How to Use Cilium Hubble for Network Visibility and Security of Kubernetes Clusters
Validated on 16 Jan 2024 • Last edited on 15 Feb 2024
DigitalOcean Kubernetes (DOKS) is a Kubernetes service with a fully managed control plane, high availability, and autoscaling. DOKS integrates with standard Kubernetes toolchains and DigitalOcean’s load balancers, volumes, CPU and GPU Droplets, API, and CLI.
DigitalOcean Kubernetes provides Cilium Hubble which you can use to get network observability for your DOKS clusters. Using Hubble, you can determine service dependencies, set up operational monitoring and alerts, monitor applications, and observe cluster security such as services accessing the cluster from outside and blocked connections.
By default, Hubble is enabled on all DOKS clusters. Because Hubble metrics can be resource intensive, we currently do not enable Hubble metrics by default.
Resources Used by Hubble
We run two deployments, hubble-relay and hubble-ui, in a configuration that minimizes the resources the cluster uses. To see the deployments, run kubectl get deploy -n kube-system. The output looks similar to the following:
NAME READY UP-TO-DATE AVAILABLE AGE
cilium-operator 1/1 1 1 50m
coredns 2/2 2 2 47m
hubble-relay 1/1 1 1 48m
hubble-ui 1/1 1 1 48m
For the configuration details of the deployments, run kubectl get cm -n kube-system | egrep 'hubble|cilium'. The output looks similar to the following:
cilium-config 106 48m
hubble-relay-config 1 48m
hubble-ui-nginx 1 48m
To see a specific configuration file, for example hubble-ui-nginx, run:
kubectl get configmap -n kube-system hubble-ui-nginx -o yaml
Prerequisites
To use the Hubble command-line tool and UI:
- Install the Cilium CLI. For example, to install on macOS, use the following commands:

  # Look up the current stable release and pick the archive for this CPU
  CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
  CLI_ARCH=amd64
  if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi
  # Download the archive and its published checksum file
  curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
  # Verify the archive; stop here if this does not report OK
  shasum -a 256 -c cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum
  sudo tar xzvfC cilium-darwin-${CLI_ARCH}.tar.gz /usr/local/bin
  rm cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}

  The commands download the Cilium binary from GitHub for the amd64 architecture (or arm64 when uname -m reports arm64), check the SHA256 value, and install the Cilium binary in the /usr/local/bin folder.

- Install the Hubble CLI. For example, to install on macOS, use the following commands:

  # Look up the current stable release and pick the archive for this CPU
  HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
  HUBBLE_ARCH=amd64
  if [ "$(uname -m)" = "arm64" ]; then HUBBLE_ARCH=arm64; fi
  # Download the archive and its published checksum file
  curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-darwin-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
  # Verify the archive; stop here if this does not report OK
  shasum -a 256 -c hubble-darwin-${HUBBLE_ARCH}.tar.gz.sha256sum
  sudo tar xzvfC hubble-darwin-${HUBBLE_ARCH}.tar.gz /usr/local/bin
  rm hubble-darwin-${HUBBLE_ARCH}.tar.gz{,.sha256sum}

  The commands download the Hubble client from GitHub for the amd64 architecture (or arm64 when uname -m reports arm64), check the SHA256 value, and install Hubble in the /usr/local/bin folder.

- Authenticate and connect to your DOKS cluster using kubeconfig.
Use the Hubble CLI
To use Hubble at the command line:
- Open a shell and run cilium hubble port-forward. Since the command only port-forwards Hubble to your local terminal, you will not see any output for this command.

- Open a second shell and run hubble observe.
For more information on these commands and their options, see the Hubble documentation.
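To review blocked connections after the fact, the flow stream can be saved as JSON and summarized. The following Python script is an added example, not part of the DigitalOcean or Hubble documentation. It assumes the flows were saved with hubble observe --verdict DROPPED -o json, one JSON object per line, and that the field names match the constructed sample below, which may differ between Hubble versions.

```python
import json
from collections import Counter

# Constructed sample lines (not captured from a real cluster). The field names
# are an assumption about the JSON that `hubble observe -o json` prints.
SAMPLE = """\
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.244.0.12","destination":"10.244.1.7"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"web","pod_name":"frontend-1"},"destination":{"namespace":"db","pod_name":"postgres-0"}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.244.0.12","destination":"10.244.1.7"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"web","pod_name":"frontend-1"},"destination":{"namespace":"db","pod_name":"postgres-0"}}}
{"flow":{"verdict":"FORWARDED","IP":{"source":"10.244.0.12","destination":"10.244.0.3"},"l4":{"UDP":{"destination_port":53}},"source":{"namespace":"web","pod_name":"frontend-1"},"destination":{"namespace":"kube-system","pod_name":"coredns-0"}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"203.0.113.9","destination":"10.244.0.12"},"l4":{"TCP":{"destination_port":22}},"source":{"labels":["reserved:world"]},"destination":{"namespace":"web","pod_name":"frontend-1"}}}
{"flow":{"verdict":"DROP
"""

def endpoint(flow, side):
    """Name one side of a flow: namespace/pod, or the IP for non-pod peers."""
    ep = flow.get(side, {})
    if ep.get("pod_name"):
        return f'{ep.get("namespace", "?")}/{ep["pod_name"]}'
    ip = flow.get("IP", {}).get(side, "?")
    # Traffic from outside the cluster carries the reserved:world label.
    return f"world({ip})" if "reserved:world" in ep.get("labels", []) else ip

def dest_port(flow):
    for proto, fields in flow.get("l4", {}).items():
        if "destination_port" in fields:
            return f'{proto}/{fields["destination_port"]}'
    return "-"  # ICMP and other port-less protocols

def summarize_drops(lines):
    """Count DROPPED flows per (source, destination, port, reason)."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line from an interrupted stream
        if not isinstance(event, dict):
            continue
        flow = event.get("flow", event)  # also accept a bare flow object (assumption)
        if flow.get("verdict") != "DROPPED":
            continue
        counts[(endpoint(flow, "source"), endpoint(flow, "destination"),
                dest_port(flow), flow.get("drop_reason_desc", "UNKNOWN"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (src, dst, port, reason), n in summarize_drops(SAMPLE.splitlines()):
        print(f"{n:4d}  {src} -> {dst}  {port}  {reason}")
```

Repeated drops between the same two workloads usually point to a missing network policy rule, while drops with a world(...) source show external hosts reaching for cluster workloads.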
Use the Hubble UI
To use the Hubble UI, open a shell and run the following command:
cilium hubble ui
This command automatically port-forwards to the Hubble UI on your cluster and opens your default browser with the Hubble UI. For more information, see the Hubble UI documentation.
Disable Hubble Relay and UI
If you don’t want to run the deployments for Hubble Relay and Hubble UI, you can scale them down to zero replicas. For example, run kubectl scale deploy hubble-ui -n kube-system --replicas=0 to disable the Hubble UI.