openshift-start-kubernetes-kubelet man page

openshift start kubernetes kubelet — Launch the Kubelet (kubelet)

Synopsis

openshift start kubernetes kubelet [Options]

Description

Start Kubelet

This command launches a Kubelet. All options are exposed. Use 'openshift start node' for starting from a configuration file.

Options

--address=0.0.0.0

The IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces)

--allow-privileged=false

If true, allow containers to request privileged mode. [default=false]

--anonymous-auth=true

Enables anonymous requests to the Kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.

--api-servers=[]

List of Kubernetes API servers for publishing events, and reading pods and services. (ip:port), comma separated.

--authentication-token-webhook=false

Use the TokenReview API to determine authentication for bearer tokens.

--authentication-token-webhook-cache-ttl=0

The duration to cache responses from the webhook token authenticator.

--authorization-mode="AlwaysAllow"

Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization.

--authorization-webhook-cache-authorized-ttl=0

The duration to cache 'authorized' responses from the webhook authorizer.

--authorization-webhook-cache-unauthorized-ttl=0

The duration to cache 'unauthorized' responses from the webhook authorizer.

--babysit-daemons=false

If true, the node has babysitter process monitoring docker and kubelet.

--cadvisor-port=4194

The port of the localhost cAdvisor endpoint

--cert-dir="/var/run/kubernetes"

The directory where the TLS certs are located (by default /var/run/kubernetes). If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.

--cgroup-driver="cgroupfs"

Driver that the kubelet uses to manipulate cgroups on the host.  Possible values: 'cgroupfs', 'systemd'

--cgroup-root=""

Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default.

--cgroups-per-qos=true

Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. [default: true]

--chaos-chance=0

If > 0.0, introduce random client errors and latency. Intended for testing. [default=0.0]

--client-ca-file=""

If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

--cloud-config=""

The path to the cloud provider configuration file.  Empty string for no configuration file.

--cloud-provider="auto-detect"

The provider for cloud services. By default, kubelet will attempt to auto-detect the cloud provider. Specify empty string for running with no cloud provider. [default=auto-detect]

--cluster-dns=[]

Comma-separated list of DNS server IP address.  This value is used for containers DNS server in case of Pods with "dnsPolicy=ClusterFirst". Note: all DNS servers appearing in the list MUST serve the same set of records otherwise name resolution within the cluster may not work correctly. There is no guarantee as to which DNS server may be contacted for name resolution.

--cluster-domain=""

Domain for this cluster.  If set, kubelet will configure all containers to search this domain in addition to the host's search domains

--cni-bin-dir=""

<Warning: Alpha feature> The full path of the directory in which to search for CNI plugin binaries. Default: /opt/cni/bin

--cni-conf-dir=""

<Warning: Alpha feature> The full path of the directory in which to search for CNI config files. Default: /etc/cni/net.d

--container-runtime="docker"

The container runtime to use. Possible values: 'docker', 'rkt'. Default: 'docker'.

--container-runtime-endpoint=""

[Experimental] The unix socket endpoint of remote runtime service. The endpoint is used only when CRI integration is enabled (--enable-cri)

--containerized=false

Experimental support for running kubelet in a container.  Intended for testing. [default=false]

--contention-profiling=false

Enable lock contention profiling, if profiling is enabled

--cpu-cfs-quota=true

Enable CPU CFS quota enforcement for containers that specify CPU limits

--docker-endpoint="unix:///var/run/docker.sock"

Use this for the docker endpoint to communicate with

--docker-exec-handler="native"

Handler to use when executing a command in a container. Valid values are 'native' and 'nsenter'. Defaults to 'native'.

--enable-controller-attach-detach=true

Enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations

--enable-cri=true

Enable the Container Runtime Interface (CRI) integration. If --container-runtime is set to "remote", Kubelet will communicate with the runtime/image CRI server listening on the endpoint specified by --remote-runtime-endpoint/--remote-image-endpoint. If --container-runtime is set to "docker", Kubelet will launch a in-process CRI server on behalf of docker, and communicate over a default endpoint. If --container-runtime is "rkt", the flag will be ignored because rkt integration doesn't support CRI yet. [default=true]

--enable-custom-metrics=false

Support for gathering custom metrics.

--enable-debugging-handlers=true

Enables server endpoints for log collection and local running of containers and commands

--enable-server=true

Enable the Kubelet's server

--enforce-node-allocatable=[pods]

A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptible options are 'pods', 'system-reserved' 'kube-reserved'. If the latter two options are specified, '--system-reserved-cgroup' '--kube-reserved-cgroup' must also be set respectively. See  ⟨https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node-allocatable.md⟩ for more details. [default='pods']

--event-burst=10

Maximum size of a bursty event records, temporarily allows event records to burst to this number, while still not exceeding event-qps. Only used if --event-qps > 0

--event-qps=5

If > 0, limit event creations per second to this value. If 0, unlimited.

--eviction-hard="memory.available<100Mi"

A set of eviction thresholds (e.g. memory.available<1Gi) that if met would trigger a pod eviction.

--eviction-max-pod-grace-period=0

Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met.  If negative, defer to pod specified value.

--eviction-minimum-reclaim=""

A set of minimum reclaims (e.g. imagefs.available=2Gi) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure.

--eviction-pressure-transition-period=0

Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition.

--eviction-soft=""

A set of eviction thresholds (e.g. memory.available<1.5Gi) that if met over a corresponding grace period would trigger a pod eviction.

--eviction-soft-grace-period=""

A set of eviction grace periods (e.g. memory.available=1m30s) that correspond to how long a soft eviction threshold must hold before triggering a pod eviction.

--exit-on-lock-contention=false

Whether kubelet should exit upon lock-file contention.

--experimental-allocatable-ignore-eviction=false

When set to 'true', Hard Eviction Thresholds will be ignored while calculating Node Allocatable. See  ⟨https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node-allocatable.md⟩ for more details. [default=false]

--experimental-allowed-unsafe-sysctls=[]

Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in *). Use these at your own risk.

--experimental-bootstrap-kubeconfig=""

<Warning: Experimental feature> Path to a kubeconfig file that will be used to get client certificate for kubelet. If the file specified by --kubeconfig does not exist, the bootstrap kubeconfig is used to request a client certificate from the API server. On success, a kubeconfig file referencing the generated key and obtained certificate is written to the path specified by --kubeconfig. The certificate and key file will be stored in the directory pointed by --cert-dir.

--experimental-check-node-capabilities-before-mount=false

[Experimental] if set true, the kubelet will check the underlying node for required componenets (binaries, etc.) before performing the mount

--experimental-fail-swap-on=false

Makes the Kubelet fail to start if swap is enabled on the node. This is a temporary opton to maintain legacy behavior, failing due to swap enabled will happen by default in v1.6.

--experimental-kernel-memcg-notification=false

If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling.

--experimental-mounter-path=""

[Experimental] Path of mounter binary. Leave empty to use the default mount.

--experimental-qos-reserved=

A set of ResourceName=Percentage (e.g. memory=50%) pairs that describe how pod resource requests are reserved at the QoS level. Currently only memory is supported. [default=none]

--feature-gates=""

A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: Accelerators=true|false (ALPHA - default=false) AffinityInAnnotations=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AllowExtTrafficLocalEndpoints=true|false (BETA - default=true) AppArmor=true|false (BETA - default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) DynamicVolumeProvisioning=true|false (ALPHA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) StreamingProxyRedirects=true|false (BETA - default=true) TaintBasedEvictions=true|false (ALPHA - default=false)

--file-check-frequency=0

Duration between checking config files for new data

--hairpin-mode="promiscuous-bridge"

How should the kubelet setup hairpin NAT. This allows endpoints of a Service to loadbalance back to themselves if they should try to access their own Service. Valid values are "promiscuous-bridge", "hairpin-veth" and "none".

--healthz-bind-address=127.0.0.1

The IP address for the healthz server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)

--healthz-port=10248

The port of the localhost healthz endpoint

--host-ipc-sources=[]

Comma-separated list of sources from which the Kubelet allows pods to use the host ipc namespace. [default=""]

--host-network-sources=[]

Comma-separated list of sources from which the Kubelet allows pods to use of host network. [default=""]

--host-pid-sources=[]

Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace. [default=""]

--hostname-override=""

If non-empty, will use this string as identification instead of the actual hostname.

--http-check-frequency=0

Duration between checking http for new data

--image-gc-high-threshold=85

The percent of disk usage after which image garbage collection is always run. Default: 85%

--image-gc-low-threshold=80

The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. Default: 80%

--image-pull-progress-deadline=0

If no pulling progress is made before this deadline, the image pulling will be cancelled. Default: 1m0s.

--image-service-endpoint=""

[Experimental] The unix socket endpoint of remote image service. If not specified, it will be the same with container-runtime-endpoint by default. The endpoint is used only when CRI integration is enabled (--enable-cri)

--iptables-drop-bit=15

The bit of the fwmark space to mark packets for dropping. Must be within the range [0, 31].

--iptables-masquerade-bit=14

The bit of the fwmark space to mark packets for SNAT. Must be within the range [0, 31]. Please match this parameter with corresponding parameter in kube-proxy.

--keep-terminated-pod-volumes=false

Keep terminated pod volumes mounted to the node after the pod terminates.  Can be useful for debugging volume related issues.

--kube-api-burst=10

Burst to use while talking with kubernetes apiserver

--kube-api-content-type="application/vnd.kubernetes.protobuf"

Content type of requests sent to apiserver.

--kube-api-qps=5

QPS to use while talking with kubernetes apiserver

--kube-reserved=

A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi) pairs that describe resources reserved for kubernetes system components. Currently only cpu and memory are supported. See  ⟨http://kubernetes.io/docs/user-guide/compute-resources⟩ for more detail. [default=none]

--kube-reserved-cgroup=""

Absolute name of the top level cgroup that is used to manage kubernetes components for which compute resources were reserved via '--kube-reserved' flag. Ex. '/kube-reserved'. [default='']

--kubeconfig="/var/lib/kubelet/kubeconfig"

Path to a kubeconfig file, specifying how to connect to the API server. --api-servers will be used for the location unless --require-kubeconfig is set.

--kubelet-cgroups=""

Optional absolute name of cgroups to create and run the Kubelet in.

--lock-file=""

<Warning: Alpha feature> The path to file for kubelet to use as a lock file.

--low-diskspace-threshold-mb=256

The absolute free disk space, in MB, to maintain. When disk space falls below this threshold, new pods would be rejected. Default: 256

--make-iptables-util-chains=true

If true, kubelet will ensure iptables utility rules are present on host.

--manifest-url=""

URL for accessing the container manifest

--manifest-url-header=""

HTTP header to use when accessing the manifest URL, with the key separated from the value with a ':', as in 'key:value'

--master-service-namespace="default"

The namespace from which the kubernetes master services should be injected into pods

--max-open-files=1000000

Number of files that can be opened by Kubelet process. [default=1000000]

--max-pods=110

Number of Pods that can run on this Kubelet.

--maximum-dead-containers=-1

Maximum number of old instances of containers to retain globally.  Each container takes up some disk space. To disable, set to a negative number.  Default: -1.

--maximum-dead-containers-per-container=1

Maximum number of old instances to retain per container.  Each container takes up some disk space.  Default: 1.

--minimum-container-ttl-duration=0

Minimum age for a finished container before it is garbage collected.  Examples: '300ms', '10s' or '2h45m'

--minimum-image-ttl-duration=0

Minimum age for an unused image before it is garbage collected.  Examples: '300ms', '10s' or '2h45m'. Default: '2m'

--network-plugin=""

<Warning: Alpha feature> The name of the network plugin to be invoked for various events in kubelet/pod lifecycle

--network-plugin-dir=""

<Warning: Alpha feature> The full path of the directory in which to search for network plugins or CNI config

--network-plugin-mtu=0

<Warning: Alpha feature> The MTU to be passed to the network plugin, to override the default. Set to 0 to use the default 1460 MTU.

--node-ip=""

IP address of the node. If set, kubelet will use this IP address for the node

--node-labels=

<Warning: Alpha feature> Labels to add when registering the node in the cluster.  Labels must be key=value pairs separated by ','.

--node-status-update-frequency=0

Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s

--non-masquerade-cidr="10.0.0.0/8"

Traffic to IPs outside this range will use IP masquerade.

--oom-score-adj=-999

The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000]

--outofdisk-transition-frequency=0

Duration for which the kubelet has to wait before transitioning out of out-of-disk node condition status. Default: 5m0s

--pod-cidr=""

The CIDR to use for pod IP addresses, only used in standalone mode.  In cluster mode, this is obtained from the master.

--pod-infra-container-image="gcr.io/google_containers/pause-amd64:3.0"

The image whose network/ipc namespaces containers in each pod will use.

--pod-manifest-path=""

Path to to the directory containing pod manifest files to run, or the path to a single pod manifest file. Files starting with dots will be ignored.

--pods-per-core=0

Number of Pods per core that can run on this Kubelet. The total number of Pods on this Kubelet cannot exceed max-pods, so max-pods will be used if this calculation results in a larger number of Pods allowed on the Kubelet. A value of 0 disables this limit.

--port=10250

The port for the Kubelet to serve on.

--protect-kernel-defaults=false

Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.

--read-only-port=10255

The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable)

--really-crash-for-testing=false

If true, when panics occur crash. Intended for testing.

--register-node=true

Register the node with the apiserver (defaults to true if --api-servers is set)

--register-schedulable=true

Register the node as schedulable. Won't have any effect if register-node is false. [default=true]

--register-with-taints=<nil>

Register the node with the given list of taints (comma seperated "<key>=<value>:<effect>"). No-op if register-node is false.

--registry-burst=10

Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps.  Only used if --registry-qps > 0

--registry-qps=5

If > 0, limit registry pull QPS to this value.  If 0, unlimited. [default=5.0]

--require-kubeconfig=false

If true the Kubelet will exit if there are configuration errors, and will ignore the value of --api-servers in favor of the server defined in the kubeconfig file.

--resolv-conf="/etc/resolv.conf"

Resolver configuration file used as the basis for the container DNS resolution configuration.

--rkt-api-endpoint="localhost:15441"

The endpoint of the rkt API service to communicate with. Only used if --container-runtime='rkt'.

--rkt-path=""

Path of rkt binary. Leave empty to use the first rkt in $PATH.  Only used if --container-runtime='rkt'.

--rkt-stage1-image=""

image to use as stage1. Local paths and http/https URLs are supported. If empty, the 'stage1.aci' in the same directory as '--rkt-path' will be used.

--root-dir="/var/lib/kubelet"

Directory path for managing kubelet files (volume mounts,etc).

--runonce=false

If true, exit after spawning pods from local manifests or remote urls. Exclusive with --api-servers, and --enable-server

--runtime-cgroups=""

Optional absolute name of cgroups to create and run the runtime in.

--runtime-request-timeout=0

Timeout of all runtime requests except long running request - pull, logs, exec and attach. When timeout exceeded, kubelet will cancel the request, throw out an error and retry later. Default: 2m0s

--seccomp-profile-root="/var/lib/kubelet/seccomp"

Directory path for seccomp profiles.

--serialize-image-pulls=true

Pull images one at a time. We recommend not changing the default value on nodes that run docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details. [default=true]

--streaming-connection-idle-timeout=0

Maximum time a streaming connection can be idle before the connection is automatically closed. 0 indicates no timeout. Example: '5m'

--sync-frequency=0

Max period between synchronizing running containers and config

--system-cgroups=""

Optional absolute name of cgroups in which to place all non-kernel processes that are not already inside a cgroup under /. Empty for no container. Rolling back the flag requires a reboot. (Default: "").

--system-reserved=

A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See  ⟨http://kubernetes.io/docs/user-guide/compute-resources⟩ for more detail. [default=none]

--system-reserved-cgroup=""

Absolute name of the top level cgroup that is used to manage non-kubernetes components for which compute resources were reserved via '--system-reserved' flag. Ex. '/system-reserved'. [default='']

--tls-cert-file=""

File containing x509 Certificate for HTTPS.  (CA cert, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.

--tls-private-key-file=""

File containing x509 private key matching --tls-cert-file.

--volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"

<Warning: Alpha feature> The full path of the directory in which to search for additional third party volume plugins

--volume-stats-agg-period=0

Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes.  To disable volume calculations, set to 0.  Default: '1m'

Options Inherited from Parent Commands

--azure-container-registry-config=""

Path to the file container Azure container registry configuration information.

--google-json-key=""

The Google Cloud Platform Service Account JSON Key to use for authentication.

--log-flush-frequency=0

Maximum number of seconds between log flushes

See Also

openshift-start-kubernetes(1),

History

June 2016, Ported from the Kubernetes man-doc generator

Referenced By

openshift-start-kubernetes(1).

Openshift CLI User Manuals June 2016