KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kube-apiserver -

SYNOPSIS
       kube-apiserver [OPTIONS]

DESCRIPTION
       The Kubernetes API server validates and configures data for the api objects which include pods, services, replicationcontrollers, and others. The API Server services REST operations and provides the frontend to the cluster's shared state through which all other components interact.

OPTIONS
       --add-dir-header=false      If true, adds the file directory to the header of the log messages

       --address=127.0.0.1      The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

       --admission-control=[]      Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook.

       --admission-control-config-file=""      File with admission control configuration.

       --advertise-address=      The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.

       --allow-privileged=false      If true, allow privileged containers. [default=false]

       --alsologtostderr=false      log to standard error as well as files

       --anonymous-auth=true      Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.

       --api-audiences=[]      Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL.

       --apiserver-count=1      The number of apiservers running in the cluster, must be a positive number. (In use when --endpoint-reconciler-type=master-count is enabled.)

       --audit-log-batch-buffer-size=10000      The size of the buffer to store events before batching and writing. Only used in batch mode.

       --audit-log-batch-max-size=1      The maximum size of a batch. Only used in batch mode.

       --audit-log-batch-max-wait=0s      The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode.

       --audit-log-batch-throttle-burst=0      Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode.

       --audit-log-batch-throttle-enable=false      Whether batching throttling is enabled. Only used in batch mode.

       --audit-log-batch-throttle-qps=0      Maximum average number of batches per second. Only used in batch mode.

       --audit-log-compress=false      If set, the rotated log files will be compressed using gzip.

       --audit-log-format="json"      Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json.

       --audit-log-maxage=0      The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.

       --audit-log-maxbackup=0      The maximum number of old audit log files to retain.

       --audit-log-maxsize=0      The maximum size in megabytes of the audit log file before it gets rotated.

       --audit-log-mode="blocking"      Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict.

       --audit-log-path=""      If set, all requests coming to the apiserver will be logged to this file. '-' means standard out.

       --audit-log-truncate-enabled=false      Whether event and batch truncating is enabled.

       --audit-log-truncate-max-batch-size=10485760      Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size.

       --audit-log-truncate-max-event-size=102400      Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded.

       --audit-log-version="audit.k8s.io/v1"      API group and version used for serializing audit events written to log.

       --audit-policy-file=""      Path to the file that defines the audit policy configuration.

       --audit-webhook-batch-buffer-size=10000      The size of the buffer to store events before batching and writing. Only used in batch mode.

       --audit-webhook-batch-initial-backoff=10s      The amount of time to wait before retrying the first failed request.

       --audit-webhook-batch-max-size=400      The maximum size of a batch. Only used in batch mode.

       --audit-webhook-batch-max-wait=30s      The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode.

       --audit-webhook-batch-throttle-burst=15      Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode.

       --audit-webhook-batch-throttle-enable=true      Whether batching throttling is enabled. Only used in batch mode.

       --audit-webhook-batch-throttle-qps=10      Maximum average number of batches per second. Only used in batch mode.

       --audit-webhook-config-file=""      Path to a kubeconfig formatted file that defines the audit webhook configuration.

       --audit-webhook-initial-backoff=10s      The amount of time to wait before retrying the first failed request.

       --audit-webhook-mode="batch"      Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict.

       --audit-webhook-truncate-enabled=false      Whether event and batch truncating is enabled.

       --audit-webhook-truncate-max-batch-size=10485760      Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size.

       --audit-webhook-truncate-max-event-size=102400      Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded.

       --audit-webhook-version="audit.k8s.io/v1"      API group and version used for serializing audit events written to webhook.

       --authentication-token-webhook-cache-ttl=2m0s      The duration to cache responses from the webhook token authenticator.

       --authentication-token-webhook-config-file=""      File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.

       --authentication-token-webhook-version="v1beta1"      The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.

       --authorization-mode=[AlwaysAllow]      Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node.

       --authorization-policy-file=""      File with authorization policy in json line by line format, used with --authorization-mode=ABAC, on the secure port.

       --authorization-webhook-cache-authorized-ttl=5m0s      The duration to cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=30s      The duration to cache 'unauthorized' responses from the webhook authorizer.

       --authorization-webhook-config-file=""      File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.

       --authorization-webhook-version="v1beta1"      The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.

       --azure-container-registry-config=""      Path to the file containing Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir="/var/run/kubernetes"      The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

       --client-ca-file=""      If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

       --cloud-config=""      The path to the cloud provider configuration file. Empty string for no configuration file.

       --cloud-provider=""      The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16      CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16      CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

       --contention-profiling=false      Enable lock contention profiling, if profiling is enabled

       --cors-allowed-origins=[]      List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.

       --default-not-ready-toleration-seconds=300      Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.

       --default-unreachable-toleration-seconds=300      Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

       --default-watch-cache-size=100      Default watch cache size. If zero, watch cache will be disabled for resources that do not have a default watch size set.

       --delete-collection-workers=1      Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup.

       --deserialization-cache-size=0      Number of deserialized json objects to cache in memory.

       --disable-admission-plugins=[]      admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.

       --egress-selector-config-file=""      File with apiserver egress selector configuration.

       --enable-admission-plugins=[]      admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.

       --enable-aggregator-routing=false      Turns on aggregator routing requests to endpoints IP rather than cluster IP.

       --enable-bootstrap-token-auth=false      Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication.

       --enable-garbage-collector=true      Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-controller-manager.

       --enable-logs-handler=true      If true, install a /logs handler for the apiserver logs.

       --enable-priority-and-fairness=true      If true and the APIPriorityAndFairness feature gate is enabled, replace the max-in-flight handler with an enhanced one that queues and dispatches with priority and fairness

       --enable-swagger-ui=false      Enables swagger ui on the apiserver at /swagger-ui

       --encryption-provider-config=""      The file containing configuration for encryption providers to be used for storing secrets in etcd

       --endpoint-reconciler-type="lease"      Use an endpoint reconciler (master-count, lease, none)

       --etcd-cafile=""      SSL Certificate Authority file used to secure etcd communication.

       --etcd-certfile=""      SSL certification file used to secure etcd communication.

       --etcd-compaction-interval=5m0s      The interval of compaction requests. If 0, the compaction request from apiserver is disabled.

       --etcd-count-metric-poll-period=1m0s      Frequency of polling etcd for number of resources per type. 0 disables the metric collection.

       --etcd-db-metric-poll-interval=30s      The interval of requests to poll etcd and update metric. 0 disables the metric collection

       --etcd-healthcheck-timeout=2s      The timeout to use when checking etcd health.

       --etcd-keyfile=""      SSL key file used to secure etcd communication.

       --etcd-prefix="/registry"      The prefix to prepend to all resource paths in etcd.

       --etcd-servers=[]      List of etcd servers to connect with (scheme://ip:port), comma separated.

       --etcd-servers-overrides=[]      Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are URLs, semicolon separated.

       --event-ttl=1h0m0s      Amount of time to retain events.

       --experimental-encryption-provider-config=""      The file containing configuration for encryption providers to be used for storing secrets in etcd

       --experimental-logging-sanitization=false      [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

       --external-hostname=""      The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs or OpenID Discovery).

       --feature-gates=      A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIPriorityAndFairness=true|false (BETA - default=true) APIResponseCompression=true|false (BETA - default=true) APIServerIdentity=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AllBeta=true|false (BETA - default=false) AllowInsecureBackendProxy=true|false (BETA - default=true) AnyVolumeDataSource=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BoundServiceAccountTokenVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIInlineVolume=true|false (BETA - default=true) CSIMigration=true|false (BETA - default=true) CSIMigrationAWS=true|false (BETA - default=false) CSIMigrationAWSComplete=true|false (ALPHA - default=false) CSIMigrationAzureDisk=true|false (BETA - default=false) CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false) CSIMigrationAzureFile=true|false (ALPHA - default=false) CSIMigrationAzureFileComplete=true|false (ALPHA - default=false) CSIMigrationGCE=true|false (BETA - default=false) CSIMigrationGCEComplete=true|false (ALPHA - default=false) CSIMigrationOpenStack=true|false (BETA - default=false) CSIMigrationOpenStackComplete=true|false (ALPHA - default=false) CSIMigrationvSphere=true|false (BETA - default=false) CSIMigrationvSphereComplete=true|false (BETA - default=false) CSIServiceAccountToken=true|false (ALPHA - default=false) CSIStorageCapacity=true|false (ALPHA - default=false) CSIVolumeFSGroupPolicy=true|false (BETA - default=true) ConfigurableFSGroupPolicy=true|false (BETA - default=true) CronJobControllerV2=true|false (ALPHA - default=false) CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false) DefaultPodTopologySpread=true|false (BETA - default=true) DevicePlugins=true|false (BETA - default=true) DisableAcceleratorUsageMetrics=true|false (BETA - default=true) DownwardAPIHugePages=true|false (ALPHA - default=false) DynamicKubeletConfig=true|false (BETA - default=true) EfficientWatchResumption=true|false (ALPHA - default=false) EndpointSlice=true|false (BETA - default=true) EndpointSliceNodeName=true|false (ALPHA - default=false) EndpointSliceProxying=true|false (BETA - default=true) EndpointSliceTerminatingCondition=true|false (ALPHA - default=false) EphemeralContainers=true|false (ALPHA - default=false) ExpandCSIVolumes=true|false (BETA - default=true) ExpandInUsePersistentVolumes=true|false (BETA - default=true) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GenericEphemeralVolume=true|false (ALPHA - default=false) GracefulNodeShutdown=true|false (ALPHA - default=false) HPAContainerMetrics=true|false (ALPHA - default=false) HPAScaleToZero=true|false (ALPHA - default=false) HugePageStorageMediumSize=true|false (BETA - default=true) IPv6DualStack=true|false (ALPHA - default=false) ImmutableEphemeralVolumes=true|false (BETA - default=true) KubeletCredentialProviders=true|false (ALPHA - default=false) KubeletPodResources=true|false (BETA - default=true) LegacyNodeRoleBehavior=true|false (BETA - default=true) LocalStorageCapacityIsolation=true|false (BETA - default=true) LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false) MixedProtocolLBService=true|false (ALPHA - default=false) NodeDisruptionExclusion=true|false (BETA - default=true) NonPreemptingPriority=true|false (BETA - default=true) PodDisruptionBudget=true|false (BETA - default=true) PodOverhead=true|false (BETA - default=true) ProcMountType=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) RemainingItemCount=true|false (BETA - default=true) RemoveSelfLink=true|false (BETA - default=true) RootCAConfigMap=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (BETA - default=true) RunAsGroup=true|false (BETA - default=true) ServerSideApply=true|false (BETA - default=true) ServiceAccountIssuerDiscovery=true|false (BETA - default=true) ServiceLBNodePortControl=true|false (ALPHA - default=false) ServiceNodeExclusion=true|false (BETA - default=true) ServiceTopology=true|false (ALPHA - default=false) SetHostnameAsFQDN=true|false (BETA - default=true) SizeMemoryBackedVolumes=true|false (ALPHA - default=false) StorageVersionAPI=true|false (ALPHA - default=false) StorageVersionHash=true|false (BETA - default=true) Sysctls=true|false (BETA - default=true) TTLAfterFinished=true|false (ALPHA - default=false) TopologyManager=true|false (BETA - default=true) ValidateProxyRedirects=true|false (BETA - default=true) WarningHeaders=true|false (BETA - default=true) WinDSR=true|false (ALPHA - default=false) WinOverlay=true|false (BETA - default=true) WindowsEndpointSliceProxying=true|false (ALPHA - default=false)

       --goaway-chance=0      To prevent HTTP/2 clients from getting stuck on a single apiserver, randomly close a connection (GOAWAY). The client's other in-flight requests won't be affected, and the client will reconnect, likely landing on a different apiserver after going through the load balancer again. This argument sets the fraction of requests that will be sent a GOAWAY. Clusters with single apiservers, or which don't use a load balancer, should NOT enable this. Min is 0 (off), Max is .02 (1/50 requests); .001 (1/1000) is a recommended starting point.

       -h, --help=false      help for kube-apiserver

       --http2-max-streams-per-connection=0      The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.

       --identity-lease-duration-seconds=3600      The duration of kube-apiserver lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)

       --identity-lease-renew-interval-seconds=10      The interval of kube-apiserver renewing its lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)

       --insecure-bind-address=127.0.0.1      The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

       --insecure-port=0      The port on which to serve unsecured, unauthenticated access.

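The flags above fix the API server's authentication, authorization, audit, admission and at-rest encryption posture, and several of their documented defaults (anonymous-auth=true, authorization-mode=AlwaysAllow, no audit backend, NodeRestriction not among the default admission plugins) are the permissive ones. As an added example that is not part of this man page or of the Kubernetes project, the script below parses a kube-apiserver command line, fills in the defaults documented here for any flag that is absent, and reports settings a reviewer would flag; the two command lines it checks are constructed, and the file paths in them are placeholders.

```python
"""Check a kube-apiserver command line against the defaults documented in its man page.

Added example, not part of the kube-apiserver man page or the Kubernetes project.
"""
import shlex
from typing import Dict, List, Set

# Defaults as documented on this page, used when a flag is absent from the command line.
DEFAULTS: Dict[str, str] = {
    "--anonymous-auth": "true",
    "--authorization-mode": "AlwaysAllow",
    "--insecure-port": "0",
    "--audit-log-path": "",
    "--audit-webhook-config-file": "",
    "--allow-privileged": "false",
    "--encryption-provider-config": "",
}

# Default-enabled admission plugins, copied from the --enable-admission-plugins entry above.
DEFAULT_ADMISSION: Set[str] = {
    "NamespaceLifecycle", "LimitRanger", "ServiceAccount", "TaintNodesByCondition",
    "Priority", "DefaultTolerationSeconds", "DefaultStorageClass",
    "StorageObjectInUseProtection", "PersistentVolumeClaimResize", "RuntimeClass",
    "CertificateApproval", "CertificateSigning", "CertificateSubjectRestriction",
    "DefaultIngressClass", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook",
    "ResourceQuota",
}


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Collect --flag=value and '--flag value' pairs from a command line.
    A boolean flag given bare (e.g. --allow-privileged) counts as true."""
    tokens = shlex.split(cmdline)
    flags: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                name, value = tok.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                name, value, i = tok, tokens[i + 1], i + 1
            else:
                name, value = tok, "true"
            flags[name] = value
        i += 1
    return flags


def split_list(value: str) -> Set[str]:
    """Turn a comma-delimited flag value (with or without the man page's [] notation)
    into a set of names, ignoring empty entries."""
    return {item.strip() for item in value.strip("[]").split(",") if item.strip()}


def effective_admission_plugins(flags: Dict[str, str]) -> Set[str]:
    """Defaults plus --enable-admission-plugins, minus --disable-admission-plugins,
    which is how the two flag descriptions on this page define them."""
    enabled = split_list(flags.get("--enable-admission-plugins", ""))
    disabled = split_list(flags.get("--disable-admission-plugins", ""))
    return (DEFAULT_ADMISSION | enabled) - disabled


def find_weak_settings(cmdline: str) -> List[str]:
    """Return one finding per permissive setting, judged against the page's defaults."""
    flags = parse_flags(cmdline)

    def get(name: str) -> str:
        return flags.get(name, DEFAULTS[name])

    findings: List[str] = []
    modes = split_list(get("--authorization-mode"))
    if "AlwaysAllow" in modes:
        findings.append("authorization-mode contains AlwaysAllow: every request on the secure port is authorized")
    if get("--anonymous-auth") == "true" and "AlwaysAllow" in modes:
        findings.append("anonymous-auth=true with AlwaysAllow: unauthenticated requests are authorized too")
    if get("--insecure-port") != "0":
        findings.append("insecure-port=%s: unsecured, unauthenticated access is served" % get("--insecure-port"))
    if get("--audit-log-path") == "" and get("--audit-webhook-config-file") == "":
        findings.append("no audit backend: neither --audit-log-path nor --audit-webhook-config-file is set")
    if get("--allow-privileged") == "true":
        findings.append("allow-privileged=true: privileged containers are permitted")
    if get("--encryption-provider-config") == "":
        findings.append("no encryption-provider-config: secrets are stored in etcd without an encryption provider")
    plugins = effective_admission_plugins(flags)
    if "NodeRestriction" not in plugins:
        findings.append("NodeRestriction admission plugin is not enabled (it is not in the default set)")
    if "ServiceAccount" not in plugins:
        findings.append("ServiceAccount admission plugin has been disabled")
    return findings


# Constructed sample command lines for illustration; paths are placeholders, not real cluster config.
WEAK_CMDLINE = ("kube-apiserver --etcd-servers=https://127.0.0.1:2379 --insecure-port=8080 "
                "--allow-privileged --disable-admission-plugins=ServiceAccount")
HARDENED_CMDLINE = ("kube-apiserver --etcd-servers=https://127.0.0.1:2379 "
                    "--authorization-mode=Node,RBAC --anonymous-auth=false "
                    "--audit-policy-file=/etc/kubernetes/audit-policy.yaml "
                    "--audit-log-path=/var/log/kubernetes/audit.log "
                    "--encryption-provider-config=/etc/kubernetes/enc.yaml "
                    "--enable-admission-plugins=NodeRestriction")

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(label + ":", *(find_weak_settings(cmd) or ["no findings"]), sep="\n  ")
```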

       --kubelet-certificate-authority=""      Path to a cert file for the certificate authority.

       --kubelet-client-certificate=""      Path to a client cert file for TLS.

       --kubelet-client-key=""      Path to a client key file for TLS.

       --kubelet-https=true      Use https for kubelet connections.

       --kubelet-port=10250      DEPRECATED: kubelet port.

       --kubelet-preferred-address-types=[Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP]      List of the preferred NodeAddressTypes to use for kubelet connections.

       --kubelet-read-only-port=10255      DEPRECATED: kubelet read only port.

       --kubelet-timeout=5s      Timeout for kubelet operations.

       --kubernetes-service-node-port=0      If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be of type NodePort, using this as the value of the port. If zero, the Kubernetes master service will be of type ClusterIP.

       --livez-grace-period=0s      This option represents the maximum amount of time it should take for apiserver to complete its startup sequence and become live. From apiserver's start time to when this amount of time has elapsed, /livez will assume that unfinished post-start hooks will complete successfully and therefore return true.

       --log-backtrace-at=:0      when logging hits line file:N, emit a stack trace

       --log-dir=""      If non-empty, write log files in this directory

       --log-file=""      If non-empty, use this log file

       --log-file-max-size=1800      Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

       --log-flush-frequency=5s      Maximum number of seconds between log flushes

       --logging-format="text"      Sets the log format. Permitted formats: "json", "text". Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency. Non-default choices are currently alpha and subject to change without warning.

       --logtostderr=true      log to standard error instead of files

       --master-service-namespace="default"      DEPRECATED: the namespace from which the Kubernetes master services should be injected into pods.

       --max-connection-bytes-per-sec=0      If non-zero, throttle each user connection to this number of bytes/sec. Currently only applies to long-running requests.

       --max-mutating-requests-inflight=200      The maximum number of mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit.

       --max-requests-inflight=400      The maximum number of non-mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit.

       --min-request-timeout=1800      An optional field indicating the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler, which picks a randomized value above this number as the connection timeout, to spread out load.

       --oidc-ca-file=""      If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.

       --oidc-client-id=""      The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.

       --oidc-groups-claim=""      If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This flag is experimental, please see the authentication documentation for further details.

       --oidc-groups-prefix=""      If provided, all groups will be prefixed
725       with this value to prevent conflicts with other authentication  strate‐
726       gies.
727
728
729       --oidc-issuer-url=""       The  URL  of  the  OpenID issuer, only HTTPS
730       scheme will be accepted. If set, it will be used  to  verify  the  OIDC
731       JSON Web Token (JWT).
732
733
734       --oidc-required-claim=       A key=value pair that describes a required
735       claim in the ID Token. If set, the claim is verified to be  present  in
736       the  ID Token with a matching value. Repeat this flag to specify multi‐
737       ple claims.
738
739
740       --oidc-signing-algs=[RS256]      Comma-separated list of  allowed  JOSE
741       asymmetric  signing  algorithms.  JWTs with an 'alg' header value not in
742       this  list  will  be  rejected.  Values  are  defined   by   RFC   7518
743       https://tools.ietf.org/html/rfc7518#section-3.1.
744
745
746       --oidc-username-claim="sub"       The  OpenID  claim to use as the user
747       name. Note that claims other than the default ('sub') are not guaranteed
748       to  be  unique and immutable. This flag is experimental, please see the
749       authentication documentation for further details.
750
751
752       --oidc-username-prefix=""      If provided, all usernames will be  pre‐
753       fixed  with  this  value.  If  not provided, username claims other than
754       'email' are prefixed by the issuer URL to avoid clashes.  To  skip  any
755       prefixing, provide the value '-'.
756
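       The --oidc-* flags above together decide how an ID token becomes a Kubernetes
       identity. The following Go program is an added example, not code from
       kube-apiserver, that applies those checks in the order the flags describe:
       the 'alg' allowlist from --oidc-signing-algs, the issuer and client-ID
       (audience) match, then the username and group mapping with the prefix rules
       of --oidc-username-prefix and --oidc-groups-prefix. The issuer URL, client
       ID, claim names and the token itself are constructed for the demonstration;
       the token carries a placeholder signature because verifying it against the
       issuer's key set (the step --oidc-ca-file protects) is assumed to happen
       before this mapping. Joining issuer URL and username with '#' when no
       prefix is configured is the apiserver's convention.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// OIDCConfig mirrors the --oidc-* flags documented above.
type OIDCConfig struct {
	IssuerURL      string   // --oidc-issuer-url
	ClientID       string   // --oidc-client-id
	UsernameClaim  string   // --oidc-username-claim (the flag's default is "sub")
	UsernamePrefix string   // --oidc-username-prefix: "" = issuer-derived, "-" = none
	GroupsClaim    string   // --oidc-groups-claim
	GroupsPrefix   string   // --oidc-groups-prefix
	SigningAlgs    []string // --oidc-signing-algs
}

// stringSet accepts a claim value that is either a string or an array of strings.
func stringSet(v any) (out []string) {
	if s, ok := v.(string); ok {
		return []string{s}
	}
	arr, _ := v.([]any)
	for _, e := range arr {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

func inList(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// Authenticate applies the flag-driven checks in order (alg allowlist, issuer, audience)
// and maps claims to a username and groups; JWKS signature verification is assumed to precede it.
func (c OIDCConfig) Authenticate(token string) (name string, groups []string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("token must have three segments")
	}
	var header, claims map[string]any
	for i, dst := range []*map[string]any{&header, &claims} {
		raw, derr := base64.RawURLEncoding.DecodeString(parts[i])
		if derr != nil || json.Unmarshal(raw, dst) != nil {
			return "", nil, fmt.Errorf("segment %d is not base64url-encoded JSON", i)
		}
	}
	// Anything outside --oidc-signing-algs ("none", HS256, ...) is rejected before a claim is read.
	if alg, _ := header["alg"].(string); !inList(c.SigningAlgs, alg) {
		return "", nil, fmt.Errorf("alg %q not in --oidc-signing-algs", alg)
	}
	if iss, _ := claims["iss"].(string); iss != c.IssuerURL {
		return "", nil, fmt.Errorf("iss %q does not match --oidc-issuer-url", iss)
	}
	if !inList(stringSet(claims["aud"]), c.ClientID) {
		return "", nil, fmt.Errorf("aud does not contain --oidc-client-id")
	}
	if name, _ = claims[c.UsernameClaim].(string); name == "" {
		return "", nil, fmt.Errorf("username claim %q missing", c.UsernameClaim)
	}
	switch {
	case c.UsernamePrefix == "-": // explicit opt-out of prefixing
	case c.UsernamePrefix != "":
		name = c.UsernamePrefix + name
	case c.UsernameClaim != "email": // issuer URL plus "#" keeps identities from colliding
		name = c.IssuerURL + "#" + name
	}
	if c.GroupsClaim != "" {
		for _, g := range stringSet(claims[c.GroupsClaim]) {
			groups = append(groups, c.GroupsPrefix+g)
		}
	}
	return name, groups, nil
}

// MakeUnsignedToken builds a compact JWT with a placeholder signature (constructed input, not a real ID token).
func MakeUnsignedToken(alg string, claims map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": alg, "typ": "JWT"}) + "." + enc(claims) + ".sig"
}

func main() {
	cfg := OIDCConfig{IssuerURL: "https://issuer.example.com", ClientID: "kubernetes", UsernameClaim: "sub",
		GroupsClaim: "groups", GroupsPrefix: "oidc:", SigningAlgs: []string{"RS256"}}
	claims := map[string]any{"iss": cfg.IssuerURL, "aud": "kubernetes", "sub": "alice", "groups": []string{"dev", "ops"}}
	fmt.Println(cfg.Authenticate(MakeUnsignedToken("RS256", claims)))
}
```

       The same token re-issued with alg "none" or "HS256" is refused before any
       claim is inspected, which is why --oidc-signing-algs should never be widened
       to symmetric algorithms. Without --oidc-groups-prefix an identity provider
       could hand a user the group "system:masters"; the prefix is what keeps
       externally asserted groups out of the cluster's reserved namespace.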
757
758       --one-output=false      If true, only write logs to their native sever‐
759       ity level (vs also writing to each lower severity level)
760
761
762       --permit-port-sharing=false      If true,  SO_REUSEPORT  will  be  used
763       when  binding  the port, which allows more than one instance to bind on
764       the same address and port.
765
766
767       --port=0      The port on which to serve unsecured, unauthenticated ac‐
768       cess. Requests on this port bypass authentication and authorization entirely; the default of 0 disables it.
769
770
771       --profiling=true       Enable profiling via web interface host:port/de‐
772       bug/pprof/
773
774
775       --proxy-client-cert-file=""      Client certificate used to  prove  the
776       identity of the aggregator or kube-apiserver when it must call out dur‐
777       ing a request. This includes proxying requests to a user api-server and
778       calling out to webhook admission plugins. It is expected that this cert
779       includes a signature from the CA in the  --requestheader-client-ca-file
780       flag.  That CA is published in the 'extension-apiserver-authentication'
781       configmap in the kube-system namespace. Components receiving calls from
782       kube-aggregator  should use that CA to perform their half of the mutual
783       TLS verification.
784
785
786       --proxy-client-key-file=""      Private key for the client  certificate
787       used  to prove the identity of the aggregator or kube-apiserver when it
788       must call out during a request. This includes proxying  requests  to  a
789       user api-server and calling out to webhook admission plugins.
790
791
792       --request-timeout=1m0s      An optional field indicating the duration a
793       handler must keep a request open before timing it out. This is the  de‐
794       fault  request timeout for requests but may be overridden by flags such
795       as --min-request-timeout for specific types of requests.
796
797
798       --requestheader-allowed-names=[]      List of client certificate common
799       names  to allow to provide usernames in headers specified by --request‐
800       header-username-headers. If empty, any client certificate validated  by
801       the authorities in --requestheader-client-ca-file is allowed.
802
803
804       --requestheader-client-ca-file=""       Root  certificate bundle to use
805       to verify client certificates  on  incoming  requests  before  trusting
806       usernames  in  headers  specified  by --requestheader-username-headers.
807       WARNING: generally do not depend on authorization  being  already  done
808       for incoming requests.
809
810
811       --requestheader-extra-headers-prefix=[]       List  of  request  header
812       prefixes to inspect. X-Remote-Extra- is suggested.
813
814
815       --requestheader-group-headers=[]      List of request  headers  to  in‐
816       spect for groups. X-Remote-Group is suggested.
817
818
819       --requestheader-username-headers=[]      List of request headers to in‐
820       spect for usernames. X-Remote-User is common.
821
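       The --requestheader-* flags above describe front-proxy authentication: the
       API server trusts identity headers only on connections whose client
       certificate chains to --requestheader-client-ca-file and, if
       --requestheader-allowed-names is set, whose CN is on that list. The Go
       program below is an added example, not kube-apiserver code, of that
       decision. The CN "front-proxy-client", the header names and the request
       are constructed for the demonstration; the verified certificate chain is
       placed directly on the request, as the TLS layer would do after checking
       the client certificate against the configured CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// RequestHeaderConfig mirrors the --requestheader-* flags documented above.
type RequestHeaderConfig struct {
	AllowedNames       []string // --requestheader-allowed-names; empty = any cert the CA signed
	UsernameHeaders    []string // --requestheader-username-headers
	GroupHeaders       []string // --requestheader-group-headers
	ExtraHeadersPrefix []string // --requestheader-extra-headers-prefix
}

// ProxiedUser is the identity asserted by a trusted front proxy.
type ProxiedUser struct {
	Name   string
	Groups []string
	Extra  map[string][]string
}

func cnAllowed(allowed []string, cn string) bool {
	if len(allowed) == 0 {
		return true // documented default: any certificate the request-header CA signed
	}
	for _, n := range allowed {
		if n == cn {
			return true
		}
	}
	return false
}

// Authenticate returns (user, true, nil) only when the connection presented a client
// certificate the TLS layer verified against --requestheader-client-ca-file (surfaced
// as r.TLS.VerifiedChains) and whose CN passes --requestheader-allowed-names. Identity
// headers on any other request are ignored, never trusted.
func (c RequestHeaderConfig) Authenticate(r *http.Request) (ProxiedUser, bool, error) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
		return ProxiedUser{}, false, nil // no verified client cert: headers are ignored
	}
	cn := r.TLS.VerifiedChains[0][0].Subject.CommonName
	if !cnAllowed(c.AllowedNames, cn) {
		return ProxiedUser{}, false, errors.New("client certificate CN not in --requestheader-allowed-names")
	}
	u := ProxiedUser{Extra: map[string][]string{}}
	for _, h := range c.UsernameHeaders {
		if u.Name = r.Header.Get(h); u.Name != "" {
			break
		}
	}
	if u.Name == "" {
		return ProxiedUser{}, false, nil
	}
	for _, h := range c.GroupHeaders {
		u.Groups = append(u.Groups, r.Header.Values(h)...)
	}
	for key, vals := range r.Header {
		for _, p := range c.ExtraHeadersPrefix {
			if p = http.CanonicalHeaderKey(p); strings.HasPrefix(key, p) {
				k := strings.ToLower(strings.TrimPrefix(key, p))
				u.Extra[k] = append(u.Extra[k], vals...)
			}
		}
	}
	return u, true, nil
}

// proxiedRequest fakes what the TLS layer hands to the handler after verifying a
// client certificate with the given CN (constructed input; "" means no client cert).
func proxiedRequest(cn string, headers map[string]string) *http.Request {
	r, _ := http.NewRequest("GET", "https://apiserver.example/api/v1/namespaces", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	if cn != "" {
		leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
		r.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
	}
	return r
}

func main() {
	cfg := RequestHeaderConfig{AllowedNames: []string{"front-proxy-client"}, UsernameHeaders: []string{"X-Remote-User"},
		GroupHeaders: []string{"X-Remote-Group"}, ExtraHeadersPrefix: []string{"X-Remote-Extra-"}}
	hdr := map[string]string{"X-Remote-User": "alice", "X-Remote-Group": "system:masters", "X-Remote-Extra-Scopes": "openid"}
	for _, cn := range []string{"front-proxy-client", "some-other-client", ""} {
		u, ok, err := cfg.Authenticate(proxiedRequest(cn, hdr))
		fmt.Printf("cn=%q authenticated=%v user=%+v err=%v\n", cn, ok, u, err)
	}
}
```

       With --requestheader-allowed-names left empty, every certificate issued by
       the request-header CA can assert any username and any group, including
       system:masters, so that CA should be dedicated to the aggregator and front
       proxy and the allowed-names list should name their certificates explicitly.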
822
823       --runtime-config=      A set of key=value pairs that enable or  disable
824       built-in  APIs.  Supported  options are: v1=true|false for the core API
825       group; <group>/<version>=true|false for a specific API group  and  ver‐
826       sion (e.g. apps/v1=true); api/all=true|false controls all API versions;
827       api/ga=true|false controls all API versions of the form v[0-9]+;
828       api/beta=true|false controls all API versions of the form v[0-9]+beta[0-9]+;
829       api/alpha=true|false controls all API versions of the form v[0-9]+alpha[0-9]+;
830       api/legacy is deprecated, and will be removed in a future version.
832
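       Disabling API groups the cluster does not need is a straightforward way to
       shrink the attack surface, and the keys above are easiest to reason about
       as an allowlist. The following Go program is an added example, not
       kube-apiserver code, that parses a --runtime-config value and resolves
       whether a given group/version is served. It applies api/all first, then the
       api/ga, api/beta or api/alpha tier matched by the version patterns listed
       above, then the exact group/version key, so the most specific setting wins;
       that precedence is assumed to match the apiserver's. The group
       example.k8s.io and the defaultOn argument are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// The version patterns quoted in the --runtime-config description above.
var (
	gaVersion    = regexp.MustCompile(`^v[0-9]+$`)
	betaVersion  = regexp.MustCompile(`^v[0-9]+beta[0-9]+$`)
	alphaVersion = regexp.MustCompile(`^v[0-9]+alpha[0-9]+$`)
)

// ParseRuntimeConfig parses the comma-separated key=value list of --runtime-config.
func ParseRuntimeConfig(flag string) (map[string]bool, error) {
	cfg := map[string]bool{}
	for _, kv := range strings.Split(flag, ",") {
		kv = strings.TrimSpace(kv)
		if kv == "" {
			continue
		}
		key, val, found := strings.Cut(kv, "=")
		if !found {
			return nil, fmt.Errorf("%q is not a key=value pair", kv)
		}
		b, err := strconv.ParseBool(val)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		cfg[key] = b
	}
	return cfg, nil
}

// Enabled reports whether a group/version ("v1", "apps/v1", "example.k8s.io/v1alpha1")
// is served. defaultOn is what the server would do with no flag at all. Broad keys
// are applied first and the exact key last, so the most specific setting wins.
func Enabled(cfg map[string]bool, groupVersion string, defaultOn bool) bool {
	on := defaultOn
	version := groupVersion[strings.LastIndex(groupVersion, "/")+1:]
	if v, ok := cfg["api/all"]; ok {
		on = v
	}
	var tier string
	switch {
	case gaVersion.MatchString(version):
		tier = "api/ga"
	case betaVersion.MatchString(version):
		tier = "api/beta"
	case alphaVersion.MatchString(version):
		tier = "api/alpha"
	}
	if v, ok := cfg[tier]; ok {
		on = v
	}
	if v, ok := cfg[groupVersion]; ok {
		on = v
	}
	return on
}

func main() {
	// Hypothetical allowlist: serve only stable APIs plus one named beta version.
	cfg, err := ParseRuntimeConfig("api/all=false,api/ga=true,example.k8s.io/v1beta1=true")
	if err != nil {
		panic(err)
	}
	for _, gv := range []string{"v1", "apps/v1", "example.k8s.io/v1beta1", "example.k8s.io/v1alpha1"} {
		fmt.Printf("%-26s enabled=%v\n", gv, Enabled(cfg, gv, true))
	}
}
```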
833
834       --secure-port=6443      The port on which to serve HTTPS with authenti‐
835       cation and authorization. It cannot be switched off with 0.
836
837
838       --service-account-api-audiences=[]       Identifiers  of  the  API. The
839       service account token authenticator  will  validate  that  tokens  used
840       against the API are bound to at least one of these audiences.
841
842
843       --service-account-extend-token-expiration=true       Turns on projected
844       service account expiration extension  during  token  generation,  which
845       helps  safe transition from legacy token to bound service account token
846       feature. If this flag is enabled, admission injected  tokens  would  be
847       extended  up to 1 year to prevent unexpected failure during transition,
848       ignoring value of service-account-max-token-expiration.
849
850
851       --service-account-issuer=""      Identifier of the service account  to‐
852       ken  issuer.  The  issuer will assert this identifier in "iss" claim of
853       issued tokens. This value is a string or URI. If this option is  not  a
854       valid  URI  per  the  OpenID  Discovery 1.0 spec, the ServiceAccountIs‐
855       suerDiscovery feature will remain disabled, even if the feature gate is
856       set  to  true. It is highly recommended that this value comply with the
857       OpenID      spec:       https://openid.net/specs/openid-connect-discov
858       ery-1_0.html.  In practice, this means that service-account-issuer must
859       be an https URL. It is also highly recommended that this URL be capable
860       of   serving   OpenID   discovery   documents  at  {service-account-is‐
861       suer}/.well-known/openid-configuration.
862
863
864       --service-account-jwks-uri=""      Overrides the URI for the  JSON  Web
865       Key  Set  in the discovery doc served at /.well-known/openid-configura‐
866       tion. This flag is useful if the discovery doc and key set are served to
867       relying  parties  from  a  URL other than the API server's external (as
868       auto-detected or overridden with external-hostname). Only valid if  the
869       ServiceAccountIssuerDiscovery feature gate is enabled.
870
871
872       --service-account-key-file=[]      File containing PEM-encoded x509 RSA
873       or ECDSA private or public keys, used to verify ServiceAccount  tokens.
874       The specified file can contain multiple keys, and the flag can be spec‐
875       ified multiple times with different files. If  unspecified,  --tls-pri‐
876       vate-key-file  is  used. Must be specified when --service-account-sign‐
877       ing-key-file is provided.
878
879
880       --service-account-lookup=true      If true, validate ServiceAccount to‐
881       kens exist in etcd as part of authentication.
882
883
884       --service-account-max-token-expiration=0s      The maximum validity du‐
885       ration of a token created by the service account token  issuer.  If  an
886       otherwise  valid TokenRequest with a validity duration larger than this
887       value is requested, a token will be issued with a validity duration  of
888       this value.
889
890
891       --service-account-signing-key-file=""       Path  to the file that con‐
892       tains the current private key of the service account token issuer.  The
893       issuer will sign issued ID tokens with this private key.
894
895
896       --service-cluster-ip-range=""       A CIDR notation IP range from which
897       to assign service cluster IPs. This must not overlap with any IP ranges
898       assigned to nodes or pods.
899
900
901       --service-node-port-range=30000-32767       A port range to reserve for
902       services with NodePort visibility. Example: '30000-32767'. Inclusive at
903       both ends of the range.
904
905
906       --show-hidden-metrics-for-version=""        The  previous  version  for
907       which you want to show hidden metrics. Only the previous minor  version
908       is meaningful, other values will not be allowed. The format is <major>.<minor>,
909       e.g. '1.16'. The purpose of this format is to make sure you have the op‐
910       portunity to notice if the next release hides additional metrics, rather
911       than being surprised when they are permanently removed in  the  release
912       after that.
913
914
915       --shutdown-delay-duration=0s      Time to delay the termination. During
916       that time the server keeps serving  requests  normally.  The  endpoints
917       /healthz  and  /livez  will return success, but /readyz immediately re‐
918       turns  failure.  Graceful  termination  starts  after  this  delay  has
919       elapsed.  This can be used to allow load balancer to stop sending traf‐
920       fic to this server.
921
922
923       --skip-headers=false      If true, avoid header  prefixes  in  the  log
924       messages
925
926
927       --skip-log-headers=false       If  true, avoid headers when opening log
928       files
929
930
931       --ssh-keyfile=""      If non-empty, use secure SSH proxy to the  nodes,
932       using this user keyfile
933
934
935       --ssh-user=""      If non-empty, use secure SSH proxy to the nodes, us‐
936       ing this user name
937
938
939       --stderrthreshold=2      logs at or above this threshold go to stderr
940
941
942       --storage-backend=""      The storage backend for persistence. Options:
943       'etcd3' (default).
944
945
946       --storage-media-type="application/vnd.kubernetes.protobuf"      The me‐
947       dia type to use to store objects in storage. Some resources or  storage
948       backends  may  only  support a specific media type and will ignore this
949       setting.
950
951
952       --target-ram-mb=0      DEPRECATED: Memory limit  for  apiserver  in  MB
953       (used to configure sizes of caches, etc.)
954
955
956       --tls-cert-file=""       File  containing  the default x509 Certificate
957       for HTTPS. (CA cert, if any, concatenated after server cert). If  HTTPS
958       serving  is enabled, and --tls-cert-file and --tls-private-key-file are
959       not provided, a self-signed certificate and key are generated  for  the
960       public address and saved to the directory specified by --cert-dir.
961
962
963       --tls-cipher-suites=[]       Comma-separated  list of cipher suites for
964       the server. If omitted, the default Go  cipher  suites  will  be  used.
965       Preferred   values:   TLS_AES_128_GCM_SHA256,   TLS_AES_256_GCM_SHA384,
966       TLS_CHACHA20_POLY1305_SHA256,     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
967       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
968       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
969       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
970       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
971       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
972       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
973       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
974       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
975       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
976       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
977       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
978       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
979       TLS_RSA_WITH_3DES_EDE_CBC_SHA,            TLS_RSA_WITH_AES_128_CBC_SHA,
980       TLS_RSA_WITH_AES_128_GCM_SHA256,          TLS_RSA_WITH_AES_256_CBC_SHA,
981       TLS_RSA_WITH_AES_256_GCM_SHA384.             Insecure           values:
982       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
983       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
984       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,  TLS_ECDHE_RSA_WITH_RC4_128_SHA,
985       TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
986
987
988       --tls-min-version=""       Minimum TLS version supported. Possible val‐
989       ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
990
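       The --tls-cipher-suites and --tls-min-version entries above list the
       names the flags accept and which of them are insecure. The Go program
       below is an added example, not kube-apiserver code, that resolves a flag
       value against the suites Go's crypto/tls package itself ships, maps the
       version names to their constants, and builds the tls.Config a server
       would use. The policy it enforces (refuse anything Go lists under
       InsecureCipherSuites() and refuse a minimum below TLS 1.2 unless allowWeak
       is set) is this example's, not something the apiserver does for you.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsVersions maps the --tls-min-version spellings to crypto/tls constants.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// ParseCipherSuites resolves a --tls-cipher-suites value against the suites the Go
// runtime knows. Names Go itself lists under InsecureCipherSuites() are returned
// separately so the caller can refuse them; an unknown name is an error.
func ParseCipherSuites(flag string) (ids []uint16, insecure []string, err error) {
	known := map[string]uint16{}
	for _, s := range tls.CipherSuites() {
		known[s.Name] = s.ID
	}
	weak := map[string]uint16{}
	for _, s := range tls.InsecureCipherSuites() {
		weak[s.Name] = s.ID
	}
	if strings.TrimSpace(flag) == "" {
		return nil, nil, nil // empty flag: Go's own default suite list
	}
	for _, name := range strings.Split(flag, ",") {
		name = strings.TrimSpace(name)
		if id, ok := known[name]; ok {
			ids = append(ids, id)
		} else if id, ok := weak[name]; ok {
			ids = append(ids, id)
			insecure = append(insecure, name)
		} else {
			return nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		}
	}
	return ids, insecure, nil
}

// BuildServerConfig turns --tls-min-version and --tls-cipher-suites into a tls.Config.
// Refusing TLS < 1.2 and insecure suites unless allowWeak is set is this example's
// policy, not something the apiserver enforces.
func BuildServerConfig(minVersion, cipherSuites string, allowWeak bool) (*tls.Config, error) {
	var v uint16 // 0 leaves crypto/tls's own default minimum in place
	if minVersion != "" {
		var ok bool
		if v, ok = tlsVersions[minVersion]; !ok {
			return nil, fmt.Errorf("unknown --tls-min-version %q", minVersion)
		}
		if v < tls.VersionTLS12 && !allowWeak {
			return nil, fmt.Errorf("%s permits TLS 1.0/1.1 handshakes", minVersion)
		}
	}
	ids, insecure, err := ParseCipherSuites(cipherSuites)
	if err != nil {
		return nil, err
	}
	if len(insecure) > 0 && !allowWeak {
		return nil, fmt.Errorf("insecure cipher suites requested: %s", strings.Join(insecure, ","))
	}
	return &tls.Config{MinVersion: v, CipherSuites: ids}, nil
}

func main() {
	hardened := "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
	for _, tc := range []struct{ min, suites string }{
		{"VersionTLS12", hardened},
		{"VersionTLS10", hardened},
		{"VersionTLS12", "TLS_RSA_WITH_RC4_128_SHA"},
	} {
		cfg, err := BuildServerConfig(tc.min, tc.suites, false)
		if err != nil {
			fmt.Printf("--tls-min-version=%s --tls-cipher-suites=%s: rejected: %v\n", tc.min, tc.suites, err)
			continue
		}
		fmt.Printf("--tls-min-version=%s: %d suites accepted, MinVersion=0x%04x\n", tc.min, len(cfg.CipherSuites), cfg.MinVersion)
	}
}
```

       Two caveats when comparing this with the flag itself. The apiserver accepts
       some spellings that crypto/tls does not report, for instance the CHACHA20
       names both with and without the _SHA256 suffix in the list above, so the
       parser here rejects the unsuffixed alias that the real flag takes. And the
       three TLS_AES_* / TLS_CHACHA20_POLY1305_SHA256 suites belong to TLS 1.3,
       whose suite set crypto/tls does not let a config restrict; listing them is
       harmless but has no effect on a 1.3 handshake.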
991
992       --tls-private-key-file=""      File containing the default x509 private
993       key matching --tls-cert-file.
994
995
996       --tls-sni-cert-key=[]       A  pair of x509 certificate and private key
997       file paths, optionally suffixed with a list of  domain  patterns  which
998       are  fully qualified domain names, possibly with prefixed wildcard seg‐
999       ments. The domain patterns also allow IP addresses, but IPs should only
1000       be  used if the apiserver has visibility to the IP address requested by
1001       a client. If no domain patterns are provided, the names of the certifi‐
1002       cate  are  extracted. Non-wildcard matches trump over wildcard matches,
1003       explicit domain patterns  trump  over  extracted  names.  For  multiple
1004       key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
1005       ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
1006
1007
1008       --token-auth-file=""      If set, the file that will be used to  secure
1009       the secure port of the API server via token authentication. Tokens in this file never expire and the list is read only at startup; changing it requires restarting the API server.
1010
1011
1012       -v, --v=0      number for the log level verbosity
1013
1014
1015       --version=false      Print version information and quit
1016
1017
1018       --vmodule=        comma-separated   list   of  pattern=N  settings  for
1019       file-filtered logging
1020
1021
1022       --watch-cache=true      Enable watch caching in the apiserver
1023
1024
1025       --watch-cache-sizes=[]      Watch cache  size  settings  for  some  re‐
1026       sources  (pods,  nodes,  etc.), comma separated. The individual setting
1027       format: resource[.group]#size, where resource is lowercase  plural  (no
1028       version),  group  is omitted for resources of apiVersion v1 (the legacy
1029       core API) and included for others, and size is a number. It  takes  ef‐
1030       fect  when  watch-cache  is  enabled.  Some  resources (replicationcon‐
1031       trollers, endpoints, nodes,  pods,  services,  apiservices.apiregistra‐
1032       tion.k8s.io)  have system defaults set by heuristics, others default to
1033       default-watch-cache-size
1034
1035
1036

HISTORY

1038       January 2015, Originally compiled by Eric Paris (eparis at  redhat  dot
1039       com)  based  on the kubernetes source material, but hopefully they have
1040       been automatically generated since!
1041
1042
1043
1044Manuals                              User            KUBERNETES(1)(kubernetes)