KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-controller-manager -

SYNOPSIS

       kube-controller-manager [OPTIONS]

DESCRIPTION

       The Kubernetes controller manager is a daemon that embeds the core
       control loops shipped with Kubernetes. In applications of robotics and
       automation, a control loop is a non-terminating loop that regulates the
       state of the system. In Kubernetes, a controller is a control loop that
       watches the shared state of the cluster through the apiserver and makes
       changes attempting to move the current state towards the desired state.
       Examples of controllers that ship with Kubernetes today are the
       replication controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

OPTIONS

       --add_dir_header=false      If true, adds the file directory to the
       header of the log messages

       --allocate-node-cidrs=false      Should CIDRs for Pods be allocated and
       set on the cloud provider.

       --allow-metric-labels=[]      The map from metric-label to value
       allow-list of this label. The key's format is ,. The value's format is
       ,...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3'
       metric2,label1='v1,v2,v3'.

       --allow-untagged-cloud=false      Allow the cluster to run without the
       cluster-id on cloud instances. This is a legacy mode of operation and a
       cluster-id will be required in the future.

       --alsologtostderr=false      log to standard error as well as files

       --attach-detach-reconcile-sync-period=1m0s      The reconciler sync wait
       time between volume attach detach. This duration must be larger than one
       second, and increasing this value from the default may allow for volumes
       to be mismatched with pods.

       --authentication-kubeconfig=""      kubeconfig file pointing at the
       'core' kubernetes server with enough rights to create
       tokenreviews.authentication.k8s.io. This is optional. If empty, all
       token requests are considered to be anonymous and no client CA is looked
       up in the cluster.

       --authentication-skip-lookup=false      If false, the
       authentication-kubeconfig will be used to lookup missing authentication
       configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s      The duration to cache
       responses from the webhook token authenticator.

       --authentication-tolerate-lookup-failure=false      If true, failures to
       look up missing authentication configuration from the cluster are not
       considered fatal. Note that this can result in authentication that
       treats all requests as anonymous.

       --authorization-always-allow-paths=[/healthz,/readyz,/livez]      A list
       of HTTP paths to skip during authorization, i.e. these are authorized
       without contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""      kubeconfig file pointing at the
       'core' kubernetes server with enough rights to create
       subjectaccessreviews.authorization.k8s.io. This is optional. If empty,
       all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s      The duration to
       cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s      The duration to
       cache 'unauthorized' responses from the webhook authorizer.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address on which to listen for the
       --secure-port port. The associated interface(s) must be reachable by the
       rest of the cluster, and by CLI/web clients. If blank or an unspecified
       address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""      The directory where the TLS certs are located. If
       --tls-cert-file and --tls-private-key-file are provided, this flag will
       be ignored.

       --cidr-allocator-type="RangeAllocator"      Type of CIDR allocator to
       use

       --client-ca-file=""      If set, any request presenting a client
       certificate signed by one of the authorities in the client-ca-file is
       authenticated with an identity corresponding to the CommonName of the
       client certificate.

       --cloud-config=""      The path to the cloud provider configuration
       file. Empty string for no configuration file.

       --cloud-provider=""      The provider for cloud services. Empty string
       for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L4 LB traffic proxy & health
       checks

       --cluster-cidr=""      CIDR Range for Pods in cluster. Requires
       --allocate-node-cidrs to be true

       --cluster-name="kubernetes"      The instance prefix for the cluster.

       --cluster-signing-cert-file=""      Filename containing a PEM-encoded
       X509 CA certificate used to issue cluster-scoped certificates. If
       specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s      The max length of duration
       signed certificates will be given. Individual CSRs may request shorter
       certs by setting spec.expirationSeconds.

       --cluster-signing-key-file=""      Filename containing a PEM-encoded RSA
       or ECDSA private key used to sign cluster-scoped certificates. If
       specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""      Filename
       containing a PEM-encoded X509 CA certificate used to issue certificates
       for the kubernetes.io/kube-apiserver-client signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kube-apiserver-client-key-file=""      Filename
       containing a PEM-encoded RSA or ECDSA private key used to sign
       certificates for the kubernetes.io/kube-apiserver-client signer. If
       specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-cert-file=""      Filename containing a
       PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/kubelet-serving signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/kubelet-serving signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-cert-file=""      Filename containing a
       PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/legacy-unknown signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/legacy-unknown signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --concurrent-deployment-syncs=5      The number of deployment objects
       that are allowed to sync concurrently. Larger number = more responsive
       deployments, but more CPU (and network) load

       --concurrent-endpoint-syncs=5      The number of endpoint syncing
       operations that will be done concurrently. Larger number = faster
       endpoint updating, but more CPU (and network) load

       --concurrent-ephemeralvolume-syncs=5      The number of ephemeral volume
       syncing operations that will be done concurrently. Larger number =
       faster ephemeral volume updating, but more CPU (and network) load

       --concurrent-gc-syncs=20      The number of garbage collector workers
       that are allowed to sync concurrently.

       --concurrent-namespace-syncs=10      The number of namespace objects
       that are allowed to sync concurrently. Larger number = more responsive
       namespace termination, but more CPU (and network) load

       --concurrent-replicaset-syncs=5      The number of replica sets that are
       allowed to sync concurrently. Larger number = more responsive replica
       management, but more CPU (and network) load

       --concurrent-resource-quota-syncs=5      The number of resource quotas
       that are allowed to sync concurrently. Larger number = more responsive
       quota management, but more CPU (and network) load

       --concurrent-service-endpoint-syncs=5      The number of service
       endpoint syncing operations that will be done concurrently. Larger
       number = faster endpoint slice updating, but more CPU (and network)
       load. Defaults to 5.

       --concurrent-service-syncs=1      The number of services that are
       allowed to sync concurrently. Larger number = more responsive service
       management, but more CPU (and network) load

       --concurrent-serviceaccount-token-syncs=5      The number of service
       account token objects that are allowed to sync concurrently. Larger
       number = more responsive token generation, but more CPU (and network)
       load

       --concurrent-statefulset-syncs=5      The number of statefulset objects
       that are allowed to sync concurrently. Larger number = more responsive
       statefulsets, but more CPU (and network) load

       --concurrent-ttl-after-finished-syncs=5      The number of
       TTL-after-finished controller workers that are allowed to sync
       concurrently.

       --concurrent_rc_syncs=5      The number of replication controllers that
       are allowed to sync concurrently. Larger number = more responsive
       replica management, but more CPU (and network) load

       --configure-cloud-routes=true      Should CIDRs allocated by
       allocate-node-cidrs be configured on the cloud provider.

       --contention-profiling=false      Enable lock contention profiling, if
       profiling is enabled

       --controller-start-interval=0s      Interval between starting
       controller managers.

       --controllers=[]      A list of controllers to enable. '' enables all
       on-by-default controllers, 'foo' enables the controller named 'foo',
       '-foo' disables the controller named 'foo'.
       All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle,
       clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning,
       daemonset, deployment, disruption, endpoint, endpointslice,
       endpointslicemirroring, ephemeral-volume, garbagecollector,
       horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle,
       persistentvolume-binder, persistentvolume-expander, podgc,
       pv-protection, pvc-protection, replicaset, replicationcontroller,
       resourcequota, root-ca-cert-publisher, route, service, serviceaccount,
       serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
       Disabled-by-default controllers: bootstrapsigner, tokencleaner

       --deleting-pods-burst=0      Number of nodes on which pods are bursty
       deleted in case of node failure. For more details look into RateLimiter.

       --deleting-pods-qps=0.1      Number of nodes per second on which pods
       are deleted in case of node failure.

       --disable-attach-detach-reconcile-sync=false      Disable volume attach
       detach reconciler sync. Disabling this may cause volumes to be
       mismatched with pods. Use wisely.

       --disabled-metrics=[]      This flag provides an escape hatch for
       misbehaving metrics. You must provide the fully qualified metric name in
       order to disable it. Disclaimer: disabling metrics is higher in
       precedence than showing hidden metrics.

       --enable-dynamic-provisioning=true      Enable dynamic provisioning for
       environments that support it.

       --enable-garbage-collector=true      Enables the generic garbage
       collector. MUST be synced with the corresponding flag of the
       kube-apiserver.

       --enable-hostpath-provisioner=false      Enable HostPath PV provisioning
       when running without a cloud provider. This allows testing and
       development of provisioning features. HostPath provisioning is not
       supported in any way, won't work in a multi-node cluster, and should not
       be used for anything other than testing or development.

       --enable-leader-migration=false      Whether to enable controller leader
       migration.

       --enable-taint-manager=true      WARNING: Beta feature. If set to true,
       enables NoExecute Taints and will evict all non-tolerating Pods running
       on Nodes tainted with this kind of Taint.

       --endpoint-updates-batch-period=0s      The length of endpoint updates
       batching period. Processing of pod changes will be delayed by this
       duration to join them with potential upcoming updates and reduce the
       overall number of endpoints updates. Larger number = higher endpoint
       programming latency, but lower number of endpoints revision generated

       --endpointslice-updates-batch-period=0s      The length of endpoint
       slice updates batching period. Processing of pod changes will be delayed
       by this duration to join them with potential upcoming updates and reduce
       the overall number of endpoints updates. Larger number = higher endpoint
       programming latency, but lower number of endpoints revision generated

       --experimental-cluster-signing-duration=8760h0m0s      The max length of
       duration signed certificates will be given. Individual CSRs may request
       shorter certs by setting spec.expirationSeconds.

       --external-cloud-volume-plugin=""      The plugin to use when cloud
       provider is set to external. Can be empty, should only be set when
       cloud-provider is external. Currently used to allow node and volume
       controllers to work for in tree cloud providers.

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
       APIListChunking=true|false (BETA - default=true)
       APIPriorityAndFairness=true|false (BETA - default=true)
       APIResponseCompression=true|false (BETA - default=true)
       APIServerIdentity=true|false (ALPHA - default=false)
       APIServerTracing=true|false (ALPHA - default=false)
       AllAlpha=true|false (ALPHA - default=false)
       AllBeta=true|false (BETA - default=false)
       AnyVolumeDataSource=true|false (BETA - default=true)
       AppArmor=true|false (BETA - default=true)
       CPUManager=true|false (BETA - default=true)
       CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
       CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
       CPUManagerPolicyOptions=true|false (BETA - default=true)
       CSIInlineVolume=true|false (BETA - default=true)
       CSIMigration=true|false (BETA - default=true)
       CSIMigrationAWS=true|false (BETA - default=true)
       CSIMigrationAzureFile=true|false (BETA - default=true)
       CSIMigrationGCE=true|false (BETA - default=true)
       CSIMigrationPortworx=true|false (ALPHA - default=false)
       CSIMigrationRBD=true|false (ALPHA - default=false)
       CSIMigrationvSphere=true|false (BETA - default=false)
       CSIVolumeHealth=true|false (ALPHA - default=false)
       ContextualLogging=true|false (ALPHA - default=false)
       CronJobTimeZone=true|false (ALPHA - default=false)
       CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
       CustomResourceValidationExpressions=true|false (ALPHA - default=false)
       DaemonSetUpdateSurge=true|false (BETA - default=true)
       DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
       DevicePlugins=true|false (BETA - default=true)
       DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
       DisableCloudProviders=true|false (ALPHA - default=false)
       DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
       DownwardAPIHugePages=true|false (BETA - default=true)
       EndpointSliceTerminatingCondition=true|false (BETA - default=true)
       EphemeralContainers=true|false (BETA - default=true)
       ExpandedDNSConfig=true|false (ALPHA - default=false)
       ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
       GRPCContainerProbe=true|false (BETA - default=true)
       GracefulNodeShutdown=true|false (BETA - default=true)
       GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
       HPAContainerMetrics=true|false (ALPHA - default=false)
       HPAScaleToZero=true|false (ALPHA - default=false)
       HonorPVReclaimPolicy=true|false (ALPHA - default=false)
       IdentifyPodOS=true|false (BETA - default=true)
       InTreePluginAWSUnregister=true|false (ALPHA - default=false)
       InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
       InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
       InTreePluginGCEUnregister=true|false (ALPHA - default=false)
       InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
       InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
       InTreePluginRBDUnregister=true|false (ALPHA - default=false)
       InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
       JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
       JobReadyPods=true|false (BETA - default=true)
       JobTrackingWithFinalizers=true|false (BETA - default=false)
       KubeletCredentialProviders=true|false (BETA - default=true)
       KubeletInUserNamespace=true|false (ALPHA - default=false)
       KubeletPodResources=true|false (BETA - default=true)
       KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
       LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
       LocalStorageCapacityIsolation=true|false (BETA - default=true)
       LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
       LogarithmicScaleDown=true|false (BETA - default=true)
       MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
       MemoryManager=true|false (BETA - default=true)
       MemoryQoS=true|false (ALPHA - default=false)
       MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)
       MixedProtocolLBService=true|false (BETA - default=true)
       NetworkPolicyEndPort=true|false (BETA - default=true)
       NetworkPolicyStatus=true|false (ALPHA - default=false)
       NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
       NodeSwap=true|false (ALPHA - default=false)
       OpenAPIEnums=true|false (BETA - default=true)
       OpenAPIV3=true|false (BETA - default=true)
       PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
       PodDeletionCost=true|false (BETA - default=true)
       PodSecurity=true|false (BETA - default=true)
       ProbeTerminationGracePeriod=true|false (BETA - default=false)
       ProcMountType=true|false (ALPHA - default=false)
       ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
       QOSReserved=true|false (ALPHA - default=false)
       ReadWriteOncePod=true|false (ALPHA - default=false)
       RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
       RemainingItemCount=true|false (BETA - default=true)
       RotateKubeletServerCertificate=true|false (BETA - default=true)
       SeccompDefault=true|false (ALPHA - default=false)
       ServerSideFieldValidation=true|false (ALPHA - default=false)
       ServiceIPStaticSubrange=true|false (ALPHA - default=false)
       ServiceInternalTrafficPolicy=true|false (BETA - default=true)
       SizeMemoryBackedVolumes=true|false (BETA - default=true)
       StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
       StatefulSetMinReadySeconds=true|false (BETA - default=true)
       StorageVersionAPI=true|false (ALPHA - default=false)
       StorageVersionHash=true|false (BETA - default=true)
       TopologyAwareHints=true|false (BETA - default=true)
       TopologyManager=true|false (BETA - default=true)
       VolumeCapacityPriority=true|false (ALPHA - default=false)
       WinDSR=true|false (ALPHA - default=false)
       WinOverlay=true|false (BETA - default=true)
       WindowsHostProcessContainers=true|false (BETA - default=true)

       --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
            Full path of the directory in which the flex volume plugin should
       search for additional third party volume plugins.

       -h, --help=false      help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period=5m0s      The
       period after pod start when CPU samples might be skipped.

       --horizontal-pod-autoscaler-downscale-delay=5m0s      The period since
       last downscale, before another downscale can be performed in horizontal
       pod autoscaler.

       --horizontal-pod-autoscaler-downscale-stabilization=5m0s      The period
       for which autoscaler will look backwards and not scale down below any
       recommendation it made during that period.

       --horizontal-pod-autoscaler-initial-readiness-delay=30s      The period
       after pod start during which readiness changes will be treated as
       initial readiness.

       --horizontal-pod-autoscaler-sync-period=15s      The period for syncing
       the number of pods in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-tolerance=0.1      The minimum change (from
       1.0) in the desired-to-actual metrics ratio for the horizontal pod
       autoscaler to consider scaling.

       --horizontal-pod-autoscaler-upscale-delay=3m0s      The period since
       last upscale, before another upscale can be performed in horizontal pod
       autoscaler.

       --http2-max-streams-per-connection=0      The limit that the server
       gives to clients for the maximum number of streams in an HTTP/2
       connection. Zero means to use golang's default.

       --kube-api-burst=30      Burst to use while talking with kubernetes
       apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
            Content type of requests sent to apiserver.

       --kube-api-qps=20      QPS to use while talking with kubernetes
       apiserver.

       --kubeconfig=""      Path to kubeconfig file with authorization and
       master location information.

       --large-cluster-size-threshold=50      Number of nodes from which
       NodeController treats the cluster as large for the eviction logic
       purposes. --secondary-node-eviction-rate is implicitly overridden to 0
       for clusters this size or smaller.

       --leader-elect=true      Start a leader election client and gain
       leadership before executing the main loop. Enable this when running
       replicated components for high availability.

       --leader-elect-lease-duration=15s      The duration that non-leader
       candidates will wait after observing a leadership renewal until
       attempting to acquire leadership of a led but unrenewed leader slot.
       This is effectively the maximum duration that a leader can be stopped
       before it is replaced by another candidate. This is only applicable if
       leader election is enabled.

       --leader-elect-renew-deadline=10s      The interval between attempts by
       the acting master to renew a leadership slot before it stops leading.
       This must be less than or equal to the lease duration. This is only
       applicable if leader election is enabled.

       --leader-elect-resource-lock="leases"      The type of resource object
       that is used for locking during leader election. Supported options are
       'leases', 'endpointsleases' and 'configmapsleases'.

       --leader-elect-resource-name="kube-controller-manager"      The name of
       resource object that is used for locking during leader election.

       --leader-elect-resource-namespace="kube-system"      The namespace of
       resource object that is used for locking during leader election.

       --leader-elect-retry-period=2s      The duration the clients should wait
       between attempting acquisition and renewal of a leadership. This is only
       applicable if leader election is enabled.

       --leader-migration-config=""      Path to the config file for controller
       leader migration, or empty to use the value that reflects default
       configuration of the controller manager. The config file should be of
       type LeaderMigrationConfiguration, group
       controllermanager.config.k8s.io, version v1alpha1.

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --log_backtrace_at=:0      when logging hits line file:N, emit a stack
       trace

       --log_dir=""      If non-empty, write log files in this directory

       --log_file=""      If non-empty, use this log file

       --log_file_max_size=1800      Defines the maximum size a log file can
       grow to. Unit is megabytes. If the value is 0, the maximum file size is
       unlimited.

       --logging-format="text"      Sets the log format. Permitted formats:
       "text". Non-default formats don't honor these flags: --add-dir-header,
       --alsologtostderr, --log-backtrace-at, --log-dir, --log-file,
       --log-file-max-size, --logtostderr, --one-output, --skip-headers,
       --skip-log-headers, --stderrthreshold, --vmodule. Non-default choices
       are currently alpha and subject to change without warning.

       --logtostderr=true      log to standard error instead of files

       --master=""      The address of the Kubernetes API server (overrides any
       value in kubeconfig).

       --max-endpoints-per-slice=100      The maximum number of endpoints that
       will be added to an EndpointSlice. More endpoints per slice will result
       in fewer endpoint slices, but larger resources. Defaults to 100.

       --min-resync-period=12h0m0s      The resync period in reflectors will be
       random between MinResyncPeriod and 2*MinResyncPeriod.

       --mirroring-concurrent-service-endpoint-syncs=5      The number of
       service endpoint syncing operations that will be done concurrently by
       the EndpointSliceMirroring controller. Larger number = faster endpoint
       slice updating, but more CPU (and network) load. Defaults to 5.

       --mirroring-endpointslice-updates-batch-period=0s      The length of
       EndpointSlice updates batching period for EndpointSliceMirroring
       controller. Processing of EndpointSlice changes will be delayed by this
       duration to join them with potential upcoming updates and reduce the
       overall number of EndpointSlice updates. Larger number = higher endpoint
       programming latency, but lower number of endpoints revision generated

       --mirroring-max-endpoints-per-subset=1000      The maximum number of
       endpoints that will be added to an EndpointSlice by the
       EndpointSliceMirroring controller. More endpoints per slice will result
       in fewer endpoint slices, but larger resources. Defaults to 100.

       --namespace-sync-period=5m0s      The period for syncing namespace
       life-cycle updates

       --node-cidr-mask-size=0      Mask size for node cidr in cluster. Default
       is 24 for IPv4 and 64 for IPv6.

       --node-cidr-mask-size-ipv4=0      Mask size for IPv4 node cidr in
       dual-stack cluster. Default is 24.

       --node-cidr-mask-size-ipv6=0      Mask size for IPv6 node cidr in
       dual-stack cluster. Default is 64.

655       --node-eviction-rate=0.1      Number of nodes per second on which  pods
656       are  deleted  in case of node failure when a zone is healthy (see --un‐
657       healthy-zone-threshold  for  definition  of  healthy/unhealthy).   Zone
658       refers to entire cluster in non-multizone clusters.
659
660
661       --node-monitor-grace-period=40s      Amount of time which we allow run‐
662       ning Node to be unresponsive before marking it  unhealthy.  Must  be  N
663       times more than kubelet's nodeStatusUpdateFrequency, where N means num‐
664       ber of retries allowed for kubelet to post node status.
665
666
667       --node-monitor-period=5s      The  period  for  syncing  NodeStatus  in
668       NodeController.
669
670
671       --node-startup-grace-period=1m0s       Amount  of  time  which we allow
672       starting Node to be unresponsive before marking it unhealthy.
673
674
675       --node-sync-period=0s      This flag is deprecated and will be  removed
676       in future releases. See node-monitor-period for Node health checking or
677       route-reconciliation-period for cloud  provider's  route  configuration
678       settings.
679
680
       --one_output=false      If true, only write logs to their native
       severity level (vs also writing to each lower severity level)

       --permit-address-sharing=false      If true, SO_REUSEADDR will be used
       when binding the port. This allows binding to wildcard IPs like 0.0.0.0
       and specific IPs in parallel, and it avoids waiting for the kernel to
       release sockets in TIME_WAIT state. [default=false]

       --permit-port-sharing=false      If true, SO_REUSEPORT will be used
       when binding the port, which allows more than one instance to bind on
       the same address and port. [default=false]

       --pod-eviction-timeout=5m0s      The grace period for deleting pods on
       failed nodes.

       --profiling=true      Enable profiling via web interface
       host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs=30      the increment of time added
       per Gi to ActiveDeadlineSeconds for an NFS scrubber pod

       --pv-recycler-minimum-timeout-hostpath=60      The minimum
       ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for
       development and testing only and will not work in a multi-node cluster.

       --pv-recycler-minimum-timeout-nfs=300      The minimum
       ActiveDeadlineSeconds to use for an NFS Recycler pod

       --pv-recycler-pod-template-filepath-hostpath=""      The file path to a
       pod definition used as a template for HostPath persistent volume
       recycling. This is for development and testing only and will not work
       in a multi-node cluster.

       --pv-recycler-pod-template-filepath-nfs=""      The file path to a pod
       definition used as a template for NFS persistent volume recycling

       --pv-recycler-timeout-increment-hostpath=30      the increment of time
       added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This
       is for development and testing only and will not work in a multi-node
       cluster.

       --pvclaimbinder-sync-period=15s      The period for syncing persistent
       volumes and persistent volume claims

       --register-retry-count=10      The number of retries for initial node
       registration. Retry interval equals node-sync-period.

       --requestheader-allowed-names=[]      List of client certificate common
       names to allow to provide usernames in headers specified by
       --requestheader-username-headers. If empty, any client certificate
       validated by the authorities in --requestheader-client-ca-file is
       allowed.

       --requestheader-client-ca-file=""      Root certificate bundle to use
       to verify client certificates on incoming requests before trusting
       usernames in headers specified by --requestheader-username-headers.
       WARNING: generally do not depend on authorization being already done
       for incoming requests.

       --requestheader-extra-headers-prefix=[x-remote-extra-]      List of
       request header prefixes to inspect. X-Remote-Extra- is suggested.

       --requestheader-group-headers=[x-remote-group]      List of request
       headers to inspect for groups. X-Remote-Group is suggested.

       --requestheader-username-headers=[x-remote-user]      List of request
       headers to inspect for usernames. X-Remote-User is common.

       --resource-quota-sync-period=5m0s      The period for syncing quota
       usage status in the system

       --root-ca-file=""      If set, this root certificate authority will be
       included in service account's token secret. This must be a valid
       PEM-encoded CA bundle.

       --route-reconciliation-period=10s      The period for reconciling
       routes created for Nodes by cloud provider.

       --secondary-node-eviction-rate=0.01      Number of nodes per second on
       which pods are deleted in case of node failure when a zone is unhealthy
       (see --unhealthy-zone-threshold for definition of healthy/unhealthy).
       Zone refers to entire cluster in non-multizone clusters. This value is
       implicitly overridden to 0 if the cluster size is smaller than
       --large-cluster-size-threshold.

       --secure-port=10257      The port on which to serve HTTPS with
       authentication and authorization. If 0, don't serve HTTPS at all.

       --service-account-private-key-file=""      Filename containing a
       PEM-encoded private RSA or ECDSA key used to sign service account
       tokens.

       --service-cluster-ip-range=""      CIDR Range for Services in cluster.
       Requires --allocate-node-cidrs to be true

       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.

       --skip_headers=false      If true, avoid header prefixes in the log
       messages

       --skip_log_headers=false      If true, avoid headers when opening log
       files

       --stderrthreshold=2      logs at or above this threshold go to stderr

       --terminated-pod-gc-threshold=12500      Number of terminated pods that
       can exist before the terminated pod garbage collector starts deleting
       terminated pods. If <= 0, the terminated pod garbage collector is
       disabled.

       --tls-cert-file=""      File containing the default x509 Certificate
       for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
       serving is enabled, and --tls-cert-file and --tls-private-key-file are
       not provided, a self-signed certificate and key are generated for the
       public address and saved to the directory specified by --cert-dir.

       --tls-cipher-suites=[]      Comma-separated list of cipher suites for
       the server. If omitted, the default Go cipher suites will be used.
       Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
       TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
       Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
       TLS_RSA_WITH_RC4_128_SHA.

       --tls-min-version=""      Minimum TLS version supported. Possible
       values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13

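       Added example (not part of the original manual or of Kubernetes): a
       Python check that reads a kube-controller-manager command line and
       reports cipher suites from the "Insecure values" list above and a
       --tls-min-version below a floor. The VersionTLS12 floor, the function
       names and the sample command line are assumptions of this example.

```python
import shlex

# Suites this page lists under "Insecure values" for --tls-cipher-suites.
INSECURE_SUITES = set("""
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_RC4_128_SHA
""".split())
# Values this page lists for --tls-min-version, oldest first.
TLS_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def parse_flags(command_line):
    """Read --name=value tokens; a bare --name counts as "true".
    Space-separated values ("--name value") are not handled here."""
    flags = {}
    for token in shlex.split(command_line):
        if token.startswith("--"):
            name, sep, value = token[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags


def audit_tls(command_line, floor="VersionTLS12"):
    """Return findings; `floor` is an assumed local policy, not a page value."""
    flags = parse_flags(command_line)
    findings = []
    for suite in flags.get("tls-cipher-suites", "").split(","):
        if suite.strip() in INSECURE_SUITES:
            findings.append(f"insecure cipher suite: {suite.strip()}")
    version = flags.get("tls-min-version", "")
    if not version:
        findings.append("tls-min-version not set: minimum left to the default")
    elif version not in TLS_VERSIONS:
        findings.append(f"unknown tls-min-version: {version}")
    elif TLS_VERSIONS.index(version) < TLS_VERSIONS.index(floor):
        findings.append(f"tls-min-version {version} is below {floor}")
    return findings


# Constructed sample command line, not taken from a real cluster.
SAMPLE = (
    "kube-controller-manager --secure-port=10257 --tls-min-version=VersionTLS11 "
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
)
if __name__ == "__main__":
    print("\n".join(audit_tls(SAMPLE)))
```
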
       --tls-private-key-file=""      File containing the default x509 private
       key matching --tls-cert-file.

       --tls-sni-cert-key=[]      A pair of x509 certificate and private key
       file paths, optionally suffixed with a list of domain patterns which
       are fully qualified domain names, possibly with prefixed wildcard
       segments. The domain patterns also allow IP addresses, but IPs should
       only be used if the apiserver has visibility to the IP address
       requested by a client. If no domain patterns are provided, the names of
       the certificate are extracted. Non-wildcard matches trump over wildcard
       matches, explicit domain patterns trump over extracted names. For
       multiple key/certificate pairs, use the --tls-sni-cert-key multiple
       times. Examples: "example.crt,example.key" or
       "foo.crt,foo.key:*.foo.com,foo.com".

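       Added example (not Kubernetes code): a Python model of the
       --tls-sni-cert-key value format and the two precedence rules stated
       above, useful for checking which pair a set of flag values would serve
       for a given name. Assumptions: a "*" label matches exactly one label,
       non-wildcard outranks explicit when the two rules conflict, extracted
       names are passed in rather than read from the certificate, and the
       api.crt pair is hypothetical.

```python
def parse_sni_flag(value):
    """Split 'cert,key[:pattern,...]' into (cert, key, [patterns])."""
    files, _, names = value.partition(":")
    parts = files.split(",")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected 'cert,key[:patterns]', got {value!r}")
    return parts[0], parts[1], [n.lower() for n in names.split(",") if n]


def pattern_matches(pattern, server_name):
    """Compare label by label; a '*' label stands for one label (assumed)."""
    want, got = pattern.lower().split("."), server_name.lower().split(".")
    return len(want) == len(got) and all(w in ("*", g) for w, g in zip(want, got))


def select_pair(flag_values, server_name, extracted_names):
    """Return the (cert, key) chosen for server_name, or None if none matches.

    extracted_names maps a cert path to the names found in that certificate;
    the caller supplies it here so the example needs no X.509 parsing.
    """
    best = None
    for order, value in enumerate(flag_values):
        cert, key, patterns = parse_sni_flag(value)
        for pattern in patterns or extracted_names.get(cert, []):
            if pattern_matches(pattern, server_name):
                # Lower rank wins: non-wildcard, then explicit, then flag order
                # (the relative weight of the first two is an assumption).
                rank = ("*" in pattern, not patterns, order)
                if best is None or rank < best[0]:
                    best = (rank, (cert, key))
    return best[1] if best else None


# Constructed inputs: the first two values are the page's examples; the third
# pair and the extracted names are hypothetical.
FLAGS = [
    "example.crt,example.key",
    "foo.crt,foo.key:*.foo.com,foo.com",
    "api.crt,api.key:api.foo.com",
]
EXTRACTED = {"example.crt": ["example.com", "foo.com"]}

if __name__ == "__main__":
    for name in ("api.foo.com", "www.foo.com", "foo.com", "example.com"):
        print(name, "->", select_pair(FLAGS, name, EXTRACTED))
```
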
       --unhealthy-zone-threshold=0.55      Fraction of Nodes in a zone which
       needs to be not Ready (minimum 3) for zone to be treated as unhealthy.

       --use-service-account-credentials=false      If true, use individual
       service account credentials for each controller.

       -v, --v=0      number for the log level verbosity

       --version=false      Print version information and quit

       --vmodule=      comma-separated list of pattern=N settings for
       file-filtered logging (only works for text log format)

       --volume-host-allow-local-loopback=true      If false, deny local
       loopback IPs in addition to any CIDR ranges in
       --volume-host-cidr-denylist

       --volume-host-cidr-denylist=[]      A comma-separated list of CIDR
       ranges to avoid from volume plugins.

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!