Helm Reference

affinity

Affinity for cilium-agent.

object

{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}

agentNotReadyTaintKey

Configure the key of the taint indicating that Cilium is not ready on the node. When set to a value starting with ignore-taint.cluster-autoscaler.kubernetes.io/, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up.

string

"node.cilium.io/agent-not-ready"

alibabacloud.enabled

Enable AlibabaCloud ENI integration

bool

false

alibabacloud.nodeSpec.securityGroups

list

[]

alibabacloud.nodeSpec.vSwitches

list

[]

annotations

Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent)

object

{}

authentication.enabled

Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed.

bool

false

authentication.mutual.connectTimeout

Timeout for connecting to the remote node TCP socket

string

"5s"

authentication.mutual.spire.adminSocketPath

SPIRE socket path where the SPIRE delegated api agent is listening

string

"/run/spire/sockets/admin.sock"

authentication.mutual.spire.annotations

Annotations to be added to all top-level spire objects (resources under templates/spire)

object

{}

authentication.mutual.spire.enabled

Enable SPIRE integration (beta)

bool

false

authentication.mutual.spire.install.agent.annotations

SPIRE agent annotations

object

{}

authentication.mutual.spire.install.agent.labels

SPIRE agent labels

object

{}

authentication.mutual.spire.install.agent.podSecurityContext

Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

object

{}

authentication.mutual.spire.install.agent.resources

container resource limits & requests

object

{}

authentication.mutual.spire.install.agent.serviceAccount

SPIRE agent service account

object

{"create":true,"name":"spire-agent"}

authentication.mutual.spire.install.agent.tolerations

SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

list

[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]

authentication.mutual.spire.install.existingNamespace

SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace.

bool

false

authentication.mutual.spire.install.namespace

SPIRE namespace to install into

string

"cilium-spire"

authentication.mutual.spire.install.server.annotations

SPIRE server annotations

object

{}

authentication.mutual.spire.install.server.ca.subject

SPIRE CA Subject

object

{"commonName":"Cilium SPIRE CA","country":"US","organization":"SPIRE"}

authentication.mutual.spire.install.server.dataStorage.enabled

Enable SPIRE server data storage

bool

true

authentication.mutual.spire.install.server.dataStorage.storageClass

StorageClass of the SPIRE server data storage

string

nil

authentication.mutual.spire.install.server.initContainers

SPIRE server init containers

list

[]

authentication.mutual.spire.install.server.nodeSelector

SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector

object

{}

authentication.mutual.spire.install.server.priorityClassName

The priority class to use for the spire server

string

""

authentication.mutual.spire.install.server.securityContext

Security context to be added to spire server containers. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container

object

{}

authentication.mutual.spire.install.server.service.labels

Labels to be added to the SPIRE server service

object

{}

authentication.mutual.spire.install.server.serviceAccount

SPIRE server service account

object

{"create":true,"name":"spire-server"}

authentication.mutual.spire.serverAddress

SPIRE server address used by Cilium Operator If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), Cilium Operator will resolve its address by looking up the clusterIP from Service resource. Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081

string

nil

authentication.queueSize

Buffer size of the channel Cilium uses to receive authentication events from the signal map.

int

1024

autoDirectNodeRoutes

Enable installation of PodCIDR routes between worker nodes if worker nodes share a common L2 network segment.

bool

false

azure.nodeSpec.azureInterfaceName

string

""

bandwidthManager.bbr

Activate BBR TCP congestion control for Pods

bool

false

bandwidthManager.enabled

Enable bandwidth manager infrastructure (also prerequirement for BBR)

bool

false

bgpControlPlane.enabled

Enables the BGP control plane.

bool

false

bgpControlPlane.legacyOriginAttribute.enabled

Enable/Disable advertising LoadBalancerIP routes with the legacy BGP ORIGIN attribute value INCOMPLETE (2) instead of the default IGP (0). Enable for compatibility with the legacy behavior of MetalLB integration.

bool

false

bgpControlPlane.routerIDAllocation.ipPool

IP pool to allocate the BGP router-id from when the mode is ip-pool.

string

""

bgpControlPlane.secretsNamespace

SecretsNamespace is the namespace which BGP support will retrieve secrets from.

object

{"create":false,"name":"kube-system"}

bgpControlPlane.secretsNamespace.name

The name of the secret namespace to which Cilium agents are given read access

string

"kube-system"

bgpControlPlane.statusReport.enabled

Enable/Disable BGP status reporting It is recommended to enable status reporting in general, but if you have any issue such as high API server load, you can disable it by setting this to false.

bool

true

bpf.autoMount.enabled

Enable automatic mount of BPF filesystem When autoMount is enabled, the BPF filesystem is mounted at bpf.root path on the underlying host and inside the cilium agent pod. If users disable autoMount, it’s expected that users have mounted bpffs filesystem at the specified bpf.root volume, and then the volume will be mounted inside the cilium agent pod at the same path.

bool

true

bpf.ctAnyMax

Configure the maximum number of entries for the non-TCP connection tracking table.

int

262144

bpf.datapathMode

Mode for Pod devices for the core datapath (veth, netkit, netkit-l2). Note netkit is incompatible with TPROXY (bpf.tproxy).

string

veth

bpf.distributedLRU

Control to use a distributed per-CPU backend memory for the core BPF LRU maps which Cilium uses. This improves performance significantly, but it is also recommended to increase BPF map sizing along with that.

object

{"enabled":false}

bpf.enableTCX

Attach endpoint programs using tcx instead of legacy tc hooks on supported kernels.

bool

true

bpf.events.default

Default settings for all types of events except dbg.

object

{"burstLimit":null,"rateLimit":null}

bpf.events.default.rateLimit

Configure the limit of messages per second that can be written to BPF events map. The number of messages is averaged, meaning that if no messages were written to the map over 5 seconds, it’s possible to write more events in the 6th second. If rateLimit is greater than 0, non-zero value for burstLimit must also be provided lest the configuration is considered invalid. Setting both burstLimit and rateLimit to 0 disables BPF events rate limiting.

int

0

bpf.events.policyVerdict.enabled

Enable policy verdict events.

bool

true

bpf.hostLegacyRouting

Configure whether direct routing mode should route traffic via host stack (true) or directly and more efficiently out of BPF (false) if the kernel supports it. The latter has the implication that it will also bypass netfilter in the host namespace.

bool

false

bpf.lbExternalClusterIP

Allow cluster external access to ClusterIP services.

bool

false

bpf.lbModeAnnotation

Enable the option to define the load balancing mode (SNAT or DSR) on a per-service basis through service.cilium.io/forwarding-mode annotation.

bool

false

bpf.mapDynamicSizeRatio

Configure auto-sizing for all BPF maps based on available memory. ref: https://docs.cilium.io/en/stable/network/ebpf/maps/

float64

0.0025

bpf.monitorAggregation

Configure the level of aggregation for monitor notifications. Valid options are none, low, medium, maximum.

string

"medium"

bpf.monitorInterval

Configure the typical time between monitor notifications for active connections.

string

"5s"

bpf.natMax

Configure the maximum number of entries for the NAT table.

int

524288

bpf.nodeMapMax

Configures the maximum number of entries for the node table.

int

nil

bpf.policyMapPressureMetricsThreshold

Configure threshold for emitting pressure metrics of policy maps. @schema type: [null, number] @schema

float64

0.1

bpf.preallocateMaps

Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency.

bool

false

bpf.tproxy

Configure the eBPF-based TPROXY (beta) to reduce reliance on iptables rules for implementing Layer 7 policy. Note this is incompatible with netkit (bpf.datapathMode=netkit, bpf.datapathMode=netkit-l2).

bool

false

bpfClockProbe

Enable BPF clock source probing for more efficient tick retrieval.

bool

false

certgen.affinity

Affinity for certgen

object

{}

certgen.cronJob.failedJobsHistoryLimit

The number of failed finished jobs to keep

int

1

certgen.extraVolumeMounts

Additional certgen volumeMounts.

list

[]

certgen.generateCA

When set to true the certificate authority secret is created.

bool

true

certgen.podLabels

Labels to be added to hubble-certgen pods

object

{}

certgen.resources

Resource limits for certgen ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers

object

{}

certgen.ttlSecondsAfterFinished

Seconds after which the completed job pod will be deleted

string

nil

cgroup.autoMount.enabled

Enable auto mount of cgroup2 filesystem. When autoMount is enabled, cgroup2 filesystem is mounted at cgroup.hostRoot path on the underlying host and inside the cilium agent pod. If users disable autoMount, it’s expected that users have mounted cgroup2 filesystem at the specified cgroup.hostRoot volume, and then the volume will be mounted inside the cilium agent pod at the same path.

bool

true

cgroup.hostRoot

Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: cgroup.autoMount)

string

"/run/cilium/cgroupv2"

ciliumEndpointSlice.enabled

Enable Cilium EndpointSlice feature.

bool

false

cleanBpfState

Clean all eBPF datapath state from the initContainer of the cilium-agent DaemonSet. WARNING: Use with care!

bool

false

cluster.id

Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used.

int

0

clustermesh.annotations

Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config)

object

{}

clustermesh.apiserver.etcd.init.extraArgs

Additional arguments to clustermesh-apiserver etcdinit.

list

[]

clustermesh.apiserver.etcd.init.resources

Specifies the resources for etcd init container in the apiserver

object

{}

clustermesh.apiserver.etcd.resources

Specifies the resources for etcd container in the apiserver

object

{}

clustermesh.apiserver.etcd.storageMedium

Specifies whether etcd data is stored in a temporary volume backed by the node’s default medium, such as disk, SSD or network storage (Disk), or RAM (Memory). The Memory option enables improved etcd read and write performance at the cost of additional memory usage, which counts against the memory limits of the container.

string

"Disk"

clustermesh.apiserver.extraEnv

Additional clustermesh-apiserver environment variables.

list

[]

clustermesh.apiserver.extraVolumes

Additional clustermesh-apiserver volumes.

list

[]

clustermesh.apiserver.image

Clustermesh API server image.

object

{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.19.1","useDigest":false}

clustermesh.apiserver.kvstoremesh.extraArgs

Additional KVStoreMesh arguments.

list

[]

clustermesh.apiserver.kvstoremesh.extraVolumeMounts

Additional KVStoreMesh volumeMounts.

list

[]

clustermesh.apiserver.kvstoremesh.kvstoreMode

Specify the KVStore mode when running KVStoreMesh Supported values: - “internal”: remote cluster identities are cached in etcd that runs as a sidecar within clustermesh-apiserver pod. - “external”: clustermesh-apiserver will sync remote cluster information to the etcd used as kvstore. This can’t be enabled with crd identity allocation mode.

string

"internal"

clustermesh.apiserver.kvstoremesh.readinessProbe

Configuration for the KVStoreMesh readiness probe.

object

{}

clustermesh.apiserver.kvstoremesh.securityContext

KVStoreMesh Security context

object

{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}

clustermesh.apiserver.metrics.enabled

Enables exporting apiserver metrics in OpenMetrics format.

bool

true

clustermesh.apiserver.metrics.etcd.mode

Set level of detail for etcd metrics; specify ‘extensive’ to include server side gRPC histogram metrics.

string

"basic"

clustermesh.apiserver.metrics.kvstoremesh.enabled

Enables exporting KVStoreMesh metrics in OpenMetrics format.

bool

true

clustermesh.apiserver.metrics.port

Configure the port the apiserver metric server listens on.

int

9962

clustermesh.apiserver.metrics.serviceMonitor.enabled

Enable service monitor. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)

bool

false

clustermesh.apiserver.metrics.serviceMonitor.etcd.metricRelabelings

Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)

string

nil

clustermesh.apiserver.metrics.serviceMonitor.etcd.scrapeTimeout

Timeout after which scrape is considered to be failed.

string

nil

clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.interval

Interval for scrape metrics (KVStoreMesh metrics)

string

"10s"

clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.relabelings

Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)

string

nil

clustermesh.apiserver.metrics.serviceMonitor.labels

Labels to add to ServiceMonitor clustermesh-apiserver

object

{}

clustermesh.apiserver.metrics.serviceMonitor.relabelings

Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)

string

nil

clustermesh.apiserver.nodeSelector

Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector

object

{"kubernetes.io/os":"linux"}

clustermesh.apiserver.podDisruptionBudget.enabled

enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

bool

false

clustermesh.apiserver.podDisruptionBudget.minAvailable

Minimum number/percentage of pods that should remain scheduled. When it’s set, maxUnavailable must be disabled by maxUnavailable: null

string

nil

clustermesh.apiserver.podLabels

Labels to be added to clustermesh-apiserver pods

object

{}

clustermesh.apiserver.priorityClassName

The priority class to use for clustermesh-apiserver

string

""

clustermesh.apiserver.replicas

Number of replicas run for the clustermesh-apiserver deployment.

int

1

clustermesh.apiserver.securityContext

Security context to be added to clustermesh-apiserver containers

object

{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}

clustermesh.apiserver.service.enableSessionAffinity

Defines when to enable session affinity. Each replica in a clustermesh-apiserver deployment runs its own discrete etcd cluster. Remote clients connect to one of the replicas through a shared Kubernetes Service. A client reconnecting to a different backend will require a full resync to ensure data integrity. Session affinity can reduce the likelihood of this happening, but may not be supported by all cloud providers. Possible values: - “HAOnly” (default) Only enable session affinity for deployments with more than 1 replica. - “Always” Always enable session affinity. - “Never” Never enable session affinity. Useful in environments where session affinity is not supported, but may lead to slightly degraded performance due to more frequent reconnections.

string

"HAOnly"

clustermesh.apiserver.service.externallyCreated

Set externallyCreated to true to create the clustermesh-apiserver service outside this helm chart. For example after external load balancer controllers are created.

bool

false

clustermesh.apiserver.service.labels

Labels for the clustermesh-apiserver service.

object

{}

clustermesh.apiserver.service.loadBalancerIP

Configure a specific loadBalancerIP. Allows to configure a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer.

string

nil

clustermesh.apiserver.service.nodePort

Optional port to use as the node port for apiserver access.

int

32379

clustermesh.apiserver.terminationGracePeriodSeconds

terminationGracePeriodSeconds for the clustermesh-apiserver deployment

int

30

clustermesh.apiserver.tls.admin.cert

Deprecated, as secrets will always need to be created externally if auto is disabled.

string

""

clustermesh.apiserver.tls.authMode

Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The “remote” certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The “remote” certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-). The “remote” certificate must be generated with CN=remote- if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh.

string

"migration"

clustermesh.apiserver.tls.auto.certManagerIssuerRef

certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.

object

{}

clustermesh.apiserver.tls.auto.enabled

When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. When set to false you need to pre-create the following secrets: - clustermesh-apiserver-server-cert - clustermesh-apiserver-admin-cert - clustermesh-apiserver-remote-cert - clustermesh-apiserver-local-cert The above secret should at least contains the keys tls.crt and tls.key and optionally ca.crt if a CA bundle is not configured.

bool

true

clustermesh.apiserver.tls.remote

base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if ‘auto’ is not enabled.

object

{"cert":"","key":""}

clustermesh.apiserver.tls.remote.key

Deprecated, as secrets will always need to be created externally if auto is disabled.

string

""

clustermesh.apiserver.tls.server.cert

Deprecated, as secrets will always need to be created externally if auto is disabled.

string

""

clustermesh.apiserver.tls.server.extraIpAddresses

Extra IP addresses added to certificate when it’s auto generated

list

[]

clustermesh.apiserver.tolerations

Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

list

[]

clustermesh.apiserver.updateStrategy

clustermesh-apiserver update strategy

object

{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}

clustermesh.config

Clustermesh explicit configuration.

object

{"clusters":[],"domain":"mesh.cilium.io","enabled":false}

clustermesh.config.domain

Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used.

string

"mesh.cilium.io"

clustermesh.enableEndpointSliceSynchronization

Enable the synchronization of Kubernetes EndpointSlices corresponding to the remote endpoints of appropriately-annotated global services through ClusterMesh

bool

false

clustermesh.maxConnectedClusters

The maximum number of clusters to support in a ClusterMesh. This value cannot be changed on running clusters, and all clusters in a ClusterMesh must be configured with the same value. Values > 255 will decrease the maximum allocatable cluster-local identities. Supported values are 255 and 511.

int

255

clustermesh.mcsapi.corednsAutoConfigure.annotations

Annotations to be added to the coredns-mcsapi-autoconfig Job

object

{}

clustermesh.mcsapi.corednsAutoConfigure.coredns.clustersetDomain

The clusterset domain for the cluster CoreDNS service

string

"clusterset.local"

clustermesh.mcsapi.corednsAutoConfigure.coredns.deploymentName

The Deployment for the cluster CoreDNS service

string

"coredns"

clustermesh.mcsapi.corednsAutoConfigure.coredns.serviceAccountName

The Service Account name for the cluster CoreDNS service

string

"coredns"

clustermesh.mcsapi.corednsAutoConfigure.extraArgs

Additional arguments to clustermesh-apiserver coredns-mcsapi-auto-configure.

list

[]

clustermesh.mcsapi.corednsAutoConfigure.extraVolumes

Additional coredns-mcsapi-autoconfig volumes.

list

[]

clustermesh.mcsapi.corednsAutoConfigure.podLabels

Labels to be added to coredns-mcsapi-autoconfig pods

object

{}

clustermesh.mcsapi.corednsAutoConfigure.resources

Resource limits for coredns-mcsapi-autoconfig ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers

object

{}

clustermesh.mcsapi.corednsAutoConfigure.ttlSecondsAfterFinished

Seconds after which the completed job pod will be deleted

int

1800

clustermesh.mcsapi.installCRDs

Enabled MCS-API CRDs auto-installation

bool

true

clustermesh.useAPIServer

Deploy clustermesh-apiserver for clustermesh. This option is typically used with clustermesh.config.enabled=true. Refer to the clustermesh.config.enabled=truedocumentation for more information.

bool

false

cni.chainingMode

Configure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap

string

nil

cni.confFileMountPath

Configure the path to where to mount the ConfigMap inside the agent pod.

string

"/tmp/cni-configuration"

cni.configMap

When defined, configMap will mount the provided value as ConfigMap and interpret the ‘cni.configMapKey’ value as CNI configuration file and write it when the agent starts up.

string

""

cni.customConf

Skip writing of the CNI configuration. This can be used if writing of the CNI configuration is performed by external automation.

bool

false

cni.exclusive

Make Cilium take ownership over the /etc/cni/net.d directory on the node, renaming all non-Cilium CNI configurations to *.cilium_bak. This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.

bool

true

cni.install

Install the CNI configuration and binary files into the filesystem.

bool

true

cni.logFile

Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly.

string

"/var/run/cilium/cilium-cni.log"

cni.uninstall

Remove the CNI configuration and binary files on agent shutdown. Enable this if you’re removing Cilium from the cluster. Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable.

bool

false

connectivityProbeFrequencyRatio

Ratio of the connectivity probe frequency vs resource usage, a float in [0, 1]. 0 will give more frequent probing, 1 will give less frequent probing. Probing frequency is dynamically adjusted based on the cluster size.

float64

0.5

conntrackGCMaxInterval

Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when ‘conntrackGCInterval’ is set. This can be set to more frequently clean up unused identities created from ToFQDN policies.

string

""

daemon.allowedConfigOverrides

allowedConfigOverrides is a list of config-map keys that can be overridden. That is to say, if this value is set, config sources (excepting the first one) can only override keys in this list. This takes precedence over blockedConfigOverrides. By default, all keys may be overridden. To disable overrides, set this to “none” or change the configSources variable.

string

nil

daemon.configSources

Configure a custom list of possible configuration override sources The default is “config-map:cilium-config,cilium-node-config”. For supported values, see the help text for the build-config subcommand. Note that this value should be a comma-separated string.

string

nil

daemon.runPath

Configure where Cilium runtime state should be stored.

string

"/var/run/cilium"

debug.enabled

Enable debug logging

bool

false

debug.verbose

Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath, policy, or tagged), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. “datapath envoy”). Applicable values: - flow - kvstore - envoy - datapath - policy - tagged

string

nil

directRoutingSkipUnreachable

Enable skipping of PodCIDR routes between worker nodes if the worker nodes are in a different L2 network segment.

bool

false

dnsPolicy

DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy

string

""

dnsProxy.enableDnsCompression

Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.

bool

true

dnsProxy.idleConnectionGracePeriod

Time during which idle but previously active connections with expired DNS lookups are still considered alive.

string

"0s"

dnsProxy.minTtl

The minimum time, in seconds, to use DNS data for toFQDNs policies. If the upstream DNS server returns a DNS record with a shorter TTL, Cilium overwrites the TTL with this value. Setting this value to zero means that Cilium will honor the TTLs returned by the upstream DNS server.

int

0

dnsProxy.preCache

DNS cache data at this path is preloaded on agent startup.

string

""

dnsProxy.proxyResponseMaxDelay

The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.

string

"100ms"

egressGateway.enabled

Enables egress gateway to redirect and SNAT the traffic that leaves the cluster.

bool

false

enableCriticalPriorityClass

Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in helm template calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance.

bool

true

enableIPv4Masquerade

Enables masquerading of IPv4 traffic leaving the node from endpoints.

bool

true unless ipam eni mode is active

enableIPv6Masquerade

Enables masquerading of IPv6 traffic leaving the node from endpoints.

bool

true

enableLBIPAM

Enable LoadBalancer IP Address Management

bool

true

enableNoServiceEndpointsRoutable

Enable routing to a service that has zero endpoints

bool

true

enableTunnelBIGTCP

Enable BIG TCP in tunneling mode and increase maximum GRO/GSO limits for VXLAN/GENEVE tunnels

bool

false

encryption.enabled

Enable transparent network encryption.

bool

false

encryption.ipsec.interface

The interface to use for encrypted traffic.

string

""

encryption.ipsec.keyRotationDuration

Maximum duration of the IPsec key rotation. The previous key will be removed after that delay.

string

"5m"

encryption.ipsec.mountPath

Path to mount the secret inside the Cilium pod.

string

"/etc/ipsec"

encryption.nodeEncryption

Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to “wireguard”.

bool

false

encryption.strictMode.allowRemoteNodeIdentities

Allow dynamic lookup of remote node identities. (deprecated: please use encryption.strictMode.egress.allowRemoteNodeIdentities) This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.

bool

false

encryption.strictMode.egress.allowRemoteNodeIdentities

Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.

bool

false

encryption.strictMode.egress.enabled

Enable strict egress encryption.

bool

false

encryption.strictMode.ingress.enabled

Enable strict ingress encryption. When enabled, all unencrypted overlay ingress traffic will be dropped. This option is only applicable when WireGuard and tunneling are enabled.

bool

false

encryption.wireguard.persistentKeepalive

Controls WireGuard PersistentKeepalive option. Set 0s to disable.

string

"0s"

endpointLockdownOnMapOverflow

Enable endpoint lockdown on policy map overflow.

bool

false

eni.awsEnablePrefixDelegation

Enable ENI prefix delegation

bool

false

eni.ec2APIEndpoint

EC2 API endpoint to use

string

""

eni.eniTags

Tags to apply to the newly created ENIs

object

{}

eni.gcTags

Additional tags attached to ENIs created by Cilium. Dangling ENIs with this tag will be garbage collected

object

{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":"<auto-detected>"}

eni.instanceTagsFilter

Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances are going to be used to create new ENIs

list

[]

eni.nodeSpec.deleteOnTermination

Delete ENI on termination @schema type: [null, boolean] @schema

string

nil

eni.nodeSpec.excludeInterfaceTags

Exclude interface tags to use for IP allocation

list

[]

eni.nodeSpec.securityGroupTags

Security group tags to use for IP allocation

list

[]

eni.nodeSpec.subnetIDs

Subnet IDs to use for IP allocation

list

[]

eni.nodeSpec.usePrimaryAddress

Use primary address for IP allocation

bool

false

eni.subnetTagsFilter

Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead.

list

[]

envoy.annotations

Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)

object

{}

envoy.bootstrapConfigMap

ADVANCED OPTION: Bring your own custom Envoy bootstrap ConfigMap. Provide the name of a ConfigMap with a bootstrap-config.json key. When specified, Envoy will use this ConfigMap instead of the default provided by the chart. WARNING: Use of this setting has the potential to prevent cilium-envoy from starting up, and can cause unexpected behavior (e.g. due to syntax error or semantically incorrect configuration). Before submitting an issue, please ensure you have disabled this feature, as support cannot be provided for custom Envoy bootstrap configs. @schema type: [null, string] @schema

string

nil

envoy.clusterMaxRequests

Maximum number of requests on Envoy clusters

int

1024

envoy.debug.admin.enabled

Enable admin interface for cilium-envoy. This is useful for debugging and should not be enabled in production.

bool

false

envoy.dnsPolicy

DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy

string

nil

envoy.extraArgs

Additional envoy container arguments.

list

[]

envoy.extraEnv

Additional envoy container environment variables.

list

[]

envoy.extraVolumeMounts

Additional envoy volumeMounts.

list

[]

envoy.healthPort

TCP port for the health API.

int

9878

envoy.httpUpstreamLingerTimeout

Time in seconds to block Envoy worker thread while an upstream HTTP connection is closing. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.

string

nil

envoy.image

Envoy container image.

object

{"digest":"sha256:8188114a2768b5f49d6ce58e168b20d765e0fbc64eee0d83241aa2b150ccd788","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663","useDigest":true}

envoy.initialFetchTimeoutSeconds

Time in seconds after which the initial fetch on an xDS stream is considered timed out

int

30

envoy.livenessProbe.failureThreshold

failure threshold of liveness probe

int

10

envoy.log.accessLogBufferSize

Size of the Envoy access log buffer created within the agent in bytes. Tune this value up if you encounter “Envoy: Discarded truncated access log message” errors. Large request/response header sizes (e.g. 16KiB) will require a larger buffer size.

int

4096

envoy.log.format

The format string to use for laying out the log message metadata of Envoy. If specified, Envoy will use text format output. This setting is mutually exclusive with envoy.log.format_json.

string

"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"

envoy.log.path

Path to a separate Envoy log file, if any. Defaults to /dev/stdout.

string

""

envoy.maxConnectionDurationSeconds

Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)

int

0

envoy.maxRequestsPerConnection

ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy

int

0

envoy.podAnnotations

Annotations to be added to envoy pods

object

{}

envoy.podSecurityContext

Security Context for cilium-envoy pods.

object

{"appArmorProfile":{"type":"Unconfined"}}

envoy.policyRestoreTimeoutDuration

Max duration to wait for endpoint policies to be restored on restart. Default “3m”.

string

nil

envoy.prometheus

Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy.

object

{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"scrapeTimeout":null}}

envoy.prometheus.port

Serve prometheus metrics for cilium-envoy on the configured port

string

"9964"

envoy.prometheus.serviceMonitor.enabled

Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) Note that this setting applies to both cilium-envoy and cilium-agent with Envoy enabled.

bool

false

envoy.prometheus.serviceMonitor.labels

Labels to add to ServiceMonitor cilium-envoy

object

{}

envoy.prometheus.serviceMonitor.relabelings

Relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured.

list

[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]

envoy.readinessProbe.failureThreshold

failure threshold of readiness probe

int

3

envoy.resources

Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

object

{}

envoy.securityContext.capabilities.envoy

Capabilities for the cilium-envoy container. Even though granted to the container, the cilium-envoy-starter wrapper drops all capabilities after forking the actual Envoy process. NET_BIND_SERVICE is the only capability that can be passed to the Envoy process by setting envoy.securityContext.capabilities.keepNetBindService=true (in addition to granting the capability to the container). Note: In case of embedded envoy, the capability must be granted to the cilium-agent container.

list

["NET_ADMIN","SYS_ADMIN"]

envoy.securityContext.privileged

Run the pod with elevated privileges

bool

false

envoy.startupProbe.enabled

Enable startup probe for cilium-envoy

bool

true

envoy.startupProbe.periodSeconds

interval between checks of the startup probe

int

2

envoy.terminationGracePeriodSeconds

Configure termination grace period for cilium-envoy DaemonSet.

int

1

envoy.updateStrategy

cilium-envoy update strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset

object

{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}

envoy.xffNumTrustedHopsL7PolicyEgress

Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.

int

0

envoyConfig.enabled

Enable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options.

bool

false

envoyConfig.secretsNamespace

SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from.

object

{"create":true,"name":"cilium-secrets"}

envoyConfig.secretsNamespace.name

The name of the secret namespace to which Cilium agents are given read access.

string

"cilium-secrets"

etcd.endpoints

List of etcd endpoints

list

["https://CHANGE-ME:2379"]

extraArgs

Additional agent container arguments.

list

[]

extraContainers

Additional containers added to the cilium DaemonSet.

list

[]

extraHostPathMounts

Additional agent hostPath mounts.

list

[]

extraVolumeMounts

Additional agent volumeMounts.

list

[]

forceDeviceDetection

Forces the auto-detection of devices, even if specific devices are explicitly listed

bool

false

gatewayAPI.enableAppProtocol

Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol.

bool

false

gatewayAPI.enabled

Enable support for Gateway API in cilium This will automatically set enable-envoy-config as well.

bool

false

gatewayAPI.gatewayClass.create

Enable creation of GatewayClass resource The default value is ‘auto’ which decides according to presence of gateway.networking.k8s.io/v1/GatewayClass in the cluster. Other possible values are ‘true’ and ‘false’, which will either always or never create the GatewayClass, respectively.

string

"auto"

gatewayAPI.hostNetwork.nodes.matchLabels

Specify the labels of the nodes where the Ingress listeners should be exposed matchLabels: kubernetes.io/os: linux kubernetes.io/hostname: kind-worker

object

{}

gatewayAPI.secretsNamespace.create

Create secrets namespace for Gateway API.

bool

true

gatewayAPI.secretsNamespace.sync

Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally.

bool

true

gke.enabled

Enable Google Kubernetes Engine integration

bool

false

healthChecking

Enable connectivity health checking.

bool

true

hostFirewall

Configure the host firewall.

object

{"enabled":false}

hubble.annotations

Annotations to be added to all top-level hubble objects (resources under templates/hubble)

object

{}

hubble.dropEventEmitter.interval

• Minimum time between emitting same events.

string

"2m"

hubble.enabled

Enable Hubble (true by default).

bool

true

hubble.export.dynamic

• Dynamic exporters configuration. Dynamic exporters may be reconfigured without a need of agent restarts.

object

{"config":{"configMapName":"cilium-flowlog-config","content":[{"aggregationInterval":"0s","excludeFilters":[],"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false}

hubble.export.dynamic.config.content

– Exporters configuration in YAML format.

list

[{"aggregationInterval":"0s","excludeFilters":[],"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}]

hubble.export.static

• Static exporter configuration. Static exporter is bound to agent lifecycle.

object

{"aggregationInterval":"0s","allowList":[],"denyList":[],"enabled":false,"fieldAggregate":[],"fieldMask":[],"fileCompress":false,"fileMaxBackups":5,"fileMaxSizeMb":10,"filePath":"/var/run/cilium/hubble/events.log"}

hubble.export.static.fileCompress

• Enable compression of rotated files.

bool

false

hubble.export.static.fileMaxSizeMb

• Defines max file size of output file before it gets rotated.

int

10

hubble.metrics

Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics.

object

{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"dynamic":{"config":{"configMapName":"cilium-dynamic-metrics-config","content":[],"createConfigMap":true},"enabled":false},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"action":"replace","replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"scrapeTimeout":null,"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}

hubble.metrics.dynamic.config.configMapName

– Name of configmap with configuration that may be altered to reconfigure metric handlers within a running agent.

string

"cilium-dynamic-metrics-config"

hubble.metrics.dynamic.config.createConfigMap

– True if helm installer should create config map. Switch to false if you want to self maintain the file content.

bool

true

hubble.metrics.enabled

Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: –set hubble.metrics.enabled=”{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}”

string

nil

hubble.metrics.serviceAnnotations

Annotations to be added to hubble-metrics service.

object

{}

hubble.metrics.serviceMonitor.enabled

Create ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)

bool

false

hubble.metrics.serviceMonitor.jobLabel

jobLabel to add for ServiceMonitor hubble

string

""

hubble.metrics.serviceMonitor.metricRelabelings

Metrics relabeling configs for the ServiceMonitor hubble

string

nil

hubble.metrics.serviceMonitor.scrapeTimeout

Timeout after which scrape is considered to be failed.

string

nil

hubble.metrics.tls.server.existingSecret

Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored.

string

""

hubble.metrics.tls.server.extraIpAddresses

Extra IP addresses added to certificate when it’s auto generated

list

[]

hubble.metrics.tls.server.mtls

Configure mTLS for the Hubble metrics server.

object

{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}

hubble.metrics.tls.server.mtls.name

Name of the ConfigMap containing the CA to validate client certificates against. If mTLS is enabled and this is unspecified, it will default to the same CA used for Hubble metrics server certificates.

string

nil

hubble.peerService.clusterDomain

The cluster domain to use to query the Hubble Peer service. It should be the local cluster.

string

"cluster.local"

hubble.preferIpv6

Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available.

bool

false

hubble.redact.http.headers.allow

List of HTTP headers to allow: headers not matching will be redacted. Note: allow and deny lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: allow: - traceparent - tracestate - Cache-Control You can specify the options from the helm CLI: –set hubble.redact.enabled=”true” –set hubble.redact.http.headers.allow=”traceparent,tracestate,Cache-Control”

list

[]

hubble.redact.http.urlQuery

Enables redacting URL query (GET) parameters. Example: redact: enabled: true http: urlQuery: true You can specify the options from the helm CLI: –set hubble.redact.enabled=”true” –set hubble.redact.http.urlQuery=”true”

bool

false

hubble.redact.kafka.apiKey

Enables redacting Kafka’s API key (deprecated, will be removed in v1.19). Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: –set hubble.redact.enabled=”true” –set hubble.redact.kafka.apiKey=”true”

bool

true

hubble.relay.annotations

Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)

object

{}

hubble.relay.extraEnv

Additional hubble-relay environment variables.

list

[]

hubble.relay.extraVolumes

Additional hubble-relay volumes.

list

[]

hubble.relay.gops.port

Configure gops listen port for hubble-relay

int

9893

hubble.relay.listenHost

Host to listen to. Specify an empty string to bind to all the interfaces.

string

""

hubble.relay.logOptions

Logging configuration for hubble-relay.

object

{"format":null,"level":null}

hubble.relay.logOptions.level

Log level for hubble-relay. Valid values are: debug, info, warn, error.

string

info

hubble.relay.podAnnotations

Annotations to be added to hubble-relay pods

object

{}

hubble.relay.podDisruptionBudget.maxUnavailable

Maximum number/percentage of pods that may be made unavailable

int

1

hubble.relay.podDisruptionBudget.unhealthyPodEvictionPolicy

How are unhealthy, but running, pods counted for eviction

string

nil

hubble.relay.podSecurityContext

hubble-relay pod security context

object

{"fsGroup":65532,"seccompProfile":{"type":"RuntimeDefault"}}

hubble.relay.pprof.blockProfileRate

Enable goroutine blocking profiling for hubble-relay and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])

int

0

hubble.relay.pprof.mutexProfileFraction

Enable mutex contention profiling for hubble-relay and set the fraction of sampled events (set to 1 to sample all events)

int

0

hubble.relay.priorityClassName

The priority class to use for hubble-relay

string

""

hubble.relay.prometheus.serviceMonitor.annotations

Annotations to add to ServiceMonitor hubble-relay

object

{}

hubble.relay.prometheus.serviceMonitor.interval

Interval for scrape metrics.

string

"10s"

hubble.relay.prometheus.serviceMonitor.metricRelabelings

Metrics relabeling configs for the ServiceMonitor hubble-relay

string

nil

hubble.relay.prometheus.serviceMonitor.scrapeTimeout

Timeout after which scrape is considered to be failed.

string

nil

hubble.relay.resources

Specifies the resources for the hubble-relay pods

object

{}

hubble.relay.rollOutPods

Roll out Hubble Relay pods automatically when configmap is updated.

bool

false

hubble.relay.service

hubble-relay service configuration.

object

{"nodePort":31234,"type":"ClusterIP"}

hubble.relay.service.type

• The type of service used for Hubble Relay access, either ClusterIP, NodePort or LoadBalancer.

string

"ClusterIP"

hubble.relay.sortBufferLenMax

Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100).

int

nil

hubble.relay.tls

TLS configuration for Hubble Relay

object

{"client":{"cert":"","existingSecret":"","key":""},"server":{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}

hubble.relay.tls.client.cert

base64 encoded PEM values for the Hubble relay client certificate (deprecated). Use existingSecret instead.

string

""

hubble.relay.tls.client.key

base64 encoded PEM values for the Hubble relay client key (deprecated). Use existingSecret instead.

string

""

hubble.relay.tls.server.cert

base64 encoded PEM values for the Hubble relay server certificate (deprecated). Use existingSecret instead.

string

""

hubble.relay.tls.server.extraDnsNames

extra DNS names added to certificate when its auto gen

list

[]

hubble.relay.tls.server.key

base64 encoded PEM values for the Hubble relay server key (deprecated). Use existingSecret instead.

string

""

hubble.relay.topologySpreadConstraints

Pod topology spread constraints for hubble-relay

list

[]

hubble.skipUnknownCGroupIDs

Skip Hubble events with unknown cgroup ids

bool

true

hubble.tls

TLS configuration for Hubble

object

{"auto":{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}

hubble.tls.auto.certManagerIssuerRef

certmanager issuer used when hubble.tls.auto.method=certmanager.

object

{}

hubble.tls.auto.enabled

Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below.

bool

true

hubble.tls.auto.schedule

Schedule for certificates regeneration (regardless of their expiration date). Only used if method is “cronJob”. If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax

string

"0 0 1 */4 *"

hubble.tls.server

The Hubble server certificate and private key

object

{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}

hubble.tls.server.existingSecret

Name of the Secret containing the certificate and key for the Hubble server. If specified, cert and key are ignored.

string

""

hubble.tls.server.extraIpAddresses

Extra IP addresses added to certificate when it’s auto generated

list

[]

hubble.ui.affinity

Affinity for hubble-ui

object

{}

hubble.ui.backend.extraEnv

Additional hubble-ui backend environment variables.

list

[]

hubble.ui.backend.extraVolumes

Additional hubble-ui backend volumes.

list

[]

hubble.ui.backend.livenessProbe.enabled

Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)

bool

false

hubble.ui.backend.resources

Resource requests and limits for the ‘backend’ container of the ‘hubble-ui’ deployment.

object

{}

hubble.ui.baseUrl

Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing / is required for custom path, ex. /service-map/

string

"/"

hubble.ui.frontend.extraEnv

Additional hubble-ui frontend environment variables.

list

[]

hubble.ui.frontend.extraVolumes

Additional hubble-ui frontend volumes.

list

[]

hubble.ui.frontend.resources

Resource requests and limits for the ‘frontend’ container of the ‘hubble-ui’ deployment.

object

{}

hubble.ui.frontend.server.ipv6

Controls server listener for ipv6

object

{"enabled":true}

hubble.ui.labels

Additional labels to be added to ‘hubble-ui’ deployment object

object

{}

hubble.ui.podAnnotations

Annotations to be added to hubble-ui pods

object

{}

hubble.ui.podDisruptionBudget.maxUnavailable

Maximum number/percentage of pods that may be made unavailable

int

1

hubble.ui.podDisruptionBudget.unhealthyPodEvictionPolicy

How are unhealthy, but running, pods counted for eviction

string

nil

hubble.ui.priorityClassName

The priority class to use for hubble-ui

string

""

hubble.ui.rollOutPods

Roll out Hubble-ui pods automatically when configmap is updated.

bool

false

hubble.ui.service

hubble-ui service configuration.

object

{"annotations":{},"labels":{},"nodePort":31235,"type":"ClusterIP"}

hubble.ui.service.labels

Labels to be added for the Hubble UI service

object

{}

hubble.ui.service.type

• The type of service used for Hubble UI access, either ClusterIP or NodePort.

string

"ClusterIP"

hubble.ui.standalone.tls.certsVolume

When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates.

object

{}

hubble.ui.tls.client.existingSecret

Name of the Secret containing the client certificate and key for Hubble UI If specified, cert and key are ignored.

string

""

hubble.ui.tmpVolume

Configure temporary volume for hubble-ui

object

{}

hubble.ui.topologySpreadConstraints

Pod topology spread constraints for hubble-ui

list

[]

identityAllocationMode

Method to use for identity allocation (crd, kvstore or doublewrite-readkvstore / doublewrite-readcrd for migrating between identity backends).

string

"crd"

identityManagementMode

Control whether CiliumIdentities are created by the agent (“agent”), the operator (“operator”) or both (“both”). “Both” should be used only to migrate between “agent” and “operator”. Operator-managed identities is a beta feature.

string

"agent"

imagePullSecrets

Configure image pull secrets for pulling container images

list

[]

ingressController.defaultSecretName

Default secret name for ingresses without .spec.tls[].secretName set.

string

nil

ingressController.enableProxyProtocol

Enable proxy protocol for all Ingress listeners. Note that only Proxy protocol traffic will be accepted once this is enabled.

bool

false

ingressController.enforceHttps

Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header.

bool

true

ingressController.hostNetwork.nodes.matchLabels

Specify the labels of the nodes where the Ingress listeners should be exposed matchLabels: kubernetes.io/os: linux kubernetes.io/hostname: kind-worker

object

{}

ingressController.ingressLBAnnotationPrefixes

IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service

list

["lbipam.cilium.io","nodeipam.cilium.io","service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]

ingressController.secretsNamespace

SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.

object

{"create":true,"name":"cilium-secrets","sync":true}

ingressController.secretsNamespace.name

Name of Ingress secret namespace.

string

"cilium-secrets"

ingressController.service

Load-balancer service in shared mode. This is a single load-balancer service for all Ingress resources.

object

{"allocateLoadBalancerNodePorts":null,"annotations":{},"externalTrafficPolicy":"Cluster","insecureNodePort":null,"labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"name":"cilium-ingress","secureNodePort":null,"type":"LoadBalancer"}

ingressController.service.annotations

Annotations to be added for the shared LB service

object

{}

ingressController.service.insecureNodePort

Configure a specific nodePort for insecure HTTP traffic on the shared LB service

string

nil

ingressController.service.loadBalancerClass

Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+)

string

nil

ingressController.service.name

Service name

string

"cilium-ingress"

ingressController.service.type

Service type for the shared LB service

string

"LoadBalancer"

installNoConntrackIptablesRules

Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup.

bool

false

ipam.ciliumNodeUpdateRate

Maximum rate at which the CiliumNode custom resource is updated.

string

"15s"

ipam.mode

Configure IP Address Management mode. ref: https://docs.cilium.io/en/stable/network/concepts/ipam/

string

"cluster-pool"

ipam.nodeSpec

NodeSpec configuration for the IPAM

object

{"ipamMaxAllocate":null,"ipamMinAllocate":null,"ipamPreAllocate":null,"ipamStaticIPTags":[]}

ipam.nodeSpec.ipamMinAllocate

IPAM min allocate @schema type: [null, integer] @schema

string

nil

ipam.nodeSpec.ipamStaticIPTags

IPAM static IP tags (currently only works with AWS and Azure)

list

[]

ipam.operator.clusterPoolIPv4MaskSize

IPv4 CIDR mask size to delegate to individual nodes for IPAM.

int

24

ipam.operator.clusterPoolIPv6MaskSize

IPv6 CIDR mask size to delegate to individual nodes for IPAM.

int

120

ipam.operator.externalAPILimitBurstSize

The maximum burst size when rate limiting access to external APIs. Also known as the token bucket capacity.

int

20

iptablesRandomFully

Configure iptables–random-fully. Disabled by default. View https://github.com/cilium/cilium/issues/13037 for more information.