我的书签
添加书签
移除书签cilium-agent
Run the cilium agent
cilium-agent [flags]
Options
--agent-health-port int TCP port for agent health status API (default 9879)--agent-labels strings Additional labels to identify this agent--agent-not-ready-taint-key string Key of the taint indicating that Cilium is not ready on the node (default "node.cilium.io/agent-not-ready")--allocator-list-timeout duration Timeout for listing allocator state before exiting (default 3m0s)--allow-icmp-frag-needed Allow ICMP Fragmentation Needed type packets for purposes like TCP Path MTU. (default true)--allow-localhost string Policy when to allow local stack to reach local endpoints { auto | always | policy } (default "auto")--annotate-k8s-node Annotate Kubernetes node (default true)--api-rate-limit map API rate limiting configuration (example: --rate-limit endpoint-create=rate-limit:10/m,rate-burst:2)--arping-refresh-period duration Period for remote node ARP entry refresh (set 0 to disable) (default 30s)--auto-create-cilium-node-resource Automatically create CiliumNode resource for own node on startup (default true)--auto-direct-node-routes Enable automatic L2 routing between nodes--bgp-announce-lb-ip Announces service IPs of type LoadBalancer via BGP--bgp-announce-pod-cidr Announces the node's pod CIDR via BGP--bgp-config-path string Path to file containing the BGP configuration (default "/var/lib/cilium/bgp/config.yaml")--bpf-ct-global-any-max int Maximum number of entries in non-TCP CT table (default 262144)--bpf-ct-global-tcp-max int Maximum number of entries in TCP CT table (default 524288)--bpf-ct-timeout-regular-any duration Timeout for entries in non-TCP CT table (default 1m0s)--bpf-ct-timeout-regular-tcp duration Timeout for established entries in TCP CT table (default 6h0m0s)--bpf-ct-timeout-regular-tcp-fin duration Teardown timeout for entries in TCP CT table (default 10s)--bpf-ct-timeout-regular-tcp-syn duration Establishment timeout for entries in TCP CT table (default 1m0s)--bpf-ct-timeout-service-any duration Timeout for service entries in non-TCP CT table (default 1m0s)--bpf-ct-timeout-service-tcp duration Timeout for established service entries in TCP CT table (default 6h0m0s)--bpf-fragments-map-max int Maximum number of entries in fragments tracking map (default 8192)--bpf-lb-acceleration string BPF load balancing acceleration via XDP ("native", "disabled") (default "disabled")--bpf-lb-algorithm string BPF load balancing algorithm ("random", "maglev") (default "random")--bpf-lb-dev-ip-addr-inherit string Device name which IP addr is inherited by devices running LB BPF program (--devices)--bpf-lb-dsr-dispatch string BPF load balancing DSR dispatch method ("opt", "ipip") (default "opt")--bpf-lb-dsr-l4-xlate string BPF load balancing DSR L4 DNAT method for IPIP ("frontend", "backend") (default "frontend")--bpf-lb-external-clusterip Enable external access to ClusterIP services (default false)--bpf-lb-maglev-hash-seed string Maglev cluster-wide hash seed (base64 encoded) (default "JLfvgnHc2kaSUFaI")--bpf-lb-maglev-table-size uint Maglev per service backend table size (parameter M) (default 16381)--bpf-lb-map-max int Maximum number of entries in Cilium BPF lbmap (default 65536)--bpf-lb-mode string BPF load balancing mode ("snat", "dsr", "hybrid") (default "snat")--bpf-lb-rss-ipv4-src-cidr string BPF load balancing RSS outer source IPv4 CIDR prefix for IPIP--bpf-lb-rss-ipv6-src-cidr string BPF load balancing RSS outer source IPv6 CIDR prefix for IPIP--bpf-lb-sock-hostns-only Skip socket LB for services when inside a pod namespace, in favor of service LB at the pod interface. Socket LB is still used when in the host namespace. Required by service mesh (e.g., Istio, Linkerd).--bpf-map-dynamic-size-ratio float Ratio (0.0-1.0) of total system memory to use for dynamic sizing of CT, NAT and policy BPF maps. Set to 0.0 to disable dynamic BPF map sizing (default: 0.0)--bpf-nat-global-max int Maximum number of entries for the global BPF NAT table (default 524288)--bpf-neigh-global-max int Maximum number of entries for the global BPF neighbor table (default 524288)--bpf-policy-map-max int Maximum number of entries in endpoint policy map (per endpoint) (default 16384)--bpf-root string Path to BPF filesystem--bpf-sock-rev-map-max int Maximum number of entries for the SockRevNAT BPF map (default 262144)--certificates-directory string Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs")--cgroup-root string Path to Cgroup2 filesystem--cluster-health-port int TCP port for cluster-wide network connectivity health API (default 4240)--cluster-id int Unique identifier of the cluster--cluster-name string Name of the cluster (default "default")--clustermesh-config string Path to the ClusterMesh configuration directory--config string Configuration file (default "$HOME/ciliumd.yaml")--config-dir string Configuration directory that contains a file for each option--conntrack-gc-interval duration Overwrite the connection-tracking garbage collection interval--crd-wait-timeout duration Cilium will exit if CRDs are not available within this duration upon startup (default 5m0s)--datapath-mode string Datapath mode name (default "veth")-D, --debug Enable debugging mode--debug-verbose strings List of enabled verbose debug groups--devices strings List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'--direct-routing-device string Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF fast redirect; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)--disable-cnp-status-updates Do not send CNP NodeStatus updates to the Kubernetes api-server (recommended to run with "cnp-node-status-gc-interval=0" in cilium-operator)--disable-conntrack Disable connection tracking--disable-endpoint-crd Disable use of CiliumEndpoint CRD--disable-iptables-feeder-rules strings Chains to ignore when installing feeder rules.--dns-max-ips-per-restored-rule int Maximum number of IPs to maintain for each restored DNS rule (default 1000)--dnsproxy-concurrency-limit int Limit concurrency of DNS message processing--dnsproxy-concurrency-processing-grace-period duration Grace time to wait when DNS proxy concurrent limit has been reached during DNS message processing--egress-masquerade-interfaces string Limit egress masquerading to interface selector--egress-multi-home-ip-rule-compat Offset routing table IDs under ENI IPAM mode to avoid collisions with reserved table IDs. If false, the offset is performed (new scheme), otherwise, the old scheme stays in-place.--enable-auto-protect-node-port-range Append NodePort range to net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port range (net.ipv4.ip_local_port_range) (default true)--enable-bandwidth-manager Enable BPF bandwidth manager--enable-bpf-clock-probe Enable BPF clock source probing for more efficient tick retrieval--enable-bpf-masquerade Masquerade packets from endpoints leaving the host with BPF instead of iptables--enable-bpf-tproxy Enable BPF-based proxy redirection, if support available--enable-cilium-endpoint-slice If set to true, CiliumEndpointSlice feature is enabled and cilium agent watch for CiliumEndpointSlice instead of CiliumEndpoint to update the IPCache.--enable-custom-calls Enable tail call hooks for custom eBPF programs--enable-endpoint-health-checking Enable connectivity health checking between virtual endpoints (default true)--enable-endpoint-routes Use per endpoint routes instead of routing via cilium_host--enable-external-ips Enable k8s service externalIPs feature (requires enabling enable-node-port) (default true)--enable-health-check-nodeport Enables a healthcheck nodePort server for NodePort services with 'healthCheckNodePort' being set (default true)--enable-health-checking Enable connectivity health checking (default true)--enable-host-firewall Enable host network policies--enable-host-legacy-routing Enable the legacy host forwarding model which does not bypass upper stack in host namespace--enable-host-port Enable k8s hostPort mapping feature (requires enabling enable-node-port) (default true)--enable-host-reachable-services Enable reachability of services for host applications--enable-hubble Enable hubble server--enable-hubble-recorder-api Enable the Hubble recorder API (default true)--enable-identity-mark Enable setting identity mark for local traffic (default true)--enable-ip-masq-agent Enable BPF ip-masq-agent--enable-ipsec Enable IPSec support--enable-ipv4 Enable IPv4 support (default true)--enable-ipv4-egress-gateway Enable egress gateway for IPv4--enable-ipv4-fragment-tracking Enable IPv4 fragments tracking for L4-based lookups (default true)--enable-ipv4-masquerade Masquerade IPv4 traffic from endpoints leaving the host (default true)--enable-ipv6 Enable IPv6 support (default true)--enable-ipv6-masquerade Masquerade IPv6 traffic from endpoints leaving the host (default true)--enable-ipv6-ndp Enable IPv6 NDP support--enable-k8s-api-discovery Enable discovery of Kubernetes API groups and resources with the discovery API--enable-k8s-endpoint-slice Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)--enable-k8s-event-handover Enable k8s event handover to kvstore for improved scalability--enable-k8s-terminating-endpoint Enable auto-detect of terminating endpoint condition (default true)--enable-l2-neigh-discovery Enables L2 neighbor discovery used by kube-proxy-replacement and IPsec (default true)--enable-l7-proxy Enable L7 proxy for L7 policy enforcement (default true)--enable-local-node-route Enable installation of the route which points the allocation prefix of the local node (default true)--enable-local-redirect-policy Enable Local Redirect Policy--enable-monitor Enable the monitor unix domain socket server (default true)--enable-node-port Enable NodePort type services by Cilium--enable-policy string Enable policy enforcement (default "default")--enable-recorder Enable BPF datapath pcap recorder--enable-remote-node-identity Enable use of remote node identity--enable-service-topology Enable support for service topology aware hints--enable-session-affinity Enable support for service session affinity--enable-svc-source-range-check Enable check of service source ranges (currently, only for LoadBalancer) (default true)--enable-tracing Enable tracing while determining policy (debugging)--enable-well-known-identities Enable well-known identities for known Kubernetes components (default true)--enable-wireguard Enable wireguard--enable-wireguard-userspace-fallback Enables the fallback to the wireguard userspace implementation--enable-xdp-prefilter Enable XDP prefiltering--enable-xt-socket-fallback Enable fallback for missing xt_socket module (default true)--encrypt-interface string Transparent encryption interface--encrypt-node Enables encrypting traffic from non-Cilium pods and host networking--endpoint-interface-name-prefix string Prefix of interface name shared by all endpoints (default "lxc+")--endpoint-queue-size int size of EventQueue per-endpoint (default 25)--endpoint-status strings Enable additional CiliumEndpoint status features (controllers,health,log,policy,state)--envoy-log string Path to a separate Envoy log file, if any--exclude-local-address strings Exclude CIDR from being recognized as local address--fixed-identity-mapping map Key-value for the fixed identity mapping which allows to use reserved label for fixed identities, e.g. 128=kv-store,129=kube-dns--force-local-policy-eval-at-source Force policy evaluation of all local communication at the source endpoint (default true)--gops-port int Port for gops server to listen on (default 9890)-h, --help help for cilium-agent--host-reachable-services-protos strings Only enable reachability of services for host applications for specific protocols (default [tcp,udp])--http-idle-timeout uint Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)--http-max-grpc-timeout uint Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)--http-normalize-path Use Envoy HTTP path normalization options, which currently includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and redirecting for paths that contain escaped slashes. These are necessary to keep path based access control functional, and should not interfere with normal operation. Set this to false only with caution. (default true)--http-request-timeout uint Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)--http-retry-count uint Number of retries performed after a forwarded request attempt fails (default 3)--http-retry-timeout uint Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)--hubble-disable-tls Allow Hubble server to run on the given listen address without TLS.--hubble-event-buffer-capacity int Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535 (ie: 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)--hubble-event-queue-size int Buffer size of the channel to receive monitor events.--hubble-export-file-compress Compress rotated Hubble export files.--hubble-export-file-max-backups int Number of rotated Hubble export files to keep. (default 5)--hubble-export-file-max-size-mb int Size in MB at which to rotate Hubble export file. (default 10)--hubble-export-file-path string Filepath to write Hubble events to.--hubble-listen-address string An additional address for Hubble server to listen to, e.g. ":4244"--hubble-metrics strings List of Hubble metrics to enable.--hubble-metrics-server string Address to serve Hubble metrics on.--hubble-recorder-sink-queue-size int Queue size of each Hubble recorder sink (default 1024)--hubble-recorder-storage-path string Directory in which pcap files created via the Hubble Recorder API are stored (default "/var/run/cilium/pcaps")--hubble-socket-path string Set hubble's socket path to listen for connections (default "/var/run/cilium/hubble.sock")--hubble-tls-cert-file string Path to the public key file for the Hubble server. The file must contain PEM encoded data.--hubble-tls-client-ca-files strings Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.--hubble-tls-key-file string Path to the private key file for the Hubble server. The file must contain PEM encoded data.--identity-allocation-mode string Method to use for identity allocation (default "kvstore")--identity-change-grace-period duration Time to wait before using new identity on endpoint identity change (default 5s)--identity-restore-grace-period duration Time to wait before releasing unused restored CIDR identities during agent restart (default 10m0s)--install-iptables-rules Install base iptables rules for cilium to mainly interact with kube-proxy (and masquerading) (default true)--install-no-conntrack-iptables-rules Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup.--ip-allocation-timeout duration Time after which an incomplete CIDR allocation is considered failed (default 2m0s)--ip-masq-agent-config-path string ip-masq-agent configuration file path (default "/etc/config/ip-masq-agent")--ipam string Backend to use for IPAM (default "cluster-pool")--ipsec-key-file string Path to IPSec key file--iptables-lock-timeout duration Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)--iptables-random-fully Set iptables flag random-fully on masquerading rules--ipv4-native-routing-cidr string Allows to explicitly specify the IPv4 CIDR for native routing. This value corresponds to the configured cluster-cidr.--ipv4-node string IPv4 address of node (default "auto")--ipv4-pod-subnets strings List of IPv4 pod subnets to preconfigure for encryption--ipv4-range string Per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 (default "auto")--ipv4-service-loopback-address string IPv4 address for service loopback SNAT (default "169.254.42.1")--ipv4-service-range string Kubernetes IPv4 services CIDR if not inside cluster prefix (default "auto")--ipv6-cluster-alloc-cidr string IPv6 /64 CIDR used to allocate per node endpoint /96 CIDR (default "f00d::/64")--ipv6-mcast-device string Device that joins a Solicited-Node multicast group for IPv6--ipv6-node string IPv6 address of node (default "auto")--ipv6-pod-subnets strings List of IPv6 pod subnets to preconfigure for encryption--ipv6-range string Per-node IPv6 endpoint prefix, e.g. fd02:1:1::/96 (default "auto")--ipv6-service-range string Kubernetes IPv6 services CIDR if not inside cluster prefix (default "auto")--join-cluster Join a Cilium cluster via kvstore registration--k8s-api-server string Kubernetes API server URL--k8s-heartbeat-timeout duration Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)--k8s-kubeconfig-path string Absolute path of the kubernetes kubeconfig file--k8s-namespace string Name of the Kubernetes namespace in which Cilium is deployed in--k8s-require-ipv4-pod-cidr Require IPv4 PodCIDR to be specified in node resource--k8s-require-ipv6-pod-cidr Require IPv6 PodCIDR to be specified in node resource--k8s-service-proxy-name string Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)--k8s-watcher-endpoint-selector string K8s endpoint watcher will watch for these k8s endpoints (default "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager")--keep-config When restoring state, keeps containers' configuration in place--kube-proxy-replacement string auto-enable available features for kube-proxy replacement ("probe"), or enable only selected features (will panic if any selected feature cannot be enabled) ("partial") or enable all features (will panic if any feature cannot be enabled) ("strict"), or completely disable it (ignores any selected feature) ("disabled") (default "partial")--kube-proxy-replacement-healthz-bind-address string The IP address with port for kube-proxy replacement health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable.--kvstore string Key-value store type--kvstore-connectivity-timeout duration Time after which an incomplete kvstore operation is considered failed (default 2m0s)--kvstore-max-consecutive-quorum-errors int Max acceptable kvstore consecutive quorum errors before the agent assumes permanent failure (default 2)--kvstore-opt map Key-value store options e.g. etcd.address=127.0.0.1:4001--kvstore-periodic-sync duration Periodic KVstore synchronization interval (default 5m0s)--label-prefix-file string Valid label prefixes file path--labels strings List of label prefixes used to determine identity of an endpoint--lib-dir string Directory path to store runtime build environment (default "/var/lib/cilium")--local-router-ipv4 string Link-local IPv4 used for Cilium's router devices--local-router-ipv6 string Link-local IPv6 used for Cilium's router devices--log-driver strings Logging endpoints to use for example syslog--log-opt map Log driver options for cilium-agent, configmap example for syslog driver: {"syslog.level":"info","syslog.facility":"local5","syslog.tag":"cilium-agent"}--log-system-load Enable periodic logging of system load--metrics strings Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar)--monitor-aggregation string Level of monitor aggregation for traces from the datapath (default "None")--monitor-aggregation-flags strings TCP flags that trigger monitor reports when monitor aggregation is enabled (default [syn,fin,rst])--monitor-aggregation-interval duration Monitor report interval when monitor aggregation is enabled (default 5s)--monitor-queue-size int Size of the event queue when reading monitor events--mtu int Overwrite auto-detected MTU of underlying network--nat46-range string IPv6 prefix to map IPv4 addresses to (default "0:0:0:0:0:FFFF::/96")--node-port-bind-protection Reject application bind(2) requests to service ports in the NodePort range (default true)--node-port-range strings Set the min/max NodePort port range (default [30000,32767])--policy-audit-mode Enable policy audit (non-drop) mode--policy-queue-size int size of queues for policy-related events (default 100)--pprof Enable serving the pprof debugging API--pprof-port int Port that the pprof listens on (default 6060)--preallocate-bpf-maps Enable BPF map pre-allocation (default true)--prepend-iptables-chains Prepend custom iptables chains instead of appending (default true)--prometheus-serve-addr string IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)--proxy-connect-timeout uint Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 1)--proxy-gid uint Group ID for proxy control plane sockets. (default 1337)--proxy-prometheus-port int Port to serve Envoy metrics on. Default 0 (disabled).--read-cni-conf string Read to the CNI configuration at specified path to extract per node configuration--restore Restores state, if possible, from previous daemon (default true)--route-metric int Overwrite the metric used by cilium when adding routes to its 'cilium_host' device--sidecar-istio-proxy-image string Regular expression matching compatible Istio sidecar istio-proxy container image names (default "cilium/istio_proxy")--single-cluster-route Use a single cluster route instead of per node routes--socket-path string Sets daemon's socket path to listen for connections (default "/var/run/cilium/cilium.sock")--sockops-enable Enable sockops when kernel supported--state-dir string Directory path to store runtime state (default "/var/run/cilium")--tofqdns-dns-reject-response-code string DNS response code for rejecting DNS requests, available options are '[nameError refused]' (default "refused")--tofqdns-enable-dns-compression Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present (default true)--tofqdns-endpoint-max-ip-per-hostname int Maximum number of IPs to maintain per FQDN name for each endpoint (default 50)--tofqdns-idle-connection-grace-period duration Time during which idle but previously active connections with expired DNS lookups are still considered alive (default 0s)--tofqdns-max-deferred-connection-deletes int Maximum number of IPs to retain for expired DNS lookups with still-active connections (default 10000)--tofqdns-min-ttl int The minimum time, in seconds, to use DNS data for toFQDNs policies. (default 3600 )--tofqdns-pre-cache string DNS cache data at this path is preloaded on agent startup--tofqdns-proxy-port int Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.--tofqdns-proxy-response-max-delay duration The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. (default 100ms)--trace-payloadlen int Length of payload to capture when tracing (default 128)-t, --tunnel string Tunnel mode {vxlan, geneve, disabled} (default "vxlan" for the "veth" datapath mode)--tunnel-port int Tunnel port (default 8472 for "vxlan" and 6081 for "geneve")--version Print version information--vlan-bpf-bypass strings List of explicitly allowed VLAN IDs, '0' id will allow all VLAN IDs--write-cni-conf-when-ready string Write the CNI configuration as specified via --read-cni-conf to path when agent is ready
