Skip to content

Instantly share code, notes, and snippets.

@ncdc

ncdc/-

Last active Jun 29, 2017
Embed
What would you like to do?
$ kube-proxy --help
The Kubernetes network proxy runs on each node. This
reflects services as defined in the Kubernetes API on each node and can do simple
TCP,UDP stream forwarding or round robin TCP,UDP forwarding across a set of backends.
Service cluster ips and ports are currently found through Docker-links-compatible
environment variables specifying ports opened by the service proxy. There is an optional
addon that provides cluster DNS for these cluster IPs. The user must create a service
with the apiserver API to configure the proxy.
Usage:
kube-proxy [flags]
The default config file contains these values:
apiVersion: componentconfig/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
acceptContentTypes: ""
burst: 10
contentType: application/vnd.kubernetes.protobuf
kubeconfig: ""
qps: 5
clusterCIDR: ""
configSyncPeriod: 15m0s
conntrack:
max: 0
maxPerCore: 32768
min: 131072
tcpCloseWaitTimeout: 1h0m0s
tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
featureGates: ""
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
masqueradeAll: false
masqueradeBit: 14
minSyncPeriod: 0s
syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: ""
oomScoreAdj: -999
portRange: ""
resourceContainer: /kube-proxy
udpTimeoutMilliseconds: 250ms
Configuration file field descriptions:
kind - Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+optional
apiVersion - APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
+optional
featureGates - TODO this really should be a map but that requires refactoring all
components to use config files because local-up-cluster.sh only supports
the --feature-gates flag right now, which is comma-separated key=value
pairs.
featureGates is a comma-separated list of key=value pairs that control
which alpha/beta features are enabled.
bindAddress - bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
for all interfaces)
healthzBindAddress - healthzBindAddress is the IP address and port for the health check server to serve on,
defaulting to 0.0.0.0:10256
metricsBindAddress - metricsBindAddress is the IP address and port for the metrics server to serve on,
defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
enableProfiling - enableProfiling enables profiling via web interface on /debug/pprof handler.
Profiling handlers will be handled by metrics server.
clusterCIDR - clusterCIDR is the CIDR range of the pods in the cluster. It is used to
bridge traffic coming from outside of the cluster. If not provided,
no off-cluster bridging will be performed.
hostnameOverride - hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
clientConnection.kubeconfig - kubeconfig is the path to a kubeconfig file.
clientConnection.acceptContentTypes - acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
default value of 'application/json'. This field will control all connections to the server used by a particular
client.
clientConnection.contentType - contentType is the content type used when sending data to the server from this client.
clientConnection.qps - cps controls the number of queries per second allowed for this connection.
clientConnection.burst - burst allows extra queries to accumulate when a client is exceeding its rate.
iptables.masqueradeBit - masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
the pure iptables proxy mode. Values must be within the range [0, 31].
iptables.masqueradeAll - masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
oomScoreAdj - oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
the range [-1000, 1000]
mode - mode specifies which proxy mode to use.
portRange - portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
resourceContainer - resourceContainer is the bsolute name of the resource-only container to create and run
the Kube-proxy in (Default: /kube-proxy).
conntrack.max - max is the maximum number of NAT connections to track (0 to
leave as-is). This takes precedence over conntrackMaxPerCore and conntrackMin.
conntrack.maxPerCore - maxPerCore is the maximum number of NAT connections to track
per CPU core (0 to leave the limit as-is and ignore conntrackMin).
conntrack.min - min is the minimum value of connect-tracking records to allocate,
regardless of conntrackMaxPerCore (set conntrackMaxPerCore=0 to leave the limit as-is).
Flags:
--alsologtostderr log to standard error as well as files
--bind-address ip The IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces) (default 0.0.0.0)
--cleanup-iptables If true cleanup iptables rules and exit.
--cluster-cidr string The CIDR range of pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.
--config string The path to the configuration file.
--config-sync-period duration How often configuration from the apiserver is refreshed. Must be greater than 0. (default 15m0s)
--conntrack-max-per-core int32 Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min). (default 32768)
--conntrack-min int32 Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is). (default 131072)
--conntrack-tcp-timeout-close-wait duration NAT timeout for TCP connections in the CLOSE_WAIT state (default 1h0m0s)
--conntrack-tcp-timeout-established duration Idle timeout for established TCP connections (0 to leave as-is) (default 24h0m0s)
--feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIResponseCompression=true|false (ALPHA - default=false)
Accelerators=true|false (ALPHA - default=false)
AdvancedAuditing=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllowExtTrafficLocalEndpoints=true|false (default=true)
AppArmor=true|false (BETA - default=true)
DebugContainers=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (ALPHA - default=false)
DynamicVolumeProvisioning=true|false (ALPHA - default=true)
ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
LocalStorageCapacityIsolation=true|false (ALPHA - default=false)
PersistentLocalVolumes=true|false (ALPHA - default=false)
RotateKubeletClientCertificate=true|false (ALPHA - default=false)
RotateKubeletServerCertificate=true|false (ALPHA - default=false)
StreamingProxyRedirects=true|false (BETA - default=true)
TaintBasedEvictions=true|false (ALPHA - default=false)
--healthz-bind-address ip The IP address and port for the health check server to serve on (set to 0.0.0.0 for all interfaces) (default 0.0.0.0:10256)
--healthz-port int32 The port to bind the health check server. Use 0 to disable. (default 10256)
--hostname-override string If non-empty, will use this string as identification instead of the actual hostname.
--iptables-masquerade-bit int32 If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31]. (default 14)
--iptables-min-sync-period duration The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').
--iptables-sync-period duration The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. (default 30s)
--kube-api-burst int Burst to use while talking with kubernetes apiserver (default 10)
--kube-api-content-type string Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf")
--kube-api-qps float32 QPS to use while talking with kubernetes apiserver (default 5)
--kubeconfig string Path to kubeconfig file with authorization information (the master location is set by the master flag).
--log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log-dir string If non-empty, write log files in this directory
--log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
--logtostderr log to standard error instead of files (default true)
--masquerade-all If using the pure iptables proxy, SNAT everything (this not commonly needed)
--master string The address of the Kubernetes API server (overrides any value in kubeconfig)
--oom-score-adj int32 The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000] (default -999)
--profiling If true enables profiling via web interface on /debug/pprof handler.
--proxy-mode ProxyMode Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, use the best-available proxy (currently iptables). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
--proxy-port-range port-range Range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
--udp-timeout duration How long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxy-mode=userspace (default 250ms)
-v, --v Level log level for V logs
--version version[=true] Print version information and quit
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
--write-config-to string If set, write the default configuration values to this file and exit.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment