Configuration options¶
auth table¶
Parameter |
Required |
Description |
---|---|---|
|
no |
The name of the authorization backend to use, Default: |
|
no |
The role assigned to new users for their private resource sets. Valid values: Default: |
auth.sessions¶
Parameter |
Required |
Description |
---|---|---|
|
no |
The initial session lifetime, in minutes. Default: |
|
no |
The length of time, in minutes, before the expiration of a session within which, if the session is used, it is extended by the currently configured lifetime measured from the time of that use. A value of Default: |
|
no |
The maximum number of sessions that a user can have simultaneously active. If creating a new session will put a user over this limit, the least recently used session is deleted. A value of Default: |
|
no |
If set, the user token is stored in |
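The three session settings above interact (initial lifetime, the renewal window near expiry, and the per-user cap with least-recently-used eviction), and the interaction is easier to see in code. The following Python model is an added illustration, not MKE code. The option names are not shown on this page, so the constants LIFETIME_MINUTES, RENEWAL_THRESHOLD_MINUTES and PER_USER_LIMIT are hypothetical stand-ins, and their values are arbitrary; time is kept as integer minutes so the arithmetic is visible.

```python
"""Added model of the auth.sessions semantics described on this page.

Not MKE code. LIFETIME_MINUTES, RENEWAL_THRESHOLD_MINUTES and PER_USER_LIMIT
are hypothetical names standing in for the three options in the table; the
values below are arbitrary choices for the illustration.
"""
from dataclasses import dataclass

LIFETIME_MINUTES = 60            # hypothetical: initial session lifetime
RENEWAL_THRESHOLD_MINUTES = 20   # hypothetical: extend when this close to expiry
PER_USER_LIMIT = 2               # hypothetical: max simultaneous sessions per user


@dataclass
class Session:
    user: str
    expires_at: int   # minutes on a simple integer clock
    last_used: int


class SessionStore:
    def __init__(self, now: int = 0) -> None:
        self.now = now            # the clock; advanced by the caller
        self.sessions = {}        # session id -> Session
        self._counter = 0

    def _active_for(self, user: str):
        """Ids of this user's sessions that have not yet expired."""
        return [sid for sid, s in self.sessions.items()
                if s.user == user and s.expires_at > self.now]

    def create(self, user: str) -> str:
        """Create a session; if that would exceed the cap, evict the LRU one first."""
        active = self._active_for(user)
        if len(active) >= PER_USER_LIMIT:
            lru = min(active, key=lambda sid: self.sessions[sid].last_used)
            del self.sessions[lru]
        self._counter += 1
        sid = f"{user}-{self._counter}"
        self.sessions[sid] = Session(user, self.now + LIFETIME_MINUTES, self.now)
        return sid

    def use(self, sid: str) -> bool:
        """Validate a session on use; extend it only when it is near expiry.

        Returns False for an unknown or expired session (and forgets it).
        A session used within RENEWAL_THRESHOLD_MINUTES of its expiry gets a
        fresh LIFETIME_MINUTES counted from now; earlier use changes nothing,
        so a session cannot be kept alive indefinitely by frequent polling
        without actually reaching the renewal window each time.
        """
        s = self.sessions.get(sid)
        if s is None or s.expires_at <= self.now:
            self.sessions.pop(sid, None)
            return False
        s.last_used = self.now
        if s.expires_at - self.now <= RENEWAL_THRESHOLD_MINUTES:
            s.expires_at = self.now + LIFETIME_MINUTES
        return True

    def expires_at(self, sid: str) -> int:
        return self.sessions[sid].expires_at
```

With these numbers a session created at minute 0 expires at 60; a request at minute 30 leaves that unchanged, a request at minute 45 (inside the 20-minute window) moves expiry to 105, and a third concurrent session for the same user evicts whichever of the first two was used least recently.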
auth.external_identity_provider (optional)¶
Configures MKE with an external OpenID Connect (OIDC) identity provider.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Sets the OpenID discovery endpoint, ending in |
|
yes |
Sets the client ID, which you obtain from your identity provider. |
|
no (recommended) |
Sets the client secret, which you obtain from your identity provider. |
|
no |
Sets the unique JWT ID token claim that contains the user names from your identity provider. Default: |
|
no |
Sets the PEM certificate bundle that MKE uses to authenticate the discovery, issuer, and JWKs endpoints. |
|
no |
Sets the HTTP proxy for your identity provider. |
|
no |
Sets the HTTPS proxy for your identity provider. |
|
no |
Sets the ID token issuer. If left blank, the value is obtained automatically from the discovery endpoint. |
|
no |
Sets the MKE service ID with the JWK URI for the identity provider. If left blank, the service ID is generated automatically. Warning Do not remove or replace an existing value. |
auth.external_identity_provider.signInCriteria array (optional)¶
An array of claims that ID tokens require for use with MKE.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Sets the name of the claim. |
|
yes |
Sets the value for the claim in the form of a string. |
|
yes |
Sets how MKE evaluates the JWT claim. Valid values: |
auth.external_identity_provider.adminRoleCriteria array (optional)¶
An array of claims that admin user ID tokens require for use with MKE. Creating a new account using a token that satisfies the criteria determined by this array automatically produces an administrator account.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Sets the name of the claim. |
|
yes |
Sets the value for the claim in the form of a string. |
|
yes |
Sets how the JWT claim is evaluated. Valid values: |
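Because a token that satisfies adminRoleCriteria creates an administrator account automatically, it is worth being precise about how the two criteria arrays above are evaluated against an ID token. The following Python is an added illustration, not MKE's implementation. Each criterion uses the `name` and `value` fields from the tables plus a third field selecting how the claim is compared; that field's real name and allowed values are not shown on this page, so it is called `matchType` here with the assumed modes "equals" and "contains". The sample claims are constructed.

```python
"""Added example: evaluating signInCriteria and adminRoleCriteria against
the claims of a decoded ID token. Illustration only, not MKE code.

Assumptions (not from the page): the comparison-mode field is named
`matchType` and takes "equals" (string claim must equal value) or
"contains" (list claim must contain value).
"""
from typing import Any

# Constructed sample payload, as seen after signature, issuer and audience
# checks have already passed. Criteria are evaluated on claims only.
SAMPLE_CLAIMS = {
    "sub": "1234567890",
    "email": "dev@example.com",
    "hd": "example.com",
    "groups": ["developers", "oncall"],
}

SIGN_IN_CRITERIA = [
    {"name": "hd", "value": "example.com", "matchType": "equals"},
]
ADMIN_ROLE_CRITERIA = [
    {"name": "hd", "value": "example.com", "matchType": "equals"},
    {"name": "groups", "value": "platform-admins", "matchType": "contains"},
]


def claim_matches(claims: dict, criterion: dict) -> bool:
    """True if one criterion is satisfied by the claims.

    A missing claim never matches, and a claim of the wrong type never
    matches: a string "groups" claim does not satisfy a "contains" check,
    so a provider that emits the claim in an unexpected shape fails closed.
    """
    actual: Any = claims.get(criterion["name"])
    mode = criterion.get("matchType", "equals")
    if mode == "equals":
        return isinstance(actual, str) and actual == criterion["value"]
    if mode == "contains":
        return isinstance(actual, list) and criterion["value"] in actual
    raise ValueError(f"unknown matchType {mode!r}")


def all_criteria_met(claims: dict, criteria: list) -> bool:
    """Every criterion in an array must hold; an empty array imposes nothing."""
    return all(claim_matches(claims, c) for c in criteria)


def classify_token(claims: dict, sign_in: list, admin: list) -> str:
    """Return "reject", "user" or "admin" for a token.

    Admin criteria are only consulted for tokens that already pass sign-in,
    and an empty admin array never grants admin (all([]) would be True).
    """
    if not all_criteria_met(claims, sign_in):
        return "reject"
    if admin and all_criteria_met(claims, admin):
        return "admin"
    return "user"
```

The claim named in adminRoleCriteria should be one the identity provider controls and users cannot set for themselves, since matching it is sufficient for a new account to be created as an administrator.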
auth.account_lock (optional)¶
Parameter |
Required |
Description |
---|---|---|
|
no |
Sets whether the MKE account lockout feature is enabled. |
|
no |
Sets the number of failed log in attempts that can occur before an account is locked. |
|
no |
Sets the desired lockout duration in seconds. A value of |
hardening_configuration (optional)¶
The hardening_enabled option must be set to true to enable all other hardening_configuration options.
Parameter |
Required |
Description |
---|---|---|
|
no |
Parent option that when set to Default: |
|
no |
The option can only be enabled when Limits kernel capabilities to the minimum required by each container. Components run using Docker default capabilities by default. When you enable Default: |
|
no |
The option can only be enabled when Sets the maximum number of PIDs MKE can allow for their respective orchestrators. The Default: |
|
no |
The option can only be enabled when When set to Default: |
|
no |
The option can only be enabled when When set to Default: |
registries array (optional)¶
An array of tables that specifies the MSR instances that are managed by the current MKE instance.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Sets the address for connecting to the MSR instance tied to the MKE cluster. |
|
yes |
Sets the MSR instance’s OpenID Connect Client ID, as registered with the Docker authentication provider. |
|
no |
Specifies the root CA bundle for the MSR instance if you are using a custom certificate authority (CA). The value is a string with the contents of a |
audit_log_configuration table (optional)¶
Configures audit logging options for MKE components.
Parameter |
Required |
Description |
---|---|---|
|
no |
Specifies the audit logging level. Valid values: empty (to disable audit logs), Default: empty |
|
no |
Sets support dumps to include audit logs in the logs of the Valid values: Default: |
scheduling_configuration table (optional)¶
Specifies scheduling options and the default orchestrator for new nodes.
Note
If you run a kubectl command, such as kubectl describe nodes, to view scheduling rules on Kubernetes nodes, the results do not reflect the MKE admin settings configuration. MKE uses taints to control container scheduling on nodes, which is unrelated to the kubectl Unschedulable boolean flag.
Parameter |
Required |
Description |
---|---|---|
|
no |
Determines whether administrators can schedule containers on manager nodes. Valid values: Default: You can also set the parameter using the MKE web UI: |
|
no |
Sets the type of orchestrator to use for new nodes that join the cluster. Valid values: Default: |
tracking_configuration table (optional)¶
Specifies the analytics data that MKE collects.
Parameter |
Required |
Description |
---|---|---|
|
no |
Set to disable analytics of usage information. Valid values: Default: |
|
no |
Set to disable analytics of API call information. Valid values: Default: |
|
no |
Set a label to be included with analytics. |
|
no |
Set to enable OpsCare. Valid values: Default: |
trust_configuration table (optional)¶
Specifies whether MSR images require signing.
Parameter |
Required |
Description |
---|---|---|
|
no |
Set to require the signing of images by content trust. Valid values: Default: You can also set the parameter using the MKE web UI: |
|
no |
A string array that specifies which users or teams must sign images. |
|
no |
A string array that specifies repos that are to bypass the content trust check, for example, |
log_configuration table (optional)¶
Configures the logging options for MKE components.
Parameter |
Required |
Description |
---|---|---|
|
no |
The protocol to use for remote logging. Valid values: Default: |
|
no |
Specifies a remote syslog server to receive MKE controller logs. If omitted, controller logs are sent through the default Docker daemon logging driver from the |
|
no |
The logging level for MKE components. Valid values (syslog priority levels): |
license_configuration table (optional)¶
Enables automatic renewal of the MKE license.
Parameter |
Required |
Description |
---|---|---|
|
no |
Set to enable attempted automatic license renewal when the license nears expiration. If disabled, you must manually upload renewed license after expiration. Valid values: Default: |
custom headers (optional)¶
Included when you need to set custom API headers. You can repeat this section multiple times to specify multiple separate headers. If you include custom headers, you must specify both name and value.
[[custom_api_server_headers]]
Item |
Description |
---|---|
name |
Set to specify the name of the custom header with |
value |
Set to specify the value of the custom header with |
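As an added example (not taken from the page or from MKE's own documentation), the repeated-section form looks like this in the TOML configuration file. The section name and the name/value keys are those given above; the two header names and their values are illustrative choices.

```toml
# Added example: two custom headers returned by the MKE API server.
# The header names and values below are illustrative, not defaults.
[[custom_api_server_headers]]
name = "Strict-Transport-Security"
value = "max-age=31536000; includeSubDomains"

[[custom_api_server_headers]]
name = "X-Content-Type-Options"
value = "nosniff"
```

Each `[[custom_api_server_headers]]` block is one entry in an array of tables, so omitting either `name` or `value` in any block makes that entry incomplete.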
user_workload_defaults (optional)¶
A map describing default values to set on Swarm services at creation time if those fields are not explicitly set in the service spec.
[user_workload_defaults]
[user_workload_defaults.swarm_defaults]
Parameter |
Required |
Description |
---|---|---|
|
no |
Delay between restart attempts. The value is given in the <number><value type> format. Valid value types include: Default: |
|
no |
Maximum number of restarts before giving up. Default: |
cluster_config table (required)¶
Configures the cluster that the current MKE instance manages.
The dns, dns_opt, and dns_search settings configure the DNS settings for MKE components. These values, when assigned, override the settings in a container /etc/resolv.conf file.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Sets the port that the Default: |
|
yes |
Sets the port the Kubernetes API server monitors. |
|
no |
Protects kernel parameters from being overridden by kubelet. Default: Important When enabled, kubelet can fail to start if the following kernel parameters are not properly set on the nodes before you install MKE or before adding a new node to an existing cluster:
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000
For more information, refer to Configure kernel parameters. |
|
no |
Enables auditing to the log file in the kube-apiserver container. Important For more information, refer to the official Kubernetes documentation Troubleshooting Clusters - Audit backends. Default: |
|
yes |
Sets the port that the Default: |
|
no |
Sets placement strategy for container scheduling. Be aware that this does not affect swarm-mode services. Valid values: |
|
yes |
Array of IP addresses that serve as nameservers. |
|
yes |
Array of options in use by DNS resolvers. |
|
yes |
Array of domain names to search whenever a bare unqualified host name is used inside of a container. |
|
no |
Determines whether specialized debugging endpoints are enabled for profiling MKE performance. Valid values: Default: |
|
no |
Sets the timeout in seconds for the RBAC information cache of MKE non-Kubernetes resource listing APIs. Setting changes take immediate effect and do not require a restart of the MKE controller. Default: Once you enable the cache, the result of non-Kubernetes resource listing APIs only reflects the latest RBAC changes for the user when the cached RBAC info times out. |
|
no |
Sets the key-value store timeout setting, in milliseconds. Default: |
|
yes |
Sets the key-value store snapshot count. Default: |
|
no |
Specifies an optional external load balancer for default links to services with exposed ports in the MKE web interface. |
|
no |
Specifies the URL of a Kubernetes YAML file to use to install a CNI plugin. Only applicable during initial installation. If left empty, the default CNI plugin is put to use. |
|
no |
Sets the metrics retention time. |
|
no |
Sets the interval for how frequently managers gather metrics from nodes in the cluster. |
|
no |
Sets the interval for the gathering of storage metrics, an operation that can become expensive when large volumes are present. |
|
no |
Enables the |
|
no |
Sets the size of the cache for MKE RethinkDB servers. Default: 1GB Leaving the field empty or specifying |
|
no |
Determines whether the Valid values: Default: |
|
no |
Sets the cloud provider for the Kubernetes cluster. |
|
yes |
Sets the subnet pool from which the IP for the Pod should be allocated from the CNI IPAM plugin. Default: |
|
no |
Sets the IPIP MTU size for the Calico IPIP tunnel interface. |
|
yes |
Sets the IP count for Azure allocator to allocate IPs per Azure virtual machine. |
|
yes |
Sets the subnet pool from which the IP for Services should be allocated. Default: |
|
yes |
Sets the port range for Kubernetes services within which the type Default: |
|
no |
Sets the configuration options for the Kubernetes API server. Be aware that this parameter function is only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
|
no |
Sets the configuration options for the Kubernetes controller manager. Be aware that this parameter function is only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
|
no |
Sets the configuration options for Be aware that this parameter function is only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
|
no |
Sets a profile that can be applied to the kubelet agent on any node. |
|
no |
Sets the configuration options for the Kubernetes scheduler. Be aware that this parameter function is only for development and testing. Arbitrary Kubernetes configuration parameters are not tested and supported under the MKE Software Support Agreement. |
|
no |
Set to store data about collections for volumes in the MKE local KV store instead of on the volume labels. The parameter is used to enforce access control on volumes. |
|
no |
Reserves resources for MKE and Kubernetes components that are running on manager nodes. |
|
no |
Reserves resources for MKE and Kubernetes components that are running on worker nodes. |
|
yes |
Sets the number of Pods that can run on a node. Maximum: Default: |
|
no |
Sets the maximum number of Pods per core. Recommended: Default: |
|
no |
Enables IPSec network encryption in Kubernetes. Valid values: Default: |
|
no |
Enables image scan result aggregation. The feature displays image vulnerabilities in shared resource/containers and shared resources/images pages. Valid values: Default: |
|
no |
Determines whether resource polling is disabled for both Swarm and Kubernetes resources, which is recommended for production instances. Valid values: Default: |
|
no |
Sets the OIDC client ID, using the eNZi service ID that is used in the OIDC authorization flow. |
|
no |
Determines whether the UI is hidden for all Swarm-only object types (has no effect on Admin Settings). Valid values: Default: You can also set the parameter using the MKE web UI: |
|
yes |
Sets Calico as the CNI provider, managed by MKE. Note that Calico is the default CNI provider. |
|
yes |
Enables Calico eBPF mode. |
|
yes |
Sets the use of Kubernetes default values for iptables drop and masquerade bits. |
|
yes |
Sets the operational mode for Valid values: Default: |
|
no |
Sets the value for the |
|
no |
Sets the value for the |
|
no |
Sets the value for the |
|
no |
Sets the cron expression used for the scheduling of image pruning. The parameter accepts either full crontab specifications or descriptors, but not both.
Refer to the cron documentation for more information. |
|
no |
Sets the CPU usage threshold, above which the MKE web UI displays a warning banner. Default: |
|
no |
Sets the MKE CPU usage measurement interval, which enables the function of the Default: |
|
no |
Sets the etcd storage size limit. Example values: Default value: |
|
no |
Enables the NVIDIA device partitioner. Default: |
|
no |
Enables profiling for the Kubernetes API server. Default: |
|
no |
Enables profiling for the Kubernetes controller manager. Default: |
|
no |
Enables profiling for the Kubernetes scheduler. Default: |
|
no |
Enables kube scheduler to bind to all available network interfaces, rather than just localhost. Default: |
|
no |
Extends support of FlexVolume drivers, which have been deprecated since the release of MKE 3.4.13. Default: |
|
no |
Warning Implement Enables public key authentication cache. Note
Default: |
|
no |
The maximum amount of memory that can be used by the Prometheus container. Default: |
|
no |
The minimum amount of memory reserved for the Prometheus container. Default: |
|
no |
Subject alternative names for manager nodes. |
|
no |
Allows users to set the threshold for the terminated Pod garbage collector in Kube Controller Manager according to their cluster-specific requirement. Default: |
|
no |
Timeout for Kube API server requests. Default: |
|
no |
Enables the Default: |
|
no |
Enables the user to specify values for the Calico controller liveness and readiness probes. Default: |
|
no |
Sets the Calico controller liveness probe failure threshold. Default: |
|
no |
Sets the Calico controller liveness probe initial delay period in seconds. Default: |
|
no |
Sets the Calico controller liveness probe period in seconds. Default: |
|
no |
Sets the Calico controller liveness probe success threshold. Default: |
|
no |
Sets the Calico controller liveness probe timeout period in seconds. Default: |
|
no |
Sets the Calico controller readiness probe failure threshold. Default: |
|
no |
Sets the Calico controller readiness probe initial delay period in seconds. Default: |
|
no |
Sets the Calico controller readiness probe initial delay period in seconds. Default: |
|
no |
Sets the Calico controller readiness probe period in seconds. Default: |
|
no |
Sets the Calico controller readiness probe success threshold. Default: |
|
no |
Sets the Calico controller readiness probe timeout period in seconds. Default: |
|
no |
Sets the maximum number of days for which to retain old audit log files in Kubernetes API server. Default: |
|
no |
Sets the maximum number of audit log files for which to retain in the Kubernetes API server. Default: |
|
no |
Sets the maximum size the audit log file can attain, in megabytes, before it is rotated in Kubernetes API server. Default: |
|
no |
Specifies a Kubernetes audit logging policy. Refer to https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ for more information. |
|
no |
Enables the use of a specified custom audit policy yaml file. Default: |
|
yes |
Sets the listening port for Prometheus Node Exporter. Default: |
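The kernel-parameter protection row above lists six sysctl values that must already be in place on a node, or kubelet may fail to start once the option is enabled. The following Python script is an added pre-install check, not MKE tooling: it reads the live values from /proc/sys, compares them with the values listed on this page, and prints sysctl.conf lines for anything that differs. The expected values come from the table; the script and its helper names are illustrative.

```python
"""Added pre-install check for the kernel parameters kubelet expects when
kernel-parameter protection is enabled. Not MKE tooling; the expected
values are copied from the cluster_config description on this page.
"""
from pathlib import Path

# Expected values as listed on this page.
EXPECTED = {
    "vm.panic_on_oom": "0",
    "vm.overcommit_memory": "1",
    "kernel.panic": "10",
    "kernel.panic_on_oops": "1",
    "kernel.keys.root_maxkeys": "1000000",
    "kernel.keys.root_maxbytes": "25000000",
}


def sysctl_path(key: str) -> Path:
    """Map a dotted sysctl key to its /proc/sys file (vm.panic_on_oom -> /proc/sys/vm/panic_on_oom)."""
    return Path("/proc/sys") / key.replace(".", "/")


def read_live_values(keys) -> dict:
    """Read current values from /proc/sys; None marks a key absent on this kernel."""
    values = {}
    for key in keys:
        p = sysctl_path(key)
        values[key] = p.read_text().strip() if p.exists() else None
    return values


def find_mismatches(actual: dict, expected: dict = EXPECTED) -> dict:
    """Return {key: (actual, expected)} for each key that is missing or differs.

    Values are compared as integers where possible, so "010" and "10" are
    treated as equal, which is how the kernel reads these numeric knobs.
    A missing key (None) or a non-numeric value is always a mismatch.
    """
    bad = {}
    for key, want in expected.items():
        have = actual.get(key)
        try:
            same = have is not None and int(have) == int(want)
        except ValueError:
            same = False
        if not same:
            bad[key] = (have, want)
    return bad


def sysctl_conf_lines(mismatches: dict) -> list:
    """Render the required settings as sysctl.conf lines, one per mismatch, sorted by key."""
    return [f"{key} = {want}" for key, (_, want) in sorted(mismatches.items())]


if __name__ == "__main__":
    import sys

    problems = find_mismatches(read_live_values(EXPECTED))
    if not problems:
        print("all listed kernel parameters match the expected values")
    else:
        for key, (have, want) in sorted(problems.items()):
            print(f"{key}: have {have!r}, want {want}")
        print("\n# settings to apply, e.g. via a file under /etc/sysctl.d/:")
        print("\n".join(sysctl_conf_lines(problems)))
        sys.exit(1)
```

Run it as root on each node before installing MKE or joining the node; a non-zero exit means at least one value needs to be set and made persistent across reboots before the option is enabled.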
cluster_config.image_prune_whitelist (optional)¶
Configures the images that you do not want removed by MKE image pruning.
Note
Where possible, use the image ID to specify the image rather than the image name.
cluster_config.ingress_controller (optional)¶
Set the configuration for the NGINX Ingress Controller to manage traffic that originates outside of your cluster (ingress traffic).
Note
Prior versions of MKE use Istio Ingress to manage traffic that originates from outside of the cluster, which employs many of the same parameters as NGINX Ingress Controller.
Parameter |
Required |
Description |
---|---|---|
|
No |
Disables HTTP ingress for Kubernetes. Valid values: Default: |
|
No |
Sets the number of NGINX Ingress Controller deployment replicas. Default: |
|
No |
Sets the list of external IPs for Ingress service. Default: |
|
No |
Enables an external load balancer. Valid values: Default: |
|
No |
Enables preserving inbound traffic source IP. Valid values: Default: |
|
No |
Sets ports to expose. For each port, provide arrays that contain the following port information (defaults as displayed): |
|
No |
Sets node affinity. |
|
No |
Sets node toleration. For each node, provide an array that contains the following information (defaults as displayed): |
|
No |
Sets advanced options for the NGINX proxy. NGINX Ingress Controller uses Examples: |
|
No |
Sets the container port for servicing HTTP traffic. Default: |
|
No |
Sets the container port for servicing HTTPS traffic. Default: |
|
No |
Enables SSL passthrough. Default: |
|
No |
Sets the Secret that contains an SSL certificate to be used as a default TLS certificate. Valid value: |
cluster_config.metallb_config (optional)¶
Enable and disable MetalLB for load balancer services in bare metal clusters.
Parameter |
Required |
Description |
---|---|---|
|
No |
Enables MetalLB load balancer for bare metal Kubernetes clusters. Valid values: Default: |
|
No |
Adds a list of custom address pool resources. At least one entry is required to enable MetalLB. Default: [] (empty). |
cluster_config.policy_enforcement.gatekeeper (optional)¶
Enable and disable OPA Gatekeeper for policy enforcement.
Note
By design, when the OPA Gatekeeper is disabled using the configuration file, the Pods are deleted but the policies are not cleaned up. Thus, when the OPA Gatekeeper is re-enabled, the cluster can immediately adopt the existing policies.
The retention of the policies poses no risk, as they are just data on the API server and have no value outside of an OPA Gatekeeper deployment.
Parameter |
Required |
Description |
---|---|---|
|
No |
Enables the Gatekeeper function. Valid values: Default: |
|
No |
Excludes from the Gatekeeper admission webhook all of the resources that are contained in a list of namespaces. Specify as a comma-separated list. For example: |
cluster_config.core_dns_lameduck_config (optional)¶
Available since MKE 3.7.0
Enable and disable lameduck in CoreDNS.
Parameter |
Required |
Description |
---|---|---|
|
No |
Enables the lameduck health function. Valid values: Default: |
|
No |
Length of time during which lameduck will run, expressed with integers
and time suffixes, such as Note
Default: |
Caution
Editing the CoreDNS config map outside of MKE to configure the lameduck function is not supported. Any such attempts will be superseded by the values that are configured in the MKE configuration file.
iSCSI (optional)¶
Configures iSCSI options for MKE.
Parameter |
Required |
Description |
---|---|---|
|
no |
Enables iSCSI-based Persistent Volumes in Kubernetes. Valid values: Default: |
|
no |
Specifies the path of the Default: |
|
no |
Specifies the path of the Default: |
pre_logon_message¶
Configures a pre-logon message.
Parameter |
Required |
Description |
---|---|---|
|
no |
Sets a pre-logon message to alert users prior to log in. |
backup_schedule_config (optional)¶
Configures backup scheduling and notifications for MKE.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Sets the number of days that elapse before a user is notified that they have not performed a recent backup. Set to Default: |
|
yes |
Enables backup scheduling. Valid values: Default: |
|
yes |
Sets the storage path for scheduled backups. Use |
|
yes |
Sets whether a passphrase is necessary to encrypt the TAR file. A value of Default: |
|
yes |
Encrypts the TAR file with a passphrase for all scheduled backups. Must remain empty if Because the passphrase is stored in the configuration file in plain text, do not share the configuration file when a passphrase is set. |
|
yes |
Sets the cron expression in use for scheduling backups. The parameter accepts either full crontab specifications or descriptors, but not both.
For more information, refer to the cron documentation. |
|
yes |
Determines whether a log file is generated in addition to the backup. Refer to backup for more information. |
|
yes |
Sets the number of backups to store. Once this number is reached, older backups are deleted. Set to |
etcd_cleanup_schedule_config (optional)¶
Configures scheduling for etcd cleanup for MKE.
Parameter |
Required |
Description |
---|---|---|
|
yes |
Enables etcd cleanup scheduling. Valid values: Default: |
|
no |
Minimum Time To Live (TTL) for retaining certain events in etcd. Default: |
|
yes |
Sets the cron expression to use for scheduling etcd cleanup. The etcd cleanup operation starts with the deletion of the events, which is followed by the compacting of the etcd revisions. The cleanup scheduling interval must be set for a minimum of 72 hours. Refer to the official cron documentation for more information. |
|
no |
Enables defragmentation of the etcd cluster after successful cleanup. Warning The etcd cluster defragmentation process can cause temporary performance degradation. To minimize possible impact, schedule Valid values: Default: |
|
no |
Sets the period of time, in seconds, to pause between issuing defrag commands to etcd members. Default: |
|
no |
Sets the period of time, in seconds, that each etcd member is allotted to complete defragmentation. If the defragmentation of a member times out before the process is successfully completed, the entire cluster defragmentation is aborted. Default: |
windows_gmsa¶
Configures use of Windows GMSA credential specifications.
Parameter |
Required |
Description |
---|---|---|
|
no |
Allows creation of GMSA credential specifications for the Kubernetes cluster, as well as automatic population of full credential specifications for any Pod on which the GMSA credential specification is referenced in the security context of that Pod. The schema for gmsa credential spec MKE uses is publicly documented at https://github.com/kubernetes-sigs/windows-gmsa/blob/master/charts/gmsa/templates/credentialspec.yaml. For information on how to enable GMSA and how to obtain different components of the GMSA specification for one or more GMSA accounts in your domain, refer to the official Windows documentation. |