Documentation ¶
Index ¶
- Constants
- Variables
- func BindEnv(vp *viper.Viper, optName string)
- func BindEnvWithLegacyEnvFallback(vp *viper.Viper, optName, legacyEnvName string)
- func EndpointStatusValues() []string
- func EndpointStatusValuesMap() (values map[string]struct{})
- func FormatMonitorAggregationLevel(level OptionSetting) string
- func GetTunnelModes() string
- func InitConfig(cmd *cobra.Command, programName, configName string, vp *viper.Viper) func()
- func LogRegisteredOptions(vp *viper.Viper, entry *logrus.Entry)
- func MergeConfig(vp *viper.Viper, m map[string]interface{}) error
- func MightAutoDetectDevices() bool
- func ReadDirConfig(dirName string) (map[string]interface{}, error)
- func ReplaceDeprecatedFields(m map[string]interface{})
- func StoreViperInFile(dir string) error
- func VerifyMonitorAggregationLevel(key, value string) error
- type BPFClockSource
- type BPFEventBufferConfig
- type BPFEventBufferConfigs
- type ChangedFunc
- type DaemonConfig
- func (c *DaemonConfig) AgentNotReadyNodeTaintValue() string
- func (c *DaemonConfig) AlwaysAllowLocalhost() bool
- func (c *DaemonConfig) AppendDevice(dev string)
- func (c *DaemonConfig) AreDevicesRequired() bool
- func (c *DaemonConfig) BGPControlPlaneEnabled() bool
- func (c *DaemonConfig) CiliumNamespaceName() string
- func (c *DaemonConfig) DirectRoutingDeviceRequired() bool
- func (c *DaemonConfig) EncryptionEnabled() bool
- func (c *DaemonConfig) EndpointStatusIsEnabled(option string) bool
- func (c *DaemonConfig) GetDevices() []string
- func (d *DaemonConfig) GetEventBufferConfig(name string) BPFEventBufferConfig
- func (c *DaemonConfig) GetGlobalsDir() string
- func (c *DaemonConfig) GetIPv4NativeRoutingCIDR() (cidr *cidr.CIDR)
- func (c *DaemonConfig) GetIPv6NativeRoutingCIDR() (cidr *cidr.CIDR)
- func (c *DaemonConfig) GetNodeConfigPath() string
- func (c *DaemonConfig) HealthCheckingEnabled() bool
- func (c *DaemonConfig) IPAMMode() string
- func (c *DaemonConfig) IPv4Enabled() bool
- func (c *DaemonConfig) IPv6Enabled() bool
- func (c *DaemonConfig) IPv6NDPEnabled() bool
- func (c *DaemonConfig) IptablesMasqueradingEnabled() bool
- func (c *DaemonConfig) IptablesMasqueradingIPv4Enabled() bool
- func (c *DaemonConfig) IptablesMasqueradingIPv6Enabled() bool
- func (c *DaemonConfig) IsExcludedLocalAddress(ip net.IP) bool
- func (c *DaemonConfig) IsPodSubnetsDefined() bool
- func (c *DaemonConfig) K8sGatewayAPIEnabled() bool
- func (c *DaemonConfig) K8sIngressControllerEnabled() bool
- func (c *DaemonConfig) K8sNetworkPolicyEnabled() bool
- func (c *DaemonConfig) K8sServiceProxyNameValue() string
- func (c *DaemonConfig) KubeProxyReplacementFullyEnabled() bool
- func (c *DaemonConfig) LocalClusterID() uint32
- func (c *DaemonConfig) LocalClusterName() string
- func (c *DaemonConfig) MasqueradingEnabled() bool
- func (c *DaemonConfig) NodeEncryptionEnabled() bool
- func (c *DaemonConfig) NodeIpsetNeeded() bool
- func (c *DaemonConfig) Populate(vp *viper.Viper)
- func (c *DaemonConfig) RemoteNodeIdentitiesEnabled() bool
- func (c *DaemonConfig) SCTPEnabled() bool
- func (c *DaemonConfig) SetDevices(devices []string)
- func (c *DaemonConfig) SetIPv4NativeRoutingCIDR(cidr *cidr.CIDR)
- func (c *DaemonConfig) SetIPv6NativeRoutingCIDR(cidr *cidr.CIDR)
- func (c *DaemonConfig) SetMapElementSizes(...)
- func (c *DaemonConfig) StoreInFile(dir string) error
- func (c *DaemonConfig) TracingEnabled() bool
- func (c *DaemonConfig) TunnelDevice() string
- func (c *DaemonConfig) TunnelExists() bool
- func (c *DaemonConfig) TunnelingEnabled() bool
- func (c *DaemonConfig) UnreachableRoutesEnabled() bool
- func (c *DaemonConfig) Validate(vp *viper.Viper) error
- type FormatFunc
- type IntOptions
- func (o *IntOptions) ApplyValidated(n OptionMap, changed ChangedFunc, data interface{}) int
- func (o *IntOptions) DeepCopy() *IntOptions
- func (o *IntOptions) Delete(key string)
- func (o *IntOptions) Dump()
- func (o *IntOptions) GetFmtList() string
- func (o *IntOptions) GetImmutableModel() *models.ConfigurationMap
- func (o *IntOptions) GetMutableModel() *models.ConfigurationMap
- func (o *IntOptions) GetValue(key string) OptionSetting
- func (o *IntOptions) InheritDefault(parent *IntOptions, key string)
- func (o *IntOptions) IsEnabled(key string) bool
- func (o *IntOptions) SetBool(key string, value bool)
- func (o *IntOptions) SetIfUnset(key string, value OptionSetting)
- func (o *IntOptions) SetValidated(key string, value OptionSetting)
- func (o *IntOptions) Validate(n models.ConfigurationMap) error
- type MapOptions
- type MonitorAggregationLevel
- type NamedMapOptions
- type Option
- type OptionLibrary
- type OptionMap
- type OptionSetting
- func NormalizeBool(value string) (OptionSetting, error)
- func ParseDaemonOption(opt string) (string, OptionSetting, error)
- func ParseKeyValue(lib *OptionLibrary, arg, value string) (string, OptionSetting, error)
- func ParseMonitorAggregationLevel(value string) (OptionSetting, error)
- func ParseOption(arg string, lib *OptionLibrary) (string, OptionSetting, error)
- type ParseFunc
- type Validator
- type VerifyFunc
Constants ¶
const ( // AgentHealthPort is the TCP port for agent health status API AgentHealthPort = "agent-health-port" // ClusterHealthPort is the TCP port for cluster-wide network connectivity health API ClusterHealthPort = "cluster-health-port" // ClusterMeshHealthPort is the TCP port for ClusterMesh apiserver health API ClusterMeshHealthPort = "clustermesh-health-port" // AgentLabels are additional labels to identify this agent AgentLabels = "agent-labels" // AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in policy. AllowICMPFragNeeded = "allow-icmp-frag-needed" // AllowLocalhost is the policy when to allow local stack to reach local endpoints { auto | always | policy } AllowLocalhost = "allow-localhost" // AllowLocalhostAuto defaults to policy except when running in // Kubernetes where it then defaults to "always" AllowLocalhostAuto = "auto" // AllowLocalhostAlways always allows the local stack to reach local // endpoints AllowLocalhostAlways = "always" // AllowLocalhostPolicy requires a policy rule to allow the local stack // to reach particular endpoints or policy enforcement must be // disabled. AllowLocalhostPolicy = "policy" // AnnotateK8sNode enables annotating a kubernetes node while bootstrapping // the daemon, which can also be disbled using this option. AnnotateK8sNode = "annotate-k8s-node" // ARPPingRefreshPeriod is the ARP entries refresher period ARPPingRefreshPeriod = "arping-refresh-period" // EnableL2NeighDiscovery determines if cilium should perform L2 neighbor // discovery. EnableL2NeighDiscovery = "enable-l2-neigh-discovery" // BPFRoot is the Path to BPF filesystem BPFRoot = "bpf-root" // CGroupRoot is the path to Cgroup2 filesystem CGroupRoot = "cgroup-root" // CompilerFlags allow to specify extra compiler commands for advanced debugging CompilerFlags = "cflags" // ConfigFile is the Configuration file (default "$HOME/ciliumd.yaml") ConfigFile = "config" // ConfigDir is the directory that contains a file for each option where // the filename represents the option name and the content of that file // represents the value of that option. ConfigDir = "config-dir" // ConntrackGCInterval is the name of the ConntrackGCInterval option ConntrackGCInterval = "conntrack-gc-interval" // DebugArg is the argument enables debugging mode DebugArg = "debug" // DebugVerbose is the argument enables verbose log message for particular subsystems DebugVerbose = "debug-verbose" // Devices facing cluster/external network for attaching bpf_host Devices = "devices" // DirectRoutingDevice is the name of a device used to connect nodes in // direct routing mode (only required by BPF NodePort) DirectRoutingDevice = "direct-routing-device" // LBDevInheritIPAddr is device name which IP addr is inherited by devices // running BPF loadbalancer program LBDevInheritIPAddr = "bpf-lb-dev-ip-addr-inherit" // DisableEnvoyVersionCheck do not perform Envoy binary version check on startup DisableEnvoyVersionCheck = "disable-envoy-version-check" // EnablePolicy enables policy enforcement in the agent. EnablePolicy = "enable-policy" // EnableExternalIPs enables implementation of k8s services with externalIPs in datapath EnableExternalIPs = "enable-external-ips" // K8sEnableEndpointSlice enables the k8s EndpointSlice feature into Cilium K8sEnableEndpointSlice = "enable-k8s-endpoint-slice" // EnableL7Proxy is the name of the option to enable L7 proxy EnableL7Proxy = "enable-l7-proxy" // EnableTracing enables tracing mode in the agent. EnableTracing = "enable-tracing" // Add unreachable routes on pod deletion EnableUnreachableRoutes = "enable-unreachable-routes" // EncryptInterface enables encryption on specified interface EncryptInterface = "encrypt-interface" // EncryptNode enables node IP encryption EncryptNode = "encrypt-node" // EnvoyLog sets the path to a separate Envoy log file, if any EnvoyLog = "envoy-log" // GopsPort is the TCP port for the gops server. GopsPort = "gops-port" // ProxyPrometheusPort specifies the port to serve Cilium host proxy metrics on. ProxyPrometheusPort = "proxy-prometheus-port" // ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for the proxy ProxyMaxRequestsPerConnection = "proxy-max-requests-per-connection" // ProxyMaxConnectionDuration specifies the max_connection_duration setting for the proxy in seconds ProxyMaxConnectionDuration = "proxy-max-connection-duration-seconds" // FixedIdentityMapping is the key-value for the fixed identity mapping // which allows to use reserved label for fixed identities FixedIdentityMapping = "fixed-identity-mapping" // IPv4Range is the per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 IPv4Range = "ipv4-range" // IPv6Range is the per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96 IPv6Range = "ipv6-range" // IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside cluster prefix IPv4ServiceRange = "ipv4-service-range" // IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside cluster prefix IPv6ServiceRange = "ipv6-service-range" // IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option IPv6ClusterAllocCIDRName = "ipv6-cluster-alloc-cidr" // K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option K8sRequireIPv4PodCIDRName = "k8s-require-ipv4-pod-cidr" // K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr" // K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium // should watch for. K8sWatcherEndpointSelector = "k8s-watcher-endpoint-selector" // K8sAPIServer is the kubernetes api address server (for https use --k8s-kubeconfig-path instead) K8sAPIServer = "k8s-api-server" // K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file K8sKubeConfigPath = "k8s-kubeconfig-path" // K8sServiceCacheSize is service cache size for cilium k8s package. K8sServiceCacheSize = "k8s-service-cache-size" // K8sSyncTimeout is the timeout since last event was received to synchronize all resources with k8s. K8sSyncTimeoutName = "k8s-sync-timeout" // AllocatorListTimeout is the timeout to list initial allocator state. AllocatorListTimeoutName = "allocator-list-timeout" // KeepConfig when restoring state, keeps containers' configuration in place KeepConfig = "keep-config" // KVStore key-value store type KVStore = "kvstore" // KVStoreOpt key-value store options KVStoreOpt = "kvstore-opt" // Labels is the list of label prefixes used to determine identity of an endpoint Labels = "labels" // LabelPrefixFile is the valid label prefixes file path LabelPrefixFile = "label-prefix-file" // EnableHostFirewall enables network policies for the host EnableHostFirewall = "enable-host-firewall" // EnableHostPort enables HostPort forwarding implemented by Cilium in BPF EnableHostPort = "enable-host-port" // EnableHostLegacyRouting enables the old routing path via stack. EnableHostLegacyRouting = "enable-host-legacy-routing" // EnableNodePort enables NodePort services implemented by Cilium in BPF EnableNodePort = "enable-node-port" // EnableSVCSourceRangeCheck enables check of service source range checks EnableSVCSourceRangeCheck = "enable-svc-source-range-check" // NodePortMode indicates in which mode NodePort implementation should run // ("snat", "dsr" or "hybrid") NodePortMode = "node-port-mode" // NodePortAlg indicates which algorithm is used for backend selection // ("random" or "maglev") NodePortAlg = "node-port-algorithm" // NodePortAcceleration indicates whether NodePort should be accelerated // via XDP ("none", "generic" or "native") NodePortAcceleration = "node-port-acceleration" // Alias to NodePortMode LoadBalancerMode = "bpf-lb-mode" // Alias to DSR dispatch method LoadBalancerDSRDispatch = "bpf-lb-dsr-dispatch" // Alias to DSR L4 translation method LoadBalancerDSRL4Xlate = "bpf-lb-dsr-l4-xlate" // Alias to DSR/IPIP IPv4 source CIDR LoadBalancerRSSv4CIDR = "bpf-lb-rss-ipv4-src-cidr" // Alias to DSR/IPIP IPv6 source CIDR LoadBalancerRSSv6CIDR = "bpf-lb-rss-ipv6-src-cidr" // Alias to NodePortAlg LoadBalancerAlg = "bpf-lb-algorithm" // Alias to NodePortAcceleration LoadBalancerAcceleration = "bpf-lb-acceleration" // MaglevTableSize determines the size of the backend table per service MaglevTableSize = "bpf-lb-maglev-table-size" // MaglevHashSeed contains the cluster-wide seed for the hash MaglevHashSeed = "bpf-lb-maglev-hash-seed" // NodePortBindProtection rejects bind requests to NodePort service ports NodePortBindProtection = "node-port-bind-protection" // NodePortRange defines a custom range where to look up NodePort services NodePortRange = "node-port-range" // EnableAutoProtectNodePortRange enables appending NodePort range to // net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port // range (net.ipv4.ip_local_port_range) EnableAutoProtectNodePortRange = "enable-auto-protect-node-port-range" // KubeProxyReplacement controls how to enable kube-proxy replacement // features in BPF datapath KubeProxyReplacement = "kube-proxy-replacement" // EnableSessionAffinity enables a support for service sessionAffinity EnableSessionAffinity = "enable-session-affinity" EnableServiceTopology = "enable-service-topology" // EnableIdentityMark enables setting the mark field with the identity for // local traffic. This may be disabled if chaining modes and Cilium use // conflicting marks. EnableIdentityMark = "enable-identity-mark" // AddressScopeMax controls the maximum address scope for addresses to be // considered local ones with HOST_ID in the ipcache AddressScopeMax = "local-max-addr-scope" // EnableBandwidthManager enables EDT-based pacing EnableBandwidthManager = "enable-bandwidth-manager" // EnableBBR enables BBR TCP congestion control for the node including Pods EnableBBR = "enable-bbr" // EnableRecorder enables the datapath pcap recorder EnableRecorder = "enable-recorder" // EnableLocalRedirectPolicy enables support for local redirect policy EnableLocalRedirectPolicy = "enable-local-redirect-policy" // EnableMKE enables MKE specific 'chaining' for kube-proxy replacement EnableMKE = "enable-mke" // CgroupPathMKE points to the cgroupv1 net_cls mount instance CgroupPathMKE = "mke-cgroup-mount" // LibDir enables the directory path to store runtime build environment LibDir = "lib-dir" // LogDriver sets logging endpoints to use for example syslog, fluentd LogDriver = "log-driver" // LogOpt sets log driver options for cilium LogOpt = "log-opt" // Logstash enables logstash integration Logstash = "logstash" // EnableIPv4Masquerade masquerades IPv4 packets from endpoints leaving the host. EnableIPv4Masquerade = "enable-ipv4-masquerade" // EnableIPv6Masquerade masquerades IPv6 packets from endpoints leaving the host. EnableIPv6Masquerade = "enable-ipv6-masquerade" // EnableIPv6BIGTCP enables IPv6 BIG TCP (larger GSO/GRO limits) for the node including pods. EnableIPv6BIGTCP = "enable-ipv6-big-tcp" // EnableBPFClockProbe selects a more efficient source clock (jiffies vs ktime) EnableBPFClockProbe = "enable-bpf-clock-probe" // EnableBPFMasquerade masquerades packets from endpoints leaving the host with BPF instead of iptables EnableBPFMasquerade = "enable-bpf-masquerade" // DeriveMasqIPAddrFromDevice is device name which IP addr is used for BPF masquerades DeriveMasqIPAddrFromDevice = "derive-masquerade-ip-addr-from-device" // EnableIPMasqAgent enables BPF ip-masq-agent EnableIPMasqAgent = "enable-ip-masq-agent" // EnableIPv4EgressGateway enables the IPv4 egress gateway EnableIPv4EgressGateway = "enable-ipv4-egress-gateway" // InstallEgressGatewayRoutes installs IP rules and routes required to steer traffic to the correct network interface InstallEgressGatewayRoutes = "install-egress-gateway-routes" // EnableIngressController enables Ingress Controller EnableIngressController = "enable-ingress-controller" // EnableGatewayAPI enables Gateway API support EnableGatewayAPI = "enable-gateway-api" // EnableEnvoyConfig enables processing of CiliumClusterwideEnvoyConfig and CiliumEnvoyConfig CRDs EnableEnvoyConfig = "enable-envoy-config" // EnvoyConfigTimeout determines how long to wait Envoy to N/ACK resources EnvoyConfigTimeout = "envoy-config-timeout" // IPMasqAgentConfigPath is the configuration file path IPMasqAgentConfigPath = "ip-masq-agent-config-path" // InstallIptRules sets whether Cilium should install any iptables in general InstallIptRules = "install-iptables-rules" // InstallNoConntrackIptRules instructs Cilium to install Iptables rules // to skip netfilter connection tracking on all pod traffic. InstallNoConntrackIptRules = "install-no-conntrack-iptables-rules" IPTablesLockTimeout = "iptables-lock-timeout" // IPTablesRandomFully sets iptables flag random-fully on masquerading rules IPTablesRandomFully = "iptables-random-fully" // IPv6NodeAddr is the IPv6 address of node IPv6NodeAddr = "ipv6-node" // IPv4NodeAddr is the IPv4 address of node IPv4NodeAddr = "ipv4-node" // Restore restores state, if possible, from previous daemon Restore = "restore" // SidecarIstioProxyImage regular expression matching compatible Istio sidecar istio-proxy container image names SidecarIstioProxyImage = "sidecar-istio-proxy-image" // SocketPath sets daemon's socket path to listen for connections SocketPath = "socket-path" // StateDir is the directory path to store runtime state StateDir = "state-dir" // TracePayloadlen length of payload to capture when tracing TracePayloadlen = "trace-payloadlen" // Version prints the version information Version = "version" // EnableXDPPrefilter enables XDP-based prefiltering EnableXDPPrefilter = "enable-xdp-prefilter" ProcFs = "procfs" // PrometheusServeAddr IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off) PrometheusServeAddr = "prometheus-serve-addr" // CMDRef is the path to cmdref output directory CMDRef = "cmdref" // DNSMaxIPsPerRestoredRule defines the maximum number of IPs to maintain // for each FQDN selector in endpoint's restored DNS rules DNSMaxIPsPerRestoredRule = "dns-max-ips-per-restored-rule" // DNSPolicyUnloadOnShutdown is the name of the dns-policy-unload-on-shutdown option. DNSPolicyUnloadOnShutdown = "dns-policy-unload-on-shutdown" // ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies. ToFQDNsMinTTL = "tofqdns-min-ttl" // ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. ToFQDNsProxyPort = "tofqdns-proxy-port" // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain // for each FQDN name in an endpoint's FQDN cache ToFQDNsMaxIPsPerHost = "tofqdns-endpoint-max-ip-per-hostname" // ToFQDNsMaxDeferredConnectionDeletes defines the maximum number of IPs to // retain for expired DNS lookups with still-active connections" ToFQDNsMaxDeferredConnectionDeletes = "tofqdns-max-deferred-connection-deletes" // ToFQDNsIdleConnectionGracePeriod defines the connection idle time during which // previously active connections with expired DNS lookups are still considered alive ToFQDNsIdleConnectionGracePeriod = "tofqdns-idle-connection-grace-period" // ToFQDNsPreCache is a path to a file with DNS cache data to insert into the // global cache on startup. // The file is not re-read after agent start. ToFQDNsPreCache = "tofqdns-pre-cache" // ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to // endpoints that are larger than 512 Bytes or the EDNS0 option, if present. ToFQDNsEnableDNSCompression = "tofqdns-enable-dns-compression" // DNSProxyConcurrencyLimit limits parallel processing of DNS messages in // DNS proxy at any given point in time. DNSProxyConcurrencyLimit = "dnsproxy-concurrency-limit" // DNSProxyConcurrencyProcessingGracePeriod is the amount of grace time to // wait while processing DNS messages when the DNSProxyConcurrencyLimit has // been reached. DNSProxyConcurrencyProcessingGracePeriod = "dnsproxy-concurrency-processing-grace-period" // DNSProxyLockCount is the array size containing mutexes which protect // against parallel handling of DNS response IPs. DNSProxyLockCount = "dnsproxy-lock-count" // DNSProxyLockTimeout is timeout when acquiring the locks controlled by // DNSProxyLockCount. DNSProxyLockTimeout = "dnsproxy-lock-timeout" // MTUName is the name of the MTU option MTUName = "mtu" // RouteMetric is the name of the route-metric option RouteMetric = "route-metric" // DatapathMode is the name of the DatapathMode option DatapathMode = "datapath-mode" // EnableSocketLB is the name for the option to enable the socket LB EnableSocketLB = "bpf-lb-sock" // EnableSocketLBTracing is the name for the option to enable the socket LB tracing EnableSocketLBTracing = "trace-sock" // BPFSocketLBHostnsOnly is the name of the BPFSocketLBHostnsOnly option BPFSocketLBHostnsOnly = "bpf-lb-sock-hostns-only" // TunnelName is the name of the Tunnel option TunnelName = "tunnel" // TunnelPortName is the name of the TunnelPort option TunnelPortName = "tunnel-port" // SingleClusterRouteName is the name of the SingleClusterRoute option // // SingleClusterRoute enables use of a single route covering the entire // cluster CIDR to point to the cilium_host interface instead of using // a separate route for each cluster node CIDR. This option is not // compatible with Tunnel=TunnelDisabled SingleClusterRouteName = "single-cluster-route" // MonitorAggregationName specifies the MonitorAggregationLevel on the // comandline. MonitorAggregationName = "monitor-aggregation" // MonitorAggregationInterval configures interval for monitor-aggregation MonitorAggregationInterval = "monitor-aggregation-interval" // MonitorAggregationFlags configures TCP flags used by monitor aggregation. MonitorAggregationFlags = "monitor-aggregation-flags" // ClusterName is the name of the ClusterName option ClusterName = "cluster-name" // ClusterIDName is the name of the ClusterID option ClusterIDName = "cluster-id" // ClusterMeshConfigName is the name of the ClusterMeshConfig option ClusterMeshConfigName = "clustermesh-config" // CNIChainingMode configures which CNI plugin Cilium is chained with. CNIChainingMode = "cni-chaining-mode" // AuthMapEntriesMin defines the minimum auth map limit. AuthMapEntriesMin = 1 << 8 // AuthMapEntriesMax defines the maximum auth map limit. AuthMapEntriesMax = 1 << 24 // AuthMapEntriesDefault defines the default auth map limit. AuthMapEntriesDefault = 1 << 19 // AuthMapEntriesName configures max entries for BPF auth map. AuthMapEntriesName = "bpf-auth-map-max" // CTMapEntriesGlobalTCPDefault is the default maximum number of entries // in the TCP CT table. CTMapEntriesGlobalTCPDefault = 2 << 18 // 512Ki // CTMapEntriesGlobalAnyDefault is the default maximum number of entries // in the non-TCP CT table. CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki // CTMapEntriesGlobalTCPName configures max entries for the TCP CT // table. CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max" // CTMapEntriesGlobalAnyName configures max entries for the non-TCP CT // table. CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max" // CTMapEntriesTimeout* name option and default value mappings CTMapEntriesTimeoutSYNName = "bpf-ct-timeout-regular-tcp-syn" CTMapEntriesTimeoutFINName = "bpf-ct-timeout-regular-tcp-fin" CTMapEntriesTimeoutTCPName = "bpf-ct-timeout-regular-tcp" CTMapEntriesTimeoutAnyName = "bpf-ct-timeout-regular-any" CTMapEntriesTimeoutSVCTCPName = "bpf-ct-timeout-service-tcp" CTMapEntriesTimeoutSVCTCPGraceName = "bpf-ct-timeout-service-tcp-grace" CTMapEntriesTimeoutSVCAnyName = "bpf-ct-timeout-service-any" // NATMapEntriesGlobalDefault holds the default size of the NAT map // and is 2/3 of the full CT size as a heuristic NATMapEntriesGlobalDefault = int((CTMapEntriesGlobalTCPDefault + CTMapEntriesGlobalAnyDefault) * 2 / 3) // SockRevNATMapEntriesDefault holds the default size of the SockRev NAT map // and is the same size of CTMapEntriesGlobalAnyDefault as a heuristic given // that sock rev NAT is mostly used for UDP and getpeername only. SockRevNATMapEntriesDefault = CTMapEntriesGlobalAnyDefault // MapEntriesGlobalDynamicSizeRatioName is the name of the option to // set the ratio of total system memory to use for dynamic sizing of the // CT, NAT, Neighbor and SockRevNAT BPF maps. MapEntriesGlobalDynamicSizeRatioName = "bpf-map-dynamic-size-ratio" // LimitTableAutoGlobalTCPMin defines the minimum TCP CT table limit for // dynamic size ration calculation. LimitTableAutoGlobalTCPMin = 1 << 17 // 128Ki entries // LimitTableAutoGlobalAnyMin defines the minimum UDP CT table limit for // dynamic size ration calculation. LimitTableAutoGlobalAnyMin = 1 << 16 // 64Ki entries // LimitTableAutoNatGlobalMin defines the minimum NAT limit for dynamic size // ration calculation. LimitTableAutoNatGlobalMin = 1 << 17 // 128Ki entries // LimitTableAutoSockRevNatMin defines the minimum SockRevNAT limit for // dynamic size ration calculation. LimitTableAutoSockRevNatMin = 1 << 16 // 64Ki entries // LimitTableMin defines the minimum CT or NAT table limit LimitTableMin = 1 << 10 // 1Ki entries // LimitTableMax defines the maximum CT or NAT table limit LimitTableMax = 1 << 24 // 16Mi entries (~1GiB of entries per map) // PolicyMapMin defines the minimum policy map limit. PolicyMapMin = 1 << 8 // PolicyMapMax defines the maximum policy map limit. PolicyMapMax = 1 << 16 // FragmentsMapMin defines the minimum fragments map limit. FragmentsMapMin = 1 << 8 // FragmentsMapMax defines the maximum fragments map limit. FragmentsMapMax = 1 << 16 // NATMapEntriesGlobalName configures max entries for BPF NAT table NATMapEntriesGlobalName = "bpf-nat-global-max" // NeighMapEntriesGlobalName configures max entries for BPF neighbor table NeighMapEntriesGlobalName = "bpf-neigh-global-max" // PolicyMapEntriesName configures max entries for BPF policymap. PolicyMapEntriesName = "bpf-policy-map-max" // SockRevNatEntriesName configures max entries for BPF sock reverse nat // entries. SockRevNatEntriesName = "bpf-sock-rev-map-max" // EgressGatewayPolicyMapEntriesName configures max entries for egress gateway's policy // map. EgressGatewayPolicyMapEntriesName = "egress-gateway-policy-map-max" // LogSystemLoadConfigName is the name of the option to enable system // load loggging LogSystemLoadConfigName = "log-system-load" // PrependIptablesChainsName is the name of the option to enable // prepending iptables chains instead of appending PrependIptablesChainsName = "prepend-iptables-chains" // DisableCiliumEndpointCRDName is the name of the option to disable // use of the CEP CRD DisableCiliumEndpointCRDName = "disable-endpoint-crd" // MaxCtrlIntervalName and MaxCtrlIntervalNameEnv allow configuration // of MaxControllerInterval. MaxCtrlIntervalName = "max-controller-interval" // SockopsEnableName is the name of the option to enable sockops SockopsEnableName = "sockops-enable" // K8sNamespaceName is the name of the K8sNamespace option K8sNamespaceName = "k8s-namespace" // AgentNotReadyNodeTaintKeyName is the name of the option to set // AgentNotReadyNodeTaintKey AgentNotReadyNodeTaintKeyName = "agent-not-ready-taint-key" // JoinClusterName is the name of the JoinCluster Option JoinClusterName = "join-cluster" // EnableIPv4Name is the name of the option to enable IPv4 support EnableIPv4Name = "enable-ipv4" // EnableIPv6Name is the name of the option to enable IPv6 support EnableIPv6Name = "enable-ipv6" // EnableIPv6NDPName is the name of the option to enable IPv6 NDP support EnableIPv6NDPName = "enable-ipv6-ndp" // EnableSRv6 is the name of the option to enable SRv6 encapsulation support EnableSRv6 = "enable-srv6" // SRv6EncapModeName is the name of the option to specify the SRv6 encapsulation mode SRv6EncapModeName = "srv6-encap-mode" // EnableSCTPName is the name of the option to enable SCTP support EnableSCTPName = "enable-sctp" // EnableNat46X64Gateway enables L3 based NAT46 and NAT64 gateway EnableNat46X64Gateway = "enable-nat46x64-gateway" // IPv6MCastDevice is the name of the option to select IPv6 multicast device IPv6MCastDevice = "ipv6-mcast-device" // EnableMonitor is the name of the option to enable the monitor socket EnableMonitorName = "enable-monitor" // MonitorQueueSizeName is the name of the option MonitorQueueSize MonitorQueueSizeName = "monitor-queue-size" //FQDNRejectResponseCode is the name for the option for dns-proxy reject response code FQDNRejectResponseCode = "tofqdns-dns-reject-response-code" // FQDNProxyDenyWithNameError is useful when stub resolvers, like the one // in Alpine Linux's libc (musl), treat a REFUSED as a resolution error. // This happens when trying a DNS search list, as in kubernetes, and breaks // even whitelisted DNS names. FQDNProxyDenyWithNameError = "nameError" // FQDNProxyDenyWithRefused is the response code for Domain refused. It is // the default for denied DNS requests. FQDNProxyDenyWithRefused = "refused" // FQDNProxyResponseMaxDelay is the maximum time the proxy holds back a response FQDNProxyResponseMaxDelay = "tofqdns-proxy-response-max-delay" // FQDNRegexCompileLRUSize is the size of the FQDN regex compilation LRU. // Useful for heavy but repeated FQDN MatchName or MatchPattern use. FQDNRegexCompileLRUSize = "fqdn-regex-compile-lru-size" // PreAllocateMapsName is the name of the option PreAllocateMaps PreAllocateMapsName = "preallocate-bpf-maps" // EnableBPFTProxy option supports enabling or disabling BPF TProxy. EnableBPFTProxy = "enable-bpf-tproxy" // EnableXTSocketFallbackName is the name of the EnableXTSocketFallback option EnableXTSocketFallbackName = "enable-xt-socket-fallback" // EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option EnableAutoDirectRoutingName = "auto-direct-node-routes" // EnableIPSecName is the name of the option to enable IPSec EnableIPSecName = "enable-ipsec" // IPSecKeyFileName is the name of the option for ipsec key file IPSecKeyFileName = "ipsec-key-file" // EnableWireguard is the name of the option to enable wireguard EnableWireguard = "enable-wireguard" // EnableWireguardUserspaceFallback is the name of the option that enables the fallback to wireguard userspace mode EnableWireguardUserspaceFallback = "enable-wireguard-userspace-fallback" // NodeEncryptionOptOutLabels is the name of the option for the node-to-node encryption opt-out labels NodeEncryptionOptOutLabels = "node-encryption-opt-out-labels" // KVstoreLeaseTTL is the time-to-live for lease in kvstore. KVstoreLeaseTTL = "kvstore-lease-ttl" // KVstoreMaxConsecutiveQuorumErrorsName is the maximum number of acceptable // kvstore consecutive quorum errors before the agent assumes permanent failure KVstoreMaxConsecutiveQuorumErrorsName = "kvstore-max-consecutive-quorum-errors" // KVstorePeriodicSync is the time interval in which periodic // synchronization with the kvstore occurs KVstorePeriodicSync = "kvstore-periodic-sync" // KVstoreConnectivityTimeout is the timeout when performing kvstore operations KVstoreConnectivityTimeout = "kvstore-connectivity-timeout" // IPAllocationTimeout is the timeout when allocating CIDRs IPAllocationTimeout = "ip-allocation-timeout" // IdentityChangeGracePeriod is the name of the // IdentityChangeGracePeriod option IdentityChangeGracePeriod = "identity-change-grace-period" // IdentityRestoreGracePeriod is the name of the // IdentityRestoreGracePeriod option IdentityRestoreGracePeriod = "identity-restore-grace-period" // EnableHealthChecking is the name of the EnableHealthChecking option EnableHealthChecking = "enable-health-checking" // EnableEndpointHealthChecking is the name of the EnableEndpointHealthChecking option EnableEndpointHealthChecking = "enable-endpoint-health-checking" // EnableHealthCheckNodePort is the name of the EnableHealthCheckNodePort option EnableHealthCheckNodePort = "enable-health-check-nodeport" // PolicyQueueSize is the size of the queues utilized by the policy // repository. PolicyQueueSize = "policy-queue-size" // EndpointQueueSize is the size of the EventQueue per-endpoint. EndpointQueueSize = "endpoint-queue-size" // EndpointGCInterval interval to attempt garbage collection of // endpoints that are no longer alive and healthy. EndpointGCInterval = "endpoint-gc-interval" // K8sEventHandover is the name of the K8sEventHandover option K8sEventHandover = "enable-k8s-event-handover" // Metrics represents the metrics subsystem that Cilium should expose // to prometheus. Metrics = "metrics" // LoopbackIPv4 is the address to use for service loopback SNAT LoopbackIPv4 = "ipv4-service-loopback-address" // LocalRouterIPv4 is the link-local IPv4 address to use for Cilium router device LocalRouterIPv4 = "local-router-ipv4" // LocalRouterIPv6 is the link-local IPv6 address to use for Cilium router device LocalRouterIPv6 = "local-router-ipv6" // ForceLocalPolicyEvalAtSource forces a policy decision at the source // endpoint for all local communication ForceLocalPolicyEvalAtSource = "force-local-policy-eval-at-source" // SkipCRDCreation specifies whether the CustomResourceDefinition will be // created by the daemon SkipCRDCreation = "skip-crd-creation" // EnableEndpointRoutes enables use of per endpoint routes EnableEndpointRoutes = "enable-endpoint-routes" // ExcludeLocalAddress excludes certain addresses to be recognized as a // local address ExcludeLocalAddress = "exclude-local-address" // IPv4PodSubnets A list of IPv4 subnets that pods may be // assigned from. Used with CNI chaining where IPs are not directly managed // by Cilium. IPv4PodSubnets = "ipv4-pod-subnets" // IPv6PodSubnets A list of IPv6 subnets that pods may be // assigned from. Used with CNI chaining where IPs are not directly managed // by Cilium. IPv6PodSubnets = "ipv6-pod-subnets" // IPAM is the IPAM method to use IPAM = "ipam" // XDPModeNative for loading progs with XDPModeLinkDriver XDPModeNative = "native" // XDPModeGeneric for loading progs with XDPModeLinkGeneric XDPModeGeneric = "testing-only" // XDPModeDisabled for not having XDP enabled XDPModeDisabled = "disabled" // XDPModeLinkDriver is the tc selector for native XDP XDPModeLinkDriver = "xdpdrv" // XDPModeLinkGeneric is the tc selector for generic XDP XDPModeLinkGeneric = "xdpgeneric" // XDPModeLinkNone for not having XDP enabled XDPModeLinkNone = XDPModeDisabled // K8sClientQPSLimit is the queries per second limit for the K8s client. Defaults to k8s client defaults. K8sClientQPSLimit = "k8s-client-qps" // K8sClientBurst is the burst value allowed for the K8s client. Defaults to k8s client defaults. K8sClientBurst = "k8s-client-burst" // AutoCreateCiliumNodeResource enables automatic creation of a // CiliumNode resource for the local node AutoCreateCiliumNodeResource = "auto-create-cilium-node-resource" // IPv4NativeRoutingCIDR describes a v4 CIDR in which pod IPs are routable IPv4NativeRoutingCIDR = "ipv4-native-routing-cidr" // IPv6NativeRoutingCIDR describes a v6 CIDR in which pod IPs are routable IPv6NativeRoutingCIDR = "ipv6-native-routing-cidr" // EgressMasqueradeInterfaces is the selector used to select interfaces // subject to egress masquerading EgressMasqueradeInterfaces = "egress-masquerade-interfaces" // PolicyTriggerInterval is the amount of time between triggers of policy // updates are invoked. PolicyTriggerInterval = "policy-trigger-interval" // IdentityAllocationMode specifies what mode to use for identity // allocation IdentityAllocationMode = "identity-allocation-mode" // IdentityAllocationModeKVstore enables use of a key-value store such // as etcd for identity allocation IdentityAllocationModeKVstore = "kvstore" // IdentityAllocationModeCRD enables use of Kubernetes CRDs for // identity allocation IdentityAllocationModeCRD = "crd" // DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP // CRD. DisableCNPStatusUpdates = "disable-cnp-status-updates" // EnableLocalNodeRoute controls installation of the route which points // the allocation prefix of the local node. EnableLocalNodeRoute = "enable-local-node-route" // EnableWellKnownIdentities enables the use of well-known identities. // This is requires if identiy resolution is required to bring up the // control plane, e.g. when using the managed etcd feature EnableWellKnownIdentities = "enable-well-known-identities" // EnableRemoteNodeIdentity enables use of the remote-node identity EnableRemoteNodeIdentity = "enable-remote-node-identity" // PolicyAuditModeArg argument enables policy audit mode. PolicyAuditModeArg = "policy-audit-mode" // EnableHubble enables hubble in the agent. EnableHubble = "enable-hubble" // HubbleSocketPath specifies the UNIX domain socket for Hubble server to listen to. HubbleSocketPath = "hubble-socket-path" // HubbleListenAddress specifies address for Hubble server to listen to. HubbleListenAddress = "hubble-listen-address" // HubblePreferIpv6 controls whether IPv6 or IPv4 addresses should be preferred for // communication to agents, if both are available. HubblePreferIpv6 = "hubble-prefer-ipv6" // HubbleTLSDisabled allows the Hubble server to run on the given listen // address without TLS. HubbleTLSDisabled = "hubble-disable-tls" // HubbleTLSCertFile specifies the path to the public key file for the // Hubble server. The file must contain PEM encoded data. HubbleTLSCertFile = "hubble-tls-cert-file" // HubbleTLSKeyFile specifies the path to the private key file for the // Hubble server. The file must contain PEM encoded data. HubbleTLSKeyFile = "hubble-tls-key-file" // HubbleTLSClientCAFiles specifies the path to one or more client CA // certificates to use for TLS with mutual authentication (mTLS). The files // must contain PEM encoded data. HubbleTLSClientCAFiles = "hubble-tls-client-ca-files" // HubbleEventBufferCapacity specifies the capacity of Hubble events buffer. HubbleEventBufferCapacity = "hubble-event-buffer-capacity" // HubbleEventQueueSize specifies the buffer size of the channel to receive monitor events. HubbleEventQueueSize = "hubble-event-queue-size" // HubbleMetricsServer specifies the addresses to serve Hubble metrics on. HubbleMetricsServer = "hubble-metrics-server" // HubbleMetrics specifies enabled metrics and their configuration options. HubbleMetrics = "hubble-metrics" // HubbleExportFilePath specifies the filepath to write Hubble events to. // e.g. "/var/run/cilium/hubble/events.log" HubbleExportFilePath = "hubble-export-file-path" // HubbleExportFileMaxSizeMB specifies the file size in MB at which to rotate // the Hubble export file. HubbleExportFileMaxSizeMB = "hubble-export-file-max-size-mb" // HubbleExportFileMaxBacks specifies the number of rotated files to keep. HubbleExportFileMaxBackups = "hubble-export-file-max-backups" // HubbleExportFileCompress specifies whether rotated files are compressed. HubbleExportFileCompress = "hubble-export-file-compress" // EnableHubbleRecorderAPI specifies if the Hubble Recorder API should be served EnableHubbleRecorderAPI = "enable-hubble-recorder-api" // EnableHubbleOpenMetrics enables exporting hubble metrics in OpenMetrics format. EnableHubbleOpenMetrics = "enable-hubble-open-metrics" // HubbleRecorderStoragePath specifies the directory in which pcap files // created via the Hubble Recorder API are stored HubbleRecorderStoragePath = "hubble-recorder-storage-path" // HubbleRecorderSinkQueueSize is the queue size for each recorder sink HubbleRecorderSinkQueueSize = "hubble-recorder-sink-queue-size" // HubbleSkipUnknownCGroupIDs specifies if events with unknown cgroup ids should be skipped HubbleSkipUnknownCGroupIDs = "hubble-skip-unknown-cgroup-ids" // DisableIptablesFeederRules specifies which chains will be excluded // when installing the feeder rules DisableIptablesFeederRules = "disable-iptables-feeder-rules" // K8sHeartbeatTimeout configures the timeout for apiserver heartbeat K8sHeartbeatTimeout = "k8s-heartbeat-timeout" // EndpointStatus enables population of information in the // CiliumEndpoint.Status resource EndpointStatus = "endpoint-status" // EndpointStatusPolicy enables CiliumEndpoint.Status.Policy EndpointStatusPolicy = "policy" // EndpointStatusHealth enables CilliumEndpoint.Status.Health EndpointStatusHealth = "health" // EndpointStatusControllers enables CiliumEndpoint.Status.Controllers EndpointStatusControllers = "controllers" // EndpointStatusLog enables CiliumEndpoint.Status.Log EndpointStatusLog = "log" // EndpointStatusState enables CiliumEndpoint.Status.State EndpointStatusState = "state" // EnableIPv4FragmentsTrackingName is the name of the option to enable // IPv4 fragments tracking for L4-based lookups. Needs LRU map support. EnableIPv4FragmentsTrackingName = "enable-ipv4-fragment-tracking" // FragmentsMapEntriesName configures max entries for BPF fragments // tracking map. FragmentsMapEntriesName = "bpf-fragments-map-max" // K8sEnableAPIDiscovery enables Kubernetes API discovery K8sEnableAPIDiscovery = "enable-k8s-api-discovery" // LBMapEntriesName configures max entries for BPF lbmap. LBMapEntriesName = "bpf-lb-map-max" // LBServiceMapMaxEntries configures max entries of bpf map for services. LBServiceMapMaxEntries = "bpf-lb-service-map-max" // LBBackendMapMaxEntries configures max entries of bpf map for service backends. LBBackendMapMaxEntries = "bpf-lb-service-backend-map-max" // LBRevNatMapMaxEntries configures max entries of bpf map for reverse NAT. LBRevNatMapMaxEntries = "bpf-lb-rev-nat-map-max" // LBAffinityMapMaxEntries configures max entries of bpf map for session affinity. LBAffinityMapMaxEntries = "bpf-lb-affinity-map-max" // LBSourceRangeMapMaxEntries configures max entries of bpf map for service source ranges. LBSourceRangeMapMaxEntries = "bpf-lb-source-range-map-max" // LBMaglevMapMaxEntries configures max entries of bpf map for Maglev. LBMaglevMapMaxEntries = "bpf-lb-maglev-map-max" // K8sServiceProxyName instructs Cilium to handle service objects only when // service.kubernetes.io/service-proxy-name label equals the provided value. K8sServiceProxyName = "k8s-service-proxy-name" // APIRateLimitName enables configuration of the API rate limits APIRateLimitName = "api-rate-limit" // CRDWaitTimeout is the timeout in which Cilium will exit if CRDs are not // available. CRDWaitTimeout = "crd-wait-timeout" // EgressMultiHomeIPRuleCompat instructs Cilium to use a new scheme to // store rules and routes under ENI and Azure IPAM modes, if false. // Otherwise, it will use the old scheme. EgressMultiHomeIPRuleCompat = "egress-multi-home-ip-rule-compat" // EnableCustomCallsName is the name of the option to enable tail calls // for user-defined custom eBPF programs. EnableCustomCallsName = "enable-custom-calls" // BGPAnnounceLBIP announces service IPs of type LoadBalancer via BGP BGPAnnounceLBIP = "bgp-announce-lb-ip" // BGPAnnouncePodCIDR announces the node's pod CIDR via BGP BGPAnnouncePodCIDR = "bgp-announce-pod-cidr" // BGPConfigPath is the file path to the BGP configuration. It is // compatible with MetalLB's configuration. BGPConfigPath = "bgp-config-path" // ExternalClusterIPName is the name of the option to enable // cluster external access to ClusterIP services. ExternalClusterIPName = "bpf-lb-external-clusterip" // VLANBPFBypass instructs Cilium to bypass bpf logic for vlan tagged packets VLANBPFBypass = "vlan-bpf-bypass" // EnableICMPRules enables ICMP-based rule support for Cilium Network Policies. EnableICMPRules = "enable-icmp-rules" // BypassIPAvailabilityUponRestore bypasses the IP availability error // within IPAM upon endpoint restore and allows the use of the restored IP // regardless of whether it's available in the pool. BypassIPAvailabilityUponRestore = "bypass-ip-availability-upon-restore" // EnableK8sTerminatingEndpoint enables the option to auto detect terminating // state for endpoints in order to support graceful termination. EnableK8sTerminatingEndpoint = "enable-k8s-terminating-endpoint" // EnableVTEP enables cilium VXLAN VTEP integration EnableVTEP = "enable-vtep" // VTEP endpoint IPs VtepEndpoint = "vtep-endpoint" // VTEP CIDRs VtepCIDR = "vtep-cidr" // VTEP CIDR Mask applies to all VtepCIDR VtepMask = "vtep-mask" // VTEP MACs VtepMAC = "vtep-mac" // TCFilterPriority sets the priority of the cilium tc filter, enabling other // filters to be inserted prior to the cilium filter. TCFilterPriority = "bpf-filter-priority" // Flag to enable BGP control plane features EnableBGPControlPlane = "enable-bgp-control-plane" // IngressSecretsNamespace is the namespace having tls secrets used by CEC. IngressSecretsNamespace = "ingress-secrets-namespace" // GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC, originating from Gateway API. GatewayAPISecretsNamespace = "gateway-api-secrets-namespace" // EnableRuntimeDeviceDetection is the name of the option to enable detection // of new and removed datapath devices during the agent runtime. EnableRuntimeDeviceDetection = "enable-runtime-device-detection" // EnablePMTUDiscovery enables path MTU discovery to send ICMP // fragmentation-needed replies to the client (when needed). EnablePMTUDiscovery = "enable-pmtu-discovery" // BPFMapEventBuffers specifies what maps should have event buffers enabled, // and the max size and TTL of events in the buffers should be. BPFMapEventBuffers = "bpf-map-event-buffers" // EnableStaleCiliumEndpointCleanup sets whether Cilium should perform cleanup of // stale CiliumEndpoints during init. EnableStaleCiliumEndpointCleanup = "enable-stale-cilium-endpoint-cleanup" // IPAMCiliumnodeUpdateRate is the maximum rate at which the CiliumNode custom // resource is updated. IPAMCiliumNodeUpdateRate = "ipam-cilium-node-update-rate" // EnableK8sNetworkPolicy enables support for K8s NetworkPolicy. EnableK8sNetworkPolicy = "enable-k8s-networkpolicy" )
const ( // TunnelVXLAN specifies VXLAN encapsulation TunnelVXLAN = "vxlan" // TunnelGeneve specifies Geneve encapsulation TunnelGeneve = "geneve" // TunnelDisabled specifies to disable encapsulation TunnelDisabled = "disabled" )
Available option for DaemonConfig.Tunnel
const ( // HTTPNormalizePath switches on Envoy HTTP path normalization options, which currently // includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and // redirecting for paths that contain escaped slashes. These are necessary to keep path based // access control functional, and should not interfere with normal operation. Set this to // false only with caution. HTTPNormalizePath = "http-normalize-path" // HTTP403Message specifies the response body for 403 responses, defaults to "Access denied" HTTP403Message = "http-403-msg" // HTTPRequestTimeout specifies the time in seconds after which forwarded requests time out HTTPRequestTimeout = "http-request-timeout" // HTTPIdleTimeout spcifies the time in seconds if http stream being idle after which the // request times out HTTPIdleTimeout = "http-idle-timeout" // HTTPMaxGRPCTimeout specifies the maximum time in seconds that limits the values of // "grpc-timeout" headers being honored. HTTPMaxGRPCTimeout = "http-max-grpc-timeout" // HTTPRetryCount specifies the number of retries performed after a forwarded request fails HTTPRetryCount = "http-retry-count" // HTTPRetryTimeout is the time in seconds before an uncompleted request is retried. HTTPRetryTimeout = "http-retry-timeout" // ProxyConnectTimeout specifies the time in seconds after which a TCP connection attempt // is considered timed out ProxyConnectTimeout = "proxy-connect-timeout" // ProxyGID specifies the group ID that has access to unix domain sockets opened by Cilium // agent for proxy configuration and access logging. ProxyGID = "proxy-gid" // ReadCNIConfiguration reads the CNI configuration file and extracts // Cilium relevant information. This can be used to pass per node // configuration to Cilium. ReadCNIConfiguration = "read-cni-conf" // WriteCNIConfigurationWhenReady writes the CNI configuration to the // specified location once the agent is ready to serve requests. This // allows to keep a Kubernetes node NotReady until Cilium is up and // running and able to schedule endpoints. WriteCNIConfigurationWhenReady = "write-cni-conf-when-ready" // CNIExclusive tells the agent to remove other CNI configuration files CNIExclusive = "cni-exclusive" // CNILogFile is the path to a log file (on the host) for the CNI plugin // binary to use for logging. CNILogFile = "cni-log-file" // EnableCiliumEndpointSlice enables the cilium endpoint slicing feature. EnableCiliumEndpointSlice = "enable-cilium-endpoint-slice" )
Envoy option names
const ( // NodePortMinDefault is the minimal port to listen for NodePort requests NodePortMinDefault = 30000 // NodePortMaxDefault is the maximum port to listen for NodePort requests NodePortMaxDefault = 32767 // NodePortModeSNAT is for SNATing requests to remote nodes NodePortModeSNAT = "snat" // NodePortModeDSR is for performing DSR for requests to remote nodes NodePortModeDSR = "dsr" // NodePortAlgRandom is for randomly selecting a backend NodePortAlgRandom = "random" // NodePortAlgMaglev is for using maglev consistent hashing for backend selection NodePortAlgMaglev = "maglev" // NodePortModeHybrid is a dual mode of the above, that is, DSR for TCP and SNAT for UDP NodePortModeHybrid = "hybrid" // DSR dispatch mode to encode service into IP option or extension header DSRDispatchOption = "opt" // DSR dispatch mode to encapsulate to IPIP DSRDispatchIPIP = "ipip" // DSR L4 translation to frontend port DSRL4XlateFrontend = "frontend" // DSR L4 translation to backend port DSRL4XlateBackend = "backend" // NodePortAccelerationDisabled means we do not accelerate NodePort via XDP NodePortAccelerationDisabled = XDPModeDisabled // NodePortAccelerationGeneric means we accelerate NodePort via generic XDP NodePortAccelerationGeneric = XDPModeGeneric // NodePortAccelerationNative means we accelerate NodePort via native XDP in the driver (preferred) NodePortAccelerationNative = XDPModeNative // KubeProxyReplacementPartial specifies to enable only selected kube-proxy // replacement features (might panic) KubeProxyReplacementPartial = "partial" // KubeProxyReplacementStrict specifies to enable all kube-proxy replacement // features (might panic) KubeProxyReplacementStrict = "strict" // KubeProxyReplacementDisabled specified to completely disable kube-proxy // replacement KubeProxyReplacementDisabled = "disabled" // KubeProxyReplacement healthz server bind address KubeProxyReplacementHealthzBindAddr = "kube-proxy-replacement-healthz-bind-address" // PprofAddressAgent is the default value for pprof in the agent PprofAddressAgent = "localhost" // PprofPortAgent is the default value for pprof in the agent PprofPortAgent = 6060 )
const ( // TCP_FIN, ... from <linux/tcp.h> (host byte-order) TCP_FIN = uint16(0x0001) TCP_SYN = uint16(0x0002) TCP_RST = uint16(0x0004) TCP_PSH = uint16(0x0008) TCP_ACK = uint16(0x0010) TCP_URG = uint16(0x0020) TCP_ECE = uint16(0x0040) TCP_CWR = uint16(0x0080) )
const ( PolicyTracing = "PolicyTracing" ConntrackAccounting = "ConntrackAccounting" ConntrackLocal = "ConntrackLocal" Debug = "Debug" DebugLB = "DebugLB" DebugPolicy = "DebugPolicy" DropNotify = "DropNotification" TraceNotify = "TraceNotification" TraceSockNotify = "TraceSockNotification" PolicyVerdictNotify = "PolicyVerdictNotification" PolicyAuditMode = "PolicyAuditMode" MonitorAggregation = "MonitorAggregationLevel" SourceIPVerification = "SourceIPVerification" AlwaysEnforce = "always" NeverEnforce = "never" DefaultEnforcement = "default" )
const HostExtensionMKE = 0x1bda7a
Variables ¶
var ( FQDNRejectOptions = []string{FQDNProxyDenyWithNameError, FQDNProxyDenyWithRefused} // MonitorAggregationFlagsDefault ensure that all TCP flags trigger // monitor notifications even under medium monitor aggregation. MonitorAggregationFlagsDefault = []string{"syn", "fin", "rst"} )
Default string arguments
var ( // DaemonOptionLibrary is the daemon's option library that should be // used for read-only. DaemonOptionLibrary = OptionLibrary{ PolicyTracing: &specPolicyTracing, } DaemonMutableOptionLibrary = OptionLibrary{ ConntrackAccounting: &specConntrackAccounting, ConntrackLocal: &specConntrackLocal, Debug: &specDebug, DebugLB: &specDebugLB, DebugPolicy: &specDebugPolicy, DropNotify: &specDropNotify, TraceNotify: &specTraceNotify, PolicyVerdictNotify: &specPolicyVerdictNotify, PolicyAuditMode: &specPolicyAuditMode, MonitorAggregation: &specMonitorAggregation, SourceIPVerification: &specSourceIPVerification, } )
var ( // Config represents the daemon configuration Config = &DaemonConfig{ CreationTime: time.Now(), Opts: NewIntOptions(&DaemonOptionLibrary), Monitor: &models.MonitorStatus{Cpus: int64(runtime.NumCPU()), Npages: 64, Pagesize: int64(os.Getpagesize()), Lost: 0, Unknown: 0}, IPv6ClusterAllocCIDR: defaults.IPv6ClusterAllocCIDR, IPv6ClusterAllocCIDRBase: defaults.IPv6ClusterAllocCIDRBase, EnableHostIPRestore: defaults.EnableHostIPRestore, EnableHealthChecking: defaults.EnableHealthChecking, EnableEndpointHealthChecking: defaults.EnableEndpointHealthChecking, EnableHealthCheckNodePort: defaults.EnableHealthCheckNodePort, EnableIPv4: defaults.EnableIPv4, EnableIPv6: defaults.EnableIPv6, EnableIPv6NDP: defaults.EnableIPv6NDP, EnableSCTP: defaults.EnableSCTP, EnableL7Proxy: defaults.EnableL7Proxy, EndpointStatus: make(map[string]struct{}), DNSMaxIPsPerRestoredRule: defaults.DNSMaxIPsPerRestoredRule, ToFQDNsMaxIPsPerHost: defaults.ToFQDNsMaxIPsPerHost, KVstorePeriodicSync: defaults.KVstorePeriodicSync, KVstoreConnectivityTimeout: defaults.KVstoreConnectivityTimeout, IPAllocationTimeout: defaults.IPAllocationTimeout, IdentityChangeGracePeriod: defaults.IdentityChangeGracePeriod, IdentityRestoreGracePeriod: defaults.IdentityRestoreGracePeriod, FixedIdentityMapping: make(map[string]string), KVStoreOpt: make(map[string]string), LogOpt: make(map[string]string), LoopbackIPv4: defaults.LoopbackIPv4, ForceLocalPolicyEvalAtSource: defaults.ForceLocalPolicyEvalAtSource, EnableEndpointRoutes: defaults.EnableEndpointRoutes, AnnotateK8sNode: defaults.AnnotateK8sNode, K8sServiceCacheSize: defaults.K8sServiceCacheSize, AutoCreateCiliumNodeResource: defaults.AutoCreateCiliumNodeResource, IdentityAllocationMode: IdentityAllocationModeKVstore, AllowICMPFragNeeded: defaults.AllowICMPFragNeeded, EnableWellKnownIdentities: defaults.EnableWellKnownIdentities, K8sEnableK8sEndpointSlice: defaults.K8sEnableEndpointSlice, AllocatorListTimeout: defaults.AllocatorListTimeout, EnableICMPRules: defaults.EnableICMPRules, K8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery, APIRateLimit: make(map[string]string), ExternalClusterIP: defaults.ExternalClusterIP, EnableVTEP: defaults.EnableVTEP, EnableBGPControlPlane: defaults.EnableBGPControlPlane, EnableK8sNetworkPolicy: defaults.EnableK8sNetworkPolicy, } )
Functions ¶
func BindEnv ¶ added in v1.5.0
BindEnv binds the option name with a deterministic generated environment variable which is based on the given optName. If the same optName is bound more than once, this function panics.
func BindEnvWithLegacyEnvFallback ¶ added in v1.5.1
BindEnvWithLegacyEnvFallback binds the given option name with either the same environment variable as BindEnv, if it's set, or with the given legacyEnvName.
The function is used to work around the viper.BindEnv limitation that only one environment variable can be bound for an option, and we need multiple environment variables due to backward compatibility reasons.
func EndpointStatusValues ¶ added in v1.14.0
func EndpointStatusValues() []string
EndpointStatusValues returns all available EndpointStatus option values
func EndpointStatusValuesMap ¶ added in v1.14.0
func EndpointStatusValuesMap() (values map[string]struct{})
EndpointStatusValuesMap returns all EndpointStatus option values as a map
func FormatMonitorAggregationLevel ¶ added in v1.5.0
func FormatMonitorAggregationLevel(level OptionSetting) string
FormatMonitorAggregationLevel maps a MonitorAggregationLevel to a string.
func GetTunnelModes ¶ added in v1.5.0
func GetTunnelModes() string
GetTunnelModes returns the list of all tunnel modes
func InitConfig ¶ added in v1.14.0
InitConfig reads in config file and ENV variables if set.
func LogRegisteredOptions ¶ added in v1.5.0
LogRegisteredOptions logs all options that where bound to viper.
func MergeConfig ¶ added in v1.5.0
MergeConfig merges the given configuration map with viper's configuration.
func MightAutoDetectDevices ¶ added in v1.14.0
func MightAutoDetectDevices() bool
MightAutoDetectDevices returns true if the device auto-detection might take place.
func ReadDirConfig ¶ added in v1.5.0
ReadDirConfig reads the given directory and returns a map that maps the filename to the contents of that file.
func ReplaceDeprecatedFields ¶ added in v1.5.0
func ReplaceDeprecatedFields(m map[string]interface{})
ReplaceDeprecatedFields replaces the deprecated options set with the new set of options that overwrite the deprecated ones. This function replaces the deprecated fields used by environment variables with a different name than the option they are setting. This also replaces the deprecated names used in the Kubernetes ConfigMap. Once we remove them from this function we also need to remove them from daemon_main.go and warn users about the old environment variable nor the option in the configuration map have any effect.
func StoreViperInFile ¶ added in v1.14.0
StoreViperInFile stores viper's configuration in a the given directory under the file name 'viper-config.yaml'. If this file already exists, it is renamed to 'viper-config-1.yaml', if 'viper-config-1.yaml' also exists, 'viper-config-1.yaml' is renamed to 'viper-config-2.yaml'
func VerifyMonitorAggregationLevel ¶ added in v1.5.0
VerifyMonitorAggregationLevel validates the specified key/value for a monitor aggregation level.
Types ¶
type BPFClockSource ¶ added in v1.14.0
type BPFClockSource int
const ( ClockSourceKtime BPFClockSource = iota ClockSourceJiffies )
type BPFEventBufferConfig ¶ added in v1.14.0
BPFEventBufferConfig contains parsed configuration for a bpf map event buffer.
func ParseEventBufferTupleString ¶ added in v1.14.0
func ParseEventBufferTupleString(optsStr string) (BPFEventBufferConfig, error)
ParseEventBufferTupleString parses a event buffer configuration tuple string. For example: true,100,24h Which refers to enabled=true, maxSize=100, ttl=24hours.
type BPFEventBufferConfigs ¶ added in v1.14.0
type BPFEventBufferConfigs map[string]BPFEventBufferConfig
BPFEventBufferConfigs contains parsed bpf event buffer configs, indexed but map name.
type ChangedFunc ¶
type ChangedFunc func(key string, value OptionSetting, data interface{})
ChangedFunc is called by `Apply()` for each option changed
type DaemonConfig ¶ added in v1.5.0
type DaemonConfig struct { CreationTime time.Time BpfDir string // BPF template files directory LibDir string // Cilium library files directory RunDir string // Cilium runtime directory DirectRoutingDevice string // Direct routing device (used by BPF NodePort and BPF Host Routing) LBDevInheritIPAddr string // Device which IP addr used by bpf_host devices EnableXDPPrefilter bool // Enable XDP-based prefiltering XDPMode string // XDP mode, values: { xdpdrv | xdpgeneric | none } HostV4Addr net.IP // Host v4 address of the snooping device HostV6Addr net.IP // Host v6 address of the snooping device EncryptInterface []string // Set of network facing interface to encrypt over EncryptNode bool // Set to true for encrypting node IP traffic // If set to true the daemon will detect new and deleted datapath devices // at runtime and reconfigure the datapath to load programs onto the new // devices. EnableRuntimeDeviceDetection bool DatapathMode string // Datapath mode Tunnel string // Tunnel mode TunnelPort int // Tunnel port DryMode bool // Do not create BPF maps, devices, .. // RestoreState enables restoring the state from previous running daemons. RestoreState bool // EnableHostIPRestore enables restoring the host IPs based on state // left behind by previous Cilium runs. EnableHostIPRestore bool KeepConfig bool // Keep configuration of existing endpoints when starting up. // AllowLocalhost defines when to allows the local stack to local endpoints // values: { auto | always | policy } AllowLocalhost string // StateDir is the directory where runtime state of endpoints is stored StateDir string // Options changeable at runtime Opts *IntOptions // Mutex for serializing configuration updates to the daemon. ConfigPatchMutex lock.RWMutex // Monitor contains the configuration for the node monitor. Monitor *models.MonitorStatus // AgentHealthPort is the TCP port for agent health status API AgentHealthPort int // ClusterHealthPort is the TCP port for cluster-wide network connectivity health API ClusterHealthPort int // ClusterMeshHealthPort is the TCP port for ClusterMesh apiserver health API ClusterMeshHealthPort int // AgentLabels contains additional labels to identify this agent in monitor events. AgentLabels []string // IPv6ClusterAllocCIDR is the base CIDR used to allocate IPv6 node // CIDRs if allocation is not performed by an orchestration system IPv6ClusterAllocCIDR string // IPv6ClusterAllocCIDRBase is derived from IPv6ClusterAllocCIDR and // contains the CIDR without the mask, e.g. "fdfd::1/64" -> "fdfd::" // // This variable should never be written to, it is initialized via // DaemonConfig.Validate() IPv6ClusterAllocCIDRBase string // IPv6NAT46x64CIDR is the private base CIDR for the NAT46x64 gateway IPv6NAT46x64CIDR string // IPv6NAT46x64CIDRBase is derived from IPv6NAT46x64CIDR and contains // the IPv6 prefix with the masked bits zeroed out IPv6NAT46x64CIDRBase netip.Addr // K8sRequireIPv4PodCIDR requires the k8s node resource to specify the // IPv4 PodCIDR. Cilium will block bootstrapping until the information // is available. K8sRequireIPv4PodCIDR bool // K8sRequireIPv6PodCIDR requires the k8s node resource to specify the // IPv6 PodCIDR. Cilium will block bootstrapping until the information // is available. K8sRequireIPv6PodCIDR bool // K8sServiceCacheSize is the service cache size for cilium k8s package. K8sServiceCacheSize uint // MTU is the maximum transmission unit of the underlying network MTU int // RouteMetric is the metric used for the routes added to the cilium_host device RouteMetric int // ClusterName is the name of the cluster ClusterName string // ClusterID is the unique identifier of the cluster ClusterID uint32 // ClusterMeshConfig is the path to the clustermesh configuration directory ClusterMeshConfig string // CTMapEntriesGlobalTCP is the maximum number of conntrack entries // allowed in each TCP CT table for IPv4/IPv6. CTMapEntriesGlobalTCP int // CTMapEntriesGlobalAny is the maximum number of conntrack entries // allowed in each non-TCP CT table for IPv4/IPv6. CTMapEntriesGlobalAny int // CTMapEntriesTimeout* values configured by the user. CTMapEntriesTimeoutTCP time.Duration CTMapEntriesTimeoutAny time.Duration CTMapEntriesTimeoutSVCTCP time.Duration CTMapEntriesTimeoutSVCTCPGrace time.Duration CTMapEntriesTimeoutSVCAny time.Duration CTMapEntriesTimeoutSYN time.Duration CTMapEntriesTimeoutFIN time.Duration // EnableMonitor enables the monitor unix domain socket server EnableMonitor bool // MonitorAggregationInterval configures the interval between monitor // messages when monitor aggregation is enabled. MonitorAggregationInterval time.Duration // MonitorAggregationFlags determines which TCP flags that the monitor // aggregation ensures reports are generated for when monitor-aggragation // is enabled. Network byte-order. MonitorAggregationFlags uint16 // BPFMapsDynamicSizeRatio is ratio of total system memory to use for // dynamic sizing of the CT, NAT, Neighbor and SockRevNAT BPF maps. BPFMapsDynamicSizeRatio float64 // NATMapEntriesGlobal is the maximum number of NAT mappings allowed // in the BPF NAT table NATMapEntriesGlobal int // NeighMapEntriesGlobal is the maximum number of neighbor mappings // allowed in the BPF neigh table NeighMapEntriesGlobal int // AuthMapEntries is the maximum number of entries in the auth map. AuthMapEntries int // PolicyMapEntries is the maximum number of peer identities that an // endpoint may allow traffic to exchange traffic with. PolicyMapEntries int // SockRevNatEntries is the maximum number of sock rev nat mappings // allowed in the BPF rev nat table SockRevNatEntries int // EgressGatewayPolicyMapEntries is the maximum number of entries // allowed in the BPF egress gateway policy map. EgressGatewayPolicyMapEntries int // DisableCiliumEndpointCRD disables the use of CiliumEndpoint CRD DisableCiliumEndpointCRD bool // MaxControllerInterval is the maximum value for a controller's // RunInterval. Zero means unlimited. MaxControllerInterval int // UseSingleClusterRoute specifies whether to use a single cluster route // instead of per-node routes. UseSingleClusterRoute bool // HTTPNormalizePath switches on Envoy HTTP path normalization options, which currently // includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and // redirecting for paths that contain escaped slashes. These are necessary to keep path based // access control functional, and should not interfere with normal operation. Set this to // false only with caution. HTTPNormalizePath bool // HTTP403Message is the error message to return when a HTTP 403 is returned // by the proxy, if L7 policy is configured. HTTP403Message string // HTTPRequestTimeout is the time in seconds after which Envoy responds with an // error code on a request that has not yet completed. This needs to be longer // than the HTTPIdleTimeout HTTPRequestTimeout int // HTTPIdleTimeout is the time in seconds of a HTTP stream having no traffic after // which Envoy responds with an error code. This needs to be shorter than the // HTTPRequestTimeout HTTPIdleTimeout int // HTTPMaxGRPCTimeout is the upper limit to which "grpc-timeout" headers in GRPC // requests are honored by Envoy. If 0 there is no limit. GRPC requests are not // bound by the HTTPRequestTimeout, but ARE affected by the idle timeout! HTTPMaxGRPCTimeout int // HTTPRetryCount is the upper limit on how many times Envoy retries failed requests. HTTPRetryCount int // HTTPRetryTimeout is the time in seconds before an uncompleted request is retried. HTTPRetryTimeout int // ProxyConnectTimeout is the time in seconds after which Envoy considers a TCP // connection attempt to have timed out. ProxyConnectTimeout int // ProxyGID specifies the group ID that has access to unix domain sockets opened by Cilium // agent for proxy configuration and access logging. ProxyGID int // ProxyPrometheusPort specifies the port to serve Envoy metrics on. ProxyPrometheusPort int // ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for the proxy ProxyMaxRequestsPerConnection int // ProxyMaxConnectionDuration specifies the max_connection_duration setting for the proxy ProxyMaxConnectionDuration time.Duration // EnvoyLogPath specifies where to store the Envoy proxy logs when Envoy // runs in the same container as Cilium. EnvoyLogPath string // EnableSockOps specifies whether to enable sockops (socket lookup). SockopsEnable bool ProcFs string // PrependIptablesChains is the name of the option to enable prepending // iptables chains instead of appending PrependIptablesChains bool // IPTablesLockTimeout defines the "-w" iptables option when the // iptables CLI is directly invoked from the Cilium agent. IPTablesLockTimeout time.Duration // IPTablesRandomFully defines the "--random-fully" iptables option when the // iptables CLI is directly invoked from the Cilium agent. IPTablesRandomFully bool // K8sNamespace is the name of the namespace in which Cilium is // deployed in when running in Kubernetes mode K8sNamespace string // AgentNotReadyNodeTaint is a node taint which prevents pods from being // scheduled. Once cilium is setup it is removed from the node. Mostly // used in cloud providers to prevent existing CNI plugins from managing // pods. AgentNotReadyNodeTaintKey string // JoinCluster is 'true' if the agent should join a Cilium cluster via kvstore // registration JoinCluster bool // EnableIPv4 is true when IPv4 is enabled EnableIPv4 bool // EnableIPv6 is true when IPv6 is enabled EnableIPv6 bool // EnableNat46X64Gateway is true when L3 based NAT46 and NAT64 translation is enabled EnableNat46X64Gateway bool // EnableIPv6NDP is true when NDP is enabled for IPv6 EnableIPv6NDP bool // EnableIPv6BIGTCP enables IPv6 BIG TCP (larger GSO/GRO limits) for the node including pods. EnableIPv6BIGTCP bool // EnableSRv6 is true when SRv6 encapsulation support is enabled EnableSRv6 bool // SRv6EncapMode is the encapsulation mode for SRv6 SRv6EncapMode string // EnableSCTP is true when SCTP support is enabled. EnableSCTP bool // IPv6MCastDevice is the name of device that joins IPv6's solicitation multicast group IPv6MCastDevice string // EnableL7Proxy is the option to enable L7 proxy EnableL7Proxy bool // EnableIPSec is true when IPSec is enabled EnableIPSec bool // IPSec key file for stored keys IPSecKeyFile string // EnableWireguard enables Wireguard encryption EnableWireguard bool // EnableWireguardUserspaceFallback enables the fallback to the userspace implementation EnableWireguardUserspaceFallback bool // NodeEncryptionOptOutLabels contains the label selectors for nodes opting out of // node-to-node encryption NodeEncryptionOptOutLabels k8sLabels.Selector // MonitorQueueSize is the size of the monitor event queue MonitorQueueSize int BPFRoot string BPFSocketLBHostnsOnly bool CGroupRoot string BPFCompileDebug string CompilerFlags []string ConfigFile string ConfigDir string Debug bool DebugVerbose []string EnableSocketLB bool EnableSocketLBTracing bool EnableSocketLBPeer bool EnablePolicy string EnableTracing bool EnableUnreachableRoutes bool EnvoyLog string DisableEnvoyVersionCheck bool FixedIdentityMapping map[string]string FixedIdentityMappingValidator func(val string) (string, error) `json:"-"` IPv4Range string IPv6Range string IPv4ServiceRange string IPv6ServiceRange string K8sSyncTimeout time.Duration AllocatorListTimeout time.Duration K8sWatcherEndpointSelector string KVStore string KVStoreOpt map[string]string LabelPrefixFile string Labels []string LogDriver []string LogOpt map[string]string Logstash bool LogSystemLoadConfig bool // Masquerade specifies whether or not to masquerade packets from endpoints // leaving the host. EnableIPv4Masquerade bool EnableIPv6Masquerade bool EnableBPFMasquerade bool DeriveMasqIPAddrFromDevice string EnableBPFClockProbe bool EnableIPMasqAgent bool EnableIPv4EgressGateway bool InstallEgressGatewayRoutes bool EnableEnvoyConfig bool EnableIngressController bool EnableGatewayAPI bool EnvoyConfigTimeout time.Duration IPMasqAgentConfigPath string InstallIptRules bool MonitorAggregation string PreAllocateMaps bool IPv6NodeAddr string IPv4NodeAddr string SidecarIstioProxyImage string SocketPath string TracePayloadlen int Version string PrometheusServeAddr string ToFQDNsMinTTL int // DNSMaxIPsPerRestoredRule defines the maximum number of IPs to maintain // for each FQDN selector in endpoint's restored DNS rules DNSMaxIPsPerRestoredRule int // DNSPolicyUnloadOnShutdown defines whether DNS policy rules should be unloaded on // graceful shutdown. DNSPolicyUnloadOnShutdown bool // ToFQDNsProxyPort is the user-configured global, shared, DNS listen port used // by the DNS Proxy. Both UDP and TCP are handled on the same port. When it // is 0 a random port will be assigned, and can be obtained from // DefaultDNSProxy below. ToFQDNsProxyPort int // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain // for each FQDN name in an endpoint's FQDN cache ToFQDNsMaxIPsPerHost int // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to retain for // expired DNS lookups with still-active connections ToFQDNsMaxDeferredConnectionDeletes int // ToFQDNsIdleConnectionGracePeriod Time during which idle but // previously active connections with expired DNS lookups are // still considered alive ToFQDNsIdleConnectionGracePeriod time.Duration // FQDNRejectResponse is the dns-proxy response for invalid dns-proxy request FQDNRejectResponse string // FQDNProxyResponseMaxDelay The maximum time the DNS proxy holds an allowed // DNS response before sending it along. Responses are sent as soon as the // datapath is updated with the new IP information. FQDNProxyResponseMaxDelay time.Duration // FQDNRegexCompileLRUSize is the size of the FQDN regex compilation LRU. // Useful for heavy but repeated FQDN MatchName or MatchPattern use. FQDNRegexCompileLRUSize int // Path to a file with DNS cache data to preload on startup ToFQDNsPreCache string // ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to // endpoints that are larger than 512 Bytes or the EDNS0 option, if present. ToFQDNsEnableDNSCompression bool // DNSProxyConcurrencyLimit limits parallel processing of DNS messages in // DNS proxy at any given point in time. DNSProxyConcurrencyLimit int // DNSProxyConcurrencyProcessingGracePeriod is the amount of grace time to // wait while processing DNS messages when the DNSProxyConcurrencyLimit has // been reached. DNSProxyConcurrencyProcessingGracePeriod time.Duration // DNSProxyLockCount is the array size containing mutexes which protect // against parallel handling of DNS response IPs. DNSProxyLockCount int // DNSProxyLockTimeout is timeout when acquiring the locks controlled by // DNSProxyLockCount. DNSProxyLockTimeout time.Duration // EnableXTSocketFallback allows disabling of kernel's ip_early_demux // sysctl option if `xt_socket` kernel module is not available. EnableXTSocketFallback bool // EnableBPFTProxy enables implementing proxy redirection via BPF // mechanisms rather than iptables rules. EnableBPFTProxy bool // EnableAutoDirectRouting enables installation of direct routes to // other nodes when available EnableAutoDirectRouting bool // EnableLocalNodeRoute controls installation of the route which points // the allocation prefix of the local node. EnableLocalNodeRoute bool // EnableHealthChecking enables health checking between nodes and // health endpoints EnableHealthChecking bool // EnableEndpointHealthChecking enables health checking between virtual // health endpoints EnableEndpointHealthChecking bool // EnableHealthCheckNodePort enables health checking of NodePort by // cilium EnableHealthCheckNodePort bool // KVstoreKeepAliveInterval is the interval in which the lease is being // renewed. This must be set to a value lesser than the LeaseTTL ideally // by a factor of 3. KVstoreKeepAliveInterval time.Duration // KVstoreLeaseTTL is the time-to-live for kvstore lease. KVstoreLeaseTTL time.Duration // KVstoreMaxConsecutiveQuorumErrors is the maximum number of acceptable // kvstore consecutive quorum errors before the agent assumes permanent failure KVstoreMaxConsecutiveQuorumErrors int // KVstorePeriodicSync is the time interval in which periodic // synchronization with the kvstore occurs KVstorePeriodicSync time.Duration // KVstoreConnectivityTimeout is the timeout when performing kvstore operations KVstoreConnectivityTimeout time.Duration // IPAllocationTimeout is the timeout when allocating CIDRs IPAllocationTimeout time.Duration // IdentityChangeGracePeriod is the grace period that needs to pass // before an endpoint that has changed its identity will start using // that new identity. During the grace period, the new identity has // already been allocated and other nodes in the cluster have a chance // to whitelist the new upcoming identity of the endpoint. IdentityChangeGracePeriod time.Duration // IdentityRestoreGracePeriod is the grace period that needs to pass before CIDR identities // restored during agent restart are released. If any of the restored identities remains // unused after this time, they will be removed from the IP cache. Any of the restored // identities that are used in network policies will remain in the IP cache until all such // policies are removed. IdentityRestoreGracePeriod time.Duration // PolicyQueueSize is the size of the queues for the policy repository. // A larger queue means that more events related to policy can be buffered. PolicyQueueSize int // EndpointQueueSize is the size of the EventQueue per-endpoint. A larger // queue means that more events can be buffered per-endpoint. This is useful // in the case where a cluster might be under high load for endpoint-related // events, specifically those which cause many regenerations. EndpointQueueSize int // ConntrackGCInterval is the connection tracking garbage collection // interval ConntrackGCInterval time.Duration // K8sEventHandover enables use of the kvstore to optimize Kubernetes // event handling by listening for k8s events in the operator and // mirroring it into the kvstore for reduced overhead in large // clusters. K8sEventHandover bool // MetricsConfig is the configuration set in metrics MetricsConfig metrics.Configuration // LoopbackIPv4 is the address to use for service loopback SNAT LoopbackIPv4 string // LocalRouterIPv4 is the link-local IPv4 address used for Cilium's router device LocalRouterIPv4 string // LocalRouterIPv6 is the link-local IPv6 address used for Cilium's router device LocalRouterIPv6 string // ForceLocalPolicyEvalAtSource forces a policy decision at the source // endpoint for all local communication ForceLocalPolicyEvalAtSource bool // EnableEndpointRoutes enables use of per endpoint routes EnableEndpointRoutes bool // Specifies wheather to annotate the kubernetes nodes or not AnnotateK8sNode bool // RunMonitorAgent indicates whether to run the monitor agent RunMonitorAgent bool // ReadCNIConfiguration reads the CNI configuration file and extracts // Cilium relevant information. This can be used to pass per node // configuration to Cilium. ReadCNIConfiguration string // WriteCNIConfigurationWhenReady writes the CNI configuration to the // specified location once the agent is ready to serve requests. This // allows to keep a Kubernetes node NotReady until Cilium is up and // running and able to schedule endpoints. WriteCNIConfigurationWhenReady string // CNIExclusive, if true, directs the agent to remove all other CNI configuration files CNIExclusive bool // CNILogFile is a path on disk (on the host) for the CNI plugin binary to use // for logging. CNILogFile string // EnableNodePort enables k8s NodePort service implementation in BPF EnableNodePort bool // EnableSVCSourceRangeCheck enables check of loadBalancerSourceRanges EnableSVCSourceRangeCheck bool // EnableHealthDatapath enables IPIP health probes data path EnableHealthDatapath bool // EnableHostPort enables k8s Pod's hostPort mapping through BPF EnableHostPort bool // EnableHostLegacyRouting enables the old routing path via stack. EnableHostLegacyRouting bool // NodePortNat46X64 indicates whether NAT46 / NAT64 can be used. NodePortNat46X64 bool // NodePortMode indicates in which mode NodePort implementation should run // ("snat", "dsr" or "hybrid") NodePortMode string // NodePortAlg indicates which backend selection algorithm is used // ("random" or "maglev") NodePortAlg string // LoadBalancerDSRDispatch indicates the method for pushing packets to // backends under DSR ("opt" or "ipip") LoadBalancerDSRDispatch string // LoadBalancerDSRL4Xlate indicates the method for L4 DNAT translation // under IPIP dispatch, that is, whether the inner packet will be // translated to the frontend or backend port. LoadBalancerDSRL4Xlate string // LoadBalancerRSSv4CIDR defines the outer source IPv4 prefix for DSR/IPIP LoadBalancerRSSv4CIDR string LoadBalancerRSSv4 net.IPNet // LoadBalancerRSSv4CIDR defines the outer source IPv6 prefix for DSR/IPIP LoadBalancerRSSv6CIDR string LoadBalancerRSSv6 net.IPNet // EnablePMTUDiscovery indicates whether to send ICMP fragmentation-needed // replies to the client (when needed). EnablePMTUDiscovery bool // Maglev backend table size (M) per service. Must be prime number. MaglevTableSize int // MaglevHashSeed contains the cluster-wide seed for the hash(es). MaglevHashSeed string // NodePortAcceleration indicates whether NodePort should be accelerated // via XDP ("none", "generic" or "native") NodePortAcceleration string // NodePortBindProtection rejects bind requests to NodePort service ports NodePortBindProtection bool // EnableAutoProtectNodePortRange enables appending NodePort range to // net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port // range (net.ipv4.ip_local_port_range) EnableAutoProtectNodePortRange bool // KubeProxyReplacement controls how to enable kube-proxy replacement // features in BPF datapath KubeProxyReplacement string // AddressScopeMax controls the maximum address scope for addresses to be // considered local ones with HOST_ID in the ipcache AddressScopeMax int // EnableBandwidthManager enables EDT-based pacing EnableBandwidthManager bool // EnableBBR enables BBR TCP congestion control for the node including Pods EnableBBR bool // ResetQueueMapping resets the Pod's skb queue mapping ResetQueueMapping bool // EnableRecorder enables the datapath pcap recorder EnableRecorder bool // EnableMKE enables MKE specific 'chaining' for kube-proxy replacement EnableMKE bool // CgroupPathMKE points to the cgroupv1 net_cls mount instance CgroupPathMKE string // KubeProxyReplacementHealthzBindAddr is the KubeProxyReplacement healthz server bind addr KubeProxyReplacementHealthzBindAddr string // EnableExternalIPs enables implementation of k8s services with externalIPs in datapath EnableExternalIPs bool // EnableHostFirewall enables network policies for the host EnableHostFirewall bool // EnableLocalRedirectPolicy enables redirect policies to redirect traffic within nodes EnableLocalRedirectPolicy bool // K8sEnableEndpointSlice enables k8s endpoint slice feature that is used // in kubernetes. K8sEnableK8sEndpointSlice bool // NodePortMin is the minimum port address for the NodePort range NodePortMin int // NodePortMax is the maximum port address for the NodePort range NodePortMax int // EnableSessionAffinity enables a support for service sessionAffinity EnableSessionAffinity bool EnableServiceTopology bool // Selection of BPF main clock source (ktime vs jiffies) ClockSource BPFClockSource // EnableIdentityMark enables setting the mark field with the identity for // local traffic. This may be disabled if chaining modes and Cilium use // conflicting marks. EnableIdentityMark bool // KernelHz is the HZ rate the kernel is operating in KernelHz int // ExcludeLocalAddresses excludes certain addresses to be recognized as // a local address ExcludeLocalAddresses []*net.IPNet // IPv4PodSubnets available subnets to be assign IPv4 addresses to pods from IPv4PodSubnets []*net.IPNet // IPv6PodSubnets available subnets to be assign IPv6 addresses to pods from IPv6PodSubnets []*net.IPNet // IPAM is the IPAM method to use IPAM string // Enable chaining with another CNI plugin. CNIChainingMode string // AutoCreateCiliumNodeResource enables automatic creation of a // CiliumNode resource for the local node AutoCreateCiliumNodeResource bool // IPv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable IPv4NativeRoutingCIDR *cidr.CIDR // IPv6NativeRoutingCIDR describes a CIDR in which pod IPs are routable IPv6NativeRoutingCIDR *cidr.CIDR // EgressMasqueradeInterfaces is the selector used to select interfaces // subject to egress masquerading EgressMasqueradeInterfaces string // PolicyTriggerInterval is the amount of time between when policy updates // are triggered. PolicyTriggerInterval time.Duration // IdentityAllocationMode specifies what mode to use for identity // allocation IdentityAllocationMode string // DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP // CRD. DisableCNPStatusUpdates bool // AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in // the network policy for cilium-agent. AllowICMPFragNeeded bool // EnableWellKnownIdentities enables the use of well-known identities. // This is requires if identiy resolution is required to bring up the // control plane, e.g. when using the managed etcd feature EnableWellKnownIdentities bool // EnableRemoteNodeIdentity enables use of the remote-node identity EnableRemoteNodeIdentity bool // PolicyAuditMode enables non-drop mode for installed policies. In // audit mode packets affected by policies will not be dropped. // Policy related decisions can be checked via the poicy verdict messages. PolicyAuditMode bool // EnableHubble specifies whether to enable the hubble server. EnableHubble bool // HubbleSocketPath specifies the UNIX domain socket for Hubble server to listen to. HubbleSocketPath string // HubbleListenAddress specifies address for Hubble to listen to. HubbleListenAddress string // HubblePreferIpv6 controls whether IPv6 or IPv4 addresses should be preferred for // communication to agents, if both are available. HubblePreferIpv6 bool // HubbleTLSDisabled allows the Hubble server to run on the given listen // address without TLS. HubbleTLSDisabled bool // HubbleTLSCertFile specifies the path to the public key file for the // Hubble server. The file must contain PEM encoded data. HubbleTLSCertFile string // HubbleTLSKeyFile specifies the path to the private key file for the // Hubble server. The file must contain PEM encoded data. HubbleTLSKeyFile string // HubbleTLSClientCAFiles specifies the path to one or more client CA // certificates to use for TLS with mutual authentication (mTLS). The files // must contain PEM encoded data. HubbleTLSClientCAFiles []string // HubbleEventBufferCapacity specifies the capacity of Hubble events buffer. HubbleEventBufferCapacity int // HubbleEventQueueSize specifies the buffer size of the channel to receive monitor events. HubbleEventQueueSize int // HubbleMetricsServer specifies the addresses to serve Hubble metrics on. HubbleMetricsServer string // HubbleMetrics specifies enabled metrics and their configuration options. HubbleMetrics []string // HubbleExportFilePath specifies the filepath to write Hubble events to. // e.g. "/var/run/cilium/hubble/events.log" HubbleExportFilePath string // HubbleExportFileMaxSizeMB specifies the file size in MB at which to rotate // the Hubble export file. HubbleExportFileMaxSizeMB int // HubbleExportFileMaxBacks specifies the number of rotated files to keep. HubbleExportFileMaxBackups int // HubbleExportFileCompress specifies whether rotated files are compressed. HubbleExportFileCompress bool // EnableHubbleRecorderAPI specifies if the Hubble Recorder API should be served EnableHubbleRecorderAPI bool // EnableHubbleOpenMetrics enables exporting hubble metrics in OpenMetrics format. EnableHubbleOpenMetrics bool // HubbleRecorderStoragePath specifies the directory in which pcap files // created via the Hubble Recorder API are stored HubbleRecorderStoragePath string // HubbleRecorderSinkQueueSize is the queue size for each recorder sink HubbleRecorderSinkQueueSize int // HubbleSkipUnknownCGroupIDs specifies if events with unknown cgroup ids should be skipped HubbleSkipUnknownCGroupIDs bool // EndpointStatus enables population of information in the // CiliumEndpoint.Status resource EndpointStatus map[string]struct{} // DisableIptablesFeederRules specifies which chains will be excluded // when installing the feeder rules DisableIptablesFeederRules []string // EnableIPv4FragmentsTracking enables IPv4 fragments tracking for // L4-based lookups. Needs LRU map support. EnableIPv4FragmentsTracking bool // FragmentsMapEntries is the maximum number of fragmented datagrams // that can simultaneously be tracked in order to retrieve their L4 // ports for all fragments. FragmentsMapEntries int // SizeofCTElement is the size of an element (key + value) in the CT map. SizeofCTElement int // SizeofNATElement is the size of an element (key + value) in the NAT map. SizeofNATElement int // SizeofNeighElement is the size of an element (key + value) in the neigh // map. SizeofNeighElement int // SizeofSockRevElement is the size of an element (key + value) in the neigh // map. SizeofSockRevElement int // k8sEnableLeasesFallbackDiscovery enables k8s to fallback to API probing to check // for the support of Leases in Kubernetes when there is an error in discovering // API groups using Discovery API. // We require to check for Leases capabilities in operator only, which uses Leases for leader // election purposes in HA mode. // This is only enabled for cilium-operator K8sEnableLeasesFallbackDiscovery bool // LBMapEntries is the maximum number of entries allowed in BPF lbmap. LBMapEntries int // LBServiceMapEntries is the maximum number of entries allowed in BPF lbmap for services. LBServiceMapEntries int // LBBackendMapEntries is the maximum number of entries allowed in BPF lbmap for service backends. LBBackendMapEntries int // LBRevNatEntries is the maximum number of entries allowed in BPF lbmap for reverse NAT. LBRevNatEntries int // LBAffinityMapEntries is the maximum number of entries allowed in BPF lbmap for session affinities. LBAffinityMapEntries int // LBSourceRangeMapEntries is the maximum number of entries allowed in BPF lbmap for source ranges. LBSourceRangeMapEntries int // LBMaglevMapEntries is the maximum number of entries allowed in BPF lbmap for maglev. LBMaglevMapEntries int // K8sServiceProxyName is the value of service.kubernetes.io/service-proxy-name label, // that identifies the service objects Cilium should handle. // If the provided value is an empty string, Cilium will manage service objects when // the label is not present. For more details - // https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2447-Make-kube-proxy-service-abstraction-optional K8sServiceProxyName string // APIRateLimitName enables configuration of the API rate limits APIRateLimit map[string]string // CRDWaitTimeout is the timeout in which Cilium will exit if CRDs are not // available. CRDWaitTimeout time.Duration // EgressMultiHomeIPRuleCompat instructs Cilium to use a new scheme to // store rules and routes under ENI and Azure IPAM modes, if false. // Otherwise, it will use the old scheme. EgressMultiHomeIPRuleCompat bool // InstallNoConntrackIptRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic. InstallNoConntrackIptRules bool // EnableCustomCalls enables tail call hooks for user-defined custom // eBPF programs, typically used to collect custom per-endpoint // metrics. EnableCustomCalls bool // BGPAnnounceLBIP announces service IPs of type LoadBalancer via BGP. BGPAnnounceLBIP bool // BGPAnnouncePodCIDR announces the node's pod CIDR via BGP. BGPAnnouncePodCIDR bool // BGPConfigPath is the file path to the BGP configuration. It is // compatible with MetalLB's configuration. BGPConfigPath string // ExternalClusterIP enables routing to ClusterIP services from outside // the cluster. This mirrors the behaviour of kube-proxy. ExternalClusterIP bool // ARPPingRefreshPeriod is the ARP entries refresher period. ARPPingRefreshPeriod time.Duration // EnableCiliumEndpointSlice enables the cilium endpoint slicing feature. EnableCiliumEndpointSlice bool // ARPPingKernelManaged denotes whether kernel can auto-refresh Neighbor entries ARPPingKernelManaged bool // VLANBPFBypass list of explicitly allowed VLAN id's for bpf logic bypass VLANBPFBypass []int // EnableL2NeighDiscovery determines if cilium should perform L2 neighbor // discovery. EnableL2NeighDiscovery bool // EnableICMPRules enables ICMP-based rule support for Cilium Network Policies. EnableICMPRules bool // BypassIPAvailabilityUponRestore bypasses the IP availability error // within IPAM upon endpoint restore and allows the use of the restored IP // regardless of whether it's available in the pool. BypassIPAvailabilityUponRestore bool // EnableK8sTerminatingEndpoint enables auto-detect of terminating state for // Kubernetes service endpoints. EnableK8sTerminatingEndpoint bool // EnableVTEP enable Cilium VXLAN VTEP integration EnableVTEP bool // VtepEndpoints VTEP endpoint IPs VtepEndpoints []net.IP // VtepCIDRs VTEP CIDRs VtepCIDRs []*cidr.CIDR // VtepMask VTEP Mask VtepCidrMask net.IP // VtepMACs VTEP MACs VtepMACs []mac.MAC // TCFilterPriority sets the priority of the cilium tc filter, enabling other // filters to be inserted prior to the cilium filter. TCFilterPriority uint16 // Enables BGP control plane features. EnableBGPControlPlane bool // EnvoySecretNamespaces for TLS secrets. Used by CiliumEnvoyConfig via SDS. EnvoySecretNamespaces []string // BPFMapEventBuffers has configuration on what BPF map event buffers to enabled // and configuration options for those. BPFMapEventBuffers map[string]string BPFMapEventBuffersValidator func(val string) (string, error) `json:"-"` // EnableStaleCiliumEndpointCleanup enables cleanup routine during Cilium init. // This will attempt to remove local CiliumEndpoints that are not managed by Cilium // following Endpoint restoration. EnableStaleCiliumEndpointCleanup bool // IPAMCiliumNodeUpdateRate is the maximum rate at which the CiliumNode custom // resource is updated. IPAMCiliumNodeUpdateRate time.Duration // EnableK8sNetworkPolicy enables support for K8s NetworkPolicy. EnableK8sNetworkPolicy bool // contains filtered or unexported fields }
DaemonConfig is the configuration used by Daemon.
func (*DaemonConfig) AgentNotReadyNodeTaintValue ¶ added in v1.14.0
func (c *DaemonConfig) AgentNotReadyNodeTaintValue() string
AgentNotReadyNodeTaintValue returns the value of the taint key that cilium agents will manage on their nodes
func (*DaemonConfig) AlwaysAllowLocalhost ¶ added in v1.5.0
func (c *DaemonConfig) AlwaysAllowLocalhost() bool
AlwaysAllowLocalhost returns true if the daemon has the option set that localhost can always reach local endpoints
func (*DaemonConfig) AppendDevice ¶ added in v1.14.0
func (c *DaemonConfig) AppendDevice(dev string)
func (*DaemonConfig) AreDevicesRequired ¶ added in v1.14.0
func (c *DaemonConfig) AreDevicesRequired() bool
AreDevicesRequired returns true if the agent needs to attach to the native devices to implement some features.
func (*DaemonConfig) BGPControlPlaneEnabled ¶ added in v1.14.0
func (c *DaemonConfig) BGPControlPlaneEnabled() bool
func (*DaemonConfig) CiliumNamespaceName ¶ added in v1.14.0
func (c *DaemonConfig) CiliumNamespaceName() string
CiliumNamespaceName returns the name of the namespace in which Cilium is deployed in
func (*DaemonConfig) DirectRoutingDeviceRequired ¶ added in v1.14.0
func (c *DaemonConfig) DirectRoutingDeviceRequired() bool
DirectRoutingDeviceRequired return whether the Direct Routing Device is needed under the current configuration.
func (*DaemonConfig) EncryptionEnabled ¶ added in v1.14.0
func (c *DaemonConfig) EncryptionEnabled() bool
EncryptionEnabled returns true if encryption is enabled
func (*DaemonConfig) EndpointStatusIsEnabled ¶ added in v1.14.0
func (c *DaemonConfig) EndpointStatusIsEnabled(option string) bool
EndpointStatusIsEnabled returns true if a particular EndpointStatus* feature is enabled
func (*DaemonConfig) GetDevices ¶ added in v1.14.0
func (c *DaemonConfig) GetDevices() []string
func (*DaemonConfig) GetEventBufferConfig ¶ added in v1.14.0
func (d *DaemonConfig) GetEventBufferConfig(name string) BPFEventBufferConfig
GetEventBufferConfig returns either the relevant config for a map name, or a default one with enabled=false otherwise.
func (*DaemonConfig) GetGlobalsDir ¶ added in v1.5.0
func (c *DaemonConfig) GetGlobalsDir() string
GetGlobalsDir returns the path for the globals directory.
func (*DaemonConfig) GetIPv4NativeRoutingCIDR ¶ added in v1.14.0
func (c *DaemonConfig) GetIPv4NativeRoutingCIDR() (cidr *cidr.CIDR)
GetIPv4NativeRoutingCIDR returns the native routing CIDR if configured
func (*DaemonConfig) GetIPv6NativeRoutingCIDR ¶ added in v1.14.0
func (c *DaemonConfig) GetIPv6NativeRoutingCIDR() (cidr *cidr.CIDR)
GetIPv6NativeRoutingCIDR returns the native routing CIDR if configured
func (*DaemonConfig) GetNodeConfigPath ¶ added in v1.5.0
func (c *DaemonConfig) GetNodeConfigPath() string
GetNodeConfigPath returns the full path of the NodeConfigFile.
func (*DaemonConfig) HealthCheckingEnabled ¶ added in v1.14.0
func (c *DaemonConfig) HealthCheckingEnabled() bool
HealthCheckingEnabled returns true if health checking is enabled
func (*DaemonConfig) IPAMMode ¶ added in v1.14.0
func (c *DaemonConfig) IPAMMode() string
IPAMMode returns the IPAM mode
func (*DaemonConfig) IPv4Enabled ¶ added in v1.14.0
func (c *DaemonConfig) IPv4Enabled() bool
IPv4Enabled returns true if IPv4 is enabled
func (*DaemonConfig) IPv6Enabled ¶ added in v1.14.0
func (c *DaemonConfig) IPv6Enabled() bool
IPv6Enabled returns true if IPv6 is enabled
func (*DaemonConfig) IPv6NDPEnabled ¶ added in v1.14.0
func (c *DaemonConfig) IPv6NDPEnabled() bool
IPv6NDPEnabled returns true if IPv6 NDP support is enabled
func (*DaemonConfig) IptablesMasqueradingEnabled ¶ added in v1.14.0
func (c *DaemonConfig) IptablesMasqueradingEnabled() bool
IptablesMasqueradingEnabled returns true if iptables-based masquerading is enabled.
func (*DaemonConfig) IptablesMasqueradingIPv4Enabled ¶ added in v1.14.0
func (c *DaemonConfig) IptablesMasqueradingIPv4Enabled() bool
IptablesMasqueradingIPv4Enabled returns true if iptables-based masquerading is enabled for IPv4.
func (*DaemonConfig) IptablesMasqueradingIPv6Enabled ¶ added in v1.14.0
func (c *DaemonConfig) IptablesMasqueradingIPv6Enabled() bool
IptablesMasqueradingIPv6Enabled returns true if iptables-based masquerading is enabled for IPv6.
func (*DaemonConfig) IsExcludedLocalAddress ¶ added in v1.6.0
func (c *DaemonConfig) IsExcludedLocalAddress(ip net.IP) bool
IsExcludedLocalAddress returns true if the specified IP matches one of the excluded local IP ranges
func (*DaemonConfig) IsPodSubnetsDefined ¶ added in v1.6.0
func (c *DaemonConfig) IsPodSubnetsDefined() bool
IsPodSubnetsDefined returns true if encryption subnets should be configured at init time.
func (*DaemonConfig) K8sGatewayAPIEnabled ¶ added in v1.14.0
func (c *DaemonConfig) K8sGatewayAPIEnabled() bool
K8sGatewayAPIEnabled returns true if Gateway API feature is enabled in Cilium
func (*DaemonConfig) K8sIngressControllerEnabled ¶ added in v1.14.0
func (c *DaemonConfig) K8sIngressControllerEnabled() bool
K8sIngressControllerEnabled returns true if ingress controller feature is enabled in Cilium
func (*DaemonConfig) K8sNetworkPolicyEnabled ¶ added in v1.14.0
func (c *DaemonConfig) K8sNetworkPolicyEnabled() bool
K8sNetworkPolicyEnabled returns true if cilium agent needs to support K8s NetworkPolicy, false otherwise.
func (*DaemonConfig) K8sServiceProxyNameValue ¶ added in v1.14.0
func (c *DaemonConfig) K8sServiceProxyNameValue() string
K8sServiceProxyName returns the required value for the service.kubernetes.io/service-proxy-name label in order for services to be handled.
func (*DaemonConfig) KubeProxyReplacementFullyEnabled ¶ added in v1.14.0
func (c *DaemonConfig) KubeProxyReplacementFullyEnabled() bool
KubeProxyReplacementFullyEnabled returns true if Cilium is _effectively_ running in full KPR mode.
func (*DaemonConfig) LocalClusterID ¶ added in v1.14.0
func (c *DaemonConfig) LocalClusterID() uint32
LocalClusterID returns the ID of the cluster local to the Cilium agent.
func (*DaemonConfig) LocalClusterName ¶ added in v1.14.0
func (c *DaemonConfig) LocalClusterName() string
LocalClusterName returns the name of the cluster Cilium is deployed in
func (*DaemonConfig) MasqueradingEnabled ¶ added in v1.14.0
func (c *DaemonConfig) MasqueradingEnabled() bool
MasqueradingEnabled returns true if either IPv4 or IPv6 masquerading is enabled.
func (*DaemonConfig) NodeEncryptionEnabled ¶ added in v1.14.0
func (c *DaemonConfig) NodeEncryptionEnabled() bool
NodeEncryptionEnabled returns true if node encryption is enabled
func (*DaemonConfig) NodeIpsetNeeded ¶ added in v1.14.0
func (c *DaemonConfig) NodeIpsetNeeded() bool
NodeIpsetNeeded returns true if a node ipsets should be used to skip masquerading for traffic to cluster nodes.
func (*DaemonConfig) Populate ¶ added in v1.5.0
func (c *DaemonConfig) Populate(vp *viper.Viper)
Populate sets all options with the values from viper
func (*DaemonConfig) RemoteNodeIdentitiesEnabled ¶ added in v1.14.0
func (c *DaemonConfig) RemoteNodeIdentitiesEnabled() bool
RemoteNodeIdentitiesEnabled returns true if the remote-node identity feature is enabled
func (*DaemonConfig) SCTPEnabled ¶ added in v1.14.0
func (c *DaemonConfig) SCTPEnabled() bool
SCTPEnabled returns true if SCTP support is enabled
func (*DaemonConfig) SetDevices ¶ added in v1.14.0
func (c *DaemonConfig) SetDevices(devices []string)
func (*DaemonConfig) SetIPv4NativeRoutingCIDR ¶ added in v1.6.0
func (c *DaemonConfig) SetIPv4NativeRoutingCIDR(cidr *cidr.CIDR)
SetIPv4NativeRoutingCIDR sets the native routing CIDR
func (*DaemonConfig) SetIPv6NativeRoutingCIDR ¶ added in v1.14.0
func (c *DaemonConfig) SetIPv6NativeRoutingCIDR(cidr *cidr.CIDR)
SetIPv6NativeRoutingCIDR sets the native routing CIDR
func (*DaemonConfig) SetMapElementSizes ¶ added in v1.14.0
func (c *DaemonConfig) SetMapElementSizes( sizeofCTElement, sizeofNATElement, sizeofNeighElement, sizeofSockRevElement int)
SetMapElementSizes sets the BPF map element sizes (key + value) used for dynamic BPF map size calculations in calculateDynamicBPFMapSizes.
func (*DaemonConfig) StoreInFile ¶ added in v1.14.0
func (c *DaemonConfig) StoreInFile(dir string) error
StoreInFile stores the configuration in a the given directory under the file name 'daemon-config.json'. If this file already exists, it is renamed to 'daemon-config-1.json', if 'daemon-config-1.json' also exists, 'daemon-config-1.json' is renamed to 'daemon-config-2.json'
func (*DaemonConfig) TracingEnabled ¶ added in v1.5.0
func (c *DaemonConfig) TracingEnabled() bool
TracingEnabled returns if tracing policy (outlining which rules apply to a specific set of labels) is enabled.
func (*DaemonConfig) TunnelDevice ¶ added in v1.14.0
func (c *DaemonConfig) TunnelDevice() string
TunnelDevice returns cilium_{vxlan,geneve} depending on the config or "" if disabled.
func (*DaemonConfig) TunnelExists ¶ added in v1.14.0
func (c *DaemonConfig) TunnelExists() bool
TunnelExists returns true if some traffic may go through a tunnel, including if the primary mode is native routing. For example, in the egress gateway, we may send such traffic to a gateway node via a tunnel.
func (*DaemonConfig) TunnelingEnabled ¶ added in v1.14.0
func (c *DaemonConfig) TunnelingEnabled() bool
TunnelingEnabled returns true if tunneling is enabled, i.e. not set to "disabled".
func (*DaemonConfig) UnreachableRoutesEnabled ¶ added in v1.14.0
func (c *DaemonConfig) UnreachableRoutesEnabled() bool
UnreachableRoutesEnabled returns true if unreachable routes is enabled
type FormatFunc ¶ added in v1.5.0
type FormatFunc func(value OptionSetting) string
FormatFunc formats the specified value as textual representation option.
type IntOptions ¶ added in v1.5.0
type IntOptions struct { Opts OptionMap `json:"map"` Library *OptionLibrary `json:"-"` // contains filtered or unexported fields }
IntOptions member functions with external access do not require locking by the caller, while functions with internal access presume the caller to have taken care of any locking needed.
func NewIntOptions ¶ added in v1.5.0
func NewIntOptions(lib *OptionLibrary) *IntOptions
func (*IntOptions) ApplyValidated ¶ added in v1.5.0
func (o *IntOptions) ApplyValidated(n OptionMap, changed ChangedFunc, data interface{}) int
ApplyValidated takes a configuration map and applies the changes. For an option which is changed, the `ChangedFunc` function is called with the `data` argument passed in as well. Returns the number of options changed if any.
The caller is expected to have validated the configuration options prior to calling this function.
func (*IntOptions) DeepCopy ¶ added in v1.5.0
func (o *IntOptions) DeepCopy() *IntOptions
func (*IntOptions) Delete ¶ added in v1.5.0
func (o *IntOptions) Delete(key string)
func (*IntOptions) Dump ¶ added in v1.5.0
func (o *IntOptions) Dump()
func (*IntOptions) GetFmtList ¶ added in v1.5.0
func (o *IntOptions) GetFmtList() string
func (*IntOptions) GetImmutableModel ¶ added in v1.5.0
func (o *IntOptions) GetImmutableModel() *models.ConfigurationMap
GetImmutableModel returns the set of immutable options as a ConfigurationMap API model.
func (*IntOptions) GetMutableModel ¶ added in v1.5.0
func (o *IntOptions) GetMutableModel() *models.ConfigurationMap
GetMutableModel returns the set of mutable options as a ConfigurationMap API model.
func (*IntOptions) GetValue ¶ added in v1.5.0
func (o *IntOptions) GetValue(key string) OptionSetting
func (*IntOptions) InheritDefault ¶ added in v1.5.0
func (o *IntOptions) InheritDefault(parent *IntOptions, key string)
func (*IntOptions) IsEnabled ¶ added in v1.5.0
func (o *IntOptions) IsEnabled(key string) bool
func (*IntOptions) SetBool ¶ added in v1.5.0
func (o *IntOptions) SetBool(key string, value bool)
SetBool sets the specified option to Enabled.
func (*IntOptions) SetIfUnset ¶ added in v1.5.0
func (o *IntOptions) SetIfUnset(key string, value OptionSetting)
func (*IntOptions) SetValidated ¶ added in v1.5.0
func (o *IntOptions) SetValidated(key string, value OptionSetting)
SetValidated sets the option `key` to the specified value. The caller is expected to have validated the input to this function.
func (*IntOptions) Validate ¶ added in v1.5.0
func (o *IntOptions) Validate(n models.ConfigurationMap) error
Validate validates a given configuration map based on the option library
type MapOptions ¶ added in v0.10.0
type MapOptions struct {
// contains filtered or unexported fields
}
MapOptions holds a map of values and a validation function.
func NewMapOpts ¶ added in v0.10.0
func NewMapOpts(values map[string]string, validator Validator) *MapOptions
NewMapOpts creates a new MapOpts with the specified map of values and an optional validator.
func (*MapOptions) Set ¶ added in v0.10.0
func (opts *MapOptions) Set(value string) error
Set validates, if needed, the input value and adds it to the internal map, by splitting on '='.
func (*MapOptions) String ¶ added in v0.10.0
func (opts *MapOptions) String() string
func (*MapOptions) Type ¶ added in v0.10.0
func (opts *MapOptions) Type() string
Type returns a string name for this Option type
type MonitorAggregationLevel ¶ added in v1.5.0
type MonitorAggregationLevel OptionSetting
MonitorAggregationLevel represents a level of aggregation for monitor events from the datapath. Low values represent no aggregation, that is, to increase the number of events emitted from the datapath; Higher values represent more aggregation, to minimize the number of events emitted from the datapath.
The MonitorAggregationLevel does not affect the Debug option in the daemon or endpoint, so debug notifications will continue uninhibited by this setting.
type NamedMapOptions ¶ added in v0.10.0
type NamedMapOptions struct { MapOptions // contains filtered or unexported fields }
NamedMapOptions is a MapOptions struct with a configuration name. This struct is useful to keep reference to the assigned field name in the internal configuration struct.
func NewNamedMapOptions ¶ added in v0.10.0
func NewNamedMapOptions(name string, values *map[string]string, validator Validator) *NamedMapOptions
NewNamedMapOptions creates a reference to a new NamedMapOpts struct.
type Option ¶
type Option struct { // Define is the name of the #define used for BPF programs Define string // Description is a short human readable description Description string // Immutable marks an option which is read-only Immutable bool // Requires is a list of required options, such options will be // automatically enabled as required. Requires []string // Parse is called to parse the option. If not specified, defaults to // NormalizeBool(). Parse ParseFunc // FormatFunc is called to format the value for an option. If not // specified, defaults to formatting 0 as "Disabled" and other values // as "Enabled". Format FormatFunc // Verify is called prior to applying the option Verify VerifyFunc }
Option is the structure used to specify the semantics of a configurable boolean option
func (Option) RequiresOption ¶
RequiresOption returns true if the option requires the specified option `name`.
type OptionLibrary ¶
func GetEndpointMutableOptionLibrary ¶ added in v1.5.0
func GetEndpointMutableOptionLibrary() OptionLibrary
func (OptionLibrary) Define ¶
func (l OptionLibrary) Define(name string) string
func (*OptionLibrary) ValidateConfigurationMap ¶ added in v1.5.0
func (l *OptionLibrary) ValidateConfigurationMap(n models.ConfigurationMap) (OptionMap, error)
ValidateConfigurationMap validates a given configuration map based on the option library
type OptionMap ¶
type OptionMap map[string]OptionSetting
type OptionSetting ¶ added in v1.5.0
type OptionSetting int
OptionSetting specifies the different choices each Option has.
const ( // MonitorAggregationLevelNone represents no aggregation in the // datapath; all packets will be monitored. MonitorAggregationLevelNone OptionSetting = 0 // MonitorAggregationLevelLow represents aggregation of monitor events // to emit a maximum of one trace event per packet. Trace events when // packets are received are disabled. MonitorAggregationLevelLowest OptionSetting = 1 // MonitorAggregationLevelLow is the same as // MonitorAggregationLevelLowest, but may aggregate additional traffic // in future. MonitorAggregationLevelLow OptionSetting = 2 // MonitorAggregationLevelMedium represents aggregation of monitor // events to only emit notifications periodically for each connection // unless there is new information (eg, a TCP connection is closed). MonitorAggregationLevelMedium OptionSetting = 3 // MonitorAggregationLevelMax is the maximum level of aggregation // currently supported. MonitorAggregationLevelMax OptionSetting = 4 )
const ( OptionDisabled OptionSetting = iota OptionEnabled )
func NormalizeBool ¶
func NormalizeBool(value string) (OptionSetting, error)
func ParseDaemonOption ¶ added in v1.5.0
func ParseDaemonOption(opt string) (string, OptionSetting, error)
ParseDaemonOption parses a string as daemon option
func ParseKeyValue ¶ added in v1.5.0
func ParseKeyValue(lib *OptionLibrary, arg, value string) (string, OptionSetting, error)
func ParseMonitorAggregationLevel ¶ added in v1.5.0
func ParseMonitorAggregationLevel(value string) (OptionSetting, error)
ParseMonitorAggregationLevel turns a string into a monitor aggregation level. The string may contain an integer value or a string representation of a particular monitor aggregation level.
func ParseOption ¶
func ParseOption(arg string, lib *OptionLibrary) (string, OptionSetting, error)
type ParseFunc ¶ added in v1.5.0
type ParseFunc func(value string) (OptionSetting, error)
ParseFunc parses the option value and may return an error if the option cannot be parsed or applied.
type VerifyFunc ¶
VerifyFunc validates option key with value and may return an error if the option should not be applied