1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kube-proxy -
10
14 kube-proxy [OPTIONS]
15
19 The Kubernetes network proxy runs on each node. This reflects services
20 as defined in the Kubernetes API on each node and can do simple TCP,
21 UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP for‐
22 warding across a set of backends. Service cluster IPs and ports are
23 currently found through Docker-links-compatible environment variables
24 specifying ports opened by the service proxy. There is an optional ad‐
25 don that provides cluster DNS for these cluster IPs. The user must cre‐
26 ate a service with the apiserver API to configure the proxy.
27
31 --allow_dynamic_housekeeping=true Whether to allow the housekeep‐
32 ing interval to be dynamic
33 --application_metrics_count_limit=100 Max number of application
36 metrics to store (per container)
37 --azure-container-registry-config="" Path to the file containing
40 Azure container registry configuration information.
41 --bind-address=0.0.0.0 The IP address for the proxy server to
44 serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all
45 IPv6 interfaces). This parameter is ignored if a config file is speci‐
46 fied by --config.
47 --bind-address-hard-fail=false If true kube-proxy will treat fail‐
50 ure to bind to a port as fatal and exit
51 --boot_id_file="/proc/sys/kernel/random/boot_id" Comma-separated
54 list of files to check for boot-id. Use the first one that exists.
55 --cleanup=false If true cleanup iptables and ipvs rules and exit.
58 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
61 CIDRs opened in GCE firewall for L7 LB traffic proxy & health
62 checks
63 --cloud-provider-gce-lb-src-
66 cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
67 CIDRs opened in GCE firewall for L4 LB traffic proxy & health
68 checks
69 --cluster-cidr="" The CIDR range of pods in the cluster. When con‐
72 figured, traffic sent to a Service cluster IP from outside this range
73 will be masqueraded and traffic sent from pods to an external LoadBal‐
74 ancer IP will be directed to the respective cluster IP instead. For
75 dual-stack clusters, a comma-separated list is accepted with at least
76 one CIDR per IP family (IPv4 and IPv6). This parameter is ignored if a
77 config file is specified by --config.
78 --config="" The path to the configuration file.
81 --config-sync-period=15m0s How often configuration from the apis‐
84 erver is refreshed. Must be greater than 0.
85 --conntrack-max-per-core=32768 Maximum number of NAT connections
88 to track per CPU core (0 to leave the limit as-is and ignore conntrack-
89 min).
90 --conntrack-min=131072 Minimum number of conntrack entries to al‐
93 locate, regardless of conntrack-max-per-core (set conntrack-max-per-
94 core=0 to leave the limit as-is).
95 --conntrack-tcp-timeout-close-wait=1h0m0s NAT timeout for TCP con‐
98 nections in the CLOSE_WAIT state
99 --conntrack-tcp-timeout-established=24h0m0s Idle timeout for es‐
102 tablished TCP connections (0 to leave as-is)
103 --container_hints="/etc/cadvisor/container_hints.json" location of
106 the container hints file
107 --containerd="/run/containerd/containerd.sock" containerd endpoint
110 --containerd-namespace="k8s.io" containerd namespace
113 --containerd_env_metadata_whitelist="" DEPRECATED: this flag will
116 be removed, please use env_metadata_whitelist. A comma-separated list
117 of environment variable keys matched with specified prefix that needs
118 to be collected for containerd containers
119 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
122 tionSeconds of the toleration for notReady:NoExecute that is added by
123 default to every pod that does not already have such a toleration.
124 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
127 tionSeconds of the toleration for unreachable:NoExecute that is added
128 by default to every pod that does not already have such a toleration.
129 --detect-local-mode= Mode to use to detect local traffic. This pa‐
132 rameter is ignored if a config file is specified by --config.
133 --disable_root_cgroup_stats=false Disable collecting root Cgroup
136 stats
137 --docker_only=false Only report docker containers in addition to
140 root stats
141 --enable_load_reader=false Whether to enable cpu load reader
144 --event_storage_age_limit="default=0" Max length of time for which
147 to store events (per type). Value is a comma separated list of key val‐
148 ues, where the keys are event types (e.g.: creation, oom) or "default"
149 and the value is a duration. Default is applied to all non-specified
150 event types
151 --event_storage_event_limit="default=0" Max number of events to
154 store (per type). Value is a comma separated list of key values, where
155 the keys are event types (e.g.: creation, oom) or "default" and the
156 value is an integer. Default is applied to all non-specified event
157 types
158 --feature-gates= A set of key=value pairs that describe feature
161 gates for alpha/experimental features. Options are: APIListChunk‐
162 ing=true|false (BETA - default=true) APIPriorityAndFairness=true|false
163 (BETA - default=true) APIResponseCompression=true|false (BETA - de‐
164 fault=true) APIServerIdentity=true|false (ALPHA - default=false) APIS‐
165 erverTracing=true|false (ALPHA - default=false) AllAlpha=true|false
166 (ALPHA - default=false) AllBeta=true|false (BETA - default=false)
167 AnyVolumeDataSource=true|false (BETA - default=true) AppAr‐
168 mor=true|false (BETA - default=true) CPUManager=true|false (BETA - de‐
169 fault=true) CPUManagerPolicyAlphaOptions=true|false (ALPHA - de‐
170 fault=false) CPUManagerPolicyBetaOptions=true|false (BETA - de‐
171 fault=true) CPUManagerPolicyOptions=true|false (BETA - default=true)
172 CSIInlineVolume=true|false (BETA - default=true) CSIMigra‐
173 tion=true|false (BETA - default=true) CSIMigrationAWS=true|false (BETA
174 - default=true) CSIMigrationAzureFile=true|false (BETA - default=true)
175 CSIMigrationGCE=true|false (BETA - default=true) CSIMigrationPort‐
176 worx=true|false (ALPHA - default=false) CSIMigrationRBD=true|false (AL‐
177 PHA - default=false) CSIMigrationvSphere=true|false (BETA - de‐
178 fault=false) CSIVolumeHealth=true|false (ALPHA - default=false) Contex‐
179 tualLogging=true|false (ALPHA - default=false) CronJobTime‐
180 Zone=true|false (ALPHA - default=false) CustomCPUCFSQuotaPe‐
181 riod=true|false (ALPHA - default=false) CustomResourceValidationExpres‐
182 sions=true|false (ALPHA - default=false) DaemonSetUp‐
183 dateSurge=true|false (BETA - default=true) DelegateFSGroupToC‐
184 SIDriver=true|false (BETA - default=true) DevicePlugins=true|false
185 (BETA - default=true) DisableAcceleratorUsageMetrics=true|false (BETA -
186 default=true) DisableCloudProviders=true|false (ALPHA - default=false)
187 DisableKubeletCloudCredentialProviders=true|false (ALPHA - de‐
188 fault=false) DownwardAPIHugePages=true|false (BETA - default=true) End‐
189 pointSliceTerminatingCondition=true|false (BETA - default=true)
190 EphemeralContainers=true|false (BETA - default=true) ExpandedDNSCon‐
191 fig=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDe‐
192 faulting=true|false (BETA - default=false) GRPCContainer‐
193 Probe=true|false (BETA - default=true) GracefulNodeShutdown=true|false
194 (BETA - default=true) GracefulNodeShutdownBasedOnPodPriority=true|false
195 (BETA - default=true) HPAContainerMetrics=true|false (ALPHA - de‐
196 fault=false) HPAScaleToZero=true|false (ALPHA - default=false) Honor‐
197 PVReclaimPolicy=true|false (ALPHA - default=false) IdentifyPo‐
198 dOS=true|false (BETA - default=true) InTreePluginAWSUnregis‐
199 ter=true|false (ALPHA - default=false) InTreePluginAzureDiskUnregis‐
200 ter=true|false (ALPHA - default=false) InTreePluginAzureFileUnregis‐
201 ter=true|false (ALPHA - default=false) InTreePluginGCEUnregis‐
202 ter=true|false (ALPHA - default=false) InTreePluginOpenStackUnregis‐
203 ter=true|false (ALPHA - default=false) InTreePluginPortworxUnregis‐
204 ter=true|false (ALPHA - default=false) InTreePluginRBDUnregis‐
205 ter=true|false (ALPHA - default=false) InTreePluginvSphereUnregis‐
206 ter=true|false (ALPHA - default=false) JobMutableNodeSchedulingDirec‐
207 tives=true|false (BETA - default=true) JobReadyPods=true|false (BETA -
208 default=true) JobTrackingWithFinalizers=true|false (BETA - de‐
209 fault=false) KubeletCredentialProviders=true|false (BETA - de‐
210 fault=true) KubeletInUserNamespace=true|false (ALPHA - default=false)
211 KubeletPodResources=true|false (BETA - default=true) KubeletPo‐
212 dResourcesGetAllocatable=true|false (BETA - default=true) LegacySer‐
213 viceAccountTokenNoAutoGeneration=true|false (BETA - default=true) Lo‐
214 calStorageCapacityIsolation=true|false (BETA - default=true) LocalStor‐
215 ageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - de‐
216 fault=false) LogarithmicScaleDown=true|false (BETA - default=true) Max‐
217 UnavailableStatefulSet=true|false (ALPHA - default=false) MemoryMan‐
218 ager=true|false (BETA - default=true) MemoryQoS=true|false (ALPHA - de‐
219 fault=false) MinDomainsInPodTopologySpread=true|false (ALPHA - de‐
220 fault=false) MixedProtocolLBService=true|false (BETA - default=true)
221 NetworkPolicyEndPort=true|false (BETA - default=true) NetworkPolicySta‐
222 tus=true|false (ALPHA - default=false) NodeOutOfServiceVolumeDe‐
223 tach=true|false (ALPHA - default=false) NodeSwap=true|false (ALPHA -
224 default=false) OpenAPIEnums=true|false (BETA - default=true) Ope‐
225 nAPIV3=true|false (BETA - default=true) PodAndContainerStatsFrom‐
226 CRI=true|false (ALPHA - default=false) PodDeletionCost=true|false (BETA
227 - default=true) PodSecurity=true|false (BETA - default=true) ProbeTer‐
228 minationGracePeriod=true|false (BETA - default=false) ProcMount‐
229 Type=true|false (ALPHA - default=false) ProxyTerminatingEnd‐
230 points=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA
231 - default=false) ReadWriteOncePod=true|false (ALPHA - default=false)
232 RecoverVolumeExpansionFailure=true|false (ALPHA - default=false) Re‐
233 mainingItemCount=true|false (BETA - default=true) RotateKubelet‐
234 ServerCertificate=true|false (BETA - default=true) SeccompDe‐
235 fault=true|false (ALPHA - default=false) ServerSideFieldValida‐
236 tion=true|false (ALPHA - default=false) ServiceIPStaticSub‐
237 range=true|false (ALPHA - default=false) ServiceInternalTrafficPol‐
238 icy=true|false (BETA - default=true) SizeMemoryBackedVolumes=true|false
239 (BETA - default=true) StatefulSetAutoDeletePVC=true|false (ALPHA - de‐
240 fault=false) StatefulSetMinReadySeconds=true|false (BETA - de‐
241 fault=true) StorageVersionAPI=true|false (ALPHA - default=false) Stor‐
242 ageVersionHash=true|false (BETA - default=true) TopologyAware‐
243 Hints=true|false (BETA - default=true) TopologyManager=true|false (BETA
244 - default=true) VolumeCapacityPriority=true|false (ALPHA - de‐
245 fault=false) WinDSR=true|false (ALPHA - default=false) WinOver‐
246 lay=true|false (BETA - default=true) WindowsHostProcessContain‐
247 ers=true|false (BETA - default=true)This parameter is ignored if a con‐
248 fig file is specified by --config.
249 --global_housekeeping_interval=1m0s Interval between global house‐
252 keepings
253 --healthz-bind-address=0.0.0.0:10256 The IP address with port for
256 the health check server to serve on (set to '0.0.0.0:10256' for all
257 IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to
258 disable. This parameter is ignored if a config file is specified by
259 --config.
260 --healthz-port=10256 The port to bind the health check server. Use
263 0 to disable.
264 --hostname-override="" If non-empty, will use this string as iden‐
267 tification instead of the actual hostname.
268 --housekeeping_interval=10s Interval between container housekeep‐
271 ings
272 --iptables-masquerade-bit=14 If using the pure iptables proxy, the
275 bit of the fwmark space to mark packets requiring SNAT with. Must be
276 within the range [0, 31].
277 --iptables-min-sync-period=1s The minimum interval of how often
280 the iptables rules can be refreshed as endpoints and services change
281 (e.g. '5s', '1m', '2h22m').
282 --iptables-sync-period=30s The maximum interval of how often ipta‐
285 bles rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater
286 than 0.
287 --ipvs-exclude-cidrs=[] A comma-separated list of CIDR's which the
290 ipvs proxier should not touch when cleaning up IPVS rules.
291 --ipvs-min-sync-period=0s The minimum interval of how often the
294 ipvs rules can be refreshed as endpoints and services change (e.g.
295 '5s', '1m', '2h22m').
296 --ipvs-scheduler="" The ipvs scheduler type when proxy mode is
299 ipvs
300 --ipvs-strict-arp=false Enable strict ARP by setting arp_ignore to
303 1 and arp_announce to 2
304 --ipvs-sync-period=30s The maximum interval of how often ipvs
307 rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than
308 0.
309 --ipvs-tcp-timeout=0s The timeout for idle IPVS TCP connections, 0
312 to leave as-is. (e.g. '5s', '1m', '2h22m').
313 --ipvs-tcpfin-timeout=0s The timeout for IPVS TCP connections af‐
316 ter receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m',
317 '2h22m').
318 --ipvs-udp-timeout=0s The timeout for IPVS UDP packets, 0 to leave
321 as-is. (e.g. '5s', '1m', '2h22m').
322 --kube-api-burst=10 Burst to use while talking with kubernetes
325 apiserver
326 --kube-api-content-type="application/vnd.kubernetes.protobuf" Con‐
329 tent type of requests sent to apiserver.
330 --kube-api-qps=5 QPS to use while talking with kubernetes apis‐
333 erver
334 --kubeconfig="" Path to kubeconfig file with authorization infor‐
337 mation (the master location can be overridden by the master flag).
338 --log_cadvisor_usage=false Whether to log the usage of the cAdvi‐
341 sor container
342 --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
345 Comma-separated list of files to check for machine-id. Use the
346 first one that exists.
347 --masquerade-all=false If using the pure iptables proxy, SNAT all
350 traffic sent via Service cluster IPs (this not commonly needed)
351 --master="" The address of the Kubernetes API server (overrides
354 any value in kubeconfig)
355 --max_housekeeping_interval=1m0s Largest interval to allow between
358 container housekeepings
359 --metrics-bind-address=127.0.0.1:10249 The IP address with port
362 for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4
363 interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to dis‐
364 able. This parameter is ignored if a config file is specified by --con‐
365 fig.
366 --metrics-port=10249 The port to bind the metrics server. Use 0 to
369 disable.
370 --nodeport-addresses=[] A string slice of values which specify the
373 addresses to use for NodePorts. Values may be valid IP blocks (e.g.
374 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to
375 use all local addresses. This parameter is ignored if a config file is
376 specified by --config.
377 --oom-score-adj=-999 The oom-score-adj value for kube-proxy
380 process. Values must be within the range [-1000, 1000]. This parameter
381 is ignored if a config file is specified by --config.
382 --pod-bridge-interface="" A bridge interface name in the cluster.
385 Kube-proxy considers traffic as local if originating from an interface
386 which matches the value. This argument should be set if DetectLocalMode
387 is set to BridgeInterface.
388 --pod-interface-name-prefix="" An interface prefix in the cluster.
391 Kube-proxy considers traffic as local if originating from interfaces
392 that match the given prefix. This argument should be set if DetectLo‐
393 calMode is set to InterfaceNamePrefix.
394 --profiling=false If true enables profiling via web interface on
397 /debug/pprof handler. This parameter is ignored if a config file is
398 specified by --config.
399 --proxy-mode= Which proxy mode to use: 'iptables' (Linux-only),
402 'ipvs' (Linux-only), 'kernelspace' (Windows-only), or 'userspace'
403 (Linux/Windows, deprecated). The default value is 'iptables' on Linux
404 and 'userspace' on Windows.This parameter is ignored if a config file
405 is specified by --config.
406 --proxy-port-range= Range of host ports (beginPort-endPort, single
409 port or beginPort+offset, inclusive) that may be consumed in order to
410 proxy service traffic. If (unspecified, 0, or 0-0) then ports will be
411 randomly chosen.
412 --referenced_reset_interval=0 Reset interval for referenced bytes
415 (container_referenced_bytes metric), number of measurement cycles after
416 which referenced bytes are cleared, if set to 0 referenced bytes are
417 never cleared (default: 0)
418 --show-hidden-metrics-for-version="" The previous version for
421 which you want to show hidden metrics. Only the previous minor version
422 is meaningful, other values will not be allowed. The format is ., e.g.:
423 '1.16'. The purpose of this format is make sure you have the opportu‐
424 nity to notice if the next release hides additional metrics, rather
425 than being surprised when they are permanently removed in the release
426 after that.This parameter is ignored if a config file is specified by
427 --config.
428 --storage_driver_buffer_duration=1m0s Writes in the storage driver
431 will be buffered for this duration, and committed to the non memory
432 backends as a single transaction
433 --storage_driver_db="cadvisor" database name
436 --storage_driver_host="localhost:8086" database host:port
439 --storage_driver_password="root" database password
442 --storage_driver_secure=false use secure connection with database
445 --storage_driver_table="stats" table name
448 --storage_driver_user="root" database username
451 --udp-timeout=250ms How long an idle UDP connection will be kept
454 open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for
455 proxy-mode=userspace
456 --update_machine_info_interval=5m0s Interval between machine info
459 updates.
460 --version=false Print version information and quit
463 --write-config-to="" If set, write the default configuration val‐
466 ues to this file and exit.
467
471 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
472 com) based on the kubernetes source material, but hopefully they have
473 been automatically generated since!
474Manuals User KUBERNETES(1)(kubernetes)