KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
kube-controller-manager -

SYNOPSIS
kube-controller-manager [OPTIONS]

DESCRIPTION
The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.

OPTIONS
--add-dir-header=false    If true, adds the file directory to the header of the log messages

--address=0.0.0.0    The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

--allocate-node-cidrs=false    Should CIDRs for Pods be allocated and set on the cloud provider.

--allow-untagged-cloud=false    Allow the cluster to run without the cluster-id on cloud instances. This is a legacy mode of operation and a cluster-id will be required in the future.

--alsologtostderr=false    log to standard error as well as files

--attach-detach-reconcile-sync-period=1m0s    The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods.

--authentication-kubeconfig=""    kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

--authentication-skip-lookup=false    If false, the authentication-kubeconfig will be used to look up missing authentication configuration from the cluster.

--authentication-token-webhook-cache-ttl=10s    The duration to cache responses from the webhook token authenticator.

--authentication-tolerate-lookup-failure=false    If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

--authorization-always-allow-paths=[/healthz]    A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.

--authorization-kubeconfig=""    kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

--authorization-webhook-cache-authorized-ttl=10s    The duration to cache 'authorized' responses from the webhook authorizer.

--authorization-webhook-cache-unauthorized-ttl=10s    The duration to cache 'unauthorized' responses from the webhook authorizer.

--azure-container-registry-config=""    Path to the file containing Azure container registry configuration information.

--bind-address=0.0.0.0    The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

--cert-dir=""    The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

--cidr-allocator-type="RangeAllocator"    Type of CIDR allocator to use

--client-ca-file=""    If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

--cloud-config=""    The path to the cloud provider configuration file. Empty string for no configuration file.

--cloud-provider=""    The provider for cloud services. Empty string for no provider.

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16    CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

--cluster-cidr=""    CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true

--cluster-name="kubernetes"    The instance prefix for the cluster.

--cluster-signing-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

--cluster-signing-duration=8760h0m0s    The length of duration signed certificates will be given.

--cluster-signing-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

--cluster-signing-kube-apiserver-client-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-kube-apiserver-client-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-kubelet-client-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-kubelet-client-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-kubelet-serving-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-kubelet-serving-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-legacy-unknown-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--cluster-signing-legacy-unknown-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

--concurrent-deployment-syncs=5    The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load

--concurrent-endpoint-syncs=5    The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load

--concurrent-gc-syncs=20    The number of garbage collector workers that are allowed to sync concurrently.

--concurrent-namespace-syncs=10    The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load

--concurrent-replicaset-syncs=5    The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load

--concurrent-resource-quota-syncs=5    The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load

--concurrent-service-endpoint-syncs=5    The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

--concurrent-service-syncs=1    The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load

--concurrent-serviceaccount-token-syncs=5    The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load

--concurrent-statefulset-syncs=5    The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load

--concurrent-ttl-after-finished-syncs=5    The number of TTL-after-finished controller workers that are allowed to sync concurrently.

--concurrent_rc_syncs=5    The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load

--configure-cloud-routes=true    Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.

--contention-profiling=false    Enable lock contention profiling, if profiling is enabled

--controller-start-interval=0s    Interval between starting controller managers.

--controllers=[]    A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
Disabled-by-default controllers: bootstrapsigner, tokencleaner

--deleting-pods-burst=0    Number of nodes on which pods are bursty deleted in case of node failure. For more details look into RateLimiter.

--deleting-pods-qps=0.1    Number of nodes per second on which pods are deleted in case of node failure.

--deployment-controller-sync-period=30s    Period for syncing the deployments.

--disable-attach-detach-reconcile-sync=false    Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.

--enable-dynamic-provisioning=true    Enable dynamic provisioning for environments that support it.

--enable-garbage-collector=true    Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver.

--enable-hostpath-provisioner=false    Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.

--enable-taint-manager=true    WARNING: Beta feature. If set to true, enables NoExecute Taints and will evict all not-tolerating Pods running on Nodes tainted with this kind of Taint.

--endpoint-updates-batch-period=0s    The length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated

--endpointslice-updates-batch-period=0s    The length of endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated

--experimental-cluster-signing-duration=8760h0m0s    The length of duration signed certificates will be given.

--experimental-logging-sanitization=false    [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

--external-cloud-volume-plugin=""    The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers.

--feature-gates=    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false)

--flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"    Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.

-h, --help=false    help for kube-controller-manager

--horizontal-pod-autoscaler-cpu-initialization-period=5m0s    The period after pod start when CPU samples might be skipped.

--horizontal-pod-autoscaler-downscale-delay=5m0s    The period since last downscale, before another downscale can be performed in horizontal pod autoscaler.

--horizontal-pod-autoscaler-downscale-stabilization=5m0s    The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period.

--horizontal-pod-autoscaler-initial-readiness-delay=30s    The period after pod start during which readiness changes will be treated as initial readiness.

--horizontal-pod-autoscaler-sync-period=15s    The period for syncing the number of pods in horizontal pod autoscaler.

--horizontal-pod-autoscaler-tolerance=0.1    The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.

--horizontal-pod-autoscaler-upscale-delay=3m0s    The period since last upscale, before another upscale can be performed in horizontal pod autoscaler.

--horizontal-pod-autoscaler-use-rest-clients=true    If set to true, causes the horizontal pod autoscaler controller to use REST clients through the kube-aggregator, instead of using the legacy metrics client through the API server proxy. This is required for custom metrics support in the horizontal pod autoscaler.

--http2-max-streams-per-connection=0    The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.

--kube-api-burst=30    Burst to use while talking with kubernetes apiserver.

--kube-api-content-type="application/vnd.kubernetes.protobuf"    Content type of requests sent to apiserver.

--kube-api-qps=20    QPS to use while talking with kubernetes apiserver.

--kubeconfig=""    Path to kubeconfig file with authorization and master location information.

--large-cluster-size-threshold=50    Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller.

--leader-elect=true    Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.

--leader-elect-lease-duration=15s    The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

--leader-elect-renew-deadline=10s    The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.

--leader-elect-resource-lock="leases"    The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'.

--leader-elect-resource-name="kube-controller-manager"    The name of resource object that is used for locking during leader election.

--leader-elect-resource-namespace="kube-system"    The namespace of resource object that is used for locking during leader election.

--leader-elect-retry-period=2s    The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

--log-backtrace-at=:0    when logging hits line file:N, emit a stack trace

--log-dir=""    If non-empty, write log files in this directory

--log-file=""    If non-empty, use this log file

--log-file-max-size=1800    Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

--log-flush-frequency=5s    Maximum number of seconds between log flushes

--logging-format="text"    Sets the log format. Permitted formats: "json", "text". Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency. Non-default choices are currently alpha and subject to change without warning.

--logtostderr=true    log to standard error instead of files

--master=""    The address of the Kubernetes API server (overrides any value in kubeconfig).

--max-endpoints-per-slice=100    The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

--min-resync-period=12h0m0s    The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod.

--mirroring-concurrent-service-endpoint-syncs=5    The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

--mirroring-endpointslice-updates-batch-period=0s    The length of EndpointSlice updates batching period for EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated

--mirroring-max-endpoints-per-subset=1000    The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

--namespace-sync-period=5m0s    The period for syncing namespace life-cycle updates

--node-cidr-mask-size=0    Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6.

--node-cidr-mask-size-ipv4=0    Mask size for IPv4 node cidr in dual-stack cluster. Default is 24.

--node-cidr-mask-size-ipv6=0    Mask size for IPv6 node cidr in dual-stack cluster. Default is 64.

--node-eviction-rate=0.1    Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters.

--node-monitor-grace-period=40s    Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status.

--node-monitor-period=5s    The period for syncing NodeStatus in NodeController.

--node-startup-grace-period=1m0s    Amount of time which we allow starting Node to be unresponsive before marking it unhealthy.

--node-sync-period=0s    This flag is deprecated and will be removed in future releases. See node-monitor-period for Node health checking or route-reconciliation-period for cloud provider's route configuration settings.

--one-output=false    If true, only write logs to their native severity level (vs also writing to each lower severity level)

--permit-port-sharing=false    If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]

--pod-eviction-timeout=5m0s    The grace period for deleting pods on failed nodes.

--port=10252    The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.

--profiling=true    Enable profiling via web interface host:port/debug/pprof/

--pv-recycler-increment-timeout-nfs=30    the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod

--pv-recycler-minimum-timeout-hostpath=60    The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster.

--pv-recycler-minimum-timeout-nfs=300    The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod

--pv-recycler-pod-template-filepath-hostpath=""    The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.

--pv-recycler-pod-template-filepath-nfs=""    The file path to a pod definition used as a template for NFS persistent volume recycling

--pv-recycler-timeout-increment-hostpath=30    the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster.

--pvclaimbinder-sync-period=15s    The period for syncing persistent volumes and persistent volume claims

--register-retry-count=10    The number of retries for initial node registration. Retry interval equals node-sync-period.

--requestheader-allowed-names=[]    List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.

--requestheader-client-ca-file=""    Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.

--requestheader-extra-headers-prefix=[x-remote-extra-]    List of request header prefixes to inspect. X-Remote-Extra- is suggested.

--requestheader-group-headers=[x-remote-group]    List of request headers to inspect for groups. X-Remote-Group is suggested.

--requestheader-username-headers=[x-remote-user]    List of request headers to inspect for usernames. X-Remote-User is common.

--resource-quota-sync-period=5m0s    The period for syncing quota usage status in the system

--root-ca-file=""    If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.

--route-reconciliation-period=10s    The period for reconciling routes created for Nodes by cloud provider.

--secondary-node-eviction-rate=0.01    Number of nodes per second on which pods are deleted in case of node failure when a zone is unhealthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. This value is implicitly overridden to 0 if the cluster size is smaller than --large-cluster-size-threshold.

--secure-port=10257    The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all.
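
The serving and authentication flags documented on this page (--address, --port, --secure-port, --profiling, --authentication-kubeconfig, --authentication-tolerate-lookup-failure, --enable-hostpath-provisioner) can be checked mechanically against a deployed command line. The Python audit below is an added example, not part of this man page or of the Kubernetes project; its function names are hypothetical, and the sample command lines and the kubeconfig path in them are constructed.

```python
import shlex

# Defaults copied from this man page for the flags the audit inspects.
PAGE_DEFAULTS = {
    "address": "0.0.0.0",
    "port": "10252",
    "secure-port": "10257",
    "profiling": "true",
    "authentication-kubeconfig": "",
    "authentication-tolerate-lookup-failure": "false",
    "enable-hostpath-provisioner": "false",
}
BOOL_FLAGS = {"profiling", "authentication-tolerate-lookup-failure",
              "enable-hostpath-provisioner"}
TRUE_VALUES = {"1", "t", "T", "true", "TRUE", "True"}  # as Go's strconv.ParseBool


def effective_flags(command_line):
    """Return the page defaults overlaid with the flags set on command_line."""
    flags = dict(PAGE_DEFAULTS)
    args = shlex.split(command_line)
    i = 0
    while i < len(args):
        arg = args[i]
        i += 1
        if not arg.startswith("--"):
            continue  # binary name or a stray positional argument
        name, has_value, value = arg[2:].partition("=")
        if not has_value:
            if name in BOOL_FLAGS:
                value = "true"  # a bare boolean flag means true
            elif i < len(args) and not args[i].startswith("--"):
                value = args[i]  # "--flag value" form
                i += 1
        flags[name] = value
    return flags


def audit(command_line):
    """Return (flag, finding) pairs for risky settings described on this page."""
    f = effective_flags(command_line)
    findings = []
    if int(f["port"]) != 0:
        unspecified = f["address"] in ("0.0.0.0", "::")
        scope = "all interfaces" if unspecified else f["address"]
        findings.append(("port", "unsecured, unauthenticated port %s served on %s; "
                                 "set --port=0 to disable" % (f["port"], scope)))
    if int(f["secure-port"]) == 0:
        findings.append(("secure-port",
                         "HTTPS with authentication and authorization is not served"))
    if f["profiling"] in TRUE_VALUES:
        findings.append(("profiling",
                         "host:port/debug/pprof/ is enabled; set --profiling=false"))
    if not f["authentication-kubeconfig"]:
        findings.append(("authentication-kubeconfig",
                         "empty: all token requests are considered anonymous"))
    if f["authentication-tolerate-lookup-failure"] in TRUE_VALUES:
        findings.append(("authentication-tolerate-lookup-failure",
                         "lookup failures are not fatal and can leave all "
                         "requests treated as anonymous"))
    if f["enable-hostpath-provisioner"] in TRUE_VALUES:
        findings.append(("enable-hostpath-provisioner",
                         "HostPath provisioning is for testing or development only"))
    return findings


# Constructed sample command lines (not taken from any real cluster).
DEFAULTS_ONLY = "kube-controller-manager"
HARDENED = ("kube-controller-manager --port=0 --bind-address=127.0.0.1 "
            "--profiling=false "
            "--authentication-kubeconfig=/etc/kubernetes/controller-manager.conf "
            "--authorization-kubeconfig=/etc/kubernetes/controller-manager.conf")
CARELESS = ("kube-controller-manager --port 10252 --address=:: --secure-port=0 "
            "--enable-hostpath-provisioner "
            "--authentication-tolerate-lookup-failure=true")

if __name__ == "__main__":
    for label, cmd in (("defaults", DEFAULTS_ONLY), ("hardened", HARDENED),
                       ("careless", CARELESS)):
        print(label)
        for flag, finding in audit(cmd) or [("-", "no findings")]:
            print("  --%s: %s" % (flag, finding))
```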
769
770
--service-account-private-key-file=""    Filename containing a
PEM-encoded private RSA or ECDSA key used to sign service account
tokens.

--service-cluster-ip-range=""    CIDR Range for Services in cluster.
Requires --allocate-node-cidrs to be true.

--show-hidden-metrics-for-version=""    The previous version for which
you want to show hidden metrics. Only the previous minor version is
meaningful, other values will not be allowed. The format is
<major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
sure you have the opportunity to notice if the next release hides
additional metrics, rather than being surprised when they are
permanently removed in the release after that.

--skip-headers=false    If true, avoid header prefixes in the log
messages

--skip-log-headers=false    If true, avoid headers when opening log
files

--stderrthreshold=2    logs at or above this threshold go to stderr

--terminated-pod-gc-threshold=12500    Number of terminated pods that
can exist before the terminated pod garbage collector starts deleting
terminated pods. If <= 0, the terminated pod garbage collector is
disabled.

--tls-cert-file=""    File containing the default x509 Certificate for
HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
serving is enabled, and --tls-cert-file and --tls-private-key-file are
not provided, a self-signed certificate and key are generated for the
public address and saved to the directory specified by --cert-dir.

--tls-cipher-suites=[]    Comma-separated list of cipher suites for the
server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.

--tls-min-version=""    Minimum TLS version supported. Possible values:
VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13

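An added example, not part of the original manual or the Kubernetes code base: a Go check that audits a kube-controller-manager argument list against the cipher suites this page lists as insecure, and also reports --secure-port=0 and the VersionTLS10/VersionTLS11 minimums (deprecated by RFC 8996, a judgment the page itself does not make). AuditTLSFlags and the sample arguments are constructed for illustration; only the --flag=value form is parsed.

```go
package main

import (
	"fmt"
	"strings"
)

// pageInsecure holds the suites this man page lists under "Insecure values".
var pageInsecure = map[string]bool{
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": true,
	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        true,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   true,
	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          true,
	"TLS_RSA_WITH_AES_128_CBC_SHA256":         true,
	"TLS_RSA_WITH_RC4_128_SHA":                true,
}

// AuditTLSFlags returns one finding per risky TLS serving setting in args.
func AuditTLSFlags(args []string) []string {
	var out []string
	flags := map[string]string{}
	for _, a := range args {
		if k, v, ok := strings.Cut(strings.TrimLeft(a, "-"), "="); ok {
			flags[k] = strings.Trim(v, `"'`)
		}
	}
	if flags["secure-port"] == "0" {
		out = append(out, "secure-port=0: HTTPS serving is disabled")
	}
	for _, s := range strings.Split(flags["tls-cipher-suites"], ",") {
		if s = strings.TrimSpace(s); pageInsecure[s] {
			out = append(out, "tls-cipher-suites: "+s+" is listed as insecure")
		}
	}
	if v := flags["tls-min-version"]; v == "VersionTLS10" || v == "VersionTLS11" {
		out = append(out, "tls-min-version: "+v+" is deprecated (RFC 8996)")
	}
	return out
}

func main() {
	// Constructed argument list, as it might appear in a static pod manifest.
	args := []string{"--secure-port=10257", "--tls-min-version=VersionTLS11",
		"--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA"}
	for _, f := range AuditTLSFlags(args) {
		fmt.Println(f)
	}
}
```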
--tls-private-key-file=""    File containing the default x509 private
key matching --tls-cert-file.

--tls-sni-cert-key=[]    A pair of x509 certificate and private key
file paths, optionally suffixed with a list of domain patterns which
are fully qualified domain names, possibly with prefixed wildcard
segments. The domain patterns also allow IP addresses, but IPs should
only be used if the apiserver has visibility to the IP address
requested by a client. If no domain patterns are provided, the names of
the certificate are extracted. Non-wildcard matches trump over wildcard
matches, explicit domain patterns trump over extracted names. For
multiple key/certificate pairs, use the --tls-sni-cert-key multiple
times. Examples: "example.crt,example.key" or
"foo.crt,foo.key:*.foo.com,foo.com".

--unhealthy-zone-threshold=0.55    Fraction of Nodes in a zone which
needs to be not Ready (minimum 3) for zone to be treated as unhealthy.

--use-service-account-credentials=false    If true, use individual
service account credentials for each controller.

-v, --v=0    number for the log level verbosity

--version=false    Print version information and quit

--vmodule=    comma-separated list of pattern=N settings for
file-filtered logging

--volume-host-allow-local-loopback=true    If false, deny local
loopback IPs in addition to any CIDR ranges in
--volume-host-cidr-denylist

--volume-host-cidr-denylist=[]    A comma-separated list of CIDR ranges
to avoid from volume plugins.

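How the two volume-host flags combine, as an added Go example (not the controller manager's implementation): a host is refused if it falls in any denylisted CIDR, and loopback is refused as well when --volume-host-allow-local-loopback is false. HostAllowed is a hypothetical helper and the addresses are constructed samples; it assumes the host is already an IP literal.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// HostAllowed reports whether a volume plugin may contact host, given the
// values of --volume-host-cidr-denylist and --volume-host-allow-local-loopback.
func HostAllowed(host, denylist string, allowLoopback bool) (bool, error) {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false, fmt.Errorf("not an IP literal: %w", err)
	}
	addr = addr.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	if !allowLoopback && addr.IsLoopback() {
		return false, nil
	}
	for _, c := range strings.Split(denylist, ",") {
		if c = strings.TrimSpace(c); c == "" {
			continue
		}
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return false, fmt.Errorf("bad CIDR %q: %w", c, err) // fail closed
		}
		if p.Contains(addr) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed hosts checked against a constructed denylist.
	for _, h := range []string{"169.254.169.254", "::ffff:127.0.0.1", "192.0.2.10"} {
		ok, err := HostAllowed(h, "169.254.0.0/16, 10.0.0.0/8", false)
		fmt.Println(h, ok, err)
	}
}
```

With the default --volume-host-allow-local-loopback=true and an empty denylist, every address is allowed, including 127.0.0.1.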
January 2015, Originally compiled by Eric Paris (eparis at redhat dot
com) based on the kubernetes source material, but hopefully they have
been automatically generated since!