KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kube-apiserver -

SYNOPSIS
       kube-apiserver [OPTIONS]

DESCRIPTION
       The Kubernetes API server validates and configures data for the API
       objects which include pods, services, replicationcontrollers, and
       others. The API Server services REST operations and provides the
       frontend to the cluster's shared state through which all other
       components interact.

OPTIONS
       --add_dir_header=false      If true, adds the file directory to the
       header of the log messages

       --admission-control=[]      Admission is divided into two phases. In
       the first phase, only mutating admission plugins run. In the second
       phase, only validating admission plugins run. The names in the below
       list may represent a validating plugin, a mutating plugin, or both.
       The order of plugins in which they are passed to this flag does not
       matter. Comma-delimited list of: AlwaysAdmit, AlwaysDeny,
       AlwaysPullImages, CertificateApproval, CertificateSigning,
       CertificateSubjectRestriction, DefaultIngressClass,
       DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs,
       EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook,
       LimitPodHardAntiAffinityTopology, LimitRanger,
       MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists,
       NamespaceLifecycle, NodeRestriction,
       OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize,
       PersistentVolumeLabel, PodNodeSelector, PodSecurity,
       PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota,
       RuntimeClass, SecurityContextDeny, ServiceAccount,
       StorageObjectInUseProtection, TaintNodesByCondition,
       ValidatingAdmissionWebhook.

       --admission-control-config-file=""      File with admission control
       configuration.

       --advertise-address=      The IP address on which to advertise the
       apiserver to members of the cluster. This address must be reachable by
       the rest of the cluster. If blank, the --bind-address will be used. If
       --bind-address is unspecified, the host's default interface will be
       used.

       --allow-metric-labels=[]      The map from metric-label to value
       allow-list of this label. The key's format is <MetricName>,<LabelName>.
       The value's format is <allowed_value>,<allowed_value>,... e.g.
       metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3'
       metric2,label1='v1,v2,v3'.
65
66
       --allow-privileged=false      If true, allow privileged containers.
       [default=false]

       --alsologtostderr=false      log to standard error as well as files

       --anonymous-auth=true      Enables anonymous requests to the secure
       port of the API server. Requests that are not rejected by another
       authentication method are treated as anonymous requests. Anonymous
       requests have a username of system:anonymous, and a group name of
       system:unauthenticated.

       --api-audiences=[]      Identifiers of the API. The service account
       token authenticator will validate that tokens used against the API are
       bound to at least one of these audiences. If the
       --service-account-issuer flag is configured and this flag is not, this
       field defaults to a single element list containing the issuer URL.

       --apiserver-count=1      The number of apiservers running in the
       cluster, must be a positive number. (In use when
       --endpoint-reconciler-type=master-count is enabled.)

       --audit-log-batch-buffer-size=10000      The size of the buffer to
       store events before batching and writing. Only used in batch mode.

       --audit-log-batch-max-size=1      The maximum size of a batch. Only
       used in batch mode.

       --audit-log-batch-max-wait=0s      The amount of time to wait before
       force writing the batch that hadn't reached the max size. Only used in
       batch mode.

       --audit-log-batch-throttle-burst=0      Maximum number of requests sent
       at the same moment if ThrottleQPS was not utilized before. Only used in
       batch mode.

       --audit-log-batch-throttle-enable=false      Whether batching
       throttling is enabled. Only used in batch mode.

       --audit-log-batch-throttle-qps=0      Maximum average number of batches
       per second. Only used in batch mode.

       --audit-log-compress=false      If set, the rotated log files will be
       compressed using gzip.

       --audit-log-format="json"      Format of saved audits. "legacy"
       indicates 1-line text format for each event. "json" indicates
       structured json format. Known formats are legacy,json.

       --audit-log-maxage=0      The maximum number of days to retain old
       audit log files based on the timestamp encoded in their filename.

       --audit-log-maxbackup=0      The maximum number of old audit log files
       to retain. Setting a value of 0 will mean there's no restriction on the
       number of files.

       --audit-log-maxsize=0      The maximum size in megabytes of the audit
       log file before it gets rotated.

       --audit-log-mode="blocking"      Strategy for sending audit events.
       Blocking indicates sending events should block server responses. Batch
       causes the backend to buffer and write events asynchronously. Known
       modes are batch,blocking,blocking-strict.

       --audit-log-path=""      If set, all requests coming to the apiserver
       will be logged to this file. '-' means standard out.

       --audit-log-truncate-enabled=false      Whether event and batch
       truncating is enabled.

       --audit-log-truncate-max-batch-size=10485760      Maximum size of the
       batch sent to the underlying backend. Actual serialized size can be
       several hundreds of bytes greater. If a batch exceeds this limit, it is
       split into several batches of smaller size.

       --audit-log-truncate-max-event-size=102400      Maximum size of the
       audit event sent to the underlying backend. If the size of an event is
       greater than this number, first request and response are removed, and
       if this doesn't reduce the size enough, event is discarded.

       --audit-log-version="audit.k8s.io/v1"      API group and version used
       for serializing audit events written to log.

       --audit-policy-file=""      Path to the file that defines the audit
       policy configuration.

       --audit-webhook-batch-buffer-size=10000      The size of the buffer to
       store events before batching and writing. Only used in batch mode.

       --audit-webhook-batch-initial-backoff=10s      The amount of time to
       wait before retrying the first failed request.

       --audit-webhook-batch-max-size=400      The maximum size of a batch.
       Only used in batch mode.

       --audit-webhook-batch-max-wait=30s      The amount of time to wait
       before force writing the batch that hadn't reached the max size. Only
       used in batch mode.

       --audit-webhook-batch-throttle-burst=15      Maximum number of requests
       sent at the same moment if ThrottleQPS was not utilized before. Only
       used in batch mode.

       --audit-webhook-batch-throttle-enable=true      Whether batching
       throttling is enabled. Only used in batch mode.

       --audit-webhook-batch-throttle-qps=10      Maximum average number of
       batches per second. Only used in batch mode.

       --audit-webhook-config-file=""      Path to a kubeconfig formatted file
       that defines the audit webhook configuration.

       --audit-webhook-initial-backoff=10s      The amount of time to wait
       before retrying the first failed request.

       --audit-webhook-mode="batch"      Strategy for sending audit events.
       Blocking indicates sending events should block server responses. Batch
       causes the backend to buffer and write events asynchronously. Known
       modes are batch,blocking,blocking-strict.

       --audit-webhook-truncate-enabled=false      Whether event and batch
       truncating is enabled.

       --audit-webhook-truncate-max-batch-size=10485760      Maximum size of
       the batch sent to the underlying backend. Actual serialized size can be
       several hundreds of bytes greater. If a batch exceeds this limit, it is
       split into several batches of smaller size.

       --audit-webhook-truncate-max-event-size=102400      Maximum size of the
       audit event sent to the underlying backend. If the size of an event is
       greater than this number, first request and response are removed, and
       if this doesn't reduce the size enough, event is discarded.
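       The truncation rules stated for the --audit-log-truncate-* and
       --audit-webhook-truncate-* flags (strip request and response first,
       discard if still too large, split oversized batches) are easier to
       reason about when modelled directly. The following is an added example
       and not kube-apiserver's own truncate backend: it applies those rules to
       constructed audit events. The annotation it stamps on a truncated event
       is a constructed marker, and the exact serialization it measures is an
       assumption (the page notes the real serialized size can be somewhat
       larger).

```python
"""Added example (not kube-apiserver code): models the event truncation and
batch splitting described for --audit-log-truncate-max-event-size and
--audit-log-truncate-max-batch-size (and their --audit-webhook-* twins)."""
import json

# Defaults as listed in this man page.
MAX_EVENT_SIZE = 102400      # --audit-*-truncate-max-event-size
MAX_BATCH_SIZE = 10485760    # --audit-*-truncate-max-batch-size

# Constructed marker so a consumer can tell a stripped event from a small one;
# how the real backend marks truncation is not stated on the page.
TRUNCATED_ANNOTATION = "audit.k8s.io/truncated"


def event_size(event):
    """Compact JSON size in bytes (assumption: a stand-in for the real serializer)."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def truncate_event(event, max_event_size=MAX_EVENT_SIZE):
    """Return (event_or_None, action) where action is 'kept', 'truncated' or 'discarded'.
    Step 1: if the event fits, keep it as is.
    Step 2: otherwise drop requestObject/responseObject and re-measure.
    Step 3: if it still does not fit, discard the whole event."""
    if event_size(event) <= max_event_size:
        return event, "kept"
    slim = {k: v for k, v in event.items() if k not in ("requestObject", "responseObject")}
    slim.setdefault("annotations", {})[TRUNCATED_ANNOTATION] = "true"
    if event_size(slim) <= max_event_size:
        return slim, "truncated"
    return None, "discarded"


def split_batch(events, max_batch_size=MAX_BATCH_SIZE):
    """Greedily split a list of events into batches whose summed size stays within the limit.
    A single event larger than the limit still goes out alone rather than being lost here."""
    batches, current, current_size = [], [], 0
    for ev in events:
        size = event_size(ev)
        if current and current_size + size > max_batch_size:
            batches.append(current)
            current, current_size = [], 0
        current.append(ev)
        current_size += size
    if current:
        batches.append(current)
    return batches


def process_events(events, max_event_size=MAX_EVENT_SIZE, max_batch_size=MAX_BATCH_SIZE):
    """Truncate each event, then batch the survivors. Returns (batches, action counts)."""
    kept, stats = [], {"kept": 0, "truncated": 0, "discarded": 0}
    for ev in events:
        out, action = truncate_event(ev, max_event_size)
        stats[action] += 1
        if out is not None:
            kept.append(out)
    return split_batch(kept, max_batch_size), stats


def make_event(audit_id, body_bytes):
    """Constructed RequestResponse-level audit event with bodies of the given size."""
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "level": "RequestResponse", "verb": "create",
        "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
        "requestObject": {"data": "x" * body_bytes},
        "responseObject": {"data": "y" * body_bytes},
    }


if __name__ == "__main__":
    # Tiny limits so the three outcomes are visible on constructed input.
    huge = make_event("c", 10)
    huge["userAgent"] = "z" * 2000        # too big even after stripping bodies
    batches, stats = process_events([make_event("a", 10), make_event("b", 1000), huge],
                                    max_event_size=600, max_batch_size=10**6)
    print(stats, [len(b) for b in batches])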
233
234
       --audit-webhook-version="audit.k8s.io/v1"      API group and version
       used for serializing audit events written to webhook.

       --authentication-token-webhook-cache-ttl=2m0s      The duration to
       cache responses from the webhook token authenticator.

       --authentication-token-webhook-config-file=""      File with webhook
       configuration for token authentication in kubeconfig format. The API
       server will query the remote service to determine authentication for
       bearer tokens.

       --authentication-token-webhook-version="v1beta1"      The API version
       of the authentication.k8s.io TokenReview to send to and expect from the
       webhook.

       --authorization-mode=[AlwaysAllow]      Ordered list of plug-ins to do
       authorization on secure port. Comma-delimited list of:
       AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node.

       --authorization-policy-file=""      File with authorization policy in
       json line by line format, used with --authorization-mode=ABAC, on the
       secure port.

       --authorization-webhook-cache-authorized-ttl=5m0s      The duration to
       cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=30s      The duration to
       cache 'unauthorized' responses from the webhook authorizer.
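       The two cache TTLs above are asymmetric on purpose: a cached 'allow'
       outlives a cached 'deny' ten-fold, so a revoked permission can keep
       working for up to the authorized TTL while a newly granted one is
       refused for at most the unauthorized TTL. The following is an added
       example, not kube-apiserver's webhook authorizer, that reproduces that
       caching policy over a stub webhook with a fake clock; the cache key
       shape and the stub policy are assumptions.

```python
"""Added example (not kube-apiserver code): a decision cache with separate
TTLs for 'authorized' and 'unauthorized' answers, modelled on
--authorization-webhook-cache-authorized-ttl (default 5m0s) and
--authorization-webhook-cache-unauthorized-ttl (default 30s)."""
import time


class FakeClock:
    """Constructed clock so TTL expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class WebhookDecisionCache:
    def __init__(self, authorized_ttl=300.0, unauthorized_ttl=30.0, clock=time.monotonic):
        self.authorized_ttl = authorized_ttl
        self.unauthorized_ttl = unauthorized_ttl
        self.clock = clock
        self._entries = {}  # key -> (allowed, expires_at)

    def lookup(self, key):
        """Return the cached verdict, or None on a miss or an expired entry."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        allowed, expires_at = entry
        if self.clock() >= expires_at:
            del self._entries[key]
            return None
        return allowed

    def store(self, key, allowed):
        """Allowed answers live for authorized_ttl, denials for unauthorized_ttl."""
        ttl = self.authorized_ttl if allowed else self.unauthorized_ttl
        self._entries[key] = (allowed, self.clock() + ttl)


def authorize(cache, webhook, key):
    """Answer from the cache when possible; otherwise ask the webhook and cache its verdict.
    key is any hashable request description, e.g. (user, verb, resource, namespace)."""
    cached = cache.lookup(key)
    if cached is not None:
        return cached
    allowed = bool(webhook(key))
    cache.store(key, allowed)
    return allowed


def worst_case_staleness(cache):
    """Longest time a decision can lag a policy change, per direction of change."""
    return {"revocation": cache.authorized_ttl, "grant": cache.unauthorized_ttl}


if __name__ == "__main__":
    clock = FakeClock()
    policy = {"alice"}                       # constructed: users the stub webhook allows
    cache = WebhookDecisionCache(clock=clock.now)
    hook = lambda key: key[0] in policy      # stub webhook standing in for the remote service
    req = ("alice", "get", "pods", "default")
    print(authorize(cache, hook, req))       # True, from the webhook
    policy.discard("alice")                  # revoke alice
    print(authorize(cache, hook, req))       # still True: served from cache
    clock.advance(300)
    print(authorize(cache, hook, req))       # False once the authorized TTL has elapsed
```

       The practical consequence for incident response is that shortening
       --authorization-webhook-cache-authorized-ttl is what bounds how long a
       revoked subject keeps access; the unauthorized TTL only affects how
       quickly new grants take effect.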
270
271
       --authorization-webhook-config-file=""      File with webhook
       configuration in kubeconfig format, used with
       --authorization-mode=Webhook. The API server will query the remote
       service to determine access on the API server's secure port.

       --authorization-webhook-version="v1beta1"      The API version of the
       authorization.k8s.io SubjectAccessReview to send to and expect from the
       webhook.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address on which to listen for the
       --secure-port port. The associated interface(s) must be reachable by
       the rest of the cluster, and by CLI/web clients. If blank or an
       unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir="/var/run/kubernetes"      The directory where the TLS certs
       are located. If --tls-cert-file and --tls-private-key-file are
       provided, this flag will be ignored.

       --client-ca-file=""      If set, any request presenting a client
       certificate signed by one of the authorities in the client-ca-file is
       authenticated with an identity corresponding to the CommonName of the
       client certificate.

       --cloud-config=""      The path to the cloud provider configuration
       file. Empty string for no configuration file.

       --cloud-provider=""      The provider for cloud services. Empty string
       for no provider.

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L7 LB traffic proxy & health
       checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L4 LB traffic proxy & health
       checks

       --contention-profiling=false      Enable lock contention profiling, if
       profiling is enabled

       --cors-allowed-origins=[]      List of allowed origins for CORS, comma
       separated. An allowed origin can be a regular expression to support
       subdomain matching. If this list is empty CORS will not be enabled.

       --default-not-ready-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for notReady:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --default-unreachable-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for unreachable:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --default-watch-cache-size=100      Default watch cache size. If zero,
       watch cache will be disabled for resources that do not have a default
       watch size set.

       --delete-collection-workers=1      Number of workers spawned for
       DeleteCollection call. These are used to speed up namespace cleanup.

       --disable-admission-plugins=[]      admission plugins that should be
       disabled although they are in the default enabled plugins list
       (NamespaceLifecycle, LimitRanger, ServiceAccount,
       TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds,
       DefaultStorageClass, StorageObjectInUseProtection,
       PersistentVolumeClaimResize, RuntimeClass, CertificateApproval,
       CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass,
       MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota).
       Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny,
       AlwaysPullImages, CertificateApproval, CertificateSigning,
       CertificateSubjectRestriction, DefaultIngressClass,
       DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs,
       EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook,
       LimitPodHardAntiAffinityTopology, LimitRanger,
       MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists,
       NamespaceLifecycle, NodeRestriction,
       OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize,
       PersistentVolumeLabel, PodNodeSelector, PodSecurity,
       PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota,
       RuntimeClass, SecurityContextDeny, ServiceAccount,
       StorageObjectInUseProtection, TaintNodesByCondition,
       ValidatingAdmissionWebhook. The order of plugins in this flag does not
       matter.

       --disabled-metrics=[]      This flag provides an escape hatch for
       misbehaving metrics. You must provide the fully qualified metric name
       in order to disable it. Disclaimer: disabling metrics is higher in
       precedence than showing hidden metrics.

       --egress-selector-config-file=""      File with apiserver egress
       selector configuration.

       --enable-admission-plugins=[]      admission plugins that should be
       enabled in addition to default enabled ones (NamespaceLifecycle,
       LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity,
       Priority, DefaultTolerationSeconds, DefaultStorageClass,
       StorageObjectInUseProtection, PersistentVolumeClaimResize,
       RuntimeClass, CertificateApproval, CertificateSigning,
       CertificateSubjectRestriction, DefaultIngressClass,
       MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota).
       Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny,
       AlwaysPullImages, CertificateApproval, CertificateSigning,
       CertificateSubjectRestriction, DefaultIngressClass,
       DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs,
       EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook,
       LimitPodHardAntiAffinityTopology, LimitRanger,
       MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists,
       NamespaceLifecycle, NodeRestriction,
       OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize,
       PersistentVolumeLabel, PodNodeSelector, PodSecurity,
       PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota,
       RuntimeClass, SecurityContextDeny, ServiceAccount,
       StorageObjectInUseProtection, TaintNodesByCondition,
       ValidatingAdmissionWebhook. The order of plugins in this flag does not
       matter.

       --enable-aggregator-routing=false      Turns on aggregator routing
       requests to endpoints IP rather than cluster IP.

       --enable-bootstrap-token-auth=false      Enable to allow secrets of
       type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to
       be used for TLS bootstrapping authentication.

       --enable-garbage-collector=true      Enables the generic garbage
       collector. MUST be synced with the corresponding flag of the
       kube-controller-manager.

       --enable-logs-handler=true      If true, install a /logs handler for
       the apiserver logs.

       --enable-priority-and-fairness=true      If true and the
       APIPriorityAndFairness feature gate is enabled, replace the
       max-in-flight handler with an enhanced one that queues and dispatches
       with priority and fairness

       --encryption-provider-config=""      The file containing configuration
       for encryption providers to be used for storing secrets in etcd
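       Several of the flags documented so far decide the security posture of
       the server on their own: --anonymous-auth defaults to true,
       --authorization-mode defaults to [AlwaysAllow], NodeRestriction is not
       among the default-enabled admission plugins, audit logging is off until
       --audit-log-path is set, and etcd, kubelet and client-CA material only
       takes effect when the corresponding file flags are given. The
       following is an added example, not part of kube-apiserver, that reviews
       a kube-apiserver command line (for instance the command array of a
       static pod manifest) against those descriptions. The checks are this
       example's own hardening baseline derived from the flag text above, not
       a standard the page cites; the sample command lines and file paths are
       constructed.

```python
"""Added example (not kube-apiserver code): a static review of a kube-apiserver
command line against the security-relevant flags documented in this man page."""

# Defaults as listed in this man page, used when a flag is absent.
DEFAULTS = {
    "anonymous-auth": "true",
    "authorization-mode": "[AlwaysAllow]",
    "allow-privileged": "false",
    "audit-log-maxage": "0",
    "audit-log-maxbackup": "0",
    "audit-log-maxsize": "0",
}

# File flags whose absence means the corresponding protection is simply off.
REQUIRED_FILES = (
    "client-ca-file", "kubelet-certificate-authority", "kubelet-client-certificate",
    "kubelet-client-key", "etcd-cafile", "etcd-certfile", "etcd-keyfile",
    "encryption-provider-config", "audit-log-path", "audit-policy-file",
)


def parse_flags(argv):
    """Map ['kube-apiserver', '--a=b', '--c', 'd', '--e'] to {'a': 'b', 'c': 'd', 'e': 'true'}.
    A repeated flag keeps its last value; words that are not flags are ignored."""
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep:  # '--flag value' form, or a bare boolean switch
                if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                    value, i = argv[i + 1], i + 1
                else:
                    value = "true"
            flags[name] = value
        i += 1
    return flags


def csv(value):
    """Split a comma-delimited flag value such as '[Node,RBAC]' into its items."""
    return [v for v in value.strip("[]").split(",") if v]


def review(flags):
    """Return a list of (finding_id, message) for settings that weaken the server."""
    get = lambda k: flags.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("anonymous-auth") != "false":
        findings.append(("anonymous-auth",
                         "unauthenticated requests reach the secure port as system:anonymous"))
    modes = csv(get("authorization-mode"))
    if "AlwaysAllow" in modes:
        findings.append(("authorization-mode/AlwaysAllow", "every request is authorized"))
    for mode in ("Node", "RBAC"):
        if mode not in modes:
            findings.append((f"authorization-mode/missing-{mode}",
                             f"{mode} authorizer is not in the ordered list"))
    enabled = csv(flags.get("enable-admission-plugins", "")) + csv(flags.get("admission-control", ""))
    if "AlwaysAdmit" in enabled:
        findings.append(("admission/AlwaysAdmit", "AlwaysAdmit admits every object"))
    if "NodeRestriction" not in enabled:
        findings.append(("admission/missing-NodeRestriction",
                         "NodeRestriction is not default-enabled and was not turned on"))
    for plugin in ("NamespaceLifecycle", "ServiceAccount", "PodSecurity"):
        if plugin in csv(flags.get("disable-admission-plugins", "")):
            findings.append((f"admission/disabled-{plugin}", f"default plugin {plugin} disabled"))
    for key in REQUIRED_FILES:
        if not flags.get(key):
            findings.append((f"missing/{key}", f"--{key} is not set"))
    for key in ("audit-log-maxage", "audit-log-maxbackup", "audit-log-maxsize"):
        if flags.get("audit-log-path") and get(key) == "0":
            findings.append((key, "audit log retention/rotation is unbounded"))
    if get("allow-privileged") == "true":
        findings.append(("allow-privileged", "privileged containers are allowed cluster-wide"))
    return findings


def finding_ids(argv):
    return sorted(fid for fid, _ in review(parse_flags(argv)))


# Constructed sample command lines; the paths are placeholders, not from any real cluster.
INSECURE = ["kube-apiserver", "--authorization-mode=AlwaysAllow",
            "--enable-admission-plugins=AlwaysAdmit", "--audit-log-path=/var/log/audit.log"]
HARDENED = ["kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC",
            "--enable-admission-plugins=NodeRestriction,PodSecurity",
            "--audit-log-path=/var/log/kubernetes/audit.log",
            "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
            "--audit-log-maxage=30", "--audit-log-maxbackup=10", "--audit-log-maxsize=100",
            "--client-ca-file=/etc/kubernetes/pki/ca.crt",
            "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
            "--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt",
            "--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key",
            "--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt",
            "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt",
            "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key",
            "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml"]

if __name__ == "__main__":
    for label, argv in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, review(parse_flags(argv)) or "no findings")
```

       Running this against the command array of each control-plane manifest
       is a cheap way to catch a defaults-only deployment: with no flags at
       all, the page's defaults alone produce the anonymous-auth,
       AlwaysAllow and missing-file findings.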
431
432
       --endpoint-reconciler-type="lease"      Use an endpoint reconciler
       (master-count, lease, none) master-count is deprecated, and will be
       removed in a future version.

       --etcd-cafile=""      SSL Certificate Authority file used to secure
       etcd communication.

       --etcd-certfile=""      SSL certification file used to secure etcd
       communication.

       --etcd-compaction-interval=5m0s      The interval of compaction
       requests. If 0, the compaction request from apiserver is disabled.

       --etcd-count-metric-poll-period=1m0s      Frequency of polling etcd for
       number of resources per type. 0 disables the metric collection.

       --etcd-db-metric-poll-interval=30s      The interval of requests to
       poll etcd and update metric. 0 disables the metric collection

       --etcd-healthcheck-timeout=2s      The timeout to use when checking
       etcd health.

       --etcd-keyfile=""      SSL key file used to secure etcd communication.

       --etcd-prefix="/registry"      The prefix to prepend to all resource
       paths in etcd.

       --etcd-servers=[]      List of etcd servers to connect with
       (scheme://ip:port), comma separated.

       --etcd-servers-overrides=[]      Per-resource etcd servers overrides,
       comma separated. The individual override format:
       group/resource#servers, where servers are URLs, semicolon separated.
       Note that this applies only to resources compiled into this server
       binary.

       --event-ttl=1h0m0s      Amount of time to retain events.

       --external-hostname=""      The hostname to use when generating
       externalized URLs for this master (e.g. Swagger API Docs or OpenID
       Discovery).

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
            APIListChunking=true|false (BETA - default=true)
            APIPriorityAndFairness=true|false (BETA - default=true)
            APIResponseCompression=true|false (BETA - default=true)
            APIServerIdentity=true|false (ALPHA - default=false)
            APIServerTracing=true|false (ALPHA - default=false)
            AllAlpha=true|false (ALPHA - default=false)
            AllBeta=true|false (BETA - default=false)
            AnyVolumeDataSource=true|false (BETA - default=true)
            AppArmor=true|false (BETA - default=true)
            CPUManager=true|false (BETA - default=true)
            CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
            CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
            CPUManagerPolicyOptions=true|false (BETA - default=true)
            CSIInlineVolume=true|false (BETA - default=true)
            CSIMigration=true|false (BETA - default=true)
            CSIMigrationAWS=true|false (BETA - default=true)
            CSIMigrationAzureFile=true|false (BETA - default=true)
            CSIMigrationGCE=true|false (BETA - default=true)
            CSIMigrationPortworx=true|false (ALPHA - default=false)
            CSIMigrationRBD=true|false (ALPHA - default=false)
            CSIMigrationvSphere=true|false (BETA - default=false)
            CSIVolumeHealth=true|false (ALPHA - default=false)
            ContextualLogging=true|false (ALPHA - default=false)
            CronJobTimeZone=true|false (ALPHA - default=false)
            CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
            CustomResourceValidationExpressions=true|false (ALPHA - default=false)
            DaemonSetUpdateSurge=true|false (BETA - default=true)
            DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
            DevicePlugins=true|false (BETA - default=true)
            DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
            DisableCloudProviders=true|false (ALPHA - default=false)
            DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
            DownwardAPIHugePages=true|false (BETA - default=true)
            EndpointSliceTerminatingCondition=true|false (BETA - default=true)
            EphemeralContainers=true|false (BETA - default=true)
            ExpandedDNSConfig=true|false (ALPHA - default=false)
            ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
            GRPCContainerProbe=true|false (BETA - default=true)
            GracefulNodeShutdown=true|false (BETA - default=true)
            GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
            HPAContainerMetrics=true|false (ALPHA - default=false)
            HPAScaleToZero=true|false (ALPHA - default=false)
            HonorPVReclaimPolicy=true|false (ALPHA - default=false)
            IdentifyPodOS=true|false (BETA - default=true)
            InTreePluginAWSUnregister=true|false (ALPHA - default=false)
            InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
            InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
            InTreePluginGCEUnregister=true|false (ALPHA - default=false)
            InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
            InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
            InTreePluginRBDUnregister=true|false (ALPHA - default=false)
            InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
            JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
            JobReadyPods=true|false (BETA - default=true)
            JobTrackingWithFinalizers=true|false (BETA - default=false)
            KubeletCredentialProviders=true|false (BETA - default=true)
            KubeletInUserNamespace=true|false (ALPHA - default=false)
            KubeletPodResources=true|false (BETA - default=true)
            KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
            LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
            LocalStorageCapacityIsolation=true|false (BETA - default=true)
            LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
            LogarithmicScaleDown=true|false (BETA - default=true)
            MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
            MemoryManager=true|false (BETA - default=true)
            MemoryQoS=true|false (ALPHA - default=false)
            MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)
            MixedProtocolLBService=true|false (BETA - default=true)
            NetworkPolicyEndPort=true|false (BETA - default=true)
            NetworkPolicyStatus=true|false (ALPHA - default=false)
            NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
            NodeSwap=true|false (ALPHA - default=false)
            OpenAPIEnums=true|false (BETA - default=true)
            OpenAPIV3=true|false (BETA - default=true)
            PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
            PodDeletionCost=true|false (BETA - default=true)
            PodSecurity=true|false (BETA - default=true)
            ProbeTerminationGracePeriod=true|false (BETA - default=false)
            ProcMountType=true|false (ALPHA - default=false)
            ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
            QOSReserved=true|false (ALPHA - default=false)
            ReadWriteOncePod=true|false (ALPHA - default=false)
            RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
            RemainingItemCount=true|false (BETA - default=true)
            RotateKubeletServerCertificate=true|false (BETA - default=true)
            SeccompDefault=true|false (ALPHA - default=false)
            ServerSideFieldValidation=true|false (ALPHA - default=false)
            ServiceIPStaticSubrange=true|false (ALPHA - default=false)
            ServiceInternalTrafficPolicy=true|false (BETA - default=true)
            SizeMemoryBackedVolumes=true|false (BETA - default=true)
            StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
            StatefulSetMinReadySeconds=true|false (BETA - default=true)
            StorageVersionAPI=true|false (ALPHA - default=false)
            StorageVersionHash=true|false (BETA - default=true)
            TopologyAwareHints=true|false (BETA - default=true)
            TopologyManager=true|false (BETA - default=true)
            VolumeCapacityPriority=true|false (ALPHA - default=false)
            WinDSR=true|false (ALPHA - default=false)
            WinOverlay=true|false (BETA - default=true)
            WindowsHostProcessContainers=true|false (BETA - default=true)

       --goaway-chance=0      To prevent HTTP/2 clients from getting stuck on
       a single apiserver, randomly close a connection (GOAWAY). The client's
       other in-flight requests won't be affected, and the client will
       reconnect, likely landing on a different apiserver after going through
       the load balancer again. This argument sets the fraction of requests
       that will be sent a GOAWAY. Clusters with single apiservers, or which
       don't use a load balancer, should NOT enable this. Min is 0 (off), Max
       is .02 (1/50 requests); .001 (1/1000) is a recommended starting point.

       -h, --help=false      help for kube-apiserver

       --http2-max-streams-per-connection=0      The limit that the server
       gives to clients for the maximum number of streams in an HTTP/2
       connection. Zero means to use golang's default.

       --identity-lease-duration-seconds=3600      The duration of
       kube-apiserver lease in seconds, must be a positive number. (In use
       when the APIServerIdentity feature gate is enabled.)

       --identity-lease-renew-interval-seconds=10      The interval of
       kube-apiserver renewing its lease in seconds, must be a positive
       number. (In use when the APIServerIdentity feature gate is enabled.)

       --kubelet-certificate-authority=""      Path to a cert file for the
       certificate authority.

       --kubelet-client-certificate=""      Path to a client cert file for
       TLS.

       --kubelet-client-key=""      Path to a client key file for TLS.

       --kubelet-port=10250      DEPRECATED: kubelet port.

       --kubelet-preferred-address-types=[Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP]
            List of the preferred NodeAddressTypes to use for kubelet
       connections.

       --kubelet-read-only-port=10255      DEPRECATED: kubelet read only port.

       --kubelet-timeout=5s      Timeout for kubelet operations.

       --kubernetes-service-node-port=0      If non-zero, the Kubernetes
       master service (which apiserver creates/maintains) will be of type
       NodePort, using this as the value of the port. If zero, the Kubernetes
       master service will be of type ClusterIP.

       --lease-reuse-duration-seconds=60      The time in seconds that each
       lease is reused. A lower value could avoid large number of objects
       reusing the same lease. Notice that a too small value may cause
       performance problems at storage layer.

       --livez-grace-period=0s      This option represents the maximum amount
       of time it should take for apiserver to complete its startup sequence
       and become live. From apiserver's start time to when this amount of
       time has elapsed, /livez will assume that unfinished post-start hooks
       will complete successfully and therefore return true.

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --log_backtrace_at=:0      when logging hits line file:N, emit a stack
       trace

       --log_dir=""      If non-empty, write log files in this directory

       --log_file=""      If non-empty, use this log file

       --log_file_max_size=1800      Defines the maximum size a log file can
       grow to. Unit is megabytes. If the value is 0, the maximum file size is
       unlimited.

       --logging-format="text"      Sets the log format. Permitted formats:
       "text". Non-default formats don't honor these flags: --add-dir-header,
       --alsologtostderr, --log-backtrace-at, --log-dir, --log-file,
       --log-file-max-size, --logtostderr, --one-output, --skip-headers,
       --skip-log-headers, --stderrthreshold, --vmodule. Non-default choices
       are currently alpha and subject to change without warning.

       --logtostderr=true      log to standard error instead of files

       --master-service-namespace="default"      DEPRECATED: the namespace
       from which the Kubernetes master services should be injected into pods.

       --max-connection-bytes-per-sec=0      If non-zero, throttle each user
       connection to this number of bytes/sec. Currently only applies to
       long-running requests.

       --max-mutating-requests-inflight=200      This and
       --max-requests-inflight are summed to determine the server's total
       concurrency limit (which must be positive) if
       --enable-priority-and-fairness is true. Otherwise, this flag limits the
       maximum number of mutating requests in flight, or a zero value disables
       the limit completely.

       --max-requests-inflight=400      This and
       --max-mutating-requests-inflight are summed to determine the server's
       total concurrency limit (which must be positive) if
       --enable-priority-and-fairness is true. Otherwise, this flag limits the
       maximum number of non-mutating requests in flight, or a zero value
       disables the limit completely.

       --min-request-timeout=1800      An optional field indicating the
       minimum number of seconds a handler must keep a request open before
       timing
704       it out. Currently only honored by  the  watch  request  handler,  which
705       picks  a  randomized value above this number as the connection timeout,
706       to spread out load.
707
708
709       --oidc-ca-file=""      If set, the OpenID server's certificate will  be
710       verified  by  one of the authorities in the oidc-ca-file, otherwise the
711       host's root CA set will be used.
712
713
714       --oidc-client-id=""      The client ID for the OpenID  Connect  client,
715       must be set if oidc-issuer-url is set.
716
717
718       --oidc-groups-claim=""       If  provided,  the name of a custom OpenID
719       Connect claim for specifying user groups. The claim value  is  expected
720       to  be  a string or array of strings. This flag is experimental, please
721       see the authentication documentation for further details.
722
723
724       --oidc-groups-prefix=""      If provided, all groups will  be  prefixed
725       with  this value to prevent conflicts with other authentication strate‐
726       gies.
727
728
729       --oidc-issuer-url=""      The URL of  the  OpenID  issuer,  only  HTTPS
730       scheme  will  be  accepted.  If set, it will be used to verify the OIDC
731       JSON Web Token (JWT).
732
733
734       --oidc-required-claim=      A key=value pair that describes a  required
735       claim  in  the ID Token. If set, the claim is verified to be present in
736       the ID Token with a matching value. Repeat this flag to specify  multi‐
737       ple claims.
738
739

       --oidc-signing-algs=[RS256]       Comma-separated list of allowed JOSE
       asymmetric signing algorithms. A JWT is accepted only if its 'alg'
       header is in this list. Supported values are: RS256, RS384, RS512,
       ES256, ES384, ES512, PS256, PS384, PS512. Values are defined by RFC
       7518 https://tools.ietf.org/html/rfc7518#section-3.1.

       --oidc-username-claim="sub"       The OpenID claim to use as the user
       name. Note that claims other than the default ('sub') are not
       guaranteed to be unique and immutable. This flag is experimental,
       please see the authentication documentation for further details.

       --oidc-username-prefix=""      If provided, all usernames will be
       prefixed with this value. If not provided, username claims other than
       'email' are prefixed by the issuer URL to avoid clashes. To skip any
       prefixing, provide the value '-'.
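
       Example (added here; not part of the man page or of the Kubernetes
       sources): the claim-mapping rules described by the --oidc-* flags
       above, written as a stand-alone Go program. The type and function
       names (OIDCConfig, MapClaims, stringOrSlice, contains) are this
       example's own; the '#' separator between the issuer URL and the
       username is an assumption, and signature verification of the token
       against the issuer's keys is taken as already done, so only the claim
       checks and the prefixing rules are shown.

```go
package main

import (
	"fmt"
	"net/url"
)

// OIDCConfig mirrors the --oidc-* flags; names are this example's own.
type OIDCConfig struct {
	IssuerURL      string            // --oidc-issuer-url (https only)
	ClientID       string            // --oidc-client-id, expected in "aud"
	UsernameClaim  string            // --oidc-username-claim, "" means "sub"
	UsernamePrefix string            // --oidc-username-prefix; "-" disables prefixing
	GroupsClaim    string            // --oidc-groups-claim, optional
	GroupsPrefix   string            // --oidc-groups-prefix, optional
	RequiredClaims map[string]string // --oidc-required-claim key=value pairs
	SigningAlgs    []string          // --oidc-signing-algs allow-list
}

// MapClaims enforces the flag rules (https issuer, client ID set, allowed
// alg, iss/aud/required claims) and derives username and groups with the
// documented prefixing. Signature verification is assumed done already.
func MapClaims(c OIDCConfig, alg string, claims map[string]interface{}) (string, []string, error) {
	if u, err := url.Parse(c.IssuerURL); err != nil || u.Scheme != "https" || u.Host == "" || c.ClientID == "" {
		return "", nil, fmt.Errorf("oidc-issuer-url must be an https URL and oidc-client-id must be set")
	}
	if !contains(c.SigningAlgs, alg) {
		return "", nil, fmt.Errorf("alg %q is not in --oidc-signing-algs", alg)
	}
	if iss, _ := claims["iss"].(string); iss != c.IssuerURL {
		return "", nil, fmt.Errorf("iss %q does not match --oidc-issuer-url", iss)
	}
	if !contains(stringOrSlice(claims["aud"]), c.ClientID) { // standard OIDC audience rule
		return "", nil, fmt.Errorf("aud does not contain client id %q", c.ClientID)
	}
	for k, want := range c.RequiredClaims {
		if got, _ := claims[k].(string); got != want {
			return "", nil, fmt.Errorf("required claim %s=%s not present", k, want)
		}
	}
	usernameClaim := "sub" // flag default
	if c.UsernameClaim != "" {
		usernameClaim = c.UsernameClaim
	}
	name, _ := claims[usernameClaim].(string)
	if name == "" {
		return "", nil, fmt.Errorf("username claim %q missing or empty", usernameClaim)
	}
	// Prefixing: an explicit prefix wins, "-" disables prefixing, otherwise
	// every claim except "email" is prefixed with the issuer URL. The "#"
	// separator between issuer and name is this example's assumption.
	switch {
	case c.UsernamePrefix == "-":
	case c.UsernamePrefix != "":
		name = c.UsernamePrefix + name
	case usernameClaim != "email":
		name = c.IssuerURL + "#" + name
	}
	var groups []string
	if c.GroupsClaim != "" {
		for _, g := range stringOrSlice(claims[c.GroupsClaim]) {
			groups = append(groups, c.GroupsPrefix+g)
		}
	}
	return name, groups, nil
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// stringOrSlice accepts a claim encoded as a string or an array of strings.
func stringOrSlice(v interface{}) []string {
	switch x := v.(type) {
	case string:
		return []string{x}
	case []interface{}:
		var out []string
		for _, e := range x {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

func main() {
	// Constructed sample: a decoded ID token payload and a matching config.
	cfg := OIDCConfig{IssuerURL: "https://issuer.example", ClientID: "kubernetes", GroupsClaim: "groups", GroupsPrefix: "oidc:", SigningAlgs: []string{"RS256"}}
	claims := map[string]interface{}{"iss": "https://issuer.example", "aud": "kubernetes", "sub": "u-123", "groups": []interface{}{"dev", "ops"}}
	fmt.Println(MapClaims(cfg, "RS256", claims))
}
```

       Run with go run: the sample maps to the username
       "https://issuer.example#u-123" and the groups [oidc:dev oidc:ops].
       Passing an alg outside --oidc-signing-algs, an issuer URL with the
       http scheme, or a token that lacks a required claim returns an error
       instead of an identity.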

       --one_output=false      If true, only write logs to their native
       severity level (vs also writing to each lower severity level)

       --permit-address-sharing=false      If true, SO_REUSEADDR will be used
       when binding the port. This allows binding to wildcard IPs like 0.0.0.0
       and specific IPs in parallel, and it avoids waiting for the kernel to
       release sockets in TIME_WAIT state. [default=false]

       --permit-port-sharing=false       If true, SO_REUSEPORT will be used
       when binding the port, which allows more than one instance to bind on
       the same address and port. [default=false]

       --profiling=true       Enable profiling via web interface
       host:port/debug/pprof/

       --proxy-client-cert-file=""      Client certificate used to prove the
       identity of the aggregator or kube-apiserver when it must call out
       during a request. This includes proxying requests to a user api-server
       and calling out to webhook admission plugins. It is expected that this
       cert includes a signature from the CA in the
       --requestheader-client-ca-file flag. That CA is published in the
       'extension-apiserver-authentication' configmap in the kube-system
       namespace. Components receiving calls from kube-aggregator should use
       that CA to perform their half of the mutual TLS verification.

       --proxy-client-key-file=""      Private key for the client certificate
       used to prove the identity of the aggregator or kube-apiserver when it
       must call out during a request. This includes proxying requests to a
       user api-server and calling out to webhook admission plugins.

       --request-timeout=1m0s      An optional field indicating the duration a
       handler must keep a request open before timing it out. This is the
       default request timeout for requests but may be overridden by flags
       such as --min-request-timeout for specific types of requests.

       --requestheader-allowed-names=[]      List of client certificate common
       names to allow to provide usernames in headers specified by
       --requestheader-username-headers. If empty, any client certificate
       validated by the authorities in --requestheader-client-ca-file is
       allowed.

       --requestheader-client-ca-file=""       Root certificate bundle to use
       to verify client certificates on incoming requests before trusting
       usernames in headers specified by --requestheader-username-headers.
       WARNING: generally do not depend on authorization being already done
       for incoming requests.

       --requestheader-extra-headers-prefix=[]       List of request header
       prefixes to inspect. X-Remote-Extra- is suggested.

       --requestheader-group-headers=[]      List of request headers to
       inspect for groups. X-Remote-Group is suggested.

       --requestheader-username-headers=[]      List of request headers to
       inspect for usernames. X-Remote-User is common.
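
       Example (added here; not part of the man page or of the Kubernetes
       sources): the trust decision the --requestheader-* flags above
       describe, as a stand-alone Go program. Identity headers are honoured
       only on a connection whose client certificate verified against the
       --requestheader-client-ca-file bundle and whose common name is in
       --requestheader-allowed-names; on any other connection the same
       headers are ignored, which is what makes the WARNING above matter.
       The names RequestHeaderConfig, UserInfo and AuthenticateRequestHeader
       are this example's own, and whether the certificate chained to the
       CA is passed in as a boolean rather than re-verified here.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// RequestHeaderConfig mirrors the --requestheader-* flags; names are this
// example's own.
type RequestHeaderConfig struct {
	AllowedNames       []string // --requestheader-allowed-names; empty = any CA-verified cert
	UsernameHeaders    []string // --requestheader-username-headers
	GroupHeaders       []string // --requestheader-group-headers
	ExtraHeadersPrefix []string // --requestheader-extra-headers-prefix
}

// UserInfo is the identity asserted by a trusted front proxy.
type UserInfo struct {
	Name   string
	Groups []string
	Extra  map[string][]string
}

// AuthenticateRequestHeader trusts identity headers only when the connection
// presented a client certificate that verified against the
// --requestheader-client-ca-file bundle (caVerified, decided by the TLS
// layer) and whose common name is in the allow-list. It returns ok=false and
// no error when the request carries no proxy identity, so other
// authenticators can run; headers on unverified connections are ignored.
func AuthenticateRequestHeader(c RequestHeaderConfig, caVerified bool, clientCN string, h http.Header) (*UserInfo, bool, error) {
	if !caVerified {
		return nil, false, nil
	}
	if len(c.AllowedNames) > 0 && !contains(c.AllowedNames, clientCN) {
		return nil, false, fmt.Errorf("client certificate CN %q is not in --requestheader-allowed-names", clientCN)
	}
	name := ""
	for _, hdr := range c.UsernameHeaders {
		if name = h.Get(hdr); name != "" {
			break
		}
	}
	if name == "" {
		return nil, false, nil
	}
	u := &UserInfo{Name: name, Extra: map[string][]string{}}
	for _, hdr := range c.GroupHeaders {
		u.Groups = append(u.Groups, h.Values(hdr)...)
	}
	// Every header whose name starts with a configured prefix becomes an
	// extra key (the rest of the header name, lower-cased).
	for _, prefix := range c.ExtraHeadersPrefix {
		for key, vals := range h {
			if strings.HasPrefix(strings.ToLower(key), strings.ToLower(prefix)) {
				k := strings.ToLower(key[len(prefix):])
				u.Extra[k] = append(u.Extra[k], vals...)
			}
		}
	}
	return u, true, nil
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

func main() {
	cfg := RequestHeaderConfig{
		AllowedNames:       []string{"front-proxy-client"},
		UsernameHeaders:    []string{"X-Remote-User"},
		GroupHeaders:       []string{"X-Remote-Group"},
		ExtraHeadersPrefix: []string{"X-Remote-Extra-"},
	}
	// Constructed sample headers as an aggregator would set them.
	h := http.Header{}
	h.Set("X-Remote-User", "alice")
	h.Add("X-Remote-Group", "dev")
	h.Set("X-Remote-Extra-Scopes", "read")
	u, ok, err := AuthenticateRequestHeader(cfg, true, "front-proxy-client", h)
	fmt.Println(u, ok, err)
	// The same headers on a connection without a verified proxy certificate
	// are ignored rather than trusted.
	u, ok, err = AuthenticateRequestHeader(cfg, false, "", h)
	fmt.Println(u, ok, err)
}
```

       The second call in main shows the point of the CA flag: identical
       X-Remote-* headers arriving without the proxy's client certificate
       produce no identity at all, and a certificate from the right CA but
       with a common name outside --requestheader-allowed-names is rejected
       with an error.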

       --runtime-config=      A set of key=value pairs that enable or disable
       built-in APIs. Supported options are:
              v1=true|false                  for the core API group
              <group>/<version>=true|false   for a specific API group and
                                             version (e.g. apps/v1=true)
              api/all=true|false             controls all API versions
              api/ga=true|false              controls all API versions of the
                                             form v[0-9]+
              api/beta=true|false            controls all API versions of the
                                             form v[0-9]+beta[0-9]+
              api/alpha=true|false           controls all API versions of the
                                             form v[0-9]+alpha[0-9]+
              api/legacy                     deprecated, and will be removed
                                             in a future version

       --secure-port=6443      The port on which to serve HTTPS with
       authentication and authorization. It cannot be switched off with 0.

       --service-account-api-audiences=[]       Identifiers of the API. The
       service account token authenticator will validate that tokens used
       against the API are bound to at least one of these audiences.

       --service-account-extend-token-expiration=true       Turns on projected
       service account expiration extension during token generation, which
       helps safe transition from legacy token to bound service account token
       feature. If this flag is enabled, admission injected tokens would be
       extended up to 1 year to prevent unexpected failure during transition,
       ignoring value of service-account-max-token-expiration.

       --service-account-issuer=[]      Identifier of the service account
       token issuer. The issuer will assert this identifier in "iss" claim of
       issued tokens. This value is a string or URI. If this option is not a
       valid URI per the OpenID Discovery 1.0 spec, the
       ServiceAccountIssuerDiscovery feature will remain disabled, even if the
       feature gate is set to true. It is highly recommended that this value
       comply with the OpenID spec:
       https://openid.net/specs/openid-connect-discovery-1_0.html. In
       practice, this means that service-account-issuer must be an https URL.
       It is also highly recommended that this URL be capable of serving
       OpenID discovery documents at
       {service-account-issuer}/.well-known/openid-configuration. When this
       flag is specified multiple times, the first is used to generate tokens
       and all are used to determine which issuers are accepted.

       --service-account-jwks-uri=""      Overrides the URI for the JSON Web
       Key Set in the discovery doc served at
       /.well-known/openid-configuration. This flag is useful if the discovery
       doc and key set are served to relying parties from a URL other than
       the API server's external hostname (as auto-detected or overridden
       with external-hostname).

       --service-account-key-file=[]      File containing PEM-encoded x509 RSA
       or ECDSA private or public keys, used to verify ServiceAccount tokens.
       The specified file can contain multiple keys, and the flag can be
       specified multiple times with different files. If unspecified,
       --tls-private-key-file is used. Must be specified when
       --service-account-signing-key-file is provided

       --service-account-lookup=true      If true, validate ServiceAccount
       tokens exist in etcd as part of authentication.

       --service-account-max-token-expiration=0s      The maximum validity
       duration of a token created by the service account token issuer. If an
       otherwise valid TokenRequest with a validity duration larger than this
       value is requested, a token will be issued with a validity duration of
       this value.

       --service-account-signing-key-file=""      Path to the file that
       contains the current private key of the service account token issuer.
       The issuer will sign issued ID tokens with this private key.

       --service-cluster-ip-range=""      A CIDR notation IP range from which
       to assign service cluster IPs. This must not overlap with any IP ranges
       assigned to nodes or pods. Max of two dual-stack CIDRs is allowed.

       --service-node-port-range=30000-32767      A port range to reserve for
       services with NodePort visibility. Example: '30000-32767'. Inclusive at
       both ends of the range.

       --show-hidden-metrics-for-version=""       The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.

       --shutdown-delay-duration=0s      Time to delay the termination. During
       that time the server keeps serving requests normally. The endpoints
       /healthz and /livez will return success, but /readyz immediately
       returns failure. Graceful termination starts after this delay has
       elapsed. This can be used to allow the load balancer to stop sending
       traffic to this server.

       --shutdown-send-retry-after=false       If true, the HTTP server will
       continue listening until all non-long-running requests in flight have
       been drained. During this window all incoming requests will be
       rejected with a status code 429 and a 'Retry-After' response header;
       in addition, a 'Connection: close' response header is set in order to
       tear down the TCP connection when idle.

       --skip_headers=false      If true, avoid header prefixes in the log
       messages

       --skip_log_headers=false       If true, avoid headers when opening log
       files

       --stderrthreshold=2      logs at or above this threshold go to stderr

       --storage-backend=""      The storage backend for persistence. Options:
       'etcd3' (default).

       --storage-media-type="application/vnd.kubernetes.protobuf"      The
       media type to use to store objects in storage. Some resources or
       storage backends may only support a specific media type and will
       ignore this setting.

       --strict-transport-security-directives=[]      List of directives for
       HSTS, comma separated. If this list is empty, then HSTS directives will
       not be added. Example: 'max-age=31536000,includeSubDomains,preload'

       --tls-cert-file=""      File containing the default x509 Certificate
       for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
       serving is enabled, and --tls-cert-file and --tls-private-key-file are
       not provided, a self-signed certificate and key are generated for the
       public address and saved to the directory specified by --cert-dir.

       --tls-cipher-suites=[]      Comma-separated list of cipher suites for
       the server. If omitted, the default Go cipher suites will be used.
       Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
       TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
       Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
       TLS_RSA_WITH_RC4_128_SHA.

       --tls-min-version=""       Minimum TLS version supported. Possible
       values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
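
       Example (added here; not part of the man page or of the Kubernetes
       sources): a small Go program that audits a --tls-cipher-suites value
       and a --tls-min-version value before they are put on a command line.
       It classifies each suite name as accepted, insecure or unknown using
       Go's own crypto/tls tables (tls.CipherSuites and
       tls.InsecureCipherSuites), since kube-apiserver is built on that
       stack. The names CipherAudit, AuditCipherSuites and MinVersionID are
       this example's own; treating the CHACHA20_POLY1305 names without the
       _SHA256 suffix as aliases of the suffixed ones is an assumption based
       on both spellings appearing in the flag text above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CipherAudit is the result of checking a --tls-cipher-suites value against
// what Go's crypto/tls (the TLS stack kube-apiserver is built on) reports.
type CipherAudit struct {
	Accepted []string // known to crypto/tls and not marked insecure
	Insecure []string // known but returned by tls.InsecureCipherSuites
	Unknown  []string // names crypto/tls does not know at all
}

// suiteTable indexes every suite Go knows by name, secure or not.
func suiteTable() map[string]*tls.CipherSuite {
	m := map[string]*tls.CipherSuite{}
	for _, s := range tls.CipherSuites() {
		m[s.Name] = s
	}
	for _, s := range tls.InsecureCipherSuites() {
		m[s.Name] = s
	}
	return m
}

// AuditCipherSuites parses the comma-separated flag value and classifies each
// entry. Unknown names are reported rather than dropped, so a typo in the
// flag is caught before the server is started with it.
func AuditCipherSuites(flagValue string) CipherAudit {
	table := suiteTable()
	var a CipherAudit
	for _, raw := range strings.Split(flagValue, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		s, ok := table[name]
		if !ok && strings.HasSuffix(name, "_CHACHA20_POLY1305") {
			// The flag text lists the CHACHA20_POLY1305 suites both with and
			// without the _SHA256 suffix; crypto/tls reports only the suffixed
			// name, so the short form is treated as an alias of it (assumption).
			s, ok = table[name+"_SHA256"]
		}
		switch {
		case !ok:
			a.Unknown = append(a.Unknown, name)
		case s.Insecure:
			a.Insecure = append(a.Insecure, name)
		default:
			a.Accepted = append(a.Accepted, name)
		}
	}
	return a
}

// MinVersionID maps a --tls-min-version spelling to its crypto/tls constant.
func MinVersionID(name string) (uint16, error) {
	switch name {
	case "VersionTLS10":
		return tls.VersionTLS10, nil
	case "VersionTLS11":
		return tls.VersionTLS11, nil
	case "VersionTLS12":
		return tls.VersionTLS12, nil
	case "VersionTLS13":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unknown --tls-min-version %q", name)
}

func main() {
	// Constructed flag value mixing a modern suite, an RC4 suite and a typo.
	a := AuditCipherSuites("TLS_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_TYPO")
	fmt.Printf("accepted=%v insecure=%v unknown=%v\n", a.Accepted, a.Insecure, a.Unknown)
	if v, err := MinVersionID("VersionTLS12"); err == nil {
		fmt.Printf("min version id: 0x%04x\n", v)
	}
}
```

       The set crypto/tls marks insecure depends on the Go release (the
       3DES suites, for instance, were moved there later than the RC4 and
       CBC-SHA256 ones), so an audit run on a different Go version may
       classify a few names differently from the "Insecure values" list
       above; the list in the flag text is the one that applies to the
       server binary as shipped.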

       --tls-private-key-file=""      File containing the default x509 private
       key matching --tls-cert-file.

       --tls-sni-cert-key=[]       A pair of x509 certificate and private key
       file paths, optionally suffixed with a list of domain patterns which
       are fully qualified domain names, possibly with prefixed wildcard
       segments. The domain patterns also allow IP addresses, but IPs should
       only be used if the apiserver has visibility to the IP address
       requested by a client. If no domain patterns are provided, the names of
       the certificate are extracted. Non-wildcard matches trump over wildcard
       matches, explicit domain patterns trump over extracted names. For
       multiple key/certificate pairs, use the --tls-sni-cert-key multiple
       times. Examples: "example.crt,example.key" or
       "foo.crt,foo.key:*.foo.com,foo.com".
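
       Example (added here; not part of the man page or of the Kubernetes
       sources): a Go program that parses --tls-sni-cert-key values in the
       "cert,key[:pattern,...]" syntax above and then selects a certificate
       for a requested SNI host with the stated precedence, a non-wildcard
       match over a wildcard match and an explicit pattern over a name
       extracted from the certificate. The names SNICertKey, ParseSNICertKey,
       NamedCert, matchName and SelectCert are this example's own; the
       extracted certificate names are supplied by the caller (the program
       does not parse x509), and a wildcard segment is taken to match
       exactly one DNS label.

```go
package main

import (
	"fmt"
	"strings"
)

// SNICertKey is one parsed --tls-sni-cert-key value; names are this
// example's own.
type SNICertKey struct {
	CertFile string
	KeyFile  string
	Patterns []string // explicit domain patterns after the ':', if any
}

// ParseSNICertKey parses "cert,key" or "cert,key:pattern1,pattern2".
func ParseSNICertKey(v string) (SNICertKey, error) {
	parts := strings.SplitN(v, ":", 2)
	files := strings.Split(parts[0], ",")
	if len(files) != 2 || files[0] == "" || files[1] == "" {
		return SNICertKey{}, fmt.Errorf("%q: expected certfile,keyfile[:pattern,...]", v)
	}
	e := SNICertKey{CertFile: files[0], KeyFile: files[1]}
	if len(parts) == 2 {
		for _, p := range strings.Split(parts[1], ",") {
			if p = strings.TrimSpace(p); p != "" {
				e.Patterns = append(e.Patterns, p)
			}
		}
	}
	return e, nil
}

// NamedCert is an entry together with the names it serves: the explicit
// patterns when given, otherwise names extracted from the certificate. The
// caller supplies the extracted names; this example does not parse x509.
type NamedCert struct {
	Entry    SNICertKey
	Names    []string
	Explicit bool
}

// matchName reports whether pattern matches host. A leading "*." wildcard
// segment matches exactly one DNS label (an assumption of this example).
func matchName(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	i := strings.Index(host, ".")
	return i > 0 && host[i+1:] == pattern[2:]
}

// SelectCert picks the certificate for a requested SNI host with the
// precedence from the flag description: a non-wildcard match beats a
// wildcard match, and an explicit pattern beats an extracted name. Ties keep
// the earlier entry, so the order of the flags matters for duplicates.
func SelectCert(certs []NamedCert, host string) (SNICertKey, bool) {
	best, bestScore := SNICertKey{}, -1
	for _, c := range certs {
		for _, n := range c.Names {
			if !matchName(n, host) {
				continue
			}
			score := 0
			if !strings.HasPrefix(n, "*.") {
				score += 2 // exact beats wildcard
			}
			if c.Explicit {
				score++ // explicit beats extracted
			}
			if score > bestScore {
				best, bestScore = c.Entry, score
			}
		}
	}
	return best, bestScore >= 0
}

func main() {
	wild, _ := ParseSNICertKey("foo.crt,foo.key:*.foo.com,foo.com")
	api := SNICertKey{CertFile: "api.crt", KeyFile: "api.key"}
	certs := []NamedCert{
		{Entry: wild, Names: wild.Patterns, Explicit: true},
		{Entry: api, Names: []string{"api.foo.com"}, Explicit: false}, // constructed extracted name
	}
	for _, host := range []string{"api.foo.com", "www.foo.com", "a.b.foo.com"} {
		c, ok := SelectCert(certs, host)
		fmt.Println(host, "->", c.CertFile, ok)
	}
}
```

       In main, api.foo.com goes to api.crt even though *.foo.com was given
       explicitly, because an exact name beats a wildcard; www.foo.com falls
       through to the wildcard entry, and a.b.foo.com matches nothing because
       the wildcard covers a single label.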

       --token-auth-file=""      If set, the file that will be used to secure
       the secure port of the API server via token authentication.

       --tracing-config-file=""       File with apiserver tracing
       configuration.

       -v, --v=0      number for the log level verbosity

       --version=false      Print version information and quit

       --vmodule=      comma-separated list of pattern=N settings for
       file-filtered logging (only works for text log format)

       --watch-cache=true      Enable watch caching in the apiserver

       --watch-cache-sizes=[]       Watch cache size settings for some
       resources (pods, nodes, etc.), comma separated. The individual setting
       format: resource[.group]#size, where resource is lowercase plural (no
       version), group is omitted for resources of apiVersion v1 (the legacy
       core API) and included for others, and size is a number. It takes
       effect when watch-cache is enabled. Some resources
       (replicationcontrollers, endpoints, nodes, pods, services,
       apiservices.apiregistration.k8s.io) have system defaults set by
       heuristics, others default to default-watch-cache-size

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!