KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

NAME

       kube-controller-manager - Enforces kubernetes services.

SYNOPSIS

       kube-controller-manager [OPTIONS]

DESCRIPTION

       The Kubernetes controller manager is a daemon that embeds the core control
       loops shipped with Kubernetes. In applications of robotics and automation,
       a control loop is a non-terminating loop that regulates the state of the
       system. In Kubernetes, a controller is a control loop that watches the
       shared state of the cluster through the apiserver and makes changes
       attempting to move the current state towards the desired state. Examples
       of controllers that ship with Kubernetes today are the replication
       controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

       kube-controller-manager [flags]
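
       Several flags listed under OPTIONS decide how exposed the daemon is:
       --port, --address, --profiling, --authentication-kubeconfig,
       --authentication-tolerate-lookup-failure and --enable-hostpath-provisioner.
       The following is an added example, not part of the Kubernetes documentation
       or code: it audits a command line against the defaults this page states.
       Function names, finding texts and the sample command lines are constructed.

```python
"""Audit a kube-controller-manager command line for the listener and
authentication flags described under OPTIONS.

Added example: not Kubernetes code. Function names, finding texts and the
sample command lines are constructed for illustration.
"""

# Defaults as stated in the flag descriptions on this page.
DEFAULTS = {
    "port": "10252",
    "address": "0.0.0.0",
    "profiling": "true",
    "authentication-kubeconfig": "",
    "authentication-tolerate-lookup-failure": "false",
    "enable-hostpath-provisioner": "false",
}
# Flags that take no separate value token; a bare "--flag" means true.
BOOL_FLAGS = {
    "profiling",
    "authentication-tolerate-lookup-failure",
    "enable-hostpath-provisioner",
}
UNSPECIFIED = {"0.0.0.0", "::"}


def parse_flags(argv):
    """Map flag name -> value for "--flag=value", "--flag value" and bare booleans.

    Assumption: a flag outside BOOL_FLAGS consumes the next token as its value
    when that token does not start with "-".
    """
    flags = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-"):
            continue  # binary name or stray positional argument
        name, has_value, value = arg.lstrip("-").partition("=")
        if not has_value:
            takes_next = name not in BOOL_FLAGS and i < len(argv) and not argv[i].startswith("-")
            if takes_next:
                value = argv[i]
                i += 1
            else:
                value = "true"
        flags[name] = value
    return flags


def is_true(value):
    return value.strip().lower() in {"1", "t", "true"}


def audit(argv):
    """Return a list of (flag, finding) tuples for one command line."""
    cfg = {**DEFAULTS, **parse_flags(argv)}
    findings = []
    try:
        port = int(cfg["port"])
    except ValueError:
        port = -1  # unparsable value: report it rather than assume disabled
    if port != 0:
        scope = "all interfaces" if cfg["address"] in UNSPECIFIED else cfg["address"]
        findings.append(("port", f"unsecured, unauthenticated listener on {scope}, "
                                 f"port {cfg['port']}; set --port=0"))
    if is_true(cfg["profiling"]):
        findings.append(("profiling",
                         "host:port/debug/pprof/ is served; set --profiling=false"))
    if not cfg["authentication-kubeconfig"]:
        findings.append(("authentication-kubeconfig",
                         "empty: all token requests are considered anonymous"))
    if is_true(cfg["authentication-tolerate-lookup-failure"]):
        findings.append(("authentication-tolerate-lookup-failure",
                         "lookup failures can leave all requests treated as anonymous"))
    if is_true(cfg["enable-hostpath-provisioner"]):
        findings.append(("enable-hostpath-provisioner",
                         "HostPath provisioning is for testing or development only"))
    return findings


# Constructed sample command lines (paths are placeholders).
WEAK_ARGV = [
    "kube-controller-manager",
    "--kubeconfig=/path/to/controller-manager.kubeconfig",
    "--leader-elect",
]
HARDENED_ARGV = [
    "kube-controller-manager",
    "--kubeconfig=/path/to/controller-manager.kubeconfig",
    "--port=0",
    "--profiling=false",
    "--authentication-kubeconfig", "/path/to/controller-manager.kubeconfig",
]

if __name__ == "__main__":
    for label, argv in (("weak", WEAK_ARGV), ("hardened", HARDENED_ARGV)):
        results = audit(argv)
        print(f"{label}: {len(results)} finding(s)")
        for flag, finding in results:
            print(f"  --{flag}: {finding}")
```

       The argv list can be taken from the command the daemon is started with,
       for example the command array of its pod manifest or service unit.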

OPTIONS

                --add-dir-header                                                 If true, adds the file directory to the header
                --address ip                                                     The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0) (DEPRECATED: see --bind-address instead.)
                --allocate-node-cidrs                                            Should CIDRs for Pods be allocated and set on the cloud provider.
                --alsologtostderr                                                log to standard error as well as files
                --attach-detach-reconcile-sync-period duration                   The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods. (default 1m0s)
                --authentication-kubeconfig string                               kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.
                --authentication-skip-lookup                                     If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster.
                --authentication-token-webhook-cache-ttl duration                The duration to cache responses from the webhook token authenticator. (default 10s)
                --authentication-tolerate-lookup-failure                         If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.
                --authorization-always-allow-paths strings                       A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. (default [/healthz])
                --authorization-kubeconfig string                                kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.
                --authorization-webhook-cache-authorized-ttl duration            The duration to cache 'authorized' responses from the webhook authorizer. (default 10s)
                --authorization-webhook-cache-unauthorized-ttl duration          The duration to cache 'unauthorized' responses from the webhook authorizer. (default 10s)
                --azure-container-registry-config string                         Path to the file containing Azure container registry configuration information.
                --bind-address ip                                                The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. (default 0.0.0.0)
                --cert-dir string                                                The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.
                --cidr-allocator-type string                                     Type of CIDR allocator to use (default "RangeAllocator")
                --client-ca-file string                                          If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
                --cloud-config string                                            The path to the cloud provider configuration file. Empty string for no configuration file.
                --cloud-provider string                                          The provider for cloud services. Empty string for no provider.
                --cluster-cidr string                                            CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true
                --cluster-name string                                            The instance prefix for the cluster. (default "kubernetes")
                --cluster-signing-cert-file string                               Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates (default "/etc/kubernetes/ca/ca.pem")
                --cluster-signing-key-file string                                Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates (default "/etc/kubernetes/ca/ca.key")
                --concurrent-deployment-syncs int32                              The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load (default 5)
                --concurrent-endpoint-syncs int32                                The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load (default 5)
                --concurrent-gc-syncs int32                                      The number of garbage collector workers that are allowed to sync concurrently. (default 20)
                --concurrent-namespace-syncs int32                               The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load (default 10)
                --concurrent-replicaset-syncs int32                              The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5)
                --concurrent-resource-quota-syncs int32                          The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load (default 5)
                --concurrent-service-endpoint-syncs int32                        The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5. (default 5)
                --concurrent-service-syncs int32                                 The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load (default 1)
                --concurrent-serviceaccount-token-syncs int32                    The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load (default 5)
                --concurrent-statefulset-syncs int32                             The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load (default 5)
                --concurrent-ttl-after-finished-syncs int32                      The number of TTL-after-finished controller workers that are allowed to sync concurrently. (default 5)
                --concurrent_rc_syncs int32                                      The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5)
                --configure-cloud-routes                                         Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider. (default true)
                --contention-profiling                                           Enable lock contention profiling, if profiling is enabled
                --controller-start-interval duration                             Interval between starting controller managers.
                --controllers strings                                            A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
                                                                                 All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
                                                                                 Disabled-by-default controllers: bootstrapsigner, tokencleaner (default [*])
                --deployment-controller-sync-period duration                     Period for syncing the deployments. (default 30s)
                --disable-attach-detach-reconcile-sync                           Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.
                --enable-dynamic-provisioning                                    Enable dynamic provisioning for environments that support it. (default true)
                --enable-garbage-collector                                       Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver. (default true)
                --enable-hostpath-provisioner                                    Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features.  HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.
                --enable-taint-manager                                           WARNING: Beta feature. If set to true enables NoExecute Taints and will evict all not-tolerating Pod running on Nodes tainted with this kind of Taints. (default true)
                --endpoint-updates-batch-period duration                         The length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated
                --endpointslice-updates-batch-period duration                    The length of endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated
                --experimental-cluster-signing-duration duration                 The length of duration signed certificates will be given. (default 8760h0m0s)
                --external-cloud-volume-plugin string                            The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers.
                --feature-gates mapStringBool                                    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
                                                                                 APIListChunking=true|false (BETA - default=true)
                                                                                 APIPriorityAndFairness=true|false (ALPHA - default=false)
                                                                                 APIResponseCompression=true|false (BETA - default=true)
                                                                                 AllAlpha=true|false (ALPHA - default=false)
                                                                                 AllBeta=true|false (BETA - default=false)
                                                                                 AllowInsecureBackendProxy=true|false (BETA - default=true)
                                                                                 AnyVolumeDataSource=true|false (ALPHA - default=false)
                                                                                 AppArmor=true|false (BETA - default=true)
                                                                                 BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
                                                                                 BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
                                                                                 CPUManager=true|false (BETA - default=true)
                                                                                 CRIContainerLogRotation=true|false (BETA - default=true)
                                                                                 CSIInlineVolume=true|false (BETA - default=true)
                                                                                 CSIMigration=true|false (BETA - default=true)
                                                                                 CSIMigrationAWS=true|false (BETA - default=false)
                                                                                 CSIMigrationAWSComplete=true|false (ALPHA - default=false)
                                                                                 CSIMigrationAzureDisk=true|false (ALPHA - default=false)
                                                                                 CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
                                                                                 CSIMigrationAzureFile=true|false (ALPHA - default=false)
                                                                                 CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
                                                                                 CSIMigrationGCE=true|false (BETA - default=false)
                                                                                 CSIMigrationGCEComplete=true|false (ALPHA - default=false)
                                                                                 CSIMigrationOpenStack=true|false (BETA - default=false)
                                                                                 CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
                                                                                 ConfigurableFSGroupPolicy=true|false (ALPHA - default=false)
                                                                                 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
                                                                                 DefaultIngressClass=true|false (BETA - default=true)
                                                                                 DevicePlugins=true|false (BETA - default=true)
                                                                                 DryRun=true|false (BETA - default=true)
                                                                                 DynamicAuditing=true|false (ALPHA - default=false)
                                                                                 DynamicKubeletConfig=true|false (BETA - default=true)
                                                                                 EndpointSlice=true|false (BETA - default=true)
                                                                                 EndpointSliceProxying=true|false (ALPHA - default=false)
                                                                                 EphemeralContainers=true|false (ALPHA - default=false)
                                                                                 EvenPodsSpread=true|false (BETA - default=true)
                                                                                 ExpandCSIVolumes=true|false (BETA - default=true)
                                                                                 ExpandInUsePersistentVolumes=true|false (BETA - default=true)
                                                                                 ExpandPersistentVolumes=true|false (BETA - default=true)
                                                                                 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
                                                                                 HPAScaleToZero=true|false (ALPHA - default=false)
                                                                                 HugePageStorageMediumSize=true|false (ALPHA - default=false)
                                                                                 HyperVContainer=true|false (ALPHA - default=false)
                                                                                 IPv6DualStack=true|false (ALPHA - default=false)
                                                                                 ImmutableEphemeralVolumes=true|false (ALPHA - default=false)
                                                                                 KubeletPodResources=true|false (BETA - default=true)
                                                                                 LegacyNodeRoleBehavior=true|false (ALPHA - default=true)
                                                                                 LocalStorageCapacityIsolation=true|false (BETA - default=true)
                                                                                 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
                                                                                 NodeDisruptionExclusion=true|false (ALPHA - default=false)
                                                                                 NonPreemptingPriority=true|false (ALPHA - default=false)
                                                                                 PodDisruptionBudget=true|false (BETA - default=true)
                                                                                 PodOverhead=true|false (BETA - default=true)
                                                                                 ProcMountType=true|false (ALPHA - default=false)
                                                                                 QOSReserved=true|false (ALPHA - default=false)
                                                                                 RemainingItemCount=true|false (BETA - default=true)
                                                                                 RemoveSelfLink=true|false (ALPHA - default=false)
                                                                                 ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)
                                                                                 RotateKubeletClientCertificate=true|false (BETA - default=true)
                                                                                 RotateKubeletServerCertificate=true|false (BETA - default=true)
                                                                                 RunAsGroup=true|false (BETA - default=true)
                                                                                 RuntimeClass=true|false (BETA - default=true)
                                                                                 SCTPSupport=true|false (ALPHA - default=false)
                                                                                 SelectorIndex=true|false (ALPHA - default=false)
                                                                                 ServerSideApply=true|false (BETA - default=true)
                                                                                 ServiceAccountIssuerDiscovery=true|false (ALPHA - default=false)
                                                                                 ServiceAppProtocol=true|false (ALPHA - default=false)
                                                                                 ServiceNodeExclusion=true|false (ALPHA - default=false)
                                                                                 ServiceTopology=true|false (ALPHA - default=false)
                                                                                 StartupProbe=true|false (BETA - default=true)
                                                                                 StorageVersionHash=true|false (BETA - default=true)
                                                                                 SupportNodePidsLimit=true|false (BETA - default=true)
                                                                                 SupportPodPidsLimit=true|false (BETA - default=true)
                                                                                 Sysctls=true|false (BETA - default=true)
                                                                                 TTLAfterFinished=true|false (ALPHA - default=false)
                                                                                 TokenRequest=true|false (BETA - default=true)
                                                                                 TokenRequestProjection=true|false (BETA - default=true)
                                                                                 TopologyManager=true|false (BETA - default=true)
                                                                                 ValidateProxyRedirects=true|false (BETA - default=true)
                                                                                 VolumeSnapshotDataSource=true|false (BETA - default=true)
                                                                                 WinDSR=true|false (ALPHA - default=false)
                                                                                 WinOverlay=true|false (ALPHA - default=false)
                --flex-volume-plugin-dir string                                  Full path of the directory in which the flex volume plugin should search for additional third party volume plugins. (default "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/")
            -h, --help                                                           help for kube-controller-manager
                --horizontal-pod-autoscaler-cpu-initialization-period duration   The period after pod start when CPU samples might be skipped. (default 5m0s)
                --horizontal-pod-autoscaler-downscale-stabilization duration     The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period. (default 5m0s)
                --horizontal-pod-autoscaler-initial-readiness-delay duration     The period after pod start during which readiness changes will be treated as initial readiness. (default 30s)
                --horizontal-pod-autoscaler-sync-period duration                 The period for syncing the number of pods in horizontal pod autoscaler. (default 15s)
                --horizontal-pod-autoscaler-tolerance float                      The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. (default 0.1)
                --http2-max-streams-per-connection int                           The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
                --kube-api-burst int32                                           Burst to use while talking with kubernetes apiserver. (default 30)
                --kube-api-content-type string                                   Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf")
                --kube-api-qps float32                                           QPS to use while talking with kubernetes apiserver. (default 20)
                --kubeconfig string                                              Path to kubeconfig file with authorization and master location information.
                --large-cluster-size-threshold int32                             Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller. (default 50)
                --leader-elect                                                   Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability. (default true)
                --leader-elect-lease-duration duration                           The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 15s)
                --leader-elect-renew-deadline duration                           The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 10s)
                --leader-elect-resource-lock endpoints                           The type of resource object that is used for locking during leader election. Supported options are endpoints (default) and configmaps. (default "endpointsleases")
                --leader-elect-resource-name string                              The name of resource object that is used for locking during leader election. (default "kube-controller-manager")
                --leader-elect-resource-namespace string                         The namespace of resource object that is used for locking during leader election. (default "kube-system")
                --leader-elect-retry-period duration                             The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 2s)
                --log-backtrace-at traceLocation                                 when logging hits line file:N, emit a stack trace (default :0)
269                --log-dir string                                                 If non-empty, write log files in this directory
270                --log-file string                                                If non-empty, use this log file
271                --log-file-max-size uint                                         Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
272                --log-flush-frequency duration                                   Maximum number of seconds between log flushes (default 5s)
                --logtostderr                                                    log to standard error instead of files (default true)
                --master string                                                  The address of the Kubernetes API server (overrides any value in kubeconfig).
                --max-endpoints-per-slice int32                                  The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100. (default 100)
                --min-resync-period duration                                     The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod. (default 12h0m0s)
                --namespace-sync-period duration                                 The period for syncing namespace life-cycle updates (default 5m0s)
                --node-cidr-mask-size int32                                      Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6.
                --node-cidr-mask-size-ipv4 int32                                 Mask size for IPv4 node cidr in dual-stack cluster. Default is 24.
                --node-cidr-mask-size-ipv6 int32                                 Mask size for IPv6 node cidr in dual-stack cluster. Default is 64.
                --node-eviction-rate float32                                     Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. (default 0.1)
                --node-monitor-grace-period duration                             Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. (default 40s)
                --node-monitor-period duration                                   The period for syncing NodeStatus in NodeController. (default 5s)
                --node-startup-grace-period duration                             Amount of time which we allow starting Node to be unresponsive before marking it unhealthy. (default 1m0s)
                --pod-eviction-timeout duration                                  The grace period for deleting pods on failed nodes. (default 5m0s)
                --port int                                                       The port on which to serve unsecured, unauthenticated access. Set to 0 to disable. (default 10252) (DEPRECATED: see --secure-port instead.)
                --profiling                                                      Enable profiling via web interface host:port/debug/pprof/ (default true)
                --pv-recycler-increment-timeout-nfs int32                        the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod (default 30)
                --pv-recycler-minimum-timeout-hostpath int32                     The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod.  This is for development and testing only and will not work in a multi-node cluster. (default 60)
                --pv-recycler-minimum-timeout-nfs int32                          The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod (default 300)
                --pv-recycler-pod-template-filepath-hostpath string              The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.
                --pv-recycler-pod-template-filepath-nfs string                   The file path to a pod definition used as a template for NFS persistent volume recycling
                --pv-recycler-timeout-increment-hostpath int32                   the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod.  This is for development and testing only and will not work in a multi-node cluster. (default 30)
                --pvclaimbinder-sync-period duration                             The period for syncing persistent volumes and persistent volume claims (default 15s)
                --requestheader-allowed-names strings                            List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
                --requestheader-client-ca-file string                            Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.
                --requestheader-extra-headers-prefix strings                     List of request header prefixes to inspect. X-Remote-Extra- is suggested. (default [x-remote-extra-])
                --requestheader-group-headers strings                            List of request headers to inspect for groups. X-Remote-Group is suggested. (default [x-remote-group])
                --requestheader-username-headers strings                         List of request headers to inspect for usernames. X-Remote-User is common. (default [x-remote-user])
                --resource-quota-sync-period duration                            The period for syncing quota usage status in the system (default 5m0s)
                --root-ca-file string                                            If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.
                --route-reconciliation-period duration                           The period for reconciling routes created for Nodes by cloud provider. (default 10s)
                --secondary-node-eviction-rate float32                           Number of nodes per second on which pods are deleted in case of node failure when a zone is unhealthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. This value is implicitly overridden to 0 if the cluster size is smaller than --large-cluster-size-threshold. (default 0.01)
                --secure-port int                                                The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. (default 10257)
                --service-account-private-key-file string                        Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.
                --service-cluster-ip-range string                                CIDR Range for Services in cluster. Requires --allocate-node-cidrs to be true
                --show-hidden-metrics-for-version string                         The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is <major>.<minor>, e.g. '1.16'. The purpose of this format is to make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that.
                --skip-headers                                                   If true, avoid header prefixes in the log messages
                --skip-log-headers                                               If true, avoid headers when opening log files
                --stderrthreshold severity                                       logs at or above this threshold go to stderr (default 2)
                --terminated-pod-gc-threshold int32                              Number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If <= 0, the terminated pod garbage collector is disabled. (default 12500)
                --tls-cert-file string                                           File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
                --tls-cipher-suites strings                                      Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
                --tls-min-version string                                         Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
                --tls-private-key-file string                                    File containing the default x509 private key matching --tls-cert-file.
                --tls-sni-cert-key namedCertKey                                  A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". (default [])
                --unhealthy-zone-threshold float32                               Fraction of Nodes in a zone which needs to be not Ready (minimum 3) for zone to be treated as unhealthy.  (default 0.55)
                --use-service-account-credentials                                If true, use individual service account credentials for each controller.
            -v, --v Level                                                        number for the log level verbosity
                --version version[=true]                                         Print version information and quit
                --vmodule moduleSpec                                             comma-separated list of pattern=N settings for file-filtered logging

EXAMPLES

       /usr/bin/kube-controller-manager --logtostderr=true --v=0 --master=127.0.0.1:8080
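
       Several options above decide how exposed the daemon is: --port, --profiling, --tls-min-version, --tls-cipher-suites and --use-service-account-credentials. The shell function below is an added example, not part of the upstream manual, that checks a flag list against them. It assumes flags are written in --flag=value form; the finding labels, and the choice to treat RC4 and 3DES suites and TLS 1.0/1.1 as weak, are this example's own.

```shell
#!/bin/sh
# Added example, not part of the upstream manual: report risky settings in a
# kube-controller-manager flag list. Assumes the --flag=value form.
audit_kcm_flags() (
    port=10252        # documented default: unauthenticated port is open
    profiling=true    # documented default: /debug/pprof/ is served
    sa_creds=false    # no default shown on the page: treated as off
    tls_min=""
    ciphers=""
    for arg in "$@"; do
        case "$arg" in
            --port=*)              port=${arg#*=} ;;
            --profiling)           profiling=true ;;
            --profiling=*)         profiling=${arg#*=} ;;
            --tls-min-version=*)   tls_min=${arg#*=} ;;
            --tls-cipher-suites=*) ciphers=${arg#*=} ;;
            --use-service-account-credentials)   sa_creds=true ;;
            --use-service-account-credentials=*) sa_creds=${arg#*=} ;;
        esac
    done
    [ "$port" = 0 ] ||
        printf '%s\n' "insecure-port: --port=$port is unauthenticated; set --port=0"
    case "$profiling" in          # boolean spellings accepted by Go flags
        0|f|F|false|FALSE|False) ;;
        *) printf '%s\n' "profiling: /debug/pprof/ is served; set --profiling=false" ;;
    esac
    case "$tls_min" in
        VersionTLS10|VersionTLS11)
            printf '%s\n' "tls-min-version: $tls_min; use VersionTLS12 or VersionTLS13" ;;
    esac
    IFS=,                         # split the suite list; local to this subshell
    for suite in $ciphers; do
        case "$suite" in
            *_RC4_*|*_3DES_*) printf '%s\n' "weak-cipher: $suite" ;;
        esac
    done
    case "$sa_creds" in
        1|t|T|true|TRUE|True) ;;
        *) printf '%s\n' "shared-credentials: set --use-service-account-credentials=true" ;;
    esac
    exit 0                        # findings go to stdout, not the exit status
)

# The invocation from the EXAMPLES section above yields three findings.
audit_kcm_flags --logtostderr=true --v=0 --master=127.0.0.1:8080
```

       The function only reads the arguments it is given; it does not inspect a running process or a kubeconfig.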