github.com/cilium/cilium@v1.16.2/Documentation/cmdref/cilium-agent_hive.md

<!-- This file was autogenerated via cilium-agent --cmdref, do not edit manually-->

## cilium-agent hive

Inspect the hive

```
cilium-agent hive [flags]
```

### Options

```
      --agent-liveness-update-interval duration   Interval at which the agent updates liveness time for the datapath (default 1s)
      --api-rate-limit string   API rate limiting configuration (example: --api-rate-limit endpoint-create=rate-limit:10/m,rate-burst:2)
      --bpf-node-map-max uint32   Sets size of node bpf map which will be the max number of unique Node IPs in the cluster (default 16384)
      --certificates-directory string   Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs")
      --cluster-id uint32   Unique identifier of the cluster
      --cluster-name string   Name of the cluster. It must consist of at most 32 lower case alphanumeric characters and '-', start and end with an alphanumeric character. (default "default")
      --clustermesh-config string   Path to the ClusterMesh configuration directory
      --clustermesh-sync-timeout duration   Timeout waiting for the initial synchronization of information from remote clusters (default 1m0s)
      --cni-chaining-mode string   Enable CNI chaining with the specified plugin (default "none")
      --cni-chaining-target string   CNI network name into which to insert the Cilium chained configuration. Use '*' to select any network.
      --cni-exclusive   Whether to remove other CNI configurations
      --cni-external-routing   Whether the chained CNI plugin handles routing on the node
      --cni-log-file string   Path where the CNI plugin should write logs (default "/var/run/cilium/cilium-cni.log")
      --controller-group-metrics strings   List of controller group names for which to to enable metrics. Accepts 'all' and 'none'. The set of controller group names available is not guaranteed to be stable between Cilium versions.
      --devices strings   List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'
      --disable-envoy-version-check   Do not perform Envoy version check
      --disable-iptables-feeder-rules strings   Chains to ignore when installing feeder rules.
      --egress-gateway-policy-map-max int   Maximum number of entries in egress gateway policy map (default 16384)
      --egress-gateway-reconciliation-trigger-interval duration   Time between triggers of egress gateway state reconciliations (default 1s)
      --enable-active-connection-tracking   Count open and active connections to services, grouped by zones defined in fixed-zone-mapping.
      --enable-bandwidth-manager   Enable BPF bandwidth manager
      --enable-bbr   Enable BBR for the bandwidth manager
      --enable-cilium-api-server-access strings   List of cilium API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-cilium-health-api-server-access strings   List of cilium health API APIs which are administratively enabled. Supports '*'. (default [*])
      --enable-gateway-api   Enables Envoy secret sync for Gateway API related TLS secrets
      --enable-ingress-controller   Enables Envoy secret sync for Ingress controller related TLS secrets
      --enable-ipv4-big-tcp   Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
      --enable-ipv6-big-tcp   Enable IPv6 BIG TCP option which increases device's maximum GRO/GSO limits for IPv6
      --enable-k8s   Enable the k8s clientset (default true)
      --enable-k8s-api-discovery   Enable discovery of Kubernetes API groups and resources with the discovery API
      --enable-k8s-endpoint-slice   Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
      --enable-l2-pod-announcements   Enable announcing Pod IPs with Gratuitous ARP
      --enable-monitor   Enable the monitor unix domain socket server (default true)
      --enable-route-mtu-for-cni-chaining   Enable route MTU for pod netns when CNI chaining is used
      --enable-service-topology   Enable support for service topology aware hints
      --endpoint-bpf-prog-watchdog-interval duration   Interval to trigger endpoint BPF programs load check watchdog (default 30s)
      --envoy-base-id uint   Envoy base ID
      --envoy-config-retry-interval duration   Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated. (default 15s)
      --envoy-config-timeout duration   Timeout that determines how long to wait for Envoy to N/ACK CiliumEnvoyConfig resources (default 2m0s)
      --envoy-keep-cap-netbindservice   Keep capability NET_BIND_SERVICE for Envoy process
      --envoy-log string   Path to a separate Envoy log file, if any
      --envoy-secrets-namespace string   EnvoySecretsNamespace is the namespace having secrets used by CEC
      --force-device-detection   Forces the auto-detection of devices, even if specific devices are explicitly listed
      --gateway-api-secrets-namespace string   GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC, originating from Gateway API
      --gops-port uint16   Port for gops server to listen on (default 9890)
  -h, --help   help for hive
      --http-idle-timeout uint   Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)
      --http-max-grpc-timeout uint   Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)
      --http-normalize-path   Use Envoy HTTP path normalization options, which currently includes RFC 3986 path normalization, Envoy merge slashes option, and unescaping and redirecting for paths that contain escaped slashes. These are necessary to keep path based access control functional, and should not interfere with normal operation. Set this to false only with caution. (default true)
      --http-request-timeout uint   Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)
      --http-retry-count uint   Number of retries performed after a forwarded request attempt fails (default 3)
      --http-retry-timeout uint   Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)
      --ingress-secrets-namespace string   IngressSecretsNamespace is the namespace having tls secrets used by CEC, originating from Ingress controller
      --iptables-lock-timeout duration   Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
      --iptables-random-fully   Set iptables flag random-fully on masquerading rules
      --k8s-api-server string   Kubernetes API server URL
      --k8s-client-burst int   Burst value allowed for the K8s client
      --k8s-client-connection-keep-alive duration   Configures the keep alive duration of K8s client connections. K8 client is disabled if the value is set to 0 (default 30s)
      --k8s-client-connection-timeout duration   Configures the timeout of K8s client connections. K8s client is disabled if the value is set to 0 (default 30s)
      --k8s-client-qps float32   Queries per second limit for the K8s client
      --k8s-heartbeat-timeout duration   Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string   Absolute path of the kubernetes kubeconfig file
      --k8s-service-proxy-name string   Value of K8s service-proxy-name label for which Cilium handles the services (empty = all services without service.kubernetes.io/service-proxy-name label)
      --l2-pod-announcements-interface string   Interface used for sending gratuitous arp messages
      --max-connected-clusters uint32   Maximum number of clusters to be connected in a clustermesh. Increasing this value will reduce the maximum number of identities available. Valid configurations are [255, 511]. (default 255)
      --mesh-auth-enabled   Enable authentication processing & garbage collection (beta) (default true)
      --mesh-auth-gc-interval duration   Interval in which auth entries are attempted to be garbage collected (default 5m0s)
      --mesh-auth-mutual-connect-timeout duration   Timeout for connecting to the remote node TCP socket (default 5s)
      --mesh-auth-mutual-listener-port int   Port on which the Cilium Agent will perform mutual authentication handshakes between other Agents
      --mesh-auth-queue-size int   Queue size for the auth manager (default 1024)
      --mesh-auth-rotated-identities-queue-size int   The size of the queue for signaling rotated identities. (default 1024)
      --mesh-auth-spiffe-trust-domain string   The trust domain for the SPIFFE identity. (default "spiffe.cilium")
      --mesh-auth-spire-admin-socket string   The path for the SPIRE admin agent Unix socket.
      --metrics strings   Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo, -metric_bar to disable metric_bar)
      --monitor-queue-size int   Size of the event queue when reading monitor events
      --multicast-enabled   Enables multicast in Cilium
      --nat-map-stats-entries int   Number k top stats entries to store locally in statedb (default 32)
      --nat-map-stats-interval duration   Interval upon which nat maps are iterated for stats (default 30s)
      --nodeport-addresses strings   A whitelist of CIDRs to limit which IPs are used for NodePort. If not set, primary IPv4 and/or IPv6 address of each native device is used.
      --pprof   Enable serving pprof debugging API
      --pprof-address string   Address that pprof listens on (default "localhost")
      --pprof-port uint16   Port that pprof listens on (default 6060)
      --prepend-iptables-chains   Prepend custom iptables chains instead of appending (default true)
      --procfs string   Path to the host's proc filesystem mount (default "/proc")
      --prometheus-serve-addr string   IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
      --proxy-admin-port int   Port to serve Envoy admin interface on.
      --proxy-connect-timeout uint   Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 2)
      --proxy-gid uint   Group ID for proxy control plane sockets. (default 1337)
      --proxy-idle-timeout-seconds int   Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s (default 60)
      --proxy-max-connection-duration-seconds int   Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
      --proxy-max-requests-per-connection int   Set Envoy HTTP option max_requests_per_connection. Default 0 (disable)
      --proxy-portrange-max uint16   End of port range that is used to allocate ports for L7 proxies. (default 20000)
      --proxy-portrange-min uint16   Start of port range that is used to allocate ports for L7 proxies. (default 10000)
      --proxy-prometheus-port int   Port to serve Envoy metrics on. Default 0 (disabled).
      --proxy-xff-num-trusted-hops-egress uint32   Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
      --proxy-xff-num-trusted-hops-ingress uint32   Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
      --read-cni-conf string   CNI configuration file to use as a source for --write-cni-conf-when-ready. If not supplied, a suitable one will be generated.
      --static-cnp-path string   Directory path to watch and load static cilium network policy yaml files.
      --tunnel-port uint16   Tunnel port (default 8472 for "vxlan" and 6081 for "geneve")
      --tunnel-protocol string   Encapsulation protocol to use for the overlay ("vxlan" or "geneve") (default "vxlan")
      --use-full-tls-context   If enabled, persist ca.crt keys into the Envoy config even in a terminatingTLS block on an L7 Cilium Policy. This is to enable compatibility with previously buggy behaviour. This flag is deprecated and will be removed in a future release.
      --write-cni-conf-when-ready string   Write the CNI configuration to the specified path when agent is ready
```

### SEE ALSO

* [cilium-agent](cilium-agent.md) - Run the cilium agent
* [cilium-agent hive dot-graph](cilium-agent_hive_dot-graph.md) - Output the dependencies graph in graphviz dot format