KUBERNETES(1)(kubernetes)                              KUBERNETES(1)(kubernetes)

Eric Paris  Jan 2015

NAME
       kube-controller-manager -

SYNOPSIS
       kube-controller-manager [OPTIONS]

DESCRIPTION
       The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.

OPTIONS
       --allocate-node-cidrs=false
              Should CIDRs for Pods be allocated and set on the cloud provider.

       --allow-metric-labels=[]
              The map from metric-label to value allow-list of this label. The key's format is <MetricName>,<LabelName>. The value's format is <allowed_value>,<allowed_value>..., e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'.

       --allow-untagged-cloud=false
              Allow the cluster to run without the cluster-id on cloud instances. This is a legacy mode of operation and a cluster-id will be required in the future.

       --attach-detach-reconcile-sync-period=1m0s
              The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods.

       --authentication-kubeconfig=""
              kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

       --authentication-skip-lookup=false
              If false, the authentication-kubeconfig will be used to look up missing authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s
              The duration to cache responses from the webhook token authenticator.

       --authentication-tolerate-lookup-failure=false
              If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

       --authorization-always-allow-paths=[/healthz,/readyz,/livez]
              A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""
              kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s
              The duration to cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s
              The duration to cache 'unauthorized' responses from the webhook authorizer.

       --azure-container-registry-config=""
              Path to the file containing Azure container registry configuration information.

       --bind-address=0.0.0.0
              The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""
              The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

       --cidr-allocator-type="RangeAllocator"
              Type of CIDR allocator to use.

       --client-ca-file=""
              If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

       --cloud-config=""
              The path to the cloud provider configuration file. Empty string for no configuration file.

       --cloud-provider=""
              The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks.

       --cluster-cidr=""
              CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true.

       --cluster-name="kubernetes"
              The instance prefix for the cluster.

       --cluster-signing-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s
              The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.

       --cluster-signing-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kube-apiserver-client-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-cert-file=""
              Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""
              Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --concurrent-deployment-syncs=5
              The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load.

       --concurrent-endpoint-syncs=5
              The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load.

       --concurrent-ephemeralvolume-syncs=5
              The number of ephemeral volume syncing operations that will be done concurrently. Larger number = faster ephemeral volume updating, but more CPU (and network) load.

       --concurrent-gc-syncs=20
              The number of garbage collector workers that are allowed to sync concurrently.

       --concurrent-horizontal-pod-autoscaler-syncs=5
              The number of horizontal pod autoscaler objects that are allowed to sync concurrently. Larger number = more responsive horizontal pod autoscaler objects processing, but more CPU (and network) load.

       --concurrent-namespace-syncs=10
              The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load.

       --concurrent-replicaset-syncs=5
              The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load.

       --concurrent-resource-quota-syncs=5
              The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load.

       --concurrent-service-endpoint-syncs=5
              The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

       --concurrent-service-syncs=1
              The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load.

       --concurrent-serviceaccount-token-syncs=5
              The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load.

       --concurrent-statefulset-syncs=5
              The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load.

       --concurrent-ttl-after-finished-syncs=5
              The number of TTL-after-finished controller workers that are allowed to sync concurrently.

       --concurrent_rc_syncs=5
              The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load.

       --configure-cloud-routes=true
              Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.

       --contention-profiling=false
              Enable lock contention profiling, if profiling is enabled.

       --controller-start-interval=0s
              Interval between starting controller managers.

       --controllers=[]
              A list of controllers to enable. '' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'. All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished. Disabled-by-default controllers: bootstrapsigner, tokencleaner.

       --disable-attach-detach-reconcile-sync=false
              Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.

       --disabled-metrics=[]
              This flag provides an escape hatch for misbehaving metrics. You must provide the fully qualified metric name in order to disable it. Disclaimer: disabling metrics is higher in precedence than showing hidden metrics.

       --enable-dynamic-provisioning=true
              Enable dynamic provisioning for environments that support it.

       --enable-garbage-collector=true
              Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver.

       --enable-hostpath-provisioner=false
              Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.

       --enable-leader-migration=false
              Whether to enable controller leader migration.

       --enable-taint-manager=true
              If set to true, enables NoExecute taints and evicts all non-tolerating Pods running on Nodes tainted with this kind of taint.

       --endpoint-updates-batch-period=0s
              The length of the endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoint updates. Larger number = higher endpoint programming latency, but fewer endpoint revisions generated.

       --endpointslice-updates-batch-period=0s
              The length of the endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoint updates. Larger number = higher endpoint programming latency, but fewer endpoint revisions generated.

       --external-cloud-volume-plugin=""
              The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in-tree cloud providers.

       --feature-gates=
              A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIPriorityAndFairness=true|false (BETA - default=true)
              APIResponseCompression=true|false (BETA - default=true)
              APISelfSubjectReview=true|false (ALPHA - default=false)
              APIServerIdentity=true|false (BETA - default=true)
              APIServerTracing=true|false (ALPHA - default=false)
              AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)
              AllAlpha=true|false (ALPHA - default=false)
              AllBeta=true|false (BETA - default=false)
              AnyVolumeDataSource=true|false (BETA - default=true)
              AppArmor=true|false (BETA - default=true)
              CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
              CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
              CPUManagerPolicyOptions=true|false (BETA - default=true)
              CSIMigrationPortworx=true|false (BETA - default=false)
              CSIMigrationRBD=true|false (ALPHA - default=false)
              CSINodeExpandSecret=true|false (ALPHA - default=false)
              CSIVolumeHealth=true|false (ALPHA - default=false)
              ComponentSLIs=true|false (ALPHA - default=false)
              ContainerCheckpoint=true|false (ALPHA - default=false)
              ContextualLogging=true|false (ALPHA - default=false)
              CronJobTimeZone=true|false (BETA - default=true)
              CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              CustomResourceValidationExpressions=true|false (BETA - default=true)
              DisableCloudProviders=true|false (ALPHA - default=false)
              DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
              DownwardAPIHugePages=true|false (BETA - default=true)
              DynamicResourceAllocation=true|false (ALPHA - default=false)
              EventedPLEG=true|false (ALPHA - default=false)
              ExpandedDNSConfig=true|false (BETA - default=true)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              GRPCContainerProbe=true|false (BETA - default=true)
              GracefulNodeShutdown=true|false (BETA - default=true)
              GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
              HPAContainerMetrics=true|false (ALPHA - default=false)
              HPAScaleToZero=true|false (ALPHA - default=false)
              HonorPVReclaimPolicy=true|false (ALPHA - default=false)
              IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
              InTreePluginAWSUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
              InTreePluginGCEUnregister=true|false (ALPHA - default=false)
              InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
              InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
              InTreePluginRBDUnregister=true|false (ALPHA - default=false)
              InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
              JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
              JobPodFailurePolicy=true|false (BETA - default=true)
              JobReadyPods=true|false (BETA - default=true)
              KMSv2=true|false (ALPHA - default=false)
              KubeletInUserNamespace=true|false (ALPHA - default=false)
              KubeletPodResources=true|false (BETA - default=true)
              KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
              KubeletTracing=true|false (ALPHA - default=false)
              LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
              LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
              LogarithmicScaleDown=true|false (BETA - default=true)
              LoggingAlphaOptions=true|false (ALPHA - default=false)
              LoggingBetaOptions=true|false (BETA - default=true)
              MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
              MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
              MemoryManager=true|false (BETA - default=true)
              MemoryQoS=true|false (ALPHA - default=false)
              MinDomainsInPodTopologySpread=true|false (BETA - default=false)
              MinimizeIPTablesRestore=true|false (ALPHA - default=false)
              MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
              NetworkPolicyStatus=true|false (ALPHA - default=false)
              NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
              NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
              NodeSwap=true|false (ALPHA - default=false)
              OpenAPIEnums=true|false (BETA - default=true)
              OpenAPIV3=true|false (BETA - default=true)
              PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)
              PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
              PodDeletionCost=true|false (BETA - default=true)
              PodDisruptionConditions=true|false (BETA - default=true)
              PodHasNetworkCondition=true|false (ALPHA - default=false)
              PodSchedulingReadiness=true|false (ALPHA - default=false)
              ProbeTerminationGracePeriod=true|false (BETA - default=true)
              ProcMountType=true|false (ALPHA - default=false)
              ProxyTerminatingEndpoints=true|false (BETA - default=true)
              QOSReserved=true|false (ALPHA - default=false)
              ReadWriteOncePod=true|false (ALPHA - default=false)
              RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
              RemainingItemCount=true|false (BETA - default=true)
              RetroactiveDefaultStorageClass=true|false (BETA - default=true)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
              SeccompDefault=true|false (BETA - default=true)
              ServerSideFieldValidation=true|false (BETA - default=true)
              SizeMemoryBackedVolumes=true|false (BETA - default=true)
              StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
              StatefulSetStartOrdinal=true|false (ALPHA - default=false)
              StorageVersionAPI=true|false (ALPHA - default=false)
              StorageVersionHash=true|false (BETA - default=true)
              TopologyAwareHints=true|false (BETA - default=true)
              TopologyManager=true|false (BETA - default=true)
              TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
              TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
              TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
              UnauthenticatedHTTP2DOSMitigation=true|false (BETA - default=false)
              UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
              ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
              VolumeCapacityPriority=true|false (ALPHA - default=false)
              WinDSR=true|false (ALPHA - default=false)
              WinOverlay=true|false (BETA - default=true)
              WindowsHostNetwork=true|false (ALPHA - default=true)

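       As an added example (not part of this man page or of Kubernetes), the following validator parses a --feature-gates value against the gate table above: it rejects malformed pairs and unknown gate names, lists gates moved away from their documented default, and calls out alpha gates that are being switched on. The names GATES, GateReport, parse_feature_gates and effective_gates are this example's own; GATES is a constructed subset of the gates listed above, and the AllAlpha/AllBeta resolution in effective_gates is an assumption about their semantics, not something the man page states.

```python
# Added example: validate a kube-controller-manager --feature-gates value
# against the gate table from the man page. Not Kubernetes code.
from dataclasses import dataclass, field

# Constructed subset of the gates listed above: name -> (stage, default).
GATES = {
    "AllAlpha": ("ALPHA", False),
    "AllBeta": ("BETA", False),
    "APIServerTracing": ("ALPHA", False),
    "AppArmor": ("BETA", True),
    "KMSv2": ("ALPHA", False),
    "LegacyServiceAccountTokenTracking": ("ALPHA", False),
    "RotateKubeletServerCertificate": ("BETA", True),
    "SeccompDefault": ("BETA", True),
    "UnauthenticatedHTTP2DOSMitigation": ("BETA", False),
    "ValidatingAdmissionPolicy": ("ALPHA", False),
}


@dataclass
class GateReport:
    enabled: dict = field(default_factory=dict)   # gate -> bool, as parsed
    errors: list = field(default_factory=list)    # malformed or unknown entries
    changed: list = field(default_factory=list)   # gates set away from their default
    alpha_on: list = field(default_factory=list)  # alpha-stage gates switched on


def parse_feature_gates(value: str, table=GATES) -> GateReport:
    """Parse 'Gate1=true,Gate2=false' the way the flag expects it.

    The value is a comma-separated list of key=value pairs whose values are
    the literal strings 'true' or 'false'. An empty value means no overrides.
    """
    rep = GateReport()
    if not value.strip():
        return rep
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            rep.errors.append(f"missing '=' in {item!r}")
            continue
        name, _, raw = item.partition("=")
        name, raw = name.strip(), raw.strip().lower()
        if raw not in ("true", "false"):
            rep.errors.append(f"{name}: value must be true or false, got {raw!r}")
            continue
        if name not in table:
            rep.errors.append(f"unknown feature gate {name!r}")
            continue
        on = raw == "true"
        rep.enabled[name] = on
        stage, default = table[name]
        if on != default:
            rep.changed.append(name)
        if on and stage == "ALPHA":
            rep.alpha_on.append(name)
    return rep


def effective_gates(rep: GateReport, table=GATES) -> dict:
    """Resolve every known gate to its effective on/off state.

    Assumed semantics: an explicit setting wins; otherwise AllAlpha/AllBeta,
    if set, apply to every gate of that stage; the table default applies last.
    """
    out = {}
    for name, (stage, default) in table.items():
        if name in rep.enabled:
            out[name] = rep.enabled[name]
        elif stage == "ALPHA" and "AllAlpha" in rep.enabled:
            out[name] = rep.enabled["AllAlpha"]
        elif stage == "BETA" and "AllBeta" in rep.enabled:
            out[name] = rep.enabled["AllBeta"]
        else:
            out[name] = default
    return out


if __name__ == "__main__":
    # Constructed sample: one alpha gate on, one beta hardening gate off, one typo.
    r = parse_feature_gates("KMSv2=true,SeccompDefault=false,RotateKubeletServerCert=true")
    for e in r.errors:
        print("ERROR:", e)
    print("non-default:", r.changed, "alpha enabled:", r.alpha_on)
```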
455 --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/vol‐
456 ume/exec/" Full path of the directory in which the flex volume
457 plugin should search for additional third party volume plugins.
458
459
460 -h, --help=false help for kube-controller-manager
461
462
463 --horizontal-pod-autoscaler-cpu-initialization-period=5m0s The pe‐
464 riod after pod start when CPU samples might be skipped.
465
466
467 --horizontal-pod-autoscaler-downscale-delay=5m0s The period since
468 last downscale, before another downscale can be performed in horizontal
469 pod autoscaler.
470
471
472 --horizontal-pod-autoscaler-downscale-stabilization=5m0s The pe‐
473 riod for which autoscaler will look backwards and not scale down below
474 any recommendation it made during that period.
475
476
477 --horizontal-pod-autoscaler-initial-readiness-delay=30s The period
478 after pod start during which readiness changes will be treated as ini‐
479 tial readiness.
480
481
482 --horizontal-pod-autoscaler-sync-period=15s The period for syncing
483 the number of pods in horizontal pod autoscaler.
484
485
486 --horizontal-pod-autoscaler-tolerance=0.1 The minimum change (from
487 1.0) in the desired-to-actual metrics ratio for the horizontal pod au‐
488 toscaler to consider scaling.
489
490
491 --horizontal-pod-autoscaler-upscale-delay=3m0s The period since
492 last upscale, before another upscale can be performed in horizontal pod
493 autoscaler.
494
495
496 --http2-max-streams-per-connection=0 The limit that the server
497 gives to clients for the maximum number of streams in an HTTP/2 connec‐
498 tion. Zero means to use golang's default.
499
500
501 --kube-api-burst=30 Burst to use while talking with kubernetes
502 apiserver.
503
504
505 --kube-api-content-type="application/vnd.kubernetes.protobuf" Con‐
506 tent type of requests sent to apiserver.
507
508
509 --kube-api-qps=20 QPS to use while talking with kubernetes apis‐
510 erver.
511
512
513 --kubeconfig="" Path to kubeconfig file with authorization and
514 master location information.
515
516
517 --large-cluster-size-threshold=50 Number of nodes from which Node‐
518 Controller treats the cluster as large for the eviction logic purposes.
519 --secondary-node-eviction-rate is implicitly overridden to 0 for clus‐
520 ters this size or smaller.
521
522
523 --leader-elect=true Start a leader election client and gain lead‐
524 ership before executing the main loop. Enable this when running repli‐
525 cated components for high availability.
526
527
528 --leader-elect-lease-duration=15s The duration that non-leader
529 candidates will wait after observing a leadership renewal until at‐
530 tempting to acquire leadership of a led but unrenewed leader slot. This
531 is effectively the maximum duration that a leader can be stopped before
532 it is replaced by another candidate. This is only applicable if leader
533 election is enabled.
534
535
536 --leader-elect-renew-deadline=10s The interval between attempts by
537 the acting master to renew a leadership slot before it stops leading.
538 This must be less than the lease duration. This is only applicable if
539 leader election is enabled.
540
541
542 --leader-elect-resource-lock="leases" The type of resource object
543 that is used for locking during leader election. Supported options are
544 'leases', 'endpointsleases' and 'configmapsleases'.
545
546
547 --leader-elect-resource-name="kube-controller-manager" The name of
548 resource object that is used for locking during leader election.
549
550
551 --leader-elect-resource-namespace="kube-system" The namespace of
552 resource object that is used for locking during leader election.
553
554
555 --leader-elect-retry-period=2s The duration the clients should
556 wait between attempting acquisition and renewal of a leadership. This
557 is only applicable if leader election is enabled.
558
559
560 --leader-migration-config="" Path to the config file for con‐
561 troller leader migration, or empty to use the value that reflects de‐
562 fault configuration of the controller manager. The config file should
563 be of type LeaderMigrationConfiguration, group controllermanager.con‐
564 fig.k8s.io, version v1alpha1.
565
566
567 --log-flush-frequency=5s Maximum number of seconds between log
568 flushes
569
570
571 --logging-format="text" Sets the log format. Permitted formats:
572 "text".
573
574
575 --master="" The address of the Kubernetes API server (overrides
576 any value in kubeconfig).
577
578
579 --max-endpoints-per-slice=100 The maximum number of endpoints that
580 will be added to an EndpointSlice. More endpoints per slice will result
581 in less endpoint slices, but larger resources. Defaults to 100.
582
583
584 --min-resync-period=12h0m0s The resync period in reflectors will
585 be random between MinResyncPeriod and 2*MinResyncPeriod.
586
587
588 --mirroring-concurrent-service-endpoint-syncs=5 The number of ser‐
589 vice endpoint syncing operations that will be done concurrently by the
590 EndpointSliceMirroring controller. Larger number = faster endpoint
591 slice updating, but more CPU (and network) load. Defaults to 5.
592
593
594 --mirroring-endpointslice-updates-batch-period=0s The length of
595 EndpointSlice updates batching period for EndpointSliceMirroring con‐
596 troller. Processing of EndpointSlice changes will be delayed by this
597 duration to join them with potential upcoming updates and reduce the
598 overall number of EndpointSlice updates. Larger number = higher end‐
599 point programming latency, but lower number of endpoints revision gen‐
600 erated
601
602
603 --mirroring-max-endpoints-per-subset=1000 The maximum number of
604 endpoints that will be added to an EndpointSlice by the End‐
605 pointSliceMirroring controller. More endpoints per slice will result in
606 less endpoint slices, but larger resources. Defaults to 100.
607
608
609 --namespace-sync-period=5m0s The period for syncing namespace
610 life-cycle updates
611
612
613 --node-cidr-mask-size=0 Mask size for node cidr in cluster. De‐
614 fault is 24 for IPv4 and 64 for IPv6.
615
616
617 --node-cidr-mask-size-ipv4=0 Mask size for IPv4 node cidr in dual-
618 stack cluster. Default is 24.
619
620
621 --node-cidr-mask-size-ipv6=0 Mask size for IPv6 node cidr in dual-
622 stack cluster. Default is 64.
623
624
625 --node-eviction-rate=0.1 Number of nodes per second on which pods
626 are deleted in case of node failure when a zone is healthy (see --un‐
627 healthy-zone-threshold for definition of healthy/unhealthy). Zone
628 refers to entire cluster in non-multizone clusters.
629
630
631 --node-monitor-grace-period=40s Amount of time which we allow run‐
632 ning Node to be unresponsive before marking it unhealthy. Must be N
633 times more than kubelet's nodeStatusUpdateFrequency, where N means num‐
634 ber of retries allowed for kubelet to post node status.
635
636
637 --node-monitor-period=5s The period for syncing NodeStatus in
638 NodeController.
639
640
641 --node-startup-grace-period=1m0s Amount of time which we allow
642 starting Node to be unresponsive before marking it unhealthy.
643
644
645 --node-sync-period=0s This flag is deprecated and will be removed
646 in future releases. See node-monitor-period for Node health checking or
647 route-reconciliation-period for cloud provider's route configuration
648 settings.
649
650
651 --permit-address-sharing=false If true, SO_REUSEADDR will be used
652 when binding the port. This allows binding to wildcard IPs like 0.0.0.0
653 and specific IPs in parallel, and it avoids waiting for the kernel to
654 release sockets in TIME_WAIT state. [default=false]
655
656
657 --permit-port-sharing=false If true, SO_REUSEPORT will be used
658 when binding the port, which allows more than one instance to bind on
659 the same address and port. [default=false]
660
661
662 --pod-eviction-timeout=5m0s The grace period for deleting pods on
663 failed nodes.
664
665
666 --profiling=true Enable profiling via web interface host:port/de‐
667 bug/pprof/
668
669
670 --pv-recycler-increment-timeout-nfs=30 the increment of time added
671 per Gi to ActiveDeadlineSeconds for an NFS scrubber pod
672
673
674 --pv-recycler-minimum-timeout-hostpath=60 The minimum ActiveDead‐
675 lineSeconds to use for a HostPath Recycler pod. This is for develop‐
676 ment and testing only and will not work in a multi-node cluster.
677
678
679 --pv-recycler-minimum-timeout-nfs=300 The minimum ActiveDeadli‐
680 neSeconds to use for an NFS Recycler pod
681
682
683 --pv-recycler-pod-template-filepath-hostpath="" The file path to a
684 pod definition used as a template for HostPath persistent volume recy‐
685 cling. This is for development and testing only and will not work in a
686 multi-node cluster.
687
688
689 --pv-recycler-pod-template-filepath-nfs="" The file path to a pod
690 definition used as a template for NFS persistent volume recycling
691
692
693 --pv-recycler-timeout-increment-hostpath=30 the increment of time
694 added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod.
695 This is for development and testing only and will not work in a multi-
696 node cluster.
697
698
699 --pvclaimbinder-sync-period=15s The period for syncing persistent
700 volumes and persistent volume claims
701
702
703 --requestheader-allowed-names=[] List of client certificate common
704 names to allow to provide usernames in headers specified by --request‐
705 header-username-headers. If empty, any client certificate validated by
706 the authorities in --requestheader-client-ca-file is allowed.
707
708
709 --requestheader-client-ca-file="" Root certificate bundle to use
710 to verify client certificates on incoming requests before trusting
711 usernames in headers specified by --requestheader-username-headers.
712 WARNING: generally do not depend on authorization being already done
713 for incoming requests.
714
715
716 --requestheader-extra-headers-prefix=[x-remote-extra-] List of re‐
717 quest header prefixes to inspect. X-Remote-Extra- is suggested.
718
719
720 --requestheader-group-headers=[x-remote-group] List of request
721 headers to inspect for groups. X-Remote-Group is suggested.
722
723
724 --requestheader-username-headers=[x-remote-user] List of request
725 headers to inspect for usernames. X-Remote-User is common.
726
727
       --resource-quota-sync-period=5m0s      The period for syncing quota
       usage status in the system.


       --root-ca-file=""      If set, this root certificate authority will be
       included in the service account's token secret. This must be a valid
       PEM-encoded CA bundle.


       --route-reconciliation-period=10s      The period for reconciling
       routes created for Nodes by the cloud provider.


       --secondary-node-eviction-rate=0.01      Number of nodes per second on
       which pods are deleted in case of node failure when a zone is
       unhealthy (see --unhealthy-zone-threshold for the definition of
       healthy/unhealthy). Zone refers to the entire cluster in non-multizone
       clusters. This value is implicitly overridden to 0 if the cluster size
       is smaller than --large-cluster-size-threshold.


       --secure-port=10257      The port on which to serve HTTPS with
       authentication and authorization. If 0, don't serve HTTPS at all.


       --service-account-private-key-file=""      Filename containing a
       PEM-encoded private RSA or ECDSA key used to sign service account
       tokens.

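       --root-ca-file and --service-account-private-key-file together decide
       what ends up in a service account's token secret: a token signed with
       this private key, and the CA bundle the pod will use to verify the
       apiserver. The Go program below is an added illustration written for
       this page, not the controller manager's token generator (which uses a
       JOSE library); it mints and verifies a legacy-format service account
       token with an ECDSA key (ES256, since the flag accepts ECDSA keys) to
       make concrete what possession of the key file means: whoever holds it
       can issue a token for any service account in any namespace, including
       kube-system. signToken, verifyToken and the sample identities are
       names chosen for the example; the claim names follow the legacy
       service account token claim set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

const legacyIssuer = "kubernetes/serviceaccount"

// legacyClaims is the claim set of a legacy (non-expiring) service account token.
type legacyClaims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
	UID       string `json:"kubernetes.io/serviceaccount/service-account.uid"`
	Secret    string `json:"kubernetes.io/serviceaccount/secret.name"`
}

var enc = base64.RawURLEncoding

// signToken mints an ES256 JWT for a service account with the signing key
// (the key behind --service-account-private-key-file). Example code only.
func signToken(key *ecdsa.PrivateKey, ns, name, uid, secret string) (string, error) {
	claims, err := json.Marshal(legacyClaims{
		Issuer: legacyIssuer, Subject: "system:serviceaccount:" + ns + ":" + name,
		Namespace: ns, Name: name, UID: uid, Secret: secret,
	})
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyToken is what a verifier holding only the public key does: pin the
// algorithm, check the signature over header.payload, then check issuer/subject.
func verifyToken(pub *ecdsa.PublicKey, token string) (*legacyClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) // never honour a header-chosen "none"
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	claimJSON, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c legacyClaims
	if err := json.Unmarshal(claimJSON, &c); err != nil {
		return nil, err
	}
	if c.Issuer != legacyIssuer || c.Subject != "system:serviceaccount:"+c.Namespace+":"+c.Name {
		return nil, errors.New("issuer/subject mismatch")
	}
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the key file
	tok, _ := signToken(key, "kube-system", "default", "1234", "default-token-abcde")
	c, err := verifyToken(&key.PublicKey, tok)
	if err != nil {
		fmt.Println("verify failed:", err)
		return
	}
	fmt.Println("token subject:", c.Subject)
}
```

       Nothing in the token binds it to a pod, node or expiry, which is why
       the key file deserves the same handling as the cluster CA key and why
       --use-service-account-credentials matters: a leaked token issued this
       way is valid until the secret it names is deleted.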
       --service-cluster-ip-range=""      CIDR range for Services in the
       cluster. Requires --allocate-node-cidrs to be true.


       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful; other values will not be allowed. The format is
       <major>.<minor>, e.g. '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.

       --terminated-pod-gc-threshold=12500      Number of terminated pods that
       can exist before the terminated pod garbage collector starts deleting
       terminated pods. If <= 0, the terminated pod garbage collector is
       disabled.


       --tls-cert-file=""      File containing the default x509 certificate
       for HTTPS (CA cert, if any, concatenated after the server cert). If
       HTTPS serving is enabled and --tls-cert-file and --tls-private-key-file
       are not provided, a self-signed certificate and key are generated for
       the public address and saved to the directory specified by --cert-dir.

       --tls-cipher-suites=[]      Comma-separated list of cipher suites for
       the server. If omitted, the default Go cipher suites will be used.
       Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
       TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
       TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
       Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
       TLS_RSA_WITH_RC4_128_SHA.
       Note that TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and
       TLS_CHACHA20_POLY1305_SHA256 are TLS 1.3 suites: Go's TLS stack does
       not allow the TLS 1.3 suite set to be restricted, so listing them is
       accepted but changes nothing; the TLS 1.2 entries are what this flag
       actually controls.


       --tls-min-version=""      Minimum TLS version supported. Possible
       values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.

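       --tls-cipher-suites and --tls-min-version are handed to Go's
       crypto/tls, whose own suite tables decide which names exist and which
       are insecure. The Go function below is an added example written for
       this page, not kube-controller-manager's flag parser; BuildTLSConfig,
       its warning strings and the assumed TLS 1.2 floor for an empty
       --tls-min-version are choices made for the example. It refuses any
       name that crypto/tls marks insecure or does not know, warns about
       TLS 1.3 names (which cannot restrict anything) and about CBC suites,
       and returns a tls.Config that can be applied to any Go server, so a
       proposed flag value can be checked before it reaches a control plane.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsVersions maps the --tls-min-version spellings to crypto/tls constants.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// BuildTLSConfig validates flag-style values and returns a server tls.Config
// plus advisory warnings. Names crypto/tls marks insecure are rejected outright.
func BuildTLSConfig(suiteNames []string, minVersion string) (*tls.Config, []string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12} // floor assumed by this example when the flag is empty
	var warnings []string
	if minVersion != "" {
		v, ok := tlsVersions[minVersion]
		if !ok {
			return nil, nil, fmt.Errorf("unknown --tls-min-version %q", minVersion)
		}
		cfg.MinVersion = v
		if v < tls.VersionTLS12 {
			warnings = append(warnings, minVersion+" permits protocol versions with known weaknesses")
		}
	}
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() { // the "preferred" set
		byName[cs.Name] = cs
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() { // the "insecure" set
		insecure[cs.Name] = true
	}
	for _, name := range suiteNames {
		name = strings.TrimSpace(name)
		if insecure[name] {
			return nil, nil, fmt.Errorf("%s is listed as insecure by crypto/tls", name)
		}
		cs, ok := byName[name]
		if !ok {
			return nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			// TLS 1.3 suites are fixed by the Go runtime; tls.Config.CipherSuites cannot restrict them.
			warnings = append(warnings, name+" is a TLS 1.3 suite; listing it has no effect")
			continue
		}
		if strings.Contains(name, "_CBC_") {
			warnings = append(warnings, name+" is a CBC suite; prefer AEAD (GCM/CHACHA20) suites")
		}
		cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
	}
	return cfg, warnings, nil
}

func main() {
	_, warns, err := BuildTLSConfig(
		[]string{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}, "VersionTLS12")
	fmt.Println("warnings:", warns, "error:", err)
	_, _, err = BuildTLSConfig([]string{"TLS_RSA_WITH_RC4_128_SHA"}, "")
	fmt.Println("rc4:", err)
}
```

       The lists in the flag description above are exactly what
       tls.CipherSuites() and tls.InsecureCipherSuites() return, so the
       function tracks whichever Go release the binary was built with rather
       than a hard-coded copy of the names.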
       --tls-private-key-file=""      File containing the default x509 private
       key matching --tls-cert-file.


       --tls-sni-cert-key=[]      A pair of x509 certificate and private key
       file paths, optionally suffixed with a list of domain patterns which
       are fully qualified domain names, possibly with prefixed wildcard
       segments. The domain patterns also allow IP addresses, but IPs should
       only be used if the apiserver has visibility to the IP address
       requested by a client. If no domain patterns are provided, the names
       of the certificate are extracted. Non-wildcard matches trump wildcard
       matches, and explicit domain patterns trump extracted names. For
       multiple key/certificate pairs, use --tls-sni-cert-key multiple times.
       Examples: "example.crt,example.key" or
       "foo.crt,foo.key:*.foo.com,foo.com".


       --unhealthy-zone-threshold=0.55      Fraction of Nodes in a zone which
       need to be not Ready (minimum 3) for the zone to be treated as
       unhealthy.


       --use-service-account-credentials=false      If true, use individual
       service account credentials for each controller. Each control loop
       then authenticates to the apiserver as its own service account in
       kube-system rather than with the shared controller-manager
       credentials, so RBAC can grant each controller only what it needs and
       audit log entries identify which controller made a request.


       -v, --v=0      Number for the log level verbosity.


       --version=false      Print version information and quit.


       --vmodule=      Comma-separated list of pattern=N settings for
       file-filtered logging (only works for the text log format).


       --volume-host-allow-local-loopback=true      If false, deny local
       loopback IPs in addition to any CIDR ranges in
       --volume-host-cidr-denylist.


       --volume-host-cidr-denylist=[]      A comma-separated list of CIDR
       ranges that volume plugins must not connect to.



       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!



Manuals User                                      KUBERNETES(1)(kubernetes)