cilium policy trace
Trace a policy decision
Synopsis
Verifies whether the source is allowed to consume the destination. Source / destination can be provided as an endpoint ID, security ID, Kubernetes Pod, YAML file, or set of LABELs. A LABEL is represented as SOURCE:KEY[=VALUE]. dports can be, for example: 80/tcp, 53 or 23/udp. If multiple sources and / or destinations are provided, each source is tested for whether there is a policy allowing traffic between it and each destination. --src-k8s-pod and --dst-k8s-pod require cilium-agent to be running with the disable-endpoint-crd option set to "false".
cilium policy trace ( -s <label context> | --src-identity <security identity> | --src-endpoint <endpoint ID> | --src-k8s-pod <namespace:pod-name> | --src-k8s-yaml <path to YAML file> ) ( -d <label context> | --dst-identity <security identity> | --dst-endpoint <endpoint ID> | --dst-k8s-pod <namespace:pod-name> | --dst-k8s-yaml <path to YAML file> ) [--dport <port>[/<protocol>]] [flags]
Options
--dport strings L4 destination port to search on outgoing traffic of the source label context and on incoming traffic of the destination label context
-d, --dst strings Destination label context
--dst-endpoint string Destination endpoint
--dst-identity int Destination identity (default -1)
--dst-k8s-pod string Destination k8s pod ([namespace:]podname)
--dst-k8s-yaml string Path to YAML file for destination
-h, --help help for trace
-o, --output string json| jsonpath='{}'
-s, --src strings Source label context
--src-endpoint string Source endpoint
--src-identity int Source identity (default -1)
--src-k8s-pod string Source k8s pod ([namespace:]podname)
--src-k8s-yaml string Path to YAML file for source
-v, --verbose Set tracing to TRACE_VERBOSE
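As an added example (not part of the Cilium docs or the cilium tool itself), the following shell wrapper validates --dport values in the three forms the synopsis lists, runs one trace per port between a source and destination label context, and reduces each run to its verdict so a set of expected-allowed flows can be checked in one go. It assumes cilium is on PATH (override with CILIUM_BIN), that the plain-text output contains a "Final verdict: ALLOWED" or "Final verdict: DENIED" line (an assumption about the output format, not stated on this page), and the script name trace_ports.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the Cilium project. Assumes `cilium` is on PATH
# (override with CILIUM_BIN) and that the plain-text trace output contains a
# line "Final verdict: ALLOWED" or "Final verdict: DENIED" (assumption).
set -eu

CILIUM_BIN="${CILIUM_BIN:-cilium}"

# Accept only the --dport forms the synopsis lists: 80/tcp, 53, 23/udp.
valid_dport() {
  spec="$1"
  port="${spec%%/*}"
  proto="${spec#"$port"}"; proto="${proto#/}"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case "$proto" in ''|tcp|udp) return 0 ;; *) return 1 ;; esac
}

# Trace one source/destination label context pair for one port and print
# ALLOWED, DENIED, or UNKNOWN (no verdict line found in the output).
trace_verdict() {
  src="$1"; dst="$2"; dport="$3"
  valid_dport "$dport" || { echo "invalid dport: $dport" >&2; return 2; }
  # Capture output even on a non-zero exit so the verdict line is still parsed.
  out="$("$CILIUM_BIN" policy trace -s "$src" -d "$dst" --dport "$dport" 2>&1 || true)"
  printf '%s\n' "$out" |
    awk '/Final verdict:/ { print $NF; found = 1 } END { if (!found) print "UNKNOWN" }'
}

# Check every port in the list; return 1 if any port is not ALLOWED, so the
# script can gate a CI step that expects a policy to permit specific flows.
check_ports() {
  src="$1"; dst="$2"; shift 2
  rc=0
  for p in "$@"; do
    v="$(trace_verdict "$src" "$dst" "$p")"
    printf '%-10s %s\n' "$p" "$v"
    [ "$v" = "ALLOWED" ] || rc=1
  done
  return "$rc"
}

# Usage: sh trace_ports.sh <src label context> <dst label context> <dport>...
# e.g.   sh trace_ports.sh k8s:app=frontend k8s:app=backend 80/tcp 53
if [ "$#" -ge 3 ]; then
  check_ports "$@"
fi
```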
Options inherited from parent commands
--config string config file (default is $HOME/.cilium.yaml)
-D, --debug Enable debug messages
-H, --host string URI to server-side API
SEE ALSO
- cilium policy - Manage security policies