cilium-operator-generic

Run cilium-operator-generic

cilium-operator-generic [flags]

Options

      --auto-create-cilium-pod-ip-pools map                     Automatically create CiliumPodIPPool resources on startup. Specify pools in the form of <pool>=ipv4-cidrs:<cidr>,[<cidr>...];ipv4-mask-size:<size> (multiple pools can also be passed by repeating the CLI flag)
      --bgp-announce-lb-ip                                      Announces service IPs of type LoadBalancer via BGP
      --bgp-config-path string                                  Path to file containing the BGP configuration (default "/var/lib/cilium/bgp/config.yaml")
      --bgp-v2-api-enabled                                      Enables BGPv2 APIs in Cilium
      --ces-dynamic-rate-limit-nodes strings                    List of nodes used for the dynamic rate limit steps
      --ces-dynamic-rate-limit-qps-burst strings                List of qps burst used for the dynamic rate limit steps
      --ces-dynamic-rate-limit-qps-limit strings                List of qps limits used for the dynamic rate limit steps
      --ces-enable-dynamic-rate-limit                           Flag to enable dynamic rate limit specified in separate fields instead of the static one
      --ces-max-ciliumendpoints-per-ces int                     Maximum number of CiliumEndpoints allowed in a CES (default 100)
      --ces-slice-mode string                                   Slicing mode define how ceps are grouped into a CES (default "cesSliceModeIdentity")
      --ces-write-qps-burst int                                 CES work queue burst rate. Ignored when ces-enable-dynamic-rate-limit is set (default 20)
      --ces-write-qps-limit float                               CES work queue rate limit. Ignored when ces-enable-dynamic-rate-limit is set (default 10)
      --cilium-endpoint-gc-interval duration                    GC interval for cilium endpoints (default 5m0s)
      --cilium-pod-labels string                                Cilium Pod's labels. Used to detect if a Cilium pod is running to remove the node taints where its running and set NetworkUnavailable to false (default "k8s-app=cilium")
      --cilium-pod-namespace string                             Name of the Kubernetes namespace in which Cilium is deployed in. Defaults to the same namespace defined in k8s-namespace
      --cluster-id uint32                                       Unique identifier of the cluster
      --cluster-name string                                     Name of the cluster (default "default")
      --cluster-pool-ipv4-cidr strings                          IPv4 CIDR Range for Pods in cluster. Requires 'ipam=cluster-pool' and 'enable-ipv4=true'
      --cluster-pool-ipv4-mask-size int                         Mask size for each IPv4 podCIDR per node. Requires 'ipam=cluster-pool' and 'enable-ipv4=true' (default 24)
      --cluster-pool-ipv6-cidr strings                          IPv6 CIDR Range for Pods in cluster. Requires 'ipam=cluster-pool' and 'enable-ipv6=true'
      --cluster-pool-ipv6-mask-size int                         Mask size for each IPv6 podCIDR per node. Requires 'ipam=cluster-pool' and 'enable-ipv6=true' (default 112)
      --cnp-status-cleanup-burst int                            Maximum burst of requests to clean up status nodes updates in CNPs (default 20)
      --cnp-status-cleanup-qps float                            Rate used for limiting the clean up of the status nodes updates in CNP, expressed as qps (default 10)
      --config string                                           Configuration file (default "$HOME/ciliumd.yaml")
      --config-dir string                                       Configuration directory that contains a file for each option
      --controller-group-metrics strings                        List of controller group names for which to to enable metrics. Accepts 'all' and 'none'. The set of controller group names available is not guaranteed to be stable between Cilium versions.
  -D, --debug                                                   Enable debugging mode
      --enable-cilium-endpoint-slice                            If set to true, the CiliumEndpointSlice feature is enabled. If any CiliumEndpoints resources are created, updated, or deleted in the cluster, all those changes are broadcast as CiliumEndpointSlice updates to all of the Cilium agents.
      --enable-cilium-operator-server-access strings            List of cilium operator APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-gateway-api-proxy-protocol                       Enable proxy protocol for all GatewayAPI listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
      --enable-gateway-api-secrets-sync                         Enables fan-in TLS secrets sync from multiple namespaces to singular namespace (specified by gateway-api-secrets-namespace flag) (default true)
      --enable-ingress-controller                               Enables cilium ingress controller. This must be enabled along with enable-envoy-config in cilium agent.
      --enable-ingress-proxy-protocol                           Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
      --enable-ingress-secrets-sync                             Enables fan-in TLS secrets from multiple namespaces to singular namespace (specified by ingress-secrets-namespace flag) (default true)
      --enable-ipv4                                             Enable IPv4 support (default true)
      --enable-ipv6                                             Enable IPv6 support (default true)
      --enable-k8s                                              Enable the k8s clientset (default true)
      --enable-k8s-api-discovery                                Enable discovery of Kubernetes API groups and resources with the discovery API
      --enable-k8s-endpoint-slice                               Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
      --enable-metrics                                          Enable Prometheus metrics
      --enable-node-ipam                                        Enable Node IPAM
      --enable-node-port                                        Enable NodePort type services by Cilium
      --enforce-ingress-https                                   Enforces https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. (default true)
      --gateway-api-hostnetwork-enabled                         Exposes Gateway listeners on the host network.
      --gateway-api-hostnetwork-nodelabelselector string        Label selector that matches the nodes where the gateway listeners should be exposed. It's a list of comma-separated key-value label pairs. e.g. 'kubernetes.io/os=linux,kubernetes.io/hostname=kind-worker'
      --gateway-api-secrets-namespace string                    Namespace having tls secrets used by CEC for Gateway API (default "cilium-secrets")
      --gateway-api-xff-num-trusted-hops uint32                 The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.
      --gops-port uint16                                        Port for gops server to listen on (default 9891)
  -h, --help                                                    help for cilium-operator-generic
      --identity-allocation-mode string                         Method to use for identity allocation (default "kvstore")
      --identity-gc-interval duration                           GC interval for security identities (default 15m0s)
      --identity-gc-rate-interval duration                      Interval used for rate limiting the GC of security identities (default 1m0s)
      --identity-gc-rate-limit int                              Maximum number of security identities that will be deleted within the identity-gc-rate-interval (default 2500)
      --identity-heartbeat-timeout duration                     Timeout after which identity expires on lack of heartbeat (default 30m0s)
      --ingress-default-lb-mode string                          Default loadbalancer mode for Ingress. Applicable values: dedicated, shared (default "dedicated")
      --ingress-default-secret-name string                      Default secret name for Ingress.
      --ingress-default-secret-namespace string                 Default secret namespace for Ingress.
      --ingress-default-xff-num-trusted-hops uint32             The number of additional ingress proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.
      --ingress-hostnetwork-enabled                             Exposes ingress listeners on the host network.
      --ingress-hostnetwork-nodelabelselector string            Label selector that matches the nodes where the ingress listeners should be exposed. It's a list of comma-separated key-value label pairs. e.g. 'kubernetes.io/os=linux,kubernetes.io/hostname=kind-worker'
      --ingress-hostnetwork-shared-http-port uint32             Port on the host network that gets used for the shared HTTP listener (HTTP & HTTPS)
      --ingress-hostnetwork-shared-tlspassthrough-port uint32   Port on the host network that gets used for the shared TLS passthrough listener
      --ingress-lb-annotation-prefixes strings                  Annotations and labels which are needed to propagate from Ingress to the Load Balancer. (default [lbipam.cilium.io,service.beta.kubernetes.io,service.kubernetes.io,cloud.google.com])
      --ingress-secrets-namespace string                        Namespace having tls secrets used by Ingress and CEC. (default "cilium-secrets")
      --ingress-shared-lb-service-name string                   Name of shared LB service name for Ingress. (default "cilium-ingress")
      --instance-tags-filter map                                EC2 Instance tags in the form of k1=v1,k2=v2 (multiple k/v pairs can also be passed by repeating the CLI flag
      --ipam string                                             Backend to use for IPAM (default "cluster-pool")
      --k8s-api-server string                                   Kubernetes API server URL
      --k8s-client-burst int                                    Burst value allowed for the K8s client
      --k8s-client-qps float32                                  Queries per second limit for the K8s client
      --k8s-heartbeat-timeout duration                          Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string                              Absolute path of the kubernetes kubeconfig file
      --k8s-namespace string                                    Name of the Kubernetes namespace in which Cilium Operator is deployed in
      --k8s-service-proxy-name string                           Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)
      --kube-proxy-replacement string                           Enable only selected features (will panic if any selected feature cannot be enabled) ("false"), or enable all features (will panic if any feature cannot be enabled) ("true") (default "false")
      --kvstore string                                          Key-value store type
      --kvstore-opt map                                         Key-value store options e.g. etcd.address=127.0.0.1:4001
      --leader-election-lease-duration duration                 Duration that non-leader operator candidates will wait before forcing to acquire leadership (default 15s)
      --leader-election-renew-deadline duration                 Duration that current acting master will retry refreshing leadership in before giving up the lock (default 10s)
      --leader-election-retry-period duration                   Duration that LeaderElector clients should wait between retries of the actions (default 2s)
      --limit-ipam-api-burst int                                Upper burst limit when accessing external APIs (default 20)
      --limit-ipam-api-qps float                                Queries per second limit when accessing external IPAM APIs (default 4)
      --loadbalancer-l7-algorithm string                        Default LB algorithm for services that do not specify related annotation (default "round_robin")
      --loadbalancer-l7-ports strings                           List of service ports that will be automatically redirected to backend.
      --log-driver strings                                      Logging endpoints to use for example syslog
      --log-opt map                                             Log driver options for cilium-operator, configmap example for syslog driver: {"syslog.level":"info","syslog.facility":"local4"}
      --max-connected-clusters uint32                           Maximum number of clusters to be connected in a clustermesh. Increasing this value will reduce the maximum number of identities available. Valid configurations are [255, 511]. (default 255)
      --mesh-auth-mutual-enabled                                The flag to enable mutual authentication for the SPIRE server (beta).
      --mesh-auth-spiffe-trust-domain string                    The trust domain for the SPIFFE identity. (default "spiffe.cilium")
      --mesh-auth-spire-agent-socket string                     The path for the SPIRE admin agent Unix socket. (default "/run/spire/sockets/agent/agent.sock")
      --mesh-auth-spire-server-address string                   SPIRE server endpoint. (default "spire-server.spire.svc:8081")
      --mesh-auth-spire-server-connection-timeout duration      SPIRE server connection timeout. (default 10s)
      --nodes-gc-interval duration                              GC interval for CiliumNodes (default 5m0s)
      --operator-api-serve-addr string                          Address to serve API requests (default "localhost:9234")
      --operator-pprof                                          Enable serving pprof debugging API
      --operator-pprof-address string                           Address that pprof listens on (default "localhost")
      --operator-pprof-port uint16                              Port that pprof listens on (default 6061)
      --operator-prometheus-serve-addr string                   Address to serve Prometheus metrics (default ":9963")
      --parallel-alloc-workers int                              Maximum number of parallel IPAM workers (default 50)
      --pod-restart-selector string                             cilium-operator will delete/restart any pods with these labels if the pod is not managed by Cilium. If this option is empty, then all pods may be restarted (default "k8s-app=kube-dns")
      --remove-cilium-node-taints                               Remove node taint "node.cilium.io/agent-not-ready" from Kubernetes nodes once Cilium is up and running (default true)
      --set-cilium-is-up-condition                              Set CiliumIsUp Node condition to mark a Kubernetes Node that a Cilium pod is up and running in that node (default true)
      --set-cilium-node-taints                                  Set node taint "node.cilium.io/agent-not-ready" from Kubernetes nodes if Cilium is scheduled but not up and running
      --skip-crd-creation                                       When true, Kubernetes Custom Resource Definitions will not be created
      --subnet-ids-filter strings                               Subnets IDs (separated by commas)
      --subnet-tags-filter map                                  Subnets tags in the form of k1=v1,k2=v2 (multiple k/v pairs can also be passed by repeating the CLI flag
      --synchronize-k8s-nodes                                   Synchronize Kubernetes nodes to kvstore and perform CNP GC (default true)
      --synchronize-k8s-services                                Synchronize Kubernetes services to kvstore (default true)
      --unmanaged-pod-watcher-interval int                      Interval to check for unmanaged kube-dns pods (0 to disable) (default 15)
      --version                                                 Print version information

SEE ALSO