
Kube Controller Manager

Note

This section is optional and intended only for cases where this resource needs to be configured separately from the others.

Environment variables

# Cluster name substituted into the manifest below (--cluster-name=${CLUSTER_NAME}).
CLUSTER_NAME='my-first-cluster'
export CLUSTER_NAME

Working directory

# Static-pod manifest directory; the heredoc below writes the pod spec here.
mkdir -p -- /etc/kubernetes/manifests
Static Pod Kube-Controller-Manager

Manifest generation

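# The heredoc is deliberately unquoted so the shell expands ${CLUSTER_NAME}
# before the manifest is written. If CLUSTER_NAME is not exported the flag
# becomes "--cluster-name=", so set it first (see "Environment variables").
cat <<EOF > /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=false
    - --allow-untagged-cloud=false
    - --attach-detach-reconcile-sync-period=1m0s
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authentication-skip-lookup=false
    - --authentication-token-webhook-cache-ttl=10s
    - --authentication-tolerate-lookup-failure=false
    # Paths in this list bypass authorization. /metrics is included, so the
    # metrics endpoint is served to any client that can reach the secure
    # port; drop it from the list if scraping must go through authz.
    - --authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-webhook-cache-authorized-ttl=10s
    - --authorization-webhook-cache-unauthorized-ttl=10s
    # The pod runs with hostNetwork: true, so the secure port is exposed on
    # every host interface; restrict reachability at the host/network level.
    - --bind-address=0.0.0.0
    - --cidr-allocator-type=RangeAllocator
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # Expanded by the shell from the exported CLUSTER_NAME variable.
    - --cluster-name=${CLUSTER_NAME}
    - --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
    # CSR signing uses the cluster CA key, mounted read-only from the host
    # through the k8s-certs volume; issued certificates are valid for 720h.
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-duration=720h0m0s
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --concurrent-cron-job-syncs=5
    - --concurrent-deployment-syncs=5
    - --concurrent-endpoint-syncs=5
    - --concurrent-ephemeralvolume-syncs=5
    - --concurrent-gc-syncs=20
    - --concurrent-horizontal-pod-autoscaler-syncs=5
    - --concurrent-job-syncs=5
    - --concurrent-namespace-syncs=10
    - --concurrent-rc-syncs=5
    - --concurrent-replicaset-syncs=20
    - --concurrent-resource-quota-syncs=5
    - --concurrent-service-endpoint-syncs=5
    - --concurrent-service-syncs=1
    - --concurrent-serviceaccount-token-syncs=5
    - --concurrent-statefulset-syncs=5
    - --concurrent-ttl-after-finished-syncs=5
    - --concurrent-validating-admission-policy-status-syncs=5
    - --configure-cloud-routes=true
    - --contention-profiling=false
    - --controller-start-interval=0s
    - --controllers=*,bootstrapsigner,tokencleaner
    - --disable-attach-detach-reconcile-sync=false
    - --disable-force-detach-on-timeout=false
    - --enable-dynamic-provisioning=true
    - --enable-garbage-collector=true
    - --enable-hostpath-provisioner=false
    - --enable-leader-migration=false
    - --endpoint-updates-batch-period=0s
    - --endpointslice-updates-batch-period=0s
    - --feature-gates=RotateKubeletServerCertificate=true
    - --flex-volume-plugin-dir=/usr/libexec/kubernetes/kubelet-plugins/volume/exec/
    - --help=false
    - --horizontal-pod-autoscaler-cpu-initialization-period=5m0s
    - --horizontal-pod-autoscaler-downscale-delay=5m0s
    - --horizontal-pod-autoscaler-downscale-stabilization=5m0s
    - --horizontal-pod-autoscaler-initial-readiness-delay=30s
    - --horizontal-pod-autoscaler-sync-period=30s
    - --horizontal-pod-autoscaler-tolerance=0.1
    - --horizontal-pod-autoscaler-upscale-delay=3m0s
    - --http2-max-streams-per-connection=0
    - --kube-api-burst=120
    - --kube-api-content-type=application/vnd.kubernetes.protobuf
    - --kube-api-qps=100
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --large-cluster-size-threshold=50
    - --leader-elect=true
    - --leader-elect-lease-duration=15s
    - --leader-elect-renew-deadline=10s
    - --leader-elect-resource-lock=leases
    - --leader-elect-resource-name=kube-controller-manager
    - --leader-elect-resource-namespace=kube-system
    - --leader-elect-retry-period=2s
    - --legacy-service-account-token-clean-up-period=8760h0m0s
    - --log-flush-frequency=5s
    - --log-json-info-buffer-size=0
    - --log-json-split-stream=false
    - --log-text-info-buffer-size=0
    - --log-text-split-stream=false
    - --logging-format=text
    - --max-endpoints-per-slice=100
    - --min-resync-period=12h0m0s
    - --mirroring-concurrent-service-endpoint-syncs=5
    - --mirroring-endpointslice-updates-batch-period=0s
    - --mirroring-max-endpoints-per-subset=1000
    - --namespace-sync-period=2m0s
    - --node-cidr-mask-size=0
    - --node-cidr-mask-size-ipv4=0
    - --node-cidr-mask-size-ipv6=0
    - --node-eviction-rate=0.1
    - --node-monitor-grace-period=40s
    - --node-monitor-period=5s
    - --node-startup-grace-period=10s
    - --node-sync-period=0s
    - --permit-address-sharing=false
    - --permit-port-sharing=false
    # Profiling endpoints stay disabled on the secure port.
    - --profiling=false
    - --pv-recycler-increment-timeout-nfs=30
    - --pv-recycler-minimum-timeout-hostpath=60
    - --pv-recycler-minimum-timeout-nfs=300
    - --pv-recycler-timeout-increment-hostpath=30
    - --pvclaimbinder-sync-period=15s
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=x-remote-extra-
    - --requestheader-group-headers=x-remote-group
    - --requestheader-username-headers=x-remote-user
    - --resource-quota-sync-period=5m0s
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --route-reconciliation-period=10s
    - --secondary-node-eviction-rate=0.01
    - --secure-port=10257
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --terminated-pod-gc-threshold=0
    - --unhealthy-zone-threshold=0.55
    # Each controller talks to the API server with its own service account
    # rather than the shared controller-manager identity.
    - --use-service-account-credentials=true
    - --v=2
    - --version=false
    - --volume-host-allow-local-loopback=true
    # IF YOU NEED TO CONNECT CLOUD-CONTROLLER-MANAGER, UNCOMMENT THE FOLLOWING
    # (flag syntax is --cloud-provider=external, not a "key: value" pair):
    # - --cloud-provider=external
    # IF YOU NEED TO CONNECT SERVER CERTIFICATES FOR KUBE-CONTROLLER-MANAGER,
    # UNCOMMENT THE FOLLOWING. NOTE THAT KUBEADM DOES NOT CREATE THESE
    # CERTIFICATES; while they are absent the controller manager generates a
    # self-signed serving certificate for port 10257, which clients cannot
    # verify against the cluster CA.
    # - --tls-cert-file=/etc/kubernetes/pki/controller-manager-server.crt
    # - --tls-private-key-file=/etc/kubernetes/pki/controller-manager-server.key
    # Do not specify the following if the value is "" or undefined
    # - --cluster-signing-kube-apiserver-client-cert-file=
    # - --cluster-signing-kube-apiserver-client-key-file=
    # - --cluster-signing-kubelet-client-cert-file=
    # - --cluster-signing-kubelet-client-key-file=
    # - --cluster-signing-kubelet-serving-cert-file=
    # - --cluster-signing-kubelet-serving-key-file=
    # - --cluster-signing-legacy-unknown-cert-file=
    # - --cluster-signing-legacy-unknown-key-file=
    # - --cluster-cidr=
    # - --cloud-config=
    # - --cert-dir=
    # - --allow-metric-labels-manifest=
    # - --allow-metric-labels=
    # - --disabled-metrics=
    # - --leader-migration-config=
    # - --master=
    # - --pv-recycler-pod-template-filepath-hostpath=
    # - --pv-recycler-pod-template-filepath-nfs=
    # - --service-cluster-ip-range=
    # - --show-hidden-metrics-for-version=
    # - --tls-cipher-suites=
    # - --tls-min-version=
    # - --tls-sni-cert-key=
    # - --vmodule=
    # - --volume-host-cidr-denylist=
    # - --external-cloud-volume-plugin=
    # - --requestheader-allowed-names=
    image: registry.k8s.io/kube-controller-manager:v1.30.4
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-controller-manager
    resources:
      requests:
        cpu: 200m
    startupProbe:
      failureThreshold: 24
      httpGet:
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    # Only the flexvolume plugin directory is mounted writable.
    - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      name: flexvolume-dir
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/kubernetes/controller-manager.conf
      name: kubeconfig
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      type: DirectoryOrCreate
    name: flexvolume-dir
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/kubernetes/controller-manager.conf
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
EOF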
Note

This section is optional and intended only for cases where this resource needs to be configured separately from the others.

Environment variables

# Cluster name substituted into the manifest below (--cluster-name=${CLUSTER_NAME}).
CLUSTER_NAME='my-first-cluster'
export CLUSTER_NAME

Working directory

# Static-pod manifest directory; the heredoc below writes the pod spec here.
mkdir -p -- /etc/kubernetes/manifests
Static Pod Kube-Controller-Manager

Manifest generation

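# The heredoc is deliberately unquoted so the shell expands ${CLUSTER_NAME}
# before the manifest is written. If CLUSTER_NAME is not exported the flag
# becomes "--cluster-name=", so set it first (see "Environment variables").
cat <<EOF > /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=false
    - --allow-untagged-cloud=false
    - --attach-detach-reconcile-sync-period=1m0s
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authentication-skip-lookup=false
    - --authentication-token-webhook-cache-ttl=10s
    - --authentication-tolerate-lookup-failure=false
    # Paths in this list bypass authorization. /metrics is included, so the
    # metrics endpoint is served to any client that can reach the secure
    # port; drop it from the list if scraping must go through authz.
    - --authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-webhook-cache-authorized-ttl=10s
    - --authorization-webhook-cache-unauthorized-ttl=10s
    # The pod runs with hostNetwork: true, so the secure port is exposed on
    # every host interface; restrict reachability at the host/network level.
    - --bind-address=0.0.0.0
    - --cidr-allocator-type=RangeAllocator
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # Expanded by the shell from the exported CLUSTER_NAME variable.
    - --cluster-name=${CLUSTER_NAME}
    - --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
    # CSR signing uses the cluster CA key, mounted read-only from the host
    # through the k8s-certs volume; issued certificates are valid for 720h.
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-duration=720h0m0s
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --concurrent-cron-job-syncs=5
    - --concurrent-deployment-syncs=5
    - --concurrent-endpoint-syncs=5
    - --concurrent-ephemeralvolume-syncs=5
    - --concurrent-gc-syncs=20
    - --concurrent-horizontal-pod-autoscaler-syncs=5
    - --concurrent-job-syncs=5
    - --concurrent-namespace-syncs=10
    - --concurrent-rc-syncs=5
    - --concurrent-replicaset-syncs=20
    - --concurrent-resource-quota-syncs=5
    - --concurrent-service-endpoint-syncs=5
    - --concurrent-service-syncs=1
    - --concurrent-serviceaccount-token-syncs=5
    - --concurrent-statefulset-syncs=5
    - --concurrent-ttl-after-finished-syncs=5
    - --concurrent-validating-admission-policy-status-syncs=5
    - --configure-cloud-routes=true
    - --contention-profiling=false
    - --controller-start-interval=0s
    - --controllers=*,bootstrapsigner,tokencleaner
    - --disable-attach-detach-reconcile-sync=false
    - --disable-force-detach-on-timeout=false
    - --enable-dynamic-provisioning=true
    - --enable-garbage-collector=true
    - --enable-hostpath-provisioner=false
    - --enable-leader-migration=false
    - --endpoint-updates-batch-period=0s
    - --endpointslice-updates-batch-period=0s
    - --feature-gates=RotateKubeletServerCertificate=true
    - --flex-volume-plugin-dir=/usr/libexec/kubernetes/kubelet-plugins/volume/exec/
    - --help=false
    - --horizontal-pod-autoscaler-cpu-initialization-period=5m0s
    - --horizontal-pod-autoscaler-downscale-delay=5m0s
    - --horizontal-pod-autoscaler-downscale-stabilization=5m0s
    - --horizontal-pod-autoscaler-initial-readiness-delay=30s
    - --horizontal-pod-autoscaler-sync-period=30s
    - --horizontal-pod-autoscaler-tolerance=0.1
    - --horizontal-pod-autoscaler-upscale-delay=3m0s
    - --http2-max-streams-per-connection=0
    - --kube-api-burst=120
    - --kube-api-content-type=application/vnd.kubernetes.protobuf
    - --kube-api-qps=100
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --large-cluster-size-threshold=50
    - --leader-elect=true
    - --leader-elect-lease-duration=15s
    - --leader-elect-renew-deadline=10s
    - --leader-elect-resource-lock=leases
    - --leader-elect-resource-name=kube-controller-manager
    - --leader-elect-resource-namespace=kube-system
    - --leader-elect-retry-period=2s
    - --legacy-service-account-token-clean-up-period=8760h0m0s
    - --log-flush-frequency=5s
    - --log-json-info-buffer-size=0
    - --log-json-split-stream=false
    - --log-text-info-buffer-size=0
    - --log-text-split-stream=false
    - --logging-format=text
    - --max-endpoints-per-slice=100
    - --min-resync-period=12h0m0s
    - --mirroring-concurrent-service-endpoint-syncs=5
    - --mirroring-endpointslice-updates-batch-period=0s
    - --mirroring-max-endpoints-per-subset=1000
    - --namespace-sync-period=2m0s
    - --node-cidr-mask-size=0
    - --node-cidr-mask-size-ipv4=0
    - --node-cidr-mask-size-ipv6=0
    - --node-eviction-rate=0.1
    - --node-monitor-grace-period=40s
    - --node-monitor-period=5s
    - --node-startup-grace-period=10s
    - --node-sync-period=0s
    - --permit-address-sharing=false
    - --permit-port-sharing=false
    # Profiling endpoints stay disabled on the secure port.
    - --profiling=false
    - --pv-recycler-increment-timeout-nfs=30
    - --pv-recycler-minimum-timeout-hostpath=60
    - --pv-recycler-minimum-timeout-nfs=300
    - --pv-recycler-timeout-increment-hostpath=30
    - --pvclaimbinder-sync-period=15s
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=x-remote-extra-
    - --requestheader-group-headers=x-remote-group
    - --requestheader-username-headers=x-remote-user
    - --resource-quota-sync-period=5m0s
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --route-reconciliation-period=10s
    - --secondary-node-eviction-rate=0.01
    - --secure-port=10257
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --terminated-pod-gc-threshold=0
    - --unhealthy-zone-threshold=0.55
    # Each controller talks to the API server with its own service account
    # rather than the shared controller-manager identity.
    - --use-service-account-credentials=true
    - --v=2
    - --version=false
    - --volume-host-allow-local-loopback=true
    # IF YOU NEED TO CONNECT CLOUD-CONTROLLER-MANAGER, UNCOMMENT THE FOLLOWING
    # (flag syntax is --cloud-provider=external, not a "key: value" pair):
    # - --cloud-provider=external
    # IF YOU NEED TO CONNECT SERVER CERTIFICATES FOR KUBE-CONTROLLER-MANAGER,
    # UNCOMMENT THE FOLLOWING. NOTE THAT KUBEADM DOES NOT CREATE THESE
    # CERTIFICATES; while they are absent the controller manager generates a
    # self-signed serving certificate for port 10257, which clients cannot
    # verify against the cluster CA.
    # - --tls-cert-file=/etc/kubernetes/pki/controller-manager-server.crt
    # - --tls-private-key-file=/etc/kubernetes/pki/controller-manager-server.key
    # Do not specify the following if the value is "" or undefined
    # - --cluster-signing-kube-apiserver-client-cert-file=
    # - --cluster-signing-kube-apiserver-client-key-file=
    # - --cluster-signing-kubelet-client-cert-file=
    # - --cluster-signing-kubelet-client-key-file=
    # - --cluster-signing-kubelet-serving-cert-file=
    # - --cluster-signing-kubelet-serving-key-file=
    # - --cluster-signing-legacy-unknown-cert-file=
    # - --cluster-signing-legacy-unknown-key-file=
    # - --cluster-cidr=
    # - --cloud-config=
    # - --cert-dir=
    # - --allow-metric-labels-manifest=
    # - --allow-metric-labels=
    # - --disabled-metrics=
    # - --leader-migration-config=
    # - --master=
    # - --pv-recycler-pod-template-filepath-hostpath=
    # - --pv-recycler-pod-template-filepath-nfs=
    # - --service-cluster-ip-range=
    # - --show-hidden-metrics-for-version=
    # - --tls-cipher-suites=
    # - --tls-min-version=
    # - --tls-sni-cert-key=
    # - --vmodule=
    # - --volume-host-cidr-denylist=
    # - --external-cloud-volume-plugin=
    # - --requestheader-allowed-names=
    image: registry.k8s.io/kube-controller-manager:v1.30.4
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-controller-manager
    resources:
      requests:
        cpu: 200m
    startupProbe:
      failureThreshold: 24
      httpGet:
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    # Only the flexvolume plugin directory is mounted writable.
    - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      name: flexvolume-dir
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/kubernetes/controller-manager.conf
      name: kubeconfig
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      type: DirectoryOrCreate
    name: flexvolume-dir
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/kubernetes/controller-manager.conf
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
EOF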