Cilium · Agentic Access
Cilium Agentic Access
x-agentic-access
generated
Cilium exposes 41 API operations that an AI agent could call, of which 15 are state-changing ‘acting’ operations. This is a recommended x-agentic-access execution contract — the scope, audience, consequence tier, short-lived token constraints, and escalation each action should carry before it is handed to an autonomous agent.
By consequence: 26 read and 15 write.
Contracts are classified heuristically from the provider’s OpenAPI and refresh on every APIs.io network build; audience is bound per deployment. The model follows Curity’s Access Intelligence (apidays Munich 2026). Browse every provider’s agent contracts at agentic-access.apis.io.
Cloud NativeeBPFKubernetesNetworkingSecurity
Operations: 41
Acting: 15
Human-in-the-loop: 0
Method: generated
By consequence
read 26
write 15
Source
Agentic Access
generated: '2026-07-15'
method: generated
source: openapi/cilium-api-openapi.yml
description: Recommended x-agentic-access execution contracts, classified heuristically from
the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind
audience per deployment. See research/curity/agentic-governance/.
summary:
operations: 41
by_action_class:
connected: 26
acting: 15
by_consequence:
read: 26
write: 15
human_in_the_loop_required: 0
operations:
- path: /healthz
method: get
operationId: getDaemonHealth
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /config
method: get
operationId: getDaemonConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /config
method: patch
operationId: patchDaemonConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /cluster/nodes
method: get
operationId: getClusterNodes
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /debuginfo
method: get
operationId: getDebugInfo
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /map
method: get
operationId: getBPFMaps
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /node/ids
method: get
operationId: getNodeIDs
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /endpoint
method: get
operationId: listEndpoints
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /endpoint
method: delete
operationId: deleteEndpoints
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /endpoint/{id}
method: get
operationId: getEndpoint
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /endpoint/{id}
method: put
operationId: putEndpoint
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /endpoint/{id}
method: patch
operationId: patchEndpoint
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /endpoint/{id}
method: delete
operationId: deleteEndpoint
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /endpoint/{id}/config
method: get
operationId: getEndpointConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /endpoint/{id}/config
method: patch
operationId: patchEndpointConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /endpoint/{id}/labels
method: get
operationId: getEndpointLabels
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /endpoint/{id}/labels
method: patch
operationId: patchEndpointLabels
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /endpoint/{id}/log
method: get
operationId: getEndpointLog
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /endpoint/{id}/healthz
method: get
operationId: getEndpointHealth
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity
method: get
operationId: listIdentities
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/{id}
method: get
operationId: getIdentity
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/endpoints
method: get
operationId: getLocalEndpointIdentities
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /policy/selectors
method: get
operationId: getPolicySelectors
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /fqdn/cache
method: get
operationId: getFQDNCache
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /fqdn/cache
method: delete
operationId: deleteFQDNCache
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /fqdn/names
method: get
operationId: getFQDNNames
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /ipam
method: post
operationId: allocateIPAddress
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /ipam/{ip}
method: post
operationId: allocateSpecificIPAddress
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /ipam/{ip}
method: delete
operationId: releaseIPAddress
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /ip
method: get
operationId: listIPAddresses
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /service
method: get
operationId: listServices
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /service/{id}
method: get
operationId: getService
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /service/{id}
method: put
operationId: putService
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /service/{id}
method: delete
operationId: deleteService
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /lrp
method: get
operationId: listLocalRedirectPolicies
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /prefilter
method: get
operationId: getPrefilterConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /prefilter
method: patch
operationId: patchPrefilterConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /prefilter
method: delete
operationId: deletePrefilterConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /bgp/peers
method: get
operationId: getBGPPeers
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /bgp/routes
method: get
operationId: getBGPRoutes
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /bgp/route-policies
method: get
operationId: getBGPRoutePolicies
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none