.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

******************
Command Cheatsheet
******************

Cilium is controlled via an easy command-line interface. This CLI is a single
application that takes subcommands that you can find in the command reference
guide.

::

    $ cilium
    CLI for interacting with the local Cilium Agent

    Usage:
      cilium [command]

    Available Commands:
      bpf                      Direct access to local BPF maps
      cleanup                  Reset the agent state
      completion               Output shell completion code for bash
      config                   Cilium configuration options
      debuginfo                Request available debugging information from agent
      endpoint                 Manage endpoints
      identity                 Manage security identities
      kvstore                  Direct access to the kvstore
      monitor                  Monitoring
      policy                   Manage security policies
      prefilter                Manage XDP CIDR filters
      service                  Manage services & loadbalancers
      status                   Display status of daemon
      version                  Print version information

    Flags:
          --config string   config file (default is $HOME/.cilium.yaml)
      -D, --debug           Enable debug messages
      -H, --host string     URI to server-side API

    Use "cilium [command] --help" for more information about a command.

All commands and subcommands have the option ``-h`` that will provide information
about the options and arguments that the subcommand has. In case of any error in
the command, Cilium CLI will return a non-zero status.

Command utilities:
==================

JSON Output
-----------

All the list commands will return a pretty printed list with the information
retrieved from Cilium Daemon.
If you need more detail, use JSON output by passing the global option
``-o json``:

::

    $ cilium endpoint list -o json

Cilium also provides `JSONPath
<http://goessner.net/articles/JsonPath/>`_ support, so detailed information can
be extracted. The JSONPath template reference can be found in the `Kubernetes
documentation <https://kubernetes.io/docs/reference/kubectl/jsonpath/>`_.

::

    $ cilium endpoint list -o jsonpath='{[*].id}'
    29898 38939 56326
    $ cilium endpoint list -o jsonpath='{range [*]}{@.id}{"="}{@.status.policy.spec.policy-enabled}{"\n"}{end}'
    29898=none
    38939=none
    56326=none


Shell Tab-completion
--------------------

If you use bash or zsh, Cilium CLI can provide tab completion for subcommands.
To install tab completion, run the following command in your terminal.

::

    $ source <(cilium completion)

To have Cilium completion always loaded, install it with the following:

::

    $ echo "source <(cilium completion)" >> ~/.bashrc


Command examples:
=================

Basics
------

Check the status of the agent
::

    $ cilium status
    KVStore:                Ok   Consul: 172.17.0.3:8300
    ContainerRuntime:       Ok
    Kubernetes:             Disabled
    Cilium:                 Ok   OK
    NodeMonitor:            Listening for events on 2 CPUs with 64x4096 of shared memory
    Cilium health daemon:   Ok
    Controller Status:      6/6 healthy
    Proxy Status:           OK, ip 10.15.28.238, port-range 10000-20000
    Cluster health:   1/1 reachable   (2018-04-11T07:33:09Z)
    $

Get a detailed status of the agent:
::

    $ cilium status --all-controllers --all-health --all-redirects
    KVStore:                Ok   Consul: 172.17.0.3:8300
    ContainerRuntime:       Ok
    Kubernetes:             Disabled
    Cilium:                 Ok   OK
    NodeMonitor:            Listening for events on 2 CPUs with 64x4096 of shared memory
    Cilium health daemon:   Ok
    Controller Status:      6/6 healthy
      Name                                 Last success   Last error   Count   Message
      kvstore-lease-keepalive              2m52s ago      never        0       no error
      ipcache-bpf-garbage-collection       2m50s ago      never        0       no error
      resolve-identity-29898               2m50s ago      never        0       no error
      sync-identity-to-k8s-pod (29898)     50s ago        never        0       no error
      sync-IPv4-identity-mapping (29898)   2m49s ago      never        0       no error
      sync-IPv6-identity-mapping (29898)   2m49s ago      never        0       no error
    Proxy Status:           OK, ip 10.15.28.238, port-range 10000-20000
    Cluster health:   1/1 reachable   (2018-04-11T07:32:09Z)
      Name                  IP          Reachable   Endpoints reachable
      runtime (localhost)   10.0.2.15   true        false
    $

Get the current agent configuration
::

    cilium config

Policy management
-----------------


Importing a Cilium Network Policy
::

    cilium policy import my-policy.json


Get list of all imported policy rules
::

    cilium policy get

Remove all policies
::

    cilium policy delete --all


Tracing
~~~~~~~


Check policy enforcement between two labels on port 80:
::

    cilium policy trace -s <app.from> -d <app.to> --dport 80


Check policy enforcement between two identities
::

    cilium policy trace --src-identity <from-id> --dst-identity <to-id>

Check policy enforcement between two pods:
::

    cilium policy trace --src-k8s-pod <namespace>:<pod.from> --dst-k8s-pod <namespace>:<pod.to>


Monitoring
~~~~~~~~~~~


Monitor cilium datapath notifications
::

    cilium monitor


Verbose output (including debug if enabled)
::

    cilium monitor -v


Filter for only the events related to endpoint
::

    cilium monitor --related-to=<id>


Filter for only events on layer 7
::

    cilium monitor -t L7


Show notifications only for dropped packet events
::

    cilium monitor --type drop


Don't dissect packet payload, display payload in hex information
::

    cilium monitor -v --hex



Connectivity
------------

Check cluster connectivity
::

    cilium-health status

There is also a `blog post
<https://cilium.io/blog/2018/2/6/cilium-troubleshooting-cluster-health-monitor>`_
related to this tool.

Endpoints
---------

Get list of all local endpoints
::

    cilium endpoint list

Get detailed view of endpoint properties and state
::

    cilium endpoint get <id>

Show recent endpoint specific log entries
::

    cilium endpoint log <id>

Enable debugging output on the cilium monitor for this endpoint
::

    cilium endpoint config <id> Debug=true


Loadbalancing
-------------

Get list of loadbalancer services
::

    cilium service list


Or you can get the loadbalancer information using bpf list
::

    cilium bpf lb list


Add a new loadbalancer
::

    cilium service update --frontend 127.0.0.1:80 \
        --backends 127.0.0.2:90,127.0.0.3:90 \
        --id 20 \
        --rev 2

BPF
---

List node tunneling mapping information
::

    cilium bpf tunnel list

Checking logs for verifier issue
::

    journalctl -u cilium | grep -B20 -A10 Verifier

List connection tracking entries:
::

    sudo cilium bpf ct list global

Flush connection tracking entries:
::

    sudo cilium bpf ct flush

List proxy configuration:
::

    sudo cilium bpf proxy list


Kubernetes examples:
=====================

If you are running Cilium on top of Kubernetes, you may also want a way to list
all Cilium endpoints or policies with a single kubectl command.
Cilium provides all
this information to the user by using `Kubernetes Resource Definitions
<https://kubernetes.io/docs/concepts/api-extension/custom-resources/>`_:

Policies
---------

In Kubernetes you can use two kinds of policies, Kubernetes Network Policies or
Cilium Network Policies. Both can be retrieved with the ``kubectl`` command:

.. code-block:: bash
    :name: Kubernetes Network Policies
    :caption: Kubernetes Network Policies

    kubectl get netpol

.. code-block:: bash
    :name: Kubernetes Cilium Policies
    :caption: Kubernetes Cilium Policies

    $ kubectl get cnp
    NAME      AGE
    rule1     3m
    $ kubectl get cnp rule1
    NAME      AGE
    rule1     3m
    $ kubectl get cnp rule1 -o json


Endpoints
----------

To retrieve a list of all endpoints managed by Cilium, the ``Cilium Endpoint``
resource can be used.

::

    $ kubectl get cep
    NAME                AGE
    34e299f0-b25c2fef   41s
    34e299f0-dd86986c   42s
    4d088f48-83e4f98d   2m
    4d088f48-d04ab55f   2m
    5c6211b5-9217a4d1   1m
    5c6211b5-dccc3d24   1m
    700e0976-6cb50b02   3m
    700e0976-afd3a30c   3m
    78092a35-4874ed16   1m
    78092a35-4b08b92b   1m
    9b74f61f-14571299   7s
    9b74f61f-f9a96f4a   7s

    $ kubectl get cep 700e0976-6cb50b02 -o json

    $ kubectl get cep -o jsonpath='{range .items[*]}{@.status.id}{"="}{@.status.status.policy.spec.policy-enabled}{"\n"}{end}'
    30391=ingress
    5766=ingress
    51796=none
    40355=none


Microscope
----------

Cilium also provides an option to monitor all connections from all Kubernetes
nodes. `Microscope <https://github.com/cilium/microscope>`_ is a distributed
monitor that connects to all Cilium instances and retrieves monitor information
from there.

Cilium also provides the ability to monitor all Cilium-managed connections in
the Kubernetes cluster via `Microscope <https://github.com/cilium/microscope>`_.
It is a distributed monitor that connects to all Cilium instances and retrieves
monitor information from each node.

Microscope can be installed and run as a pod. The basic usage is the following:
::

    $ kubectl apply -f https://raw.githubusercontent.com/cilium/microscope/1.1.0/docs/microscope.yaml
    $ kubectl exec -n kube-system microscope -- microscope -h


More information about Cilium Microscope options can be found on the project
homepage: `cilium/microscope <https://github.com/cilium/microscope>`_
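
The JSONPath queries under *JSON Output* and *Endpoints* print one ``<id>=<mode>`` line per endpoint. As an added example (not part of the Cilium documentation), the script below turns that output into a pass/fail audit that lists endpoints whose ``policy-enabled`` mode is ``none``; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Cilium docs. Function names are hypothetical.
# Input: "<id>=<mode>" lines as printed by the JSONPath queries on this page.

# Constructed sample, shaped like the "kubectl get cep -o jsonpath" output.
SAMPLE_OUTPUT='30391=ingress
5766=ingress
51796=none
40355=none'

# Print the IDs of endpoints whose policy-enabled mode is "none".
# Unparseable lines go to stderr and make the function fail, so a change
# in output format cannot silently pass the audit.
unenforced_endpoints() {
    awk -F= '
        /^[ \t]*$/ { next }
        NF != 2 || $1 !~ /^[0-9]+$/ || $2 == "" {
            print "unparseable line: " $0 > "/dev/stderr"
            bad = 1
            next
        }
        $2 == "none" { print $1 }
        END { exit bad + 0 }
    '
}

# Count endpoints per enforcement mode, e.g. "ingress=2 none=2".
enforcement_summary() {
    awk -F= 'NF == 2 { n[$2]++ } END { for (m in n) print m "=" n[m] }' |
        sort | paste -sd ' ' -
}

# Return 0 if every endpoint enforces policy, 1 if any is "none",
# 2 if the input could not be parsed.
audit() {
    ids=$(unenforced_endpoints) || return 2
    [ -z "$ids" ] && return 0
    echo "endpoints without policy enforcement:" $ids
    return 1
}

# Usage on a node running the agent (query taken from this page):
#   cilium endpoint list -o jsonpath='{range [*]}{@.id}{"="}{@.status.policy.spec.policy-enabled}{"\n"}{end}' | audit
```

The non-zero exit codes make the audit usable from cron or a CI job, where status 2 distinguishes a parsing problem from a real finding.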