KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kube-controller-manager -

SYNOPSIS
       kube-controller-manager [OPTIONS]

DESCRIPTION
       The Kubernetes controller manager is a daemon that embeds the core
       control loops shipped with Kubernetes. In applications of robotics and
       automation, a control loop is a non-terminating loop that regulates the
       state of the system. In Kubernetes, a controller is a control loop that
       watches the shared state of the cluster through the apiserver and makes
       changes attempting to move the current state towards the desired state.
       Examples of controllers that ship with Kubernetes today are the
       replication controller, endpoints controller, namespace controller, and
       serviceaccounts controller.

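       The control loop described above, as an added example written for this
       page (it is not kube-controller-manager's own code): a toy replication
       controller that compares desired replicas with the pods it observes,
       emits create/delete actions, and re-runs until the two agree. The Spec,
       Observed and Action types, and the in-memory Apply standing in for the
       apiserver, are this example's own constructions.

```go
package main

import "fmt"

// Spec is the desired state: how many pods of this name should exist.
// Constructed for this example; not kube-controller-manager's own type.
type Spec struct {
	Name     string
	Replicas int
}

// Observed is the current state as the apiserver reports it.
type Observed struct {
	Pods []string
}

// Action is one change the controller asks the apiserver to make.
type Action struct {
	Op  string // "create" or "delete"
	Pod string
}

// Reconcile compares desired and observed state and returns the actions that
// move the current state towards the desired one. It never assumes its own
// earlier actions succeeded: it only looks at what is observed now, which is
// what makes the loop safe to re-run after a crash or a missed event.
func Reconcile(spec Spec, obs Observed) []Action {
	var actions []Action
	have := len(obs.Pods)
	for i := have; i < spec.Replicas; i++ {
		actions = append(actions, Action{Op: "create", Pod: fmt.Sprintf("%s-%d", spec.Name, i)})
	}
	if have > spec.Replicas {
		for _, p := range obs.Pods[spec.Replicas:] {
			actions = append(actions, Action{Op: "delete", Pod: p})
		}
	}
	return actions
}

// Apply stands in for the apiserver: it plays the actions back onto the
// observed state and returns the new observation.
func Apply(obs Observed, actions []Action) Observed {
	pods := append([]string(nil), obs.Pods...)
	for _, a := range actions {
		switch a.Op {
		case "create":
			pods = append(pods, a.Pod)
		case "delete":
			for i, p := range pods {
				if p == a.Pod {
					pods = append(pods[:i], pods[i+1:]...)
					break
				}
			}
		}
	}
	return Observed{Pods: pods}
}

// RunUntilConverged is the control loop itself. The real loop never
// terminates; maxRounds bounds it so the example finishes. It returns the
// final observed state and how many rounds produced actions.
func RunUntilConverged(spec Spec, obs Observed, maxRounds int) (Observed, int) {
	rounds := 0
	for i := 0; i < maxRounds; i++ {
		actions := Reconcile(spec, obs)
		if len(actions) == 0 {
			break // current state == desired state
		}
		rounds++
		obs = Apply(obs, actions)
	}
	return obs, rounds
}

func main() {
	final, rounds := RunUntilConverged(Spec{Name: "web", Replicas: 3}, Observed{Pods: []string{"web-0"}}, 10)
	fmt.Println(final.Pods, "after", rounds, "round(s)")
}
```

       Reconcile is deliberately stateless between rounds: every decision is
       recomputed from the observed state, so a duplicated or lost event
       cannot leave the controller believing in pods that do not exist.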
OPTIONS
       --add_dir_header=false
              If true, adds the file directory to the header of the log
              messages

       --allocate-node-cidrs=false
              Should CIDRs for Pods be allocated and set on the cloud
              provider.

       --allow-metric-labels=[]
              The map from metric-label to value allow-list of this label. The
              key is a metric name and a label name separated by a comma; the
              value is the comma-separated list of allowed values for that
              label, e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3'
              metric2,label1='v1,v2,v3'.

       --allow-untagged-cloud=false
              Allow the cluster to run without the cluster-id on cloud
              instances. This is a legacy mode of operation and a cluster-id
              will be required in the future.

       --alsologtostderr=false
              log to standard error as well as files (no effect when
              -logtostderr=true)

       --attach-detach-reconcile-sync-period=1m0s
              The reconciler sync wait time between volume attach detach. This
              duration must be larger than one second, and increasing this
              value from the default may allow for volumes to be mismatched
              with pods.

       --authentication-kubeconfig=""
              kubeconfig file pointing at the 'core' kubernetes server with
              enough rights to create tokenreviews.authentication.k8s.io. This
              is optional. If empty, all token requests are considered to be
              anonymous and no client CA is looked up in the cluster.

       --authentication-skip-lookup=false
              If false, the authentication-kubeconfig will be used to look up
              missing authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s
              The duration to cache responses from the webhook token
              authenticator.

       --authentication-tolerate-lookup-failure=false
              If true, failures to look up missing authentication
              configuration from the cluster are not considered fatal. Note
              that this can result in authentication that treats all requests
              as anonymous.

       --authorization-always-allow-paths=[/healthz,/readyz,/livez]
              A list of HTTP paths to skip during authorization, i.e. these
              are authorized without contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""
              kubeconfig file pointing at the 'core' kubernetes server with
              enough rights to create subjectaccessreviews.authorization.k8s.io.
              This is optional. If empty, all requests not skipped by
              authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s
              The duration to cache 'authorized' responses from the webhook
              authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s
              The duration to cache 'unauthorized' responses from the webhook
              authorizer.

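       The delegated authentication/authorization rules stated by the flags
       above, as an added example written for this page (not the project's own
       code): always-allow paths bypass authorization, a missing
       --authorization-kubeconfig forbids everything else, a missing
       --authentication-kubeconfig makes every caller anonymous, and webhook
       answers are cached for the authorized/unauthorized TTLs. The Config,
       Request and Authorizer types, the injected clock, the "token-for-<user>"
       token form standing in for a TokenReview, and the webhook closure
       standing in for a SubjectAccessReview are all this example's
       assumptions; the kubeconfig paths are placeholders.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Config holds the subset of the delegated authn/authz flags this example
// models. Field names are this example's own, not the project's.
type Config struct {
	AuthenticationKubeconfig string        // --authentication-kubeconfig
	AuthorizationKubeconfig  string        // --authorization-kubeconfig
	AlwaysAllowPaths         []string      // --authorization-always-allow-paths
	AuthorizedTTL            time.Duration // --authorization-webhook-cache-authorized-ttl
	UnauthorizedTTL          time.Duration // --authorization-webhook-cache-unauthorized-ttl
}

type Request struct{ Token, Path string }

type cacheEntry struct {
	allowed bool
	expires time.Time
}

// Authorizer caches webhook decisions. The clock and the webhook are injected
// so the example runs offline; in the real component they are wall-clock time
// and a SubjectAccessReview sent to the 'core' apiserver.
type Authorizer struct {
	cfg     Config
	now     func() time.Time
	webhook func(user, path string) bool
	cache   map[string]cacheEntry
	Calls   int // webhook round-trips made, to show the cache at work
}

func NewAuthorizer(cfg Config, now func() time.Time, webhook func(user, path string) bool) *Authorizer {
	return &Authorizer{cfg: cfg, now: now, webhook: webhook, cache: map[string]cacheEntry{}}
}

// authenticate maps a bearer token to a username. With no authentication
// kubeconfig there is nothing to send TokenReviews to, so every caller is
// anonymous, exactly as the flag description warns. Tokens of the constructed
// form "token-for-<user>" stand in for a successful TokenReview.
func (a *Authorizer) authenticate(token string) string {
	if a.cfg.AuthenticationKubeconfig == "" || !strings.HasPrefix(token, "token-for-") {
		return "system:anonymous"
	}
	return strings.TrimPrefix(token, "token-for-")
}

// Decide applies the documented rules in order: always-allow paths skip
// authorization entirely; without an authorization kubeconfig everything else
// is forbidden; otherwise the webhook is consulted, with allowed and denied
// answers cached for their separate TTLs.
func (a *Authorizer) Decide(req Request) (allowed bool, reason string) {
	for _, p := range a.cfg.AlwaysAllowPaths {
		if p == req.Path {
			return true, "path skips authorization"
		}
	}
	if a.cfg.AuthorizationKubeconfig == "" {
		return false, "no --authorization-kubeconfig: forbidden"
	}
	user := a.authenticate(req.Token)
	key := user + " " + req.Path
	if e, ok := a.cache[key]; ok && a.now().Before(e.expires) {
		return e.allowed, "cached for " + user
	}
	a.Calls++
	ok := a.webhook(user, req.Path)
	ttl := a.cfg.UnauthorizedTTL
	if ok {
		ttl = a.cfg.AuthorizedTTL
	}
	a.cache[key] = cacheEntry{allowed: ok, expires: a.now().Add(ttl)}
	return ok, "webhook answered for " + user
}

func main() {
	clock := time.Unix(0, 0)
	granted := true // flip to simulate a revoked RoleBinding
	cfg := Config{
		AuthenticationKubeconfig: "/etc/kubernetes/authn.kubeconfig", // placeholder path
		AuthorizationKubeconfig:  "/etc/kubernetes/authz.kubeconfig", // placeholder path
		AlwaysAllowPaths:         []string{"/healthz", "/readyz", "/livez"},
		AuthorizedTTL:            10 * time.Second,
		UnauthorizedTTL:          10 * time.Second,
	}
	a := NewAuthorizer(cfg, func() time.Time { return clock },
		func(user, path string) bool { return granted && user == "alice" && path == "/metrics" })
	fmt.Println(a.Decide(Request{Token: "token-for-alice", Path: "/metrics"})) // allowed by webhook
	granted = false
	fmt.Println(a.Decide(Request{Token: "token-for-alice", Path: "/metrics"})) // still allowed: cached
	clock = clock.Add(11 * time.Second)
	fmt.Println(a.Decide(Request{Token: "token-for-alice", Path: "/metrics"})) // denied: cache expired
}
```

       The main() run shows the caveat behind the authorized-TTL flag: a
       permission revoked in the cluster keeps working on this endpoint until
       the cached 'authorized' answer expires, so the TTL bounds how long a
       revocation takes to bite.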
       --azure-container-registry-config=""
              Path to the file containing Azure container registry
              configuration information.

       --bind-address=0.0.0.0
              The IP address on which to listen for the --secure-port port.
              The associated interface(s) must be reachable by the rest of the
              cluster, and by CLI/web clients. If blank or an unspecified
              address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""
              The directory where the TLS certs are located. If --tls-cert-file
              and --tls-private-key-file are provided, this flag will be
              ignored.

       --cidr-allocator-type="RangeAllocator"
              Type of CIDR allocator to use

       --client-ca-file=""
              If set, any request presenting a client certificate signed by one
              of the authorities in the client-ca-file is authenticated with an
              identity corresponding to the CommonName of the client
              certificate.

       --cloud-config=""
              The path to the cloud provider configuration file. Empty string
              for no configuration file.

       --cloud-provider=""
              The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L4 LB traffic proxy & health
              checks

       --cluster-cidr=""
              CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to
              be true

       --cluster-name="kubernetes"
              The instance prefix for the cluster.

       --cluster-signing-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to
              issue cluster-scoped certificates. If specified, no more specific
              --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s
              The max length of duration signed certificates will be given.
              Individual CSRs may request shorter certs by setting
              spec.expirationSeconds.

       --cluster-signing-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used
              to sign cluster-scoped certificates. If specified, no more
              specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to
              issue certificates for the kubernetes.io/kube-apiserver-client
              signer. If specified, --cluster-signing-{cert,key}-file must not
              be set.

       --cluster-signing-kube-apiserver-client-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used
              to sign certificates for the kubernetes.io/kube-apiserver-client
              signer. If specified, --cluster-signing-{cert,key}-file must not
              be set.

       --cluster-signing-kubelet-client-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to
              issue certificates for the
              kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
              --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used
              to sign certificates for the
              kubernetes.io/kube-apiserver-client-kubelet signer. If specified,
              --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to
              issue certificates for the kubernetes.io/kubelet-serving signer.
              If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used
              to sign certificates for the kubernetes.io/kubelet-serving
              signer. If specified, --cluster-signing-{cert,key}-file must not
              be set.

       --cluster-signing-legacy-unknown-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to
              issue certificates for the kubernetes.io/legacy-unknown signer.
              If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used
              to sign certificates for the kubernetes.io/legacy-unknown signer.
              If specified, --cluster-signing-{cert,key}-file must not be set.

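       The two rules the --cluster-signing-* flags above state, as an added
       example written for this page (not the project's own validation code):
       the generic cert/key pair and any per-signer pair are mutually
       exclusive, and --cluster-signing-duration caps what a CSR may request
       through spec.expirationSeconds. The KeyPair and SigningFlags types, the
       CAFor fallback to the generic pair, and the file paths in main() are
       this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// perSignerFlags maps each signer that has its own
// --cluster-signing-<name>-{cert,key}-file flags on this page to that flag
// name fragment.
var perSignerFlags = map[string]string{
	"kubernetes.io/kube-apiserver-client":         "kube-apiserver-client",
	"kubernetes.io/kube-apiserver-client-kubelet": "kubelet-client",
	"kubernetes.io/kubelet-serving":               "kubelet-serving",
	"kubernetes.io/legacy-unknown":                "legacy-unknown",
}

// KeyPair is one cert/key file pair. Field names are this example's own.
type KeyPair struct{ CertFile, KeyFile string }

func (p KeyPair) set() bool { return p.CertFile != "" || p.KeyFile != "" }

// SigningFlags collects the --cluster-signing-* values to validate.
type SigningFlags struct {
	Generic   KeyPair            // --cluster-signing-{cert,key}-file
	PerSigner map[string]KeyPair // keyed by signer name
	Duration  time.Duration      // --cluster-signing-duration
}

// Validate enforces the rule each flag description states: the generic pair
// and any per-signer pair cannot both be given. Unknown signer names are
// rejected rather than ignored, so a misspelt signer cannot silently end up
// signed by the generic CA.
func Validate(f SigningFlags) error {
	for signer, p := range f.PerSigner {
		flag, known := perSignerFlags[signer]
		if !known {
			return fmt.Errorf("no --cluster-signing-*-file flags exist for signer %q", signer)
		}
		if p.set() && f.Generic.set() {
			return fmt.Errorf("--cluster-signing-%s-{cert,key}-file cannot be combined with --cluster-signing-{cert,key}-file", flag)
		}
	}
	if f.Duration <= 0 {
		return errors.New("--cluster-signing-duration must be positive")
	}
	return nil
}

// CAFor returns the pair that issues certificates for a signer: its own pair
// when configured, otherwise the generic cluster-scoped pair (assumed here to
// be the fallback), or false when neither is set.
func CAFor(f SigningFlags, signer string) (KeyPair, bool) {
	if p, ok := f.PerSigner[signer]; ok && p.set() {
		return p, true
	}
	if f.Generic.set() {
		return f.Generic, true
	}
	return KeyPair{}, false
}

// EffectiveDuration applies the cap from --cluster-signing-duration: a CSR may
// ask for a shorter lifetime via spec.expirationSeconds, never a longer one.
// requestedSeconds <= 0 means the CSR did not set the field.
func EffectiveDuration(maxDuration time.Duration, requestedSeconds int32) time.Duration {
	if requestedSeconds <= 0 {
		return maxDuration
	}
	if req := time.Duration(requestedSeconds) * time.Second; req < maxDuration {
		return req
	}
	return maxDuration
}

func main() {
	f := SigningFlags{
		Generic:   KeyPair{"/etc/kubernetes/pki/ca.crt", "/etc/kubernetes/pki/ca.key"}, // placeholder paths
		PerSigner: map[string]KeyPair{"kubernetes.io/kubelet-serving": {"/pki/kubelet.crt", "/pki/kubelet.key"}},
		Duration:  8760 * time.Hour,
	}
	fmt.Println("mixed config:", Validate(f))
	f.Generic = KeyPair{}
	fmt.Println("per-signer only:", Validate(f))
	fmt.Println("1h requested ->", EffectiveDuration(f.Duration, 3600), "; 5y requested ->", EffectiveDuration(f.Duration, 5*365*24*3600))
}
```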
       --concurrent-deployment-syncs=5
              The number of deployment objects that are allowed to sync
              concurrently. Larger number = more responsive deployments, but
              more CPU (and network) load

       --concurrent-endpoint-syncs=5
              The number of endpoint syncing operations that will be done
              concurrently. Larger number = faster endpoint updating, but more
              CPU (and network) load

       --concurrent-ephemeralvolume-syncs=5
              The number of ephemeral volume syncing operations that will be
              done concurrently. Larger number = faster ephemeral volume
              updating, but more CPU (and network) load

       --concurrent-gc-syncs=20
              The number of garbage collector workers that are allowed to sync
              concurrently.

       --concurrent-namespace-syncs=10
              The number of namespace objects that are allowed to sync
              concurrently. Larger number = more responsive namespace
              termination, but more CPU (and network) load

       --concurrent-replicaset-syncs=5
              The number of replica sets that are allowed to sync concurrently.
              Larger number = more responsive replica management, but more CPU
              (and network) load

       --concurrent-resource-quota-syncs=5
              The number of resource quotas that are allowed to sync
              concurrently. Larger number = more responsive quota management,
              but more CPU (and network) load

       --concurrent-service-endpoint-syncs=5
              The number of service endpoint syncing operations that will be
              done concurrently. Larger number = faster endpoint slice
              updating, but more CPU (and network) load. Defaults to 5.

       --concurrent-service-syncs=1
              The number of services that are allowed to sync concurrently.
              Larger number = more responsive service management, but more CPU
              (and network) load

       --concurrent-serviceaccount-token-syncs=5
              The number of service account token objects that are allowed to
              sync concurrently. Larger number = more responsive token
              generation, but more CPU (and network) load

       --concurrent-statefulset-syncs=5
              The number of statefulset objects that are allowed to sync
              concurrently. Larger number = more responsive statefulsets, but
              more CPU (and network) load

       --concurrent-ttl-after-finished-syncs=5
              The number of TTL-after-finished controller workers that are
              allowed to sync concurrently.

       --concurrent_rc_syncs=5
              The number of replication controllers that are allowed to sync
              concurrently. Larger number = more responsive replica
              management, but more CPU (and network) load

       --configure-cloud-routes=true
              Should CIDRs allocated by allocate-node-cidrs be configured on
              the cloud provider.

       --contention-profiling=false
              Enable lock contention profiling, if profiling is enabled

       --controller-start-interval=0s
              Interval between starting controller managers.

       --controllers=[]
              A list of controllers to enable. '' enables all on-by-default
              controllers, 'foo' enables the controller named 'foo', '-foo'
              disables the controller named 'foo'. All controllers:
              attachdetach, bootstrapsigner, cloud-node-lifecycle,
              clusterrole-aggregation, cronjob, csrapproving, csrcleaner,
              csrsigning, daemonset, deployment, disruption, endpoint,
              endpointslice, endpointslicemirroring, ephemeral-volume,
              garbagecollector, horizontalpodautoscaling, job, namespace,
              nodeipam, nodelifecycle, persistentvolume-binder,
              persistentvolume-expander, podgc, pv-protection, pvc-protection,
              replicaset, replicationcontroller, resourcequota,
              root-ca-cert-publisher, route, service, serviceaccount,
              serviceaccount-token, statefulset, tokencleaner, ttl,
              ttl-after-finished. Disabled-by-default controllers:
              bootstrapsigner, tokencleaner

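       The --controllers selection semantics above, as an added example written
       for this page (not kube-controller-manager's own code): the controller
       and disabled-by-default lists are copied from the flag description, an
       explicit 'foo' or '-foo' entry wins over the default, and an empty
       selection (the '' case printed above; the example also accepts a '*'
       entry with the same meaning, an assumption) enables every on-by-default
       controller. Rejecting unknown names is this example's choice, so a typo
       fails loudly instead of leaving the intended controller untouched.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// allControllers and disabledByDefault are the lists printed in the
// --controllers description on this page.
var allControllers = []string{
	"attachdetach", "bootstrapsigner", "cloud-node-lifecycle", "clusterrole-aggregation",
	"cronjob", "csrapproving", "csrcleaner", "csrsigning", "daemonset", "deployment",
	"disruption", "endpoint", "endpointslice", "endpointslicemirroring", "ephemeral-volume",
	"garbagecollector", "horizontalpodautoscaling", "job", "namespace", "nodeipam",
	"nodelifecycle", "persistentvolume-binder", "persistentvolume-expander", "podgc",
	"pv-protection", "pvc-protection", "replicaset", "replicationcontroller", "resourcequota",
	"root-ca-cert-publisher", "route", "service", "serviceaccount", "serviceaccount-token",
	"statefulset", "tokencleaner", "ttl", "ttl-after-finished",
}

var disabledByDefault = map[string]bool{"bootstrapsigner": true, "tokencleaner": true}

// ResolveControllers returns the sorted set of controllers that will run for a
// given --controllers value. An explicit 'foo' / '-foo' entry always wins; an
// empty selection, an empty entry or (assumed) a '*' entry means "every
// on-by-default controller" for names not mentioned explicitly.
func ResolveControllers(selection []string) ([]string, error) {
	known := make(map[string]bool, len(allControllers))
	for _, c := range allControllers {
		known[c] = true
	}
	explicit := map[string]bool{}
	allDefault := len(selection) == 0
	for _, entry := range selection {
		entry = strings.TrimSpace(entry)
		if entry == "" || entry == "*" {
			allDefault = true
			continue
		}
		name := strings.TrimPrefix(entry, "-")
		if !known[name] {
			return nil, fmt.Errorf("unknown controller %q in --controllers", name)
		}
		explicit[name] = !strings.HasPrefix(entry, "-")
	}
	var enabled []string
	for _, c := range allControllers {
		on, isExplicit := explicit[c]
		if !isExplicit {
			on = allDefault && !disabledByDefault[c]
		}
		if on {
			enabled = append(enabled, c)
		}
	}
	sort.Strings(enabled)
	return enabled, nil
}

// Enabled reports whether one controller is in a resolved (sorted) list.
func Enabled(resolved []string, name string) bool {
	i := sort.SearchStrings(resolved, name)
	return i < len(resolved) && resolved[i] == name
}

func main() {
	for _, sel := range [][]string{nil, {"*", "bootstrapsigner", "-ttl"}, {"csrsigning", "csrapproving"}, {"csrsiging"}} {
		r, err := ResolveControllers(sel)
		fmt.Printf("%v -> %d controllers, err=%v\n", sel, len(r), err)
	}
}
```

       Note the asymmetry the flag description implies: naming only
       'csrsigning' runs that controller alone, while '-ttl' on its own
       disables ttl and nothing else, because without the all-default entry no
       other controller is selected.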
       --disable-attach-detach-reconcile-sync=false
              Disable volume attach detach reconciler sync. Disabling this may
              cause volumes to be mismatched with pods. Use wisely.

       --disabled-metrics=[]
              This flag provides an escape hatch for misbehaving metrics. You
              must provide the fully qualified metric name in order to disable
              it. Disclaimer: disabling metrics is higher in precedence than
              showing hidden metrics.

       --enable-dynamic-provisioning=true
              Enable dynamic provisioning for environments that support it.

       --enable-garbage-collector=true
              Enables the generic garbage collector. MUST be synced with the
              corresponding flag of the kube-apiserver.

       --enable-hostpath-provisioner=false
              Enable HostPath PV provisioning when running without a cloud
              provider. This allows testing and development of provisioning
              features. HostPath provisioning is not supported in any way,
              won't work in a multi-node cluster, and should not be used for
              anything other than testing or development.

       --enable-leader-migration=false
              Whether to enable controller leader migration.

       --enable-taint-manager=true
              If set to true, enables NoExecute Taints and evicts every Pod
              that does not tolerate such a Taint from Nodes tainted with it.

       --endpoint-updates-batch-period=0s
              The length of endpoint updates batching period. Processing of
              pod changes will be delayed by this duration to join them with
              potential upcoming updates and reduce the overall number of
              endpoints updates. Larger number = higher endpoint programming
              latency, but lower number of endpoints revision generated

       --endpointslice-updates-batch-period=0s
              The length of endpoint slice updates batching period. Processing
              of pod changes will be delayed by this duration to join them
              with potential upcoming updates and reduce the overall number of
              endpoints updates. Larger number = higher endpoint programming
              latency, but lower number of endpoints revision generated

       --external-cloud-volume-plugin=""
              The plugin to use when cloud provider is set to external. Can be
              empty, should only be set when cloud-provider is external.
              Currently used to allow node and volume controllers to work for
              in tree cloud providers.

       --feature-gates=
              A set of key=value pairs that describe feature gates for
              alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIPriorityAndFairness=true|false (BETA - default=true)
              APIResponseCompression=true|false (BETA - default=true)
              APIServerIdentity=true|false (ALPHA - default=false)
              APIServerTracing=true|false (ALPHA - default=false)
              AllAlpha=true|false (ALPHA - default=false)
              AllBeta=true|false (BETA - default=false)
              AnyVolumeDataSource=true|false (BETA - default=true)
              AppArmor=true|false (BETA - default=true)
              CPUManager=true|false (BETA - default=true)
              CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
              CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
              CPUManagerPolicyOptions=true|false (BETA - default=true)
              CSIMigrationAzureFile=true|false (BETA - default=true)
              CSIMigrationPortworx=true|false (BETA - default=false)
              CSIMigrationRBD=true|false (ALPHA - default=false)
              CSIMigrationvSphere=true|false (BETA - default=true)
              CSINodeExpandSecret=true|false (ALPHA - default=false)
              CSIVolumeHealth=true|false (ALPHA - default=false)
              ContainerCheckpoint=true|false (ALPHA - default=false)
              ContextualLogging=true|false (ALPHA - default=false)
              CronJobTimeZone=true|false (BETA - default=true)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              CustomResourceValidationExpressions=true|false (BETA - default=true)
              DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
              DevicePlugins=true|false (BETA - default=true)
              DisableCloudProviders=true|false (ALPHA - default=false)
              DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
              DownwardAPIHugePages=true|false (BETA - default=true)
              EndpointSliceTerminatingCondition=true|false (BETA - default=true)
              ExpandedDNSConfig=true|false (ALPHA - default=false)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              GRPCContainerProbe=true|false (BETA - default=true)
              GracefulNodeShutdown=true|false (BETA - default=true)
              GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
              HPAContainerMetrics=true|false (ALPHA - default=false)
              HPAScaleToZero=true|false (ALPHA - default=false)
              HonorPVReclaimPolicy=true|false (ALPHA - default=false)
              IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
              InTreePluginAWSUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
              InTreePluginGCEUnregister=true|false (ALPHA - default=false)
              InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
              InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
              InTreePluginRBDUnregister=true|false (ALPHA - default=false)
              InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
              JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
              JobPodFailurePolicy=true|false (ALPHA - default=false)
              JobReadyPods=true|false (BETA - default=true)
              JobTrackingWithFinalizers=true|false (BETA - default=true)
              KMSv2=true|false (ALPHA - default=false)
              KubeletCredentialProviders=true|false (BETA - default=true)
              KubeletInUserNamespace=true|false (ALPHA - default=false)
              KubeletPodResources=true|false (BETA - default=true)
              KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
              KubeletTracing=true|false (ALPHA - default=false)
              LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
              LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
              LogarithmicScaleDown=true|false (BETA - default=true)
              LoggingAlphaOptions=true|false (ALPHA - default=false)
              LoggingBetaOptions=true|false (BETA - default=true)
              MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
              MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
              MemoryManager=true|false (BETA - default=true)
              MemoryQoS=true|false (ALPHA - default=false)
              MinDomainsInPodTopologySpread=true|false (BETA - default=false)
              MixedProtocolLBService=true|false (BETA - default=true)
              MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
              NetworkPolicyStatus=true|false (ALPHA - default=false)
              NodeInclusionPolicyInPodTopologySpread=true|false (ALPHA - default=false)
              NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
              NodeSwap=true|false (ALPHA - default=false)
              OpenAPIEnums=true|false (BETA - default=true)
              OpenAPIV3=true|false (BETA - default=true)
              PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
              PodDeletionCost=true|false (BETA - default=true)
              PodDisruptionConditions=true|false (ALPHA - default=false)
              PodHasNetworkCondition=true|false (ALPHA - default=false)
              ProbeTerminationGracePeriod=true|false (BETA - default=true)
              ProcMountType=true|false (ALPHA - default=false)
              ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
              QOSReserved=true|false (ALPHA - default=false)
              ReadWriteOncePod=true|false (ALPHA - default=false)
              RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
              RemainingItemCount=true|false (BETA - default=true)
              RetroactiveDefaultStorageClass=true|false (ALPHA - default=false)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
              SeccompDefault=true|false (BETA - default=true)
              ServerSideFieldValidation=true|false (BETA - default=true)
              ServiceIPStaticSubrange=true|false (BETA - default=true)
              ServiceInternalTrafficPolicy=true|false (BETA - default=true)
              SizeMemoryBackedVolumes=true|false (BETA - default=true)
              StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
              StorageVersionAPI=true|false (ALPHA - default=false)
              StorageVersionHash=true|false (BETA - default=true)
              TopologyAwareHints=true|false (BETA - default=true)
              TopologyManager=true|false (BETA - default=true)
              UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
              VolumeCapacityPriority=true|false (ALPHA - default=false)
              WinDSR=true|false (ALPHA - default=false)
              WinOverlay=true|false (BETA - default=true)
              WindowsHostProcessContainers=true|false (BETA - default=true)

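       A parser for the --feature-gates value above, as an added example
       written for this page (not the Kubernetes feature-gate implementation):
       it starts from each gate's printed default, applies AllAlpha/AllBeta to
       every gate of that stage, lets an explicitly named gate override them
       regardless of order (the precedence the Kubernetes parser applies, stated
       here as an assumption), and rejects unknown gates or non-boolean values
       so a misspelt gate cannot silently stay at its default. The knownGates
       table is a small subset of the list above; the Stage and GateSpec types
       are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

type Stage string

const (
	Alpha Stage = "ALPHA"
	Beta  Stage = "BETA"
)

// GateSpec is a gate's printed default and stage.
type GateSpec struct {
	Default bool
	Stage   Stage
}

// knownGates is a subset of the --feature-gates list on this page, copied with
// the stage and default printed there.
var knownGates = map[string]GateSpec{
	"APIServerTracing":              {false, Alpha},
	"CSIVolumeHealth":               {false, Alpha},
	"JobPodFailurePolicy":           {false, Alpha},
	"AppArmor":                      {true, Beta},
	"SeccompDefault":                {true, Beta},
	"TopologyAwareHints":            {true, Beta},
	"MinDomainsInPodTopologySpread": {false, Beta},
}

// ParseFeatureGates parses "Gate=bool,Gate=bool,...". Stage-wide keys
// (AllAlpha, AllBeta) are applied first and explicit gates last, so an explicit
// setting always wins whatever its position in the string.
func ParseFeatureGates(spec string) (map[string]bool, error) {
	enabled := make(map[string]bool, len(knownGates))
	for name, g := range knownGates {
		enabled[name] = g.Default
	}
	if strings.TrimSpace(spec) == "" {
		return enabled, nil
	}
	explicit := map[string]bool{}
	stageWide := map[Stage]bool{}
	for _, kv := range strings.Split(spec, ",") {
		parts := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("missing bool value for %q", kv)
		}
		key, val := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
		b, err := strconv.ParseBool(val)
		if err != nil {
			return nil, fmt.Errorf("invalid value %q for feature gate %s", val, key)
		}
		switch key {
		case "AllAlpha":
			stageWide[Alpha] = b
		case "AllBeta":
			stageWide[Beta] = b
		default:
			if _, ok := knownGates[key]; !ok {
				return nil, fmt.Errorf("unrecognized feature gate: %s", key)
			}
			explicit[key] = b
		}
	}
	for name, g := range knownGates {
		if v, ok := stageWide[g.Stage]; ok {
			enabled[name] = v
		}
	}
	for name, v := range explicit {
		enabled[name] = v
	}
	return enabled, nil
}

// EnabledGates returns the sorted names of the gates that end up on, the form
// worth logging at startup so an audit can see what was actually enabled.
func EnabledGates(m map[string]bool) []string {
	var on []string
	for name, v := range m {
		if v {
			on = append(on, name)
		}
	}
	sort.Strings(on)
	return on
}

func main() {
	for _, spec := range []string{"", "AllAlpha=true,APIServerTracing=false", "AllBeta=false", "Bogus=true", "AppArmor=maybe"} {
		m, err := ParseFeatureGates(spec)
		fmt.Printf("%-40q -> %v err=%v\n", spec, EnabledGates(m), err)
	}
}
```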
       --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
              Full path of the directory in which the flex volume plugin
              should search for additional third party volume plugins.

       -h, --help=false
              help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period=5m0s
              The period after pod start when CPU samples might be skipped.

       --horizontal-pod-autoscaler-downscale-delay=5m0s
              The period since last downscale, before another downscale can be
              performed in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-downscale-stabilization=5m0s
              The period for which autoscaler will look backwards and not
              scale down below any recommendation it made during that period.

       --horizontal-pod-autoscaler-initial-readiness-delay=30s
              The period after pod start during which readiness changes will
              be treated as initial readiness.

       --horizontal-pod-autoscaler-sync-period=15s
              The period for syncing the number of pods in horizontal pod
              autoscaler.

       --horizontal-pod-autoscaler-tolerance=0.1
              The minimum change (from 1.0) in the desired-to-actual metrics
              ratio for the horizontal pod autoscaler to consider scaling.

       --horizontal-pod-autoscaler-upscale-delay=3m0s
              The period since last upscale, before another upscale can be
              performed in horizontal pod autoscaler.

       --http2-max-streams-per-connection=0
              The limit that the server gives to clients for the maximum
              number of streams in an HTTP/2 connection. Zero means to use
              golang's default.

       --kube-api-burst=30
              Burst to use while talking with kubernetes apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
              Content type of requests sent to apiserver.

       --kube-api-qps=20
              QPS to use while talking with kubernetes apiserver.

       --kubeconfig=""
              Path to kubeconfig file with authorization and master location
              information.

       --large-cluster-size-threshold=50
              Number of nodes from which NodeController treats the cluster as
              large for the eviction logic purposes.
              --secondary-node-eviction-rate is implicitly overridden to 0 for
              clusters this size or smaller.

       --leader-elect=true
              Start a leader election client and gain leadership before
              executing the main loop. Enable this when running replicated
              components for high availability.

       --leader-elect-lease-duration=15s
              The duration that non-leader candidates will wait after
              observing a leadership renewal until attempting to acquire
              leadership of a led but unrenewed leader slot. This is
              effectively the maximum duration that a leader can be stopped
              before it is replaced by another candidate. This is only
              applicable if leader election is enabled.

       --leader-elect-renew-deadline=10s
              The interval between attempts by the acting master to renew a
              leadership slot before it stops leading. This must be less than
              or equal to the lease duration. This is only applicable if
              leader election is enabled.

       --leader-elect-resource-lock="leases"
              The type of resource object that is used for locking during
              leader election. Supported options are 'leases',
              'endpointsleases' and 'configmapsleases'.

       --leader-elect-resource-name="kube-controller-manager"
              The name of resource object that is used for locking during
              leader election.

       --leader-elect-resource-namespace="kube-system"
              The namespace of resource object that is used for locking during
              leader election.

       --leader-elect-retry-period=2s
              The duration the clients should wait between attempting
              acquisition and renewal of a leadership. This is only applicable
              if leader election is enabled.

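       The timing relationship the --leader-elect-* flags above describe, as an
       added example written for this page (not the client-go leader election
       code): the renew deadline is checked against the lease duration as the
       description requires, and a simulated failover shows that a leader which
       stops renewing is replaced once a full lease duration has elapsed, at
       the candidate's next retry tick. The LeaderElectionConfig and Lease
       types, the "kcm-old"/"kcm-new" identities and the two-lease-duration
       bound on the simulation are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// LeaderElectionConfig holds the three timing flags; field names are this
// example's own.
type LeaderElectionConfig struct {
	LeaseDuration time.Duration // --leader-elect-lease-duration
	RenewDeadline time.Duration // --leader-elect-renew-deadline
	RetryPeriod   time.Duration // --leader-elect-retry-period
}

// Validate checks the constraint the flag descriptions state: the renew
// deadline must not exceed the lease duration, otherwise a leader could still
// be retrying a renewal after candidates are already allowed to take the lease.
func (c LeaderElectionConfig) Validate() error {
	if c.RenewDeadline > c.LeaseDuration {
		return fmt.Errorf("renew-deadline %s exceeds lease-duration %s", c.RenewDeadline, c.LeaseDuration)
	}
	if c.RetryPeriod <= 0 {
		return fmt.Errorf("retry-period must be positive")
	}
	return nil
}

// Lease models the lock record (by default a Lease named
// kube-controller-manager in the kube-system namespace).
type Lease struct {
	Holder    string
	RenewTime time.Time
}

// Expired reports whether the lease has gone unrenewed for a full
// LeaseDuration, the point at which a candidate may take it.
func (l Lease) Expired(now time.Time, c LeaderElectionConfig) bool {
	return !now.Before(l.RenewTime.Add(c.LeaseDuration))
}

// TryAcquireOrRenew is the step every instance runs once per RetryPeriod: the
// holder renews; a candidate acquires only an empty or expired lease.
func TryAcquireOrRenew(l *Lease, id string, now time.Time, c LeaderElectionConfig) bool {
	if l.Holder == id || l.Holder == "" || l.Expired(now, c) {
		l.Holder, l.RenewTime = id, now
		return true
	}
	return false
}

// Failover simulates a leader that last renewed at lastRenew and then stopped
// (crashed, partitioned, paused). The candidate polls every RetryPeriod from
// start; the returned time is when it becomes leader. A zero time means it
// never did within two lease durations, e.g. because the config is invalid.
func Failover(c LeaderElectionConfig, lastRenew, start time.Time, candidate string) time.Time {
	if c.Validate() != nil {
		return time.Time{}
	}
	lease := Lease{Holder: "kcm-old", RenewTime: lastRenew}
	deadline := lastRenew.Add(2 * c.LeaseDuration)
	for t := start; !t.After(deadline); t = t.Add(c.RetryPeriod) {
		if TryAcquireOrRenew(&lease, candidate, t, c) {
			return t
		}
	}
	return time.Time{}
}

func main() {
	defaults := LeaderElectionConfig{LeaseDuration: 15 * time.Second, RenewDeadline: 10 * time.Second, RetryPeriod: 2 * time.Second}
	t0 := time.Unix(0, 0)
	took := Failover(defaults, t0.Add(100*time.Second), t0, "kcm-new")
	fmt.Printf("old leader last renewed at +100s; new leader acquired at +%v\n", took.Sub(t0))
	bad := LeaderElectionConfig{LeaseDuration: 15 * time.Second, RenewDeadline: 20 * time.Second, RetryPeriod: 2 * time.Second}
	fmt.Println("invalid config:", bad.Validate())
}
```

       With the defaults printed above, the lease last renewed at +100s
       expires at +115s and the candidate, polling on even seconds, takes it at
       +116s: the lease duration is the outage a stalled leader can cause, and
       the retry period adds at most one more tick.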
       --leader-migration-config=""
              Path to the config file for controller leader migration, or
              empty to use the value that reflects default configuration of
              the controller manager. The config file should be of type
              LeaderMigrationConfiguration, group
              controllermanager.config.k8s.io, version v1alpha1.

       --log-flush-frequency=5s
              Maximum number of seconds between log flushes

       --log_backtrace_at=:0
              when logging hits line file:N, emit a stack trace

       --log_dir=""
              If non-empty, write log files in this directory (no effect when
              -logtostderr=true)

       --log_file=""
              If non-empty, use this log file (no effect when
              -logtostderr=true)

       --log_file_max_size=1800
              Defines the maximum size a log file can grow to (no effect when
              -logtostderr=true). Unit is megabytes. If the value is 0, the
              maximum file size is unlimited.

       --logging-format="text"
              Sets the log format. Permitted formats: "text". Non-default
              formats don't honor these flags: --add-dir-header,
              --alsologtostderr, --log-backtrace-at, --log-dir, --log-file,
              --log-file-max-size, --logtostderr, --one-output,
              --skip-headers, --skip-log-headers, --stderrthreshold,
              --vmodule. Non-default choices are currently alpha and subject
              to change without warning.

       --logtostderr=true
              log to standard error instead of files

       --master=""
              The address of the Kubernetes API server (overrides any value in
              kubeconfig).

       --max-endpoints-per-slice=100
              The maximum number of endpoints that will be added to an
              EndpointSlice. More endpoints per slice will result in fewer
              endpoint slices, but larger resources. Defaults to 100.

       --min-resync-period=12h0m0s
              The resync period in reflectors will be random between
              MinResyncPeriod and 2*MinResyncPeriod.

       --mirroring-concurrent-service-endpoint-syncs=5
              The number of service endpoint syncing operations that will be
              done concurrently by the EndpointSliceMirroring controller.
              Larger number = faster endpoint slice updating, but more CPU
              (and network) load. Defaults to 5.

       --mirroring-endpointslice-updates-batch-period=0s
              The length of EndpointSlice updates batching period for
              EndpointSliceMirroring controller. Processing of EndpointSlice
              changes will be delayed by this duration to join them with
              potential upcoming updates and reduce the overall number of
              EndpointSlice updates. Larger number = higher endpoint
              programming latency, but lower number of endpoints revision
              generated

       --mirroring-max-endpoints-per-subset=1000
              The maximum number of endpoints that will be added to an
              EndpointSlice by the EndpointSliceMirroring controller. More
              endpoints per slice will result in fewer endpoint slices, but
              larger resources. Defaults to 100.

       --namespace-sync-period=5m0s
              The period for syncing namespace life-cycle updates

       --node-cidr-mask-size=0
              Mask size for node cidr in cluster. Default is 24 for IPv4 and
              64 for IPv6.

       --node-cidr-mask-size-ipv4=0
              Mask size for IPv4 node cidr in dual-stack cluster. Default is
              24.

       --node-cidr-mask-size-ipv6=0
              Mask size for IPv6 node cidr in dual-stack cluster. Default is
              64.

       --node-eviction-rate=0.1
              Number of nodes per second on which pods are deleted in case of
              node failure when a zone is healthy (see
              --unhealthy-z-threshold for definition of healthy/unhealthy).
              Zone refers to entire cluster in non-multizone clusters.

       --node-monitor-grace-period=40s
              Amount of time that a running Node is allowed to be unresponsive
              before it is marked unhealthy. Must be N times more than
              kubelet's nodeStatusUpdateFrequency, where N means the number of
              retries allowed for kubelet to post node status.

       --node-monitor-period=5s
              The period for syncing NodeStatus in NodeController.

       --node-startup-grace-period=1m0s
              Amount of time that a starting Node is allowed to be
              unresponsive before it is marked unhealthy.

       --node-sync-period=0s
              This flag is deprecated and will be removed in future releases.
              See node-monitor-period for Node health checking or
              route-reconciliation-period for cloud provider's route
              configuration settings.

       --one_output=false
              If true, only write logs to their native severity level (vs also
              writing to each lower severity level; no effect when
              -logtostderr=true)

       --permit-address-sharing=false
              If true, SO_REUSEADDR will be used when binding the port. This
              allows binding to wildcard IPs like 0.0.0.0 and specific IPs in
              parallel, and it avoids waiting for the kernel to release
              sockets in TIME_WAIT state. [default=false]

       --permit-port-sharing=false
              If true, SO_REUSEPORT will be used when binding the port, which
              allows more than one instance to bind on the same address and
              port. [default=false]

       --pod-eviction-timeout=5m0s
              The grace period for deleting pods on failed nodes.

       --profiling=true
              Enable profiling via web interface host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs=30
              The increment of time added per Gi to ActiveDeadlineSeconds for
              an NFS scrubber pod

       --pv-recycler-minimum-timeout-hostpath=60
              The minimum ActiveDeadlineSeconds to use for a HostPath Recycler
              pod. This is for development and testing only and will not work
              in a multi-node cluster.

       --pv-recycler-minimum-timeout-nfs=300
              The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod

       --pv-recycler-pod-template-filepath-hostpath=""
              The file path to a pod definition used as a template for
              HostPath persistent volume recycling. This is for development
              and testing only and will not work in a multi-node cluster.

       --pv-recycler-pod-template-filepath-nfs=""
              The file path to a pod definition used as a template for NFS
              persistent volume recycling

       --pv-recycler-timeout-increment-hostpath=30
              The increment of time added per Gi to ActiveDeadlineSeconds for
              a HostPath scrubber pod. This is for development and testing
              only and will not work in a multi-node cluster.

       --pvclaimbinder-sync-period=15s
              The period for syncing persistent volumes and persistent volume
              claims

       --requestheader-allowed-names=[]
              List of client certificate common names to allow to provide
              usernames in headers specified by
              --requestheader-username-headers. If empty, any client
              certificate validated by the authorities in
              --requestheader-client-ca-file is allowed.

       --requestheader-client-ca-file=""
              Root certificate bundle to use to verify client certificates on
              incoming requests before trusting usernames in headers specified
              by --requestheader-username-headers. WARNING: generally do not
              depend on authorization being already done for incoming
              requests.

       --requestheader-extra-headers-prefix=[x-remote-extra-]
              List of request header prefixes to inspect. X-Remote-Extra- is
              suggested.

       --requestheader-group-headers=[x-remote-group]
              List of request headers to inspect for groups. X-Remote-Group is
              suggested.

       --requestheader-username-headers=[x-remote-user]
              List of request headers to inspect for usernames. X-Remote-User
              is common.

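       The trust rule behind the --requestheader-* flags above, as an added
       example written for this page (not the project's request-header
       authenticator): identity headers are honoured only after the caller's
       client certificate has verified against --requestheader-client-ca-file
       and, when --requestheader-allowed-names is non-empty, its CommonName is
       listed. The TLS verification itself is left to the caller, who passes
       the verified CN; the RequestHeaderConfig and Identity types, the
       "front-proxy-client" CN and the header values in main() are this
       example's constructions. The header names and prefix are the defaults
       printed above.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// RequestHeaderConfig mirrors the --requestheader-* flags; field names are
// this example's own.
type RequestHeaderConfig struct {
	AllowedNames       []string // --requestheader-allowed-names
	UsernameHeaders    []string // --requestheader-username-headers
	GroupHeaders       []string // --requestheader-group-headers
	ExtraHeadersPrefix []string // --requestheader-extra-headers-prefix
}

// Identity is what the front-proxy headers assert about the caller.
type Identity struct {
	User   string
	Groups []string
	Extra  map[string][]string
}

// IdentityFromProxyHeaders trusts X-Remote-* style headers only after the
// client certificate has chained to the requestheader CA (verifiedCN is that
// certificate's CN, or "" when no certificate verified) and, if allowed-names
// is set, the CN is listed. Skipping either check would let any caller on the
// secure port claim any username simply by sending the header.
func IdentityFromProxyHeaders(cfg RequestHeaderConfig, verifiedCN string, h http.Header) (*Identity, error) {
	if verifiedCN == "" {
		return nil, errors.New("no client certificate verified against the requestheader CA; headers ignored")
	}
	if len(cfg.AllowedNames) > 0 && !contains(cfg.AllowedNames, verifiedCN) {
		return nil, fmt.Errorf("client certificate CN %q is not in --requestheader-allowed-names", verifiedCN)
	}
	id := &Identity{Extra: map[string][]string{}}
	for _, name := range cfg.UsernameHeaders {
		if v := h.Values(name); len(v) > 0 && v[0] != "" {
			id.User = v[0] // first configured header carrying a value wins
			break
		}
	}
	if id.User == "" {
		return nil, errors.New("proxy presented a valid certificate but no username header")
	}
	for _, name := range cfg.GroupHeaders {
		id.Groups = append(id.Groups, h.Values(name)...)
	}
	for key, vals := range h {
		lk := strings.ToLower(key)
		for _, prefix := range cfg.ExtraHeadersPrefix {
			if lp := strings.ToLower(prefix); strings.HasPrefix(lk, lp) {
				extraKey := strings.TrimPrefix(lk, lp)
				id.Extra[extraKey] = append(id.Extra[extraKey], vals...)
			}
		}
	}
	return id, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// DefaultRequestHeaderConfig returns the header names printed on this page,
// plus a constructed allowed-names entry.
func DefaultRequestHeaderConfig() RequestHeaderConfig {
	return RequestHeaderConfig{
		AllowedNames:       []string{"front-proxy-client"}, // constructed CN
		UsernameHeaders:    []string{"x-remote-user"},
		GroupHeaders:       []string{"x-remote-group"},
		ExtraHeadersPrefix: []string{"x-remote-extra-"},
	}
}

func main() {
	h := http.Header{}
	h.Set("X-Remote-User", "alice")
	h.Add("X-Remote-Group", "dev")
	h.Add("X-Remote-Group", "ops")
	h.Set("X-Remote-Extra-Scopes", "read")
	id, err := IdentityFromProxyHeaders(DefaultRequestHeaderConfig(), "front-proxy-client", h)
	fmt.Printf("%+v err=%v\n", id, err)
	_, err = IdentityFromProxyHeaders(DefaultRequestHeaderConfig(), "", h)
	fmt.Println("same headers without a verified client certificate:", err)
}
```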
       --resource-quota-sync-period=5m0s
              The period for syncing quota usage status in the system

       --root-ca-file=""
              If set, this root certificate authority will be included in
              service account's token secret. This must be a valid PEM-encoded
              CA bundle.

       --route-reconciliation-period=10s
              The period for reconciling routes created for Nodes by cloud
              provider.

       --secondary-node-eviction-rate=0.01
              Number of nodes per second on which pods are deleted in case of
              node failure when a zone is unhealthy (see
              --unhealthy-zone-threshold for definition of healthy/unhealthy).
              Zone refers to entire cluster in non-multizone clusters. This
              value is implicitly overridden to 0 if the cluster size is
              smaller than --large-cluster-size-threshold.

777 --secure-port=10257 The port on which to serve HTTPS with authen‐
778 tication and authorization. If 0, don't serve HTTPS at all.
779
780
781 --service-account-private-key-file="" Filename containing a PEM-
782 encoded private RSA or ECDSA key used to sign service account tokens.
783
784
785 --service-cluster-ip-range="" CIDR Range for Services in cluster.
786 Requires --allocate-node-cidrs to be true
787
788
789 --show-hidden-metrics-for-version="" The previous version for
790 which you want to show hidden metrics. Only the previous minor version
791 is meaningful, other values will not be allowed. The format is ., e.g.:
792 '1.16'. The purpose of this format is make sure you have the opportu‐
793 nity to notice if the next release hides additional metrics, rather
794 than being surprised when they are permanently removed in the release
795 after that.
796
797
798 --skip_headers=false If true, avoid header prefixes in the log
799 messages
800
801
802 --skip_log_headers=false If true, avoid headers when opening log
803 files (no effect when -logtostderr=true)
804
805
806 --stderrthreshold=2 logs at or above this threshold go to stderr
807 when writing to files and stderr (no effect when -logtostderr=true or
808 -alsologtostderr=false)
809
810
811 --terminated-pod-gc-threshold=12500 Number of terminated pods that
812 can exist before the terminated pod garbage collector starts deleting
813 terminated pods. If <= 0, the terminated pod garbage collector is dis‐
814 abled.
815
816
817 --tls-cert-file="" File containing the default x509 Certificate
818 for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
819 serving is enabled, and --tls-cert-file and --tls-private-key-file are
820 not provided, a self-signed certificate and key are generated for the
821 public address and saved to the directory specified by --cert-dir.
822
823
824 --tls-cipher-suites=[] Comma-separated list of cipher suites for
825 the server. If omitted, the default Go cipher suites will be used.
826 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
827 TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
828 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
829 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
830 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
831 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
832 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
833 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
834 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
835 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
836 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
837 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
838 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
839 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
840 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Inse‐
841 cure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
842 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
843 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
844 TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
845 TLS_RSA_WITH_RC4_128_SHA.
846
847
848 --tls-min-version="" Minimum TLS version supported. Possible val‐
849 ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
850
851
852 --tls-private-key-file="" File containing the default x509 private
853 key matching --tls-cert-file.
854
855
856 --tls-sni-cert-key=[] A pair of x509 certificate and private key
857 file paths, optionally suffixed with a list of domain patterns which
858 are fully qualified domain names, possibly with prefixed wildcard seg‐
859 ments. The domain patterns also allow IP addresses, but IPs should only
860 be used if the apiserver has visibility to the IP address requested by
861 a client. If no domain patterns are provided, the names of the certifi‐
862 cate are extracted. Non-wildcard matches trump over wildcard matches,
863 explicit domain patterns trump over extracted names. For multiple
864 key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
865 ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
866
867
868 --unhealthy-zone-threshold=0.55 Fraction of Nodes in a zone which
869 needs to be not Ready (minimum 3) for zone to be treated as unhealthy.
870
871
872 --use-service-account-credentials=false If true, use individual
873 service account credentials for each controller.
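The --requestheader-*, --tls-* and --use-service-account-credentials flags above are the ones worth auditing on a running control plane. The following is an added example, not Kubernetes project code: it parses a kube-controller-manager command line and reports settings the man page marks as insecure or that widen trust (any front-proxy certificate accepted, shared controller identity). The sample command lines, the file path and the common name are constructed.

```python
"""Audit a kube-controller-manager command line for weak TLS and auth settings.
Added example, not code from the Kubernetes project; cipher and version names
are the ones the man page lists, the sample command lines are constructed."""
from typing import Dict, List

# Cipher suites the man page lists as "Insecure values" for --tls-cipher-suites.
INSECURE_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_RC4_128_SHA",
}
# Accepted --tls-min-version values, weakest first.
TLS_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def parse_flags(argv: List[str]) -> Dict[str, str]:
    """Map '--key=value' to {'key': 'value'}; a bare '--key' means 'true'."""
    flags: Dict[str, str] = {}
    for arg in argv:
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            flags[key] = value if sep else "true"
    return flags


def audit_flags(argv: List[str]) -> List[str]:
    """Return one finding per weak setting; an empty list means none found."""
    f = parse_flags(argv)
    out: List[str] = []
    for suite in f.get("tls-cipher-suites", "").split(","):
        if suite in INSECURE_SUITES:
            out.append(f"insecure cipher suite enabled: {suite}")
    ver = f.get("tls-min-version", "")
    if ver and ver not in TLS_VERSIONS:
        out.append(f"unknown tls-min-version: {ver}")
    elif ver and TLS_VERSIONS.index(ver) < TLS_VERSIONS.index("VersionTLS12"):
        out.append(f"tls-min-version {ver} admits pre-TLS1.2 clients")
    if f.get("secure-port") == "0":
        out.append("secure-port=0: authenticated HTTPS endpoint disabled")
    if f.get("use-service-account-credentials", "false") != "true":  # default is false
        out.append("use-service-account-credentials=false: all controllers share one identity")
    if f.get("requestheader-client-ca-file") and not f.get("requestheader-allowed-names"):
        out.append("requestheader-allowed-names empty: any cert from the front-proxy CA may set user headers")
    return out


# Constructed samples (paths and names are placeholders, not real cluster values).
WEAK = ["kube-controller-manager", "--tls-min-version=VersionTLS10",
        "--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA",
        "--requestheader-client-ca-file=/etc/k8s/front-proxy-ca.crt"]
HARDENED = ["kube-controller-manager", "--tls-min-version=VersionTLS12",
            "--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "--use-service-account-credentials=true",
            "--requestheader-client-ca-file=/etc/k8s/front-proxy-ca.crt",
            "--requestheader-allowed-names=front-proxy-client"]
```

Run `audit_flags` over the argv taken from the static pod manifest or process list of each control-plane node; a clean run returns an empty list.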

       -v, --v=0    Number for the log level verbosity.

       --version=false    Print version information and quit.

       --vmodule=    Comma-separated list of pattern=N settings for file-filtered logging (only works for the text log format).

       --volume-host-allow-local-loopback=true    If false, deny local loopback IPs in addition to any CIDR ranges in --volume-host-cidr-denylist.

       --volume-host-cidr-denylist=[]    A comma-separated list of CIDR ranges that volume plugins must avoid.

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the kubernetes source material, but hopefully they have been automatically generated since!