KUBERNETES(1)(kubernetes)                                KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kube-controller-manager -

SYNOPSIS
       kube-controller-manager [OPTIONS]

DESCRIPTION
       The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.

OPTIONS
       --allocate-node-cidrs=false    Should CIDRs for Pods be allocated and set on the cloud provider.

       --allow-metric-labels=[]    The map from metric-label to value allow-list of this label. The key's format is <metricName>,<labelName>. The value's format is <allowedValue>,<allowedValue>,... e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'.

       --allow-untagged-cloud=false    Allow the cluster to run without the cluster-id on cloud instances. This is a legacy mode of operation and a cluster-id will be required in the future.

       --attach-detach-reconcile-sync-period=1m0s    The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods.

       --authentication-kubeconfig=""    kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

       --authentication-skip-lookup=false    If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster.

       --authentication-token-webhook-cache-ttl=10s    The duration to cache responses from the webhook token authenticator.

       --authentication-tolerate-lookup-failure=false    If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

       --authorization-always-allow-paths=[/healthz,/readyz,/livez]    A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.

       --authorization-kubeconfig=""    kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

       --authorization-webhook-cache-authorized-ttl=10s    The duration to cache 'authorized' responses from the webhook authorizer.

       --authorization-webhook-cache-unauthorized-ttl=10s    The duration to cache 'unauthorized' responses from the webhook authorizer.

       --azure-container-registry-config=""    Path to the file containing Azure container registry configuration information.

       --bind-address=0.0.0.0    The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

       --cert-dir=""    The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

       --cidr-allocator-type="RangeAllocator"    Type of CIDR allocator to use.

       --client-ca-file=""    If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

       --cloud-config=""    The path to the cloud provider configuration file. Empty string for no configuration file.

       --cloud-provider=""    The provider for cloud services. Empty string for no provider.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16    CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks.

       --cluster-cidr=""    CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true.

       --cluster-name="kubernetes"    The instance prefix for the cluster.

       --cluster-signing-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-duration=8760h0m0s    The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.

       --cluster-signing-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.

       --cluster-signing-kube-apiserver-client-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kube-apiserver-client-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-client-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-kubelet-serving-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-cert-file=""    Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --cluster-signing-legacy-unknown-key-file=""    Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.

       --concurrent-deployment-syncs=5    The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load.

       --concurrent-endpoint-syncs=5    The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load.

       --concurrent-ephemeralvolume-syncs=5    The number of ephemeral volume syncing operations that will be done concurrently. Larger number = faster ephemeral volume updating, but more CPU (and network) load.

       --concurrent-gc-syncs=20    The number of garbage collector workers that are allowed to sync concurrently.

       --concurrent-horizontal-pod-autoscaler-syncs=5    The number of horizontal pod autoscaler objects that are allowed to sync concurrently. Larger number = more responsive horizontal pod autoscaler objects processing, but more CPU (and network) load.

       --concurrent-namespace-syncs=10    The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load.

       --concurrent-replicaset-syncs=5    The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load.

       --concurrent-resource-quota-syncs=5    The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load.

       --concurrent-service-endpoint-syncs=5    The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

       --concurrent-service-syncs=1    The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load.

       --concurrent-serviceaccount-token-syncs=5    The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load.

       --concurrent-statefulset-syncs=5    The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load.

       --concurrent-ttl-after-finished-syncs=5    The number of TTL-after-finished controller workers that are allowed to sync concurrently.

       --concurrent_rc_syncs=5    The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load.

       --configure-cloud-routes=true    Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.

       --contention-profiling=false    Enable block profiling, if profiling is enabled.

       --controller-start-interval=0s    Interval between starting controller managers.

       --controllers=[]    A list of controllers to enable. '' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'. All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished. Disabled-by-default controllers: bootstrapsigner, tokencleaner.

       --disable-attach-detach-reconcile-sync=false    Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely.

       --disabled-metrics=[]    This flag provides an escape hatch for misbehaving metrics. You must provide the fully qualified metric name in order to disable it. Disclaimer: disabling metrics is higher in precedence than showing hidden metrics.

       --enable-dynamic-provisioning=true    Enable dynamic provisioning for environments that support it.

       --enable-garbage-collector=true    Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver.

       --enable-hostpath-provisioner=false    Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development.

       --enable-leader-migration=false    Whether to enable controller leader migration.

       --endpoint-updates-batch-period=0s    The length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated.

       --endpointslice-updates-batch-period=0s    The length of endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated.

       --external-cloud-volume-plugin=""    The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers.

       --feature-gates=    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIPriorityAndFairness=true|false (BETA - default=true)
              APIResponseCompression=true|false (BETA - default=true)
              APISelfSubjectReview=true|false (BETA - default=true)
              APIServerIdentity=true|false (BETA - default=true)
              APIServerTracing=true|false (BETA - default=true)
              AdmissionWebhookMatchConditions=true|false (ALPHA - default=false)
              AggregatedDiscoveryEndpoint=true|false (BETA - default=true)
              AllAlpha=true|false (ALPHA - default=false)
              AllBeta=true|false (BETA - default=false)
              AnyVolumeDataSource=true|false (BETA - default=true)
              AppArmor=true|false (BETA - default=true)
              CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
              CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
              CPUManagerPolicyOptions=true|false (BETA - default=true)
              CSIMigrationPortworx=true|false (BETA - default=false)
              CSIMigrationRBD=true|false (ALPHA - default=false)
              CSINodeExpandSecret=true|false (BETA - default=true)
              CSIVolumeHealth=true|false (ALPHA - default=false)
              CloudControllerManagerWebhook=true|false (ALPHA - default=false)
              CloudDualStackNodeIPs=true|false (ALPHA - default=false)
              ClusterTrustBundle=true|false (ALPHA - default=false)
              ComponentSLIs=true|false (BETA - default=true)
              ContainerCheckpoint=true|false (ALPHA - default=false)
              ContextualLogging=true|false (ALPHA - default=false)
              CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              CustomResourceValidationExpressions=true|false (BETA - default=true)
              DisableCloudProviders=true|false (ALPHA - default=false)
              DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
              DynamicResourceAllocation=true|false (ALPHA - default=false)
              ElasticIndexedJob=true|false (BETA - default=true)
              EventedPLEG=true|false (BETA - default=false)
              ExpandedDNSConfig=true|false (BETA - default=true)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              GracefulNodeShutdown=true|false (BETA - default=true)
              GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
              HPAContainerMetrics=true|false (BETA - default=true)
              HPAScaleToZero=true|false (ALPHA - default=false)
              HonorPVReclaimPolicy=true|false (ALPHA - default=false)
              IPTablesOwnershipCleanup=true|false (BETA - default=true)
              InPlacePodVerticalScaling=true|false (ALPHA - default=false)
              InTreePluginAWSUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
              InTreePluginGCEUnregister=true|false (ALPHA - default=false)
              InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
              InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
              InTreePluginRBDUnregister=true|false (ALPHA - default=false)
              InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
              JobPodFailurePolicy=true|false (BETA - default=true)
              JobReadyPods=true|false (BETA - default=true)
              KMSv2=true|false (BETA - default=true)
              KubeletInUserNamespace=true|false (ALPHA - default=false)
              KubeletPodResources=true|false (BETA - default=true)
              KubeletPodResourcesDynamicResources=true|false (ALPHA - default=false)
              KubeletPodResourcesGet=true|false (ALPHA - default=false)
              KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
              KubeletTracing=true|false (BETA - default=true)
              LegacyServiceAccountTokenTracking=true|false (BETA - default=true)
              LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
              LogarithmicScaleDown=true|false (BETA - default=true)
              LoggingAlphaOptions=true|false (ALPHA - default=false)
              LoggingBetaOptions=true|false (BETA - default=true)
              MatchLabelKeysInPodTopologySpread=true|false (BETA - default=true)
              MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
              MemoryManager=true|false (BETA - default=true)
              MemoryQoS=true|false (ALPHA - default=false)
              MinDomainsInPodTopologySpread=true|false (BETA - default=true)
              MinimizeIPTablesRestore=true|false (BETA - default=true)
              MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
              MultiCIDRServiceAllocator=true|false (ALPHA - default=false)
              NetworkPolicyStatus=true|false (ALPHA - default=false)
              NewVolumeManagerReconstruction=true|false (BETA - default=false)
              NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
              NodeLogQuery=true|false (ALPHA - default=false)
              NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
              NodeSwap=true|false (ALPHA - default=false)
              OpenAPIEnums=true|false (BETA - default=true)
              PDBUnhealthyPodEvictionPolicy=true|false (BETA - default=true)
              PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
              PodDeletionCost=true|false (BETA - default=true)
              PodDisruptionConditions=true|false (BETA - default=true)
              PodHasNetworkCondition=true|false (ALPHA - default=false)
              PodSchedulingReadiness=true|false (BETA - default=true)
              ProbeTerminationGracePeriod=true|false (BETA - default=true)
              ProcMountType=true|false (ALPHA - default=false)
              ProxyTerminatingEndpoints=true|false (BETA - default=true)
              QOSReserved=true|false (ALPHA - default=false)
              ReadWriteOncePod=true|false (BETA - default=true)
              RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
              RemainingItemCount=true|false (BETA - default=true)
              RetroactiveDefaultStorageClass=true|false (BETA - default=true)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              SELinuxMountReadWriteOncePod=true|false (BETA - default=false)
              SecurityContextDeny=true|false (ALPHA - default=false)
              ServiceNodePortStaticSubrange=true|false (ALPHA - default=false)
              SizeMemoryBackedVolumes=true|false (BETA - default=true)
              StableLoadBalancerNodeSet=true|false (BETA - default=true)
              StatefulSetAutoDeletePVC=true|false (BETA - default=true)
              StatefulSetStartOrdinal=true|false (BETA - default=true)
              StorageVersionAPI=true|false (ALPHA - default=false)
              StorageVersionHash=true|false (BETA - default=true)
              TopologyAwareHints=true|false (BETA - default=true)
              TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
              TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
              TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
              UnauthenticatedHTTP2DOSMitigation=true|false (BETA - default=false)
              UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
              ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
              VolumeCapacityPriority=true|false (ALPHA - default=false)
              WatchList=true|false (ALPHA - default=false)
              WinDSR=true|false (ALPHA - default=false)
              WinOverlay=true|false (BETA - default=true)
              WindowsHostNetwork=true|false (ALPHA - default=true)

       --flex-volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"    Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.

       -h, --help=false    help for kube-controller-manager

       --horizontal-pod-autoscaler-cpu-initialization-period=5m0s    The period after pod start when CPU samples might be skipped.

       --horizontal-pod-autoscaler-downscale-delay=5m0s    The period since last downscale, before another downscale can be performed in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-downscale-stabilization=5m0s    The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period.

       --horizontal-pod-autoscaler-initial-readiness-delay=30s    The period after pod start during which readiness changes will be treated as initial readiness.

       --horizontal-pod-autoscaler-sync-period=15s    The period for syncing the number of pods in horizontal pod autoscaler.

       --horizontal-pod-autoscaler-tolerance=0.1    The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.

       --horizontal-pod-autoscaler-upscale-delay=3m0s    The period since last upscale, before another upscale can be performed in horizontal pod autoscaler.

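The tolerance and downscale-stabilization flags above describe an algorithm rather than a static setting, so the following added example (not code from the man page or from Kubernetes) models both: a recommendation is ignored while the desired-to-actual metric ratio stays within the tolerance, and a scale-down never goes below any recommendation made inside the stabilization window. The ceil(currentReplicas * ratio) formula is the one from the Kubernetes HPA algorithm documentation, not from this page; the metric values and timestamps are constructed.

```python
import math
from collections import deque

# Constructed values matching the defaults documented for the flags above.
TOLERANCE = 0.1                        # --horizontal-pod-autoscaler-tolerance
DOWNSCALE_STABILIZATION_SECONDS = 300  # --horizontal-pod-autoscaler-downscale-stabilization=5m0s


def raw_recommendation(current_replicas, current_metric, target_metric, tolerance=TOLERANCE):
    """Replica count the autoscaler would ask for before stabilization.

    ratio = current_metric / target_metric. When |ratio - 1| is within the
    tolerance nothing is scaled; otherwise the standard HPA formula
    ceil(current_replicas * ratio) is used (HPA documentation, not this page).
    """
    if current_replicas <= 0 or target_metric <= 0:
        raise ValueError("need at least one replica and a positive target")
    ratio = current_metric / target_metric
    if abs(ratio - 1.0) <= tolerance:
        return current_replicas
    return math.ceil(current_replicas * ratio)


class StabilizedScaler:
    """Remembers recommendations for the stabilization window and never
    scales down below the highest one made inside that window."""

    def __init__(self, window_seconds=DOWNSCALE_STABILIZATION_SECONDS, tolerance=TOLERANCE):
        self.window = window_seconds
        self.tolerance = tolerance
        self.history = deque()  # (timestamp_seconds, recommendation)

    def desired_replicas(self, now, current_replicas, current_metric, target_metric):
        rec = raw_recommendation(current_replicas, current_metric, target_metric, self.tolerance)
        self.history.append((now, rec))
        # Forget recommendations that have aged out of the window.
        while self.history and now - self.history[0][0] > self.window:
            self.history.popleft()
        # The maximum over the window lets a scale-up through immediately (the
        # new recommendation is itself in the window) but holds a scale-down
        # until every higher recommendation has aged out.
        return max(r for _, r in self.history)


if __name__ == "__main__":
    # Constructed sequence: load doubles, then drops to 40% of target.
    scaler = StabilizedScaler()
    for t, replicas, metric in [(0, 4, 100.0), (60, 8, 20.0), (400, 8, 20.0)]:
        print(f"t={t}s replicas={replicas} metric={metric} -> desired {scaler.desired_replicas(t, replicas, metric, 50.0)}")
```

The delay flags (--horizontal-pod-autoscaler-upscale-delay and -downscale-delay) and min/max replica clamping are not modelled; the point of the example is the interaction of the tolerance band with the look-back window.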
       --http2-max-streams-per-connection=0    The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.

       --kube-api-burst=30    Burst to use while talking with kubernetes apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"    Content type of requests sent to apiserver.

       --kube-api-qps=20    QPS to use while talking with kubernetes apiserver.

       --kubeconfig=""    Path to kubeconfig file with authorization and master location information (the master location can be overridden by the master flag).

       --large-cluster-size-threshold=50    Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller.

       --leader-elect=true    Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.

       --leader-elect-lease-duration=15s    The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

       --leader-elect-renew-deadline=10s    The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than the lease duration. This is only applicable if leader election is enabled.

       --leader-elect-resource-lock="leases"    The type of resource object that is used for locking during leader election. Supported options are 'leases', 'endpointsleases' and 'configmapsleases'.

       --leader-elect-resource-name="kube-controller-manager"    The name of resource object that is used for locking during leader election.

       --leader-elect-resource-namespace="kube-system"    The namespace of resource object that is used for locking during leader election.

       --leader-elect-retry-period=2s    The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

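Several flags on this page carry ordering constraints between Go-style durations: --leader-elect-renew-deadline "must be less than the lease duration" (above) and --attach-detach-reconcile-sync-period "must be larger than one second" (earlier on this page). The following added example, which is not code from the man page or from Kubernetes, parses the duration strings in the form the page prints them ("15s", "1m0s", "8760h0m0s") and checks those constraints over a flag dictionary. The retry-period check is an assumption taken from client-go's leader election validation and is not stated on this page; the DEFAULTS table is constructed from the defaults documented here.

```python
import re

# Unit table for the Go duration strings this man page prints.
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_go_duration(text):
    """Convert a Go duration string such as '1m0s' to seconds.

    Rejects anything that is not an unbroken sequence of <number><unit>
    components, so a typo like '10 seconds' fails loudly instead of
    silently becoming zero.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0.0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unparsable duration: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"unparsable duration: {text!r}")
    return total


# Defaults as documented on this page (constructed table; a real deployment's
# values would be read from its manifest or unit file).
DEFAULTS = {
    "leader-elect-lease-duration": "15s",
    "leader-elect-renew-deadline": "10s",
    "leader-elect-retry-period": "2s",
    "attach-detach-reconcile-sync-period": "1m0s",
}


def check_timing(flags):
    """Return the timing constraints violated by the given flag values
    (flag name without leading dashes -> value string)."""
    f = {**DEFAULTS, **flags}
    lease = parse_go_duration(f["leader-elect-lease-duration"])
    renew = parse_go_duration(f["leader-elect-renew-deadline"])
    retry = parse_go_duration(f["leader-elect-retry-period"])
    reconcile = parse_go_duration(f["attach-detach-reconcile-sync-period"])
    problems = []
    # Stated on this page: the renew deadline must be less than the lease duration.
    if not renew < lease:
        problems.append("--leader-elect-renew-deadline must be less than --leader-elect-lease-duration")
    # Assumption (client-go rejects it; not stated on this page): the retry
    # period must be shorter than the renew deadline or renewals cannot keep up.
    if not retry < renew:
        problems.append("--leader-elect-retry-period must be less than --leader-elect-renew-deadline")
    # Stated on this page: the reconcile period must be larger than one second.
    if not reconcile > 1.0:
        problems.append("--attach-detach-reconcile-sync-period must be larger than one second")
    return problems


if __name__ == "__main__":
    print(check_timing({}))
    print(check_timing({"leader-elect-renew-deadline": "20s"}))
```

A renew deadline at or above the lease duration is the case worth catching in review: a stalled leader would not be replaced before a standby believes it can take over, so two controller managers can briefly act on the same objects.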

       --leader-migration-config=""    Path to the config file for controller leader migration, or empty to use the value that reflects default configuration of the controller manager. The config file should be of type LeaderMigrationConfiguration, group controllermanager.config.k8s.io, version v1alpha1.

       --log-flush-frequency=5s    Maximum number of seconds between log flushes.

       --logging-format="text"    Sets the log format. Permitted formats: "text".

       --master=""    The address of the Kubernetes API server (overrides any value in kubeconfig).

       --max-endpoints-per-slice=100    The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

       --min-resync-period=12h0m0s    The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod.

       --mirroring-concurrent-service-endpoint-syncs=5    The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.

       --mirroring-endpointslice-updates-batch-period=0s    The length of EndpointSlice updates batching period for EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated.

       --mirroring-max-endpoints-per-subset=1000    The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in fewer endpoint slices, but larger resources. Defaults to 100.

       --namespace-sync-period=5m0s    The period for syncing namespace life-cycle updates.

       --node-cidr-mask-size=0    Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6.

       --node-cidr-mask-size-ipv4=0    Mask size for IPv4 node cidr in dual-stack cluster. Default is 24.

       --node-cidr-mask-size-ipv6=0    Mask size for IPv6 node cidr in dual-stack cluster. Default is 64.

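The three mask-size flags above, together with --cluster-cidr earlier on this page, fix how many nodes can receive a Pod CIDR and how many addresses each node gets. The following added example (not code from the man page or from Kubernetes) computes both from the flag values, applying the documented defaults (24 for IPv4, 64 for IPv6) when the mask is left at 0. The comma-separated IPv4,IPv6 form of --cluster-cidr is an assumption taken from the Kubernetes dual-stack documentation rather than from this page; the CIDRs used are constructed.

```python
import ipaddress

# Defaults documented for --node-cidr-mask-size on this page.
DEFAULT_NODE_MASK = {4: 24, 6: 64}


def node_cidr_capacity(cluster_cidr, node_mask_size=0):
    """Return (node_subnets, addresses_per_node) for one --cluster-cidr at the
    given --node-cidr-mask-size; 0 selects the family default, as the flag does."""
    net = ipaddress.ip_network(cluster_cidr, strict=True)  # reject host bits set
    mask = node_mask_size or DEFAULT_NODE_MASK[net.version]
    if mask < net.prefixlen:
        raise ValueError(f"node mask /{mask} is shorter than the cluster CIDR {net}")
    if mask > net.max_prefixlen:
        raise ValueError(f"node mask /{mask} exceeds the address width of {net}")
    node_subnets = 2 ** (mask - net.prefixlen)
    addresses_per_node = 2 ** (net.max_prefixlen - mask)
    return node_subnets, addresses_per_node


def dual_stack_node_capacity(cluster_cidrs, mask_ipv4=0, mask_ipv6=0):
    """For a dual-stack --cluster-cidr given as 'IPv4,IPv6' (assumption, see
    lead-in), apply --node-cidr-mask-size-ipv4 / -ipv6 and return how many
    nodes can be given a CIDR from both families: the smaller family wins."""
    capacities = []
    for cidr in cluster_cidrs.split(","):
        net = ipaddress.ip_network(cidr.strip(), strict=True)
        mask = mask_ipv4 if net.version == 4 else mask_ipv6
        subnets, _ = node_cidr_capacity(str(net), mask)
        capacities.append(subnets)
    return min(capacities)


if __name__ == "__main__":
    # Constructed inputs.
    print(node_cidr_capacity("10.244.0.0/16"))          # (256, 256)
    print(node_cidr_capacity("10.244.0.0/16", 26))      # (1024, 64)
    print(dual_stack_node_capacity("10.244.0.0/16,fd00:10:244::/60"))  # 16
```

The dual-stack case is the one that surprises people: a generous IPv4 range does not help if the IPv6 range only yields sixteen /64 node subnets, because a node must be assigned a CIDR from each family.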

       --node-eviction-rate=0.1    Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters.

       --node-monitor-grace-period=40s    Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status.

       --node-monitor-period=5s    The period for syncing NodeStatus in NodeController.

       --node-startup-grace-period=1m0s    Amount of time which we allow starting Node to be unresponsive before marking it unhealthy.

       --node-sync-period=0s    This flag is deprecated and will be removed in future releases. See node-monitor-period for Node health checking or route-reconciliation-period for cloud provider's route configuration settings.

       --permit-address-sharing=false    If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]

       --permit-port-sharing=false    If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]

       --profiling=true    Enable profiling via web interface host:port/debug/pprof/

       --pv-recycler-increment-timeout-nfs=30    The increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod.

       --pv-recycler-minimum-timeout-hostpath=60    The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster.

       --pv-recycler-minimum-timeout-nfs=300    The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod.

       --pv-recycler-pod-template-filepath-hostpath=""    The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.

       --pv-recycler-pod-template-filepath-nfs=""    The file path to a pod definition used as a template for NFS persistent volume recycling.

       --pv-recycler-timeout-increment-hostpath=30    The increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster.

       --pvclaimbinder-sync-period=15s    The period for syncing persistent volumes and persistent volume claims.

       --requestheader-allowed-names=[]    List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.

       --requestheader-client-ca-file=""    Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.

       --requestheader-extra-headers-prefix=[x-remote-extra-]    List of request header prefixes to inspect. X-Remote-Extra- is suggested.

       --requestheader-group-headers=[x-remote-group]    List of request headers to inspect for groups. X-Remote-Group is suggested.

       --requestheader-username-headers=[x-remote-user]    List of request headers to inspect for usernames. X-Remote-User is common.

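The authentication, authorization, --requestheader-*, --bind-address, --profiling and --tls-cert-file descriptions on this page each spell out a consequence of leaving the flag at a weak value (anonymous requests, identity headers trusted from any certificate of the front-proxy CA, pprof on the secure port, a self-signed serving certificate). The following added example, which is not code from the man page or from Kubernetes, turns those sentences into an audit over the command list of a controller-manager process, as it would appear in a static pod manifest. The DEFAULTS table and both sample command lines are constructed from the defaults documented here; the file paths are placeholders, and the flag parser is a simplified one that understands only the --name=value and bare --name forms.

```python
# Defaults documented on this page for the flags the audit inspects (constructed table).
DEFAULTS = {
    "bind-address": "0.0.0.0",
    "secure-port": "10257",
    "profiling": "true",
    "authentication-kubeconfig": "",
    "authentication-tolerate-lookup-failure": "false",
    "requestheader-client-ca-file": "",
    "requestheader-allowed-names": "",
    "tls-cert-file": "",
    "tls-private-key-file": "",
    "allow-untagged-cloud": "false",
}

# Constructed sample command lines; the paths are placeholders, not real files.
HARDENED_ARGV = [
    "kube-controller-manager",
    "--bind-address=127.0.0.1",
    "--authentication-kubeconfig=/srv/example/kcm.kubeconfig",
    "--authorization-kubeconfig=/srv/example/kcm.kubeconfig",
    "--profiling=false",
    "--tls-cert-file=/srv/example/kcm.crt",
    "--tls-private-key-file=/srv/example/kcm.key",
]
WEAK_ARGV = [
    "kube-controller-manager",
    "--authentication-tolerate-lookup-failure=true",
    "--requestheader-client-ca-file=/srv/example/front-proxy-ca.crt",
]


def parse_flags(argv):
    """Collect --name=value tokens (a bare --name counts as true).
    Simplified: no short flags and no separate-argument form."""
    flags = {}
    for tok in argv:
        if not tok.startswith("--"):
            continue  # binary name or positional token
        name, has_eq, value = tok[2:].partition("=")
        flags[name] = value if has_eq else "true"
    return flags


def audit(argv):
    """Return (flag, finding) pairs for values whose documented behaviour
    weakens authentication, authorization or exposure of the secure port."""
    f = {**DEFAULTS, **parse_flags(argv)}
    findings = []
    if f["allow-untagged-cloud"] == "true":
        findings.append(("--allow-untagged-cloud", "true: legacy mode without a cluster-id on cloud instances"))
    if f["secure-port"] == "0":
        return findings  # HTTPS is not served at all, so the endpoint checks do not apply
    if not f["authentication-kubeconfig"]:
        findings.append(("--authentication-kubeconfig", "empty: all token requests are treated as anonymous and no client CA is looked up in the cluster"))
    if f["authentication-tolerate-lookup-failure"] == "true":
        findings.append(("--authentication-tolerate-lookup-failure", "true: a failed lookup is not fatal and can leave every request treated as anonymous"))
    if f["requestheader-client-ca-file"] and not f["requestheader-allowed-names"]:
        findings.append(("--requestheader-allowed-names", "empty: any client certificate validated by --requestheader-client-ca-file may supply usernames and groups through request headers"))
    if f["profiling"] == "true":
        findings.append(("--profiling", "true: host:port/debug/pprof/ is served on the secure port"))
    if f["bind-address"] in ("", "0.0.0.0", "::"):
        findings.append(("--bind-address", "unspecified address: the secure port listens on all interfaces"))
    if not (f["tls-cert-file"] and f["tls-private-key-file"]):
        findings.append(("--tls-cert-file", "unset: a self-signed certificate is generated into --cert-dir, which clients cannot verify against a known CA"))
    return findings


if __name__ == "__main__":
    for flag, finding in audit(WEAK_ARGV):
        print(f"{flag}: {finding}")
    print("hardened command line:", audit(HARDENED_ARGV) or "no findings")
```

The --requestheader check is the one most often missed: the page says an empty --requestheader-allowed-names accepts identity headers from any certificate the front-proxy CA has issued, so that CA must be dedicated to the proxy or the allowed-names list must be set.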
727 --resource-quota-sync-period=5m0s The period for syncing quota us‐
728 age status in the system
729
730
731 --root-ca-file="" If set, this root certificate authority will be
732 included in service account's token secret. This must be a valid PEM-
733 encoded CA bundle.
734
735
736 --route-reconciliation-period=10s The period for reconciling
737 routes created for Nodes by cloud provider.
738
739
740 --secondary-node-eviction-rate=0.01 Number of nodes per second on
741 which pods are deleted in case of node failure when a zone is unhealthy
742 (see --unhealthy-zone-threshold for definition of healthy/unhealthy).
743 Zone refers to entire cluster in non-multizone clusters. This value is
744 implicitly overridden to 0 if the cluster size is smaller than --large-
745 cluster-size-threshold.
746
747
748 --secure-port=10257 The port on which to serve HTTPS with authen‐
749 tication and authorization. If 0, don't serve HTTPS at all.
750
751
752 --service-account-private-key-file="" Filename containing a PEM-
753 encoded private RSA or ECDSA key used to sign service account tokens.
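
       What the key behind --service-account-private-key-file is used for, as
       an added example in Go (not the controller-manager's own token code):
       signing a legacy service account token as an ES256 JWT with an ECDSA
       P-256 key, and verifying it with the matching public key the way the
       apiserver side would. The claim names are this example's assumption
       about the legacy token layout; NewKey stands in for loading the key
       file, and the namespace, account name, UID and secret name are con‐
       structed values. The --root-ca-file bundle is what gets placed beside
       such a token in the secret so the pod can verify the apiserver; it
       plays no part in signing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// SAClaims is this example's assumption about the claims in a legacy
// (secret-based) service account token; the man page does not specify them.
type SAClaims struct {
	Iss       string `json:"iss"`
	Sub       string `json:"sub"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Secret    string `json:"kubernetes.io/serviceaccount/secret.name"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
	UID       string `json:"kubernetes.io/serviceaccount/service-account.uid"`
}

const issuer = "kubernetes/serviceaccount"

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// NewKey stands in for the ECDSA P-256 key read from
// --service-account-private-key-file.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SignToken produces an ES256 JWT over the claims for one service account.
func SignToken(key *ecdsa.PrivateKey, ns, name, uid, secret string) (string, error) {
	c := SAClaims{Iss: issuer, Sub: "system:serviceaccount:" + ns + ":" + name,
		Namespace: ns, Secret: secret, Name: name, UID: uid}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) +
		"." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is fixed-width r||s, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the consumer side. The algorithm is pinned: the token's own
// "alg" is checked against ES256 but never used to choose a verifier, so a
// forged header cannot downgrade verification to "none" or to an HMAC.
func VerifyToken(pub *ecdsa.PublicKey, token string) (*SAClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected header or signing algorithm")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	var c SAClaims
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != issuer {
		return nil, errors.New("unexpected issuer")
	}
	return &c, nil
}
```

       Rotating the key file therefore invalidates every token signed with
       the old key unless the verifier still holds the old public half; keep
       that in mind before replacing the file on a running cluster.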
754
755
756 --service-cluster-ip-range="" CIDR Range for Services in cluster.
757 Requires --allocate-node-cidrs to be true.
758
759
760 --show-hidden-metrics-for-version="" The previous version for
761 which you want to show hidden metrics. Only the previous minor version
762 is meaningful, other values will not be allowed. The format is
763 <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
764 sure you have the opportunity to notice if the next release hides ad‐
765 ditional metrics, rather than being surprised when they are perma‐
766 nently removed in the release after that.
767
768
769 --terminated-pod-gc-threshold=12500 Number of terminated pods that
770 can exist before the terminated pod garbage collector starts deleting
771 terminated pods. If <= 0, the terminated pod garbage collector is dis‐
772 abled.
773
774
775 --tls-cert-file="" File containing the default x509 Certificate
776 for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
777 serving is enabled, and --tls-cert-file and --tls-private-key-file are
778 not provided, a self-signed certificate and key are generated for the
779 public address and saved to the directory specified by --cert-dir.
780
781
782 --tls-cipher-suites=[] Comma-separated list of cipher suites for
783 the server. If omitted, the default Go cipher suites will be used.
784 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
785 TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
786 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
787 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
788 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
789 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
790 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
791 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
792 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
793 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
794 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
795 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
796 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
797 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
798 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Inse‐
799 cure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
800 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
801 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
802 TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
803 TLS_RSA_WITH_RC4_128_SHA.
804
805
806 --tls-min-version="" Minimum TLS version supported. Possible val‐
807 ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
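
       How --tls-cipher-suites and --tls-min-version map onto Go's crypto/tls,
       as an added example (not the flag-parsing code of kube-controller-
       manager): the suite names above are exactly the names crypto/tls
       reports, with the "Preferred values" coming from tls.CipherSuites()
       and the "Insecure values" from tls.InsecureCipherSuites(). The parser
       resolves both but reports the insecure ones separately, and
       ServerConfig refuses to build a config that contains any of them,
       which is a stricter policy than accepting the value and is this
       example's choice.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// ParseTLSVersion maps a --tls-min-version value to a crypto/tls constant.
// "" means "leave the Go default in place" and is returned as 0.
func ParseTLSVersion(s string) (uint16, error) {
	switch s {
	case "":
		return 0, nil
	case "VersionTLS10":
		return tls.VersionTLS10, nil
	case "VersionTLS11":
		return tls.VersionTLS11, nil
	case "VersionTLS12":
		return tls.VersionTLS12, nil
	case "VersionTLS13":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unknown TLS version %q", s)
}

// ParseCipherSuites resolves a comma-separated --tls-cipher-suites value.
// Names from tls.CipherSuites() are accepted; names from
// tls.InsecureCipherSuites() are resolved but also listed in insecure so the
// caller can refuse them; anything else is an error. TLS 1.3 suites resolve
// as well, although Go ignores them in tls.Config.CipherSuites because 1.3
// suites are not configurable.
func ParseCipherSuites(list string) (ids []uint16, insecure []string, err error) {
	if strings.TrimSpace(list) == "" {
		return nil, nil, nil
	}
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	weak := map[string]uint16{}
	for _, cs := range tls.InsecureCipherSuites() {
		weak[cs.Name] = cs.ID
	}
	for _, name := range strings.Split(list, ",") {
		name = strings.TrimSpace(name)
		if id, ok := secure[name]; ok {
			ids = append(ids, id)
		} else if id, ok := weak[name]; ok {
			ids = append(ids, id)
			insecure = append(insecure, name)
		} else {
			return nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		}
	}
	return ids, insecure, nil
}

// ServerConfig turns the two flag values into a tls.Config and refuses to
// proceed with any insecure suite (this example's policy, not a warning).
func ServerConfig(minVersion, suites string) (*tls.Config, error) {
	v, err := ParseTLSVersion(minVersion)
	if err != nil {
		return nil, err
	}
	ids, insecure, err := ParseCipherSuites(suites)
	if err != nil {
		return nil, err
	}
	if len(insecure) > 0 {
		return nil, fmt.Errorf("refusing insecure cipher suites: %s", strings.Join(insecure, ", "))
	}
	return &tls.Config{MinVersion: v, CipherSuites: ids}, nil
}

func main() {
	for _, v := range []string{
		"TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA",
		"TLS_NOT_A_SUITE",
	} {
		_, err := ServerConfig("VersionTLS12", v)
		fmt.Printf("%-65s -> %v\n", v, err)
	}
}
```

       Note the spelling: --tls-min-version wants the Go constant names
       (VersionTLS12), not "1.2" or "TLSv1.2"; the parser rejects those so a
       typo cannot silently leave the minimum at the library default.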
808
809
810 --tls-private-key-file="" File containing the default x509 private
811 key matching --tls-cert-file.
812
813
814 --tls-sni-cert-key=[] A pair of x509 certificate and private key
815 file paths, optionally suffixed with a list of domain patterns which
816 are fully qualified domain names, possibly with prefixed wildcard seg‐
817 ments. The domain patterns also allow IP addresses, but IPs should only
818 be used if the apiserver has visibility to the IP address requested by
819 a client. If no domain patterns are provided, the names of the certifi‐
820 cate are extracted. Non-wildcard matches trump over wildcard matches,
821 explicit domain patterns trump over extracted names. For multiple
822 key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
823 ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
824
825
826 --unhealthy-zone-threshold=0.55 Fraction of Nodes in a zone which
827 needs to be not Ready (minimum 3) for zone to be treated as unhealthy.
828
829
830 --use-service-account-credentials=false If true, use individual
831 service account credentials for each controller.
832
833
834 -v, --v=0 number for the log level verbosity
835
836
837 --version=false Print version information and quit
838
839
840 --vmodule= comma-separated list of pattern=N settings for file-
841 filtered logging (only works for text log format)
842
843
844 --volume-host-allow-local-loopback=true If false, deny local loop‐
845 back IPs in addition to any CIDR ranges in --volume-host-cidr-denylist
846
847
848 --volume-host-cidr-denylist=[] A comma-separated list of CIDR
849 ranges that volume plugins must not connect to.
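
       The check the two --volume-host-* flags describe, as an added example
       in Go (not the volume plugin code of kube-controller-manager): a
       policy built from the comma-separated denylist plus the loopback
       switch, applied as a net.Dialer.Control hook so it runs on the address
       actually being connected to, after name resolution. The CIDRs and
       hosts below are constructed; the link-local range is the kind of
       destination such a denylist typically exists to keep volume plugins
       away from.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"syscall"
)

// HostPolicy is this example's model of --volume-host-cidr-denylist
// together with --volume-host-allow-local-loopback.
type HostPolicy struct {
	deny          []*net.IPNet
	allowLoopback bool
}

// NewHostPolicy parses the comma-separated denylist as the flag is spelled.
func NewHostPolicy(denylist string, allowLoopback bool) (*HostPolicy, error) {
	p := &HostPolicy{allowLoopback: allowLoopback}
	for _, s := range strings.Split(denylist, ",") {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q in denylist: %w", s, err)
		}
		p.deny = append(p.deny, n)
	}
	return p, nil
}

// Denied reports whether a resolved destination may not be contacted.
// Input that is not an IP literal fails closed.
func (p *HostPolicy) Denied(host string) bool {
	ip := net.ParseIP(strings.Trim(host, "[]"))
	if ip == nil {
		return true
	}
	if !p.allowLoopback && ip.IsLoopback() {
		return true
	}
	for _, n := range p.deny {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Dialer installs the policy as net.Dialer.Control, which runs after name
// resolution and before the connection is made, so the address checked is
// the one actually dialed rather than a separately resolved one.
func (p *HostPolicy) Dialer() *net.Dialer {
	return &net.Dialer{
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if p.Denied(host) {
				return fmt.Errorf("volume host %s is denied by policy", host)
			}
			return nil
		},
	}
}

func main() {
	p, err := NewHostPolicy("169.254.0.0/16,10.0.0.0/8", false) // constructed denylist
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"169.254.169.254", "127.0.0.1", "10.1.2.3", "203.0.113.7"} {
		fmt.Printf("%-16s denied=%v\n", h, p.Denied(h))
	}
}
```

       With --volume-host-allow-local-loopback=false the loopback check is
       added on top of the denylist, which is why Denied tests it separately
       rather than expecting 127.0.0.0/8 and ::1/128 to appear in the list.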
850
851
852
854 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
855 com) based on the kubernetes source material, but hopefully they have
856 been automatically generated since!
857
858
859
860Manuals User KUBERNETES(1)(kubernetes)