API Reference
Introduction
The Cilium API is JSON based and provided by the cilium-agent. The purpose of the API is to provide visibility and control over an individual agent instance. In general, all API calls affect only the resources managed by the individual cilium-agent serving the API. A few selected API calls, such as security identity resolution, provide cluster-wide visibility; such API calls are marked specifically. Unless noted otherwise, API calls only affect local agent resources.
How to access the API
CLI Client
The easiest way to access the API is via the cilium-dbg CLI client shipped in the agent image (releases before 1.15 named this binary cilium). It will automatically locate the API of the agent running on the same node and access it. Using the -H or --host flag, the client can instead be pointed to an arbitrary API address.
Example
$ cilium-dbg -H unix:///var/run/cilium/cilium.sock
[...]
Golang Package
The following Go packages can be used to access the API:
Package | Description
pkg/client | Main client API abstraction
api/v1/models | API resource data type models
Example
The full example can be found in the cilium/client-example repository.
package main

import (
	"fmt"
	"os"

	"github.com/cilium/cilium/pkg/client"
)

func main() {
	// NewDefaultClient talks to the agent's API socket on the local node.
	c, err := client.NewDefaultClient()
	if err != nil {
		fmt.Fprintf(os.Stderr, "connecting to cilium-agent: %v\n", err)
		os.Exit(1)
	}
	endpoints, err := c.EndpointList()
	if err != nil {
		fmt.Fprintf(os.Stderr, "listing endpoints: %v\n", err)
		os.Exit(1)
	}
	for _, ep := range endpoints {
		// Identifiers and addresses live under status in the endpoint model
		// documented below; either block can be nil while an endpoint initialises.
		name, ipv4, ipv6 := "", "", ""
		if st := ep.Status; st != nil && st.ExternalIdentifiers != nil {
			name = st.ExternalIdentifiers.ContainerName
		}
		if st := ep.Status; st != nil && st.Networking != nil && len(st.Networking.Addressing) > 0 {
			ipv4, ipv6 = st.Networking.Addressing[0].IPV4, st.Networking.Addressing[0].IPV6
		}
		fmt.Printf("%8d %14s %16s %32s\n", ep.ID, name, ipv4, ipv6)
	}
}
Compatibility Guarantees
The Cilium API is stable as of version 1.0; backward compatibility will be upheld for the whole lifecycle of Cilium 1.x.
API Reference
- GET /cluster/nodes
Get nodes information stored in the cilium-agent
- Status Codes:
200 OK – Success
- Request Headers:
client-id – Client UUID should be used when the client wants to request a diff of nodes added and / or removed since the last time that client has made a request.
- GET /healthz
Get health of Cilium daemon
Returns health and status information of the Cilium daemon and related components such as the local container runtime, connected datastore, Kubernetes integration and Hubble.
- Status Codes:
200 OK – Success
- Request Headers:
brief – If set, return a brief representation of the Cilium status.
require-k8s-connectivity – If set to true, failure of the agent to connect to the Kubernetes control plane will cause the agent’s health status to also fail.
- Response JSON Object:
attach-mode (string) – Core datapath attachment mode
auth-certificate-provider.msg (string) – Human readable status/error/warning message
auth-certificate-provider.state (string) – State the component is in
bandwidth-manager.congestionControl (string) –
bandwidth-manager.devices[] (string) –
bandwidth-manager.enabled (boolean) – Is bandwidth manager enabled
bpf-maps.dynamic-size-ratio (number) – Ratio of total system memory to use for dynamic sizing of BPF maps
bpf-maps.maps[].name (string) – Name of the BPF map
bpf-maps.maps[].size (integer) – Size of the BPF map
cilium.msg (string) – Human readable status/error/warning message
cilium.state (string) – State the component is in
client-id (integer) – When supported by the API, this client ID should be used by the client when making another request to the server. See for example “/cluster/nodes”.
clock-source.hertz (integer) – Kernel Hz
clock-source.mode (string) – Datapath clock source
cluster (any) – Status of cluster
cluster-mesh (any) – Status of ClusterMesh
cni-chaining (any) – Status of CNI chaining
cni-file.msg (string) – Human readable status/error/warning message
cni-file.state (string) – State the component is in
container-runtime.msg (string) – Human readable status/error/warning message
container-runtime.state (string) – State the component is in
controllers[].configuration.error-retry (boolean) – Retry on error
controllers[].configuration.error-retry-base (string) – Base error retry back-off time
controllers[].configuration.interval (string) – Regular synchronization interval
controllers[].name (string) – Name of controller
controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success
controllers[].status.failure-count (integer) – Total number of failed runs
controllers[].status.last-failure-msg (string) – Error message of last failed run
controllers[].status.last-failure-timestamp (string) – Timestamp of last error
controllers[].status.last-success-timestamp (string) – Timestamp of last success
controllers[].status.success-count (integer) – Total number of successful runs
controllers[].uuid (string) – UUID of controller
datapath-mode (string) – Datapath mode
encryption (any) – Status of transparent encryption
host-firewall.devices[] (string) –
host-firewall.mode (string) –
hubble.metrics.state (string) – State of the Hubble metrics
hubble.msg (string) – Human readable status/error/warning message
hubble.observer.current-flows (integer) – Current number of flows this Hubble observer stores
hubble.observer.max-flows (integer) – Maximum number of flows this Hubble observer is able to store
hubble.observer.seen-flows (integer) – Total number of flows this Hubble observer has seen
hubble.observer.uptime (string) – Uptime of this Hubble observer instance
hubble.state (string) – State the component is in
identity-range (any) – Status of identity range of the cluster
ipam (any) – Status of IP address management
ipv4-big-tcp.enabled (boolean) – Is IPv4 BIG TCP enabled
ipv4-big-tcp.maxGRO (integer) – Maximum IPv4 GRO size
ipv4-big-tcp.maxGSO (integer) – Maximum IPv4 GSO size
ipv6-big-tcp.enabled (boolean) – Is IPv6 BIG TCP enabled
ipv6-big-tcp.maxGRO (integer) – Maximum IPv6 GRO size
ipv6-big-tcp.maxGSO (integer) – Maximum IPv6 GSO size
kube-proxy-replacement.deviceList[].ip[] (string) –
kube-proxy-replacement.deviceList[].name (string) –
kube-proxy-replacement.devices[] (string) –
kube-proxy-replacement.directRoutingDevice (string) –
kube-proxy-replacement.features.annotations[] (string) –
kube-proxy-replacement.features.bpfSocketLBHostnsOnly (boolean) – flag bpf-lb-sock-hostns-only
kube-proxy-replacement.features.externalIPs.enabled (boolean) –
kube-proxy-replacement.features.gracefulTermination.enabled (boolean) –
kube-proxy-replacement.features.hostPort.enabled (boolean) –
kube-proxy-replacement.features.hostReachableServices.enabled (boolean) –
kube-proxy-replacement.features.hostReachableServices.protocols[] (string) –
kube-proxy-replacement.features.nat46X64.enabled (boolean) –
kube-proxy-replacement.features.nat46X64.gateway.enabled (boolean) –
kube-proxy-replacement.features.nat46X64.gateway.prefixes[] (string) –
kube-proxy-replacement.features.nat46X64.service.enabled (boolean) –
kube-proxy-replacement.features.nodePort.acceleration (string) –
kube-proxy-replacement.features.nodePort.algorithm (string) –
kube-proxy-replacement.features.nodePort.dsrMode (string) –
kube-proxy-replacement.features.nodePort.enabled (boolean) –
kube-proxy-replacement.features.nodePort.lutSize (integer) –
kube-proxy-replacement.features.nodePort.mode (string) –
kube-proxy-replacement.features.nodePort.portMax (integer) –
kube-proxy-replacement.features.nodePort.portMin (integer) –
kube-proxy-replacement.features.sessionAffinity.enabled (boolean) –
kube-proxy-replacement.features.socketLB.enabled (boolean) –
kube-proxy-replacement.features.socketLBTracing.enabled (boolean) –
kube-proxy-replacement.mode (string) –
kubernetes.k8s-api-versions[] (string) –
kubernetes.msg (string) – Human readable status/error/warning message
kubernetes.state (string) – State the component is in
kvstore.msg (string) – Human readable status/error/warning message
kvstore.state (string) – State the component is in
masquerading.enabled (boolean) –
masquerading.enabledProtocols.ipv4 (boolean) – Is masquerading enabled for IPv4 traffic
masquerading.enabledProtocols.ipv6 (boolean) – Is masquerading enabled for IPv6 traffic
masquerading.ip-masq-agent (boolean) – Is BPF ip-masq-agent enabled
masquerading.mode (string) –
masquerading.snat-exclusion-cidr (string) – This field is obsolete, please use snat-exclusion-cidr-v4 or snat-exclusion-cidr-v6.
masquerading.snat-exclusion-cidr-v4 (string) – SnatExclusionCIDRv4 exempts SNAT from being performed on any packet sent to an IPv4 address that belongs to this CIDR.
masquerading.snat-exclusion-cidr-v6 (string) – SnatExclusionCIDRv6 exempts SNAT from being performed on any packet sent to an IPv6 address that belongs to this CIDR. For IPv6 we only do masquerading in iptables mode.
nodeMonitor (any) – Status of the node monitor
proxy.envoy-deployment-mode (string) – Deployment mode of Envoy L7 proxy
proxy.ip (string) – IP address that the proxy listens on
proxy.port-range (string) – Port range used for proxying
proxy.redirects[].name (string) – Name of the proxy redirect
proxy.redirects[].proxy (string) – Name of the proxy this redirect points to
proxy.redirects[].proxy-port (integer) – Host port that this redirect points to
proxy.total-ports (integer) – Total number of listening proxy ports
proxy.total-redirects (integer) – Total number of ports configured to redirect to proxies
routing.inter-host-routing-mode (string) – Datapath routing mode for connectivity between nodes
routing.intra-host-routing-mode (string) – Datapath routing mode for connectivity within the host
routing.tunnel-protocol (string) – Tunnel protocol in use for connectivity between nodes
srv6.enabled (boolean) –
srv6.srv6EncapMode (string) –
stale (object) – List of stale information in the status
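Most of the fields above are informational, but a few of them decide whether this node can currently be relied on to enforce policy: the cilium, kvstore and kubernetes component states, controllers stuck in a failure streak, and anything listed under stale. The Go example below is an added illustration, not Cilium code, of turning a /healthz body into a list of findings suitable for a readiness probe or an alert rule. It assumes the component state strings Ok/Warning/Failure/Disabled, runs on a constructed sample response rather than real agent output, and the tolerated number of consecutive controller failures is a hypothetical threshold of this example, not an agent setting.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Status mirrors the {state, msg} pair /healthz reports per component.
type Status struct {
	State string `json:"state"`
	Msg   string `json:"msg"`
}

// Controller mirrors one entry of controllers[].
type Controller struct {
	Name   string `json:"name"`
	Status struct {
		ConsecutiveFailureCount int    `json:"consecutive-failure-count"`
		LastFailureMsg          string `json:"last-failure-msg"`
	} `json:"status"`
}

// Health holds the subset of /healthz fields this check looks at.
// stale maps a probe name to the timestamp of its last completed run.
type Health struct {
	Cilium      Status            `json:"cilium"`
	Kvstore     Status            `json:"kvstore"`
	Kubernetes  Status            `json:"kubernetes"`
	Controllers []Controller      `json:"controllers"`
	Stale       map[string]string `json:"stale"`
}

// Finding is one reason the agent should not be treated as healthy.
type Finding struct {
	Component string
	Reason    string
}

// Evaluate returns the problems found; an empty result means every core
// component is Ok (or intentionally Disabled) and no controller exceeds
// maxStreak consecutive failures. State strings are assumed, see lead-in.
func Evaluate(h *Health, maxStreak int) []Finding {
	var out []Finding
	core := map[string]Status{"cilium": h.Cilium, "kvstore": h.Kvstore, "kubernetes": h.Kubernetes}
	for _, name := range []string{"cilium", "kvstore", "kubernetes"} {
		s := core[name]
		switch s.State {
		case "Ok":
		case "Disabled":
			// Expected when the feature is off on purpose, e.g. kvstore in CRD mode.
		default:
			out = append(out, Finding{name, fmt.Sprintf("state=%q msg=%q", s.State, s.Msg)})
		}
	}
	for _, c := range h.Controllers {
		if c.Status.ConsecutiveFailureCount > maxStreak {
			out = append(out, Finding{"controller/" + c.Name,
				fmt.Sprintf("%d consecutive failures: %s", c.Status.ConsecutiveFailureCount, c.Status.LastFailureMsg)})
		}
	}
	for probe := range h.Stale {
		out = append(out, Finding{"stale/" + probe, "status probe has not completed recently"})
	}
	return out
}

// ParseHealth decodes a /healthz response body.
func ParseHealth(body []byte) (*Health, error) {
	var h Health
	if err := json.Unmarshal(body, &h); err != nil {
		return nil, err
	}
	return &h, nil
}

// sampleHealthz is a constructed response for a stand-alone run, not real agent output.
const sampleHealthz = `{
  "cilium": {"state": "Ok", "msg": ""},
  "kvstore": {"state": "Disabled", "msg": ""},
  "kubernetes": {"state": "Warning", "msg": "k8s API server is slow"},
  "controllers": [
    {"name": "sync-policymap-42", "status": {"consecutive-failure-count": 0}},
    {"name": "ipcache-inject-labels", "status": {"consecutive-failure-count": 7, "last-failure-msg": "identity not found"}}
  ],
  "stale": {"kvstore": "2024-01-01T00:00:00Z"}
}`

func main() {
	h, err := ParseHealth([]byte(sampleHealthz))
	if err != nil {
		panic(err)
	}
	for _, f := range Evaluate(h, 3) {
		fmt.Printf("%-32s %s\n", f.Component, f.Reason)
	}
}
```

Feed it the body returned by GET /healthz; pairing it with the require-k8s-connectivity header keeps the agent's own verdict and this check consistent about whether a lost Kubernetes connection counts as failure.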
- GET /config
Get configuration of Cilium daemon
Returns the configuration of the Cilium daemon.
- Status Codes:
200 OK – Success
- Response JSON Object:
spec.options (object) – Map of configuration key/value pairs.
spec.policy-enforcement (string) – The policy-enforcement mode
status.GROIPv4MaxSize (integer) – Maximum IPv4 GRO size on workload facing devices
status.GROMaxSize (integer) – Maximum IPv6 GRO size on workload facing devices
status.GSOIPv4MaxSize (integer) – Maximum IPv4 GSO size on workload facing devices
status.GSOMaxSize (integer) – Maximum IPv6 GSO size on workload facing devices
status.addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
status.addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints
status.addressing.ipv4.enabled (boolean) – True if address family is enabled
status.addressing.ipv4.ip (string) – IP address of node
status.addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
status.addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints
status.addressing.ipv6.enabled (boolean) – True if address family is enabled
status.addressing.ipv6.ip (string) – IP address of node
status.daemonConfigurationMap (any) – Config map which contains all the active daemon configurations
status.datapathMode (string) – Datapath mode
status.deviceMTU (integer) – MTU on workload facing devices
status.egress-multi-home-ip-rule-compat (boolean) – Configured compatibility mode for --egress-multi-home-ip-rule-compat
status.enableRouteMTUForCNIChaining (boolean) – Enable route MTU for pod netns when CNI chaining is used
status.immutable (object) – Map of configuration key/value pairs.
status.installUplinkRoutesForDelegatedIPAM (boolean) – Install ingress/egress routes through uplink on host for Pods when working with delegated IPAM plugin.
status.ipLocalReservedPorts (string) – Comma-separated list of IP ports that should be reserved in the workload network namespace
status.ipam-mode (string) – Configured IPAM mode
status.k8s-configuration (string) –
status.k8s-endpoint (string) –
status.kvstoreConfiguration (any) – Configuration used for the kvstore
status.masquerade (boolean) –
status.masqueradeProtocols.ipv4 (boolean) – Status of masquerading for IPv4 traffic
status.masqueradeProtocols.ipv6 (boolean) – Status of masquerading for IPv6 traffic
status.nodeMonitor (any) – Status of the node monitor
status.realized.options (object) – Map of configuration key/value pairs.
status.realized.policy-enforcement (string) – The policy-enforcement mode
status.routeMTU (integer) – MTU for network facing routes
- PATCH /config
Modify daemon configuration
Updates the daemon configuration by applying the provided ConfigurationMap and regenerates & recompiles all required datapath components.
- Request JSON Object:
options (object) – Map of configuration key/value pairs.
policy-enforcement (string) – The policy-enforcement mode
- Status Codes:
200 OK – Success
400 Bad Request – Bad configuration parameters
403 Forbidden – Forbidden
500 Internal Server Error – Recompilation failed
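A single PATCH can switch policy-enforcement to never for every endpoint on the node, and the three error codes above mean different things to an operator: 400 and 403 mean nothing changed, while 500 means the agent accepted the change but datapath recompilation failed. The example below is added here and is not part of Cilium's pkg/client; it sends the patch with the standard library, keeps the status code in the error, and confirms the outcome by reading status.realized.policy-enforcement back from GET /config (spec is what was requested, realized is what the datapath runs). It assumes the enforcement modes default/always/never and a base URL of the form http://<host>/v1; the allowDisable guard is this example's own convention.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
)

// ConfigPatch is the PATCH /config body; omitted fields leave the agent's current values unchanged.
type ConfigPatch struct {
	Options           map[string]string `json:"options,omitempty"`
	PolicyEnforcement string            `json:"policy-enforcement,omitempty"`
}

// validModes are the policy-enforcement modes the agent accepts (assumed here).
var validModes = map[string]bool{"default": true, "always": true, "never": true}

// PatchConfig applies p to the agent behind c at base (e.g. "http://cilium/v1" when c dials
// the UNIX socket). "never" switches policy enforcement off for every endpoint on the node,
// so it is only sent when allowDisable is true; that guard is this example's own convention.
func PatchConfig(c *http.Client, base string, p ConfigPatch, allowDisable bool) error {
	if p.PolicyEnforcement != "" && !validModes[p.PolicyEnforcement] {
		return fmt.Errorf("invalid policy-enforcement mode %q", p.PolicyEnforcement)
	}
	if p.PolicyEnforcement == "never" && !allowDisable {
		return fmt.Errorf("refusing policy-enforcement=never without allowDisable")
	}
	body, err := json.Marshal(p)
	if err != nil {
		return err
	}
	req, err := http.NewRequest(http.MethodPatch, base+"/config", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	rb, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	// 400 = bad parameters, 403 = forbidden, 500 = datapath recompilation failed.
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("PATCH /config: HTTP %d: %s", resp.StatusCode, bytes.TrimSpace(rb))
	}
	return nil
}

// RealizedPolicyEnforcement reads GET /config and returns status.realized.policy-enforcement,
// the mode the datapath is running after regeneration (spec is merely what was requested).
func RealizedPolicyEnforcement(c *http.Client, base string) (string, error) {
	resp, err := c.Get(base + "/config")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("GET /config: HTTP %d", resp.StatusCode)
	}
	var cfg struct {
		Status struct {
			Realized struct {
				PolicyEnforcement string `json:"policy-enforcement"`
			} `json:"realized"`
		} `json:"status"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
		return "", err
	}
	return cfg.Status.Realized.PolicyEnforcement, nil
}

// Stand-alone use: print the realized mode of the agent on the socket given as first
// argument (default /var/run/cilium/cilium.sock); a second argument sets a new mode.
func main() {
	sock := "/var/run/cilium/cilium.sock"
	if len(os.Args) > 1 {
		sock = os.Args[1]
	}
	dial := func(ctx context.Context, _, _ string) (net.Conn, error) { return (&net.Dialer{}).DialContext(ctx, "unix", sock) }
	c := &http.Client{Transport: &http.Transport{DialContext: dial}}
	const base = "http://cilium/v1"
	if len(os.Args) > 2 {
		if err := PatchConfig(c, base, ConfigPatch{PolicyEnforcement: os.Args[2]}, false); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	mode, err := RealizedPolicyEnforcement(c, base)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("realized policy-enforcement:", mode)
}
```

Treat a 500 as a node in an unknown state: the request was accepted, so compare status.realized with status.options in GET /config before retrying rather than assuming the previous configuration is still in force.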
- GET /endpoint/{id}
Get endpoint by endpoint ID
Returns endpoint information
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes, with the exception of the local Cilium UUID, which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: Pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: CiliumEndpoint (CEP) name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Status Codes:
200 OK – Success
400 Bad Request – Invalid endpoint ID format for specified type
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- Response JSON Object:
id (integer) – The cilium-agent-local ID of the endpoint
spec.label-configuration.user[] (string) –
spec.options (object) – Map of configuration key/value pairs.
status.controllers[].configuration.error-retry (boolean) – Retry on error
status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time
status.controllers[].configuration.interval (string) – Regular synchronization interval
status.controllers[].name (string) – Name of controller
status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success
status.controllers[].status.failure-count (integer) – Total number of failed runs
status.controllers[].status.last-failure-msg (string) – Error message of last failed run
status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error
status.controllers[].status.last-success-timestamp (string) – Timestamp of last success
status.controllers[].status.success-count (integer) – Total number of successful runs
status.controllers[].uuid (string) – UUID of controller
status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime
status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)
status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)
status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID
status.external-identifiers.docker-network-id (string) – Docker network ID
status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)
status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)
status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)
status.health.bpf (string) – A common set of statuses for endpoint health: OK = all components operational; Bootstrap = this component is being created; Pending = a change is being processed to be applied; Warning = this component is not applying up-to-date policies (but is still applying the previous version); Failure = an error has occurred and no policy is being applied; Disabled = this endpoint is disabled and will not handle traffic
status.health.connected (boolean) – Is this endpoint reachable
status.health.overallHealth (string) – Overall endpoint health, same status set as status.health.bpf
status.health.policy (string) – Policy health, same status set as status.health.bpf
status.identity.id (integer) – Unique identifier
status.identity.labelsSHA256 (string) – SHA256 of labels
status.identity.labels[] (string) –
status.labels.derived[] (string) –
status.labels.disabled[] (string) –
status.labels.realized.user[] (string) –
status.labels.security-relevant[] (string) –
status.log[].code (string) – Code indicating the type of status change
status.log[].message (string) – Status message
status.log[].state (string) – State of endpoint
status.log[].timestamp (string) – Timestamp when status change occurred
status.namedPorts[].name (string) – Optional layer 4 port name
status.namedPorts[].port (integer) – Layer 4 port number
status.namedPorts[].protocol (string) – Layer 4 protocol
status.networking.addressing[].ipv4 (string) – IPv4 address
status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
status.networking.addressing[].ipv6 (string) – IPv6 address
status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
status.networking.container-interface-name (string) – Name of network device in container netns
status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints
status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled
status.networking.host-addressing.ipv4.ip (string) – IP address of node
status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints
status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled
status.networking.host-addressing.ipv6.ip (string) – IP address of node
status.networking.host-mac (string) – MAC address
status.networking.interface-index (integer) – Index of network device in host netns
status.networking.interface-name (string) – Name of network device in host netns
status.networking.mac (string) – MAC address
status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint
status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on
status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed
status.policy.proxy-statistics[].port (integer) – The port subject to the redirect
status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol
status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied
status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages
status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded
status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received
status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied
status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages
status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded
status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received
status.policy.realized.allowed-egress-identities[] (integer) –
status.policy.realized.allowed-ingress-identities[] (integer) –
status.policy.realized.build (integer) – Build number of calculated policy in use
status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.denied-egress-identities[] (integer) –
status.policy.realized.denied-ingress-identities[] (integer) –
status.policy.realized.id (integer) – Own identity of endpoint
status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
status.policy.realized.policy-revision (integer) – The agent-local policy revision
status.policy.spec.allowed-egress-identities[] (integer) –
status.policy.spec.allowed-ingress-identities[] (integer) –
status.policy.spec.build (integer) – Build number of calculated policy in use
status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.denied-egress-identities[] (integer) –
status.policy.spec.denied-ingress-identities[] (integer) –
status.policy.spec.id (integer) – Own identity of endpoint
status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
status.policy.spec.policy-revision (integer) – The agent-local policy revision
status.realized.label-configuration.user[] (string) –
status.realized.options (object) – Map of configuration key/value pairs.
status.state (string) – State of endpoint (required)
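Two parts of this entry are worth a helper: the [prefix:]id addressing scheme, where only the first colon separates prefix from id (the id itself may contain colons, as in cilium-global:cluster1:nodeX:452343), and the policy fields, where status.policy.realized is what the datapath enforces while status.policy.spec is what was requested. The Go example below is added here and is not Cilium code. It shows a parser for endpoint references and a check that summarises an endpoint's enforcement posture from a constructed GET /endpoint/{id} body; it assumes the policy-enabled values none/ingress/egress/both and the health states listed above, and treats "ready" as the steady endpoint state.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// endpointPrefixes are the [prefix:]id prefixes listed for this endpoint.
var endpointPrefixes = map[string]bool{
	"cilium-local": true, "cilium-global": true, "cni-attachment-id": true,
	"container-id": true, "container-name": true, "pod-name": true,
	"cep-name": true, "docker-endpoint": true,
}

// ParseEndpointID splits a "[prefix:]id" reference into prefix and id, defaulting
// to cilium-local when no prefix is present. Only the first colon is a separator.
func ParseEndpointID(ref string) (string, string, error) {
	prefix, id, found := strings.Cut(ref, ":")
	if !found {
		prefix, id = "cilium-local", ref
	} else if !endpointPrefixes[prefix] {
		return "", "", fmt.Errorf("unsupported endpoint id prefix %q", prefix)
	}
	if id == "" {
		return "", "", fmt.Errorf("missing id in endpoint reference %q", ref)
	}
	return prefix, id, nil
}

// PolicyState is the shape shared by status.policy.realized and status.policy.spec.
type PolicyState struct {
	PolicyEnabled  string `json:"policy-enabled"`
	PolicyRevision int64  `json:"policy-revision"`
}

// Endpoint holds the subset of the GET /endpoint/{id} response used below.
type Endpoint struct {
	ID     int64 `json:"id"`
	Status struct {
		State    string `json:"state"`
		Health   struct{ Policy string `json:"policy"` } `json:"health"`
		Identity struct{ ID int64 `json:"id"` }          `json:"identity"`
		Policy   struct {
			Realized PolicyState `json:"realized"`
			Spec     PolicyState `json:"spec"`
		} `json:"policy"`
	} `json:"status"`
}

// Posture summarises how much policy actually applies to one endpoint.
type Posture struct {
	EndpointID  int64
	Identity    int64
	Enforcement string // realized policy-enabled: none, ingress, egress or both
	Lagging     bool   // realized revision behind spec: newer rules not yet in the datapath
	Notes       []string
}

// Assess derives the posture; "ready" is assumed to be the steady endpoint state.
func Assess(ep *Endpoint) Posture {
	r, s := ep.Status.Policy.Realized, ep.Status.Policy.Spec
	p := Posture{EndpointID: ep.ID, Identity: ep.Status.Identity.ID,
		Enforcement: r.PolicyEnabled, Lagging: r.PolicyRevision < s.PolicyRevision}
	if r.PolicyEnabled == "none" {
		p.Notes = append(p.Notes, "no policy enforced in either direction")
	}
	if ep.Status.Health.Policy != "OK" {
		p.Notes = append(p.Notes, "policy health "+ep.Status.Health.Policy)
	}
	if p.Lagging {
		p.Notes = append(p.Notes, fmt.Sprintf("realized revision %d behind spec %d", r.PolicyRevision, s.PolicyRevision))
	}
	if ep.Status.State != "ready" {
		p.Notes = append(p.Notes, "endpoint state "+ep.Status.State)
	}
	return p
}

// sampleEndpoint is a constructed GET /endpoint/{id} body, not output from a real agent.
const sampleEndpoint = `{
  "id": 3389595,
  "status": {
    "state": "ready",
    "health": {"policy": "Warning", "overallHealth": "Warning"},
    "identity": {"id": 51234, "labels": ["k8s:app=web", "k8s:io.kubernetes.pod.namespace=default"]},
    "policy": {
      "realized": {"policy-enabled": "ingress", "policy-revision": 3},
      "spec": {"policy-enabled": "both", "policy-revision": 4}
    }
  }
}`

func main() {
	var ep Endpoint
	if err := json.Unmarshal([]byte(sampleEndpoint), &ep); err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Assess(&ep))
}
```

Run Assess over every entry returned by the endpoint list and the endpoints with Enforcement none or a Lagging flag are the ones where the policy you wrote is not what the node is applying.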
- PUT /endpoint/{id}
Create endpoint
Creates a new endpoint
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes, with the exception of the local Cilium UUID, which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: Pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: CiliumEndpoint (CEP) name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Request JSON Object:
addressing.ipv4 (string) – IPv4 address
addressing.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
addressing.ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
addressing.ipv6 (string) – IPv6 address
addressing.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
addressing.ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
container-id (string) – ID assigned by container runtime
container-interface-name (string) – Name of network device in container netns
container-name (string) – Name assigned to container
datapath-configuration.disable-sip-verification (boolean) – Disable source IP verification for the endpoint.
datapath-configuration.external-ipam (boolean) – Indicates that IPAM is done external to Cilium. This will prevent the IP from being released and re-allocation of the IP address is skipped on restore.
datapath-configuration.install-endpoint-route (boolean) – Installs a route in the Linux routing table pointing to the device of the endpoint’s interface.
datapath-configuration.require-arp-passthrough (boolean) – Enable ARP passthrough mode
datapath-configuration.require-egress-prog (boolean) – Endpoint requires a host-facing egress program to be attached to implement ingress policy and reverse NAT.
datapath-configuration.require-routing (boolean) – Endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing.
datapath-map-id (integer) – ID of datapath tail call map
disable-legacy-identifiers (boolean) – Disables lookup using legacy endpoint identifiers (container name, container id, pod name) for this endpoint
docker-endpoint-id (string) – Docker endpoint ID
docker-network-id (string) – Docker network ID
host-mac (string) – MAC address
id (integer) – Local endpoint ID
interface-index (integer) – Index of network device in host netns
interface-name (string) – Name of network device in host netns
k8s-namespace (string) – Kubernetes namespace name
k8s-pod-name (string) – Kubernetes pod name
k8s-uid (string) – Kubernetes pod UID
labels[] (string) –
mac (string) – MAC address
netns-cookie (string) – Network namespace cookie
parent-interface-index (integer) – Index of network device from which an IP was used as endpoint IP. Only relevant for ENI environments.
pid (integer) – Process ID of the workload belonging to this endpoint
policy-enabled (boolean) – Whether policy enforcement is enabled or not
properties (any) – Properties is used to store information about the endpoint at creation. Useful for tests.
state (string) – State of endpoint (required)
sync-build-endpoint (boolean) – Whether to build an endpoint synchronously
- Status Codes:
201 Created – Created
400 Bad Request – Invalid endpoint in request
403 Forbidden – Forbidden
409 Conflict – Endpoint already exists
429 Too Many Requests – Rate-limiting too many requests in the given time frame
500 Internal Server Error – Endpoint creation failed
- Response JSON Object:
id (integer) – The cilium-agent-local ID of the endpoint
spec.label-configuration.user[] (string) –
spec.options (object) – Map of configuration key/value pairs.
status.controllers[].configuration.error-retry (boolean) – Retry on error
status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time
status.controllers[].configuration.interval (string) – Regular synchronization interval
status.controllers[].name (string) – Name of controller
status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success
status.controllers[].status.failure-count (integer) – Total number of failed runs
status.controllers[].status.last-failure-msg (string) – Error message of last failed run
status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error
status.controllers[].status.last-success-timestamp (string) – Timestamp of last success
status.controllers[].status.success-count (integer) – Total number of successful runs
status.controllers[].uuid (string) – UUID of controller
status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime
status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)
status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)
status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID
status.external-identifiers.docker-network-id (string) – Docker network ID
status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)
status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)
status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)
status.health.bpf (string) – A common set of statuses for endpoint health: OK = all components operational; Bootstrap = this component is being created; Pending = a change is being processed to be applied; Warning = this component is not applying up-to-date policies (but is still applying the previous version); Failure = an error has occurred and no policy is being applied; Disabled = this endpoint is disabled and will not handle traffic
status.health.connected (boolean) – Is this endpoint reachable
status.health.overallHealth (string) – Overall endpoint health, same status set as status.health.bpf
status.health.policy (string) – Policy health, same status set as status.health.bpf
status.identity.id (integer) – Unique identifier
status.identity.labelsSHA256 (string) – SHA256 of labels
status.identity.labels[] (string) –
status.labels.derived[] (string) –
status.labels.disabled[] (string) –
status.labels.realized.user[] (string) –
status.labels.security-relevant[] (string) –
status.log[].code (string) – Code indicating the type of status change
status.log[].message (string) – Status message
status.log[].state (string) – State of endpoint
status.log[].timestamp (string) – Timestamp when status change occurred
status.namedPorts[].name (string) – Optional layer 4 port name
status.namedPorts[].port (integer) – Layer 4 port number
status.namedPorts[].protocol (string) – Layer 4 protocol
status.networking.addressing[].ipv4 (string) – IPv4 address
status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
status.networking.addressing[].ipv6 (string) – IPv6 address
status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
status.networking.container-interface-name (string) – Name of network device in container netns
status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints
status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled
status.networking.host-addressing.ipv4.ip (string) – IP address of node
status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints
status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled
status.networking.host-addressing.ipv6.ip (string) – IP address of node
status.networking.host-mac (string) – MAC address
status.networking.interface-index (integer) – Index of network device in host netns
status.networking.interface-name (string) – Name of network device in host netns
status.networking.mac (string) – MAC address
status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint
status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on
status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed
status.policy.proxy-statistics[].port (integer) – The port subject to the redirect
status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol
status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied
status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages
status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded
status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received
status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied
status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages
status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded
status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received
status.policy.realized.allowed-egress-identities[] (integer) –
status.policy.realized.allowed-ingress-identities[] (integer) –
status.policy.realized.build (integer) – Build number of calculated policy in use
status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.denied-egress-identities[] (integer) –
status.policy.realized.denied-ingress-identities[] (integer) –
status.policy.realized.id (integer) – Own identity of endpoint
status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
status.policy.realized.policy-revision (integer) – The agent-local policy revision
status.policy.spec.allowed-egress-identities[] (integer) –
status.policy.spec.allowed-ingress-identities[] (integer) –
status.policy.spec.build (integer) – Build number of calculated policy in use
status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.denied-egress-identities[] (integer) –
status.policy.spec.denied-ingress-identities[] (integer) –
status.policy.spec.id (integer) – Own identity of endpoint
status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from
status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
status.policy.spec.policy-revision (integer) – The agent-local policy revision
status.realized.label-configuration.user[] (string) –
status.realized.options (object) – Map of configuration key/value pairs.
status.state (string) – State of endpoint (required)
- PATCH /endpoint/{id}
Modify existing endpoint
Applies the endpoint change request to an existing endpoint
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Request JSON Object:
addressing.ipv4 (string) – IPv4 address
addressing.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
addressing.ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
addressing.ipv6 (string) – IPv6 address
addressing.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
addressing.ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
container-id (string) – ID assigned by container runtime
container-interface-name (string) – Name of network device in container netns
container-name (string) – Name assigned to container
datapath-configuration.disable-sip-verification (boolean) – Disable source IP verification for the endpoint.
datapath-configuration.external-ipam (boolean) – Indicates that IPAM is done externally to Cilium. This prevents the IP from being released, and re-allocation of the IP address is skipped on restore.
datapath-configuration.install-endpoint-route (boolean) – Installs a route in the Linux routing table pointing to the device of the endpoint’s interface.
datapath-configuration.require-arp-passthrough (boolean) – Enable ARP passthrough mode
datapath-configuration.require-egress-prog (boolean) – Endpoint requires a host-facing egress program to be attached to implement ingress policy and reverse NAT.
datapath-configuration.require-routing (boolean) – Endpoint requires BPF routing to be enabled; when disabled, routing is delegated to Linux routing.
datapath-map-id (integer) – ID of datapath tail call map
disable-legacy-identifiers (boolean) – Disables lookup using legacy endpoint identifiers (container name, container id, pod name) for this endpoint
docker-endpoint-id (string) – Docker endpoint ID
docker-network-id (string) – Docker network ID
host-mac (string) – MAC address
id (integer) – Local endpoint ID
interface-index (integer) – Index of network device in host netns
interface-name (string) – Name of network device in host netns
k8s-namespace (string) – Kubernetes namespace name
k8s-pod-name (string) – Kubernetes pod name
k8s-uid (string) – Kubernetes pod UID
labels[] (string) –
mac (string) – MAC address
netns-cookie (string) – Network namespace cookie
parent-interface-index (integer) – Index of network device from which an IP was used as endpoint IP. Only relevant for ENI environments.
pid (integer) – Process ID of the workload belonging to this endpoint
policy-enabled (boolean) – Whether policy enforcement is enabled or not
properties (any) – Properties are used to store information about the endpoint at creation. Useful for tests.
state (string) – State of endpoint (required)
sync-build-endpoint (boolean) – Whether to build an endpoint synchronously
- Status Codes:
200 OK – Success
400 Bad Request – Invalid modify endpoint request
403 Forbidden – Forbidden
404 Not Found – Endpoint does not exist
429 Too Many Requests – Rate-limiting too many requests in the given time frame
500 Internal Server Error – Endpoint update failed
- DELETE /endpoint/{id}
Delete endpoint
Deletes the endpoint specified by the ID. Deletion is immediate and atomic: if the deletion request is valid and the endpoint exists, deletion will occur even if errors are encountered in the process. If errors have been encountered, the code 202 will be returned, otherwise 200 on success.
All resources associated with the endpoint will be freed and the workload represented by the endpoint will be disconnected. It will no longer be able to initiate or receive communications of any sort.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Status Codes:
200 OK – Success
206 Partial Content – Deleted with a number of errors encountered
400 Bad Request – Invalid endpoint ID format for specified type. Details in error message
403 Forbidden – Forbidden
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- GET /endpoint
Retrieves a list of endpoints that have metadata matching the provided parameters.
Retrieves a list of endpoints that have metadata matching the provided parameters, or all endpoints if no parameters are provided.
- Request JSON Object:
[] (string) –
- Status Codes:
200 OK – Success
404 Not Found – Endpoints with provided parameters not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- Response JSON Object:
[].id (integer) – The cilium-agent-local ID of the endpoint
[].spec.label-configuration.user[] (string) –
[].spec.options (object) – Map of configuration key/value pairs.
[].status.controllers[].configuration.error-retry (boolean) – Retry on error
[].status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time
[].status.controllers[].configuration.interval (string) – Regular synchronization interval
[].status.controllers[].name (string) – Name of controller
[].status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success
[].status.controllers[].status.failure-count (integer) – Total number of failed runs
[].status.controllers[].status.last-failure-msg (string) – Error message of last failed run
[].status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error
[].status.controllers[].status.last-success-timestamp (string) – Timestamp of last success
[].status.controllers[].status.success-count (integer) – Total number of successful runs
[].status.controllers[].uuid (string) – UUID of controller
[].status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime
[].status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)
[].status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)
[].status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID
[].status.external-identifiers.docker-network-id (string) – Docker network ID
[].status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)
[].status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)
[].status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)
[].status.health.bpf (string) – A common set of statuses for endpoint health:
* OK = All components operational
* Bootstrap = This component is being created
* Pending = A change is being processed to be applied
* Warning = This component is not applying up-to-date policies (but is still applying the previous version)
* Failure = An error has occurred and no policy is being applied
* Disabled = This endpoint is disabled and will not handle traffic
[].status.health.connected (boolean) – Is this endpoint reachable
[].status.health.overallHealth (string) – A common set of statuses for endpoint health:
* OK = All components operational
* Bootstrap = This component is being created
* Pending = A change is being processed to be applied
* Warning = This component is not applying up-to-date policies (but is still applying the previous version)
* Failure = An error has occurred and no policy is being applied
* Disabled = This endpoint is disabled and will not handle traffic
[].status.health.policy (string) – A common set of statuses for endpoint health:
* OK = All components operational
* Bootstrap = This component is being created
* Pending = A change is being processed to be applied
* Warning = This component is not applying up-to-date policies (but is still applying the previous version)
* Failure = An error has occurred and no policy is being applied
* Disabled = This endpoint is disabled and will not handle traffic
[].status.identity.id (integer) – Unique identifier
[].status.identity.labelsSHA256 (string) – SHA256 of labels
[].status.identity.labels[] (string) –
[].status.labels.derived[] (string) –
[].status.labels.disabled[] (string) –
[].status.labels.realized.user[] (string) –
[].status.labels.security-relevant[] (string) –
[].status.log[].code (string) – Code indicating the type of status change
[].status.log[].message (string) – Status message
[].status.log[].state (string) – State of endpoint
[].status.log[].timestamp (string) – Timestamp when status change occurred
[].status.namedPorts[].name (string) – Optional layer 4 port name
[].status.namedPorts[].port (integer) – Layer 4 port number
[].status.namedPorts[].protocol (string) – Layer 4 protocol
[].status.networking.addressing[].ipv4 (string) – IPv4 address
[].status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
[].status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
[].status.networking.addressing[].ipv6 (string) – IPv6 address
[].status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
[].status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
[].status.networking.container-interface-name (string) – Name of network device in container netns
[].status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
[].status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints
[].status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled
[].status.networking.host-addressing.ipv4.ip (string) – IP address of node
[].status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
[].status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints
[].status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled
[].status.networking.host-addressing.ipv6.ip (string) – IP address of node
[].status.networking.host-mac (string) – MAC address
[].status.networking.interface-index (integer) – Index of network device in host netns
[].status.networking.interface-name (string) – Name of network device in host netns
[].status.networking.mac (string) – MAC address
[].status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint
[].status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on
[].status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed
[].status.policy.proxy-statistics[].port (integer) – The port subject to the redirect
[].status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol
[].status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied
[].status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages
[].status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded
[].status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received
[].status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied
[].status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages
[].status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded
[].status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received
[].status.policy.realized.allowed-egress-identities[] (integer) –
[].status.policy.realized.allowed-ingress-identities[] (integer) –
[].status.policy.realized.build (integer) – Build number of calculated policy in use
[].status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.realized.denied-egress-identities[] (integer) –
[].status.policy.realized.denied-ingress-identities[] (integer) –
[].status.policy.realized.id (integer) – Own identity of endpoint
[].status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
[].status.policy.realized.policy-revision (integer) – The agent-local policy revision
[].status.policy.spec.allowed-egress-identities[] (integer) –
[].status.policy.spec.allowed-ingress-identities[] (integer) –
[].status.policy.spec.build (integer) – Build number of calculated policy in use
[].status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.spec.denied-egress-identities[] (integer) –
[].status.policy.spec.denied-ingress-identities[] (integer) –
[].status.policy.spec.id (integer) – Own identity of endpoint
[].status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from
[].status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
[].status.policy.spec.policy-revision (integer) – The agent-local policy revision
[].status.realized.label-configuration.user[] (string) –
[].status.realized.options (object) – Map of configuration key/value pairs.
[].status.state (string) – State of endpoint (required)
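As an added example (not Cilium's own code), the following Go check decodes a GET /endpoint body into the fields that matter for policy enforcement and flags endpoints whose status.health.policy is Warning or worse, whose realized policy-enabled is none, or whose realized policy revision lags the spec revision. The JSON body is constructed, and reading a lagging revision as "newest policy not yet applied" is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// endpointHealth is status.health; values are the documented set
// OK, Bootstrap, Pending, Warning, Failure and Disabled.
type endpointHealth struct {
	BPF           string `json:"bpf"`
	Policy        string `json:"policy"`
	OverallHealth string `json:"overallHealth"`
	Connected     bool   `json:"connected"`
}

// policyView is the part of status.policy.realized / status.policy.spec used here.
type policyView struct {
	PolicyEnabled  string `json:"policy-enabled"`  // ingress, egress, both or none
	PolicyRevision int64  `json:"policy-revision"` // agent-local policy revision
}

// endpoint decodes only what the check needs; other response fields are ignored.
type endpoint struct {
	ID     int64 `json:"id"`
	Status struct {
		Health endpointHealth `json:"health"`
		Policy struct {
			Realized policyView `json:"realized"`
			Spec     policyView `json:"spec"`
		} `json:"policy"`
	} `json:"status"`
}

// Finding is one reason an endpoint needs attention.
type Finding struct {
	EndpointID int64
	Reason     string
}

// healthSeverity ranks the documented values: Bootstrap/Pending are transient,
// Warning means the previous policy is still applied, Failure/Disabled mean none.
var healthSeverity = map[string]int{
	"OK": 0, "Bootstrap": 1, "Pending": 1, "Warning": 2, "Failure": 3, "Disabled": 3,
}

// CheckEndpoints decodes a GET /endpoint body and reports endpoints that are not
// enforcing current policy. Reading a realized revision below the spec revision
// as "newest policy not yet applied" is this example's assumption.
func CheckEndpoints(body []byte) ([]Finding, error) {
	var eps []endpoint
	if err := json.Unmarshal(body, &eps); err != nil {
		return nil, fmt.Errorf("decoding endpoint list: %w", err)
	}
	var findings []Finding
	for _, ep := range eps {
		st := ep.Status
		if st.Policy.Realized.PolicyEnabled == "none" {
			findings = append(findings, Finding{ep.ID, "policy-enabled is none: no policy enforced"})
		}
		if sev, known := healthSeverity[st.Health.Policy]; !known {
			findings = append(findings, Finding{ep.ID, fmt.Sprintf("unexpected health.policy %q", st.Health.Policy)})
		} else if sev >= 2 {
			findings = append(findings, Finding{ep.ID, "health.policy is " + st.Health.Policy})
		}
		if st.Policy.Realized.PolicyRevision < st.Policy.Spec.PolicyRevision {
			findings = append(findings, Finding{ep.ID, fmt.Sprintf("realized policy revision %d behind spec revision %d",
				st.Policy.Realized.PolicyRevision, st.Policy.Spec.PolicyRevision)})
		}
	}
	return findings, nil
}

// sampleEndpointList is a constructed GET /endpoint body, not real agent output.
const sampleEndpointList = `[
 {"id": 1, "status": {"health": {"bpf": "OK", "policy": "OK", "overallHealth": "OK", "connected": true},
   "policy": {"realized": {"policy-enabled": "ingress", "policy-revision": 7},
              "spec":     {"policy-enabled": "ingress", "policy-revision": 7}}}},
 {"id": 2, "status": {"health": {"bpf": "OK", "policy": "OK", "overallHealth": "OK", "connected": true},
   "policy": {"realized": {"policy-enabled": "none", "policy-revision": 7},
              "spec":     {"policy-enabled": "none", "policy-revision": 7}}}},
 {"id": 3, "status": {"health": {"bpf": "OK", "policy": "Warning", "overallHealth": "Warning", "connected": true},
   "policy": {"realized": {"policy-enabled": "both", "policy-revision": 6},
              "spec":     {"policy-enabled": "both", "policy-revision": 7}}}}
]`

func main() {
	findings, err := CheckEndpoints([]byte(sampleEndpointList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("endpoint %d: %s\n", f.EndpointID, f.Reason)
	}
}
```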
- DELETE /endpoint
Deletes a list of endpoints
Deletes the endpoints that match the provided properties
- Request JSON Object:
container-id (string) – ID assigned by container runtime
- Status Codes:
200 OK – Success
206 Partial Content – Deleted with a number of errors encountered
400 Bad Request – Invalid endpoint delete request
404 Not Found – No endpoints with provided parameters found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- GET /endpoint/{id}/config
Retrieve endpoint configuration
Retrieves the configuration of the specified endpoint.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Status Codes:
200 OK – Success
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- Response JSON Object:
error (string) –
immutable (object) – Map of configuration key/value pairs.
realized.label-configuration.user[] (string) –
realized.options (object) – Map of configuration key/value pairs.
- PATCH /endpoint/{id}/config
Modify mutable endpoint configuration
Updates the configuration of an existing endpoint and automatically regenerates and recompiles the corresponding programs.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Request JSON Object:
label-configuration.user[] (string) –
options (object) – Map of configuration key/value pairs.
- Status Codes:
200 OK – Success
400 Bad Request – Invalid configuration request
403 Forbidden – Forbidden
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
500 Internal Server Error – Update failed. Details in message.
- GET /endpoint/{id}/labels
Retrieves the list of labels associated with an endpoint.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Status Codes:
200 OK – Success
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- Response JSON Object:
spec.user[] (string) –
status.derived[] (string) –
status.disabled[] (string) –
status.realized.user[] (string) –
status.security-relevant[] (string) –
- PATCH /endpoint/{id}/labels
Set label configuration of endpoint
Sets labels associated with an endpoint. These can be user provided or derived from the orchestration system.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Request JSON Object:
user[] (string) –
- Status Codes:
200 OK – Success
403 Forbidden – Forbidden
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
500 Internal Server Error – Error while updating labels
- GET /endpoint/{id}/log
Retrieves the status logs associated with this endpoint.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Status Codes:
200 OK – Success
400 Bad Request – Invalid identity provided
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- Response JSON Object:
[].code (string) – Code indicating the type of status change
[].message (string) – Status message
[].state (string) – State of endpoint
[].timestamp (string) – Timestamp when status change occurred
- GET /endpoint/{id}/healthz
Retrieves the status logs associated with this endpoint.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. cep-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Status Codes:
200 OK – Success
400 Bad Request – Invalid identity provided
404 Not Found – Endpoint not found
429 Too Many Requests – Rate-limiting too many requests in the given time frame
- Response JSON Object:
bpf (string) – A common set of statuses for endpoint health:
* OK = All components operational
* Bootstrap = This component is being created
* Pending = A change is being processed to be applied
* Warning = This component is not applying up-to-date policies (but is still applying the previous version)
* Failure = An error has occurred and no policy is being applied
* Disabled = This endpoint is disabled and will not handle traffic
connected (boolean) – Is this endpoint reachable
overallHealth (string) – A common set of statuses for endpoint health:
* OK = All components operational
* Bootstrap = This component is being created
* Pending = A change is being processed to be applied
* Warning = This component is not applying up-to-date policies (but is still applying the previous version)
* Failure = An error has occurred and no policy is being applied
* Disabled = This endpoint is disabled and will not handle traffic
policy (string) – A common set of statuses for endpoint health:
* OK = All components operational
* Bootstrap = This component is being created
* Pending = A change is being processed to be applied
* Warning = This component is not applying up-to-date policies (but is still applying the previous version)
* Failure = An error has occurred and no policy is being applied
* Disabled = This endpoint is disabled and will not handle traffic
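The [prefix:]id parameter shared by every /endpoint/{id} operation above, parsed in Go as an added example (not Cilium's own client code): only the first colon separates a recognised prefix, since cilium-global and cni-attachment-id values contain further colons; an unprefixed value defaults to cilium-local; and ParseStrict refuses the prefixes the reference marks deprecated and possibly non-unique, which is the safe default before a PATCH or DELETE. Requiring a cilium-local id to be numeric is an assumption taken from the reference's example, not a documented rule.

```go
package main

import (
	"fmt"
	"strings"
)

// prefixInfo records one documented endpoint ID prefix. Deprecated prefixes
// are the ones the reference marks "may not be unique".
type prefixInfo struct {
	description string
	deprecated  bool
}

// endpointIDPrefixes mirrors the "Supported endpoint id prefixes" list above.
var endpointIDPrefixes = map[string]prefixInfo{
	"cilium-local":      {"Local Cilium endpoint UUID", false},
	"cilium-global":     {"Global Cilium endpoint UUID", false},
	"cni-attachment-id": {"CNI attachment ID", false},
	"container-id":      {"Container runtime ID", true},
	"container-name":    {"Container name", true},
	"pod-name":          {"Kubernetes pod name", true},
	"cep-name":          {"CiliumEndpoint name", false},
	"docker-endpoint":   {"Docker libnetwork endpoint ID", false},
}

// EndpointID is the parsed form of a [prefix:]id identifier.
type EndpointID struct {
	Prefix     string
	ID         string
	Deprecated bool // prefix is documented as deprecated / possibly non-unique
}

// String renders the identifier with the prefix made explicit, so that a bare
// "3389595" and "cilium-local:3389595" log as the same endpoint.
func (e EndpointID) String() string { return e.Prefix + ":" + e.ID }

// isASCIIDigits reports whether s is non-empty and consists only of 0-9.
func isASCIIDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// ParseEndpointID splits s into prefix and id. Only the first ":" is
// significant, because global IDs and CNI attachment IDs contain further
// colons. Without a recognised prefix the whole string is taken as a
// cilium-local ID, which this example additionally requires to be numeric
// (an assumption based on the reference's example, not a documented rule).
func ParseEndpointID(s string) (EndpointID, error) {
	prefix, id := "cilium-local", s
	if i := strings.Index(s, ":"); i >= 0 {
		if _, ok := endpointIDPrefixes[s[:i]]; ok {
			prefix, id = s[:i], s[i+1:]
		}
	}
	if id == "" {
		return EndpointID{}, fmt.Errorf("empty id after prefix %q", prefix)
	}
	if prefix == "cilium-local" && !isASCIIDigits(id) {
		return EndpointID{}, fmt.Errorf("cilium-local id %q is not numeric", id)
	}
	return EndpointID{Prefix: prefix, ID: id, Deprecated: endpointIDPrefixes[prefix].deprecated}, nil
}

// ParseStrict is ParseEndpointID plus a refusal of deprecated prefixes, a
// sensible default before sending PATCH or DELETE: a non-unique identifier
// may resolve to a different endpoint than the caller intended.
func ParseStrict(s string) (EndpointID, error) {
	e, err := ParseEndpointID(s)
	if err != nil {
		return e, err
	}
	if e.Deprecated {
		return EndpointID{}, fmt.Errorf("prefix %q (%s) is deprecated and may not be unique; use cilium-local, cni-attachment-id or cep-name instead",
			e.Prefix, endpointIDPrefixes[e.Prefix].description)
	}
	return e, nil
}

func main() {
	for _, s := range []string{"3389595", "cilium-global:cluster1:nodeX:452343", "pod-name:default:foobar", "cilium-local:"} {
		if e, err := ParseStrict(s); err != nil {
			fmt.Printf("%-40s rejected: %v\n", s, err)
		} else {
			fmt.Printf("%-40s ok: %s\n", s, e)
		}
	}
}
```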
- GET /identity
Retrieves a list of identities that have metadata matching the provided parameters.
Retrieves a list of identities that have metadata matching the provided parameters, or all identities if no parameters are provided.
- Request JSON Object:
[] (string) –
- Status Codes:
200 OK – Success
404 Not Found – Identities with provided parameters not found
520 – Identity storage unreachable. Likely a network problem.
521 – Invalid identity format in storage
- Response JSON Object:
[].id (integer) – Unique identifier
[].labelsSHA256 (string) – SHA256 of labels
[].labels[] (string) –
- GET /identity/{id}
Retrieve identity
- Parameters:
id (string) – Cluster wide unique identifier of a security identity.
- Status Codes:
200 OK – Success
400 Bad Request – Invalid identity provided
404 Not Found – Identity not found
520 – Identity storage unreachable. Likely a network problem.
521 – Invalid identity format in storage
- Response JSON Object:
id (integer) – Unique identifier
labelsSHA256 (string) – SHA256 of labels
labels[] (string) –
- GET /identity/endpoints
Retrieve identities which are being used by local endpoints
- Status Codes:
200 OK – Success
404 Not Found – Set of identities which are being used by local endpoints could not be found.
- Response JSON Object:
[].identity.id (integer) – Unique identifier
[].identity.labelsSHA256 (string) – SHA256 of labels
[].identity.labels[] (string) –
[].refCount (integer) – number of endpoints consuming this identity locally (should always be > 0)
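The identity calls above are the ones that give cluster-wide visibility, so they are what an auditor reaches for first. The following is an added example, not code from the Cilium project: a standard-library Python client that talks HTTP to the agent over its UNIX socket (the path /var/run/cilium/cilium.sock is the agent default and is assumed here), treats a 404 from GET /identity as an empty result rather than a failure (520/521 remain errors), looks identities up by label, and checks the documented refCount > 0 invariant of GET /identity/endpoints. The sample responses are constructed to match the field lists above; the numeric identities and labels in them are made up.

```python
# Added example (not Cilium project code): query the agent's identity API over its
# UNIX socket with only the Python standard library, and sanity-check the result.
from __future__ import annotations

import http.client
import json
import socket
from typing import Any, Optional

CILIUM_SOCK = "/var/run/cilium/cilium.sock"  # assumed default agent socket path


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 over a UNIX domain socket; the agent API is not exposed on TCP by default."""

    def __init__(self, path: str = CILIUM_SOCK, timeout: float = 10.0) -> None:
        super().__init__("localhost", timeout=timeout)  # only sets the Host header
        self._path = path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self._path)


class ApiError(Exception):
    def __init__(self, status: int, body: str) -> None:
        super().__init__(f"HTTP {status}: {body.strip()}")
        self.status = status


def api_get(path: str, conn: Optional[http.client.HTTPConnection] = None) -> Any:
    """GET `path` from the agent and decode the JSON body; non-2xx raises ApiError."""
    conn = conn or UnixHTTPConnection()
    conn.request("GET", path, headers={"Accept": "application/json"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8")
    if resp.status // 100 != 2:
        raise ApiError(resp.status, body)
    return json.loads(body) if body else None


def parse_identities(payload: list[dict]) -> dict[int, frozenset[str]]:
    """GET /identity response -> {numeric identity: its label set}."""
    return {int(ident["id"]): frozenset(ident.get("labels") or []) for ident in payload}


def list_identities(conn: Optional[http.client.HTTPConnection] = None) -> dict[int, frozenset[str]]:
    """Cluster-wide identity list. The API answers 404 when nothing matched; for a
    lister that is an empty result, not a failure (520/521 are real failures)."""
    try:
        payload = api_get("/identity", conn) or []
    except ApiError as err:
        if err.status == 404:
            return {}
        raise
    return parse_identities(payload)


def identities_with_label(identities: dict[int, frozenset[str]], label: str) -> list[int]:
    """Numeric identities whose label set contains `label` (in "source:key=value" form)."""
    return sorted(i for i, labels in identities.items() if label in labels)


def local_identity_anomalies(endpoint_payload: list[dict]) -> list[str]:
    """Check the invariants of GET /identity/endpoints: each identity listed once and
    refCount > 0. Anything else points at stale local state worth investigating."""
    problems: list[str] = []
    seen: set[int] = set()
    for entry in endpoint_payload:
        ident = int(entry["identity"]["id"])
        refs = int(entry.get("refCount", 0))
        if ident in seen:
            problems.append(f"identity {ident}: listed more than once")
        seen.add(ident)
        if refs <= 0:
            problems.append(f"identity {ident}: refCount {refs} (expected > 0)")
    return problems


# Constructed sample responses: shapes follow the field lists above, values are made up.
SAMPLE_IDENTITIES = [
    {"id": 1, "labels": ["reserved:host"]},
    {"id": 16777, "labels": ["k8s:app=frontend", "k8s:io.kubernetes.pod.namespace=shop"]},
    {"id": 16778, "labels": ["k8s:app=payments", "k8s:io.kubernetes.pod.namespace=shop"]},
]
SAMPLE_ENDPOINT_IDENTITIES = [
    {"identity": SAMPLE_IDENTITIES[1], "refCount": 2},
    {"identity": SAMPLE_IDENTITIES[2], "refCount": 0},  # violates the documented invariant
]

if __name__ == "__main__":
    ids = parse_identities(SAMPLE_IDENTITIES)
    print("shop namespace:", identities_with_label(ids, "k8s:io.kubernetes.pod.namespace=shop"))
    print("anomalies:", local_identity_anomalies(SAMPLE_ENDPOINT_IDENTITIES))
    # Against a live agent: list_identities() and api_get("/identity/endpoints")
```

Run it on a node as a user with access to the socket; the `__main__` block works offline on the constructed data. The one design point worth copying is the 404 handling: for the list call the documentation defines 404 as "no identities matched", so a monitoring script that treats it as an outage will page on an empty cluster.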
- POST /ipam
Allocate an IP address
- Query Parameters:
family (string) –
owner (string) –
pool (string) –
- Status Codes:
201 Created – Success
403 Forbidden – Forbidden
502 Bad Gateway – Allocation failure
- Request Headers:
expiration –
- Response JSON Object:
address.ipv4 (string) – IPv4 address
address.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
address.ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
address.ipv6 (string) – IPv6 address
address.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
address.ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints
host-addressing.ipv4.enabled (boolean) – True if address family is enabled
host-addressing.ipv4.ip (string) – IP address of node
host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints
host-addressing.ipv6.enabled (boolean) – True if address family is enabled
host-addressing.ipv6.ip (string) – IP address of node
ipv4.cidrs[] (string) –
ipv4.expiration-uuid (string) – The UUID for the expiration timer. Set when expiration has been enabled while allocating.
ipv4.gateway (string) – IP of gateway
ipv4.interface-number (string) – InterfaceNumber is a field for generically identifying an interface. This is only useful in ENI mode.
ipv4.ip (string) – Allocated IP for endpoint
ipv4.master-mac (string) – MAC of master interface if address is a slave/secondary of a master interface
ipv6.cidrs[] (string) –
ipv6.expiration-uuid (string) – The UUID for the expiration timer. Set when expiration has been enabled while allocating.
ipv6.gateway (string) – IP of gateway
ipv6.interface-number (string) – InterfaceNumber is a field for generically identifying an interface. This is only useful in ENI mode.
ipv6.ip (string) – Allocated IP for endpoint
ipv6.master-mac (string) – MAC of master interface if address is a slave/secondary of a master interface
- POST /ipam/{ip}
Allocate an IP address
- Parameters:
ip (string) – IP address
- Query Parameters:
owner (string) –
pool (string) –
- Status Codes:
200 OK – Success
400 Bad Request – Invalid IP address
403 Forbidden – Forbidden
409 Conflict – IP already allocated
500 Internal Server Error – IP allocation failure. Details in message.
501 Not Implemented – Allocation for address family disabled
- DELETE /ipam/{ip}
Release an allocated IP address
- Parameters:
ip (string) – IP address
- Query Parameters:
pool (string) –
- Status Codes:
200 OK – Success
400 Bad Request – Invalid IP address
403 Forbidden – Forbidden
404 Not Found – IP address not found
500 Internal Server Error – Address release failure
501 Not Implemented – Allocation for address family disabled
- GET /policy
Retrieve entire policy tree
Returns the entire policy tree with all children.
- Request JSON Object:
[] (string) – Labels selecting the rules to return
- Status Codes:
200 OK – Success
404 Not Found – No policy rules found
- Response JSON Object:
policy (string) – Policy definition as JSON.
revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository
- PUT /policy
Create or update a policy (sub)tree
- Query Parameters:
replace (boolean) – If true, indicates that existing rules with identical labels should be replaced.
replace-with-labels (array) – If present, indicates that existing rules with the given labels should be deleted.
- Status Codes:
200 OK – Success
400 Bad Request – Invalid policy
403 Forbidden – Forbidden
460 – Invalid path
500 Internal Server Error – Policy import failed
- Response JSON Object:
policy (string) – Policy definition as JSON.
revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository
- DELETE /policy
Delete a policy (sub)tree
- Request JSON Object:
[] (string) – Labels selecting the rules to delete
- Status Codes:
200 OK – Success
400 Bad Request – Invalid request
403 Forbidden – Forbidden
404 Not Found – Policy not found
500 Internal Server Error – Error while deleting policy
- Response JSON Object:
policy (string) – Policy definition as JSON.
revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository
- GET /policy/selectors
See what selectors match which identities
- Status Codes:
200 OK – Success
- Response JSON Object:
[].identities[] (integer) –
[].labels[].key (string) –
[].labels[].source (string) – Label source, one of the LabelSource* constants (e.g. LabelSourceContainer)
[].labels[].value (string) –
[].selector (string) – string form of selector
[].users (integer) – number of users of this selector in the cache
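GET /policy/selectors is the quickest way to find out what a policy actually matches after import: a selector with an empty identities list is a rule that silently does nothing, and one matching far more identities than expected is wider than intended. The following is an added example, not Cilium project code. It works on the decoded JSON of GET /policy/selectors (and optionally the id-to-labels map from GET /identity) and also carries the revision check for PUT /policy. The sample response is constructed; its selector strings are abbreviated placeholders, not the agent's exact selector format, and the rule labels and identity numbers are made up.

```python
# Added example (not Cilium project code): audit the selector cache returned by
# GET /policy/selectors, and confirm a PUT /policy actually advanced the revision.
from __future__ import annotations

from typing import Optional


def format_label(label: dict) -> str:
    """Render a labels[] entry (key/source/value) in the usual "source:key=value" form."""
    text = f"{label.get('source', 'unspec')}:{label['key']}"
    return f"{text}={label['value']}" if label.get("value") else text


def selector_report(selectors: list[dict],
                    identities: Optional[dict[int, frozenset[str]]] = None,
                    broad_threshold: int = 50) -> list[dict]:
    """One summary row per cached selector with review flags:
      no-match  matches zero identities (typically a mistyped label; the rule is inert)
      broad     matches at least `broad_threshold` identities (wider than intended?)
      unused    users == 0, so no rule in the cache currently references it
    `identities` (id -> labels, e.g. from GET /identity) expands matches to labels."""
    rows = []
    for sel in selectors:
        matched = sorted(int(i) for i in sel.get("identities") or [])
        users = int(sel.get("users", 0))
        flags = []
        if not matched:
            flags.append("no-match")
        elif len(matched) >= broad_threshold:
            flags.append("broad")
        if users == 0:
            flags.append("unused")
        row = {
            "selector": sel.get("selector", ""),
            "rule_labels": sorted(format_label(lbl) for lbl in sel.get("labels") or []),
            "identities": matched,
            "users": users,
            "flags": flags,
        }
        if identities is not None:
            row["identity_labels"] = {i: sorted(identities.get(i, ())) for i in matched}
        rows.append(row)
    return rows


def revision_advanced(before: dict, after: dict) -> bool:
    """PUT /policy returns the new revision. If it did not increase relative to the
    GET /policy taken beforehand, no change was recorded in the agent's repository."""
    return int(after["revision"]) > int(before["revision"])


# Constructed sample: selector strings are abbreviated placeholders, not the agent's format.
POLICY_LABELS = [{"key": "io.cilium.k8s.policy.name", "value": "allow-frontend", "source": "k8s"}]
SAMPLE_SELECTORS = [
    {"selector": "app=frontend,namespace=shop", "identities": [16777], "users": 1, "labels": POLICY_LABELS},
    {"selector": "app=fronted,namespace=shop", "identities": [], "users": 1, "labels": POLICY_LABELS},  # typo
    {"selector": "namespace=shop", "identities": list(range(16800, 16900)), "users": 3, "labels": POLICY_LABELS},
]

if __name__ == "__main__":
    for row in selector_report(SAMPLE_SELECTORS):
        print(f"{row['selector']:<32} {len(row['identities']):>4} ids  flags={row['flags']}")
```

Feed it the live responses and run it after every policy import; the `no-match` flag is the cheap guard against a label typo that leaves a workload less protected than the policy author believes.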
- GET /lrp
Retrieve list of all local redirect policies
- Status Codes:
200 OK – Success
- Response JSON Object:
[].frontend-mappings[].backends[].backend-address.ip (string) – Layer 3 address (required)
[].frontend-mappings[].backends[].backend-address.nodeName (string) – Optional name of the node on which this backend runs
[].frontend-mappings[].backends[].backend-address.port (integer) – Layer 4 port number
[].frontend-mappings[].backends[].backend-address.preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.
[].frontend-mappings[].backends[].backend-address.protocol (string) – Layer 4 protocol (TCP, UDP, etc)
[].frontend-mappings[].backends[].backend-address.state (string) – State of the backend for load-balancing service traffic
[].frontend-mappings[].backends[].backend-address.weight (integer) – Backend weight
[].frontend-mappings[].backends[].backend-address.zone (string) – Optional name of the zone in which this backend runs
[].frontend-mappings[].backends[].pod-id (string) – Namespace and name of the backend pod
[].frontend-mappings[].frontend-address.ip (string) – Layer 3 address
[].frontend-mappings[].frontend-address.port (integer) – Layer 4 port number
[].frontend-mappings[].frontend-address.protocol (string) – Layer 4 protocol
[].frontend-mappings[].frontend-address.scope (string) – Load balancing scope for frontend address
[].frontend-type (string) – LRP frontend type
[].lrp-type (string) – LRP config type
[].name (string) – LRP service name
[].namespace (string) – LRP service namespace
[].service-id (string) – matching k8s service namespace and name
[].uid (string) – Unique identification
- GET /service
Retrieve list of all services
- Status Codes:
200 OK – Success
- Response JSON Object:
[].spec.backend-addresses[].ip (string) – Layer 3 address (required)
[].spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
[].spec.backend-addresses[].port (integer) – Layer 4 port number
[].spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.
[].spec.backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
[].spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic
[].spec.backend-addresses[].weight (integer) – Backend weight
[].spec.backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
[].spec.flags.cluster (string) – Service cluster
[].spec.flags.extTrafficPolicy (string) – Service external traffic policy
[].spec.flags.healthCheckNodePort (integer) – Service health check node port
[].spec.flags.intTrafficPolicy (string) – Service internal traffic policy
[].spec.flags.name (string) – Service name (e.g. Kubernetes service name)
[].spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
[].spec.flags.natPolicy (string) – Service protocol NAT policy
[].spec.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
[].spec.flags.type (string) – Service type
[].spec.frontend-address.ip (string) – Layer 3 address
[].spec.frontend-address.port (integer) – Layer 4 port number
[].spec.frontend-address.protocol (string) – Layer 4 protocol
[].spec.frontend-address.scope (string) – Load balancing scope for frontend address
[].spec.id (integer) – Unique identification
[].spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
[].status.realized.backend-addresses[].ip (string) – Layer 3 address (required)
[].status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
[].status.realized.backend-addresses[].port (integer) – Layer 4 port number
[].status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.
[].status.realized.backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
[].status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic
[].status.realized.backend-addresses[].weight (integer) – Backend weight
[].status.realized.backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
[].status.realized.flags.cluster (string) – Service cluster
[].status.realized.flags.extTrafficPolicy (string) – Service external traffic policy
[].status.realized.flags.healthCheckNodePort (integer) – Service health check node port
[].status.realized.flags.intTrafficPolicy (string) – Service internal traffic policy
[].status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)
[].status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
[].status.realized.flags.natPolicy (string) – Service protocol NAT policy
[].status.realized.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
[].status.realized.flags.type (string) – Service type
[].status.realized.frontend-address.ip (string) – Layer 3 address
[].status.realized.frontend-address.port (integer) – Layer 4 port number
[].status.realized.frontend-address.protocol (string) – Layer 4 protocol
[].status.realized.frontend-address.scope (string) – Load balancing scope for frontend address
[].status.realized.id (integer) – Unique identification
[].status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
- GET /service/{id}
Retrieve configuration of a service
- Parameters:
id (integer) – ID of service
- Status Codes:
200 OK – Success
404 Not Found – Service not found
- Response JSON Object:
spec.backend-addresses[].ip (string) – Layer 3 address (required)
spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
spec.backend-addresses[].port (integer) – Layer 4 port number
spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.
spec.backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic
spec.backend-addresses[].weight (integer) – Backend weight
spec.backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
spec.flags.cluster (string) – Service cluster
spec.flags.extTrafficPolicy (string) – Service external traffic policy
spec.flags.healthCheckNodePort (integer) – Service health check node port
spec.flags.intTrafficPolicy (string) – Service internal traffic policy
spec.flags.name (string) – Service name (e.g. Kubernetes service name)
spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
spec.flags.natPolicy (string) – Service protocol NAT policy
spec.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
spec.flags.type (string) – Service type
spec.frontend-address.ip (string) – Layer 3 address
spec.frontend-address.port (integer) – Layer 4 port number
spec.frontend-address.protocol (string) – Layer 4 protocol
spec.frontend-address.scope (string) – Load balancing scope for frontend address
spec.id (integer) – Unique identification
spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
status.realized.backend-addresses[].ip (string) – Layer 3 address (required)
status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
status.realized.backend-addresses[].port (integer) – Layer 4 port number
status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.
status.realized.backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic
status.realized.backend-addresses[].weight (integer) – Backend weight
status.realized.backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
status.realized.flags.cluster (string) – Service cluster
status.realized.flags.extTrafficPolicy (string) – Service external traffic policy
status.realized.flags.healthCheckNodePort (integer) – Service health check node port
status.realized.flags.intTrafficPolicy (string) – Service internal traffic policy
status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)
status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
status.realized.flags.natPolicy (string) – Service protocol NAT policy
status.realized.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
status.realized.flags.type (string) – Service type
status.realized.frontend-address.ip (string) – Layer 3 address
status.realized.frontend-address.port (integer) – Layer 4 port number
status.realized.frontend-address.protocol (string) – Layer 4 protocol
status.realized.frontend-address.scope (string) – Load balancing scope for frontend address
status.realized.id (integer) – Unique identification
status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
- PUT /service/{id}
Create or update service
- Parameters:
id (integer) – ID of service
- Request JSON Object:
backend-addresses[].ip (string) – Layer 3 address (required)
backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
backend-addresses[].port (integer) – Layer 4 port number
backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.
backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
backend-addresses[].state (string) – State of the backend for load-balancing service traffic
backend-addresses[].weight (integer) – Backend weight
backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
flags.cluster (string) – Service cluster
flags.extTrafficPolicy (string) – Service external traffic policy
flags.healthCheckNodePort (integer) – Service health check node port
flags.intTrafficPolicy (string) – Service internal traffic policy
flags.name (string) – Service name (e.g. Kubernetes service name)
flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
flags.natPolicy (string) – Service protocol NAT policy
flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
flags.type (string) – Service type
frontend-address.ip (string) – Layer 3 address
frontend-address.port (integer) – Layer 4 port number
frontend-address.protocol (string) – Layer 4 protocol
frontend-address.scope (string) – Load balancing scope for frontend address
id (integer) – Unique identification
updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
- Status Codes:
200 OK – Updated
201 Created – Created
403 Forbidden – Forbidden
460 – Invalid frontend in service configuration
461 – Invalid backend in service configuration
500 Internal Server Error – Error while creating service
501 Not Implemented – Error while updating backend states
- DELETE /service/{id}
Delete a service
- Parameters:
id (integer) – ID of service
- Status Codes:
200 OK – Success
403 Forbidden – Forbidden
404 Not Found – Service not found
500 Internal Server Error – Service deletion failed
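Every service object above carries both a spec (what was requested) and a status.realized (what the datapath currently has), and PUT /service/{id} rejects malformed frontends and backends with 460 and 461. The following is an added example, not Cilium project code: it diffs the two views of a GET /service/{id} response to surface backends that were requested but not realized, backends still realized after being removed from the spec, and state mismatches, and it pre-flights a PUT body for the address and port problems a client can catch locally. Protocol and state strings are passed through unvalidated because this page does not enumerate their allowed values. The sample service is constructed.

```python
# Added example (not Cilium project code): detect drift between a service's spec and
# its realized datapath state (GET /service/{id}) and pre-flight a PUT /service/{id}
# body against the documented 460 (frontend) / 461 (backend) rejections.
from __future__ import annotations

import ipaddress


def _valid_ip(value) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def _valid_port(value) -> bool:
    return isinstance(value, int) and 0 <= value <= 65535


def backend_key(backend: dict) -> tuple:
    """Identity of a backend for comparison: L3 address, L4 port, L4 protocol."""
    return (backend["ip"], int(backend.get("port", 0)), backend.get("protocol", ""))


def service_drift(service: dict) -> dict:
    """Compare spec (requested) with status.realized (programmed into the datapath):
    pending         in spec, not yet realized
    stale           realized but no longer in spec (traffic may still reach them)
    state_mismatch  same backend, different load-balancing state
    frontend_match  realized frontend equals the requested one"""
    spec = {backend_key(b): b for b in service["spec"].get("backend-addresses") or []}
    real = {backend_key(b): b for b in service["status"]["realized"].get("backend-addresses") or []}
    common = spec.keys() & real.keys()
    return {
        "pending": sorted(spec.keys() - real.keys()),
        "stale": sorted(real.keys() - spec.keys()),
        "state_mismatch": sorted(k for k in common if spec[k].get("state") != real[k].get("state")),
        "frontend_match": service["spec"].get("frontend-address")
        == service["status"]["realized"].get("frontend-address"),
    }


def validate_service_spec(spec: dict) -> list[str]:
    """Client-side checks for conditions the agent rejects with 460 (invalid frontend)
    and 461 (invalid backend). Returns a list of problems, empty when the body looks sane."""
    errors: list[str] = []
    frontend = spec.get("frontend-address") or {}
    if not _valid_ip(frontend.get("ip")):
        errors.append("frontend: invalid ip")
    if not _valid_port(frontend.get("port")):
        errors.append("frontend: invalid port")
    for idx, backend in enumerate(spec.get("backend-addresses") or []):
        if not _valid_ip(backend.get("ip")):  # ip is the one required backend field
            errors.append(f"backend[{idx}]: invalid ip")
        if not _valid_port(backend.get("port")):
            errors.append(f"backend[{idx}]: invalid port")
    return errors


# Constructed GET /service/{id} response: one backend not yet realized, one stale.
FRONTEND = {"ip": "10.96.0.10", "port": 53, "protocol": "UDP", "scope": "external"}
FLAGS = {"type": "ClusterIP", "name": "kube-dns", "namespace": "kube-system"}
SAMPLE_SERVICE = {
    "spec": {
        "id": 7, "frontend-address": FRONTEND, "flags": FLAGS,
        "backend-addresses": [
            {"ip": "10.0.1.5", "port": 53, "protocol": "UDP", "state": "active", "weight": 100},
            {"ip": "10.0.1.6", "port": 53, "protocol": "UDP", "state": "active", "weight": 100},
        ],
    },
    "status": {"realized": {
        "id": 7, "frontend-address": FRONTEND, "flags": FLAGS,
        "backend-addresses": [
            {"ip": "10.0.1.5", "port": 53, "protocol": "UDP", "state": "active", "weight": 100},
            {"ip": "10.0.1.9", "port": 53, "protocol": "UDP", "state": "active", "weight": 100},
        ],
    }},
}

if __name__ == "__main__":
    print(service_drift(SAMPLE_SERVICE))
    print(validate_service_spec(SAMPLE_SERVICE["spec"]))
```

A non-empty `stale` list is the one to act on: a backend the datapath still forwards to after it left the spec is exactly the case where a reviewer should look at the agent's controllers before trusting the service table.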
- GET /recorder
Retrieve list of all recorders
- Status Codes:
200 OK – Success
- Response JSON Object:
[].spec.capture-length (integer) – Maximum packet length or zero for full packet length
[].spec.filters[].dst-port (string) – Layer 4 destination port; zero matches any port (port ranges are not supported yet)
[].spec.filters[].dst-prefix (string) – Layer 3 destination CIDR
[].spec.filters[].protocol (string) – Layer 4 protocol
[].spec.filters[].src-port (string) – Layer 4 source port; zero matches any port (port ranges are not supported yet)
[].spec.filters[].src-prefix (string) – Layer 3 source CIDR
[].spec.id (integer) – Unique identification (required)
[].status.realized.capture-length (integer) – Maximum packet length or zero for full packet length
[].status.realized.filters[].dst-port (string) – Layer 4 destination port; zero matches any port (port ranges are not supported yet)
[].status.realized.filters[].dst-prefix (string) – Layer 3 destination CIDR
[].status.realized.filters[].protocol (string) – Layer 4 protocol
[].status.realized.filters[].src-port (string) – Layer 4 source port; zero matches any port (port ranges are not supported yet)
[].status.realized.filters[].src-prefix (string) – Layer 3 source CIDR
[].status.realized.id (integer) – Unique identification (required)
- GET /recorder/masks
Retrieve list of all recorder masks
- Status Codes:
200 OK – Success
- Response JSON Object:
[].status.realized.dst-port-mask (string) – Layer 4 destination port mask
[].status.realized.dst-prefix-mask (string) – Layer 3 destination IP mask
[].status.realized.priority (integer) – Priority of this mask
[].status.realized.protocol-mask (string) – Layer 4 protocol mask
[].status.realized.src-port-mask (string) – Layer 4 source port mask
[].status.realized.src-prefix-mask (string) – Layer 3 source IP mask
[].status.realized.users (integer) – Number of users of this mask
- GET /recorder/{id}
Retrieve configuration of a recorder
- Parameters:
id (integer) – ID of recorder
- Status Codes:
200 OK – Success
404 Not Found – Recorder not found
- Response JSON Object:
spec.capture-length (integer) – Maximum packet length or zero for full packet length
spec.filters[].dst-port (string) – Layer 4 destination port; zero matches any port (port ranges are not supported yet)
spec.filters[].dst-prefix (string) – Layer 3 destination CIDR
spec.filters[].protocol (string) – Layer 4 protocol
spec.filters[].src-port (string) – Layer 4 source port; zero matches any port (port ranges are not supported yet)
spec.filters[].src-prefix (string) – Layer 3 source CIDR
spec.id (integer) – Unique identification (required)
status.realized.capture-length (integer) – Maximum packet length or zero for full packet length
status.realized.filters[].dst-port (string) – Layer 4 destination port; zero matches any port (port ranges are not supported yet)
status.realized.filters[].dst-prefix (string) – Layer 3 destination CIDR
status.realized.filters[].protocol (string) – Layer 4 protocol
status.realized.filters[].src-port (string) – Layer 4 source port; zero matches any port (port ranges are not supported yet)
status.realized.filters[].src-prefix (string) – Layer 3 source CIDR
status.realized.id (integer) – Unique identification (required)
- PUT /recorder/{id}
Create or update recorder
- Parameters:
id (integer) – ID of recorder
- Request JSON Object:
capture-length (integer) – Maximum packet length or zero for full packet length
filters[].dst-port (string) – Layer 4 destination port; zero matches any port (port ranges are not supported yet)
filters[].dst-prefix (string) – Layer 3 destination CIDR
filters[].protocol (string) – Layer 4 protocol
filters[].src-port (string) – Layer 4 source port; zero matches any port (port ranges are not supported yet)
filters[].src-prefix (string) – Layer 3 source CIDR
id (integer) – Unique identification (required)
- Status Codes:
200 OK – Updated
201 Created – Created
403 Forbidden – Forbidden
500 Internal Server Error – Error while creating recorder
- DELETE /recorder/{id}
Delete a recorder
- Parameters:
id (integer) – ID of recorder
- Status Codes:
200 OK – Success
403 Forbidden – Forbidden
404 Not Found – Recorder not found
500 Internal Server Error – Recorder deletion failed
- GET /prefilter
Retrieve list of CIDRs
- Status Codes:
200 OK – Success
500 Internal Server Error – Prefilter get failed
- Response JSON Object:
spec.deny[] (string) –
spec.revision (integer) –
status.realized.deny[] (string) –
status.realized.revision (integer) –
- PATCH /prefilter
Update list of CIDRs
- Request JSON Object:
deny[] (string) –
revision (integer) –
- Status Codes:
200 OK – Updated
403 Forbidden – Forbidden
461 – Invalid CIDR prefix
500 Internal Server Error – Prefilter update failed
- Response JSON Object:
spec.deny[] (string) –
spec.revision (integer) –
status.realized.deny[] (string) –
status.realized.revision (integer) –
- DELETE /prefilter
Delete list of CIDRs
- Request JSON Object:
deny[] (string) –
revision (integer) –
- Status Codes:
200 OK – Deleted
403 Forbidden – Forbidden
461 – Invalid CIDR prefix
500 Internal Server Error – Prefilter delete failed
- Response JSON Object:
spec.deny[] (string) –
spec.revision (integer) –
status.realized.deny[] (string) –
status.realized.revision (integer) –
- GET /debuginfo
Retrieve information about the agent and environment for debugging
- Status Codes:
200 OK – Success
500 Internal Server Error – DebugInfo get failed
- Response JSON Object:
cilium-memory-map (string) –
cilium-nodemonitor-memory-map (string) –
cilium-status.attach-mode (string) – Core datapath attachment mode
cilium-status.auth-certificate-provider.msg (string) – Human readable status/error/warning message
cilium-status.auth-certificate-provider.state (string) – State the component is in
cilium-status.bandwidth-manager.congestionControl (string) –
cilium-status.bandwidth-manager.devices[] (string) –
cilium-status.bandwidth-manager.enabled (boolean) – Is bandwidth manager enabled
cilium-status.bpf-maps.dynamic-size-ratio (number) – Ratio of total system memory to use for dynamic sizing of BPF maps
cilium-status.bpf-maps.maps[].name (string) – Name of the BPF map
cilium-status.bpf-maps.maps[].size (integer) – Size of the BPF map
cilium-status.cilium.msg (string) – Human readable status/error/warning message
cilium-status.cilium.state (string) – State the component is in
cilium-status.client-id (integer) – When supported by the API, this client ID should be used by the client when making another request to the server. See for example “/cluster/nodes”.
cilium-status.clock-source.hertz (integer) – Kernel Hz
cilium-status.clock-source.mode (string) – Datapath clock source
cilium-status.cluster (any) – Status of cluster
cilium-status.cluster-mesh (any) – Status of ClusterMesh
cilium-status.cni-chaining (any) – Status of CNI chaining
cilium-status.cni-file.msg (string) – Human readable status/error/warning message
cilium-status.cni-file.state (string) – State the component is in
cilium-status.container-runtime.msg (string) – Human readable status/error/warning message
cilium-status.container-runtime.state (string) – State the component is in
cilium-status.controllers[].configuration.error-retry (boolean) – Retry on error
cilium-status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time
cilium-status.controllers[].configuration.interval (string) – Regular synchronization interval
cilium-status.controllers[].name (string) – Name of controller
cilium-status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success
cilium-status.controllers[].status.failure-count (integer) – Total number of failed runs
cilium-status.controllers[].status.last-failure-msg (string) – Error message of last failed run
cilium-status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error
cilium-status.controllers[].status.last-success-timestamp (string) – Timestamp of last success
cilium-status.controllers[].status.success-count (integer) – Total number of successful runs
cilium-status.controllers[].uuid (string) – UUID of controller
cilium-status.datapath-mode (string) – Datapath mode
cilium-status.encryption (any) – Status of transparent encryption
cilium-status.host-firewall.devices[] (string) –
cilium-status.host-firewall.mode (string) –
cilium-status.hubble.metrics.state (string) – State of the Hubble metrics
cilium-status.hubble.msg (string) – Human readable status/error/warning message
cilium-status.hubble.observer.current-flows (integer) – Current number of flows this Hubble observer stores
cilium-status.hubble.observer.max-flows (integer) – Maximum number of flows this Hubble observer is able to store
cilium-status.hubble.observer.seen-flows (integer) – Total number of flows this Hubble observer has seen
cilium-status.hubble.observer.uptime (string) – Uptime of this Hubble observer instance
cilium-status.hubble.state (string) – State the component is in
cilium-status.identity-range (any) – Status of identity range of the cluster
cilium-status.ipam (any) – Status of IP address management
cilium-status.ipv4-big-tcp.enabled (boolean) – Is IPv4 BIG TCP enabled
cilium-status.ipv4-big-tcp.maxGRO (integer) – Maximum IPv4 GRO size
cilium-status.ipv4-big-tcp.maxGSO (integer) – Maximum IPv4 GSO size
cilium-status.ipv6-big-tcp.enabled (boolean) – Is IPv6 BIG TCP enabled
cilium-status.ipv6-big-tcp.maxGRO (integer) – Maximum IPv6 GRO size
cilium-status.ipv6-big-tcp.maxGSO (integer) – Maximum IPv6 GSO size
cilium-status.kube-proxy-replacement.deviceList[].ip[] (string) –
cilium-status.kube-proxy-replacement.deviceList[].name (string) –
cilium-status.kube-proxy-replacement.devices[] (string) –
cilium-status.kube-proxy-replacement.directRoutingDevice (string) –
cilium-status.kube-proxy-replacement.features.annotations[] (string) –
cilium-status.kube-proxy-replacement.features.bpfSocketLBHostnsOnly (boolean) – flag bpf-lb-sock-hostns-only
cilium-status.kube-proxy-replacement.features.externalIPs.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.gracefulTermination.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.hostPort.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.hostReachableServices.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.hostReachableServices.protocols[] (string) –
cilium-status.kube-proxy-replacement.features.nat46X64.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.nat46X64.gateway.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.nat46X64.gateway.prefixes[] (string) –
cilium-status.kube-proxy-replacement.features.nat46X64.service.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.nodePort.acceleration (string) –
cilium-status.kube-proxy-replacement.features.nodePort.algorithm (string) –
cilium-status.kube-proxy-replacement.features.nodePort.dsrMode (string) –
cilium-status.kube-proxy-replacement.features.nodePort.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.nodePort.lutSize (integer) –
cilium-status.kube-proxy-replacement.features.nodePort.mode (string) –
cilium-status.kube-proxy-replacement.features.nodePort.portMax (integer) –
cilium-status.kube-proxy-replacement.features.nodePort.portMin (integer) –
cilium-status.kube-proxy-replacement.features.sessionAffinity.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.socketLB.enabled (boolean) –
cilium-status.kube-proxy-replacement.features.socketLBTracing.enabled (boolean) –
cilium-status.kube-proxy-replacement.mode (string) –
cilium-status.kubernetes.k8s-api-versions[] (string) –
cilium-status.kubernetes.msg (string) – Human readable status/error/warning message
cilium-status.kubernetes.state (string) – State the component is in
cilium-status.kvstore.msg (string) – Human readable status/error/warning message
cilium-status.kvstore.state (string) – State the component is in
cilium-status.masquerading.enabled (boolean) –
cilium-status.masquerading.enabledProtocols.ipv4 (boolean) – Is masquerading enabled for IPv4 traffic
cilium-status.masquerading.enabledProtocols.ipv6 (boolean) – Is masquerading enabled for IPv6 traffic
cilium-status.masquerading.ip-masq-agent (boolean) – Is BPF ip-masq-agent enabled
cilium-status.masquerading.mode (string) –
cilium-status.masquerading.snat-exclusion-cidr (string) – This field is obsolete, please use snat-exclusion-cidr-v4 or snat-exclusion-cidr-v6.
cilium-status.masquerading.snat-exclusion-cidr-v4 (string) – SnatExclusionCIDRv4 exempts SNAT from being performed on any packet sent to an IPv4 address that belongs to this CIDR.
cilium-status.masquerading.snat-exclusion-cidr-v6 (string) – SnatExclusionCIDRv6 exempts SNAT from being performed on any packet sent to an IPv6 address that belongs to this CIDR. For IPv6 we only do masquerading in iptables mode.
cilium-status.nodeMonitor (any) – Status of the node monitor
cilium-status.proxy.envoy-deployment-mode (string) – Deployment mode of Envoy L7 proxy
cilium-status.proxy.ip (string) – IP address that the proxy listens on
cilium-status.proxy.port-range (string) – Port range used for proxying
cilium-status.proxy.redirects[].name (string) – Name of the proxy redirect
cilium-status.proxy.redirects[].proxy (string) – Name of the proxy this redirect points to
cilium-status.proxy.redirects[].proxy-port (integer) – Host port that this redirect points to
cilium-status.proxy.total-ports (integer) – Total number of listening proxy ports
cilium-status.proxy.total-redirects (integer) – Total number of ports configured to redirect to proxies
cilium-status.routing.inter-host-routing-mode (string) – Datapath routing mode for cross-cluster connectivity
cilium-status.routing.intra-host-routing-mode (string) – Datapath routing mode for connectivity within the host
cilium-status.routing.tunnel-protocol (string) – Tunnel protocol in use for cross-cluster connectivity
cilium-status.srv6.enabled (boolean) –
cilium-status.srv6.srv6EncapMode (string) –
cilium-status.stale (object) – List of stale information in the status
cilium-version (string) –
encryption.wireguard (any) – Status of the WireGuard agent
endpoint-list[].id (integer) – The cilium-agent-local ID of the endpoint
endpoint-list[].spec.label-configuration.user[] (string) –
endpoint-list[].spec.options (object) – Map of configuration key/value pairs.
endpoint-list[].status.controllers[].configuration.error-retry (boolean) – Retry on error
endpoint-list[].status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time
endpoint-list[].status.controllers[].configuration.interval (string) – Regular synchronization interval
endpoint-list[].status.controllers[].name (string) – Name of controller
endpoint-list[].status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success
endpoint-list[].status.controllers[].status.failure-count (integer) – Total number of failed runs
endpoint-list[].status.controllers[].status.last-failure-msg (string) – Error message of last failed run
endpoint-list[].status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error
endpoint-list[].status.controllers[].status.last-success-timestamp (string) – Timestamp of last success
endpoint-list[].status.controllers[].status.success-count (integer) – Total number of successful runs
endpoint-list[].status.controllers[].uuid (string) – UUID of controller
endpoint-list[].status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime
endpoint-list[].status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)
endpoint-list[].status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)
endpoint-list[].status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID
endpoint-list[].status.external-identifiers.docker-network-id (string) – Docker network ID
endpoint-list[].status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)
endpoint-list[].status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)
endpoint-list[].status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)
endpoint-list[].status.health.bpf (string) – A common set of statuses for endpoint health: OK = All components operational; Bootstrap = This component is being created; Pending = A change is being processed to be applied; Warning = This component is not applying up-to-date policies (but is still applying the previous version); Failure = An error has occurred and no policy is being applied; Disabled = This endpoint is disabled and will not handle traffic
endpoint-list[].status.health.connected (boolean) – Is this endpoint reachable
endpoint-list[].status.health.overallHealth (string) – A common set of statuses for endpoint health: OK = All components operational; Bootstrap = This component is being created; Pending = A change is being processed to be applied; Warning = This component is not applying up-to-date policies (but is still applying the previous version); Failure = An error has occurred and no policy is being applied; Disabled = This endpoint is disabled and will not handle traffic
endpoint-list[].status.health.policy (string) – A common set of statuses for endpoint health: OK = All components operational; Bootstrap = This component is being created; Pending = A change is being processed to be applied; Warning = This component is not applying up-to-date policies (but is still applying the previous version); Failure = An error has occurred and no policy is being applied; Disabled = This endpoint is disabled and will not handle traffic
endpoint-list[].status.identity.id (integer) – Unique identifier
endpoint-list[].status.identity.labelsSHA256 (string) – SHA256 of labels
endpoint-list[].status.identity.labels[] (string) –
endpoint-list[].status.labels.derived[] (string) –
endpoint-list[].status.labels.disabled[] (string) –
endpoint-list[].status.labels.realized.user[] (string) –
endpoint-list[].status.labels.security-relevant[] (string) –
endpoint-list[].status.log[].code (string) – Code indicating the type of status change
endpoint-list[].status.log[].message (string) – Status message
endpoint-list[].status.log[].state (string) – State of endpoint
endpoint-list[].status.log[].timestamp (string) – Timestamp when status change occurred
endpoint-list[].status.namedPorts[].name (string) – Optional layer 4 port name
endpoint-list[].status.namedPorts[].port (integer) – Layer 4 port number
endpoint-list[].status.namedPorts[].protocol (string) – Layer 4 protocol
endpoint-list[].status.networking.addressing[].ipv4 (string) – IPv4 address
endpoint-list[].status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer
endpoint-list[].status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated
endpoint-list[].status.networking.addressing[].ipv6 (string) – IPv6 address
endpoint-list[].status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer
endpoint-list[].status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated
endpoint-list[].status.networking.container-interface-name (string) – Name of network device in container netns
endpoint-list[].status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
endpoint-list[].status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints
endpoint-list[].status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled
endpoint-list[].status.networking.host-addressing.ipv4.ip (string) – IP address of node
endpoint-list[].status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP
endpoint-list[].status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints
endpoint-list[].status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled
endpoint-list[].status.networking.host-addressing.ipv6.ip (string) – IP address of node
endpoint-list[].status.networking.host-mac (string) – MAC address
endpoint-list[].status.networking.interface-index (integer) – Index of network device in host netns
endpoint-list[].status.networking.interface-name (string) – Name of network device in host netns
endpoint-list[].status.networking.mac (string) – MAC address
endpoint-list[].status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint
endpoint-list[].status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on
endpoint-list[].status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed
endpoint-list[].status.policy.proxy-statistics[].port (integer) – The port subject to the redirect
endpoint-list[].status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol
endpoint-list[].status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied
endpoint-list[].status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages
endpoint-list[].status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded
endpoint-list[].status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received
endpoint-list[].status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied
endpoint-list[].status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages
endpoint-list[].status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded
endpoint-list[].status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received
endpoint-list[].status.policy.realized.allowed-egress-identities[] (integer) –
endpoint-list[].status.policy.realized.allowed-ingress-identities[] (integer) –
endpoint-list[].status.policy.realized.build (integer) – Build number of calculated policy in use
endpoint-list[].status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.realized.denied-egress-identities[] (integer) –
endpoint-list[].status.policy.realized.denied-ingress-identities[] (integer) –
endpoint-list[].status.policy.realized.id (integer) – Own identity of endpoint
endpoint-list[].status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
endpoint-list[].status.policy.realized.policy-revision (integer) – The agent-local policy revision
endpoint-list[].status.policy.spec.allowed-egress-identities[] (integer) –
endpoint-list[].status.policy.spec.allowed-ingress-identities[] (integer) –
endpoint-list[].status.policy.spec.build (integer) – Build number of calculated policy in use
endpoint-list[].status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.spec.denied-egress-identities[] (integer) –
endpoint-list[].status.policy.spec.denied-ingress-identities[] (integer) –
endpoint-list[].status.policy.spec.id (integer) – Own identity of endpoint
endpoint-list[].status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from
endpoint-list[].status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)
endpoint-list[].status.policy.spec.policy-revision (integer) – The agent-local policy revision
endpoint-list[].status.realized.label-configuration.user[] (string) –
endpoint-list[].status.realized.options (object) – Map of configuration key/value pairs.
endpoint-list[].status.state (string) – State of endpoint (required)
environment-variables[] (string) –
kernel-version (string) –
policy.policy (string) – Policy definition as JSON.
policy.revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository
service-list[].spec.backend-addresses[].ip (string) – Layer 3 address (required)
service-list[].spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
service-list[].spec.backend-addresses[].port (integer) – Layer 4 port number
service-list[].spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on the related annotation of the global service. Applicable to the active state only.
service-list[].spec.backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
service-list[].spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic
service-list[].spec.backend-addresses[].weight (integer) – Backend weight
service-list[].spec.backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
service-list[].spec.flags.cluster (string) – Service cluster
service-list[].spec.flags.extTrafficPolicy (string) – Service external traffic policy
service-list[].spec.flags.healthCheckNodePort (integer) – Service health check node port
service-list[].spec.flags.intTrafficPolicy (string) – Service internal traffic policy
service-list[].spec.flags.name (string) – Service name (e.g. Kubernetes service name)
service-list[].spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
service-list[].spec.flags.natPolicy (string) – Service protocol NAT policy
service-list[].spec.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
service-list[].spec.flags.type (string) – Service type
service-list[].spec.frontend-address.ip (string) – Layer 3 address
service-list[].spec.frontend-address.port (integer) – Layer 4 port number
service-list[].spec.frontend-address.protocol (string) – Layer 4 protocol
service-list[].spec.frontend-address.scope (string) – Load balancing scope for frontend address
service-list[].spec.id (integer) – Unique identification
service-list[].spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
service-list[].status.realized.backend-addresses[].ip (string) – Layer 3 address (required)
service-list[].status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs
service-list[].status.realized.backend-addresses[].port (integer) – Layer 4 port number
service-list[].status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on the related annotation of the global service. Applicable to the active state only.
service-list[].status.realized.backend-addresses[].protocol (string) – Layer 4 protocol (TCP, UDP, etc)
service-list[].status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic
service-list[].status.realized.backend-addresses[].weight (integer) – Backend weight
service-list[].status.realized.backend-addresses[].zone (string) – Optional name of the zone in which this backend runs
service-list[].status.realized.flags.cluster (string) – Service cluster
service-list[].status.realized.flags.extTrafficPolicy (string) – Service external traffic policy
service-list[].status.realized.flags.healthCheckNodePort (integer) – Service health check node port
service-list[].status.realized.flags.intTrafficPolicy (string) – Service internal traffic policy
service-list[].status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)
service-list[].status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)
service-list[].status.realized.flags.natPolicy (string) – Service protocol NAT policy
service-list[].status.realized.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)
service-list[].status.realized.flags.type (string) – Service type
service-list[].status.realized.frontend-address.ip (string) – Layer 3 address
service-list[].status.realized.frontend-address.port (integer) – Layer 4 port number
service-list[].status.realized.frontend-address.protocol (string) – Layer 4 protocol
service-list[].status.realized.frontend-address.scope (string) – Load balancing scope for frontend address
service-list[].status.realized.id (integer) – Unique identification
service-list[].status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)
subsystem (object) –
- GET /cgroup-dump-metadata
Retrieve cgroup metadata for all pods
- Status Codes:
200 OK – Success
500 Internal Server Error – CgroupDumpMetadata get failed
- Response JSON Object:
pod-metadatas[].containers[].cgroup-id (integer) –
pod-metadatas[].containers[].cgroup-path (string) –
pod-metadatas[].ips[] (string) –
pod-metadatas[].name (string) –
pod-metadatas[].namespace (string) –
- GET /map
List all open maps
- Status Codes:
200 OK – Success
- Response JSON Object:
maps[].cache[].desired-action (string) – Desired action to be performed
maps[].cache[].key (string) – Key of map entry
maps[].cache[].last-error (string) – Last error seen while performing desired action
maps[].cache[].value (string) – Value of map entry
maps[].path (string) – Path to BPF map
- GET /map/{name}
Retrieve contents of BPF map
- Parameters:
name (string) – Name of map
- Status Codes:
200 OK – Success
404 Not Found – Map not found
- Response JSON Object:
cache[].desired-action (string) – Desired action to be performed
cache[].key (string) – Key of map entry
cache[].last-error (string) – Last error seen while performing desired action
cache[].value (string) – Value of map entry
path (string) – Path to BPF map
- GET /map/{name}/events
Retrieves the recent event logs associated with this endpoint.
- Parameters:
name (string) – Name of map
- Query Parameters:
follow (boolean) – Whether to follow streamed requests
- Status Codes:
200 OK – Success
404 Not Found – Map not found
- GET /fqdn/cache
Retrieves the list of DNS lookups intercepted from all endpoints.
Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by DNS name, CIDR IP range or source.
- Query Parameters:
matchpattern (string) – A toFQDNs compatible matchPattern expression
cidr (string) – A CIDR range of IPs
source (string) – Source from which FQDN entries come from
- Status Codes:
200 OK – Success
400 Bad Request – Invalid request (error parsing parameters)
404 Not Found – No DNS data with provided parameters found
- Response JSON Object:
[].endpoint-id (integer) – The endpoint that made this lookup, or 0 for the agent itself.
[].expiration-time (string) – The absolute time when this data will expire in this cache
[].fqdn (string) – DNS name
[].ips[] (string) –
[].lookup-time (string) – The absolute time when this data was received
[].source (string) – The reason this FQDN IP association exists. Either a DNS lookup or an ongoing connection to an IP that was created by a DNS lookup.
[].ttl (integer) – The TTL in the DNS response
- DELETE /fqdn/cache
Deletes matching DNS lookups from the policy-generation cache.
Deletes matching DNS lookups from the cache, optionally restricted by DNS name. The removed IP data will no longer be used in generated policies.
- Query Parameters:
matchpattern (string) – A toFQDNs compatible matchPattern expression
- Status Codes:
200 OK – Success
400 Bad Request – Invalid request (error parsing parameters)
403 Forbidden – Forbidden
- GET /fqdn/cache/{id}
Retrieves the list of DNS lookups intercepted from an endpoint.
Retrieves the list of DNS lookups intercepted from the specific endpoint, optionally filtered by endpoint id, DNS name, CIDR IP range or source.
- Parameters:
id (string) – String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.
- Supported endpoint id prefixes:
cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595
cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343
cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0
container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)
container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)
pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)
cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1
docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
- Query Parameters:
matchpattern (string) – A toFQDNs compatible matchPattern expression
cidr (string) – A CIDR range of IPs
source (string) – Source from which FQDN entries come from
- Status Codes:
200 OK – Success
400 Bad Request – Invalid request (error parsing parameters)
404 Not Found – No DNS data with provided parameters found
- Response JSON Object:
[].endpoint-id (integer) – The endpoint that made this lookup, or 0 for the agent itself.
[].expiration-time (string) – The absolute time when this data will expire in this cache
[].fqdn (string) – DNS name
[].ips[] (string) –
[].lookup-time (string) – The absolute time when this data was received
[].source (string) – The reason this FQDN IP association exists. Either a DNS lookup or an ongoing connection to an IP that was created by a DNS lookup.
[].ttl (integer) – The TTL in the DNS response
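A parser for the [prefix:]id endpoint reference used by the {id} path parameter above, written here as an added example in Go (it is not code from the Cilium project or its client package). It assumes the prefix list documented above is exhaustive, that unknown prefixes and non-numeric cilium-local ids should be rejected, and that the resulting reference is placed verbatim into the GET /fqdn/cache/{id} path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Endpoint ID prefixes accepted by the {id} path parameter, mapped to whether
// the reference marks them deprecated ("may not be unique").
var endpointIDPrefixes = map[string]bool{
	"cilium-local":      false,
	"cilium-global":     false,
	"cni-attachment-id": false,
	"container-id":      true,
	"container-name":    true,
	"pod-name":          true,
	"cep-name":          false,
	"docker-endpoint":   false,
}

// EndpointRef is a parsed "[prefix:]id" endpoint reference.
type EndpointRef struct {
	Prefix     string // one of the keys of endpointIDPrefixes
	ID         string // everything after the prefix; may itself contain colons
	Deprecated bool   // true when the prefix does not guarantee uniqueness
}

// ParseEndpointRef splits s into prefix and id. Without a prefix the
// reference's default, cilium-local:, is assumed. Only the first colon is a
// separator, so ids such as cluster1:nodeX:452343 survive intact. Rejecting
// unknown prefixes and non-numeric cilium-local ids is an assumption made
// here for input validation; the reference only documents the default.
func ParseEndpointRef(s string) (EndpointRef, error) {
	if s == "" {
		return EndpointRef{}, errors.New("empty endpoint reference")
	}
	prefix, id := "cilium-local", s
	if i := strings.IndexByte(s, ':'); i >= 0 {
		if _, known := endpointIDPrefixes[s[:i]]; !known {
			return EndpointRef{}, fmt.Errorf("unknown endpoint id prefix %q", s[:i])
		}
		prefix, id = s[:i], s[i+1:]
	}
	if id == "" {
		return EndpointRef{}, fmt.Errorf("missing id after prefix %q", prefix)
	}
	if prefix == "cilium-local" && !isDigits(id) {
		return EndpointRef{}, fmt.Errorf("cilium-local id %q is not numeric", id)
	}
	return EndpointRef{Prefix: prefix, ID: id, Deprecated: endpointIDPrefixes[prefix]}, nil
}

func isDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return len(s) > 0
}

// String renders the reference in canonical prefix:id form.
func (r EndpointRef) String() string { return r.Prefix + ":" + r.ID }

// FQDNCachePath builds the GET /fqdn/cache/{id} path for a parsed reference.
// url.PathEscape leaves ':' untouched, so the prefixed form is sent verbatim.
func FQDNCachePath(r EndpointRef) string {
	return "/fqdn/cache/" + url.PathEscape(r.String())
}

func main() {
	// Constructed inputs, taken from the examples in the reference above plus one bad prefix.
	for _, in := range []string{"3389595", "cilium-global:cluster1:nodeX:452343", "container-id:22222", "bogus:1"} {
		if r, err := ParseEndpointRef(in); err != nil {
			fmt.Printf("%-36s rejected: %v\n", in, err)
		} else {
			fmt.Printf("%-36s deprecated=%-5t %s\n", in, r.Deprecated, FQDNCachePath(r))
		}
	}
}
```

Deprecated prefixes parse successfully but are flagged, so a caller can log or refuse lookups keyed by identifiers the reference says may not be unique.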
- GET /fqdn/names
List internal DNS selector representations
Retrieves the list of DNS-related fields (names to poll, selectors and their corresponding regexes).
- Status Codes:
200 OK – Success
400 Bad Request – Invalid request (error parsing parameters)
- Response JSON Object:
DNSPollNames[] (string) –
FQDNPolicySelectors[].regexString (string) – String representation of regular expression form of FQDNSelector
FQDNPolicySelectors[].selectorString (string) – FQDNSelector in string representation
- GET /ip
Lists information about known IP addresses
Retrieves a list of IPs with known associated information such as their identities, host addresses, Kubernetes pod names, etc. The list can optionally be filtered by a CIDR IP range.
- Query Parameters:
cidr (string) – A CIDR range of IPs
- Request JSON Object:
[] (string) –
- Status Codes:
200 OK – Success
400 Bad Request – Invalid request (error parsing parameters)
404 Not Found – No IP cache entries with provided parameters found
- Response JSON Object:
[].cidr (string) – Key of the entry in the form of a CIDR range (required)
[].encryptKey (integer) – The context ID for the encryption session
[].hostIP (string) – IP address of the host
[].identity (integer) – Numerical identity assigned to the IP (required)
[].metadata.name (string) – Name assigned to the IP (e.g. Kubernetes pod name)
[].metadata.namespace (string) – Namespace of the IP (e.g. Kubernetes namespace)
[].metadata.source (string) – Source of the IP entry and its metadata
- GET /node/ids
List information about known node IDs
Retrieves a list of node IDs allocated by the agent and their associated node IP addresses.
- Status Codes:
200 OK – Success
- Response JSON Object:
[].id (integer) – ID allocated by the agent for the node (required)
[].ips[] (string) –
- GET /bgp/peers
Lists operational state of BGP peers
Retrieves current operational state of BGP peers created by Cilium BGP virtual router. This includes session state, uptime, information per address family, etc.
- Status Codes:
200 OK – Success
500 Internal Server Error – Internal Server Error
501 Not Implemented – BGP Control Plane disabled
- Response JSON Object:
[] (any) – State of a BGP Peer
- GET /bgp/routes
Lists BGP routes from BGP Control Plane RIB.
Retrieves routes from BGP Control Plane RIB filtered by parameters you specify
- Query Parameters:
table_type (string) – BGP Routing Information Base (RIB) table type
afi (string) – Address Family Indicator (AFI) of a BGP route
safi (string) – Subsequent Address Family Indicator (SAFI) of a BGP route
router_asn (integer) – Autonomous System Number (ASN) identifying a BGP virtual router instance. If not specified, all virtual router instances are selected.
neighbor (string) – IP address specifying a BGP neighbor. Has to be specified only when table type is adj-rib-in or adj-rib-out.
- Status Codes:
200 OK – Success
500 Internal Server Error – Internal Server Error
501 Not Implemented – BGP Control Plane disabled
- Response JSON Object:
[] (any) – Single BGP route retrieved from the RIB of underlying router
- GET /bgp/route-policies
Lists BGP route policies configured in BGP Control Plane.
Retrieves route policies from BGP Control Plane.
- Query Parameters:
router_asn (integer) – Autonomous System Number (ASN) identifying a BGP virtual router instance. If not specified, all virtual router instances are selected.
- Status Codes:
200 OK – Success
500 Internal Server Error – Internal Server Error
501 Not Implemented – BGP Control Plane disabled
- Response JSON Object:
[] (any) – Single BGP route policy retrieved from the underlying router