Administrative API Enablement
Cilium 1.14 introduced a new set of flags that you can use to selectively enable which API endpoints are exposed to clients. When an API client makes a request to an API endpoint that is administratively disabled, the server responds with an HTTP 403 Forbidden error.
You can configure the option with a list of endpoints as described in the following sections, or by specifying an option with the `*` suffix. If `*` is provided directly as a flag value, then all APIs are enabled. If there is text before the `*`, then the API name must start with that prefix in order for the flag to enable that API. For example, `Get*` enables all read-only "GET" APIs without enabling any write APIs.
The cilium-agent relies on several of these APIs for its basic duties. In particular, disabling the following APIs will likely cause significant disruption to agent operations:

- `GetConfig`
- `GetHealthz`
- `PutEndpointID`
- `DeleteEndpointID`
- `PostIPAM`
- `DeleteIPAMIP`
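The prefix-matching rule above and the list of agent-critical APIs can be checked before a flag value is rolled out. The following is an added example, not Cilium's own code: `apiEnabled` models the `*` semantics described on this page (a bare `*` enables everything, `Get*` enables every API starting with `Get`, a full name enables only that API), and `missingRequired` reports which of the listed agent-critical APIs a given set of flag values would leave answering HTTP 403. It assumes the flag values are already split into a slice of strings.

```go
package main

import (
	"fmt"
	"strings"
)

// apiEnabled reports whether api is enabled by the given flag values,
// following the page's rule: "*" enables all, "Get*" is a prefix match,
// and a bare name such as "PutEndpointID" matches only that exact API.
func apiEnabled(flagValues []string, api string) bool {
	for _, v := range flagValues {
		if v == "*" {
			return true
		}
		if strings.HasSuffix(v, "*") {
			if strings.HasPrefix(api, strings.TrimSuffix(v, "*")) {
				return true
			}
			continue
		}
		if v == api {
			return true
		}
	}
	return false
}

// APIs the page lists as required by cilium-agent for its basic duties.
var agentRequiredAPIs = []string{
	"GetConfig", "GetHealthz", "PutEndpointID", "DeleteEndpointID", "PostIPAM", "DeleteIPAMIP",
}

// missingRequired returns the required APIs that the given flag values
// would leave disabled (the server would answer them with HTTP 403).
func missingRequired(flagValues []string) []string {
	var missing []string
	for _, api := range agentRequiredAPIs {
		if !apiEnabled(flagValues, api) {
			missing = append(missing, api)
		}
	}
	return missing
}

func main() {
	// Constructed sample value: read-only access only, which is not enough for the agent.
	values := []string{"Get*"}
	fmt.Println("GetEndpointID enabled:", apiEnabled(values, "GetEndpointID"))
	fmt.Println("required APIs left disabled:", missingRequired(values))
}
```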
The following sections outline the flags for different Cilium binaries and the API endpoints that may be configured using those flags.
Cilium Agent API
The following API flags are compatible with the cilium-agent flag `enable-cilium-api-server-access`.
| Flag Name | Description |
|---|---|
| DeleteEndpoint | Deletes the endpoints whose metadata matches the provided properties. |
| DeleteEndpointID | Deletes the endpoint specified by the ID. Deletion is imminent and atomic: if the deletion request is valid and the endpoint exists, deletion will occur even if errors are encountered in the process. If errors were encountered, the code 202 is returned; otherwise 200 on success. All resources associated with the endpoint will be freed and the workload represented by the endpoint will be disconnected. It will no longer be able to initiate or receive communications of any sort. |
| DeleteFqdnCache | Deletes matching DNS lookups from the cache, optionally restricted by DNS name. The removed IP data will no longer be used in generated policies. |
| DeleteIPAMIP | |
| DeletePolicy | |
| DeletePrefilter | |
| DeleteRecorderID | |
| DeleteServiceID | |
| GetBGPPeers | Retrieves the current operational state of BGP peers created by the Cilium BGP virtual router. This includes session state, uptime, information per address family, etc. |
| GetBGPRoutePolicies | Retrieves route policies from the BGP Control Plane. |
| GetBGPRoutes | Retrieves routes from the BGP Control Plane RIB, filtered by the parameters you specify. |
| GetCgroupDumpMetadata | |
| GetClusterNodes | |
| GetConfig | Returns the configuration of the Cilium daemon. |
| GetDebuginfo | |
| GetEndpoint | Retrieves a list of endpoints that have metadata matching the provided parameters, or all endpoints if no parameters are provided. |
| GetEndpointID | Returns endpoint information. |
| GetEndpointIDConfig | Retrieves the configuration of the specified endpoint. |
| GetEndpointIDHealthz | |
| GetEndpointIDLabels | |
| GetEndpointIDLog | |
| GetFqdnCache | Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by DNS name, CIDR IP range or source. |
| GetFqdnCacheID | Retrieves the list of DNS lookups intercepted from the specific endpoint, optionally filtered by endpoint ID, DNS name, CIDR IP range or source. |
| GetFqdnNames | Retrieves the list of DNS-related fields (names to poll, selectors and their corresponding regexes). |
| GetHealthz | Returns health and status information of the Cilium daemon and related components such as the local container runtime, connected datastore, Kubernetes integration and Hubble. |
| GetIP | Retrieves a list of IPs with known associated information such as their identities, host addresses, Kubernetes pod names, etc. The list can optionally be filtered by a CIDR IP range. |
| GetIdentity | Retrieves a list of identities that have metadata matching the provided parameters, or all identities if no parameters are provided. |
| GetIdentityEndpoints | |
| GetIdentityID | |
| GetLRP | |
| GetMap | |
| GetMapName | |
| GetMapNameEvents | |
| GetMetrics | |
| GetNodeIds | Retrieves a list of node IDs allocated by the agent and their associated node IP addresses. |
| GetPolicy | Returns the entire policy tree with all children. |
| GetPolicySelectors | |
| GetPrefilter | |
| GetRecorder | |
| GetRecorderID | |
| GetRecorderMasks | |
| GetService | |
| GetServiceID | |
| PatchConfig | Updates the daemon configuration by applying the provided ConfigurationMap and regenerates & recompiles all required datapath components. |
| PatchEndpointID | Applies the endpoint change request to an existing endpoint. |
| PatchEndpointIDConfig | Updates the configuration of an existing endpoint and regenerates & recompiles the corresponding programs automatically. |
| PatchEndpointIDLabels | Sets labels associated with an endpoint. These can be user provided or derived from the orchestration system. |
| PatchPrefilter | |
| PostIPAM | |
| PostIPAMIP | |
| PutEndpointID | Creates a new endpoint. |
| PutPolicy | |
| PutRecorderID | |
| PutServiceID | |

Cilium Agent Clusterwide Health API
The following API flags are compatible with the cilium-agent flag `enable-cilium-health-api-server-access`.
| Flag Name | Description |
|---|---|
| GetHealthz | Returns health and status information of the local node including load and uptime, as well as the status of related components including the Cilium daemon. |
| GetStatus | Returns the connectivity status to all other cilium-health instances using interval-based probing. |
| PutStatusProbe | Runs a synchronous probe to all other cilium-health instances and returns the connectivity status. |

Cilium Operator API
The following API flags are compatible with the cilium-operator flag `enable-cilium-operator-server-access`.
| Flag Name | Description |
|---|---|
| GetCluster | Returns the list of remote clusters and their status. |
| GetHealthz | Returns the status of the Cilium operator instance. |
| GetMetrics | Returns the metrics exposed by the Cilium operator. |