diff --git a/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
index 6e87bff44c..edf25ad835 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
@@ -2,8 +2,21 @@
title: kube-apiserver
content_type: tool-reference
weight: 30
+auto_generated: true
---
+
+
+
## {{% heading "synopsis" %}}
@@ -29,1099 +42,1099 @@ kube-apiserver [flags]
| --add-dir-header |
- | If true, adds the file directory to the header of the log messages |
+ | If true, adds the file directory to the header of the log messages |
| --admission-control-config-file string |
- | File with admission control configuration. |
+ | File with admission control configuration. |
-| --advertise-address ip |
+--advertise-address string |
- | The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used. |
+ | The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used. |
| --allow-privileged |
- | If true, allow privileged containers. [default=false] |
+ | If true, allow privileged containers. [default=false] |
| --alsologtostderr |
- | log to standard error as well as files |
+ | log to standard error as well as files |
| --anonymous-auth Default: true |
- | Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. |
+ | Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. |
-| --api-audiences stringSlice |
+--api-audiences strings |
- | Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL. |
+ | Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL. |
| --apiserver-count int Default: 1 |
- | The number of apiservers running in the cluster, must be a positive number. (In use when --endpoint-reconciler-type=master-count is enabled.) |
+ | The number of apiservers running in the cluster, must be a positive number. (In use when --endpoint-reconciler-type=master-count is enabled.) |
| --audit-log-batch-buffer-size int Default: 10000 |
- | The size of the buffer to store events before batching and writing. Only used in batch mode. |
+ | The size of the buffer to store events before batching and writing. Only used in batch mode. |
| --audit-log-batch-max-size int Default: 1 |
- | The maximum size of a batch. Only used in batch mode. |
+ | The maximum size of a batch. Only used in batch mode. |
| --audit-log-batch-max-wait duration |
- | The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. |
+ | The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. |
| --audit-log-batch-throttle-burst int |
- | Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. |
+ | Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. |
| --audit-log-batch-throttle-enable |
- | Whether batching throttling is enabled. Only used in batch mode. |
+ | Whether batching throttling is enabled. Only used in batch mode. |
-| --audit-log-batch-throttle-qps float32 |
+--audit-log-batch-throttle-qps float |
- | Maximum average number of batches per second. Only used in batch mode. |
+ | Maximum average number of batches per second. Only used in batch mode. |
| --audit-log-compress |
- | If set, the rotated log files will be compressed using gzip. |
+ | If set, the rotated log files will be compressed using gzip. |
| --audit-log-format string Default: "json" |
- | Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json. |
+ | Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json. |
| --audit-log-maxage int |
- | The maximum number of days to retain old audit log files based on the timestamp encoded in their filename. |
+ | The maximum number of days to retain old audit log files based on the timestamp encoded in their filename. |
| --audit-log-maxbackup int |
- | The maximum number of old audit log files to retain. |
+ | The maximum number of old audit log files to retain. |
| --audit-log-maxsize int |
- | The maximum size in megabytes of the audit log file before it gets rotated. |
+ | The maximum size in megabytes of the audit log file before it gets rotated. |
| --audit-log-mode string Default: "blocking" |
- | Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict. |
+ | Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict. |
| --audit-log-path string |
- | If set, all requests coming to the apiserver will be logged to this file. '-' means standard out. |
+ | If set, all requests coming to the apiserver will be logged to this file. '-' means standard out. |
| --audit-log-truncate-enabled |
- | Whether event and batch truncating is enabled. |
+ | Whether event and batch truncating is enabled. |
| --audit-log-truncate-max-batch-size int Default: 10485760 |
- | Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size. |
+ | Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size. |
| --audit-log-truncate-max-event-size int Default: 102400 |
- | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. |
+ | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. |
| --audit-log-version string Default: "audit.k8s.io/v1" |
- | API group and version used for serializing audit events written to log. |
+ | API group and version used for serializing audit events written to log. |
| --audit-policy-file string |
- | Path to the file that defines the audit policy configuration. |
+ | Path to the file that defines the audit policy configuration. |
| --audit-webhook-batch-buffer-size int Default: 10000 |
- | The size of the buffer to store events before batching and writing. Only used in batch mode. |
+ | The size of the buffer to store events before batching and writing. Only used in batch mode. |
| --audit-webhook-batch-max-size int Default: 400 |
- | The maximum size of a batch. Only used in batch mode. |
+ | The maximum size of a batch. Only used in batch mode. |
| --audit-webhook-batch-max-wait duration Default: 30s |
- | The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. |
+ | The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. |
| --audit-webhook-batch-throttle-burst int Default: 15 |
- | Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. |
+ | Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. |
| --audit-webhook-batch-throttle-enable Default: true |
- | Whether batching throttling is enabled. Only used in batch mode. |
+ | Whether batching throttling is enabled. Only used in batch mode. |
-| --audit-webhook-batch-throttle-qps float32 Default: 10 |
+--audit-webhook-batch-throttle-qps float Default: 10 |
- | Maximum average number of batches per second. Only used in batch mode. |
+ | Maximum average number of batches per second. Only used in batch mode. |
| --audit-webhook-config-file string |
- | Path to a kubeconfig formatted file that defines the audit webhook configuration. |
+ | Path to a kubeconfig formatted file that defines the audit webhook configuration. |
| --audit-webhook-initial-backoff duration Default: 10s |
- | The amount of time to wait before retrying the first failed request. |
+ | The amount of time to wait before retrying the first failed request. |
| --audit-webhook-mode string Default: "batch" |
- | Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict. |
+ | Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict. |
| --audit-webhook-truncate-enabled |
- | Whether event and batch truncating is enabled. |
+ | Whether event and batch truncating is enabled. |
| --audit-webhook-truncate-max-batch-size int Default: 10485760 |
- | Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size. |
+ | Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size. |
| --audit-webhook-truncate-max-event-size int Default: 102400 |
- | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. |
+ | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. |
| --audit-webhook-version string Default: "audit.k8s.io/v1" |
- | API group and version used for serializing audit events written to webhook. |
+ | API group and version used for serializing audit events written to webhook. |
| --authentication-token-webhook-cache-ttl duration Default: 2m0s |
- | The duration to cache responses from the webhook token authenticator. |
+ | The duration to cache responses from the webhook token authenticator. |
| --authentication-token-webhook-config-file string |
- | File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens. |
+ | File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens. |
| --authentication-token-webhook-version string Default: "v1beta1" |
- | The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook. |
+ | The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook. |
-| --authorization-mode stringSlice Default: [AlwaysAllow] |
+--authorization-mode strings Default: "AlwaysAllow" |
- | Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node. |
+ | Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node. |
| --authorization-policy-file string |
- | File with authorization policy in json line by line format, used with --authorization-mode=ABAC, on the secure port. |
+ | File with authorization policy in json line by line format, used with --authorization-mode=ABAC, on the secure port. |
| --authorization-webhook-cache-authorized-ttl duration Default: 5m0s |
- | The duration to cache 'authorized' responses from the webhook authorizer. |
+ | The duration to cache 'authorized' responses from the webhook authorizer. |
| --authorization-webhook-cache-unauthorized-ttl duration Default: 30s |
- | The duration to cache 'unauthorized' responses from the webhook authorizer. |
+ | The duration to cache 'unauthorized' responses from the webhook authorizer. |
| --authorization-webhook-config-file string |
- | File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port. |
+ | File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port. |
| --authorization-webhook-version string Default: "v1beta1" |
- | The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook. |
+ | The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook. |
| --azure-container-registry-config string |
- | Path to the file containing Azure container registry configuration information. |
+ | Path to the file containing Azure container registry configuration information. |
-| --bind-address ip Default: 0.0.0.0 |
+--bind-address string Default: 0.0.0.0 |
- | The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. |
+ | The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. |
| --cert-dir string Default: "/var/run/kubernetes" |
- | The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. |
+ | The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. |
| --client-ca-file string |
- | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
+ | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
| --cloud-config string |
- | The path to the cloud provider configuration file. Empty string for no configuration file. |
+ | The path to the cloud provider configuration file. Empty string for no configuration file. |
| --cloud-provider string |
- | The provider for cloud services. Empty string for no provider. |
+ | The provider for cloud services. Empty string for no provider. |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
- | CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
+ | CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --contention-profiling |
- | Enable lock contention profiling, if profiling is enabled |
+ | Enable lock contention profiling, if profiling is enabled |
-| --cors-allowed-origins stringSlice |
+--cors-allowed-origins strings |
- | List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled. |
+ | List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled. |
| --default-not-ready-toleration-seconds int Default: 300 |
- | Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
+ | Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
- | Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
+ | Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-watch-cache-size int Default: 100 |
- | Default watch cache size. If zero, watch cache will be disabled for resources that do not have a default watch size set. |
+ | Default watch cache size. If zero, watch cache will be disabled for resources that do not have a default watch size set. |
| --delete-collection-workers int Default: 1 |
- | Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup. |
+ | Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup. |
-| --disable-admission-plugins stringSlice |
+--disable-admission-plugins strings |
- | admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
+ | admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
| --egress-selector-config-file string |
- | File with apiserver egress selector configuration. |
+ | File with apiserver egress selector configuration. |
-| --enable-admission-plugins stringSlice |
+--enable-admission-plugins strings |
- | admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
+ | admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
| --enable-aggregator-routing |
- | Turns on aggregator routing requests to endpoints IP rather than cluster IP. |
+ | Turns on aggregator routing requests to endpoints IP rather than cluster IP. |
| --enable-bootstrap-token-auth |
- | Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication. |
+ | Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication. |
| --enable-garbage-collector Default: true |
- | Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-controller-manager. |
+ | Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-controller-manager. |
| --enable-priority-and-fairness Default: true |
- | If true and the APIPriorityAndFairness feature gate is enabled, replace the max-in-flight handler with an enhanced one that queues and dispatches with priority and fairness |
+ | If true and the APIPriorityAndFairness feature gate is enabled, replace the max-in-flight handler with an enhanced one that queues and dispatches with priority and fairness |
| --encryption-provider-config string |
- | The file containing configuration for encryption providers to be used for storing secrets in etcd |
+ | The file containing configuration for encryption providers to be used for storing secrets in etcd |
| --endpoint-reconciler-type string Default: "lease" |
- | Use an endpoint reconciler (master-count, lease, none) |
+ | Use an endpoint reconciler (master-count, lease, none) |
| --etcd-cafile string |
- | SSL Certificate Authority file used to secure etcd communication. |
+ | SSL Certificate Authority file used to secure etcd communication. |
| --etcd-certfile string |
- | SSL certification file used to secure etcd communication. |
+ | SSL certification file used to secure etcd communication. |
| --etcd-compaction-interval duration Default: 5m0s |
- | The interval of compaction requests. If 0, the compaction request from apiserver is disabled. |
+ | The interval of compaction requests. If 0, the compaction request from apiserver is disabled. |
| --etcd-count-metric-poll-period duration Default: 1m0s |
- | Frequency of polling etcd for number of resources per type. 0 disables the metric collection. |
+ | Frequency of polling etcd for number of resources per type. 0 disables the metric collection. |
| --etcd-db-metric-poll-interval duration Default: 30s |
- | The interval of requests to poll etcd and update metric. 0 disables the metric collection |
+ | The interval of requests to poll etcd and update metric. 0 disables the metric collection |
| --etcd-healthcheck-timeout duration Default: 2s |
- | The timeout to use when checking etcd health. |
+ | The timeout to use when checking etcd health. |
| --etcd-keyfile string |
- | SSL key file used to secure etcd communication. |
+ | SSL key file used to secure etcd communication. |
| --etcd-prefix string Default: "/registry" |
- | The prefix to prepend to all resource paths in etcd. |
+ | The prefix to prepend to all resource paths in etcd. |
-| --etcd-servers stringSlice |
+--etcd-servers strings |
- | List of etcd servers to connect with (scheme://ip:port), comma separated. |
+ | List of etcd servers to connect with (scheme://ip:port), comma separated. |
-| --etcd-servers-overrides stringSlice |
+--etcd-servers-overrides strings |
- | Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are URLs, semicolon separated. |
+ | Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are URLs, semicolon separated. |
| --event-ttl duration Default: 1h0m0s |
- | Amount of time to retain events. |
+ | Amount of time to retain events. |
| --experimental-logging-sanitization |
- | [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. |
+ | [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. |
| --external-hostname string |
- | The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs or OpenID Discovery). |
+ | The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs or OpenID Discovery). |
-| --feature-gates mapStringBool |
+--feature-gates <comma-separated 'key=True|False' pairs> |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
| --goaway-chance float |
- | To prevent HTTP/2 clients from getting stuck on a single apiserver, randomly close a connection (GOAWAY). The client's other in-flight requests won't be affected, and the client will reconnect, likely landing on a different apiserver after going through the load balancer again. This argument sets the fraction of requests that will be sent a GOAWAY. Clusters with single apiservers, or which don't use a load balancer, should NOT enable this. Min is 0 (off), Max is .02 (1/50 requests); .001 (1/1000) is a recommended starting point. |
+ | To prevent HTTP/2 clients from getting stuck on a single apiserver, randomly close a connection (GOAWAY). The client's other in-flight requests won't be affected, and the client will reconnect, likely landing on a different apiserver after going through the load balancer again. This argument sets the fraction of requests that will be sent a GOAWAY. Clusters with single apiservers, or which don't use a load balancer, should NOT enable this. Min is 0 (off), Max is .02 (1/50 requests); .001 (1/1000) is a recommended starting point. |
| -h, --help |
- | help for kube-apiserver |
+ | help for kube-apiserver |
| --http2-max-streams-per-connection int |
- | The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. |
+ | The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. |
| --identity-lease-duration-seconds int Default: 3600 |
- | The duration of kube-apiserver lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.) |
+ | The duration of kube-apiserver lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.) |
| --identity-lease-renew-interval-seconds int Default: 10 |
- | The interval of kube-apiserver renewing its lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.) |
+ | The interval of kube-apiserver renewing its lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.) |
| --kubelet-certificate-authority string |
- | Path to a cert file for the certificate authority. |
+ | Path to a cert file for the certificate authority. |
| --kubelet-client-certificate string |
- | Path to a client cert file for TLS. |
+ | Path to a client cert file for TLS. |
| --kubelet-client-key string |
- | Path to a client key file for TLS. |
+ | Path to a client key file for TLS. |
-| --kubelet-preferred-address-types stringSlice Default: [Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP] |
+--kubelet-preferred-address-types strings Default: "Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP" |
- | List of the preferred NodeAddressTypes to use for kubelet connections. |
+ | List of the preferred NodeAddressTypes to use for kubelet connections. |
| --kubelet-timeout duration Default: 5s |
- | Timeout for kubelet operations. |
+ | Timeout for kubelet operations. |
| --kubernetes-service-node-port int |
- | If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be of type NodePort, using this as the value of the port. If zero, the Kubernetes master service will be of type ClusterIP. |
+ | If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be of type NodePort, using this as the value of the port. If zero, the Kubernetes master service will be of type ClusterIP. |
| --livez-grace-period duration |
- | This option represents the maximum amount of time it should take for apiserver to complete its startup sequence and become live. From apiserver's start time to when this amount of time has elapsed, /livez will assume that unfinished post-start hooks will complete successfully and therefore return true. |
+ | This option represents the maximum amount of time it should take for apiserver to complete its startup sequence and become live. From apiserver's start time to when this amount of time has elapsed, /livez will assume that unfinished post-start hooks will complete successfully and therefore return true. |
-| --log-backtrace-at traceLocation Default: :0 |
+--log-backtrace-at <a string in the form 'file:N'> Default: :0 |
- | when logging hits line file:N, emit a stack trace |
+ | when logging hits line file:N, emit a stack trace |
| --log-dir string |
- | If non-empty, write log files in this directory |
+ | If non-empty, write log files in this directory |
| --log-file string |
- | If non-empty, use this log file |
+ | If non-empty, use this log file |
| --log-file-max-size uint Default: 1800 |
- | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
+ | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
| --log-flush-frequency duration Default: 5s |
- | Maximum number of seconds between log flushes |
+ | Maximum number of seconds between log flushes |
| --logging-format string Default: "text" |
- | Sets the log format. Permitted formats: "json", "text".
Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning. |
+ | Sets the log format. Permitted formats: "json", "text".
Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning. |
| --logtostderr Default: true |
- | log to standard error instead of files |
+ | log to standard error instead of files |
| --master-service-namespace string Default: "default" |
- | DEPRECATED: the namespace from which the Kubernetes master services should be injected into pods. |
+ | DEPRECATED: the namespace from which the Kubernetes master services should be injected into pods. |
| --max-connection-bytes-per-sec int |
- | If non-zero, throttle each user connection to this number of bytes/sec. Currently only applies to long-running requests. |
+ | If non-zero, throttle each user connection to this number of bytes/sec. Currently only applies to long-running requests. |
| --max-mutating-requests-inflight int Default: 200 |
- | The maximum number of mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit. |
+ | The maximum number of mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit. |
| --max-requests-inflight int Default: 400 |
- | The maximum number of non-mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit. |
+ | The maximum number of non-mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit. |
| --min-request-timeout int Default: 1800 |
- | An optional field indicating the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler, which picks a randomized value above this number as the connection timeout, to spread out load. |
+ | An optional field indicating the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler, which picks a randomized value above this number as the connection timeout, to spread out load. |
| --oidc-ca-file string |
- | If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used. |
+ | If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used. |
| --oidc-client-id string |
- | The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set. |
+ | The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set. |
| --oidc-groups-claim string |
- | If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This flag is experimental, please see the authentication documentation for further details. |
+ | If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This flag is experimental, please see the authentication documentation for further details. |
| --oidc-groups-prefix string |
- | If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies. |
+ | If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies. |
| --oidc-issuer-url string |
- | The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT). |
+ | The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT). |
-| --oidc-required-claim mapStringString |
+--oidc-required-claim <comma-separated 'key=value' pairs> |
- | A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims. |
+ | A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims. |
-| --oidc-signing-algs stringSlice Default: [RS256] |
+--oidc-signing-algs strings Default: "RS256" |
- | Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a 'alg' header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1. |
+ | Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a 'alg' header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1. |
| --oidc-username-claim string Default: "sub" |
- | The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details. |
+ | The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details. |
| --oidc-username-prefix string |
- | If provided, all usernames will be prefixed with this value. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'. |
+ | If provided, all usernames will be prefixed with this value. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'. |
| --one-output |
- | If true, only write logs to their native severity level (vs also writing to each lower severity level |
+ | If true, only write logs to their native severity level (vs also writing to each lower severity level |
| --permit-port-sharing |
- | If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false] |
+ | If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false] |
| --profiling Default: true |
- | Enable profiling via web interface host:port/debug/pprof/ |
+ | Enable profiling via web interface host:port/debug/pprof/ |
| --proxy-client-cert-file string |
- | Client certificate used to prove the identity of the aggregator or kube-apiserver when it must call out during a request. This includes proxying requests to a user api-server and calling out to webhook admission plugins. It is expected that this cert includes a signature from the CA in the --requestheader-client-ca-file flag. That CA is published in the 'extension-apiserver-authentication' configmap in the kube-system namespace. Components receiving calls from kube-aggregator should use that CA to perform their half of the mutual TLS verification. |
+ | Client certificate used to prove the identity of the aggregator or kube-apiserver when it must call out during a request. This includes proxying requests to a user api-server and calling out to webhook admission plugins. It is expected that this cert includes a signature from the CA in the --requestheader-client-ca-file flag. That CA is published in the 'extension-apiserver-authentication' configmap in the kube-system namespace. Components receiving calls from kube-aggregator should use that CA to perform their half of the mutual TLS verification. |
| --proxy-client-key-file string |
- | Private key for the client certificate used to prove the identity of the aggregator or kube-apiserver when it must call out during a request. This includes proxying requests to a user api-server and calling out to webhook admission plugins. |
+ | Private key for the client certificate used to prove the identity of the aggregator or kube-apiserver when it must call out during a request. This includes proxying requests to a user api-server and calling out to webhook admission plugins. |
| --request-timeout duration Default: 1m0s |
- | An optional field indicating the duration a handler must keep a request open before timing it out. This is the default request timeout for requests but may be overridden by flags such as --min-request-timeout for specific types of requests. |
+ | An optional field indicating the duration a handler must keep a request open before timing it out. This is the default request timeout for requests but may be overridden by flags such as --min-request-timeout for specific types of requests. |
-| --requestheader-allowed-names stringSlice |
+--requestheader-allowed-names strings |
- | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
+ | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
| --requestheader-client-ca-file string |
- | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
+ | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
-| --requestheader-extra-headers-prefix stringSlice |
+--requestheader-extra-headers-prefix strings |
- | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
+ | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
-| --requestheader-group-headers stringSlice |
+--requestheader-group-headers strings |
- | List of request headers to inspect for groups. X-Remote-Group is suggested. |
+ | List of request headers to inspect for groups. X-Remote-Group is suggested. |
-| --requestheader-username-headers stringSlice |
+--requestheader-username-headers strings |
- | List of request headers to inspect for usernames. X-Remote-User is common. |
+ | List of request headers to inspect for usernames. X-Remote-User is common. |
-| --runtime-config mapStringString |
+--runtime-config <comma-separated 'key=value' pairs> |
- | A set of key=value pairs that enable or disable built-in APIs. Supported options are:
v1=true|false for the core API group
<group>/<version>=true|false for a specific API group and version (e.g. apps/v1=true)
api/all=true|false controls all API versions
api/ga=true|false controls all API versions of the form v[0-9]+
api/beta=true|false controls all API versions of the form v[0-9]+beta[0-9]+
api/alpha=true|false controls all API versions of the form v[0-9]+alpha[0-9]+
api/legacy is deprecated, and will be removed in a future version |
+ | A set of key=value pairs that enable or disable built-in APIs. Supported options are:
v1=true|false for the core API group
/=true|false for a specific API group and version (e.g. apps/v1=true)
api/all=true|false controls all API versions
api/ga=true|false controls all API versions of the form v[0-9]+
api/beta=true|false controls all API versions of the form v[0-9]+beta[0-9]+
api/alpha=true|false controls all API versions of the form v[0-9]+alpha[0-9]+
api/legacy is deprecated, and will be removed in a future version |
| --secure-port int Default: 6443 |
- | The port on which to serve HTTPS with authentication and authorization. It cannot be switched off with 0. |
+ | The port on which to serve HTTPS with authentication and authorization. It cannot be switched off with 0. |
| --service-account-extend-token-expiration Default: true |
- | Turns on projected service account expiration extension during token generation, which helps safe transition from legacy token to bound service account token feature. If this flag is enabled, admission injected tokens would be extended up to 1 year to prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration. |
+ | Turns on projected service account expiration extension during token generation, which helps safe transition from legacy token to bound service account token feature. If this flag is enabled, admission injected tokens would be extended up to 1 year to prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration. |
| --service-account-issuer string |
- | Identifier of the service account token issuer. The issuer will assert this identifier in "iss" claim of issued tokens. This value is a string or URI. If this option is not a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature will remain disabled, even if the feature gate is set to true. It is highly recommended that this value comply with the OpenID spec: https://openid.net/specs/openid-connect-discovery-1_0.html. In practice, this means that service-account-issuer must be an https URL. It is also highly recommended that this URL be capable of serving OpenID discovery documents at {service-account-issuer}/.well-known/openid-configuration. |
+ | Identifier of the service account token issuer. The issuer will assert this identifier in "iss" claim of issued tokens. This value is a string or URI. If this option is not a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature will remain disabled, even if the feature gate is set to true. It is highly recommended that this value comply with the OpenID spec: https://openid.net/specs/openid-connect-discovery-1_0.html. In practice, this means that service-account-issuer must be an https URL. It is also highly recommended that this URL be capable of serving OpenID discovery documents at {service-account-issuer}/.well-known/openid-configuration. |
| --service-account-jwks-uri string |
- | Overrides the URI for the JSON Web Key Set in the discovery doc served at /.well-known/openid-configuration. This flag is useful if the discovery docand key set are served to relying parties from a URL other than the API server's external (as auto-detected or overridden with external-hostname). Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled. |
+ | Overrides the URI for the JSON Web Key Set in the discovery doc served at /.well-known/openid-configuration. This flag is useful if the discovery docand key set are served to relying parties from a URL other than the API server's external (as auto-detected or overridden with external-hostname). Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled. |
-| --service-account-key-file stringArray |
+--service-account-key-file strings |
- | File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. If unspecified, --tls-private-key-file is used. Must be specified when --service-account-signing-key is provided |
+ | File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. If unspecified, --tls-private-key-file is used. Must be specified when --service-account-signing-key is provided |
| --service-account-lookup Default: true |
- | If true, validate ServiceAccount tokens exist in etcd as part of authentication. |
+ | If true, validate ServiceAccount tokens exist in etcd as part of authentication. |
| --service-account-max-token-expiration duration |
- | The maximum validity duration of a token created by the service account token issuer. If an otherwise valid TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value. |
+ | The maximum validity duration of a token created by the service account token issuer. If an otherwise valid TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value. |
| --service-account-signing-key-file string |
- | Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. |
+ | Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. |
| --service-cluster-ip-range string |
- | A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes or pods. |
+ | A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes or pods. |
-| --service-node-port-range portRange Default: 30000-32767 |
+--service-node-port-range <a string in the form 'N1-N2'> Default: 30000-32767 |
- | A port range to reserve for services with NodePort visibility. Example: '30000-32767'. Inclusive at both ends of the range. |
+ | A port range to reserve for services with NodePort visibility. Example: '30000-32767'. Inclusive at both ends of the range. |
| --show-hidden-metrics-for-version string |
- | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is <major>.<minor>, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
+ | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is ., e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
| --shutdown-delay-duration duration |
- | Time to delay the termination. During that time the server keeps serving requests normally. The endpoints /healthz and /livez will return success, but /readyz immediately returns failure. Graceful termination starts after this delay has elapsed. This can be used to allow load balancer to stop sending traffic to this server. |
+ | Time to delay the termination. During that time the server keeps serving requests normally. The endpoints /healthz and /livez will return success, but /readyz immediately returns failure. Graceful termination starts after this delay has elapsed. This can be used to allow load balancer to stop sending traffic to this server. |
| --skip-headers |
- | If true, avoid header prefixes in the log messages |
+ | If true, avoid header prefixes in the log messages |
| --skip-log-headers |
- | If true, avoid headers when opening log files |
+ | If true, avoid headers when opening log files |
-| --stderrthreshold severity Default: 2 |
+--stderrthreshold int Default: 2 |
- | logs at or above this threshold go to stderr |
+ | logs at or above this threshold go to stderr |
| --storage-backend string |
- | The storage backend for persistence. Options: 'etcd3' (default). |
+ | The storage backend for persistence. Options: 'etcd3' (default). |
| --storage-media-type string Default: "application/vnd.kubernetes.protobuf" |
- | The media type to use to store objects in storage. Some resources or storage backends may only support a specific media type and will ignore this setting. |
+ | The media type to use to store objects in storage. Some resources or storage backends may only support a specific media type and will ignore this setting. |
| --tls-cert-file string |
- | File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir. |
+ | File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir. |
-| --tls-cipher-suites stringSlice |
+--tls-cipher-suites strings |
- | Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. |
+ | Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. |
| --tls-min-version string |
- | Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 |
+ | Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 |
| --tls-private-key-file string |
- | File containing the default x509 private key matching --tls-cert-file. |
+ | File containing the default x509 private key matching --tls-cert-file. |
-| --tls-sni-cert-key namedCertKey Default: [] |
+--tls-sni-cert-key string |
- | A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". |
+ | A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". |
| --token-auth-file string |
- | If set, the file that will be used to secure the secure port of the API server via token authentication. |
+ | If set, the file that will be used to secure the secure port of the API server via token authentication. |
-| -v, --v Level |
+-v, --v int |
- | number for the log level verbosity |
+ | number for the log level verbosity |
| --version version[=true] |
- | Print version information and quit |
+ | Print version information and quit |
-| --vmodule moduleSpec |
+--vmodule <comma-separated 'pattern=N' settings> |
- | comma-separated list of pattern=N settings for file-filtered logging |
+ | comma-separated list of pattern=N settings for file-filtered logging |
| --watch-cache Default: true |
- | Enable watch caching in the apiserver |
+ | Enable watch caching in the apiserver |
-| --watch-cache-sizes stringSlice |
+--watch-cache-sizes strings |
- | Watch cache size settings for some resources (pods, nodes, etc.), comma separated. The individual setting format: resource[.group]#size, where resource is lowercase plural (no version), group is omitted for resources of apiVersion v1 (the legacy core API) and included for others, and size is a number. It takes effect when watch-cache is enabled. Some resources (replicationcontrollers, endpoints, nodes, pods, services, apiservices.apiregistration.k8s.io) have system defaults set by heuristics, others default to default-watch-cache-size |
+ | Watch cache size settings for some resources (pods, nodes, etc.), comma separated. The individual setting format: resource[.group]#size, where resource is lowercase plural (no version), group is omitted for resources of apiVersion v1 (the legacy core API) and included for others, and size is a number. It takes effect when watch-cache is enabled. Some resources (replicationcontrollers, endpoints, nodes, pods, services, apiservices.apiregistration.k8s.io) have system defaults set by heuristics, others default to default-watch-cache-size |
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md b/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
index 79af1bc81a..a7ad248e94 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
@@ -2,8 +2,21 @@
title: kube-controller-manager
content_type: tool-reference
weight: 30
+auto_generated: true
---
+
+
+
## {{% heading "synopsis" %}}
@@ -33,980 +46,980 @@ kube-controller-manager [flags]
--add-dir-header |
- | If true, adds the file directory to the header of the log messages |
+ | If true, adds the file directory to the header of the log messages |
| --allocate-node-cidrs |
- | Should CIDRs for Pods be allocated and set on the cloud provider. |
+ | Should CIDRs for Pods be allocated and set on the cloud provider. |
| --alsologtostderr |
- | log to standard error as well as files |
+ | log to standard error as well as files |
| --attach-detach-reconcile-sync-period duration Default: 1m0s |
- | The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods. |
+ | The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods. |
| --authentication-kubeconfig string |
- | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster. |
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster. |
| --authentication-skip-lookup |
- | If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster. |
+ | If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster. |
| --authentication-token-webhook-cache-ttl duration Default: 10s |
- | The duration to cache responses from the webhook token authenticator. |
+ | The duration to cache responses from the webhook token authenticator. |
| --authentication-tolerate-lookup-failure |
- | If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous. |
+ | If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous. |
-| --authorization-always-allow-paths stringSlice Default: [/healthz] |
+--authorization-always-allow-paths strings Default: "/healthz" |
- | A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. |
+ | A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. |
| --authorization-kubeconfig string |
- | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden. |
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden. |
| --authorization-webhook-cache-authorized-ttl duration Default: 10s |
- | The duration to cache 'authorized' responses from the webhook authorizer. |
+ | The duration to cache 'authorized' responses from the webhook authorizer. |
| --authorization-webhook-cache-unauthorized-ttl duration Default: 10s |
- | The duration to cache 'unauthorized' responses from the webhook authorizer. |
+ | The duration to cache 'unauthorized' responses from the webhook authorizer. |
| --azure-container-registry-config string |
- | Path to the file containing Azure container registry configuration information. |
+ | Path to the file containing Azure container registry configuration information. |
-| --bind-address ip Default: 0.0.0.0 |
+--bind-address string Default: 0.0.0.0 |
- | The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. |
+ | The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. |
| --cert-dir string |
- | The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. |
+ | The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. |
| --cidr-allocator-type string Default: "RangeAllocator" |
- | Type of CIDR allocator to use |
+ | Type of CIDR allocator to use |
| --client-ca-file string |
- | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
+ | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
| --cloud-config string |
- | The path to the cloud provider configuration file. Empty string for no configuration file. |
+ | The path to the cloud provider configuration file. Empty string for no configuration file. |
| --cloud-provider string |
- | The provider for cloud services. Empty string for no provider. |
+ | The provider for cloud services. Empty string for no provider. |
| --cluster-cidr string |
- | CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true |
+ | CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true |
| --cluster-name string Default: "kubernetes" |
- | The instance prefix for the cluster. |
+ | The instance prefix for the cluster. |
| --cluster-signing-cert-file string |
- | Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified. |
+ | Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified. |
| --cluster-signing-duration duration Default: 8760h0m0s |
- | The length of duration signed certificates will be given. |
+ | The length of duration signed certificates will be given. |
| --cluster-signing-key-file string |
- | Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified. |
+ | Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified. |
| --cluster-signing-kube-apiserver-client-cert-file string |
- | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-kube-apiserver-client-key-file string |
- | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-kubelet-client-cert-file string |
- | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-kubelet-client-key-file string |
- | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-kubelet-serving-cert-file string |
- | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-kubelet-serving-key-file string |
- | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-legacy-unknown-cert-file string |
- | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --cluster-signing-legacy-unknown-key-file string |
- | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
+ | Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set. |
| --concurrent-deployment-syncs int32 Default: 5 |
- | The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load |
+ | The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load |
| --concurrent-endpoint-syncs int32 Default: 5 |
- | The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load |
+ | The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load |
| --concurrent-gc-syncs int32 Default: 20 |
- | The number of garbage collector workers that are allowed to sync concurrently. |
+ | The number of garbage collector workers that are allowed to sync concurrently. |
| --concurrent-namespace-syncs int32 Default: 10 |
- | The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load |
+ | The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load |
| --concurrent-replicaset-syncs int32 Default: 5 |
- | The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load |
+ | The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load |
| --concurrent-resource-quota-syncs int32 Default: 5 |
- | The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load |
+ | The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load |
| --concurrent-service-endpoint-syncs int32 Default: 5 |
- | The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5. |
+ | The number of service endpoint syncing operations that will be done concurrently. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5. |
| --concurrent-service-syncs int32 Default: 1 |
- | The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load |
+ | The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load |
| --concurrent-serviceaccount-token-syncs int32 Default: 5 |
- | The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load |
+ | The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load |
| --concurrent-statefulset-syncs int32 Default: 5 |
- | The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load |
+ | The number of statefulset objects that are allowed to sync concurrently. Larger number = more responsive statefulsets, but more CPU (and network) load |
| --concurrent-ttl-after-finished-syncs int32 Default: 5 |
- | The number of TTL-after-finished controller workers that are allowed to sync concurrently. |
+ | The number of TTL-after-finished controller workers that are allowed to sync concurrently. |
| --concurrent_rc_syncs int32 Default: 5 |
- | The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load |
+ | The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load |
| --configure-cloud-routes Default: true |
- | Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider. |
+ | Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider. |
| --contention-profiling |
- | Enable lock contention profiling, if profiling is enabled |
+ | Enable lock contention profiling, if profiling is enabled |
| --controller-start-interval duration |
- | Interval between starting controller managers. |
+ | Interval between starting controller managers. |
-| --controllers stringSlice Default: [*] |
+--controllers strings Default: "*" |
- | A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
Disabled-by-default controllers: bootstrapsigner, tokencleaner |
+ | A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
All controllers: attachdetach, bootstrapsigner, cloud-node-lifecycle, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, endpointslice, endpointslicemirroring, ephemeral-volume, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, root-ca-cert-publisher, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
Disabled-by-default controllers: bootstrapsigner, tokencleaner |
| --deployment-controller-sync-period duration Default: 30s |
- | Period for syncing the deployments. |
+ | Period for syncing the deployments. |
| --disable-attach-detach-reconcile-sync |
- | Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely. |
+ | Disable volume attach detach reconciler sync. Disabling this may cause volumes to be mismatched with pods. Use wisely. |
| --enable-dynamic-provisioning Default: true |
- | Enable dynamic provisioning for environments that support it. |
+ | Enable dynamic provisioning for environments that support it. |
| --enable-garbage-collector Default: true |
- | Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver. |
+ | Enables the generic garbage collector. MUST be synced with the corresponding flag of the kube-apiserver. |
| --enable-hostpath-provisioner |
- | Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development. |
+ | Enable HostPath PV provisioning when running without a cloud provider. This allows testing and development of provisioning features. HostPath provisioning is not supported in any way, won't work in a multi-node cluster, and should not be used for anything other than testing or development. |
| --enable-taint-manager Default: true |
- | WARNING: Beta feature. If set to true enables NoExecute Taints and will evict all not-tolerating Pod running on Nodes tainted with this kind of Taints. |
+ | WARNING: Beta feature. If set to true enables NoExecute Taints and will evict all not-tolerating Pod running on Nodes tainted with this kind of Taints. |
| --endpoint-updates-batch-period duration |
- | The length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated |
+ | The length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated |
| --endpointslice-updates-batch-period duration |
- | The length of endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated |
+ | The length of endpoint slice updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated |
| --experimental-logging-sanitization |
- | [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. |
+ | [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. |
| --external-cloud-volume-plugin string |
- | The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers. |
+ | The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers. |
-| --feature-gates mapStringBool |
+--feature-gates <comma-separated 'key=True|False' pairs> |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
| --flex-volume-plugin-dir string Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" |
- | Full path of the directory in which the flex volume plugin should search for additional third party volume plugins. |
+ | Full path of the directory in which the flex volume plugin should search for additional third party volume plugins. |
| -h, --help |
- | help for kube-controller-manager |
+ | help for kube-controller-manager |
| --horizontal-pod-autoscaler-cpu-initialization-period duration Default: 5m0s |
- | The period after pod start when CPU samples might be skipped. |
+ | The period after pod start when CPU samples might be skipped. |
| --horizontal-pod-autoscaler-downscale-stabilization duration Default: 5m0s |
- | The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period. |
+ | The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period. |
| --horizontal-pod-autoscaler-initial-readiness-delay duration Default: 30s |
- | The period after pod start during which readiness changes will be treated as initial readiness. |
+ | The period after pod start during which readiness changes will be treated as initial readiness. |
| --horizontal-pod-autoscaler-sync-period duration Default: 15s |
- | The period for syncing the number of pods in horizontal pod autoscaler. |
+ | The period for syncing the number of pods in horizontal pod autoscaler. |
| --horizontal-pod-autoscaler-tolerance float Default: 0.1 |
- | The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. |
+ | The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. |
| --http2-max-streams-per-connection int |
- | The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. |
+ | The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. |
| --kube-api-burst int32 Default: 30 |
- | Burst to use while talking with kubernetes apiserver. |
+ | Burst to use while talking with kubernetes apiserver. |
| --kube-api-content-type string Default: "application/vnd.kubernetes.protobuf" |
- | Content type of requests sent to apiserver. |
+ | Content type of requests sent to apiserver. |
-| --kube-api-qps float32 Default: 20 |
+--kube-api-qps float Default: 20 |
- | QPS to use while talking with kubernetes apiserver. |
+ | QPS to use while talking with kubernetes apiserver. |
| --kubeconfig string |
- | Path to kubeconfig file with authorization and master location information. |
+ | Path to kubeconfig file with authorization and master location information. |
| --large-cluster-size-threshold int32 Default: 50 |
- | Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller. |
+ | Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller. |
| --leader-elect Default: true |
- | Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability. |
+ | Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability. |
| --leader-elect-lease-duration duration Default: 15s |
- | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. |
+ | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. |
| --leader-elect-renew-deadline duration Default: 10s |
- | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. |
+ | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. |
| --leader-elect-resource-lock string Default: "leases" |
- | The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'. |
+ | The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'. |
| --leader-elect-resource-name string Default: "kube-controller-manager" |
- | The name of resource object that is used for locking during leader election. |
+ | The name of resource object that is used for locking during leader election. |
| --leader-elect-resource-namespace string Default: "kube-system" |
- | The namespace of resource object that is used for locking during leader election. |
+ | The namespace of resource object that is used for locking during leader election. |
| --leader-elect-retry-period duration Default: 2s |
- | The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. |
+ | The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. |
-| --log-backtrace-at traceLocation Default: :0 |
+--log-backtrace-at <a string in the form 'file:N'> Default: :0 |
- | when logging hits line file:N, emit a stack trace |
+ | when logging hits line file:N, emit a stack trace |
| --log-dir string |
- | If non-empty, write log files in this directory |
+ | If non-empty, write log files in this directory |
| --log-file string |
- | If non-empty, use this log file |
+ | If non-empty, use this log file |
| --log-file-max-size uint Default: 1800 |
- | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
+ | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
| --log-flush-frequency duration Default: 5s |
- | Maximum number of seconds between log flushes |
+ | Maximum number of seconds between log flushes |
| --logging-format string Default: "text" |
- | Sets the log format. Permitted formats: "json", "text".
Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning. |
+ | Sets the log format. Permitted formats: "json", "text".
Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning. |
| --logtostderr Default: true |
- | log to standard error instead of files |
+ | log to standard error instead of files |
| --master string |
- | The address of the Kubernetes API server (overrides any value in kubeconfig). |
+ | The address of the Kubernetes API server (overrides any value in kubeconfig). |
| --max-endpoints-per-slice int32 Default: 100 |
- | The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100. |
+ | The maximum number of endpoints that will be added to an EndpointSlice. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100. |
| --min-resync-period duration Default: 12h0m0s |
- | The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod. |
+ | The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod. |
| --mirroring-concurrent-service-endpoint-syncs int32 Default: 5 |
- | The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5. |
+ | The number of service endpoint syncing operations that will be done concurrently by the EndpointSliceMirroring controller. Larger number = faster endpoint slice updating, but more CPU (and network) load. Defaults to 5. |
| --mirroring-endpointslice-updates-batch-period duration |
- | The length of EndpointSlice updates batching period for EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated |
+ | The length of EndpointSlice updates batching period for EndpointSliceMirroring controller. Processing of EndpointSlice changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of EndpointSlice updates. Larger number = higher endpoint programming latency, but lower number of endpoints revision generated |
| --mirroring-max-endpoints-per-subset int32 Default: 1000 |
- | The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100. |
+ | The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100. |
| --namespace-sync-period duration Default: 5m0s |
- | The period for syncing namespace life-cycle updates |
+ | The period for syncing namespace life-cycle updates |
| --node-cidr-mask-size int32 |
- | Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6. |
+ | Mask size for node cidr in cluster. Default is 24 for IPv4 and 64 for IPv6. |
| --node-cidr-mask-size-ipv4 int32 |
- | Mask size for IPv4 node cidr in dual-stack cluster. Default is 24. |
+ | Mask size for IPv4 node cidr in dual-stack cluster. Default is 24. |
| --node-cidr-mask-size-ipv6 int32 |
- | Mask size for IPv6 node cidr in dual-stack cluster. Default is 64. |
+ | Mask size for IPv6 node cidr in dual-stack cluster. Default is 64. |
-| --node-eviction-rate float32 Default: 0.1 |
+--node-eviction-rate float Default: 0.1 |
- | Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. |
+ | Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. |
| --node-monitor-grace-period duration Default: 40s |
- | Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. |
+ | Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. |
| --node-monitor-period duration Default: 5s |
- | The period for syncing NodeStatus in NodeController. |
+ | The period for syncing NodeStatus in NodeController. |
| --node-startup-grace-period duration Default: 1m0s |
- | Amount of time which we allow starting Node to be unresponsive before marking it unhealthy. |
+ | Amount of time which we allow starting Node to be unresponsive before marking it unhealthy. |
| --one-output |
- | If true, only write logs to their native severity level (vs also writing to each lower severity level |
+ | If true, only write logs to their native severity level (vs also writing to each lower severity level |
| --permit-port-sharing |
- | If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false] |
+ | If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false] |
| --pod-eviction-timeout duration Default: 5m0s |
- | The grace period for deleting pods on failed nodes. |
+ | The grace period for deleting pods on failed nodes. |
| --profiling Default: true |
- | Enable profiling via web interface host:port/debug/pprof/ |
+ | Enable profiling via web interface host:port/debug/pprof/ |
| --pv-recycler-increment-timeout-nfs int32 Default: 30 |
- | the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod |
+ | the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod |
| --pv-recycler-minimum-timeout-hostpath int32 Default: 60 |
- | The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster. |
+ | The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster. |
| --pv-recycler-minimum-timeout-nfs int32 Default: 300 |
- | The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod |
+ | The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod |
| --pv-recycler-pod-template-filepath-hostpath string |
- | The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster. |
+ | The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster. |
| --pv-recycler-pod-template-filepath-nfs string |
- | The file path to a pod definition used as a template for NFS persistent volume recycling |
+ | The file path to a pod definition used as a template for NFS persistent volume recycling |
| --pv-recycler-timeout-increment-hostpath int32 Default: 30 |
- | the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster. |
+ | the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster. |
| --pvclaimbinder-sync-period duration Default: 15s |
- | The period for syncing persistent volumes and persistent volume claims |
+ | The period for syncing persistent volumes and persistent volume claims |
-| --requestheader-allowed-names stringSlice |
+--requestheader-allowed-names strings |
- | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
+ | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
| --requestheader-client-ca-file string |
- | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
+ | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
-| --requestheader-extra-headers-prefix stringSlice Default: [x-remote-extra-] |
+--requestheader-extra-headers-prefix strings Default: "x-remote-extra-" |
- | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
+ | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
-| --requestheader-group-headers stringSlice Default: [x-remote-group] |
+--requestheader-group-headers strings Default: "x-remote-group" |
- | List of request headers to inspect for groups. X-Remote-Group is suggested. |
+ | List of request headers to inspect for groups. X-Remote-Group is suggested. |
-| --requestheader-username-headers stringSlice Default: [x-remote-user] |
+--requestheader-username-headers strings Default: "x-remote-user" |
- | List of request headers to inspect for usernames. X-Remote-User is common. |
+ | List of request headers to inspect for usernames. X-Remote-User is common. |
| --resource-quota-sync-period duration Default: 5m0s |
- | The period for syncing quota usage status in the system |
+ | The period for syncing quota usage status in the system |
| --root-ca-file string |
- | If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle. |
+ | If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle. |
| --route-reconciliation-period duration Default: 10s |
- | The period for reconciling routes created for Nodes by cloud provider. |
+ | The period for reconciling routes created for Nodes by cloud provider. |
-| --secondary-node-eviction-rate float32 Default: 0.01 |
+--secondary-node-eviction-rate float Default: 0.01 |
- | Number of nodes per second on which pods are deleted in case of node failure when a zone is unhealthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. This value is implicitly overridden to 0 if the cluster size is smaller than --large-cluster-size-threshold. |
+ | Number of nodes per second on which pods are deleted in case of node failure when a zone is unhealthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters. This value is implicitly overridden to 0 if the cluster size is smaller than --large-cluster-size-threshold. |
| --secure-port int Default: 10257 |
- | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
+ | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
| --service-account-private-key-file string |
- | Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens. |
+ | Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens. |
| --service-cluster-ip-range string |
- | CIDR Range for Services in cluster. Requires --allocate-node-cidrs to be true |
+ | CIDR Range for Services in cluster. Requires --allocate-node-cidrs to be true |
| --show-hidden-metrics-for-version string |
- | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is <major>.<minor>, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
+ | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is ., e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
| --skip-headers |
- | If true, avoid header prefixes in the log messages |
+ | If true, avoid header prefixes in the log messages |
| --skip-log-headers |
- | If true, avoid headers when opening log files |
+ | If true, avoid headers when opening log files |
-| --stderrthreshold severity Default: 2 |
+--stderrthreshold int Default: 2 |
- | logs at or above this threshold go to stderr |
+ | logs at or above this threshold go to stderr |
| --terminated-pod-gc-threshold int32 Default: 12500 |
- | Number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If <= 0, the terminated pod garbage collector is disabled. |
+ | Number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If <= 0, the terminated pod garbage collector is disabled. |
| --tls-cert-file string |
- | File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir. |
+ | File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir. |
-| --tls-cipher-suites stringSlice |
+--tls-cipher-suites strings |
- | Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. |
+ | Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. |
| --tls-min-version string |
- | Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 |
+ | Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 |
| --tls-private-key-file string |
- | File containing the default x509 private key matching --tls-cert-file. |
+ | File containing the default x509 private key matching --tls-cert-file. |
-| --tls-sni-cert-key namedCertKey Default: [] |
+--tls-sni-cert-key string |
- | A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". |
+ | A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". |
-| --unhealthy-zone-threshold float32 Default: 0.55 |
+--unhealthy-zone-threshold float Default: 0.55 |
- | Fraction of Nodes in a zone which needs to be not Ready (minimum 3) for zone to be treated as unhealthy. |
+ | Fraction of Nodes in a zone which needs to be not Ready (minimum 3) for zone to be treated as unhealthy. |
| --use-service-account-credentials |
- | If true, use individual service account credentials for each controller. |
+ | If true, use individual service account credentials for each controller. |
-| -v, --v Level |
+-v, --v int |
- | number for the log level verbosity |
+ | number for the log level verbosity |
| --version version[=true] |
- | Print version information and quit |
+ | Print version information and quit |
-| --vmodule moduleSpec |
+--vmodule <comma-separated 'pattern=N' settings> |
- | comma-separated list of pattern=N settings for file-filtered logging |
+ | comma-separated list of pattern=N settings for file-filtered logging |
| --volume-host-allow-local-loopback Default: true |
- | If false, deny local loopback IPs in addition to any CIDR ranges in --volume-host-cidr-denylist |
+ | If false, deny local loopback IPs in addition to any CIDR ranges in --volume-host-cidr-denylist |
-| --volume-host-cidr-denylist stringSlice |
+--volume-host-cidr-denylist strings |
- | A comma-separated list of CIDR ranges to avoid from volume plugins. |
+ | A comma-separated list of CIDR ranges to avoid from volume plugins. |
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
index a13368ed01..ad9d8b022d 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
@@ -2,8 +2,21 @@
title: kube-proxy
content_type: tool-reference
weight: 30
+auto_generated: true
---
+
+
+
## {{% heading "synopsis" %}}
@@ -32,308 +45,308 @@ kube-proxy [flags]
--azure-container-registry-config string |
- | Path to the file containing Azure container registry configuration information. |
+ | Path to the file containing Azure container registry configuration information. |
-| --bind-address ip Default: 0.0.0.0 |
+--bind-address string Default: 0.0.0.0 |
- | The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces) |
+ | The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces) |
| --bind-address-hard-fail |
- | If true kube-proxy will treat failure to bind to a port as fatal and exit |
+ | If true kube-proxy will treat failure to bind to a port as fatal and exit |
| --cleanup |
- | If true cleanup iptables and ipvs rules and exit. |
+ | If true cleanup iptables and ipvs rules and exit. |
| --cluster-cidr string |
- | The CIDR range of pods in the cluster. When configured, traffic sent to a Service cluster IP from outside this range will be masqueraded and traffic sent from pods to an external LoadBalancer IP will be directed to the respective cluster IP instead |
+ | The CIDR range of pods in the cluster. When configured, traffic sent to a Service cluster IP from outside this range will be masqueraded and traffic sent from pods to an external LoadBalancer IP will be directed to the respective cluster IP instead |
| --config string |
- | The path to the configuration file. |
+ | The path to the configuration file. |
| --config-sync-period duration Default: 15m0s |
- | How often configuration from the apiserver is refreshed. Must be greater than 0. |
+ | How often configuration from the apiserver is refreshed. Must be greater than 0. |
| --conntrack-max-per-core int32 Default: 32768 |
- | Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min). |
+ | Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min). |
| --conntrack-min int32 Default: 131072 |
- | Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is). |
+ | Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is). |
| --conntrack-tcp-timeout-close-wait duration Default: 1h0m0s |
- | NAT timeout for TCP connections in the CLOSE_WAIT state |
+ | NAT timeout for TCP connections in the CLOSE_WAIT state |
| --conntrack-tcp-timeout-established duration Default: 24h0m0s |
- | Idle timeout for established TCP connections (0 to leave as-is) |
+ | Idle timeout for established TCP connections (0 to leave as-is) |
| --detect-local-mode LocalMode |
- | Mode to use to detect local traffic |
+ | Mode to use to detect local traffic |
-| --feature-gates mapStringBool |
+--feature-gates <comma-separated 'key=True|False' pairs> |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
| --healthz-bind-address ipport Default: 0.0.0.0:10256 |
- | The IP address with port for the health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable. |
+ | The IP address with port for the health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable. |
| -h, --help |
- | help for kube-proxy |
+ | help for kube-proxy |
| --hostname-override string |
- | If non-empty, will use this string as identification instead of the actual hostname. |
+ | If non-empty, will use this string as identification instead of the actual hostname. |
| --iptables-masquerade-bit int32 Default: 14 |
- | If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31]. |
+ | If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31]. |
| --iptables-min-sync-period duration Default: 1s |
- | The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). |
+ | The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). |
| --iptables-sync-period duration Default: 30s |
- | The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. |
+ | The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. |
-| --ipvs-exclude-cidrs stringSlice |
+--ipvs-exclude-cidrs strings |
- | A comma-separated list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules. |
+ | A comma-separated list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules. |
| --ipvs-min-sync-period duration |
- | The minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). |
+ | The minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). |
| --ipvs-scheduler string |
- | The ipvs scheduler type when proxy mode is ipvs |
+ | The ipvs scheduler type when proxy mode is ipvs |
| --ipvs-strict-arp |
- | Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2 |
+ | Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2 |
| --ipvs-sync-period duration Default: 30s |
- | The maximum interval of how often ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. |
+ | The maximum interval of how often ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. |
| --ipvs-tcp-timeout duration |
- | The timeout for idle IPVS TCP connections, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). |
+ | The timeout for idle IPVS TCP connections, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). |
| --ipvs-tcpfin-timeout duration |
- | The timeout for IPVS TCP connections after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). |
+ | The timeout for IPVS TCP connections after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). |
| --ipvs-udp-timeout duration |
- | The timeout for IPVS UDP packets, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). |
+ | The timeout for IPVS UDP packets, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). |
| --kube-api-burst int32 Default: 10 |
- | Burst to use while talking with kubernetes apiserver |
+ | Burst to use while talking with kubernetes apiserver |
| --kube-api-content-type string Default: "application/vnd.kubernetes.protobuf" |
- | Content type of requests sent to apiserver. |
+ | Content type of requests sent to apiserver. |
-| --kube-api-qps float32 Default: 5 |
+--kube-api-qps float Default: 5 |
- | QPS to use while talking with kubernetes apiserver |
+ | QPS to use while talking with kubernetes apiserver |
| --kubeconfig string |
- | Path to kubeconfig file with authorization information (the master location can be overridden by the master flag). |
+ | Path to kubeconfig file with authorization information (the master location can be overridden by the master flag). |
| --log-flush-frequency duration Default: 5s |
- | Maximum number of seconds between log flushes |
+ | Maximum number of seconds between log flushes |
| --masquerade-all |
- | If using the pure iptables proxy, SNAT all traffic sent via Service cluster IPs (this not commonly needed) |
+ | If using the pure iptables proxy, SNAT all traffic sent via Service cluster IPs (this not commonly needed) |
| --master string |
- | The address of the Kubernetes API server (overrides any value in kubeconfig) |
+ | The address of the Kubernetes API server (overrides any value in kubeconfig) |
| --metrics-bind-address ipport Default: 127.0.0.1:10249 |
- | The IP address with port for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to disable. |
+ | The IP address with port for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to disable. |
-| --nodeport-addresses stringSlice |
+--nodeport-addresses strings |
- | A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses. |
+ | A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses. |
| --oom-score-adj int32 Default: -999 |
- | The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000] |
+ | The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000] |
| --profiling |
- | If true enables profiling via web interface on /debug/pprof handler. |
+ | If true enables profiling via web interface on /debug/pprof handler. |
| --proxy-mode ProxyMode |
- | Which proxy mode to use: 'userspace' (older) or 'iptables' (faster) or 'ipvs' or 'kernelspace' (windows). If blank, use the best-available proxy (currently iptables). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy. |
+ | Which proxy mode to use: 'userspace' (older) or 'iptables' (faster) or 'ipvs' or 'kernelspace' (windows). If blank, use the best-available proxy (currently iptables). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy. |
| --proxy-port-range port-range |
- | Range of host ports (beginPort-endPort, single port or beginPort+offset, inclusive) that may be consumed in order to proxy service traffic. If (unspecified, 0, or 0-0) then ports will be randomly chosen. |
+ | Range of host ports (beginPort-endPort, single port or beginPort+offset, inclusive) that may be consumed in order to proxy service traffic. If (unspecified, 0, or 0-0) then ports will be randomly chosen. |
| --show-hidden-metrics-for-version string |
- | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is <major>.<minor>, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
+ | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is ., e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
| --udp-timeout duration Default: 250ms |
- | How long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxy-mode=userspace |
+ | How long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxy-mode=userspace |
| --version version[=true] |
- | Print version information and quit |
+ | Print version information and quit |
| --write-config-to string |
- | If set, write the default configuration values to this file and exit. |
+ | If set, write the default configuration values to this file and exit. |
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md b/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
index 7aa8ccf5d0..913d7eb925 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
@@ -2,8 +2,21 @@
title: kube-scheduler
content_type: tool-reference
weight: 30
+auto_generated: true
---
+
+
+
## {{% heading "synopsis" %}}
@@ -33,504 +46,504 @@ kube-scheduler [flags]
--add-dir-header |
- | If true, adds the file directory to the header of the log messages |
+ | If true, adds the file directory to the header of the log messages |
| --address string Default: "0.0.0.0" |
- | DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead. |
+ | DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead. |
| --algorithm-provider string |
- | DEPRECATED: the scheduling algorithm provider to use, this sets the default plugins for component config profiles. Choose one of: ClusterAutoscalerProvider | DefaultProvider |
+ | DEPRECATED: the scheduling algorithm provider to use, this sets the default plugins for component config profiles. Choose one of: ClusterAutoscalerProvider | DefaultProvider |
| --alsologtostderr |
- | log to standard error as well as files |
+ | log to standard error as well as files |
| --authentication-kubeconfig string |
- | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster. |
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster. |
| --authentication-skip-lookup |
- | If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster. |
+ | If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster. |
| --authentication-token-webhook-cache-ttl duration Default: 10s |
- | The duration to cache responses from the webhook token authenticator. |
+ | The duration to cache responses from the webhook token authenticator. |
| --authentication-tolerate-lookup-failure Default: true |
- | If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous. |
+ | If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous. |
-| --authorization-always-allow-paths stringSlice Default: [/healthz] |
+--authorization-always-allow-paths strings Default: "/healthz" |
- | A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. |
+ | A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. |
| --authorization-kubeconfig string |
- | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden. |
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden. |
| --authorization-webhook-cache-authorized-ttl duration Default: 10s |
- | The duration to cache 'authorized' responses from the webhook authorizer. |
+ | The duration to cache 'authorized' responses from the webhook authorizer. |
| --authorization-webhook-cache-unauthorized-ttl duration Default: 10s |
- | The duration to cache 'unauthorized' responses from the webhook authorizer. |
+ | The duration to cache 'unauthorized' responses from the webhook authorizer. |
| --azure-container-registry-config string |
- | Path to the file containing Azure container registry configuration information. |
+ | Path to the file containing Azure container registry configuration information. |
-| --bind-address ip Default: 0.0.0.0 |
+--bind-address string Default: 0.0.0.0 |
- | The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. |
+ | The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. |
| --cert-dir string |
- | The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. |
+ | The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. |
| --client-ca-file string |
- | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
+ | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
| --config string |
- | The path to the configuration file. The following flags can overwrite fields in this file:
--address
--port
--use-legacy-policy-config
--policy-configmap
--policy-config-file
--algorithm-provider |
+ | The path to the configuration file. The following flags can overwrite fields in this file:
--address
--port
--use-legacy-policy-config
--policy-configmap
--policy-config-file
--algorithm-provider |
| --contention-profiling Default: true |
- | DEPRECATED: enable lock contention profiling, if profiling is enabled |
+ | DEPRECATED: enable lock contention profiling, if profiling is enabled |
| --experimental-logging-sanitization |
- | [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. |
+ | [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. |
-| --feature-gates mapStringBool |
+--feature-gates <comma-separated 'key=True|False' pairs> |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AllowInsecureBackendProxy=true|false (BETA - default=true)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAWSComplete=true|false (ALPHA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
CSIMigrationAzureFile=true|false (ALPHA - default=false)
CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationGCEComplete=true|false (ALPHA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=false)
CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (ALPHA - default=false)
CSIStorageCapacity=true|false (ALPHA - default=false)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
CronJobControllerV2=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (ALPHA - default=false)
EndpointSlice=true|false (BETA - default=true)
EndpointSliceNodeName=true|false (ALPHA - default=false)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (ALPHA - default=false)
GracefulNodeShutdown=true|false (ALPHA - default=false)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (ALPHA - default=false)
ImmutableEphemeralVolumes=true|false (BETA - default=true)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
LegacyNodeRoleBehavior=true|false (BETA - default=true)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NodeDisruptionExclusion=true|false (BETA - default=true)
NonPreemptingPriority=true|false (BETA - default=true)
PodDisruptionBudget=true|false (BETA - default=true)
PodOverhead=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RootCAConfigMap=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
RunAsGroup=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (BETA - default=true)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
Sysctls=true|false (BETA - default=true)
TTLAfterFinished=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (ALPHA - default=false) |
| --hard-pod-affinity-symmetric-weight int32 Default: 1 |
- | DEPRECATED: RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. --hard-pod-affinity-symmetric-weight represents the weight of implicit PreferredDuringScheduling affinity rule. Must be in the range 0-100.This option was moved to the policy configuration file |
+ | DEPRECATED: RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. --hard-pod-affinity-symmetric-weight represents the weight of implicit PreferredDuringScheduling affinity rule. Must be in the range 0-100.This option was moved to the policy configuration file |
| -h, --help |
- | help for kube-scheduler |
+ | help for kube-scheduler |
| --http2-max-streams-per-connection int |
- | The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. |
+ | The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. |
| --kube-api-burst int32 Default: 100 |
- | DEPRECATED: burst to use while talking with kubernetes apiserver |
+ | DEPRECATED: burst to use while talking with kubernetes apiserver |
| --kube-api-content-type string Default: "application/vnd.kubernetes.protobuf" |
- | DEPRECATED: content type of requests sent to apiserver. |
+ | DEPRECATED: content type of requests sent to apiserver. |
-| --kube-api-qps float32 Default: 50 |
+--kube-api-qps float Default: 50 |
- | DEPRECATED: QPS to use while talking with kubernetes apiserver |
+ | DEPRECATED: QPS to use while talking with kubernetes apiserver |
| --kubeconfig string |
- | DEPRECATED: path to kubeconfig file with authorization and master location information. |
+ | DEPRECATED: path to kubeconfig file with authorization and master location information. |
| --leader-elect Default: true |
- | Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability. |
+ | Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability. |
| --leader-elect-lease-duration duration Default: 15s |
- | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. |
+ | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. |
| --leader-elect-renew-deadline duration Default: 10s |
- | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. |
+ | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. |
| --leader-elect-resource-lock string Default: "leases" |
- | The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'. |
+ | The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'. |
| --leader-elect-resource-name string Default: "kube-scheduler" |
- | The name of resource object that is used for locking during leader election. |
+ | The name of resource object that is used for locking during leader election. |
| --leader-elect-resource-namespace string Default: "kube-system" |
- | The namespace of resource object that is used for locking during leader election. |
+ | The namespace of resource object that is used for locking during leader election. |
| --leader-elect-retry-period duration Default: 2s |
- | The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. |
+ | The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. |
| --lock-object-name string Default: "kube-scheduler" |
- | DEPRECATED: define the name of the lock object. Will be removed in favor of leader-elect-resource-name |
+ | DEPRECATED: define the name of the lock object. Will be removed in favor of leader-elect-resource-name |
| --lock-object-namespace string Default: "kube-system" |
- | DEPRECATED: define the namespace of the lock object. Will be removed in favor of leader-elect-resource-namespace. |
+ | DEPRECATED: define the namespace of the lock object. Will be removed in favor of leader-elect-resource-namespace. |
-| --log-backtrace-at traceLocation Default: :0 |
+--log-backtrace-at <a string in the form 'file:N'> Default: :0 |
- | when logging hits line file:N, emit a stack trace |
+ | when logging hits line file:N, emit a stack trace |
| --log-dir string |
- | If non-empty, write log files in this directory |
+ | If non-empty, write log files in this directory |
| --log-file string |
- | If non-empty, use this log file |
+ | If non-empty, use this log file |
| --log-file-max-size uint Default: 1800 |
- | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
+ | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
| --log-flush-frequency duration Default: 5s |
- | Maximum number of seconds between log flushes |
+ | Maximum number of seconds between log flushes |
| --logging-format string Default: "text" |
- | Sets the log format. Permitted formats: "json", "text".
Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning. |
+ | Sets the log format. Permitted formats: "json", "text".
Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning. |
| --logtostderr Default: true |
- | log to standard error instead of files |
+ | log to standard error instead of files |
| --master string |
- | The address of the Kubernetes API server (overrides any value in kubeconfig) |
+ | The address of the Kubernetes API server (overrides any value in kubeconfig) |
| --one-output |
- | If true, only write logs to their native severity level (vs also writing to each lower severity level |
+ | If true, only write logs to their native severity level (vs also writing to each lower severity level |
| --permit-port-sharing |
- | If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false] |
+ | If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false] |
| --policy-config-file string |
- | DEPRECATED: file with scheduler policy configuration. This file is used if policy ConfigMap is not provided or --use-legacy-policy-config=true. Note: The scheduler will fail if this is combined with Plugin configs |
+ | DEPRECATED: file with scheduler policy configuration. This file is used if policy ConfigMap is not provided or --use-legacy-policy-config=true. Note: The scheduler will fail if this is combined with Plugin configs |
| --policy-configmap string |
- | DEPRECATED: name of the ConfigMap object that contains scheduler's policy configuration. It must exist in the system namespace before scheduler initialization if --use-legacy-policy-config=false. The config must be provided as the value of an element in 'Data' map with the key='policy.cfg'. Note: The scheduler will fail if this is combined with Plugin configs |
+ | DEPRECATED: name of the ConfigMap object that contains scheduler's policy configuration. It must exist in the system namespace before scheduler initialization if --use-legacy-policy-config=false. The config must be provided as the value of an element in 'Data' map with the key='policy.cfg'. Note: The scheduler will fail if this is combined with Plugin configs |
| --policy-configmap-namespace string Default: "kube-system" |
- | DEPRECATED: the namespace where policy ConfigMap is located. The kube-system namespace will be used if this is not provided or is empty. Note: The scheduler will fail if this is combined with Plugin configs |
+ | DEPRECATED: the namespace where policy ConfigMap is located. The kube-system namespace will be used if this is not provided or is empty. Note: The scheduler will fail if this is combined with Plugin configs |
| --port int Default: 10251 |
- | DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve plain HTTP at all. See --secure-port instead. |
+ | DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve plain HTTP at all. See --secure-port instead. |
| --profiling Default: true |
- | DEPRECATED: enable profiling via web interface host:port/debug/pprof/ |
+ | DEPRECATED: enable profiling via web interface host:port/debug/pprof/ |
-| --requestheader-allowed-names stringSlice |
+--requestheader-allowed-names strings |
- | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
+ | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
| --requestheader-client-ca-file string |
- | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
+ | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
-| --requestheader-extra-headers-prefix stringSlice Default: [x-remote-extra-] |
+--requestheader-extra-headers-prefix strings Default: "x-remote-extra-" |
- | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
+ | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
-| --requestheader-group-headers stringSlice Default: [x-remote-group] |
+--requestheader-group-headers strings Default: "x-remote-group" |
- | List of request headers to inspect for groups. X-Remote-Group is suggested. |
+ | List of request headers to inspect for groups. X-Remote-Group is suggested. |
-| --requestheader-username-headers stringSlice Default: [x-remote-user] |
+--requestheader-username-headers strings Default: "x-remote-user" |
- | List of request headers to inspect for usernames. X-Remote-User is common. |
+ | List of request headers to inspect for usernames. X-Remote-User is common. |
| --scheduler-name string Default: "default-scheduler" |
- | DEPRECATED: name of the scheduler, used to select which pods will be processed by this scheduler, based on pod's "spec.schedulerName". |
+ | DEPRECATED: name of the scheduler, used to select which pods will be processed by this scheduler, based on pod's "spec.schedulerName". |
| --secure-port int Default: 10259 |
- | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
+ | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
| --show-hidden-metrics-for-version string |
- | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is <major>.<minor>, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
+ | The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is ., e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. |
| --skip-headers |
- | If true, avoid header prefixes in the log messages |
+ | If true, avoid header prefixes in the log messages |
| --skip-log-headers |
- | If true, avoid headers when opening log files |
+ | If true, avoid headers when opening log files |
-| --stderrthreshold severity Default: 2 |
+--stderrthreshold int Default: 2 |
- | logs at or above this threshold go to stderr |
+ | logs at or above this threshold go to stderr |
| --tls-cert-file string |
- | File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir. |
+ | File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir. |
-| --tls-cipher-suites stringSlice |
+--tls-cipher-suites strings |
- | Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. |
+ | Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. |
| --tls-min-version string |
- | Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 |
+ | Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 |
| --tls-private-key-file string |
- | File containing the default x509 private key matching --tls-cert-file. |
+ | File containing the default x509 private key matching --tls-cert-file. |
-| --tls-sni-cert-key namedCertKey Default: [] |
+--tls-sni-cert-key string |
- | A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". |
+ | A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". |
| --use-legacy-policy-config |
- | DEPRECATED: when set to true, scheduler will ignore policy ConfigMap and uses policy config file. Note: The scheduler will fail if this is combined with Plugin configs |
+ | DEPRECATED: when set to true, scheduler will ignore policy ConfigMap and uses policy config file. Note: The scheduler will fail if this is combined with Plugin configs |
-| -v, --v Level |
+-v, --v int |
- | number for the log level verbosity |
+ | number for the log level verbosity |
| --version version[=true] |
- | Print version information and quit |
+ | Print version information and quit |
-| --vmodule moduleSpec |
+--vmodule <comma-separated 'pattern=N' settings> |
- | comma-separated list of pattern=N settings for file-filtered logging |
+ | comma-separated list of pattern=N settings for file-filtered logging |
| --write-config-to string |
- | If set, write the configuration values to this file and exit. |
+ | If set, write the configuration values to this file and exit. |