Discover how Kubernetes v1.33 introduces a new /flagz endpoint in Kubelet for runtime introspection of component flags, debug like never before.
Modern Kubernetes environments are complex. Debugging a misconfigured component often requires searching logs, tracing deployments, or examining configuration files deployed weeks ago. What if you could just ask the component what it’s running with live?
With the Kubernetes v1.33 release, Kubelet now exposes a /flagz endpoint, providing real-time introspection into the exact command-line flags it's running with. This enhancement (as part of KEP-4828: Component Flagz) marks a step forward in observability and operational transparency.
/flagz?¶The goal is simple but powerful: expose the runtime flags of core Kubernetes components, on demand.
This is especially useful for:
curl /flagz.Once the ComponentFlagz feature gate is enabled, Kubelet exposes a /flagz endpoint over HTTP(S). It’s accessible via:
The response is plain text:
You get the actual runtime values, not default assumptions or config guesses.
Access is restricted, only users in the system:monitoring group can hit this endpoint. It follows the same model as /livez, /readyz, and /healthz.
No sensitive data is exposed.
The /flagz endpoint:
zpages interface.ComponentFlagz feature gate.The /flagz enhancement aligns with a broader push in Kubernetes to make core component internals more observable via standard endpoints (/livez, /readyz, /configz, and now /flagz). Future versions may expand this capability to other components such as kube-apiserver, kube-controller-manager, scheduler, and kube-proxy.
As /flagz matures:
/flagz?version=2) for programmatic compatibility.Try it out in v1.33 with:
And see what your nodes are really running with, live, from the inside.
If you manage clusters, debug configuration drift, or support multi-tenant platforms, /flagz is a small addition that will likely save you hours.
/flagz is a new HTTP(S) endpoint exposed by the Kubelet that displays its active command-line flags at runtime. It allows operators to introspect live configuration without accessing logs or manifests, improving transparency and debugging.
You must enable the ComponentFlagz feature gate on the Kubelet. Once enabled, the Kubelet will expose the /flagz endpoint alongside standard health endpoints like /livez and /readyz.
Access is restricted to users in the system:monitoring group. The endpoint follows the same RBAC model as other introspection endpoints, ensuring controlled, read-only access to configuration details.
The /flagz endpoint is part of a larger observability effort (like /livez, /readyz, and /configz) to make Kubernetes components self-report their runtime state. It supports easier debugging, auditability, and eventual integration with diagnostics tools.
Get new posts, tools, and tips delivered straight to your inbox.
Follow along with walkthroughs and tutorials, especially on Rancher and DevOps topics.
A small act of support goes a long way. You're helping me stay consistent and keep the content flowing.
title: Kubernetes Flagz
description: Command line flags that Kubernetes component was started with.
address=0.0.0.0
anonymous-auth=true
container-runtime-endpoint=unix:///var/run/containerd/containerd.sock
cpu-cfs-quota=true
enable-server=true
...
kubectl get --raw "/api/v1/nodes/<node-name>/proxy/flagz"--feature-gates=ComponentFlagz=true
Stop waiting for schedules to debug CronJobs. Learn how to trigger them immediately, validate specs, and streamline testing in Kubernetes.
Helm upgrade failed due to Kubernetes managedFields conflict. Learn why spec looked fine, yet patching caused errors, and how to fix it.
Compare Kubernetes topologies across AWS EKS, Google GKE, and Azure AKS. Learn how to design resilient, production-grade clusters the right way.
FeaturedLearn how to reduce Docker image size and speed up builds with smart caching, cache busting, multi-stage builds, and BuildKit best practices.
Stop waiting for schedules to debug CronJobs. Learn how to trigger them immediately, validate specs, and streamline testing in Kubernetes.
Helm upgrade failed due to Kubernetes managedFields conflict. Learn why spec looked fine, yet patching caused errors, and how to fix it.
CVE-2025-1767 exposes root-level access on nodes via a deprecated volume plugin; Kubernetes 1.33 will disable it by default
Enhance Kubernetes pod scheduling with dynamic affinity using matchLabelKeys and mismatchLabelKeys for safer rollouts and tenant isolation.
Pods can now exclude tainted nodes during topology spread calculations, improving placement predictability.