Hubble - Network, Service & Security Observability for Kubernetes using eBPF

Overview

Hubble logo

Network, Service & Security Observability for Kubernetes

What is Hubble?

Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

Hubble can answer questions such as:

Service dependencies & communication map:

  • What services are communicating with each other? How frequently? What does the service dependency graph look like?
  • What HTTP calls are being made? What Kafka topics does a service consume from or produce to?

Operational monitoring & alerting:

  • Is any network communication failing? Why is communication failing? Is it DNS? Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)?
  • Which services have experienced a DNS resolution problems in the last 5 minutes? Which services have experienced an interrupted TCP connection recently or have seen connections timing out? What is the rate of unanswered TCP SYN requests?

Application monitoring:

  • What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters?
  • What is the 95th and 99th percentile latency between HTTP requests and responses in my cluster? Which services are performing the worst? What is the latency between two services?

Security observability:

  • Which services had connections blocked due to network policy? What services have been accessed from outside the cluster? Which services have resolved a particular DNS name?

Why Hubble?

The Linux kernel technology eBPF is enabling visibility into systems and applications at a granularity and efficiency that was not possible before. It does so in a completely transparent way, without requiring the application to change or for the application to hide information. By building on top of Cilium, Hubble can leverage eBPF for visibility. By leveraging eBPF, all visibility is programmable and allows for a dynamic approach that minimizes overhead while providing deep and detailed insight where required. Hubble has been created and specifically designed to make best use of these new eBPF powers.

Releases

Since the release of v0.8, the Hubble CLI is backward compatible with all supported Cilium releases. For this reason, only the latest Hubble CLI version is maintained.

Version Release Date Maintained Supported Cilium Version Artifacts
v0.9 2021-11-30 (v0.9.0) Yes Cilium 1.11 and older GitHub Release
v0.8 2021-09-10 (v0.8.2) No Cilium 1.10 and older GitHub Release
v0.7 2020-10-22 (v0.7.1) No Cilium 1.9 and older GitHub Release
v0.6 2020-05-29 (v0.6.1) No Cilium 1.8 GitHub Release
v0.5 2020-07-28 (v0.5.2) No Cilium 1.7 GitHub Release

Component Stability

Hubble project consists of several components (see Architecture section).

While the core Hubble components have been running in production in multiple environments, new components continue to emerge as the project grows and expands in scope.

Some components, due to their relatively young age, are still considered beta and have to be used with caution in critical production workloads.

Component Area State
Hubble CLI Core Stable
Hubble Server Core Stable
Hubble Metrics Core Stable
Hubble Relay Multinode Stable
Hubble UI UI Beta

Architecture

Hubble Architecture

Getting Started

Features

Service Dependency Graph

Troubleshooting microservices application connectivity is a challenging task. Simply looking at "kubectl get pods" does not indicate dependencies between each service or external APIs or databases.

Hubble enables zero-effort automatic discovery of the service dependency graph for Kubernetes Clusters at L3/L4 and even L7, allowing user-friendly visualization and filtering of those dataflows as a Service Map.

See Hubble Service Map Tutorial for more examples.

Service Map

Metrics & Monitoring

The metrics and monitoring functionality provides an overview of the state of systems and allow to recognize patterns indicating failure and other scenarios that require action. The following is a short list of example metrics, for a more detailed list of examples, see the Metrics Documentation.

Networking Behavior

Networking

Network Policy Observation

Network Policy

HTTP Request/Response Rate & Latency

HTTP

DNS Request/Response Monitoring

DNS

Flow Visibility

Flow visibility provides visibility into flow information on the network and application protocol level. This enables visibility into individual TCP connections, DNS queries, HTTP requests, Kafka communication, and much more.

DNS Resolution

Identifying pods which have received DNS response indicating failure:

hubble observe --since=1m -t l7 -j \
   | jq 'select(.l7.dns.rcode==3) | .destination.namespace + "/" + .destination.pod_name' \
   | sort | uniq -c | sort -r
  42 "starwars/jar-jar-binks-6f5847c97c-qmggv"

Successful query & response:

starwars/x-wing-bd86d75c5-njv8k            kube-system/coredns-5c98db65d4-twwdg      DNS Query deathstar.starwars.svc.cluster.local. A
kube-system/coredns-5c98db65d4-twwdg       starwars/x-wing-bd86d75c5-njv8k           DNS Answer "10.110.126.213" TTL: 3 (Query deathstar.starwars.svc.cluster.local. A)

Non-existent domain:

starwars/jar-jar-binks-789c4b695d-ltrzm    kube-system/coredns-5c98db65d4-f4m8n      DNS Query unknown-galaxy.svc.cluster.local. A
starwars/jar-jar-binks-789c4b695d-ltrzm    kube-system/coredns-5c98db65d4-f4m8n      DNS Query unknown-galaxy.svc.cluster.local. AAAA
kube-system/coredns-5c98db65d4-twwdg       starwars/jar-jar-binks-789c4b695d-ltrzm   DNS Answer RCode: Non-Existent Domain TTL: 4294967295 (Query unknown-galaxy.starwars.svc.cluster.local. A)
kube-system/coredns-5c98db65d4-twwdg       starwars/jar-jar-binks-789c4b695d-ltrzm   DNS Answer RCode: Non-Existent Domain TTL: 4294967295 (Query unknown-galaxy.starwars.svc.cluster.local. AAAA)

HTTP Protocol

Successful request & response with latency information:

starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    HTTP/1.1 GET http://deathstar/
starwars/deathstar-695d8f7ddc-lvj84:80     starwars/x-wing-bd86d75c5-njv8k:53410     HTTP/1.1 200 1ms (GET http://deathstar/)

TCP/UDP Packets

Successful TCP connection:

starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    TCP Flags: SYN
deathstar.starwars.svc.cluster.local:80    starwars/x-wing-bd86d75c5-njv8k:53410     TCP Flags: SYN, ACK
starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    TCP Flags: ACK, FIN
deathstar.starwars.svc.cluster.local:80    starwars/x-wing-bd86d75c5-njv8k:53410     TCP Flags: ACK, FIN

Connection timeout:

starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN
starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN
starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN

Network Policy Behavior

Denied connection attempt:

starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN
starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN
starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN

Specifying Raw Flow Filters

Hubble supports extensive set of filtering options that can be specified as a combination of allowlist and denylist. Hubble applies these filters as follows:

for each flow:
  if flow does not match any of the allowlist filters:
    continue
  if flow matches any of the denylist filters:
    continue
  send flow to client

You can pass these filters to hubble observe command as JSON-encoded FlowFilters. For example, to observe flows that match the following conditions:

  • Either the source or destination identity contains k8s:io.kubernetes.pod.namespace=kube-system or reserved:host label, AND

  • Neither the source nor destination identity contains k8s:k8s-app=kube-dns label:

    hubble observe \
      --allowlist '{"source_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}' \
      --allowlist '{"destination_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}' \
      --denylist '{"source_label":["k8s:k8s-app=kube-dns"]}' \
      --denylist '{"destination_label":["k8s:k8s-app=kube-dns"]}'
    

Alternatively, you can also specify these flags as HUBBLE_{ALLOWLIST,DENYLIST} environment variables:

cat > allowlist.txt <<EOF
{"source_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}
{"destination_label":["k8s:io.kubernetes.pod.namespace=kube-system","reserved:host"]}
EOF

cat > denylist.txt <<EOF
{"source_label":["k8s:k8s-app=kube-dns"]}
{"destination_label":["k8s:k8s-app=kube-dns"]}
EOF

HUBBLE_ALLOWLIST=$(cat allowlist.txt)
HUBBLE_DENYLIST=$(cat denylist.txt)
export HUBBLE_ALLOWLIST
export HUBBLE_DENYLIST

hubble observe

Note that --allowlist and --denylist filters get included in the request in addition to regular flow filters like --label or --namespace. Use --print-raw-filters flag to verify the exact filters that the Hubble CLI generates. For example:

% hubble observe --print-raw-filters \
    -t drop \
    -n kube-system \
    --not --label "k8s:k8s-app=kube-dns" \
    --allowlist '{"source_label":["k8s:k8s-app=my-app"]}'
allowlist:
- '{"source_pod":["kube-system/"],"event_type":[{"type":1}]}'
- '{"destination_pod":["kube-system/"],"event_type":[{"type":1}]}'
- '{"source_label":["k8s:k8s-app=my-app"]}'
denylist:
- '{"source_label":["k8s:k8s-app=kube-dns"]}'
- '{"destination_label":["k8s:k8s-app=kube-dns"]}'

The output YAML can be saved to a file and passed to hubble observe command with --config flag. For example:

% hubble observe --print-raw-filters --allowlist '{"source_label":["k8s:k8s-app=my-app"]}' > filters.yaml
% hubble observe --config ./filters.yaml

Community

Join the Cilium Slack #hubble channel to chat with Cilium Hubble developers and other Cilium / Hubble users. This is a good place to learn about Hubble and Cilium, ask questions, and share your experiences.

Learn more about Cilium.

Authors

Hubble is an open source project licensed under the Apache License. Everybody is welcome to contribute. The project is following the Governance Rules of the Cilium project. See CONTRIBUTING for instructions on how to contribute and details of the Code of Conduct.

Comments
  • hubble status reports Max Flows 0/0 and Unavailable Nodes

    hubble status reports Max Flows 0/0 and Unavailable Nodes

    Trying to enable hubble ui in a cluster where cilium was installed with helm:

    cilium hubble enable --ui --create-ca --relay-version v1.10.3
    

    (The --relay-version is a workaround for https://github.com/cilium/cilium-cli/issues/456)

    After port-forward, hubble status reports Max Flows 0/0 and all Nodes Unavailable even though running cilium status in each cilium pod shows Max Flows 4095/4095.

    No known workaround.

    Is this another case of cilium-cli being incompatible with a helm-installed Cilium? We wouldn't have to blaze that trail if cilium-cli were able to install Cilium chained to eks-vpc-cni.

    📬 kind/question 📊 kind/community-report area/cilium 
    opened by joebowbeerxealth 40
  • Unable to load UI. `Error: getaddrinfo EAI_AGAIN`

    Unable to load UI. `Error: getaddrinfo EAI_AGAIN`

    When I port-forward the hubble-ui service and try to load the UI in a browser, the following happens:

    • the web page remains stuck on the "The application is loading, please wait..." page.
    • the logs of the hubble-ui pod show the following message:
    {
      "name": "frontend",
      "hostname": "hubble-ui-79b6c7c67-z4bs5",
      "pid": 19,
      "req_id": "101ee530-14a9-4580-868a-66fed7c6fd49",
      "user": "admin@localhost",
      "level": 50,
      "err": {
        "message": "Can't fetch namespaces via k8s api: Error: getaddrinfo EAI_AGAIN $ENTER_AKS_CLUSTER_DOMAIN_NAME",
        "locations": [
          {
            "line": 4,
            "column": 7
          }
        ],
        "path": [
          "viewer",
          "clusters"
        ],
        "extensions": {
          "code": "INTERNAL_SERVER_ERROR"
        }
      },
      "msg": "",
      "time": "2020-03-08T18:09:56.167Z",
      "v": 0
    }
    
    🖥 area/ui 
    opened by uipo78 37
  • Install Hubble from installation guide failing

    Install Hubble from installation guide failing

    Hi, when trying to follow the instructions that appears in this site: https://github.com/cilium/hubble/blob/master/Documentation/installation.md once you reach to hubble and try to run this cmd:

    helm template hubble \
        --namespace kube-system \
        --set metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" \
        > hubble.yaml
    

    you will fail on :

    Error: rendering template failed: runtime error: invalid memory address or nil pointer dereference
    

    tried to install also without any metrics and also not working , it looks like the template that exist here not working . can you please update the guidelines if any thing is expected?

    opened by amitrintzler 15
  • Add endpoint workload filters

    Add endpoint workload filters

    This adds support to Hubble CLI for filtering against endpoints workloads The server side of this was implemented in https://github.com/cilium/cilium/pull/21296

    🌟 kind/feature release-note/minor ready-to-merge 
    opened by chancez 14
  • Flows don't show up on GKE

    Flows don't show up on GKE

    Flows and arrows are not visible in Hubble UI. Yet flows for "hubble" namespace are visible. Running in GKE.

    Running procedure:

    helm template cilium \
      --namespace cilium \
      --set global.nodeinit.enabled=true \
      --set nodeinit.reconfigureKubelet=true \
      --set nodeinit.removeCbrBridge=true \
      --set global.cni.binPath=/home/kubernetes/bin \
      --set global.tag=v1.7.0-rc1 \
      > cilium.yaml
    
    helm template hubble \
        --namespace hubble \
        --set metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" \
        --set ui.enabled=true \
        > hubble.yaml
    

    I can confirm that flows are visible in "cilium monitor", "hubble observe", and "kubectl get cep".

    🐛 kind/bug 
    opened by rubenhak 10
  • OpenTelemetry Support

    OpenTelemetry Support

    Dear Hubble Community,

    We are currently migrating to Cilium as our networking solution and are very excited to use Hubble for observability.

    However, we miss one thing to be happy – OpenTelemetry (OpenTracing) support. I can see it was mentioned in the roadmap around Cilium 1.0 release:

    h3. The Roadmap Ahead Integration with OpenTracing, Jaeger, and Zipkin: The minimal overhead of BPF makes it the ideal technology to provide tracing and telemetry functionality without imposing additional system load.

    However, I haven't found any code/issues connected to it. I thought that might be Cilium Go Extensions is the right place to implement it. Then I checked Hubble, and it looks like all the data required is in place. I can potentially contribute to it if you give some guidance if Hubble Relay the right place for it.

    🌟 kind/feature 
    opened by trnl 9
  • network: unable to connect to Cilium daemon

    network: unable to connect to Cilium daemon

    I would like to ask how to clean up the cilium environment

    I follow the official documentation

    # install
    kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1.7.0/install/kubernetes/quick-install.yaml
    
    # delete
    kubectl delete -f https://raw.githubusercontent.com/cilium/cilium/v1.7.0/install/kubernetes/quick-install.yaml
    

    After that, I found that all my pods cannot be created properly. about cilium crd,I have deleted. Do i need to delete anything?

    Error message

    # kubectl get pod  | grep httpd
    httpd-596db6fdc4-4r22k                                 0/1     ContainerCreating   0          15m
    httpd-596db6fdc4-5xldk                                 0/1     ContainerCreating   0          15m
    
    # kubectl describe pod
    Events:
      Type     Reason                  Age    From                             Message
      ----     ------                  ----   ----                             -------
      Normal   Scheduled               10m    default-scheduler                Successfully assigned default/httpd-596db6fdc4-5xldk to node001
      Warning  FailedCreatePodSandBox  9m17s  kubelet, node001  Failed create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "ffcd455f1ab5483a17f87cdad35beaea980e61317dbe35b788cac7953e72c95f" network for pod "httpd-596db6fdc4-5xldk": NetworkPlugin cni failed to set up pod "httpd-596db6fdc4-5xldk_default" network: unable to connect to Cilium daemon: failed to create cilium agent client after 30.000000 seconds timeout: Get http:///var/run/cilium/cilium.sock/v1/config: dial unix /var/run/cilium/cilium.sock: connect: no such file or directory
    Is the agent running?
    
    opened by llussy 9
  • Verdict events doubling

    Verdict events doubling

    Dear Hubble community,

    While logging traffic with Hubble:

    hubble observe -f --server hubble-relay:80 -o json --tcp-flags ACK --not --tcp-flags SYN
    

    Getting most events doubled in output: They have only difference in logging timestamp, ex:

    {"time":"2021-10-18T11:30:20.830417817Z","verdict":"FORWARDED","ethernet":{"source":"66:54:11:3e:bd:de","destination":"12:7a:c7:e0:b1:28"},"IP":{"source":"10.0.2.75","destination":"10.45.80.193","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":49488,"destination_port":6443,"flags":{"ACK":true}}},"source":{"ID":140,"identity":6013,"namespace":"ingress-nginx","labels":["k8s:app.kubernetes.io/component=controller","k8s:app.kubernetes.io/instance=ingress-nginx","k8s:app.kubernetes.io/name=ingress-nginx","k8s:io.cilium.k8s.namespace.labels.field.cattle.io/projectId=p-8xjww","k8s:io.cilium.k8s.namespace.labels.name=ingress-nginx","k8s:io.cilium.k8s.policy.cluster=default","k8s:io.cilium.k8s.policy.serviceaccount=ingress-nginx","k8s:io.kubernetes.pod.namespace=ingress-nginx"],"pod_name":"ingress-nginx-controller-db9d9c7f4-gjllb"},"destination":{"identity":6,"labels":["reserved:remote-node"]},"Type":"L3_L4","node_name":"dev-wg-app1","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: ACK"}
    {"time":"2021-10-18T11:30:26.853421611Z","verdict":"FORWARDED","ethernet":{"source":"66:54:11:3e:bd:de","destination":"12:7a:c7:e0:b1:28"},"IP":{"source":"10.0.2.75","destination":"10.45.80.193","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":49488,"destination_port":6443,"flags":{"ACK":true}}},"source":{"ID":140,"identity":6013,"namespace":"ingress-nginx","labels":["k8s:app.kubernetes.io/component=controller","k8s:app.kubernetes.io/instance=ingress-nginx","k8s:app.kubernetes.io/name=ingress-nginx","k8s:io.cilium.k8s.namespace.labels.field.cattle.io/projectId=p-8xjww","k8s:io.cilium.k8s.namespace.labels.name=ingress-nginx","k8s:io.cilium.k8s.policy.cluster=default","k8s:io.cilium.k8s.policy.serviceaccount=ingress-nginx","k8s:io.kubernetes.pod.namespace=ingress-nginx"],"pod_name":"ingress-nginx-controller-db9d9c7f4-gjllb"},"destination":{"identity":6,"labels":["reserved:remote-node"]},"Type":"L3_L4","node_name":"dev-wg-app1","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: ACK"}
    

    How this could be explained and avoided? Thanks!

    📬 kind/question 
    opened by voatsap 8
  • cmd/node: Refactor & Test output methods

    cmd/node: Refactor & Test output methods

    This PR aims to achieve the following:

    • [x] Refactor, where applicable, to test output functions.
    • [x] Add table driven inputs for invoking certain output functionality.

    Signed-off-by: Simarpreet Singh [email protected]

    🤖 area/CI release-note/misc ready-to-merge 
    opened by simar7 8
  • Remove contrib/scripts/release.sh

    Remove contrib/scripts/release.sh

    Rename the current release make target to local-release, and update the release target to generate release artifacts from inside Docker.

    Signed-off-by: Michi Mutsuzaki [email protected]

    opened by michi-covalent 8
  • Hubble UI cannot render due to Error: unable to get issuer certificate

    Hubble UI cannot render due to Error: unable to get issuer certificate

    Screen Shot 2020-02-21 at 10 04 54 AM

    We cannot render the hubble-ui due to this below error message:

    "message":"Can't fetch namespaces via k8s api: Error: unable to get issuer certificate","locations":[{"line":4,"column":7}],"path":["viewer","clusters"],"extensions":{"code":"INTERNAL_SERVER_ERROR"}}
    

    { name: 'inCluster', caFile: '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', server: 'https://10.110.121.43:443', skipTLSVerify: false }

    🖥 area/ui 
    opened by CH-anhngo 8
  • Request for incremental release of 0.10.x to address GO Security Vulnerabilities

    Request for incremental release of 0.10.x to address GO Security Vulnerabilities

    Current Hubble 0.10.0 contains 16 GO related CVEs. Updating Hubble to use 1.18.9 will address these CVEs that have occurred since the June 2022 release of 0.10.0. I am requesting an incremental release of 0.10.x with this issue submission. Has there been any thought to aligning Hubble incremental release cadence with that of Cilium cadence (1.12.5 came out last week and updated to 1.18.9 GO) ?

    opened by jhawkins1 0
  • build(deps): bump actions/setup-go from 3.3.1 to 3.5.0

    build(deps): bump actions/setup-go from 3.3.1 to 3.5.0

    Bumps actions/setup-go from 3.3.1 to 3.5.0.

    Release notes

    Sourced from actions/setup-go's releases.

    Add support for stable and oldstable aliases

    In scope of this release we introduce aliases for the go-version input. The stable alias instals the latest stable version of Go. The oldstable alias installs previous latest minor release (the stable is 1.19.x -> the oldstable is 1.18.x).

    Stable

    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: 'stable'
      - run: go run hello.go
    

    OldStable

    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: 'oldstable'
      - run: go run hello.go
    

    Add support for go.work and pass the token input through on GHES

    In scope of this release we added support for go.work file to pass it in go-version-file input.

    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version-file: go.work
      - run: go run hello.go
    

    Besides, we added support to pass the token input through on GHES.

    Commits
    • 6edd440 fix log for stable aliases (#303)
    • 38dbe75 Add stable and oldstable aliases (#300)
    • 30c39bf Merge pull request #301 from jongwooo/chore/use-cache-in-check-dist
    • 8377b69 Use cache in check-dist.yml
    • d0a58c1 Merge pull request #294 from JamesMGreene/patch-1
    • 3dcd9d6 Update to latest actions/publish-action
    • e983b65 Merge pull request #283 from koba1t/add_support_gowork_for_go-version-file
    • 27b43e1 Pass the token input through on GHES (#277)
    • 7678c83 add support gowork for go-version-file
    • See full diff in compare view

    Dependabot compatibility score

    You can trigger a rebase of this PR by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    kind/enhancement release-note/misc 
    opened by dependabot[bot] 0
  • ExternalName k8s Services - Hubble display

    ExternalName k8s Services - Hubble display

    Hi ,

    I'm having some issue trying to display external services.

    Here are the details :

    I have an external service defined as follow :

    kind: Service
    apiVersion: v1
    metadata:
      name: "searchmaster"
      labels:
        ressourcetype: service-solr-cd
        env: cd
    spec:
      type: ExternalName
      externalName: searchmaster.mydomain.local 
    

    Now , I have a pod that call this service , and also call a MysqL url ( which is not defined as a kubernetes service ). So basically configuration is :

    searchMasterUrl: http://searchmaster:8080 mySqlUrl: np-mysql01.mydomain.local

    Here is what I see in hubble :

    image

    I can see dns resolution works because i can see the the ip in the hubble log. But this is flag as "World"

    image

    Is there any way I can display my externalService name to identify theses flows ?

    I might missunderstanding something maybe because this should work out of the box since I use a dns name and it should get caught by dns rule.

    Cilium Version

    v1.12.4

    Kernel Version

    5.10.0-14-amd64

    Kubernetes Version

    v1.25.4

    Hubble version

    v1.12.4

    Thanks for your help !

    Regards

    opened by Stolr 0
  • Support for filtering on HTTP headers

    Support for filtering on HTTP headers

    HTTP flows contain headers but Hubble doesn't support filtering flows based on HTTP headers. Using the CLI, we can already filter based on HTTP status code, methods and paths but filtering on headers is still missing.

    👍 good-first-issue 🌟 kind/feature 
    opened by rolinh 13
  • Apllying http-visibility breaks OAuth requests

    Apllying http-visibility breaks OAuth requests

    Hello, after applying http-visibility

    
    apiVersion: cilium.io/v2
    kind: CiliumNetworkPolicy
    metadata:
      name: http-visibility
    spec:
      endpointSelector:
        matchLabels: {}
      ingress:
        - fromEntities:
            - all
          toPorts:
            - ports:
                - port: "80"
                  protocol: TCP
              rules:
                http:
                  - {}
        - fromEntities:
            - all
    

    as described in docs makes my services return 401 responses after authorization.

    How can I check envoy doesn't trim Authorization headers or Cookies.

    NOTE: If I remove the policy everything works as expected.

    Any help is appreciated.

    🐛 kind/bug 📊 kind/community-report ⁉ needs/triage 
    opened by pandarun 2
Releases(v0.10.0)
  • v0.10.0(Jun 22, 2022)

    The v0.10.0 release of the Hubble CLI coincides with Cilium v1.12. It adds a new --first option to query for earlier flows and events (#719, requires Cilium v1.12 and newer), further improves the default compact output by displaying security identities and refining policy verdict event output (#717, #734, #745), and deprecates the -o json option in favor of -o jsonpb (#738).

    This release also contains many quality of life improvements, such as more flexible time range filter parsing (#707), extended shell completion for various filter flags (#727, #744), support for named identity filters (#732), improvements to the command-line usage documentation (#718, #730, #731, #733), and an updated version of the Hubble logo (#726).

    Major Changes:

    • cli: Deprecate -o json, recommend -o jsonpb instead (#738, @gandro)
    • cmd/observe: Add --first to support querying for earlier flows and events (#719, @chancez)
    • printer: Display security identity in compact output (#717, @gandro)

    Minor Changes:

    • Add support for less granular time formats (#707, @rolinh)
    • cmd/observe: add flag completion for --protocol (#727, @rolinh)
    • cmd/observe: document subtypes and add completion for subtypes (#744, @rolinh)
    • cmd/observe: improve policy verdict output in compact mode (#745, @rolinh)

    Bugfixes:

    • cmd/config: ensure that the configuration directory exist (#684, @rolinh)
    • cmd/observe: match only Hubble-specific part of error in Test_getFlowsRequestWithInvalidRawFilters (#655, @tklauser)

    CI Changes:

    • .github: let dependabot ignore Cilium dependency (#675, @tklauser)

    Misc Changes:

    • build(deps): bump actions/checkout from 2.4.0 to 3 (#693, @dependabot[bot])
    • build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (#705, @dependabot[bot])
    • build(deps): bump actions/checkout from 3.0.1 to 3.0.2 (#709, @dependabot[bot])
    • build(deps): bump actions/download-artifact from 2.0.10 to 2.1.0 (#668, @dependabot[bot])
    • build(deps): bump actions/download-artifact from 2.1.0 to 3 (#688, @dependabot[bot])
    • build(deps): bump actions/setup-go from 2.1.4 to 2.1.5 (#665, @dependabot[bot])
    • build(deps): bump actions/setup-go from 2.1.5 to 2.2.0 (#680, @dependabot[bot])
    • build(deps): bump actions/setup-go from 2.2.0 to 3 (#697, @dependabot[bot])
    • build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (#746, @dependabot[bot])
    • build(deps): bump actions/upload-artifact from 2.2.4 to 2.3.0 (#662, @dependabot[bot])
    • build(deps): bump actions/upload-artifact from 2.3.0 to 2.3.1 (#663, @dependabot[bot])
    • build(deps): bump actions/upload-artifact from 2.3.1 to 3 (#701, @dependabot[bot])
    • build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 (#724, @dependabot[bot])
    • build(deps): bump docker/build-push-action from 2.10.0 to 3 (#728, @dependabot[bot])
    • build(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#673, @dependabot[bot])
    • build(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 (#679, @dependabot[bot])
    • build(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 (#699, @dependabot[bot])
    • build(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#669, @dependabot[bot])
    • build(deps): bump docker/login-action from 1.12.0 to 1.13.0 (#683, @dependabot[bot])
    • build(deps): bump docker/login-action from 1.13.0 to 1.14.1 (#704, @dependabot[bot])
    • build(deps): bump docker/login-action from 1.14.1 to 2 (#742, @dependabot[bot])
    • build(deps): bump docker/setup-buildx-action from 1.6.0 to 2 (#714, @dependabot[bot])
    • build(deps): bump github.com/cilium/cilium from 1.11.0 to 1.11.1 (#674, @dependabot[bot])
    • build(deps): bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#676, @dependabot[bot])
    • build(deps): bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#712, @dependabot[bot])
    • build(deps): bump github.com/spf13/cast from 1.4.1 to 1.5.0 (#725, @dependabot[bot])
    • build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#664, @dependabot[bot])
    • build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (#694, @dependabot[bot])
    • build(deps): bump github.com/spf13/viper from 1.10.0 to 1.10.1 (#667, @dependabot[bot])
    • build(deps): bump github.com/spf13/viper from 1.10.1 to 1.11.0 (#706, @dependabot[bot])
    • build(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#729, @dependabot[bot])
    • build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#698, @dependabot[bot])
    • build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#743, @dependabot[bot])
    • build(deps): bump github/codeql-action from 1 to 2 (#711, @dependabot[bot])
    • build(deps): bump github/codeql-action from 96bc9c36c68e097cd033777efed25c248ffcf09a to 2.1.12 (#735, @dependabot[bot])
    • build(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (#685, @dependabot[bot])
    • build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#720, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 (#666, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 (#678, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.44.0 to 1.45.0 (#702, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#710, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#721, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 (#736, @dependabot[bot])
    • build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (#700, @dependabot[bot])
    • bump Go to v1.18.1, update golangci-lint to v1.45.2 (#708, @rolinh)
    • ci: bump golangci-lint to v1.45.0 (#696, @rolinh)
    • ci: use hashes for all GitHub Action modules (#722, @rolinh)
    • compact: Use "ID" for security identity prefix (#734, @michi-covalent)
    • Dockerfile: fix golang image name to v1.18.2 (#723, @kaworu)
    • docs: Document pod/service filter prefix behavior (#733, @slayer321)
    • docs: update logos and add dark logo (#726, @raphink)
    • docs: update the cli doc with cidr range source/destination ip filter (#731, @slayer321)
    • go.mod, vendor: update cilium to 1.11.0 (#658, @tklauser)
    • improve cli help text for service filtering (#730, @ILLIDOM)
    • named reserved identites support for --{,from-,to-}identity (#732, @kaworu)
    • Prepare for v0.10 development cycle (#652, @gandro)
    • Refactor usage template to determine --help flags using a registration pattern (#718, @chancez)
    • release and changelog misc improvements (#659, @kaworu)
    • Update Cobra to v1.5.0 (#747, @rolinh)
    • Update Go to 1.17.4 and alpine to 3.15 (#653, @tklauser)
    • Update Go to 1.17.5 (#660, @tklauser)
    • Update Go to 1.17.6 (#670, @tklauser)
    • Update Go to 1.17.7 (#681, @tklauser)
    • Update Go to 1.17.8 (#689, @tklauser)
    • Update Go to 1.18.2 (#715, @tklauser)
    • Update Go to 1.18.3, alpine to 3.16, golangci-lint to 1.46.2 (#737, @tklauser)
    • Update Go to v1.18 (#695, @rolinh)
    • vendor: Bump Cilium to v1.12 branch (#748, @gandro)
    • vendor: update yaml.v3 to v3.0.1 (#741, @kaworu)
    Source code(tar.gz)
    Source code(zip)
    hubble-darwin-amd64.tar.gz(7.27 MB)
    hubble-darwin-amd64.tar.gz.sha256sum(93 bytes)
    hubble-darwin-arm64.tar.gz(6.95 MB)
    hubble-darwin-arm64.tar.gz.sha256sum(93 bytes)
    hubble-linux-386.tar.gz(6.66 MB)
    hubble-linux-386.tar.gz.sha256sum(90 bytes)
    hubble-linux-amd64.tar.gz(6.96 MB)
    hubble-linux-amd64.tar.gz.sha256sum(92 bytes)
    hubble-linux-arm.tar.gz(6.55 MB)
    hubble-linux-arm.tar.gz.sha256sum(90 bytes)
    hubble-linux-arm64.tar.gz(6.32 MB)
    hubble-linux-arm64.tar.gz.sha256sum(92 bytes)
    hubble-windows-386.tar.gz(6.89 MB)
    hubble-windows-386.tar.gz.sha256sum(92 bytes)
    hubble-windows-amd64.tar.gz(7.00 MB)
    hubble-windows-amd64.tar.gz.sha256sum(94 bytes)
    hubble-windows-arm64.tar.gz(6.36 MB)
    hubble-windows-arm64.tar.gz.sha256sum(94 bytes)
  • v0.9.0(Nov 30, 2021)

    Hubble v0.9.0 coincides with Cilium v1.11. It brings many improvements to the CLI: Colored output (#551), improved readability and alternative output formats in hubble status (#629, #614), and the ability to specify custom filters via the newly introduced --allowlist and --denylist flags (#643). Other changes include automatic stop conditions for hubble record (#607), omit displaying old flows in follow mode by default (#573) and client binary support for Windows ARM64 (#618).

    Minor Changes:

    • build release binaries for Windows ARM64 (#618, @rolinh)
    • cmd/observe: add color support (#551, @rolinh)
    • cmd/observe: do not set --last to 20 by default in follow mode (#573, @rolinh)
    • cmd/record: Add stop condition flags (#607, @gandro)
    • cmd/status: add support for multiple output formats (#614, @rolinh)
    • observe: Add --allowlist / --denylist flags (#643, @michi-covalent)
    • printer: group digits by 3 for flow counters and make uptime human-readable (#629, @rolinh)
    • Update cobra to v1.2.1 and use built-in completion command (#582, @rolinh)

    Bugfixes:

    • printer: Add missing verdicts (#626, @pchaigno)
    • printer: fix dict outout newline (#615, @rolinh)

    CI Changes:

    • .github: Cancel outdated PR and push workflows (#555, @pchaigno)
    • Add CODEOWNERS (#576, @gandro)
    • ci: bump golangci-lint to v1.42.0 (#611, @tklauser)
    • CODEOWNERS: assign GH actions to github-sec team (#577, @tklauser)

    Misc Changes:

    • .github/workflows: move Go module vendoring check to build checks (#563, @tklauser)
    • .github: Rename maintainer's little helper's config file (#569, @pchaigno)
    • build(deps): bump actions/checkout from 2 to 2.3.5 (#640, @dependabot[bot])
    • build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (#648, @dependabot[bot])
    • build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 (#616, @dependabot[bot])
    • build(deps): bump github.com/fatih/color from 1.10.0 to 1.12.0 (#558, @dependabot[bot])
    • build(deps): bump github.com/fatih/color from 1.12.0 to 1.13.0 (#633, @dependabot[bot])
    • build(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (#561, @dependabot[bot])
    • build(deps): bump github.com/spf13/cast from 1.3.1 to 1.4.0 (#600, @dependabot[bot])
    • build(deps): bump github.com/spf13/cast from 1.4.0 to 1.4.1 (#613, @dependabot[bot])
    • build(deps): bump github.com/spf13/viper from 1.8.0 to 1.8.1 (#579, @dependabot[bot])
    • build(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 (#628, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 (#584, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 (#608, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 (#610, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 (#634, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 (#649, @dependabot[bot])
    • build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1 (#583, @dependabot[bot])
    • build(deps): bump skx/github-action-publish-binaries from c881a3f8ffb80b684f367660178d38ceabc065c2 to 2.0 (#632, @dependabot[bot])
    • ci: bump Go to 1.17 for golangci-lint (#625, @kaworu)
    • ci: enable checks for missing Go documentation (#581, @rolinh)
    • ci: fix the go vendoring check (#575, @kaworu)
    • cmd/observe: move flows specific code to flows*.go files (#578, @tklauser)
    • cmd/observe: remove depreacted formatting flags (json, compact, dict) (#603, @rolinh)
    • cmd/observe: rename flow-related functions, types and import aliases (#574, @tklauser)
    • CODEOWNERS: assign Go module vendoring to @cilium/vendor (#580, @tklauser)
    • docker: add note about bogus busybox's nslookup implementation (#587, @rolinh)
    • Fix broken link (#593, @sharjeelaziz)
    • git commands in the Makefile return the empty string if they fail. (#589, @zhiyanfoo)
    • github: Add "Image Release Build" workflow (#627, @gandro)
    • Log a debug message when reading from stdin (#598, @michi-covalent)
    • Makefile: Introduce GO_BUILD variable (#560, @gandro)
    • pkg/printer: disable color output in tests (#562, @tklauser)
    • Prepare for 0.9 development cycle (#545, @gandro)
    • readme: clarify that only the latest version is maintained/supported (#568, @rolinh)
    • RELEASE.md: document Homebrew formular update as optional step (#624, @tklauser)
    • RELEASE.md: fix brew command formatting (#630, @tklauser)
    • release: pin skx/github-action-publish-binaries to a specific sha (#546, @rolinh)
    • Small test cleanups (#571, @tklauser)
    • Update doc and stable.txt for v0.8.2 release (#623, @rolinh)
    • Update Go to 1.16.4 (#548, @tklauser)
    • Update Go to 1.16.5 (#564, @tklauser)
    • Update Go to 1.16.7 (#604, @tklauser)
    • Update Go to 1.17 (#612, @tklauser)
    • Update Go to 1.17.2 (#635, @tklauser)
    • update Go to v1.16.6, alpine to 3.14 (#585, @rolinh)
    • update Go to v1.17.1 (#620, @rolinh)
    • Update Go to v1.17.3, golangci-lint to v1.43.0 (#646, @rolinh)
    • Update readme, changelog and stable.txt for v0.8.1 release (#595, @rolinh)
    • Use golangci-lint for static checks (#559, @rolinh)
    • vendor: bump github.com/cilium/cilium to latest master (#556, @tklauser)
    • vendor: Bump github.com/cilium/cilium to v1.11.0-rc3 (#650, @gandro)
    • vendor: bump grpc to v1.37.1; honnef tools to v0.1.4 (#552, @rolinh)
    • vendor: bump viper to v1.8.0 and grpc to v1.38.0 (#572, @rolinh)
    • version: Drop the "v" prefix (#638, @michi-covalent)
    Source code(tar.gz)
    Source code(zip)
    hubble-darwin-amd64.tar.gz(6.79 MB)
    hubble-darwin-amd64.tar.gz.sha256sum(93 bytes)
    hubble-darwin-arm64.tar.gz(6.74 MB)
    hubble-darwin-arm64.tar.gz.sha256sum(93 bytes)
    hubble-linux-386.tar.gz(6.05 MB)
    hubble-linux-386.tar.gz.sha256sum(90 bytes)
    hubble-linux-amd64.tar.gz(6.47 MB)
    hubble-linux-amd64.tar.gz.sha256sum(92 bytes)
    hubble-linux-arm.tar.gz(5.97 MB)
    hubble-linux-arm.tar.gz.sha256sum(90 bytes)
    hubble-linux-arm64.tar.gz(5.94 MB)
    hubble-linux-arm64.tar.gz.sha256sum(92 bytes)
    hubble-windows-386.tar.gz(6.34 MB)
    hubble-windows-386.tar.gz.sha256sum(92 bytes)
    hubble-windows-amd64.tar.gz(6.57 MB)
    hubble-windows-amd64.tar.gz.sha256sum(94 bytes)
    hubble-windows-arm64.tar.gz(6.02 MB)
    hubble-windows-arm64.tar.gz.sha256sum(94 bytes)
  • v0.8.2(Sep 10, 2021)

    This patch release fixes a bug in the dict output where a newline was missing. It also removes long-deprecated --json, --compact and --dict flags (use the --output flag instead) that actually turned out to be broken at this point. A very visible addition is color support, a change that was backported from the master branch upon popular request. In addition, the Go version, which is used to create release binaries, is updated to the latest v1.16.8 and the Cilium dependency is updated to v1.10.4.

    Minor Changes:

    • Backport color output to v0.8 branch (#609, @michi-covalent)

    Bugfixes:

    • v0.8: printer: fix dict outout newline (#617, @rolinh)

    Misc Changes:

    • [v0.8] go.mod, vendor: bump cilium to v1.10.4 (#619, @tklauser)
    • v0.8: cmd/observe: remove depreacted formatting flags (json, compact, dict) (#606, @rolinh)
    • v0.8: Update Go to 1.16.7 (#605, @tklauser)
    • v0.8: update Go to v1.16.8, Alpine base image to 3.14.2 (#621, @rolinh)
    Source code(tar.gz)
    Source code(zip)
    hubble-darwin-amd64.tar.gz(4.39 MB)
    hubble-darwin-amd64.tar.gz.sha256sum(93 bytes)
    hubble-darwin-arm64.tar.gz(4.27 MB)
    hubble-darwin-arm64.tar.gz.sha256sum(93 bytes)
    hubble-linux-386.tar.gz(3.93 MB)
    hubble-linux-386.tar.gz.sha256sum(90 bytes)
    hubble-linux-amd64.tar.gz(4.22 MB)
    hubble-linux-amd64.tar.gz.sha256sum(92 bytes)
    hubble-linux-arm.tar.gz(3.85 MB)
    hubble-linux-arm.tar.gz.sha256sum(90 bytes)
    hubble-linux-arm64.tar.gz(3.81 MB)
    hubble-linux-arm64.tar.gz.sha256sum(92 bytes)
    hubble-windows-386.tar.gz(4.12 MB)
    hubble-windows-386.tar.gz.sha256sum(92 bytes)
    hubble-windows-amd64.tar.gz(4.30 MB)
    hubble-windows-amd64.tar.gz.sha256sum(94 bytes)
  • v0.8.1(Jul 19, 2021)

    [v0.8.1] - 2021-07-19

    This patch release updates gRPC and Cilium dependencies to v1.37.1 and v1.10.3 respectively. The Go version, which is used to create release binaries, is also updated to the latest v1.16.6. A minor, mostly cosmetic, bug is also fixed which allows building Hubble without any warning being displayed when the .git directory is not present.

    Misc Changes:

    • v0.8: bump cilium to v1.10.2, Go to v1.16.6 (#586, @rolinh)
    • v0.8: release: pin skx/github-action-publish-binaries to a specific sha (#547, @rolinh)
    • v0.8: update cilium to v1.10.3, backport git version fix (#591, @rolinh)
    • v0.8: Update Go to 1.16.4 (#549, @tklauser)
    • v0.8: Update Go to 1.16.5 (#565, @tklauser)
    • v0.8: vendor: bump github.com/cilium/cilium to v1.10.0 (#557, @tklauser)
    • v0.8: vendor: bump grpc to v1.37.1; honnef tools to v0.1.4 (#553, @rolinh)
    Source code(tar.gz)
    Source code(zip)
    hubble-darwin-amd64.tar.gz(4.38 MB)
    hubble-darwin-amd64.tar.gz.sha256sum(93 bytes)
    hubble-darwin-arm64.tar.gz(4.27 MB)
    hubble-darwin-arm64.tar.gz.sha256sum(93 bytes)
    hubble-linux-386.tar.gz(3.93 MB)
    hubble-linux-386.tar.gz.sha256sum(90 bytes)
    hubble-linux-amd64.tar.gz(4.21 MB)
    hubble-linux-amd64.tar.gz.sha256sum(92 bytes)
    hubble-linux-arm.tar.gz(3.85 MB)
    hubble-linux-arm.tar.gz.sha256sum(90 bytes)
    hubble-linux-arm64.tar.gz(3.80 MB)
    hubble-linux-arm64.tar.gz.sha256sum(92 bytes)
    hubble-windows-386.tar.gz(4.10 MB)
    hubble-windows-386.tar.gz.sha256sum(92 bytes)
    hubble-windows-amd64.tar.gz(4.28 MB)
    hubble-windows-amd64.tar.gz.sha256sum(94 bytes)
  • v0.8.0(May 3, 2021)

    [v0.8.0] - 2021-05-03

    This release coincides with Cilium 1.10 and has support for new API additions added in Cilium. Some of the new API features include support for agent and debug events (#537), as well as prelimary support for the experimental Hubble Recorder API (#530). Both of these features are currenlty only available via the local unix domain socket. Other API features include filtering by TCP flags (#461), IP version (#505) and node name (#412).

    Hubble CLI 0.8 also comes with improvements to the CLI utility, such as reading flows and filtering flows from stdin (#524), more flexible timestamp format printing (#509), support for Apple silicon (#488), as well as miscellaneous flag improvements and additions (#411, #420, #421, #443). It also contains a new hubble list subcommand which, when targeting Hubble Relay, lists all Hubble enabled nodes (#427).

    Breaking Changes

    In accordance with semver 0.x releases, this release contains a few breaking changes to the Hubble command-line interface:

    • The new default Hubble API endpoint (specified with --server) is now localhost:4245 to ease usage with Hubble Relay. To connect to the local unix domain socket, use --server unix:///var/run/cilium/hubble.sock or set the HUBBLE_SERVER environment variable (default within a Cilium container) (#535)
    • The new default output format is now always compact regardless of being in follow-mode or not. To obtain the old table output in the hubble observe command, use --output=table (#536)
    • The source of reply packets is now printed on the left side in the compact output format. Such flows are indicated with a <- arrow instead of ->. Flows with an unknown direction now use the <> arrow in the compact output (#533).
    • The hidden hubble peers watch command has been renamed to hubble watch peers (#542)

    Major Changes:

    • Add basic support for agent events (#442, @tklauser)
    • Add subcommands for agent and debug events (#537, @tklauser)
    • cmd/observe: support for filtering events based on tcp-flags (#461, @nyrahul)
    • cmd: add node list subcommand to list hubble nodes with status (#427, @rolinh)

    Minor Changes:

    • change default address to localhost:4245 (#535, @rolinh)
    • cmd/config: add shell completion support for keys for get|set|reset (#420, @rolinh)
    • cmd/observe: add a new flag to allow specifying different time formats for timestamps (#509, @rolinh)
    • cmd/observe: add all flags (#411, @rolinh)
    • cmd/observe: Add node name filter (#412, @twpayne)
    • cmd/observe: add shell completion support for various flags (#421, @rolinh)
    • cmd/observe: add support for IP version filters (#505, @rolinh)
    • cmd/observe: mark deprecated output flags as deprecated (#506, @rolinh)
    • cmd/observer: add support for agent event sub-type filters (#465, @tklauser)
    • cmd: Add record subcommand (#530, @gandro)
    • cmd: improve command usage message by grouping related flags (#443, @rolinh)
    • compact: Always print original source on the left (#533, @michi-covalent)
    • make: build release binaries for darwin/arm64 (aka Apple silicon) (#488, @rolinh)
    • printer: Add support for debug events (#473, @gandro)
    • RFC: cmd/observe: set default output format to "compact" (#536, @rolinh)
    • Support reading flows from stdin (#524, @michi-covalent)

    Bugfixes:

    • cmd: fix environment variable names for options with dashes (#407, @rolinh)

    Misc Changes:

    • Agent event follow-up fixes for #442 (#454, @tklauser)
    • all: avoid using the deprecated io/ioutil package (#489, @rolinh)
    • Automate release creation and artifacts publishing (#490, @rolinh)
    • build(deps): bump actions/setup-go from v1 to v2.1.3 (#476, @dependabot[bot])
    • build(deps): bump github.com/sirupsen/logrus from 1.7.0 to 1.8.1 (#525, @dependabot[bot])
    • build(deps): bump github.com/spf13/cobra from 1.1.2 to 1.1.3 (#486, @dependabot[bot])
    • build(deps): bump google.golang.org/grpc from 1.36.0 to 1.36.1 (#522, @dependabot[bot])
    • build(deps): bump google.golang.org/protobuf from 1.25.0 to 1.26.0 (#518, @dependabot[bot])
    • build: ensure that binaries are always statically built (#397, @rolinh)
    • Bump alpine base image to 3.13 (#472, @tklauser)
    • Bump github.com/cilium/cilium to pull in reworked agent/debug event API (#532, @tklauser)
    • ci: Add CodeQL analysis (#475, @twpayne)
    • ci: Add dependabot configuration (#474, @twpayne)
    • ci: do not upload artifacts (#485, @rolinh)
    • ci: fix dependabot kind/enhancement label (#477, @kaworu)
    • cmd/node: fix completion of output flag (#466, @rolinh)
    • cmd/node: Refactor & Test output methods (#496, @simar7)
    • cmd/observe: don't list agent/debug events and recorder captures in event type filter (#534, @tklauser)
    • cmd/observe: print filters in debug mode (#502, @rolinh)
    • cmd/observe: Print the entire request in debug mode (#515, @michi-covalent)
    • cmd/observe: use signal.NotifyContext to cancel context on SIGINT (#539, @rolinh)
    • cmd/peer: Refactor and test processing of response (#499, @simar7)
    • cmd: change "node list" command for "list node" (#541, @rolinh)
    • cmd: change 'peers watch' command to 'watch peers' (#542, @rolinh)
    • cmd: use config key constants instead of hardcoded strings (#471, @rolinh)
    • completion: remove the copyright header (#444, @kaworu)
    • doc: #hubble-devel on Slack is now #sig-hubble (#495, @rolinh)
    • doc: fix broken links (#406, @rolinh)
    • Dockerfile: use alpine 3.12 (#540, @aanm)
    • docs: Point to stable documentation (#414, @joestringer)
    • Ensure build with Cilium master (#463, @gandro)
    • Fix brokenlink on README.md (#500, @kaitoii11)
    • make: set missing IMAGE_TAG variable (#432, @rolinh)
    • Makefile: Add support for DOCKER_FLAGS environment variable (#456, @jrajahalme)
    • Move version into VERSION file (#434, @glibsm)
    • readme: bump versions in releases table (#400, @rolinh)
    • readme: update releases table, mark Hubble Relay as stable (#404, @rolinh)
    • release: fix release binary usage instruction (#396, @rolinh)
    • Revert "ci: fix dependabot kind/enhancement label" (#493, @kaworu)
    • set version to 0.8.0-dev (#393, @rolinh)
    • stable.txt: Bump to v0.7.0 (#405, @gandro)
    • Switch protobuf module to google.golang.org/protobuf (#452, @tklauser)
    • update CHANGELOG for releases v0.6.1 and v0.7.0 (#398, @rolinh)
    • Update Go to 1.15.4 (#416, @rolinh)
    • Update Go to 1.15.5 (#423, @tklauser)
    • Update Go to 1.15.6 (#446, @tklauser)
    • Update Go to 1.15.7 (#467, @tklauser)
    • Update Go to 1.15.8 (#478, @tklauser)
    • Update Go to 1.16.1 (#507, @tklauser)
    • Update Go to 1.16.2 (#510, @rolinh)
    • Update Go to 1.16.3 (#526, @tklauser)
    • update Go to v1.16.0 (#487, @rolinh)
    • update readme and stable.txt for v0.7.1 (#410, @rolinh)
    • update release instructions (#399, @rolinh)
    • Update RELEASE.md with -dev change (#520, @rolinh)
    • vendor: bump Cilium and grpc (#538, @rolinh)
    • vendor: bump github.com/cilium/cilium (#482, @rolinh)
    • vendor: bump github.com/cilium/cilium (#528, @rolinh)
    • vendor: bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#504, @rolinh)
    • vendor: bump google.golang.org to v1.33.2 (#437, @tklauser)
    • vendor: bump google.golang.org/grpc to v1.34.0 (#457, @tklauser)
    • vendor: bump google.golang.org/grpc to v1.35.0 (#464, @tklauser)
    • vendor: bump google.golang.org/grpc to v1.36.0 (#498, @rolinh)
    • vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#441, @twpayne)
    • vendor: bump honnef.co/go/tools from v0.1.1 to v0.1.2 (#494, @rolinh)
    • vendor: bump honnef.co/go/tools from v0.1.2 to v0.1.3 (#513, @rolinh)
    • vendor: bump honnef.co/go/tools to v0.1.1 (#484, @rolinh)
    Source code(tar.gz)
    Source code(zip)
    hubble-darwin-amd64.tar.gz(4.38 MB)
    hubble-darwin-amd64.tar.gz.sha256sum(93 bytes)
    hubble-darwin-arm64.tar.gz(4.26 MB)
    hubble-darwin-arm64.tar.gz.sha256sum(93 bytes)
    hubble-linux-386.tar.gz(3.92 MB)
    hubble-linux-386.tar.gz.sha256sum(90 bytes)
    hubble-linux-amd64.tar.gz(4.20 MB)
    hubble-linux-amd64.tar.gz.sha256sum(92 bytes)
    hubble-linux-arm.tar.gz(3.84 MB)
    hubble-linux-arm.tar.gz.sha256sum(90 bytes)
    hubble-linux-arm64.tar.gz(3.80 MB)
    hubble-linux-arm64.tar.gz.sha256sum(92 bytes)
    hubble-windows-386.tar.gz(4.10 MB)
    hubble-windows-386.tar.gz.sha256sum(92 bytes)
    hubble-windows-amd64.tar.gz(4.27 MB)
    hubble-windows-amd64.tar.gz.sha256sum(94 bytes)
  • v0.7.0(Oct 19, 2020)

    Minor Changes:

    • Add config subcommand (#380, @Rolinh)
    • Add reflect command (#378, @michi-covalent)
    • cmd/observe: Add HTTP method and path filters (#371, @twpayne)
    • cmd/peer: print tls.ServerName when available (#374, @Rolinh)
    • cmd/status: Add flows per second to hubble status (#330, @gandro)
    • cmd/status: print node availability information when available (#328, @Rolinh)
    • cmd/status: report current/max flows on the same line (#346, @Rolinh)
    • cmd: add support for fish and powershell completion (#316, @Rolinh)
    • cmd: add support for TLS and mTLS (#372, @Rolinh)
    • cmd: honor user configuration directory for the configuration file (#375, @Rolinh)
    • cmd: remove globals, optimize grpc client conn creation, remove pprof (#369, @Rolinh)
    • Dockerfile: Remove ENTRYPOINT (#355, @michi-covalent)
    • printer: ommit node name from output (#358, @mdnix)
    • Update Go to v1.15, drop support for darwin/386, add support for linux/[arm,arm64] (#343, @Rolinh)

    Bugfixes:

    • cmd/status: do not report flows ratio when max flows is zero (#345, @Rolinh)
    • make: fix git hash variable assignments for old make versions (#290, @Rolinh)

    Misc Changes:

    • .gitattributes: hide go.sum and vendor/modules.txt in pull requests (#317, @Rolinh)
    • actions: add go-mod check (#382, @Rolinh)
    • Add staticcheck to make check (#344, @tklauser)
    • Clarify wording in README (#341, @christarazi)
    • cmd/config: only write provided key/value when using set subcommand (#385, @Rolinh)
    • cmd: fix help message for the -config flag (#377, @Rolinh)
    • cmd: update observe and status command description/formatting (#390, @Rolinh)
    • defaults: avoid stutter in exported names (#383, @tklauser)
    • docs: Add link to Cilium Development Guide (#376, @twpayne)
    • Fixes SC2038 in check-fmt.sh (#360, @nebril)
    • make: fix release build directory ownership (#321, @kAworu)
    • make: vendor in ineffassign, staticcheck, and golint (#357, @kAworu)
    • observe: Document default flow count output (#318, @joestringer)
    • printer: avoid duplicate import (#342, @tklauser)
    • printer: use fmt.Fprintln instead of fmt.Fprintf (#347, @tklauser)
    • README: fix broken link to metrics documentation (#327, @Rolinh)
    • Readme: remove old beta warning and make a components table (#322, @glibsm)
    • README: Update links (#351, @pchaigno)
    • Remove version from release artifact file names (#293, @michi-covalent)
    • tutorials: Fix README.md (#340, @jrajahalme)
    • Update Cilium dep and fix unit tests that subsequently broke (#335, @Rolinh)
    • Update Go to 1.15.3 (#386, @tklauser)
    • update Go version to v1.14.7 (#336, @Rolinh)
    • update Go version to v1.15.2 (#365, @Rolinh)
    • v0.7: vendor: bump cilium to v1.9.0-rc2 to track cilium v1.9 branch (#394, @Rolinh)
    • vendor: bump cilium to master right before branching v1.9 (#392, @Rolinh)
    • vendor: bump cobra to v1.1.1 (#391, @twpayne)
    • vendor: bump dependencies (#389, @Rolinh)
    • vendor: go mod tidy && go mod vendor && go mod verify (#381, @Rolinh)
    • vendor: update cilium@latest, [email protected] (#373, @Rolinh)

    Other Changes:

    • Add little helper actions (#326, @glibsm)
    • Add RELEASE.md with release checklist (#281, @glibsm)
    • Add stable.txt (#299, @michi-covalent)
    • add v0.6.0 release notes to changelog and bump version to 0.7.0-dev (#275, @Rolinh)
    • Build release artifacts inside a container (#295, @michi-covalent)
    • docs: Re-add images linked in README (#309, @gandro)
    • Fix v0.6 branch link in README (#306, @gandro)
    • Generate release binaries (#285, @Rolinh)
    • Prepare for Cilium 1.8 (#305, @gandro)
    • printer: Add jsonpb output (#302, @michi-covalent)
    • Remove contrib/scripts/release.sh (#297, @michi-covalent)
    • Require Cilium 1.7.x (#283, @tgraf)
    • Update Go to v1.14.6 (#320, @Rolinh)
    • update Go version to v1.14.4 and alpine base image to v3.12 (#278, @Rolinh)
    • update Go version to v1.14.5 (#319, @Rolinh)
    • vendor: cilium@master (#313, @glibsm)
    Source code(tar.gz)
    Source code(zip)
    hubble-darwin-amd64.tar.gz(4.35 MB)
    hubble-darwin-amd64.tar.gz.sha256sum(93 bytes)
    hubble-linux-386.tar.gz(3.87 MB)
    hubble-linux-386.tar.gz.sha256sum(90 bytes)
    hubble-linux-amd64.tar.gz(4.15 MB)
    hubble-linux-amd64.tar.gz.sha256sum(92 bytes)
    hubble-linux-arm.tar.gz(3.79 MB)
    hubble-linux-arm.tar.gz.sha256sum(90 bytes)
    hubble-linux-arm64.tar.gz(3.75 MB)
    hubble-linux-arm64.tar.gz.sha256sum(92 bytes)
    hubble-windows-386.tar.gz(3.98 MB)
    hubble-windows-386.tar.gz.sha256sum(92 bytes)
    hubble-windows-amd64.tar.gz(4.16 MB)
    hubble-windows-amd64.tar.gz.sha256sum(94 bytes)
  • v0.5.2(Jul 28, 2020)

    Summary of Changes

    Misc Changes:

    • Update Go version to v1.14.4 and alpine base image to v3.12 (#279, @Rolinh)
    • Update Go version to v1.14.5 (#319, @Rolinh, backport PR #323)
    • Update Go version to v1.14.6 (#320, @Rolinh, backport PR #323)
    • backport/v0.5: update Go version, pull in a fix (#274, @Rolinh)
    • helm: Pin Hubble v0.5.1 in v0.5 branch (#249, @gandro)
    • printer: Fall back on ethernet MAC addresses (#262, @Rolinh)
    • Ratelimit cilium identity fetch (#270, @glibsm)
    • v0.5: Pin Hubble and Cilium branches (#301, @gandro)
    Source code(tar.gz)
    Source code(zip)
  • v0.6.0(May 29, 2020)

    Bugfixes:

    • api: fix potential panic in endpoint's EqualsByID (#199, @Rolinh)

    Misc Changes:

    • cmd: add hidden 'peer' command (#248, @Rolinh)
    • update Go version to v1.14.2 (#226, @Rolinh)
    • update Go version to v1.14.3 (#258, @Rolinh)

    Other Changes:

    • actions: Trigger on release branches (#233, @michi-covalent)
    • Add changelog (#203, @glibsm)
    • add peer gRPC service (#212, @Rolinh)
    • Add support for policy verdict events (#200, @gandro)
    • adjust dockerfile and makefile for "serve" command removal (#263, @Rolinh)
    • Adjust to moved PolicyMatchType location (#222, @tgraf)
    • api: Small fixes to the protoc invocations in Makefile (#206, @gandro)
    • Bring back HUBBLE_DEFAULT_SOCKET_PATH env var (#239, @gandro)
    • cmd/observe: use flags.DurationVar instead of StringVar for timeout flag (#210, @Rolinh)
    • cmd/serve: refactor, introduce Server struct and options (#208, @Rolinh)
    • cmd: Export RootCmd (#237, @glibsm)
    • cmd: Finish config move (#254, @glibsm)
    • cmd: Make all sub-commands more prominent (#255, @glibsm)
    • cmd: Make pprof optional (#269, @gandro)
    • cmd: Move completion and profile code from root (#246, @glibsm)
    • defaults: Introduce new defaults for embedded Hubble (#224, @gandro)
    • doc: Add a Quickstart section to the documentation (#243, @michi-covalent)
    • doc: Update DNS visibility policy (#259, @michi-covalent)
    • docker: ensure the hubble binary is statically built (#272, @Rolinh)
    • fix: add skipped quote in hubble-all-minikube.yaml (#225, @geakstr)
    • helm: Update hubble cli options (#245, @michi-covalent)
    • l7: Add "Error" verdict (#211, @michi-covalent)
    • make: optimize binary size by omitting symbol table and debug info (#268, @Rolinh)
    • observe: Disable port-translation by default (#236, @michi-covalent)
    • observe: Remove --port-translation (#271, @michi-covalent)
    • observe: Show all the event types by default (#241, @michi-covalent)
    • OnBuildFilter (#209, @tgraf)
    • printer: Add support for NodeStatusEvent (#260, @gandro)
    • printer: Fall back on ethernet MAC addresses (#261, @gandro)
    • printer: Use policy verdict match type formatter from Cilium (#205, @gandro)
    • Rebase vendored github.com/cilium (#232, @tgraf)
    • Remove all server-side code (#220, @tgraf)
    • Remove logger package (#221, @tgraf)
    • server: Introduce per-request context (#216, @gandro)
    • server: Match time range before filters (#213, @tgraf)
    • Set version to 0.6.0-dev (#202, @glibsm)
    • vendor: Bump github.com/cilium/cilium (#223, @gandro)
    • vendor: pick up latest cilium (#247, @Rolinh)
    • vendor: update cilium and sync replace directives (#207, @Rolinh)
    Source code(tar.gz)
    Source code(zip)
Owner
Cilium
eBPF-based Networking, Security, and Observability
Cilium
Google Kubernetes Engine (GKE) with a Snyk Kubernetes controller installed/configured for Snyk App

Google Kubernetes Engine (GKE) with a Snyk Kubernetes controller installed/configured for Snyk App This example provisions a Google Kubernetes Engine

Pas Apicella 2 Feb 9, 2022
Coding For Entrepreneurs 100 Jan 1, 2023
Helperpod - A CLI tool to run a Kubernetes utility pod with pre-installed tools that can be used for debugging/testing purposes inside a Kubernetes cluster

Helperpod is a CLI tool to run a Kubernetes utility pod with pre-installed tools that can be used for debugging/testing purposes inside a Kubernetes cluster.

Atakan Tatlı 2 Feb 5, 2022
A Blazing fast Security Auditing tool for Kubernetes

A Blazing fast Security Auditing tool for kubernetes!! Basic Overview Kubestriker performs numerous in depth checks on kubernetes infra to identify th

Vasant Chinnipilli 934 Jan 4, 2023
Linux, Jenkins, AWS, SRE, Prometheus, Docker, Python, Ansible, Git, Kubernetes, Terraform, OpenStack, SQL, NoSQL, Azure, GCP, DNS, Elastic, Network, Virtualization. DevOps Interview Questions

Linux, Jenkins, AWS, SRE, Prometheus, Docker, Python, Ansible, Git, Kubernetes, Terraform, OpenStack, SQL, NoSQL, Azure, GCP, DNS, Elastic, Network, Virtualization. DevOps Interview Questions

Arie Bregman 35.1k Jan 2, 2023
This repository contains code examples and documentation for learning how applications can be developed with Kubernetes

BigBitBus KAT Components Click on the diagram to enlarge, or follow this link for detailed documentation Introduction Welcome to the BigBitBus Kuberne

null 51 Oct 16, 2022
Official Python client library for kubernetes

Kubernetes Python Client Python client for the kubernetes API. Installation From source: git clone --recursive https://github.com/kubernetes-client/py

Kubernetes Clients 5.4k Jan 2, 2023
A Kubernetes operator that creates UptimeRobot monitors for your ingresses

This operator automatically creates uptime monitors at UptimeRobot for your Kubernetes Ingress resources. This allows you to easily integrate uptime monitoring of your services into your Kubernetes deployments.

Max 49 Dec 14, 2022
A Simple script to hunt unused Kubernetes resources.

K8SPurger A Simple script to hunt unused Kubernetes resources. Release History Release 0.3 Added Ingress Added Services Account Adding RoleBindding Re

Yogesh Kunjir 202 Nov 19, 2022
Run Oracle on Kubernetes with El Carro

El Carro is a new project that offers a way to run Oracle databases in Kubernetes as a portable, open source, community driven, no vendor lock-in container orchestration system. El Carro provides a powerful declarative API for comprehensive and consistent configuration and deployment as well as for real-time operations and monitoring.

Google Cloud Platform 205 Dec 30, 2022
Chartreuse: Automated Alembic migrations within kubernetes

Chartreuse: Automated Alembic SQL schema migrations within kubernetes "How to automate management of Alembic database schema migration at scale using

Wiremind 8 Oct 25, 2022
sysctl/sysfs settings on a fly for Kubernetes Cluster. No restarts are required for clusters and nodes.

SysBindings Daemon Little toolkit for control the sysctl/sysfs bindings on Kubernetes Cluster on the fly and without unnecessary restarts of cluster o

Wallarm 19 May 6, 2022
Caboto, the Kubernetes semantic analysis tool

Caboto Caboto, the Kubernetes semantic analysis toolkit. It contains a lightweight Python library for semantic analysis of plain Kubernetes manifests

Michael Schilonka 8 Nov 26, 2022
Rancher Kubernetes API compatible with RKE, RKE2 and maybe others?

kctl Rancher Kubernetes API compatible with RKE, RKE2 and maybe others? Documentation is WIP. Quickstart pip install --upgrade kctl Usage from lazycls

null 1 Dec 2, 2021
A charmed operator for running PGbouncer on kubernetes.

operator-template Description TODO: Describe your charm in a few paragraphs of Markdown Usage TODO: Provide high-level usage, such as required config

Canonical 1 Dec 1, 2022
Quick & dirty controller to schedule Kubernetes Jobs later (once)

K8s Jobber Operator Quickly implemented Kubernetes controller to enable scheduling of Jobs at a later time. Usage: To schedule a Job later, Set .spec.

Jukka Väisänen 2 Feb 11, 2022
Copy a Kubernetes pod and run commands in its environment

copypod Utility for copying a running Kubernetes pod so you can run commands in a copy of its environment, without worrying about it the pod potential

Memrise 4 Apr 8, 2022
Autoscaling volumes for Kubernetes (with the help of Prometheus)

Kubernetes Volume Autoscaler (with Prometheus) This repository contains a service that automatically increases the size of a Persistent Volume Claim i

DevOps Nirvana 142 Dec 28, 2022
Kube kombu - Running kombu consumers with support of liveness probe for kubernetes

Setup and Running Kombu consumers Steps: Install python 3.9 or greater on your s

Anmol Porwal 5 Dec 10, 2022