cs_service_settings.md

copyright	years 2014, 2020
lastupdated	2020-08-12
keywords	kubernetes, iks
subcollection	containers

{:beta: .beta} {:codeblock: .codeblock} {:deprecated: .deprecated} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:help: data-hd-content-type='help'} {:important: .important} {:java: data-hd-programlang="java"} {:javascript: data-hd-programlang="javascript"} {:new_window: target="_blank"} {:note: .note} {:pre: .pre} {:preview: .preview} {:screen: .screen} {:shortdesc: .shortdesc} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:tip: .tip} {:troubleshoot: data-hd-content-type='troubleshoot'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms}

Default service settings for Kubernetes components

{: #service-settings}

Review the default settings for Kubernetes components, such as the kube-apiserver, kubelet or kube-proxy that {{site.data.keyword.containerlong}} sets when you create your cluster. {: shortdesc}

kube-apiserver

{: #kube-apiserver}

Review the default settings for the kube-apiserver master component in {{site.data.keyword.containerlong_notm}}. {: shortdesc}

Category	Default settings
Default pod tolerations	default-not-ready-toleration-seconds=600s default-unreachable-toleration-seconds=600s
Privileged pods	allow-privileged=true
Request headers	requestheader-client-ca-file=/mnt/etc/kubernetes-cert/ca.pem requestheader-username-headers=X-Remote-User requestheader-group-headers=X-Remote-Group requestheader-extra-headers-prefix=X-Remote-Extra-
Number of client requests	k8s_max_requests_inflight: 1600 k8s_max_mutating_requests_inflight: 800
Admission controllers	NamespaceLifecycle LimitRanger ServiceAccount DefaultStorageClass Initializers (Kubernetes 1.13 or earlier) MutatingAdmissionWebhook ValidatingAdmissionWebhook ResourceQuota PodSecurityPolicy DefaultTolerationSeconds StorageObjectInUseProtection PersistentVolumeClaimResize Priority (Kubernetes 1.11 or later) NodeRestriction (Kubernetes 1.14 or later) TaintNodesByCondition (Kubernetes 1.14 or later) CertificateApproval (Kubernetes 1.18 or later) CertificateSigning (Kubernetes 1.18 or later) CertificateSubjectRestriction (Kubernetes 1.18 or later) DefaultIngressClass (Kubernetes 1.18 or later)
Kube audit log config	audit-log-maxsize=128 audit-log-maxage=2 audit-log-maxbackup=2
Feature gates	See Feature gates
{: summary="The rows are read from left to right. The category is in the first column, with the description in the second column."}
{: caption="kube-apiserver settings" caption-side="top"}

kube-controller-manager

{: #kube-controller-manager}

Review the default settings for the kube-controller-manager master component in {{site.data.keyword.containerlong_notm}}. {: shortdesc}

Category	Default settings
Feature gates	See Feature gates
Pod garbage collection threshold	terminated-pod-gc-threshold=12500
Horizontal pod autoscaling	horizontal-pod-autoscaler-use-rest-clients=true
{: summary="The rows are read from left to right. The category is in the first column, with the description in the second column."}
{: caption="kube-controller-manager settings" caption-side="top"}

kubelet

{: #kubelet}

Review the default settings for the kubelet worker node component in {{site.data.keyword.containerlong_notm}}. {: shortdesc}

Category	Default settings
Feature gates	See Feature gates. In addition, CRIContainerLogRotation=true is set.
Pod manifest path	pod-manifest-path=/etc/kubernetes/manifests
File check frequency	file-check-frequency=5s
Container logs	container-log-max-size=100Mi container-log-max-files=3
Container runtime endpoint	container-runtime-endpoint=unix:///run/containerd/containerd.sock
Kubernetes and system reserves	kube-reserved='memory=1051Mi,cpu=36m,pid=2048' system-reserved='memory=1576Mi,cpu=54m,pid=2048'
CPU CFS quota	cpu-cfs-quota-period=20ms
cgroups	kubelet-cgroups=/podruntime/kubelet runtime-cgroups=/podruntime/runtime
Pod eviction	eviction-soft='memory.available<100Mi,nodefs.available<10%,imagefs.available<10%,nodefs.inodesFree<10%,imagefs.inodesFree<10%' eviction-soft-grace-period='memory.available=10m,nodefs.available=10m,imagefs.available=10m,nodefs.inodesFree=10m,imagefs.inodesFree=10m' eviction-hard='memory.available<100Mi,nodefs.available<5%,imagefs.available<5%,nodefs.inodesFree<5%,imagefs.inodesFree<5%'
{: summary="The rows are read from left to right. The category is in the first column, with the description in the second column."}
{: caption="kubelet settings" caption-side="top"}

kube-proxy

{: #kube-proxy}

Review the default settings for the kube-proxy worker node component in {{site.data.keyword.containerlong_notm}}. {: shortdesc}

Category	Default settings
Iptable settings	iptables-sync-period 300s iptables-min-sync-period 5s
Proxy mode	proxy-mode=iptables
Feature gates	See Feature gates
{: summary="The rows are read from left to right. The category is in the first column, with the description in the second column."}
{: caption="kube-proxy settings" caption-side="top"}

Feature gates

{: #feature-gates}

Review the feature gates that are applied to all master and worker node components by default in {{site.data.keyword.containerlong_notm}} clusters. These feature gates differ from the ones that are set up in community distributions. The {{site.data.keyword.cloud_notm}} provider version enables Kubernetes APIs and features that are at beta. Kubernetes alpha features, which are subject to change, are disabled. {: shortdesc}

Kubernetes version	Default feature gates
1.17	RuntimeClass=false CustomCPUCFSQuotaPeriod=true AllowInsecureBackendProxy=false
1.16	RuntimeClass=false CustomCPUCFSQuotaPeriod=true
1.15	RuntimeClass=false CustomCPUCFSQuotaPeriod=true
1.14	RuntimeClass=false SupportNodePidsLimit=true CustomCPUCFSQuotaPeriod=true
{: caption="Overview of feature gates" caption-side="top"}
{: summary="The rows are read from left to right. The version is in the first column, with the default feature gates in the second column."}