cilium-agent
Run the cilium agent
cilium-agent [flags]
Options
--agent-health-port int TCP port for agent health status API (default 9879)
--agent-labels strings Additional labels to identify this agent
--agent-liveness-update-interval duration Interval at which the agent updates liveness time for the datapath (default 1s)
--agent-not-ready-taint-key string Key of the taint indicating that Cilium is not ready on the node (default "node.cilium.io/agent-not-ready")
--allocator-list-timeout duration Timeout for listing allocator state before exiting (default 3m0s)
--allow-icmp-frag-needed Allow ICMP Fragmentation Needed type packets for purposes like TCP Path MTU. (default true)
--allow-localhost string Policy when to allow local stack to reach local endpoints { auto | always | policy } (default "auto")
--annotate-k8s-node Annotate Kubernetes node
--api-rate-limit string API rate limiting configuration (example: --api-rate-limit endpoint-create=rate-limit:10/m,rate-burst:2)
--arping-refresh-period duration Period for remote node ARP entry refresh (set 0 to disable) (default 30s)
--auto-create-cilium-node-resource Automatically create CiliumNode resource for own node on startup (default true)
--auto-direct-node-routes Enable automatic L2 routing between nodes
--bgp-announce-lb-ip Announces service IPs of type LoadBalancer via BGP
--bgp-announce-pod-cidr Announces the node's pod CIDR via BGP
--bgp-config-path string Path to file containing the BGP configuration (default "/var/lib/cilium/bgp/config.yaml")
--bpf-auth-map-max int Maximum number of entries in auth map (default 524288)
--bpf-ct-global-any-max int Maximum number of entries in non-TCP CT table (default 262144)
--bpf-ct-global-tcp-max int Maximum number of entries in TCP CT table (default 524288)
--bpf-ct-timeout-regular-any duration Timeout for entries in non-TCP CT table (default 1m0s)
--bpf-ct-timeout-regular-tcp duration Timeout for established entries in TCP CT table (default 2h13m20s)
--bpf-ct-timeout-regular-tcp-fin duration Teardown timeout for entries in TCP CT table (default 10s)
--bpf-ct-timeout-regular-tcp-syn duration Establishment timeout for entries in TCP CT table (default 1m0s)
--bpf-ct-timeout-service-any duration Timeout for service entries in non-TCP CT table (default 1m0s)
--bpf-ct-timeout-service-tcp duration Timeout for established service entries in TCP CT table (default 2h13m20s)
--bpf-ct-timeout-service-tcp-grace duration Timeout for graceful shutdown of service entries in TCP CT table (default 1m0s)
--bpf-events-drop-enabled Expose 'drop' events for Cilium monitor and/or Hubble (default true)
--bpf-events-policy-verdict-enabled Expose 'policy verdict' events for Cilium monitor and/or Hubble (default true)
--bpf-events-trace-enabled Expose 'trace' events for Cilium monitor and/or Hubble (default true)
--bpf-fragments-map-max int Maximum number of entries in fragments tracking map (default 8192)
--bpf-lb-acceleration string BPF load balancing acceleration via XDP ("native", "disabled") (default "disabled")
--bpf-lb-algorithm string BPF load balancing algorithm ("random", "maglev") (default "random")
--bpf-lb-dsr-dispatch string BPF load balancing DSR dispatch method ("opt", "ipip", "geneve") (default "opt")
--bpf-lb-dsr-l4-xlate string BPF load balancing DSR L4 DNAT method for IPIP ("frontend", "backend") (default "frontend")
--bpf-lb-external-clusterip Enable external access to ClusterIP services (default false)
--bpf-lb-maglev-hash-seed string Maglev cluster-wide hash seed (base64 encoded) (default "JLfvgnHc2kaSUFaI")
--bpf-lb-maglev-table-size uint Maglev per service backend table size (parameter M) (default 16381)
--bpf-lb-map-max int Maximum number of entries in Cilium BPF lbmap (default 65536)
--bpf-lb-mode string BPF load balancing mode ("snat", "dsr", "hybrid") (default "snat")
--bpf-lb-rss-ipv4-src-cidr string BPF load balancing RSS outer source IPv4 CIDR prefix for IPIP
--bpf-lb-rss-ipv6-src-cidr string BPF load balancing RSS outer source IPv6 CIDR prefix for IPIP
--bpf-lb-sock Enable socket-based LB for E/W traffic
--bpf-lb-sock-hostns-only Skip socket LB for services when inside a pod namespace, in favor of service LB at the pod interface. Socket LB is still used when in the host namespace. Required by service mesh (e.g., Istio, Linkerd).
--bpf-map-dynamic-size-ratio float Ratio (0.0-1.0] of total system memory to use for dynamic sizing of CT, NAT and policy BPF maps (default 0.0025)
--bpf-nat-global-max int Maximum number of entries for the global BPF NAT table (default 524288)
--bpf-neigh-global-max int Maximum number of entries for the global BPF neighbor table (default 524288)
--bpf-node-map-max uint32 Sets size of node bpf map which will be the max number of unique Node IPs in the cluster (default 16384)
--bpf-policy-map-max int Maximum number of entries in endpoint policy map (per endpoint) (default 16384)
--bpf-root string Path to BPF filesystem
--bpf-sock-rev-map-max int Maximum number of entries for the SockRevNAT BPF map (default 262144)
--certificates-directory string Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs")
--cgroup-root string Path to Cgroup2 filesystem
--cluster-health-port int TCP port for cluster-wide network connectivity health API (default 4240)
--cluster-id uint32 Unique identifier of the cluster
--cluster-name string Name of the cluster. It must consist of at most 32 lower case alphanumeric characters and '-', start and end with an alphanumeric character. (default "default")
--clustermesh-config string Path to the ClusterMesh configuration directory
--clustermesh-sync-timeout duration Timeout waiting for the initial synchronization of information from remote clusters (default 1m0s)
--cni-chaining-mode string Enable CNI chaining with the specified plugin (default "none")
--cni-chaining-target string CNI network name into which to insert the Cilium chained configuration. Use '*' to select any network.
--cni-exclusive Whether to remove other CNI configurations
--cni-external-routing Whether the chained CNI plugin handles routing on the node
--cni-log-file string Path where the CNI plugin should write logs (default "/var/run/cilium/cilium-cni.log")
--config string Configuration file (default "$HOME/ciliumd.yaml")
--config-dir string Configuration directory that contains a file for each option
--conntrack-gc-interval duration Overwrite the connection-tracking garbage collection interval
--conntrack-gc-max-interval duration Set the maximum interval for the connection-tracking garbage collection
--container-ip-local-reserved-ports string Instructs the Cilium CNI plugin to reserve the provided comma-separated list of ports in the container network namespace. Prevents the container from using these ports as ephemeral source ports (see Linux ip_local_reserved_ports). Use this flag if you observe port conflicts between transparent DNS proxy requests and host network namespace services. Value "auto" reserves the WireGuard and VXLAN ports used by Cilium (default "auto")
--controller-group-metrics strings List of controller group names for which to enable metrics. Accepts 'all' and 'none'. The set of controller group names available is not guaranteed to be stable between Cilium versions.
--crd-wait-timeout duration Cilium will exit if CRDs are not available within this duration upon startup (default 5m0s)
--datapath-mode string Datapath mode name (veth, netkit, netkit-l2, lb-only) (default "veth")
-D, --debug Enable debugging mode
--debug-verbose strings List of enabled verbose debug groups
--devices strings List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'
--direct-routing-device string Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)
--direct-routing-skip-unreachable Enable skipping L2 routes between nodes on different subnets
--disable-endpoint-crd Disable use of CiliumEndpoint CRD
--disable-envoy-version-check Do not perform Envoy version check
--disable-external-ip-mitigation Disable ExternalIP mitigation (CVE-2020-8554, default false)
--disable-iptables-feeder-rules strings Chains to ignore when installing feeder rules.
--dns-max-ips-per-restored-rule int Maximum number of IPs to maintain for each restored DNS rule (default 1000)
--dns-policy-unload-on-shutdown Unload DNS policy rules on graceful shutdown
--dnsproxy-concurrency-limit int Limit concurrency of DNS message processing
--dnsproxy-concurrency-processing-grace-period duration Grace time to wait when DNS proxy concurrent limit has been reached during DNS message processing
--dnsproxy-enable-transparent-mode Enable DNS proxy transparent mode
--dnsproxy-socket-linger-timeout int Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background (default 10)
--egress-gateway-policy-map-max int Maximum number of entries in egress gateway policy map (default 16384)
--egress-gateway-reconciliation-trigger-interval duration Time between triggers of egress gateway state reconciliations (default 1s)
--egress-masquerade-interfaces strings Limit iptables-based egress masquerading to interface selector
--egress-multi-home-ip-rule-compat Offset routing table IDs under ENI IPAM mode to avoid collisions with reserved table IDs. If false, the offset is applied (new scheme); if true, the old scheme stays in place.
--enable-active-connection-tracking Count open and active connections to services, grouped by zones defined in fixed-zone-mapping.
--enable-auto-protect-node-port-range Append NodePort range to net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port range (net.ipv4.ip_local_port_range) (default true)
--enable-bandwidth-manager Enable BPF bandwidth manager
--enable-bbr Enable BBR for the bandwidth manager
--enable-bgp-control-plane Enable the BGP control plane.
--enable-bpf-clock-probe Enable BPF clock source probing for more efficient tick retrieval
--enable-bpf-masquerade Masquerade packets from endpoints leaving the host with BPF instead of iptables
--enable-bpf-tproxy Enable BPF-based proxy redirection, if support available
--enable-cilium-api-server-access strings List of cilium API APIs which are administratively enabled. Supports '*'. (default [*])
--enable-cilium-endpoint-slice Enable the CiliumEndpointSlice watcher in place of the CiliumEndpoint watcher (beta)
--enable-cilium-health-api-server-access strings List of cilium health API APIs which are administratively enabled. Supports '*'. (default [*])
--enable-custom-calls Enable tail call hooks for custom eBPF programs
--enable-encryption-strict-mode Enable encryption strict mode
--enable-endpoint-health-checking Enable connectivity health checking between virtual endpoints (default true)
--enable-endpoint-routes Use per endpoint routes instead of routing via cilium_host
--enable-envoy-config Enable Envoy Config CRDs
--enable-external-ips Enable k8s service externalIPs feature (requires enabling enable-node-port)
--enable-gateway-api Enables Envoy secret sync for Gateway API related TLS secrets
--enable-health-check-loadbalancer-ip Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs --enable-health-check-nodeport to be enabled
--enable-health-check-nodeport Enables a healthcheck nodePort server for NodePort services with 'healthCheckNodePort' being set (default true)
--enable-health-checking Enable connectivity health checking (default true)
--enable-high-scale-ipcache Enable the high scale mode for ipcache
--enable-host-firewall Enable host network policies
--enable-host-legacy-routing Enable the legacy host forwarding model which does not bypass upper stack in host namespace
--enable-host-port Enable k8s hostPort mapping feature (requires enabling enable-node-port)
--enable-hubble Enable hubble server
--enable-hubble-recorder-api Enable the Hubble recorder API (default true)
--enable-identity-mark Enable setting identity mark for local traffic (default true)
--enable-ingress-controller Enables Envoy secret sync for Ingress controller related TLS secrets
--enable-ip-masq-agent Enable BPF ip-masq-agent
--enable-ipip-termination Enable plain IPIP/IP6IP6 termination
--enable-ipsec Enable IPsec support
--enable-ipsec-encrypted-overlay Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host. Requires ipsec and tunnel mode vxlan to be enabled.
--enable-ipsec-key-watcher Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations. (default true)
--enable-ipv4 Enable IPv4 support (default true)
--enable-ipv4-big-tcp Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
--enable-ipv4-egress-gateway Enable egress gateway for IPv4
--enable-ipv4-fragment-tracking Enable IPv4 fragments tracking for L4-based lookups (default true)
--enable-ipv4-masquerade Masquerade IPv4 traffic from endpoints leaving the host (default true)
--enable-ipv6 Enable IPv6 support (default true)
--enable-ipv6-big-tcp Enable IPv6 BIG TCP option which increases device's maximum GRO/GSO limits for IPv6
--enable-ipv6-masquerade Masquerade IPv6 traffic from endpoints leaving the host (default true)
--enable-ipv6-ndp Enable IPv6 NDP support
--enable-k8s Enable the k8s clientset (default true)
--enable-k8s-api-discovery Enable discovery of Kubernetes API groups and resources with the discovery API
--enable-k8s-endpoint-slice Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
--enable-k8s-terminating-endpoint Enable auto-detect of terminating endpoint condition (default true)
--enable-l2-announcements Enable L2 announcements
--enable-l2-neigh-discovery Enables L2 neighbor discovery used by kube-proxy-replacement and IPsec (default true)
--enable-l2-pod-announcements Enable announcing Pod IPs with Gratuitous ARP
--enable-l7-proxy Enable L7 proxy for L7 policy enforcement (default true)
--enable-local-node-route Enable installation of the route which points the allocation prefix of the local node (default true)
--enable-local-redirect-policy Enable Local Redirect Policy
--enable-masquerade-to-route-source Masquerade packets to the source IP provided from the routing layer rather than interface address
--enable-monitor Enable the monitor unix domain socket server (default true)
--enable-nat46x64-gateway Enable NAT46 and NAT64 gateway
--enable-node-port Enable NodePort type services by Cilium
--enable-node-selector-labels Enable use of node label based identity
--enable-pmtu-discovery Enable path MTU discovery to send ICMP fragmentation-needed replies to the client
--enable-policy string Enable policy enforcement (default "default")
--enable-recorder Enable BPF datapath pcap recorder
--enable-route-mtu-for-cni-chaining Enable route MTU for pod netns when CNI chaining is used
--enable-sctp Enable SCTP support (beta)
--enable-service-topology Enable support for service topology aware hints
--enable-session-affinity Enable support for service session affinity
--enable-svc-source-range-check Enable check of service source ranges (currently, only for LoadBalancer) (default true)
--enable-tcx Attach endpoint programs using tcx if supported by the kernel (default true)
--enable-tracing Enable tracing while determining policy (debugging)
--enable-unreachable-routes Add unreachable routes on pod deletion
--enable-vtep Enable VXLAN Tunnel Endpoint (VTEP) Integration (beta)
--enable-well-known-identities Enable well-known identities for known Kubernetes components (default true)
--enable-wireguard Enable WireGuard
--enable-xdp-prefilter Enable XDP prefiltering
--enable-xt-socket-fallback Enable fallback for missing xt_socket module (default true)
--encrypt-interface string Transparent encryption interface
--encrypt-node Enables encrypting traffic from non-Cilium pods and host networking (only supported with WireGuard, beta)
--encryption-strict-mode-allow-remote-node-identities Allows unencrypted traffic from pods to remote node identities within the strict mode CIDR. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
--encryption-strict-mode-cidr string In strict-mode encryption, all unencrypted traffic coming from this CIDR and going to this same CIDR will be dropped
--endpoint-bpf-prog-watchdog-interval duration Interval to trigger endpoint BPF programs load check watchdog (default 30s)
--endpoint-queue-size int Size of EventQueue per-endpoint (default 25)
--envoy-base-id uint Envoy base ID
--envoy-config-retry-interval duration Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated. (default 15s)
--envoy-config-timeout duration Timeout that determines how long to wait for Envoy to N/ACK CiliumEnvoyConfig resources (default 2m0s)
--envoy-keep-cap-netbindservice Keep capability NET_BIND_SERVICE for Envoy process
--envoy-log string Path to a separate Envoy log file, if any
--envoy-secrets-namespace string EnvoySecretsNamespace is the namespace having secrets used by CEC
--exclude-local-address strings Exclude CIDR from being recognized as local address
--exclude-node-label-patterns strings List of k8s node label regex patterns to be excluded from CiliumNode
--external-envoy-proxy Whether Envoy is deployed externally in the form of a DaemonSet or not
--fixed-identity-mapping map Key-value for the fixed identity mapping which allows to use reserved label for fixed identities, e.g. 128=kv-store,129=kube-dns
--force-device-detection Forces the auto-detection of devices, even if specific devices are explicitly listed
--gateway-api-secrets-namespace string GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC, originating from Gateway API
--gops-port uint16 Port for gops server to listen on (default 9890)
-h, --help help for cilium-agent
--http-idle-timeout uint Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)
--http-max-grpc-timeout uint Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)
--http-normalize-path Use Envoy HTTP path normalization options, which currently includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and redirecting for paths that contain escaped slashes. These are necessary to keep path based access control functional, and should not interfere with normal operation. Set this to false only with caution. (default true)
--http-request-timeout uint Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)
--http-retry-count uint Number of retries performed after a forwarded request attempt fails (default 3)
--http-retry-timeout uint Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)
--hubble-disable-tls Allow Hubble server to run on the given listen address without TLS.
--hubble-drop-events Emit packet drop Events related to pods (alpha)
--hubble-drop-events-interval duration Minimum time between emitting same events (default 2m0s)
--hubble-drop-events-reasons string Drop reasons to emit events for (default "auth_required,policy_denied")
--hubble-event-buffer-capacity int Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535 (ie: 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
--hubble-event-queue-size int Buffer size of the channel to receive monitor events.
--hubble-export-allowlist strings Specify allowlist as JSON encoded FlowFilters to Hubble exporter.
--hubble-export-denylist strings Specify denylist as JSON encoded FlowFilters to Hubble exporter.
--hubble-export-fieldmask strings Specify list of fields to use for field mask in Hubble exporter.
--hubble-export-file-compress Compress rotated Hubble export files.
--hubble-export-file-max-backups int Number of rotated Hubble export files to keep. (default 5)
--hubble-export-file-max-size-mb int Size in MB at which to rotate Hubble export file. (default 10)
--hubble-export-file-path stdout Filepath to write Hubble events to. By specifying stdout the flows are logged instead of written to a rotated file.
--hubble-flowlogs-config-path string Filepath with configuration of hubble flowlogs
--hubble-listen-address string An additional address for Hubble server to listen to, e.g. ":4244"
--hubble-metrics strings List of Hubble metrics to enable.
--hubble-metrics-server string Address to serve Hubble metrics on.
--hubble-monitor-events strings Cilium monitor events for Hubble to observe: [drop debug capture trace policy-verdict recorder trace-sock l7 agent]. By default, Hubble observes all monitor events.
--hubble-prefer-ipv6 Prefer IPv6 addresses for announcing nodes when both address types are available.
--hubble-recorder-sink-queue-size int Queue size of each Hubble recorder sink (default 1024)
--hubble-recorder-storage-path string Directory in which pcap files created via the Hubble Recorder API are stored (default "/var/run/cilium/pcaps")
--hubble-redact-enabled Hubble redact sensitive information from flows
--hubble-redact-http-headers-allow strings HTTP headers to keep visible in flows
--hubble-redact-http-headers-deny strings HTTP headers to redact from flows
--hubble-redact-http-urlquery Hubble redact http URL query from flows
--hubble-redact-http-userinfo Hubble redact http user info from flows (default true)
--hubble-redact-kafka-apikey Hubble redact Kafka API key from flows
--hubble-skip-unknown-cgroup-ids Skip Hubble events with unknown cgroup ids (default true)
--hubble-socket-path string Set hubble's socket path to listen for connections (default "/var/run/cilium/hubble.sock")
--hubble-tls-cert-file string Path to the public key file for the Hubble server. The file must contain PEM encoded data.
--hubble-tls-client-ca-files strings Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.
--hubble-tls-key-file string Path to the private key file for the Hubble server. The file must contain PEM encoded data.
--identity-allocation-mode string Method to use for identity allocation (default "kvstore")
--identity-change-grace-period duration Time to wait before using new identity on endpoint identity change (default 5s)
--identity-restore-grace-period duration Time to wait before releasing unused restored CIDR identities during agent restart (default 30s)
--ingress-secrets-namespace string IngressSecretsNamespace is the namespace having tls secrets used by CEC, originating from Ingress controller
--install-no-conntrack-iptables-rules Install iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup.
--ip-masq-agent-config-path string ip-masq-agent configuration file path (default "/etc/config/ip-masq-agent")
--ipam string Backend to use for IPAM (default "cluster-pool")
--ipam-cilium-node-update-rate duration Maximum rate at which the CiliumNode custom resource is updated (default 15s)
--ipam-default-ip-pool string Name of the default IP Pool when using multi-pool (default "default")
--ipam-multi-pool-pre-allocation map Defines the minimum number of IPs a node should pre-allocate from each pool (default default=8)
--ipsec-key-file string Path to IPsec key file
--ipsec-key-rotation-duration duration Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. (default 5m0s)
--iptables-lock-timeout duration Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
--iptables-random-fully Set iptables flag random-fully on masquerading rules
--ipv4-native-routing-cidr string Allows to explicitly specify the IPv4 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag.
--ipv4-node string IPv4 address of node (default "auto")
--ipv4-pod-subnets strings List of IPv4 pod subnets to preconfigure for encryption
--ipv4-range string Per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 (default "auto")
--ipv4-service-loopback-address string IPv4 address for service loopback SNAT (default "169.254.42.1")
--ipv4-service-range string Kubernetes IPv4 services CIDR if not inside cluster prefix (default "auto")
--ipv6-cluster-alloc-cidr string IPv6 /64 CIDR used to allocate per node endpoint /96 CIDR (default "f00d::/64")
--ipv6-mcast-device string Device that joins a Solicited-Node multicast group for IPv6
--ipv6-native-routing-cidr string Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag.
--ipv6-node string IPv6 address of node (default "auto")
--ipv6-pod-subnets strings List of IPv6 pod subnets to preconfigure for encryption
--ipv6-range string Per-node IPv6 endpoint prefix, e.g. fd02:1:1::/96 (default "auto")
--ipv6-service-range string Kubernetes IPv6 services CIDR if not inside cluster prefix (default "auto")
--join-cluster Join a Cilium cluster via kvstore registration
--k8s-api-server string Kubernetes API server URL
--k8s-client-burst int Burst value allowed for the K8s client
--k8s-client-connection-keep-alive duration Configures the keep alive duration of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
--k8s-client-connection-timeout duration Configures the timeout of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
--k8s-client-qps float32 Queries per second limit for the K8s client
--k8s-heartbeat-timeout duration Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
--k8s-kubeconfig-path string Absolute path of the kubernetes kubeconfig file
--k8s-namespace string Name of the Kubernetes namespace in which Cilium is deployed
--k8s-require-ipv4-pod-cidr Require IPv4 PodCIDR to be specified in node resource
--k8s-require-ipv6-pod-cidr Require IPv6 PodCIDR to be specified in node resource
--k8s-service-proxy-name string Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)
--k8s-watcher-endpoint-selector string K8s endpoint watcher will watch for these k8s endpoints (default "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager")
--keep-config When restoring state, keeps containers' configuration in place
--kube-proxy-replacement string Enable only selected features (will panic if any selected feature cannot be enabled) ("false"), or enable all features (will panic if any feature cannot be enabled) ("true") (default "false")
--kube-proxy-replacement-healthz-bind-address string The IP address with port for kube-proxy replacement health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable.
--kvstore string Key-value store type
--kvstore-connectivity-timeout duration Time after which an incomplete kvstore operation is considered failed (default 2m0s)
--kvstore-max-consecutive-quorum-errors uint Max acceptable kvstore consecutive quorum errors before the agent assumes permanent failure (default 2)
--kvstore-opt map Key-value store options e.g. etcd.address=127.0.0.1:4001
--kvstore-periodic-sync duration Periodic KVstore synchronization interval (default 5m0s)
--l2-announcements-lease-duration duration Duration of inactivity after which a new leader is selected (default 15s)
--l2-announcements-renew-deadline duration Interval at which the leader renews a lease (default 5s)
--l2-announcements-retry-period duration Timeout after a renew failure, before the next retry (default 2s)
--l2-pod-announcements-interface string Interface used for sending gratuitous arp messages
--label-prefix-file string Valid label prefixes file path
--labels strings List of label prefixes used to determine identity of an endpoint
--lib-dir string Directory path to store runtime build environment (default "/var/lib/cilium")
--local-router-ipv4 string Link-local IPv4 used for Cilium's router devices
--local-router-ipv6 string Link-local IPv6 used for Cilium's router devices
--log-driver strings Logging endpoints to use for example syslog
--log-opt map Log driver options for cilium-agent, configmap example for syslog driver: {"syslog.level":"info","syslog.facility":"local5","syslog.tag":"cilium-agent"}
--log-system-load Enable periodic logging of system load
--max-connected-clusters uint32 Maximum number of clusters to be connected in a clustermesh. Increasing this value will reduce the maximum number of identities available. Valid configurations are [255, 511]. (default 255)
--mesh-auth-enabled Enable authentication processing & garbage collection (beta) (default true)
--mesh-auth-gc-interval duration Interval in which auth entries are attempted to be garbage collected (default 5m0s)
--mesh-auth-mutual-connect-timeout duration Timeout for connecting to the remote node TCP socket (default 5s)
--mesh-auth-mutual-listener-port int Port on which the Cilium Agent will perform mutual authentication handshakes with other Agents
--mesh-auth-queue-size int Queue size for the auth manager (default 1024)
--mesh-auth-rotated-identities-queue-size int The size of the queue for signaling rotated identities. (default 1024)
--mesh-auth-spiffe-trust-domain string The trust domain for the SPIFFE identity. (default "spiffe.cilium")
--mesh-auth-spire-admin-socket string The path for the SPIRE admin agent Unix socket.
--metrics strings Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo, -metric_bar to disable metric_bar)
--monitor-aggregation string Level of monitor aggregation for traces from the datapath (default "None")
--monitor-aggregation-flags strings TCP flags that trigger monitor reports when monitor aggregation is enabled (default [syn,fin,rst])
--monitor-aggregation-interval duration Monitor report interval when monitor aggregation is enabled (default 5s)
--monitor-queue-size int Size of the event queue when reading monitor events
--mtu int Overwrite auto-detected MTU of underlying network
--multicast-enabled Enables multicast in Cilium
--nat-map-stats-entries int Number of top-k stats entries to store locally in statedb (default 32)
--nat-map-stats-interval duration Interval upon which nat maps are iterated for stats (default 30s)
--node-encryption-opt-out-labels string Label selector for nodes which will opt-out of node-to-node encryption (default "node-role.kubernetes.io/control-plane")
--node-labels strings List of label prefixes used to determine identity of a node (used only when enable-node-selector-labels is enabled)
--node-port-bind-protection Reject application bind(2) requests to service ports in the NodePort range (default true)
--node-port-range strings Set the min/max NodePort port range (default [30000,32767])
--nodeport-addresses strings A whitelist of CIDRs to limit which IPs are used for NodePort. If not set, primary IPv4 and/or IPv6 address of each native device is used.
--policy-accounting Enable policy accounting (default true)
--policy-audit-mode Enable policy audit (non-drop) mode
--policy-cidr-match-mode strings The entities that can be selected by CIDR policy. Supported values: 'nodes'
--policy-queue-size int Size of queues for policy-related events (default 100)
--pprof Enable serving pprof debugging API
--pprof-address string Address that pprof listens on (default "localhost")
--pprof-port uint16 Port that pprof listens on (default 6060)
--preallocate-bpf-maps Enable BPF map pre-allocation (default true)
--prepend-iptables-chains Prepend custom iptables chains instead of appending (default true)
--procfs string Path to the host's proc filesystem mount (default "/proc")
--prometheus-serve-addr string IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
--proxy-admin-port int Port to serve Envoy admin interface on.
--proxy-connect-timeout uint Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 2)
--proxy-gid uint Group ID for proxy control plane sockets. (default 1337)
--proxy-idle-timeout-seconds int Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s (default 60)
--proxy-max-connection-duration-seconds int Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
--proxy-max-requests-per-connection int Set Envoy HTTP option max_requests_per_connection. Default 0 (disable)
--proxy-portrange-max uint16 End of port range that is used to allocate ports for L7 proxies. (default 20000)
--proxy-portrange-min uint16 Start of port range that is used to allocate ports for L7 proxies. (default 10000)
--proxy-prometheus-port int Port to serve Envoy metrics on. Default 0 (disabled).
--proxy-xff-num-trusted-hops-egress uint32 Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
--proxy-xff-num-trusted-hops-ingress uint32 Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
--read-cni-conf string CNI configuration file to use as a source for --write-cni-conf-when-ready. If not supplied, a suitable one will be generated.
--restore Restores state, if possible, from previous daemon (default true)
--route-metric int Overwrite the metric used by cilium when adding routes to its 'cilium_host' device
--routing-mode string Routing mode ("native" or "tunnel") (default "tunnel")
--service-no-backend-response string Response to traffic for a service without backends (default "reject")
--socket-path string Sets daemon's socket path to listen for connections (default "/var/run/cilium/cilium.sock")
--state-dir string Directory path to store runtime state (default "/var/run/cilium")
--static-cnp-path string Directory path to watch and load static cilium network policy yaml files.
--tofqdns-dns-reject-response-code string DNS response code for rejecting DNS requests, available options are '[nameError refused]' (default "refused")
--tofqdns-enable-dns-compression Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present (default true)
--tofqdns-endpoint-max-ip-per-hostname int Maximum number of IPs to maintain per FQDN name for each endpoint (default 50)
--tofqdns-idle-connection-grace-period duration Time during which idle but previously active connections with expired DNS lookups are still considered alive (default 0s)
--tofqdns-max-deferred-connection-deletes int Maximum number of IPs to retain for expired DNS lookups with still-active connections (default 10000)
--tofqdns-min-ttl int The minimum time, in seconds, to use DNS data for toFQDNs policies
--tofqdns-pre-cache string DNS cache data at this path is preloaded on agent startup
--tofqdns-proxy-port int Global port on which the in-agent DNS proxy should listen. Default 0 is an OS-assigned port.
--tofqdns-proxy-response-max-delay duration The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. (default 100ms)
--trace-payloadlen int Length of payload to capture when tracing (default 128)
--trace-sock Enable tracing for socket-based LB (default true)
--tunnel-port uint16 Tunnel port (default 8472 for "vxlan" and 6081 for "geneve")
--tunnel-protocol string Encapsulation protocol to use for the overlay ("vxlan" or "geneve") (default "vxlan")
--use-full-tls-context If enabled, persist ca.crt keys into the Envoy config even in a terminatingTLS block on an L7 Cilium Policy. This is to enable compatibility with previously buggy behaviour. This flag is deprecated and will be removed in a future release.
--version Print version information
--vlan-bpf-bypass strings List of explicitly allowed VLAN IDs, '0' id will allow all VLAN IDs
--vtep-cidr strings List of VTEP CIDRs that will be routed towards VTEPs for traffic cluster egress
--vtep-endpoint strings List of VTEP IP addresses
--vtep-mac strings List of VTEP MAC addresses for forwarding traffic outside the cluster
--vtep-mask string VTEP CIDR Mask for all VTEP CIDRs (default "255.255.255.0")
--wireguard-persistent-keepalive duration The Wireguard keepalive interval as a Go duration string
--write-cni-conf-when-ready string Write the CNI configuration to the specified path when agent is ready
SEE ALSO
cilium-agent completion - Generate the autocompletion script for the specified shell
cilium-agent hive - Inspect the hive