KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-controller-manager -

SYNOPSIS

       kube-controller-manager [OPTIONS]

DESCRIPTION

       The Kubernetes controller manager is a daemon that embeds the core
       control loops shipped with Kubernetes. In applications of robotics and
       automation, a control loop is a non-terminating loop that regulates the
       state of the system. In Kubernetes, a controller is a control loop that
       watches the shared state of the cluster through the apiserver and makes
       changes attempting to move the current state towards the desired state.
       Examples of controllers that ship with Kubernetes today are the
       replication controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

OPTIONS

       --add_dir_header=false      If true, adds the file directory to the
       header of the log messages

       --allocate-node-cidrs=false      Should CIDRs for Pods be allocated and
       set on the cloud provider.

       --allow-metric-labels=[]      The map from metric-label to value
       allow-list of this label. The key's format is ,. The value's format is
       ,...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3'
       metric2,label1='v1,v2,v3'.

       --allow-untagged-cloud=false      Allow the cluster to run without the
       cluster-id on cloud instances. This is a legacy mode of operation and a
       cluster-id will be required in the future.

       --alsologtostderr=false      log to standard error as well as files (no
       effect when -logtostderr=true)

       --attach-detach-reconcile-sync-period=1m0s      The reconciler sync
       wait time between volume attach detach. This duration must be larger
       than one second, and increasing this value from the default may allow
       for volumes to be mismatched with pods.

       --authentication-kubeconfig=""      kubeconfig file pointing at the
       'core' kubernetes server with enough rights to create
       tokenreviews.authentication.k8s.io. This is optional. If empty, all
       token requests are considered to be anonymous and no client CA is
       looked up in the cluster.

       --authentication-skip-lookup=false      If false, the
       authentication-kubeconfig will be used to look up missing
       authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s      The duration to cache
       responses from the webhook token authenticator.

       --authentication-tolerate-lookup-failure=false      If true, failures
       to look up missing authentication configuration from the cluster are
       not considered fatal. Note that this can result in authentication that
       treats all requests as anonymous.

       --authorization-always-allow-paths=[/healthz,/readyz,/livez]      A
       list of HTTP paths to skip during authorization, i.e. these are
       authorized without contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""      kubeconfig file pointing at the
       'core' kubernetes server with enough rights to create
       subjectaccessreviews.authorization.k8s.io. This is optional. If empty,
       all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s      The duration to
       cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s      The duration to
       cache 'unauthorized' responses from the webhook authorizer.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address on which to listen for the
       --secure-port port. The associated interface(s) must be reachable by
       the rest of the cluster, and by CLI/web clients. If blank or an
       unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""      The directory where the TLS certs are located. If
       --tls-cert-file and --tls-private-key-file are provided, this flag will
       be ignored.

       --cidr-allocator-type="RangeAllocator"      Type of CIDR allocator to
       use

       --client-ca-file=""      If set, any request presenting a client
       certificate signed by one of the authorities in the client-ca-file is
       authenticated with an identity corresponding to the CommonName of the
       client certificate.

       --cloud-config=""      The path to the cloud provider configuration
       file. Empty string for no configuration file.

       --cloud-provider=""      The provider for cloud services. Empty string
       for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
       CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks

       --cluster-cidr=""      CIDR Range for Pods in cluster. Requires
       --allocate-node-cidrs to be true

       --cluster-name="kubernetes"      The instance prefix for the cluster.

       --cluster-signing-cert-file=""      Filename containing a PEM-encoded
       X509 CA certificate used to issue cluster-scoped certificates. If
       specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s      The max length of duration
       signed certificates will be given. Individual CSRs may request shorter
       certs by setting spec.expirationSeconds.

       --cluster-signing-key-file=""      Filename containing a PEM-encoded
       RSA or ECDSA private key used to sign cluster-scoped certificates. If
       specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""      Filename
       containing a PEM-encoded X509 CA certificate used to issue certificates
       for the kubernetes.io/kube-apiserver-client signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kube-apiserver-client-key-file=""      Filename
       containing a PEM-encoded RSA or ECDSA private key used to sign
       certificates for the kubernetes.io/kube-apiserver-client signer. If
       specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/kubelet-serving signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""      Filename containing
       a PEM-encoded RSA or ECDSA private key used to sign certificates for
       the kubernetes.io/kubelet-serving signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-cert-file=""      Filename containing
       a PEM-encoded X509 CA certificate used to issue certificates for the
       kubernetes.io/legacy-unknown signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""      Filename containing a
       PEM-encoded RSA or ECDSA private key used to sign certificates for the
       kubernetes.io/legacy-unknown signer. If specified,
       --cluster-signing-{cert,key}-file must not be set.

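       The --cluster-signing-* rules above, as an added example (not part of
       the original man page or of Kubernetes code): a Python check that
       reports a cluster-wide CA pair set together with per-signer flags and
       shows which CA file each signer would use. The file paths are
       constructed samples, and the cert/key pairing check is an assumption of
       the example.

```python
# Added example: checks --cluster-signing-* flags against the rules on this page.
# Per-signer flag prefixes and the signer each one serves, as listed above.
SIGNERS = {
    "cluster-signing-kube-apiserver-client": "kubernetes.io/kube-apiserver-client",
    "cluster-signing-kubelet-client": "kubernetes.io/kube-apiserver-client-kubelet",
    "cluster-signing-kubelet-serving": "kubernetes.io/kubelet-serving",
    "cluster-signing-legacy-unknown": "kubernetes.io/legacy-unknown",
}
GENERIC = "cluster-signing"  # prefix of --cluster-signing-{cert,key}-file

# Constructed sample command lines (paths are placeholders).
SPLIT_CAS = [
    "--cluster-signing-kube-apiserver-client-cert-file=/pki/client-ca.crt",
    "--cluster-signing-kube-apiserver-client-key-file=/pki/client-ca.key",
    "--cluster-signing-kubelet-serving-cert-file=/pki/serving-ca.crt",
    "--cluster-signing-kubelet-serving-key-file=/pki/serving-ca.key",
]
SINGLE_CA = [
    "--cluster-signing-cert-file=/pki/ca.crt",
    "--cluster-signing-key-file=/pki/ca.key",
]
MIXED = SINGLE_CA + ["--cluster-signing-kubelet-serving-cert-file=/pki/serving-ca.crt"]


def set_flags(argv):
    """Flags given as --name=value with a non-empty value."""
    pairs = (a[2:].split("=", 1) for a in argv if a.startswith("--") and "=" in a)
    return {name: value for name, value in pairs if value}


def check_cluster_signing(argv):
    """Return a list of (kind, detail) findings; an empty list means consistent."""
    flags = set_flags(argv)
    findings = []
    generic = sorted(f for f in flags
                     if f in (GENERIC + "-cert-file", GENERIC + "-key-file"))
    specific = sorted(f for f in flags
                      if any(f in (p + "-cert-file", p + "-key-file") for p in SIGNERS))
    # Rule from the page: the cluster-wide pair excludes every per-signer flag.
    if generic and specific:
        findings.append(("conflict", f"{generic} set together with {specific}"))
    # Assumption of this example (not stated on the page): a CA certificate
    # without its key, or the reverse, cannot sign, so it is reported.
    for prefix in [GENERIC, *SIGNERS]:
        cert, key = prefix + "-cert-file", prefix + "-key-file"
        if (cert in flags) != (key in flags):
            findings.append(("unpaired", cert if cert in flags else key))
    return findings


def signer_ca_files(argv):
    """Map each signer name to the CA certificate file configured for it.

    None means these flags configure no CA for that signer.
    """
    flags = set_flags(argv)
    fallback = flags.get(GENERIC + "-cert-file")
    return {signer: flags.get(prefix + "-cert-file", fallback)
            for prefix, signer in SIGNERS.items()}


if __name__ == "__main__":
    for name, argv in (("split", SPLIT_CAS), ("single", SINGLE_CA), ("mixed", MIXED)):
        print(name, check_cluster_signing(argv), signer_ca_files(argv))
```
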
       --concurrent-deployment-syncs=5      The number of deployment objects
       that are allowed to sync concurrently. Larger number = more responsive
       deployments, but more CPU (and network) load

       --concurrent-endpoint-syncs=5      The number of endpoint syncing
       operations that will be done concurrently. Larger number = faster
       endpoint updating, but more CPU (and network) load

       --concurrent-ephemeralvolume-syncs=5      The number of ephemeral
       volume syncing operations that will be done concurrently. Larger
       number = faster ephemeral volume updating, but more CPU (and network)
       load

       --concurrent-gc-syncs=20      The number of garbage collector workers
       that are allowed to sync concurrently.

       --concurrent-namespace-syncs=10      The number of namespace objects
       that are allowed to sync concurrently. Larger number = more responsive
       namespace termination, but more CPU (and network) load

       --concurrent-replicaset-syncs=5      The number of replica sets that
       are allowed to sync concurrently. Larger number = more responsive
       replica management, but more CPU (and network) load

       --concurrent-resource-quota-syncs=5      The number of resource quotas
       that are allowed to sync concurrently. Larger number = more responsive
       quota management, but more CPU (and network) load

       --concurrent-service-endpoint-syncs=5      The number of service
       endpoint syncing operations that will be done concurrently. Larger
       number = faster endpoint slice updating, but more CPU (and network)
       load. Defaults to 5.

       --concurrent-service-syncs=1      The number of services that are
       allowed to sync concurrently. Larger number = more responsive service
       management, but more CPU (and network) load

       --concurrent-serviceaccount-token-syncs=5      The number of service
       account token objects that are allowed to sync concurrently. Larger
       number = more responsive token generation, but more CPU (and network)
       load

       --concurrent-statefulset-syncs=5      The number of statefulset objects
       that are allowed to sync concurrently. Larger number = more responsive
       statefulsets, but more CPU (and network) load

       --concurrent-ttl-after-finished-syncs=5      The number of
       TTL-after-finished controller workers that are allowed to sync
       concurrently.

       --concurrent_rc_syncs=5      The number of replication controllers that
       are allowed to sync concurrently. Larger number = more responsive
       replica management, but more CPU (and network) load

       --configure-cloud-routes=true      Should CIDRs allocated by
       allocate-node-cidrs be configured on the cloud provider.

       --contention-profiling=false      Enable lock contention profiling, if
       profiling is enabled

       --controller-start-interval=0s      Interval between starting
       controller managers.

       --controllers=[]      A list of controllers to enable. '' enables all
       on-by-default controllers, 'foo' enables the controller named 'foo',
       '-foo' disables the controller named 'foo'.
       All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle,
       clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning,
       daemonset, deployment, disruption, endpoint, endpointslice,
       endpointslicemirroring, ephemeral-volume, garbagecollector,
       horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle,
       persistentvolume-binder, persistentvolume-expander, podgc,
       pv-protection, pvc-protection, replicaset, replicationcontroller,
       resourcequota, root-ca-cert-publisher, route, service, serviceaccount,
       serviceaccount-token, statefulset, tokencleaner, ttl,
       ttl-after-finished
       Disabled-by-default controllers: bootstrapsigner, tokencleaner

       --disable-attach-detach-reconcile-sync=false      Disable volume attach
       detach reconciler sync. Disabling this may cause volumes to be
       mismatched with pods. Use wisely.

       --disabled-metrics=[]      This flag provides an escape hatch for
       misbehaving metrics. You must provide the fully qualified metric name
       in order to disable it. Disclaimer: disabling metrics is higher in
       precedence than showing hidden metrics.

       --enable-dynamic-provisioning=true      Enable dynamic provisioning for
       environments that support it.

       --enable-garbage-collector=true      Enables the generic garbage
       collector. MUST be synced with the corresponding flag of the
       kube-apiserver.

       --enable-hostpath-provisioner=false      Enable HostPath PV
       provisioning when running without a cloud provider. This allows testing
       and development of provisioning features. HostPath provisioning is not
       supported in any way, won't work in a multi-node cluster, and should
       not be used for anything other than testing or development.

       --enable-leader-migration=false      Whether to enable controller
       leader migration.

       --enable-taint-manager=true      If set to true, enables NoExecute
       Taints and will evict all non-tolerating Pods running on Nodes tainted
       with this kind of Taint.

       --endpoint-updates-batch-period=0s      The length of endpoint updates
       batching period. Processing of pod changes will be delayed by this
       duration to join them with potential upcoming updates and reduce the
       overall number of endpoints updates. Larger number = higher endpoint
       programming latency, but lower number of endpoints revision generated

       --endpointslice-updates-batch-period=0s      The length of endpoint
       slice updates batching period. Processing of pod changes will be
       delayed by this duration to join them with potential upcoming updates
       and reduce the overall number of endpoints updates. Larger number =
       higher endpoint programming latency, but lower number of endpoints
       revision generated

       --external-cloud-volume-plugin=""      The plugin to use when cloud
       provider is set to external. Can be empty, should only be set when
       cloud-provider is external. Currently used to allow node and volume
       controllers to work for in-tree cloud providers.

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
       APIListChunking=true|false (BETA - default=true)
       APIPriorityAndFairness=true|false (BETA - default=true)
       APIResponseCompression=true|false (BETA - default=true)
       APIServerIdentity=true|false (ALPHA - default=false)
       APIServerTracing=true|false (ALPHA - default=false)
       AllAlpha=true|false (ALPHA - default=false)
       AllBeta=true|false (BETA - default=false)
       AnyVolumeDataSource=true|false (BETA - default=true)
       AppArmor=true|false (BETA - default=true)
       CPUManager=true|false (BETA - default=true)
       CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
       CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
       CPUManagerPolicyOptions=true|false (BETA - default=true)
       CSIMigrationAzureFile=true|false (BETA - default=true)
       CSIMigrationPortworx=true|false (BETA - default=false)
       CSIMigrationRBD=true|false (ALPHA - default=false)
       CSIMigrationvSphere=true|false (BETA - default=true)
       CSINodeExpandSecret=true|false (ALPHA - default=false)
       CSIVolumeHealth=true|false (ALPHA - default=false)
       ContainerCheckpoint=true|false (ALPHA - default=false)
       ContextualLogging=true|false (ALPHA - default=false)
       CronJobTimeZone=true|false (BETA - default=true)
       CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
       CustomResourceValidationExpressions=true|false (BETA - default=true)
       DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
       DevicePlugins=true|false (BETA - default=true)
       DisableCloudProviders=true|false (ALPHA - default=false)
       DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
       DownwardAPIHugePages=true|false (BETA - default=true)
       EndpointSliceTerminatingCondition=true|false (BETA - default=true)
       ExpandedDNSConfig=true|false (ALPHA - default=false)
       ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
       GRPCContainerProbe=true|false (BETA - default=true)
       GracefulNodeShutdown=true|false (BETA - default=true)
       GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
       HPAContainerMetrics=true|false (ALPHA - default=false)
       HPAScaleToZero=true|false (ALPHA - default=false)
       HonorPVReclaimPolicy=true|false (ALPHA - default=false)
       IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
       InTreePluginAWSUnregister=true|false (ALPHA - default=false)
       InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
       InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
       InTreePluginGCEUnregister=true|false (ALPHA - default=false)
       InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
       InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
       InTreePluginRBDUnregister=true|false (ALPHA - default=false)
       InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
       JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
       JobPodFailurePolicy=true|false (ALPHA - default=false)
       JobReadyPods=true|false (BETA - default=true)
       JobTrackingWithFinalizers=true|false (BETA - default=true)
       KMSv2=true|false (ALPHA - default=false)
       KubeletCredentialProviders=true|false (BETA - default=true)
       KubeletInUserNamespace=true|false (ALPHA - default=false)
       KubeletPodResources=true|false (BETA - default=true)
       KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
       KubeletTracing=true|false (ALPHA - default=false)
       LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
       LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
       LogarithmicScaleDown=true|false (BETA - default=true)
       LoggingAlphaOptions=true|false (ALPHA - default=false)
       LoggingBetaOptions=true|false (BETA - default=true)
       MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
       MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
       MemoryManager=true|false (BETA - default=true)
       MemoryQoS=true|false (ALPHA - default=false)
       MinDomainsInPodTopologySpread=true|false (BETA - default=false)
       MixedProtocolLBService=true|false (BETA - default=true)
       MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
       NetworkPolicyStatus=true|false (ALPHA - default=false)
       NodeInclusionPolicyInPodTopologySpread=true|false (ALPHA - default=false)
       NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
       NodeSwap=true|false (ALPHA - default=false)
       OpenAPIEnums=true|false (BETA - default=true)
       OpenAPIV3=true|false (BETA - default=true)
       PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
       PodDeletionCost=true|false (BETA - default=true)
       PodDisruptionConditions=true|false (ALPHA - default=false)
       PodHasNetworkCondition=true|false (ALPHA - default=false)
       ProbeTerminationGracePeriod=true|false (BETA - default=true)
       ProcMountType=true|false (ALPHA - default=false)
       ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
       QOSReserved=true|false (ALPHA - default=false)
       ReadWriteOncePod=true|false (ALPHA - default=false)
       RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
       RemainingItemCount=true|false (BETA - default=true)
       RetroactiveDefaultStorageClass=true|false (ALPHA - default=false)
       RotateKubeletServerCertificate=true|false (BETA - default=true)
       SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
       SeccompDefault=true|false (BETA - default=true)
       ServerSideFieldValidation=true|false (BETA - default=true)
       ServiceIPStaticSubrange=true|false (BETA - default=true)
       ServiceInternalTrafficPolicy=true|false (BETA - default=true)
       SizeMemoryBackedVolumes=true|false (BETA - default=true)
       StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
       StorageVersionAPI=true|false (ALPHA - default=false)
       StorageVersionHash=true|false (BETA - default=true)
       TopologyAwareHints=true|false (BETA - default=true)
       TopologyManager=true|false (BETA - default=true)
       UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
       VolumeCapacityPriority=true|false (ALPHA - default=false)
       WinDSR=true|false (ALPHA - default=false)
       WinOverlay=true|false (BETA - default=true)
       WindowsHostProcessContainers=true|false (BETA - default=true)

       --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
       Full path of the directory in which the flex volume plugin should
       search for additional third party volume plugins.

       -h, --help=false      help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period=5m0s      The
       period after pod start when CPU samples might be skipped.

       --horizontal-pod-autoscaler-downscale-delay=5m0s      The period since
       last downscale, before another downscale can be performed in horizontal
       pod autoscaler.

       --horizontal-pod-autoscaler-downscale-stabilization=5m0s      The
       period for which autoscaler will look backwards and not scale down
       below any recommendation it made during that period.

       --horizontal-pod-autoscaler-initial-readiness-delay=30s      The period
       after pod start during which readiness changes will be treated as
       initial readiness.

       --horizontal-pod-autoscaler-sync-period=15s      The period for syncing
       the number of pods in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-tolerance=0.1      The minimum change (from
       1.0) in the desired-to-actual metrics ratio for the horizontal pod
       autoscaler to consider scaling.

       --horizontal-pod-autoscaler-upscale-delay=3m0s      The period since
       last upscale, before another upscale can be performed in horizontal pod
       autoscaler.

       --http2-max-streams-per-connection=0      The limit that the server
       gives to clients for the maximum number of streams in an HTTP/2
       connection. Zero means to use golang's default.

       --kube-api-burst=30      Burst to use while talking with kubernetes
       apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
       Content type of requests sent to apiserver.

       --kube-api-qps=20      QPS to use while talking with kubernetes
       apiserver.

       --kubeconfig=""      Path to kubeconfig file with authorization and
       master location information.

       --large-cluster-size-threshold=50      Number of nodes from which
       NodeController treats the cluster as large for the eviction logic
       purposes. --secondary-node-eviction-rate is implicitly overridden to 0
       for clusters this size or smaller.

       --leader-elect=true      Start a leader election client and gain
       leadership before executing the main loop. Enable this when running
       replicated components for high availability.

       --leader-elect-lease-duration=15s      The duration that non-leader
       candidates will wait after observing a leadership renewal until
       attempting to acquire leadership of a led but unrenewed leader slot.
       This is effectively the maximum duration that a leader can be stopped
       before it is replaced by another candidate. This is only applicable if
       leader election is enabled.

       --leader-elect-renew-deadline=10s      The interval between attempts by
       the acting master to renew a leadership slot before it stops leading.
       This must be less than or equal to the lease duration. This is only
       applicable if leader election is enabled.

       --leader-elect-resource-lock="leases"      The type of resource object
       that is used for locking during leader election. Supported options are
       'leases', 'endpointsleases' and 'configmapsleases'.

       --leader-elect-resource-name="kube-controller-manager"      The name of
       resource object that is used for locking during leader election.

       --leader-elect-resource-namespace="kube-system"      The namespace of
       resource object that is used for locking during leader election.

       --leader-elect-retry-period=2s      The duration the clients should
       wait between attempting acquisition and renewal of a leadership. This
       is only applicable if leader election is enabled.

       --leader-migration-config=""      Path to the config file for
       controller leader migration, or empty to use the value that reflects
       default configuration of the controller manager. The config file should
       be of type LeaderMigrationConfiguration, group
       controllermanager.config.k8s.io, version v1alpha1.

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --log_backtrace_at=:0      when logging hits line file:N, emit a stack
       trace

       --log_dir=""      If non-empty, write log files in this directory (no
       effect when -logtostderr=true)

       --log_file=""      If non-empty, use this log file (no effect when
       -logtostderr=true)

       --log_file_max_size=1800      Defines the maximum size a log file can
       grow to (no effect when -logtostderr=true). Unit is megabytes. If the
       value is 0, the maximum file size is unlimited.

       --logging-format="text"      Sets the log format. Permitted formats:
       "text". Non-default formats don't honor these flags: --add-dir-header,
       --alsologtostderr, --log-backtrace-at, --log-dir, --log-file,
       --log-file-max-size, --logtostderr, --one-output, --skip-headers,
       --skip-log-headers, --stderrthreshold, --vmodule. Non-default choices
       are currently alpha and subject to change without warning.

       --logtostderr=true      log to standard error instead of files

       --master=""      The address of the Kubernetes API server (overrides
       any value in kubeconfig).

602       --max-endpoints-per-slice=100      The maximum number of endpoints that
603       will be added to an EndpointSlice. More endpoints per slice will result
604       in less endpoint slices, but larger resources. Defaults to 100.
605
606
607       --min-resync-period=12h0m0s       The  resync period in reflectors will
608       be random between MinResyncPeriod and 2*MinResyncPeriod.
609
610
611       --mirroring-concurrent-service-endpoint-syncs=5      The number of ser‐
612       vice  endpoint syncing operations that will be done concurrently by the
613       EndpointSliceMirroring controller.  Larger  number  =  faster  endpoint
614       slice updating, but more CPU (and network) load. Defaults to 5.
615
616
617       --mirroring-endpointslice-updates-batch-period=0s       The  length  of
618       EndpointSlice updates batching period for  EndpointSliceMirroring  con‐
619       troller.  Processing  of  EndpointSlice changes will be delayed by this
620       duration to join them with potential upcoming updates  and  reduce  the
621       overall  number  of  EndpointSlice updates. Larger number = higher end‐
622       point programming latency, but lower number of endpoints revision  gen‐
623       erated
624
625
626       --mirroring-max-endpoints-per-subset=1000       The  maximum  number of
627       endpoints  that  will  be  added  to  an  EndpointSlice  by  the   End‐
628       pointSliceMirroring controller. More endpoints per slice will result in
629       less endpoint slices, but larger resources. Defaults to 100.


       --namespace-sync-period=5m0s      The period for syncing namespace
       life-cycle updates


       --node-cidr-mask-size=0      Mask size for node cidr in cluster. De‐
       fault is 24 for IPv4 and 64 for IPv6.


       --node-cidr-mask-size-ipv4=0      Mask size for IPv4 node cidr in dual-
       stack cluster. Default is 24.


       --node-cidr-mask-size-ipv6=0      Mask size for IPv6 node cidr in dual-
       stack cluster. Default is 64.


       --node-eviction-rate=0.1      Number of nodes per second on which pods
       are deleted in case of node failure when a zone is healthy (see --un‐
       healthy-zone-threshold for definition of healthy/unhealthy). Zone
       refers to entire cluster in non-multizone clusters.


       --node-monitor-grace-period=40s      Amount of time which we allow run‐
       ning Node to be unresponsive before marking it unhealthy. Must be N
       times more than kubelet's nodeStatusUpdateFrequency, where N means num‐
       ber of retries allowed for kubelet to post node status.


       --node-monitor-period=5s      The period for syncing NodeStatus in
       NodeController.


       --node-startup-grace-period=1m0s      Amount of time which we allow
       starting Node to be unresponsive before marking it unhealthy.


       --node-sync-period=0s      This flag is deprecated and will be removed
       in future releases. See node-monitor-period for Node health checking or
       route-reconciliation-period for cloud provider's route configuration
       settings.


       --one_output=false      If true, only write logs to their native sever‐
       ity level (vs also writing to each lower severity level; no effect when
       -logtostderr=true)


       --permit-address-sharing=false      If true, SO_REUSEADDR will be used
       when binding the port. This allows binding to wildcard IPs like 0.0.0.0
       and specific IPs in parallel, and it avoids waiting for the kernel to
       release sockets in TIME_WAIT state. [default=false]


       --permit-port-sharing=false      If true, SO_REUSEPORT will be used
       when binding the port, which allows more than one instance to bind on
       the same address and port. [default=false]


       --pod-eviction-timeout=5m0s      The grace period for deleting pods on
       failed nodes.


       --profiling=true      Enable profiling via web interface host:port/de‐
       bug/pprof/


       --pv-recycler-increment-timeout-nfs=30      the increment of time added
       per Gi to ActiveDeadlineSeconds for an NFS scrubber pod


       --pv-recycler-minimum-timeout-hostpath=60      The minimum ActiveDead‐
       lineSeconds to use for a HostPath Recycler pod. This is for develop‐
       ment and testing only and will not work in a multi-node cluster.


       --pv-recycler-minimum-timeout-nfs=300      The minimum ActiveDeadli‐
       neSeconds to use for an NFS Recycler pod


       --pv-recycler-pod-template-filepath-hostpath=""      The file path to a
       pod definition used as a template for HostPath persistent volume recy‐
       cling. This is for development and testing only and will not work in a
       multi-node cluster.


       --pv-recycler-pod-template-filepath-nfs=""      The file path to a pod
       definition used as a template for NFS persistent volume recycling


       --pv-recycler-timeout-increment-hostpath=30      the increment of time
       added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod.
       This is for development and testing only and will not work in a multi-
       node cluster.


       --pvclaimbinder-sync-period=15s      The period for syncing persistent
       volumes and persistent volume claims


       --requestheader-allowed-names=[]      List of client certificate common
       names to allow to provide usernames in headers specified by --request‐
       header-username-headers. If empty, any client certificate validated by
       the authorities in --requestheader-client-ca-file is allowed.


       --requestheader-client-ca-file=""      Root certificate bundle to use
       to verify client certificates on incoming requests before trusting
       usernames in headers specified by --requestheader-username-headers.
       WARNING: generally do not depend on authorization being already done
       for incoming requests.


       --requestheader-extra-headers-prefix=[x-remote-extra-]      List of re‐
       quest header prefixes to inspect. X-Remote-Extra- is suggested.


       --requestheader-group-headers=[x-remote-group]      List of request
       headers to inspect for groups. X-Remote-Group is suggested.


       --requestheader-username-headers=[x-remote-user]      List of request
       headers to inspect for usernames. X-Remote-User is common.


       --resource-quota-sync-period=5m0s      The period for syncing quota us‐
       age status in the system


       --root-ca-file=""      If set, this root certificate authority will be
       included in service account's token secret. This must be a valid PEM-
       encoded CA bundle.


       --route-reconciliation-period=10s      The period for reconciling
       routes created for Nodes by cloud provider.


       --secondary-node-eviction-rate=0.01      Number of nodes per second on
       which pods are deleted in case of node failure when a zone is unhealthy
       (see --unhealthy-zone-threshold for definition of healthy/unhealthy).
       Zone refers to entire cluster in non-multizone clusters. This value is
       implicitly overridden to 0 if the cluster size is smaller than --large-
       cluster-size-threshold.


       --secure-port=10257      The port on which to serve HTTPS with authen‐
       tication and authorization. If 0, don't serve HTTPS at all.


       --service-account-private-key-file=""      Filename containing a PEM-
       encoded private RSA or ECDSA key used to sign service account tokens.


       --service-cluster-ip-range=""      CIDR Range for Services in cluster.
       Requires --allocate-node-cidrs to be true


       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.


       --skip_headers=false      If true, avoid header prefixes in the log
       messages


       --skip_log_headers=false      If true, avoid headers when opening log
       files (no effect when -logtostderr=true)


       --stderrthreshold=2      logs at or above this threshold go to stderr
       when writing to files and stderr (no effect when -logtostderr=true or
       -alsologtostderr=false)


       --terminated-pod-gc-threshold=12500      Number of terminated pods that
       can exist before the terminated pod garbage collector starts deleting
       terminated pods. If <= 0, the terminated pod garbage collector is dis‐
       abled.


       --tls-cert-file=""      File containing the default x509 Certificate
       for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
       serving is enabled, and --tls-cert-file and --tls-private-key-file are
       not provided, a self-signed certificate and key are generated for the
       public address and saved to the directory specified by --cert-dir.


       --tls-cipher-suites=[]      Comma-separated list of cipher suites for
       the server. If omitted, the default Go cipher suites will be used.
       Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
       TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Inse‐
       cure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
       TLS_RSA_WITH_RC4_128_SHA.


       --tls-min-version=""      Minimum TLS version supported. Possible val‐
       ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13


       --tls-private-key-file=""      File containing the default x509 private
       key matching --tls-cert-file.


       --tls-sni-cert-key=[]      A pair of x509 certificate and private key
       file paths, optionally suffixed with a list of domain patterns which
       are fully qualified domain names, possibly with prefixed wildcard seg‐
       ments. The domain patterns also allow IP addresses, but IPs should only
       be used if the apiserver has visibility to the IP address requested by
       a client. If no domain patterns are provided, the names of the certifi‐
       cate are extracted. Non-wildcard matches trump over wildcard matches,
       explicit domain patterns trump over extracted names. For multiple
       key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
       ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".


       --unhealthy-zone-threshold=0.55      Fraction of Nodes in a zone which
       needs to be not Ready (minimum 3) for zone to be treated as unhealthy.


       --use-service-account-credentials=false      If true, use individual
       service account credentials for each controller.


       -v, --v=0      number for the log level verbosity


       --version=false      Print version information and quit


       --vmodule=      comma-separated list of pattern=N settings for file-
       filtered logging (only works for text log format)


       --volume-host-allow-local-loopback=true      If false, deny local loop‐
       back IPs in addition to any CIDR ranges in --volume-host-cidr-denylist


       --volume-host-cidr-denylist=[]      A comma-separated list of CIDR
       ranges to avoid from volume plugins.
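

       Several options above affect the exposure of the serving endpoint:
       --tls-cipher-suites, --tls-min-version, --profiling,
       --use-service-account-credentials and --requestheader-allowed-names.
       The following Python audit is an added example, not part of the
       upstream man page or of Kubernetes; the sample command line, the CA
       path and the choice of what counts as a finding are assumptions.

```python
# Added example (not upstream code); what counts as a finding is an assumption.

# The "Insecure values" listed under --tls-cipher-suites on this page.
INSECURE_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_RC4_128_SHA",
}
# Defaults as documented on this page for the flags checked below.
DEFAULTS = {
    "profiling": "true", "use-service-account-credentials": "false",
    "tls-min-version": "", "tls-cipher-suites": "",
    "requestheader-client-ca-file": "", "requestheader-allowed-names": "",
}
# Constructed sample command line; the CA path is a placeholder.
SAMPLE_ARGV = [
    "kube-controller-manager", "--profiling=false",
    "--use-service-account-credentials", "--tls-min-version=VersionTLS11",
    "--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA",
    "--requestheader-client-ca-file=/etc/example/front-proxy-ca.crt",
]


def parse_flags(argv):
    """Handle --name=value and bare boolean --name; other forms are skipped."""
    flags = dict(DEFAULTS)
    for arg in argv:
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags


def audit(argv):
    """Return (flag, reason) findings for one command line."""
    flags, out = parse_flags(argv), []
    suites = {s.strip() for s in flags["tls-cipher-suites"].split(",")}
    for suite in sorted(suites & INSECURE_SUITES):
        out.append(("tls-cipher-suites", suite + " is listed as insecure"))
    if flags["tls-min-version"] in ("VersionTLS10", "VersionTLS11"):
        out.append(("tls-min-version", "allows TLS below 1.2"))
    if flags["profiling"].lower() not in ("false", "0", "f"):
        out.append(("profiling", "/debug/pprof/ is served"))
    if flags["use-service-account-credentials"].lower() not in ("true", "1", "t"):
        out.append(("use-service-account-credentials", "no per-controller credentials"))
    if flags["requestheader-client-ca-file"] and not flags["requestheader-allowed-names"]:
        out.append(("requestheader-allowed-names", "any cert from the CA is accepted"))
    return out
```

       Feed audit() the command list from the controller manager's pod
       manifest or unit file; an empty result means none of these five checks
       fired, not that the configuration is otherwise hardened.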



HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!



Manuals                              User            KUBERNETES(1)(kubernetes)