KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-proxy -

SYNOPSIS

       kube-proxy [OPTIONS]

DESCRIPTION

       The Kubernetes network proxy runs on each node. This reflects services
       as defined in the Kubernetes API on each node and can do simple TCP,
       UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP
       forwarding across a set of backends. Service cluster IPs and ports are
       currently found through Docker-links-compatible environment variables
       specifying ports opened by the service proxy. There is an optional
       addon that provides cluster DNS for these cluster IPs. The user must
       create a service with the apiserver API to configure the proxy.

OPTIONS

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address for the proxy server to
       serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all
       IPv6 interfaces)

       --bind-address-hard-fail=false      If true kube-proxy will treat
       failure to bind to a port as fatal and exit

       --cleanup=false      If true cleanup iptables and ipvs rules and exit.

       --cleanup-ipvs=true      If true and --cleanup is specified, kube-proxy
       will also flush IPVS rules, in addition to normal cleanup.

       --cluster-cidr=""      The CIDR range of pods in the cluster. When
       configured, traffic sent to a Service cluster IP from outside this
       range will be masqueraded and traffic sent from pods to an external
       LoadBalancer IP will be directed to the respective cluster IP instead

       --config=""      The path to the configuration file.

       --config-sync-period=15m0s      How often configuration from the
       apiserver is refreshed.  Must be greater than 0.

       --conntrack-max-per-core=32768      Maximum number of NAT connections
       to track per CPU core (0 to leave the limit as-is and ignore
       conntrack-min).

       --conntrack-min=131072      Minimum number of conntrack entries to
       allocate, regardless of conntrack-max-per-core (set
       conntrack-max-per-core=0 to leave the limit as-is).

       --conntrack-tcp-timeout-close-wait=1h0m0s      NAT timeout for TCP
       connections in the CLOSE_WAIT state

       --conntrack-tcp-timeout-established=24h0m0s      Idle timeout for
       established TCP connections (0 to leave as-is)

       --detect-local-mode=      Mode to use to detect local traffic

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
           APIListChunking=true|false (BETA - default=true)
           APIPriorityAndFairness=true|false (BETA - default=true)
           APIResponseCompression=true|false (BETA - default=true)
           APIServerIdentity=true|false (ALPHA - default=false)
           AllAlpha=true|false (ALPHA - default=false)
           AllBeta=true|false (BETA - default=false)
           AllowInsecureBackendProxy=true|false (BETA - default=true)
           AnyVolumeDataSource=true|false (ALPHA - default=false)
           AppArmor=true|false (BETA - default=true)
           BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
           BoundServiceAccountTokenVolume=true|false (ALPHA - default=false)
           CPUManager=true|false (BETA - default=true)
           CRIContainerLogRotation=true|false (BETA - default=true)
           CSIInlineVolume=true|false (BETA - default=true)
           CSIMigration=true|false (BETA - default=true)
           CSIMigrationAWS=true|false (BETA - default=false)
           CSIMigrationAWSComplete=true|false (ALPHA - default=false)
           CSIMigrationAzureDisk=true|false (BETA - default=false)
           CSIMigrationAzureDiskComplete=true|false (ALPHA - default=false)
           CSIMigrationAzureFile=true|false (ALPHA - default=false)
           CSIMigrationAzureFileComplete=true|false (ALPHA - default=false)
           CSIMigrationGCE=true|false (BETA - default=false)
           CSIMigrationGCEComplete=true|false (ALPHA - default=false)
           CSIMigrationOpenStack=true|false (BETA - default=false)
           CSIMigrationOpenStackComplete=true|false (ALPHA - default=false)
           CSIMigrationvSphere=true|false (BETA - default=false)
           CSIMigrationvSphereComplete=true|false (BETA - default=false)
           CSIServiceAccountToken=true|false (ALPHA - default=false)
           CSIStorageCapacity=true|false (ALPHA - default=false)
           CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
           ConfigurableFSGroupPolicy=true|false (BETA - default=true)
           CronJobControllerV2=true|false (ALPHA - default=false)
           CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
           DefaultPodTopologySpread=true|false (BETA - default=true)
           DevicePlugins=true|false (BETA - default=true)
           DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
           DownwardAPIHugePages=true|false (ALPHA - default=false)
           DynamicKubeletConfig=true|false (BETA - default=true)
           EfficientWatchResumption=true|false (ALPHA - default=false)
           EndpointSlice=true|false (BETA - default=true)
           EndpointSliceNodeName=true|false (ALPHA - default=false)
           EndpointSliceProxying=true|false (BETA - default=true)
           EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
           EphemeralContainers=true|false (ALPHA - default=false)
           ExpandCSIVolumes=true|false (BETA - default=true)
           ExpandInUsePersistentVolumes=true|false (BETA - default=true)
           ExpandPersistentVolumes=true|false (BETA - default=true)
           ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
           GenericEphemeralVolume=true|false (ALPHA - default=false)
           GracefulNodeShutdown=true|false (ALPHA - default=false)
           HPAContainerMetrics=true|false (ALPHA - default=false)
           HPAScaleToZero=true|false (ALPHA - default=false)
           HugePageStorageMediumSize=true|false (BETA - default=true)
           IPv6DualStack=true|false (ALPHA - default=false)
           ImmutableEphemeralVolumes=true|false (BETA - default=true)
           KubeletCredentialProviders=true|false (ALPHA - default=false)
           KubeletPodResources=true|false (BETA - default=true)
           LegacyNodeRoleBehavior=true|false (BETA - default=true)
           LocalStorageCapacityIsolation=true|false (BETA - default=true)
           LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
           MixedProtocolLBService=true|false (ALPHA - default=false)
           NodeDisruptionExclusion=true|false (BETA - default=true)
           NonPreemptingPriority=true|false (BETA - default=true)
           PodDisruptionBudget=true|false (BETA - default=true)
           PodOverhead=true|false (BETA - default=true)
           ProcMountType=true|false (ALPHA - default=false)
           QOSReserved=true|false (ALPHA - default=false)
           RemainingItemCount=true|false (BETA - default=true)
           RemoveSelfLink=true|false (BETA - default=true)
           RootCAConfigMap=true|false (BETA - default=true)
           RotateKubeletServerCertificate=true|false (BETA - default=true)
           RunAsGroup=true|false (BETA - default=true)
           ServerSideApply=true|false (BETA - default=true)
           ServiceAccountIssuerDiscovery=true|false (BETA - default=true)
           ServiceLBNodePortControl=true|false (ALPHA - default=false)
           ServiceNodeExclusion=true|false (BETA - default=true)
           ServiceTopology=true|false (ALPHA - default=false)
           SetHostnameAsFQDN=true|false (BETA - default=true)
           SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
           StorageVersionAPI=true|false (ALPHA - default=false)
           StorageVersionHash=true|false (BETA - default=true)
           Sysctls=true|false (BETA - default=true)
           TTLAfterFinished=true|false (ALPHA - default=false)
           TopologyManager=true|false (BETA - default=true)
           ValidateProxyRedirects=true|false (BETA - default=true)
           WarningHeaders=true|false (BETA - default=true)
           WinDSR=true|false (ALPHA - default=false)
           WinOverlay=true|false (BETA - default=true)
           WindowsEndpointSliceProxying=true|false (ALPHA - default=false)

       --healthz-bind-address=0.0.0.0:10256      The IP address with port for
       the health check server to serve on (set to '0.0.0.0:10256' for all
       IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to
       disable.

       --healthz-port=10256      The port to bind the health check server. Use
       0 to disable.

       --hostname-override=""      If non-empty, will use this string as
       identification instead of the actual hostname.

       --iptables-masquerade-bit=14      If using the pure iptables proxy, the
       bit of the fwmark space to mark packets requiring SNAT with.  Must be
       within the range [0, 31].

       --iptables-min-sync-period=1s      The minimum interval of how often
       the iptables rules can be refreshed as endpoints and services change
       (e.g. '5s', '1m', '2h22m').

       --iptables-sync-period=30s      The maximum interval of how often
       iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be
       greater than 0.

       --ipvs-exclude-cidrs=[]      A comma-separated list of CIDRs which the
       ipvs proxier should not touch when cleaning up IPVS rules.

       --ipvs-min-sync-period=0s      The minimum interval of how often the
       ipvs rules can be refreshed as endpoints and services change (e.g.
       '5s', '1m', '2h22m').

       --ipvs-scheduler=""      The ipvs scheduler type when proxy mode is
       ipvs

       --ipvs-strict-arp=false      Enable strict ARP by setting arp_ignore to
       1 and arp_announce to 2

       --ipvs-sync-period=30s      The maximum interval of how often ipvs
       rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than
       0.

       --ipvs-tcp-timeout=0s      The timeout for idle IPVS TCP connections, 0
       to leave as-is. (e.g. '5s', '1m', '2h22m').

       --ipvs-tcpfin-timeout=0s      The timeout for IPVS TCP connections
       after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m',
       '2h22m').

       --ipvs-udp-timeout=0s      The timeout for IPVS UDP packets, 0 to leave
       as-is. (e.g. '5s', '1m', '2h22m').

       --kube-api-burst=10      Burst to use while talking with kubernetes
       apiserver

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
       Content type of requests sent to apiserver.

       --kube-api-qps=5      QPS to use while talking with kubernetes
       apiserver

       --kubeconfig=""      Path to kubeconfig file with authorization
       information (the master location can be overridden by the master flag).

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --masquerade-all=false      If using the pure iptables proxy, SNAT all
       traffic sent via Service cluster IPs (this is not commonly needed)

       --master=""      The address of the Kubernetes API server (overrides
       any value in kubeconfig)

       --metrics-bind-address=127.0.0.1:10249      The IP address with port
       for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4
       interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to
       disable.

       --metrics-port=10249      The port to bind the metrics server. Use 0 to
       disable.

       --nodeport-addresses=[]      A string slice of values which specify the
       addresses to use for NodePorts. Values may be valid IP blocks (e.g.
       1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to
       use all local addresses.

       --oom-score-adj=-999      The oom-score-adj value for kube-proxy
       process. Values must be within the range [-1000, 1000]

       --profiling=false      If true enables profiling via web interface on
       /debug/pprof handler.

       --proxy-mode=      Which proxy mode to use: 'userspace' (older) or
       'iptables' (faster) or 'ipvs' or 'kernelspace' (windows). If blank, use
       the best-available proxy (currently iptables). If the iptables proxy is
       selected, regardless of how, but the system's kernel or iptables
       versions are insufficient, this always falls back to the userspace
       proxy.

       --proxy-port-range=      Range of host ports (beginPort-endPort, single
       port or beginPort+offset, inclusive) that may be consumed in order to
       proxy service traffic. If (unspecified, 0, or 0-0) then ports will be
       randomly chosen.

       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.

       --udp-timeout=250ms      How long an idle UDP connection will be kept
       open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for
       proxy-mode=userspace

       --version=false      Print version information and quit

       --write-config-to=""      If set, write the default configuration
       values to this file and exit.
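
       The listener options above decide what kube-proxy exposes beyond the
       node. The following audit of a kube-proxy command line is an added
       example, not part of kube-proxy or this manual; the function names are
       hypothetical, the defaults are copied from the OPTIONS text, and
       listener values are assumed to be in host:port form.

```python
import ipaddress

# Defaults copied from the OPTIONS section above.
DEFAULTS = {
    "healthz-bind-address": "0.0.0.0:10256",
    "metrics-bind-address": "127.0.0.1:10249",
    "nodeport-addresses": "",
    "profiling": "false",
}
BOOLEAN = {"profiling"}  # flags that may appear bare, meaning "true"

def parse_flags(argv):
    """Overlay '--key=value', '--key value' and bare boolean flags on DEFAULTS."""
    flags, args = dict(DEFAULTS), list(argv)
    while args:
        arg = args.pop(0)
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        if not sep:
            value = "true" if key in BOOLEAN else (args.pop(0) if args else "")
        flags[key] = value.strip("'\"")
    return flags

def exposure(hostport):
    """Classify a host:port listener as disabled, loopback, all or specific."""
    if not hostport:
        return "disabled"  # "Set empty to disable."
    host = hostport.rpartition(":")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # An empty host binds every interface; anything else is not loopback.
        return "all" if host == "" else "specific"
    if ip.is_unspecified:
        return "all"
    return "loopback" if ip.is_loopback else "specific"

def audit(argv):
    """Return (flag, finding) pairs for settings that widen node exposure."""
    f, findings = parse_flags(argv), []
    for flag in ("metrics-bind-address", "healthz-bind-address"):
        kind = exposure(f[flag])
        if kind in ("all", "specific"):
            findings.append((flag, f"{f[flag]} is reachable off-node ({kind})"))
    if f["profiling"].lower() == "true":
        findings.append(("profiling", "/debug/pprof handler is enabled"))
    if f["nodeport-addresses"] in ("", "[]"):
        findings.append(("nodeport-addresses", "NodePorts open on all local addresses"))
    return findings
```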

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)