Feature Gates
This page contains an overview of the various feature gates an administrator can specify on different Kubernetes components.
See feature stages for an explanation of the stages for a feature.
Overview
Feature gates are a set of key=value pairs that describe Kubernetes features.
You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component.
Each Kubernetes component lets you enable or disable a set of feature gates that are relevant to that component.
Use the -h flag to see a full set of feature gates for all components.
To set feature gates for a component, such as kubelet, use the --feature-gates flag assigned to a list of feature pairs:
--feature-gates=...,GracefulNodeShutdown=true
The following tables are a summary of the feature gates that you can set on different Kubernetes components.
- The "Since" column contains the Kubernetes release when a feature is introduced or its release stage is changed.
- The "Until" column, if not empty, contains the last Kubernetes release in which you can still use a feature gate.
- If a feature is in the Alpha or Beta state, you can find the feature listed in the Alpha/Beta feature gate table.
- If a feature is stable you can find all stages for that feature listed in the Graduated/Deprecated feature gate table.
- The Graduated/Deprecated feature gate table also lists deprecated and withdrawn features.
Note:
For a reference to old feature gates that are removed, please refer to feature gates removed.
Feature gates for Alpha or Beta features
Feature | Default | Stage | Since | Until |
---|---|---|---|---|
AnonymousAuthConfigurableEndpoints | false | Alpha | 1.31 | 1.31 |
AnonymousAuthConfigurableEndpoints | true | Beta | 1.32 | – |
AnyVolumeDataSource | false | Alpha | 1.18 | 1.23 |
AnyVolumeDataSource | true | Beta | 1.24 | – |
APIResponseCompression | false | Alpha | 1.7 | 1.15 |
APIResponseCompression | true | Beta | 1.16 | – |
APIServerIdentity | false | Alpha | 1.20 | 1.25 |
APIServerIdentity | true | Beta | 1.26 | – |
APIServerTracing | false | Alpha | 1.22 | 1.26 |
APIServerTracing | true | Beta | 1.27 | – |
AuthorizeNodeWithSelectors | false | Alpha | 1.31 | 1.31 |
AuthorizeNodeWithSelectors | true | Beta | 1.32 | – |
AuthorizeWithSelectors | false | Alpha | 1.31 | 1.31 |
AuthorizeWithSelectors | true | Beta | 1.32 | – |
CloudControllerManagerWebhook | false | Alpha | 1.27 | – |
ClusterTrustBundle | false | Alpha | 1.27 | – |
ClusterTrustBundleProjection | false | Alpha | 1.29 | – |
ComponentSLIs | false | Alpha | 1.26 | 1.26 |
ComponentSLIs | true | Beta | 1.27 | – |
ConcurrentWatchObjectDecode | false | Beta | 1.31 | – |
ConsistentListFromCache | false | Alpha | 1.28 | 1.30 |
ConsistentListFromCache | true | Beta | 1.31 | – |
ContainerCheckpoint | false | Alpha | 1.25 | 1.29 |
ContainerCheckpoint | true | Beta | 1.30 | – |
ContextualLogging | false | Alpha | 1.24 | – |
ContextualLogging | true | Beta | 1.30 | – |
CoordinatedLeaderElection | false | Alpha | 1.31 | – |
CPUManagerPolicyAlphaOptions | false | Alpha | 1.23 | – |
CPUManagerPolicyBetaOptions | true | Beta | 1.23 | – |
CPUManagerPolicyOptions | false | Alpha | 1.22 | 1.22 |
CPUManagerPolicyOptions | true | Beta | 1.23 | – |
CRDValidationRatcheting | false | Alpha | 1.28 | 1.29 |
CRDValidationRatcheting | true | Beta | 1.30 | – |
CrossNamespaceVolumeDataSource | false | Alpha | 1.26 | – |
CSIMigrationPortworx | false | Alpha | 1.23 | 1.24 |
CSIMigrationPortworx | false | Beta | 1.25 | 1.30 |
CSIMigrationPortworx | true | Beta | 1.31 | – |
CSIVolumeHealth | false | Alpha | 1.21 | – |
CustomCPUCFSQuotaPeriod | false | Alpha | 1.12 | – |
DisableAllocatorDualWrite | false | Alpha | 1.31 | – |
DisableNodeKubeProxyVersion | false | Alpha | 1.29 | 1.30 |
DisableNodeKubeProxyVersion | true | Beta | 1.31 | – |
DynamicResourceAllocation | false | Alpha | 1.30 | – |
EventedPLEG | false | Alpha | 1.25 | – |
ExternalServiceAccountTokenSigner | false | Alpha | 1.32 | – |
GracefulNodeShutdown | false | Alpha | 1.20 | 1.20 |
GracefulNodeShutdown | true | Beta | 1.21 | – |
GracefulNodeShutdownBasedOnPodPriority | false | Alpha | 1.23 | 1.23 |
GracefulNodeShutdownBasedOnPodPriority | true | Beta | 1.24 | – |
HonorPVReclaimPolicy | false | Alpha | 1.23 | 1.30 |
HonorPVReclaimPolicy | true | Beta | 1.31 | – |
HPAScaleToZero | false | Alpha | 1.16 | – |
ImageMaximumGCAge | false | Alpha | 1.29 | 1.29 |
ImageMaximumGCAge | true | Beta | 1.30 | – |
ImageVolume | false | Alpha | 1.31 | – |
InPlacePodVerticalScaling | false | Alpha | 1.27 | – |
InTreePluginPortworxUnregister | false | Alpha | 1.23 | – |
JobBackoffLimitPerIndex | false | Alpha | 1.28 | 1.28 |
JobBackoffLimitPerIndex | true | Beta | 1.29 | – |
JobManagedBy | false | Alpha | 1.30 | 1.31 |
JobManagedBy | false | Beta | 1.32 | – |
JobPodReplacementPolicy | false | Alpha | 1.28 | 1.28 |
JobPodReplacementPolicy | true | Beta | 1.29 | – |
JobSuccessPolicy | false | Alpha | 1.30 | 1.30 |
JobSuccessPolicy | true | Beta | 1.31 | – |
KubeletCgroupDriverFromCRI | false | Alpha | 1.28 | 1.30 |
KubeletCgroupDriverFromCRI | true | Beta | 1.31 | – |
KubeletFineGrainedAuthz | false | Alpha | 1.32 | – |
KubeletInUserNamespace | false | Alpha | 1.22 | – |
KubeletPodResourcesDynamicResources | false | Alpha | 1.27 | – |
KubeletPodResourcesGet | false | Alpha | 1.27 | – |
KubeletSeparateDiskGC | false | Alpha | 1.29 | 1.30 |
KubeletSeparateDiskGC | true | Beta | 1.31 | – |
KubeletTracing | false | Alpha | 1.25 | 1.26 |
KubeletTracing | true | Beta | 1.27 | – |
LocalStorageCapacityIsolationFSQuotaMonitoring | false | Alpha | 1.15 | 1.30 |
LocalStorageCapacityIsolationFSQuotaMonitoring | false | Beta | 1.31 | – |
LoggingAlphaOptions | false | Alpha | 1.24 | – |
LoggingBetaOptions | true | Beta | 1.24 | – |
MatchLabelKeysInPodAffinity | false | Alpha | 1.29 | 1.30 |
MatchLabelKeysInPodAffinity | true | Beta | 1.31 | – |
MatchLabelKeysInPodTopologySpread | false | Alpha | 1.25 | 1.26 |
MatchLabelKeysInPodTopologySpread | true | Beta | 1.27 | – |
MaxUnavailableStatefulSet | false | Alpha | 1.24 | – |
MemoryQoS | false | Alpha | 1.22 | – |
MultiCIDRServiceAllocator | false | Alpha | 1.27 | 1.30 |
MultiCIDRServiceAllocator | false | Beta | 1.31 | – |
MutatingAdmissionPolicy | false | Alpha | 1.30 | – |
NFTablesProxyMode | false | Alpha | 1.29 | 1.30 |
NFTablesProxyMode | true | Beta | 1.31 | – |
NodeInclusionPolicyInPodTopologySpread | false | Alpha | 1.25 | 1.25 |
NodeInclusionPolicyInPodTopologySpread | true | Beta | 1.26 | – |
NodeLogQuery | false | Alpha | 1.27 | 1.29 |
NodeLogQuery | false | Beta | 1.30 | – |
NodeSwap | false | Alpha | 1.22 | 1.27 |
NodeSwap | false | Beta | 1.28 | 1.29 |
NodeSwap | true | Beta | 1.30 | – |
OpenAPIEnums | false | Alpha | 1.23 | 1.23 |
OpenAPIEnums | true | Beta | 1.24 | – |
PodAndContainerStatsFromCRI | false | Alpha | 1.23 | – |
PodDeletionCost | false | Alpha | 1.21 | 1.21 |
PodDeletionCost | true | Beta | 1.22 | – |
PodIndexLabel | true | Beta | 1.28 | – |
PodLifecycleSleepAction | false | Alpha | 1.29 | 1.29 |
PodLifecycleSleepAction | true | Beta | 1.30 | – |
PodReadyToStartContainersCondition | false | Alpha | 1.28 | 1.28 |
PodReadyToStartContainersCondition | true | Beta | 1.29 | – |
PortForwardWebsockets | false | Alpha | 1.30 | 1.30 |
PortForwardWebsockets | true | Beta | 1.31 | – |
ProcMountType | false | Alpha | 1.12 | 1.30 |
ProcMountType | false | Beta | 1.31 | – |
QOSReserved | false | Alpha | 1.11 | – |
RecoverVolumeExpansionFailure | false | Alpha | 1.23 | – |
RecursiveReadOnlyMounts | false | Alpha | 1.30 | 1.30 |
RecursiveReadOnlyMounts | true | Beta | 1.31 | – |
RelaxedEnvironmentVariableValidation | false | Alpha | 1.30 | 1.31 |
RelaxedEnvironmentVariableValidation | true | Beta | 1.32 | – |
ReloadKubeletServerCertificateFile | true | Beta | 1.31 | – |
ResilientWatchCacheInitialization | true | Beta | 1.31 | – |
ResourceHealthStatus | false | Alpha | 1.31 | – |
RotateKubeletServerCertificate | false | Alpha | 1.7 | 1.11 |
RotateKubeletServerCertificate | true | Beta | 1.12 | – |
RuntimeClassInImageCriApi | false | Alpha | 1.29 | – |
SchedulerAsyncPreemption | false | Alpha | 1.32 | – |
SchedulerQueueingHints | true | Beta | 1.28 | 1.28 |
SchedulerQueueingHints | false | Beta | 1.29 | 1.31 |
SchedulerQueueingHints | true | Beta | 1.32 | – |
SELinuxMount | false | Alpha | 1.30 | – |
SELinuxMountReadWriteOncePod | false | Alpha | 1.25 | 1.26 |
SELinuxMountReadWriteOncePod | false | Beta | 1.27 | 1.27 |
SELinuxMountReadWriteOncePod | true | Beta | 1.28 | – |
SeparateTaintEvictionController | true | Beta | 1.29 | – |
ServiceAccountTokenNodeBinding | false | Alpha | 1.29 | 1.30 |
ServiceAccountTokenNodeBinding | true | Beta | 1.31 | – |
ServiceTrafficDistribution | false | Alpha | 1.30 | 1.30 |
ServiceTrafficDistribution | true | Beta | 1.31 | – |
SidecarContainers | false | Alpha | 1.28 | 1.28 |
SidecarContainers | true | Beta | 1.29 | – |
StorageVersionAPI | false | Alpha | 1.20 | – |
StorageVersionHash | false | Alpha | 1.14 | 1.14 |
StorageVersionHash | true | Beta | 1.15 | – |
StorageVersionMigrator | false | Alpha | 1.30 | 1.32 |
StrictCostEnforcementForVAP | false | Beta | 1.31 | – |
StrictCostEnforcementForWebhooks | false | Beta | 1.31 | – |
StructuredAuthenticationConfiguration | false | Alpha | 1.29 | 1.29 |
StructuredAuthenticationConfiguration | true | Beta | 1.30 | – |
SupplementalGroupsPolicy | false | Alpha | 1.31 | – |
TopologyAwareHints | false | Alpha | 1.21 | 1.22 |
TopologyAwareHints | false | Beta | 1.23 | 1.23 |
TopologyAwareHints | true | Beta | 1.24 | – |
TopologyManagerPolicyAlphaOptions | false | Alpha | 1.26 | – |
TopologyManagerPolicyBetaOptions | false | Beta | 1.26 | 1.27 |
TopologyManagerPolicyBetaOptions | true | Beta | 1.28 | – |
TranslateStreamCloseWebsocketRequests | true | Beta | 1.30 | – |
UnauthenticatedHTTP2DOSMitigation | false | Beta | 1.28 | 1.28 |
UnauthenticatedHTTP2DOSMitigation | true | Beta | 1.29 | – |
UnknownVersionInteroperabilityProxy | false | Alpha | 1.28 | – |
UserNamespacesPodSecurityStandards | false | Alpha | 1.29 | – |
UserNamespacesSupport | false | Alpha | 1.28 | 1.29 |
UserNamespacesSupport | false | Beta | 1.30 | – |
VolumeAttributesClass | false | Alpha | 1.29 | 1.30 |
VolumeAttributesClass | false | Beta | 1.31 | – |
VolumeCapacityPriority | false | Alpha | 1.21 | – |
WatchCacheInitializationPostStartHook | false | Beta | 1.31 | – |
WatchFromStorageWithoutResourceVersion | false | Beta | 1.30 | – |
WatchList | false | Alpha | 1.27 | – |
WindowsHostNetwork | true | Alpha | 1.26 | – |
WinDSR | false | Alpha | 1.14 | – |
WinOverlay | false | Alpha | 1.14 | 1.19 |
WinOverlay | true | Beta | 1.20 | – |
Feature gates for graduated or deprecated features
Feature | Default | Stage | Since | Until |
---|---|---|---|---|
AdmissionWebhookMatchConditions | false | Alpha | 1.27 | 1.27 |
AdmissionWebhookMatchConditions | true | Beta | 1.28 | 1.29 |
AdmissionWebhookMatchConditions | true | GA | 1.30 | – |
AggregatedDiscoveryEndpoint | false | Alpha | 1.26 | 1.26 |
AggregatedDiscoveryEndpoint | true | Beta | 1.27 | 1.29 |
AggregatedDiscoveryEndpoint | true | GA | 1.30 | – |
AllowDNSOnlyNodeCSR | false | Deprecated | 1.31 | – |
AllowInsecureKubeletCertificateSigningRequests | false | Deprecated | 1.31 | – |
AllowServiceLBStatusOnNonLB | false | Deprecated | 1.29 | – |
APIListChunking | false | Alpha | 1.8 | 1.8 |
APIListChunking | true | Beta | 1.9 | 1.28 |
APIListChunking | true | GA | 1.29 | – |
AppArmor | true | Beta | 1.4 | 1.30 |
AppArmor | true | GA | 1.31 | – |
AppArmorFields | true | Beta | 1.30 | 1.30 |
AppArmorFields | true | GA | 1.31 | – |
CPUManager | false | Alpha | 1.8 | 1.9 |
CPUManager | true | Beta | 1.10 | 1.25 |
CPUManager | true | GA | 1.26 | – |
CronJobsScheduledAnnotation | true | Beta | 1.28 | 1.31 |
CronJobsScheduledAnnotation | true | GA | 1.32 | – |
CustomResourceFieldSelectors | false | Alpha | 1.30 | 1.30 |
CustomResourceFieldSelectors | true | Beta | 1.31 | 1.31 |
CustomResourceFieldSelectors | true | GA | 1.32 | – |
DefaultHostNetworkHostPortsInPodTemplates | false | Deprecated | 1.28 | – |
DevicePluginCDIDevices | false | Alpha | 1.28 | 1.28 |
DevicePluginCDIDevices | true | Beta | 1.29 | 1.30 |
DevicePluginCDIDevices | true | GA | 1.31 | – |
DisableCloudProviders | false | Alpha | 1.22 | 1.28 |
DisableCloudProviders | true | Beta | 1.29 | – |
DisableCloudProviders | true | GA | 1.31 | – |
DisableKubeletCloudCredentialProviders | false | Alpha | 1.23 | 1.28 |
DisableKubeletCloudCredentialProviders | true | Beta | 1.29 | 1.30 |
DisableKubeletCloudCredentialProviders | true | GA | 1.31 | – |
EfficientWatchResumption | false | Alpha | 1.20 | 1.20 |
EfficientWatchResumption | true | Beta | 1.21 | 1.23 |
EfficientWatchResumption | true | GA | 1.24 | – |
ElasticIndexedJob | true | Beta | 1.27 | 1.30 |
ElasticIndexedJob | true | GA | 1.31 | – |
ExecProbeTimeout | true | GA | 1.20 | – |
JobPodFailurePolicy | false | Alpha | 1.25 | 1.25 |
JobPodFailurePolicy | true | Beta | 1.26 | 1.30 |
JobPodFailurePolicy | true | GA | 1.31 | – |
KMSv1 | true | Deprecated | 1.28 | 1.28 |
KMSv1 | false | Deprecated | 1.29 | – |
KubeProxyDrainingTerminatingNodes | false | Alpha | 1.28 | 1.30 |
KubeProxyDrainingTerminatingNodes | true | Beta | 1.30 | 1.30 |
KubeProxyDrainingTerminatingNodes | true | GA | 1.31 | – |
LoadBalancerIPMode | false | Alpha | 1.29 | 1.30 |
LoadBalancerIPMode | true | Beta | 1.30 | 1.31 |
LoadBalancerIPMode | true | GA | 1.32 | – |
LogarithmicScaleDown | false | Alpha | 1.21 | 1.21 |
LogarithmicScaleDown | true | Beta | 1.22 | 1.30 |
LogarithmicScaleDown | true | GA | 1.31 | – |
MemoryManager | false | Alpha | 1.21 | 1.21 |
MemoryManager | true | Beta | 1.22 | 1.31 |
MemoryManager | true | GA | 1.32 | – |
PDBUnhealthyPodEvictionPolicy | false | Alpha | 1.26 | 1.26 |
PDBUnhealthyPodEvictionPolicy | true | Beta | 1.27 | 1.30 |
PDBUnhealthyPodEvictionPolicy | true | GA | 1.31 | – |
PersistentVolumeLastPhaseTransitionTime | false | Alpha | 1.28 | 1.28 |
PersistentVolumeLastPhaseTransitionTime | true | Beta | 1.29 | 1.30 |
PersistentVolumeLastPhaseTransitionTime | true | GA | 1.31 | – |
PodDisruptionConditions | false | Alpha | 1.25 | 1.25 |
PodDisruptionConditions | true | Beta | 1.26 | 1.30 |
PodDisruptionConditions | true | GA | 1.31 | – |
PodSchedulingReadiness | false | Alpha | 1.26 | 1.26 |
PodSchedulingReadiness | true | Beta | 1.27 | 1.29 |
PodSchedulingReadiness | true | GA | 1.30 | – |
RemainingItemCount | false | Alpha | 1.15 | 1.15 |
RemainingItemCount | true | Beta | 1.16 | 1.28 |
RemainingItemCount | true | GA | 1.29 | – |
RetryGenerateName | false | Alpha | 1.30 | 1.30 |
RetryGenerateName | true | Beta | 1.31 | 1.31 |
RetryGenerateName | true | GA | 1.32 | – |
ServiceAccountTokenJTI | false | Alpha | 1.29 | 1.29 |
ServiceAccountTokenJTI | true | Beta | 1.30 | 1.31 |
ServiceAccountTokenJTI | true | GA | 1.32 | – |
ServiceAccountTokenNodeBindingValidation | false | Alpha | 1.29 | 1.29 |
ServiceAccountTokenNodeBindingValidation | true | Beta | 1.30 | 1.31 |
ServiceAccountTokenNodeBindingValidation | true | GA | 1.32 | – |
ServiceAccountTokenPodNodeInfo | false | Alpha | 1.29 | 1.29 |
ServiceAccountTokenPodNodeInfo | true | Beta | 1.30 | 1.31 |
ServiceAccountTokenPodNodeInfo | true | GA | 1.32 | – |
SizeMemoryBackedVolumes | false | Alpha | 1.20 | 1.21 |
SizeMemoryBackedVolumes | true | Beta | 1.22 | 1.31 |
SizeMemoryBackedVolumes | true | GA | 1.32 | – |
StatefulSetAutoDeletePVC | false | Alpha | 1.23 | 1.26 |
StatefulSetAutoDeletePVC | true | Beta | 1.27 | 1.31 |
StatefulSetAutoDeletePVC | true | GA | 1.32 | – |
StatefulSetStartOrdinal | false | Alpha | 1.26 | 1.26 |
StatefulSetStartOrdinal | true | Beta | 1.27 | 1.30 |
StatefulSetStartOrdinal | true | GA | 1.31 | – |
StructuredAuthorizationConfiguration | false | Alpha | 1.29 | 1.29 |
StructuredAuthorizationConfiguration | true | Beta | 1.30 | 1.31 |
StructuredAuthorizationConfiguration | true | GA | 1.32 | – |
TopologyManagerPolicyOptions | false | Alpha | 1.26 | 1.27 |
TopologyManagerPolicyOptions | true | Beta | 1.28 | 1.31 |
TopologyManagerPolicyOptions | true | GA | 1.32 | – |
ValidatingAdmissionPolicy | false | Alpha | 1.26 | 1.27 |
ValidatingAdmissionPolicy | false | Beta | 1.28 | 1.29 |
ValidatingAdmissionPolicy | true | GA | 1.30 | – |
WatchBookmark | false | Alpha | 1.15 | 1.15 |
WatchBookmark | true | Beta | 1.16 | 1.16 |
WatchBookmark | true | GA | 1.17 | – |
Using a feature
Feature stages
A feature can be in Alpha, Beta or GA stage. An Alpha feature means:
- Disabled by default.
- Might be buggy. Enabling the feature may expose bugs.
- Support for the feature may be dropped at any time without notice.
- The API may change in incompatible ways in a later software release without notice.
- Recommended for use only in short-lived testing clusters, due to increased risk of bugs and lack of long-term support.
A Beta feature means:
- Usually enabled by default. Beta API groups are disabled by default.
- The feature is well tested. Enabling the feature is considered safe.
- Support for the overall feature will not be dropped, though details may change.
- The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating API objects. The editing process may require some thought. This may require downtime for applications that rely on the feature.
- Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you may be able to relax this restriction.
Note:
Please do try Beta features and give feedback on them! After they exit beta, it may not be practical for us to make more changes.
A General Availability (GA) feature is also referred to as a stable feature. It means:
- The feature is always enabled; you cannot disable it.
- The corresponding feature gate is no longer needed.
- Stable versions of features will appear in released software for many subsequent versions.
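The following is an added example, not code from the Kubernetes project: it resolves a gate's stage and default for a given release from the Since/Until columns and reviews a component's --feature-gates value against the stage definitions above. The ROWS excerpt is copied from the tables on this page; the function names, finding labels and sample flag value are assumptions made for illustration, and accepting only true/false (case-insensitive) as values is a simplification.

```python
"""Review a --feature-gates value against the stage tables (added example)."""

# Excerpt of rows from the tables on this page:
# (feature, default, stage, since, until); until=None means "Until" is empty.
ROWS = [
    ("AllowInsecureKubeletCertificateSigningRequests", False, "Deprecated", "1.31", None),
    ("CPUManager", False, "Alpha", "1.8", "1.9"),
    ("CPUManager", True, "Beta", "1.10", "1.25"),
    ("CPUManager", True, "GA", "1.26", None),
    ("GracefulNodeShutdown", False, "Alpha", "1.20", "1.20"),
    ("GracefulNodeShutdown", True, "Beta", "1.21", None),
    ("ImageVolume", False, "Alpha", "1.31", None),
    ("NodeSwap", False, "Alpha", "1.22", "1.27"),
    ("NodeSwap", False, "Beta", "1.28", "1.29"),
    ("NodeSwap", True, "Beta", "1.30", None),
    ("UnauthenticatedHTTP2DOSMitigation", False, "Beta", "1.28", "1.28"),
    ("UnauthenticatedHTTP2DOSMitigation", True, "Beta", "1.29", None),
]

# Constructed sample value, as it might appear on a component's command line.
SAMPLE_FLAG = (
    "--feature-gates=ImageVolume=true,"
    "AllowInsecureKubeletCertificateSigningRequests=true,"
    "UnauthenticatedHTTP2DOSMitigation=false,"
    "GracefulNodeShutdown=true,CPUManager=true"
)


def _ver(text):
    """'1.10' -> (1, 10). Tuples compare numerically, so 1.9 sorts before 1.10."""
    major, minor = text.split(".")
    return int(major), int(minor)


def stage_at(gate, release):
    """Return (default, stage) for `gate` in `release`, or None if no row covers it."""
    target = _ver(release)
    for name, default, stage, since, until in ROWS:
        if name != gate:
            continue
        if _ver(since) <= target and (until is None or target <= _ver(until)):
            return default, stage
    return None


def parse_feature_gates(flag):
    """Parse '--feature-gates=A=true,B=false' (or just the value) into a dict."""
    value = flag.strip()
    if value.startswith("--feature-gates="):
        value = value[len("--feature-gates="):]
    gates = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        name, sep, raw = pair.partition("=")
        raw = raw.strip().lower()
        if not sep or raw not in ("true", "false"):
            raise ValueError(f"malformed feature gate pair: {pair!r}")
        gates[name.strip()] = raw == "true"
    return gates


def audit(flag, release):
    """Return sorted (gate, finding) tuples that deserve a reviewer's attention."""
    findings = []
    for gate, enabled in parse_feature_gates(flag).items():
        row = stage_at(gate, release)
        if row is None:
            findings.append((gate, "not in table for this release"))
            continue
        default, stage = row
        if stage == "GA":
            # Per the stage definitions: the gate is no longer needed once GA.
            findings.append((gate, "GA: gate no longer needed"))
        elif stage == "Deprecated" and enabled != default:
            findings.append((gate, "deprecated gate overridden"))
        elif stage == "Alpha" and enabled:
            # Alpha is recommended only for short-lived testing clusters.
            findings.append((gate, "alpha feature enabled"))
        elif enabled != default:
            findings.append((gate, f"{stage.lower()} default overridden"))
    return sorted(findings)


if __name__ == "__main__":
    for gate, finding in audit(SAMPLE_FLAG, "1.31"):
        print(f"{gate}: {finding}")
```

Gates set to their default for the release, such as GracefulNodeShutdown=true here, produce no finding.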
List of feature gates
Each feature gate is designed for enabling/disabling a specific feature.
AdmissionWebhookMatchConditions
: Enable match conditions on mutating & validating admission webhooks.
AggregatedDiscoveryEndpoint
: Enable a single HTTP endpoint /discovery/<version> which supports native HTTP caching with ETags containing all APIResources known to the API server.
AllowDNSOnlyNodeCSR
: Allow kubelet to request a certificate without any Node IP available, only with DNS names.
AllowInsecureKubeletCertificateSigningRequests
: Disable node admission validation of CertificateSigningRequests for kubelet signers. Unless you disable this feature gate, Kubernetes enforces that new kubelet certificates have a commonName matching system:node:$nodeName.
AllowServiceLBStatusOnNonLB
: Enables .status.ingress.loadBalancer to be set on Services of types other than LoadBalancer.
AnonymousAuthConfigurableEndpoints
: Enable configurable endpoints for anonymous auth for the API server.
AnyVolumeDataSource
: Enable use of any custom resource as the DataSource of a PVC.
APIListChunking
: Enable the API clients to retrieve (LIST or GET) resources from API server in chunks.
APIResponseCompression
: Compress the API responses for LIST or GET requests.
APIServerIdentity
: Assign each API server an ID in a cluster, using a Lease.
APIServerTracing
: Add support for distributed tracing in the API server. See Traces for Kubernetes System Components for more details.
AppArmor
: Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See AppArmor Tutorial for more details.
AppArmorFields
: Enable AppArmor related security context settings.
For more information about AppArmor and Kubernetes, read the AppArmor section within security features in the Linux kernel.
AuthorizeNodeWithSelectors
: Make the Node authorizer use fine-grained selector authorization. Requires AuthorizeWithSelectors to be enabled.
AuthorizeWithSelectors
: Allows authorization to use field and label selectors. Enables fieldSelector and labelSelector fields in the SubjectAccessReview API, passes field and label selector information to authorization webhooks, enables fieldSelector and labelSelector functions in the authorizer CEL library, and enables checking fieldSelector and labelSelector fields in authorization webhook matchConditions.
CloudControllerManagerWebhook
: Enable webhooks in cloud controller manager.
ClusterTrustBundle
: Enable ClusterTrustBundle objects and kubelet integration.
ClusterTrustBundleProjection
: clusterTrustBundle projected volume sources.
ComponentSLIs
: Enable the /metrics/slis endpoint on Kubernetes components like kubelet, kube-scheduler, kube-proxy, kube-controller-manager, cloud-controller-manager allowing you to scrape health check metrics.
ConcurrentWatchObjectDecode
: Enable concurrent watch object decoding. This is to avoid starving the API server's watch cache when a conversion webhook is installed.
ConsistentListFromCache
: Enhance Kubernetes API server performance by serving consistent list requests directly from its watch cache, improving scalability and response times. To serve consistent lists from the cache, Kubernetes requires a newer etcd version (v3.4.31+ or v3.5.13+) that includes fixes to the watch progress request feature. If an older etcd version is provided, Kubernetes automatically detects it and falls back to serving consistent reads from etcd. Progress notifications ensure the watch cache is consistent with etcd while reducing the need for resource-intensive quorum reads from etcd.
See the Kubernetes documentation on Semantics for get and list for more details.
ContainerCheckpoint
: Enables the kubelet checkpoint API. See Kubelet Checkpoint API for more details.
ContextualLogging
: Enables extra details in log output of Kubernetes components that support contextual logging.
CoordinatedLeaderElection
: Enables the behaviors supporting the LeaseCandidate API, and also enables coordinated leader election for the Kubernetes control plane, deterministically.
CPUManager
: Enable container level CPU affinity support, see CPU Management Policies.
CPUManagerPolicyAlphaOptions
: This allows fine-tuning of CPUManager policies, experimental, Alpha-quality options. This feature gate guards a group of CPUManager options whose quality level is alpha. This feature gate will never graduate to beta or stable.
CPUManagerPolicyBetaOptions
: This allows fine-tuning of CPUManager policies, experimental, Beta-quality options. This feature gate guards a group of CPUManager options whose quality level is beta. This feature gate will never graduate to stable.
CPUManagerPolicyOptions
: Allow fine-tuning of CPUManager policies.
CRDValidationRatcheting
: Enable updates to custom resources to contain violations of their OpenAPI schema if the offending portions of the resource update did not change. See Validation Ratcheting for more details.
CronJobsScheduledAnnotation
: Set the scheduled job time as an annotation on Jobs that were created on behalf of a CronJob.
CrossNamespaceVolumeDataSource
: Enable the usage of cross namespace volume data source to allow you to specify a source namespace in the dataSourceRef field of a PersistentVolumeClaim.
CSIMigrationPortworx
: Enables shims and translation logic to route volume operations from the Portworx in-tree plugin to Portworx CSI plugin. Requires Portworx CSI driver to be installed and configured in the cluster.
CSIVolumeHealth
: Enable support for CSI volume health monitoring on node.
CustomCPUCFSQuotaPeriod
: Enable nodes to change cpuCFSQuotaPeriod in kubelet config.
CustomResourceFieldSelectors
: Enable selectableFields in the CustomResourceDefinition API to allow filtering of custom resource list, watch and deletecollection requests.
DefaultHostNetworkHostPortsInPodTemplates
: This feature gate controls the point at which a default value for .spec.containers[*].ports[*].hostPort is assigned, for Pods using hostNetwork: true. The default since Kubernetes v1.28 is to only set a default value in Pods.
Enabling this means a default will be assigned even to the .spec of an embedded PodTemplate (for example, in a Deployment), which is the way that older releases of Kubernetes worked. You should migrate your code so that it does not rely on the legacy behavior.
DevicePluginCDIDevices
: Enable support to CDI device IDs in the Device Plugin API.
DisableAllocatorDualWrite
: You can enable the MultiCIDRServiceAllocator feature gate. The API server supports migration from the old bitmap ClusterIP allocators to the new IPAddress allocators.
The API server performs a dual-write on both allocators. This feature gate disables the dual write on the new Cluster IP allocators; you can enable this feature gate if you have completed the relevant stage of the migration.
DisableCloudProviders
:Enabling this feature gate deactivated functionality in
kube-apiserver
,kube-controller-manager
andkubelet
that related to the--cloud-provider
command line argument.In Kubernetes v1.31 and later, the only valid values for
--cloud-provider
are the empty string (no cloud provider integration), or "external" (integration via a separate cloud-controller-manager).DisableKubeletCloudCredentialProviders
: Enabling the feature gate deactivated the legacy in-tree functionality within the kubelet, that allowed the kubelet to to authenticate to a cloud provider container registry for container image pulls.DisableNodeKubeProxyVersion
: Disable setting thekubeProxyVersion
field of the Node.DynamicResourceAllocation
: Enables support for resources with custom parameters and a lifecycle that is independent of a Pod. Allocation of resources is handled by the Kubernetes scheduler based on "structured parameters".EfficientWatchResumption
: Allows for storage-originated bookmark (progress notify) events to be delivered to the users. This is only applied to watch operations.ElasticIndexedJob
: Enables Indexed Jobs to be scaled up or down by mutating bothspec.completions
andspec.parallelism
together such thatspec.completions == spec.parallelism
. See docs on elastic Indexed Jobs for more details.EventedPLEG
: Enable support for the kubelet to receive container life cycle events from the container runtime via an extension to CRI. (PLEG is an abbreviation for “Pod lifecycle event generator”). For this feature to be useful, you also need to enable support for container lifecycle events in each container runtime running in your cluster. If the container runtime does not announce support for container lifecycle events then the kubelet automatically switches to the legacy generic PLEG mechanism, even if you have this feature gate enabled.ExecProbeTimeout
: Ensure kubelet respects exec probe timeouts. This feature gate exists in case any of your existing workloads depend on a now-corrected fault where Kubernetes ignored exec probe timeouts. See readiness probes.ExternalServiceAccountTokenSigner
: Enable setting--service-account-signing-endpoint
to make the kube-apiserver use external signer for token signing and token verifying key management.GracefulNodeShutdown
: Enables support for graceful shutdown in kubelet. During a system shutdown, kubelet will attempt to detect the shutdown event and gracefully terminate pods running on the node. See Graceful Node Shutdown for more details.GracefulNodeShutdownBasedOnPodPriority
: Enables the kubelet to check Pod priorities when shutting down a node gracefully.HonorPVReclaimPolicy
: Honor persistent volume reclaim policy when it isDelete
irrespective of PV-PVC deletion ordering. For more details, check the PersistentVolume deletion protection finalizer documentation.HPAScaleToZero
: Enables settingminReplicas
to 0 forHorizontalPodAutoscaler
resources when using custom or external metrics.ImageMaximumGCAge
: Enables the kubelet configuration fieldimageMaximumGCAge
, allowing an administrator to specify the age after which an image will be garbage collected.ImageVolume
: Allow using theimage
volume source in a Pod. This volume source lets you mount a container image as a read-only volume.InPlacePodVerticalScaling
: Enables in-place Pod vertical scaling.InTreePluginPortworxUnregister
: Stops registering the Portworx in-tree plugin in kubelet and volume controllers.JobBackoffLimitPerIndex
: Allows specifying the maximal number of pod retries per index in Indexed jobs.JobManagedBy
: Allows to delegate reconciliation of a Job object to an external controller.JobPodFailurePolicy
: Allow users to specify handling of pod failures based on container exit codes and pod conditions.JobPodReplacementPolicy
: Allows you to specify pod replacement for terminating pods in a JobJobSuccessPolicy
: Allow users to specify when a Job can be declared as succeeded based on the set of succeeded pods.KMSv1
: Enables KMS v1 API for encryption at rest. See Using a KMS Provider for data encryption for more details.KubeletCgroupDriverFromCRI
: Enable detection of the kubelet cgroup driver configuration option from the CRI. You can use this feature gate on nodes with a kubelet that supports the feature gate and where there is a CRI container runtime that supports theRuntimeConfig
CRI call. If both CRI and kubelet support this feature, the kubelet ignores thecgroupDriver
configuration setting (or deprecated--cgroup-driver
command line argument). If you enable this feature gate and the container runtime doesn't support it, the kubelet falls back to using the driver configured using thecgroupDriver
configuration setting. See Configuring a cgroup driver for more details.KubeletFineGrainedAuthz
: Enable fine-grained authorization for the kubelet's HTTP(s) API.KubeletInUserNamespace
: Enables support for running kubelet in a user namespace. See Running Kubernetes Node Components as a Non-root User.KubeletPodResourcesDynamicResources
: Extend the kubelet's pod resources gRPC endpoint to to include resources allocated inResourceClaims
viaDynamicResourceAllocation
API. See resource allocation reporting for more details. with information about the allocatable resources, enabling clients to properly track the free compute resources on a node.KubeletPodResourcesGet
: Enable theGet
gRPC endpoint on kubelet's for Pod resources. This API augments the resource allocation reporting.KubeletSeparateDiskGC
: The split image filesystem feature enables kubelet to perform garbage collection of images (read-only layers) and/or containers (writeable layers) deployed on separate filesystems.KubeletTracing
: Add support for distributed tracing in the kubelet. When enabled, kubelet CRI interface and authenticated http servers are instrumented to generate OpenTelemetry trace spans. See Traces for Kubernetes System Components for more details.KubeProxyDrainingTerminatingNodes
: Implement connection draining for terminating nodes forexternalTrafficPolicy: Cluster
services.LoadBalancerIPMode
: Allows settingipMode
for Services wheretype
is set toLoadBalancer
. See Specifying IPMode of load balancer status for more information.LocalStorageCapacityIsolationFSQuotaMonitoring
: WhenLocalStorageCapacityIsolation
is enabled for local ephemeral storage, the backing filesystem for emptyDir volumes supports project quotas, andUserNamespacesSupport
is enabled, project quotas are used to monitoremptyDir
volume storage consumption rather than using filesystem walk, ensuring better performance and accuracy.LogarithmicScaleDown
: Enable semi-random selection of pods to evict on controller scaledown based on logarithmic bucketing of pod timestamps.
LoggingAlphaOptions
: Allow fine-tuning of experimental, alpha-quality logging options.
LoggingBetaOptions
: Allow fine-tuning of experimental, beta-quality logging options.
MatchLabelKeysInPodAffinity
: Enable the matchLabelKeys and mismatchLabelKeys fields for pod (anti)affinity.
MatchLabelKeysInPodTopologySpread
: Enable the matchLabelKeys field for Pod topology spread constraints.
MaxUnavailableStatefulSet
: Enables setting the maxUnavailable field for the rolling update strategy of a StatefulSet. The field specifies the maximum number of Pods that can be unavailable during the update.
MemoryManager
: Allows setting memory affinity for a container based on NUMA topology.
MemoryQoS
: Enable memory protection and usage throttle on pod / container using cgroup v2 memory controller.
MultiCIDRServiceAllocator
: Track IP address allocations for Service cluster IPs using IPAddress objects.
MutatingAdmissionPolicy
: In Kubernetes 1.32, this feature gate has no effect. A future release of Kubernetes may use this feature gate to enable the MutatingAdmissionPolicy in admission chain.
NFTablesProxyMode
: Allow running kube-proxy in nftables mode.
NodeInclusionPolicyInPodTopologySpread
: Enable using nodeAffinityPolicy and nodeTaintsPolicy in Pod topology spread constraints when calculating pod topology spread skew.
NodeLogQuery
: Enables querying logs of node services using the /logs endpoint.
NodeSwap
: Enable the kubelet to allocate swap memory for Kubernetes workloads on a node. Must be used with KubeletConfiguration.failSwapOn set to false. For more details, please see swap memory.
OpenAPIEnums
: Enables populating "enum" fields of OpenAPI schemas in the spec returned from the API server.
PDBUnhealthyPodEvictionPolicy
: Enables the unhealthyPodEvictionPolicy field of a PodDisruptionBudget. This specifies when unhealthy pods should be considered for eviction. Please see Unhealthy Pod Eviction Policy for more details.
PersistentVolumeLastPhaseTransitionTime
: Adds a new field to PersistentVolume which holds a timestamp of when the volume last transitioned its phase.
PodAndContainerStatsFromCRI
: Configure the kubelet to gather container and pod stats from the CRI container runtime rather than gathering them from cAdvisor. As of 1.26, this also includes gathering metrics from CRI and emitting them over /metrics/cadvisor (rather than having cAdvisor emit them directly).
PodDeletionCost
: Enable the Pod Deletion Cost feature which allows users to influence ReplicaSet downscaling order.
PodDisruptionConditions
: Enables support for appending a dedicated pod condition indicating that the pod is being deleted due to a disruption.
PodIndexLabel
: Enables the Job controller and StatefulSet controller to add the pod index as a label when creating new pods. See Job completion mode docs and StatefulSet pod index label docs for more details.
PodLifecycleSleepAction
: Enables the sleep action in Container lifecycle hooks.
PodReadyToStartContainersCondition
: Enable the kubelet to mark the PodReadyToStartContainers condition on pods. This feature gate was previously known as PodHasNetworkCondition, and the associated condition was named PodHasNetwork.
PodSchedulingReadiness
: Enable setting schedulingGates field to control a Pod's scheduling readiness.
PortForwardWebsockets
: Allow WebSocket streaming of the portforward sub-protocol (port-forward) from clients requesting version v2 (v2.portforward.k8s.io) of the sub-protocol.
ProcMountType
: Enables control over the type of proc mounts for containers by setting the procMount field of a Pod's securityContext.
QOSReserved
: Allows resource reservations at the QoS level preventing pods at lower QoS levels from bursting into resources requested at higher QoS levels (memory only for now).
RecoverVolumeExpansionFailure
: Enables users to edit their PVCs to smaller sizes so that they can recover from previously issued volume expansion failures. See Recovering from Failure when Expanding Volumes for more details.
RecursiveReadOnlyMounts
: Enables support for recursive read-only mounts. For more details, see read-only mounts.
RelaxedEnvironmentVariableValidation
: Allow almost all printable ASCII characters in environment variables.
ReloadKubeletServerCertificateFile
: Enable the kubelet TLS server to update its certificate if the specified certificate files are changed. This feature is useful when specifying tlsCertFile and tlsPrivateKeyFile in kubelet configuration. The feature gate has no effect for other cases such as using TLS bootstrap.
RemainingItemCount
: Allow the API servers to show a count of remaining items in the response to a chunking list request.
ResilientWatchCacheInitialization
: Enables resilient watchcache initialization to avoid controlplane overload.
ResourceHealthStatus
: Enable the allocatedResourcesStatus field within the .status for a Pod. The field reports additional details for each container in the Pod, with the health information for each device assigned to the Pod. See Device plugin and unhealthy devices for more details.
RetryGenerateName
: Enables retrying of object creation when the API server is expected to generate a name. When this feature is enabled, requests using generateName are retried automatically in case the control plane detects a name conflict with an existing object, up to a limit of 8 total attempts.
RotateKubeletServerCertificate
: Enable the rotation of the server TLS certificate on the kubelet. See kubelet configuration for more details.
RuntimeClassInImageCriApi
: Enables images to be pulled based on the runtime class of the pods that reference them.
SchedulerAsyncPreemption
: Enable running some expensive operations within the scheduler, associated with preemption, asynchronously. Asynchronous processing of preemption improves overall Pod scheduling latency.
SchedulerQueueingHints
: Enables the scheduler's queueing hints feature, which helps reduce useless requeueing. The scheduler retries scheduling pods if something changes in the cluster that could make the pod scheduled. Queueing hints are internal signals that allow the scheduler to filter the changes in the cluster that are relevant to the unscheduled pod, based on previous scheduling attempts.
SELinuxMount
: Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. It widens the performance improvements behind the SELinuxMountReadWriteOncePod feature gate by extending the implementation to all volumes. Enabling the SELinuxMount feature gate requires the feature gate SELinuxMountReadWriteOncePod to be enabled.
SELinuxMountReadWriteOncePod
: Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. The initial implementation focused on ReadWriteOncePod volumes.
SeparateTaintEvictionController
: Enables running TaintEvictionController, that performs Taint-based Evictions, in a controller separated from NodeLifecycleController. When this feature is enabled, users can optionally disable Taint-based Eviction by setting the --controllers=-taint-eviction-controller flag on the kube-controller-manager.
ServiceAccountTokenJTI
: Controls whether JTIs (UUIDs) are embedded into generated service account tokens, and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens.
ServiceAccountTokenNodeBinding
: Controls whether the API server allows binding service account tokens to Node objects.
ServiceAccountTokenNodeBindingValidation
: Controls whether the apiserver will validate a Node reference in service account tokens.
ServiceAccountTokenPodNodeInfo
: Controls whether the apiserver embeds the node name and uid for the associated node when issuing service account tokens bound to Pod objects.
ServiceTrafficDistribution
: Allows usage of the optional spec.trafficDistribution field in Services. The field offers a way to express preferences for how traffic is distributed to Service endpoints.
SidecarContainers
: Allow setting the restartPolicy of an init container to Always so that the container becomes a sidecar container (restartable init containers). See Sidecar containers and restartPolicy for more details.
SizeMemoryBackedVolumes
: Enable kubelets to determine the size limit for memory-backed volumes (mainly emptyDir volumes).
StatefulSetAutoDeletePVC
: Allows the use of the optional .spec.persistentVolumeClaimRetentionPolicy field, providing control over the deletion of PVCs in a StatefulSet's lifecycle. See PersistentVolumeClaim retention for more details.
StatefulSetStartOrdinal
: Allow configuration of the start ordinal in a StatefulSet. See Start ordinal for more details.
StorageVersionAPI
: Enable the storage version API.
StorageVersionHash
: Allow API servers to expose the storage version hash in the discovery.
StorageVersionMigrator
: Enables storage version migration. See Migrate Kubernetes Objects Using Storage Version Migration for more details.
StrictCostEnforcementForVAP
: Apply strict CEL cost validation for ValidatingAdmissionPolicies.
StrictCostEnforcementForWebhooks
: Apply strict CEL cost validation for matchConditions within admission webhooks.
StructuredAuthenticationConfiguration
: Enable structured authentication configuration for the API server.
StructuredAuthorizationConfiguration
: Enable structured authorization configuration, so that cluster administrators can specify more than one authorization webhook in the API server handler chain.
SupplementalGroupsPolicy
: Enables support for fine-grained SupplementalGroups control. For more details, see Configure fine-grained SupplementalGroups control for a Pod.
TopologyAwareHints
: Enables topology aware routing based on topology hints in EndpointSlices. See Topology Aware Hints for more details.
TopologyManagerPolicyAlphaOptions
: Allow fine-tuning of topology manager policies, experimental, Alpha-quality options. This feature gate guards a group of topology manager options whose quality level is alpha. This feature gate will never graduate to beta or stable.
TopologyManagerPolicyBetaOptions
: Allow fine-tuning of topology manager policies, experimental, Beta-quality options. This feature gate guards a group of topology manager options whose quality level is beta. This feature gate will never graduate to stable.
TopologyManagerPolicyOptions
: Enable fine-tuning of topology manager policies.
TranslateStreamCloseWebsocketRequests
: Allow WebSocket streaming of the remote command sub-protocol (exec, cp, attach) from clients requesting version 5 (v5) of the sub-protocol.
UnauthenticatedHTTP2DOSMitigation
: Enables HTTP/2 Denial of Service (DoS) mitigations for unauthenticated clients. Kubernetes v1.28.0 through v1.28.2 do not include this feature gate.
UnknownVersionInteroperabilityProxy
: Proxy resource requests to the correct peer kube-apiserver when multiple kube-apiservers exist at varied versions. See Mixed version proxy for more information.
UserNamespacesPodSecurityStandards
: Enable Pod Security Standards policies relaxation for pods that run with user namespaces. You must set the value of this feature gate consistently across all nodes in your cluster, and you must also enable UserNamespacesSupport to use this feature.
UserNamespacesSupport
: Enable user namespace support for Pods.
ValidatingAdmissionPolicy
: Enable ValidatingAdmissionPolicy support for CEL validations to be used in Admission Control.
VolumeAttributesClass
: Enable support for VolumeAttributesClasses. See Volume Attributes Classes for more information.
VolumeCapacityPriority
: Enable support for prioritizing nodes in different topologies based on available PV capacity.
WatchBookmark
: Enable support for watch bookmark events.
WatchCacheInitializationPostStartHook
: Enables post-start-hook for watchcache initialization to be part of readyz (with timeout).
WatchFromStorageWithoutResourceVersion
: Enables watches without resourceVersion to be served from storage.
WatchList
: Enable support for streaming initial state of objects in watch requests.
WindowsHostNetwork
: Enables support for joining Windows containers to a host's network namespace.
WinDSR
: Allows kube-proxy to create DSR loadbalancers for Windows.
WinOverlay
: Allows kube-proxy to run in overlay mode for Windows.
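A pre-flight check for the dependencies stated in the entries above: SELinuxMount requires SELinuxMountReadWriteOncePod, and UserNamespacesPodSecurityStandards requires UserNamespacesSupport and the same value on every node. This is an added example, not code from the Kubernetes project; the function names and sample node values are constructed, and the accepted boolean spellings are assumed to be those of Go's strconv.ParseBool.

```python
TRUE = {"1", "t", "T", "TRUE", "true", "True"}
FALSE = {"0", "f", "F", "FALSE", "false", "False"}
# Dependencies stated in the gate descriptions: gate -> gate it requires.
REQUIRES = {
    "SELinuxMount": "SELinuxMountReadWriteOncePod",
    "UserNamespacesPodSecurityStandards": "UserNamespacesSupport",
}
# Gates the descriptions say must have the same value on all nodes.
CONSISTENT = ["UserNamespacesPodSecurityStandards"]
# Constructed sample: kubelet --feature-gates values for two hypothetical nodes.
SAMPLE_NODES = {
    "node-a": "UserNamespacesSupport=true,UserNamespacesPodSecurityStandards=true",
    "node-b": "SELinuxMount=true,SELinuxMountReadWriteOncePod=false",
}

def parse_feature_gates(value):
    """Parse a --feature-gates value into {gate: bool}; raise on malformed pairs."""
    gates = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        name, sep, raw = pair.partition("=")
        name, raw = name.strip(), raw.strip()
        if not sep or not name or raw not in TRUE | FALSE:
            raise ValueError(f"malformed feature gate pair: {pair!r}")
        gates[name] = raw in TRUE
    return gates

def check_dependencies(gates):
    """Check one component's explicitly set gates against REQUIRES."""
    findings = []
    for gate, needed in REQUIRES.items():
        if not gates.get(gate, False):
            continue  # gate not explicitly enabled; nothing to verify here
        if needed not in gates:
            # Unset gates fall back to a default that differs between releases.
            findings.append(f"{gate}=true but {needed} is not set explicitly; "
                            "its default depends on the release")
        elif not gates[needed]:
            findings.append(f"{gate}=true requires {needed}=true")
    return findings

def check_consistency(nodes):
    """nodes: {node name: --feature-gates value}. Flag gates that differ across nodes."""
    parsed = {n: parse_feature_gates(v) for n, v in nodes.items()}
    findings = []
    for gate in CONSISTENT:
        values = {n: g.get(gate) for n, g in parsed.items()}  # None means unset
        if len(set(values.values())) > 1:
            findings.append(f"{gate} differs across nodes: {values}")
    return findings
```

An unset gate is reported separately from an explicit false because its effective value comes from the release default listed in the tables on this page.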
What's next
- The deprecation policy for Kubernetes explains the project's approach to removing features and components.
- Since Kubernetes 1.24, new beta APIs are not enabled by default. When enabling a beta feature, you will also need to enable any associated API resources. For example, to enable a particular resource like storage.k8s.io/v1beta1/csistoragecapacities, set --runtime-config=storage.k8s.io/v1beta1/csistoragecapacities. See API Versioning for more details on the command line flags.