KUBERNETES(1)                General Commands Manual                KUBERNETES(1)

NAME
       kube-controller-manager - Enforces kubernetes services.

SYNOPSIS
       kube-controller-manager [OPTIONS]

DESCRIPTION
       The Kubernetes controller manager is a daemon that embeds the core
       control loops shipped with Kubernetes. In applications of robotics and
       automation, a control loop is a non-terminating loop that regulates the
       state of the system. In Kubernetes, a controller is a control loop that
       watches the shared state of the cluster through the apiserver and makes
       changes attempting to move the current state towards the desired state.
       Examples of controllers that ship with Kubernetes today are the
       replication controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

       kube-controller-manager [flags]

OPTIONS
       --address ip
              The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0) (DEPRECATED: see --bind-address instead.)

       --allocate-node-cidrs
              Should CIDRs for Pods be allocated and set on the cloud provider.

       --alsologtostderr
              log to standard error as well as files

       --attach-detach-reconcile-sync-period duration
              The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods. (default 1m0s)

       --authentication-kubeconfig string
              kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

       --authentication-skip-lookup
              If false, the authentication-kubeconfig will be used to look up missing authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl duration
              The duration to cache responses from the webhook token authenticator. (default 10s)

       --authentication-tolerate-lookup-failure
              If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

       --authorization-always-allow-paths strings
              A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. (default [/healthz])

       --authorization-kubeconfig string
              kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl duration
              The duration to cache 'authorized' responses from the webhook authorizer. (default 10s)

       --authorization-webhook-cache-unauthorized-ttl duration
              The duration to cache 'unauthorized' responses from the webhook authorizer. (default 10s)

       --azure-container-registry-config string
              Path to the file containing Azure container registry configuration information.

       --bind-address ip
              The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0)

       --cert-dir string
              The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

       --cidr-allocator-type string
              Type of CIDR allocator to use (default "RangeAllocator")

       --client-ca-file string
              If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

       --cloud-config string
              The path to the cloud provider configuration file. Empty string for no configuration file.

       --cloud-provider string
              The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-lb-src-cidrs cidrs
              CIDRs opened in GCE firewall for LB traffic proxy health checks (default 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16)

       --cluster-cidr string
              CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true

       --cluster-name string
              The instance prefix for the cluster. (default "kubernetes")

       --cluster-signing-cert-file string
              Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates (default "/etc/kubernetes/ca/ca.pem")

       --cluster-signing-key-file string
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates (default "/etc/kubernetes/ca/ca.key")

       --concurrent-deployment-syncs int32
              The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load (default 5)

       --concurrent-endpoint-syncs int32
              The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load (default 5)

       --concurrent-gc-syncs int32
              The number of garbage collector workers that are allowed to sync concurrently. (default 20)

       --concurrent-namespace-syncs int32
              The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load (default 10)

       --concurrent-replicaset-syncs int32
              The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5)

       --concurrent-resource-quota-syncs int32
              The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load (default 5)

       --concurrent-service-syncs int32
              The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load (default 1)

       --concurrent-serviceaccount-token-syncs int32
              The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load (default 5)

       --concurrent-ttl-after-finished-syncs int32
              The number of TTL-after-finished controller workers that are allowed to sync concurrently. (default 5)

       --concurrent_rc_syncs int32
              The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5)

       --configure-cloud-routes
              Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider. (default true)

       --contention-profiling
              Enable lock contention profiling, if profiling is enabled

       --controller-start-interval duration
              Interval between starting controller managers.

       --controllers strings
              A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
              All controllers: attachdetach, bootstrapsigner, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
              Disabled-by-default controllers: bootstrapsigner, tokencleaner (default [*])

       --deployment-controller-sync-period duration
              Period for syncing the deployments. (default 30s)

       --disable-attach-detach-reconcile-sync
              Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.

       --enable-dynamic-provisioning
              Enable dynamic provisioning for environments that support it. (default true)

       --enable-garbage-collector
              Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver. (default true)

       --enable-hostpath-provisioner
              Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.

       --enable-taint-manager
              WARNING: Beta feature. If set to true, enables NoExecute Taints and evicts all non-tolerating Pods running on Nodes tainted with this kind of Taint. (default true)

       --experimental-cluster-signing-duration duration
              The length of duration signed certificates will be given. (default 8760h0m0s)

       --external-cloud-volume-plugin string
              The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers.
       --feature-gates mapStringBool
              A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIResponseCompression=true|false (ALPHA - default=false)
              AllAlpha=true|false (ALPHA - default=false)
              AppArmor=true|false (BETA - default=true)
              AttachVolumeLimit=true|false (BETA - default=true)
              BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
              BlockVolume=true|false (BETA - default=true)
              BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
              CPUManager=true|false (BETA - default=true)
              CRIContainerLogRotation=true|false (BETA - default=true)
              CSIBlockVolume=true|false (ALPHA - default=false)
              CSIDriverRegistry=true|false (ALPHA - default=false)
              CSINodeInfo=true|false (ALPHA - default=false)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              CustomPodDNS=true|false (BETA - default=true)
              CustomResourceSubresources=true|false (BETA - default=true)
              CustomResourceValidation=true|false (BETA - default=true)
              CustomResourceWebhookConversion=true|false (ALPHA - default=false)
              DebugContainers=true|false (ALPHA - default=false)
              DevicePlugins=true|false (BETA - default=true)
              DryRun=true|false (BETA - default=true)
              DynamicAuditing=true|false (ALPHA - default=false)
              DynamicKubeletConfig=true|false (BETA - default=true)
              EnableEquivalenceClassCache=true|false (ALPHA - default=false)
              ExpandInUsePersistentVolumes=true|false (ALPHA - default=false)
              ExpandPersistentVolumes=true|false (BETA - default=true)
              ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              HugePages=true|false (BETA - default=true)
              HyperVContainer=true|false (ALPHA - default=false)
              Initializers=true|false (ALPHA - default=false)
              KubeletPodResources=true|false (ALPHA - default=false)
              LocalStorageCapacityIsolation=true|false (BETA - default=true)
              MountContainers=true|false (ALPHA - default=false)
              NodeLease=true|false (ALPHA - default=false)
              PersistentLocalVolumes=true|false (BETA - default=true)
              PodPriority=true|false (BETA - default=true)
              PodReadinessGates=true|false (BETA - default=true)
              PodShareProcessNamespace=true|false (BETA - default=true)
              ProcMountType=true|false (ALPHA - default=false)
              QOSReserved=true|false (ALPHA - default=false)
              ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)
              ResourceQuotaScopeSelectors=true|false (BETA - default=true)
              RotateKubeletClientCertificate=true|false (BETA - default=true)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              RunAsGroup=true|false (ALPHA - default=false)
              RuntimeClass=true|false (ALPHA - default=false)
              SCTPSupport=true|false (ALPHA - default=false)
              ScheduleDaemonSetPods=true|false (BETA - default=true)
              ServiceNodeExclusion=true|false (ALPHA - default=false)
              StreamingProxyRedirects=true|false (BETA - default=true)
              SupportPodPidsLimit=true|false (ALPHA - default=false)
              Sysctls=true|false (BETA - default=true)
              TTLAfterFinished=true|false (ALPHA - default=false)
              TaintBasedEvictions=true|false (BETA - default=true)
              TaintNodesByCondition=true|false (BETA - default=true)
              TokenRequest=true|false (BETA - default=true)
              TokenRequestProjection=true|false (BETA - default=true)
              ValidateProxyRedirects=true|false (ALPHA - default=false)
              VolumeSnapshotDataSource=true|false (ALPHA - default=false)
              VolumeSubpathEnvExpansion=true|false (ALPHA - default=false)

       --flex-volume-plugin-dir string
              Full path of the directory in which the flex volume plugin should search for additional third party volume plugins. (default "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/")
       -h, --help
              help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period duration
              The period after pod start when CPU samples might be skipped. (default 5m0s)

       --horizontal-pod-autoscaler-downscale-stabilization duration
              The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period. (default 5m0s)

       --horizontal-pod-autoscaler-initial-readiness-delay duration
              The period after pod start during which readiness changes will be treated as initial readiness. (default 30s)

       --horizontal-pod-autoscaler-sync-period duration
              The period for syncing the number of pods in horizontal pod autoscaler. (default 15s)

       --horizontal-pod-autoscaler-tolerance float
              The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. (default 0.1)

       --http2-max-streams-per-connection int
              The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.

       --kube-api-burst int32
              Burst to use while talking with kubernetes apiserver. (default 30)

       --kube-api-content-type string
              Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf")

       --kube-api-qps float32
              QPS to use while talking with kubernetes apiserver. (default 20)

       --kubeconfig string
              Path to kubeconfig file with authorization and master location information.

       --large-cluster-size-threshold int32
              Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller. (default 50)

       --leader-elect
              Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability. (default true)

       --leader-elect-lease-duration duration
              The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 15s)

       --leader-elect-renew-deadline duration
              The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 10s)

       --leader-elect-resource-lock endpoints
              The type of resource object that is used for locking during leader election. Supported options are endpoints (default) and configmaps. (default "endpoints")

       --leader-elect-retry-period duration
              The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 2s)

       --log-backtrace-at traceLocation
              when logging hits line file:N, emit a stack trace (default :0)
       --log-dir string
              If non-empty, write log files in this directory

       --log-file string
              If non-empty, use this log file

       --log-flush-frequency duration
              Maximum number of seconds between log flushes (default 5s)

       --logtostderr
              log to standard error instead of files (default true)

       --master string
              The address of the Kubernetes API server (overrides any value in kubeconfig).

       --min-resync-period duration
              The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod. (default 12h0m0s)

       --namespace-sync-period duration
              The period for syncing namespace life-cycle updates (default 5m0s)

       --node-cidr-mask-size int32
              Mask size for node cidr in cluster. (default 24)

       --node-eviction-rate float32
              Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. (default 0.1)

       --node-monitor-grace-period duration
              Amount of time which we allow a running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. (default 40s)

       --node-monitor-period duration
              The period for syncing NodeStatus in NodeController. (default 5s)

       --node-startup-grace-period duration
              Amount of time which we allow a starting Node to be unresponsive before marking it unhealthy. (default 1m0s)

       --pod-eviction-timeout duration
              The grace period for deleting pods on failed nodes. (default 5m0s)

       --port int
              The port on which to serve unsecured, unauthenticated access. Set to 0 to disable. (default 10252) (DEPRECATED: see --secure-port instead.)

       --profiling
              Enable profiling via web interface host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs int32
              the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod (default 30)

       --pv-recycler-minimum-timeout-hostpath int32
              The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster. (default 60)

       --pv-recycler-minimum-timeout-nfs int32
              The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod (default 300)

       --pv-recycler-pod-template-filepath-hostpath string
              The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.

       --pv-recycler-pod-template-filepath-nfs string
              The file path to a pod definition used as a template for NFS persistent volume recycling

       --pv-recycler-timeout-increment-hostpath int32
              the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster. (default 30)

       --pvclaimbinder-sync-period duration
              The period for syncing persistent volumes and persistent volume claims (default 15s)

       --requestheader-allowed-names strings
              List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.

       --requestheader-client-ca-file string
              Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.

       --requestheader-extra-headers-prefix strings
              List of request header prefixes to inspect. X-Remote-Extra- is suggested. (default [x-remote-extra-])

       --requestheader-group-headers strings
              List of request headers to inspect for groups. X-Remote-Group is suggested. (default [x-remote-group])

       --requestheader-username-headers strings
              List of request headers to inspect for usernames. X-Remote-User is common. (default [x-remote-user])

       --resource-quota-sync-period duration
              The period for syncing quota usage status in the system (default 5m0s)

       --root-ca-file string
              If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.

       --route-reconciliation-period duration
              The period for reconciling routes created for Nodes by cloud provider. (default 10s)

       --secondary-node-eviction-rate float32
              Number of nodes per second on which pods are deleted in case of node failure when a zone is unhealthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. This value is implicitly overridden to 0 if the cluster size is smaller than --large-cluster-size-threshold. (default 0.01)

       --secure-port int
              The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. (default 10257)

       --service-account-private-key-file string
              Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.

       --service-cluster-ip-range string
              CIDR Range for Services in cluster. Requires --allocate-node-cidrs to be true

       --skip-headers
              If true, avoid header prefixes in the log messages

       --stderrthreshold severity
              logs at or above this threshold go to stderr (default 2)

       --terminated-pod-gc-threshold int32
              Number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If <= 0, the terminated pod garbage collector is disabled. (default 12500)

       --tls-cert-file string
              File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.

       --tls-cipher-suites strings
              Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values:
              TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
              TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
              TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
              TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
              TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
              TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
              TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
              TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
              TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_RC4_128_SHA

       --tls-min-version string
              Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12

       --tls-private-key-file string
              File containing the default x509 private key matching --tls-cert-file.

       --tls-sni-cert-key namedCertKey
              A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". (default [])

       --unhealthy-zone-threshold float32
              Fraction of Nodes in a zone which needs to be not Ready (minimum 3) for zone to be treated as unhealthy. (default 0.55)

       --use-service-account-credentials
              If true, use individual service account credentials for each controller.

       -v, --v Level
              log level for V logs

       --version version[=true]
              Print version information and quit

       --vmodule moduleSpec
              comma-separated list of pattern=N settings for file-filtered logging

EXAMPLES
       /usr/bin/kube-controller-manager --logtostderr=true --v=0 --master=127.0.0.1:8080
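       The invocation above passes only --master, so nothing on the command line carries the authorization information that the --kubeconfig description says lives in the kubeconfig, and every other flag sits at its documented default (insecure --port 10252 open, no --tls-min-version, one shared credential for all controllers). The script below is an added example written for this page by its editor; it is not part of the Kubernetes project and not code from the man page. It audits a kube-controller-manager command line against the flag semantics documented in OPTIONS (--port, --profiling, --kubeconfig, --root-ca-file, --use-service-account-credentials, --tls-min-version, --tls-cipher-suites, and the leader-election lease/renew relationship). The three command lines are constructed samples; the file paths in HARDENED are illustrative. Which of the listed cipher suites count as weak (RC4, 3DES) is general cryptographic knowledge, not a statement made by the page.

```shell
#!/bin/sh
# Added example (editor's, not Kubernetes project code): audit a
# kube-controller-manager command line against the flag semantics documented
# on this page. The sample command lines below are constructed; the file paths
# in HARDENED are illustrative.
set -f   # flag values such as SNI domain patterns may contain '*'; never glob them

# Print the value of FLAG in CMDLINE. Accepts --flag=value and --flag value;
# a bare boolean flag prints "true". Returns 1 (prints nothing) if absent.
flag_value() {
    cmdline=$1; flag=$2
    set -- $cmdline
    while [ $# -gt 0 ]; do
        case $1 in
            "$flag"=*) printf '%s\n' "${1#*=}"; return 0 ;;
            "$flag")
                if [ $# -gt 1 ] && [ "${2#--}" = "$2" ]; then
                    printf '%s\n' "$2"
                else
                    printf 'true\n'
                fi
                return 0 ;;
        esac
        shift
    done
    return 1
}

# Convert a Go duration such as 1m30s or 8760h0m0s to whole seconds
# (h, m and s units only, which covers every default on this page).
go_dur_secs() {
    printf '%s\n' "$1" | awk '{
        s = 0; str = $0
        while (match(str, /^[0-9]+[hms]/)) {
            n = substr(str, 1, RLENGTH - 1); u = substr(str, RLENGTH, 1)
            s += n * (u == "h" ? 3600 : (u == "m" ? 60 : 1))
            str = substr(str, RLENGTH + 1)
        }
        print s }'
}

finding() { printf '%s\n' "$1"; findings=$((findings + 1)); }

# Print one finding per line and leave the count in $findings (always returns 0).
audit_kcm() {
    cmd=$1; findings=0
    v=$(flag_value "$cmd" --port) || v=10252      # page default
    [ "$v" = 0 ] || finding "--port=$v serves unsecured, unauthenticated access; set --port=0"
    v=$(flag_value "$cmd" --profiling) || v=unset
    [ "$v" = false ] || finding "--profiling is '$v' (expected false): /debug/pprof is served on the web interface"
    v=$(flag_value "$cmd" --use-service-account-credentials) || v=unset
    [ "$v" = true ] || finding "--use-service-account-credentials is '$v' (expected true): all controllers share one credential"
    flag_value "$cmd" --kubeconfig >/dev/null || finding "--kubeconfig not set: no authorization information for the apiserver connection (--master only gives its address)"
    flag_value "$cmd" --root-ca-file >/dev/null || finding "--root-ca-file not set: service account token secrets will carry no CA bundle"
    if v=$(flag_value "$cmd" --tls-min-version); then
        [ "$v" = VersionTLS12 ] || finding "--tls-min-version=$v permits TLS below 1.2; use VersionTLS12"
    else
        finding "--tls-min-version not set; set VersionTLS12 explicitly"
    fi
    if v=$(flag_value "$cmd" --tls-cipher-suites); then
        old_ifs=$IFS; IFS=,
        for s in $v; do
            case $s in
                *RC4*|*3DES*) finding "weak suite $s in --tls-cipher-suites (RC4 and 3DES are broken; prefer the ECDHE AES-GCM or CHACHA20 suites)" ;;
            esac
        done
        IFS=$old_ifs
    fi
    lease=$(flag_value "$cmd" --leader-elect-lease-duration) || lease=15s
    renew=$(flag_value "$cmd" --leader-elect-renew-deadline) || renew=10s
    [ "$(go_dur_secs "$renew")" -le "$(go_dur_secs "$lease")" ] ||
        finding "--leader-elect-renew-deadline=$renew exceeds --leader-elect-lease-duration=$lease (must be <=)"
    return 0
}

# Constructed samples. PAGE_EXAMPLE is the invocation from EXAMPLES above.
PAGE_EXAMPLE='/usr/bin/kube-controller-manager --logtostderr=true --v=0 --master=127.0.0.1:8080'
HARDENED='/usr/bin/kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.conf --port=0 --bind-address=127.0.0.1 --profiling=false --use-service-account-credentials=true --service-account-private-key-file=/etc/kubernetes/pki/sa.key --root-ca-file=/etc/kubernetes/pki/ca.crt --tls-min-version=VersionTLS12 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --leader-elect --leader-elect-lease-duration=15s --leader-elect-renew-deadline=10s'
MIXED="$PAGE_EXAMPLE --port 0 --tls-cipher-suites=TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA --leader-elect-lease-duration=5s --leader-elect-renew-deadline=10s"

for name in PAGE_EXAMPLE HARDENED MIXED; do
    eval "cmd=\$$name"
    echo "== $name"
    audit_kcm "$cmd"
    echo "   $findings finding(s)"
done
```

       Run it against the live process's argument list (for example the output of ps on a control-plane node) or the command array of a static pod manifest. The HARDENED line keeps only the ECDHE AES-GCM and CHACHA20 suites from the page's --tls-cipher-suites list and satisfies the renew-deadline <= lease-duration rule stated under --leader-elect-renew-deadline; the MIXED line shows the same checks firing on RC4/3DES suites and an inverted lease.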

kubernetes                        User Manuals                       KUBERNETES(1)