From ee81eeccfa40d0ffe5dd76aab3be997205115a88 Mon Sep 17 00:00:00 2001 From: Qiming Teng Date: Mon, 18 Jan 2021 21:15:12 +0800 Subject: [PATCH] [zh] Resync kube-apiserver reference --- .../kube-apiserver.md | 393 ++++++++++-------- 1 file changed, 216 insertions(+), 177 deletions(-) diff --git a/content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md index c871a3dc4f..24c8fe683e 100644 --- a/content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md +++ b/content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md @@ -245,6 +245,19 @@ Maximum average number of batches per second. Only used in batch mode. + +--audit-log-compress + + + + +若设置了此标志,则轮换的日志文件会使用 gzip 压缩。 + + + + 尽管位于默认启用的插件列表中(NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionWebhook、ResourceQuota)仍须被禁用的插件。 -
取值为逗号分隔的准入插件列表:AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook。 +
取值为逗号分隔的准入插件列表:AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyEscalatingExec、DenyExecOnPrivileged、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurityPolicy、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionWebhook。
该标志中插件的顺序无关紧要。 @@ -1041,10 +1055,10 @@ File with apiserver egress selector configuration. 除了默认启用的插件(NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionWebhook、ResourceQuota)之外要启用的插件 -
取值为逗号分隔的准入插件列表:AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook +
取值为逗号分隔的准入插件列表:AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyEscalatingExec、DenyExecOnPrivileged、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurityPolicy、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionWebhook
该标志中插件的顺序无关紧要。 @@ -1220,6 +1234,18 @@ The interval of requests to poll etcd and update metric. 0 disables the metric c + +--etcd-healthcheck-timeout duration      +检查 etcd 健康状况时使用的超时时长。 + + + --etcd-keyfile string @@ -1293,6 +1319,18 @@ Amount of time to retain events. + +--experimental-logging-sanitization + + + + +[试验性功能] 启用此标志时,被标记为敏感的字段(密码、密钥、令牌)都不会被日志输出。
+运行时的日志清理可能会引入相当程度的计算开销,因此不应该在产品环境中启用。 + + + --external-hostname string @@ -1312,97 +1350,102 @@ The hostname to use when generating externalized URLs for this master -一组 key=value 对,用来描述测试性/试验性功能的特性门控(Feature Gate)。可选项有: +一组 key=value 对,用来描述测试性/试验性功能的特性门控。可选项有:
APIListChunking=true|false (BETA - 默认值=true) -
APIPriorityAndFairness=true|false (ALPHA - 默认值=false) +
APIPriorityAndFairness=true|false (BETA - 默认值=true)
APIResponseCompression=true|false (BETA - 默认值=true) +
APIServerIdentity=true|false (ALPHA - 默认值=false)
AllAlpha=true|false (ALPHA - 默认值=false)
AllBeta=true|false (BETA - 默认值=false)
AllowInsecureBackendProxy=true|false (BETA - 默认值=true) @@ -1426,31 +1469,40 @@ A set of key=value pairs that describe feature gates for alpha/experimental feat
CSIMigrationOpenStackComplete=true|false (ALPHA - 默认值=false)
CSIMigrationvSphere=true|false (BETA - 默认值=false)
CSIMigrationvSphereComplete=true|false (BETA - 默认值=false) +
CSIServiceAccountToken=true|false (ALPHA - 默认值=false)
CSIStorageCapacity=true|false (ALPHA - 默认值=false) -
CSIVolumeFSGroupPolicy=true|false (ALPHA - 默认值=false) -
ConfigurableFSGroupPolicy=true|false (ALPHA - 默认值=false) +
CSIVolumeFSGroupPolicy=true|false (BETA - 默认值=true) +
ConfigurableFSGroupPolicy=true|false (BETA - 默认值=true) +
CronJobControllerV2=true|false (ALPHA - 默认值=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false) -
DefaultPodTopologySpread=true|false (ALPHA - 默认值=false) +
DefaultPodTopologySpread=true|false (BETA - 默认值=true)
DevicePlugins=true|false (BETA - 默认值=true) -
DisableAcceleratorUsageMetrics=true|false (ALPHA - 默认值=false) +
DisableAcceleratorUsageMetrics=true|false (BETA - 默认值=true) +
DownwardAPIHugePages=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (BETA - 默认值=true) +
EfficientWatchResumption=true|false (ALPHA - 默认值=false)
EndpointSlice=true|false (BETA - 默认值=true) +
EndpointSliceNodeName=true|false (ALPHA - 默认值=false)
EndpointSliceProxying=true|false (BETA - 默认值=true) +
EndpointSliceTerminatingCondition=true|false (ALPHA - 默认值=false)
EphemeralContainers=true|false (ALPHA - 默认值=false)
ExpandCSIVolumes=true|false (BETA - 默认值=true)
ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)
ExpandPersistentVolumes=true|false (BETA - 默认值=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)
GenericEphemeralVolume=true|false (ALPHA - 默认值=false) +
GracefulNodeShutdown=true|false (ALPHA - 默认值=false) +
HPAContainerMetrics=true|false (ALPHA - default=false)
HPAScaleToZero=true|false (ALPHA - 默认值=false)
HugePageStorageMediumSize=true|false (BETA - 默认值=true) -
HyperVContainer=true|false (ALPHA - 默认值=false)
IPv6DualStack=true|false (ALPHA - 默认值=false)
ImmutableEphemeralVolumes=true|false (BETA - 默认值=true) +
KubeletCredentialProviders=true|false (ALPHA - 默认值=false)
KubeletPodResources=true|false (BETA - 默认值=true)
LegacyNodeRoleBehavior=true|false (BETA - 默认值=true)
LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false) +
MixedProtocolLBService=true|false (ALPHA - 默认值=false)
NodeDisruptionExclusion=true|false (BETA - 默认值=true)
NonPreemptingPriority=true|false (BETA - 默认值=true)
PodDisruptionBudget=true|false (BETA - 默认值=true) @@ -1458,32 +1510,26 @@ A set of key=value pairs that describe feature gates for alpha/experimental feat
ProcMountType=true|false (ALPHA - 默认值=false)
QOSReserved=true|false (ALPHA - 默认值=false)
RemainingItemCount=true|false (BETA - 默认值=true) -
RemoveSelfLink=true|false (ALPHA - 默认值=false) +
RemoveSelfLink=true|false (BETA - 默认值=true) +
RootCAConfigMap=true|false (BETA - 默认值=true)
RotateKubeletServerCertificate=true|false (BETA - 默认值=true)
RunAsGroup=true|false (BETA - 默认值=true) -
RuntimeClass=true|false (BETA - 默认值=true) -
SCTPSupport=true|false (BETA - 默认值=true) -
SelectorIndex=true|false (BETA - 默认值=true)
ServerSideApply=true|false (BETA - 默认值=true) -
ServiceAccountIssuerDiscovery=true|false (ALPHA - 默认值=false) -
ServiceAppProtocol=true|false (BETA - 默认值=true) +
ServiceAccountIssuerDiscovery=true|false (BETA - 默认值=true) +
ServiceLBNodePortControl=true|false (ALPHA - 默认值=false)
ServiceNodeExclusion=true|false (BETA - 默认值=true)
ServiceTopology=true|false (ALPHA - 默认值=false) -
SetHostnameAsFQDN=true|false (ALPHA - 默认值=false) -
StartupProbe=true|false (BETA - 默认值=true) +
SetHostnameAsFQDN=true|false (BETA - 默认值=true) +
SizeMemoryBackedVolumes=true|false (ALPHA - 默认值=false) +
StorageVersionAPI=true|false (ALPHA - 默认值=false)
StorageVersionHash=true|false (BETA - 默认值=true) -
SupportNodePidsLimit=true|false (BETA - 默认值=true) -
SupportPodPidsLimit=true|false (BETA - 默认值=true)
Sysctls=true|false (BETA - 默认值=true)
TTLAfterFinished=true|false (ALPHA - 默认值=false) -
TokenRequest=true|false (BETA - 默认值=true) -
TokenRequestProjection=true|false (BETA - 默认值=true)
TopologyManager=true|false (BETA - 默认值=true)
ValidateProxyRedirects=true|false (BETA - 默认值=true) -
VolumeSnapshotDataSource=true|false (BETA - 默认值=true)
WarningHeaders=true|false (BETA - 默认值=true)
WinDSR=true|false (ALPHA - 默认值=false) -
WinOverlay=true|false (ALPHA - 默认值=false) +
WinOverlay=true|false (BETA - 默认值=true)
WindowsEndpointSliceProxying=true|false (ALPHA - 默认值=false) @@ -1538,6 +1584,32 @@ of streams in an HTTP/2 connection. Zero means to use golang's default. + +--identity-lease-duration-seconds int     默认值:3600 + + + + +kube-apiserver 租约时长(按秒计),必须是正数。 +(当 APIServerIdentity 特性门控被启用时使用此标志值) + + + + +--identity-lease-renew-interval-seconds int     默认值:10 + + + + +kube-apiserver 对其租约进行续期的时间间隔(按秒计),必须是正数。 +(当 APIServerIdentity 特性门控被启用时使用此标志值) + + + --kubelet-certificate-authority string @@ -1681,12 +1753,7 @@ If non-empty, use this log file - - ---log-file-max-size uint     默认值:1800 - +--log-file-max-size uint     默认值:1800 @@ -1700,12 +1767,7 @@ If the value is 0, the maximum file size is unlimited. - - ---log-flush-frequency duration     默认值:5s - +--log-flush-frequency duration     默认值:5s @@ -1717,23 +1779,16 @@ Maximum number of seconds between log flushes - - ---logging-format string     默认值:"text" - +--logging-format string     默认值:"text" -设置日志格式。允许的格式:"text","json"。 -
非默认格式不支持以下标志:--add_dir_header、--alsologtostderr、--log_backtrace_at、--log_dir、--log_file、--log_file_max_size、--logtostderr、-skip_headers、-skip_log_headers、-stderrthreshold、-vmodule和--log-flush-frequency。 -
当前非默认选择为 alpha,并且会随时更改而不会发出警告。 +设置日志格式。允许的格式:"json","json"。
+非默认格式不支持以下标志:--add_dir_header--alsologtostderr--log_backtrace_at--log_dir--log_file--log_file_max_size--logtostderr--one_output-skip_headers-skip_log_headers--stderrthreshold-vmodule--log-flush-frequency
+当前非默认选择为 alpha,会随时更改而不会发出警告。 @@ -1988,6 +2043,19 @@ If not provided, username claims other than 'email' are prefixed + +--one-output + + + + +此标志为真时,日志只会被写入到其原生的严重性级别中(而不是同时写到所有较低 +严重性级别中)。 + + + --permit-port-sharing @@ -2003,12 +2071,7 @@ which allows more than one instance to bind on the same address and port. [defau - - ---profiling     默认值:true - +--profiling     默认值:true @@ -2059,12 +2122,7 @@ webhook admission plugins. - - ---request-timeout duration     默认值:1m0s - +--request-timeout duration     默认值:1m0s @@ -2075,7 +2133,8 @@ requests but may be overridden by flags such as --min-request-timeout for specific types of requests. --> 可选字段,指示处理程序在超时之前必须保持打开请求的持续时间。 -这是请求的默认请求超时,但对于特定类型的请求,可能会被 --min-request-timeout 等标志覆盖。 +这是请求的默认请求超时,但对于特定类型的请求,可能会被 +--min-request-timeout等标志覆盖。 @@ -2107,7 +2166,7 @@ incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. --> -在信任请求头中以 --requestheader-username-headers 指示的用户名之前, +在信任请求头中以 --requestheader-username-headers 指示的用户名之前, 用于验证接入请求中客户端证书的根证书包。 警告:一般不要假定传入请求已被授权。 @@ -2195,7 +2254,7 @@ It cannot be switched off with 0. ---service-account-extend-token-expiration +--service-account-extend-token-expiration     默认值:true @@ -2213,7 +2272,7 @@ If this flag is enabled, admission injected tokens would be extended up to ---service-account-issuer {service-account-issuer}/.well-known/openid-configuration +--service-account-issuer string @@ -2314,14 +2373,14 @@ a token will be issued with a validity duration of this value. --service-account-signing-key-file string + 包含服务帐户令牌颁发者当前私钥的文件的路径。 -颁发者将使用此私钥签署所颁发的 ID 令牌(需要启用 "TokenRequest" 特性门控)。 +颁发者将使用此私钥签署所颁发的 ID 令牌。 @@ -2340,12 +2399,7 @@ CIDR 表示的 IP 范围用来为服务分配集群 IP。 - - ---service-node-port-range portRange     默认值:30000-32767 - +--service-node-port-range portRange     默认值:30000-32767 @@ -2421,12 +2475,7 @@ If true, avoid headers when opening log files - - ---stderrthreshold severity     默认值:2 - +--stderrthreshold severity     默认值:2 @@ -2450,12 +2499,7 @@ The storage backend for persistence. Options: 'etcd3' (default). - - ---storage-media-type string     默认值:"application/vnd.kubernetes.protobuf" - +--storage-media-type string     默认值:"application/vnd.kubernetes.protobuf" @@ -2605,12 +2649,7 @@ comma-separated list of pattern=N settings for file-filtered logging - - ---watch-cache     默认值:true - +--watch-cache     默认值:true