CLI Reference

Every flag of the c8s CLI — install, uninstall, render-values, operator, cds, allowlist, cds-attest, verify, get-cert, ratls-mesh, nri-image-policy, and probe-file — with types, defaults, and descriptions.

This page documents every flag of the c8s CLI, one section per command, mirroring the flags defined in the c8s source.

The c8s binary also responds to the symlink aliases get-cert, ratls-mesh, and nri-image-policy (each auto-prepends the matching subcommand).

c8s install

Install the c8s operator, CRDs, attestation-api, and component charts via Helm. Flags are registered with cobra/pflag.

FlagTypeDefaultRequiredDescription
--namespacestringc8s-systemNonamespace to install into
--releasestringc8sNoHelm release name
-f, --valuesstring slicenilNovalues files (repeatable)
--waitbooltrueNowait for the release to become ready (helm --wait)
--install-crdsbooltrueNoinstall chart CRDs (false passes helm --skip-crds)
--webhook-cert-fs-groupint6465532NofsGroup for injected certificate volume
--webhook-cert-key-modestring0640Nooctal mode for injected tls.key
--webhook-get-cert-renew-intervalduration6hNorenewal interval for injected workload certificates
--webhook-get-cert-run-as-userint6465532NorunAsUser for injected get-cert containers
--webhook-get-cert-run-as-groupint6465532NorunAsGroup for injected get-cert containers
--webhook-get-cert-run-as-non-rootbooltrueNoset runAsNonRoot for injected get-cert containers
--single-nodeboolfalseNosingle-node / single-CVM cluster: clear the dedicated-CDS-node selector and taint toleration so every node is CDS-eligible (no role=cds label or dedicated node needed). Sets cds.node.selector={} and cds.node.tolerations=[]
--cvm-modestringbaremetalNoCVM deployment shape (orthogonal to --hardware-platform): baremetal, or node (generalized node-as-CVM: our own TDX/SNP nodes are themselves confidential VMs, pods run as ordinary processes), or gke (GKE managed confidential VMs), or aks (vTPM /dev/tpm0). All modes render a privileged attestation-api (a hostPath device mount alone does not grant device-cgroup access)
--hardware-platformstringsev-snpNoCPU-level TEE hardware (orthogonal to --cvm-mode): sev-snp (/dev/sev-guest) or tdx (Intel TDX, /dev/tdx-guest). Ignored when --cvm-mode=aks (Azure vTPM path); --cvm-mode=aks with --hardware-platform=tdx is refused
--kataboolfalseNoinstall and enforce the Kata Containers runtime stack: every workload pod runs as a confidential VM (kata RuntimeClass injected; non-kata classes rejected), including NVIDIA GPU pods. Labels every kata node for the declared --hardware-platform (clearing the other platform's label), failing fast when no node qualifies
--debugboolfalseNouse the kata-guest-base DEBUG guest variant (<tag>-debug): kubectl logs/exec work on kata pods, but container I/O becomes readable by the untrusted host and the launch measurement differs from the locked image. Requires --kata; development only
--image-tagstring""Nocomponent image tag to resolve digests at (default: the CLI build version, or main for an unstamped build); override to pin a specific branch/tag/release
--resolve-digestsbooltrueNoresolve each component image tag to its registry digest (via crane), pin it, and add the resolved images to the NRI allowlist. Pass --resolve-digests=false when supplying digests via -f
--image-pull-secretstring""Noname of an existing registry-credential Secret (kubernetes.io/dockerconfigjson) in the release namespace; the chart appends it to every component's imagePullSecrets, so all pods can pull the c8s images from an authenticated registry (e.g. a private mirror) from first start. The Secret itself is never created or managed by the install — the install fails fast if it is missing or has the wrong type
--workload-refstring slicenilNoexisting workload to adopt as a confidential workload, as <cw-id>=<namespace>/<kind>/<name>[:<port>]; repeatable. Kind is any resource exposing a pod template at spec.template (deployment, statefulset, daemonset, or an operator CRD such as <kind>.<group>); install patches the pod template with confidential.ai/cw=<cw-id> once c8s is ready. The optional :<port> is the tls-lb upstream port, required on the ref --upstream selects
--upstreamstring""Noconfidential.ai/cw id of the adopted --workload-ref workload tls-lb routes its catch-all to; derives the mesh-wrapped upstream c8s-<id>.<ns>.svc.cluster.local:<port> from that ref's :<port>. Without this or a verified-https tlsLb.upstream, tls-lb renders no catch-all route until one is attached
--operator-keysstring""Nopath to a PEM bundle of operator EC public keys that authorize c8s allowlist writes; sets cds.operatorKeys. Without it, allowlist writes are disabled (reads still served). See creating the operator credential
--forceboolfalseNoproceed past guarded prompts — currently: install without --operator-keys (allowlist writes disabled). Not needed when values are supplied via -f

c8s uninstall

Uninstall the c8s Helm release and, for a --kata install, sweep the host-side kata artifacts off every node. helm uninstall unwinds the release resources; the host sweep then removes what that path cannot guarantee (/opt/kata, the containerd drop-in, the multi-GB kata-guest-base image, the RKE2 prep template, and the kata-runtime node labels). Requires the helm and kubectl CLIs on PATH.

FlagTypeDefaultRequiredDescription
--namespacestringc8s-systemNonamespace the release was installed into
--releasestringc8sNoHelm release name
--waitbooltrueNowait for the release deletion to complete (helm --wait); the kata host sweep additionally waits for the kata pods to be gone either way
--kata-sweepbooltrueNoafter the release is deleted, sweep the kata host artifacts off every kata node via a short-lived privileged DaemonSet. Skipped automatically when the release was installed without --kata
--host-sweep-onlyboolfalseNoskip the helm uninstall and only run the kata host sweep — for a cluster whose release is already gone (e.g. a previous bare helm uninstall) but whose nodes still carry kata artifacts. Uses the chart defaults and the distro detected from the cluster when the release values are unavailable
--forceboolfalseNouninstall even while pods with a kata RuntimeClass are running (they lose their runtime: kata VMs keep running unmanaged but cannot restart)
--delete-crdsboolfalseNoalso delete the ConfidentialWorkload CRD — this deletes every ConfidentialWorkload object in the cluster with it
--delete-namespaceboolfalseNoalso delete the release namespace (and everything left in it, e.g. an operator-created image pull Secret)

c8s render-values

Print the resolved Helm values an install would apply, to stdout — without contacting a cluster. Useful for feeding a GitOps consumer (e.g. a Flux HelmRelease's valuesFrom) instead of recomputing digests and device mappings. Unlike install, the host distro isn't autodetected — pass --distro to pin it. Still needs the registry reachable for the default digest resolution (--resolve-digests=true).

FlagTypeDefaultRequiredDescription
--distrostring""Nohost Kubernetes distro (k8s | rke2); install autodetects this, render-values can't, so pass it when you need it pinned (unset leaves the chart default)
--single-nodeboolfalseNosingle-node / single-CVM cluster: clear the dedicated-CDS-node selector and toleration (cds.node.selector={}, cds.node.tolerations=[])
--cvm-modestringbaremetalNoCVM deployment shape (orthogonal to --hardware-platform): baremetal, or node (generalized node-as-CVM native TEE device), or gke (GKE managed CVMs), or aks (vTPM /dev/tpm0)
--hardware-platformstringsev-snpNoCPU-level TEE hardware (orthogonal to --cvm-mode): sev-snp (/dev/sev-guest) or tdx (Intel TDX, /dev/tdx-guest). Ignored when --cvm-mode=aks
--kataboolfalseNoemit the Kata Containers runtime values (kata.enabled=true; disables host-side ratls-mesh/attestation-api/nri-image-policy)
--debugboolfalseNouse the kata-guest-base DEBUG image variant (requires --kata)
--resolve-digestsbooltrueNoresolve each component image tag to its registry digest (via crane), pin it, and enable the NRI allowlist derivation
--image-tagstring""Nocomponent image tag to resolve digests at (default: the CLI build version, or main)
--image-pull-secretstring""Noname of an existing dockerconfigjson Secret the chart wires into every component's imagePullSecrets
--operator-keysstring""Nopath to a PEM bundle of operator EC public keys that authorize c8s allowlist writes; the file's content is embedded as cds.operatorKeys in the emitted values (the chart value is PEM content, never a path)
--install-crdsbooltrueNoemit values for chart CRDs (false sets statusMirror.enabled=false, matching install --install-crds=false)
--workload-refstring slicenilNoadopted workload as <cw-id>=<namespace>/<kind>/<name>[:<port>]; repeatable. Used here only to derive --upstream's address (render-values patches nothing)
--upstreamstring""Noconfidential.ai/cw id of the adopted --workload-ref workload tls-lb routes its catch-all to; derives tlsLb.upstream.address c8s-<id>.<ns>.svc.cluster.local:<port> from that ref's :<port>

c8s operator

Run the c8s controller-manager and admission webhook.

FlagTypeDefaultRequiredDescription
--metrics-bind-addressstring:8080Noaddress for Prometheus metrics
--health-probe-bind-addressstring:8081Noaddress for health/readyz probes
--leader-electbooltrueNoenable leader election for HA
--leader-election-namespacestringc8s-systemNonamespace holding the leader-election Lease
--status-mirror-enabledbooltrueNoenable CRD-backed ConfidentialWorkload status mirror controller
--get-cert-imagestring""Noimage reference the webhook injects for get-cert containers (empty = webhook disabled)
--cds-urlstring""NoCDS Service URL the injected get-cert containers POST to
--attestation-api-urlstring""Noattestation-api endpoint (empty = no verification)
--exclude-namespacesstring slicenilNoextra namespaces the startup reinject sweep skips (mirrors webhook.extraExcluded)
--webhook-config-namestring""NoMutatingWebhookConfiguration to patch caBundle (empty = skip)
--webhook-service-namestring""Nowebhook Service name (defaults to c8s)
--webhook-service-namespacestring""Nowebhook Service namespace (defaults to --leader-election-namespace)
--cert-fs-groupint6465532NofsGroup applied to injected pods when unset (-1 disables mutation)
--cert-key-modestring0640Nooctal mode for injected tls.key
--get-cert-renew-intervalduration6hNorenewal interval for injected workload certificates
--get-cert-run-as-userint6465532NorunAsUser for injected get-cert containers
--get-cert-run-as-groupint6465532NorunAsGroup for injected get-cert containers
--get-cert-run-as-non-rootbooltrueNoset runAsNonRoot for injected get-cert containers
--kata-enforceboolfalseNoinject a kata runtimeClassName into workload pods that don't request one and enforce kata RuntimeClasses (set by the chart under kata.enabled)
--hardware-platformstringsev-snpNoCPU TEE the injected confidential kata classes target: sev-snp or tdx (set by the chart to match the RuntimeClasses it renders)

c8s cds

Run the Certificate Distribution Service (CDS). Requires --attestation-api-url and --allowlist-db.

FlagTypeDefaultRequiredDescription
--hoststring0.0.0.0Nolisten host
-p, --portint8443Nolisten port
--log-levelstringinfoNolog level: debug, info, warn, error
--attestation-api-urlstring""YesURL of the attestation-api service
--ca-common-namestringc8s Mesh CANocommon name for the in-memory generated mesh CA
--ca-cert-validityduration8760hNovalidity period of the in-memory mesh CA certificate
--measurementsstring slicenilNoSHA-384 hex launch measurements allowed to call /attest (empty = no pinning, UNSAFE)
--ear-issuerstringcdsNoEAR JWT issuer claim
--expected-issuerstring""NoEAR JWT issuer claim required on /sign-csr (empty disables)
--jwt-clock-skewint6430NoEAR JWT exp/nbf/iat clock skew tolerance in seconds
--max-ttlduration24hNoupper bound on /sign-csr leaf TTL
--cert-ttlduration24hNocertificate TTL
--challenge-ttlduration60sNochallenge TTL
--request-timeoutduration5sNoper-request /attest timeout (0 disables)
--max-request-sizeint6465536Nomax request body bytes on write endpoints
--read-timeoutduration10sNoHTTP server read timeout
--read-header-timeoutduration5sNoHTTP server read-header timeout
--write-timeoutduration10sNoHTTP server write timeout
--idle-timeoutduration20sNoHTTP server idle timeout
--max-header-bytesint1048576Nomaximum HTTP request header bytes
--san-validationbooltrueNorequire CSR IP SANs to equal the request source IP (false rejects CSRs carrying IP SANs)
--dns-san-patternstring slicenilNoregex a CSR's DNS SANs may match in full; repeatable, and a SAN passes if it matches any one. The chart always supplies the in-cluster Service DNS pattern and appends a public hostname when tls-lb fronts a routed domain. A CSR carrying DNS SANs is rejected when none are set
--allowed-cn-patternstring""Noregex the CSR Subject CN must match in full (empty disables)
--readiness-intervalduration10sNoreadiness check interval
--min-ca-validityduration1hNo/readyz fails when the loaded mesh CA has less than this remaining lifetime
--allowlist-dbstring""Yespath to the allowlist SQLite database
--allowlist-persistentboolfalseNowhether --allowlist-db is on durable storage; false makes the CDS warn at startup that operator-added digests and the mesh CA do not survive a restart
--allowlist-seedstring""Nopath to a JSON allowlist (version + digests map) seeded into the store at startup before serving; missing digests are added, existing entries are left untouched (empty disables seeding)
--operator-keysstring""Nopath to a PEM bundle of pinned operator EC public keys; /allowlist writes (POST/PUT/DELETE) require an operator token signed by one of them (empty = writes disabled, reads still served)
--handoff-measurementsstring slicenilNoSHA-384 hex launch measurements allowed to pull the mesh CA via /handoff (empty = /handoff disabled)
--rate-limitfloat6410Nomax requests per second per source IP on attestation endpoints
--rate-burstint20Nomax burst size per source IP
--rate-limiter-max-entriesint10000Nomax entries in the per-IP rate limiter
--rate-limiter-evict-intervalduration1mNointerval for per-IP rate limiter eviction sweep
--rate-limiter-idle-timeoutduration5mNoidle duration before a per-IP rate limiter entry is evicted
--token-signer-rotation-intervalduration720hNoEAR signing key rotation interval (0 disables)
--token-signer-overlapduration25hNohow long a retired EAR key stays in JWKS
--token-signer-rotation-jitterfloat640.1NoEAR key rotation jitter
--ratls-platformstringsev-snpNoTEE platform for the RA-TLS serving cert: sev-snp or tdx (snp/az-snp/gcp-snp and az-tdx/gcp-tdx aliases normalized). Empty disables TLS — UNSAFE outside tests
--ratls-cert-ttlduration24hNoRA-TLS certificate TTL

c8s allowlist

Read and mutate the CDS-served image-digest allowlist that nri-image-policy / policy-monitor enforce. Reads are unauthenticated; writes are signed with the operator EC private key whose public half the CDS pins (cds.operatorKeys, set by install --operator-keys). See The Allowlist for usage.

SubcommandArgumentsPurpose
listlist the current allowlist
export[file]write the current allowlist JSON to a file (default stdout) for backup or re-upload
diff<file>show how an allowlist file differs from the live allowlist
add<digest> <image>add a single image digest (operator key required)
remove<digest> [<digest>...]remove one or more image digests (operator key required)
upload<file>atomically replace the entire allowlist with the contents of a file (operator key required)

Flags shared by every subcommand:

FlagTypeDefaultRequiredDescription
--urlstring""YesCDS base URL. CDS has no public ingress: reach it via a port-forward or the tls-lb. An https:// URL is verified via RA-TLS; plaintext http:// is refused without --insecure
--measurementsstring slicenilNoallowed SHA-384 hex launch measurement(s) of the attested endpoint — CDS directly, or the tls-lb's discovery evidence when fronted (repeatable / comma-separated); empty = no pinning (UNSAFE)
--measurements-filestring""Nofile of allowed launch measurements, one hex digest per line
--attestation-api-urlstring""Noattestation-api URL used to verify CDS RA-TLS evidence; required for https:// URLs unless measurements make the verification self-contained
--timeoutduration15sNoper-request timeout
--operator-keystring""Nooperator EC private key PEM file whose public key is pinned on CDS via --operator-keys (env C8S_OPERATOR_KEY; the flag wins); required for writes
-o, --outputstringtextNooutput format: text or json
--insecureboolfalseNodev/test only: allow a plaintext http:// CDS URL, skipping RA-TLS attestation of CDS

Write-subcommand flags:

FlagTypeDefaultRequiredDescription
--dry-runboolfalseNoadd, remove: print the intended change without calling CDS; upload: show the diff without replacing the allowlist
--forceboolfalseNoupload only: upload even if core c8s components are missing from the file
--requirestring slicenilNoupload only: component identifiers that must appear in the uploaded image refs (overrides the default set cds, ratls-mesh, nri-image-policy, attestation-api, nginx)

c8s cds-attest

Run the tls-lb attestation + over-encryption sidecar (the c8s-verify/v1 server side). Fronted by the tls-lb nginx (chart flag tlsLb.attest.enabled), it serves the LB's attestation at /.well-known/c8s/attestation, runs the post-quantum handshake, and forwards decrypted tunnel traffic to the backend. It's a chart-managed component, not normally run by hand — see Consumer Verification for the protocol.

FlagTypeDefaultRequiredDescription
--hoststring127.0.0.1Nolisten host (loopback: nginx proxies to it)
-p, --portint8800Nolisten port
--log-levelstringinfoNolog level: debug, info, warn, error
--attestation-api-urlstring""Noattestation-api URL (production evidence source)
--platformstringsnpNoTEE platform
--generationstringgenoaNoAMD processor generation for the browser verifier: milan | genoa | turin
--serving-cert-filestring""Nopath to the LB serving-leaf PEM (the cert nginx presents); enables the tls-cert attestation binding (?pq=false, report_data binds the leaf's SPKI), re-read per request to follow get-cert rotation
--cds-cert-filestring""Nooptional PEM (LB leaf + mesh CA) to also serve at /.well-known/c8s/cds-cert.pem; normally nginx serves this statically, so leave empty
--evidence-fixturestring""Nodev only: serve recorded SNP evidence from this file instead of the attestation-api
--session-ttlduration5mNopending-handshake TTL and established-session idle TTL
--read-header-timeoutduration5sNoHTTP read-header timeout
--upstreamstring""Nobackend base URL to forward decrypted traffic to (http:// rides the RA-TLS mesh; https:// does mTLS). Empty uses an echo backend (demo)
--upstream-castring""NoPEM CA bundle to verify an https upstream (the mesh CA)
--upstream-certstring""Noclient cert presented to an https upstream (the CDS-issued LB cert)
--upstream-keystring""Noclient key for --upstream-cert
--upstream-server-namestring""NoSNI / verification name for an https upstream

c8s verify

Verify a deployed component's TEE attestation against the AMD signature chain and a pinned launch measurement. Verification runs in-process with attestation-go (the Go port of the attestation-rs engine the cluster runs) — no container runtime is needed; the only requirement is outbound HTTPS to AMD KDS (kdsintf.amd.com) to fetch the VCEK for a bare report. Takes a [target] (a URL or host:port) as its positional argument, or --url. c8s cds verify is the same command with CDS presets (--kind cds, default port 8443); --mode stays auto, which resolves to ratls-cert for a CDS target. See the verification guide for the end-to-end workflow.

FlagTypeDefaultRequiredDescription
--urlstring""Notarget URL or host:port (alternative to the positional argument)
--kindstringautoNocomponent being verified: cds, lb, workload, or auto
--modestringautoNoevidence mode: auto, ratls-cert, discovery, or attestation-endpoint
--discovery-pathstring/v1/discoveryNopath of the LB discovery document (discovery mode)
--server-namestring""NoTLS SNI server name (for port-forward / routed domains)
--timeoutduration15sNoper-attempt timeout
--from-filestring""Noverify evidence from a saved PEM certificate or attestation-response JSON instead of dialing
--measurementsstring slicenilNoallowed SHA-384 hex launch measurement(s) (repeatable / comma-separated); empty = no pinning (UNSAFE)
--measurements-filestring""Nofile of allowed launch measurements, one hex digest per line
--allow-debugboolfalseNoaccept debug-enabled guests
--min-tcb-bootloaderuint0Nominimum bootloader TCB component (0–255)
--min-tcb-teeuint0Nominimum TEE TCB component (0–255)
--min-tcb-snpuint0Nominimum SNP firmware TCB component (0–255)
--min-tcb-microcodeuint0Nominimum microcode TCB component (0–255)
--expected-report-datastring""Nohex REPORTDATA override for bare evidence files (up to 64 bytes, zero-padded)
-o, --outputstringtextNooutput format: text or json
--show-evidenceboolfalseNoprint the raw report fields

Exit codes are a CI contract: 0 verified · 1 usage · 2 verification/policy failed · 3 evidence unavailable (unreachable / unparseable).

c8s get-cert

Obtain a signed certificate via the CDS attestation flow. Requires --cds-url, --attestation-api-url, and --san.

FlagTypeDefaultRequiredDescription
--cds-urlstring""YesURL of the CDS service (e.g. https://cds:8443)
--cds-measurementsstring""Nocomma-separated SHA-384 hex launch measurements for CDS RA-TLS verification (empty = accept any attested CDS)
--attestation-api-urlstring""YesURL of the local attestation-api (e.g. http://localhost:8400)
-o, --outstring""Nopath to write the signed certificate chain PEM (stdout if omitted)
--ca-outstring""Nopath to write just the mesh CA bundle PEM (the issuer certs trailing the leaf in the CDS chain), e.g. for nginx to serve at a discovery endpoint without a separate ConfigMap
--keystring""Nopath to a PEM private key to use for the CSR (ephemeral if omitted)
--key-outstring""Nopath to write the generated private key PEM (ephemeral keys only)
--key-modestring0600Nooctal mode for generated private key
--sanstring""YesSubject Alternative Name for the certificate (IP address or hostname)
-v, --verboseboolfalseNoenable debug logging
--renew-intervalduration0Nore-obtain the certificate at this interval (0 = run once and exit)
--initial-retry-timeoutduration2mNoretry the first certificate request in-process for up to this long before failing, so a transient CDS/mesh outage during a roll does not crash the init container into kubelet backoff (0 = try once)
--initial-retry-intervalduration2sNodelay between in-process retries of the first certificate request
--reload-nginxbooltrueNoSIGHUP nginx after certificate renewal or watched file changes
--continue-on-initial-errorboolfalseNoin renewal mode, keep running when the first certificate request fails
--reload-watchstring arraynilNofile path to poll for changes and reload nginx when it changes (repeatable)
--reload-watch-intervalduration1mNopoll interval for --reload-watch paths
--discovery-outstring""Nopath to write JSON discovery metadata for the issued certificate and attestation evidence
--discovery-cds-cert-urlstring""Nopublic URL path where the CDS certificate PEM is served
--discovery-mesh-ca-urlstring""Nopublic URL path where the mesh CA PEM is served
--discovery-public-tls-modestringcdsNopublic TLS mode to report in discovery metadata (cds or webpki)

c8s ratls-mesh

Run the RA-TLS L4 mesh proxy or its iptables side commands.

FlagTypeDefaultRequiredDescription
--platformstringautoNoTEE platform: sev-snp, tdx, or auto (probes /dev/{tdx_guest,sev-guest})
--attestation-api-urlstring""NoURL of the local attestation-api (e.g. http://localhost:8400)
--outbound-portint15001Nooutbound listener port (intercepted app traffic)
--inbound-portint15006Noinbound listener port (RA-TLS from peer nodes)
--node-ipstring""Nothis node's IP (auto-detected from NODE_IP env if unset)
--cert-dns-sanstring""NoDNS SAN placed on the CDS-issued mesh cert (must match CDS --dns-san-pattern; empty omits SANs). Not used for peer verification, which is attestation-based
--log-levelstringinfoNolog level: debug, info, warn, error
--dial-timeoutduration5sNoplain TCP dial timeout
--tls-dial-timeoutduration10sNoRA-TLS dial timeout
--dest-header-timeoutduration5sNoinbound destination header read timeout
--drain-timeoutduration30sNograceful shutdown drain timeout
--keepaliveduration30sNoTCP keepalive interval (0 to disable)
--idle-timeoutduration0Noclose connections idle longer than this (0=disabled)
--max-connsint0Nomax concurrent connections (0=unlimited)
--max-conns-per-sourceint0Nomax concurrent connections per source IP (0=unlimited)
--health-portint15021Nohealth/metrics HTTP port
--measurementsstring""Nocomma-separated hex SHA-384 launch measurements (empty = accept any TEE)
--cert-ttlduration24hNoRA-TLS certificate lifetime (rotates at 50%)
--rotation-timeoutduration30sNomax time for background certificate rotation
--cert-modestringself-signedNocertificate mode: self-signed (default), or cds (boots self-signed, upgrades to CDS-issued in background)
--cds-urlstring""NoCDS service URL for attestation and CA bundle retrieval (required for cds mode)
--ca-certstring""Nopath to CA certificate file for peer verification
--ca-poll-intervalduration5mNointerval to poll CDS /ca for CA bundle updates
--cds-measurementsstring""Nocomma-separated SHA-384 hex launch measurements that CDS's RA-TLS peer cert must match; empty = accept any (UNSAFE outside development)
--session-cache-sizeint64NoTLS session cache size per node (0 disables session resumption)
--access-logbooltrueNoemit per-connection structured access log
--cert-pipeline-probe-urlstring""NoCDS /readyz URL for pipeline health probing (empty = disabled)
--cds-retry-backoffduration2sNoinitial backoff duration for CDS certificate upgrade retries
--cds-retry-max-backoffduration60sNomaximum backoff duration for CDS certificate upgrade retries
--max-dest-header-sizeint256Nomaximum destination header size in bytes
--pipe-buffer-sizeint32768Nobuffer size for TCP pipe forwarding
--accept-error-thresholdint6410Noconsecutive accept errors before marking unhealthy
--health-read-timeoutduration5sNohealth server read timeout
--health-write-timeoutduration10sNohealth server write timeout
--metrics-update-intervalduration10sNointerval for resolver cache and cert expiry metric updates
--local-cidr-boot-timeoutduration1sNosynchronous retry budget at startup for host pod-network CIDR discovery; past this the mesh falls through to the async refresh loop and local-destination validation uses Kubernetes pod HostIP ownership until discovery recovers
--iptables-metrics-filestring/tmp/ratls-iptables-metrics.jsonNoshared file where iptables-sync publishes counters (empty disables)
--cds-op-timeoutduration30sNoper-operation timeout for CDS certificate upgrade and CA bundle refresh
--cert-pipeline-probe-timeoutduration5sNoHTTP client timeout for cert pipeline health probe requests
--cert-pipeline-probe-intervalduration60sNointerval between cert pipeline health probe requests

c8s ratls-mesh iptables-sync

Watch Kubernetes pods and maintain the iptables/ipset rules that redirect mesh traffic.

FlagTypeDefaultRequiredDescription
--outbound-portint15001Nooutbound listener port
--uidint1337NoUID to exclude from redirect
--exclude-uidsstring0Nocomma-separated UIDs to skip (e.g. root=0 so kubelet/containerd can reach registries)
--exclude-source-namespacesstringkube-systemNocomma-separated local source namespaces excluded from transparent mesh interception
--node-ipstring slicenilNolocal node IP(s); repeat or comma-separate for dual-stack (one per family). Defaults to the NODE_IP env. Each address must be a non-loopback, non-unspecified IP bound to a local interface
--resync-periodduration30sNoperiodic full ipset reconciliation interval
--watchdog-periodduration2sNointerval at which the base-chain jump rules are re-asserted at position 1 (bounds the race window against kube-proxy reinserting KUBE-SERVICES)
--ipset-maxelemint262144Nomaximum members per managed ipset
--cw-inbound-passthroughstringudp:53,tcp:53Nocomma-separated proto:source-port replies exempted from the always-on cw inbound guard (which drops FORWARD-path traffic to confidential.ai/cw pods so only mesh-delivered and host-local traffic reaches them). Empty = strict drop-all; DNS is the default
--ready-filestring""Nopath to write after initial ipset and iptables sync succeeds
--iptables-metrics-filestring/tmp/ratls-iptables-metrics.jsonNoshared file where iptables-sync publishes counters (empty disables)
--log-levelstringinfoNolog level: debug, info, warn, error

The ratls-mesh iptables-cleanup subcommand takes no flags.

c8s nri-image-policy

Run the NRI image-policy plugin. Uses the standard Go flag package; most configuration comes from the YAML config file rather than CLI flags.

FlagTypeDefaultRequiredDescription
--configstring/etc/nri/conf.d/image-policy.yamlNopath to config file
--health-addrstring:8080Nohealth check listen address
--read-timeoutduration5sNoHTTP server read timeout
--write-timeoutduration10sNoHTTP server write timeout

c8s probe-file

Exit 0 if <path> exists and is non-empty — a file-existence helper for distroless containers, where /bin/test is not available. One-shot by default (for a kubelet exec probe); with --wait it blocks until the path passes (or --timeout elapses), so it can be the entrypoint of an init container that gates a workload on a file another container writes — the exec-free equivalent of a startup probe, needed on locked kata guests where exec probes are denied by policy. The non-empty check rules out passing on a half-written file.

FlagTypeDefaultRequiredDescription
--waitboolfalseNoblock until <path> passes the check instead of probing once
--poll-intervalduration1sNohow often to re-check <path> in --wait mode
--timeoutduration0Nogive up (non-zero exit) after this long in --wait mode; 0 waits forever