diff --git a/content/zh/docs/reference/config-api/kube-proxy-config.v1alpha1.md b/content/zh/docs/reference/config-api/kube-proxy-config.v1alpha1.md new file mode 100644 index 0000000000..86315856b2 --- /dev/null +++ b/content/zh/docs/reference/config-api/kube-proxy-config.v1alpha1.md @@ -0,0 +1,601 @@ +--- +title: kube-proxy Configuration (v1alpha1) +content_type: tool-reference +package: kubeproxy.config.k8s.io/v1alpha1 +auto_generated: true +--- + + +## Resource Types + + +- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration) + + + + +## `KubeProxyConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration} + + + + + +KubeProxyConfiguration contains everything necessary to configure the +Kubernetes proxy server. + +
Field | Description |
---|---|
apiVersion string | kubeproxy.config.k8s.io/v1alpha1 |
kind string | KubeProxyConfiguration |
featureGates [Required]+ map[string]bool
+ |
++ featureGates is a map of feature names to bools that enable or disable alpha/experimental features. | +
bindAddress [Required]+ string
+ |
++ bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 +for all interfaces) | +
healthzBindAddress [Required]+ string
+ |
++ healthzBindAddress is the IP address and port for the health check server to serve on, +defaulting to 0.0.0.0:10256 | +
metricsBindAddress [Required]+ string
+ |
++ metricsBindAddress is the IP address and port for the metrics server to serve on, +defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces) | +
bindAddressHardFail [Required]+ bool
+ |
++ bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit | +
enableProfiling [Required]+ bool
+ |
++ enableProfiling enables profiling via web interface on /debug/pprof handler. +Profiling handlers will be handled by metrics server. | +
clusterCIDR [Required]+ string
+ |
++ clusterCIDR is the CIDR range of the pods in the cluster. It is used to +bridge traffic coming from outside of the cluster. If not provided, +no off-cluster bridging will be performed. | +
hostnameOverride [Required]+ string
+ |
++ hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname. | +
clientConnection [Required]+ ClientConnectionConfiguration
+ |
++ clientConnection specifies the kubeconfig file and client connection settings for the proxy +server to use when communicating with the apiserver. | +
iptables [Required]+ KubeProxyIPTablesConfiguration
+ |
++ iptables contains iptables-related configuration options. | +
ipvs [Required]+ KubeProxyIPVSConfiguration
+ |
++ ipvs contains ipvs-related configuration options. | +
oomScoreAdj [Required]+ int32
+ |
++ oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within +the range [-1000, 1000] | +
mode [Required]+ ProxyMode
+ |
++ mode specifies which proxy mode to use. | +
portRange [Required]+ string
+ |
++ portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed +in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen. | +
udpIdleTimeout [Required]+ meta/v1.Duration
+ |
++ udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s'). +Must be greater than 0. Only applicable for proxyMode=userspace. | +
conntrack [Required]+ KubeProxyConntrackConfiguration
+ |
++ conntrack contains conntrack-related configuration options. | +
configSyncPeriod [Required]+ meta/v1.Duration
+ |
++ configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater +than 0. | +
nodePortAddresses [Required]+ []string
+ |
++ nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid +IP blocks. These values are as a parameter to select the interfaces where nodeport works. +In case someone would like to expose a service on localhost for local visit and some other interfaces for +particular purpose, a list of IP blocks would do that. +If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort. +If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node. +An empty string slice is meant to select all network interfaces. | +
winkernel [Required]+ KubeProxyWinkernelConfiguration
+ |
++ winkernel contains winkernel-related configuration options. | +
showHiddenMetricsForVersion [Required]+ string
+ |
++ ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics. | +
detectLocalMode [Required]+ LocalMode
+ |
++ DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR | +
Field | Description |
---|---|
maxPerCore [Required]+ int32
+ |
++ maxPerCore is the maximum number of NAT connections to track +per CPU core (0 to leave the limit as-is and ignore min). | +
min [Required]+ int32
+ |
++ min is the minimum value of connect-tracking records to allocate, +regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is). | +
tcpEstablishedTimeout [Required]+ meta/v1.Duration
+ |
++ tcpEstablishedTimeout is how long an idle TCP connection will be kept open +(e.g. '2s'). Must be greater than 0 to set. | +
tcpCloseWaitTimeout [Required]+ meta/v1.Duration
+ |
++ tcpCloseWaitTimeout is how long an idle conntrack entry +in CLOSE_WAIT state will remain in the conntrack +table. (e.g. '60s'). Must be greater than 0 to set. | +
Field | Description |
---|---|
masqueradeBit [Required]+ int32
+ |
++ masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using +the pure iptables proxy mode. Values must be within the range [0, 31]. | +
masqueradeAll [Required]+ bool
+ |
++ masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode. | +
syncPeriod [Required]+ meta/v1.Duration
+ |
++ syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m', +'2h22m'). Must be greater than 0. | +
minSyncPeriod [Required]+ meta/v1.Duration
+ |
++ minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', +'2h22m'). | +
Field | Description |
---|---|
syncPeriod [Required]+ meta/v1.Duration
+ |
++ syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m', +'2h22m'). Must be greater than 0. | +
minSyncPeriod [Required]+ meta/v1.Duration
+ |
++ minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m', +'2h22m'). | +
scheduler [Required]+ string
+ |
++ ipvs scheduler | +
excludeCIDRs [Required]+ []string
+ |
++ excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch +when cleaning up ipvs services. | +
strictARP [Required]+ bool
+ |
++ strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries +from kube-ipvs0 interface | +
tcpTimeout [Required]+ meta/v1.Duration
+ |
++ tcpTimeout is the timeout value used for idle IPVS TCP sessions. +The default value is 0, which preserves the current timeout value on the system. | +
tcpFinTimeout [Required]+ meta/v1.Duration
+ |
++ tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN. +The default value is 0, which preserves the current timeout value on the system. | +
udpTimeout [Required]+ meta/v1.Duration
+ |
++ udpTimeout is the timeout value used for IPVS UDP packets. +The default value is 0, which preserves the current timeout value on the system. | +
Field | Description |
---|---|
networkName [Required]+ string
+ |
++ networkName is the name of the network kube-proxy will use +to create endpoints and policies | +
sourceVip [Required]+ string
+ |
++ sourceVip is the IP address of the source VIP endoint used for +NAT when loadbalancing | +
enableDSR [Required]+ bool
+ |
++ enableDSR tells kube-proxy whether HNS policies should be created +with DSR | +
Field | Description |
---|---|
kubeconfig [Required]+ string
+ |
++ kubeconfig is the path to a KubeConfig file. | +
acceptContentTypes [Required]+ string
+ |
++ acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the +default value of 'application/json'. This field will control all connections to the server used by a particular +client. | +
contentType [Required]+ string
+ |
++ contentType is the content type used when sending data to the server from this client. | +
qps [Required]+ float32
+ |
++ qps controls the number of queries per second allowed for this connection. | +
burst [Required]+ int32
+ |
++ burst allows extra queries to accumulate when a client is exceeding its rate. | +
Field | Description |
---|---|
apiVersion string | kubelet.config.k8s.io/v1beta1 |
kind string | KubeletConfiguration |
enableServer [Required]+ bool
+ |
++ enableServer enables Kubelet's secured server. +Note: Kubelet's insecure port is controlled by the readOnlyPort option. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: true | +
staticPodPath + string
+ |
++ staticPodPath is the path to the directory containing local (static) pods to +run, or the path to a single static pod file. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +the set of static pods specified at the new path may be different than the +ones the Kubelet initially started with, and this may disrupt your node. +Default: "" | +
syncFrequency + meta/v1.Duration
+ |
++ syncFrequency is the max period between synchronizing running +containers and config. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +shortening this duration may have a negative performance impact, especially +as the number of Pods on the node increases. Alternatively, increasing this +duration will result in longer refresh times for ConfigMaps and Secrets. +Default: "1m" | +
fileCheckFrequency + meta/v1.Duration
+ |
++ fileCheckFrequency is the duration between checking config files for +new data +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +shortening the duration will cause the Kubelet to reload local Static Pod +configurations more frequently, which may have a negative performance impact. +Default: "20s" | +
httpCheckFrequency + meta/v1.Duration
+ |
++ httpCheckFrequency is the duration between checking http for new data +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +shortening the duration will cause the Kubelet to poll staticPodURL more +frequently, which may have a negative performance impact. +Default: "20s" | +
staticPodURL + string
+ |
++ staticPodURL is the URL for accessing static pods to run +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +the set of static pods specified at the new URL may be different than the +ones the Kubelet initially started with, and this may disrupt your node. +Default: "" | +
staticPodURLHeader + map[string][]string
+ |
++ staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt the ability to read the latest set of static pods from StaticPodURL. +Default: nil | +
address + string
+ |
++ address is the IP address for the Kubelet to serve on (set to 0.0.0.0 +for all interfaces). +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: "0.0.0.0" | +
port + int32
+ |
++ port is the port for the Kubelet to serve on. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: 10250 | +
readOnlyPort + int32
+ |
++ readOnlyPort is the read-only port for the Kubelet to serve on with +no authentication/authorization. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: 0 (disabled) | +
tlsCertFile + string
+ |
++ tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, +if any, concatenated after server cert). If tlsCertFile and +tlsPrivateKeyFile are not provided, a self-signed certificate +and key are generated for the public address and saved to the directory +passed to the Kubelet's --cert-dir flag. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: "" | +
tlsPrivateKeyFile + string
+ |
++ tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: "" | +
tlsCipherSuites + []string
+ |
++ TLSCipherSuites is the list of allowed cipher suites for the server. +Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: nil | +
tlsMinVersion + string
+ |
++ TLSMinVersion is the minimum TLS version supported. +Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: "" | +
rotateCertificates + bool
+ |
++ rotateCertificates enables client certificate rotation. The Kubelet will request a +new certificate from the certificates.k8s.io API. This requires an approver to approve the +certificate signing requests. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +disabling it may disrupt the Kubelet's ability to authenticate with the API server +after the current certificate expires. +Default: false | +
serverTLSBootstrap + bool
+ |
++ serverTLSBootstrap enables server certificate bootstrap. Instead of self +signing a serving certificate, the Kubelet will request a certificate from +the certificates.k8s.io API. This requires an approver to approve the +certificate signing requests. The RotateKubeletServerCertificate feature +must be enabled. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +disabling it will stop the renewal of Kubelet server certificates, which can +disrupt components that interact with the Kubelet server in the long term, +due to certificate expiration. +Default: false | +
authentication + KubeletAuthentication
+ |
++ authentication specifies how requests to the Kubelet's server are authenticated +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Defaults: + anonymous: + enabled: false + webhook: + enabled: true + cacheTTL: "2m" | +
authorization + KubeletAuthorization
+ |
++ authorization specifies how requests to the Kubelet's server are authorized +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Defaults: + mode: Webhook + webhook: + cacheAuthorizedTTL: "5m" + cacheUnauthorizedTTL: "30s" | +
registryPullQPS + int32
+ |
++ registryPullQPS is the limit of registry pulls per second. +Set to 0 for no limit. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact scalability by changing the amount of traffic produced +by image pulls. +Default: 5 | +
registryBurst + int32
+ |
++ registryBurst is the maximum size of bursty pulls, temporarily allows +pulls to burst to this number, while still not exceeding registryPullQPS. +Only used if registryPullQPS > 0. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact scalability by changing the amount of traffic produced +by image pulls. +Default: 10 | +
eventRecordQPS + int32
+ |
++ eventRecordQPS is the maximum event creations per second. If 0, there +is no limit enforced. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact scalability by changing the amount of traffic produced by +event creations. +Default: 5 | +
eventBurst + int32
+ |
++ eventBurst is the maximum size of a burst of event creations, temporarily +allows event creations to burst to this number, while still not exceeding +eventRecordQPS. Only used if eventRecordQPS > 0. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact scalability by changing the amount of traffic produced by +event creations. +Default: 10 | +
enableDebuggingHandlers + bool
+ |
++ enableDebuggingHandlers enables server endpoints for log access +and local running of containers and commands, including the exec, +attach, logs, and portforward features. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +disabling it may disrupt components that interact with the Kubelet server. +Default: true | +
enableContentionProfiling + bool
+ |
++ enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +enabling it may carry a performance impact. +Default: false | +
healthzPort + int32
+ |
++ healthzPort is the port of the localhost healthz endpoint (set to 0 to disable) +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that monitor Kubelet health. +Default: 10248 | +
healthzBindAddress + string
+ |
++ healthzBindAddress is the IP address for the healthz server to serve on +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that monitor Kubelet health. +Default: "127.0.0.1" | +
oomScoreAdj + int32
+ |
++ oomScoreAdj is The oom-score-adj value for kubelet process. Values +must be within the range [-1000, 1000]. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact the stability of nodes under memory pressure. +Default: -999 | +
clusterDomain + string
+ |
++ clusterDomain is the DNS domain for this cluster. If set, kubelet will +configure all containers to search this domain in addition to the +host's search domains. +Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended, +as it should be kept in sync with the rest of the cluster. +Default: "" | +
clusterDNS + []string
+ |
++ clusterDNS is a list of IP addresses for the cluster DNS server. If set, +kubelet will configure all containers to use this for DNS resolution +instead of the host's DNS servers. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +changes will only take effect on Pods created after the update. Draining +the node is recommended before changing this field. +Default: nil | +
streamingConnectionIdleTimeout + meta/v1.Duration
+ |
++ streamingConnectionIdleTimeout is the maximum time a streaming connection +can be idle before the connection is automatically closed. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact components that rely on infrequent updates over streaming +connections to the Kubelet server. +Default: "4h" | +
nodeStatusUpdateFrequency + meta/v1.Duration
+ |
++ nodeStatusUpdateFrequency is the frequency that kubelet computes node +status. If node lease feature is not enabled, it is also the frequency that +kubelet posts node status to master. +Note: When node lease feature is not enabled, be cautious when changing the +constant, it must work with nodeMonitorGracePeriod in nodecontroller. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact node scalability, and also that the node controller's +nodeMonitorGracePeriod must be set to N∗NodeStatusUpdateFrequency, +where N is the number of retries before the node controller marks +the node unhealthy. +Default: "10s" | +
nodeStatusReportFrequency + meta/v1.Duration
+ |
++ nodeStatusReportFrequency is the frequency that kubelet posts node +status to master if node status does not change. Kubelet will ignore this +frequency and post node status immediately if any change is detected. It is +only used when node lease feature is enabled. nodeStatusReportFrequency's +default value is 1m. But if nodeStatusUpdateFrequency is set explicitly, +nodeStatusReportFrequency's default value will be set to +nodeStatusUpdateFrequency for backward compatibility. +Default: "1m" | +
nodeLeaseDurationSeconds + int32
+ |
++ nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease, +when the NodeLease feature is enabled. This feature provides an indicator of node +health by having the Kubelet create and periodically renew a lease, named after the node, +in the kube-node-lease namespace. If the lease expires, the node can be considered unhealthy. +The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal interval +may be set based on the lease duration. +Requires the NodeLease feature gate to be enabled. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +decreasing the duration may reduce tolerance for issues that temporarily prevent +the Kubelet from renewing the lease (e.g. a short-lived network issue). +Default: 40 | +
imageMinimumGCAge + meta/v1.Duration
+ |
++ imageMinimumGCAge is the minimum age for an unused image before it is +garbage collected. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger or delay garbage collection, and may change the image overhead +on the node. +Default: "2m" | +
imageGCHighThresholdPercent + int32
+ |
++ imageGCHighThresholdPercent is the percent of disk usage after which +image garbage collection is always run. The percent is calculated as +this field value out of 100. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger or delay garbage collection, and may change the image overhead +on the node. +Default: 85 | +
imageGCLowThresholdPercent + int32
+ |
++ imageGCLowThresholdPercent is the percent of disk usage before which +image garbage collection is never run. Lowest disk usage to garbage +collect to. The percent is calculated as this field value out of 100. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger or delay garbage collection, and may change the image overhead +on the node. +Default: 80 | +
volumeStatsAggPeriod + meta/v1.Duration
+ |
++ How frequently to calculate and cache volume disk usage for all pods +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +shortening the period may carry a performance impact. +Default: "1m" | +
kubeletCgroups + string
+ |
++ kubeletCgroups is the absolute name of cgroups to isolate the kubelet in +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "" | +
systemCgroups + string
+ |
++ systemCgroups is absolute name of cgroups in which to place +all non-kernel processes that are not already in a container. Empty +for no container. Rolling back the flag requires a reboot. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "" | +
cgroupRoot + string
+ |
++ cgroupRoot is the root cgroup to use for pods. This is handled by the +container runtime on a best effort basis. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "" | +
cgroupsPerQOS + bool
+ |
++ Enable QoS based Cgroup hierarchy: top level cgroups for QoS Classes +And all Burstable and BestEffort pods are brought up under their +specific top level QoS cgroup. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: true | +
cgroupDriver + string
+ |
++ driver that the kubelet uses to manipulate cgroups on the host (cgroupfs or systemd) +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "cgroupfs" | +
cpuManagerPolicy + string
+ |
++ CPUManagerPolicy is the name of the policy to use. +Requires the CPUManager feature gate to be enabled. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "none" | +
cpuManagerReconcilePeriod + meta/v1.Duration
+ |
++ CPU Manager reconciliation period. +Requires the CPUManager feature gate to be enabled. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +shortening the period may carry a performance impact. +Default: "10s" | +
topologyManagerPolicy + string
+ |
++ TopologyManagerPolicy is the name of the policy to use. +Policies other than "none" require the TopologyManager feature gate to be enabled. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "none" | +
topologyManagerScope + string
+ |
++ TopologyManagerScope represents the scope of topology hint generation +that topology manager requests and hint providers generate. +"pod" scope requires the TopologyManager feature gate to be enabled. +Default: "container" | +
qosReserved + map[string]string
+ |
++ qosReserved is a set of resource name to percentage pairs that specify +the minimum percentage of a resource reserved for exclusive use by the +guaranteed QoS tier. +Currently supported resources: "memory" +Requires the QOSReserved feature gate to be enabled. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: nil | +
runtimeRequestTimeout + meta/v1.Duration
+ |
++ runtimeRequestTimeout is the timeout for all runtime requests except long running +requests - pull, logs, exec and attach. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may disrupt components that interact with the Kubelet server. +Default: "2m" | +
hairpinMode + string
+ |
++ hairpinMode specifies how the Kubelet should configure the container +bridge for hairpin packets. +Setting this flag allows endpoints in a Service to loadbalance back to +themselves if they should try to access their own Service. Values: + "promiscuous-bridge": make the container bridge promiscuous. + "hairpin-veth": set the hairpin flag on container veth interfaces. + "none": do nothing. +Generally, one must set --hairpin-mode=hairpin-veth to achieve hairpin NAT, +because promiscuous-bridge assumes the existence of a container bridge named cbr0. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may require a node reboot, depending on the network plugin. +Default: "promiscuous-bridge" | +
maxPods + int32
+ |
++ maxPods is the number of pods that can run on this Kubelet. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +changes may cause Pods to fail admission on Kubelet restart, and may change +the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting +future scheduling decisions. Increasing this value may also decrease performance, +as more Pods can be packed into a single node. +Default: 110 | +
podCIDR + string
+ |
++ The CIDR to use for pod IP addresses, only used in standalone mode. +In cluster mode, this is obtained from the master. +Dynamic Kubelet Config (beta): This field should always be set to the empty default. +It should only set for standalone Kubelets, which cannot use Dynamic Kubelet Config. +Default: "" | +
podPidsLimit + int64
+ |
++ PodPidsLimit is the maximum number of pids in any pod. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +lowering it may prevent container processes from forking after the change. +Default: -1 | +
resolvConf + string
+ |
++ ResolverConfig is the resolver configuration file used as the basis +for the container DNS resolution configuration. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +changes will only take effect on Pods created after the update. Draining +the node is recommended before changing this field. +Default: "/etc/resolv.conf" | +
runOnce + bool
+ |
++ RunOnce causes the Kubelet to check the API server once for pods, +run those in addition to the pods specified by static pod files, and exit. +Default: false | +
cpuCFSQuota + bool
+ |
++ cpuCFSQuota enables CPU CFS quota enforcement for containers that +specify CPU limits. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +disabling it may reduce node stability. +Default: true | +
cpuCFSQuotaPeriod + meta/v1.Duration
+ |
++ CPUCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +limits set for containers will result in different cpu.cfs_quota settings. This +will trigger container restarts on the node being reconfigured. +Default: "100ms" | +
nodeStatusMaxImages + int32
+ |
++ nodeStatusMaxImages caps the number of images reported in Node.Status.Images. +Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +different values can be reported on node status. +Default: 50 | +
maxOpenFiles + int64
+ |
++ maxOpenFiles is Number of files that can be opened by Kubelet process. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact the ability of the Kubelet to interact with the node's filesystem. +Default: 1000000 | +
contentType + string
+ |
++ contentType is contentType of requests sent to apiserver. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact the ability for the Kubelet to communicate with the API server. +If the Kubelet loses contact with the API server due to a change to this field, +the change cannot be reverted via dynamic Kubelet config. +Default: "application/vnd.kubernetes.protobuf" | +
kubeAPIQPS + int32
+ |
++ kubeAPIQPS is the QPS to use while talking with kubernetes apiserver +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact scalability by changing the amount of traffic the Kubelet +sends to the API server. +Default: 5 | +
kubeAPIBurst + int32
+ |
++ kubeAPIBurst is the burst to allow while talking with kubernetes apiserver +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact scalability by changing the amount of traffic the Kubelet +sends to the API server. +Default: 10 | +
serializeImagePulls + bool
+ |
++ serializeImagePulls when enabled, tells the Kubelet to pull images one +at a time. We recommend ∗not∗ changing the default value on nodes that +run docker daemon with version < 1.9 or an Aufs storage backend. +Issue #10959 has more details. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact the performance of image pulls. +Default: true | +
evictionHard + map[string]string
+ |
++ Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. +To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger or delay Pod evictions. +Default: + memory.available: "100Mi" + nodefs.available: "10%" + nodefs.inodesFree: "5%" + imagefs.available: "15%" | +
evictionSoft + map[string]string
+ |
++ Map of signal names to quantities that defines soft eviction thresholds. +For example: {"memory.available": "300Mi"}. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger or delay Pod evictions, and may change the allocatable reported +by the node. +Default: nil | +
evictionSoftGracePeriod + map[string]string
+ |
++ Map of signal names to quantities that defines grace periods for each soft eviction signal. +For example: {"memory.available": "30s"}. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger or delay Pod evictions. +Default: nil | +
evictionPressureTransitionPeriod + meta/v1.Duration
+ |
++ Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +lowering it may decrease the stability of the node when the node is overcommitted. +Default: "5m" | +
evictionMaxPodGracePeriod + int32
+ |
++ Maximum allowed grace period (in seconds) to use when terminating pods in +response to a soft eviction threshold being met. This value effectively caps +the Pod's TerminationGracePeriodSeconds value during soft evictions. +Note: Due to issue #64530, the behavior has a bug where this value currently just +overrides the grace period during soft eviction, which can increase the grace +period from what is set on the Pod. This bug will be fixed in a future release. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +lowering it decreases the amount of time Pods will have to gracefully clean +up before being killed during a soft eviction. +Default: 0 | +
evictionMinimumReclaim + map[string]string
+ |
++ Map of signal names to quantities that defines minimum reclaims, which describe the minimum +amount of a given resource the kubelet will reclaim when performing a pod eviction while +that resource is under pressure. For example: {"imagefs.available": "2Gi"} +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may change how well eviction can manage resource pressure. +Default: nil | +
podsPerCore + int32
+ |
++ podsPerCore is the maximum number of pods per core. Cannot exceed MaxPods. +If 0, this field is ignored. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +changes may cause Pods to fail admission on Kubelet restart, and may change +the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting +future scheduling decisions. Increasing this value may also decrease performance, +as more Pods can be packed into a single node. +Default: 0 | +
enableControllerAttachDetach + bool
+ |
++ enableControllerAttachDetach enables the Attach/Detach controller to +manage attachment/detachment of volumes scheduled to this node, and +disables kubelet from executing any attach/detach operations +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +changing which component is responsible for volume management on a live node +may result in volumes refusing to detach if the node is not drained prior to +the update, and if Pods are scheduled to the node before the +volumes.kubernetes.io/controller-managed-attach-detach annotation is updated by the +Kubelet. In general, it is safest to leave this value set the same as local config. +Default: true | +
protectKernelDefaults + bool
+ |
++ protectKernelDefaults, if true, causes the Kubelet to error if kernel +flags are not as it expects. Otherwise the Kubelet will attempt to modify +kernel flags to match its expectation. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as +Kubelet expects. +Default: false | +
makeIPTablesUtilChains + bool
+ |
++ If true, Kubelet ensures a set of iptables rules are present on host. +These rules will serve as utility rules for various components, e.g. KubeProxy. +The rules will be created based on IPTablesMasqueradeBit and IPTablesDropBit. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +disabling it will prevent the Kubelet from healing locally misconfigured iptables rules. +Default: true | +
iptablesMasqueradeBit + int32
+ |
++ iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT +Values must be within the range [0, 31]. Must be different from other mark bits. +Warning: Please match the value of the corresponding parameter in kube-proxy. +TODO: clean up IPTablesMasqueradeBit in kube-proxy +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it needs to be coordinated with other components, like kube-proxy, and the update +will only be effective if MakeIPTablesUtilChains is enabled. +Default: 14 | +
iptablesDropBit + int32
+ |
++ iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. +Values must be within the range [0, 31]. Must be different from other mark bits. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it needs to be coordinated with other components, like kube-proxy, and the update +will only be effective if MakeIPTablesUtilChains is enabled. +Default: 15 | +
featureGates + map[string]bool
+ |
++ featureGates is a map of feature names to bools that enable or disable alpha/experimental +features. This field modifies piecemeal the built-in default values from +"k8s.io/kubernetes/pkg/features/kube_features.go". +Dynamic Kubelet Config (beta): If dynamically updating this field, consider the +documentation for the features you are enabling or disabling. While we +encourage feature developers to make it possible to dynamically enable +and disable features, some changes may require node reboots, and some +features may require careful coordination to retroactively disable. +Default: nil | +
failSwapOn + bool
+ |
++ failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +setting it to true will cause the Kubelet to crash-loop if swap is enabled. +Default: true | +
containerLogMaxSize + string
+ |
++ A quantity defines the maximum size of the container log file before it is rotated. +For example: "5Mi" or "256Ki". +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may trigger log rotation. +Default: "10Mi" | +
containerLogMaxFiles + int32
+ |
++ Maximum number of container log files that can be present for a container. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +lowering it may cause log files to be deleted. +Default: 5 | +
configMapAndSecretChangeDetectionStrategy + ResourceChangeDetectionStrategy
+ |
++ ConfigMapAndSecretChangeDetectionStrategy is a mode in which +config map and secret managers are running. +Default: "Watch" | +
systemReserved + map[string]string
+ |
++ systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) +pairs that describe resources reserved for non-kubernetes components. +Currently only cpu and memory are supported. +See http://kubernetes.io/docs/user-guide/compute-resources for more detail. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may not be possible to increase the reserved resources, because this +requires resizing cgroups. Always look for a NodeAllocatableEnforced event +after updating this field to ensure that the update was successful. +Default: nil | +
kubeReserved + map[string]string
+ |
++ A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs +that describe resources reserved for kubernetes system components. +Currently cpu, memory and local storage for root file system are supported. +See http://kubernetes.io/docs/user-guide/compute-resources for more detail. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may not be possible to increase the reserved resources, because this +requires resizing cgroups. Always look for a NodeAllocatableEnforced event +after updating this field to ensure that the update was successful. +Default: nil | +
reservedSystemCPUs [Required]+ string
+ |
++ This ReservedSystemCPUs option specifies the cpu list reserved for the host level system threads and kubernetes related threads. +This provide a "static" CPU list rather than the "dynamic" list by system-reserved and kube-reserved. +This option overwrites CPUs provided by system-reserved and kube-reserved. | +
showHiddenMetricsForVersion + string
+ |
+
+ The previous version for which you want to show hidden metrics.
+Only the previous minor version is meaningful, other values will not be allowed.
+The format is |
+
systemReservedCgroup + string
+ |
++ This flag helps kubelet identify absolute name of top level cgroup used to enforce `SystemReserved` compute resource reservation for OS system daemons. +Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "" | +
kubeReservedCgroup + string
+ |
++ This flag helps kubelet identify absolute name of top level cgroup used to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. +Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. +Dynamic Kubelet Config (beta): This field should not be updated without a full node +reboot. It is safest to keep this value the same as the local config. +Default: "" | +
enforceNodeAllocatable + []string
+ |
++ This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. +This flag accepts a list of options. Acceptable options are `none`, `pods`, `system-reserved` & `kube-reserved`. +If `none` is specified, no other options may be specified. +Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +removing enforcements may reduce the stability of the node. Alternatively, adding +enforcements may reduce the stability of components which were using more than +the reserved amount of resources; for example, enforcing kube-reserved may cause +Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved +may cause system daemons to OOM if they use more than the reserved resources. +Default: ["pods"] | +
allowedUnsafeSysctls + []string
+ |
++ A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in ∗). +Unsafe sysctl groups are kernel.shm∗, kernel.msg∗, kernel.sem, fs.mqueue.∗, and net.∗. +These sysctls are namespaced but not allowed by default. For example: "kernel.msg∗,net.ipv4.route.min_pmtu" +Default: [] | +
volumePluginDir + string
+ |
++ volumePluginDir is the full path of the directory in which to search +for additional third party volume plugins. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changing +the volumePluginDir may disrupt workloads relying on third party volume plugins. +Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" | +
providerID + string
+ |
++ providerID, if set, sets the unique id of the instance that an external provider (i.e. cloudprovider) +can use to identify a specific node. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact the ability of the Kubelet to interact with cloud providers. +Default: "" | +
kernelMemcgNotification + bool
+ |
++ kernelMemcgNotification, if set, the kubelet will integrate with the kernel memcg notification +to determine if memory eviction thresholds are crossed rather than polling. +Dynamic Kubelet Config (beta): If dynamically updating this field, consider that +it may impact the way Kubelet interacts with the kernel. +Default: false | +
logging [Required]+ LoggingConfiguration
+ |
++ Logging specifies the options of logging. +Refer [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information. +Defaults: + Format: text | +
enableSystemLogHandler + bool
+ |
++ enableSystemLogHandler enables system logs via web interface host:port/logs/ +Default: true | +
shutdownGracePeriod + meta/v1.Duration
+ |
++ ShutdownGracePeriod specifies the total duration that the node should delay the shutdown and total grace period for pod termination during a node shutdown. +Default: "30s" | +
shutdownGracePeriodCriticalPods + meta/v1.Duration
+ |
++ ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown. This should be less than ShutdownGracePeriod. +For example, if ShutdownGracePeriod=30s, and ShutdownGracePeriodCriticalPods=10s, during a node shutdown the first 20 seconds would be reserved for gracefully terminating normal pods, and the last 10 seconds would be reserved for terminating critical pods. +Default: "10s" | +
Field | Description |
---|---|
apiVersion string | kubelet.config.k8s.io/v1beta1 |
kind string | SerializedNodeConfigSource |
source + core/v1.NodeConfigSource
+ |
++ Source is the source that we are serializing | +
Field | Description |
---|---|
enabled + bool
+ |
++ enabled allows anonymous requests to the kubelet server. +Requests that are not rejected by another authentication method are treated as anonymous requests. +Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. | +
Field | Description |
---|---|
x509 + KubeletX509Authentication
+ |
++ x509 contains settings related to x509 client certificate authentication | +
webhook + KubeletWebhookAuthentication
+ |
++ webhook contains settings related to webhook bearer token authentication | +
anonymous + KubeletAnonymousAuthentication
+ |
++ anonymous contains settings related to anonymous authentication | +
Field | Description |
---|---|
mode + KubeletAuthorizationMode
+ |
++ mode is the authorization mode to apply to requests to the kubelet server. +Valid values are AlwaysAllow and Webhook. +Webhook mode uses the SubjectAccessReview API to determine authorization. | +
webhook + KubeletWebhookAuthorization
+ |
++ webhook contains settings related to Webhook authorization. | +
Field | Description |
---|---|
enabled + bool
+ |
++ enabled allows bearer token authentication backed by the tokenreviews.authentication.k8s.io API | +
cacheTTL + meta/v1.Duration
+ |
++ cacheTTL enables caching of authentication results | +
Field | Description |
---|---|
cacheAuthorizedTTL + meta/v1.Duration
+ |
++ cacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer. | +
cacheUnauthorizedTTL + meta/v1.Duration
+ |
++ cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer. | +
Field | Description |
---|---|
clientCAFile + string
+ |
++ clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request presenting a client certificate +signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, +and groups corresponding to the Organization in the client certificate. | +
Field | Description |
---|---|
format [Required]+ string
+ |
++ Format Flag specifies the structure of log messages. +default value of format is `text` | +
sanitization [Required]+ bool
+ |
++ [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). +Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`) | +
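Review bot: the body of this hunk does not belong to the file it is added to. From the `maxOpenFiles` row through the end of the hunk, the fields (`evictionHard`, `kubeReserved`, `allowedUnsafeSysctls`, `protectKernelDefaults`, the `kubelet.config.k8s.io/v1beta1` / `SerializedNodeConfigSource` table, and the Kubelet authentication and authorization tables) are KubeletConfiguration reference material, while the file path and front matter (`kube-proxy-config.v1alpha1.md`, `package: kubeproxy.config.k8s.io/v1alpha1`) name kube-proxy; regenerate this page from the kube-proxy API source or move the kubelet content to its own reference page, since readers hardening a node will otherwise look for `anonymous.enabled`, `authorization.mode` or `allowedUnsafeSysctls` in the wrong component's config. Smaller points in the same hunk: every literal `*` has been replaced by `∗` (U+2217), so the sysctl patterns in the `allowedUnsafeSysctls` row (`kernel.shm∗`, `fs.mqueue.∗`, `net.∗`) and the emphasis in `serializeImagePulls` no longer show the character the kubelet actually accepts; the `showHiddenMetricsForVersion` row is cut off at "The format is", which looks like an angle-bracket placeholder being swallowed as HTML; the Go-source comment `TODO: clean up IPTablesMasqueradeBit in kube-proxy` has leaked into the reference text; and the final `sanitization` row ends with a stray `` `) ``. Because the page is `auto_generated: true`, fix these in the generator and the source field comments rather than by hand-editing the output.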