--- # image for kubeproxy image: repository: rancher/hardened-kubernetes tag: v1.19.16-rke2r1-build20211028 # The IP address for the proxy server to serve on # (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces) bindAddress: 0.0.0.0 # If true cleanup iptables and ipvs rules and exit. cleanup: # The CIDR range of pods in the cluster. # When configured, traffic sent to a Service cluster IP from outside this range # will be masqueraded and traffic sent from pods to an external # LoadBalancer IP will be directed to the respective cluster IP instead clusterCIDR: 10.42.0.0/16 # The path to the configuration file. config: # How often configuration from the apiserver is refreshed. Must be greater than 0. configSyncPeriod: 15m0s conntrack: # Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min). maxPerCore: 32768 # Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is). min: 131072 # NAT timeout for TCP connections in the CLOSE_WAIT state tcpTimeoutCloseWait: 1h0m0s # Idle timeout for established TCP connections (0 to leave as-is) tcpTimeoutEstablished: 24h0m0s # Mode to use to detect local traffic detectLocalMode: # A set of key=value pairs that describe feature gates for alpha/experimental features: featureGates: # The IP address with port for the health check server to serve on # (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable. healthzBindAddress: 0.0.0.0:10256 # help for kube-proxy help: # If non-empty, will use this string as identification instead of the actual hostname. hostnameOverride: iptables: # If using the pure iptables proxy, SNAT all traffic sent via Service cluster IPs (this not commonly needed) masqueradeAll: # If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31]. masqueradeBit: 14 # The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). minSyncPeriod: # The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. syncPeriod: 30s ipvs: # A comma-separated list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules. excludeCidrs: # The minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). minSyncPeriod: # The ipvs scheduler type when proxy mode is ipvs scheduler: # Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2 strictArp: # The maximum interval of how often ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. syncPeriod: 30s # The timeout for idle IPVS TCP connections, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). tcpTimeout: # The timeout for IPVS TCP connections after receiving a FIN packet, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). tcpfinTimeout: # The timeout for IPVS UDP packets, 0 to leave as-is. (e.g. '5s', '1m', '2h22m'). udpTimeout: clientConnection: # Burst to use while talking with kubernetes apiserver apiBurst: 10 # Content type of requests sent to apiserver. apiContentType: # QPS to use while talking with kubernetes apiserver qps: 5 # Path to kubeconfig file with authorization information (the master location is set by the master flag). kubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig # Maximum number of seconds between log flushes logFlushFrequency: 5s # The address of the Kubernetes API server (overrides any value in kubeconfig) master: # The IP address with port for the metrics server to serve on # (set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to disable. metricsBindAddress: 127.0.0.1:10249 # A string slice of values which specify the addresses to use for NodePorts. # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses. nodeportAddresses: # The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000] oomScoreAdj: -999 # If true enables profiling via web interface on /debug/pprof handler. profiling: proxy: # Which proxy mode to use: 'userspace' (older) or 'iptables' (faster) or 'ipvs'. # If blank, use the best-available proxy (currently iptables). # If the iptables proxy is selected, regardless of how, but the system's # kernel or iptables versions are insufficient, this always falls back to the userspace proxy. mode: # Range of host ports (beginPort-endPort, single port or beginPort+offset, inclusive) # that may be consumed in order to proxy service traffic. # If (unspecified, 0, or 0-0) then ports will be randomly chosen. portRange: # The previous version for which you want to show hidden metrics. # Only the previous minor version is meaningful, other values will not be allowed. # The format is ., e.g.: '1.16'. The purpose of this format is make # sure you have the opportunity to notice if the next release hides additional metrics, # rather than being surprised when they are permanently removed in the release after that. showHiddenMetricsForVersion: # How long an idle UDP connection will be kept open (e.g. '250ms', '2s'). # Must be greater than 0. Only applicable for proxy-mode=userspace udpTimeout: 250ms # Print version information and quit version: # If set, write the default configuration values to this file and exit. writeConfigTo: global: systemDefaultRegistry: ""