cilium-agent

Run the cilium agent

cilium-agent [flags]

Options

      --agent-health-port int                                     TCP port for agent health status API (default 9879)
      --agent-labels strings                                      Additional labels to identify this agent
      --agent-liveness-update-interval duration                   Interval at which the agent updates liveness time for the datapath (default 1s)
      --agent-not-ready-taint-key string                          Key of the taint indicating that Cilium is not ready on the node (default "node.cilium.io/agent-not-ready")
      --allocator-list-timeout duration                           Timeout for listing allocator state before exiting (default 3m0s)
      --allow-icmp-frag-needed                                    Allow ICMP Fragmentation Needed type packets for purposes like TCP Path MTU. (default true)
      --allow-localhost string                                    Policy when to allow local stack to reach local endpoints { auto | always | policy } (default "auto")
      --annotate-k8s-node                                         Annotate Kubernetes node
      --api-rate-limit string                                     API rate limiting configuration (example: --api-rate-limit endpoint-create=rate-limit:10/m,rate-burst:2)
      --arping-refresh-period duration                            Period for remote node ARP entry refresh (set 0 to disable) (default 30s)
      --auto-create-cilium-node-resource                          Automatically create CiliumNode resource for own node on startup (default true)
      --auto-direct-node-routes                                   Enable automatic L2 routing between nodes
      --bgp-announce-lb-ip                                        Announces service IPs of type LoadBalancer via BGP
      --bgp-announce-pod-cidr                                     Announces the node's pod CIDR via BGP
      --bgp-config-path string                                    Path to file containing the BGP configuration (default "/var/lib/cilium/bgp/config.yaml")
      --bpf-auth-map-max int                                      Maximum number of entries in auth map (default 524288)
      --bpf-ct-global-any-max int                                 Maximum number of entries in non-TCP CT table (default 262144)
      --bpf-ct-global-tcp-max int                                 Maximum number of entries in TCP CT table (default 524288)
      --bpf-ct-timeout-regular-any duration                       Timeout for entries in non-TCP CT table (default 1m0s)
      --bpf-ct-timeout-regular-tcp duration                       Timeout for established entries in TCP CT table (default 2h13m20s)
      --bpf-ct-timeout-regular-tcp-fin duration                   Teardown timeout for entries in TCP CT table (default 10s)
      --bpf-ct-timeout-regular-tcp-syn duration                   Establishment timeout for entries in TCP CT table (default 1m0s)
      --bpf-ct-timeout-service-any duration                       Timeout for service entries in non-TCP CT table (default 1m0s)
      --bpf-ct-timeout-service-tcp duration                       Timeout for established service entries in TCP CT table (default 2h13m20s)
      --bpf-ct-timeout-service-tcp-grace duration                 Timeout for graceful shutdown of service entries in TCP CT table (default 1m0s)
      --bpf-events-drop-enabled                                   Expose 'drop' events for Cilium monitor and/or Hubble (default true)
      --bpf-events-policy-verdict-enabled                         Expose 'policy verdict' events for Cilium monitor and/or Hubble (default true)
      --bpf-events-trace-enabled                                  Expose 'trace' events for Cilium monitor and/or Hubble (default true)
      --bpf-fragments-map-max int                                 Maximum number of entries in fragments tracking map (default 8192)
      --bpf-lb-acceleration string                                BPF load balancing acceleration via XDP ("native", "disabled") (default "disabled")
      --bpf-lb-algorithm string                                   BPF load balancing algorithm ("random", "maglev") (default "random")
      --bpf-lb-dsr-dispatch string                                BPF load balancing DSR dispatch method ("opt", "ipip", "geneve") (default "opt")
      --bpf-lb-dsr-l4-xlate string                                BPF load balancing DSR L4 DNAT method for IPIP ("frontend", "backend") (default "frontend")
      --bpf-lb-external-clusterip                                 Enable external access to ClusterIP services (default false)
      --bpf-lb-maglev-hash-seed string                            Maglev cluster-wide hash seed (base64 encoded) (default "JLfvgnHc2kaSUFaI")
      --bpf-lb-maglev-table-size uint                             Maglev per service backend table size (parameter M) (default 16381)
      --bpf-lb-map-max int                                        Maximum number of entries in Cilium BPF lbmap (default 65536)
      --bpf-lb-mode string                                        BPF load balancing mode ("snat", "dsr", "hybrid") (default "snat")
      --bpf-lb-rss-ipv4-src-cidr string                           BPF load balancing RSS outer source IPv4 CIDR prefix for IPIP
      --bpf-lb-rss-ipv6-src-cidr string                           BPF load balancing RSS outer source IPv6 CIDR prefix for IPIP
      --bpf-lb-sock                                               Enable socket-based LB for E/W traffic
      --bpf-lb-sock-hostns-only                                   Skip socket LB for services when inside a pod namespace, in favor of service LB at the pod interface. Socket LB is still used when in the host namespace. Required by service mesh (e.g., Istio, Linkerd).
      --bpf-map-dynamic-size-ratio float                          Ratio (0.0-1.0] of total system memory to use for dynamic sizing of CT, NAT and policy BPF maps (default 0.0025)
      --bpf-nat-global-max int                                    Maximum number of entries for the global BPF NAT table (default 524288)
      --bpf-neigh-global-max int                                  Maximum number of entries for the global BPF neighbor table (default 524288)
      --bpf-node-map-max uint32                                   Sets size of node bpf map which will be the max number of unique Node IPs in the cluster (default 16384)
      --bpf-policy-map-max int                                    Maximum number of entries in endpoint policy map (per endpoint) (default 16384)
      --bpf-root string                                           Path to BPF filesystem
      --bpf-sock-rev-map-max int                                  Maximum number of entries for the SockRevNAT BPF map (default 262144)
      --certificates-directory string                             Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs")
      --cgroup-root string                                        Path to Cgroup2 filesystem
      --cluster-health-port int                                   TCP port for cluster-wide network connectivity health API (default 4240)
      --cluster-id uint32                                         Unique identifier of the cluster
      --cluster-name string                                       Name of the cluster. It must consist of at most 32 lower case alphanumeric characters and '-', start and end with an alphanumeric character. (default "default")
      --clustermesh-config string                                 Path to the ClusterMesh configuration directory
      --clustermesh-sync-timeout duration                         Timeout waiting for the initial synchronization of information from remote clusters (default 1m0s)
      --cni-chaining-mode string                                  Enable CNI chaining with the specified plugin (default "none")
      --cni-chaining-target string                                CNI network name into which to insert the Cilium chained configuration. Use '*' to select any network.
      --cni-exclusive                                             Whether to remove other CNI configurations
      --cni-external-routing                                      Whether the chained CNI plugin handles routing on the node
      --cni-log-file string                                       Path where the CNI plugin should write logs (default "/var/run/cilium/cilium-cni.log")
      --config string                                             Configuration file (default "$HOME/ciliumd.yaml")
      --config-dir string                                         Configuration directory that contains a file for each option
      --conntrack-gc-interval duration                            Overwrite the connection-tracking garbage collection interval
      --conntrack-gc-max-interval duration                        Set the maximum interval for the connection-tracking garbage collection
      --container-ip-local-reserved-ports string                  Instructs the Cilium CNI plugin to reserve the provided comma-separated list of ports in the container network namespace. Prevents the container from using these ports as ephemeral source ports (see Linux ip_local_reserved_ports). Use this flag if you observe port conflicts between transparent DNS proxy requests and host network namespace services. Value "auto" reserves the WireGuard and VXLAN ports used by Cilium (default "auto")
      --controller-group-metrics strings                          List of controller group names for which to enable metrics. Accepts 'all' and 'none'. The set of controller group names available is not guaranteed to be stable between Cilium versions.
      --crd-wait-timeout duration                                 Cilium will exit if CRDs are not available within this duration upon startup (default 5m0s)
      --datapath-mode string                                      Datapath mode name (veth, netkit, netkit-l2, lb-only) (default "veth")
  -D, --debug                                                     Enable debugging mode
      --debug-verbose strings                                     List of enabled verbose debug groups
      --devices strings                                           List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'
      --direct-routing-device string                              Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)
      --direct-routing-skip-unreachable                           Enable skipping L2 routes between nodes on different subnets
      --disable-endpoint-crd                                      Disable use of CiliumEndpoint CRD
      --disable-envoy-version-check                               Do not perform Envoy version check
      --disable-external-ip-mitigation                            Disable ExternalIP mitigation (CVE-2020-8554, default false)
      --disable-iptables-feeder-rules strings                     Chains to ignore when installing feeder rules.
      --dns-max-ips-per-restored-rule int                         Maximum number of IPs to maintain for each restored DNS rule (default 1000)
      --dns-policy-unload-on-shutdown                             Unload DNS policy rules on graceful shutdown
      --dnsproxy-concurrency-limit int                            Limit concurrency of DNS message processing
      --dnsproxy-concurrency-processing-grace-period duration     Grace time to wait when DNS proxy concurrent limit has been reached during DNS message processing
      --dnsproxy-enable-transparent-mode                          Enable DNS proxy transparent mode
      --dnsproxy-socket-linger-timeout int                        Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background (default 10)
      --egress-gateway-policy-map-max int                         Maximum number of entries in egress gateway policy map (default 16384)
      --egress-gateway-reconciliation-trigger-interval duration   Time between triggers of egress gateway state reconciliations (default 1s)
      --egress-masquerade-interfaces strings                      Limit iptables-based egress masquerading to interface selector
      --egress-multi-home-ip-rule-compat                          Offset routing table IDs under ENI IPAM mode to avoid collisions with reserved table IDs. If false, the offset is performed (new scheme), otherwise, the old scheme stays in-place.
      --enable-active-connection-tracking                         Count open and active connections to services, grouped by zones defined in fixed-zone-mapping.
      --enable-auto-protect-node-port-range                       Append NodePort range to net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port range (net.ipv4.ip_local_port_range) (default true)
      --enable-bandwidth-manager                                  Enable BPF bandwidth manager
      --enable-bbr                                                Enable BBR for the bandwidth manager
      --enable-bgp-control-plane                                  Enable the BGP control plane.
      --enable-bpf-clock-probe                                    Enable BPF clock source probing for more efficient tick retrieval
      --enable-bpf-masquerade                                     Masquerade packets from endpoints leaving the host with BPF instead of iptables
      --enable-bpf-tproxy                                         Enable BPF-based proxy redirection, if support available
      --enable-cilium-api-server-access strings                   List of cilium API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-cilium-endpoint-slice                              Enable the CiliumEndpointSlice watcher in place of the CiliumEndpoint watcher (beta)
      --enable-cilium-health-api-server-access strings            List of cilium health API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-custom-calls                                       Enable tail call hooks for custom eBPF programs
      --enable-encryption-strict-mode                             Enable encryption strict mode
      --enable-endpoint-health-checking                           Enable connectivity health checking between virtual endpoints (default true)
      --enable-endpoint-routes                                    Use per endpoint routes instead of routing via cilium_host
      --enable-envoy-config                                       Enable Envoy Config CRDs
      --enable-external-ips                                       Enable k8s service externalIPs feature (requires enabling enable-node-port)
      --enable-gateway-api                                        Enables Envoy secret sync for Gateway API related TLS secrets
      --enable-health-check-loadbalancer-ip                       Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs --enable-health-check-nodeport to be enabled
      --enable-health-check-nodeport                              Enables a healthcheck nodePort server for NodePort services with 'healthCheckNodePort' being set (default true)
      --enable-health-checking                                    Enable connectivity health checking (default true)
      --enable-high-scale-ipcache                                 Enable the high scale mode for ipcache
      --enable-host-firewall                                      Enable host network policies
      --enable-host-legacy-routing                                Enable the legacy host forwarding model which does not bypass upper stack in host namespace
      --enable-host-port                                          Enable k8s hostPort mapping feature (requires enabling enable-node-port)
      --enable-hubble                                             Enable hubble server
      --enable-hubble-recorder-api                                Enable the Hubble recorder API (default true)
      --enable-identity-mark                                      Enable setting identity mark for local traffic (default true)
      --enable-ingress-controller                                 Enables Envoy secret sync for Ingress controller related TLS secrets
      --enable-ip-masq-agent                                      Enable BPF ip-masq-agent
      --enable-ipip-termination                                   Enable plain IPIP/IP6IP6 termination
      --enable-ipsec                                              Enable IPsec support
      --enable-ipsec-encrypted-overlay                            Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host. Requires ipsec and tunnel mode vxlan to be enabled.
      --enable-ipsec-key-watcher                                  Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations. (default true)
      --enable-ipv4                                               Enable IPv4 support (default true)
      --enable-ipv4-big-tcp                                       Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
      --enable-ipv4-egress-gateway                                Enable egress gateway for IPv4
      --enable-ipv4-fragment-tracking                             Enable IPv4 fragments tracking for L4-based lookups (default true)
      --enable-ipv4-masquerade                                    Masquerade IPv4 traffic from endpoints leaving the host (default true)
      --enable-ipv6                                               Enable IPv6 support (default true)
      --enable-ipv6-big-tcp                                       Enable IPv6 BIG TCP option which increases device's maximum GRO/GSO limits for IPv6
      --enable-ipv6-masquerade                                    Masquerade IPv6 traffic from endpoints leaving the host (default true)
      --enable-ipv6-ndp                                           Enable IPv6 NDP support
      --enable-k8s                                                Enable the k8s clientset (default true)
      --enable-k8s-api-discovery                                  Enable discovery of Kubernetes API groups and resources with the discovery API
      --enable-k8s-endpoint-slice                                 Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
      --enable-k8s-terminating-endpoint                           Enable auto-detect of terminating endpoint condition (default true)
      --enable-l2-announcements                                   Enable L2 announcements
      --enable-l2-neigh-discovery                                 Enables L2 neighbor discovery used by kube-proxy-replacement and IPsec (default true)
      --enable-l2-pod-announcements                               Enable announcing Pod IPs with Gratuitous ARP
      --enable-l7-proxy                                           Enable L7 proxy for L7 policy enforcement (default true)
      --enable-local-node-route                                   Enable installation of the route which points the allocation prefix of the local node (default true)
      --enable-local-redirect-policy                              Enable Local Redirect Policy
      --enable-masquerade-to-route-source                         Masquerade packets to the source IP provided from the routing layer rather than interface address
      --enable-monitor                                            Enable the monitor unix domain socket server (default true)
      --enable-nat46x64-gateway                                   Enable NAT46 and NAT64 gateway
      --enable-node-port                                          Enable NodePort type services by Cilium
      --enable-node-selector-labels                               Enable use of node label based identity
      --enable-pmtu-discovery                                     Enable path MTU discovery to send ICMP fragmentation-needed replies to the client
      --enable-policy string                                      Enable policy enforcement (default "default")
      --enable-recorder                                           Enable BPF datapath pcap recorder
      --enable-route-mtu-for-cni-chaining                         Enable route MTU for pod netns when CNI chaining is used
      --enable-sctp                                               Enable SCTP support (beta)
      --enable-service-topology                                   Enable support for service topology aware hints
      --enable-session-affinity                                   Enable support for service session affinity
      --enable-svc-source-range-check                             Enable check of service source ranges (currently, only for LoadBalancer) (default true)
      --enable-tcx                                                Attach endpoint programs using tcx if supported by the kernel (default true)
      --enable-tracing                                            Enable tracing while determining policy (debugging)
      --enable-unreachable-routes                                 Add unreachable routes on pod deletion
      --enable-vtep                                               Enable VXLAN Tunnel Endpoint (VTEP) Integration (beta)
      --enable-well-known-identities                              Enable well-known identities for known Kubernetes components (default true)
      --enable-wireguard                                          Enable WireGuard
      --enable-xdp-prefilter                                      Enable XDP prefiltering
      --enable-xt-socket-fallback                                 Enable fallback for missing xt_socket module (default true)
      --encrypt-interface string                                  Transparent encryption interface
      --encrypt-node                                              Enables encrypting traffic from non-Cilium pods and host networking (only supported with WireGuard, beta)
      --encryption-strict-mode-allow-remote-node-identities       Allows unencrypted traffic from pods to remote node identities within the strict mode CIDR. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
      --encryption-strict-mode-cidr string                        In strict-mode encryption, all unencrypted traffic coming from this CIDR and going to this same CIDR will be dropped
      --endpoint-bpf-prog-watchdog-interval duration              Interval to trigger endpoint BPF programs load check watchdog (default 30s)
      --endpoint-queue-size int                                   Size of EventQueue per-endpoint (default 25)
      --envoy-base-id uint                                        Envoy base ID
      --envoy-config-retry-interval duration                      Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated. (default 15s)
      --envoy-config-timeout duration                             Timeout that determines how long to wait for Envoy to N/ACK CiliumEnvoyConfig resources (default 2m0s)
      --envoy-keep-cap-netbindservice                             Keep capability NET_BIND_SERVICE for Envoy process
      --envoy-log string                                          Path to a separate Envoy log file, if any
      --envoy-secrets-namespace string                            EnvoySecretsNamespace is the namespace having secrets used by CEC
      --exclude-local-address strings                             Exclude CIDR from being recognized as local address
      --exclude-node-label-patterns strings                       List of k8s node label regex patterns to be excluded from CiliumNode
      --external-envoy-proxy                                      Whether the Envoy is deployed externally in form of a DaemonSet or not
      --fixed-identity-mapping map                                Key-value for the fixed identity mapping which allows using a reserved label for fixed identities, e.g. 128=kv-store,129=kube-dns
      --force-device-detection                                    Forces the auto-detection of devices, even if specific devices are explicitly listed
      --gateway-api-secrets-namespace string                      GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC, originating from Gateway API
      --gops-port uint16                                          Port for gops server to listen on (default 9890)
  -h, --help                                                      help for cilium-agent
      --http-idle-timeout uint                                    Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)
      --http-max-grpc-timeout uint                                Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)
      --http-normalize-path                                       Use Envoy HTTP path normalization options, which currently includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and redirecting for paths that contain escaped slashes. These are necessary to keep path based access control functional, and should not interfere with normal operation. Set this to false only with caution. (default true)
      --http-request-timeout uint                                 Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)
      --http-retry-count uint                                     Number of retries performed after a forwarded request attempt fails (default 3)
      --http-retry-timeout uint                                   Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)
      --hubble-disable-tls                                        Allow Hubble server to run on the given listen address without TLS.
      --hubble-drop-events                                        Emit packet drop Events related to pods (alpha)
      --hubble-drop-events-interval duration                      Minimum time between emitting same events (default 2m0s)
      --hubble-drop-events-reasons string                         Drop reasons to emit events for (default "auth_required,policy_denied")
      --hubble-event-buffer-capacity int                          Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535 (i.e. 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
      --hubble-event-queue-size int                               Buffer size of the channel to receive monitor events.
      --hubble-export-allowlist strings                           Specify allowlist as JSON encoded FlowFilters to Hubble exporter.
      --hubble-export-denylist strings                            Specify denylist as JSON encoded FlowFilters to Hubble exporter.
      --hubble-export-fieldmask strings                           Specify list of fields to use for field mask in Hubble exporter.
      --hubble-export-file-compress                               Compress rotated Hubble export files.
      --hubble-export-file-max-backups int                        Number of rotated Hubble export files to keep. (default 5)
      --hubble-export-file-max-size-mb int                        Size in MB at which to rotate Hubble export file. (default 10)
      --hubble-export-file-path stdout                            Filepath to write Hubble events to. By specifying stdout the flows are logged instead of written to a rotated file.
      --hubble-flowlogs-config-path string                        Filepath with configuration of hubble flowlogs
      --hubble-listen-address string                              An additional address for Hubble server to listen to, e.g. ":4244"
      --hubble-metrics strings                                    List of Hubble metrics to enable.
      --hubble-metrics-server string                              Address to serve Hubble metrics on.
      --hubble-monitor-events strings                             Cilium monitor events for Hubble to observe: [drop debug capture trace policy-verdict recorder trace-sock l7 agent]. By default, Hubble observes all monitor events.
      --hubble-prefer-ipv6                                        Prefer IPv6 addresses for announcing nodes when both address types are available.
      --hubble-recorder-sink-queue-size int                       Queue size of each Hubble recorder sink (default 1024)
      --hubble-recorder-storage-path string                       Directory in which pcap files created via the Hubble Recorder API are stored (default "/var/run/cilium/pcaps")
      --hubble-redact-enabled                                     Hubble redact sensitive information from flows
      --hubble-redact-http-headers-allow strings                  HTTP headers to keep visible in flows
      --hubble-redact-http-headers-deny strings                   HTTP headers to redact from flows
      --hubble-redact-http-urlquery                               Hubble redact http URL query from flows
      --hubble-redact-http-userinfo                               Hubble redact http user info from flows (default true)
      --hubble-redact-kafka-apikey                                Hubble redact Kafka API key from flows
      --hubble-skip-unknown-cgroup-ids                            Skip Hubble events with unknown cgroup ids (default true)
      --hubble-socket-path string                                 Set hubble's socket path to listen for connections (default "/var/run/cilium/hubble.sock")
      --hubble-tls-cert-file string                               Path to the public key file for the Hubble server. The file must contain PEM encoded data.
      --hubble-tls-client-ca-files strings                        Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.
      --hubble-tls-key-file string                                Path to the private key file for the Hubble server. The file must contain PEM encoded data.
      --identity-allocation-mode string                           Method to use for identity allocation (default "kvstore")
      --identity-change-grace-period duration                     Time to wait before using new identity on endpoint identity change (default 5s)
      --identity-restore-grace-period duration                    Time to wait before releasing unused restored CIDR identities during agent restart (default 30s)
      --ingress-secrets-namespace string                          IngressSecretsNamespace is the namespace having tls secrets used by CEC, originating from Ingress controller
      --install-no-conntrack-iptables-rules                       Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup.
      --ip-masq-agent-config-path string                          ip-masq-agent configuration file path (default "/etc/config/ip-masq-agent")
      --ipam string                                               Backend to use for IPAM (default "cluster-pool")
      --ipam-cilium-node-update-rate duration                     Maximum rate at which the CiliumNode custom resource is updated (default 15s)
      --ipam-default-ip-pool string                               Name of the default IP Pool when using multi-pool (default "default")
      --ipam-multi-pool-pre-allocation map                        Defines the minimum number of IPs a node should pre-allocate from each pool (default default=8)
      --ipsec-key-file string                                     Path to IPsec key file
      --ipsec-key-rotation-duration duration                      Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. (default 5m0s)
      --iptables-lock-timeout duration                            Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
      --iptables-random-fully                                     Set iptables flag random-fully on masquerading rules
      --ipv4-native-routing-cidr string                           Allows explicitly specifying the IPv4 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag.
      --ipv4-node string                                          IPv4 address of node (default "auto")
      --ipv4-pod-subnets strings                                  List of IPv4 pod subnets to preconfigure for encryption
      --ipv4-range string                                         Per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 (default "auto")
      --ipv4-service-loopback-address string                      IPv4 address for service loopback SNAT (default "169.254.42.1")
      --ipv4-service-range string                                 Kubernetes IPv4 services CIDR if not inside cluster prefix (default "auto")
      --ipv6-cluster-alloc-cidr string                            IPv6 /64 CIDR used to allocate per node endpoint /96 CIDR (default "f00d::/64")
      --ipv6-mcast-device string                                  Device that joins a Solicited-Node multicast group for IPv6
      --ipv6-native-routing-cidr string                           Allows explicitly specifying the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag.
      --ipv6-node string                                          IPv6 address of node (default "auto")
      --ipv6-pod-subnets strings                                  List of IPv6 pod subnets to preconfigure for encryption
      --ipv6-range string                                         Per-node IPv6 endpoint prefix, e.g. fd02:1:1::/96 (default "auto")
      --ipv6-service-range string                                 Kubernetes IPv6 services CIDR if not inside cluster prefix (default "auto")
      --join-cluster                                              Join a Cilium cluster via kvstore registration
      --k8s-api-server string                                     Kubernetes API server URL
      --k8s-client-burst int                                      Burst value allowed for the K8s client
      --k8s-client-connection-keep-alive duration                 Configures the keep alive duration of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-connection-timeout duration                    Configures the timeout of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-qps float32                                    Queries per second limit for the K8s client
      --k8s-heartbeat-timeout duration                            Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string                                Absolute path of the kubernetes kubeconfig file
      --k8s-namespace string                                      Name of the Kubernetes namespace in which Cilium is deployed
      --k8s-require-ipv4-pod-cidr                                 Require IPv4 PodCIDR to be specified in node resource
      --k8s-require-ipv6-pod-cidr                                 Require IPv6 PodCIDR to be specified in node resource
      --k8s-service-proxy-name string                             Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)
      --k8s-watcher-endpoint-selector string                      K8s endpoint watcher will watch for these k8s endpoints (default "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager")
      --keep-config                                               When restoring state, keeps containers' configuration in place
      --kube-proxy-replacement string                             Enable only selected features (will panic if any selected feature cannot be enabled) ("false"), or enable all features (will panic if any feature cannot be enabled) ("true") (default "false")
      --kube-proxy-replacement-healthz-bind-address string        The IP address with port for kube-proxy replacement health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable.
      --kvstore string                                            Key-value store type
      --kvstore-connectivity-timeout duration                     Time after which an incomplete kvstore operation is considered failed (default 2m0s)
      --kvstore-max-consecutive-quorum-errors uint                Max acceptable kvstore consecutive quorum errors before the agent assumes permanent failure (default 2)
      --kvstore-opt map                                           Key-value store options e.g. etcd.address=127.0.0.1:4001
      --kvstore-periodic-sync duration                            Periodic KVstore synchronization interval (default 5m0s)
      --l2-announcements-lease-duration duration                  Duration of inactivity after which a new leader is selected (default 15s)
      --l2-announcements-renew-deadline duration                  Interval at which the leader renews a lease (default 5s)
      --l2-announcements-retry-period duration                    Timeout after a renew failure, before the next retry (default 2s)
      --l2-pod-announcements-interface string                     Interface used for sending gratuitous ARP messages
      --label-prefix-file string                                  Valid label prefixes file path
      --labels strings                                            List of label prefixes used to determine identity of an endpoint
      --lib-dir string                                            Directory path to store runtime build environment (default "/var/lib/cilium")
      --local-router-ipv4 string                                  Link-local IPv4 used for Cilium's router devices
      --local-router-ipv6 string                                  Link-local IPv6 used for Cilium's router devices
      --log-driver strings                                        Logging endpoints to use, for example syslog
      --log-opt map                                               Log driver options for cilium-agent, configmap example for syslog driver: {"syslog.level":"info","syslog.facility":"local5","syslog.tag":"cilium-agent"}
      --log-system-load                                           Enable periodic logging of system load
      --max-connected-clusters uint32                             Maximum number of clusters to be connected in a clustermesh. Increasing this value will reduce the maximum number of identities available. Valid configurations are [255, 511]. (default 255)
      --mesh-auth-enabled                                         Enable authentication processing & garbage collection (beta) (default true)
      --mesh-auth-gc-interval duration                            Interval in which auth entries are attempted to be garbage collected (default 5m0s)
      --mesh-auth-mutual-connect-timeout duration                 Timeout for connecting to the remote node TCP socket (default 5s)
      --mesh-auth-mutual-listener-port int                        Port on which the Cilium Agent will perform mutual authentication handshakes between other Agents
      --mesh-auth-queue-size int                                  Queue size for the auth manager (default 1024)
      --mesh-auth-rotated-identities-queue-size int               The size of the queue for signaling rotated identities. (default 1024)
      --mesh-auth-spiffe-trust-domain string                      The trust domain for the SPIFFE identity. (default "spiffe.cilium")
      --mesh-auth-spire-admin-socket string                       The path for the SPIRE admin agent Unix socket.
      --metrics strings                                           Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo, -metric_bar to disable metric_bar)
      --monitor-aggregation string                                Level of monitor aggregation for traces from the datapath (default "None")
      --monitor-aggregation-flags strings                         TCP flags that trigger monitor reports when monitor aggregation is enabled (default [syn,fin,rst])
      --monitor-aggregation-interval duration                     Monitor report interval when monitor aggregation is enabled (default 5s)
      --monitor-queue-size int                                    Size of the event queue when reading monitor events
      --mtu int                                                   Overwrite auto-detected MTU of underlying network
      --multicast-enabled                                         Enables multicast in Cilium
      --nat-map-stats-entries int                                 Number of top (k) NAT map stats entries to store locally in statedb (default 32)
      --nat-map-stats-interval duration                           Interval upon which nat maps are iterated for stats (default 30s)
      --node-encryption-opt-out-labels string                     Label selector for nodes which will opt-out of node-to-node encryption (default "node-role.kubernetes.io/control-plane")
      --node-labels strings                                       List of label prefixes used to determine identity of a node (used only when enable-node-selector-labels is enabled)
      --node-port-bind-protection                                 Reject application bind(2) requests to service ports in the NodePort range (default true)
      --node-port-range strings                                   Set the min/max NodePort port range (default [30000,32767])
      --nodeport-addresses strings                                A whitelist of CIDRs to limit which IPs are used for NodePort. If not set, primary IPv4 and/or IPv6 address of each native device is used.
      --policy-accounting                                         Enable policy accounting (default true)
      --policy-audit-mode                                         Enable policy audit (non-drop) mode
      --policy-cidr-match-mode strings                            The entities that can be selected by CIDR policy. Supported values: 'nodes'
      --policy-queue-size int                                     Size of queues for policy-related events (default 100)
      --pprof                                                     Enable serving pprof debugging API
      --pprof-address string                                      Address that pprof listens on (default "localhost")
      --pprof-port uint16                                         Port that pprof listens on (default 6060)
      --preallocate-bpf-maps                                      Enable BPF map pre-allocation (default true)
      --prepend-iptables-chains                                   Prepend custom iptables chains instead of appending (default true)
      --procfs string                                             Path to the host's proc filesystem mount (default "/proc")
      --prometheus-serve-addr string                              IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
      --proxy-admin-port int                                      Port to serve Envoy admin interface on.
      --proxy-connect-timeout uint                                Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 2)
      --proxy-gid uint                                            Group ID for proxy control plane sockets. (default 1337)
      --proxy-idle-timeout-seconds int                            Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s (default 60)
      --proxy-max-connection-duration-seconds int                 Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
      --proxy-max-requests-per-connection int                     Set Envoy HTTP option max_requests_per_connection. Default 0 (disable)
      --proxy-portrange-max uint16                                End of port range that is used to allocate ports for L7 proxies. (default 20000)
      --proxy-portrange-min uint16                                Start of port range that is used to allocate ports for L7 proxies. (default 10000)
      --proxy-prometheus-port int                                 Port to serve Envoy metrics on. Default 0 (disabled).
      --proxy-xff-num-trusted-hops-egress uint32                  Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
      --proxy-xff-num-trusted-hops-ingress uint32                 Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
      --read-cni-conf string                                      CNI configuration file to use as a source for --write-cni-conf-when-ready. If not supplied, a suitable one will be generated.
      --restore                                                   Restores state, if possible, from previous daemon (default true)
      --route-metric int                                          Overwrite the metric used by cilium when adding routes to its 'cilium_host' device
      --routing-mode string                                       Routing mode ("native" or "tunnel") (default "tunnel")
      --service-no-backend-response string                        Response to traffic for a service without backends (default "reject")
      --socket-path string                                        Sets daemon's socket path to listen for connections (default "/var/run/cilium/cilium.sock")
      --state-dir string                                          Directory path to store runtime state (default "/var/run/cilium")
      --static-cnp-path string                                    Directory path to watch and load static cilium network policy yaml files.
      --tofqdns-dns-reject-response-code string                   DNS response code for rejecting DNS requests, available options are '[nameError refused]' (default "refused")
      --tofqdns-enable-dns-compression                            Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present (default true)
      --tofqdns-endpoint-max-ip-per-hostname int                  Maximum number of IPs to maintain per FQDN name for each endpoint (default 50)
      --tofqdns-idle-connection-grace-period duration             Time during which idle but previously active connections with expired DNS lookups are still considered alive (default 0s)
      --tofqdns-max-deferred-connection-deletes int               Maximum number of IPs to retain for expired DNS lookups with still-active connections (default 10000)
      --tofqdns-min-ttl int                                       The minimum time, in seconds, to use DNS data for toFQDNs policies
      --tofqdns-pre-cache string                                  DNS cache data at this path is preloaded on agent startup
      --tofqdns-proxy-port int                                    Global port on which the in-agent DNS proxy should listen. Default 0 is an OS-assigned port.
      --tofqdns-proxy-response-max-delay duration                 The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. (default 100ms)
      --trace-payloadlen int                                      Length of payload to capture when tracing (default 128)
      --trace-sock                                                Enable tracing for socket-based LB (default true)
      --tunnel-port uint16                                        Tunnel port (default 8472 for "vxlan" and 6081 for "geneve")
      --tunnel-protocol string                                    Encapsulation protocol to use for the overlay ("vxlan" or "geneve") (default "vxlan")
      --use-full-tls-context                                      If enabled, persist ca.crt keys into the Envoy config even in a terminatingTLS block on an L7 Cilium Policy. This is to enable compatibility with previously buggy behaviour. This flag is deprecated and will be removed in a future release.
      --version                                                   Print version information
      --vlan-bpf-bypass strings                                   List of explicitly allowed VLAN IDs, '0' id will allow all VLAN IDs
      --vtep-cidr strings                                         List of VTEP CIDRs that will be routed towards VTEPs for traffic cluster egress
      --vtep-endpoint strings                                     List of VTEP IP addresses
      --vtep-mac strings                                          List of VTEP MAC addresses for forwarding traffic outside the cluster
      --vtep-mask string                                          VTEP CIDR Mask for all VTEP CIDRs (default "255.255.255.0")
      --wireguard-persistent-keepalive duration                   The WireGuard keepalive interval as a Go duration string
      --write-cni-conf-when-ready string                          Write the CNI configuration to the specified path when agent is ready

SEE ALSO