KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
    kube-proxy -

SYNOPSIS
    kube-proxy [OPTIONS]

DESCRIPTION
    The Kubernetes network proxy runs on each node. This reflects services
    as defined in the Kubernetes API on each node and can do simple TCP,
    UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP
    forwarding across a set of backends. Service cluster IPs and ports are
    currently found through Docker-links-compatible environment variables
    specifying ports opened by the service proxy. There is an optional
    addon that provides cluster DNS for these cluster IPs. The user must
    create a service with the apiserver API to configure the proxy.

OPTIONS
--allow_dynamic_housekeeping=true
    Whether to allow the housekeeping interval to be dynamic

--application_metrics_count_limit=100
    Max number of application metrics to store (per container)

--azure-container-registry-config=""
    Path to the file containing Azure container registry configuration
    information.

--bind-address=0.0.0.0
    The IP address for the proxy server to serve on (set to '0.0.0.0' for
    all IPv4 interfaces and '::' for all IPv6 interfaces). This parameter
    is ignored if a config file is specified by --config.

--bind-address-hard-fail=false
    If true kube-proxy will treat failure to bind to a port as fatal and
    exit

--boot_id_file="/proc/sys/kernel/random/boot_id"
    Comma-separated list of files to check for boot-id. Use the first one
    that exists.

--cleanup=false
    If true cleanup iptables and ipvs rules and exit.

--cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
    CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
    CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks

--cluster-cidr=""
    The CIDR range of pods in the cluster. When configured, traffic sent
    to a Service cluster IP from outside this range will be masqueraded
    and traffic sent from pods to an external LoadBalancer IP will be
    directed to the respective cluster IP instead. For dual-stack
    clusters, a comma-separated list is accepted with at least one CIDR
    per IP family (IPv4 and IPv6). This parameter is ignored if a config
    file is specified by --config.

--config=""
    The path to the configuration file.

--config-sync-period=15m0s
    How often configuration from the apiserver is refreshed. Must be
    greater than 0.

--conntrack-max-per-core=32768
    Maximum number of NAT connections to track per CPU core (0 to leave
    the limit as-is and ignore conntrack-min).

--conntrack-min=131072
    Minimum number of conntrack entries to allocate, regardless of
    conntrack-max-per-core (set conntrack-max-per-core=0 to leave the
    limit as-is).

--conntrack-tcp-timeout-close-wait=1h0m0s
    NAT timeout for TCP connections in the CLOSE_WAIT state

--conntrack-tcp-timeout-established=24h0m0s
    Idle timeout for established TCP connections (0 to leave as-is)

--container_hints="/etc/cadvisor/container_hints.json"
    location of the container hints file

--containerd="/run/containerd/containerd.sock"
    containerd endpoint

--containerd-namespace="k8s.io"
    containerd namespace

--containerd_env_metadata_whitelist=""
    DEPRECATED: this flag will be removed, please use
    env_metadata_whitelist. A comma-separated list of environment variable
    keys matched with specified prefix that needs to be collected for
    containerd containers

--default-not-ready-toleration-seconds=300
    Indicates the tolerationSeconds of the toleration for
    notReady:NoExecute that is added by default to every pod that does not
    already have such a toleration.

--default-unreachable-toleration-seconds=300
    Indicates the tolerationSeconds of the toleration for
    unreachable:NoExecute that is added by default to every pod that does
    not already have such a toleration.

--detect-local-mode=
    Mode to use to detect local traffic. This parameter is ignored if a
    config file is specified by --config.

--disable_root_cgroup_stats=false
    Disable collecting root Cgroup stats

--docker_only=false
    Only report docker containers in addition to root stats

--enable_load_reader=false
    Whether to enable cpu load reader

--event_storage_age_limit="default=0"
    Max length of time for which to store events (per type). Value is a
    comma separated list of key values, where the keys are event types
    (e.g.: creation, oom) or "default" and the value is a duration.
    Default is applied to all non-specified event types

--event_storage_event_limit="default=0"
    Max number of events to store (per type). Value is a comma separated
    list of key values, where the keys are event types (e.g.: creation,
    oom) or "default" and the value is an integer. Default is applied to
    all non-specified event types

--feature-gates=
    A set of key=value pairs that describe feature gates for
    alpha/experimental features. Options are:
        APIListChunking=true|false (BETA - default=true)
        APIPriorityAndFairness=true|false (BETA - default=true)
        APIResponseCompression=true|false (BETA - default=true)
        APIServerIdentity=true|false (ALPHA - default=false)
        APIServerTracing=true|false (ALPHA - default=false)
        AllAlpha=true|false (ALPHA - default=false)
        AllBeta=true|false (BETA - default=false)
        AnyVolumeDataSource=true|false (BETA - default=true)
        AppArmor=true|false (BETA - default=true)
        CPUManager=true|false (BETA - default=true)
        CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
        CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
        CPUManagerPolicyOptions=true|false (BETA - default=true)
        CSIMigrationAzureFile=true|false (BETA - default=true)
        CSIMigrationPortworx=true|false (BETA - default=false)
        CSIMigrationRBD=true|false (ALPHA - default=false)
        CSIMigrationvSphere=true|false (BETA - default=true)
        CSINodeExpandSecret=true|false (ALPHA - default=false)
        CSIVolumeHealth=true|false (ALPHA - default=false)
        ContainerCheckpoint=true|false (ALPHA - default=false)
        ContextualLogging=true|false (ALPHA - default=false)
        CronJobTimeZone=true|false (BETA - default=true)
        CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
        CustomResourceValidationExpressions=true|false (BETA - default=true)
        DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
        DevicePlugins=true|false (BETA - default=true)
        DisableCloudProviders=true|false (ALPHA - default=false)
        DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
        DownwardAPIHugePages=true|false (BETA - default=true)
        EndpointSliceTerminatingCondition=true|false (BETA - default=true)
        ExpandedDNSConfig=true|false (ALPHA - default=false)
        ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
        GRPCContainerProbe=true|false (BETA - default=true)
        GracefulNodeShutdown=true|false (BETA - default=true)
        GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
        HPAContainerMetrics=true|false (ALPHA - default=false)
        HPAScaleToZero=true|false (ALPHA - default=false)
        HonorPVReclaimPolicy=true|false (ALPHA - default=false)
        IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
        InTreePluginAWSUnregister=true|false (ALPHA - default=false)
        InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
        InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
        InTreePluginGCEUnregister=true|false (ALPHA - default=false)
        InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
        InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
        InTreePluginRBDUnregister=true|false (ALPHA - default=false)
        InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
        JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
        JobPodFailurePolicy=true|false (ALPHA - default=false)
        JobReadyPods=true|false (BETA - default=true)
        JobTrackingWithFinalizers=true|false (BETA - default=true)
        KMSv2=true|false (ALPHA - default=false)
        KubeletCredentialProviders=true|false (BETA - default=true)
        KubeletInUserNamespace=true|false (ALPHA - default=false)
        KubeletPodResources=true|false (BETA - default=true)
        KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
        KubeletTracing=true|false (ALPHA - default=false)
        LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
        LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
        LogarithmicScaleDown=true|false (BETA - default=true)
        LoggingAlphaOptions=true|false (ALPHA - default=false)
        LoggingBetaOptions=true|false (BETA - default=true)
        MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
        MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
        MemoryManager=true|false (BETA - default=true)
        MemoryQoS=true|false (ALPHA - default=false)
        MinDomainsInPodTopologySpread=true|false (BETA - default=false)
        MixedProtocolLBService=true|false (BETA - default=true)
        MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
        NetworkPolicyStatus=true|false (ALPHA - default=false)
        NodeInclusionPolicyInPodTopologySpread=true|false (ALPHA - default=false)
        NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
        NodeSwap=true|false (ALPHA - default=false)
        OpenAPIEnums=true|false (BETA - default=true)
        OpenAPIV3=true|false (BETA - default=true)
        PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
        PodDeletionCost=true|false (BETA - default=true)
        PodDisruptionConditions=true|false (ALPHA - default=false)
        PodHasNetworkCondition=true|false (ALPHA - default=false)
        ProbeTerminationGracePeriod=true|false (BETA - default=true)
        ProcMountType=true|false (ALPHA - default=false)
        ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
        QOSReserved=true|false (ALPHA - default=false)
        ReadWriteOncePod=true|false (ALPHA - default=false)
        RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
        RemainingItemCount=true|false (BETA - default=true)
        RetroactiveDefaultStorageClass=true|false (ALPHA - default=false)
        RotateKubeletServerCertificate=true|false (BETA - default=true)
        SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
        SeccompDefault=true|false (BETA - default=true)
        ServerSideFieldValidation=true|false (BETA - default=true)
        ServiceIPStaticSubrange=true|false (BETA - default=true)
        ServiceInternalTrafficPolicy=true|false (BETA - default=true)
        SizeMemoryBackedVolumes=true|false (BETA - default=true)
        StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
        StorageVersionAPI=true|false (ALPHA - default=false)
        StorageVersionHash=true|false (BETA - default=true)
        TopologyAwareHints=true|false (BETA - default=true)
        TopologyManager=true|false (BETA - default=true)
        UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
        VolumeCapacityPriority=true|false (ALPHA - default=false)
        WinDSR=true|false (ALPHA - default=false)
        WinOverlay=true|false (BETA - default=true)
        WindowsHostProcessContainers=true|false (BETA - default=true)
    This parameter is ignored if a config file is specified by --config.

--global_housekeeping_interval=1m0s
    Interval between global housekeepings

--healthz-bind-address=0.0.0.0:10256
    The IP address with port for the health check server to serve on (set
    to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all
    IPv6 interfaces). Set empty to disable. This parameter is ignored if a
    config file is specified by --config.

--healthz-port=10256
    The port to bind the health check server. Use 0 to disable.

--hostname-override=""
    If non-empty, will use this string as identification instead of the
    actual hostname.

--housekeeping_interval=10s
    Interval between container housekeepings

--iptables-masquerade-bit=14
    If using the pure iptables proxy, the bit of the fwmark space to mark
    packets requiring SNAT with. Must be within the range [0, 31].

--iptables-min-sync-period=1s
    The minimum interval of how often the iptables rules can be refreshed
    as endpoints and services change (e.g. '5s', '1m', '2h22m').

--iptables-sync-period=30s
    The maximum interval of how often iptables rules are refreshed (e.g.
    '5s', '1m', '2h22m'). Must be greater than 0.

--ipvs-exclude-cidrs=[]
    A comma-separated list of CIDRs which the ipvs proxier should not
    touch when cleaning up IPVS rules.

--ipvs-min-sync-period=0s
    The minimum interval of how often the ipvs rules can be refreshed as
    endpoints and services change (e.g. '5s', '1m', '2h22m').

--ipvs-scheduler=""
    The ipvs scheduler type when proxy mode is ipvs

--ipvs-strict-arp=false
    Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2

--ipvs-sync-period=30s
    The maximum interval of how often ipvs rules are refreshed (e.g. '5s',
    '1m', '2h22m'). Must be greater than 0.

--ipvs-tcp-timeout=0s
    The timeout for idle IPVS TCP connections, 0 to leave as-is. (e.g.
    '5s', '1m', '2h22m').

--ipvs-tcpfin-timeout=0s
    The timeout for IPVS TCP connections after receiving a FIN packet, 0
    to leave as-is. (e.g. '5s', '1m', '2h22m').

--ipvs-udp-timeout=0s
    The timeout for IPVS UDP packets, 0 to leave as-is. (e.g. '5s', '1m',
    '2h22m').

--kube-api-burst=10
    Burst to use while talking with kubernetes apiserver

--kube-api-content-type="application/vnd.kubernetes.protobuf"
    Content type of requests sent to apiserver.

--kube-api-qps=5
    QPS to use while talking with kubernetes apiserver

--kubeconfig=""
    Path to kubeconfig file with authorization information (the master
    location can be overridden by the master flag).

--log_cadvisor_usage=false
    Whether to log the usage of the cAdvisor container

--machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
    Comma-separated list of files to check for machine-id. Use the first
    one that exists.

--masquerade-all=false
    If using the pure iptables proxy, SNAT all traffic sent via Service
    cluster IPs (this is not commonly needed)

--master=""
    The address of the Kubernetes API server (overrides any value in
    kubeconfig)

--max_housekeeping_interval=1m0s
    Largest interval to allow between container housekeepings

--metrics-bind-address=127.0.0.1:10249
    The IP address with port for the metrics server to serve on (set to
    '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6
    interfaces). Set empty to disable. This parameter is ignored if a
    config file is specified by --config.

--metrics-port=10249
    The port to bind the metrics server. Use 0 to disable.

--nodeport-addresses=[]
    A string slice of values which specify the addresses to use for
    NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24,
    1.2.3.4/32). The default empty string slice ([]) means to use all
    local addresses. This parameter is ignored if a config file is
    specified by --config.

--oom-score-adj=-999
    The oom-score-adj value for kube-proxy process. Values must be within
    the range [-1000, 1000]. This parameter is ignored if a config file is
    specified by --config.

--pod-bridge-interface=""
    A bridge interface name in the cluster. Kube-proxy considers traffic
    as local if originating from an interface which matches the value.
    This argument should be set if DetectLocalMode is set to
    BridgeInterface.

--pod-interface-name-prefix=""
    An interface prefix in the cluster. Kube-proxy considers traffic as
    local if originating from interfaces that match the given prefix. This
    argument should be set if DetectLocalMode is set to
    InterfaceNamePrefix.

--profiling=false
    If true enables profiling via web interface on /debug/pprof handler.
    This parameter is ignored if a config file is specified by --config.

--proxy-mode=
    Which proxy mode to use: 'iptables' (Linux-only), 'ipvs' (Linux-only),
    'kernelspace' (Windows-only), or 'userspace' (Linux/Windows,
    deprecated). The default value is 'iptables' on Linux and 'userspace'
    on Windows (will be 'kernelspace' in a future release). This parameter
    is ignored if a config file is specified by --config.

--proxy-port-range=
    Range of host ports (beginPort-endPort, single port or
    beginPort+offset, inclusive) that may be consumed in order to proxy
    service traffic. If (unspecified, 0, or 0-0) then ports will be
    randomly chosen.

--referenced_reset_interval=0
    Reset interval for referenced bytes (container_referenced_bytes
    metric), number of measurement cycles after which referenced bytes are
    cleared, if set to 0 referenced bytes are never cleared (default: 0)

--show-hidden-metrics-for-version=""
    The previous version for which you want to show hidden metrics. Only
    the previous minor version is meaningful, other values will not be
    allowed. The format is ., e.g.: '1.16'. The purpose of this format is
    to make sure you have the opportunity to notice if the next release
    hides additional metrics, rather than being surprised when they are
    permanently removed in the release after that. This parameter is
    ignored if a config file is specified by --config.

--storage_driver_buffer_duration=1m0s
    Writes in the storage driver will be buffered for this duration, and
    committed to the non memory backends as a single transaction

--storage_driver_db="cadvisor"
    database name

--storage_driver_host="localhost:8086"
    database host:port

--storage_driver_password="root"
    database password

--storage_driver_secure=false
    use secure connection with database

--storage_driver_table="stats"
    table name

--storage_driver_user="root"
    database username

--udp-timeout=250ms
    How long an idle UDP connection will be kept open (e.g. '250ms',
    '2s'). Must be greater than 0. Only applicable for
    proxy-mode=userspace

--update_machine_info_interval=5m0s
    Interval between machine info updates.

--version=false
    Print version information and quit

--write-config-to=""
    If set, write the default configuration values to this file and exit.

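The listener options above (--healthz-bind-address, --metrics-bind-address, --profiling, --nodeport-addresses) decide what a node exposes, and all of them are ignored when --config is given. The following is an added example, not part of this manual page or of the Kubernetes project: it checks a kube-proxy command line against the defaults documented above. It assumes flags are written as --flag=value; the finding names and the sample command lines are constructed for illustration.

```python
import ipaddress
import shlex

# Defaults as documented in the option list above.
DEFAULTS = {
    "--healthz-bind-address": "0.0.0.0:10256",
    "--metrics-bind-address": "127.0.0.1:10249",
    "--nodeport-addresses": "",
    "--profiling": "false",
    "--config": "",
}


def parse_flags(cmdline):
    """Return {flag: value} for --flag=value tokens; a bare --flag means 'true'."""
    flags = dict(DEFAULTS)
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            flags[name] = value if sep else "true"
    return flags


def binds_all_interfaces(addr):
    """True if 'host:port' or '[v6]:port' uses an unspecified (wildcard) host."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    return ipaddress.ip_address(host).is_unspecified


def audit(cmdline):
    """Return a sorted list of finding names (hypothetical labels) for one command line."""
    flags = parse_flags(cmdline)
    if flags["--config"]:
        # The flags checked below are ignored with --config, so judging them
        # would be misleading; the config file has to be reviewed instead.
        return ["review-config-file"]
    findings = []
    for flag, tag in (("--healthz-bind-address", "healthz"),
                      ("--metrics-bind-address", "metrics")):
        addr = flags[flag]
        if addr and binds_all_interfaces(addr):  # an empty value disables the server
            findings.append(tag + "-on-all-interfaces")
    if flags["--profiling"].lower() == "true":
        findings.append("pprof-enabled")
    if flags["--nodeport-addresses"] in ("", "[]"):
        findings.append("nodeports-on-all-local-addresses")
    return sorted(findings)


# Constructed sample command lines (not taken from a real cluster).
SAMPLES = {
    "defaults": "kube-proxy --kubeconfig=/etc/kp.conf",
    "exposed": "kube-proxy --metrics-bind-address=[::]:10249 --profiling",
    "scoped": "kube-proxy --healthz-bind-address= --nodeport-addresses=10.0.0.0/24",
    "file": "kube-proxy --config=/etc/kp.yaml --metrics-bind-address=0.0.0.0:10249",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit(cmd))
```

With no listener flags set, the documented defaults already report the health check server and NodePorts as reachable on all addresses; the metrics server is reported only when it is moved off 127.0.0.1.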
HISTORY
    January 2015, Originally compiled by Eric Paris (eparis at redhat dot
    com) based on the kubernetes source material, but hopefully they have
    been automatically generated since!