radar (or kubectl radar when installed via Krew) accepts the flags below. Defaults come from ~/.radar/config.json if present - see Configuration files.
General
| Flag | Default | Description |
|---|---|---|
--port | 9280 | HTTP port the UI / API serve on. |
--no-browser | false | Don’t auto-open the browser. |
--browser | "" | Browser to open the UI in, overriding the OS default launcher. Local runs only (in-cluster and Cloud can’t open a user browser). On macOS, app names and .app bundles work, e.g. --browser Safari or --browser "Google Chrome". Empty uses the OS default. |
--namespace | "" | Initial namespace filter (empty = all namespaces). |
--version | - | Print version and exit. |
--debug-events | false | Verbose event-drop logging. |
Cluster connection
| Flag | Description |
|---|---|
--kubeconfig | Path to a kubeconfig file. Falls back to KUBECONFIG env or ~/.kube/config. |
--kubeconfig-dir | Comma-separated directories whose kubeconfigs are merged. Mutually exclusive with --kubeconfig. |
Timeline storage
| Flag | Default | Description |
|---|---|---|
--timeline-storage | memory | memory or sqlite. SQLite persists across restarts. |
--timeline-db | ~/.radar/timeline.db | Path to the SQLite database when --timeline-storage=sqlite. |
--history-limit | 10000 | Max events retained in the timeline (memory mode). |
Metrics & traffic
| Flag | Description |
|---|---|
--prometheus-url | Manual Prometheus / VictoriaMetrics URL. Skips auto-discovery (handy for out-of-cluster Prometheus). |
Feature toggles
| Flag | Effect |
|---|---|
--no-mcp | Disable the MCP server (AI tools won’t be able to connect). |
--disable-helm-write | Read-only Helm: hide install / upgrade / rollback / uninstall buttons. |
--disable-exec | No pod terminal / debug shell. |
--disable-local-terminal | Disable the local-machine terminal pane. |
--pod-shell-default | Override the default pod exec shell (runs as sh -c <value>; empty falls back to bash -il → ash → sh). |
--debug-image | Image for ephemeral debug containers and node debug pods. Defaults to busybox:latest; point at a mirror for air-gapped / private-registry clusters. |
--list-page-size | Paginate the initial LIST of high-cardinality kinds (Pods, ReplicaSets) at this size. Defaults to 0 (single LIST). Helps very large clusters whose initial sync fails; only used when WatchList streaming is unavailable on the apiserver. Try 2000. |
Authentication
See Authentication for the full setup. Common flags:| Flag | Description |
|---|---|
--auth-mode | none (default), proxy, or oidc. |
--auth-secret | HMAC secret for session cookies. Auto-generated when empty - set this for multi-replica deployments. |
--auth-cookie-ttl | Sliding session TTL. Default 4h. |
| Flag | Default | Description |
|---|---|---|
--auth-user-header | X-Forwarded-User | Header carrying the username. |
--auth-groups-header | X-Forwarded-Groups | Header carrying the comma-separated groups. |
| Flag | Description |
|---|---|
--auth-oidc-issuer | OIDC issuer URL. |
--auth-oidc-client-id | Client ID from your IdP. |
--auth-oidc-client-secret | Client secret. |
--auth-oidc-redirect-url | The /auth/callback URL registered with the IdP. |
--auth-oidc-groups-claim | JWT claim that carries groups. Default groups. |
--auth-oidc-post-logout-redirect-url | URL to redirect to after IdP logout (must be registered with the IdP). |
--auth-oidc-username-prefix | Username prefix for K8s impersonation - must match kube-apiserver’s --oidc-username-prefix. |
--auth-oidc-groups-prefix | Groups prefix for K8s impersonation - must match kube-apiserver’s --oidc-groups-prefix. |
--auth-oidc-insecure-skip-verify | Skip TLS verification on the IdP (dev / test only). |
--auth-oidc-ca-cert | Path to a custom CA bundle for the IdP. |
--auth-oidc-backchannel-logout | Enable the back-channel logout endpoint. Single-replica only. |
Radar Cloud
These flags wire an in-cluster Radar to a hosted Radar Cloud. Each is also readable from the matchingRADAR_CLOUD_* env var (so secrets stay out of ps).
| Flag | Env | Description |
|---|---|---|
--cloud-url | RADAR_CLOUD_URL | Cloud WS endpoint (e.g. wss://api.radarhq.io/agent). Empty = local-only. |
--cloud-token | RADAR_CLOUD_TOKEN | Cluster token from the Cloud install wizard (rhc_<random>). |
--cluster-name | RADAR_CLOUD_CLUSTER_NAME | Human-readable name (required with --cloud-url). |
RADAR_CLOUD_MODE=true additionally forces --auth-mode=proxy and pins X-Forwarded-User / X-Forwarded-Groups so the in-cluster Radar impersonates the Cloud-authenticated user against the K8s API. Don’t set this for local installs.
Internal / development
| Flag | Description |
|---|---|
--dev | Serve the frontend from disk instead of the embedded bundle. |
--fake-in-cluster | Pretend Radar is running in-cluster (useful for testing the in-cluster UX off-cluster). |