1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kube-scheduler -
10
14 kube-scheduler [OPTIONS]
15
19 The Kubernetes scheduler is a control plane process which assigns Pods
20 to Nodes. The scheduler determines which Nodes are valid placements for
21 each Pod in the scheduling queue according to constraints and available
22 resources. The scheduler then ranks each valid Node and binds the Pod
23 to a suitable Node. Multiple different schedulers may be used within a
24 cluster; kube-scheduler is the reference implementation. See schedul‐
25 ing ⟨https://kubernetes.io/docs/concepts/scheduling-eviction/⟩ for more
26 information about scheduling and the kube-scheduler component.
27
31 --allow-metric-labels=[] The map from metric-label to value allow-
32 list of this label. The key's format is ,. The value's format is
33 ,...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' met‐
34 ric2,label1='v1,v2,v3'.
35 --authentication-kubeconfig="" kubeconfig file pointing at the
38 'core' kubernetes server with enough rights to create tokenreviews.au‐
39 thentication.k8s.io. This is optional. If empty, all token requests are
40 considered to be anonymous and no client CA is looked up in the clus‐
41 ter.
42 --authentication-skip-lookup=false If false, the authentication-
45 kubeconfig will be used to lookup missing authentication configuration
46 from the cluster.
47 --authentication-token-webhook-cache-ttl=10s The duration to cache
50 responses from the webhook token authenticator.
51 --authentication-tolerate-lookup-failure=true If true, failures to
54 look up missing authentication configuration from the cluster are not
55 considered fatal. Note that this can result in authentication that
56 treats all requests as anonymous.
57 --authorization-always-allow-paths=[/healthz,/readyz,/livez] A
60 list of HTTP paths to skip during authorization, i.e. these are autho‐
61 rized without contacting the 'core' kubernetes server.
62 --authorization-kubeconfig="" kubeconfig file pointing at the
65 'core' kubernetes server with enough rights to create subjectaccessre‐
66 views.authorization.k8s.io. This is optional. If empty, all requests
67 not skipped by authorization are forbidden.
68 --authorization-webhook-cache-authorized-ttl=10s The duration to
71 cache 'authorized' responses from the webhook authorizer.
72 --authorization-webhook-cache-unauthorized-ttl=10s The duration to
75 cache 'unauthorized' responses from the webhook authorizer.
76 --azure-container-registry-config="" Path to the file containing
79 Azure container registry configuration information.
80 --bind-address=0.0.0.0 The IP address on which to listen for the
83 --secure-port port. The associated interface(s) must be reachable by
84 the rest of the cluster, and by CLI/web clients. If blank or an unspec‐
85 ified address (0.0.0.0 or ::), all interfaces will be used.
86 --cert-dir="" The directory where the TLS certs are located. If
89 --tls-cert-file and --tls-private-key-file are provided, this flag will
90 be ignored.
91 --client-ca-file="" If set, any request presenting a client cer‐
94 tificate signed by one of the authorities in the client-ca-file is au‐
95 thenticated with an identity corresponding to the CommonName of the
96 client certificate.
97 --config="" The path to the configuration file.
100 --contention-profiling=true DEPRECATED: enable block profiling, if
103 profiling is enabled. This parameter is ignored if a config file is
104 specified in --config.
105 --disabled-metrics=[] This flag provides an escape hatch for mis‐
108 behaving metrics. You must provide the fully qualified metric name in
109 order to disable it. Disclaimer: disabling metrics is higher in prece‐
110 dence than showing hidden metrics.
111 --feature-gates= A set of key=value pairs that describe feature
114 gates for alpha/experimental features. Options are: APIListChunk‐
115 ing=true|false (BETA - default=true) APIPriorityAndFairness=true|false
116 (BETA - default=true) APIResponseCompression=true|false (BETA - de‐
117 fault=true) APISelfSubjectReview=true|false (BETA - default=true) APIS‐
118 erverIdentity=true|false (BETA - default=true) APIServerTrac‐
119 ing=true|false (BETA - default=true) AdmissionWebhookMatchCondi‐
120 tions=true|false (ALPHA - default=false) AggregatedDiscoveryEnd‐
121 point=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - de‐
122 fault=false) AllBeta=true|false (BETA - default=false) AnyVolumeData‐
123 Source=true|false (BETA - default=true) AppArmor=true|false (BETA - de‐
124 fault=true) CPUManagerPolicyAlphaOptions=true|false (ALPHA - de‐
125 fault=false) CPUManagerPolicyBetaOptions=true|false (BETA - de‐
126 fault=true) CPUManagerPolicyOptions=true|false (BETA - default=true)
127 CSIMigrationPortworx=true|false (BETA - default=false) CSIMigra‐
128 tionRBD=true|false (ALPHA - default=false) CSINodeExpandSe‐
129 cret=true|false (BETA - default=true) CSIVolumeHealth=true|false (ALPHA
130 - default=false) CloudControllerManagerWebhook=true|false (ALPHA - de‐
131 fault=false) CloudDualStackNodeIPs=true|false (ALPHA - default=false)
132 ClusterTrustBundle=true|false (ALPHA - default=false) Compo‐
133 nentSLIs=true|false (BETA - default=true) ContainerCheck‐
134 point=true|false (ALPHA - default=false) ContextualLogging=true|false
135 (ALPHA - default=false) CrossNamespaceVolumeDataSource=true|false (AL‐
136 PHA - default=false) CustomCPUCFSQuotaPeriod=true|false (ALPHA - de‐
137 fault=false) CustomResourceValidationExpressions=true|false (BETA - de‐
138 fault=true) DisableCloudProviders=true|false (ALPHA - default=false)
139 DisableKubeletCloudCredentialProviders=true|false (ALPHA - de‐
140 fault=false) DynamicResourceAllocation=true|false (ALPHA - de‐
141 fault=false) ElasticIndexedJob=true|false (BETA - default=true) Event‐
142 edPLEG=true|false (BETA - default=false) ExpandedDNSConfig=true|false
143 (BETA - default=true) ExperimentalHostUserNamespaceDefault‐
144 ing=true|false (BETA - default=false) GracefulNodeShutdown=true|false
145 (BETA - default=true) GracefulNodeShutdownBasedOnPodPriority=true|false
146 (BETA - default=true) HPAContainerMetrics=true|false (BETA - de‐
147 fault=true) HPAScaleToZero=true|false (ALPHA - default=false) Honor‐
148 PVReclaimPolicy=true|false (ALPHA - default=false) IPTablesOwnership‐
149 Cleanup=true|false (BETA - default=true) InPlacePodVerticalScal‐
150 ing=true|false (ALPHA - default=false) InTreePluginAWSUnregis‐
151 ter=true|false (ALPHA - default=false) InTreePluginAzureDiskUnregis‐
152 ter=true|false (ALPHA - default=false) InTreePluginAzureFileUnregis‐
153 ter=true|false (ALPHA - default=false) InTreePluginGCEUnregis‐
154 ter=true|false (ALPHA - default=false) InTreePluginOpenStackUnregis‐
155 ter=true|false (ALPHA - default=false) InTreePluginPortworxUnregis‐
156 ter=true|false (ALPHA - default=false) InTreePluginRBDUnregis‐
157 ter=true|false (ALPHA - default=false) InTreePluginvSphereUnregis‐
158 ter=true|false (ALPHA - default=false) JobPodFailurePolicy=true|false
159 (BETA - default=true) JobReadyPods=true|false (BETA - default=true)
160 KMSv2=true|false (BETA - default=true) KubeletInUserNames‐
161 pace=true|false (ALPHA - default=false) KubeletPodResources=true|false
162 (BETA - default=true) KubeletPodResourcesDynamicResources=true|false
163 (ALPHA - default=false) KubeletPodResourcesGet=true|false (ALPHA - de‐
164 fault=false) KubeletPodResourcesGetAllocatable=true|false (BETA - de‐
165 fault=true) KubeletTracing=true|false (BETA - default=true) LegacySer‐
166 viceAccountTokenTracking=true|false (BETA - default=true) LocalStorage‐
167 CapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
168 LogarithmicScaleDown=true|false (BETA - default=true) LoggingAlphaOp‐
169 tions=true|false (ALPHA - default=false) LoggingBetaOptions=true|false
170 (BETA - default=true) MatchLabelKeysInPodTopologySpread=true|false
171 (BETA - default=true) MaxUnavailableStatefulSet=true|false (ALPHA - de‐
172 fault=false) MemoryManager=true|false (BETA - default=true) Memo‐
173 ryQoS=true|false (ALPHA - default=false) MinDomainsInPodTopolo‐
174 gySpread=true|false (BETA - default=true) MinimizeIPTablesRe‐
175 store=true|false (BETA - default=true) MultiCIDRRangeAlloca‐
176 tor=true|false (ALPHA - default=false) MultiCIDRServiceAlloca‐
177 tor=true|false (ALPHA - default=false) NetworkPolicyStatus=true|false
178 (ALPHA - default=false) NewVolumeManagerReconstruction=true|false (BETA
179 - default=false) NodeInclusionPolicyInPodTopologySpread=true|false
180 (BETA - default=true) NodeLogQuery=true|false (ALPHA - default=false)
181 NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
182 NodeSwap=true|false (ALPHA - default=false) OpenAPIEnums=true|false
183 (BETA - default=true) PDBUnhealthyPodEvictionPolicy=true|false (BETA -
184 default=true) PodAndContainerStatsFromCRI=true|false (ALPHA - de‐
185 fault=false) PodDeletionCost=true|false (BETA - default=true) PodDis‐
186 ruptionConditions=true|false (BETA - default=true) PodHasNetworkCondi‐
187 tion=true|false (ALPHA - default=false) PodSchedulingReadi‐
188 ness=true|false (BETA - default=true) ProbeTerminationGracePe‐
189 riod=true|false (BETA - default=true) ProcMountType=true|false (ALPHA -
190 default=false) ProxyTerminatingEndpoints=true|false (BETA - de‐
191 fault=true) QOSReserved=true|false (ALPHA - default=false) ReadWriteOn‐
192 cePod=true|false (BETA - default=true) RecoverVolumeExpansionFail‐
193 ure=true|false (ALPHA - default=false) RemainingItemCount=true|false
194 (BETA - default=true) RetroactiveDefaultStorageClass=true|false (BETA -
195 default=true) RotateKubeletServerCertificate=true|false (BETA - de‐
196 fault=true) SELinuxMountReadWriteOncePod=true|false (BETA - de‐
197 fault=false) SecurityContextDeny=true|false (ALPHA - default=false)
198 ServiceNodePortStaticSubrange=true|false (ALPHA - default=false) Size‐
199 MemoryBackedVolumes=true|false (BETA - default=true) StableLoadBal‐
200 ancerNodeSet=true|false (BETA - default=true) StatefulSetAu‐
201 toDeletePVC=true|false (BETA - default=true) StatefulSetStartOrdi‐
202 nal=true|false (BETA - default=true) StorageVersionAPI=true|false (AL‐
203 PHA - default=false) StorageVersionHash=true|false (BETA - de‐
204 fault=true) TopologyAwareHints=true|false (BETA - default=true) Topolo‐
205 gyManagerPolicyAlphaOptions=true|false (ALPHA - default=false) Topolo‐
206 gyManagerPolicyBetaOptions=true|false (BETA - default=false) Topology‐
207 ManagerPolicyOptions=true|false (ALPHA - default=false) Unauthenticat‐
208 edHTTP2DOSMitigation=true|false (BETA - default=false) UserNames‐
209 pacesStatelessPodsSupport=true|false (ALPHA - default=false) Validatin‐
210 gAdmissionPolicy=true|false (ALPHA - default=false) VolumeCapacityPri‐
211 ority=true|false (ALPHA - default=false) WatchList=true|false (ALPHA -
212 default=false) WinDSR=true|false (ALPHA - default=false) WinOver‐
213 lay=true|false (BETA - default=true) WindowsHostNetwork=true|false (AL‐
214 PHA - default=true)
215 -h, --help=false help for kube-scheduler
218 --http2-max-streams-per-connection=0 The limit that the server
221 gives to clients for the maximum number of streams in an HTTP/2 connec‐
222 tion. Zero means to use golang's default.
223 --kube-api-burst=100 DEPRECATED: burst to use while talking with
226 kubernetes apiserver. This parameter is ignored if a config file is
227 specified in --config.
228 --kube-api-content-type="application/vnd.kubernetes.protobuf" DEP‐
231 RECATED: content type of requests sent to apiserver. This parameter is
232 ignored if a config file is specified in --config.
233 --kube-api-qps=50 DEPRECATED: QPS to use while talking with kuber‐
236 netes apiserver. This parameter is ignored if a config file is speci‐
237 fied in --config.
238 --kubeconfig="" DEPRECATED: path to kubeconfig file with autho‐
241 rization and master location information. This parameter is ignored if
242 a config file is specified in --config.
243 --leader-elect=true Start a leader election client and gain lead‐
246 ership before executing the main loop. Enable this when running repli‐
247 cated components for high availability.
248 --leader-elect-lease-duration=15s The duration that non-leader
251 candidates will wait after observing a leadership renewal until at‐
252 tempting to acquire leadership of a led but unrenewed leader slot. This
253 is effectively the maximum duration that a leader can be stopped before
254 it is replaced by another candidate. This is only applicable if leader
255 election is enabled.
256 --leader-elect-renew-deadline=10s The interval between attempts by
259 the acting master to renew a leadership slot before it stops leading.
260 This must be less than the lease duration. This is only applicable if
261 leader election is enabled.
262 --leader-elect-resource-lock="leases" The type of resource object
265 that is used for locking during leader election. Supported options are
266 'leases', 'endpointsleases' and 'configmapsleases'.
267 --leader-elect-resource-name="kube-scheduler" The name of resource
270 object that is used for locking during leader election.
271 --leader-elect-resource-namespace="kube-system" The namespace of
274 resource object that is used for locking during leader election.
275 --leader-elect-retry-period=2s The duration the clients should
278 wait between attempting acquisition and renewal of a leadership. This
279 is only applicable if leader election is enabled.
280 --lock-object-name="kube-scheduler" DEPRECATED: define the name of
283 the lock object. Will be removed in favor of leader-elect-resource-
284 name. This parameter is ignored if a config file is specified in --con‐
285 fig.
286 --lock-object-namespace="kube-system" DEPRECATED: define the name‐
289 space of the lock object. Will be removed in favor of leader-elect-re‐
290 source-namespace. This parameter is ignored if a config file is speci‐
291 fied in --config.
292 --log-flush-frequency=5s Maximum number of seconds between log
295 flushes
296 --logging-format="text" Sets the log format. Permitted formats:
299 "text".
300 --master="" The address of the Kubernetes API server (overrides
303 any value in kubeconfig)
304 --permit-address-sharing=false If true, SO_REUSEADDR will be used
307 when binding the port. This allows binding to wildcard IPs like 0.0.0.0
308 and specific IPs in parallel, and it avoids waiting for the kernel to
309 release sockets in TIME_WAIT state. [default=false]
310 --permit-port-sharing=false If true, SO_REUSEPORT will be used
313 when binding the port, which allows more than one instance to bind on
314 the same address and port. [default=false]
315 --pod-max-in-unschedulable-pods-duration=5m0s DEPRECATED: the max‐
318 imum time a pod can stay in unschedulablePods. If a pod stays in un‐
319 schedulablePods for longer than this value, the pod will be moved from
320 unschedulablePods to backoffQ or activeQ. This flag is deprecated and
321 will be removed in 1.26
322 --profiling=true DEPRECATED: enable profiling via web interface
325 host:port/debug/pprof/. This parameter is ignored if a config file is
326 specified in --config.
327 --requestheader-allowed-names=[] List of client certificate common
330 names to allow to provide usernames in headers specified by --request‐
331 header-username-headers. If empty, any client certificate validated by
332 the authorities in --requestheader-client-ca-file is allowed.
333 --requestheader-client-ca-file="" Root certificate bundle to use
336 to verify client certificates on incoming requests before trusting
337 usernames in headers specified by --requestheader-username-headers.
338 WARNING: generally do not depend on authorization being already done
339 for incoming requests.
340 --requestheader-extra-headers-prefix=[x-remote-extra-] List of re‐
343 quest header prefixes to inspect. X-Remote-Extra- is suggested.
344 --requestheader-group-headers=[x-remote-group] List of request
347 headers to inspect for groups. X-Remote-Group is suggested.
348 --requestheader-username-headers=[x-remote-user] List of request
351 headers to inspect for usernames. X-Remote-User is common.
352 --secure-port=10259 The port on which to serve HTTPS with authen‐
355 tication and authorization. If 0, don't serve HTTPS at all.
356 --show-hidden-metrics-for-version="" The previous version for
359 which you want to show hidden metrics. Only the previous minor version
360 is meaningful, other values will not be allowed. The format is ., e.g.:
361 '1.16'. The purpose of this format is make sure you have the opportu‐
362 nity to notice if the next release hides additional metrics, rather
363 than being surprised when they are permanently removed in the release
364 after that.
365 --tls-cert-file="" File containing the default x509 Certificate
368 for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS
369 serving is enabled, and --tls-cert-file and --tls-private-key-file are
370 not provided, a self-signed certificate and key are generated for the
371 public address and saved to the directory specified by --cert-dir.
372 --tls-cipher-suites=[] Comma-separated list of cipher suites for
375 the server. If omitted, the default Go cipher suites will be used.
376 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
377 TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
378 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
379 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
380 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
381 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
382 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
383 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
385 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
386 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
387 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
388 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
389 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
390 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Inse‐
391 cure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
392 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
393 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
394 TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
395 TLS_RSA_WITH_RC4_128_SHA.
396 --tls-min-version="" Minimum TLS version supported. Possible val‐
399 ues: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
400 --tls-private-key-file="" File containing the default x509 private
403 key matching --tls-cert-file.
404 --tls-sni-cert-key=[] A pair of x509 certificate and private key
407 file paths, optionally suffixed with a list of domain patterns which
408 are fully qualified domain names, possibly with prefixed wildcard seg‐
409 ments. The domain patterns also allow IP addresses, but IPs should only
410 be used if the apiserver has visibility to the IP address requested by
411 a client. If no domain patterns are provided, the names of the certifi‐
412 cate are extracted. Non-wildcard matches trump over wildcard matches,
413 explicit domain patterns trump over extracted names. For multiple
414 key/certificate pairs, use the --tls-sni-cert-key multiple times. Exam‐
415 ples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
416 -v, --v=0 number for the log level verbosity
419 --version=false Print version information and quit
422 --vmodule= comma-separated list of pattern=N settings for file-
425 filtered logging (only works for text log format)
426 --write-config-to="" If set, write the configuration values to
429 this file and exit.
430
434 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
435 com) based on the kubernetes source material, but hopefully they have
436 been automatically generated since!
437Manuals User KUBERNETES(1)(kubernetes)