kube-proxy Configuration (v1alpha1)

featureGates is a map of feature names to bools that enable or disable alpha/experimental features.

bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces)

healthzBindAddress is the IP address and port for the health check server to serve on, defaulting to 0.0.0.0:10256

metricsBindAddress is the IP address and port for the metrics server to serve on, defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)

bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit

enableProfiling enables profiling via web interface on /debug/pprof handler. Profiling handlers will be handled by metrics server.

clusterCIDR is the CIDR range of the pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.

hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.

clientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver.

iptables contains iptables-related configuration options.

ipvs contains ipvs-related configuration options.

oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]

mode specifies which proxy mode to use.

portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.

udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxyMode=userspace.

conntrack contains conntrack-related configuration options.

configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater than 0.

nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid IP blocks. These values are as a parameter to select the interfaces where nodeport works. In case someone would like to expose a service on localhost for local visit and some other interfaces for particular purpose, a list of IP blocks would do that. If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort. If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node. An empty string slice is meant to select all network interfaces.

winkernel contains winkernel-related configuration options.

ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.

DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR

maxPerCore is the maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore min).

min is the minimum value of connect-tracking records to allocate, regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).

tcpEstablishedTimeout is how long an idle TCP connection will be kept open (e.g. '2s'). Must be greater than 0 to set.

tcpCloseWaitTimeout is how long an idle conntrack entry in CLOSE_WAIT state will remain in the conntrack table. (e.g. '60s'). Must be greater than 0 to set.

masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using the pure iptables proxy mode. Values must be within the range [0, 31].

masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.

syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.

minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').

syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.

minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m').

ipvs scheduler

excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch when cleaning up ipvs services.

strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface

tcpTimeout is the timeout value used for idle IPVS TCP sessions. The default value is 0, which preserves the current timeout value on the system.

tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN. The default value is 0, which preserves the current timeout value on the system.

udpTimeout is the timeout value used for IPVS UDP packets. The default value is 0, which preserves the current timeout value on the system.

networkName is the name of the network kube-proxy will use to create endpoints and policies

sourceVip is the IP address of the source VIP endoint used for NAT when loadbalancing

enableDSR tells kube-proxy whether HNS policies should be created with DSR

kubeconfig is the path to a KubeConfig file.

acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.

contentType is the content type used when sending data to the server from this client.

qps controls the number of queries per second allowed for this connection.

burst allows extra queries to accumulate when a client is exceeding its rate.

enableProfiling enables profiling via web interface host:port/debug/pprof/

enableContentionProfiling enables lock contention profiling, if enableProfiling is true.

[Experimental] JSON contains options for logging format "json".

[Experimental] SplitStream redirects error messages to stderr while info messages go to stdout, with buffering. The default is to write both to stdout, without buffering.

[Experimental] InfoBufferSize sets the size of the info stream when using split streams. The default is zero, which disables buffering.

leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability.

leaseDuration is the duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

renewDeadline is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.

retryPeriod is the duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

resourceLock indicates the resource object type that will be used to lock during leader election cycles.

resourceName indicates the name of resource object that will be used to lock during leader election cycles.

resourceName indicates the namespace of resource object that will be used to lock during leader election cycles.

Format Flag specifies the structure of log messages. default value of format is text

Maximum number of seconds between log flushes. Ignored if the selected logging backend writes log messages without buffering.

Verbosity is the threshold that determines which log messages are logged. Default is zero which logs only the most important messages. Higher values enable additional messages. Error messages are always logged.

VModule overrides the verbosity threshold for individual files. Only supported for "text" log format.

[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`)

[Experimental] Options holds additional parameters that are specific to the different logging formats. Only the options for the selected format get used, but all of them get validated.