github.com/cilium/cilium@v1.16.2/Documentation/helm-values.rst

.. AUTO-GENERATED. Please DO NOT edit manually.

.. role:: raw-html-m2r(raw)
   :format: html


.. list-table::
   :header-rows: 1

   * - :spelling:ignore:`Key`
     - Description
     - Type
     - Default
   * - :spelling:ignore:`MTU`
     - Configure the underlying network MTU to overwrite the auto-detected MTU. This value doesn't change the host network interface MTU, i.e. eth0 or ens0. It changes the MTU for the cilium_net@cilium_host, cilium_host@cilium_net, cilium_vxlan and lxc_health interfaces.
     - int
     - ``0``
   * - :spelling:ignore:`affinity`
     - Affinity for cilium-agent.
     - object
     - ``{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}``
   * - :spelling:ignore:`agent`
     - Install the cilium agent resources.
     - bool
     - ``true``
   * - :spelling:ignore:`agentNotReadyTaintKey`
     - Configure the key of the taint indicating that Cilium is not ready on the node. When set to a value starting with ``ignore-taint.cluster-autoscaler.kubernetes.io/``, the Cluster Autoscaler will ignore the taint in its decisions, allowing the cluster to scale up.
     - string
     - ``"node.cilium.io/agent-not-ready"``
   * - :spelling:ignore:`aksbyocni.enabled`
     - Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (``azure.enabled``) instead.
     - bool
     - ``false``
   * - :spelling:ignore:`alibabacloud.enabled`
     - Enable AlibabaCloud ENI integration.
     - bool
     - ``false``
   * - :spelling:ignore:`annotateK8sNode`
     - Annotate the k8s node upon initialization with Cilium's metadata.
     - bool
     - ``false``
   * - :spelling:ignore:`annotations`
     - Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent).
     - object
     - ``{}``
   * - :spelling:ignore:`apiRateLimit`
     - The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API.
     - string
     - ``nil``
   * - :spelling:ignore:`authentication.enabled`
     - Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication, but the resulting authentication requests for these requests will not be processed; therefore the requests will not be allowed.
     - bool
     - ``true``
   * - :spelling:ignore:`authentication.gcInterval`
     - Interval for garbage collection of auth map entries.
     - string
     - ``"5m0s"``
   * - :spelling:ignore:`authentication.mutual.connectTimeout`
     - Timeout for connecting to the remote node TCP socket.
     - string
     - ``"5s"``
   * - :spelling:ignore:`authentication.mutual.port`
     - Port on the agent where mutual authentication handshakes between agents will be performed.
     - int
     - ``4250``
   * - :spelling:ignore:`authentication.mutual.spire.adminSocketPath`
     - SPIRE socket path where the SPIRE delegated API agent is listening.
     - string
     - ``"/run/spire/sockets/admin.sock"``
   * - :spelling:ignore:`authentication.mutual.spire.agentSocketPath`
     - SPIRE socket path where the SPIRE workload agent is listening.
       Applies to both the Cilium Agent and Operator.
     - string
     - ``"/run/spire/sockets/agent/agent.sock"``
   * - :spelling:ignore:`authentication.mutual.spire.annotations`
     - Annotations to be added to all top-level spire objects (resources under templates/spire).
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.connectionTimeout`
     - SPIRE connection timeout.
     - string
     - ``"30s"``
   * - :spelling:ignore:`authentication.mutual.spire.enabled`
     - Enable SPIRE integration (beta).
     - bool
     - ``false``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.affinity`
     - SPIRE agent affinity configuration.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.annotations`
     - SPIRE agent annotations.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.image`
     - SPIRE agent image.
     - object
     - ``{"digest":"sha256:5106ac601272a88684db14daf7f54b9a45f31f77bb16a906bd5e87756ee7b97c","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6","useDigest":true}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.labels`
     - SPIRE agent labels.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.nodeSelector`
     - SPIRE agent nodeSelector configuration.
       ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.podSecurityContext`
     - Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings.
       ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.securityContext`
     - Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings.
       ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.serviceAccount`
     - SPIRE agent service account.
     - object
     - ``{"create":true,"name":"spire-agent"}``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.skipKubeletVerification`
     - SPIRE Workload Attestor kubelet verification.
     - bool
     - ``true``
   * - :spelling:ignore:`authentication.mutual.spire.install.agent.tolerations`
     - SPIRE agent tolerations configuration. By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE.
       ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]``
   * - :spelling:ignore:`authentication.mutual.spire.install.enabled`
     - Enable SPIRE installation. This will only take effect if authentication.mutual.spire.enabled is true.
     - bool
     - ``true``
   * - :spelling:ignore:`authentication.mutual.spire.install.existingNamespace`
     - SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace.
     - bool
     - ``false``
   * - :spelling:ignore:`authentication.mutual.spire.install.initImage`
     - Init container image of SPIRE agent and server.
     - object
     - ``{"digest":"sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}``
   * - :spelling:ignore:`authentication.mutual.spire.install.namespace`
     - SPIRE namespace to install into.
     - string
     - ``"cilium-spire"``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.affinity`
     - SPIRE server affinity configuration.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.annotations`
     - SPIRE server annotations.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.ca.keyType`
     - SPIRE CA key type. AWS requires the use of RSA; EC cryptography is not supported.
     - string
     - ``"rsa-4096"``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.ca.subject`
     - SPIRE CA Subject.
     - object
     - ``{"commonName":"Cilium SPIRE CA","country":"US","organization":"SPIRE"}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.dataStorage.accessMode`
     - Access mode of the SPIRE server data storage.
     - string
     - ``"ReadWriteOnce"``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.dataStorage.enabled`
     - Enable SPIRE server data storage.
     - bool
     - ``true``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.dataStorage.size`
     - Size of the SPIRE server data storage.
     - string
     - ``"1Gi"``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.dataStorage.storageClass`
     - StorageClass of the SPIRE server data storage.
     - string
     - ``nil``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.image`
     - SPIRE server image.
     - object
     - ``{"digest":"sha256:59a0b92b39773515e25e68a46c40d3b931b9c1860bc445a79ceb45a805cab8b4","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6","useDigest":true}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.initContainers`
     - SPIRE server init containers.
     - list
     - ``[]``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.labels`
     - SPIRE server labels.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.nodeSelector`
     - SPIRE server nodeSelector configuration.
       ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.podSecurityContext`
     - Security context to be added to spire server pods. SecurityContext holds pod-level security attributes and common container settings.
       ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.securityContext`
     - Security context to be added to spire server containers. SecurityContext holds pod-level security attributes and common container settings.
       ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.service.annotations`
     - Annotations to be added to the SPIRE server service.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.service.labels`
     - Labels to be added to the SPIRE server service.
     - object
     - ``{}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.service.type`
     - Service type for the SPIRE server service.
     - string
     - ``"ClusterIP"``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.serviceAccount`
     - SPIRE server service account.
     - object
     - ``{"create":true,"name":"spire-server"}``
   * - :spelling:ignore:`authentication.mutual.spire.install.server.tolerations`
     - SPIRE server tolerations configuration.
       ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[]``
   * - :spelling:ignore:`authentication.mutual.spire.serverAddress`
     - SPIRE server address used by Cilium Operator. If a k8s Service DNS name along with a port number is used (i.e. the ``<service-name>.<namespace>.svc(.*):<port-number>`` format), Cilium Operator will resolve its address by looking up the clusterIP from the Service resource. Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081
     - string
     - ``nil``
   * - :spelling:ignore:`authentication.mutual.spire.trustDomain`
     - SPIFFE trust domain to use for fetching certificates.
     - string
     - ``"spiffe.cilium"``
   * - :spelling:ignore:`authentication.queueSize`
     - Buffer size of the channel Cilium uses to receive authentication events from the signal map.
     - int
     - ``1024``
   * - :spelling:ignore:`authentication.rotatedIdentitiesQueueSize`
     - Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers.
     - int
     - ``1024``
   * - :spelling:ignore:`autoDirectNodeRoutes`
     - Enable installation of PodCIDR routes between worker nodes if worker nodes share a common L2 network segment.
     - bool
     - ``false``
   * - :spelling:ignore:`azure.enabled`
     - Enable Azure integration. Note that this is incompatible with AKS clusters created in BYOCNI mode: use AKS BYOCNI integration (``aksbyocni.enabled``) instead.
     - bool
     - ``false``
   * - :spelling:ignore:`bandwidthManager`
     - Enable bandwidth manager to optimize TCP and UDP workloads and allow for rate-limiting traffic from individual Pods with EDT (Earliest Departure Time) through the "kubernetes.io/egress-bandwidth" Pod annotation.
     - object
     - ``{"bbr":false,"enabled":false}``
   * - :spelling:ignore:`bandwidthManager.bbr`
     - Activate BBR TCP congestion control for Pods.
     - bool
     - ``false``
   * - :spelling:ignore:`bandwidthManager.enabled`
     - Enable bandwidth manager infrastructure (also a prerequisite for BBR).
     - bool
     - ``false``
   * - :spelling:ignore:`bgp`
     - Configure BGP.
     - object
     - ``{"announce":{"loadbalancerIP":false,"podCIDR":false},"enabled":false}``
   * - :spelling:ignore:`bgp.announce.loadbalancerIP`
     - Enable allocation and announcement of service LoadBalancer IPs.
     - bool
     - ``false``
   * - :spelling:ignore:`bgp.announce.podCIDR`
     - Enable announcement of the node pod CIDR.
     - bool
     - ``false``
   * - :spelling:ignore:`bgp.enabled`
     - Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside cilium-agent and cilium-operator.
     - bool
     - ``false``
   * - :spelling:ignore:`bgpControlPlane`
     - This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs.
     - object
     - ``{"enabled":false,"secretsNamespace":{"create":false,"name":"kube-system"}}``
   * - :spelling:ignore:`bgpControlPlane.enabled`
     - Enables the BGP control plane.
     - bool
     - ``false``
   * - :spelling:ignore:`bgpControlPlane.secretsNamespace`
     - SecretsNamespace is the namespace from which BGP support will retrieve secrets.
     - object
     - ``{"create":false,"name":"kube-system"}``
   * - :spelling:ignore:`bgpControlPlane.secretsNamespace.create`
     - Create the secrets namespace for BGP secrets.
     - bool
     - ``false``
   * - :spelling:ignore:`bgpControlPlane.secretsNamespace.name`
     - The name of the secret namespace to which Cilium agents are given read access.
     - string
     - ``"kube-system"``
   * - :spelling:ignore:`bpf.authMapMax`
     - Configure the maximum number of entries in the auth map.
     - int
     - ``524288``
   * - :spelling:ignore:`bpf.autoMount.enabled`
     - Enable automatic mount of the BPF filesystem. When ``autoMount`` is enabled, the BPF filesystem is mounted at the ``bpf.root`` path on the underlying host and inside the cilium agent pod. If users disable ``autoMount``, it's expected that users have mounted the bpffs filesystem at the specified ``bpf.root`` volume, and then the volume will be mounted inside the cilium agent pod at the same path.
     - bool
     - ``true``
   * - :spelling:ignore:`bpf.ctAnyMax`
     - Configure the maximum number of entries for the non-TCP connection tracking table.
     - int
     - ``262144``
   * - :spelling:ignore:`bpf.ctTcpMax`
     - Configure the maximum number of entries in the TCP connection tracking table.
     - int
     - ``524288``
   * - :spelling:ignore:`bpf.datapathMode`
     - Mode for Pod devices for the core datapath (veth, netkit, netkit-l2, lb-only).
     - string
     - ``veth``
   * - :spelling:ignore:`bpf.disableExternalIPMitigation`
     - Disable ExternalIP mitigation (CVE-2020-8554).
     - bool
     - ``false``
   * - :spelling:ignore:`bpf.enableTCX`
     - Attach endpoint programs using tcx instead of legacy tc hooks on supported kernels.
     - bool
     - ``true``
   * - :spelling:ignore:`bpf.events`
     - Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.
     - object
     - ``{"drop":{"enabled":true},"policyVerdict":{"enabled":true},"trace":{"enabled":true}}``
   * - :spelling:ignore:`bpf.events.drop.enabled`
     - Enable drop events.
     - bool
     - ``true``
   * - :spelling:ignore:`bpf.events.policyVerdict.enabled`
     - Enable policy verdict events.
     - bool
     - ``true``
   * - :spelling:ignore:`bpf.events.trace.enabled`
     - Enable trace events.
     - bool
     - ``true``
   * - :spelling:ignore:`bpf.hostLegacyRouting`
     - Configure whether direct routing mode should route traffic via the host stack (true) or directly and more efficiently out of BPF (false) if the kernel supports it. The latter has the implication that it will also bypass netfilter in the host namespace.
     - bool
     - ``false``
   * - :spelling:ignore:`bpf.lbExternalClusterIP`
     - Allow cluster-external access to ClusterIP services.
     - bool
     - ``false``
   * - :spelling:ignore:`bpf.lbMapMax`
     - Configure the maximum number of service entries in the load balancer maps.
     - int
     - ``65536``
   * - :spelling:ignore:`bpf.mapDynamicSizeRatio`
     - Configure auto-sizing for all BPF maps based on available memory.
       ref: https://docs.cilium.io/en/stable/network/ebpf/maps/
     - float64
     - ``0.0025``
   * - :spelling:ignore:`bpf.masquerade`
     - Enable native IP masquerade support in eBPF.
     - bool
     - ``false``
   * - :spelling:ignore:`bpf.monitorAggregation`
     - Configure the level of aggregation for monitor notifications. Valid options are none, low, medium, maximum.
     - string
     - ``"medium"``
   * - :spelling:ignore:`bpf.monitorFlags`
     - Configure which TCP flags trigger notifications when seen for the first time in a connection.
     - string
     - ``"all"``
   * - :spelling:ignore:`bpf.monitorInterval`
     - Configure the typical time between monitor notifications for active connections.
     - string
     - ``"5s"``
   * - :spelling:ignore:`bpf.natMax`
     - Configure the maximum number of entries for the NAT table.
     - int
     - ``524288``
   * - :spelling:ignore:`bpf.neighMax`
     - Configure the maximum number of entries for the neighbor table.
     - int
     - ``524288``
   * - :spelling:ignore:`bpf.nodeMapMax`
     - Configures the maximum number of entries for the node table.
     - int
     - ``nil``
   * - :spelling:ignore:`bpf.policyMapMax`
     - Configure the maximum number of entries in the endpoint policy map (per endpoint).
     - int
     - ``16384``
   * - :spelling:ignore:`bpf.preallocateMaps`
     - Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency.
     - bool
     - ``false``
   * - :spelling:ignore:`bpf.root`
     - Configure the mount point for the BPF filesystem.
     - string
     - ``"/sys/fs/bpf"``
   * - :spelling:ignore:`bpf.tproxy`
     - Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy.
     - bool
     - ``false``
   * - :spelling:ignore:`bpf.vlanBypass`
     - Configure explicitly allowed VLAN IDs for bpf logic bypass. [0] will allow all VLAN IDs without any filtering.
     - list
     - ``[]``
   * - :spelling:ignore:`bpfClockProbe`
     - Enable BPF clock source probing for more efficient tick retrieval.
     - bool
     - ``false``
   * - :spelling:ignore:`certgen`
     - Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually.
     - object
     - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:169d93fd8f2f9009db3b9d5ccd37c2b753d0989e1e7cd8fe79f9160c459eef4f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.2.0","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
   * - :spelling:ignore:`certgen.affinity`
     - Affinity for certgen.
     - object
     - ``{}``
   * - :spelling:ignore:`certgen.annotations`
     - Annotations to be added to the hubble-certgen initial Job and CronJob.
     - object
     - ``{"cronJob":{},"job":{}}``
   * - :spelling:ignore:`certgen.extraVolumeMounts`
     - Additional certgen volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`certgen.extraVolumes`
     - Additional certgen volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`certgen.podLabels`
     - Labels to be added to hubble-certgen pods.
     - object
     - ``{}``
   * - :spelling:ignore:`certgen.tolerations`
     - Node tolerations for pod assignment on nodes with taints.
       ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[]``
   * - :spelling:ignore:`certgen.ttlSecondsAfterFinished`
     - Seconds after which the completed job pod will be deleted.
     - int
     - ``1800``
   * - :spelling:ignore:`cgroup`
     - Configure cgroup related configuration.
     - object
     - ``{"autoMount":{"enabled":true,"resources":{}},"hostRoot":"/run/cilium/cgroupv2"}``
   * - :spelling:ignore:`cgroup.autoMount.enabled`
     - Enable auto mount of the cgroup2 filesystem. When ``autoMount`` is enabled, the cgroup2 filesystem is mounted at the ``cgroup.hostRoot`` path on the underlying host and inside the cilium agent pod. If users disable ``autoMount``, it's expected that users have mounted the cgroup2 filesystem at the specified ``cgroup.hostRoot`` volume, and then the volume will be mounted inside the cilium agent pod at the same path.
     - bool
     - ``true``
   * - :spelling:ignore:`cgroup.autoMount.resources`
     - Init Container Cgroup Automount resource limits & requests.
     - object
     - ``{}``
   * - :spelling:ignore:`cgroup.hostRoot`
     - Configure the cgroup root where the cgroup2 filesystem is mounted on the host (see also: ``cgroup.autoMount``).
     - string
     - ``"/run/cilium/cgroupv2"``
   * - :spelling:ignore:`ciliumEndpointSlice.enabled`
     - Enable the Cilium EndpointSlice feature.
     - bool
     - ``false``
   * - :spelling:ignore:`ciliumEndpointSlice.rateLimits`
     - List of rate limit options to be used for the CiliumEndpointSlice controller. Each object in the list must have the following fields:

       * nodes: Count of nodes at which to apply the rate limit.
       * limit: The sustained request rate in requests per second. The maximum rate that can be configured is 50.
       * burst: The burst request rate in requests per second. The maximum burst that can be configured is 100.
     - list
     - ``[{"burst":20,"limit":10,"nodes":0},{"burst":15,"limit":7,"nodes":100},{"burst":10,"limit":5,"nodes":500}]``
   * - :spelling:ignore:`cleanBpfState`
     - Clean all eBPF datapath state from the initContainer of the cilium-agent DaemonSet. WARNING: Use with care!
     - bool
     - ``false``
   * - :spelling:ignore:`cleanState`
     - Clean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true. WARNING: Use with care!
     - bool
     - ``false``
   * - :spelling:ignore:`cluster.id`
     - Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh; may be 0 if Cluster Mesh is not used.
     - int
     - ``0``
   * - :spelling:ignore:`cluster.name`
     - Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. It must respect the following constraints:

       * It must contain at most 32 characters;
       * It must begin and end with a lower case alphanumeric character;
       * It may contain lower case alphanumeric characters and dashes in between.

       The "default" name cannot be used if the Cluster ID is different from 0.
     - string
     - ``"default"``
   * - :spelling:ignore:`clustermesh.annotations`
     - Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config).
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.affinity`
     - Affinity for clustermesh.apiserver.
     - object
     - ``{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.init.extraArgs`
     - Additional arguments to ``clustermesh-apiserver etcdinit``.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.init.extraEnv`
     - Additional environment variables to ``clustermesh-apiserver etcdinit``.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.init.resources`
     - Specifies the resources for the etcd init container in the apiserver.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.lifecycle`
     - Lifecycle setting for the etcd container.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.resources`
     - Specifies the resources for the etcd container in the apiserver.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.securityContext`
     - Security context to be added to clustermesh-apiserver etcd containers.
     - object
     - ``{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}``
   * - :spelling:ignore:`clustermesh.apiserver.etcd.storageMedium`
     - Specifies whether etcd data is stored in a temporary volume backed by the node's default medium, such as disk, SSD or network storage (Disk), or RAM (Memory).
       The Memory option enables improved etcd read and write performance at the cost of additional memory usage, which counts against the memory limits of the container.
     - string
     - ``"Disk"``
   * - :spelling:ignore:`clustermesh.apiserver.extraArgs`
     - Additional clustermesh-apiserver arguments.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.extraEnv`
     - Additional clustermesh-apiserver environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.extraVolumeMounts`
     - Additional clustermesh-apiserver volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.extraVolumes`
     - Additional clustermesh-apiserver volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.healthPort`
     - TCP port for the clustermesh-apiserver health API.
     - int
     - ``9880``
   * - :spelling:ignore:`clustermesh.apiserver.image`
     - Clustermesh API server image.
     - object
     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.2","useDigest":false}``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.enabled`
     - Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance.
     - bool
     - ``true``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.extraArgs`
     - Additional KVStoreMesh arguments.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.extraEnv`
     - Additional KVStoreMesh environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.extraVolumeMounts`
     - Additional KVStoreMesh volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.healthPort`
     - TCP port for the KVStoreMesh health API.
     - int
     - ``9881``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.lifecycle`
     - Lifecycle setting for the KVStoreMesh container.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.readinessProbe`
     - Configuration for the KVStoreMesh readiness probe.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.resources`
     - Resource requests and limits for the KVStoreMesh container.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.securityContext`
     - KVStoreMesh security context.
     - object
     - ``{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}``
   * - :spelling:ignore:`clustermesh.apiserver.lifecycle`
     - Lifecycle setting for the apiserver container.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.enabled`
     - Enables exporting apiserver metrics in OpenMetrics format.
     - bool
     - ``true``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.etcd.enabled`
     - Enables exporting etcd metrics in OpenMetrics format.
     - bool
     - ``true``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.etcd.mode`
     - Set the level of detail for etcd metrics; specify 'extensive' to include server-side gRPC histogram metrics.
     - string
     - ``"basic"``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.etcd.port`
     - Configure the port the etcd metric server listens on.
     - int
     - ``9963``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.kvstoremesh.enabled`
     - Enables exporting KVStoreMesh metrics in OpenMetrics format.
     - bool
     - ``true``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.kvstoremesh.port`
     - Configure the port the KVStoreMesh metric server listens on.
     - int
     - ``9964``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.port`
     - Configure the port the apiserver metric server listens on.
     - int
     - ``9962``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.annotations`
     - Annotations to add to the ServiceMonitor clustermesh-apiserver.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.enabled`
     - Enable service monitor. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml).
     - bool
     - ``false``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.etcd.interval`
     - Interval for scraping metrics (etcd metrics).
     - string
     - ``"10s"``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.etcd.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.etcd.relabelings`
     - Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.interval`
     - Interval for scraping metrics (apiserver metrics).
     - string
     - ``"10s"``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.interval`
     - Interval for scraping metrics (KVStoreMesh metrics).
     - string
     - ``"10s"``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.relabelings`
     - Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.labels`
     - Labels to add to the ServiceMonitor clustermesh-apiserver.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.metrics.serviceMonitor.relabelings`
     - Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.nodeSelector`
     - Node labels for pod assignment.
       ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
     - object
     - ``{"kubernetes.io/os":"linux"}``
   * - :spelling:ignore:`clustermesh.apiserver.podAnnotations`
     - Annotations to be added to clustermesh-apiserver pods.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.podDisruptionBudget.enabled`
     - Enable PodDisruptionBudget.
       ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
     - bool
     - ``false``
   * - :spelling:ignore:`clustermesh.apiserver.podDisruptionBudget.maxUnavailable`
     - Maximum number/percentage of pods that may be made unavailable.
     - int
     - ``1``
   * - :spelling:ignore:`clustermesh.apiserver.podDisruptionBudget.minAvailable`
     - Minimum number/percentage of pods that should remain scheduled.
       When it's set, maxUnavailable must be disabled by ``maxUnavailable: null``.
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.podLabels`
     - Labels to be added to clustermesh-apiserver pods.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.podSecurityContext`
     - Security context to be added to clustermesh-apiserver pods.
     - object
     - ``{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}``
   * - :spelling:ignore:`clustermesh.apiserver.priorityClassName`
     - The priority class to use for clustermesh-apiserver.
     - string
     - ``""``
   * - :spelling:ignore:`clustermesh.apiserver.readinessProbe`
     - Configuration for the clustermesh-apiserver readiness probe.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.replicas`
     - Number of replicas run for the clustermesh-apiserver deployment.
     - int
     - ``1``
   * - :spelling:ignore:`clustermesh.apiserver.resources`
     - Resource requests and limits for the clustermesh-apiserver.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.securityContext`
     - Security context to be added to clustermesh-apiserver containers.
     - object
     - ``{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}``
   * - :spelling:ignore:`clustermesh.apiserver.service.annotations`
     - Annotations for the clustermesh-apiserver. For a GKE LoadBalancer, use the annotation ``cloud.google.com/load-balancer-type: "Internal"``. For an EKS LoadBalancer, use the annotation ``service.beta.kubernetes.io/aws-load-balancer-internal: "true"``.
     - object
     - ``{}``
   * - :spelling:ignore:`clustermesh.apiserver.service.enableSessionAffinity`
     - Defines when to enable session affinity. Each replica in a clustermesh-apiserver deployment runs its own discrete etcd cluster. Remote clients connect to one of the replicas through a shared Kubernetes Service.
       A client reconnecting to a different backend will require a full resync to ensure data integrity. Session affinity can reduce the likelihood of this happening, but may not be supported by all cloud providers. Possible values:

       * "HAOnly" (default): Only enable session affinity for deployments with more than 1 replica.
       * "Always": Always enable session affinity.
       * "Never": Never enable session affinity. Useful in environments where session affinity is not supported, but may lead to slightly degraded performance due to more frequent reconnections.
     - string
     - ``"HAOnly"``
   * - :spelling:ignore:`clustermesh.apiserver.service.externalTrafficPolicy`
     - The externalTrafficPolicy of the service used for apiserver access.
     - string
     - ``"Cluster"``
   * - :spelling:ignore:`clustermesh.apiserver.service.internalTrafficPolicy`
     - The internalTrafficPolicy of the service used for apiserver access.
     - string
     - ``"Cluster"``
   * - :spelling:ignore:`clustermesh.apiserver.service.loadBalancerClass`
     - Configure a loadBalancerClass. Allows configuring the loadBalancerClass on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer (requires Kubernetes 1.24+).
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.service.loadBalancerIP`
     - Configure a specific loadBalancerIP. Allows configuring a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer.
     - string
     - ``nil``
   * - :spelling:ignore:`clustermesh.apiserver.service.nodePort`
     - Optional port to use as the node port for apiserver access. WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation.
If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. 725 - int 726 - ``32379`` 727 * - :spelling:ignore:`clustermesh.apiserver.service.type` 728 - The type of service used for apiserver access. 729 - string 730 - ``"NodePort"`` 731 * - :spelling:ignore:`clustermesh.apiserver.terminationGracePeriodSeconds` 732 - terminationGracePeriodSeconds for the clustermesh-apiserver deployment 733 - int 734 - ``30`` 735 * - :spelling:ignore:`clustermesh.apiserver.tls.admin` 736 - base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. 737 - object 738 - ``{"cert":"","key":""}`` 739 * - :spelling:ignore:`clustermesh.apiserver.tls.authMode` 740 - Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-\ :raw-html-m2r:`<cluster-name>`\ ). The "remote" certificate must be generated with CN=remote-\ :raw-html-m2r:`<cluster-name>` if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh. 
741 - string 742 - ``"legacy"`` 743 * - :spelling:ignore:`clustermesh.apiserver.tls.auto` 744 - Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. 745 - object 746 - ``{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}`` 747 * - :spelling:ignore:`clustermesh.apiserver.tls.auto.certManagerIssuerRef` 748 - certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. 749 - object 750 - ``{}`` 751 * - :spelling:ignore:`clustermesh.apiserver.tls.auto.certValidityDuration` 752 - Generated certificates validity duration in days. 753 - int 754 - ``1095`` 755 * - :spelling:ignore:`clustermesh.apiserver.tls.auto.enabled` 756 - When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. 757 - bool 758 - ``true`` 759 * - :spelling:ignore:`clustermesh.apiserver.tls.client` 760 - base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. Used if 'auto' is not enabled. 761 - object 762 - ``{"cert":"","key":""}`` 763 * - :spelling:ignore:`clustermesh.apiserver.tls.enableSecrets` 764 - Allow users to provide their own certificates Users may need to provide their certificates using a mechanism that requires they provide their own secrets. This setting does not apply to any of the auto-generated mechanisms below, it only restricts the creation of secrets via the ``tls-provided`` templates. 765 - bool 766 - ``true`` 767 * - :spelling:ignore:`clustermesh.apiserver.tls.remote` 768 - base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled. 
769 - object 770 - ``{"cert":"","key":""}`` 771 * - :spelling:ignore:`clustermesh.apiserver.tls.server` 772 - base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled. 773 - object 774 - ``{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}`` 775 * - :spelling:ignore:`clustermesh.apiserver.tls.server.extraDnsNames` 776 - Extra DNS names added to certificate when it's auto generated 777 - list 778 - ``[]`` 779 * - :spelling:ignore:`clustermesh.apiserver.tls.server.extraIpAddresses` 780 - Extra IP addresses added to certificate when it's auto generated 781 - list 782 - ``[]`` 783 * - :spelling:ignore:`clustermesh.apiserver.tolerations` 784 - Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ 785 - list 786 - ``[]`` 787 * - :spelling:ignore:`clustermesh.apiserver.topologySpreadConstraints` 788 - Pod topology spread constraints for clustermesh-apiserver 789 - list 790 - ``[]`` 791 * - :spelling:ignore:`clustermesh.apiserver.updateStrategy` 792 - clustermesh-apiserver update strategy 793 - object 794 - ``{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}`` 795 * - :spelling:ignore:`clustermesh.config` 796 - Clustermesh explicit configuration. 797 - object 798 - ``{"clusters":[],"domain":"mesh.cilium.io","enabled":false}`` 799 * - :spelling:ignore:`clustermesh.config.clusters` 800 - List of clusters to be peered in the mesh. 801 - list 802 - ``[]`` 803 * - :spelling:ignore:`clustermesh.config.domain` 804 - Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used. 805 - string 806 - ``"mesh.cilium.io"`` 807 * - :spelling:ignore:`clustermesh.config.enabled` 808 - Enable the Clustermesh explicit configuration. 
809 - bool 810 - ``false`` 811 * - :spelling:ignore:`clustermesh.enableEndpointSliceSynchronization` 812 - Enable the synchronization of Kubernetes EndpointSlices corresponding to the remote endpoints of appropriately-annotated global services through ClusterMesh 813 - bool 814 - ``false`` 815 * - :spelling:ignore:`clustermesh.enableMCSAPISupport` 816 - Enable Multi-Cluster Services API support 817 - bool 818 - ``false`` 819 * - :spelling:ignore:`clustermesh.maxConnectedClusters` 820 - The maximum number of clusters to support in a ClusterMesh. This value cannot be changed on running clusters, and all clusters in a ClusterMesh must be configured with the same value. Values > 255 will decrease the maximum allocatable cluster-local identities. Supported values are 255 and 511. 821 - int 822 - ``255`` 823 * - :spelling:ignore:`clustermesh.useAPIServer` 824 - Deploy clustermesh-apiserver for clustermesh 825 - bool 826 - ``false`` 827 * - :spelling:ignore:`cni.binPath` 828 - Configure the path to the CNI binary directory on the host. 829 - string 830 - ``"/opt/cni/bin"`` 831 * - :spelling:ignore:`cni.chainingMode` 832 - Configure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap 833 - string 834 - ``nil`` 835 * - :spelling:ignore:`cni.chainingTarget` 836 - A CNI network name in to which the Cilium plugin should be added as a chained plugin. This will cause the agent to watch for a CNI network with this network name. When it is found, this will be used as the basis for Cilium's CNI configuration file. If this is set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode of aws-cni implies a chainingTarget of aws-cni. 837 - string 838 - ``nil`` 839 * - :spelling:ignore:`cni.confFileMountPath` 840 - Configure the path to where to mount the ConfigMap inside the agent pod. 
841 - string 842 - ``"/tmp/cni-configuration"`` 843 * - :spelling:ignore:`cni.confPath` 844 - Configure the path to the CNI configuration directory on the host. 845 - string 846 - ``"/etc/cni/net.d"`` 847 * - :spelling:ignore:`cni.configMapKey` 848 - Configure the key in the CNI ConfigMap to read the contents of the CNI configuration from. 849 - string 850 - ``"cni-config"`` 851 * - :spelling:ignore:`cni.customConf` 852 - Skip writing of the CNI configuration. This can be used if writing of the CNI configuration is performed by external automation. 853 - bool 854 - ``false`` 855 * - :spelling:ignore:`cni.enableRouteMTUForCNIChaining` 856 - Enable route MTU for pod netns when CNI chaining is used 857 - bool 858 - ``false`` 859 * - :spelling:ignore:`cni.exclusive` 860 - Make Cilium take ownership over the ``/etc/cni/net.d`` directory on the node, renaming all non-Cilium CNI configurations to ``*.cilium_bak``. This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime. 861 - bool 862 - ``true`` 863 * - :spelling:ignore:`cni.hostConfDirMountPath` 864 - Configure the path to where the CNI configuration directory is mounted inside the agent pod. 865 - string 866 - ``"/host/etc/cni/net.d"`` 867 * - :spelling:ignore:`cni.install` 868 - Install the CNI configuration and binary files into the filesystem. 869 - bool 870 - ``true`` 871 * - :spelling:ignore:`cni.logFile` 872 - Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly. 873 - string 874 - ``"/var/run/cilium/cilium-cni.log"`` 875 * - :spelling:ignore:`cni.resources` 876 - Specifies the resources for the cni initContainer 877 - object 878 - ``{"requests":{"cpu":"100m","memory":"10Mi"}}`` 879 * - :spelling:ignore:`cni.uninstall` 880 - Remove the CNI configuration and binary files on agent shutdown. Enable this if you're removing Cilium from the cluster. 
Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable. 881 - bool 882 - ``false`` 883 * - :spelling:ignore:`conntrackGCInterval` 884 - Configure how frequently garbage collection should occur for the datapath connection tracking table. 885 - string 886 - ``"0s"`` 887 * - :spelling:ignore:`conntrackGCMaxInterval` 888 - Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently clean up unused identities created from ToFQDN policies. 889 - string 890 - ``""`` 891 * - :spelling:ignore:`crdWaitTimeout` 892 - Configure timeout in which Cilium will exit if CRDs are not available 893 - string 894 - ``"5m"`` 895 * - :spelling:ignore:`customCalls` 896 - Tail call hooks for custom eBPF programs. 897 - object 898 - ``{"enabled":false}`` 899 * - :spelling:ignore:`customCalls.enabled` 900 - Enable tail call hooks for custom eBPF programs. 901 - bool 902 - ``false`` 903 * - :spelling:ignore:`daemon.allowedConfigOverrides` 904 - allowedConfigOverrides is a list of config-map keys that can be overridden. That is to say, if this value is set, config sources (excepting the first one) can only override keys in this list. This takes precedence over blockedConfigOverrides. By default, all keys may be overridden. To disable overrides, set this to "none" or change the configSources variable. 905 - string 906 - ``nil`` 907 * - :spelling:ignore:`daemon.blockedConfigOverrides` 908 - blockedConfigOverrides is a list of config-map keys that may not be overridden. In other words, if any of these keys appear in a configuration source excepting the first one, they will be ignored This is ignored if allowedConfigOverrides is set. By default, all keys may be overridden. 
909 - string 910 - ``nil`` 911 * - :spelling:ignore:`daemon.configSources` 912 - Configure a custom list of possible configuration override sources The default is "config-map:cilium-config,cilium-node-config". For supported values, see the help text for the build-config subcommand. Note that this value should be a comma-separated string. 913 - string 914 - ``nil`` 915 * - :spelling:ignore:`daemon.runPath` 916 - Configure where Cilium runtime state should be stored. 917 - string 918 - ``"/var/run/cilium"`` 919 * - :spelling:ignore:`dashboards` 920 - Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards 921 - object 922 - ``{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}`` 923 * - :spelling:ignore:`debug.enabled` 924 - Enable debug logging 925 - bool 926 - ``false`` 927 * - :spelling:ignore:`debug.verbose` 928 - Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. "datapath envoy"). Applicable values: - flow - kvstore - envoy - datapath - policy 929 - string 930 - ``nil`` 931 * - :spelling:ignore:`directRoutingSkipUnreachable` 932 - Enable skipping of PodCIDR routes between worker nodes if the worker nodes are in a different L2 network segment. 933 - bool 934 - ``false`` 935 * - :spelling:ignore:`disableEndpointCRD` 936 - Disable the usage of CiliumEndpoint CRD. 937 - bool 938 - ``false`` 939 * - :spelling:ignore:`dnsPolicy` 940 - DNS policy for Cilium agent pods. 
Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy 941 - string 942 - ``""`` 943 * - :spelling:ignore:`dnsProxy.dnsRejectResponseCode` 944 - DNS response code for rejecting DNS requests, available options are '[nameError refused]'. 945 - string 946 - ``"refused"`` 947 * - :spelling:ignore:`dnsProxy.enableDnsCompression` 948 - Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. 949 - bool 950 - ``true`` 951 * - :spelling:ignore:`dnsProxy.endpointMaxIpPerHostname` 952 - Maximum number of IPs to maintain per FQDN name for each endpoint. 953 - int 954 - ``50`` 955 * - :spelling:ignore:`dnsProxy.idleConnectionGracePeriod` 956 - Time during which idle but previously active connections with expired DNS lookups are still considered alive. 957 - string 958 - ``"0s"`` 959 * - :spelling:ignore:`dnsProxy.maxDeferredConnectionDeletes` 960 - Maximum number of IPs to retain for expired DNS lookups with still-active connections. 961 - int 962 - ``10000`` 963 * - :spelling:ignore:`dnsProxy.minTtl` 964 - The minimum time, in seconds, to use DNS data for toFQDNs policies. If the upstream DNS server returns a DNS record with a shorter TTL, Cilium overwrites the TTL with this value. Setting this value to zero means that Cilium will honor the TTLs returned by the upstream DNS server. 965 - int 966 - ``0`` 967 * - :spelling:ignore:`dnsProxy.preCache` 968 - DNS cache data at this path is preloaded on agent startup. 969 - string 970 - ``""`` 971 * - :spelling:ignore:`dnsProxy.proxyPort` 972 - Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. 973 - int 974 - ``0`` 975 * - :spelling:ignore:`dnsProxy.proxyResponseMaxDelay` 976 - The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. 
977 - string 978 - ``"100ms"`` 979 * - :spelling:ignore:`dnsProxy.socketLingerTimeout` 980 - Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background. 981 - int 982 - ``10`` 983 * - :spelling:ignore:`egressGateway.enabled` 984 - Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. 985 - bool 986 - ``false`` 987 * - :spelling:ignore:`egressGateway.reconciliationTriggerInterval` 988 - Time between triggers of egress gateway state reconciliations 989 - string 990 - ``"1s"`` 991 * - :spelling:ignore:`enableCiliumEndpointSlice` 992 - Enable CiliumEndpointSlice feature (deprecated, please use ``ciliumEndpointSlice.enabled`` instead). 993 - bool 994 - ``false`` 995 * - :spelling:ignore:`enableCriticalPriorityClass` 996 - Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in ``helm template`` calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance. 997 - bool 998 - ``true`` 999 * - :spelling:ignore:`enableIPv4BIGTCP` 1000 - Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods 1001 - bool 1002 - ``false`` 1003 * - :spelling:ignore:`enableIPv4Masquerade` 1004 - Enables masquerading of IPv4 traffic leaving the node from endpoints. 1005 - bool 1006 - ``true`` 1007 * - :spelling:ignore:`enableIPv6BIGTCP` 1008 - Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods 1009 - bool 1010 - ``false`` 1011 * - :spelling:ignore:`enableIPv6Masquerade` 1012 - Enables masquerading of IPv6 traffic leaving the node from endpoints. 
1013 - bool 1014 - ``true`` 1015 * - :spelling:ignore:`enableK8sTerminatingEndpoint` 1016 - Configure whether to enable auto detect of terminating state for endpoints in order to support graceful termination. 1017 - bool 1018 - ``true`` 1019 * - :spelling:ignore:`enableMasqueradeRouteSource` 1020 - Enables masquerading to the source of the route for traffic leaving the node from endpoints. 1021 - bool 1022 - ``false`` 1023 * - :spelling:ignore:`enableRuntimeDeviceDetection` 1024 - Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. This option has been deprecated and is a no-op. 1025 - bool 1026 - ``true`` 1027 * - :spelling:ignore:`enableXTSocketFallback` 1028 - Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. 1029 - bool 1030 - ``true`` 1031 * - :spelling:ignore:`encryption.enabled` 1032 - Enable transparent network encryption. 1033 - bool 1034 - ``false`` 1035 * - :spelling:ignore:`encryption.ipsec.encryptedOverlay` 1036 - Enable IPsec encrypted overlay 1037 - bool 1038 - ``false`` 1039 * - :spelling:ignore:`encryption.ipsec.interface` 1040 - The interface to use for encrypted traffic. 1041 - string 1042 - ``""`` 1043 * - :spelling:ignore:`encryption.ipsec.keyFile` 1044 - Name of the key file inside the Kubernetes secret configured via secretName. 1045 - string 1046 - ``"keys"`` 1047 * - :spelling:ignore:`encryption.ipsec.keyRotationDuration` 1048 - Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. 
1049 - string 1050 - ``"5m"`` 1051 * - :spelling:ignore:`encryption.ipsec.keyWatcher` 1052 - Enable the key watcher. If disabled, a restart of the agent will be necessary on key rotations. 1053 - bool 1054 - ``true`` 1055 * - :spelling:ignore:`encryption.ipsec.mountPath` 1056 - Path to mount the secret inside the Cilium pod. 1057 - string 1058 - ``"/etc/ipsec"`` 1059 * - :spelling:ignore:`encryption.ipsec.secretName` 1060 - Name of the Kubernetes secret containing the encryption keys. 1061 - string 1062 - ``"cilium-ipsec-keys"`` 1063 * - :spelling:ignore:`encryption.nodeEncryption` 1064 - Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". 1065 - bool 1066 - ``false`` 1067 * - :spelling:ignore:`encryption.strictMode` 1068 - Configure the WireGuard Pod2Pod strict mode. 1069 - object 1070 - ``{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false}`` 1071 * - :spelling:ignore:`encryption.strictMode.allowRemoteNodeIdentities` 1072 - Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. 1073 - bool 1074 - ``false`` 1075 * - :spelling:ignore:`encryption.strictMode.cidr` 1076 - CIDR for the WireGuard Pod2Pod strict mode. 1077 - string 1078 - ``""`` 1079 * - :spelling:ignore:`encryption.strictMode.enabled` 1080 - Enable WireGuard Pod2Pod strict mode. 1081 - bool 1082 - ``false`` 1083 * - :spelling:ignore:`encryption.type` 1084 - Encryption method. Can be either ipsec or wireguard. 1085 - string 1086 - ``"ipsec"`` 1087 * - :spelling:ignore:`encryption.wireguard.persistentKeepalive` 1088 - Controls WireGuard PersistentKeepalive option. Set 0s to disable. 1089 - string 1090 - ``"0s"`` 1091 * - :spelling:ignore:`encryption.wireguard.userspaceFallback` 1092 - Enables the fallback to the user-space implementation (deprecated). 
1093 - bool 1094 - ``false`` 1095 * - :spelling:ignore:`endpointHealthChecking.enabled` 1096 - Enable connectivity health checking between virtual endpoints. 1097 - bool 1098 - ``true`` 1099 * - :spelling:ignore:`endpointRoutes.enabled` 1100 - Enable use of per endpoint routes instead of routing via the cilium_host interface. 1101 - bool 1102 - ``false`` 1103 * - :spelling:ignore:`eni.awsEnablePrefixDelegation` 1104 - Enable ENI prefix delegation 1105 - bool 1106 - ``false`` 1107 * - :spelling:ignore:`eni.awsReleaseExcessIPs` 1108 - Release IPs not used from the ENI 1109 - bool 1110 - ``false`` 1111 * - :spelling:ignore:`eni.ec2APIEndpoint` 1112 - EC2 API endpoint to use 1113 - string 1114 - ``""`` 1115 * - :spelling:ignore:`eni.enabled` 1116 - Enable Elastic Network Interface (ENI) integration. 1117 - bool 1118 - ``false`` 1119 * - :spelling:ignore:`eni.eniTags` 1120 - Tags to apply to the newly created ENIs 1121 - object 1122 - ``{}`` 1123 * - :spelling:ignore:`eni.gcInterval` 1124 - Interval for garbage collection of unattached ENIs. Set to "0s" to disable. 1125 - string 1126 - ``"5m"`` 1127 * - :spelling:ignore:`eni.gcTags` 1128 - Additional tags attached to ENIs created by Cilium. Dangling ENIs with this tag will be garbage collected 1129 - object 1130 - ``{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":"<auto-detected>"}`` 1131 * - :spelling:ignore:`eni.iamRole` 1132 - If using IAM role for Service Accounts will not try to inject identity values from cilium-aws kubernetes secret. Adds annotation to service account if managed by Helm. 
See https://github.com/aws/amazon-eks-pod-identity-webhook 1133 - string 1134 - ``""`` 1135 * - :spelling:ignore:`eni.instanceTagsFilter` 1136 - Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances are going to be used to create new ENIs 1137 - list 1138 - ``[]`` 1139 * - :spelling:ignore:`eni.subnetIDsFilter` 1140 - Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. 1141 - list 1142 - ``[]`` 1143 * - :spelling:ignore:`eni.subnetTagsFilter` 1144 - Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. 1145 - list 1146 - ``[]`` 1147 * - :spelling:ignore:`eni.updateEC2AdapterLimitViaAPI` 1148 - Update ENI Adapter limits from the EC2 API 1149 - bool 1150 - ``true`` 1151 * - :spelling:ignore:`envoy.affinity` 1152 - Affinity for cilium-envoy. 
1153 - object 1154 - ``{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}`` 1155 * - :spelling:ignore:`envoy.annotations` 1156 - Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) 1157 - object 1158 - ``{}`` 1159 * - :spelling:ignore:`envoy.baseID` 1160 - Set Envoy'--base-id' to use when allocating shared memory regions. Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0' 1161 - int 1162 - ``0`` 1163 * - :spelling:ignore:`envoy.connectTimeoutSeconds` 1164 - Time in seconds after which a TCP connection attempt times out 1165 - int 1166 - ``2`` 1167 * - :spelling:ignore:`envoy.debug.admin.enabled` 1168 - Enable admin interface for cilium-envoy. This is useful for debugging and should not be enabled in production. 1169 - bool 1170 - ``false`` 1171 * - :spelling:ignore:`envoy.debug.admin.port` 1172 - Port number (bound to loopback interface). kubectl port-forward can be used to access the admin interface. 1173 - int 1174 - ``9901`` 1175 * - :spelling:ignore:`envoy.dnsPolicy` 1176 - DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy 1177 - string 1178 - ``nil`` 1179 * - :spelling:ignore:`envoy.enabled` 1180 - Enable Envoy Proxy in standalone DaemonSet. This field is enabled by default for new installation. 
     - string
     - ``true`` for new installation
   * - :spelling:ignore:`envoy.extraArgs`
     - Additional envoy container arguments.
     - list
     - ``[]``
   * - :spelling:ignore:`envoy.extraContainers`
     - Additional containers added to the cilium Envoy DaemonSet.
     - list
     - ``[]``
   * - :spelling:ignore:`envoy.extraEnv`
     - Additional envoy container environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`envoy.extraHostPathMounts`
     - Additional envoy hostPath mounts.
     - list
     - ``[]``
   * - :spelling:ignore:`envoy.extraVolumeMounts`
     - Additional envoy volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`envoy.extraVolumes`
     - Additional envoy volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`envoy.healthPort`
     - TCP port for the health API.
     - int
     - ``9878``
   * - :spelling:ignore:`envoy.idleTimeoutDurationSeconds`
     - Set the Envoy upstream HTTP idle connection timeout in seconds. Does not apply to connections with pending requests. Default 60s.
     - int
     - ``60``
   * - :spelling:ignore:`envoy.image`
     - Envoy container image.
     - object
     - ``{"digest":"sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047","useDigest":true}``
   * - :spelling:ignore:`envoy.livenessProbe.failureThreshold`
     - Failure threshold of the liveness probe.
     - int
     - ``10``
   * - :spelling:ignore:`envoy.livenessProbe.periodSeconds`
     - Interval between checks of the liveness probe.
     - int
     - ``30``
   * - :spelling:ignore:`envoy.log.format`
     - The format string to use for laying out the log message metadata of Envoy.
     - string
     - ``"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"``
   * - :spelling:ignore:`envoy.log.path`
     - Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
     - string
     - ``""``
   * - :spelling:ignore:`envoy.maxConnectionDurationSeconds`
     - Set the Envoy HTTP option max_connection_duration in seconds. Default 0 (disabled).
     - int
     - ``0``
   * - :spelling:ignore:`envoy.maxRequestsPerConnection`
     - ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy.
     - int
     - ``0``
   * - :spelling:ignore:`envoy.nodeSelector`
     - Node selector for cilium-envoy.
     - object
     - ``{"kubernetes.io/os":"linux"}``
   * - :spelling:ignore:`envoy.podAnnotations`
     - Annotations to be added to envoy pods.
     - object
     - ``{}``
   * - :spelling:ignore:`envoy.podLabels`
     - Labels to be added to envoy pods.
     - object
     - ``{}``
   * - :spelling:ignore:`envoy.podSecurityContext`
     - Security Context for cilium-envoy pods.
     - object
     - ``{"appArmorProfile":{"type":"Unconfined"}}``
   * - :spelling:ignore:`envoy.podSecurityContext.appArmorProfile`
     - AppArmorProfile options for the ``cilium-agent`` and init containers.
     - object
     - ``{"type":"Unconfined"}``
   * - :spelling:ignore:`envoy.priorityClassName`
     - The priority class to use for cilium-envoy.
     - string
     - ``nil``
   * - :spelling:ignore:`envoy.prometheus`
     - Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy.
     - object
     - ``{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}``
   * - :spelling:ignore:`envoy.prometheus.enabled`
     - Enable prometheus metrics for cilium-envoy.
     - bool
     - ``true``
   * - :spelling:ignore:`envoy.prometheus.port`
     - Serve prometheus metrics for cilium-envoy on the configured port.
     - string
     - ``"9964"``
   * - :spelling:ignore:`envoy.prometheus.serviceMonitor.annotations`
     - Annotations to add to the ServiceMonitor for cilium-envoy.
     - object
     - ``{}``
   * - :spelling:ignore:`envoy.prometheus.serviceMonitor.enabled`
     - Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml). Note that this setting applies to both cilium-envoy *and* cilium-agent with Envoy enabled.
     - bool
     - ``false``
   * - :spelling:ignore:`envoy.prometheus.serviceMonitor.interval`
     - Interval for scraping metrics.
     - string
     - ``"10s"``
   * - :spelling:ignore:`envoy.prometheus.serviceMonitor.labels`
     - Labels to add to the ServiceMonitor for cilium-envoy.
     - object
     - ``{}``
   * - :spelling:ignore:`envoy.prometheus.serviceMonitor.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor for cilium-envoy, or for cilium-agent with Envoy configured.
     - string
     - ``nil``
   * - :spelling:ignore:`envoy.prometheus.serviceMonitor.relabelings`
     - Relabeling configs for the ServiceMonitor for cilium-envoy, or for cilium-agent with Envoy configured.
     - list
     - ``[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]``
   * - :spelling:ignore:`envoy.readinessProbe.failureThreshold`
     - Failure threshold of the readiness probe.
     - int
     - ``3``
   * - :spelling:ignore:`envoy.readinessProbe.periodSeconds`
     - Interval between checks of the readiness probe.
     - int
     - ``30``
   * - :spelling:ignore:`envoy.resources`
     - Envoy resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     - object
     - ``{}``
   * - :spelling:ignore:`envoy.rollOutPods`
     - Roll out cilium envoy pods automatically when the configmap is updated.
     - bool
     - ``false``
   * - :spelling:ignore:`envoy.securityContext.capabilities.envoy`
     - Capabilities for the ``cilium-envoy`` container. Even though granted to the container, the cilium-envoy-starter wrapper drops all capabilities after forking the actual Envoy process. ``NET_BIND_SERVICE`` is the only capability that can be passed to the Envoy process by setting ``envoy.securityContext.capabilities.keepNetBindService=true`` (in addition to granting the capability to the container). Note: In case of embedded envoy, the capability must be granted to the cilium-agent container.
     - list
     - ``["NET_ADMIN","SYS_ADMIN"]``
   * - :spelling:ignore:`envoy.securityContext.capabilities.keepCapNetBindService`
     - Keep capability ``NET_BIND_SERVICE`` for the Envoy process.
     - bool
     - ``false``
   * - :spelling:ignore:`envoy.securityContext.privileged`
     - Run the pod with elevated privileges.
     - bool
     - ``false``
   * - :spelling:ignore:`envoy.securityContext.seLinuxOptions`
     - SELinux options for the ``cilium-envoy`` container.
     - object
     - ``{"level":"s0","type":"spc_t"}``
   * - :spelling:ignore:`envoy.startupProbe.failureThreshold`
     - Failure threshold of the startup probe. 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s).
     - int
     - ``105``
   * - :spelling:ignore:`envoy.startupProbe.periodSeconds`
     - Interval between checks of the startup probe.
     - int
     - ``2``
   * - :spelling:ignore:`envoy.terminationGracePeriodSeconds`
     - Configure the termination grace period for the cilium-envoy DaemonSet.
     - int
     - ``1``
   * - :spelling:ignore:`envoy.tolerations`
     - Node tolerations for envoy scheduling to nodes with taints. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[{"operator":"Exists"}]``
   * - :spelling:ignore:`envoy.updateStrategy`
     - cilium-envoy update strategy. ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset
     - object
     - ``{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}``
   * - :spelling:ignore:`envoy.xffNumTrustedHopsL7PolicyEgress`
     - Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
     - int
     - ``0``
   * - :spelling:ignore:`envoy.xffNumTrustedHopsL7PolicyIngress`
     - Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
     - int
     - ``0``
   * - :spelling:ignore:`envoyConfig.enabled`
     - Enable the CiliumEnvoyConfig CRD. The CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
     - bool
     - ``false``
   * - :spelling:ignore:`envoyConfig.retryInterval`
     - Interval at which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated.
     - string
     - ``"15s"``
   * - :spelling:ignore:`envoyConfig.secretsNamespace`
     - SecretsNamespace is the namespace from which envoy SDS will retrieve secrets.
     - object
     - ``{"create":true,"name":"cilium-secrets"}``
   * - :spelling:ignore:`envoyConfig.secretsNamespace.create`
     - Create the secrets namespace for CiliumEnvoyConfig CRDs.
     - bool
     - ``true``
   * - :spelling:ignore:`envoyConfig.secretsNamespace.name`
     - The name of the secret namespace to which Cilium agents are given read access.
     - string
     - ``"cilium-secrets"``
   * - :spelling:ignore:`etcd.enabled`
     - Enable etcd mode for the agent.
     - bool
     - ``false``
   * - :spelling:ignore:`etcd.endpoints`
     - List of etcd endpoints.
     - list
     - ``["https://CHANGE-ME:2379"]``
   * - :spelling:ignore:`etcd.ssl`
     - Enable use of TLS/SSL for connectivity to etcd.
     - bool
     - ``false``
   * - :spelling:ignore:`externalIPs.enabled`
     - Enable ExternalIPs service support.
     - bool
     - ``false``
   * - :spelling:ignore:`externalWorkloads`
     - Configure external workloads support.
     - object
     - ``{"enabled":false}``
   * - :spelling:ignore:`externalWorkloads.enabled`
     - Enable support for external workloads, such as VMs (false by default).
     - bool
     - ``false``
   * - :spelling:ignore:`extraArgs`
     - Additional agent container arguments.
     - list
     - ``[]``
   * - :spelling:ignore:`extraConfig`
     - extraConfig allows you to specify additional configuration parameters to be included in the cilium-config configmap.
     - object
     - ``{}``
   * - :spelling:ignore:`extraContainers`
     - Additional containers added to the cilium DaemonSet.
     - list
     - ``[]``
   * - :spelling:ignore:`extraEnv`
     - Additional agent container environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`extraHostPathMounts`
     - Additional agent hostPath mounts.
     - list
     - ``[]``
   * - :spelling:ignore:`extraInitContainers`
     - Additional initContainers added to the cilium DaemonSet.
     - list
     - ``[]``
   * - :spelling:ignore:`extraVolumeMounts`
     - Additional agent volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`extraVolumes`
     - Additional agent volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`forceDeviceDetection`
     - Forces the auto-detection of devices, even if specific devices are explicitly listed.
     - bool
     - ``false``
   * - :spelling:ignore:`gatewayAPI.enableAlpn`
     - Enable ALPN for all listeners configured with Gateway API. ALPN will attempt HTTP/2, then HTTP 1.1. Note that this will also enable ``appProtocol`` support, and services that wish to use HTTP/2 will need to indicate that via their ``appProtocol``.
     - bool
     - ``false``
   * - :spelling:ignore:`gatewayAPI.enableAppProtocol`
     - Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol.
     - bool
     - ``false``
   * - :spelling:ignore:`gatewayAPI.enableProxyProtocol`
     - Enable proxy protocol for all GatewayAPI listeners. Note that *only* Proxy protocol traffic will be accepted once this is enabled.
     - bool
     - ``false``
   * - :spelling:ignore:`gatewayAPI.enabled`
     - Enable support for Gateway API in cilium. This will automatically set enable-envoy-config as well.
     - bool
     - ``false``
   * - :spelling:ignore:`gatewayAPI.externalTrafficPolicy`
     - Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for all Cilium GatewayAPI Gateway instances. Valid values are "Cluster" and "Local". Note that this value will be ignored when ``hostNetwork.enabled == true``. ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy
     - string
     - ``"Cluster"``
   * - :spelling:ignore:`gatewayAPI.gatewayClass.create`
     - Enable creation of the GatewayClass resource. The default value is 'auto', which decides according to the presence of gateway.networking.k8s.io/v1/GatewayClass in the cluster. Other possible values are 'true' and 'false', which will either always or never create the GatewayClass, respectively.
     - string
     - ``"auto"``
   * - :spelling:ignore:`gatewayAPI.hostNetwork.enabled`
     - Configure whether the Envoy listeners should be exposed on the host network.
     - bool
     - ``false``
   * - :spelling:ignore:`gatewayAPI.hostNetwork.nodes.matchLabels`
     - Specify the labels of the nodes where the Ingress listeners should be exposed, for example::

         matchLabels:
           kubernetes.io/os: linux
           kubernetes.io/hostname: kind-worker
     - object
     - ``{}``
   * - :spelling:ignore:`gatewayAPI.secretsNamespace`
     - SecretsNamespace is the namespace from which envoy SDS will retrieve TLS secrets.
     - object
     - ``{"create":true,"name":"cilium-secrets","sync":true}``
   * - :spelling:ignore:`gatewayAPI.secretsNamespace.create`
     - Create the secrets namespace for Gateway API.
     - bool
     - ``true``
   * - :spelling:ignore:`gatewayAPI.secretsNamespace.name`
     - Name of the Gateway API secret namespace.
     - string
     - ``"cilium-secrets"``
   * - :spelling:ignore:`gatewayAPI.secretsNamespace.sync`
     - Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally.
     - bool
     - ``true``
   * - :spelling:ignore:`gatewayAPI.xffNumTrustedHops`
     - The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.
     - int
     - ``0``
   * - :spelling:ignore:`gke.enabled`
     - Enable Google Kubernetes Engine integration.
     - bool
     - ``false``
   * - :spelling:ignore:`healthChecking`
     - Enable connectivity health checking.
     - bool
     - ``true``
   * - :spelling:ignore:`healthPort`
     - TCP port for the agent health API. This is not the port for cilium-health.
     - int
     - ``9879``
   * - :spelling:ignore:`highScaleIPcache`
     - EnableHighScaleIPcache enables the special ipcache mode for high scale clusters. The ipcache content will be reduced to the strict minimum and traffic will be encapsulated to carry security identities.
     - object
     - ``{"enabled":false}``
   * - :spelling:ignore:`highScaleIPcache.enabled`
     - Enable the high scale mode for the ipcache.
     - bool
     - ``false``
   * - :spelling:ignore:`hostFirewall`
     - Configure the host firewall.
     - object
     - ``{"enabled":false}``
   * - :spelling:ignore:`hostFirewall.enabled`
     - Enables the enforcement of host policies in the eBPF datapath.
     - bool
     - ``false``
   * - :spelling:ignore:`hostPort.enabled`
     - Enable hostPort service support.
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.annotations`
     - Annotations to be added to all top-level hubble objects (resources under templates/hubble).
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.dropEventEmitter`
     - Emit v1.Events related to pods on detection of packet drops. This feature is alpha, please provide feedback at https://github.com/cilium/cilium/issues/33975.
     - object
     - ``{"enabled":false,"interval":"2m","reasons":["auth_required","policy_denied"]}``
   * - :spelling:ignore:`hubble.dropEventEmitter.interval`
     - Minimum time between emitting the same events.
     - string
     - ``"2m"``
   * - :spelling:ignore:`hubble.dropEventEmitter.reasons`
     - Drop reasons to emit events for. ref: https://docs.cilium.io/en/stable/_api/v1/flow/README/#dropreason
     - list
     - ``["auth_required","policy_denied"]``
   * - :spelling:ignore:`hubble.enabled`
     - Enable Hubble (true by default).
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.export`
     - Hubble flows export.
     - object
     - ``{"dynamic":{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false},"fileMaxBackups":5,"fileMaxSizeMb":10,"static":{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}}``
   * - :spelling:ignore:`hubble.export.dynamic`
     - Dynamic exporters configuration. Dynamic exporters may be reconfigured without the need for agent restarts.
     - object
     - ``{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false}``
   * - :spelling:ignore:`hubble.export.dynamic.config.configMapName`
     - Name of the configmap with configuration that may be altered to reconfigure exporters within running agents.
     - string
     - ``"cilium-flowlog-config"``
   * - :spelling:ignore:`hubble.export.dynamic.config.content`
     - Exporters configuration in YAML format.
     - list
     - ``[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}]``
   * - :spelling:ignore:`hubble.export.dynamic.config.createConfigMap`
     - True if the helm installer should create the config map. Switch to false if you want to maintain the file content yourself.
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.export.fileMaxBackups`
     - Defines the max number of backup/rotated files.
     - int
     - ``5``
   * - :spelling:ignore:`hubble.export.fileMaxSizeMb`
     - Defines the max file size of the output file before it gets rotated.
     - int
     - ``10``
   * - :spelling:ignore:`hubble.export.static`
     - Static exporter configuration. The static exporter is bound to the agent lifecycle.
     - object
     - ``{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}``
   * - :spelling:ignore:`hubble.listenAddress`
     - An additional address for Hubble to listen to. Set this field to ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244.
     - string
     - ``":4244"``
   * - :spelling:ignore:`hubble.metrics`
     - Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics.
     - object
     - ``{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}``
   * - :spelling:ignore:`hubble.metrics.dashboards`
     - Grafana dashboards for Hubble. Grafana can import dashboards based on the label and value. ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
     - object
     - ``{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}``
   * - :spelling:ignore:`hubble.metrics.enableOpenMetrics`
     - Enables exporting hubble metrics in OpenMetrics format.
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.metrics.enabled`
     - Configures the list of metrics to collect. If empty or null, metrics are disabled. Example::

         enabled:
           - dns:query;ignoreAAAA
           - drop
           - tcp
           - flow
           - icmp
           - http

       You can specify the list of metrics from the helm CLI::

         --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.metrics.port`
     - Configure the port the hubble metric server listens on.
     - int
     - ``9965``
   * - :spelling:ignore:`hubble.metrics.serviceAnnotations`
     - Annotations to be added to the hubble-metrics service.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.annotations`
     - Annotations to add to the ServiceMonitor for hubble.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.enabled`
     - Create ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.interval`
     - Interval for scraping metrics.
     - string
     - ``"10s"``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.jobLabel`
     - jobLabel to add for the ServiceMonitor for hubble.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.labels`
     - Labels to add to the ServiceMonitor for hubble.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor for hubble.
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.metrics.serviceMonitor.relabelings`
     - Relabeling configs for the ServiceMonitor for hubble.
     - list
     - ``[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]``
   * - :spelling:ignore:`hubble.metrics.tls.server.cert`
     - base64 encoded PEM values for the Hubble metrics server certificate (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.metrics.tls.server.existingSecret`
     - Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.metrics.tls.server.extraDnsNames`
     - Extra DNS names added to the certificate when it's auto-generated.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.metrics.tls.server.extraIpAddresses`
     - Extra IP addresses added to the certificate when it's auto-generated.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.metrics.tls.server.key`
     - base64 encoded PEM values for the Hubble metrics server key (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.metrics.tls.server.mtls`
     - Configure mTLS for the Hubble metrics server.
     - object
     - ``{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}``
   * - :spelling:ignore:`hubble.metrics.tls.server.mtls.key`
     - Entry of the ConfigMap containing the CA.
     - string
     - ``"ca.crt"``
   * - :spelling:ignore:`hubble.metrics.tls.server.mtls.name`
     - Name of the ConfigMap containing the CA to validate client certificates against. If mTLS is enabled and this is unspecified, it will default to the same CA used for Hubble metrics server certificates.
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.peerService.clusterDomain`
     - The cluster domain to use to query the Hubble Peer service. It should be the local cluster.
     - string
     - ``"cluster.local"``
   * - :spelling:ignore:`hubble.peerService.targetPort`
     - Target Port for the Peer service; must match the port of hubble.listenAddress.
     - int
     - ``4244``
   * - :spelling:ignore:`hubble.preferIpv6`
     - Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available.
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.redact`
     - Enables redacting sensitive information present in Layer 7 flows.
     - object
     - ``{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":false}}``
   * - :spelling:ignore:`hubble.redact.http.headers.allow`
     - List of HTTP headers to allow: headers not matching will be redacted. Note: ``allow`` and ``deny`` lists cannot both be used at the same time, only one can be present. Example::

         redact:
           enabled: true
           http:
             headers:
               allow:
                 - traceparent
                 - tracestate
                 - Cache-Control

       You can specify the options from the helm CLI::

         --set hubble.redact.enabled="true"
         --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control"
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.redact.http.headers.deny`
     - List of HTTP headers to deny: matching headers will be redacted. Note: ``allow`` and ``deny`` lists cannot both be used at the same time, only one can be present. Example::

         redact:
           enabled: true
           http:
             headers:
               deny:
                 - Authorization
                 - Proxy-Authorization

       You can specify the options from the helm CLI::

         --set hubble.redact.enabled="true"
         --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization"
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.redact.http.urlQuery`
     - Enables redacting URL query (GET) parameters. Example::

         redact:
           enabled: true
           http:
             urlQuery: true

       You can specify the options from the helm CLI::

         --set hubble.redact.enabled="true"
         --set hubble.redact.http.urlQuery="true"
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.redact.http.userInfo`
     - Enables redacting user info, e.g., the password when basic auth is used. Example::

         redact:
           enabled: true
           http:
             userInfo: true

       You can specify the options from the helm CLI::

         --set hubble.redact.enabled="true"
         --set hubble.redact.http.userInfo="true"
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.redact.kafka.apiKey`
     - Enables redacting Kafka's API key. Example::

         redact:
           enabled: true
           kafka:
             apiKey: true

       You can specify the options from the helm CLI::

         --set hubble.redact.enabled="true"
         --set hubble.redact.kafka.apiKey="true"
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.relay.affinity`
     - Affinity for hubble-relay.
     - object
     - ``{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}``
   * - :spelling:ignore:`hubble.relay.annotations`
     - Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay).
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.relay.dialTimeout`
     - Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s").
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.relay.enabled`
     - Enable Hubble Relay (requires hubble.enabled=true).
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.relay.extraEnv`
     - Additional hubble-relay environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.extraVolumeMounts`
     - Additional hubble-relay volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.extraVolumes`
     - Additional hubble-relay volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.gops.enabled`
     - Enable gops for hubble-relay.
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.relay.gops.port`
     - Configure the gops listen port for hubble-relay.
     - int
     - ``9893``
   * - :spelling:ignore:`hubble.relay.image`
     - Hubble-relay container image.
     - object
     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.2","useDigest":false}``
   * - :spelling:ignore:`hubble.relay.listenHost`
     - Host to listen on. Specify an empty string to bind to all interfaces.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.listenPort`
     - Port to listen on.
     - string
     - ``"4245"``
   * - :spelling:ignore:`hubble.relay.nodeSelector`
     - Node labels for pod assignment. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
     - object
     - ``{"kubernetes.io/os":"linux"}``
   * - :spelling:ignore:`hubble.relay.podAnnotations`
     - Annotations to be added to hubble-relay pods.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.relay.podDisruptionBudget.enabled`
     - Enable PodDisruptionBudget. ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.relay.podDisruptionBudget.maxUnavailable`
     - Maximum number/percentage of pods that may be made unavailable.
     - int
     - ``1``
   * - :spelling:ignore:`hubble.relay.podDisruptionBudget.minAvailable`
     - Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by ``maxUnavailable: null``.
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.relay.podLabels`
     - Labels to be added to hubble-relay pods.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.relay.podSecurityContext`
     - hubble-relay pod security context.
     - object
     - ``{"fsGroup":65532}``
   * - :spelling:ignore:`hubble.relay.pprof.address`
     - Configure the pprof listen address for hubble-relay.
     - string
     - ``"localhost"``
   * - :spelling:ignore:`hubble.relay.pprof.enabled`
     - Enable pprof for hubble-relay.
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.relay.pprof.port`
     - Configure the pprof listen port for hubble-relay.
     - int
     - ``6062``
   * - :spelling:ignore:`hubble.relay.priorityClassName`
     - The priority class to use for hubble-relay.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.prometheus`
     - Enable prometheus metrics for hubble-relay on the configured port at /metrics.
     - object
     - ``{"enabled":false,"port":9966,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":null}}``
   * - :spelling:ignore:`hubble.relay.prometheus.serviceMonitor.annotations`
     - Annotations to add to the ServiceMonitor for hubble-relay.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.relay.prometheus.serviceMonitor.enabled`
     - Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml).
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.relay.prometheus.serviceMonitor.interval`
     - Interval for scraping metrics.
     - string
     - ``"10s"``
   * - :spelling:ignore:`hubble.relay.prometheus.serviceMonitor.labels`
     - Labels to add to the ServiceMonitor for hubble-relay.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.relay.prometheus.serviceMonitor.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor for hubble-relay.
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.relay.prometheus.serviceMonitor.relabelings`
     - Relabeling configs for the ServiceMonitor for hubble-relay.
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.relay.replicas`
     - Number of replicas run for the hubble-relay deployment.
     - int
     - ``1``
   * - :spelling:ignore:`hubble.relay.resources`
     - Specifies the resources for the hubble-relay pods.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.relay.retryTimeout`
     - Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.relay.rollOutPods`
     - Roll out Hubble Relay pods automatically when the configmap is updated.
     - bool
     - ``false``
   * - :spelling:ignore:`hubble.relay.securityContext`
     - hubble-relay container security context.
     - object
     - ``{"capabilities":{"drop":["ALL"]},"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}``
   * - :spelling:ignore:`hubble.relay.service`
     - hubble-relay service configuration.
     - object
     - ``{"nodePort":31234,"type":"ClusterIP"}``
   * - :spelling:ignore:`hubble.relay.service.nodePort`
     - The port to use when the service type is set to NodePort.
     - int
     - ``31234``
   * - :spelling:ignore:`hubble.relay.service.type`
     - The type of service used for Hubble Relay access, either ClusterIP or NodePort.
     - string
     - ``"ClusterIP"``
   * - :spelling:ignore:`hubble.relay.sortBufferDrainTimeout`
     - When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
     - string
     - ``nil``
   * - :spelling:ignore:`hubble.relay.sortBufferLenMax`
     - Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100).
     - int
     - ``nil``
   * - :spelling:ignore:`hubble.relay.terminationGracePeriodSeconds`
     - Configure the termination grace period for the hubble relay Deployment.
     - int
     - ``1``
   * - :spelling:ignore:`hubble.relay.tls`
     - TLS configuration for Hubble Relay.
     - object
     - ``{"client":{"cert":"","existingSecret":"","key":""},"server":{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}``
   * - :spelling:ignore:`hubble.relay.tls.client`
     - The hubble-relay client certificate and private key. This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false.
     - object
     - ``{"cert":"","existingSecret":"","key":""}``
   * - :spelling:ignore:`hubble.relay.tls.client.cert`
     - base64 encoded PEM values for the Hubble relay client certificate (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.tls.client.existingSecret`
     - Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.tls.client.key`
     - base64 encoded PEM values for the Hubble relay client key (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.tls.server`
     - The hubble-relay server certificate and private key.
     - object
     - ``{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}``
   * - :spelling:ignore:`hubble.relay.tls.server.cert`
     - base64 encoded PEM values for the Hubble relay server certificate (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.tls.server.existingSecret`
     - Name of the Secret containing the certificate and key for the Hubble relay server. If specified, cert and key are ignored.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.tls.server.extraDnsNames`
     - Extra DNS names added to the certificate when it's auto-generated.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.tls.server.extraIpAddresses`
     - Extra IP addresses added to the certificate when it's auto-generated.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.tls.server.key`
     - base64 encoded PEM values for the Hubble relay server key (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.relay.tolerations`
     - Node tolerations for pod assignment on nodes with taints. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.topologySpreadConstraints`
     - Pod topology spread constraints for hubble-relay.
     - list
     - ``[]``
   * - :spelling:ignore:`hubble.relay.updateStrategy`
     - hubble-relay update strategy.
     - object
     - ``{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}``
   * - :spelling:ignore:`hubble.skipUnknownCGroupIDs`
     - Skip Hubble events with unknown cgroup ids.
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.socketPath`
     - Unix domain socket path to listen on when Hubble is enabled.
     - string
     - ``"/var/run/cilium/hubble.sock"``
   * - :spelling:ignore:`hubble.tls`
     - TLS configuration for Hubble.
     - object
     - ``{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}``
   * - :spelling:ignore:`hubble.tls.auto`
     - Configure automatic TLS certificate generation.
     - object
     - ``{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}``
   * - :spelling:ignore:`hubble.tls.auto.certManagerIssuerRef`
     - certmanager issuer used when hubble.tls.auto.method=certmanager.
     - object
     - ``{}``
   * - :spelling:ignore:`hubble.tls.auto.certValidityDuration`
     - Validity duration of the generated certificates, in days.
     - int
     - ``1095``
   * - :spelling:ignore:`hubble.tls.auto.enabled`
     - Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for the Hubble server need to be provided by setting the appropriate values below.
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.tls.auto.method`
     - Set the method to auto-generate certificates. Supported values:

       - helm: This method uses Helm to generate all certificates.
       - cronJob: This method uses a Kubernetes CronJob to generate any certificates not provided by the user at installation time.
       - certmanager: This method uses cert-manager to generate & rotate certificates.
     - string
     - ``"helm"``
   * - :spelling:ignore:`hubble.tls.auto.schedule`
     - Schedule for certificate regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax
     - string
     - ``"0 0 1 */4 *"``
   * - :spelling:ignore:`hubble.tls.enabled`
     - Enable mutual TLS for listenAddress. Setting this value to false is highly discouraged, as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network.
     - bool
     - ``true``
   * - :spelling:ignore:`hubble.tls.server`
     - The Hubble server certificate and private key.
     - object
     - ``{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}``
   * - :spelling:ignore:`hubble.tls.server.cert`
     - base64 encoded PEM values for the Hubble server certificate (deprecated). Use existingSecret instead.
     - string
     - ``""``
   * - :spelling:ignore:`hubble.tls.server.existingSecret`
     - Name of the Secret containing the certificate and key for the Hubble server. If specified, cert and key are ignored.
1973 - string 1974 - ``""`` 1975 * - :spelling:ignore:`hubble.tls.server.extraDnsNames` 1976 - Extra DNS names added to certificate when it's auto generated 1977 - list 1978 - ``[]`` 1979 * - :spelling:ignore:`hubble.tls.server.extraIpAddresses` 1980 - Extra IP addresses added to certificate when it's auto generated 1981 - list 1982 - ``[]`` 1983 * - :spelling:ignore:`hubble.tls.server.key` 1984 - base64 encoded PEM values for the Hubble server key (deprecated). Use existingSecret instead. 1985 - string 1986 - ``""`` 1987 * - :spelling:ignore:`hubble.ui.affinity` 1988 - Affinity for hubble-ui 1989 - object 1990 - ``{}`` 1991 * - :spelling:ignore:`hubble.ui.annotations` 1992 - Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) 1993 - object 1994 - ``{}`` 1995 * - :spelling:ignore:`hubble.ui.backend.extraEnv` 1996 - Additional hubble-ui backend environment variables. 1997 - list 1998 - ``[]`` 1999 * - :spelling:ignore:`hubble.ui.backend.extraVolumeMounts` 2000 - Additional hubble-ui backend volumeMounts. 2001 - list 2002 - ``[]`` 2003 * - :spelling:ignore:`hubble.ui.backend.extraVolumes` 2004 - Additional hubble-ui backend volumes. 2005 - list 2006 - ``[]`` 2007 * - :spelling:ignore:`hubble.ui.backend.image` 2008 - Hubble-ui backend image. 
2009 - object 2010 - ``{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}`` 2011 * - :spelling:ignore:`hubble.ui.backend.livenessProbe.enabled` 2012 - Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) 2013 - bool 2014 - ``false`` 2015 * - :spelling:ignore:`hubble.ui.backend.readinessProbe.enabled` 2016 - Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) 2017 - bool 2018 - ``false`` 2019 * - :spelling:ignore:`hubble.ui.backend.resources` 2020 - Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. 2021 - object 2022 - ``{}`` 2023 * - :spelling:ignore:`hubble.ui.backend.securityContext` 2024 - Hubble-ui backend security context. 2025 - object 2026 - ``{}`` 2027 * - :spelling:ignore:`hubble.ui.baseUrl` 2028 - Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing ``/`` is required for custom path, ex. ``/service-map/`` 2029 - string 2030 - ``"/"`` 2031 * - :spelling:ignore:`hubble.ui.enabled` 2032 - Whether to enable the Hubble UI. 2033 - bool 2034 - ``false`` 2035 * - :spelling:ignore:`hubble.ui.frontend.extraEnv` 2036 - Additional hubble-ui frontend environment variables. 2037 - list 2038 - ``[]`` 2039 * - :spelling:ignore:`hubble.ui.frontend.extraVolumeMounts` 2040 - Additional hubble-ui frontend volumeMounts. 2041 - list 2042 - ``[]`` 2043 * - :spelling:ignore:`hubble.ui.frontend.extraVolumes` 2044 - Additional hubble-ui frontend volumes. 2045 - list 2046 - ``[]`` 2047 * - :spelling:ignore:`hubble.ui.frontend.image` 2048 - Hubble-ui frontend image. 
2049 - object 2050 - ``{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}`` 2051 * - :spelling:ignore:`hubble.ui.frontend.resources` 2052 - Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. 2053 - object 2054 - ``{}`` 2055 * - :spelling:ignore:`hubble.ui.frontend.securityContext` 2056 - Hubble-ui frontend security context. 2057 - object 2058 - ``{}`` 2059 * - :spelling:ignore:`hubble.ui.frontend.server.ipv6` 2060 - Controls server listener for ipv6 2061 - object 2062 - ``{"enabled":true}`` 2063 * - :spelling:ignore:`hubble.ui.ingress` 2064 - hubble-ui ingress configuration. 2065 - object 2066 - ``{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"labels":{},"tls":[]}`` 2067 * - :spelling:ignore:`hubble.ui.nodeSelector` 2068 - Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector 2069 - object 2070 - ``{"kubernetes.io/os":"linux"}`` 2071 * - :spelling:ignore:`hubble.ui.podAnnotations` 2072 - Annotations to be added to hubble-ui pods 2073 - object 2074 - ``{}`` 2075 * - :spelling:ignore:`hubble.ui.podDisruptionBudget.enabled` 2076 - enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ 2077 - bool 2078 - ``false`` 2079 * - :spelling:ignore:`hubble.ui.podDisruptionBudget.maxUnavailable` 2080 - Maximum number/percentage of pods that may be made unavailable 2081 - int 2082 - ``1`` 2083 * - :spelling:ignore:`hubble.ui.podDisruptionBudget.minAvailable` 2084 - Minimum number/percentage of pods that should remain scheduled. 
When it's set, maxUnavailable must be disabled by ``maxUnavailable: null`` 2085 - string 2086 - ``nil`` 2087 * - :spelling:ignore:`hubble.ui.podLabels` 2088 - Labels to be added to hubble-ui pods 2089 - object 2090 - ``{}`` 2091 * - :spelling:ignore:`hubble.ui.priorityClassName` 2092 - The priority class to use for hubble-ui 2093 - string 2094 - ``""`` 2095 * - :spelling:ignore:`hubble.ui.replicas` 2096 - The number of replicas of Hubble UI to deploy. 2097 - int 2098 - ``1`` 2099 * - :spelling:ignore:`hubble.ui.rollOutPods` 2100 - Roll out Hubble-ui pods automatically when configmap is updated. 2101 - bool 2102 - ``false`` 2103 * - :spelling:ignore:`hubble.ui.securityContext` 2104 - Security context to be added to Hubble UI pods 2105 - object 2106 - ``{"fsGroup":1001,"runAsGroup":1001,"runAsUser":1001}`` 2107 * - :spelling:ignore:`hubble.ui.service` 2108 - hubble-ui service configuration. 2109 - object 2110 - ``{"annotations":{},"nodePort":31235,"type":"ClusterIP"}`` 2111 * - :spelling:ignore:`hubble.ui.service.annotations` 2112 - Annotations to be added for the Hubble UI service 2113 - object 2114 - ``{}`` 2115 * - :spelling:ignore:`hubble.ui.service.nodePort` 2116 - - The port to use when the service type is set to NodePort. 2117 - int 2118 - ``31235`` 2119 * - :spelling:ignore:`hubble.ui.service.type` 2120 - - The type of service used for Hubble UI access, either ClusterIP or NodePort. 2121 - string 2122 - ``"ClusterIP"`` 2123 * - :spelling:ignore:`hubble.ui.standalone.enabled` 2124 - When true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. 
When installed via helm, installing UI should be done via ``helm upgrade`` and when installed via the cilium cli, then ``cilium hubble enable --ui`` 2125 - bool 2126 - ``false`` 2127 * - :spelling:ignore:`hubble.ui.standalone.tls.certsVolume` 2128 - When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates. 2129 - object 2130 - ``{}`` 2131 * - :spelling:ignore:`hubble.ui.tls.client.cert` 2132 - base64 encoded PEM values for the Hubble UI client certificate (deprecated). Use existingSecret instead. 2133 - string 2134 - ``""`` 2135 * - :spelling:ignore:`hubble.ui.tls.client.existingSecret` 2136 - Name of the Secret containing the client certificate and key for Hubble UI If specified, cert and key are ignored. 2137 - string 2138 - ``""`` 2139 * - :spelling:ignore:`hubble.ui.tls.client.key` 2140 - base64 encoded PEM values for the Hubble UI client key (deprecated). Use existingSecret instead. 2141 - string 2142 - ``""`` 2143 * - :spelling:ignore:`hubble.ui.tolerations` 2144 - Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ 2145 - list 2146 - ``[]`` 2147 * - :spelling:ignore:`hubble.ui.topologySpreadConstraints` 2148 - Pod topology spread constraints for hubble-ui 2149 - list 2150 - ``[]`` 2151 * - :spelling:ignore:`hubble.ui.updateStrategy` 2152 - hubble-ui update strategy. 2153 - object 2154 - ``{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}`` 2155 * - :spelling:ignore:`identityAllocationMode` 2156 - Method to use for identity allocation (\ ``crd`` or ``kvstore``\ ). 2157 - string 2158 - ``"crd"`` 2159 * - :spelling:ignore:`identityChangeGracePeriod` 2160 - Time to wait before using new identity on endpoint identity change. 2161 - string 2162 - ``"5s"`` 2163 * - :spelling:ignore:`image` 2164 - Agent container image. 
2165 - object 2166 - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":false}`` 2167 * - :spelling:ignore:`imagePullSecrets` 2168 - Configure image pull secrets for pulling container images 2169 - list 2170 - ``[]`` 2171 * - :spelling:ignore:`ingressController.default` 2172 - Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set 2173 - bool 2174 - ``false`` 2175 * - :spelling:ignore:`ingressController.defaultSecretName` 2176 - Default secret name for ingresses without .spec.tls[].secretName set. 2177 - string 2178 - ``nil`` 2179 * - :spelling:ignore:`ingressController.defaultSecretNamespace` 2180 - Default secret namespace for ingresses without .spec.tls[].secretName set. 2181 - string 2182 - ``nil`` 2183 * - :spelling:ignore:`ingressController.enableProxyProtocol` 2184 - Enable proxy protocol for all Ingress listeners. Note that *only* Proxy protocol traffic will be accepted once this is enabled. 2185 - bool 2186 - ``false`` 2187 * - :spelling:ignore:`ingressController.enabled` 2188 - Enable cilium ingress controller This will automatically set enable-envoy-config as well. 2189 - bool 2190 - ``false`` 2191 * - :spelling:ignore:`ingressController.enforceHttps` 2192 - Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. 2193 - bool 2194 - ``true`` 2195 * - :spelling:ignore:`ingressController.hostNetwork.enabled` 2196 - Configure whether the Envoy listeners should be exposed on the host network. 
2197 - bool 2198 - ``false`` 2199 * - :spelling:ignore:`ingressController.hostNetwork.nodes.matchLabels` 2200 - Specify the labels of the nodes where the Ingress listeners should be exposed matchLabels: kubernetes.io/os: linux kubernetes.io/hostname: kind-worker 2201 - object 2202 - ``{}`` 2203 * - :spelling:ignore:`ingressController.hostNetwork.sharedListenerPort` 2204 - Configure a specific port on the host network that gets used for the shared listener. 2205 - int 2206 - ``8080`` 2207 * - :spelling:ignore:`ingressController.ingressLBAnnotationPrefixes` 2208 - IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service 2209 - list 2210 - ``["lbipam.cilium.io","nodeipam.cilium.io","service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]`` 2211 * - :spelling:ignore:`ingressController.loadbalancerMode` 2212 - Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource: "ingress.cilium.io/loadbalancer-mode: dedicated" (or "shared"). 2213 - string 2214 - ``"dedicated"`` 2215 * - :spelling:ignore:`ingressController.secretsNamespace` 2216 - SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. 2217 - object 2218 - ``{"create":true,"name":"cilium-secrets","sync":true}`` 2219 * - :spelling:ignore:`ingressController.secretsNamespace.create` 2220 - Create secrets namespace for Ingress. 2221 - bool 2222 - ``true`` 2223 * - :spelling:ignore:`ingressController.secretsNamespace.name` 2224 - Name of Ingress secret namespace. 2225 - string 2226 - ``"cilium-secrets"`` 2227 * - :spelling:ignore:`ingressController.secretsNamespace.sync` 2228 - Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally. 
2229 - bool 2230 - ``true`` 2231 * - :spelling:ignore:`ingressController.service` 2232 - Load-balancer service in shared mode. This is a single load-balancer service for all Ingress resources. 2233 - object 2234 - ``{"allocateLoadBalancerNodePorts":null,"annotations":{},"externalTrafficPolicy":"Cluster","insecureNodePort":null,"labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"name":"cilium-ingress","secureNodePort":null,"type":"LoadBalancer"}`` 2235 * - :spelling:ignore:`ingressController.service.allocateLoadBalancerNodePorts` 2236 - Configure if node port allocation is required for LB service ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation 2237 - string 2238 - ``nil`` 2239 * - :spelling:ignore:`ingressController.service.annotations` 2240 - Annotations to be added for the shared LB service 2241 - object 2242 - ``{}`` 2243 * - :spelling:ignore:`ingressController.service.externalTrafficPolicy` 2244 - Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for Cilium Ingress in shared mode. Valid values are "Cluster" and "Local". 
ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy 2245 - string 2246 - ``"Cluster"`` 2247 * - :spelling:ignore:`ingressController.service.insecureNodePort` 2248 - Configure a specific nodePort for insecure HTTP traffic on the shared LB service 2249 - string 2250 - ``nil`` 2251 * - :spelling:ignore:`ingressController.service.labels` 2252 - Labels to be added for the shared LB service 2253 - object 2254 - ``{}`` 2255 * - :spelling:ignore:`ingressController.service.loadBalancerClass` 2256 - Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) 2257 - string 2258 - ``nil`` 2259 * - :spelling:ignore:`ingressController.service.loadBalancerIP` 2260 - Configure a specific loadBalancerIP on the shared LB service 2261 - string 2262 - ``nil`` 2263 * - :spelling:ignore:`ingressController.service.name` 2264 - Service name 2265 - string 2266 - ``"cilium-ingress"`` 2267 * - :spelling:ignore:`ingressController.service.secureNodePort` 2268 - Configure a specific nodePort for secure HTTPS traffic on the shared LB service 2269 - string 2270 - ``nil`` 2271 * - :spelling:ignore:`ingressController.service.type` 2272 - Service type for the shared LB service 2273 - string 2274 - ``"LoadBalancer"`` 2275 * - :spelling:ignore:`initResources` 2276 - resources & limits for the agent init containers 2277 - object 2278 - ``{}`` 2279 * - :spelling:ignore:`installNoConntrackIptablesRules` 2280 - Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. 
2281 - bool 2282 - ``false`` 2283 * - :spelling:ignore:`ipMasqAgent` 2284 - Configure the eBPF-based ip-masq-agent 2285 - object 2286 - ``{"enabled":false}`` 2287 * - :spelling:ignore:`ipam.ciliumNodeUpdateRate` 2288 - Maximum rate at which the CiliumNode custom resource is updated. 2289 - string 2290 - ``"15s"`` 2291 * - :spelling:ignore:`ipam.mode` 2292 - Configure IP Address Management mode. ref: https://docs.cilium.io/en/stable/network/concepts/ipam/ 2293 - string 2294 - ``"cluster-pool"`` 2295 * - :spelling:ignore:`ipam.operator.autoCreateCiliumPodIPPools` 2296 - IP pools to auto-create in multi-pool IPAM mode. 2297 - object 2298 - ``{}`` 2299 * - :spelling:ignore:`ipam.operator.clusterPoolIPv4MaskSize` 2300 - IPv4 CIDR mask size to delegate to individual nodes for IPAM. 2301 - int 2302 - ``24`` 2303 * - :spelling:ignore:`ipam.operator.clusterPoolIPv4PodCIDRList` 2304 - IPv4 CIDR list range to delegate to individual nodes for IPAM. 2305 - list 2306 - ``["10.0.0.0/8"]`` 2307 * - :spelling:ignore:`ipam.operator.clusterPoolIPv6MaskSize` 2308 - IPv6 CIDR mask size to delegate to individual nodes for IPAM. 2309 - int 2310 - ``120`` 2311 * - :spelling:ignore:`ipam.operator.clusterPoolIPv6PodCIDRList` 2312 - IPv6 CIDR list range to delegate to individual nodes for IPAM. 2313 - list 2314 - ``["fd00::/104"]`` 2315 * - :spelling:ignore:`ipam.operator.externalAPILimitBurstSize` 2316 - The maximum burst size when rate limiting access to external APIs. Also known as the token bucket capacity. 2317 - int 2318 - ``20`` 2319 * - :spelling:ignore:`ipam.operator.externalAPILimitQPS` 2320 - The maximum queries per second when rate limiting access to external APIs. Also known as the bucket refill rate, which is used to refill the bucket up to the burst size capacity. 2321 - float 2322 - ``4.0`` 2323 * - :spelling:ignore:`ipv4.enabled` 2324 - Enable IPv4 support. 
2325 - bool 2326 - ``true`` 2327 * - :spelling:ignore:`ipv4NativeRoutingCIDR` 2328 - Allows to explicitly specify the IPv4 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. 2329 - string 2330 - ``""`` 2331 * - :spelling:ignore:`ipv6.enabled` 2332 - Enable IPv6 support. 2333 - bool 2334 - ``false`` 2335 * - :spelling:ignore:`ipv6NativeRoutingCIDR` 2336 - Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. 
2337 - string 2338 - ``""`` 2339 * - :spelling:ignore:`k8s` 2340 - Configure Kubernetes specific configuration 2341 - object 2342 - ``{"requireIPv4PodCIDR":false,"requireIPv6PodCIDR":false}`` 2343 * - :spelling:ignore:`k8s.requireIPv4PodCIDR` 2344 - requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR range via the Kubernetes node resource 2345 - bool 2346 - ``false`` 2347 * - :spelling:ignore:`k8s.requireIPv6PodCIDR` 2348 - requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR range via the Kubernetes node resource 2349 - bool 2350 - ``false`` 2351 * - :spelling:ignore:`k8sClientRateLimit` 2352 - Configure the client side rate limit for the agent and operator If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. 2353 - object 2354 - ``{"burst":null,"qps":null}`` 2355 * - :spelling:ignore:`k8sClientRateLimit.burst` 2356 - The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate. 2357 - int 2358 - 10 for k8s up to 1.26. 20 for k8s version 1.27+ 2359 * - :spelling:ignore:`k8sClientRateLimit.qps` 2360 - The sustained request rate in requests per second. 2361 - int 2362 - 5 for k8s up to 1.26. 10 for k8s version 1.27+ 2363 * - :spelling:ignore:`k8sNetworkPolicy.enabled` 2364 - Enable support for K8s NetworkPolicy 2365 - bool 2366 - ``true`` 2367 * - :spelling:ignore:`k8sServiceHost` 2368 - Kubernetes service host - use "auto" for automatic lookup from the cluster-info ConfigMap (kubeadm-based clusters only) 2369 - string 2370 - ``""`` 2371 * - :spelling:ignore:`k8sServicePort` 2372 - Kubernetes service port 2373 - string 2374 - ``""`` 2375 * - :spelling:ignore:`keepDeprecatedLabels` 2376 - Keep the deprecated selector labels when deploying Cilium DaemonSet. 
2377 - bool 2378 - ``false`` 2379 * - :spelling:ignore:`keepDeprecatedProbes` 2380 - Keep the deprecated probes when deploying Cilium DaemonSet 2381 - bool 2382 - ``false`` 2383 * - :spelling:ignore:`kubeConfigPath` 2384 - Kubernetes config path 2385 - string 2386 - ``"~/.kube/config"`` 2387 * - :spelling:ignore:`kubeProxyReplacementHealthzBindAddr` 2388 - healthz server bind address for the kube-proxy replacement. To enable set the value to '0.0.0.0:10256' for all ipv4 addresses and this '[::]:10256' for all ipv6 addresses. By default it is disabled. 2389 - string 2390 - ``""`` 2391 * - :spelling:ignore:`l2NeighDiscovery.enabled` 2392 - Enable L2 neighbor discovery in the agent 2393 - bool 2394 - ``true`` 2395 * - :spelling:ignore:`l2NeighDiscovery.refreshPeriod` 2396 - Override the agent's default neighbor resolution refresh period. 2397 - string 2398 - ``"30s"`` 2399 * - :spelling:ignore:`l2announcements` 2400 - Configure L2 announcements 2401 - object 2402 - ``{"enabled":false}`` 2403 * - :spelling:ignore:`l2announcements.enabled` 2404 - Enable L2 announcements 2405 - bool 2406 - ``false`` 2407 * - :spelling:ignore:`l2podAnnouncements` 2408 - Configure L2 pod announcements 2409 - object 2410 - ``{"enabled":false,"interface":"eth0"}`` 2411 * - :spelling:ignore:`l2podAnnouncements.enabled` 2412 - Enable L2 pod announcements 2413 - bool 2414 - ``false`` 2415 * - :spelling:ignore:`l2podAnnouncements.interface` 2416 - Interface used for sending Gratuitous ARP pod announcements 2417 - string 2418 - ``"eth0"`` 2419 * - :spelling:ignore:`l7Proxy` 2420 - Enable Layer 7 network policy. 
2421 - bool 2422 - ``true`` 2423 * - :spelling:ignore:`livenessProbe.failureThreshold` 2424 - failure threshold of liveness probe 2425 - int 2426 - ``10`` 2427 * - :spelling:ignore:`livenessProbe.periodSeconds` 2428 - interval between checks of the liveness probe 2429 - int 2430 - ``30`` 2431 * - :spelling:ignore:`loadBalancer` 2432 - Configure service load balancing 2433 - object 2434 - ``{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}`` 2435 * - :spelling:ignore:`loadBalancer.acceleration` 2436 - acceleration is the option to accelerate service handling via XDP Applicable values can be: disabled (do not use XDP), native (XDP BPF program is run directly out of the networking driver's early receive path), or best-effort (use native mode XDP acceleration on devices that support it). 2437 - string 2438 - ``"disabled"`` 2439 * - :spelling:ignore:`loadBalancer.l7` 2440 - L7 LoadBalancer 2441 - object 2442 - ``{"algorithm":"round_robin","backend":"disabled","ports":[]}`` 2443 * - :spelling:ignore:`loadBalancer.l7.algorithm` 2444 - Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random 2445 - string 2446 - ``"round_robin"`` 2447 * - :spelling:ignore:`loadBalancer.l7.backend` 2448 - Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration. Applicable values: - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - disabled: Disable L7 load balancing by way of service annotation. 
2449 - string 2450 - ``"disabled"`` 2451 * - :spelling:ignore:`loadBalancer.l7.ports` 2452 - List of ports from service to be automatically redirected to above backend. Any service exposing one of these ports will be automatically redirected. Fine-grained control can be achieved by using the service annotation. 2453 - list 2454 - ``[]`` 2455 * - :spelling:ignore:`localRedirectPolicy` 2456 - Enable Local Redirect Policy. 2457 - bool 2458 - ``false`` 2459 * - :spelling:ignore:`logSystemLoad` 2460 - Enables periodic logging of system load 2461 - bool 2462 - ``false`` 2463 * - :spelling:ignore:`maglev` 2464 - Configure maglev consistent hashing 2465 - object 2466 - ``{}`` 2467 * - :spelling:ignore:`monitor` 2468 - cilium-monitor sidecar. 2469 - object 2470 - ``{"enabled":false}`` 2471 * - :spelling:ignore:`monitor.enabled` 2472 - Enable the cilium-monitor sidecar. 2473 - bool 2474 - ``false`` 2475 * - :spelling:ignore:`name` 2476 - Agent container name. 2477 - string 2478 - ``"cilium"`` 2479 * - :spelling:ignore:`nat.mapStatsEntries` 2480 - Number of the top-k SNAT map connections to track in Cilium statedb. 2481 - int 2482 - ``32`` 2483 * - :spelling:ignore:`nat.mapStatsInterval` 2484 - Interval between how often SNAT map is counted for stats. 
2485 - string 2486 - ``"30s"`` 2487 * - :spelling:ignore:`nat46x64Gateway` 2488 - Configure standalone NAT46/NAT64 gateway 2489 - object 2490 - ``{"enabled":false}`` 2491 * - :spelling:ignore:`nat46x64Gateway.enabled` 2492 - Enable RFC8215-prefixed translation 2493 - bool 2494 - ``false`` 2495 * - :spelling:ignore:`nodeIPAM.enabled` 2496 - Configure Node IPAM ref: https://docs.cilium.io/en/stable/network/node-ipam/ 2497 - bool 2498 - ``false`` 2499 * - :spelling:ignore:`nodePort` 2500 - Configure N-S k8s service loadbalancing 2501 - object 2502 - ``{"addresses":null,"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enableHealthCheckLoadBalancerIP":false,"enabled":false}`` 2503 * - :spelling:ignore:`nodePort.addresses` 2504 - List of CIDRs for choosing which IP addresses assigned to native devices are used for NodePort load-balancing. By default this is empty and the first suitable, preferably private, IPv4 and IPv6 address assigned to each device is used. Example: addresses: ["192.168.1.0/24", "2001::/64"] 2505 - string 2506 - ``nil`` 2507 * - :spelling:ignore:`nodePort.autoProtectPortRange` 2508 - Append NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected. 2509 - bool 2510 - ``true`` 2511 * - :spelling:ignore:`nodePort.bindProtection` 2512 - Set to true to prevent applications binding to service ports. 2513 - bool 2514 - ``true`` 2515 * - :spelling:ignore:`nodePort.enableHealthCheck` 2516 - Enable healthcheck nodePort server for NodePort services 2517 - bool 2518 - ``true`` 2519 * - :spelling:ignore:`nodePort.enableHealthCheckLoadBalancerIP` 2520 - Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs EnableHealthCheck to be enabled 2521 - bool 2522 - ``false`` 2523 * - :spelling:ignore:`nodePort.enabled` 2524 - Enable the Cilium NodePort service implementation. 2525 - bool 2526 - ``false`` 2527 * - :spelling:ignore:`nodeSelector` 2528 - Node selector for cilium-agent. 
2529 - object 2530 - ``{"kubernetes.io/os":"linux"}`` 2531 * - :spelling:ignore:`nodeSelectorLabels` 2532 - Enable/Disable use of node label based identity 2533 - bool 2534 - ``false`` 2535 * - :spelling:ignore:`nodeinit.affinity` 2536 - Affinity for cilium-nodeinit 2537 - object 2538 - ``{}`` 2539 * - :spelling:ignore:`nodeinit.annotations` 2540 - Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) 2541 - object 2542 - ``{}`` 2543 * - :spelling:ignore:`nodeinit.bootstrapFile` 2544 - bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet 2545 - string 2546 - ``"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"`` 2547 * - :spelling:ignore:`nodeinit.enabled` 2548 - Enable the node initialization DaemonSet 2549 - bool 2550 - ``false`` 2551 * - :spelling:ignore:`nodeinit.extraEnv` 2552 - Additional nodeinit environment variables. 2553 - list 2554 - ``[]`` 2555 * - :spelling:ignore:`nodeinit.extraVolumeMounts` 2556 - Additional nodeinit volumeMounts. 2557 - list 2558 - ``[]`` 2559 * - :spelling:ignore:`nodeinit.extraVolumes` 2560 - Additional nodeinit volumes. 2561 - list 2562 - ``[]`` 2563 * - :spelling:ignore:`nodeinit.image` 2564 - node-init image. 2565 - object 2566 - ``{"digest":"sha256:8d7b41c4ca45860254b3c19e20210462ef89479bb6331d6760c4e609d651b29c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"c54c7edeab7fde4da68e59acd319ab24af242c3f","useDigest":true}`` 2567 * - :spelling:ignore:`nodeinit.nodeSelector` 2568 - Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector 2569 - object 2570 - ``{"kubernetes.io/os":"linux"}`` 2571 * - :spelling:ignore:`nodeinit.podAnnotations` 2572 - Annotations to be added to node-init pods. 2573 - object 2574 - ``{}`` 2575 * - :spelling:ignore:`nodeinit.podLabels` 2576 - Labels to be added to node-init pods. 
     - object
     - ``{}``
   * - :spelling:ignore:`nodeinit.podSecurityContext`
     - Security Context for cilium-node-init pods.
     - object
     - ``{"appArmorProfile":{"type":"Unconfined"}}``
   * - :spelling:ignore:`nodeinit.podSecurityContext.appArmorProfile`
     - AppArmorProfile options for the ``cilium-node-init`` and init containers
     - object
     - ``{"type":"Unconfined"}``
   * - :spelling:ignore:`nodeinit.prestop`
     - prestop offers a way to customize the nodeinit prestop script (pre and post position, via ``preScript`` and ``postScript``)
     - object
     - ``{"postScript":"","preScript":""}``
   * - :spelling:ignore:`nodeinit.priorityClassName`
     - The priority class to use for the nodeinit pod.
     - string
     - ``""``
   * - :spelling:ignore:`nodeinit.resources`
     - nodeinit resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     - object
     - ``{"requests":{"cpu":"100m","memory":"100Mi"}}``
   * - :spelling:ignore:`nodeinit.securityContext`
     - Security context to be added to nodeinit pods.
     - object
     - ``{"capabilities":{"add":["SYS_MODULE","NET_ADMIN","SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]},"privileged":false,"seLinuxOptions":{"level":"s0","type":"spc_t"}}``
   * - :spelling:ignore:`nodeinit.startup`
     - startup offers a way to customize the nodeinit startup script (pre and post position, via ``preScript`` and ``postScript``)
     - object
     - ``{"postScript":"","preScript":""}``
   * - :spelling:ignore:`nodeinit.tolerations`
     - Node tolerations for nodeinit scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[{"operator":"Exists"}]``
   * - :spelling:ignore:`nodeinit.updateStrategy`
     - node-init update strategy
     - object
     - ``{"type":"RollingUpdate"}``
   * - :spelling:ignore:`operator.affinity`
     - Affinity for cilium-operator
     - object
     - ``{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}}``
   * - :spelling:ignore:`operator.annotations`
     - Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator)
     - object
     - ``{}``
   * - :spelling:ignore:`operator.dashboards`
     - Grafana dashboards for cilium-operator. Grafana can import dashboards based on the label and value. ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
     - object
     - ``{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}``
   * - :spelling:ignore:`operator.dnsPolicy`
     - DNS policy for Cilium operator pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
     - string
     - ``""``
   * - :spelling:ignore:`operator.enabled`
     - Enable the cilium-operator component (required).
     - bool
     - ``true``
   * - :spelling:ignore:`operator.endpointGCInterval`
     - Interval for endpoint garbage collection.
     - string
     - ``"5m0s"``
   * - :spelling:ignore:`operator.extraArgs`
     - Additional cilium-operator container arguments.
     - list
     - ``[]``
   * - :spelling:ignore:`operator.extraEnv`
     - Additional cilium-operator environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`operator.extraHostPathMounts`
     - Additional cilium-operator hostPath mounts.
     - list
     - ``[]``
   * - :spelling:ignore:`operator.extraVolumeMounts`
     - Additional cilium-operator volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`operator.extraVolumes`
     - Additional cilium-operator volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`operator.hostNetwork`
     - HostNetwork setting
     - bool
     - ``true``
   * - :spelling:ignore:`operator.identityGCInterval`
     - Interval for identity garbage collection.
     - string
     - ``"15m0s"``
   * - :spelling:ignore:`operator.identityHeartbeatTimeout`
     - Timeout for identity heartbeats.
     - string
     - ``"30m0s"``
   * - :spelling:ignore:`operator.image`
     - cilium-operator image.
     - object
     - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.2","useDigest":false}``
   * - :spelling:ignore:`operator.nodeGCInterval`
     - Interval for cilium node garbage collection.
     - string
     - ``"5m0s"``
   * - :spelling:ignore:`operator.nodeSelector`
     - Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
     - object
     - ``{"kubernetes.io/os":"linux"}``
   * - :spelling:ignore:`operator.podAnnotations`
     - Annotations to be added to cilium-operator pods
     - object
     - ``{}``
   * - :spelling:ignore:`operator.podDisruptionBudget.enabled`
     - Enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
     - bool
     - ``false``
   * - :spelling:ignore:`operator.podDisruptionBudget.maxUnavailable`
     - Maximum number/percentage of pods that may be made unavailable
     - int
     - ``1``
   * - :spelling:ignore:`operator.podDisruptionBudget.minAvailable`
     - Minimum number/percentage of pods that should remain scheduled. When it is set, maxUnavailable must be disabled by ``maxUnavailable: null``
     - string
     - ``nil``
   * - :spelling:ignore:`operator.podLabels`
     - Labels to be added to cilium-operator pods
     - object
     - ``{}``
   * - :spelling:ignore:`operator.podSecurityContext`
     - Security context to be added to cilium-operator pods
     - object
     - ``{}``
   * - :spelling:ignore:`operator.pprof.address`
     - Configure pprof listen address for cilium-operator
     - string
     - ``"localhost"``
   * - :spelling:ignore:`operator.pprof.enabled`
     - Enable pprof for cilium-operator
     - bool
     - ``false``
   * - :spelling:ignore:`operator.pprof.port`
     - Configure pprof listen port for cilium-operator
     - int
     - ``6061``
   * - :spelling:ignore:`operator.priorityClassName`
     - The priority class to use for cilium-operator
     - string
     - ``""``
   * - :spelling:ignore:`operator.prometheus`
     - Enable prometheus metrics for cilium-operator on the configured port at /metrics
     - object
     - ``{"enabled":true,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":null}}``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.annotations`
     - Annotations to add to ServiceMonitor cilium-operator
     - object
     - ``{}``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.enabled`
     - Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
     - bool
     - ``false``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.interval`
     - Interval for scraping metrics.
     - string
     - ``"10s"``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.jobLabel`
     - jobLabel to add for ServiceMonitor cilium-operator
     - string
     - ``""``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.labels`
     - Labels to add to ServiceMonitor cilium-operator
     - object
     - ``{}``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor cilium-operator
     - string
     - ``nil``
   * - :spelling:ignore:`operator.prometheus.serviceMonitor.relabelings`
     - Relabeling configs for the ServiceMonitor cilium-operator
     - string
     - ``nil``
   * - :spelling:ignore:`operator.removeNodeTaints`
     - Remove the Cilium node taint from Kubernetes nodes that have a healthy Cilium pod running.
     - bool
     - ``true``
   * - :spelling:ignore:`operator.replicas`
     - Number of replicas to run for the cilium-operator deployment
     - int
     - ``2``
   * - :spelling:ignore:`operator.resources`
     - cilium-operator resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     - object
     - ``{}``
   * - :spelling:ignore:`operator.rollOutPods`
     - Roll out cilium-operator pods automatically when the configmap is updated.
     - bool
     - ``false``
   * - :spelling:ignore:`operator.securityContext`
     - Security context to be added to cilium-operator pods
     - object
     - ``{}``
   * - :spelling:ignore:`operator.setNodeNetworkStatus`
     - Set Node condition NetworkUnavailable to 'false' with the reason 'CiliumIsUp' for nodes that have a healthy Cilium pod.
     - bool
     - ``true``
   * - :spelling:ignore:`operator.setNodeTaints`
     - Taint nodes where Cilium is scheduled but not running. This prevents pods from being scheduled to nodes where Cilium is not the default CNI provider.
     - string
     - same as removeNodeTaints
   * - :spelling:ignore:`operator.skipCRDCreation`
     - Skip CRD creation for cilium-operator
     - bool
     - ``false``
   * - :spelling:ignore:`operator.tolerations`
     - Node tolerations for cilium-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[{"operator":"Exists"}]``
   * - :spelling:ignore:`operator.topologySpreadConstraints`
     - Pod topology spread constraints for cilium-operator
     - list
     - ``[]``
   * - :spelling:ignore:`operator.unmanagedPodWatcher.intervalSeconds`
     - Interval, in seconds, to check if there are any pods that are not managed by Cilium.
     - int
     - ``15``
   * - :spelling:ignore:`operator.unmanagedPodWatcher.restart`
     - Restart any pods that are not managed by Cilium.
     - bool
     - ``true``
   * - :spelling:ignore:`operator.updateStrategy`
     - cilium-operator update strategy
     - object
     - ``{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"50%"},"type":"RollingUpdate"}``
   * - :spelling:ignore:`pmtuDiscovery.enabled`
     - Enable path MTU discovery to send ICMP fragmentation-needed replies to the client.
     - bool
     - ``false``
   * - :spelling:ignore:`podAnnotations`
     - Annotations to be added to agent pods
     - object
     - ``{}``
   * - :spelling:ignore:`podLabels`
     - Labels to be added to agent pods
     - object
     - ``{}``
   * - :spelling:ignore:`podSecurityContext`
     - Security Context for cilium-agent pods.
     - object
     - ``{"appArmorProfile":{"type":"Unconfined"}}``
   * - :spelling:ignore:`podSecurityContext.appArmorProfile`
     - AppArmorProfile options for the ``cilium-agent`` and init containers
     - object
     - ``{"type":"Unconfined"}``
   * - :spelling:ignore:`policyCIDRMatchMode`
     - policyCIDRMatchMode is a list of entities that may be selected by a CIDR selector. The only possible value is "nodes".
     - string
     - ``nil``
   * - :spelling:ignore:`policyEnforcementMode`
     - The agent can be put into one of three policy enforcement modes: default, always and never.
       ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes
     - string
     - ``"default"``
   * - :spelling:ignore:`pprof.address`
     - Configure pprof listen address for cilium-agent
     - string
     - ``"localhost"``
   * - :spelling:ignore:`pprof.enabled`
     - Enable pprof for cilium-agent
     - bool
     - ``false``
   * - :spelling:ignore:`pprof.port`
     - Configure pprof listen port for cilium-agent
     - int
     - ``6060``
   * - :spelling:ignore:`preflight.affinity`
     - Affinity for cilium-preflight
     - object
     - ``{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}``
   * - :spelling:ignore:`preflight.annotations`
     - Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight)
     - object
     - ``{}``
   * - :spelling:ignore:`preflight.enabled`
     - Enable Cilium pre-flight resources (required for upgrade)
     - bool
     - ``false``
   * - :spelling:ignore:`preflight.extraEnv`
     - Additional preflight environment variables.
     - list
     - ``[]``
   * - :spelling:ignore:`preflight.extraVolumeMounts`
     - Additional preflight volumeMounts.
     - list
     - ``[]``
   * - :spelling:ignore:`preflight.extraVolumes`
     - Additional preflight volumes.
     - list
     - ``[]``
   * - :spelling:ignore:`preflight.image`
     - Cilium pre-flight image.
     - object
     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":false}``
   * - :spelling:ignore:`preflight.nodeSelector`
     - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
     - object
     - ``{"kubernetes.io/os":"linux"}``
   * - :spelling:ignore:`preflight.podAnnotations`
     - Annotations to be added to preflight pods
     - object
     - ``{}``
   * - :spelling:ignore:`preflight.podDisruptionBudget.enabled`
     - Enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
     - bool
     - ``false``
   * - :spelling:ignore:`preflight.podDisruptionBudget.maxUnavailable`
     - Maximum number/percentage of pods that may be made unavailable
     - int
     - ``1``
   * - :spelling:ignore:`preflight.podDisruptionBudget.minAvailable`
     - Minimum number/percentage of pods that should remain scheduled. When it is set, maxUnavailable must be disabled by ``maxUnavailable: null``
     - string
     - ``nil``
   * - :spelling:ignore:`preflight.podLabels`
     - Labels to be added to the preflight pod.
     - object
     - ``{}``
   * - :spelling:ignore:`preflight.podSecurityContext`
     - Security context to be added to preflight pods.
     - object
     - ``{}``
   * - :spelling:ignore:`preflight.priorityClassName`
     - The priority class to use for the preflight pod.
     - string
     - ``""``
   * - :spelling:ignore:`preflight.readinessProbe.initialDelaySeconds`
     - How long the kubelet should wait before performing the first probe
     - int
     - ``5``
   * - :spelling:ignore:`preflight.readinessProbe.periodSeconds`
     - Interval between checks of the readiness probe
     - int
     - ``5``
   * - :spelling:ignore:`preflight.resources`
     - preflight resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     - object
     - ``{}``
   * - :spelling:ignore:`preflight.securityContext`
     - Security context to be added to preflight pods
     - object
     - ``{}``
   * - :spelling:ignore:`preflight.terminationGracePeriodSeconds`
     - Configure termination grace period for preflight Deployment and DaemonSet.
     - int
     - ``1``
   * - :spelling:ignore:`preflight.tofqdnsPreCache`
     - Path to write the ``--tofqdns-pre-cache`` file to.
     - string
     - ``""``
   * - :spelling:ignore:`preflight.tolerations`
     - Node tolerations for preflight scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[{"operator":"Exists"}]``
   * - :spelling:ignore:`preflight.updateStrategy`
     - preflight update strategy
     - object
     - ``{"type":"RollingUpdate"}``
   * - :spelling:ignore:`preflight.validateCNPs`
     - By default, always validate the installed CNPs before upgrading Cilium. This makes sure the policies deployed in the cluster have the right schema.
     - bool
     - ``true``
   * - :spelling:ignore:`priorityClassName`
     - The priority class to use for cilium-agent.
     - string
     - ``""``
   * - :spelling:ignore:`prometheus`
     - Configure prometheus metrics on the configured port at /metrics
     - object
     - ``{"controllerGroupMetrics":["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"],"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"trustCRDsExist":false}}``
   * - :spelling:ignore:`prometheus.controllerGroupMetrics`
     - Enable controller group metrics for monitoring specific Cilium subsystems. The value is a list of controller group names. The special values "all" and "none" are supported. The set of controller group names is not guaranteed to be stable between Cilium versions.
     - list
     - ``["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"]``
   * - :spelling:ignore:`prometheus.metrics`
     - Metrics that should be enabled or disabled from the default metric list. The list is expected to be separated by a space (``+metric_foo`` to enable metric_foo, ``-metric_bar`` to disable metric_bar). ref: https://docs.cilium.io/en/stable/observability/metrics/
     - string
     - ``nil``
   * - :spelling:ignore:`prometheus.serviceMonitor.annotations`
     - Annotations to add to ServiceMonitor cilium-agent
     - object
     - ``{}``
   * - :spelling:ignore:`prometheus.serviceMonitor.enabled`
     - Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
     - bool
     - ``false``
   * - :spelling:ignore:`prometheus.serviceMonitor.interval`
     - Interval for scraping metrics.
     - string
     - ``"10s"``
   * - :spelling:ignore:`prometheus.serviceMonitor.jobLabel`
     - jobLabel to add for ServiceMonitor cilium-agent
     - string
     - ``""``
   * - :spelling:ignore:`prometheus.serviceMonitor.labels`
     - Labels to add to ServiceMonitor cilium-agent
     - object
     - ``{}``
   * - :spelling:ignore:`prometheus.serviceMonitor.metricRelabelings`
     - Metrics relabeling configs for the ServiceMonitor cilium-agent
     - string
     - ``nil``
   * - :spelling:ignore:`prometheus.serviceMonitor.relabelings`
     - Relabeling configs for the ServiceMonitor cilium-agent
     - list
     - ``[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]``
   * - :spelling:ignore:`prometheus.serviceMonitor.trustCRDsExist`
     - Set to ``true`` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying
     - bool
     - ``false``
   * - :spelling:ignore:`rbac.create`
     - Enable creation of Role-Based Access Control (RBAC) configuration.
     - bool
     - ``true``
   * - :spelling:ignore:`readinessProbe.failureThreshold`
     - Failure threshold of the readiness probe
     - int
     - ``3``
   * - :spelling:ignore:`readinessProbe.periodSeconds`
     - Interval between checks of the readiness probe
     - int
     - ``30``
   * - :spelling:ignore:`resourceQuotas`
     - Enable resource quotas for priority classes used in the cluster.
     - object
     - ``{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}``
   * - :spelling:ignore:`resources`
     - Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     - object
     - ``{}``
   * - :spelling:ignore:`rollOutCiliumPods`
     - Roll out cilium agent pods automatically when the configmap is updated.
     - bool
     - ``false``
   * - :spelling:ignore:`routingMode`
     - Enable native-routing mode or tunneling mode. Possible values:

       - ``""``
       - native
       - tunnel
     - string
     - ``"tunnel"``
   * - :spelling:ignore:`sctp`
     - SCTP Configuration Values
     - object
     - ``{"enabled":false}``
   * - :spelling:ignore:`sctp.enabled`
     - Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming.
     - bool
     - ``false``
   * - :spelling:ignore:`securityContext.capabilities.applySysctlOverwrites`
     - Capabilities for the ``apply-sysctl-overwrites`` init container
     - list
     - ``["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]``
   * - :spelling:ignore:`securityContext.capabilities.ciliumAgent`
     - Capabilities for the ``cilium-agent`` container
     - list
     - ``["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID"]``
   * - :spelling:ignore:`securityContext.capabilities.cleanCiliumState`
     - Capabilities for the ``clean-cilium-state`` init container
     - list
     - ``["NET_ADMIN","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE"]``
   * - :spelling:ignore:`securityContext.capabilities.mountCgroup`
     - Capabilities for the ``mount-cgroup`` init container
     - list
     - ``["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]``
   * - :spelling:ignore:`securityContext.privileged`
     - Run the pod with elevated privileges
     - bool
     - ``false``
   * - :spelling:ignore:`securityContext.seLinuxOptions`
     - SELinux options for the ``cilium-agent`` and init containers
     - object
     - ``{"level":"s0","type":"spc_t"}``
   * - :spelling:ignore:`serviceAccounts`
     - Define serviceAccount names for components.
     - object
     - Component's fully qualified name.
   * - :spelling:ignore:`serviceAccounts.clustermeshcertgen`
     - Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob
     - object
     - ``{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}``
   * - :spelling:ignore:`serviceAccounts.hubblecertgen`
     - Hubblecertgen is used if hubble.tls.auto.method=cronJob
     - object
     - ``{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}``
   * - :spelling:ignore:`serviceAccounts.nodeinit.enabled`
     - Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured if enabled is set to true; otherwise they are ignored. Enabled can be removed once the issue is fixed. The cilium-nodeinit DaemonSet must also be fixed.
     - bool
     - ``false``
   * - :spelling:ignore:`serviceNoBackendResponse`
     - Configure what the response should be to traffic for a service without backends. "reject" only works on kernels >= 5.10; on lower kernels Cilium falls back to "drop". Possible values:

       - reject (default)
       - drop
     - string
     - ``"reject"``
   * - :spelling:ignore:`sleepAfterInit`
     - Do not run the Cilium agent when running in clean mode. Useful to completely uninstall Cilium, as it stops Cilium from starting and creating artifacts on the node.
     - bool
     - ``false``
   * - :spelling:ignore:`socketLB`
     - Configure socket LB
     - object
     - ``{"enabled":false}``
   * - :spelling:ignore:`socketLB.enabled`
     - Enable socket LB
     - bool
     - ``false``
   * - :spelling:ignore:`startupProbe.failureThreshold`
     - Failure threshold of the startup probe.
       105 x 2s = 210s, which matches the old behaviour of the readiness probe (120s delay + 30 x 3s).
     - int
     - ``105``
   * - :spelling:ignore:`startupProbe.periodSeconds`
     - Interval between checks of the startup probe
     - int
     - ``2``
   * - :spelling:ignore:`svcSourceRangeCheck`
     - Enable check of service source ranges (currently, only for LoadBalancer).
     - bool
     - ``true``
   * - :spelling:ignore:`synchronizeK8sNodes`
     - Synchronize Kubernetes nodes to kvstore and perform CNP GC.
     - bool
     - ``true``
   * - :spelling:ignore:`sysctlfix`
     - Configure sysctl override described in #20072.
     - object
     - ``{"enabled":true}``
   * - :spelling:ignore:`sysctlfix.enabled`
     - Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the ``sysctlfix`` utility can execute.
     - bool
     - ``true``
   * - :spelling:ignore:`terminationGracePeriodSeconds`
     - Configure termination grace period for cilium-agent DaemonSet.
     - int
     - ``1``
   * - :spelling:ignore:`tls`
     - Configure TLS configuration in the agent.
     - object
     - ``{"ca":{"cert":"","certValidityDuration":1095,"key":""},"caBundle":{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false},"secretsBackend":"local"}``
   * - :spelling:ignore:`tls.ca`
     - Base64 encoded PEM values for the CA certificate and private key. This can be used as a common CA to generate certificates used by hubble and clustermesh components. It is neither required nor used when cert-manager is used to generate the certificates.
     - object
     - ``{"cert":"","certValidityDuration":1095,"key":""}``
   * - :spelling:ignore:`tls.ca.cert`
     - Optional CA cert. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated.
     - string
     - ``""``
   * - :spelling:ignore:`tls.ca.certValidityDuration`
     - Generated certificates' validity duration in days. This is used for the auto-generated CA.
     - int
     - ``1095``
   * - :spelling:ignore:`tls.ca.key`
     - Optional CA private key. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated.
     - string
     - ``""``
   * - :spelling:ignore:`tls.caBundle`
     - Configure the CA trust bundle used for the validation of the certificates leveraged by hubble and clustermesh. When enabled, it overrides the content of the 'ca.crt' field of the respective certificates, allowing for CA rotation with no downtime.
     - object
     - ``{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false}``
   * - :spelling:ignore:`tls.caBundle.enabled`
     - Enable the use of the CA trust bundle.
     - bool
     - ``false``
   * - :spelling:ignore:`tls.caBundle.key`
     - Entry of the ConfigMap containing the CA trust bundle.
     - string
     - ``"ca.crt"``
   * - :spelling:ignore:`tls.caBundle.name`
     - Name of the ConfigMap containing the CA trust bundle.
     - string
     - ``"cilium-root-ca.crt"``
   * - :spelling:ignore:`tls.caBundle.useSecret`
     - Use a Secret instead of a ConfigMap.
     - bool
     - ``false``
   * - :spelling:ignore:`tls.secretsBackend`
     - This configures how the Cilium agent loads the secrets used by TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). Possible values:

       - local
       - k8s
     - string
     - ``"local"``
   * - :spelling:ignore:`tolerations`
     - Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
     - list
     - ``[{"operator":"Exists"}]``
   * - :spelling:ignore:`tunnelPort`
     - Configure VXLAN and Geneve tunnel port.
     - int
     - Port 8472 for VXLAN, Port 6081 for Geneve
   * - :spelling:ignore:`tunnelProtocol`
     - Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values:

       - ``""``
       - vxlan
       - geneve
     - string
     - ``"vxlan"``
   * - :spelling:ignore:`updateStrategy`
     - Cilium agent update strategy
     - object
     - ``{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}``
   * - :spelling:ignore:`upgradeCompatibility`
     - upgradeCompatibility helps users upgrading to ensure that the configMap for Cilium will not change critical values, to ensure continued operation. This flag is not required for new installations. For example: '1.7', '1.8', '1.9'
     - string
     - ``nil``
   * - :spelling:ignore:`vtep.cidr`
     - A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
     - string
     - ``""``
   * - :spelling:ignore:`vtep.enabled`
     - Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow Cilium-managed pods to talk to third party VTEP devices over the Cilium tunnel.
     - bool
     - ``false``
   * - :spelling:ignore:`vtep.endpoint`
     - A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
     - string
     - ``""``
   * - :spelling:ignore:`vtep.mac`
     - A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y"
     - string
     - ``""``
   * - :spelling:ignore:`vtep.mask`
     - VTEP CIDRs mask that applies to all VTEP CIDRs, for example "255.255.255.0"
     - string
     - ``""``
   * - :spelling:ignore:`waitForKubeProxy`
     - Wait for the KUBE-PROXY-CANARY iptables rule to appear in the "wait-for-kube-proxy" init container before launching cilium-agent. More context can be found in the commit message of the PR https://github.com/cilium/cilium/pull/20123
     - bool
     - ``false``
   * - :spelling:ignore:`wellKnownIdentities.enabled`
     - Enable the use of well-known identities.
     - bool
     - ``false``
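
The ``nodePort.addresses`` row above describes how Cilium picks the NodePort address per device: with a CIDR list, only addresses inside one of the CIDRs qualify; without one, the first suitable address of each family is used, preferring private addresses. The following is an added illustration of that selection rule, not Cilium's own code. The exact definition of "suitable" that the agent applies is not stated on this page; the version here (exclude loopback, link-local, multicast and unspecified addresses) and the sample device addresses are assumptions made for the example.

```python
import ipaddress

# Constructed sample: addresses as they might be assigned to two native devices.
SAMPLE_DEVICES = {
    "eth0": ["127.0.0.1", "93.184.216.34", "10.0.1.5", "fe80::1", "2a01:4f8::10"],
    "eth1": ["192.168.1.20", "fd00::20"],
}


def is_suitable(ip):
    """Assumed suitability test: skip addresses that can never serve NodePort traffic."""
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def pick_nodeport_addresses(device_addrs, cidrs=None):
    """Return {device: {"ipv4": addr|None, "ipv6": addr|None}} following the
    documented rule: CIDR filter when `cidrs` is set (the nodePort.addresses
    value), otherwise first suitable address per family with private ones first."""
    nets = [ipaddress.ip_network(c, strict=False) for c in (cidrs or [])]
    result = {}
    for dev, addrs in device_addrs.items():
        ips = [ip for ip in map(ipaddress.ip_address, addrs) if is_suitable(ip)]
        chosen = {}
        for family, label in ((4, "ipv4"), (6, "ipv6")):
            fam_ips = [ip for ip in ips if ip.version == family]
            if nets:
                # Explicit list: first address (in device order) inside any CIDR of this family.
                fam_nets = [n for n in nets if n.version == family]
                candidates = [ip for ip in fam_ips if any(ip in n for n in fam_nets)]
            else:
                # Default: stable sort keeps device order but moves private addresses first.
                candidates = sorted(fam_ips, key=lambda ip: not ip.is_private)
            chosen[label] = str(candidates[0]) if candidates else None
        result[dev] = chosen
    return result


if __name__ == "__main__":
    print("default:", pick_nodeport_addresses(SAMPLE_DEVICES))
    print("filtered:", pick_nodeport_addresses(SAMPLE_DEVICES, ["192.168.1.0/24", "2a01:4f8::/32"]))
```

Running it on the constructed sample shows the two behaviours side by side: with no CIDRs, ``eth0`` gets ``10.0.1.5`` rather than the public ``93.184.216.34`` because private addresses are preferred, and the link-local ``fe80::1`` is never chosen; with ``["192.168.1.0/24", "2a01:4f8::/32"]``, ``eth0`` gets no IPv4 NodePort address at all, which is the point of the setting when a node has interfaces you do not want exposed.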
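
The ``prometheus.metrics`` row above defines a small override language: a space-separated list of ``+name`` and ``-name`` tokens applied to the default metric list. Below is an added parser for that format, written for this page rather than taken from Cilium. The baseline metric names are a constructed stand-in for the real default list (which lives in the metrics documentation linked in the row); the ``validate_metric_overrides`` helper is an assumed convenience for checking a values file before ``helm upgrade``.

```python
# Constructed baseline; the real default list is in the Cilium metrics docs.
BASELINE_METRICS = frozenset({
    "cilium_drop_count_total",
    "cilium_forward_count_total",
    "cilium_policy_verdict_total",
})


def apply_metric_overrides(spec, baseline=BASELINE_METRICS):
    """Apply a prometheus.metrics override string to a baseline set.

    `spec` is the Helm value: None (the chart default `nil`) leaves the
    baseline untouched; otherwise each whitespace-separated token must be
    '+name' (enable) or '-name' (disable). Tokens apply in order, so a later
    token overrides an earlier one for the same metric.
    """
    enabled = set(baseline)
    if spec is None:
        return enabled
    for token in spec.split():
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError(f"bad prometheus.metrics token {token!r}: expected +name or -name")
        name = token[1:]
        if token[0] == "+":
            enabled.add(name)
        else:
            enabled.discard(name)   # disabling a metric that is not enabled is a no-op
    return enabled


def validate_metric_overrides(spec):
    """Return None when `spec` parses, else the error message (for pre-deploy checks)."""
    try:
        apply_metric_overrides(spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(sorted(apply_metric_overrides("+cilium_bpf_map_ops_total -cilium_forward_count_total")))
    print(validate_metric_overrides("cilium_forward_count_total"))
```

The validation step matters because the agent reads this string from the ConfigMap: a token without a sign is not a harmless typo, it is a setting that silently does not do what the author intended, so catch it before the rollout rather than after the metric you wanted disabled is still being scraped.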
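
The ``securityContext.capabilities.*`` and ``securityContext.privileged`` rows above, together with ``pprof.address`` and ``operator.pprof.address``, are the agent's privilege and debug-exposure surface. As an added example, not part of the chart or the Cilium docs, the script below audits a Helm values override against the v1.16.2 defaults copied from the table: it flags ``privileged: true``, any capability added beyond the chart default for each container, and pprof enabled on a non-loopback address. The ``values`` argument is the nested dict that ``yaml.safe_load`` would return for a ``values.yaml``; the two sample overrides are constructed. Note that Helm replaces a list value wholesale, so an overridden capability list is the complete list, not a delta.

```python
# Chart defaults for v1.16.2, copied from the securityContext.capabilities.* rows above.
CHART_DEFAULT_CAPS = {
    "ciliumAgent": ["CHOWN", "KILL", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "SYS_MODULE",
                    "SYS_ADMIN", "SYS_RESOURCE", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID"],
    "applySysctlOverwrites": ["SYS_ADMIN", "SYS_CHROOT", "SYS_PTRACE"],
    "cleanCiliumState": ["NET_ADMIN", "SYS_MODULE", "SYS_ADMIN", "SYS_RESOURCE"],
    "mountCgroup": ["SYS_ADMIN", "SYS_CHROOT", "SYS_PTRACE"],
}
LOOPBACK_ADDRESSES = {"localhost", "127.0.0.1", "::1"}


def get_path(values, dotted, default=None):
    """Walk a dotted Helm key such as 'operator.pprof.address' through nested dicts."""
    cur = values
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def audit_values(values):
    """Return a list of findings (strings); an empty list means nothing to flag."""
    findings = []
    if get_path(values, "securityContext.privileged") is True:
        findings.append("securityContext.privileged=true: chart default is false; grant "
                        "privileges through the per-container capability lists instead")
    caps = get_path(values, "securityContext.capabilities", {}) or {}
    for container, default_caps in CHART_DEFAULT_CAPS.items():
        configured = caps.get(container)
        if configured is None:
            continue  # not overridden: Helm keeps the chart default
        extra = sorted(set(configured) - set(default_caps))
        if extra:
            findings.append(f"securityContext.capabilities.{container}: adds {extra} "
                            f"beyond the chart default")
    for prefix in ("pprof", "operator.pprof"):
        if get_path(values, f"{prefix}.enabled") is True:
            addr = get_path(values, f"{prefix}.address", "localhost")
            if addr not in LOOPBACK_ADDRESSES:
                findings.append(f"{prefix}.address={addr!r}: pprof enabled on a non-loopback "
                                f"address exposes the Go profiler off-host")
    return findings


# Constructed sample overrides (what yaml.safe_load would return for a values.yaml).
SAMPLE_RISKY = {
    "securityContext": {
        "privileged": True,
        "capabilities": {"ciliumAgent": CHART_DEFAULT_CAPS["ciliumAgent"] + ["SYS_PTRACE", "SYS_BOOT"]},
    },
    "pprof": {"enabled": True, "address": "0.0.0.0"},
    "operator": {"pprof": {"enabled": True}},  # address left at the chart default
}
SAMPLE_OK = {
    # Dropping a capability is a tightening, not a finding.
    "securityContext": {"capabilities": {"ciliumAgent": [c for c in CHART_DEFAULT_CAPS["ciliumAgent"]
                                                          if c != "SYS_MODULE"]}},
    "pprof": {"enabled": True},
}

if __name__ == "__main__":
    for name, v in (("risky", SAMPLE_RISKY), ("ok", SAMPLE_OK)):
        print(name, audit_values(v))
```

Run it against the values file you pass to ``helm upgrade``, not against the rendered manifests: the point is to catch an override before it reaches the cluster, and ``get_path`` mirrors the dotted keys in this table so each finding can be traced back to a row. Whether removing ``SYS_MODULE`` (as the "ok" sample does) is safe depends on whether the required kernel modules are already loaded on the nodes; this page does not say, so the script treats removals as informational only.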