Run Preflight Checks using the CLI

Learn how to run preflight checks from the CLI

You can run preflight checks to verify that a cluster or host meets the application requirements attempting an installation. While this capability is built in to some applications, you can run preflight checks using the CLI.


To run, preflight needs a specification to understand what information to collect and what to do with that information. The specification can be a YAML file, or hosted at a URL, located in an OCI registry, or provided as stdin.

To use stdin, supply - as the argument.

Example usage:

./preflight https://preflight.replicated.com
kubectl preflight oci://my.oci.registry/image
./preflight my-preflight-spec.yaml
helm template mychart --values my-values.yaml | ./preflight -

As of v0.64.0, valid input for specs can include:

  • Documents of kind: Preflight
  • Documents of kind: Secret that have the label troubleshoot.io/kind: preflight

Multiple YAML "documents" (specs) are supported as input, in addition all documents other than the above supported will be filtered out. This allows feeding an entire set of manifests (eg. a full Helm chart) in, and preflight will take only the relevant specs.

preflight [url] [flags] [-]


Flag Type (if applicable) Description
--as string Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
--as-group stringArray Group to impersonate for the operation. This flag can be repeated to specify multiple groups.
--as-uid string UID to impersonate for the operation.
--cache-dir string Default cache directory. Default: ~/.kube/cache
--certificate-authority string Path to a certificate file for the certificate authority.
--client-certificate string Path to a client certificate file for TLS.
--client-key string Path to a client key file for TLS.
--cluster string The name of the kubeconfig cluster to use.
--collect-without-permissions Always run preflight checks even if some require permissions that preflight does not have. Default: true
--collector-image string The full name of the collector image to use.
--collector-pullpolicy string The pull policy of the collector image.
--context string The name of the kubeconfig context to use.
--cpuprofile string File path to write CPU profiling data.
--debug Enable debug logging. This is equivalent to --v=0.
--disable-compression If true, opt-out of response compression for all requests to the server.
--format string Output format, one of human, json, yaml. Only used when interactive is set to false. Default: human
-h, --help Help for preflight.
--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity and your HTTPS connections will be insecure.
--interactive Interactive preflights. Default: true
--kubeconfig string Path to the kubeconfig file to use for CLI requests.
--memprofile string File path to write memory profiling data.
-n, --namespace string If present, the namespace scope for this CLI request.
-o, --output string Specify the output file path for the preflight checks.
--request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit, such as 1s, 2m, 3h. A value of zero means that requests will not time out. Default: 0
--selector string Selector (label query) to filter remote collection nodes on.
-s, --server string The address and port of the Kubernetes API server.
--since string Force pod logs collectors to return logs newer than a relative duration, such as 5s, 2m, or 3h.
--since-time string Force pod logs collectors to return logs after a specific date (RFC3339).
--tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used.
--token string Bearer token for authentication to the API server.
--user string The name of the kubeconfig user to use.
-v, --v level Number for the log level verbosity.
Edit on GitHub