All Products
Search

This Product

    :Customize control plane parameters for Pro clusters

    Document Center

    :Customize control plane parameters for Pro clusters

    Last Updated:Apr 03, 2026

    When you run ACK Pro clusters in production, you may need to tune control plane behavior for performance, security, or compliance. ACK Pro lets you modify parameters for core control plane components — kube-apiserver, kube-controller-manager, cloud-controller-manager (CCM), and kube-scheduler — directly in the console.

    This topic explains how to customize those parameters and lists the available parameters for each cluster type.

    Before you begin

    Make sure you have:

    • An ACK managed cluster Pro Edition, ACK serverless cluster Pro Edition, ACK Edge cluster Pro Edition, or ACK LINGJUN Cluster

    • The required permissions to modify cluster add-ons in the Container Service Management Console

    Usage notes

    • Control plane restart: The control plane restarts after you save parameter changes. Perform this operation during off-peak hours to minimize impact.

    • Parameters overwrite defaults: Custom parameters replace the default cluster parameters entirely. Verify that your configuration is complete and correct before saving. Incorrect or incomplete parameters can prevent the control plane from starting.

    • Version constraints: Some parameters are available only in specific cluster versions. Version requirements are noted in each parameter table. To upgrade your cluster, see Manually upgrade a cluster.

    • Console as source of truth: The console shows the most current list of customizable parameters. The tables in this topic reflect the documented defaults.

    Customize a control plane component parameter

    The steps are the same for all control plane components. The following example uses kube-apiserver.

    1. Log on to the Container Service Management Console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

    3. In the Core Components section, find the component you want to configure, then click Configuration in the lower-right corner of its card.

    4. In the Parameters dialog box, enter your custom parameters. Make sure the configuration is complete and correct, then follow the on-screen instructions to submit.

    Default parameters

    The following tables list the customizable parameters for each cluster type. For parameter semantics and valid values beyond what is listed, refer to the official Kubernetes documentation: kube-apiserver, kube-controller-manager, and kube-scheduler.

    ACK managed cluster Pro Edition

    kube-apiserver

    Parameter Description Valid range / notes
    enableAdmissionPlugins Enables additional admission controller plugins. Default: blank.
    serviceNodePortRange Port range for NodePort services. 10000–65535. Default: blank.
    Important

    Make sure this range does not overlap with net.ipv4.ip_local_port_range on cluster nodes. See How do I correctly configure the NodePort range?
    requestTimeout Global timeout for API requests that do not have a specific timeout. Default: blank (uses Kubernetes default).
    defaultNotReadyTolerationSeconds Duration containers can run on a node in NotReady state before eviction. Default: blank.
    defaultUnreachableTolerationSeconds Duration containers can run on a node in Unreachable state before eviction. Default: blank.
    maxMutatingRequestsInflight Maximum number of concurrent mutating API requests. Requests above this limit are rejected. 1–1000. Default: blank.
    maxRequestsInflight Maximum number of concurrent non-mutating API requests. 1–3000. Default: blank.
    featureGates Enables or disables specific Kubernetes feature gates. Supported values: ServerSideApply, TTLAfterFinished, EphemeralContainers, RemoveSelfLink, HPAScaleToZero. Default: blank.
    Note

    HPAScaleToZero requires cluster version 1.18 or later. RemoveSelfLink cannot be modified in cluster version 1.24 or later.
    oidcIssuerURL URL of the OpenID Connect (OIDC) issuer for external identity provider integration. Default: blank. Requires cluster version 1.18 or later.
    Important

    After setting this parameter, kube-apiserver accesses the specified address. If it is a public endpoint, enable public network access for the cluster. If the API server still cannot reach the endpoint after enabling public access, run kubectl get endpoints to check the number of backend IP addresses for Kubernetes. If more than one IP address is returned, log on to a worker node, attempt to access the oidcIssuerURL, and review public network settings and security group rules. If only one IP address is returned, submit a ticket.
    oidcClientId Client ID for the OIDC provider. Default: blank. Requires cluster version 1.18 or later.
    oidcUsernameClaim JWT claim used as the username for OIDC authentication. Default: sub. Requires cluster version 1.18 or later.
    oidcUsernamePrefix Prefix added to OIDC usernames to avoid conflicts with existing names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsPrefix Prefix added to OIDC group names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsClaim JWT claim used to populate user groups for OIDC authentication. Default: blank. Requires cluster version 1.18 or later.
    oidcRequiredClaim Key-value pairs that must be present in the OIDC ID token. Default: blank. Requires cluster version 1.18 or later.
    oidcCAContent PEM-encoded certificate authority (CA) content for verifying the OIDC provider. Default: blank. Requires cluster version 1.18 or later.
    hostAliases Custom hostname-to-IP mappings added to the kube-apiserver pod's /etc/hosts. Default: blank. Requires cluster version 1.26 or later.
    enableTrace Enables distributed tracing for control plane components. Default: blank. Requires cluster version 1.28 or later. See Enable Tracing Analysis for control plane components of a cluster.
    samplingRatePerMillion Default: blank.

    kube-controller-manager

    Parameter Description Valid range / notes
    horizontalPodAutoscalerSyncPeriod How often the Horizontal Pod Autoscaler (HPA) controller recalculates the desired replica count. Default: blank (uses Kubernetes default).
    horizontalPodAutoscalerTolerance Minimum ratio change required before HPA triggers a scaling action. Prevents thrashing. Default: blank.
    concurrentTTLAfterFinishedSyncs Number of concurrent workers cleaning up TTL-expired finished jobs. Default: blank.
    concurrentHorizontalPodAutoscalerSyncs Number of concurrent HPA sync workers. Default: blank. Requires cluster version 1.26 or later.
    largeClusterSizeThreshold Node count threshold above which the cluster is treated as "large" for eviction calculations. Default: blank.
    unhealthyZoneThreshold Fraction of nodes in a zone that must be unhealthy to trigger reduced eviction rates. Default: blank.
    secondaryNodeEvictionRate Node eviction rate when the cluster is in a secondary (reduced) eviction mode. Default: blank.
    nodeEvictionRate Node eviction rate under normal conditions. Default: blank.
    terminatedPodGCThreshold Number of terminated pods that triggers garbage collection. Default: blank.
    kubeAPIQPS Maximum queries per second (QPS) from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    kubeAPIBurst Maximum burst of requests from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    concurrentCSRSyncs Number of concurrent workers processing CertificateSigningRequest (CSR) objects. Default: blank. Requires cluster version 1.32 or later.
    concurrentNodeTaintSyncs Number of concurrent workers syncing node taint conditions. Default: blank. Requires cluster version 1.32 or later.
    featureGates Enables or disables specific feature gates for the controller manager. Supported values: TTLAfterFinished. Default: blank.

    cloud-controller-manager (CCM)

    Parameter Description Valid range / notes
    routeTableIDs Comma-separated list of VPC route table IDs for CCM to manage. Default: blank. Set this if your VPC has multiple route tables. Example: vtb-,vtb*.

    kube-scheduler

    For kube-scheduler parameters, see Customize scheduler parameters.

    ACK serverless cluster Pro Edition

    kube-apiserver

    Parameter Description Valid range / notes
    enableAdmissionPlugins Enables additional admission controller plugins. Default: blank.
    requestTimeout Global timeout for API requests that do not have a specific timeout. Default: blank (uses Kubernetes default).
    defaultNotReadyTolerationSeconds Duration containers can run on a node in NotReady state before eviction. Default: blank.
    defaultUnreachableTolerationSeconds Duration containers can run on a node in Unreachable state before eviction. Default: blank.
    maxMutatingRequestsInflight Maximum number of concurrent mutating API requests. Requests above this limit are rejected. 1–1000. Default: blank.
    maxRequestsInflight Maximum number of concurrent non-mutating API requests. 1–3000. Default: blank.
    featureGates Enables or disables specific Kubernetes feature gates. Supported values: ServerSideApply, TTLAfterFinished, EphemeralContainers, RemoveSelfLink, HPAScaleToZero. Default: blank.
    Note

    HPAScaleToZero requires cluster version 1.18 or later. RemoveSelfLink cannot be modified in cluster version 1.24 or later.
    oidcIssuerURL URL of the OIDC issuer for external identity provider integration. Default: blank. Requires cluster version 1.18 or later.
    oidcClientId Client ID for the OIDC provider. Default: blank. Requires cluster version 1.18 or later.
    oidcUsernameClaim JWT claim used as the username for OIDC authentication. Default: sub. Requires cluster version 1.18 or later.
    oidcUsernamePrefix Prefix added to OIDC usernames to avoid conflicts with existing names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsPrefix Prefix added to OIDC group names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsClaim JWT claim used to populate user groups for OIDC authentication. Default: blank. Requires cluster version 1.18 or later.
    oidcRequiredClaim Key-value pairs that must be present in the OIDC ID token. Default: blank. Requires cluster version 1.18 or later.
    oidcCAContent PEM-encoded CA content for verifying the OIDC provider. Default: blank. Requires cluster version 1.18 or later.

    kube-controller-manager

    Parameter Description Valid range / notes
    horizontalPodAutoscalerSyncPeriod How often the HPA controller recalculates the desired replica count. Default: blank (uses Kubernetes default).
    horizontalPodAutoscalerTolerance Minimum ratio change required before HPA triggers a scaling action. Default: blank.
    concurrentTTLAfterFinishedSyncs Number of concurrent workers cleaning up TTL-expired finished jobs. Default: blank.
    kubeAPIQPS Maximum QPS from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    kubeAPIBurst Maximum burst of requests from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    featureGates Enables or disables specific feature gates for the controller manager. Supported values: TTLAfterFinished. Default: blank.

    kube-scheduler

    Kube-scheduler customization is available to users on the allowlist. For supported parameters, see Customize scheduler parameters.

    ACK Edge cluster Pro Edition

    kube-apiserver

    Parameter Description Valid range / notes
    enableAdmissionPlugins Enables additional admission controller plugins. Default: blank.
    serviceNodePortRange Port range for NodePort services. 10000–65535. Default: blank.
    Important

    Make sure this range does not overlap with net.ipv4.ip_local_port_range on cluster nodes. See How do I correctly configure the NodePort range?
    requestTimeout Global timeout for API requests that do not have a specific timeout. Default: blank (uses Kubernetes default).
    defaultNotReadyTolerationSeconds Duration containers can run on a node in NotReady state before eviction. Default: blank.
    defaultUnreachableTolerationSeconds Duration containers can run on a node in Unreachable state before eviction. Default: blank.
    maxMutatingRequestsInflight Maximum number of concurrent mutating API requests. Requests above this limit are rejected. 1–1000. Default: blank.
    maxRequestsInflight Maximum number of concurrent non-mutating API requests. 1–3000. Default: blank.
    featureGates Enables or disables specific Kubernetes feature gates. Supported values: ServerSideApply, TTLAfterFinished, EphemeralContainers, RemoveSelfLink, HPAScaleToZero. Default: blank.
    Note

    HPAScaleToZero requires cluster version 1.18 or later. RemoveSelfLink cannot be modified in cluster version 1.24 or later.
    oidcIssuerURL URL of the OIDC issuer for external identity provider integration. Default: blank. Requires cluster version 1.18 or later.
    oidcClientId Client ID for the OIDC provider. Default: blank. Requires cluster version 1.18 or later.
    oidcUsernameClaim JWT claim used as the username for OIDC authentication. Default: sub. Requires cluster version 1.18 or later.
    oidcUsernamePrefix Prefix added to OIDC usernames to avoid conflicts with existing names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsPrefix Prefix added to OIDC group names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsClaim JWT claim used to populate user groups for OIDC authentication. Default: blank. Requires cluster version 1.18 or later.
    oidcRequiredClaim Key-value pairs that must be present in the OIDC ID token. Default: blank. Requires cluster version 1.18 or later.
    oidcCAContent PEM-encoded CA content for verifying the OIDC provider. Default: blank. Requires cluster version 1.18 or later.

    kube-controller-manager

    Parameter Description Valid range / notes
    horizontalPodAutoscalerSyncPeriod How often the HPA controller recalculates the desired replica count. Default: blank (uses Kubernetes default).
    concurrentTTLAfterFinishedSyncs Number of concurrent workers cleaning up TTL-expired finished jobs. Default: blank.
    largeClusterSizeThreshold Node count threshold above which the cluster is treated as "large" for eviction calculations. Default: blank.
    unhealthyZoneThreshold Fraction of nodes in a zone that must be unhealthy to trigger reduced eviction rates. Default: blank.
    secondaryNodeEvictionRate Node eviction rate when the cluster is in a secondary (reduced) eviction mode. Default: blank.
    nodeEvictionRate Node eviction rate under normal conditions. Default: blank.
    podEvictionTimeout Duration after which pods on an unresponsive node are evicted. Default: blank.
    kubeAPIQPS Maximum QPS from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    kubeAPIBurst Maximum burst of requests from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    featureGates Enables or disables specific feature gates for the controller manager. Supported values: TTLAfterFinished. Default: blank.

    cloud-controller-manager (CCM)

    Parameter Description Valid range / notes
    routeTableIDs Comma-separated list of VPC route table IDs for CCM to manage. Default: blank. Set this if your VPC has multiple route tables. Example: vtb-,vtb*.

    kube-scheduler

    For kube-scheduler parameters, see Customize scheduler parameters.

    ACK LINGJUN Cluster

    kube-apiserver

    Parameter Description Valid range / notes
    enableAdmissionPlugins Enables additional admission controller plugins. Default: blank.
    serviceNodePortRange Port range for NodePort services. 10000–65535. Default: blank.
    Important

    Make sure this range does not overlap with net.ipv4.ip_local_port_range on cluster nodes. See How do I correctly configure the NodePort range?
    requestTimeout Global timeout for API requests that do not have a specific timeout. Default: blank (uses Kubernetes default).
    defaultNotReadyTolerationSeconds Duration containers can run on a node in NotReady state before eviction. Default: blank.
    defaultUnreachableTolerationSeconds Duration containers can run on a node in Unreachable state before eviction. Default: blank.
    maxMutatingRequestsInflight Maximum number of concurrent mutating API requests. Requests above this limit are rejected. 1–1000. Default: blank.
    maxRequestsInflight Maximum number of concurrent non-mutating API requests. 1–3000. Default: blank.
    featureGates Enables or disables specific Kubernetes feature gates. Supported values: ServerSideApply, TTLAfterFinished, EphemeralContainers, RemoveSelfLink, HPAScaleToZero. Default: blank.
    Note

    HPAScaleToZero requires cluster version 1.18 or later. RemoveSelfLink cannot be modified in cluster version 1.24 or later.
    oidcIssuerURL URL of the OIDC issuer for external identity provider integration. Default: blank. Requires cluster version 1.18 or later.
    oidcClientId Client ID for the OIDC provider. Default: blank. Requires cluster version 1.18 or later.
    oidcUsernameClaim JWT claim used as the username for OIDC authentication. Default: sub. Requires cluster version 1.18 or later.
    oidcUsernamePrefix Prefix added to OIDC usernames to avoid conflicts with existing names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsPrefix Prefix added to OIDC group names. Default: blank. Requires cluster version 1.18 or later.
    oidcGroupsClaim JWT claim used to populate user groups for OIDC authentication. Default: blank. Requires cluster version 1.18 or later.
    oidcRequiredClaim Key-value pairs that must be present in the OIDC ID token. Default: blank. Requires cluster version 1.18 or later.
    oidcCAContent PEM-encoded CA content for verifying the OIDC provider. Default: blank. Requires cluster version 1.18 or later.

    kube-controller-manager

    Parameter Description Valid range / notes
    horizontalPodAutoscalerSyncPeriod How often the HPA controller recalculates the desired replica count. Default: blank (uses Kubernetes default).
    horizontalPodAutoscalerTolerance Minimum ratio change required before HPA triggers a scaling action. Default: blank.
    concurrentTTLAfterFinishedSyncs Number of concurrent workers cleaning up TTL-expired finished jobs. Default: blank.
    largeClusterSizeThreshold Node count threshold above which the cluster is treated as "large" for eviction calculations. Default: blank.
    unhealthyZoneThreshold Fraction of nodes in a zone that must be unhealthy to trigger reduced eviction rates. Default: blank.
    secondaryNodeEvictionRate Node eviction rate when the cluster is in a secondary (reduced) eviction mode. Default: blank.
    nodeEvictionRate Node eviction rate under normal conditions. Default: blank.
    podEvictionTimeout Duration after which pods on an unresponsive node are evicted. Default: blank.
    kubeAPIQPS Maximum QPS from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    kubeAPIBurst Maximum burst of requests from kube-controller-manager to kube-apiserver. 1–1000. Default: blank.
    featureGates Enables or disables specific feature gates for the controller manager. Supported values: TTLAfterFinished. Default: blank.

    cloud-controller-manager (CCM)

    Parameter Description Valid range / notes
    routeTableIDs Comma-separated list of VPC route table IDs for CCM to manage. Default: blank. Set this if your VPC has multiple route tables. Example: vtb-,vtb*.

    kube-scheduler

    For kube-scheduler parameters, see Customize scheduler parameters.

    What's next