cilium-agent hive dot-graph

Output the dependency graph in Graphviz DOT format

cilium-agent hive dot-graph [flags]

Options

  -h, --help   help for dot-graph

Options inherited from parent commands

      --agent-liveness-update-interval duration                   Interval at which the agent updates liveness time for the datapath (default 1s)
      --api-rate-limit string                                     API rate limiting configuration (example: --api-rate-limit endpoint-create=rate-limit:10/m,rate-burst:2)
      --bpf-node-map-max uint32                                   Sets size of node bpf map which will be the max number of unique Node IPs in the cluster (default 16384)
      --certificates-directory string                             Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs")
      --cluster-id uint32                                         Unique identifier of the cluster
      --cluster-name string                                       Name of the cluster. It must consist of at most 32 lower case alphanumeric characters and '-', start and end with an alphanumeric character. (default "default")
      --clustermesh-config string                                 Path to the ClusterMesh configuration directory
      --clustermesh-sync-timeout duration                         Timeout waiting for the initial synchronization of information from remote clusters (default 1m0s)
      --cni-chaining-mode string                                  Enable CNI chaining with the specified plugin (default "none")
      --cni-chaining-target string                                CNI network name into which to insert the Cilium chained configuration. Use '*' to select any network.
      --cni-exclusive                                             Whether to remove other CNI configurations
      --cni-external-routing                                      Whether the chained CNI plugin handles routing on the node
      --cni-log-file string                                       Path where the CNI plugin should write logs (default "/var/run/cilium/cilium-cni.log")
      --controller-group-metrics strings                          List of controller group names for which to enable metrics. Accepts 'all' and 'none'. The set of controller group names available is not guaranteed to be stable between Cilium versions.
      --devices strings                                           List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'
      --direct-routing-device string                              Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)
      --disable-envoy-version-check                               Do not perform Envoy version check
      --disable-iptables-feeder-rules strings                     Chains to ignore when installing feeder rules.
      --dynamic-lifecycle-config string                           List of dynamic lifecycle features and their configuration including the dependencies (default "[]")
      --egress-gateway-policy-map-max int                         Maximum number of entries in egress gateway policy map (default 16384)
      --egress-gateway-reconciliation-trigger-interval duration   Time between triggers of egress gateway state reconciliations (default 1s)
      --enable-active-connection-tracking                         Count open and active connections to services, grouped by zones defined in fixed-zone-mapping.
      --enable-bandwidth-manager                                  Enable BPF bandwidth manager
      --enable-bbr                                                Enable BBR for the bandwidth manager
      --enable-cilium-api-server-access strings                   List of cilium API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-cilium-health-api-server-access strings            List of cilium health API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-drift-checker                                      Enables support for config drift checker
      --enable-dynamic-config                                     Enables support for dynamic agent config
      --enable-dynamic-lifecycle-manager                          Enables support for dynamic lifecycle management
      --enable-gateway-api                                        Enables Envoy secret sync for Gateway API related TLS secrets
      --enable-hubble                                             Enable hubble server (default true)
      --enable-hubble-open-metrics                                Enable exporting hubble metrics in OpenMetrics format
      --enable-hubble-recorder-api                                Enable the Hubble recorder API (default true)
      --enable-ingress-controller                                 Enables Envoy secret sync for Ingress controller related TLS secrets
      --enable-ipv4-big-tcp                                       Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
      --enable-ipv6-big-tcp                                       Enable IPv6 BIG TCP option which increases device's maximum GRO/GSO limits for IPv6
      --enable-k8s                                                Enable the k8s clientset (default true)
      --enable-k8s-api-discovery                                  Enable discovery of Kubernetes API groups and resources with the discovery API
      --enable-k8s-endpoint-slice                                 Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
      --enable-l2-pod-announcements                               Enable announcing Pod IPs with Gratuitous ARP
      --enable-monitor                                            Enable the monitor unix domain socket server (default true)
      --enable-route-mtu-for-cni-chaining                         Enable route MTU for pod netns when CNI chaining is used
      --enable-service-topology                                   Enable support for service topology aware hints
      --endpoint-bpf-prog-watchdog-interval duration              Interval to trigger endpoint BPF programs load check watchdog (default 30s)
      --envoy-base-id uint                                        Envoy base ID
      --envoy-config-retry-interval duration                      Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated. (default 15s)
      --envoy-config-timeout duration                             Timeout that determines how long to wait for Envoy to N/ACK CiliumEnvoyConfig resources (default 2m0s)
      --envoy-default-log-level string                            Default log level of Envoy application log that is configured if Cilium debug / verbose logging isn't enabled. If not defined, the default log level of the Cilium Agent is used.
      --envoy-keep-cap-netbindservice                             Keep capability NET_BIND_SERVICE for Envoy process
      --envoy-log string                                          Path to a separate Envoy log file, if any
      --envoy-secrets-namespace string                            EnvoySecretsNamespace is the namespace having secrets used by CEC
      --force-device-detection                                    Forces the auto-detection of devices, even if specific devices are explicitly listed
      --gateway-api-secrets-namespace string                      GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC, originating from Gateway API
      --gops-port uint16                                          Port for gops server to listen on (default 9890)
      --http-idle-timeout uint                                    Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)
      --http-max-grpc-timeout uint                                Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)
      --http-normalize-path                                       Use Envoy HTTP path normalization options, which currently includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and redirecting for paths that contain escaped slashes. These are necessary to keep path based access control functional, and should not interfere with normal operation. Set this to false only with caution. (default true)
      --http-request-timeout uint                                 Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)
      --http-retry-count uint                                     Number of retries performed after a forwarded request attempt fails (default 3)
      --http-retry-timeout uint                                   Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)
      --hubble-disable-tls                                        Allow Hubble server to run on the given listen address without TLS.
      --hubble-drop-events                                        Emit packet drop Events related to pods (alpha)
      --hubble-drop-events-interval duration                      Minimum time between emitting same events (default 2m0s)
      --hubble-drop-events-reasons strings                        Drop reasons to emit events for (default [auth_required,policy_denied])
      --hubble-event-buffer-capacity int                          Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535 (i.e. 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
      --hubble-event-queue-size int                               Buffer size of the channel to receive monitor events.
      --hubble-export-allowlist strings                           Specify allowlist as JSON encoded FlowFilters to Hubble exporter.
      --hubble-export-denylist strings                            Specify denylist as JSON encoded FlowFilters to Hubble exporter.
      --hubble-export-fieldmask strings                           Specify list of fields to use for field mask in Hubble exporter.
      --hubble-export-file-compress                               Compress rotated Hubble export files.
      --hubble-export-file-max-backups int                        Number of rotated Hubble export files to keep. (default 5)
      --hubble-export-file-max-size-mb int                        Size in MB at which to rotate Hubble export file. (default 10)
      --hubble-export-file-path stdout                            Filepath to write Hubble events to. By specifying stdout the flows are logged instead of written to a rotated file.
      --hubble-flowlogs-config-path string                        Filepath with configuration of hubble flowlogs
      --hubble-listen-address string                              An additional address for Hubble server to listen to, e.g. ":4244"
      --hubble-metrics strings                                    List of Hubble metrics to enable.
      --hubble-metrics-server string                              Address to serve Hubble metrics on.
      --hubble-metrics-server-enable-tls                          Run the Hubble metrics server on the given listen address with TLS.
      --hubble-metrics-server-tls-cert-file string                Path to the public key file for the Hubble metrics server. The file must contain PEM encoded data.
      --hubble-metrics-server-tls-client-ca-files strings         Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.
      --hubble-metrics-server-tls-key-file string                 Path to the private key file for the Hubble metrics server. The file must contain PEM encoded data.
      --hubble-monitor-events strings                             Cilium monitor events for Hubble to observe: [drop debug capture trace policy-verdict recorder trace-sock l7 agent]. By default, Hubble observes all monitor events.
      --hubble-prefer-ipv6                                        Prefer IPv6 addresses for announcing nodes when both address types are available.
      --hubble-recorder-sink-queue-size int                       Queue size of each Hubble recorder sink (default 1024)
      --hubble-recorder-storage-path string                       Directory in which pcap files created via the Hubble Recorder API are stored (default "/var/run/cilium/pcaps")
      --hubble-redact-enabled                                     Hubble redact sensitive information from flows
      --hubble-redact-http-headers-allow strings                  HTTP headers to keep visible in flows
      --hubble-redact-http-headers-deny strings                   HTTP headers to redact from flows
      --hubble-redact-http-urlquery                               Hubble redact http URL query from flows
      --hubble-redact-http-userinfo                               Hubble redact http user info from flows (default true)
      --hubble-redact-kafka-apikey                                Hubble redact Kafka API key from flows
      --hubble-skip-unknown-cgroup-ids                            Skip Hubble events with unknown cgroup ids (default true)
      --hubble-socket-path string                                 Set hubble's socket path to listen for connections (default "/var/run/cilium/hubble.sock")
      --hubble-tls-cert-file string                               Path to the public key file for the Hubble server. The file must contain PEM encoded data.
      --hubble-tls-client-ca-files strings                        Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.
      --hubble-tls-key-file string                                Path to the private key file for the Hubble server. The file must contain PEM encoded data.
      --ignore-flags-drift-checker strings                        Ignores specified flags during drift checking
      --ingress-secrets-namespace string                          IngressSecretsNamespace is the namespace having tls secrets used by CEC, originating from Ingress controller
      --iptables-lock-timeout duration                            Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
      --iptables-random-fully                                     Set iptables flag random-fully on masquerading rules
      --k8s-api-server string                                     Kubernetes API server URL
      --k8s-client-burst int                                      Burst value allowed for the K8s client (default 20)
      --k8s-client-connection-keep-alive duration                 Configures the keep alive duration of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-connection-timeout duration                    Configures the timeout of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-qps float32                                    Queries per second limit for the K8s client (default 10)
      --k8s-heartbeat-timeout duration                            Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string                                Absolute path of the kubernetes kubeconfig file
      --k8s-service-proxy-name string                             Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)
      --l2-pod-announcements-interface string                     Interface used for sending gratuitous arp messages
      --max-connected-clusters uint32                             Maximum number of clusters to be connected in a clustermesh. Increasing this value will reduce the maximum number of identities available. Valid configurations are [255, 511]. (default 255)
      --mesh-auth-enabled                                         Enable authentication processing & garbage collection (beta) (default true)
      --mesh-auth-gc-interval duration                            Interval in which auth entries are attempted to be garbage collected (default 5m0s)
      --mesh-auth-mutual-connect-timeout duration                 Timeout for connecting to the remote node TCP socket (default 5s)
      --mesh-auth-mutual-listener-port int                        Port on which the Cilium Agent will perform mutual authentication handshakes between other Agents
      --mesh-auth-queue-size int                                  Queue size for the auth manager (default 1024)
      --mesh-auth-rotated-identities-queue-size int               The size of the queue for signaling rotated identities. (default 1024)
      --mesh-auth-spiffe-trust-domain string                      The trust domain for the SPIFFE identity. (default "spiffe.cilium")
      --mesh-auth-spire-admin-socket string                       The path for the SPIRE admin agent Unix socket.
      --metrics strings                                           Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo, -metric_bar to disable metric_bar)
      --monitor-queue-size int                                    Size of the event queue when reading monitor events
      --multicast-enabled                                         Enables multicast in Cilium
      --nat-map-stats-entries int                                 Number of top-k stats entries to store locally in statedb (default 32)
      --nat-map-stats-interval duration                           Interval upon which nat maps are iterated for stats (default 30s)
      --nodeport-addresses strings                                A whitelist of CIDRs to limit which IPs are used for NodePort. If not set, primary IPv4 and/or IPv6 address of each native device is used.
      --pprof                                                     Enable serving pprof debugging API
      --pprof-address string                                      Address that pprof listens on (default "localhost")
      --pprof-port uint16                                         Port that pprof listens on (default 6060)
      --prepend-iptables-chains                                   Prepend custom iptables chains instead of appending (default true)
      --procfs string                                             Path to the host's proc filesystem mount (default "/proc")
      --prometheus-serve-addr string                              IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
      --proxy-admin-port int                                      Port to serve Envoy admin interface on.
      --proxy-connect-timeout uint                                Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 2)
      --proxy-gid uint                                            Group ID for proxy control plane sockets. (default 1337)
      --proxy-idle-timeout-seconds int                            Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s (default 60)
      --proxy-max-connection-duration-seconds int                 Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
      --proxy-max-requests-per-connection int                     Set Envoy HTTP option max_requests_per_connection. Default 0 (disable)
      --proxy-portrange-max uint16                                End of port range that is used to allocate ports for L7 proxies. (default 20000)
      --proxy-portrange-min uint16                                Start of port range that is used to allocate ports for L7 proxies. (default 10000)
      --proxy-prometheus-port int                                 Port to serve Envoy metrics on. Default 0 (disabled).
      --proxy-xff-num-trusted-hops-egress uint32                  Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
      --proxy-xff-num-trusted-hops-ingress uint32                 Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
      --read-cni-conf string                                      CNI configuration file to use as a source for --write-cni-conf-when-ready. If not supplied, a suitable one will be generated.
      --static-cnp-path string                                    Directory path to watch and load static cilium network policy yaml files.
      --tunnel-port uint16                                        Tunnel port (default 8472 for "vxlan" and 6081 for "geneve")
      --tunnel-protocol string                                    Encapsulation protocol to use for the overlay ("vxlan" or "geneve") (default "vxlan")
      --use-full-tls-context                                      If enabled, persist ca.crt keys into the Envoy config even in a terminatingTLS block on an L7 Cilium Policy. This is to enable compatibility with previously buggy behaviour. This flag is deprecated and will be removed in a future release.
      --write-cni-conf-when-ready string                          Write the CNI configuration to the specified path when agent is ready

SEE ALSO