Skip to main content

Browse the archive

Raw File
cilium_policy_trace.md 
<!-- This file was autogenerated via cilium cmdref, do not edit manually-->

## cilium policy trace

Trace a policy decision

### Synopsis

Verifies if the source is allowed to consume
destination. Source / destination can be provided as endpoint ID, security ID, Kubernetes Pod, YAML file, set of LABELs. LABEL is represented as
SOURCE:KEY[=VALUE].
dports can be can be for example: 80/tcp, 53 or 23/udp.
If multiple sources and / or destinations are provided, each source is tested whether there is a policy allowing traffic between it and each destination.
--src-k8s-pod and --dst-k8s-pod requires cilium-agent to be running with disable-endpoint-crd option set to "false".

```
cilium policy trace ( -s <label context> | --src-identity <security identity> | --src-endpoint <endpoint ID> | --src-k8s-pod <namespace:pod-name> | --src-k8s-yaml <path to YAML file> ) ( -d <label context> | --dst-identity <security identity> | --dst-endpoint <endpoint ID> | --dst-k8s-pod <namespace:pod-name> | --dst-k8s-yaml <path to YAML file>) [--dport <port>[/<protocol>] [flags]
```

### Options

```
      --dport strings         L4 destination port to search on outgoing traffic of the source label context and on incoming traffic of the destination label context
  -d, --dst strings           Destination label context
      --dst-endpoint string   Destination endpoint
      --dst-identity int      Destination identity (default -1)
      --dst-k8s-pod string    Destination k8s pod ([namespace:]podname)
      --dst-k8s-yaml string   Path to YAML file for destination
  -h, --help                  help for trace
  -o, --output string         json| jsonpath='{}'
  -s, --src strings           Source label context
      --src-endpoint string   Source endpoint
      --src-identity int      Source identity (default -1)
      --src-k8s-pod string    Source k8s pod ([namespace:]podname)
      --src-k8s-yaml string   Path to YAML file for source
  -v, --verbose               Set tracing to TRACE_VERBOSE
```

### Options inherited from parent commands

```
      --config string   config file (default is $HOME/.cilium.yaml)
  -D, --debug           Enable debug messages
  -H, --host string     URI to server-side API
```

### SEE ALSO

* [cilium policy](../cilium_policy)	 - Manage security policies
back to top