The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.
The module lifecycle stage: General Availability
EgressGatewayPolicy
Scope: Cluster
Version: v1alpha1
Interface for configuring policies to redirect application traffic to specific egress gateways described through the EgressGateway interface.
- spec (object)
Required value
- spec.destinationCIDRs (array of strings)
Available in editions: SE+, EE
Network requests towards these subnets will be routed through the egress gateway.
- spec.egressGatewayName (string)
Required value
Available in editions: SE+, EE
The name of the EgressGateway resource that describes the egress gateway for handling traffic.
- spec.excludedCIDRs (array of strings)
Available in editions: SE+, EE
Network ranges that must be excluded from the ranges described in destinationCIDRs. Note that you do not need to exclude the special cluster ranges (podSubnetCIDR and serviceSubnetCIDR).
- spec.selectors (array of objects)
Available in editions: SE+, EE
Application Pod selectors. Their traffic will be routed through the appropriate egress gateway. To designate a namespace, use the io.kubernetes.pod.namespace pseudo-label.
- spec.selectors.podSelector (object)
Required value
Available in editions: SE+, EE
A label selector is a label query over a set of resources. The results of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
- spec.selectors.podSelector.matchExpressions (array of objects)
Available in editions: SE+, EE
matchExpressions is a list of label selector requirements. The requirements are ANDed.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- spec.selectors.podSelector.matchExpressions.key (string)
Required value
Available in editions: SE+, EE
key is the label key that the selector applies to.
- spec.selectors.podSelector.matchExpressions.operator (string)
Required value
Available in editions: SE+, EE
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- spec.selectors.podSelector.matchExpressions.values (array of strings)
Available in editions: SE+, EE
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- spec.selectors.podSelector.matchLabels (object)
Available in editions: SE+, EE
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions whose key field is "key", whose operator is "In", and whose values array contains only "value". The requirements are ANDed.
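To make the selector and CIDR rules above concrete, here is an added Python example (not part of the Deckhouse documentation or code base) that evaluates a constructed EgressGatewayPolicy spec against a Pod's namespace, labels and destination address. The policy values are mine, as is the assumption that a policy with no selectors selects no Pods.

```python
import ipaddress

# Constructed EgressGatewayPolicy spec with hypothetical values (not from the page).
POLICY = {
    "egressGatewayName": "egw-main",
    "destinationCIDRs": ["0.0.0.0/0"],
    # The cluster's own pod/service ranges need no exclusion; these model other private nets.
    "excludedCIDRs": ["10.0.0.0/8", "192.168.0.0/16"],
    "selectors": [
        {"podSelector": {
            "matchLabels": {"io.kubernetes.pod.namespace": "billing"},
            "matchExpressions": [
                {"key": "tier", "operator": "In", "values": ["backend", "worker"]},
                {"key": "egress-bypass", "operator": "DoesNotExist"},
            ],
        }},
    ],
}


def requirement_matches(labels, req):
    """One matchExpressions entry, with the In/NotIn/Exists/DoesNotExist rules from the CRD."""
    key, op, values = req["key"], req["operator"], req.get("values") or []
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"{op} requires a non-empty values array")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"{op} requires an empty values array")
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def pod_selector_matches(selector, labels):
    """Empty selector matches everything, null selector matches nothing; all terms are ANDed."""
    if selector is None:
        return False
    # Each matchLabels pair is equivalent to an In requirement with a single value.
    reqs = [{"key": k, "operator": "In", "values": [v]}
            for k, v in (selector.get("matchLabels") or {}).items()]
    reqs += selector.get("matchExpressions") or []
    return all(requirement_matches(labels, r) for r in reqs)


def destination_selected(policy, dst_ip):
    """True when dst_ip falls inside destinationCIDRs and inside none of excludedCIDRs."""
    ip = ipaddress.ip_address(dst_ip)

    def in_any(cidrs):
        return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

    return in_any(policy["destinationCIDRs"]) and not in_any(policy.get("excludedCIDRs") or [])


def egress_gateway_for(policy, namespace, pod_labels, dst_ip):
    """Name of the EgressGateway this policy routes the Pod's traffic through, or None."""
    labels = dict(pod_labels)
    # The namespace is visible to selectors only through this pseudo-label.
    labels["io.kubernetes.pod.namespace"] = namespace
    selectors = policy.get("selectors") or []
    # Assumption: a policy without selectors selects no Pods.
    if not any(pod_selector_matches(s.get("podSelector"), labels) for s in selectors):
        return None
    return policy["egressGatewayName"] if destination_selected(policy, dst_ip) else None


if __name__ == "__main__":
    print(egress_gateway_for(POLICY, "billing", {"tier": "backend"}, "203.0.113.10"))  # egw-main
    print(egress_gateway_for(POLICY, "billing", {"tier": "backend"}, "10.1.2.3"))      # None
```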
EgressGateway
Scope: Cluster
Version: v1alpha1
Interface for configuring a fault-tolerant egress gateway based on a group of nodes.
The configured egress gateways can be referenced from the EgressGatewayPolicy interface to configure an egress gateway for application Pods.
- spec (object)
- spec.nodeSelector (object)
Available in editions: SE+, EE
The selector for a group of nodes that will forward network requests to external services. Among these nodes, eligible nodes are detected and one of them is assigned as the active one. An eligible node meets all of the following:
- The node is in the Ready state.
- The node is not cordoned.
- The cilium-agent on the node is in the Ready state.
Different EgressGateways can share nodes; the active node is selected independently for each EgressGateway, which distributes the load between them.
- spec.sourceIP (object)
- spec.sourceIP.mode (string)
Required value
Available in editions: SE+, EE
The method for determining the source IP address assigned to requests through this gateway.
Possible options:
- PrimaryIPFromEgressGatewayNodeInterface (basic mode): the primary IP address on the public network interface of the node is used as the source IP address. Particularities:
  - When the active node goes down and a new node is assigned, the outgoing IP address will change.
  - The network subsystem on all egress nodes must be configured in advance:
    - the public interfaces must have the same name (eth1, for example),
    - all necessary routes for access to all external public services must be configured.
- VirtualIPAddress (Virtual IP mode): the outgoing IP address is specified explicitly. Particularities:
  - If the active node goes down, the outgoing IP address will not change.
  - The network subsystem on all egress nodes must be configured in advance:
    - all necessary routes for access to all external public services must be configured,
    - the public interface must be prepared to automatically configure a virtual IP as a secondary IP address (when an egress node is designated as active, the address does not appear in the IP list on the public interface; instead, the node emulates it with ARP responses).
Allowed values:
VirtualIPAddress, PrimaryIPFromEgressGatewayNodeInterface
- spec.sourceIP.primaryIPFromEgressGatewayNodeInterface (object)
Used for basic mode (if mode: PrimaryIPFromEgressGatewayNodeInterface).
- spec.sourceIP.primaryIPFromEgressGatewayNodeInterface.interfaceName (string)
Available in editions: SE+, EE
The interface name on the egress nodes through which external requests are processed.
- spec.sourceIP.virtualIPAddress (object)
Used for Virtual IP mode (if mode: VirtualIPAddress).
- spec.sourceIP.virtualIPAddress.interfaces (array of strings)
Available in editions: SE+, EE
The list of network interfaces on which the virtual IP will be simulated.
Default:
[]
- spec.sourceIP.virtualIPAddress.ip (string)
Available in editions: SE+, EE
The virtual source IP address to be assigned to outgoing requests through the egress gateway.
HubbleMonitoringConfig
Scope: Cluster
Version: v1alpha1
- spec (object)
Required value
- spec.extendedMetrics (object)
Configuration for exporting extended metrics from Cilium agents.
Extended metrics provide deeper insight into cluster network behavior.
Warning. Changing this parameter will trigger a restart of the Cilium agents.
For more details, see the Cilium documentation.
Example:
extendedMetrics:
  enabled: true
  collectors:
    - name: drop
      contextOptions: labelsContext=source_ip,source_namespace,source_pod,destination_ip,destination_namespace,destination_pod
    - name: flow
- spec.extendedMetrics.collectors (array of objects)
List of Hubble extended metrics to export.
Each collector represents a specific metric type.
For more details, see the Cilium documentation.
Example:
collectors:
  - name: drop
    contextOptions: labelsContext=source_ip,source_namespace,source_pod,destination_ip,destination_namespace,destination_pod
  - name: flow
- spec.extendedMetrics.collectors.contextOptions (string)
Optional context options for Hubble metrics.
Defines which parameters are used to break down the metrics produced by a collector. If you do not specify contextOptions, the collector returns the default set of metrics aggregated overall, without breakdown by individual parameters. For example, for the drop collector, an empty contextOptions returns overall drop statistics without distinguishing the exact source and destination. When you set contextOptions, metric values are grouped by the selected dimensions, for example by source and destination Pods, namespaces, and labels.
Warning. A large number of labels on metrics can lead to Prometheus performance degradation.
For more information about supported options, see the Cilium documentation.
- spec.extendedMetrics.collectors.name (string)
Name of the extended metric to export.
Allowed values:
dns, drop, flow, flows-to-world, http, httpV2, icmp, kafka, tcp
- spec.extendedMetrics.enabled (boolean)
Enables the export of extended metrics from Cilium agents.
Default:
false
- spec.flowLogs (object)
Configuration for exporting event logs from Cilium agents.
Event logs provide detailed visibility into Cilium's network events.
Warning. Changing this parameter will trigger a restart of the Cilium agents.
For more details, see the Cilium documentation.
Example:
flowLogs:
  enabled: true
  allowFilterList:
    - verdict:
        - DROPPED
        - ERROR
  denyFilterList:
    - source_pod:
        - kube-system/
    - destination_pod:
        - kube-system/
  fieldMaskList:
    - time
    - source.namespace
    - verdict
  fileMaxSizeMB: 50
- spec.flowLogs.allowFilterList (array of objects)
Defines filters that control which events are exported for logging. Only events that match at least one of the specified filter objects will be exported. If no filters are specified, all events are allowed.
Logical semantics:
- Within a single filter object, all specified fields are combined using AND.
- Across filter objects in the array, filters are combined using OR.
For more details, see the Cilium documentation.
- spec.flowLogs.allowFilterList.destination_cluster_name (array of strings)
Destination cluster names.
- spec.flowLogs.allowFilterList.destination_fqdn (array of strings)
Destination fully qualified domain names (FQDN).
- Element of the array (string)
Maximum length:
255
- spec.flowLogs.allowFilterList.destination_identity (array of integers)
Destination security identity.
- Element of the array (integer)
Allowed values:
0 <= X <= 4294967295
- spec.flowLogs.allowFilterList.destination_ip (array of strings)
Destination IP or CIDR.
- spec.flowLogs.allowFilterList.destination_label (array of strings)
Destination label selectors.
For more information, please see the Cilium documentation.
Examples:
destination_label: k8s:role=frontend
destination_label: reserved:kube-apiserver
- spec.flowLogs.allowFilterList.destination_pod (array of strings)
Destination Pod name prefixes in the form NamespacedName (namespace/pod).
Examples:
destination_pod: kube-system/d8-kube-dns-7bc4648cb4-94tps
destination_pod: kube-system/
destination_pod: "/d8-kube-dns-7bc4648cb4-94tps"
- spec.flowLogs.allowFilterList.destination_port (array of strings)
L4 destination port.
- Element of the array (string)
Pattern:
^(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})$
- spec.flowLogs.allowFilterList.destination_service (array of strings)
Destination service name prefixes in the form NamespacedName (namespace/service).
Examples:
destination_service: kube-system/kube-dns
destination_service: kube-system/
destination_service: "/kube-dns"
- spec.flowLogs.allowFilterList.destination_workload (array of objects)
Destination workloads.
- spec.flowLogs.allowFilterList.destination_workload.kind (string)
Workload kind.
- spec.flowLogs.allowFilterList.destination_workload.name (string)
Workload name.
- spec.flowLogs.allowFilterList.dns_query (array of strings)
DNS query regex patterns.
- spec.flowLogs.allowFilterList.drop_reason_desc (array of strings)
Drop reason (only for the DROPPED verdict).
- Element of the array (string)
Allowed values:
DROP_REASON_UNKNOWN,INVALID_SOURCE_MAC,INVALID_DESTINATION_MAC,INVALID_SOURCE_IP,POLICY_DENIED,INVALID_PACKET_DROPPED,CT_TRUNCATED_OR_INVALID_HEADER,CT_MISSING_TCP_ACK_FLAG,CT_UNKNOWN_L4_PROTOCOL,CT_CANNOT_CREATE_ENTRY_FROM_PACKET,UNSUPPORTED_L3_PROTOCOL,MISSED_TAIL_CALL,ERROR_WRITING_TO_PACKET,UNKNOWN_L4_PROTOCOL,UNKNOWN_ICMPV4_CODE,UNKNOWN_ICMPV4_TYPE,UNKNOWN_ICMPV6_CODE,UNKNOWN_ICMPV6_TYPE,ERROR_RETRIEVING_TUNNEL_KEY,ERROR_RETRIEVING_TUNNEL_OPTIONS,INVALID_GENEVE_OPTION,UNKNOWN_L3_TARGET_ADDRESS,STALE_OR_UNROUTABLE_IP,NO_MATCHING_LOCAL_CONTAINER_FOUND,ERROR_WHILE_CORRECTING_L3_CHECKSUM,ERROR_WHILE_CORRECTING_L4_CHECKSUM,CT_MAP_INSERTION_FAILED,INVALID_IPV6_EXTENSION_HEADER,IP_FRAGMENTATION_NOT_SUPPORTED,SERVICE_BACKEND_NOT_FOUND,NO_TUNNEL_OR_ENCAPSULATION_ENDPOINT,FAILED_TO_INSERT_INTO_PROXYMAP,REACHED_EDT_RATE_LIMITING_DROP_HORIZON,UNKNOWN_CONNECTION_TRACKING_STATE,LOCAL_HOST_IS_UNREACHABLE,NO_CONFIGURATION_AVAILABLE_TO_PERFORM_POLICY_DECISION,UNSUPPORTED_L2_PROTOCOL,NO_MAPPING_FOR_NAT_MASQUERADE,UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE,FIB_LOOKUP_FAILED,ENCAPSULATION_TRAFFIC_IS_PROHIBITED,INVALID_IDENTITY,UNKNOWN_SENDER,NAT_NOT_NEEDED,IS_A_CLUSTERIP,FIRST_LOGICAL_DATAGRAM_FRAGMENT_NOT_FOUND,FORBIDDEN_ICMPV6_MESSAGE,DENIED_BY_LB_SRC_RANGE_CHECK,SOCKET_LOOKUP_FAILED,SOCKET_ASSIGN_FAILED,PROXY_REDIRECTION_NOT_SUPPORTED_FOR_PROTOCOL,POLICY_DENY,VLAN_FILTERED,INVALID_VNI,INVALID_TC_BUFFER,NO_SID,MISSING_SRV6_STATE,NAT46,NAT64,AUTH_REQUIRED,CT_NO_MAP_FOUND,SNAT_NO_MAP_FOUND,INVALID_CLUSTER_ID,UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP,NO_EGRESS_GATEWAY,UNENCRYPTED_TRAFFIC,TTL_EXCEEDED,NO_NODE_ID,DROP_RATE_LIMITED,IGMP_HANDLED,IGMP_SUBSCRIBED,MULTICAST_HANDLED,DROP_HOST_NOT_READY,DROP_EP_NOT_READY,DROP_NO_EGRESS_IP
- spec.flowLogs.allowFilterList.event_type (array of objects)
Event types to filter on.
- spec.flowLogs.allowFilterList.event_type.match_sub_type (boolean)
Whether to match on sub_type.
- spec.flowLogs.allowFilterList.event_type.sub_type (integer)
Secondary event type.
- spec.flowLogs.allowFilterList.event_type.type (integer)
Primary event type.
- spec.flowLogs.allowFilterList.http_header (array of objects)
HTTP headers to match.
- spec.flowLogs.allowFilterList.http_header.key (string)
Header key.
- spec.flowLogs.allowFilterList.http_header.value (string)
Header value.
- spec.flowLogs.allowFilterList.http_method (array of strings)
HTTP methods.
- Element of the array (string)
Allowed values:
GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
- spec.flowLogs.allowFilterList.http_path (array of strings)
Regex list to match the HTTP path.
- spec.flowLogs.allowFilterList.http_status_code (array of strings)
HTTP status code prefixes.
- Element of the array (string)
Pattern:
^(?:[1-5]\+|[1-5][0-9]\+|[1-5][0-9]{2})$
- spec.flowLogs.allowFilterList.http_url (array of strings)
Regex list to match the HTTP URL.
- spec.flowLogs.allowFilterList.interface (array of objects)
Network interface where the flow was observed.
- spec.flowLogs.allowFilterList.interface.index (integer)
Interface index.
Allowed values:
0 <= X
- spec.flowLogs.allowFilterList.interface.name (string)
Interface name.
- spec.flowLogs.allowFilterList.ip_version (array of strings)
IP version.
- Element of the array (string)
Allowed values:
IP_NOT_USED, IPv4, IPv6
- spec.flowLogs.allowFilterList.node_labels (array of strings)
Node label selectors.
Examples:
node_labels: node-role.kubernetes.io/control-plane=
node_labels: topology.kubernetes.io/ru-central1-a
- spec.flowLogs.allowFilterList.node_name (array of strings)
Node name patterns.
- spec.flowLogs.allowFilterList.protocol (array of strings)
L4 or L7 protocol.
- spec.flowLogs.allowFilterList.source_cluster_name (array of strings)
Source cluster names.
- spec.flowLogs.allowFilterList.source_fqdn (array of strings)
Source fully qualified domain names (FQDN).
- Element of the array (string)
Maximum length:
255
- spec.flowLogs.allowFilterList.source_identity (array of integers)
Source security identity.
- Element of the array (integer)
Allowed values:
0 <= X <= 4294967295
- spec.flowLogs.allowFilterList.source_ip (array of strings)
Source IP or CIDR.
- spec.flowLogs.allowFilterList.source_ip_xlated (array of strings)
Post-translation (SNAT) source IP or CIDR.
- spec.flowLogs.allowFilterList.source_label (array of strings)
Source label selectors.
For more information, please see the Cilium documentation.
Examples:
source_label: k8s:role=frontend
source_label: reserved:kube-apiserver
- spec.flowLogs.allowFilterList.source_pod (array of strings)
Source Pod name prefixes in the form NamespacedName (namespace/pod).
Examples:
source_pod: kube-system/d8-kube-dns-7bc4648cb4-94tps
source_pod: kube-system/
source_pod: "/d8-kube-dns-7bc4648cb4-94tps"
- spec.flowLogs.allowFilterList.source_port (array of strings)
L4 source port.
- Element of the array (string)
Pattern:
^(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})$
- spec.flowLogs.allowFilterList.source_service (array of strings)
Source service name prefixes in the form NamespacedName (namespace/service).
Examples:
source_service: kube-system/kube-dns
source_service: kube-system/
source_service: "/kube-dns"
- spec.flowLogs.allowFilterList.source_workload (array of objects)
Source workloads.
- spec.flowLogs.allowFilterList.source_workload.kind (string)
Workload kind.
- spec.flowLogs.allowFilterList.source_workload.name (string)
Workload name.
- spec.flowLogs.allowFilterList.tcp_flags (array of objects)
TCP flags to match.
- spec.flowLogs.allowFilterList.tcp_flags.ACK (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.CWR (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.ECE (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.FIN (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.NS (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.PSH (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.RST (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.SYN (boolean)
- spec.flowLogs.allowFilterList.tcp_flags.URG (boolean)
- spec.flowLogs.allowFilterList.trace_id (array of strings)
Trace ID.
- spec.flowLogs.allowFilterList.traffic_direction (array of strings)
Traffic direction.
- Element of the array (string)
Allowed values:
TRAFFIC_DIRECTION_UNKNOWN, INGRESS, EGRESS
- spec.flowLogs.allowFilterList.uuid (array of strings)
Filters by flow UUIDs.
- spec.flowLogs.allowFilterList.verdict (array of strings)
Match by verdict.
- Element of the array (string)
Allowed values:
VERDICT_UNKNOWN, FORWARDED, DROPPED, ERROR, AUDIT, REDIRECTED, TRACED, TRANSLATED
- spec.flowLogs.denyFilterList (array of objects)
Defines filters that control which events are explicitly excluded from logging. Any event that matches at least one of the specified filter objects will not be exported. If no filters are specified, no events are denied. This lets you refine the set of logged events by excluding certain types.
Logical semantics:
- Within a single filter object, all specified fields are combined using AND.
- Across filter objects in the array, filters are combined using OR.
For more details, see the Cilium documentation.
- spec.flowLogs.denyFilterList.destination_cluster_name (array of strings)
Destination cluster names.
- spec.flowLogs.denyFilterList.destination_fqdn (array of strings)
Destination fully qualified domain names (FQDN).
- Element of the array (string)
Maximum length:
255
- spec.flowLogs.denyFilterList.destination_identity (array of integers)
Destination security identity.
- Element of the array (integer)
Allowed values:
0 <= X <= 4294967295
- spec.flowLogs.denyFilterList.destination_ip (array of strings)
Destination IP or CIDR.
- spec.flowLogs.denyFilterList.destination_label (array of strings)
Destination label selectors.
For more information, please see the Cilium documentation.
Examples:
destination_label: k8s:role=frontend
destination_label: reserved:kube-apiserver
- spec.flowLogs.denyFilterList.destination_pod (array of strings)
Destination Pod name prefixes in the form NamespacedName (namespace/pod).
Examples:
destination_pod: kube-system/d8-kube-dns-7bc4648cb4-94tps
destination_pod: kube-system/
destination_pod: "/d8-kube-dns-7bc4648cb4-94tps"
- spec.flowLogs.denyFilterList.destination_port (array of strings)
L4 destination port.
- Element of the array (string)
Pattern:
^(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})$
- spec.flowLogs.denyFilterList.destination_service (array of strings)
Destination service name prefixes in the form NamespacedName (namespace/service).
Examples:
destination_service: kube-system/kube-dns
destination_service: kube-system/
destination_service: "/kube-dns"
- spec.flowLogs.denyFilterList.destination_workload (array of objects)
Destination workloads.
- spec.flowLogs.denyFilterList.destination_workload.kind (string)
Workload kind.
- spec.flowLogs.denyFilterList.destination_workload.name (string)
Workload name.
- spec.flowLogs.denyFilterList.dns_query (array of strings)
DNS query regex patterns.
- spec.flowLogs.denyFilterList.drop_reason_desc (array of strings)
Drop reason (only for the DROPPED verdict).
- Element of the array (string)
Allowed values:
DROP_REASON_UNKNOWN,INVALID_SOURCE_MAC,INVALID_DESTINATION_MAC,INVALID_SOURCE_IP,POLICY_DENIED,INVALID_PACKET_DROPPED,CT_TRUNCATED_OR_INVALID_HEADER,CT_MISSING_TCP_ACK_FLAG,CT_UNKNOWN_L4_PROTOCOL,CT_CANNOT_CREATE_ENTRY_FROM_PACKET,UNSUPPORTED_L3_PROTOCOL,MISSED_TAIL_CALL,ERROR_WRITING_TO_PACKET,UNKNOWN_L4_PROTOCOL,UNKNOWN_ICMPV4_CODE,UNKNOWN_ICMPV4_TYPE,UNKNOWN_ICMPV6_CODE,UNKNOWN_ICMPV6_TYPE,ERROR_RETRIEVING_TUNNEL_KEY,ERROR_RETRIEVING_TUNNEL_OPTIONS,INVALID_GENEVE_OPTION,UNKNOWN_L3_TARGET_ADDRESS,STALE_OR_UNROUTABLE_IP,NO_MATCHING_LOCAL_CONTAINER_FOUND,ERROR_WHILE_CORRECTING_L3_CHECKSUM,ERROR_WHILE_CORRECTING_L4_CHECKSUM,CT_MAP_INSERTION_FAILED,INVALID_IPV6_EXTENSION_HEADER,IP_FRAGMENTATION_NOT_SUPPORTED,SERVICE_BACKEND_NOT_FOUND,NO_TUNNEL_OR_ENCAPSULATION_ENDPOINT,FAILED_TO_INSERT_INTO_PROXYMAP,REACHED_EDT_RATE_LIMITING_DROP_HORIZON,UNKNOWN_CONNECTION_TRACKING_STATE,LOCAL_HOST_IS_UNREACHABLE,NO_CONFIGURATION_AVAILABLE_TO_PERFORM_POLICY_DECISION,UNSUPPORTED_L2_PROTOCOL,NO_MAPPING_FOR_NAT_MASQUERADE,UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE,FIB_LOOKUP_FAILED,ENCAPSULATION_TRAFFIC_IS_PROHIBITED,INVALID_IDENTITY,UNKNOWN_SENDER,NAT_NOT_NEEDED,IS_A_CLUSTERIP,FIRST_LOGICAL_DATAGRAM_FRAGMENT_NOT_FOUND,FORBIDDEN_ICMPV6_MESSAGE,DENIED_BY_LB_SRC_RANGE_CHECK,SOCKET_LOOKUP_FAILED,SOCKET_ASSIGN_FAILED,PROXY_REDIRECTION_NOT_SUPPORTED_FOR_PROTOCOL,POLICY_DENY,VLAN_FILTERED,INVALID_VNI,INVALID_TC_BUFFER,NO_SID,MISSING_SRV6_STATE,NAT46,NAT64,AUTH_REQUIRED,CT_NO_MAP_FOUND,SNAT_NO_MAP_FOUND,INVALID_CLUSTER_ID,UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP,NO_EGRESS_GATEWAY,UNENCRYPTED_TRAFFIC,TTL_EXCEEDED,NO_NODE_ID,DROP_RATE_LIMITED,IGMP_HANDLED,IGMP_SUBSCRIBED,MULTICAST_HANDLED,DROP_HOST_NOT_READY,DROP_EP_NOT_READY,DROP_NO_EGRESS_IP
- spec.flowLogs.denyFilterList.event_type (array of objects)
Event types to filter on.
- spec.flowLogs.denyFilterList.event_type.match_sub_type (boolean)
Whether to match on sub_type.
- spec.flowLogs.denyFilterList.event_type.sub_type (integer)
Secondary event type.
- spec.flowLogs.denyFilterList.event_type.type (integer)
Primary event type.
- spec.flowLogs.denyFilterList.http_header (array of objects)
HTTP headers to match.
- spec.flowLogs.denyFilterList.http_header.key (string)
Header key.
- spec.flowLogs.denyFilterList.http_header.value (string)
Header value.
- spec.flowLogs.denyFilterList.http_method (array of strings)
HTTP methods.
- Element of the array (string)
Allowed values:
GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
- spec.flowLogs.denyFilterList.http_path (array of strings)
Regex list to match the HTTP path.
- spec.flowLogs.denyFilterList.http_status_code (array of strings)
HTTP status code prefixes.
- Element of the array (string)
Pattern:
^(?:[1-5]\+|[1-5][0-9]\+|[1-5][0-9]{2})$
- spec.flowLogs.denyFilterList.http_url (array of strings)
Regex list to match the HTTP URL.
- spec.flowLogs.denyFilterList.interface (array of objects)
Network interface where the flow was observed.
- spec.flowLogs.denyFilterList.interface.index (integer)
Interface index.
Allowed values:
0 <= X
- spec.flowLogs.denyFilterList.interface.name (string)
Interface name.
- spec.flowLogs.denyFilterList.ip_version (array of strings)
IP version.
- Element of the array (string)
Allowed values:
IP_NOT_USED, IPv4, IPv6
- spec.flowLogs.denyFilterList.node_labels (array of strings)
Node label selectors.
Examples:
node_labels: node-role.kubernetes.io/control-plane=
node_labels: topology.kubernetes.io/ru-central1-a
- spec.flowLogs.denyFilterList.node_name (array of strings)
Node name patterns.
- spec.flowLogs.denyFilterList.protocol (array of strings)
L4 or L7 protocol.
- spec.flowLogs.denyFilterList.source_cluster_name (array of strings)
Source cluster names.
- spec.flowLogs.denyFilterList.source_fqdn (array of strings)
Source fully qualified domain names (FQDN).
- Element of the array (string)
Maximum length:
255
- spec.flowLogs.denyFilterList.source_identity (array of integers)
Source security identity.
- Element of the array (integer)
Allowed values:
0 <= X <= 4294967295
- spec.flowLogs.denyFilterList.source_ip (array of strings)
Source IP or CIDR.
- spec.flowLogs.denyFilterList.source_ip_xlated (array of strings)
Post-translation (SNAT) source IP or CIDR.
- spec.flowLogs.denyFilterList.source_label (array of strings)
Source label selectors.
For more information, please see the Cilium documentation.
Examples:
source_label: k8s:role=frontend
source_label: reserved:kube-apiserver
- spec.flowLogs.denyFilterList.source_pod (array of strings)
Source Pod name prefixes in the form NamespacedName (namespace/pod).
Examples:
source_pod: kube-system/d8-kube-dns-7bc4648cb4-94tps
source_pod: kube-system/
source_pod: "/d8-kube-dns-7bc4648cb4-94tps"
- spec.flowLogs.denyFilterList.source_port (array of strings)
L4 source port.
- Element of the array (string)
Pattern:
^(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})$
- spec.flowLogs.denyFilterList.source_service (array of strings)
Source service name prefixes in the form NamespacedName (namespace/service).
Examples:
source_service: kube-system/kube-dns
source_service: kube-system/
source_service: "/kube-dns"
- spec.flowLogs.denyFilterList.source_workload (array of objects)
Source workloads.
- spec.flowLogs.denyFilterList.source_workload.kind (string)
Workload kind.
- spec.flowLogs.denyFilterList.source_workload.name (string)
Workload name.
- spec.flowLogs.denyFilterList.tcp_flags (array of objects)
TCP flags to match.
- spec.flowLogs.denyFilterList.tcp_flags.ACK (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.CWR (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.ECE (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.FIN (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.NS (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.PSH (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.RST (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.SYN (boolean)
- spec.flowLogs.denyFilterList.tcp_flags.URG (boolean)
- spec.flowLogs.denyFilterList.trace_id (array of strings)
Trace ID.
- spec.flowLogs.denyFilterList.traffic_direction (array of strings)
Traffic direction.
- Element of the array (string)
Allowed values:
TRAFFIC_DIRECTION_UNKNOWN, INGRESS, EGRESS
- spec.flowLogs.denyFilterList.uuid (array of strings)
Filters by flow UUIDs.
- spec.flowLogs.denyFilterList.verdict (array of strings)
Match by verdict.
- Element of the array (string)
Allowed values:
VERDICT_UNKNOWN, FORWARDED, DROPPED, ERROR, AUDIT, REDIRECTED, TRACED, TRANSLATED
- spec.flowLogs.enabled (boolean)
Enables event logging for Cilium agents. The log file is located on the node's filesystem at /var/log/cilium/hubble/flow.log.
Default:
false
- spec.flowLogs.fieldMaskList (array of strings)
List of fields that should be included in exported events.
For more details, see the Cilium documentation.
- Element of the array (string)
Allowed values:
time,uuid,verdict,drop_reason_desc,auth_type,ethernet,ethernet.source,ethernet.destination,IP,IP.source,IP.source_xlated,IP.destination,IP.ipVersion,IP.encrypted,l4,l4.TCP,l4.TCP.source_port,l4.TCP.destination_port,l4.TCP.flags,l4.TCP.flags.FIN,l4.TCP.flags.SYN,l4.TCP.flags.RST,l4.TCP.flags.PSH,l4.TCP.flags.ACK,l4.TCP.flags.URG,l4.TCP.flags.ECE,l4.TCP.flags.CWR,l4.TCP.flags.NS,l4.UDP,l4.UDP.source_port,l4.UDP.destination_port,l4.ICMPv4,l4.ICMPv4.type,l4.ICMPv4.code,l4.ICMPv6,l4.ICMPv6.type,l4.ICMPv6.code,l4.SCTP,l4.SCTP.source_port,l4.SCTP.destination_port,source,source.ID,source.identity,source.cluster_name,source.namespace,source.labels,source.pod_name,source.workloads,source.workloads.name,source.workloads.kind,destination,destination.ID,destination.identity,destination.cluster_name,destination.namespace,destination.labels,destination.pod_name,destination.workloads,destination.workloads.name,destination.workloads.kind,Type,node_name,node_labels,source_names,destination_names,l7,l7.type,l7.latency_ns,l7.record,l7.record.dns,l7.record.dns.query,l7.record.dns.ips,l7.record.dns.ttl,l7.record.dns.cnames,l7.record.dns.observation_source,l7.record.dns.rcode,l7.record.dns.qtypes,l7.record.dns.rrtypes,l7.record.http,l7.record.http.code,l7.record.http.method,l7.record.http.url,l7.record.http.protocol,l7.record.http.headers,l7.record.http.headers.key,l7.record.http.headers.value,l7.record.kafka,l7.record.kafka.error_code,l7.record.kafka.api_version,l7.record.kafka.api_key,l7.record.kafka.correlation_id,l7.record.kafka.topic,is_reply,event_type,event_type.type,event_type.sub_type,traffic_direction,trace_observation_point,trace_reason,file,file.name,file.line,debug_capture_point,interface,interface.index,interface.name,proxy_port,trace_context,trace_context.parent,trace_context.parent.trace_id,sock_xlate_point,socket_cookie,cgroup_id,extensions,egress_allowed_by,egress_allowed_by.name,egress_allowed_by.namespace,egress_allowed_by.labels,egress_allowed_by.revision,egress_allowed_by.kind,ingress_allowed_by,ingress_allowed_by.name,ingress_allowed_by.namespace,ingress_allowed_by.labels,ingress_allowed_by.revision,ingress_allowed_by.kind,egress_denied_by,egress_denied_by.name,egress_denied_by.namespace,egress_denied_by.labels,egress_denied_by.revision,egress_denied_by.kind,ingress_denied_by,ingress_denied_by.name,ingress_denied_by.namespace,ingress_denied_by.labels,ingress_denied_by.revision,ingress_denied_by.kind,source_service,source_service.name,source_service.namespace,destination_service,destination_service.name,destination_service.namespace
- spec.flowLogs.fileMaxSizeMB (integer)
Size in MB at which to rotate the Hubble export file.
Default:
10
Allowed values:
1 <= X <= 150
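As an added Python example (not Deckhouse's or Cilium's code), the following models the spec.flowLogs filtering described above: allowFilterList and denyFilterList (AND within a filter object, OR across objects, deny winning over allow), the NamespacedName prefix forms of source_pod/destination_pod, and fieldMaskList trimming, run over constructed flow events. The spec values and events are mine, only a handful of filter fields are modelled, and "any listed value matches" within one field is assumed from the page's verdict example (DROPPED or ERROR).

```python
# Constructed flowLogs spec in the shape of the HubbleMonitoringConfig CRD (values are mine).
FLOW_LOGS = {
    "allowFilterList": [
        {"verdict": ["DROPPED", "ERROR"]},
        {"source_pod": ["payments/"], "destination_port": ["5432"]},
    ],
    "denyFilterList": [
        {"source_pod": ["kube-system/"]},
        {"destination_pod": ["kube-system/"]},
    ],
    "fieldMaskList": ["time", "verdict", "source.namespace", "destination.pod_name"],
}

# Constructed sample events carrying a subset of Hubble flow fields.
EVENTS = [
    {"time": "t1", "verdict": "DROPPED",
     "source": {"namespace": "payments", "pod_name": "api-6f9c7-abcde"},
     "destination": {"namespace": "db", "pod_name": "postgres-0"},
     "l4": {"TCP": {"source_port": 51234, "destination_port": 5432}}},
    {"time": "t2", "verdict": "FORWARDED",
     "source": {"namespace": "payments", "pod_name": "api-6f9c7-abcde"},
     "destination": {"namespace": "db", "pod_name": "postgres-0"},
     "l4": {"TCP": {"source_port": 51235, "destination_port": 5432}}},
    {"time": "t3", "verdict": "DROPPED",
     "source": {"namespace": "kube-system", "pod_name": "d8-kube-dns-7bc4648cb4-94tps"},
     "destination": {"namespace": "payments", "pod_name": "api-6f9c7-abcde"},
     "l4": {"UDP": {"source_port": 53, "destination_port": 41000}}},
    {"time": "t4", "verdict": "FORWARDED",
     "source": {"namespace": "payments", "pod_name": "api-6f9c7-abcde"},
     "destination": {"namespace": "shop", "pod_name": "web-0"},
     "l4": {"TCP": {"source_port": 51236, "destination_port": 8080}}},
]

def pod_prefix_matches(patterns, namespace, pod_name):
    """NamespacedName prefixes: 'ns/pod-prefix', 'ns/' (any pod in ns), '/pod-prefix' (any ns)."""
    for pattern in patterns:
        ns, _, pod = pattern.partition("/")
        if ns in ("", namespace) and pod_name.startswith(pod):
            return True
    return False

def l4_port(event, which):
    # Port as a string, whichever L4 protocol the event carries (empty if none).
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in (event.get("l4") or {}):
            return str(event["l4"][proto].get(which, ""))
    return ""

def filter_matches(flt, event):
    """All fields of one filter object must match (AND); inside a field any listed value suffices."""
    checks = {
        "verdict": lambda vals: event["verdict"] in vals,
        "source_pod": lambda vals: pod_prefix_matches(vals, **event["source"]),
        "destination_pod": lambda vals: pod_prefix_matches(vals, **event["destination"]),
        "source_port": lambda vals: l4_port(event, "source_port") in vals,
        "destination_port": lambda vals: l4_port(event, "destination_port") in vals,
    }
    for field, vals in flt.items():
        if field not in checks:
            raise ValueError(f"filter field {field!r} is not modelled in this example")
        if not checks[field](vals):
            return False
    return True

def is_exported(spec, event):
    """Empty allow list admits everything; any matching deny filter removes the event."""
    allow, deny = spec.get("allowFilterList") or [], spec.get("denyFilterList") or []
    allowed = not allow or any(filter_matches(f, event) for f in allow)
    return allowed and not any(filter_matches(f, event) for f in deny)

def apply_field_mask(event, field_mask):
    """Keep only the dotted paths listed in fieldMaskList (e.g. 'source.namespace')."""
    out = {}
    for path in field_mask:
        keys = path.split(".")
        src, dst = event, out
        for key in keys[:-1]:
            if not isinstance(src, dict) or key not in src:
                break
            src, dst = src[key], dst.setdefault(key, {})
        else:
            if isinstance(src, dict) and keys[-1] in src:
                dst[keys[-1]] = src[keys[-1]]
    return out

def exported_events(spec, events):
    mask = spec.get("fieldMaskList") or []
    return [apply_field_mask(e, mask) if mask else e for e in events if is_exported(spec, e)]
```

With the spec above, t1 passes on its verdict, t2 on the payments/ plus port 5432 filter, t3 is allowed by verdict but then removed by the kube-system/ deny filter, and t4 matches no allow filter.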