Cilium Agent Hive

Documentation/cmdref/cilium-agent_hive.md

<!-- This file was autogenerated via cilium-agent cmdref, do not edit manually-->

cilium-agent hive

Inspect the hive

cilium-agent hive [flags]

Options

      --agent-health-port int                                     TCP port for agent health status API (default 9879)
      --agent-health-require-k8s-connectivity                     Require Kubernetes connectivity in agent health endpoint (default true)
      --agent-labels strings                                      Additional labels to identify this agent in monitor events
      --agent-liveness-update-interval duration                   Interval at which the agent updates liveness time for the datapath (default 1s)
      --alibabacloud-security-group-tags stringToString           List of tags to use when evaluating what security groups to use for the ENI at the node level (default [])
      --alibabacloud-security-groups strings                      List of security groups to attach to any ENI that is created and attached to the instance at the node level
      --alibabacloud-vswitch-tags stringToString                  List of tags to use when evaluating what VSwitches to use for ENI and IP allocation at the node level (default [])
      --alibabacloud-vswitches strings                            List of VSwitches to use for ENI and IP allocation at the node level
      --api-rate-limit string                                     API rate limiting configuration (example: --api-rate-limit endpoint-create=rate-limit:10/m,rate-burst:2)
      --azure-interface-name string                               InterfaceName the cilium-operator will use to allocate all the IPs on at the node level
      --bpf-lb-algorithm string                                   BPF load balancing algorithm ("random", "maglev") (default "random")
      --bpf-lb-algorithm-annotation                               Enable service-level annotation for configuring BPF load balancing algorithm
      --bpf-lb-dsr-dispatch string                                BPF load balancing DSR dispatch method ("opt", "ipip", "geneve") (default "opt")
      --bpf-lb-external-clusterip                                 Enable external access to ClusterIP services (default false)
      --bpf-lb-maglev-hash-seed string                            Maglev cluster-wide hash seed (base64 encoded) (default "JLfvgnHc2kaSUFaI")
      --bpf-lb-maglev-table-size uint                             Maglev per service backend table size (parameter M, one of: [251 509 1021 2039 4093 8191 16381 32749 65521 131071]) (default 16381)
      --bpf-lb-map-max int                                        Maximum number of entries in Cilium BPF lbmap (default 65536)
      --bpf-lb-mode string                                        BPF load balancing mode ("snat", "dsr", "hybrid") (default "snat")
      --bpf-lb-mode-annotation                                    Enable service-level annotation for configuring BPF load balancing mode
      --bpf-lb-sock                                               Enable socket-based LB for E/W traffic
      --bpf-lb-source-range-all-types                             Propagate loadbalancerSourceRanges to all corresponding service types
      --bpf-node-map-max uint32                                   Sets size of node bpf map which will be the max number of unique Node IPs in the cluster (default 16384)
      --bpf-policy-map-max int                                    Maximum number of entries in endpoint policy map (per endpoint) (default 16384)
      --bpf-policy-map-pressure-metrics-threshold float           Sets threshold for emitting pressure metrics of policy maps (default 0.1)
      --bpf-policy-stats-map-max int                              Maximum number of entries in bpf policy stats map (default 65536)
      --bpf-sock-rev-map-max int                                  Maximum number of entries for the SockRevNAT BPF map
      --certificates-directory string                             Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs")
      --cluster-id uint32                                         Unique identifier of the cluster
      --cluster-name string                                       Name of the cluster. It must consist of at most 32 lower case alphanumeric characters and '-', start and end with an alphanumeric character. (default "default")
      --clustermesh-cache-ttl duration                            The time to live for the cache of a remote cluster after connectivity is lost. If the connection is not re-established within this duration, the cached data is revoked to prevent stale state. If not specified or set to 0s, the cache is never revoked.
      --clustermesh-config string                                 Path to the ClusterMesh configuration directory
      --clustermesh-sync-timeout duration                         Timeout waiting for the initial synchronization of information from remote clusters (default 1m0s)
      --cni-chaining-mode string                                  Enable CNI chaining with the specified plugin (default "none")
      --cni-chaining-target string                                CNI network name into which to insert the Cilium chained configuration. Use '*' to select any network.
      --cni-exclusive                                             Whether to remove other CNI configurations
      --cni-external-routing                                      Whether the chained CNI plugin handles routing on the node
      --cni-log-file string                                       Path where the CNI plugin should write logs (default "/var/run/cilium/cilium-cni.log")
      --conntrack-gc-interval duration                            Overwrite the connection-tracking garbage collection interval
      --conntrack-gc-max-interval duration                        Set the maximum interval for the connection-tracking garbage collection
      --controller-group-metrics strings                          List of controller group names for which to enable metrics. Accepts 'all' and 'none'. The set of controller group names available is not guaranteed to be stable between Cilium versions.
      --crd-wait-timeout duration                                 Cilium will exit if CRDs are not available within this duration upon startup (default 5m0s)
      --default-lb-service-ipam string                            Indicates the default LoadBalancer Service IPAM when no LoadBalancer class is set. Applicable values: lbipam, nodeipam, none (default "lbipam")
      --devices strings                                           List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'; supports '!' to exclude devices, e.g. '!eth+' excludes any device with prefix 'eth'. Note '!' says nothing about which ones to include. A device must match other criteria to be selected; the filters are matched in order and whichever matches first wins.
      --direct-routing-device string                              Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)
      --disable-envoy-version-check                               Do not perform Envoy version check
      --disable-iptables-feeder-rules strings                     Chains to ignore when installing feeder rules.
      --dns-max-ips-per-restored-rule int                         Maximum number of IPs to maintain for each restored DNS rule (default 1000)
      --dnsproxy-concurrency-processing-grace-period duration     Grace time to wait when DNS proxy concurrent limit has been reached during DNS message processing
      --dynamic-lifecycle-config string                           List of dynamic lifecycle features and their configuration including the dependencies (default "[]")
      --egress-gateway-policy-map-max int                         Maximum number of entries in egress gateway policy map (default 16384)
      --egress-gateway-reconciliation-trigger-interval duration   Time between triggers of egress gateway state reconciliations (default 1s)
      --enable-active-connection-tracking                         Count open and active connections to services, grouped by zones defined in fixed-zone-mapping.
      --enable-bandwidth-manager                                  Enable BPF bandwidth manager
      --enable-bbr                                                Enable BBR for the bandwidth manager
      --enable-bbr-hostns-only                                    Enable BBR only in the host network namespace.
      --enable-bgp-legacy-origin-attribute                        Enable LoadBalancerIP routes to be advertised with BGP Origin Attribute set to INCOMPLETE
      --enable-cilium-api-server-access strings                   List of cilium API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-cilium-health-api-server-access strings            List of cilium health API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-drift-checker                                      Enables support for config drift checker (default true)
      --enable-dynamic-config                                     Enables support for dynamic agent config (default true)
      --enable-dynamic-lifecycle-manager                          Enables support for dynamic lifecycle management
      --enable-endpoint-health-checking                           Enable connectivity health checking between virtual endpoints (default true)
      --enable-gateway-api                                        Enables Envoy secret sync for Gateway API related TLS secrets
      --enable-gops                                               Enable gops server (default true)
      --enable-health-check-loadbalancer-ip                       Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs --enable-health-check-nodeport to be enabled
      --enable-health-check-nodeport                              Enables a healthcheck nodePort server for NodePort services with 'healthCheckNodePort' being set (default true)
      --enable-health-checking                                    Enable connectivity health checking (default true)
      --enable-hubble                                             Enable hubble server
      --enable-hubble-open-metrics                                Enable exporting hubble metrics in OpenMetrics format.
      --enable-ingress-controller                                 Enables Envoy secret sync for Ingress controller related TLS secrets
      --enable-ip-masq-agent                                      Enable BPF ip-masq-agent
      --enable-ipsec                                              Enable IPsec
      --enable-ipsec-key-watcher                                  Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations. (default true)
      --enable-ipv4-big-tcp                                       Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
      --enable-ipv6-big-tcp                                       Enable IPv6 BIG TCP option which increases device's maximum GRO/GSO limits for IPv6
      --enable-k8s                                                Enable the k8s clientset (default true)
      --enable-k8s-api-discovery                                  Enable discovery of Kubernetes API groups and resources with the discovery API
      --enable-l2-neigh-discovery                                 Enables L2 neighbor discovery used by kube-proxy-replacement and IPsec
      --enable-l2-pod-announcements                               Enable announcing Pod IPs with Gratuitous ARP and NDP
      --enable-lb-ipam                                            Enable LB IPAM (default true)
      --enable-monitor                                            Enable the monitor unix domain socket server (default true)
      --enable-no-service-endpoints-routable                      Enable routes when service has 0 endpoints (default true)
      --enable-node-ipam                                          Enable Node IPAM
      --enable-policy-secrets-sync                                Enables Envoy secret sync for Secrets used in CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy
      --enable-route-mtu-for-cni-chaining                         Enable route MTU for pod netns when CNI chaining is used
      --enable-service-topology                                   Enable support for service topology aware hints
      --enable-standalone-dns-proxy                               Enables standalone DNS proxy
      --enable-well-known-identities                              Enable well-known identities for known Kubernetes components (default true)
      --enable-wireguard                                          Enable WireGuard
      --enable-xt-socket-fallback                                 Enable fallback for missing xt_socket module (default true)
      --enable-ztunnel                                            Use zTunnel as Cilium's encryption infrastructure
      --endpoint-bpf-prog-watchdog-interval duration              Interval to trigger endpoint BPF programs load check watchdog (default 30s)
      --endpoint-policy-update-timeout duration                   Timeout duration for Endpoint policy updates (default 10s)
      --endpoint-regen-interval duration                          Periodically recalculate and re-apply endpoint configuration. Set to 0 to disable (default 2m0s)
      --eni-delete-on-termination                                 Whether the ENI should be deleted when the associated instance is terminated at the node level (default true)
      --eni-disable-prefix-delegation                             Whether ENI prefix delegation should be disabled on this node at the node level
      --eni-exclude-interface-tags stringToString                 List of tags to use when excluding ENIs for Cilium IP allocation at the node level (default [])
      --eni-first-interface-index int                             Index of the first ENI to use for IP allocation at the node level
      --eni-security-group-tags stringToString                    List of tags to use when evaluating what AWS security groups to use for the ENI at the node level (default [])
      --eni-security-groups strings                               List of security groups to attach to any ENI that is created and attached to the instance at the node level
      --eni-subnet-ids strings                                    List of subnet ids to use when evaluating what AWS subnets to use for ENI and IP allocation at the node level
      --eni-subnet-tags stringToString                            List of tags to use when evaluating what AWS subnets to use for ENI and IP allocation at the node level (default [])
      --eni-use-primary-address                                   Whether an ENI's primary address should be available for allocations on the node at the node level
      --envoy-access-log-buffer-size uint                         Envoy access log buffer size in bytes (default 4096)
      --envoy-base-id uint                                        Envoy base ID
      --envoy-config-retry-interval duration                      Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated. (default 15s)
      --envoy-config-timeout duration                             Timeout that determines how long to wait for Envoy to N/ACK CiliumEnvoyConfig resources (default 2m0s)
      --envoy-default-log-level string                            Default log level of Envoy application log that is configured if Cilium debug / verbose logging isn't enabled. If not defined, the default log level of the Cilium Agent is used.
      --envoy-http-upstream-linger-timeout int                    Time in seconds to block Envoy worker thread while an upstream HTTP connection is closing. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background. (default -1)
      --envoy-keep-cap-netbindservice                             Keep capability NET_BIND_SERVICE for Envoy process
      --envoy-log string                                          Path to a separate Envoy log file, if any
      --envoy-policy-restore-timeout duration                     Maximum time to wait for endpoint policy restoration before starting serving resources to Envoy (default 3m0s)
      --envoy-secrets-namespace string                            EnvoySecretsNamespace is the namespace having secrets used by CEC
      --force-device-detection                                    Forces the auto-detection of devices, even if specific devices are explicitly listed
      --gateway-api-secrets-namespace string                      GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC, originating from Gateway API
      --gops-port uint16                                          Port for gops server to listen on (default 9890)
  -h, --help                                                      help for hive
      --http-idle-timeout uint                                    Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)
      --http-max-grpc-timeout uint                                Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)
      --http-normalize-path                                       Use Envoy HTTP path normalization options, which currently includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and redirecting for paths that contain escaped slashes. These are necessary to keep path based access control functional, and should not interfere with normal operation. Set this to false only with caution. (default true)
      --http-request-timeout uint                                 Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)
      --http-retry-count uint                                     Number of retries performed after a forwarded request attempt fails (default 3)
      --http-retry-timeout uint                                   Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)
      --http-stream-idle-timeout uint                             Amount of time in seconds that the Envoy connection manager will allow a stream to exist with no upstream or downstream activity. (default 300)
      --hubble-disable-tls                                        Allow Hubble server to run on the given listen address without TLS. (default true)
      --hubble-drop-events                                        Emit packet drop Events related to pods (alpha)
      --hubble-drop-events-extended                               Include L4 network policies in drop event message
      --hubble-drop-events-interval duration                      Minimum time between emitting same events (default 2m0s)
      --hubble-drop-events-rate-limit int                         Rate limit for the drop event emitter in events per second (0 for no rate limit) (default 1)
      --hubble-drop-events-reasons strings                        Drop reasons to emit events for (default [auth_required,policy_denied])
      --hubble-dynamic-metrics-config-path string                 Filepath with dynamic configuration of hubble metrics.
      --hubble-event-buffer-capacity int                          Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535 (ie: 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
      --hubble-event-queue-size int                               Buffer size of the channel to receive monitor events.
      --hubble-export-aggregation-interval duration               Interval at which to aggregate before exporting Hubble flows. 0s disables aggregation.
      --hubble-export-allowlist string                            Specify allowlist as JSON encoded FlowFilters to Hubble exporter.
      --hubble-export-denylist string                             Specify denylist as JSON encoded FlowFilters to Hubble exporter.
      --hubble-export-fieldaggregate strings                      Specify list of fields to use for aggregation in Hubble exporter. Empty list disables aggregation.
      --hubble-export-fieldmask strings                           Specify list of fields to use for field mask in Hubble exporter.
      --hubble-export-file-compress                               Compress rotated Hubble export files.
      --hubble-export-file-max-backups int                        Number of rotated Hubble export files to keep. (default 5)
      --hubble-export-file-max-size-mb int                        Size in MB at which to rotate Hubble export file. (default 10)
      --hubble-export-file-path stdout                            Filepath to write Hubble events to. By specifying stdout the flows are logged instead of written to a rotated file.
      --hubble-flowlogs-config-path string                        Filepath with configuration of hubble flowlogs
      --hubble-listen-address string                              An additional address for Hubble server to listen to, e.g. ":4244"
      --hubble-lost-event-send-interval duration                  Interval at which lost events are sent from the Observer server, if any. (default 1s)
      --hubble-metrics string                                     List of Hubble metrics to enable.
      --hubble-metrics-server string                              Address to serve Hubble metrics on.
      --hubble-metrics-server-enable-tls                          Run the Hubble metrics server on the given listen address with TLS.
      --hubble-metrics-server-tls-cert-file string                Path to the public key file for the Hubble metrics server. The file must contain PEM encoded data.
      --hubble-metrics-server-tls-client-ca-files strings         Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.
      --hubble-metrics-server-tls-key-file string                 Path to the private key file for the Hubble metrics server. The file must contain PEM encoded data.
      --hubble-monitor-events strings                             Cilium monitor events for Hubble to observe: [drop debug capture trace policy-verdict trace-sock l7 agent]. By default, Hubble observes all monitor events.
      --hubble-network-policy-correlation-enabled                 Enable network policy correlation of Hubble flows (default true)
      --hubble-prefer-ipv6                                        Prefer IPv6 addresses for announcing nodes when both address types are available.
      --hubble-redact-enabled                                     Hubble redact sensitive information from flows
      --hubble-redact-http-headers-allow strings                  HTTP headers to keep visible in flows
      --hubble-redact-http-headers-deny strings                   HTTP headers to redact from flows
      --hubble-redact-http-urlquery                               Hubble redact http URL query from flows
      --hubble-redact-http-userinfo                               Hubble redact http user info from flows (default true)
      --hubble-skip-unknown-cgroup-ids                            Skip Hubble events with unknown cgroup ids (default true)
      --hubble-socket-path string                                 Set hubble's socket path to listen for connections (default "/var/run/cilium/hubble.sock")
      --hubble-tls-cert-file string                               Path to the public key file for the Hubble server. The file must contain PEM encoded data.
      --hubble-tls-client-ca-files strings                        Paths to one or more public key files of client CA certificates to use for TLS with mutual authentication (mTLS). The files must contain PEM encoded data. When provided, this option effectively enables mTLS.
      --hubble-tls-key-file string                                Path to the private key file for the Hubble server. The file must contain PEM encoded data.
      --identity-allocation-sync-interval duration                Periodic synchronization interval of the allocated identities (default 5m0s)
      --identity-allocation-timeout duration                      Timeout for identity allocation operations (default 2m0s)
      --identity-management-mode string                           Configure whether Cilium Identities are managed by cilium-agent, cilium-operator, or both (default "agent")
      --ignore-flags-drift-checker strings                        Ignores specified flags during drift checking
      --ingress-secrets-namespace string                          IngressSecretsNamespace is the namespace having tls secrets used by CEC, originating from Ingress controller
      --ip-masq-agent-config-path string                          ip-masq-agent configuration file path (default "/etc/config/ip-masq-agent")
      --ipam-max-allocate int                                     Maximum number of IPs that can be allocated at the node level
      --ipam-min-allocate int                                     Minimum number of IPs that must be allocated when the node is first bootstrapped at the node level
      --ipam-pre-allocate int                                     Number of IP addresses that must be available for allocation in the IPAMspec at the node level
      --ipam-static-ip-tags stringToString                        List of tags to determine the pool of IPs from which to attribute a static IP to the node at the node level, this currently works with AWS and Azure (default [])
      --ipsec-key-file string                                     Path to IPsec key file
      --ipsec-key-rotation-duration duration                      Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. (default 5m0s)
      --iptables-lock-timeout duration                            Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
      --iptables-random-fully                                     Set iptables flag random-fully on masquerading rules
      --ipv4-service-loopback-address string                      IPv4 source address to use for SNAT when a Pod talks to itself over a Service. (default "169.254.42.1")
      --ipv6-service-loopback-address string                      IPv6 source address to use for SNAT when a Pod talks to itself over a Service. (default "fe80::1")
      --k8s-api-server-urls strings                               Kubernetes API server URLs
      --k8s-client-burst int                                      Burst value allowed for the K8s client (default 20)
      --k8s-client-connection-keep-alive duration                 Configures the keep alive duration of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-connection-timeout duration                    Configures the timeout of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-qps float32                                    Queries per second limit for the K8s client (default 10)
      --k8s-heartbeat-timeout duration                            Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string                                Absolute path of the kubernetes kubeconfig file
      --k8s-service-proxy-name string                             Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)
      --kube-proxy-replacement                                    Enable kube-proxy replacement
      --kube-proxy-replacement-healthz-bind-address string        The IP address with port for kube-proxy replacement health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable.
      --kvstore string                                            Key-value store type
      --kvstore-lease-ttl duration                                Time-to-live for the KVstore lease. (default 15m0s)
      --kvstore-max-consecutive-quorum-errors uint                Max acceptable kvstore consecutive quorum errors before recreating the etcd connection (default 2)
      --kvstore-opt stringToString                                Key-value store options e.g. etcd.address=127.0.0.1:4001 (default [])
      --l2-pod-announcements-interface-pattern string             Regex matching interfaces used for sending gratuitous ARP and NDP messages
      --lb-state-file string                                      Synchronize load-balancing state from the specified file
      --lrp-address-matcher-cidrs strings                         Limit address matches to specific CIDRs
      --max-connected-clusters uint32                             Maximum number of clusters to be connected in a clustermesh. Increasing this value will reduce the maximum number of identities available. Valid configurations are [255, 511]. (default 255)
      --mesh-auth-enabled                                         Enable authentication processing & garbage collection (beta)
      --mesh-auth-gc-interval duration                            Interval in which auth entries are attempted to be garbage collected (default 5m0s)
      --mesh-auth-mutual-connect-timeout duration                 Timeout for connecting to the remote node TCP socket (default 5s)
      --mesh-auth-mutual-listener-port int                        Port on which the Cilium Agent will perform mutual authentication handshakes between other Agents
      --mesh-auth-queue-size int                                  Queue size for the auth manager (default 1024)
      --mesh-auth-rotated-identities-queue-size int               The size of the queue for signaling rotated identities. (default 1024)
      --mesh-auth-spiffe-trust-domain string                      The trust domain for the SPIFFE identity. (default "spiffe.cilium")
      --mesh-auth-spire-admin-socket string                       The path for the SPIRE admin agent Unix socket.
      --metrics strings                                           Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo, -metric_bar to disable metric_bar)
      --metrics-sampling-interval duration                        Set the internal metrics sampling interval (default 5m0s)
      --monitor-queue-size int                                    Size of the event queue when reading monitor events
      --mtu int                                                   Overwrite auto-detected MTU of underlying network
      --multicast-enabled                                         Enables multicast in Cilium
      --nat-map-stats-entries int                                 Number of top (k) stats entries to store locally in statedb (default 32)
      --nat-map-stats-interval duration                           Interval upon which nat maps are iterated for stats (default 30s)
      --node-encryption-opt-out-labels string                     Label selector for nodes which will opt-out of node-to-node encryption (default "node-role.kubernetes.io/control-plane")
      --node-port-range strings                                   Set the min/max NodePort port range (default [30000,32767])
      --nodeport-addresses strings                                A whitelist of CIDRs to limit which IPs are used for NodePort. If not set, primary IPv4 and/or IPv6 address of each native device is used.
      --only-masquerade-default-pool                              When using multi-pool IPAM, only masquerade flows from the default IP pool. This will preserve source IPs for pods from non-default IP pools. Useful when combining multi-pool IPAM with BGP control plane. This option must be combined with enable-bpf-masquerade.
      --packetization-layer-pmtud-mode string                     Enables kernel packetization layer path mtu discovery on Pod netns (if empty will use host setting) (default "blackhole")
      --policy-default-local-cluster                              Control whether policy rules assume by default the local cluster if not explicitly selected (default true)
      --policy-queue-size uint                                    Size of queue for policy-related events (default 100)
      --policy-secrets-namespace string                           PolicySecretsNamespace is the namespace having secrets used in CNP and CCNP
      --policy-secrets-only-from-secrets-namespace                Configures the agent to only read policy Secrets from the policy-secrets-namespace
      --pprof                                                     Enable serving pprof debugging API
      --pprof-address string                                      Address that pprof listens on (default "localhost")
      --pprof-block-profile-rate int                              Enable goroutine blocking profiling and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
      --pprof-mutex-profile-fraction int                          Enable mutex contention profiling and set the fraction of sampled events (set to 1 to sample all events)
      --pprof-port uint16                                         Port that pprof listens on (default 6060)
      --prepend-iptables-chains                                   Prepend custom iptables chains instead of appending (default true)
      --procfs string                                             Path to the host's proc filesystem mount (default "/proc")
      --prometheus-serve-addr string                              IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
      --proxy-admin-port int                                      Port to serve Envoy admin interface on.
      --proxy-cluster-max-connections uint32                      Maximum number of connections on Envoy clusters (default 1024)
      --proxy-cluster-max-requests uint32                         Maximum number of requests on Envoy clusters (default 1024)
      --proxy-connect-timeout uint                                Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 2)
      --proxy-gid uint                                            Group ID for proxy control plane sockets. (default 1337)
      --proxy-idle-timeout-seconds int                            Set Envoy upstream HTTP idle connection timeout in seconds. Does not apply to connections with pending requests. (default 60)
      --proxy-initial-fetch-timeout uint                          Time after which an xDS stream is considered timed out (in seconds) (default 30)
      --proxy-max-active-downstream-connections int               Set Envoy HTTP option max_active_downstream_connections (default 50000)
      --proxy-max-concurrent-retries uint32                       Maximum number of concurrent retries on Envoy clusters (default 128)
      --proxy-max-connection-duration-seconds int                 Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
      --proxy-max-requests-per-connection int                     Set Envoy HTTP option max_requests_per_connection. Default 0 (disable)
      --proxy-portrange-max uint16                                End of port range that is used to allocate ports for L7 proxies. (default 20000)
      --proxy-portrange-min uint16                                Start of port range that is used to allocate ports for L7 proxies. (default 10000)
      --proxy-prometheus-port int                                 Port to serve Envoy metrics on. Default 0 (disabled).
      --proxy-use-original-source-address                         Controls if Cilium's Envoy BPF metadata listener filter for L7 policy enforcement redirects should be configured to use original source address when extracting the metadata (doesn't affect Ingress/Gateway API). (default true)
      --proxy-xff-num-trusted-hops-egress uint32                  Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
      --proxy-xff-num-trusted-hops-ingress uint32                 Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
      --read-cni-conf string                                      CNI configuration file to use as a source for --write-cni-conf-when-ready. If not supplied, a suitable one will be generated.
      --restored-proxy-ports-age-limit uint                       Time after which a restored proxy ports file is considered stale (in minutes) (default 15)
      --shell-sock-path string                                    Path to the shell UNIX socket (default "/var/run/cilium/shell.sock")
      --standalone-dns-proxy-server-port int                      Global port on which the gRPC server for standalone DNS proxy should listen (default 10095)
      --static-cnp-path string                                    Directory path to watch and load static cilium network policy yaml files.
      --status-collector-failure-threshold duration               The duration after which a probe is considered failed (default 1m0s)
      --status-collector-interval duration                        The interval between probe invocations (default 5s)
      --status-collector-probe-check-timeout duration             The timeout after which all probes should have finished at least once (default 5m0s)
      --status-collector-stackdump-path string                    The path where probe stackdumps should be written to (default "/run/cilium/state/agent.stack.gz")
      --status-collector-warning-threshold duration               The duration after which a probe is declared as stale (default 15s)
      --tofqdns-enable-dns-compression                            Allow the DNS proxy to compress responses to endpoints that exceed 512 bytes, or the payload size advertised in the EDNS0 option if present (default true)
      --tofqdns-preallocate-identities                            Preallocate identities for ToFQDN selectors. This reduces proxied DNS response latency. Disable if you have many ToFQDN selectors. (default true)
      --tunnel-port uint16                                        Tunnel port (default 8472 for "vxlan" and 6081 for "geneve")
      --tunnel-protocol string                                    Encapsulation protocol to use for the overlay ("vxlan" or "geneve") (default "vxlan")
      --tunnel-source-port-range string                           Tunnel source port range hint (default "0-0")
      --underlay-protocol string                                  IP family for the underlay ("ipv4" or "ipv6") (default "ipv4")
      --use-full-tls-context                                      If enabled, persist ca.crt keys into the Envoy config even in a terminatingTLS block on an L7 Cilium Policy. This is to enable compatibility with previously buggy behaviour. This flag is deprecated and will be removed in a future release.
      --vtep-cidr strings                                         List of VTEP CIDRs that will be routed towards VTEPs for traffic cluster egress
      --vtep-endpoint strings                                     List of VTEP IP addresses
      --vtep-mac strings                                          List of VTEP MAC addresses for forwarding traffic outside the cluster
      --vtep-sync-interval duration                               Interval for VTEP sync (default 1m0s)
      --wireguard-persistent-keepalive duration                   The Wireguard keepalive interval as a Go duration string
      --write-cni-conf-when-ready string                          Write the CNI configuration to the specified path when agent is ready
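Several of the flags above widen the agent's exposure when set carelessly: `--pprof` with a non-loopback `--pprof-address`, `--prometheus-serve-addr ":Port"` (binds all interfaces), `--proxy-admin-port` (Envoy admin interface), the deprecated `--use-full-tls-context`, `--mesh-auth-enabled` without a `--mesh-auth-spire-admin-socket`, and `--policy-secrets-namespace` without `--policy-secrets-only-from-secrets-namespace`. The following is an added example, not Cilium code: it parses a cilium-agent command line as found in a DaemonSet pod spec or `ps` output and reports those settings. Both sample command lines are constructed for illustration, and the checks are reviewer heuristics drawn from the flag descriptions on this page, not rules enforced by the agent.

```python
"""Audit a cilium-agent command line for exposure-relevant flag settings.

Added example (not Cilium code). Checks are heuristics based on the flag
descriptions in the cilium-agent reference; sample inputs are constructed.
"""
import shlex
from typing import Dict, List

# Boolean flags this audit reasons about. For these, the next token is taken
# as the value only when it is a literal "true"/"false".
BOOL_FLAGS = {
    "pprof", "use-full-tls-context", "mesh-auth-enabled",
    "policy-secrets-only-from-secrets-namespace",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_agent_flags(cmdline: str) -> Dict[str, str]:
    """Map --flag=value, --flag value and bare boolean --flag to {flag: value}.

    Non-flag tokens (binary name, subcommand) are skipped; a repeated flag
    keeps its last value.
    """
    tokens = shlex.split(cmdline)
    flags: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name = tok[2:]
        if "=" in name:
            name, value = name.split("=", 1)
        else:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if name in BOOL_FLAGS:
                value = nxt if nxt in ("true", "false") else "true"
                i += value in ("true", "false") and nxt in ("true", "false")
            elif nxt is not None and not nxt.startswith("--"):
                value, i = nxt, i + 1
            else:
                value = "true"
        flags[name] = value
        i += 1
    return flags


def audit_agent_flags(flags: Dict[str, str]) -> List[str]:
    """Return human-readable findings for risky or deprecated settings."""
    findings: List[str] = []
    # pprof defaults to localhost:6060; a non-loopback address exposes it.
    if flags.get("pprof", "false") == "true":
        addr = flags.get("pprof-address", "localhost")
        if addr not in LOOPBACK:
            port = flags.get("pprof-port", "6060")
            findings.append(f"pprof debug API listens on {addr}:{port}, not loopback")
    # ":Port" binds the Prometheus endpoint on all interfaces.
    prom = flags.get("prometheus-serve-addr", "")
    if prom.startswith(":"):
        findings.append(f"prometheus metrics bound on all interfaces ({prom})")
    admin = flags.get("proxy-admin-port")
    if admin and admin != "0":
        findings.append(f"Envoy admin interface enabled on port {admin}")
    if flags.get("use-full-tls-context", "false") == "true":
        findings.append("deprecated --use-full-tls-context in use (persists ca.crt into Envoy config)")
    if flags.get("mesh-auth-enabled", "false") == "true" and not flags.get("mesh-auth-spire-admin-socket"):
        findings.append("mutual auth enabled but no --mesh-auth-spire-admin-socket given")
    if flags.get("policy-secrets-namespace") and \
            flags.get("policy-secrets-only-from-secrets-namespace", "false") != "true":
        findings.append("policy secrets namespace set but agent may still read Secrets elsewhere")
    return findings


# Constructed sample command lines (paths and ports are illustrative only).
HARDENED = (
    "cilium-agent --pprof --pprof-address localhost --pprof-port 6060 "
    "--prometheus-serve-addr 127.0.0.1:9962 --mesh-auth-enabled "
    "--mesh-auth-spire-admin-socket /run/spire/sockets/admin.sock "
    "--policy-secrets-namespace cilium-secrets --policy-secrets-only-from-secrets-namespace"
)
RISKY = (
    "cilium-agent --pprof --pprof-address 0.0.0.0 --prometheus-serve-addr :9962 "
    "--proxy-admin-port 9901 --use-full-tls-context --mesh-auth-enabled=true "
    "--policy-secrets-namespace=cilium-secrets"
)

if __name__ == "__main__":
    for label, cmd in (("hardened", HARDENED), ("risky", RISKY)):
        print(label, audit_agent_flags(parse_agent_flags(cmd)) or ["no findings"])
```

Run it against the real agent arguments (`kubectl -n kube-system get ds cilium -o jsonpath='{.spec.template.spec.containers[0].args}'`, then join the array into one line) rather than the constructed samples; flags supplied through the ConfigMap instead of the command line are not seen by this parser.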

SEE ALSO