# Cilium CLI [![Go](https://github.com/cilium/cilium-cli/workflows/Go/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AGo) [![Kind](https://github.com/cilium/cilium-cli/workflows/Kind/badge.svg)](https://github.com/cilium/cilium-cli/actions?query=workflow%3AKind) ## Installation To build and install, use the `install` target: ```console make install ``` You may set the `BINDIR` environment variable to install the binary in a specific location instead of `/usr/local/bin`, e.g. ``` BINDIR=~/.local/bin make install ``` Alternatively, to install the latest binary release: ``` CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt) GOOS=$(go env GOOS) GOARCH=$(go env GOARCH) curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-${GOOS}-${GOARCH}.tar.gz{,.sha256sum} sha256sum --check cilium-${GOOS}-${GOARCH}.tar.gz.sha256sum sudo tar -C /usr/local/bin -xzvf cilium-${GOOS}-${GOARCH}.tar.gz rm cilium-${GOOS}-${GOARCH}.tar.gz{,.sha256sum} ``` See https://github.com/cilium/cilium-cli/releases for supported `GOOS`/`GOARCH` binary releases. ## Releases | Release | Maintained | Compatible Cilium Versions | |----------------------------------------------------------------------|------------|----------------------------| | [v0.19.2](https://github.com/cilium/cilium-cli/releases/tag/v0.19.2) | Yes | Cilium 1.16 and newer | ## Capabilities ### Install Cilium To install Cilium while automatically detected: cilium install ๐Ÿ”ฎ Auto-detected Kubernetes kind: minikube โœจ Running "minikube" validation checks โœ… Detected minikube version "1.5.2" โ„น๏ธ Cilium version not set, using default version "v1.9.1" ๐Ÿ”ฎ Auto-detected cluster name: minikube ๐Ÿ”‘ Found existing CA in secret cilium-ca ๐Ÿ”‘ Generating certificates for Hubble... ๐Ÿš€ Creating service accounts... ๐Ÿš€ Creating cluster roles... ๐Ÿš€ Creating ConfigMap... ๐Ÿš€ Creating agent DaemonSet... ๐Ÿš€ Creating operator Deployment... #### Supported Environments - [x] minikube - [x] kind - [x] EKS - [x] self-managed - [x] GKE - [x] AKS BYOCNI - [x] k3s - [ ] Rancher ### Cluster Context Management cilium context Context: minikube Cluster: minikube Auth: minikube Host: https://192.168.64.25:8443 TLS server name: CA path: /Users/tgraf/.minikube/ca.crt ### Hubble cilium hubble enable ๐Ÿ”‘ Generating certificates for Relay... โœจ Deploying Relay... ### Status cilium status /ยฏยฏ\ /ยฏยฏ\__/ยฏยฏ\ Cilium: OK \__/ยฏยฏ\__/ Operator: OK /ยฏยฏ\__/ยฏยฏ\ Envoy DaemonSet: OK \__/ยฏยฏ\__/ Hubble Relay: OK \__/ ClusterMesh: disabled DaemonSet cilium Desired: 1, Ready: 1/1, Available: 1/1 DaemonSet cilium-envoy Desired: 1, Ready: 1/1, Available: 1/1 Deployment cilium-operator Desired: 1, Ready: 1/1, Available: 1/1 Deployment hubble-relay Desired: 1, Ready: 1/1, Available: 1/1 Containers: cilium Running: 1 cilium-envoy Running: 1 cilium-operator Running: 1 hubble-relay Running: 1 Image versions cilium quay.io/cilium/cilium:v1.9.1: 1 cilium-envoy quay.io/cilium/cilium-envoy:v1.25.5-37a98693f069413c82bef1724dd75dcf1b564fd9@sha256:d10841c9cc5b0822eeca4e3654929418b6424c978fd818868b429023f6cc215d: 1 cilium-operator quay.io/cilium/operator-generic:v1.9.1: 1 hubble-relay quay.io/cilium/hubble-relay:v1.9.1: 1 ### Connectivity Check cilium connectivity test --single-node โŒ› Waiting for deployments to become ready ๐Ÿ”ญ Enabling Hubble telescope... โš ๏ธ Unable to contact Hubble Relay: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp [::1]:4245: connect: connection refused" โš ๏ธ Did you enable and expose Hubble + Relay? โ„น๏ธ You can export Relay with a port-forward: kubectl port-forward -n kube-system deployment/hubble-relay 4245:4245 โ„น๏ธ Disabling Hubble telescope and flow validation... ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to pod cilium-test/echo-same-node-7f877bbf9-p2xg8... ------------------------------------------------------------------------------------------- โœ… client pod client-9f579495f-b2pcq was able to communicate with echo pod echo-same-node-7f877bbf9-p2xg8 (10.0.0.166) ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to outside of cluster... ------------------------------------------------------------------------------------------- โœ… client pod client-9f579495f-b2pcq was able to communicate with cilium.io ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to local host... ------------------------------------------------------------------------------------------- โœ… client pod client-9f579495f-b2pcq was able to communicate with local host ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to service echo-same-node... ------------------------------------------------------------------------------------------- โœ… client pod client-9f579495f-b2pcq was able to communicate with service echo-same-node #### With Flow Validation cilium hubble port-forward& cilium connectivity test --single-node โŒ› Waiting for deployments to become ready ๐Ÿ”ญ Enabling Hubble telescope... Handling connection for 4245 โ„น๏ธ Hubble is OK, flows: 405/4096 ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to pod cilium-test/echo-same-node-7f877bbf9-p2xg8... ------------------------------------------------------------------------------------------- ๐Ÿ“„ Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: SYN) Jan 6 13:41:17.739: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.755: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.756: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) ๐Ÿ“„ Flow logs of pod cilium-test/echo-same-node-7f877bbf9-p2xg8: Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: SYN) Jan 6 13:41:17.739: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) Jan 6 13:41:17.739: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.755: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:17.756: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.166:8080 -> 10.0.0.11:43876 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:17.757: 10.0.0.11:43876 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) โœ… client pod client-9f579495f-b2pcq was able to communicate with echo pod echo-same-node-7f877bbf9-p2xg8 (10.0.0.166) ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to outside of cluster... ------------------------------------------------------------------------------------------- โŒ Found RST in pod cilium-test/client-9f579495f-b2pcq โŒ FIN not found in pod cilium-test/client-9f579495f-b2pcq ๐Ÿ“„ Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:22.025: 10.0.0.11:55334 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.025: 10.0.0.11:55334 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.027: 10.0.0.243:53 -> 10.0.0.11:55334 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.028: 10.0.0.243:53 -> 10.0.0.11:55334 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.028: 10.0.0.11:56466 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.028: 10.0.0.11:56466 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.029: 10.0.0.104:53 -> 10.0.0.11:56466 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.029: 10.0.0.104:53 -> 10.0.0.11:56466 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.030: 10.0.0.11:57691 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.030: 10.0.0.243:53 -> 10.0.0.11:57691 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.030: 10.0.0.11:57691 -> 10.0.0.243:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.031: 10.0.0.243:53 -> 10.0.0.11:57691 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.031: 10.0.0.11:52849 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.032: 10.0.0.104:53 -> 10.0.0.11:52849 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.033: 10.0.0.11:52849 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.037: 10.0.0.104:53 -> 10.0.0.11:52849 to-endpoint FORWARDED (UDP) Jan 6 13:41:22.038: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: SYN) Jan 6 13:41:22.041: 172.217.168.46:443 -> 10.0.0.11:45040 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:22.041: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: ACK) Jan 6 13:41:22.059: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:22.073: 172.217.168.46:443 -> 10.0.0.11:45040 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:22.096: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: ACK, RST) Jan 6 13:41:22.097: 172.217.168.46:443 -> 10.0.0.11:45040 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:22.097: 10.0.0.11:45040 -> 172.217.168.46:443 to-stack FORWARDED (TCP Flags: RST) โœ… client pod client-9f579495f-b2pcq was able to communicate with cilium.io ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to local host... ------------------------------------------------------------------------------------------- ๐Ÿ“„ Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:25.305: 10.0.0.11 -> 192.168.64.25 to-stack FORWARDED (ICMPv4 EchoRequest) Jan 6 13:41:25.305: 192.168.64.25 -> 10.0.0.11 to-endpoint FORWARDED (ICMPv4 EchoReply) โœ… client pod client-9f579495f-b2pcq was able to communicate with local host ------------------------------------------------------------------------------------------- ๐Ÿ”Œ Validating from pod cilium-test/client-9f579495f-b2pcq to service echo-same-node... ------------------------------------------------------------------------------------------- ๐Ÿ“„ Flow logs of pod cilium-test/client-9f579495f-b2pcq: Jan 6 13:41:30.499: 10.0.0.11:39559 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.499: 10.0.0.11:39559 -> 10.0.0.104:53 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.500: 10.0.0.104:53 -> 10.0.0.11:39559 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.500: 10.0.0.104:53 -> 10.0.0.11:39559 to-endpoint FORWARDED (UDP) Jan 6 13:41:30.503: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: SYN) Jan 6 13:41:30.503: 10.0.0.166:8080 -> 10.0.0.11:59414 to-endpoint FORWARDED (TCP Flags: SYN, ACK) Jan 6 13:41:30.503: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) Jan 6 13:41:30.503: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:30.505: 10.0.0.166:8080 -> 10.0.0.11:59414 to-endpoint FORWARDED (TCP Flags: ACK, PSH) Jan 6 13:41:30.509: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:30.509: 10.0.0.166:8080 -> 10.0.0.11:59414 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jan 6 13:41:30.509: 10.0.0.11:59414 -> 10.0.0.166:8080 to-endpoint FORWARDED (TCP Flags: ACK) โœ… client pod client-9f579495f-b2pcq was able to communicate with service echo-same-node #### Network Performance test cilium connectivity perf ๐Ÿ”ฅ Network Performance Test Summary: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ๐Ÿ“‹ Scenario | Node | Test | Duration | Min | Mean | Max | P50 | P90 | P99 | Transaction rate OP/s -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ๐Ÿ“‹ pod-to-pod | same-node | TCP_RR | 1s | 16ยตs | 32.39ยตs | 1.567ms | 20ยตs | 52ยตs | 97ยตs | 30696.13 ๐Ÿ“‹ pod-to-pod | same-node | UDP_RR | 1s | 14ยตs | 29.86ยตs | 4.41ms | 17ยตs | 47ยตs | 97ยตs | 33251.51 ๐Ÿ“‹ pod-to-pod | same-node | TCP_CRR | 1s | 290ยตs | 512.1ยตs | 13.413ms | 467ยตs | 626ยตs | 980ยตs | 1949.69 ๐Ÿ“‹ pod-to-pod | other-node | TCP_RR | 1s | 350ยตs | 692.85ยตs | 3.543ms | 631ยตs | 1.001ms | 1.483ms | 1438.69 ๐Ÿ“‹ pod-to-pod | other-node | UDP_RR | 1s | 312ยตs | 865.83ยตs | 8.731ms | 605ยตs | 1.444ms | 6ms | 1150.79 ๐Ÿ“‹ pod-to-pod | other-node | TCP_CRR | 1s | 959ยตs | 2.15805ms | 7.677ms | 1.555ms | 5.425ms | 7.133ms | 461.78 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------- ๐Ÿ“‹ Scenario | Node | Test | Duration | Throughput Mb/s ------------------------------------------------------------------------------------- ๐Ÿ“‹ pod-to-pod | same-node | TCP_STREAM | 1s | 631.58 ๐Ÿ“‹ pod-to-pod | same-node | UDP_STREAM | 1s | 458.66 ๐Ÿ“‹ pod-to-pod | other-node | TCP_STREAM | 1s | 411.43 ๐Ÿ“‹ pod-to-pod | other-node | UDP_STREAM | 1s | 144.44 ------------------------------------------------------------------------------------- ### ClusterMesh Install Cilium & enable ClusterMesh in Cluster 1 cilium install --set=cluster.id=1 ๐Ÿ”ฎ Auto-detected Kubernetes kind: GKE โ„น๏ธ Cilium version not set, using default version "v1.9.1" ๐Ÿ”ฎ Auto-detected cluster name: gke-cilium-dev-us-west2-a-tgraf-cluster1 โœ… Detected GKE native routing CIDR: 10.52.0.0/14 ๐Ÿš€ Creating resource quotas... ๐Ÿ”‘ Found existing CA in secret cilium-ca ๐Ÿ”‘ Generating certificates for Hubble... ๐Ÿš€ Creating service accounts... ๐Ÿš€ Creating cluster roles... ๐Ÿš€ Creating ConfigMap... ๐Ÿš€ Creating GKE Node Init DaemonSet... ๐Ÿš€ Creating agent DaemonSet... ๐Ÿš€ Creating operator Deployment... cilium clustermesh enable โœจ Validating cluster configuration... โœ… Valid cluster identification found: name="gke-cilium-dev-us-west2-a-tgraf-cluster1" id="1" ๐Ÿ”‘ Found existing CA in secret cilium-ca ๐Ÿ”‘ Generating certificates for ClusterMesh... โœจ Deploying clustermesh-apiserver... ๐Ÿ”ฎ Auto-exposing service within GCP VPC (cloud.google.com/load-balancer-type=internal) Install Cilium in Cluster 2 cilium install --context gke_cilium-dev_us-west2-a_tgraf-cluster2 --set=cluster.id=2 ๐Ÿ”ฎ Auto-detected Kubernetes kind: GKE โ„น๏ธ Cilium version not set, using default version "v1.9.1" ๐Ÿ”ฎ Auto-detected cluster name: gke-cilium-dev-us-west2-a-tgraf-cluster2 โœ… Detected GKE native routing CIDR: 10.4.0.0/14 ๐Ÿš€ Creating resource quotas... ๐Ÿ”‘ Found existing CA in secret cilium-ca ๐Ÿ”‘ Generating certificates for Hubble... ๐Ÿš€ Creating service accounts... ๐Ÿš€ Creating cluster roles... ๐Ÿš€ Creating ConfigMap... ๐Ÿš€ Creating GKE Node Init DaemonSet... ๐Ÿš€ Creating agent DaemonSet... ๐Ÿš€ Creating operator Deployment... cilium clustermesh enable --context gke_cilium-dev_us-west2-a_tgraf-cluster2 โœจ Validating cluster configuration... โœ… Valid cluster identification found: name="gke-cilium-dev-us-west2-a-tgraf-cluster2" id="2" ๐Ÿ”‘ Found existing CA in secret cilium-ca ๐Ÿ”‘ Generating certificates for ClusterMesh... โœจ Deploying clustermesh-apiserver... ๐Ÿ”ฎ Auto-exposing service within GCP VPC (cloud.google.com/load-balancer-type=internal) Connect Clusters cilium clustermesh connect --destination-context gke_cilium-dev_us-west2-a_tgraf-cluster2 โœจ Extracting access information of cluster gke-cilium-dev-us-west2-a-tgraf-cluster2... ๐Ÿ”‘ Extracting secrets from cluster gke-cilium-dev-us-west2-a-tgraf-cluster2... โ„น๏ธ Found ClusterMesh service IPs: [10.168.15.209] โœจ Extracting access information of cluster gke-cilium-dev-us-west2-a-tgraf-cluster1... ๐Ÿ”‘ Extracting secrets from cluster gke-cilium-dev-us-west2-a-tgraf-cluster1... โ„น๏ธ Found ClusterMesh service IPs: [10.168.15.208] โœจ Connecting cluster gke_cilium-dev_us-west2-a_tgraf-cluster1 -> gke_cilium-dev_us-west2-a_tgraf-cluster2... ๐Ÿ”‘ Patching existing secret cilium-clustermesh... โœจ Patching DaemonSet with IP aliases cilium-clustermesh... โœจ Connecting cluster gke_cilium-dev_us-west2-a_tgraf-cluster2 -> gke_cilium-dev_us-west2-a_tgraf-cluster1... ๐Ÿ”‘ Patching existing secret cilium-clustermesh... โœจ Patching DaemonSet with IP aliases cilium-clustermesh... ### Encryption Install a Cilium in a cluster and enable encryption with IPsec cilium install --encryption=ipsec ๐Ÿ”ฎ Auto-detected Kubernetes kind: kind โœจ Running "kind" validation checks โœ… Detected kind version "0.9.0" โ„น๏ธ Cilium version not set, using default version "v1.9.2" ๐Ÿ”ฎ Auto-detected cluster name: kind-chart-testing ๐Ÿ”ฎ Auto-detected IPAM mode: kubernetes ๐Ÿ”‘ Found existing CA in secret cilium-ca ๐Ÿ”‘ Generating certificates for Hubble... ๐Ÿš€ Creating Service accounts... ๐Ÿš€ Creating Cluster roles... ๐Ÿ”‘ Generated encryption secret cilium-ipsec-keys ๐Ÿš€ Creating ConfigMap... ๐Ÿš€ Creating Agent DaemonSet... ๐Ÿš€ Creating Operator Deployment... โŒ› Waiting for Cilium to be installed... ### Examples #### `install` examples To install the default version of Cilium: cilium install To see the Helm release that got deployed: helm list -n kube-system --filter "cilium" To see non-default Helm values that `cilium-cli` used for this Cilium installation: helm get values -n kube-system cilium To see all the Cilium-related resources without installing them to your cluster: cilium install --dry-run To see all the non-default Helm values without actually performing the installation: cilium install --dry-run-helm-values To install using Cilium's [OCI dev chart repository](https://quay.io/repository/cilium-charts-dev/cilium): cilium install --repository oci://quay.io/cilium-charts-dev/cilium --version 1.14.0-dev-dev.4-main-797347707c #### `upgrade` examples To upgrade to a specific version of Cilium: cilium upgrade --version v1.13.3 To upgrade using a local Helm chart: cilium upgrade --chart-directory ./install/kubernetes/cilium To upgrade using Cilium's [OCI dev chart repository](https://quay.io/repository/cilium-charts-dev/cilium): cilium upgrade --repository oci://quay.io/cilium-charts-dev/cilium --version 1.14.0-dev-dev.4-main-797347707c Note that `upgrade` does not mean you can only upgrade to a newer version than what is currently installed. Similar to `helm upgrade`, `cilium upgrade` can be used to downgrade to a previous version. For example: cilium install --version 1.13.3 cilium upgrade --version 1.12.10 Please read [the upgrade guide](https://docs.cilium.io/en/stable/operations/upgrade/) carefully before upgrading Cilium to understand all the necessary steps. In particular, please note that `cilium-cli` does not automatically modify non-default Helm values during upgrade. You can use `--dry-run` and `--dry-run-helm-values` flags to review Kubernetes resources and non-default Helm values without actually performing an upgrade: To see the difference between the current Kubernetes resources in a live cluster and what would be applied: cilium upgrade --version v1.13.3 --dry-run | kubectl diff -f - To see the non-default Helm values that would be used during upgrade: cilium upgrade --version v1.13.3 --dry-run-helm-values > **Note** > You can use external diff tools such as [dyff](https://github.com/homeport/dyff) to make > `kubectl diff` output more readable. It is strongly recommended that you use Cilium's [OCI dev chart repository](https://quay.io/repository/cilium-charts-dev/cilium) if you need to deploy Cilium with a specific commit SHA. Alternatively, you can use `image.override` Helm value if you need to override the cilium-agent container image. For example: cilium upgrade --set image.override=quay.io/cilium/cilium-ci:103e277f78ce95e922bfac98f1e74138a411778a --reuse-values Please see Cilium's [Helm Reference](https://docs.cilium.io/en/stable/helm-reference/) for the complete list of Helm values.