KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-controller-manager -

SYNOPSIS

       kube-controller-manager [OPTIONS]

DESCRIPTION

       The Kubernetes controller manager is a daemon that embeds the core
       control loops shipped with Kubernetes. In applications of robotics and
       automation, a control loop is a non-terminating loop that regulates the
       state of the system. In Kubernetes, a controller is a control loop that
       watches the shared state of the cluster through the apiserver and makes
       changes attempting to move the current state towards the desired state.
       Examples of controllers that ship with Kubernetes today are the
       replication controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

OPTIONS

       --add-dir-header=false      If true, adds the file directory to the
       header of the log messages

       --address=0.0.0.0      The IP address on which to serve the insecure
       --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6
       interfaces).

       --allocate-node-cidrs=false      Should CIDRs for Pods be allocated and
       set on the cloud provider.

       --allow-untagged-cloud=false      Allow the cluster to run without the
       cluster-id on cloud instances. This is a legacy mode of operation and a
       cluster-id will be required in the future.

       --alsologtostderr=false      log to standard error as well as files

       --attach-detach-reconcile-sync-period=1m0s      The reconciler sync
       wait time between volume attach detach. This duration must be larger
       than one second, and increasing this value from the default may allow
       for volumes to be mismatched with pods.

       --authentication-kubeconfig=""      kubeconfig file pointing at the
       'core' kubernetes server with enough rights to create
       tokenreviews.authentication.k8s.io. This is optional. If empty, all
       token requests are considered to be anonymous and no client CA is
       looked up in the cluster.

       --authentication-skip-lookup=false      If false, the
       authentication-kubeconfig will be used to look up missing
       authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s      The duration to cache
       responses from the webhook token authenticator.

       --authentication-tolerate-lookup-failure=false      If true, failures
       to look up missing authentication configuration from the cluster are
       not considered fatal. Note that this can result in authentication that
       treats all requests as anonymous.

       --authorization-always-allow-paths=[/healthz]      A list of HTTP paths
       to skip during authorization, i.e. these are authorized without
       contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""      kubeconfig file pointing at the
       'core' kubernetes server with enough rights to create
       subjectaccessreviews.authorization.k8s.io. This is optional. If empty,
       all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s      The duration to
       cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s      The duration to
       cache 'unauthorized' responses from the webhook authorizer.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address on which to listen for the
       --secure-port port. The associated interface(s) must be reachable by
       the rest of the cluster, and by CLI/web clients. If blank or an
       unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""      The directory where the TLS certs are located. If
       --tls-cert-file and --tls-private-key-file are provided, this flag will
       be ignored.

       --cidr-allocator-type="RangeAllocator"      Type of CIDR allocator to
       use

       --client-ca-file=""      If set, any request presenting a client
       certificate signed by one of the authorities in the client-ca-file is
       authenticated with an identity corresponding to the CommonName of the
       client certificate.

       --cloud-config=""      The path to the cloud provider configuration
       file. Empty string for no configuration file.

       --cloud-provider=""      The provider for cloud services. Empty string
       for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
       CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks

       --cluster-cidr=""      CIDR Range for Pods in cluster. Requires
       --allocate-node-cidrs to be true

       --cluster-name="kubernetes"      The instance prefix for the cluster.

       --cluster-signing-cert-file=""      Filename containing a PEM-encoded
       X509 CA certificate used to issue cluster-scoped certificates. If
       specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s      The length of duration signed
       certificates will be given.

       --cluster-signing-key-file=""      Filename containing a PEM-encoded
       RSA or ECDSA private key used to sign cluster-scoped certificates. If
       specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""      Filename
       containing a PEM-encoded X509 CA certificate used to issue certificates
       for the kubernetes.io/kube-apiserver-client signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kube-apiserver-client-key-file=""      Filename
       containing a PEM-encoded RSA or ECDSA private key used to sign
       certificates for the kubernetes.io/kube-apiserver-client signer. If
       specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/kubelet-serving signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""      Filename containing
       a PEM-encoded RSA or ECDSA private key used to sign certificates for
       the kubernetes.io/kubelet-serving signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/legacy-unknown signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/legacy-unknown signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --concurrent-deployment-syncs=5      The number of deployment objects
       that are allowed to sync concurrently. Larger number = more responsive
       deployments, but more CPU (and network) load

       --concurrent-endpoint-syncs=5      The number of endpoint syncing
       operations that will be done concurrently. Larger number = faster
       endpoint updating, but more CPU (and network) load

       --concurrent-gc-syncs=20      The number of garbage collector workers
       that are allowed to sync concurrently.

       --concurrent-namespace-syncs=10      The number of namespace objects
       that are allowed to sync concurrently. Larger number = more responsive
       namespace termination, but more CPU (and network) load

       --concurrent-replicaset-syncs=5      The number of replica sets that
       are allowed to sync concurrently. Larger number = more responsive
       replica management, but more CPU (and network) load

       --concurrent-resource-quota-syncs=5      The number of resource quotas
       that are allowed to sync concurrently. Larger number = more responsive
       quota management, but more CPU (and network) load

       --concurrent-service-endpoint-syncs=5      The number of service
       endpoint syncing operations that will be done concurrently. Larger
       number = faster endpoint slice updating, but more CPU (and network)
       load. Defaults to 5.

       --concurrent-service-syncs=1      The number of services that are
       allowed to sync concurrently. Larger number = more responsive service
       management, but more CPU (and network) load

       --concurrent-serviceaccount-token-syncs=5      The number of service
       account token objects that are allowed to sync concurrently. Larger
       number = more responsive token generation, but more CPU (and network)
       load

       --concurrent-statefulset-syncs=5      The number of statefulset objects
       that are allowed to sync concurrently. Larger number = more responsive
       statefulsets, but more CPU (and network) load

       --concurrent-ttl-after-finished-syncs=5      The number of
       TTL-after-finished controller workers that are allowed to sync
       concurrently.

       --concurrent_rc_syncs=5      The number of replication controllers that
       are allowed to sync concurrently. Larger number = more responsive
       replica management, but more CPU (and network) load

       --configure-cloud-routes=true      Should CIDRs allocated by
       allocate-node-cidrs be configured on the cloud provider.

       --contention-profiling=false      Enable lock contention profiling, if
       profiling is enabled

       --controller-start-interval=0s      Interval between starting
       controller managers.

       --controllers=[]      A list of controllers to enable. '' enables all
       on-by-default controllers, 'foo' enables the controller named 'foo',
       '-foo' disables the controller named 'foo'.
       All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle,
       clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning,
       daemonset, deployment, disruption, endpoint, endpointslice,
       endpointslicemirroring, ephemeral-volume, garbagecollector,
       horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle,
       persistentvolume-binder, persistentvolume-expander, podgc,
       pv-protection, pvc-protection, replicaset, replicationcontroller,
       resourcequota, root-ca-cert-publisher, route, service, serviceaccount,
       serviceaccount-token, statefulset, tokencleaner, ttl,
       ttl-after-finished.
       Disabled-by-default controllers: bootstrapsigner, tokencleaner

       --deleting-pods-burst=0      Number of nodes on which pods are bursty
       deleted in case of node failure. For more details look into
       RateLimiter.

       --deleting-pods-qps=0.1      Number of nodes per second on which pods
       are deleted in case of node failure.

       --deployment-controller-sync-period=30s      Period for syncing the
       deployments.

       --disable-attach-detach-reconcile-sync=false      Disable volume attach
       detach reconciler sync. Disabling this may cause volumes to be
       mismatched with pods. Use wisely.

       --enable-dynamic-provisioning=true      Enable dynamic provisioning for
       environments that support it.

       --enable-garbage-collector=true      Enables the generic garbage
       collector. MUST be synced with the corresponding flag of the
       kube-apiserver.

       --enable-hostpath-provisioner=false      Enable HostPath PV
       provisioning when running without a cloud provider. This allows testing
       and development of provisioning features. HostPath provisioning is not
       supported in any way, won't work in a multi-node cluster, and should
       not be used for anything other than testing or development.

       --enable-taint-manager=true      WARNING: Beta feature. If set to true,
       enables NoExecute Taints and will evict all non-tolerating Pods running
       on Nodes tainted with this kind of Taint.

       --endpoint-updates-batch-period=0s      The length of endpoint updates
       batching period. Processing of pod changes will be delayed by this
       duration to join them with potential upcoming updates and reduce the
       overall number of endpoints updates. Larger number = higher endpoint
       programming latency, but lower number of endpoints revision generated

       --endpointslice-updates-batch-period=0s      The length of endpoint
       slice updates batching period. Processing of pod changes will be
       delayed by this duration to join them with potential upcoming updates
       and reduce the overall number of endpoints updates. Larger number =
       higher endpoint programming latency, but lower number of endpoints
       revision generated

       --experimental-cluster-signing-duration=8760h0m0s      The length of
       duration signed certificates will be given.

       --experimental-logging-sanitization=false      [Experimental] When
       enabled prevents logging of fields tagged as sensitive (passwords,
       keys, tokens). Runtime log sanitization may introduce significant
       computation overhead and therefore should not be enabled in production.

       --external-cloud-volume-plugin=""      The plugin to use when cloud
       provider is set to external. Can be empty, should only be set when
       cloud-provider is external. Currently used to allow node and volume
       controllers to work for in-tree cloud providers.

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
           APIListChunking=true|false (BETA - default=true)
           APIPriorityAndFairness=true|false (BETA - default=true)
           APIResponseCompression=true|false (BETA - default=true)
           APIServerIdentity=true|false (ALPHA - default=false)
           AllAlpha=true|false (ALPHA - default=false)
           AllBeta=true|false (BETA - default=false)
           AllowInsecureBackendProxy=true|false (BETA - default=true)
           AnyVolumeDataSource=true|false (ALPHA - default=false)
           AppArmor=true|false (BETA - default=true)
           BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
           BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
           CPUManager=true|false (BETA - default=true)
           CRIContainerLogRotation=true|false (BETA - default=true)
           CSIInlineVolume=true|false (BETA - default=true)
           CSIMigration=true|false (BETA - default=true)
           CSIMigrationAWS=true|false (BETA - default=false)
           CSIMigrationAWSComplete=true|false (ALPHA - default=false)
           CSIMigrationAzureDisk=true|false (BETA - default=false)
           CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
           CSIMigrationAzureFile=true|false (ALPHA - default=false)
           CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
           CSIMigrationGCE=true|false (BETA - default=false)
           CSIMigrationGCEComplete=true|false (ALPHA - default=false)
           CSIMigrationOpenStack=true|false (BETA - default=false)
           CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
           CSIMigrationvSphere=true|false (BETA - default=false)
           CSIMigrationvSphereComplete=true|false (BETA - default=false)
           CSIServiceAccountToken=true|false (ALPHA - default=false)
           CSIStorageCapacity=true|false (ALPHA - default=false)
           CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
           ConfigurableFSGroupPolicy=true|false (BETA - default=true)
           CronJobControllerV2=true|false (ALPHA - default=false)
           CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
           DefaultPodTopologySpread=true|false (BETA - default=true)
           DevicePlugins=true|false (BETA - default=true)
           DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
           DownwardAPIHugePages=true|false (ALPHA - default=false)
           DynamicKubeletConfig=true|false (BETA - default=true)
           EfficientWatchResumption=true|false (ALPHA - default=false)
           EndpointSlice=true|false (BETA - default=true)
           EndpointSliceNodeName=true|false (ALPHA - default=false)
           EndpointSliceProxying=true|false (BETA - default=true)
           EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
           EphemeralContainers=true|false (ALPHA - default=false)
           ExpandCSIVolumes=true|false (BETA - default=true)
           ExpandInUsePersistentVolumes=true|false (BETA - default=true)
           ExpandPersistentVolumes=true|false (BETA - default=true)
           ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
           GenericEphemeralVolume=true|false (ALPHA - default=false)
           GracefulNodeShutdown=true|false (ALPHA - default=false)
           HPAContainerMetrics=true|false (ALPHA - default=false)
           HPAScaleToZero=true|false (ALPHA - default=false)
           HugePageStorageMediumSize=true|false (BETA - default=true)
           IPv6DualStack=true|false (ALPHA - default=false)
           ImmutableEphemeralVolumes=true|false (BETA - default=true)
           KubeletCredentialProviders=true|false (ALPHA - default=false)
           KubeletPodResources=true|false (BETA - default=true)
           LegacyNodeRoleBehavior=true|false (BETA - default=true)
           LocalStorageCapacityIsolation=true|false (BETA - default=true)
           LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
           MixedProtocolLBService=true|false (ALPHA - default=false)
           NodeDisruptionExclusion=true|false (BETA - default=true)
           NonPreemptingPriority=true|false (BETA - default=true)
           PodDisruptionBudget=true|false (BETA - default=true)
           PodOverhead=true|false (BETA - default=true)
           ProcMountType=true|false (ALPHA - default=false)
           QOSReserved=true|false (ALPHA - default=false)
           RemainingItemCount=true|false (BETA - default=true)
           RemoveSelfLink=true|false (BETA - default=true)
           RootCAConfigMap=true|false (BETA - default=true)
           RotateKubeletServerCertificate=true|false (BETA - default=true)
           RunAsGroup=true|false (BETA - default=true)
           ServerSideApply=true|false (BETA - default=true)
           ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
           ServiceLBNodePortControl=true|false (ALPHA - default=false)
           ServiceNodeExclusion=true|false (BETA - default=true)
           ServiceTopology=true|false (ALPHA - default=false)
           SetHostnameAsFQDN=true|false (BETA - default=true)
           SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
           StorageVersionAPI=true|false (ALPHA - default=false)
           StorageVersionHash=true|false (BETA - default=true)
           Sysctls=true|false (BETA - default=true)
           TTLAfterFinished=true|false (ALPHA - default=false)
           TopologyManager=true|false (BETA - default=true)
           ValidateProxyRedirects=true|false (BETA - default=true)
           WarningHeaders=true|false (BETA - default=true)
           WinDSR=true|false (ALPHA - default=false)
           WinOverlay=true|false (BETA - default=true)
           WindowsEndpointSliceProxying=true|false (ALPHA - default=false)

       --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
       Full path of the directory in which the flex volume plugin should
       search for additional third party volume plugins.

       -h, --help=false      help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period=5m0s      The
       period after pod start when CPU samples might be skipped.

       --horizontal-pod-autoscaler-downscale-delay=5m0s      The period since
       last downscale, before another downscale can be performed in horizontal
       pod autoscaler.

       --horizontal-pod-autoscaler-downscale-stabilization=5m0s      The
       period for which autoscaler will look backwards and not scale down
       below any recommendation it made during that period.

       --horizontal-pod-autoscaler-initial-readiness-delay=30s      The period
       after pod start during which readiness changes will be treated as
       initial readiness.

       --horizontal-pod-autoscaler-sync-period=15s      The period for syncing
       the number of pods in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-tolerance=0.1      The minimum change (from
       1.0) in the desired-to-actual metrics ratio for the horizontal pod
       autoscaler to consider scaling.

       --horizontal-pod-autoscaler-upscale-delay=3m0s      The period since
       last upscale, before another upscale can be performed in horizontal pod
       autoscaler.

       --horizontal-pod-autoscaler-use-rest-clients=true      If set to true,
       causes the horizontal pod autoscaler controller to use REST clients
       through the kube-aggregator, instead of using the legacy metrics client
       through the API server proxy. This is required for custom metrics
       support in the horizontal pod autoscaler.

       --http2-max-streams-per-connection=0      The limit that the server
       gives to clients for the maximum number of streams in an HTTP/2
       connection. Zero means to use golang's default.

       --kube-api-burst=30      Burst to use while talking with kubernetes
       apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
       Content type of requests sent to apiserver.

       --kube-api-qps=20      QPS to use while talking with kubernetes
       apiserver.

       --kubeconfig=""      Path to kubeconfig file with authorization and
       master location information.

       --large-cluster-size-threshold=50      Number of nodes from which
       NodeController treats the cluster as large for the eviction logic
       purposes. --secondary-node-eviction-rate is implicitly overridden to 0
       for clusters this size or smaller.

       --leader-elect=true      Start a leader election client and gain
       leadership before executing the main loop. Enable this when running
       replicated components for high availability.

       --leader-elect-lease-duration=15s      The duration that non-leader
       candidates will wait after observing a leadership renewal until
       attempting to acquire leadership of a led but unrenewed leader slot.
       This is effectively the maximum duration that a leader can be stopped
       before it is replaced by another candidate. This is only applicable if
       leader election is enabled.

       --leader-elect-renew-deadline=10s      The interval between attempts by
       the acting master to renew a leadership slot before it stops leading.
       This must be less than or equal to the lease duration. This is only
       applicable if leader election is enabled.

       --leader-elect-resource-lock="leases"      The type of resource object
       that is used for locking during leader election. Supported options are
       'endpoints', 'configmaps', 'leases', 'endpointsleases' and
       'configmapsleases'.

       --leader-elect-resource-name="kube-controller-manager"      The name of
       resource object that is used for locking during leader election.

       --leader-elect-resource-namespace="kube-system"      The namespace of
       resource object that is used for locking during leader election.

       --leader-elect-retry-period=2s      The duration the clients should
       wait between attempting acquisition and renewal of a leadership. This
       is only applicable if leader election is enabled.

       --log-backtrace-at=:0      when logging hits line file:N, emit a stack
       trace

       --log-dir=""      If non-empty, write log files in this directory

       --log-file=""      If non-empty, use this log file

       --log-file-max-size=1800      Defines the maximum size a log file can
       grow to. Unit is megabytes. If the value is 0, the maximum file size is
       unlimited.

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --logging-format="text"      Sets the log format. Permitted formats:
       "json", "text". Non-default formats don't honor these flags:
       --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir,
       --log_file, --log_file_max_size, --logtostderr, --one_output,
       --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule,
       --log-flush-frequency. Non-default choices are currently alpha and
       subject to change without warning.

       --logtostderr=true      log to standard error instead of files

       --master=""      The address of the Kubernetes API server (overrides
       any value in kubeconfig).

       --max-endpoints-per-slice=100      The maximum number of endpoints that
       will be added to an EndpointSlice. More endpoints per slice will result
       in fewer endpoint slices, but larger resources. Defaults to 100.

       --min-resync-period=12h0m0s      The resync period in reflectors will
       be random between MinResyncPeriod and 2*MinResyncPeriod.

       --mirroring-concurrent-service-endpoint-syncs=5      The number of
       service endpoint syncing operations that will be done concurrently by
       the EndpointSliceMirroring controller. Larger number = faster endpoint
       slice updating, but more CPU (and network) load. Defaults to 5.

       --mirroring-endpointslice-updates-batch-period=0s      The length of
       EndpointSlice updates batching period for EndpointSliceMirroring
       controller. Processing of EndpointSlice changes will be delayed by this
       duration to join them with potential upcoming updates and reduce the
       overall number of EndpointSlice updates. Larger number = higher
       endpoint programming latency, but lower number of endpoints revision
       generated

       --mirroring-max-endpoints-per-subset=1000      The maximum number of
       endpoints that will be added to an EndpointSlice by the
       EndpointSliceMirroring controller. More endpoints per slice will result
       in fewer endpoint slices, but larger resources. Defaults to 100.

       --namespace-sync-period=5m0s      The period for syncing namespace
       life-cycle updates

       --node-cidr-mask-size=0      Mask size for node cidr in cluster.
       Default is 24 for IPv4 and 64 for IPv6.

       --node-cidr-mask-size-ipv4=0      Mask size for IPv4 node cidr in
       dual-stack cluster. Default is 24.

       --node-cidr-mask-size-ipv6=0      Mask size for IPv6 node cidr in
       dual-stack cluster. Default is 64.

       --node-eviction-rate=0.1      Number of nodes per second on which pods
       are deleted in case of node failure when a zone is healthy (see
       --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone
       refers to entire cluster in non-multizone clusters.

       --node-monitor-grace-period=40s      Amount of time which we allow
       running Node to be unresponsive before marking it unhealthy. Must be N
       times more than kubelet's nodeStatusUpdateFrequency, where N means
       number of retries allowed for kubelet to post node status.

       --node-monitor-period=5s      The period for syncing NodeStatus in
       NodeController.

       --node-startup-grace-period=1m0s      Amount of time which we allow
       starting Node to be unresponsive before marking it unhealthy.

       --node-sync-period=0s      This flag is deprecated and will be removed
       in future releases. See node-monitor-period for Node health checking or
       route-reconciliation-period for cloud provider's route configuration
       settings.

       --one-output=false      If true, only write logs to their native
       severity level (vs also writing to each lower severity level)

       --permit-port-sharing=false      If true, SO_REUSEPORT will be used
       when binding the port, which allows more than one instance to bind on
       the same address and port. [default=false]

       --pod-eviction-timeout=5m0s      The grace period for deleting pods on
       failed nodes.

       --port=10252      The port on which to serve unsecured, unauthenticated
       access. Set to 0 to disable.

       --profiling=true      Enable profiling via web interface
       host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs=30      the increment of time added
       per Gi to ActiveDeadlineSeconds for an NFS scrubber pod


       --pv-recycler-minimum-timeout-hostpath=60      The minimum
       ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for
       development and testing only and will not work in a multi-node cluster.


       --pv-recycler-minimum-timeout-nfs=300      The minimum
       ActiveDeadlineSeconds to use for an NFS Recycler pod


       --pv-recycler-pod-template-filepath-hostpath=""      The file path to a
       pod definition used as a template for HostPath persistent volume
       recycling. This is for development and testing only and will not work
       in a multi-node cluster.


       --pv-recycler-pod-template-filepath-nfs=""      The file path to a pod
       definition used as a template for NFS persistent volume recycling


       --pv-recycler-timeout-increment-hostpath=30      the increment of time
       added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod.
       This is for development and testing only and will not work in a
       multi-node cluster.


       --pvclaimbinder-sync-period=15s      The period for syncing persistent
       volumes and persistent volume claims


       --register-retry-count=10      The number of retries for initial node
       registration. Retry interval equals node-sync-period.


       --requestheader-allowed-names=[]      List of client certificate common
       names to allow to provide usernames in headers specified by
       --requestheader-username-headers. If empty, any client certificate
       validated by the authorities in --requestheader-client-ca-file is
       allowed.


       --requestheader-client-ca-file=""      Root certificate bundle to use
       to verify client certificates on incoming requests before trusting
       usernames in headers specified by --requestheader-username-headers.
       WARNING: generally do not depend on authorization being already done
       for incoming requests.


       --requestheader-extra-headers-prefix=[x-remote-extra-]      List of
       request header prefixes to inspect. X-Remote-Extra- is suggested.


       --requestheader-group-headers=[x-remote-group]      List of request
       headers to inspect for groups. X-Remote-Group is suggested.


       --requestheader-username-headers=[x-remote-user]      List of request
       headers to inspect for usernames. X-Remote-User is common.


       --resource-quota-sync-period=5m0s      The period for syncing quota
       usage status in the system


       --root-ca-file=""      If set, this root certificate authority will be
       included in service account's token secret. This must be a valid
       PEM-encoded CA bundle.


       --route-reconciliation-period=10s      The period for reconciling
       routes created for Nodes by cloud provider.


       --secondary-node-eviction-rate=0.01      Number of nodes per second on
       which pods are deleted in case of node failure when a zone is unhealthy
       (see --unhealthy-zone-threshold for definition of healthy/unhealthy).
       Zone refers to entire cluster in non-multizone clusters. This value is
       implicitly overridden to 0 if the cluster size is smaller than
       --large-cluster-size-threshold.


       --secure-port=10257      The port on which to serve HTTPS with
       authentication and authorization. If 0, don't serve HTTPS at all.


       --service-account-private-key-file=""      Filename containing a
       PEM-encoded private RSA or ECDSA key used to sign service account
       tokens.


       --service-cluster-ip-range=""      CIDR Range for Services in cluster.
       Requires --allocate-node-cidrs to be true


       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.


       --skip-headers=false      If true, avoid header prefixes in the log
       messages


       --skip-log-headers=false      If true, avoid headers when opening log
       files


       --stderrthreshold=2      logs at or above this threshold go to stderr


       --terminated-pod-gc-threshold=12500      Number of terminated pods that
       can exist before the terminated pod garbage collector starts deleting
       terminated pods. If <= 0, the terminated pod garbage collector is
       disabled.


       --tls-cert-file=""      File containing the default x509 Certificate
       for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
       serving is enabled, and --tls-cert-file and --tls-private-key-file are
       not provided, a self-signed certificate and key are generated for the
       public address and saved to the directory specified by --cert-dir.


       --tls-cipher-suites=[]      Comma-separated list of cipher suites for
       the server. If omitted, the default Go cipher suites will be used.
       Preferred values:
       TLS_AES_128_GCM_SHA256,
       TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_RSA_WITH_AES_128_CBC_SHA,
       TLS_RSA_WITH_AES_128_GCM_SHA256,
       TLS_RSA_WITH_AES_256_CBC_SHA,
       TLS_RSA_WITH_AES_256_GCM_SHA384.
       Insecure values:
       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_AES_128_CBC_SHA256,
       TLS_RSA_WITH_RC4_128_SHA.


       --tls-min-version=""      Minimum TLS version supported. Possible
       values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13


       --tls-private-key-file=""      File containing the default x509 private
       key matching --tls-cert-file.


       --tls-sni-cert-key=[]      A pair of x509 certificate and private key
       file paths, optionally suffixed with a list of domain patterns which
       are fully qualified domain names, possibly with prefixed wildcard
       segments. The domain patterns also allow IP addresses, but IPs should
       only be used if the apiserver has visibility to the IP address
       requested by a client. If no domain patterns are provided, the names of
       the certificate are extracted. Non-wildcard matches trump over wildcard
       matches, explicit domain patterns trump over extracted names. For
       multiple key/certificate pairs, use the --tls-sni-cert-key multiple
       times. Examples: "example.crt,example.key" or
       "foo.crt,foo.key:*.foo.com,foo.com".


       --unhealthy-zone-threshold=0.55      Fraction of Nodes in a zone which
       needs to be not Ready (minimum 3) for zone to be treated as unhealthy.


       --use-service-account-credentials=false      If true, use individual
       service account credentials for each controller.
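
       Several flags above decide how exposed the daemon is when they are left
       at the defaults printed on this page (--port, --profiling,
       --use-service-account-credentials) or set to a value this page lists as
       insecure (--tls-cipher-suites). The Go program below is an added
       example, not part of the kube-controller-manager source; the function
       names setting and audit and the sample command line are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Suite names copied from the "Insecure values" list on this man page.
var insecure = strings.Fields(`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_RC4_128_SHA`)

// setting returns --name's last value in args, else def; bare --name is "true".
func setting(args []string, name, def string) string {
	for _, a := range args {
		if a == "--"+name {
			def = "true"
		} else if strings.HasPrefix(a, "--"+name+"=") {
			def = strings.TrimPrefix(a, "--"+name+"=")
		}
	}
	return def
}

// audit returns one finding per effective setting that weakens the daemon.
// The fallback values passed to setting are the defaults printed on this page.
func audit(args []string) []string {
	var out []string
	if p := setting(args, "port", "10252"); p != "0" {
		out = append(out, "unauthenticated HTTP served on port "+p)
	}
	if on, _ := strconv.ParseBool(setting(args, "profiling", "true")); on {
		out = append(out, "pprof served at /debug/pprof/")
	}
	if on, _ := strconv.ParseBool(setting(args, "use-service-account-credentials", "false")); !on {
		out = append(out, "controllers do not use individual credentials")
	}
	suites := "," + setting(args, "tls-cipher-suites", "") + ","
	for _, bad := range insecure {
		if strings.Contains(suites, ","+bad+",") {
			out = append(out, "insecure cipher suite: "+bad)
		}
	}
	return out
}

func main() { // constructed command line, not taken from a real cluster
	fmt.Println(audit([]string{"kube-controller-manager", "--port=0"}))
}
```

       Feed it the command array from the controller manager's pod manifest
       or process listing; an empty result means none of the four conditions
       applies.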


       -v, --v=0      number for the log level verbosity


       --version=false      Print version information and quit


       --vmodule=      comma-separated list of pattern=N settings for
       file-filtered logging


       --volume-host-allow-local-loopback=true      If false, deny local
       loopback IPs in addition to any CIDR ranges in
       --volume-host-cidr-denylist


       --volume-host-cidr-denylist=[]      A comma-separated list of CIDR
       ranges to avoid from volume plugins.



HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!