Skip to content

Lucid CLI Reference

The Lucid CLI (lucid) is used for managing clusters, auditors, and deployments.

lucid

Usage:

console $ lucid [OPTIONS] COMMAND [ARGS]...

Options:

  • --install-completion: Install completion for the current shell.
  • --show-completion: Show completion for the current shell, to copy it or customize the installation.
  • --help: Show this message and exit.

Commands:

  • verify: Verify an auditor image's contract and...
  • publish: Verify, sign, and push an auditor image.

lucid verify

Verify an auditor image's contract and labels.

This command performs a 'compliance probe' on a local container image to ensure it meets the Lucid Auditor Standard. It checks: 1. OCI Labels: Required metadata like fields, version, and phase. 2. API Contract: Starts an ephemeral instance and probes /health and /audit.

Args: image: The tag of the local Docker image to verify (e.g., 'compliance-auditor:v1').

Usage:

console $ lucid verify [OPTIONS] IMAGE

Arguments:

  • IMAGE: [required]

Options:

  • --help: Show this message and exit.

lucid publish

Verify, sign, and push an auditor image.

This is the primary way to release an Auditor to the Lucid network. It performs the following steps: 1. Verify: Runs the lucid auditor verify suite. 2. Sign: Calculates the image digest and signs it using the API key (HMAC). 3. Push: Uploads the image to the specified container registry. 4. Notarize: Registers the signed digest with the centralized Verifier service.

Args: image: The local image tag to publish. registry: The target container registry (e.g., 'ghcr.io/my-org'). If not provided, skips the push step and only notarizes. api_key: Lucid API Key for authentication and signing. Defaults to LUCID_API_KEY env var.

Usage:

console $ lucid publish [OPTIONS] IMAGE

Arguments:

  • IMAGE: [required]

Options:

  • --registry TEXT
  • --api-key TEXT
  • --help: Show this message and exit.

lucid

Usage:

console $ lucid [OPTIONS] COMMAND [ARGS]...

Options:

  • --install-completion: Install completion for the current shell.
  • --show-completion: Show completion for the current shell, to copy it or customize the installation.
  • --help: Show this message and exit.

Commands:

  • setup: Setup the Lucid Operator and TEE...
  • status: Show the status of Lucid infrastructure in...

lucid setup

Setup the Lucid Operator and TEE infrastructure in the current K8s cluster.

This bootstrap command prepares a generic Kubernetes cluster for Lucid workloads. It performs the following: 1. Direct Namespace Creation: Creates lucid-system. 2. TLS Provisioning: Generates (mock) TLS certificates for the Admission Webhook. 3. Operator Deployment: Deploys the lucid-operator Deployment and Service. 4. Node Labeling: Optionally labels nodes to accept TEE workloads.

Args: namespace: Target K8s namespace for system components. operator_image: Container image for the Lucid Operator. force: If True, overwrite existing secrets/resources. label_nodes: Whether to label all nodes with lucid.io/role=tee-workload. mock: Optimizes deployment for MOCK mode (simulated TEE on standard hardware).

Usage:

console $ lucid setup [OPTIONS]

Options:

  • --namespace TEXT: [default: lucid-system]
  • --operator-image TEXT: Operator image (defaults to LUCID_REGISTRY/lucid-operator:LUCID_TAG or lucid-operator:latest)
  • --force / --no-force: [default: no-force]
  • --label-nodes: Label all nodes with lucid.io/role=tee-workload
  • --mock: Apply MOCK mode (software attestation) to the operator
  • --help: Show this message and exit.

lucid status

Show the status of Lucid infrastructure in the current cluster.

This command provides a comprehensive overview of: - Current kubectl context - Lucid Operator deployment status - TEE-ready nodes availability - Secured pods running in the cluster - Auditor chain configuration

Examples:

# Show cluster status
lucid cluster status

# Show detailed status
lucid cluster status -v

# Check status in custom namespace
lucid cluster status -n my-lucid-namespace

Usage:

console $ lucid status [OPTIONS]

Options:

  • -n, --namespace TEXT: Namespace where Lucid Operator is installed [default: lucid-system]
  • -v, --verbose: Show detailed information
  • --help: Show this message and exit.

lucid

Usage:

console $ lucid [OPTIONS] COMMAND [ARGS]...

Options:

  • --install-completion: Install completion for the current shell.
  • --show-completion: Show completion for the current shell, to copy it or customize the installation.
  • --help: Show this message and exit.

Commands:

  • gcp: Manage GCP TEE infrastructure
  • azure: Manage Azure TEE infrastructure

lucid gcp

Manage GCP TEE infrastructure

Usage:

console $ lucid gcp [OPTIONS] COMMAND [ARGS]...

Options:

  • --help: Show this message and exit.

Commands:

  • init: Initialize GCP infrastructure for TEE (GKE...

lucid gcp init

Initialize GCP infrastructure for TEE (GKE Confidential Nodes + WIF).

This command orchestrates the setup of a Google Kubernetes Engine (GKE) cluster optimized for Confidential Computing. It enables necessary APIs (Compute Engine, Kubernetes Engine) and creates a cluster with SEV-SNP Confidential Nodes enabled.

Args: project_id: The GCP Project ID to deploy into. cluster_name: Name of the cluster to create. region: GCP region (must support confidential computing, e.g., us-central1).

Usage:

console $ lucid gcp init [OPTIONS]

Options:

  • --project-id TEXT: GCP Project ID [required]
  • --cluster-name TEXT: [default: lucid-tee-cluster]
  • --region TEXT: [default: us-central1]
  • --help: Show this message and exit.

lucid azure

Manage Azure TEE infrastructure

Usage:

console $ lucid azure [OPTIONS] COMMAND [ARGS]...

Options:

  • --help: Show this message and exit.

Commands:

  • init: Initialize Azure infrastructure for TEE...

lucid azure init

Initialize Azure infrastructure for TEE (AKS + Confidential VMs).

Provision an Azure Kubernetes Service (AKS) cluster capable of running Confidential Containers (CoCo) via Confidential VMs (CVM) or Intel SGX enclaves.

Args: resource_group: The Azure permissions boundary (Resource Group). cluster_name: Name of the AKS cluster.

Usage:

console $ lucid azure init [OPTIONS]

Options:

  • --resource-group TEXT: Azure Resource Group [required]
  • --cluster-name TEXT: [default: lucid-aks-tee]
  • --help: Show this message and exit.

lucid

Deploy a workload to Kubernetes with automatic TEE enforcement.

The CLI prepares manifests with labels and env vars. The Lucid Operator (running in the cluster) handles sidecar injection.

Usage:

console $ lucid [OPTIONS]

Options:

  • -f, --file TEXT: Manifest file to deploy [required]
  • --tee / --no-tee: Enable TEE mode (adds labels for Operator injection) [default: tee]
  • --runtime-class TEXT: [default: kata-remote]
  • --mock: Configure for mock/local mode (use SDK policies)
  • -a, --auditors TEXT: Path to auditor configuration file
  • --install-completion: Install completion for the current shell.
  • --show-completion: Show completion for the current shell, to copy it or customize the installation.
  • --help: Show this message and exit.

lucid

View logs from Lucid-secured pods and auditor sidecars.

Provides convenient access to attestation logs without needing to remember kubectl label selectors.

Use lucid logs view to view logs, or run lucid logs --help for all commands.

Usage:

console $ lucid [OPTIONS] COMMAND [ARGS]...

Options:

  • --install-completion: Install completion for the current shell.
  • --show-completion: Show completion for the current shell, to copy it or customize the installation.
  • --help: Show this message and exit.

Commands:

  • view: View logs from Lucid-secured pods and...
  • pods: List all Lucid-secured pods in the cluster.
  • containers: List all containers in a specific...

lucid view

View logs from Lucid-secured pods and auditor sidecars.

This command provides easy access to logs from pods with the lucid.io/secured=true label, including all injected auditor sidecars.

Examples:

# View recent logs from secured pods in default namespace
lucid logs view

# Follow logs in real-time
lucid logs view -f

# View logs from a specific namespace
lucid logs view -n production

# Filter by auditor component
lucid logs view -c pii-auditor

# View logs from all namespaces
lucid logs view -A

# Show logs from last 30 minutes
lucid logs view --since 30m

Usage:

console $ lucid view [OPTIONS]

Options:

  • -n, --namespace TEXT: Kubernetes namespace to query logs from [default: default]
  • -f, --follow: Follow log output (stream logs)
  • -c, --component TEXT: Filter logs by auditor component name (e.g., 'pii-auditor', 'attestation-service')
  • --tail INTEGER: Number of recent log lines to show (use -1 for all) [default: 100]
  • -A, --all-namespaces: Query logs from all namespaces
  • -t, --timestamps: Include timestamps in log output
  • --since TEXT: Show logs since a relative duration (e.g., '5m', '1h', '2h30m')
  • -p, --pod TEXT: Filter logs from a specific pod name (partial match supported)
  • --help: Show this message and exit.

lucid pods

List all Lucid-secured pods in the cluster.

Shows pods with the lucid.io/secured=true label along with their status and the number of containers (including injected sidecars).

Examples:

# List secured pods in default namespace
lucid logs pods

# List all secured pods across namespaces
lucid logs pods -A

Usage:

console $ lucid pods [OPTIONS]

Options:

  • -n, --namespace TEXT: Kubernetes namespace to query [default: default]
  • -A, --all-namespaces: List secured pods from all namespaces
  • --help: Show this message and exit.

lucid containers

List all containers in a specific Lucid-secured pod.

Shows the main application container along with all injected auditor sidecars, useful for filtering logs by component.

Example:

lucid logs containers my-app-pod-abc123 -n production

Usage:

console $ lucid containers [OPTIONS] POD

Arguments:

  • POD: Name of the pod to inspect [required]

Options:

  • -n, --namespace TEXT: Kubernetes namespace of the pod [default: default]
  • --help: Show this message and exit.