README
¶
.. raw:: html
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo.png" width="350" alt="Cilium Logo">
<img src="https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-dark.png" width="350" alt="Cilium Logo">
</picture>
|cii| |go-report| |clomonitor| |artifacthub| |slack| |go-doc| |rtd| |apache| |bsd| |gpl| |fossa| |gateway-api| |codespaces|
Cilium is a networking, observability, and security solution with an eBPF-based
dataplane. It provides a simple flat Layer 3 network with the ability to span
multiple clusters in either a native routing or overlay mode. It is L7-protocol
aware and can enforce network policies on L3-L7 using an identity based security
model that is decoupled from network addressing.
Cilium implements distributed load balancing for traffic between pods and to
external services, and is able to fully replace kube-proxy, using efficient
hash tables in eBPF allowing for almost unlimited scale. It also supports
advanced functionality like integrated ingress and egress gateway, bandwidth
management and service mesh, and provides deep network and security visibility and monitoring.
A new Linux kernel technology called eBPF_ is at the foundation of Cilium. It
supports dynamic insertion of eBPF bytecode into the Linux kernel at various
integration points such as: network IO, application sockets, and tracepoints to
implement security, networking and visibility logic. eBPF is highly efficient
and flexible. To learn more about eBPF, visit `eBPF.io`_.
.. image:: Documentation/images/cilium-overview.png
:alt: Overview of Cilium features for networking, observability, service mesh, and runtime security
.. raw:: html
<a href="https://cncf.io/">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://github.com/cncf/artwork/blob/main/other/cncf-member/graduated/color/cncf-graduated-color.svg" />
<img src="https://github.com/cncf/artwork/blob/main/other/cncf-member/graduated/white/cncf-graduated-white.svg" alt="CNCF Graduated Project" height="80" />
</picture>
</a>
<a href="https://ebpf.io/">
<picture>
<source media="(prefers-color-scheme: light)" srcset=".github/assets/ebpf-horizontal.svg" />
<img src=".github/assets/ebpf-horizontal-dark-back.svg" alt="eBPF Logo" height="80" align="right" />
</picture>
</a>
Stable Releases
===============
The Cilium community maintains minor stable releases for the last three minor
Cilium versions. Older Cilium stable versions from minor releases prior to that
are considered EOL.
For upgrades to new minor releases please consult the `Cilium Upgrade Guide`_.
Listed below are the actively maintained release branches along with their latest
patch release, corresponding image pull tags and their release notes:
+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+
| `v1.18 <https://github.com/cilium/cilium/tree/v1.18>`__ | 2026-01-13 | ``quay.io/cilium/cilium:v1.18.6`` | `Release Notes <https://github.com/cilium/cilium/releases/tag/v1.18.6>`__ |
+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+
| `v1.17 <https://github.com/cilium/cilium/tree/v1.17>`__ | 2026-01-13 | ``quay.io/cilium/cilium:v1.17.12`` | `Release Notes <https://github.com/cilium/cilium/releases/tag/v1.17.12>`__ |
+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+
| `v1.16 <https://github.com/cilium/cilium/tree/v1.16>`__ | 2026-01-13 | ``quay.io/cilium/cilium:v1.16.19`` | `Release Notes <https://github.com/cilium/cilium/releases/tag/v1.16.19>`__ |
+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+
Architectures
-------------
Cilium images are distributed for AMD64 and AArch64 architectures.
Software Bill of Materials
--------------------------
Starting with Cilium version 1.13.0, all images include a Software Bill of
Materials (SBOM). The SBOM is generated in `SPDX`_ format. More information
on this is available on `Cilium SBOM`_.
.. _`SPDX`: https://spdx.dev/
.. _`Cilium SBOM`: https://docs.cilium.io/en/latest/configuration/sbom/
Development
===========
For development and testing purpose, the Cilium community publishes snapshots,
early release candidates (RC) and CI container images build from the `main
branch <https://github.com/cilium/cilium/commits/main>`_. These images are
not for use in production.
For testing upgrades to new development releases please consult the latest
development build of the `Cilium Upgrade Guide`_.
Listed below are branches for testing along with their snapshots or RC releases,
corresponding image pull tags and their release notes where applicable:
+----------------------------------------------------------------------------+------------+-----------------------------------------+---------------------------------------------------------------------------------+
| `main <https://github.com/cilium/cilium/commits/main>`__ | daily | ``quay.io/cilium/cilium-ci:latest`` | N/A |
+----------------------------------------------------------------------------+------------+-----------------------------------------+---------------------------------------------------------------------------------+
| `v1.19.0-pre.4 <https://github.com/cilium/cilium/commits/v1.19.0-pre.4>`__ | 2026-01-07 | ``quay.io/cilium/cilium:v1.19.0-pre.4`` | `Release Notes <https://github.com/cilium/cilium/releases/tag/v1.19.0-pre.4>`__ |
+----------------------------------------------------------------------------+------------+-----------------------------------------+---------------------------------------------------------------------------------+
Functionality Overview
======================
.. begin-functionality-overview
CNI (Container Network Interface)
---------------------------------
`Cilium as a CNI plugin <https://cilium.io/use-cases/cni/>`_ provides a
fast, scalable, and secure networking layer for Kubernetes clusters. Built
on eBPF, it offers several deployment options:
* **Overlay networking:** encapsulation-based virtual network spanning all
hosts with support for VXLAN and Geneve. It works on almost any network
infrastructure as the only requirement is IP connectivity between hosts
which is typically already given.
* **Native routing mode:** Use of the regular routing table of the Linux
host. The network is required to be capable of routing the IP addresses
of the application containers. It integrates with cloud routers, routing
daemons, and IPv6-native infrastructure.
* **Flexible routing options:** Cilium can automate route learning and
advertisement in common topologies such as using L2 neighbor discovery
when nodes share a layer 2 domain, or BGP when routing across layer 3
boundaries.
Each mode is designed for maximum interoperability with existing
infrastructure while minimizing operational burden.
Load Balancing
--------------
Cilium implements distributed load balancing for traffic between application
containers and to/from external services. The load balancing is implemented
in eBPF using efficient hashtables enabling high service density and low
latency at scale.
* **East-west load balancing** rewrites service connections at the socket
level (``connect()``), avoiding the overhead of per-packet NAT and fully
`replacing kube-proxy <https://cilium.io/use-cases/kube-proxy/>`_.
* **North-south load balancing** supports XDP for high-throughput scenarios
and `layer 4 load balancing <https://cilium.io/use-cases/load-balancer/>`_
including Direct Server Return (DSR), and Maglev consistent hashing.
Cluster Mesh
------------
Cilium `Cluster Mesh <https://cilium.io/use-cases/cluster-mesh/>`_ enables
secure, seamless connectivity across multiple Kubernetes clusters. For
operators running hybrid or multi-cloud environments, Cluster Mesh ensures
a consistent security and connectivity experience.
* **Global service discovery**: Workloads across clusters can discover and
connect to services as if they were local. This enables fault tolerance,
like automatically failing over to backends in another cluster, and
exposes shared services like logging, auth, or databases across
environments.
* **Unified identity model:** Security policies are enforced based on
identity, not IP address, across all clusters.
Network Policy
--------------
Cilium `Network Policy <https://cilium.io/use-cases/network-policy/>`_
provides identity-aware enforcement across L3-L7. Typical container
firewalls secure workloads by filtering on source IP addresses and
destination ports. This concept requires the firewalls on all servers to be
manipulated whenever a container is started anywhere in the cluster.
In order to avoid this situation which limits scale, Cilium assigns a
security identity to groups of application containers which share identical
security policies. The identity is then associated with all network packets
emitted by the application containers, allowing to validate the identity at
the receiving node.
* **Identity-based security** removes reliance on brittle IP addresses.
* **L3/L4 policies** restrict traffic based on labels, protocols, and ports.
* **DNS-based policies:** Allow or deny traffic to FQDNs or wildcard domains
(e.g., ``api.example.com``, ``*.trusted.com``). This is especially useful
for securing egress traffic to third-party services.
* **L7-aware policies** allow filtering by HTTP method, URL path, gRPC call,
and more:
* Example: Allow only GET requests to ``/public/.*``.
* Enforce the presence of headers like ``X-Token: [0-9]+``.
CIDR-based egress and ingress policies are also supported for controlling
access to external IPs, ideal for integrating with legacy systems or
regulatory boundaries.
Service Mesh
------------
With Cilium `Service Mesh <https://cilium.io/use-cases/service-mesh/>`_,
operators gain the benefits of fine-grained traffic control, encryption, observability,
access control, without the cost and complexity of traditional proxy-based
designs. Key features include:
* **Mutual authentication** with automatic identity-based encryption between
workloads using IPSec or WireGuard.
* **L7-aware policy enforcement** for security and compliance.
* **Deep integration with the Kubernetes Gateway API :** Acts as a
`Gateway API <https://cilium.io/use-cases/gateway-api/>`_ compliant data
plane, allowing you to declaratively manage ingress, traffic splitting, and
routing behavior using Kubernetes-native CRDs.
Observability and Troubleshooting
---------------------------------
Observability is built into Cilium from the ground up, providing rich
visibility that helps operators diagnose and understand system behavior
including:
* **Hubble**: A fully integrated observability platform that offers
real-time service maps, flow visibility with identity and label metadata,
and DNS-aware filtering and protocol-specific insights
* **Metrics and alerting**: Integration with Prometheus, Grafana, and other
monitoring systems.
* **Drop reasons and audit trails**: Get actionable insights into why traffic
was dropped, including policy or port violations and issues like failed
DNS lookups.
.. end-functionality-overview
Getting Started
===============
* `Why Cilium?`_
* `Getting Started`_
* `Architecture and Concepts`_
* `Installing Cilium`_
* `Frequently Asked Questions`_
* Contributing_
Community
=========
Slack
-----
Join the Cilium `Slack channel <https://slack.cilium.io>`_ to chat with
Cilium developers and other Cilium users. This is a good place to learn about
Cilium, ask questions, and share your experiences.
Special Interest Groups (SIG)
-----------------------------
See `Special Interest groups
<https://github.com/cilium/community/blob/main/sigs.yaml>`_ for a list of all SIGs and their meeting times.
Developer meetings
------------------
The Cilium developer community hangs out on Zoom to chat. Everybody is welcome.
* Weekly, Wednesday,
5:00 pm `Europe/Zurich time <https://time.is/Canton_of_Zurich>`__ (CET/CEST),
usually equivalent to 8:00 am PT, or 11:00 am ET. `Meeting Notes and Zoom Info`_
* Third Wednesday of each month, 9:00 am `Japan time <https://time.is/Tokyo>`__ (JST). `APAC Meeting Notes and Zoom Info`_
eBPF & Cilium Office Hours livestream
-------------------------------------
We host a weekly community `YouTube livestream called eCHO <https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYBWvuQ>`_ which (very loosely!) stands for eBPF & Cilium Office Hours. Join us live, catch up with past episodes, or head over to the `eCHO repo <https://github.com/isovalent/eCHO>`_ and let us know your ideas for topics we should cover.
Governance
----------
The Cilium project is governed by a group of `Maintainers and Committers <https://raw.githubusercontent.com/cilium/cilium/main/MAINTAINERS.md>`__.
How they are selected and govern is outlined in our `governance document <https://github.com/cilium/community/blob/main/GOVERNANCE.md>`__.
Adopters
--------
A list of adopters of the Cilium project who are deploying it in production, and of their use cases,
can be found in file `USERS.md <https://github.com/cilium/cilium/blob/main/USERS.md>`__.
License
=======
.. _apache-license: LICENSE
.. _bsd-license: bpf/LICENSE.BSD-2-Clause
.. _gpl-license: bpf/LICENSE.GPL-2.0
The Cilium user space components are licensed under the
`Apache License, Version 2.0 <apache-license_>`__.
The BPF code templates are dual-licensed under the
`General Public License, Version 2.0 (only) <gpl-license_>`__
and the `2-Clause BSD License <bsd-license_>`__
(you can use the terms of either license, at your option).
.. _`Cilium Upgrade Guide`: https://docs.cilium.io/en/stable/operations/upgrade/
.. _`Why Cilium?`: https://docs.cilium.io/en/stable/overview/intro
.. _`Getting Started`: https://docs.cilium.io/en/stable/#getting-started
.. _`Architecture and Concepts`: https://docs.cilium.io/en/stable/overview/component-overview/
.. _`Installing Cilium`: https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/
.. _`Frequently Asked Questions`: https://github.com/cilium/cilium/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Akind%2Fquestion+
.. _Contributing: https://docs.cilium.io/en/stable/contributing/development/
.. _Prerequisites: https://docs.cilium.io/en/stable/operations/system_requirements/
.. _`eBPF`: https://ebpf.io
.. _`eBPF.io`: https://ebpf.io
.. _`Meeting Notes and Zoom Info`: https://docs.google.com/document/d/1Y_4chDk4rznD6UgXPlPvn3Dc7l-ZutGajUv1eF0VDwQ/edit#
.. _`APAC Meeting Notes and Zoom Info`: https://docs.google.com/document/d/1egv4qLydr0geP-GjQexYKm4tz3_tHy-LCBjVQcXcT5M/edit#
.. |go-report| image:: https://goreportcard.com/badge/github.com/cilium/cilium
:alt: Go Report Card
:target: https://goreportcard.com/report/github.com/cilium/cilium
.. |go-doc| image:: https://godoc.org/github.com/cilium/cilium?status.svg
:alt: GoDoc
:target: https://godoc.org/github.com/cilium/cilium
.. |rtd| image:: https://readthedocs.org/projects/docs/badge/?version=latest
:alt: Read the Docs
:target: https://docs.cilium.io/
.. |apache| image:: https://img.shields.io/badge/license-Apache-blue.svg
:alt: Apache licensed
:target: apache-license_
.. |bsd| image:: https://img.shields.io/badge/license-BSD-blue.svg
:alt: BSD licensed
:target: bsd-license_
.. |gpl| image:: https://img.shields.io/badge/license-GPL-blue.svg
:alt: GPL licensed
:target: gpl-license_
.. |slack| image:: https://img.shields.io/badge/slack-cilium-brightgreen.svg?logo=slack
:alt: Join the Cilium slack channel
:target: https://slack.cilium.io
.. |cii| image:: https://bestpractices.coreinfrastructure.org/projects/1269/badge
:alt: CII Best Practices
:target: https://bestpractices.coreinfrastructure.org/projects/1269
.. |clomonitor| image:: https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/cilium/badge
:alt: CLOMonitor
:target: https://clomonitor.io/projects/cncf/cilium
.. |artifacthub| image:: https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cilium
:alt: Artifact Hub
:target: https://artifacthub.io/packages/helm/cilium/cilium
.. |fossa| image:: https://app.fossa.com/api/projects/custom%2B162%2Fgit%40github.com%3Acilium%2Fcilium.git.svg?type=shield
:alt: FOSSA Status
:target: https://app.fossa.com/projects/custom%2B162%2Fgit%40github.com%3Acilium%2Fcilium.git?ref=badge_shield
.. |gateway-api| image:: https://img.shields.io/badge/Gateway%20API%20Conformance%20v1.2.0-Cilium-green
:alt: Gateway API Status
:target: https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.0/cilium-cilium
.. |codespaces| image:: https://img.shields.io/badge/Open_in_GitHub_Codespaces-gray?logo=github
:alt: Github Codespaces
:target: https://github.com/codespaces/new?hide_repo_select=true&ref=master&repo=48109239&machine=standardLinux32gb&location=WestEurope
Directories
¶
| Path | Synopsis |
|---|---|
|
api
|
|
|
v1/health/server
Package server Cilium-Health API
|
Package server Cilium-Health API |
|
v1/kvstoremesh/server
Package server KvstoreMesh
|
Package server KvstoreMesh |
|
v1/models
Package models defines all models to be used in the Cilium API.
|
Package models defines all models to be used in the Cilium API. |
|
v1/operator/server
Package server Cilium Operator
|
Package server Cilium Operator |
|
v1/server
Package server Cilium API
|
Package server Cilium API |
|
bpf
|
|
|
responder
command
|
|
|
contrib
|
|
|
examples/statedb
command
|
|
|
examples/statedb_k8s
command
|
|
|
k8s
Package k8s abstracts all Kubernetes specific behaviour
|
Package k8s abstracts all Kubernetes specific behaviour |
|
cmd/common
Package common implements utilities that are meant to be used commonly by all sub-commands to ensure consistency across them.
|
Package common implements utilities that are meant to be used commonly by all sub-commands to ensure consistency across them. |
|
cmd/common/validate
Package validate implements utilities to validate the command configuration by, for example, validating a set of given options.
|
Package validate implements utilities to validate the command configuration by, for example, validating a set of given options. |
|
images
|
|
|
builder
command
|
|
|
auth
Package auth provides routines to manage mutual authentication identities in Cilium.
|
Package auth provides routines to manage mutual authentication identities in Cilium. |
|
pkg/ciliumendpointslice/testutils
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
pkg/ciliumenvoyconfig
Package service contains the logic for Cilium Load Balancer Controller via envoy config
|
Package service contains the logic for Cilium Load Balancer Controller via envoy config |
|
pkg/ciliumidentity/testutils
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
pkg/gateway-api/indexers
Package indexers holds functions related to building indexes for Kubernetes objects in the client cache.
|
Package indexers holds functions related to building indexes for Kubernetes objects in the client cache. |
|
pkg/ingress
Package ingress contains all the logic for Cilium Ingress Controller.
|
Package ingress contains all the logic for Cilium Ingress Controller. |
|
pkg/ingress/annotations
Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.
|
Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults. |
|
pkg/model
Package model contains a data model for translations from upstream Kubernetes resources to Cilium Kubernetes resources.
|
Package model contains a data model for translations from upstream Kubernetes resources to Cilium Kubernetes resources. |
|
pkg/model/ingestion
Package ingestion holds functions that translate from Kubernetes resources into Listener types for storage in the model.
|
Package ingestion holds functions that translate from Kubernetes resources into Listener types for storage in the model. |
|
pkg/model/translation
Package translation building block for translation from model to CiliumEnvoyConfig, Service, etc.
|
Package translation building block for translation from model to CiliumEnvoyConfig, Service, etc. |
|
pkg/model/translation/ingress
Package ingress contains the translation logic from Ingress to CiliumEnvoyConfig and related resources.
|
Package ingress contains the translation logic from Ingress to CiliumEnvoyConfig and related resources. |
|
pkg
|
|
|
alibabacloud/eni/types
Package types provides Alibaba Cloud specific types
|
Package types provides Alibaba Cloud specific types |
|
alignchecker
Package alignchecker provides routines to check Go and C struct alignments
|
Package alignchecker provides routines to check Go and C struct alignments |
|
allocator
Package allocator provides a kvstore based ID allocator
|
Package allocator provides a kvstore based ID allocator |
|
api
Package api provides the Cilium useful helpers for the external API
|
Package api provides the Cilium useful helpers for the external API |
|
aws/eni
Package eni implements AWS ENI allocation logic
|
Package eni implements AWS ENI allocation logic |
|
azure/ipam
Package ipam implements Azure IPAM logic
|
Package ipam implements Azure IPAM logic |
|
azure/types
+groupName=azure
|
+groupName=azure |
|
bgp/agent/signaler
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
bpf
Package bpf provides functions that allow golang programs to interact with bpf maps.
|
Package bpf provides functions that allow golang programs to interact with bpf maps. |
|
byteorder
Package byteorder provides functions to convert from and to network byte order.
|
Package byteorder provides functions to convert from and to network byte order. |
|
command/exec
Package exec provides useful wrappers around the standard "exec" library.
|
Package exec provides useful wrappers around the standard "exec" library. |
|
completion
Package completion implements a variant of sync.WaitGroup that is associated with a context.Context.
|
Package completion implements a variant of sync.WaitGroup that is associated with a context.Context. |
|
controller
Package controller provide a simple pattern for async operations that require retries and/or regular intervals.
|
Package controller provide a simple pattern for async operations that require retries and/or regular intervals. |
|
counter
Package counter provides generic reference counter objects
|
Package counter provides generic reference counter objects |
|
crypto/certloader
package certloader aim to provide a facility to ease dynamic tls.Config handling.
|
package certloader aim to provide a facility to ease dynamic tls.Config handling. |
|
datapath
Package datapath defines the interfaces to abstract all platform specific datapath components.
|
Package datapath defines the interfaces to abstract all platform specific datapath components. |
|
datapath/alignchecker
Package alignchecker is a thin wrapper around pkg/alignchecker to validate datapath object alignment.
|
Package alignchecker is a thin wrapper around pkg/alignchecker to validate datapath object alignment. |
|
datapath/bpf
Package bpf provides Go skeletons containing BPF programs.
|
Package bpf provides Go skeletons containing BPF programs. |
|
datapath/config
Package config contains objects used to configure the eBPF datapath.
|
Package config contains objects used to configure the eBPF datapath. |
|
datapath/connector
Package connector is responsible for the datapath specific plumbing to connect an endpoint to the network
|
Package connector is responsible for the datapath specific plumbing to connect an endpoint to the network |
|
datapath/fake
Package fake is a fake datapath implementation.
|
Package fake is a fake datapath implementation. |
|
datapath/ipcache
Package ipcache provides a BPF datapath implementation of the IPCache store.
|
Package ipcache provides a BPF datapath implementation of the IPCache store. |
|
datapath/iptables
Package iptables manages iptables-related configuration for Cilium.
|
Package iptables manages iptables-related configuration for Cilium. |
|
datapath/link
Package link provides the Cilium specific abstraction and useful helpers to manage network interfaces
|
Package link provides the Cilium specific abstraction and useful helpers to manage network interfaces |
|
datapath/linux
Package linux implements the Linux specific datapath implementation
|
Package linux implements the Linux specific datapath implementation |
|
datapath/linux/bandwidth
Package bandwidth provides efficient EDT-based rate-limiting.
|
Package bandwidth provides efficient EDT-based rate-limiting. |
|
datapath/linux/bigtcp
Package bigtcp provides helpers to probe and enable BIG TCP for the Linux datapath
|
Package bigtcp provides helpers to probe and enable BIG TCP for the Linux datapath |
|
datapath/linux/ipsec
Package ipsec provides the Linux datapath specific abstraction and useful helpers to manage IPSec via Linux xfrm.
|
Package ipsec provides the Linux datapath specific abstraction and useful helpers to manage IPSec via Linux xfrm. |
|
datapath/linux/linux_defaults
Package linux_defaults provides the Linux datapath defaults
|
Package linux_defaults provides the Linux datapath defaults |
|
datapath/linux/probes
Package probes provides BPF features checks based on bpftool.
|
Package probes provides BPF features checks based on bpftool. |
|
datapath/linux/route
Package route provides the Cilium specific abstraction and useful helpers to manage network routes
|
Package route provides the Cilium specific abstraction and useful helpers to manage network routes |
|
datapath/linux/sysctl
Package sysctl allows to change kernel parameters at runtime.
|
Package sysctl allows to change kernel parameters at runtime. |
|
datapath/linux/utime
Package utime converts between time.Time and Unix Epoch time in 512ns time unit.
|
Package utime converts between time.Time and Unix Epoch time in 512ns time unit. |
|
datapath/loader
Package loader provides accessors to compilation and BPF load routines necessary for creating datapath objects and attaching them to links.
|
Package loader provides accessors to compilation and BPF load routines necessary for creating datapath objects and attaching them to links. |
|
datapath/loader/tools
command
|
|
|
datapath/maps
Package maps performs various lifecycle operations related to maps in the datapath.
|
Package maps performs various lifecycle operations related to maps in the datapath. |
|
datapath/prefilter
Package prefilter provides a means of configuring XDP pre-filters for DDoS-mitigation.
|
Package prefilter provides a means of configuring XDP pre-filters for DDoS-mitigation. |
|
ebpf
Package ebpf provides functions that allow golang programs to interact with ebpf maps by wrapping the cilium/ebpf library.
|
Package ebpf provides functions that allow golang programs to interact with ebpf maps by wrapping the cilium/ebpf library. |
|
egressgateway
Package egressgateway defines an internal representation of the Cilium Egress Policy.
|
Package egressgateway defines an internal representation of the Cilium Egress Policy. |
|
endpointmanager
Package endpointmanager manages the list of all local endpoints
|
Package endpointmanager manages the list of all local endpoints |
|
envoy/xds
Package xds is an implementation of Envoy's xDS (Discovery Service) protocol.
|
Package xds is an implementation of Envoy's xDS (Discovery Service) protocol. |
|
eventqueue
Package eventqueue implements a queue-based system for event processing in a generic fashion in a first-in, first-out manner.
|
Package eventqueue implements a queue-based system for event processing in a generic fashion in a first-in, first-out manner. |
|
fqdn
Package fqdn handles some of the DNS-based policy functions:
|
Package fqdn handles some of the DNS-based policy functions: |
|
fqdn/re
Package re provides a simple function to access compile regex objects for the FQDN subsystem.
|
Package re provides a simple function to access compile regex objects for the FQDN subsystem. |
|
fqdn/restore
The restore package provides data structures important to restoring DNS proxy rules.
|
The restore package provides data structures important to restoring DNS proxy rules. |
|
identity
Package identity contains code for managing security identities in Cilium.
|
Package identity contains code for managing security identities in Cilium. |
|
identity/identitymanager
Package identitymanager tracks which global identities are being used by the currently running cilium-agent
|
Package identitymanager tracks which global identities are being used by the currently running cilium-agent |
|
ip
Package ip is a library for performing manipulations on IPv4 and IPv6 addresses and CIDR prefixes.
|
Package ip is a library for performing manipulations on IPv4 and IPv6 addresses and CIDR prefixes. |
|
ipam
Package ipam handles address allocation management
|
Package ipam handles address allocation management |
|
ipam/types
+groupName=ipam
|
+groupName=ipam |
|
ipcache
Package ipcache provides a local cache of the mapping of IPs of endpoints managed by Cilium to their corresponding security identities.
|
Package ipcache provides a local cache of the mapping of IPs of endpoints managed by Cilium to their corresponding security identities. |
|
k8s
Package k8s contains all k8s related logic.
|
Package k8s contains all k8s related logic. |
|
k8s/apis/cilium.io/v2
Package v2 is the v2 version of the API.
|
Package v2 is the v2 version of the API. |
|
k8s/apis/cilium.io/v2alpha1
Package v2alpha1 is the v2alpha1 version of the API.
|
Package v2alpha1 is the v2alpha1 version of the API. |
|
k8s/client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
k8s/client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
k8s/client/clientset/versioned/typed/cilium.io/v2
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
k8s/client/clientset/versioned/typed/cilium.io/v2/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
k8s/client/clientset/versioned/typed/cilium.io/v2alpha1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
k8s/resource/example
command
|
|
|
k8s/slim/k8s/api/core/v1
Package v1 is the v1 version of the core API.
|
Package v1 is the v1 version of the core API. |
|
k8s/slim/k8s/api/discovery/v1
Package v1 contains slimmer versions of k8s discovery types.
|
Package v1 contains slimmer versions of k8s discovery types. |
|
k8s/slim/k8s/api/networking/v1
Package v1 contains slimmer versions of k8s networking types.
|
Package v1 contains slimmer versions of k8s networking types. |
|
k8s/slim/k8s/apiextensions-client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
k8s/slim/k8s/apiextensions-client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
k8s/slim/k8s/apiextensions-client/clientset/versioned/typed/apiextensions/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
k8s/slim/k8s/apiextensions-client/clientset/versioned/typed/apiextensions/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
k8s/slim/k8s/apis/apiextensions/v1
Package v1 is the v1 version of the API.
|
Package v1 is the v1 version of the API. |
|
k8s/slim/k8s/apis/labels
Package labels implements a simple label system, parsing and matching selectors with sets of labels.
|
Package labels implements a simple label system, parsing and matching selectors with sets of labels. |
|
k8s/slim/k8s/apis/meta/v1
Package v1 contains API types that are common to all versions.
|
Package v1 contains API types that are common to all versions. |
|
k8s/slim/k8s/apis/meta/v1beta1
package v1beta1 is alpha objects from meta that will be introduced.
|
package v1beta1 is alpha objects from meta that will be introduced. |
|
k8s/slim/k8s/apis/util/intstr
Package types contains slimmer versions of k8s types.
|
Package types contains slimmer versions of k8s types. |
|
k8s/slim/k8s/client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
k8s/slim/k8s/client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
k8s/slim/k8s/client/clientset/versioned/typed/core/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
k8s/slim/k8s/client/clientset/versioned/typed/core/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
k8s/slim/k8s/client/clientset/versioned/typed/discovery/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
k8s/slim/k8s/client/clientset/versioned/typed/discovery/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
k8s/slim/k8s/client/clientset/versioned/typed/networking/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
k8s/slim/k8s/client/clientset/versioned/typed/networking/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
k8s/synced
Package synced provides tools for tracking if k8s resources have been initially sychronized with the k8s apiserver.
|
Package synced provides tools for tracking if k8s resources have been initially sychronized with the k8s apiserver. |
|
k8s/types
Package types contains slimmer versions of k8s types.
|
Package types contains slimmer versions of k8s types. |
|
k8s/version
Package version keeps track of the Kubernetes version the client is connected to
|
Package version keeps track of the Kubernetes version the client is connected to |
|
k8s/watchers/resources
This package contains exported resource identifiers and metric resource labels related to K8s watchers.
|
This package contains exported resource identifiers and metric resource labels related to K8s watchers. |
|
k8s/watchers/subscriber
Package subscriber implements a mechanism to represent K8s watcher subscribers and allows K8s events to objects / resources to notify their respective subscribers.
|
Package subscriber implements a mechanism to represent K8s watcher subscribers and allows K8s events to objects / resources to notify their respective subscribers. |
|
kvstore
Package kvstore abstracts KVstore access and provides a high level API to atomically manage cluster wide resources
|
Package kvstore abstracts KVstore access and provides a high level API to atomically manage cluster wide resources |
|
kvstore/allocator
Package allocator provides a kvstore based ID allocator
|
Package allocator provides a kvstore based ID allocator |
|
kvstore/store
Package store implements a shared store backed by a kvstore or similar with the following properties:
|
Package store implements a shared store backed by a kvstore or similar with the following properties: |
|
labels
Package api defines the API of the Cilium network policy interface
|
Package api defines the API of the Cilium network policy interface |
|
loadbalancer
Package loadbalancer contains load-balancing types and tables
|
Package loadbalancer contains load-balancing types and tables |
|
loadbalancer/benchmark/cmd
command
|
|
|
loadbalancer/reconciler
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
loadbalancer/repl
command
|
|
|
loadinfo
Package loadinfo provides the ability to log system load information either at a particular time or periodically in the background
|
Package loadinfo provides the ability to log system load information either at a particular time or periodically in the background |
|
lock/lockfile
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
logging/logfields
Package logfields defines common logging fields which are used across packages
|
Package logfields defines common logging fields which are used across packages |
|
maps/authmap
Package auth represents the BPF map used to keep track of authentication state between security identities.
|
Package auth represents the BPF map used to keep track of authentication state between security identities. |
|
maps/bwmap
Package bwmap represents the BPF map used to enforce Pod bandwidth limitations via EDT (Earliest Departure Time) + BPF.
|
Package bwmap represents the BPF map used to enforce Pod bandwidth limitations via EDT (Earliest Departure Time) + BPF. |
|
maps/callsmap
Package callsmap represents the internal calls map for endpoint and host datapaths.
|
Package callsmap represents the internal calls map for endpoint and host datapaths. |
|
maps/configmap
Package config stores runtime configuration state for the Cilium datapath.
|
Package config stores runtime configuration state for the Cilium datapath. |
|
maps/ctmap
+groupName=maps
|
+groupName=maps |
|
maps/egressmap
+groupName=maps
|
+groupName=maps |
|
maps/encrypt
Package encrypt represents the nodes current encryption state.
|
Package encrypt represents the nodes current encryption state. |
|
maps/eventsmap
Package eventsmap represents the perf event map used by the datapath to send events to the Cilium agent.
|
Package eventsmap represents the perf event map used by the datapath to send events to the Cilium agent. |
|
maps/fragmap
Package fragmap represents the BPF map used to associate datagram fragments to the L4 ports of the datagram they belong to, in order to retrieve the full 5-tuple necessary to do L4-based lookups.
|
Package fragmap represents the BPF map used to associate datagram fragments to the L4 ports of the datagram they belong to, in order to retrieve the full 5-tuple necessary to do L4-based lookups. |
|
maps/ipcache
+groupName=maps
|
+groupName=maps |
|
maps/lxcmap
Package lxcmap represents the endpoints BPF map in the BPF programs.
|
Package lxcmap represents the endpoints BPF map in the BPF programs. |
|
maps/metricsmap
Package metricsmap represents the BPF metrics map in the BPF programs.
|
Package metricsmap represents the BPF metrics map in the BPF programs. |
|
maps/multicast
+groupName=maps
|
+groupName=maps |
|
maps/nat
Package nat implements the BPF NAT map interaction code.
|
Package nat implements the BPF NAT map interaction code. |
|
maps/neighborsmap
Package neighborsmap represents the map that stores IP to mac address mappings for NodePort clients.
|
Package neighborsmap represents the map that stores IP to mac address mappings for NodePort clients. |
|
maps/nodemap
+groupName=maps
|
+groupName=maps |
|
maps/policymap
+groupName=maps
|
+groupName=maps |
|
maps/ratelimitmap
Package ratelimitmap represents the BPF ratelimit maps in the BPF programs.
|
Package ratelimitmap represents the BPF ratelimit maps in the BPF programs. |
|
maps/signalmap
Package signalmap represents the perf event map used to signal potential congestion to Cilium agent.
|
Package signalmap represents the perf event map used to signal potential congestion to Cilium agent. |
|
maps/srv6map
+groupName=maps
|
+groupName=maps |
|
maps/vtep
+groupName=maps
|
+groupName=maps |
|
mcastmanager
Package mcastmanager manages endpoint's IPv6 addresses and join the node solicitation multicast addresses
|
Package mcastmanager manages endpoint's IPv6 addresses and join the node solicitation multicast addresses |
|
metrics
Package metrics holds prometheus metrics objects and related utility functions.
|
Package metrics holds prometheus metrics objects and related utility functions. |
|
monitor/format
Package format provides stdout formatting of monitor messages for reuse by command-line clients of the monitor event channel.
|
Package format provides stdout formatting of monitor messages for reuse by command-line clients of the monitor event channel. |
|
mtu
Package mtu is a library for tracking and configuring MTU for devices and routes.
|
Package mtu is a library for tracking and configuring MTU for devices and routes. |
|
multicast
Package multicast contains various utility functions to work with IPv6 multicast
|
Package multicast contains various utility functions to work with IPv6 multicast |
|
netns
Package netns contains various utility functions to work with network namespaces
|
Package netns contains various utility functions to work with network namespaces |
|
node
Package node provides functionality related to the local and remote node addresses
|
Package node provides functionality related to the local and remote node addresses |
|
option/resolver
Package resolver provides the logic for merging in the various sources of configuration, overrides, and drop-ins.
|
Package resolver provides the logic for merging in the various sources of configuration, overrides, and drop-ins. |
|
policy/api
Package api defines the API of the Cilium network policy interface +groupName=policy
|
Package api defines the API of the Cilium network policy interface +groupName=policy |
|
policy/trafficdirection
package trafficdirection specifies the directionality of policy in a numeric representation.
|
package trafficdirection specifies the directionality of policy in a numeric representation. |
|
pprof
Package pprof enables use of pprof in Cilium
|
Package pprof enables use of pprof in Cilium |
|
proxy/accesslog
Package logger provides the accesslog logging logic for all proxies
|
Package logger provides the accesslog logging logic for all proxies |
|
rate
Package rate provides a rate limiter to rate limit requests that can be burstable but they should only allowed N per a period defined.
|
Package rate provides a rate limiter to rate limit requests that can be burstable but they should only allowed N per a period defined. |
|
safetime
Package safetime contains a wrapper function for time.Since to deal with negative durations.
|
Package safetime contains a wrapper function for time.Since to deal with negative durations. |
|
signal
Package signal provides handling notifications from perf RB signal map.
|
Package signal provides handling notifications from perf RB signal map. |
|
slices
Package slices contains common utilities to work on slices of any type.
|
Package slices contains common utilities to work on slices of any type. |
|
spanstat
Package spanstat provides a mechanism to measure duration of multiple spans and add them up to a total duration
|
Package spanstat provides a mechanism to measure duration of multiple spans and add them up to a total duration |
|
time
package time is a wrapper for the stdlib time library that aliases most underlying types, but allows overrides for testing purposes.
|
package time is a wrapper for the stdlib time library that aliases most underlying types, but allows overrides for testing purposes. |
|
trigger
Package trigger provides a mechanism to trigger actions that require to be serialized while providing a non-blocking notification mechanism
|
Package trigger provides a mechanism to trigger actions that require to be serialized while providing a non-blocking notification mechanism |
|
tuple
Package tuple defines keys used for connection tuples in multiple BPF maps.
|
Package tuple defines keys used for connection tuples in multiple BPF maps. |
|
util
Package util provides miscellaneous helper functions.
|
Package util provides miscellaneous helper functions. |
|
versioncheck
Package versioncheck provides utility wrappers for go-version, allowing the constraints to be used as global variables.
|
Package versioncheck provides utility wrappers for go-version, allowing the constraints to be used as global variables. |
|
wireguard/agent
This package contains the agent code used to configure the WireGuard tunnel between nodes.
|
This package contains the agent code used to configure the WireGuard tunnel between nodes. |
|
wireguard/types
Common WireGuard types and constants
|
Common WireGuard types and constants |
|
xds/experimental/client
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
plugins
|
|
|
cilium-cni
command
|
|
|
cilium-docker
command
|
|
|
test
|
|
|
tools
|
|
|
alignchecker
command
|
|
|
api-flaggen
command
|
|
|
complexity-diff
command
|
|
|
crdcheck
command
|
|
|
crdlistgen
command
|
|
|
dev-doctor
command
Command doctor checks the development setup for common problems.
|
Command doctor checks the development setup for common problems. |
|
dpgen
command
|
|
|
feature-helm-generator
command
|
|
|
legacyhguardcheck
command
|
|
|
licensecheck
command
|
|
|
licensegen
command
|
|
|
metricslint
command
|
|
|
metricslint/pkg/analyzer
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium
|
SPDX-License-Identifier: Apache-2.0 Copyright Authors of Cilium |
|
mount
command
|
|
|
slogloggercheck
command
|
|
|
spdxconv
command
|
|
|
sysctlfix
command
|
|
|
testowners
command
|
|
Click to show internal directories.
Click to hide internal directories.