API Reference

Introduction

The Cilium API is JSON based and provided by the cilium-agent. The purpose of the API is to provide visibility and control over an individual agent instance. In general, all API calls affect only the resources managed by the individual cilium-agent serving the API. A few selected API calls such as the security identity resolution provides cluster wide visibility. Such API calls are marked specifically. Unless noted otherwise, API calls will only affect local agent resources.

How to access the API

CLI Client

The easiest way to access the API is via the cilium CLI client. cilium will automatically locate the API of the agent running on the same node and access it. However, using the -H or --host flag, the cilium client can be pointed to an arbitrary API address.

Example

  1. $ cilium -H unix:///var/run/cilium/cilium.sock
  2. [...]

Golang Package

The following Go packages can be used to access the API:

PackageDescription
pkg/clientMain client API abstraction
api/v1/modelsAPI resource data type models

Example

The full example can be found in the cilium/client-example repository.

  1. import (
  2.         "fmt"
  4.         "github.com/cilium/cilium/pkg/client"
  5. )
  7. func main() {
  8.         c, err := client.NewDefaultClient()
  9.         if err != nil {
  10.                 ...
  11.         }
  13.         endpoints, err := c.EndpointList()
  14.         if err != nil {
  15.                 ...
  16.         }
  18.         for _, ep := range endpoints {
  19.                 fmt.Printf("%8d %14s %16s %32s\n", ep.ID, ep.ContainerName, ep.Addressing.IPV4, ep.Addressing.IPV6)
  20.         }

Compatibility Guarantees

Cilium API is stable as of version 1.0, backward compatibility will be upheld for whole lifecycle of Cilium 1.x.

API Reference

GET /cluster/nodes

Get nodes information stored in the cilium-agent

Status Codes:
Request Headers:
 
  • client-id – Client UUID should be used when the client wants to request a diff of nodes added and / or removed since the last time that client has made a request.

GET /healthz

Get health of Cilium daemon

Returns health and status information of the Cilium daemon and related components such as the local container runtime, connected datastore, Kubernetes integration and Hubble.

Status Codes:
Request Headers:
 
  • brief – Brief will return a brief representation of the Cilium status.

GET /config

Get configuration of Cilium daemon

Returns the configuration of the Cilium daemon.

Status Codes:

PATCH /config

Modify daemon configuration

Updates the daemon configuration by applying the provided ConfigurationMap and regenerates & recompiles all required datapath components.

Status Codes:

GET /endpoint/{id}

Get endpoint by endpoint ID

Returns endpoint information

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

PUT /endpoint/{id}

Create endpoint

Creates a new endpoint

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

PATCH /endpoint/{id}

Modify existing endpoint

Applies the endpoint change request to an existing endpoint

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

DELETE /endpoint/{id}

Delete endpoint

Deletes the endpoint specified by the ID. Deletion is imminent and atomic, if the deletion request is valid and the endpoint exists, deletion will occur even if errors are encountered in the process. If errors have been encountered, the code 202 will be returned, otherwise 200 on success.

All resources associated with the endpoint will be freed and the workload represented by the endpoint will be disconnected.It will no longer be able to initiate or receive communications of any sort.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

GET /endpoint

Retrieves a list of endpoints that have metadata matching the provided parameters.

Retrieves a list of endpoints that have metadata matching the provided parameters, or all endpoints if no parameters provided.

Status Codes:

GET /endpoint/{id}/config

Retrieve endpoint configuration

Retrieves the configuration of the specified endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

PATCH /endpoint/{id}/config

Modify mutable endpoint configuration

Update the configuration of an existing endpoint and regenerates & recompiles the corresponding programs automatically.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

GET /endpoint/{id}/labels

Retrieves the list of labels associated with an endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

PATCH /endpoint/{id}/labels

Set label configuration of endpoint

Sets labels associated with an endpoint. These can be user provided or derived from the orchestration system.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

GET /endpoint/{id}/log

Retrieves the status logs associated with this endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

GET /endpoint/{id}/healthz

Retrieves the status logs associated with this endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Status Codes:

GET /identity

Retrieves a list of identities that have metadata matching the provided parameters.

Retrieves a list of identities that have metadata matching the provided parameters, or all identities if no parameters are provided.

Status Codes:
  • 200 OK – Success
  • 404 Not Found – Identities with provided parameters not found
  • 520 – Identity storage unreachable. Likely a network problem.
  • 521 – Invalid identity format in storage

GET /identity/{id}

Retrieve identity

Parameters:
  • id (string) – Cluster wide unique identifier of a security identity.
Status Codes:
  • 200 OK – Success
  • 400 Bad Request – Invalid identity provided
  • 404 Not Found – Identity not found
  • 520 – Identity storage unreachable. Likely a network problem.
  • 521 – Invalid identity format in storage

GET /identity/endpoints

Retrieve identities which are being used by local endpoints

Status Codes:
  • 200 OK – Success
  • 404 Not Found – Set of identities which are being used by local endpoints could not be found.

POST /ipam

Allocate an IP address

Query Parameters:
 
  • family (string) –
  • owner (string) –
Status Codes:
Request Headers:
 
  • expiration

POST /ipam/{ip}

Allocate an IP address

Parameters:
  • ip (string) – IP address
Query Parameters:
 
  • owner (string) –
Status Codes:

DELETE /ipam/{ip}

Release an allocated IP address

Parameters:
  • ip (string) – IP address or owner name
Status Codes:

GET /policy

Retrieve entire policy tree

Returns the entire policy tree with all children.

Status Codes:

PUT /policy

Create or update a policy (sub)tree

Status Codes:

DELETE /policy

Delete a policy (sub)tree

Status Codes:

GET /policy/resolve

Resolve policy for an identity context

Status Codes:

GET /policy/selectors

See what selectors match which identities

Status Codes:

GET /lrp

Retrieve list of all local redirect policies

Status Codes:

GET /service

Retrieve list of all services

Status Codes:

GET /service/{id}

Retrieve configuration of a service

Parameters:
  • id (integer) – ID of service
Status Codes:

PUT /service/{id}

Create or update service

Parameters:
  • id (integer) – ID of service
Status Codes:

DELETE /service/{id}

Delete a service

Parameters:
  • id (integer) – ID of service
Status Codes:

GET /recorder

Retrieve list of all recorders

Status Codes:

GET /recorder/masks

Retrieve list of all recorder masks

Status Codes:

GET /recorder/{id}

Retrieve configuration of a recorder

Parameters:
  • id (integer) – ID of recorder
Status Codes:

PUT /recorder/{id}

Create or update recorder

Parameters:
  • id (integer) – ID of recorder
Status Codes:

DELETE /recorder/{id}

Delete a recorder

Parameters:
  • id (integer) – ID of recorder
Status Codes:

GET /prefilter

Retrieve list of CIDRs

Status Codes:

PATCH /prefilter

Update list of CIDRs

Status Codes:

DELETE /prefilter

Delete list of CIDRs

Status Codes:

GET /debuginfo

Retrieve information about the agent and evironment for debugging

Status Codes:

GET /map

List all open maps

Status Codes:

GET /map/{name}

Retrieve contents of BPF map

Parameters:
  • name (string) – Name of map
Status Codes:

GET /metrics/

Retrieve cilium metrics

Status Codes:

GET /fqdn/cache

Retrieves the list of DNS lookups intercepted from all endpoints.

Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by endpoint id, DNS name, or CIDR IP range.

Query Parameters:
 
  • matchpattern (string) – A toFQDNs compatible matchPattern expression
  • cidr (string) – A CIDR range of IPs
Status Codes:

DELETE /fqdn/cache

Deletes matching DNS lookups from the policy-generation cache.

Deletes matching DNS lookups from the cache, optionally restricted by DNS name. The removed IP data will no longer be used in generated policies.

Query Parameters:
 
  • matchpattern (string) – A toFQDNs compatible matchPattern expression
Status Codes:

GET /fqdn/cache/{id}

Retrieves the list of DNS lookups intercepted from an endpoint.

Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by endpoint id, DNS name, or CIDR IP range.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

  • Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
    • container-id: Container runtime ID, e.g. container-id:22222
    • container-name: Container name, e.g. container-name:foobar
    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar
    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
Query Parameters:
 
  • matchpattern (string) – A toFQDNs compatible matchPattern expression
  • cidr (string) – A CIDR range of IPs
Status Codes:

GET /fqdn/names

List internal DNS selector representations

Retrieves the list of DNS-related fields (names to poll, selectors and their corresponding regexes).

Status Codes:

GET /ip

Lists information about known IP addresses

Retrieves a list of IPs with known associated information such as their identities, host addresses, Kubernetes pod names, etc. The list can optionally filtered by a CIDR IP range.

Query Parameters:
 
  • cidr (string) – A CIDR range of IPs
Status Codes: