Kubernetes version 1.12.1

Desc

The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.


/usr/bin/kube-controller-manager \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --allocate-node-cidrs=true \
  --service-cluster-ip-range=10.254.0.0/16 \
  --cluster-cidr=172.30.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --root-ca-file=/etc/kubernetes/ssl/ca.pem \
  --leader-elect=false \
  --log-dir=/var/log/kubernetes/kube-controller-manager \
  --v=2


kube-controller-manager startup flags explained

Usage:
  kube-controller-manager [flags]

Debugging flags:

  --contention-profiling
        Enable lock contention profiling, if profiling is enabled.
  --profiling
        Enable profiling via the web interface host:port/debug/pprof/.

Generic flags:

  --allocate-node-cidrs
        Whether CIDRs for Pods should be allocated and set on the cloud provider.
  --cidr-allocator-type string
        Type of CIDR allocator to use (default "RangeAllocator")
  --cloud-config string
        Path to the cloud provider configuration file. Empty string for no configuration file.
  --cloud-provider string
        The provider for cloud services. Empty string for no provider.
  --cluster-cidr string
        CIDR range for Pods in the cluster. Requires --allocate-node-cidrs to be true.
  --cluster-name string
        The instance prefix for the cluster (default "kubernetes")
  --configure-cloud-routes
        Whether CIDRs allocated by allocate-node-cidrs should be configured on the cloud provider (default true)
  --controller-start-interval duration
        Interval between starting controller managers.
  --controllers strings
        A list of controllers to enable. '*' enables all controllers (default), 'foo' enables the controller named foo, '-foo' disables the controller named foo.
        All controllers:
          attachdetach, bootstrapsigner, clusterrole-aggregation,
          cronjob, csrapproving, csrcleaner, csrsigning, daemonset,
          deployment, disruption, endpoint, garbagecollector,
          horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle,
          persistentvolume-binder, persistentvolume-expander, podgc, pv-protection,
          pvc-protection, replicaset, replicationcontroller,
          resourcequota, route, service, serviceaccount, serviceaccount-token,
          statefulset, tokencleaner, ttl, ttl-after-finished
  --feature-gates mapStringBool
        A set of key=value pairs that enable experimental features.
  --kube-api-burst int32
        Burst of requests allowed when talking to kube-apiserver (default 100)
  --kube-api-content-type string
        Content type of requests sent to kube-apiserver (default "application/vnd.kubernetes.protobuf")
  --kube-api-qps float32
        QPS to use while talking with kube-apiserver (default 50)
  --leader-elect
        Set to true when running multiple masters, so that a leader is elected and the deployment stays highly available.
  --leader-elect-lease-duration duration
        Only takes effect when leader-elect is true. The duration that non-leader candidates wait during an election before attempting to acquire leadership (default 15s)
  --leader-elect-renew-deadline duration
        The interval between attempts by the acting leader to renew leadership before it stops leading. Must be less than or equal to leader-elect-lease-duration; only takes effect when leader-elect is true (default 10s)
  --leader-elect-retry-period duration
        Only takes effect when leader-elect is true. The wait between attempts to acquire or renew leadership (default 2s)
  --min-resync-period duration
        The resync period; the actual value is chosen at random in [MinResyncPeriod, 2*MinResyncPeriod] (default 12h0m0s)
  --node-monitor-period duration
        The period for syncing NodeStatus in NodeController (default 5s)
  --route-reconciliation-period duration
        The period for reconciling routes created for nodes by the cloud provider (default 10s)
  --use-service-account-credentials
        If true, use an individual service account for each controller.


Service controller flags

  --concurrent-service-syncs int32
        The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load.


Secure serving flags

  --bind-address ip
        The IP address on which to listen for the --secure-port port (default 0.0.0.0)
  --cert-dir string
        The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag is ignored (default "/var/run/kubernetes")
  --http2-max-streams-per-connection int
        The limit the API server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
  --secure-port int
        The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all.
  --tls-cert-file string
        File containing the default x509 certificate for HTTPS (the CA certificate, if any, concatenated after the server certificate). If HTTPS serving is enabled and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
  --tls-cipher-suites strings
        Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites are used.
  --tls-min-version string
        Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12
  --tls-private-key-file string
        File containing the default x509 private key matching --tls-cert-file.
  --tls-sni-cert-key namedCertKey
        A pair of x509 certificate and private key file paths (default []) Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com"


Authentication flags

  --authentication-kubeconfig string
        kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io. If unset, all token requests are considered anonymous and no client CA is looked up in the cluster.
  --authentication-skip-lookup
        If false, the authentication-kubeconfig is used to look up missing authentication configuration from the cluster.
  --authentication-token-webhook-cache-ttl duration
        The duration to cache responses from the webhook token authenticator (default 10s)
  --client-ca-file string
        If set, requests that present a client certificate signed by one of the authorities in this file are authenticated, with the certificate's Common Name used as the request's username.
  --requestheader-allowed-names strings
        List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
  --requestheader-client-ca-file string
        Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.
  --requestheader-extra-headers-prefix strings
        List of request header prefixes to inspect. X-Remote-Extra- is suggested. (default [x-remote-extra-])
  --requestheader-group-headers strings
        List of request headers to inspect for groups. X-Remote-Group is suggested. (default [x-remote-group])
  --requestheader-username-headers strings
        List of request headers to inspect for usernames. X-Remote-User is common. (default [x-remote-user])


Authorization flags

  --authorization-always-allow-paths strings
        A list of HTTP paths to skip during authorization; these paths are authorized without contacting the 'core' kubernetes server (default [/healthz])
  --authorization-kubeconfig string
        kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional; if unset, all requests are forbidden.
  --authorization-webhook-cache-authorized-ttl duration
        The duration to cache 'authorized' responses from the webhook authorizer (default 10s)
  --authorization-webhook-cache-unauthorized-ttl duration
        The duration to cache 'unauthorized' responses from the webhook authorizer (default 10s)


Attachdetach controller flags

  --attach-detach-reconcile-sync-period duration
        The reconciler sync wait time between volume attach/detach. This duration must be larger than 1s; increasing the default may cause volumes to be mismatched with pods (default 1m0s)
  --disable-attach-detach-reconcile-sync
        Disable the volume attach/detach reconciler sync. Disabling this may cause volumes to be mismatched with pods.


Csrsigning controller flags

  --cluster-signing-cert-file string
        Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates (default "/etc/kubernetes/ca/ca.pem")
  --cluster-signing-key-file string
        Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates (default "/etc/kubernetes/ca/ca.key")
  --experimental-cluster-signing-duration duration
        The length of duration signed certificates will be given. (default 8760h0m0s)


Deployment controller flags

  --concurrent-deployment-syncs int32
        The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployment management, but more CPU (and network) load (default 5)
  --deployment-controller-sync-period duration
        Period for syncing deployments (default 30s)


Endpoint controller flags

  --concurrent-endpoint-syncs int32
        The number of endpoint syncing operations done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load (default 5)


Garbagecollector controller flags

  --concurrent-gc-syncs int32
        The number of garbage collector workers that are allowed to sync concurrently (default 20)
  --enable-garbage-collector
        Enables the generic garbage collector. Must be synced with the corresponding flag of kube-apiserver (default true)


Horizontalpodautoscaling controller flags

  --horizontal-pod-autoscaler-cpu-initialization-period duration
        The period after pod start during which CPU samples might be skipped (default 5m0s)
  --horizontal-pod-autoscaler-downscale-stabilization duration
        The period for which the autoscaler will look backwards and not scale down below any recommendation it made during that period (default 5m0s)
  --horizontal-pod-autoscaler-initial-readiness-delay duration
        The period after pod start during which readiness changes will be treated as initial readiness (default 30s)
  --horizontal-pod-autoscaler-sync-period duration
        The period for syncing the number of pods in horizontal pod autoscaler. (default 15s)
  --horizontal-pod-autoscaler-tolerance float
        The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. (default 0.1)


Namespace controller flags

  --concurrent-namespace-syncs int32
        The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load (default 10)
  --namespace-sync-period duration
        The period for syncing namespace life-cycle updates (default 5m0s)


Nodeipam controller flags

  --node-cidr-mask-size int32
        Mask size for node CIDRs in the cluster (default 24)
  --service-cluster-ip-range string
        CIDR range for Services in the cluster. Requires --allocate-node-cidrs to be true.


Nodelifecycle controller flags:

  --enable-taint-manager
        If set to true, enables NoExecute Taints and evicts all non-tolerating pods running on nodes that carry such a taint (default true)
  --large-cluster-size-threshold int32
        Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller (default 50)
  --node-eviction-rate float32
        Rate at which pods are deleted from failed nodes when the zone is healthy (default 0.1)
  --node-monitor-grace-period duration
        Amount of time a running node may be unresponsive before it is marked unhealthy. Must be N times the kubelet's nodeStatusUpdateFrequency, where N is the number of retries allowed for the kubelet to post node status (default 40s)
  --node-startup-grace-period duration
        Amount of time a starting node may be unresponsive before it is marked unhealthy (default 1m0s)
  --pod-eviction-timeout duration
        The grace period for deleting pods on failed nodes (default 5m0s)
  --secondary-node-eviction-rate float32
        Rate at which pods are deleted from failed nodes when the zone is unhealthy. Implicitly overridden to 0 if the cluster size is smaller than large-cluster-size-threshold (default 0.01)
  --unhealthy-zone-threshold float32
        Fraction of nodes in a zone that must be not ready (at least 3) for the zone to be treated as unhealthy (default 0.55)


Persistentvolume-binder controller flags

  --enable-dynamic-provisioning
        Enable dynamic provisioning for environments that support it (default true)
  --enable-hostpath-provisioner
        Enable HostPath PV provisioning when running without a cloud provider. This is mainly for testing and development of provisioning features; HostPath provisioning does not work in a multi-node cluster.
  --flex-volume-plugin-dir string
        Directory in which to search for third-party volume plugins (default "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/")
  --pv-recycler-increment-timeout-nfs int32
        The increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod (default 30)
  --pv-recycler-minimum-timeout-hostpath int32
        The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. For development and testing only; does not work in a multi-node cluster (default 60)
  --pv-recycler-minimum-timeout-nfs int32
        The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod (default 300)
  --pv-recycler-pod-template-filepath-hostpath string
        The file path to a pod definition used as a template for HostPath persistent volume recycling. For development and testing only; does not work in a multi-node cluster.
  --pv-recycler-timeout-increment-hostpath int32
        The increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. For development and testing only; does not work in a multi-node cluster (default 30)
  --pvclaimbinder-sync-period duration
        The period for syncing persistent volumes and persistent volume claims (default 15s)


Podgc controller flags

  --terminated-pod-gc-threshold int32
        Number of terminated pods that can exist before the pod garbage collector starts deleting terminated pods. If <= 0, the pod garbage collector is disabled (default 12500)


Replicaset controller flags

  --concurrent-replicaset-syncs int32
        The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5)


Replicationcontroller flags

  --concurrent_rc_syncs int32
        The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5)


Resourcequota controller flags

  --concurrent-resource-quota-syncs int32
        The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load (default 5)
  --resource-quota-sync-period duration
        The period for syncing quota usage status in the system (default 5m0s)


Serviceaccount controller flags

  --concurrent-serviceaccount-token-syncs int32
        The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load (default 5)
  --root-ca-file string
        Path to the root CA certificate file. If set, this CA is included in each service account's token secret.
  --service-account-private-key-file string
        Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.


Ttl-after-finished controller flags

  --concurrent-ttl-after-finished-syncs int32
        The number of TTL-after-finished controller workers that are allowed to sync concurrently. (default 5)


Misc flags

  --insecure-experimental-approve-all-kubelet-csrs-for-group string
        This flag does nothing.
  --kubeconfig string
        Path to the kubeconfig file, which carries authentication and master location information.
  --master string
        The address of the Kubernetes API server (overrides any value in kubeconfig).
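The serving, authentication and service-account flags above are the ones a reviewer checks first on a controller-manager command line. The following added example (not code from the page or from Kubernetes) parses an argv in the form of the sample invocation at the top and reports the weak settings; the defaults it assumes for absent flags (profiling on, bind-address 0.0.0.0, use-service-account-credentials off) and its rules are assumptions modelled on the descriptions in this reference.

```python
"""Audit a kube-controller-manager command line for weak settings (added example)."""

# Constructed sample argv, mirroring the invocation at the top of this page.
SAMPLE_ARGV = [
    "/usr/bin/kube-controller-manager",
    "--address=127.0.0.1",
    "--master=http://127.0.0.1:8080",
    "--allocate-node-cidrs=true",
    "--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem",
    "--root-ca-file=/etc/kubernetes/ssl/ca.pem",
    "--leader-elect=false",
    "--v", "2",  # the space-separated form is accepted as well
]


def parse_flags(argv):
    """Map --name=value and --name value to {name: value}; a bare --name means 'true'."""
    flags, i = {}, 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep:
                nxt = argv[i + 1] if i + 1 < len(argv) else None
                if nxt is not None and not nxt.startswith("--"):
                    value, i = nxt, i + 1
                else:
                    value = "true"
            flags[name] = value
        i += 1
    return flags


def audit(flags):
    """Return (flag, problem) pairs. Defaults assumed for absent flags are marked below."""
    findings = []
    if flags.get("master", "").startswith("http://"):
        findings.append(("master", "plaintext connection to the API server; use https and a kubeconfig"))
    if flags.get("profiling", "true") != "false":  # assumed default: profiling enabled
        findings.append(("profiling", "/debug/pprof exposed on the serving port; set --profiling=false"))
    if flags.get("use-service-account-credentials", "false") != "true":  # assumed default: false
        findings.append(("use-service-account-credentials", "all controllers share one identity; set to true"))
    for name in ("service-account-private-key-file", "root-ca-file"):
        if not flags.get(name):
            findings.append((name, "not set; pin the service-account signing key and root CA explicitly"))
    if flags.get("bind-address", "0.0.0.0") != "127.0.0.1":  # default listens on all interfaces
        findings.append(("bind-address", "secure port reachable from every interface; bind to 127.0.0.1"))
    if flags.get("tls-min-version", "") != "VersionTLS12":
        findings.append(("tls-min-version", "not pinned to VersionTLS12"))
    return findings


if __name__ == "__main__":
    for flag, problem in audit(parse_flags(SAMPLE_ARGV)):
        print(f"--{flag}: {problem}")
```

Run against the sample invocation it reports five findings: master, profiling, use-service-account-credentials, bind-address and tls-min-version.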