KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-proxy -

SYNOPSIS

       kube-proxy [OPTIONS]

DESCRIPTION

       The Kubernetes network proxy runs on each node. This reflects services
       as defined in the Kubernetes API on each node and can do simple TCP,
       UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP
       forwarding across a set of backends. Service cluster IPs and ports are
       currently found through Docker-links-compatible environment variables
       specifying ports opened by the service proxy. There is an optional
       addon that provides cluster DNS for these cluster IPs. The user must
       create a service with the apiserver API to configure the proxy.

OPTIONS

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address for the proxy server to
       serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all
       IPv6 interfaces).

       --bind-address-hard-fail=false      If true, kube-proxy will treat
       failure to bind to a port as fatal and exit.

       --cleanup=false      If true, clean up iptables and ipvs rules and
       exit.

       --cluster-cidr=""      The CIDR range of pods in the cluster. When
       configured, traffic sent to a Service cluster IP from outside this
       range will be masqueraded and traffic sent from pods to an external
       LoadBalancer IP will be directed to the respective cluster IP instead.

       --config=""      The path to the configuration file.

       --config-sync-period=15m0s      How often configuration from the
       apiserver is refreshed. Must be greater than 0.

       --conntrack-max-per-core=32768      Maximum number of NAT connections
       to track per CPU core (0 to leave the limit as-is and ignore
       conntrack-min).

       --conntrack-min=131072      Minimum number of conntrack entries to
       allocate, regardless of conntrack-max-per-core (set
       conntrack-max-per-core=0 to leave the limit as-is).

       --conntrack-tcp-timeout-close-wait=1h0m0s      NAT timeout for TCP
       connections in the CLOSE_WAIT state.

       --conntrack-tcp-timeout-established=24h0m0s      Idle timeout for
       established TCP connections (0 to leave as-is).

       --detect-local-mode=      Mode to use to detect local traffic.

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
              APIListChunking=true|false (BETA - default=true)
              APIPriorityAndFairness=true|false (BETA - default=true)
              APIResponseCompression=true|false (BETA - default=true)
              APIServerIdentity=true|false (ALPHA - default=false)
              AllAlpha=true|false (ALPHA - default=false)
              AllBeta=true|false (BETA - default=false)
              AnyVolumeDataSource=true|false (ALPHA - default=false)
              AppArmor=true|false (BETA - default=true)
              BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)
              BoundServiceAccountTokenVolume=true|false (BETA - default=true)
              CPUManager=true|false (BETA - default=true)
              CSIInlineVolume=true|false (BETA - default=true)
              CSIMigration=true|false (BETA - default=true)
              CSIMigrationAWS=true|false (BETA - default=false)
              CSIMigrationAzureDisk=true|false (BETA - default=false)
              CSIMigrationAzureFile=true|false (BETA - default=false)
              CSIMigrationGCE=true|false (BETA - default=false)
              CSIMigrationOpenStack=true|false (BETA - default=true)
              CSIMigrationvSphere=true|false (BETA - default=false)
              CSIMigrationvSphereComplete=true|false (BETA - default=false)
              CSIServiceAccountToken=true|false (BETA - default=true)
              CSIStorageCapacity=true|false (BETA - default=true)
              CSIVolumeFSGroupPolicy=true|false (BETA - default=true)
              CSIVolumeHealth=true|false (ALPHA - default=false)
              ConfigurableFSGroupPolicy=true|false (BETA - default=true)
              ControllerManagerLeaderMigration=true|false (ALPHA - default=false)
              CronJobControllerV2=true|false (BETA - default=true)
              CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
              DaemonSetUpdateSurge=true|false (ALPHA - default=false)
              DefaultPodTopologySpread=true|false (BETA - default=true)
              DevicePlugins=true|false (BETA - default=true)
              DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
              DownwardAPIHugePages=true|false (BETA - default=false)
              DynamicKubeletConfig=true|false (BETA - default=true)
              EfficientWatchResumption=true|false (BETA - default=true)
              EndpointSliceProxying=true|false (BETA - default=true)
              EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)
              EphemeralContainers=true|false (ALPHA - default=false)
              ExpandCSIVolumes=true|false (BETA - default=true)
              ExpandInUsePersistentVolumes=true|false (BETA - default=true)
              ExpandPersistentVolumes=true|false (BETA - default=true)
              ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
              GenericEphemeralVolume=true|false (BETA - default=true)
              GracefulNodeShutdown=true|false (BETA - default=true)
              HPAContainerMetrics=true|false (ALPHA - default=false)
              HPAScaleToZero=true|false (ALPHA - default=false)
              HugePageStorageMediumSize=true|false (BETA - default=true)
              IPv6DualStack=true|false (BETA - default=true)
              InTreePluginAWSUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
              InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
              InTreePluginGCEUnregister=true|false (ALPHA - default=false)
              InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
              InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
              IndexedJob=true|false (ALPHA - default=false)
              IngressClassNamespacedParams=true|false (ALPHA - default=false)
              KubeletCredentialProviders=true|false (ALPHA - default=false)
              KubeletPodResources=true|false (BETA - default=true)
              KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)
              LocalStorageCapacityIsolation=true|false (BETA - default=true)
              LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
              LogarithmicScaleDown=true|false (ALPHA - default=false)
              MemoryManager=true|false (ALPHA - default=false)
              MixedProtocolLBService=true|false (ALPHA - default=false)
              NamespaceDefaultLabelName=true|false (BETA - default=true)
              NetworkPolicyEndPort=true|false (ALPHA - default=false)
              NonPreemptingPriority=true|false (BETA - default=true)
              PodAffinityNamespaceSelector=true|false (ALPHA - default=false)
              PodDeletionCost=true|false (ALPHA - default=false)
              PodOverhead=true|false (BETA - default=true)
              PreferNominatedNode=true|false (ALPHA - default=false)
              ProbeTerminationGracePeriod=true|false (ALPHA - default=false)
              ProcMountType=true|false (ALPHA - default=false)
              QOSReserved=true|false (ALPHA - default=false)
              RemainingItemCount=true|false (BETA - default=true)
              RemoveSelfLink=true|false (BETA - default=true)
              RotateKubeletServerCertificate=true|false (BETA - default=true)
              ServerSideApply=true|false (BETA - default=true)
              ServiceInternalTrafficPolicy=true|false (ALPHA - default=false)
              ServiceLBNodePortControl=true|false (ALPHA - default=false)
              ServiceLoadBalancerClass=true|false (ALPHA - default=false)
              ServiceTopology=true|false (ALPHA - default=false)
              SetHostnameAsFQDN=true|false (BETA - default=true)
              SizeMemoryBackedVolumes=true|false (ALPHA - default=false)
              StorageVersionAPI=true|false (ALPHA - default=false)
              StorageVersionHash=true|false (BETA - default=true)
              SuspendJob=true|false (ALPHA - default=false)
              TTLAfterFinished=true|false (BETA - default=true)
              TopologyAwareHints=true|false (ALPHA - default=false)
              TopologyManager=true|false (BETA - default=true)
              ValidateProxyRedirects=true|false (BETA - default=true)
              VolumeCapacityPriority=true|false (ALPHA - default=false)
              WarningHeaders=true|false (BETA - default=true)
              WinDSR=true|false (ALPHA - default=false)
              WinOverlay=true|false (BETA - default=true)
              WindowsEndpointSliceProxying=true|false (BETA - default=true)

       --healthz-bind-address=0.0.0.0:10256      The IP address with port for
       the health check server to serve on (set to '0.0.0.0:10256' for all
       IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to
       disable.

       --healthz-port=10256      The port to bind the health check server. Use
       0 to disable.

       --hostname-override=""      If non-empty, will use this string as
       identification instead of the actual hostname.

       --iptables-masquerade-bit=14      If using the pure iptables proxy, the
       bit of the fwmark space to mark packets requiring SNAT with. Must be
       within the range [0, 31].

       --iptables-min-sync-period=1s      The minimum interval of how often
       the iptables rules can be refreshed as endpoints and services change
       (e.g. '5s', '1m', '2h22m').

       --iptables-sync-period=30s      The maximum interval of how often
       iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be
       greater than 0.

       --ipvs-exclude-cidrs=[]      A comma-separated list of CIDRs which the
       ipvs proxier should not touch when cleaning up IPVS rules.

       --ipvs-min-sync-period=0s      The minimum interval of how often the
       ipvs rules can be refreshed as endpoints and services change (e.g.
       '5s', '1m', '2h22m').

       --ipvs-scheduler=""      The ipvs scheduler type when proxy mode is
       ipvs.

       --ipvs-strict-arp=false      Enable strict ARP by setting arp_ignore to
       1 and arp_announce to 2.

       --ipvs-sync-period=30s      The maximum interval of how often ipvs
       rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than
       0.

       --ipvs-tcp-timeout=0s      The timeout for idle IPVS TCP connections, 0
       to leave as-is. (e.g. '5s', '1m', '2h22m').

       --ipvs-tcpfin-timeout=0s      The timeout for IPVS TCP connections
       after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m',
       '2h22m').

       --ipvs-udp-timeout=0s      The timeout for IPVS UDP packets, 0 to leave
       as-is. (e.g. '5s', '1m', '2h22m').

       --kube-api-burst=10      Burst to use while talking with kubernetes
       apiserver.

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
       Content type of requests sent to apiserver.

       --kube-api-qps=5      QPS to use while talking with kubernetes
       apiserver.

       --kubeconfig=""      Path to kubeconfig file with authorization
       information (the master location can be overridden by the master flag).

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes.

       --masquerade-all=false      If using the pure iptables proxy, SNAT all
       traffic sent via Service cluster IPs (this is not commonly needed).

       --master=""      The address of the Kubernetes API server (overrides
       any value in kubeconfig).

       --metrics-bind-address=127.0.0.1:10249      The IP address with port
       for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4
       interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to
       disable.

       --metrics-port=10249      The port to bind the metrics server. Use 0 to
       disable.

       --nodeport-addresses=[]      A string slice of values which specify the
       addresses to use for NodePorts. Values may be valid IP blocks (e.g.
       1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to
       use all local addresses.

       --oom-score-adj=-999      The oom-score-adj value for kube-proxy
       process. Values must be within the range [-1000, 1000].

       --profiling=false      If true enables profiling via web interface on
       /debug/pprof handler.

       --proxy-mode=      Which proxy mode to use: 'userspace' (older) or
       'iptables' (faster) or 'ipvs' or 'kernelspace' (windows). If blank, use
       the best-available proxy (currently iptables). If the iptables proxy is
       selected, regardless of how, but the system's kernel or iptables
       versions are insufficient, this always falls back to the userspace
       proxy.

       --proxy-port-range=      Range of host ports (beginPort-endPort, single
       port or beginPort+offset, inclusive) that may be consumed in order to
       proxy service traffic. If (unspecified, 0, or 0-0) then ports will be
       randomly chosen.

       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that.

       --udp-timeout=250ms      How long an idle UDP connection will be kept
       open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for
       proxy-mode=userspace.

       --version=false      Print version information and quit.

       --write-config-to=""      If set, write the default configuration
       values to this file and exit.
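
       Added example, not part of the original man page or of the Kubernetes
       project: a Python check that reads a kube-proxy command line and
       reports which of the listener, profiling and NodePort options above
       leave the node more exposed than necessary. It assumes flags are
       written as --flag=value or as a bare boolean flag; the function names
       and the two sample command lines are constructed for illustration.

```python
import ipaddress
import shlex

# Defaults copied from the OPTIONS list above.
DEFAULTS = {
    "healthz-bind-address": "0.0.0.0:10256",
    "metrics-bind-address": "127.0.0.1:10249",
    "nodeport-addresses": "",
    "profiling": "false",
}

def parse_flags(cmdline):
    """Map flag name to value; assumes --flag=value or a bare boolean --flag."""
    flags = dict(DEFAULTS)
    for arg in shlex.split(cmdline)[1:]:
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags

def listen_scope(addr):
    """Classify an 'ip:port' value: disabled, loopback, all-interfaces, specific."""
    if not addr:
        return "disabled"  # an empty value disables the server
    host = addr.rpartition(":")[0].strip("[]")  # '[::]:10249' -> '::'
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"

def audit(cmdline):
    """Return (flag, finding) pairs for settings that widen node exposure."""
    flags, findings = parse_flags(cmdline), []
    for name in ("metrics-bind-address", "healthz-bind-address"):
        if listen_scope(flags[name]) == "all-interfaces":
            findings.append((name, "listens on every interface of the node"))
    if flags["profiling"].lower() == "true":
        findings.append(("profiling", "/debug/pprof handler is enabled"))
    if flags["nodeport-addresses"] in ("", "[]"):
        findings.append(("nodeport-addresses", "NodePorts use all local addresses"))
    return findings

# Constructed sample command lines, not taken from a real cluster.
WEAK = "kube-proxy --metrics-bind-address=0.0.0.0:10249 --profiling --healthz-bind-address="
TIGHT = "kube-proxy --healthz-bind-address= --nodeport-addresses=10.0.0.0/24"

if __name__ == "__main__":
    for line in (WEAK, TIGHT):
        print(audit(line) or "no findings")
```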

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)