API Reference

Introduction

The Cilium API is JSON based and provided by the cilium-agent. The purpose of the API is to provide visibility and control over an individual agent instance. In general, all API calls affect only the resources managed by the individual cilium-agent serving the API. A few selected API calls such as the security identity resolution provides cluster wide visibility. Such API calls are marked specifically. Unless noted otherwise, API calls will only affect local agent resources.

How to access the API

CLI Client

The easiest way to access the API is via the cilium CLI client. cilium will automatically locate the API of the agent running on the same node and access it. However, using the -H or --host flag, the cilium client can be pointed to an arbitrary API address.

Example

$ cilium -H unix:///var/run/cilium/cilium.sock
[...]

Golang Package

The following Go packages can be used to access the API:

Package

Description

pkg/client

Main client API abstraction

api/v1/models

API resource data type models

Example

The full example can be found in the cilium/client-example repository.

import (
        "fmt"

        "github.com/cilium/cilium/pkg/client"
)

func main() {
        c, err := client.NewDefaultClient()
        if err != nil {
                ...
        }

        endpoints, err := c.EndpointList()
        if err != nil {
                ...
        }

        for _, ep := range endpoints {
                fmt.Printf("%8d %14s %16s %32s\n", ep.ID, ep.ContainerName, ep.Addressing.IPV4, ep.Addressing.IPV6)
        }

Compatibility Guarantees

Cilium API is stable as of version 1.0, backward compatibility will be upheld for whole lifecycle of Cilium 1.x.

API Reference

GET /cluster/nodes

Get nodes information stored in the cilium-agent

Status Codes
Request Headers
  • client-id – Client UUID should be used when the client wants to request a diff of nodes added and / or removed since the last time that client has made a request.

GET /healthz

Get health of Cilium daemon

Returns health and status information of the Cilium daemon and related components such as the local container runtime, connected datastore, Kubernetes integration and Hubble.

Status Codes
Request Headers
  • brief – Brief will return a brief representation of the Cilium status.

Response JSON Object
  • bandwidth-manager.congestionControl (string) –

  • bandwidth-manager.devices[] (string) –

  • bandwidth-manager.enabled (boolean) – Is bandwidth manager enabled

  • bpf-maps.dynamic-size-ratio (number) – Ratio of total system memory to use for dynamic sizing of BPF maps

  • bpf-maps.maps[].name (string) – Name of the BPF map

  • bpf-maps.maps[].size (integer) – Size of the BPF map

  • cilium.msg (string) – Human readable status/error/warning message

  • cilium.state (string) – State the component is in

  • client-id (integer) – When supported by the API, this client ID should be used by the client when making another request to the server. See for example “/cluster/nodes”.

  • clock-source.hertz (integer) – Kernel Hz

  • clock-source.mode (string) – Datapath clock source

  • cluster (any) – Status of cluster +k8s:deepcopy-gen=true

  • cluster-mesh (any) – Status of ClusterMesh +k8s:deepcopy-gen=true

  • cni-chaining (any) – Status of CNI chaining +k8s:deepcopy-gen=true

  • container-runtime.msg (string) – Human readable status/error/warning message

  • container-runtime.state (string) – State the component is in

  • controllers[].configuration.error-retry (boolean) – Retry on error

  • controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • controllers[].configuration.interval (string) – Regular synchronization interval

  • controllers[].name (string) – Name of controller

  • controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • controllers[].status.failure-count (integer) – Total number of failed runs

  • controllers[].status.last-failure-msg (string) – Error message of last failed run

  • controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • controllers[].status.success-count (integer) – Total number of successful runs

  • controllers[].uuid (string) – UUID of controller

  • encryption (any) – Status of transparent encryption +k8s:deepcopy-gen=true

  • host-firewall.devices[] (string) –

  • host-firewall.mode (string) –

  • host-routing.mode (string) – Datapath routing mode

  • hubble.metrics.state (string) – State of the Hubble metrics

  • hubble.msg (string) – Human readable status/error/warning message

  • hubble.observer.current-flows (integer) – Current number of flows this Hubble observer stores

  • hubble.observer.max-flows (integer) – Maximum number of flows this Hubble observer is able to store

  • hubble.observer.seen-flows (integer) – Total number of flows this Hubble observer has seen

  • hubble.observer.uptime (string) – Uptime of this Hubble observer instance

  • hubble.state (string) – State the component is in

  • identity-range (any) – Status of identity range of the cluster +k8s:deepcopy-gen=true

  • ipam (any) – Status of IP address management +k8s:deepcopy-gen=true

  • ipv6-big-tcp.enabled (boolean) – Is IPv6 BIG TCP enabled

  • kube-proxy-replacement.deviceList[].ip[] (string) –

  • kube-proxy-replacement.deviceList[].name (string) –

  • kube-proxy-replacement.devices[] (string) –

  • kube-proxy-replacement.directRoutingDevice (string) –

  • kube-proxy-replacement.features.externalIPs.enabled (boolean) –

  • kube-proxy-replacement.features.gracefulTermination.enabled (boolean) –

  • kube-proxy-replacement.features.hostPort.enabled (boolean) –

  • kube-proxy-replacement.features.hostReachableServices.enabled (boolean) –

  • kube-proxy-replacement.features.hostReachableServices.protocols[] (string) –

  • kube-proxy-replacement.features.nat46X64.enabled (boolean) –

  • kube-proxy-replacement.features.nodePort.acceleration (string) –

  • kube-proxy-replacement.features.nodePort.algorithm (string) –

  • kube-proxy-replacement.features.nodePort.enabled (boolean) –

  • kube-proxy-replacement.features.nodePort.lutSize (integer) –

  • kube-proxy-replacement.features.nodePort.mode (string) –

  • kube-proxy-replacement.features.nodePort.portMax (integer) –

  • kube-proxy-replacement.features.nodePort.portMin (integer) –

  • kube-proxy-replacement.features.sessionAffinity.enabled (boolean) –

  • kube-proxy-replacement.features.socketLB.enabled (boolean) –

  • kube-proxy-replacement.mode (string) –

  • kubernetes.k8s-api-versions[] (string) –

  • kubernetes.msg (string) – Human readable status/error/warning message

  • kubernetes.state (string) – State the component is in

  • kvstore.msg (string) – Human readable status/error/warning message

  • kvstore.state (string) – State the component is in

  • masquerading.enabled (boolean) –

  • masquerading.enabledProtocols.ipv4 (boolean) – Is masquerading enabled for IPv4 traffic

  • masquerading.enabledProtocols.ipv6 (boolean) – Is masquerading enabled for IPv6 traffic

  • masquerading.ip-masq-agent (boolean) – Is BPF ip-masq-agent enabled

  • masquerading.mode (string) –

  • masquerading.snat-exclusion-cidr (string) – This field is obsolete, please use snat-exclusion-cidr-v4 or snat-exclusion-cidr-v6.

  • masquerading.snat-exclusion-cidr-v4 (string) – SnatExclusionCIDRv4 exempts SNAT from being performed on any packet sent to an IPv4 address that belongs to this CIDR.

  • masquerading.snat-exclusion-cidr-v6 (string) – SnatExclusionCIDRv6 exempts SNAT from being performed on any packet sent to an IPv6 address that belongs to this CIDR. For IPv6 we only do masquerading in iptables mode.

  • nodeMonitor (any) – Status of the node monitor

  • proxy.ip (string) – IP address that the proxy listens on

  • proxy.port-range (string) – Port range used for proxying

  • proxy.redirects[].name (string) – Name of the proxy redirect

  • proxy.redirects[].proxy (string) – Name of the proxy this redirect points to

  • proxy.redirects[].proxy-port (integer) – Host port that this redirect points to

  • proxy.total-ports (integer) – Total number of listening proxy ports

  • proxy.total-redirects (integer) – Total number of ports configured to redirect to proxies

  • stale (object) – List of stale information in the status

GET /config

Get configuration of Cilium daemon

Returns the configuration of the Cilium daemon.

Status Codes
Response JSON Object
  • spec.options (object) – Map of configuration key/value pairs.

  • spec.policy-enforcement (string) – The policy-enforcement mode

  • status.GROMaxSize (integer) – Maximum GRO size on workload facing devices

  • status.GSOMaxSize (integer) – Maximum GSO size on workload facing devices

  • status.addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • status.addressing.ipv4.enabled (boolean) – True if address family is enabled

  • status.addressing.ipv4.ip (string) – IP address of node

  • status.addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • status.addressing.ipv6.enabled (boolean) – True if address family is enabled

  • status.addressing.ipv6.ip (string) – IP address of node

  • status.daemonConfigurationMap (any) – Config map which contains all the active daemon configurations

  • status.datapathMode (string) – Datapath mode

  • status.deviceMTU (integer) – MTU on workload facing devices

  • status.egress-multi-home-ip-rule-compat (boolean) – Configured compatibility mode for –egress-multi-home-ip-rule-compat

  • status.immutable (object) – Map of configuration key/value pairs.

  • status.ipam-mode (string) – Configured IPAM mode

  • status.k8s-configuration (string) –

  • status.k8s-endpoint (string) –

  • status.kvstoreConfiguration (any) – Configuration used for the kvstore

  • status.masquerade (boolean) –

  • status.masqueradeProtocols.ipv4 (boolean) – Status of masquerading for IPv4 traffic

  • status.masqueradeProtocols.ipv6 (boolean) – Status of masquerading for IPv6 traffic

  • status.nodeMonitor (any) – Status of the node monitor

  • status.realized.options (object) – Map of configuration key/value pairs.

  • status.realized.policy-enforcement (string) – The policy-enforcement mode

  • status.routeMTU (integer) – MTU for network facing routes

PATCH /config

Modify daemon configuration

Updates the daemon configuration by applying the provided ConfigurationMap and regenerates & recompiles all required datapath components.

Request JSON Object
  • options (object) – Map of configuration key/value pairs.

  • policy-enforcement (string) – The policy-enforcement mode

Status Codes
GET /endpoint/{id}

Get endpoint by endpoint ID

Returns endpoint information

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes
Response JSON Object
  • id (integer) – The cilium-agent-local ID of the endpoint

  • spec.label-configuration.user[] (string) –

  • spec.options (object) – Map of configuration key/value pairs.

  • status.controllers[].configuration.error-retry (boolean) – Retry on error

  • status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • status.controllers[].configuration.interval (string) – Regular synchronization interval

  • status.controllers[].name (string) – Name of controller

  • status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • status.controllers[].status.failure-count (integer) – Total number of failed runs

  • status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • status.controllers[].status.success-count (integer) – Total number of successful runs

  • status.controllers[].uuid (string) – UUID of controller

  • status.external-identifiers.container-id (string) – ID assigned by container runtime

  • status.external-identifiers.container-name (string) – Name assigned to container

  • status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • status.external-identifiers.docker-network-id (string) – Docker network ID

  • status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint

  • status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint

  • status.external-identifiers.pod-name (string) – K8s pod for this endpoint(Deprecated, use K8sPodName and K8sNamespace instead)

  • status.health.bpf (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • status.health.connected (boolean) – Is this endpoint reachable

  • status.health.overallHealth (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • status.health.policy (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • status.identity.id (integer) – Unique identifier

  • status.identity.labelsSHA256 (string) – SHA256 of labels

  • status.identity.labels[] (string) –

  • status.labels.derived[] (string) –

  • status.labels.disabled[] (string) –

  • status.labels.realized.user[] (string) –

  • status.labels.security-relevant[] (string) –

  • status.log[].code (string) – Code indicate type of status change

  • status.log[].message (string) – Status message

  • status.log[].state (string) – State of endpoint

  • status.log[].timestamp (string) – Timestamp when status change occurred

  • status.namedPorts[].name (string) – Optional layer 4 port name

  • status.namedPorts[].port (integer) – Layer 4 port number

  • status.namedPorts[].protocol (string) – Layer 4 protocol

  • status.networking.addressing[].ipv4 (string) – IPv4 address

  • status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • status.networking.addressing[].ipv6 (string) – IPv6 address

  • status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • status.networking.host-mac (string) – MAC address

  • status.networking.interface-index (integer) – Index of network device

  • status.networking.interface-name (string) – Name of network device

  • status.networking.mac (string) – MAC address

  • status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • status.policy.realized.allowed-egress-identities[] (integer) –

  • status.policy.realized.allowed-ingress-identities[] (integer) –

  • status.policy.realized.build (integer) – Build number of calculated policy in use

  • status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.realized.denied-egress-identities[] (integer) –

  • status.policy.realized.denied-ingress-identities[] (integer) –

  • status.policy.realized.id (integer) – Own identity of endpoint

  • status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • status.policy.spec.allowed-egress-identities[] (integer) –

  • status.policy.spec.allowed-ingress-identities[] (integer) –

  • status.policy.spec.build (integer) – Build number of calculated policy in use

  • status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.spec.denied-egress-identities[] (integer) –

  • status.policy.spec.denied-ingress-identities[] (integer) –

  • status.policy.spec.id (integer) – Own identity of endpoint

  • status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • status.realized.label-configuration.user[] (string) –

  • status.realized.options (object) – Map of configuration key/value pairs.

  • status.state (string) – State of endpoint (required)

PUT /endpoint/{id}

Create endpoint

Creates a new endpoint

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object
  • addressing.ipv4 (string) – IPv4 address

  • addressing.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • addressing.ipv6 (string) – IPv6 address

  • addressing.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • container-id (string) – ID assigned by container runtime

  • container-name (string) – Name assigned to container

  • datapath-configuration.disable-sip-verification (boolean) – Disable source IP verification for the endpoint.

  • datapath-configuration.external-ipam (boolean) – Indicates that IPAM is done external to Cilium. This will prevent the IP from being released and re-allocation of the IP address is skipped on restore.

  • datapath-configuration.install-endpoint-route (boolean) – Installs a route in the Linux routing table pointing to the device of the endpoint’s interface.

  • datapath-configuration.require-arp-passthrough (boolean) – Enable ARP passthrough mode

  • datapath-configuration.require-egress-prog (boolean) – Endpoint requires a host-facing egress program to be attached to implement ingress policy and reverse NAT.

  • datapath-configuration.require-routing (boolean) – Endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing.

  • datapath-map-id (integer) – ID of datapath tail call map

  • docker-endpoint-id (string) – Docker endpoint ID

  • docker-network-id (string) – Docker network ID

  • host-mac (string) – MAC address

  • id (integer) – Local endpoint ID

  • interface-index (integer) – Index of network device

  • interface-name (string) – Name of network device

  • k8s-namespace (string) – Kubernetes namespace name

  • k8s-pod-name (string) – Kubernetes pod name

  • labels[] (string) –

  • mac (string) – MAC address

  • pid (integer) – Process ID of the workload belonging to this endpoint

  • policy-enabled (boolean) – Whether policy enforcement is enabled or not

  • state (string) – State of endpoint (required)

  • sync-build-endpoint (boolean) – Whether to build an endpoint synchronously

Status Codes
PATCH /endpoint/{id}

Modify existing endpoint

Applies the endpoint change request to an existing endpoint

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object
  • addressing.ipv4 (string) – IPv4 address

  • addressing.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • addressing.ipv6 (string) – IPv6 address

  • addressing.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • container-id (string) – ID assigned by container runtime

  • container-name (string) – Name assigned to container

  • datapath-configuration.disable-sip-verification (boolean) – Disable source IP verification for the endpoint.

  • datapath-configuration.external-ipam (boolean) – Indicates that IPAM is done external to Cilium. This will prevent the IP from being released and re-allocation of the IP address is skipped on restore.

  • datapath-configuration.install-endpoint-route (boolean) – Installs a route in the Linux routing table pointing to the device of the endpoint’s interface.

  • datapath-configuration.require-arp-passthrough (boolean) – Enable ARP passthrough mode

  • datapath-configuration.require-egress-prog (boolean) – Endpoint requires a host-facing egress program to be attached to implement ingress policy and reverse NAT.

  • datapath-configuration.require-routing (boolean) – Endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing.

  • datapath-map-id (integer) – ID of datapath tail call map

  • docker-endpoint-id (string) – Docker endpoint ID

  • docker-network-id (string) – Docker network ID

  • host-mac (string) – MAC address

  • id (integer) – Local endpoint ID

  • interface-index (integer) – Index of network device

  • interface-name (string) – Name of network device

  • k8s-namespace (string) – Kubernetes namespace name

  • k8s-pod-name (string) – Kubernetes pod name

  • labels[] (string) –

  • mac (string) – MAC address

  • pid (integer) – Process ID of the workload belonging to this endpoint

  • policy-enabled (boolean) – Whether policy enforcement is enabled or not

  • state (string) – State of endpoint (required)

  • sync-build-endpoint (boolean) – Whether to build an endpoint synchronously

Status Codes
DELETE /endpoint/{id}

Delete endpoint

Deletes the endpoint specified by the ID. Deletion is imminent and atomic, if the deletion request is valid and the endpoint exists, deletion will occur even if errors are encountered in the process. If errors have been encountered, the code 202 will be returned, otherwise 200 on success.

All resources associated with the endpoint will be freed and the workload represented by the endpoint will be disconnected.It will no longer be able to initiate or receive communications of any sort.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes
GET /endpoint

Retrieves a list of endpoints that have metadata matching the provided parameters.

Retrieves a list of endpoints that have metadata matching the provided parameters, or all endpoints if no parameters provided.

Request JSON Object
  • [] (string) –

Status Codes
Response JSON Object
  • [].id (integer) – The cilium-agent-local ID of the endpoint

  • [].spec.label-configuration.user[] (string) –

  • [].spec.options (object) – Map of configuration key/value pairs.

  • [].status.controllers[].configuration.error-retry (boolean) – Retry on error

  • [].status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • [].status.controllers[].configuration.interval (string) – Regular synchronization interval

  • [].status.controllers[].name (string) – Name of controller

  • [].status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • [].status.controllers[].status.failure-count (integer) – Total number of failed runs

  • [].status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • [].status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • [].status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • [].status.controllers[].status.success-count (integer) – Total number of successful runs

  • [].status.controllers[].uuid (string) – UUID of controller

  • [].status.external-identifiers.container-id (string) – ID assigned by container runtime

  • [].status.external-identifiers.container-name (string) – Name assigned to container

  • [].status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • [].status.external-identifiers.docker-network-id (string) – Docker network ID

  • [].status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint

  • [].status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint

  • [].status.external-identifiers.pod-name (string) – K8s pod for this endpoint(Deprecated, use K8sPodName and K8sNamespace instead)

  • [].status.health.bpf (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • [].status.health.connected (boolean) – Is this endpoint reachable

  • [].status.health.overallHealth (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • [].status.health.policy (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • [].status.identity.id (integer) – Unique identifier

  • [].status.identity.labelsSHA256 (string) – SHA256 of labels

  • [].status.identity.labels[] (string) –

  • [].status.labels.derived[] (string) –

  • [].status.labels.disabled[] (string) –

  • [].status.labels.realized.user[] (string) –

  • [].status.labels.security-relevant[] (string) –

  • [].status.log[].code (string) – Code indicate type of status change

  • [].status.log[].message (string) – Status message

  • [].status.log[].state (string) – State of endpoint

  • [].status.log[].timestamp (string) – Timestamp when status change occurred

  • [].status.namedPorts[].name (string) – Optional layer 4 port name

  • [].status.namedPorts[].port (integer) – Layer 4 port number

  • [].status.namedPorts[].protocol (string) – Layer 4 protocol

  • [].status.networking.addressing[].ipv4 (string) – IPv4 address

  • [].status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • [].status.networking.addressing[].ipv6 (string) – IPv6 address

  • [].status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • [].status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • [].status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • [].status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • [].status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • [].status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • [].status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • [].status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • [].status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • [].status.networking.host-mac (string) – MAC address

  • [].status.networking.interface-index (integer) – Index of network device

  • [].status.networking.interface-name (string) – Name of network device

  • [].status.networking.mac (string) – MAC address

  • [].status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • [].status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • [].status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • [].status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • [].status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • [].status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • [].status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • [].status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • [].status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • [].status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • [].status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • [].status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • [].status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • [].status.policy.realized.allowed-egress-identities[] (integer) –

  • [].status.policy.realized.allowed-ingress-identities[] (integer) –

  • [].status.policy.realized.build (integer) – Build number of calculated policy in use

  • [].status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.realized.denied-egress-identities[] (integer) –

  • [].status.policy.realized.denied-ingress-identities[] (integer) –

  • [].status.policy.realized.id (integer) – Own identity of endpoint

  • [].status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • [].status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • [].status.policy.spec.allowed-egress-identities[] (integer) –

  • [].status.policy.spec.allowed-ingress-identities[] (integer) –

  • [].status.policy.spec.build (integer) – Build number of calculated policy in use

  • [].status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.spec.denied-egress-identities[] (integer) –

  • [].status.policy.spec.denied-ingress-identities[] (integer) –

  • [].status.policy.spec.id (integer) – Own identity of endpoint

  • [].status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • [].status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • [].status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • [].status.realized.label-configuration.user[] (string) –

  • [].status.realized.options (object) – Map of configuration key/value pairs.

  • [].status.state (string) – State of endpoint (required)

GET /endpoint/{id}/config

Retrieve endpoint configuration

Retrieves the configuration of the specified endpoint.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes
Response JSON Object
  • error (string) –

  • immutable (object) – Map of configuration key/value pairs.

  • realized.label-configuration.user[] (string) –

  • realized.options (object) – Map of configuration key/value pairs.

PATCH /endpoint/{id}/config

Modify mutable endpoint configuration

Update the configuration of an existing endpoint and regenerates & recompiles the corresponding programs automatically.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object
  • label-configuration.user[] (string) –

  • options (object) – Map of configuration key/value pairs.

Status Codes
GET /endpoint/{id}/labels

Retrieves the list of labels associated with an endpoint.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes
Response JSON Object
  • spec.user[] (string) –

  • status.derived[] (string) –

  • status.disabled[] (string) –

  • status.realized.user[] (string) –

  • status.security-relevant[] (string) –

PATCH /endpoint/{id}/labels

Set label configuration of endpoint

Sets labels associated with an endpoint. These can be user provided or derived from the orchestration system.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object
  • user[] (string) –

Status Codes
GET /endpoint/{id}/log

Retrieves the status logs associated with this endpoint.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes
Response JSON Object
  • [].code (string) – Code indicate type of status change

  • [].message (string) – Status message

  • [].state (string) – State of endpoint

  • [].timestamp (string) – Timestamp when status change occurred

GET /endpoint/{id}/healthz

Retrieves the status logs associated with this endpoint.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes
Response JSON Object
  • bpf (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • connected (boolean) – Is this endpoint reachable

  • overallHealth (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • policy (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

GET /identity

Retrieves a list of identities that have metadata matching the provided parameters.

Retrieves a list of identities that have metadata matching the provided parameters, or all identities if no parameters are provided.

Request JSON Object
  • [] (string) –

Status Codes
  • 200 OK – Success

  • 404 Not Found – Identities with provided parameters not found

  • 520 – Identity storage unreachable. Likely a network problem.

  • 521 – Invalid identity format in storage

Response JSON Object
  • [].id (integer) – Unique identifier

  • [].labelsSHA256 (string) – SHA256 of labels

  • [].labels[] (string) –

GET /identity/{id}

Retrieve identity

Parameters
  • id (string) – Cluster wide unique identifier of a security identity.

Status Codes
  • 200 OK – Success

  • 400 Bad Request – Invalid identity provided

  • 404 Not Found – Identity not found

  • 520 – Identity storage unreachable. Likely a network problem.

  • 521 – Invalid identity format in storage

Response JSON Object
  • id (integer) – Unique identifier

  • labelsSHA256 (string) – SHA256 of labels

  • labels[] (string) –

GET /identity/endpoints

Retrieve identities which are being used by local endpoints

Status Codes
  • 200 OK – Success

  • 404 Not Found – Set of identities which are being used by local endpoints could not be found.

Response JSON Object
  • [].identity.id (integer) – Unique identifier

  • [].identity.labelsSHA256 (string) – SHA256 of labels

  • [].identity.labels[] (string) –

  • [].refCount (integer) – number of endpoints consuming this identity locally (should always be > 0)

POST /ipam

Allocate an IP address

Query Parameters
  • family (string) –

  • owner (string) –

Status Codes
Request Headers
  • expiration

Response JSON Object
  • address.ipv4 (string) – IPv4 address

  • address.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • address.ipv6 (string) – IPv6 address

  • address.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • host-addressing.ipv4.ip (string) – IP address of node

  • host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • host-addressing.ipv6.ip (string) – IP address of node

  • ipv4.cidrs[] (string) –

  • ipv4.expiration-uuid (string) – The UUID for the expiration timer. Set when expiration has been enabled while allocating.

  • ipv4.gateway (string) – IP of gateway

  • ipv4.interface-number (string) – InterfaceNumber is a field for generically identifying an interface. This is only useful in ENI mode.

  • ipv4.ip (string) – Allocated IP for endpoint

  • ipv4.master-mac (string) – MAC of master interface if address is a slave/secondary of a master interface

  • ipv6.cidrs[] (string) –

  • ipv6.expiration-uuid (string) – The UUID for the expiration timer. Set when expiration has been enabled while allocating.

  • ipv6.gateway (string) – IP of gateway

  • ipv6.interface-number (string) – InterfaceNumber is a field for generically identifying an interface. This is only useful in ENI mode.

  • ipv6.ip (string) – Allocated IP for endpoint

  • ipv6.master-mac (string) – MAC of master interface if address is a slave/secondary of a master interface

POST /ipam/{ip}

Allocate an IP address

Parameters
  • ip (string) – IP address

Query Parameters
  • owner (string) –

Status Codes
DELETE /ipam/{ip}

Release an allocated IP address

Parameters
  • ip (string) – IP address or owner name

Status Codes
GET /policy

Retrieve entire policy tree

Returns the entire policy tree with all children.

Request JSON Object
  • [] (string) –

Status Codes
Response JSON Object
  • policy (string) – Policy definition as JSON.

  • revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

PUT /policy

Create or update a policy (sub)tree

Status Codes
Response JSON Object
  • policy (string) – Policy definition as JSON.

  • revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

DELETE /policy

Delete a policy (sub)tree

Request JSON Object
  • [] (string) –

Status Codes
Response JSON Object
  • policy (string) – Policy definition as JSON.

  • revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

GET /policy/resolve

Resolve policy for an identity context

Request JSON Object
  • from.labels[] (string) –

  • to.dports[].name (string) – Optional layer 4 port name

  • to.dports[].port (integer) – Layer 4 port number

  • to.dports[].protocol (string) – Layer 4 protocol

  • to.labels[] (string) –

  • verbose (boolean) – Enable verbose tracing.

Status Codes
Response JSON Object
  • log (string) –

  • verdict (string) –

GET /policy/selectors

See what selectors match which identities

Status Codes
Response JSON Object
  • [].identities[] (integer) –

  • [].selector (string) – string form of selector

  • [].users (integer) – number of users of this selector in the cache

GET /lrp

Retrieve list of all local redirect policies

Status Codes
Response JSON Object
  • [].frontend-mappings[].backends[].backend-address.ip (string) – Layer 3 address (required)

  • [].frontend-mappings[].backends[].backend-address.nodeName (string) – Optional name of the node on which this backend runs

  • [].frontend-mappings[].backends[].backend-address.port (integer) – Layer 4 port number

  • [].frontend-mappings[].backends[].backend-address.preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • [].frontend-mappings[].backends[].backend-address.state (string) – State of the backend for load-balancing service traffic

  • [].frontend-mappings[].backends[].pod-id (string) – Namespace and name of the backend pod

  • [].frontend-mappings[].frontend-address.ip (string) – Layer 3 address

  • [].frontend-mappings[].frontend-address.port (integer) – Layer 4 port number

  • [].frontend-mappings[].frontend-address.protocol (string) – Layer 4 protocol

  • [].frontend-mappings[].frontend-address.scope (string) – Load balancing scope for frontend address

  • [].frontend-type (string) – LRP frontend type

  • [].lrp-type (string) – LRP config type

  • [].name (string) – LRP service name

  • [].namespace (string) – LRP service namespace

  • [].service-id (string) – matching k8s service namespace and name

  • [].uid (string) – Unique identification

GET /service

Retrieve list of all services

Status Codes
Response JSON Object
  • [].spec.backend-addresses[].ip (string) – Layer 3 address (required)

  • [].spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • [].spec.backend-addresses[].port (integer) – Layer 4 port number

  • [].spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • [].spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • [].spec.flags.healthCheckNodePort (integer) – Service health check node port

  • [].spec.flags.name (string) – Service name (e.g. Kubernetes service name)

  • [].spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • [].spec.flags.natPolicy (string) – Service protocol NAT policy

  • [].spec.flags.trafficPolicy (string) – Service traffic policy

  • [].spec.flags.type (string) – Service type

  • [].spec.frontend-address.ip (string) – Layer 3 address

  • [].spec.frontend-address.port (integer) – Layer 4 port number

  • [].spec.frontend-address.protocol (string) – Layer 4 protocol

  • [].spec.frontend-address.scope (string) – Load balancing scope for frontend address

  • [].spec.id (integer) – Unique identification

  • [].spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • [].status.realized.backend-addresses[].ip (string) – Layer 3 address (required)

  • [].status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • [].status.realized.backend-addresses[].port (integer) – Layer 4 port number

  • [].status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • [].status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • [].status.realized.flags.healthCheckNodePort (integer) – Service health check node port

  • [].status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)

  • [].status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • [].status.realized.flags.natPolicy (string) – Service protocol NAT policy

  • [].status.realized.flags.trafficPolicy (string) – Service traffic policy

  • [].status.realized.flags.type (string) – Service type

  • [].status.realized.frontend-address.ip (string) – Layer 3 address

  • [].status.realized.frontend-address.port (integer) – Layer 4 port number

  • [].status.realized.frontend-address.protocol (string) – Layer 4 protocol

  • [].status.realized.frontend-address.scope (string) – Load balancing scope for frontend address

  • [].status.realized.id (integer) – Unique identification

  • [].status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

GET /service/{id}

Retrieve configuration of a service

Parameters
  • id (integer) – ID of service

Status Codes
Response JSON Object
  • spec.backend-addresses[].ip (string) – Layer 3 address (required)

  • spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • spec.backend-addresses[].port (integer) – Layer 4 port number

  • spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • spec.flags.healthCheckNodePort (integer) – Service health check node port

  • spec.flags.name (string) – Service name (e.g. Kubernetes service name)

  • spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • spec.flags.natPolicy (string) – Service protocol NAT policy

  • spec.flags.trafficPolicy (string) – Service traffic policy

  • spec.flags.type (string) – Service type

  • spec.frontend-address.ip (string) – Layer 3 address

  • spec.frontend-address.port (integer) – Layer 4 port number

  • spec.frontend-address.protocol (string) – Layer 4 protocol

  • spec.frontend-address.scope (string) – Load balancing scope for frontend address

  • spec.id (integer) – Unique identification

  • spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • status.realized.backend-addresses[].ip (string) – Layer 3 address (required)

  • status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • status.realized.backend-addresses[].port (integer) – Layer 4 port number

  • status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • status.realized.flags.healthCheckNodePort (integer) – Service health check node port

  • status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)

  • status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • status.realized.flags.natPolicy (string) – Service protocol NAT policy

  • status.realized.flags.trafficPolicy (string) – Service traffic policy

  • status.realized.flags.type (string) – Service type

  • status.realized.frontend-address.ip (string) – Layer 3 address

  • status.realized.frontend-address.port (integer) – Layer 4 port number

  • status.realized.frontend-address.protocol (string) – Layer 4 protocol

  • status.realized.frontend-address.scope (string) – Load balancing scope for frontend address

  • status.realized.id (integer) – Unique identification

  • status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

PUT /service/{id}

Create or update service

Parameters
  • id (integer) – ID of service

Request JSON Object
  • backend-addresses[].ip (string) – Layer 3 address (required)

  • backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • backend-addresses[].port (integer) – Layer 4 port number

  • backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • flags.healthCheckNodePort (integer) – Service health check node port

  • flags.name (string) – Service name (e.g. Kubernetes service name)

  • flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • flags.natPolicy (string) – Service protocol NAT policy

  • flags.trafficPolicy (string) – Service traffic policy

  • flags.type (string) – Service type

  • frontend-address.ip (string) – Layer 3 address

  • frontend-address.port (integer) – Layer 4 port number

  • frontend-address.protocol (string) – Layer 4 protocol

  • frontend-address.scope (string) – Load balancing scope for frontend address

  • id (integer) – Unique identification

  • updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

Status Codes
DELETE /service/{id}

Delete a service

Parameters
  • id (integer) – ID of service

Status Codes
GET /recorder

Retrieve list of all recorders

Status Codes
Response JSON Object
  • [].spec.capture-length (integer) – Maximum packet length or zero for full packet length

  • [].spec.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • [].spec.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • [].spec.filters[].protocol (string) – Layer 4 protocol

  • [].spec.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • [].spec.filters[].src-prefix (string) – Layer 3 source CIDR

  • [].spec.id (integer) – Unique identification (required)

  • [].status.realized.capture-length (integer) – Maximum packet length or zero for full packet length

  • [].status.realized.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • [].status.realized.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • [].status.realized.filters[].protocol (string) – Layer 4 protocol

  • [].status.realized.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • [].status.realized.filters[].src-prefix (string) – Layer 3 source CIDR

  • [].status.realized.id (integer) – Unique identification (required)

GET /recorder/masks

Retrieve list of all recorder masks

Status Codes
Response JSON Object
  • [].status.realized.dst-port-mask (string) – Layer 4 destination port mask

  • [].status.realized.dst-prefix-mask (string) – Layer 3 destination IP mask

  • [].status.realized.priority (integer) – Priority of this mask

  • [].status.realized.protocol-mask (string) – Layer 4 protocol mask

  • [].status.realized.src-port-mask (string) – Layer 4 source port mask

  • [].status.realized.src-prefix-mask (string) – Layer 3 source IP mask

  • [].status.realized.users (integer) – Number of users of this mask

GET /recorder/{id}

Retrieve configuration of a recorder

Parameters
  • id (integer) – ID of recorder

Status Codes
Response JSON Object
  • spec.capture-length (integer) – Maximum packet length or zero for full packet length

  • spec.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • spec.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • spec.filters[].protocol (string) – Layer 4 protocol

  • spec.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • spec.filters[].src-prefix (string) – Layer 3 source CIDR

  • spec.id (integer) – Unique identification (required)

  • status.realized.capture-length (integer) – Maximum packet length or zero for full packet length

  • status.realized.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • status.realized.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • status.realized.filters[].protocol (string) – Layer 4 protocol

  • status.realized.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • status.realized.filters[].src-prefix (string) – Layer 3 source CIDR

  • status.realized.id (integer) – Unique identification (required)

PUT /recorder/{id}

Create or update recorder

Parameters
  • id (integer) – ID of recorder

Request JSON Object
  • capture-length (integer) – Maximum packet length or zero for full packet length

  • filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • filters[].dst-prefix (string) – Layer 3 destination CIDR

  • filters[].protocol (string) – Layer 4 protocol

  • filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • filters[].src-prefix (string) – Layer 3 source CIDR

  • id (integer) – Unique identification (required)

Status Codes
DELETE /recorder/{id}

Delete a recorder

Parameters
  • id (integer) – ID of recorder

Status Codes
GET /prefilter

Retrieve list of CIDRs

Status Codes
Response JSON Object
  • spec.deny[] (string) –

  • spec.revision (integer) –

  • status.realized.deny[] (string) –

  • status.realized.revision (integer) –

PATCH /prefilter

Update list of CIDRs

Request JSON Object
  • deny[] (string) –

  • revision (integer) –

Status Codes
Response JSON Object
  • spec.deny[] (string) –

  • spec.revision (integer) –

  • status.realized.deny[] (string) –

  • status.realized.revision (integer) –

DELETE /prefilter

Delete list of CIDRs

Request JSON Object
  • deny[] (string) –

  • revision (integer) –

Status Codes
Response JSON Object
  • spec.deny[] (string) –

  • spec.revision (integer) –

  • status.realized.deny[] (string) –

  • status.realized.revision (integer) –

GET /debuginfo

Retrieve information about the agent and evironment for debugging

Status Codes
Response JSON Object
  • cilium-memory-map (string) –

  • cilium-nodemonitor-memory-map (string) –

  • cilium-status.bandwidth-manager.congestionControl (string) –

  • cilium-status.bandwidth-manager.devices[] (string) –

  • cilium-status.bandwidth-manager.enabled (boolean) – Is bandwidth manager enabled

  • cilium-status.bpf-maps.dynamic-size-ratio (number) – Ratio of total system memory to use for dynamic sizing of BPF maps

  • cilium-status.bpf-maps.maps[].name (string) – Name of the BPF map

  • cilium-status.bpf-maps.maps[].size (integer) – Size of the BPF map

  • cilium-status.cilium.msg (string) – Human readable status/error/warning message

  • cilium-status.cilium.state (string) – State the component is in

  • cilium-status.client-id (integer) – When supported by the API, this client ID should be used by the client when making another request to the server. See for example “/cluster/nodes”.

  • cilium-status.clock-source.hertz (integer) – Kernel Hz

  • cilium-status.clock-source.mode (string) – Datapath clock source

  • cilium-status.cluster (any) – Status of cluster +k8s:deepcopy-gen=true

  • cilium-status.cluster-mesh (any) – Status of ClusterMesh +k8s:deepcopy-gen=true

  • cilium-status.cni-chaining (any) – Status of CNI chaining +k8s:deepcopy-gen=true

  • cilium-status.container-runtime.msg (string) – Human readable status/error/warning message

  • cilium-status.container-runtime.state (string) – State the component is in

  • cilium-status.controllers[].configuration.error-retry (boolean) – Retry on error

  • cilium-status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • cilium-status.controllers[].configuration.interval (string) – Regular synchronization interval

  • cilium-status.controllers[].name (string) – Name of controller

  • cilium-status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • cilium-status.controllers[].status.failure-count (integer) – Total number of failed runs

  • cilium-status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • cilium-status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • cilium-status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • cilium-status.controllers[].status.success-count (integer) – Total number of successful runs

  • cilium-status.controllers[].uuid (string) – UUID of controller

  • cilium-status.encryption (any) – Status of transparent encryption +k8s:deepcopy-gen=true

  • cilium-status.host-firewall.devices[] (string) –

  • cilium-status.host-firewall.mode (string) –

  • cilium-status.host-routing.mode (string) – Datapath routing mode

  • cilium-status.hubble.metrics.state (string) – State of the Hubble metrics

  • cilium-status.hubble.msg (string) – Human readable status/error/warning message

  • cilium-status.hubble.observer.current-flows (integer) – Current number of flows this Hubble observer stores

  • cilium-status.hubble.observer.max-flows (integer) – Maximum number of flows this Hubble observer is able to store

  • cilium-status.hubble.observer.seen-flows (integer) – Total number of flows this Hubble observer has seen

  • cilium-status.hubble.observer.uptime (string) – Uptime of this Hubble observer instance

  • cilium-status.hubble.state (string) – State the component is in

  • cilium-status.identity-range (any) – Status of identity range of the cluster +k8s:deepcopy-gen=true

  • cilium-status.ipam (any) – Status of IP address management +k8s:deepcopy-gen=true

  • cilium-status.ipv6-big-tcp.enabled (boolean) – Is IPv6 BIG TCP enabled

  • cilium-status.kube-proxy-replacement.deviceList[].ip[] (string) –

  • cilium-status.kube-proxy-replacement.deviceList[].name (string) –

  • cilium-status.kube-proxy-replacement.devices[] (string) –

  • cilium-status.kube-proxy-replacement.directRoutingDevice (string) –

  • cilium-status.kube-proxy-replacement.features.externalIPs.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.gracefulTermination.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.hostPort.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.hostReachableServices.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.hostReachableServices.protocols[] (string) –

  • cilium-status.kube-proxy-replacement.features.nat46X64.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.nodePort.acceleration (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.algorithm (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.nodePort.lutSize (integer) –

  • cilium-status.kube-proxy-replacement.features.nodePort.mode (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.portMax (integer) –

  • cilium-status.kube-proxy-replacement.features.nodePort.portMin (integer) –

  • cilium-status.kube-proxy-replacement.features.sessionAffinity.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.socketLB.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.mode (string) –

  • cilium-status.kubernetes.k8s-api-versions[] (string) –

  • cilium-status.kubernetes.msg (string) – Human readable status/error/warning message

  • cilium-status.kubernetes.state (string) – State the component is in

  • cilium-status.kvstore.msg (string) – Human readable status/error/warning message

  • cilium-status.kvstore.state (string) – State the component is in

  • cilium-status.masquerading.enabled (boolean) –

  • cilium-status.masquerading.enabledProtocols.ipv4 (boolean) – Is masquerading enabled for IPv4 traffic

  • cilium-status.masquerading.enabledProtocols.ipv6 (boolean) – Is masquerading enabled for IPv6 traffic

  • cilium-status.masquerading.ip-masq-agent (boolean) – Is BPF ip-masq-agent enabled

  • cilium-status.masquerading.mode (string) –

  • cilium-status.masquerading.snat-exclusion-cidr (string) – This field is obsolete, please use snat-exclusion-cidr-v4 or snat-exclusion-cidr-v6.

  • cilium-status.masquerading.snat-exclusion-cidr-v4 (string) – SnatExclusionCIDRv4 exempts SNAT from being performed on any packet sent to an IPv4 address that belongs to this CIDR.

  • cilium-status.masquerading.snat-exclusion-cidr-v6 (string) – SnatExclusionCIDRv6 exempts SNAT from being performed on any packet sent to an IPv6 address that belongs to this CIDR. For IPv6 we only do masquerading in iptables mode.

  • cilium-status.nodeMonitor (any) – Status of the node monitor

  • cilium-status.proxy.ip (string) – IP address that the proxy listens on

  • cilium-status.proxy.port-range (string) – Port range used for proxying

  • cilium-status.proxy.redirects[].name (string) – Name of the proxy redirect

  • cilium-status.proxy.redirects[].proxy (string) – Name of the proxy this redirect points to

  • cilium-status.proxy.redirects[].proxy-port (integer) – Host port that this redirect points to

  • cilium-status.proxy.total-ports (integer) – Total number of listening proxy ports

  • cilium-status.proxy.total-redirects (integer) – Total number of ports configured to redirect to proxies

  • cilium-status.stale (object) – List of stale information in the status

  • cilium-version (string) –

  • encryption.wireguard (any) – Status of the Wireguard agent +k8s:deepcopy-gen=true

  • endpoint-list[].id (integer) – The cilium-agent-local ID of the endpoint

  • endpoint-list[].spec.label-configuration.user[] (string) –

  • endpoint-list[].spec.options (object) – Map of configuration key/value pairs.

  • endpoint-list[].status.controllers[].configuration.error-retry (boolean) – Retry on error

  • endpoint-list[].status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • endpoint-list[].status.controllers[].configuration.interval (string) – Regular synchronization interval

  • endpoint-list[].status.controllers[].name (string) – Name of controller

  • endpoint-list[].status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • endpoint-list[].status.controllers[].status.failure-count (integer) – Total number of failed runs

  • endpoint-list[].status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • endpoint-list[].status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • endpoint-list[].status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • endpoint-list[].status.controllers[].status.success-count (integer) – Total number of successful runs

  • endpoint-list[].status.controllers[].uuid (string) – UUID of controller

  • endpoint-list[].status.external-identifiers.container-id (string) – ID assigned by container runtime

  • endpoint-list[].status.external-identifiers.container-name (string) – Name assigned to container

  • endpoint-list[].status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • endpoint-list[].status.external-identifiers.docker-network-id (string) – Docker network ID

  • endpoint-list[].status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint

  • endpoint-list[].status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint

  • endpoint-list[].status.external-identifiers.pod-name (string) – K8s pod for this endpoint(Deprecated, use K8sPodName and K8sNamespace instead)

  • endpoint-list[].status.health.bpf (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • endpoint-list[].status.health.connected (boolean) – Is this endpoint reachable

  • endpoint-list[].status.health.overallHealth (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • endpoint-list[].status.health.policy (string) – A common set of statuses for endpoint health * OK = All components operational * Bootstrap = This component is being created * Pending = A change is being processed to be applied * Warning = This component is not applying up-to-date policies (but is still applying the previous version) * Failure = An error has occurred and no policy is being applied * Disabled = This endpoint is disabled and will not handle traffic

  • endpoint-list[].status.identity.id (integer) – Unique identifier

  • endpoint-list[].status.identity.labelsSHA256 (string) – SHA256 of labels

  • endpoint-list[].status.identity.labels[] (string) –

  • endpoint-list[].status.labels.derived[] (string) –

  • endpoint-list[].status.labels.disabled[] (string) –

  • endpoint-list[].status.labels.realized.user[] (string) –

  • endpoint-list[].status.labels.security-relevant[] (string) –

  • endpoint-list[].status.log[].code (string) – Code indicate type of status change

  • endpoint-list[].status.log[].message (string) – Status message

  • endpoint-list[].status.log[].state (string) – State of endpoint

  • endpoint-list[].status.log[].timestamp (string) – Timestamp when status change occurred

  • endpoint-list[].status.namedPorts[].name (string) – Optional layer 4 port name

  • endpoint-list[].status.namedPorts[].port (integer) – Layer 4 port number

  • endpoint-list[].status.namedPorts[].protocol (string) – Layer 4 protocol

  • endpoint-list[].status.networking.addressing[].ipv4 (string) – IPv4 address

  • endpoint-list[].status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • endpoint-list[].status.networking.addressing[].ipv6 (string) – IPv6 address

  • endpoint-list[].status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • endpoint-list[].status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • endpoint-list[].status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • endpoint-list[].status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • endpoint-list[].status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • endpoint-list[].status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • endpoint-list[].status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • endpoint-list[].status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • endpoint-list[].status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • endpoint-list[].status.networking.host-mac (string) – MAC address

  • endpoint-list[].status.networking.interface-index (integer) – Index of network device

  • endpoint-list[].status.networking.interface-name (string) – Name of network device

  • endpoint-list[].status.networking.mac (string) – MAC address

  • endpoint-list[].status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • endpoint-list[].status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • endpoint-list[].status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • endpoint-list[].status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • endpoint-list[].status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • endpoint-list[].status.policy.realized.allowed-egress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.allowed-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.build (integer) – Build number of calculated policy in use

  • endpoint-list[].status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.realized.denied-egress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.denied-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.id (integer) – Own identity of endpoint

  • endpoint-list[].status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • endpoint-list[].status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • endpoint-list[].status.policy.spec.allowed-egress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.allowed-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.build (integer) – Build number of calculated policy in use

  • endpoint-list[].status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.spec.denied-egress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.denied-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.id (integer) – Own identity of endpoint

  • endpoint-list[].status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from +k8s:deepcopy-gen=true

  • endpoint-list[].status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • endpoint-list[].status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • endpoint-list[].status.realized.label-configuration.user[] (string) –

  • endpoint-list[].status.realized.options (object) – Map of configuration key/value pairs.

  • endpoint-list[].status.state (string) – State of endpoint (required)

  • environment-variables[] (string) –

  • kernel-version (string) –

  • policy.policy (string) – Policy definition as JSON.

  • policy.revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

  • service-list[].spec.backend-addresses[].ip (string) – Layer 3 address (required)

  • service-list[].spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • service-list[].spec.backend-addresses[].port (integer) – Layer 4 port number

  • service-list[].spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • service-list[].spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • service-list[].spec.flags.healthCheckNodePort (integer) – Service health check node port

  • service-list[].spec.flags.name (string) – Service name (e.g. Kubernetes service name)

  • service-list[].spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • service-list[].spec.flags.natPolicy (string) – Service protocol NAT policy

  • service-list[].spec.flags.trafficPolicy (string) – Service traffic policy

  • service-list[].spec.flags.type (string) – Service type

  • service-list[].spec.frontend-address.ip (string) – Layer 3 address

  • service-list[].spec.frontend-address.port (integer) – Layer 4 port number

  • service-list[].spec.frontend-address.protocol (string) – Layer 4 protocol

  • service-list[].spec.frontend-address.scope (string) – Load balancing scope for frontend address

  • service-list[].spec.id (integer) – Unique identification

  • service-list[].spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • service-list[].status.realized.backend-addresses[].ip (string) – Layer 3 address (required)

  • service-list[].status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • service-list[].status.realized.backend-addresses[].port (integer) – Layer 4 port number

  • service-list[].status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • service-list[].status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • service-list[].status.realized.flags.healthCheckNodePort (integer) – Service health check node port

  • service-list[].status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)

  • service-list[].status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • service-list[].status.realized.flags.natPolicy (string) – Service protocol NAT policy

  • service-list[].status.realized.flags.trafficPolicy (string) – Service traffic policy

  • service-list[].status.realized.flags.type (string) – Service type

  • service-list[].status.realized.frontend-address.ip (string) – Layer 3 address

  • service-list[].status.realized.frontend-address.port (integer) – Layer 4 port number

  • service-list[].status.realized.frontend-address.protocol (string) – Layer 4 protocol

  • service-list[].status.realized.frontend-address.scope (string) – Load balancing scope for frontend address

  • service-list[].status.realized.id (integer) – Unique identification

  • service-list[].status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • subsystem (object) –

GET /map

List all open maps

Status Codes
Response JSON Object
  • maps[].cache[].desired-action (string) – Desired action to be performed

  • maps[].cache[].key (string) – Key of map entry

  • maps[].cache[].last-error (string) – Last error seen while performing desired action

  • maps[].cache[].value (string) – Value of map entry

  • maps[].path (string) – Path to BPF map

GET /map/{name}

Retrieve contents of BPF map

Parameters
  • name (string) – Name of map

Status Codes
Response JSON Object
  • cache[].desired-action (string) – Desired action to be performed

  • cache[].key (string) – Key of map entry

  • cache[].last-error (string) – Last error seen while performing desired action

  • cache[].value (string) – Value of map entry

  • path (string) – Path to BPF map

GET /metrics/

Retrieve cilium metrics

Status Codes
Response JSON Object
  • [].labels (object) – Labels of the metric

  • [].name (string) – Name of the metric

  • [].value (number) – Value of the metric

GET /fqdn/cache

Retrieves the list of DNS lookups intercepted from all endpoints.

Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by DNS name, CIDR IP range or source.

Query Parameters
  • matchpattern (string) – A toFQDNs compatible matchPattern expression

  • cidr (string) – A CIDR range of IPs

  • source (string) – Source from which FQDN entries come from

Status Codes
Response JSON Object
  • [].endpoint-id (integer) – The endpoint that made this lookup, or 0 for the agent itself.

  • [].expiration-time (string) – The absolute time when this data will expire in this cache

  • [].fqdn (string) – DNS name

  • [].ips[] (string) –

  • [].lookup-time (string) – The absolute time when this data was received

  • [].source (string) – The reason this FQDN IP association exists. Either a DNS lookup or an ongoing connection to an IP that was created by a DNS lookup.

  • [].ttl (integer) – The TTL in the DNS response

DELETE /fqdn/cache

Deletes matching DNS lookups from the policy-generation cache.

Deletes matching DNS lookups from the cache, optionally restricted by DNS name. The removed IP data will no longer be used in generated policies.

Query Parameters
  • matchpattern (string) – A toFQDNs compatible matchPattern expression

Status Codes
GET /fqdn/cache/{id}

Retrieves the list of DNS lookups intercepted from an endpoint.

Retrieves the list of DNS lookups intercepted from the specific endpoint, optionally filtered by endpoint id, DNS name, CIDR IP range or source.

Parameters
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • container-id: Container runtime ID, e.g. container-id:22222

    • container-name: Container name, e.g. container-name:foobar

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Query Parameters
  • matchpattern (string) – A toFQDNs compatible matchPattern expression

  • cidr (string) – A CIDR range of IPs

  • source (string) – Source from which FQDN entries come from

Status Codes
Response JSON Object
  • [].endpoint-id (integer) – The endpoint that made this lookup, or 0 for the agent itself.

  • [].expiration-time (string) – The absolute time when this data will expire in this cache

  • [].fqdn (string) – DNS name

  • [].ips[] (string) –

  • [].lookup-time (string) – The absolute time when this data was received

  • [].source (string) – The reason this FQDN IP association exists. Either a DNS lookup or an ongoing connection to an IP that was created by a DNS lookup.

  • [].ttl (integer) – The TTL in the DNS response

GET /fqdn/names

List internal DNS selector representations

Retrieves the list of DNS-related fields (names to poll, selectors and their corresponding regexes).

Status Codes
Response JSON Object
  • DNSPollNames[] (string) –

  • FQDNPolicySelectors[].regexString (string) – String representation of regular expression form of FQDNSelector

  • FQDNPolicySelectors[].selectorString (string) – FQDNSelector in string representation

GET /ip

Lists information about known IP addresses

Retrieves a list of IPs with known associated information such as their identities, host addresses, Kubernetes pod names, etc. The list can optionally filtered by a CIDR IP range.

Query Parameters
  • cidr (string) – A CIDR range of IPs

Status Codes
Response JSON Object
  • [].cidr (string) – Key of the entry in the form of a CIDR range (required)

  • [].encryptKey (integer) – The context ID for the encryption session

  • [].hostIP (string) – IP address of the host

  • [].identity (integer) – Numerical identity assigned to the IP (required)

  • [].metadata.name (string) – Name assigned to the IP (e.g. Kubernetes pod name)

  • [].metadata.namespace (string) – Namespace of the IP (e.g. Kubernetes namespace)

  • [].metadata.source (string) – Source of the IP entry and its metadata