Administrative API Enablement

Cilium 1.14 introduced a new set of flags that you can use to selectively enable which API endpoints are exposed to clients. When an API client makes a request to an API endpoint that is administratively disabled, the server responds with an HTTP 403 Forbidden error.

You can configure the option with a list of endpoints as described in the following sections, or by specifying an option with the * suffix. If * is provided directly as a flag value, then all APIs are enabled. If there is text before the *, then the API flag must start with that prefix in order for the flag to enable that option. For example, Get* enables all read-only “GET” APIs without enabling any write APIs.

The cilium-agent relies on several of these APIs for its basic duties. In particular, disabling the following APIs will likely cause significant disruption to agent operations:

  • GetConfig

  • GetHealthz

  • PutEndpointID

  • DeleteEndpointID

  • PostIPAM

  • DeleteIPAMIP

The following sections outline the flags for different Cilium binaries and the API endpoints that may be configured using those flags.

Cilium Agent API

The following API flags are compatible with the cilium-agent flag enable-cilium-api-server-access.

Flag Name

Description

DeleteEndpoint

Deletes a list of endpoints that have endpoints matching the provided properties

DeleteEndpointID

Deletes the endpoint specified by the ID. Deletion is imminent and atomic, if the deletion request is valid and the endpoint exists, deletion will occur even if errors are encountered in the process. If errors have been encountered, the code 202 will be returned, otherwise 200 on success. All resources associated with the endpoint will be freed and the workload represented by the endpoint will be disconnected.It will no longer be able to initiate or receive communications of any sort.

DeleteFqdnCache

Deletes matching DNS lookups from the cache, optionally restricted by DNS name. The removed IP data will no longer be used in generated policies.

DeleteIPAMIP

DeletePolicy

DeletePrefilter

DeleteRecorderID

DeleteServiceID

GetBGPPeers

Retrieves current operational state of BGP peers created by Cilium BGP virtual router. This includes session state, uptime, information per address family, etc.

GetBGPRoutePolicies

Retrieves route policies from BGP Control Plane.

GetBGPRoutes

Retrieves routes from BGP Control Plane RIB filtered by parameters you specify

GetCgroupDumpMetadata

GetClusterNodes

GetConfig

Returns the configuration of the Cilium daemon.

GetDebuginfo

GetEndpoint

Retrieves a list of endpoints that have metadata matching the provided parameters, or all endpoints if no parameters provided.

GetEndpointID

Returns endpoint information

GetEndpointIDConfig

Retrieves the configuration of the specified endpoint.

GetEndpointIDHealthz

GetEndpointIDLabels

GetEndpointIDLog

GetFqdnCache

Retrieves the list of DNS lookups intercepted from endpoints, optionally filtered by DNS name, CIDR IP range or source.

GetFqdnCacheID

Retrieves the list of DNS lookups intercepted from the specific endpoint, optionally filtered by endpoint id, DNS name, CIDR IP range or source.

GetFqdnNames

Retrieves the list of DNS-related fields (names to poll, selectors and their corresponding regexes).

GetHealthz

Returns health and status information of the Cilium daemon and related components such as the local container runtime, connected datastore, Kubernetes integration and Hubble.

GetIP

Retrieves a list of IPs with known associated information such as their identities, host addresses, Kubernetes pod names, etc. The list can optionally filtered by a CIDR IP range.

GetIdentity

Retrieves a list of identities that have metadata matching the provided parameters, or all identities if no parameters are provided.

GetIdentityEndpoints

GetIdentityID

GetLRP

GetMap

GetMapName

GetMapNameEvents

GetMetrics

GetNodeIds

Retrieves a list of node IDs allocated by the agent and their associated node IP addresses.

GetPolicy

Returns the entire policy tree with all children.

GetPolicySelectors

GetPrefilter

GetRecorder

GetRecorderID

GetRecorderMasks

GetService

GetServiceID

PatchConfig

Updates the daemon configuration by applying the provided ConfigurationMap and regenerates & recompiles all required datapath components.

PatchEndpointID

Applies the endpoint change request to an existing endpoint

PatchEndpointIDConfig

Update the configuration of an existing endpoint and regenerates & recompiles the corresponding programs automatically.

PatchEndpointIDLabels

Sets labels associated with an endpoint. These can be user provided or derived from the orchestration system.

PatchPrefilter

PostIPAM

PostIPAMIP

PutEndpointID

Creates a new endpoint

PutPolicy

PutRecorderID

PutServiceID

Cilium Agent Clusterwide Health API

The following API flags are compatible with the cilium-agent flag enable-cilium-health-api-server-access.

Flag Name

Description

GetHealthz

Returns health and status information of the local node including load and uptime, as well as the status of related components including the Cilium daemon.

GetStatus

Returns the connectivity status to all other cilium-health instances using interval-based probing.

PutStatusProbe

Runs a synchronous probe to all other cilium-health instances and returns the connectivity status.

Cilium Operator API

The following API flags are compatible with the cilium-operator flag enable-cilium-operator-server-access.

Flag Name

Description

GetCluster

Returns the list of remote clusters and their status.

GetHealthz

Returns the status of cilium operator instance.

GetMetrics

Returns the metrics exposed by the Cilium operator.