kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #25346 from howieyuen/command-line-tools-2 

[zh] sync kube-controller-manager, kube-proxy and kubelet-authentication-authorization
pull/25363/head
Kubernetes Prow Robot 2020-12-02 19:25:00 -08:00 committed by GitHub
parent 810ff1d80f 05381f6078
commit e7ef8fd8c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 773 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

423
content/zh/docs/reference/command-line-tools-reference/kube-controller-manager.md
View File

@ -262,6 +262,23 @@ kube-controller-manager [flags]
<td></td><td style="line-height: 130%; word-wrap: break-word;">包含 PEM 编码格式的 X509 CA 证书的文件名。该证书用来发放集群范围的证书。</td>
</tr>
<tr>
<td colspan="2">
<!--
--cluster-signing-duration duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 8760h0m0s
-->
--cluster-signing-duration duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: 8760h0m0s
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The length of duration signed certificates will be given.
-->
所签名证书的有效期限。
</td>
</tr>
<tr>
<!-- td colspan="2">--cluster-signing-key-file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/ca/ca.key"</td -->
<td colspan="2">--cluster-signing-key-file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值:"/etc/kubernetes/ca/ca.key"</td>
@ -271,6 +288,118 @@ kube-controller-manager [flags]
<td></td><td style="line-height: 130%; word-wrap: break-word;">包含 PEM 编码的 RSA 或 ECDSA 私钥的文件名。该私钥用来对集群范围证书签名。</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-kube-apiserver-client-cert-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 X509 CA 证书的文件名,
该证书用于为 kubernetes.io/kube-apiserver-client 签署者颁发证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-kube-apiserver-client-key-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 RSA 或 ECDSA 私钥的文件名,
该私钥用于为 kubernetes.io/kube-apiserver-client 签署者签名证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-kubelet-client-cert-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 X509 CA 证书的文件名,
该证书用于为 kubernetes.io/kube-apiserver-client-kubelet 签署者颁发证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-kubelet-client-key-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 RSA 或 ECDSA 私钥的文件名,
该私钥用于为 kubernetes.io/kube-apiserver-client-kubelet 签署者签名证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-kubelet-serving-cert-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 X509 CA 证书的文件名,
该证书用于为 kubernetes.io/kubelet-serving 签署者颁发证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-kubelet-serving-key-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 RSA或ECDSA 私钥的文件名,
该私钥用于对 kubernetes.io/kubelet-serving 签署者的证书进行签名。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-legacy-unknown-cert-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 X509 CA 证书的文件名,
用于为 kubernetes.io/legacy-unknown 签署者颁发证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<td colspan="2">--cluster-signing-legacy-unknown-key-file string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.
-->
包含 PEM 编码的 RSA 或 ECDSA 私钥的文件名,
用于为 kubernetes.io/legacy-unknown 签署者签名证书。
如果指定,则不得设置 --cluster-signing-{cert,key}-file。
</td>
</tr>
<tr>
<!-- td colspan="2">--concurrent-deployment-syncs int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5</td -->
<td colspan="2">--concurrent-deployment-syncs int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值5</td>
@ -409,9 +538,9 @@ kube-controller-manager [flags]
<td colspan="2">--controllers stringSlice&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值:[*]</td>
</tr>
<tr>
<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.<br/>All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished<br/>Disabled-by-default controllers: bootstrapsigner, tokencleaner</td -->
<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.<br/>All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished<br/>Disabled-by-default controllers: bootstrapsigner, tokencleaner</td> -->
<td></td><td style="line-height: 130%; word-wrap: break-word;">要启用的控制器列表。* 表示启用所有默认启用的控制器foo 启用名为 foo 的控制器;-foo 表示禁用名为 foo 的控制器。<br/>
控制器的全集attachdetach、bootstrapsigner、cloud-node-lifecycle、clusterrole-aggregation、cronjob、csrapproving、csrcleaner、csrsigning、daemonset、deployment、disruption、endpoint、endpointslice、garbagecollector、horizontalpodautoscaling、job、namespace、nodeipam、nodelifecycle、persistentvolume-binder、persistentvolume-expander、podgc、pv-protection、pvc-protection、replicaset、replicationcontroller、resourcequota、root-ca-cert-publisher、route、service、serviceaccount、serviceaccount-token、statefulset、tokencleaner、ttl、ttl-after-finished<br/>
控制器的全集attachdetach、bootstrapsigner、cloud-node-lifecycle、clusterrole-aggregation、cronjob、csrapproving、csrcleaner、csrsigning、daemonset、deployment、disruption、endpoint、endpointslice、endpointslicemirroring、ephemeral-volume、garbagecollector、horizontalpodautoscaling、job、namespace、nodeipam、nodelifecycle、persistentvolume-binder、persistentvolume-expander、podgc、pv-protection、pvc-protection、replicaset、replicationcontroller、resourcequota、root-ca-cert-publisher、route、service、serviceaccount、serviceaccount-token、statefulset、tokencleaner、ttl、ttl-after-finished<br/>
默认禁用的控制器有bootstrapsigner 和 tokencleaner。</td>
</tr>
@ -482,14 +611,6 @@ kube-controller-manager [flags]
<td></td><td style="line-height: 130%; word-wrap: break-word;">端点片段Endpoint Slice批量更新周期时长。对 Pods 变更的处理会被延迟,以便将其与即将到来的更新操作合并,从而减少端点更新操作次数。较大的数值意味着端点更新的迟滞时间会增长,也意味着所生成的端点版本个数会变少。</td>
</tr>
<tr>
<!-- td colspan="2">--experimental-cluster-signing-duration duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 8760h0m0s</td -->
<td colspan="2">--experimental-cluster-signing-duration duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值8760h0m0s</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">所签署的证书的有效期时长。</td>
</tr>
<tr>
<td colspan="2">--external-cloud-volume-plugin string</td>
</tr>
@ -502,8 +623,180 @@ kube-controller-manager [flags]
<td colspan="2">--feature-gates mapStringBool</td>
</tr>
<tr>
<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br/>APIListChunking=true|false (BETA - default=true)<br/>APIPriorityAndFairness=true|false (ALPHA - default=false)<br/>APIResponseCompression=true|false (BETA - default=true)<br/>AllAlpha=true|false (ALPHA - default=false)<br/>AllBeta=true|false (BETA - default=false)<br/>AllowInsecureBackendProxy=true|false (BETA - default=true)<br/>AnyVolumeDataSource=true|false (ALPHA - default=false)<br/>AppArmor=true|false (BETA - default=true)<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)<br/>CPUManager=true|false (BETA - default=true)<br/>CRIContainerLogRotation=true|false (BETA - default=true)<br/>CSIInlineVolume=true|false (BETA - default=true)<br/>CSIMigration=true|false (BETA - default=true)<br/>CSIMigrationAWS=true|false (BETA - default=false)<br/>CSIMigrationAWSComplete=true|false (ALPHA - default=false)<br/>CSIMigrationAzureDisk=true|false (ALPHA - default=false)<br/>CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)<br/>CSIMigrationAzureFile=true|false (ALPHA - default=false)<br/>CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)<br/>CSIMigrationGCE=true|false (BETA - default=false)<br/>CSIMigrationGCEComplete=true|false (ALPHA - default=false)<br/>CSIMigrationOpenStack=true|false (BETA - default=false)<br/>CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)<br/>ConfigurableFSGroupPolicy=true|false (ALPHA - default=false)<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>DefaultIngressClass=true|false (BETA - default=true)<br/>DevicePlugins=true|false (BETA - default=true)<br/>DryRun=true|false (BETA - default=true)<br/>DynamicAuditing=true|false (ALPHA - default=false)<br/>DynamicKubeletConfig=true|false (BETA - default=true)<br/>EndpointSlice=true|false (BETA - default=true)<br/>EndpointSliceProxying=true|false (ALPHA - default=false)<br/>EphemeralContainers=true|false (ALPHA - default=false)<br/>EvenPodsSpread=true|false (BETA - default=true)<br/>ExpandCSIVolumes=true|false (BETA - default=true)<br/>ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>ExpandPersistentVolumes=true|false (BETA - default=true)<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>HPAScaleToZero=true|false (ALPHA - default=false)<br/>HugePageStorageMediumSize=true|false (ALPHA - default=false)<br/>HyperVContainer=true|false (ALPHA - default=false)<br/>IPv6DualStack=true|false (ALPHA - default=false)<br/>ImmutableEphemeralVolumes=true|false (ALPHA - default=false)<br/>KubeletPodResources=true|false (BETA - default=true)<br/>LegacyNodeRoleBehavior=true|false (ALPHA - default=true)<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>NodeDisruptionExclusion=true|false (ALPHA - default=false)<br/>NonPreemptingPriority=true|false (ALPHA - default=false)<br/>PodDisruptionBudget=true|false (BETA - default=true)<br/>PodOverhead=true|false (BETA - default=true)<br/>ProcMountType=true|false (ALPHA - default=false)<br/>QOSReserved=true|false (ALPHA - default=false)<br/>RemainingItemCount=true|false (BETA - default=true)<br/>RemoveSelfLink=true|false (ALPHA - default=false)<br/>ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)<br/>RotateKubeletClientCertificate=true|false (BETA - default=true)<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>RunAsGroup=true|false (BETA - default=true)<br/>RuntimeClass=true|false (BETA - default=true)<br/>SCTPSupport=true|false (ALPHA - default=false)<br/>SelectorIndex=true|false (ALPHA - default=false)<br/>ServerSideApply=true|false (BETA - default=true)<br/>ServiceAccountIssuerDiscovery=true|false (ALPHA - default=false)<br/>ServiceAppProtocol=true|false (ALPHA - default=false)<br/>ServiceNodeExclusion=true|false (ALPHA - default=false)<br/>ServiceTopology=true|false (ALPHA - default=false)<br/>StartupProbe=true|false (BETA - default=true)<br/>StorageVersionHash=true|false (BETA - default=true)<br/>SupportNodePidsLimit=true|false (BETA - default=true)<br/>SupportPodPidsLimit=true|false (BETA - default=true)<br/>Sysctls=true|false (BETA - default=true)<br/>TTLAfterFinished=true|false (ALPHA - default=false)<br/>TokenRequest=true|false (BETA - default=true)<br/>TokenRequestProjection=true|false (BETA - default=true)<br/>TopologyManager=true|false (BETA - default=true)<br/>ValidateProxyRedirects=true|false (BETA - default=true)<br/>VolumeSnapshotDataSource=true|false (BETA - default=true)<br/>WinDSR=true|false (ALPHA - default=false)<br/>WinOverlay=true|false (ALPHA - default=false)</td -->
<td></td><td style="line-height: 130%; word-wrap: break-word;">一组 key=value 耦对,用来描述测试性/试验性功能的特性门控Feature Gate。可选项有<br/>APIListChunking=true|false (BETA - default=true)<br/>APIPriorityAndFairness=true|false (ALPHA - default=false)<br/>APIResponseCompression=true|false (BETA - default=true)<br/>AllAlpha=true|false (ALPHA - default=false)<br/>AllBeta=true|false (BETA - default=false)<br/>AllowInsecureBackendProxy=true|false (BETA - default=true)<br/>AnyVolumeDataSource=true|false (ALPHA - default=false)<br/>AppArmor=true|false (BETA - default=true)<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)<br/>CPUManager=true|false (BETA - default=true)<br/>CRIContainerLogRotation=true|false (BETA - default=true)<br/>CSIInlineVolume=true|false (BETA - default=true)<br/>CSIMigration=true|false (BETA - default=true)<br/>CSIMigrationAWS=true|false (BETA - default=false)<br/>CSIMigrationAWSComplete=true|false (ALPHA - default=false)<br/>CSIMigrationAzureDisk=true|false (ALPHA - default=false)<br/>CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)<br/>CSIMigrationAzureFile=true|false (ALPHA - default=false)<br/>CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)<br/>CSIMigrationGCE=true|false (BETA - default=false)<br/>CSIMigrationGCEComplete=true|false (ALPHA - default=false)<br/>CSIMigrationOpenStack=true|false (BETA - default=false)<br/>CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)<br/>ConfigurableFSGroupPolicy=true|false (ALPHA - default=false)<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>DefaultIngressClass=true|false (BETA - default=true)<br/>DevicePlugins=true|false (BETA - default=true)<br/>DryRun=true|false (BETA - default=true)<br/>DynamicAuditing=true|false (ALPHA - default=false)<br/>DynamicKubeletConfig=true|false (BETA - default=true)<br/>EndpointSlice=true|false (BETA - default=true)<br/>EndpointSliceProxying=true|false (ALPHA - default=false)<br/>EphemeralContainers=true|false (ALPHA - default=false)<br/>EvenPodsSpread=true|false (BETA - default=true)<br/>ExpandCSIVolumes=true|false (BETA - default=true)<br/>ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>ExpandPersistentVolumes=true|false (BETA - default=true)<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>HPAScaleToZero=true|false (ALPHA - default=false)<br/>HugePageStorageMediumSize=true|false (ALPHA - default=false)<br/>HyperVContainer=true|false (ALPHA - default=false)<br/>IPv6DualStack=true|false (ALPHA - default=false)<br/>ImmutableEphemeralVolumes=true|false (ALPHA - default=false)<br/>KubeletPodResources=true|false (BETA - default=true)<br/>LegacyNodeRoleBehavior=true|false (ALPHA - default=true)<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>NodeDisruptionExclusion=true|false (ALPHA - default=false)<br/>NonPreemptingPriority=true|false (ALPHA - default=false)<br/>PodDisruptionBudget=true|false (BETA - default=true)<br/>PodOverhead=true|false (BETA - default=true)<br/>ProcMountType=true|false (ALPHA - default=false)<br/>QOSReserved=true|false (ALPHA - default=false)<br/>RemainingItemCount=true|false (BETA - default=true)<br/>RemoveSelfLink=true|false (ALPHA - default=false)<br/>ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)<br/>RotateKubeletClientCertificate=true|false (BETA - default=true)<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>RunAsGroup=true|false (BETA - default=true)<br/>RuntimeClass=true|false (BETA - default=true)<br/>SCTPSupport=true|false (ALPHA - default=false)<br/>SelectorIndex=true|false (ALPHA - default=false)<br/>ServerSideApply=true|false (BETA - default=true)<br/>ServiceAccountIssuerDiscovery=true|false (ALPHA - default=false)<br/>ServiceAppProtocol=true|false (ALPHA - default=false)<br/>ServiceNodeExclusion=true|false (ALPHA - default=false)<br/>ServiceTopology=true|false (ALPHA - default=false)<br/>StartupProbe=true|false (BETA - default=true)<br/>StorageVersionHash=true|false (BETA - default=true)<br/>SupportNodePidsLimit=true|false (BETA - default=true)<br/>SupportPodPidsLimit=true|false (BETA - default=true)<br/>Sysctls=true|false (BETA - default=true)<br/>TTLAfterFinished=true|false (ALPHA - default=false)<br/>TokenRequest=true|false (BETA - default=true)<br/>TokenRequestProjection=true|false (BETA - default=true)<br/>TopologyManager=true|false (BETA - default=true)<br/>ValidateProxyRedirects=true|false (BETA - default=true)<br/>VolumeSnapshotDataSource=true|false (BETA - default=true)<br/>WinDSR=true|false (ALPHA - default=false)<br/>WinOverlay=true|false (ALPHA - default=false)</td>
<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
<br/>APIListChunking=true|false (BETA - default=true)
<br/>APIPriorityAndFairness=true|false (ALPHA - default=false)
<br/>APIResponseCompression=true|false (BETA - default=true)
<br/>AllAlpha=true|false (ALPHA - default=false)
<br/>AllBeta=true|false (BETA - default=false)
<br/>AllowInsecureBackendProxy=true|false (BETA - default=true)
<br/>AnyVolumeDataSource=true|false (ALPHA - default=false)
<br/>AppArmor=true|false (BETA - default=true)
<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
<br/>CPUManager=true|false (BETA - default=true)
<br/>CRIContainerLogRotation=true|false (BETA - default=true)
<br/>CSIInlineVolume=true|false (BETA - default=true)
<br/>CSIMigration=true|false (BETA - default=true)
<br/>CSIMigrationAWS=true|false (BETA - default=false)
<br/>CSIMigrationAWSComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationAzureDisk=true|false (BETA - default=false)
<br/>CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationAzureFile=true|false (ALPHA - default=false)
<br/>CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationGCE=true|false (BETA - default=false)
<br/>CSIMigrationGCEComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationOpenStack=true|false (BETA - default=false)
<br/>CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationvSphere=true|false (BETA - default=false)
<br/>CSIMigrationvSphereComplete=true|false (BETA - default=false)
<br/>CSIStorageCapacity=true|false (ALPHA - default=false)
<br/>CSIVolumeFSGroupPolicy=true|false (ALPHA - default=false)
<br/>ConfigurableFSGroupPolicy=true|false (ALPHA - default=false)
<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
<br/>DefaultPodTopologySpread=true|false (ALPHA - default=false)
<br/>DevicePlugins=true|false (BETA - default=true)
<br/>DisableAcceleratorUsageMetrics=true|false (ALPHA - default=false)
<br/>DynamicKubeletConfig=true|false (BETA - default=true)
<br/>EndpointSlice=true|false (BETA - default=true)
<br/>EndpointSliceProxying=true|false (BETA - default=true)
<br/>EphemeralContainers=true|false (ALPHA - default=false)
<br/>ExpandCSIVolumes=true|false (BETA - default=true)
<br/>ExpandInUsePersistentVolumes=true|false (BETA - default=true)
<br/>ExpandPersistentVolumes=true|false (BETA - default=true)
<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
<br/>GenericEphemeralVolume=true|false (ALPHA - default=false)
<br/>HPAScaleToZero=true|false (ALPHA - default=false)
<br/>HugePageStorageMediumSize=true|false (BETA - default=true)
<br/>HyperVContainer=true|false (ALPHA - default=false)
<br/>IPv6DualStack=true|false (ALPHA - default=false)
<br/>ImmutableEphemeralVolumes=true|false (BETA - default=true)
<br/>KubeletPodResources=true|false (BETA - default=true)
<br/>LegacyNodeRoleBehavior=true|false (BETA - default=true)
<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)
<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
<br/>NodeDisruptionExclusion=true|false (BETA - default=true)
<br/>NonPreemptingPriority=true|false (BETA - default=true)
<br/>PodDisruptionBudget=true|false (BETA - default=true)
<br/>PodOverhead=true|false (BETA - default=true)
<br/>ProcMountType=true|false (ALPHA - default=false)
<br/>QOSReserved=true|false (ALPHA - default=false)
<br/>RemainingItemCount=true|false (BETA - default=true)
<br/>RemoveSelfLink=true|false (ALPHA - default=false)
<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)
<br/>RunAsGroup=true|false (BETA - default=true)
<br/>RuntimeClass=true|false (BETA - default=true)
<br/>SCTPSupport=true|false (BETA - default=true)
<br/>SelectorIndex=true|false (BETA - default=true)
<br/>ServerSideApply=true|false (BETA - default=true)
<br/>ServiceAccountIssuerDiscovery=true|false (ALPHA - default=false)
<br/>ServiceAppProtocol=true|false (BETA - default=true)
<br/>ServiceNodeExclusion=true|false (BETA - default=true)
<br/>ServiceTopology=true|false (ALPHA - default=false)
<br/>SetHostnameAsFQDN=true|false (ALPHA - default=false)
<br/>StartupProbe=true|false (BETA - default=true)
<br/>StorageVersionHash=true|false (BETA - default=true)
<br/>SupportNodePidsLimit=true|false (BETA - default=true)
<br/>SupportPodPidsLimit=true|false (BETA - default=true)
<br/>Sysctls=true|false (BETA - default=true)
<br/>TTLAfterFinished=true|false (ALPHA - default=false)
<br/>TokenRequest=true|false (BETA - default=true)
<br/>TokenRequestProjection=true|false (BETA - default=true)
<br/>TopologyManager=true|false (BETA - default=true)
<br/>ValidateProxyRedirects=true|false (BETA - default=true)
<br/>VolumeSnapshotDataSource=true|false (BETA - default=true)
<br/>WarningHeaders=true|false (BETA - default=true)
<br/>WinDSR=true|false (ALPHA - default=false)
<br/>WinOverlay=true|false (ALPHA - default=false)
<br/>WindowsEndpointSliceProxying=true|false (ALPHA - default=false)
</td> -->
<td></td><td style="line-height: 130%; word-wrap: break-word;">一组 key=value 对,用来描述测试性/试验性功能的特性门控Feature Gate。可选项有
<br/>APIListChunking=true|false (BETA - 默认值=true)
<br/>APIPriorityAndFairness=true|false (ALPHA - 默认值=false)
<br/>APIResponseCompression=true|false (BETA - 默认值=true)
<br/>AllAlpha=true|false (ALPHA - 默认值=false)
<br/>AllBeta=true|false (BETA - 默认值=false)
<br/>AllowInsecureBackendProxy=true|false (BETA - 默认值=true)
<br/>AnyVolumeDataSource=true|false (ALPHA - 默认值=false)
<br/>AppArmor=true|false (BETA - 默认值=true)
<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - 默认值=false)
<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - 默认值=false)
<br/>CPUManager=true|false (BETA - 默认值=true)
<br/>CRIContainerLogRotation=true|false (BETA - 默认值=true)
<br/>CSIInlineVolume=true|false (BETA - 默认值=true)
<br/>CSIMigration=true|false (BETA - 默认值=true)
<br/>CSIMigrationAWS=true|false (BETA - 默认值=false)
<br/>CSIMigrationAWSComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationAzureDisk=true|false (BETA - 默认值=false)
<br/>CSIMigrationAzureDiskComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationAzureFile=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationAzureFileComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationGCE=true|false (BETA - 默认值=false)
<br/>CSIMigrationGCEComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationOpenStack=true|false (BETA - 默认值=false)
<br/>CSIMigrationOpenStackComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationvSphere=true|false (BETA - 默认值=false)
<br/>CSIMigrationvSphereComplete=true|false (BETA - 默认值=false)
<br/>CSIStorageCapacity=true|false (ALPHA - 默认值=false)
<br/>CSIVolumeFSGroupPolicy=true|false (ALPHA - 默认值=false)
<br/>ConfigurableFSGroupPolicy=true|false (ALPHA - 默认值=false)
<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)
<br/>DefaultPodTopologySpread=true|false (ALPHA - 默认值=false)
<br/>DevicePlugins=true|false (BETA - 默认值=true)
<br/>DisableAcceleratorUsageMetrics=true|false (ALPHA - 默认值=false)
<br/>DynamicKubeletConfig=true|false (BETA - 默认值=true)
<br/>EndpointSlice=true|false (BETA - 默认值=true)
<br/>EndpointSliceProxying=true|false (BETA - 默认值=true)
<br/>EphemeralContainers=true|false (ALPHA - 默认值=false)
<br/>ExpandCSIVolumes=true|false (BETA - 默认值=true)
<br/>ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)
<br/>ExpandPersistentVolumes=true|false (BETA - 默认值=true)
<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)
<br/>GenericEphemeralVolume=true|false (ALPHA - 默认值=false)
<br/>HPAScaleToZero=true|false (ALPHA - 默认值=false)
<br/>HugePageStorageMediumSize=true|false (BETA - 默认值=true)
<br/>HyperVContainer=true|false (ALPHA - 默认值=false)
<br/>IPv6DualStack=true|false (ALPHA - 默认值=false)
<br/>ImmutableEphemeralVolumes=true|false (BETA - 默认值=true)
<br/>KubeletPodResources=true|false (BETA - 默认值=true)
<br/>LegacyNodeRoleBehavior=true|false (BETA - 默认值=true)
<br/>LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)
<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)
<br/>NodeDisruptionExclusion=true|false (BETA - 默认值=true)
<br/>NonPreemptingPriority=true|false (BETA - 默认值=true)
<br/>PodDisruptionBudget=true|false (BETA - 默认值=true)
<br/>PodOverhead=true|false (BETA - 默认值=true)
<br/>ProcMountType=true|false (ALPHA - 默认值=false)
<br/>QOSReserved=true|false (ALPHA - 默认值=false)
<br/>RemainingItemCount=true|false (BETA - 默认值=true)
<br/>RemoveSelfLink=true|false (ALPHA - 默认值=false)
<br/>RotateKubeletServerCertificate=true|false (BETA - 默认值=true)
<br/>RunAsGroup=true|false (BETA - 默认值=true)
<br/>RuntimeClass=true|false (BETA - 默认值=true)
<br/>SCTPSupport=true|false (BETA - 默认值=true)
<br/>SelectorIndex=true|false (BETA - 默认值=true)
<br/>ServerSideApply=true|false (BETA - 默认值=true)
<br/>ServiceAccountIssuerDiscovery=true|false (ALPHA - 默认值=false)
<br/>ServiceAppProtocol=true|false (BETA - 默认值=true)
<br/>ServiceNodeExclusion=true|false (BETA - 默认值=true)
<br/>ServiceTopology=true|false (ALPHA - 默认值=false)
<br/>SetHostnameAsFQDN=true|false (ALPHA - 默认值=false)
<br/>StartupProbe=true|false (BETA - 默认值=true)
<br/>StorageVersionHash=true|false (BETA - 默认值=true)
<br/>SupportNodePidsLimit=true|false (BETA - 默认值=true)
<br/>SupportPodPidsLimit=true|false (BETA - 默认值=true)
<br/>Sysctls=true|false (BETA - 默认值=true)
<br/>TTLAfterFinished=true|false (ALPHA - 默认值=false)
<br/>TokenRequest=true|false (BETA - 默认值=true)
<br/>TokenRequestProjection=true|false (BETA - 默认值=true)
<br/>TopologyManager=true|false (BETA - 默认值=true)
<br/>ValidateProxyRedirects=true|false (BETA - 默认值=true)
<br/>VolumeSnapshotDataSource=true|false (BETA - 默认值=true)
<br/>WarningHeaders=true|false (BETA - 默认值=true)
<br/>WinDSR=true|false (ALPHA - 默认值=false)
<br/>WinOverlay=true|false (ALPHA - 默认值=false)
<br/>WindowsEndpointSliceProxying=true|false (ALPHA - 默认值=false)
</td>
</tr>
<tr>
@ -647,12 +940,20 @@ kube-controller-manager [flags]
</tr>
<tr>
<!-- td colspan="2">--leader-elect-resource-lock endpoints&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "endpointsleases"</td -->
<td colspan="2">--leader-elect-resource-lock endpoints&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值:"endpointsleases"</td>
<td colspan="2">
<!--
--leader-elect-resource-lock string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "endpointsleases"
-->
--leader-elect-resource-lock string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值:"endpointsleases"
</td>
</tr>
<tr>
<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">The type of resource object that is used for locking during leader election. Supported options are endpoints (default) and configmaps.</td -->
<td></td><td style="line-height: 130%; word-wrap: break-word;">在领导者选举期间用来执行锁操作的资源对象类型。可选项为 endpointsleases (默认值)和 configmaps。</td>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'.
-->
在领导者选举期间用于锁定的资源对象的类型。 支持的选项为'endpoints'、'configmaps'、'leases'、'endpointsleases' 和 'configmapsleases'。
</td>
</tr>
<tr>
@ -723,6 +1024,25 @@ kube-controller-manager [flags]
<td></td><td style="line-height: 130%; word-wrap: break-word;">将内存中日志数据清除到日志文件中时,相邻两次清除操作之间最大间隔秒数。</td>
</tr>
<tr>
<td colspan="2">
<!--
--logging-format string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "text"
-->
--logging-format string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值:"text"
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
Sets the log format. Permitted formats: "text", "json".<br/>Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.<br/>Non-default choices are currently alpha and subject to change without warning.
-->
设置日志格式。允许的格式:"text""json"。
<br/>非默认格式不支持以下标志:--add_dir_header、--alsologtostderr、--log_backtrace_at、--log_dir、--log_file、--log_file_max_size、--logtostderr、--skip_headers、--skip_log_headers、--stderrthreshold、--vmodule、--log-flush-frequency。
<br/>当前非默认选项为 Alpha如有更改恕不另行通知。
</td>
</tr>
<tr>
<!-- td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td -->
<td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值true</td>
@ -758,6 +1078,58 @@ kube-controller-manager [flags]
<td></td><td style="line-height: 130%; word-wrap: break-word;">自省程序的重新同步时隔下限。实际时隔长度会在 min-resync-period 和 2 * min-resync-period 之间。</td>
</tr>
<tr>
<td colspan="2">
<!--
--mirroring-concurrent-service-endpoint-syncs int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5
-->
--mirroring-concurrent-service-endpoint-syncs int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值5
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5.
-->
EndpointSliceMirroring 控制器将同时执行的服务端点同步操作数。
较大的数量 = 更快的端点切片更新,但 CPU和网络负载更多。 默认为 5。
</td>
</tr>
<tr>
<td colspan="2">--mirroring-endpointslice-updates-batch-period duration</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The length of EndpointSlice updates batching period for EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated
-->
EndpointSlice 的长度更新了 EndpointSliceMirroring 控制器的批处理周期。
EndpointSlice 更改的处理将延迟此持续时间,
以使它们与潜在的即将进行的更新结合在一起,并减少 EndpointSlice 更新的总数。
较大的数量 = 较高的端点编程延迟,但是生成的端点修订版本数量较少
</td>
</tr>
<tr>
<td colspan="2">
<!--
--mirroring-max-endpoints-per-subset int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 1000
-->
--mirroring-max-endpoints-per-subset int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值1000
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100.
-->
EndpointSliceMirroring 控制器将添加到 EndpointSlice 的最大端点数。
每个分片的端点越多,端点分片越少,但资源越大。
默认为 100。
</td>
</tr>
<tr>
<!-- td colspan="2">--namespace-sync-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5m0s</td -->
<td colspan="2">--namespace-sync-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值5m0s</td>
@ -827,6 +1199,20 @@ kube-controller-manager [flags]
<td></td><td style="line-height: 130%; word-wrap: break-word;">在节点启动期间,节点可以处于无响应状态;但超出此标志所设置的时长仍然无响应则该节点被标记为不健康。</td>
</tr>
<tr>
<td colspan="2">--permit-port-sharing</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]
-->
如果为 true则在绑定端口时将使用 SO_REUSEPORT
这允许多个实例在同一地址和端口上进行绑定。
[默认值 = false]
</td>
</tr>
<tr>
<!-- td colspan="2">--pod-eviction-timeout duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5m0s</td -->
<td colspan="2">--pod-eviction-timeout duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值5m0s</td>
@ -1058,8 +1444,9 @@ kube-controller-manager [flags]
<td colspan="2">--tls-cipher-suites stringSlice</td>
</tr>
<tr>
<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA</td -->
<td></td><td style="line-height: 130%; word-wrap: break-word;">供服务器使用的加密包的逗号分隔列表。若忽略此标志,则使用 Go 语言默认的加密包。可选值包括TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA</td>
<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. <br/>Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. <br/>Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.</td -->
<td></td><td style="line-height: 130%; word-wrap: break-word;">供服务器使用的加密包的逗号分隔列表。若忽略此标志,则使用 Go 语言默认的加密包。可选值包括TLS_AES_128_GCM_SHA256、TLS_AES_256_GCM_SHA384、TLS_CHACHA20_POLY1305_SHA256、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256、TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256、TLS_RSA_WITH_3DES_EDE_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_128_GCM_SHA256、TLS_RSA_WITH_AES_256_CBC_SHA、TLS_RSA_WITH_AES_256_GCM_SHA384.
<br/>不安全的值: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_RC4_128_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_RSA_WITH_RC4_128_SHA、TLS_RSA_WITH_AES_128_CBC_SHA256、TLS_RSA_WITH_RC4_128_SHA</td>
</tr>
<tr>

295
content/zh/docs/reference/command-line-tools-reference/kube-proxy.md
View File

@ -209,15 +209,215 @@ Idle timeout for established TCP connections (0 to leave as-is)
</td>
</tr>
<tr>
<td colspan="2">--detect-local-mode LocalMode</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!-- Mode to use to detect local traffic -->
用于检测本地流量的模式
</td>
</tr>
<tr>
<td colspan="2">--feature-gates mapStringBool</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br/>APIListChunking=true|false (BETA - default=true)<br/>APIResponseCompression=true|false (BETA - default=true)<br/>AllAlpha=true|false (ALPHA - default=false)<br/>AppArmor=true|false (BETA - default=true)<br/>AttachVolumeLimit=true|false (BETA - default=true)<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)<br/>BlockVolume=true|false (BETA - default=true)<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)<br/>CPUManager=true|false (BETA - default=true)<br/>CRIContainerLogRotation=true|false (BETA - default=true)<br/>CSIBlockVolume=true|false (BETA - default=true)<br/>CSIDriverRegistry=true|false (BETA - default=true)<br/>CSIInlineVolume=true|false (BETA - default=true)<br/>CSIMigration=true|false (ALPHA - default=false)<br/>CSIMigrationAWS=true|false (ALPHA - default=false)<br/>CSIMigrationAzureDisk=true|false (ALPHA - default=false)<br/>CSIMigrationAzureFile=true|false (ALPHA - default=false)<br/>CSIMigrationGCE=true|false (ALPHA - default=false)<br/>CSIMigrationOpenStack=true|false (ALPHA - default=false)<br/>CSINodeInfo=true|false (BETA - default=true)<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>CustomResourceDefaulting=true|false (BETA - default=true)<br/>DevicePlugins=true|false (BETA - default=true)<br/>DryRun=true|false (BETA - default=true)<br/>DynamicAuditing=true|false (ALPHA - default=false)<br/>DynamicKubeletConfig=true|false (BETA - default=true)<br/>EndpointSlice=true|false (ALPHA - default=false)<br/>EphemeralContainers=true|false (ALPHA - default=false)<br/>EvenPodsSpread=true|false (ALPHA - default=false)<br/>ExpandCSIVolumes=true|false (BETA - default=true)<br/>ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>ExpandPersistentVolumes=true|false (BETA - default=true)<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>HPAScaleToZero=true|false (ALPHA - default=false)<br/>HyperVContainer=true|false (ALPHA - default=false)<br/>IPv6DualStack=true|false (ALPHA - default=false)<br/>KubeletPodResources=true|false (BETA - default=true)<br/>LegacyNodeRoleBehavior=true|false (ALPHA - default=true)<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>MountContainers=true|false (ALPHA - default=false)<br/>NodeDisruptionExclusion=true|false (ALPHA - default=false)<br/>NodeLease=true|false (BETA - default=true)<br/>NonPreemptingPriority=true|false (ALPHA - default=false)<br/>PodOverhead=true|false (ALPHA - default=false)<br/>PodShareProcessNamespace=true|false (BETA - default=true)<br/>ProcMountType=true|false (ALPHA - default=false)<br/>QOSReserved=true|false (ALPHA - default=false)<br/>RemainingItemCount=true|false (BETA - default=true)<br/>RemoveSelfLink=true|false (ALPHA - default=false)<br/>RequestManagement=true|false (ALPHA - default=false)<br/>ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)<br/>ResourceQuotaScopeSelectors=true|false (BETA - default=true)<br/>RotateKubeletClientCertificate=true|false (BETA - default=true)<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>RunAsGroup=true|false (BETA - default=true)<br/>RuntimeClass=true|false (BETA - default=true)<br/>SCTPSupport=true|false (ALPHA - default=false)<br/>ScheduleDaemonSetPods=true|false (BETA - default=true)<br/>ServerSideApply=true|false (BETA - default=true)<br/>ServiceLoadBalancerFinalizer=true|false (BETA - default=true)<br/>ServiceNodeExclusion=true|false (ALPHA - default=false)<br/>StartupProbe=true|false (BETA - default=true)<br/>StorageVersionHash=true|false (BETA - default=true)<br/>StreamingProxyRedirects=true|false (BETA - default=true)<br/>SupportNodePidsLimit=true|false (BETA - default=true)<br/>SupportPodPidsLimit=true|false (BETA - default=true)<br/>Sysctls=true|false (BETA - default=true)<br/>TTLAfterFinished=true|false (ALPHA - default=false)<br/>TaintBasedEvictions=true|false (BETA - default=true)<br/>TaintNodesByCondition=true|false (BETA - default=true)<br/>TokenRequest=true|false (BETA - default=true)<br/>TokenRequestProjection=true|false (BETA - default=true)<br/>TopologyManager=true|false (ALPHA - default=false)<br/>ValidateProxyRedirects=true|false (BETA - default=true)<br/>VolumePVCDataSource=true|false (BETA - default=true)<br/>VolumeSnapshotDataSource=true|false (ALPHA - default=false)<br/>VolumeSubpathEnvExpansion=true|false (BETA - default=true)<br/>WatchBookmark=true|false (BETA - default=true)<br/>WinDSR=true|false (ALPHA - default=false)<br/>WinOverlay=true|false (ALPHA - default=false)<br/>WindowsGMSA=true|false (BETA - default=true)<br/>WindowsRunAsUserName=true|false (ALPHA - default=false)
A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
<br/>APIListChunking=true|false (BETA - default=true)
<br/>APIPriorityAndFairness=true|false (ALPHA - default=false)
<br/>APIResponseCompression=true|false (BETA - default=true)
<br/>AllAlpha=true|false (ALPHA - default=false)
<br/>AllBeta=true|false (BETA - default=false)
<br/>AllowInsecureBackendProxy=true|false (BETA - default=true)
<br/>AnyVolumeDataSource=true|false (ALPHA - default=false)
<br/>AppArmor=true|false (BETA - default=true)
<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
<br/>CPUManager=true|false (BETA - default=true)
<br/>CRIContainerLogRotation=true|false (BETA - default=true)
<br/>CSIInlineVolume=true|false (BETA - default=true)
<br/>CSIMigration=true|false (BETA - default=true)
<br/>CSIMigrationAWS=true|false (BETA - default=false)
<br/>CSIMigrationAWSComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationAzureDisk=true|false (BETA - default=false)
<br/>CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationAzureFile=true|false (ALPHA - default=false)
<br/>CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationGCE=true|false (BETA - default=false)
<br/>CSIMigrationGCEComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationOpenStack=true|false (BETA - default=false)
<br/>CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
<br/>CSIMigrationvSphere=true|false (BETA - default=false)
<br/>CSIMigrationvSphereComplete=true|false (BETA - default=false)
<br/>CSIStorageCapacity=true|false (ALPHA - default=false)
<br/>CSIVolumeFSGroupPolicy=true|false (ALPHA - default=false)
<br/>ConfigurableFSGroupPolicy=true|false (ALPHA - default=false)
<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
<br/>DefaultPodTopologySpread=true|false (ALPHA - default=false)
<br/>DevicePlugins=true|false (BETA - default=true)
<br/>DisableAcceleratorUsageMetrics=true|false (ALPHA - default=false)
<br/>DynamicKubeletConfig=true|false (BETA - default=true)
<br/>EndpointSlice=true|false (BETA - default=true)
<br/>EndpointSliceProxying=true|false (BETA - default=true)
<br/>EphemeralContainers=true|false (ALPHA - default=false)
<br/>ExpandCSIVolumes=true|false (BETA - default=true)
<br/>ExpandInUsePersistentVolumes=true|false (BETA - default=true)
<br/>ExpandPersistentVolumes=true|false (BETA - default=true)
<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
<br/>GenericEphemeralVolume=true|false (ALPHA - default=false)
<br/>HPAScaleToZero=true|false (ALPHA - default=false)
<br/>HugePageStorageMediumSize=true|false (BETA - default=true)
<br/>HyperVContainer=true|false (ALPHA - default=false)
<br/>IPv6DualStack=true|false (ALPHA - default=false)
<br/>ImmutableEphemeralVolumes=true|false (BETA - default=true)
<br/>KubeletPodResources=true|false (BETA - default=true)
<br/>LegacyNodeRoleBehavior=true|false (BETA - default=true)
<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)
<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
<br/>NodeDisruptionExclusion=true|false (BETA - default=true)
<br/>NonPreemptingPriority=true|false (BETA - default=true)
<br/>PodDisruptionBudget=true|false (BETA - default=true)
<br/>PodOverhead=true|false (BETA - default=true)
<br/>ProcMountType=true|false (ALPHA - default=false)
<br/>QOSReserved=true|false (ALPHA - default=false)
<br/>RemainingItemCount=true|false (BETA - default=true)
<br/>RemoveSelfLink=true|false (ALPHA - default=false)
<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)
<br/>RunAsGroup=true|false (BETA - default=true)
<br/>RuntimeClass=true|false (BETA - default=true)
<br/>SCTPSupport=true|false (BETA - default=true)
<br/>SelectorIndex=true|false (BETA - default=true)
<br/>ServerSideApply=true|false (BETA - default=true)
<br/>ServiceAccountIssuerDiscovery=true|false (ALPHA - default=false)
<br/>ServiceAppProtocol=true|false (BETA - default=true)
<br/>ServiceNodeExclusion=true|false (BETA - default=true)
<br/>ServiceTopology=true|false (ALPHA - default=false)
<br/>SetHostnameAsFQDN=true|false (ALPHA - default=false)
<br/>StartupProbe=true|false (BETA - default=true)
<br/>StorageVersionHash=true|false (BETA - default=true)
<br/>SupportNodePidsLimit=true|false (BETA - default=true)
<br/>SupportPodPidsLimit=true|false (BETA - default=true)
<br/>Sysctls=true|false (BETA - default=true)
<br/>TTLAfterFinished=true|false (ALPHA - default=false)
<br/>TokenRequest=true|false (BETA - default=true)
<br/>TokenRequestProjection=true|false (BETA - default=true)
<br/>TopologyManager=true|false (BETA - default=true)
<br/>ValidateProxyRedirects=true|false (BETA - default=true)
<br/>VolumeSnapshotDataSource=true|false (BETA - default=true)
<br/>WarningHeaders=true|false (BETA - default=true)
<br/>WinDSR=true|false (ALPHA - default=false)
<br/>WinOverlay=true|false (ALPHA - default=false)
<br/>WindowsEndpointSliceProxying=true|false (ALPHA - default=false)
-->
一组键=值key=value描述了 alpha/experimental 的特征。可选项有:<br/>APIListChunking=true|false (BETA - 默认值=true)<br/>APIResponseCompression=true|false (BETA - 默认值=true)<br/>AllAlpha=true|false (ALPHA - 默认值=false)<br/>AppArmor=true|false (BETA - 默认值=true)<br/>AttachVolumeLimit=true|false (BETA - 默认值=true)<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - 默认值=false)<br/>BlockVolume=true|false (BETA - 默认值=true)<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - 默认值=false)<br/>CPUManager=true|false (BETA - 默认值=true)<br/>CRIContainerLogRotation=true|false (BETA - 默认值=true)<br/>CSIBlockVolume=true|false (BETA - 默认值=true)<br/>CSIDriverRegistry=true|false (BETA - 默认值=true)<br/>CSIInlineVolume=true|false (BETA - 默认值=true)<br/>CSIMigration=true|false (ALPHA - 默认值=false)<br/>CSIMigrationAWS=true|false (ALPHA - 默认值=false)<br/>CSIMigrationAzureDisk=true|false (ALPHA - 默认值=false)<br/>CSIMigrationAzureFile=true|false (ALPHA - 默认值=false)<br/>CSIMigrationGCE=true|false (ALPHA - 默认值=false)<br/>CSIMigrationOpenStack=true|false (ALPHA - 默认值=false)<br/>CSINodeInfo=true|false (BETA - 默认值=true)<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)<br/>CustomResource默认值ing=true|false (BETA - 默认值=true)<br/>DevicePlugins=true|false (BETA - 默认值=true)<br/>DryRun=true|false (BETA - 默认值=true)<br/>DynamicAuditing=true|false (ALPHA - 默认值=false)<br/>DynamicKubeletConfig=true|false (BETA - 默认值=true)<br/>EndpointSlice=true|false (ALPHA - 默认值=false)<br/>EphemeralContainers=true|false (ALPHA - 默认值=false)<br/>EvenPodsSpread=true|false (ALPHA - 默认值=false)<br/>ExpandCSIVolumes=true|false (BETA - 默认值=true)<br/>ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)<br/>ExpandPersistentVolumes=true|false (BETA - 默认值=true)<br/>ExperimentalHostUserNamespace默认值ing=true|false (BETA - 默认值=false)<br/>HPAScaleToZero=true|false (ALPHA - 默认值=false)<br/>HyperVContainer=true|false (ALPHA - 默认值=false)<br/>IPv6DualStack=true|false (ALPHA - 默认值=false)<br/>KubeletPodResources=true|false (BETA - 默认值=true)<br/>LegacyNodeRoleBehavior=true|false (ALPHA - 默认值=true)<br/>LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)<br/>MountContainers=true|false (ALPHA - 默认值=false)<br/>NodeDisruptionExclusion=true|false (ALPHA - 默认值=false)<br/>NodeLease=true|false (BETA - 默认值=true)<br/>NonPreemptingPriority=true|false (ALPHA - 默认值=false)<br/>PodOverhead=true|false (ALPHA - 默认值=false)<br/>PodShareProcessNamespace=true|false (BETA - 默认值=true)<br/>ProcMountType=true|false (ALPHA - 默认值=false)<br/>QOSReserved=true|false (ALPHA - 默认值=false)<br/>RemainingItemCount=true|false (BETA - 默认值=true)<br/>RemoveSelfLink=true|false (ALPHA - 默认值=false)<br/>RequestManagement=true|false (ALPHA - 默认值=false)<br/>ResourceLimitsPriorityFunction=true|false (ALPHA - 默认值=false)<br/>ResourceQuotaScopeSelectors=true|false (BETA - 默认值=true)<br/>RotateKubeletClientCertificate=true|false (BETA - 默认值=true)<br/>RotateKubeletServerCertificate=true|false (BETA - 默认值=true)<br/>RunAsGroup=true|false (BETA - 默认值=true)<br/>RuntimeClass=true|false (BETA - 默认值=true)<br/>SCTPSupport=true|false (ALPHA - 默认值=false)<br/>ScheduleDaemonSetPods=true|false (BETA - 默认值=true)<br/>ServerSideApply=true|false (BETA - 默认值=true)<br/>ServiceLoadBalancerFinalizer=true|false (BETA - 默认值=true)<br/>ServiceNodeExclusion=true|false (ALPHA - 默认值=false)<br/>StartupProbe=true|false (BETA - 默认值=true)<br/>StorageVersionHash=true|false (BETA - 默认值=true)<br/>StreamingProxyRedirects=true|false (BETA - 默认值=true)<br/>SupportNodePidsLimit=true|false (BETA - 默认值=true)<br/>SupportPodPidsLimit=true|false (BETA - 默认值=true)<br/>Sysctls=true|false (BETA - 默认值=true)<br/>TTLAfterFinished=true|false (ALPHA - 默认值=false)<br/>TaintBasedEvictions=true|false (BETA - 默认值=true)<br/>TaintNodesByCondition=true|false (BETA - 默认值=true)<br/>TokenRequest=true|false (BETA - 默认值=true)<br/>TokenRequestProjection=true|false (BETA - 默认值=true)<br/>TopologyManager=true|false (ALPHA - 默认值=false)<br/>ValidateProxyRedirects=true|false (BETA - 默认值=true)<br/>VolumePVCDataSource=true|false (BETA - 默认值=true)<br/>VolumeSnapshotDataSource=true|false (ALPHA - 默认值=false)<br/>VolumeSubpathEnvExpansion=true|false (BETA - 默认值=true)<br/>WatchBookmark=true|false (BETA - 默认值=true)<br/>WinDSR=true|false (ALPHA - 默认值=false)<br/>WinOverlay=true|false (ALPHA - 默认值=false)<br/>WindowsGMSA=true|false (BETA - 默认值=true)<br/>WindowsRunAsUserName=true|false (ALPHA - 默认值=false)
一组键=值key=value描述了 alpha/experimental 的特征。可选项有:
<br/>APIListChunking=true|false (BETA - 默认值=true)
<br/>APIPriorityAndFairness=true|false (ALPHA - 默认值=false)
<br/>APIResponseCompression=true|false (BETA - 默认值=true)
<br/>AllAlpha=true|false (ALPHA - 默认值=false)
<br/>AllBeta=true|false (BETA - 默认值=false)
<br/>AllowInsecureBackendProxy=true|false (BETA - 默认值=true)
<br/>AnyVolumeDataSource=true|false (ALPHA - 默认值=false)
<br/>AppArmor=true|false (BETA - 默认值=true)
<br/>BalanceAttachedNodeVolumes=true|false (ALPHA - 默认值=false)
<br/>BoundServiceAccountTokenVolume=true|false (ALPHA - 默认值=false)
<br/>CPUManager=true|false (BETA - 默认值=true)
<br/>CRIContainerLogRotation=true|false (BETA - 默认值=true)
<br/>CSIInlineVolume=true|false (BETA - 默认值=true)
<br/>CSIMigration=true|false (BETA - 默认值=true)
<br/>CSIMigrationAWS=true|false (BETA - 默认值=false)
<br/>CSIMigrationAWSComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationAzureDisk=true|false (BETA - 默认值=false)
<br/>CSIMigrationAzureDiskComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationAzureFile=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationAzureFileComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationGCE=true|false (BETA - 默认值=false)
<br/>CSIMigrationGCEComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationOpenStack=true|false (BETA - 默认值=false)
<br/>CSIMigrationOpenStackComplete=true|false (ALPHA - 默认值=false)
<br/>CSIMigrationvSphere=true|false (BETA - 默认值=false)
<br/>CSIMigrationvSphereComplete=true|false (BETA - 默认值=false)
<br/>CSIStorageCapacity=true|false (ALPHA - 默认值=false)
<br/>CSIVolumeFSGroupPolicy=true|false (ALPHA - 默认值=false)
<br/>ConfigurableFSGroupPolicy=true|false (ALPHA - 默认值=false)
<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)
<br/>DefaultPodTopologySpread=true|false (ALPHA - 默认值=false)
<br/>DevicePlugins=true|false (BETA - 默认值=true)
<br/>DisableAcceleratorUsageMetrics=true|false (ALPHA - 默认值=false)
<br/>DynamicKubeletConfig=true|false (BETA - 默认值=true)
<br/>EndpointSlice=true|false (BETA - 默认值=true)
<br/>EndpointSliceProxying=true|false (BETA - 默认值=true)
<br/>EphemeralContainers=true|false (ALPHA - 默认值=false)
<br/>ExpandCSIVolumes=true|false (BETA - 默认值=true)
<br/>ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)
<br/>ExpandPersistentVolumes=true|false (BETA - 默认值=true)
<br/>ExperimentalHostUserNamespace默认值ing=true|false (BETA - 默认值=false)
<br/>GenericEphemeralVolume=true|false (ALPHA - 默认值=false)
<br/>HPAScaleToZero=true|false (ALPHA - 默认值=false)
<br/>HugePageStorageMediumSize=true|false (BETA - 默认值=true)
<br/>HyperVContainer=true|false (ALPHA - 默认值=false)
<br/>IPv6DualStack=true|false (ALPHA - 默认值=false)
<br/>ImmutableEphemeralVolumes=true|false (BETA - 默认值=true)
<br/>KubeletPodResources=true|false (BETA - 默认值=true)
<br/>LegacyNodeRoleBehavior=true|false (BETA - 默认值=true)
<br/>LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)
<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)
<br/>NodeDisruptionExclusion=true|false (BETA - 默认值=true)
<br/>NonPreemptingPriority=true|false (BETA - 默认值=true)
<br/>PodDisruptionBudget=true|false (BETA - 默认值=true)
<br/>PodOverhead=true|false (BETA - 默认值=true)
<br/>ProcMountType=true|false (ALPHA - 默认值=false)
<br/>QOSReserved=true|false (ALPHA - 默认值=false)
<br/>RemainingItemCount=true|false (BETA - 默认值=true)
<br/>RemoveSelfLink=true|false (ALPHA - 默认值=false)
<br/>RotateKubeletServerCertificate=true|false (BETA - 默认值=true)
<br/>RunAsGroup=true|false (BETA - 默认值=true)
<br/>RuntimeClass=true|false (BETA - 默认值=true)
<br/>SCTPSupport=true|false (BETA - 默认值=true)
<br/>SelectorIndex=true|false (BETA - 默认值=true)
<br/>ServerSideApply=true|false (BETA - 默认值=true)
<br/>ServiceAccountIssuerDiscovery=true|false (ALPHA - 默认值=false)
<br/>ServiceAppProtocol=true|false (BETA - 默认值=true)
<br/>ServiceNodeExclusion=true|false (BETA - 默认值=true)
<br/>ServiceTopology=true|false (ALPHA - 默认值=false)
<br/>SetHostnameAsFQDN=true|false (ALPHA - 默认值=false)
<br/>StartupProbe=true|false (BETA - 默认值=true)
<br/>StorageVersionHash=true|false (BETA - 默认值=true)
<br/>SupportNodePidsLimit=true|false (BETA - 默认值=true)
<br/>SupportPodPidsLimit=true|false (BETA - 默认值=true)
<br/>Sysctls=true|false (BETA - 默认值=true)
<br/>TTLAfterFinished=true|false (ALPHA - 默认值=false)
<br/>TokenRequest=true|false (BETA - 默认值=true)
<br/>TokenRequestProjection=true|false (BETA - 默认值=true)
<br/>TopologyManager=true|false (BETA - 默认值=true)
<br/>ValidateProxyRedirects=true|false (BETA - 默认值=true)
<br/>VolumeSnapshotDataSource=true|false (BETA - 默认值=true)
<br/>WarningHeaders=true|false (BETA - 默认值=true)
<br/>WinDSR=true|false (ALPHA - 默认值=false)
<br/>WinOverlay=true|false (ALPHA - 默认值=false)
<br/>WindowsEndpointSliceProxying=true|false (ALPHA - 默认值=false)
</td>
</tr>
<tr>
<td colspan="2">
<!--
--healthz-bind-address 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 0.0.0.0:10256
-->
--healthz-bind-address 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: 0.0.0.0:10256
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The IP address with port for the health check server to serve on
(set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces).
Set empty to disable.
-->
服务健康检查的 IP 地址和端口(对于所有 IPv4 接口设置为 '0.0.0.0:10256',对于所有 IPv6 接口设置为 '[::]:10256'
设置为空则禁用。
</td>
</tr>
@ -234,24 +434,7 @@ A set of key=value pairs that describe feature gates for alpha/experimental feat
<!--
The IP address for the health check server to serve on (set to 0.0.0.0 for all IPv4 interfaces and `::` for all IPv6 interfaces)
-->
服务健康检查的 IP 地址和端口(对于所有 IPv4 接口设置为 0.0.0.0,对于所有 IPv6 接口设置为 ::
</td>
</tr>
<tr>
<td colspan="2">
<!--
--healthz-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10256
-->
--healthz-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: 10256
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The port to bind the health check server. Use 0 to disable.
-->
绑定健康检查服务的端口。使用 0 表示禁用。
服务健康检查的 IP 地址和端口(设置为 0.0.0.0 表示使用所有 IPv4 接口,设置为 :: 表示使用所有 IPv6 接口)
</td>
</tr>
@ -297,7 +480,12 @@ If using the pure iptables proxy, the bit of the fwmark space to mark packets re
</tr>
<tr>
<td colspan="2">--iptables-min-sync-period duration</td>
<td colspan="2">
<!--
--iptables-min-sync-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 1s
-->
--iptables-min-sync-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值1s
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
@ -390,6 +578,43 @@ The maximum interval of how often ipvs rules are refreshed (e.g. '5s', '1m', '2h
</td>
</tr>
<tr>
<td colspan="2">--ipvs-tcp-timeout duration</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The timeout for idle IPVS TCP connections, 0 to leave as-is. (e.g. '5s', '1m', '2h22m').
-->
空闲 IPVS TCP 连接的超时时间0 保持连接(例如 '5s'、'1m'、'2h22m')。
</td>
</tr>
<tr>
<td colspan="2">--ipvs-tcpfin-timeout duration</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The timeout for IPVS TCP connections after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m', '2h22m').
-->
收到 FIN 数据包后IPVS TCP 连接的超时0 保持连接不变(例如 '5s'、'1m'、'2h22m')。
</td>
</tr>
<tr>
<td colspan="2">--ipvs-udp-timeout duration</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The timeout for IPVS UDP packets, 0 to leave as-is. (e.g. '5s', '1m', '2h22m').
-->
IPVS UDP 数据包的超时0 保持连接不动(例如 '5s'、'1m'、'2h22m')。
</td>
</tr>
<tr>
<td colspan="2">
<!--
@ -497,17 +722,21 @@ Kubernetes API 服务器的地址(覆盖 kubeconfig 中的任何值)
<tr>
<td colspan="2">
<!--
--metrics-bind-address 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 127.0.0.1:10249
--metrics-bind-address ipport 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 127.0.0.1:10249
-->
--metrics-bind-address 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: 127.0.0.1:10249
--metrics-bind-address ipport 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: 127.0.0.1:10249
</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The IP address for the metrics server to serve on (set to 0.0.0.0 for all IPv4 interfaces and `::` for all IPv6 interfaces)
The IP address with port for the metrics server to serve on
(set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces).
Set empty to disable.
-->
metrics 服务器要使用的 IP 地址(所有 IPv4 接口设置为 0.0.0.0,所有 IPv6 接口设置为 `::`
metrics 服务器要使用的 IP 地址和端口
(设置为 '0.0.0.0:10249' 则使用 IPv4 接口,设置为 '[::]:10249' 则使用所有 IPv6 接口)
设置为空则禁用。
</td>
</tr>
@ -593,6 +822,22 @@ Range of host ports (beginPort-endPort, single port or beginPort+offset, inclusi
</td>
</tr>
<tr>
<td colspan="2">--show-hidden-metrics-for-version string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is &lt;major&gt;.&lt;minor&gt;, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that.
-->
你要显示隐藏指标的先前版本。
仅先前的次要版本有意义,不允许其他值。
格式为 &lt;major&gt;.&lt;minor&gt; ,例如:'1.16'。
这种格式的目的是确保你有机会注意到下一个发行版是否隐藏了其他指标,
而不是在之后将其永久删除时感到惊讶。
</td>
</tr>
<tr>
<td colspan="2">
<!--

109
content/zh/docs/reference/command-line-tools-reference/kubelet-authentication-authorization.md
View File

@ -1,61 +1,134 @@
---
approvers:
title: Kubelet 认证/鉴权
---
<!--
reviewers:
- liggitt
title: Kubelet authentication/authorization
---
-->
{{< toc >}}
## Overview
<!--
## Overview
-->
## 概述
<!--
A kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
and allow you to perform operations with varying levels of power on the node and within containers.
-->
kubelet 的 HTTPS 端点公开了 API
这些 API 可以访问敏感度不同的数据,
并允许你在节点上和容器内以不同级别的权限执行操作。
<!--
This document describes how to authenticate and authorize access to the kubelet's HTTPS endpoint.
-->
本文档介绍了如何对 kubelet 的 HTTPS 端点的访问进行认证和鉴权。
## Kubelet authentication
<!--
## Kubelet authentication
-->
## Kubelet 认证
<!--
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of `system:anonymous`
and a group of `system:unauthenticated`.
-->
默认情况下,未被已配置的其他身份认证方法拒绝的对 kubelet 的 HTTPS 端点的请求会被视为匿名请求,
并被赋予 `system:anonymous` 用户名和 `system:unauthenticated` 组。
<!--
To disable anonymous access and send `401 Unauthorized` responses to unauthenticated requests:
-->
要禁用匿名访问并向未经身份认证的请求发送 `401 Unauthorized` 响应,请执行以下操作:
* start the kubelet with the `--anonymous-auth=false` flag
<!--
* start the kubelet with the `--anonymous-auth=false` flag
-->
* 带 `--anonymous-auth=false` 标志启动 kubelet
<!--
To enable X509 client certificate authentication to the kubelet's HTTPS endpoint:
-->
要对 kubelet 的 HTTPS 端点启用 X509 客户端证书认证:
<!--
* start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with
* start the apiserver with `--kubelet-client-certificate` and `--kubelet-client-key` flags
* see the [apiserver authentication documentation](/docs/admin/authentication/#x509-client-certs) for more details
-->
* 带 `--client-ca-file` 标志启动 kubelet提供一个 CA 证书包以供验证客户端证书
* 带 `--kubelet-client-certificate``--kubelet-client-key` 标志启动 apiserver
* 有关更多详细信息,请参见 [apiserver 身份验证文档](/zh/docs/admin/authentication/#x509-client-certs)
<!--
To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:
-->
要启用 API 持有者令牌(包括服务帐户令牌)以对 kubelet 的 HTTPS 端点进行身份验证,请执行以下操作:
<!--
* ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authentication-token-webhook` and the `--kubeconfig` flags
* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens
-->
* 确保在 API 服务器中启用了 `authentication.k8s.io/v1beta1` API 组
* 带 `--authentication-token-webhook``--kubeconfig` 标志启动 kubelet
* kubelet 调用已配置的 API 服务器上的 `TokenReview` API以根据持有者令牌确定用户信息
## Kubelet authorization
<!--
## Kubelet authorization
-->
## Kubelet 鉴权
<!--
Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests.
-->
任何成功通过身份验证的请求(包括匿名请求)之后都会被鉴权。
默认的鉴权模式为 `AlwaysAllow`,它允许所有请求。
<!--
There are many possible reasons to subdivide access to the kubelet API:
-->
细分对 kubelet API 的访问权限可能有多种原因:
<!--
* anonymous auth is enabled, but anonymous users' ability to call the kubelet API should be limited
* bearer token auth is enabled, but arbitrary API users' (like service accounts) ability to call the kubelet API should be limited
* client certificate auth is enabled, but only some of the client certificates signed by the configured CA should be allowed to use the kubelet API
-->
* 启用了匿名身份验证,但是应限制匿名用户调用 kubelet API 的能力
* 启用了持有者令牌认证,但应限制任意 API 用户(如服务帐户)调用 kubelet API 的能力
* 启用了客户端证书身份验证,但仅应允许已配置的 CA 签名的某些客户端证书使用 kubelet API
<!--
To subdivide access to the kubelet API, delegate authorization to the API server:
-->
要细分对 kubelet API 的访问权限,请将鉴权委派给 API 服务器:
<!--
* ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized
-->
* 确保在 API 服务器中启用了 `authorization.k8s.io/v1beta1` API 组
* 带 `--authorization-mode=Webhook``--kubeconfig` 标志启动 kubelet
* kubelet 调用已配置的 API 服务器上的 `SubjectAccessReview` API以确定每个请求是否得到鉴权
<!--
The kubelet authorizes API requests using the same [request attributes](/docs/admin/authorization/#request-attributes) approach as the apiserver.
-->
kubelet 使用与 apiserver 相同的[请求属性](/zh/docs/admin/authorization/#request-attributes)方法对 API 请求执行鉴权。
<!--
The verb is determined from the incoming request's HTTP verb:
-->
请求的动词根据传入请求的 HTTP 动词确定:
<!--
HTTP verb | request verb
-->
HTTP 动词 | 请求动词
----------|---------------
POST | create
GET, HEAD | get
@ -63,24 +136,38 @@ PUT | update
PATCH | patch
DELETE | delete
<!--
The resource and subresource is determined from the incoming request's path:
-->
资源和子资源是根据传入请求的路径确定的:
Kubelet API | resource | subresource
<!--
Kubelet API | resource | subresource
-->
Kubelet API | 资源 | 子资源
-------------|----------|------------
/stats/\* | nodes | stats
/metrics/\* | nodes | metrics
/logs/\* | nodes | log
/spec/\* | nodes | spec
*all others* | nodes | proxy
*其它所有* | nodes | proxy
<!--
The namespace and API group attributes are always an empty string, and
the resource name is always the name of the kubelet's `Node` API object.
-->
名字空间和 API 组属性始终是空字符串,
资源名称始终是 kubelet 的 `Node` API 对象的名称。
<!--
When running in this mode, ensure the user identified by the `--kubelet-client-certificate` and `--kubelet-client-key`
flags passed to the apiserver is authorized for the following attributes:
-->
在此模式下运行时,请确保传递给 apiserver 的由 `--kubelet-client-certificate`
`--kubelet-client-key` 标志标识的用户具有以下属性的鉴权:
* verb=\*, resource=nodes, subresource=proxy
* verb=\*, resource=nodes, subresource=stats
* verb=\*, resource=nodes, subresource=log
* verb=\*, resource=nodes, subresource=spec
* verb=\*, resource=nodes, subresource=metrics
* verb=\*, resource=nodes, subresource=metrics