Controller Flags

The controller manager accepts the following command-line flags.

Operator-Specific Flags

| Flag | Default | Description |
| --- | --- | --- |
| `--drift-policy` | `enforce` | How to handle external drift on AWS resources. See Drift Detection for details. |
| `--aws-region` | (SDK default) | AWS region for CloudFront API calls. If not set, uses AWS SDK default resolution (environment variables, config file, IMDS). |
| `--max-concurrent-reconciles` | `1` | Maximum number of concurrent reconcile loops. Higher values improve throughput when managing many tenants but increase AWS API usage. |

Drift Policy Values

| Value | Behavior |
| --- | --- |
| `enforce` | Overwrite the AWS state with the K8s spec. The spec is treated as the single source of truth. |
| `report` | Log the drift and set status conditions, but do not modify the AWS state. |
| `suspend` | Skip drift detection entirely. Useful during planned maintenance windows when AWS resources are modified manually. |

Infrastructure Flags

| Flag | Default | Description |
| --- | --- | --- |
| `--metrics-bind-address` | `0` | Address for the metrics endpoint. Use `:8443` for HTTPS or `:8080` for HTTP. `0` disables metrics. |
| `--health-probe-bind-address` | `:8081` | Address for health and readiness probes. |
| `--leader-elect` | `false` | Enable leader election for controller manager. Required for HA deployments with multiple replicas. |
| `--metrics-secure` | `true` | Serve the metrics endpoint over HTTPS. Set to `false` for HTTP. |
| `--enable-http2` | `false` | Enable HTTP/2 for metrics and webhook servers. |

TLS Certificate Flags

These flags provide custom TLS certificates in place of the auto-generated self-signed ones. They are only needed in production when using cert-manager or another certificate provider.

| Flag | Default | Description |
| --- | --- | --- |
| `--metrics-cert-path` | (empty) | Directory containing the metrics server TLS certificate and key. |
| `--metrics-cert-name` | `tls.crt` | Filename of the metrics server certificate within the cert directory. |
| `--metrics-cert-key` | `tls.key` | Filename of the metrics server private key within the cert directory. |
| `--webhook-cert-path` | (empty) | Directory containing the webhook server TLS certificate and key. |
| `--webhook-cert-name` | `tls.crt` | Filename of the webhook server certificate within the cert directory. |
| `--webhook-cert-key` | `tls.key` | Filename of the webhook server private key within the cert directory. |
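
The flags above interact: `--metrics-secure` only matters when metrics are enabled, and `--leader-elect` only matters with more than one replica. The Go check below is an added example, not the operator's own code; it parses an argument list with the documented defaults and reports settings that weaken a deployment. The flag types, the `audit` function, its replica-count parameter and the sample arguments are assumptions.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// audit (hypothetical helper) parses args with the documented defaults; replicas is the Deployment replica count.
func audit(args []string, replicas int) ([]string, error) {
	fs := flag.NewFlagSet("manager", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	drift := fs.String("drift-policy", "enforce", "")
	bind := fs.String("metrics-bind-address", "0", "")
	secure := fs.Bool("metrics-secure", true, "")
	elect := fs.Bool("leader-elect", false, "")
	certPath := fs.String("metrics-cert-path", "", "")
	// Flags this check does not evaluate still have to be registered to parse.
	for _, n := range []string{"aws-region", "health-probe-bind-address", "metrics-cert-name", "metrics-cert-key", "webhook-cert-path", "webhook-cert-name", "webhook-cert-key"} {
		fs.String(n, "", "")
	}
	fs.Int("max-concurrent-reconciles", 1, "")
	fs.Bool("enable-http2", false, "")
	if err := fs.Parse(args); err != nil {
		return nil, err // unknown flag or malformed value
	}
	var out []string
	switch *drift {
	case "enforce": // documented default, nothing to report
	case "report", "suspend":
		out = append(out, "drift-policy="+*drift+": external changes to AWS resources are not reverted")
	default:
		out = append(out, "drift-policy="+*drift+": not a documented value")
	}
	if *bind != "0" && !*secure {
		out = append(out, "metrics served over plain HTTP on "+*bind)
	} else if *bind != "0" && *certPath == "" {
		out = append(out, "metrics use the auto-generated self-signed certificate")
	}
	if replicas > 1 && !*elect {
		out = append(out, "leader-elect is off with multiple replicas")
	}
	return out, nil
}

func main() {
	// Constructed argument list, not taken from a real deployment.
	fmt.Println(audit([]string{"--drift-policy=report", "--metrics-bind-address=:8080", "--metrics-secure=false"}, 2))
}
```

An empty result means the arguments match the documented defaults or a configuration with custom metrics certificates and leader election where it is required.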