KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-proxy -

SYNOPSIS

       kube-proxy [OPTIONS]

DESCRIPTION

       The Kubernetes network proxy runs on each node. This reflects services
       as defined in the Kubernetes API on each node and can do simple TCP,
       UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP
       forwarding across a set of backends. Service cluster IPs and ports are
       currently found through Docker-links-compatible environment variables
       specifying ports opened by the service proxy. There is an optional
       addon that provides cluster DNS for these cluster IPs. The user must
       create a service with the apiserver API to configure the proxy.

OPTIONS

       --allow_dynamic_housekeeping=true      Whether to allow the
       housekeeping interval to be dynamic

       --application_metrics_count_limit=100      Max number of application
       metrics to store (per container)

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address for the proxy server to
       serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all
       IPv6 interfaces). This parameter is ignored if a config file is
       specified by --config.

       --bind-address-hard-fail=false      If true kube-proxy will treat
       failure to bind to a port as fatal and exit

       --boot_id_file="/proc/sys/kernel/random/boot_id"      Comma-separated
       list of files to check for boot-id. Use the first one that exists.

       --cleanup=false      If true cleanup iptables and ipvs rules and exit.

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L7 LB traffic proxy & health
       checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L4 LB traffic proxy & health
       checks

       --cluster-cidr=""      The CIDR range of pods in the cluster. When
       configured, traffic sent to a Service cluster IP from outside this
       range will be masqueraded and traffic sent from pods to an external
       LoadBalancer IP will be directed to the respective cluster IP instead.
       For dual-stack clusters, a comma-separated list is accepted with at
       least one CIDR per IP family (IPv4 and IPv6). This parameter is ignored
       if a config file is specified by --config.

       --config=""      The path to the configuration file.

       --config-sync-period=15m0s      How often configuration from the
       apiserver is refreshed. Must be greater than 0.

       --conntrack-max-per-core=32768      Maximum number of NAT connections
       to track per CPU core (0 to leave the limit as-is and ignore
       conntrack-min).

       --conntrack-min=131072      Minimum number of conntrack entries to
       allocate, regardless of conntrack-max-per-core (set
       conntrack-max-per-core=0 to leave the limit as-is).

       --conntrack-tcp-timeout-close-wait=1h0m0s      NAT timeout for TCP
       connections in the CLOSE_WAIT state

       --conntrack-tcp-timeout-established=24h0m0s      Idle timeout for
       established TCP connections (0 to leave as-is)

       --container_hints="/etc/cadvisor/container_hints.json"      location of
       the container hints file

       --containerd="/run/containerd/containerd.sock"      containerd endpoint

       --containerd-namespace="k8s.io"      containerd namespace

       --containerd_env_metadata_whitelist=""      DEPRECATED: this flag will
       be removed, please use env_metadata_whitelist. A comma-separated list
       of environment variable keys matched with specified prefix that needs
       to be collected for containerd containers

       --default-not-ready-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for notReady:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --default-unreachable-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for unreachable:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --detect-local-mode=      Mode to use to detect local traffic. This
       parameter is ignored if a config file is specified by --config.

       --disable_root_cgroup_stats=false      Disable collecting root Cgroup
       stats

       --docker_only=false      Only report docker containers in addition to
       root stats

       --enable_load_reader=false      Whether to enable cpu load reader

       --event_storage_age_limit="default=0"      Max length of time for which
       to store events (per type). Value is a comma separated list of key
       values, where the keys are event types (e.g.: creation, oom) or
       "default" and the value is a duration. Default is applied to all
       non-specified event types

       --event_storage_event_limit="default=0"      Max number of events to
       store (per type). Value is a comma separated list of key values, where
       the keys are event types (e.g.: creation, oom) or "default" and the
       value is an integer. Default is applied to all non-specified event
       types

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
       APIListChunking=true|false (BETA - default=true)
       APIPriorityAndFairness=true|false (BETA - default=true)
       APIResponseCompression=true|false (BETA - default=true)
       APIServerIdentity=true|false (ALPHA - default=false)
       APIServerTracing=true|false (ALPHA - default=false)
       AllAlpha=true|false (ALPHA - default=false)
       AllBeta=true|false (BETA - default=false)
       AnyVolumeDataSource=true|false (BETA - default=true)
       AppArmor=true|false (BETA - default=true)
       CPUManager=true|false (BETA - default=true)
       CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
       CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
       CPUManagerPolicyOptions=true|false (BETA - default=true)
       CSIInlineVolume=true|false (BETA - default=true)
       CSIMigration=true|false (BETA - default=true)
       CSIMigrationAWS=true|false (BETA - default=true)
       CSIMigrationAzureFile=true|false (BETA - default=true)
       CSIMigrationGCE=true|false (BETA - default=true)
       CSIMigrationPortworx=true|false (ALPHA - default=false)
       CSIMigrationRBD=true|false (ALPHA - default=false)
       CSIMigrationvSphere=true|false (BETA - default=false)
       CSIVolumeHealth=true|false (ALPHA - default=false)
       ContextualLogging=true|false (ALPHA - default=false)
       CronJobTimeZone=true|false (ALPHA - default=false)
       CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
       CustomResourceValidationExpressions=true|false (ALPHA - default=false)
       DaemonSetUpdateSurge=true|false (BETA - default=true)
       DelegateFSGroupToCSIDriver=true|false (BETA - default=true)
       DevicePlugins=true|false (BETA - default=true)
       DisableAcceleratorUsageMetrics=true|false (BETA - default=true)
       DisableCloudProviders=true|false (ALPHA - default=false)
       DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
       DownwardAPIHugePages=true|false (BETA - default=true)
       EndpointSliceTerminatingCondition=true|false (BETA - default=true)
       EphemeralContainers=true|false (BETA - default=true)
       ExpandedDNSConfig=true|false (ALPHA - default=false)
       ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
       GRPCContainerProbe=true|false (BETA - default=true)
       GracefulNodeShutdown=true|false (BETA - default=true)
       GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
       HPAContainerMetrics=true|false (ALPHA - default=false)
       HPAScaleToZero=true|false (ALPHA - default=false)
       HonorPVReclaimPolicy=true|false (ALPHA - default=false)
       IdentifyPodOS=true|false (BETA - default=true)
       InTreePluginAWSUnregister=true|false (ALPHA - default=false)
       InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
       InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
       InTreePluginGCEUnregister=true|false (ALPHA - default=false)
       InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
       InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
       InTreePluginRBDUnregister=true|false (ALPHA - default=false)
       InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
       JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
       JobReadyPods=true|false (BETA - default=true)
       JobTrackingWithFinalizers=true|false (BETA - default=false)
       KubeletCredentialProviders=true|false (BETA - default=true)
       KubeletInUserNamespace=true|false (ALPHA - default=false)
       KubeletPodResources=true|false (BETA - default=true)
       KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
       LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)
       LocalStorageCapacityIsolation=true|false (BETA - default=true)
       LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
       LogarithmicScaleDown=true|false (BETA - default=true)
       MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
       MemoryManager=true|false (BETA - default=true)
       MemoryQoS=true|false (ALPHA - default=false)
       MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)
       MixedProtocolLBService=true|false (BETA - default=true)
       NetworkPolicyEndPort=true|false (BETA - default=true)
       NetworkPolicyStatus=true|false (ALPHA - default=false)
       NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)
       NodeSwap=true|false (ALPHA - default=false)
       OpenAPIEnums=true|false (BETA - default=true)
       OpenAPIV3=true|false (BETA - default=true)
       PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
       PodDeletionCost=true|false (BETA - default=true)
       PodSecurity=true|false (BETA - default=true)
       ProbeTerminationGracePeriod=true|false (BETA - default=false)
       ProcMountType=true|false (ALPHA - default=false)
       ProxyTerminatingEndpoints=true|false (ALPHA - default=false)
       QOSReserved=true|false (ALPHA - default=false)
       ReadWriteOncePod=true|false (ALPHA - default=false)
       RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
       RemainingItemCount=true|false (BETA - default=true)
       RotateKubeletServerCertificate=true|false (BETA - default=true)
       SeccompDefault=true|false (ALPHA - default=false)
       ServerSideFieldValidation=true|false (ALPHA - default=false)
       ServiceIPStaticSubrange=true|false (ALPHA - default=false)
       ServiceInternalTrafficPolicy=true|false (BETA - default=true)
       SizeMemoryBackedVolumes=true|false (BETA - default=true)
       StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
       StatefulSetMinReadySeconds=true|false (BETA - default=true)
       StorageVersionAPI=true|false (ALPHA - default=false)
       StorageVersionHash=true|false (BETA - default=true)
       TopologyAwareHints=true|false (BETA - default=true)
       TopologyManager=true|false (BETA - default=true)
       VolumeCapacityPriority=true|false (ALPHA - default=false)
       WinDSR=true|false (ALPHA - default=false)
       WinOverlay=true|false (BETA - default=true)
       WindowsHostProcessContainers=true|false (BETA - default=true)
       This parameter is ignored if a config file is specified by --config.

       --global_housekeeping_interval=1m0s      Interval between global
       housekeepings

       --healthz-bind-address=0.0.0.0:10256      The IP address with port for
       the health check server to serve on (set to '0.0.0.0:10256' for all
       IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to
       disable. This parameter is ignored if a config file is specified by
       --config.

       --healthz-port=10256      The port to bind the health check server. Use
       0 to disable.

       --hostname-override=""      If non-empty, will use this string as
       identification instead of the actual hostname.

       --housekeeping_interval=10s      Interval between container
       housekeepings

       --iptables-masquerade-bit=14      If using the pure iptables proxy, the
       bit of the fwmark space to mark packets requiring SNAT with. Must be
       within the range [0, 31].

       --iptables-min-sync-period=1s      The minimum interval of how often
       the iptables rules can be refreshed as endpoints and services change
       (e.g. '5s', '1m', '2h22m').

       --iptables-sync-period=30s      The maximum interval of how often
       iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be
       greater than 0.

       --ipvs-exclude-cidrs=[]      A comma-separated list of CIDRs which the
       ipvs proxier should not touch when cleaning up IPVS rules.

       --ipvs-min-sync-period=0s      The minimum interval of how often the
       ipvs rules can be refreshed as endpoints and services change (e.g.
       '5s', '1m', '2h22m').

       --ipvs-scheduler=""      The ipvs scheduler type when proxy mode is
       ipvs

       --ipvs-strict-arp=false      Enable strict ARP by setting arp_ignore to
       1 and arp_announce to 2

       --ipvs-sync-period=30s      The maximum interval of how often ipvs
       rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than
       0.

       --ipvs-tcp-timeout=0s      The timeout for idle IPVS TCP connections, 0
       to leave as-is. (e.g. '5s', '1m', '2h22m').

       --ipvs-tcpfin-timeout=0s      The timeout for IPVS TCP connections
       after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m',
       '2h22m').

       --ipvs-udp-timeout=0s      The timeout for IPVS UDP packets, 0 to leave
       as-is. (e.g. '5s', '1m', '2h22m').

       --kube-api-burst=10      Burst to use while talking with kubernetes
       apiserver

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
            Content type of requests sent to apiserver.

       --kube-api-qps=5      QPS to use while talking with kubernetes
       apiserver

       --kubeconfig=""      Path to kubeconfig file with authorization
       information (the master location can be overridden by the master flag).

       --log_cadvisor_usage=false      Whether to log the usage of the
       cAdvisor container

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
            Comma-separated list of files to check for machine-id. Use the
       first one that exists.

       --masquerade-all=false      If using the pure iptables proxy, SNAT all
       traffic sent via Service cluster IPs (this is not commonly needed)

       --master=""      The address of the Kubernetes API server (overrides
       any value in kubeconfig)

       --max_housekeeping_interval=1m0s      Largest interval to allow between
       container housekeepings

       --metrics-bind-address=127.0.0.1:10249      The IP address with port
       for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4
       interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to
       disable. This parameter is ignored if a config file is specified by
       --config.

       --metrics-port=10249      The port to bind the metrics server. Use 0 to
       disable.

       --nodeport-addresses=[]      A string slice of values which specify the
       addresses to use for NodePorts. Values may be valid IP blocks (e.g.
       1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to
       use all local addresses. This parameter is ignored if a config file is
       specified by --config.

       --oom-score-adj=-999      The oom-score-adj value for kube-proxy
       process. Values must be within the range [-1000, 1000]. This parameter
       is ignored if a config file is specified by --config.

       --pod-bridge-interface=""      A bridge interface name in the cluster.
       Kube-proxy considers traffic as local if originating from an interface
       which matches the value. This argument should be set if DetectLocalMode
       is set to BridgeInterface.

       --pod-interface-name-prefix=""      An interface prefix in the cluster.
       Kube-proxy considers traffic as local if originating from interfaces
       that match the given prefix. This argument should be set if
       DetectLocalMode is set to InterfaceNamePrefix.

       --profiling=false      If true enables profiling via web interface on
       /debug/pprof handler. This parameter is ignored if a config file is
       specified by --config.

       --proxy-mode=      Which proxy mode to use: 'iptables' (Linux-only),
       'ipvs' (Linux-only), 'kernelspace' (Windows-only), or 'userspace'
       (Linux/Windows, deprecated). The default value is 'iptables' on Linux
       and 'userspace' on Windows. This parameter is ignored if a config file
       is specified by --config.

       --proxy-port-range=      Range of host ports (beginPort-endPort, single
       port or beginPort+offset, inclusive) that may be consumed in order to
       proxy service traffic. If (unspecified, 0, or 0-0) then ports will be
       randomly chosen.

       --referenced_reset_interval=0      Reset interval for referenced bytes
       (container_referenced_bytes metric), number of measurement cycles after
       which referenced bytes are cleared, if set to 0 referenced bytes are
       never cleared (default: 0)

       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that. This parameter is
       ignored if a config file is specified by --config.

       --storage_driver_buffer_duration=1m0s      Writes in the storage driver
       will be buffered for this duration, and committed to the non memory
       backends as a single transaction

       --storage_driver_db="cadvisor"      database name

       --storage_driver_host="localhost:8086"      database host:port

       --storage_driver_password="root"      database password

       --storage_driver_secure=false      use secure connection with database

       --storage_driver_table="stats"      table name

       --storage_driver_user="root"      database username

       --udp-timeout=250ms      How long an idle UDP connection will be kept
       open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for
       proxy-mode=userspace

       --update_machine_info_interval=5m0s      Interval between machine info
       updates.

       --version=false      Print version information and quit

       --write-config-to=""      If set, write the default configuration
       values to this file and exit.
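
Added example, not part of the original man page or of the Kubernetes project's code: a small checker that applies two points from the options above to a kube-proxy command line, namely which flags are silently ignored once --config is given, and which listeners end up on all interfaces. The severity labels, function names and sample command lines (including the config path) are assumptions made for this illustration.

```python
"""Audit a kube-proxy command line using the flag semantics in this man page."""

# Flags this page documents as ignored when --config is given.
IGNORED_WITH_CONFIG = {
    "bind-address", "cluster-cidr", "detect-local-mode", "feature-gates",
    "healthz-bind-address", "metrics-bind-address", "nodeport-addresses",
    "oom-score-adj", "profiling", "proxy-mode",
    "show-hidden-metrics-for-version",
}
# Defaults as listed on this page.
DEFAULTS = {
    "metrics-bind-address": "127.0.0.1:10249",
    "healthz-bind-address": "0.0.0.0:10256",
    "profiling": "false",
    "nodeport-addresses": "[]",
}
ALL_INTERFACES = {"0.0.0.0", "::"}

# Constructed sample command lines; the config path is a placeholder.
EXPOSED = ["kube-proxy", "--proxy-mode=ipvs",
           "--metrics-bind-address=0.0.0.0:10249", "--profiling=true"]
SHADOWED = ["kube-proxy", "--config=/path/to/kube-proxy-config.yaml",
            "--metrics-bind-address=127.0.0.1:10249", "--profiling=false"]


def parse_flags(argv):
    """Parse --name=value tokens; a bare --name counts as boolean true."""
    flags = {}
    for tok in argv:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            flags[name] = value.strip("'\"") if sep else "true"
    return flags


def host_of(addr):
    """Host part of 'host:port' or '[v6]:port'."""
    return addr.rsplit(":", 1)[0].strip("[]")


def audit(argv):
    """Return (severity, message) findings; severities are this example's own."""
    flags = parse_flags(argv)
    if flags.get("config"):
        # Effective values live in the config file, so only report shadowing.
        return [("warn", f"--{n} is ignored because --config is set")
                for n in sorted(IGNORED_WITH_CONFIG & flags.keys())]
    eff = {k: flags.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    metrics, healthz = eff["metrics-bind-address"], eff["healthz-bind-address"]
    if metrics and host_of(metrics) in ALL_INTERFACES:
        findings.append(("high", "metrics server listens on all interfaces"))
    if eff["profiling"].lower() == "true":
        findings.append(("high", "/debug/pprof profiling handler is enabled"))
    if healthz and host_of(healthz) in ALL_INTERFACES:
        findings.append(("info", "health check server listens on all interfaces"))
    if eff["nodeport-addresses"].strip("[]") == "":
        findings.append(("info", "NodePorts use all local addresses"))
    return findings


if __name__ == "__main__":
    for argv in (EXPOSED, SHADOWED):
        for severity, message in audit(argv):
            print(f"{severity:5} {message}")
```

When --config is present the checker stops at the shadowing warnings, because the values that take effect are in the configuration file and have to be reviewed there.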

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)