BEL CLI reference
In addition to the commands provided by the Linkerd CLI, the commands below are available in the BEL CLI.
buoyant diagnostics
Collects data from the Linkerd control plane or a Linkerd proxy running in a specified pod, and generates a single gzip file that can be sent to Buoyant for further analysis.
Usage
Control plane bundle:
linkerd buoyant diagnostics
Proxy bundle:
linkerd buoyant diagnostics --pod hello-5774974dbc-qlct8
Flags
| Flag | Usage |
|---|---|
-f, --file | Write the diagnostics bundle to the specified file |
-n, --namespace | Collect diagnostics for the proxy running in the specified namespace |
-p, --pod | Collect diagnostics for the proxy running in the specified pod |
-h, --help | help for diagnostics |
fips audit
Audits the usage of FIPS-validated cryptographic modules by Linkerd.
Usage
linkerd fips audit
Flags
| Flag | Usage |
|---|---|
--verbose | List each Linkerd proxy that was checked for FIPS modules |
-h, --help | help for audit |
license
Prints client license information based on the BUOYANT_LICENSE environment
variable, and the server license based on the current cluster.
Usage
linkerd license
Flags
| Flag | Usage |
|---|---|
--client | Print the client license only |
-h, --help | help for license |
policy generate
Generates policy based on current traffic.
Usage
linkerd policy generate
Flags
| Flag | Usage |
|---|---|
--concurrency | Limit of concurrent requests to the Kubernetes API (default 10) |
--disable-audit | Disable audit mode, deny traffic |
--verbose | Output detailed logging to stderr |
-h, --help | help for generate |
trust
The linkerd-trust CLI extension drives BEL’s
trust-rotation operator: it bootstraps the
initial trust bundle, inspects rotation state, and runs operator health checks.
It installs as a linkerd extension, so its subcommands are invoked as
linkerd trust <subcommand>. See the
trust-rotation configuration guide for
an end-to-end walkthrough.
All trust subcommands accept the following common flags:
| Flag | Usage |
|---|---|
--linkerd-namespace | Namespace containing the Linkerd control-plane resources (default linkerd) |
--kubeconfig | Path to the kubeconfig file to use for CLI requests |
--context | Name of the kubeconfig context to use |
--as | Username to impersonate for Kubernetes operations |
--as-group | Group to impersonate for Kubernetes operations (may be repeated; requires --as) |
--api-addr | Communicate directly with the control plane at host:port (mostly for testing) |
--verbose | Turn on debug logging |
-h, --help | help for the subcommand |
trust bundle
Renders a linkerd-identity-trust-roots ConfigMap manifest from the
cert-manager linkerd-trust-anchor Secret, writing it to standard output so it
can be piped to kubectl apply. This is used during bootstrap, before the
trust-rotation operator is installed and maintaining the trust bundle for you.
Usage
linkerd trust bundle | kubectl apply -f -
Flags
| Flag | Usage |
|---|---|
--cert-manager-namespace | Namespace containing the cert-manager trust-anchor Secret (default cert-manager) |
trust inspect
Summarizes the cluster’s TrustAnchorRotation status (current phase,
convergence conditions, and blocking messages) and reports meshed
non-control-plane pods whose trust bundle annotation or live workload
certificate chain has not yet converged.
Usage
linkerd trust inspect
linkerd trust inspect --output json
linkerd trust inspect --concurrency 50 --timeout 10s
Flags
| Flag | Usage |
|---|---|
--output | Output format, one of text, json (default text) |
--concurrency | Maximum number of pods to inspect concurrently (default 8) |
--timeout | Timeout for each port-forward and TLS probe (default 10s) |
--abbrev | Abbreviate certificate fingerprints to the first 8 characters (default true for text output, false for JSON) |
trust check
Runs health checks for the trust-rotation operator and the cert-manager-managed
Linkerd PKI resources it depends on. The output mirrors linkerd check and ends
with either Status check results are √ or Status check results are ×; it is
also invoked automatically by linkerd check.
Usage
linkerd trust check
linkerd trust check --pre
linkerd trust check -o json
Flags
| Flag | Usage |
|---|---|
-o, --output | Output format, one of table, json, short (default table) |
--pre | Only run pre-installation checks |
--wait | Maximum allowed time for all checks to pass (default 5m) |
--cert-manager-namespace | Namespace where cert-manager is installed (default cert-manager) |
--trust-root-issuer-name | Name of the cert-manager Issuer for the trust root (default linkerd-trust-root-issuer) |
--trust-anchor-certificate-name | Name of the cert-manager Certificate for the trust anchor (default linkerd-trust-anchor) |
--identity-cluster-issuer-name | Name of the cert-manager ClusterIssuer for the identity issuer (default linkerd-identity-issuer) |
--identity-issuer-certificate-name | Name of the cert-manager Certificate for the identity issuer (default linkerd-identity-issuer) |
--operator-deployment-name | Name of the trust-rotation operator Deployment (default trust-rotation-operator) |
trust version
Prints the linkerd-trust version.
Usage
linkerd trust version