The Cloud controller manager is a daemon that embeds the cloud-specific control loops shipped with Kubernetes.
cloud-controller-manager [flags]
--address ip Default: 0.0.0.0
DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead.
--allocate-node-cidrs
Should CIDRs for Pods be allocated and set on the cloud provider.
--azure-container-registry-config string
Path to the file containing Azure container registry configuration information.
--bind-address ip Default: 0.0.0.0
The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).
--cert-dir string Default: "/var/run/kubernetes"
The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.
--cidr-allocator-type string Default: "RangeAllocator"
Type of CIDR allocator to use
--cloud-config string
The path to the cloud provider configuration file. Empty string for no configuration file.
--cloud-provider string
The provider for cloud services. Empty string for no provider.
--cluster-cidr string
CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true
--cluster-name string Default: "kubernetes"
The instance prefix for the cluster.
--concurrent-service-syncs int32 Default: 1
The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load
--configure-cloud-routes Default: true
Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.
--contention-profiling
Enable lock contention profiling, if profiling is enabled
--controller-start-interval duration
Interval between starting controller managers.
--feature-gates mapStringBool
A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIResponseCompression=true|false (ALPHA - default=false)
AdvancedAuditing=true|false (BETA - default=true)
AllAlpha=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
AttachVolumeLimit=true|false (ALPHA - default=false)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BlockVolume=true|false (ALPHA - default=false)
CPUManager=true|false (BETA - default=true)
CRIContainerLogRotation=true|false (BETA - default=true)
CSIBlockVolume=true|false (ALPHA - default=false)
CSIPersistentVolume=true|false (BETA - default=true)
CustomPodDNS=true|false (BETA - default=true)
CustomResourceSubresources=true|false (BETA - default=true)
CustomResourceValidation=true|false (BETA - default=true)
DebugContainers=true|false (ALPHA - default=false)
DevicePlugins=true|false (BETA - default=true)
DynamicKubeletConfig=true|false (BETA - default=true)
DynamicProvisioningScheduling=true|false (ALPHA - default=false)
EnableEquivalenceClassCache=true|false (ALPHA - default=false)
ExpandInUsePersistentVolumes=true|false (ALPHA - default=false)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GCERegionalPersistentDisk=true|false (BETA - default=true)
HugePages=true|false (BETA - default=true)
HyperVContainer=true|false (ALPHA - default=false)
Initializers=true|false (ALPHA - default=false)
KubeletPluginsWatcher=true|false (ALPHA - default=false)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
MountContainers=true|false (ALPHA - default=false)
MountPropagation=true|false (BETA - default=true)
PersistentLocalVolumes=true|false (BETA - default=true)
PodPriority=true|false (BETA - default=true)
PodReadinessGates=true|false (BETA - default=false)
PodShareProcessNamespace=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
ReadOnlyAPIDataVolumes=true|false (DEPRECATED - default=true)
ResourceLimitsPriorityFunction=true|false (ALPHA - default=false)
ResourceQuotaScopeSelectors=true|false (ALPHA - default=false)
RotateKubeletClientCertificate=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (ALPHA - default=false)
RunAsGroup=true|false (ALPHA - default=false)
ScheduleDaemonSetPods=true|false (ALPHA - default=false)
ServiceNodeExclusion=true|false (ALPHA - default=false)
ServiceProxyAllowExternalIPs=true|false (DEPRECATED - default=false)
StorageObjectInUseProtection=true|false (default=true)
StreamingProxyRedirects=true|false (BETA - default=true)
SupportIPVSProxyMode=true|false (default=true)
SupportPodPidsLimit=true|false (ALPHA - default=false)
Sysctls=true|false (BETA - default=true)
TaintBasedEvictions=true|false (ALPHA - default=false)
TaintNodesByCondition=true|false (ALPHA - default=false)
TokenRequest=true|false (ALPHA - default=false)
TokenRequestProjection=true|false (ALPHA - default=false)
VolumeScheduling=true|false (BETA - default=true)
VolumeSubpath=true|false (default=true)
VolumeSubpathEnvExpansion=true|false (ALPHA - default=false)
-h, --help
help for cloud-controller-manager
--http2-max-streams-per-connection int
The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
--kube-api-burst int32 Default: 30
Burst to use while talking with kubernetes apiserver.
--kube-api-content-type string Default: "application/vnd.kubernetes.protobuf"
Content type of requests sent to apiserver.
--kube-api-qps float32 Default: 20
QPS to use while talking with kubernetes apiserver.
--kubeconfig string
Path to kubeconfig file with authorization and master location information.
--leader-elect Default: true
Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.
--leader-elect-lease-duration duration Default: 15s
The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.
--leader-elect-renew-deadline duration Default: 10s
The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.
--leader-elect-resource-lock endpoints Default: "endpoints"
The type of resource object that is used for locking during leader election. Supported options are endpoints (default) and configmaps.
--leader-elect-retry-period duration Default: 2s
The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
--log-flush-frequency duration Default: 5s
Maximum number of seconds between log flushes
--master string
The address of the Kubernetes API server (overrides any value in kubeconfig).
--min-resync-period duration Default: 12h0m0s
The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod.
--node-monitor-period duration Default: 5s
The period for syncing NodeStatus in NodeController.
--node-status-update-frequency duration Default: 5m0s
Specifies how often the controller updates nodes' status.
--port int Default: 10253
DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTP at all. See --secure-port instead.
--profiling
Enable profiling via web interface host:port/debug/pprof/
--route-reconciliation-period duration Default: 10s
The period for reconciling routes created for Nodes by cloud provider.
--secure-port int
The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all.
--tls-cert-file string
File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
--tls-cipher-suites stringSlice
Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
--tls-min-version string
Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12
--tls-private-key-file string
File containing the default x509 private key matching --tls-cert-file.
--tls-sni-cert-key namedCertKey Default: []
A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
--use-service-account-credentials
If true, use individual service account credentials for each controller.
--version version[=true]
Print version information and quit
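
The following is an added example, not part of the upstream reference: a POSIX shell function that audits a cloud-controller-manager argument list against the serving flags documented above (--port, --tls-min-version, --tls-cipher-suites, --profiling). The function name `audit_ccm_flags` and the sample arguments are hypothetical; it assumes flags are written in `--flag=value` form and treats an absent --profiling as off because the page lists no default for it.

```sh
# Added example: print one finding per line for risky serving flags.
# The body runs in a subshell "( ... )" so IFS and set -f stay local.
audit_ccm_flags() (
  port=10253            # documented default of the deprecated --port
  min_tls="" suites="" profiling=false
  for arg in "$@"; do
    case "$arg" in
      --port=*)                     port=${arg#*=} ;;
      --tls-min-version=*)          min_tls=${arg#*=} ;;
      --tls-cipher-suites=*)        suites=${arg#*=} ;;
      --profiling|--profiling=true) profiling=true ;;
      --profiling=false)            profiling=false ;;
    esac
  done

  if [ "$port" != 0 ]; then
    echo "insecure-port: --port=$port serves HTTP without authentication and authorization; set --port=0"
  fi
  case "$min_tls" in
    VersionTLS10|VersionTLS11)
      echo "tls-min-version: $min_tls allows versions older than TLS 1.2; use VersionTLS12" ;;
  esac
  set -f                # no globbing while splitting the suite list
  IFS=,
  for suite in $suites; do
    case "$suite" in
      *_RC4_*|*_3DES_*)
        echo "tls-cipher-suites: $suite uses RC4 or 3DES; remove it from the list" ;;
    esac
  done
  if [ "$profiling" = true ]; then
    echo "profiling: --profiling exposes /debug/pprof/ on the serving port; disable it unless needed"
  fi
)

# Constructed sample arguments (not taken from a real cluster).
audit_ccm_flags --cloud-provider=example --port=10253 \
  --tls-min-version=VersionTLS10 \
  --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA
```

An argument list that sets --port=0, --tls-min-version=VersionTLS12 and only AES-GCM or ChaCha20 suites produces no output.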