Feature Gates (removed)

This page contains list of feature gates that have been removed. The information on this page is for reference. A removed feature gate is different from a GA'ed or deprecated one in that a removed one is no longer recognized as a valid feature gate. However, a GA'ed or a deprecated feature gate is still recognized by the corresponding Kubernetes components although they are unable to cause any behavior differences in a cluster.

For feature gates that are still recognized by the Kubernetes components, please refer to the Alpha/Beta feature gate table or the Graduated/Deprecated feature gate table

Feature gates that are removed

In the following table:

• The "From" column contains the Kubernetes release when a feature is introduced or its release stage is changed.
• The "To" column, if not empty, contains the last Kubernetes release in which you can still use a feature gate. If the feature stage is either "Deprecated" or "GA", the "To" column is the Kubernetes release when the feature is removed.

Descriptions for removed feature gates

Accelerators

Provided an early form of plugin to enable Nvidia GPU support when using Docker Engine; no longer available. See Device Plugins for an alternative.

AdmissionWebhookMatchConditions

Enable match conditions on mutating & validating admission webhooks.

AdvancedAuditing

Enable advanced auditing

AffinityInAnnotations

Enable setting Pod affinity or anti-affinity.

AggregatedDiscoveryEndpoint

Enable a single HTTP endpoint /discovery/<version> which supports native HTTP caching with ETags containing all APIResources known to the API server.

AllowExtTrafficLocalEndpoints

Enable a service to route external requests to node local endpoints.

AllowInsecureBackendProxy

Enable the users to skip TLS verification of kubelets on Pod log requests.

AllowServiceLBStatusOnNonLB

Enables .status.ingress.loadBalancer to be set on Services of types other than LoadBalancer.

APIListChunking

Enable the API clients to retrieve (LIST or GET) resources from API server in chunks.

APIPriorityAndFairness

Enable managing request concurrency with prioritization and fairness at each server. (Renamed from RequestManagement)

APISelfSubjectReview

Activate the SelfSubjectReview API which allows users to see the requesting subject's authentication information. See API access to authentication information for a client for more details.

AppArmor

Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See AppArmor Tutorial for more details.

AppArmorFields

Enable AppArmor related security context settings.

For more information about AppArmor and Kubernetes, read the AppArmor section within security features in the Linux kernel.

AttachVolumeLimit

Enable volume plugins to report limits on number of volumes that can be attached to a node. See dynamic volume limits for more details.

BalanceAttachedNodeVolumes

Include volume count on node to be considered for balanced resource allocation while scheduling. A node which has closer CPU, memory utilization, and volume count is favored by the scheduler while making decisions.

BlockVolume

Enable the definition and consumption of raw block devices in Pods. See Raw Block Volume Support for more details.

BoundServiceAccountTokenVolume

Migrate ServiceAccount volumes to use a projected volume consisting of a ServiceAccountTokenVolumeProjection. Cluster admins can use metric serviceaccount_stale_tokens_total to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting kube-apiserver with flag --service-account-extend-token-expiration=false.

Check Bound Service Account Tokens for more details.

CloudDualStackNodeIPs

Enables dual-stack kubelet --node-ip with external cloud providers. See Configure IPv4/IPv6 dual-stack for more details.

ComponentSLIs

Enable the /metrics/slis endpoint on Kubernetes components like kubelet, kube-scheduler, kube-proxy, kube-controller-manager, cloud-controller-manager allowing you to scrape health check metrics.

ConfigurableFSGroupPolicy

Allows user to configure volume permission change policy for fsGroups when mounting a volume in a Pod. See Configure volume permission and ownership change policy for Pods for more details.

ConsistentHTTPGetHandlers

Normalize HTTP get URL and Header passing for lifecycle handlers with probers.

ControllerManagerLeaderMigration

Enables Leader Migration for kube-controller-manager and cloud-controller-manager which allows a cluster operator to live migrate controllers from the kube-controller-manager into an external controller-manager (e.g. the cloud-controller-manager) in an HA cluster without downtime.

CPUManager

Enable container level CPU affinity support, see CPU Management Policies.

CRIContainerLogRotation

Enable container log rotation for CRI container runtime. The default max size of a log file is 10MB and the default max number of log files allowed for a container is 5. These values can be configured in the kubelet config. See logging at node level for more details.

CronJobControllerV2

Use an alternative implementation of the CronJob controller. Otherwise, version 1 of the same controller is selected.

CronJobTimeZone

Allow the use of the timeZone optional field in CronJobs

CSIBlockVolume

Enable external CSI volume drivers to support block storage. See csi raw block volume support for more details.

CSIDriverRegistry

Enable all logic related to the CSIDriver API object in csi.storage.k8s.io.

CSIInlineVolume

Enable CSI Inline volumes support for pods.

CSIMigration

Enables shims and translation logic to route volume operations from in-tree plugins to corresponding pre-installed CSI plugins

CSIMigrationAWS

Enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Supports falling back to in-tree EBS plugin for mount operations to nodes that have the feature disabled or that do not have EBS CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured.

CSIMigrationAWSComplete

Stops registering the EBS in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Requires CSIMigration and CSIMigrationAWS feature flags enabled and EBS CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginAWSUnregister feature flag which prevents the registration of in-tree EBS plugin.

CSIMigrationAzureDisk

Enables shims and translation logic to route volume operations from the Azure-Disk in-tree plugin to AzureDisk CSI plugin. Supports falling back to in-tree AzureDisk plugin for mount operations to nodes that have the feature disabled or that do not have AzureDisk CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

CSIMigrationAzureDiskComplete

Stops registering the Azure-Disk in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the Azure-Disk in-tree plugin to AzureDisk CSI plugin. Requires CSIMigration and CSIMigrationAzureDisk feature flags enabled and AzureDisk CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginAzureDiskUnregister feature flag which prevents the registration of in-tree AzureDisk plugin.

CSIMigrationAzureFile

Enables shims and translation logic to route volume operations from the Azure-File in-tree plugin to AzureFile CSI plugin. Supports falling back to in-tree AzureFile plugin for mount operations to nodes that have the feature disabled or that do not have AzureFile CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

CSIMigrationAzureFileComplete

Stops registering the Azure-File in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the Azure-File in-tree plugin to AzureFile CSI plugin. Requires CSIMigration and CSIMigrationAzureFile feature flags enabled and AzureFile CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginAzureFileUnregister feature flag which prevents the registration of in-tree AzureFile plugin.

CSIMigrationGCE

Enables shims and translation logic to route volume operations from the GCE-PD in-tree plugin to PD CSI plugin. Supports falling back to in-tree GCE plugin for mount operations to nodes that have the feature disabled or that do not have PD CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

CSIMigrationGCEComplete

Stops registering the GCE-PD in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the GCE-PD in-tree plugin to PD CSI plugin. Requires CSIMigration and CSIMigrationGCE feature flags enabled and PD CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginGCEUnregister feature flag which prevents the registration of in-tree GCE PD plugin.

CSIMigrationOpenStack

Enables shims and translation logic to route volume operations from the Cinder in-tree plugin to Cinder CSI plugin. Supports falling back to in-tree Cinder plugin for mount operations to nodes that have the feature disabled or that do not have Cinder CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

CSIMigrationOpenStackComplete

Stops registering the Cinder in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the Cinder in-tree plugin to Cinder CSI plugin. Requires CSIMigration and CSIMigrationOpenStack feature flags enabled and Cinder CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginOpenStackUnregister feature flag which prevents the registration of in-tree openstack cinder plugin.

CSIMigrationRBD

Enables shims and translation logic to route volume operations from the RBD in-tree plugin to Ceph RBD CSI plugin. Requires CSIMigration and csiMigrationRBD feature flags enabled and Ceph CSI plugin installed and configured in the cluster.

This feature gate was deprecated in favor of the InTreePluginRBDUnregister feature gate, which prevents the registration of in-tree RBD plugin.

CSIMigrationvSphere

Enables shims and translation logic to route volume operations from the vSphere in-tree plugin to vSphere CSI plugin. Supports falling back to in-tree vSphere plugin for mount operations to nodes that have the feature disabled or that do not have vSphere CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled.

CSIMigrationvSphereComplete

Stops registering the vSphere in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the vSphere in-tree plugin to vSphere CSI plugin. Requires CSIMigration and CSIMigrationvSphere feature flags enabled and vSphere CSI plugin installed and configured on all nodes in the cluster. This flag has been deprecated in favor of the InTreePluginvSphereUnregister feature flag which prevents the registration of in-tree vsphere plugin.

CSINodeExpandSecret

Enable passing secret authentication data to a CSI driver for use during a NodeExpandVolume CSI operation.

CSINodeInfo

Enable all logic related to the CSINodeInfo API object in csi.storage.k8s.io.

CSIPersistentVolume

Enable discovering and mounting volumes provisioned through a CSI (Container Storage Interface) compatible volume plugin.

CSIServiceAccountToken

Enable CSI drivers to receive the pods' service account token that they mount volumes for. See Token Requests.

CSIStorageCapacity

Enables CSI drivers to publish storage capacity information and the Kubernetes scheduler to use that information when scheduling pods. See Storage Capacity. Check the csi volume type documentation for more details.

CSIVolumeFSGroupPolicy

Allows CSIDrivers to use the fsGroupPolicy field. This field controls whether volumes created by a CSIDriver support volume ownership and permission modifications when these volumes are mounted.

CSRDuration

Allows clients to request a duration for certificates issued via the Kubernetes CSR API.

CustomPodDNS

Enable customizing the DNS settings for a Pod using its dnsConfig property. Check Pod's DNS Config for more details.

CustomResourceDefaulting

Enable CRD support for default values in OpenAPI v3 validation schemas.

CustomResourcePublishOpenAPI

Enables publishing of CRD OpenAPI specs.

CustomResourceSubresources

Enable /status and /scale subresources on resources created from CustomResourceDefinition.

CustomResourceValidation

Enable schema based validation on resources created from CustomResourceDefinition.

CustomResourceValidationExpressions

Enable expression language validation in CRD which will validate customer resource based on validation rules written in the x-kubernetes-validations extension.

CustomResourceWebhookConversion

Enable webhook-based conversion on resources created from CustomResourceDefinition.

DaemonSetUpdateSurge

Enables the DaemonSet workloads to maintain availability during update per node. See Perform a Rolling Update on a DaemonSet.

DefaultHostNetworkHostPortsInPodTemplates

This feature gate controls the point at which a default value for .spec.containers[*].ports[*].hostPort is assigned, for Pods using hostNetwork: true. The default since Kubernetes v1.28 is to only set a default value in Pods.

Enabling this means a default will be assigned even to the .spec of an embedded PodTemplate (for example, in a Deployment), which is the way that older releases of Kubernetes worked. You should migrate your code so that it does not rely on the legacy behavior.

DefaultPodTopologySpread

Enables the use of PodTopologySpread scheduling plugin to do default spreading.

DelegateFSGroupToCSIDriver

If supported by the CSI driver, delegates the role of applying fsGroup from a Pod's securityContext to the driver by passing fsGroup through the NodeStageVolume and NodePublishVolume CSI calls.

DevicePluginCDIDevices

Enable support to CDI device IDs in the Device Plugin API.

DevicePlugins

Enable the device-plugins based resource provisioning on nodes.

DisableAcceleratorUsageMetrics

Disable accelerator metrics collected by the kubelet.

DisableCloudProviders

Enabling this feature gate deactivated functionality in kube-apiserver, kube-controller-manager and kubelet that related to the --cloud-provider command line argument.

In Kubernetes v1.31 and later, the only valid values for --cloud-provider are the empty string (no cloud provider integration), or "external" (integration via a separate cloud-controller-manager).

DisableKubeletCloudCredentialProviders

Enabling the feature gate deactivated the legacy in-tree functionality within the kubelet, that allowed the kubelet to to authenticate to a cloud provider container registry for container image pulls.

DownwardAPIHugePages

Enables usage of hugepages in downward API.

DRAControlPlaneController

Enables support for resources with custom parameters and a lifecycle that is independent of a Pod. Allocation of resources is handled by a resource driver's control plane controller.

DryRun

Enable server-side dry run requests so that validation, merging, and mutation can be tested without committing.

DynamicAuditing

Used to enable dynamic auditing before v1.19.

DynamicKubeletConfig

Enable the dynamic configuration of kubelet. The feature is no longer supported outside of supported skew policy. The feature gate was removed from kubelet in 1.24.

DynamicProvisioningScheduling

Extend the default scheduler to be aware of volume topology and handle PV provisioning. This feature was superseded by the VolumeScheduling feature in v1.12.

DynamicVolumeProvisioning

Enable the dynamic provisioning of persistent volumes to Pods.

EfficientWatchResumption

Allows for storage-originated bookmark (progress notify) events to be delivered to the users. This is only applied to watch operations.

EnableAggregatedDiscoveryTimeout

Enable the five second timeout on aggregated discovery calls.

EnableEquivalenceClassCache

Enable the scheduler to cache equivalence of nodes when scheduling Pods.

EndpointSlice

Enables EndpointSlices for more scalable and extensible network endpoints. See Enabling EndpointSlices.

EndpointSliceNodeName

Enables EndpointSlice nodeName field.

EndpointSliceProxying

When enabled, kube-proxy running on Linux will use EndpointSlices as the primary data source instead of Endpoints, enabling scalability and performance improvements. See Enabling Endpoint Slices.

EndpointSliceTerminatingCondition

Enables EndpointSlice terminating and serving condition fields.

EphemeralContainers

Enable the ability to add ephemeral containers to running Pods.

EvenPodsSpread

Enable pods to be scheduled evenly across topology domains. See Pod Topology Spread Constraints.

ExpandCSIVolumes

Enable the expanding of CSI volumes.

ExpandedDNSConfig

Enable kubelet and kube-apiserver to allow more DNS search paths and longer list of DNS search paths. This feature requires container runtime support(Containerd: v1.5.6 or higher, CRI-O: v1.22 or higher). See Expanded DNS Configuration.

ExpandInUsePersistentVolumes

Enable expanding in-use PVCs. See Resizing an in-use PersistentVolumeClaim.

ExpandPersistentVolumes

Enable the expanding of persistent volumes. See Expanding Persistent Volumes Claims.

ExperimentalCriticalPodAnnotation

Enable annotating specific pods as critical so that their scheduling is guaranteed. This feature is deprecated by Pod Priority and Preemption as of v1.13.

ExperimentalHostUserNamespaceDefaulting

Enabling the defaulting user namespace to host. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced capabilities (e.g. MKNODE, SYS_MODULE etc.). This should only be enabled if user namespace remapping is enabled in the Docker daemon.

ExternalPolicyForExternalIP

Fix a bug where ExternalTrafficPolicy is not applied to Service ExternalIPs.

GCERegionalPersistentDisk

Enable the regional PD feature on GCE.

GenericEphemeralVolume

Enables ephemeral, inline volumes that support all features of normal volumes (can be provided by third-party storage vendors, storage capacity tracking, restore from snapshot, etc.). See Ephemeral Volumes.

GRPCContainerProbe

Enables the gRPC probe method for {Liveness,Readiness,Startup}Probe. See Configure Liveness, Readiness and Startup Probes.

HPAContainerMetrics

Allow HorizontalPodAutoscalers to scale based on metrics from individual containers within target pods.

HugePages

Enable the allocation and consumption of pre-allocated huge pages.

HugePageStorageMediumSize

Enable support for multiple sizes pre-allocated huge pages.

HyperVContainer

Enable Hyper-V isolation for Windows containers.

IdentifyPodOS

Allows the Pod OS field to be specified. This helps in identifying the OS of the pod authoritatively during the API server admission time.

ImmutableEphemeralVolumes

Allows for marking individual Secrets and ConfigMaps as immutable for better safety and performance.

IndexedJob

Allows the Job controller to manage Pod completions per completion index.

IngressClassNamespacedParams

Allow namespace-scoped parameters reference in IngressClass resource. This feature adds two fields - Scope and Namespace to IngressClass.spec.parameters.

Initializers

Allow asynchronous coordination of object creation using the Initializers admission plugin.

InTreePluginAWSUnregister

Stops registering the aws-ebs in-tree plugin in kubelet and volume controllers.

InTreePluginAzureDiskUnregister

Stops registering the azuredisk in-tree plugin in kubelet and volume controllers.

InTreePluginAzureFileUnregister

Stops registering the azurefile in-tree plugin in kubelet and volume controllers.

InTreePluginGCEUnregister

Stops registering the gce-pd in-tree plugin in kubelet and volume controllers.

InTreePluginOpenStackUnregister

Stops registering the OpenStack cinder in-tree plugin in kubelet and volume controllers.

InTreePluginRBDUnregister

Stops registering the RBD in-tree plugin within kubelet and volume controllers.

InTreePluginvSphereUnregister

Stops registering the vSphere in-tree plugin in kubelet and volume controllers.

IPTablesOwnershipCleanup

This causes kubelet to no longer create legacy iptables rules.

IPv6DualStack

Enable dual stack support for IPv6.

JobMutableNodeSchedulingDirectives

Allows updating node scheduling directives in the pod template of Job.

JobPodFailurePolicy

Allow users to specify handling of pod failures based on container exit codes and pod conditions.

JobReadyPods

Enables tracking the number of Pods that have a Ready condition. The count of Ready pods is recorded in the status of a Job status.

JobTrackingWithFinalizers

Enables tracking Job completions without relying on Pods remaining in the cluster indefinitely. The Job controller uses Pod finalizers and a field in the Job status to keep track of the finished Pods to count towards completion.

KMSv2

Enables KMS v2 API for encryption at rest. See Using a KMS Provider for data encryption for more details.

KMSv2KDF

Enables KMS v2 to generate single use data encryption keys. See Using a KMS Provider for data encryption for more details. If the KMSv2 feature gate is not enabled in your cluster, the value of the KMSv2KDF feature gate has no effect.

KubeletConfigFile

Enable loading kubelet configuration from a file specified using a config file. See setting kubelet parameters via a config file for more details.

KubeletCredentialProviders

Enable kubelet exec credential providers for image pull credentials.

KubeletPluginsWatcher

Enable probe-based plugin watcher utility to enable kubelet to discover plugins such as CSI volume drivers.

KubeletPodResources

Enable the kubelet's pod resources gRPC endpoint. See Support Device Monitoring for more details.

KubeletPodResourcesGetAllocatable

Enable the kubelet's pod resources GetAllocatableResources functionality. This API augments the resource allocation reporting

KubeProxyDrainingTerminatingNodes

Implement connection draining for terminating nodes for externalTrafficPolicy: Cluster services.

LegacyNodeRoleBehavior

When disabled, legacy behavior in service load balancers and node disruption will ignore the node-role.kubernetes.io/master label in favor of the feature-specific labels provided by NodeDisruptionExclusion and ServiceNodeExclusion.

LegacyServiceAccountTokenCleanUp

Enable cleaning up Secret-based service account tokens when they are not used in a specified time (default to be one year).

LegacyServiceAccountTokenNoAutoGeneration

Stop auto-generation of Secret-based service account tokens.

LegacyServiceAccountTokenTracking

Track usage of Secret-based service account tokens.

LoadBalancerIPMode

Allows setting ipMode for Services where type is set to LoadBalancer. See Specifying IPMode of load balancer status for more information.

LocalStorageCapacityIsolation

Enable the consumption of local ephemeral storage and also the sizeLimit property of an emptyDir volume.

MinDomainsInPodTopologySpread

Enable minDomains in Pod topology spread constraints.

MinimizeIPTablesRestore

Enables new performance improvement logics in the kube-proxy iptables mode.

MixedProtocolLBService

Enable using different protocols in the same LoadBalancer type Service instance.

MountContainers

Enable using utility containers on host as the volume mounter.

MountPropagation

Enable sharing volume mounted by one container to other containers or pods. For more details, please see mount propagation.

MultiCIDRRangeAllocator

Enables the MultiCIDR range allocator.

NamespaceDefaultLabelName

Configure the API Server to set an immutable label kubernetes.io/metadata.name on all namespaces, containing the namespace name.

NetworkPolicyEndPort

Allows you to define ports in a NetworkPolicy rule as a range of port numbers.

NetworkPolicyStatus

Enable the status subresource for NetworkPolicy objects.

NewVolumeManagerReconstruction

Enables improved discovery of mounted volumes during kubelet startup. Since the associated code had been significantly refactored, Kubernetes versions 1.25 to 1.29 allowed you to opt-out in case the kubelet got stuck at the startup, or did not unmount volumes from terminated Pods.

This refactoring was behind the SELinuxMountReadWriteOncePod feature gate in Kubernetes releases 1.25 and 1.26.

NodeDisruptionExclusion

Enable use of the Node label node.kubernetes.io/exclude-disruption which prevents nodes from being evacuated during zone failures.

NodeLease

Enable the new Lease API to report node heartbeats, which could be used as a node health signal.

NodeOutOfServiceVolumeDetach

When a Node is marked out-of-service using the node.kubernetes.io/out-of-service taint, Pods on the node will be forcefully deleted if they can not tolerate this taint, and the volume detach operations for Pods terminating on the node will happen immediately. The deleted Pods can recover quickly on different nodes.

NonPreemptingPriority

Enable preemptionPolicy field for PriorityClass and Pod.

OpenAPIV3

Enables the API server to publish OpenAPI v3.

PDBUnhealthyPodEvictionPolicy

Enables the unhealthyPodEvictionPolicy field of a PodDisruptionBudget. This specifies when unhealthy pods should be considered for eviction. Please see Unhealthy Pod Eviction Policy for more details.

PersistentLocalVolumes

Enable the usage of local volume type in Pods. Pod affinity has to be specified if requesting a local volume.

PersistentVolumeLastPhaseTransitionTime

Adds a new field to PersistentVolume which holds a timestamp of when the volume last transitioned its phase.

PodAffinityNamespaceSelector

Enable the Pod Affinity Namespace Selector and CrossNamespacePodAffinity quota scope features.

PodDisruptionBudget

Enable the PodDisruptionBudget feature.

PodDisruptionConditions

Enabled support for appending a dedicated pod condition indicating that the pod is being deleted due to a disruption.

PodHasNetworkCondition

Enable the kubelet to mark the PodHasNetwork condition on pods. This was renamed to PodReadyToStartContainersCondition in 1.28.

PodHostIPs

Enable the status.hostIPs field for pods and the downward API. The field lets you expose host IP addresses to workloads.

PodOverhead

Enable the PodOverhead feature to account for pod overheads.

PodPriority

Enable the descheduling and preemption of Pods based on their priorities.

PodReadinessGates

Enable the setting of PodReadinessGate field for extending Pod readiness evaluation. See Pod readiness gate for more details.

PodSecurity

Enables the PodSecurity admission plugin.

PodShareProcessNamespace

Enable the setting of shareProcessNamespace in a Pod for sharing a single process namespace between containers running in a pod. More details can be found in Share Process Namespace between Containers in a Pod.

PreferNominatedNode

This flag tells the scheduler whether the nominated nodes will be checked first before looping through all the other nodes in the cluster.

ProbeTerminationGracePeriod

Enable setting probe-level terminationGracePeriodSeconds on pods. See the enhancement proposal for more details.

ProxyTerminatingEndpoints

Enable the kube-proxy to handle terminating endpoints when ExternalTrafficPolicy=Local.

PVCProtection

Enable the prevention of a PersistentVolumeClaim (PVC) from being deleted when it is still used by any Pod.

ReadOnlyAPIDataVolumes

Set configMap, secret, downwardAPI and projected volumes to be mounted read-only.

Since Kubernetes v1.10, these volume types are always read-only and you cannot opt out.

ReadWriteOncePod

Enables the usage of ReadWriteOncePod PersistentVolume access mode.

RemainingItemCount

Allow the API servers to show a count of remaining items in the response to a chunking list request.

RemoveSelfLink

Sets the .metadata.selfLink field to blank (empty string) for all objects and collections. This field has been deprecated since the Kubernetes v1.16 release. When this feature is enabled, the .metadata.selfLink field remains part of the Kubernetes API, but is always unset.

RequestManagement

Enables managing request concurrency with prioritization and fairness at each API server. Deprecated by APIPriorityAndFairness since 1.17.

ResourceLimitsPriorityFunction

Enable a scheduler priority function that assigns a lowest possible score of 1 to a node that satisfies at least one of the input Pod's cpu and memory limits. The intent is to break ties between nodes with same scores.

ResourceQuotaScopeSelectors

Enable resource quota scope selectors.

RetroactiveDefaultStorageClass

Allow assigning StorageClass to unbound PVCs retroactively.

RootCAConfigMap

Configure the kube-controller-manager to publish a ConfigMap named kube-root-ca.crt to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver. See Bound Service Account Tokens for more details.

RotateKubeletClientCertificate

Enable the rotation of the client TLS certificate on the kubelet. See kubelet configuration for more details.

RunAsGroup

Enable control over the primary group ID set on the init processes of containers.

RuntimeClass

Enable the RuntimeClass feature for selecting container runtime configurations.

ScheduleDaemonSetPods

Enable DaemonSet Pods to be scheduled by the default scheduler instead of the DaemonSet controller.

SCTPSupport

Enables the SCTP protocol value in Pod, Service, Endpoints, EndpointSlice, and NetworkPolicy definitions.

SeccompDefault

Enables the use of RuntimeDefault as the default seccomp profile for all workloads. The seccomp profile is specified in the securityContext of a Pod and/or a Container.

SecurityContextDeny

This gate signals that the SecurityContextDeny admission controller is deprecated.

SelectorIndex

Allows label and field based indexes in API server watch cache to accelerate list operations.

ServerSideApply

Enables the Sever Side Apply (SSA) feature on the API Server.

ServerSideFieldValidation

Enables server-side field validation. This means the validation of resource schema is performed at the API server side rather than the client side (for example, the kubectl create or kubectl apply command line).

ServiceAccountIssuerDiscovery

Enable OIDC discovery endpoints (issuer and JWKS URLs) for the service account issuer in the API server. See Configure Service Accounts for Pods for more details.

ServiceAppProtocol

Enables the appProtocol field on Services and Endpoints.

ServiceInternalTrafficPolicy

Enables the internalTrafficPolicy field on Services

ServiceIPStaticSubrange

Enables a strategy for Services ClusterIP allocations, whereby the ClusterIP range is subdivided. Dynamic allocated ClusterIP addresses will be allocated preferently from the upper range allowing users to assign static ClusterIPs from the lower range with a low risk of collision. See Avoiding collisions for more details.

ServiceLBNodePortControl

Enables the allocateLoadBalancerNodePorts field on Services.

ServiceLoadBalancerClass

Enables the loadBalancerClass field on Services. See Specifying class of load balancer implementation for more details.

ServiceLoadBalancerFinalizer

Enable finalizer protection for Service load balancers.

ServiceNodeExclusion

Enable the exclusion of nodes from load balancers created by a cloud provider. A node is eligible for exclusion if labelled with "node.kubernetes.io/exclude-from-external-load-balancers".

ServiceNodePortStaticSubrange

Enables the use of different port allocation strategies for NodePort Services. For more details, see reserve NodePort ranges to avoid collisions.

ServiceTopology

Enable service to route traffic based upon the Node topology of the cluster.

SetHostnameAsFQDN

Enable the ability of setting Fully Qualified Domain Name(FQDN) as the hostname of a pod. See Pod's setHostnameAsFQDN field.

SizeMemoryBackedVolumes

Enable kubelets to determine the size limit for memory-backed volumes (mainly emptyDir volumes).

SkipReadOnlyValidationGCE

Skip validation that GCE PersistentDisk volumes are in read-only mode.

StableLoadBalancerNodeSet

Enables less load balancer re-configurations by the service controller (KCCM) as an effect of changing node state.

StartupProbe

Enable the startup probe in the kubelet.

StatefulSetMinReadySeconds

Allows minReadySeconds to be respected by the StatefulSet controller.

StorageObjectInUseProtection

Postpone the deletion of PersistentVolume or PersistentVolumeClaim objects if they are still being used.

StreamingProxyRedirects

Instructs the API server to intercept (and follow) redirects from the backend (kubelet) for streaming requests. Examples of streaming requests include the exec, attach and port-forward requests.

SupportIPVSProxyMode

Enable providing in-cluster service load balancing using IPVS. See service proxies for more details.

SupportNodePidsLimit

Enable the support to limiting PIDs on the Node. The parameter pid=<number> in the --system-reserved and --kube-reserved options can be specified to ensure that the specified number of process IDs will be reserved for the system as a whole and for Kubernetes system daemons respectively.

SupportPodPidsLimit

Enable the support to limiting PIDs in Pods.

SuspendJob

Enable support to suspend and resume Jobs. For more details, see the Jobs docs.

Sysctls

Enable support for namespaced kernel parameters (sysctls) that can be set for each pod. See sysctls for more details.

TaintBasedEvictions

Enable evicting pods from nodes based on taints on Nodes and tolerations on Pods. See taints and tolerations for more details.

TaintNodesByCondition

Enable automatic tainting nodes based on node conditions.

TokenRequest

Enable the TokenRequest endpoint on service account resources.

TokenRequestProjection

Enable the injection of service account tokens into a Pod through a projected volume.

TopologyManager

Enable a mechanism to coordinate fine-grained hardware resource assignments for different components in Kubernetes. See Control Topology Management Policies on a node.

TTLAfterFinished

Allow a TTL controller to clean up resources after they finish execution.

UserNamespacesPodSecurityStandards

Enable Pod Security Standards policies relaxation for pods that run with namespaces. You must set the value of this feature gate consistently across all nodes in your cluster, and you must also enable UserNamespacesSupport to use this feature.

This feature gate is not part of Kubernetes v1.35 (and onwards) because, for those versions of Kubernetes, all supported kubelet versions will fail to create a pod if it requests a user namespace, but the node does not.

UserNamespacesStatelessPodsSupport

Enable user namespace support for stateless Pods. This feature gate was superseded by the UserNamespacesSupport feature gate in the Kubernetes v1.28 release.

ValidateProxyRedirects

This flag controls whether the API server should validate that redirects are only followed to the same host. Only used if the StreamingProxyRedirects flag is enabled.

ValidatingAdmissionPolicy

Enable ValidatingAdmissionPolicy support for CEL validations be used in Admission Control.

VolumeCapacityPriority

Enable support for prioritizing nodes in different topologies based on available PV capacity. This feature is renamed to StorageCapacityScoring in v1.33.

VolumePVCDataSource

Enable support for specifying an existing PVC as a DataSource.

VolumeScheduling

Enable volume topology aware scheduling and make the PersistentVolumeClaim (PVC) binding aware of scheduling decisions. It also enables the usage of local volume type when used together with the PersistentLocalVolumes feature gate.

VolumeSnapshotDataSource

Enable volume snapshot data source support.

VolumeSubpath

Allow mounting a subpath of a volume in a container.

VolumeSubpathEnvExpansion

Enable subPathExpr field for expanding environment variables into a subPath.

WarningHeaders

Allow sending warning headers in API responses.

WatchBookmark

Enable support for watch bookmark events.

WindowsEndpointSliceProxying

When enabled, kube-proxy running on Windows will use EndpointSlices as the primary data source instead of Endpoints, enabling scalability and performance improvements. See Enabling Endpoint Slices.

WindowsGMSA

Enables passing of GMSA credential specs from pods to container runtimes.

WindowsHostProcessContainers

Enables support for Windows HostProcess containers.

WindowsRunAsUserName

Enable support for running applications in Windows containers with as a non-default user. See Configuring RunAsUserName for more details.

ZeroLimitedNominalConcurrencyShares

Allow priority & fairness in the API server to use a zero value for the nominalConcurrencyShares field of the limited section of a priority level.