API Reference

Introduction

The Cilium API is JSON based and provided by the cilium-agent. The purpose of the API is to provide visibility and control over an individual agent instance. In general, all API calls affect only the resources managed by the individual cilium-agent serving the API. A few selected API calls, such as the security identity resolution, provide cluster-wide visibility. Such API calls are marked specifically. Unless noted otherwise, API calls will only affect local agent resources.

How to access the API

CLI Client

The easiest way to access the API is via the cilium CLI client. cilium will automatically locate the API of the agent running on the same node and access it. However, using the -H or --host flag, the cilium client can be pointed to an arbitrary API address.

Example

$ cilium-dbg -H unix:///var/run/cilium/cilium.sock
[...]

Golang Package

The following Go packages can be used to access the API:

Package          Description
pkg/client       Main client API abstraction
api/v1/models    API resource data type models

Example

The full example can be found in the cilium/client-example repository.

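package main

import (
        "fmt"
        "log"

        "github.com/cilium/cilium/pkg/client"
)

func main() {
        // NewDefaultClient connects to the API of the agent on the local node.
        c, err := client.NewDefaultClient()
        if err != nil {
                log.Fatalf("creating Cilium client: %v", err)
        }

        endpoints, err := c.EndpointList()
        if err != nil {
                log.Fatalf("listing endpoints: %v", err)
        }

        for _, ep := range endpoints {
                // Container name and addresses are reported under the endpoint
                // status (status.external-identifiers, status.networking.addressing[]).
                if ep.Status == nil || ep.Status.ExternalIdentifiers == nil || ep.Status.Networking == nil {
                        continue
                }
                name := ep.Status.ExternalIdentifiers.ContainerName
                for _, addr := range ep.Status.Networking.Addressing {
                        fmt.Printf("%8d %14s %16s %32s\n", ep.ID, name, addr.IPV4, addr.IPV6)
                }
        }
}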

Compatibility Guarantees

The Cilium API is stable as of version 1.0; backward compatibility will be upheld for the whole lifecycle of Cilium 1.x.

API Reference

GET /cluster/nodes

Get nodes information stored in the cilium-agent

Status Codes:
Request Headers:
  • client-id – Client UUID should be used when the client wants to request a diff of nodes added and / or removed since the last time that client has made a request.

GET /healthz

Get health of Cilium daemon

Returns health and status information of the Cilium daemon and related components such as the local container runtime, connected datastore, Kubernetes integration and Hubble.

Status Codes:
Request Headers:
  • brief – Brief will return a brief representation of the Cilium status.

Response JSON Object:
  • auth-certificate-provider.msg (string) – Human readable status/error/warning message

  • auth-certificate-provider.state (string) – State the component is in

  • bandwidth-manager.congestionControl (string) –

  • bandwidth-manager.devices[] (string) –

  • bandwidth-manager.enabled (boolean) – Is bandwidth manager enabled

  • bpf-maps.dynamic-size-ratio (number) – Ratio of total system memory to use for dynamic sizing of BPF maps

  • bpf-maps.maps[].name (string) – Name of the BPF map

  • bpf-maps.maps[].size (integer) – Size of the BPF map

  • cilium.msg (string) – Human readable status/error/warning message

  • cilium.state (string) – State the component is in

  • client-id (integer) – When supported by the API, this client ID should be used by the client when making another request to the server. See for example “/cluster/nodes”.

  • clock-source.hertz (integer) – Kernel Hz

  • clock-source.mode (string) – Datapath clock source

  • cluster (any) – Status of cluster

  • cluster-mesh (any) – Status of ClusterMesh

  • cni-chaining (any) – Status of CNI chaining

  • cni-file.msg (string) – Human readable status/error/warning message

  • cni-file.state (string) – State the component is in

  • container-runtime.msg (string) – Human readable status/error/warning message

  • container-runtime.state (string) – State the component is in

  • controllers[].configuration.error-retry (boolean) – Retry on error

  • controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • controllers[].configuration.interval (string) – Regular synchronization interval

  • controllers[].name (string) – Name of controller

  • controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • controllers[].status.failure-count (integer) – Total number of failed runs

  • controllers[].status.last-failure-msg (string) – Error message of last failed run

  • controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • controllers[].status.success-count (integer) – Total number of successful runs

  • controllers[].uuid (string) – UUID of controller

  • encryption (any) – Status of transparent encryption

  • host-firewall.devices[] (string) –

  • host-firewall.mode (string) –

  • host-routing.mode (string) – Datapath routing mode

  • hubble.metrics.state (string) – State of the Hubble metrics

  • hubble.msg (string) – Human readable status/error/warning message

  • hubble.observer.current-flows (integer) – Current number of flows this Hubble observer stores

  • hubble.observer.max-flows (integer) – Maximum number of flows this Hubble observer is able to store

  • hubble.observer.seen-flows (integer) – Total number of flows this Hubble observer has seen

  • hubble.observer.uptime (string) – Uptime of this Hubble observer instance

  • hubble.state (string) – State the component is in

  • identity-range (any) – Status of identity range of the cluster

  • ipam (any) – Status of IP address management

  • ipv4-big-tcp.enabled (boolean) – Is IPv4 BIG TCP enabled

  • ipv4-big-tcp.maxGRO (integer) – Maximum IPv4 GRO size

  • ipv4-big-tcp.maxGSO (integer) – Maximum IPv4 GSO size

  • ipv6-big-tcp.enabled (boolean) – Is IPv6 BIG TCP enabled

  • ipv6-big-tcp.maxGRO (integer) – Maximum IPv6 GRO size

  • ipv6-big-tcp.maxGSO (integer) – Maximum IPv6 GSO size

  • kube-proxy-replacement.deviceList[].ip[] (string) –

  • kube-proxy-replacement.deviceList[].name (string) –

  • kube-proxy-replacement.devices[] (string) –

  • kube-proxy-replacement.directRoutingDevice (string) –

  • kube-proxy-replacement.features.bpfSocketLBHostnsOnly (boolean) – flag bpf-lb-sock-hostns-only

  • kube-proxy-replacement.features.externalIPs.enabled (boolean) –

  • kube-proxy-replacement.features.gracefulTermination.enabled (boolean) –

  • kube-proxy-replacement.features.hostPort.enabled (boolean) –

  • kube-proxy-replacement.features.hostReachableServices.enabled (boolean) –

  • kube-proxy-replacement.features.hostReachableServices.protocols[] (string) –

  • kube-proxy-replacement.features.nat46X64.enabled (boolean) –

  • kube-proxy-replacement.features.nat46X64.gateway.enabled (boolean) –

  • kube-proxy-replacement.features.nat46X64.gateway.prefixes[] (string) –

  • kube-proxy-replacement.features.nat46X64.service.enabled (boolean) –

  • kube-proxy-replacement.features.nodePort.acceleration (string) –

  • kube-proxy-replacement.features.nodePort.algorithm (string) –

  • kube-proxy-replacement.features.nodePort.dsrMode (string) –

  • kube-proxy-replacement.features.nodePort.enabled (boolean) –

  • kube-proxy-replacement.features.nodePort.lutSize (integer) –

  • kube-proxy-replacement.features.nodePort.mode (string) –

  • kube-proxy-replacement.features.nodePort.portMax (integer) –

  • kube-proxy-replacement.features.nodePort.portMin (integer) –

  • kube-proxy-replacement.features.sessionAffinity.enabled (boolean) –

  • kube-proxy-replacement.features.socketLB.enabled (boolean) –

  • kube-proxy-replacement.features.socketLBTracing.enabled (boolean) –

  • kube-proxy-replacement.mode (string) –

  • kubernetes.k8s-api-versions[] (string) –

  • kubernetes.msg (string) – Human readable status/error/warning message

  • kubernetes.state (string) – State the component is in

  • kvstore.msg (string) – Human readable status/error/warning message

  • kvstore.state (string) – State the component is in

  • masquerading.enabled (boolean) –

  • masquerading.enabledProtocols.ipv4 (boolean) – Is masquerading enabled for IPv4 traffic

  • masquerading.enabledProtocols.ipv6 (boolean) – Is masquerading enabled for IPv6 traffic

  • masquerading.ip-masq-agent (boolean) – Is BPF ip-masq-agent enabled

  • masquerading.mode (string) –

  • masquerading.snat-exclusion-cidr (string) – This field is obsolete, please use snat-exclusion-cidr-v4 or snat-exclusion-cidr-v6.

  • masquerading.snat-exclusion-cidr-v4 (string) – SnatExclusionCIDRv4 exempts SNAT from being performed on any packet sent to an IPv4 address that belongs to this CIDR.

  • masquerading.snat-exclusion-cidr-v6 (string) – SnatExclusionCIDRv6 exempts SNAT from being performed on any packet sent to an IPv6 address that belongs to this CIDR. For IPv6 we only do masquerading in iptables mode.

  • nodeMonitor (any) – Status of the node monitor

  • proxy.envoy-deployment-mode (string) – Deployment mode of Envoy L7 proxy

  • proxy.ip (string) – IP address that the proxy listens on

  • proxy.port-range (string) – Port range used for proxying

  • proxy.redirects[].name (string) – Name of the proxy redirect

  • proxy.redirects[].proxy (string) – Name of the proxy this redirect points to

  • proxy.redirects[].proxy-port (integer) – Host port that this redirect points to

  • proxy.total-ports (integer) – Total number of listening proxy ports

  • proxy.total-redirects (integer) – Total number of ports configured to redirect to proxies

  • srv6.enabled (boolean) –

  • srv6.srv6EncapMode (string) –

  • stale (object) – List of stale information in the status
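The following Go program is an added example, not code from the Cilium project: it reads GET /healthz over the agent's Unix socket using only the standard library and lists every component whose state is not accepted. The `/v1` base path and the state values `Ok` and `Disabled` are assumptions not stated on this page, and the sample response is constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"sort"
	"time"
)

// component is the state/msg pair /healthz reports per component (cilium, kubernetes, ...).
type component struct {
	State string `json:"state"`
	Msg   string `json:"msg"`
}

// fetchHealthz issues GET <basePath>/healthz over the agent's Unix socket.
// basePath is supplied by the caller (assumption: the page lists bare paths only).
func fetchHealthz(ctx context.Context, socketPath, basePath string) ([]byte, error) {
	// The URL host is a placeholder: every connection is dialed to the socket.
	dial := func(ctx context.Context, _, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, "unix", socketPath)
	}
	hc := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{DialContext: dial}}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost"+basePath+"/healthz", nil)
	if err != nil {
		return nil, err
	}
	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET /healthz: unexpected status %s", resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 4<<20)) // bounded read
}

// componentStates returns every top-level member of the response that is an
// object with a non-empty "state" field, keyed by member name.
func componentStates(raw []byte) (map[string]component, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil {
		return nil, fmt.Errorf("decoding /healthz response: %w", err)
	}
	out := make(map[string]component)
	for name, member := range top {
		var c component
		if json.Unmarshal(member, &c) == nil && c.State != "" { // skips integers, arrays, stateless objects
			out[name] = c
		}
	}
	return out, nil
}

// degraded lists, in sorted order, the components whose state is not in accepted.
func degraded(states map[string]component, accepted ...string) []string {
	ok := make(map[string]bool, len(accepted))
	for _, s := range accepted {
		ok[s] = true
	}
	var names []string
	for name, c := range states {
		if !ok[c.State] {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// Constructed sample response (not captured from a real agent).
const sampleHealthz = `{
 "cilium": {"state": "Ok", "msg": "constructed sample"},
 "kubernetes": {"state": "Warning", "msg": "constructed: API server unreachable"},
 "kvstore": {"state": "Disabled", "msg": ""}, "client-id": 42, "stale": {},
 "hubble": {"state": "Failure", "msg": "constructed: observer stopped", "observer": {"current-flows": 0}}
}`

func main() {
	raw := []byte(sampleHealthz)
	if len(os.Args) > 1 { // socket path given: query the live agent ("/v1" is assumed)
		var err error
		if raw, err = fetchHealthz(context.Background(), os.Args[1], "/v1"); err != nil {
			panic(err)
		}
	}
	states, err := componentStates(raw)
	if err != nil {
		panic(err)
	}
	for _, name := range degraded(states, "Ok", "Disabled") {
		fmt.Printf("%s: %s (%s)\n", name, states[name].State, states[name].Msg)
	}
}
```

Run without arguments it evaluates the constructed sample; pass the socket path (for example the one shown in the CLI section, without the `unix://` scheme) to query a running agent.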

GET /health

Get modules health of Cilium daemon

Returns modules health and status information of the Cilium daemon.

Status Codes:
Request Headers:
  • brief – Brief is a brief representation of the Cilium status.

GET /config

Get configuration of Cilium daemon

Returns the configuration of the Cilium daemon.

Status Codes:
Response JSON Object:
  • spec.options (object) – Map of configuration key/value pairs.

  • spec.policy-enforcement (string) – The policy-enforcement mode

  • status.GROIPv4MaxSize (integer) – Maximum IPv4 GRO size on workload facing devices

  • status.GROMaxSize (integer) – Maximum IPv6 GRO size on workload facing devices

  • status.GSOIPv4MaxSize (integer) – Maximum IPv4 GSO size on workload facing devices

  • status.GSOMaxSize (integer) – Maximum IPv6 GSO size on workload facing devices

  • status.addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • status.addressing.ipv4.enabled (boolean) – True if address family is enabled

  • status.addressing.ipv4.ip (string) – IP address of node

  • status.addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • status.addressing.ipv6.enabled (boolean) – True if address family is enabled

  • status.addressing.ipv6.ip (string) – IP address of node

  • status.daemonConfigurationMap (any) – Config map which contains all the active daemon configurations

  • status.datapathMode (string) – Datapath mode

  • status.deviceMTU (integer) – MTU on workload facing devices

  • status.egress-multi-home-ip-rule-compat (boolean) – Configured compatibility mode for --egress-multi-home-ip-rule-compat

  • status.immutable (object) – Map of configuration key/value pairs.

  • status.ipam-mode (string) – Configured IPAM mode

  • status.k8s-configuration (string) –

  • status.k8s-endpoint (string) –

  • status.kvstoreConfiguration (any) – Configuration used for the kvstore

  • status.masquerade (boolean) –

  • status.masqueradeProtocols.ipv4 (boolean) – Status of masquerading for IPv4 traffic

  • status.masqueradeProtocols.ipv6 (boolean) – Status of masquerading for IPv6 traffic

  • status.nodeMonitor (any) – Status of the node monitor

  • status.realized.options (object) – Map of configuration key/value pairs.

  • status.realized.policy-enforcement (string) – The policy-enforcement mode

  • status.routeMTU (integer) – MTU for network facing routes

PATCH /config

Modify daemon configuration

Updates the daemon configuration by applying the provided ConfigurationMap and regenerates & recompiles all required datapath components.

Request JSON Object:
  • options (object) – Map of configuration key/value pairs.

  • policy-enforcement (string) – The policy-enforcement mode

Status Codes:

GET /endpoint/{id}

Get endpoint by endpoint ID

Returns endpoint information

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes:
Response JSON Object:
  • id (integer) – The cilium-agent-local ID of the endpoint

  • spec.label-configuration.user[] (string) –

  • spec.options (object) – Map of configuration key/value pairs.

  • status.controllers[].configuration.error-retry (boolean) – Retry on error

  • status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • status.controllers[].configuration.interval (string) – Regular synchronization interval

  • status.controllers[].name (string) – Name of controller

  • status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • status.controllers[].status.failure-count (integer) – Total number of failed runs

  • status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • status.controllers[].status.success-count (integer) – Total number of successful runs

  • status.controllers[].uuid (string) – UUID of controller

  • status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime

  • status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)

  • status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)

  • status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • status.external-identifiers.docker-network-id (string) – Docker network ID

  • status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)

  • status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)

  • status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)

  • status.health.bpf (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • status.health.connected (boolean) – Is this endpoint reachable

  • status.health.overallHealth (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • status.health.policy (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • status.identity.id (integer) – Unique identifier

  • status.identity.labelsSHA256 (string) – SHA256 of labels

  • status.identity.labels[] (string) –

  • status.labels.derived[] (string) –

  • status.labels.disabled[] (string) –

  • status.labels.realized.user[] (string) –

  • status.labels.security-relevant[] (string) –

  • status.log[].code (string) – Code indicating the type of status change

  • status.log[].message (string) – Status message

  • status.log[].state (string) – State of endpoint

  • status.log[].timestamp (string) – Timestamp when status change occurred

  • status.namedPorts[].name (string) – Optional layer 4 port name

  • status.namedPorts[].port (integer) – Layer 4 port number

  • status.namedPorts[].protocol (string) – Layer 4 protocol

  • status.networking.addressing[].ipv4 (string) – IPv4 address

  • status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • status.networking.addressing[].ipv6 (string) – IPv6 address

  • status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • status.networking.container-interface-name (string) – Name of network device in container netns

  • status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • status.networking.host-mac (string) – MAC address

  • status.networking.interface-index (integer) – Index of network device in host netns

  • status.networking.interface-name (string) – Name of network device in host netns

  • status.networking.mac (string) – MAC address

  • status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • status.policy.realized.allowed-egress-identities[] (integer) –

  • status.policy.realized.allowed-ingress-identities[] (integer) –

  • status.policy.realized.build (integer) – Build number of calculated policy in use

  • status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.denied-egress-identities[] (integer) –

  • status.policy.realized.denied-ingress-identities[] (integer) –

  • status.policy.realized.id (integer) – Own identity of endpoint

  • status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • status.policy.spec.allowed-egress-identities[] (integer) –

  • status.policy.spec.allowed-ingress-identities[] (integer) –

  • status.policy.spec.build (integer) – Build number of calculated policy in use

  • status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.denied-egress-identities[] (integer) –

  • status.policy.spec.denied-ingress-identities[] (integer) –

  • status.policy.spec.id (integer) – Own identity of endpoint

  • status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • status.realized.label-configuration.user[] (string) –

  • status.realized.options (object) – Map of configuration key/value pairs.

  • status.state (string) – State of endpoint (required)
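The following Go program is an added example, not code from the Cilium project: it audits one GET /endpoint/{id} response for policy-enforcement gaps using status.health.policy, status.policy.realized.policy-enabled and the spec and realized policy revisions. The sample responses are constructed, and reading spec as the desired policy and realized as the one in effect is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policyState holds the fields read from status.policy.spec and .realized.
type policyState struct {
	Enabled  string `json:"policy-enabled"`  // ingress, egress, both or none
	Revision int64  `json:"policy-revision"` // agent-local policy revision
}

// endpoint mirrors only the GET /endpoint/{id} response fields used below.
type endpoint struct {
	ID     int64 `json:"id"`
	Status struct {
		Health struct {
			Policy string `json:"policy"`
		} `json:"health"`
		Policy struct {
			Spec     *policyState `json:"spec"`
			Realized *policyState `json:"realized"`
		} `json:"policy"`
	} `json:"status"`
}

// auditEndpoint decodes one endpoint object and returns its ID and findings.
// No findings means: policy health OK, enforcement on in both directions,
// and the realized revision equal to the spec revision.
func auditEndpoint(raw []byte) (int64, []string, error) {
	var ep endpoint
	if err := json.Unmarshal(raw, &ep); err != nil {
		return 0, nil, fmt.Errorf("decoding endpoint: %w", err)
	}
	findings := []string{}

	// Health values follow the status list in the response description.
	switch h := ep.Status.Health.Policy; h {
	case "OK":
	case "Failure":
		findings = append(findings, "policy health Failure: no policy is being applied")
	case "Warning":
		findings = append(findings, "policy health Warning: previous policy version still applied")
	case "Disabled":
		findings = append(findings, "policy health Disabled: endpoint will not handle traffic")
	case "Bootstrap", "Pending":
		findings = append(findings, "policy health "+h+": change in progress, check again")
	default:
		findings = append(findings, fmt.Sprintf("policy health missing or unknown: %q", h))
	}

	realized := ep.Status.Policy.Realized
	if realized == nil {
		return ep.ID, append(findings, "no realized policy reported"), nil
	}
	switch realized.Enabled {
	case "both":
	case "ingress", "egress":
		findings = append(findings, "policy enforced for "+realized.Enabled+" only")
	default: // "none" or absent
		findings = append(findings, fmt.Sprintf("policy enforcement is off (policy-enabled=%q)", realized.Enabled))
	}
	// Assumption: spec is the desired policy, realized is what is in effect.
	if spec := ep.Status.Policy.Spec; spec != nil && spec.Revision != realized.Revision {
		findings = append(findings, fmt.Sprintf("realized policy revision %d differs from spec revision %d",
			realized.Revision, spec.Revision))
	}
	return ep.ID, findings, nil
}

// Constructed sample responses (not captured from a real agent).
var sampleEndpoints = []string{
	`{"id":3389595,"status":{"health":{"policy":"OK"},"policy":{"spec":{"policy-enabled":"both","policy-revision":7},"realized":{"policy-enabled":"both","policy-revision":7}}}}`,
	`{"id":452343,"status":{"health":{"policy":"Warning"},"policy":{"spec":{"policy-enabled":"both","policy-revision":7},"realized":{"policy-enabled":"ingress","policy-revision":5}}}}`,
	`{"id":4444,"status":{"health":{"policy":"Failure"},"policy":{"realized":{"policy-enabled":"none","policy-revision":0}}}}`,
}

func main() {
	for _, raw := range sampleEndpoints {
		id, findings, err := auditEndpoint([]byte(raw))
		if err != nil {
			panic(err)
		}
		fmt.Printf("endpoint %d: %d finding(s)\n", id, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```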

PUT /endpoint/{id}

Create endpoint

Creates a new endpoint

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
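The following Go program is an added example, not the Cilium project's own parser: it validates the `[prefix:]id` format described in the id parameter of GET and PUT /endpoint/{id}, applies the default `cilium-local` prefix, flags the prefixes the list marks as deprecated, and escapes the result for use as a path segment. Requiring a numeric ID for `cilium-local` is an assumption based on the examples and the integer `id` field.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// prefixes maps each supported endpoint ID prefix from the parameter list to
// whether the list marks it "deprecated, may not be unique".
var prefixes = map[string]bool{
	"cilium-local":      false,
	"cilium-global":     false,
	"cni-attachment-id": false,
	"container-id":      true,
	"container-name":    true,
	"pod-name":          true,
	"cep-name":          false,
	"docker-endpoint":   false,
}

// endpointRef is a parsed [prefix:]id reference.
type endpointRef struct {
	Prefix     string
	ID         string
	Deprecated bool // prefix may match more than one endpoint
}

// parseEndpointRef splits on the first colon only, because the id part may
// itself contain colons (cilium-global:cluster1:nodeX:452343).
func parseEndpointRef(s string) (endpointRef, error) {
	prefix, id, found := strings.Cut(s, ":")
	if !found {
		// No prefix given: cilium-local is assumed.
		prefix, id = "cilium-local", s
	}
	deprecated, known := prefixes[prefix]
	if !known {
		return endpointRef{}, fmt.Errorf("unknown endpoint ID prefix %q", prefix)
	}
	if id == "" {
		return endpointRef{}, errors.New("empty endpoint ID")
	}
	if prefix == "cilium-local" {
		// Assumption: the agent-local ID is an unsigned integer.
		if _, err := strconv.ParseUint(id, 10, 64); err != nil {
			return endpointRef{}, fmt.Errorf("cilium-local ID %q is not a number", id)
		}
	}
	return endpointRef{Prefix: prefix, ID: id, Deprecated: deprecated}, nil
}

// Path returns the request path for this reference. The reference is escaped
// as a single segment so that "/" or "?" inside a container or pod name
// cannot change which API path is requested.
func (r endpointRef) Path() string {
	return "/endpoint/" + url.PathEscape(r.Prefix+":"+r.ID)
}

func main() {
	// Constructed inputs, including the examples from the parameter list.
	for _, in := range []string{
		"3389595",
		"cilium-global:cluster1:nodeX:452343",
		"container-name:foobar",
		"container-name:foo/../bar",
		"bogus:1",
	} {
		ref, err := parseEndpointRef(in)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-40s %s deprecated=%t\n", in, ref.Path(), ref.Deprecated)
	}
}
```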

Request JSON Object:
  • addressing.ipv4 (string) – IPv4 address

  • addressing.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • addressing.ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • addressing.ipv6 (string) – IPv6 address

  • addressing.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • addressing.ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • container-id (string) – ID assigned by container runtime

  • container-interface-name (string) – Name of network device in container netns

  • container-name (string) – Name assigned to container

  • datapath-configuration.disable-sip-verification (boolean) – Disable source IP verification for the endpoint.

  • datapath-configuration.external-ipam (boolean) – Indicates that IPAM is done external to Cilium. This will prevent the IP from being released and re-allocation of the IP address is skipped on restore.

  • datapath-configuration.install-endpoint-route (boolean) – Installs a route in the Linux routing table pointing to the device of the endpoint’s interface.

  • datapath-configuration.require-arp-passthrough (boolean) – Enable ARP passthrough mode

  • datapath-configuration.require-egress-prog (boolean) – Endpoint requires a host-facing egress program to be attached to implement ingress policy and reverse NAT.

  • datapath-configuration.require-routing (boolean) – Endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing.

  • datapath-map-id (integer) – ID of datapath tail call map

  • disable-legacy-identifiers (boolean) – Disables lookup using legacy endpoint identifiers (container name, container id, pod name) for this endpoint

  • docker-endpoint-id (string) – Docker endpoint ID

  • docker-network-id (string) – Docker network ID

  • host-mac (string) – MAC address

  • id (integer) – Local endpoint ID

  • interface-index (integer) – Index of network device in host netns

  • interface-name (string) – Name of network device in host netns

  • k8s-namespace (string) – Kubernetes namespace name

  • k8s-pod-name (string) – Kubernetes pod name

  • labels[] (string) –

  • mac (string) – MAC address

  • pid (integer) – Process ID of the workload belonging to this endpoint

  • policy-enabled (boolean) – Whether policy enforcement is enabled or not

  • properties (any) – Properties is used to store information about the endpoint at creation. Useful for tests.

  • state (string) – State of endpoint (required)

  • sync-build-endpoint (boolean) – Whether to build an endpoint synchronously

Status Codes:
Response JSON Object:
  • id (integer) – The cilium-agent-local ID of the endpoint

  • spec.label-configuration.user[] (string) –

  • spec.options (object) – Map of configuration key/value pairs.

  • status.controllers[].configuration.error-retry (boolean) – Retry on error

  • status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • status.controllers[].configuration.interval (string) – Regular synchronization interval

  • status.controllers[].name (string) – Name of controller

  • status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • status.controllers[].status.failure-count (integer) – Total number of failed runs

  • status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • status.controllers[].status.success-count (integer) – Total number of successful runs

  • status.controllers[].uuid (string) – UUID of controller

  • status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime

  • status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)

  • status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)

  • status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • status.external-identifiers.docker-network-id (string) – Docker network ID

  • status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)

  • status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)

  • status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)

  • status.health.bpf (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • status.health.connected (boolean) – Is this endpoint reachable

  • status.health.overallHealth (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • status.health.policy (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • status.identity.id (integer) – Unique identifier

  • status.identity.labelsSHA256 (string) – SHA256 of labels

  • status.identity.labels[] (string) –

  • status.labels.derived[] (string) –

  • status.labels.disabled[] (string) –

  • status.labels.realized.user[] (string) –

  • status.labels.security-relevant[] (string) –

  • status.log[].code (string) – Code indicating the type of status change

  • status.log[].message (string) – Status message

  • status.log[].state (string) – State of endpoint

  • status.log[].timestamp (string) – Timestamp when status change occurred

  • status.namedPorts[].name (string) – Optional layer 4 port name

  • status.namedPorts[].port (integer) – Layer 4 port number

  • status.namedPorts[].protocol (string) – Layer 4 protocol

  • status.networking.addressing[].ipv4 (string) – IPv4 address

  • status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • status.networking.addressing[].ipv6 (string) – IPv6 address

  • status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • status.networking.container-interface-name (string) – Name of network device in container netns

  • status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • status.networking.host-mac (string) – MAC address

  • status.networking.interface-index (integer) – Index of network device in host netns

  • status.networking.interface-name (string) – Name of network device in host netns

  • status.networking.mac (string) – MAC address

  • status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • status.policy.realized.allowed-egress-identities[] (integer) –

  • status.policy.realized.allowed-ingress-identities[] (integer) –

  • status.policy.realized.build (integer) – Build number of calculated policy in use

  • status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.denied-egress-identities[] (integer) –

  • status.policy.realized.denied-ingress-identities[] (integer) –

  • status.policy.realized.id (integer) – Own identity of endpoint

  • status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • status.policy.spec.allowed-egress-identities[] (integer) –

  • status.policy.spec.allowed-ingress-identities[] (integer) –

  • status.policy.spec.build (integer) – Build number of calculated policy in use

  • status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.denied-egress-identities[] (integer) –

  • status.policy.spec.denied-ingress-identities[] (integer) –

  • status.policy.spec.id (integer) – Own identity of endpoint

  • status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • status.realized.label-configuration.user[] (string) –

  • status.realized.options (object) – Map of configuration key/value pairs.

  • status.state (string) – State of endpoint (required)

PATCH /endpoint/{id}

Modify existing endpoint

Applies the endpoint change request to an existing endpoint

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object:
  • addressing.ipv4 (string) – IPv4 address

  • addressing.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • addressing.ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • addressing.ipv6 (string) – IPv6 address

  • addressing.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • addressing.ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • container-id (string) – ID assigned by container runtime

  • container-interface-name (string) – Name of network device in container netns

  • container-name (string) – Name assigned to container

  • datapath-configuration.disable-sip-verification (boolean) – Disable source IP verification for the endpoint.

  • datapath-configuration.external-ipam (boolean) – Indicates that IPAM is done external to Cilium. This will prevent the IP from being released and re-allocation of the IP address is skipped on restore.

  • datapath-configuration.install-endpoint-route (boolean) – Installs a route in the Linux routing table pointing to the device of the endpoint’s interface.

  • datapath-configuration.require-arp-passthrough (boolean) – Enable ARP passthrough mode

  • datapath-configuration.require-egress-prog (boolean) – Endpoint requires a host-facing egress program to be attached to implement ingress policy and reverse NAT.

  • datapath-configuration.require-routing (boolean) – Endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing.

  • datapath-map-id (integer) – ID of datapath tail call map

  • disable-legacy-identifiers (boolean) – Disables lookup using legacy endpoint identifiers (container name, container id, pod name) for this endpoint

  • docker-endpoint-id (string) – Docker endpoint ID

  • docker-network-id (string) – Docker network ID

  • host-mac (string) – MAC address

  • id (integer) – Local endpoint ID

  • interface-index (integer) – Index of network device in host netns

  • interface-name (string) – Name of network device in host netns

  • k8s-namespace (string) – Kubernetes namespace name

  • k8s-pod-name (string) – Kubernetes pod name

  • labels[] (string) –

  • mac (string) – MAC address

  • pid (integer) – Process ID of the workload belonging to this endpoint

  • policy-enabled (boolean) – Whether policy enforcement is enabled or not

  • properties (any) – Properties is used to store information about the endpoint at creation. Useful for tests.

  • state (string) – State of endpoint (required)

  • sync-build-endpoint (boolean) – Whether to build an endpoint synchronously

Status Codes:
DELETE /endpoint/{id}

Delete endpoint

Deletes the endpoint specified by the ID. Deletion is imminent and atomic: if the deletion request is valid and the endpoint exists, deletion will occur even if errors are encountered in the process. If errors have been encountered, the code 202 will be returned; otherwise, 200 is returned on success.

All resources associated with the endpoint will be freed and the workload represented by the endpoint will be disconnected. It will no longer be able to initiate or receive communications of any sort.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444
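
The [prefix:]id format described above, as an added Go example that is not part of the Cilium code base: it parses a reference, applies the cilium-local: default, and flags the prefixes this page marks as deprecated and possibly non-unique. The names ParseEndpointRef and CanonicalForMutation are hypothetical, and refusing deprecated prefixes for PATCH or DELETE is a caller-side policy assumed here, not documented agent behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EndpointRef is a parsed "[prefix:]id" endpoint reference.
type EndpointRef struct {
	Prefix     string // one of the documented prefixes
	ID         string // everything after the first colon
	Deprecated bool   // documented as "deprecated, may not be unique"
}

// documentedPrefixes lists the supported endpoint id prefixes from this
// reference; the value records whether the prefix is marked deprecated.
var documentedPrefixes = map[string]bool{
	"cilium-local":      false,
	"cilium-global":     false,
	"cni-attachment-id": false,
	"container-id":      true,
	"container-name":    true,
	"pod-name":          true,
	"cep-name":          false,
	"docker-endpoint":   false,
}

// ErrAmbiguousRef is returned when a mutating call is addressed through a
// prefix that the reference says may not be unique.
var ErrAmbiguousRef = errors.New("endpoint reference uses a deprecated, possibly non-unique prefix")

// ParseEndpointRef splits s at the first colon. A string without a colon is
// treated as a cilium-local id, as the parameter description specifies.
func ParseEndpointRef(s string) (EndpointRef, error) {
	if s == "" {
		return EndpointRef{}, errors.New("empty endpoint reference")
	}
	prefix, id := "cilium-local", s
	if i := strings.IndexByte(s, ':'); i >= 0 {
		prefix, id = s[:i], s[i+1:]
	}
	deprecated, ok := documentedPrefixes[prefix]
	if !ok {
		return EndpointRef{}, fmt.Errorf("unsupported endpoint id prefix %q", prefix)
	}
	if id == "" {
		return EndpointRef{}, fmt.Errorf("prefix %q has no id", prefix)
	}
	return EndpointRef{Prefix: prefix, ID: id, Deprecated: deprecated}, nil
}

// CanonicalForMutation returns the explicit "prefix:id" form to use with
// PATCH or DELETE /endpoint/{id}. Refusing deprecated prefixes is a
// caller-side policy assumed for this example, not agent behaviour.
func CanonicalForMutation(s string) (string, error) {
	ref, err := ParseEndpointRef(s)
	if err != nil {
		return "", err
	}
	if ref.Deprecated {
		return "", fmt.Errorf("%w: %s", ErrAmbiguousRef, s)
	}
	return ref.Prefix + ":" + ref.ID, nil
}

func main() {
	// Constructed inputs, based on the examples in the parameter description.
	for _, in := range []string{
		"3389595",
		"cilium-global:cluster1:nodeX:452343",
		"cni-attachment-id:22222:eth0",
		"container-name:foobar",
		"bogus:1",
	} {
		out, err := CanonicalForMutation(in)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", in, out)
	}
}
```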

Status Codes:
GET /endpoint

Retrieves a list of endpoints that have metadata matching the provided parameters.

Retrieves a list of endpoints that have metadata matching the provided parameters, or all endpoints if no parameters are provided.

Request JSON Object:
  • [] (string) –

Status Codes:
Response JSON Object:
  • [].id (integer) – The cilium-agent-local ID of the endpoint

  • [].spec.label-configuration.user[] (string) –

  • [].spec.options (object) – Map of configuration key/value pairs.

  • [].status.controllers[].configuration.error-retry (boolean) – Retry on error

  • [].status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • [].status.controllers[].configuration.interval (string) – Regular synchronization interval

  • [].status.controllers[].name (string) – Name of controller

  • [].status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • [].status.controllers[].status.failure-count (integer) – Total number of failed runs

  • [].status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • [].status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • [].status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • [].status.controllers[].status.success-count (integer) – Total number of successful runs

  • [].status.controllers[].uuid (string) – UUID of controller

  • [].status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime

  • [].status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)

  • [].status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)

  • [].status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • [].status.external-identifiers.docker-network-id (string) – Docker network ID

  • [].status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)

  • [].status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)

  • [].status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)

  • [].status.health.bpf (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • [].status.health.connected (boolean) – Is this endpoint reachable

  • [].status.health.overallHealth (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • [].status.health.policy (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • [].status.identity.id (integer) – Unique identifier

  • [].status.identity.labelsSHA256 (string) – SHA256 of labels

  • [].status.identity.labels[] (string) –

  • [].status.labels.derived[] (string) –

  • [].status.labels.disabled[] (string) –

  • [].status.labels.realized.user[] (string) –

  • [].status.labels.security-relevant[] (string) –

  • [].status.log[].code (string) – Code indicating the type of status change

  • [].status.log[].message (string) – Status message

  • [].status.log[].state (string) – State of endpoint

  • [].status.log[].timestamp (string) – Timestamp when status change occurred

  • [].status.namedPorts[].name (string) – Optional layer 4 port name

  • [].status.namedPorts[].port (integer) – Layer 4 port number

  • [].status.namedPorts[].protocol (string) – Layer 4 protocol

  • [].status.networking.addressing[].ipv4 (string) – IPv4 address

  • [].status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • [].status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • [].status.networking.addressing[].ipv6 (string) – IPv6 address

  • [].status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • [].status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • [].status.networking.container-interface-name (string) – Name of network device in container netns

  • [].status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • [].status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • [].status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • [].status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • [].status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • [].status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • [].status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • [].status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • [].status.networking.host-mac (string) – MAC address

  • [].status.networking.interface-index (integer) – Index of network device in host netns

  • [].status.networking.interface-name (string) – Name of network device in host netns

  • [].status.networking.mac (string) – MAC address

  • [].status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • [].status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • [].status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • [].status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • [].status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • [].status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • [].status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • [].status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • [].status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • [].status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • [].status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • [].status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • [].status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • [].status.policy.realized.allowed-egress-identities[] (integer) –

  • [].status.policy.realized.allowed-ingress-identities[] (integer) –

  • [].status.policy.realized.build (integer) – Build number of calculated policy in use

  • [].status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.realized.denied-egress-identities[] (integer) –

  • [].status.policy.realized.denied-ingress-identities[] (integer) –

  • [].status.policy.realized.id (integer) – Own identity of endpoint

  • [].status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • [].status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • [].status.policy.spec.allowed-egress-identities[] (integer) –

  • [].status.policy.spec.allowed-ingress-identities[] (integer) –

  • [].status.policy.spec.build (integer) – Build number of calculated policy in use

  • [].status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.spec.denied-egress-identities[] (integer) –

  • [].status.policy.spec.denied-ingress-identities[] (integer) –

  • [].status.policy.spec.id (integer) – Own identity of endpoint

  • [].status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • [].status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • [].status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • [].status.realized.label-configuration.user[] (string) –

  • [].status.realized.options (object) – Map of configuration key/value pairs.

  • [].status.state (string) – State of endpoint (required)
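
An added Go example, not part of the Cilium code base, that audits a GET /endpoint response for policy-enforcement gaps using the health and policy fields listed above. The JSON sample is constructed, the names AuditEndpoints and Finding are hypothetical, and reading spec as the desired policy and realized as the applied one is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policyView holds the fields shared by status.policy.realized and
// status.policy.spec that this audit reads.
type policyView struct {
	PolicyEnabled  string `json:"policy-enabled"`
	PolicyRevision int64  `json:"policy-revision"`
}

// endpoint decodes only the documented response fields the audit needs.
type endpoint struct {
	ID     int64 `json:"id"`
	Status struct {
		Health struct {
			Policy string `json:"policy"`
		} `json:"health"`
		Policy struct {
			Realized policyView `json:"realized"`
			Spec     policyView `json:"spec"`
		} `json:"policy"`
	} `json:"status"`
}

// Finding is one audit result for one endpoint.
type Finding struct {
	EndpointID int64
	Code       string
	Detail     string
}

// AuditEndpoints decodes a GET /endpoint response body and reports endpoints
// whose policy state deserves a closer look.
func AuditEndpoints(raw []byte) ([]Finding, error) {
	var eps []endpoint
	if err := json.Unmarshal(raw, &eps); err != nil {
		return nil, fmt.Errorf("decode endpoint list: %w", err)
	}
	var findings []Finding
	for _, ep := range eps {
		r, s := ep.Status.Policy.Realized, ep.Status.Policy.Spec
		switch ep.Status.Health.Policy {
		case "Failure": // an error has occurred and no policy is being applied
			findings = append(findings, Finding{ep.ID, "policy-failure", "health.policy is Failure"})
		case "Warning": // the previous policy version is still applied
			findings = append(findings, Finding{ep.ID, "policy-stale", "health.policy is Warning"})
		}
		if r.PolicyEnabled != s.PolicyEnabled {
			findings = append(findings, Finding{ep.ID, "enforcement-mismatch",
				fmt.Sprintf("realized=%q spec=%q", r.PolicyEnabled, s.PolicyEnabled)})
		}
		if r.PolicyEnabled == "none" {
			findings = append(findings, Finding{ep.ID, "enforcement-none", "realized policy-enabled is none"})
		}
		if r.PolicyRevision < s.PolicyRevision {
			findings = append(findings, Finding{ep.ID, "revision-lag",
				fmt.Sprintf("realized=%d spec=%d", r.PolicyRevision, s.PolicyRevision)})
		}
	}
	return findings, nil
}

// sampleEndpointList is constructed for this example; it is not agent output.
const sampleEndpointList = `[
  {"id": 101, "status": {"health": {"policy": "OK"},
    "policy": {"realized": {"policy-enabled": "both", "policy-revision": 7},
               "spec":     {"policy-enabled": "both", "policy-revision": 7}}}},
  {"id": 202, "status": {"health": {"policy": "Warning"},
    "policy": {"realized": {"policy-enabled": "both", "policy-revision": 6},
               "spec":     {"policy-enabled": "both", "policy-revision": 7}}}},
  {"id": 303, "status": {"health": {"policy": "Failure"},
    "policy": {"realized": {"policy-enabled": "none", "policy-revision": 7},
               "spec":     {"policy-enabled": "both", "policy-revision": 7}}}}
]`

func main() {
	findings, err := AuditEndpoints([]byte(sampleEndpointList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("endpoint %d: %s (%s)\n", f.EndpointID, f.Code, f.Detail)
	}
}
```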

DELETE /endpoint

Deletes a list of endpoints

Deletes a list of endpoints matching the provided properties

Request JSON Object:
  • container-id (string) – ID assigned by container runtime

Status Codes:
GET /endpoint/{id}/config

Retrieve endpoint configuration

Retrieves the configuration of the specified endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes:
Response JSON Object:
  • error (string) –

  • immutable (object) – Map of configuration key/value pairs.

  • realized.label-configuration.user[] (string) –

  • realized.options (object) – Map of configuration key/value pairs.

PATCH /endpoint/{id}/config

Modify mutable endpoint configuration

Updates the configuration of an existing endpoint and automatically regenerates and recompiles the corresponding programs.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object:
  • label-configuration.user[] (string) –

  • options (object) – Map of configuration key/value pairs.

Status Codes:
GET /endpoint/{id}/labels

Retrieves the list of labels associated with an endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes:
Response JSON Object:
  • spec.user[] (string) –

  • status.derived[] (string) –

  • status.disabled[] (string) –

  • status.realized.user[] (string) –

  • status.security-relevant[] (string) –

PATCH /endpoint/{id}/labels

Set label configuration of endpoint

Sets labels associated with an endpoint. These can be user provided or derived from the orchestration system.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Request JSON Object:
  • user[] (string) –

Status Codes:
GET /endpoint/{id}/log

Retrieves the status logs associated with this endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes:
Response JSON Object:
  • [].code (string) – Code indicating the type of status change

  • [].message (string) – Status message

  • [].state (string) – State of endpoint

  • [].timestamp (string) – Timestamp when status change occurred

GET /endpoint/{id}/healthz

Retrieves the status logs associated with this endpoint.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints will be addressable by all endpoint ID prefixes with the exception of the local Cilium UUID which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Status Codes:
Response JSON Object:
  • bpf (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • connected (boolean) – Is this endpoint reachable

  • overallHealth (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

  • policy (string) – A common set of statuses for endpoint health:
    • OK = All components operational
    • Bootstrap = This component is being created
    • Pending = A change is being processed to be applied
    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)
    • Failure = An error has occurred and no policy is being applied
    • Disabled = This endpoint is disabled and will not handle traffic

GET /identity

Retrieves a list of identities that have metadata matching the provided parameters.

Retrieves a list of identities that have metadata matching the provided parameters, or all identities if no parameters are provided.

Request JSON Object:
  • [] (string) –

Status Codes:
  • 200 OK – Success

  • 404 Not Found – Identities with provided parameters not found

  • 520 – Identity storage unreachable. Likely a network problem.

  • 521 – Invalid identity format in storage

Response JSON Object:
  • [].id (integer) – Unique identifier

  • [].labelsSHA256 (string) – SHA256 of labels

  • [].labels[] (string) –

GET /identity/{id}

Retrieve identity

Parameters:
  • id (string) – Cluster wide unique identifier of a security identity.

Status Codes:
  • 200 OK – Success

  • 400 Bad Request – Invalid identity provided

  • 404 Not Found – Identity not found

  • 520 – Identity storage unreachable. Likely a network problem.

  • 521 – Invalid identity format in storage

Response JSON Object:
  • id (integer) – Unique identifier

  • labelsSHA256 (string) – SHA256 of labels

  • labels[] (string) –

GET /identity/endpoints

Retrieve identities which are being used by local endpoints

Status Codes:
  • 200 OK – Success

  • 404 Not Found – Set of identities which are being used by local endpoints could not be found.

Response JSON Object:
  • [].identity.id (integer) – Unique identifier

  • [].identity.labelsSHA256 (string) – SHA256 of labels

  • [].identity.labels[] (string) –

  • [].refCount (integer) – number of endpoints consuming this identity locally (should always be > 0)

POST /ipam

Allocate an IP address

Query Parameters:
  • family (string) –

  • owner (string) –

  • pool (string) –

Status Codes:
Request Headers:
  • expiration

Response JSON Object:
  • address.ipv4 (string) – IPv4 address

  • address.ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • address.ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • address.ipv6 (string) – IPv6 address

  • address.ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • address.ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • host-addressing.ipv4.ip (string) – IP address of node

  • host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • host-addressing.ipv6.ip (string) – IP address of node

  • ipv4.cidrs[] (string) –

  • ipv4.expiration-uuid (string) – The UUID for the expiration timer. Set when expiration has been enabled while allocating.

  • ipv4.gateway (string) – IP of gateway

  • ipv4.interface-number (string) – InterfaceNumber is a field for generically identifying an interface. This is only useful in ENI mode.

  • ipv4.ip (string) – Allocated IP for endpoint

  • ipv4.master-mac (string) – MAC of master interface if address is a slave/secondary of a master interface

  • ipv6.cidrs[] (string) –

  • ipv6.expiration-uuid (string) – The UUID for the expiration timer. Set when expiration has been enabled while allocating.

  • ipv6.gateway (string) – IP of gateway

  • ipv6.interface-number (string) – InterfaceNumber is a field for generically identifying an interface. This is only useful in ENI mode.

  • ipv6.ip (string) – Allocated IP for endpoint

  • ipv6.master-mac (string) – MAC of master interface if address is a slave/secondary of a master interface

POST /ipam/{ip}

Allocate an IP address

Parameters:
  • ip (string) – IP address

Query Parameters:
  • owner (string) –

  • pool (string) –

Status Codes:

DELETE /ipam/{ip}

Release an allocated IP address

Parameters:
  • ip (string) – IP address

Query Parameters:
  • pool (string) –

Status Codes:

GET /policy

Retrieve entire policy tree

Returns the entire policy tree with all children.

Request JSON Object:
  • [] (string) –

Status Codes:
Response JSON Object:
  • policy (string) – Policy definition as JSON.

  • revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

PUT /policy

Create or update a policy (sub)tree

Query Parameters:
  • replace (boolean) – If true, indicates that existing rules with identical labels should be replaced.

  • replace-with-labels (array) – If present, indicates that existing rules with the given labels should be deleted.

Status Codes:
Response JSON Object:
  • policy (string) – Policy definition as JSON.

  • revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

DELETE /policy

Delete a policy (sub)tree

Request JSON Object:
  • [] (string) –

Status Codes:
Response JSON Object:
  • policy (string) – Policy definition as JSON.

  • revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

GET /policy/selectors

See what selectors match which identities

Status Codes:
Response JSON Object:
  • [].identities[] (integer) –

  • [].labels[].key (string) –

  • [].labels[].source (string) – Source can be one of the above values (e.g. LabelSourceContainer)

  • [].labels[].value (string) –

  • [].selector (string) – string form of selector

  • [].users (integer) – number of users of this selector in the cache

GET /lrp

Retrieve list of all local redirect policies

Status Codes:
Response JSON Object:
  • [].frontend-mappings[].backends[].backend-address.ip (string) – Layer 3 address (required)

  • [].frontend-mappings[].backends[].backend-address.nodeName (string) – Optional name of the node on which this backend runs

  • [].frontend-mappings[].backends[].backend-address.port (integer) – Layer 4 port number

  • [].frontend-mappings[].backends[].backend-address.preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • [].frontend-mappings[].backends[].backend-address.state (string) – State of the backend for load-balancing service traffic

  • [].frontend-mappings[].backends[].backend-address.weight (integer) – Backend weight

  • [].frontend-mappings[].backends[].pod-id (string) – Namespace and name of the backend pod

  • [].frontend-mappings[].frontend-address.ip (string) – Layer 3 address

  • [].frontend-mappings[].frontend-address.port (integer) – Layer 4 port number

  • [].frontend-mappings[].frontend-address.protocol (string) – Layer 4 protocol

  • [].frontend-mappings[].frontend-address.scope (string) – Load balancing scope for frontend address

  • [].frontend-type (string) – LRP frontend type

  • [].lrp-type (string) – LRP config type

  • [].name (string) – LRP service name

  • [].namespace (string) – LRP service namespace

  • [].service-id (string) – matching k8s service namespace and name

  • [].uid (string) – Unique identification

GET /service

Retrieve list of all services

Status Codes:
Response JSON Object:
  • [].spec.backend-addresses[].ip (string) – Layer 3 address (required)

  • [].spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • [].spec.backend-addresses[].port (integer) – Layer 4 port number

  • [].spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • [].spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • [].spec.backend-addresses[].weight (integer) – Backend weight

  • [].spec.flags.cluster (string) – Service cluster

  • [].spec.flags.extTrafficPolicy (string) – Service external traffic policy

  • [].spec.flags.healthCheckNodePort (integer) – Service health check node port

  • [].spec.flags.intTrafficPolicy (string) – Service internal traffic policy

  • [].spec.flags.name (string) – Service name (e.g. Kubernetes service name)

  • [].spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • [].spec.flags.natPolicy (string) – Service protocol NAT policy

  • [].spec.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • [].spec.flags.type (string) – Service type

  • [].spec.frontend-address.ip (string) – Layer 3 address

  • [].spec.frontend-address.port (integer) – Layer 4 port number

  • [].spec.frontend-address.protocol (string) – Layer 4 protocol

  • [].spec.frontend-address.scope (string) – Load balancing scope for frontend address

  • [].spec.id (integer) – Unique identification

  • [].spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • [].status.realized.backend-addresses[].ip (string) – Layer 3 address (required)

  • [].status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • [].status.realized.backend-addresses[].port (integer) – Layer 4 port number

  • [].status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • [].status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • [].status.realized.backend-addresses[].weight (integer) – Backend weight

  • [].status.realized.flags.cluster (string) – Service cluster

  • [].status.realized.flags.extTrafficPolicy (string) – Service external traffic policy

  • [].status.realized.flags.healthCheckNodePort (integer) – Service health check node port

  • [].status.realized.flags.intTrafficPolicy (string) – Service internal traffic policy

  • [].status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)

  • [].status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • [].status.realized.flags.natPolicy (string) – Service protocol NAT policy

  • [].status.realized.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • [].status.realized.flags.type (string) – Service type

  • [].status.realized.frontend-address.ip (string) – Layer 3 address

  • [].status.realized.frontend-address.port (integer) – Layer 4 port number

  • [].status.realized.frontend-address.protocol (string) – Layer 4 protocol

  • [].status.realized.frontend-address.scope (string) – Load balancing scope for frontend address

  • [].status.realized.id (integer) – Unique identification

  • [].status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

GET /service/{id}

Retrieve configuration of a service

Parameters:
  • id (integer) – ID of service

Status Codes:
Response JSON Object:
  • spec.backend-addresses[].ip (string) – Layer 3 address (required)

  • spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • spec.backend-addresses[].port (integer) – Layer 4 port number

  • spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • spec.backend-addresses[].weight (integer) – Backend weight

  • spec.flags.cluster (string) – Service cluster

  • spec.flags.extTrafficPolicy (string) – Service external traffic policy

  • spec.flags.healthCheckNodePort (integer) – Service health check node port

  • spec.flags.intTrafficPolicy (string) – Service internal traffic policy

  • spec.flags.name (string) – Service name (e.g. Kubernetes service name)

  • spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • spec.flags.natPolicy (string) – Service protocol NAT policy

  • spec.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • spec.flags.type (string) – Service type

  • spec.frontend-address.ip (string) – Layer 3 address

  • spec.frontend-address.port (integer) – Layer 4 port number

  • spec.frontend-address.protocol (string) – Layer 4 protocol

  • spec.frontend-address.scope (string) – Load balancing scope for frontend address

  • spec.id (integer) – Unique identification

  • spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • status.realized.backend-addresses[].ip (string) – Layer 3 address (required)

  • status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • status.realized.backend-addresses[].port (integer) – Layer 4 port number

  • status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • status.realized.backend-addresses[].weight (integer) – Backend weight

  • status.realized.flags.cluster (string) – Service cluster

  • status.realized.flags.extTrafficPolicy (string) – Service external traffic policy

  • status.realized.flags.healthCheckNodePort (integer) – Service health check node port

  • status.realized.flags.intTrafficPolicy (string) – Service internal traffic policy

  • status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)

  • status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • status.realized.flags.natPolicy (string) – Service protocol NAT policy

  • status.realized.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • status.realized.flags.type (string) – Service type

  • status.realized.frontend-address.ip (string) – Layer 3 address

  • status.realized.frontend-address.port (integer) – Layer 4 port number

  • status.realized.frontend-address.protocol (string) – Layer 4 protocol

  • status.realized.frontend-address.scope (string) – Load balancing scope for frontend address

  • status.realized.id (integer) – Unique identification

  • status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

PUT /service/{id}

Create or update service

Parameters:
  • id (integer) – ID of service

Request JSON Object:
  • backend-addresses[].ip (string) – Layer 3 address (required)

  • backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • backend-addresses[].port (integer) – Layer 4 port number

  • backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • backend-addresses[].weight (integer) – Backend weight

  • flags.cluster (string) – Service cluster

  • flags.extTrafficPolicy (string) – Service external traffic policy

  • flags.healthCheckNodePort (integer) – Service health check node port

  • flags.intTrafficPolicy (string) – Service internal traffic policy

  • flags.name (string) – Service name (e.g. Kubernetes service name)

  • flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • flags.natPolicy (string) – Service protocol NAT policy

  • flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • flags.type (string) – Service type

  • frontend-address.ip (string) – Layer 3 address

  • frontend-address.port (integer) – Layer 4 port number

  • frontend-address.protocol (string) – Layer 4 protocol

  • frontend-address.scope (string) – Load balancing scope for frontend address

  • id (integer) – Unique identification

  • updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

Status Codes:

DELETE /service/{id}

Delete a service

Parameters:
  • id (integer) – ID of service

Status Codes:

GET /statedb/dump

Dump StateDB contents

Status Codes:

GET /statedb/query/{table}

Perform a query against a StateDB table

Parameters:
  • table (string) – StateDB table name

Query Parameters:
  • index (string) – StateDB index name

  • key (string) – Query key (base64 encoded)

  • lowerbound (boolean) – If true perform a LowerBound search

Status Codes:

GET /recorder

Retrieve list of all recorders

Status Codes:
Response JSON Object:
  • [].spec.capture-length (integer) – Maximum packet length or zero for full packet length

  • [].spec.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • [].spec.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • [].spec.filters[].protocol (string) – Layer 4 protocol

  • [].spec.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • [].spec.filters[].src-prefix (string) – Layer 3 source CIDR

  • [].spec.id (integer) – Unique identification (required)

  • [].status.realized.capture-length (integer) – Maximum packet length or zero for full packet length

  • [].status.realized.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • [].status.realized.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • [].status.realized.filters[].protocol (string) – Layer 4 protocol

  • [].status.realized.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • [].status.realized.filters[].src-prefix (string) – Layer 3 source CIDR

  • [].status.realized.id (integer) – Unique identification (required)

GET /recorder/masks

Retrieve list of all recorder masks

Status Codes:
Response JSON Object:
  • [].status.realized.dst-port-mask (string) – Layer 4 destination port mask

  • [].status.realized.dst-prefix-mask (string) – Layer 3 destination IP mask

  • [].status.realized.priority (integer) – Priority of this mask

  • [].status.realized.protocol-mask (string) – Layer 4 protocol mask

  • [].status.realized.src-port-mask (string) – Layer 4 source port mask

  • [].status.realized.src-prefix-mask (string) – Layer 3 source IP mask

  • [].status.realized.users (integer) – Number of users of this mask

GET /recorder/{id}

Retrieve configuration of a recorder

Parameters:
  • id (integer) – ID of recorder

Status Codes:
Response JSON Object:
  • spec.capture-length (integer) – Maximum packet length or zero for full packet length

  • spec.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • spec.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • spec.filters[].protocol (string) – Layer 4 protocol

  • spec.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • spec.filters[].src-prefix (string) – Layer 3 source CIDR

  • spec.id (integer) – Unique identification (required)

  • status.realized.capture-length (integer) – Maximum packet length or zero for full packet length

  • status.realized.filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • status.realized.filters[].dst-prefix (string) – Layer 3 destination CIDR

  • status.realized.filters[].protocol (string) – Layer 4 protocol

  • status.realized.filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • status.realized.filters[].src-prefix (string) – Layer 3 source CIDR

  • status.realized.id (integer) – Unique identification (required)

PUT /recorder/{id}

Create or update recorder

Parameters:
  • id (integer) – ID of recorder

Request JSON Object:
  • capture-length (integer) – Maximum packet length or zero for full packet length

  • filters[].dst-port (string) – Layer 4 destination port, zero (or in future range)

  • filters[].dst-prefix (string) – Layer 3 destination CIDR

  • filters[].protocol (string) – Layer 4 protocol

  • filters[].src-port (string) – Layer 4 source port, zero (or in future range)

  • filters[].src-prefix (string) – Layer 3 source CIDR

  • id (integer) – Unique identification (required)

Status Codes:

DELETE /recorder/{id}

Delete a recorder

Parameters:
  • id (integer) – ID of recorder

Status Codes:

GET /prefilter

Retrieve list of CIDRs

Status Codes:
Response JSON Object:
  • spec.deny[] (string) –

  • spec.revision (integer) –

  • status.realized.deny[] (string) –

  • status.realized.revision (integer) –

PATCH /prefilter

Update list of CIDRs

Request JSON Object:
  • deny[] (string) –

  • revision (integer) –

Status Codes:
Response JSON Object:
  • spec.deny[] (string) –

  • spec.revision (integer) –

  • status.realized.deny[] (string) –

  • status.realized.revision (integer) –

DELETE /prefilter

Delete list of CIDRs

Request JSON Object:
  • deny[] (string) –

  • revision (integer) –

Status Codes:
Response JSON Object:
  • spec.deny[] (string) –

  • spec.revision (integer) –

  • status.realized.deny[] (string) –

  • status.realized.revision (integer) –

GET /debuginfo

Retrieve information about the agent and environment for debugging

Status Codes:
Response JSON Object:
  • cilium-memory-map (string) –

  • cilium-nodemonitor-memory-map (string) –

  • cilium-status.auth-certificate-provider.msg (string) – Human readable status/error/warning message

  • cilium-status.auth-certificate-provider.state (string) – State the component is in

  • cilium-status.bandwidth-manager.congestionControl (string) –

  • cilium-status.bandwidth-manager.devices[] (string) –

  • cilium-status.bandwidth-manager.enabled (boolean) – Is bandwidth manager enabled

  • cilium-status.bpf-maps.dynamic-size-ratio (number) – Ratio of total system memory to use for dynamic sizing of BPF maps

  • cilium-status.bpf-maps.maps[].name (string) – Name of the BPF map

  • cilium-status.bpf-maps.maps[].size (integer) – Size of the BPF map

  • cilium-status.cilium.msg (string) – Human readable status/error/warning message

  • cilium-status.cilium.state (string) – State the component is in

  • cilium-status.client-id (integer) – When supported by the API, this client ID should be used by the client when making another request to the server. See for example “/cluster/nodes”.

  • cilium-status.clock-source.hertz (integer) – Kernel Hz

  • cilium-status.clock-source.mode (string) – Datapath clock source

  • cilium-status.cluster (any) – Status of cluster

  • cilium-status.cluster-mesh (any) – Status of ClusterMesh

  • cilium-status.cni-chaining (any) – Status of CNI chaining

  • cilium-status.cni-file.msg (string) – Human readable status/error/warning message

  • cilium-status.cni-file.state (string) – State the component is in

  • cilium-status.container-runtime.msg (string) – Human readable status/error/warning message

  • cilium-status.container-runtime.state (string) – State the component is in

  • cilium-status.controllers[].configuration.error-retry (boolean) – Retry on error

  • cilium-status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • cilium-status.controllers[].configuration.interval (string) – Regular synchronization interval

  • cilium-status.controllers[].name (string) – Name of controller

  • cilium-status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • cilium-status.controllers[].status.failure-count (integer) – Total number of failed runs

  • cilium-status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • cilium-status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • cilium-status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • cilium-status.controllers[].status.success-count (integer) – Total number of successful runs

  • cilium-status.controllers[].uuid (string) – UUID of controller

  • cilium-status.encryption (any) – Status of transparent encryption

  • cilium-status.host-firewall.devices[] (string) –

  • cilium-status.host-firewall.mode (string) –

  • cilium-status.host-routing.mode (string) – Datapath routing mode

  • cilium-status.hubble.metrics.state (string) – State of the Hubble metrics

  • cilium-status.hubble.msg (string) – Human readable status/error/warning message

  • cilium-status.hubble.observer.current-flows (integer) – Current number of flows this Hubble observer stores

  • cilium-status.hubble.observer.max-flows (integer) – Maximum number of flows this Hubble observer is able to store

  • cilium-status.hubble.observer.seen-flows (integer) – Total number of flows this Hubble observer has seen

  • cilium-status.hubble.observer.uptime (string) – Uptime of this Hubble observer instance

  • cilium-status.hubble.state (string) – State the component is in

  • cilium-status.identity-range (any) – Status of identity range of the cluster

  • cilium-status.ipam (any) – Status of IP address management

  • cilium-status.ipv4-big-tcp.enabled (boolean) – Is IPv4 BIG TCP enabled

  • cilium-status.ipv4-big-tcp.maxGRO (integer) – Maximum IPv4 GRO size

  • cilium-status.ipv4-big-tcp.maxGSO (integer) – Maximum IPv4 GSO size

  • cilium-status.ipv6-big-tcp.enabled (boolean) – Is IPv6 BIG TCP enabled

  • cilium-status.ipv6-big-tcp.maxGRO (integer) – Maximum IPv6 GRO size

  • cilium-status.ipv6-big-tcp.maxGSO (integer) – Maximum IPv6 GSO size

  • cilium-status.kube-proxy-replacement.deviceList[].ip[] (string) –

  • cilium-status.kube-proxy-replacement.deviceList[].name (string) –

  • cilium-status.kube-proxy-replacement.devices[] (string) –

  • cilium-status.kube-proxy-replacement.directRoutingDevice (string) –

  • cilium-status.kube-proxy-replacement.features.bpfSocketLBHostnsOnly (boolean) – flag bpf-lb-sock-hostns-only

  • cilium-status.kube-proxy-replacement.features.externalIPs.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.gracefulTermination.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.hostPort.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.hostReachableServices.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.hostReachableServices.protocols[] (string) –

  • cilium-status.kube-proxy-replacement.features.nat46X64.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.nat46X64.gateway.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.nat46X64.gateway.prefixes[] (string) –

  • cilium-status.kube-proxy-replacement.features.nat46X64.service.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.nodePort.acceleration (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.algorithm (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.dsrMode (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.nodePort.lutSize (integer) –

  • cilium-status.kube-proxy-replacement.features.nodePort.mode (string) –

  • cilium-status.kube-proxy-replacement.features.nodePort.portMax (integer) –

  • cilium-status.kube-proxy-replacement.features.nodePort.portMin (integer) –

  • cilium-status.kube-proxy-replacement.features.sessionAffinity.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.socketLB.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.features.socketLBTracing.enabled (boolean) –

  • cilium-status.kube-proxy-replacement.mode (string) –

  • cilium-status.kubernetes.k8s-api-versions[] (string) –

  • cilium-status.kubernetes.msg (string) – Human readable status/error/warning message

  • cilium-status.kubernetes.state (string) – State the component is in

  • cilium-status.kvstore.msg (string) – Human readable status/error/warning message

  • cilium-status.kvstore.state (string) – State the component is in

  • cilium-status.masquerading.enabled (boolean) –

  • cilium-status.masquerading.enabledProtocols.ipv4 (boolean) – Is masquerading enabled for IPv4 traffic

  • cilium-status.masquerading.enabledProtocols.ipv6 (boolean) – Is masquerading enabled for IPv6 traffic

  • cilium-status.masquerading.ip-masq-agent (boolean) – Is BPF ip-masq-agent enabled

  • cilium-status.masquerading.mode (string) –

  • cilium-status.masquerading.snat-exclusion-cidr (string) – This field is obsolete, please use snat-exclusion-cidr-v4 or snat-exclusion-cidr-v6.

  • cilium-status.masquerading.snat-exclusion-cidr-v4 (string) – SnatExclusionCIDRv4 exempts SNAT from being performed on any packet sent to an IPv4 address that belongs to this CIDR.

  • cilium-status.masquerading.snat-exclusion-cidr-v6 (string) – SnatExclusionCIDRv6 exempts SNAT from being performed on any packet sent to an IPv6 address that belongs to this CIDR. For IPv6 we only do masquerading in iptables mode.

  • cilium-status.nodeMonitor (any) – Status of the node monitor

  • cilium-status.proxy.envoy-deployment-mode (string) – Deployment mode of Envoy L7 proxy

  • cilium-status.proxy.ip (string) – IP address that the proxy listens on

  • cilium-status.proxy.port-range (string) – Port range used for proxying

  • cilium-status.proxy.redirects[].name (string) – Name of the proxy redirect

  • cilium-status.proxy.redirects[].proxy (string) – Name of the proxy this redirect points to

  • cilium-status.proxy.redirects[].proxy-port (integer) – Host port that this redirect points to

  • cilium-status.proxy.total-ports (integer) – Total number of listening proxy ports

  • cilium-status.proxy.total-redirects (integer) – Total number of ports configured to redirect to proxies

  • cilium-status.srv6.enabled (boolean) –

  • cilium-status.srv6.srv6EncapMode (string) –

  • cilium-status.stale (object) – List of stale information in the status

  • cilium-version (string) –

  • encryption.wireguard (any) – Status of the WireGuard agent

  • endpoint-list[].id (integer) – The cilium-agent-local ID of the endpoint

  • endpoint-list[].spec.label-configuration.user[] (string) –

  • endpoint-list[].spec.options (object) – Map of configuration key/value pairs.

  • endpoint-list[].status.controllers[].configuration.error-retry (boolean) – Retry on error

  • endpoint-list[].status.controllers[].configuration.error-retry-base (string) – Base error retry back-off time

  • endpoint-list[].status.controllers[].configuration.interval (string) – Regular synchronization interval

  • endpoint-list[].status.controllers[].name (string) – Name of controller

  • endpoint-list[].status.controllers[].status.consecutive-failure-count (integer) – Number of consecutive errors since last success

  • endpoint-list[].status.controllers[].status.failure-count (integer) – Total number of failed runs

  • endpoint-list[].status.controllers[].status.last-failure-msg (string) – Error message of last failed run

  • endpoint-list[].status.controllers[].status.last-failure-timestamp (string) – Timestamp of last error

  • endpoint-list[].status.controllers[].status.last-success-timestamp (string) – Timestamp of last success

  • endpoint-list[].status.controllers[].status.success-count (integer) – Total number of successful runs

  • endpoint-list[].status.controllers[].uuid (string) – UUID of controller

  • endpoint-list[].status.external-identifiers.cni-attachment-id (string) – ID assigned to this attachment by container runtime

  • endpoint-list[].status.external-identifiers.container-id (string) – ID assigned by container runtime (deprecated, may not be unique)

  • endpoint-list[].status.external-identifiers.container-name (string) – Name assigned to container (deprecated, may not be unique)

  • endpoint-list[].status.external-identifiers.docker-endpoint-id (string) – Docker endpoint ID

  • endpoint-list[].status.external-identifiers.docker-network-id (string) – Docker network ID

  • endpoint-list[].status.external-identifiers.k8s-namespace (string) – K8s namespace for this endpoint (deprecated, may not be unique)

  • endpoint-list[].status.external-identifiers.k8s-pod-name (string) – K8s pod name for this endpoint (deprecated, may not be unique)

  • endpoint-list[].status.external-identifiers.pod-name (string) – K8s pod for this endpoint (deprecated, may not be unique)

  • endpoint-list[].status.health.bpf (string) – A common set of statuses for endpoint health:
    • OK = All components operational

    • Bootstrap = This component is being created

    • Pending = A change is being processed to be applied

    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)

    • Failure = An error has occurred and no policy is being applied

    • Disabled = This endpoint is disabled and will not handle traffic

  • endpoint-list[].status.health.connected (boolean) – Is this endpoint reachable

  • endpoint-list[].status.health.overallHealth (string) – A common set of statuses for endpoint health:
    • OK = All components operational

    • Bootstrap = This component is being created

    • Pending = A change is being processed to be applied

    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)

    • Failure = An error has occurred and no policy is being applied

    • Disabled = This endpoint is disabled and will not handle traffic

  • endpoint-list[].status.health.policy (string) – A common set of statuses for endpoint health:
    • OK = All components operational

    • Bootstrap = This component is being created

    • Pending = A change is being processed to be applied

    • Warning = This component is not applying up-to-date policies (but is still applying the previous version)

    • Failure = An error has occurred and no policy is being applied

    • Disabled = This endpoint is disabled and will not handle traffic

  • endpoint-list[].status.identity.id (integer) – Unique identifier

  • endpoint-list[].status.identity.labelsSHA256 (string) – SHA256 of labels

  • endpoint-list[].status.identity.labels[] (string) –

  • endpoint-list[].status.labels.derived[] (string) –

  • endpoint-list[].status.labels.disabled[] (string) –

  • endpoint-list[].status.labels.realized.user[] (string) –

  • endpoint-list[].status.labels.security-relevant[] (string) –

  • endpoint-list[].status.log[].code (string) – Code indicating the type of status change

  • endpoint-list[].status.log[].message (string) – Status message

  • endpoint-list[].status.log[].state (string) – State of endpoint

  • endpoint-list[].status.log[].timestamp (string) – Timestamp when status change occurred

  • endpoint-list[].status.namedPorts[].name (string) – Optional layer 4 port name

  • endpoint-list[].status.namedPorts[].port (integer) – Layer 4 port number

  • endpoint-list[].status.namedPorts[].protocol (string) – Layer 4 protocol

  • endpoint-list[].status.networking.addressing[].ipv4 (string) – IPv4 address

  • endpoint-list[].status.networking.addressing[].ipv4-expiration-uuid (string) – UUID of IPv4 expiration timer

  • endpoint-list[].status.networking.addressing[].ipv4-pool-name (string) – IPAM pool from which this IPv4 address was allocated

  • endpoint-list[].status.networking.addressing[].ipv6 (string) – IPv6 address

  • endpoint-list[].status.networking.addressing[].ipv6-expiration-uuid (string) – UUID of IPv6 expiration timer

  • endpoint-list[].status.networking.addressing[].ipv6-pool-name (string) – IPAM pool from which this IPv6 address was allocated

  • endpoint-list[].status.networking.container-interface-name (string) – Name of network device in container netns

  • endpoint-list[].status.networking.host-addressing.ipv4.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • endpoint-list[].status.networking.host-addressing.ipv4.alloc-range (string) – Address pool to be used for local endpoints

  • endpoint-list[].status.networking.host-addressing.ipv4.enabled (boolean) – True if address family is enabled

  • endpoint-list[].status.networking.host-addressing.ipv4.ip (string) – IP address of node

  • endpoint-list[].status.networking.host-addressing.ipv6.address-type (string) – Node address type, one of HostName, ExternalIP or InternalIP

  • endpoint-list[].status.networking.host-addressing.ipv6.alloc-range (string) – Address pool to be used for local endpoints

  • endpoint-list[].status.networking.host-addressing.ipv6.enabled (boolean) – True if address family is enabled

  • endpoint-list[].status.networking.host-addressing.ipv6.ip (string) – IP address of node

  • endpoint-list[].status.networking.host-mac (string) – MAC address

  • endpoint-list[].status.networking.interface-index (integer) – Index of network device in host netns

  • endpoint-list[].status.networking.interface-name (string) – Name of network device in host netns

  • endpoint-list[].status.networking.mac (string) – MAC address

  • endpoint-list[].status.policy.proxy-policy-revision (integer) – The policy revision currently enforced in the proxy for this endpoint

  • endpoint-list[].status.policy.proxy-statistics[].allocated-proxy-port (integer) – The port the proxy is listening on

  • endpoint-list[].status.policy.proxy-statistics[].location (string) – Location of where the redirect is installed

  • endpoint-list[].status.policy.proxy-statistics[].port (integer) – The port subject to the redirect

  • endpoint-list[].status.policy.proxy-statistics[].protocol (string) – Name of the L7 protocol

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.denied (integer) – Number of messages denied

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.error (integer) – Number of errors while parsing messages

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.forwarded (integer) – Number of messages forwarded

  • endpoint-list[].status.policy.proxy-statistics[].statistics.requests.received (integer) – Number of messages received

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.denied (integer) – Number of messages denied

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.error (integer) – Number of errors while parsing messages

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.forwarded (integer) – Number of messages forwarded

  • endpoint-list[].status.policy.proxy-statistics[].statistics.responses.received (integer) – Number of messages received

  • endpoint-list[].status.policy.realized.allowed-egress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.allowed-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.build (integer) – Build number of calculated policy in use

  • endpoint-list[].status.policy.realized.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.realized.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.realized.denied-egress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.denied-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.realized.id (integer) – Own identity of endpoint

  • endpoint-list[].status.policy.realized.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.realized.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.realized.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • endpoint-list[].status.policy.realized.policy-revision (integer) – The agent-local policy revision

  • endpoint-list[].status.policy.spec.allowed-egress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.allowed-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.build (integer) – Build number of calculated policy in use

  • endpoint-list[].status.policy.spec.cidr-policy.egress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.spec.cidr-policy.ingress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.spec.denied-egress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.denied-ingress-identities[] (integer) –

  • endpoint-list[].status.policy.spec.id (integer) – Own identity of endpoint

  • endpoint-list[].status.policy.spec.l4.egress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.spec.l4.ingress[] (any) – A policy rule including the rule labels it derives from

  • endpoint-list[].status.policy.spec.policy-enabled (string) – Whether policy enforcement is enabled (ingress, egress, both or none)

  • endpoint-list[].status.policy.spec.policy-revision (integer) – The agent-local policy revision

  • endpoint-list[].status.realized.label-configuration.user[] (string) –

  • endpoint-list[].status.realized.options (object) – Map of configuration key/value pairs.

  • endpoint-list[].status.state (string) – State of endpoint (required)

  • environment-variables[] (string) –

  • kernel-version (string) –

  • policy.policy (string) – Policy definition as JSON.

  • policy.revision (integer) – Revision number of the policy. Incremented each time the policy is changed in the agent’s repository

  • service-list[].spec.backend-addresses[].ip (string) – Layer 3 address (required)

  • service-list[].spec.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • service-list[].spec.backend-addresses[].port (integer) – Layer 4 port number

  • service-list[].spec.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • service-list[].spec.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • service-list[].spec.backend-addresses[].weight (integer) – Backend weight

  • service-list[].spec.flags.cluster (string) – Service cluster

  • service-list[].spec.flags.extTrafficPolicy (string) – Service external traffic policy

  • service-list[].spec.flags.healthCheckNodePort (integer) – Service health check node port

  • service-list[].spec.flags.intTrafficPolicy (string) – Service internal traffic policy

  • service-list[].spec.flags.name (string) – Service name (e.g. Kubernetes service name)

  • service-list[].spec.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • service-list[].spec.flags.natPolicy (string) – Service protocol NAT policy

  • service-list[].spec.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • service-list[].spec.flags.type (string) – Service type

  • service-list[].spec.frontend-address.ip (string) – Layer 3 address

  • service-list[].spec.frontend-address.port (integer) – Layer 4 port number

  • service-list[].spec.frontend-address.protocol (string) – Layer 4 protocol

  • service-list[].spec.frontend-address.scope (string) – Load balancing scope for frontend address

  • service-list[].spec.id (integer) – Unique identification

  • service-list[].spec.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • service-list[].status.realized.backend-addresses[].ip (string) – Layer 3 address (required)

  • service-list[].status.realized.backend-addresses[].nodeName (string) – Optional name of the node on which this backend runs

  • service-list[].status.realized.backend-addresses[].port (integer) – Layer 4 port number

  • service-list[].status.realized.backend-addresses[].preferred (boolean) – Indicator if this backend is preferred in the context of clustermesh service affinity. The value is set based on related annotation of global service. Applicable for active state only.

  • service-list[].status.realized.backend-addresses[].state (string) – State of the backend for load-balancing service traffic

  • service-list[].status.realized.backend-addresses[].weight (integer) – Backend weight

  • service-list[].status.realized.flags.cluster (string) – Service cluster

  • service-list[].status.realized.flags.extTrafficPolicy (string) – Service external traffic policy

  • service-list[].status.realized.flags.healthCheckNodePort (integer) – Service health check node port

  • service-list[].status.realized.flags.intTrafficPolicy (string) – Service internal traffic policy

  • service-list[].status.realized.flags.name (string) – Service name (e.g. Kubernetes service name)

  • service-list[].status.realized.flags.namespace (string) – Service namespace (e.g. Kubernetes namespace)

  • service-list[].status.realized.flags.natPolicy (string) – Service protocol NAT policy

  • service-list[].status.realized.flags.trafficPolicy (string) – Service external traffic policy (deprecated in favor of extTrafficPolicy)

  • service-list[].status.realized.flags.type (string) – Service type

  • service-list[].status.realized.frontend-address.ip (string) – Layer 3 address

  • service-list[].status.realized.frontend-address.port (integer) – Layer 4 port number

  • service-list[].status.realized.frontend-address.protocol (string) – Layer 4 protocol

  • service-list[].status.realized.frontend-address.scope (string) – Load balancing scope for frontend address

  • service-list[].status.realized.id (integer) – Unique identification

  • service-list[].status.realized.updateServices (boolean) – Update all services selecting the backends with their given states (id and frontend are ignored)

  • subsystem (object) –
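
The health statuses and the realized/spec policy fields listed above show whether an endpoint is actually enforcing current policy. The Go program below is an added example, not part of the Cilium code base: it decodes a constructed response containing endpoint-list[] and reports endpoints whose policy is stale, absent or lagging. The type names, `auditEndpoints`, the note texts and the reading of a lower realized revision as lag are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policyState and endpoint decode only the endpoint-list[] fields used here.
type policyState struct {
	Enabled  string `json:"policy-enabled"`
	Revision int64  `json:"policy-revision"`
}

type endpoint struct {
	ID     int64 `json:"id"`
	Status struct {
		Health struct {
			Policy string `json:"policy"`
		} `json:"health"`
		Policy struct {
			Realized policyState `json:"realized"`
			Spec     policyState `json:"spec"`
		} `json:"policy"`
	} `json:"status"`
}

// sample is constructed for this example, not captured from a real agent.
const sample = `{"endpoint-list": [
 {"id": 101, "status": {"health": {"policy": "OK"}, "policy": {
  "realized": {"policy-enabled": "both", "policy-revision": 7}, "spec": {"policy-revision": 7}}}},
 {"id": 102, "status": {"health": {"policy": "Warning"}, "policy": {
  "realized": {"policy-enabled": "both", "policy-revision": 5}, "spec": {"policy-revision": 7}}}},
 {"id": 103, "status": {"health": {"policy": "Failure"}, "policy": {
  "realized": {"policy-enabled": "none", "policy-revision": 7}, "spec": {"policy-revision": 7}}}},
 {"id": 104, "status": {"health": {}, "policy": {}}}
]}`

// healthNotes covers the statuses that need attention; OK, Bootstrap and Pending are not reported.
var healthNotes = map[string]string{
	"Warning":  "applying a previous policy version",
	"Failure":  "no policy is being applied",
	"Disabled": "endpoint disabled, not handling traffic",
	"":         "policy health missing from response",
}

// auditEndpoints returns findings per endpoint ID; endpoints with nothing to report are omitted.
func auditEndpoints(raw []byte) (map[int64][]string, error) {
	var resp struct {
		Endpoints []endpoint `json:"endpoint-list"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode endpoint-list: %w", err)
	}
	out := map[int64][]string{}
	for _, ep := range resp.Endpoints {
		p := ep.Status.Policy
		if note, ok := healthNotes[ep.Status.Health.Policy]; ok {
			out[ep.ID] = append(out[ep.ID], note)
		}
		if p.Realized.Enabled == "none" || p.Realized.Enabled == "" {
			out[ep.ID] = append(out[ep.ID], "policy enforcement not enabled")
		}
		// Assumption of this example: a realized revision below spec means lag.
		if p.Realized.Revision < p.Spec.Revision {
			out[ep.ID] = append(out[ep.ID], fmt.Sprintf("realized revision %d behind spec %d", p.Realized.Revision, p.Spec.Revision))
		}
	}
	return out, nil
}

func main() {
	findings, err := auditEndpoints([]byte(sample))
	fmt.Println(findings, err)
}
```
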

GET /cgroup-dump-metadata

Retrieve cgroup metadata for all pods

Status Codes:
Response JSON Object:
  • pod-metadatas[].containers[].cgroup-id (integer) –

  • pod-metadatas[].containers[].cgroup-path (string) –

  • pod-metadatas[].ips[] (string) –

  • pod-metadatas[].name (string) –

  • pod-metadatas[].namespace (string) –

GET /map

List all open maps

Status Codes:
Response JSON Object:
  • maps[].cache[].desired-action (string) – Desired action to be performed

  • maps[].cache[].key (string) – Key of map entry

  • maps[].cache[].last-error (string) – Last error seen while performing desired action

  • maps[].cache[].value (string) – Value of map entry

  • maps[].path (string) – Path to BPF map

GET /map/{name}

Retrieve contents of BPF map

Parameters:
  • name (string) – Name of map

Status Codes:
Response JSON Object:
  • cache[].desired-action (string) – Desired action to be performed

  • cache[].key (string) – Key of map entry

  • cache[].last-error (string) – Last error seen while performing desired action

  • cache[].value (string) – Value of map entry

  • path (string) – Path to BPF map

GET /map/{name}/events

Retrieves the recent event logs associated with this map.

Parameters:
  • name (string) – Name of map

Query Parameters:
  • follow (boolean) – Whether to follow streamed requests

Status Codes:

GET /metrics/

Retrieve cilium metrics

Status Codes:
Response JSON Object:
  • [].labels (object) – Labels of the metric

  • [].name (string) – Name of the metric

  • [].value (number) – Value of the metric

GET /fqdn/cache

Retrieves the list of DNS lookups intercepted from all endpoints.

Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by DNS name, CIDR IP range or source.

Query Parameters:
  • matchpattern (string) – A toFQDNs compatible matchPattern expression

  • cidr (string) – A CIDR range of IPs

  • source (string) – Source from which FQDN entries come

Status Codes:
Response JSON Object:
  • [].endpoint-id (integer) – The endpoint that made this lookup, or 0 for the agent itself.

  • [].expiration-time (string) – The absolute time when this data will expire in this cache

  • [].fqdn (string) – DNS name

  • [].ips[] (string) –

  • [].lookup-time (string) – The absolute time when this data was received

  • [].source (string) – The reason this FQDN IP association exists. Either a DNS lookup or an ongoing connection to an IP that was created by a DNS lookup.

  • [].ttl (integer) – The TTL in the DNS response

DELETE /fqdn/cache

Deletes matching DNS lookups from the policy-generation cache.

Deletes matching DNS lookups from the cache, optionally restricted by DNS name. The removed IP data will no longer be used in generated policies.

Query Parameters:
  • matchpattern (string) – A toFQDNs compatible matchPattern expression

Status Codes:

GET /fqdn/cache/{id}

Retrieves the list of DNS lookups intercepted from an endpoint.

Retrieves the list of DNS lookups intercepted from the specific endpoint, optionally filtered by endpoint id, DNS name, CIDR IP range or source.

Parameters:
  • id (string) –

    String describing an endpoint with the format [prefix:]id. If no prefix is specified, a prefix of cilium-local: is assumed. Not all endpoints are addressable by every endpoint ID prefix; the exception is the local Cilium UUID, which is assigned to all endpoints.

    Supported endpoint id prefixes:
    • cilium-local: Local Cilium endpoint UUID, e.g. cilium-local:3389595

    • cilium-global: Global Cilium endpoint UUID, e.g. cilium-global:cluster1:nodeX:452343

    • cni-attachment-id: CNI attachment ID, e.g. cni-attachment-id:22222:eth0

    • container-id: Container runtime ID, e.g. container-id:22222 (deprecated, may not be unique)

    • container-name: Container name, e.g. container-name:foobar (deprecated, may not be unique)

    • pod-name: pod name for this container if K8s is enabled, e.g. pod-name:default:foobar (deprecated, may not be unique)

    • cep-name: cep name for this container if K8s is enabled, e.g. pod-name:default:foobar-net1

    • docker-endpoint: Docker libnetwork endpoint ID, e.g. docker-endpoint:4444

Query Parameters:
  • matchpattern (string) – A toFQDNs compatible matchPattern expression

  • cidr (string) – A CIDR range of IPs

  • source (string) – Source from which FQDN entries come

Status Codes:
Response JSON Object:
  • [].endpoint-id (integer) – The endpoint that made this lookup, or 0 for the agent itself.

  • [].expiration-time (string) – The absolute time when this data will expire in this cache

  • [].fqdn (string) – DNS name

  • [].ips[] (string) –

  • [].lookup-time (string) – The absolute time when this data was received

  • [].source (string) – The reason this FQDN IP association exists. Either a DNS lookup or an ongoing connection to an IP that was created by a DNS lookup.

  • [].ttl (integer) – The TTL in the DNS response
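
The [prefix:]id format described for the id parameter above can be checked on the client before a request is sent. The parser below is an added example, not Cilium's own implementation: it applies the cilium-local default, accepts only the prefixes listed above, and marks those the reference calls "deprecated, may not be unique". `EndpointRef`, `ParseEndpointID`, `knownPrefixes` and `ErrEndpointID` are names made up for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EndpointRef is a parsed [prefix:]id endpoint identifier.
type EndpointRef struct {
	Prefix     string
	ID         string
	Deprecated bool // prefix is marked "deprecated, may not be unique" above
}

// knownPrefixes holds the supported prefixes listed above; the value is true
// for the ones the reference marks as deprecated.
var knownPrefixes = map[string]bool{
	"cilium-local":      false,
	"cilium-global":     false,
	"cni-attachment-id": false,
	"container-id":      true,
	"container-name":    true,
	"pod-name":          true,
	"cep-name":          false,
	"docker-endpoint":   false,
}

// ErrEndpointID is returned for identifiers that do not fit the format.
var ErrEndpointID = errors.New("invalid endpoint id")

// ParseEndpointID validates s against the [prefix:]id format.
func ParseEndpointID(s string) (EndpointRef, error) {
	prefix, id := "cilium-local", s // no prefix given: cilium-local is assumed
	if i := strings.IndexByte(s, ':'); i >= 0 {
		// Split on the first colon only; the id part may contain more colons,
		// as in cilium-global:cluster1:nodeX:452343.
		prefix, id = s[:i], s[i+1:]
	}
	deprecated, known := knownPrefixes[prefix]
	switch {
	case !known:
		return EndpointRef{}, fmt.Errorf("%w: unknown prefix %q", ErrEndpointID, prefix)
	case id == "":
		return EndpointRef{}, fmt.Errorf("%w: empty id", ErrEndpointID)
	}
	return EndpointRef{Prefix: prefix, ID: id, Deprecated: deprecated}, nil
}

func main() {
	// Inputs taken from the examples in the prefix list, plus one invalid value.
	for _, s := range []string{"3389595", "cilium-global:cluster1:nodeX:452343", "pod-name:default:foobar", "bogus:1"} {
		ref, err := ParseEndpointID(s)
		fmt.Printf("%q -> %+v err=%v\n", s, ref, err)
	}
}
```

A caller that gets `Deprecated: true` back can refuse the identifier or resolve it to a cilium-local ID first, since a non-unique identifier may select a different endpoint than the one intended.
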

GET /fqdn/names

List internal DNS selector representations

Retrieves the list of DNS-related fields (names to poll, selectors and their corresponding regexes).

Status Codes:
Response JSON Object:
  • DNSPollNames[] (string) –

  • FQDNPolicySelectors[].regexString (string) – String representation of regular expression form of FQDNSelector

  • FQDNPolicySelectors[].selectorString (string) – FQDNSelector in string representation

GET /ip

Lists information about known IP addresses

Retrieves a list of IPs with known associated information such as their identities, host addresses, Kubernetes pod names, etc. The list can optionally be filtered by a CIDR IP range.

Query Parameters:
  • cidr (string) – A CIDR range of IPs

Status Codes:
Response JSON Object:
  • [].cidr (string) – Key of the entry in the form of a CIDR range (required)

  • [].encryptKey (integer) – The context ID for the encryption session

  • [].hostIP (string) – IP address of the host

  • [].identity (integer) – Numerical identity assigned to the IP (required)

  • [].metadata.name (string) – Name assigned to the IP (e.g. Kubernetes pod name)

  • [].metadata.namespace (string) – Namespace of the IP (e.g. Kubernetes namespace)

  • [].metadata.source (string) – Source of the IP entry and its metadata

GET /node/ids

List information about known node IDs

Retrieves a list of node IDs allocated by the agent and their associated node IP addresses.

Status Codes:
Response JSON Object:
  • [].id (integer) – ID allocated by the agent for the node (required)

  • [].ips[] (string) –

GET /bgp/peers

Lists operational state of BGP peers

Retrieves the current operational state of BGP peers created by the Cilium BGP virtual router. This includes session state, uptime, information per address family, etc.

Status Codes:
Response JSON Object:
  • [] (any) – State of a BGP Peer

GET /bgp/routes

Lists BGP routes from BGP Control Plane RIB.

Retrieves routes from the BGP Control Plane RIB, filtered by the parameters you specify.

Query Parameters:
  • table_type (string) – BGP Routing Information Base (RIB) table type

  • afi (string) – Address Family Indicator (AFI) of a BGP route

  • safi (string) – Subsequent Address Family Indicator (SAFI) of a BGP route

  • router_asn (integer) – Autonomous System Number (ASN) identifying a BGP virtual router instance. If not specified, all virtual router instances are selected.

  • neighbor (string) – IP address specifying a BGP neighbor. Has to be specified only when table type is adj-rib-in or adj-rib-out.

Status Codes:
Response JSON Object:
  • [] (any) – Single BGP route retrieved from the RIB of underlying router

GET /bgp/route-policies

Lists BGP route policies configured in BGP Control Plane.

Retrieves route policies from BGP Control Plane.

Query Parameters:
  • router_asn (integer) – Autonomous System Number (ASN) identifying a BGP virtual router instance. If not specified, all virtual router instances are selected.

Status Codes:
Response JSON Object:
  • [] (any) – Single BGP route policy retrieved from the underlying router