1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7
9 kube-scheduler -
10
11
12
14 kube-scheduler [OPTIONS]
15
16
17
19 The Kubernetes scheduler is a control plane process which assigns Pods
20 to Nodes. The scheduler determines which Nodes are valid placements for
21 each Pod in the scheduling queue according to constraints and available
22 resources. The scheduler then ranks each valid Node and binds the Pod
23 to a suitable Node. Multiple different schedulers may be used within a
24 cluster; kube-scheduler is the reference implementation. See schedul‐
25 ing ⟨https://kubernetes.io/docs/concepts/scheduling-eviction/⟩ for more
26 information about scheduling and the kube-scheduler component.
27
28
29
31 --add-dir-header=false If true, adds the file directory to the
32 header of the log messages
33
34
35 --address="0.0.0.0" DEPRECATED: the IP address on which to listen
36 for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for
37 all IPv6 interfaces). See --bind-address instead. This parameter is ig‐
38 nored if a config file is specified in --config.
39
40
41 --algorithm-provider="" DEPRECATED: the scheduling algorithm
42 provider to use, this sets the default plugins for component config
43 profiles. Choose one of: ClusterAutoscalerProvider | DefaultProvider
44
45
46 --alsologtostderr=false log to standard error as well as files
47
48
49 --authentication-kubeconfig="" kubeconfig file pointing at the
50 'core' kubernetes server with enough rights to create tokenreviews.au‐
51 thentication.k8s.io. This is optional. If empty, all token requests are
52 considered to be anonymous and no client CA is looked up in the clus‐
53 ter.
54
55
56 --authentication-skip-lookup=false If false, the authentica‐
57 tion-kubeconfig will be used to lookup missing authentication configu‐
58 ration from the cluster.
59
60
61 --authentication-token-webhook-cache-ttl=10s The duration to cache
62 responses from the webhook token authenticator.
63
64
65 --authentication-tolerate-lookup-failure=true If true, failures to
66 look up missing authentication configuration from the cluster are not
67 considered fatal. Note that this can result in authentication that
68 treats all requests as anonymous.
69
70
71 --authorization-always-allow-paths=[/healthz] A list of HTTP paths
72 to skip during authorization, i.e. these are authorized without con‐
73 tacting the 'core' kubernetes server.
74
75
76 --authorization-kubeconfig="" kubeconfig file pointing at the
77 'core' kubernetes server with enough rights to create subjectaccessre‐
78 views.authorization.k8s.io. This is optional. If empty, all requests
79 not skipped by authorization are forbidden.
80
81
82 --authorization-webhook-cache-authorized-ttl=10s The duration to
83 cache 'authorized' responses from the webhook authorizer.
84
85
86 --authorization-webhook-cache-unauthorized-ttl=10s The duration to
87 cache 'unauthorized' responses from the webhook authorizer.
88
89
90 --azure-container-registry-config="" Path to the file containing
91 Azure container registry configuration information.
92
93
94 --bind-address=0.0.0.0 The IP address on which to listen for the
95 --secure-port port. The associated interface(s) must be reachable by
96 the rest of the cluster, and by CLI/web clients. If blank or an unspec‐
97 ified address (0.0.0.0 or ::), all interfaces will be used.
98
99
100 --cert-dir="" The directory where the TLS certs are located. If
101 --tls-cert-file and --tls-private-key-file are provided, this flag will
102 be ignored.
103
104
105 --client-ca-file="" If set, any request presenting a client cer‐
106 tificate signed by one of the authorities in the client-ca-file is au‐
107 thenticated with an identity corresponding to the CommonName of the
108 client certificate.
109
110
111 --config="" The path to the configuration file. The following
112 flags can overwrite fields in this file:
113 --algorithm-provider
114 --policy-config-file
115 --policy-configmap
116 --policy-configmap-namespace
117
118
119 --contention-profiling=true DEPRECATED: enable lock contention
120 profiling, if profiling is enabled. This parameter is ignored if a con‐
121 fig file is specified in --config.
122
123
124 --experimental-logging-sanitization=false [Experimental] When en‐
125 abled prevents logging of fields tagged as sensitive (passwords, keys,
126 tokens). Runtime log sanitization may introduce significant computa‐
127 tion overhead and therefore should not be enabled in production.
128
129
130 --feature-gates= A set of key=value pairs that describe feature
131 gates for alpha/experimental features. Options are: APIListChunk‐
132 ing=true|false (BETA - default=true) APIPriorityAndFairness=true|false
133 (BETA - default=true) APIResponseCompression=true|false (BETA - de‐
134 fault=true) APIServerIdentity=true|false (ALPHA - default=false) AllAl‐
135 pha=true|false (ALPHA - default=false) AllBeta=true|false (BETA - de‐
136 fault=false) AllowInsecureBackendProxy=true|false (BETA - default=true)
137 AnyVolumeDataSource=true|false (ALPHA - default=false) AppAr‐
138 mor=true|false (BETA - default=true) BalanceAttachedNodeVol‐
139 umes=true|false (ALPHA - default=false) BoundServiceAccountTokenVol‐
140 ume=true|false (ALPHA - default=false) CPUManager=true|false (BETA -
141 default=true) CRIContainerLogRotation=true|false (BETA - default=true)
142 CSIInlineVolume=true|false (BETA - default=true) CSIMigra‐
143 tion=true|false (BETA - default=true) CSIMigrationAWS=true|false (BETA
144 - default=false) CSIMigrationAWSComplete=true|false (ALPHA - de‐
145 fault=false) CSIMigrationAzureDisk=true|false (BETA - default=false)
146 CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false) CSIMi‐
147 grationAzureFile=true|false (ALPHA - default=false) CSIMigrationAzure‐
148 FileComplete=true|false (ALPHA - default=false) CSIMigra‐
149 tionGCE=true|false (BETA - default=false) CSIMigrationGCECom‐
150 plete=true|false (ALPHA - default=false) CSIMigrationOpen‐
151 Stack=true|false (BETA - default=false) CSIMigrationOpenStackCom‐
152 plete=true|false (ALPHA - default=false) CSIMigrationvSphere=true|false
153 (BETA - default=false) CSIMigrationvSphereComplete=true|false (BETA -
154 default=false) CSIServiceAccountToken=true|false (ALPHA - de‐
155 fault=false) CSIStorageCapacity=true|false (ALPHA - default=false)
156 CSIVolumeFSGroupPolicy=true|false (BETA - default=true) ConfigurableFS‐
157 GroupPolicy=true|false (BETA - default=true) CronJobCon‐
158 trollerV2=true|false (ALPHA - default=false) CustomCPUCFSQuotaPe‐
159 riod=true|false (ALPHA - default=false) DefaultPodTopolo‐
160 gySpread=true|false (BETA - default=true) DevicePlugins=true|false
161 (BETA - default=true) DisableAcceleratorUsageMetrics=true|false (BETA -
162 default=true) DownwardAPIHugePages=true|false (ALPHA - default=false)
163 DynamicKubeletConfig=true|false (BETA - default=true) EfficientWatchRe‐
164 sumption=true|false (ALPHA - default=false) EndpointSlice=true|false
165 (BETA - default=true) EndpointSliceNodeName=true|false (ALPHA - de‐
166 fault=false) EndpointSliceProxying=true|false (BETA - default=true)
167 EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
168 EphemeralContainers=true|false (ALPHA - default=false) ExpandCSIVol‐
169 umes=true|false (BETA - default=true) ExpandInUsePersistentVol‐
170 umes=true|false (BETA - default=true) ExpandPersistentVol‐
171 umes=true|false (BETA - default=true) ExperimentalHostUserNamespaceDe‐
172 faulting=true|false (BETA - default=false) GenericEphemeralVol‐
173 ume=true|false (ALPHA - default=false) GracefulNodeShutdown=true|false
174 (ALPHA - default=false) HPAContainerMetrics=true|false (ALPHA - de‐
175 fault=false) HPAScaleToZero=true|false (ALPHA - default=false)
176 HugePageStorageMediumSize=true|false (BETA - default=true) IPv6Dual‐
177 Stack=true|false (ALPHA - default=false) ImmutableEphemeralVol‐
178 umes=true|false (BETA - default=true) KubeletCredential‐
179 Providers=true|false (ALPHA - default=false) KubeletPo‐
180 dResources=true|false (BETA - default=true) LegacyNodeRoleBehav‐
181 ior=true|false (BETA - default=true) LocalStorageCapacityIsola‐
182 tion=true|false (BETA - default=true) LocalStorageCapacityIsolationF‐
183 SQuotaMonitoring=true|false (ALPHA - default=false) MixedProtocolLBSer‐
184 vice=true|false (ALPHA - default=false) NodeDisruptionExclu‐
185 sion=true|false (BETA - default=true) NonPreemptingPriority=true|false
186 (BETA - default=true) PodDisruptionBudget=true|false (BETA - de‐
187 fault=true) PodOverhead=true|false (BETA - default=true) ProcMount‐
188 Type=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA -
189 default=false) RemainingItemCount=true|false (BETA - default=true) Re‐
190 moveSelfLink=true|false (BETA - default=true) RootCACon‐
191 figMap=true|false (BETA - default=true) RotateKubeletServerCertifi‐
192 cate=true|false (BETA - default=true) RunAsGroup=true|false (BETA - de‐
193 fault=true) ServerSideApply=true|false (BETA - default=true) ServiceAc‐
194 countIssuerDiscovery=true|false (BETA - default=true) ServiceLBNode‐
195 PortControl=true|false (ALPHA - default=false) ServiceNodeExclu‐
196 sion=true|false (BETA - default=true) ServiceTopology=true|false (ALPHA
197 - default=false) SetHostnameAsFQDN=true|false (BETA - default=true)
198 SizeMemoryBackedVolumes=true|false (ALPHA - default=false) StorageVer‐
199 sionAPI=true|false (ALPHA - default=false) StorageVersion‐
200 Hash=true|false (BETA - default=true) Sysctls=true|false (BETA - de‐
201 fault=true) TTLAfterFinished=true|false (ALPHA - default=false) Topolo‐
202 gyManager=true|false (BETA - default=true) ValidateProxyRedi‐
203 rects=true|false (BETA - default=true) WarningHeaders=true|false (BETA
204 - default=true) WinDSR=true|false (ALPHA - default=false) WinOver‐
205 lay=true|false (BETA - default=true) WindowsEndpointSliceProxy‐
206 ing=true|false (ALPHA - default=false)
207
208
209 --hard-pod-affinity-symmetric-weight=1 DEPRECATED: RequiredDur‐
210 ingScheduling affinity is not symmetric, but there is an implicit Pre‐
211 ferredDuringScheduling affinity rule corresponding to every Required‐
212 DuringScheduling affinity rule. --hard-pod-affinity-symmetric-weight
213 represents the weight of implicit PreferredDuringScheduling affinity
214 rule. Must be in the range 0-100.This parameter is ignored if a config
215 file is specified in --config.
216
217
218 -h, --help=false help for kube-scheduler
219
220
221 --http2-max-streams-per-connection=0 The limit that the server
222 gives to clients for the maximum number of streams in an HTTP/2 connec‐
223 tion. Zero means to use golang's default.
224
225
226 --kube-api-burst=100 DEPRECATED: burst to use while talking with
227 kubernetes apiserver. This parameter is ignored if a config file is
228 specified in --config.
229
230
231 --kube-api-content-type="application/vnd.kubernetes.protobuf" DEP‐
232 RECATED: content type of requests sent to apiserver. This parameter is
233 ignored if a config file is specified in --config.
234
235
236 --kube-api-qps=50 DEPRECATED: QPS to use while talking with kuber‐
237 netes apiserver. This parameter is ignored if a config file is speci‐
238 fied in --config.
239
240
241 --kubeconfig="" DEPRECATED: path to kubeconfig file with autho‐
242 rization and master location information. This parameter is ignored if
243 a config file is specified in --config.
244
245
246 --leader-elect=true Start a leader election client and gain lead‐
247 ership before executing the main loop. Enable this when running repli‐
248 cated components for high availability.
249
250
251 --leader-elect-lease-duration=15s The duration that non-leader
252 candidates will wait after observing a leadership renewal until at‐
253 tempting to acquire leadership of a led but unrenewed leader slot. This
254 is effectively the maximum duration that a leader can be stopped before
255 it is replaced by another candidate. This is only applicable if leader
256 election is enabled.
257
258
259 --leader-elect-renew-deadline=10s The interval between attempts by
260 the acting master to renew a leadership slot before it stops leading.
261 This must be less than or equal to the lease duration. This is only ap‐
262 plicable if leader election is enabled.
263
264
265 --leader-elect-resource-lock="leases" The type of resource object
266 that is used for locking during leader election. Supported options are
267 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmap‐
268 sleases'.
269
270
271 --leader-elect-resource-name="kube-scheduler" The name of resource
272 object that is used for locking during leader election.
273
274
275 --leader-elect-resource-namespace="kube-system" The namespace of
276 resource object that is used for locking during leader election.
277
278
279 --leader-elect-retry-period=2s The duration the clients should
280 wait between attempting acquisition and renewal of a leadership. This
281 is only applicable if leader election is enabled.
282
283
284 --lock-object-name="kube-scheduler" DEPRECATED: define the name of
285 the lock object. Will be removed in favor of leader-elect-re‐
286 source-name. This parameter is ignored if a config file is specified in
287 --config.
288
289
290 --lock-object-namespace="kube-system" DEPRECATED: define the name‐
291 space of the lock object. Will be removed in favor of leader-elect-re‐
292 source-namespace. This parameter is ignored if a config file is speci‐
293 fied in --config.
294
295
296 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
297 trace
298
299
300 --log-dir="" If non-empty, write log files in this directory
301
302
303 --log-file="" If non-empty, use this log file
304
305
306 --log-file-max-size=1800 Defines the maximum size a log file can
307 grow to. Unit is megabytes. If the value is 0, the maximum file size is
308 unlimited.
309
310
311 --log-flush-frequency=5s Maximum number of seconds between log
312 flushes
313
314
315 --logging-format="text" Sets the log format. Permitted formats:
316 "json", "text". Non-default formats don't honor these flags:
317 --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir,
318 --log_file, --log_file_max_size, --logtostderr, --one_output,
319 --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule,
320 --log-flush-frequency. Non-default choices are currently alpha and
321 subject to change without warning.
322
323
324 --logtostderr=true log to standard error instead of files
325
326
327 --master="" The address of the Kubernetes API server (overrides
328 any value in kubeconfig)
329
330
331 --one-output=false If true, only write logs to their native sever‐
332 ity level (vs also writing to each lower severity level
333
334
335 --permit-port-sharing=false If true, SO_REUSEPORT will be used
336 when binding the port, which allows more than one instance to bind on
337 the same address and port. [default=false]
338
339
340 --policy-config-file="" DEPRECATED: file with scheduler policy
341 configuration. This file is used if policy ConfigMap is not provided or
342 --use-legacy-policy-config=true. Note: The scheduler will fail if this
343 is combined with Plugin configs
344
345
346 --policy-configmap="" DEPRECATED: name of the ConfigMap object
347 that contains scheduler's policy configuration. It must exist in the
348 system namespace before scheduler initialization if --use-legacy-pol‐
349 icy-config=false. The config must be provided as the value of an ele‐
350 ment in 'Data' map with the key='policy.cfg'. Note: The scheduler will
351 fail if this is combined with Plugin configs
352
353
354 --policy-configmap-namespace="kube-system" DEPRECATED: the name‐
355 space where policy ConfigMap is located. The kube-system namespace will
356 be used if this is not provided or is empty. Note: The scheduler will
357 fail if this is combined with Plugin configs
358
359
360 --port=10251 DEPRECATED: the port on which to serve HTTP inse‐
361 curely without authentication and authorization. If 0, don't serve
362 plain HTTP at all. See --secure-port instead. This parameter is ignored
363 if a config file is specified in --config.
364
365
366 --profiling=true DEPRECATED: enable profiling via web interface
367 host:port/debug/pprof/. This parameter is ignored if a config file is
368 specified in --config.
369
370
371 --requestheader-allowed-names=[] List of client certificate common
372 names to allow to provide usernames in headers specified by --request‐
373 header-username-headers. If empty, any client certificate validated by
374 the authorities in --requestheader-client-ca-file is allowed.
375
376
377 --requestheader-client-ca-file="" Root certificate bundle to use
378 to verify client certificates on incoming requests before trusting
379 usernames in headers specified by --requestheader-username-headers.
380 WARNING: generally do not depend on authorization being already done
381 for incoming requests.
382
383
384 --requestheader-extra-headers-prefix=[x-remote-extra-] List of re‐
385 quest header prefixes to inspect. X-Remote-Extra- is suggested.
386
387
388 --requestheader-group-headers=[x-remote-group] List of request
389 headers to inspect for groups. X-Remote-Group is suggested.
390
391
392 --requestheader-username-headers=[x-remote-user] List of request
393 headers to inspect for usernames. X-Remote-User is common.
394
395
396 --scheduler-name="default-scheduler" DEPRECATED: name of the
397 scheduler, used to select which pods will be processed by this sched‐
398 uler, based on pod's "spec.schedulerName".This parameter is ignored if
399 a config file is specified in --config.
400
401
402 --secure-port=10259 The port on which to serve HTTPS with authen‐
403 tication and authorization. If 0, don't serve HTTPS at all.
404
405
406 --show-hidden-metrics-for-version="" The previous version for
407 which you want to show hidden metrics. Only the previous minor version
408 is meaningful, other values will not be allowed. The format is ., e.g.:
409 '1.16'. The purpose of this format is make sure you have the opportu‐
410 nity to notice if the next release hides additional metrics, rather
411 than being surprised when they are permanently removed in the release
412 after that.
413
414
415 --skip-headers=false If true, avoid header prefixes in the log
416 messages
417
418
419 --skip-log-headers=false If true, avoid headers when opening log
420 files
421
422
423 --stderrthreshold=2 logs at or above this threshold go to stderr
424
425
426 --tls-cert-file="" File containing the default x509 Certificate
427 for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
428 serving is enabled, and --tls-cert-file and --tls-private-key-file are
429 not provided, a self-signed certificate and key are generated for the
430 public address and saved to the directory specified by --cert-dir.
431
432
433 --tls-cipher-suites=[] Comma-separated list of cipher suites for
434 the server. If omitted, the default Go cipher suites will be used.
435 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
436 TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
437 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
438 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
439 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
440 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
441 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
442 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
443 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
444 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
445 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
446 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
447 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
448 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
449 TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
450 TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
451 TLS_RSA_WITH_AES_256_GCM_SHA384. Insecure values:
452 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
453 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
454 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
455 TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
456
457
458 --tls-min-version="" Minimum TLS version supported. Possible val‐
459 ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
460
461
462 --tls-private-key-file="" File containing the default x509 private
463 key matching --tls-cert-file.
464
465
466 --tls-sni-cert-key=[] A pair of x509 certificate and private key
467 file paths, optionally suffixed with a list of domain patterns which
468 are fully qualified domain names, possibly with prefixed wildcard seg‐
469 ments. The domain patterns also allow IP addresses, but IPs should only
470 be used if the apiserver has visibility to the IP address requested by
471 a client. If no domain patterns are provided, the names of the certifi‐
472 cate are extracted. Non-wildcard matches trump over wildcard matches,
473 explicit domain patterns trump over extracted names. For multiple
474 key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
475 ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
476
477
478 --use-legacy-policy-config=false DEPRECATED: when set to true,
479 scheduler will ignore policy ConfigMap and uses policy config file.
480 Note: The scheduler will fail if this is combined with Plugin configs
481
482
483 -v, --v=0 number for the log level verbosity
484
485
486 --version=false Print version information and quit
487
488
489 --vmodule= comma-separated list of pattern=N settings for
490 file-filtered logging
491
492
493 --write-config-to="" If set, write the configuration values to
494 this file and exit.
495
496
497
499 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
500 com) based on the kubernetes source material, but hopefully they have
501 been automatically generated since!
502
503
504
505Manuals User KUBERNETES(1)(kubernetes)