KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
   kube-controller-manager -

SYNOPSIS
   kube-controller-manager [OPTIONS]

DESCRIPTION
   The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.

OPTIONS
   --add_dir_header=false
      If true, adds the file directory to the header of the log messages.

   --address=0.0.0.0
      The IP address on which to serve the insecure --port (set to '0.0.0.0' or '::' to listen on all interfaces and IP families).

   --allocate-node-cidrs=false
      Should CIDRs for Pods be allocated and set on the cloud provider.

   --allow-metric-labels=[]
      The map from metric-label to value allow-list of this label. The key's format is <metricName>,<labelName>. The value's format is <allowed_value>,<allowed_value>,... e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'.

   --allow-untagged-cloud=false
      Allow the cluster to run without the cluster-id on cloud instances. This is a legacy mode of operation and a cluster-id will be required in the future.

   --alsologtostderr=false
      Log to standard error as well as files.

   --attach-detach-reconcile-sync-period=1m0s
      The reconciler sync wait time between volume attach/detach. This duration must be larger than one second, and increasing this value from the default may allow volumes to be mismatched with pods.

   --authentication-kubeconfig=""
      kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

   --authentication-skip-lookup=false
      If false, the authentication-kubeconfig will be used to look up missing authentication configuration from the cluster.

   --authentication-token-webhook-cache-ttl=10s
      The duration to cache responses from the webhook token authenticator.

   --authentication-tolerate-lookup-failure=false
      If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

   --authorization-always-allow-paths=[/healthz,/readyz,/livez]
      A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.

   --authorization-kubeconfig=""
      kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

   --authorization-webhook-cache-authorized-ttl=10s
      The duration to cache 'authorized' responses from the webhook authorizer.

   --authorization-webhook-cache-unauthorized-ttl=10s
      The duration to cache 'unauthorized' responses from the webhook authorizer.
104
105
   --azure-container-registry-config=""
      Path to the file containing Azure container registry configuration information.

   --bind-address=0.0.0.0
      The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

   --cert-dir=""
      The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

   --cidr-allocator-type="RangeAllocator"
      Type of CIDR allocator to use.

   --client-ca-file=""
      If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

   --cloud-config=""
      The path to the cloud provider configuration file. Empty string for no configuration file.

   --cloud-provider=""
      The provider for cloud services. Empty string for no provider.

   --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
      CIDRs opened in GCE firewall for L4 LB traffic proxy health checks.

   --cluster-cidr=""
      CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true.

   --cluster-name="kubernetes"
      The instance prefix for the cluster.

   --cluster-signing-cert-file=""
      Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

   --cluster-signing-duration=8760h0m0s
      The length of duration signed certificates will be given.

   --cluster-signing-key-file=""
      Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

   --cluster-signing-kube-apiserver-client-cert-file=""
      Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-kube-apiserver-client-key-file=""
      Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-kubelet-client-cert-file=""
      Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-kubelet-client-key-file=""
      Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-kubelet-serving-cert-file=""
      Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-kubelet-serving-key-file=""
      Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-legacy-unknown-cert-file=""
      Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

   --cluster-signing-legacy-unknown-key-file=""
      Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.
211
212
   --concurrent-deployment-syncs=5
      The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load.

   --concurrent-endpoint-syncs=5
      The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load.

   --concurrent-gc-syncs=20
      The number of garbage collector workers that are allowed to sync concurrently.

   --concurrent-namespace-syncs=10
      The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load.

   --concurrent-replicaset-syncs=5
      The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load.

   --concurrent-resource-quota-syncs=5
      The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load.

   --concurrent-service-endpoint-syncs=5
      The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

   --concurrent-service-syncs=1
      The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load.

   --concurrent-serviceaccount-token-syncs=5
      The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load.

   --concurrent-statefulset-syncs=5
      The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load.

   --concurrent-ttl-after-finished-syncs=5
      The number of TTL-after-finished controller workers that are allowed to sync concurrently.

   --concurrent_rc_syncs=5
      The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load.

   --configure-cloud-routes=true
      Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.

   --contention-profiling=false
      Enable lock contention profiling, if profiling is enabled.

   --controller-start-interval=0s
      Interval between starting controller managers.

   --controllers=[]
      A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
      All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
      Disabled-by-default controllers: bootstrapsigner, tokencleaner
298
299
   --deleting-pods-burst=0
      Number of nodes on which pods are deleted in a burst in case of node failure. For more details look into RateLimiter.

   --deleting-pods-qps=0.1
      Number of nodes per second on which pods are deleted in case of node failure.

   --deployment-controller-sync-period=30s
      Period for syncing the deployments.

   --disable-attach-detach-reconcile-sync=false
      Disable volume attach/detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.

   --disabled-metrics=[]
      This flag provides an escape hatch for misbehaving metrics. You must provide the fully qualified metric name in order to disable it. Disclaimer: disabling metrics takes precedence over showing hidden metrics.

   --enable-dynamic-provisioning=true
      Enable dynamic provisioning for environments that support it.

   --enable-garbage-collector=true
      Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver.

   --enable-hostpath-provisioner=false
      Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.

   --enable-leader-migration=false
      Whether to enable controller leader migration.

   --enable-taint-manager=true
      WARNING: Beta feature. If set to true, enables NoExecute Taints and evicts all non-tolerating Pods running on Nodes tainted with this kind of Taint.

   --endpoint-updates-batch-period=0s
      The length of the endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoint updates. Larger number = higher endpoint programming latency, but lower number of endpoint revisions generated.

   --endpointslice-updates-batch-period=0s
      The length of the endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoint updates. Larger number = higher endpoint programming latency, but lower number of endpoint revisions generated.

   --experimental-cluster-signing-duration=8760h0m0s
      The length of duration signed certificates will be given.

   --experimental-logging-sanitization=false
      [Experimental] When enabled, prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

   --external-cloud-volume-plugin=""
      The plugin to use when cloud provider is set to external. Can be empty; should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in-tree cloud providers.
378
379
   --feature-gates=
      A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
         APIListChunking=true|false (BETA - default=true)
         APIPriorityAndFairness=true|false (BETA - default=true)
         APIResponseCompression=true|false (BETA - default=true)
         APIServerIdentity=true|false (ALPHA - default=false)
         AllAlpha=true|false (ALPHA - default=false)
         AllBeta=true|false (BETA - default=false)
         AnyVolumeDataSource=true|false (ALPHA - default=false)
         AppArmor=true|false (BETA - default=true)
         BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
         BoundServiceAccountTokenVolume=true|false (BETA - default=true)
         CPUManager=true|false (BETA - default=true)
         CSIInlineVolume=true|false (BETA - default=true)
         CSIMigration=true|false (BETA - default=true)
         CSIMigrationAWS=true|false (BETA - default=false)
         CSIMigrationAzureDisk=true|false (BETA - default=false)
         CSIMigrationAzureFile=true|false (BETA - default=false)
         CSIMigrationGCE=true|false (BETA - default=false)
         CSIMigrationOpenStack=true|false (BETA - default=true)
         CSIMigrationvSphere=true|false (BETA - default=false)
         CSIMigrationvSphereComplete=true|false (BETA - default=false)
         CSIServiceAccountToken=true|false (BETA - default=true)
         CSIStorageCapacity=true|false (BETA - default=true)
         CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
         CSIVolumeHealth=true|false (ALPHA - default=false)
         ConfigurableFSGroupPolicy=true|false (BETA - default=true)
         ControllerManagerLeaderMigration=true|false (ALPHA - default=false)
         CronJobControllerV2=true|false (BETA - default=true)
         CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
         DaemonSetUpdateSurge=true|false (ALPHA - default=false)
         DefaultPodTopologySpread=true|false (BETA - default=true)
         DevicePlugins=true|false (BETA - default=true)
         DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
         DownwardAPIHugePages=true|false (BETA - default=false)
         DynamicKubeletConfig=true|false (BETA - default=true)
         EfficientWatchResumption=true|false (BETA - default=true)
         EndpointSliceProxying=true|false (BETA - default=true)
         EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
         EphemeralContainers=true|false (ALPHA - default=false)
         ExpandCSIVolumes=true|false (BETA - default=true)
         ExpandInUsePersistentVolumes=true|false (BETA - default=true)
         ExpandPersistentVolumes=true|false (BETA - default=true)
         ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
         GenericEphemeralVolume=true|false (BETA - default=true)
         GracefulNodeShutdown=true|false (BETA - default=true)
         HPAContainerMetrics=true|false (ALPHA - default=false)
         HPAScaleToZero=true|false (ALPHA - default=false)
         HugePageStorageMediumSize=true|false (BETA - default=true)
         IPv6DualStack=true|false (BETA - default=true)
         InTreePluginAWSUnregister=true|false (ALPHA - default=false)
         InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
         InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
         InTreePluginGCEUnregister=true|false (ALPHA - default=false)
         InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
         InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
         IndexedJob=true|false (ALPHA - default=false)
         IngressClassNamespacedParams=true|false (ALPHA - default=false)
         KubeletCredentialProviders=true|false (ALPHA - default=false)
         KubeletPodResources=true|false (BETA - default=true)
         KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)
         LocalStorageCapacityIsolation=true|false (BETA - default=true)
         LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
         LogarithmicScaleDown=true|false (ALPHA - default=false)
         MemoryManager=true|false (ALPHA - default=false)
         MixedProtocolLBService=true|false (ALPHA - default=false)
         NamespaceDefaultLabelName=true|false (BETA - default=true)
         NetworkPolicyEndPort=true|false (ALPHA - default=false)
         NonPreemptingPriority=true|false (BETA - default=true)
         PodAffinityNamespaceSelector=true|false (ALPHA - default=false)
         PodDeletionCost=true|false (ALPHA - default=false)
         PodOverhead=true|false (BETA - default=true)
         PreferNominatedNode=true|false (ALPHA - default=false)
         ProbeTerminationGracePeriod=true|false (ALPHA - default=false)
         ProcMountType=true|false (ALPHA - default=false)
         QOSReserved=true|false (ALPHA - default=false)
         RemainingItemCount=true|false (BETA - default=true)
         RemoveSelfLink=true|false (BETA - default=true)
         RotateKubeletServerCertificate=true|false (BETA - default=true)
         ServerSideApply=true|false (BETA - default=true)
         ServiceInternalTrafficPolicy=true|false (ALPHA - default=false)
         ServiceLBNodePortControl=true|false (ALPHA - default=false)
         ServiceLoadBalancerClass=true|false (ALPHA - default=false)
         ServiceTopology=true|false (ALPHA - default=false)
         SetHostnameAsFQDN=true|false (BETA - default=true)
         SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
         StorageVersionAPI=true|false (ALPHA - default=false)
         StorageVersionHash=true|false (BETA - default=true)
         SuspendJob=true|false (ALPHA - default=false)
         TTLAfterFinished=true|false (BETA - default=true)
         TopologyAwareHints=true|false (ALPHA - default=false)
         TopologyManager=true|false (BETA - default=true)
         ValidateProxyRedirects=true|false (BETA - default=true)
         VolumeCapacityPriority=true|false (ALPHA - default=false)
         WarningHeaders=true|false (BETA - default=true)
         WinDSR=true|false (ALPHA - default=false)
         WinOverlay=true|false (BETA - default=true)
         WindowsEndpointSliceProxying=true|false (BETA - default=true)
462
463
   --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
      Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.

   -h, --help=false
      help for kube-controller-manager

   --horizontal-pod-autoscaler-cpu-initialization-period=5m0s
      The period after pod start when CPU samples might be skipped.

   --horizontal-pod-autoscaler-downscale-delay=5m0s
      The period since last downscale, before another downscale can be performed in horizontal pod autoscaler.

   --horizontal-pod-autoscaler-downscale-stabilization=5m0s
      The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period.

   --horizontal-pod-autoscaler-initial-readiness-delay=30s
      The period after pod start during which readiness changes will be treated as initial readiness.

   --horizontal-pod-autoscaler-sync-period=15s
      The period for syncing the number of pods in horizontal pod autoscaler.

   --horizontal-pod-autoscaler-tolerance=0.1
      The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.

   --horizontal-pod-autoscaler-upscale-delay=3m0s
      The period since last upscale, before another upscale can be performed in horizontal pod autoscaler.

   --horizontal-pod-autoscaler-use-rest-clients=true
      If set to true, causes the horizontal pod autoscaler controller to use REST clients through the kube-aggregator, instead of using the legacy metrics client through the API server proxy. This is required for custom metrics support in the horizontal pod autoscaler.

   --http2-max-streams-per-connection=0
      The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
515
516
   --kube-api-burst=30
      Burst to use while talking with kubernetes apiserver.

   --kube-api-content-type="application/vnd.kubernetes.protobuf"
      Content type of requests sent to apiserver.

   --kube-api-qps=20
      QPS to use while talking with kubernetes apiserver.

   --kubeconfig=""
      Path to kubeconfig file with authorization and master location information.

   --large-cluster-size-threshold=50
      Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller.

   --leader-elect=true
      Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.

   --leader-elect-lease-duration=15s
      The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

   --leader-elect-renew-deadline=10s
      The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.

   --leader-elect-resource-lock="leases"
      The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'.

   --leader-elect-resource-name="kube-controller-manager"
      The name of resource object that is used for locking during leader election.

   --leader-elect-resource-namespace="kube-system"
      The namespace of resource object that is used for locking during leader election.

   --leader-elect-retry-period=2s
      The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

   --leader-migration-config=""
      Path to the config file for controller leader migration, or empty to use the value that reflects default configuration of the controller manager. The config file should be of type LeaderMigrationConfiguration, group controllermanager.config.k8s.io, version v1alpha1.

   --log-flush-frequency=5s
      Maximum number of seconds between log flushes.

   --log_backtrace_at=:0
      When logging hits line file:N, emit a stack trace.

   --log_dir=""
      If non-empty, write log files in this directory.

   --log_file=""
      If non-empty, use this log file.

   --log_file_max_size=1800
      Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

   --logging-format="text"
      Sets the log format. Permitted formats: "json", "text". Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency. Non-default choices are currently alpha and subject to change without warning.
610
611
   --logtostderr=true
      Log to standard error instead of files.

   --master=""
      The address of the Kubernetes API server (overrides any value in kubeconfig).

   --max-endpoints-per-slice=100
      The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

   --min-resync-period=12h0m0s
      The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod.

   --mirroring-concurrent-service-endpoint-syncs=5
      The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

   --mirroring-endpointslice-updates-batch-period=0s
      The length of the EndpointSlice updates batching period for the EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but lower number of endpoint revisions generated.

   --mirroring-max-endpoints-per-subset=1000
      The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

   --namespace-sync-period=5m0s
      The period for syncing namespace life-cycle updates.

   --node-cidr-mask-size=0
      Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6.

   --node-cidr-mask-size-ipv4=0
      Mask size for IPv4 node cidr in dual-stack cluster. Default is 24.

   --node-cidr-mask-size-ipv6=0
      Mask size for IPv6 node cidr in dual-stack cluster. Default is 64.

   --node-eviction-rate=0.1
      Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters.

   --node-monitor-grace-period=40s
      Amount of time a running Node is allowed to be unresponsive before it is marked unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N is the number of retries allowed for the kubelet to post node status.

   --node-monitor-period=5s
      The period for syncing NodeStatus in NodeController.

   --node-startup-grace-period=1m0s
      Amount of time a starting Node is allowed to be unresponsive before it is marked unhealthy.

   --node-sync-period=0s
      This flag is deprecated and will be removed in future releases. See node-monitor-period for Node health checking or route-reconciliation-period for cloud provider's route configuration settings.

   --one_output=false
      If true, only write logs to their native severity level (vs also writing to each lower severity level).

   --permit-address-sharing=false
      If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]

   --permit-port-sharing=false
      If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]

   --pod-eviction-timeout=5m0s
      The grace period for deleting pods on failed nodes.

   --port=10252
      The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.
712
713
714 --profiling=true Enable profiling via web interface host:port/de‐
715 bug/pprof/


       --pv-recycler-increment-timeout-nfs=30      The increment of time
       added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod.


       --pv-recycler-minimum-timeout-hostpath=60      The minimum
       ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is
       for development and testing only and will not work in a multi-node
       cluster.


       --pv-recycler-minimum-timeout-nfs=300      The minimum
       ActiveDeadlineSeconds to use for an NFS Recycler pod.


       --pv-recycler-pod-template-filepath-hostpath=""      The file path
       to a pod definition used as a template for HostPath persistent
       volume recycling. This is for development and testing only and
       will not work in a multi-node cluster.


       --pv-recycler-pod-template-filepath-nfs=""      The file path to a
       pod definition used as a template for NFS persistent volume
       recycling.


       --pv-recycler-timeout-increment-hostpath=30      The increment of
       time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber
       pod. This is for development and testing only and will not work in
       a multi-node cluster.


       --pvclaimbinder-sync-period=15s      The period for syncing
       persistent volumes and persistent volume claims.


       --register-retry-count=10      The number of retries for initial
       node registration. Retry interval equals node-sync-period.


       --requestheader-allowed-names=[]      List of client certificate
       common names allowed to provide usernames in the headers named by
       --requestheader-username-headers. If empty, any client certificate
       validated by the authorities in --requestheader-client-ca-file is
       allowed. In practice, list the front proxy's certificate name(s):
       with an empty list, every holder of a certificate issued by that
       CA can assert an arbitrary username and group set.


       --requestheader-client-ca-file=""      Root certificate bundle
       used to verify client certificates on incoming requests before
       trusting usernames in the headers named by
       --requestheader-username-headers. WARNING: this establishes
       identity only; do not assume that the proxy has already authorized
       the request.


       --requestheader-extra-headers-prefix=[x-remote-extra-]      List of
       request header prefixes to inspect. X-Remote-Extra- is suggested.


       --requestheader-group-headers=[x-remote-group]      List of request
       headers to inspect for groups. X-Remote-Group is suggested.


       --requestheader-username-headers=[x-remote-user]      List of
       request headers to inspect for usernames. X-Remote-User is common.

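       How the four --requestheader-* flags combine is easier to see on a
       concrete request than in the flag text. The following is an added
       example, not Kubernetes code: a simplified model of the front-proxy
       authenticator that applies the documented rules (the client
       certificate must chain to --requestheader-client-ca-file; its common
       name must appear in --requestheader-allowed-names when that list is
       non-empty; the user is the first non-empty username header, the
       groups are every value of every group header, and extras are the
       headers carrying the configured prefix) to constructed requests. The
       class and function names, and the certificate names used, are
       assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class RequestHeaderConfig:
    """Mirrors the --requestheader-* flags (field names are assumptions)."""
    allowed_names: List[str] = field(default_factory=list)  # --requestheader-allowed-names
    username_headers: List[str] = field(default_factory=lambda: ["X-Remote-User"])
    group_headers: List[str] = field(default_factory=lambda: ["X-Remote-Group"])
    extra_prefixes: List[str] = field(default_factory=lambda: ["X-Remote-Extra-"])


@dataclass
class Request:
    # Common name of a client certificate that chained to the request-header
    # CA, or None if there was no certificate or it failed verification.
    verified_cn: Optional[str]
    headers: Dict[str, List[str]]


@dataclass
class UserInfo:
    name: str
    groups: List[str]
    extra: Dict[str, List[str]]


def authenticate(req: Request, cfg: RequestHeaderConfig) -> Optional[UserInfo]:
    """Return the identity asserted by the proxy, or None when this
    authenticator does not apply (no error is raised: the headers are simply
    ignored and the request falls through to the next authenticator)."""
    if req.verified_cn is None:
        return None
    if cfg.allowed_names and req.verified_cn not in cfg.allowed_names:
        return None
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    name = ""
    for h in cfg.username_headers:           # first non-empty username header wins
        vals = hdrs.get(h.lower(), [])
        if vals and vals[0]:
            name = vals[0]
            break
    if not name:
        return None
    groups: List[str] = []
    for h in cfg.group_headers:              # every value of every group header
        groups.extend(hdrs.get(h.lower(), []))
    extra: Dict[str, List[str]] = {}
    for prefix in cfg.extra_prefixes:        # prefix stripped, key lower-cased, unescaped
        p = prefix.lower()
        for k, vals in hdrs.items():
            if k.startswith(p):
                extra[unquote(k[len(p):])] = [unquote(v) for v in vals]
    return UserInfo(name, groups, extra)


# Constructed requests: in each one the sender asserts an admin identity.
ASSERTED = {"X-Remote-User": ["alice"], "X-Remote-Group": ["system:masters"],
            "X-Remote-Extra-Scopes": ["admin"]}
FROM_PROXY = Request(verified_cn="front-proxy-client", headers=ASSERTED)
FROM_OTHER_CERT = Request(verified_cn="metrics-scraper", headers=ASSERTED)
NO_CERT = Request(verified_cn=None, headers=ASSERTED)


def demo() -> Dict[str, Optional[str]]:
    """Who each request authenticates as, under an empty versus an explicit
    --requestheader-allowed-names."""
    permissive = RequestHeaderConfig()                          # allowed_names=[]
    strict = RequestHeaderConfig(allowed_names=["front-proxy-client"])

    def who(r: Request, c: RequestHeaderConfig) -> Optional[str]:
        u = authenticate(r, c)
        return None if u is None else u.name

    return {
        "proxy/permissive": who(FROM_PROXY, permissive),
        "other-cert/permissive": who(FROM_OTHER_CERT, permissive),  # accepted as alice
        "other-cert/strict": who(FROM_OTHER_CERT, strict),
        "no-cert/strict": who(NO_CERT, strict),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:24} -> {user}")
```

       The "other-cert/permissive" case is the one to notice: any
       certificate issued by the request-header CA, not just the proxy's,
       is enough to impersonate alice when the allowed-names list is empty.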

       --resource-quota-sync-period=5m0s      The period for syncing quota
       usage status in the system.


       --root-ca-file=""      If set, this root certificate authority is
       included in each service account's token Secret (the ca.crt key)
       so that pods can verify the apiserver's serving certificate. This
       must be a valid PEM-encoded CA bundle.


       --route-reconciliation-period=10s      The period for reconciling
       routes created for Nodes by the cloud provider.


       --secondary-node-eviction-rate=0.01      Number of nodes per second
       on which pods are deleted in case of node failure when a zone is
       unhealthy (see --unhealthy-zone-threshold for the definition of
       healthy/unhealthy). Zone refers to the entire cluster in
       non-multizone clusters. This value is implicitly overridden to 0 if
       the cluster size is smaller than --large-cluster-size-threshold.


       --secure-port=10257      The port on which to serve HTTPS with
       authentication and authorization. If 0, don't serve HTTPS at all,
       which also removes the authenticated endpoint for /healthz,
       /metrics and /debug/pprof.


       --service-account-private-key-file=""      Filename containing a
       PEM-encoded private RSA or ECDSA key used to sign service account
       tokens. The matching public key is what kube-apiserver verifies
       tokens against (its --service-account-key-file), so whoever holds
       this private key can mint a valid token for any service account;
       keep it readable by the controller manager only.


       --service-cluster-ip-range=""      CIDR range for Services in the
       cluster. Requires --allocate-node-cidrs to be true.


       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor
       version is meaningful; other values will not be allowed. The
       format is major.minor, e.g. '1.16'. The purpose of this format is
       to make sure you have the opportunity to notice if the next
       release hides additional metrics, rather than being surprised when
       they are permanently removed in the release after that.


       --skip_headers=false      If true, avoid header prefixes in the log
       messages.


       --skip_log_headers=false      If true, avoid headers when opening
       log files.


       --stderrthreshold=2      Logs at or above this threshold go to
       stderr.


       --terminated-pod-gc-threshold=12500      Number of terminated pods
       that can exist before the terminated pod garbage collector starts
       deleting terminated pods. If <= 0, the terminated pod garbage
       collector is disabled.


       --tls-cert-file=""      File containing the default x509
       certificate for HTTPS (CA cert, if any, concatenated after the
       server cert). If HTTPS serving is enabled and --tls-cert-file and
       --tls-private-key-file are not provided, a self-signed certificate
       and key are generated for the public address and saved to the
       directory specified by --cert-dir. Such a generated certificate
       chains to no CA that clients trust, so anything scraping /metrics
       over TLS would have to skip verification; supply a certificate
       issued by your cluster CA instead.


       --tls-cipher-suites=[]      Comma-separated list of cipher suites
       for the server. If omitted, the default Go cipher suites will be
       used. Preferred values: TLS_AES_128_GCM_SHA256,
       TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
       TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
       TLS_RSA_WITH_AES_256_GCM_SHA384. Insecure values:
       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
       "Preferred" here means only that Go does not flag the suite as
       insecure; the list still contains CBC, 3DES and static-RSA
       key-exchange suites. The TLS_AES_* and TLS_CHACHA20_POLY1305_SHA256
       entries are TLS 1.3 suites, which Go enables regardless of this
       flag, and the two CHACHA20_POLY1305 spellings per key exchange are
       aliases for the same suite. For a hardened server pass an explicit
       list of ECDHE AEAD suites only, for example
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305.


       --tls-min-version=""      Minimum TLS version supported. Possible
       values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
       TLS 1.0 and 1.1 are deprecated (RFC 8996); set VersionTLS12 unless
       a client you cannot change requires older.

       --tls-private-key-file=""      File containing the default x509
       private key matching --tls-cert-file.


       --tls-sni-cert-key=[]      A pair of x509 certificate and private
       key file paths, optionally suffixed with a list of domain patterns
       which are fully qualified domain names, possibly with leading
       wildcard segments. The domain patterns also allow IP addresses, but
       IPs should only be used if the server can see the IP address the
       client requested. If no domain patterns are provided, the names in
       the certificate are extracted. Non-wildcard matches take precedence
       over wildcard matches, and explicit domain patterns take precedence
       over extracted names. For multiple key/certificate pairs, use
       --tls-sni-cert-key multiple times. Examples:
       "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".

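       The precedence rules for --tls-sni-cert-key are compact but easy to
       misread. The following is an added example, not Kubernetes code: it
       parses flag values in the documented cert,key[:pattern,...] form and
       picks a certificate for a requested server name following those
       rules (names come from the explicit patterns, or are extracted from
       the certificate only when no patterns were given; explicit patterns
       win over extracted names; an exact match wins over a wildcard, and
       wildcards are tried label by label from the left, so *.foo.com covers
       www.foo.com but not a.b.foo.com). Because it must run offline, the
       names "extracted from the certificate" are supplied as a constructed
       dictionary rather than read from a file; all file names are
       assumptions.

```python
from typing import Dict, List, Tuple


def parse_sni_flag(value: str) -> Tuple[str, str, List[str]]:
    """Parse one --tls-sni-cert-key value: 'cert,key' or 'cert,key:name,...'."""
    files, _, names = value.partition(":")
    cert, key = (part.strip() for part in files.split(","))
    patterns = [n.strip().lower() for n in names.split(",") if n.strip()]
    return cert, key, patterns


def build_name_map(flag_values: List[str],
                   extracted: Dict[str, List[str]]) -> Dict[str, str]:
    """Map server name -> certificate file.

    Explicit patterns are entered first and never overwritten, so they take
    precedence over names extracted from a certificate; a certificate given
    with patterns contributes only those patterns."""
    parsed = [parse_sni_flag(v) for v in flag_values]
    name_map: Dict[str, str] = {}
    for cert, _, patterns in parsed:
        for n in patterns:
            name_map.setdefault(n, cert)
    for cert, _, patterns in parsed:
        if not patterns:
            for n in extracted.get(cert, []):
                name_map.setdefault(n.lower(), cert)
    return name_map


def select_cert(name_map: Dict[str, str], server_name: str,
                default_cert: str) -> str:
    """Exact match first; then wildcard candidates built by replacing labels
    from the left ('*.b.foo.com', '*.*.foo.com', ...); else the default
    certificate that --tls-cert-file would provide."""
    host = server_name.lower().rstrip(".")
    if host in name_map:
        return name_map[host]
    labels = host.split(".")
    for i in range(len(labels)):
        labels[i] = "*"
        candidate = ".".join(labels)
        if candidate in name_map:
            return name_map[candidate]
    return default_cert


# Constructed configuration: the two flag values from the page's examples
# plus a third that pins api.foo.com to its own certificate.
SNI_FLAGS = [
    "example.crt,example.key",
    "foo.crt,foo.key:*.foo.com,foo.com",
    "api.crt,api.key:api.foo.com",
]
# Stand-in for the names a real implementation would read out of example.crt.
EXTRACTED_NAMES = {"example.crt": ["example.com", "api.foo.com"]}
DEFAULT_CERT = "default.crt"   # what --tls-cert-file would supply


def resolve(server_name: str) -> str:
    """Certificate file served for the given SNI name under SNI_FLAGS."""
    return select_cert(build_name_map(SNI_FLAGS, EXTRACTED_NAMES),
                       server_name, DEFAULT_CERT)


if __name__ == "__main__":
    for sni in ["api.foo.com", "www.foo.com", "foo.com", "a.b.foo.com",
                "example.com", "other.test"]:
        print(f"{sni:14} -> {resolve(sni)}")
```

       Note that api.foo.com resolves to api.crt even though example.crt
       also carries that name: the explicit pattern wins, and the exact
       name beats the *.foo.com wildcard.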

       --unhealthy-zone-threshold=0.55      Fraction of Nodes in a zone
       which need to be not Ready (minimum 3) for the zone to be treated
       as unhealthy.


       --use-service-account-credentials=false      If true, use
       individual service account credentials for each controller. With
       false, every controller acts with the controller manager's own
       credentials and audit logs cannot tell them apart; with true, each
       controller runs as its own system:controller:* service account
       bound to a narrowly scoped RBAC role, which is the recommended
       setting.


       -v, --v=0      Number for the log level verbosity.


       --version=false      Print version information and quit.


       --vmodule=      Comma-separated list of pattern=N settings for
       file-filtered logging.


       --volume-host-allow-local-loopback=true      If false, deny local
       loopback IPs in addition to any CIDR ranges in
       --volume-host-cidr-denylist.


       --volume-host-cidr-denylist=[]      A comma-separated list of CIDR
       ranges that volume plugins must not connect to. Together with
       --volume-host-allow-local-loopback this stops volume plugins that
       contact user-supplied hosts from being used as an SSRF relay into
       the controller manager's network (CVE-2020-8555); a cloud metadata
       endpoint such as 169.254.169.254/32 is the usual entry.

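       The secure-serving, request-header, service-account and volume-host
       flags above each default to a permissive setting or accept a weak
       one. The script below is an added example, not Kubernetes tooling:
       it parses a kube-controller-manager command line (as it would appear
       in a static pod manifest or in ps output) and reports the settings a
       reviewer would flag: HTTPS disabled, TLS 1.0/1.1 allowed, a cipher
       suite from the page's insecure list or any CBC, 3DES, RC4 or
       static-RSA suite, shared controller credentials, a front-proxy CA
       with no allowed names, and no volume-host denylist. Both sample
       command lines and their file paths are constructed, and the
       weak-suite rule beyond the page's own insecure list is this editor's
       choice.

```python
import shlex
from typing import Dict, List, Tuple

# Suites the page lists under "Insecure values".
INSECURE_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_RC4_128_SHA",
}


def parse_args(cmdline: str) -> Dict[str, List[str]]:
    """Return {flag: [values...]} for 'kube-controller-manager --a=b --c d'.
    Repeated flags (e.g. --tls-sni-cert-key) keep every value, in order."""
    flags: Dict[str, List[str]] = {}
    toks = shlex.split(cmdline)[1:]          # drop the binary name
    i = 0
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("--"):
            i += 1
            continue
        if "=" in tok:
            name, val = tok[2:].split("=", 1)
        elif i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            name, val = tok[2:], toks[i + 1]   # '--flag value' form
            i += 1
        else:
            name, val = tok[2:], "true"         # bare boolean flag
        flags.setdefault(name, []).append(val)
        i += 1
    return flags


def weak_suite(suite: str) -> bool:
    """Weak if the page marks it insecure, or if it uses CBC, 3DES or RC4,
    or static RSA key exchange (no forward secrecy)."""
    return (suite in INSECURE_SUITES
            or any(t in suite for t in ("_CBC_", "3DES", "RC4"))
            or suite.startswith("TLS_RSA_WITH_"))


def lint(cmdline: str) -> List[Tuple[str, str]]:
    """Return (flag, problem) pairs for the settings a reviewer would flag."""
    flags = parse_args(cmdline)

    def last(name: str, default: str = "") -> str:
        return flags.get(name, [default])[-1]

    findings: List[Tuple[str, str]] = []
    if last("secure-port", "10257") == "0":
        findings.append(("secure-port", "HTTPS disabled; /healthz, /metrics and "
                         "/debug/pprof have no authenticated endpoint"))
    if last("tls-min-version") in ("VersionTLS10", "VersionTLS11"):
        findings.append(("tls-min-version", "TLS 1.0/1.1 allowed; set VersionTLS12"))
    bad = [s for s in last("tls-cipher-suites").split(",") if s and weak_suite(s)]
    if bad:
        findings.append(("tls-cipher-suites", "weak suites enabled: " + ",".join(bad)))
    if last("use-service-account-credentials", "false") != "true":
        findings.append(("use-service-account-credentials",
                         "controllers share the controller manager's own credentials"))
    if last("requestheader-client-ca-file") and not last("requestheader-allowed-names"):
        findings.append(("requestheader-allowed-names",
                         "empty: any cert from the front-proxy CA may assert any username"))
    if not last("volume-host-cidr-denylist"):
        findings.append(("volume-host-cidr-denylist",
                         "no CIDRs denied to volume plugins (e.g. 169.254.169.254/32)"))
    return findings


# Constructed command lines; the pki paths are assumptions.
WEAK_CMDLINE = (
    "kube-controller-manager --secure-port=0 --tls-min-version=VersionTLS10 "
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA "
    "--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt"
)
HARDENED_CMDLINE = (
    "kube-controller-manager --secure-port=10257 --tls-min-version=VersionTLS12 "
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 "
    "--use-service-account-credentials=true "
    "--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt "
    "--requestheader-allowed-names=front-proxy-client "
    "--volume-host-cidr-denylist=169.254.169.254/32 "
    "--volume-host-allow-local-loopback=false"
)

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"[{label}] {len(lint(cmd))} finding(s)")
        for flag, problem in lint(cmd):
            print(f"  --{flag}: {problem}")
```

       Run it against the command line taken from the controller manager's
       static pod manifest; the hardened sample produces no findings and is
       a reasonable starting point for your own flag set.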


January 2015, Originally compiled by Eric Paris (eparis at redhat dot
com) based on the kubernetes source material, but hopefully they have
been automatically generated since!



Manuals User                                    KUBERNETES(1)(kubernetes)