kube-proxy(8)
kube-proxy is a network proxy that runs on each Kubernetes node to maintain network rules for service abstraction and load balancing.
Synopsis
kube-proxy [OPTIONS]
Description
kube-proxy is a Kubernetes component that maintains network rules on each node, enabling service discovery and load balancing across pods. It watches the Kubernetes API server for changes to Service and Endpoint objects, then programs the node's networking stack (via iptables, IPVS, or userspace modes) to route traffic destined for service virtual IPs to actual pod endpoints.
kube-proxy runs as a DaemonSet in production clusters, with one instance per node. It supports multiple proxying modes including iptables (default for most distributions), IPVS (high-performance), and userspace (legacy), allowing operators to choose based on performance and compatibility requirements.
Common options
| Flag | What it does |
|---|---|
| --proxy-mode | Proxying mode: 'userspace', 'iptables', 'ipvs', 'kernelspace', or 'nftables'; auto-detects if unset |
| --cluster-cidr | CIDR range of cluster pods; traffic to pods outside this range is left untouched |
| --hostname-override | Hostname of the node; overrides actual node hostname |
| --kubeconfig | Path to kubeconfig file with authorization and API server information |
| --bind-address | IP address to bind for serving metrics and health checks (default 0.0.0.0) |
| --secure-port | Port for serving HTTPS metrics and health (default 10256) |
| --healthz-port | Port for liveness and readiness probes (default 10256) |
| --iptables-sync-period | Interval for syncing iptables rules (default 30s) |
| --ipvs-sync-period | Interval for syncing IPVS rules (default 30s) |
| --nodeport-addresses | List of CIDR ranges permitted for NodePort; empty means all interfaces |
| --metrics-bind-address | Address and port for Prometheus metrics (default :10249) |
| --conntrack-max | Maximum number of NAT connections to track (default: auto-sized) |
Examples
Start kube-proxy in iptables mode using a kubeconfig file for API access
kube-proxy --kubeconfig=/etc/kubernetes/kubeconfig --proxy-mode=iptables
Run in IPVS mode with explicit cluster CIDR and custom hostname
kube-proxy --proxy-mode=ipvs --cluster-cidr=10.0.0.0/8 --hostname-override=node-1
View recent logs from kube-proxy DaemonSet pods in the cluster
kubectl logs -n kube-system -l k8s-app=kube-proxy --tail=50
Fetch Prometheus metrics showing iptables sync performance
curl localhost:10249/metrics | grep proxy_sync_proxy_rules
Count total iptables rules created by kube-proxy for service routing
iptables-save | grep KUBE-SERVICES | wc -l
Start with health check endpoint on localhost:8080 only
kube-proxy --healthz-port=8080 --bind-address=127.0.0.1
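The options table gives all-interface defaults for --bind-address, --metrics-bind-address and --nodeport-addresses, so health, metrics and NodePort listeners are reachable on every interface unless a flag narrows them. The added example below (not part of kube-proxy or of the original page) audits a kube-proxy command line for that; the function names and the PAGE_DEFAULTS table are assumptions built from the defaults listed above.

```python
import ipaddress
import shlex

# Assumption: defaults copied from this page's table; confirm for your version.
PAGE_DEFAULTS = {"--bind-address": "0.0.0.0", "--metrics-bind-address": ":10249",
                 "--nodeport-addresses": ""}

def parse_flags(cmdline):
    """Map each --flag to its value; accepts --flag=value and --flag value."""
    tokens, flags, i = shlex.split(cmdline), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                i += 1
                value = tokens[i]
            flags[name] = value
        i += 1
    return flags

def is_wildcard(value, has_port):
    """True when the listen address covers every interface (0.0.0.0, ::, no host)."""
    host = (value.rpartition(":")[0] if has_port and ":" in value else value).strip("[]")
    try:
        return not host or ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # a hostname or malformed value; not a wildcard address

def nodeport_is_open(value):
    """True when no CIDR restricts NodePort, or one of the CIDRs is a /0."""
    cidrs = [c.strip() for c in value.split(",") if c.strip()]
    for cidr in cidrs:
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # not a CIDR; leave for manual review
    return not cidrs

def audit(cmdline):
    """Return the flags whose effective value listens on all interfaces."""
    flags = {**PAGE_DEFAULTS, **parse_flags(cmdline)}
    findings = [f for f, port in (("--bind-address", False), ("--metrics-bind-address", True))
                if is_wildcard(flags[f], port)]
    if nodeport_is_open(flags["--nodeport-addresses"]):
        findings.append("--nodeport-addresses")
    return findings
```

Feed it the arguments of the running process (for example the output of `ps -o args= -C kube-proxy` on a node); an empty list means none of the three flags resolves to an all-interface listener.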