KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kube-controller-manager -

SYNOPSIS
       kube-controller-manager [OPTIONS]

DESCRIPTION
       The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.

OPTIONS
       --add_dir_header=false
              If true, adds the file directory to the header of the log messages

       --allocate-node-cidrs=false
              Should CIDRs for Pods be allocated and set on the cloud provider.

       --allow-metric-labels=[]
              The map from metric-label to value allow-list of this label. The key's format is ,. The value's format is ,...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'.

       --allow-untagged-cloud=false
              Allow the cluster to run without the cluster-id on cloud instances. This is a legacy mode of operation and a cluster-id will be required in the future.

       --alsologtostderr=false
              log to standard error as well as files

       --attach-detach-reconcile-sync-period=1m0s
              The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods.

       --authentication-kubeconfig=""
              kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

       --authentication-skip-lookup=false
              If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s
              The duration to cache responses from the webhook token authenticator.

       --authentication-tolerate-lookup-failure=false
              If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

       --authorization-always-allow-paths=[/healthz,/readyz,/livez]
              A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""
              kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s
              The duration to cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s
              The duration to cache 'unauthorized' responses from the webhook authorizer.

       --azure-container-registry-config=""
              Path to the file containing Azure container registry configuration information.

       --bind-address=0.0.0.0
              The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""
              The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

       --cidr-allocator-type="RangeAllocator"
              Type of CIDR allocator to use

       --client-ca-file=""
              If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

       --cloud-config=""
              The path to the cloud provider configuration file. Empty string for no configuration file.

       --cloud-provider=""
              The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks

       --cluster-cidr=""
              CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true

       --cluster-name="kubernetes"
              The instance prefix for the cluster.

       --cluster-signing-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s
              The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.

       --cluster-signing-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kube-apiserver-client-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --concurrent-deployment-syncs=5
              The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load

       --concurrent-endpoint-syncs=5
              The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load

       --concurrent-ephemeralvolume-syncs=5
              The number of ephemeral volume syncing operations that will be done concurrently. Larger number = faster ephemeral volume updating, but more CPU (and network) load

       --concurrent-gc-syncs=20
              The number of garbage collector workers that are allowed to sync concurrently.

       --concurrent-namespace-syncs=10
              The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load

       --concurrent-replicaset-syncs=5
              The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load

       --concurrent-resource-quota-syncs=5
              The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load

       --concurrent-service-endpoint-syncs=5
              The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

       --concurrent-service-syncs=1
              The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load

       --concurrent-serviceaccount-token-syncs=5
              The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load

       --concurrent-statefulset-syncs=5
              The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load

       --concurrent-ttl-after-finished-syncs=5
              The number of TTL-after-finished controller workers that are allowed to sync concurrently.

       --concurrent_rc_syncs=5
              The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load

       --configure-cloud-routes=true
              Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.

       --contention-profiling=false
              Enable lock contention profiling, if profiling is enabled

       --controller-start-interval=0s
              Interval between starting controller managers.

       --controllers=[]
              A list of controllers to enable. '' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'. All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished. Disabled-by-default controllers: bootstrapsigner, tokencleaner

       --deleting-pods-burst=0
              Number of nodes on which pods are deleted in a burst in case of node failure. For more details look into RateLimiter.

       --deleting-pods-qps=0.1
              Number of nodes per second on which pods are deleted in case of node failure.

       --disable-attach-detach-reconcile-sync=false
              Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.

       --disabled-metrics=[]
              This flag provides an escape hatch for misbehaving metrics. You must provide the fully qualified metric name in order to disable it. Disclaimer: disabling metrics is higher in precedence than showing hidden metrics.

       --enable-dynamic-provisioning=true
              Enable dynamic provisioning for environments that support it.

       --enable-garbage-collector=true
              Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver.

       --enable-hostpath-provisioner=false
              Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.

       --enable-leader-migration=false
              Whether to enable controller leader migration.

       --enable-taint-manager=true
              WARNING: Beta feature. If set to true, enables NoExecute Taints and evicts all non-tolerating Pods running on Nodes tainted with this kind of Taint.

       --endpoint-updates-batch-period=0s
              The length of the endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoint updates. Larger number = higher endpoint programming latency, but fewer endpoint revisions generated

       --endpointslice-updates-batch-period=0s
              The length of the endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoint updates. Larger number = higher endpoint programming latency, but fewer endpoint revisions generated

       --experimental-cluster-signing-duration=8760h0m0s
              The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.

       --external-cloud-volume-plugin=""
              The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in-tree cloud providers.

       --feature-gates=
              A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIPriorityAndFairness=true|false (BETA - default=true)
              APIResponseCompression=true|false (BETA - default=true)
              APIServerIdentity=true|false (ALPHA - default=false)
              APIServerTracing=true|false (ALPHA - default=false)
              AllAlpha=true|false (ALPHA - default=false)
              AllBeta=true|false (BETA - default=false)
              AnyVolumeDataSource=true|false (BETA - default=true)
              AppArmor=true|false (BETA - default=true)
              CPUManager=true|false (BETA - default=true)
              CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
              CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
              CPUManagerPolicyOptions=true|false (BETA - default=true)
              CSIInlineVolume=true|false (BETA - default=true)
              CSIMigration=true|false (BETA - default=true)
              CSIMigrationAWS=true|false (BETA - default=true)
              CSIMigrationAzureFile=true|false (BETA - default=true)
              CSIMigrationGCE=true|false (BETA - default=true)
              CSIMigrationPortworx=true|false (ALPHA - default=false)
              CSIMigrationRBD=true|false (ALPHA - default=false)
              CSIMigrationvSphere=true|false (BETA - default=false)
              CSIVolumeHealth=true|false (ALPHA - default=false)
              ContextualLogging=true|false (ALPHA - default=false)
              CronJobTimeZone=true|false (ALPHA - default=false)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              CustomResourceValidationExpressions=true|false (ALPHA - default=false)
              DaemonSetUpdateSurge=true|false (BETA - default=true)
              DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
              DevicePlugins=true|false (BETA - default=true)
              DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
              DisableCloudProviders=true|false (ALPHA - default=false)
              DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
              DownwardAPIHugePages=true|false (BETA - default=true)
              EndpointSliceTerminatingCondition=true|false (BETA - default=true)
              EphemeralContainers=true|false (BETA - default=true)
              ExpandedDNSConfig=true|false (ALPHA - default=false)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              GRPCContainerProbe=true|false (BETA - default=true)
              GracefulNodeShutdown=true|false (BETA - default=true)
              GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
              HPAContainerMetrics=true|false (ALPHA - default=false)
              HPAScaleToZero=true|false (ALPHA - default=false)
              HonorPVReclaimPolicy=true|false (ALPHA - default=false)
              IdentifyPodOS=true|false (BETA - default=true)
              InTreePluginAWSUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
              InTreePluginGCEUnregister=true|false (ALPHA - default=false)
              InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
              InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
              InTreePluginRBDUnregister=true|false (ALPHA - default=false)
              InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
              JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
              JobReadyPods=true|false (BETA - default=true)
              JobTrackingWithFinalizers=true|false (BETA - default=false)
              KubeletCredentialProviders=true|false (BETA - default=true)
              KubeletInUserNamespace=true|false (ALPHA - default=false)
              KubeletPodResources=true|false (BETA - default=true)
              KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
              LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
              LocalStorageCapacityIsolation=true|false (BETA - default=true)
              LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
              LogarithmicScaleDown=true|false (BETA - default=true)
              MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
              MemoryManager=true|false (BETA - default=true)
              MemoryQoS=true|false (ALPHA - default=false)
              MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)
              MixedProtocolLBService=true|false (BETA - default=true)
              NetworkPolicyEndPort=true|false (BETA - default=true)
              NetworkPolicyStatus=true|false (ALPHA - default=false)
              NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
              NodeSwap=true|false (ALPHA - default=false)
              OpenAPIEnums=true|false (BETA - default=true)
              OpenAPIV3=true|false (BETA - default=true)
              PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
              PodDeletionCost=true|false (BETA - default=true)
              PodSecurity=true|false (BETA - default=true)
              ProbeTerminationGracePeriod=true|false (BETA - default=false)
              ProcMountType=true|false (ALPHA - default=false)
              ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
              QOSReserved=true|false (ALPHA - default=false)
              ReadWriteOncePod=true|false (ALPHA - default=false)
              RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
              RemainingItemCount=true|false (BETA - default=true)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              SeccompDefault=true|false (ALPHA - default=false)
              ServerSideFieldValidation=true|false (ALPHA - default=false)
              ServiceIPStaticSubrange=true|false (ALPHA - default=false)
              ServiceInternalTrafficPolicy=true|false (BETA - default=true)
              SizeMemoryBackedVolumes=true|false (BETA - default=true)
              StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
              StatefulSetMinReadySeconds=true|false (BETA - default=true)
              StorageVersionAPI=true|false (ALPHA - default=false)
              StorageVersionHash=true|false (BETA - default=true)
              TopologyAwareHints=true|false (BETA - default=true)
              TopologyManager=true|false (BETA - default=true)
              VolumeCapacityPriority=true|false (ALPHA - default=false)
              WinDSR=true|false (ALPHA - default=false)
              WinOverlay=true|false (BETA - default=true)
              WindowsHostProcessContainers=true|false (BETA - default=true)

       --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
              Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.

       -h, --help=false
              help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period=5m0s
              The period after pod start when CPU samples might be skipped.

       --horizontal-pod-autoscaler-downscale-delay=5m0s
              The period since last downscale, before another downscale can be performed in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-downscale-stabilization=5m0s
              The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period.

       --horizontal-pod-autoscaler-initial-readiness-delay=30s
              The period after pod start during which readiness changes will be treated as initial readiness.

       --horizontal-pod-autoscaler-sync-period=15s
              The period for syncing the number of pods in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-tolerance=0.1
              The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.

       --horizontal-pod-autoscaler-upscale-delay=3m0s
              The period since last upscale, before another upscale can be performed in horizontal pod autoscaler.

       --http2-max-streams-per-connection=0
              The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.

       --kube-api-burst=30
              Burst to use while talking with kubernetes apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
              Content type of requests sent to apiserver.

       --kube-api-qps=20
              QPS to use while talking with kubernetes apiserver.

       --kubeconfig=""
              Path to kubeconfig file with authorization and master location information.

       --large-cluster-size-threshold=50
              Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller.

       --leader-elect=true
              Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.

       --leader-elect-lease-duration=15s
              The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

       --leader-elect-renew-deadline=10s
              The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.

       --leader-elect-resource-lock="leases"
              The type of resource object that is used for locking during leader election. Supported options are 'leases', 'endpointsleases' and 'configmapsleases'.

       --leader-elect-resource-name="kube-controller-manager"
              The name of resource object that is used for locking during leader election.

       --leader-elect-resource-namespace="kube-system"
              The namespace of resource object that is used for locking during leader election.

       --leader-elect-retry-period=2s
              The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

       --leader-migration-config=""
              Path to the config file for controller leader migration, or empty to use the value that reflects default configuration of the controller manager. The config file should be of type LeaderMigrationConfiguration, group controllermanager.config.k8s.io, version v1alpha1.

       --log-flush-frequency=5s
              Maximum number of seconds between log flushes

       --log_backtrace_at=:0
              when logging hits line file:N, emit a stack trace

       --log_dir=""
              If non-empty, write log files in this directory

       --log_file=""
              If non-empty, use this log file

       --log_file_max_size=1800
              Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

       --logging-format="text"
              Sets the log format. Permitted formats: "text". Non-default formats don't honor these flags: --add-dir-header, --alsologtostderr, --log-backtrace-at, --log-dir, --log-file, --log-file-max-size, --logtostderr, --one-output, --skip-headers, --skip-log-headers, --stderrthreshold, --vmodule. Non-default choices are currently alpha and subject to change without warning.

       --logtostderr=true
              log to standard error instead of files

       --master=""
              The address of the Kubernetes API server (overrides any value in kubeconfig).

       --max-endpoints-per-slice=100
              The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

       --min-resync-period=12h0m0s
              The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod.

       --mirroring-concurrent-service-endpoint-syncs=5
              The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

       --mirroring-endpointslice-updates-batch-period=0s
              The length of the EndpointSlice updates batching period for the EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but fewer endpoint revisions generated

       --mirroring-max-endpoints-per-subset=1000
              The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

       --namespace-sync-period=5m0s
              The period for syncing namespace life-cycle updates

       --node-cidr-mask-size=0
              Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6.

       --node-cidr-mask-size-ipv4=0
              Mask size for IPv4 node cidr in dual-stack cluster. Default is 24.

       --node-cidr-mask-size-ipv6=0
              Mask size for IPv6 node cidr in dual-stack cluster. Default is 64.

       --node-eviction-rate=0.1
              Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters.

       --node-monitor-grace-period=40s
              Amount of time a running Node is allowed to be unresponsive before it is marked unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N is the number of retries allowed for the kubelet to post node status.

       --node-monitor-period=5s
              The period for syncing NodeStatus in NodeController.

       --node-startup-grace-period=1m0s
              Amount of time a starting Node is allowed to be unresponsive before it is marked unhealthy.

       --node-sync-period=0s
              This flag is deprecated and will be removed in future releases. See node-monitor-period for Node health checking or route-reconciliation-period for cloud provider's route configuration settings.

       --one_output=false
              If true, only write logs to their native severity level (vs also writing to each lower severity level)

       --permit-address-sharing=false
              If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]

       --permit-port-sharing=false
              If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]

       --pod-eviction-timeout=5m0s
              The grace period for deleting pods on failed nodes.

       --profiling=true
              Enable profiling via web interface host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs=30
              the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod

       --pv-recycler-minimum-timeout-hostpath=60
              The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster.

       --pv-recycler-minimum-timeout-nfs=300
              The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod

       --pv-recycler-pod-template-filepath-hostpath=""
              The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.

       --pv-recycler-pod-template-filepath-nfs=""
              The file path to a pod definition used as a template for NFS persistent volume recycling

       --pv-recycler-timeout-increment-hostpath=30
              the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster.

       --pvclaimbinder-sync-period=15s
              The period for syncing persistent volumes and persistent volume claims

       --register-retry-count=10
              The number of retries for initial node registration. Retry interval equals node-sync-period.

741 --requestheader-allowed-names=[] List of client certificate common
742 names to allow to provide usernames in headers specified by --request‐
743 header-username-headers. If empty, any client certificate validated by
744 the authorities in --requestheader-client-ca-file is allowed.
745
746
747 --requestheader-client-ca-file="" Root certificate bundle to use
748 to verify client certificates on incoming requests before trusting
749 usernames in headers specified by --requestheader-username-headers.
750 WARNING: generally do not depend on authorization being already done
751 for incoming requests.
752
753
754 --requestheader-extra-headers-prefix=[x-remote-extra-] List of re‐
755 quest header prefixes to inspect. X-Remote-Extra- is suggested.
756
757
758 --requestheader-group-headers=[x-remote-group] List of request
759 headers to inspect for groups. X-Remote-Group is suggested.
760
761
762 --requestheader-username-headers=[x-remote-user] List of request
763 headers to inspect for usernames. X-Remote-User is common.
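
       Worked example (added here, not the controller manager's own code): a
       Go function that applies the --requestheader-* rules above to one
       incoming request. It assumes the client certificate has already been
       verified against --requestheader-client-ca-file and takes that
       certificate's common name as input; the RequestHeaderConfig type and
       the header values are constructed for illustration.

```go
package main

import "net/http"
import "strings"

// RequestHeaderConfig: the --requestheader-* flags on this page (illustrative
// type, not the controller manager's own implementation).
type RequestHeaderConfig struct {
	AllowedNames       []string // --requestheader-allowed-names; empty = any verified cert
	UsernameHeaders    []string // --requestheader-username-headers
	GroupHeaders       []string // --requestheader-group-headers
	ExtraHeadersPrefix []string // --requestheader-extra-headers-prefix
}

// Authenticate applies the documented rules to a request whose client cert has
// already chained to --requestheader-client-ca-file; clientCN is that cert's CN.
// It yields the asserted user, groups and extra attributes (authentication
// only: the request still has to be authorized separately). ok is false when
// the CN is not on a non-empty allow-list or no username header is present.
func (c RequestHeaderConfig) Authenticate(clientCN string, h http.Header) (user string, groups []string, extra map[string][]string, ok bool) {
	trusted := len(c.AllowedNames) == 0
	for _, n := range c.AllowedNames {
		trusted = trusted || n == clientCN
	}
	if !trusted {
		return "", nil, nil, false // this proxy may not assert identities
	}
	for _, hn := range c.UsernameHeaders {
		if v := h.Values(hn); len(v) > 0 && user == "" {
			user = v[0]
		}
	}
	if user == "" {
		return "", nil, nil, false // nothing asserted: treat as anonymous
	}
	for _, hn := range c.GroupHeaders {
		groups = append(groups, h.Values(hn)...)
	}
	extra = map[string][]string{}
	for name, vals := range h { // canonical keys; match the prefix case-insensitively
		for _, p := range c.ExtraHeadersPrefix {
			if len(name) > len(p) && strings.EqualFold(name[:len(p)], p) {
				key := strings.ToLower(name[len(p):])
				extra[key] = append(extra[key], vals...)
			}
		}
	}
	return user, groups, extra, true
}
```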


       --resource-quota-sync-period=5m0s      The period for syncing quota
       usage status in the system


       --root-ca-file=""      If set, this root certificate authority will be
       included in service account's token secret. This must be a valid
       PEM-encoded CA bundle.


       --route-reconciliation-period=10s      The period for reconciling
       routes created for Nodes by cloud provider.


       --secondary-node-eviction-rate=0.01      Number of nodes per second on
       which pods are deleted in case of node failure when a zone is unhealthy
       (see --unhealthy-zone-threshold for definition of healthy/unhealthy).
       Zone refers to entire cluster in non-multizone clusters. This value is
       implicitly overridden to 0 if the cluster size is smaller than
       --large-cluster-size-threshold.


       --secure-port=10257      The port on which to serve HTTPS with
       authentication and authorization. If 0, don't serve HTTPS at all.


       --service-account-private-key-file=""      Filename containing a
       PEM-encoded private RSA or ECDSA key used to sign service account
       tokens.


       --service-cluster-ip-range=""      CIDR Range for Services in cluster.
       Requires --allocate-node-cidrs to be true.


       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is ., e.g.:
       '1.16'. The purpose of this format is to make sure you have the
       opportunity to notice if the next release hides additional metrics,
       rather than being surprised when they are permanently removed in the
       release after that.


       --skip_headers=false      If true, avoid header prefixes in the log
       messages


       --skip_log_headers=false      If true, avoid headers when opening log
       files


       --stderrthreshold=2      logs at or above this threshold go to stderr


       --terminated-pod-gc-threshold=12500      Number of terminated pods that
       can exist before the terminated pod garbage collector starts deleting
       terminated pods. If <= 0, the terminated pod garbage collector is
       disabled.


       --tls-cert-file=""      File containing the default x509 Certificate
       for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
       serving is enabled, and --tls-cert-file and --tls-private-key-file are
       not provided, a self-signed certificate and key are generated for the
       public address and saved to the directory specified by --cert-dir.


       --tls-cipher-suites=[]      Comma-separated list of cipher suites for
       the server. If omitted, the default Go cipher suites will be used.
       Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
       TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
       Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
       TLS_RSA_WITH_RC4_128_SHA.


       --tls-min-version=""      Minimum TLS version supported. Possible
       values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13


       --tls-private-key-file=""      File containing the default x509 private
       key matching --tls-cert-file.


       --tls-sni-cert-key=[]      A pair of x509 certificate and private key
       file paths, optionally suffixed with a list of domain patterns which
       are fully qualified domain names, possibly with prefixed wildcard
       segments. The domain patterns also allow IP addresses, but IPs should
       only be used if the apiserver has visibility to the IP address
       requested by a client. If no domain patterns are provided, the names of
       the certificate are extracted. Non-wildcard matches take precedence
       over wildcard matches, and explicit domain patterns take precedence
       over extracted names. For multiple key/certificate pairs, use
       --tls-sni-cert-key multiple times. Examples: "example.crt,example.key"
       or "foo.crt,foo.key:*.foo.com,foo.com".
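
       Added example, not the controller manager's own code: parsing
       --tls-sni-cert-key values and choosing a certificate under the two
       precedence rules above. It assumes explicit patterns override extracted
       names when the lookup table is built, and that an exact name is tried
       before its wildcard form ("*" replacing the leftmost label); SNICertKey,
       NameMap and Lookup are illustrative names, and ExtractedNames stands in
       for the names that would be read from the certificate file.

```go
package main

import "strings"

// SNICertKey is one parsed --tls-sni-cert-key value; ExtractedNames stands in for
// the names read from the cert file. Illustrative type, not the project's own.
type SNICertKey struct {
	CertFile, KeyFile string
	Patterns          []string // explicit patterns after ':'; nil means "use the cert's names"
	ExtractedNames    []string
}
// ParseSNICertKey accepts "cert,key" or "cert,key:pattern1,pattern2".
func ParseSNICertKey(v string) (ck SNICertKey, ok bool) {
	parts := strings.SplitN(v, ":", 2)
	files := strings.Split(parts[0], ",")
	if len(files) != 2 || files[0] == "" || files[1] == "" {
		return SNICertKey{}, false
	}
	ck = SNICertKey{CertFile: files[0], KeyFile: files[1]}
	if len(parts) == 2 && parts[1] != "" {
		ck.Patterns = strings.Split(parts[1], ",")
	}
	return ck, true
}
// NameMap: extracted names first, explicit patterns after, so explicit wins.
func NameMap(pairs []SNICertKey) map[string]string {
	m := map[string]string{} // lower-cased name or pattern -> cert file
	for _, p := range pairs {
		if len(p.Patterns) == 0 {
			for _, n := range p.ExtractedNames {
				m[strings.ToLower(n)] = p.CertFile
			}
		}
	}
	for _, p := range pairs {
		for _, n := range p.Patterns {
			m[strings.ToLower(n)] = p.CertFile
		}
	}
	return m
}
// Lookup tries the exact name before the wildcard form ("*" replacing the
// leftmost label), so a non-wildcard match wins; "" means use --tls-cert-file.
func Lookup(m map[string]string, serverName string) string {
	name := strings.ToLower(strings.TrimSuffix(serverName, "."))
	if c, ok := m[name]; ok || !strings.Contains(name, ".") {
		return c
	}
	return m["*"+name[strings.IndexByte(name, '.'):]]
}
```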


       --unhealthy-zone-threshold=0.55      Fraction of Nodes in a zone that
       need to be not Ready (at least 3 nodes) for the zone to be treated as
       unhealthy.


       --use-service-account-credentials=false      If true, use individual
       service account credentials for each controller.


       -v, --v=0      number for the log level verbosity


       --version=false      Print version information and quit


       --vmodule=      comma-separated list of pattern=N settings for
       file-filtered logging (only works for text log format)


       --volume-host-allow-local-loopback=true      If false, deny local
       loopback IPs in addition to any CIDR ranges in
       --volume-host-cidr-denylist


       --volume-host-cidr-denylist=[]      A comma-separated list of CIDR
       ranges to avoid from volume plugins.



       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!



Manuals User                                        KUBERNETES(1)(kubernetes)