kubernetes
[!TIP]
On kubernetes.io, add `/_print` as a suffix to the URL of a documentation section to render all of its pages as a single page.
[!TIP]
`/etc/kubernetes/manifests` is the path where kubelet looks for static Pod manifests. Names of the static Pod manifests are:

- `etcd.yaml`
- `kube-apiserver.yaml`
- `kube-controller-manager.yaml`
- `kube-scheduler.yaml`
[!TIP]
`/etc/kubernetes/` is the path where kubeconfig files with identities for control plane components are stored. Names of the kubeconfig files are:

- `kubelet.conf` (`bootstrap-kubelet.conf` during TLS bootstrap)
- `controller-manager.conf`
- `scheduler.conf`
- `admin.conf` for the cluster admin and kubeadm itself
[!TIP]
Certificates and keys generated by kubeadm (stored under `/etc/kubernetes/pki`):

- `ca.crt`, `ca.key` for the Kubernetes certificate authority
- `apiserver.crt`, `apiserver.key` for the API server certificate
- `apiserver-kubelet-client.crt`, `apiserver-kubelet-client.key` for the client certificate used by the API server to connect to the kubelets securely
- `sa.pub`, `sa.key` for the key used by the controller manager when signing ServiceAccount tokens
- `front-proxy-ca.crt`, `front-proxy-ca.key` for the front proxy certificate authority
- `front-proxy-client.crt`, `front-proxy-client.key` for the front proxy client
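Every file listed in the two tips above is a credential: the kubeconfigs carry client identities and the `.key` files are the private halves of the cluster's trust roots, so their file modes are worth auditing on each control-plane node. The following is an added example, not kubeadm's own tooling. It assumes the default kubeadm layout just described (kubeconfigs directly under `/etc/kubernetes`, key material under `/etc/kubernetes/pki`); the mode policy it enforces (0600 for kubeconfigs and private keys, at most 0644 for public certificates) is this example's assumption, and the sample tree it builds is constructed so the script runs offline.

```python
"""Audit file modes of the kubeconfig files and PKI material that kubeadm writes.

Added example, not kubeadm's own tooling. Assumes the default kubeadm layout
(kubeconfigs under <root>, key material under <root>/pki) on a control-plane
node. The policy below is the example's assumption, not stated by the notes.
"""
import os
import stat
import tempfile

# Files named in the notes above, grouped by how sensitive their contents are.
KUBECONFIGS = ["admin.conf", "kubelet.conf", "controller-manager.conf", "scheduler.conf"]
PRIVATE_KEYS = ["ca.key", "apiserver.key", "apiserver-kubelet-client.key",
                "sa.key", "front-proxy-ca.key", "front-proxy-client.key"]
PUBLIC_FILES = ["ca.crt", "apiserver.crt", "apiserver-kubelet-client.crt",
                "sa.pub", "front-proxy-ca.crt", "front-proxy-client.crt"]


def policy():
    """(relative path, most permissive acceptable mode) for every file in the layout."""
    rules = [(name, 0o600) for name in KUBECONFIGS]
    rules += [(f"pki/{name}", 0o600) for name in PRIVATE_KEYS]
    rules += [(f"pki/{name}", 0o644) for name in PUBLIC_FILES]
    return rules


def audit_tree(root):
    """Return (relative path, finding) pairs; an empty list means the tree is clean."""
    findings = []
    for rel, max_mode in policy():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            findings.append((rel, "missing"))
        elif os.path.islink(path):
            # A symlink could point outside the tree; report rather than follow it.
            findings.append((rel, "is a symlink"))
        else:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & ~max_mode:  # any permission bit beyond the allowed set
                findings.append((rel, f"mode {mode:04o} exceeds {max_mode:04o}"))
    return findings


def tighten(root):
    """Clamp every regular file in the layout to its policy mode; return how many changed."""
    changed = 0
    for rel, max_mode in policy():
        path = os.path.join(root, rel)
        if os.path.isfile(path) and not os.path.islink(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & ~max_mode:
                os.chmod(path, mode & max_mode)
                changed += 1
    return changed


def make_sample_tree():
    """Constructed fixture: a kubeadm-like tree with two deliberately loose modes."""
    root = tempfile.mkdtemp(prefix="k8s-audit-")
    os.mkdir(os.path.join(root, "pki"))
    for rel, max_mode in policy():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")  # constructed content, not real key material
        os.chmod(path, max_mode)
    os.chmod(os.path.join(root, "admin.conf"), 0o644)     # kubeconfig readable by everyone
    os.chmod(os.path.join(root, "pki", "ca.key"), 0o640)  # CA key readable by its group
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for rel, finding in audit_tree(sample):
        print(f"{rel}: {finding}")
    print(f"tightened {tighten(sample)} file(s); remaining findings: {audit_tree(sample)}")
```

Run it against a real node with `audit_tree("/etc/kubernetes")` as root; `missing` findings are expected on worker nodes, which carry only `kubelet.conf` and the CA certificate.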
[!TIP]
Flags kubeadm sets in the `kube-apiserver` static Pod manifest:

- `apiserver-advertise-address` and `apiserver-bind-port` to bind to; if not provided, those values default to the IP address of the default network interface on the machine and port `6443`
- `service-cluster-ip-range` to use for services
- If an external etcd server is specified, the `etcd-servers` address and related TLS settings (`etcd-cafile`, `etcd-certfile`, `etcd-keyfile`); if an external etcd server is not provided, a local etcd is used (via host network)
- If a cloud provider is specified, the corresponding `--cloud-provider` is configured, together with the `--cloud-config` path if such a file exists (this is experimental, alpha and will be removed in a future version)
- `--insecure-port=0` to avoid insecure connections to the API server
- `--enable-bootstrap-token-auth=true` to enable the BootstrapTokenAuthenticator authentication module. See TLS Bootstrapping for more details
- `--allow-privileged` to true (required e.g. by kube-proxy)
- `--requestheader-client-ca-file` to `front-proxy-ca.crt`
- `--enable-admission-plugins` to:
  - `NamespaceLifecycle`, e.g. to avoid deletion of system reserved namespaces
  - `LimitRanger` and `ResourceQuota` to enforce limits on namespaces
  - `ServiceAccount` to enforce service account automation
  - `PersistentVolumeLabel` attaches region or zone labels to PersistentVolumes as defined by the cloud provider (this admission controller is deprecated and will be removed in a future version. It is not deployed by kubeadm by default from v1.9 onwards when not explicitly opting into using gce or aws as cloud providers)
  - `DefaultStorageClass` to enforce default storage class on PersistentVolumeClaim objects
  - `DefaultTolerationSeconds`
  - `NodeRestriction` to limit what a kubelet can modify (e.g. only pods on this node)
- `--kubelet-preferred-address-types` to `InternalIP,ExternalIP,Hostname`; this makes `kubectl logs` and other API server-kubelet communication work in environments where the hostnames of the nodes aren't resolvable
- Flags for using certificates generated in previous steps:
  - `--client-ca-file` to `ca.crt`
  - `--tls-cert-file` to `apiserver.crt`
  - `--tls-private-key-file` to `apiserver.key`
  - `--kubelet-client-certificate` to `apiserver-kubelet-client.crt`
  - `--kubelet-client-key` to `apiserver-kubelet-client.key`
  - `--service-account-key-file` to `sa.pub`
  - `--requestheader-client-ca-file` to `front-proxy-ca.crt`
  - `--proxy-client-cert-file` to `front-proxy-client.crt`
  - `--proxy-client-key-file` to `front-proxy-client.key`
- Other flags for securing the front proxy (API Aggregation) communications:
  - `--requestheader-username-headers=X-Remote-User`
  - `--requestheader-group-headers=X-Remote-Group`
  - `--requestheader-extra-headers-prefix=X-Remote-Extra-`
  - `--requestheader-allowed-names=front-proxy-client`
[!TIP]
Flags kubeadm sets in the `kube-controller-manager` static Pod manifest:

- If kubeadm is invoked specifying a `--pod-network-cidr`, the subnet manager feature required for some CNI network plugins is enabled by setting:
  - `--allocate-node-cidrs=true`
  - `--cluster-cidr` and `--node-cidr-mask-size` flags according to the given CIDR
- If a cloud provider is specified, the corresponding `--cloud-provider` is specified, together with the `--cloud-config` path if such a configuration file exists (this is experimental, alpha and will be removed in a future version)
- `--controllers` enabling all the default controllers plus the `BootstrapSigner` and `TokenCleaner` controllers for TLS bootstrap. See TLS Bootstrapping for more details
- `--use-service-account-credentials` to true
- Flags for using certificates generated in previous steps:
  - `--root-ca-file` to `ca.crt`
  - `--cluster-signing-cert-file` to `ca.crt` if External CA mode is disabled, otherwise to `""`
  - `--cluster-signing-key-file` to `ca.key` if External CA mode is disabled, otherwise to `""`
  - `--service-account-private-key-file` to `sa.key`
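The two flag lists above (kube-apiserver and kube-controller-manager) describe what kubeadm writes into the static Pod manifests; drift from those values after a manual edit or a misapplied upgrade is a common way a cluster loses a protection silently. The script below is an added example, not kubeadm's or kube-bench's code: it pulls the `- --flag=value` entries out of a manifest with a regular expression (so it needs no YAML library) and checks the settings the notes call out. The two manifests it checks are constructed, deliberately weakened samples. One caveat it accounts for: `--insecure-port` no longer exists on current kube-apiserver releases, so the check accepts the flag being absent as well as being `0`. It also only inspects `--enable-admission-plugins`, so it can judge `NodeRestriction` (which kubeadm adds explicitly) but not plugins that are part of the binary's default-enabled set.

```python
"""Check kubeadm-generated static Pod manifests for the flags the notes describe.

Added example, not kubeadm's own tooling. Parses `- --flag=value` command
entries with a regex instead of a YAML library. The sample manifests are
constructed and deliberately weak so the checks have something to report.
"""
import re

# One `- --flag` or `- --flag=value` entry of a container command list.
FLAG_RE = re.compile(r"^\s*-\s*--([A-Za-z0-9-]+)(?:=(.*))?$")


def _unquote(value):
    """Strip a matching pair of surrounding quotes, e.g. the `""` kubeadm writes in External CA mode."""
    if value is None:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def parse_flags(manifest):
    """Map flag name -> value (None when given without '='). The last occurrence wins."""
    flags = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = _unquote(m.group(2))
    return flags


def check_apiserver(flags):
    """Findings for a kube-apiserver manifest, against the values in the notes above."""
    findings = []
    insecure = flags.get("insecure-port")
    # Absent is fine: the flag was removed from newer kube-apiserver releases.
    if insecure is not None and insecure != "0":
        findings.append(f"insecure-port is {insecure}; expected 0 or absent")
    plugins = set((flags.get("enable-admission-plugins") or "").split(","))
    if "NodeRestriction" not in plugins:
        findings.append("enable-admission-plugins lacks NodeRestriction")
    for required in ("client-ca-file", "tls-cert-file", "tls-private-key-file",
                     "kubelet-client-certificate", "kubelet-client-key",
                     "service-account-key-file", "requestheader-client-ca-file"):
        if not flags.get(required):
            findings.append(f"{required} not set")
    if flags.get("requestheader-allowed-names") != "front-proxy-client":
        findings.append("requestheader-allowed-names should be front-proxy-client")
    if flags.get("enable-bootstrap-token-auth") != "true":
        findings.append("enable-bootstrap-token-auth should be true")
    return findings


def check_controller_manager(flags):
    """Findings for a kube-controller-manager manifest, against the values in the notes above."""
    findings = []
    if flags.get("use-service-account-credentials") != "true":
        findings.append("use-service-account-credentials should be true")
    for required in ("root-ca-file", "service-account-private-key-file"):
        if not flags.get(required):
            findings.append(f"{required} not set")
    cert = flags.get("cluster-signing-cert-file") or ""
    key = flags.get("cluster-signing-key-file") or ""
    # Both set (kubeadm signs) or both empty (External CA mode); anything else is a half-configured signer.
    if bool(cert) != bool(key):
        findings.append("cluster-signing-cert-file and cluster-signing-key-file must both be set or both be empty (External CA mode)")
    return findings


# Constructed sample: NodeRestriction missing, requestheader-allowed-names emptied.
SAMPLE_APISERVER = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --allow-privileged=true
    - --enable-admission-plugins=NamespaceLifecycle,LimitRanger
    - --enable-bootstrap-token-auth=true
    - --insecure-port=0
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-allowed-names=
    - --secure-port=6443
"""

# Constructed sample: service-account credentials disabled, signer half-configured.
SAMPLE_CONTROLLER_MANAGER = """\
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=""
    - --controllers=*,bootstrapsigner,tokencleaner
    - --use-service-account-credentials=false
"""

if __name__ == "__main__":
    for name, text, check in (("kube-apiserver", SAMPLE_APISERVER, check_apiserver),
                              ("kube-controller-manager", SAMPLE_CONTROLLER_MANAGER, check_controller_manager)):
        for finding in check(parse_flags(text)):
            print(f"{name}: {finding}")
```

On a real node, read `/etc/kubernetes/manifests/kube-apiserver.yaml` and `kube-controller-manager.yaml` into `parse_flags` instead of the samples.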
Control plane node(s):

| Protocol | Direction | Port Range | Purpose | Used By |
|---|---|---|---|---|
| TCP | Inbound | 6443 | Kubernetes API server | All |
| TCP | Inbound | 2379-2380 | etcd server client API | kube-apiserver, etcd |
| TCP | Inbound | 10250 | Kubelet API | Self, Control plane |
| TCP | Inbound | 10259 | kube-scheduler | Self |
| TCP | Inbound | 10257 | kube-controller-manager | Self |

Worker node(s):

| Protocol | Direction | Port Range | Purpose | Used By |
|---|---|---|---|---|
| TCP | Inbound | 10250 | Kubelet API | Self, Control plane |
| TCP | Inbound | 30000-32767 | NodePort Services | All |
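The "Used By" column is the part of this table that matters for exposure: a port used by "Self" only (kube-scheduler, kube-controller-manager) has no reason to be reachable from other hosts, and anything listening that is not in the table deserves a look. The following added example (not part of the original notes) encodes the table as a policy and runs it over text in the shape of `ss -ltn` output; the socket listing is constructed, and the expectation that "Self"-only ports bind to loopback is this example's interpretation of the table.

```python
"""Compare a node's listening TCP sockets with the kubeadm port table.

Added example, not part of the original notes. The policy dicts restate the
table above; the input is constructed text in the shape of `ss -ltn` output.
"""

# (low, high) port range -> (purpose, used by), one dict per node role.
CONTROL_PLANE = {
    (6443, 6443): ("Kubernetes API server", "All"),
    (2379, 2380): ("etcd server client API", "kube-apiserver, etcd"),
    (10250, 10250): ("Kubelet API", "Self, Control plane"),
    (10259, 10259): ("kube-scheduler", "Self"),
    (10257, 10257): ("kube-controller-manager", "Self"),
}
WORKER = {
    (10250, 10250): ("Kubelet API", "Self, Control plane"),
    (30000, 32767): ("NodePort Services", "All"),
}
ROLES = {"control-plane": CONTROL_PLANE, "worker": WORKER}

# Addresses that keep a listener on the node itself; `ss` prints IPv6 loopback as [::1].
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return (address, port) for every LISTEN row of `ss -ltn`-style output."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = cols[3].rpartition(":")  # rpartition keeps [::1] intact
        sockets.append((addr, int(port)))
    return sockets


def lookup(port, table):
    """Find the table entry whose range covers `port`, or None."""
    for (low, high), entry in table.items():
        if low <= port <= high:
            return entry
    return None


def audit_listeners(text, role):
    """Findings as (port, address, message) in input order; empty means nothing to review."""
    table = ROLES[role]
    findings = []
    for addr, port in parse_ss(text):
        entry = lookup(port, table)
        if entry is None:
            findings.append((port, addr, f"not in the documented {role} port table"))
            continue
        purpose, used_by = entry
        if used_by == "Self" and addr not in LOOPBACK:
            findings.append((port, addr, f"{purpose} is used by Self only but is bound to {addr}"))
    return findings


# Constructed sample in the layout of `ss -ltn`; kube-scheduler is bound to all interfaces here.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:10257      0.0.0.0:*
LISTEN  0       4096    0.0.0.0:10259        0.0.0.0:*
LISTEN  0       4096    *:6443               *:*
LISTEN  0       4096    127.0.0.1:2379       0.0.0.0:*
LISTEN  0       4096    10.0.0.10:2379       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:10250        0.0.0.0:*
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
"""

if __name__ == "__main__":
    for port, addr, message in audit_listeners(SAMPLE_SS, "control-plane"):
        print(f"{addr}:{port}: {message}")
```

Feed it real output with `audit_listeners(subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout, "control-plane")`; the `22` finding in the sample shows that "not in the table" is a prompt to review, not a verdict.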
[!NOTE]
Container runtime endpoints (CRI sockets):

| OS | Runtime | Path to CRI socket |
|---|---|---|
| Linux | containerd | `unix:///var/run/containerd/containerd.sock` |
| Linux | CRI-O | `unix:///var/run/crio/crio.sock` |
| Linux | Docker Engine (using cri-dockerd) | `unix:///var/run/cri-dockerd.sock` |
| Windows | containerd | `npipe:////./pipe/containerd-containerd` |
| Windows | Docker Engine (using cri-dockerd) | `npipe:////./pipe/cri-dockerd` |
[!NOTE|label:references:]
For kubectl shell completion of an alias (e.g. `k`), use either kubectl's own completion function `__start_kubectl` (`complete -o default -F __start_kubectl k`) or `_complete_alias` from the bash complete-alias project.
[!NOTE|label:see also:]