package
1.6.3
Repository: https://github.com/form3tech-oss/cilium.git
Documentation: pkg.go.dev

# Functions

BindEnv binds the option name to a deterministically generated environment variable whose name is derived from the given optName.
BindEnvWithLegacyEnvFallback binds the given option name with either the same environment variable as BindEnv, if it's set, or with the given legacyEnvName.
FormatMonitorAggregationLevel maps a MonitorAggregationLevel to a string.
No description provided by the author
GetTunnelModes returns the list of all tunnel modes.
LogRegisteredOptions logs all options that were bound to viper.
MergeConfig merges the given configuration map with viper's configuration.
No description provided by the author
NewMapOpts creates a new MapOpts with the specified map of values and an optional validator.
NewNamedMapOptions creates a reference to a new NamedMapOpts struct.
No description provided by the author
ParseDaemonOption parses a string as daemon option.
No description provided by the author
ParseMonitorAggregationLevel turns a string into a monitor aggregation level.
No description provided by the author
ReadDirConfig reads the given directory and returns a map that maps the filename to the contents of that file.
ReplaceDeprecatedFields replaces the deprecated options set with the new set of options that overwrite the deprecated ones.
VerifyMonitorAggregationLevel validates the specified key/value for a monitor aggregation level.
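The functions above describe three precedence rules that matter operationally: an option's derived environment variable beats its legacy one (BindEnvWithLegacyEnvFallback), a ConfigDir is a directory of files whose names are option names (ReadDirConfig), and deprecated option names are rewritten to their replacements (ReplaceDeprecatedFields, MergeConfig). The following is an added example, not this package's code: it reimplements those rules over plain maps so the behaviour can be exercised without viper. The "CILIUM_" prefix, the dash-to-underscore rule and the two deprecated flag strings are assumptions of the example, not values taken from the listing.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// deprecatedOptions maps assumed deprecated flag strings to their current
// names; only the pairs the package listing names are used, and the literal
// flag strings are this example's assumption.
var deprecatedOptions = map[string]string{
	"conntrack-garbage-collector-interval": "conntrack-gc-interval",
	"prometheus-serve-addr-deprecated":     "prometheus-serve-addr",
}

// envName derives the environment variable for an option the way a
// deterministic BindEnv-style binding would: upper-case, dashes to
// underscores, fixed prefix. The prefix is an assumption of this example.
func envName(optName string) string {
	return "CILIUM_" + strings.ToUpper(strings.ReplaceAll(optName, "-", "_"))
}

// lookupEnvWithLegacyFallback applies the precedence described for
// BindEnvWithLegacyEnvFallback: the derived variable wins when set, otherwise
// the legacy variable is consulted. getenv is injected so the function can be
// tested without touching the process environment.
func lookupEnvWithLegacyFallback(getenv func(string) string, optName, legacyEnv string) (string, bool) {
	if v := getenv(envName(optName)); v != "" {
		return v, true
	}
	if v := getenv(legacyEnv); v != "" {
		return v, true
	}
	return "", false
}

// readDirConfig reads a ConfigDir-style directory: each regular file's name
// is an option name and its trimmed content is the value. Hidden entries
// (such as the "..data" bookkeeping a Kubernetes ConfigMap mount creates)
// and subdirectories are skipped so mount internals never become options.
func readDirConfig(dir string) (map[string]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	cfg := make(map[string]string)
	for _, e := range entries {
		if e.IsDir() || strings.HasPrefix(e.Name(), ".") {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, fmt.Errorf("reading option %q: %w", e.Name(), err)
		}
		cfg[e.Name()] = strings.TrimSpace(string(data))
	}
	return cfg, nil
}

// mergeConfig overlays override on top of base and returns a new map; this
// is the precedence step a MergeConfig-style helper performs.
func mergeConfig(base, override map[string]string) map[string]string {
	out := make(map[string]string, len(base)+len(override))
	for k, v := range base {
		out[k] = v
	}
	for k, v := range override {
		out[k] = v
	}
	return out
}

// replaceDeprecatedFields rewrites deprecated option names in place. A value
// under the current name always wins; the deprecated key is removed either
// way. The returned messages are meant for a startup warning so operators
// notice stale flags before they silently stop having an effect.
func replaceDeprecatedFields(cfg map[string]string, deprecated map[string]string) []string {
	var warnings []string
	for old, current := range deprecated {
		v, ok := cfg[old]
		if !ok {
			continue
		}
		if _, set := cfg[current]; set {
			warnings = append(warnings, fmt.Sprintf("%s is deprecated and ignored because %s is set", old, current))
		} else {
			warnings = append(warnings, fmt.Sprintf("%s is deprecated, use %s", old, current))
			cfg[current] = v
		}
		delete(cfg, old)
	}
	return warnings
}

func main() {
	// Constructed environment: only the legacy variable is set.
	env := map[string]string{"PROMETHEUS_SERVE_ADDR": ":9090"}
	getenv := func(k string) string { return env[k] }
	v, _ := lookupEnvWithLegacyFallback(getenv, "prometheus-serve-addr", "PROMETHEUS_SERVE_ADDR")
	fmt.Println("prometheus-serve-addr from env:", v)

	cfg := map[string]string{"conntrack-garbage-collector-interval": "5m0s"}
	for _, w := range replaceDeprecatedFields(cfg, deprecatedOptions) {
		fmt.Println("warning:", w)
	}
	fmt.Println("effective config:", mergeConfig(map[string]string{"debug": "false"}, cfg))
}
```

Skipping dot-prefixed entries is the detail worth keeping: a ConfigMap volume contains a `..data` symlink and timestamped `..YYYY_MM_DD...` directories, and a loader that reads every entry would either fail on the directory or register nonsense option names.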

# Constants

AccessLog is the path to access log of supported L7 requests observed.
AgentLabels are additional labels to identify this agent.
AllowLocalhost is the policy when to allow local stack to reach local endpoints { auto | always | policy }.
AllowLocalhostAlways always allows the local stack to reach local endpoints.
AllowLocalhostAuto defaults to "policy", except when running in Kubernetes, where it defaults to "always".
AllowLocalhostPolicy requires a policy rule to allow the local stack to reach particular endpoints or policy enforcement must be disabled.
No description provided by the author
AnnotateK8sNode enables annotating a Kubernetes node while bootstrapping the daemon; the annotation can also be disabled using this option.
AutoCreateCiliumNodeResource enables automatic creation of a CiliumNode resource for the local node.
AWSClientBurst is the burst value allowed for the AWS client used by the AWS ENI IPAM.
AWSClientQPSLimit is the queries per second limit for the AWS client used by AWS ENI IPAM.
BlacklistConflictingRoutes removes all IPs from the IPAM block if a local route not owned by Cilium conflicts with it.
BPFCompileDebugName is the name of the option to enable BPF compilation debugging.
BPFRoot is the Path to BPF filesystem.
CGroupRoot is the path to Cgroup2 filesystem.
ClusterIDMax is the maximum value of the cluster ID.
ClusterIDMin is the minimum value of the cluster ID.
ClusterIDName is the name of the ClusterID option.
ClusterMeshConfigName is the name of the ClusterMeshConfig option.
ClusterName is the name of the ClusterName option.
CMDRef is the path to cmdref output directory.
ConfigDir is the directory that contains a file for each option where the filename represents the option name and the content of that file represents the value of that option.
ConfigFile is the Configuration file (default "$HOME/ciliumd.yaml").
No description provided by the author
No description provided by the author
ConntrackGarbageCollectorIntervalDeprecated is the deprecated option name to set the conntrack gc interval.
ConntrackGCInterval is the name of the ConntrackGCInterval option.
No description provided by the author
ContainerRuntime sets the container runtime(s) used by Cilium { containerd | crio | docker | none | auto } ( "auto" uses the container runtime found in the order: "docker", "containerd", "crio" ).
ContainerRuntimeEndpoint sets the container runtime(s) endpoint(s).
256Ki.
No description provided by the author
CTMapEntriesGlobalTCP retains the Cilium 1.2 (or earlier) size to minimize disruption during upgrade.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
CTMapEntriesTimeout* name option and default value mappings.
No description provided by the author
DatapathMode is the name of the DatapathMode option.
DatapathModeIpvlan specifies ipvlan datapath mode.
DatapathModeVeth specifies veth datapath mode.
No description provided by the author
DebugArg is the argument that enables debugging mode.
No description provided by the author
DebugVerbose is the argument that enables verbose log messages for particular subsystems.
No description provided by the author
DeprecatedEnableLegacyServices enables the legacy services.
Device facing cluster/external network for direct L3 (non-overlay mode).
DisableCiliumEndpointCRDName is the name of the option to disable use of the CEP CRD.
DisableCNPStatusUpdates disables updating of CNP NodeStatus in the CNP CRD.
DisableConntrack disables connection tracking.
DisableEnvoyVersionCheck disables the Envoy binary version check on startup.
DisableK8sServices disables east-west K8s load balancing by cilium.
Docker is the path to docker runtime socket (DEPRECATED: use container-runtime-endpoint instead).
No description provided by the author
EgressMasqueradeInterfaces is the selector used to select interfaces subject to egress masquerading.
EnableAutoDirectRoutingName is the name for the EnableAutoDirectRouting option.
EnableEndpointRoutes enables use of per endpoint routes.
EnableHealthChecking is the name of the EnableHealthChecking option.
EnableHostReachableServices is the name of the EnableHostReachableServices option.
EnableIPSecName is the name of the option to enable IPSec.
EnableIPv4Name is the name of the option to enable IPv4 support.
EnableIPv6Name is the name of the option to enable IPv6 support.
EnableNodePort enables NodePort services implemented by Cilium in BPF.
EnablePolicy enables policy enforcement in the agent.
EnableTracing enables tracing mode in the agent.
EncryptInterface enables encryption on the specified interface.
EncryptNode enables node IP encryption.
EndpointInterfaceNamePrefix is the prefix name of the interface names shared by all endpoints.
EndpointQueueSize is the size of the EventQueue per-endpoint.
EnvoyLog sets the path to a separate Envoy log file, if any.
ExcludeLocalAddress excludes certain addresses from being recognized as local addresses.
FixedIdentityMapping is the key-value for the fixed identity mapping, which allows reserved labels to be used for fixed identities.
FlannelManageExistingContainers sets whether Cilium should install the BPF programs on already running interfaces created by flannel.
FlannelMasterDevice installs a BPF program to allow for policy enforcement in the given network interface.
FlannelUninstallOnExit should be used along the flannel-master-device flag, it cleans up all BPF programs installed when Cilium agent is terminated.
ForceLocalPolicyEvalAtSource forces a policy decision at the source endpoint for all local communication.
FQDNProxyDenyWithNameError is useful when stub resolvers, like the one in Alpine Linux's libc (musl), treat REFUSED as a resolution error.
FQDNProxyDenyWithRefused is the response code for Domain refused.
FQDNProxyResponseMaxDelay is the maximum time the proxy holds back a response.
FQDNRejectResponseCode is the name for the option for dns-proxy reject response code.
HostReachableServicesProtos is the name of the HostReachableServicesProtos option.
HostServicesTCP is the name of EnableHostServicesTCP config.
HostServicesUDP is the name of EnableHostServicesUDP config.
HTTP403Message specifies the response body for 403 responses, defaults to "Access denied".
HTTPIdleTimeout specifies the time in seconds an HTTP stream may be idle before the request times out.
HTTPMaxGRPCTimeout specifies the maximum time in seconds that limits the values of "grpc-timeout" headers being honored.
HTTPRequestTimeout specifies the time in seconds after which forwarded requests time out.
HTTPRetryCount specifies the number of retries performed after a forwarded request fails.
HTTPRetryTimeout is the time in seconds before an uncompleted request is retried.
IdentityAllocationMode specifies what mode to use for identity allocation.
IdentityAllocationModeCRD enables use of Kubernetes CRDs for identity allocation.
IdentityAllocationModeKVstore enables use of a key-value store such as etcd or consul for identity allocation.
IdentityChangeGracePeriod is the name of the IdentityChangeGracePeriod option.
InstallIptRules sets whether Cilium should install any iptables rules at all.
IPAllocationTimeout is the timeout when allocating CIDRs.
IPAM is the IPAM method to use.
IPAMCRD is the value to select the CRD-backed IPAM plugin for option.IPAM.
IPAMENI is the value to select the AWS ENI IPAM plugin for option.IPAM.
IPSecKeyFileName is the name of the option for ipsec key file.
IPv4ClusterCIDRMaskSize is the mask size for the cluster wide CIDR.
IPv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable.
IPv4NodeAddr is the IPv4 address of node.
IPv4PodSubnets is a list of IPv4 subnets that pods may be assigned from.
IPv4Range is the per-node IPv4 endpoint prefix.
IPv4ServiceRange is the Kubernetes IPv4 services CIDR if not inside cluster prefix.
IPv6ClusterAllocCIDRName is the name of the IPv6ClusterAllocCIDR option.
IPv6NodeAddr is the IPv6 address of node.
IPv6PodSubnets is a list of IPv6 subnets that pods may be assigned from.
IPv6Range is the per-node IPv6 endpoint prefix; it must be a /96.
IPv6ServiceRange is the Kubernetes IPv6 services CIDR if not inside cluster prefix.
IpvlanMasterDevice is the name of the IpvlanMasterDevice option.
K8sAPIServer is the Kubernetes API server address (for https use --k8s-kubeconfig-path instead).
K8sClientBurst is the burst value allowed for the K8s client.
K8sClientQPSLimit is the queries per second limit for the K8s client.
K8sEventHandover is the name of the K8sEventHandover option.
K8sForceJSONPatch when set, uses JSON Patch to update CNP and CEP status in kube-apiserver.
K8sKubeConfigPath is the absolute path of the kubernetes kubeconfig file.
K8sNamespaceName is the name of the K8sNamespace option.
K8sRequireIPv4PodCIDRName is the name of the K8sRequireIPv4PodCIDR option.
K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option.
K8sServiceCacheSize is the service cache size for the cilium k8s package.
K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium should watch for.
K8sWatcherQueueSize is the queue size used to serialize each k8s event type.
KeepBPFTemplates prevents restoring BPF template files from the binary.
KeepConfig when restoring state, keeps containers' configuration in place.
KVStore is the key-value store type.
KVstoreConnectivityTimeout is the timeout when performing kvstore operations.
KVstoreLeaseTTL is the time-to-live for lease in kvstore.
KVStoreOpt is the key-value store options.
KVstorePeriodicSync is the time interval in which periodic synchronization with the kvstore occurs.
LabelPrefixFile is the valid label prefixes file path.
Labels is the list of label prefixes used to determine identity of an endpoint.
LB enables load balancer mode, where the load balancer BPF program is attached to the given interface.
LegacyDisableIPv4Name is the name of the legacy option to disable IPv4 support.
LibDir is the directory path to store the runtime build environment.
16Mi entries (~1GiB of entries per map).
1Ki entries.
LogDriver sets the logging endpoints to use, for example syslog or fluentd.
LogOpt sets log driver options for cilium.
Logstash enables logstash integration.
LogSystemLoadConfigName is the name of the option to enable system load logging.
LoopbackIPv4 is the address to use for service loopback SNAT.
Masquerade masquerades packets from endpoints leaving the host.
MaxCtrlIntervalName and MaxCtrlIntervalNameEnv allow configuration of MaxControllerInterval.
Metrics represents the metrics subsystem that Cilium should expose to prometheus.
ModePreFilterGeneric for loading progs with xdpgeneric.
ModePreFilterNative for loading progs with xdpdrv.
No description provided by the author
MonitorAggregationLevelLow is the same as MonitorAggregationLevelLowest, but may aggregate additional traffic in future.
MonitorAggregationLevelLowest represents aggregation of monitor events to emit a maximum of one trace event per packet.
MonitorAggregationLevelMax is the maximum level of aggregation currently supported.
MonitorAggregationLevelMedium represents aggregation of monitor events to only emit notifications periodically for each connection unless there is new information (e.g., a TCP connection is closed).
MonitorAggregationLevelNone represents no aggregation in the datapath; all packets will be monitored.
MonitorAggregationName specifies the MonitorAggregationLevel on the command line.
MonitorQueueSizeName is the name of the option MonitorQueueSize.
MTUName is the name of the MTU option.
No description provided by the author
NAT46Range is the IPv6 prefix to map IPv4 addresses to.
NATMapEntriesGlobalDefault holds the default size of the NAT map and is 2/3 of the full CT size as a heuristic.
NATMapEntriesGlobalName configures max entries for BPF NAT table.
No description provided by the author
NodePortMaxDefault is the maximum port to listen on for NodePort requests.
NodePortMinDefault is the minimum port to listen on for NodePort requests.
NodePortRange defines a custom port range in which to look up NodePort services.
OperationModeL3 will bypass iptables rules on the host.
OperationModeL3S will respect iptables rules.
No description provided by the author
No description provided by the author
PolicyMapEntriesName configures max entries for BPF policymap.
PolicyQueueSize is the size of the queues utilized by the policy repository.
No description provided by the author
PolicyTriggerInterval is the minimum amount of time between invocations of the policy update trigger.
PProf enables serving the pprof debugging API.
PreAllocateMapsName is the name of the option PreAllocateMaps.
PrefilterDevice is the device facing external network for XDP prefiltering.
PrefilterMode selects the XDP prefilter mode { ModePreFilterNative | ModePreFilterGeneric } (default: ModePreFilterNative).
PrependIptablesChainsName is the name of the option to enable prepending iptables chains instead of appending.
PrometheusServeAddr is the IP:Port on which to serve Prometheus metrics (pass ":Port" to bind on all interfaces, "" is off).
PrometheusServeAddrDeprecated is the deprecated name for the IP:Port on which to serve Prometheus metrics (pass ":Port" to bind on all interfaces, "" is off).
ProxyConnectTimeout specifies the time in seconds after which a TCP connection attempt is considered timed out.
ReadCNIConfiguration reads the CNI configuration file and extracts Cilium relevant information.
Restore restores state, if possible, from previous daemon.
SelectiveRegeneration specifies whether only the endpoints which policy changes select should be regenerated upon policy changes.
SidecarHTTPProxy disables the host HTTP proxy, assuming proxies run in sidecar containers.
SidecarIstioProxyImage is a regular expression matching compatible Istio sidecar istio-proxy container image names.
SingleClusterRouteName is the name of the SingleClusterRoute option. SingleClusterRoute enables use of a single route covering the entire cluster CIDR to point to the cilium_host interface instead of using a separate route for each cluster node CIDR.
SkipCRDCreation specifies whether the CustomResourceDefinition will be created by the daemon.
SocketPath sets daemon's socket path to listen for connections.
SockopsEnableName is the name of the option to enable sockops.
StateDir is the directory path to store runtime state.
ToFQDNsEnablePoller enables proactive polling of DNS names in toFQDNs.matchName rules.
ToFQDNsEmitPollerEvents controls if poller lookups are sent as monitor events.
ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain for each FQDN name in an endpoint's FQDN cache.
ToFQDNsMinTTL is the minimum time, in seconds, to use DNS data for toFQDNs policies.
ToFQDNsPreCache is a path to a file with DNS cache data to insert into the global cache on startup.
ToFQDNsProxyPort is the global port on which the in-agent DNS proxy should listen.
No description provided by the author
TracePayloadlen is the length of payload to capture when tracing.
TunnelDisabled specifies to disable encapsulation.
TunnelGeneve specifies Geneve encapsulation.
TunnelName is the name of the Tunnel option.
TunnelVXLAN specifies VXLAN encapsulation.
Version prints the version information.
WriteCNIConfigurationWhenReady writes the CNI configuration to the specified location once the agent is ready to serve requests.
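The FQDNProxyDenyWithNameError and FQDNProxyDenyWithRefused constants above are the two response codes an in-agent DNS proxy can use to reject a lookup that policy does not allow, and the choice is visible to clients: the listing notes that musl's stub resolver treats REFUSED as a resolution error, whereas NXDOMAIN reads as "the name does not exist". The following added example (not this package's code) builds such a negative reply by hand from a query packet with encoding/binary, using the RFC 1035 RCODE values NXDOMAIN=3 and REFUSED=5. The query in main and the tests is constructed input; buildQuery, buildRejectResponse and questionLength are this example's own names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// DNS RCODE values from RFC 1035 section 4.1.1.
const (
	rcodeNXDomain = 3 // "name error": the domain does not exist
	rcodeRefused  = 5 // the server refuses to answer for policy reasons
)

// questionLength returns the byte length of the single question at the start
// of buf: length-prefixed labels ending in a zero byte, then QTYPE/QCLASS.
// Compression pointers are rejected: a question in a query never needs them,
// and honouring them from an untrusted client invites a parser loop.
func questionLength(buf []byte) (int, error) {
	i := 0
	for {
		if i >= len(buf) {
			return 0, errors.New("dns: truncated question name")
		}
		l := int(buf[i])
		if l == 0 {
			i++
			break
		}
		if l&0xC0 != 0 {
			return 0, errors.New("dns: compression pointer in question name")
		}
		i += 1 + l
	}
	if i+4 > len(buf) {
		return 0, errors.New("dns: truncated qtype/qclass")
	}
	return i + 4, nil
}

// buildRejectResponse turns a DNS query into a minimal negative reply with
// the given RCODE: the header is flipped to a response, the question section
// is echoed unchanged, and no answer/authority/additional records are sent.
// It refuses malformed packets and packets that are already responses.
func buildRejectResponse(query []byte, rcode uint8) ([]byte, error) {
	if len(query) < 12 {
		return nil, errors.New("dns: packet shorter than header")
	}
	if rcode > 0x0f {
		return nil, errors.New("dns: rcode does not fit in 4 bits")
	}
	flags := binary.BigEndian.Uint16(query[2:4])
	if flags&0x8000 != 0 {
		return nil, errors.New("dns: packet is already a response")
	}
	if qd := binary.BigEndian.Uint16(query[4:6]); qd != 1 {
		return nil, fmt.Errorf("dns: expected exactly one question, got %d", qd)
	}
	qlen, err := questionLength(query[12:])
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 12+qlen)
	copy(resp, query[:12+qlen])
	// QR=1, keep Opcode and RD (mask 0x7900), set RA, clear AA/TC/Z, set RCODE.
	binary.BigEndian.PutUint16(resp[2:4], 0x8000|(flags&0x7900)|0x0080|uint16(rcode))
	binary.BigEndian.PutUint16(resp[6:8], 0)   // ANCOUNT
	binary.BigEndian.PutUint16(resp[8:10], 0)  // NSCOUNT
	binary.BigEndian.PutUint16(resp[10:12], 0) // ARCOUNT
	return resp, nil
}

// rcodeOf and isResponse read the header bits back for inspection.
func rcodeOf(pkt []byte) uint8 { return uint8(binary.BigEndian.Uint16(pkt[2:4]) & 0x0f) }
func isResponse(pkt []byte) bool { return binary.BigEndian.Uint16(pkt[2:4])&0x8000 != 0 }

// buildQuery constructs a standard recursive A/IN query for name so the
// example has a realistic, self-contained input (constructed, not captured).
func buildQuery(id uint16, name string) []byte {
	pkt := make([]byte, 12)
	binary.BigEndian.PutUint16(pkt[0:2], id)
	binary.BigEndian.PutUint16(pkt[2:4], 0x0100) // RD set
	binary.BigEndian.PutUint16(pkt[4:6], 1)      // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		pkt = append(pkt, byte(len(label)))
		pkt = append(pkt, label...)
	}
	pkt = append(pkt, 0)          // root label
	pkt = append(pkt, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	return pkt
}

func main() {
	q := buildQuery(0x1234, "denied.example.")
	for _, rc := range []uint8{rcodeNXDomain, rcodeRefused} {
		r, err := buildRejectResponse(q, rc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("rcode=%d response=%v bytes=%d\n", rcodeOf(r), isResponse(r), len(r))
	}
}
```

The reply carries the same ID and question as the query, which is what a stub resolver matches on; everything else is zeroed so a rejected lookup cannot be used to smuggle records into the client's cache.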

# Variables

Config represents the daemon configuration.
ContainerRuntimeAuto is the configuration for autodetecting the container runtime backends that Cilium should use.
No description provided by the author
DaemonOptionLibrary is the daemon's option library; it should be used for read-only access.
No description provided by the author
No description provided by the author
No description provided by the author
Default string arguments.
RegisteredOptions maps all options that are bound to viper.

# Structs

DaemonConfig is the configuration used by Daemon.
IntOptions member functions with external access do not require locking by the caller, while functions with internal access presume the caller to have taken care of any locking needed.
IpvlanConfig is the configuration used by Daemon when in ipvlan mode.
MapOptions holds a map of values and a validation function.
NamedMapOptions is a MapOptions struct with a configuration name.
Option is the structure used to specify the semantics of a configurable boolean option.

# Type aliases

ChangedFunc is called by `Apply()` for each option changed.
FormatFunc formats the specified value as a colored textual representation of the option.
MonitorAggregationLevel represents a level of aggregation for monitor events from the datapath.
No description provided by the author
No description provided by the author
OptionSetting specifies the different choices each Option has.
ParseFunc parses the option value and may return an error if the option cannot be parsed or applied.
Validator returns a validated string along with a possible error.
VerifyFunc validates option key with value and may return an error if the option should not be applied.
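MapOptions (a map of values plus a validation function) and the Validator type alias (a validated string plus a possible error) together describe how a repeatable key=value flag is collected and checked before it is stored. The following is an added example, not this package's code: a MapOptions-style type that implements the standard library's flag.Value interface, rejects an entry before anything is written, and normalizes accepted entries. validateFixedIdentity is a hypothetical validator written for the illustration (it requires a positive numeric identity and a whitespace-free label); it is not the rule the real fixed identity mapping option applies.

```go
package main

import (
	"flag"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Validator checks a raw "key=value" entry and returns its normalized form.
type Validator func(entry string) (string, error)

// MapOptions collects key=value entries, running each through an optional
// validator before it is stored. It satisfies flag.Value so it can back a
// repeatable --opt k=v command-line flag.
type MapOptions struct {
	values    map[string]string
	validator Validator
}

var _ flag.Value = (*MapOptions)(nil)

// NewMapOpts creates a MapOptions over the given map (nil means empty) with
// an optional validator.
func NewMapOpts(values map[string]string, validator Validator) *MapOptions {
	if values == nil {
		values = map[string]string{}
	}
	return &MapOptions{values: values, validator: validator}
}

// Set implements flag.Value. A rejected entry leaves the map untouched, so a
// single bad flag cannot partially apply.
func (o *MapOptions) Set(raw string) error {
	entry := strings.TrimSpace(raw)
	if o.validator != nil {
		normalized, err := o.validator(entry)
		if err != nil {
			return err
		}
		entry = normalized
	}
	kv := strings.SplitN(entry, "=", 2)
	if len(kv) != 2 || kv[0] == "" {
		return fmt.Errorf("invalid key=value entry %q", raw)
	}
	o.values[kv[0]] = kv[1]
	return nil
}

// String implements flag.Value with a deterministic (sorted) rendering.
func (o *MapOptions) String() string {
	keys := make([]string, 0, len(o.values))
	for k := range o.values {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+o.values[k])
	}
	return strings.Join(parts, ",")
}

// Get returns the stored value for key.
func (o *MapOptions) Get(key string) (string, bool) {
	v, ok := o.values[key]
	return v, ok
}

// validateFixedIdentity is a hypothetical validator for an entry of the form
// <numeric identity>=<label>: the identity must be a positive integer and the
// label non-empty without whitespace or '='. Accepted entries are returned
// with surrounding whitespace stripped.
func validateFixedIdentity(entry string) (string, error) {
	parts := strings.SplitN(entry, "=", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("%q is not of the form id=label", entry)
	}
	id, err := strconv.ParseUint(strings.TrimSpace(parts[0]), 10, 32)
	if err != nil || id == 0 {
		return "", fmt.Errorf("%q: identity must be a positive integer", entry)
	}
	label := strings.TrimSpace(parts[1])
	if label == "" || strings.ContainsAny(label, " \t=") {
		return "", fmt.Errorf("%q: label must be non-empty and contain no whitespace or '='", entry)
	}
	return strconv.FormatUint(id, 10) + "=" + label, nil
}

func main() {
	opts := NewMapOpts(nil, validateFixedIdentity)
	fs := flag.NewFlagSet("agent", flag.ContinueOnError)
	fs.Var(opts, "fixed-identity-mapping", "numeric identity=label, repeatable")
	args := []string{"--fixed-identity-mapping", "128=kube-dns", "--fixed-identity-mapping", "129=coredns"}
	if err := fs.Parse(args); err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("accepted:", opts.String())
	if err := opts.Set("0x10=bad"); err != nil { // rejected before it is stored
		fmt.Println("rejected:", err)
	}
}
```

Validating inside Set, before the write, is the point: the flag package calls Set once per occurrence, so a failing entry surfaces as a parse error with the offending value and never leaves a half-applied map behind for later option processing to trust.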