Command Cheatsheet

Cilium is controlled via an easy command-line interface. This CLI is a single application that takes subcommands that you can find in the command reference guide.

    $ cilium
    CLI for interacting with the local Cilium Agent
    Usage:
      cilium [command]
    Available Commands:
      bpf         Direct access to local eBPF maps
      cleanup     Reset the agent state
      completion  Output shell completion code for bash
      config      Cilium configuration options
      debuginfo   Request available debugging information from agent
      endpoint    Manage endpoints
      identity    Manage security identities
      kvstore     Direct access to the kvstore
      monitor     Monitoring
      policy      Manage security policies
      prefilter   Manage XDP CIDR filters
      service     Manage services & loadbalancers
      status      Display status of daemon
      version     Print version information
    Flags:
          --config string   config file (default is $HOME/.cilium.yaml)
      -D, --debug           Enable debug messages
      -H, --host string     URI to server-side API
    Use "cilium [command] --help" for more information about a command.

All commands and subcommands have the option -h that will provide information about the options and arguments that the subcommand has. In case of any error in the command, Cilium CLI will return a non-zero status.

Command utilities:

JSON Output

All the list commands return a pretty-printed list with the information retrieved from the Cilium daemon. If you need something more detailed, use the global option -o json to get JSON output:

    $ cilium endpoint list -o json

Cilium also provides JSONPath support, so detailed information can be extracted. The JSONPath template reference can be found in the Kubernetes documentation.

    $ cilium endpoint list -o jsonpath='{[*].id}'
    29898 38939 56326
    $ cilium endpoint list -o jsonpath='{range [*]}{@.id}{"="}{@.status.policy.spec.policy-enabled}{"\n"}{end}'
    29898=none
    38939=none
    56326=none

Shell Tab-completion

If you use bash or zsh, Cilium CLI can provide tab completion for subcommands. If you want to install tab completion, you should run the following command in your terminal.

    $ source <(cilium completion)

If you want to have Cilium completion always loaded, you can install using the following:

    $ echo "source <(cilium completion)" >> ~/.bashrc

Command examples:

Basics

Check the status of the agent

    $ cilium status
    KVStore:                Ok   Consul: 172.17.0.3:8300
    ContainerRuntime:       Ok
    Kubernetes:             Disabled
    Cilium:                 Ok   OK
    NodeMonitor:            Listening for events on 2 CPUs with 64x4096 of shared memory
    Cilium health daemon:   Ok
    Controller Status:      6/6 healthy
    Proxy Status:           OK, ip 10.15.28.238, port-range 10000-20000
    Cluster health:         1/1 reachable   (2018-04-11T07:33:09Z)

Get a detailed status of the agent:

    $ cilium status --all-controllers --all-health --all-redirects
    KVStore:                Ok   Consul: 172.17.0.3:8300
    ContainerRuntime:       Ok
    Kubernetes:             Disabled
    Cilium:                 Ok   OK
    NodeMonitor:            Listening for events on 2 CPUs with 64x4096 of shared memory
    Cilium health daemon:   Ok
    Controller Status:      6/6 healthy
      Name                                 Last success   Last error   Count   Message
      kvstore-lease-keepalive              2m52s ago      never        0       no error
      ipcache-bpf-garbage-collection       2m50s ago      never        0       no error
      resolve-identity-29898               2m50s ago      never        0       no error
      sync-identity-to-k8s-pod (29898)     50s ago        never        0       no error
      sync-IPv4-identity-mapping (29898)   2m49s ago      never        0       no error
      sync-IPv6-identity-mapping (29898)   2m49s ago      never        0       no error
    Proxy Status:           OK, ip 10.15.28.238, port-range 10000-20000
    Cluster health:         1/1 reachable   (2018-04-11T07:32:09Z)
      Name                  IP          Reachable   Endpoints reachable
      runtime (localhost)   10.0.2.15   true        false

Get the current agent configuration

    cilium config

Policy management

Importing a Cilium Network Policy

    cilium policy import my-policy.json

Get list of all imported policy rules

    cilium policy get

Remove all policies

    cilium policy delete --all

Tracing

Check policy enforcement between two labels on port 80:

    cilium policy trace -s <app.from> -d <app.to> --dport 80

Check policy enforcement between two identities

    cilium policy trace --src-identity <from-id> --dst-identity <to-id>

Check policy enforcement between two pods:

    cilium policy trace --src-k8s-pod <namespace>:<pod.from> --dst-k8s-pod <namespace>:<pod.to>

Monitoring

Monitor cilium datapath notifications

    cilium monitor

Verbose output (including debug if enabled)

    cilium monitor -v

Extra verbose output (including packet dissection)

    cilium monitor -v -v

Filter for only the events related to endpoint

    cilium monitor --related-to=<id>

Filter for only events on layer 7

    cilium monitor -t L7

Show notifications only for dropped packet events

    cilium monitor --type drop

Don’t dissect the packet payload; display it in hex instead

    cilium monitor -v -v --hex

Connectivity

Check cluster connectivity

    cilium-health status

There is also a blog post related to this tool.

Endpoints

Get list of all local endpoints

    cilium endpoint list

Get detailed view of endpoint properties and state

    cilium endpoint get <id>

Show recent endpoint specific log entries

    cilium endpoint log <id>

Enable debugging output on the cilium monitor for this endpoint

    cilium endpoint config <id> Debug=true

Loadbalancing

Get list of loadbalancer services

    cilium service list

Or you can get the loadbalancer information using bpf list

    cilium bpf lb list

Add a new loadbalancer

    cilium service update --frontend 127.0.0.1:80 \
        --backends 127.0.0.2:90,127.0.0.3:90 \
        --id 20

eBPF

List node tunneling mapping information

    cilium bpf tunnel list

Check the logs for verifier issues

    journalctl -u cilium | grep -B20 -A10 Verifier

List connection tracking entries:

    sudo cilium bpf ct list global

Flush connection tracking entries:

    sudo cilium bpf ct flush

Kubernetes examples:

If you are running Cilium on top of Kubernetes, you may also want a way to list all Cilium endpoints or policies with a single kubectl command. Cilium provides all this information to the user by using Kubernetes Resource Definitions:

Policies

In Kubernetes you can use two kinds of policies, Kubernetes Network Policies or Cilium Network Policies. Both can be retrieved from the kubectl command:

Kubernetes Network Policies

    kubectl get netpol

Kubernetes Cilium Policies

    $ kubectl get cnp
    NAME      AGE
    rule1     3m
    $ kubectl get cnp rule1
    NAME      AGE
    rule1     3m
    $ kubectl get cnp rule1 -o json

Endpoints

To retrieve a list of all endpoints managed by Cilium, use the Cilium Endpoint resource.

    $ kubectl get cep
    NAME                AGE
    34e299f0-b25c2fef   41s
    34e299f0-dd86986c   42s
    4d088f48-83e4f98d   2m
    4d088f48-d04ab55f   2m
    5c6211b5-9217a4d1   1m
    5c6211b5-dccc3d24   1m
    700e0976-6cb50b02   3m
    700e0976-afd3a30c   3m
    78092a35-4874ed16   1m
    78092a35-4b08b92b   1m
    9b74f61f-14571299   7s
    9b74f61f-f9a96f4a   7s
    $ kubectl get cep 700e0976-6cb50b02 -o json
    $ kubectl get cep -o jsonpath='{range .items[*]}{@.status.id}{"="}{@.status.status.policy.spec.policy-enabled}{"\n"}{end}'
    30391=ingress
    5766=ingress
    51796=none
    40355=none
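
The id=mode lines printed by the jsonpath templates above are easy to audit for endpoints that run without policy enforcement. The script below is an added example, not part of the Cilium documentation or tooling; its function names are hypothetical, and its sample input is the kubectl get cep output shown on this page, so it runs without a cluster.

```shell
#!/bin/sh
# Added example: audit policy enforcement from "<endpoint-id>=<mode>" lines,
# the format printed by the jsonpath templates on this page.
# Function names are hypothetical; nothing here is Cilium's own code.

# Print the IDs of endpoints whose enforcement mode is "none", one per line.
# Lines that are not "<numeric-id>=<mode>" are reported on stderr and skipped.
unenforced_endpoints() {
    awk -F= '
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 != "" {
            if ($2 == "none") print $1
            next
        }
        NF > 0 { print "skipping malformed line: " $0 | "cat 1>&2" }
    '
}

# Print "<total> <unenforced>" for the well-formed lines on stdin.
policy_summary() {
    awk -F= '
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 != "" { total++; if ($2 == "none") bare++ }
        END { printf "%d %d\n", total, bare }
    '
}

# Sample input: the kubectl get cep jsonpath output shown above.
sample_output() {
    cat <<'EOF'
30391=ingress
5766=ingress
51796=none
40355=none
EOF
}

# Run the command given as arguments and return 1 when any endpoint it lists
# is unenforced, so the check can gate a pipeline. On a live cluster, pass the
# kubectl get cep jsonpath command from this page instead of sample_output.
audit() {
    ids=$("$@" | unenforced_endpoints)
    [ -z "$ids" ] && return 0
    echo "endpoints without policy enforcement:" $ids
    return 1
}

audit sample_output || echo "audit failed"
```
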