kubernetes

settings.kubernetes.allowed-unsafe-sysctls

Enables specified list of unsafe sysctls.

• TOML
• apiclient

[settings.kubernetes]
allowed-unsafe-sysctls = ["net.core.somaxconn", "net.ipv4.ip_local_port_range"]

apiclient apply <<EOF
[settings.kubernetes]
allowed-unsafe-sysctls = ["net.core.somaxconn", "net.ipv4.ip_local_port_range"]
EOF

• Using sysctls in a Kubernetes Cluster
• allowedUnsafeSysctls in Kubelet Configuration

settings.kubernetes.api-server

The cluster’s Kubernetes API endpoint. This is typically specified in user data.

• Settings needed for aws-k8s-* variants
• Settings needed for vmware-k8s-* variants
• Settings needed for metal-k8s-* variants

settings.kubernetes.authentication-mode

The authentication method kubelet should use to connect to the API server, and for incoming requests.

Default: aws for AWS variants, tls for other variants

• settings.kubernetes.bootstrap-token

settings.kubernetes.bootstrap-token

The token to use for TLS bootstrapping. Only used when settings.kubernetes.authentication-mode is set to tls (ignored otherwise).

• Settings needed for vmware-k8s-* variants
• Settings needed for metal-k8s-* variants
• settings.kubernetes.authentication-mode
• TLS bootstrapping

settings.kubernetes.cloud-provider

The cloud provider for the cluster.

Default: aws for AWS variants, external for other variants

• kubernetes/cloud-provider
• --cloud-provider in Kubelet Options

settings.kubernetes.cluster-certificate

The base64-encoded certificate authority of the cluster.

• Settings needed for aws-k8s-* variants
• Settings needed for vmware-k8s-* variants
• Settings needed for metal-k8s-* variants

settings.kubernetes.cluster-dns-ip

The IP of the DNS service running in the cluster. On AWS variants, this is derived from the EKS Service IP CIDR or the CIDR block of the primary network interface. This value can be set as a string containing a single IP address, or as a list containing multiple IP addresses.

• TOML
• apiclient

# Valid, single IP
[settings.kubernetes]
cluster-dns-ip = "10.0.0.1"

# Also valid, multiple nameserver IPs
[settings.kubernetes]
cluster-dns-ip = ["10.0.0.1", "10.0.0.2"]

apiclient set settings.kubernetes.cluster-dns-ip="10.0.0.1"

apiclient apply <<EOF
[settings.kubernetes]
cluster-dns-ip = ["10.0.0.1", "10.0.0.2"]
EOF

• clusterDNS in Kubelet Configuration
• --cluster-dns in Kubelet Options

settings.kubernetes.cluster-domain

The DNS domain for the cluster, allowing all Kubernetes-run containers to search this domain before the host’s search domains

Default: cluster.local

• clusterDomain in Kubelet Configuration
• --cluster-domain in Kubelet Options

settings.kubernetes.cluster-name

The cluster name you chose during setup.

• Settings needed for aws-k8s-* variants

settings.kubernetes.container-log-max-files

The maximum number of container log files that can be present for a container.

• containerLogMaxFiles in Kubelet Configuration
• Logging Architecture

settings.kubernetes.container-log-max-size

The maximum size of container log file before it is rotated.

• containerLogMaxSize in Kubelet Configuration
• Logging Architecture

settings.kubernetes.cpu-cfs-quota-enforced

Whether CPU CFS quotas are enforced

Default: true

• cpuCFSQuota in Kubelet Configuration

settings.kubernetes.cpu-manager-policy

Specifies the CPU manager policy. If you want to allow pods with certain resource characteristics to be granted increased CPU affinity and exclusivity on the node, you can set this setting to static. You should reboot if you change this setting after startup - try apiclient reboot

Default: none

• static
• none

• cpuManagerPolicy in Kubelet Configuration
• settings.kubernetes.cpu-manager-policy-options

settings.kubernetes.cpu-manager-policy-options

Policy options to apply when settings.kubernetes.cpu-manager-policy is set to static. There currently there is only one allowed option, so the default is implict if not the setting is not defined.

• full-pcpus-only

• TOML
• apiclient

# When `settings.kubernetes.cpu-manager-policy` is set to `static`
[settings.kubernetes]
cpu-manager-policy-options = ["full-pcpus-only"]

apiclient apply <<EOF
[settings.kubernetes]
cpu-manager-policy-options = ["full-pcpus-only"]
EOF

• Static policy options
• cpuManagerPolicyOptions in Kubelet Configuration
• settings.kubernetes.cpu-manager-policy-options

settings.kubernetes.cpu-manager-reconcile-period

Specifies the CPU manager reconcile period, which controls how often updated CPU assignments are written to cgroupfs. The value is a duration like 30s for 30 seconds or 1h5m for 1 hour and 5 minutes.

• cpuManagerReconcilePeriod in Kubelet Configuration

settings.kubernetes.credential-providers

Contains a collection of Kubelet image credential provider settings. Each key under this setting is the name of the plugin to configure. See Example 1 below. The ecr-credential-provider plugin can also be used for AWS IAM Roles Anywhere support. IAM Roles Anywhere is configured using the settings.aws.config setting. The content of that setting needs to configure the credential_process using the aws_signing_helper using your IAM Roles Anywhere settings, see Example 2 below.

• TOML

# Example 1: user data for configuring the `ecr-credential-provider` credential provider plug-in
[settings.kubernetes.credential-providers.ecr-credential-provider]
enabled = true
# (optional - defaults to "12h")
cache-duration = "30m"
image-patterns = [
  # One or more URL paths to match an image prefix. Supports globbing of subdomains.
  "*.dkr.ecr.us-east-2.amazonaws.com",
  "*.dkr.ecr.us-west-2.amazonaws.com"
]

[settings.kubernetes.credential-providers.ecr-credential-provider.environment]
# The following are not used with ecr-credential-provider, but are provided for illustration
"KEY" = "abc123xyz"
"GOMAXPROCS" = "2"

# Example 2: `credential_process` using the `aws_signing_helper`
[default]
region = us-west-2
credential_process = aws_signing_helper credential-process --certificate /var/lib/kubelet/pki/kubelet-client-current.pem --private-key /var/lib/kubelet/pki/kubelet-client-current.pem --profile-arn [profile ARN]
   --role-arn [role ARN]
   --trust-anchor-arn [trust anchor ARN]

• Roles Anywhere documentation on aws_signing_helper arguments

settings.kubernetes.static-pods.<custom identifier>.enabled

Whether the static pod is enabled.

• Static Pods & standalone mode
• settings.kubernetes.customid_manifest

settings.kubernetes.static-pods.<custom identifier>.manifest

A base64-encoded pod manifest.

• Static Pods & standalone mode
• settings.kubernetes.customid_enabled

settings.kubernetes.event-burst

The maximum size of a burst of event creations.

• eventBurst in Kubelet Configuration

settings.kubernetes.event-qps

The maximum event creations per second.

• eventRecordQPS in Kubelet Configuration

settings.kubernetes.eviction-hard

The signals and thresholds that trigger pod eviction. Keys are signals and must be quoted since they contain a dot (.).

• TOML
• apiclient

[settings.kubernetes.eviction-hard]
"memory.available" = "15%"

apiclient set settings.kubernetes.eviction-hard."memory.available"="15%"

• evictionHard in Kubelet Configuration
• settings.kubernetes.eviction-soft

settings.kubernetes.eviction-max-pod-grace-period

Maximum grace period, in seconds, to wait for pod termination before soft eviction.

Default: 0

• TOML
• apiclient

[settings.kubernetes]
eviction-max-pod-grace-period = 40

apiclient set settings.kubernetes.eviction-max-pod-grace-period=40

• evictionMaxPodGracePeriod in Kubelet Configuration
• settings.kubernetes.eviction-soft

settings.kubernetes.eviction-soft

The signals and thresholds that trigger pod eviction with a provided grace period (settings.kubernetes.eviction-soft-grace-period). Keys are signals and must be quoted since they contain a dot (.).

• TOML
• apiclient

[settings.kubernetes.eviction-soft]
"memory.available" = "12%"

apiclient set settings.kubernetes.eviction-soft."memory.available"="12%"

• evictionSoft in Kubelet Configuration
• settings.kubernetes.eviction-hard
• settings.kubernetes.eviction-max-pod-grace-period
• settings.kubernetes.eviction-soft-grace-period

settings.kubernetes.eviction-soft-grace-period

Delay for each signal to wait for pod termination before eviction. Keys are signals and must be quoted since they contain a dot (.).

• TOML
• apiclient

[settings.kubernetes.eviction-soft-grace-period]
"memory.available" = "30s"

apiclient set settings.kubernetes.eviction-soft-grace-period."memory.available"="30s"

• evictionSoftGracePeriod in Kubelet Configuration
• settings.kubernetes.eviction-soft

settings.kubernetes.hostname-override

The node name kubelet uses as identification instead of the hostname or the name determined by the in-tree cloud provider if that’s enabled.

• --hostname-override in Kubelet Options

settings.kubernetes.image-gc-high-threshold-percent

The percent of disk usage after which image garbage collection is always run, expressed as an integer from 0-100 inclusive.

If you downgrade from 1.14.0 to an earlier version, the values will be automatically converted to strings.

• TOML
• apiclient

# After 1.14.0, the value can be represented as a integer or string for backwards compatiblity.
[settings.kubernetes]
image-gc-high-threshold-percent = 85

# Before 1.14.0, the value must be represented as a string.
[settings.kubernetes]
image-gc-high-threshold-percent = "85"

apiclient set settings.kubernetes.image-gc-high-threshold-percent=85

apiclient set settings.kubernetes.image-gc-high-threshold-percent="85"

• imageGCHighThresholdPercent in Kubelet Configuration
• settings.kubernetes.image-gc-low-threshold-percent

settings.kubernetes.image-gc-low-threshold-percent

The percent of disk usage before which image garbage collection is never run, expressed as an integer from 0-100 inclusive.

If you downgrade from 1.14.0 to an earlier version, the values will be automatically converted to strings.

• TOML
• apiclient

# After 1.14.0, the value can be represented as a integer or string for backwards compatiblity.
[settings.kubernetes]
image-gc-low-threshold-percent = 80

# Before 1.14.0, the value must be represented as a string.
[settings.kubernetes]
image-gc-low-threshold-percent = "80"

apiclient set settings.kubernetes.image-gc-low-threshold-percent=80

apiclient set settings.kubernetes.image-gc-low-threshold-percent="80"

• imageGCLowThresholdPercent in Kubelet Configuration
• settings.kubernetes.image-gc-high-threshold-percent

settings.kubernetes.kube-api-burst

The burst to allow while talking with kubernetes.

• kubeAPIBurst in Kubelet Configuration

settings.kubernetes.kube-api-qps

The QPS to use while talking with kubernetes apiserver.

• kubeAPIQPS in Kubelet Configuration

settings.kubernetes.kube-reserved

Resources reserved for node components. The following keys are valid:

• cpu: in millicores from the total number of vCPUs available on the instance.
• memory: in mebibytes from the max num of pods on the instance. memory_to_reserve = max_num_pods * 11 + 255.
• ephemeral-storage: defaults to 1Gi.

• kubeReserved in Kubelet Configuration

settings.kubernetes.log-level

The logging verbosity of the kubelet process. Higher numbers enabling more verbose logging.

Default: 2

• --v Level in Kubelet Options

settings.kubernetes.max-pods

The maximum number of pods that can be scheduled on this node (limited by number of available IPv4 addresses).

• maxPods in Kubelet Configuration

settings.kubernetes.memory-manager-policy

The memory management policy to use: None or Static. When using the Static policy you should also set settings.kubernetes.memory-manager-reserved-memory values.

Default: None

• memoryManagerPolicy in Kubelet Configuration
• settings.kubernetes.memory-manager-reserved-memory

settings.kubernetes.memory-manager-reserved-memory

Set the total amount of reserved memory for a node. settings.kubernetes.memory-manager-reserved-memory is set per NUMA node. These settings are used to configure memory manager policy when settings.kubernetes.memory-manager-policy is set to Static.

• TOML

[settings.kubernetes]
"memory-manager-policy" = "Static"

[settings.kubernetes.memory-manager-reserved-memory.0]
# Reserve a single 1GiB huge page along with 674MiB of memory
"enabled" = true
"memory" = "674Mi"
"hugepages-1Gi" = "1Gi"

[settings.kubernetes.memory-manager-reserved-memory.1]
# Reserve 1,074 2MiB huge pages
"enabled" = true
"hugepages-2Mi" = "2148Mi"

• Utilizing the NUMA-aware Memory Manager

settings.kubernetes.node-ip

The IP address of the node.

settings.kubernetes.node-labels

Labels in the form of key, value pairs added when registering the node in the cluster.

• TOML
• apiclient

[settings.kubernetes.node-labels]
label1 = foo
label2 = bar

apiclient set settings.kubernetes.node-labels.label1=foo \ 
 	settings.kubernetes.node-labels.label2=bar

• Node labels & taints
• Labels and Selectors

settings.kubernetes.node-taints

Taints in the form of key, values and effects entries added when registering the node in the cluster.

• TOML
• apiclient

[settings.kubernetes.node-taints]
dedicated = ["experimental:PreferNoSchedule", "experimental:NoExecute"]
special = ["true:NoSchedule"]

apiclient set settings.kubernetes.node-taints.dedicated=["experimental:PreferNoSchedule", "experimental:NoExecute"] \ 
 	settings.kubernetes.node-taints.special=["true:NoSchedule"]

• Node labels & taints
• Taints and Tolerations

settings.kubernetes.pod-infra-container-image

The URI of the ‘pause’ container.

• --pod-infra-container-image in Kubelet Options

settings.kubernetes.pod-pids-limit

The maximum number of processes per pod.

• podPidsLimit in Kubelet Configuration

settings.kubernetes.provider-id

The way an external provider identifies a node.

• providerID in Kubelet Configuration

settings.kubernetes.registry-burst

The maximum size of bursty pulls.

• registryBurst in Kubelet Configuration

settings.kubernetes.registry-qps

The registry pull QPS.

• registryPullQPS in Kubelet Configuration

settings.kubernetes.seccomp-default

Enable RuntimeDefault as the default seccomp profile for all workloads via kubelet-configuration

Default: false

• true
• false

settings.kubernetes.server-certificate

The base64 encoded content of an x509 certificate for the kubelet web server, which is used for retrieving logs and executing commands.

• --tls-cert-file in Kubelet Options

settings.kubernetes.server-key

The base64 encoded content of an x509 private key for the kubelet web server.

• --tls-key-file in Kubelet Options

settings.kubernetes.server-tls-bootstrap

Enables or disables server certificate bootstrap. When enabled, the kubelet will request a certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests (CSR).

Default: true

• serverTLSBootstrap in Kubelet Configuration

settings.kubernetes.shutdown-grace-period

Delay the node should wait for pod termination before shutdown.

Default: 0s

• shutdownGracePeriod in Kubelet Configuration

settings.kubernetes.shutdown-grace-period-for-critical-pods

The portion of the shutdown delay that should be dedicated to critical pod shutdown. Default is 0s.

Default: false

• shutdownGracePeriodCriticalPods in Kubelet Configuration

settings.kubernetes.standalone-mode

It true, kubelet runs in standalone mode without connecting to an API server.

Default: false

• true
• false

• Static Pods & standalone mode

settings.kubernetes.system-reserved

Resources reserved for system components.

• TOML
• apiclient

# Example user data for setting up system reserved
[settings.kubernetes.system-reserved]
cpu = "10m"
ephemeral-storage = "1Gi"
memory = "100Mi"

apiclient set settings.kubernetes.system-reserved.cpu="10m" \ 
 	settings.kubernetes.system-reserved.ephemeral-storage="1Gi" \ 
 	settings.kubernetes.system-reserved.memory="100Mi"

• systemReserved in Kubelet Configuration

settings.kubernetes.topology-manager-policy

Specifies the topology manager policy.

Default: none

• none
• restricted
• best-effort
• single-numa-node

• topologyManagerPolicy in Kubelet Configuration
• Utilizing the NUMA-aware Memory Manager

settings.kubernetes.topology-manager-scope

Specifies the topology manager scope. If you want to group all containers in a pod to a common set of NUMA nodes, you can set this setting to pod.

Default: container

• container
• pod

• topologyManagerPolicy in Kubelet Configuration
• Utilizing the NUMA-aware Memory Manager