// Copyright 2016-2019 Authors of Cilium
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package option
import (
"bytes"
"fmt"
"io/ioutil"
"net"
"os"
"path/filepath"
"runtime"
"sort"
"strings"
"time"
"github.com/cilium/cilium/api/v1/models"
"github.com/cilium/cilium/common"
"github.com/cilium/cilium/pkg/defaults"
"github.com/cilium/cilium/pkg/lock"
"github.com/cilium/cilium/pkg/logging"
"github.com/cilium/cilium/pkg/logging/logfields"
"github.com/cilium/cilium/pkg/metrics"
"github.com/prometheus/client_golang/prometheus"
"github.com/sirupsen/logrus"
"github.com/spf13/viper"
)
// log is the package-level logger; every message it emits carries the
// "config" subsystem field so config-related output can be filtered.
var log = logging.DefaultLogger.WithField(logfields.LogSubsys, "config")
const (
	// AccessLog is the path to the access log of supported L7 requests observed
	AccessLog = "access-log"
	// AgentLabels are additional labels to identify this agent
	AgentLabels = "agent-labels"
	// AllowLocalhost is the policy for when to allow the local stack to reach local endpoints { auto | always | policy }
	AllowLocalhost = "allow-localhost"
	// AllowLocalhostAuto defaults to policy except when running in
	// Kubernetes where it then defaults to "always"
	AllowLocalhostAuto = "auto"
	// AllowLocalhostAlways always allows the local stack to reach local
	// endpoints
	AllowLocalhostAlways = "always"
	// AllowLocalhostPolicy requires a policy rule to allow the local stack
	// to reach particular endpoints or policy enforcement must be
	// disabled.
	AllowLocalhostPolicy = "policy"
	// BPFRoot is the path to the BPF filesystem
	BPFRoot = "bpf-root"
	// CGroupRoot is the path to the Cgroup2 filesystem
	CGroupRoot = "cgroup-root"
	// ConfigFile is the configuration file (default "$HOME/ciliumd.yaml")
	ConfigFile = "config"
	// ConfigDir is the directory that contains a file for each option where
	// the filename represents the option name and the content of that file
	// represents the value of that option.
	ConfigDir = "config-dir"
	// ConntrackGarbageCollectorIntervalDeprecated is the deprecated option
	// name to set the conntrack gc interval
	ConntrackGarbageCollectorIntervalDeprecated = "conntrack-garbage-collector-interval"
	// ConntrackGCInterval is the name of the ConntrackGCInterval option
	ConntrackGCInterval = "conntrack-gc-interval"
	// ContainerRuntime sets the container runtime(s) used by Cilium
	// { containerd | crio | docker | none | auto } ( "auto" uses the container
	// runtime found in the order: "docker", "containerd", "crio" )
	ContainerRuntime = "container-runtime"
	// ContainerRuntimeEndpoint sets the container runtime(s) endpoint(s)
	ContainerRuntimeEndpoint = "container-runtime-endpoint"
	// DebugArg is the argument that enables debugging mode
	DebugArg = "debug"
	// DebugVerbose is the argument that enables verbose log messages for particular subsystems
	DebugVerbose = "debug-verbose"
	// Device is the device facing the cluster/external network for direct L3 (non-overlay mode)
	Device = "device"
	// DisableConntrack disables connection tracking
	DisableConntrack = "disable-conntrack"
	// DisableEnvoyVersionCheck skips the Envoy binary version check on startup
	DisableEnvoyVersionCheck = "disable-envoy-version-check"
	// Docker is the path to the docker runtime socket (DEPRECATED: use container-runtime-endpoint instead)
	Docker = "docker"
	// EnablePolicy enables policy enforcement in the agent.
	EnablePolicy = "enable-policy"
	// EnableTracing enables tracing mode in the agent.
	EnableTracing = "enable-tracing"
	// EncryptInterface enables encryption on the specified interface
	EncryptInterface = "encrypt-interface"
	// EnvoyLog sets the path to a separate Envoy log file, if any
	EnvoyLog = "envoy-log"
	// FixedIdentityMapping is the key-value for the fixed identity mapping
	// which allows a reserved label to be used for fixed identities
	FixedIdentityMapping = "fixed-identity-mapping"
	// IPv4ClusterCIDRMaskSize is the mask size for the cluster wide CIDR
	IPv4ClusterCIDRMaskSize = "ipv4-cluster-cidr-mask-size"
	// IPv4Range is the per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16
	IPv4Range = "ipv4-range"
	// IPv6Range is the per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96
	IPv6Range = "ipv6-range"
	// IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside the cluster prefix
	IPv4ServiceRange = "ipv4-service-range"
	// IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside the cluster prefix
	IPv6ServiceRange = "ipv6-service-range"
	// ModePreFilterNative is the PrefilterMode value for loading programs with xdpdrv
	ModePreFilterNative = "native"
	// ModePreFilterGeneric is the PrefilterMode value for loading programs with xdpgeneric
	ModePreFilterGeneric = "generic"
	// IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option
	IPv6ClusterAllocCIDRName = "ipv6-cluster-alloc-cidr"
	// K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option
	K8sRequireIPv4PodCIDRName = "k8s-require-ipv4-pod-cidr"
	// K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option
	K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr"
	// K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP
	// status in kube-apiserver.
	K8sForceJSONPatch = "k8s-force-json-patch"
	// K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium
	// should watch for.
	K8sWatcherEndpointSelector = "k8s-watcher-endpoint-selector"
	// K8sAPIServer is the kubernetes api server address (for https use --k8s-kubeconfig-path instead)
	K8sAPIServer = "k8s-api-server"
	// K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file
	K8sKubeConfigPath = "k8s-kubeconfig-path"
	// K8sWatcherQueueSize is the queue size used to serialize each k8s event type
	K8sWatcherQueueSize = "k8s-watcher-queue-size"
	// KeepConfig when restoring state, keeps containers' configuration in place
	KeepConfig = "keep-config"
	// KeepBPFTemplates does not restore BPF template files from the binary
	KeepBPFTemplates = "keep-bpf-templates"
	// KVStore is the key-value store type
	KVStore = "kvstore"
	// KVStoreOpt is the key-value store options
	KVStoreOpt = "kvstore-opt"
	// Labels is the list of label prefixes used to determine the identity of an endpoint
	Labels = "labels"
	// LabelPrefixFile is the valid label prefixes file path
	LabelPrefixFile = "label-prefix-file"
	// LB enables load balancer mode where the load balancer bpf program is attached to the given interface
	LB = "lb"
	// LibDir is the directory path used to store the runtime build environment
	LibDir = "lib-dir"
	// LogDriver sets the logging endpoints to use, for example syslog, fluentd
	LogDriver = "log-driver"
	// LogOpt sets log driver options for cilium
	LogOpt = "log-opt"
	// Logstash enables logstash integration
	Logstash = "logstash"
	// NAT46Range is the IPv6 prefix to map IPv4 addresses to
	NAT46Range = "nat46-range"
	// Masquerade enables masquerading of packets from endpoints leaving the host
	Masquerade = "masquerade"
	// InstallIptRules sets whether Cilium should install any iptables rules in general
	InstallIptRules = "install-iptables-rules"
	// IPv6NodeAddr is the IPv6 address of the node
	IPv6NodeAddr = "ipv6-node"
	// IPv4NodeAddr is the IPv4 address of the node
	IPv4NodeAddr = "ipv4-node"
	// Restore restores state, if possible, from a previous daemon
	Restore = "restore"
	// SidecarHTTPProxy disables the host HTTP proxy, assuming proxies in sidecar containers
	SidecarHTTPProxy = "sidecar-http-proxy"
	// SidecarIstioProxyImage is a regular expression matching compatible Istio sidecar istio-proxy container image names
	SidecarIstioProxyImage = "sidecar-istio-proxy-image"
	// SocketPath sets the daemon's socket path to listen for connections
	SocketPath = "socket-path"
	// StateDir is the directory path to store runtime state
	StateDir = "state-dir"
	// TracePayloadlen is the length of payload to capture when tracing
	TracePayloadlen = "trace-payloadlen"
	// Version prints the version information
	Version = "version"
	// FlannelMasterDevice installs a BPF program to allow for policy
	// enforcement in the given network interface. Allows to run Cilium on top
	// of other CNI plugins that provide networking, e.g. flannel, where for
	// flannel, this value should be set with 'cni0'. [EXPERIMENTAL]
	FlannelMasterDevice = "flannel-master-device"
	// FlannelUninstallOnExit should be used along with the flannel-master-device flag,
	// it cleans up all BPF programs installed when the Cilium agent is terminated.
	FlannelUninstallOnExit = "flannel-uninstall-on-exit"
	// FlannelManageExistingContainers sets if Cilium should install the BPF
	// programs on already running interfaces created by flannel. Requires
	// Cilium to be running in the hostPID.
	FlannelManageExistingContainers = "flannel-manage-existing-containers"
	// PProf enables serving the pprof debugging API
	PProf = "pprof"
	// PrefilterDevice is the device facing the external network for XDP prefiltering
	PrefilterDevice = "prefilter-device"
	// PrefilterMode selects how the prefilter program is loaded, one of
	// ModePreFilterNative or ModePreFilterGeneric (default: ModePreFilterNative)
	PrefilterMode = "prefilter-mode"
	// PrometheusServeAddr is the IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
	PrometheusServeAddr = "prometheus-serve-addr"
	// PrometheusServeAddrDeprecated is the deprecated name for PrometheusServeAddr (pass ":Port" to bind on all interfaces, "" is off)
	PrometheusServeAddrDeprecated = "prometheus-serve-addr-deprecated"
	// CMDRef is the path to the cmdref output directory
	CMDRef = "cmdref"
	// ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies.
	ToFQDNsMinTTL = "tofqdns-min-ttl"
	// ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen. Default 0 is an OS-assigned port.
	ToFQDNsProxyPort = "tofqdns-proxy-port"
	// ToFQDNsEnablePoller enables proactive polling of DNS names in toFQDNs.matchName rules.
	ToFQDNsEnablePoller = "tofqdns-enable-poller"
	// ToFQDNsEnablePollerEvents controls if poller lookups are sent as monitor events
	ToFQDNsEnablePollerEvents = "tofqdns-enable-poller-events"
	// ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain
	// for each FQDN name in an endpoint's FQDN cache
	ToFQDNsMaxIPsPerHost = "tofqdns-endpoint-max-ip-per-hostname"
	// ToFQDNsPreCache is a path to a file with DNS cache data to insert into the
	// global cache on startup.
	// The file is not re-read after agent start.
	ToFQDNsPreCache = "tofqdns-pre-cache"
	// MTUName is the name of the MTU option
	MTUName = "mtu"
	// DatapathMode is the name of the DatapathMode option
	DatapathMode = "datapath-mode"
	// IpvlanMasterDevice is the name of the IpvlanMasterDevice option
	IpvlanMasterDevice = "ipvlan-master-device"
	// TunnelName is the name of the Tunnel option
	TunnelName = "tunnel"
	// SingleClusterRouteName is the name of the SingleClusterRoute option
	//
	// SingleClusterRoute enables use of a single route covering the entire
	// cluster CIDR to point to the cilium_host interface instead of using
	// a separate route for each cluster node CIDR. This option is not
	// compatible with Tunnel=TunnelDisabled
	SingleClusterRouteName = "single-cluster-route"
	// MonitorAggregationName specifies the MonitorAggregationLevel on the
	// command line.
	MonitorAggregationName = "monitor-aggregation"
	// ciliumEnvPrefix is the prefix used for environment variables
	ciliumEnvPrefix = "CILIUM_"
	// ClusterName is the name of the ClusterName option
	ClusterName = "cluster-name"
	// ClusterIDName is the name of the ClusterID option
	ClusterIDName = "cluster-id"
	// ClusterIDMin is the minimum value of the cluster ID
	ClusterIDMin = 0
	// ClusterIDMax is the maximum value of the cluster ID
	ClusterIDMax = 255
	// ClusterMeshConfigName is the name of the ClusterMeshConfig option
	ClusterMeshConfigName = "clustermesh-config"
	// BPFCompileDebugName is the name of the option to enable BPF compilation debugging
	BPFCompileDebugName = "bpf-compile-debug"
	// CTMapEntriesGlobalTCPDefault retains the Cilium 1.2 (or earlier) size to
	// minimize disruption during upgrade.
	CTMapEntriesGlobalTCPDefault = 1000000
	// CTMapEntriesGlobalAnyDefault is the default size of the non-TCP CT tables.
	CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki
	// CTMapEntriesGlobalTCPName is the name of the CTMapEntriesGlobalTCP option
	CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max"
	// CTMapEntriesGlobalAnyName is the name of the CTMapEntriesGlobalAny option
	CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max"
	// CTMapEntriesTimeout* name option and default value mappings
	CTMapEntriesTimeoutSYNName    = "bpf-ct-timeout-regular-tcp-syn"
	CTMapEntriesTimeoutFINName    = "bpf-ct-timeout-regular-tcp-fin"
	CTMapEntriesTimeoutTCPName    = "bpf-ct-timeout-regular-tcp"
	CTMapEntriesTimeoutAnyName    = "bpf-ct-timeout-regular-any"
	CTMapEntriesTimeoutSVCTCPName = "bpf-ct-timeout-service-tcp"
	CTMapEntriesTimeoutSVCAnyName = "bpf-ct-timeout-service-any"
	// PolicyMapEntriesName configures max entries for the BPF policymap.
	PolicyMapEntriesName = "bpf-policy-map-max"
	// LogSystemLoadConfigName is the name of the option to enable system
	// load logging
	LogSystemLoadConfigName = "log-system-load"
	// PrependIptablesChainsName is the name of the option to enable
	// prepending iptables chains instead of appending
	PrependIptablesChainsName = "prepend-iptables-chains"
	// DisableCiliumEndpointCRDName is the name of the option to disable
	// use of the CEP CRD
	DisableCiliumEndpointCRDName = "disable-endpoint-crd"
	// DisableK8sServices disables east-west K8s load balancing by cilium
	DisableK8sServices = "disable-k8s-services"
	// EnableLegacyServices enables the legacy services
	EnableLegacyServices = "enable-legacy-services"
	// MaxCtrlIntervalName is the name of the option that configures
	// DaemonConfig.MaxControllerInterval.
	MaxCtrlIntervalName = "max-controller-interval"
	// SockopsEnableName is the name of the option to enable sockops
	SockopsEnableName = "sockops-enable"
	// K8sNamespaceName is the name of the K8sNamespace option
	K8sNamespaceName = "k8s-namespace"
	// EnableIPv4Name is the name of the option to enable IPv4 support
	EnableIPv4Name = "enable-ipv4"
	// LegacyDisableIPv4Name is the name of the legacy option to disable
	// IPv4 support
	LegacyDisableIPv4Name = "disable-ipv4"
	// EnableIPv6Name is the name of the option to enable IPv6 support
	EnableIPv6Name = "enable-ipv6"
	// MonitorQueueSizeName is the name of the option MonitorQueueSize
	MonitorQueueSizeName = "monitor-queue-size"
	// FQDNRejectResponseCode is the name of the option for the dns-proxy reject
	// response code; accepted values are listed in FQDNRejectOptions.
	FQDNRejectResponseCode = "tofqdns-dns-reject-response-code"
	// FQDNProxyDenyWithNameError is useful when stub resolvers, like the one
	// in Alpine Linux's libc (musl), treat a REFUSED as a resolution error.
	// This happens when trying a DNS search list, as in kubernetes, and breaks
	// even whitelisted DNS names.
	FQDNProxyDenyWithNameError = "nameError"
	// FQDNProxyDenyWithRefused is the response code for Domain refused. It is
	// the default for denied DNS requests.
	FQDNProxyDenyWithRefused = "refused"
	// PreAllocateMapsName is the name of the option PreAllocateMaps
	PreAllocateMapsName = "preallocate-bpf-maps"
	// EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option
	EnableAutoDirectRoutingName = "auto-direct-node-routes"
	// EnableIPSecName is the name of the option to enable IPSec
	EnableIPSecName = "enable-ipsec"
	// IPSecKeyFileName is the name of the option for the ipsec key file
	IPSecKeyFileName = "ipsec-key-file"
	// KVstorePeriodicSync is the time interval in which periodic
	// synchronization with the kvstore occurs
	KVstorePeriodicSync = "kvstore-periodic-sync"
	// IdentityChangeGracePeriod is the name of the
	// IdentityChangeGracePeriod option
	IdentityChangeGracePeriod = "identity-change-grace-period"
	// EnableHealthChecking is the name of the EnableHealthChecking option
	EnableHealthChecking = "enable-health-checking"
	// PolicyQueueSize is the size of the queues utilized by the policy
	// repository.
	PolicyQueueSize = "policy-queue-size"
	// EndpointQueueSize is the size of the EventQueue per-endpoint.
	EndpointQueueSize = "endpoint-queue-size"
	// SelectiveRegeneration specifies whether only the endpoints which policy
	// changes select should be regenerated upon policy changes.
	SelectiveRegeneration = "enable-selective-regeneration"
	// K8sEventHandover is the name of the K8sEventHandover option
	K8sEventHandover = "enable-k8s-event-handover"
	// Metrics represents the metrics subsystem that Cilium should expose
	// to prometheus.
	Metrics = "metrics"
)
// FQDNRejectOptions lists the values accepted for the FQDNRejectResponseCode
// option: the DNS response codes the dns-proxy may answer a denied request with.
var FQDNRejectOptions = []string{
	FQDNProxyDenyWithNameError,
	FQDNProxyDenyWithRefused,
}
// Available options for DaemonConfig.DatapathMode
const (
	// DatapathModeVeth specifies veth datapath mode (i.e. containers are
	// attached to a network via veth pairs)
	DatapathModeVeth = "veth"
	// DatapathModeIpvlan specifies ipvlan datapath mode
	DatapathModeIpvlan = "ipvlan"
)
// Available options for DaemonConfig.Tunnel; GetTunnelModes lists them
// in the same order for help text.
const (
	// TunnelVXLAN specifies VXLAN encapsulation
	TunnelVXLAN = "vxlan"
	// TunnelGeneve specifies Geneve encapsulation
	TunnelGeneve = "geneve"
	// TunnelDisabled specifies to disable encapsulation
	TunnelDisabled = "disabled"
)
// Available options for DaemonConfig.Ipvlan.OperationMode
const (
	// OperationModeL3S will respect iptables rules, e.g. ones set up for masquerading
	OperationModeL3S = "L3S"
	// OperationModeL3 will bypass iptables rules on the host
	OperationModeL3 = "L3"
)
// Envoy option names
const (
	// HTTP403Message specifies the response body for 403 responses, defaults to "Access denied"
	HTTP403Message = "http-403-msg"
	// HTTPRequestTimeout specifies the time in seconds after which forwarded requests time out
	HTTPRequestTimeout = "http-request-timeout"
	// HTTPIdleTimeout specifies the time in seconds an http stream may be idle after which the
	// request times out
	HTTPIdleTimeout = "http-idle-timeout"
	// HTTPMaxGRPCTimeout specifies the maximum time in seconds that limits the values of
	// "grpc-timeout" headers being honored.
	HTTPMaxGRPCTimeout = "http-max-grpc-timeout"
	// HTTPRetryCount specifies the number of retries performed after a forwarded request fails
	HTTPRetryCount = "http-retry-count"
	// HTTPRetryTimeout is the time in seconds before an uncompleted request is retried.
	HTTPRetryTimeout = "http-retry-timeout"
	// ProxyConnectTimeout specifies the time in seconds after which a TCP connection attempt
	// is considered timed out
	ProxyConnectTimeout = "proxy-connect-timeout"
)
// GetTunnelModes returns all tunnel modes as a single comma-separated
// string ("vxlan, geneve, disabled"), suitable for flag help text.
func GetTunnelModes() string {
	modes := []string{TunnelVXLAN, TunnelGeneve, TunnelDisabled}
	return strings.Join(modes, ", ")
}
// getEnvName returns the environment variable name for the given option name:
// dashes become underscores, the result is upper-cased and prefixed with
// ciliumEnvPrefix, e.g. "kvstore-opt" -> "CILIUM_KVSTORE_OPT".
func getEnvName(option string) string {
	snake := strings.Replace(option, "-", "_", -1)
	return ciliumEnvPrefix + strings.ToUpper(snake)
}
// RegisteredOptions is the set of option names that have been bound to viper
// via BindEnv or BindEnvWithLegacyEnvFallback. It is a plain map with no
// locking, so registration is expected to happen from a single goroutine
// during startup.
var RegisteredOptions = make(map[string]struct{})
// BindEnv binds the option name to a deterministically generated environment
// variable derived from optName (see getEnvName). Binding the same optName
// more than once panics via registerOpt.
func BindEnv(optName string) {
	registerOpt(optName)
	// viper.BindEnv reports an error only for an empty key, which registerOpt
	// has already rejected with a panic, so the error carries nothing here.
	_ = viper.BindEnv(optName, getEnvName(optName))
}
// BindEnvWithLegacyEnvFallback binds the given option name with either the same
// environment variable as BindEnv, if it's set, or with the given legacyEnvName.
//
// The function is used to work around the viper.BindEnv limitation that only
// one environment variable can be bound for an option, and we need multiple
// environment variables due to backward compatibility reasons.
func BindEnvWithLegacyEnvFallback(optName, legacyEnvName string) {
	registerOpt(optName)
	// Prefer the generated CILIUM_* variable; an unset or empty value falls
	// through to the legacy name (os.Getenv does not tell the two apart).
	envName := legacyEnvName
	if generated := getEnvName(optName); os.Getenv(generated) != "" {
		envName = generated
	}
	viper.BindEnv(optName, envName)
}
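// registerOpt records optName in RegisteredOptions so that a later BindEnv or
// BindEnvWithLegacyEnvFallback call for the same name is detected.
//
// It panics when optName is empty or has already been registered; both are
// programming errors in option setup rather than runtime conditions. The two
// cases get distinct messages so an empty name is not reported as a
// duplicate. RegisteredOptions is an unsynchronized map, so callers must not
// register concurrently.
func registerOpt(optName string) {
	if optName == "" {
		panic(fmt.Errorf("option name must not be empty"))
	}
	if _, ok := RegisteredOptions[optName]; ok {
		panic(fmt.Errorf("option already registered: %s", optName))
	}
	RegisteredOptions[optName] = struct{}{}
}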
// LogRegisteredOptions logs every option bound to viper, sorted by name, as
// " --name='value'" at Info level on entry.
//
// NOTE(review): values are taken from viper and logged verbatim, so any
// registered option whose value carries a credential would land in the log
// at startup — confirm none of the registered options do, or redact here.
func LogRegisteredOptions(entry *logrus.Entry) {
	names := make([]string, 0, len(RegisteredOptions))
	for name := range RegisteredOptions {
		names = append(names, name)
	}
	// Map iteration order is random; sort for stable, diffable log output.
	sort.Strings(names)
	for _, name := range names {
		entry.Infof(" --%s='%s'", name, viper.GetString(name))
	}
}
// IpvlanConfig is the configuration used by Daemon when in ipvlan mode.
type IpvlanConfig struct {
	// MasterDeviceIndex is the interface index of the ipvlan master device
	// (presumably resolved from the IpvlanMasterDevice option; confirm in the caller).
	MasterDeviceIndex int
	// OperationMode is one of OperationModeL3S or OperationModeL3.
	OperationMode string
}
// DaemonConfig is the configuration used by Daemon.
type DaemonConfig struct {
BpfDir string // BPF template files directory
LibDir string // Cilium library files directory
RunDir string // Cilium runtime directory
NAT46Prefix *net.IPNet // NAT46 IPv6 Prefix
Device string // Receive device
DevicePreFilter string // XDP device
ModePreFilter string // XDP mode, values: { native | generic }
HostV4Addr net.IP // Host v4 address of the snooping device
HostV6Addr net.IP // Host v6 address of the snooping device
LBInterface string // Set with name of the interface to loadbalance packets from
EncryptInterface string // Set with name of network facing interface to encrypt
Workloads []string // List of Workloads set by the user to used by cilium.
Ipvlan IpvlanConfig // Ipvlan related configuration
DatapathMode string // Datapath mode
Tunnel string // Tunnel mode
DryMode bool // Do not create BPF maps, devices, ..
// RestoreState enables restoring the state from previous running daemons.
RestoreState bool
// EnableHostIPRestore enables restoring the host IPs based on state
// left behind by previous Cilium runs.
EnableHostIPRestore bool
KeepConfig bool // Keep configuration of existing endpoints when starting up.
KeepTemplates bool // Do not overwrite the template files
// AllowLocalhost defines when to allows the local stack to local endpoints
// values: { auto | always | policy }
AllowLocalhost string
// StateDir is the directory where runtime state of endpoints is stored
StateDir string
// Options changeable at runtime
Opts *IntOptions
// Mutex for serializing configuration updates to the daemon.
ConfigPatchMutex lock.RWMutex
// Monitor contains the configuration for the node monitor.
Monitor *models.MonitorStatus
// AccessLog is the path to the access log of supported L7 requests observed.
AccessLog string
// AgentLabels contains additional labels to identify this agent in monitor events.
AgentLabels []string
// IPv6ClusterAllocCIDR is the base CIDR used to allocate IPv6 node
// CIDRs if allocation is not performed by an orchestration system
IPv6ClusterAllocCIDR string
// IPv6ClusterAllocCIDRBase is derived from IPv6ClusterAllocCIDR and
// contains the CIDR without the mask, e.g. "fdfd::1/64" -> "fdfd::"
//
// This variable should never be written to, it is initialized via
// DaemonConfig.Validate()
IPv6ClusterAllocCIDRBase string
// K8sRequireIPv4PodCIDR requires the k8s node resource to specify the
// IPv4 PodCIDR. Cilium will block bootstrapping until the information
// is available.
K8sRequireIPv4PodCIDR bool
// K8sRequireIPv6PodCIDR requires the k8s node resource to specify the
// IPv6 PodCIDR. Cilium will block bootstrapping until the information
// is available.
K8sRequireIPv6PodCIDR bool
// K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP
// status in kube-apiserver.
K8sForceJSONPatch bool
// K8sWatcherQueueSize is the queue size used to serialize each k8s event
// type.
K8sWatcherQueueSize uint
// MTU is the maximum transmission unit of the underlying network
MTU int
// ClusterName is the name of the cluster
ClusterName string
// ClusterID is the unique identifier of the cluster
ClusterID int
// ClusterMeshConfig is the path to the clustermesh configuration directory
ClusterMeshConfig string
// CTMapEntriesGlobalTCP is the maximum number of conntrack entries
// allowed in each TCP CT table for IPv4/IPv6.
CTMapEntriesGlobalTCP int
// CTMapEntriesGlobalAny is the maximum number of conntrack entries
// allowed in each non-TCP CT table for IPv4/IPv6.
CTMapEntriesGlobalAny int
// CTMapEntriesTimeout* values configured by the user.
CTMapEntriesTimeoutTCP time.Duration
CTMapEntriesTimeoutAny time.Duration
CTMapEntriesTimeoutSVCTCP time.Duration
CTMapEntriesTimeoutSVCAny time.Duration
CTMapEntriesTimeoutSYN time.Duration
CTMapEntriesTimeoutFIN time.Duration
// PolicyMapMaxEntries is the maximum number of peer identities that an
// endpoint may allow traffic to exchange traffic with.
PolicyMapMaxEntries int
// DisableCiliumEndpointCRD disables the use of CiliumEndpoint CRD
DisableCiliumEndpointCRD bool
// MaxControllerInterval is the maximum value for a controller's
// RunInterval. Zero means unlimited.
MaxControllerInterval int
// UseSingleClusterRoute specifies whether to use a single cluster route
// instead of per-node routes.
UseSingleClusterRoute bool
// HTTP403Message is the error message to return when a HTTP 403 is returned
// by the proxy, if L7 policy is configured.
HTTP403Message string
// HTTPRequestTimeout is the time in seconds after which Envoy responds with an
// error code on a request that has not yet completed. This needs to be longer
// than the HTTPIdleTimeout
HTTPRequestTimeout int
// HTTPIdleTimeout is the time in seconds of a HTTP stream having no traffic after
// which Envoy responds with an error code. This needs to be shorter than the
// HTTPRequestTimeout
HTTPIdleTimeout int
// HTTPMaxGRPCTimeout is the upper limit to which "grpc-timeout" headers in GRPC
// requests are honored by Envoy. If 0 there is no limit. GRPC requests are not
// bound by the HTTPRequestTimeout, but ARE affected by the idle timeout!
HTTPMaxGRPCTimeout int
// HTTPRetryCount is the upper limit on how many times Envoy retries failed requests.
HTTPRetryCount int
// HTTPRetryTimeout is the time in seconds before an uncompleted request is retried.
HTTPRetryTimeout int
// ProxyConnectTimeout is the time in seconds after which Envoy considers a TCP
// connection attempt to have timed out.
ProxyConnectTimeout int
// BPFCompilationDebug specifies whether to compile BPF programs compilation
// debugging enabled.
BPFCompilationDebug bool
// EnvoyLogPath specifies where to store the Envoy proxy logs when Envoy
// runs in the same container as Cilium.
EnvoyLogPath string
// EnableSockOps specifies whether to enable sockops (socket lookup).
SockopsEnable bool
// PrependIptablesChains is the name of the option to enable prepending
// iptables chains instead of appending
PrependIptablesChains bool
// K8sNamespace is the name of the namespace in which Cilium is
// deployed in when running in Kubernetes mode
K8sNamespace string
// EnableIPv4 is true when IPv4 is enabled
EnableIPv4 bool
// EnableIPv6 is true when IPv6 is enabled
EnableIPv6 bool
// EnableIPSec is true when IPSec is enabled
EnableIPSec bool
// IPSec key file for stored keys
IPSecKeyFile string
// MonitorQueueSize is the size of the monitor event queue
MonitorQueueSize int
// CLI options
BPFRoot string
CGroupRoot string
BPFCompileDebug string
ConfigFile string
ConfigDir string
ContainerRuntimeEndpoint map[string]string
Debug bool
DebugVerbose []string
DisableConntrack bool
DisableK8sServices bool
EnableLegacyServices bool
DockerEndpoint string
EnablePolicy string
EnableTracing bool
EnvoyLog string
DisableEnvoyVersionCheck bool
FixedIdentityMapping map[string]string
FixedIdentityMappingValidator func(val string) (string, error)
IPv4ClusterCIDRMaskSize int
IPv4Range string
IPv6Range string
IPv4ServiceRange string
IPv6ServiceRange string
K8sAPIServer string
K8sKubeConfigPath string
K8sWatcherEndpointSelector string
KVStore string
KVStoreOpt map[string]string
LabelPrefixFile string
Labels []string
LogDriver []string
LogOpt map[string]string
Logstash bool
LogSystemLoadConfig bool
NAT46Range string
// Masquerade specifies whether or not to masquerade packets from endpoints
// leaving the host.
Masquerade bool
InstallIptRules bool
MonitorAggregation string
PreAllocateMaps bool
IPv6NodeAddr string
IPv4NodeAddr string
SidecarHTTPProxy bool
SidecarIstioProxyImage string
SocketPath string
TracePayloadlen int
Version string
PProf bool
PrometheusServeAddr string
CMDRefDir string
ToFQDNsMinTTL int
// ToFQDNsProxyPort is the user-configured global, shared, DNS listen port used
// by the DNS Proxy. Both UDP and TCP are handled on the same port. When it
// is 0 a random port will be assigned, and can be obtained from
// DefaultDNSProxy below.
ToFQDNsProxyPort int
// ToFQDNsEnablePoller enables the DNS poller that polls toFQDNs.matchName
ToFQDNsEnablePoller bool
// ToFQDNsEnablePollerEvents controls sending a monitor event for each DNS
// response the DNS poller sees
ToFQDNsEnablePollerEvents bool
// ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain
// for each FQDN name in an endpoint's FQDN cache
ToFQDNsMaxIPsPerHost int
// FQDNRejectResponse is the dns-proxy response returned for an invalid dns-proxy request
FQDNRejectResponse string
// Path to a file with DNS cache data to preload on startup
ToFQDNsPreCache string
// HostDevice will be device used by Cilium to connect to the outside world.
HostDevice string
// FlannelMasterDevice installs a BPF program in the given interface
// to allow for policy enforcement mode on top of flannel.
FlannelMasterDevice string
// FlannelUninstallOnExit removes the BPF programs that were installed by
// Cilium on all interfaces created by the flannel.
FlannelUninstallOnExit bool
// FlannelManageExistingContainers sets whether Cilium should install the BPF
// programs on already running interfaces created by flannel. Requires
// Cilium to be running in the hostPID namespace.
FlannelManageExistingContainers bool
// EnableAutoDirectRouting enables installation of direct routes to
// other nodes when available
EnableAutoDirectRouting bool
// EnableHealthChecking enables health checking between nodes and
// health endpoints
EnableHealthChecking bool
// KVstorePeriodicSync is the time interval in which periodic
// synchronization with the kvstore occurs
KVstorePeriodicSync time.Duration
// IdentityChangeGracePeriod is the grace period that needs to pass
// before an endpoint that has changed its identity will start using
// that new identity. During the grace period, the new identity has
// already been allocated and other nodes in the cluster have a chance
// to whitelist the new upcoming identity of the endpoint.
IdentityChangeGracePeriod time.Duration
// PolicyQueueSize is the size of the queues for the policy repository.
// A larger queue means that more events related to policy can be buffered.
PolicyQueueSize int
// EndpointQueueSize is the size of the EventQueue per-endpoint. A larger
// queue means that more events can be buffered per-endpoint. This is useful
// in the case where a cluster might be under high load for endpoint-related
// events, specifically those which cause many regenerations.
EndpointQueueSize int
// SelectiveRegeneration, when true, enables the functionality to only
// regenerate endpoints which are selected by the policy rules that have
// been changed (added, deleted, or updated). If false, then all endpoints
// are regenerated upon every policy change regardless of the scope of the
// policy change.
SelectiveRegeneration bool
// ConntrackGCInterval is the connection tracking garbage collection
// interval
ConntrackGCInterval time.Duration
// K8sEventHandover enables use of the kvstore to optimize Kubernetes
// event handling by listening for k8s events in the operator and
// mirroring it into the kvstore for reduced overhead in large
// clusters.
K8sEventHandover bool
// MetricsConfig is the configuration set in metrics
MetricsConfig metrics.Configuration
}
// Config represents the daemon configuration. It is the process-wide
// DaemonConfig instance, pre-populated with the package defaults; the
// map-typed fields are allocated here so that later writes into them do not
// hit a nil map.
var Config = &DaemonConfig{
	// Option library and monitor status are derived from the running host.
	Opts: NewIntOptions(&DaemonOptionLibrary),
	Monitor: &models.MonitorStatus{
		Cpus:     int64(runtime.NumCPU()),
		Npages:   64,
		Pagesize: int64(os.Getpagesize()),
		Lost:     0,
		Unknown:  0,
	},

	// Maps that flag parsing / callers may populate later.
	ContainerRuntimeEndpoint: make(map[string]string),
	FixedIdentityMapping:     make(map[string]string),
	KVStoreOpt:               make(map[string]string),
	LogOpt:                   make(map[string]string),

	// Everything else starts from the values in the defaults package.
	IPv6ClusterAllocCIDR:      defaults.IPv6ClusterAllocCIDR,
	IPv6ClusterAllocCIDRBase:  defaults.IPv6ClusterAllocCIDRBase,
	EnableHostIPRestore:       defaults.EnableHostIPRestore,
	EnableHealthChecking:      defaults.EnableHealthChecking,
	EnableIPv4:                defaults.EnableIPv4,
	EnableIPv6:                defaults.EnableIPv6,
	ToFQDNsMaxIPsPerHost:      defaults.ToFQDNsMaxIPsPerHost,
	KVstorePeriodicSync:       defaults.KVstorePeriodicSync,
	IdentityChangeGracePeriod: defaults.IdentityChangeGracePeriod,
	SelectiveRegeneration:     defaults.SelectiveRegeneration,
}
// IsLBEnabled reports whether load balancing should be enabled, which is the
// case exactly when an LB interface name has been configured.
func (c *DaemonConfig) IsLBEnabled() bool {
	return len(c.LBInterface) > 0
}
// GetNodeConfigPath returns the full path of the NodeConfigFile, which is
// located inside the globals directory (see GetGlobalsDir).
func (c *DaemonConfig) GetNodeConfigPath() string {
	globalsDir := c.GetGlobalsDir()
	return filepath.Join(globalsDir, common.NodeConfigFile)
}
// GetGlobalsDir returns the path for the globals directory, the "globals"
// subdirectory of the configured StateDir.
func (c *DaemonConfig) GetGlobalsDir() string {
	const globalsSubdir = "globals"
	return filepath.Join(c.StateDir, globalsSubdir)
}
// WorkloadsEnabled returns true if any workload runtimes are enabled: the
// Workloads list must be non-empty and must not contain the "none" entry,
// which disables workload integration regardless of the other entries.
func (c *DaemonConfig) WorkloadsEnabled() bool {
	if len(c.Workloads) == 0 {
		return false
	}
	for i := range c.Workloads {
		if c.Workloads[i] == "none" {
			return false
		}
	}
	return true
}
// AlwaysAllowLocalhost returns true if the daemon has the option set that
// localhost can always reach local endpoints. Only AllowLocalhostAlways
// yields true; AllowLocalhostAuto, AllowLocalhostPolicy and any other value
// yield false, so localhost access then stays subject to policy.
func (c *DaemonConfig) AlwaysAllowLocalhost() bool {
	return c.AllowLocalhost == AllowLocalhostAlways
}
// TracingEnabled reports whether policy tracing (outlining which rules apply
// to a specific set of labels) is switched on in the daemon's option library.
func (c *DaemonConfig) TracingEnabled() bool {
	opts := c.Opts
	return opts.IsEnabled(PolicyTracing)
}
// IsFlannelMasterDeviceSet reports whether a flannel master device has been
// configured, i.e. FlannelMasterDevice is a non-empty interface name.
func (c *DaemonConfig) IsFlannelMasterDeviceSet() bool {
	return c.FlannelMasterDevice != ""
}
func (c *DaemonConfig) validateIPv6ClusterAllocCIDR() error {
ip, cidr, err := net.ParseCIDR(c.IPv6ClusterAllocCIDR)
if err != nil {
return err
}