Configuration options
auth table
| Parameter | Required | Description |
|---|---|---|
| | no | The name of the authorization back end to use. Default: |
| | no | The role assigned to new users for their private resource sets. Valid values: Default: |
auth.sessions
| Parameter | Required | Description |
|---|---|---|
| | no | The initial session lifetime, in minutes. Default: |
| | no | The length of time, in minutes, before a session expires within which, if the session is used, it is extended by the currently configured lifetime from that point. A value of Default: |
| | no | The maximum number of sessions that a user can have simultaneously active. If creating a new session would put a user over this limit, the least recently used session is deleted. A value of Default: |
| | no | If set, the user token is stored in |
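The three session settings above interact in a way that is easy to misjudge: renewal only happens when a session is actually used inside the window before expiry, the extension is a full lifetime measured from that moment, and the per-user cap evicts the least recently used session rather than refusing the new one. The Python below is an added example written for this page, not MKE code; the attribute names lifetime_minutes, renewal_threshold_minutes and per_user_limit, and the convention that 0 disables renewal or the cap, are assumptions made for the illustration.

```python
"""Session lifetime, renewal threshold and per-user session cap.

Added illustration of how the three auth.sessions settings interact. It is
not MKE code. The attribute names lifetime_minutes, renewal_threshold_minutes
and per_user_limit, and the convention that 0 disables renewal or the cap,
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionPolicy:
    lifetime_minutes: int = 60           # assumed name: initial session lifetime
    renewal_threshold_minutes: int = 20  # assumed name: renewal window; 0 disables
    per_user_limit: int = 10             # assumed name: concurrent cap; 0 means no cap


@dataclass
class Session:
    token: str
    user: str
    expires_at: int  # minutes on a simple clock supplied by the caller
    last_used: int


class SessionStore:
    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def create(self, user: str, token: str, now: int) -> Session:
        """Open a session; evict the user's least recently used one if over the cap."""
        mine = [s for s in self.sessions.values() if s.user == user]
        limit = self.policy.per_user_limit
        if limit and len(mine) >= limit:
            victim = min(mine, key=lambda s: s.last_used)
            del self.sessions[victim.token]
        session = Session(token, user, now + self.policy.lifetime_minutes, now)
        self.sessions[token] = session
        return session

    def use(self, token: str, now: int) -> Optional[Session]:
        """Validate a token on use; returns None once the session has expired."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[token]  # expired: reject and forget it
            return None
        remaining = session.expires_at - now
        threshold = self.policy.renewal_threshold_minutes
        if threshold and remaining <= threshold:
            # Used inside the renewal window: extend by a full lifetime from now,
            # not by adding to the old expiry, so idle sessions still age out.
            session.expires_at = now + self.policy.lifetime_minutes
        session.last_used = now
        return session

    def user_tokens(self, user: str):
        """Sorted tokens currently held by a user (for inspection)."""
        return sorted(s.token for s in self.sessions.values() if s.user == user)


if __name__ == "__main__":
    store = SessionStore(SessionPolicy(60, 20, 2))
    store.create("alice", "a1", now=0)
    print(store.use("a1", 30).expires_at)  # still 60: outside the renewal window
    print(store.use("a1", 45).expires_at)  # 105: renewed for a full lifetime from 45
```

A session that is never used never renews, so the threshold cannot keep an abandoned session alive; only the cap limits how many live sessions a single compromised credential can accumulate.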
auth.external_identity_provider (optional)
Available since MKE 3.5.0
Configures MKE with an external OpenID Connect (OIDC) identity provider.
| Parameter | Required | Description |
|---|---|---|
| | yes | Sets the OpenID discovery endpoint, ending in |
| | yes | Sets the client ID, which you obtain from your identity provider. |
| | no (recommended) | Sets the client secret, which you obtain from your identity provider. |
| | no | Sets the unique JWT ID token claim that contains the user names from your identity provider. Default: |
| | no | Sets the PEM certificate bundle that MKE uses to authenticate the discovery, issuer, and JWKS endpoints. |
| | no | Sets the HTTP proxy for your identity provider. |
| | no | Sets the HTTPS proxy for your identity provider. |
| | no | Sets the ID token issuer. If left blank, the value is obtained automatically from the discovery endpoint. |
| | no | Sets the MKE service ID with the JWK URI for the identity provider. If left blank, the service ID is generated automatically. Warning: do not remove or replace an existing value. |
auth.external_identity_provider.signInCriteria array (optional)
Available since MKE 3.5.0
An array of claims that ID tokens require for use with MKE.
| Parameter | Required | Description |
|---|---|---|
| | yes | Sets the name of the claim. |
| | yes | Sets the value for the claim in the form of a string. |
| | yes | Sets how MKE evaluates the JWT claim. Valid values: |
auth.external_identity_provider.adminRoleCriteria array (optional)
Available since MKE 3.5.0
An array of claims that admin user ID tokens require for use with MKE. Creating a new account using a token that satisfies the criteria determined by this array automatically produces an administrator account.
| Parameter | Required | Description |
|---|---|---|
| | yes | Sets the name of the claim. |
| | yes | Sets the value for the claim in the form of a string. |
| | yes | Sets how the JWT claim is evaluated. Valid values: |
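The signInCriteria and adminRoleCriteria arrays above share one evaluation model: every criterion in an array must hold, and a first login with a token that meets the admin criteria creates an administrator account, so the claim and the comparison mode chosen for that array decide who becomes admin. The Python below is an added example written for this page, not MKE code. It assumes each criterion is a mapping with the keys name, value and matchType, and that matchType is either "must" (the whole claim equals the value) or "contains" (the value is one member of a multi-valued claim); the page does not list MKE's actual valid values, so these modes and key names are assumptions. The criteria and claim sets are constructed samples.

```python
"""Evaluate decoded ID token claims against sign-in and admin-role criteria.

Added example, not MKE code. Assumptions: each criterion is a mapping with the
keys name, value and matchType, and matchType is one of "must" (the whole claim
equals the value) or "contains" (the value is one member of a multi-valued
claim). The page does not list MKE's actual valid values for the match type.
"""
from typing import Any, Dict, List, Sequence

Criterion = Dict[str, str]
Claims = Dict[str, Any]

MATCH_MUST = "must"          # assumed mode: exact, whole-claim comparison
MATCH_CONTAINS = "contains"  # assumed mode: membership in a list or token list


def claim_matches(claims: Claims, criterion: Criterion) -> bool:
    """True when the named claim satisfies one criterion; a missing claim never does."""
    name = criterion["name"]
    want = criterion["value"]
    mode = criterion["matchType"]
    if name not in claims:
        return False
    got = claims[name]
    if mode == MATCH_MUST:
        return isinstance(got, str) and got == want
    if mode == MATCH_CONTAINS:
        if isinstance(got, list):
            return want in got
        if isinstance(got, str):
            # Treat a space- or comma-separated string as a list of whole tokens;
            # deliberately not a substring test, which would let "x-admins-y"
            # satisfy a criterion whose value is "admins".
            return want in got.replace(",", " ").split()
        return False
    # Fail closed on a mode this evaluator does not understand.
    raise ValueError(f"unknown matchType: {mode!r}")


def satisfies_all(claims: Claims, criteria: Sequence[Criterion]) -> bool:
    """All criteria in an array must hold; an empty array is trivially satisfied."""
    return all(claim_matches(claims, c) for c in criteria)


def classify(claims: Claims, sign_in: Sequence[Criterion],
             admin_role: Sequence[Criterion]) -> str:
    """Return "denied", "user" or "admin" for a token's claims.

    An empty sign-in array imposes no restriction beyond a valid token; an
    empty admin array grants admin to nobody (a conservative assumption made
    for this example).
    """
    if not satisfies_all(claims, sign_in):
        return "denied"
    if admin_role and satisfies_all(claims, admin_role):
        return "admin"
    return "user"


# Constructed sample criteria and claim sets, not taken from any real deployment.
SIGN_IN_CRITERIA: List[Criterion] = [
    {"name": "tenant", "value": "example-corp", "matchType": MATCH_MUST},
]
ADMIN_ROLE_CRITERIA: List[Criterion] = [
    {"name": "groups", "value": "mke-admins", "matchType": MATCH_CONTAINS},
]

SAMPLE_TOKENS: Dict[str, Claims] = {
    "alice":   {"sub": "1", "tenant": "example-corp", "groups": ["developers"]},
    "bob":     {"sub": "2", "tenant": "example-corp", "groups": ["developers", "mke-admins"]},
    "mallory": {"sub": "3", "tenant": "other-corp",   "groups": ["mke-admins"]},
    "eve":     {"sub": "4", "tenant": "example-corp", "groups": "not-mke-admins-at-all"},
}


def classify_samples() -> Dict[str, str]:
    """Outcome per sample token: alice user, bob admin, mallory denied, eve user."""
    return {who: classify(claims, SIGN_IN_CRITERIA, ADMIN_ROLE_CRITERIA)
            for who, claims in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for who, outcome in classify_samples().items():
        print(f"{who:8s} -> {outcome}")
```

The design point worth checking in any real configuration is the same one the eve sample exercises: a membership or exact comparison on the admin claim, never a loose substring match, and a claim the identity provider controls centrally (a group membership) rather than one users can influence.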
registries array (optional)
An array of tables that specifies the MSR instances that are managed by the current MKE instance.
| Parameter | Required | Description |
|---|---|---|
| | yes | Sets the address for connecting to the MSR instance tied to the MKE cluster. |
| | yes | Sets the MSR instance's OpenID Connect client ID, as registered with the Docker authentication provider. |
| | no | Specifies the root CA bundle for the MSR instance if you are using a custom certificate authority (CA). The value is a string with the contents of a |
audit_log_configuration table (optional)
Configures audit logging options for MKE components.
| Parameter | Required | Description |
|---|---|---|
| | no | Specifies the audit logging level. Valid values: empty (to disable audit logs), Default: empty |
| | no | Sets support dumps to include audit logs in the logs of the Valid values: Default: |
scheduling_configuration table (optional)
Specifies scheduling options and the default orchestrator for new nodes.
Note
If you run a kubectl command, such as kubectl describe nodes, to view scheduling rules on Kubernetes nodes, the results presented do not reflect the MKE admin settings configuration. MKE uses taints to control container scheduling on nodes, which is unrelated to the kubectl Unschedulable boolean flag.
| Parameter | Required | Description |
|---|---|---|
| | no | Determines whether administrators can schedule containers on manager nodes. Valid values: Default: You can also set the parameter using the MKE web UI: |
| | no | Sets the type of orchestrator to use for new nodes that join the cluster. Valid values: Default: |
tracking_configuration table (optional)
Specifies the analytics data that MKE collects.
| Parameter | Required | Description |
|---|---|---|
| | no | Set to disable analytics of usage information. Valid values: Default: |
| | no | Set to disable analytics of API call information. Valid values: Default: |
| | no | Sets a label to be included with analytics. |
| | no | Set to enable OpsCare. Valid values: Default: |
trust_configuration table (optional)
Specifies whether MSR images require signing.
| Parameter | Required | Description |
|---|---|---|
| | no | Set to require the signing of images by content trust. Valid values: Default: You can also set the parameter using the MKE web UI: |
| | no | A string array that specifies which users or teams must sign images. |
| | no | A string array that specifies repositories that bypass the content trust check, for example, |
log_configuration table (optional)
Configures the logging options for MKE components.
| Parameter | Required | Description |
|---|---|---|
| | no | The protocol to use for remote logging. Valid values: Default: |
| | no | Specifies a remote syslog server to receive MKE controller logs. If omitted, controller logs are sent through the default Docker daemon logging driver from the |
| | no | The logging level for MKE components. Valid values (syslog priority levels): |
license_configuration table (optional)
Enables automatic renewal of the MKE license.
| Parameter | Required | Description |
|---|---|---|
| | no | Set to enable attempted automatic license renewal when the license nears expiration. If disabled, you must manually upload a renewed license after expiration. Valid values: Default: |
custom headers (optional)
Included when you need to set custom API headers. You can repeat this section multiple times to specify multiple separate headers. If you include custom headers, you must specify both name and value.
[[custom_api_server_headers]]
| Item | Description |
|---|---|
| name | Set to specify the name of the custom header with |
| value | Set to specify the value of the custom header with |
user_workload_defaults (optional)
A map describing default values to set on Swarm services at creation time if those fields are not explicitly set in the service spec.
[user_workload_defaults]
[user_workload_defaults.swarm_defaults]
| Parameter | Required | Description |
|---|---|---|
| | no | Delay between restart attempts. The value is given in the <number><value type> format. Valid value types include: Default: |
| | no | Maximum number of restarts before giving up. Default: |
cluster_config table (required)
Configures the cluster that the current MKE instance manages.
The dns, dns_opt, and dns_search settings configure the DNS settings for MKE components. These values, when assigned, override the settings in a container's /etc/resolv.conf file.
| Parameter | Required | Description |
|---|---|---|
| | yes | Sets the port that the Default: |
| | yes | Sets the port that the Kubernetes API server listens on. |
| | yes | Sets the port that the Default: |
| | no | Sets the placement strategy for container scheduling. Be aware that this does not affect swarm-mode services. Valid values: |
| | yes | Array of IP addresses that serve as nameservers. |
| | yes | Array of options in use by DNS resolvers. |
| | yes | Array of domain names to search whenever a bare, unqualified host name is used inside a container. |
| | no | Determines whether specialized debugging endpoints are enabled for profiling MKE performance. Valid values: Default: |
| | no | Sets the timeout, in seconds, for the RBAC information cache of the MKE non-Kubernetes resource listing APIs. Setting changes take immediate effect and do not require a restart of the MKE controller. Default: Once you enable the cache, the result of non-Kubernetes resource listing APIs only reflects the latest RBAC changes for a user when the cached RBAC information times out. |
| | no | Sets the key-value store timeout, in milliseconds. Default: |
| | Required | Sets the key-value store snapshot count. Default: |
| | no | Specifies an optional external load balancer for default links to services with exposed ports in the MKE web interface. |
| | no | Specifies the URL of a Kubernetes YAML file to use to install a CNI plugin. Only applicable during initial installation. If left empty, the default CNI plugin is used. |
| | no | Sets the metrics retention time. |
| | no | Sets the interval at which managers gather metrics from nodes in the cluster. |
| | no | Sets the interval for gathering storage metrics, an operation that can become expensive when large volumes are present. |
| | no | Enables the |
| | no | Sets the size of the cache for MKE RethinkDB servers. Default: 1GB. Leaving the field empty or specifying |
| | no | Determines whether the Valid values: Default: |
| | no | Sets the cloud provider for the Kubernetes cluster. |
| | yes | Sets the subnet pool from which the CNI IPAM plugin allocates Pod IPs. Default: |
| | no | Sets the maximum transmission unit (MTU) size for the Calico plugin. |
| | no | Sets the IPIP MTU size for the Calico IPIP tunnel interface. |
| | yes | Sets the number of IPs that the Azure allocator allocates per Azure virtual machine. |
| | yes | Sets the subnet pool from which Service IPs are allocated. Default: |
| | yes | Sets the port range for Kubernetes services within which the type Default: |
| | no | Sets the configuration options for the Kubernetes API server. Be aware that this parameter is intended only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
| | no | Sets the configuration options for the Kubernetes controller manager. Be aware that this parameter is intended only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
| | no | Sets the configuration options for Be aware that this parameter is intended only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
| | no | Sets the configuration options for the Kubernetes scheduler. Be aware that this parameter is intended only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
| | no | Set to store data about collections for volumes in the MKE local KV store instead of in the volume labels. The parameter is used to enforce access control on volumes. |
| | no | Reserves resources for MKE and Kubernetes components that run on manager nodes. |
| | no | Reserves resources for MKE and Kubernetes components that run on worker nodes. |
| | yes | Sets the number of Pods that can run on a node. Maximum: Default: |
| | no | Sets the maximum number of Pods per core. Recommended: Default: |
| | no | Enables IPsec network encryption in Kubernetes. Valid values: Default: |
| | no | Enables image scan result aggregation. The feature displays image vulnerabilities on the shared resources/containers and shared resources/images pages. Valid values: Default: |
| | no | Determines whether auto-refresh is turned off (the default interval is 15 seconds). If set to Valid values: Default: |
| | no | Sets the OIDC client ID, using the eNZi service ID that is in the OIDC authorization flow. |
| | no | Determines whether the UI is hidden for all Swarm-only object types (has no effect on Admin Settings). Valid values: Default: You can also set the parameter using the MKE web UI: |
| | yes | Sets Calico as the CNI provider, managed by MKE. Note that Calico is the default CNI provider. |
| | yes | Enables Calico eBPF mode. |
| | yes | Sets the use of Kubernetes default values for the iptables drop and masquerade bits. |
| | yes | Sets the operational mode for Valid values: Default: |
| | no | Sets the value for the |
| | no | Sets the value for the |
| | no | Sets the value for the |
cluster_config.ingress_controller (optional)
Available since MKE 3.5.0
Sets the configuration for the NGINX Ingress Controller to manage traffic that originates outside of your cluster (ingress traffic).
Note
Prior versions of MKE use Istio Ingress to manage traffic that originates from outside of the cluster, which employs many of the same parameters as the NGINX Ingress Controller.
| Parameter | Required | Description |
|---|---|---|
| | no | Disables HTTP ingress for Kubernetes. Valid values: Default: |
| | no | Sets the number of NGINX Ingress Controller deployment replicas. Default: |
| | no | Sets the list of external IPs for the Ingress service. Default: |
| | no | Enables an external load balancer. Valid values: Default: |
| | no | Enables preservation of the inbound traffic source IP. Valid values: Default: |
| | no | Sets the ports to expose. For each port, provide arrays that contain the following port information (defaults as displayed): |
| | no | Sets node affinity. |
| | no | Sets node toleration. For each node, provide an array that contains the following information (defaults as displayed): |
| | no | Sets advanced options for the NGINX proxy. NGINX Ingress Controller uses Examples: |
iSCSI (optional)
Configures iSCSI options for MKE.
| Parameter | Required | Description |
|---|---|---|
| | no | Enables iSCSI-based Persistent Volumes in Kubernetes. Valid values: Default: |
| | no | Specifies the path of the Default: |
| | no | Specifies the path of the Default: |
pre_logon_message
Configures a pre-logon message.
| Parameter | Required | Description |
|---|---|---|
| | no | Sets a pre-logon message to alert users prior to login. |
backup_schedule_config (optional)
Available since MKE 3.5.0
Configures backup scheduling and notifications for MKE.
| Parameter | Required | Description |
|---|---|---|
| | yes | Sets the number of days that elapse before a user is notified that they have not performed a recent backup. Set to Default: |
| | yes | Enables backup scheduling. Valid values: Default: |
| | yes | Sets the storage path for scheduled backups. Use |
| | yes | Sets whether a passphrase is necessary to encrypt the TAR file. A value of Default: |
| | yes | Encrypts the TAR file with a passphrase for all scheduled backups. Must remain empty if Do not share the configuration file if a passphrase is used, as the passphrase is displayed in plain text. |
| | yes | Sets the cron expression used for scheduling backups. The parameter accepts either full crontab specifications or descriptors, but not both. For more information, refer to the cron documentation. |
| | yes | Determines whether a log file is generated in addition to the backup. Refer to backup for more information. |
| | yes | Sets the number of backups to store. Once this number is reached, older backups are deleted. Set to |