Command Cheatsheet

    All commands and subcommands have the option that will provide information about the options and arguments that the subcommand has. In case of any error in the command, Cilium CLI will return a non-zero status.

    All the list commands will return a pretty-printed list with the information retrieved from the Cilium daemon. If you need something more detailed, you can get JSON output with the global option -o json:

    $ cilium endpoint list -o json

    Moreover, Cilium also provides JSONPath support, so detailed information can be extracted. JSONPath template reference can be found in

    $ cilium endpoint list -o jsonpath='{[*].id}'
    29898 38939 56326
    $ cilium endpoint list -o jsonpath='{range [*]}{@.id}{"="}{@.status.policy.spec.policy-enabled}{"\n"}{end}'
    29898=none
    38939=none
    56326=none
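
The `id=policy-enabled` lines produced by the JSONPath template above can feed a quick enforcement audit. This is an added example, not part of the Cilium documentation; the function names are hypothetical, and treating every value other than `none` as enforced is an assumption, since the page only shows `none`.

```shell
#!/bin/sh
# Added example: reads "<endpoint-id>=<policy-enabled>" lines on stdin and
# lists the endpoints whose policy enforcement mode is "none".
# Exit status: 0 = every endpoint enforces policy, 1 = at least one endpoint
# is unenforced, 2 = at least one line could not be parsed.
audit_policy_enforcement() {
    awk -F= '
        NF == 0 { next }                                  # skip blank lines
        NF != 2 || $1 !~ /^[0-9]+$/ || $2 == "" {
            printf "unparseable line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1; next
        }
        $2 == "none" { unenforced = unenforced " " $1; n++ }
        { total++ }                                       # every valid line
        END {
            if (n)          printf "unenforced (%d/%d):%s\n", n, total, unenforced
            else if (total) printf "all %d endpoints enforce policy\n", total
            else            print  "no endpoints parsed"
            exit (bad ? 2 : (n ? 1 : 0))
        }'
}

# Sample input: the three lines shown in the output above.
sample_all_none() { printf '29898=none\n38939=none\n56326=none\n'; }

# Against a live agent the input would come from the command shown above:
#   cilium endpoint list -o jsonpath='{range [*]}{@.id}{"="}{@.status.policy.spec.policy-enabled}{"\n"}{end}' \
#       | audit_policy_enforcement
sample_all_none | audit_policy_enforcement || echo "exit status: $?"
```
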

    Shell Tab-completion

    If you use bash or zsh, Cilium CLI can provide tab completion for subcommands. If you want to install tab completion, you should run the following command in your terminal.

    $ source <(cilium completion)

    If you want to have Cilium completion always loaded, you can install using the following:

    $ echo "source <(cilium completion)" >> ~/.bashrc

    Basics

    Check the status of the agent

    $ cilium status
    KVStore: Ok Consul: 172.17.0.3:8300
    ContainerRuntime: Ok
    Kubernetes: Disabled
    Cilium: Ok OK
    Cilium health daemon: Ok
    Controller Status: 6/6 healthy
    Proxy Status: OK, ip 10.15.28.238, port-range 10000-20000
    Cluster health: 1/1 reachable (2018-04-11T07:33:09Z)
    $

    Get a detailed status of the agent:

    $ cilium status --all-controllers --all-health --all-redirects
    KVStore: Ok Consul: 172.17.0.3:8300
    ContainerRuntime: Ok
    Kubernetes: Disabled
    NodeMonitor: Listening for events on 2 CPUs with 64x4096 of shared memory
    Cilium health daemon: Ok
    Controller Status: 6/6 healthy
    Name Last success Last error Count Message
    kvstore-lease-keepalive 2m52s ago never 0 no error
    ipcache-bpf-garbage-collection 2m50s ago never 0 no error
    resolve-identity-29898 2m50s ago never 0 no error
    sync-identity-to-k8s-pod (29898) 50s ago never 0 no error
    sync-IPv4-identity-mapping (29898) 2m49s ago never 0 no error
    sync-IPv6-identity-mapping (29898) 2m49s ago never 0 no error
    Proxy Status: OK, ip 10.15.28.238, port-range 10000-20000
    Cluster health: 1/1 reachable (2018-04-11T07:32:09Z)
    Name IP Reachable Endpoints reachable
    runtime (localhost) 10.0.2.15 true false
    $
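
The status output above can be reduced to a single pass/fail signal for monitoring. This is an added example, not part of the Cilium documentation; the function names are hypothetical, and treating any component state other than Ok or Disabled as degraded is an assumption based only on the states shown on this page.

```shell
#!/bin/sh
# Added example: summarise `cilium status` output read from stdin.
# Exit status: 0 = healthy, 1 = degraded.
check_cilium_status() {
    awk '
        # Flag "N/M" counters where N differs from M.
        function ratio(label, frac,   p) {
            split(frac, p, "/")
            if (p[1] != p[2]) { printf "DEGRADED %s %s\n", label, frac; bad = 1 }
        }
        { sub(/^[ \t]+/, "") }                      # tolerate indented output
        /^Controller Status:/ { ratio("controllers", $3); seen++; next }
        /^Cluster health:/    { ratio("cluster-health", $3); seen++; next }
        /^(KVStore|ContainerRuntime|Kubernetes|Cilium|Cilium health daemon|Proxy Status):/ {
            name  = substr($0, 1, index($0, ":") - 1)
            state = substr($0, index($0, ":") + 1)
            sub(/^[ \t]+/, "", state)               # drop space after the colon
            sub(/[ ,].*$/, "", state)               # keep the first word only
            s = tolower(state)
            if (s != "ok" && s != "disabled") {
                printf "DEGRADED %s %s\n", name, state; bad = 1
            }
            seen++
        }
        END {
            if (!seen) { print "DEGRADED no status lines found"; bad = 1 }
            if (!bad) print "HEALTHY"
            exit (bad ? 1 : 0)
        }'
}

# Sample input: the `cilium status` output shown above.
sample_status() {
    cat <<'EOF'
KVStore: Ok Consul: 172.17.0.3:8300
ContainerRuntime: Ok
Kubernetes: Disabled
Cilium: Ok OK
Cilium health daemon: Ok
Controller Status: 6/6 healthy
Proxy Status: OK, ip 10.15.28.238, port-range 10000-20000
Cluster health: 1/1 reachable (2018-04-11T07:33:09Z)
EOF
}

# Against a live agent: cilium status | check_cilium_status
sample_status | check_cilium_status
```
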

    Get the current agent configuration

    cilium config

    Importing a Cilium Network Policy

    cilium policy import my-policy.json

    Get list of all imported policy rules

    cilium policy get

    Remove all policies

    cilium policy delete --all

    Tracing

    Check policy enforcement between two labels on port 80:

      Check policy enforcement between two pods:

      cilium policy trace --src-k8s-pod <namespace>:<pod.from> --dst-k8s-pod <namespace>:<pod.to>

      Monitoring

      Monitor cilium datapath notifications

      cilium monitor

      Verbose output (including debug if enabled)

      cilium monitor -v

      Extra verbose output (including packet dissection)

      cilium monitor -v -v

      Filter for only the events related to endpoint

      cilium monitor --related-to=<id>

      Filter for only events on layer 7

      Show notifications only for dropped packet events

      cilium monitor --type drop

      Don’t dissect the packet payload; display the payload in hex instead

      cilium monitor -v -v --hex

      Connectivity

      Check cluster Connectivity

      cilium-health status

      There is also a related to this tool.

      Endpoints

      Get list of all local endpoints

      cilium endpoint list

      Get detailed view of endpoint properties and state

      cilium endpoint get <id>

      Enable debugging output on the cilium monitor for this endpoint

      cilium endpoint config <id> Debug=true

      Get list of loadbalancer services

      cilium service list

      Or you can get the loadbalancer information using bpf list:

      cilium bpf lb list

      Add a new loadbalancer

      cilium service update --frontend 127.0.0.1:80 \
          --backends 127.0.0.2:90,127.0.0.3:90 \
          --id 20

      BPF

      List node tunneling mapping information

      cilium bpf tunnel list

      Checking logs for verifier issue

      journalctl -u cilium | grep -B20 -A10 Verifier

      List connection tracking entries:

      sudo cilium bpf ct list global

      Flush connection tracking entries:

      sudo cilium bpf ct flush

      List proxy configuration:

      sudo cilium bpf proxy list

      If you are running Cilium on top of Kubernetes, you may also want a way to list all Cilium endpoints or policies from a single kubectl command. Cilium provides all this information to the user by using Kubernetes Resource Definitions:

      Policies

      In Kubernetes you can use two kinds of policies, Kubernetes Network Policies or Cilium Network Policies. Both can be retrieved from the kubectl command:

      Kubernetes Network Policies

      kubectl get netpol

      Cilium Network Policies

      $ kubectl get cnp
      NAME AGE
      rule1 3m
      $ kubectl get cnp rule1
      NAME AGE
      rule1 3m

      To retrieve a list of all endpoints managed by cilium, resource can be used.