kube-scheduler

Synopsis

The Kubernetes scheduler is a control plane process which assigns Pods to Nodes. The scheduler determines which Nodes are valid placements for each Pod in the scheduling queue according to constraints and available resources. The scheduler then ranks each valid Node and binds the Pod to a suitable Node. Multiple different schedulers may be used within a cluster; kube-scheduler is the reference implementation. See scheduling for more information about scheduling and the kube-scheduler component.

  1. kube-scheduler [flags]

Options

—add-dir-header

If true, adds the file directory to the header of the log messages

—address string     Default: “0.0.0.0”

DEPRECATED: the IP address on which to listen for the —port port (set to 0.0.0.0 or :: for listening in all interfaces and IP families). See —bind-address instead. This parameter is ignored if a config file is specified in —config.

—algorithm-provider string

DEPRECATED: the scheduling algorithm provider to use, this sets the default plugins for component config profiles. Choose one of: ClusterAutoscalerProvider | DefaultProvider

—allow-metric-labels stringToString     Default: []

The map from metric-label to value allow-list of this label. The key’s format is ,. The value’s format is <allowed_value>,<allowed_value>…e.g. metric1,label1=’v1,v2,v3’, metric1,label2=’v1,v2,v3’ metric2,label1=’v1,v2,v3’.

—alsologtostderr

log to standard error as well as files

—authentication-kubeconfig string

kubeconfig file pointing at the ‘core’ kubernetes server with enough rights to create tokenreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster.

—authentication-skip-lookup

If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster.

—authentication-token-webhook-cache-ttl duration     Default: 10s

The duration to cache responses from the webhook token authenticator.

—authentication-tolerate-lookup-failure     Default: true

If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.

—authorization-always-allow-paths strings     Default: “/healthz,/readyz,/livez”

A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the ‘core’ kubernetes server.

—authorization-kubeconfig string

kubeconfig file pointing at the ‘core’ kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden.

—authorization-webhook-cache-authorized-ttl duration     Default: 10s

The duration to cache ‘authorized’ responses from the webhook authorizer.

—authorization-webhook-cache-unauthorized-ttl duration     Default: 10s

The duration to cache ‘unauthorized’ responses from the webhook authorizer.

—azure-container-registry-config string

Path to the file containing Azure container registry configuration information.

—bind-address string     Default: 0.0.0.0

The IP address on which to listen for the —secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used.

—cert-dir string

The directory where the TLS certs are located. If —tls-cert-file and —tls-private-key-file are provided, this flag will be ignored.

—client-ca-file string

If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

—config string

The path to the configuration file. The following flags can overwrite fields in this file:
—algorithm-provider
—policy-config-file
—policy-configmap
—policy-configmap-namespace

—contention-profiling     Default: true

DEPRECATED: enable lock contention profiling, if profiling is enabled. This parameter is ignored if a config file is specified in —config.

—disabled-metrics strings

This flag provides an escape hatch for misbehaving metrics. You must provide the fully qualified metric name in order to disable it. Disclaimer: disabling metrics is higher in precedence than showing hidden metrics.

—experimental-logging-sanitization

[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

—feature-gates <comma-separated ‘key=True|False’ pairs>

A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APIServerIdentity=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AnyVolumeDataSource=true|false (ALPHA - default=false)
AppArmor=true|false (BETA - default=true)
BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
BoundServiceAccountTokenVolume=true|false (BETA - default=true)
CPUManager=true|false (BETA - default=true)
CSIInlineVolume=true|false (BETA - default=true)
CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=false)
CSIMigrationAzureDisk=true|false (BETA - default=false)
CSIMigrationAzureFile=true|false (BETA - default=false)
CSIMigrationGCE=true|false (BETA - default=false)
CSIMigrationOpenStack=true|false (BETA - default=true)
CSIMigrationvSphere=true|false (BETA - default=false)
CSIMigrationvSphereComplete=true|false (BETA - default=false)
CSIServiceAccountToken=true|false (BETA - default=true)
CSIStorageCapacity=true|false (BETA - default=true)
CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
CSIVolumeHealth=true|false (ALPHA - default=false)
ConfigurableFSGroupPolicy=true|false (BETA - default=true)
ControllerManagerLeaderMigration=true|false (ALPHA - default=false)
CronJobControllerV2=true|false (BETA - default=true)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
DaemonSetUpdateSurge=true|false (ALPHA - default=false)
DefaultPodTopologySpread=true|false (BETA - default=true)
DevicePlugins=true|false (BETA - default=true)
DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
DownwardAPIHugePages=true|false (BETA - default=false)
DynamicKubeletConfig=true|false (BETA - default=true)
EfficientWatchResumption=true|false (BETA - default=true)
EndpointSliceProxying=true|false (BETA - default=true)
EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
EphemeralContainers=true|false (ALPHA - default=false)
ExpandCSIVolumes=true|false (BETA - default=true)
ExpandInUsePersistentVolumes=true|false (BETA - default=true)
ExpandPersistentVolumes=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GenericEphemeralVolume=true|false (BETA - default=true)
GracefulNodeShutdown=true|false (BETA - default=true)
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - default=false)
HugePageStorageMediumSize=true|false (BETA - default=true)
IPv6DualStack=true|false (BETA - default=true)
InTreePluginAWSUnregister=true|false (ALPHA - default=false)
InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
InTreePluginGCEUnregister=true|false (ALPHA - default=false)
InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
IndexedJob=true|false (ALPHA - default=false)
IngressClassNamespacedParams=true|false (ALPHA - default=false)
KubeletCredentialProviders=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)
LocalStorageCapacityIsolation=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
LogarithmicScaleDown=true|false (ALPHA - default=false)
MemoryManager=true|false (ALPHA - default=false)
MixedProtocolLBService=true|false (ALPHA - default=false)
NamespaceDefaultLabelName=true|false (BETA - default=true)
NetworkPolicyEndPort=true|false (ALPHA - default=false)
NonPreemptingPriority=true|false (BETA - default=true)
PodAffinityNamespaceSelector=true|false (ALPHA - default=false)
PodDeletionCost=true|false (ALPHA - default=false)
PodOverhead=true|false (BETA - default=true)
PreferNominatedNode=true|false (ALPHA - default=false)
ProbeTerminationGracePeriod=true|false (ALPHA - default=false)
ProcMountType=true|false (ALPHA - default=false)
QOSReserved=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RemoveSelfLink=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
ServerSideApply=true|false (BETA - default=true)
ServiceInternalTrafficPolicy=true|false (ALPHA - default=false)
ServiceLBNodePortControl=true|false (ALPHA - default=false)
ServiceLoadBalancerClass=true|false (ALPHA - default=false)
ServiceTopology=true|false (ALPHA - default=false)
SetHostnameAsFQDN=true|false (BETA - default=true)
SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
SuspendJob=true|false (ALPHA - default=false)
TTLAfterFinished=true|false (BETA - default=true)
TopologyAwareHints=true|false (ALPHA - default=false)
TopologyManager=true|false (BETA - default=true)
ValidateProxyRedirects=true|false (BETA - default=true)
VolumeCapacityPriority=true|false (ALPHA - default=false)
WarningHeaders=true|false (BETA - default=true)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsEndpointSliceProxying=true|false (BETA - default=true)

—hard-pod-affinity-symmetric-weight int32     Default: 1

DEPRECATED: RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. —hard-pod-affinity-symmetric-weight represents the weight of implicit PreferredDuringScheduling affinity rule. Must be in the range 0-100.This parameter is ignored if a config file is specified in —config.

-h, —help

help for kube-scheduler

—http2-max-streams-per-connection int

The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang’s default.

—kube-api-burst int32     Default: 100

DEPRECATED: burst to use while talking with kubernetes apiserver. This parameter is ignored if a config file is specified in —config.

—kube-api-content-type string     Default: “application/vnd.kubernetes.protobuf”

DEPRECATED: content type of requests sent to apiserver. This parameter is ignored if a config file is specified in —config.

—kube-api-qps float     Default: 50

DEPRECATED: QPS to use while talking with kubernetes apiserver. This parameter is ignored if a config file is specified in —config.

—kubeconfig string

DEPRECATED: path to kubeconfig file with authorization and master location information. This parameter is ignored if a config file is specified in —config.

—leader-elect     Default: true

Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.

—leader-elect-lease-duration duration     Default: 15s

The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

—leader-elect-renew-deadline duration     Default: 10s

The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.

—leader-elect-resource-lock string     Default: “leases”

The type of resource object that is used for locking during leader election. Supported options are ‘endpoints’, ‘configmaps’, ‘leases’, ‘endpointsleases’ and ‘configmapsleases’.

—leader-elect-resource-name string     Default: “kube-scheduler”

The name of resource object that is used for locking during leader election.

—leader-elect-resource-namespace string     Default: “kube-system”

The namespace of resource object that is used for locking during leader election.

—leader-elect-retry-period duration     Default: 2s

The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

—lock-object-name string     Default: “kube-scheduler”

DEPRECATED: define the name of the lock object. Will be removed in favor of leader-elect-resource-name. This parameter is ignored if a config file is specified in —config.

—lock-object-namespace string     Default: “kube-system”

DEPRECATED: define the namespace of the lock object. Will be removed in favor of leader-elect-resource-namespace. This parameter is ignored if a config file is specified in —config.

—log-backtrace-at <a string in the form ‘file:N’>     Default: :0

when logging hits line file:N, emit a stack trace

—log-dir string

If non-empty, write log files in this directory

—log-file string

If non-empty, use this log file

—log-file-max-size uint     Default: 1800

Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

—log-flush-frequency duration     Default: 5s

Maximum number of seconds between log flushes

—logging-format string     Default: “text”

Sets the log format. Permitted formats: “json”, “text”.
Non-default formats don’t honor these flags: —add-dir-header, —alsologtostderr, —log-backtrace-at, —log-dir, —log-file, —log-file-max-size, —logtostderr, —one-output, —skip-headers, —skip-log-headers, —stderrthreshold, —vmodule, —log-flush-frequency.
Non-default choices are currently alpha and subject to change without warning.

—logtostderr     Default: true

log to standard error instead of files

—master string

The address of the Kubernetes API server (overrides any value in kubeconfig)

—one-output

If true, only write logs to their native severity level (vs also writing to each lower severity level)

—permit-address-sharing

If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]

—permit-port-sharing

If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]

—policy-config-file string

DEPRECATED: file with scheduler policy configuration. This file is used if policy ConfigMap is not provided or —use-legacy-policy-config=true. Note: The scheduler will fail if this is combined with Plugin configs

—policy-configmap string

DEPRECATED: name of the ConfigMap object that contains scheduler’s policy configuration. It must exist in the system namespace before scheduler initialization if —use-legacy-policy-config=false. The config must be provided as the value of an element in ‘Data’ map with the key=’policy.cfg’. Note: The scheduler will fail if this is combined with Plugin configs

—policy-configmap-namespace string     Default: “kube-system”

DEPRECATED: the namespace where policy ConfigMap is located. The kube-system namespace will be used if this is not provided or is empty. Note: The scheduler will fail if this is combined with Plugin configs

—port int     Default: 10251

DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don’t serve plain HTTP at all. See —secure-port instead. This parameter is ignored if a config file is specified in —config.

—profiling     Default: true

DEPRECATED: enable profiling via web interface host:port/debug/pprof/. This parameter is ignored if a config file is specified in —config.

—requestheader-allowed-names strings

List of client certificate common names to allow to provide usernames in headers specified by —requestheader-username-headers. If empty, any client certificate validated by the authorities in —requestheader-client-ca-file is allowed.

—requestheader-client-ca-file string

Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by —requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.

—requestheader-extra-headers-prefix strings     Default: “x-remote-extra-“

List of request header prefixes to inspect. X-Remote-Extra- is suggested.

—requestheader-group-headers strings     Default: “x-remote-group”

List of request headers to inspect for groups. X-Remote-Group is suggested.

—requestheader-username-headers strings     Default: “x-remote-user”

List of request headers to inspect for usernames. X-Remote-User is common.

—scheduler-name string     Default: “default-scheduler”

DEPRECATED: name of the scheduler, used to select which pods will be processed by this scheduler, based on pod’s “spec.schedulerName”. This parameter is ignored if a config file is specified in —config.

—secure-port int     Default: 10259

The port on which to serve HTTPS with authentication and authorization. If 0, don’t serve HTTPS at all.

—show-hidden-metrics-for-version string

The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is ., e.g.: ‘1.16’. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that.

—skip-headers

If true, avoid header prefixes in the log messages

—skip-log-headers

If true, avoid headers when opening log files

—stderrthreshold int     Default: 2

logs at or above this threshold go to stderr

—tls-cert-file string

File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and —tls-cert-file and —tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by —cert-dir.

—tls-cipher-suites strings

Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.

—tls-min-version string

Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13

—tls-private-key-file string

File containing the default x509 private key matching —tls-cert-file.

—tls-sni-cert-key string

A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the —tls-sni-cert-key multiple times. Examples: “example.crt,example.key” or “foo.crt,foo.key:*.foo.com,foo.com”.

—use-legacy-policy-config

DEPRECATED: when set to true, scheduler will ignore policy ConfigMap and uses policy config file. Note: The scheduler will fail if this is combined with Plugin configs

-v, —v int

number for the log level verbosity

—version version[=true]

Print version information and quit

—vmodule <comma-separated ‘pattern=N’ settings>

comma-separated list of pattern=N settings for file-filtered logging

—write-config-to string

If set, write the configuration values to this file and exit.