# cilium-cli **Repository Path**: xishengcai/cilium-cli ## Basic Information - **Project Name**: cilium-cli - **Description**: No description available - **Primary Language**: Unknown - **License**: Apache-2.0 - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2021-07-10 - **Last Updated**: 2021-07-10 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # Next-Gen Cilium CLI (Experimental) [![Go](https://github.com/cilium/cilium-cli/workflows/Go/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AGo) [![Kind](https://github.com/cilium/cilium-cli/workflows/Kind/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AKind) [![EKS (ENI)](https://github.com/cilium/cilium-cli/actions/workflows/eks.yaml/badge.svg)](https://github.com/cilium/cilium-cli/actions/workflows/eks.yaml) [![EKS (tunnel)](https://github.com/cilium/cilium-cli/actions/workflows/eks-tunnel.yaml/badge.svg)](https://github.com/cilium/cilium-cli/actions/workflows/eks-tunnel.yaml) [![GKE](https://github.com/cilium/cilium-cli/workflows/GKE/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AGKE) [![AKS](https://github.com/cilium/cilium-cli/workflows/AKS/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AAKS) [![Multicluster](https://github.com/cilium/cilium-cli/workflows/Multicluster/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AMulticluster) [![External Workloads](https://github.com/cilium/cilium-cli/actions/workflows/externalworkloads.yaml/badge.svg)](https://github.com/cilium/cilium-cli/actions/workflows/externalworkloads.yaml) ## Installation To build and install, use the `install` target: ```console make install ``` You may set the `BINDIR` environment variable to install the binary in a specific location instead of `/usr/local/bin`, e.g. ``` BINDIR=~/.local/bin make install ``` ## Capabilities ### Install Cilium To install Cilium while automatically detected: cilium install 🔮 Auto-detected Kubernetes kind: minikube ✨ Running "minikube" validation checks ✅ Detected minikube version "1.5.2" ℹī¸ Cilium version not set, using default version "v1.9.1" 🔮 Auto-detected cluster name: minikube 🔮 Auto-detected datapath mode: tunnel 🔑 Found existing CA in secret cilium-ca 🔑 Generating certificates for Hubble... 2021/01/06 14:40:09 [INFO] generate received request 2021/01/06 14:40:09 [INFO] received CSR 2021/01/06 14:40:09 [INFO] generating key: ecdsa-256 2021/01/06 14:40:09 [INFO] encoded CSR 2021/01/06 14:40:09 [INFO] signed certificate with serial number 100064573681617100283382379701098370105206717828 🚀 Creating service accounts... 🚀 Creating cluster roles... 🚀 Creating ConfigMap... 🚀 Creating agent DaemonSet... 🚀 Creating operator Deployment... #### Supported Environments - [x] minikube - [x] kind - [x] EKS - [x] self-managed - [x] GKE - [x] AKS - [ ] k3s - [ ] Rancher ### Cluster Context Management cilium context Context: minikube Cluster: minikube Auth: minikube Host: https://192.168.64.25:8443 TLS server name: CA path: /Users/tgraf/.minikube/ca.crt ### Hubble cilium hubble enable 🔑 Generating certificates for Relay... 2021/01/06 14:40:21 [INFO] generate received request 2021/01/06 14:40:21 [INFO] received CSR 2021/01/06 14:40:21 [INFO] generating key: ecdsa-256 2021/01/06 14:40:21 [INFO] encoded CSR 2021/01/06 14:40:21 [INFO] signed certificate with serial number 257161504887184430913779255692233956510035935986 2021/01/06 14:40:21 [INFO] generate received request 2021/01/06 14:40:21 [INFO] received CSR 2021/01/06 14:40:21 [INFO] generating key: ecdsa-256 2021/01/06 14:40:21 [INFO] encoded CSR 2021/01/06 14:40:21 [INFO] signed certificate with serial number 282554813841417773944504735898535346056548994034 ✨ Deploying Relay... ### Status cilium status /¯¯\ /¯¯\__/¯¯\ Cilium: OK \__/¯¯\__/ Operator: OK /¯¯\__/¯¯\ Hubble: OK \__/¯¯\__/ \__/ DaemonSet cilium Desired: 1, Ready: 1/1, Available: 1/1 Deployment cilium-operator Desired: 1, Ready: 1/1, Available: 1/1 Deployment hubble-relay Desired: 1, Ready: 1/1, Available: 1/1 Containers: cilium Running: 1 cilium-operator Running: 1 hubble-relay Running: 1 Image versions cilium quay.io/cilium/cilium:v1.9.1: 1 cilium-operator quay.io/cilium/operator-generic:v1.9.1: 1 hubble-relay quay.io/cilium/hubble-relay:v1.9.1: 1 ### Connectivity Check cilium connectivity test --single-node ⌛ Waiting for deployments to become ready 🔭 Enabling Hubble telescope... ⚠ī¸ Unable to contact Hubble Relay: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp [::1]:4245: connect: connection refused" ⚠ī¸ Did you enable and expose Hubble + Relay? ℹī¸ You can export Relay with a port-forward: kubectl port-forward -n kube-system deployment/hubble-relay 4245:4245 ℹī¸ Disabling Hubble telescope and flow validation... ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to pod cilium-test/echo-same-node-7f877bbf9-p2xg8... ------------------------------------------------------------------------------------------- ✅ client pod client-9f579495f-b2pcq was able to communicate with echo pod echo-same-node-7f877bbf9-p2xg8 (10.0.0.166) ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to outside of cluster... ------------------------------------------------------------------------------------------- ✅ client pod client-9f579495f-b2pcq was able to communicate with cilium.io ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to local host... ------------------------------------------------------------------------------------------- ✅ client pod client-9f579495f-b2pcq was able to communicate with local host ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to service echo-same-node... ------------------------------------------------------------------------------------------- ✅ client pod client-9f579495f-b2pcq was able to communicate with service echo-same-node #### With Flow Validation cilium hubble port-forward& cilium connectivity test --single-node ⌛ Waiting for deployments to become ready 🔭 Enabling Hubble telescope... Handling connection for 4245 ℹī¸ Hubble is OK, flows: 405/4096 ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to pod cilium-test/echo-same-node-7f877bbf9-p2xg8... ------------------------------------------------------------------------------------------- 📄 Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: SYN) Jan 6 13:41:17.739: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.755: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.756: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) 📄 Flow logs of pod cilium-test/echo-same-node-7f877bbf9-p2xg8: Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: SYN) Jan 6 13:41:17.739: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.755: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.756: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) ✅ client pod client-9f579495f-b2pcq was able to communicate with echo pod echo-same-node-7f877bbf9-p2xg8 (10.0.0.166) ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to outside of cluster... ------------------------------------------------------------------------------------------- ❌ Found RST in pod cilium-test/client-9f579495f-b2pcq ❌ FIN not found in pod cilium-test/client-9f579495f-b2pcq 📄 Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:22.025: 10.0.0.11:55334 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.025: 10.0.0.11:55334 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.027: 10.0.0.243:53 -> 10.0.0.11:55334 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.028: 10.0.0.243:53 -> 10.0.0.11:55334 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.028: 10.0.0.11:56466 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.028: 10.0.0.11:56466 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.029: 10.0.0.104:53 -> 10.0.0.11:56466 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.029: 10.0.0.104:53 -> 10.0.0.11:56466 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.030: 10.0.0.11:57691 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.030: 10.0.0.243:53 -> 10.0.0.11:57691 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.030: 10.0.0.11:57691 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.031: 10.0.0.243:53 -> 10.0.0.11:57691 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.031: 10.0.0.11:52849 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.032: 10.0.0.104:53 -> 10.0.0.11:52849 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.033: 10.0.0.11:52849 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.037: 10.0.0.104:53 -> 10.0.0.11:52849 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.038: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: SYN) Jan 6 13:41:22.041: 172.217.168.46:443 -> 10.0.0.11:45040 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:22.041: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: ACK) Jan 6 13:41:22.059: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:22.073: 172.217.168.46:443 -> 10.0.0.11:45040 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:22.096: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: ACK, RST) Jan 6 13:41:22.097: 172.217.168.46:443 -> 10.0.0.11:45040 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:22.097: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: RST) ✅ client pod client-9f579495f-b2pcq was able to communicate with cilium.io ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to local host... ------------------------------------------------------------------------------------------- 📄 Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:25.305: 10.0.0.11 -> 192.168.64.25 to-stack FORWARDED (ICMPv4 EchoRequest) Jan 6 13:41:25.305: 192.168.64.25 -> 10.0.0.11 to-endpoint FORWARDED (ICMPv4 EchoReply) ✅ client pod client-9f579495f-b2pcq was able to communicate with local host ------------------------------------------------------------------------------------------- 🔌 Validating from pod cilium-test/client-9f579495f-b2pcq to service echo-same-node... ------------------------------------------------------------------------------------------- 📄 Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:30.499: 10.0.0.11:39559 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.499: 10.0.0.11:39559 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.500: 10.0.0.104:53 -> 10.0.0.11:39559 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.500: 10.0.0.104:53 -> 10.0.0.11:39559 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.503: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: SYN) Jan 6 13:41:30.503: 10.0.0.166:8080 -> 10.0.0.11:59414 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:30.503: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) Jan 6 13:41:30.503: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:30.505: 10.0.0.166:8080 -> 10.0.0.11:59414 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:30.509: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:30.509: 10.0.0.166:8080 -> 10.0.0.11:59414 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:30.509: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) ✅ client pod client-9f579495f-b2pcq was able to communicate with service echo-same-node ### ClusterMesh Install Cilium & enable ClusterMesh in Cluster 1 cilium install --cluster-id 1 🔮 Auto-detected Kubernetes kind: GKE ℹī¸ Cilium version not set, using default version "v1.9.1" 🔮 Auto-detected cluster name: gke-cilium-dev-us-west2-a-tgraf-cluster1 🔮 Auto-detected datapath mode: gke ✅ Detected GKE native routing CIDR: 10.52.0.0/14 🚀 Creating resource quotas... 🔑 Found existing CA in secret cilium-ca 🔑 Generating certificates for Hubble... 2021/01/08 23:07:52 [INFO] generate received request 2021/01/08 23:07:52 [INFO] received CSR 2021/01/08 23:07:52 [INFO] generating key: ecdsa-256 2021/01/08 23:07:52 [INFO] encoded CSR 2021/01/08 23:07:52 [INFO] signed certificate with serial number 412940817381691474277840557608535075673795002662 🚀 Creating service accounts... 🚀 Creating cluster roles... 🚀 Creating ConfigMap... 🚀 Creating GKE Node Init DaemonSet... 🚀 Creating agent DaemonSet... 🚀 Creating operator Deployment... cilium clustermesh enable ✨ Validating cluster configuration... ✅ Valid cluster identification found: name="gke-cilium-dev-us-west2-a-tgraf-cluster1" id="1" 🔑 Found existing CA in secret cilium-ca 🔑 Generating certificates for ClusterMesh... 2021/01/08 23:11:48 [INFO] generate received request 2021/01/08 23:11:48 [INFO] received CSR 2021/01/08 23:11:48 [INFO] generating key: ecdsa-256 2021/01/08 23:11:48 [INFO] encoded CSR 2021/01/08 23:11:48 [INFO] signed certificate with serial number 670714666407590575359066679305478681356106905869 2021/01/08 23:11:48 [INFO] generate received request 2021/01/08 23:11:48 [INFO] received CSR 2021/01/08 23:11:48 [INFO] generating key: ecdsa-256 2021/01/08 23:11:49 [INFO] encoded CSR 2021/01/08 23:11:49 [INFO] signed certificate with serial number 591065363597916136413807294935737333774847803115 2021/01/08 23:11:49 [INFO] generate received request 2021/01/08 23:11:49 [INFO] received CSR 2021/01/08 23:11:49 [INFO] generating key: ecdsa-256 2021/01/08 23:11:49 [INFO] encoded CSR 2021/01/08 23:11:49 [INFO] signed certificate with serial number 212022707754116737648249489711560171325685820957 ✨ Deploying clustermesh-apiserver... 🔮 Auto-exposing service within GCP VPC (cloud.google.com/load-balancer-type=internal) Install Cilium in Cluster 2 cilium install --context gke_cilium-dev_us-west2-a_tgraf-cluster2 --cluster-id 2 🔮 Auto-detected Kubernetes kind: GKE ℹī¸ Cilium version not set, using default version "v1.9.1" 🔮 Auto-detected cluster name: gke-cilium-dev-us-west2-a-tgraf-cluster2 🔮 Auto-detected datapath mode: gke ✅ Detected GKE native routing CIDR: 10.4.0.0/14 🚀 Creating resource quotas... 🔑 Found existing CA in secret cilium-ca 🔑 Generating certificates for Hubble... 2021/01/08 23:08:28 [INFO] generate received request 2021/01/08 23:08:28 [INFO] received CSR 2021/01/08 23:08:28 [INFO] generating key: ecdsa-256 2021/01/08 23:08:28 [INFO] encoded CSR 2021/01/08 23:08:28 [INFO] signed certificate with serial number 166290456484087465763866003270622908833747392670 🚀 Creating service accounts... 🚀 Creating cluster roles... 🚀 Creating ConfigMap... 🚀 Creating GKE Node Init DaemonSet... 🚀 Creating agent DaemonSet... 🚀 Creating operator Deployment... cilium clustermesh enable --context gke_cilium-dev_us-west2-a_tgraf-cluster2 ✨ Validating cluster configuration... ✅ Valid cluster identification found: name="gke-cilium-dev-us-west2-a-tgraf-cluster2" id="2" 🔑 Found existing CA in secret cilium-ca 🔑 Generating certificates for ClusterMesh... 2021/01/08 23:12:44 [INFO] generate received request 2021/01/08 23:12:44 [INFO] received CSR 2021/01/08 23:12:44 [INFO] generating key: ecdsa-256 2021/01/08 23:12:45 [INFO] encoded CSR 2021/01/08 23:12:45 [INFO] signed certificate with serial number 450145143290293186546054780525926209813963421076 2021/01/08 23:12:45 [INFO] generate received request 2021/01/08 23:12:45 [INFO] received CSR 2021/01/08 23:12:45 [INFO] generating key: ecdsa-256 2021/01/08 23:12:45 [INFO] encoded CSR 2021/01/08 23:12:45 [INFO] signed certificate with serial number 341741502649230631228454642926521374579240641715 2021/01/08 23:12:45 [INFO] generate received request 2021/01/08 23:12:45 [INFO] received CSR 2021/01/08 23:12:45 [INFO] generating key: ecdsa-256 2021/01/08 23:12:45 [INFO] encoded CSR 2021/01/08 23:12:45 [INFO] signed certificate with serial number 233979838156429984835251051892420687423155442107 ✨ Deploying clustermesh-apiserver... 🔮 Auto-exposing service within GCP VPC (cloud.google.com/load-balancer-type=internal) Connect Clusters cilium clustermesh connect --destination-context gke_cilium-dev_us-west2-a_tgraf-cluster2 ✨ Extracting access information of cluster gke-cilium-dev-us-west2-a-tgraf-cluster2... 🔑 Extracting secrets from cluster gke-cilium-dev-us-west2-a-tgraf-cluster2... ℹī¸ Found ClusterMesh service IPs: [10.168.15.209] ✨ Extracting access information of cluster gke-cilium-dev-us-west2-a-tgraf-cluster1... 🔑 Extracting secrets from cluster gke-cilium-dev-us-west2-a-tgraf-cluster1... ℹī¸ Found ClusterMesh service IPs: [10.168.15.208] ✨ Connecting cluster gke_cilium-dev_us-west2-a_tgraf-cluster1 -> gke_cilium-dev_us-west2-a_tgraf-cluster2... 🔑 Patching existing secret cilium-clustermesh... ✨ Patching DaemonSet with IP aliases cilium-clustermesh... ✨ Connecting cluster gke_cilium-dev_us-west2-a_tgraf-cluster2 -> gke_cilium-dev_us-west2-a_tgraf-cluster1... 🔑 Patching existing secret cilium-clustermesh... ✨ Patching DaemonSet with IP aliases cilium-clustermesh... ### Encryption Install a Cilium in a cluster and enable encryption with IPsec cilium install --encryption=ipsec 🔮 Auto-detected Kubernetes kind: kind ✨ Running "kind" validation checks ✅ Detected kind version "0.9.0" ℹī¸ Cilium version not set, using default version "v1.9.2" 🔮 Auto-detected cluster name: kind-chart-testing 🔮 Auto-detected IPAM mode: kubernetes 🔑 Found existing CA in secret cilium-ca 2021/01/25 10:13:47 [INFO] generate received request 🔑 Generating certificates for Hubble... 2021/01/25 10:13:47 [INFO] received CSR 2021/01/25 10:13:47 [INFO] generating key: ecdsa-256 2021/01/25 10:13:47 [INFO] encoded CSR 2021/01/25 10:13:47 [INFO] signed certificate with serial number 254989930644407824918712685524397372889683962312 🚀 Creating Service accounts... 🚀 Creating Cluster roles... 🔑 Generated encryption secret cilium-ipsec-keys 🚀 Creating ConfigMap... 🚀 Creating Agent DaemonSet... 🚀 Creating Operator Deployment... ⌛ Waiting for Cilium to be installed...