Feature Gates

This page contains an overview of the various feature gates an administrator can specify on different Kubernetes components.

See feature stages for an explanation of the stages for a feature.

Overview

Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component.

Each Kubernetes component lets you enable or disable a set of feature gates that are relevant to that component. Use the -h flag to see a full set of feature gates for all components. To set feature gates for a component, such as the kubelet, pass the --feature-gates flag a comma-separated list of feature pairs:

--feature-gates=...,GracefulNodeShutdown=true

The following tables are a summary of the feature gates that you can set on different Kubernetes components.

  • The "Since" column contains the Kubernetes release when a feature is introduced or its release stage is changed.
  • The "Until" column, if not empty, contains the last Kubernetes release in which you can still use a feature gate.
  • If a feature is in the Alpha or Beta state, you can find the feature listed in the Alpha/Beta feature gate table.
  • If a feature is stable you can find all stages for that feature listed in the Graduated/Deprecated feature gate table.
  • The Graduated/Deprecated feature gate table also lists deprecated and withdrawn features.

Feature gates for Alpha or Beta features

Feature gates for features in Alpha or Beta states
Feature Default Stage Since Until
AdmissionWebhookMatchConditions false Alpha 1.27 1.27
AdmissionWebhookMatchConditions true Beta 1.28
AggregatedDiscoveryEndpoint false Alpha 1.26 1.26
AggregatedDiscoveryEndpoint true Beta 1.27
AnyVolumeDataSource false Alpha 1.18 1.23
AnyVolumeDataSource true Beta 1.24
APIResponseCompression false Alpha 1.7 1.15
APIResponseCompression true Beta 1.16
APIServerIdentity false Alpha 1.20 1.25
APIServerIdentity true Beta 1.26
APIServerTracing false Alpha 1.22 1.26
APIServerTracing true Beta 1.27
AppArmor true Beta 1.4
CloudControllerManagerWebhook false Alpha 1.27
CloudDualStackNodeIPs false Alpha 1.27 1.28
CloudDualStackNodeIPs true Beta 1.29
ClusterTrustBundle false Alpha 1.27
ClusterTrustBundleProjection false Alpha 1.29
ComponentSLIs false Alpha 1.26 1.26
ComponentSLIs true Beta 1.27
ConsistentListFromCache false Alpha 1.28
ContainerCheckpoint false Alpha 1.25
ContextualLogging false Alpha 1.24
CPUManagerPolicyAlphaOptions false Alpha 1.23
CPUManagerPolicyBetaOptions true Beta 1.23
CPUManagerPolicyOptions false Alpha 1.22 1.22
CPUManagerPolicyOptions true Beta 1.23
CRDValidationRatcheting false Alpha 1.28
CronJobsScheduledAnnotation true Beta 1.28
CrossNamespaceVolumeDataSource false Alpha 1.26
CSIMigrationPortworx false Alpha 1.23 1.24
CSIMigrationPortworx false Beta 1.25
CSIVolumeHealth false Alpha 1.21
CustomCPUCFSQuotaPeriod false Alpha 1.12
DevicePluginCDIDevices false Alpha 1.28 1.28
DevicePluginCDIDevices true Beta 1.29
DisableCloudProviders false Alpha 1.22 1.28
DisableCloudProviders true Beta 1.29
DisableKubeletCloudCredentialProviders false Alpha 1.23 1.28
DisableKubeletCloudCredentialProviders true Beta 1.29
DisableNodeKubeProxyVersion false Alpha 1.29
DynamicResourceAllocation false Alpha 1.26
ElasticIndexedJob true Beta 1.27
EventedPLEG false Alpha 1.26 1.26
EventedPLEG false Beta 1.27
GracefulNodeShutdown false Alpha 1.20 1.20
GracefulNodeShutdown true Beta 1.21
GracefulNodeShutdownBasedOnPodPriority false Alpha 1.23 1.23
GracefulNodeShutdownBasedOnPodPriority true Beta 1.24
HonorPVReclaimPolicy false Alpha 1.23
HPAContainerMetrics false Alpha 1.20 1.26
HPAContainerMetrics true Beta 1.27
HPAScaleToZero false Alpha 1.16
ImageMaximumGCAge false Alpha 1.29
InPlacePodVerticalScaling false Alpha 1.27
InTreePluginAWSUnregister false Alpha 1.21
InTreePluginAzureDiskUnregister false Alpha 1.21
InTreePluginAzureFileUnregister false Alpha 1.21
InTreePluginGCEUnregister false Alpha 1.21
InTreePluginOpenStackUnregister false Alpha 1.21
InTreePluginPortworxUnregister false Alpha 1.23
InTreePluginvSphereUnregister false Alpha 1.21
JobBackoffLimitPerIndex false Alpha 1.28 1.28
JobBackoffLimitPerIndex true Beta 1.29
JobPodFailurePolicy false Alpha 1.25 1.25
JobPodFailurePolicy true Beta 1.26
JobPodReplacementPolicy false Alpha 1.28 1.28
JobPodReplacementPolicy true Beta 1.29
KubeletCgroupDriverFromCRI false Alpha 1.28
KubeletInUserNamespace false Alpha 1.22
KubeletPodResourcesDynamicResources false Alpha 1.27
KubeletPodResourcesGet false Alpha 1.27
KubeletSeparateDiskGC false Alpha 1.29
KubeletTracing false Alpha 1.25 1.26
KubeletTracing true Beta 1.27
KubeProxyDrainingTerminatingNodes false Alpha 1.28
LegacyServiceAccountTokenCleanUp false Alpha 1.28 1.28
LegacyServiceAccountTokenCleanUp true Beta 1.29
LoadBalancerIPMode false Alpha 1.29
LocalStorageCapacityIsolationFSQuotaMonitoring false Alpha 1.15
LogarithmicScaleDown false Alpha 1.21 1.21
LogarithmicScaleDown true Beta 1.22
LoggingAlphaOptions false Alpha 1.24
LoggingBetaOptions true Beta 1.24
MatchLabelKeysInPodAffinity false Alpha 1.29
MatchLabelKeysInPodTopologySpread false Alpha 1.25 1.26
MatchLabelKeysInPodTopologySpread true Beta 1.27
MaxUnavailableStatefulSet false Alpha 1.24
MemoryManager false Alpha 1.21 1.21
MemoryManager true Beta 1.22
MemoryQoS false Alpha 1.22
MinDomainsInPodTopologySpread false Alpha 1.24 1.24
MinDomainsInPodTopologySpread false Beta 1.25 1.26
MinDomainsInPodTopologySpread true Beta 1.27
MultiCIDRServiceAllocator false Alpha 1.27
NewVolumeManagerReconstruction false Beta 1.27 1.27
NewVolumeManagerReconstruction true Beta 1.28
NFTablesProxyMode false Alpha 1.29
NodeInclusionPolicyInPodTopologySpread false Alpha 1.25 1.25
NodeInclusionPolicyInPodTopologySpread true Beta 1.26
NodeLogQuery false Alpha 1.27
NodeSwap false Alpha 1.22 1.27
NodeSwap false Beta 1.28
OpenAPIEnums false Alpha 1.23 1.23
OpenAPIEnums true Beta 1.24
PDBUnhealthyPodEvictionPolicy false Alpha 1.26 1.26
PDBUnhealthyPodEvictionPolicy true Beta 1.27
PersistentVolumeLastPhaseTransitionTime false Alpha 1.28 1.28
PersistentVolumeLastPhaseTransitionTime true Beta 1.29
PodAndContainerStatsFromCRI false Alpha 1.23
PodDeletionCost false Alpha 1.21 1.21
PodDeletionCost true Beta 1.22
PodDisruptionConditions false Alpha 1.25 1.25
PodDisruptionConditions true Beta 1.26
PodHostIPs false Alpha 1.28 1.28
PodHostIPs true Beta 1.29
PodIndexLabel true Beta 1.28
PodLifecycleSleepAction false Alpha 1.29
PodReadyToStartContainersCondition false Alpha 1.28 1.28
PodReadyToStartContainersCondition true Beta 1.29
PodSchedulingReadiness false Alpha 1.26 1.26
PodSchedulingReadiness true Beta 1.27
ProcMountType false Alpha 1.12
QOSReserved false Alpha 1.11
RecoverVolumeExpansionFailure false Alpha 1.23
RotateKubeletServerCertificate false Alpha 1.7 1.11
RotateKubeletServerCertificate true Beta 1.12
RuntimeClassInImageCriApi false Alpha 1.29
SchedulerQueueingHints true Beta 1.28 1.28
SchedulerQueueingHints false Beta 1.29
SecurityContextDeny false Alpha 1.27
SELinuxMountReadWriteOncePod false Alpha 1.25 1.26
SELinuxMountReadWriteOncePod false Beta 1.27 1.27
SELinuxMountReadWriteOncePod true Beta 1.28
SeparateTaintEvictionController true Beta 1.29
ServiceAccountTokenJTI false Alpha 1.29
ServiceAccountTokenNodeBinding false Alpha 1.29
ServiceAccountTokenNodeBindingValidation false Alpha 1.29
ServiceAccountTokenPodNodeInfo false Alpha 1.29
SidecarContainers false Alpha 1.28 1.28
SidecarContainers true Beta 1.29
SizeMemoryBackedVolumes false Alpha 1.20 1.21
SizeMemoryBackedVolumes true Beta 1.22
StableLoadBalancerNodeSet true Beta 1.27
StatefulSetAutoDeletePVC false Alpha 1.23 1.26
StatefulSetAutoDeletePVC true Beta 1.27
StatefulSetStartOrdinal false Alpha 1.26 1.26
StatefulSetStartOrdinal true Beta 1.27
StorageVersionAPI false Alpha 1.20
StorageVersionHash false Alpha 1.14 1.14
StorageVersionHash true Beta 1.15
StructuredAuthenticationConfiguration false Alpha 1.29
StructuredAuthorizationConfiguration false Alpha 1.29
TopologyAwareHints false Alpha 1.21 1.22
TopologyAwareHints false Beta 1.23 1.23
TopologyAwareHints true Beta 1.24
TopologyManagerPolicyAlphaOptions false Alpha 1.26
TopologyManagerPolicyBetaOptions false Beta 1.26 1.27
TopologyManagerPolicyBetaOptions true Beta 1.28
TopologyManagerPolicyOptions false Alpha 1.26 1.27
TopologyManagerPolicyOptions true Beta 1.28
TranslateStreamCloseWebsocketRequests false Alpha 1.29
UnauthenticatedHTTP2DOSMitigation false Beta 1.28 1.28
UnauthenticatedHTTP2DOSMitigation true Beta 1.29
UnknownVersionInteroperabilityProxy false Alpha 1.28
UserNamespacesPodSecurityStandards false Alpha 1.29
UserNamespacesSupport false Alpha 1.28
ValidatingAdmissionPolicy false Alpha 1.26 1.27
ValidatingAdmissionPolicy false Beta 1.28
VolumeAttributesClass false Alpha 1.29
VolumeCapacityPriority false Alpha 1.21
WatchList false Alpha 1.27
WindowsHostNetwork true Alpha 1.26
WinDSR false Alpha 1.14
WinOverlay false Alpha 1.14 1.19
WinOverlay true Beta 1.20
ZeroLimitedNominalConcurrencyShares false Beta 1.29

Feature gates for graduated or deprecated features

Feature Gates for Graduated or Deprecated Features
Feature Default Stage Since Until
AllowServiceLBStatusOnNonLB false Deprecated 1.29
APIListChunking false Alpha 1.8 1.8
APIListChunking true Beta 1.9 1.28
APIListChunking true GA 1.29
APIPriorityAndFairness false Alpha 1.18 1.19
APIPriorityAndFairness true Beta 1.20 1.28
APIPriorityAndFairness true GA 1.29
APISelfSubjectReview false Alpha 1.26 1.26
APISelfSubjectReview true Beta 1.27 1.27
APISelfSubjectReview true GA 1.28
ConsistentHTTPGetHandlers true GA 1.25
CPUManager false Alpha 1.8 1.9
CPUManager true Beta 1.10 1.25
CPUManager true GA 1.26
CSIMigrationAzureFile false Alpha 1.15 1.20
CSIMigrationAzureFile false Beta 1.21 1.23
CSIMigrationAzureFile true Beta 1.24 1.25
CSIMigrationAzureFile true GA 1.26
CSIMigrationRBD false Alpha 1.23 1.27
CSIMigrationRBD false Deprecated 1.28
CSINodeExpandSecret false Alpha 1.25 1.26
CSINodeExpandSecret true Beta 1.27 1.28
CSINodeExpandSecret true GA 1.29
CustomResourceValidationExpressions false Alpha 1.23 1.24
CustomResourceValidationExpressions true Beta 1.25 1.28
CustomResourceValidationExpressions true GA 1.29
DefaultHostNetworkHostPortsInPodTemplates false Deprecated 1.28
EfficientWatchResumption false Alpha 1.20 1.20
EfficientWatchResumption true Beta 1.21 1.23
EfficientWatchResumption true GA 1.24
ExecProbeTimeout true GA 1.20
ExpandedDNSConfig false Alpha 1.22 1.25
ExpandedDNSConfig true Beta 1.26 1.27
ExpandedDNSConfig true GA 1.28
ExperimentalHostUserNamespaceDefaulting false Beta 1.5 1.27
ExperimentalHostUserNamespaceDefaulting false Deprecated 1.28
InTreePluginRBDUnregister false Alpha 1.23 1.27
InTreePluginRBDUnregister false Deprecated 1.28
IPTablesOwnershipCleanup false Alpha 1.25 1.26
IPTablesOwnershipCleanup true Beta 1.27 1.27
IPTablesOwnershipCleanup true GA 1.28
JobReadyPods false Alpha 1.23 1.23
JobReadyPods true Beta 1.24 1.28
JobReadyPods true GA 1.29
KMSv1 true Deprecated 1.28 1.28
KMSv1 false Deprecated 1.29
KMSv2 false Alpha 1.25 1.26
KMSv2 true Beta 1.27 1.28
KMSv2 true GA 1.29
KMSv2KDF false Beta 1.28 1.28
KMSv2KDF true GA 1.29
KubeletPodResources false Alpha 1.13 1.14
KubeletPodResources true Beta 1.15 1.27
KubeletPodResources true GA 1.28
KubeletPodResourcesGetAllocatable false Alpha 1.21 1.22
KubeletPodResourcesGetAllocatable true Beta 1.23 1.27
KubeletPodResourcesGetAllocatable true GA 1.28
LegacyServiceAccountTokenTracking false Alpha 1.26 1.26
LegacyServiceAccountTokenTracking true Beta 1.27 1.27
LegacyServiceAccountTokenTracking true GA 1.28
MinimizeIPTablesRestore false Alpha 1.26 1.26
MinimizeIPTablesRestore true Beta 1.27 1.27
MinimizeIPTablesRestore true GA 1.28
NodeOutOfServiceVolumeDetach false Alpha 1.24 1.25
NodeOutOfServiceVolumeDetach true Beta 1.26 1.27
NodeOutOfServiceVolumeDetach true GA 1.28
ProxyTerminatingEndpoints false Alpha 1.22 1.25
ProxyTerminatingEndpoints true Beta 1.26 1.27
ProxyTerminatingEndpoints true GA 1.28
ReadWriteOncePod false Alpha 1.22 1.26
ReadWriteOncePod true Beta 1.27 1.28
ReadWriteOncePod true GA 1.29
RemainingItemCount false Alpha 1.15 1.15
RemainingItemCount true Beta 1.16 1.28
RemainingItemCount true GA 1.29
RemoveSelfLink false Alpha 1.16 1.19
RemoveSelfLink true Beta 1.20 1.23
RemoveSelfLink true GA 1.24
ServerSideApply false Alpha 1.14 1.15
ServerSideApply true Beta 1.16 1.21
ServerSideApply true GA 1.22
ServerSideFieldValidation false Alpha 1.23 1.24
ServerSideFieldValidation true Beta 1.25 1.26
ServerSideFieldValidation true GA 1.27
ServiceNodePortStaticSubrange false Alpha 1.27 1.27
ServiceNodePortStaticSubrange true Beta 1.28 1.28
ServiceNodePortStaticSubrange true GA 1.29
SkipReadOnlyValidationGCE false Alpha 1.28 1.28
SkipReadOnlyValidationGCE true Deprecated 1.29
WatchBookmark false Alpha 1.15 1.15
WatchBookmark true Beta 1.16 1.16
WatchBookmark true GA 1.17

Using a feature

Feature stages

A feature can be in Alpha, Beta or GA stage. An Alpha feature means:

  • Disabled by default.
  • Might be buggy. Enabling the feature may expose bugs.
  • Support for the feature may be dropped at any time without notice.
  • The API may change in incompatible ways in a later software release without notice.
  • Recommended for use only in short-lived testing clusters, due to increased risk of bugs and lack of long-term support.

A Beta feature means:

  • Usually enabled by default. Beta API groups are disabled by default.
  • The feature is well tested. Enabling the feature is considered safe.
  • Support for the overall feature will not be dropped, though details may change.
  • The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating API objects. The editing process may require some thought. This may require downtime for applications that rely on the feature.
  • Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you may be able to relax this restriction.

A General Availability (GA) feature is also referred to as a stable feature. It means:

  • The feature is always enabled; you cannot disable it.
  • The corresponding feature gate is no longer needed.
  • Stable versions of features will appear in released software for many subsequent versions.
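
As an added example (not part of the Kubernetes documentation or code base), the following Python script parses a --feature-gates value and checks each gate against rows copied from the tables on this page, applying the stage meanings described above for a given release. The function names, finding labels and the sample flag value are assumptions of this example, and it accepts only true or false as a gate value.

```python
from typing import NamedTuple, Optional

# Rows copied from this page's tables: Feature Default Stage Since [Until].
# Only a subset is embedded here; extend it with the rows you need.
PAGE_ROWS = """\
AppArmor true Beta 1.4
ContainerCheckpoint false Alpha 1.25
GracefulNodeShutdown false Alpha 1.20 1.20
GracefulNodeShutdown true Beta 1.21
KMSv1 true Deprecated 1.28 1.28
KMSv1 false Deprecated 1.29
KMSv2 false Alpha 1.25 1.26
KMSv2 true Beta 1.27 1.28
KMSv2 true GA 1.29
UnauthenticatedHTTP2DOSMitigation false Beta 1.28 1.28
UnauthenticatedHTTP2DOSMitigation true Beta 1.29
"""

# Constructed sample value for one component's --feature-gates flag.
SAMPLE_FLAG = ("--feature-gates=ContainerCheckpoint=true,KMSv2=false,"
               "UnauthenticatedHTTP2DOSMitigation=false,"
               "GracefulNodeShutdown=true,KMSv1=true,Bogus=true")


class Row(NamedTuple):
    default: bool
    stage: str
    since: tuple
    until: Optional[tuple]  # None when the "Until" column is empty


def parse_version(text):
    """'1.4' -> (1, 4), so 1.4 sorts before 1.20 (string comparison would not)."""
    major, minor = text.strip().lstrip("v").split(".")[:2]
    return int(major), int(minor)


def load_rows(text):
    """Parse flattened table rows into {gate name: [Row, ...]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (4, 5) or fields[1] not in ("true", "false"):
            continue  # blank line, caption or column header
        name, default, stage, since = fields[:4]
        until = parse_version(fields[4]) if len(fields) == 5 else None
        table.setdefault(name, []).append(
            Row(default == "true", stage, parse_version(since), until))
    return table


def stage_for(table, name, version):
    """Return the Row in effect for `name` at `version`, or None."""
    v = parse_version(version)
    for row in table.get(name, []):
        if row.since <= v and (row.until is None or v <= row.until):
            return row
    return None


def parse_feature_gates(flag_value):
    """Split 'A=true,B=false' (with or without the flag name) into a dict."""
    value = flag_value.strip()
    if value.startswith("--feature-gates="):
        value = value[len("--feature-gates="):]
    gates = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        name, sep, setting = pair.partition("=")
        if not sep or setting.strip().lower() not in ("true", "false"):
            raise ValueError(f"malformed feature gate pair: {pair!r}")
        gates[name.strip()] = setting.strip().lower() == "true"
    return gates


def audit(flag_value, version, table):
    """Return (gate, finding) pairs for settings that deserve a review."""
    findings = []
    for name, enabled in parse_feature_gates(flag_value).items():
        row = stage_for(table, name, version)
        if row is None:
            findings.append((name, "unknown"))        # no row at this release
        elif row.stage == "GA":                       # gate no longer needed
            findings.append(
                (name, "ga-redundant" if enabled else "ga-cannot-disable"))
        elif row.stage == "Deprecated":
            findings.append((name, "deprecated-set"))
        elif row.stage == "Alpha" and enabled:        # testing clusters only
            findings.append((name, "alpha-enabled"))
        elif enabled != row.default:                  # default was overridden
            findings.append((name, "non-default"))
    return findings


if __name__ == "__main__":
    for gate, finding in audit(SAMPLE_FLAG, "1.29", load_rows(PAGE_ROWS)):
        print(f"{gate}: {finding}")
```

A gate explicitly set to the default of its current stage, such as GracefulNodeShutdown=true on 1.29, produces no finding.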

List of feature gates

Each feature gate is designed for enabling/disabling a specific feature.

  • AdmissionWebhookMatchConditions: Enable match conditions on mutating & validating admission webhooks.

  • AggregatedDiscoveryEndpoint: Enable a single HTTP endpoint /discovery/<version> which supports native HTTP caching with ETags containing all APIResources known to the API server.

  • AllowServiceLBStatusOnNonLB: Enables .status.ingress.loadBalancer to be set on Services of types other than LoadBalancer.

  • AnyVolumeDataSource: Enable use of any custom resource as the DataSource of a PVC.

  • APIListChunking: Enable the API clients to retrieve (LIST or GET) resources from API server in chunks.

  • APIPriorityAndFairness: Enable managing request concurrency with prioritization and fairness at each server. (Renamed from RequestManagement)

  • APIResponseCompression: Compress the API responses for LIST or GET requests.

  • APISelfSubjectReview: Activate the SelfSubjectReview API which allows users to see the requesting subject's authentication information. See API access to authentication information for a client for more details.

  • APIServerIdentity: Assign each API server an ID in a cluster, using a Lease.

  • APIServerTracing: Add support for distributed tracing in the API server. See Traces for Kubernetes System Components for more details.

  • AppArmor: Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See AppArmor Tutorial for more details.

  • CloudControllerManagerWebhook: Enable webhooks in cloud controller manager.

  • CloudDualStackNodeIPs: Enables dual-stack kubelet --node-ip with external cloud providers. See Configure IPv4/IPv6 dual-stack for more details.

  • ClusterTrustBundle: Enable ClusterTrustBundle objects and kubelet integration.

  • ClusterTrustBundleProjection: Enable clusterTrustBundle projected volume sources.

  • ComponentSLIs: Enable the /metrics/slis endpoint on Kubernetes components like kubelet, kube-scheduler, kube-proxy, kube-controller-manager, cloud-controller-manager allowing you to scrape health check metrics.

  • ConsistentHTTPGetHandlers: Normalize HTTP get URL and Header passing for lifecycle handlers with probers.

  • ConsistentListFromCache: Allow the API server to serve consistent lists from cache.

  • ContainerCheckpoint: Enables the kubelet checkpoint API. See Kubelet Checkpoint API for more details.

  • ContextualLogging: When you enable this feature gate, Kubernetes components that support contextual logging add extra detail to log output.

  • CPUManager: Enable container level CPU affinity support, see CPU Management Policies.

  • CPUManagerPolicyAlphaOptions: Allows fine-tuning of CPUManager policies through experimental, Alpha-quality options. This feature gate guards a group of CPUManager options whose quality level is alpha. This feature gate will never graduate to beta or stable.

  • CPUManagerPolicyBetaOptions: Allows fine-tuning of CPUManager policies through experimental, Beta-quality options. This feature gate guards a group of CPUManager options whose quality level is beta. This feature gate will never graduate to stable.

  • CPUManagerPolicyOptions: Allow fine-tuning of CPUManager policies.

  • CRDValidationRatcheting: Enable updates to custom resources to contain violations of their OpenAPI schema if the offending portions of the resource update did not change. See Validation Ratcheting for more details.

  • CronJobsScheduledAnnotation: Set the scheduled job time as an annotation on Jobs that were created on behalf of a CronJob.

  • CrossNamespaceVolumeDataSource: Enable the usage of cross namespace volume data source to allow you to specify a source namespace in the dataSourceRef field of a PersistentVolumeClaim.

  • CSIMigrationAzureFile: Enables shims and translation logic to route volume operations from the Azure-File in-tree plugin to AzureFile CSI plugin. Supports falling back to in-tree AzureFile plugin for mount operations to nodes that have the feature disabled or that do not have AzureFile CSI plugin installed and configured. Does not support falling back for provision operations; for those, the CSI plugin must be installed and configured. Requires the CSIMigration feature flag to be enabled.

  • CSIMigrationPortworx: Enables shims and translation logic to route volume operations from the Portworx in-tree plugin to Portworx CSI plugin. Requires Portworx CSI driver to be installed and configured in the cluster.

  • CSIMigrationRBD: Enables shims and translation logic to route volume operations from the RBD in-tree plugin to Ceph RBD CSI plugin. Requires CSIMigration and csiMigrationRBD feature flags enabled and Ceph CSI plugin installed and configured in the cluster. This flag has been deprecated in favor of the InTreePluginRBDUnregister feature flag which prevents the registration of in-tree RBD plugin.

  • CSINodeExpandSecret: Enable passing secret authentication data to a CSI driver for use during a NodeExpandVolume CSI operation.

  • CSIVolumeHealth: Enable support for CSI volume health monitoring on node.

  • CustomCPUCFSQuotaPeriod: Enable nodes to change cpuCFSQuotaPeriod in kubelet config.

  • CustomResourceValidationExpressions: Enable expression language validation in CRDs, which validates custom resources based on validation rules written in the x-kubernetes-validations extension.

  • DefaultHostNetworkHostPortsInPodTemplates:

    This feature gate controls the point at which a default value for .spec.containers[*].ports[*].hostPort is assigned, for Pods using hostNetwork: true. The default since Kubernetes v1.28 is to only set a default value in Pods.

    Enabling this means a default will be assigned even to the .spec of an embedded PodTemplate (for example, in a Deployment), which is the way that older releases of Kubernetes worked. You should migrate your code so that it does not rely on the legacy behavior.

  • DevicePluginCDIDevices: Enable support for CDI device IDs in the Device Plugin API.

  • DisableCloudProviders: Disables any functionality in kube-apiserver, kube-controller-manager and kubelet related to the --cloud-provider component flag.

  • DisableKubeletCloudCredentialProviders: Disable the in-tree functionality in kubelet to authenticate to a cloud provider container registry for image pull credentials.

  • DisableNodeKubeProxyVersion: Disable setting the kubeProxyVersion field of the Node.

  • DynamicResourceAllocation: Enables support for resources with custom parameters and a lifecycle that is independent of a Pod.

  • EfficientWatchResumption: Allows for storage-originated bookmark (progress notify) events to be delivered to the users. This is only applied to watch operations.

  • ElasticIndexedJob: Enables Indexed Jobs to be scaled up or down by mutating both spec.completions and spec.parallelism together such that spec.completions == spec.parallelism. See docs on elastic Indexed Jobs for more details.

  • EventedPLEG: Enable support for the kubelet to receive container life cycle events from the container runtime via an extension to CRI. (PLEG is an abbreviation for “Pod lifecycle event generator”). For this feature to be useful, you also need to enable support for container lifecycle events in each container runtime running in your cluster. If the container runtime does not announce support for container lifecycle events then the kubelet automatically switches to the legacy generic PLEG mechanism, even if you have this feature gate enabled.

  • ExecProbeTimeout: Ensure kubelet respects exec probe timeouts. This feature gate exists in case any of your existing workloads depend on a now-corrected fault where Kubernetes ignored exec probe timeouts. See readiness probes.

  • ExpandedDNSConfig: Enable kubelet and kube-apiserver to allow more DNS search paths and longer list of DNS search paths. This feature requires container runtime support (Containerd: v1.5.6 or higher, CRI-O: v1.22 or higher). See Expanded DNS Configuration.

  • ExperimentalHostUserNamespaceDefaulting: Enables defaulting the user namespace to the host. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced capabilities (e.g. MKNOD, SYS_MODULE etc.). This should only be enabled if user namespace remapping is enabled in the Docker daemon.

  • GracefulNodeShutdown: Enables support for graceful shutdown in kubelet. During a system shutdown, kubelet will attempt to detect the shutdown event and gracefully terminate pods running on the node. See Graceful Node Shutdown for more details.

  • GracefulNodeShutdownBasedOnPodPriority: Enables the kubelet to check Pod priorities when shutting down a node gracefully.

  • HonorPVReclaimPolicy: Honor persistent volume reclaim policy when it is Delete irrespective of PV-PVC deletion ordering. For more details, check the PersistentVolume deletion protection finalizer documentation.

  • HPAContainerMetrics: Enable the HorizontalPodAutoscaler to scale based on metrics from individual containers in target pods.

  • HPAScaleToZero: Enables setting minReplicas to 0 for HorizontalPodAutoscaler resources when using custom or external metrics.

  • ImageMaximumGCAge: Enables the kubelet configuration field imageMaximumGCAge, allowing an administrator to specify the age after which an image will be garbage collected.

  • InPlacePodVerticalScaling: Enables in-place Pod vertical scaling.

  • InTreePluginAWSUnregister: Stops registering the aws-ebs in-tree plugin in kubelet and volume controllers.

  • InTreePluginAzureDiskUnregister: Stops registering the azuredisk in-tree plugin in kubelet and volume controllers.

  • InTreePluginAzureFileUnregister: Stops registering the azurefile in-tree plugin in kubelet and volume controllers.

  • InTreePluginGCEUnregister: Stops registering the gce-pd in-tree plugin in kubelet and volume controllers.

  • InTreePluginOpenStackUnregister: Stops registering the OpenStack cinder in-tree plugin in kubelet and volume controllers.

  • InTreePluginPortworxUnregister: Stops registering the Portworx in-tree plugin in kubelet and volume controllers.

  • InTreePluginRBDUnregister: Stops registering the RBD in-tree plugin in kubelet and volume controllers.

  • InTreePluginvSphereUnregister: Stops registering the vSphere in-tree plugin in kubelet and volume controllers.

  • IPTablesOwnershipCleanup: This causes kubelet to no longer create legacy iptables rules.

  • JobBackoffLimitPerIndex: Allows specifying the maximal number of pod retries per index in Indexed jobs.

  • JobPodFailurePolicy: Allow users to specify handling of pod failures based on container exit codes and pod conditions.

  • JobPodReplacementPolicy: Allows you to specify pod replacement for terminating pods in a Job.

  • JobReadyPods: Enables tracking the number of Pods that have a Ready condition. The count of Ready pods is recorded in the status of a Job.

  • KMSv1: Enables KMS v1 API for encryption at rest. See Using a KMS Provider for data encryption for more details.

  • KMSv2: Enables KMS v2 API for encryption at rest. See Using a KMS Provider for data encryption for more details.

  • KMSv2KDF: Enables KMS v2 to generate single use data encryption keys. See Using a KMS Provider for data encryption for more details. If the KMSv2 feature gate is not enabled in your cluster, the value of the KMSv2KDF feature gate has no effect.

  • KubeletCgroupDriverFromCRI: Enable detection of the kubelet cgroup driver configuration option from the CRI. You can use this feature gate on nodes with a kubelet that supports the feature gate and where there is a CRI container runtime that supports the RuntimeConfig CRI call. If both CRI and kubelet support this feature, the kubelet ignores the cgroupDriver configuration setting (or deprecated --cgroup-driver command line argument). If you enable this feature gate and the container runtime doesn't support it, the kubelet falls back to using the driver configured using the cgroupDriver configuration setting. See Configuring a cgroup driver for more details.

  • KubeletInUserNamespace: Enables support for running kubelet in a user namespace. See Running Kubernetes Node Components as a Non-root User.

  • KubeletPodResources: Enable the kubelet's pod resources gRPC endpoint. See Support Device Monitoring for more details.

  • KubeletPodResourcesDynamicResources: Extend the kubelet's pod resources gRPC endpoint to include resources allocated in ResourceClaims via the DynamicResourceAllocation API. See resource allocation reporting for more details.

  • KubeletPodResourcesGet: Enable the Get gRPC endpoint on the kubelet for Pod resources. This API augments the resource allocation reporting.

  • KubeletPodResourcesGetAllocatable: Enable the kubelet's pod resources GetAllocatableResources functionality. This API augments the resource allocation reporting with information about the allocatable resources, enabling clients to properly track the free compute resources on a node.

  • KubeletSeparateDiskGC: Enable kubelet to garbage collect container images and containers even when those are on a separate filesystem.

  • KubeletTracing: Add support for distributed tracing in the kubelet. When enabled, kubelet CRI interface and authenticated http servers are instrumented to generate OpenTelemetry trace spans. See Traces for Kubernetes System Components for more details.

  • KubeProxyDrainingTerminatingNodes: Implement connection draining for terminating nodes for externalTrafficPolicy: Cluster services.

  • LegacyServiceAccountTokenCleanUp: Enable cleaning up Secret-based service account tokens when they have not been used for a specified time (defaults to one year).

  • LegacyServiceAccountTokenTracking: Track usage of Secret-based service account tokens.

  • LoadBalancerIPMode: Allows setting ipMode for Services where type is set to LoadBalancer. See Specifying IPMode of load balancer status for more information.

  • LocalStorageCapacityIsolationFSQuotaMonitoring: When LocalStorageCapacityIsolation is enabled for local ephemeral storage and the backing filesystem for emptyDir volumes supports project quotas and they are enabled, use project quotas to monitor emptyDir volume storage consumption rather than filesystem walk for better performance and accuracy.

  • LogarithmicScaleDown: Enable semi-random selection of pods to evict on controller scaledown based on logarithmic bucketing of pod timestamps.

  • LoggingAlphaOptions: Allow fine-tuning of experimental, alpha-quality logging options.

  • LoggingBetaOptions: Allow fine-tuning of experimental, beta-quality logging options.

  • MatchLabelKeysInPodAffinity: Enable the matchLabelKeys and mismatchLabelKeys field for pod (anti)affinity.

  • MatchLabelKeysInPodTopologySpread: Enable the matchLabelKeys field for Pod topology spread constraints.

  • MaxUnavailableStatefulSet: Enables setting the maxUnavailable field for the rolling update strategy of a StatefulSet. The field specifies the maximum number of Pods that can be unavailable during the update.

  • MemoryManager: Allows setting memory affinity for a container based on NUMA topology.

  • MemoryQoS: Enable memory protection and usage throttle on pod / container using cgroup v2 memory controller.

  • MinDomainsInPodTopologySpread: Enable minDomains in Pod topology spread constraints.

  • MinimizeIPTablesRestore: Enables new performance-improvement logic in the kube-proxy iptables mode.

  • MultiCIDRServiceAllocator: Track IP address allocations for Service cluster IPs using IPAddress objects.

  • NewVolumeManagerReconstruction:

    Enables improved discovery of mounted volumes during kubelet startup. Because this code has been significantly refactored, you can opt out if the kubelet gets stuck at startup or does not unmount volumes from terminated Pods. Note that this refactoring was behind the SELinuxMountReadWriteOncePod alpha feature gate in Kubernetes 1.25.

    Before Kubernetes v1.25, the kubelet used different default behavior for discovering mounted volumes during the kubelet startup. If you disable this feature gate (it's enabled by default), you select the legacy discovery behavior.

    In Kubernetes v1.25 and v1.26, this behavior toggle was part of the SELinuxMountReadWriteOncePod feature gate.

  • NFTablesProxyMode: Allow running kube-proxy in nftables mode.

  • NodeInclusionPolicyInPodTopologySpread: Enable using nodeAffinityPolicy and nodeTaintsPolicy in Pod topology spread constraints when calculating pod topology spread skew.

  • NodeLogQuery: Enables querying logs of node services using the /logs endpoint.

  • NodeOutOfServiceVolumeDetach: When a Node is marked out-of-service using the node.kubernetes.io/out-of-service taint, Pods on the node will be forcefully deleted if they can not tolerate this taint, and the volume detach operations for Pods terminating on the node will happen immediately. The deleted Pods can recover quickly on different nodes.

  • NodeSwap: Enable the kubelet to allocate swap memory for Kubernetes workloads on a node. Must be used with KubeletConfiguration.failSwapOn set to false. For more details, please see swap memory.

  • OpenAPIEnums: Enables populating "enum" fields of OpenAPI schemas in the spec returned from the API server.

  • PDBUnhealthyPodEvictionPolicy: Enables the unhealthyPodEvictionPolicy field of a PodDisruptionBudget. This specifies when unhealthy pods should be considered for eviction. Please see Unhealthy Pod Eviction Policy for more details.

  • PersistentVolumeLastPhaseTransitionTime: Adds a new field to PersistentVolume which holds a timestamp of when the volume last transitioned its phase.

  • PodAndContainerStatsFromCRI: Configure the kubelet to gather container and pod stats from the CRI container runtime rather than gathering them from cAdvisor. As of 1.26, this also includes gathering metrics from CRI and emitting them over /metrics/cadvisor (rather than having cAdvisor emit them directly).

  • PodDeletionCost: Enable the Pod Deletion Cost feature which allows users to influence ReplicaSet downscaling order.

  • PodDisruptionConditions: Enables support for appending a dedicated pod condition indicating that the pod is being deleted due to a disruption.

  • PodHostIPs: Enable the status.hostIPs field for pods and the downward API. The field lets you expose host IP addresses to workloads.

  • PodIndexLabel: Enables the Job controller and StatefulSet controller to add the pod index as a label when creating new pods. See Job completion mode docs and StatefulSet pod index label docs for more details.

  • PodLifecycleSleepAction: Enables the sleep action in Container lifecycle hooks.

  • PodReadyToStartContainersCondition:

    Enable the kubelet to mark the PodReadyToStartContainers condition on pods.

    This feature gate was previously known as PodHasNetworkCondition, and the associated condition was named PodHasNetwork.

  • PodSchedulingReadiness: Enable setting schedulingGates field to control a Pod's scheduling readiness.

  • ProcMountType: Enables control over the type of proc mounts for containers by setting the procMount field of a SecurityContext.

  • ProxyTerminatingEndpoints: Enable the kube-proxy to handle terminating endpoints when ExternalTrafficPolicy=Local.

  • QOSReserved: Allows resource reservations at the QoS level preventing pods at lower QoS levels from bursting into resources requested at higher QoS levels (memory only for now).

  • ReadWriteOncePod: Enables the usage of ReadWriteOncePod PersistentVolume access mode.

  • RecoverVolumeExpansionFailure: Enables users to edit their PVCs to smaller sizes so that they can recover from previously issued volume expansion failures. See Recovering from Failure when Expanding Volumes for more details.

  • RemainingItemCount: Allow the API servers to show a count of remaining items in the response to a chunking list request.

  • RemoveSelfLink: Sets the .metadata.selfLink field to blank (empty string) for all objects and collections. This field has been deprecated since the Kubernetes v1.16 release. When this feature is enabled, the .metadata.selfLink field remains part of the Kubernetes API, but is always unset.

  • RotateKubeletServerCertificate: Enable the rotation of the server TLS certificate on the kubelet. See kubelet configuration for more details.

  • RuntimeClassInImageCriApi: Enables images to be pulled based on the runtime class of the pods that reference them.

  • SchedulerQueueingHints: Enables the scheduler's queueing hints enhancement, which helps reduce useless requeueing. The scheduler retries scheduling pods if something changes in the cluster that could allow the pod to be scheduled. Queueing hints are internal signals that allow the scheduler to filter the changes in the cluster that are relevant to the unscheduled pod, based on previous scheduling attempts.

  • SecurityContextDeny: This gate signals that the SecurityContextDeny admission controller is deprecated.

  • SELinuxMountReadWriteOncePod: Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. The initial implementation focused on ReadWriteOncePod volumes.

  • SeparateTaintEvictionController: Enables running TaintEvictionController, which performs Taint-based Evictions, in a controller separate from NodeLifecycleController. When this feature is enabled, users can optionally disable Taint-based Eviction by setting the --controllers=-taint-eviction-controller flag on the kube-controller-manager.

  • ServerSideApply: Enables the Server Side Apply (SSA) feature on the API Server.

  • ServerSideFieldValidation: Enables server-side field validation. This means the validation of resource schema is performed at the API server side rather than the client side (for example, the kubectl create or kubectl apply command line).

  • ServiceAccountTokenJTI: Controls whether JTIs (UUIDs) are embedded into generated service account tokens, and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens.

  • ServiceAccountTokenNodeBinding: Controls whether the apiserver allows binding service account tokens to Node objects.

  • ServiceAccountTokenNodeBindingValidation: Controls whether the apiserver will validate a Node reference in service account tokens.

  • ServiceAccountTokenPodNodeInfo: Controls whether the apiserver embeds the node name and uid for the associated node when issuing service account tokens bound to Pod objects.

  • ServiceNodePortStaticSubrange: Enables the use of different port allocation strategies for NodePort Services. For more details, see reserve NodePort ranges to avoid collisions.

  • SidecarContainers: Allow setting the restartPolicy of an init container to Always so that the container becomes a sidecar container (restartable init containers). See Sidecar containers and restartPolicy for more details.

  • SizeMemoryBackedVolumes: Enable kubelets to determine the size limit for memory-backed volumes (mainly emptyDir volumes).

  • SkipReadOnlyValidationGCE: Skip validation for GCE, will enable in the next version.

  • StableLoadBalancerNodeSet: Enables fewer load balancer re-configurations by the service controller (KCCM) as an effect of changing node state.

  • StatefulSetAutoDeletePVC: Allows the use of the optional .spec.persistentVolumeClaimRetentionPolicy field, providing control over the deletion of PVCs in a StatefulSet's lifecycle. See PersistentVolumeClaim retention for more details.

  • StatefulSetStartOrdinal: Allow configuration of the start ordinal in a StatefulSet. See Start ordinal for more details.

  • StorageVersionAPI: Enable the storage version API.

  • StorageVersionHash: Allow API servers to expose the storage version hash in the discovery.

  • StructuredAuthenticationConfiguration: Enable structured authentication configuration for the API server.

  • StructuredAuthorizationConfiguration: Enable structured authorization configuration, so that cluster administrators can specify more than one authorization webhook in the API server handler chain.

  • TopologyAwareHints: Enables topology aware routing based on topology hints in EndpointSlices. See Topology Aware Hints for more details.

  • TopologyManagerPolicyAlphaOptions: Allow fine-tuning of topology manager policies, experimental, Alpha-quality options. This feature gate guards a group of topology manager options whose quality level is alpha. This feature gate will never graduate to beta or stable.

  • TopologyManagerPolicyBetaOptions: Allow fine-tuning of topology manager policies, experimental, Beta-quality options. This feature gate guards a group of topology manager options whose quality level is beta. This feature gate will never graduate to stable.

  • TopologyManagerPolicyOptions: Enable fine-tuning of topology manager policies.

  • TranslateStreamCloseWebsocketRequests: Allow WebSocket streaming of the remote command sub-protocol (exec, cp, attach) from clients requesting version 5 (v5) of the sub-protocol.

  • UnauthenticatedHTTP2DOSMitigation: Enables HTTP/2 Denial of Service (DoS) mitigations for unauthenticated clients. Kubernetes v1.28.0 through v1.28.2 do not include this feature gate.

  • UnknownVersionInteroperabilityProxy: Proxy resource requests to the correct peer kube-apiserver when multiple kube-apiservers exist at varied versions. See Mixed version proxy for more information.

  • UserNamespacesPodSecurityStandards: Enable Pod Security Standards policies relaxation for pods that run with user namespaces. You must set the value of this feature gate consistently across all nodes in your cluster, and you must also enable UserNamespacesSupport to use this feature.

  • UserNamespacesSupport: Enable user namespace support for Pods.

  • ValidatingAdmissionPolicy: Enable ValidatingAdmissionPolicy support for CEL validations to be used in Admission Control.

  • VolumeAttributesClass: Enable support for VolumeAttributesClasses. See Volume Attributes Classes for more information.

  • VolumeCapacityPriority: Enable support for prioritizing nodes in different topologies based on available PV capacity.

  • WatchBookmark: Enable support for watch bookmark events.

  • WatchList: Enable support for streaming initial state of objects in watch requests.

  • WindowsHostNetwork: Enables support for joining Windows containers to a host's network namespace.

  • WinDSR: Allows kube-proxy to create DSR loadbalancers for Windows.

  • WinOverlay: Allows kube-proxy to run in overlay mode for Windows.

  • ZeroLimitedNominalConcurrencyShares: Allow Priority & Fairness in the API server to use a zero value for the nominalConcurrencyShares field of the limited section of a priority level.

What's next

  • The deprecation policy for Kubernetes explains the project's approach to removing features and components.
  • Since Kubernetes 1.24, new beta APIs are not enabled by default. When enabling a beta feature, you will also need to enable any associated API resources. For example, to enable a particular resource like storage.k8s.io/v1beta1/csistoragecapacities, set --runtime-config=storage.k8s.io/v1beta1/csistoragecapacities. See API Versioning for more details on the command line flags.
Last modified December 28, 2023 at 10:17 AM PST: Render feature gate descriptions automatically (daecef8292)