KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kube-apiserver -

SYNOPSIS
       kube-apiserver [OPTIONS]

DESCRIPTION
       The Kubernetes API server validates and configures data for the api objects which include pods, services, replicationcontrollers, and others. The API Server services REST operations and provides the frontend to the cluster's shared state through which all other components interact.

OPTIONS
       --add-dir-header=false
              If true, adds the file directory to the header of the log messages

       --address=127.0.0.1
              The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

       --admission-control=[]
              Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook.

       --admission-control-config-file=""
              File with admission control configuration.

       --advertise-address=
              The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.

       --allow-privileged=false
              If true, allow privileged containers. [default=false]

       --alsologtostderr=false
              log to standard error as well as files

       --anonymous-auth=true
              Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.

       --api-audiences=[]
              Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL.

       --apiserver-count=1
              The number of apiservers running in the cluster, must be a positive number. (In use when --endpoint-reconciler-type=master-count is enabled.)

       --audit-log-batch-buffer-size=10000
              The size of the buffer to store events before batching and writing. Only used in batch mode.

       --audit-log-batch-max-size=1
              The maximum size of a batch. Only used in batch mode.

       --audit-log-batch-max-wait=0s
              The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode.

       --audit-log-batch-throttle-burst=0
              Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode.

       --audit-log-batch-throttle-enable=false
              Whether batching throttling is enabled. Only used in batch mode.

       --audit-log-batch-throttle-qps=0
              Maximum average number of batches per second. Only used in batch mode.

       --audit-log-compress=false
              If set, the rotated log files will be compressed using gzip.

       --audit-log-format="json"
              Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json.

       --audit-log-maxage=0
              The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.

       --audit-log-maxbackup=0
              The maximum number of old audit log files to retain.

       --audit-log-maxsize=0
              The maximum size in megabytes of the audit log file before it gets rotated.

       --audit-log-mode="blocking"
              Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict.

       --audit-log-path=""
              If set, all requests coming to the apiserver will be logged to this file. '-' means standard out.
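       The following is an added example, not part of this manual or of the kube-apiserver source. It reads events in the audit.k8s.io/v1 JSON format that --audit-log-format="json" writes to the --audit-log-path file and reports requests made under the system:anonymous identity that --anonymous-auth=true assigns, separating those the authorizer refused (401/403) from those that succeeded against an API path, which means system:unauthenticated has been granted access by some authorizer. The sample events, the source addresses and the allow-list of health endpoints are constructed for the example.

```python
import json
from collections import Counter

# Paths commonly left reachable without credentials (health probes); treated as
# expected anonymous traffic. This allow-list is an assumption of the example.
ANONYMOUS_OK_PREFIXES = ("/healthz", "/livez", "/readyz", "/version")

# Constructed events in the audit.k8s.io/v1 shape that --audit-log-format=json
# produces, one JSON object per line. Not captured from a real cluster.
ANON = {"username": "system:anonymous", "groups": ["system:unauthenticated"]}
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "a1", "stage": "RequestReceived", "verb": "list",
     "requestURI": "/api/v1/namespaces/kube-system/secrets",
     "user": ANON, "sourceIPs": ["203.0.113.7"]},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "a1", "stage": "ResponseComplete", "verb": "list",
     "requestURI": "/api/v1/namespaces/kube-system/secrets",
     "user": ANON, "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 403}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "a2", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/healthz",
     "user": ANON, "sourceIPs": ["10.0.0.5"], "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "a3", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/namespaces/default/pods",
     "user": ANON, "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "a4", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/nodes",
     "user": {"username": "system:kube-controller-manager",
              "groups": ["system:authenticated"]},
     "sourceIPs": ["10.0.0.2"], "responseStatus": {"code": 200}},
]) + "\nthis line is not JSON\n"


def is_anonymous(event):
    """True if the request carried the identity --anonymous-auth assigns."""
    user = event.get("user") or {}
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in (user.get("groups") or []))


def scan_audit_log(text):
    """Summarise anonymous traffic in a JSON-lines audit log.

    Only the ResponseComplete stage is counted, so each request is seen once
    (RequestReceived and ResponseStarted events describe the same request).
    Lines that are not valid JSON are counted and skipped rather than aborting.
    """
    summary = {"events": 0, "malformed": 0, "anonymous": 0,
               "anonymous_denied": 0, "anonymous_allowed": [],
               "anonymous_by_source": Counter()}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            summary["malformed"] += 1
            continue
        if event.get("stage") != "ResponseComplete":
            continue
        summary["events"] += 1
        if not is_anonymous(event):
            continue
        summary["anonymous"] += 1
        for ip in event.get("sourceIPs") or ["unknown"]:
            summary["anonymous_by_source"][ip] += 1
        code = (event.get("responseStatus") or {}).get("code", 0)
        uri = event.get("requestURI", "")
        if 200 <= code < 300 and not uri.startswith(ANONYMOUS_OK_PREFIXES):
            # An anonymous request that succeeded on a real API path: some
            # authorizer granted access to system:unauthenticated.
            summary["anonymous_allowed"].append((event.get("verb"), uri, code))
        elif code in (401, 403):
            summary["anonymous_denied"] += 1
    return summary


if __name__ == "__main__":
    report = scan_audit_log(SAMPLE_AUDIT_LOG)
    print("requests: %d, malformed lines: %d" % (report["events"], report["malformed"]))
    print("anonymous: %d (denied %d)" % (report["anonymous"], report["anonymous_denied"]))
    for verb, uri, code in report["anonymous_allowed"]:
        print("ANONYMOUS SUCCESS: %s %s -> %d" % (verb, uri, code))
    for ip, n in report["anonymous_by_source"].most_common():
        print("  %s: %d anonymous requests" % (ip, n))
```

       Run it against a real file with scan_audit_log(open(path).read()). A non-empty anonymous_allowed list is the item to investigate (a RoleBinding or ClusterRoleBinding naming system:unauthenticated, or --authorization-mode still at its AlwaysAllow default); a high anonymous_denied count from one source is the expected footprint of unauthenticated requests being rejected, which disappears entirely once --anonymous-auth=false is set.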
147
148
       --audit-log-truncate-enabled=false
              Whether event and batch truncating is enabled.

       --audit-log-truncate-max-batch-size=10485760
              Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size.

       --audit-log-truncate-max-event-size=102400
              Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded.

       --audit-log-version="audit.k8s.io/v1"
              API group and version used for serializing audit events written to log.

       --audit-policy-file=""
              Path to the file that defines the audit policy configuration.

       --audit-webhook-batch-buffer-size=10000
              The size of the buffer to store events before batching and writing. Only used in batch mode.

       --audit-webhook-batch-initial-backoff=10s
              The amount of time to wait before retrying the first failed request.

       --audit-webhook-batch-max-size=400
              The maximum size of a batch. Only used in batch mode.

       --audit-webhook-batch-max-wait=30s
              The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode.

       --audit-webhook-batch-throttle-burst=15
              Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode.

       --audit-webhook-batch-throttle-enable=true
              Whether batching throttling is enabled. Only used in batch mode.

       --audit-webhook-batch-throttle-qps=10
              Maximum average number of batches per second. Only used in batch mode.

       --audit-webhook-config-file=""
              Path to a kubeconfig formatted file that defines the audit webhook configuration.

       --audit-webhook-initial-backoff=10s
              The amount of time to wait before retrying the first failed request.

       --audit-webhook-mode="batch"
              Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict.

       --audit-webhook-truncate-enabled=false
              Whether event and batch truncating is enabled.

       --audit-webhook-truncate-max-batch-size=10485760
              Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size.

       --audit-webhook-truncate-max-event-size=102400
              Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded.

       --audit-webhook-version="audit.k8s.io/v1"
              API group and version used for serializing audit events written to webhook.

       --authentication-token-webhook-cache-ttl=2m0s
              The duration to cache responses from the webhook token authenticator.

       --authentication-token-webhook-config-file=""
              File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.

       --authentication-token-webhook-version="v1beta1"
              The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.

       --authorization-mode=[AlwaysAllow]
              Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node.

       --authorization-policy-file=""
              File with authorization policy in json line by line format, used with --authorization-mode=ABAC, on the secure port.

       --authorization-webhook-cache-authorized-ttl=5m0s
              The duration to cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=30s
              The duration to cache 'unauthorized' responses from the webhook authorizer.

       --authorization-webhook-config-file=""
              File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.

       --authorization-webhook-version="v1beta1"
              The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.

       --azure-container-registry-config=""
              Path to the file containing Azure container registry configuration information.

       --bind-address=0.0.0.0
              The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir="/var/run/kubernetes"
              The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

       --client-ca-file=""
              If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

       --cloud-config=""
              The path to the cloud provider configuration file. Empty string for no configuration file.

       --cloud-provider=""
              The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

       --contention-profiling=false
              Enable lock contention profiling, if profiling is enabled

       --cors-allowed-origins=[]
              List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.

       --default-not-ready-toleration-seconds=300
              Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.

       --default-unreachable-toleration-seconds=300
              Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

       --default-watch-cache-size=100
              Default watch cache size. If zero, watch cache will be disabled for resources that do not have a default watch size set.

       --delete-collection-workers=1
              Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup.

       --deserialization-cache-size=0
              Number of deserialized json objects to cache in memory.

       --disable-admission-plugins=[]
              admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.

       --egress-selector-config-file=""
              File with apiserver egress selector configuration.

       --enable-admission-plugins=[]
              admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.

       --enable-aggregator-routing=false
              Turns on aggregator routing requests to endpoints IP rather than cluster IP.

       --enable-bootstrap-token-auth=false
              Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication.

       --enable-garbage-collector=true
              Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-controller-manager.

       --enable-logs-handler=true
              If true, install a /logs handler for the apiserver logs.

       --enable-priority-and-fairness=true
              If true and the APIPriorityAndFairness feature gate is enabled, replace the max-in-flight handler with an enhanced one that queues and dispatches with priority and fairness

       --enable-swagger-ui=false
              Enables swagger ui on the apiserver at /swagger-ui

       --encryption-provider-config=""
              The file containing configuration for encryption providers to be used for storing secrets in etcd

       --endpoint-reconciler-type="lease"
              Use an endpoint reconciler (master-count, lease, none)

       --etcd-cafile=""
              SSL Certificate Authority file used to secure etcd communication.

       --etcd-certfile=""
              SSL certification file used to secure etcd communication.

       --etcd-compaction-interval=5m0s
              The interval of compaction requests. If 0, the compaction request from apiserver is disabled.

       --etcd-count-metric-poll-period=1m0s
              Frequency of polling etcd for number of resources per type. 0 disables the metric collection.

       --etcd-db-metric-poll-interval=30s
              The interval of requests to poll etcd and update metric. 0 disables the metric collection

       --etcd-healthcheck-timeout=2s
              The timeout to use when checking etcd health.

       --etcd-keyfile=""
              SSL key file used to secure etcd communication.

       --etcd-prefix="/registry"
              The prefix to prepend to all resource paths in etcd.

       --etcd-servers=[]
              List of etcd servers to connect with (scheme://ip:port), comma separated.

       --etcd-servers-overrides=[]
              Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are URLs, semicolon separated.

       --event-ttl=1h0m0s
              Amount of time to retain events.

       --experimental-encryption-provider-config=""
              The file containing configuration for encryption providers to be used for storing secrets in etcd

       --experimental-logging-sanitization=false
              [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

       --external-hostname=""
              The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs or OpenID Discovery).

       --feature-gates=
              A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
                     APIListChunking=true|false (BETA - default=true)
                     APIPriorityAndFairness=true|false (BETA - default=true)
                     APIResponseCompression=true|false (BETA - default=true)
                     APIServerIdentity=true|false (ALPHA - default=false)
                     AllAlpha=true|false (ALPHA - default=false)
                     AllBeta=true|false (BETA - default=false)
                     AllowInsecureBackendProxy=true|false (BETA - default=true)
                     AnyVolumeDataSource=true|false (ALPHA - default=false)
                     AppArmor=true|false (BETA - default=true)
                     BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
                     BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
                     CPUManager=true|false (BETA - default=true)
                     CRIContainerLogRotation=true|false (BETA - default=true)
                     CSIInlineVolume=true|false (BETA - default=true)
                     CSIMigration=true|false (BETA - default=true)
                     CSIMigrationAWS=true|false (BETA - default=false)
                     CSIMigrationAWSComplete=true|false (ALPHA - default=false)
                     CSIMigrationAzureDisk=true|false (BETA - default=false)
                     CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
                     CSIMigrationAzureFile=true|false (ALPHA - default=false)
                     CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
                     CSIMigrationGCE=true|false (BETA - default=false)
                     CSIMigrationGCEComplete=true|false (ALPHA - default=false)
                     CSIMigrationOpenStack=true|false (BETA - default=false)
                     CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
                     CSIMigrationvSphere=true|false (BETA - default=false)
                     CSIMigrationvSphereComplete=true|false (BETA - default=false)
                     CSIServiceAccountToken=true|false (ALPHA - default=false)
                     CSIStorageCapacity=true|false (ALPHA - default=false)
                     CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
                     ConfigurableFSGroupPolicy=true|false (BETA - default=true)
                     CronJobControllerV2=true|false (ALPHA - default=false)
                     CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
                     DefaultPodTopologySpread=true|false (BETA - default=true)
                     DevicePlugins=true|false (BETA - default=true)
                     DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
                     DownwardAPIHugePages=true|false (ALPHA - default=false)
                     DynamicKubeletConfig=true|false (BETA - default=true)
                     EfficientWatchResumption=true|false (ALPHA - default=false)
                     EndpointSlice=true|false (BETA - default=true)
                     EndpointSliceNodeName=true|false (ALPHA - default=false)
                     EndpointSliceProxying=true|false (BETA - default=true)
                     EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
                     EphemeralContainers=true|false (ALPHA - default=false)
                     ExpandCSIVolumes=true|false (BETA - default=true)
                     ExpandInUsePersistentVolumes=true|false (BETA - default=true)
                     ExpandPersistentVolumes=true|false (BETA - default=true)
                     ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
                     GenericEphemeralVolume=true|false (ALPHA - default=false)
                     GracefulNodeShutdown=true|false (ALPHA - default=false)
                     HPAContainerMetrics=true|false (ALPHA - default=false)
                     HPAScaleToZero=true|false (ALPHA - default=false)
                     HugePageStorageMediumSize=true|false (BETA - default=true)
                     IPv6DualStack=true|false (ALPHA - default=false)
                     ImmutableEphemeralVolumes=true|false (BETA - default=true)
                     KubeletCredentialProviders=true|false (ALPHA - default=false)
                     KubeletPodResources=true|false (BETA - default=true)
                     LegacyNodeRoleBehavior=true|false (BETA - default=true)
                     LocalStorageCapacityIsolation=true|false (BETA - default=true)
                     LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
                     MixedProtocolLBService=true|false (ALPHA - default=false)
                     NodeDisruptionExclusion=true|false (BETA - default=true)
                     NonPreemptingPriority=true|false (BETA - default=true)
                     PodDisruptionBudget=true|false (BETA - default=true)
                     PodOverhead=true|false (BETA - default=true)
                     ProcMountType=true|false (ALPHA - default=false)
                     QOSReserved=true|false (ALPHA - default=false)
                     RemainingItemCount=true|false (BETA - default=true)
                     RemoveSelfLink=true|false (BETA - default=true)
                     RootCAConfigMap=true|false (BETA - default=true)
                     RotateKubeletServerCertificate=true|false (BETA - default=true)
                     RunAsGroup=true|false (BETA - default=true)
                     ServerSideApply=true|false (BETA - default=true)
                     ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
                     ServiceLBNodePortControl=true|false (ALPHA - default=false)
                     ServiceNodeExclusion=true|false (BETA - default=true)
                     ServiceTopology=true|false (ALPHA - default=false)
                     SetHostnameAsFQDN=true|false (BETA - default=true)
                     SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
                     StorageVersionAPI=true|false (ALPHA - default=false)
                     StorageVersionHash=true|false (BETA - default=true)
                     Sysctls=true|false (BETA - default=true)
                     TTLAfterFinished=true|false (ALPHA - default=false)
                     TopologyManager=true|false (BETA - default=true)
                     ValidateProxyRedirects=true|false (BETA - default=true)
                     WarningHeaders=true|false (BETA - default=true)
                     WinDSR=true|false (ALPHA - default=false)
                     WinOverlay=true|false (BETA - default=true)
                     WindowsEndpointSliceProxying=true|false (ALPHA - default=false)

       --goaway-chance=0
              To prevent HTTP/2 clients from getting stuck on a single apiserver, randomly close a connection (GOAWAY). The client's other in-flight requests won't be affected, and the client will reconnect, likely landing on a different apiserver after going through the load balancer again. This argument sets the fraction of requests that will be sent a GOAWAY. Clusters with single apiservers, or which don't use a load balancer, should NOT enable this. Min is 0 (off), Max is .02 (1/50 requests); .001 (1/1000) is a recommended starting point.

       -h, --help=false
              help for kube-apiserver

       --http2-max-streams-per-connection=0
              The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.

       --identity-lease-duration-seconds=3600
              The duration of kube-apiserver lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)

       --identity-lease-renew-interval-seconds=10
              The interval of kube-apiserver renewing its lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)

       --insecure-bind-address=127.0.0.1
              The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

       --insecure-port=0
              The port on which to serve unsecured, unauthenticated access.

       --kubelet-certificate-authority=""
              Path to a cert file for the certificate authority.

       --kubelet-client-certificate=""
              Path to a client cert file for TLS.

       --kubelet-client-key=""
              Path to a client key file for TLS.

       --kubelet-https=true
              Use https for kubelet connections.

       --kubelet-port=10250
              DEPRECATED: kubelet port.

       --kubelet-preferred-address-types=[Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP]
              List of the preferred NodeAddressTypes to use for kubelet connections.

       --kubelet-read-only-port=10255
              DEPRECATED: kubelet read only port.

       --kubelet-timeout=5s
              Timeout for kubelet operations.

       --kubernetes-service-node-port=0
              If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be of type NodePort, using this as the value of the port. If zero, the Kubernetes master service will be of type ClusterIP.

       --livez-grace-period=0s
              This option represents the maximum amount of time it should take for apiserver to complete its startup sequence and become live. From apiserver's start time to when this amount of time has elapsed, /livez will assume that unfinished post-start hooks will complete successfully and therefore return true.

       --log-backtrace-at=:0
              when logging hits line file:N, emit a stack trace

       --log-dir=""
              If non-empty, write log files in this directory

       --log-file=""
              If non-empty, use this log file

       --log-file-max-size=1800
              Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

       --log-flush-frequency=5s
              Maximum number of seconds between log flushes

       --logging-format="text"
              Sets the log format. Permitted formats: "json", "text". Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency. Non-default choices are currently alpha and subject to change without warning.

       --logtostderr=true
              log to standard error instead of files

       --master-service-namespace="default"
              DEPRECATED: the namespace from which the Kubernetes master services should be injected into pods.

       --max-connection-bytes-per-sec=0
              If non-zero, throttle each user connection to this number of bytes/sec. Currently only applies to long-running requests.

       --max-mutating-requests-inflight=200
              The maximum number of mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit.

       --max-requests-inflight=400
              The maximum number of non-mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit.

       --min-request-timeout=1800
              An optional field indicating the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler, which picks a randomized value above this number as the connection timeout, to spread out load.

       --oidc-ca-file=""
              If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.

       --oidc-client-id=""
              The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.

       --oidc-groups-claim=""
              If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This flag is experimental, please see the authentication documentation for further details.

       --oidc-groups-prefix=""
              If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.

       --oidc-issuer-url=""
              The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).

       --oidc-required-claim=
              A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims.

       --oidc-signing-algs=[RS256]
              Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with an 'alg' header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.

       --oidc-username-claim="sub"
              The OpenID claim to use as the user name. Note that claims other than the default ('sub') are not guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details.

       --oidc-username-prefix=""
              If provided, all usernames will be prefixed with this value. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'.

       --one-output=false
              If true, only write logs to their native severity level (vs also writing to each lower severity level)

       --permit-port-sharing=false
              If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]

       --port=0
              The port on which to serve unsecured, unauthenticated access.

       --profiling=true
              Enable profiling via web interface host:port/debug/pprof/
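       Several flags on this page default to the permissive setting: --anonymous-auth=true, --authorization-mode=[AlwaysAllow], --profiling=true, and an empty --audit-log-path, --audit-policy-file, --encryption-provider-config and --kubelet-certificate-authority, while --insecure-port and --port serve "unsecured, unauthenticated access" whenever non-zero. The following added example (not part of this manual or of kube-apiserver) parses a kube-apiserver command line, fills in those documented defaults for absent flags and reports the settings that leave the server unauthenticated, unaudited or unencrypted. The two command lines and every file path in them are constructed placeholders; the handling of repeated list flags (appending rather than replacing) mirrors the server's comma-delimited flags and is an assumption of the example.

```python
# Defaults as documented on this page; an absent flag takes its default.
DEFAULTS = {
    "anonymous-auth": "true", "authorization-mode": "AlwaysAllow",
    "insecure-port": "0", "port": "0", "profiling": "true",
    "audit-log-path": "", "audit-policy-file": "",
    "encryption-provider-config": "", "kubelet-certificate-authority": "",
    "etcd-cafile": "", "etcd-certfile": "", "etcd-keyfile": "",
    "enable-admission-plugins": "",
}
# Comma-delimited flags whose repeated occurrences accumulate rather than replace.
LIST_FLAGS = {"authorization-mode", "enable-admission-plugins",
              "disable-admission-plugins"}

# Constructed command lines; the paths are placeholders, not from a real cluster.
WEAK_ARGV = ["kube-apiserver", "--insecure-port=8080",
             "--etcd-servers=https://127.0.0.1:2379"]
HARDENED_ARGV = [
    "kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC",
    "--insecure-port=0", "--profiling=false",
    "--enable-admission-plugins=NodeRestriction",
    "--audit-log-path=/var/log/kubernetes/audit.log",
    "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
    "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml",
    "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt",
    "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt",
    "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key",
]


def parse_flags(argv):
    """Map '--flag=value' and '--flag value' tokens to {flag: value}.

    Tokens that do not start with '--' (such as the binary name) are skipped;
    a bare boolean flag like '--profiling' is read as 'true'. For LIST_FLAGS
    a repeated flag appends to the earlier value (assumption, see lead-in).
    """
    flags = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("--"):
            continue
        name, sep, value = tok[2:].partition("=")
        if not sep:
            if i < len(argv) and not argv[i].startswith("--"):
                value, i = argv[i], i + 1
            else:
                value = "true"
        if name in LIST_FLAGS and name in flags:
            flags[name] = flags[name] + "," + value
        else:
            flags[name] = value
    return flags


def check_apiserver_flags(argv):
    """Return (flag, finding) pairs; an empty list means every check passed."""
    f = {**DEFAULTS, **parse_flags(argv)}
    findings = []
    if f["anonymous-auth"] != "false":
        findings.append(("anonymous-auth", "requests without credentials are accepted as "
                         "system:anonymous in group system:unauthenticated"))
    modes = [m for m in f["authorization-mode"].split(",") if m]
    if "AlwaysAllow" in modes:
        findings.append(("authorization-mode", "AlwaysAllow authorizes every request on the secure port"))
    elif "RBAC" not in modes:
        findings.append(("authorization-mode", "RBAC is not in the authorizer chain: %s" % ",".join(modes)))
    for name in ("insecure-port", "port"):
        if f[name] != "0":
            findings.append((name, "unsecured, unauthenticated access is served on port %s" % f[name]))
    if f["profiling"] != "false":
        findings.append(("profiling", "pprof is reachable at host:port/debug/pprof/"))
    if not f["audit-log-path"]:
        findings.append(("audit-log-path", "no audit log: requests to the apiserver are not recorded"))
    if not f["audit-policy-file"]:
        findings.append(("audit-policy-file", "no audit policy defines which events are written"))
    if not f["encryption-provider-config"]:
        findings.append(("encryption-provider-config", "no encryption provider: secrets are stored in etcd unencrypted"))
    if not f["kubelet-certificate-authority"]:
        findings.append(("kubelet-certificate-authority", "no CA to verify kubelet serving certificates"))
    missing = [n for n in ("etcd-cafile", "etcd-certfile", "etcd-keyfile") if not f[n]]
    if missing:
        findings.append(("etcd-*", "etcd communication is not secured with client TLS; missing %s" % ", ".join(missing)))
    if "NodeRestriction" not in f["enable-admission-plugins"].split(","):
        findings.append(("enable-admission-plugins", "NodeRestriction is not enabled (it is not in the default-enabled list)"))
    return findings


if __name__ == "__main__":
    for flag, msg in check_apiserver_flags(WEAK_ARGV):
        print("%-30s %s" % ("--" + flag, msg))
```

       To audit a running server, pass the live argument vector, for example check_apiserver_flags(open("/proc/<pid>/cmdline").read().split("\0")) with the apiserver's PID substituted, or the command array from the static pod manifest. The checks only cover flags documented on this page; a clean result is the baseline for that set, not a complete hardening review.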
773
774
775 --proxy-client-cert-file="" Client certificate used to prove the
776 identity of the aggregator or kube-apiserver when it must call out dur‐
777 ing a request. This includes proxying requests to a user api-server and
778 calling out to webhook admission plugins. It is expected that this cert
779 includes a signature from the CA in the --requestheader-client-ca-file
780 flag. That CA is published in the 'extension-apiserver-authentication'
781 configmap in the kube-system namespace. Components receiving calls from
782 kube-aggregator should use that CA to perform their half of the mutual
783 TLS verification.
784
785
786 --proxy-client-key-file="" Private key for the client certificate
787 used to prove the identity of the aggregator or kube-apiserver when it
788 must call out during a request. This includes proxying requests to a
789 user api-server and calling out to webhook admission plugins.
790
791
792 --request-timeout=1m0s An optional field indicating the duration a
793 handler must keep a request open before timing it out. This is the de‐
794 fault request timeout for requests but may be overridden by flags such
795 as --min-request-timeout for specific types of requests.
796
797
798 --requestheader-allowed-names=[] List of client certificate common
799 names to allow to provide usernames in headers specified by --request‐
800 header-username-headers. If empty, any client certificate validated by
801 the authorities in --requestheader-client-ca-file is allowed.
802
803
804 --requestheader-client-ca-file="" Root certificate bundle to use
805 to verify client certificates on incoming requests before trusting
806 usernames in headers specified by --requestheader-username-headers.
807 WARNING: generally do not depend on authorization being already done
808 for incoming requests.
809
810
811 --requestheader-extra-headers-prefix=[] List of request header
812 prefixes to inspect. X-Remote-Extra- is suggested.
813
814
815 --requestheader-group-headers=[] List of request headers to in‐
816 spect for groups. X-Remote-Group is suggested.
817
818
819 --requestheader-username-headers=[] List of request headers to in‐
820 spect for usernames. X-Remote-User is common.
821
822
823 --runtime-config= A set of key=value pairs that enable or disable
824 built-in APIs. Supported options are:
825   v1=true|false                  the core API group
826   <group>/<version>=true|false   a specific API group and version (e.g. apps/v1=true)
827   api/all=true|false             all API versions
828   api/ga=true|false              all API versions of the form v[0-9]+
829   api/beta=true|false            all API versions of the form v[0-9]+beta[0-9]+
830   api/alpha=true|false           all API versions of the form v[0-9]+alpha[0-9]+
831   api/legacy                     deprecated, and will be removed in a future version
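Working out which API versions a given --runtime-config value actually leaves enabled is easy to get wrong by hand, especially when a class key such as api/alpha and a specific group/version key disagree. The following is an added example, not Kubernetes code: it classifies versions with the three patterns the flag documentation gives and applies keys from broadest (api/all) through the class keys to the exact group/version, so the most specific setting wins. That precedence and the per-version built-in defaults in KNOWN are assumptions of the example, not something this page states.

```python
"""Resolver for --runtime-config values. Added example, not kube-apiserver
code. Precedence (assumed): api/all, then api/ga|beta|alpha, then an exact
group/version key, so a specific key overrides the broad ones."""
import re
from typing import Dict, List

# The three version shapes named in the flag documentation.
VERSION_CLASSES = {
    "api/ga": re.compile(r"^v[0-9]+$"),
    "api/beta": re.compile(r"^v[0-9]+beta[0-9]+$"),
    "api/alpha": re.compile(r"^v[0-9]+alpha[0-9]+$"),
}


def parse_runtime_config(value: str) -> Dict[str, bool]:
    """Parse 'k=true,k2=false' into a dict; anything else is rejected."""
    config: Dict[str, bool] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, raw = item.partition("=")
        if not sep or raw not in ("true", "false"):
            raise ValueError(f"bad --runtime-config entry {item!r}, want key=true|false")
        config[key] = raw == "true"
    return config


def is_enabled(config: Dict[str, bool], group_version: str, default: bool) -> bool:
    """group_version is 'v1' for the core group, 'group/version' otherwise.
    default is whether the API is served when no key mentions it."""
    _, _, version = group_version.rpartition("/")
    enabled = default
    if "api/all" in config:
        enabled = config["api/all"]
    for key, pattern in VERSION_CLASSES.items():
        if key in config and pattern.match(version):
            enabled = config[key]
    if group_version in config:
        enabled = config[group_version]
    return enabled


def enabled_versions(config: Dict[str, bool], known: Dict[str, bool]) -> List[str]:
    """Versions from known (gv -> built-in default) that remain enabled."""
    return [gv for gv, default in known.items() if is_enabled(config, gv, default)]


def enabled_alpha_versions(config: Dict[str, bool], known: Dict[str, bool]) -> List[str]:
    """Audit helper: alpha APIs still served after applying the flag."""
    alpha = VERSION_CLASSES["api/alpha"]
    return [gv for gv in enabled_versions(config, known)
            if alpha.match(gv.rpartition("/")[2])]


# Constructed sample of group/versions with illustrative built-in defaults
# (alpha off, everything else on); not a real cluster's inventory.
KNOWN = {
    "v1": True,
    "apps/v1": True,
    "batch/v1": True,
    "batch/v1beta1": True,
    "networking.k8s.io/v1": True,
    "storage.k8s.io/v1alpha1": False,
}

if __name__ == "__main__":
    cfg = parse_runtime_config("api/alpha=false,api/beta=false,batch/v1beta1=true")
    print(enabled_versions(cfg, KNOWN))
    print(enabled_alpha_versions(parse_runtime_config("api/alpha=true"), KNOWN))
```

A hardening review of an apiserver manifest can feed its --runtime-config value into enabled_alpha_versions with the cluster's real inventory to confirm no alpha API is being served unintentionally.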
832
833
834 --secure-port=6443 The port on which to serve HTTPS with authenti‐
835 cation and authorization. It cannot be switched off with 0.
836
837
838 --service-account-api-audiences=[] Identifiers of the API. The
839 service account token authenticator will validate that tokens used
840 against the API are bound to at least one of these audiences.
841
842
843 --service-account-extend-token-expiration=true Turns on projected
844 service account expiration extension during token generation, which
845 helps a safe transition from legacy tokens to the bound service account
846 token feature. If this flag is enabled, admission-injected tokens are
847 extended up to 1 year to prevent unexpected failures during transition,
848 ignoring the value of --service-account-max-token-expiration.
849
850
851 --service-account-issuer="" Identifier of the service account to‐
852 ken issuer. The issuer will assert this identifier in "iss" claim of
853 issued tokens. This value is a string or URI. If this option is not a
854 valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIs‐
855 suerDiscovery feature will remain disabled, even if the feature gate is
856 set to true. It is highly recommended that this value comply with the
857 OpenID spec: https://openid.net/specs/openid-connect-discov‐
858 ery-1_0.html. In practice, this means that service-account-issuer must
859 be an https URL. It is also highly recommended that this URL be capable
860 of serving OpenID discovery documents at {service-account-is‐
861 suer}/.well-known/openid-configuration.
862
863
864 --service-account-jwks-uri="" Overrides the URI for the JSON Web
865 Key Set in the discovery doc served at /.well-known/openid-configuration.
866 This flag is useful if the discovery doc and key set are served to
867 relying parties from a URL other than the API server's external address
868 (as auto-detected or overridden with --external-hostname). Only valid if
869 the ServiceAccountIssuerDiscovery feature gate is enabled.
870
871
872 --service-account-key-file=[] File containing PEM-encoded x509 RSA
873 or ECDSA private or public keys, used to verify ServiceAccount tokens.
874 The specified file can contain multiple keys, and the flag can be
875 specified multiple times with different files. If unspecified,
876 --tls-private-key-file is used. Must be specified when
877 --service-account-signing-key-file is provided.
878
879
880 --service-account-lookup=true If true, validate ServiceAccount to‐
881 kens exist in etcd as part of authentication.
882
883
884 --service-account-max-token-expiration=0s The maximum validity du‐
885 ration of a token created by the service account token issuer. If an
886 otherwise valid TokenRequest with a validity duration larger than this
887 value is requested, a token will be issued with a validity duration of
888 this value.
889
890
891 --service-account-signing-key-file="" Path to the file that con‐
892 tains the current private key of the service account token issuer. The
893 issuer will sign issued ID tokens with this private key.
894
895
896 --service-cluster-ip-range="" A CIDR notation IP range from which
897 to assign service cluster IPs. This must not overlap with any IP ranges
898 assigned to nodes or pods.
899
900
901 --service-node-port-range=30000-32767 A port range to reserve for
902 services with NodePort visibility. Example: '30000-32767'. Inclusive at
903 both ends of the range.
904
905
906 --show-hidden-metrics-for-version="" The previous version for
907 which you want to show hidden metrics. Only the previous minor version
908 is meaningful, other values will not be allowed. The format is
909 <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
910 sure you have the opportunity to notice if the next release hides
911 additional metrics, rather than being surprised when they are
912 permanently removed in the release after that.
913
914
915 --shutdown-delay-duration=0s Time to delay the termination. During
916 that time the server keeps serving requests normally. The endpoints
917 /healthz and /livez will return success, but /readyz immediately
918 returns failure. Graceful termination starts after this delay has
919 elapsed. This can be used to allow a load balancer to stop sending
920 traffic to this server.
921
922
923 --skip-headers=false If true, avoid header prefixes in the log
924 messages
925
926
927 --skip-log-headers=false If true, avoid headers when opening log
928 files
929
930
931 --ssh-keyfile="" If non-empty, use secure SSH proxy to the nodes,
932 using this user keyfile
933
934
935 --ssh-user="" If non-empty, use secure SSH proxy to the nodes, us‐
936 ing this user name
937
938
939 --stderrthreshold=2 logs at or above this threshold go to stderr
940
941
942 --storage-backend="" The storage backend for persistence. Options:
943 'etcd3' (default).
944
945
946 --storage-media-type="application/vnd.kubernetes.protobuf" The me‐
947 dia type to use to store objects in storage. Some resources or storage
948 backends may only support a specific media type and will ignore this
949 setting.
950
951
952 --target-ram-mb=0 DEPRECATED: Memory limit for apiserver in MB
953 (used to configure sizes of caches, etc.)
954
955
956 --tls-cert-file="" File containing the default x509 Certificate
957 for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
958 serving is enabled, and --tls-cert-file and --tls-private-key-file are
959 not provided, a self-signed certificate and key are generated for the
960 public address and saved to the directory specified by --cert-dir.
961
962
963 --tls-cipher-suites=[] Comma-separated list of cipher suites for
964 the server. If omitted, the default Go cipher suites will be used.
965 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
966 TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
967 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
968 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
969 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
970 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
971 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
972 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
973 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
974 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
975 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
976 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
977 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
978 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
979 TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
980 TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
981 TLS_RSA_WITH_AES_256_GCM_SHA384. Insecure values:
982 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
983 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
984 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
985 TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
986
987
988 --tls-min-version="" Minimum TLS version supported. Possible val‐
989 ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
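Several flags on this page decide whether the API server's front door is hardened: --tls-cipher-suites and --tls-min-version here, and further up --profiling, --port, --service-account-lookup, --service-account-issuer and --service-account-extend-token-expiration. The following is an added example, not Kubernetes code: a static audit of a kube-apiserver command line (for instance the args of a static pod manifest) that reports each of those flags when left at, or set to, the weaker value. The insecure cipher suite set is exactly the "Insecure values" list above; the two sample command lines are constructed.

```python
"""Static audit of a kube-apiserver command line against the
security-relevant flags documented on this page. Added example, not
Kubernetes code; the findings reflect the flag documentation only."""
from typing import Dict, List, Tuple

# Suites this man page lists under "Insecure values" for --tls-cipher-suites.
INSECURE_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
}
TLS_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def parse_flags(argv: List[str]) -> Dict[str, List[str]]:
    """Collect --flag=value, --flag value and bare --flag (boolean true).
    Values of repeated flags accumulate in order; last one wins for
    single-valued flags."""
    flags: Dict[str, List[str]] = {}
    i = 1 if argv and not argv[0].startswith("--") else 0  # skip program name
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("--"):
            i += 1
            continue
        name, sep, value = arg[2:].partition("=")
        if not sep:
            if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                value = argv[i + 1]
                i += 1
            else:
                value = "true"
        flags.setdefault(name, []).append(value)
        i += 1
    return flags


def audit(argv: List[str]) -> List[Tuple[str, str]]:
    """Return (flag, finding) pairs; an empty list means nothing to report."""
    flags = parse_flags(argv)
    findings: List[Tuple[str, str]] = []

    def last(name: str, default: str) -> str:
        return flags.get(name, [default])[-1]

    suites = [s for v in flags.get("tls-cipher-suites", []) for s in v.split(",") if s]
    if not suites:
        findings.append(("tls-cipher-suites", "unset; Go defaults apply, pin an explicit list"))
    for suite in suites:
        if suite in INSECURE_SUITES:
            findings.append(("tls-cipher-suites", f"insecure suite {suite} configured"))

    min_version = last("tls-min-version", "")
    if min_version not in TLS_VERSIONS:
        findings.append(("tls-min-version", f"{min_version or 'unset'}; pin VersionTLS12 or later"))
    elif TLS_VERSIONS.index(min_version) < TLS_VERSIONS.index("VersionTLS12"):
        findings.append(("tls-min-version", f"{min_version} allows TLS older than 1.2"))

    if last("profiling", "true") == "true":
        findings.append(("profiling", "/debug/pprof is served; set --profiling=false"))

    if last("port", "0") != "0":
        findings.append(("port", f"unsecured, unauthenticated port {last('port', '0')} is open; set --port=0"))

    if last("service-account-lookup", "true") != "true":
        findings.append(("service-account-lookup", "tokens are not checked for existence in etcd"))

    issuer = last("service-account-issuer", "")
    if not issuer.startswith("https://"):
        findings.append(("service-account-issuer", f"{issuer or 'unset'}; must be an https URL for OIDC discovery"))

    if last("service-account-extend-token-expiration", "true") == "true":
        findings.append(("service-account-extend-token-expiration",
                         "injected tokens extended up to 1 year, ignoring --service-account-max-token-expiration"))
    return findings


# Constructed sample command lines, not taken from any real cluster.
WEAK_ARGV = [
    "kube-apiserver", "--secure-port=6443", "--port=8080",
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA",
    "--service-account-lookup=false",
    "--service-account-issuer=http://kubernetes.default.svc",
]
HARDENED_ARGV = [
    "kube-apiserver", "--secure-port=6443", "--port=0", "--profiling=false",
    "--tls-min-version=VersionTLS12",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384",
    "--service-account-lookup=true",
    "--service-account-issuer=https://kubernetes.default.svc",
    "--service-account-extend-token-expiration=false",
]

if __name__ == "__main__":
    for flag, finding in audit(WEAK_ARGV):
        print(f"--{flag}: {finding}")
    print("hardened findings:", audit(HARDENED_ARGV))
```

The audit deliberately treats a missing flag as its documented default (--profiling=true, --service-account-extend-token-expiration=true, --port=0), because the dangerous settings on this page are mostly the ones a manifest never mentions.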
990
991
992 --tls-private-key-file="" File containing the default x509 private
993 key matching --tls-cert-file.
994
995
996 --tls-sni-cert-key=[] A pair of x509 certificate and private key
997 file paths, optionally suffixed with a list of domain patterns which
998 are fully qualified domain names, possibly with prefixed wildcard seg‐
999 ments. The domain patterns also allow IP addresses, but IPs should only
1000 be used if the apiserver has visibility to the IP address requested by
1001 a client. If no domain patterns are provided, the names of the certifi‐
1002 cate are extracted. Non-wildcard matches trump over wildcard matches,
1003 explicit domain patterns trump over extracted names. For multiple
1004 key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
1005 ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
1006
1007
1008 --token-auth-file="" If set, the static token file used to authenti‐
1009 cate requests to the secure port of the API server via bearer tokens.
1010
1011
1012 -v, --v=0 number for the log level verbosity
1013
1014
1015 --version=false Print version information and quit
1016
1017
1018 --vmodule= comma-separated list of pattern=N settings for
1019 file-filtered logging
1020
1021
1022 --watch-cache=true Enable watch caching in the apiserver
1023
1024
1025 --watch-cache-sizes=[] Watch cache size settings for some re‐
1026 sources (pods, nodes, etc.), comma separated. The individual setting
1027 format: resource[.group]#size, where resource is lowercase plural (no
1028 version), group is omitted for resources of apiVersion v1 (the legacy
1029 core API) and included for others, and size is a number. It takes ef‐
1030 fect when watch-cache is enabled. Some resources (replicationcon‐
1031 trollers, endpoints, nodes, pods, services, apiservices.apiregistra‐
1032 tion.k8s.io) have system defaults set by heuristics, others default to
1033 default-watch-cache-size
1034
1035
1036
1038 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
1039 com) based on the kubernetes source material, but hopefully they have
1040 been automatically generated since!
1041
1042
1043
1044Manuals User KUBERNETES(1)(kubernetes)