Some cluster parameters that affect control plane management are derived from the ClusterConfiguration resource.

The module is enabled by default in the Default bundle. The module is disabled by default in the following bundles: Managed, Minimal.

How to explicitly enable the module…

Note that the configOverrides parameter of the InitConfiguration resource is used when installing Deckhouse, not ModuleConfig.

Set the controlPlaneManagerEnabled: true or controlPlaneManagerEnabled: false in the configOverrides parameter to explicitly enable or disable the module when installing Deckhouse.

Use the controlPlaneManager section of the configOverrides parameter to configure the module when installing Deckhouse.

Set the spec.enabled module parameter to true or false to explicitly enable or disable the module.

Example of enabling the control-plane-manager module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: control-plane-manager
spec:
  enabled: true

Example of disabling the control-plane-manager module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: control-plane-manager
spec:
  enabled: false

The module is configured using the ModuleConfig custom resource named control-plane-manager (learn more about setting up Deckhouse…).

Example of the ModuleConfig/control-plane-manager resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: control-plane-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.


Schema version: 1

  • apiserver (object)

    kube-apiserver parameters.

    • apiserver.admissionPlugins (array of strings)

      List of enabled additional admission plugins.

      Note that in addition to the admission plugins enabled by default in Kubernetes, the following admission plugins are also always enabled:

      • ExtendedResourceToleration
      • EventRateLimit with the following config:

        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        kind: Configuration
        limits:
        - type: Namespace
          qps: 50
          burst: 100
          cacheSize: 2000

      Note that the PodNodeSelector admission plugin does not require a global configuration; it relies on annotated Namespaces.

      Example:

        admissionPlugins:
        - AlwaysPullImages
        - NamespaceAutoProvision

      • Element of the array (string)

        Allowed values: AlwaysPullImages, NamespaceAutoProvision, OwnerReferencesPermissionEnforcement, PodNodeSelector, PodTolerationRestriction

    • apiserver.auditLog (object)

      Audit policy settings

      Default: {"output":"File"}

      • apiserver.auditLog.output (string)

        Required value

        Audit logs target stream.

        Default: "File"

        Allowed values: File, Stdout

        Example:

          output: Stdout

      • apiserver.auditLog.path (string)

        Directory path for logs if the output is “File”, otherwise ignored.

        Default: "/var/log/kube-audit"

        Pattern: ^[a-zA-Z0-9_/.-]+[a-zA-Z0-9_.-]$

    • apiserver.auditPolicyEnabled (boolean)

      Set the audit policies using the configuration from the kube-system/audit-policy Secret.

      Default: false

    • apiserver.authn (object)

      Optional authentication parameters for Kubernetes API clients.

      By default, they are taken from user-authn module ConfigMap.

      • apiserver.authn.oidcCA (string)

        OIDC provider CA.

      • apiserver.authn.oidcIssuerAddress (string)

        OIDC provider network address alias.

        Example:

          oidcIssuerAddress: ''

      • apiserver.authn.oidcIssuerURL (string)

        OIDC provider URL.


      • apiserver.authn.webhookCA (string)

        Authorization webhook CA.

      • apiserver.authn.webhookCacheTTL (string)

        The duration to cache responses from the webhook token authenticator.

        It is specified as a string containing the time unit in hours and minutes: 30m, 1h, 2h30m, 24h.

        Pattern: ^([0-9]+h)?([0-9]+m)?([0-9]+s)?$

        Example:

          webhookCacheTTL: 5m

      • apiserver.authn.webhookURL (string)

        Authentication webhook URL.


    • apiserver.authz (object)

      Optional authorization parameters for Kubernetes API clients.

      By default, they are taken from user-authz module ConfigMap.

      • apiserver.authz.webhookCA (string)

        Authorization webhook CA.

      • apiserver.authz.webhookURL (string)

        Authorization webhook URL.


    • apiserver.basicAuditPolicyEnabled (boolean)

      Enforce basic Deckhouse audit policies.

      Default: true

    • apiserver.bindToWildcard (boolean)

      Specifies whether to listen on

      By default, the API server listens on the hostIP. The latter usually corresponds to the Internal node address; however, the actual IP depends on the cluster type (Static or Cloud) and the layout selected.

      Default: false

    • apiserver.certSANs (array of strings)

      Array of SANs, with which the API server certificate will be generated.

      In addition to the passed list, the following list is always used:

      • kubernetes;
      • kubernetes.default;
      • kubernetes.default.svc;
      • kubernetes.default.svc.cluster.local;
      • current_hostname;
      • hostIP.


      • Element of the array (string)

        Pattern: ^[0-9a-zA-Z\.-]+$

    • apiserver.encryptionEnabled (boolean)

      Enables encrypting secret data at rest.

      Generates kube-system/d8-secret-encryption-key Secret with encryption key.

      Note! This mode cannot be disabled!

      Default: false

    • apiserver.loadBalancer (object)

      If set, a service kube-system/d8-control-plane-apiserver of the LoadBalancer type will be created.

      • apiserver.loadBalancer.annotations (object)

        Annotations to attach to a service to fine-tune the load balancer.

        Caution! The module does not take into account the specifics of setting annotations in various cloud environments. If the annotations for load balancer provisioning are only applied when the service is created, you will need to remove and re-add the apiserver.loadBalancer parameter for such changes to take effect.

      • apiserver.loadBalancer.port (integer)

        External LoadBalancer TCP port.

        Default: 443

        Allowed values: 1 <= X <= 65534

      • apiserver.loadBalancer.sourceRanges (array of strings)

        A list of CIDRs that are allowed to connect to the API.

        The cloud provider may not support this option or ignore it.

        • Element of the array (string)

          Pattern: ^[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\/[0-9]+$

    • apiserver.serviceAccount (object)

      ServiceAccount issuing settings.

      Example:

        serviceAccount: {}

      • apiserver.serviceAccount.additionalAPIAudiences (array of strings)

        A list of API audiences to add when provisioning ServiceAccount tokens.

        Example:

          additionalAPIAudiences:
          - istio-ca

  • etcd (object)

    etcd parameters.

    • etcd.externalMembersNames (array of strings)

      etcd external members array (they will not be deleted).

      Example:

        externalMembersNames:
        - main-master-1
        - my-external-member

      • Element of the array (string)

        Pattern: ^[0-9a-zA-Z\.-:\-\/]+$

    • etcd.maxDbSize (number)

      Sets the quota-backend-bytes etcd parameter. Deckhouse manages quota-backend-bytes automatically; if maxDbSize is set, Deckhouse uses this value for the quota-backend-bytes etcd parameter instead.

      Minimum: 512MB.

      Maximum: 8GB.

      Experimental. It can be removed in the future.

      Allowed values: 536870912 <= X <= 8589934592

  • failedNodePodEvictionTimeoutSeconds (integer)

    The number of seconds after which pods will be deleted from the node with the Unreachable status.

    Note! If you change the parameter, the pods must be restarted.

    Default: 300

  • nodeMonitorGracePeriodSeconds (integer)

    The number of seconds after which the node will enter the Unreachable status in case of lost connection.

    Default: 40
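As an added example (not part of the Deckhouse documentation or code), the following Python pre-flight check validates a `settings` dict against the allowed values, patterns and ranges listed in the parameter reference above before it is placed into a ModuleConfig, and flags the two defaults that leave secret data unencrypted and audit policies off. The constraint table and the sample settings are constructed from this page; `check_settings` is a hypothetical helper.

```python
import re

# Constraints copied from the parameter reference above (constructed table).
ALLOWED_PLUGINS = {"AlwaysPullImages", "NamespaceAutoProvision",
                   "OwnerReferencesPermissionEnforcement", "PodNodeSelector",
                   "PodTolerationRestriction"}
AUDIT_PATH_RE = re.compile(r"^[a-zA-Z0-9_/.-]+[a-zA-Z0-9_.-]$")
TTL_RE = re.compile(r"^([0-9]+h)?([0-9]+m)?([0-9]+s)?$")
SAN_RE = re.compile(r"^[0-9a-zA-Z\.-]+$")
CIDR_RE = re.compile(r"^[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\/[0-9]+$")
MAX_DB_MIN, MAX_DB_MAX = 536870912, 8589934592  # 512MB .. 8GB


def check_settings(settings):
    """Return a list of 'error:'/'warning:' strings for a ModuleConfig settings dict."""
    problems = []
    api = settings.get("apiserver", {})
    for plugin in api.get("admissionPlugins", []):
        if plugin not in ALLOWED_PLUGINS:
            problems.append(f"error: admissionPlugins: {plugin!r} is not an allowed value")
    audit = api.get("auditLog", {})
    output = audit.get("output", "File")          # schema default
    if output not in ("File", "Stdout"):
        problems.append(f"error: auditLog.output: {output!r} must be File or Stdout")
    path = audit.get("path", "/var/log/kube-audit")  # schema default
    if not AUDIT_PATH_RE.match(path):
        problems.append(f"error: auditLog.path: {path!r} violates the path pattern")
    ttl = api.get("authn", {}).get("webhookCacheTTL")
    if ttl is not None and not TTL_RE.match(ttl):
        problems.append(f"error: authn.webhookCacheTTL: {ttl!r} is not a duration like 2h30m")
    for san in api.get("certSANs", []):
        if not SAN_RE.match(san):
            problems.append(f"error: certSANs: {san!r} violates the SAN pattern")
    lb = api.get("loadBalancer")
    if lb is not None:
        port = lb.get("port", 443)
        if not 1 <= port <= 65534:
            problems.append(f"error: loadBalancer.port: {port} must be in 1..65534")
        for cidr in lb.get("sourceRanges", []):
            if not CIDR_RE.match(cidr):
                problems.append(f"error: loadBalancer.sourceRanges: {cidr!r} is not an IPv4 CIDR")
    size = settings.get("etcd", {}).get("maxDbSize")
    if size is not None and not MAX_DB_MIN <= size <= MAX_DB_MAX:
        problems.append(f"error: etcd.maxDbSize: {size} must be in 512MB..8GB")
    # Both of these default to false, so an unset key silently keeps the weaker mode.
    if not api.get("encryptionEnabled", False):
        problems.append("warning: encryptionEnabled is false: secret data is stored unencrypted")
    if not api.get("auditPolicyEnabled", False):
        problems.append("warning: auditPolicyEnabled is false: kube-system/audit-policy is not applied")
    return problems
```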