Back to Cilium

cilium

install/kubernetes/cilium/README.md

1.19.5169.1 KB
Original Source

cilium

Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka.

A new Linux kernel technology called eBPF is at the foundation of Cilium. It supports dynamic insertion of eBPF bytecode into the Linux kernel at various integration points such as: network IO, application sockets, and tracepoints to implement security, networking and visibility logic. eBPF is highly efficient and flexible.

Prerequisites

  • Kubernetes: >= 1.21.0-0
  • Helm: >= 3.0

Getting Started

Try Cilium on any Kubernetes distribution in under 15 minutes:

MinikubeSelf-Managed K8sAmazon EKSGoogle GKEMicrosoft AKS

Or, for a quick install with the default configuration:

$ helm repo add cilium https://helm.cilium.io/
$ helm install cilium cilium/cilium --namespace=kube-system

After Cilium is installed, you can explore the features that Cilium has to offer from the Getting Started Guides page.

Source Code

Getting Help

The best way to get help if you get stuck is to ask a question on the Cilium Slack channel. With Cilium contributors across the globe, there is almost always someone available to help.

Values

KeyTypeDefaultDescription
MTUint0Configure the underlying network MTU to overwrite auto-detected MTU. This value doesn't change the host network interface MTU i.e. eth0 or ens0. It changes the MTU for cilium_net@cilium_host, cilium_host@cilium_net, cilium_vxlan and lxc_health interfaces.
affinityobject{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}Affinity for cilium-agent.
agentbooltrueInstall the cilium agent resources.
agentNotReadyTaintKeystring"node.cilium.io/agent-not-ready"Configure the key of the taint indicating that Cilium is not ready on the node. When set to a value starting with ignore-taint.cluster-autoscaler.kubernetes.io/, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up.
aksbyocni.enabledboolfalseEnable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (azure.enabled) instead.
alibabacloud.enabledboolfalseEnable AlibabaCloud ENI integration
alibabacloud.nodeSpec.securityGroupTagslist[]
alibabacloud.nodeSpec.securityGroupslist[]
alibabacloud.nodeSpec.vSwitchTagslist[]
alibabacloud.nodeSpec.vSwitcheslist[]
annotateK8sNodeboolfalseAnnotate k8s node upon initialization with Cilium's metadata.
annotationsobject{}Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent)
apiRateLimitstringnilThe api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API
authentication.enabledboolfalseEnable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed.
authentication.gcIntervalstring"5m0s"Interval for garbage collection of auth map entries.
authentication.mutual.connectTimeoutstring"5s"Timeout for connecting to the remote node TCP socket
authentication.mutual.portint4250Port on the agent where mutual authentication handshakes between agents will be performed
authentication.mutual.spire.adminSocketPathstring"/run/spire/sockets/admin.sock"SPIRE socket path where the SPIRE delegated api agent is listening
authentication.mutual.spire.agentSocketPathstring"/run/spire/sockets/agent/agent.sock"SPIRE socket path where the SPIRE workload agent is listening. Applies to both the Cilium Agent and Operator
authentication.mutual.spire.annotationsobject{}Annotations to be added to all top-level spire objects (resources under templates/spire)
authentication.mutual.spire.connectionTimeoutstring"30s"SPIRE connection timeout
authentication.mutual.spire.enabledboolfalseEnable SPIRE integration (beta)
authentication.mutual.spire.install.agent.affinityobject{}SPIRE agent affinity configuration
authentication.mutual.spire.install.agent.annotationsobject{}SPIRE agent annotations
authentication.mutual.spire.install.agent.imageobject{"digest":"sha256:5106ac601272a88684db14daf7f54b9a45f31f77bb16a906bd5e87756ee7b97c","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6","useDigest":true}SPIRE agent image
authentication.mutual.spire.install.agent.labelsobject{}SPIRE agent labels
authentication.mutual.spire.install.agent.nodeSelectorobject{}SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
authentication.mutual.spire.install.agent.podSecurityContextobject{}Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
authentication.mutual.spire.install.agent.priorityClassNamestring""The priority class to use for the spire agent
authentication.mutual.spire.install.agent.resourcesobject{}container resource limits & requests
authentication.mutual.spire.install.agent.securityContextobject{}Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
authentication.mutual.spire.install.agent.serviceAccountobject{"create":true,"name":"spire-agent"}SPIRE agent service account
authentication.mutual.spire.install.agent.skipKubeletVerificationbooltrueSPIRE Workload Attestor kubelet verification.
authentication.mutual.spire.install.agent.tolerationslist[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
authentication.mutual.spire.install.enabledbooltrueEnable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true
authentication.mutual.spire.install.existingNamespaceboolfalseSPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace.
authentication.mutual.spire.install.initImageobject{"digest":"sha256:9532d8c39891ca2ecde4d30d7710e01fb739c87a8b9299685c63704296b16028","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}init container image of SPIRE agent and server
authentication.mutual.spire.install.namespacestring"cilium-spire"SPIRE namespace to install into
authentication.mutual.spire.install.server.affinityobject{}SPIRE server affinity configuration
authentication.mutual.spire.install.server.annotationsobject{}SPIRE server annotations
authentication.mutual.spire.install.server.ca.keyTypestring"rsa-4096"SPIRE CA key type AWS requires the use of RSA. EC cryptography is not supported
authentication.mutual.spire.install.server.ca.subjectobject{"commonName":"Cilium SPIRE CA","country":"US","organization":"SPIRE"}SPIRE CA Subject
authentication.mutual.spire.install.server.dataStorage.accessModestring"ReadWriteOnce"Access mode of the SPIRE server data storage
authentication.mutual.spire.install.server.dataStorage.enabledbooltrueEnable SPIRE server data storage
authentication.mutual.spire.install.server.dataStorage.sizestring"1Gi"Size of the SPIRE server data storage
authentication.mutual.spire.install.server.dataStorage.storageClassstringnilStorageClass of the SPIRE server data storage
authentication.mutual.spire.install.server.imageobject{"digest":"sha256:59a0b92b39773515e25e68a46c40d3b931b9c1860bc445a79ceb45a805cab8b4","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6","useDigest":true}SPIRE server image
authentication.mutual.spire.install.server.initContainerslist[]SPIRE server init containers
authentication.mutual.spire.install.server.labelsobject{}SPIRE server labels
authentication.mutual.spire.install.server.nodeSelectorobject{}SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
authentication.mutual.spire.install.server.podSecurityContextobject{}Security context to be added to spire server pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
authentication.mutual.spire.install.server.priorityClassNamestring""The priority class to use for the spire server
authentication.mutual.spire.install.server.resourcesobject{}container resource limits & requests
authentication.mutual.spire.install.server.securityContextobject{}Security context to be added to spire server containers. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
authentication.mutual.spire.install.server.service.annotationsobject{}Annotations to be added to the SPIRE server service
authentication.mutual.spire.install.server.service.labelsobject{}Labels to be added to the SPIRE server service
authentication.mutual.spire.install.server.service.typestring"ClusterIP"Service type for the SPIRE server service
authentication.mutual.spire.install.server.serviceAccountobject{"create":true,"name":"spire-server"}SPIRE server service account
authentication.mutual.spire.install.server.tolerationslist[]SPIRE server tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
authentication.mutual.spire.serverAddressstringnilSPIRE server address used by Cilium Operator If k8s Service DNS along with port number is used (e.g. <service-name>.<namespace>.svc(.*):<port-number> format), Cilium Operator will resolve its address by looking up the clusterIP from Service resource. Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081
authentication.mutual.spire.trustDomainstring"spiffe.cilium"SPIFFE trust domain to use for fetching certificates
authentication.queueSizeint1024Buffer size of the channel Cilium uses to receive authentication events from the signal map.
authentication.rotatedIdentitiesQueueSizeint1024Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers.
autoDirectNodeRoutesboolfalseEnable installation of PodCIDR routes between worker nodes if worker nodes share a common L2 network segment.
azure.enabledboolfalseEnable Azure integration. Note that this is incompatible with AKS clusters created in BYOCNI mode: use AKS BYOCNI integration (aksbyocni.enabled) instead.
azure.nodeSpec.azureInterfaceNamestring""
bandwidthManagerobject{"bbr":false,"bbrHostNamespaceOnly":false,"enabled":false}Enable bandwidth manager to optimize TCP and UDP workloads and allow for rate-limiting traffic from individual Pods with EDT (Earliest Departure Time) through the "kubernetes.io/egress-bandwidth" Pod annotation.
bandwidthManager.bbrboolfalseActivate BBR TCP congestion control for Pods
bandwidthManager.bbrHostNamespaceOnlyboolfalseActivate BBR TCP congestion control for Pods in the host namespace only.
bandwidthManager.enabledboolfalseEnable bandwidth manager infrastructure (also prerequirement for BBR)
bgpControlPlaneobject{"enabled":false,"legacyOriginAttribute":{"enabled":false},"routerIDAllocation":{"ipPool":"","mode":"default"},"secretsNamespace":{"create":false,"name":"kube-system"},"statusReport":{"enabled":true}}This feature set enables virtual BGP routers to be created via BGP CRDs.
bgpControlPlane.enabledboolfalseEnables the BGP control plane.
bgpControlPlane.legacyOriginAttributeobject{"enabled":false}Legacy BGP ORIGIN attribute settings
bgpControlPlane.legacyOriginAttribute.enabledboolfalseEnable/Disable advertising LoadBalancerIP routes with the legacy BGP ORIGIN attribute value INCOMPLETE (2) instead of the default IGP (0). Enable for compatibility with the legacy behavior of MetalLB integration.
bgpControlPlane.routerIDAllocationobject{"ipPool":"","mode":"default"}BGP router-id allocation mode
bgpControlPlane.routerIDAllocation.ipPoolstring""IP pool to allocate the BGP router-id from when the mode is ip-pool.
bgpControlPlane.routerIDAllocation.modestring"default"BGP router-id allocation mode. In default mode, the router-id is derived from the IPv4 address if it is available, or else it is determined by the lower 32 bits of the MAC address.
bgpControlPlane.secretsNamespaceobject{"create":false,"name":"kube-system"}SecretsNamespace is the namespace which BGP support will retrieve secrets from.
bgpControlPlane.secretsNamespace.createboolfalseCreate secrets namespace for BGP secrets.
bgpControlPlane.secretsNamespace.namestring"kube-system"The name of the secret namespace to which Cilium agents are given read access
bgpControlPlane.statusReportobject{"enabled":true}Status reporting settings
bgpControlPlane.statusReport.enabledbooltrueEnable/Disable BGP status reporting It is recommended to enable status reporting in general, but if you have any issue such as high API server load, you can disable it by setting this to false.
bpf.authMapMaxint524288Configure the maximum number of entries in auth map.
bpf.autoMount.enabledbooltrueEnable automatic mount of BPF filesystem When autoMount is enabled, the BPF filesystem is mounted at bpf.root path on the underlying host and inside the cilium agent pod. If users disable autoMount, it's expected that users have mounted bpffs filesystem at the specified bpf.root volume, and then the volume will be mounted inside the cilium agent pod at the same path.
bpf.ctAccountingboolfalseEnable CT accounting for packets and bytes
bpf.ctAnyMaxint262144Configure the maximum number of entries for the non-TCP connection tracking table.
bpf.ctTcpMaxint524288Configure the maximum number of entries in the TCP connection tracking table.
bpf.datapathModestringvethMode for Pod devices for the core datapath (veth, netkit, netkit-l2). Note netkit is incompatible with TPROXY (bpf.tproxy).
bpf.disableExternalIPMitigationboolfalseDisable ExternalIP mitigation (CVE-2020-8554)
bpf.distributedLRUobject{"enabled":false}Control to use a distributed per-CPU backend memory for the core BPF LRU maps which Cilium uses. This improves performance significantly, but it is also recommended to increase BPF map sizing along with that.
bpf.distributedLRU.enabledboolfalseEnable distributed LRU backend memory. For compatibility with existing installations it is off by default.
bpf.enableTCXbooltrueAttach endpoint programs using tcx instead of legacy tc hooks on supported kernels.
bpf.eventsobject{"default":{"burstLimit":null,"rateLimit":null},"drop":{"enabled":true},"policyVerdict":{"enabled":true},"trace":{"enabled":true}}Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble. Helm configuration for BPF events map rate limiting is experimental and might change in upcoming releases.
bpf.events.defaultobject{"burstLimit":null,"rateLimit":null}Default settings for all types of events except dbg.
bpf.events.default.burstLimitint0Configure the maximum number of messages that can be written to BPF events map in 1 second. If burstLimit is greater than 0, non-zero value for rateLimit must also be provided lest the configuration is considered invalid. Setting both burstLimit and rateLimit to 0 disables BPF events rate limiting.
bpf.events.default.rateLimitint0Configure the limit of messages per second that can be written to BPF events map. The number of messages is averaged, meaning that if no messages were written to the map over 5 seconds, it's possible to write more events in the 6th second. If rateLimit is greater than 0, non-zero value for burstLimit must also be provided lest the configuration is considered invalid. Setting both burstLimit and rateLimit to 0 disables BPF events rate limiting.
bpf.events.drop.enabledbooltrueEnable drop events.
bpf.events.policyVerdict.enabledbooltrueEnable policy verdict events.
bpf.events.trace.enabledbooltrueEnable trace events.
bpf.hostLegacyRoutingboolfalseConfigure whether direct routing mode should route traffic via host stack (true) or directly and more efficiently out of BPF (false) if the kernel supports it. The latter has the implication that it will also bypass netfilter in the host namespace.
bpf.lbAlgorithmAnnotationboolfalseEnable the option to define the load balancing algorithm on a per-service basis through service.cilium.io/lb-algorithm annotation.
bpf.lbExternalClusterIPboolfalseAllow cluster external access to ClusterIP services.
bpf.lbMapMaxint65536Configure the maximum number of service entries in the load balancer maps.
bpf.lbModeAnnotationboolfalseEnable the option to define the load balancing mode (SNAT or DSR) on a per-service basis through service.cilium.io/forwarding-mode annotation.
bpf.lbSourceRangeAllTypesboolfalseEnable loadBalancerSourceRanges CIDR filtering for all service types, not just LoadBalancer services. The corresponding NodePort and ClusterIP (if enabled for cluster-external traffic) will also apply the CIDR filter.
bpf.mapDynamicSizeRatiofloat640.0025Configure auto-sizing for all BPF maps based on available memory. ref: https://docs.cilium.io/en/stable/network/ebpf/maps/
bpf.masqueradeboolfalseEnable native IP masquerade support in eBPF
bpf.monitorAggregationstring"medium"Configure the level of aggregation for monitor notifications. Valid options are none, low, medium, maximum.
bpf.monitorFlagsstring"all"Configure which TCP flags trigger notifications when seen for the first time in a connection.
bpf.monitorIntervalstring"5s"Configure the typical time between monitor notifications for active connections.
bpf.monitorTraceIPOptionint0Configure the IP tracing option type. This option is used to specify the IP option type to use for tracing. The value must be an integer between 0 and 255. @schema type: [null, integer] minimum: 0 maximum: 255 @schema
bpf.natMaxint524288Configure the maximum number of entries for the NAT table.
bpf.neighMaxint524288Configure the maximum number of entries for the neighbor table.
bpf.nodeMapMaxintnilConfigures the maximum number of entries for the node table.
bpf.policyMapMaxint16384Configure the maximum number of entries in endpoint policy map (per endpoint). @schema type: [null, integer] @schema
bpf.policyMapPressureMetricsThresholdfloat640.1Configure threshold for emitting pressure metrics of policy maps. @schema type: [null, number] @schema
bpf.policyStatsMapMaxint65536Configure the maximum number of entries in global policy stats map. @schema type: [null, integer] @schema
bpf.preallocateMapsboolfalseEnables pre-allocation of eBPF map values. This increases memory usage but can reduce latency.
bpf.rootstring"/sys/fs/bpf"Configure the mount point for the BPF filesystem
bpf.tproxyboolfalseConfigure the eBPF-based TPROXY (beta) to reduce reliance on iptables rules for implementing Layer 7 policy. Note this is incompatible with netkit (bpf.datapathMode=netkit, bpf.datapathMode=netkit-l2).
bpf.vlanBypasslist[]Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering.
bpfClockProbeboolfalseEnable BPF clock source probing for more efficient tick retrieval.
certgenobject{"affinity":{},"annotations":{"cronJob":{},"job":{}},"cronJob":{"failedJobsHistoryLimit":1,"successfulJobsHistoryLimit":3},"extraVolumeMounts":[],"extraVolumes":[],"generateCA":true,"image":{"digest":"sha256:f107522ed4dcea62f918b8eb836142875a9b3e3cb2b2d728dc680f76cdbde6cf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.4.5","useDigest":true},"nodeSelector":{},"podLabels":{},"priorityClassName":"","resources":{},"tolerations":[],"ttlSecondsAfterFinished":null}Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually.
certgen.affinityobject{}Affinity for certgen
certgen.annotationsobject{"cronJob":{},"job":{}}Annotations to be added to the hubble-certgen initial Job and CronJob
certgen.cronJob.failedJobsHistoryLimitint1The number of failed finished jobs to keep
certgen.cronJob.successfulJobsHistoryLimitint3The number of successful finished jobs to keep
certgen.extraVolumeMountslist[]Additional certgen volumeMounts.
certgen.extraVolumeslist[]Additional certgen volumes.
certgen.generateCAbooltrueWhen set to true the certificate authority secret is created.
certgen.nodeSelectorobject{}Node selector for certgen ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
certgen.podLabelsobject{}Labels to be added to hubble-certgen pods
certgen.priorityClassNamestring""Priority class for certgen ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
certgen.resourcesobject{}Resource limits for certgen ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers
certgen.tolerationslist[]Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
certgen.ttlSecondsAfterFinishedstringnilSeconds after which the completed job pod will be deleted
cgroupobject{"autoMount":{"enabled":true,"resources":{}},"hostRoot":"/run/cilium/cgroupv2"}Configure cgroup related configuration
cgroup.autoMount.enabledbooltrueEnable auto mount of cgroup2 filesystem. When autoMount is enabled, cgroup2 filesystem is mounted at cgroup.hostRoot path on the underlying host and inside the cilium agent pod. If users disable autoMount, it's expected that users have mounted cgroup2 filesystem at the specified cgroup.hostRoot volume, and then the volume will be mounted inside the cilium agent pod at the same path.
cgroup.autoMount.resourcesobject{}Init Container Cgroup Automount resource limits & requests
cgroup.hostRootstring"/run/cilium/cgroupv2"Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: cgroup.autoMount)
ciliumEndpointSliceobject{"enabled":false,"rateLimits":[{"burst":20,"limit":10,"nodes":0},{"burst":100,"limit":50,"nodes":100}]}CiliumEndpointSlice configuration options.
ciliumEndpointSlice.enabledboolfalseEnable Cilium EndpointSlice feature.
ciliumEndpointSlice.rateLimitslist[{"burst":20,"limit":10,"nodes":0},{"burst":100,"limit":50,"nodes":100}]List of rate limit options to be used for the CiliumEndpointSlice controller. Each object in the list must have the following fields: nodes: Count of nodes at which to apply the rate limit. limit: The sustained request rate in requests per second. The maximum rate that can be configured is 50. burst: The burst request rate in requests per second. The maximum burst that can be configured is 100.
cleanBpfStateboolfalseClean all eBPF datapath state from the initContainer of the cilium-agent DaemonSet. WARNING: Use with care!
cleanStateboolfalseClean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true. WARNING: Use with care!
cluster.idint0Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used.
cluster.namestring"default"Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. It must respect the following constraints: * It must contain at most 32 characters; * It must begin and end with a lower case alphanumeric character; * It may contain lower case alphanumeric characters and dashes between. The "default" name cannot be used if the Cluster ID is different from 0.
clustermesh.annotationsobject{}Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config)
clustermesh.apiserver.affinityobject{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}Affinity for clustermesh.apiserver
clustermesh.apiserver.etcd.init.extraArgslist[]Additional arguments to clustermesh-apiserver etcdinit.
clustermesh.apiserver.etcd.init.extraEnvlist[]Additional environment variables to clustermesh-apiserver etcdinit.
clustermesh.apiserver.etcd.init.resourcesobject{}Specifies the resources for etcd init container in the apiserver
clustermesh.apiserver.etcd.lifecycleobject{}lifecycle setting for the etcd container
clustermesh.apiserver.etcd.resourcesobject{}Specifies the resources for etcd container in the apiserver
clustermesh.apiserver.etcd.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}Security context to be added to clustermesh-apiserver etcd containers
clustermesh.apiserver.etcd.storageMediumstring"Disk"Specifies whether etcd data is stored in a temporary volume backed by the node's default medium, such as disk, SSD or network storage (Disk), or RAM (Memory). The Memory option enables improved etcd read and write performance at the cost of additional memory usage, which counts against the memory limits of the container.
clustermesh.apiserver.extraArgslist[]Additional clustermesh-apiserver arguments.
clustermesh.apiserver.extraEnvlist[]Additional clustermesh-apiserver environment variables.
clustermesh.apiserver.extraVolumeMountslist[]Additional clustermesh-apiserver volumeMounts.
clustermesh.apiserver.extraVolumeslist[]Additional clustermesh-apiserver volumes.
clustermesh.apiserver.healthPortint9880TCP port for the clustermesh-apiserver health API.
clustermesh.apiserver.imageobject{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.19.5","useDigest":false}Clustermesh API server image.
clustermesh.apiserver.kvstoremesh.enabledbooltrueEnable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance (deprecated - KVStoreMesh will always be enabled once the option is removed).
clustermesh.apiserver.kvstoremesh.extraArgslist[]Additional KVStoreMesh arguments.
clustermesh.apiserver.kvstoremesh.extraEnvlist[]Additional KVStoreMesh environment variables.
clustermesh.apiserver.kvstoremesh.extraVolumeMountslist[]Additional KVStoreMesh volumeMounts.
clustermesh.apiserver.kvstoremesh.healthPortint9881TCP port for the KVStoreMesh health API.
clustermesh.apiserver.kvstoremesh.kvstoreModestring"internal"Specify the KVStore mode when running KVStoreMesh Supported values: - "internal": remote cluster identities are cached in etcd that runs as a sidecar within clustermesh-apiserver pod. - "external": clustermesh-apiserver will sync remote cluster information to the etcd used as kvstore. This can't be enabled with crd identity allocation mode.
clustermesh.apiserver.kvstoremesh.lifecycleobject{}lifecycle setting for the KVStoreMesh container
clustermesh.apiserver.kvstoremesh.readinessProbeobject{}Configuration for the KVStoreMesh readiness probe.
clustermesh.apiserver.kvstoremesh.resourcesobject{}Resource requests and limits for the KVStoreMesh container
clustermesh.apiserver.kvstoremesh.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}KVStoreMesh Security context
clustermesh.apiserver.lifecycleobject{}lifecycle setting for the apiserver container
clustermesh.apiserver.metrics.enabledbooltrueEnables exporting apiserver metrics in OpenMetrics format.
clustermesh.apiserver.metrics.etcd.enabledbooltrueEnables exporting etcd metrics in OpenMetrics format.
clustermesh.apiserver.metrics.etcd.modestring"basic"Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics.
clustermesh.apiserver.metrics.etcd.portint9963Configure the port the etcd metric server listens on.
clustermesh.apiserver.metrics.kvstoremesh.enabledbooltrueEnables exporting KVStoreMesh metrics in OpenMetrics format.
clustermesh.apiserver.metrics.kvstoremesh.portint9964Configure the port the KVStoreMesh metric server listens on.
clustermesh.apiserver.metrics.portint9962Configure the port the apiserver metric server listens on.
clustermesh.apiserver.metrics.serviceMonitor.annotationsobject{}Annotations to add to ServiceMonitor clustermesh-apiserver
clustermesh.apiserver.metrics.serviceMonitor.enabledboolfalseEnable service monitor. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
clustermesh.apiserver.metrics.serviceMonitor.etcd.intervalstring"10s"Interval for scrape metrics (etcd metrics)
clustermesh.apiserver.metrics.serviceMonitor.etcd.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)
clustermesh.apiserver.metrics.serviceMonitor.etcd.relabelingsstringnilRelabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)
clustermesh.apiserver.metrics.serviceMonitor.etcd.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
clustermesh.apiserver.metrics.serviceMonitor.intervalstring"10s"Interval for scrape metrics (apiserver metrics)
clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.intervalstring"10s"Interval for scrape metrics (KVStoreMesh metrics)
clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)
clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.relabelingsstringnilRelabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)
clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
clustermesh.apiserver.metrics.serviceMonitor.labelsobject{}Labels to add to ServiceMonitor clustermesh-apiserver
clustermesh.apiserver.metrics.serviceMonitor.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)
clustermesh.apiserver.metrics.serviceMonitor.relabelingsstringnilRelabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)
clustermesh.apiserver.metrics.serviceMonitor.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
clustermesh.apiserver.nodeSelectorobject{"kubernetes.io/os":"linux"}Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
clustermesh.apiserver.podAnnotationsobject{}Annotations to be added to clustermesh-apiserver pods
clustermesh.apiserver.podDisruptionBudget.enabledboolfalseenable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
clustermesh.apiserver.podDisruptionBudget.maxUnavailableint1Maximum number/percentage of pods that may be made unavailable
clustermesh.apiserver.podDisruptionBudget.minAvailablestringnilMinimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by maxUnavailable: null
clustermesh.apiserver.podDisruptionBudget.unhealthyPodEvictionPolicystringnilHow are unhealthy, but running, pods counted for eviction
clustermesh.apiserver.podLabelsobject{}Labels to be added to clustermesh-apiserver pods
clustermesh.apiserver.podSecurityContextobject{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}Security context to be added to clustermesh-apiserver pods
clustermesh.apiserver.priorityClassNamestring""The priority class to use for clustermesh-apiserver
clustermesh.apiserver.readinessProbeobject{}Configuration for the clustermesh-apiserver readiness probe.
clustermesh.apiserver.replicasint1Number of replicas run for the clustermesh-apiserver deployment.
clustermesh.apiserver.resourcesobject{}Resource requests and limits for the clustermesh-apiserver
clustermesh.apiserver.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}Security context to be added to clustermesh-apiserver containers
clustermesh.apiserver.service.annotationsobject{}Annotations for the clustermesh-apiserver service. Example annotations to configure an internal load balancer on different cloud providers: * AKS: service.beta.kubernetes.io/azure-load-balancer-internal: "true" * EKS: service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" * GKE: networking.gke.io/load-balancer-type: "Internal"
clustermesh.apiserver.service.enableSessionAffinitystring"HAOnly"Defines when to enable session affinity. Each replica in a clustermesh-apiserver deployment runs its own discrete etcd cluster. Remote clients connect to one of the replicas through a shared Kubernetes Service. A client reconnecting to a different backend will require a full resync to ensure data integrity. Session affinity can reduce the likelihood of this happening, but may not be supported by all cloud providers. Possible values: - "HAOnly" (default) Only enable session affinity for deployments with more than 1 replica. - "Always" Always enable session affinity. - "Never" Never enable session affinity. Useful in environments where session affinity is not supported, but may lead to slightly degraded performance due to more frequent reconnections.
clustermesh.apiserver.service.externalTrafficPolicystring"Cluster"The externalTrafficPolicy of service used for apiserver access.
clustermesh.apiserver.service.externallyCreatedboolfalseSet externallyCreated to true to create the clustermesh-apiserver service outside this helm chart. For example after external load balancer controllers are created.
clustermesh.apiserver.service.internalTrafficPolicystring"Cluster"The internalTrafficPolicy of service used for apiserver access.
clustermesh.apiserver.service.labelsobject{}Labels for the clustermesh-apiserver service.
clustermesh.apiserver.service.loadBalancerClassstringnilConfigure a loadBalancerClass. Allows to configure the loadBalancerClass on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer (requires Kubernetes 1.24+).
clustermesh.apiserver.service.loadBalancerIPstringnilConfigure a specific loadBalancerIP. Allows to configure a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer.
clustermesh.apiserver.service.loadBalancerSourceRangeslist[]Configure loadBalancerSourceRanges. Allows to configure the source IP ranges allowed to access the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer.
clustermesh.apiserver.service.nodePortint32379Optional port to use as the node port for apiserver access.
clustermesh.apiserver.service.typestring"NodePort"The type of service used for apiserver access.
clustermesh.apiserver.terminationGracePeriodSecondsint30terminationGracePeriodSeconds for the clustermesh-apiserver deployment
clustermesh.apiserver.tls.adminobject{"cert":"","key":""}base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled.
clustermesh.apiserver.tls.admin.certstring""Deprecated, as secrets will always need to be created externally if auto is disabled.
clustermesh.apiserver.tls.admin.keystring""Deprecated, as secrets will always need to be created externally if auto is disabled.
clustermesh.apiserver.tls.authModestring"migration"Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-<cluster-name>). The "remote" certificate must be generated with CN=remote-<cluster-name> if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh.
clustermesh.apiserver.tls.autoobject{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time.
clustermesh.apiserver.tls.auto.certManagerIssuerRefobject{}certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
clustermesh.apiserver.tls.auto.certValidityDurationint1095Generated certificates validity duration in days.
clustermesh.apiserver.tls.auto.enabledbooltrueWhen set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. When set to false you need to pre-create the following secrets: - clustermesh-apiserver-server-cert - clustermesh-apiserver-admin-cert - clustermesh-apiserver-remote-cert - clustermesh-apiserver-local-cert The above secret should at least contains the keys tls.crt and tls.key and optionally ca.crt if a CA bundle is not configured.
clustermesh.apiserver.tls.enableSecretsdeprecatedtrueAllow users to provide their own certificates Users may need to provide their certificates using a mechanism that requires they provide their own secrets. This setting does not apply to any of the auto-generated mechanisms below, it only restricts the creation of secrets via the tls-provided templates. This option is deprecated as secrets are expected to be created externally when 'auto' is not enabled.
clustermesh.apiserver.tls.remoteobject{"cert":"","key":""}base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled.
clustermesh.apiserver.tls.remote.certstring""Deprecated, as secrets will always need to be created externally if auto is disabled.
clustermesh.apiserver.tls.remote.keystring""Deprecated, as secrets will always need to be created externally if auto is disabled.
clustermesh.apiserver.tls.serverobject{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled.
clustermesh.apiserver.tls.server.certstring""Deprecated, as secrets will always need to be created externally if auto is disabled.
clustermesh.apiserver.tls.server.extraDnsNameslist[]Extra DNS names added to certificate when it's auto generated
clustermesh.apiserver.tls.server.extraIpAddresseslist[]Extra IP addresses added to certificate when it's auto generated
clustermesh.apiserver.tls.server.keystring""Deprecated, as secrets will always need to be created externally if auto is disabled.
clustermesh.apiserver.tolerationslist[]Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
clustermesh.apiserver.topologySpreadConstraintslist[]Pod topology spread constraints for clustermesh-apiserver
clustermesh.apiserver.updateStrategyobject{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}clustermesh-apiserver update strategy
clustermesh.cacheTTLstring"0s"The time to live for the cache of a remote cluster after connectivity is lost. If the connection is not re-established within this duration, the cached data is revoked to prevent stale state. If not specified or set to 0s, the cache is never revoked (default).
clustermesh.configobject{"clusters":[],"domain":"mesh.cilium.io","enabled":false}Clustermesh explicit configuration.
clustermesh.config.clusterslist[]Clusters to be peered in the mesh. @schema type: [object, array] @schema
clustermesh.config.domainstring"mesh.cilium.io"Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used.
clustermesh.config.enabledboolfalseEnable the Clustermesh explicit configuration. If set to false, you need to provide the following resources yourself: - (Secret) cilium-clustermesh (used by cilium-agent/cilium-operator to connect to the local etcd instance if KVStoreMesh is enabled or the remote clusters if KVStoreMesh is disabled) - (Secret) cilium-kvstoremesh (used by KVStoreMesh to connect to the remote clusters) - (ConfigMap) clustermesh-remote-users (used to create one etcd user per remote cluster if clustermesh-apiserver is used and clustermesh.apiserver.tls.authMode is not set to legacy)
clustermesh.enableEndpointSliceSynchronizationboolfalseEnable the synchronization of Kubernetes EndpointSlices corresponding to the remote endpoints of appropriately-annotated global services through ClusterMesh
clustermesh.enableMCSAPISupportboolfalseEnable Multi-Cluster Services API support (deprecated; use clustermesh.mcsapi.enabled)
clustermesh.maxConnectedClustersint255The maximum number of clusters to support in a ClusterMesh. This value cannot be changed on running clusters, and all clusters in a ClusterMesh must be configured with the same value. Values > 255 will decrease the maximum allocatable cluster-local identities. Supported values are 255 and 511.
clustermesh.mcsapi.corednsAutoConfigure.affinityobject{}Affinity for coredns-mcsapi-autoconfig
clustermesh.mcsapi.corednsAutoConfigure.annotationsobject{}Annotations to be added to the coredns-mcsapi-autoconfig Job
clustermesh.mcsapi.corednsAutoConfigure.coredns.clusterDomainstring"cluster.local"The cluster domain for the cluster CoreDNS service
clustermesh.mcsapi.corednsAutoConfigure.coredns.clustersetDomainstring"clusterset.local"The clusterset domain for the cluster CoreDNS service
clustermesh.mcsapi.corednsAutoConfigure.coredns.configMapNamestring"coredns"The ConfigMap name for the cluster CoreDNS service
clustermesh.mcsapi.corednsAutoConfigure.coredns.deploymentNamestring"coredns"The Deployment for the cluster CoreDNS service
clustermesh.mcsapi.corednsAutoConfigure.coredns.namespacestring"kube-system"The namespace for the cluster CoreDNS service
clustermesh.mcsapi.corednsAutoConfigure.coredns.serviceAccountNamestring"coredns"The Service Account name for the cluster CoreDNS service
clustermesh.mcsapi.corednsAutoConfigure.enabledboolfalseEnable auto-configuration of CoreDNS for Multi-Cluster Services API. CoreDNS MUST be at least in version v1.12.2 to run this.
clustermesh.mcsapi.corednsAutoConfigure.extraArgslist[]Additional arguments to clustermesh-apiserver coredns-mcsapi-auto-configure.
clustermesh.mcsapi.corednsAutoConfigure.extraVolumeMountslist[]Additional coredns-mcsapi-autoconfig volumeMounts.
clustermesh.mcsapi.corednsAutoConfigure.extraVolumeslist[]Additional coredns-mcsapi-autoconfig volumes.
clustermesh.mcsapi.corednsAutoConfigure.nodeSelectorobject{}Node selector for coredns-mcsapi-autoconfig ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
clustermesh.mcsapi.corednsAutoConfigure.podLabelsobject{}Labels to be added to coredns-mcsapi-autoconfig pods
clustermesh.mcsapi.corednsAutoConfigure.priorityClassNamestring""Priority class for coredns-mcsapi-autoconfig ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
clustermesh.mcsapi.corednsAutoConfigure.resourcesobject{}Resource limits for coredns-mcsapi-autoconfig ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers
clustermesh.mcsapi.corednsAutoConfigure.tolerationslist[]Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
clustermesh.mcsapi.corednsAutoConfigure.ttlSecondsAfterFinishedint1800Seconds after which the completed job pod will be deleted
clustermesh.mcsapi.enabledboolfalseEnable Multi-Cluster Services API support
clustermesh.mcsapi.installCRDsbooltrueEnabled MCS-API CRDs auto-installation
clustermesh.policyDefaultLocalClusterbooltrueControl whether policy rules assume by default the local cluster if not explicitly selected
clustermesh.useAPIServerboolfalseDeploy clustermesh-apiserver for clustermesh. This option is typically used with clustermesh.config.enabled=true. Refer to the clustermesh.config.enabled=truedocumentation for more information.
cni.binPathstring"/opt/cni/bin"Configure the path to the CNI binary directory on the host.
cni.chainingModestringnilConfigure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap
cni.chainingTargetstringnilA CNI network name in to which the Cilium plugin should be added as a chained plugin. This will cause the agent to watch for a CNI network with this network name. When it is found, this will be used as the basis for Cilium's CNI configuration file. If this is set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode of aws-cni implies a chainingTarget of aws-cni.
cni.confFileMountPathstring"/tmp/cni-configuration"Configure the path to where to mount the ConfigMap inside the agent pod.
cni.confPathstring"/etc/cni/net.d"Configure the path to the CNI configuration directory on the host.
cni.configMapstring""When defined, configMap will mount the provided value as ConfigMap and interpret the 'cni.configMapKey' value as CNI configuration file and write it when the agent starts up.
cni.configMapKeystring"cni-config"Configure the key in the CNI ConfigMap to read the contents of the CNI configuration from. For this to be effective, the 'cni.configMap' parameter must be specified too. Note that the 'cni.configMap' parameter is the name of the ConfigMap, while 'cni.configMapKey' is the name of the key in the ConfigMap data containing the actual configuration.
cni.customConfboolfalseSkip writing of the CNI configuration. This can be used if writing of the CNI configuration is performed by external automation.
cni.enableRouteMTUForCNIChainingboolfalseEnable route MTU for pod netns when CNI chaining is used
cni.exclusivebooltrueMake Cilium take ownership over the /etc/cni/net.d directory on the node, renaming all non-Cilium CNI configurations to *.cilium_bak. This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.
cni.hostConfDirMountPathstring"/host/etc/cni/net.d"Configure the path to where the CNI configuration directory is mounted inside the agent pod.
cni.installbooltrueInstall the CNI configuration and binary files into the filesystem.
cni.iptablesRemoveAWSRulesbooltrueEnable the removal of iptables rules created by the AWS CNI VPC plugin.
cni.logFilestring"/var/run/cilium/cilium-cni.log"Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly.
cni.resourcesobject{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"100m","memory":"10Mi"}}Specifies the resources for the cni initContainer
cni.uninstallboolfalseRemove the CNI configuration and binary files on agent shutdown. Enable this if you're removing Cilium from the cluster. Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable.
commonLabelsobject{}commonLabels allows users to add common labels for all Cilium resources.
configDriftDetectionobject{"driftChecker":true,"enabled":true,"ignoredKeys":[]}Configuration for the ConfigMap drift detection feature. When enabled, the agent continuously watches the cilium-config ConfigMap and exposes a cilium_drift_checker_config_delta Prometheus metric reporting the number of keys that differ between the ConfigMap and the agent's active settings. A non-zero value indicates that the agent has not yet applied all current ConfigMap changes and needs to be restarted.
configDriftDetection.driftCheckerbooltrueEnable the drift checker which compares the DynamicConfig table against the agent's active settings and publishes the cilium_drift_checker_config_delta metric.
configDriftDetection.enabledbooltrueEnable watching of the cilium-config ConfigMap and reflecting its contents into the agent's internal DynamicConfig table.
configDriftDetection.ignoredKeyslist[]List of config-map keys to ignore when computing the drift delta.
connectivityProbeFrequencyRatiofloat640.5Ratio of the connectivity probe frequency vs resource usage, a float in [0, 1]. 0 will give more frequent probing, 1 will give less frequent probing. Probing frequency is dynamically adjusted based on the cluster size.
conntrackGCIntervalstring"0s"Configure how frequently garbage collection should occur for the datapath connection tracking table.
conntrackGCMaxIntervalstring""Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently clean up unused identities created from ToFQDN policies.
crdWaitTimeoutstring"5m"Configure timeout in which Cilium will exit if CRDs are not available
daemon.allowedConfigOverridesstringnilallowedConfigOverrides is a list of config-map keys that can be overridden. That is to say, if this value is set, config sources (excepting the first one) can only override keys in this list. This takes precedence over blockedConfigOverrides. By default, all keys may be overridden. To disable overrides, set this to "none" or change the configSources variable.
daemon.blockedConfigOverridesstringnilblockedConfigOverrides is a list of config-map keys that may not be overridden. In other words, if any of these keys appear in a configuration source excepting the first one, they will be ignored This is ignored if allowedConfigOverrides is set. By default, all keys may be overridden.
daemon.configSourcesstringnilConfigure a custom list of possible configuration override sources The default is "config-map:cilium-config,cilium-node-config". For supported values, see the help text for the build-config subcommand. Note that this value should be a comma-separated string.
daemon.enableSourceIPVerificationbooltrueenableSourceIPVerification is a boolean flag to enable or disable the Source IP verification of endpoints. This flag is useful when Cilium is chained with other CNIs. By default, this functionality is enabled
daemon.runPathstring"/var/run/cilium"Configure where Cilium runtime state should be stored.
dashboardsobject{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
debug.enabledboolfalseEnable debug logging
debug.metricsSamplingIntervalstring"5m"Set the agent-internal metrics sampling frequency. This sets the frequency of the internal sampling of the agent metrics. These are available via the "cilium-dbg shell -- metrics -s" command and are part of the metrics HTML page included in the sysdump. @schema type: [null, string] @schema
debug.verbosestringnilConfigure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath, policy, or tagged), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. "datapath envoy"). Applicable values: - flow - kvstore - envoy - datapath - policy - tagged
defaultLBServiceIPAMstring"lbipam"defaultLBServiceIPAM indicates the default LoadBalancer Service IPAM when no LoadBalancer class is set. Applicable values: lbipam, nodeipam, none
directRoutingSkipUnreachableboolfalseEnable skipping of PodCIDR routes between worker nodes if the worker nodes are in a different L2 network segment.
disableEndpointCRDboolfalseDisable the usage of CiliumEndpoint CRD.
dnsPolicystring""DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsProxy.dnsRejectResponseCodestring"refused"DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
dnsProxy.enableDnsCompressionbooltrueAllow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
dnsProxy.endpointMaxIpPerHostnameint1000Maximum number of IPs to maintain per FQDN name for each endpoint.
dnsProxy.idleConnectionGracePeriodstring"0s"Time during which idle but previously active connections with expired DNS lookups are still considered alive.
dnsProxy.maxDeferredConnectionDeletesint10000Maximum number of IPs to retain for expired DNS lookups with still-active connections.
dnsProxy.minTtlint0The minimum time, in seconds, to use DNS data for toFQDNs policies. If the upstream DNS server returns a DNS record with a shorter TTL, Cilium overwrites the TTL with this value. Setting this value to zero means that Cilium will honor the TTLs returned by the upstream DNS server.
dnsProxy.preAllocateIdentitiesbooltruePre-allocate ToFQDN identities. This reduces DNS proxy tail latency, at the potential cost of some unnecessary policymap entries. Disable this if you have a large (200+) number of unique ToFQDN selectors.
dnsProxy.preCachestring""DNS cache data at this path is preloaded on agent startup.
dnsProxy.proxyPortint0Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.
dnsProxy.proxyResponseMaxDelaystring"100ms"The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
dnsProxy.socketLingerTimeoutint10Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
egressGateway.enabledboolfalseEnables egress gateway to redirect and SNAT the traffic that leaves the cluster.
egressGateway.reconciliationTriggerIntervalstring"1s"Time between triggers of egress gateway state reconciliations
enableCriticalPriorityClassbooltrueExplicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in helm template calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance.
enableIPv4BIGTCPboolfalseEnables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods
enableIPv4Masqueradebooltrue unless ipam eni mode is activeEnables masquerading of IPv4 traffic leaving the node from endpoints.
enableIPv6BIGTCPboolfalseEnables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
enableIPv6MasqueradebooltrueEnables masquerading of IPv6 traffic leaving the node from endpoints.
enableInternalTrafficPolicybooltrueEnable Internal Traffic Policy
enableLBIPAMbooltrueEnable LoadBalancer IP Address Management
enableMasqueradeRouteSourceboolfalseEnables masquerading to the source of the route for traffic leaving the node from endpoints.
enableNoServiceEndpointsRoutablebooltrueEnable routing to a service that has zero endpoints
enableNonDefaultDenyPoliciesbooltrueEnable Non-Default-Deny policies
enableXTSocketFallbackbooltrueEnables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel.
encryption.enabledboolfalseEnable transparent network encryption.
encryption.ipsec.encryptedOverlayboolfalseEnable IPsec encrypted overlay
encryption.ipsec.interfacestring""The interface to use for encrypted traffic.
encryption.ipsec.keyFilestring"keys"Name of the key file inside the Kubernetes secret configured via secretName.
encryption.ipsec.keyRotationDurationstring"5m"Maximum duration of the IPsec key rotation. The previous key will be removed after that delay.
encryption.ipsec.keyWatcherbooltrueEnable the key watcher. If disabled, a restart of the agent will be necessary on key rotations.
encryption.ipsec.mountPathstring"/etc/ipsec"Path to mount the secret inside the Cilium pod.
encryption.ipsec.secretNamestring"cilium-ipsec-keys"Name of the Kubernetes secret containing the encryption keys.
encryption.nodeEncryptionboolfalseEnable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard".
encryption.strictModeobject{"allowRemoteNodeIdentities":false,"cidr":"","egress":{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false},"enabled":false,"ingress":{"enabled":false}}Configure the Encryption Pod2Pod strict mode.
encryption.strictMode.allowRemoteNodeIdentitiesboolfalseAllow dynamic lookup of remote node identities. (deprecated: please use encryption.strictMode.egress.allowRemoteNodeIdentities) This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
encryption.strictMode.cidrstring""CIDR for the Encryption Pod2Pod strict mode. (deprecated: please use encryption.strictMode.egress.cidr)
encryption.strictMode.egress.allowRemoteNodeIdentitiesboolfalseAllow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
encryption.strictMode.egress.cidrstring""CIDR for the Encryption Pod2Pod strict egress mode.
encryption.strictMode.egress.enabledboolfalseEnable strict egress encryption.
encryption.strictMode.enabledboolfalseEnable Encryption Pod2Pod strict mode. (deprecated: please use encryption.strictMode.egress.enabled)
encryption.strictMode.ingress.enabledboolfalseEnable strict ingress encryption. When enabled, all unencrypted overlay ingress traffic will be dropped. This option is only applicable when WireGuard and tunneling are enabled.
encryption.typestring"ipsec"Encryption method. Can be one of ipsec, wireguard or ztunnel.
encryption.wireguard.persistentKeepalivestring"0s"Controls WireGuard PersistentKeepalive option. Set 0s to disable.
encryption.ztunnelobject{"affinity":{},"annotations":{},"caAddress":"https://localhost:15012","extraEnv":[],"extraVolumeMounts":[],"extraVolumes":[],"healthPort":15021,"image":{"digest":null,"override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/istio/ztunnel","tag":"1.28.0-distroless","useDigest":false},"nodeSelector":{"kubernetes.io/os":"linux"},"podAnnotations":{},"podLabels":{},"priorityClassName":null,"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10},"resources":{"requests":{"cpu":"200m","memory":"512Mi"}},"secrets":{"bootstrapRootCert":null},"terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoSchedule","operator":"Exists"},{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoExecute","operator":"Exists"}],"updateStrategy":{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}}ztunnel encryption configuration. ztunnel is Istio's purpose-built, per-node proxy for handling L4 traffic in ambient mesh mode. These settings only apply when encryption.type is set to "ztunnel".
encryption.ztunnel.affinityobject{}Affinity for ztunnel pods.
encryption.ztunnel.annotationsobject{}Annotations to be added to all ztunnel resources.
encryption.ztunnel.caAddressstring"https://localhost:15012"CA server address for certificate requests.
encryption.ztunnel.extraEnvlist[]Additional ztunnel container environment variables.
encryption.ztunnel.extraVolumeMountslist[]Additional ztunnel volumeMounts.
encryption.ztunnel.extraVolumeslist[]Additional ztunnel volumes.
encryption.ztunnel.healthPortint15021TCP port for the health API.
encryption.ztunnel.imageobject{"digest":null,"override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/istio/ztunnel","tag":"1.28.0-distroless","useDigest":false}ztunnel container image.
encryption.ztunnel.nodeSelectorobject{"kubernetes.io/os":"linux"}Node selector for ztunnel pods.
encryption.ztunnel.podAnnotationsobject{}Annotations to be added to ztunnel pods.
encryption.ztunnel.podLabelsobject{}Labels to be added to ztunnel pods.
encryption.ztunnel.priorityClassNamestringnilThe priority class to use for ztunnel pods.
encryption.ztunnel.readinessProbeobject{"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10}Readiness probe configuration.
encryption.ztunnel.resourcesobject{"requests":{"cpu":"200m","memory":"512Mi"}}ztunnel resource limits & requests.
encryption.ztunnel.secretsobject{"bootstrapRootCert":null}ztunnel secrets configuration.
encryption.ztunnel.secrets.bootstrapRootCertstringnilBase64-encoded bootstrap root certificate content. If not provided, the secret must be created manually before deploying. @schema type: [null, string] @schema
encryption.ztunnel.terminationGracePeriodSecondsint30Configure termination grace period for ztunnel DaemonSet.
encryption.ztunnel.tolerationslist[{"effect":"NoSchedule","operator":"Exists"},{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoExecute","operator":"Exists"}]Node tolerations for ztunnel scheduling.
encryption.ztunnel.updateStrategyobject{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}ztunnel update strategy.
endpointHealthChecking.enabledbooltrueEnable connectivity health checking between virtual endpoints.
endpointLockdownOnMapOverflowboolfalseEnable endpoint lockdown on policy map overflow.
endpointPolicyUpdateTimeoutDurationstringnilMax duration to wait for envoy to respond to configuration changes. Default "10s".
endpointRoutes.enabledboolfalseEnable use of per endpoint routes instead of routing via the cilium_host interface.
eni.awsEnablePrefixDelegationboolfalseEnable ENI prefix delegation
eni.awsReleaseExcessIPsboolfalseRelease IPs not used from the ENI
eni.ec2APIEndpointstring""EC2 API endpoint to use
eni.enabledboolfalseEnable Elastic Network Interface (ENI) integration.
eni.eniTagsobject{}Tags to apply to the newly created ENIs
eni.gcIntervalstring"5m"Interval for garbage collection of unattached ENIs. Set to "0s" to disable.
eni.gcTagsobject{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":"<auto-detected>"}Additional tags attached to ENIs created by Cilium. Dangling ENIs with this tag will be garbage collected
eni.iamRolestring""If using IAM role for Service Accounts will not try to inject identity values from cilium-aws kubernetes secret. Adds annotation to service account if managed by Helm. See https://github.com/aws/amazon-eks-pod-identity-webhook
eni.instanceTagsFilterlist[]Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances are going to be used to create new ENIs
eni.nodeSpecobject{"deleteOnTermination":null,"disablePrefixDelegation":false,"excludeInterfaceTags":[],"firstInterfaceIndex":null,"securityGroupTags":[],"securityGroups":[],"subnetIDs":[],"subnetTags":[],"usePrimaryAddress":false}NodeSpec configuration for the ENI
eni.nodeSpec.deleteOnTerminationstringnilDelete ENI on termination @schema type: [null, boolean] @schema
eni.nodeSpec.disablePrefixDelegationboolfalseDisable prefix delegation for IP allocation
eni.nodeSpec.excludeInterfaceTagslist[]Exclude interface tags to use for IP allocation
eni.nodeSpec.firstInterfaceIndexstringnilFirst interface index to use for IP allocation @schema type: [null, integer] @schema
eni.nodeSpec.securityGroupTagslist[]Security group tags to use for IP allocation
eni.nodeSpec.securityGroupslist[]Security groups to use for IP allocation
eni.nodeSpec.subnetIDslist[]Subnet IDs to use for IP allocation
eni.nodeSpec.subnetTagslist[]Subnet tags to use for IP allocation
eni.nodeSpec.usePrimaryAddressboolfalseUse primary address for IP allocation
eni.subnetIDsFilterlist[]Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead.
eni.subnetTagsFilterlist[]Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead.
envoy.affinityobject{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}Affinity for cilium-envoy.
envoy.annotationsobject{}Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)
envoy.baseIDint0Set Envoy'--base-id' to use when allocating shared memory regions. Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0'
envoy.bootstrapConfigMapstringnilADVANCED OPTION: Bring your own custom Envoy bootstrap ConfigMap. Provide the name of a ConfigMap with a bootstrap-config.json key. When specified, Envoy will use this ConfigMap instead of the default provided by the chart. WARNING: Use of this setting has the potential to prevent cilium-envoy from starting up, and can cause unexpected behavior (e.g. due to syntax error or semantically incorrect configuration). Before submitting an issue, please ensure you have disabled this feature, as support cannot be provided for custom Envoy bootstrap configs. @schema type: [null, string] @schema
envoy.clusterMaxConnectionsint1024Maximum number of connections on Envoy clusters
envoy.clusterMaxRequestsint1024Maximum number of requests on Envoy clusters
envoy.connectTimeoutSecondsint2Time in seconds after which a TCP connection attempt times out
envoy.debug.admin.enabledboolfalseEnable admin interface for cilium-envoy. This is useful for debugging and should not be enabled in production.
envoy.debug.admin.portint9901Port number (bound to loopback interface). kubectl port-forward can be used to access the admin interface.
envoy.dnsPolicystringnilDNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
envoy.enabledstringtrue for new installationEnable Envoy Proxy in standalone DaemonSet. This field is enabled by default for new installation.
envoy.extraArgslist[]Additional envoy container arguments.
envoy.extraContainerslist[]Additional containers added to the cilium Envoy DaemonSet.
envoy.extraEnvlist[]Additional envoy container environment variables.
envoy.extraHostPathMountslist[]Additional envoy hostPath mounts.
envoy.extraVolumeMountslist[]Additional envoy volumeMounts.
envoy.extraVolumeslist[]Additional envoy volumes.
envoy.healthPortint9878TCP port for the health API.
envoy.httpRetryCountint3Maximum number of retries for each HTTP request
envoy.httpUpstreamLingerTimeoutstringnilTime in seconds to block Envoy worker thread while an upstream HTTP connection is closing. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
envoy.idleTimeoutDurationSecondsint60Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s
envoy.imageobject{"digest":"sha256:326f872e19ce8aa45170efbf583b3f301586ba3feead14b864676d4baf3b45ed","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.36.8-1781157951-a7f42a3390781539911b5b9107881b35ecc4e752","useDigest":true}Envoy container image.
envoy.initContainerslist[]Init containers added to the cilium Envoy DaemonSet.
envoy.initialFetchTimeoutSecondsint30Time in seconds after which the initial fetch on an xDS stream is considered timed out
envoy.livenessProbe.enabledbooltrueEnable liveness probe for cilium-envoy
envoy.livenessProbe.failureThresholdint10failure threshold of liveness probe
envoy.livenessProbe.periodSecondsint30interval between checks of the liveness probe
envoy.log.accessLogBufferSizeint4096Size of the Envoy access log buffer created within the agent in bytes. Tune this value up if you encounter "Envoy: Discarded truncated access log message" errors. Large request/response header sizes (e.g. 16KiB) will require a larger buffer size.
envoy.log.defaultLevelstringDefaults to the default log level of the Cilium Agent - infoDefault log level of Envoy application log that is configured if Cilium debug / verbose logging isn't enabled. This option allows to have a different log level than the Cilium Agent - e.g. lower it to critical. Possible values: trace, debug, info, warning, error, critical, off
envoy.log.formatstring"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"The format string to use for laying out the log message metadata of Envoy. If specified, Envoy will use text format output. This setting is mutually exclusive with envoy.log.format_json.
envoy.log.format_jsonstringnilThe JSON logging format to use for Envoy. This setting is mutually exclusive with envoy.log.format. ref: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-applicationlogconfig-logformat-json-format
envoy.log.pathstring""Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
envoy.maxConcurrentRetriesint128Maximum number of concurrent retries on Envoy clusters
envoy.maxConnectionDurationSecondsint0Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
envoy.maxGlobalDownstreamConnectionsint50000Maximum number of global downstream connections
envoy.maxRequestsPerConnectionint0ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
envoy.nodeSelectorobject{"kubernetes.io/os":"linux"}Node selector for cilium-envoy.
envoy.podAnnotationsobject{}Annotations to be added to envoy pods
envoy.podLabelsobject{}Labels to be added to envoy pods
envoy.podSecurityContextobject{"appArmorProfile":{"type":"Unconfined"}}Security Context for cilium-envoy pods.
envoy.podSecurityContext.appArmorProfileobject{"type":"Unconfined"}AppArmorProfile options for the cilium-agent and init containers
envoy.policyRestoreTimeoutDurationstringnilMax duration to wait for endpoint policies to be restored on restart. Default "3m".
envoy.priorityClassNamestringnilThe priority class to use for cilium-envoy.
envoy.prometheusobject{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"scrapeTimeout":null}}Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy.
envoy.prometheus.enabledbooltrueEnable prometheus metrics for cilium-envoy
envoy.prometheus.portstring"9964"Serve prometheus metrics for cilium-envoy on the configured port
envoy.prometheus.serviceMonitor.annotationsobject{}Annotations to add to ServiceMonitor cilium-envoy
envoy.prometheus.serviceMonitor.enabledboolfalseEnable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) Note that this setting applies to both cilium-envoy and cilium-agent with Envoy enabled.
envoy.prometheus.serviceMonitor.intervalstring"10s"Interval for scrape metrics.
envoy.prometheus.serviceMonitor.labelsobject{}Labels to add to ServiceMonitor cilium-envoy
envoy.prometheus.serviceMonitor.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured.
envoy.prometheus.serviceMonitor.relabelingslist[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]Relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured.
envoy.prometheus.serviceMonitor.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
envoy.readinessProbe.failureThresholdint3failure threshold of readiness probe
envoy.readinessProbe.periodSecondsint30interval between checks of the readiness probe
envoy.resourcesobject{}Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
envoy.rollOutPodsboolfalseRoll out cilium envoy pods automatically when configmap is updated.
envoy.securityContext.capabilities.envoylist["NET_ADMIN","SYS_ADMIN"]Capabilities for the cilium-envoy container. Even though granted to the container, the cilium-envoy-starter wrapper drops all capabilities after forking the actual Envoy process. NET_BIND_SERVICE is the only capability that can be passed to the Envoy process by setting envoy.securityContext.capabilities.keepNetBindService=true (in addition to granting the capability to the container). Note: In case of embedded envoy, the capability must be granted to the cilium-agent container.
envoy.securityContext.capabilities.keepCapNetBindServiceboolfalseKeep capability NET_BIND_SERVICE for Envoy process.
envoy.securityContext.privilegedboolfalseRun the pod with elevated privileges
envoy.securityContext.seLinuxOptionsobject{"level":"s0","type":"spc_t"}SELinux options for the cilium-envoy container
envoy.startupProbe.enabledbooltrueEnable startup probe for cilium-envoy
envoy.startupProbe.failureThresholdint105failure threshold of startup probe. 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
envoy.startupProbe.periodSecondsint2interval between checks of the startup probe
envoy.streamIdleTimeoutDurationSecondsint300Set Envoy the amount of time that the connection manager will allow a stream to exist with no upstream or downstream activity. default 5 minutes
envoy.terminationGracePeriodSecondsint1Configure termination grace period for cilium-envoy DaemonSet.
envoy.tolerationslist[{"operator":"Exists"}]Node tolerations for envoy scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
envoy.updateStrategyobject{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}cilium-envoy update strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset
envoy.useOriginalSourceAddressbooltrueFor cases when CiliumEnvoyConfig is not used directly (Ingress, Gateway), configures Cilium BPF Metadata listener filter to use the original source address when extracting the metadata for a request.
envoy.xffNumTrustedHopsL7PolicyEgressint0Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
envoy.xffNumTrustedHopsL7PolicyIngressint0Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
envoyConfig.enabledboolfalseEnable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
envoyConfig.retryIntervalstring"15s"Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated.
envoyConfig.secretsNamespaceobject{"create":true,"name":"cilium-secrets"}SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from.
envoyConfig.secretsNamespace.createbooltrueCreate secrets namespace for CiliumEnvoyConfig CRDs.
envoyConfig.secretsNamespace.namestring"cilium-secrets"The name of the secret namespace to which Cilium agents are given read access.
etcd.enabledboolfalseEnable etcd mode for the agent.
etcd.endpointslist["https://CHANGE-ME:2379"]List of etcd endpoints
etcd.sslboolfalseEnable use of TLS/SSL for connectivity to etcd.
extraArgslist[]Additional agent container arguments.
extraConfigobject{}extraConfig allows you to specify additional configuration parameters to be included in the cilium-config configmap.
extraContainerslist[]Additional containers added to the cilium DaemonSet.
extraEnvlist[]Additional agent container environment variables.
extraHostPathMountslist[]Additional agent hostPath mounts.
extraInitContainerslist[]Additional initContainers added to the cilium Daemonset.
extraVolumeMountslist[]Additional agent volumeMounts.
extraVolumeslist[]Additional agent volumes.
forceDeviceDetectionboolfalseForces the auto-detection of devices, even if specific devices are explicitly listed
gatewayAPI.enableAlpnboolfalseEnable ALPN for all listeners configured with Gateway API. ALPN will attempt HTTP/2, then HTTP 1.1. Note that this will also enable appProtocol support, and services that wish to use HTTP/2 will need to indicate that via their appProtocol.
gatewayAPI.enableAppProtocolboolfalseEnable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol.
gatewayAPI.enableProxyProtocolboolfalseEnable proxy protocol for all GatewayAPI listeners. Note that only Proxy protocol traffic will be accepted once this is enabled.
gatewayAPI.enabledboolfalseEnable support for Gateway API in cilium This will automatically set enable-envoy-config as well.
gatewayAPI.externalTrafficPolicystring"Cluster"Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for all Cilium GatewayAPI Gateway instances. Valid values are "Cluster" and "Local". Note that this value will be ignored when hostNetwork.enabled == true. ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy
gatewayAPI.gatewayClass.createstring"auto"Enable creation of GatewayClass resource The default value is 'auto' which decides according to presence of gateway.networking.k8s.io/v1/GatewayClass in the cluster. Other possible values are 'true' and 'false', which will either always or never create the GatewayClass, respectively.
gatewayAPI.hostNetwork.enabledboolfalseConfigure whether the Envoy listeners should be exposed on the host network.
gatewayAPI.hostNetwork.nodes.matchLabelsobject{}Specify the labels of the nodes where the Ingress listeners should be exposed matchLabels: kubernetes.io/os: linux kubernetes.io/hostname: kind-worker
gatewayAPI.secretsNamespaceobject{"create":true,"name":"cilium-secrets","sync":true}SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
gatewayAPI.secretsNamespace.createbooltrueCreate secrets namespace for Gateway API.
gatewayAPI.secretsNamespace.namestring"cilium-secrets"Name of Gateway API secret namespace.
gatewayAPI.secretsNamespace.syncbooltrueEnable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally.
gatewayAPI.xffNumTrustedHopsint0The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.
gke.enabledboolfalseEnable Google Kubernetes Engine integration
healthCheckICMPFailureThresholdint3Number of ICMP requests sent for each health check before marking a node or endpoint unreachable.
healthCheckingbooltrueEnable connectivity health checking.
healthPortint9879TCP port for the agent health API. This is not the port for cilium-health.
hostFirewallobject{"enabled":false}Configure the host firewall.
hostFirewall.enabledboolfalseEnables the enforcement of host policies in the eBPF datapath.
hubble.annotationsobject{}Annotations to be added to all top-level hubble objects (resources under templates/hubble)
hubble.dropEventEmitterobject{"enabled":false,"interval":"2m","reasons":["auth_required","policy_denied"]}Emit v1.Events related to pods on detection of packet drops. This feature is alpha, please provide feedback at https://github.com/cilium/cilium/issues/33975.
hubble.dropEventEmitter.intervalstring"2m"- Minimum time between emitting same events.
hubble.dropEventEmitter.reasonslist["auth_required","policy_denied"]- Drop reasons to emit events for. ref: https://docs.cilium.io/en/stable/_api/v1/flow/README/#dropreason
hubble.enabledbooltrueEnable Hubble (true by default).
hubble.exportobject{"dynamic":{"config":{"configMapName":"cilium-flowlog-config","content":[{"aggregationInterval":"0s","excludeFilters":[],"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false},"static":{"aggregationInterval":"0s","allowList":[],"denyList":[],"enabled":false,"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log"}}Hubble flows export.
hubble.export.dynamicobject{"config":{"configMapName":"cilium-flowlog-config","content":[{"aggregationInterval":"0s","excludeFilters":[],"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false}- Dynamic exporters configuration. Dynamic exporters may be reconfigured without a need of agent restarts.
hubble.export.dynamic.config.configMapNamestring"cilium-flowlog-config"-- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents.
hubble.export.dynamic.config.contentlist[{"aggregationInterval":"0s","excludeFilters":[],"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}]-- Exporters configuration in YAML format.
hubble.export.dynamic.config.createConfigMapbooltrue-- True if helm installer should create config map. Switch to false if you want to self maintain the file content.
hubble.export.staticobject{"aggregationInterval":"0s","allowList":[],"denyList":[],"enabled":false,"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log"}- Static exporter configuration. Static exporter is bound to agent lifecycle.
hubble.export.static.aggregationIntervalstring"0s"- Defines the interval at which to aggregate before exporting Hubble flows. Aggregation feature is only enabled when fieldAggregate is specified and aggregationInterval > 0s.
hubble.export.static.fileCompressboolfalse- Enable compression of rotated files.
hubble.export.static.fileMaxBackupsint5- Defines max number of backup/rotated files.
hubble.export.static.fileMaxSizeMbint10- Defines max file size of output file before it gets rotated.
hubble.listenAddressstring":4244"An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244.
hubble.metricsobject{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"dynamic":{"config":{"configMapName":"cilium-dynamic-metrics-config","content":[],"createConfigMap":true},"enabled":false},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"scrapeTimeout":null,"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics.
hubble.metrics.dashboardsobject{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
hubble.metrics.dynamic.config.configMapNamestring"cilium-dynamic-metrics-config"-- Name of configmap with configuration that may be altered to reconfigure metric handlers within a running agent.
hubble.metrics.dynamic.config.contentlist[]-- Exporters configuration in YAML format.
hubble.metrics.dynamic.config.createConfigMapbooltrue-- True if helm installer should create config map. Switch to false if you want to self maintain the file content.
hubble.metrics.enableOpenMetricsboolfalseEnables exporting hubble metrics in OpenMetrics format.
hubble.metrics.enabledstringnilConfigures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
hubble.metrics.portint9965Configure the port the hubble metric server listens on.
hubble.metrics.serviceAnnotationsobject{}Annotations to be added to hubble-metrics service.
hubble.metrics.serviceMonitor.annotationsobject{}Annotations to add to ServiceMonitor hubble
hubble.metrics.serviceMonitor.enabledboolfalseCreate ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
hubble.metrics.serviceMonitor.intervalstring"10s"Interval for scrape metrics.
hubble.metrics.serviceMonitor.jobLabelstring""jobLabel to add for ServiceMonitor hubble
hubble.metrics.serviceMonitor.labelsobject{}Labels to add to ServiceMonitor hubble
hubble.metrics.serviceMonitor.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor hubble
hubble.metrics.serviceMonitor.relabelingslist[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]Relabeling configs for the ServiceMonitor hubble
hubble.metrics.serviceMonitor.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
hubble.metrics.tls.server.certstring""base64 encoded PEM values for the Hubble metrics server certificate (deprecated). Use existingSecret instead.
hubble.metrics.tls.server.existingSecretstring""Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored.
hubble.metrics.tls.server.extraDnsNameslist[]Extra DNS names added to certificate when it's auto generated
hubble.metrics.tls.server.extraIpAddresseslist[]Extra IP addresses added to certificate when it's auto generated
hubble.metrics.tls.server.keystring""base64 encoded PEM values for the Hubble metrics server key (deprecated). Use existingSecret instead.
hubble.metrics.tls.server.mtlsobject{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}Configure mTLS for the Hubble metrics server.
hubble.metrics.tls.server.mtls.keystring"ca.crt"Entry of the ConfigMap containing the CA.
hubble.metrics.tls.server.mtls.namestringnilName of the ConfigMap containing the CA to validate client certificates against. If mTLS is enabled and this is unspecified, it will default to the same CA used for Hubble metrics server certificates.
hubble.networkPolicyCorrelationobject{"enabled":true}Enables network policy correlation of Hubble flows, i.e. populating egress_allowed_by, ingress_denied_by fields with policy information.
hubble.peerService.clusterDomainstring"cluster.local"The cluster domain to use to query the Hubble Peer service. It should be the local cluster.
hubble.peerService.targetPortint4244Target Port for the Peer service, must match the hubble.listenAddress' port.
hubble.preferIpv6boolfalseWhether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available.
hubble.redactobject{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":true}}Enables redacting sensitive information present in Layer 7 flows.
hubble.redact.http.headers.allowlist[]List of HTTP headers to allow: headers not matching will be redacted. Note: allow and deny lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: allow: - traceparent - tracestate - Cache-Control You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control"
hubble.redact.http.headers.denylist[]List of HTTP headers to deny: matching headers will be redacted. Note: allow and deny lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: deny: - Authorization - Proxy-Authorization You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization"
hubble.redact.http.urlQueryboolfalseEnables redacting URL query (GET) parameters. Example: redact: enabled: true http: urlQuery: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.urlQuery="true"
hubble.redact.http.userInfobooltrueEnables redacting user info, e.g., password when basic auth is used. Example: redact: enabled: true http: userInfo: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.userInfo="true"
hubble.redact.kafka.apiKeybooltrueEnables redacting Kafka's API key (deprecated, will be removed in v1.19). Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true"
hubble.relay.affinityobject{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}Affinity for hubble-replay
hubble.relay.annotationsobject{}Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)
hubble.relay.enabledboolfalseEnable Hubble Relay (requires hubble.enabled=true)
hubble.relay.extraEnvlist[]Additional hubble-relay environment variables.
hubble.relay.extraVolumeMountslist[]Additional hubble-relay volumeMounts.
hubble.relay.extraVolumeslist[]Additional hubble-relay volumes.
hubble.relay.gops.enabledbooltrueEnable gops for hubble-relay
hubble.relay.gops.portint9893Configure gops listen port for hubble-relay
hubble.relay.imageobject{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.19.5","useDigest":false}Hubble-relay container image.
hubble.relay.listenHoststring""Host to listen to. Specify an empty string to bind to all the interfaces.
hubble.relay.listenPortstring"4245"Port to listen to.
hubble.relay.logOptionsobject{"format":null,"level":null}Logging configuration for hubble-relay.
hubble.relay.logOptions.formatstringtext-tsLog format for hubble-relay. Valid values are: text, text-ts, json, json-ts.
hubble.relay.logOptions.levelstringinfoLog level for hubble-relay. Valid values are: debug, info, warn, error.
hubble.relay.nodeSelectorobject{"kubernetes.io/os":"linux"}Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
hubble.relay.podAnnotationsobject{}Annotations to be added to hubble-relay pods
hubble.relay.podDisruptionBudget.enabledboolfalseenable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
hubble.relay.podDisruptionBudget.maxUnavailableint1Maximum number/percentage of pods that may be made unavailable
hubble.relay.podDisruptionBudget.minAvailablestringnilMinimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by maxUnavailable: null
hubble.relay.podDisruptionBudget.unhealthyPodEvictionPolicystringnilHow are unhealthy, but running, pods counted for eviction
hubble.relay.podLabelsobject{}Labels to be added to hubble-relay pods
hubble.relay.podSecurityContextobject{"fsGroup":65532,"seccompProfile":{"type":"RuntimeDefault"}}hubble-relay pod security context
hubble.relay.pprof.addressstring"localhost"Configure pprof listen address for hubble-relay
hubble.relay.pprof.blockProfileRateint0Enable goroutine blocking profiling for hubble-relay and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
hubble.relay.pprof.enabledboolfalseEnable pprof for hubble-relay
hubble.relay.pprof.mutexProfileFractionint0Enable mutex contention profiling for hubble-relay and set the fraction of sampled events (set to 1 to sample all events)
hubble.relay.pprof.portint6062Configure pprof listen port for hubble-relay
hubble.relay.priorityClassNamestring""The priority class to use for hubble-relay
hubble.relay.prometheusobject{"enabled":false,"port":9966,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":null,"scrapeTimeout":null}}Enable prometheus metrics for hubble-relay on the configured port at /metrics
hubble.relay.prometheus.serviceMonitor.annotationsobject{}Annotations to add to ServiceMonitor hubble-relay
hubble.relay.prometheus.serviceMonitor.enabledboolfalseEnable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
hubble.relay.prometheus.serviceMonitor.intervalstring"10s"Interval for scrape metrics.
hubble.relay.prometheus.serviceMonitor.labelsobject{}Labels to add to ServiceMonitor hubble-relay
hubble.relay.prometheus.serviceMonitor.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor hubble-relay
hubble.relay.prometheus.serviceMonitor.relabelingsstringnilRelabeling configs for the ServiceMonitor hubble-relay
hubble.relay.prometheus.serviceMonitor.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
hubble.relay.replicasint1Number of replicas run for the hubble-relay deployment.
hubble.relay.resourcesobject{}Specifies the resources for the hubble-relay pods
hubble.relay.retryTimeoutstringnilBackoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
hubble.relay.rollOutPodsboolfalseRoll out Hubble Relay pods automatically when configmap is updated.
hubble.relay.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}hubble-relay container security context
hubble.relay.serviceobject{"nodePort":31234,"type":"ClusterIP"}hubble-relay service configuration.
hubble.relay.service.nodePortint31234- The port to use when the service type is set to NodePort.
hubble.relay.service.typestring"ClusterIP"- The type of service used for Hubble Relay access, either ClusterIP, NodePort or LoadBalancer.
hubble.relay.sortBufferDrainTimeoutstringnilWhen the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
hubble.relay.sortBufferLenMaxintnilMax number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100).
hubble.relay.terminationGracePeriodSecondsint1Configure termination grace period for hubble relay Deployment.
hubble.relay.tlsobject{"client":{"cert":"","existingSecret":"","key":""},"server":{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}TLS configuration for Hubble Relay
hubble.relay.tls.clientobject{"cert":"","existingSecret":"","key":""}The hubble-relay client certificate and private key. This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false.
hubble.relay.tls.client.certstring""base64 encoded PEM values for the Hubble relay client certificate (deprecated). Use existingSecret instead.
hubble.relay.tls.client.existingSecretstring""Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored.
hubble.relay.tls.client.keystring""base64 encoded PEM values for the Hubble relay client key (deprecated). Use existingSecret instead.
hubble.relay.tls.serverobject{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}The hubble-relay server certificate and private key
hubble.relay.tls.server.certstring""base64 encoded PEM values for the Hubble relay server certificate (deprecated). Use existingSecret instead.
hubble.relay.tls.server.existingSecretstring""Name of the Secret containing the certificate and key for the Hubble relay server. If specified, cert and key are ignored.
hubble.relay.tls.server.extraDnsNameslist[]extra DNS names added to certificate when its auto gen
hubble.relay.tls.server.extraIpAddresseslist[]extra IP addresses added to certificate when its auto gen
hubble.relay.tls.server.keystring""base64 encoded PEM values for the Hubble relay server key (deprecated). Use existingSecret instead.
hubble.relay.tolerationslist[]Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
hubble.relay.topologySpreadConstraintslist[]Pod topology spread constraints for hubble-relay
hubble.relay.updateStrategyobject{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}hubble-relay update strategy
hubble.skipUnknownCGroupIDsbooltrueSkip Hubble events with unknown cgroup ids
hubble.socketPathstring"/var/run/cilium/hubble.sock"Unix domain socket path to listen to when Hubble is enabled.
hubble.tlsobject{"auto":{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}TLS configuration for Hubble
hubble.tls.autoobject{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}Configure automatic TLS certificates generation.
hubble.tls.auto.certManagerIssuerRefobject{}certmanager issuer used when hubble.tls.auto.method=certmanager.
hubble.tls.auto.certValidityDurationint365Generated certificates validity duration in days. Defaults to 365 days (1 year) because MacOS does not accept self-signed certificates with expirations > 825 days.
hubble.tls.auto.enabledbooltrueAuto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below.
hubble.tls.auto.methodstring"helm"Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates.
hubble.tls.auto.schedulestring"0 0 1 */4 *"Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax
hubble.tls.enabledbooltrueEnable mutual TLS for listenAddress. Setting this value to false is highly discouraged as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network.
hubble.tls.serverobject{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}The Hubble server certificate and private key
hubble.tls.server.certstring""base64 encoded PEM values for the Hubble server certificate (deprecated). Use existingSecret instead.
hubble.tls.server.existingSecretstring""Name of the Secret containing the certificate and key for the Hubble server. If specified, cert and key are ignored.
hubble.tls.server.extraDnsNameslist[]Extra DNS names added to certificate when it's auto generated
hubble.tls.server.extraIpAddresseslist[]Extra IP addresses added to certificate when it's auto generated
hubble.tls.server.keystring""base64 encoded PEM values for the Hubble server key (deprecated). Use existingSecret instead.
hubble.ui.affinityobject{}Affinity for hubble-ui
hubble.ui.annotationsobject{}Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
hubble.ui.backend.extraEnvlist[]Additional hubble-ui backend environment variables.
hubble.ui.backend.extraVolumeMountslist[]Additional hubble-ui backend volumeMounts.
hubble.ui.backend.extraVolumeslist[]Additional hubble-ui backend volumes.
hubble.ui.backend.imageobject{"digest":"sha256:fac0c300ae119274edca11fd89b1ad23c788792d8bc4ea2ba631c709e8d3c688","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.5","useDigest":true}Hubble-ui backend image.
hubble.ui.backend.livenessProbe.enabledboolfalseEnable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
hubble.ui.backend.readinessProbe.enabledboolfalseEnable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
hubble.ui.backend.resourcesobject{}Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
hubble.ui.backend.securityContextobject{"allowPrivilegeEscalation":false}Hubble-ui backend security context.
hubble.ui.baseUrlstring"/"Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing / is required for custom path, ex. /service-map/
hubble.ui.enabledboolfalseWhether to enable the Hubble UI.
hubble.ui.frontend.extraEnvlist[]Additional hubble-ui frontend environment variables.
hubble.ui.frontend.extraVolumeMountslist[]Additional hubble-ui frontend volumeMounts.
hubble.ui.frontend.extraVolumeslist[]Additional hubble-ui frontend volumes.
hubble.ui.frontend.imageobject{"digest":"sha256:f7d514fc54d784ed6df9d58cf0e97648b143f92b766dd1780ed3fc845bd4c516","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.5","useDigest":true}Hubble-ui frontend image.
hubble.ui.frontend.resourcesobject{}Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
hubble.ui.frontend.securityContextobject{"allowPrivilegeEscalation":false}Hubble-ui frontend security context.
hubble.ui.frontend.server.ipv6object{"enabled":true}Controls server listener for ipv6
hubble.ui.ingressobject{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"labels":{},"tls":[]}hubble-ui ingress configuration.
hubble.ui.labelsobject{}Additional labels to be added to 'hubble-ui' deployment object
hubble.ui.nodeSelectorobject{"kubernetes.io/os":"linux"}Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
hubble.ui.podAnnotationsobject{}Annotations to be added to hubble-ui pods
hubble.ui.podDisruptionBudget.enabledboolfalseenable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
hubble.ui.podDisruptionBudget.maxUnavailableint1Maximum number/percentage of pods that may be made unavailable
hubble.ui.podDisruptionBudget.minAvailablestringnilMinimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by maxUnavailable: null
hubble.ui.podDisruptionBudget.unhealthyPodEvictionPolicystringnilHow are unhealthy, but running, pods counted for eviction
hubble.ui.podLabelsobject{}Labels to be added to hubble-ui pods
hubble.ui.priorityClassNamestring""The priority class to use for hubble-ui
hubble.ui.replicasint1The number of replicas of Hubble UI to deploy.
hubble.ui.rollOutPodsboolfalseRoll out Hubble-ui pods automatically when configmap is updated.
hubble.ui.securityContextobject{"fsGroup":1001,"runAsGroup":1001,"runAsUser":1001}Security context to be added to Hubble UI pods
hubble.ui.serviceobject{"annotations":{},"labels":{},"nodePort":31235,"type":"ClusterIP"}hubble-ui service configuration.
hubble.ui.service.annotationsobject{}Annotations to be added for the Hubble UI service
hubble.ui.service.labelsobject{}Labels to be added for the Hubble UI service
hubble.ui.service.nodePortint31235- The port to use when the service type is set to NodePort.
hubble.ui.service.typestring"ClusterIP"- The type of service used for Hubble UI access, either ClusterIP or NodePort.
hubble.ui.standalone.enabledboolfalseWhen true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. When installed via helm, installing UI should be done via helm upgrade and when installed via the cilium cli, then cilium hubble enable --ui
hubble.ui.standalone.tls.certsVolumeobject{}When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates.
hubble.ui.tls.client.certstring""base64 encoded PEM values for the Hubble UI client certificate (deprecated). Use existingSecret instead.
hubble.ui.tls.client.existingSecretstring""Name of the Secret containing the client certificate and key for Hubble UI If specified, cert and key are ignored.
hubble.ui.tls.client.keystring""base64 encoded PEM values for the Hubble UI client key (deprecated). Use existingSecret instead.
hubble.ui.tmpVolumeobject{}Configure temporary volume for hubble-ui
hubble.ui.tolerationslist[]Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
hubble.ui.topologySpreadConstraintslist[]Pod topology spread constraints for hubble-ui
hubble.ui.updateStrategyobject{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}hubble-ui update strategy.
identityAllocationModestring"crd"Method to use for identity allocation (crd, kvstore or doublewrite-readkvstore / doublewrite-readcrd for migrating between identity backends).
identityChangeGracePeriodstring"5s"Time to wait before using new identity on endpoint identity change.
identityManagementModestring"agent"Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both"). "Both" should be used only to migrate between "agent" and "operator". Operator-managed identities is a beta feature.
imageobject{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.19.5","useDigest":false}Agent container image.
imagePullSecretslist[]Configure image pull secrets for pulling container images
ingressController.defaultboolfalseSet cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set
ingressController.defaultSecretNamestringnilDefault secret name for ingresses without .spec.tls[].secretName set.
ingressController.defaultSecretNamespacestringnilDefault secret namespace for ingresses without .spec.tls[].secretName set.
ingressController.enableProxyProtocolboolfalseEnable proxy protocol for all Ingress listeners. Note that only Proxy protocol traffic will be accepted once this is enabled.
ingressController.enabledboolfalseEnable cilium ingress controller This will automatically set enable-envoy-config as well.
ingressController.enforceHttpsbooltrueEnforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header.
ingressController.hostNetwork.enabledboolfalseConfigure whether the Envoy listeners should be exposed on the host network.
ingressController.hostNetwork.nodes.matchLabelsobject{}Specify the labels of the nodes where the Ingress listeners should be exposed matchLabels: kubernetes.io/os: linux kubernetes.io/hostname: kind-worker
ingressController.hostNetwork.sharedListenerPortint8080Configure a specific port on the host network that gets used for the shared listener.
ingressController.ingressLBAnnotationPrefixeslist["lbipam.cilium.io","nodeipam.cilium.io","service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service
ingressController.loadbalancerModestring"dedicated"Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource: "ingress.cilium.io/loadbalancer-mode: dedicated" (or "shared").
ingressController.secretsNamespaceobject{"create":true,"name":"cilium-secrets","sync":true}SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
ingressController.secretsNamespace.createbooltrueCreate secrets namespace for Ingress.
ingressController.secretsNamespace.namestring"cilium-secrets"Name of Ingress secret namespace.
ingressController.secretsNamespace.syncbooltrueEnable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally.
ingressController.serviceobject{"allocateLoadBalancerNodePorts":null,"annotations":{},"externalTrafficPolicy":"Cluster","insecureNodePort":null,"labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"name":"cilium-ingress","secureNodePort":null,"type":"LoadBalancer"}Load-balancer service in shared mode. This is a single load-balancer service for all Ingress resources.
ingressController.service.allocateLoadBalancerNodePortsstringnilConfigure if node port allocation is required for LB service ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
ingressController.service.annotationsobject{}Annotations to be added for the shared LB service
ingressController.service.externalTrafficPolicystring"Cluster"Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for Cilium Ingress in shared mode. Valid values are "Cluster" and "Local". ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy
ingressController.service.insecureNodePortstringnilConfigure a specific nodePort for insecure HTTP traffic on the shared LB service
ingressController.service.labelsobject{}Labels to be added for the shared LB service
ingressController.service.loadBalancerClassstringnilConfigure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+)
ingressController.service.loadBalancerIPstringnilConfigure a specific loadBalancerIP on the shared LB service
ingressController.service.namestring"cilium-ingress"Service name
ingressController.service.secureNodePortstringnilConfigure a specific nodePort for secure HTTPS traffic on the shared LB service
ingressController.service.typestring"LoadBalancer"Service type for the shared LB service
initResourcesobject{}resources & limits for the agent init containers
installNoConntrackIptablesRulesboolfalseInstall Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup.
ipMasqAgentobject{"enabled":false}Configure the eBPF-based ip-masq-agent
ipam.ciliumNodeUpdateRatestring"15s"Maximum rate at which the CiliumNode custom resource is updated.
ipam.installUplinkRoutesForDelegatedIPAMboolfalseInstall ingress/egress routes through uplink on host for Pods when working with delegated IPAM plugin.
ipam.modestring"cluster-pool"Configure IP Address Management mode. ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
ipam.multiPoolPreAllocationstring""Pre-allocation settings for IPAM in Multi-Pool mode
ipam.nodeSpecobject{"ipamMaxAllocate":null,"ipamMinAllocate":null,"ipamPreAllocate":null,"ipamStaticIPTags":[]}NodeSpec configuration for the IPAM
ipam.nodeSpec.ipamMaxAllocatestringnilIPAM max allocate @schema type: [null, integer] @schema
ipam.nodeSpec.ipamMinAllocatestringnilIPAM min allocate @schema type: [null, integer] @schema
ipam.nodeSpec.ipamPreAllocatestringnilIPAM pre allocate @schema type: [null, integer] @schema
ipam.nodeSpec.ipamStaticIPTagslist[]IPAM static IP tags (currently only works with AWS and Azure)
ipam.operator.autoCreateCiliumPodIPPoolsobject{}IP pools to auto-create in multi-pool IPAM mode.
ipam.operator.clusterPoolIPv4MaskSizeint24IPv4 CIDR mask size to delegate to individual nodes for IPAM.
ipam.operator.clusterPoolIPv4PodCIDRListlist["10.0.0.0/8"]IPv4 CIDR list range to delegate to individual nodes for IPAM.
ipam.operator.clusterPoolIPv6MaskSizeint120IPv6 CIDR mask size to delegate to individual nodes for IPAM.
ipam.operator.clusterPoolIPv6PodCIDRListlist["fd00::/104"]IPv6 CIDR list range to delegate to individual nodes for IPAM.
ipam.operator.externalAPILimitBurstSizeint20The maximum burst size when rate limiting access to external APIs. Also known as the token bucket capacity.
ipam.operator.externalAPILimitQPSfloat4.0The maximum queries per second when rate limiting access to external APIs. Also known as the bucket refill rate, which is used to refill the bucket up to the burst size capacity.
iptablesRandomFullyboolfalseConfigure iptables--random-fully. Disabled by default. View https://github.com/cilium/cilium/issues/13037 for more information.
ipv4.enabledbooltrueEnable IPv4 support.
ipv4NativeRoutingCIDRstring""Allows to explicitly specify the IPv4 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag.
ipv6.enabledboolfalseEnable IPv6 support.
ipv6NativeRoutingCIDRstring""Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag.
k8sobject{"requireIPv4PodCIDR":false,"requireIPv6PodCIDR":false}Configure Kubernetes specific configuration
k8s.requireIPv4PodCIDRboolfalserequireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR range via the Kubernetes node resource
k8s.requireIPv6PodCIDRboolfalserequireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR range via the Kubernetes node resource
k8sClientExponentialBackoffobject{"backoffBaseSeconds":1,"backoffMaxDurationSeconds":120,"enabled":true}Configure exponential backoff for client-go in Cilium agent.
k8sClientExponentialBackoff.backoffBaseSecondsint1Configure base (in seconds) for exponential backoff.
k8sClientExponentialBackoff.backoffMaxDurationSecondsint120Configure maximum duration (in seconds) for exponential backoff.
k8sClientExponentialBackoff.enabledbooltrueEnable exponential backoff for client-go in Cilium agent.
k8sClientRateLimitobject{"burst":null,"operator":{"burst":null,"qps":null},"qps":null}Configure the client side rate limit for the agent If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent will start to throttle requests by delaying them until there is budget or the request times out.
k8sClientRateLimit.burstint20The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate.
k8sClientRateLimit.operatorobject{"burst":null,"qps":null}Configure the client side rate limit for the Cilium Operator
k8sClientRateLimit.operator.burstint200The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate.
k8sClientRateLimit.operator.qpsint100The sustained request rate in requests per second.
k8sClientRateLimit.qpsint10The sustained request rate in requests per second.
k8sNetworkPolicy.enabledbooltrueEnable support for K8s NetworkPolicy
k8sServiceHoststring""Kubernetes service host - use "auto" for automatic lookup from the cluster-info ConfigMap
k8sServiceHostRefobject{"key":null,"name":null}Configure the Kubernetes service endpoint dynamically using a ConfigMap. Mutually exclusive with k8sServiceHost.
k8sServiceHostRef.keystringnilKey in the ConfigMap containing the Kubernetes service endpoint
k8sServiceHostRef.namestringnilname of the ConfigMap containing the Kubernetes service endpoint
k8sServiceLookupConfigMapNamestring""When k8sServiceHost=auto, allows to customize the configMap name. It defaults to cluster-info.
k8sServiceLookupNamespacestring""When k8sServiceHost=auto, allows to customize the namespace that contains k8sServiceLookupConfigMapName. It defaults to kube-public.
k8sServicePortstring""Kubernetes service port
keepDeprecatedLabelsboolfalseKeep the deprecated selector labels when deploying Cilium DaemonSet.
keepDeprecatedProbesboolfalseKeep the deprecated probes when deploying Cilium DaemonSet
kubeConfigPathstring"~/.kube/config"Kubernetes config path
kubeProxyReplacementstring"false"Configure the kube-proxy replacement in Cilium BPF datapath Valid options are "true" or "false". ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/ @schema@ type: [string, boolean] @schema@
kubeProxyReplacementHealthzBindAddrstring""healthz server bind address for the kube-proxy replacement. To enable set the value to '0.0.0.0:10256' for all ipv4 addresses and this '[::]:10256' for all ipv6 addresses. By default it is disabled.
l2NeighDiscovery.enabledboolfalseEnable L2 neighbor discovery in the agent
l2announcementsobject{"enabled":false}Configure L2 announcements
l2announcements.enabledboolfalseEnable L2 announcements
l2podAnnouncementsobject{"enabled":false,"interfacePattern":""}Configure L2 pod announcements
l2podAnnouncements.enabledboolfalseEnable L2 pod announcements
l2podAnnouncements.interfacePatternstring""A regular expression matching interfaces used for sending Gratuitous ARP pod announcements
l7ProxybooltrueEnable Layer 7 network policy.
livenessProbe.failureThresholdint10failure threshold of liveness probe
livenessProbe.periodSecondsint30interval between checks of the liveness probe
livenessProbe.requireK8sConnectivityboolfalsewhether to require k8s connectivity as part of the check.
loadBalancerobject{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]},"serviceTopology":false}Configure service load balancing
loadBalancer.accelerationstring"disabled"acceleration is the option to accelerate service handling via XDP Applicable values can be: disabled (do not use XDP), native (XDP BPF program is run directly out of the networking driver's early receive path), or best-effort (use native mode XDP acceleration on devices that support it).
loadBalancer.l7object{"algorithm":"round_robin","backend":"disabled","ports":[]}L7 LoadBalancer
loadBalancer.l7.algorithmstring"round_robin"Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random
loadBalancer.l7.backendstring"disabled"Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration. Applicable values: - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - disabled: Disable L7 load balancing by way of service annotation.
loadBalancer.l7.portslist[]List of ports from service to be automatically redirected to above backend. Any service exposing one of these ports will be automatically redirected. Fine-grained control can be achieved by using the service annotation.
loadBalancer.serviceTopologyboolfalseserviceTopology enables K8s Topology Aware Hints -based service endpoints filtering
localRedirectPolicies.addressMatcherCIDRsstringnilLimit the allowed addresses in Address Matcher rule of Local Redirect Policies to the given CIDRs. @schema@ type: [null, array] @schema@
localRedirectPolicies.enabledboolfalseEnable local redirect policies.
localRedirectPolicyboolfalseEnable Local Redirect Policy (deprecated, please use 'localRedirectPolicies.enabled' instead)
logSystemLoadboolfalseEnables periodic logging of system load
maglevobject{}Configure maglev consistent hashing
monitorobject{"enabled":false}cilium-monitor sidecar.
monitor.enabledboolfalseEnable the cilium-monitor sidecar.
namestring"cilium"Agent daemonset name.
namespaceOverridestring""namespaceOverride allows to override the destination namespace for Cilium resources.
nat.mapStatsEntriesint32Number of the top-k SNAT map connections to track in Cilium statedb.
nat.mapStatsIntervalstring"30s"Interval between how often SNAT map is counted for stats.
nat46x64Gatewayobject{"enabled":false}Configure standalone NAT46/NAT64 gateway
nat46x64Gateway.enabledboolfalseEnable RFC6052-prefixed translation
nodeIPAM.enabledboolfalseConfigure Node IPAM ref: https://docs.cilium.io/en/stable/network/node-ipam/
nodePortobject{"addresses":null,"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enableHealthCheckLoadBalancerIP":false}Configure N-S k8s service loadbalancing
nodePort.addressesstringnilList of CIDRs for choosing which IP addresses assigned to native devices are used for NodePort load-balancing. By default this is empty and the first suitable, preferably private, IPv4 and IPv6 address assigned to each device is used. Example: addresses: ["192.168.1.0/24", "2001::/64"]
nodePort.autoProtectPortRangebooltrueAppend NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected.
nodePort.bindProtectionbooltrueSet to true to prevent applications binding to service ports.
nodePort.enableHealthCheckbooltrueEnable healthcheck nodePort server for NodePort services
nodePort.enableHealthCheckLoadBalancerIPboolfalseEnable access of the healthcheck nodePort on the LoadBalancerIP. Needs EnableHealthCheck to be enabled
nodeSelectorobject{"kubernetes.io/os":"linux"}Node selector for cilium-agent.
nodeSelectorLabelsboolfalseEnable/Disable use of node label based identity
nodeinit.affinityobject{}Affinity for cilium-nodeinit
nodeinit.annotationsobject{}Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit)
nodeinit.bootstrapFilestring"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet
nodeinit.enabledboolfalseEnable the node initialization DaemonSet
nodeinit.extraEnvlist[]Additional nodeinit environment variables.
nodeinit.extraVolumeMountslist[]Additional nodeinit volumeMounts.
nodeinit.extraVolumeslist[]Additional nodeinit volumes.
nodeinit.imageobject{"digest":"sha256:50b9cf9c280096b59b80d2fc8ee6638facef79ac18998a22f0cbc40d5d28c16f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"1763560095-8f36c34","useDigest":true}node-init image.
nodeinit.nodeSelectorobject{"kubernetes.io/os":"linux"}Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeinit.podAnnotationsobject{}Annotations to be added to node-init pods.
nodeinit.podLabelsobject{}Labels to be added to node-init pods.
nodeinit.podSecurityContextobject{"appArmorProfile":{"type":"Unconfined"}}Security Context for cilium-node-init pods.
nodeinit.podSecurityContext.appArmorProfileobject{"type":"Unconfined"}AppArmorProfile options for the cilium-node-init and init containers
nodeinit.prestopobject{"postScript":"","preScript":""}prestop offers way to customize prestop nodeinit script (pre and post position)
nodeinit.priorityClassNamestring""The priority class to use for the nodeinit pod.
nodeinit.resourcesobject{"requests":{"cpu":"100m","memory":"100Mi"}}nodeinit resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
nodeinit.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"add":["SYS_MODULE","NET_ADMIN","SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]},"privileged":false,"seLinuxOptions":{"level":"s0","type":"spc_t"}}Security context to be added to nodeinit pods.
nodeinit.startupobject{"postScript":"","preScript":""}startup offers way to customize startup nodeinit script (pre and post position)
nodeinit.tolerationslist[{"operator":"Exists"}]Node tolerations for nodeinit scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
nodeinit.updateStrategyobject{"type":"RollingUpdate"}node-init update strategy
nodeinit.waitForCloudInitboolfalsewait for Cloud init to finish on the host and assume the node has cloud init installed
operator.affinityobject{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}}Affinity for cilium-operator
operator.annotationsobject{}Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator)
operator.dashboardsobject{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}Grafana dashboards for cilium-operator grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
operator.dnsPolicystring""DNS policy for Cilium operator pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
operator.enabledbooltrueEnable the cilium-operator component (required).
operator.endpointGCIntervalstring"5m0s"Interval for endpoint garbage collection.
operator.extraArgslist[]Additional cilium-operator container arguments.
operator.extraEnvlist[]Additional cilium-operator environment variables.
operator.extraHostPathMountslist[]Additional cilium-operator hostPath mounts.
operator.extraVolumeMountslist[]Additional cilium-operator volumeMounts.
operator.extraVolumeslist[]Additional cilium-operator volumes.
operator.hostNetworkbooltrueHostNetwork setting
operator.identityGCIntervalstring"15m0s"Interval for identity garbage collection.
operator.identityHeartbeatTimeoutstring"30m0s"Timeout for identity heartbeats.
operator.imageobject{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.19.5","useDigest":false}cilium-operator image.
operator.nodeGCIntervalstring"5m0s"Interval for cilium node garbage collection.
operator.nodeSelectorobject{"kubernetes.io/os":"linux"}Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
operator.podAnnotationsobject{}Annotations to be added to cilium-operator pods
operator.podDisruptionBudget.enabledboolfalseenable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
operator.podDisruptionBudget.maxUnavailableint1Maximum number/percentage of pods that may be made unavailable
operator.podDisruptionBudget.minAvailablestringnilMinimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by maxUnavailable: null
operator.podDisruptionBudget.unhealthyPodEvictionPolicystringnilHow are unhealthy, but running, pods counted for eviction
operator.podLabelsobject{}Labels to be added to cilium-operator pods
operator.podSecurityContextobject{"seccompProfile":{"type":"RuntimeDefault"}}Security context to be added to cilium-operator pods
operator.pprof.addressstring"localhost"Configure pprof listen address for cilium-operator
operator.pprof.blockProfileRateint0Enable goroutine blocking profiling for cilium-operator and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
operator.pprof.enabledboolfalseEnable pprof for cilium-operator
operator.pprof.mutexProfileFractionint0Enable mutex contention profiling for cilium-operator and set the fraction of sampled events (set to 1 to sample all events)
operator.pprof.portint6061Configure pprof listen port for cilium-operator
operator.priorityClassNamestring""The priority class to use for cilium-operator
operator.prometheusobject{"enabled":true,"metricsService":false,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":null,"scrapeTimeout":null},"tls":{"enabled":false,"server":{"existingSecret":"","mtls":{"enabled":false}}}}Enable prometheus metrics for cilium-operator on the configured port at /metrics
operator.prometheus.serviceMonitor.annotationsobject{}Annotations to add to ServiceMonitor cilium-operator
operator.prometheus.serviceMonitor.enabledboolfalseEnable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
operator.prometheus.serviceMonitor.intervalstring"10s"Interval for scrape metrics.
operator.prometheus.serviceMonitor.jobLabelstring""jobLabel to add for ServiceMonitor cilium-operator
operator.prometheus.serviceMonitor.labelsobject{}Labels to add to ServiceMonitor cilium-operator
operator.prometheus.serviceMonitor.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor cilium-operator
operator.prometheus.serviceMonitor.relabelingsstringnilRelabeling configs for the ServiceMonitor cilium-operator
operator.prometheus.serviceMonitor.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
operator.prometheus.tlsobject{"enabled":false,"server":{"existingSecret":"","mtls":{"enabled":false}}}TLS configuration for Prometheus
operator.prometheus.tls.server.existingSecretstring""Name of the Secret containing the certificate, key and CA files for the Prometheus server.
operator.removeNodeTaintsbooltrueRemove Cilium node taint from Kubernetes nodes that have a healthy Cilium pod running.
operator.replicasint2Number of replicas to run for the cilium-operator deployment
operator.resourcesobject{}cilium-operator resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
operator.rollOutPodsboolfalseRoll out cilium-operator pods automatically when configmap is updated.
operator.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}Security context to be added to cilium-operator pods
operator.setNodeNetworkStatusbooltrueSet Node condition NetworkUnavailable to 'false' with the reason 'CiliumIsUp' for nodes that have a healthy Cilium pod.
operator.setNodeTaintsstringsame as removeNodeTaintsTaint nodes where Cilium is scheduled but not running. This prevents pods from being scheduled to nodes where Cilium is not the default CNI provider.
operator.skipCRDCreationboolfalseSkip CRDs creation for cilium-operator
operator.tolerationslist[{"key":"node-role.kubernetes.io/control-plane","operator":"Exists"},{"key":"node-role.kubernetes.io/master","operator":"Exists"},{"key":"node.kubernetes.io/not-ready","operator":"Exists"},{"key":"node.cloudprovider.kubernetes.io/uninitialized","operator":"Exists"}]Node tolerations for cilium-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ Toleration for agentNotReadyTaintKey taint is always added to cilium-operator pods. @schema type: [null, array] @schema
operator.topologySpreadConstraintslist[]Pod topology spread constraints for cilium-operator
operator.unmanagedPodWatcher.intervalSecondsint15Interval, in seconds, to check if there are any pods that are not managed by Cilium.
operator.unmanagedPodWatcher.restartbooltrueRestart any pod that are not managed by Cilium.
operator.unmanagedPodWatcher.selectorstringnilSelector for pods that should be restarted when not managed by Cilium. If not set, defaults to built-in selector "k8s-app=kube-dns". Set to empty string to select all pods. @schema type: [null, string] @schema
operator.updateStrategyobject{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"50%"},"type":"RollingUpdate"}cilium-operator update strategy
pmtuDiscovery.enabledboolfalseEnable path MTU discovery to send ICMP fragmentation-needed replies to the client.
pmtuDiscovery.packetizationLayerPMTUDModestring"blackhole"Enable kernel probing path MTU discovery for Pods which uses different message sizes to search for correct MTU value. Valid values are: always, blackhole, disabled and unset (or empty). If value is 'unset' or left empty then will not try to override setting.
podAnnotationsobject{}Annotations to be added to agent pods
podLabelsobject{}Labels to be added to agent pods
podSecurityContextobject{"appArmorProfile":{"type":"Unconfined"},"seccompProfile":{"type":"Unconfined"}}Security Context for cilium-agent pods.
podSecurityContext.appArmorProfileobject{"type":"Unconfined"}AppArmorProfile options for the cilium-agent and init containers
policyCIDRMatchModestringnilpolicyCIDRMatchMode is a list of entities that may be selected by CIDR selector. The possible value is "nodes".
policyDenyResponsestring"none"Configure what the response should be to pod egress traffic denied by network policy. Possible values: - none (default) - icmp
policyEnforcementModestring"default"The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes
pprof.addressstring"localhost"Configure pprof listen address for cilium-agent
pprof.blockProfileRateint0Enable goroutine blocking profiling for cilium-agent and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
pprof.enabledboolfalseEnable pprof for cilium-agent
pprof.mutexProfileFractionint0Enable mutex contention profiling for cilium-agent and set the fraction of sampled events (set to 1 to sample all events)
pprof.portint6060Configure pprof listen port for cilium-agent
preflight.affinityobject{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}Affinity for cilium-preflight
preflight.annotationsobject{}Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight)
preflight.enabledboolfalseEnable Cilium pre-flight resources (required for upgrade)
preflight.envoy.imageobject{"digest":"sha256:326f872e19ce8aa45170efbf583b3f301586ba3feead14b864676d4baf3b45ed","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.36.8-1781157951-a7f42a3390781539911b5b9107881b35ecc4e752","useDigest":true}Envoy pre-flight image.
preflight.extraEnvlist[]Additional preflight environment variables.
preflight.extraVolumeMountslist[]Additional preflight volumeMounts.
preflight.extraVolumeslist[]Additional preflight volumes.
preflight.imageobject{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.19.5","useDigest":false}Cilium pre-flight image.
preflight.nodeSelectorobject{"kubernetes.io/os":"linux"}Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
preflight.podAnnotationsobject{}Annotations to be added to preflight pods
preflight.podDisruptionBudget.enabledboolfalseenable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
preflight.podDisruptionBudget.maxUnavailableint1Maximum number/percentage of pods that may be made unavailable
preflight.podDisruptionBudget.minAvailablestringnilMinimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by maxUnavailable: null
preflight.podDisruptionBudget.unhealthyPodEvictionPolicystringnilHow are unhealthy, but running, pods counted for eviction
preflight.podLabelsobject{}Labels to be added to the preflight pod.
preflight.podSecurityContextobject{}Security context to be added to preflight pods.
preflight.priorityClassNamestring""The priority class to use for the preflight pod.
preflight.readinessProbe.initialDelaySecondsint5For how long kubelet should wait before performing the first probe
preflight.readinessProbe.periodSecondsint5interval between checks of the readiness probe
preflight.resourcesobject{}preflight resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
preflight.securityContextobject{"allowPrivilegeEscalation":false}Security context to be added to preflight pods
preflight.terminationGracePeriodSecondsint1Configure termination grace period for preflight Deployment and DaemonSet.
preflight.tofqdnsPreCachestring""Path to write the --tofqdns-pre-cache file to.
preflight.tolerationslist[{"operator":"Exists"}]Node tolerations for preflight scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
preflight.updateStrategyobject{"type":"RollingUpdate"}preflight update strategy
preflight.validateCNPsbooltrueBy default we should always validate the installed CNPs before upgrading Cilium. This will make sure the user will have the policies deployed in the cluster with the right schema.
priorityClassNamestring""The priority class to use for cilium-agent.
prometheusobject{"controllerGroupMetrics":["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"],"enabled":false,"metrics":null,"metricsService":false,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"scrapeTimeout":null,"trustCRDsExist":false}}Configure prometheus metrics on the configured port at /metrics
prometheus.controllerGroupMetricslist["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"]- Enable controller group metrics for monitoring specific Cilium subsystems. The list is a list of controller group names. The special values of "all" and "none" are supported. The set of controller group names is not guaranteed to be stable between Cilium versions.
prometheus.metricsstringnilMetrics that should be enabled or disabled from the default metric list. The list is expected to be separated by a space. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar). ref: https://docs.cilium.io/en/stable/observability/metrics/
prometheus.serviceMonitor.annotationsobject{}Annotations to add to ServiceMonitor cilium-agent
prometheus.serviceMonitor.enabledboolfalseEnable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
prometheus.serviceMonitor.intervalstring"10s"Interval for scrape metrics.
prometheus.serviceMonitor.jobLabelstring""jobLabel to add for ServiceMonitor cilium-agent
prometheus.serviceMonitor.labelsobject{}Labels to add to ServiceMonitor cilium-agent
prometheus.serviceMonitor.metricRelabelingsstringnilMetrics relabeling configs for the ServiceMonitor cilium-agent
prometheus.serviceMonitor.relabelingslist[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]Relabeling configs for the ServiceMonitor cilium-agent
prometheus.serviceMonitor.scrapeTimeoutstringnilTimeout after which scrape is considered to be failed.
prometheus.serviceMonitor.trustCRDsExistboolfalseSet to true and helm will not check for monitoring.coreos.com/v1 CRDs before deploying
rbac.createbooltrueEnable creation of Resource-Based Access Control configuration.
readinessProbe.failureThresholdint3failure threshold of readiness probe
readinessProbe.periodSecondsint30interval between checks of the readiness probe
resourceQuotasobject{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}Enable resource quotas for priority classes used in the cluster.
resourcesobject{}Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
rollOutCiliumPodsboolfalseRoll out cilium agent pods automatically when configmap is updated.
routingModestring"tunnel"Enable native-routing mode or tunneling mode. Possible values: - "" - native - tunnel
schedulingobject{"mode":"anti-affinity"}Scheduling configurations for cilium pods
scheduling.modestringDefaults to apply a pod anti-affinity rule to the agent pod - anti-affinityMode specifies how Cilium daemonset pods should be scheduled to Nodes. anti-affinity mode applies a pod anti-affinity rule to the cilium daemonset. Pod anti-affinity may significantly impact scheduling throughput for large clusters. See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity kube-scheduler mode forgoes the anti-affinity rule for full scheduling throughput. Kube-scheduler avoids host port conflict when scheduling pods.
sctpobject{"enabled":false}SCTP Configuration Values
sctp.enabledboolfalseEnable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming.
secretsNamespaceAnnotationsobject{}Annotations to be added to all cilium-secret namespaces (resources under templates/cilium-secrets-namespace)
secretsNamespaceLabelsobject{}Labels to be added to all cilium-secret namespaces (resources under templates/cilium-secrets-namespace)
securityContext.allowPrivilegeEscalationboolfalsedisable privilege escalation
securityContext.capabilities.applySysctlOverwriteslist["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]capabilities for the apply-sysctl-overwrites init container
securityContext.capabilities.ciliumAgentlist["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID","SYSLOG"]Capabilities for the cilium-agent container
securityContext.capabilities.cleanCiliumStatelist["NET_ADMIN","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE"]Capabilities for the clean-cilium-state init container
securityContext.capabilities.mountCgrouplist["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]Capabilities for the mount-cgroup init container
securityContext.privilegedboolfalseRun the pod with elevated privileges
securityContext.seLinuxOptionsobject{"level":"s0","type":"spc_t"}SELinux options for the cilium-agent and init containers
serviceAccountsobjectComponent's fully qualified name.Define serviceAccount names for components.
serviceAccounts.clustermeshcertgenobject{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob
serviceAccounts.corednsMCSAPIobject{"annotations":{},"automount":true,"create":true,"name":"cilium-coredns-mcsapi-autoconfig"}CorednsMCSAPI is used if clustermesh.mcsapi.corednsAutoConfigure.enabled=true
serviceAccounts.hubblecertgenobject{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}Hubblecertgen is used if hubble.tls.auto.method=cronJob
serviceAccounts.nodeinit.enabledboolfalseEnabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured, if enabled is set to true. Otherwise, they are ignored. Enabled can be removed once the issue is fixed. Cilium-nodeinit DS must also be fixed.
serviceAccounts.ztunnelobject{"annotations":{},"automount":false,"create":true,"name":"ztunnel-cilium"}Ztunnel is used if encryption.type=ztunnel
serviceNoBackendResponsestring"reject"Configure what the response should be to traffic for a service without backends. Possible values: - reject (default) - drop
sleepAfterInitboolfalseDo not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node.
socketLBobject{"enabled":false}Configure socket LB
socketLB.enabledboolfalseEnable socket LB
standaloneDnsProxyobject{"annotations":{},"automountServiceAccountToken":false,"debug":false,"enabled":false,"image":{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"","tag":"","useDigest":false},"nodeSelector":{"kubernetes.io/os":"linux"},"rollOutPods":false,"serverPort":10095,"tolerations":[],"updateStrategy":{"rollingUpdate":{"maxSurge":2,"maxUnavailable":0},"type":"RollingUpdate"}}Standalone DNS Proxy Configuration Note: The standalone DNS proxy uses the agent's dnsProxy.* configuration for DNS settings (proxyPort, enableDnsCompression) to ensure consistency.
standaloneDnsProxy.annotationsobject{}Standalone DNS proxy annotations
standaloneDnsProxy.automountServiceAccountTokenboolfalseStandalone DNS proxy auto mount service account token
standaloneDnsProxy.debugboolfalseStandalone DNS proxy debug mode
standaloneDnsProxy.enabledboolfalseEnable standalone DNS proxy (alpha feature)
standaloneDnsProxy.imageobject{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"","tag":"","useDigest":false}Standalone DNS proxy image
standaloneDnsProxy.nodeSelectorobject{"kubernetes.io/os":"linux"}Standalone DNS proxy Node Selector
standaloneDnsProxy.rollOutPodsboolfalseRoll out Standalone DNS proxy automatically when configmap is updated.
standaloneDnsProxy.serverPortint10095Standalone DNS proxy server port
standaloneDnsProxy.tolerationslist[]Standalone DNS proxy tolerations
standaloneDnsProxy.updateStrategyobject{"rollingUpdate":{"maxSurge":2,"maxUnavailable":0},"type":"RollingUpdate"}Standalone DNS proxy update strategy
startupProbe.failureThresholdint300failure threshold of startup probe. Allow Cilium to take up to 600s to start up (300 attempts with 2s between attempts).
startupProbe.periodSecondsint2interval between checks of the startup probe
synchronizeK8sNodesbooltrueSynchronize Kubernetes nodes to kvstore and perform CNP GC.
sysctlfixobject{"enabled":true}Configure sysctl override described in #20072.
sysctlfix.enabledbooltrueEnable the sysctl override. When enabled, the init container will mount the /proc of the host so that the sysctlfix utility can execute.
terminationGracePeriodSecondsint1Configure termination grace period for cilium-agent DaemonSet.
tlsobject{"ca":{"cert":"","certValidityDuration":1095,"key":""},"caBundle":{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false},"readSecretsOnlyFromSecretsNamespace":null,"secretSync":{"enabled":null},"secretsBackend":null,"secretsNamespace":{"create":true,"name":"cilium-secrets"}}Configure TLS configuration in the agent.
tls.caobject{"cert":"","certValidityDuration":1095,"key":""}Base64 encoded PEM values for the CA certificate and private key. This can be used as common CA to generate certificates used by hubble and clustermesh components. It is neither required nor used when cert-manager is used to generate the certificates.
tls.ca.certstring""Optional CA cert. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated.
tls.ca.certValidityDurationint1095Generated certificates validity duration in days. This will be used for auto generated CA.
tls.ca.keystring""Optional CA private key. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated.
tls.caBundleobject{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false}Configure the CA trust bundle used for the validation of the certificates leveraged by hubble and clustermesh. When enabled, it overrides the content of the 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time.
tls.caBundle.enabledboolfalseEnable the use of the CA trust bundle.
tls.caBundle.keystring"ca.crt"Entry of the ConfigMap containing the CA trust bundle.
tls.caBundle.namestring"cilium-root-ca.crt"Name of the ConfigMap containing the CA trust bundle.
tls.caBundle.useSecretboolfalseUse a Secret instead of a ConfigMap.
tls.readSecretsOnlyFromSecretsNamespacestringnilConfigure if the Cilium Agent will only look in tls.secretsNamespace for CiliumNetworkPolicy relevant Secrets. If false, the Cilium Agent will be granted READ (GET/LIST/WATCH) access to all secrets in the entire cluster. This is not recommended and is included for backwards compatibility. This value obsoletes tls.secretsBackend, with true == local in the old setting, and false == k8s.
tls.secretSyncobject{"enabled":null}Configures settings for synchronization of TLS Interception Secrets
tls.secretSync.enabledstringnilEnable synchronization of Secrets for TLS Interception. If disabled and tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.
tls.secretsBackendstringnilThis configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). This value is DEPRECATED and will be removed in a future version. Use tls.readSecretsOnlyFromSecretsNamespace instead. Possible values: - local - k8s
tls.secretsNamespaceobject{"create":true,"name":"cilium-secrets"}Configures where secrets used in CiliumNetworkPolicies will be looked for
tls.secretsNamespace.createbooltrueCreate secrets namespace for TLS Interception secrets.
tls.secretsNamespace.namestring"cilium-secrets"Name of TLS Interception secret namespace.
tmpVolumeobject{}Configure temporary volume for cilium-agent
tolerationslist[{"operator":"Exists"}]Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
tunnelPortintPort 8472 for VXLAN, Port 6081 for GeneveConfigure VXLAN and Geneve tunnel port.
tunnelProtocolstring"vxlan"Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values: - "" - vxlan - geneve
tunnelSourcePortRangestring0-0 to let the kernel driver decide the rangeConfigure VXLAN and Geneve tunnel source port range hint.
underlayProtocolstring"ipv4"IP family for the underlay. Possible values: - "ipv4" - "ipv6"
updateStrategyobject{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}Cilium agent update strategy
upgradeCompatibilitystringnilupgradeCompatibility helps users upgrading to ensure that the configMap for Cilium will not change critical values to ensure continued operation This flag is not required for new installations. For example: '1.7', '1.8', '1.9'
vtep.cidrstring""A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
vtep.enabledboolfalseEnables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.
vtep.endpointstring""A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
vtep.macstring""A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y"
vtep.maskstring""VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0"
waitForKubeProxyboolfalseWait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" init container before launching cilium-agent. More context can be found in the commit message of below PR https://github.com/cilium/cilium/pull/20123
wellKnownIdentities.enabledboolfalseEnable the use of well-known identities.