KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kube-proxy -

SYNOPSIS

       kube-proxy [OPTIONS]

DESCRIPTION

       The Kubernetes network proxy runs on each node. This reflects services
       as defined in the Kubernetes API on each node and can do simple TCP,
       UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP
       forwarding across a set of backends. Service cluster IPs and ports are
       currently found through Docker-links-compatible environment variables
       specifying ports opened by the service proxy. There is an optional
       addon that provides cluster DNS for these cluster IPs. The user must
       create a service with the apiserver API to configure the proxy.

OPTIONS

       --allow_dynamic_housekeeping=true      Whether to allow the
       housekeeping interval to be dynamic

       --application_metrics_count_limit=100      Max number of application
       metrics to store (per container)

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --bind-address=0.0.0.0      The IP address for the proxy server to
       serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all
       IPv6 interfaces). This parameter is ignored if a config file is
       specified by --config.

       --bind-address-hard-fail=false      If true, kube-proxy will treat
       failure to bind to a port as fatal and exit

       --boot_id_file="/proc/sys/kernel/random/boot_id"      Comma-separated
       list of files to check for boot-id. Use the first one that exists.

       --cleanup=false      If true, clean up iptables and ipvs rules and exit.

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L7 LB traffic proxy & health
       checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L4 LB traffic proxy & health
       checks

       --cluster-cidr=""      The CIDR range of pods in the cluster. When
       configured, traffic sent to a Service cluster IP from outside this
       range will be masqueraded and traffic sent from pods to an external
       LoadBalancer IP will be directed to the respective cluster IP instead.
       For dual-stack clusters, a comma-separated list is accepted with at
       least one CIDR per IP family (IPv4 and IPv6). This parameter is
       ignored if a config file is specified by --config.

       --config=""      The path to the configuration file.

       --config-sync-period=15m0s      How often configuration from the
       apiserver is refreshed. Must be greater than 0.

       --conntrack-max-per-core=32768      Maximum number of NAT connections
       to track per CPU core (0 to leave the limit as-is and ignore
       conntrack-min).

       --conntrack-min=131072      Minimum number of conntrack entries to
       allocate, regardless of conntrack-max-per-core (set
       conntrack-max-per-core=0 to leave the limit as-is).

       --conntrack-tcp-timeout-close-wait=1h0m0s      NAT timeout for TCP
       connections in the CLOSE_WAIT state

       --conntrack-tcp-timeout-established=24h0m0s      Idle timeout for
       established TCP connections (0 to leave as-is)

       --container_hints="/etc/cadvisor/container_hints.json"      location of
       the container hints file

       --containerd="/run/containerd/containerd.sock"      containerd endpoint

       --containerd-namespace="k8s.io"      containerd namespace

       --containerd_env_metadata_whitelist=""      DEPRECATED: this flag will
       be removed, please use env_metadata_whitelist. A comma-separated list
       of environment variable keys matched with specified prefix that needs
       to be collected for containerd containers

       --default-not-ready-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for notReady:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --default-unreachable-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for unreachable:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --detect-local-mode=      Mode to use to detect local traffic. This
       parameter is ignored if a config file is specified by --config.

       --disable_root_cgroup_stats=false      Disable collecting root Cgroup
       stats

       --docker_only=false      Only report docker containers in addition to
       root stats

       --enable_load_reader=false      Whether to enable cpu load reader

       --event_storage_age_limit="default=0"      Max length of time for which
       to store events (per type). Value is a comma separated list of key
       values, where the keys are event types (e.g.: creation, oom) or
       "default" and the value is a duration. Default is applied to all
       non-specified event types

       --event_storage_event_limit="default=0"      Max number of events to
       store (per type). Value is a comma separated list of key values, where
       the keys are event types (e.g.: creation, oom) or "default" and the
       value is an integer. Default is applied to all non-specified event
       types

       --feature-gates=      A set of key=value pairs that describe feature
       gates for alpha/experimental features. Options are:
           APIListChunking=true|false (BETA - default=true)
           APIPriorityAndFairness=true|false (BETA - default=true)
           APIResponseCompression=true|false (BETA - default=true)
           APISelfSubjectReview=true|false (ALPHA - default=false)
           APIServerIdentity=true|false (BETA - default=true)
           APIServerTracing=true|false (ALPHA - default=false)
           AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)
           AllAlpha=true|false (ALPHA - default=false)
           AllBeta=true|false (BETA - default=false)
           AnyVolumeDataSource=true|false (BETA - default=true)
           AppArmor=true|false (BETA - default=true)
           CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
           CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
           CPUManagerPolicyOptions=true|false (BETA - default=true)
           CSIMigrationPortworx=true|false (BETA - default=false)
           CSIMigrationRBD=true|false (ALPHA - default=false)
           CSINodeExpandSecret=true|false (ALPHA - default=false)
           CSIVolumeHealth=true|false (ALPHA - default=false)
           ComponentSLIs=true|false (ALPHA - default=false)
           ContainerCheckpoint=true|false (ALPHA - default=false)
           ContextualLogging=true|false (ALPHA - default=false)
           CronJobTimeZone=true|false (BETA - default=true)
           CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
           CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
           CustomResourceValidationExpressions=true|false (BETA - default=true)
           DisableCloudProviders=true|false (ALPHA - default=false)
           DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
           DownwardAPIHugePages=true|false (BETA - default=true)
           DynamicResourceAllocation=true|false (ALPHA - default=false)
           EventedPLEG=true|false (ALPHA - default=false)
           ExpandedDNSConfig=true|false (BETA - default=true)
           ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
           GRPCContainerProbe=true|false (BETA - default=true)
           GracefulNodeShutdown=true|false (BETA - default=true)
           GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
           HPAContainerMetrics=true|false (ALPHA - default=false)
           HPAScaleToZero=true|false (ALPHA - default=false)
           HonorPVReclaimPolicy=true|false (ALPHA - default=false)
           IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
           InTreePluginAWSUnregister=true|false (ALPHA - default=false)
           InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
           InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
           InTreePluginGCEUnregister=true|false (ALPHA - default=false)
           InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
           InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
           InTreePluginRBDUnregister=true|false (ALPHA - default=false)
           InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
           JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
           JobPodFailurePolicy=true|false (BETA - default=true)
           JobReadyPods=true|false (BETA - default=true)
           KMSv2=true|false (ALPHA - default=false)
           KubeletInUserNamespace=true|false (ALPHA - default=false)
           KubeletPodResources=true|false (BETA - default=true)
           KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
           KubeletTracing=true|false (ALPHA - default=false)
           LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
           LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
           LogarithmicScaleDown=true|false (BETA - default=true)
           LoggingAlphaOptions=true|false (ALPHA - default=false)
           LoggingBetaOptions=true|false (BETA - default=true)
           MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
           MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
           MemoryManager=true|false (BETA - default=true)
           MemoryQoS=true|false (ALPHA - default=false)
           MinDomainsInPodTopologySpread=true|false (BETA - default=false)
           MinimizeIPTablesRestore=true|false (ALPHA - default=false)
           MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
           NetworkPolicyStatus=true|false (ALPHA - default=false)
           NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
           NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
           NodeSwap=true|false (ALPHA - default=false)
           OpenAPIEnums=true|false (BETA - default=true)
           OpenAPIV3=true|false (BETA - default=true)
           PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)
           PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
           PodDeletionCost=true|false (BETA - default=true)
           PodDisruptionConditions=true|false (BETA - default=true)
           PodHasNetworkCondition=true|false (ALPHA - default=false)
           PodSchedulingReadiness=true|false (ALPHA - default=false)
           ProbeTerminationGracePeriod=true|false (BETA - default=true)
           ProcMountType=true|false (ALPHA - default=false)
           ProxyTerminatingEndpoints=true|false (BETA - default=true)
           QOSReserved=true|false (ALPHA - default=false)
           ReadWriteOncePod=true|false (ALPHA - default=false)
           RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
           RemainingItemCount=true|false (BETA - default=true)
           RetroactiveDefaultStorageClass=true|false (BETA - default=true)
           RotateKubeletServerCertificate=true|false (BETA - default=true)
           SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
           SeccompDefault=true|false (BETA - default=true)
           ServerSideFieldValidation=true|false (BETA - default=true)
           SizeMemoryBackedVolumes=true|false (BETA - default=true)
           StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
           StatefulSetStartOrdinal=true|false (ALPHA - default=false)
           StorageVersionAPI=true|false (ALPHA - default=false)
           StorageVersionHash=true|false (BETA - default=true)
           TopologyAwareHints=true|false (BETA - default=true)
           TopologyManager=true|false (BETA - default=true)
           TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
           TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
           TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
           UnauthenticatedHTTP2DOSMitigation=true|false (BETA - default=false)
           UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
           ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
           VolumeCapacityPriority=true|false (ALPHA - default=false)
           WinDSR=true|false (ALPHA - default=false)
           WinOverlay=true|false (BETA - default=true)
           WindowsHostNetwork=true|false (ALPHA - default=true)
       This parameter is ignored if a config file is specified by --config.

       --global_housekeeping_interval=1m0s      Interval between global
       housekeepings

       --healthz-bind-address=0.0.0.0:10256      The IP address with port for
       the health check server to serve on (set to '0.0.0.0:10256' for all
       IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to
       disable. This parameter is ignored if a config file is specified by
       --config.

       --healthz-port=10256      The port to bind the health check server. Use
       0 to disable.

       --hostname-override=""      If non-empty, will use this string as
       identification instead of the actual hostname.

       --housekeeping_interval=10s      Interval between container
       housekeepings

       --iptables-localhost-nodeports=true      If false, kube-proxy will
       disable the legacy behavior of allowing NodePort services to be
       accessed via localhost. This only applies to iptables mode and IPv4.

       --iptables-masquerade-bit=14      If using the pure iptables proxy, the
       bit of the fwmark space to mark packets requiring SNAT with. Must be
       within the range [0, 31].

       --iptables-min-sync-period=1s      The minimum interval of how often
       the iptables rules can be refreshed as endpoints and services change
       (e.g. '5s', '1m', '2h22m').

       --iptables-sync-period=30s      The maximum interval of how often
       iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be
       greater than 0.

       --ipvs-exclude-cidrs=[]      A comma-separated list of CIDRs which the
       ipvs proxier should not touch when cleaning up IPVS rules.

       --ipvs-min-sync-period=0s      The minimum interval of how often the
       ipvs rules can be refreshed as endpoints and services change (e.g.
       '5s', '1m', '2h22m').

       --ipvs-scheduler=""      The ipvs scheduler type when proxy mode is
       ipvs

       --ipvs-strict-arp=false      Enable strict ARP by setting arp_ignore to
       1 and arp_announce to 2

       --ipvs-sync-period=30s      The maximum interval of how often ipvs
       rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than
       0.

       --ipvs-tcp-timeout=0s      The timeout for idle IPVS TCP connections, 0
       to leave as-is. (e.g. '5s', '1m', '2h22m').

       --ipvs-tcpfin-timeout=0s      The timeout for IPVS TCP connections
       after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m',
       '2h22m').

       --ipvs-udp-timeout=0s      The timeout for IPVS UDP packets, 0 to leave
       as-is. (e.g. '5s', '1m', '2h22m').

       --kube-api-burst=10      Burst to use while talking with kubernetes
       apiserver

       --kube-api-content-type="application/vnd.kubernetes.protobuf"
            Content type of requests sent to apiserver.

       --kube-api-qps=5      QPS to use while talking with kubernetes
       apiserver

       --kubeconfig=""      Path to kubeconfig file with authorization
       information (the master location can be overridden by the master flag).

       --log_cadvisor_usage=false      Whether to log the usage of the
       cAdvisor container

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
            Comma-separated list of files to check for machine-id. Use the
       first one that exists.

       --masquerade-all=false      If using the pure iptables proxy, SNAT all
       traffic sent via Service cluster IPs (this is not commonly needed)

       --master=""      The address of the Kubernetes API server (overrides
       any value in kubeconfig)

       --max_housekeeping_interval=1m0s      Largest interval to allow between
       container housekeepings

       --metrics-bind-address=127.0.0.1:10249      The IP address with port
       for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4
       interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to
       disable. This parameter is ignored if a config file is specified by
       --config.

       --metrics-port=10249      The port to bind the metrics server. Use 0 to
       disable.

       --nodeport-addresses=[]      A string slice of values which specify the
       addresses to use for NodePorts. Values may be valid IP blocks (e.g.
       1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to
       use all local addresses. This parameter is ignored if a config file is
       specified by --config.

       --oom-score-adj=-999      The oom-score-adj value for kube-proxy
       process. Values must be within the range [-1000, 1000]. This parameter
       is ignored if a config file is specified by --config.

       --pod-bridge-interface=""      A bridge interface name in the cluster.
       Kube-proxy considers traffic as local if originating from an interface
       which matches the value. This argument should be set if DetectLocalMode
       is set to BridgeInterface.

       --pod-interface-name-prefix=""      An interface prefix in the cluster.
       Kube-proxy considers traffic as local if originating from interfaces
       that match the given prefix. This argument should be set if
       DetectLocalMode is set to InterfaceNamePrefix.

       --profiling=false      If true enables profiling via web interface on
       /debug/pprof handler. This parameter is ignored if a config file is
       specified by --config.

       --proxy-mode=      Which proxy mode to use: on Linux this can be
       'iptables' (default) or 'ipvs'. On Windows the only supported value is
       'kernelspace'. This parameter is ignored if a config file is specified
       by --config.

       --proxy-port-range=      Range of host ports (beginPort-endPort, single
       port or beginPort+offset, inclusive) that may be consumed in order to
       proxy service traffic. If (unspecified, 0, or 0-0) then ports will be
       randomly chosen.

       --referenced_reset_interval=0      Reset interval for referenced bytes
       (container_referenced_bytes metric), number of measurement cycles after
       which referenced bytes are cleared, if set to 0 referenced bytes are
       never cleared (default: 0)

       --show-hidden-metrics-for-version=""      The previous version for
       which you want to show hidden metrics. Only the previous minor version
       is meaningful, other values will not be allowed. The format is
       <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
       sure you have the opportunity to notice if the next release hides
       additional metrics, rather than being surprised when they are
       permanently removed in the release after that. This parameter is
       ignored if a config file is specified by --config.

       --storage_driver_buffer_duration=1m0s      Writes in the storage driver
       will be buffered for this duration, and committed to the non memory
       backends as a single transaction

       --storage_driver_db="cadvisor"      database name

       --storage_driver_host="localhost:8086"      database host:port

       --storage_driver_password="root"      database password

       --storage_driver_secure=false      use secure connection with database

       --storage_driver_table="stats"      table name

       --storage_driver_user="root"      database username

       --update_machine_info_interval=5m0s      Interval between machine info
       updates.

       --version=false      Print version information and quit

       --write-config-to=""      If set, write the default configuration
       values to this file and exit.
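
       The following is an added example, not part of the original manual
       and not kube-proxy's own code. It audits a kube-proxy command line
       against the listener-related options documented above, using the
       defaults and the "ignored if a config file is specified by --config"
       rule exactly as stated on this page. The finding names, the sample
       command line and the function names are this example's own.

```python
import ipaddress
import shlex

# Defaults as documented in OPTIONS above. Each of these flags is documented
# there as "ignored if a config file is specified by --config".
DEFAULTS = {
    "bind-address": "0.0.0.0",
    "healthz-bind-address": "0.0.0.0:10256",
    "metrics-bind-address": "127.0.0.1:10249",
    "profiling": "false",
    "nodeport-addresses": "",
}
BOOL_FLAGS = {"profiling"}  # a bare --profiling means true


def parse_flags(cmdline):
    """Parse --name=value, --name value and bare boolean flags into a dict."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary name
    flags, i = {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].lstrip("-").partition("=")
        last = i + 1 >= len(tokens)
        if not sep:
            if name in BOOL_FLAGS or last or tokens[i + 1].startswith("--"):
                value = "true"
            else:
                i += 1
                value = tokens[i]
        flags[name] = value
        i += 1
    return flags


def listener_scope(addr):
    """Classify a bind value as disabled, loopback, all, specific or invalid."""
    if addr == "":
        return "disabled"  # "Set empty to disable"
    host = addr.rsplit(":", 1)[0] if addr.startswith("[") or addr.count(":") == 1 else addr
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "invalid"
    if ip.is_unspecified:
        return "all"
    return "loopback" if ip.is_loopback else "specific"


def audit(cmdline):
    """Return sorted (flag, finding) pairs; finding names are this example's own."""
    flags = parse_flags(cmdline)
    if flags.get("config"):
        # Command-line values for these flags are not the effective ones.
        return sorted((f, "ignored-by-config") for f in DEFAULTS if f in flags)
    eff = {**DEFAULTS, **{k: v for k, v in flags.items() if k in DEFAULTS}}
    found = []
    if listener_scope(eff["metrics-bind-address"]) not in ("disabled", "loopback"):
        found.append(("metrics-bind-address", "metrics-off-loopback"))
    if eff["profiling"].lower() == "true":
        found.append(("profiling", "pprof-enabled"))
    if listener_scope(eff["healthz-bind-address"]) == "all":
        found.append(("healthz-bind-address", "healthz-all-interfaces"))
    if eff["nodeport-addresses"] in ("", "[]"):
        found.append(("nodeport-addresses", "nodeports-all-local-addresses"))
    return sorted(found)


if __name__ == "__main__":
    # Constructed command line, not taken from a real node.
    print(audit("kube-proxy --metrics-bind-address=0.0.0.0:10249 --profiling"))
```

       An "ignored-by-config" result means the listed flags have no effect
       and the same settings have to be reviewed in the file named by
       --config instead.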

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)