Cilium · Schema
Cilium Endpoint
A Cilium-managed network endpoint representing a Kubernetes pod or container with associated security identity, IP addressing, and policy enforcement state.
Cloud Native · eBPF · Kubernetes · Networking · Security
Properties
| Name | Type | Description |
|---|---|---|
| id | integer | Numeric endpoint ID assigned by the Cilium agent. |
| spec | object | Desired configuration for a Cilium endpoint. |
| status | object | Current observed state of a Cilium endpoint. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://cilium.io/schemas/endpoint.json",
"title": "Cilium Endpoint",
"description": "A Cilium-managed network endpoint representing a Kubernetes pod or container with associated security identity, IP addressing, and policy enforcement state.",
"type": "object",
"properties": {
"id": {
"type": "integer",
"description": "Numeric endpoint ID assigned by the Cilium agent.",
"minimum": 1
},
"spec": {
"$ref": "#/$defs/EndpointSpec"
},
"status": {
"$ref": "#/$defs/EndpointStatus"
}
},
"$defs": {
"EndpointSpec": {
"type": "object",
"description": "Desired configuration for a Cilium endpoint.",
"properties": {
"addressing": {
"$ref": "#/$defs/AddressPair"
},
"containerID": {
"type": "string",
"description": "Container runtime identifier for this endpoint.",
"minLength": 1
},
"containerName": {
"type": "string",
"description": "Container name as reported by the container runtime."
},
"k8sNamespace": {
"type": "string",
"description": "Kubernetes namespace in which the pod runs."
},
"k8sPodName": {
"type": "string",
"description": "Kubernetes pod name associated with this endpoint."
},
"k8sUID": {
"type": "string",
"description": "Kubernetes pod UID uniquely identifying the pod object."
},
"labels": {
"type": "array",
"description": "Security labels associated with this endpoint in key=value format.",
"items": {
"type": "string",
"pattern": "^[^=]+=.*$"
}
},
"datapath-configuration": {
"$ref": "#/$defs/DatapathConfiguration"
}
}
},
"AddressPair": {
"type": "object",
"description": "IPv4 and IPv6 address pair assigned to an endpoint.",
"properties": {
"ipv4": {
"type": "string",
"description": "IPv4 address assigned to the endpoint.",
"format": "ipv4"
},
"ipv4-expiry-time": {
"type": "string",
"description": "Expiry time for the IPv4 address lease.",
"format": "date-time"
},
"ipv6": {
"type": "string",
"description": "IPv6 address assigned to the endpoint.",
"format": "ipv6"
},
"ipv6-expiry-time": {
"type": "string",
"description": "Expiry time for the IPv6 address lease.",
"format": "date-time"
}
}
},
"DatapathConfiguration": {
"type": "object",
"description": "BPF datapath-specific configuration for an endpoint.",
"properties": {
"disable-sip-verification": {
"type": "boolean",
"description": "Disable source IP verification for this endpoint. When true, the datapath does not check that traffic sent by the endpoint uses its assigned source address."
},
"external-ipam": {
"type": "boolean",
"description": "Whether IP addressing is managed by an external IPAM provider."
},
"install-endpoint-route": {
"type": "boolean",
"description": "Whether to install a per-endpoint host route."
},
"require-arp-passthrough": {
"type": "boolean",
"description": "Whether ARP passthrough is required for this endpoint."
},
"require-egress-prog": {
"type": "boolean",
"description": "Whether an egress BPF program is required."
},
"require-routing": {
"type": "boolean",
"description": "Whether routing is required for this endpoint."
}
}
},
"EndpointStatus": {
"type": "object",
"description": "Current observed state of a Cilium endpoint.",
"properties": {
"state": {
"type": "string",
"description": "Current lifecycle state of the endpoint.",
"enum": [
"waiting-for-identity",
"not-ready",
"waiting-to-regenerate",
"regenerating",
"restoring",
"ready",
"disconnecting",
"disconnected",
"invalid"
]
},
"identity": {
"$ref": "#/$defs/Identity"
},
"networking": {
"$ref": "#/$defs/EndpointNetworking"
},
"policy": {
"$ref": "#/$defs/EndpointPolicyStatus"
},
"health": {
"$ref": "#/$defs/EndpointHealth"
},
"controllers": {
"type": "array",
"description": "Status of background controllers managing this endpoint.",
"items": {
"$ref": "#/$defs/ControllerStatus"
}
},
"log": {
"type": "array",
"description": "Recent status change log entries for this endpoint.",
"items": {
"$ref": "#/$defs/EndpointStatusChange"
},
"maxItems": 100
}
}
},
"Identity": {
"type": "object",
"description": "Cilium security identity derived from a workload's label set.",
"required": ["id"],
"properties": {
"id": {
"type": "integer",
"format": "int64",
"description": "Unique numeric security identity ID.",
"minimum": 1
},
"labels": {
"type": "array",
"description": "Labels that define this security identity.",
"items": {
"type": "string"
}
},
"labelsSHA256": {
"type": "string",
"description": "SHA256 hash of the serialized label set for change detection.",
"pattern": "^[0-9a-f]{64}$"
}
}
},
"EndpointNetworking": {
"type": "object",
"description": "Network addressing and routing information for an endpoint.",
"properties": {
"addressing": {
"type": "array",
"description": "IP addresses assigned to this endpoint.",
"items": {
"$ref": "#/$defs/AddressPair"
}
},
"node": {
"type": "string",
"description": "IP address of the Kubernetes node hosting this endpoint."
},
"interface-index": {
"type": "integer",
"description": "Linux network interface index for this endpoint's veth."
},
"interface-name": {
"type": "string",
"description": "Linux network interface name for this endpoint's veth device."
}
}
},
"EndpointPolicyStatus": {
"type": "object",
"description": "Policy enforcement status for ingress and egress traffic.",
"properties": {
"spec": {
"$ref": "#/$defs/EndpointPolicy"
},
"realized": {
"$ref": "#/$defs/EndpointPolicy"
},
"proxy-statistics": {
"type": "array",
"description": "Statistics from L7 proxy enforcement.",
"items": {
"$ref": "#/$defs/ProxyStatistics"
}
}
}
},
"EndpointPolicy": {
"type": "object",
"description": "The set of policy rules applied to an endpoint.",
"properties": {
"allowed-egress-identities": {
"type": "array",
"description": "Numeric identity IDs that egress traffic from this endpoint may reach.",
"items": {
"type": "integer",
"format": "int64"
}
},
"allowed-ingress-identities": {
"type": "array",
"description": "Numeric identity IDs permitted to send traffic to this endpoint.",
"items": {
"type": "integer",
"format": "int64"
}
},
"denied-egress-identities": {
"type": "array",
"description": "Numeric identity IDs explicitly denied for egress.",
"items": {
"type": "integer",
"format": "int64"
}
},
"denied-ingress-identities": {
"type": "array",
"description": "Numeric identity IDs explicitly denied for ingress.",
"items": {
"type": "integer",
"format": "int64"
}
},
"cidr-policy": {
"type": "object",
"description": "CIDR-based policy configuration.",
"properties": {
"egress": {
"type": "array",
"items": {
"$ref": "#/$defs/CIDRRule"
},
"description": "CIDR rules for egress traffic."
},
"ingress": {
"type": "array",
"items": {
"$ref": "#/$defs/CIDRRule"
},
"description": "CIDR rules for ingress traffic."
}
}
},
"id": {
"type": "integer",
"format": "int64",
"description": "Policy revision number when these rules were last computed."
}
}
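},
"CIDRRule": {
"type": "object",
"description": "A CIDR-based policy rule.",
"required": ["cidr"],
"properties": {
"cidr": {
"type": "string",
"description": "CIDR block this rule applies to, in IPv4 or IPv6 prefix notation. The pattern checks shape only and accepts out-of-range octets and prefix lengths, so consumers should parse the value rather than rely on the schema match.",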
"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$"
},
"except": {
"type": "array",
"description": "CIDR blocks to exclude from this rule.",
"items": {
"type": "string"
}
},
"derived-from-rules": {
"type": "array",
"description": "Policy rule labels from which this CIDR rule was derived.",
"items": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
},
"ProxyStatistics": {
"type": "object",
"description": "L7 proxy traffic statistics for an endpoint port.",
"properties": {
"location": {
"type": "string",
"description": "Location of the proxy (ingress or egress).",
"enum": ["Ingress", "Egress"]
},
"port": {
"type": "integer",
"description": "Port number being proxied."
},
"protocol": {
"type": "string",
"description": "Application protocol being proxied (HTTP, Kafka, DNS, etc.)."
},
"statistics": {
"type": "object",
"description": "Traffic statistics counters.",
"properties": {
"requests": {
"$ref": "#/$defs/TrafficStatistics"
},
"responses": {
"$ref": "#/$defs/TrafficStatistics"
}
}
}
}
},
"TrafficStatistics": {
"type": "object",
"description": "Traffic counters for a direction.",
"properties": {
"received": {
"type": "integer",
"format": "int64",
"description": "Number of requests or responses received."
},
"sent": {
"type": "integer",
"format": "int64",
"description": "Number of requests or responses sent."
},
"forwarded": {
"type": "integer",
"format": "int64",
"description": "Number of requests or responses forwarded."
},
"denied": {
"type": "integer",
"format": "int64",
"description": "Number of requests or responses denied by policy."
},
"error": {
"type": "integer",
"format": "int64",
"description": "Number of requests or responses that encountered errors."
}
}
},
"EndpointHealth": {
"type": "object",
"description": "Health status of an endpoint's BPF programs and policy.",
"properties": {
"bpf": {
"type": "string",
"description": "Health status of BPF programs for this endpoint.",
"enum": ["OK", "Warning", "Failure", "Disabled", "Pending"]
},
"connected": {
"type": "boolean",
"description": "Whether the endpoint's network interface is connected."
},
"overallHealth": {
"type": "string",
"description": "Overall health status of the endpoint.",
"enum": ["OK", "Warning", "Failure", "Disabled", "Pending"]
},
"policy": {
"type": "string",
"description": "Health status of policy enforcement for this endpoint.",
"enum": ["OK", "Warning", "Failure", "Disabled", "Pending"]
}
}
},
"ControllerStatus": {
"type": "object",
"description": "Status of a background controller managing endpoint reconciliation.",
"properties": {
"name": {
"type": "string",
"description": "Controller name."
},
"configuration": {
"type": "object",
"description": "Controller configuration settings."
},
"status": {
"type": "object",
"description": "Current controller run status.",
"properties": {
"consecutiveFailureCount": {
"type": "integer",
"description": "Number of consecutive failed runs.",
"minimum": 0
},
"failureCount": {
"type": "integer",
"description": "Total number of failed runs.",
"minimum": 0
},
"lastFailureTimestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp of the most recent failure."
},
"lastSuccessTimestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp of the most recent successful run."
},
"successCount": {
"type": "integer",
"description": "Total number of successful runs.",
"minimum": 0
}
}
},
"uuid": {
"type": "string",
"description": "Unique identifier for this controller instance."
}
}
},
"EndpointStatusChange": {
"type": "object",
"description": "A single status change entry in the endpoint log.",
"properties": {
"code": {
"type": "string",
"description": "Status change result code.",
"enum": ["ok", "failed"]
},
"message": {
"type": "string",
"description": "Human-readable description of the status change event."
},
"state": {
"type": "string",
"description": "Endpoint state after this change.",
"enum": [
"waiting-for-identity",
"not-ready",
"waiting-to-regenerate",
"regenerating",
"restoring",
"ready",
"disconnecting",
"disconnected",
"invalid"
]
},
"timestamp": {
"type": "string",
"description": "ISO 8601 timestamp when this status change occurred."
}
}
}
}
}