{"id":28557781,"url":"https://github.com/cilium/proxy","last_synced_at":"2025-07-22T07:35:09.977Z","repository":{"id":37823592,"uuid":"155294575","full_name":"cilium/proxy","owner":"cilium","description":"Envoy with Cilium filters","archived":false,"fork":false,"pushed_at":"2025-07-17T08:13:30.000Z","size":28071,"stargazers_count":164,"open_issues_count":26,"forks_count":64,"subscribers_count":17,"default_branch":"main","last_synced_at":"2025-07-17T14:25:59.154Z","etag":null,"topics":["cilium","ebpf","hacktoberfest"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cilium.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":"cilium.io/enterprise"}},"created_at":"2018-10-29T23:24:15.000Z","updated_at":"2025-07-17T08:08:22.000Z","dependencies_parsed_at":"2023-02-18T08:16:04.896Z","dependency_job_id":"ccdf9857-a10f-417f-9124-05108d12431e","html_url":"https://github.com/cilium/proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cilium/proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/cilium","download_url":"https://codeload.github.com/cilium/proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fproxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266448652,"owners_count":23930269,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cilium","ebpf","hacktoberfest"],"created_at":"2025-06-10T08:00:37.258Z","updated_at":"2025-07-22T07:35:09.967Z","avatar_url":"https://github.com/cilium.png","language":"C++","funding_links":["cilium.io/enterprise"],"categories":["Cilium related projects"],"sub_categories":[],"readme":"# Cilium Proxy\n\n[Envoy proxy](https://github.com/envoyproxy/envoy) for Cilium with\nminimal Envoy extensions and Cilium policy enforcement filters. Cilium\nuses this as its host proxy for enforcing HTTP and other L7 policies\nas specified in [network\npolicies](https://docs.cilium.io/en/latest/concepts/kubernetes/policy/#k8s-policy)\nfor the cluster. 
Cilium proxy is distributed within the Cilium images.\n\n## Version compatibility matrix\n\nThe following table shows the Cilium proxy version compatibility with supported upstream Cilium versions.\nOther combinations may work but are not tested.\n\n| Cilium Version | Envoy version |\n|----------------|---------------|\n| (main)         | v1.33.x       |\n| v1.17.5        | v1.32.6       |\n| v1.17.4        | v1.32.6       |\n| v1.17.3        | v1.32.5       |\n| v1.17.2        | v1.31.5       |\n| v1.17.1        | v1.31.5       |\n| v1.17.0        | v1.31.5       |\n| v1.16.11       | v1.32.6       |\n| v1.16.10       | v1.32.6       |\n| v1.16.9        | v1.32.5       |\n| v1.16.8        | v1.31.5       |\n| v1.16.7        | v1.31.5       |\n| v1.16.6        | v1.30.9       |\n| v1.16.5        | v1.30.8       |\n| v1.16.4        | v1.30.6       |\n| v1.16.3        | v1.29.9       |\n| v1.16.2        | v1.29.9       |\n| v1.16.1        | v1.29.7       |\n| v1.16.0        | v1.29.7       |\n| v1.15.18       | v1.32.6       |\n| v1.15.17       | v1.32.6       |\n| v1.15.16       | v1.32.5       |\n| v1.15.15       | v1.31.5       |\n| v1.15.14       | v1.31.5       |\n| v1.15.13       | v1.30.9       |\n| v1.15.12       | v1.30.8       |\n| v1.15.11       | v1.30.6       |\n| v1.15.10       | v1.29.9       |\n| v1.15.9        | v1.29.9       |\n| v1.15.8        | v1.29.7       |\n| v1.15.7        | v1.29.7       |\n| v1.15.6        | v1.28.4       |\n| v1.15.5        | v1.28.3       |\n| v1.15.4        | v1.27.4       |\n| v1.15.3        | v1.27.3       |\n| v1.15.2        | v1.27.3       |\n| v1.15.1        | v1.27.3       |\n| v1.15.0        | v1.27.2       |\n\n## Building\n\nCilium proxy is best built with the provided build containers. 
For a\nlocal host build consult [the builder\nDockerfile](https://github.com/cilium/proxy/blob/main/Dockerfile.builder)\nfor the required dependencies.\n\nContainer builds require Docker Buildkit and optionally Buildx for\nmulti-arch builds. Builds are currently only supported for amd64 and\narm64 targets. For arm64 both native and cross compile on amd64 are\nsupported.  Container builds produce container images by\ndefault. These images can not be run by themselves as they do not\ncontain the required runtime dependencies. To run the Cilium proxy the\nbinary `/usr/bin/cilium-envoy` needs to be copied from the image to a\ncompatible runtime environment, such as Ubuntu 20.04, or 22.04.\n\nThe provided container build tools work on both Linux and macOS.\n\nTo build the Cilium proxy in a docker container for the host\narchitecture only:\n\n```\nmake docker-image-envoy\n```\n\nThis will write the image to the local Docker registry.\n\nDepending on your host CPU and memory resources a fresh build can take\nan hour or more. Docker caching will speed up subsequent builds.\n\n\u003e If your build fails due to a compiler failure the most likely reason\n\u003e is the compiler running out of memory. You can mitigate this by\n\u003e limiting the number of concurrent build jobs by passing environment\n\u003e variable `BAZEL_BUILD_OPTS=--jobs=2` to `make`. By default the\n\u003e number of jobs is the number of CPUs available for the build, and\n\u003e for some complex C++ sources this may be too much.  Note that\n\u003e changing the value of `BAZEL_BUILD_OPTS` invalidates Docker caches\n\u003e for the build stages.\n\n\n### Multi-arch builds\n\nBuild target architecture can be specified by passing `ARCH`\nenvironment variable to `make`. Supported values are `amd64` (only on\namd64 hosts), `arm64` (on arm64 or amd64 hosts), and `multi` (on amd64\nhosts). 
`multi` builds for all the supported architectures, currently\namd64 and arm64:\n\n```\nARCH=multi make docker-image-envoy\n```\n\nThis will try to push the images to the container registry. Appropriate\nauthentication is required. (Pushing to the local Docker registry isn't\nsupported for multi-arch builds. See [Docker documentation](https://docs.docker.com/reference/cli/docker/buildx/build/#docker))\n\nBuilds will be performed concurrently when building for multiple\narchitectures on a single machine. You most likely need to limit the\nnumber of jobs allowed for each builder, see the note above for\ndetails.\n\nDocker builds are done using Docker Buildx by default when `ARCH` is\nexplicitly passed to `make`. You can also force Docker Buildx to be\nused when building for the host platform only (by not defining `ARCH`)\nby defining `DOCKER_BUILDX=1`. A new buildx builder instance will be\ncreated for amd64 and arm64 cross builds if the current builder is set\nto `default`.\n\n\u003e Buildx builds will push the build result to\n\u003e `quay.io/cilium/cilium-envoy:\u003cGIT_SHA\u003e` by default. 
You can change\n\u003e the first two parts of this by defining\n\u003e `DOCKER_DEV_ACCOUNT=docker.io/me` for your own docker hub account.\n\u003e You can also request the build results to be output to your local\n\u003e directory instead by defining `DOCKER_BUILD_OPTS=--output=out`,\n\u003e where `out` is a local directory name or use \n\u003e `DOCKER_BUILD_OPTS=\"--output=type=docker\"` to load it into the\n\u003e local Docker daemon.\n\n#### Building for the Raspberry Pi kernel\n\nBy default Raspberry Pi OS and other OSes using the \n[Raspberry Pi kernel](https://github.com/raspberrypi/linux) will\nnot be able to use Envoy as their default `CONFIG_ARM64_VA_BITS_39`\nconfiguration [is not compatible with tcmalloc](https://github.com/raspberrypi/linux/issues/4375).\n\nA workaround is to compile the Envoy proxy with `gperftools`: \n```\nARCH=arm64 BAZEL_BUILD_OPTS=\"--define tcmalloc=gperftools\" make docker-image-envoy\n```\n\nThis image can then be used in the [Envoy DaemonSet mode](https://docs.cilium.io/en/stable/security/network/proxy/envoy/#enable-and-configure-envoy-daemonset).\n\n### Using custom pre-compiled Envoy dependencies\n\nDocker build uses cached Bazel artifacts from\n`quay.io/cilium/cilium-envoy-builder:main-archive-latest` by\ndefault. You can override this by defining `ARCHIVE_IMAGE=\u003cref\u003e`:\n\n```\nARCH=multi ARCHIVE_IMAGE=docker.io/me/cilium-envoy-archive make docker-image-envoy\n```\n\n\u003e Bazel build artifacts contain toolchain specific data and binaries\n\u003e that are not compatible between native and cross-compiled\n\u003e builds. 
For now the image ref shown above is for builds on amd64\n\u003e only (native amd64, cross-compiled arm64).\n\nDefine `NO_CACHE=1` to clear the local build cache before the build, and `NO_ARCHIVE=1` to build\nfrom scratch, but be warned that this can take a long time.\n\n### Docker caching\n\nBy default the build also tries to pull Docker build caches from\n`docker.io/cilium/cilium-dev:cilium-envoy-cache`. You can override\nthis with your own build cache, which you can also update with the\n`CACHE_PUSH=1` definition:\n\n```\nARCH=multi CACHE_REF=docker.io/me/cilium-proxy:cache CACHE_PUSH=1 make docker-image-envoy\n```\n\n`NO_CACHE=1` can be used to disable docker cache pulling.\n\nIn a CI environment it might be a good idea to push a new cache image\nafter each main branch commit.\n\n\n### Updating the pre-compiled Envoy dependencies\n\nBuild and push a new version of the pre-compiled Envoy dependencies by:\n\n```\nARCH=multi make docker-builder-archive\n```\n\nBy default the pre-compiled dependencies image is tagged as\n`quay.io/cilium/cilium-envoy-builder:main-archive-latest`. You\ncan override the first two parts of this by defining\n`DOCKER_DEV_ACCOUNT=docker.io/me`,\n`BUILDER_ARCHIVE_TAG=my-builder-archive`, or completely by defining\n`ARCHIVE_IMAGE=\u003cref\u003e`.\n\nPre-compiled Envoy dependencies need to be updated only when Envoy\nversion is updated or patched enough to increase compilation time\nsignificantly. To do this you should update Envoy version in\n`ENVOY_VERSION` and supply `NO_CACHE=1` and `NO_ARCHIVE=1` on the make line, e.g.:\n\n```\nARCH=multi NO_CACHE=1 NO_ARCHIVE=1 BUILDER_ARCHIVE_TAG=main-archive-latest make docker-builder-archive\n```\n\n\n## Updating the builder image\n\nThe required Bazel version typically changes from one Envoy release to\nanother. 
To create a new builder image first update the required Bazel\nversion at `.bazelversion` and then run:\n\n```\nARCH=multi NO_CACHE=1 NO_ARCHIVE=1 make docker-image-builder\n```\n\nThe builder can not be cross-compiled as native build tools are needed\nfor native arm64 builds. This means that for non-native builds QEMU\nCPU emulation is used instead of cross-compilation. If you have an\narm64 machine you can create a Docker buildx builder to use it for\nnative builds.\n\nThe builder image is tagged as\n\"quay.io/cilium/cilium-envoy-builder:bazel-\u003cversion\u003e\". Change the\nBUILDER_BASE ARG in `Dockerfile` to use the new builder and commit the\nresult.\n\nFor testing purposes you can define `DOCKER_DEV_ACCOUNT` as explained\nabove to push the builder into a different registry or account.\n\n\n## Running integration tests\n\nTo run Cilium Envoy integration tests in a docker container:\n\n```\nmake docker-tests\n```\n\nThis runs the integration tests after loading Bazel build cache for\nEnvoy dependencies from\n`quay.io/cilium/cilium-envoy-builder:test-main-archive-latest`. Define\n`NO_ARCHIVE=1` and `NO_CACHE=1` to compile tests from scratch.\n\nThis command fails if any of the integration tests fail, printing the\nfailing test logs on console.\n\n\u003e Note that cross-compiling is not supported for running tests, so\n\u003e specifying `ARCH` is only supported for the native platform.\n\u003e `ARCH=multi` will fail.\n\n\n### Updating the pre-compiled Envoy test dependencies\n\nBuild and push a new version of the pre-compiled test dependencies by:\n\n```\nmake docker-tests-archive\n```\n\nBy default the pre-compiled test dependencies image is tagged as\n`quay.io/cilium/cilium-envoy-builder:test-main-archive-latest`. 
You\ncan override the first two parts of this by defining\n`DOCKER_DEV_ACCOUNT=docker.io/me`,\n`TESTS_ARCHIVE_TAG=my-test-archive`, or completely by defining\n`ARCHIVE_IMAGE=\u003cref\u003e`.\n\nPre-compiled Envoy test dependencies need to be updated only when\nEnvoy version is updated or patched enough to increase compilation\ntime significantly. To do this you should update Envoy version\nin `ENVOY_VERSION` and supply `NO_ARCHIVE=1` and `NO_CACHE=1` on\nthe make line, e.g.:\n\n```\nARCH=amd64 NO_ARCHIVE=1 NO_CACHE=1 make docker-tests-archive\n```\n\n\n## Updating generated API\n\n[Cilium project](https://github.com/cilium/cilium) vendors the Envoy\nxDS API, including Cilium extensions, from this repository. To update\nthe generated API files, run:\n\n```\nrm -r go/envoy/*\nmake api\n```\n\n`rm` is needed to clean up API files that are no longer generated for\nEnvoy. **Do not** remove files at `go/cilium/` as some of them are not\nautomatically generated!\n\nCommit the results and update\n[Cilium](https://github.com/cilium/cilium) to vendor this new commit.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcilium%2Fproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcilium%2Fproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcilium%2Fproxy/lists"}