1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kube-scheduler -
10
14 kube-scheduler [OPTIONS]
15
19 The Kubernetes scheduler is a control plane process which assigns Pods
20 to Nodes. The scheduler determines which Nodes are valid placements for
21 each Pod in the scheduling queue according to constraints and available
22 resources. The scheduler then ranks each valid Node and binds the Pod
23 to a suitable Node. Multiple different schedulers may be used within a
24 cluster; kube-scheduler is the reference implementation. See schedul‐
25 ing ⟨https://kubernetes.io/docs/concepts/scheduling-eviction/⟩ for more
26 information about scheduling and the kube-scheduler component.
27
31 --allow-metric-labels=[] The map from metric-label to value allow-
32 list of this label. The key's format is ,. The value's format is
33 ,...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' met‐
34 ric2,label1='v1,v2,v3'.
35 --authentication-kubeconfig="" kubeconfig file pointing at the
38 'core' kubernetes server with enough rights to create tokenreviews.au‐
39 thentication.k8s.io. This is optional. If empty, all token requests are
40 considered to be anonymous and no client CA is looked up in the clus‐
41 ter.
42 --authentication-skip-lookup=false If false, the authentication-
45 kubeconfig will be used to lookup missing authentication configuration
46 from the cluster.
47 --authentication-token-webhook-cache-ttl=10s The duration to cache
50 responses from the webhook token authenticator.
51 --authentication-tolerate-lookup-failure=true If true, failures to
54 look up missing authentication configuration from the cluster are not
55 considered fatal. Note that this can result in authentication that
56 treats all requests as anonymous.
57 --authorization-always-allow-paths=[/healthz,/readyz,/livez] A
60 list of HTTP paths to skip during authorization, i.e. these are autho‐
61 rized without contacting the 'core' kubernetes server.
62 --authorization-kubeconfig="" kubeconfig file pointing at the
65 'core' kubernetes server with enough rights to create subjectaccessre‐
66 views.authorization.k8s.io. This is optional. If empty, all requests
67 not skipped by authorization are forbidden.
68 --authorization-webhook-cache-authorized-ttl=10s The duration to
71 cache 'authorized' responses from the webhook authorizer.
72 --authorization-webhook-cache-unauthorized-ttl=10s The duration to
75 cache 'unauthorized' responses from the webhook authorizer.
76 --azure-container-registry-config="" Path to the file containing
79 Azure container registry configuration information.
80 --bind-address=0.0.0.0 The IP address on which to listen for the
83 --secure-port port. The associated interface(s) must be reachable by
84 the rest of the cluster, and by CLI/web clients. If blank or an unspec‐
85 ified address (0.0.0.0 or ::), all interfaces will be used.
86 --cert-dir="" The directory where the TLS certs are located. If
89 --tls-cert-file and --tls-private-key-file are provided, this flag will
90 be ignored.
91 --client-ca-file="" If set, any request presenting a client cer‐
94 tificate signed by one of the authorities in the client-ca-file is au‐
95 thenticated with an identity corresponding to the CommonName of the
96 client certificate.
97 --config="" The path to the configuration file.
100 --contention-profiling=true DEPRECATED: enable lock contention
103 profiling, if profiling is enabled. This parameter is ignored if a con‐
104 fig file is specified in --config.
105 --disabled-metrics=[] This flag provides an escape hatch for mis‐
108 behaving metrics. You must provide the fully qualified metric name in
109 order to disable it. Disclaimer: disabling metrics is higher in prece‐
110 dence than showing hidden metrics.
111 --feature-gates= A set of key=value pairs that describe feature
114 gates for alpha/experimental features. Options are: APIListChunk‐
115 ing=true|false (BETA - default=true) APIPriorityAndFairness=true|false
116 (BETA - default=true) APIResponseCompression=true|false (BETA - de‐
117 fault=true) APISelfSubjectReview=true|false (ALPHA - default=false)
118 APIServerIdentity=true|false (BETA - default=true) APIServerTrac‐
119 ing=true|false (ALPHA - default=false) AggregatedDiscoveryEnd‐
120 point=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA -
121 default=false) AllBeta=true|false (BETA - default=false) AnyVolumeData‐
122 Source=true|false (BETA - default=true) AppArmor=true|false (BETA - de‐
123 fault=true) CPUManagerPolicyAlphaOptions=true|false (ALPHA - de‐
124 fault=false) CPUManagerPolicyBetaOptions=true|false (BETA - de‐
125 fault=true) CPUManagerPolicyOptions=true|false (BETA - default=true)
126 CSIMigrationPortworx=true|false (BETA - default=false) CSIMigra‐
127 tionRBD=true|false (ALPHA - default=false) CSINodeExpandSe‐
128 cret=true|false (ALPHA - default=false) CSIVolumeHealth=true|false (AL‐
129 PHA - default=false) ComponentSLIs=true|false (ALPHA - default=false)
130 ContainerCheckpoint=true|false (ALPHA - default=false) ContextualLog‐
131 ging=true|false (ALPHA - default=false) CronJobTimeZone=true|false
132 (BETA - default=true) CrossNamespaceVolumeDataSource=true|false (ALPHA
133 - default=false) CustomCPUCFSQuotaPeriod=true|false (ALPHA - de‐
134 fault=false) CustomResourceValidationExpressions=true|false (BETA - de‐
135 fault=true) DisableCloudProviders=true|false (ALPHA - default=false)
136 DisableKubeletCloudCredentialProviders=true|false (ALPHA - de‐
137 fault=false) DownwardAPIHugePages=true|false (BETA - default=true) Dy‐
138 namicResourceAllocation=true|false (ALPHA - default=false) EventedP‐
139 LEG=true|false (ALPHA - default=false) ExpandedDNSConfig=true|false
140 (BETA - default=true) ExperimentalHostUserNamespaceDefault‐
141 ing=true|false (BETA - default=false) GRPCContainerProbe=true|false
142 (BETA - default=true) GracefulNodeShutdown=true|false (BETA - de‐
143 fault=true) GracefulNodeShutdownBasedOnPodPriority=true|false (BETA -
144 default=true) HPAContainerMetrics=true|false (ALPHA - default=false)
145 HPAScaleToZero=true|false (ALPHA - default=false) HonorPVReclaimPol‐
146 icy=true|false (ALPHA - default=false) IPTablesOwnership‐
147 Cleanup=true|false (ALPHA - default=false) InTreePluginAWSUnregis‐
148 ter=true|false (ALPHA - default=false) InTreePluginAzureDiskUnregis‐
149 ter=true|false (ALPHA - default=false) InTreePluginAzureFileUnregis‐
150 ter=true|false (ALPHA - default=false) InTreePluginGCEUnregis‐
151 ter=true|false (ALPHA - default=false) InTreePluginOpenStackUnregis‐
152 ter=true|false (ALPHA - default=false) InTreePluginPortworxUnregis‐
153 ter=true|false (ALPHA - default=false) InTreePluginRBDUnregis‐
154 ter=true|false (ALPHA - default=false) InTreePluginvSphereUnregis‐
155 ter=true|false (ALPHA - default=false) JobMutableNodeSchedulingDirec‐
156 tives=true|false (BETA - default=true) JobPodFailurePolicy=true|false
157 (BETA - default=true) JobReadyPods=true|false (BETA - default=true)
158 KMSv2=true|false (ALPHA - default=false) KubeletInUserNames‐
159 pace=true|false (ALPHA - default=false) KubeletPodResources=true|false
160 (BETA - default=true) KubeletPodResourcesGetAllocatable=true|false
161 (BETA - default=true) KubeletTracing=true|false (ALPHA - default=false)
162 LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
163 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - de‐
164 fault=false) LogarithmicScaleDown=true|false (BETA - default=true) Log‐
165 gingAlphaOptions=true|false (ALPHA - default=false) LoggingBetaOp‐
166 tions=true|false (BETA - default=true) MatchLabelKeysInPodTopolo‐
167 gySpread=true|false (ALPHA - default=false) MaxUnavailableState‐
168 fulSet=true|false (ALPHA - default=false) MemoryManager=true|false
169 (BETA - default=true) MemoryQoS=true|false (ALPHA - default=false) Min‐
170 DomainsInPodTopologySpread=true|false (BETA - default=false) Mini‐
171 mizeIPTablesRestore=true|false (ALPHA - default=false) MultiCIDR‐
172 RangeAllocator=true|false (ALPHA - default=false) NetworkPolicySta‐
173 tus=true|false (ALPHA - default=false) NodeInclusionPolicyInPodTopolo‐
174 gySpread=true|false (BETA - default=true) NodeOutOfServiceVolumeDe‐
175 tach=true|false (BETA - default=true) NodeSwap=true|false (ALPHA - de‐
176 fault=false) OpenAPIEnums=true|false (BETA - default=true) Ope‐
177 nAPIV3=true|false (BETA - default=true) PDBUnhealthyPodEvictionPol‐
178 icy=true|false (ALPHA - default=false) PodAndContainerStatsFrom‐
179 CRI=true|false (ALPHA - default=false) PodDeletionCost=true|false (BETA
180 - default=true) PodDisruptionConditions=true|false (BETA - de‐
181 fault=true) PodHasNetworkCondition=true|false (ALPHA - default=false)
182 PodSchedulingReadiness=true|false (ALPHA - default=false) ProbeTermina‐
183 tionGracePeriod=true|false (BETA - default=true) ProcMount‐
184 Type=true|false (ALPHA - default=false) ProxyTerminatingEnd‐
185 points=true|false (BETA - default=true) QOSReserved=true|false (ALPHA -
186 default=false) ReadWriteOncePod=true|false (ALPHA - default=false) Re‐
187 coverVolumeExpansionFailure=true|false (ALPHA - default=false) Remain‐
188 ingItemCount=true|false (BETA - default=true) RetroactiveDefaultStor‐
189 ageClass=true|false (BETA - default=true) RotateKubeletServerCertifi‐
190 cate=true|false (BETA - default=true) SELinuxMountReadWriteOnce‐
191 Pod=true|false (ALPHA - default=false) SeccompDefault=true|false (BETA
192 - default=true) ServerSideFieldValidation=true|false (BETA - de‐
193 fault=true) SizeMemoryBackedVolumes=true|false (BETA - default=true)
194 StatefulSetAutoDeletePVC=true|false (ALPHA - default=false) State‐
195 fulSetStartOrdinal=true|false (ALPHA - default=false) StorageVersion‐
196 API=true|false (ALPHA - default=false) StorageVersionHash=true|false
197 (BETA - default=true) TopologyAwareHints=true|false (BETA - de‐
198 fault=true) TopologyManager=true|false (BETA - default=true) Topology‐
199 ManagerPolicyAlphaOptions=true|false (ALPHA - default=false) Topology‐
200 ManagerPolicyBetaOptions=true|false (BETA - default=false) TopologyMan‐
201 agerPolicyOptions=true|false (ALPHA - default=false) Unauthenticated‐
202 HTTP2DOSMitigation=true|false (BETA - default=false) UserNames‐
203 pacesStatelessPodsSupport=true|false (ALPHA - default=false) Validatin‐
204 gAdmissionPolicy=true|false (ALPHA - default=false) VolumeCapacityPri‐
205 ority=true|false (ALPHA - default=false) WinDSR=true|false (ALPHA - de‐
206 fault=false) WinOverlay=true|false (BETA - default=true) WindowsHost‐
207 Network=true|false (ALPHA - default=true)
208 -h, --help=false help for kube-scheduler
211 --http2-max-streams-per-connection=0 The limit that the server
214 gives to clients for the maximum number of streams in an HTTP/2 connec‐
215 tion. Zero means to use golang's default.
216 --kube-api-burst=100 DEPRECATED: burst to use while talking with
219 kubernetes apiserver. This parameter is ignored if a config file is
220 specified in --config.
221 --kube-api-content-type="application/vnd.kubernetes.protobuf" DEP‐
224 RECATED: content type of requests sent to apiserver. This parameter is
225 ignored if a config file is specified in --config.
226 --kube-api-qps=50 DEPRECATED: QPS to use while talking with kuber‐
229 netes apiserver. This parameter is ignored if a config file is speci‐
230 fied in --config.
231 --kubeconfig="" DEPRECATED: path to kubeconfig file with autho‐
234 rization and master location information. This parameter is ignored if
235 a config file is specified in --config.
236 --leader-elect=true Start a leader election client and gain lead‐
239 ership before executing the main loop. Enable this when running repli‐
240 cated components for high availability.
241 --leader-elect-lease-duration=15s The duration that non-leader
244 candidates will wait after observing a leadership renewal until at‐
245 tempting to acquire leadership of a led but unrenewed leader slot. This
246 is effectively the maximum duration that a leader can be stopped before
247 it is replaced by another candidate. This is only applicable if leader
248 election is enabled.
249 --leader-elect-renew-deadline=10s The interval between attempts by
252 the acting master to renew a leadership slot before it stops leading.
253 This must be less than the lease duration. This is only applicable if
254 leader election is enabled.
255 --leader-elect-resource-lock="leases" The type of resource object
258 that is used for locking during leader election. Supported options are
259 'leases', 'endpointsleases' and 'configmapsleases'.
260 --leader-elect-resource-name="kube-scheduler" The name of resource
263 object that is used for locking during leader election.
264 --leader-elect-resource-namespace="kube-system" The namespace of
267 resource object that is used for locking during leader election.
268 --leader-elect-retry-period=2s The duration the clients should
271 wait between attempting acquisition and renewal of a leadership. This
272 is only applicable if leader election is enabled.
273 --lock-object-name="kube-scheduler" DEPRECATED: define the name of
276 the lock object. Will be removed in favor of leader-elect-resource-
277 name. This parameter is ignored if a config file is specified in --con‐
278 fig.
279 --lock-object-namespace="kube-system" DEPRECATED: define the name‐
282 space of the lock object. Will be removed in favor of leader-elect-re‐
283 source-namespace. This parameter is ignored if a config file is speci‐
284 fied in --config.
285 --log-flush-frequency=5s Maximum number of seconds between log
288 flushes
289 --logging-format="text" Sets the log format. Permitted formats:
292 "text".
293 --master="" The address of the Kubernetes API server (overrides
296 any value in kubeconfig)
297 --permit-address-sharing=false If true, SO_REUSEADDR will be used
300 when binding the port. This allows binding to wildcard IPs like 0.0.0.0
301 and specific IPs in parallel, and it avoids waiting for the kernel to
302 release sockets in TIME_WAIT state. [default=false]
303 --permit-port-sharing=false If true, SO_REUSEPORT will be used
306 when binding the port, which allows more than one instance to bind on
307 the same address and port. [default=false]
308 --pod-max-in-unschedulable-pods-duration=5m0s DEPRECATED: the max‐
311 imum time a pod can stay in unschedulablePods. If a pod stays in un‐
312 schedulablePods for longer than this value, the pod will be moved from
313 unschedulablePods to backoffQ or activeQ. This flag is deprecated and
314 will be removed in 1.26
315 --profiling=true DEPRECATED: enable profiling via web interface
318 host:port/debug/pprof/. This parameter is ignored if a config file is
319 specified in --config.
320 --requestheader-allowed-names=[] List of client certificate common
323 names to allow to provide usernames in headers specified by --request‐
324 header-username-headers. If empty, any client certificate validated by
325 the authorities in --requestheader-client-ca-file is allowed.
326 --requestheader-client-ca-file="" Root certificate bundle to use
329 to verify client certificates on incoming requests before trusting
330 usernames in headers specified by --requestheader-username-headers.
331 WARNING: generally do not depend on authorization being already done
332 for incoming requests.
333 --requestheader-extra-headers-prefix=[x-remote-extra-] List of re‐
336 quest header prefixes to inspect. X-Remote-Extra- is suggested.
337 --requestheader-group-headers=[x-remote-group] List of request
340 headers to inspect for groups. X-Remote-Group is suggested.
341 --requestheader-username-headers=[x-remote-user] List of request
344 headers to inspect for usernames. X-Remote-User is common.
345 --secure-port=10259 The port on which to serve HTTPS with authen‐
348 tication and authorization. If 0, don't serve HTTPS at all.
349 --show-hidden-metrics-for-version="" The previous version for
352 which you want to show hidden metrics. Only the previous minor version
353 is meaningful, other values will not be allowed. The format is ., e.g.:
354 '1.16'. The purpose of this format is make sure you have the opportu‐
355 nity to notice if the next release hides additional metrics, rather
356 than being surprised when they are permanently removed in the release
357 after that.
358 --tls-cert-file="" File containing the default x509 Certificate
361 for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
362 serving is enabled, and --tls-cert-file and --tls-private-key-file are
363 not provided, a self-signed certificate and key are generated for the
364 public address and saved to the directory specified by --cert-dir.
365 --tls-cipher-suites=[] Comma-separated list of cipher suites for
368 the server. If omitted, the default Go cipher suites will be used.
369 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
370 TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
371 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
372 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
373 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
374 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
375 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
376 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
377 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
378 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
379 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
380 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
381 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
382 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
383 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Inse‐
384 cure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
385 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
386 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
387 TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
388 TLS_RSA_WITH_RC4_128_SHA.
389 --tls-min-version="" Minimum TLS version supported. Possible val‐
392 ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
393 --tls-private-key-file="" File containing the default x509 private
396 key matching --tls-cert-file.
397 --tls-sni-cert-key=[] A pair of x509 certificate and private key
400 file paths, optionally suffixed with a list of domain patterns which
401 are fully qualified domain names, possibly with prefixed wildcard seg‐
402 ments. The domain patterns also allow IP addresses, but IPs should only
403 be used if the apiserver has visibility to the IP address requested by
404 a client. If no domain patterns are provided, the names of the certifi‐
405 cate are extracted. Non-wildcard matches trump over wildcard matches,
406 explicit domain patterns trump over extracted names. For multiple
407 key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
408 ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
409 -v, --v=0 number for the log level verbosity
412 --version=false Print version information and quit
415 --vmodule= comma-separated list of pattern=N settings for file-
418 filtered logging (only works for text log format)
419 --write-config-to="" If set, write the configuration values to
422 this file and exit.
423
427 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
428 com) based on the kubernetes source material, but hopefully they have
429 been automatically generated since!
430Manuals User KUBERNETES(1)(kubernetes)