




const (
	// AgentHealthPort is the TCP port for agent health status API
	AgentHealthPort = "agent-health-port"

	// ClusterHealthPort is the TCP port for cluster-wide network connectivity health API
	ClusterHealthPort = "cluster-health-port"

	// ClusterMeshHealthPort is the TCP port for ClusterMesh apiserver health API
	ClusterMeshHealthPort = "clustermesh-health-port"

	// AgentLabels are additional labels to identify this agent
	AgentLabels = "agent-labels"

	// AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in policy.
	AllowICMPFragNeeded = "allow-icmp-frag-needed"

	// AllowLocalhost is the policy when to allow local stack to reach local endpoints { auto | always | policy }
	AllowLocalhost = "allow-localhost"

	// AllowLocalhostAuto defaults to policy except when running in
	// Kubernetes where it then defaults to "always"
	AllowLocalhostAuto = "auto"

	// AllowLocalhostAlways always allows the local stack to reach local
	// endpoints
	AllowLocalhostAlways = "always"

	// AllowLocalhostPolicy requires a policy rule to allow the local stack
	// to reach particular endpoints or policy enforcement must be
	// disabled.
	AllowLocalhostPolicy = "policy"

	// AnnotateK8sNode enables annotating a kubernetes node while bootstrapping
	// the daemon, which can also be disabled using this option.
	AnnotateK8sNode = "annotate-k8s-node"

	// ARPPingRefreshPeriod is the ARP entries refresher period
	ARPPingRefreshPeriod = "arping-refresh-period"

	// EnableL2NeighDiscovery determines if cilium should perform L2 neighbor
	// discovery.
	EnableL2NeighDiscovery = "enable-l2-neigh-discovery"

	// BPFRoot is the Path to BPF filesystem
	BPFRoot = "bpf-root"

	// CGroupRoot is the path to Cgroup2 filesystem
	CGroupRoot = "cgroup-root"

	// CompilerFlags allow to specify extra compiler commands for advanced debugging
	CompilerFlags = "cflags"

	// ConfigFile is the Configuration file (default "$HOME/ciliumd.yaml")
	ConfigFile = "config"

	// ConfigDir is the directory that contains a file for each option where
	// the filename represents the option name and the content of that file
	// represents the value of that option.
	ConfigDir = "config-dir"

	// ConntrackGCInterval is the name of the ConntrackGCInterval option
	ConntrackGCInterval = "conntrack-gc-interval"

	// ConntrackGCMaxInterval is the name of the ConntrackGCMaxInterval option
	ConntrackGCMaxInterval = "conntrack-gc-max-interval"

	// DebugArg is the argument enables debugging mode
	DebugArg = "debug"

	// DebugVerbose is the argument enables verbose log message for particular subsystems
	DebugVerbose = "debug-verbose"

	// Devices facing cluster/external network for attaching bpf_host
	Devices = "devices"

	// Forces the auto-detection of devices, even if specific devices are explicitly listed
	ForceDeviceDetection = "force-device-detection"

	// DirectRoutingDevice is the name of a device used to connect nodes in
	// direct routing mode (only required by BPF NodePort)
	DirectRoutingDevice = "direct-routing-device"

	// EnablePolicy enables policy enforcement in the agent.
	EnablePolicy = "enable-policy"

	// EnableExternalIPs enables implementation of k8s services with externalIPs in datapath
	EnableExternalIPs = "enable-external-ips"

	// EnableL7Proxy is the name of the option to enable L7 proxy
	EnableL7Proxy = "enable-l7-proxy"

	// EnableTracing enables tracing mode in the agent.
	EnableTracing = "enable-tracing"

	// EnableIPIPTermination is the name of the option to enable IPIP termination
	EnableIPIPTermination = "enable-ipip-termination"

	// Add unreachable routes on pod deletion
	EnableUnreachableRoutes = "enable-unreachable-routes"

	// EncryptInterface enables encryption on specified interface
	EncryptInterface = "encrypt-interface"

	// EncryptNode enables node IP encryption
	EncryptNode = "encrypt-node"

	// GopsPort is the TCP port for the gops server.
	GopsPort = "gops-port"

	// EnableGops run the gops server
	EnableGops = "enable-gops"

	// FixedIdentityMapping is the key-value for the fixed identity mapping
	// which allows to use reserved label for fixed identities
	FixedIdentityMapping = "fixed-identity-mapping"

	// FixedZoneMapping is the key-value for the fixed zone mapping which
	// is used to map zone value (string) from EndpointSlice to ID (uint8)
	// in lb{4,6}_backend in BPF map.
	FixedZoneMapping = "fixed-zone-mapping"

	// IPv4Range is the per-node IPv4 endpoint prefix, e.g.
	IPv4Range = "ipv4-range"

	// IPv6Range is the per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96
	IPv6Range = "ipv6-range"

	// IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside cluster prefix
	IPv4ServiceRange = "ipv4-service-range"

	// IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside cluster prefix
	IPv6ServiceRange = "ipv6-service-range"

	// IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option
	IPv6ClusterAllocCIDRName = "ipv6-cluster-alloc-cidr"

	// K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option
	K8sRequireIPv4PodCIDRName = "k8s-require-ipv4-pod-cidr"

	// K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option
	K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr"

	// EnableK8s operation of Kubernetes-related services/controllers.
	// Intended for operating cilium with CNI-compatible orchestrators other than Kubernetes. (default is true)
	EnableK8s = "enable-k8s"

	// K8sAPIServer is the kubernetes api address server (for https use --k8s-kubeconfig-path instead)
	K8sAPIServer = "k8s-api-server"

	// K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file
	K8sKubeConfigPath = "k8s-kubeconfig-path"

	// K8sServiceCacheSize is service cache size for cilium k8s package.
	K8sServiceCacheSize = "k8s-service-cache-size"

	// K8sSyncTimeout is the timeout since last event was received to synchronize all resources with k8s.
	K8sSyncTimeoutName = "k8s-sync-timeout"

	// AllocatorListTimeout is the timeout to list initial allocator state.
	AllocatorListTimeoutName = "allocator-list-timeout"

	// KeepConfig when restoring state, keeps containers' configuration in place
	KeepConfig = "keep-config"

	// KVStore key-value store type
	KVStore = "kvstore"

	// KVStoreOpt key-value store options
	KVStoreOpt = "kvstore-opt"

	// Labels is the list of label prefixes used to determine identity of an endpoint
	Labels = "labels"

	// LabelPrefixFile is the valid label prefixes file path
	LabelPrefixFile = "label-prefix-file"

	// EnableHostFirewall enables network policies for the host
	EnableHostFirewall = "enable-host-firewall"

	// EnableHostPort enables HostPort forwarding implemented by Cilium in BPF
	EnableHostPort = "enable-host-port"

	// EnableHostLegacyRouting enables the old routing path via stack.
	EnableHostLegacyRouting = "enable-host-legacy-routing"

	// EnableNodePort enables NodePort services implemented by Cilium in BPF
	EnableNodePort = "enable-node-port"

	// EnableSVCSourceRangeCheck enables check of service source range checks
	EnableSVCSourceRangeCheck = "enable-svc-source-range-check"

	// NodePortMode indicates in which mode NodePort implementation should run
	// ("snat", "dsr" or "hybrid")
	NodePortMode = "node-port-mode"

	// NodePortAlg indicates which algorithm is used for backend selection
	// ("random" or "maglev")
	NodePortAlg = "node-port-algorithm"

	// NodePortAcceleration indicates whether NodePort should be accelerated
	// via XDP ("none", "generic", "native", or "best-effort")
	NodePortAcceleration = "node-port-acceleration"

	// Alias to NodePortMode
	LoadBalancerMode = "bpf-lb-mode"

	// LoadBalancerModeAnnotation tells whether controller should check service
	// level annotation for configuring bpf loadbalancing method (snat vs dsr).
	LoadBalancerModeAnnotation = "bpf-lb-mode-annotation"

	// Alias to DSR dispatch method
	LoadBalancerDSRDispatch = "bpf-lb-dsr-dispatch"

	// Alias to DSR/IPIP IPv4 source CIDR
	LoadBalancerRSSv4CIDR = "bpf-lb-rss-ipv4-src-cidr"

	// Alias to DSR/IPIP IPv6 source CIDR
	LoadBalancerRSSv6CIDR = "bpf-lb-rss-ipv6-src-cidr"

	// Alias to NodePortAlg
	LoadBalancerAlgorithm = "bpf-lb-algorithm"

	// LoadBalancerNat46X64 enables NAT46 and NAT64 for services
	LoadBalancerNat46X64 = "bpf-lb-nat46x64"

	// LoadBalancerAlgorithmAnnotation tells whether controller should check service
	// level annotation for configuring bpf loadbalancing algorithm.
	LoadBalancerAlgorithmAnnotation = "bpf-lb-algorithm-annotation"

	// Alias to NodePortAcceleration
	LoadBalancerAcceleration = "bpf-lb-acceleration"

	// LoadBalancerIPIPSockMark enables sock-lb logic to force service traffic via IPIP
	LoadBalancerIPIPSockMark = "bpf-lb-ipip-sock-mark"

	// LoadBalancerExternalControlPlane switch skips connectivity to kube-apiserver
	// which is relevant in lb-only mode
	LoadBalancerExternalControlPlane = "bpf-lb-external-control-plane"

	// LoadBalancerProtocolDifferentiation enables support for service protocol differentiation (TCP, UDP, SCTP)
	LoadBalancerProtocolDifferentiation = "bpf-lb-proto-diff"

	// NodePortBindProtection rejects bind requests to NodePort service ports
	NodePortBindProtection = "node-port-bind-protection"

	// NodePortRange defines a custom range where to look up NodePort services
	NodePortRange = "node-port-range"

	// EnableAutoProtectNodePortRange enables appending NodePort range to
	// net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port
	// range (net.ipv4.ip_local_port_range)
	EnableAutoProtectNodePortRange = "enable-auto-protect-node-port-range"

	// KubeProxyReplacement controls how to enable kube-proxy replacement
	// features in BPF datapath
	KubeProxyReplacement = "kube-proxy-replacement"

	// EnableSessionAffinity enables a support for service sessionAffinity
	EnableSessionAffinity = "enable-session-affinity"

	// EnableIdentityMark enables setting the mark field with the identity for
	// local traffic. This may be disabled if chaining modes and Cilium use
	// conflicting marks.
	EnableIdentityMark = "enable-identity-mark"

	// AddressScopeMax controls the maximum address scope for addresses to be
	// considered local ones with HOST_ID in the ipcache
	AddressScopeMax = "local-max-addr-scope"

	// EnableRecorder enables the datapath pcap recorder
	EnableRecorder = "enable-recorder"

	// EnableLocalRedirectPolicy enables support for local redirect policy
	EnableLocalRedirectPolicy = "enable-local-redirect-policy"

	// EnableMKE enables MKE specific 'chaining' for kube-proxy replacement
	EnableMKE = "enable-mke"

	// CgroupPathMKE points to the cgroupv1 net_cls mount instance
	CgroupPathMKE = "mke-cgroup-mount"

	// LibDir enables the directory path to store runtime build environment
	LibDir = "lib-dir"

	// LogDriver sets logging endpoints to use for example syslog, fluentd
	LogDriver = "log-driver"

	// LogOpt sets log driver options for cilium
	LogOpt = "log-opt"

	// EnableIPv4Masquerade masquerades IPv4 packets from endpoints leaving the host.
	EnableIPv4Masquerade = "enable-ipv4-masquerade"

	// EnableIPv6Masquerade masquerades IPv6 packets from endpoints leaving the host.
	EnableIPv6Masquerade = "enable-ipv6-masquerade"

	// EnableBPFClockProbe selects a more efficient source clock (jiffies vs ktime)
	EnableBPFClockProbe = "enable-bpf-clock-probe"

	// EnableBPFMasquerade masquerades packets from endpoints leaving the host with BPF instead of iptables
	EnableBPFMasquerade = "enable-bpf-masquerade"

	// EnableMasqueradeRouteSource masquerades to the source route IP address instead of the interface one
	EnableMasqueradeRouteSource = "enable-masquerade-to-route-source"

	// EnableIPMasqAgent enables BPF ip-masq-agent
	EnableIPMasqAgent = "enable-ip-masq-agent"

	// EnableIPv4EgressGateway enables the IPv4 egress gateway
	EnableIPv4EgressGateway = "enable-ipv4-egress-gateway"

	// EnableEnvoyConfig enables processing of CiliumClusterwideEnvoyConfig and CiliumEnvoyConfig CRDs
	EnableEnvoyConfig = "enable-envoy-config"

	// IPMasqAgentConfigPath is the configuration file path
	IPMasqAgentConfigPath = "ip-masq-agent-config-path"

	// InstallIptRules sets whether Cilium should install any iptables in general
	InstallIptRules = "install-iptables-rules"

	// InstallNoConntrackIptRules instructs Cilium to install Iptables rules
	// to skip netfilter connection tracking on all pod traffic.
	InstallNoConntrackIptRules = "install-no-conntrack-iptables-rules"

	// ContainerIPLocalReservedPorts instructs the Cilium CNI plugin to reserve
	// the provided comma-separated list of ports in the container network namespace
	ContainerIPLocalReservedPorts = "container-ip-local-reserved-ports"

	// IPv6NodeAddr is the IPv6 address of node
	IPv6NodeAddr = "ipv6-node"

	// IPv4NodeAddr is the IPv4 address of node
	IPv4NodeAddr = "ipv4-node"

	// Restore restores state, if possible, from previous daemon
	Restore = "restore"

	// SocketPath sets daemon's socket path to listen for connections
	SocketPath = "socket-path"

	// StateDir is the directory path to store runtime state
	StateDir = "state-dir"

	// TracePayloadlen length of payload to capture when tracing
	TracePayloadlen = "trace-payloadlen"

	// Version prints the version information
	Version = "version"

	// EnableXDPPrefilter enables XDP-based prefiltering
	EnableXDPPrefilter = "enable-xdp-prefilter"

	// EnableTCX enables attaching endpoint programs using tcx if the kernel supports it
	EnableTCX = "enable-tcx"

	ProcFs = "procfs"

	// PrometheusServeAddr IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
	PrometheusServeAddr = "prometheus-serve-addr"

	// ExternalEnvoyProxy defines whether the Envoy is deployed externally in form of a DaemonSet or not.
	ExternalEnvoyProxy = "external-envoy-proxy"

	// CMDRef is the path to cmdref output directory
	CMDRef = "cmdref"

	// DNSMaxIPsPerRestoredRule defines the maximum number of IPs to maintain
	// for each FQDN selector in endpoint's restored DNS rules
	DNSMaxIPsPerRestoredRule = "dns-max-ips-per-restored-rule"

	// DNSPolicyUnloadOnShutdown is the name of the dns-policy-unload-on-shutdown option.
	DNSPolicyUnloadOnShutdown = "dns-policy-unload-on-shutdown"

	// ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies.
	ToFQDNsMinTTL = "tofqdns-min-ttl"

	// ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.
	ToFQDNsProxyPort = "tofqdns-proxy-port"

	// ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain
	// for each FQDN name in an endpoint's FQDN cache
	ToFQDNsMaxIPsPerHost = "tofqdns-endpoint-max-ip-per-hostname"

	// ToFQDNsMaxDeferredConnectionDeletes defines the maximum number of IPs to
	// retain for expired DNS lookups with still-active connections"
	ToFQDNsMaxDeferredConnectionDeletes = "tofqdns-max-deferred-connection-deletes"

	// ToFQDNsIdleConnectionGracePeriod defines the connection idle time during which
	// previously active connections with expired DNS lookups are still considered alive
	ToFQDNsIdleConnectionGracePeriod = "tofqdns-idle-connection-grace-period"

	// ToFQDNsPreCache is a path to a file with DNS cache data to insert into the
	// global cache on startup.
	// The file is not re-read after agent start.
	ToFQDNsPreCache = "tofqdns-pre-cache"

	// ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to
	// endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
	ToFQDNsEnableDNSCompression = "tofqdns-enable-dns-compression"

	// DNSProxyConcurrencyLimit limits parallel processing of DNS messages in
	// DNS proxy at any given point in time.
	DNSProxyConcurrencyLimit = "dnsproxy-concurrency-limit"

	// DNSProxyConcurrencyProcessingGracePeriod is the amount of grace time to
	// wait while processing DNS messages when the DNSProxyConcurrencyLimit has
	// been reached.
	DNSProxyConcurrencyProcessingGracePeriod = "dnsproxy-concurrency-processing-grace-period"

	// DNSProxyLockCount is the array size containing mutexes which protect
	// against parallel handling of DNS response IPs.
	DNSProxyLockCount = "dnsproxy-lock-count"

	// DNSProxyLockTimeout is timeout when acquiring the locks controlled by
	// DNSProxyLockCount.
	DNSProxyLockTimeout = "dnsproxy-lock-timeout"

	// DNSProxySocketLingerTimeout defines how many seconds we wait for the connection
	// between the DNS proxy and the upstream server to be closed.
	DNSProxySocketLingerTimeout = "dnsproxy-socket-linger-timeout"

	// DNSProxyEnableTransparentMode enables transparent mode for the DNS proxy.
	DNSProxyEnableTransparentMode = "dnsproxy-enable-transparent-mode"

	// DNSProxyInsecureSkipTransparentModeCheck is a hidden flag that allows users
	// to disable transparent mode even if IPSec is enabled
	DNSProxyInsecureSkipTransparentModeCheck = "dnsproxy-insecure-skip-transparent-mode-check"

	// MTUName is the name of the MTU option
	MTUName = "mtu"

	// RouteMetric is the name of the route-metric option
	RouteMetric = "route-metric"

	// DatapathMode is the name of the DatapathMode option
	DatapathMode = "datapath-mode"

	// EnableSocketLB is the name for the option to enable the socket LB
	EnableSocketLB = "bpf-lb-sock"

	// EnableSocketLBTracing is the name for the option to enable the socket LB tracing
	EnableSocketLBTracing = "trace-sock"

	// BPFSocketLBHostnsOnly is the name of the BPFSocketLBHostnsOnly option
	BPFSocketLBHostnsOnly = "bpf-lb-sock-hostns-only"

	// EnableSocketLBPodConnectionTermination enables termination of pod connections
	// to deleted service backends when socket-LB is enabled.
	EnableSocketLBPodConnectionTermination = "bpf-lb-sock-terminate-pod-connections"

	// RoutingMode is the name of the option to choose between native routing and tunneling mode
	RoutingMode = "routing-mode"

	// ServiceNoBackendResponse is the name of the option to pick how to handle traffic for services
	// without any backends
	ServiceNoBackendResponse = "service-no-backend-response"

	// ServiceNoBackendResponseReject is the name of the option to reject traffic for services
	// without any backends
	ServiceNoBackendResponseReject = "reject"

	// ServiceNoBackendResponseDrop is the name of the option to drop traffic for services
	// without any backends
	ServiceNoBackendResponseDrop = "drop"

	// MaxInternalTimerDelay sets a maximum on all periodic timers in
	// the agent in order to flush out timer-related bugs in the agent.
	MaxInternalTimerDelay = "max-internal-timer-delay"

	// MonitorAggregationName specifies the MonitorAggregationLevel on the
	// comandline.
	MonitorAggregationName = "monitor-aggregation"

	// MonitorAggregationInterval configures interval for monitor-aggregation
	MonitorAggregationInterval = "monitor-aggregation-interval"

	// MonitorAggregationFlags configures TCP flags used by monitor aggregation.
	MonitorAggregationFlags = "monitor-aggregation-flags"

	// CNIChainingMode configures which CNI plugin Cilium is chained with.
	CNIChainingMode = "cni-chaining-mode"

	// CNIChainingTarget is the name of a CNI network in to which we should
	// insert our plugin configuration
	CNIChainingTarget = "cni-chaining-target"

	// AuthMapEntriesMin defines the minimum auth map limit.
	AuthMapEntriesMin = 1 << 8

	// AuthMapEntriesMax defines the maximum auth map limit.
	AuthMapEntriesMax = 1 << 24

	// AuthMapEntriesDefault defines the default auth map limit.
	AuthMapEntriesDefault = 1 << 19

	// BPFConntrackAccounting controls whether CT accounting for packets and bytes is enabled
	BPFConntrackAccountingDefault = false

	// AuthMapEntriesName configures max entries for BPF auth map.
	AuthMapEntriesName = "bpf-auth-map-max"

	// CTMapEntriesGlobalTCPDefault is the default maximum number of entries
	// in the TCP CT table.
	CTMapEntriesGlobalTCPDefault = 2 << 18 // 512Ki

	// CTMapEntriesGlobalAnyDefault is the default maximum number of entries
	// in the non-TCP CT table.
	CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki

	// CTMapEntriesGlobalTCPName configures max entries for the TCP CT
	// table.
	CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max"

	// CTMapEntriesGlobalAnyName configures max entries for the non-TCP CT
	// table.
	CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max"

	// CTMapEntriesTimeout* name option and default value mappings
	CTMapEntriesTimeoutSYNName         = "bpf-ct-timeout-regular-tcp-syn"
	CTMapEntriesTimeoutFINName         = "bpf-ct-timeout-regular-tcp-fin"
	CTMapEntriesTimeoutTCPName         = "bpf-ct-timeout-regular-tcp"
	CTMapEntriesTimeoutAnyName         = "bpf-ct-timeout-regular-any"
	CTMapEntriesTimeoutSVCTCPName      = "bpf-ct-timeout-service-tcp"
	CTMapEntriesTimeoutSVCTCPGraceName = "bpf-ct-timeout-service-tcp-grace"
	CTMapEntriesTimeoutSVCAnyName      = "bpf-ct-timeout-service-any"

	// NATMapEntriesGlobalDefault holds the default size of the NAT map
	// and is 2/3 of the full CT size as a heuristic
	NATMapEntriesGlobalDefault = int((CTMapEntriesGlobalTCPDefault + CTMapEntriesGlobalAnyDefault) * 2 / 3)

	// SockRevNATMapEntriesDefault holds the default size of the SockRev NAT map
	// and is the same size of CTMapEntriesGlobalAnyDefault as a heuristic given
	// that sock rev NAT is mostly used for UDP and getpeername only.
	SockRevNATMapEntriesDefault = CTMapEntriesGlobalAnyDefault

	// MapEntriesGlobalDynamicSizeRatioName is the name of the option to
	// set the ratio of total system memory to use for dynamic sizing of the
	// CT, NAT, Neighbor and SockRevNAT BPF maps.
	MapEntriesGlobalDynamicSizeRatioName = "bpf-map-dynamic-size-ratio"

	// LimitTableAutoGlobalTCPMin defines the minimum TCP CT table limit for
	// dynamic size ration calculation.
	LimitTableAutoGlobalTCPMin = 1 << 17 // 128Ki entries

	// LimitTableAutoGlobalAnyMin defines the minimum UDP CT table limit for
	// dynamic size ration calculation.
	LimitTableAutoGlobalAnyMin = 1 << 16 // 64Ki entries

	// LimitTableAutoNatGlobalMin defines the minimum NAT limit for dynamic size
	// ration calculation.
	LimitTableAutoNatGlobalMin = 1 << 17 // 128Ki entries

	// LimitTableAutoSockRevNatMin defines the minimum SockRevNAT limit for
	// dynamic size ration calculation.
	LimitTableAutoSockRevNatMin = 1 << 16 // 64Ki entries

	// LimitTableMin defines the minimum CT or NAT table limit
	LimitTableMin = 1 << 10 // 1Ki entries

	// LimitTableMax defines the maximum CT or NAT table limit
	LimitTableMax = 1 << 24 // 16Mi entries (~1GiB of entries per map)

	// PolicyMapMin defines the minimum policy map limit.
	PolicyMapMin = 1 << 8

	// PolicyMapMax defines the maximum policy map limit.
	PolicyMapMax = 1 << 16

	// FragmentsMapMin defines the minimum fragments map limit.
	FragmentsMapMin = 1 << 8

	// FragmentsMapMax defines the maximum fragments map limit.
	FragmentsMapMax = 1 << 16

	// NATMapEntriesGlobalName configures max entries for BPF NAT table
	NATMapEntriesGlobalName = "bpf-nat-global-max"

	// NeighMapEntriesGlobalName configures max entries for BPF neighbor table
	NeighMapEntriesGlobalName = "bpf-neigh-global-max"

	// PolicyMapFullReconciliationInterval sets the interval for performing the full
	// reconciliation of the endpoint policy map.
	PolicyMapFullReconciliationIntervalName = "bpf-policy-map-full-reconciliation-interval"

	// SockRevNatEntriesName configures max entries for BPF sock reverse nat
	// entries.
	SockRevNatEntriesName = "bpf-sock-rev-map-max"

	// EgressGatewayPolicyMapEntriesName configures max entries for egress gateway's policy
	// map.
	EgressGatewayPolicyMapEntriesName = "egress-gateway-policy-map-max"

	// LogSystemLoadConfigName is the name of the option to enable system
	// load loggging
	LogSystemLoadConfigName = "log-system-load"

	// DisableCiliumEndpointCRDName is the name of the option to disable
	// use of the CEP CRD
	DisableCiliumEndpointCRDName = "disable-endpoint-crd"

	// MaxCtrlIntervalName and MaxCtrlIntervalNameEnv allow configuration
	// of MaxControllerInterval.
	MaxCtrlIntervalName = "max-controller-interval"

	// K8sNamespaceName is the name of the K8sNamespace option
	K8sNamespaceName = "k8s-namespace"

	// AgentNotReadyNodeTaintKeyName is the name of the option to set
	// AgentNotReadyNodeTaintKey
	AgentNotReadyNodeTaintKeyName = "agent-not-ready-taint-key"

	// EnableIPv4Name is the name of the option to enable IPv4 support
	EnableIPv4Name = "enable-ipv4"

	// EnableIPv6Name is the name of the option to enable IPv6 support
	EnableIPv6Name = "enable-ipv6"

	// EnableIPv6NDPName is the name of the option to enable IPv6 NDP support
	EnableIPv6NDPName = "enable-ipv6-ndp"

	// EnableSRv6 is the name of the option to enable SRv6 encapsulation support
	EnableSRv6 = "enable-srv6"

	// SRv6EncapModeName is the name of the option to specify the SRv6 encapsulation mode
	SRv6EncapModeName = "srv6-encap-mode"

	// EnableSCTPName is the name of the option to enable SCTP support
	EnableSCTPName = "enable-sctp"

	// EnableNat46X64Gateway enables L3 based NAT46 and NAT64 gateway
	EnableNat46X64Gateway = "enable-nat46x64-gateway"

	// IPv6MCastDevice is the name of the option to select IPv6 multicast device
	IPv6MCastDevice = "ipv6-mcast-device"

	// BPFEventsDefaultRateLimit specifies limit of messages per second that can be written to
	// BPF events map. This limit is defined for all types of events except dbg and pcap.
	// The number of messages is averaged, meaning that if no messages were written
	// to the map over 5 seconds, it's possible to write more events than the value of rate limit
	// in the 6th second.
	// If BPFEventsDefaultRateLimit > 0, non-zero value for BPFEventsDefaultBurstLimit must also be provided
	// lest the configuration is considered invalid.
	// If both rate and burst limit are 0 or not specified, no limit is imposed.
	BPFEventsDefaultRateLimit = "bpf-events-default-rate-limit"

	// BPFEventsDefaultBurstLimit specifies the maximum number of messages that can be written
	// to BPF events map in 1 second. This limit is defined for all types of events except dbg and pcap.
	// If BPFEventsDefaultBurstLimit > 0, non-zero value for BPFEventsDefaultRateLimit must also be provided
	// lest the configuration is considered invalid.
	// If both burst and rate limit are 0 or not specified, no limit is imposed.
	BPFEventsDefaultBurstLimit = "bpf-events-default-burst-limit"

	// FQDNRejectResponseCode is the name for the option for dns-proxy reject response code
	FQDNRejectResponseCode = "tofqdns-dns-reject-response-code"

	// FQDNProxyDenyWithNameError is useful when stub resolvers, like the one
	// in Alpine Linux's libc (musl), treat a REFUSED as a resolution error.
	// This happens when trying a DNS search list, as in kubernetes, and breaks
	// even whitelisted DNS names.
	FQDNProxyDenyWithNameError = "nameError"

	// FQDNProxyDenyWithRefused is the response code for Domain refused. It is
	// the default for denied DNS requests.
	FQDNProxyDenyWithRefused = "refused"

	// FQDNProxyResponseMaxDelay is the maximum time the proxy holds back a response
	FQDNProxyResponseMaxDelay = "tofqdns-proxy-response-max-delay"

	// FQDNRegexCompileLRUSize is the size of the FQDN regex compilation LRU.
	// Useful for heavy but repeated FQDN MatchName or MatchPattern use.
	FQDNRegexCompileLRUSize = "fqdn-regex-compile-lru-size"

	// PreAllocateMapsName is the name of the option PreAllocateMaps
	PreAllocateMapsName = "preallocate-bpf-maps"

	// EnableBPFTProxy option supports enabling or disabling BPF TProxy.
	EnableBPFTProxy = "enable-bpf-tproxy"

	// EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option
	EnableAutoDirectRoutingName = "auto-direct-node-routes"

	// DirectRoutingSkipUnreachableName is the name for the DirectRoutingSkipUnreachable option
	DirectRoutingSkipUnreachableName = "direct-routing-skip-unreachable"

	// EnableIPSecName is the name of the option to enable IPSec
	EnableIPSecName = "enable-ipsec"

	// Duration of the IPsec key rotation. After that time, we will clean the
	// previous IPsec key from the node.
	IPsecKeyRotationDuration = "ipsec-key-rotation-duration"

	// Enable watcher for IPsec key. If disabled, a restart of the agent will
	// be necessary on key rotations.
	EnableIPsecKeyWatcher = "enable-ipsec-key-watcher"

	// Enable caching for XfrmState for IPSec. Significantly reduces CPU usage
	// in large clusters.
	EnableIPSecXfrmStateCaching = "enable-ipsec-xfrm-state-caching"

	// IPSecKeyFileName is the name of the option for ipsec key file
	IPSecKeyFileName = "ipsec-key-file"

	// EnableIPSecEncrytpedOverlay is the name of the option which enables
	// the EncryptedOverlay feature.
	// This feature will encrypt overlay traffic before it leaves the cluster.
	EnableIPSecEncryptedOverlay = "enable-ipsec-encrypted-overlay"

	// BootIDFilename is a hidden flag that allows users to specify a
	// filename other than /proc/sys/kernel/random/boot_id. This can be
	// useful for testing purposes in local containerized cluster.
	BootIDFilename = "boot-id-file"

	// EnableWireguard is the name of the option to enable WireGuard
	EnableWireguard = "enable-wireguard"

	// WireguardTrackAllIPsFallback forces the WireGuard agent to track all IPs.
	WireguardTrackAllIPsFallback = "wireguard-track-all-ips-fallback"

	// EnableL2Announcements is the name of the option to enable l2 announcements
	EnableL2Announcements = "enable-l2-announcements"

	// L2AnnouncerLeaseDuration, if a lease has not been renewed for X amount of time, a new leader can be chosen.
	L2AnnouncerLeaseDuration = "l2-announcements-lease-duration"

	// L2AnnouncerRenewDeadline, the leader will renew the lease every X amount of time.
	L2AnnouncerRenewDeadline = "l2-announcements-renew-deadline"

	// L2AnnouncerRetryPeriod, on renew failure, retry after X amount of time.
	L2AnnouncerRetryPeriod = "l2-announcements-retry-period"

	// EnableEncryptionStrictMode is the name of the option to enable strict encryption mode.
	EnableEncryptionStrictMode = "enable-encryption-strict-mode"

	// EncryptionStrictModeCIDR is the CIDR in which the strict ecryption mode should be enforced.
	EncryptionStrictModeCIDR = "encryption-strict-mode-cidr"

	// EncryptionStrictModeAllowRemoteNodeIdentities allows dynamic lookup of remote node identities.
	// This is required when tunneling is used
	// or direct routing is used and the node CIDR and pod CIDR overlap.
	EncryptionStrictModeAllowRemoteNodeIdentities = "encryption-strict-mode-allow-remote-node-identities"

	// WireguardPersistentKeepalivee controls Wireguard PersistentKeepalive option. Set 0 to disable.
	WireguardPersistentKeepalive = "wireguard-persistent-keepalive"

	// NodeEncryptionOptOutLabels is the name of the option for the node-to-node encryption opt-out labels
	NodeEncryptionOptOutLabels = "node-encryption-opt-out-labels"

	// KVstoreLeaseTTL is the time-to-live for lease in kvstore.
	KVstoreLeaseTTL = "kvstore-lease-ttl"

	// KVstoreMaxConsecutiveQuorumErrorsName is the maximum number of acceptable
	// kvstore consecutive quorum errors before the agent assumes permanent failure
	KVstoreMaxConsecutiveQuorumErrorsName = "kvstore-max-consecutive-quorum-errors"

	// KVstorePeriodicSync is the time interval in which periodic
	// synchronization with the kvstore occurs
	KVstorePeriodicSync = "kvstore-periodic-sync"

	// KVstoreConnectivityTimeout is the timeout when performing kvstore operations
	KVstoreConnectivityTimeout = "kvstore-connectivity-timeout"

	// KVstorePodNetworkSupport enables the support for running the Cilium KVstore
	// in pod network.
	KVstorePodNetworkSupport = "kvstore-pod-network-support"

	// IdentityChangeGracePeriod is the name of the
	// IdentityChangeGracePeriod option
	IdentityChangeGracePeriod = "identity-change-grace-period"

	// IdentityRestoreGracePeriod is the name of the
	// IdentityRestoreGracePeriod option
	IdentityRestoreGracePeriod = "identity-restore-grace-period"

	// EnableHealthChecking is the name of the EnableHealthChecking option
	EnableHealthChecking = "enable-health-checking"

	// EnableEndpointHealthChecking is the name of the EnableEndpointHealthChecking option
	EnableEndpointHealthChecking = "enable-endpoint-health-checking"

	// EnableHealthCheckNodePort is the name of the EnableHealthCheckNodePort option
	EnableHealthCheckNodePort = "enable-health-check-nodeport"

	// EnableHealthCheckLoadBalancerIP is the name of the EnableHealthCheckLoadBalancerIP option
	EnableHealthCheckLoadBalancerIP = "enable-health-check-loadbalancer-ip"

	// HealthCheckICMPFailureThreshold is the name of the HealthCheckICMPFailureThreshold option
	HealthCheckICMPFailureThreshold = "health-check-icmp-failure-threshold"

	// EndpointQueueSize is the size of the EventQueue per-endpoint.
	EndpointQueueSize = "endpoint-queue-size"

	// EndpointGCInterval is the interval at which to attempt garbage collection of
	// endpoints that are no longer alive and healthy.
	EndpointGCInterval = "endpoint-gc-interval"

	// EndpointRegenInterval is the interval of the periodic endpoint regeneration loop.
	EndpointRegenInterval = "endpoint-regen-interval"

	// LoopbackIPv4 is the address to use for service loopback SNAT
	LoopbackIPv4 = "ipv4-service-loopback-address"

	// LocalRouterIPv4 is the link-local IPv4 address to use for Cilium router device
	LocalRouterIPv4 = "local-router-ipv4"

	// LocalRouterIPv6 is the link-local IPv6 address to use for Cilium router device
	LocalRouterIPv6 = "local-router-ipv6"

	// EnableEndpointRoutes enables use of per endpoint routes
	EnableEndpointRoutes = "enable-endpoint-routes"

	// ExcludeLocalAddress excludes certain addresses from being recognized as
	// local addresses
	ExcludeLocalAddress = "exclude-local-address"

	// IPv4PodSubnets is a list of IPv4 subnets that pods may be
	// assigned from. Used with CNI chaining where IPs are not directly managed
	// by Cilium.
	IPv4PodSubnets = "ipv4-pod-subnets"

	// IPv6PodSubnets is a list of IPv6 subnets that pods may be
	// assigned from. Used with CNI chaining where IPs are not directly managed
	// by Cilium.
	IPv6PodSubnets = "ipv6-pod-subnets"

	// IPAM is the IPAM method to use
	IPAM = "ipam"

	// IPAMMultiPoolPreAllocation defines the pre-allocation value for each IPAM pool
	IPAMMultiPoolPreAllocation = "ipam-multi-pool-pre-allocation"

	// IPAMDefaultIPPool defines the default IP Pool when using multi-pool
	IPAMDefaultIPPool = "ipam-default-ip-pool"

	// XDPModeNative for loading progs with XDPModeLinkDriver
	XDPModeNative = "native"

	// XDPModeBestEffort for loading progs with XDPModeLinkDriver
	XDPModeBestEffort = "best-effort"

	// XDPModeGeneric for loading progs with XDPModeLinkGeneric
	XDPModeGeneric = "testing-only"

	// XDPModeDisabled for not having XDP enabled
	XDPModeDisabled = "disabled"

	// XDPModeLinkDriver is the tc selector for native XDP
	XDPModeLinkDriver = "xdpdrv"

	// XDPModeLinkGeneric is the tc selector for generic XDP
	XDPModeLinkGeneric = "xdpgeneric"

	// XDPModeLinkNone for not having XDP enabled
	XDPModeLinkNone = XDPModeDisabled

	// K8sClientQPSLimit is the queries per second limit for the K8s client. Defaults to k8s client defaults.
	K8sClientQPSLimit = "k8s-client-qps"

	// K8sClientBurst is the burst value allowed for the K8s client. Defaults to k8s client defaults.
	K8sClientBurst = "k8s-client-burst"

	// AutoCreateCiliumNodeResource enables automatic creation of a
	// CiliumNode resource for the local node
	AutoCreateCiliumNodeResource = "auto-create-cilium-node-resource"

	// ExcludeNodeLabelPatterns allows for excluding unnecessary labels from being propagated from k8s node to cilium
	// node object. This allows for avoiding unnecessary events being broadcast to all nodes in the cluster.
	ExcludeNodeLabelPatterns = "exclude-node-label-patterns"

	// IPv4NativeRoutingCIDR describes a v4 CIDR in which pod IPs are routable
	IPv4NativeRoutingCIDR = "ipv4-native-routing-cidr"

	// IPv6NativeRoutingCIDR describes a v6 CIDR in which pod IPs are routable
	IPv6NativeRoutingCIDR = "ipv6-native-routing-cidr"

	// MasqueradeInterfaces is the selector used to select interfaces subject to
	// egress masquerading
	MasqueradeInterfaces = "egress-masquerade-interfaces"

	// PolicyTriggerInterval is the amount of time between invocations of
	// policy update triggers.
	PolicyTriggerInterval = "policy-trigger-interval"

	// IdentityAllocationMode specifies what mode to use for identity
	// allocation
	IdentityAllocationMode = "identity-allocation-mode"

	// IdentityAllocationModeKVstore enables use of a key-value store such
	// as etcd for identity allocation
	IdentityAllocationModeKVstore = "kvstore"

	// IdentityAllocationModeCRD enables use of Kubernetes CRDs for
	// identity allocation
	IdentityAllocationModeCRD = "crd"

	// IdentityAllocationModeDoubleWriteReadKVstore writes identities to the KVStore and as CRDs at the same time.
	// Identities are then read from the KVStore.
	IdentityAllocationModeDoubleWriteReadKVstore = "doublewrite-readkvstore"

	// IdentityAllocationModeDoubleWriteReadCRD writes identities to the KVStore and as CRDs at the same time.
	// Identities are then read from the CRDs.
	IdentityAllocationModeDoubleWriteReadCRD = "doublewrite-readcrd"

	// EnableLocalNodeRoute controls installation of the route which points
	// the allocation prefix of the local node.
	EnableLocalNodeRoute = "enable-local-node-route"

	// PolicyAuditModeArg argument enables policy audit mode.
	PolicyAuditModeArg = "policy-audit-mode"

	// PolicyAccountingArg argument enables policy accounting.
	PolicyAccountingArg = "policy-accounting"

	// K8sClientConnectionTimeout configures the timeout for K8s client connections.
	K8sClientConnectionTimeout = "k8s-client-connection-timeout"

	// K8sClientConnectionKeepAlive configures the keep alive duration for K8s client connections.
	K8sClientConnectionKeepAlive = "k8s-client-connection-keep-alive"

	// K8sHeartbeatTimeout configures the timeout for apiserver heartbeat
	K8sHeartbeatTimeout = "k8s-heartbeat-timeout"

	// EnableIPv4FragmentsTrackingName is the name of the option to enable
	// IPv4 fragments tracking for L4-based lookups. Needs LRU map support.
	EnableIPv4FragmentsTrackingName = "enable-ipv4-fragment-tracking"

	// FragmentsMapEntriesName configures max entries for BPF fragments
	// tracking map.
	FragmentsMapEntriesName = "bpf-fragments-map-max"

	// K8sEnableAPIDiscovery enables Kubernetes API discovery
	K8sEnableAPIDiscovery = "enable-k8s-api-discovery"

	// LBMapEntriesName configures max entries for BPF lbmap.
	LBMapEntriesName = "bpf-lb-map-max"

	// LBServiceMapMaxEntries configures max entries of bpf map for services.
	LBServiceMapMaxEntries = "bpf-lb-service-map-max"

	// LBBackendMapMaxEntries configures max entries of bpf map for service backends.
	LBBackendMapMaxEntries = "bpf-lb-service-backend-map-max"

	// LBRevNatMapMaxEntries configures max entries of bpf map for reverse NAT.
	LBRevNatMapMaxEntries = "bpf-lb-rev-nat-map-max"

	// LBAffinityMapMaxEntries configures max entries of bpf map for session affinity.
	LBAffinityMapMaxEntries = "bpf-lb-affinity-map-max"

	// LBSourceRangeAllTypes configures service source ranges for all service types.
	LBSourceRangeAllTypes = "bpf-lb-source-range-all-types"

	// LBSourceRangeMapMaxEntries configures max entries of bpf map for service source ranges.
	LBSourceRangeMapMaxEntries = "bpf-lb-source-range-map-max"

	// LBMaglevMapMaxEntries configures max entries of bpf map for Maglev.
	LBMaglevMapMaxEntries = "bpf-lb-maglev-map-max"

	// EgressMultiHomeIPRuleCompat instructs Cilium to use a new scheme to
	// store rules and routes under ENI and Azure IPAM modes, if false.
	// Otherwise, it will use the old scheme.
	EgressMultiHomeIPRuleCompat = "egress-multi-home-ip-rule-compat"

	// InstallUplinkRoutesForDelegatedIPAM installs ingress/egress routes through the
	// uplink on the host for Pods when working with a delegated IPAM plugin.
	InstallUplinkRoutesForDelegatedIPAM = "install-uplink-routes-for-delegated-ipam"

	// EnableCustomCallsName is the name of the option to enable tail calls
	// for user-defined custom eBPF programs.
	EnableCustomCallsName = "enable-custom-calls"

	// BGPSecretsNamespace is the Kubernetes namespace to get BGP control plane secrets from.
	BGPSecretsNamespace = "bgp-secrets-namespace"

	// ExternalClusterIPName is the name of the option to enable
	// cluster external access to ClusterIP services.
	ExternalClusterIPName = "bpf-lb-external-clusterip"

	// VLANBPFBypass instructs Cilium to bypass bpf logic for vlan tagged packets
	VLANBPFBypass = "vlan-bpf-bypass"

	// DisableExternalIPMitigation disables the ExternalIP mitigation (CVE-2020-8554)
	DisableExternalIPMitigation = "disable-external-ip-mitigation"

	// EnableICMPRules enables ICMP-based rule support for Cilium Network Policies.
	EnableICMPRules = "enable-icmp-rules"

	// UseCiliumInternalIPForIPsec uses the CiliumInternalIPs (vs. NodeInternalIPs) for IPsec encapsulation.
	UseCiliumInternalIPForIPsec = "use-cilium-internal-ip-for-ipsec"

	// BypassIPAvailabilityUponRestore bypasses the IP availability error
	// within IPAM upon endpoint restore and allows the use of the restored IP
	// regardless of whether it's available in the pool.
	BypassIPAvailabilityUponRestore = "bypass-ip-availability-upon-restore"

	// EnableK8sTerminatingEndpoint enables the option to auto detect terminating
	// state for endpoints in order to support graceful termination.
	EnableK8sTerminatingEndpoint = "enable-k8s-terminating-endpoint"

	// EnableVTEP enables cilium VXLAN VTEP integration
	EnableVTEP = "enable-vtep"

	// VtepEndpoint lists the VTEP endpoint IPs
	VtepEndpoint = "vtep-endpoint"

	VtepCIDR = "vtep-cidr"

	// VtepMask is the VTEP CIDR mask applied to all VtepCIDR entries
	VtepMask = "vtep-mask"

	VtepMAC = "vtep-mac"

	// TCFilterPriority sets the priority of the cilium tc filter, enabling other
	// filters to be inserted prior to the cilium filter.
	TCFilterPriority = "bpf-filter-priority"

	// EnableBGPControlPlane enables BGP control plane features
	EnableBGPControlPlane = "enable-bgp-control-plane"

	// EnableBGPControlPlaneStatusReport enables BGP Control Plane CRD status reporting
	EnableBGPControlPlaneStatusReport = "enable-bgp-control-plane-status-report"

	// BGPRouterIDAllocationMode selects the BGP router-id allocation mode in an IPv6 standalone environment
	BGPRouterIDAllocationMode = "bgp-router-id-allocation-mode"

	// EnableRuntimeDeviceDetection is the name of the option to enable detection
	// of new and removed datapath devices during the agent runtime.
	EnableRuntimeDeviceDetection = "enable-runtime-device-detection"

	// EnablePMTUDiscovery enables path MTU discovery to send ICMP
	// fragmentation-needed replies to the client (when needed).
	EnablePMTUDiscovery = "enable-pmtu-discovery"

	// BPFMapEventBuffers specifies which maps should have event buffers enabled,
	// and what the max size and TTL of events in the buffers should be.
	BPFMapEventBuffers = "bpf-map-event-buffers"

	// IPAMCiliumNodeUpdateRate is the maximum rate at which the CiliumNode custom
	// resource is updated.
	IPAMCiliumNodeUpdateRate = "ipam-cilium-node-update-rate"

	// EnableK8sNetworkPolicy enables support for K8s NetworkPolicy.
	EnableK8sNetworkPolicy = "enable-k8s-networkpolicy"

	// EnableCiliumNetworkPolicy enables support for Cilium Network Policy.
	EnableCiliumNetworkPolicy = "enable-cilium-network-policy"

	// EnableCiliumClusterwideNetworkPolicy enables support for Cilium Clusterwide
	// Network Policy.
	EnableCiliumClusterwideNetworkPolicy = "enable-cilium-clusterwide-network-policy"

	// PolicyCIDRMatchMode defines the entities that CIDR selectors can reach
	PolicyCIDRMatchMode = "policy-cidr-match-mode"

	// EnableNodeSelectorLabels enables use of the node label based identity
	EnableNodeSelectorLabels = "enable-node-selector-labels"

	// NodeLabels is the list of label prefixes used to determine identity of a node (requires enabling of
	// EnableNodeSelectorLabels)
	NodeLabels = "node-labels"

	// BPFEventsDropEnabled defines the DropNotification setting for any endpoint
	BPFEventsDropEnabled = "bpf-events-drop-enabled"

	// BPFEventsPolicyVerdictEnabled defines the PolicyVerdictNotification setting for any endpoint
	BPFEventsPolicyVerdictEnabled = "bpf-events-policy-verdict-enabled"

	// BPFEventsTraceEnabled defines the TraceNotification setting for any endpoint
	BPFEventsTraceEnabled = "bpf-events-trace-enabled"

	// BPFConntrackAccounting controls whether CT accounting for packets and bytes is enabled
	BPFConntrackAccounting = "bpf-conntrack-accounting"

	// EnableInternalTrafficPolicy enables handling routing for services with internalTrafficPolicy configured
	EnableInternalTrafficPolicy = "enable-internal-traffic-policy"

	// EnableNonDefaultDenyPolicies allows policies to define whether they are operating in default-deny mode
	EnableNonDefaultDenyPolicies = "enable-non-default-deny-policies"

	// EnableEndpointLockdownOnPolicyOverflow enables endpoint lockdown when an endpoint's
	// policy map overflows.
	EnableEndpointLockdownOnPolicyOverflow = "enable-endpoint-lockdown-on-policy-overflow"

	// ConnectivityProbeFrequencyRatio is the name of the option to specify the connectivity probe frequency
	ConnectivityProbeFrequencyRatio = "connectivity-probe-frequency-ratio"
const (
	// RoutingModeNative specifies native routing mode
	RoutingModeNative = "native"

	// RoutingModeTunnel specifies tunneling mode
	RoutingModeTunnel = "tunnel"

Available options for DaemonConfig.RoutingMode

const (
	// HTTP403Message specifies the response body for 403 responses, defaults to "Access denied"
	HTTP403Message = "http-403-msg"

	// ReadCNIConfiguration reads the CNI configuration file and extracts
	// Cilium relevant information. This can be used to pass per node
	// configuration to Cilium.
	ReadCNIConfiguration = "read-cni-conf"

	// WriteCNIConfigurationWhenReady writes the CNI configuration to the
	// specified location once the agent is ready to serve requests. This
	// allows keeping a Kubernetes node NotReady until Cilium is up and
	// running and able to schedule endpoints.
	WriteCNIConfigurationWhenReady = "write-cni-conf-when-ready"

	// CNIExclusive tells the agent to remove other CNI configuration files
	CNIExclusive = "cni-exclusive"

	// CNIExternalRouting delegates endpoint routing to the chained CNI plugin.
	CNIExternalRouting = "cni-external-routing"

	// CNILogFile is the path to a log file (on the host) for the CNI plugin
	// binary to use for logging.
	CNILogFile = "cni-log-file"

	// EnableCiliumEndpointSlice enables the cilium endpoint slicing feature.
	EnableCiliumEndpointSlice = "enable-cilium-endpoint-slice"

	// IdentityManagementMode controls whether CiliumIdentities are managed by cilium-agent, cilium-operator, or both.
	IdentityManagementMode = "identity-management-mode"

	// EnableSourceIPVerification enables source IP verification; defaults to true
	EnableSourceIPVerification = "enable-source-ip-verification"
const (
	// NodePortMinDefault is the minimal port to listen for NodePort requests
	NodePortMinDefault = 30000

	// NodePortMaxDefault is the maximum port to listen for NodePort requests
	NodePortMaxDefault = 32767

	// NodePortModeSNAT is for SNATing requests to remote nodes
	NodePortModeSNAT = "snat"

	// NodePortModeDSR is for performing DSR for requests to remote nodes
	NodePortModeDSR = "dsr"

	// NodePortModeHybrid is a dual mode of the above, that is, DSR for TCP and SNAT for UDP
	NodePortModeHybrid = "hybrid"

	// NodePortAlgRandom is for randomly selecting a backend
	NodePortAlgRandom = "random"

	// NodePortAlgMaglev is for using maglev consistent hashing for backend selection
	NodePortAlgMaglev = "maglev"

	// DSRDispatchOption is the DSR dispatch mode that encodes the service into an IP option or extension header
	DSRDispatchOption = "opt"

	// DSRDispatchIPIP is the DSR dispatch mode that encapsulates in IPIP
	DSRDispatchIPIP = "ipip"

	// DSRDispatchGeneve is the DSR dispatch mode that encapsulates in Geneve
	DSRDispatchGeneve = "geneve"

	// NodePortAccelerationDisabled means we do not accelerate NodePort via XDP
	NodePortAccelerationDisabled = XDPModeDisabled

	// NodePortAccelerationGeneric means we accelerate NodePort via generic XDP
	NodePortAccelerationGeneric = XDPModeGeneric

	// NodePortAccelerationNative means we accelerate NodePort via native XDP in the driver (preferred)
	NodePortAccelerationNative = XDPModeNative

	// NodePortAccelerationBestEffort means we accelerate NodePort via native XDP in the driver (preferred), but will skip devices without driver support
	NodePortAccelerationBestEffort = XDPModeBestEffort

	// KubeProxyReplacementTrue specifies to enable all kube-proxy replacement
	// features (might panic).
	KubeProxyReplacementTrue = "true"

	// KubeProxyReplacementFalse specifies to enable only selected kube-proxy
	// replacement features (might panic).
	KubeProxyReplacementFalse = "false"

	// KubeProxyReplacementHealthzBindAddr is the bind address of the kube-proxy replacement healthz server
	KubeProxyReplacementHealthzBindAddr = "kube-proxy-replacement-healthz-bind-address"

	// PprofAddressAgent is the default value for pprof in the agent
	PprofAddressAgent = "localhost"

	// PprofPortAgent is the default value for pprof in the agent
	PprofPortAgent = 6060

	// IdentityManagementModeAgent means cilium-agent is solely responsible for managing CiliumIdentity.
	IdentityManagementModeAgent = "agent"

	// IdentityManagementModeOperator means cilium-operator is solely responsible for managing CiliumIdentity.
	IdentityManagementModeOperator = "operator"

	// IdentityManagementModeBoth means cilium-agent and cilium-operator both manage identities
	// (used only during migration between "agent" and "operator").
	IdentityManagementModeBoth = "both"
const (
	// TCP_FIN, ... from <linux/tcp.h> (host byte-order)
	TCP_FIN = uint16(0x0001)
	TCP_SYN = uint16(0x0002)
	TCP_RST = uint16(0x0004)
	TCP_PSH = uint16(0x0008)
	TCP_ACK = uint16(0x0010)
	TCP_URG = uint16(0x0020)
	TCP_ECE = uint16(0x0040)
	TCP_CWR = uint16(0x0080)
const (
	PolicyTracing        = "PolicyTracing"
	ConntrackAccounting  = "ConntrackAccounting"
	ConntrackLocal       = "ConntrackLocal"
	Debug                = "Debug"
	DebugLB              = "DebugLB"
	DebugPolicy          = "DebugPolicy"
	DropNotify           = "DropNotification"
	TraceNotify          = "TraceNotification"
	TraceSockNotify      = "TraceSockNotification"
	PolicyVerdictNotify  = "PolicyVerdictNotification"
	PolicyAuditMode      = "PolicyAuditMode"
	PolicyAccounting     = "PolicyAccounting"
	MonitorAggregation   = "MonitorAggregationLevel"
	SourceIPVerification = "SourceIPVerification"
	AlwaysEnforce        = "always"
	NeverEnforce         = "never"
	DefaultEnforcement   = "default"
// HostExtensionMKE is a fixed host-extension identifier value. Its consumer is
// not visible in this file; the "MKE" suffix presumably refers to Mirantis
// Kubernetes Engine — TODO confirm against callers.
const HostExtensionMKE = 0x1bda7a


var (
	FQDNRejectOptions = []string{FQDNProxyDenyWithNameError, FQDNProxyDenyWithRefused}

	// MonitorAggregationFlagsDefault ensure that all TCP flags trigger
	// monitor notifications even under medium monitor aggregation.
	MonitorAggregationFlagsDefault = []string{"syn", "fin", "rst"}

Default string arguments

var (

	// DaemonOptionLibrary is the daemon's option library that should be
	// used for read-only.
	DaemonOptionLibrary = OptionLibrary{
		PolicyTracing: &specPolicyTracing,

	DaemonMutableOptionLibrary = OptionLibrary{
		ConntrackAccounting:  &specConntrackAccounting,
		PolicyAccounting:     &specPolicyAccounting,
		ConntrackLocal:       &specConntrackLocal,
		Debug:                &specDebug,
		DebugLB:              &specDebugLB,
		DebugPolicy:          &specDebugPolicy,
		DropNotify:           &specDropNotify,
		TraceNotify:          &specTraceNotify,
		PolicyVerdictNotify:  &specPolicyVerdictNotify,
		PolicyAuditMode:      &specPolicyAuditMode,
		MonitorAggregation:   &specMonitorAggregation,
		SourceIPVerification: &specSourceIPVerification,
var (
	// Config represents the daemon configuration
	Config = &DaemonConfig{
		CreationTime:                    time.Now(),
		Opts:                            NewIntOptions(&DaemonOptionLibrary),
		Monitor:                         &models.MonitorStatus{Cpus: int64(runtime.NumCPU()), Npages: 64, Pagesize: int64(os.Getpagesize()), Lost: 0, Unknown: 0},
		IPv6ClusterAllocCIDR:            defaults.IPv6ClusterAllocCIDR,
		IPv6ClusterAllocCIDRBase:        defaults.IPv6ClusterAllocCIDRBase,
		IPAMDefaultIPPool:               defaults.IPAMDefaultIPPool,
		EnableHealthChecking:            defaults.EnableHealthChecking,
		EnableEndpointHealthChecking:    defaults.EnableEndpointHealthChecking,
		EnableHealthCheckLoadBalancerIP: defaults.EnableHealthCheckLoadBalancerIP,
		EnableHealthCheckNodePort:       defaults.EnableHealthCheckNodePort,
		HealthCheckICMPFailureThreshold: defaults.HealthCheckICMPFailureThreshold,
		EnableIPv4:                      defaults.EnableIPv4,
		EnableIPv6:                      defaults.EnableIPv6,
		EnableIPv6NDP:                   defaults.EnableIPv6NDP,
		EnableSCTP:                      defaults.EnableSCTP,
		EnableL7Proxy:                   defaults.EnableL7Proxy,
		DNSMaxIPsPerRestoredRule:        defaults.DNSMaxIPsPerRestoredRule,
		ToFQDNsMaxIPsPerHost:            defaults.ToFQDNsMaxIPsPerHost,
		KVstorePeriodicSync:             defaults.KVstorePeriodicSync,
		KVstoreConnectivityTimeout:      defaults.KVstoreConnectivityTimeout,
		KVstorePodNetworkSupport:        defaults.KVstorePodNetworkSupport,
		IdentityChangeGracePeriod:       defaults.IdentityChangeGracePeriod,
		IdentityRestoreGracePeriod:      defaults.IdentityRestoreGracePeriodK8s,
		FixedIdentityMapping:            make(map[string]string),
		KVStoreOpt:                      make(map[string]string),
		LogOpt:                          make(map[string]string),
		LoopbackIPv4:                    defaults.LoopbackIPv4,
		EnableEndpointRoutes:            defaults.EnableEndpointRoutes,
		AnnotateK8sNode:                 defaults.AnnotateK8sNode,
		K8sServiceCacheSize:             defaults.K8sServiceCacheSize,
		AutoCreateCiliumNodeResource:    defaults.AutoCreateCiliumNodeResource,
		IdentityAllocationMode:          IdentityAllocationModeKVstore,
		AllowICMPFragNeeded:             defaults.AllowICMPFragNeeded,
		AllocatorListTimeout:            defaults.AllocatorListTimeout,
		EnableICMPRules:                 defaults.EnableICMPRules,
		UseCiliumInternalIPForIPsec:     defaults.UseCiliumInternalIPForIPsec,

		K8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery,

		ExternalClusterIP:                    defaults.ExternalClusterIP,
		EnableVTEP:                           defaults.EnableVTEP,
		EnableBGPControlPlane:                defaults.EnableBGPControlPlane,
		EnableK8sNetworkPolicy:               defaults.EnableK8sNetworkPolicy,
		EnableCiliumNetworkPolicy:            defaults.EnableCiliumNetworkPolicy,
		EnableCiliumClusterwideNetworkPolicy: defaults.EnableCiliumClusterwideNetworkPolicy,
		PolicyCIDRMatchMode:                  defaults.PolicyCIDRMatchMode,
		MaxConnectedClusters:                 defaults.MaxConnectedClusters,

		BPFEventsDropEnabled:          defaults.BPFEventsDropEnabled,
		BPFEventsPolicyVerdictEnabled: defaults.BPFEventsPolicyVerdictEnabled,
		BPFEventsTraceEnabled:         defaults.BPFEventsTraceEnabled,
		BPFConntrackAccounting:        defaults.BPFConntrackAccounting,
		EnableEnvoyConfig:             defaults.EnableEnvoyConfig,
		EnableInternalTrafficPolicy:   defaults.EnableInternalTrafficPolicy,

		EnableNonDefaultDenyPolicies: defaults.EnableNonDefaultDenyPolicies,

		EnableSourceIPVerification: defaults.EnableSourceIPVerification,

		ConnectivityProbeFrequencyRatio: defaults.ConnectivityProbeFrequencyRatio,
var (
	TCPFlags = map[string]uint16{
		"none": uint16(0x0000),
		"all":  uint16(0x00FF),
		"fin":  TCP_FIN,
		"syn":  TCP_SYN,
		"rst":  TCP_RST,
		"psh":  TCP_PSH,
		"ack":  TCP_ACK,
		"urg":  TCP_URG,
		"ece":  TCP_ECE,
		"cwr":  TCP_CWR,


func BindEnv added in v0.15.7

func BindEnv(vp *viper.Viper, optName string)

BindEnv binds the option name to a deterministically generated environment variable which is based on the given optName. If the same optName is bound more than once, this function panics.

func BindEnvWithLegacyEnvFallback added in v0.15.7

func BindEnvWithLegacyEnvFallback(vp *viper.Viper, optName, legacyEnvName string)

BindEnvWithLegacyEnvFallback binds the given option name with either the same environment variable as BindEnv, if it's set, or with the given legacyEnvName.

The function is used to work around the viper.BindEnv limitation that only one environment variable can be bound for an option, and we need multiple environment variables due to backward compatibility reasons.

func FormatMonitorAggregationLevel added in v0.15.7

func FormatMonitorAggregationLevel(level OptionSetting) string

FormatMonitorAggregationLevel maps a MonitorAggregationLevel to a string.

func InitConfig added in v0.15.7

func InitConfig(cmd *cobra.Command, programName, configName string, vp *viper.Viper) func()

InitConfig reads in config file and ENV variables if set.

func LogRegisteredOptions added in v0.15.7

func LogRegisteredOptions(vp *viper.Viper, entry *logrus.Entry)

LogRegisteredOptions logs all options that were bound to viper.

func MergeConfig added in v0.15.7

func MergeConfig(vp *viper.Viper, m map[string]interface{}) error

MergeConfig merges the given configuration map with viper's configuration.

func NetworkPolicyEnabled added in v1.17.0

func NetworkPolicyEnabled(cfg *DaemonConfig) bool

NetworkPolicyEnabled returns true if the network policy enforcement system is enabled for K8s, Cilium and Cilium Clusterwide network policies.

func ReadDirConfig added in v0.15.7

func ReadDirConfig(dirName string) (map[string]interface{}, error)

ReadDirConfig reads the given directory and returns a map that maps the filename to the contents of that file.

func ReplaceDeprecatedFields added in v0.15.7

func ReplaceDeprecatedFields(m map[string]interface{})

ReplaceDeprecatedFields replaces the deprecated options set with the new set of options that overwrite the deprecated ones. This function replaces the deprecated fields used by environment variables with a different name than the option they are setting. This also replaces the deprecated names used in the Kubernetes ConfigMap. Once we remove them from this function we also need to remove them from daemon_main.go and warn users that neither the old environment variable nor the option in the configuration map has any effect.

func StoreViperInFile added in v0.15.7

func StoreViperInFile(dir string) error

StoreViperInFile stores viper's configuration in the given directory under the file name 'viper-config.yaml'. If this file already exists, it is renamed to 'viper-config-1.yaml'; if 'viper-config-1.yaml' also exists, it is renamed to 'viper-config-2.yaml'.

func VerifyMonitorAggregationLevel added in v0.15.7

func VerifyMonitorAggregationLevel(key, value string) error

VerifyMonitorAggregationLevel validates the specified key/value for a monitor aggregation level.


type BPFClockSource added in v0.15.7

// BPFClockSource is an integer enumeration of BPF clock sources; its first
// value is ClockSourceKtime (iota, i.e. 0).
type BPFClockSource int
const (
	ClockSourceKtime BPFClockSource = iota

type BPFEventBufferConfig added in v0.15.7

type BPFEventBufferConfig struct {
	Enabled bool
	MaxSize int
	TTL     time.Duration

BPFEventBufferConfig contains parsed configuration for a bpf map event buffer.

func ParseEventBufferTupleString added in v0.15.7

func ParseEventBufferTupleString(optsStr string) (BPFEventBufferConfig, error)

ParseEventBufferTupleString parses an event buffer configuration tuple string, for example: true,100,24h, which refers to enabled=true, maxSize=100, ttl=24hours.

type BPFEventBufferConfigs added in v0.15.7

// BPFEventBufferConfigs contains parsed bpf event buffer configs, indexed by
// map name.
type BPFEventBufferConfigs map[string]BPFEventBufferConfig

BPFEventBufferConfigs contains parsed bpf event buffer configs, indexed by map name.

type ChangedFunc

// ChangedFunc is called by `Apply()` for each option changed: key is the option
// name and value its new setting. data is presumably caller-supplied context
// passed through unchanged by Apply() — confirm against its implementation.
type ChangedFunc func(key string, value OptionSetting, data interface{})

ChangedFunc is called by `Apply()` for each option changed

type DaemonConfig added in v0.15.7

type DaemonConfig struct {
	CreationTime       time.Time
	BpfDir             string   // BPF template files directory
	LibDir             string   // Cilium library files directory
	RunDir             string   // Cilium runtime directory
	ExternalEnvoyProxy bool     // Whether Envoy is deployed as external DaemonSet or not
	LBDevInheritIPAddr string   // Device which IP addr used by bpf_host devices
	EnableXDPPrefilter bool     // Enable XDP-based prefiltering
	XDPMode            string   // XDP mode, values: { xdpdrv | xdpgeneric | none }
	EnableTCX          bool     // Enable attaching endpoint programs using tcx if the kernel supports it
	HostV4Addr         net.IP   // Host v4 address of the snooping device
	HostV6Addr         net.IP   // Host v6 address of the snooping device
	EncryptInterface   []string // Set of network facing interface to encrypt over
	EncryptNode        bool     // Set to true for encrypting node IP traffic

	// If set to true the daemon will detect new and deleted datapath devices
	// at runtime and reconfigure the datapath to load programs onto the new
	// devices.
	EnableRuntimeDeviceDetection bool

	DatapathMode string // Datapath mode
	RoutingMode  string // Routing mode

	DryMode bool // Do not create BPF maps, devices, ..

	// RestoreState enables restoring the state from previous running daemons.
	RestoreState bool

	KeepConfig bool // Keep configuration of existing endpoints when starting up.

	// AllowLocalhost defines when the local stack is allowed to reach local
	// endpoints. Values: { auto | always | policy }
	AllowLocalhost string

	// StateDir is the directory where runtime state of endpoints is stored
	StateDir string

	// Options changeable at runtime
	Opts *IntOptions

	// Monitor contains the configuration for the node monitor.
	Monitor *models.MonitorStatus

	// AgentHealthPort is the TCP port for agent health status API
	AgentHealthPort int

	// ClusterHealthPort is the TCP port for cluster-wide network connectivity health API
	ClusterHealthPort int

	// ClusterMeshHealthPort is the TCP port for ClusterMesh apiserver health API
	ClusterMeshHealthPort int

	// AgentLabels contains additional labels to identify this agent in monitor events.
	AgentLabels []string

	// IPv6ClusterAllocCIDR is the base CIDR used to allocate IPv6 node
	// CIDRs if allocation is not performed by an orchestration system
	IPv6ClusterAllocCIDR string

	// IPv6ClusterAllocCIDRBase is derived from IPv6ClusterAllocCIDR and
	// contains the CIDR without the mask, e.g. "fdfd::1/64" -> "fdfd::"
	// This variable should never be written to, it is initialized via
	// DaemonConfig.Validate()
	IPv6ClusterAllocCIDRBase string

	// IPv6NAT46x64CIDR is the private base CIDR for the NAT46x64 gateway
	IPv6NAT46x64CIDR string

	// IPv6NAT46x64CIDRBase is derived from IPv6NAT46x64CIDR and contains
	// the IPv6 prefix with the masked bits zeroed out
	IPv6NAT46x64CIDRBase netip.Addr

	// K8sRequireIPv4PodCIDR requires the k8s node resource to specify the
	// IPv4 PodCIDR. Cilium will block bootstrapping until the information
	// is available.
	K8sRequireIPv4PodCIDR bool

	// K8sRequireIPv6PodCIDR requires the k8s node resource to specify the
	// IPv6 PodCIDR. Cilium will block bootstrapping until the information
	// is available.
	K8sRequireIPv6PodCIDR bool

	// K8sServiceCacheSize is the service cache size for cilium k8s package.
	K8sServiceCacheSize uint

	// MTU is the maximum transmission unit of the underlying network
	MTU int

	// RouteMetric is the metric used for the routes added to the cilium_host device
	RouteMetric int

	// ClusterName is the name of the cluster
	ClusterName string

	// ClusterID is the unique identifier of the cluster
	ClusterID uint32

	// CTMapEntriesGlobalTCP is the maximum number of conntrack entries
	// allowed in each TCP CT table for IPv4/IPv6.
	CTMapEntriesGlobalTCP int

	// CTMapEntriesGlobalAny is the maximum number of conntrack entries
	// allowed in each non-TCP CT table for IPv4/IPv6.
	CTMapEntriesGlobalAny int

	// CTMapEntriesTimeout* values configured by the user.
	CTMapEntriesTimeoutTCP         time.Duration
	CTMapEntriesTimeoutAny         time.Duration
	CTMapEntriesTimeoutSVCTCP      time.Duration
	CTMapEntriesTimeoutSVCTCPGrace time.Duration
	CTMapEntriesTimeoutSVCAny      time.Duration
	CTMapEntriesTimeoutSYN         time.Duration
	CTMapEntriesTimeoutFIN         time.Duration

	// MaxInternalTimerDelay sets a maximum on all periodic timers in
	// the agent in order to flush out timer-related bugs in the agent.
	MaxInternalTimerDelay time.Duration

	// MonitorAggregationInterval configures the interval between monitor
	// messages when monitor aggregation is enabled.
	MonitorAggregationInterval time.Duration

	// MonitorAggregationFlags determines which TCP flags the monitor
	// aggregation ensures reports are generated for when monitor aggregation
	// is enabled. Network byte-order.
	MonitorAggregationFlags uint16

	// BPFEventsDefaultRateLimit specifies limit of messages per second that can be written to
	// BPF events map. This limit is defined for all types of events except dbg and pcap.
	// The number of messages is averaged, meaning that if no messages were written
	// to the map over 5 seconds, it's possible to write more events than the value of rate limit
	// in the 6th second.
	// If BPFEventsDefaultRateLimit > 0, a non-zero value for BPFEventsDefaultBurstLimit must also be provided,
	// otherwise the configuration is considered invalid.
	BPFEventsDefaultRateLimit uint32

	// BPFEventsDefaultBurstLimit specifies the maximum number of messages that can be written
	// to BPF events map in 1 second. This limit is defined for all types of events except dbg and pcap.
	// If BPFEventsDefaultBurstLimit > 0, a non-zero value for BPFEventsDefaultRateLimit must also be provided,
	// otherwise the configuration is considered invalid.
	// If both burst and rate limit are 0 or not specified, no limit is imposed.
	BPFEventsDefaultBurstLimit uint32

	// BPFMapsDynamicSizeRatio is ratio of total system memory to use for
	// dynamic sizing of the CT, NAT, Neighbor and SockRevNAT BPF maps.
	BPFMapsDynamicSizeRatio float64

	// NATMapEntriesGlobal is the maximum number of NAT mappings allowed
	// in the BPF NAT table
	NATMapEntriesGlobal int

	// NeighMapEntriesGlobal is the maximum number of neighbor mappings
	// allowed in the BPF neigh table
	NeighMapEntriesGlobal int

	// AuthMapEntries is the maximum number of entries in the auth map.
	AuthMapEntries int

	// PolicyMapFullReconciliationInterval is the interval at which to perform
	// the full reconciliation of the endpoint policy map.
	PolicyMapFullReconciliationInterval time.Duration

	// SockRevNatEntries is the maximum number of sock rev nat mappings
	// allowed in the BPF rev nat table
	SockRevNatEntries int

	// DisableCiliumEndpointCRD disables the use of CiliumEndpoint CRD
	DisableCiliumEndpointCRD bool

	// MaxControllerInterval is the maximum value for a controller's
	// RunInterval. Zero means unlimited.
	MaxControllerInterval int

	// HTTP403Message is the error message to return when a HTTP 403 is returned
	// by the proxy, if L7 policy is configured.
	HTTP403Message string

	ProcFs string

	// K8sNamespace is the name of the namespace in which Cilium is
	// deployed in when running in Kubernetes mode
	K8sNamespace string

	// AgentNotReadyNodeTaint is a node taint which prevents pods from being
	// scheduled. Once cilium is setup it is removed from the node. Mostly
	// used in cloud providers to prevent existing CNI plugins from managing
	// pods.
	AgentNotReadyNodeTaintKey string

	// EnableIPv4 is true when IPv4 is enabled
	EnableIPv4 bool

	// EnableIPv6 is true when IPv6 is enabled
	EnableIPv6 bool

	// EnableNat46X64Gateway is true when L3 based NAT46 and NAT64 translation is enabled
	EnableNat46X64Gateway bool

	// EnableIPv6NDP is true when NDP is enabled for IPv6
	EnableIPv6NDP bool

	// EnableSRv6 is true when SRv6 encapsulation support is enabled
	EnableSRv6 bool

	// SRv6EncapMode is the encapsulation mode for SRv6
	SRv6EncapMode string

	// EnableSCTP is true when SCTP support is enabled.
	EnableSCTP bool

	// IPv6MCastDevice is the name of device that joins IPv6's solicitation multicast group
	IPv6MCastDevice string

	// EnableL7Proxy is the option to enable L7 proxy
	EnableL7Proxy bool

	// EnableIPSec is true when IPSec is enabled
	EnableIPSec bool

	// IPSecKeyFile is the path to the file holding the IPsec keys. The file
	// contains key material, so its permissions should restrict access to
	// the agent.
	IPSecKeyFile string

	// Duration of the IPsec key rotation. After that time, we will clean the
	// previous IPsec key from the node.
	IPsecKeyRotationDuration time.Duration

	// Enable watcher for IPsec key. If disabled, a restart of the agent will
	// be necessary on key rotations.
	EnableIPsecKeyWatcher bool

	// EnableIPSecXfrmStateCaching enables IPSec XfrmState caching.
	EnableIPSecXfrmStateCaching bool

	// EnableIPSecEncryptedOverlay enables IPSec encryption for overlay traffic.
	EnableIPSecEncryptedOverlay bool

	// BootIDFile is the file containing the boot ID of the node
	BootIDFile string

	// EnableWireguard enables Wireguard encryption
	EnableWireguard bool

	// EnableEncryptionStrictMode enables strict mode for encryption
	EnableEncryptionStrictMode bool

	// WireguardTrackAllIPsFallback forces the WireGuard agent to track all IPs.
	WireguardTrackAllIPsFallback bool

	// EncryptionStrictModeCIDR is the CIDR to use for strict mode
	EncryptionStrictModeCIDR netip.Prefix

	// EncryptionStrictModeAllowRemoteNodeIdentities allows dynamic lookup of node identities.
	// This is required when tunneling is used
	// or direct routing is used and the node CIDR and pod CIDR overlap.
	EncryptionStrictModeAllowRemoteNodeIdentities bool

	// WireguardPersistentKeepalive controls Wireguard PersistentKeepalive option.
	WireguardPersistentKeepalive time.Duration

	// EnableL2Announcements enables L2 announcement of service IPs
	EnableL2Announcements bool

	// L2AnnouncerLeaseDuration, if a lease has not been renewed for X amount of time, a new leader can be chosen.
	L2AnnouncerLeaseDuration time.Duration
	// L2AnnouncerRenewDeadline, the leader will renew the lease every X amount of time.
	L2AnnouncerRenewDeadline time.Duration
	// L2AnnouncerRetryPeriod, on renew failure, retry after X amount of time.
	L2AnnouncerRetryPeriod time.Duration

	// NodeEncryptionOptOutLabels contains the label selectors for nodes opting out of
	// node-to-node encryption
	// This field ignored when marshalling to JSON in DaemonConfig.StoreInFile,
	// because a k8sLabels.Selector cannot be unmarshalled from JSON. The
	// string is stored in NodeEncryptionOptOutLabelsString instead.
	NodeEncryptionOptOutLabels k8sLabels.Selector `json:"-"`
	// NodeEncryptionOptOutLabelsString is the string used to construct
	// the label selector in the above field.
	NodeEncryptionOptOutLabelsString string

	BPFRoot                       string
	BPFSocketLBHostnsOnly         bool
	CGroupRoot                    string
	BPFCompileDebug               string
	CompilerFlags                 []string
	ConfigFile                    string
	ConfigDir                     string
	Debug                         bool
	DebugVerbose                  []string
	EnableSocketLB                bool
	EnableSocketLBTracing         bool
	EnableSocketLBPeer            bool
	EnablePolicy                  string
	EnableTracing                 bool
	EnableIPIPTermination         bool
	EnableUnreachableRoutes       bool
	FixedIdentityMapping          map[string]string
	FixedIdentityMappingValidator func(val string) (string, error) `json:"-"`
	FixedZoneMapping              map[string]uint8
	ReverseFixedZoneMapping       map[uint8]string
	FixedZoneMappingValidator     func(val string) (string, error) `json:"-"`
	IPv4Range                     string
	IPv6Range                     string
	IPv4ServiceRange              string
	IPv6ServiceRange              string
	K8sSyncTimeout                time.Duration
	AllocatorListTimeout          time.Duration
	KVStore                       string
	KVStoreOpt                    map[string]string
	LabelPrefixFile               string
	Labels                        []string
	LogDriver                     []string
	LogOpt                        map[string]string
	LogSystemLoadConfig           bool

	// Masquerade specifies whether or not to masquerade packets from endpoints
	// leaving the host.
	EnableIPv4Masquerade        bool
	EnableIPv6Masquerade        bool
	EnableBPFMasquerade         bool
	EnableMasqueradeRouteSource bool
	EnableIPMasqAgent           bool
	IPMasqAgentConfigPath       string

	EnableBPFClockProbe     bool
	EnableIPv4EgressGateway bool
	EnableEnvoyConfig       bool
	InstallIptRules         bool
	MonitorAggregation      string
	PreAllocateMaps         bool
	IPv6NodeAddr            string
	IPv4NodeAddr            string
	SocketPath              string
	TracePayloadlen         int
	Version                 string
	PrometheusServeAddr     string
	ToFQDNsMinTTL           int

	// DNSMaxIPsPerRestoredRule defines the maximum number of IPs to maintain
	// for each FQDN selector in endpoint's restored DNS rules
	DNSMaxIPsPerRestoredRule int

	// DNSPolicyUnloadOnShutdown defines whether DNS policy rules should be unloaded on
	// graceful shutdown.
	DNSPolicyUnloadOnShutdown bool

	// ToFQDNsProxyPort is the user-configured global, shared, DNS listen port used
	// by the DNS Proxy. Both UDP and TCP are handled on the same port. When it
	// is 0 a random port will be assigned, and can be obtained from
	// DefaultDNSProxy below.
	ToFQDNsProxyPort int

	// ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain
	// for each FQDN name in an endpoint's FQDN cache
	ToFQDNsMaxIPsPerHost int

	// ToFQDNsMaxDeferredConnectionDeletes defines the maximum number of IPs to retain for
	// expired DNS lookups with still-active connections
	ToFQDNsMaxDeferredConnectionDeletes int

	// ToFQDNsIdleConnectionGracePeriod Time during which idle but
	// previously active connections with expired DNS lookups are
	// still considered alive
	ToFQDNsIdleConnectionGracePeriod time.Duration

	// FQDNRejectResponse is the dns-proxy response for invalid dns-proxy request
	FQDNRejectResponse string

	// FQDNProxyResponseMaxDelay The maximum time the DNS proxy holds an allowed
	// DNS response before sending it along. Responses are sent as soon as the
	// datapath is updated with the new IP information.
	FQDNProxyResponseMaxDelay time.Duration

	// FQDNRegexCompileLRUSize is the size of the FQDN regex compilation LRU.
	// Useful for heavy but repeated FQDN MatchName or MatchPattern use.
	FQDNRegexCompileLRUSize int

	// Path to a file with DNS cache data to preload on startup
	ToFQDNsPreCache string

	// ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to
	// endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
	ToFQDNsEnableDNSCompression bool

	// DNSProxyConcurrencyLimit limits parallel processing of DNS messages in
	// DNS proxy at any given point in time.
	DNSProxyConcurrencyLimit int

	// DNSProxyConcurrencyProcessingGracePeriod is the amount of grace time to
	// wait while processing DNS messages when the DNSProxyConcurrencyLimit has
	// been reached.
	DNSProxyConcurrencyProcessingGracePeriod time.Duration

	// DNSProxyEnableTransparentMode enables transparent mode for the DNS proxy.
	DNSProxyEnableTransparentMode bool

	// DNSProxyInsecureSkipTransparentModeCheck is a hidden flag that allows users
	// to disable transparent mode even if IPSec is enabled. As the name says, this
	// bypasses a safety check and should not be set in normal operation.
	DNSProxyInsecureSkipTransparentModeCheck bool

	// DNSProxyLockCount is the array size containing mutexes which protect
	// against parallel handling of DNS response names.
	DNSProxyLockCount int

	// DNSProxyLockTimeout is timeout when acquiring the locks controlled by
	// DNSProxyLockCount.
	DNSProxyLockTimeout time.Duration

	// DNSProxySocketLingerTimeout defines how many seconds we wait for the connection
	// between the DNS proxy and the upstream server to be closed.
	DNSProxySocketLingerTimeout int

	// EnableBPFTProxy enables implementing proxy redirection via BPF
	// mechanisms rather than iptables rules.
	EnableBPFTProxy bool

	// EnableAutoDirectRouting enables installation of direct routes to
	// other nodes when available
	EnableAutoDirectRouting bool

	// DirectRoutingSkipUnreachable skips installation of direct routes
	// to nodes when they're not on the same L2
	DirectRoutingSkipUnreachable bool

	// EnableLocalNodeRoute controls installation of the route which points
	// the allocation prefix of the local node.
	EnableLocalNodeRoute bool

	// EnableHealthChecking enables health checking between nodes and
	// health endpoints
	EnableHealthChecking bool

	// EnableEndpointHealthChecking enables health checking between virtual
	// health endpoints
	EnableEndpointHealthChecking bool

	// EnableHealthCheckNodePort enables health checking of NodePort by
	// cilium
	EnableHealthCheckNodePort bool

	// EnableHealthCheckLoadBalancerIP enables health checking of LoadBalancerIP
	// by cilium
	EnableHealthCheckLoadBalancerIP bool

	// HealthCheckICMPFailureThreshold is the number of ICMP packets sent for each health
	// checking run. If at least one ICMP response is received, the node or endpoint
	// is marked as healthy.
	HealthCheckICMPFailureThreshold int

	// KVstoreLeaseTTL is the time-to-live for kvstore lease.
	KVstoreLeaseTTL time.Duration

	// KVstoreMaxConsecutiveQuorumErrors is the maximum number of acceptable
	// kvstore consecutive quorum errors before the agent assumes permanent failure
	KVstoreMaxConsecutiveQuorumErrors uint

	// KVstorePeriodicSync is the time interval in which periodic
	// synchronization with the kvstore occurs
	KVstorePeriodicSync time.Duration

	// KVstoreConnectivityTimeout is the timeout when performing kvstore operations
	KVstoreConnectivityTimeout time.Duration

	// KVstorePodNetworkSupport enables the support for running the Cilium KVstore
	// in pod network.
	KVstorePodNetworkSupport bool

	// IdentityChangeGracePeriod is the grace period that needs to pass
	// before an endpoint that has changed its identity will start using
	// that new identity. During the grace period, the new identity has
	// already been allocated and other nodes in the cluster have a chance
	// to whitelist the new upcoming identity of the endpoint.
	IdentityChangeGracePeriod time.Duration

	// IdentityRestoreGracePeriod is the grace period that needs to pass before CIDR identities
	// restored during agent restart are released. If any of the restored identities remains
	// unused after this time, they will be removed from the IP cache. Any of the restored
	// identities that are used in network policies will remain in the IP cache until all such
	// policies are removed.
	// The default is 30 seconds for k8s clusters, and 10 minutes for kvstore clusters
	IdentityRestoreGracePeriod time.Duration

	// EndpointQueueSize is the size of the EventQueue per-endpoint. A larger
	// queue means that more events can be buffered per-endpoint. This is useful
	// in the case where a cluster might be under high load for endpoint-related
	// events, specifically those which cause many regenerations.
	EndpointQueueSize int

	// ConntrackGCInterval is the connection tracking garbage collection
	// interval
	ConntrackGCInterval time.Duration

	// ConntrackGCMaxInterval if set limits the automatic GC interval calculation to
	// the specified maximum value.
	ConntrackGCMaxInterval time.Duration

	// LoopbackIPv4 is the address to use for service loopback SNAT
	LoopbackIPv4 string

	// LocalRouterIPv4 is the link-local IPv4 address used for Cilium's router device
	LocalRouterIPv4 string

	// LocalRouterIPv6 is the link-local IPv6 address used for Cilium's router device
	LocalRouterIPv6 string

	// EnableEndpointRoutes enables use of per endpoint routes
	EnableEndpointRoutes bool

	// Specifies whether to annotate the kubernetes nodes or not
	AnnotateK8sNode bool

	// EnableNodePort enables k8s NodePort service implementation in BPF
	EnableNodePort bool

	// EnableSVCSourceRangeCheck enables check of loadBalancerSourceRanges
	EnableSVCSourceRangeCheck bool

	// EnableHealthDatapath enables IPIP health probes data path
	EnableHealthDatapath bool

	// EnableHostPort enables k8s Pod's hostPort mapping through BPF
	EnableHostPort bool

	// EnableHostLegacyRouting enables the old routing path via stack.
	EnableHostLegacyRouting bool

	// NodePortNat46X64 indicates whether NAT46 / NAT64 can be used.
	NodePortNat46X64 bool

	// NodePortMode indicates in which mode NodePort implementation should run
	// ("snat", "dsr" or "hybrid")
	NodePortMode string

	// LoadBalancerModeAnnotation tells whether controller should check service
	// level annotation for configuring bpf load balancing algorithm.
	LoadBalancerModeAnnotation bool

	// LoadBalancerIPIPSockMark enables sock-lb logic to force service traffic via IPIP
	LoadBalancerIPIPSockMark bool

	// NodePortAlg indicates which backend selection algorithm is used
	// ("random" or "maglev")
	NodePortAlg string

	// LoadBalancerAlgorithmAnnotation tells whether controller should check service
	// level annotation for configuring bpf load balancing algorithm.
	LoadBalancerAlgorithmAnnotation bool

	// LoadBalancerDSRDispatch indicates the method for pushing packets to
	// backends under DSR ("opt" or "ipip")
	LoadBalancerDSRDispatch string

	// LoadBalancerRSSv4CIDR defines the outer source IPv4 prefix for DSR/IPIP
	LoadBalancerRSSv4CIDR string
	LoadBalancerRSSv4     net.IPNet

	// LoadBalancerRSSv6CIDR defines the outer source IPv6 prefix for DSR/IPIP
	LoadBalancerRSSv6CIDR string
	LoadBalancerRSSv6     net.IPNet

	// LoadBalancerExternalControlPlane tells whether kube-apiserver is NOT used as
	// the control plane in lb-only mode.
	LoadBalancerExternalControlPlane bool

	// LoadBalancerProtocolDifferentiation enables support for service protocol differentiation (TCP, UDP, SCTP)
	LoadBalancerProtocolDifferentiation bool

	// EnablePMTUDiscovery indicates whether to send ICMP fragmentation-needed
	// replies to the client (when needed).
	EnablePMTUDiscovery bool

	// NodePortAcceleration indicates whether NodePort should be accelerated
	// via XDP ("none", "generic", "native", or "best-effort")
	NodePortAcceleration string

	// NodePortBindProtection rejects bind requests to NodePort service ports
	NodePortBindProtection bool

	// EnableAutoProtectNodePortRange enables appending NodePort range to
	// net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port
	// range (net.ipv4.ip_local_port_range)
	EnableAutoProtectNodePortRange bool

	// KubeProxyReplacement controls how to enable kube-proxy replacement
	// features in BPF datapath
	KubeProxyReplacement string

	// AddressScopeMax controls the maximum address scope for addresses to be
	// considered local ones with HOST_ID in the ipcache
	AddressScopeMax int

	// EnableRecorder enables the datapath pcap recorder
	EnableRecorder bool

	// EnableMKE enables MKE specific 'chaining' for kube-proxy replacement
	EnableMKE bool

	// CgroupPathMKE points to the cgroupv1 net_cls mount instance
	CgroupPathMKE string

	// KubeProxyReplacementHealthzBindAddr is the KubeProxyReplacement healthz server bind addr
	KubeProxyReplacementHealthzBindAddr string

	// EnableExternalIPs enables implementation of k8s services with externalIPs in datapath
	EnableExternalIPs bool

	// EnableHostFirewall enables network policies for the host
	EnableHostFirewall bool

	// EnableLocalRedirectPolicy enables redirect policies to redirect traffic within nodes
	EnableLocalRedirectPolicy bool

	// NodePortMin is the minimum port address for the NodePort range
	NodePortMin int

	// NodePortMax is the maximum port address for the NodePort range
	NodePortMax int

	// EnableSessionAffinity enables a support for service sessionAffinity
	EnableSessionAffinity bool

	// Selection of BPF main clock source (ktime vs jiffies)
	ClockSource BPFClockSource

	// EnableIdentityMark enables setting the mark field with the identity for
	// local traffic. This may be disabled if chaining modes and Cilium use
	// conflicting marks.
	EnableIdentityMark bool

	// KernelHz is the HZ rate the kernel is operating in
	KernelHz int

	// ExcludeLocalAddresses excludes certain addresses to be recognized as
	// a local address
	ExcludeLocalAddresses []*net.IPNet

	// IPv4PodSubnets are the subnets from which IPv4 addresses are assigned to pods
	IPv4PodSubnets []*net.IPNet

	// IPv6PodSubnets are the subnets from which IPv6 addresses are assigned to pods
	IPv6PodSubnets []*net.IPNet

	// IPAM is the IPAM method to use
	IPAM string

	// IPAMMultiPoolPreAllocation defines the pre-allocation value for each IPAM pool
	IPAMMultiPoolPreAllocation map[string]string
	// IPAMDefaultIPPool the default IP Pool when using multi-pool
	IPAMDefaultIPPool string
	// AutoCreateCiliumNodeResource enables automatic creation of a
	// CiliumNode resource for the local node
	AutoCreateCiliumNodeResource bool

	// ExcludeNodeLabelPatterns allows for excluding unnecessary labels from being propagated from k8s node to cilium
	// node object. This allows for avoiding unnecessary events being broadcast to all nodes in the cluster.
	ExcludeNodeLabelPatterns []*regexp.Regexp

	// IPv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable
	IPv4NativeRoutingCIDR *cidr.CIDR

	// IPv6NativeRoutingCIDR describes a CIDR in which pod IPs are routable
	IPv6NativeRoutingCIDR *cidr.CIDR

	// MasqueradeInterfaces is the selector used to select interfaces subject
	// to egress masquerading.
	MasqueradeInterfaces []string

	// PolicyTriggerInterval is the amount of time between when policy updates
	// are triggered.
	PolicyTriggerInterval time.Duration

	// IdentityAllocationMode specifies what mode to use for identity
	// allocation
	IdentityAllocationMode string

	// AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in
	// the network policy for cilium-agent.
	AllowICMPFragNeeded bool

	// PolicyAuditMode enables non-drop mode for installed policies. In
	// audit mode packets affected by policies will not be dropped, i.e.
	// policy is not enforced; the decisions that would have been taken
	// can be checked via the policy verdict messages.
	PolicyAuditMode bool

	// PolicyAccounting enable policy accounting
	PolicyAccounting bool

	// EnableIPv4FragmentsTracking enables IPv4 fragments tracking for
	// L4-based lookups. Needs LRU map support.
	EnableIPv4FragmentsTracking bool

	// FragmentsMapEntries is the maximum number of fragmented datagrams
	// that can simultaneously be tracked in order to retrieve their L4
	// ports for all fragments.
	FragmentsMapEntries int

	// SizeofCTElement is the size of an element (key + value) in the CT map.
	SizeofCTElement int

	// SizeofNATElement is the size of an element (key + value) in the NAT map.
	SizeofNATElement int

	// SizeofNeighElement is the size of an element (key + value) in the neigh
	// map.
	SizeofNeighElement int

	// SizeofSockRevElement is the size of an element (key + value) in the
	// sock rev NAT map.
	SizeofSockRevElement int

	// k8sEnableLeasesFallbackDiscovery enables k8s to fallback to API probing to check
	// for the support of Leases in Kubernetes when there is an error in discovering
	// API groups using Discovery API.
	// We require to check for Leases capabilities in operator only, which uses Leases for leader
	// election purposes in HA mode.
	// This is only enabled for cilium-operator
	K8sEnableLeasesFallbackDiscovery bool

	// LBMapEntries is the maximum number of entries allowed in BPF lbmap.
	LBMapEntries int

	// LBServiceMapEntries is the maximum number of entries allowed in BPF lbmap for services.
	LBServiceMapEntries int

	// LBBackendMapEntries is the maximum number of entries allowed in BPF lbmap for service backends.
	LBBackendMapEntries int

	// LBRevNatEntries is the maximum number of entries allowed in BPF lbmap for reverse NAT.
	LBRevNatEntries int

	// LBAffinityMapEntries is the maximum number of entries allowed in BPF lbmap for session affinities.
	LBAffinityMapEntries int

	// LBSourceRangeAllTypes enables propagation of loadbalancerSourceRanges to all Kubernetes
	// service types which were created from the LoadBalancer service.
	LBSourceRangeAllTypes bool

	// LBSourceRangeMapEntries is the maximum number of entries allowed in BPF lbmap for source ranges.
	LBSourceRangeMapEntries int

	// LBMaglevMapEntries is the maximum number of entries allowed in BPF lbmap for maglev.
	LBMaglevMapEntries int

	// EgressMultiHomeIPRuleCompat, when false, instructs Cilium to use the new
	// scheme to store rules and routes under ENI and Azure IPAM modes.
	// When true, the old scheme is used.
	EgressMultiHomeIPRuleCompat bool

	// Install ingress/egress routes through uplink on host for Pods when working with
	// delegated IPAM plugin.
	InstallUplinkRoutesForDelegatedIPAM bool

	// InstallNoConntrackIptRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic.
	InstallNoConntrackIptRules bool

	// ContainerIPLocalReservedPorts instructs the Cilium CNI plugin to reserve
	// the provided comma-separated list of ports in the container network namespace
	ContainerIPLocalReservedPorts string

	// EnableCustomCalls enables tail call hooks for user-defined custom
	// eBPF programs, typically used to collect custom per-endpoint
	// metrics.
	EnableCustomCalls bool

	// BGPSecretsNamespace is the Kubernetes namespace to get BGP control plane secrets from.
	BGPSecretsNamespace string

	// ExternalClusterIP enables routing to ClusterIP services from outside
	// the cluster. This mirrors the behaviour of kube-proxy.
	ExternalClusterIP bool

	// ARPPingRefreshPeriod is the ARP entries refresher period.
	ARPPingRefreshPeriod time.Duration

	// EnableCiliumEndpointSlice enables the cilium endpoint slicing feature.
	EnableCiliumEndpointSlice bool

	// ARPPingKernelManaged denotes whether kernel can auto-refresh Neighbor entries
	ARPPingKernelManaged bool

	// VLANBPFBypass list of explicitly allowed VLAN id's for bpf logic bypass
	VLANBPFBypass []int

	// DisableExternalIPMitigation disables the externalIP mitigation for
	// CVE-2020-8554. Setting it removes that protection, so it should only
	// be enabled deliberately.
	DisableExternalIPMitigation bool

	// EnableL2NeighDiscovery determines if cilium should perform L2 neighbor
	// discovery.
	EnableL2NeighDiscovery bool

	// EnableICMPRules enables ICMP-based rule support for Cilium Network Policies.
	EnableICMPRules bool

	// Use the CiliumInternalIPs (vs. NodeInternalIPs) for IPsec encapsulation.
	UseCiliumInternalIPForIPsec bool

	// BypassIPAvailabilityUponRestore bypasses the IP availability error
	// within IPAM upon endpoint restore and allows the use of the restored IP
	// regardless of whether it's available in the pool.
	BypassIPAvailabilityUponRestore bool

	// EnableK8sTerminatingEndpoint enables auto-detect of terminating state for
	// Kubernetes service endpoints.
	EnableK8sTerminatingEndpoint bool

	// EnableVTEP enable Cilium VXLAN VTEP integration
	EnableVTEP bool

	// VtepEndpoints VTEP endpoint IPs
	VtepEndpoints []net.IP

	VtepCIDRs []*cidr.CIDR

	// VtepMask VTEP Mask
	VtepCidrMask net.IP

	// VtepMACs VTEP MACs
	VtepMACs []mac.MAC

	// TCFilterPriority sets the priority of the cilium tc filter, enabling other
	// filters to be inserted prior to the cilium filter.
	TCFilterPriority uint16

	// Enables BGP control plane features.
	EnableBGPControlPlane bool

	// Enables BGP control plane status reporting.
	EnableBGPControlPlaneStatusReport bool

	// BGPRouterIDAllocationMode is the mode to allocate the BGP router-id in ipv6 standalone environment.
	BGPRouterIDAllocationMode string

	// BPFMapEventBuffers has configuration on what BPF map event buffers to enabled
	// and configuration options for those.
	BPFMapEventBuffers          map[string]string
	BPFMapEventBuffersValidator func(val string) (string, error) `json:"-"`

	// BPFEventsDropEnabled controls whether the Cilium datapath exposes "drop" events to Cilium monitor and Hubble.
	BPFEventsDropEnabled bool

	// BPFEventsPolicyVerdictEnabled controls whether the Cilium datapath exposes "policy verdict" events to Cilium monitor and Hubble.
	BPFEventsPolicyVerdictEnabled bool

	// BPFEventsTraceEnabled  controls whether the Cilium datapath exposes "trace" events to Cilium monitor and Hubble.
	BPFEventsTraceEnabled bool

	// BPFConntrackAccounting controls whether CT accounting for packets and bytes is enabled.
	BPFConntrackAccounting bool

	// IPAMCiliumNodeUpdateRate is the maximum rate at which the CiliumNode custom
	// resource is updated.
	IPAMCiliumNodeUpdateRate time.Duration

	// EnableK8sNetworkPolicy enables support for K8s NetworkPolicy.
	EnableK8sNetworkPolicy bool

	// EnableCiliumNetworkPolicy enables support for Cilium Network Policy.
	EnableCiliumNetworkPolicy bool

	// EnableCiliumClusterwideNetworkPolicy enables support for Cilium Clusterwide
	// Network Policy.
	EnableCiliumClusterwideNetworkPolicy bool

	// PolicyCIDRMatchMode is the list of entities that can be selected by CIDR policy.
	// Currently supported values:
	// - world
	// - world, remote-node
	PolicyCIDRMatchMode []string

	// MaxConnectedClusters sets the maximum number of clusters that can be
	// connected in a clustermesh.
	// The value is used to determine the bit allocation for cluster ID and
	// identity in a numeric identity. Values > 255 will decrease the number of
	// allocatable identities.
	MaxConnectedClusters uint32

	// ForceDeviceRequired enforces the attachment of BPF programs on native device.
	ForceDeviceRequired bool

	// ServiceNoBackendResponse determines how we handle traffic to a service with no backends.
	ServiceNoBackendResponse string

	// EnableNodeSelectorLabels enables use of the node label based identity
	EnableNodeSelectorLabels bool

	// NodeLabels is the list of label prefixes used to determine identity of a node (requires enabling of
	// EnableNodeSelectorLabels)
	NodeLabels []string

	// EnableSocketLBPodConnectionTermination enables the termination of connections from pods
	// to deleted service backends when socket-LB is enabled
	EnableSocketLBPodConnectionTermination bool

	// EnableInternalTrafficPolicy enables handling routing for services with internalTrafficPolicy configured
	EnableInternalTrafficPolicy bool

	// EnableNonDefaultDenyPolicies allows policies to define whether they are operating in default-deny mode
	EnableNonDefaultDenyPolicies bool

	// EnableSourceIPVerification enables verification of the source IP of
	// traffic sent from endpoints to other endpoints.
	EnableSourceIPVerification bool

	// EnableEndpointLockdownOnPolicyOverflow enables endpoint lockdown when an endpoint's
	// policy map overflows.
	EnableEndpointLockdownOnPolicyOverflow bool

	// ConnectivityProbeFrequencyRatio is the ratio of the connectivity probe frequency vs resource consumption
	ConnectivityProbeFrequencyRatio float64
	// contains filtered or unexported fields

DaemonConfig is the configuration used by Daemon.

func (*DaemonConfig) AgentNotReadyNodeTaintValue added in v0.15.7

func (c *DaemonConfig) AgentNotReadyNodeTaintValue() string

AgentNotReadyNodeTaintValue returns the value of the taint key that cilium agents will manage on their nodes

func (*DaemonConfig) AlwaysAllowLocalhost added in v0.15.7

func (c *DaemonConfig) AlwaysAllowLocalhost() bool

AlwaysAllowLocalhost returns true if the daemon is configured so that the local stack can always reach local endpoints

func (*DaemonConfig) AreDevicesRequired added in v0.15.7

func (c *DaemonConfig) AreDevicesRequired() bool

AreDevicesRequired returns true if the agent needs to attach to the native devices to implement some features.

func (*DaemonConfig) BGPControlPlaneEnabled added in v0.15.7

func (c *DaemonConfig) BGPControlPlaneEnabled() bool

func (*DaemonConfig) CiliumNamespaceName added in v0.15.7

func (c *DaemonConfig) CiliumNamespaceName() string

CiliumNamespaceName returns the name of the namespace in which Cilium is deployed

func (*DaemonConfig) DirectRoutingDeviceRequired added in v0.15.7

func (c *DaemonConfig) DirectRoutingDeviceRequired() bool

DirectRoutingDeviceRequired returns whether the Direct Routing Device is needed under the current configuration.

func (*DaemonConfig) EncryptionEnabled added in v0.15.7

func (c *DaemonConfig) EncryptionEnabled() bool

EncryptionEnabled returns true if encryption is enabled

func (*DaemonConfig) EnforceLXCFibLookup added in v1.14.5

func (d *DaemonConfig) EnforceLXCFibLookup() bool

func (*DaemonConfig) GetEventBufferConfig added in v0.15.7

func (d *DaemonConfig) GetEventBufferConfig(name string) BPFEventBufferConfig

GetEventBufferConfig returns the relevant config for the given map name, or a default one with enabled=false if no config exists for it.

func (*DaemonConfig) GetGlobalsDir added in v0.15.7

func (c *DaemonConfig) GetGlobalsDir() string

GetGlobalsDir returns the path for the globals directory.

func (*DaemonConfig) GetNodeConfigPath added in v0.15.7

func (c *DaemonConfig) GetNodeConfigPath() string

GetNodeConfigPath returns the full path of the NodeConfigFile.

func (*DaemonConfig) GetZone added in v1.16.0

func (d *DaemonConfig) GetZone(id uint8) string

func (*DaemonConfig) GetZoneID added in v1.16.0

func (d *DaemonConfig) GetZoneID(zone string) uint8

func (*DaemonConfig) HealthCheckingEnabled added in v0.15.7

func (c *DaemonConfig) HealthCheckingEnabled() bool

HealthCheckingEnabled returns true if health checking is enabled

func (*DaemonConfig) IPAMMode added in v0.15.7

func (c *DaemonConfig) IPAMMode() string

IPAMMode returns the IPAM mode

func (*DaemonConfig) IPv4Enabled added in v0.15.7

func (c *DaemonConfig) IPv4Enabled() bool

IPv4Enabled returns true if IPv4 is enabled

func (*DaemonConfig) IPv6Enabled added in v0.15.7

func (c *DaemonConfig) IPv6Enabled() bool

IPv6Enabled returns true if IPv6 is enabled

func (*DaemonConfig) IPv6NDPEnabled added in v0.15.7

func (c *DaemonConfig) IPv6NDPEnabled() bool

IPv6NDPEnabled returns true if IPv6 NDP support is enabled

func (*DaemonConfig) IptablesMasqueradingEnabled added in v0.15.7

func (c *DaemonConfig) IptablesMasqueradingEnabled() bool

IptablesMasqueradingEnabled returns true if iptables-based masquerading is enabled.

func (*DaemonConfig) IptablesMasqueradingIPv4Enabled added in v0.15.7

func (c *DaemonConfig) IptablesMasqueradingIPv4Enabled() bool

IptablesMasqueradingIPv4Enabled returns true if iptables-based masquerading is enabled for IPv4.

func (*DaemonConfig) IptablesMasqueradingIPv6Enabled added in v0.15.7

func (c *DaemonConfig) IptablesMasqueradingIPv6Enabled() bool

IptablesMasqueradingIPv6Enabled returns true if iptables-based masquerading is enabled for IPv6.

func (*DaemonConfig) IsDualStack added in v0.15.7

func (c *DaemonConfig) IsDualStack() bool

func (*DaemonConfig) IsExcludedLocalAddress added in v0.15.7

func (c *DaemonConfig) IsExcludedLocalAddress(ip net.IP) bool

IsExcludedLocalAddress returns true if the specified IP matches one of the excluded local IP ranges

func (*DaemonConfig) IsLocalRouterIP added in v1.15.0

func (c *DaemonConfig) IsLocalRouterIP(ip string) bool

IsLocalRouterIP checks whether the provided IP address matches either LocalRouterIPv4 or LocalRouterIPv6

func (*DaemonConfig) IsPodSubnetsDefined added in v0.15.7

func (c *DaemonConfig) IsPodSubnetsDefined() bool

IsPodSubnetsDefined returns true if encryption subnets should be configured at init time.

func (*DaemonConfig) K8sNetworkPolicyEnabled added in v0.15.7

func (c *DaemonConfig) K8sNetworkPolicyEnabled() bool

K8sNetworkPolicyEnabled returns true if cilium agent needs to support K8s NetworkPolicy, false otherwise.

func (*DaemonConfig) KVstoreEnabledWithoutPodNetworkSupport added in v1.17.0

func (c *DaemonConfig) KVstoreEnabledWithoutPodNetworkSupport() bool

KVstoreEnabledWithoutPodNetworkSupport returns whether Cilium is configured to connect to an external KVStore, and the support for running it in pod network is disabled.

func (*DaemonConfig) KubeProxyReplacementFullyEnabled added in v0.15.7

func (c *DaemonConfig) KubeProxyReplacementFullyEnabled() bool

KubeProxyReplacementFullyEnabled returns true if Cilium is _effectively_ running in full KPR mode.

func (*DaemonConfig) LBProtoDiffEnabled added in v1.17.0

func (c *DaemonConfig) LBProtoDiffEnabled() bool

LBProtoDiffEnabled returns true if LoadBalancerProtocolDifferentiation is enabled

func (*DaemonConfig) LoadBalancerUsesDSR added in v1.15.0

func (c *DaemonConfig) LoadBalancerUsesDSR() bool

func (*DaemonConfig) MasqueradingEnabled added in v0.15.7

func (c *DaemonConfig) MasqueradingEnabled() bool

MasqueradingEnabled returns true if either IPv4 or IPv6 masquerading is enabled.

func (*DaemonConfig) NeedBPFHostOnWireGuardDevice added in v1.16.0

func (c *DaemonConfig) NeedBPFHostOnWireGuardDevice() bool

NeedBPFHostOnWireGuardDevice returns true if the agent needs to attach a BPF program on the Ingress of Cilium's WireGuard device

func (*DaemonConfig) NodeEncryptionEnabled added in v0.15.7

func (c *DaemonConfig) NodeEncryptionEnabled() bool

NodeEncryptionEnabled returns true if node encryption is enabled

func (*DaemonConfig) NodeIpsetNeeded added in v0.15.7

func (c *DaemonConfig) NodeIpsetNeeded() bool

NodeIpsetNeeded returns true if node ipsets should be used to skip masquerading for traffic to cluster nodes.

func (*DaemonConfig) PerNodeLabelsEnabled added in v1.16.0

func (c *DaemonConfig) PerNodeLabelsEnabled() bool

PerNodeLabelsEnabled returns true if the per-node labels feature is enabled

func (*DaemonConfig) PolicyCIDRMatchesNodes added in v1.15.0

func (c *DaemonConfig) PolicyCIDRMatchesNodes() bool

func (*DaemonConfig) Populate added in v0.15.7

func (c *DaemonConfig) Populate(vp *viper.Viper)

Populate sets all non-logging options with the values from viper.

This function may emit logs. Consider calling SetupLogging before this to make sure that they honor logging-related options.

func (*DaemonConfig) SCTPEnabled added in v0.15.7

func (c *DaemonConfig) SCTPEnabled() bool

SCTPEnabled returns true if SCTP support is enabled

func (*DaemonConfig) SetMapElementSizes added in v0.15.7

func (c *DaemonConfig) SetMapElementSizes(
	sizeofSockRevElement int)

SetMapElementSizes sets the BPF map element sizes (key + value) used for dynamic BPF map size calculations in calculateDynamicBPFMapSizes.

func (*DaemonConfig) SetupLogging added in v1.17.0

func (c *DaemonConfig) SetupLogging(vp *viper.Viper, tag string)

SetupLogging sets all logging-related options with the values from viper, then sets up logging based on these options and the given tag.

This allows logging to be initialized as early as possible, so that log entries produced later in Populate honor the requested logging configuration.

func (*DaemonConfig) StoreInFile added in v0.15.7

func (c *DaemonConfig) StoreInFile(dir string) error

StoreInFile stores the configuration in the given directory under the file name 'daemon-config.json'. If this file already exists, it is renamed to 'daemon-config-1.json'; if 'daemon-config-1.json' also exists, it is first renamed to 'daemon-config-2.json'. The caller is responsible for blocking concurrent changes.

func (*DaemonConfig) TracingEnabled added in v0.15.7

func (c *DaemonConfig) TracingEnabled() bool

TracingEnabled returns if tracing policy (outlining which rules apply to a specific set of labels) is enabled.

func (*DaemonConfig) TunnelingEnabled added in v0.15.7

func (c *DaemonConfig) TunnelingEnabled() bool

TunnelingEnabled returns true if tunneling is enabled.

func (*DaemonConfig) UnreachableRoutesEnabled added in v0.15.7

func (c *DaemonConfig) UnreachableRoutesEnabled() bool

UnreachableRoutesEnabled returns true if unreachable routes are enabled

func (*DaemonConfig) Validate added in v0.15.7

func (c *DaemonConfig) Validate(vp *viper.Viper) error

Validate validates the daemon configuration

func (*DaemonConfig) ValidateUnchanged added in v1.16.0

func (c *DaemonConfig) ValidateUnchanged() error

ValidateUnchanged checks that the invariable parts of the config have not changed since init. The caller is responsible for blocking concurrent changes.

type FormatFunc added in v0.15.7

type FormatFunc func(value OptionSetting) string

FormatFunc formats the specified value as textual representation option.

type IntOptions added in v0.15.7

type IntOptions struct {
	// contains filtered or unexported fields

IntOptions member functions with external access do not require locking by the caller, while functions with internal access presume the caller to have taken care of any locking needed.

func NewIntOptions added in v0.15.7

func NewIntOptions(lib *OptionLibrary) *IntOptions

func (*IntOptions) ApplyValidated added in v0.15.7

func (o *IntOptions) ApplyValidated(n OptionMap, changed ChangedFunc, data interface{}) int

ApplyValidated takes a configuration map and applies the changes. For each option that is changed, the `ChangedFunc` function is called, with the `data` argument passed through. Returns the number of options changed, if any.

The caller is expected to have validated the configuration options prior to calling this function.

func (*IntOptions) DeepCopy added in v0.15.7

func (o *IntOptions) DeepCopy() *IntOptions

func (*IntOptions) Delete added in v0.15.7

func (o *IntOptions) Delete(key string)

func (*IntOptions) Dump added in v0.15.7

func (o *IntOptions) Dump()

func (*IntOptions) GetFmtList added in v0.15.7

func (o *IntOptions) GetFmtList() string

func (*IntOptions) GetImmutableModel added in v0.15.7

func (o *IntOptions) GetImmutableModel() *models.ConfigurationMap

GetImmutableModel returns the set of immutable options as a ConfigurationMap API model.

func (*IntOptions) GetMutableModel added in v0.15.7

func (o *IntOptions) GetMutableModel() *models.ConfigurationMap

GetMutableModel returns the set of mutable options as a ConfigurationMap API model.

func (*IntOptions) GetValue added in v0.15.7

func (o *IntOptions) GetValue(key string) OptionSetting

func (*IntOptions) InheritDefault added in v0.15.7

func (o *IntOptions) InheritDefault(parent *IntOptions, key string)

func (*IntOptions) IsEnabled added in v0.15.7

func (o *IntOptions) IsEnabled(key string) bool

func (*IntOptions) MarshalJSON added in v1.17.0

func (o *IntOptions) MarshalJSON() ([]byte, error)

MarshalJSON is a custom JSON marshaller for the unexported 'opts' field; it holds a read lock while marshalling.

func (*IntOptions) SetBool added in v0.15.7

func (o *IntOptions) SetBool(key string, value bool)

SetBool sets the specified option to Enabled.

func (*IntOptions) SetIfUnset added in v0.15.7

func (o *IntOptions) SetIfUnset(key string, value OptionSetting)

func (*IntOptions) SetValidated added in v0.15.7

func (o *IntOptions) SetValidated(key string, value OptionSetting)

SetValidated sets the option `key` to the specified value. The caller is expected to have validated the input to this function.

func (*IntOptions) UnmarshalJSON added in v1.17.0

func (o *IntOptions) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom JSON unmarshaller for the unexported 'opts' field; it holds a write lock while unmarshalling.

func (*IntOptions) Validate added in v0.15.7

func (o *IntOptions) Validate(n models.ConfigurationMap) error

Validate validates a given configuration map based on the option library

func (*IntOptions) ValidateConfigurationMap added in v1.17.0

func (o *IntOptions) ValidateConfigurationMap(n models.ConfigurationMap) (OptionMap, error)

ValidateConfigurationMap validates a given configuration map based on the option library

type MapOptions added in v0.10.0

type MapOptions struct {
	// contains filtered or unexported fields

MapOptions holds a map of values and a validation function.

func NewMapOpts added in v0.10.0

func NewMapOpts(values map[string]string, validator Validator) *MapOptions

NewMapOpts creates a new MapOptions with the specified map of values and an optional validator.

func (*MapOptions) Set added in v0.10.0

func (opts *MapOptions) Set(value string) error

Set validates the input value, if needed, and adds it to the internal map after splitting it on '='.

func (*MapOptions) String added in v0.10.0

func (opts *MapOptions) String() string

func (*MapOptions) Type added in v0.10.0

func (opts *MapOptions) Type() string

Type returns a string name for this Option type

type MonitorAggregationLevel added in v0.15.7

type MonitorAggregationLevel OptionSetting

MonitorAggregationLevel represents a level of aggregation for monitor events from the datapath. Low values represent no aggregation, that is, to increase the number of events emitted from the datapath; Higher values represent more aggregation, to minimize the number of events emitted from the datapath.

The MonitorAggregationLevel does not affect the Debug option in the daemon or endpoint, so debug notifications will continue uninhibited by this setting.

type NamedMapOptions added in v0.10.0

type NamedMapOptions struct {
	// contains filtered or unexported fields

NamedMapOptions is a MapOptions struct with a configuration name. This struct is useful for keeping a reference to the assigned field name in the internal configuration struct.

func NewNamedMapOptions added in v0.10.0

func NewNamedMapOptions(name string, values *map[string]string, validator Validator) *NamedMapOptions

NewNamedMapOptions creates a reference to a new NamedMapOptions struct.

type Option

type Option struct {
	// Define is the name of the #define used for BPF programs
	Define string
	// Description is a short human readable description
	Description string
	// Immutable marks an option which is read-only
	Immutable bool
	// Requires is a list of required options, such options will be
	// automatically enabled as required.
	Requires []string
	// Parse is called to parse the option. If not specified, defaults to
	// NormalizeBool().
	Parse ParseFunc
	// Format is called to format the value for an option. If not
	// specified, defaults to formatting 0 as "Disabled" and other values
	// as "Enabled".
	Format FormatFunc
	// Verify is called prior to applying the option
	Verify VerifyFunc
	// Deprecated is true if this option is deprecated and a warning
	// should be printed.
	Deprecated bool

Option is the structure used to specify the semantics of a configurable boolean option

func (Option) RequiresOption

func (o Option) RequiresOption(name string) bool

RequiresOption returns true if the option requires the specified option `name`.

type OptionLibrary

type OptionLibrary map[string]*Option

func GetEndpointMutableOptionLibrary added in v0.15.7

func GetEndpointMutableOptionLibrary() OptionLibrary

func (OptionLibrary) Define

func (l OptionLibrary) Define(name string) string

func (OptionLibrary) Lookup

func (l OptionLibrary) Lookup(name string) (string, *Option)

func (*OptionLibrary) ParseOption added in v1.17.0

func (l *OptionLibrary) ParseOption(arg string) (string, OptionSetting, bool, error)

func (OptionLibrary) Validate

func (l OptionLibrary) Validate(name string, value string) error

func (*OptionLibrary) ValidateConfigurationMap added in v0.15.7

func (l *OptionLibrary) ValidateConfigurationMap(n models.ConfigurationMap) (OptionMap, error)

ValidateConfigurationMap validates a given configuration map based on the option library

type OptionMap

type OptionMap map[string]OptionSetting

func (OptionMap) DeepCopy

func (om OptionMap) DeepCopy() OptionMap

type OptionSetting added in v0.15.7

type OptionSetting int

OptionSetting specifies the different choices each Option has.

const (
	// MonitorAggregationLevelNone represents no aggregation in the
	// datapath; all packets will be monitored.
	MonitorAggregationLevelNone OptionSetting = 0

	// MonitorAggregationLevelLowest represents aggregation of monitor events
	// to emit a maximum of one trace event per packet. Trace events when
	// packets are received are disabled.
	MonitorAggregationLevelLowest OptionSetting = 1

	// MonitorAggregationLevelLow is the same as
	// MonitorAggregationLevelLowest, but may aggregate additional traffic
	// in future.
	MonitorAggregationLevelLow OptionSetting = 2

	// MonitorAggregationLevelMedium represents aggregation of monitor
	// events to only emit notifications periodically for each connection
	// unless there is new information (eg, a TCP connection is closed).
	MonitorAggregationLevelMedium OptionSetting = 3

	// MonitorAggregationLevelMax is the maximum level of aggregation
	// currently supported.
	MonitorAggregationLevelMax OptionSetting = 4
const (
	OptionDisabled OptionSetting = iota

func NormalizeBool

func NormalizeBool(value string) (OptionSetting, error)

func ParseDaemonOption added in v0.15.7

func ParseDaemonOption(opt string) (string, OptionSetting, bool, error)

ParseDaemonOption parses a string as daemon option

func ParseMonitorAggregationLevel added in v0.15.7

func ParseMonitorAggregationLevel(value string) (OptionSetting, error)

ParseMonitorAggregationLevel turns a string into a monitor aggregation level. The string may contain an integer value or a string representation of a particular monitor aggregation level.

type ParseFunc added in v0.15.7

type ParseFunc func(value string) (OptionSetting, error)

ParseFunc parses the option value and may return an error if the option cannot be parsed or applied.

type Validator added in v0.10.0

type Validator func(val string) (string, error)

Validator returns a validated string along with a possible error.

type VerifyFunc

type VerifyFunc func(key string, value string) error

VerifyFunc validates an option key with its value and may return an error if the option should not be applied.


Path Synopsis
Package resolver provides the logic for merging in the various sources of configuration, overrides, and drop-ins.
Package resolver provides the logic for merging in the various sources of configuration, overrides, and drop-ins.
