@@ -129,6 +129,62 @@ the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/
129129For more information on the fields and usage of the configuration you can navigate to our
130130[ API reference page] ( /docs/reference/config-api/kubeadm-config.v1beta3/ ) .
131131
132+ ### Using kubeadm init with feature gates {#feature-gates}
133+
134+ Kubeadm supports a set of feature gates that are unique to kubeadm and can only be applied
135+ during cluster creation with ` kubeadm init ` . These features can control the behavior
136+ of the cluster. Feature gates are removed after a feature graduates to GA.
137+
138+ To pass a feature gate you can either use the ` --feature-gates ` flag for
139+ ` kubeadm init ` , or you can add items into the ` featureGates ` field when you pass
140+ a [ configuration file] ( /docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration )
141+ using ` --config ` .
142+
143+ Passing [ feature gates for core Kubernetes components] ( /docs/reference/command-line-tools-reference/feature-gates )
144+ directly to kubeadm is not supported. Instead, it is possible to pass them by
145+ [ Customizing components with the kubeadm API] ( /docs/setup/production-environment/tools/kubeadm/control-plane-flags/ ) .
146+
147+ List of feature gates:
148+
149+ {{< table caption="kubeadm feature gates" >}}
150+ Feature | Default | Alpha | Beta
151+ :-------|:--------|:------|:-----
152+ ` PublicKeysECDSA ` | ` false ` | 1.19 | -
153+ ` RootlessControlPlane ` | ` false ` | 1.22 | -
154+ ` UnversionedKubeletConfigMap ` | ` true ` | 1.22 | 1.23
155+ {{< /table >}}
156+
157+ {{< note >}}
158+ Once a feature gate goes GA it is removed from this list as its value becomes locked to ` true ` by default.
159+ {{< /note >}}
160+
161+ Feature gate descriptions:
162+
163+ ` PublicKeysECDSA `
164+ : Can be used to create a cluster that uses ECDSA certificates instead of the default RSA algorithm.
165+ Renewal of existing ECDSA certificates is also supported using ` kubeadm certs renew ` , but you cannot
166+ switch between the RSA and ECDSA algorithms on the fly or during upgrades.
167+
168+ ` RootlessControlPlane `
169+ : Setting this flag configures the kubeadm deployed control plane component static Pod containers
170+ for ` kube-apiserver ` , ` kube-controller-manager ` , ` kube-scheduler ` and ` etcd ` to run as non-root users.
171+ If the flag is not set, those components run as root. You can change the value of this feature gate before
172+ you upgrade to a newer version of Kubernetes.
173+
174+ ` UnversionedKubeletConfigMap `
175+ : This flag controls the name of the {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} where kubeadm stores
176+ kubelet configuration data. With this flag not specified or set to ` true ` , the ConfigMap is named ` kubelet-config ` .
177+ If you set this flag to ` false ` , the name of the ConfigMap includes the major and minor version for Kubernetes
178+ (for example: ` kubelet-config-{{< skew currentVersion >}} ` ). Kubeadm ensures that RBAC rules for reading and writing
179+ that ConfigMap are appropriate for the value you set. When kubeadm writes this ConfigMap (during ` kubeadm init `
180+ or ` kubeadm upgrade apply ` ), kubeadm respects the value of ` UnversionedKubeletConfigMap ` . When reading that ConfigMap
181+ (during ` kubeadm join ` , ` kubeadm reset ` , ` kubeadm upgrade ... ` ), kubeadm attempts to use unversioned ConfigMap name first;
182+ if that does not succeed, kubeadm falls back to using the legacy (versioned) name for that ConfigMap.
183+
184+ {{< note >}}
185+ Setting ` UnversionedKubeletConfigMap ` to ` false ` is supported but ** deprecated** .
186+ {{< /note >}}
187+
132188### Adding kube-proxy parameters {#kube-proxy}
133189
134190For information about kube-proxy parameters in the kubeadm configuration see:
0 commit comments