurrent-endpoint-syncs int32
              The number of endpoint syncing operations that will be done
              concurrently. Larger number = faster endpoint updating, but more
              CPU (and network) load (default 5)

       --concurrent-gc-syncs int32
              The number of garbage collector workers that are allowed to sync
              concurrently. (default 20)

       --concurrent-namespace-syncs int32
              The number of namespace objects that are allowed to sync
              concurrently. Larger number = more responsive namespace
              termination, but more CPU (and network) load (default 10)

       --concurrent-replicaset-syncs int32
              The number of replica sets that are allowed to sync concurrently.
              Larger number = more responsive replica management, but more CPU
              (and network) load (default 5)

       --concurrent-resource-quota-syncs int32
              The number of resource quotas that are allowed to sync
              concurrently. Larger number = more responsive quota management,
              but more CPU (and network) load (default 5)

       --concurrent-service-syncs int32
              The number of services that are allowed to sync concurrently.
              Larger number = more responsive service management, but more CPU
              (and network) load (default 1)

       --concurrent-serviceaccount-token-syncs int32
              The number of service account token objects that are allowed to
              sync concurrently. Larger number = more responsive token
              generation, but more CPU (and network) load (default 5)

       --concurrent-ttl-after-finished-syncs int32
              The number of TTL-after-finished controller workers that are
              allowed to sync concurrently. (default 5)

       --concurrent_rc_syncs int32
              The number of replication controllers that are allowed to sync
              concurrently. Larger number = more responsive replica management,
              but more CPU (and network) load (default 5)

       --configure-cloud-routes
              Should CIDRs allocated by allocate-node-cidrs be configured on
              the cloud provider. (default true)

       --contention-profiling
              Enable lock contention profiling, if profiling is enabled

       --controller-start-interval duration
              Interval between starting controller managers.

       --controllers strings
              A list of controllers to enable. '*' enables all on-by-default
              controllers, 'foo' enables the controller named 'foo', '-foo'
              disables the controller named 'foo'.
              All controllers: attachdetach, bootstrapsigner,
              clusterrole-aggregation, cronjob, csrapproving, csrcleaner,
              csrsigning, daemonset, deployment, disruption, endpoint,
              garbagecollector, horizontalpodautoscaling, job, namespace,
              nodeipam, nodelifecycle, persistentvolume-binder,
              persistentvolume-expander, podgc, pv-protection, pvc-protection,
              replicaset, replicationcontroller, resourcequota, route, service,
              serviceaccount, serviceaccount-token, statefulset, tokencleaner,
              ttl, ttl-after-finished
              Disabled-by-default controllers: bootstrapsigner, tokencleaner
              (default [*])

       --deployment-controller-sync-period duration
              Period for syncing the deployments. (default 30s)

       --disable-attach-detach-reconcile-sync
              Disable volume attach detach reconciler sync. Disabling this may
              cause volumes to be mismatched with pods. Use wisely.

       --enable-dynamic-provisioning
              Enable dynamic provisioning for environments that support it.
              (default true)

       --enable-garbage-collector
              Enables the generic garbage collector. MUST be synced with the
              corresponding flag of the kube-apiserver. (default true)

       --enable-hostpath-provisioner
              Enable HostPath PV provisioning when running without a cloud
              provider. This allows testing and development of provisioning
              features. HostPath provisioning is not supported in any way,
              won't work in a multi-node cluster, and should not be used for
              anything other than testing or development.

       --enable-taint-manager
              WARNING: Beta feature. If set to true enables NoExecute Taints
              and will evict all not-tolerating Pods running on Nodes tainted
              with this kind of Taints. (default true)

       --experimental-cluster-signing-duration duration
              The length of duration signed certificates will be given.
              (default 8760h0m0s)

       --external-cloud-volume-plugin string
              The plugin to use when cloud provider is set to external. Can be
              empty, should only be set when cloud-provider is external.
              Currently used to allow node and volume controllers to work for
              in tree cloud providers.

       --feature-gates mapStringBool
              A set of key=value pairs that describe feature gates for
              alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIResponseCompression=true|false (ALPHA - default=false)
              AllAlpha=true|false (ALPHA - default=false)
              AppArmor=true|false (BETA - default=true)
              AttachVolumeLimit=true|false (BETA - default=true)
              BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
              BlockVolume=true|false (ALPHA - default=false)
              CPUManager=true|false (BETA - default=true)
              CRIContainerLogRotation=true|false (BETA - default=true)
              CSIBlockVolume=true|false (ALPHA - default=false)
              CSIDriverRegistry=true|false (ALPHA - default=false)
              CSINodeInfo=true|false (ALPHA - default=false)
              CSIPersistentVolume=true|false (BETA - default=true)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              CustomPodDNS=true|false (BETA - default=true)
              CustomResourceSubresources=true|false (BETA - default=true)
              CustomResourceValidation=true|false (BETA - default=true)
              DebugContainers=true|false (ALPHA - default=false)
              DevicePlugins=true|false (BETA - default=true)
              DryRun=true|false (ALPHA - default=false)
              DynamicKubeletConfig=true|false (BETA - default=true)
              EnableEquivalenceClassCache=true|false (ALPHA - default=false)
              ExpandInUsePersistentVolumes=true|false (ALPHA - default=false)
              ExpandPersistentVolumes=true|false (BETA - default=true)
              ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              GCERegionalPersistentDisk=true|false (BETA - default=true)
              HugePages=true|false (BETA - default=true)
              HyperVContainer=true|false (ALPHA - default=false)
              Initializers=true|false (ALPHA - default=false)
              KubeletPluginsWatcher=true|false (BETA - default=true)
              LocalStorageCapacityIsolation=true|false (BETA - default=true)
              MountContainers=true|false (ALPHA - default=false)
              NodeLease=true|false (ALPHA - default=false)
              PersistentLocalVolumes=true|false (BETA - default=true)
              PodPriority=true|false (BETA - default=true)
              PodReadinessGates=true|false (BETA - default=true)
              PodShareProcessNamespace=true|false (BETA - default=true)
              ProcMountType=true|false (ALPHA - default=false)
              QOSReserved=true|false (ALPHA - default=false)
              ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)
              ResourceQuotaScopeSelectors=true|false (BETA - default=true)
              RotateKubeletClientCertificate=true|false (BETA - default=true)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              RunAsGroup=true|false (ALPHA - default=false)
              RuntimeClass=true|false (ALPHA - default=false)
              SCTPSupport=true|false (ALPHA - default=false)
              ScheduleDaemonSetPods=true|false (BETA - default=true)
              ServiceNodeExclusion=true|false (ALPHA - default=false)
              StreamingProxyRedirects=true|false (BETA - default=true)
              SupportPodPidsLimit=true|false (ALPHA - default=false)
              Sysctls=true|false (BETA - default=true)
              TTLAfterFinished=true|false (ALPHA - default=false)
              TaintBasedEvictions=true|false (ALPHA - default=false)
              TaintNodesByCondition=true|false (BETA - default=true)
              TokenRequest=true|false (BETA - default=true)
              TokenRequestProjection=true|false (BETA - default=true)
              ValidateProxyRedirects=true|false (ALPHA - default=false)
              VolumeScheduling=true|false (BETA - default=true)
              VolumeSnapshotDataSource=true|false (ALPHA - default=false)
              VolumeSubpathEnvExpansion=true|false (ALPHA - default=false)

       --flex-volume-plugin-dir string
              Full path of the directory in which the flex volume plugin should
              search for additional third party volume plugins. (default
              "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/")

       -h, --help
              help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period duration
              The period after pod start when CPU samples might be skipped.
              (default 5m0s)

       --horizontal-pod-autoscaler-downscale-stabilization duration
              The period for which autoscaler will look backwards and not
              scale down below any recommendation it made during that period.
              (default 5m0s)

       --horizontal-pod-autoscaler-initial-readiness-delay duration
              The period after pod start during which readiness changes will
              be treated as initial readiness. (default 30s)

       --horizontal-pod-autoscaler-sync-period duration
              The period for syncing the number of pods in horizontal pod
              autoscaler. (default 15s)

       --horizontal-pod-autoscaler-tolerance float
              The minimum change (from 1.0) in the desired-to-actual metrics
              ratio for the horizontal pod autoscaler to consider scaling.
              (default 0.1)

       --http2-max-streams-per-connection int
              The limit that the server gives to clients for the maximum
              number of streams in an HTTP/2 connection. Zero means to use
              golang's default.

       --insecure-experimental-approve-all-kubelet-csrs-for-group string
              This flag does nothing.

       --kube-api-burst int32
              Burst to use while talking with kubernetes apiserver. (default
              30)

       --kube-api-content-type string
              Content type of requests sent to apiserver. (default
              "application/vnd.kubernetes.protobuf")

       --kube-api-qps float32
              QPS to use while talking with kubernetes apiserver. (default 20)

       --kubeconfig string
              Path to kubeconfig file with authorization and master location
              information.

       --large-cluster-size-threshold int32
              Number of nodes from which NodeController treats the cluster as
              large for the eviction logic purposes.
              --secondary-node-eviction-rate is implicitly overridden to 0 for
              clusters this size or smaller. (default 50)

       --leader-elect
              Start a leader election client and gain leadership before
              executing the main loop. Enable this when running replicated
              components for high availability. (default true)

       --leader-elect-lease-duration duration
              The duration that non-leader candidates will wait after
              observing a leadership renewal until attempting to acquire
              leadership of a led but unrenewed leader slot. This is
              effectively the maximum duration that a leader can be stopped
              before it is replaced by another candidate. This is only
              applicable if leader election is enabled. (default 15s)

       --leader-elect-renew-deadline duration
              The interval between attempts by the acting master to renew a
              leadership slot before it stops leading. This must be less than
              or equal to the lease duration. This is only applicable if
              leader election is enabled. (default 10s)

       --leader-elect-resource-lock endpoints
              The type of resource object that is used for locking during
              leader election. Supported options are endpoints (default) and
              configmaps. (default "endpoints")

       --leader-elect-retry-period duration
              The duration the clients should wait between attempting
              acquisition and renewal of a leadership. This is only applicable
              if leader election is enabled. (default 2s)

       --log-flush-frequency duration
              Maximum number of seconds between log flushes (default 5s)

       --master string
              The address of the Kubernetes API server (overrides any value in
              kubeconfig).

       --min-resync-period duration
              The resync period in reflectors will be random between
              MinResyncPeriod and 2*MinResyncPeriod. (default 12h0m0s)

       --namespace-sync-period duration
              The period for syncing namespace life-cycle updates (default
              5m0s)

       --node-cidr-mask-size int32
              Mask size for node cidr in cluster. (default 24)

       --node-eviction-rate float32
              Number of nodes per second on which pods are deleted in case of
              node failure when a zone is healthy (see
              --unhealthy-zone-threshold for definition of healthy/unhealthy).
              Zone refers to entire cluster in non-multizone clusters.
              (default 0.1)

       --node-monitor-grace-period duration
              Amount of time which we allow running Node to be unresponsive
              before marking it unhealthy. Must be N times more than kubelet's
              nodeStatusUpdateFrequency, where N means number of retries
              allowed for kubelet to post node status. (default 40s)

       --node-monitor-period duration
              The period for syncing NodeStatus in NodeController. (default 5s)

       --node-startup-grace-period duration
              Amount of time which we allow starting Node to be unresponsive
              before marking it unhealthy. (default 1m0s)

       --pod-eviction-timeout duration
              The grace period for deleting pods on failed nodes. (default
              5m0s)

       --port int
              The port on which to serve unsecured, unauthenticated access.
              Set to 0 to disable. (default 10252) (DEPRECATED: see
              --secure-port instead.)

       --profiling
              Enable profiling via web interface host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs int32
              the increment of time added per Gi to ActiveDeadlineSeconds for
              an NFS scrubber pod (default 30)

       --pv-recycler-minimum-timeout-hostpath int32
              The minimum ActiveDeadlineSeconds to use for a HostPath Recycler
              pod. This is for development and testing only and will not work
              in a multi-node cluster. (default 60)

       --pv-recycler-minimum-timeout-nfs int32
              The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod
              (default 300)

       --pv-recycler-pod-template-filepath-hostpath string
              The file path to a pod definition used as a template for
              HostPath persistent volume recycling. This is for development
              and testing only and will not work in a multi-node cluster.

       --pv-recycler-pod-template-filepath-nfs string
              The file path to a pod definition used as a template for NFS
              persistent volume recycling

       --pv-recycler-timeout-increment-hostpath int32
              the increment of time added per Gi to ActiveDeadlineSeconds for
              a HostPath scrubber pod. This is for development and testing
              only and will not work in a multi-node cluster. (default 30)

       --pvclaimbinder-sync-period duration
              The period for syncing persistent volumes and persistent volume
              claims (default 15s)

       --requestheader-allowed-names strings
              List of client certificate common names to allow to provide
              usernames in headers specified by
              --requestheader-username-headers. If empty, any client
              certificate validated by the authorities in
              --requestheader-client-ca-file is allowed.

       --requestheader-client-ca-file string
              Root certificate bundle to use to verify client certificates on
              incoming requests before trusting usernames in headers specified
              by --requestheader-username-headers. WARNING: generally do not
              depend on authorization being already done for incoming
              requests.

       --requestheader-extra-headers-prefix strings
              List of request header prefixes to inspect. X-Remote-Extra- is
              suggested. (default [x-remote-extra-])

       --requestheader-group-headers strings
              List of request headers to inspect for groups. X-Remote-Group is
              suggested. (default [x-remote-group])

       --requestheader-username-headers strings
              List of request headers to inspect for usernames. X-Remote-User
              is common. (default [x-remote-user])
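The --requestheader-* flags together describe one trust decision: identity headers are believed only when the request arrives over a client certificate that chains to --requestheader-client-ca-file and whose common name is on --requestheader-allowed-names (or that list is empty). The following Python is an added example, not the Kubernetes authenticator itself; it models that decision as a function. It assumes the TLS layer has already verified the client certificate and reports the verdict as a boolean on a small `ClientCert` object (the example does not parse X.509), and the header and configuration values are constructed.

```python
"""Front-proxy (request header) authentication as a decision function.

Added example, not Kubernetes' own authenticator. The gates mirror the
--requestheader-* flags: a client certificate verified against the
requestheader CA (verdict assumed to come from the TLS layer), an
optional CN allow-list, and only then the username/group/extra headers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RequestHeaderConfig:
    # Defaults follow the man page's flag defaults (lower-cased header names).
    username_headers: List[str] = field(default_factory=lambda: ["x-remote-user"])
    group_headers: List[str] = field(default_factory=lambda: ["x-remote-group"])
    extra_headers_prefix: List[str] = field(default_factory=lambda: ["x-remote-extra-"])
    allowed_names: List[str] = field(default_factory=list)  # empty = any CN


@dataclass
class ClientCert:
    common_name: str
    # Assumption of this example: the TLS layer already checked the chain
    # against --requestheader-client-ca-file and reports the result here.
    chains_to_requestheader_ca: bool


@dataclass
class UserInfo:
    name: str
    groups: List[str]
    extra: Dict[str, List[str]]


def authenticate(headers: Dict[str, List[str]], cert: Optional[ClientCert],
                 cfg: RequestHeaderConfig) -> Optional[UserInfo]:
    """Return the proxied identity, or None if the headers must not be trusted."""
    # Gate 1: a client certificate verified against the requestheader CA.
    if cert is None or not cert.chains_to_requestheader_ca:
        return None
    # Gate 2: the CN allow-list, unless --requestheader-allowed-names is empty.
    if cfg.allowed_names and cert.common_name not in cfg.allowed_names:
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    name = next((h[u][0] for u in cfg.username_headers if h.get(u)), None)
    if not name:
        return None
    groups = [g for gh in cfg.group_headers for g in h.get(gh, [])]
    extra: Dict[str, List[str]] = {}
    for key, values in h.items():
        for prefix in cfg.extra_headers_prefix:
            if key.startswith(prefix):
                extra.setdefault(key[len(prefix):], []).extend(values)
    return UserInfo(name, groups, extra)


if __name__ == "__main__":
    # Constructed request: a front proxy presenting CN front-proxy-client.
    cfg = RequestHeaderConfig(allowed_names=["front-proxy-client"])
    hdrs = {"X-Remote-User": ["alice"], "X-Remote-Group": ["dev", "ops"],
            "X-Remote-Extra-Scopes": ["read"]}
    print(authenticate(hdrs, ClientCert("front-proxy-client", True), cfg))
    print(authenticate(hdrs, ClientCert("some-other-client", True), cfg))
```

The returned `UserInfo` is only an identity; as the warning on --requestheader-client-ca-file says, the request must still go through authorization (for this daemon, the webhook configured by --authorization-kubeconfig), so nothing in this function grants access by itself.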

       --resource-quota-sync-period duration
              The period for syncing quota usage status in the system (default
              5m0s)

       --root-ca-file string
              If set, this root certificate authority will be included in
              service account's token secret. This must be a valid PEM-encoded
              CA bundle.

       --route-reconciliation-period duration
              The period for reconciling routes created for Nodes by cloud
              provider. (default 10s)

       --secondary-node-eviction-rate float32
              Number of nodes per second on which pods are deleted in case of
              node failure when a zone is unhealthy (see
              --unhealthy-zone-threshold for definition of healthy/unhealthy).
              Zone refers to entire cluster in non-multizone clusters. This
              value is implicitly overridden to 0 if the cluster size is
              smaller than --large-cluster-size-threshold. (default 0.01)

       --secure-port int
              The port on which to serve HTTPS with authentication and
              authorization. If 0, don't serve HTTPS at all. (default 10257)

       --service-account-private-key-file string
              Filename containing a PEM-encoded private RSA or ECDSA key used
              to sign service account tokens.

       --service-cluster-ip-range string
              CIDR Range for Services in cluster. Requires
              --allocate-node-cidrs to be true

       --terminated-pod-gc-threshold int32
              Number of terminated pods that can exist before the terminated
              pod garbage collector starts deleting terminated pods. If <= 0,
              the terminated pod garbage collector is disabled. (default 12500)

       --tls-cert-file string
              File containing the default x509 Certificate for HTTPS. (CA
              cert, if any, concatenated after server cert). If HTTPS serving
              is enabled, and --tls-cert-file and --tls-private-key-file are
              not provided, a self-signed certificate and key are generated
              for the public address and saved to the directory specified by
              --cert-dir.

       --tls-cipher-suites strings
              Comma-separated list of cipher suites for the server. If
              omitted, the default Go cipher suites will be used. Possible
              values:
              TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
              TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
              TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
              TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
              TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
              TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
              TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
              TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
              TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
              TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
              TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
              TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
              TLS_ECDHE_RSA_WITH_RC4_128_SHA,
              TLS_RSA_WITH_3DES_EDE_CBC_SHA,
              TLS_RSA_WITH_AES_128_CBC_SHA,
              TLS_RSA_WITH_AES_128_CBC_SHA256,
              TLS_RSA_WITH_AES_128_GCM_SHA256,
              TLS_RSA_WITH_AES_256_CBC_SHA,
              TLS_RSA_WITH_AES_256_GCM_SHA384,
              TLS_RSA_WITH_RC4_128_SHA

       --tls-min-version string
              Minimum TLS version supported. Possible values: VersionTLS10,
              VersionTLS11, VersionTLS12

       --tls-private-key-file string
              File containing the default x509 private key matching
              --tls-cert-file.

       --tls-sni-cert-key namedCertKey
              A pair of x509 certificate and private key file paths,
              optionally suffixed with a list of domain patterns which are
              fully qualified domain names, possibly with prefixed wildcard
              segments. If no domain patterns are provided, the names of the
              certificate are extracted. Non-wildcard matches trump over
              wildcard matches, explicit domain patterns trump over extracted
              names. For multiple key/certificate pairs, use the
              --tls-sni-cert-key multiple times. Examples:
              "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
              (default [])
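The value format and precedence rules for --tls-sni-cert-key can be exercised on parsed flag values. The following Python is an added example, not code from the Kubernetes project: it parses values in the documented `cert,key[:pattern,...]` form and picks the pair to serve for an SNI host name. Two points are assumptions of this example rather than statements of the man page: the names that the server would extract from a certificate are passed in by the caller (the example does not read X.509 files), and a wildcard segment is taken to cover exactly one DNS label, with an exact name beating a wildcard before the explicit-over-extracted rule is applied, which is how Go's TLS certificate lookup orders the two rules.

```python
"""Select a --tls-sni-cert-key pair for an SNI host name.

Added example that models the documented precedence; it is not
kube-controller-manager's own implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SNICertKey:
    cert_file: str
    key_file: str
    # Patterns from the optional ":a,b" suffix of the flag value.
    explicit_names: List[str] = field(default_factory=list)
    # Names the server would extract from the certificate; supplied by the
    # caller here (assumption of this example) instead of parsed from X.509.
    extracted_names: List[str] = field(default_factory=list)


def parse_sni_cert_key(value: str,
                       extracted_names: Optional[List[str]] = None) -> SNICertKey:
    """Parse "cert.crt,cert.key" or "cert.crt,cert.key:pat1,pat2"."""
    files, _, patterns = value.partition(":")
    parts = files.split(",")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected 'cert,key[:patterns]', got {value!r}")
    explicit = [p.strip().lower() for p in patterns.split(",") if p.strip()]
    extracted = [n.lower() for n in (extracted_names or [])]
    return SNICertKey(parts[0], parts[1], explicit, extracted)


def _names(entry: SNICertKey) -> List[str]:
    # Per the man page, extracted names are consulted only when the value
    # carried no explicit domain patterns.
    return entry.explicit_names if entry.explicit_names else entry.extracted_names


def select_cert(host: str, entries: List[SNICertKey]) -> Optional[SNICertKey]:
    """Return the entry to serve for host, or None if nothing matches."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Assumption: a wildcard segment stands for exactly one leading label,
    # so "*.<rest>" is the only wildcard form that can match this host.
    candidates = [host]
    if len(labels) > 1:
        candidates.append("*." + ".".join(labels[1:]))
    for name in candidates:                 # exact name first, then wildcard
        for explicit in (True, False):      # explicit patterns beat extracted
            for entry in entries:           # earlier flag values beat later ones
                if bool(entry.explicit_names) == explicit and name in _names(entry):
                    return entry
    return None


if __name__ == "__main__":
    # Constructed flag values; the extracted names stand in for the SANs that
    # would be read from example.crt.
    entries = [
        parse_sni_cert_key("foo.crt,foo.key:*.foo.com,foo.com"),
        parse_sni_cert_key("example.crt,example.key",
                           extracted_names=["example.com", "api.foo.com"]),
    ]
    for host in ("www.foo.com", "api.foo.com", "example.com", "a.b.foo.com"):
        chosen = select_cert(host, entries)
        print(host, "->", chosen.cert_file if chosen else None)
```

Note the `api.foo.com` case: the explicit wildcard `*.foo.com` and the extracted exact name `api.foo.com` both match, and under the exact-before-wildcard ordering the extracted exact name wins. An operator who wants one certificate to cover a whole zone regardless of what other certificates' SANs contain should list its names explicitly rather than relying on extraction.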

       --unhealthy-zone-threshold float32
              Fraction of Nodes in a zone which needs to be not Ready (minimum
              3) for zone to be treated as unhealthy. (default 0.55)

       --use-service-account-credentials
              If true, use individual service account credentials for each
              controller.

       --version version[=true]
              Print version information and quit

EXAMPLES
       /usr/bin/kube-controller-manager --logtostderr=true --v=0
       --master=127.0.0.1:8080
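As an added example (not code from the Kubernetes project), the Python below audits a kube-controller-manager command line such as the one above against the flag semantics documented in this page: the deprecated unauthenticated --port listener, --secure-port, --tls-min-version and --tls-cipher-suites, --use-service-account-credentials, --profiling, and the requirement that --leader-elect-renew-deadline not exceed --leader-elect-lease-duration. Defaults are the ones the page states; the sample command line, the finding texts, and the choice of which cipher suites to flag (RC4 and 3DES as broken, TLS_RSA_* as lacking forward secrecy) are this example's own.

```python
"""Hardening audit of a kube-controller-manager command line.

Added example, not part of the Kubernetes project. The checks follow the
flag semantics documented in the man page; the finding texts and the
choice of cipher suites to flag are this example's own.
"""
import re
from typing import Dict, List

# Flags that may appear without a value (meaning true).
BOOL_FLAGS = {"--profiling", "--contention-profiling", "--leader-elect",
              "--use-service-account-credentials", "--enable-taint-manager"}


def parse_argv(argv: List[str]) -> Dict[str, str]:
    """Collect --flag=value, --flag value and bare boolean --flag into a dict."""
    flags: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("--"):
            i += 1
            continue
        if "=" in arg:
            key, value = arg.split("=", 1)
        elif arg in BOOL_FLAGS or i + 1 >= len(argv) or argv[i + 1].startswith("--"):
            key, value = arg, "true"
        else:
            key, value = arg, argv[i + 1]
            i += 1
        flags[key] = value
        i += 1
    return flags


_DURATION = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNIT = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


def parse_go_duration(text: str) -> float:
    """Convert a Go-style duration such as "1m0s" or "8760h0m0s" to seconds."""
    parts = _DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration {text!r}")
    return sum(float(n) * _UNIT[u] for n, u in parts)


def audit_flags(argv: List[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    f = parse_argv(argv)
    findings: List[str] = []

    # Insecure listener: --port defaults to 10252 and serves unauthenticated HTTP.
    port = f.get("--port", "10252")
    if port != "0":
        findings.append(f"--port={port}: unauthenticated HTTP is served; set --port=0")
    if "--address" in f:
        findings.append("--address is deprecated; use --bind-address")
    if f.get("--secure-port", "10257") == "0":
        findings.append("--secure-port=0: authenticated HTTPS serving is disabled")

    # TLS hygiene: refuse TLS 1.0/1.1 and legacy cipher suites.
    tls_min = f.get("--tls-min-version")
    if tls_min in (None, "VersionTLS10", "VersionTLS11"):
        findings.append(f"--tls-min-version={tls_min or '<unset>'}: set VersionTLS12")
    for suite in filter(None, f.get("--tls-cipher-suites", "").split(",")):
        if "RC4" in suite or "3DES" in suite:
            findings.append(f"--tls-cipher-suites includes broken cipher {suite}")
        elif suite.startswith("TLS_RSA_"):
            findings.append(f"--tls-cipher-suites includes {suite} (no forward secrecy)")

    # Least privilege: a separate service account identity per controller.
    if f.get("--use-service-account-credentials", "false") != "true":
        findings.append("--use-service-account-credentials is off; controllers share one identity")

    # Debug surface: pprof handlers on the serving port.
    if f.get("--profiling") == "true":
        findings.append("--profiling=true exposes host:port/debug/pprof/")

    # Leader election: the renew deadline must not exceed the lease duration.
    lease = parse_go_duration(f.get("--leader-elect-lease-duration", "15s"))
    renew = parse_go_duration(f.get("--leader-elect-renew-deadline", "10s"))
    if renew > lease:
        findings.append(f"--leader-elect-renew-deadline ({renew:g}s) exceeds "
                        f"--leader-elect-lease-duration ({lease:g}s)")
    return findings


if __name__ == "__main__":
    # Constructed command line modelled on the man page's example, with a few
    # deliberately weak settings added so that the audit reports something.
    sample = ["/usr/bin/kube-controller-manager", "--logtostderr=true", "--v=0",
              "--master=127.0.0.1:8080", "--profiling",
              "--tls-cipher-suites=TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    for finding in audit_flags(sample):
        print(finding)
```

To run it against a live host, pass the argument vector of the running process (for example the `command:` list from a static pod manifest) to `audit_flags`; the function is pure, so it fits a CI check or an admission-time policy test just as well.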

kubernetes                       User Manuals                       KUBERNETES(1)