cilium policy trace

Trace a policy decision


Verifies if the source is allowed to consume destination. Source / destination can be provided as endpoint ID, security ID, Kubernetes Pod, YAML file, set of LABELs. LABEL is represented as SOURCE:KEY[=VALUE]. dports can be can be for example: 80/tcp, 53 or 23/udp. If multiple sources and / or destinations are provided, each source is tested whether there is a policy allowing traffic between it and each destination. –src-k8s-pod and –dst-k8s-pod requires cilium-agent to be running with disable-endpoint-crd option set to “false”.

cilium policy trace ( -s <label context> | --src-identity <security identity> | --src-endpoint <endpoint ID> | --src-k8s-pod <namespace:pod-name> | --src-k8s-yaml <path to YAML file> ) ( -d <label context> | --dst-identity <security identity> | --dst-endpoint <endpoint ID> | --dst-k8s-pod <namespace:pod-name> | --dst-k8s-yaml <path to YAML file>) [--dport <port>[/<protocol>]


      --dport stringSlice     L4 destination port to search on outgoing traffic of the source label context and on incoming traffic of the destination label context
  -d, --dst stringSlice       Destination label context
      --dst-endpoint string   Destination endpoint
      --dst-identity int      Destination identity (default -1)
      --dst-k8s-pod string    Destination k8s pod ([namespace:]podname)
      --dst-k8s-yaml string   Path to YAML file for destination
  -o, --output string         json| jsonpath='{}'
  -s, --src stringSlice       Source label context
      --src-endpoint string   Source endpoint
      --src-identity int      Source identity (default -1)
      --src-k8s-pod string    Source k8s pod ([namespace:]podname)
      --src-k8s-yaml string   Path to YAML file for source
  -v, --verbose               Set tracing to TRACE_VERBOSE

Options inherited from parent commands

      --config string   config file (default is $HOME/.cilium.yaml)
  -D, --debug           Enable debug messages
  -H, --host string     URI to server-side API