本文深入解析了Kubernetes控制器管理器的各个启动参数及其功能,涵盖了从基础控制循环到高级资源管理的各种控制器,如副本控制器、服务账户控制器等,是理解Kubernetes内部运作的关键。
kubernetes 1.12.1版本
Desc
The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a ontroller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller.
/usr/bin/kube-controller-manager \
--address=127.0.0.1 \
--master=http://127.0.0.1:8080 \
--allocate-node-cidrs=true \
--service-cluster-ip-range=10.254.0.0/16 \
--cluster-cidr=172.30.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--leader-elect=false \
--log-dir=/var/log/kubernetes/kube-controller-manager \
--v=2
kube-controller-manager启动参数详解
Usage:
kube-controller-manager [flags]
Debugging flags:
|
参数 |
描述 |
| --contention-profiling | 启用了 profiling,则启用锁争用性分析 |
| --profiling | 开启profilling,通过web接口host:port/debug/pprof/分析性能 |
Generic flags:
| 参数 | 描述 |
| --allocate-node-cidrs | 是否应在云提供商上分配和设置Pod的CIDR |
| --cidr-allocator-type string | CIDR分配器的类型 (default "RangeAllocator") |
| --cloud-config string | 云提供商配置文件路径,空代表没有配置文件 |
| --cloud-provider string | 云提供商,空代表没有云提供商 |
| --cluster-cidr string | 集群中Pod的CIDR范围,要求--allocate-node-cidrs为true |
| --cluster-name string | 集群的实例前缀(default "kubernetes") |
| --configure-cloud-routes | 是否在云提供商上配置allocate-node-cidrs分配的CIDR(default true) |
| --controller-start-interval duration | 启动controller manager的间隔时间 |
| --controllers strings |
需要开启的controller列表,*代表开启所有(默认),‘foo’代表开启foo controller,‘-foo’代表禁止foo controller 所有的controller如下:
|
| --feature-gates mapStringBool | key = value对,用于试验 |
| --kube-api-burst int32 | 发送到kube-apiserver每秒请求量 (default 100) |
| --kube-api-content-type string | 发送到kube-apiserver请求内容类型(default "application/vnd.kubernetes.protobuf") |
| --kube-api-qps float32 | 与kube-apiserver通信的qps(default 50) |
| --leader-elect | 多个master情况设置为true保证高可用,进行leader选举 |
| --leader-elect-lease-duration duration | 当leader-elect设置为true生效,选举过程中非leader候选等待选举的时间间隔(default 15s) |
| --leader-elect-renew-deadline duration | eader选举过程中在停止leading,再次renew时间间隔,小于或者等于leader-elect-lease-duration duration,也是leader-elect设置为true生效(default 10s) |
| --leader-elect-retry-period duration | 当leader-elect设置为true生效,获取leader或者重新选举的等待间隔(default 2s) |
| --min-resync-period duration | 重新同步周期,在 [MinResyncPeriod-2 * MinResyncPeriod]间取随机值(default 12h0m0s) |
| --node-monitor-period duration | NodeController同步NodeStatus的时间间隔(default 5s) |
| --route-reconciliation-period duration | 协调由云提供商为节点创建的路由的时间间隔 (default 10s) |
| --use-service-account-credentials | 设置true为每个控制器使用单个service account |
Service controller flags
| 参数 | 描述 |
| --concurrent-service-syncs int32 | 允许同时同步的 service 数量。 数字越大=服务管理响应越快,但消耗更多 CPU 和网络资源 |
Secure serving flags
| 参数 | 描述 |
| --bind-address ip | 监听--secure-port端口的IP地址(default 0.0.0.0) |
| -cert-dir string | TLS证书所在的目录。如果提供了--tls-cert-file和--tls-private-key-file,则将忽略此标志(default "/var/run/kubernetes") |
| --http2-max-streams-per-connection int | api server 提供给 client 的HTTP / 2最大 stream 连接数。0 用golang的默认值 |
| --secure-port int | 使用身份验证和授权提供服务的HTTPS端口。0禁用HTTPS |
| --tls-cert-file string |
文件包含HTTPS的默认x509证书的文件。 (如果有CA证书,在服务器证书之后级联)。如果启用了HTTPS服务,但是 --tls-cert-file和--tls-private-key-file 未设置,则会为公共地址生成自签名证书和密钥,并将其保存到--cert-dir的目录中 |
| --tls-cipher-suites strings | 逗号分隔的cipher suites列表。如果省略则使用默认的Go cipher suites |
| --tls-min-version string | 支持最低TLS版本。 主要有:VersionTLS10,VersionTLS11,VersionTLS12 |
| --tls-private-key-file string | 文件包括与 --tls-cert-file 匹配的默认x509私钥 |
| --tls-sni-cert-key namedCertKey | x509证书和私钥对的文件路径(default []) Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com" |
Authentication flags
| 参数 | 描述 |
| --authentication-kubeconfig string | kubeconfig文件指向有权力创建tokenaccessreviews.authentication.k8s.io的核心kubernetes server,如果未设置所有的token请求被视为匿名的,在集群中也不查找client CA |
| --authentication-skip-lookup | 如果设置false,authentication-kubeconfig用来在集群中查找缺失的authentication配置 |
| --authentication-token-webhook-cache-ttl duration | 来自webhook token验证器的缓存响应时间 (default 10s) |
| --client-ca-file string | 如果设置任何请求必须提供其中一个客户端证书签名。则用其中的 Common Name 作为请求的用户名验证 |
| --requestheader-allowed-names strings | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
| --requestheader-client-ca-file string | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
| --requestheader-extra-headers-prefix strings | List of request header prefixes to inspect. X-Remote-Extra- is suggested. (default [x-remote-extra-]) |
| --requestheader-group-headers strings | List of request headers to inspect for groups. X-Remote-Group is suggested. (default [x-remote-group]) |
| --requestheader-username-headers strings | List of request headers to inspect for usernames. X-Remote-User is common. (default [x-remote-user]) |
Authorization flags
| 参数 | 描述 |
| --authorization-always-allow-paths strings | 授权期间要跳过的HTTP路径列表,这些路径是经过授权、无须与'核心'kubernetes服务通信(default [/healthz]) |
| --authorization-kubeconfig string | kubeconfig指向核心的kubernetes服务拥有足够的权力来创建subjectaccessreviews.authorization.k8s.io,也是可选项,如果未设置,则所有请求将被禁止 |
| --authorization-webhook-cache-authorized-ttl duration | 从webhook授权器对于cache验证响应时间(default 10s) |
| --authorization-webhook-cache-unauthorized-ttl duration | 从webhook授权器对于cache验证未响应时间(default 10s) |
Attachdetach controller flags
| 参数 | 描述 |
| --attach-detach-reconcile-sync-period duration | 在volume attach detach调整同步等待时间,时间间隔必须大于1s,增加默认值可能导致volume与pod不匹配(default 1m0s) |
| --disable-attach-detach-reconcile-sync | 禁止volume attach detach 调整同步,禁用此功能可能会导致卷与 pod 不匹配 |
Csrsigning controller flags
| 参数 | 描述 |
| --cluster-signing-cert-file string | Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates (default "/etc/kubernetes/ca/ca.pem") |
| --cluster-signing-key-file string | Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates (default "/etc/kubernetes/ca/ca.key") |
| --experimental-cluster-signing-duration duration | The length of duration signed certificates will be given. (default 8760h0m0s) |
Deployment controller flags
| 参数 | 描述 |
| --concurrent-deployment-syncs int32 | 允许同时同步的deployment对象的数量,部署数量越大需要的CPU网络load也多(default 5) |
| --deployment-controller-sync-period duration | 同步deployment的周期(default 30s) |
Endpoint controller flags
| 参数 | 描述 |
| --concurrent-endpoint-syncs int32 | 同时同步endpoint的数量,也是数量越多需要越多的CPU和network(default 5) |
Garbagecollector controller flags
| 参数 |
描述 |
| --concurrent-gc-syncs int32 | 允许同时同步的garbage collector workers数量(default 20) |
| --enable-garbage-collector | 启用通用垃圾收集器,必须与kube-apiserver的相应参数一起使用(default true) |
Horizontalpodautoscaling controller flags
| 参数 | 描述 |
| --horizontal-pod-autoscaler-cpu-initialization-period duration | 当CPU samples略过,在pod启动之后的周期(default 5m0s) |
| --horizontal-pod-autoscaler-downscale-stabilization duration | The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period(default 5m0s) |
| --horizontal-pod-autoscaler-initial-readiness-delay duration | The period after pod start during which readiness changes will be treated as initial readiness(default 30s) |
| --horizontal-pod-autoscaler-sync-period duration | The period for syncing the number of pods in horizontal pod autoscaler. (default 15s) |
| --horizontal-pod-autoscaler-tolerance float | The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. (default 0.1) |
Namespace controller flags
| 参数 |
描述 |
| --concurrent-namespace-syncs int32 | The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load (default 10) |
| --namespace-sync-period duration | 同步namespace生命周期更新的周期(default 5m0s) |
Nodeipam controller flags
| 参数 | 描述 |
| --node-cidr-mask-size int32 | 集群中节点子网掩码打小(default 24) |
| --service-cluster-ip-range string | 集群service的cidr范围,需要--allocate-node-cidrs设置为true |
Nodelifecycle controller flags:
| 参数 | 描述 |
| --enable-taint-manager | 如果设置为true则开启NoExecute Taints,将驱逐所有节点上(拥有这种污点的节点)不容忍运行pod (default true) |
| --large-cluster-size-threshold int32 | Number of nodes from which NodeController treats the cluster as large for the eviction logic purposes. --secondary-node-eviction-rate is implicitly overridden to 0 for clusters this size or smaller(default 50) |
| --node-eviction-rate float32 | 当zone健康node失败情况,删除节点上的pod的速率 (default 0.1) |
| --node-monitor-grace-period duration | 在标记节点不健康之前,允许运行节点不响应的时间,必须是n倍的kubelet's nodeStatusUpdateFrequency,N意味着kubelet报告node状态重试的次数(default 40s) |
| --node-startup-grace-period duration | 在标记节点不健康之前,允许开始节点不响应的时间 (default 1m0s) |
| --pod-eviction-timeout duration | 在失败的节点上删除pod的宽限时间 (default 5m0s) |
| --secondary-node-eviction-rate float32 | 当zone不健康node失败情况,删除节点上的pod的速率,如果集群大小小于 large-cluster-size-threshold,则隐式地将设置为0。(default 0.01) |
| --unhealthy-zone-threshold float32 | not ready 节点(至少3个)的比例达到该值时,将 Zone 标记为不健康 (default 0.55) |
Persistentvolume-binder controller flags
| 参数 | 描述 |
| --enable-dynamic-provisioning | 为支持它的环境启用动态配置 (default true) |
| --enable-hostpath-provisioner | 当没有云提供商运行时开启host path pv配置,这主要适合测试以及开发配置features,host path配置不支持多点集群 |
| --flex-volume-plugin-dir string | 第三方插件路径 (default "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/") |
| --pv-recycler-increment-timeout-nfs int32 | NFS scrubber pod添加每Gi到ActiveDeadlineSeconds的时间增量(default 30) |
| --pv-recycler-minimum-timeout-hostpath int32 | 对于HostPath Recycler pod的最小ActiveDeadlineSeconds,仅使用于测试于开发,不使用于多几点集群 (default 60) |
| --pv-recycler-minimum-timeout-nfs int32 | 对于NFS Recycler pod的最小ActiveDeadlineSeconds (default 300) |
| --pv-recycler-pod-template-filepath-hostpath string | 对于hostpaht持久卷重使用定义的模板路径,仅使用于测试于开发,不使用于多几点集群 |
| --pv-recycler-timeout-increment-hostpath int32 | 对于HostPath scrubber pod每增加Gi到ActiveDeadlineSeconds的时间增量,仅使用于测试于开发,不使用于多几点集群 (default 30) |
| --pvclaimbinder-sync-period duration | 同步pv以及pvc的周期 (default 15s) |
Podgc controller flags
| 参数 | 描述 |
| --terminated-pod-gc-threshold int32 | 当终止的pod达到该值时,pod garbage collector开始删除终止pod,如果设置<=0,关闭pod garbage collector (default 12500) |
Replicaset controller flags
| 参数 | 描述 |
| --concurrent-replicaset-syncs int32 | 允许同时同步的rs数量,Larger number = more responsive replica management, but more CPU (and network) load (default 5) |
Replicationcontroller flags
| 参数 | 描述 |
| --concurrent_rc_syncs int32 | The number of replication controllers that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load (default 5) |
Resourcequota controller flags
| 参数 | 描述 |
| --concurrent-resource-quota-syncs int32 | The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load (default 5) |
| --resource-quota-sync-period duration | 在系统中同步配额使用状态的周期 (default 5m0s) |
Serviceaccount controller flags
| 参数 | 描述 |
| --concurrent-serviceaccount-token-syncs int32 | The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load (default 5) |
| --root-ca-file string | 根CA 证书文件路径,如果设置的话将被用于 Service Account 的 token secret 中 |
| --service-account-private-key-file string | Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens |
Ttl-after-finished controller flags
| 参数 | 描述 |
| --concurrent-ttl-after-finished-syncs int32 | The number of TTL-after-finished controller workers that are allowed to sync concurrently. (default 5) |
Misc flags
| 参数 | 描述 |
| --insecure-experimental-approve-all-kubelet-csrs-for-group string | This flag does nothing. |
| --kubeconfig string | kubeconfig文件路径,带有验证以及master信息 |
| --master string | kubernetes api server的地址,将会覆盖kubeconfig设置的值 |
扫一扫
18
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
