• Stars
    star
    3,452
  • Rank 12,926 (Top 0.3 %)
  • Language Makefile
  • License
    Apache License 2.0
  • Created about 5 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Hubble - Network, Service & Security Observability for Kubernetes using eBPF
Hubble Logo

License


Network, Service & Security Observability for Kubernetes

What is Hubble?

Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

Hubble can answer questions such as:

Service dependencies & communication map:

  • What services are communicating with each other? How frequently? What does the service dependency graph look like?
  • What HTTP calls are being made? What Kafka topics does a service consume from or produce to?

Operational monitoring & alerting:

  • Is any network communication failing? Why is communication failing? Is it DNS? Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)?
  • Which services have experienced a DNS resolution problems in the last 5 minutes? Which services have experienced an interrupted TCP connection recently or have seen connections timing out? What is the rate of unanswered TCP SYN requests?

Application monitoring:

  • What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters?
  • What is the 95th and 99th percentile latency between HTTP requests and responses in my cluster? Which services are performing the worst? What is the latency between two services?

Security observability:

  • Which services had connections blocked due to network policy? What services have been accessed from outside the cluster? Which services have resolved a particular DNS name?

Why Hubble?

The Linux kernel technology eBPF is enabling visibility into systems and applications at a granularity and efficiency that was not possible before. It does so in a completely transparent way, without requiring the application to change or for the application to hide information. By building on top of Cilium, Hubble can leverage eBPF for visibility. By leveraging eBPF, all visibility is programmable and allows for a dynamic approach that minimizes overhead while providing deep and detailed insight where required. Hubble has been created and specifically designed to make best use of these new eBPF powers.

Releases

Since the release of v0.8, the Hubble CLI is backward compatible with all supported Cilium releases. For this reason, only the latest Hubble CLI version is maintained.

Version Release Date Maintained Supported Cilium Version Artifacts
v0.11 2023-06-07 (v0.11.6) Yes Cilium 1.13 and older GitHub Release
v0.10 2022-06-22 (v0.10.0) No Cilium 1.12 and older GitHub Release
v0.9 2021-11-30 (v0.9.0) No Cilium 1.11 and older GitHub Release
v0.8 2021-09-10 (v0.8.2) No Cilium 1.10 and older GitHub Release
v0.7 2020-10-22 (v0.7.1) No Cilium 1.9 and older GitHub Release
v0.6 2020-05-29 (v0.6.1) No Cilium 1.8 GitHub Release
v0.5 2020-07-28 (v0.5.2) No Cilium 1.7 GitHub Release

Component Stability

Hubble project consists of several components (see Architecture section).

While the core Hubble components have been running in production in multiple environments, new components continue to emerge as the project grows and expands in scope.

Some components, due to their relatively young age, are still considered beta and have to be used with caution in critical production workloads.

Component Area State
Hubble CLI Core Stable
Hubble Server Core Stable
Hubble Metrics Core Stable
Hubble Relay Multinode Stable
Hubble UI UI Beta

Architecture

Hubble Architecture

Getting Started

Features

Service Dependency Graph

Troubleshooting microservices application connectivity is a challenging task. Simply looking at "kubectl get pods" does not indicate dependencies between each service or external APIs or databases.

Hubble enables zero-effort automatic discovery of the service dependency graph for Kubernetes Clusters at L3/L4 and even L7, allowing user-friendly visualization and filtering of those dataflows as a Service Map.

See Hubble Service Map Tutorial for more examples.

Service Map

Metrics & Monitoring

The metrics and monitoring functionality provides an overview of the state of systems and allow to recognize patterns indicating failure and other scenarios that require action. The following is a short list of example metrics, for a more detailed list of examples, see the Metrics Documentation.

Networking Behavior

Networking

Network Policy Observation

Network Policy

HTTP Request/Response Rate & Latency

HTTP

DNS Request/Response Monitoring

DNS

Flow Visibility

Flow visibility provides visibility into flow information on the network and application protocol level. This enables visibility into individual TCP connections, DNS queries, HTTP requests, Kafka communication, and much more.

DNS Resolution

Identifying pods which have received DNS response indicating failure:

hubble observe --since=1m -t l7 -j \
   | jq 'select(.l7.dns.rcode==3) | .destination.namespace + "/" + .destination.pod_name' \
   | sort | uniq -c | sort -r
  42 "starwars/jar-jar-binks-6f5847c97c-qmggv"

Successful query & response:

starwars/x-wing-bd86d75c5-njv8k            kube-system/coredns-5c98db65d4-twwdg      DNS Query deathstar.starwars.svc.cluster.local. A
kube-system/coredns-5c98db65d4-twwdg       starwars/x-wing-bd86d75c5-njv8k           DNS Answer "10.110.126.213" TTL: 3 (Query deathstar.starwars.svc.cluster.local. A)

Non-existent domain:

starwars/jar-jar-binks-789c4b695d-ltrzm    kube-system/coredns-5c98db65d4-f4m8n      DNS Query unknown-galaxy.svc.cluster.local. A
starwars/jar-jar-binks-789c4b695d-ltrzm    kube-system/coredns-5c98db65d4-f4m8n      DNS Query unknown-galaxy.svc.cluster.local. AAAA
kube-system/coredns-5c98db65d4-twwdg       starwars/jar-jar-binks-789c4b695d-ltrzm   DNS Answer RCode: Non-Existent Domain TTL: 4294967295 (Query unknown-galaxy.starwars.svc.cluster.local. A)
kube-system/coredns-5c98db65d4-twwdg       starwars/jar-jar-binks-789c4b695d-ltrzm   DNS Answer RCode: Non-Existent Domain TTL: 4294967295 (Query unknown-galaxy.starwars.svc.cluster.local. AAAA)

HTTP Protocol

Successful request & response with latency information:

starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    HTTP/1.1 GET http://deathstar/
starwars/deathstar-695d8f7ddc-lvj84:80     starwars/x-wing-bd86d75c5-njv8k:53410     HTTP/1.1 200 1ms (GET http://deathstar/)

TCP/UDP Packets

Successful TCP connection:

starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    TCP Flags: SYN
deathstar.starwars.svc.cluster.local:80    starwars/x-wing-bd86d75c5-njv8k:53410     TCP Flags: SYN, ACK
starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    TCP Flags: ACK, FIN
deathstar.starwars.svc.cluster.local:80    starwars/x-wing-bd86d75c5-njv8k:53410     TCP Flags: ACK, FIN

Connection timeout:

starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN
starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN
starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN

Network Policy Behavior

Denied connection attempt:

starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN
starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN
starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN

Specifying Raw Flow Filters

Hubble supports extensive set of filtering options that can be specified as a combination of allowlist and denylist. Hubble applies these filters as follows:

for each flow:
  if flow does not match any of the allowlist filters:
    continue
  if flow matches any of the denylist filters:
    continue
  send flow to client

You can pass these filters to hubble observe command as JSON-encoded FlowFilters. For example, to observe flows that match the following conditions:

  • Either the source or destination identity contains k8s:io.kubernetes.pod.namespace=kube-system or reserved:host label, AND

  • Neither the source nor destination identity contains k8s:k8s-app=kube-dns label:

    hubble observe \
      --allowlist '{"source_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}' \
      --allowlist '{"destination_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}' \
      --denylist '{"source_label":["k8s:k8s-app=kube-dns"]}' \
      --denylist '{"destination_label":["k8s:k8s-app=kube-dns"]}'
    

Alternatively, you can also specify these flags as HUBBLE_{ALLOWLIST,DENYLIST} environment variables:

cat > allowlist.txt <<EOF
{"source_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}
{"destination_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}
EOF

cat > denylist.txt <<EOF
{"source_label":["k8s:k8s-app=kube-dns"]}
{"destination_label":["k8s:k8s-app=kube-dns"]}
EOF

HUBBLE_ALLOWLIST=$(cat allowlist.txt)
HUBBLE_DENYLIST=$(cat denylist.txt)
export HUBBLE_ALLOWLIST
export HUBBLE_DENYLIST

hubble observe

Note that --allowlist and --denylist filters get included in the request in addition to regular flow filters like --label or --namespace. Use --print-raw-filters flag to verify the exact filters that the Hubble CLI generates. For example:

% hubble observe --print-raw-filters \
    -t drop \
    -n kube-system \
    --not --label "k8s:k8s-app=kube-dns" \
    --allowlist '{"source_label":["k8s:k8s-app=my-app"]}'
allowlist:
- '{"source_pod":["kube-system/"],"event_type":[{"type":1}]}'
- '{"destination_pod":["kube-system/"],"event_type":[{"type":1}]}'
- '{"source_label":["k8s:k8s-app=my-app"]}'
denylist:
- '{"source_label":["k8s:k8s-app=kube-dns"]}'
- '{"destination_label":["k8s:k8s-app=kube-dns"]}'

The output YAML can be saved to a file and passed to hubble observe command with --config flag. For example:

% hubble observe --print-raw-filters --allowlist '{"source_label":["k8s:k8s-app=my-app"]}' > filters.yaml
% hubble observe --config ./filters.yaml

Community

Join the Cilium Slack #hubble channel to chat with Cilium Hubble developers and other Cilium / Hubble users. This is a good place to learn about Hubble and Cilium, ask questions, and share your experiences.

Learn more about Cilium.

Authors

Hubble is an open source project licensed under the Apache License. Everybody is welcome to contribute. The project is following the Governance Rules of the Cilium project. See CONTRIBUTING for instructions on how to contribute and details of the Code of Conduct.

More Repositories

1

cilium

eBPF-based Networking, Security, and Observability
Go
19,773
star
2

ebpf

ebpf-go is a pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.
Go
6,227
star
3

tetragon

eBPF-based Security Observability and Runtime Enforcement
Go
3,519
star
4

pwru

Packet, where are you? -- eBPF-based Linux kernel networking debugger
C
2,718
star
5

cilium-cli

CLI to install, manage & troubleshoot Kubernetes clusters running Cilium
Makefile
413
star
6

hubble-ui

Observability & Troubleshooting for Kubernetes Services
TypeScript
386
star
7

proxy

Envoy with Cilium filters
C++
135
star
8

k8s-iptables-diagram

Diagram of Kubernetes / kube-proxy iptables rules architecture
106
star
9

cilium-service-mesh-beta

Instructions and issue tracking for Service Mesh capabilities of Cilium
104
star
10

hubble-otel

Hubble adaptor for OpenTelemetry
Go
69
star
11

little-vm-helper

tool for building and running VMs for development and testing
Go
58
star
12

cilium-perf-networking

Utilities for Cilium networking performance evaluation
Shell
55
star
13

team-manager

Bot to manage team members in GitHub organizations
Go
51
star
14

bpf-map

Generic tool to inspect BPF maps
Go
43
star
15

charts

Helm charts repository for the Cilium project
Shell
39
star
16

coverbee

Code coverage tooling for eBPF
Go
34
star
17

cilium.io

Cilium project website
JavaScript
34
star
18

statedb

In-memory state database for Go
Go
30
star
19

star-wars-demo

Cilium Star Wars Demo
Shell
28
star
20

chaos-testing-examples

Examples of using Cilium for chaos testing and fault injection
Shell
27
star
21

design-cfps

Repo to store Cilium CFP design docs
27
star
22

cilium-etcd-operator

Operator to manage Cilium's etcd cluster
Go
26
star
23

workerpool

Run tasks concurrently with limits
Go
26
star
24

k8s-1abel

Kubernetes YAML/JSON survival kit
TypeScript
22
star
25

certgen

A convenience tool to generate and store certificates for Hubble Relay mTLS
Go
20
star
26

fake

A Go library to generate random data for testing and/or performance evaluation
Go
19
star
27

image-tools

Dockerfiles for cilium-runtime and cilium-builder dependencies
Shell
17
star
28

microscope

[DEPRECATED: See https://github.com/cilium/hubble/] Gather monitor data data from all cilium nodes in your cluster
Python
17
star
29

cilium-sysdump

Tool to collect system information to troubleshoot Cilium & Hubble related issues
Python
16
star
30

ci-kernels

A collection of kernels used for CI builds
Shell
14
star
31

installfest

Documentation and resources for Cilium Installfest
14
star
32

echoserver

k8s.gcr.io/echoserver fork
Dockerfile
13
star
33

json-mock

Simple container image for json-server to mock REST/JSON APIs
Makefile
13
star
34

little-vm-helper-images

Dockerfile
12
star
35

community

Here you can find community content around Cilium
Shell
11
star
36

hive

Hive dependency injection
Go
11
star
37

cilium-olm

Smarty
10
star
38

packer-ci-build

Contains the scripts and data for building the Cilium CI testing VM.
Shell
10
star
39

scaffolding

Set of tools and resources for automating performance tests.
Go
9
star
40

cilium-l4lb-test

Repo for containing scripts to test Cilium's L4LB
C
9
star
41

ipam

Go
8
star
42

gke

Guide & scripts for deploying Cilium on GKE
Shell
7
star
43

clustermesh-apiserver

API server for ClusterMesh
Go
7
star
44

client-example

Cilium API example
Go
7
star
45

chaos-monkeys

Base infrastructure plus collection of tests to assist in the Cilium chaos testing efforts
Shell
7
star
46

release

Repository used to generate release notes for Cilium releases
Go
6
star
47

alpine-curl

Container image for curl client
Makefile
6
star
48

misc-scripts

Misc netperf scripts
Shell
5
star
49

github-actions

Repository dedicated for the GitHub actions logic executed in cilium/cilium. Also known as the maintainer's little helper (MLH).
Go
5
star
50

docsearch-scraper-webhook

Python
5
star
51

xdp-config

XDP config quirks / troubleshooting documents
Shell
5
star
52

arping

Go
5
star
53

kube-apate

Go
4
star
54

clustermesh-tools

Tooling to set up a cluster mesh
Shell
4
star
55

cilium-perf-test

Go
4
star
56

terraform-gke-ci-management-cluster

Terraform module for GKE CI management cluster
HCL
4
star
57

stream

Reactive streams for Go
Go
4
star
58

openshift-terraform-upi

HCL
3
star
59

customvet

Custom Go Vet tool for the Cilium Repository
Go
3
star
60

starwars-docker

Deathstar as a Service
Go
2
star
61

ubuntu-curl

Container image for curl client
Makefile
2
star
62

linters

Go
2
star
63

star-wars-demo-automated

Shell
2
star
64

helm-toolbox

Set of tools that are useful for linting helm charts and generating documentation
Dockerfile
2
star
65

echoserver-udp

Container image serving a dynamic TFTP page similar to cilium/echoserver
Go
2
star
66

kustomize-bases

A collection of kustomize bases used for demos
2
star
67

.github

2
star
68

scruffy

Utility to garbage collect docker image tags from quay.io
Go
1
star
69

reusable-workflows

1
star
70

bpf-ci-scripts

Make testing BPF trees easier with Jenkins
Shell
1
star
71

ebpf.io-summit

JavaScript
1
star
72

stale-rules

A tool to detect and remove stale routing rules
Go
1
star
73

go-bindata

Go
1
star
74

log-gatherer

Dockerfile
1
star
75

api-router

Simple HTTP API router
Go
1
star
76

state-writer

Restore endpoint state from API and write to disk
Go
1
star
77

graceful-termination-test-apps

Apps to test graceful termination
Go
1
star
78

affinity-test-apps

Apps to test connection affinity with load-balancing endpoint updates
Go
1
star
79

test-connection-disruption

Testing connection interruptions during Cilium upgrades
Go
1
star
80

dummylb

Dummy k8s LB used for testing
Go
1
star
81

little-vm-helper-action

1
star
82

busybox

C
1
star
83

scale-tests-action

Repository that hosts the GitHub action to run scale tests
1
star