// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package option
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io"
"math"
"net"
"net/netip"
"os"
"path/filepath"
"runtime"
"sort"
"strconv"
"strings"
"github.com/shirou/gopsutil/v3/mem"
"github.com/sirupsen/logrus"
"github.com/spf13/cast"
"github.com/spf13/cobra"
"github.com/spf13/viper"
"google.golang.org/protobuf/types/known/fieldmaskpb"
k8sLabels "k8s.io/apimachinery/pkg/labels"
flowpb "github.com/cilium/cilium/api/v1/flow"
"github.com/cilium/cilium/api/v1/models"
"github.com/cilium/cilium/pkg/cidr"
clustermeshTypes "github.com/cilium/cilium/pkg/clustermesh/types"
"github.com/cilium/cilium/pkg/command"
"github.com/cilium/cilium/pkg/defaults"
"github.com/cilium/cilium/pkg/ip"
ipamOption "github.com/cilium/cilium/pkg/ipam/option"
"github.com/cilium/cilium/pkg/lock"
"github.com/cilium/cilium/pkg/logging"
"github.com/cilium/cilium/pkg/logging/logfields"
"github.com/cilium/cilium/pkg/mac"
"github.com/cilium/cilium/pkg/time"
"github.com/cilium/cilium/pkg/version"
)
var (
// log is the package-level logger: logging.DefaultLogger with the
// logfields.LogSubsys field set to "config", so every message emitted
// while handling agent options carries the "config" subsystem tag.
log = logging.DefaultLogger.WithField(logfields.LogSubsys, "config")
)
const (
// AgentHealthPort is the TCP port for agent health status API
AgentHealthPort = "agent-health-port"
// ClusterHealthPort is the TCP port for cluster-wide network connectivity health API
ClusterHealthPort = "cluster-health-port"
// ClusterMeshHealthPort is the TCP port for ClusterMesh apiserver health API
ClusterMeshHealthPort = "clustermesh-health-port"
// AgentLabels are additional labels to identify this agent
AgentLabels = "agent-labels"
// AllowICMPFragNeeded allows ICMP Fragmentation Needed type packets in policy.
AllowICMPFragNeeded = "allow-icmp-frag-needed"
// AllowLocalhost is the policy when to allow local stack to reach local endpoints { auto | always | policy }
AllowLocalhost = "allow-localhost"
// AllowLocalhostAuto defaults to policy except when running in
// Kubernetes where it then defaults to "always"
AllowLocalhostAuto = "auto"
// AllowLocalhostAlways always allows the local stack to reach local
// endpoints
AllowLocalhostAlways = "always"
// AllowLocalhostPolicy requires a policy rule to allow the local stack
// to reach particular endpoints or policy enforcement must be
// disabled.
AllowLocalhostPolicy = "policy"
// AnnotateK8sNode enables annotating a kubernetes node while bootstrapping
// the daemon, which can also be disabled using this option.
AnnotateK8sNode = "annotate-k8s-node"
// ARPPingRefreshPeriod is the ARP entries refresher period
ARPPingRefreshPeriod = "arping-refresh-period"
// EnableL2NeighDiscovery determines if cilium should perform L2 neighbor
// discovery.
EnableL2NeighDiscovery = "enable-l2-neigh-discovery"
// BPFRoot is the Path to BPF filesystem
BPFRoot = "bpf-root"
// CGroupRoot is the path to Cgroup2 filesystem
CGroupRoot = "cgroup-root"
// CompilerFlags allow to specify extra compiler commands for advanced debugging
CompilerFlags = "cflags"
// ConfigFile is the Configuration file (default "$HOME/ciliumd.yaml")
ConfigFile = "config"
// ConfigDir is the directory that contains a file for each option where
// the filename represents the option name and the content of that file
// represents the value of that option.
ConfigDir = "config-dir"
// ConntrackGCInterval is the name of the ConntrackGCInterval option
ConntrackGCInterval = "conntrack-gc-interval"
// ConntrackGCMaxInterval is the name of the ConntrackGCMaxInterval option
ConntrackGCMaxInterval = "conntrack-gc-max-interval"
// DebugArg is the argument that enables debugging mode
DebugArg = "debug"
// DebugVerbose is the argument that enables verbose log messages for particular subsystems
DebugVerbose = "debug-verbose"
// Devices facing cluster/external network for attaching bpf_host
Devices = "devices"
// DirectRoutingDevice is the name of a device used to connect nodes in
// direct routing mode (only required by BPF NodePort)
DirectRoutingDevice = "direct-routing-device"
// LBDevInheritIPAddr is the name of the device whose IP address is inherited
// by devices running the BPF load balancer program
LBDevInheritIPAddr = "bpf-lb-dev-ip-addr-inherit"
// DisableEnvoyVersionCheck do not perform Envoy binary version check on startup
DisableEnvoyVersionCheck = "disable-envoy-version-check"
// EnablePolicy enables policy enforcement in the agent.
EnablePolicy = "enable-policy"
// EnableExternalIPs enables implementation of k8s services with externalIPs in datapath
EnableExternalIPs = "enable-external-ips"
// EnableL7Proxy is the name of the option to enable L7 proxy
EnableL7Proxy = "enable-l7-proxy"
// EnableTracing enables tracing mode in the agent.
EnableTracing = "enable-tracing"
// Add unreachable routes on pod deletion
EnableUnreachableRoutes = "enable-unreachable-routes"
// EncryptInterface enables encryption on specified interface
EncryptInterface = "encrypt-interface"
// EncryptNode enables node IP encryption
EncryptNode = "encrypt-node"
// EnvoyLog sets the path to a separate Envoy log file, if any
EnvoyLog = "envoy-log"
// GopsPort is the TCP port for the gops server.
GopsPort = "gops-port"
// ProxyPrometheusPort specifies the port to serve Cilium host proxy metrics on.
ProxyPrometheusPort = "proxy-prometheus-port"
// ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for the proxy
ProxyMaxRequestsPerConnection = "proxy-max-requests-per-connection"
// ProxyMaxConnectionDuration specifies the max_connection_duration setting for the proxy in seconds
ProxyMaxConnectionDuration = "proxy-max-connection-duration-seconds"
// ProxyIdleTimeout specifies the idle_timeout setting (in seconds), which applies
// for the connection from proxy to upstream cluster
ProxyIdleTimeout = "proxy-idle-timeout-seconds"
// FixedIdentityMapping is the key-value for the fixed identity mapping
// which allows to use reserved label for fixed identities
FixedIdentityMapping = "fixed-identity-mapping"
// IPv4Range is the per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16
IPv4Range = "ipv4-range"
// IPv6Range is the per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96
IPv6Range = "ipv6-range"
// IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside cluster prefix
IPv4ServiceRange = "ipv4-service-range"
// IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside cluster prefix
IPv6ServiceRange = "ipv6-service-range"
// IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option
IPv6ClusterAllocCIDRName = "ipv6-cluster-alloc-cidr"
// K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option
K8sRequireIPv4PodCIDRName = "k8s-require-ipv4-pod-cidr"
// K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option
K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr"
// K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium
// should watch for.
K8sWatcherEndpointSelector = "k8s-watcher-endpoint-selector"
// EnableK8s operation of Kubernetes-related services/controllers.
// Intended for operating cilium with CNI-compatible orchestrators other than Kubernetes. (default is true)
EnableK8s = "enable-k8s"
// K8sAPIServer is the kubernetes api address server (for https use --k8s-kubeconfig-path instead)
K8sAPIServer = "k8s-api-server"
// K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file
K8sKubeConfigPath = "k8s-kubeconfig-path"
// K8sServiceCacheSize is service cache size for cilium k8s package.
K8sServiceCacheSize = "k8s-service-cache-size"
// K8sSyncTimeout is the timeout since last event was received to synchronize all resources with k8s.
K8sSyncTimeoutName = "k8s-sync-timeout"
// AllocatorListTimeout is the timeout to list initial allocator state.
AllocatorListTimeoutName = "allocator-list-timeout"
// KeepConfig when restoring state, keeps containers' configuration in place
KeepConfig = "keep-config"
// KVStore key-value store type
KVStore = "kvstore"
// KVStoreOpt key-value store options
KVStoreOpt = "kvstore-opt"
// Labels is the list of label prefixes used to determine identity of an endpoint
Labels = "labels"
// LabelPrefixFile is the valid label prefixes file path
LabelPrefixFile = "label-prefix-file"
// EnableHostFirewall enables network policies for the host
EnableHostFirewall = "enable-host-firewall"
// EnableHostPort enables HostPort forwarding implemented by Cilium in BPF
EnableHostPort = "enable-host-port"
// EnableHostLegacyRouting enables the old routing path via stack.
EnableHostLegacyRouting = "enable-host-legacy-routing"
// EnableNodePort enables NodePort services implemented by Cilium in BPF
EnableNodePort = "enable-node-port"
// EnableSVCSourceRangeCheck enables checking of service source ranges
EnableSVCSourceRangeCheck = "enable-svc-source-range-check"
// NodePortMode indicates in which mode NodePort implementation should run
// ("snat", "dsr" or "hybrid")
NodePortMode = "node-port-mode"
// NodePortAlg indicates which algorithm is used for backend selection
// ("random" or "maglev")
NodePortAlg = "node-port-algorithm"
// NodePortAcceleration indicates whether NodePort should be accelerated
// via XDP ("none", "generic" or "native")
NodePortAcceleration = "node-port-acceleration"
// Alias to NodePortMode
LoadBalancerMode = "bpf-lb-mode"
// Alias to DSR dispatch method
LoadBalancerDSRDispatch = "bpf-lb-dsr-dispatch"
// Alias to DSR L4 translation method
LoadBalancerDSRL4Xlate = "bpf-lb-dsr-l4-xlate"
// Alias to DSR/IPIP IPv4 source CIDR
LoadBalancerRSSv4CIDR = "bpf-lb-rss-ipv4-src-cidr"
// Alias to DSR/IPIP IPv6 source CIDR
LoadBalancerRSSv6CIDR = "bpf-lb-rss-ipv6-src-cidr"
// Alias to NodePortAlg
LoadBalancerAlg = "bpf-lb-algorithm"
// Alias to NodePortAcceleration
LoadBalancerAcceleration = "bpf-lb-acceleration"
// MaglevTableSize determines the size of the backend table per service
MaglevTableSize = "bpf-lb-maglev-table-size"
// MaglevHashSeed contains the cluster-wide seed for the hash
MaglevHashSeed = "bpf-lb-maglev-hash-seed"
// NodePortBindProtection rejects bind requests to NodePort service ports
NodePortBindProtection = "node-port-bind-protection"
// NodePortRange defines a custom range where to look up NodePort services
NodePortRange = "node-port-range"
// EnableAutoProtectNodePortRange enables appending NodePort range to
// net.ipv4.ip_local_reserved_ports if it overlaps with ephemeral port
// range (net.ipv4.ip_local_port_range)
EnableAutoProtectNodePortRange = "enable-auto-protect-node-port-range"
// KubeProxyReplacement controls how to enable kube-proxy replacement
// features in BPF datapath
KubeProxyReplacement = "kube-proxy-replacement"
// EnableSessionAffinity enables a support for service sessionAffinity
EnableSessionAffinity = "enable-session-affinity"
EnableServiceTopology = "enable-service-topology"
// EnableIdentityMark enables setting the mark field with the identity for
// local traffic. This may be disabled if chaining modes and Cilium use
// conflicting marks.
EnableIdentityMark = "enable-identity-mark"
// EnableHighScaleIPcache enables the special ipcache mode for high scale
// clusters. The ipcache content will be reduced to the strict minimum and
// traffic will be encapsulated to carry security identities.
EnableHighScaleIPcache = "enable-high-scale-ipcache"
// AddressScopeMax controls the maximum address scope for addresses to be
// considered local ones with HOST_ID in the ipcache
AddressScopeMax = "local-max-addr-scope"
// EnableBandwidthManager enables EDT-based pacing
EnableBandwidthManager = "enable-bandwidth-manager"
// EnableBBR enables BBR TCP congestion control for the node including Pods
EnableBBR = "enable-bbr"
// EnableRecorder enables the datapath pcap recorder
EnableRecorder = "enable-recorder"
// EnableLocalRedirectPolicy enables support for local redirect policy
EnableLocalRedirectPolicy = "enable-local-redirect-policy"
// EnableMKE enables MKE specific 'chaining' for kube-proxy replacement
EnableMKE = "enable-mke"
// CgroupPathMKE points to the cgroupv1 net_cls mount instance
CgroupPathMKE = "mke-cgroup-mount"
// LibDir is the directory path used to store the runtime build environment
LibDir = "lib-dir"
// LogDriver sets logging endpoints to use for example syslog, fluentd
LogDriver = "log-driver"
// LogOpt sets log driver options for cilium
LogOpt = "log-opt"
// Logstash enables logstash integration
Logstash = "logstash"
// EnableIPv4Masquerade masquerades IPv4 packets from endpoints leaving the host.
EnableIPv4Masquerade = "enable-ipv4-masquerade"
// EnableIPv6Masquerade masquerades IPv6 packets from endpoints leaving the host.
EnableIPv6Masquerade = "enable-ipv6-masquerade"
// EnableBPFClockProbe selects a more efficient source clock (jiffies vs ktime)
EnableBPFClockProbe = "enable-bpf-clock-probe"
// EnableBPFMasquerade masquerades packets from endpoints leaving the host with BPF instead of iptables
EnableBPFMasquerade = "enable-bpf-masquerade"
// EnableMasqueradeRouteSource masquerades to the source route IP address instead of the interface one
EnableMasqueradeRouteSource = "enable-masquerade-to-route-source"
// DeriveMasqIPAddrFromDevice is the name of the device whose IP address is used for BPF masquerading
DeriveMasqIPAddrFromDevice = "derive-masquerade-ip-addr-from-device"
// EnableIPMasqAgent enables BPF ip-masq-agent
EnableIPMasqAgent = "enable-ip-masq-agent"
// EnableIPv4EgressGateway enables the IPv4 egress gateway
EnableIPv4EgressGateway = "enable-ipv4-egress-gateway"
// EnableIngressController enables Ingress Controller
EnableIngressController = "enable-ingress-controller"
// EnableGatewayAPI enables Gateway API support
EnableGatewayAPI = "enable-gateway-api"
// EnableEnvoyConfig enables processing of CiliumClusterwideEnvoyConfig and CiliumEnvoyConfig CRDs
EnableEnvoyConfig = "enable-envoy-config"
// EnvoyConfigTimeout determines how long to wait for Envoy to N/ACK resources
EnvoyConfigTimeout = "envoy-config-timeout"
// IPMasqAgentConfigPath is the configuration file path
IPMasqAgentConfigPath = "ip-masq-agent-config-path"
// InstallIptRules sets whether Cilium should install any iptables in general
InstallIptRules = "install-iptables-rules"
// InstallNoConntrackIptRules instructs Cilium to install Iptables rules
// to skip netfilter connection tracking on all pod traffic.
InstallNoConntrackIptRules = "install-no-conntrack-iptables-rules"
IPTablesLockTimeout = "iptables-lock-timeout"
// IPTablesRandomFully sets iptables flag random-fully on masquerading rules
IPTablesRandomFully = "iptables-random-fully"
// IPv6NodeAddr is the IPv6 address of node
IPv6NodeAddr = "ipv6-node"
// IPv4NodeAddr is the IPv4 address of node
IPv4NodeAddr = "ipv4-node"
// Restore restores state, if possible, from previous daemon
Restore = "restore"
// SidecarIstioProxyImage regular expression matching compatible Istio sidecar istio-proxy container image names
SidecarIstioProxyImage = "sidecar-istio-proxy-image"
// SocketPath sets daemon's socket path to listen for connections
SocketPath = "socket-path"
// StateDir is the directory path to store runtime state
StateDir = "state-dir"
// TracePayloadlen length of payload to capture when tracing
TracePayloadlen = "trace-payloadlen"
// Version prints the version information
Version = "version"
// EnableXDPPrefilter enables XDP-based prefiltering
EnableXDPPrefilter = "enable-xdp-prefilter"
ProcFs = "procfs"
// PrometheusServeAddr IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
PrometheusServeAddr = "prometheus-serve-addr"
// ExternalEnvoyProxy defines whether the Envoy is deployed externally in form of a DaemonSet or not.
ExternalEnvoyProxy = "external-envoy-proxy"
// CMDRef is the path to cmdref output directory
CMDRef = "cmdref"
// DNSMaxIPsPerRestoredRule defines the maximum number of IPs to maintain
// for each FQDN selector in endpoint's restored DNS rules
DNSMaxIPsPerRestoredRule = "dns-max-ips-per-restored-rule"
// DNSPolicyUnloadOnShutdown is the name of the dns-policy-unload-on-shutdown option.
DNSPolicyUnloadOnShutdown = "dns-policy-unload-on-shutdown"
// ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies.
ToFQDNsMinTTL = "tofqdns-min-ttl"
// ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.
ToFQDNsProxyPort = "tofqdns-proxy-port"
// ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain
// for each FQDN name in an endpoint's FQDN cache
ToFQDNsMaxIPsPerHost = "tofqdns-endpoint-max-ip-per-hostname"
// ToFQDNsMaxDeferredConnectionDeletes defines the maximum number of IPs to
// retain for expired DNS lookups with still-active connections
ToFQDNsMaxDeferredConnectionDeletes = "tofqdns-max-deferred-connection-deletes"
// ToFQDNsIdleConnectionGracePeriod defines the connection idle time during which
// previously active connections with expired DNS lookups are still considered alive
ToFQDNsIdleConnectionGracePeriod = "tofqdns-idle-connection-grace-period"
// ToFQDNsPreCache is a path to a file with DNS cache data to insert into the
// global cache on startup.
// The file is not re-read after agent start.
ToFQDNsPreCache = "tofqdns-pre-cache"
// ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to
// endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
ToFQDNsEnableDNSCompression = "tofqdns-enable-dns-compression"
// DNSProxyConcurrencyLimit limits parallel processing of DNS messages in
// DNS proxy at any given point in time.
DNSProxyConcurrencyLimit = "dnsproxy-concurrency-limit"
// DNSProxyConcurrencyProcessingGracePeriod is the amount of grace time to
// wait while processing DNS messages when the DNSProxyConcurrencyLimit has
// been reached.
DNSProxyConcurrencyProcessingGracePeriod = "dnsproxy-concurrency-processing-grace-period"
// DNSProxyLockCount is the array size containing mutexes which protect
// against parallel handling of DNS response IPs.
DNSProxyLockCount = "dnsproxy-lock-count"
// DNSProxyLockTimeout is timeout when acquiring the locks controlled by
// DNSProxyLockCount.
DNSProxyLockTimeout = "dnsproxy-lock-timeout"
// MTUName is the name of the MTU option
MTUName = "mtu"
// RouteMetric is the name of the route-metric option
RouteMetric = "route-metric"
// DatapathMode is the name of the DatapathMode option
DatapathMode = "datapath-mode"
// EnableSocketLB is the name for the option to enable the socket LB
EnableSocketLB = "bpf-lb-sock"
// EnableSocketLBTracing is the name for the option to enable the socket LB tracing
EnableSocketLBTracing = "trace-sock"
// BPFSocketLBHostnsOnly is the name of the BPFSocketLBHostnsOnly option
BPFSocketLBHostnsOnly = "bpf-lb-sock-hostns-only"
// TunnelName is the name of the Tunnel option
TunnelName = "tunnel"
// RoutingMode is the name of the option to choose between native routing and tunneling mode
RoutingMode = "routing-mode"
// TunnelProtocol is the name of the option to select the tunneling protocol
TunnelProtocol = "tunnel-protocol"
// TunnelPortName is the name of the TunnelPort option
TunnelPortName = "tunnel-port"
// SingleClusterRouteName is the name of the SingleClusterRoute option
//
// SingleClusterRoute enables use of a single route covering the entire
// cluster CIDR to point to the cilium_host interface instead of using
// a separate route for each cluster node CIDR. This option is not
// compatible with Tunnel=TunnelDisabled
SingleClusterRouteName = "single-cluster-route"
// MaxInternalTimerDelay sets a maximum on all periodic timers in
// the agent in order to flush out timer-related bugs in the agent.
MaxInternalTimerDelay = "max-internal-timer-delay"
// MonitorAggregationName specifies the MonitorAggregationLevel on the
// command line.
MonitorAggregationName = "monitor-aggregation"
// MonitorAggregationInterval configures interval for monitor-aggregation
MonitorAggregationInterval = "monitor-aggregation-interval"
// MonitorAggregationFlags configures TCP flags used by monitor aggregation.
MonitorAggregationFlags = "monitor-aggregation-flags"
// ciliumEnvPrefix is the prefix used for environment variables
ciliumEnvPrefix = "CILIUM_"
// CNIChainingMode configures which CNI plugin Cilium is chained with.
CNIChainingMode = "cni-chaining-mode"
// CNIChainingTarget is the name of a CNI network in to which we should
// insert our plugin configuration
CNIChainingTarget = "cni-chaining-target"
// AuthMapEntriesMin defines the minimum auth map limit.
AuthMapEntriesMin = 1 << 8
// AuthMapEntriesMax defines the maximum auth map limit.
AuthMapEntriesMax = 1 << 24
// AuthMapEntriesDefault defines the default auth map limit.
AuthMapEntriesDefault = 1 << 19
// AuthMapEntriesName configures max entries for BPF auth map.
AuthMapEntriesName = "bpf-auth-map-max"
// CTMapEntriesGlobalTCPDefault is the default maximum number of entries
// in the TCP CT table.
CTMapEntriesGlobalTCPDefault = 2 << 18 // 512Ki
// CTMapEntriesGlobalAnyDefault is the default maximum number of entries
// in the non-TCP CT table.
CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki
// CTMapEntriesGlobalTCPName configures max entries for the TCP CT
// table.
CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max"
// CTMapEntriesGlobalAnyName configures max entries for the non-TCP CT
// table.
CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max"
// CTMapEntriesTimeout* name option and default value mappings
CTMapEntriesTimeoutSYNName = "bpf-ct-timeout-regular-tcp-syn"
CTMapEntriesTimeoutFINName = "bpf-ct-timeout-regular-tcp-fin"
CTMapEntriesTimeoutTCPName = "bpf-ct-timeout-regular-tcp"
CTMapEntriesTimeoutAnyName = "bpf-ct-timeout-regular-any"
CTMapEntriesTimeoutSVCTCPName = "bpf-ct-timeout-service-tcp"
CTMapEntriesTimeoutSVCTCPGraceName = "bpf-ct-timeout-service-tcp-grace"
CTMapEntriesTimeoutSVCAnyName = "bpf-ct-timeout-service-any"
// NATMapEntriesGlobalDefault holds the default size of the NAT map
// and is 2/3 of the full CT size as a heuristic
NATMapEntriesGlobalDefault = int((CTMapEntriesGlobalTCPDefault + CTMapEntriesGlobalAnyDefault) * 2 / 3)
// SockRevNATMapEntriesDefault holds the default size of the SockRev NAT map
// and is the same size of CTMapEntriesGlobalAnyDefault as a heuristic given
// that sock rev NAT is mostly used for UDP and getpeername only.
SockRevNATMapEntriesDefault = CTMapEntriesGlobalAnyDefault
// MapEntriesGlobalDynamicSizeRatioName is the name of the option to
// set the ratio of total system memory to use for dynamic sizing of the
// CT, NAT, Neighbor and SockRevNAT BPF maps.
MapEntriesGlobalDynamicSizeRatioName = "bpf-map-dynamic-size-ratio"
// LimitTableAutoGlobalTCPMin defines the minimum TCP CT table limit for
// dynamic size ratio calculation.
LimitTableAutoGlobalTCPMin = 1 << 17 // 128Ki entries
// LimitTableAutoGlobalAnyMin defines the minimum UDP CT table limit for
// dynamic size ratio calculation.
LimitTableAutoGlobalAnyMin = 1 << 16 // 64Ki entries
// LimitTableAutoNatGlobalMin defines the minimum NAT limit for dynamic size
// ratio calculation.
LimitTableAutoNatGlobalMin = 1 << 17 // 128Ki entries
// LimitTableAutoSockRevNatMin defines the minimum SockRevNAT limit for
// dynamic size ratio calculation.
LimitTableAutoSockRevNatMin = 1 << 16 // 64Ki entries
// LimitTableMin defines the minimum CT or NAT table limit
LimitTableMin = 1 << 10 // 1Ki entries
// LimitTableMax defines the maximum CT or NAT table limit
LimitTableMax = 1 << 24 // 16Mi entries (~1GiB of entries per map)
// PolicyMapMin defines the minimum policy map limit.
PolicyMapMin = 1 << 8
// PolicyMapMax defines the maximum policy map limit.
PolicyMapMax = 1 << 16
// FragmentsMapMin defines the minimum fragments map limit.
FragmentsMapMin = 1 << 8
// FragmentsMapMax defines the maximum fragments map limit.
FragmentsMapMax = 1 << 16
// NATMapEntriesGlobalName configures max entries for BPF NAT table
NATMapEntriesGlobalName = "bpf-nat-global-max"
// NeighMapEntriesGlobalName configures max entries for BPF neighbor table
NeighMapEntriesGlobalName = "bpf-neigh-global-max"
// PolicyMapEntriesName configures max entries for BPF policymap.
PolicyMapEntriesName = "bpf-policy-map-max"
// PolicyMapFullReconciliationInterval sets the interval for performing the full
// reconciliation of the endpoint policy map.
PolicyMapFullReconciliationIntervalName = "bpf-policy-map-full-reconciliation-interval"
// SockRevNatEntriesName configures max entries for BPF sock reverse nat
// entries.
SockRevNatEntriesName = "bpf-sock-rev-map-max"
// EgressGatewayPolicyMapEntriesName configures max entries for egress gateway's policy
// map.
EgressGatewayPolicyMapEntriesName = "egress-gateway-policy-map-max"
// LogSystemLoadConfigName is the name of the option to enable system
// load logging
LogSystemLoadConfigName = "log-system-load"
// PrependIptablesChainsName is the name of the option to enable
// prepending iptables chains instead of appending
PrependIptablesChainsName = "prepend-iptables-chains"
// DisableCiliumEndpointCRDName is the name of the option to disable
// use of the CEP CRD
DisableCiliumEndpointCRDName = "disable-endpoint-crd"
// MaxCtrlIntervalName and MaxCtrlIntervalNameEnv allow configuration
// of MaxControllerInterval.
MaxCtrlIntervalName = "max-controller-interval"
// K8sNamespaceName is the name of the K8sNamespace option
K8sNamespaceName = "k8s-namespace"
// AgentNotReadyNodeTaintKeyName is the name of the option to set
// AgentNotReadyNodeTaintKey
AgentNotReadyNodeTaintKeyName = "agent-not-ready-taint-key"
// JoinClusterName is the name of the JoinCluster Option
JoinClusterName = "join-cluster"
// EnableIPv4Name is the name of the option to enable IPv4 support
EnableIPv4Name = "enable-ipv4"
// EnableIPv6Name is the name of the option to enable IPv6 support
EnableIPv6Name = "enable-ipv6"
// EnableIPv6NDPName is the name of the option to enable IPv6 NDP support
EnableIPv6NDPName = "enable-ipv6-ndp"
// EnableSRv6 is the name of the option to enable SRv6 encapsulation support
EnableSRv6 = "enable-srv6"
// SRv6EncapModeName is the name of the option to specify the SRv6 encapsulation mode
SRv6EncapModeName = "srv6-encap-mode"
// EnableSCTPName is the name of the option to enable SCTP support
EnableSCTPName = "enable-sctp"
// EnableNat46X64Gateway enables L3 based NAT46 and NAT64 gateway
EnableNat46X64Gateway = "enable-nat46x64-gateway"
// IPv6MCastDevice is the name of the option to select IPv6 multicast device
IPv6MCastDevice = "ipv6-mcast-device"
// FQDNRejectResponseCode is the name for the option for dns-proxy reject response code
FQDNRejectResponseCode = "tofqdns-dns-reject-response-code"
// FQDNProxyDenyWithNameError is useful when stub resolvers, like the one
// in Alpine Linux's libc (musl), treat a REFUSED as a resolution error.
// This happens when trying a DNS search list, as in kubernetes, and breaks
// even whitelisted DNS names.
FQDNProxyDenyWithNameError = "nameError"
// FQDNProxyDenyWithRefused is the response code for Domain refused. It is
// the default for denied DNS requests.
FQDNProxyDenyWithRefused = "refused"
// FQDNProxyResponseMaxDelay is the maximum time the proxy holds back a response
FQDNProxyResponseMaxDelay = "tofqdns-proxy-response-max-delay"
// FQDNRegexCompileLRUSize is the size of the FQDN regex compilation LRU.
// Useful for heavy but repeated FQDN MatchName or MatchPattern use.
FQDNRegexCompileLRUSize = "fqdn-regex-compile-lru-size"
// PreAllocateMapsName is the name of the option PreAllocateMaps
PreAllocateMapsName = "preallocate-bpf-maps"
// EnableBPFTProxy option supports enabling or disabling BPF TProxy.
EnableBPFTProxy = "enable-bpf-tproxy"
// EnableXTSocketFallbackName is the name of the EnableXTSocketFallback option
EnableXTSocketFallbackName = "enable-xt-socket-fallback"
// EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option
EnableAutoDirectRoutingName = "auto-direct-node-routes"
// EnableIPSecName is the name of the option to enable IPSec
EnableIPSecName = "enable-ipsec"
// Duration of the IPsec key rotation. After that time, we will clean the
// previous IPsec key from the node.
IPsecKeyRotationDuration = "ipsec-key-rotation-duration"
// Enable watcher for IPsec key. If disabled, a restart of the agent will
// be necessary on key rotations.
EnableIPsecKeyWatcher = "enable-ipsec-key-watcher"
// IPSecKeyFileName is the name of the option for ipsec key file
IPSecKeyFileName = "ipsec-key-file"
// EnableWireguard is the name of the option to enable WireGuard
EnableWireguard = "enable-wireguard"
// EnableL2Announcements is the name of the option to enable l2 announcements
EnableL2Announcements = "enable-l2-announcements"
// L2AnnouncerLeaseDuration, if a lease has not been renewed for X amount of time, a new leader can be chosen.
L2AnnouncerLeaseDuration = "l2-announcements-lease-duration"
// L2AnnouncerRenewDeadline, the leader will renew the lease every X amount of time.
L2AnnouncerRenewDeadline = "l2-announcements-renew-deadline"
// L2AnnouncerRetryPeriod, on renew failure, retry after X amount of time.
L2AnnouncerRetryPeriod = "l2-announcements-retry-period"
// EnableEncryptionStrictMode is the name of the option to enable strict encryption mode.
EnableEncryptionStrictMode = "enable-encryption-strict-mode"
// EncryptionStrictModeCIDR is the CIDR in which the strict encryption mode should be enforced.
EncryptionStrictModeCIDR = "encryption-strict-mode-cidr"
// EncryptionStrictModeAllowRemoteNodeIdentities allows dynamic lookup of remote node identities.
// This is required when tunneling is used
// or direct routing is used and the node CIDR and pod CIDR overlap.
EncryptionStrictModeAllowRemoteNodeIdentities = "encryption-strict-mode-allow-remote-node-identities"
// EnableWireguardUserspaceFallback is the name of the option that enables the fallback to WireGuard userspace mode
EnableWireguardUserspaceFallback = "enable-wireguard-userspace-fallback"
// WireguardPersistentKeepalive controls the WireGuard PersistentKeepalive option. Set 0 to disable.
WireguardPersistentKeepalive = "wireguard-persistent-keepalive"
// NodeEncryptionOptOutLabels is the name of the option for the node-to-node encryption opt-out labels
NodeEncryptionOptOutLabels = "node-encryption-opt-out-labels"
// KVstoreLeaseTTL is the time-to-live for lease in kvstore.
KVstoreLeaseTTL = "kvstore-lease-ttl"
// KVstoreMaxConsecutiveQuorumErrorsName is the maximum number of acceptable
// kvstore consecutive quorum errors before the agent assumes permanent failure
KVstoreMaxConsecutiveQuorumErrorsName = "kvstore-max-consecutive-quorum-errors"
// KVstorePeriodicSync is the time interval in which periodic
// synchronization with the kvstore occurs
KVstorePeriodicSync = "kvstore-periodic-sync"
// KVstoreConnectivityTimeout is the timeout when performing kvstore operations
KVstoreConnectivityTimeout = "kvstore-connectivity-timeout"
// IPAllocationTimeout is the timeout when allocating CIDRs
IPAllocationTimeout = "ip-allocation-timeout"
// IdentityChangeGracePeriod is the name of the
// IdentityChangeGracePeriod option
IdentityChangeGracePeriod = "identity-change-grace-period"
// IdentityRestoreGracePeriod is the name of the
// IdentityRestoreGracePeriod option
IdentityRestoreGracePeriod = "identity-restore-grace-period"
// EnableHealthChecking is the name of the EnableHealthChecking option
EnableHealthChecking = "enable-health-checking"
// EnableEndpointHealthChecking is the name of the EnableEndpointHealthChecking option
EnableEndpointHealthChecking = "enable-endpoint-health-checking"
// EnableHealthCheckNodePort is the name of the EnableHealthCheckNodePort option
EnableHealthCheckNodePort = "enable-health-check-nodeport"
// EnableHealthCheckLoadBalancerIP is the name of the EnableHealthCheckLoadBalancerIP option
EnableHealthCheckLoadBalancerIP = "enable-health-check-loadbalancer-ip"
// PolicyQueueSize is the size of the queues utilized by the policy
// repository.
PolicyQueueSize = "policy-queue-size"
// EndpointQueueSize is the size of the EventQueue per-endpoint.
EndpointQueueSize = "endpoint-queue-size"
// EndpointGCInterval is the interval at which garbage collection of
// endpoints that are no longer alive and healthy is attempted.
EndpointGCInterval = "endpoint-gc-interval"
// K8sEventHandover is the name of the K8sEventHandover option
K8sEventHandover = "enable-k8s-event-handover"
// LoopbackIPv4 is the address to use for service loopback SNAT
LoopbackIPv4 = "ipv4-service-loopback-address"
// LocalRouterIPv4 is the link-local IPv4 address to use for Cilium router device
LocalRouterIPv4 = "local-router-ipv4"
// LocalRouterIPv6 is the link-local IPv6 address to use for Cilium router device
LocalRouterIPv6 = "local-router-ipv6"
// EnableEndpointRoutes enables use of per endpoint routes
EnableEndpointRoutes = "enable-endpoint-routes"
// ExcludeLocalAddress excludes certain addresses to be recognized as a
// local address
ExcludeLocalAddress = "exclude-local-address"
// IPv4PodSubnets is a list of IPv4 subnets that pods may be
// assigned from. Used with CNI chaining where IPs are not directly managed
// by Cilium.
IPv4PodSubnets = "ipv4-pod-subnets"
// IPv6PodSubnets is a list of IPv6 subnets that pods may be
// assigned from. Used with CNI chaining where IPs are not directly managed
// by Cilium.
IPv6PodSubnets = "ipv6-pod-subnets"
// IPAM is the IPAM method to use
IPAM = "ipam"
// IPAMMultiPoolPreAllocation defines the pre-allocation value for each IPAM pool
IPAMMultiPoolPreAllocation = "ipam-multi-pool-pre-allocation"
// XDPModeNative for loading progs with XDPModeLinkDriver
XDPModeNative = "native"
// XDPModeGeneric for loading progs with XDPModeLinkGeneric
XDPModeGeneric = "testing-only"
// XDPModeDisabled for not having XDP enabled
XDPModeDisabled = "disabled"
// XDPModeLinkDriver is the tc selector for native XDP
XDPModeLinkDriver = "xdpdrv"
// XDPModeLinkGeneric is the tc selector for generic XDP
XDPModeLinkGeneric = "xdpgeneric"
// XDPModeLinkNone for not having XDP enabled
XDPModeLinkNone = XDPModeDisabled
// K8sClientQPSLimit is the queries per second limit for the K8s client. Defaults to k8s client defaults.
K8sClientQPSLimit = "k8s-client-qps"
// K8sClientBurst is the burst value allowed for the K8s client. Defaults to k8s client defaults.
K8sClientBurst = "k8s-client-burst"
// AutoCreateCiliumNodeResource enables automatic creation of a
// CiliumNode resource for the local node
AutoCreateCiliumNodeResource = "auto-create-cilium-node-resource"
// IPv4NativeRoutingCIDR describes a v4 CIDR in which pod IPs are routable
IPv4NativeRoutingCIDR = "ipv4-native-routing-cidr"
// IPv6NativeRoutingCIDR describes a v6 CIDR in which pod IPs are routable
IPv6NativeRoutingCIDR = "ipv6-native-routing-cidr"
// MasqueradeInterfaces is the selector used to select interfaces subject to
// egress masquerading
MasqueradeInterfaces = "egress-masquerade-interfaces"
// PolicyTriggerInterval is the amount of time between invocations of
// policy update triggers.
PolicyTriggerInterval = "policy-trigger-interval"
// IdentityAllocationMode specifies what mode to use for identity
// allocation
IdentityAllocationMode = "identity-allocation-mode"
// IdentityAllocationModeKVstore enables use of a key-value store such
// as etcd for identity allocation
IdentityAllocationModeKVstore = "kvstore"
// IdentityAllocationModeCRD enables use of Kubernetes CRDs for
// identity allocation
IdentityAllocationModeCRD = "crd"
// DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP
// CRD.
DisableCNPStatusUpdates = "disable-cnp-status-updates"
// EnableLocalNodeRoute controls installation of the route which points
// the allocation prefix of the local node.
EnableLocalNodeRoute = "enable-local-node-route"
// EnableWellKnownIdentities enables the use of well-known identities.
// This is required if identity resolution is needed to bring up the
// control plane, e.g. when using the managed etcd feature
EnableWellKnownIdentities = "enable-well-known-identities"
// EnableRemoteNodeIdentity enables use of the remote-node identity
EnableRemoteNodeIdentity = "enable-remote-node-identity"
// PolicyAuditModeArg argument enables policy audit mode.
PolicyAuditModeArg = "policy-audit-mode"
// EnableHubble enables hubble in the agent.
EnableHubble = "enable-hubble"
// HubbleSocketPath specifies the UNIX domain socket for Hubble server to listen to.
HubbleSocketPath = "hubble-socket-path"
// HubbleListenAddress specifies address for Hubble server to listen to.
HubbleListenAddress = "hubble-listen-address"
// HubblePreferIpv6 controls whether IPv6 or IPv4 addresses should be preferred for
// communication to agents, if both are available.
HubblePreferIpv6 = "hubble-prefer-ipv6"
// HubbleTLSDisabled allows the Hubble server to run on the given listen
// address without TLS.
HubbleTLSDisabled = "hubble-disable-tls"
// HubbleTLSCertFile specifies the path to the public key file for the
// Hubble server. The file must contain PEM encoded data.
HubbleTLSCertFile = "hubble-tls-cert-file"
// HubbleTLSKeyFile specifies the path to the private key file for the
// Hubble server. The file must contain PEM encoded data.
HubbleTLSKeyFile = "hubble-tls-key-file"
// HubbleTLSClientCAFiles specifies the path to one or more client CA
// certificates to use for TLS with mutual authentication (mTLS). The files
// must contain PEM encoded data.
HubbleTLSClientCAFiles = "hubble-tls-client-ca-files"
// HubbleEventBufferCapacity specifies the capacity of Hubble events buffer.
HubbleEventBufferCapacity = "hubble-event-buffer-capacity"
// HubbleEventQueueSize specifies the buffer size of the channel to receive monitor events.
HubbleEventQueueSize = "hubble-event-queue-size"
// HubbleMetricsServer specifies the addresses to serve Hubble metrics on.
HubbleMetricsServer = "hubble-metrics-server"
// HubbleMetrics specifies enabled metrics and their configuration options.
HubbleMetrics = "hubble-metrics"
// HubbleExportFilePath specifies the filepath to write Hubble events to.
// e.g. "/var/run/cilium/hubble/events.log"
HubbleExportFilePath = "hubble-export-file-path"
// HubbleExportFileMaxSizeMB specifies the file size in MB at which to rotate
// the Hubble export file.
HubbleExportFileMaxSizeMB = "hubble-export-file-max-size-mb"