Documentation ¶
Index ¶
- Constants
- Variables
- func BindEnv(optName string)
- func BindEnvWithLegacyEnvFallback(optName, legacyEnvName string)
- func EndpointStatusValues() []string
- func EndpointStatusValuesMap() (values map[string]struct{})
- func FormatMonitorAggregationLevel(level OptionSetting) string
- func GetTunnelModes() string
- func InitConfig(programName, configName string) func()
- func LogRegisteredOptions(entry *logrus.Entry)
- func MergeConfig(m map[string]interface{}) error
- func MightAutoDetectDevices() bool
- func ReadDirConfig(dirName string) (map[string]interface{}, error)
- func ReplaceDeprecatedFields(m map[string]interface{})
- func VerifyMonitorAggregationLevel(key, value string) error
- type BPFClockSource
- type ChangedFunc
- type DaemonConfig
- func (c *DaemonConfig) AlwaysAllowLocalhost() bool
- func (c *DaemonConfig) BlacklistConflictingRoutesEnabled() bool
- func (c *DaemonConfig) CiliumNamespaceName() string
- func (c *DaemonConfig) EnableK8sLeasesFallbackDiscovery()
- func (c *DaemonConfig) EndpointStatusIsEnabled(option string) bool
- func (c *DaemonConfig) GetGlobalsDir() string
- func (c *DaemonConfig) GetNodeConfigPath() string
- func (c *DaemonConfig) HealthCheckingEnabled() bool
- func (c *DaemonConfig) IPAMMode() string
- func (c *DaemonConfig) IPv4Enabled() bool
- func (c *DaemonConfig) IPv4NativeRoutingCIDR() (cidr *cidr.CIDR)
- func (c *DaemonConfig) IPv6Enabled() bool
- func (c *DaemonConfig) IsExcludedLocalAddress(ip net.IP) bool
- func (c *DaemonConfig) IsFlannelMasterDeviceSet() bool
- func (c *DaemonConfig) IsPodSubnetsDefined() bool
- func (c *DaemonConfig) K8sAPIDiscoveryEnabled() bool
- func (c *DaemonConfig) K8sLeasesFallbackDiscoveryEnabled() bool
- func (c *DaemonConfig) LocalClusterName() string
- func (c *DaemonConfig) NodeEncryptionEnabled() bool
- func (c *DaemonConfig) Populate()
- func (c *DaemonConfig) RemoteNodeIdentitiesEnabled() bool
- func (c *DaemonConfig) SetIPv4NativeRoutingCIDR(cidr *cidr.CIDR)
- func (c *DaemonConfig) SetMapElementSizes(...)
- func (c *DaemonConfig) TracingEnabled() bool
- func (c *DaemonConfig) Validate() error
- type FlagsSection
- type FormatFunc
- type IntOptions
- func (o *IntOptions) ApplyValidated(n OptionMap, changed ChangedFunc, data interface{}) int
- func (o *IntOptions) DeepCopy() *IntOptions
- func (o *IntOptions) Delete(key string)
- func (o *IntOptions) Dump()
- func (o *IntOptions) GetFmtList() string
- func (o *IntOptions) GetImmutableModel() *models.ConfigurationMap
- func (o *IntOptions) GetMutableModel() *models.ConfigurationMap
- func (o *IntOptions) GetValue(key string) OptionSetting
- func (o *IntOptions) InheritDefault(parent *IntOptions, key string)
- func (o *IntOptions) IsEnabled(key string) bool
- func (o *IntOptions) SetBool(key string, value bool)
- func (o *IntOptions) SetIfUnset(key string, value OptionSetting)
- func (o *IntOptions) SetValidated(key string, value OptionSetting)
- func (o *IntOptions) Validate(n models.ConfigurationMap) error
- type IpvlanConfig
- type MapOptions
- type MonitorAggregationLevel
- type NamedMapOptions
- type Option
- type OptionLibrary
- type OptionMap
- type OptionSetting
- func NormalizeBool(value string) (OptionSetting, error)
- func ParseDaemonOption(opt string) (string, OptionSetting, error)
- func ParseKeyValue(lib *OptionLibrary, arg, value string) (string, OptionSetting, error)
- func ParseMonitorAggregationLevel(value string) (OptionSetting, error)
- func ParseOption(arg string, lib *OptionLibrary) (string, OptionSetting, error)
- type ParseFunc
- type Validator
- type VerifyFunc
Constants ¶
const ( // AgentHealthPort is the TCP port for the agent health status API. AgentHealthPort = "agent-health-port" // AgentLabels are additional labels to identify this agent AgentLabels = "agent-labels" // AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in policy. AllowICMPFragNeeded = "allow-icmp-frag-needed" // AllowLocalhost is the policy when to allow local stack to reach local endpoints { auto | always | policy } AllowLocalhost = "allow-localhost" // AllowLocalhostAuto defaults to policy except when running in // Kubernetes where it then defaults to "always" AllowLocalhostAuto = "auto" // AllowLocalhostAlways always allows the local stack to reach local // endpoints AllowLocalhostAlways = "always" // AllowLocalhostPolicy requires a policy rule to allow the local stack // to reach particular endpoints or policy enforcement must be // disabled. AllowLocalhostPolicy = "policy" // AnnotateK8sNode enables annotating a kubernetes node while bootstrapping // the daemon, which can also be disbled using this option. AnnotateK8sNode = "annotate-k8s-node" // BPFRoot is the Path to BPF filesystem BPFRoot = "bpf-root" // CertsDirectory is the root directory used to find out certificates used // in L7 HTTPs policy enforcement. CertsDirectory = "certificates-directory" // CGroupRoot is the path to Cgroup2 filesystem CGroupRoot = "cgroup-root" // ConfigFile is the Configuration file (default "$HOME/ciliumd.yaml") ConfigFile = "config" // ConfigDir is the directory that contains a file for each option where // the filename represents the option name and the content of that file // represents the value of that option. ConfigDir = "config-dir" // ConntrackGCInterval is the name of the ConntrackGCInterval option ConntrackGCInterval = "conntrack-gc-interval" // DebugArg is the argument enables debugging mode DebugArg = "debug" // DebugVerbose is the argument enables verbose log message for particular subsystems DebugVerbose = "debug-verbose" // Device facing cluster/external network for attaching bpf_host Device = "device" // Devices facing cluster/external network for attaching bpf_host Devices = "devices" // DirectRoutingDevice is the name of a device used to connect nodes in // direct routing mode (only required by BPF NodePort) DirectRoutingDevice = "direct-routing-device" // DisableConntrack disables connection tracking DisableConntrack = "disable-conntrack" // DisableEnvoyVersionCheck do not perform Envoy binary version check on startup DisableEnvoyVersionCheck = "disable-envoy-version-check" // EnablePolicy enables policy enforcement in the agent. EnablePolicy = "enable-policy" // EnableExternalIPs enables implementation of k8s services with externalIPs in datapath EnableExternalIPs = "enable-external-ips" // K8sEnableEndpointSlice enables the k8s EndpointSlice feature into Cilium K8sEnableEndpointSlice = "enable-k8s-endpoint-slice" // EnableL7Proxy is the name of the option to enable L7 proxy EnableL7Proxy = "enable-l7-proxy" // EnableTracing enables tracing mode in the agent. EnableTracing = "enable-tracing" // EncryptInterface enables encryption on specified interface EncryptInterface = "encrypt-interface" // EncryptNode enables node IP encryption EncryptNode = "encrypt-node" // EnvoyLog sets the path to a separate Envoy log file, if any EnvoyLog = "envoy-log" // FixedIdentityMapping is the key-value for the fixed identity mapping // which allows to use reserved label for fixed identities FixedIdentityMapping = "fixed-identity-mapping" // IPv4ClusterCIDRMaskSize is the mask size for the cluster wide CIDR IPv4ClusterCIDRMaskSize = "ipv4-cluster-cidr-mask-size" // IPv4Range is the per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 IPv4Range = "ipv4-range" // IPv6Range is the per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96 IPv6Range = "ipv6-range" // IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside cluster prefix IPv4ServiceRange = "ipv4-service-range" // IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside cluster prefix IPv6ServiceRange = "ipv6-service-range" // ModePreFilterNative for loading progs with xdpdrv ModePreFilterNative = XDPModeNative // ModePreFilterGeneric for loading progs with xdpgeneric ModePreFilterGeneric = XDPModeGeneric // IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option IPv6ClusterAllocCIDRName = "ipv6-cluster-alloc-cidr" // K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option K8sRequireIPv4PodCIDRName = "k8s-require-ipv4-pod-cidr" // K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr" // K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP // status in kube-apiserver. K8sForceJSONPatch = "k8s-force-json-patch" // K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium // should watch for. K8sWatcherEndpointSelector = "k8s-watcher-endpoint-selector" // K8sAPIServer is the kubernetes api address server (for https use --k8s-kubeconfig-path instead) K8sAPIServer = "k8s-api-server" // K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file K8sKubeConfigPath = "k8s-kubeconfig-path" // K8sServiceCacheSize is service cache size for cilium k8s package. K8sServiceCacheSize = "k8s-service-cache-size" // K8sSyncTimeout is the timeout to synchronize all resources with k8s. K8sSyncTimeoutName = "k8s-sync-timeout" // K8sWatcherQueueSize is the queue size used to serialize each k8s event type K8sWatcherQueueSize = "k8s-watcher-queue-size" // KeepConfig when restoring state, keeps containers' configuration in place KeepConfig = "keep-config" // KeepBPFTemplates do not restore BPF template files from binary // Deprecated: This option is no longer available since cilium-agent does // not include the BPF templates anymore. KeepBPFTemplates = "keep-bpf-templates" // KVStore key-value store type KVStore = "kvstore" // KVStoreOpt key-value store options KVStoreOpt = "kvstore-opt" // Labels is the list of label prefixes used to determine identity of an endpoint Labels = "labels" // LabelPrefixFile is the valid label prefixes file path LabelPrefixFile = "label-prefix-file" // EnableHostFirewall enables network policies for the host EnableHostFirewall = "enable-host-firewall" // EnableHostPort enables HostPort forwarding implemented by Cilium in BPF EnableHostPort = "enable-host-port" // EnableNodePort enables NodePort services implemented by Cilium in BPF EnableNodePort = "enable-node-port" // EnableSVCSourceRangeCheck enables check of service source range checks EnableSVCSourceRangeCheck = "enable-svc-source-range-check" // NodePortMode indicates in which mode NodePort implementation should run // ("snat", "dsr" or "hybrid") NodePortMode = "node-port-mode" // NodePortAcceleration indicates whether NodePort should be accelerated // via XDP ("none", "generic" or "native") NodePortAcceleration = "node-port-acceleration" // NodePortBindProtection rejects bind requests to NodePort service ports NodePortBindProtection = "node-port-bind-protection" // NodePortRange defines a custom range where to look up NodePort services NodePortRange = "node-port-range" // EnableAutoProtectNodePortRange enables appending NodePort range to // net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port // range (net.ipv4.ip_local_port_range) EnableAutoProtectNodePortRange = "enable-auto-protect-node-port-range" // KubeProxyReplacement controls how to enable kube-proxy replacement // features in BPF datapath KubeProxyReplacement = "kube-proxy-replacement" // EnableSessionAffinity enables a support for service sessionAffinity EnableSessionAffinity = "enable-session-affinity" // EnableIdentityMark enables setting the mark field with the identity for // local traffic. This may be disabled if chaining modes and Cilium use // conflicting marks. EnableIdentityMark = "enable-identity-mark" // LibDir enables the directory path to store runtime build environment LibDir = "lib-dir" // LogDriver sets logging endpoints to use for example syslog, fluentd LogDriver = "log-driver" // LogOpt sets log driver options for cilium LogOpt = "log-opt" // Logstash enables logstash integration Logstash = "logstash" // NAT46Range is the IPv6 prefix to map IPv4 addresses to NAT46Range = "nat46-range" // Masquerade are the packets from endpoints leaving the host Masquerade = "masquerade" // EnableBPFClockProbe selects a more efficient source clock (jiffies vs ktime) EnableBPFClockProbe = "enable-bpf-clock-probe" // EnableBPFMasquerade masquerades packets from endpoints leaving the host with BPF instead of iptables EnableBPFMasquerade = "enable-bpf-masquerade" // EnableIPMasqAgent enables BPF ip-masq-agent EnableIPMasqAgent = "enable-ip-masq-agent" // IPMasqAgentConfigPath is the configuration file path IPMasqAgentConfigPath = "ip-masq-agent-config-path" // InstallIptRules sets whether Cilium should install any iptables in general InstallIptRules = "install-iptables-rules" IPTablesLockTimeout = "iptables-lock-timeout" // IPv6NodeAddr is the IPv6 address of node IPv6NodeAddr = "ipv6-node" // IPv4NodeAddr is the IPv4 address of node IPv4NodeAddr = "ipv4-node" // Restore restores state, if possible, from previous daemon Restore = "restore" // SidecarIstioProxyImage regular expression matching compatible Istio sidecar istio-proxy container image names SidecarIstioProxyImage = "sidecar-istio-proxy-image" // SocketPath sets daemon's socket path to listen for connections SocketPath = "socket-path" // StateDir is the directory path to store runtime state StateDir = "state-dir" // TracePayloadlen length of payload to capture when tracing TracePayloadlen = "trace-payloadlen" // Version prints the version information Version = "version" // FlannelMasterDevice installs a BPF program to allow for policy // enforcement in the given network interface. Allows to run Cilium on top // of other CNI plugins that provide networking, e.g. flannel, where for // flannel, this value should be set with 'cni0'. [EXPERIMENTAL]") FlannelMasterDevice = "flannel-master-device" // FlannelUninstallOnExit should be used along the flannel-master-device flag, // it cleans up all BPF programs installed when Cilium agent is terminated. FlannelUninstallOnExit = "flannel-uninstall-on-exit" // PProf enables serving the pprof debugging API PProf = "pprof" // PrefilterDevice is the device facing external network for XDP prefiltering PrefilterDevice = "prefilter-device" // PrefilterMode { "+ModePreFilterNative+" | "+ModePreFilterGeneric+" } (default: "+option.ModePreFilterNative+") PrefilterMode = "prefilter-mode" // PrometheusServeAddr IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off) PrometheusServeAddr = "prometheus-serve-addr" // PrometheusServeAddrDeprecated IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off) PrometheusServeAddrDeprecated = "prometheus-serve-addr-deprecated" // CMDRef is the path to cmdref output directory CMDRef = "cmdref" // ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies. ToFQDNsMinTTL = "tofqdns-min-ttl" // ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. ToFQDNsProxyPort = "tofqdns-proxy-port" // ToFQDNsEnablePoller enables proactive polling of DNS names in toFQDNs.matchName rules. ToFQDNsEnablePoller = "tofqdns-enable-poller" // ToFQDNsEnablePollerEvents controls if poller lookups are sent as monitor events ToFQDNsEnablePollerEvents = "tofqdns-enable-poller-events" // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain // for each FQDN name in an endpoint's FQDN cache ToFQDNsMaxIPsPerHost = "tofqdns-endpoint-max-ip-per-hostname" // ToFQDNsMaxDeferredConnectionDeletes defines the maximum number of IPs to // retain for expired DNS lookups with still-active connections" ToFQDNsMaxDeferredConnectionDeletes = "tofqdns-max-deferred-connection-deletes" // ToFQDNsPreCache is a path to a file with DNS cache data to insert into the // global cache on startup. // The file is not re-read after agent start. ToFQDNsPreCache = "tofqdns-pre-cache" // ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to // endpoints that are larger than 512 Bytes or the EDNS0 option, if present. ToFQDNsEnableDNSCompression = "tofqdns-enable-dns-compression" // MTUName is the name of the MTU option MTUName = "mtu" // DatapathMode is the name of the DatapathMode option DatapathMode = "datapath-mode" // IpvlanMasterDevice is the name of the IpvlanMasterDevice option IpvlanMasterDevice = "ipvlan-master-device" // EnableHostReachableServices is the name of the EnableHostReachableServices option EnableHostReachableServices = "enable-host-reachable-services" // HostReachableServicesProtos is the name of the HostReachableServicesProtos option HostReachableServicesProtos = "host-reachable-services-protos" // HostServicesTCP is the name of EnableHostServicesTCP config HostServicesTCP = "tcp" // HostServicesUDP is the name of EnableHostServicesUDP config HostServicesUDP = "udp" // TunnelName is the name of the Tunnel option TunnelName = "tunnel" // SingleClusterRouteName is the name of the SingleClusterRoute option // // SingleClusterRoute enables use of a single route covering the entire // cluster CIDR to point to the cilium_host interface instead of using // a separate route for each cluster node CIDR. This option is not // compatible with Tunnel=TunnelDisabled SingleClusterRouteName = "single-cluster-route" // MonitorAggregationName specifies the MonitorAggregationLevel on the // comandline. MonitorAggregationName = "monitor-aggregation" // MonitorAggregationInterval configures interval for monitor-aggregation MonitorAggregationInterval = "monitor-aggregation-interval" // MonitorAggregationFlags configures TCP flags used by monitor aggregation. MonitorAggregationFlags = "monitor-aggregation-flags" // ClusterName is the name of the ClusterName option ClusterName = "cluster-name" // ClusterIDName is the name of the ClusterID option ClusterIDName = "cluster-id" // ClusterMeshConfigName is the name of the ClusterMeshConfig option ClusterMeshConfigName = "clustermesh-config" // BPFCompileDebugName is the name of the option to enable BPF compiliation debugging BPFCompileDebugName = "bpf-compile-debug" // CTMapEntriesGlobalTCPDefault is the default maximum number of entries // in the TCP CT table. CTMapEntriesGlobalTCPDefault = 2 << 18 // 512Ki // CTMapEntriesGlobalAnyDefault is the default maximum number of entries // in the non-TCP CT table. CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki // CTMapEntriesGlobalTCPName configures max entries for the TCP CT // table. CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max" // CTMapEntriesGlobalAnyName configures max entries for the non-TCP CT // table. CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max" // CTMapEntriesTimeout* name option and default value mappings CTMapEntriesTimeoutSYNName = "bpf-ct-timeout-regular-tcp-syn" CTMapEntriesTimeoutFINName = "bpf-ct-timeout-regular-tcp-fin" CTMapEntriesTimeoutTCPName = "bpf-ct-timeout-regular-tcp" CTMapEntriesTimeoutAnyName = "bpf-ct-timeout-regular-any" CTMapEntriesTimeoutSVCTCPName = "bpf-ct-timeout-service-tcp" CTMapEntriesTimeoutSVCAnyName = "bpf-ct-timeout-service-any" // NATMapEntriesGlobalDefault holds the default size of the NAT map // and is 2/3 of the full CT size as a heuristic NATMapEntriesGlobalDefault = int((CTMapEntriesGlobalTCPDefault + CTMapEntriesGlobalAnyDefault) * 2 / 3) // SockRevNATMapEntriesDefault holds the default size of the SockRev NAT map // and is the same size of CTMapEntriesGlobalAnyDefault as a heuristic given // that sock rev NAT is mostly used for UDP and getpeername only. SockRevNATMapEntriesDefault = CTMapEntriesGlobalAnyDefault // MapEntriesGlobalDynamicSizeRatioName is the name of the option to // set the ratio of total system memory to use for dynamic sizing of the // CT, NAT, Neighbor and SockRevNAT BPF maps. MapEntriesGlobalDynamicSizeRatioName = "bpf-map-dynamic-size-ratio" // LimitTableAutoGlobalTCPMin defines the minimum TCP CT table limit for // dynamic size ration calculation. LimitTableAutoGlobalTCPMin = 1 << 17 // 128Ki entries // LimitTableAutoGlobalAnyMin defines the minimum UDP CT table limit for // dynamic size ration calculation. LimitTableAutoGlobalAnyMin = 1 << 16 // 64Ki entries // LimitTableAutoNatGlobalMin defines the minimum NAT limit for dynamic size // ration calculation. LimitTableAutoNatGlobalMin = 1 << 17 // 128Ki entries // LimitTableAutoSockRevNatMin defines the minimum SockRevNAT limit for // dynamic size ration calculation. LimitTableAutoSockRevNatMin = 1 << 16 // 64Ki entries // LimitTableMin defines the minimum CT or NAT table limit LimitTableMin = 1 << 10 // 1Ki entries // LimitTableMax defines the maximum CT or NAT table limit LimitTableMax = 1 << 24 // 16Mi entries (~1GiB of entries per map) // PolicyMapMin defines the minimum policy map limit. PolicyMapMin = 1 << 8 // PolicyMapMax defines the maximum policy map limit. PolicyMapMax = 1 << 16 // FragmentsMapMin defines the minimum fragments map limit. FragmentsMapMin = 1 << 8 // FragmentsMapMax defines the maximum fragments map limit. FragmentsMapMax = 1 << 16 // NATMapEntriesGlobalName configures max entries for BPF NAT table NATMapEntriesGlobalName = "bpf-nat-global-max" // NeighMapEntriesGlobalName configures max entries for BPF neighbor table NeighMapEntriesGlobalName = "bpf-neigh-global-max" // PolicyMapEntriesName configures max entries for BPF policymap. PolicyMapEntriesName = "bpf-policy-map-max" // SockRevNatEntriesName configures max entries for BPF sock reverse nat // entries. SockRevNatEntriesName = "bpf-sock-rev-map-max" // LogSystemLoadConfigName is the name of the option to enable system // load loggging LogSystemLoadConfigName = "log-system-load" // PrependIptablesChainsName is the name of the option to enable // prepending iptables chains instead of appending PrependIptablesChainsName = "prepend-iptables-chains" // DisableCiliumEndpointCRDName is the name of the option to disable // use of the CEP CRD DisableCiliumEndpointCRDName = "disable-endpoint-crd" // DisableK8sServices disables east-west K8s load balancing by cilium DisableK8sServices = "disable-k8s-services" // MaxCtrlIntervalName and MaxCtrlIntervalNameEnv allow configuration // of MaxControllerInterval. MaxCtrlIntervalName = "max-controller-interval" // SockopsEnableName is the name of the option to enable sockops SockopsEnableName = "sockops-enable" // K8sNamespaceName is the name of the K8sNamespace option K8sNamespaceName = "k8s-namespace" // EnableIPv4Name is the name of the option to enable IPv4 support EnableIPv4Name = "enable-ipv4" // LegacyDisableIPv4Name is the name of the legacy option to disable // IPv4 support LegacyDisableIPv4Name = "disable-ipv4" // EnableIPv6Name is the name of the option to enable IPv6 support EnableIPv6Name = "enable-ipv6" // MonitorQueueSizeName is the name of the option MonitorQueueSize MonitorQueueSizeName = "monitor-queue-size" //FQDNRejectResponseCode is the name for the option for dns-proxy reject response code FQDNRejectResponseCode = "tofqdns-dns-reject-response-code" // FQDNProxyDenyWithNameError is useful when stub resolvers, like the one // in Alpine Linux's libc (musl), treat a REFUSED as a resolution error. // This happens when trying a DNS search list, as in kubernetes, and breaks // even whitelisted DNS names. FQDNProxyDenyWithNameError = "nameError" // FQDNProxyDenyWithRefused is the response code for Domain refused. It is // the default for denied DNS requests. FQDNProxyDenyWithRefused = "refused" // FQDNProxyResponseMaxDelay is the maximum time the proxy holds back a response FQDNProxyResponseMaxDelay = "tofqdns-proxy-response-max-delay" // PreAllocateMapsName is the name of the option PreAllocateMaps PreAllocateMapsName = "preallocate-bpf-maps" // EnableXTSocketFallbackName is the name of the EnableXTSocketFallback option EnableXTSocketFallbackName = "enable-xt-socket-fallback" // EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option EnableAutoDirectRoutingName = "auto-direct-node-routes" // EnableIPSecName is the name of the option to enable IPSec EnableIPSecName = "enable-ipsec" // IPSecKeyFileName is the name of the option for ipsec key file IPSecKeyFileName = "ipsec-key-file" // KVstoreLeaseTTL is the time-to-live for lease in kvstore. KVstoreLeaseTTL = "kvstore-lease-ttl" // KVstorePeriodicSync is the time interval in which periodic // synchronization with the kvstore occurs KVstorePeriodicSync = "kvstore-periodic-sync" // KVstoreConnectivityTimeout is the timeout when performing kvstore operations KVstoreConnectivityTimeout = "kvstore-connectivity-timeout" // IPAllocationTimeout is the timeout when allocating CIDRs IPAllocationTimeout = "ip-allocation-timeout" // IdentityChangeGracePeriod is the name of the // IdentityChangeGracePeriod option IdentityChangeGracePeriod = "identity-change-grace-period" // EnableHealthChecking is the name of the EnableHealthChecking option EnableHealthChecking = "enable-health-checking" // EnableEndpointHealthChecking is the name of the EnableEndpointHealthChecking option EnableEndpointHealthChecking = "enable-endpoint-health-checking" // EnableHealthCheckNodePort is the name of the EnableHealthCheckNodePort option EnableHealthCheckNodePort = "enable-health-check-nodeport" // PolicyQueueSize is the size of the queues utilized by the policy // repository. PolicyQueueSize = "policy-queue-size" // EndpointQueueSize is the size of the EventQueue per-endpoint. EndpointQueueSize = "endpoint-queue-size" // SelectiveRegeneration specifies whether only the endpoints which policy // changes select should be regenerated upon policy changes. SelectiveRegeneration = "enable-selective-regeneration" // K8sEventHandover is the name of the K8sEventHandover option K8sEventHandover = "enable-k8s-event-handover" // Metrics represents the metrics subsystem that Cilium should expose // to prometheus. Metrics = "metrics" // LoopbackIPv4 is the address to use for service loopback SNAT LoopbackIPv4 = "ipv4-service-loopback-address" // EndpointInterfaceNamePrefix is the prefix name of the interface // names shared by all endpoints EndpointInterfaceNamePrefix = "endpoint-interface-name-prefix" // BlacklistConflictingRoutes removes all IPs from the IPAM block if a // local route not owned by Cilium conflicts with it BlacklistConflictingRoutes = "blacklist-conflicting-routes" // ForceLocalPolicyEvalAtSource forces a policy decision at the source // endpoint for all local communication ForceLocalPolicyEvalAtSource = "force-local-policy-eval-at-source" // SkipCRDCreation specifies whether the CustomResourceDefinition will be // created by the daemon SkipCRDCreation = "skip-crd-creation" // EnableEndpointRoutes enables use of per endpoint routes EnableEndpointRoutes = "enable-endpoint-routes" // ExcludeLocalAddress excludes certain addresses to be recognized as a // local address ExcludeLocalAddress = "exclude-local-address" // IPv4PodSubnets A list of IPv4 subnets that pods may be // assigned from. Used with CNI chaining where IPs are not directly managed // by Cilium. IPv4PodSubnets = "ipv4-pod-subnets" // IPv6PodSubnets A list of IPv6 subnets that pods may be // assigned from. Used with CNI chaining where IPs are not directly managed // by Cilium. IPv6PodSubnets = "ipv6-pod-subnets" // IPAM is the IPAM method to use IPAM = "ipam" // XDPModeNative for loading progs with XDPModeLinkDriver XDPModeNative = "native" // XDPModeGeneric for loading progs with XDPModeLinkGeneric XDPModeGeneric = "testing-only" // XDPModeDisabled for not having XDP enabled XDPModeDisabled = "disabled" // XDPModeLinkDriver is the tc selector for native XDP XDPModeLinkDriver = "xdpdrv" // XDPModeLinkGeneric is the tc selector for generic XDP XDPModeLinkGeneric = "xdpgeneric" // XDPModeLinkNone for not having XDP enabled XDPModeLinkNone = XDPModeDisabled // K8sClientQPSLimit is the queries per second limit for the K8s client. Defaults to k8s client defaults. K8sClientQPSLimit = "k8s-client-qps" // K8sClientBurst is the burst value allowed for the K8s client. Defaults to k8s client defaults. K8sClientBurst = "k8s-client-burst" // AutoCreateCiliumNodeResource enables automatic creation of a // CiliumNode resource for the local node AutoCreateCiliumNodeResource = "auto-create-cilium-node-resource" // IPv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable IPv4NativeRoutingCIDR = "native-routing-cidr" // EgressMasqueradeInterfaces is the selector used to select interfaces // subject to egress masquerading EgressMasqueradeInterfaces = "egress-masquerade-interfaces" // PolicyTriggerInterval is the amount of time between triggers of policy // updates are invoked. PolicyTriggerInterval = "policy-trigger-interval" // IdentityAllocationMode specifies what mode to use for identity // allocation IdentityAllocationMode = "identity-allocation-mode" // IdentityAllocationModeKVstore enables use of a key-value store such // as etcd or consul for identity allocation IdentityAllocationModeKVstore = "kvstore" // IdentityAllocationModeCRD enables use of Kubernetes CRDs for // identity allocation IdentityAllocationModeCRD = "crd" // DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP // CRD. DisableCNPStatusUpdates = "disable-cnp-status-updates" // EnableLocalNodeRoute controls installation of the route which points // the allocation prefix of the local node. EnableLocalNodeRoute = "enable-local-node-route" // EnableWellKnownIdentities enables the use of well-known identities. // This is requires if identiy resolution is required to bring up the // control plane, e.g. when using the managed etcd feature EnableWellKnownIdentities = "enable-well-known-identities" // EnableRemoteNodeIdentity enables use of the remote-node identity EnableRemoteNodeIdentity = "enable-remote-node-identity" // PolicyAuditModeArg argument enables policy audit mode. PolicyAuditModeArg = "policy-audit-mode" // EnableHubble enables hubble in the agent. EnableHubble = "enable-hubble" // HubbleSocketPath specifies the UNIX domain socket for Hubble server to listen to. HubbleSocketPath = "hubble-socket-path" // HubbleListenAddress specifies address for Hubble server to listen to. HubbleListenAddress = "hubble-listen-address" // HubbleFlowBufferSize specifies the maximum number of flows in Hubble's buffer. HubbleFlowBufferSize = "hubble-flow-buffer-size" // HubbleEventQueueSize specifies the buffer size of the channel to receive monitor events. HubbleEventQueueSize = "hubble-event-queue-size" // HubbleMetricsServer specifies the addresses to serve Hubble metrics on. HubbleMetricsServer = "hubble-metrics-server" // HubbleMetrics specifies enabled metrics and their configuration options. HubbleMetrics = "hubble-metrics" // DisableIptablesFeederRules specifies which chains will be excluded // when installing the feeder rules DisableIptablesFeederRules = "disable-iptables-feeder-rules" // K8sHeartbeatTimeout configures the timeout for apiserver heartbeat K8sHeartbeatTimeout = "k8s-heartbeat-timeout" // EndpointStatus enables population of information in the // CiliumEndpoint.Status resource EndpointStatus = "endpoint-status" // EndpointStatusPolicy enables CiliumEndpoint.Status.Policy EndpointStatusPolicy = "policy" // EndpointStatusHealth enables CilliumEndpoint.Status.Health EndpointStatusHealth = "health" // EndpointStatusControllers enables CiliumEndpoint.Status.Controllers EndpointStatusControllers = "controllers" // EndpointStatusLog enables CiliumEndpoint.Status.Log EndpointStatusLog = "log" // EndpointStatusState enables CiliumEndpoint.Status.State EndpointStatusState = "state" // EnableIPv4FragmentsTrackingName is the name of the option to enable // IPv4 fragments tracking for L4-based lookups. Needs LRU map support. EnableIPv4FragmentsTrackingName = "enable-ipv4-fragment-tracking" // FragmentsMapEntriesName configures max entries for BPF fragments // tracking map. FragmentsMapEntriesName = "bpf-fragments-map-max" // K8sEnableAPIDiscovery K8sEnableAPIDiscovery = "enable-k8s-api-discovery" )
const ( // TunnelVXLAN specifies VXLAN encapsulation TunnelVXLAN = "vxlan" // TunnelGeneve specifies Geneve encapsulation TunnelGeneve = "geneve" // TunnelDisabled specifies to disable encapsulation TunnelDisabled = "disabled" )
Available option for DaemonConfig.Tunnel
const ( // HTTP403Message specifies the response body for 403 responses, defaults to "Access denied" HTTP403Message = "http-403-msg" // HTTPRequestTimeout specifies the time in seconds after which forwarded requests time out HTTPRequestTimeout = "http-request-timeout" // HTTPIdleTimeout spcifies the time in seconds if http stream being idle after which the // request times out HTTPIdleTimeout = "http-idle-timeout" // HTTPMaxGRPCTimeout specifies the maximum time in seconds that limits the values of // "grpc-timeout" headers being honored. HTTPMaxGRPCTimeout = "http-max-grpc-timeout" // HTTPRetryCount specifies the number of retries performed after a forwarded request fails HTTPRetryCount = "http-retry-count" // HTTPRetryTimeout is the time in seconds before an uncompleted request is retried. HTTPRetryTimeout = "http-retry-timeout" // ProxyConnectTimeout specifies the time in seconds after which a TCP connection attempt // is considered timed out ProxyConnectTimeout = "proxy-connect-timeout" // ReadCNIConfiguration reads the CNI configuration file and extracts // Cilium relevant information. This can be used to pass per node // configuration to Cilium. ReadCNIConfiguration = "read-cni-conf" // WriteCNIConfigurationWhenReady writes the CNI configuration to the // specified location once the agent is ready to serve requests. This // allows to keep a Kubernetes node NotReady until Cilium is up and // running and able to schedule endpoints. WriteCNIConfigurationWhenReady = "write-cni-conf-when-ready" )
Envoy option names
const ( // NodePortMinDefault is the minimal port to listen for NodePort requests NodePortMinDefault = 30000 // NodePortMaxDefault is the maximum port to listen for NodePort requests NodePortMaxDefault = 32767 // NodePortModeSNAT is for SNATing requests to remote nodes NodePortModeSNAT = "snat" // NodePortModeDSR is for performing DSR for requests to remote nodes NodePortModeDSR = "dsr" // NodePortModeHybrid is a dual mode of the above, that is, DSR for TCP and SNAT for UDP NodePortModeHybrid = "hybrid" // NodePortAccelerationDisabled means we do not accelerate NodePort via XDP NodePortAccelerationDisabled = XDPModeDisabled // NodePortAccelerationGeneric means we accelerate NodePort via generic XDP NodePortAccelerationGeneric = XDPModeGeneric // NodePortAccelerationNative means we accelerate NodePort via native XDP in the driver (preferred) NodePortAccelerationNative = XDPModeNative // KubeProxyReplacementProbe specifies to auto-enable available features for // kube-proxy replacement KubeProxyReplacementProbe = "probe" // KubeProxyReplacementPartial specifies to enable only selected kube-proxy // replacement features (might panic) KubeProxyReplacementPartial = "partial" // KubeProxyReplacementStrict specifies to enable all kube-proxy replacement // features (might panic) KubeProxyReplacementStrict = "strict" // KubeProxyReplacementDisabled specified to completely disable kube-proxy // replacement KubeProxyReplacementDisabled = "disabled" )
const ( // TCP_FIN, ... from <linux/tcp.h> (host byte-order) TCP_FIN = uint16(0x0001) TCP_SYN = uint16(0x0002) TCP_RST = uint16(0x0004) TCP_PSH = uint16(0x0008) TCP_ACK = uint16(0x0010) TCP_URG = uint16(0x0020) TCP_ECE = uint16(0x0040) TCP_CWR = uint16(0x0080) )
const ( PolicyTracing = "PolicyTracing" ConntrackAccounting = "ConntrackAccounting" ConntrackLocal = "ConntrackLocal" Conntrack = "Conntrack" Debug = "Debug" DebugLB = "DebugLB" DropNotify = "DropNotification" TraceNotify = "TraceNotification" PolicyVerdictNotify = "PolicyVerdictNotification" PolicyAuditMode = "PolicyAuditMode" MonitorAggregation = "MonitorAggregationLevel" NAT46 = "NAT46" AlwaysEnforce = "always" NeverEnforce = "never" DefaultEnforcement = "default" )
Variables ¶
var ( FQDNRejectOptions = []string{FQDNProxyDenyWithNameError, FQDNProxyDenyWithRefused} // MonitorAggregationFlagsDefault ensure that all TCP flags trigger // monitor notifications even under medium monitor aggregation. MonitorAggregationFlagsDefault = []string{"syn", "fin", "rst"} )
Default string arguments
var ( // DaemonOptionLibrary is the daemon's option library that should be // used for read-only. DaemonOptionLibrary = OptionLibrary{ PolicyTracing: &specPolicyTracing, } DaemonMutableOptionLibrary = OptionLibrary{ ConntrackAccounting: &specConntrackAccounting, ConntrackLocal: &specConntrackLocal, Conntrack: &specConntrack, Debug: &specDebug, DebugLB: &specDebugLB, DropNotify: &specDropNotify, TraceNotify: &specTraceNotify, PolicyVerdictNotify: &specPolicyVerdictNotify, PolicyAuditMode: &specPolicyAuditMode, MonitorAggregation: &specMonitorAggregation, NAT46: &specNAT46, } )
var ( ErrNAT46ReqIPv4 = errors.New("NAT46 requires IPv4 to be enabled") ErrNAT46ReqIPv6 = errors.New("NAT46 requires IPv6 to be enabled") ErrNAT46ReqVeth = errors.New("NAT46 not supported in ipvlan datapath mode") )
var ( // Config represents the daemon configuration Config = &DaemonConfig{ Opts: NewIntOptions(&DaemonOptionLibrary), Monitor: &models.MonitorStatus{Cpus: int64(runtime.NumCPU()), Npages: 64, Pagesize: int64(os.Getpagesize()), Lost: 0, Unknown: 0}, IPv6ClusterAllocCIDR: defaults.IPv6ClusterAllocCIDR, IPv6ClusterAllocCIDRBase: defaults.IPv6ClusterAllocCIDRBase, EnableHostIPRestore: defaults.EnableHostIPRestore, EnableHealthChecking: defaults.EnableHealthChecking, EnableEndpointHealthChecking: defaults.EnableEndpointHealthChecking, EnableHealthCheckNodePort: defaults.EnableHealthCheckNodePort, EnableIPv4: defaults.EnableIPv4, EnableIPv6: defaults.EnableIPv6, EnableL7Proxy: defaults.EnableL7Proxy, EndpointStatus: make(map[string]struct{}), ToFQDNsMaxIPsPerHost: defaults.ToFQDNsMaxIPsPerHost, KVstorePeriodicSync: defaults.KVstorePeriodicSync, KVstoreConnectivityTimeout: defaults.KVstoreConnectivityTimeout, IPAllocationTimeout: defaults.IPAllocationTimeout, IdentityChangeGracePeriod: defaults.IdentityChangeGracePeriod, FixedIdentityMapping: make(map[string]string), KVStoreOpt: make(map[string]string), LogOpt: make(map[string]string), SelectiveRegeneration: defaults.SelectiveRegeneration, LoopbackIPv4: defaults.LoopbackIPv4, EndpointInterfaceNamePrefix: defaults.EndpointInterfaceNamePrefix, BlacklistConflictingRoutes: defaults.BlacklistConflictingRoutes, ForceLocalPolicyEvalAtSource: defaults.ForceLocalPolicyEvalAtSource, EnableEndpointRoutes: defaults.EnableEndpointRoutes, AnnotateK8sNode: defaults.AnnotateK8sNode, K8sServiceCacheSize: defaults.K8sServiceCacheSize, AutoCreateCiliumNodeResource: defaults.AutoCreateCiliumNodeResource, IdentityAllocationMode: IdentityAllocationModeKVstore, AllowICMPFragNeeded: defaults.AllowICMPFragNeeded, EnableWellKnownIdentities: defaults.EnableEndpointRoutes, K8sEnableK8sEndpointSlice: defaults.K8sEnableEndpointSlice, k8sEnableAPIDiscovery: defaults.K8sEnableAPIDiscovery, k8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery, } )
var HelpFlagSections = []FlagsSection{ { Name: "BPF flags", Flags: []string{ BPFRoot, KeepBPFTemplates, CTMapEntriesGlobalTCPName, CTMapEntriesGlobalAnyName, CTMapEntriesTimeoutSYNName, CTMapEntriesTimeoutFINName, CTMapEntriesTimeoutTCPName, CTMapEntriesTimeoutAnyName, CTMapEntriesTimeoutSVCTCPName, CTMapEntriesTimeoutSVCAnyName, NATMapEntriesGlobalName, NeighMapEntriesGlobalName, SockRevNatEntriesName, PolicyMapEntriesName, MapEntriesGlobalDynamicSizeRatioName, PreAllocateMapsName, BPFCompileDebugName, FragmentsMapEntriesName, EnableBPFClockProbe, EnableBPFMasquerade, EnableIdentityMark, }, }, { Name: "DNS policy flags", Flags: []string{ FQDNRejectResponseCode, ToFQDNsEnablePoller, ToFQDNsEnablePollerEvents, ToFQDNsMaxIPsPerHost, ToFQDNsMinTTL, ToFQDNsPreCache, ToFQDNsProxyPort, FQDNProxyResponseMaxDelay, ToFQDNsEnableDNSCompression, ToFQDNsMaxDeferredConnectionDeletes, }, }, { Name: "Kubernetes flags", Flags: []string{ K8sAPIServer, K8sKubeConfigPath, K8sNamespaceName, K8sRequireIPv4PodCIDRName, K8sRequireIPv6PodCIDRName, K8sSyncTimeoutName, K8sWatcherEndpointSelector, K8sWatcherQueueSize, K8sEventHandover, DisableK8sServices, AnnotateK8sNode, K8sForceJSONPatch, DisableCiliumEndpointCRDName, K8sHeartbeatTimeout, K8sEnableEndpointSlice, K8sEnableAPIDiscovery, EnableHostPort, AutoCreateCiliumNodeResource, DisableCNPStatusUpdates, ReadCNIConfiguration, WriteCNIConfigurationWhenReady, EndpointStatus, SkipCRDCreation, FlannelMasterDevice, FlannelUninstallOnExit, EnableWellKnownIdentities, }, }, { Name: "Clustermesh flags", Flags: []string{ ClusterIDName, ClusterName, ClusterMeshConfigName, }, }, { Name: "Route flags", Flags: []string{ SingleClusterRouteName, EnableEndpointRoutes, EnableLocalNodeRoute, BlacklistConflictingRoutes, EnableAutoDirectRoutingName, }, }, { Name: "Proxy flags", Flags: []string{ HTTPIdleTimeout, HTTPMaxGRPCTimeout, HTTPRequestTimeout, HTTPRetryCount, HTTPRetryTimeout, ProxyConnectTimeout, SidecarIstioProxyImage, }, }, { Name: "Debug, logging and trace flags", Flags: []string{ DebugArg, DebugVerbose, EnableTracing, LogDriver, LogOpt, LogSystemLoadConfigName, EnvoyLog, EnableEndpointHealthChecking, EnableHealthChecking, TracePayloadlen, PProf, }, }, { Name: "Metrics and monitoring flags", Flags: []string{ Metrics, MonitorAggregationName, MonitorAggregationFlags, MonitorAggregationInterval, MonitorQueueSizeName, PrometheusServeAddr, }, }, { Name: "IP flags", Flags: []string{ EnableIPv4Name, EnableIPv6Name, IPAllocationTimeout, IPAM, IPv4ClusterCIDRMaskSize, IPv4NodeAddr, IPv6NodeAddr, IPv4PodSubnets, IPv6PodSubnets, IPv4Range, IPv6Range, LoopbackIPv4, IPv4ServiceRange, IPv6ServiceRange, IPv6ClusterAllocCIDRName, MTUName, NAT46Range, EnableIPv4FragmentsTrackingName, }, }, { Name: "KVstore flags", Flags: []string{ KVStore, KVStoreOpt, KVstoreConnectivityTimeout, KVstorePeriodicSync, }, }, { Name: "Encryption flags", Flags: []string{ EncryptInterface, EncryptNode, EnableIPSecName, IPSecKeyFileName, }, }, { Name: "Policy flags", Flags: []string{ AllowLocalhost, AllowICMPFragNeeded, EnablePolicy, ExcludeLocalAddress, ForceLocalPolicyEvalAtSource, PolicyQueueSize, PolicyAuditModeArg, EnableL7Proxy, IdentityAllocationMode, IdentityChangeGracePeriod, FixedIdentityMapping, CertsDirectory, EnableHostFirewall, }, }, { Name: "Hubble flags", Flags: []string{ EnableHubble, HubbleSocketPath, HubbleListenAddress, HubbleFlowBufferSize, HubbleEventQueueSize, HubbleMetricsServer, HubbleMetrics, }, }, { Name: "Services and address translation flags", Flags: []string{ EgressMasqueradeInterfaces, Masquerade, NodePortRange, EnableHostReachableServices, HostReachableServicesProtos, EnableSessionAffinity, }, }, { Name: "IPtables flags", Flags: []string{ PrependIptablesChainsName, DisableIptablesFeederRules, InstallIptRules, IPTablesLockTimeout, }, }, { Name: "Networking flags", Flags: []string{ Device, DatapathMode, ConntrackGCInterval, DisableConntrack, EnableAutoProtectNodePortRange, TunnelName, SockopsEnableName, PrefilterDevice, PrefilterMode, EnableXTSocketFallbackName, IpvlanMasterDevice, }, }, { Name: "KubeProxy free flags", Flags: []string{ KubeProxyReplacement, EnableNodePort, EnableSVCSourceRangeCheck, EnableHostReachableServices, EnableExternalIPs, HostReachableServicesProtos, NodePortMode, NodePortBindProtection, NodePortAcceleration, }, }, { Name: "Path and config file flags", Flags: []string{ ConfigFile, ConfigDir, CGroupRoot, IPMasqAgentConfigPath, LibDir, StateDir, SocketPath, LabelPrefixFile, }, }, }
HelpFlagSections to format the Cilium Agent help template. Developers please make sure to add the new flags to the respective sections or create a new section.
var RegisteredOptions = map[string]struct{}{}
RegisteredOptions maps all options that are bind to viper.
Functions ¶
func BindEnv ¶ added in v0.15.7
func BindEnv(optName string)
BindEnv binds the option name with an deterministic generated environment variable which s based on the given optName. If the same optName is bind more than 1 time, this function panics.
func BindEnvWithLegacyEnvFallback ¶ added in v0.15.7
func BindEnvWithLegacyEnvFallback(optName, legacyEnvName string)
BindEnvWithLegacyEnvFallback binds the given option name with either the same environment variable as BindEnv, if it's set, or with the given legacyEnvName.
The function is used to work around the viper.BindEnv limitation that only one environment variable can be bound for an option, and we need multiple environment variables due to backward compatibility reasons.
func EndpointStatusValues ¶ added in v0.15.7
func EndpointStatusValues() []string
EndpointStatusValues returns all available EndpointStatus option values
func EndpointStatusValuesMap ¶ added in v0.15.7
func EndpointStatusValuesMap() (values map[string]struct{})
EndpointStatusValuesMap returns all EndpointStatus option values as a map
func FormatMonitorAggregationLevel ¶ added in v0.15.7
func FormatMonitorAggregationLevel(level OptionSetting) string
FormatMonitorAggregationLevel maps a MonitorAggregationLevel to a string.
func GetTunnelModes ¶ added in v0.15.7
func GetTunnelModes() string
GetTunnelModes returns the list of all tunnel modes
func InitConfig ¶ added in v0.15.7
func InitConfig(programName, configName string) func()
InitConfig reads in config file and ENV variables if set.
func LogRegisteredOptions ¶ added in v0.15.7
LogRegisteredOptions logs all options that where bind to viper.
func MergeConfig ¶ added in v0.15.7
MergeConfig merges the given configuration map with viper's configuration.
func MightAutoDetectDevices ¶ added in v0.15.7
func MightAutoDetectDevices() bool
MightAutoDetectDevices returns true if the device auto-detection might take place.
func ReadDirConfig ¶ added in v0.15.7
ReadDirConfig reads the given directory and returns a map that maps the filename to the contents of that file.
func ReplaceDeprecatedFields ¶ added in v0.15.7
func ReplaceDeprecatedFields(m map[string]interface{})
ReplaceDeprecatedFields replaces the deprecated options set with the new set of options that overwrite the deprecated ones. This function replaces the deprecated fields used by environment variables with a different name than the option they are setting. This also replaces the deprecated names used in the Kubernetes ConfigMap. Once we remove them from this function we also need to remove them from daemon_main.go and warn users about the old environment variable nor the option in the configuration map have any effect.
func VerifyMonitorAggregationLevel ¶ added in v0.15.7
VerifyMonitorAggregationLevel validates the specified key/value for a monitor aggregation level.
Types ¶
type BPFClockSource ¶ added in v0.15.7
type BPFClockSource int
const ( ClockSourceKtime BPFClockSource = iota ClockSourceJiffies )
type ChangedFunc ¶
type ChangedFunc func(key string, value OptionSetting, data interface{})
ChangedFunc is called by `Apply()` for each option changed
type DaemonConfig ¶ added in v0.15.7
type DaemonConfig struct { BpfDir string // BPF template files directory LibDir string // Cilium library files directory RunDir string // Cilium runtime directory NAT46Prefix *net.IPNet // NAT46 IPv6 Prefix Devices []string // bpf_host device DirectRoutingDevice string // Direct routing device (used only by NodePort BPF) DevicePreFilter string // Prefilter device ModePreFilter string // Prefilter mode XDPDevice string // XDP device XDPMode string // XDP mode, values: { xdpdrv | xdpgeneric | none } HostV4Addr net.IP // Host v4 address of the snooping device HostV6Addr net.IP // Host v6 address of the snooping device EncryptInterface string // Set with name of network facing interface to encrypt EncryptNode bool // Set to true for encrypting node IP traffic Ipvlan IpvlanConfig // Ipvlan related configuration DatapathMode string // Datapath mode Tunnel string // Tunnel mode DryMode bool // Do not create BPF maps, devices, .. // RestoreState enables restoring the state from previous running daemons. RestoreState bool // EnableHostIPRestore enables restoring the host IPs based on state // left behind by previous Cilium runs. EnableHostIPRestore bool KeepConfig bool // Keep configuration of existing endpoints when starting up. // AllowLocalhost defines when to allows the local stack to local endpoints // values: { auto | always | policy } AllowLocalhost string // StateDir is the directory where runtime state of endpoints is stored StateDir string // Options changeable at runtime Opts *IntOptions // Mutex for serializing configuration updates to the daemon. ConfigPatchMutex lock.RWMutex // Monitor contains the configuration for the node monitor. Monitor *models.MonitorStatus // AgentHealthPort is the TCP port for the agent health status API. AgentHealthPort int // AgentLabels contains additional labels to identify this agent in monitor events. AgentLabels []string // IPv6ClusterAllocCIDR is the base CIDR used to allocate IPv6 node // CIDRs if allocation is not performed by an orchestration system IPv6ClusterAllocCIDR string // IPv6ClusterAllocCIDRBase is derived from IPv6ClusterAllocCIDR and // contains the CIDR without the mask, e.g. "fdfd::1/64" -> "fdfd::" // // This variable should never be written to, it is initialized via // DaemonConfig.Validate() IPv6ClusterAllocCIDRBase string // K8sRequireIPv4PodCIDR requires the k8s node resource to specify the // IPv4 PodCIDR. Cilium will block bootstrapping until the information // is available. K8sRequireIPv4PodCIDR bool // K8sRequireIPv6PodCIDR requires the k8s node resource to specify the // IPv6 PodCIDR. Cilium will block bootstrapping until the information // is available. K8sRequireIPv6PodCIDR bool // K8sServiceCacheSize is the service cache size for cilium k8s package. K8sServiceCacheSize uint // K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP // status in kube-apiserver. K8sForceJSONPatch bool // K8sWatcherQueueSize is the queue size used to serialize each k8s event // type. K8sWatcherQueueSize uint // MTU is the maximum transmission unit of the underlying network MTU int // ClusterName is the name of the cluster ClusterName string // ClusterID is the unique identifier of the cluster ClusterID int // ClusterMeshConfig is the path to the clustermesh configuration directory ClusterMeshConfig string // CTMapEntriesGlobalTCP is the maximum number of conntrack entries // allowed in each TCP CT table for IPv4/IPv6. CTMapEntriesGlobalTCP int // CTMapEntriesGlobalAny is the maximum number of conntrack entries // allowed in each non-TCP CT table for IPv4/IPv6. CTMapEntriesGlobalAny int // CTMapEntriesTimeout* values configured by the user. CTMapEntriesTimeoutTCP time.Duration CTMapEntriesTimeoutAny time.Duration CTMapEntriesTimeoutSVCTCP time.Duration CTMapEntriesTimeoutSVCAny time.Duration CTMapEntriesTimeoutSYN time.Duration CTMapEntriesTimeoutFIN time.Duration // MonitorAggregationInterval configures the interval between monitor // messages when monitor aggregation is enabled. MonitorAggregationInterval time.Duration // MonitorAggregationFlags determines which TCP flags that the monitor // aggregation ensures reports are generated for when monitor-aggragation // is enabled. Network byte-order. MonitorAggregationFlags uint16 // NATMapEntriesGlobal is the maximum number of NAT mappings allowed // in the BPF NAT table NATMapEntriesGlobal int // NeighMapEntriesGlobal is the maximum number of neighbor mappings // allowed in the BPF neigh table NeighMapEntriesGlobal int // PolicyMapEntries is the maximum number of peer identities that an // endpoint may allow traffic to exchange traffic with. PolicyMapEntries int // SockRevNatEntries is the maximum number of sock rev nat mappings // allowed in the BPF rev nat table SockRevNatEntries int // DisableCiliumEndpointCRD disables the use of CiliumEndpoint CRD DisableCiliumEndpointCRD bool // MaxControllerInterval is the maximum value for a controller's // RunInterval. Zero means unlimited. MaxControllerInterval int // UseSingleClusterRoute specifies whether to use a single cluster route // instead of per-node routes. UseSingleClusterRoute bool // HTTP403Message is the error message to return when a HTTP 403 is returned // by the proxy, if L7 policy is configured. HTTP403Message string // HTTPRequestTimeout is the time in seconds after which Envoy responds with an // error code on a request that has not yet completed. This needs to be longer // than the HTTPIdleTimeout HTTPRequestTimeout int // HTTPIdleTimeout is the time in seconds of a HTTP stream having no traffic after // which Envoy responds with an error code. This needs to be shorter than the // HTTPRequestTimeout HTTPIdleTimeout int // HTTPMaxGRPCTimeout is the upper limit to which "grpc-timeout" headers in GRPC // requests are honored by Envoy. If 0 there is no limit. GRPC requests are not // bound by the HTTPRequestTimeout, but ARE affected by the idle timeout! HTTPMaxGRPCTimeout int // HTTPRetryCount is the upper limit on how many times Envoy retries failed requests. HTTPRetryCount int // HTTPRetryTimeout is the time in seconds before an uncompleted request is retried. HTTPRetryTimeout int // ProxyConnectTimeout is the time in seconds after which Envoy considers a TCP // connection attempt to have timed out. ProxyConnectTimeout int // BPFCompilationDebug specifies whether to compile BPF programs compilation // debugging enabled. BPFCompilationDebug bool // EnvoyLogPath specifies where to store the Envoy proxy logs when Envoy // runs in the same container as Cilium. EnvoyLogPath string // EnableSockOps specifies whether to enable sockops (socket lookup). SockopsEnable bool // PrependIptablesChains is the name of the option to enable prepending // iptables chains instead of appending PrependIptablesChains bool // IPTablesLockTimeout defines the "-w" iptables option when the // iptables CLI is directly invoked from the Cilium agent. IPTablesLockTimeout time.Duration // K8sNamespace is the name of the namespace in which Cilium is // deployed in when running in Kubernetes mode K8sNamespace string // EnableIPv4 is true when IPv4 is enabled EnableIPv4 bool // EnableIPv6 is true when IPv6 is enabled EnableIPv6 bool // EnableL7Proxy is the option to enable L7 proxy EnableL7Proxy bool // EnableIPSec is true when IPSec is enabled EnableIPSec bool // IPSec key file for stored keys IPSecKeyFile string // MonitorQueueSize is the size of the monitor event queue MonitorQueueSize int BPFRoot string CGroupRoot string BPFCompileDebug string ConfigFile string ConfigDir string Debug bool DebugVerbose []string DisableConntrack bool DisableK8sServices bool EnableHostReachableServices bool EnableHostServicesTCP bool EnableHostServicesUDP bool EnableHostServicesPeer bool EnablePolicy string EnableTracing bool EnvoyLog string DisableEnvoyVersionCheck bool FixedIdentityMapping map[string]string FixedIdentityMappingValidator func(val string) (string, error) IPv4Range string IPv6Range string IPv4ServiceRange string IPv6ServiceRange string K8sAPIServer string K8sKubeConfigPath string K8sClientBurst int K8sClientQPSLimit float64 K8sSyncTimeout time.Duration K8sWatcherEndpointSelector string KVStore string KVStoreOpt map[string]string LabelPrefixFile string Labels []string LogDriver []string LogOpt map[string]string Logstash bool LogSystemLoadConfig bool NAT46Range string // Masquerade specifies whether or not to masquerade packets from endpoints // leaving the host. Masquerade bool EnableBPFMasquerade bool EnableBPFClockProbe bool EnableIPMasqAgent bool IPMasqAgentConfigPath string InstallIptRules bool MonitorAggregation string PreAllocateMaps bool IPv6NodeAddr string IPv4NodeAddr string SidecarIstioProxyImage string SocketPath string TracePayloadlen int Version string PProf bool PrometheusServeAddr string ToFQDNsMinTTL int // ToFQDNsProxyPort is the user-configured global, shared, DNS listen port used // by the DNS Proxy. Both UDP and TCP are handled on the same port. When it // is 0 a random port will be assigned, and can be obtained from // DefaultDNSProxy below. ToFQDNsProxyPort int // ToFQDNsEnablePoller enables the DNS poller that polls toFQDNs.matchName ToFQDNsEnablePoller bool // ToFQDNsEnablePollerEvents controls sending a monitor event for each DNS // response the DNS poller sees ToFQDNsEnablePollerEvents bool // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain // for each FQDN name in an endpoint's FQDN cache ToFQDNsMaxIPsPerHost int // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to retain for // expired DNS lookups with still-active connections ToFQDNsMaxDeferredConnectionDeletes int // FQDNRejectResponse is the dns-proxy response for invalid dns-proxy request FQDNRejectResponse string // FQDNProxyResponseMaxDelay The maximum time the DNS proxy holds an allowed // DNS response before sending it along. Responses are sent as soon as the // datapath is updated with the new IP information. FQDNProxyResponseMaxDelay time.Duration // Path to a file with DNS cache data to preload on startup ToFQDNsPreCache string // ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to // endpoints that are larger than 512 Bytes or the EDNS0 option, if present. ToFQDNsEnableDNSCompression bool // HostDevice will be device used by Cilium to connect to the outside world. HostDevice string // FlannelMasterDevice installs a BPF program in the given interface // to allow for policy enforcement mode on top of flannel. FlannelMasterDevice string // FlannelUninstallOnExit removes the BPF programs that were installed by // Cilium on all interfaces created by the flannel. FlannelUninstallOnExit bool // EnableXTSocketFallback allows disabling of kernel's ip_early_demux // sysctl option if `xt_socket` kernel module is not available. EnableXTSocketFallback bool // EnableAutoDirectRouting enables installation of direct routes to // other nodes when available EnableAutoDirectRouting bool // EnableLocalNodeRoute controls installation of the route which points // the allocation prefix of the local node. EnableLocalNodeRoute bool // EnableHealthChecking enables health checking between nodes and // health endpoints EnableHealthChecking bool // EnableEndpointHealthChecking enables health checking between virtual // health endpoints EnableEndpointHealthChecking bool // EnableHealthCheckNodePort enables health checking of NodePort by // cilium EnableHealthCheckNodePort bool // KVstoreKeepAliveInterval is the interval in which the lease is being // renewed. This must be set to a value lesser than the LeaseTTL ideally // by a factor of 3. KVstoreKeepAliveInterval time.Duration // KVstoreLeaseTTL is the time-to-live for kvstore lease. KVstoreLeaseTTL time.Duration // KVstorePeriodicSync is the time interval in which periodic // synchronization with the kvstore occurs KVstorePeriodicSync time.Duration // KVstoreConnectivityTimeout is the timeout when performing kvstore operations KVstoreConnectivityTimeout time.Duration // IPAllocationTimeout is the timeout when allocating CIDRs IPAllocationTimeout time.Duration // IdentityChangeGracePeriod is the grace period that needs to pass // before an endpoint that has changed its identity will start using // that new identity. During the grace period, the new identity has // already been allocated and other nodes in the cluster have a chance // to whitelist the new upcoming identity of the endpoint. IdentityChangeGracePeriod time.Duration // PolicyQueueSize is the size of the queues for the policy repository. // A larger queue means that more events related to policy can be buffered. PolicyQueueSize int // EndpointQueueSize is the size of the EventQueue per-endpoint. A larger // queue means that more events can be buffered per-endpoint. This is useful // in the case where a cluster might be under high load for endpoint-related // events, specifically those which cause many regenerations. EndpointQueueSize int // SelectiveRegeneration, when true, enables the functionality to only // regenerate endpoints which are selected by the policy rules that have // been changed (added, deleted, or updated). If false, then all endpoints // are regenerated upon every policy change regardless of the scope of the // policy change. SelectiveRegeneration bool // ConntrackGCInterval is the connection tracking garbage collection // interval ConntrackGCInterval time.Duration // K8sEventHandover enables use of the kvstore to optimize Kubernetes // event handling by listening for k8s events in the operator and // mirroring it into the kvstore for reduced overhead in large // clusters. K8sEventHandover bool // MetricsConfig is the configuration set in metrics MetricsConfig metrics.Configuration // LoopbackIPv4 is the address to use for service loopback SNAT LoopbackIPv4 string // EndpointInterfaceNamePrefix is the prefix name of the interface // names shared by all endpoints EndpointInterfaceNamePrefix string // BlacklistConflictingRoutes removes all IPs from the IPAM block if a // local route not owned by Cilium conflicts with it BlacklistConflictingRoutes bool // ForceLocalPolicyEvalAtSource forces a policy decision at the source // endpoint for all local communication ForceLocalPolicyEvalAtSource bool // SkipCRDCreation disables creation of the CustomResourceDefinition // on daemon startup SkipCRDCreation bool // EnableEndpointRoutes enables use of per endpoint routes EnableEndpointRoutes bool // Specifies wheather to annotate the kubernetes nodes or not AnnotateK8sNode bool // RunMonitorAgent indicates whether to run the monitor agent RunMonitorAgent bool // ReadCNIConfiguration reads the CNI configuration file and extracts // Cilium relevant information. This can be used to pass per node // configuration to Cilium. ReadCNIConfiguration string // WriteCNIConfigurationWhenReady writes the CNI configuration to the // specified location once the agent is ready to serve requests. This // allows to keep a Kubernetes node NotReady until Cilium is up and // running and able to schedule endpoints. WriteCNIConfigurationWhenReady string // EnableNodePort enables k8s NodePort service implementation in BPF EnableNodePort bool // EnableSVCSourceRangeCheck enables check of loadBalancerSourceRanges EnableSVCSourceRangeCheck bool // EnableHostPort enables k8s Pod's hostPort mapping through BPF EnableHostPort bool // NodePortMode indicates in which mode NodePort implementation should run // ("snat", "dsr" or "hybrid") NodePortMode string // NodePortAcceleration indicates whether NodePort should be accelerated // via XDP ("none", "generic" or "native") NodePortAcceleration string // NodePortHairpin indicates whether the setup is a one-legged LB NodePortHairpin bool // NodePortBindProtection rejects bind requests to NodePort service ports NodePortBindProtection bool // EnableAutoProtectNodePortRange enables appending NodePort range to // net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port // range (net.ipv4.ip_local_port_range) EnableAutoProtectNodePortRange bool // KubeProxyReplacement controls how to enable kube-proxy replacement // features in BPF datapath KubeProxyReplacement string // EnableExternalIPs enables implementation of k8s services with externalIPs in datapath EnableExternalIPs bool // EnableHostFirewall enables network policies for the host EnableHostFirewall bool // K8sEnableEndpointSlice enables k8s endpoint slice feature that is used // in kubernetes. K8sEnableK8sEndpointSlice bool // NodePortMin is the minimum port address for the NodePort range NodePortMin int // NodePortMax is the maximum port address for the NodePort range NodePortMax int // EnableSessionAffinity enables a support for service sessionAffinity EnableSessionAffinity bool // Selection of BPF main clock source (ktime vs jiffies) ClockSource BPFClockSource // EnableIdentityMark enables setting the mark field with the identity for // local traffic. This may be disabled if chaining modes and Cilium use // conflicting marks. EnableIdentityMark bool // KernelHz is the HZ rate the kernel is operating in KernelHz int // IPv4PodSubnets available subnets to be assign IPv4 addresses to pods from IPv4PodSubnets []*net.IPNet // IPv6PodSubnets available subnets to be assign IPv6 addresses to pods from IPv6PodSubnets []*net.IPNet // IPAM is the IPAM method to use IPAM string // AutoCreateCiliumNodeResource enables automatic creation of a // CiliumNode resource for the local node AutoCreateCiliumNodeResource bool // EgressMasqueradeInterfaces is the selector used to select interfaces // subject to egress masquerading EgressMasqueradeInterfaces string // PolicyTriggerInterval is the amount of time between when policy updates // are triggered. PolicyTriggerInterval time.Duration // IdentityAllocationMode specifies what mode to use for identity // allocation IdentityAllocationMode string // DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP // CRD. DisableCNPStatusUpdates bool // AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in // the network policy for cilium-agent. AllowICMPFragNeeded bool // EnableWellKnownIdentities enables the use of well-known identities. // This is requires if identiy resolution is required to bring up the // control plane, e.g. when using the managed etcd feature EnableWellKnownIdentities bool // CertsDirectory is the root directory to be used by cilium to find // certificates locally. CertDirectory string // EnableRemoteNodeIdentity enables use of the remote-node identity EnableRemoteNodeIdentity bool // PolicyAuditMode enables non-drop mode for installed policies. In // audit mode packets affected by policies will not be dropped. // Policy related decisions can be checked via the poicy verdict messages. PolicyAuditMode bool // EnableHubble specifies whether to enable the hubble server. EnableHubble bool // HubbleSocketPath specifies the UNIX domain socket for Hubble server to listen to. HubbleSocketPath string // HubbleListenAddress specifies address for Hubble to listen to. HubbleListenAddress string // HubbleFlowBufferSize specifies the maximum number of flows in Hubble's buffer. HubbleFlowBufferSize int // HubbleEventQueueSize specifies the buffer size of the channel to receive monitor events. HubbleEventQueueSize int // HubbleMetricsServer specifies the addresses to serve Hubble metrics on. HubbleMetricsServer string // HubbleMetrics specifies enabled metrics and their configuration options. HubbleMetrics []string // K8sHeartbeatTimeout configures the timeout for apiserver heartbeat K8sHeartbeatTimeout time.Duration // EndpointStatus enables population of information in the // CiliumEndpoint.Status resource EndpointStatus map[string]struct{} // DisableIptablesFeederRules specifies which chains will be excluded // when installing the feeder rules DisableIptablesFeederRules []string // EnableIPv4FragmentsTracking enables IPv4 fragments tracking for // L4-based lookups. Needs LRU map support. EnableIPv4FragmentsTracking bool // FragmentsMapEntries is the maximum number of fragmented datagrams // that can simultaneously be tracked in order to retrieve their L4 // ports for all fragments. FragmentsMapEntries int // contains filtered or unexported fields }
DaemonConfig is the configuration used by Daemon.
func (*DaemonConfig) AlwaysAllowLocalhost ¶ added in v0.15.7
func (c *DaemonConfig) AlwaysAllowLocalhost() bool
AlwaysAllowLocalhost returns true if the daemon has the option set that localhost can always reach local endpoints
func (*DaemonConfig) BlacklistConflictingRoutesEnabled ¶ added in v1.8.0
func (c *DaemonConfig) BlacklistConflictingRoutesEnabled() bool
BlacklistConflictingRoutesEnabled returns true when blacklisting of conflicting routes is enabled
func (*DaemonConfig) CiliumNamespaceName ¶ added in v0.15.7
func (c *DaemonConfig) CiliumNamespaceName() string
CiliumNamespaceName returns the name of the namespace in which Cilium is deployed in
func (*DaemonConfig) EnableK8sLeasesFallbackDiscovery ¶ added in v1.7.8
func (c *DaemonConfig) EnableK8sLeasesFallbackDiscovery()
EnableK8sLeasesFallbackDiscovery enables using direct API probing as a fallback to check for the support of Leases when discovering API groups is not possible.
func (*DaemonConfig) EndpointStatusIsEnabled ¶ added in v0.15.7
func (c *DaemonConfig) EndpointStatusIsEnabled(option string) bool
EndpointStatusIsEnabled returns true if a particular EndpointStatus* feature is enabled
func (*DaemonConfig) GetGlobalsDir ¶ added in v0.15.7
func (c *DaemonConfig) GetGlobalsDir() string
GetGlobalsDir returns the path for the globals directory.
func (*DaemonConfig) GetNodeConfigPath ¶ added in v0.15.7
func (c *DaemonConfig) GetNodeConfigPath() string
GetNodeConfigPath returns the full path of the NodeConfigFile.
func (*DaemonConfig) HealthCheckingEnabled ¶ added in v0.15.7
func (c *DaemonConfig) HealthCheckingEnabled() bool
HealthCheckingEnabled returns true if health checking is enabled
func (*DaemonConfig) IPAMMode ¶ added in v0.15.7
func (c *DaemonConfig) IPAMMode() string
IPAMMode returns the IPAM mode
func (*DaemonConfig) IPv4Enabled ¶ added in v0.15.7
func (c *DaemonConfig) IPv4Enabled() bool
IPv4Enabled returns true if IPv4 is enabled
func (*DaemonConfig) IPv4NativeRoutingCIDR ¶ added in v0.15.7
func (c *DaemonConfig) IPv4NativeRoutingCIDR() (cidr *cidr.CIDR)
IPv4NativeRoutingCIDR returns the native routing CIDR if configured
func (*DaemonConfig) IPv6Enabled ¶ added in v0.15.7
func (c *DaemonConfig) IPv6Enabled() bool
IPv6Enabled returns true if IPv6 is enabled
func (*DaemonConfig) IsExcludedLocalAddress ¶ added in v0.15.7
func (c *DaemonConfig) IsExcludedLocalAddress(ip net.IP) bool
IsExcludedLocalAddress returns true if the specified IP matches one of the excluded local IP ranges
func (*DaemonConfig) IsFlannelMasterDeviceSet ¶ added in v1.5.0
func (c *DaemonConfig) IsFlannelMasterDeviceSet() bool
IsFlannelMasterDeviceSet returns if the flannel master device is set.
func (*DaemonConfig) IsPodSubnetsDefined ¶ added in v0.15.7
func (c *DaemonConfig) IsPodSubnetsDefined() bool
IsPodSubnetsDefined returns true if encryption subnets should be configured at init time.
func (*DaemonConfig) K8sAPIDiscoveryEnabled ¶ added in v1.7.4
func (c *DaemonConfig) K8sAPIDiscoveryEnabled() bool
K8sAPIDiscoveryEnabled returns true if API discovery of API groups and resources is enabled
func (*DaemonConfig) K8sLeasesFallbackDiscoveryEnabled ¶ added in v1.7.8
func (c *DaemonConfig) K8sLeasesFallbackDiscoveryEnabled() bool
K8sLeasesFallbackDiscoveryEnabled returns true if we should fallback to direct API probing when checking for support of Leases in case Discovery API fails to discover required groups.
func (*DaemonConfig) LocalClusterName ¶ added in v0.15.7
func (c *DaemonConfig) LocalClusterName() string
LocalClusterName returns the name of the cluster Cilium is deployed in
func (*DaemonConfig) NodeEncryptionEnabled ¶ added in v0.15.7
func (c *DaemonConfig) NodeEncryptionEnabled() bool
NodeEncryptionEnabled returns true if node encryption is enabled
func (*DaemonConfig) Populate ¶ added in v0.15.7
func (c *DaemonConfig) Populate()
Populate sets all options with the values from viper
func (*DaemonConfig) RemoteNodeIdentitiesEnabled ¶ added in v0.15.7
func (c *DaemonConfig) RemoteNodeIdentitiesEnabled() bool
RemoteNodeIdentitiesEnabled returns true if the remote-node identity feature is enabled
func (*DaemonConfig) SetIPv4NativeRoutingCIDR ¶ added in v0.15.7
func (c *DaemonConfig) SetIPv4NativeRoutingCIDR(cidr *cidr.CIDR)
SetIPv4NativeRoutingCIDR sets the native routing CIDR
func (*DaemonConfig) SetMapElementSizes ¶ added in v0.15.7
func (c *DaemonConfig) SetMapElementSizes( sizeofCTElement, sizeofNATElement, sizeofNeighElement, sizeofSockRevElement int)
SetMapElementSizes sets the BPF map element sizes (key + value) used for dynamic BPF map size calculations in calculateDynamicBPFMapSizes.
func (*DaemonConfig) TracingEnabled ¶ added in v0.15.7
func (c *DaemonConfig) TracingEnabled() bool
TracingEnabled returns if tracing policy (outlining which rules apply to a specific set of labels) is enabled.
func (*DaemonConfig) Validate ¶ added in v0.15.7
func (c *DaemonConfig) Validate() error
Validate validates the daemon configuration
type FlagsSection ¶ added in v1.8.0
type FormatFunc ¶ added in v0.15.7
type FormatFunc func(value OptionSetting) string
FormatFunc formats the specified value as textual representation option.
type IntOptions ¶ added in v0.15.7
type IntOptions struct { Opts OptionMap `json:"map"` Library *OptionLibrary `json:"-"` // contains filtered or unexported fields }
IntOptions member functions with external access do not require locking by the caller, while functions with internal access presume the caller to have taken care of any locking needed.
func NewIntOptions ¶ added in v0.15.7
func NewIntOptions(lib *OptionLibrary) *IntOptions
func (*IntOptions) ApplyValidated ¶ added in v0.15.7
func (o *IntOptions) ApplyValidated(n OptionMap, changed ChangedFunc, data interface{}) int
ApplyValidated takes a configuration map and applies the changes. For an option which is changed, the `ChangedFunc` function is called with the `data` argument passed in as well. Returns the number of options changed if any.
The caller is expected to have validated the configuration options prior to calling this function.
func (*IntOptions) DeepCopy ¶ added in v0.15.7
func (o *IntOptions) DeepCopy() *IntOptions
func (*IntOptions) Delete ¶ added in v0.15.7
func (o *IntOptions) Delete(key string)
func (*IntOptions) Dump ¶ added in v0.15.7
func (o *IntOptions) Dump()
func (*IntOptions) GetFmtList ¶ added in v0.15.7
func (o *IntOptions) GetFmtList() string
func (*IntOptions) GetImmutableModel ¶ added in v0.15.7
func (o *IntOptions) GetImmutableModel() *models.ConfigurationMap
GetImmutableModel returns the set of immutable options as a ConfigurationMap API model.
func (*IntOptions) GetMutableModel ¶ added in v0.15.7
func (o *IntOptions) GetMutableModel() *models.ConfigurationMap
GetMutableModel returns the set of mutable options as a ConfigurationMap API model.
func (*IntOptions) GetValue ¶ added in v0.15.7
func (o *IntOptions) GetValue(key string) OptionSetting
func (*IntOptions) InheritDefault ¶ added in v0.15.7
func (o *IntOptions) InheritDefault(parent *IntOptions, key string)
func (*IntOptions) IsEnabled ¶ added in v0.15.7
func (o *IntOptions) IsEnabled(key string) bool
func (*IntOptions) SetBool ¶ added in v0.15.7
func (o *IntOptions) SetBool(key string, value bool)
SetBool sets the specified option to Enabled.
func (*IntOptions) SetIfUnset ¶ added in v0.15.7
func (o *IntOptions) SetIfUnset(key string, value OptionSetting)
func (*IntOptions) SetValidated ¶ added in v0.15.7
func (o *IntOptions) SetValidated(key string, value OptionSetting)
SetValidated sets the option `key` to the specified value. The caller is expected to have validated the input to this function.
func (*IntOptions) Validate ¶ added in v0.15.7
func (o *IntOptions) Validate(n models.ConfigurationMap) error
Validate validates a given configuration map based on the option library
type IpvlanConfig ¶ added in v1.5.0
IpvlanConfig is the configuration used by Daemon when in ipvlan mode.
type MapOptions ¶ added in v0.10.0
type MapOptions struct {
// contains filtered or unexported fields
}
MapOptions holds a map of values and a validation function.
func NewMapOpts ¶ added in v0.10.0
func NewMapOpts(values map[string]string, validator Validator) *MapOptions
NewMapOpts creates a new MapOpts with the specified map of values and an optional validator.
func (*MapOptions) Set ¶ added in v0.10.0
func (opts *MapOptions) Set(value string) error
Set validates, if needed, the input value and adds it to the internal map, by splitting on '='.
func (*MapOptions) String ¶ added in v0.10.0
func (opts *MapOptions) String() string
func (*MapOptions) Type ¶ added in v0.10.0
func (opts *MapOptions) Type() string
Type returns a string name for this Option type
type MonitorAggregationLevel ¶ added in v0.15.7
type MonitorAggregationLevel OptionSetting
MonitorAggregationLevel represents a level of aggregation for monitor events from the datapath. Low values represent no aggregation, that is, to increase the number of events emitted from the datapath; Higher values represent more aggregation, to minimize the number of events emitted from the datapath.
The MonitorAggregationLevel does not affect the Debug option in the daemon or endpoint, so debug notifications will continue uninhibited by this setting.
type NamedMapOptions ¶ added in v0.10.0
type NamedMapOptions struct { MapOptions // contains filtered or unexported fields }
NamedMapOptions is a MapOptions struct with a configuration name. This struct is useful to keep reference to the assigned field name in the internal configuration struct.
func NewNamedMapOptions ¶ added in v0.10.0
func NewNamedMapOptions(name string, values *map[string]string, validator Validator) *NamedMapOptions
NewNamedMapOptions creates a reference to a new NamedMapOpts struct.
type Option ¶
type Option struct { // Define is the name of the #define used for BPF programs Define string // Description is a short human readable description Description string // Immutable marks an option which is read-only Immutable bool // Requires is a list of required options, such options will be // automatically enabled as required. Requires []string // Parse is called to parse the option. If not specified, defaults to // NormalizeBool(). Parse ParseFunc // FormatFunc is called to format the value for an option. If not // specified, defaults to formatting 0 as "Disabled" and other values // as "Enabled". Format FormatFunc // Verify is called prior to applying the option Verify VerifyFunc }
Option is the structure used to specify the semantics of a configurable boolean option
func (Option) RequiresOption ¶
RequiresOption returns true if the option requires the specified option `name`.
type OptionLibrary ¶
func GetEndpointMutableOptionLibrary ¶ added in v0.15.7
func GetEndpointMutableOptionLibrary() OptionLibrary
func (OptionLibrary) Define ¶
func (l OptionLibrary) Define(name string) string
func (*OptionLibrary) ValidateConfigurationMap ¶ added in v0.15.7
func (l *OptionLibrary) ValidateConfigurationMap(n models.ConfigurationMap) (OptionMap, error)
ValidateConfigurationMap validates a given configuration map based on the option library
type OptionMap ¶
type OptionMap map[string]OptionSetting
type OptionSetting ¶ added in v0.15.7
type OptionSetting int
OptionSetting specifies the different choices each Option has.
const ( // MonitorAggregationLevelNone represents no aggregation in the // datapath; all packets will be monitored. MonitorAggregationLevelNone OptionSetting = 0 // MonitorAggregationLevelLow represents aggregation of monitor events // to emit a maximum of one trace event per packet. Trace events when // packets are received are disabled. MonitorAggregationLevelLowest OptionSetting = 1 // MonitorAggregationLevelLow is the same as // MonitorAggregationLevelLowest, but may aggregate additional traffic // in future. MonitorAggregationLevelLow OptionSetting = 2 // MonitorAggregationLevelMedium represents aggregation of monitor // events to only emit notifications periodically for each connection // unless there is new information (eg, a TCP connection is closed). MonitorAggregationLevelMedium OptionSetting = 3 // MonitorAggregationLevelMax is the maximum level of aggregation // currently supported. MonitorAggregationLevelMax OptionSetting = 4 )
const ( OptionDisabled OptionSetting = iota OptionEnabled )
func NormalizeBool ¶
func NormalizeBool(value string) (OptionSetting, error)
func ParseDaemonOption ¶ added in v0.15.7
func ParseDaemonOption(opt string) (string, OptionSetting, error)
ParseDaemonOption parses a string as daemon option
func ParseKeyValue ¶ added in v0.15.7
func ParseKeyValue(lib *OptionLibrary, arg, value string) (string, OptionSetting, error)
func ParseMonitorAggregationLevel ¶ added in v0.15.7
func ParseMonitorAggregationLevel(value string) (OptionSetting, error)
ParseMonitorAggregationLevel turns a string into a monitor aggregation level. The string may contain an integer value or a string representation of a particular monitor aggregation level.
func ParseOption ¶
func ParseOption(arg string, lib *OptionLibrary) (string, OptionSetting, error)
type ParseFunc ¶ added in v0.15.7
type ParseFunc func(value string) (OptionSetting, error)
ParseFunc parses the option value and may return an error if the option cannot be parsed or applied.
type VerifyFunc ¶
VerifyFunc validates option key with value and may return an error if the option should not be applied