kubernetes
settings.kubernetes.*
)Topic list
- Node labels & taints
- Settings needed for
aws-k8s-*
variants - Settings needed for
metal-k8s-*
variants - Settings needed for
vmware-k8s-*
variants - Static Pods & standalone mode
Setting list for settings.kubernetes
settings.kubernetes.allowed-unsafe-sysctls
settings.kubernetes.api-server
settings.kubernetes.authentication-mode
settings.kubernetes.bootstrap-token
settings.kubernetes.cloud-provider
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-dns-ip
settings.kubernetes.cluster-domain
settings.kubernetes.cluster-name
settings.kubernetes.container-log-max-files
settings.kubernetes.container-log-max-size
settings.kubernetes.cpu-cfs-quota-enforced
settings.kubernetes.cpu-manager-policy
settings.kubernetes.cpu-manager-policy-options
settings.kubernetes.cpu-manager-reconcile-period
settings.kubernetes.credential-providers
settings.kubernetes.<custom identifier>.enabled
settings.kubernetes.<custom identifier>.manifest
settings.kubernetes.event-burst
settings.kubernetes.event-qps
settings.kubernetes.eviction-hard
settings.kubernetes.eviction-max-pod-grace-period
settings.kubernetes.eviction-soft
settings.kubernetes.eviction-soft-grace-period
settings.kubernetes.hostname-override
settings.kubernetes.image-gc-high-threshold-percent
settings.kubernetes.image-gc-low-threshold-percent
settings.kubernetes.kube-api-burst
settings.kubernetes.kube-api-qps
settings.kubernetes.kube-reserved
settings.kubernetes.log-level
settings.kubernetes.max-pods
settings.kubernetes.memory-manager-policy
settings.kubernetes.memory-manager-reserved-memory
settings.kubernetes.node-ip
settings.kubernetes.node-labels
settings.kubernetes.node-taints
settings.kubernetes.pod-infra-container-image
settings.kubernetes.pod-pids-limit
settings.kubernetes.provider-id
settings.kubernetes.registry-burst
settings.kubernetes.registry-qps
settings.kubernetes.server-certificate
settings.kubernetes.server-key
settings.kubernetes.server-tls-bootstrap
settings.kubernetes.shutdown-grace-period
settings.kubernetes.shutdown-grace-period-for-critical-pods
settings.kubernetes.system-reserved
settings.kubernetes.topology-manager-policy
settings.kubernetes.topology-manager-scope
Topics
Node labels & taints
You can use these optional settings to customize the node labels and taints.Settings
Settings needed for aws-k8s-*
variants
Required settings for Kubernetes variants in AWS. These settings are typically specified in user data.
See the EKS Quickstart and the EKS setup guide for more details on setting up Bottlerocket and Kubernetes on Amazon EKS.
Settings
Settings needed for metal-k8s-*
variants
Required settings for Kubernetes bare metal variants. These settings are typically specified in user data.
See metal provisioning guide for more information.
Settings
Settings needed for vmware-k8s-*
variants
Required settings for Kubernetes VMware variants. These settings are typically specified in user data.
See the VMware setup guide for more information.
Settings
Static Pods & standalone mode
You can also optionally specify static pods for your node. Static pods can be particularly useful when running in standalone mode.Settings
Full Reference
settings.kubernetes.allowed-unsafe-sysctls
Enables specified list of unsafe sysctls.
[settings.kubernetes]
allowed-unsafe-sysctls = ["net.core.somaxconn", "net.ipv4.ip_local_port_range"]
apiclient apply <<EOF
[settings.kubernetes]
allowed-unsafe-sysctls = ["net.core.somaxconn", "net.ipv4.ip_local_port_range"]
EOF
settings.kubernetes.api-server
The cluster’s Kubernetes API endpoint. This is typically specified in user data.
Also see:settings.kubernetes.authentication-mode
The authentication method kubelet should use to connect to the API server, and for incoming requests.
Default: aws
for AWS variants, tls
for other variants
settings.kubernetes.bootstrap-token
The token to use for TLS bootstrapping.
Only used when settings.kubernetes.authentication-mode
is set to tls
(ignored otherwise).
settings.kubernetes.cloud-provider
The cloud provider for the cluster.
Default: aws
for AWS variants, external
for other variants
settings.kubernetes.cluster-certificate
The base64-encoded certificate authority of the cluster.
Also see:settings.kubernetes.cluster-dns-ip
The IP of the DNS service running in the cluster. On AWS variants, this is derived from the EKS Service IP CIDR or the CIDR block of the primary network interface. This value can be set as a string containing a single IP address, or as a list containing multiple IP addresses.
# Valid, single IP
[settings.kubernetes]
cluster-dns-ip = "10.0.0.1"
# Also valid, multiple nameserver IPs
[settings.kubernetes]
cluster-dns-ip = ["10.0.0.1", "10.0.0.2"]
apiclient set settings.kubernetes.cluster-dns-ip="10.0.0.1"
apiclient apply <<EOF
[settings.kubernetes]
cluster-dns-ip = ["10.0.0.1", "10.0.0.2"]
EOF
settings.kubernetes.cluster-domain
The DNS domain for the cluster, allowing all Kubernetes-run containers to search this domain before the host’s search domains
Default: cluster.local
settings.kubernetes.cluster-name
The cluster name you chose during setup.
Also see:settings.kubernetes.container-log-max-files
The maximum number of container log files that can be present for a container.
Also see:settings.kubernetes.container-log-max-size
The maximum size of container log file before it is rotated.
Also see:settings.kubernetes.cpu-cfs-quota-enforced
Whether CPU CFS quotas are enforced
Default: true
settings.kubernetes.cpu-manager-policy
Specifies the CPU manager policy.
If you want to allow pods with certain resource characteristics to be granted increased CPU affinity and exclusivity on the node, you can set this setting to static
.
You should reboot if you change this setting after startup - try apiclient reboot
Default: none
static
none
settings.kubernetes.cpu-manager-policy-options
Policy options to apply when settings.kubernetes.cpu-manager-policy
is set to static
.
There currently there is only one allowed option, so the default is implict if not the setting is not defined.
full-pcpus-only
# When `settings.kubernetes.cpu-manager-policy` is set to `static`
[settings.kubernetes]
cpu-manager-policy-options = ["full-pcpus-only"]
apiclient apply <<EOF
[settings.kubernetes]
cpu-manager-policy-options = ["full-pcpus-only"]
EOF
settings.kubernetes.cpu-manager-reconcile-period
Specifies the CPU manager reconcile period, which controls how often updated CPU assignments are written to cgroupfs.
The value is a duration like 30s
for 30 seconds or 1h5m
for 1 hour and 5 minutes.
settings.kubernetes.credential-providers
Contains a collection of Kubelet image credential provider settings. Each key under this setting is the name of the plugin to configure. See Example 1 below.
The ecr-credential-provider
plugin can also be used for AWS IAM Roles Anywhere support. IAM Roles Anywhere is configured using the settings.aws.config
setting. The content of that setting needs to configure the credential_process
using the aws_signing_helper
using your IAM Roles Anywhere settings, see Example 2 below.
Note
ecr-credential-provider
is currently the only supported provider. To manage its AWS credentials, see the settings.aws.config
and settings.aws.credentials
settings.
# Example 1: user data for configuring the `ecr-credential-provider` credential provider plug-in
[settings.kubernetes.credential-providers.ecr-credential-provider]
enabled = true
# (optional - defaults to "12h")
cache-duration = "30m"
image-patterns = [
# One or more URL paths to match an image prefix. Supports globbing of subdomains.
"*.dkr.ecr.us-east-2.amazonaws.com",
"*.dkr.ecr.us-west-2.amazonaws.com"
]
[settings.kubernetes.credential-providers.ecr-credential-provider.environment]
# The following are not used with ecr-credential-provider, but are provided for illustration
"KEY" = "abc123xyz"
"GOMAXPROCS" = "2"
# Example 2: `credential_process` using the `aws_signing_helper`
[default]
region = us-west-2
credential_process = aws_signing_helper credential-process --certificate /var/lib/kubelet/pki/kubelet-client-current.pem --private-key /var/lib/kubelet/pki/kubelet-client-current.pem --profile-arn [profile ARN]
--role-arn [role ARN]
--trust-anchor-arn [trust anchor ARN]
settings.kubernetes.<custom identifier>.enabled
Whether the static pod is enabled.
Also see:settings.kubernetes.<custom identifier>.manifest
A base64-encoded pod manifest.
Also see:settings.kubernetes.event-burst
The maximum size of a burst of event creations.
Also see:settings.kubernetes.event-qps
The maximum event creations per second.
Also see:settings.kubernetes.eviction-hard
The signals and thresholds that trigger pod eviction.
Keys are signals and must be quoted since they contain a dot (.
).
[settings.kubernetes.eviction-hard]
"memory.available" = "15%"
apiclient set settings.kubernetes.eviction-hard."memory.available"="15%"
settings.kubernetes.eviction-max-pod-grace-period
Maximum grace period, in seconds, to wait for pod termination before soft eviction.
Default: 0
[settings.kubernetes]
eviction-max-pod-grace-period = 40
apiclient set settings.kubernetes.eviction-max-pod-grace-period=40
settings.kubernetes.eviction-soft
The signals and thresholds that trigger pod eviction with a provided grace period (settings.kubernetes.eviction-soft-grace-period
). Keys are signals and must be quoted since they contain a dot (.
).
[settings.kubernetes.eviction-soft]
"memory.available" = "12%"
apiclient set settings.kubernetes.eviction-soft."memory.available"="12%"
settings.kubernetes.eviction-soft-grace-period
Delay for each signal to wait for pod termination before eviction.
Keys are signals and must be quoted since they contain a dot (.
).
[settings.kubernetes.eviction-soft-grace-period]
"memory.available" = "30s"
apiclient set settings.kubernetes.eviction-soft-grace-period."memory.available"="30s"
settings.kubernetes.hostname-override
The node name kubelet uses as identification instead of the hostname or the name determined by the in-tree cloud provider if that’s enabled.
Warning
Changing this setting at runtime (not via user-data) can cause issues with kubelet registration, as hostname is closely tied to the identity of the system for both registration and certificates/authorization purposes.
Most users don’t need to change this setting.
If left unset, the system hostname will be used instead. The settings.network.hostname
setting can be used to specify the value for both kubelet and the host.
Only set this override if you intend for the kubelet to register with a different name than the host.
For aws-k8s-1.26
variants, which use the “external” cloud provider, a hostname override will be automatically generated by querying the EC2 API for the private DNS name of the instance. This is done for backwards compatibility with the deprecated “aws” cloud provider, which adjusted the hostname in a similar way. Future aws-k8s-*
variants may remove this behavior.
settings.kubernetes.image-gc-high-threshold-percent
The percent of disk usage after which image garbage collection is always run, expressed as an integer from 0-100 inclusive.
If you downgrade from 1.14.0 to an earlier version, the values will be automatically converted to strings.
# After 1.14.0, the value can be represented as a integer or string for backwards compatiblity.
[settings.kubernetes]
image-gc-high-threshold-percent = 85
# Before 1.14.0, the value must be represented as a string.
[settings.kubernetes]
image-gc-high-threshold-percent = "85"
apiclient set settings.kubernetes.image-gc-high-threshold-percent=85
apiclient set settings.kubernetes.image-gc-high-threshold-percent="85"
settings.kubernetes.image-gc-low-threshold-percent
The percent of disk usage before which image garbage collection is never run, expressed as an integer from 0-100 inclusive.
If you downgrade from 1.14.0 to an earlier version, the values will be automatically converted to strings.
# After 1.14.0, the value can be represented as a integer or string for backwards compatiblity.
[settings.kubernetes]
image-gc-low-threshold-percent = 80
# Before 1.14.0, the value must be represented as a string.
[settings.kubernetes]
image-gc-low-threshold-percent = "80"
apiclient set settings.kubernetes.image-gc-low-threshold-percent=80
apiclient set settings.kubernetes.image-gc-low-threshold-percent="80"
settings.kubernetes.kube-api-burst
The burst to allow while talking with kubernetes.
Also see:settings.kubernetes.kube-api-qps
The QPS to use while talking with kubernetes apiserver.
Also see:settings.kubernetes.kube-reserved
Resources reserved for node components. The following keys are valid:
cpu
: in millicores from the total number of vCPUs available on the instance.memory
: in mebibytes from the max num of pods on the instance.memory_to_reserve = max_num_pods * 11 + 255
.ephemeral-storage
: defaults to1Gi
.
settings.kubernetes.log-level
The logging verbosity of the kubelet process. Higher numbers enabling more verbose logging.
Default: 2
Also see:settings.kubernetes.max-pods
The maximum number of pods that can be scheduled on this node (limited by number of available IPv4 addresses).
Also see:settings.kubernetes.memory-manager-policy
The memory management policy to use: None
or Static
.
When using the Static
policy you should also set settings.kubernetes.memory-manager-reserved-memory
values.
Default: None
settings.kubernetes.memory-manager-reserved-memory
Set the total amount of reserved memory for a node.
settings.kubernetes.memory-manager-reserved-memory
is set per NUMA node.
These settings are used to configure memory manager policy when settings.kubernetes.memory-manager-policy
is set to Static
.
Warning
memory-manager-reserved-memory
settings are an advanced configuration and requires a clear understanding of what you are setting.
Misconfiguration of reserved memory settings may cause the Kubernetes kubelet
process to fail.
It can be very difficult to recover from configuration errors.
Use the memory reservation information from kubectl describe node
and make sure you understand the Kubernetes documentation related to the memory manager and how to reserve compute resources for system daemons.
[settings.kubernetes]
"memory-manager-policy" = "Static"
[settings.kubernetes.memory-manager-reserved-memory.0]
# Reserve a single 1GiB huge page along with 674MiB of memory
"enabled" = true
"memory" = "674Mi"
"hugepages-1Gi" = "1Gi"
[settings.kubernetes.memory-manager-reserved-memory.1]
# Reserve 1,074 2MiB huge pages
"enabled" = true
"hugepages-2Mi" = "2148Mi"
settings.kubernetes.node-ip
The IP address of the node.
settings.kubernetes.node-labels
Labels in the form of key, value pairs added when registering the node in the cluster.
Note
Remember to quote keys (since they often contain .
) and to quote all values.
[settings.kubernetes.node-labels]
label1 = foo
label2 = bar
apiclient set settings.kubernetes.node-labels.label1=foo \
settings.kubernetes.node-labels.label2=bar
settings.kubernetes.node-taints
Taints in the form of key, values and effects entries added when registering the node in the cluster.
Note
Remember to quote keys (since they often contain .
) and to quote all values.
[settings.kubernetes.node-taints]
dedicated = ["experimental:PreferNoSchedule", "experimental:NoExecute"]
special = ["true:NoSchedule"]
apiclient set settings.kubernetes.node-taints.dedicated=["experimental:PreferNoSchedule", "experimental:NoExecute"] \
settings.kubernetes.node-taints.special=["true:NoSchedule"]
settings.kubernetes.pod-infra-container-image
The URI of the ‘pause’ container.
Also see:settings.kubernetes.pod-pids-limit
The maximum number of processes per pod.
Also see:settings.kubernetes.provider-id
The way an external provider identifies a node.
Also see:settings.kubernetes.registry-burst
The maximum size of bursty pulls.
Also see:settings.kubernetes.registry-qps
The registry pull QPS.
Also see:settings.kubernetes.server-certificate
The base64 encoded content of an x509 certificate for the kubelet web server, which is used for retrieving logs and executing commands.
Also see:settings.kubernetes.server-key
The base64 encoded content of an x509 private key for the kubelet web server.
Also see:settings.kubernetes.server-tls-bootstrap
Enables or disables server certificate bootstrap. When enabled, the kubelet will request a certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests (CSR).
Default: true
settings.kubernetes.shutdown-grace-period
Delay the node should wait for pod termination before shutdown.
Default: 0s
settings.kubernetes.shutdown-grace-period-for-critical-pods
The portion of the shutdown delay that should be dedicated to critical pod shutdown. Default is 0s.
Default: false
settings.kubernetes.system-reserved
Resources reserved for system components.
# Example user data for setting up system reserved
[settings.kubernetes.system-reserved]
cpu = "10m"
ephemeral-storage = "1Gi"
memory = "100Mi"
apiclient set settings.kubernetes.system-reserved.cpu="10m" \
settings.kubernetes.system-reserved.ephemeral-storage="1Gi" \
settings.kubernetes.system-reserved.memory="100Mi"
settings.kubernetes.topology-manager-policy
Specifies the topology manager policy.
Default: none
none
restricted
best-effort
single-numa-node
settings.kubernetes.topology-manager-scope
Specifies the topology manager scope. If you want to group all containers in a pod to a common set of NUMA nodes, you can set this setting to pod.
Default: container
container
pod
Some setting descriptions come from the Kubelet Configuration or Kubelet Options documentation.