generated: '2026-07-15' method: generated source: openapi/cilium-api-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 41 by_action_class: connected: 26 acting: 15 by_consequence: read: 26 write: 15 human_in_the_loop_required: 0 operations: - path: /healthz method: get operationId: getDaemonHealth x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /config method: get operationId: getDaemonConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /config method: patch operationId: patchDaemonConfig x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /cluster/nodes method: get operationId: getClusterNodes x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /debuginfo method: get operationId: getDebugInfo x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /map method: get operationId: getBPFMaps x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /node/ids method: get operationId: getNodeIDs x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /endpoint method: get operationId: listEndpoints x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /endpoint method: delete operationId: deleteEndpoints x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /endpoint/{id} method: get operationId: getEndpoint x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /endpoint/{id} method: put operationId: putEndpoint x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /endpoint/{id} method: patch operationId: patchEndpoint x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /endpoint/{id} method: delete operationId: deleteEndpoint x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /endpoint/{id}/config method: get operationId: getEndpointConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /endpoint/{id}/config method: patch operationId: patchEndpointConfig x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /endpoint/{id}/labels method: get operationId: getEndpointLabels x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /endpoint/{id}/labels method: patch operationId: patchEndpointLabels x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /endpoint/{id}/log method: get operationId: getEndpointLog x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /endpoint/{id}/healthz method: get operationId: getEndpointHealth x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity method: get operationId: listIdentities x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/{id} method: get operationId: getIdentity x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/endpoints method: get operationId: getLocalEndpointIdentities x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /policy/selectors method: get operationId: getPolicySelectors x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /fqdn/cache method: get operationId: getFQDNCache x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /fqdn/cache method: delete operationId: deleteFQDNCache x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /fqdn/names method: get operationId: getFQDNNames x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /ipam method: post operationId: allocateIPAddress x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /ipam/{ip} method: post operationId: allocateSpecificIPAddress x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /ipam/{ip} method: delete operationId: releaseIPAddress x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /ip method: get operationId: listIPAddresses x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /service method: get operationId: listServices x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /service/{id} method: get operationId: getService x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /service/{id} method: put operationId: putService x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /service/{id} method: delete operationId: deleteService x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /lrp method: get operationId: listLocalRedirectPolicies x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /prefilter method: get operationId: getPrefilterConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /prefilter method: patch operationId: patchPrefilterConfig x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /prefilter method: delete operationId: deletePrefilterConfig x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /bgp/peers method: get operationId: getBGPPeers x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /bgp/routes method: get operationId: getBGPRoutes x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /bgp/route-policies method: get operationId: getBGPRoutePolicies x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none