github.com/zhyoulun/cilium@v1.6.12/pkg/option/config.go (about) 1 // Copyright 2016-2019 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package option 16 17 import ( 18 "bytes" 19 "fmt" 20 "io/ioutil" 21 "net" 22 "os" 23 "path/filepath" 24 "runtime" 25 "sort" 26 "strconv" 27 "strings" 28 "time" 29 30 "github.com/cilium/cilium/api/v1/models" 31 "github.com/cilium/cilium/common" 32 "github.com/cilium/cilium/pkg/cidr" 33 "github.com/cilium/cilium/pkg/defaults" 34 "github.com/cilium/cilium/pkg/ip" 35 "github.com/cilium/cilium/pkg/lock" 36 "github.com/cilium/cilium/pkg/logging" 37 "github.com/cilium/cilium/pkg/logging/logfields" 38 "github.com/cilium/cilium/pkg/metrics" 39 40 "github.com/prometheus/client_golang/prometheus" 41 "github.com/sirupsen/logrus" 42 "github.com/spf13/viper" 43 ) 44 45 var ( 46 log = logging.DefaultLogger.WithField(logfields.LogSubsys, "config") 47 ) 48 49 const ( 50 // AccessLog is the path to access log of supported L7 requests observed 51 AccessLog = "access-log" 52 53 // AgentLabels are additional labels to identify this agent 54 AgentLabels = "agent-labels" 55 56 // AllowLocalhost is the policy when to allow local stack to reach local endpoints { auto | always | policy } 57 AllowLocalhost = "allow-localhost" 58 59 // AllowLocalhostAuto defaults to policy except when running in 60 // Kubernetes where it then defaults to "always" 61 AllowLocalhostAuto = "auto" 62 63 // AllowLocalhostAlways always allows the local stack to reach local 64 // endpoints 65 AllowLocalhostAlways = "always" 66 67 // AllowLocalhostPolicy requires a policy rule to allow the local stack 68 // to reach particular endpoints or policy enforcement must be 69 // disabled. 70 AllowLocalhostPolicy = "policy" 71 72 // AnnotateK8sNode enables annotating a kubernetes node while bootstrapping 73 // the daemon, which can also be disbled using this option. 74 AnnotateK8sNode = "annotate-k8s-node" 75 76 // AwsInstanceLimitMapping allows overwirting AWS instance limits defined in 77 // pkg/aws/eni/limits.go 78 // e.g. {"a1.medium": "2,4,4", "a2.custom2": "4,5,6"} 79 AwsInstanceLimitMapping = "aws-instance-limit-mapping" 80 81 // AwsReleaseExcessIps allows releasing excess free IP addresses from ENI. 82 // Enabling this option reduces waste of IP addresses but may increase 83 // the number of API calls to AWS EC2 service. 84 AwsReleaseExcessIps = "aws-release-excess-ips" 85 86 // BPFRoot is the Path to BPF filesystem 87 BPFRoot = "bpf-root" 88 89 // CGroupRoot is the path to Cgroup2 filesystem 90 CGroupRoot = "cgroup-root" 91 92 // ConfigFile is the Configuration file (default "$HOME/ciliumd.yaml") 93 ConfigFile = "config" 94 95 // ConfigDir is the directory that contains a file for each option where 96 // the filename represents the option name and the content of that file 97 // represents the value of that option. 98 ConfigDir = "config-dir" 99 100 // ConntrackGarbageCollectorIntervalDeprecated is the deprecated option 101 // name to set the conntrack gc interval 102 ConntrackGarbageCollectorIntervalDeprecated = "conntrack-garbage-collector-interval" 103 104 // ConntrackGCInterval is the name of the ConntrackGCInterval option 105 ConntrackGCInterval = "conntrack-gc-interval" 106 107 // ContainerRuntime sets the container runtime(s) used by Cilium 108 // { containerd | crio | docker | none | auto } ( "auto" uses the container 109 // runtime found in the order: "docker", "containerd", "crio" ) 110 ContainerRuntime = "container-runtime" 111 112 // ContainerRuntimeEndpoint set the container runtime(s) endpoint(s) 113 ContainerRuntimeEndpoint = "container-runtime-endpoint" 114 115 // DebugArg is the argument enables debugging mode 116 DebugArg = "debug" 117 118 // DebugVerbose is the argument enables verbose log message for particular subsystems 119 DebugVerbose = "debug-verbose" 120 121 // Device facing cluster/external network for direct L3 (non-overlay mode) 122 Device = "device" 123 124 // DisableConntrack disables connection tracking 125 DisableConntrack = "disable-conntrack" 126 127 // DisableEnvoyVersionCheck do not perform Envoy binary version check on startup 128 DisableEnvoyVersionCheck = "disable-envoy-version-check" 129 130 // Docker is the path to docker runtime socket (DEPRECATED: use container-runtime-endpoint instead) 131 Docker = "docker" 132 133 // EnablePolicy enables policy enforcement in the agent. 134 EnablePolicy = "enable-policy" 135 136 // EnableL7Proxy is the name of the option to enable L7 proxy 137 EnableL7Proxy = "enable-l7-proxy" 138 139 // EnableTracing enables tracing mode in the agent. 140 EnableTracing = "enable-tracing" 141 142 // EncryptInterface enables encryption on specified interface 143 EncryptInterface = "encrypt-interface" 144 145 // EncryptNode enables node IP encryption 146 EncryptNode = "encrypt-node" 147 148 // EnvoyLog sets the path to a separate Envoy log file, if any 149 EnvoyLog = "envoy-log" 150 151 // FixedIdentityMapping is the key-value for the fixed identity mapping 152 // which allows to use reserved label for fixed identities 153 FixedIdentityMapping = "fixed-identity-mapping" 154 155 // IPv4ClusterCIDRMaskSize is the mask size for the cluster wide CIDR 156 IPv4ClusterCIDRMaskSize = "ipv4-cluster-cidr-mask-size" 157 158 // IPv4Range is the per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 159 IPv4Range = "ipv4-range" 160 161 // IPv6Range is the per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96 162 IPv6Range = "ipv6-range" 163 164 // IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside cluster prefix 165 IPv4ServiceRange = "ipv4-service-range" 166 167 // IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside cluster prefix 168 IPv6ServiceRange = "ipv6-service-range" 169 170 // ModePreFilterNative for loading progs with xdpdrv 171 ModePreFilterNative = "native" 172 173 // ModePreFilterGeneric for loading progs with xdpgeneric 174 ModePreFilterGeneric = "generic" 175 176 // IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option 177 IPv6ClusterAllocCIDRName = "ipv6-cluster-alloc-cidr" 178 179 // K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option 180 K8sRequireIPv4PodCIDRName = "k8s-require-ipv4-pod-cidr" 181 182 // K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option 183 K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr" 184 185 // K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP 186 // status in kube-apiserver. 187 K8sForceJSONPatch = "k8s-force-json-patch" 188 189 // K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium 190 // should watch for. 191 K8sWatcherEndpointSelector = "k8s-watcher-endpoint-selector" 192 193 // K8sAPIServer is the kubernetes api address server (for https use --k8s-kubeconfig-path instead) 194 K8sAPIServer = "k8s-api-server" 195 196 // K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file 197 K8sKubeConfigPath = "k8s-kubeconfig-path" 198 199 // K8sServiceCacheSize is service cache size for cilium k8s package. 200 K8sServiceCacheSize = "k8s-service-cache-size" 201 202 // K8sSyncTimeout is the timeout to synchronize all resources with k8s. 203 K8sSyncTimeoutName = "k8s-sync-timeout" 204 205 // K8sWatcherQueueSize is the queue size used to serialize each k8s event type 206 K8sWatcherQueueSize = "k8s-watcher-queue-size" 207 208 // KeepConfig when restoring state, keeps containers' configuration in place 209 KeepConfig = "keep-config" 210 211 // KeepBPFTemplates do not restore BPF template files from binary 212 KeepBPFTemplates = "keep-bpf-templates" 213 214 // KVStore key-value store type 215 KVStore = "kvstore" 216 217 // KVStoreOpt key-value store options 218 KVStoreOpt = "kvstore-opt" 219 220 // Labels is the list of label prefixes used to determine identity of an endpoint 221 Labels = "labels" 222 223 // LabelPrefixFile is the valid label prefixes file path 224 LabelPrefixFile = "label-prefix-file" 225 226 // LB enables load balancer mode where load balancer bpf program is attached to the given interface 227 LB = "lb" 228 229 // EnableNodePort enables NodePort services implemented by Cilium in BPF 230 EnableNodePort = "enable-node-port" 231 232 // NodePortRange defines a custom range where to look up NodePort services 233 NodePortRange = "node-port-range" 234 235 // LibDir enables the directory path to store runtime build environment 236 LibDir = "lib-dir" 237 238 // LogDriver sets logging endpoints to use for example syslog, fluentd 239 LogDriver = "log-driver" 240 241 // LogOpt sets log driver options for cilium 242 LogOpt = "log-opt" 243 244 // Logstash enables logstash integration 245 Logstash = "logstash" 246 247 // NAT46Range is the IPv6 prefix to map IPv4 addresses to 248 NAT46Range = "nat46-range" 249 250 // Masquerade are the packets from endpoints leaving the host 251 Masquerade = "masquerade" 252 253 // InstallIptRules sets whether Cilium should install any iptables in general 254 InstallIptRules = "install-iptables-rules" 255 256 IPTablesLockTimeout = "iptables-lock-timeout" 257 258 // IPv6NodeAddr is the IPv6 address of node 259 IPv6NodeAddr = "ipv6-node" 260 261 // IPv4NodeAddr is the IPv4 address of node 262 IPv4NodeAddr = "ipv4-node" 263 264 // Restore restores state, if possible, from previous daemon 265 Restore = "restore" 266 267 // SidecarHTTPProxy disable host HTTP proxy, assuming proxies in sidecar containers 268 SidecarHTTPProxy = "sidecar-http-proxy" 269 270 // SidecarIstioProxyImage regular expression matching compatible Istio sidecar istio-proxy container image names 271 SidecarIstioProxyImage = "sidecar-istio-proxy-image" 272 273 // SocketPath sets daemon's socket path to listen for connections 274 SocketPath = "socket-path" 275 276 // StateDir is the directory path to store runtime state 277 StateDir = "state-dir" 278 279 // TracePayloadlen length of payload to capture when tracing 280 TracePayloadlen = "trace-payloadlen" 281 282 // Version prints the version information 283 Version = "version" 284 285 // FlannelMasterDevice installs a BPF program to allow for policy 286 // enforcement in the given network interface. Allows to run Cilium on top 287 // of other CNI plugins that provide networking, e.g. flannel, where for 288 // flannel, this value should be set with 'cni0'. [EXPERIMENTAL]") 289 FlannelMasterDevice = "flannel-master-device" 290 291 // FlannelUninstallOnExit should be used along the flannel-master-device flag, 292 // it cleans up all BPF programs installed when Cilium agent is terminated. 293 FlannelUninstallOnExit = "flannel-uninstall-on-exit" 294 295 // FlannelManageExistingContainers sets if Cilium should install the BPF 296 // programs on already running interfaces created by flannel. Require 297 // Cilium to be running in the hostPID. 298 FlannelManageExistingContainers = "flannel-manage-existing-containers" 299 300 // PProf enables serving the pprof debugging API 301 PProf = "pprof" 302 303 // PrefilterDevice is the device facing external network for XDP prefiltering 304 PrefilterDevice = "prefilter-device" 305 306 // PrefilterMode { "+ModePreFilterNative+" | "+ModePreFilterGeneric+" } (default: "+option.ModePreFilterNative+") 307 PrefilterMode = "prefilter-mode" 308 309 // PrometheusServeAddr IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off) 310 PrometheusServeAddr = "prometheus-serve-addr" 311 312 // PrometheusServeAddrDeprecated IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off) 313 PrometheusServeAddrDeprecated = "prometheus-serve-addr-deprecated" 314 315 // CMDRef is the path to cmdref output directory 316 CMDRef = "cmdref" 317 318 // ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies. 319 ToFQDNsMinTTL = "tofqdns-min-ttl" 320 321 // ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. 322 ToFQDNsProxyPort = "tofqdns-proxy-port" 323 324 // ToFQDNsEnablePoller enables proactive polling of DNS names in toFQDNs.matchName rules. 325 ToFQDNsEnablePoller = "tofqdns-enable-poller" 326 327 // ToFQDNsEmitPollerEvents controls if poller lookups are sent as monitor events 328 ToFQDNsEnablePollerEvents = "tofqdns-enable-poller-events" 329 330 // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain 331 // for each FQDN name in an endpoint's FQDN cache 332 ToFQDNsMaxIPsPerHost = "tofqdns-endpoint-max-ip-per-hostname" 333 334 // ToFQDNsPreCache is a path to a file with DNS cache data to insert into the 335 // global cache on startup. 336 // The file is not re-read after agent start. 337 ToFQDNsPreCache = "tofqdns-pre-cache" 338 339 // MTUName is the name of the MTU option 340 MTUName = "mtu" 341 342 // DatapathMode is the name of the DatapathMode option 343 DatapathMode = "datapath-mode" 344 345 // IpvlanMasterDevice is the name of the IpvlanMasterDevice option 346 IpvlanMasterDevice = "ipvlan-master-device" 347 348 // EnableHostReachableServices is the name of the EnableHostReachableServices option 349 EnableHostReachableServices = "enable-host-reachable-services" 350 351 // HostReachableServicesProtos is the name of the HostReachableServicesProtos option 352 HostReachableServicesProtos = "host-reachable-services-protos" 353 354 // HostServicesTCP is the name of EnableHostServicesTCP config 355 HostServicesTCP = "tcp" 356 357 // HostServicesUDP is the name of EnableHostServicesUDP config 358 HostServicesUDP = "udp" 359 360 // TunnelName is the name of the Tunnel option 361 TunnelName = "tunnel" 362 363 // SingleClusterRouteName is the name of the SingleClusterRoute option 364 // 365 // SingleClusterRoute enables use of a single route covering the entire 366 // cluster CIDR to point to the cilium_host interface instead of using 367 // a separate route for each cluster node CIDR. This option is not 368 // compatible with Tunnel=TunnelDisabled 369 SingleClusterRouteName = "single-cluster-route" 370 371 // MonitorAggregationName specifies the MonitorAggregationLevel on the 372 // comandline. 373 MonitorAggregationName = "monitor-aggregation" 374 375 // ciliumEnvPrefix is the prefix used for environment variables 376 ciliumEnvPrefix = "CILIUM_" 377 378 // ClusterName is the name of the ClusterName option 379 ClusterName = "cluster-name" 380 381 // ClusterIDName is the name of the ClusterID option 382 ClusterIDName = "cluster-id" 383 384 // ClusterIDMin is the minimum value of the cluster ID 385 ClusterIDMin = 0 386 387 // ClusterIDMax is the maximum value of the cluster ID 388 ClusterIDMax = 255 389 390 // ClusterMeshConfigName is the name of the ClusterMeshConfig option 391 ClusterMeshConfigName = "clustermesh-config" 392 393 // BPFCompileDebugName is the name of the option to enable BPF compiliation debugging 394 BPFCompileDebugName = "bpf-compile-debug" 395 396 // CTMapEntriesGlobalTCP retains the Cilium 1.2 (or earlier) size to 397 // minimize disruption during upgrade. 398 CTMapEntriesGlobalTCPDefault = 1000000 399 CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki 400 CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max" 401 CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max" 402 403 // CTMapEntriesTimeout* name option and default value mappings 404 CTMapEntriesTimeoutSYNName = "bpf-ct-timeout-regular-tcp-syn" 405 CTMapEntriesTimeoutFINName = "bpf-ct-timeout-regular-tcp-fin" 406 CTMapEntriesTimeoutTCPName = "bpf-ct-timeout-regular-tcp" 407 CTMapEntriesTimeoutAnyName = "bpf-ct-timeout-regular-any" 408 CTMapEntriesTimeoutSVCTCPName = "bpf-ct-timeout-service-tcp" 409 CTMapEntriesTimeoutSVCAnyName = "bpf-ct-timeout-service-any" 410 411 // NATMapEntriesGlobalDefault holds the default size of the NAT map 412 // and is 2/3 of the full CT size as a heuristic 413 NATMapEntriesGlobalDefault = int((CTMapEntriesGlobalTCPDefault + CTMapEntriesGlobalAnyDefault) * 2 / 3) 414 415 // LimitTableMin defines the minimum CT or NAT table limit 416 LimitTableMin = 1 << 10 // 1Ki entries 417 418 // LimitTableMax defines the maximum CT or NAT table limit 419 LimitTableMax = 1 << 24 // 16Mi entries (~1GiB of entries per map) 420 421 // NATMapEntriesGlobalName configures max entries for BPF NAT table 422 NATMapEntriesGlobalName = "bpf-nat-global-max" 423 424 // PolicyMapEntriesName configures max entries for BPF policymap. 425 PolicyMapEntriesName = "bpf-policy-map-max" 426 427 // LogSystemLoadConfigName is the name of the option to enable system 428 // load loggging 429 LogSystemLoadConfigName = "log-system-load" 430 431 // PrependIptablesChainsName is the name of the option to enable 432 // prepending iptables chains instead of appending 433 PrependIptablesChainsName = "prepend-iptables-chains" 434 435 // DisableCiliumEndpointCRDName is the name of the option to disable 436 // use of the CEP CRD 437 DisableCiliumEndpointCRDName = "disable-endpoint-crd" 438 439 // DisableK8sServices disables east-west K8s load balancing by cilium 440 DisableK8sServices = "disable-k8s-services" 441 442 // MaxCtrlIntervalName and MaxCtrlIntervalNameEnv allow configuration 443 // of MaxControllerInterval. 444 MaxCtrlIntervalName = "max-controller-interval" 445 446 // SockopsEnableName is the name of the option to enable sockops 447 SockopsEnableName = "sockops-enable" 448 449 // K8sNamespaceName is the name of the K8sNamespace option 450 K8sNamespaceName = "k8s-namespace" 451 452 // EnableIPv4Name is the name of the option to enable IPv4 support 453 EnableIPv4Name = "enable-ipv4" 454 455 // LegacyDisableIPv4Name is the name of the legacy option to disable 456 // IPv4 support 457 LegacyDisableIPv4Name = "disable-ipv4" 458 459 // EnableIPv6Name is the name of the option to enable IPv6 support 460 EnableIPv6Name = "enable-ipv6" 461 462 // MonitorQueueSizeName is the name of the option MonitorQueueSize 463 MonitorQueueSizeName = "monitor-queue-size" 464 465 //FQDNRejectResponseCode is the name for the option for dns-proxy reject response code 466 FQDNRejectResponseCode = "tofqdns-dns-reject-response-code" 467 468 // FQDNProxyDenyWithNameError is useful when stub resolvers, like the one 469 // in Alpine Linux's libc (musl), treat a REFUSED as a resolution error. 470 // This happens when trying a DNS search list, as in kubernetes, and breaks 471 // even whitelisted DNS names. 472 FQDNProxyDenyWithNameError = "nameError" 473 474 // FQDNProxyDenyWithRefused is the response code for Domain refused. It is 475 // the default for denied DNS requests. 476 FQDNProxyDenyWithRefused = "refused" 477 478 // FQDNProxyResponseMaxDelay is the maximum time the proxy holds back a response 479 FQDNProxyResponseMaxDelay = "tofqdns-proxy-response-max-delay" 480 481 // PreAllocateMapsName is the name of the option PreAllocateMaps 482 PreAllocateMapsName = "preallocate-bpf-maps" 483 484 // EnableXTSocketFallbackName is the name of the EnableXTSocketFallback option 485 EnableXTSocketFallbackName = "enable-xt-socket-fallback" 486 487 // EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option 488 EnableAutoDirectRoutingName = "auto-direct-node-routes" 489 490 // EnableIPSecName is the name of the option to enable IPSec 491 EnableIPSecName = "enable-ipsec" 492 493 // IPSecKeyFileName is the name of the option for ipsec key file 494 IPSecKeyFileName = "ipsec-key-file" 495 496 // KVstoreLeaseTTL is the time-to-live for lease in kvstore. 497 KVstoreLeaseTTL = "kvstore-lease-ttl" 498 499 // KVstorePeriodicSync is the time interval in which periodic 500 // synchronization with the kvstore occurs 501 KVstorePeriodicSync = "kvstore-periodic-sync" 502 503 // KVstoreConnectivityTimeout is the timeout when performing kvstore operations 504 KVstoreConnectivityTimeout = "kvstore-connectivity-timeout" 505 506 // IPAllocationTimeout is the timeout when allocating CIDRs 507 IPAllocationTimeout = "ip-allocation-timeout" 508 509 // IdentityChangeGracePeriod is the name of the 510 // IdentityChangeGracePeriod option 511 IdentityChangeGracePeriod = "identity-change-grace-period" 512 513 // EnableHealthChecking is the name of the EnableHealthChecking option 514 EnableHealthChecking = "enable-health-checking" 515 516 // EnableEndpointHealthChecking is the name of the EnableEndpointHealthChecking option 517 EnableEndpointHealthChecking = "enable-endpoint-health-checking" 518 519 // PolicyQueueSize is the size of the queues utilized by the policy 520 // repository. 521 PolicyQueueSize = "policy-queue-size" 522 523 // EndpointQueueSize is the size of the EventQueue per-endpoint. 524 EndpointQueueSize = "endpoint-queue-size" 525 526 // SelectiveRegeneration specifies whether only the endpoints which policy 527 // changes select should be regenerated upon policy changes. 528 SelectiveRegeneration = "enable-selective-regeneration" 529 530 // K8sEventHandover is the name of the K8sEventHandover option 531 K8sEventHandover = "enable-k8s-event-handover" 532 533 // Metrics represents the metrics subsystem that Cilium should expose 534 // to prometheus. 535 Metrics = "metrics" 536 537 // LoopbackIPv4 is the address to use for service loopback SNAT 538 LoopbackIPv4 = "ipv4-service-loopback-address" 539 540 // EndpointInterfaceNamePrefix is the prefix name of the interface 541 // names shared by all endpoints 542 EndpointInterfaceNamePrefix = "endpoint-interface-name-prefix" 543 544 // BlacklistConflictingRoutes removes all IPs from the IPAM block if a 545 // local route not owned by Cilium conflicts with it 546 BlacklistConflictingRoutes = "blacklist-conflicting-routes" 547 548 // ForceLocalPolicyEvalAtSource forces a policy decision at the source 549 // endpoint for all local communication 550 ForceLocalPolicyEvalAtSource = "force-local-policy-eval-at-source" 551 552 // SkipCRDCreation specifies whether the CustomResourceDefinition will be 553 // created by the daemon 554 SkipCRDCreation = "skip-crd-creation" 555 556 // EnableEndpointRoutes enables use of per endpoint routes 557 EnableEndpointRoutes = "enable-endpoint-routes" 558 559 // ExcludeLocalAddress excludes certain addresses to be recognized as a 560 // local address 561 ExcludeLocalAddress = "exclude-local-address" 562 563 // IPv4PodSubnets A list of IPv4 subnets that pods may be 564 // assigned from. Used with CNI chaining where IPs are not directly managed 565 // by Cilium. 566 IPv4PodSubnets = "ipv4-pod-subnets" 567 568 // IPv6PodSubnets A list of IPv6 subnets that pods may be 569 // assigned from. Used with CNI chaining where IPs are not directly managed 570 // by Cilium. 571 IPv6PodSubnets = "ipv6-pod-subnets" 572 573 // IPAM is the IPAM method to use 574 IPAM = "ipam" 575 576 // IPAMCRD is the value to select the CRD-backed IPAM plugin for 577 // option.IPAM 578 IPAMCRD = "crd" 579 580 // IPAMENI is the value to select the AWS ENI IPAM plugin for option.IPAM 581 IPAMENI = "eni" 582 583 // AWSClientQPSLimit is the queries per second limit for the AWS client used by AWS ENI IPAM 584 AWSClientQPSLimit = "aws-client-qps" 585 586 // AWSClientBurst is the burst value allowed for the AWS client used by the AWS ENI IPAM 587 AWSClientBurst = "aws-client-burst" 588 589 // K8sClientQPSLimit is the queries per second limit for the K8s client. Defaults to k8s client defaults. 590 K8sClientQPSLimit = "k8s-client-qps" 591 592 // K8sClientBurst is the burst value allowed for the K8s client. Defaults to k8s client defaults. 593 K8sClientBurst = "k8s-client-burst" 594 595 // AutoCreateCiliumNodeResource enables automatic creation of a 596 // CiliumNode resource for the local node 597 AutoCreateCiliumNodeResource = "auto-create-cilium-node-resource" 598 599 // IPv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable 600 IPv4NativeRoutingCIDR = "native-routing-cidr" 601 602 // EgressMasqueradeInterfaces is the selector used to select interfaces 603 // subject to egress masquerading 604 EgressMasqueradeInterfaces = "egress-masquerade-interfaces" 605 606 // DeprecatedEnableLegacyServices enables the legacy services 607 DeprecatedEnableLegacyServices = "enable-legacy-services" 608 609 // PolicyTriggerInterval is the amount of time between triggers of policy 610 // updates are invoked. 611 PolicyTriggerInterval = "policy-trigger-interval" 612 613 // IdentityAllocationMode specifies what mode to use for identity 614 // allocation 615 IdentityAllocationMode = "identity-allocation-mode" 616 617 // IdentityAllocationModeKVstore enables use of a key-value store such 618 // as etcd or consul for identity allocation 619 IdentityAllocationModeKVstore = "kvstore" 620 621 // IdentityAllocationModeCRD enables use of Kubernetes CRDs for 622 // identity allocation 623 IdentityAllocationModeCRD = "crd" 624 625 // DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP 626 // CRD. 627 DisableCNPStatusUpdates = "disable-cnp-status-updates" 628 ) 629 630 // Default string arguments 631 var ( 632 FQDNRejectOptions = []string{FQDNProxyDenyWithNameError, FQDNProxyDenyWithRefused} 633 634 // ContainerRuntimeAuto is the configuration for autodetecting the 635 // container runtime backends that Cilium should use. 636 ContainerRuntimeAuto = []string{"auto"} 637 ) 638 639 // Available option for DaemonConfig.DatapathMode 640 const ( 641 // DatapathModeVeth specifies veth datapath mode (i.e. containers are 642 // attached to a network via veth pairs) 643 DatapathModeVeth = "veth" 644 645 // DatapathModeIpvlan specifies ipvlan datapath mode 646 DatapathModeIpvlan = "ipvlan" 647 ) 648 649 // Available option for DaemonConfig.Tunnel 650 const ( 651 // TunnelVXLAN specifies VXLAN encapsulation 652 TunnelVXLAN = "vxlan" 653 654 // TunnelGeneve specifies Geneve encapsulation 655 TunnelGeneve = "geneve" 656 657 // TunnelDisabled specifies to disable encapsulation 658 TunnelDisabled = "disabled" 659 ) 660 661 // Available option for DaemonConfig.Ipvlan.OperationMode 662 const ( 663 // OperationModeL3S will respect iptables rules e.g. set up for masquerading 664 OperationModeL3S = "L3S" 665 666 // OperationModeL3 will bypass iptables rules on the host 667 OperationModeL3 = "L3" 668 ) 669 670 // Envoy option names 671 const ( 672 // HTTP403Message specifies the response body for 403 responses, defaults to "Access denied" 673 HTTP403Message = "http-403-msg" 674 675 // HTTPRequestTimeout specifies the time in seconds after which forwarded requests time out 676 HTTPRequestTimeout = "http-request-timeout" 677 678 // HTTPIdleTimeout spcifies the time in seconds if http stream being idle after which the 679 // request times out 680 HTTPIdleTimeout = "http-idle-timeout" 681 682 // HTTPMaxGRPCTimeout specifies the maximum time in seconds that limits the values of 683 // "grpc-timeout" headers being honored. 684 HTTPMaxGRPCTimeout = "http-max-grpc-timeout" 685 686 // HTTPRetryCount specifies the number of retries performed after a forwarded request fails 687 HTTPRetryCount = "http-retry-count" 688 689 // HTTPRetryTimeout is the time in seconds before an uncompleted request is retried. 690 HTTPRetryTimeout = "http-retry-timeout" 691 692 // ProxyConnectTimeout specifies the time in seconds after which a TCP connection attempt 693 // is considered timed out 694 ProxyConnectTimeout = "proxy-connect-timeout" 695 696 // ReadCNIConfiguration reads the CNI configuration file and extracts 697 // Cilium relevant information. This can be used to pass per node 698 // configuration to Cilium. 699 ReadCNIConfiguration = "read-cni-conf" 700 701 // WriteCNIConfigurationWhenReady writes the CNI configuration to the 702 // specified location once the agent is ready to serve requests. This 703 // allows to keep a Kubernetes node NotReady until Cilium is up and 704 // running and able to schedule endpoints. 705 WriteCNIConfigurationWhenReady = "write-cni-conf-when-ready" 706 ) 707 708 const ( 709 // NodePortMinDefault is the minimal port to listen for NodePort requests 710 NodePortMinDefault = 30000 711 712 // NodePortMaxDefault is the maximum port to listen for NodePort requests 713 NodePortMaxDefault = 32767 714 ) 715 716 // GetTunnelModes returns the list of all tunnel modes 717 func GetTunnelModes() string { 718 return fmt.Sprintf("%s, %s, %s", TunnelVXLAN, TunnelGeneve, TunnelDisabled) 719 } 720 721 // getEnvName returns the environment variable to be used for the given option name. 722 func getEnvName(option string) string { 723 under := strings.Replace(option, "-", "_", -1) 724 upper := strings.ToUpper(under) 725 return ciliumEnvPrefix + upper 726 } 727 728 // RegisteredOptions maps all options that are bind to viper. 729 var RegisteredOptions = map[string]struct{}{} 730 731 // BindEnv binds the option name with an deterministic generated environment 732 // variable which s based on the given optName. If the same optName is bind 733 // more than 1 time, this function panics. 734 func BindEnv(optName string) { 735 registerOpt(optName) 736 viper.BindEnv(optName, getEnvName(optName)) 737 } 738 739 // BindEnvWithLegacyEnvFallback binds the given option name with either the same 740 // environment variable as BindEnv, if it's set, or with the given legacyEnvName. 741 // 742 // The function is used to work around the viper.BindEnv limitation that only 743 // one environment variable can be bound for an option, and we need multiple 744 // environment variables due to backward compatibility reasons. 745 func BindEnvWithLegacyEnvFallback(optName, legacyEnvName string) { 746 registerOpt(optName) 747 748 envName := getEnvName(optName) 749 if os.Getenv(envName) == "" { 750 envName = legacyEnvName 751 } 752 753 viper.BindEnv(optName, envName) 754 } 755 756 func registerOpt(optName string) { 757 _, ok := RegisteredOptions[optName] 758 if ok || optName == "" { 759 panic(fmt.Errorf("option already registered: %s", optName)) 760 } 761 RegisteredOptions[optName] = struct{}{} 762 } 763 764 // LogRegisteredOptions logs all options that where bind to viper. 765 func LogRegisteredOptions(entry *logrus.Entry) { 766 keys := make([]string, 0, len(RegisteredOptions)) 767 for k := range RegisteredOptions { 768 keys = append(keys, k) 769 } 770 sort.Strings(keys) 771 for _, k := range keys { 772 v := viper.GetStringSlice(k) 773 if len(v) > 0 { 774 entry.Infof(" --%s='%s'", k, strings.Join(v, ",")) 775 } else { 776 entry.Infof(" --%s='%s'", k, viper.GetString(k)) 777 } 778 } 779 } 780 781 // IpvlanConfig is the configuration used by Daemon when in ipvlan mode. 782 type IpvlanConfig struct { 783 MasterDeviceIndex int 784 OperationMode string 785 } 786 787 // DaemonConfig is the configuration used by Daemon. 788 type DaemonConfig struct { 789 BpfDir string // BPF template files directory 790 LibDir string // Cilium library files directory 791 RunDir string // Cilium runtime directory 792 NAT46Prefix *net.IPNet // NAT46 IPv6 Prefix 793 Device string // Receive device 794 DevicePreFilter string // XDP device 795 ModePreFilter string // XDP mode, values: { native | generic } 796 HostV4Addr net.IP // Host v4 address of the snooping device 797 HostV6Addr net.IP // Host v6 address of the snooping device 798 LBInterface string // Set with name of the interface to loadbalance packets from 799 EncryptInterface string // Set with name of network facing interface to encrypt 800 EncryptNode bool // Set to true for encrypting node IP traffic 801 Workloads []string // List of Workloads set by the user to used by cilium. 802 803 Ipvlan IpvlanConfig // Ipvlan related configuration 804 805 DatapathMode string // Datapath mode 806 Tunnel string // Tunnel mode 807 808 DryMode bool // Do not create BPF maps, devices, .. 809 810 // RestoreState enables restoring the state from previous running daemons. 811 RestoreState bool 812 813 // EnableHostIPRestore enables restoring the host IPs based on state 814 // left behind by previous Cilium runs. 815 EnableHostIPRestore bool 816 817 KeepConfig bool // Keep configuration of existing endpoints when starting up. 818 KeepTemplates bool // Do not overwrite the template files 819 820 // AllowLocalhost defines when to allows the local stack to local endpoints 821 // values: { auto | always | policy } 822 AllowLocalhost string 823 824 // StateDir is the directory where runtime state of endpoints is stored 825 StateDir string 826 827 // Options changeable at runtime 828 Opts *IntOptions 829 830 // Mutex for serializing configuration updates to the daemon. 831 ConfigPatchMutex lock.RWMutex 832 833 // Monitor contains the configuration for the node monitor. 834 Monitor *models.MonitorStatus 835 836 // AccessLog is the path to the access log of supported L7 requests observed. 837 AccessLog string 838 839 // AgentLabels contains additional labels to identify this agent in monitor events. 840 AgentLabels []string 841 842 // IPv6ClusterAllocCIDR is the base CIDR used to allocate IPv6 node 843 // CIDRs if allocation is not performed by an orchestration system 844 IPv6ClusterAllocCIDR string 845 846 // IPv6ClusterAllocCIDRBase is derived from IPv6ClusterAllocCIDR and 847 // contains the CIDR without the mask, e.g. "fdfd::1/64" -> "fdfd::" 848 // 849 // This variable should never be written to, it is initialized via 850 // DaemonConfig.Validate() 851 IPv6ClusterAllocCIDRBase string 852 853 // K8sRequireIPv4PodCIDR requires the k8s node resource to specify the 854 // IPv4 PodCIDR. Cilium will block bootstrapping until the information 855 // is available. 856 K8sRequireIPv4PodCIDR bool 857 858 // K8sRequireIPv6PodCIDR requires the k8s node resource to specify the 859 // IPv6 PodCIDR. Cilium will block bootstrapping until the information 860 // is available. 861 K8sRequireIPv6PodCIDR bool 862 863 // K8sServiceCacheSize is the service cache size for cilium k8s package. 864 K8sServiceCacheSize uint 865 866 // K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP 867 // status in kube-apiserver. 868 K8sForceJSONPatch bool 869 870 // K8sWatcherQueueSize is the queue size used to serialize each k8s event 871 // type. 872 K8sWatcherQueueSize uint 873 874 // MTU is the maximum transmission unit of the underlying network 875 MTU int 876 877 // ClusterName is the name of the cluster 878 ClusterName string 879 880 // ClusterID is the unique identifier of the cluster 881 ClusterID int 882 883 // ClusterMeshConfig is the path to the clustermesh configuration directory 884 ClusterMeshConfig string 885 886 // CTMapEntriesGlobalTCP is the maximum number of conntrack entries 887 // allowed in each TCP CT table for IPv4/IPv6. 888 CTMapEntriesGlobalTCP int 889 890 // CTMapEntriesGlobalAny is the maximum number of conntrack entries 891 // allowed in each non-TCP CT table for IPv4/IPv6. 892 CTMapEntriesGlobalAny int 893 894 // CTMapEntriesTimeout* values configured by the user. 895 CTMapEntriesTimeoutTCP time.Duration 896 CTMapEntriesTimeoutAny time.Duration 897 CTMapEntriesTimeoutSVCTCP time.Duration 898 CTMapEntriesTimeoutSVCAny time.Duration 899 CTMapEntriesTimeoutSYN time.Duration 900 CTMapEntriesTimeoutFIN time.Duration 901 902 // NATMapEntriesGlobal is the maximum number of NAT mappings allowed 903 // in the BPF NAT table 904 NATMapEntriesGlobal int 905 906 // PolicyMapMaxEntries is the maximum number of peer identities that an 907 // endpoint may allow traffic to exchange traffic with. 908 PolicyMapMaxEntries int 909 910 // DisableCiliumEndpointCRD disables the use of CiliumEndpoint CRD 911 DisableCiliumEndpointCRD bool 912 913 // MaxControllerInterval is the maximum value for a controller's 914 // RunInterval. Zero means unlimited. 915 MaxControllerInterval int 916 917 // UseSingleClusterRoute specifies whether to use a single cluster route 918 // instead of per-node routes. 919 UseSingleClusterRoute bool 920 921 // HTTP403Message is the error message to return when a HTTP 403 is returned 922 // by the proxy, if L7 policy is configured. 923 HTTP403Message string 924 925 // HTTPRequestTimeout is the time in seconds after which Envoy responds with an 926 // error code on a request that has not yet completed. This needs to be longer 927 // than the HTTPIdleTimeout 928 HTTPRequestTimeout int 929 930 // HTTPIdleTimeout is the time in seconds of a HTTP stream having no traffic after 931 // which Envoy responds with an error code. This needs to be shorter than the 932 // HTTPRequestTimeout 933 HTTPIdleTimeout int 934 935 // HTTPMaxGRPCTimeout is the upper limit to which "grpc-timeout" headers in GRPC 936 // requests are honored by Envoy. If 0 there is no limit. GRPC requests are not 937 // bound by the HTTPRequestTimeout, but ARE affected by the idle timeout! 938 HTTPMaxGRPCTimeout int 939 940 // HTTPRetryCount is the upper limit on how many times Envoy retries failed requests. 941 HTTPRetryCount int 942 943 // HTTPRetryTimeout is the time in seconds before an uncompleted request is retried. 944 HTTPRetryTimeout int 945 946 // ProxyConnectTimeout is the time in seconds after which Envoy considers a TCP 947 // connection attempt to have timed out. 948 ProxyConnectTimeout int 949 950 // BPFCompilationDebug specifies whether to compile BPF programs compilation 951 // debugging enabled. 952 BPFCompilationDebug bool 953 954 // EnvoyLogPath specifies where to store the Envoy proxy logs when Envoy 955 // runs in the same container as Cilium. 956 EnvoyLogPath string 957 958 // EnableSockOps specifies whether to enable sockops (socket lookup). 959 SockopsEnable bool 960 961 // PrependIptablesChains is the name of the option to enable prepending 962 // iptables chains instead of appending 963 PrependIptablesChains bool 964 965 // IPTablesLockTimeout defines the "-w" iptables option when the 966 // iptables CLI is directly invoked from the Cilium agent. 967 IPTablesLockTimeout time.Duration 968 969 // K8sNamespace is the name of the namespace in which Cilium is 970 // deployed in when running in Kubernetes mode 971 K8sNamespace string 972 973 // EnableIPv4 is true when IPv4 is enabled 974 EnableIPv4 bool 975 976 // EnableIPv6 is true when IPv6 is enabled 977 EnableIPv6 bool 978 979 // EnableL7Proxy is the option to enable L7 proxy 980 EnableL7Proxy bool 981 982 // EnableIPSec is true when IPSec is enabled 983 EnableIPSec bool 984 985 // IPSec key file for stored keys 986 IPSecKeyFile string 987 988 // MonitorQueueSize is the size of the monitor event queue 989 MonitorQueueSize int 990 991 // CLI options 992 993 BPFRoot string 994 CGroupRoot string 995 BPFCompileDebug string 996 ConfigFile string 997 ConfigDir string 998 ContainerRuntimeEndpoint map[string]string 999 Debug bool 1000 DebugVerbose []string 1001 DisableConntrack bool 1002 DisableK8sServices bool 1003 EnableHostReachableServices bool 1004 EnableHostServicesTCP bool 1005 EnableHostServicesUDP bool 1006 DockerEndpoint string 1007 EnablePolicy string 1008 EnableTracing bool 1009 EnvoyLog string 1010 DisableEnvoyVersionCheck bool 1011 FixedIdentityMapping map[string]string 1012 FixedIdentityMappingValidator func(val string) (string, error) 1013 IPv4ClusterCIDRMaskSize int 1014 IPv4Range string 1015 IPv6Range string 1016 IPv4ServiceRange string 1017 IPv6ServiceRange string 1018 K8sAPIServer string 1019 K8sKubeConfigPath string 1020 K8sSyncTimeout time.Duration 1021 K8sWatcherEndpointSelector string 1022 KVStore string 1023 KVStoreOpt map[string]string 1024 LabelPrefixFile string 1025 Labels []string 1026 LogDriver []string 1027 LogOpt map[string]string 1028 Logstash bool 1029 LogSystemLoadConfig bool 1030 NAT46Range string 1031 1032 // Masquerade specifies whether or not to masquerade packets from endpoints 1033 // leaving the host. 1034 Masquerade bool 1035 InstallIptRules bool 1036 MonitorAggregation string 1037 PreAllocateMaps bool 1038 IPv6NodeAddr string 1039 IPv4NodeAddr string 1040 SidecarHTTPProxy bool 1041 SidecarIstioProxyImage string 1042 SocketPath string 1043 TracePayloadlen int 1044 Version string 1045 PProf bool 1046 PrometheusServeAddr string 1047 CMDRefDir string 1048 ToFQDNsMinTTL int 1049 1050 // ToFQDNsProxyPort is the user-configured global, shared, DNS listen port used 1051 // by the DNS Proxy. Both UDP and TCP are handled on the same port. When it 1052 // is 0 a random port will be assigned, and can be obtained from 1053 // DefaultDNSProxy below. 1054 ToFQDNsProxyPort int 1055 1056 // ToFQDNsEnablePoller enables the DNS poller that polls toFQDNs.matchName 1057 ToFQDNsEnablePoller bool 1058 1059 // ToFQDNsEnablePollerEvents controls sending a monitor event for each DNS 1060 // response the DNS poller sees 1061 ToFQDNsEnablePollerEvents bool 1062 1063 // ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain 1064 // for each FQDN name in an endpoint's FQDN cache 1065 ToFQDNsMaxIPsPerHost int 1066 1067 // FQDNRejectResponse is the dns-proxy response for invalid dns-proxy request 1068 FQDNRejectResponse string 1069 1070 // FQDNProxyResponseMaxDelay The maximum time the DNS proxy holds an allowed 1071 // DNS response before sending it along. Responses are sent as soon as the 1072 // datapath is updated with the new IP information. 1073 FQDNProxyResponseMaxDelay time.Duration 1074 1075 // Path to a file with DNS cache data to preload on startup 1076 ToFQDNsPreCache string 1077 1078 // HostDevice will be device used by Cilium to connect to the outside world. 1079 HostDevice string 1080 1081 // FlannelMasterDevice installs a BPF program in the given interface 1082 // to allow for policy enforcement mode on top of flannel. 1083 FlannelMasterDevice string 1084 1085 // FlannelUninstallOnExit removes the BPF programs that were installed by 1086 // Cilium on all interfaces created by the flannel. 1087 FlannelUninstallOnExit bool 1088 1089 // FlannelManageExistingContainers sets if Cilium should install the BPF 1090 // programs on already running interfaces created by flannel. Require 1091 // Cilium to be running in the hostPID. 1092 FlannelManageExistingContainers bool 1093 1094 // EnableXTSocketFallback allows disabling of kernel's ip_early_demux 1095 // sysctl option if `xt_socket` kernel module is not available. 1096 EnableXTSocketFallback bool 1097 1098 // EnableAutoDirectRouting enables installation of direct routes to 1099 // other nodes when available 1100 EnableAutoDirectRouting bool 1101 1102 // EnableHealthChecking enables health checking between nodes and 1103 // health endpoints 1104 EnableHealthChecking bool 1105 1106 // EnableEndpointHealthChecking enables health checking between virtual 1107 // health endpoints 1108 EnableEndpointHealthChecking bool 1109 1110 // KVstoreKeepAliveInterval is the interval in which the lease is being 1111 // renewed. This must be set to a value lesser than the LeaseTTL ideally 1112 // by a factor of 3. 1113 KVstoreKeepAliveInterval time.Duration 1114 1115 // KVstoreLeaseTTL is the time-to-live for kvstore lease. 1116 KVstoreLeaseTTL time.Duration 1117 1118 // KVstorePeriodicSync is the time interval in which periodic 1119 // synchronization with the kvstore occurs 1120 KVstorePeriodicSync time.Duration 1121 1122 // KVstoreConnectivityTimeout is the timeout when performing kvstore operations 1123 KVstoreConnectivityTimeout time.Duration 1124 1125 // IPAllocationTimeout is the timeout when allocating CIDRs 1126 IPAllocationTimeout time.Duration 1127 1128 // IdentityChangeGracePeriod is the grace period that needs to pass 1129 // before an endpoint that has changed its identity will start using 1130 // that new identity. During the grace period, the new identity has 1131 // already been allocated and other nodes in the cluster have a chance 1132 // to whitelist the new upcoming identity of the endpoint. 1133 IdentityChangeGracePeriod time.Duration 1134 1135 // PolicyQueueSize is the size of the queues for the policy repository. 1136 // A larger queue means that more events related to policy can be buffered. 1137 PolicyQueueSize int 1138 1139 // EndpointQueueSize is the size of the EventQueue per-endpoint. A larger 1140 // queue means that more events can be buffered per-endpoint. This is useful 1141 // in the case where a cluster might be under high load for endpoint-related 1142 // events, specifically those which cause many regenerations. 1143 EndpointQueueSize int 1144 1145 // SelectiveRegeneration, when true, enables the functionality to only 1146 // regenerate endpoints which are selected by the policy rules that have 1147 // been changed (added, deleted, or updated). If false, then all endpoints 1148 // are regenerated upon every policy change regardless of the scope of the 1149 // policy change. 1150 SelectiveRegeneration bool 1151 1152 // ConntrackGCInterval is the connection tracking garbage collection 1153 // interval 1154 ConntrackGCInterval time.Duration 1155 1156 // K8sEventHandover enables use of the kvstore to optimize Kubernetes 1157 // event handling by listening for k8s events in the operator and 1158 // mirroring it into the kvstore for reduced overhead in large 1159 // clusters. 1160 K8sEventHandover bool 1161 1162 // MetricsConfig is the configuration set in metrics 1163 MetricsConfig metrics.Configuration 1164 1165 // LoopbackIPv4 is the address to use for service loopback SNAT 1166 LoopbackIPv4 string 1167 1168 // EndpointInterfaceNamePrefix is the prefix name of the interface 1169 // names shared by all endpoints 1170 EndpointInterfaceNamePrefix string 1171 1172 // BlacklistConflictingRoutes removes all IPs from the IPAM block if a 1173 // local route not owned by Cilium conflicts with it 1174 BlacklistConflictingRoutes bool 1175 1176 // ForceLocalPolicyEvalAtSource forces a policy decision at the source 1177 // endpoint for all local communication 1178 ForceLocalPolicyEvalAtSource bool 1179 1180 // SkipCRDCreation disables creation of the CustomResourceDefinition 1181 // on daemon startup 1182 SkipCRDCreation bool 1183 1184 // EnableEndpointRoutes enables use of per endpoint routes 1185 EnableEndpointRoutes bool 1186 1187 // Specifies wheather to annotate the kubernetes nodes or not 1188 AnnotateK8sNode bool 1189 1190 // RunMonitorAgent indicates whether to run the monitor agent 1191 RunMonitorAgent bool 1192 1193 // ReadCNIConfiguration reads the CNI configuration file and extracts 1194 // Cilium relevant information. This can be used to pass per node 1195 // configuration to Cilium. 1196 ReadCNIConfiguration string 1197 1198 // WriteCNIConfigurationWhenReady writes the CNI configuration to the 1199 // specified location once the agent is ready to serve requests. This 1200 // allows to keep a Kubernetes node NotReady until Cilium is up and 1201 // running and able to schedule endpoints. 1202 WriteCNIConfigurationWhenReady string 1203 1204 // EnableNodePort enables k8s NodePort service implementation in BPF 1205 EnableNodePort bool 1206 1207 // NodePortMin is the minimum port address for the NodePort range 1208 NodePortMin int 1209 1210 // NodePortMax is the maximum port address for the NodePort range 1211 NodePortMax int 1212 1213 // excludeLocalAddresses excludes certain addresses to be recognized as 1214 // a local address 1215 excludeLocalAddresses []*net.IPNet 1216 1217 // IPv4PodSubnets available subnets to be assign IPv4 addresses to pods from 1218 IPv4PodSubnets []*net.IPNet 1219 1220 // IPv6PodSubnets available subnets to be assign IPv6 addresses to pods from 1221 IPv6PodSubnets []*net.IPNet 1222 1223 // IPAM is the IPAM method to use 1224 IPAM string 1225 1226 // AutoCreateCiliumNodeResource enables automatic creation of a 1227 // CiliumNode resource for the local node 1228 AutoCreateCiliumNodeResource bool 1229 1230 // ipv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable 1231 ipv4NativeRoutingCIDR *cidr.CIDR 1232 1233 // EgressMasqueradeInterfaces is the selector used to select interfaces 1234 // subject to egress masquerading 1235 EgressMasqueradeInterfaces string 1236 1237 // PolicyTriggerInterval is the amount of time between when policy updates 1238 // are triggered. 1239 PolicyTriggerInterval time.Duration 1240 1241 // IdentityAllocationMode specifies what mode to use for identity 1242 // allocation 1243 IdentityAllocationMode string 1244 1245 // DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP 1246 // CRD. 1247 DisableCNPStatusUpdates bool 1248 1249 // AwsInstanceLimitMapping allows overwirting AWS instance limits defined in 1250 // pkg/aws/eni/limits.go 1251 // e.g. {"a1.medium": "2,4,4", "a2.custom2": "4,5,6"} 1252 AwsInstanceLimitMapping map[string]string 1253 1254 // AwsReleaseExcessIps allows releasing excess free IP addresses from ENI. 1255 // Enabling this option reduces waste of IP addresses but may increase 1256 // the number of API calls to AWS EC2 service. 1257 AwsReleaseExcessIps bool 1258 } 1259 1260 var ( 1261 // Config represents the daemon configuration 1262 Config = &DaemonConfig{ 1263 Opts: NewIntOptions(&DaemonOptionLibrary), 1264 Monitor: &models.MonitorStatus{Cpus: int64(runtime.NumCPU()), Npages: 64, Pagesize: int64(os.Getpagesize()), Lost: 0, Unknown: 0}, 1265 IPv6ClusterAllocCIDR: defaults.IPv6ClusterAllocCIDR, 1266 IPv6ClusterAllocCIDRBase: defaults.IPv6ClusterAllocCIDRBase, 1267 EnableHostIPRestore: defaults.EnableHostIPRestore, 1268 EnableHealthChecking: defaults.EnableHealthChecking, 1269 EnableEndpointHealthChecking: defaults.EnableEndpointHealthChecking, 1270 EnableIPv4: defaults.EnableIPv4, 1271 EnableIPv6: defaults.EnableIPv6, 1272 EnableL7Proxy: defaults.EnableL7Proxy, 1273 ToFQDNsMaxIPsPerHost: defaults.ToFQDNsMaxIPsPerHost, 1274 KVstorePeriodicSync: defaults.KVstorePeriodicSync, 1275 KVstoreConnectivityTimeout: defaults.KVstoreConnectivityTimeout, 1276 IPAllocationTimeout: defaults.IPAllocationTimeout, 1277 IdentityChangeGracePeriod: defaults.IdentityChangeGracePeriod, 1278 ContainerRuntimeEndpoint: make(map[string]string), 1279 FixedIdentityMapping: make(map[string]string), 1280 KVStoreOpt: make(map[string]string), 1281 LogOpt: make(map[string]string), 1282 SelectiveRegeneration: defaults.SelectiveRegeneration, 1283 LoopbackIPv4: defaults.LoopbackIPv4, 1284 EndpointInterfaceNamePrefix: defaults.EndpointInterfaceNamePrefix, 1285 BlacklistConflictingRoutes: defaults.BlacklistConflictingRoutes, 1286 ForceLocalPolicyEvalAtSource: defaults.ForceLocalPolicyEvalAtSource, 1287 EnableEndpointRoutes: defaults.EnableEndpointRoutes, 1288 AnnotateK8sNode: defaults.AnnotateK8sNode, 1289 K8sServiceCacheSize: defaults.K8sServiceCacheSize, 1290 AutoCreateCiliumNodeResource: defaults.AutoCreateCiliumNodeResource, 1291 IdentityAllocationMode: IdentityAllocationModeKVstore, 1292 } 1293 ) 1294 1295 // IPv4NativeRoutingCIDR returns the native routing CIDR if configured 1296 func (c *DaemonConfig) IPv4NativeRoutingCIDR() (cidr *cidr.CIDR) { 1297 c.ConfigPatchMutex.RLock() 1298 cidr = c.ipv4NativeRoutingCIDR 1299 c.ConfigPatchMutex.RUnlock() 1300 return 1301 } 1302 1303 // SetIPv4NativeRoutingCIDR sets the native routing CIDR 1304 func (c *DaemonConfig) SetIPv4NativeRoutingCIDR(cidr *cidr.CIDR) { 1305 c.ConfigPatchMutex.Lock() 1306 c.ipv4NativeRoutingCIDR = cidr 1307 c.ConfigPatchMutex.Unlock() 1308 } 1309 1310 // IsExcludedLocalAddress returns true if the specified IP matches one of the 1311 // excluded local IP ranges 1312 func (c *DaemonConfig) IsExcludedLocalAddress(ip net.IP) bool { 1313 for _, ipnet := range c.excludeLocalAddresses { 1314 if ipnet.Contains(ip) { 1315 return true 1316 } 1317 } 1318 1319 return false 1320 } 1321 1322 // IsPodSubnetsDefined returns true if encryption subnets should be configured at init time. 1323 func (c *DaemonConfig) IsPodSubnetsDefined() bool { 1324 return len(c.IPv4PodSubnets) > 0 || len(c.IPv6PodSubnets) > 0 1325 } 1326 1327 // IsLBEnabled returns true if LB should be enabled 1328 func (c *DaemonConfig) IsLBEnabled() bool { 1329 return c.LBInterface != "" 1330 } 1331 1332 // GetNodeConfigPath returns the full path of the NodeConfigFile. 1333 func (c *DaemonConfig) GetNodeConfigPath() string { 1334 return filepath.Join(c.GetGlobalsDir(), common.NodeConfigFile) 1335 } 1336 1337 // GetGlobalsDir returns the path for the globals directory. 1338 func (c *DaemonConfig) GetGlobalsDir() string { 1339 return filepath.Join(c.StateDir, "globals") 1340 } 1341 1342 // WorkloadsEnabled returns true if any workload runtimes are enabled 1343 func (c *DaemonConfig) WorkloadsEnabled() bool { 1344 for _, w := range c.Workloads { 1345 if w == "none" { 1346 return false 1347 } 1348 } 1349 1350 return len(c.Workloads) > 0 1351 } 1352 1353 // AlwaysAllowLocalhost returns true if the daemon has the option set that 1354 // localhost can always reach local endpoints 1355 func (c *DaemonConfig) AlwaysAllowLocalhost() bool { 1356 switch c.AllowLocalhost { 1357 case AllowLocalhostAlways: 1358 return true 1359 case AllowLocalhostAuto, AllowLocalhostPolicy: 1360 return false 1361 default: 1362 return false 1363 } 1364 } 1365 1366 // TracingEnabled returns if tracing policy (outlining which rules apply to a 1367 // specific set of labels) is enabled. 1368 func (c *DaemonConfig) TracingEnabled() bool { 1369 return c.Opts.IsEnabled(PolicyTracing) 1370 } 1371 1372 // IsFlannelMasterDeviceSet returns if the flannel master device is set. 1373 func (c *DaemonConfig) IsFlannelMasterDeviceSet() bool { 1374 return len(c.FlannelMasterDevice) != 0 1375 } 1376 1377 func (c *DaemonConfig) validateIPv6ClusterAllocCIDR() error { 1378 ip, cidr, err := net.ParseCIDR(c.IPv6ClusterAllocCIDR) 1379 if err != nil { 1380 return err 1381 } 1382 1383 if cidr == nil { 1384 return fmt.Errorf("ParseCIDR returned nil") 1385 } 1386 1387 if ones, _ := cidr.Mask.Size(); ones != 64 { 1388 return fmt.Errorf("CIDR length must be /64") 1389 } 1390 1391 c.IPv6ClusterAllocCIDRBase = ip.Mask(cidr.Mask).String() 1392 1393 return nil 1394 } 1395 1396 // Validate validates the daemon configuration 1397 func (c *DaemonConfig) Validate() error { 1398 if err := c.validateIPv6ClusterAllocCIDR(); err != nil { 1399 return fmt.Errorf("unable to parse CIDR value '%s' of option --%s: %s", 1400 c.IPv6ClusterAllocCIDR, IPv6ClusterAllocCIDRName, err) 1401 } 1402 1403 if c.MTU < 0 { 1404 return fmt.Errorf("MTU '%d' cannot be negative", c.MTU) 1405 } 1406 1407 switch c.Tunnel { 1408 case TunnelVXLAN, TunnelGeneve, "": 1409 case TunnelDisabled: 1410 if c.UseSingleClusterRoute { 1411 return fmt.Errorf("option --%s cannot be used in combination with --%s=%s", 1412 SingleClusterRouteName, TunnelName, TunnelDisabled) 1413 } 1414 default: 1415 return fmt.Errorf("invalid tunnel mode '%s', valid modes = {%s}", c.Tunnel, GetTunnelModes()) 1416 } 1417 1418 if c.ClusterID < ClusterIDMin || c.ClusterID > ClusterIDMax { 1419 return fmt.Errorf("invalid cluster id %d: must be in range %d..%d", 1420 c.ClusterID, ClusterIDMin, ClusterIDMax) 1421 } 1422 1423 if c.ClusterID != 0 { 1424 if c.ClusterName == defaults.ClusterName { 1425 return fmt.Errorf("cannot use default cluster name (%s) with option %s", 1426 defaults.ClusterName, ClusterIDName) 1427 } 1428 } 1429 1430 if c.CTMapEntriesGlobalTCP < LimitTableMin || c.CTMapEntriesGlobalAny < LimitTableMin { 1431 return fmt.Errorf("specified CT tables values %d/%d must exceed minimum %d", 1432 c.CTMapEntriesGlobalTCP, c.CTMapEntriesGlobalAny, LimitTableMin) 1433 } 1434 if c.CTMapEntriesGlobalTCP > LimitTableMax || c.CTMapEntriesGlobalAny > LimitTableMax { 1435 return fmt.Errorf("specified CT tables values %d/%d must not exceed maximum %d", 1436 c.CTMapEntriesGlobalTCP, c.CTMapEntriesGlobalAny, LimitTableMax) 1437 } 1438 if c.NATMapEntriesGlobal < LimitTableMin { 1439 return fmt.Errorf("specified NAT table size %d must exceed minimum %d", 1440 c.NATMapEntriesGlobal, LimitTableMin) 1441 } 1442 if c.NATMapEntriesGlobal > LimitTableMax { 1443 return fmt.Errorf("specified NAT tables size %d must not exceed maximum %d", 1444 c.NATMapEntriesGlobal, LimitTableMax) 1445 } 1446 if c.NATMapEntriesGlobal > c.CTMapEntriesGlobalTCP+c.CTMapEntriesGlobalAny { 1447 if c.NATMapEntriesGlobal == NATMapEntriesGlobalDefault { 1448 // Auto-size for the case where CT table size was adapted but NAT still on default 1449 c.NATMapEntriesGlobal = int((c.CTMapEntriesGlobalTCP + c.CTMapEntriesGlobalAny) * 2 / 3) 1450 } else { 1451 return fmt.Errorf("specified NAT tables size %d must not exceed maximum CT table size %d", 1452 c.NATMapEntriesGlobal, c.CTMapEntriesGlobalTCP+c.CTMapEntriesGlobalAny) 1453 } 1454 } 1455 1456 policyMapMin := (1 << 8) 1457 policyMapMax := (1 << 16) 1458 if c.PolicyMapMaxEntries < policyMapMin { 1459 return fmt.Errorf("specified PolicyMap max entries %d must exceed minimum %d", 1460 c.PolicyMapMaxEntries, policyMapMin) 1461 } 1462 if c.PolicyMapMaxEntries > policyMapMax { 1463 return fmt.Errorf("specified PolicyMap max entries %d must not exceed maximum %d", 1464 c.PolicyMapMaxEntries, policyMapMax) 1465 } 1466 // Validate that the KVStore Lease TTL value lies between a particular range. 1467 if c.KVstoreLeaseTTL > defaults.KVstoreLeaseMaxTTL || c.KVstoreLeaseTTL < defaults.LockLeaseTTL { 1468 return fmt.Errorf("KVstoreLeaseTTL does not lie in required range(%ds, %ds)", 1469 int64(defaults.LockLeaseTTL.Seconds()), 1470 int64(defaults.KVstoreLeaseMaxTTL.Seconds())) 1471 } 1472 1473 if c.WriteCNIConfigurationWhenReady != "" && c.ReadCNIConfiguration == "" { 1474 return fmt.Errorf("%s must be set when using %s", ReadCNIConfiguration, WriteCNIConfigurationWhenReady) 1475 } 1476 1477 if c.EnableHostReachableServices && !c.EnableHostServicesUDP && !c.EnableHostServicesTCP { 1478 return fmt.Errorf("%s must be at minimum one of [%s,%s]", 1479 HostReachableServicesProtos, HostServicesTCP, HostServicesUDP) 1480 } 1481 1482 return nil 1483 } 1484 1485 // ReadDirConfig reads the given directory and returns a map that maps the 1486 // filename to the contents of that file. 1487 func ReadDirConfig(dirName string) (map[string]interface{}, error) { 1488 m := map[string]interface{}{} 1489 fi, err := ioutil.ReadDir(dirName) 1490 if err != nil && !os.IsNotExist(err) { 1491 return nil, fmt.Errorf("unable to read configuration directory: %s", err) 1492 } 1493 for _, f := range fi { 1494 if f.Mode().IsDir() { 1495 continue 1496 } 1497 fName := filepath.Join(dirName, f.Name()) 1498 1499 // the file can still be a symlink to a directory 1500 if f.Mode()&os.ModeSymlink == 0 { 1501 absFileName, err := filepath.EvalSymlinks(fName) 1502 if err != nil { 1503 log.Warnf("Unable to read configuration file %q: %s", absFileName, err) 1504 continue 1505 } 1506 fName = absFileName 1507 } 1508 1509 f, err = os.Stat(fName) 1510 if err != nil { 1511 log.Warnf("Unable to read configuration file %q: %s", fName, err) 1512 continue 1513 } 1514 if f.Mode().IsDir() { 1515 continue 1516 } 1517 1518 b, err := ioutil.ReadFile(fName) 1519 if err != nil { 1520 log.Warnf("Unable to read configuration file %q: %s", fName, err) 1521 continue 1522 } 1523 m[f.Name()] = string(bytes.TrimSpace(b)) 1524 } 1525 return m, nil 1526 } 1527 1528 // MergeConfig merges the given configuration map with viper's configuration. 1529 func MergeConfig(m map[string]interface{}) error { 1530 err := viper.MergeConfigMap(m) 1531 if err != nil { 1532 return fmt.Errorf("unable to read merge directory configuration: %s", err) 1533 } 1534 return nil 1535 } 1536 1537 // ReplaceDeprecatedFields replaces the deprecated options set with the new set 1538 // of options that overwrite the deprecated ones. 1539 // This function replaces the deprecated fields used by environment variables 1540 // with a different name than the option they are setting. This also replaces 1541 // the deprecated names used in the Kubernetes ConfigMap. 1542 // Once we remove them from this function we also need to remove them from 1543 // daemon_main.go and warn users about the old environment variable nor the 1544 // option in the configuration map have any effect. 1545 func ReplaceDeprecatedFields(m map[string]interface{}) { 1546 deprecatedFields := map[string]string{ 1547 "monitor-aggregation-level": MonitorAggregationName, 1548 "ct-global-max-entries-tcp": CTMapEntriesGlobalTCPName, 1549 "ct-global-max-entries-other": CTMapEntriesGlobalAnyName, 1550 } 1551 for deprecatedOption, newOption := range deprecatedFields { 1552 if deprecatedValue, ok := m[deprecatedOption]; ok { 1553 if _, ok := m[newOption]; !ok { 1554 m[newOption] = deprecatedValue 1555 } 1556 } 1557 } 1558 } 1559 1560 func (c *DaemonConfig) parseExcludedLocalAddresses(s []string) error { 1561 for _, ipString := range s { 1562 _, ipnet, err := net.ParseCIDR(ipString) 1563 if err != nil { 1564 return fmt.Errorf("unable to parse excluded local address %s: %s", ipString, err) 1565 } 1566 1567 c.excludeLocalAddresses = append(c.excludeLocalAddresses, ipnet) 1568 } 1569 1570 return nil 1571 } 1572 1573 // Populate sets all options with the values from viper 1574 func (c *DaemonConfig) Populate() { 1575 var err error 1576 1577 c.AccessLog = viper.GetString(AccessLog) 1578 c.AgentLabels = viper.GetStringSlice(AgentLabels) 1579 c.AllowLocalhost = viper.GetString(AllowLocalhost) 1580 c.AnnotateK8sNode = viper.GetBool(AnnotateK8sNode) 1581 c.AutoCreateCiliumNodeResource = viper.GetBool(AutoCreateCiliumNodeResource) 1582 c.BPFCompilationDebug = viper.GetBool(BPFCompileDebugName) 1583 c.CTMapEntriesGlobalTCP = viper.GetInt(CTMapEntriesGlobalTCPName) 1584 c.CTMapEntriesGlobalAny = viper.GetInt(CTMapEntriesGlobalAnyName) 1585 c.NATMapEntriesGlobal = viper.GetInt(NATMapEntriesGlobalName) 1586 c.BPFRoot = viper.GetString(BPFRoot) 1587 c.CGroupRoot = viper.GetString(CGroupRoot) 1588 c.ClusterID = viper.GetInt(ClusterIDName) 1589 c.ClusterName = viper.GetString(ClusterName) 1590 c.ClusterMeshConfig = viper.GetString(ClusterMeshConfigName) 1591 c.DatapathMode = viper.GetString(DatapathMode) 1592 c.Debug = viper.GetBool(DebugArg) 1593 c.DebugVerbose = viper.GetStringSlice(DebugVerbose) 1594 c.Device = viper.GetString(Device) 1595 c.DisableConntrack = viper.GetBool(DisableConntrack) 1596 c.EnableIPv4 = getIPv4Enabled() 1597 c.EnableIPv6 = viper.GetBool(EnableIPv6Name) 1598 c.EnableIPSec = viper.GetBool(EnableIPSecName) 1599 c.EndpointInterfaceNamePrefix = viper.GetString(EndpointInterfaceNamePrefix) 1600 c.DevicePreFilter = viper.GetString(PrefilterDevice) 1601 c.DisableCiliumEndpointCRD = viper.GetBool(DisableCiliumEndpointCRDName) 1602 c.DisableK8sServices = viper.GetBool(DisableK8sServices) 1603 c.EgressMasqueradeInterfaces = viper.GetString(EgressMasqueradeInterfaces) 1604 c.EnableHostReachableServices = viper.GetBool(EnableHostReachableServices) 1605 c.DockerEndpoint = viper.GetString(Docker) 1606 c.EnableXTSocketFallback = viper.GetBool(EnableXTSocketFallbackName) 1607 c.EnableAutoDirectRouting = viper.GetBool(EnableAutoDirectRoutingName) 1608 c.EnableEndpointRoutes = viper.GetBool(EnableEndpointRoutes) 1609 c.EnableHealthChecking = viper.GetBool(EnableHealthChecking) 1610 c.EnableEndpointHealthChecking = viper.GetBool(EnableEndpointHealthChecking) 1611 c.EnablePolicy = strings.ToLower(viper.GetString(EnablePolicy)) 1612 c.EnableL7Proxy = viper.GetBool(EnableL7Proxy) 1613 c.EnableTracing = viper.GetBool(EnableTracing) 1614 c.EnableNodePort = viper.GetBool(EnableNodePort) 1615 c.EncryptInterface = viper.GetString(EncryptInterface) 1616 c.EncryptNode = viper.GetBool(EncryptNode) 1617 c.EnvoyLogPath = viper.GetString(EnvoyLog) 1618 c.ForceLocalPolicyEvalAtSource = viper.GetBool(ForceLocalPolicyEvalAtSource) 1619 c.HostDevice = getHostDevice() 1620 c.HTTPIdleTimeout = viper.GetInt(HTTPIdleTimeout) 1621 c.HTTPMaxGRPCTimeout = viper.GetInt(HTTPMaxGRPCTimeout) 1622 c.HTTPRequestTimeout = viper.GetInt(HTTPRequestTimeout) 1623 c.HTTPRetryCount = viper.GetInt(HTTPRetryCount) 1624 c.HTTPRetryTimeout = viper.GetInt(HTTPRetryTimeout) 1625 c.IPv4ClusterCIDRMaskSize = viper.GetInt(IPv4ClusterCIDRMaskSize) 1626 c.IdentityChangeGracePeriod = viper.GetDuration(IdentityChangeGracePeriod) 1627 c.IPAM = viper.GetString(IPAM) 1628 c.IPv4Range = viper.GetString(IPv4Range) 1629 c.IPv4NodeAddr = viper.GetString(IPv4NodeAddr) 1630 c.IPv4ServiceRange = viper.GetString(IPv4ServiceRange) 1631 c.IPv6ClusterAllocCIDR = viper.GetString(IPv6ClusterAllocCIDRName) 1632 c.IPv6NodeAddr = viper.GetString(IPv6NodeAddr) 1633 c.IPv6Range = viper.GetString(IPv6Range) 1634 c.IPv6ServiceRange = viper.GetString(IPv6ServiceRange) 1635 c.K8sAPIServer = viper.GetString(K8sAPIServer) 1636 c.K8sKubeConfigPath = viper.GetString(K8sKubeConfigPath) 1637 c.K8sRequireIPv4PodCIDR = viper.GetBool(K8sRequireIPv4PodCIDRName) 1638 c.K8sRequireIPv6PodCIDR = viper.GetBool(K8sRequireIPv6PodCIDRName) 1639 c.K8sServiceCacheSize = uint(viper.GetInt(K8sServiceCacheSize)) 1640 c.K8sForceJSONPatch = viper.GetBool(K8sForceJSONPatch) 1641 c.K8sEventHandover = viper.GetBool(K8sEventHandover) 1642 c.K8sSyncTimeout = viper.GetDuration(K8sSyncTimeoutName) 1643 c.K8sWatcherQueueSize = uint(viper.GetInt(K8sWatcherQueueSize)) 1644 c.K8sWatcherEndpointSelector = viper.GetString(K8sWatcherEndpointSelector) 1645 c.KeepTemplates = viper.GetBool(KeepBPFTemplates) 1646 c.KeepConfig = viper.GetBool(KeepConfig) 1647 c.KVStore = viper.GetString(KVStore) 1648 c.KVstoreLeaseTTL = viper.GetDuration(KVstoreLeaseTTL) 1649 c.KVstoreKeepAliveInterval = c.KVstoreLeaseTTL / defaults.KVstoreKeepAliveIntervalFactor 1650 c.KVstorePeriodicSync = viper.GetDuration(KVstorePeriodicSync) 1651 c.KVstoreConnectivityTimeout = viper.GetDuration(KVstoreConnectivityTimeout) 1652 c.IPAllocationTimeout = viper.GetDuration(IPAllocationTimeout) 1653 c.LabelPrefixFile = viper.GetString(LabelPrefixFile) 1654 c.Labels = viper.GetStringSlice(Labels) 1655 c.LBInterface = viper.GetString(LB) 1656 c.LibDir = viper.GetString(LibDir) 1657 c.LogDriver = viper.GetStringSlice(LogDriver) 1658 c.LogSystemLoadConfig = viper.GetBool(LogSystemLoadConfigName) 1659 c.Logstash = viper.GetBool(Logstash) 1660 c.LoopbackIPv4 = viper.GetString(LoopbackIPv4) 1661 c.Masquerade = viper.GetBool(Masquerade) 1662 c.InstallIptRules = viper.GetBool(InstallIptRules) 1663 c.IPTablesLockTimeout = viper.GetDuration(IPTablesLockTimeout) 1664 c.IPSecKeyFile = viper.GetString(IPSecKeyFileName) 1665 c.ModePreFilter = viper.GetString(PrefilterMode) 1666 c.MonitorAggregation = viper.GetString(MonitorAggregationName) 1667 c.MonitorQueueSize = viper.GetInt(MonitorQueueSizeName) 1668 c.MTU = viper.GetInt(MTUName) 1669 c.NAT46Range = viper.GetString(NAT46Range) 1670 c.FlannelMasterDevice = viper.GetString(FlannelMasterDevice) 1671 c.FlannelUninstallOnExit = viper.GetBool(FlannelUninstallOnExit) 1672 c.FlannelManageExistingContainers = viper.GetBool(FlannelManageExistingContainers) 1673 c.PolicyMapMaxEntries = viper.GetInt(PolicyMapEntriesName) 1674 c.PProf = viper.GetBool(PProf) 1675 c.PreAllocateMaps = viper.GetBool(PreAllocateMapsName) 1676 c.PrependIptablesChains = viper.GetBool(PrependIptablesChainsName) 1677 c.PrometheusServeAddr = getPrometheusServerAddr() 1678 c.ProxyConnectTimeout = viper.GetInt(ProxyConnectTimeout) 1679 c.BlacklistConflictingRoutes = viper.GetBool(BlacklistConflictingRoutes) 1680 c.ReadCNIConfiguration = viper.GetString(ReadCNIConfiguration) 1681 c.RestoreState = viper.GetBool(Restore) 1682 c.RunDir = viper.GetString(StateDir) 1683 c.SidecarIstioProxyImage = viper.GetString(SidecarIstioProxyImage) 1684 c.UseSingleClusterRoute = viper.GetBool(SingleClusterRouteName) 1685 c.SocketPath = viper.GetString(SocketPath) 1686 c.SockopsEnable = viper.GetBool(SockopsEnableName) 1687 c.TracePayloadlen = viper.GetInt(TracePayloadlen) 1688 c.Tunnel = viper.GetString(TunnelName) 1689 c.Version = viper.GetString(Version) 1690 c.Workloads = viper.GetStringSlice(ContainerRuntime) 1691 c.WriteCNIConfigurationWhenReady = viper.GetString(WriteCNIConfigurationWhenReady) 1692 c.PolicyTriggerInterval = viper.GetDuration(PolicyTriggerInterval) 1693 c.CTMapEntriesTimeoutTCP = viper.GetDuration(CTMapEntriesTimeoutTCPName) 1694 c.CTMapEntriesTimeoutAny = viper.GetDuration(CTMapEntriesTimeoutAnyName) 1695 c.CTMapEntriesTimeoutSVCTCP = viper.GetDuration(CTMapEntriesTimeoutSVCTCPName) 1696 c.CTMapEntriesTimeoutSVCAny = viper.GetDuration(CTMapEntriesTimeoutSVCAnyName) 1697 c.CTMapEntriesTimeoutSYN = viper.GetDuration(CTMapEntriesTimeoutSYNName) 1698 c.CTMapEntriesTimeoutFIN = viper.GetDuration(CTMapEntriesTimeoutFINName) 1699 1700 if nativeCIDR := viper.GetString(IPv4NativeRoutingCIDR); nativeCIDR != "" { 1701 c.ipv4NativeRoutingCIDR = cidr.MustParseCIDR(nativeCIDR) 1702 } 1703 1704 // toFQDNs options 1705 // When the poller is enabled, the default MinTTL is lowered. This is to 1706 // avoid caching large sets of identities generated by a poller (it runs 1707 // every 5s). Without the poller, a longer default is better because it 1708 // avoids confusion about dropped connections. 1709 c.ToFQDNsEnablePoller = viper.GetBool(ToFQDNsEnablePoller) 1710 c.ToFQDNsEnablePollerEvents = viper.GetBool(ToFQDNsEnablePollerEvents) 1711 c.ToFQDNsMaxIPsPerHost = viper.GetInt(ToFQDNsMaxIPsPerHost) 1712 userSetMinTTL := viper.GetInt(ToFQDNsMinTTL) 1713 switch { 1714 case userSetMinTTL != 0: // set by user 1715 c.ToFQDNsMinTTL = userSetMinTTL 1716 case c.ToFQDNsEnablePoller: 1717 c.ToFQDNsMinTTL = defaults.ToFQDNsMinTTLPoller 1718 default: 1719 c.ToFQDNsMinTTL = defaults.ToFQDNsMinTTL 1720 } 1721 c.ToFQDNsProxyPort = viper.GetInt(ToFQDNsProxyPort) 1722 c.ToFQDNsPreCache = viper.GetString(ToFQDNsPreCache) 1723 1724 // Convert IP strings into net.IPNet types 1725 subnets, invalid := ip.ParseCIDRs(viper.GetStringSlice(IPv4PodSubnets)) 1726 if len(invalid) > 0 { 1727 log.WithFields( 1728 logrus.Fields{ 1729 "Subnets": invalid, 1730 }).Warning("IPv4PodSubnets parameter can not be parsed.") 1731 } 1732 c.IPv4PodSubnets = subnets 1733 1734 subnets, invalid = ip.ParseCIDRs(viper.GetStringSlice(IPv6PodSubnets)) 1735 if len(invalid) > 0 { 1736 log.WithFields( 1737 logrus.Fields{ 1738 "Subnets": invalid, 1739 }).Warning("IPv6PodSubnets parameter can not be parsed.") 1740 } 1741 c.IPv6PodSubnets = subnets 1742 1743 nodePortRange := viper.GetStringSlice(NodePortRange) 1744 if len(nodePortRange) > 0 { 1745 if len(nodePortRange) != 2 { 1746 log.Fatal("Unable to parse min/max port for NodePort range!") 1747 } 1748 c.NodePortMin, err = strconv.Atoi(nodePortRange[0]) 1749 if err != nil { 1750 log.WithError(err).Fatal("Unable to parse min port value for NodePort range!") 1751 } 1752 c.NodePortMax, err = strconv.Atoi(nodePortRange[1]) 1753 if err != nil { 1754 log.WithError(err).Fatal("Unable to parse max port value for NodePort range!") 1755 } 1756 if c.NodePortMax <= c.NodePortMin { 1757 log.Fatal("NodePort range min port must be smaller than max port!") 1758 } 1759 } 1760 1761 hostServicesProtos := viper.GetStringSlice(HostReachableServicesProtos) 1762 if len(hostServicesProtos) > 2 { 1763 log.Fatal("Unable to parse protocols for host reachable services!") 1764 } 1765 for i := 0; i < len(hostServicesProtos); i++ { 1766 switch strings.ToLower(hostServicesProtos[i]) { 1767 case HostServicesTCP: 1768 c.EnableHostServicesTCP = true 1769 case HostServicesUDP: 1770 c.EnableHostServicesUDP = true 1771 default: 1772 log.Fatalf("Unable to parse protocol %s for host reachable services!", 1773 hostServicesProtos[i]) 1774 } 1775 } 1776 1777 // Map options 1778 if m := viper.GetStringMapString(ContainerRuntimeEndpoint); len(m) != 0 { 1779 c.ContainerRuntimeEndpoint = m 1780 } 1781 1782 if m := viper.GetStringMapString(FixedIdentityMapping); len(m) != 0 { 1783 c.FixedIdentityMapping = m 1784 } 1785 1786 if m := viper.GetStringMapString(KVStoreOpt); len(m) != 0 { 1787 c.KVStoreOpt = m 1788 } 1789 1790 if m := viper.GetStringMapString(LogOpt); len(m) != 0 { 1791 c.LogOpt = m 1792 } 1793 1794 if val := viper.GetInt(ConntrackGarbageCollectorIntervalDeprecated); val != 0 { 1795 c.ConntrackGCInterval = time.Duration(val) * time.Second 1796 } else { 1797 c.ConntrackGCInterval = viper.GetDuration(ConntrackGCInterval) 1798 } 1799 1800 if c.MonitorQueueSize == 0 { 1801 c.MonitorQueueSize = runtime.NumCPU() * defaults.MonitorQueueSizePerCPU 1802 if c.MonitorQueueSize > defaults.MonitorQueueSizePerCPUMaximum { 1803 c.MonitorQueueSize = defaults.MonitorQueueSizePerCPUMaximum 1804 } 1805 } 1806 1807 // Metrics Setup 1808 defaultMetrics := metrics.DefaultMetrics() 1809 for _, metric := range viper.GetStringSlice(Metrics) { 1810 switch metric[0] { 1811 case '+': 1812 defaultMetrics[metric[1:]] = struct{}{} 1813 case '-': 1814 delete(defaultMetrics, metric[1:]) 1815 } 1816 } 1817 var collectors []prometheus.Collector 1818 metricsSlice := common.MapStringStructToSlice(defaultMetrics) 1819 c.MetricsConfig, collectors = metrics.CreateConfiguration(metricsSlice) 1820 metrics.MustRegister(collectors...) 1821 1822 if err := c.parseExcludedLocalAddresses(viper.GetStringSlice(ExcludeLocalAddress)); err != nil { 1823 log.WithError(err).Fatalf("Unable to parse excluded local addresses") 1824 } 1825 1826 c.IdentityAllocationMode = viper.GetString(IdentityAllocationMode) 1827 switch c.IdentityAllocationMode { 1828 // This is here for tests. Some call Populate without the normal init 1829 case "": 1830 c.IdentityAllocationMode = IdentityAllocationModeKVstore 1831 1832 case IdentityAllocationModeKVstore, IdentityAllocationModeCRD: 1833 // c.IdentityAllocationMode is set above 1834 1835 default: 1836 log.Fatalf("Invalid identity allocation mode %q. It must be one of %s or %s", c.IdentityAllocationMode, IdentityAllocationModeKVstore, IdentityAllocationModeCRD) 1837 } 1838 if c.KVStore == "" { 1839 if c.IdentityAllocationMode != IdentityAllocationModeCRD { 1840 log.Warningf("Running Cilium with %q=%q requires identity allocation via CRDs. Changing %s to %q", KVStore, c.KVStore, IdentityAllocationMode, IdentityAllocationModeCRD) 1841 c.IdentityAllocationMode = IdentityAllocationModeCRD 1842 } 1843 if c.DisableCiliumEndpointCRD { 1844 log.Warningf("Running Cilium with %q=%q requires endpoint CRDs. Changing %s to %t", KVStore, c.KVStore, DisableCiliumEndpointCRDName, false) 1845 c.DisableCiliumEndpointCRD = false 1846 } 1847 if c.K8sEventHandover { 1848 log.Warningf("Running Cilium with %q=%q requires KVStore capability. Changing %s to %t", KVStore, c.KVStore, K8sEventHandover, false) 1849 c.K8sEventHandover = false 1850 } 1851 } 1852 1853 // Hidden options 1854 c.ConfigFile = viper.GetString(ConfigFile) 1855 c.HTTP403Message = viper.GetString(HTTP403Message) 1856 c.DisableEnvoyVersionCheck = viper.GetBool(DisableEnvoyVersionCheck) 1857 c.K8sNamespace = viper.GetString(K8sNamespaceName) 1858 c.MaxControllerInterval = viper.GetInt(MaxCtrlIntervalName) 1859 c.SidecarHTTPProxy = viper.GetBool(SidecarHTTPProxy) 1860 c.CMDRefDir = viper.GetString(CMDRef) 1861 c.PolicyQueueSize = sanitizeIntParam(PolicyQueueSize, defaults.PolicyQueueSize) 1862 c.EndpointQueueSize = sanitizeIntParam(EndpointQueueSize, defaults.EndpointQueueSize) 1863 c.SelectiveRegeneration = viper.GetBool(SelectiveRegeneration) 1864 c.SkipCRDCreation = viper.GetBool(SkipCRDCreation) 1865 c.DisableCNPStatusUpdates = viper.GetBool(DisableCNPStatusUpdates) 1866 c.AwsReleaseExcessIps = viper.GetBool(AwsReleaseExcessIps) 1867 } 1868 1869 func sanitizeIntParam(paramName string, paramDefault int) int { 1870 intParam := viper.GetInt(paramName) 1871 if intParam <= 0 { 1872 log.WithFields( 1873 logrus.Fields{ 1874 "parameter": paramName, 1875 "defaultValue": paramDefault, 1876 }).Warning("user-provided parameter had value <= 0 , which is invalid ; setting to default") 1877 return paramDefault 1878 } 1879 return intParam 1880 } 1881 1882 func getIPv4Enabled() bool { 1883 if viper.GetBool(LegacyDisableIPv4Name) { 1884 return false 1885 } 1886 1887 return viper.GetBool(EnableIPv4Name) 1888 } 1889 1890 func getPrometheusServerAddr() string { 1891 promAddr := viper.GetString(PrometheusServeAddr) 1892 if promAddr == "" { 1893 return viper.GetString("prometheus-serve-addr-deprecated") 1894 } 1895 return promAddr 1896 } 1897 1898 func getHostDevice() string { 1899 hostDevice := viper.GetString(FlannelMasterDevice) 1900 if hostDevice == "" { 1901 return defaults.HostDevice 1902 } 1903 return hostDevice 1904 }