Bitnami package for Cilium

Cilium is an eBPF-based networking, observability, and security for Linux container management platforms like Docker and Kubernetes.

Overview of Cilium

Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

TL;DR

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/cilium

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository.

Introduction

Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.

This chart bootstraps a Cilium deployment in a Kubernetes cluster using the Helm package manager.

Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters.

Prerequisites

• Kubernetes 1.23+
• Helm 3.8.0+
• Nodes with Linux kernel >= 4.19.57 or equivalent (e.g., 4.18 on RHEL8)

Installing the Chart

To install the chart with the release name my-release:

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/cilium

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The command deploys Cilium on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip: List all releases using helm list

Configuration and installation details

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

External Key-Value Store support

You may want to have Cilium connect to an external key-value store rather than installing one inside your cluster. Typical reasons for this are to use a managed service, or to share a common store for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the externalKvstore parameter. You should also disable the etcd installation with the etcd.enabled option. Here is an example:

etcd.enabled=false
externalKvstorehost.enabled=true
externalKvstorehost.endpoints[0]=external-kvstore-host-0:2379
externalKvstorehost.endpoints[1]=external-kvstore-host-1:2379

Cilium CNI plugin

Please also note the chart installs the Cilium CNI plugin on the Kubernetes nodes by default. If you want to disable this behavior, set the agent.cniPlugin.install parameter to false.

It’s also necessary to know the paths where the CNI binary and configuration files are located in your Kubernetes nodes. The chart assumes that the CNI binary is located in the /opt/cni/bin directory and the CNI configuration files are located in the /etc/cni/net.d directory. You can customize these paths using the agent.cniPlugin.hostCNIBinDir and agent.cniPlugin.hostCNINetDir parameters.

TLS

This chart supports encrypting communications between Hubble components using TLS. To enable this feature, set the hubble.tls.enabled.

It is necessary to create a secret containing the TLS certificates and pass it to the chart via the hubble.tls.existingCASecret, hubble.tls.peers.existingSecret, hubble.tls.relay.existingSecret and hubble.tls.client.existingSecret parameters. Every secret should contain a tls.crt and tls.key keys including the certificate and key files respectively. For example: create the CA secret with the certificates files:

kubectl create secret generic ca-tls-secret --from-file=./tls.crt --from-file=./tls.key

You can manually create the required TLS certificates or relying on the chart auto-generation capabilities. The chart supports two different ways to auto-generate the required certificates:

• Using Helm capabilities. Enable this feature by setting hubble.tls.autoGenerated.enabled to true and hubble.tls.autoGenerated.engine to helm.
• Relying on CertManager (please note it’s required to have CertManager installed in your K8s cluster). Enable this feature by setting hubble.tls.autoGenerated.enabled to true and hubble.tls.autoGenerated.engine to cert-manager. Please note it’s supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the hubble.tls.autoGenerated.certManager.existingIssuer and hubble.tls.autoGenerated.certManager.existingIssuerKind parameters.

Ingress

This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as nginx-ingress-controller or contour you can utilize the ingress controller to serve Hubble UI. To enable Ingress integration, set hubble.ui.enabled and hubble.ui.ingress.enabled to true.

The most common scenario is to have one host name mapped to the deployment. In this case, the hubble.ui.ingress.hostname property can be used to set the host name. The ui.ingress.tls parameter can be used to add the TLS configuration for this host.

However, it is also possible to have more than one host. To facilitate this, the hubble.ui.ingress.extraHosts parameter (if available) can be set with the host names specified as an array. The hubble.ui.ingress.extraTLS parameter (if available) can also be used to add the TLS configuration for extra hosts.

NOTE: For each host specified in the hubble.ui.ingress.extraHosts parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but this annotation reference document lists the annotations supported by many popular Ingress controllers.

Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists.

Learn more about Ingress controllers.

Additional environment variables

In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the extraEnvVars property. For instance:

agent:
  extraEnvVars:
    - name: LOG_LEVEL
      value: error

Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM or the extraEnvVarsSecret values.

Sidecars

If additional containers are needed in the same pod as Ciliuma (such as additional metrics or logging exporters), they can be defined using the agent.sidecars parameter.

agent:
  sidecars:
  - name: your-image-name
    image: your-image
    imagePullPolicy: Always
    ports:
    - name: portname
      containerPort: 1234

If these sidecars export extra ports, extra port definitions can be added using the agent.service.extraPorts parameter (where available), as shown in the example below:

agent:
  service:
    extraPorts:
    - name: extraPort
      port: 11311
      targetPort: 11311

If additional init containers are needed in the same pod, they can be defined using the agent.initContainers parameter. Here is an example:

agent:
  initContainers:
  - name: your-image-name
    image: your-image
    imagePullPolicy: Always
    ports:
      - name: portname
        containerPort: 1234

Learn more about sidecar containers and init containers.

Pod affinity

This chart allows you to set your custom affinity using the affinity parameter. Find more information about Pod affinity in the kubernetes documentation.

As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the podAffinityPreset, podAntiAffinityPreset, or nodeAffinityPreset parameters.

Parameters

Global parameters

Name	Description	Value
global.imageRegistry	Global Docker image registry	""
global.imagePullSecrets	Global Docker registry secret names as an array	[]
global.defaultStorageClass	Global default StorageClass for Persistent Volume(s)	""
global.storageClass	DEPRECATED: use global.defaultStorageClass instead	""
global.compatibility.openshift.adaptSecurityContext	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)	auto

Common parameters

Name	Description	Value
kubeVersion	Override Kubernetes version	""
nameOverride	String to partially override common.names.name	""
fullnameOverride	String to fully override common.names.fullname	""
namespaceOverride	String to fully override common.names.namespace	""
commonLabels	Labels to add to all deployed objects	{}
commonAnnotations	Annotations to add to all deployed objects	{}
clusterDomain	Kubernetes cluster domain name	cluster.local
extraDeploy	Array of extra objects to deploy with the release	[]
diagnosticMode.enabled	Enable diagnostic mode (all probes will be disabled and the command will be overridden)	false
diagnosticMode.command	Command to override all containers in the chart release	["sleep"]
diagnosticMode.args	Args to override all containers in the chart release	["infinity"]
configuration	Specify content for Cilium common configuration (basic one auto-generated based on other values otherwise)	{}
overrideConfiguration	Cilium common configuration override. Values defined here takes precedence over the ones defined at configuration	{}
existingConfigmap	The name of an existing ConfigMap with your custom Cilium configuration	""
clusterName	Name of the Cilium cluster	default
azure.enabled	Enable Azure integration	false
azure.resourceGroup	When enabling Azure integration, set the Azure Resource Group	""
azure.tenantID	When enabling Azure integration, set the Azure Tenant ID	""
azure.subscriptionID	When enabling Azure integration, set the Azure Subscription ID	""
azure.clientID	When enabling Azure integration, set the Azure Client ID	""
azure.clientSecret	When enabling Azure integration, set the Azure Client Secret	""
aws.enabled	Enable AWS integration	false
aws.region	When enabling AWS integration, set the AWS region	""
aws.accessKeyID	When enabling AWS integration, set the AWS Access Key ID	""
aws.secretAccessKey	When enabling AWS integration, set the AWS Secret Access Key	""
gcp.enabled	Enable GCP integration	false

Cilium Agent Parameters

Name	Description	Value
agent.image.registry	Cilium Agent image registry	REGISTRY_NAME
agent.image.repository	Cilium Agent image repository	REPOSITORY_NAME/cilium
agent.image.digest	Cilium Agent image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)	""
agent.image.pullPolicy	Cilium Agent image pull policy	IfNotPresent
agent.image.pullSecrets	Cilium Agent image pull secrets	[]
agent.image.debug	Enable Cilium Agent image debug mode	false
agent.containerPorts.health	Cilium Agent health container port	9879
agent.containerPorts.pprof	Cilium Agent pprof container port	6060
agent.containerPorts.hubblePeer	Cilium Agent Hubble peer service container port	4244
agent.containerPorts.metrics	Cilium Agent metrics container port	9962
agent.containerPorts.hubbleMetrics	Cilium Agent Hubble metrics container port	9965
agent.extraContainerPorts	Optionally specify extra list of additional ports for Cilium Agent containers	[]
agent.livenessProbe.enabled	Enable livenessProbe on Cilium Agent containers	true
agent.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	10
agent.livenessProbe.periodSeconds	Period seconds for livenessProbe	30
agent.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
agent.livenessProbe.failureThreshold	Failure threshold for livenessProbe	10
agent.livenessProbe.successThreshold	Success threshold for livenessProbe	1
agent.readinessProbe.enabled	Enable readinessProbe on Cilium Agent containers	true
agent.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	10
agent.readinessProbe.periodSeconds	Period seconds for readinessProbe	30
agent.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
agent.readinessProbe.failureThreshold	Failure threshold for readinessProbe	3
agent.readinessProbe.successThreshold	Success threshold for readinessProbe	1
agent.startupProbe.enabled	Enable startupProbe on Cilium Agent containers	false
agent.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
agent.startupProbe.periodSeconds	Period seconds for startupProbe	2
agent.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
agent.startupProbe.failureThreshold	Failure threshold for startupProbe	100
agent.startupProbe.successThreshold	Success threshold for startupProbe	1
agent.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
agent.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
agent.customStartupProbe	Custom startupProbe that overrides the default one	{}
agent.resourcesPreset	Set Cilium Agent container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.resources is recommended for production).	micro
agent.resources	Set Cilium Agent container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.podSecurityContext.enabled	Enable Cilium Agent pods’ Security Context	true
agent.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy for Cilium Agent pods	Always
agent.podSecurityContext.sysctls	Set kernel settings using the sysctl interface for Cilium Agent pods	[]
agent.podSecurityContext.supplementalGroups	Set filesystem extra groups for Cilium Agent pods	[]
agent.podSecurityContext.fsGroup	Set fsGroup in Cilium Agent pods’ Security Context	0
agent.containerSecurityContext.enabled	Enabled Cilium Agent container’ Security Context	true
agent.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent container	undefined
agent.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent container’ Security Context	0
agent.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent container’ Security Context	0
agent.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent container’ Security Context	false
agent.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent container’ Security Context	true
agent.containerSecurityContext.privileged	Set privileged in Cilium Agent container’ Security Context	false
agent.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent container’ Security Context	false
agent.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent container	["BPF","CHOWN","DAC_OVERRIDE","FOWNER","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","PERFMON","SETGID","SETUID","SYS_ADMIN","SYS_MODULE","SYS_RESOURCE"]
agent.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent container	["ALL"]
agent.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent container	RuntimeDefault
agent.bpf.autoMount	Enable automatically mounting BPF fs on the host	true
agent.bpf.hostRoot	Path to the host’s BPF root directory	/sys/fs/bpf
agent.cgroup2.autoMount	Enable automatically mounting cgroup2 filesystem on the host	true
agent.cgroup2.hostRoot	Path to the host’s cgroup2 root directory	/run/cilium/cgroupv2
agent.cniPlugin.install	Enable Cilium CNI plugin installation on the host	true
agent.cniPlugin.uninstall	Remove the CNI plugin from the host on agent shutdown	false
agent.cniPlugin.hostCNIBinDir	Path to the host’s CNI bin directory (default: /opt/cni/bin)	""
agent.cniPlugin.hostCNINetDir	Path to the host’s CNI net configuration directory (default: /etc/cni/net.d)	""
agent.enableENI	Elastic Network Interface (ENI) integration	false
agent.byoCNI	Integration with Azure clusters using Bring Your Own CNI	false
agent.waitForKubeProxy	Wait for kube-proxy to be ready before starting Cilium Agent	false
agent.enablePprof	Enable pprof for Cilium Agent	false
agent.command	Override default Cilium Agent container command (useful when using custom images)	[]
agent.args	Override default Cilium Agent container args (useful when using custom images)	[]
agent.automountServiceAccountToken	Mount Service Account token in Cilium Agent pods	true
agent.hostAliases	Cilium Agent pods host aliases	[]
agent.daemonsetAnnotations	Annotations for Cilium Agent daemonset	{}
agent.podLabels	Extra labels for Cilium Agent pods	{}
agent.podAnnotations	Annotations for Cilium Agent pods	{}
agent.nodeAffinityPreset.type	Node affinity preset type. Ignored if agent.affinity is set. Allowed values: soft or hard	""
agent.nodeAffinityPreset.key	Node label key to match. Ignored if agent.affinity is set	""
agent.nodeAffinityPreset.values	Node label values to match. Ignored if agent.affinity is set	[]
agent.affinity	Affinity for Cilium Agent pods assignment	{}
agent.nodeSelector	Node labels for Cilium Agent pods assignment	{}
agent.tolerations	Tolerations for Cilium Agent pods assignment	[]
agent.updateStrategy.type	Cilium Agent daemonset update strategy type	RollingUpdate
agent.priorityClassName	Cilium Agent pods’ priorityClassName	system-node-critical
agent.terminationGracePeriodSeconds	Seconds Cilium Agent pods need to terminate gracefully	1
agent.lifecycleHooks	for Cilium Agent containers to automate configuration before or after startup	{}
agent.extraEnvVars	Array with extra environment variables to add to Cilium Agent containers	[]
agent.extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for Cilium Agent containers	""
agent.extraEnvVarsSecret	Name of existing Secret containing extra env vars for Cilium Agent containers	""
agent.extraVolumes	Optionally specify extra list of additional volumes for the Cilium Agent pods	[]
agent.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Cilium Agent containers	[]
agent.sidecars	Add additional sidecar containers to the Cilium Agent pods	[]
agent.initContainers	Add additional init containers to the Cilium Agent pods	[]
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	{}
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	1001
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	1001
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	[]
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	["ALL"]
agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.prepareWriteDirs.resourcesPreset	Set Cilium Agent “prepare-write-dirs” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.prepareWriteDirs.resources	Set Cilium Agent “prepare-write-dirs” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.defaultInitContainers.buildConfig.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.buildConfig.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	{}
agent.defaultInitContainers.buildConfig.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	1001
agent.defaultInitContainers.buildConfig.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	1001
agent.defaultInitContainers.buildConfig.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.buildConfig.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.buildConfig.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.buildConfig.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.buildConfig.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	[]
agent.defaultInitContainers.buildConfig.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	["ALL"]
agent.defaultInitContainers.buildConfig.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.buildConfig.resourcesPreset	Set Cilium Agent “build-config” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.buildConfig.resources	Set Cilium Agent “build-config” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	undefined
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	["NET_ADMIN","SYS_ADMIN","SYS_CHROOT","SYS_MODULE","SYS_PTRACE","SYS_RESOURCE"]
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	["ALL"]
agent.defaultInitContainers.installCniPlugin.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.installCniPlugin.resourcesPreset	Set Cilium Agent “install-cni-plugin” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.installCniPlugin.resources	Set Cilium Agent “install-cni-plugin” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.defaultInitContainers.mountBpf.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountBpf.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	{}
agent.defaultInitContainers.mountBpf.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.mountBpf.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.mountBpf.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.mountBpf.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountBpf.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountBpf.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountBpf.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	[]
agent.defaultInitContainers.mountBpf.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	[]
agent.defaultInitContainers.mountBpf.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.mountBpf.resourcesPreset	Set Cilium Agent “host-mount-bpf” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.mountBpf.resources	Set Cilium Agent “host-mount-bpf” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	{}
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	[]
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	[]
agent.defaultInitContainers.mountCgroup2.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.mountCgroup2.resourcesPreset	Set Cilium Agent “host-mount-cgroup2” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.mountCgroup2.resources	Set Cilium Agent “host-mount-cgroup2” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.defaultInitContainers.cleanState.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.cleanState.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	undefined
agent.defaultInitContainers.cleanState.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	1001
agent.defaultInitContainers.cleanState.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	1001
agent.defaultInitContainers.cleanState.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.cleanState.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.cleanState.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.cleanState.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.cleanState.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	["NET_ADMIN","SYS_ADMIN","SYS_MODULE","SYS_RESOURCE"]
agent.defaultInitContainers.cleanState.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	["ALL"]
agent.defaultInitContainers.cleanState.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.cleanState.resourcesPreset	Set Cilium Agent “clean-state” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.cleanState.resources	Set Cilium Agent “clean-state” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.enabled	Enabled Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Agent init-containers	{}
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.runAsUser	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Agent init-containers’ Security Context	0
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Agent init-containers’ Security Context	false
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.privileged	Set privileged in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Agent init-containers’ Security Context	true
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Agent init-containers	[]
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Agent init-containers	[]
agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Agent init-containers	RuntimeDefault
agent.defaultInitContainers.waitForKubeProxy.resourcesPreset	Set Cilium Agent “wait-for-kube-proxy” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production).	nano
agent.defaultInitContainers.waitForKubeProxy.resources	Set Cilium Agent “wait-for-kube-proxy” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
agent.autoscaling.vpa.enabled	Enable VPA for Cilium Agent	false
agent.autoscaling.vpa.annotations	Annotations for VPA resource	{}
agent.autoscaling.vpa.controlledResources	List of resources that the VPA can control. Defaults to cpu and memory	[]
agent.autoscaling.vpa.maxAllowed	VPA max allowed resources for the pod	{}
agent.autoscaling.vpa.minAllowed	VPA min allowed resources for the pod	{}
agent.autoscaling.vpa.updatePolicy.updateMode	Autoscaling update policy	Auto

Cilium Agent RBAC configuration

Name	Description	Value
agent.serviceAccount.create	Specifies whether a ServiceAccount should be created for Cilium Agent	true
agent.serviceAccount.name	The name of the ServiceAccount to use for Cilium Agent	""
agent.serviceAccount.annotations	Additional Service Account annotations (evaluated as a template)	{}
agent.serviceAccount.automountServiceAccountToken	Automount ServiceAccount token	false
agent.rbac.create	Specifies whether RBAC resources should be created for Cilium Agent	true
agent.rbac.rules	Custom RBAC rules to set for Cilium Agent	[]

Cilium Agent Network Policies Parameters

Name	Description	Value
agent.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created for Cilium Agent	true
agent.networkPolicy.allowExternal	Don’t require server label for connections	true
agent.networkPolicy.allowExternalEgress	Allow the Cilium Agent pods to access any range of port and all destinations.	true
agent.networkPolicy.addExternalClientAccess	Allow access from pods with client label set to “true”. Ignored if agent.networkPolicy.allowExternal is true.	true
agent.networkPolicy.kubeAPIServerPorts	List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)	[]
agent.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
agent.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)	[]
agent.networkPolicy.ingressPodMatchLabels	Labels to match to allow traffic from other pods. Ignored if agent.networkPolicy.allowExternal is true.	{}
agent.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
agent.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Cilium Agent Metrics Parameters

Name	Description	Value
agent.metrics.enabled	Enable the export of Prometheus metrics for Cilium Agent	false
agent.metrics.service.port	Cilium Agent metrics service port	9962
agent.metrics.service.annotations	Annotations for the Cilium Agent metrics service.	{}
agent.metrics.serviceMonitor.enabled	if true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true)	false
agent.metrics.serviceMonitor.namespace	Namespace in which Prometheus is running	""
agent.metrics.serviceMonitor.annotations	Additional custom annotations for the ServiceMonitor	{}
agent.metrics.serviceMonitor.labels	Extra labels for the ServiceMonitor	{}
agent.metrics.serviceMonitor.jobLabel	The name of the label on the target service to use as the job name in Prometheus	""
agent.metrics.serviceMonitor.honorLabels	honorLabels chooses the metric’s labels on collisions with target labels	false
agent.metrics.serviceMonitor.interval	Interval at which metrics should be scraped.	""
agent.metrics.serviceMonitor.scrapeTimeout	Timeout after which the scrape is ended	""
agent.metrics.serviceMonitor.metricRelabelings	Specify additional relabeling of metrics	[]
agent.metrics.serviceMonitor.relabelings	Specify general relabeling	[]
agent.metrics.serviceMonitor.selector	Prometheus instance selector labels	{}

Cilium Operator Parameters

Name	Description	Value
operator.image.registry	Cilium Operator image registry	REGISTRY_NAME
operator.image.repository	Cilium Operator image repository	REPOSITORY_NAME/cilium
operator.image.digest	Cilium Operator image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)	""
operator.image.pullPolicy	Cilium Operator image pull policy	IfNotPresent
operator.image.pullSecrets	Cilium Operator image pull secrets	[]
operator.image.debug	Enable Cilium Operator image debug mode	false
operator.replicaCount	Number of Cilium Operator replicas to deploy	1
operator.containerPorts.api	Cilium Operator API container port	9234
operator.containerPorts.pprof	Cilium Operator pprof container port	6061
operator.containerPorts.metrics	Cilium Operator metrics container port	9963
operator.extraContainerPorts	Optionally specify extra list of additional ports for Cilium Operator containers	[]
operator.hostNetwork	Enable Host Network	true
operator.livenessProbe.enabled	Enable livenessProbe on Cilium Operator containers	true
operator.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	10
operator.livenessProbe.periodSeconds	Period seconds for livenessProbe	30
operator.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
operator.livenessProbe.failureThreshold	Failure threshold for livenessProbe	10
operator.livenessProbe.successThreshold	Success threshold for livenessProbe	1
operator.readinessProbe.enabled	Enable readinessProbe on Cilium Operator containers	true
operator.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	10
operator.readinessProbe.periodSeconds	Period seconds for readinessProbe	30
operator.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
operator.readinessProbe.failureThreshold	Failure threshold for readinessProbe	3
operator.readinessProbe.successThreshold	Success threshold for readinessProbe	1
operator.startupProbe.enabled	Enable startupProbe on Cilium Operator containers	false
operator.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
operator.startupProbe.periodSeconds	Period seconds for startupProbe	2
operator.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
operator.startupProbe.failureThreshold	Failure threshold for startupProbe	100
operator.startupProbe.successThreshold	Success threshold for startupProbe	1
operator.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
operator.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
operator.customStartupProbe	Custom startupProbe that overrides the default one	{}
operator.resourcesPreset	Set Cilium Operator container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production).	micro
operator.resources	Set Cilium Operator container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
operator.podSecurityContext.enabled	Enable Cilium Operator pods’ Security Context	true
operator.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy for Cilium Operator pods	Always
operator.podSecurityContext.sysctls	Set kernel settings using the sysctl interface for Cilium Operator pods	[]
operator.podSecurityContext.supplementalGroups	Set filesystem extra groups for Cilium Operator pods	[]
operator.podSecurityContext.fsGroup	Set fsGroup in Cilium Operator pods’ Security Context	1001
operator.containerSecurityContext.enabled	Enabled Cilium Operator container’ Security Context	true
operator.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Operator container	{}
operator.containerSecurityContext.runAsUser	Set runAsUser in Cilium Operator container’ Security Context	1001
operator.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Operator container’ Security Context	1001
operator.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Operator container’ Security Context	true
operator.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Operator container’ Security Context	true
operator.containerSecurityContext.privileged	Set privileged in Cilium Operator container’ Security Context	false
operator.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Operator container’ Security Context	false
operator.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Operator container	["ALL"]
operator.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Operator container	RuntimeDefault
operator.enablePprof	Enable pprof for Cilium Operator	false
operator.command	Override default Cilium Operator container command (useful when using custom images)	[]
operator.args	Override default Cilium Operator container args (useful when using custom images)	[]
operator.automountServiceAccountToken	Mount Service Account token in Cilium Operator pods	true
operator.hostAliases	Cilium Operator pods host aliases	[]
operator.deploymentAnnotations	Annotations for Cilium Operator deployment	{}
operator.podLabels	Extra labels for Cilium Operator pods	{}
operator.podAnnotations	Annotations for Cilium Operator pods	{}
operator.podAffinityPreset	Pod affinity preset. Ignored if operator.affinity is set. Allowed values: soft or hard	""
operator.podAntiAffinityPreset	Pod anti-affinity preset. Ignored if operator.affinity is set. Allowed values: soft or hard	soft
operator.nodeAffinityPreset.type	Node affinity preset type. Ignored if operator.affinity is set. Allowed values: soft or hard	""
operator.nodeAffinityPreset.key	Node label key to match. Ignored if operator.affinity is set	""
operator.nodeAffinityPreset.values	Node label values to match. Ignored if operator.affinity is set	[]
operator.affinity	Affinity for Cilium Operator pods assignment	{}
operator.nodeSelector	Node labels for Cilium Operator pods assignment	{}
operator.tolerations	Tolerations for Cilium Operator pods assignment	[]
operator.updateStrategy.type	Cilium Operator deployment update strategy type	RollingUpdate
operator.priorityClassName	Cilium Operator pods’ priorityClassName	""
operator.topologySpreadConstraints	Topology Spread Constraints for Cilium Operator pod assignment spread across your cluster among failure-domains	[]
operator.schedulerName	Name of the k8s scheduler (other than default) for Cilium Operator pods	""
operator.terminationGracePeriodSeconds	Seconds Cilium Operator pods need to terminate gracefully	1
operator.lifecycleHooks	for Cilium Operator containers to automate configuration before or after startup	{}
operator.extraEnvVars	Array with extra environment variables to add to Cilium Operator containers	[]
operator.extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for Cilium Operator containers	""
operator.extraEnvVarsSecret	Name of existing Secret containing extra env vars for Cilium Operator containers	""
operator.extraVolumes	Optionally specify extra list of additional volumes for the Cilium Operator pods	[]
operator.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Cilium Operator containers	[]
operator.sidecars	Add additional sidecar containers to the Cilium Operator pods	[]
operator.initContainers	Add additional init containers to the Cilium Operator pods	[]
operator.pdb.create	Enable/disable a Pod Disruption Budget creation	true
operator.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
operator.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both operator.pdb.minAvailable and operator.pdb.maxUnavailable are empty.	""
operator.autoscaling.vpa.enabled	Enable VPA for Cilium Operator	false
operator.autoscaling.vpa.annotations	Annotations for VPA resource	{}
operator.autoscaling.vpa.controlledResources	List of resources that the VPA can control. Defaults to cpu and memory	[]
operator.autoscaling.vpa.maxAllowed	VPA max allowed resources for the pod	{}
operator.autoscaling.vpa.minAllowed	VPA min allowed resources for the pod	{}
operator.autoscaling.vpa.updatePolicy.updateMode	Autoscaling update policy	Auto
operator.autoscaling.hpa.enabled	Enable HPA	false
operator.autoscaling.hpa.minReplicas	Minimum number of replicas	""
operator.autoscaling.hpa.maxReplicas	Maximum number of replicas	""
operator.autoscaling.hpa.targetCPU	Target CPU utilization percentage	""
operator.autoscaling.hpa.targetMemory	Target Memory utilization percentage	""

Cilium Operator RBAC configuration

Name	Description	Value
operator.serviceAccount.create	Specifies whether a ServiceAccount should be created for Cilium Operator	true
operator.serviceAccount.name	The name of the ServiceAccount to use for Cilium Operator	""
operator.serviceAccount.annotations	Additional Service Account annotations (evaluated as a template)	{}
operator.serviceAccount.automountServiceAccountToken	Automount ServiceAccount token	false
operator.rbac.create	Specifies whether RBAC resources should be created for Cilium Operator	true
operator.rbac.rules	Custom RBAC rules to set for Cilium Operator	[]

Cilium Operator Network Policies Parameters

Name	Description	Value
operator.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created for Cilium Operator	true
operator.networkPolicy.allowExternal	Don’t require server label for connections	true
operator.networkPolicy.allowExternalEgress	Allow the Cilium Operator pods to access any range of port and all destinations.	true
operator.networkPolicy.addExternalClientAccess	Allow access from pods with client label set to “true”. Ignored if operator.networkPolicy.allowExternal is true.	true
operator.networkPolicy.kubeAPIServerPorts	List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)	[]
operator.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
operator.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)	[]
operator.networkPolicy.ingressPodMatchLabels	Labels to match to allow traffic from other pods. Ignored if operator.networkPolicy.allowExternal is true.	{}
operator.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
operator.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Cilium Operator Metrics Parameters

Name	Description	Value
operator.metrics.enabled	Enable the export of Prometheus metrics	false
operator.metrics.service.port	Metrics service port	9963
operator.metrics.service.annotations	Annotations for the metrics service.	{}
operator.metrics.serviceMonitor.enabled	if true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true)	false
operator.metrics.serviceMonitor.namespace	Namespace in which Prometheus is running	""
operator.metrics.serviceMonitor.annotations	Additional custom annotations for the ServiceMonitor	{}
operator.metrics.serviceMonitor.labels	Extra labels for the ServiceMonitor	{}
operator.metrics.serviceMonitor.jobLabel	The name of the label on the target service to use as the job name in Prometheus	""
operator.metrics.serviceMonitor.honorLabels	honorLabels chooses the metric’s labels on collisions with target labels	false
operator.metrics.serviceMonitor.interval	Interval at which metrics should be scraped.	""
operator.metrics.serviceMonitor.scrapeTimeout	Timeout after which the scrape is ended	""
operator.metrics.serviceMonitor.metricRelabelings	Specify additional relabeling of metrics	[]
operator.metrics.serviceMonitor.relabelings	Specify general relabeling	[]
operator.metrics.serviceMonitor.selector	Prometheus instance selector labels	{}

Cilium Envoy Parameters

Name	Description	Value
envoy.useDaemonSet	Run Cilium Envoy as an independent DaemonSet instead of a sidecar in the Cilium Agent	false
envoy.image.registry	Cilium Proxy image registry	REGISTRY_NAME
envoy.image.repository	Cilium Proxy image repository	REPOSITORY_NAME/cilium
envoy.image.digest	Cilium Proxy image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)	""
envoy.image.pullPolicy	Cilium Proxy image pull policy	IfNotPresent
envoy.image.pullSecrets	Cilium Proxy image pull secrets	[]
envoy.image.debug	Enable Cilium Proxy image debug mode	false
envoy.containerPorts.health	Cilium Envoy health container port	9878
envoy.containerPorts.metrics	Cilium Envoy metrics container port	9964
envoy.extraContainerPorts	Optionally specify extra list of additional ports for Cilium Envoy containers	[]
envoy.livenessProbe.enabled	Enable livenessProbe on Cilium Envoy containers	true
envoy.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	10
envoy.livenessProbe.periodSeconds	Period seconds for livenessProbe	30
envoy.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
envoy.livenessProbe.failureThreshold	Failure threshold for livenessProbe	10
envoy.livenessProbe.successThreshold	Success threshold for livenessProbe	1
envoy.readinessProbe.enabled	Enable readinessProbe on Cilium Envoy containers	true
envoy.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	10
envoy.readinessProbe.periodSeconds	Period seconds for readinessProbe	30
envoy.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
envoy.readinessProbe.failureThreshold	Failure threshold for readinessProbe	3
envoy.readinessProbe.successThreshold	Success threshold for readinessProbe	1
envoy.startupProbe.enabled	Enable startupProbe on Cilium Envoy containers	false
envoy.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
envoy.startupProbe.periodSeconds	Period seconds for startupProbe	2
envoy.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
envoy.startupProbe.failureThreshold	Failure threshold for startupProbe	100
envoy.startupProbe.successThreshold	Success threshold for startupProbe	1
envoy.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
envoy.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
envoy.customStartupProbe	Custom startupProbe that overrides the default one	{}
envoy.resourcesPreset	Set Cilium Envoy container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production).	micro
envoy.resources	Set Cilium Envoy container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
envoy.podSecurityContext.enabled	Enable Cilium Envoy pods’ Security Context (only applies when envoy.useDaemonSet is set to true)	true
envoy.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy for Cilium Envoy pods	Always
envoy.podSecurityContext.sysctls	Set kernel settings using the sysctl interface for Cilium Envoy pods	[]
envoy.podSecurityContext.supplementalGroups	Set filesystem extra groups for Cilium Envoy pods	[]
envoy.podSecurityContext.fsGroup	Set fsGroup in Cilium Envoy pods’ Security Context	0
envoy.containerSecurityContext.enabled	Enabled Cilium Envoy container’ Security Context	true
envoy.containerSecurityContext.seLinuxOptions	Set SELinux options in Cilium Envoy container	undefined
envoy.containerSecurityContext.runAsUser	Set runAsUser in Cilium Envoy container’ Security Context	0
envoy.containerSecurityContext.runAsGroup	Set runAsUser in Cilium Envoy container’ Security Context	0
envoy.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Cilium Envoy container’ Security Context	false
envoy.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Cilium Envoy container’ Security Context	true
envoy.containerSecurityContext.privileged	Set privileged in Cilium Envoy container’ Security Context	false
envoy.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Cilium Envoy container’ Security Context	false
envoy.containerSecurityContext.capabilities.add	List of capabilities to be added in Cilium Envoy container	["BPF","NET_ADMIN","PERFMON","SYS_ADMIN"]
envoy.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Cilium Envoy container	["ALL"]
envoy.containerSecurityContext.seccompProfile.type	Set seccomp profile in Cilium Envoy container	RuntimeDefault
envoy.configuration	Specify content for Cilium Envoy configuration (basic one auto-generated based on other values otherwise)	{}
envoy.overrideConfiguration	Cilium Envoy configuration override. Values defined here takes precedence over the ones defined at envoy.configuration	{}
envoy.existingConfigmap	The name of an existing ConfigMap with your custom Cilium Envoy configuration	""
envoy.logLevel	Cilium Envoy log level	info
envoy.command	Override default Cilium Envoy container command (useful when using custom images)	[]
envoy.args	Override default Cilium Envoy container args (useful when using custom images)	[]
envoy.extraArgs	Extra args passed to Cilium Envoy container	[]
envoy.automountServiceAccountToken	Mount Service Account token in Cilium Envoy pods (only applies when envoy.useDaemonSet is set to true)	true
envoy.hostAliases	Cilium Envoy pods host aliases (only applies when envoy.useDaemonSet is set to true)	[]
envoy.daemonsetAnnotations	Annotations for Cilium Envoy daemonset (only applies when envoy.useDaemonSet is set to true)	{}
envoy.podLabels	Extra labels for Cilium Envoy pods (only applies when envoy.useDaemonSet is set to true)	{}
envoy.podAnnotations	Annotations for Cilium Envoy pods (only applies when envoy.useDaemonSet is set to true)	{}
envoy.nodeAffinityPreset.type	Node affinity preset type. Ignored if envoy.affinity is set. Allowed values: soft or hard	""
envoy.nodeAffinityPreset.key	Node label key to match. Ignored if envoy.affinity is set	""
envoy.nodeAffinityPreset.values	Node label values to match. Ignored if envoy.affinity is set	[]
envoy.affinity	Affinity for Cilium Envoy pods assignment (only applies when envoy.useDaemonSet is set to true)	{}
envoy.nodeSelector	Node labels for Cilium Envoy pods assignment (only applies when envoy.useDaemonSet is set to true)	{}
envoy.tolerations	Tolerations for Cilium Envoy pods assignment (only applies when envoy.useDaemonSet is set to true)	[]
envoy.updateStrategy.type	Cilium Envoy daemonset update strategy type (only applies when envoy.useDaemonSet is set to true)	RollingUpdate
envoy.priorityClassName	Cilium Envoy pods’ priorityClassName (only applies when envoy.useDaemonSet is set to true)	""
envoy.terminationGracePeriodSeconds	Seconds Cilium Envoy pods need to terminate gracefully (only applies when envoy.useDaemonSet is set to true)	1
envoy.lifecycleHooks	for Cilium Envoy containers to automate configuration before or after startup	{}
envoy.extraEnvVars	Array with extra environment variables to add to Cilium Envoy containers	[]
envoy.extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for Cilium Envoy containers	""
envoy.extraEnvVarsSecret	Name of existing Secret containing extra env vars for Cilium Envoy containers	""
envoy.extraVolumes	Optionally specify extra list of additional volumes for the Cilium Envoy pods (only applies when envoy.useDaemonSet is set to true)	[]
envoy.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Cilium Envoy containers	[]
envoy.sidecars	Add additional sidecar containers to the Cilium Envoy pods (only applies when envoy.useDaemonSet is set to true)	[]
envoy.initContainers	Add additional init containers to the Cilium Envoy pods (only applies when envoy.useDaemonSet is set to true)	[]
envoy.autoscaling.vpa.enabled	Enable VPA for Cilium Envoy	false
envoy.autoscaling.vpa.annotations	Annotations for VPA resource	{}
envoy.autoscaling.vpa.controlledResources	List of resources that the VPA can control. Defaults to cpu and memory	[]
envoy.autoscaling.vpa.maxAllowed	VPA max allowed resources for the pod	{}
envoy.autoscaling.vpa.minAllowed	VPA min allowed resources for the pod	{}
envoy.autoscaling.vpa.updatePolicy.updateMode	Autoscaling update policy	Auto

Cilium Envoy ServiceAccount configuration

Name	Description	Value
envoy.serviceAccount.create	Specifies whether a ServiceAccount should be created for Cilium Envoy (only applies when envoy.useDaemonSet is set to true)	true
envoy.serviceAccount.name	The name of the ServiceAccount to use for Cilium Envoy	""
envoy.serviceAccount.annotations	Additional Service Account annotations (evaluated as a template)	{}
envoy.serviceAccount.automountServiceAccountToken	Automount ServiceAccount token	false

Cilium Envoy Network Policies Parameters

Name	Description	Value
envoy.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created for Cilium Envoy (only applies when envoy.useDaemonSet is set to true)	true
envoy.networkPolicy.allowExternal	Don’t require server label for connections	true
envoy.networkPolicy.allowExternalEgress	Allow the Cilium Envoy pods to access any range of port and all destinations.	true
envoy.networkPolicy.addExternalClientAccess	Allow access from pods with client label set to “true”. Ignored if envoy.networkPolicy.allowExternal is true.	true
envoy.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
envoy.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)	[]
envoy.networkPolicy.ingressPodMatchLabels	Labels to match to allow traffic from other pods. Ignored if envoy.networkPolicy.allowExternal is true.	{}
envoy.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
envoy.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Cilium Envoy Metrics Parameters

Name	Description	Value
envoy.metrics.enabled	Enable the export of Prometheus metrics for Cilium Envoy	false
envoy.metrics.service.port	Cilium Envoy metrics service port	9964
envoy.metrics.service.annotations	Annotations for the Cilium Envoy metrics service.	{}
envoy.metrics.serviceMonitor.enabled	if true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true)	false
envoy.metrics.serviceMonitor.namespace	Namespace in which Prometheus is running	""
envoy.metrics.serviceMonitor.annotations	Additional custom annotations for the ServiceMonitor	{}
envoy.metrics.serviceMonitor.labels	Extra labels for the ServiceMonitor	{}
envoy.metrics.serviceMonitor.jobLabel	The name of the label on the target service to use as the job name in Prometheus	""
envoy.metrics.serviceMonitor.honorLabels	honorLabels chooses the metric’s labels on collisions with target labels	false
envoy.metrics.serviceMonitor.interval	Interval at which metrics should be scraped.	""
envoy.metrics.serviceMonitor.scrapeTimeout	Timeout after which the scrape is ended	""
envoy.metrics.serviceMonitor.metricRelabelings	Specify additional relabeling of metrics	[]
envoy.metrics.serviceMonitor.relabelings	Specify general relabeling	[]
envoy.metrics.serviceMonitor.selector	Prometheus instance selector labels	{}

Hubble Common Parameters

Name	Description	Value
hubble.tls.enabled	Enable TLS for communications for Hubble components	true
hubble.tls.autoGenerated.enabled	Enable automatic generation of certificates for TLS	true
hubble.tls.autoGenerated.engine	Mechanism to generate the certificates (allowed values: helm, cert-manager)	helm
hubble.tls.autoGenerated.certManager.existingIssuer	The name of an existing Issuer to use for generating the certificates (only for cert-manager engine)	""
hubble.tls.autoGenerated.certManager.existingIssuerKind	Existing Issuer kind, defaults to Issuer (only for cert-manager engine)	""
hubble.tls.autoGenerated.certManager.keyAlgorithm	Key algorithm for the certificates (only for cert-manager engine)	RSA
hubble.tls.autoGenerated.certManager.keySize	Key size for the certificates (only for cert-manager engine)	2048
hubble.tls.autoGenerated.certManager.duration	Duration for the certificates (only for cert-manager engine)	2160h
hubble.tls.autoGenerated.certManager.renewBefore	Renewal period for the certificates (only for cert-manager engine)	360h
hubble.tls.ca	CA certificate for TLS. Ignored if hubble.tls.existingCASecret is set	""
hubble.tls.existingCASecret	The name of an existing Secret containing the CA certificate for TLS	""
hubble.tls.peers.cert	TLS certificate for Hubble peers. Ignored if hubble.tls.peers.existingSecret is set	""
hubble.tls.peers.key	TLS key for Hubble peers. Ignored if hubble.tls.peers.existingSecret is set	""
hubble.tls.peers.existingSecret	The name of an existing Secret containing the Hubble peers certificates for TLS	""
hubble.tls.relay.cert	TLS certificate for Hubble relay. Ignored if hubble.tls.relay.existingSecret is set	""
hubble.tls.relay.key	TLS key for Hubble relay. Ignored if hubble.tls.relay.existingSecret is set	""
hubble.tls.relay.existingSecret	The name of an existing Secret containing the Hubble relay certificates for TLS	""
hubble.tls.relayClient.cert	TLS certificate for Hubble Relay client(s). Ignored if hubble.tls.relayClient.existingSecret is set	""
hubble.tls.relayClient.key	TLS key for Hubble Relay client(s). Ignored if hubble.tls.relayClient.existingSecret is set	""
hubble.tls.relayClient.existingSecret	The name of an existing Secret containing the Hubble Relay client(s) certificates for TLS	""

Hubble Peers Service Parameters

Name	Description	Value
hubble.peers.service.port	Hubble Peers service port	4244
hubble.peers.service.extraPorts	Extra ports to expose in the service (normally used with the agent.sidecars value)	[]
hubble.peers.service.clusterIP	Hubble Peers service Cluster IP	""
hubble.peers.service.internalTrafficPolicy	Hubble Peers service internal traffic policy	Cluster
hubble.peers.service.annotations	Annotations for the Hubble Peers service.	{}

Hubble Peers Metrics Parameters

Name	Description	Value
hubble.peers.metrics.enabled	Enable the export of Prometheus metrics for Hubble peers	false
hubble.peers.metrics.service.port	Hubble peers metrics service port	9965
hubble.peers.metrics.service.annotations	Annotations for the Hubble peers metrics service.	{}
hubble.peers.metrics.serviceMonitor.enabled	if true, creates a Prometheus Operator ServiceMonitor (also requires hubble.peers.metrics.enabled to be true)	false
hubble.peers.metrics.serviceMonitor.namespace	Namespace in which Prometheus is running	""
hubble.peers.metrics.serviceMonitor.annotations	Additional custom annotations for the ServiceMonitor	{}
hubble.peers.metrics.serviceMonitor.labels	Extra labels for the ServiceMonitor	{}
hubble.peers.metrics.serviceMonitor.jobLabel	The name of the label on the target service to use as the job name in Prometheus	""
hubble.peers.metrics.serviceMonitor.honorLabels	honorLabels chooses the metric’s labels on collisions with target labels	false
hubble.peers.metrics.serviceMonitor.interval	Interval at which metrics should be scraped.	""
hubble.peers.metrics.serviceMonitor.scrapeTimeout	Timeout after which the scrape is ended	""
hubble.peers.metrics.serviceMonitor.metricRelabelings	Specify additional relabeling of metrics	[]
hubble.peers.metrics.serviceMonitor.relabelings	Specify general relabeling	[]
hubble.peers.metrics.serviceMonitor.selector	Prometheus instance selector labels	{}

Hubble Relay Parameters

Name	Description	Value
hubble.relay.enabled	Enable Hubble Relay	false
hubble.relay.image.registry	Hubble Relay image registry	REGISTRY_NAME
hubble.relay.image.repository	Hubble Relay image repository	REPOSITORY_NAME/hubble-relay
hubble.relay.image.digest	Hubble Relay image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)	""
hubble.relay.image.pullPolicy	Hubble Relay image pull policy	IfNotPresent
hubble.relay.image.pullSecrets	Hubble Relay image pull secrets	[]
hubble.relay.image.debug	Enable Hubble Relay image debug mode	false
hubble.relay.replicaCount	Number of Hubble Relay replicas to deploy	1
hubble.relay.containerPorts.grpc	Hubble Relay gRPC container port	4245
hubble.relay.containerPorts.pprof	Hubble Relay pprof container port	6062
hubble.relay.containerPorts.gops	Hubble Relay gops container port	9893
hubble.relay.containerPorts.metrics	Hubble Relay metrics container port	9966
hubble.relay.extraContainerPorts	Optionally specify extra list of additional ports for Hubble Relay containers	[]
hubble.relay.livenessProbe.enabled	Enable livenessProbe on Hubble Relay containers	true
hubble.relay.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	5
hubble.relay.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
hubble.relay.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	3
hubble.relay.livenessProbe.failureThreshold	Failure threshold for livenessProbe	3
hubble.relay.livenessProbe.successThreshold	Success threshold for livenessProbe	1
hubble.relay.readinessProbe.enabled	Enable readinessProbe on Hubble Relay containers	true
hubble.relay.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	5
hubble.relay.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
hubble.relay.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	3
hubble.relay.readinessProbe.failureThreshold	Failure threshold for readinessProbe	3
hubble.relay.readinessProbe.successThreshold	Success threshold for readinessProbe	1
hubble.relay.startupProbe.enabled	Enable startupProbe on Hubble Relay containers	false
hubble.relay.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	0
hubble.relay.startupProbe.periodSeconds	Period seconds for startupProbe	3
hubble.relay.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
hubble.relay.startupProbe.failureThreshold	Failure threshold for startupProbe	20
hubble.relay.startupProbe.successThreshold	Success threshold for startupProbe	1
hubble.relay.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
hubble.relay.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
hubble.relay.customStartupProbe	Custom startupProbe that overrides the default one	{}
hubble.relay.resourcesPreset	Set Hubble Relay container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hubble.relay.resources is set (hubble.relay.resources is recommended for production).	nano
hubble.relay.resources	Set Hubble Relay container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
hubble.relay.podSecurityContext.enabled	Enable Hubble Relay pods’ Security Context	true
hubble.relay.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy for Hubble Relay pods	Always
hubble.relay.podSecurityContext.sysctls	Set kernel settings using the sysctl interface for Hubble Relay pods	[]
hubble.relay.podSecurityContext.supplementalGroups	Set filesystem extra groups for Hubble Relay pods	[]
hubble.relay.podSecurityContext.fsGroup	Set fsGroup in Hubble Relay pods’ Security Context	1001
hubble.relay.containerSecurityContext.enabled	Enabled Hubble Relay container’ Security Context	true
hubble.relay.containerSecurityContext.seLinuxOptions	Set SELinux options in Hubble Relay container	{}
hubble.relay.containerSecurityContext.runAsUser	Set runAsUser in Hubble Relay container’ Security Context	1001
hubble.relay.containerSecurityContext.runAsGroup	Set runAsGroup in Hubble Relay container’ Security Context	1001
hubble.relay.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Hubble Relay container’ Security Context	true
hubble.relay.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Hubble Relay container’ Security Context	true
hubble.relay.containerSecurityContext.privileged	Set privileged in Hubble Relay container’ Security Context	false
hubble.relay.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Hubble Relay container’ Security Context	false
hubble.relay.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Hubble Relay container	["ALL"]
hubble.relay.containerSecurityContext.seccompProfile.type	Set seccomp profile in Hubble Relay container	RuntimeDefault
hubble.relay.configuration	Specify content for Hubble Relay configuration (basic one auto-generated based on other values otherwise)	{}
hubble.relay.overrideConfiguration	Hubble Relay configuration override. Values defined here takes precedence over the ones defined at hubble.relay.configuration	{}
hubble.relay.existingConfigmap	The name of an existing ConfigMap with your custom configuration for Hubble Relay	""
hubble.relay.enableGops	Enable gops for Hubble Relay	false
hubble.relay.enablePprof	Enable pprof for Hubble Relay	false
hubble.relay.command	Override default Hubble Relay container command (useful when using custom images)	[]
hubble.relay.args	Override default Hubble Relay container args (useful when using custom images)	[]
hubble.relay.automountServiceAccountToken	Mount Service Account token in Hubble Relay pods	false
hubble.relay.hostAliases	Hubble Relay pods host aliases	[]
hubble.relay.deploymentAnnotations	Annotations for Hubble Relay deployment	{}
hubble.relay.podLabels	Extra labels for Hubble Relay pods	{}
hubble.relay.podAnnotations	Annotations for Hubble Relay pods	{}
hubble.relay.podAffinityPreset	Pod affinity preset. Ignored if hubble.relay.affinity is set. Allowed values: soft or hard	""
hubble.relay.podAntiAffinityPreset	Pod anti-affinity preset. Ignored if hubble.relay.affinity is set. Allowed values: soft or hard	soft
hubble.relay.nodeAffinityPreset.type	Node affinity preset type. Ignored if hubble.relay.affinity is set. Allowed values: soft or hard	""
hubble.relay.nodeAffinityPreset.key	Node label key to match. Ignored if hubble.relay.affinity is set	""
hubble.relay.nodeAffinityPreset.values	Node label values to match. Ignored if hubble.relay.affinity is set	[]
hubble.relay.affinity	Affinity for Hubble Relay pods assignment	{}
hubble.relay.nodeSelector	Node labels for Hubble Relay pods assignment	{}
hubble.relay.tolerations	Tolerations for Hubble Relay pods assignment	[]
hubble.relay.updateStrategy.type	Hubble Relay deployment strategy type	RollingUpdate
hubble.relay.priorityClassName	Hubble Relay pods’ priorityClassName	""
hubble.relay.topologySpreadConstraints	Topology Spread Constraints for Hubble Relay pod assignment spread across your cluster among failure-domains	[]
hubble.relay.schedulerName	Name of the k8s scheduler (other than default) for Hubble Relay pods	""
hubble.relay.terminationGracePeriodSeconds	Seconds Hubble Relay pods need to terminate gracefully	""
hubble.relay.lifecycleHooks	for Hubble Relay containers to automate configuration before or after startup	{}
hubble.relay.extraEnvVars	Array with extra environment variables to add to Hubble Relay containers	[]
hubble.relay.extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for Hubble Relay containers	""
hubble.relay.extraEnvVarsSecret	Name of existing Secret containing extra env vars for Hubble Relay containers	""
hubble.relay.extraVolumes	Optionally specify extra list of additional volumes for the Hubble Relay pods	[]
hubble.relay.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Hubble Relay containers	[]
hubble.relay.sidecars	Add additional sidecar containers to the Hubble Relay pods	[]
hubble.relay.initContainers	Add additional init containers to the Hubble Relay pods	[]
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.enabled	Enabled Hubble Relay init-containers’ Security Context	true
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.seLinuxOptions	Set SELinux options in Hubble Relay init-containers	{}
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.runAsUser	Set runAsUser in Hubble Relay init-containers’ Security Context	1001
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.runAsGroup	Set runAsUser in Hubble Relay init-containers’ Security Context	1001
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Hubble Relay init-containers’ Security Context	true
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Hubble Relay init-containers’ Security Context	true
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.privileged	Set privileged in Hubble Relay init-containers’ Security Context	false
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Hubble Relay init-containers’ Security Context	false
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Hubble Relay init-containers	["ALL"]
hubble.relay.defaultInitContainers.waitForHubble.containerSecurityContext.seccompProfile.type	Set seccomp profile in Hubble Relay init-containers	RuntimeDefault
hubble.relay.defaultInitContainers.waitForHubble.resourcesPreset	Set Hubble Relay “wait-for-hubble-peers” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hubble.relay.resources is set (hubble.relay.defaultInitContainers.waitForHubble.resources is recommended for production).	nano
hubble.relay.defaultInitContainers.waitForHubble.resources	Set Hubble Relay “wait-for-hubble-peers” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
hubble.relay.pdb.create	Enable/disable a Pod Disruption Budget creation	true
hubble.relay.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
hubble.relay.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both hubble.relay.pdb.minAvailable and hubble.relay.pdb.maxUnavailable are empty.	""
hubble.relay.autoscaling.vpa.enabled	Enable VPA for Hubble Relay pods	false
hubble.relay.autoscaling.vpa.annotations	Annotations for VPA resource	{}
hubble.relay.autoscaling.vpa.controlledResources	VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory	[]
hubble.relay.autoscaling.vpa.maxAllowed	VPA Max allowed resources for the pod	{}
hubble.relay.autoscaling.vpa.minAllowed	VPA Min allowed resources for the pod	{}
hubble.relay.autoscaling.vpa.updatePolicy.updateMode	Autoscaling update policy	Auto
hubble.relay.autoscaling.hpa.enabled	Enable HPA for Hubble Relay pods	false
hubble.relay.autoscaling.hpa.minReplicas	Minimum number of replicas	""
hubble.relay.autoscaling.hpa.maxReplicas	Maximum number of replicas	""
hubble.relay.autoscaling.hpa.targetCPU	Target CPU utilization percentage	""
hubble.relay.autoscaling.hpa.targetMemory	Target Memory utilization percentage	""
hubble.relay.serviceAccount.create	Specifies whether a ServiceAccount should be created for Hubble Relay	true
hubble.relay.serviceAccount.name	The name of the ServiceAccount to use for Hubble Relay	""
hubble.relay.serviceAccount.annotations	Additional Service Account annotations (evaluated as a template)	{}
hubble.relay.serviceAccount.automountServiceAccountToken	Automount service account token for the server service account	false

Hubble Relay Traffic Exposure Parameters

Name	Description	Value
hubble.relay.service.type	Hubble Relay service type	ClusterIP
hubble.relay.service.ports.grpc	Hubble Relay service gRPC port	4245
hubble.relay.service.ports.metrics	Hubble Relay service metrics port	9966
hubble.relay.service.nodePorts.grpc	Node port for gRPC	""
hubble.relay.service.nodePorts.metrics	Node port for metrics	""
hubble.relay.service.clusterIP	Hubble Relay service Cluster IP	""
hubble.relay.service.loadBalancerIP	Hubble Relay service Load Balancer IP	""
hubble.relay.service.loadBalancerSourceRanges	Hubble Relay service Load Balancer sources	[]
hubble.relay.service.externalTrafficPolicy	Hubble Relay service external traffic policy	Cluster
hubble.relay.service.annotations	Additional custom annotations for Hubble Relay service	{}
hubble.relay.service.extraPorts	Extra ports to expose in Hubble Relay service (normally used with the sidecars value)	[]
hubble.relay.service.sessionAffinity	Control where client requests go, to the same pod or round-robin	None
hubble.relay.service.sessionAffinityConfig	Additional settings for the sessionAffinity	{}
hubble.relay.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created for Hubble Relay	true
hubble.relay.networkPolicy.allowExternal	Don’t require server label for connections	true
hubble.relay.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
hubble.relay.networkPolicy.addExternalClientAccess	Allow access from pods with client label set to “true”. Ignored if hubble.relay.networkPolicy.allowExternal is true.	true
hubble.relay.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
hubble.relay.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)	[]
hubble.relay.networkPolicy.ingressPodMatchLabels	Labels to match to allow traffic from other pods. Ignored if hubble.relay.networkPolicy.allowExternal is true.	{}
hubble.relay.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
hubble.relay.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Hubble Relay Metrics Parameters

Name	Description	Value
hubble.relay.metrics.enabled	Enable the export of Prometheus metrics on Hubble Relay	false
hubble.relay.metrics.serviceMonitor.enabled	if true, creates a Prometheus Operator ServiceMonitor (also requires hubble.relay.metrics.enabled to be true)	false
hubble.relay.metrics.serviceMonitor.namespace	Namespace in which Prometheus is running	""
hubble.relay.metrics.serviceMonitor.annotations	Additional custom annotations for the ServiceMonitor	{}
hubble.relay.metrics.serviceMonitor.labels	Extra labels for the ServiceMonitor	{}
hubble.relay.metrics.serviceMonitor.jobLabel	The name of the label on the target service to use as the job name in Prometheus	""
hubble.relay.metrics.serviceMonitor.honorLabels	honorLabels chooses the metric’s labels on collisions with target labels	false
hubble.relay.metrics.serviceMonitor.interval	Interval at which metrics should be scraped.	""
hubble.relay.metrics.serviceMonitor.scrapeTimeout	Timeout after which the scrape is ended	""
hubble.relay.metrics.serviceMonitor.metricRelabelings	Specify additional relabeling of metrics	[]
hubble.relay.metrics.serviceMonitor.relabelings	Specify general relabeling	[]
hubble.relay.metrics.serviceMonitor.selector	Prometheus instance selector labels	{}

Hubble UI Parameters

Name	Description	Value
hubble.ui.enabled	Enable Hubble UI	false
hubble.ui.frontend.image.registry	Hubble UI image registry	REGISTRY_NAME
hubble.ui.frontend.image.repository	Hubble UI image repository	REPOSITORY_NAME/hubble-ui
hubble.ui.frontend.image.digest	Hubble UI image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)	""
hubble.ui.frontend.image.pullPolicy	Hubble UI image pull policy	IfNotPresent
hubble.ui.frontend.image.pullSecrets	Hubble UI image pull secrets	[]
hubble.ui.frontend.image.debug	Enable Hubble UI image debug mode	false
hubble.ui.frontend.containerPorts.http	Hubble UI frontend HTTP container port	8081
hubble.ui.frontend.extraContainerPorts	Optionally specify extra list of additional ports for Hubble UI frontend containers	[]
hubble.ui.frontend.livenessProbe.enabled	Enable livenessProbe on Hubble UI frontend containers	true
hubble.ui.frontend.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	5
hubble.ui.frontend.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
hubble.ui.frontend.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	3
hubble.ui.frontend.livenessProbe.failureThreshold	Failure threshold for livenessProbe	3
hubble.ui.frontend.livenessProbe.successThreshold	Success threshold for livenessProbe	1
hubble.ui.frontend.readinessProbe.enabled	Enable readinessProbe on Hubble UI frontend containers	true
hubble.ui.frontend.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	5
hubble.ui.frontend.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
hubble.ui.frontend.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	3
hubble.ui.frontend.readinessProbe.failureThreshold	Failure threshold for readinessProbe	3
hubble.ui.frontend.readinessProbe.successThreshold	Success threshold for readinessProbe	1
hubble.ui.frontend.startupProbe.enabled	Enable startupProbe on Hubble UI frontend containers	false
hubble.ui.frontend.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	0
hubble.ui.frontend.startupProbe.periodSeconds	Period seconds for startupProbe	3
hubble.ui.frontend.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
hubble.ui.frontend.startupProbe.failureThreshold	Failure threshold for startupProbe	20
hubble.ui.frontend.startupProbe.successThreshold	Success threshold for startupProbe	1
hubble.ui.frontend.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
hubble.ui.frontend.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
hubble.ui.frontend.customStartupProbe	Custom startupProbe that overrides the default one	{}
hubble.ui.frontend.resourcesPreset	Set Hubble UI frontend container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hubble.ui.frontend.resources is set (hubble.ui.frontend.resources is recommended for production).	nano
hubble.ui.frontend.resources	Set Hubble UI frontend container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
hubble.ui.frontend.containerSecurityContext.enabled	Enabled Hubble UI frontend container’ Security Context	true
hubble.ui.frontend.containerSecurityContext.seLinuxOptions	Set SELinux options in Hubble UI frontend container	{}
hubble.ui.frontend.containerSecurityContext.runAsUser	Set runAsUser in Hubble UI frontend container’ Security Context	1001
hubble.ui.frontend.containerSecurityContext.runAsGroup	Set runAsGroup in Hubble UI frontend container’ Security Context	1001
hubble.ui.frontend.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Hubble UI frontend container’ Security Context	true
hubble.ui.frontend.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Hubble UI frontend container’ Security Context	true
hubble.ui.frontend.containerSecurityContext.privileged	Set privileged in Hubble UI frontend container’ Security Context	false
hubble.ui.frontend.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Hubble UI frontend container’ Security Context	false
hubble.ui.frontend.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Hubble UI frontend container	["ALL"]
hubble.ui.frontend.containerSecurityContext.seccompProfile.type	Set seccomp profile in Hubble UI frontend container	RuntimeDefault
hubble.ui.frontend.enableIPv6	Enable IPv6 for Hubble UI frontend	false
hubble.ui.frontend.serverBlock	Custom server block to be used to configure NGINX (ignored if existingServerBlockConfigmap is set)	""
hubble.ui.frontend.existingServerBlockConfigmap	ConfigMap with custom server block to be used to configure NGINX	""
hubble.ui.frontend.command	Override default Hubble UI frontend container command (useful when using custom images)	[]
hubble.ui.frontend.args	Override default Hubble UI frontend container args (useful when using custom images)	[]
hubble.ui.frontend.lifecycleHooks	for Hubble UI frontend containers to automate configuration before or after startup	{}
hubble.ui.frontend.extraEnvVars	Array with extra environment variables to add to Hubble UI frontend containers	[]
hubble.ui.frontend.extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for Hubble UI frontend containers	""
hubble.ui.frontend.extraEnvVarsSecret	Name of existing Secret containing extra env vars for Hubble UI frontend containers	""
hubble.ui.frontend.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Hubble UI frontend containers	[]
hubble.ui.backend.image.registry	Hubble UI Backend image registry	REGISTRY_NAME
hubble.ui.backend.image.repository	Hubble UI Backend image repository	REPOSITORY_NAME/hubble-ui-backend
hubble.ui.backend.image.digest	Hubble UI Backend image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)	""
hubble.ui.backend.image.pullPolicy	Hubble UI Backend image pull policy	IfNotPresent
hubble.ui.backend.image.pullSecrets	Hubble UI Backend image pull secrets	[]
hubble.ui.backend.containerPorts.http	Hubble UI backend HTTP container port	8090
hubble.ui.backend.extraContainerPorts	Optionally specify extra list of additional ports for Hubble UI backend containers	[]
hubble.ui.backend.livenessProbe.enabled	Enable livenessProbe on Hubble UI backend containers	true
hubble.ui.backend.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	5
hubble.ui.backend.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
hubble.ui.backend.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	3
hubble.ui.backend.livenessProbe.failureThreshold	Failure threshold for livenessProbe	3
hubble.ui.backend.livenessProbe.successThreshold	Success threshold for livenessProbe	1
hubble.ui.backend.readinessProbe.enabled	Enable readinessProbe on Hubble UI backend containers	true
hubble.ui.backend.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	5
hubble.ui.backend.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
hubble.ui.backend.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	3
hubble.ui.backend.readinessProbe.failureThreshold	Failure threshold for readinessProbe	3
hubble.ui.backend.readinessProbe.successThreshold	Success threshold for readinessProbe	1
hubble.ui.backend.startupProbe.enabled	Enable startupProbe on Hubble UI backend containers	false
hubble.ui.backend.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	0
hubble.ui.backend.startupProbe.periodSeconds	Period seconds for startupProbe	3
hubble.ui.backend.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
hubble.ui.backend.startupProbe.failureThreshold	Failure threshold for startupProbe	20
hubble.ui.backend.startupProbe.successThreshold	Success threshold for startupProbe	1
hubble.ui.backend.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
hubble.ui.backend.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
hubble.ui.backend.customStartupProbe	Custom startupProbe that overrides the default one	{}
hubble.ui.backend.resourcesPreset	Set Hubble UI backend container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hubble.ui.backend.resources is set (hubble.ui.backend.resources is recommended for production).	nano
hubble.ui.backend.resources	Set Hubble UI backend container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
hubble.ui.backend.containerSecurityContext.enabled	Enabled Hubble UI backend container’ Security Context	true
hubble.ui.backend.containerSecurityContext.seLinuxOptions	Set SELinux options in Hubble UI backend container	{}
hubble.ui.backend.containerSecurityContext.runAsUser	Set runAsUser in Hubble UI backend container’ Security Context	1001
hubble.ui.backend.containerSecurityContext.runAsGroup	Set runAsGroup in Hubble UI backend container’ Security Context	1001
hubble.ui.backend.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Hubble UI backend container’ Security Context	true
hubble.ui.backend.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Hubble UI backend container’ Security Context	true
hubble.ui.backend.containerSecurityContext.privileged	Set privileged in Hubble UI backend container’ Security Context	false
hubble.ui.backend.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Hubble UI backend container’ Security Context	false
hubble.ui.backend.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Hubble UI backend container	["ALL"]
hubble.ui.backend.containerSecurityContext.seccompProfile.type	Set seccomp profile in Hubble UI backend container	RuntimeDefault
hubble.ui.backend.command	Override default Hubble UI backend container command (useful when using custom images)	[]
hubble.ui.backend.args	Override default Hubble UI backend container args (useful when using custom images)	[]
hubble.ui.backend.lifecycleHooks	for Hubble UI backend containers to automate configuration before or after startup	{}
hubble.ui.backend.extraEnvVars	Array with extra environment variables to add to Hubble UI backend containers	[]
hubble.ui.backend.extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for Hubble UI backend containers	""
hubble.ui.backend.extraEnvVarsSecret	Name of existing Secret containing extra env vars for Hubble UI backend containers	""
hubble.ui.backend.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Hubble UI backend containers	[]
hubble.ui.replicaCount	Number of Hubble UI replicas to deploy	1
hubble.ui.podSecurityContext.enabled	Enable Hubble UI pods’ Security Context	true
hubble.ui.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy for Hubble UI pods	Always
hubble.ui.podSecurityContext.sysctls	Set kernel settings using the sysctl interface for Hubble UI pods	[]
hubble.ui.podSecurityContext.supplementalGroups	Set filesystem extra groups for Hubble UI pods	[]
hubble.ui.podSecurityContext.fsGroup	Set fsGroup in Hubble UI pods’ Security Context	1001
hubble.ui.automountServiceAccountToken	Mount Service Account token in Hubble UI pods	true
hubble.ui.hostAliases	Hubble UI pods host aliases	[]
hubble.ui.deploymentAnnotations	Annotations for Hubble UI deployment	{}
hubble.ui.podLabels	Extra labels for Hubble UI pods	{}
hubble.ui.podAnnotations	Annotations for Hubble UI pods	{}
hubble.ui.podAffinityPreset	Pod affinity preset. Ignored if hubble.ui.affinity is set. Allowed values: soft or hard	""
hubble.ui.podAntiAffinityPreset	Pod anti-affinity preset. Ignored if hubble.ui.affinity is set. Allowed values: soft or hard	soft
hubble.ui.nodeAffinityPreset.type	Node affinity preset type. Ignored if hubble.ui.affinity is set. Allowed values: soft or hard	""
hubble.ui.nodeAffinityPreset.key	Node label key to match. Ignored if hubble.ui.affinity is set	""
hubble.ui.nodeAffinityPreset.values	Node label values to match. Ignored if hubble.ui.affinity is set	[]
hubble.ui.affinity	Affinity for Hubble UI pods assignment	{}
hubble.ui.nodeSelector	Node labels for Hubble UI pods assignment	{}
hubble.ui.tolerations	Tolerations for Hubble UI pods assignment	[]
hubble.ui.updateStrategy.type	Hubble UI deployment strategy type	RollingUpdate
hubble.ui.priorityClassName	Hubble UI pods’ priorityClassName	""
hubble.ui.topologySpreadConstraints	Topology Spread Constraints for Hubble UI pod assignment spread across your cluster among failure-domains	[]
hubble.ui.schedulerName	Name of the k8s scheduler (other than default) for Hubble UI pods	""
hubble.ui.terminationGracePeriodSeconds	Seconds Hubble UI pods need to terminate gracefully	""
hubble.ui.extraVolumes	Optionally specify extra list of additional volumes for the Hubble UI pods	[]
hubble.ui.sidecars	Add additional sidecar containers to the Hubble UI pods	[]
hubble.ui.initContainers	Add additional init containers to the Hubble UI pods	[]
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.enabled	Enabled Hubble UI init-containers’ Security Context	true
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.seLinuxOptions	Set SELinux options in Hubble UI init-containers	{}
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.runAsUser	Set runAsUser in Hubble UI init-containers’ Security Context	1001
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.runAsGroup	Set runAsUser in Hubble UI init-containers’ Security Context	1001
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in Hubble UI init-containers’ Security Context	true
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in Hubble UI init-containers’ Security Context	true
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.privileged	Set privileged in Hubble UI init-containers’ Security Context	false
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in Hubble UI init-containers’ Security Context	false
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in Hubble UI init-containers	["ALL"]
hubble.ui.defaultInitContainers.waitForHubbleRelay.containerSecurityContext.seccompProfile.type	Set seccomp profile in Hubble UI init-containers	RuntimeDefault
hubble.ui.defaultInitContainers.waitForHubbleRelay.resourcesPreset	Set Hubble UI “wait-for-hubble-relay” init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hubble.ui.resources is set (hubble.ui.defaultInitContainers.waitForHubbleRelay.resources is recommended for production).	nano
hubble.ui.defaultInitContainers.waitForHubbleRelay.resources	Set Hubble UI “wait-for-hubble-relay” init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
hubble.ui.pdb.create	Enable/disable a Pod Disruption Budget creation	true
hubble.ui.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
hubble.ui.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both hubble.ui.pdb.minAvailable and hubble.ui.pdb.maxUnavailable are empty.	""
hubble.ui.autoscaling.vpa.enabled	Enable VPA for Hubble UI pods	false
hubble.ui.autoscaling.vpa.annotations	Annotations for VPA resource	{}
hubble.ui.autoscaling.vpa.controlledResources	VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory	[]
hubble.ui.autoscaling.vpa.maxAllowed	VPA Max allowed resources for the pod	{}
hubble.ui.autoscaling.vpa.minAllowed	VPA Min allowed resources for the pod	{}
hubble.ui.autoscaling.vpa.updatePolicy.updateMode	Autoscaling update policy	Auto
hubble.ui.autoscaling.hpa.enabled	Enable HPA for Hubble UI pods	false
hubble.ui.autoscaling.hpa.minReplicas	Minimum number of replicas	""
hubble.ui.autoscaling.hpa.maxReplicas	Maximum number of replicas	""
hubble.ui.autoscaling.hpa.targetCPU	Target CPU utilization percentage	""
hubble.ui.autoscaling.hpa.targetMemory	Target Memory utilization percentage	""

Hubble UI Traffic Exposure Parameters

Name	Description	Value
hubble.ui.service.type	Hubble UI service type	LoadBalancer
hubble.ui.service.ports.http	Hubble UI service HTTP port	80
hubble.ui.service.nodePorts.http	Node port for HTTP	""
hubble.ui.service.clusterIP	Hubble UI service Cluster IP	""
hubble.ui.service.loadBalancerIP	Hubble UI service Load Balancer IP	""
hubble.ui.service.loadBalancerSourceRanges	Hubble UI service Load Balancer sources	[]
hubble.ui.service.externalTrafficPolicy	Hubble UI service external traffic policy	Cluster
hubble.ui.service.annotations	Additional custom annotations for Hubble UI service	{}
hubble.ui.service.extraPorts	Extra ports to expose in Hubble UI service (normally used with the sidecars value)	[]
hubble.ui.service.sessionAffinity	Control where client requests go, to the same pod or round-robin	None
hubble.ui.service.sessionAffinityConfig	Additional settings for the sessionAffinity	{}
hubble.ui.ingress.enabled	Enable ingress record generation for Hubble UI	false
hubble.ui.ingress.pathType	Ingress path type	ImplementationSpecific
hubble.ui.ingress.hostname	Default host for the ingress record	hubble.local
hubble.ui.ingress.ingressClassName	IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)	""
hubble.ui.ingress.path	Default path for the ingress record	/
hubble.ui.ingress.annotations	Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.	{}
hubble.ui.ingress.tls	Enable TLS configuration for the host defined at hubble.ui.ingress.hostname parameter	false
hubble.ui.ingress.selfSigned	Create a TLS secret for this ingress record using self-signed certificates generated by Helm	false
hubble.ui.ingress.extraHosts	An array with additional hostname(s) to be covered with the ingress record	[]
hubble.ui.ingress.extraPaths	An array with additional arbitrary paths that may need to be added to the ingress under the main host	[]
hubble.ui.ingress.extraTls	TLS configuration for additional hostname(s) to be covered with this ingress record	[]
hubble.ui.ingress.secrets	Custom TLS certificates as secrets	[]
hubble.ui.ingress.extraRules	Additional rules to be covered with this ingress record	[]
hubble.ui.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created for Hubble UI	true
hubble.ui.networkPolicy.allowExternal	Don’t require server label for connections	true
hubble.ui.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
hubble.ui.networkPolicy.addExternalClientAccess	Allow access from pods with client label set to “true”. Ignored if hubble.ui.networkPolicy.allowExternal is true.	true
hubble.ui.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
hubble.ui.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)	[]
hubble.ui.networkPolicy.ingressPodMatchLabels	Labels to match to allow traffic from other pods. Ignored if hubble.ui.networkPolicy.allowExternal is true.	{}
hubble.ui.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
hubble.ui.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Hubble UI RBAC configuration

Name	Description	Value
hubble.ui.serviceAccount.create	Specifies whether a ServiceAccount should be created for Hubble UI	true
hubble.ui.serviceAccount.name	The name of the ServiceAccount to use for Hubble UI	""
hubble.ui.serviceAccount.annotations	Additional Service Account annotations (evaluated as a template)	{}
hubble.ui.serviceAccount.automountServiceAccountToken	Automount service account token for the server service account	false
hubble.ui.rbac.create	Specifies whether RBAC resources should be created for Hubble UI	true
hubble.ui.rbac.rules	Custom RBAC rules to set for Hubble UI	[]

Key-Value Store Parameters

Name	Description	Value
etcd.enabled	Deploy etcd to satisfy the key-value store requirements	false
etcd.replicaCount	Number of etcd replicas	1
etcd.auth.rbac.create	Switch to enable RBAC authentication	false
etcd.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).	micro
etcd.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
etcd.service.ports.client	etcd client port	2379
externalKvstore.enabled	Use an externally managed kvstore	false
externalKvstore.endpoints	List of endpoints to connect to the external kvstore	[]

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/cilium

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts. Tip: You can use the default values.yaml

Troubleshooting

Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.

License

Copyright © 2024 Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.