KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

kube-proxy -

kube-proxy [OPTIONS]

The Kubernetes network proxy runs on each node. This reflects services
as defined in the Kubernetes API on each node and can do simple TCP,
UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP
forwarding across a set of backends. Service cluster IPs and ports are
currently found through Docker-links-compatible environment variables
specifying ports opened by the service proxy. There is an optional
addon that provides cluster DNS for these cluster IPs. The user must
create a service with the apiserver API to configure the proxy.

--allow_dynamic_housekeeping=true  Whether to allow the housekeeping
interval to be dynamic

--application_metrics_count_limit=100  Max number of application
metrics to store (per container)

--azure-container-registry-config=""  Path to the file containing
Azure container registry configuration information.

--bind-address=0.0.0.0  The IP address for the proxy server to
serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all
IPv6 interfaces). This parameter is ignored if a config file is
specified by --config.

--bind-address-hard-fail=false  If true, kube-proxy will treat
failure to bind to a port as fatal and exit

--boot_id_file="/proc/sys/kernel/random/boot_id"  Comma-separated
list of files to check for boot-id. Use the first one that exists.

--cleanup=false  If true, clean up iptables and ipvs rules and exit.

--cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks

--cluster-cidr=""  The CIDR range of pods in the cluster. When
configured, traffic sent to a Service cluster IP from outside this range
will be masqueraded and traffic sent from pods to an external
LoadBalancer IP will be directed to the respective cluster IP instead.
For dual-stack clusters, a comma-separated list is accepted with at
least one CIDR per IP family (IPv4 and IPv6). This parameter is ignored
if a config file is specified by --config.

--config=""  The path to the configuration file.

--config-sync-period=15m0s  How often configuration from the
apiserver is refreshed. Must be greater than 0.

--conntrack-max-per-core=32768  Maximum number of NAT connections
to track per CPU core (0 to leave the limit as-is and ignore
conntrack-min).

--conntrack-min=131072  Minimum number of conntrack entries to
allocate, regardless of conntrack-max-per-core (set
conntrack-max-per-core=0 to leave the limit as-is).

--conntrack-tcp-timeout-close-wait=1h0m0s  NAT timeout for TCP
connections in the CLOSE_WAIT state

--conntrack-tcp-timeout-established=24h0m0s  Idle timeout for
established TCP connections (0 to leave as-is)

--container_hints="/etc/cadvisor/container_hints.json"  location of
the container hints file

--containerd="/run/containerd/containerd.sock"  containerd endpoint

--containerd-namespace="k8s.io"  containerd namespace

--containerd_env_metadata_whitelist=""  DEPRECATED: this flag will
be removed, please use env_metadata_whitelist. A comma-separated list
of environment variable keys matched with specified prefix that needs
to be collected for containerd containers

--default-not-ready-toleration-seconds=300  Indicates the
tolerationSeconds of the toleration for notReady:NoExecute that is added
by default to every pod that does not already have such a toleration.

--default-unreachable-toleration-seconds=300  Indicates the
tolerationSeconds of the toleration for unreachable:NoExecute that is
added by default to every pod that does not already have such a
toleration.

--detect-local-mode=  Mode to use to detect local traffic. This
parameter is ignored if a config file is specified by --config.

--disable_root_cgroup_stats=false  Disable collecting root Cgroup
stats

--docker_only=false  Only report docker containers in addition to
root stats

--enable_load_reader=false  Whether to enable cpu load reader

--event_storage_age_limit="default=0"  Max length of time for which
to store events (per type). Value is a comma separated list of key
values, where the keys are event types (e.g.: creation, oom) or
"default" and the value is a duration. Default is applied to all
non-specified event types

--event_storage_event_limit="default=0"  Max number of events to
store (per type). Value is a comma separated list of key values, where
the keys are event types (e.g.: creation, oom) or "default" and the
value is an integer. Default is applied to all non-specified event
types

--feature-gates=  A set of key=value pairs that describe feature
gates for alpha/experimental features. Options are:
APIListChunking=true|false (BETA - default=true)
APIPriorityAndFairness=true|false (BETA - default=true)
APIResponseCompression=true|false (BETA - default=true)
APISelfSubjectReview=true|false (BETA - default=true)
APIServerIdentity=true|false (BETA - default=true)
APIServerTracing=true|false (BETA - default=true)
AdmissionWebhookMatchConditions=true|false (ALPHA - default=false)
AggregatedDiscoveryEndpoint=true|false (BETA - default=true)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
AnyVolumeDataSource=true|false (BETA - default=true)
AppArmor=true|false (BETA - default=true)
CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
CPUManagerPolicyOptions=true|false (BETA - default=true)
CSIMigrationPortworx=true|false (BETA - default=false)
CSIMigrationRBD=true|false (ALPHA - default=false)
CSINodeExpandSecret=true|false (BETA - default=true)
CSIVolumeHealth=true|false (ALPHA - default=false)
CloudControllerManagerWebhook=true|false (ALPHA - default=false)
CloudDualStackNodeIPs=true|false (ALPHA - default=false)
ClusterTrustBundle=true|false (ALPHA - default=false)
ComponentSLIs=true|false (BETA - default=true)
ContainerCheckpoint=true|false (ALPHA - default=false)
ContextualLogging=true|false (ALPHA - default=false)
CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
CustomResourceValidationExpressions=true|false (BETA - default=true)
DisableCloudProviders=true|false (ALPHA - default=false)
DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
DynamicResourceAllocation=true|false (ALPHA - default=false)
ElasticIndexedJob=true|false (BETA - default=true)
EventedPLEG=true|false (BETA - default=false)
ExpandedDNSConfig=true|false (BETA - default=true)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
GracefulNodeShutdown=true|false (BETA - default=true)
GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
HPAContainerMetrics=true|false (BETA - default=true)
HPAScaleToZero=true|false (ALPHA - default=false)
HonorPVReclaimPolicy=true|false (ALPHA - default=false)
IPTablesOwnershipCleanup=true|false (BETA - default=true)
InPlacePodVerticalScaling=true|false (ALPHA - default=false)
InTreePluginAWSUnregister=true|false (ALPHA - default=false)
InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
InTreePluginGCEUnregister=true|false (ALPHA - default=false)
InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
InTreePluginRBDUnregister=true|false (ALPHA - default=false)
InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
JobPodFailurePolicy=true|false (BETA - default=true)
JobReadyPods=true|false (BETA - default=true)
KMSv2=true|false (BETA - default=true)
KubeletInUserNamespace=true|false (ALPHA - default=false)
KubeletPodResources=true|false (BETA - default=true)
KubeletPodResourcesDynamicResources=true|false (ALPHA - default=false)
KubeletPodResourcesGet=true|false (ALPHA - default=false)
KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
KubeletTracing=true|false (BETA - default=true)
LegacyServiceAccountTokenTracking=true|false (BETA - default=true)
LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
LogarithmicScaleDown=true|false (BETA - default=true)
LoggingAlphaOptions=true|false (ALPHA - default=false)
LoggingBetaOptions=true|false (BETA - default=true)
MatchLabelKeysInPodTopologySpread=true|false (BETA - default=true)
MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
MemoryManager=true|false (BETA - default=true)
MemoryQoS=true|false (ALPHA - default=false)
MinDomainsInPodTopologySpread=true|false (BETA - default=true)
MinimizeIPTablesRestore=true|false (BETA - default=true)
MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
MultiCIDRServiceAllocator=true|false (ALPHA - default=false)
NetworkPolicyStatus=true|false (ALPHA - default=false)
NewVolumeManagerReconstruction=true|false (BETA - default=false)
NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
NodeLogQuery=true|false (ALPHA - default=false)
NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
NodeSwap=true|false (ALPHA - default=false)
OpenAPIEnums=true|false (BETA - default=true)
PDBUnhealthyPodEvictionPolicy=true|false (BETA - default=true)
PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
PodDeletionCost=true|false (BETA - default=true)
PodDisruptionConditions=true|false (BETA - default=true)
PodHasNetworkCondition=true|false (ALPHA - default=false)
PodSchedulingReadiness=true|false (BETA - default=true)
ProbeTerminationGracePeriod=true|false (BETA - default=true)
ProcMountType=true|false (ALPHA - default=false)
ProxyTerminatingEndpoints=true|false (BETA - default=true)
QOSReserved=true|false (ALPHA - default=false)
ReadWriteOncePod=true|false (BETA - default=true)
RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
RemainingItemCount=true|false (BETA - default=true)
RetroactiveDefaultStorageClass=true|false (BETA - default=true)
RotateKubeletServerCertificate=true|false (BETA - default=true)
SELinuxMountReadWriteOncePod=true|false (BETA - default=false)
SecurityContextDeny=true|false (ALPHA - default=false)
ServiceNodePortStaticSubrange=true|false (ALPHA - default=false)
SizeMemoryBackedVolumes=true|false (BETA - default=true)
StableLoadBalancerNodeSet=true|false (BETA - default=true)
StatefulSetAutoDeletePVC=true|false (BETA - default=true)
StatefulSetStartOrdinal=true|false (BETA - default=true)
StorageVersionAPI=true|false (ALPHA - default=false)
StorageVersionHash=true|false (BETA - default=true)
TopologyAwareHints=true|false (BETA - default=true)
TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
UnauthenticatedHTTP2DOSMitigation=true|false (BETA - default=false)
UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
VolumeCapacityPriority=true|false (ALPHA - default=false)
WatchList=true|false (ALPHA - default=false)
WinDSR=true|false (ALPHA - default=false)
WinOverlay=true|false (BETA - default=true)
WindowsHostNetwork=true|false (ALPHA - default=true)
This parameter is ignored if a config file is specified by --config.

--global_housekeeping_interval=1m0s  Interval between global
housekeepings

--healthz-bind-address=0.0.0.0:10256  The IP address with port for
the health check server to serve on (set to '0.0.0.0:10256' for all
IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to
disable. This parameter is ignored if a config file is specified by
--config.

--healthz-port=10256  The port to bind the health check server. Use
0 to disable.

--hostname-override=""  If non-empty, will use this string as
identification instead of the actual hostname.

--housekeeping_interval=10s  Interval between container
housekeepings

--iptables-localhost-nodeports=true  If false, kube-proxy will
disable the legacy behavior of allowing NodePort services to be accessed
via localhost. This only applies to iptables mode and IPv4.

--iptables-masquerade-bit=14  If using the pure iptables proxy, the
bit of the fwmark space to mark packets requiring SNAT with. Must be
within the range [0, 31].

--iptables-min-sync-period=1s  The minimum interval of how often
the iptables rules can be refreshed as endpoints and services change
(e.g. '5s', '1m', '2h22m').

--iptables-sync-period=30s  The maximum interval of how often
iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater
than 0.

--ipvs-exclude-cidrs=[]  A comma-separated list of CIDRs which the
ipvs proxier should not touch when cleaning up IPVS rules.

--ipvs-min-sync-period=0s  The minimum interval of how often the
ipvs rules can be refreshed as endpoints and services change (e.g.
'5s', '1m', '2h22m').

--ipvs-scheduler=""  The ipvs scheduler type when proxy mode is
ipvs

--ipvs-strict-arp=false  Enable strict ARP by setting arp_ignore to
1 and arp_announce to 2

--ipvs-sync-period=30s  The maximum interval of how often ipvs
rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than
0.

--ipvs-tcp-timeout=0s  The timeout for idle IPVS TCP connections, 0
to leave as-is. (e.g. '5s', '1m', '2h22m').

--ipvs-tcpfin-timeout=0s  The timeout for IPVS TCP connections
after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m',
'2h22m').

--ipvs-udp-timeout=0s  The timeout for IPVS UDP packets, 0 to leave
as-is. (e.g. '5s', '1m', '2h22m').

--kube-api-burst=10  Burst to use while talking with kubernetes
apiserver

--kube-api-content-type="application/vnd.kubernetes.protobuf"
Content type of requests sent to apiserver.

--kube-api-qps=5  QPS to use while talking with kubernetes
apiserver

--kubeconfig=""  Path to kubeconfig file with authorization
information (the master location can be overridden by the master flag).

--log_cadvisor_usage=false  Whether to log the usage of the
cAdvisor container

--machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
Comma-separated list of files to check for machine-id. Use the
first one that exists.

--masquerade-all=false  If using the pure iptables proxy, SNAT all
traffic sent via Service cluster IPs (this is not commonly needed)

--master=""  The address of the Kubernetes API server (overrides
any value in kubeconfig)

--max_housekeeping_interval=1m0s  Largest interval to allow between
container housekeepings

--metrics-bind-address=127.0.0.1:10249  The IP address with port
for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4
interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to
disable. This parameter is ignored if a config file is specified by
--config.

--metrics-port=10249  The port to bind the metrics server. Use 0 to
disable.

--nodeport-addresses=[]  A string slice of values which specify the
addresses to use for NodePorts. Values may be valid IP blocks (e.g.
1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to
use all local addresses. This parameter is ignored if a config file is
specified by --config.

--oom-score-adj=-999  The oom-score-adj value for kube-proxy
process. Values must be within the range [-1000, 1000]. This parameter
is ignored if a config file is specified by --config.

--pod-bridge-interface=""  A bridge interface name in the cluster.
Kube-proxy considers traffic as local if originating from an interface
which matches the value. This argument should be set if DetectLocalMode
is set to BridgeInterface.

--pod-interface-name-prefix=""  An interface prefix in the cluster.
Kube-proxy considers traffic as local if originating from interfaces
that match the given prefix. This argument should be set if
DetectLocalMode is set to InterfaceNamePrefix.

--profiling=false  If true, enables profiling via web interface on
/debug/pprof handler. This parameter is ignored if a config file is
specified by --config.

--proxy-mode=  Which proxy mode to use: on Linux this can be
'iptables' (default) or 'ipvs'. On Windows the only supported value is
'kernelspace'. This parameter is ignored if a config file is specified
by --config.

--proxy-port-range=  Range of host ports (beginPort-endPort, single
port or beginPort+offset, inclusive) that may be consumed in order to
proxy service traffic. If (unspecified, 0, or 0-0) then ports will be
randomly chosen.

--referenced_reset_interval=0  Reset interval for referenced bytes
(container_referenced_bytes metric), number of measurement cycles after
which referenced bytes are cleared, if set to 0 referenced bytes are
never cleared (default: 0)

--show-hidden-metrics-for-version=""  The previous version for
which you want to show hidden metrics. Only the previous minor version
is meaningful, other values will not be allowed. The format is
<major>.<minor>, e.g.: '1.16'. The purpose of this format is to make
sure you have the opportunity to notice if the next release hides
additional metrics, rather than being surprised when they are
permanently removed in the release after that. This parameter is
ignored if a config file is specified by --config.

--storage_driver_buffer_duration=1m0s  Writes in the storage driver
will be buffered for this duration, and committed to the non memory
backends as a single transaction

--storage_driver_db="cadvisor"  database name

--storage_driver_host="localhost:8086"  database host:port

--storage_driver_password="root"  database password

--storage_driver_secure=false  use secure connection with database

--storage_driver_table="stats"  table name

--storage_driver_user="root"  database username

--update_machine_info_interval=5m0s  Interval between machine info
updates.

--version=false  Print version information and quit

--write-config-to=""  If set, write the default configuration
values to this file and exit.
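
Several options above widen what kube-proxy listens on (--metrics-bind-address, --profiling, --nodeport-addresses), and many of them are ignored once --config is given. The following is an added example, not part of this manual page or of the Kubernetes project: a small audit of a kube-proxy command line against those points. The sample command lines, the config file path and the finding names are constructed for illustration, and only the `--name=value` and bare boolean `--name` forms are parsed.

```python
import ipaddress
import shlex

# Flags whose descriptions on this page end with "This parameter is ignored
# if a config file is specified by --config."
IGNORED_WITH_CONFIG = {
    "bind-address", "cluster-cidr", "detect-local-mode", "feature-gates",
    "healthz-bind-address", "metrics-bind-address", "nodeport-addresses",
    "oom-score-adj", "profiling", "proxy-mode",
    "show-hidden-metrics-for-version",
}

# Defaults copied from the option list on this page.
DEFAULTS = {
    "config": "",
    "metrics-bind-address": "127.0.0.1:10249",
    "nodeport-addresses": "",
    "profiling": "false",
}

# Constructed sample command lines (not taken from a real cluster).
SAMPLE_EXPOSED = "kube-proxy --metrics-bind-address=0.0.0.0:10249 --profiling"
SAMPLE_SHADOWED = ("kube-proxy --config=/etc/kube-proxy/config.yaml "
                   "--metrics-bind-address=127.0.0.1:10249 "
                   "--nodeport-addresses=10.0.0.0/8")


def parse_flags(cmdline):
    """Parse --name=value and bare boolean --name tokens (assumed forms)."""
    flags = {}
    for token in shlex.split(cmdline)[1:]:
        if token.startswith("--"):
            name, sep, value = token[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags


def is_wildcard(hostport):
    """True for 0.0.0.0:port or [::]:port; False for empty (disabled)."""
    host = hostport.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def audit(cmdline):
    """Return (finding_id, detail) tuples for one kube-proxy command line."""
    given = parse_flags(cmdline)
    eff = {**DEFAULTS, **given}
    if eff["config"]:
        # Command-line values below are not in effect; review the file instead.
        shadowed = sorted(IGNORED_WITH_CONFIG & given.keys())
        return [("ignored-with-config", ",".join(shadowed))] if shadowed else []
    findings = []
    if is_wildcard(eff["metrics-bind-address"]):
        findings.append(("metrics-wildcard-bind", eff["metrics-bind-address"]))
    if eff["profiling"].lower() == "true":
        findings.append(("profiling-enabled", "/debug/pprof handler is on"))
    if eff["nodeport-addresses"] in ("", "[]"):
        findings.append(("nodeports-on-all-addresses", "no CIDR restriction"))
    return findings
```

An `ignored-with-config` finding means the listed hardening flags on the command line have no effect, so the values in the configuration file are the ones to review.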

January 2015, Originally compiled by Eric Paris (eparis at redhat dot
com) based on the kubernetes source material, but hopefully they have
been automatically generated since!

Manuals User KUBERNETES(1)(kubernetes)