cilium-dbg preflight migrate-identity

Migrate KVStore-backed identities to kubernetes CRD-backed identities


migrate-identity allows migrating to CRD-backed identities while minimizing connection interruptions. It will allocate a CRD-backed identity, with the same numeric security identity, for each cilium security identity defined in the kvstore. When cilium-agents are restarted with identity-allocation-mode set to CRD the numeric identities will then be equivalent between new instances and not-upgraded ones. In cases where the numeric identity is already in-use by a different set of labels, a new numeric identity is created.

cilium-dbg preflight migrate-identity [flags]


      --enable-k8s                       Enable the k8s clientset (default true)
      --enable-k8s-api-discovery         Enable discovery of Kubernetes API groups and resources with the discovery API
  -h, --help                             help for migrate-identity
      --k8s-api-server string            Kubernetes API server URL
      --k8s-client-burst int             Burst value allowed for the K8s client
      --k8s-client-qps float32           Queries per second limit for the K8s client
      --k8s-heartbeat-timeout duration   Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string       Absolute path of the kubernetes kubeconfig file
      --kvstore string                   Key-value store type
      --kvstore-opt map                  Key-value store options e.g. etcd.address=

Options inherited from parent commands

      --config string   Config file (default is $HOME/.cilium.yaml)
  -D, --debug           Enable debug messages
  -H, --host string     URI to server-side API