API Server
The Kubernetes API server can be tuned in the Shoot manifest under spec.kubernetes.kubeAPIServer. Default values are sufficient for most clusters — adjustments are primarily relevant under high load or for specific security requirements.
Configuration
spec:
  kubernetes:
    kubeAPIServer:
      requests:
        maxNonMutatingInflight: 400
        maxMutatingInflight: 200
      eventTTL: 1h0m0s
      logging:
        verbosity: 2
      defaultNotReadyTolerationSeconds: 300
      defaultUnreachableTolerationSeconds: 300
      enableAnonymousAuthentication: false
Fields
Rate Limiting
| Field | Default | Description |
|---|---|---|
| requests.maxNonMutatingInflight | 400 | Maximum concurrent read requests (GET, LIST, WATCH) |
| requests.maxMutatingInflight | 200 | Maximum concurrent write requests (POST, PUT, DELETE, PATCH) |
For clusters with many parallel CI/CD pipelines or operators, increasing these values may be appropriate. Excessively high values can put the API server under memory pressure.
Events
| Field | Default | Description |
|---|---|---|
| eventTTL | 1h0m0s | Retention time for Kubernetes events. Longer values increase etcd storage requirements. |
Node Tolerations
| Field | Default | Description |
|---|---|---|
| defaultNotReadyTolerationSeconds | 300 | Time pods remain on a NotReady node before being evicted |
| defaultUnreachableTolerationSeconds | 300 | Time pods remain on an Unreachable node before being evicted |
These values are automatically added as default tolerations to every pod that does not define its own tolerations for node.kubernetes.io/not-ready or node.kubernetes.io/unreachable.
Logging
| Field | Default | Description |
|---|---|---|
| logging.verbosity | 2 | API server log verbosity (0–10). Values above 4 produce very large log volumes. |
Anonymous Authentication
| Field | Default | Description |
|---|---|---|
| enableAnonymousAuthentication | false | Allows unauthenticated requests to the API server. Should remain disabled in production environments. |
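
A review check for the fields above, as an added example that is not part of the original page or of the project's tooling: it takes a parsed Shoot manifest and reports settings that depart from this page's guidance. The function name, the severity labels and the sample manifest are assumptions made for illustration.

```python
import json

# Defaults as listed in the tables on this page.
DEFAULTS = {"maxNonMutatingInflight": 400, "maxMutatingInflight": 200, "verbosity": 2}

def audit_kube_apiserver(shoot):
    """Return a list of findings for spec.kubernetes.kubeAPIServer."""
    spec = shoot.get("spec") or {}
    cfg = (spec.get("kubernetes") or {}).get("kubeAPIServer") or {}
    findings = []

    # An unset field keeps the default (false); only an explicit true is flagged.
    if cfg.get("enableAnonymousAuthentication") is True:
        findings.append("HIGH enableAnonymousAuthentication=true: "
                        "unauthenticated requests reach the API server")

    verbosity = (cfg.get("logging") or {}).get("verbosity", DEFAULTS["verbosity"])
    if not isinstance(verbosity, int) or not 0 <= verbosity <= 10:
        findings.append(f"ERROR logging.verbosity={verbosity!r}: outside 0-10")
    elif verbosity > 4:
        findings.append(f"WARN logging.verbosity={verbosity}: very large log volume")

    requests = cfg.get("requests") or {}
    for key in ("maxNonMutatingInflight", "maxMutatingInflight"):
        value = requests.get(key, DEFAULTS[key])
        if isinstance(value, int) and value > DEFAULTS[key]:
            findings.append(f"INFO requests.{key}={value} exceeds default "
                            f"{DEFAULTS[key]}: check API server memory headroom")
    return findings

# Constructed sample manifest (JSON form), not taken from a real cluster.
SAMPLE_SHOOT = json.loads("""
{"spec": {"kubernetes": {"kubeAPIServer": {
    "enableAnonymousAuthentication": true,
    "logging": {"verbosity": 6},
    "requests": {"maxMutatingInflight": 800}
}}}}
""")

if __name__ == "__main__":
    for finding in audit_kube_apiserver(SAMPLE_SHOOT):
        print(finding)
```

A manifest that omits `kubeAPIServer` entirely produces no findings, because the documented defaults apply.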
Audit Logging
Audit logging is configured via the Auditing Extension.