Component tools

• 1: Feature Gates
• 2: Feature Gates (removed)
• 3: kubelet
• 4: kube-apiserver
• 5: kube-controller-manager
• 6: kube-proxy
• 7: kube-scheduler

1 - Feature Gates

This page contains an overview of the various feature gates an administrator can specify on different Kubernetes components.

See feature stages for an explanation of the stages for a feature.

Overview

Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component.

Each Kubernetes component lets you enable or disable a set of feature gates that are relevant to that component. Use -h flag to see a full set of feature gates for all components. To set feature gates for a component, such as kubelet, use the --feature-gates flag assigned to a list of feature pairs:

--feature-gates=...,GracefulNodeShutdown=true

The following tables are a summary of the feature gates that you can set on different Kubernetes components.

• The "Since" column contains the Kubernetes release when a feature is introduced or its release stage is changed.
• The "Until" column, if not empty, contains the last Kubernetes release in which you can still use a feature gate.
• If a feature is in the Alpha or Beta state, you can find the feature listed in the Alpha/Beta feature gate table.
• If a feature is stable you can find all stages for that feature listed in the Graduated/Deprecated feature gate table.
• The Graduated/Deprecated feature gate table also lists deprecated and withdrawn features.

Feature gates for Alpha or Beta features

Feature gates for graduated or deprecated features

Using a feature

Feature stages

A feature can be in Alpha, Beta or GA stage. An Alpha feature means:

• Disabled by default.
• Might be buggy. Enabling the feature may expose bugs.
• Support for feature may be dropped at any time without notice.
• The API may change in incompatible ways in a later software release without notice.
• Recommended for use only in short-lived testing clusters, due to increased risk of bugs and lack of long-term support.

A Beta feature means:

• Usually enabled by default. Beta API groups are disabled by default.
• The feature is well tested. Enabling the feature is considered safe.
• Support for the overall feature will not be dropped, though details may change.
• The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating API objects. The editing process may require some thought. This may require downtime for applications that rely on the feature.
• Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you may be able to relax this restriction.

A General Availability (GA) feature is also referred to as a stable feature. It means:

• The feature is always enabled; you cannot disable it.
• The corresponding feature gate is no longer needed.
• Stable versions of features will appear in released software for many subsequent versions.

List of feature gates

Each feature gate is designed for enabling/disabling a specific feature.

• AdmissionWebhookMatchConditions: Enable match conditions on mutating & validating admission webhooks.

• AggregatedDiscoveryEndpoint: Enable a single HTTP endpoint /discovery/<version> which supports native HTTP caching with ETags containing all APIResources known to the API server.

• AllowServiceLBStatusOnNonLB: Enables .status.ingress.loadBalancer to be set on Services of types other than LoadBalancer.

• AnyVolumeDataSource: Enable use of any custom resource as the DataSource of a PVC.

• APIListChunking: Enable the API clients to retrieve (LIST or GET) resources from API server in chunks.

• APIPriorityAndFairness: Enable managing request concurrency with prioritization and fairness at each server. (Renamed from RequestManagement)

• APIResponseCompression: Compress the API responses for LIST or GET requests.

• APISelfSubjectReview: Activate the SelfSubjectReview API which allows users to see the requesting subject's authentication information. See API access to authentication information for a client for more details.

• APIServerIdentity: Assign each API server an ID in a cluster, using a Lease.

• APIServerTracing: Add support for distributed tracing in the API server. See Traces for Kubernetes System Components for more details.

• AppArmor: Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See AppArmor Tutorial for more details.

• CloudControllerManagerWebhook: Enable webhooks in cloud controller manager.

• CloudDualStackNodeIPs: Enables dual-stack kubelet --node-ip with external cloud providers. See Configure IPv4/IPv6 dual-stack for more details.

• ClusterTrustBundle: Enable ClusterTrustBundle objects and kubelet integration.

• ClusterTrustBundleProjection: clusterTrustBundle projected volume sources.

• ComponentSLIs: Enable the /metrics/slis endpoint on Kubernetes components like kubelet, kube-scheduler, kube-proxy, kube-controller-manager, cloud-controller-manager allowing you to scrape health check metrics.

• ConsistentHTTPGetHandlers: Normalize HTTP get URL and Header passing for lifecycle handlers with probers.

• ConsistentListFromCache: Allow the API server to serve consistent lists from cache.

• ContainerCheckpoint: Enables the kubelet checkpoint API. See Kubelet Checkpoint API for more details.

• ContextualLogging: Enables extra details in log output of Kubernetes components that support contextual logging.

• CPUManager: Enable container level CPU affinity support, see CPU Management Policies.

• CPUManagerPolicyAlphaOptions: This allows fine-tuning of CPUManager policies, experimental, Alpha-quality options This feature gate guards a group of CPUManager options whose quality level is alpha. This feature gate will never graduate to beta or stable.

• CPUManagerPolicyBetaOptions: This allows fine-tuning of CPUManager policies, experimental, Beta-quality options This feature gate guards a group of CPUManager options whose quality level is beta. This feature gate will never graduate to stable.

• CPUManagerPolicyOptions: Allow fine-tuning of CPUManager policies.

• CRDValidationRatcheting: Enable updates to custom resources to contain violations of their OpenAPI schema if the offending portions of the resource update did not change. See Validation Ratcheting for more details.

• CronJobsScheduledAnnotation: Set the scheduled job time as an annotation on Jobs that were created on behalf of a CronJob.

• CrossNamespaceVolumeDataSource: Enable the usage of cross namespace volume data source to allow you to specify a source namespace in the dataSourceRef field of a PersistentVolumeClaim.

• CSIMigrationAzureFile: Enables shims and translation logic to route volume operations from the Azure-File in-tree plugin to AzureFile CSI plugin. Supports falling back to in-tree AzureFile plugin for mount operations to nodes that have the feature disabled or that do not have AzureFile CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

• CSIMigrationPortworx: Enables shims and translation logic to route volume operations from the Portworx in-tree plugin to Portworx CSI plugin. Requires Portworx CSI driver to be installed and configured in the cluster.

• CSIMigrationRBD: Enables shims and translation logic to route volume operations from the RBD in-tree plugin to Ceph RBD CSI plugin. Requires CSIMigration and csiMigrationRBD feature flags enabled and Ceph CSI plugin installed and configured in the cluster. This flag has been deprecated in favor of the InTreePluginRBDUnregister feature flag which prevents the registration of in-tree RBD plugin.

• CSINodeExpandSecret: Enable passing secret authentication data to a CSI driver for use during a NodeExpandVolume CSI operation.

• CSIVolumeHealth: Enable support for CSI volume health monitoring on node.

• CustomCPUCFSQuotaPeriod: Enable nodes to change cpuCFSQuotaPeriod in kubelet config.

• CustomResourceFieldSelectors: Enable selectableFields in the CustomResourceDefinition API to allow filtering of custom resource list, watch and deletecollection requests.

• CustomResourceValidationExpressions: Enable expression language validation in CRD which will validate customer resource based on validation rules written in the x-kubernetes-validations extension.

• DefaultHostNetworkHostPortsInPodTemplates:

  This feature gate controls the point at which a default value for .spec.containers[*].ports[*].hostPort is assigned, for Pods using hostNetwork: true. The default since Kubernetes v1.28 is to only set a default value in Pods.

  Enabling this means a default will be assigned even to the .spec of an embedded PodTemplate (for example, in a Deployment), which is the way that older releases of Kubernetes worked. You should migrate your code so that it does not rely on the legacy behavior.

• DevicePluginCDIDevices: Enable support to CDI device IDs in the Device Plugin API.

• DisableCloudProviders: Disables any functionality in kube-apiserver, kube-controller-manager and kubelet related to the --cloud-provider component flag.

• DisableKubeletCloudCredentialProviders: Disable the in-tree functionality in kubelet to authenticate to a cloud provider container registry for image pull credentials.

• DisableNodeKubeProxyVersion: Disable setting the kubeProxyVersion field of the Node.

• DynamicResourceAllocation: Enables support for resources with custom parameters and a lifecycle that is independent of a Pod.

• EfficientWatchResumption: Allows for storage-originated bookmark (progress notify) events to be delivered to the users. This is only applied to watch operations.

• ElasticIndexedJob: Enables Indexed Jobs to be scaled up or down by mutating both spec.completions and spec.parallelism together such that spec.completions == spec.parallelism. See docs on elastic Indexed Jobs for more details.

• EventedPLEG: Enable support for the kubelet to receive container life cycle events from the container runtime via an extension to CRI. (PLEG is an abbreviation for “Pod lifecycle event generator”). For this feature to be useful, you also need to enable support for container lifecycle events in each container runtime running in your cluster. If the container runtime does not announce support for container lifecycle events then the kubelet automatically switches to the legacy generic PLEG mechanism, even if you have this feature gate enabled.

• ExecProbeTimeout: Ensure kubelet respects exec probe timeouts. This feature gate exists in case any of your existing workloads depend on a now-corrected fault where Kubernetes ignored exec probe timeouts. See readiness probes.

• ExpandedDNSConfig: Enable kubelet and kube-apiserver to allow more DNS search paths and longer list of DNS search paths. This feature requires container runtime support(Containerd: v1.5.6 or higher, CRI-O: v1.22 or higher). See Expanded DNS Configuration.

• ExperimentalHostUserNamespaceDefaulting: Enabling the defaulting user namespace to host. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced capabilities (e.g. MKNODE, SYS_MODULE etc.). This should only be enabled if user namespace remapping is enabled in the Docker daemon.

• GracefulNodeShutdown: Enables support for graceful shutdown in kubelet. During a system shutdown, kubelet will attempt to detect the shutdown event and gracefully terminate pods running on the node. See Graceful Node Shutdown for more details.

• GracefulNodeShutdownBasedOnPodPriority: Enables the kubelet to check Pod priorities when shutting down a node gracefully.

• HonorPVReclaimPolicy: Honor persistent volume reclaim policy when it is Delete irrespective of PV-PVC deletion ordering. For more details, check the PersistentVolume deletion protection finalizer documentation.

• HPAContainerMetrics: Allow HorizontalPodAutoscalers to scale based on metrics from individual containers within target pods.

• HPAScaleToZero: Enables setting minReplicas to 0 for HorizontalPodAutoscaler resources when using custom or external metrics.

• ImageMaximumGCAge: Enables the kubelet configuration field imageMaximumGCAge, allowing an administrator to specify the age after which an image will be garbage collected.

• InPlacePodVerticalScaling: Enables in-place Pod vertical scaling.

• InTreePluginAWSUnregister: Stops registering the aws-ebs in-tree plugin in kubelet and volume controllers.

• InTreePluginAzureDiskUnregister: Stops registering the azuredisk in-tree plugin in kubelet and volume controllers.

• InTreePluginAzureFileUnregister: Stops registering the azurefile in-tree plugin in kubelet and volume controllers.

• InTreePluginGCEUnregister: Stops registering the gce-pd in-tree plugin in kubelet and volume controllers.

• InTreePluginOpenStackUnregister: Stops registering the OpenStack cinder in-tree plugin in kubelet and volume controllers.

• InTreePluginPortworxUnregister: Stops registering the Portworx in-tree plugin in kubelet and volume controllers.

• InTreePluginRBDUnregister: Stops registering the RBD in-tree plugin in kubelet and volume controllers.

• InTreePluginvSphereUnregister: Stops registering the vSphere in-tree plugin in kubelet and volume controllers.

• IPTablesOwnershipCleanup: This causes kubelet to no longer create legacy iptables rules.

• JobBackoffLimitPerIndex: Allows specifying the maximal number of pod retries per index in Indexed jobs.

• JobManagedBy: Allows to delegate reconciliation of a Job object to an external controller.

• JobPodFailurePolicy: Allow users to specify handling of pod failures based on container exit codes and pod conditions.

• JobPodReplacementPolicy: Allows you to specify pod replacement for terminating pods in a Job

• JobReadyPods: Enables tracking the number of Pods that have a Ready condition. The count of Ready pods is recorded in the status of a Job status.

• JobSuccessPolicy: Allow users to specify when a Job can be declared as succeeded based on the set of succeeded pods.

• KMSv1: Enables KMS v1 API for encryption at rest. See Using a KMS Provider for data encryption for more details.

• KMSv2: Enables KMS v2 API for encryption at rest. See Using a KMS Provider for data encryption for more details.

• KMSv2KDF: Enables KMS v2 to generate single use data encryption keys. See Using a KMS Provider for data encryption for more details. If the KMSv2 feature gate is not enabled in your cluster, the value of the KMSv2KDF feature gate has no effect.

• KubeletCgroupDriverFromCRI: Enable detection of the kubelet cgroup driver configuration option from the CRI. You can use this feature gate on nodes with a kubelet that supports the feature gate and where there is a CRI container runtime that supports the RuntimeConfig CRI call. If both CRI and kubelet support this feature, the kubelet ignores the cgroupDriver configuration setting (or deprecated --cgroup-driver command line argument). If you enable this feature gate and the container runtime doesn't support it, the kubelet falls back to using the driver configured using the cgroupDriver configuration setting. See Configuring a cgroup driver for more details.

• KubeletInUserNamespace: Enables support for running kubelet in a user namespace. See Running Kubernetes Node Components as a Non-root User.

• KubeletPodResources: Enable the kubelet's pod resources gRPC endpoint. See Support Device Monitoring for more details.

• KubeletPodResourcesDynamicResources: Extend the kubelet's pod resources gRPC endpoint to to include resources allocated in ResourceClaims via DynamicResourceAllocation API. See resource allocation reporting for more details. with information about the allocatable resources, enabling clients to properly track the free compute resources on a node.

• KubeletPodResourcesGet: Enable the Get gRPC endpoint on kubelet's for Pod resources. This API augments the resource allocation reporting.

• KubeletPodResourcesGetAllocatable: Enable the kubelet's pod resources GetAllocatableResources functionality. This API augments the resource allocation reporting

• KubeletSeparateDiskGC: Enable kubelet to garbage collect container images and containers even when those are on a separate filesystem.

• KubeletTracing: Add support for distributed tracing in the kubelet. When enabled, kubelet CRI interface and authenticated http servers are instrumented to generate OpenTelemetry trace spans. See Traces for Kubernetes System Components for more details.

• KubeProxyDrainingTerminatingNodes: Implement connection draining for terminating nodes for externalTrafficPolicy: Cluster services.

• LegacyServiceAccountTokenCleanUp: Enable cleaning up Secret-based service account tokens when they are not used in a specified time (default to be one year).

• LegacyServiceAccountTokenTracking: Track usage of Secret-based service account tokens.

• LoadBalancerIPMode: Allows setting ipMode for Services where type is set to LoadBalancer. See Specifying IPMode of load balancer status for more information.

• LocalStorageCapacityIsolationFSQuotaMonitoring: When LocalStorageCapacityIsolation is enabled for local ephemeral storage and the backing filesystem for emptyDir volumes supports project quotas and they are enabled, use project quotas to monitor emptyDir volume storage consumption rather than filesystem walk for better performance and accuracy.

• LogarithmicScaleDown: Enable semi-random selection of pods to evict on controller scaledown based on logarithmic bucketing of pod timestamps.

• LoggingAlphaOptions: Allow fine-tuning of experimental, alpha-quality logging options.

• LoggingBetaOptions: Allow fine-tuning of experimental, beta-quality logging options.

• MatchLabelKeysInPodAffinity: Enable the matchLabelKeys and mismatchLabelKeys field for pod (anti)affinity.

• MatchLabelKeysInPodTopologySpread: Enable the matchLabelKeys field for Pod topology spread constraints.

• MaxUnavailableStatefulSet: Enables setting the maxUnavailable field for the rolling update strategy of a StatefulSet. The field specifies the maximum number of Pods that can be unavailable during the update.

• MemoryManager: Allows setting memory affinity for a container based on NUMA topology.

• MemoryQoS: Enable memory protection and usage throttle on pod / container using cgroup v2 memory controller.

• MinDomainsInPodTopologySpread: Enable minDomains in Pod topology spread constraints.

• MinimizeIPTablesRestore: Enables new performance improvement logics in the kube-proxy iptables mode.

• MultiCIDRServiceAllocator: Track IP address allocations for Service cluster IPs using IPAddress objects.

• NameGenerationRetries: Enables retrying of object creation when the API server is expected to generate a name. When this feature is enabled, requests using generateName are retried automatically in case the control plane detects a name conflict with an existing object, up to a limit of 8 total attempts.

• NewVolumeManagerReconstruction:

  Enables improved discovery of mounted volumes during kubelet startup. Since the associated code had been significantly refactored, Kubernetes versions 1.25 to 1.29 allowed you to opt-out in case the kubelet got stuck at the startup, or did not unmount volumes from terminated Pods.

  This refactoring was behind the SELinuxMountReadWriteOncePod feature gate in Kubernetes releases 1.25 and 1.26.

• NFTablesProxyMode: Allow running kube-proxy with in nftables mode.

• NodeInclusionPolicyInPodTopologySpread: Enable using nodeAffinityPolicy and nodeTaintsPolicy in Pod topology spread constraints when calculating pod topology spread skew.

• NodeLogQuery: Enables querying logs of node services using the /logs endpoint.

• NodeOutOfServiceVolumeDetach: When a Node is marked out-of-service using the node.kubernetes.io/out-of-service taint, Pods on the node will be forcefully deleted if they can not tolerate this taint, and the volume detach operations for Pods terminating on the node will happen immediately. The deleted Pods can recover quickly on different nodes.

• NodeSwap: Enable the kubelet to allocate swap memory for Kubernetes workloads on a node. Must be used with KubeletConfiguration.failSwapOn set to false. For more details, please see swap memory

• OpenAPIEnums: Enables populating "enum" fields of OpenAPI schemas in the spec returned from the API server.

• PDBUnhealthyPodEvictionPolicy: Enables the unhealthyPodEvictionPolicy field of a PodDisruptionBudget. This specifies when unhealthy pods should be considered for eviction. Please see Unhealthy Pod Eviction Policy for more details.

• PersistentVolumeLastPhaseTransitionTime: Adds a new field to PersistentVolume which holds a timestamp of when the volume last transitioned its phase.

• PodAndContainerStatsFromCRI: Configure the kubelet to gather container and pod stats from the CRI container runtime rather than gathering them from cAdvisor. As of 1.26, this also includes gathering metrics from CRI and emitting them over /metrics/cadvisor (rather than having cAdvisor emit them directly).

• PodDeletionCost: Enable the Pod Deletion Cost feature which allows users to influence ReplicaSet downscaling order.

• PodDisruptionConditions: Enables support for appending a dedicated pod condition indicating that the pod is being deleted due to a disruption.

• PodHostIPs: Enable the status.hostIPs field for pods and the downward API. The field lets you expose host IP addresses to workloads.

• PodIndexLabel: Enables the Job controller and StatefulSet controller to add the pod index as a label when creating new pods. See Job completion mode docs and StatefulSet pod index label docs for more details.

• PodLifecycleSleepAction: Enables the sleep action in Container lifecycle hooks.

• PodReadyToStartContainersCondition:

  Enable the kubelet to mark the PodReadyToStartContainers condition on pods.

  This feature gate was previously known as PodHasNetworkCondition, and the associated condition was named PodHasNetwork.

• PodSchedulingReadiness: Enable setting schedulingGates field to control a Pod's scheduling readiness.

• PortForwardWebsockets: Allow WebSocket streaming of the portforward sub-protocol (port-forward) from clients requesting version v2 (v2.portforward.k8s.io) of the sub-protocol.

• ProcMountType: Enables control over the type proc mounts for containers by setting the procMount field of a SecurityContext.

• ProxyTerminatingEndpoints: Enable the kube-proxy to handle terminating endpoints when ExternalTrafficPolicy=Local.

• QOSReserved: Allows resource reservations at the QoS level preventing pods at lower QoS levels from bursting into resources requested at higher QoS levels (memory only for now).

• ReadWriteOncePod: Enables the usage of ReadWriteOncePod PersistentVolume access mode.

• RecoverVolumeExpansionFailure: Enables users to edit their PVCs to smaller sizes so as they can recover from previously issued volume expansion failures. See Recovering from Failure when Expanding Volumes for more details.

• RecursiveReadOnlyMounts: Enables support for recursive read-only mounts. For more details, see read-only mounts.

• RelaxedEnvironmentVariableValidation: Allow almost all printable ASCII characters in environment variables.

• RemainingItemCount: Allow the API servers to show a count of remaining items in the response to a chunking list request.

• RotateKubeletServerCertificate: Enable the rotation of the server TLS certificate on the kubelet. See kubelet configuration for more details.

• RuntimeClassInImageCriApi: Enables images to be pulled based on the runtime class of the pods that reference them.

• SchedulerQueueingHints: Enables the scheduler's queueing hints enhancement, which benefits to reduce the useless requeueing. The scheduler retries scheduling pods if something changes in the cluster that could make the pod scheduled. Queueing hints are internal signals that allow the scheduler to filter the changes in the cluster that are relevant to the unscheduled pod, based on previous scheduling attempts.

• SecurityContextDeny: This gate signals that the SecurityContextDeny admission controller is deprecated.

• SELinuxMount:

  Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. It widens the performance improvements behind the SELinuxMountReadWriteOncePod feature gate by extending the implementation to all volumes.

  Enabling the SELinuxMount feature gate requires the feature gate SELinuxMountReadWriteOncePod to be enabled.

• SELinuxMountReadWriteOncePod: Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. The initial implementation focused on ReadWriteOncePod volumes.

• SeparateTaintEvictionController: Enables running TaintEvictionController, that performs Taint-based Evictions, in a controller separated from NodeLifecycleController. When this feature is enabled, users can optionally disable Taint-based Eviction setting the --controllers=-taint-eviction-controller flag on the kube-controller-manager.

• ServerSideApply: Enables the Sever Side Apply (SSA) feature on the API Server.

• ServerSideFieldValidation: Enables server-side field validation. This means the validation of resource schema is performed at the API server side rather than the client side (for example, the kubectl create or kubectl apply command line).

• ServiceAccountTokenJTI: Controls whether JTIs (UUIDs) are embedded into generated service account tokens, and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens.

• ServiceAccountTokenNodeBinding: Controls whether the apiserver allows binding service account tokens to Node objects.

• ServiceAccountTokenNodeBindingValidation: Controls whether the apiserver will validate a Node reference in service account tokens.

• ServiceAccountTokenPodNodeInfo: Controls whether the apiserver embeds the node name and uid for the associated node when issuing service account tokens bound to Pod objects.

• ServiceNodePortStaticSubrange: Enables the use of different port allocation strategies for NodePort Services. For more details, see reserve NodePort ranges to avoid collisions.

• ServiceTrafficDistribution: Allows usage of the optional spec.trafficDistribution field in Services. The field offers a way to express preferences for how traffic is distributed to Service endpoints.

• SidecarContainers: Allow setting the restartPolicy of an init container to Always so that the container becomes a sidecar container (restartable init containers). See Sidecar containers and restartPolicy for more details.

• SizeMemoryBackedVolumes: Enable kubelets to determine the size limit for memory-backed volumes (mainly emptyDir volumes).

• SkipReadOnlyValidationGCE: Skip validation for GCE, will enable in the next version.

• StableLoadBalancerNodeSet: Enables less load balancer re-configurations by the service controller (KCCM) as an effect of changing node state.

• StatefulSetAutoDeletePVC: Allows the use of the optional .spec.persistentVolumeClaimRetentionPolicy field, providing control over the deletion of PVCs in a StatefulSet's lifecycle. See PersistentVolumeClaim retention for more details.

• StatefulSetStartOrdinal: Allow configuration of the start ordinal in a StatefulSet. See Start ordinal for more details.

• StorageVersionAPI: Enable the storage version API.

• StorageVersionHash: Allow API servers to expose the storage version hash in the discovery.

• StorageVersionMigrator: Enables storage version migration. See Migrate Kubernetes Objects Using Storage Version Migration for more details.

• StructuredAuthenticationConfiguration: Enable structured authentication configuration for the API server.

• StructuredAuthorizationConfiguration: Enable structured authorization configuration, so that cluster administrators can specify more than one authorization webhook in the API server handler chain.

• TopologyAwareHints: Enables topology aware routing based on topology hints in EndpointSlices. See Topology Aware Hints for more details.

• TopologyManagerPolicyAlphaOptions: Allow fine-tuning of topology manager policies, experimental, Alpha-quality options. This feature gate guards a group of topology manager options whose quality level is alpha. This feature gate will never graduate to beta or stable.

• TopologyManagerPolicyBetaOptions: Allow fine-tuning of topology manager policies, experimental, Beta-quality options. This feature gate guards a group of topology manager options whose quality level is beta. This feature gate will never graduate to stable.

• TopologyManagerPolicyOptions: Enable fine-tuning of topology manager policies.

• TranslateStreamCloseWebsocketRequests: Allow WebSocket streaming of the remote command sub-protocol (exec, cp, attach) from clients requesting version 5 (v5) of the sub-protocol.

• UnauthenticatedHTTP2DOSMitigation: Enables HTTP/2 Denial of Service (DoS) mitigations for unauthenticated clients. Kubernetes v1.28.0 through v1.28.2 do not include this feature gate.

• UnknownVersionInteroperabilityProxy: Proxy resource requests to the correct peer kube-apiserver when multiple kube-apiservers exist at varied versions. See Mixed version proxy for more information.

• UserNamespacesPodSecurityStandards: Enable Pod Security Standards policies relaxation for pods that run with namespaces. You must set the value of this feature gate consistently across all nodes in your cluster, and you must also enable UserNamespacesSupport to use this feature.

• UserNamespacesSupport: Enable user namespace support for Pods.

• ValidatingAdmissionPolicy: Enable ValidatingAdmissionPolicy support for CEL validations be used in Admission Control.

• VolumeAttributesClass: Enable support for VolumeAttributesClasses. See Volume Attributes Classes for more information.

• VolumeCapacityPriority: Enable support for prioritizing nodes in different topologies based on available PV capacity.

• WatchBookmark: Enable support for watch bookmark events.

• WatchList: Enable support for streaming initial state of objects in watch requests.

• WindowsHostNetwork: Enables support for joining Windows containers to a hosts' network namespace.

• WinDSR: Allows kube-proxy to create DSR loadbalancers for Windows.

• WinOverlay: Allows kube-proxy to run in overlay mode for Windows.

• ZeroLimitedNominalConcurrencyShares: Allow Priority & Fairness in the API server to use a zero value for the nominalConcurrencyShares field of the limited section of a priority level.

What's next

• The deprecation policy for Kubernetes explains the project's approach to removing features and components.
• Since Kubernetes 1.24, new beta APIs are not enabled by default. When enabling a beta feature, you will also need to enable any associated API resources. For example, to enable a particular resource like storage.k8s.io/v1beta1/csistoragecapacities, set --runtime-config=storage.k8s.io/v1beta1/csistoragecapacities. See API Versioning for more details on the command line flags.

2 - Feature Gates (removed)

This page contains list of feature gates that have been removed. The information on this page is for reference. A removed feature gate is different from a GA'ed or deprecated one in that a removed one is no longer recognized as a valid feature gate. However, a GA'ed or a deprecated feature gate is still recognized by the corresponding Kubernetes components although they are unable to cause any behavior differences in a cluster.

For feature gates that are still recognized by the Kubernetes components, please refer to the Alpha/Beta feature gate table or the Graduated/Deprecated feature gate table

Feature gates that are removed

In the following table:

• The "From" column contains the Kubernetes release when a feature is introduced or its release stage is changed.
• The "To" column, if not empty, contains the last Kubernetes release in which you can still use a feature gate. If the feature stage is either "Deprecated" or "GA", the "To" column is the Kubernetes release when the feature is removed.

Descriptions for removed feature gates

• Accelerators: Provided an early form of plugin to enable Nvidia GPU support when using Docker Engine; no longer available. See Device Plugins for an alternative.

• AdvancedAuditing: Enable advanced auditing

• AffinityInAnnotations: Enable setting Pod affinity or anti-affinity.

• AllowExtTrafficLocalEndpoints: Enable a service to route external requests to node local endpoints.

• AllowInsecureBackendProxy: Enable the users to skip TLS verification of kubelets on Pod log requests.

• AttachVolumeLimit: Enable volume plugins to report limits on number of volumes that can be attached to a node. See dynamic volume limits for more details.

• BalanceAttachedNodeVolumes: Include volume count on node to be considered for balanced resource allocation while scheduling. A node which has closer CPU, memory utilization, and volume count is favored by the scheduler while making decisions.

• BlockVolume: Enable the definition and consumption of raw block devices in Pods. See Raw Block Volume Support for more details.

• BoundServiceAccountTokenVolume:

  Migrate ServiceAccount volumes to use a projected volume consisting of a ServiceAccountTokenVolumeProjection. Cluster admins can use metric serviceaccount_stale_tokens_total to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting kube-apiserver with flag --service-account-extend-token-expiration=false.

  Check Bound Service Account Tokens for more details.

• ConfigurableFSGroupPolicy: Allows user to configure volume permission change policy for fsGroups when mounting a volume in a Pod. See Configure volume permission and ownership change policy for Pods for more details.

• ControllerManagerLeaderMigration: Enables Leader Migration for kube-controller-manager and cloud-controller-manager which allows a cluster operator to live migrate controllers from the kube-controller-manager into an external controller-manager (e.g. the cloud-controller-manager) in an HA cluster without downtime.

• CRIContainerLogRotation: Enable container log rotation for CRI container runtime. The default max size of a log file is 10MB and the default max number of log files allowed for a container is 5. These values can be configured in the kubelet config. See logging at node level for more details.

• CronJobControllerV2: Use an alternative implementation of the CronJob controller. Otherwise, version 1 of the same controller is selected.

• CronJobTimeZone: Allow the use of the timeZone optional field in CronJobs

• CSIBlockVolume: Enable external CSI volume drivers to support block storage. See csi raw block volume support for more details.

• CSIDriverRegistry: Enable all logic related to the CSIDriver API object in csi.storage.k8s.io.

• CSIInlineVolume: Enable CSI Inline volumes support for pods.

• CSIMigration: Enables shims and translation logic to route volume operations from in-tree plugins to corresponding pre-installed CSI plugins

• CSIMigrationAWS: Enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Supports falling back to in-tree EBS plugin for mount operations to nodes that have the feature disabled or that do not have EBS CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured.

• CSIMigrationAWSComplete: Stops registering the EBS in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Requires CSIMigration and CSIMigrationAWS feature flags enabled and EBS CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginAWSUnregister feature flag which prevents the registration of in-tree EBS plugin.

• CSIMigrationAzureDisk: Enables shims and translation logic to route volume operations from the Azure-Disk in-tree plugin to AzureDisk CSI plugin. Supports falling back to in-tree AzureDisk plugin for mount operations to nodes that have the feature disabled or that do not have AzureDisk CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

• CSIMigrationAzureDiskComplete: Stops registering the Azure-Disk in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the Azure-Disk in-tree plugin to AzureDisk CSI plugin. Requires CSIMigration and CSIMigrationAzureDisk feature flags enabled and AzureDisk CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginAzureDiskUnregister feature flag which prevents the registration of in-tree AzureDisk plugin.

• CSIMigrationAzureFileComplete: Stops registering the Azure-File in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the Azure-File in-tree plugin to AzureFile CSI plugin. Requires CSIMigration and CSIMigrationAzureFile feature flags enabled and AzureFile CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginAzureFileUnregister feature flag which prevents the registration of in-tree AzureFile plugin.

• CSIMigrationGCE: Enables shims and translation logic to route volume operations from the GCE-PD in-tree plugin to PD CSI plugin. Supports falling back to in-tree GCE plugin for mount operations to nodes that have the feature disabled or that do not have PD CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

• CSIMigrationGCEComplete: Stops registering the GCE-PD in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the GCE-PD in-tree plugin to PD CSI plugin. Requires CSIMigration and CSIMigrationGCE feature flags enabled and PD CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginGCEUnregister feature flag which prevents the registration of in-tree GCE PD plugin.

• CSIMigrationOpenStack: Enables shims and translation logic to route volume operations from the Cinder in-tree plugin to Cinder CSI plugin. Supports falling back to in-tree Cinder plugin for mount operations to nodes that have the feature disabled or that do not have Cinder CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

• CSIMigrationOpenStackComplete: Stops registering the Cinder in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the Cinder in-tree plugin to Cinder CSI plugin. Requires CSIMigration and CSIMigrationOpenStack feature flags enabled and Cinder CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginOpenStackUnregister feature flag which prevents the registration of in-tree openstack cinder plugin.

• CSIMigrationvSphere: Enables shims and translation logic to route volume operations from the vSphere in-tree plugin to vSphere CSI plugin. Supports falling back to in-tree vSphere plugin for mount operations to nodes that have the feature disabled or that do not have vSphere CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

• CSIMigrationvSphereComplete: Stops registering the vSphere in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the vSphere in-tree plugin to vSphere CSI plugin. Requires CSIMigration and CSIMigrationvSphere feature flags enabled and vSphere CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginvSphereUnregister feature flag which prevents the registration of in-tree vsphere plugin.

• CSINodeInfo: Enable all logic related to the CSINodeInfo API object in csi.storage.k8s.io.

• CSIPersistentVolume: Enable discovering and mounting volumes provisioned through a CSI (Container Storage Interface) compatible volume plugin.

• CSIServiceAccountToken: Enable CSI drivers to receive the pods' service account token that they mount volumes for. See Token Requests.

• CSIStorageCapacity: Enables CSI drivers to publish storage capacity information and the Kubernetes scheduler to use that information when scheduling pods. See Storage Capacity. Check the csi volume type documentation for more details.

• CSIVolumeFSGroupPolicy: Allows CSIDrivers to use the fsGroupPolicy field. This field controls whether volumes created by a CSIDriver support volume ownership and permission modifications when these volumes are mounted.

• CSRDuration: Allows clients to request a duration for certificates issued via the Kubernetes CSR API.

• CustomPodDNS: Enable customizing the DNS settings for a Pod using its dnsConfig property. Check Pod's DNS Config for more details.

• CustomResourceDefaulting: Enable CRD support for default values in OpenAPI v3 validation schemas.

• CustomResourcePublishOpenAPI: Enables publishing of CRD OpenAPI specs.

• CustomResourceSubresources: Enable /status and /scale subresources on resources created from CustomResourceDefinition.

• CustomResourceValidation: Enable schema based validation on resources created from CustomResourceDefinition.

• CustomResourceWebhookConversion: Enable webhook-based conversion on resources created from CustomResourceDefinition.

• DaemonSetUpdateSurge: Enables the DaemonSet workloads to maintain availability during update per node. See Perform a Rolling Update on a DaemonSet.

• DefaultPodTopologySpread: Enables the use of PodTopologySpread scheduling plugin to do default spreading.

• DelegateFSGroupToCSIDriver: If supported by the CSI driver, delegates the role of applying fsGroup from a Pod's securityContext to the driver by passing fsGroup through the NodeStageVolume and NodePublishVolume CSI calls.

• DevicePlugins: Enable the device-plugins based resource provisioning on nodes.

• DisableAcceleratorUsageMetrics: Disable accelerator metrics collected by the kubelet.

• DownwardAPIHugePages: Enables usage of hugepages in downward API.

• DryRun: Enable server-side dry run requests so that validation, merging, and mutation can be tested without committing.

• DynamicAuditing: Used to enable dynamic auditing before v1.19.

• DynamicKubeletConfig: Enable the dynamic configuration of kubelet. The feature is no longer supported outside of supported skew policy. The feature gate was removed from kubelet in 1.24.

• DynamicProvisioningScheduling: Extend the default scheduler to be aware of volume topology and handle PV provisioning. This feature was superseded by the VolumeScheduling feature in v1.12.

• DynamicVolumeProvisioning: Enable the dynamic provisioning of persistent volumes to Pods.

• EnableAggregatedDiscoveryTimeout: Enable the five second timeout on aggregated discovery calls.

• EnableEquivalenceClassCache: Enable the scheduler to cache equivalence of nodes when scheduling Pods.

• EndpointSlice: Enables EndpointSlices for more scalable and extensible network endpoints. See Enabling EndpointSlices.

• EndpointSliceNodeName: Enables EndpointSlice nodeName field.

• EndpointSliceProxying: When enabled, kube-proxy running on Linux will use EndpointSlices as the primary data source instead of Endpoints, enabling scalability and performance improvements. See Enabling Endpoint Slices.

• EndpointSliceTerminatingCondition: Enables EndpointSlice terminating and serving condition fields.

• EphemeralContainers: Enable the ability to add ephemeral containers to running Pods.

• EvenPodsSpread: Enable pods to be scheduled evenly across topology domains. See Pod Topology Spread Constraints.

• ExpandCSIVolumes: Enable the expanding of CSI volumes.

• ExpandInUsePersistentVolumes: Enable expanding in-use PVCs. See Resizing an in-use PersistentVolumeClaim.

• ExpandPersistentVolumes: Enable the expanding of persistent volumes. See Expanding Persistent Volumes Claims.

• ExperimentalCriticalPodAnnotation: Enable annotating specific pods as critical so that their scheduling is guaranteed. This feature is deprecated by Pod Priority and Preemption as of v1.13.

• ExternalPolicyForExternalIP: Fix a bug where ExternalTrafficPolicy is not applied to Service ExternalIPs.

• GCERegionalPersistentDisk: Enable the regional PD feature on GCE.

• GenericEphemeralVolume: Enables ephemeral, inline volumes that support all features of normal volumes (can be provided by third-party storage vendors, storage capacity tracking, restore from snapshot, etc.). See Ephemeral Volumes.

• GRPCContainerProbe: Enables the gRPC probe method for {Liveness,Readiness,Startup}Probe. See Configure Liveness, Readiness and Startup Probes.

• HugePages: Enable the allocation and consumption of pre-allocated huge pages.

• HugePageStorageMediumSize: Enable support for multiple sizes pre-allocated huge pages.

• HyperVContainer: Enable Hyper-V isolation for Windows containers.

• IdentifyPodOS: Allows the Pod OS field to be specified. This helps in identifying the OS of the pod authoritatively during the API server admission time.

• ImmutableEphemeralVolumes: Allows for marking individual Secrets and ConfigMaps as immutable for better safety and performance.

• IndexedJob: Allows the Job controller to manage Pod completions per completion index.

• IngressClassNamespacedParams: Allow namespace-scoped parameters reference in IngressClass resource. This feature adds two fields - Scope and Namespace to IngressClass.spec.parameters.

• Initializers: Allow asynchronous coordination of object creation using the Initializers admission plugin.

• IPv6DualStack: Enable dual stack support for IPv6.

• JobMutableNodeSchedulingDirectives: Allows updating node scheduling directives in the pod template of Job.

• JobTrackingWithFinalizers: Enables tracking Job completions without relying on Pods remaining in the cluster indefinitely. The Job controller uses Pod finalizers and a field in the Job status to keep track of the finished Pods to count towards completion.

• KubeletConfigFile: Enable loading kubelet configuration from a file specified using a config file. See setting kubelet parameters via a config file for more details.

• KubeletCredentialProviders: Enable kubelet exec credential providers for image pull credentials.

• KubeletPluginsWatcher: Enable probe-based plugin watcher utility to enable kubelet to discover plugins such as CSI volume drivers.

• LegacyNodeRoleBehavior: When disabled, legacy behavior in service load balancers and node disruption will ignore the node-role.kubernetes.io/master label in favor of the feature-specific labels provided by NodeDisruptionExclusion and ServiceNodeExclusion.

• LegacyServiceAccountTokenNoAutoGeneration: Stop auto-generation of Secret-based service account tokens.

• LocalStorageCapacityIsolation: Enable the consumption of local ephemeral storage and also the sizeLimit property of an emptyDir volume.

• MixedProtocolLBService: Enable using different protocols in the same LoadBalancer type Service instance.

• MountContainers: Enable using utility containers on host as the volume mounter.

• MountPropagation: Enable sharing volume mounted by one container to other containers or pods. For more details, please see mount propagation.

• MultiCIDRRangeAllocator: Enables the MultiCIDR range allocator.

• NamespaceDefaultLabelName: Configure the API Server to set an immutable label kubernetes.io/metadata.name on all namespaces, containing the namespace name.

• NetworkPolicyEndPort: Allows you to define ports in a NetworkPolicy rule as a range of port numbers.

• NetworkPolicyStatus: Enable the status subresource for NetworkPolicy objects.

• NodeDisruptionExclusion: Enable use of the Node label node.kubernetes.io/exclude-disruption which prevents nodes from being evacuated during zone failures.

• NodeLease: Enable the new Lease API to report node heartbeats, which could be used as a node health signal.

• NonPreemptingPriority: Enable preemptionPolicy field for PriorityClass and Pod.

• OpenAPIV3: Enables the API server to publish OpenAPI v3.

• PersistentLocalVolumes: Enable the usage of local volume type in Pods. Pod affinity has to be specified if requesting a local volume.

• PodAffinityNamespaceSelector: Enable the Pod Affinity Namespace Selector and CrossNamespacePodAffinity quota scope features.

• PodDisruptionBudget: Enable the PodDisruptionBudget feature.

• PodHasNetworkCondition: Enable the kubelet to mark the PodHasNetwork condition on pods. This was renamed to PodReadyToStartContainersCondition in 1.28.

• PodOverhead: Enable the PodOverhead feature to account for pod overheads.

• PodPriority: Enable the descheduling and preemption of Pods based on their priorities.

• PodReadinessGates: Enable the setting of PodReadinessGate field for extending Pod readiness evaluation. See Pod readiness gate for more details.

• PodSecurity: Enables the PodSecurity admission plugin.

• PodShareProcessNamespace: Enable the setting of shareProcessNamespace in a Pod for sharing a single process namespace between containers running in a pod. More details can be found in Share Process Namespace between Containers in a Pod.

• PreferNominatedNode: This flag tells the scheduler whether the nominated nodes will be checked first before looping through all the other nodes in the cluster.

• ProbeTerminationGracePeriod: Enable setting probe-level terminationGracePeriodSeconds on pods. See the enhancement proposal for more details.

• PVCProtection: Enable the prevention of a PersistentVolumeClaim (PVC) from being deleted when it is still used by any Pod.

• ReadOnlyAPIDataVolumes:

  Set configMap, secret, downwardAPI and projected volumes to be mounted read-only.

  Since Kubernetes v1.10, these volume types are always read-only and you cannot opt out.

• RemoveSelfLink: Sets the .metadata.selfLink field to blank (empty string) for all objects and collections. This field has been deprecated since the Kubernetes v1.16 release. When this feature is enabled, the .metadata.selfLink field remains part of the Kubernetes API, but is always unset.

• RequestManagement: Enables managing request concurrency with prioritization and fairness at each API server. Deprecated by APIPriorityAndFairness since 1.17.

• ResourceLimitsPriorityFunction: Enable a scheduler priority function that assigns a lowest possible score of 1 to a node that satisfies at least one of the input Pod's cpu and memory limits. The intent is to break ties between nodes with same scores.

• ResourceQuotaScopeSelectors: Enable resource quota scope selectors.

• RetroactiveDefaultStorageClass: Allow assigning StorageClass to unbound PVCs retroactively.

• RootCAConfigMap: Configure the kube-controller-manager to publish a ConfigMap named kube-root-ca.crt to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver. See Bound Service Account Tokens for more details.

• RotateKubeletClientCertificate: Enable the rotation of the client TLS certificate on the kubelet. See kubelet configuration for more details.

• RunAsGroup: Enable control over the primary group ID set on the init processes of containers.

• RuntimeClass: Enable the RuntimeClass feature for selecting container runtime configurations.

• ScheduleDaemonSetPods: Enable DaemonSet Pods to be scheduled by the default scheduler instead of the DaemonSet controller.

• SCTPSupport: Enables the SCTP protocol value in Pod, Service, Endpoints, EndpointSlice, and NetworkPolicy definitions.

• SeccompDefault: Enables the use of RuntimeDefault as the default seccomp profile for all workloads. The seccomp profile is specified in the securityContext of a Pod and/or a Container.

• SelectorIndex: Allows label and field based indexes in API server watch cache to accelerate list operations.

• ServiceAccountIssuerDiscovery: Enable OIDC discovery endpoints (issuer and JWKS URLs) for the service account issuer in the API server. See Configure Service Accounts for Pods for more details.

• ServiceAppProtocol: Enables the appProtocol field on Services and Endpoints.

• ServiceInternalTrafficPolicy: Enables the internalTrafficPolicy field on Services

• ServiceIPStaticSubrange: Enables a strategy for Services ClusterIP allocations, whereby the ClusterIP range is subdivided. Dynamic allocated ClusterIP addresses will be allocated preferently from the upper range allowing users to assign static ClusterIPs from the lower range with a low risk of collision. See Avoiding collisions for more details.

• ServiceLBNodePortControl: Enables the allocateLoadBalancerNodePorts field on Services.

• ServiceLoadBalancerClass: Enables the loadBalancerClass field on Services. See Specifying class of load balancer implementation for more details.

• ServiceLoadBalancerFinalizer: Enable finalizer protection for Service load balancers.

• ServiceNodeExclusion: Enable the exclusion of nodes from load balancers created by a cloud provider. A node is eligible for exclusion if labelled with "node.kubernetes.io/exclude-from-external-load-balancers".

• ServiceTopology: Enable service to route traffic based upon the Node topology of the cluster.

• SetHostnameAsFQDN: Enable the ability of setting Fully Qualified Domain Name(FQDN) as the hostname of a pod. See Pod's setHostnameAsFQDN field.

• StartupProbe: Enable the startup probe in the kubelet.

• StatefulSetMinReadySeconds: Allows minReadySeconds to be respected by the StatefulSet controller.

• StorageObjectInUseProtection: Postpone the deletion of PersistentVolume or PersistentVolumeClaim objects if they are still being used.

• StreamingProxyRedirects: Instructs the API server to intercept (and follow) redirects from the backend (kubelet) for streaming requests. Examples of streaming requests include the exec, attach and port-forward requests.

• SupportIPVSProxyMode: Enable providing in-cluster service load balancing using IPVS. See service proxies for more details.

• SupportNodePidsLimit: Enable the support to limiting PIDs on the Node. The parameter pid=<number> in the --system-reserved and --kube-reserved options can be specified to ensure that the specified number of process IDs will be reserved for the system as a whole and for Kubernetes system daemons respectively.

• SupportPodPidsLimit: Enable the support to limiting PIDs in Pods.

• SuspendJob: Enable support to suspend and resume Jobs. For more details, see the Jobs docs.

• Sysctls: Enable support for namespaced kernel parameters (sysctls) that can be set for each pod. See sysctls for more details.

• TaintBasedEvictions: Enable evicting pods from nodes based on taints on Nodes and tolerations on Pods. See taints and tolerations for more details.

• TaintNodesByCondition: Enable automatic tainting nodes based on node conditions.

• TokenRequest: Enable the TokenRequest endpoint on service account resources.

• TokenRequestProjection: Enable the injection of service account tokens into a Pod through a projected volume.

• TopologyManager: Enable a mechanism to coordinate fine-grained hardware resource assignments for different components in Kubernetes. See Control Topology Management Policies on a node.

• TTLAfterFinished: Allow a TTL controller to clean up resources after they finish execution.

• UserNamespacesStatelessPodsSupport: Enable user namespace support for stateless Pods. This feature gate was superseded by the UserNamespacesSupport feature gate in the Kubernetes v1.28 release.

• ValidateProxyRedirects: This flag controls whether the API server should validate that redirects are only followed to the same host. Only used if the StreamingProxyRedirects flag is enabled.

• VolumePVCDataSource: Enable support for specifying an existing PVC as a DataSource.

• VolumeScheduling: Enable volume topology aware scheduling and make the PersistentVolumeClaim (PVC) binding aware of scheduling decisions. It also enables the usage of local volume type when used together with the PersistentLocalVolumes feature gate.

• VolumeSnapshotDataSource: Enable volume snapshot data source support.

• VolumeSubpath: Allow mounting a subpath of a volume in a container.

• VolumeSubpathEnvExpansion: Enable subPathExpr field for expanding environment variables into a subPath.

• WarningHeaders: Allow sending warning headers in API responses.

• WindowsEndpointSliceProxying: When enabled, kube-proxy running on Windows will use EndpointSlices as the primary data source instead of Endpoints, enabling scalability and performance improvements. See Enabling Endpoint Slices.

• WindowsGMSA: Enables passing of GMSA credential specs from pods to container runtimes.

• WindowsHostProcessContainers: Enables support for Windows HostProcess containers.

• WindowsRunAsUserName: Enable support for running applications in Windows containers with as a non-default user. See Configuring RunAsUserName for more details.

3 - kubelet

Synopsis

The kubelet is the primary "node agent" that runs on each node. It can register the node with the apiserver using one of: the hostname; a flag to override the hostname; or specific logic for a cloud provider.

The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod. The kubelet takes a set of PodSpecs that are provided through various mechanisms (primarily through the apiserver) and ensures that the containers described in those PodSpecs are running and healthy. The kubelet doesn't manage containers which were not created by Kubernetes.

Other than from a PodSpec from the apiserver, there are two ways that a container manifest can be provided to the kubelet.

• File: Path passed as a flag on the command line. Files under this path will be monitored periodically for updates. The monitoring period is 20s by default and is configurable via a flag.
• HTTP endpoint: HTTP endpoint passed as a parameter on the command line. This endpoint is checked every 20 seconds (also configurable with a flag).

kubelet [flags]

Options