{"id":13509771,"url":"https://github.com/cilium/hubble","last_synced_at":"2025-05-12T05:34:23.270Z","repository":{"id":37836763,"uuid":"222612062","full_name":"cilium/hubble","owner":"cilium","description":"Hubble - Network, Service \u0026 Security Observability for Kubernetes using eBPF","archived":false,"fork":false,"pushed_at":"2025-04-30T23:53:36.000Z","size":44264,"stargazers_count":3779,"open_issues_count":41,"forks_count":268,"subscribers_count":49,"default_branch":"main","last_synced_at":"2025-05-12T02:51:18.509Z","etag":null,"topics":["cilium","ebpf","kubernetes","metrics","networking","observability","security","tracing"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cilium.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-11-19T04:58:57.000Z","updated_at":"2025-05-10T16:32:08.000Z","dependencies_parsed_at":"2024-06-09T00:24:27.298Z","dependency_job_id":"250abdc2-3750-4c6b-bf03-4afae4f1c3bb","html_url":"https://github.com/cilium/hubble","commit_stats":{"total_commits":1157,"total_committers":51,"mean_commits":"22.686274509803923","dds":0.7536732929991357,"last_synced_commit":"40dc08a93a8f18078dbb21032ce083588798cc0e"},"previous_names":[],"tags_count":43,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fhubble","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fhubble/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fhubble/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cilium%2Fhubble/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cilium","download_url":"https://codeload.github.com/cilium/hubble/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253672736,"owners_count":21945483,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cilium","ebpf","kubernetes","metrics","networking","observability","security","tracing"],"created_at":"2024-08-01T02:01:12.803Z","updated_at":"2025-05-12T05:34:23.243Z","avatar_url":"https://github.com/cilium.png","language":"Makefile","funding_links":[],"categories":["Security Tools","Projects Related to eBPF","10. Application Performance Monitoring Solutions (APM)","Makefile","Go","Uncategorized","文章","security","eBPF 相关项目","Monitor","Tools","Observability","Cilium related projects","Networking \u0026 Connectivity","kubernetes"],"sub_categories":["Observability","Anomalies Detection","Interfaces","Uncategorized","可观测性","Winetricks","Objective-C Tools, Libraries, and Frameworks","Mesh networks","Service Mesh Observability"],"readme":" \u003cpicture\u003e\n   \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://cdn.jsdelivr.net/gh/cilium/hubble@main/Documentation/images/hubble_logo.png\" width=\"350\" alt=\"Hubble Logo\"\u003e\n   \u003cimg src=\"https://cdn.jsdelivr.net/gh/cilium/hubble@main/Documentation/images/hubble_logo-dark.png\" width=\"350\" alt=\"Hubble Logo\"\u003e\n\u003c/picture\u003e\n\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n----\n\n# Network, Service \u0026 Security Observability for Kubernetes\n\n- [What is Hubble?](#what-is-hubble)\n- [Getting Started](#getting-started)\n- [Features](#features)\n  - [Service Dependency Graph](#service-dependency-graph)\n  - [Metrics \u0026 Monitoring](#metrics--monitoring)\n  - [Flow Visibility](#flow-visibility)\n- [Get in touch / Community](#community)\n- [Authors](#authors)\n# What is Hubble?\n\nHubble is a fully distributed networking and security observability platform\nfor cloud native workloads. It is built on top of [Cilium] and [eBPF] to enable\ndeep visibility into the communication and behavior of services as well as the\nnetworking infrastructure in a completely transparent manner.\n\nHubble can answer questions such as:\n\n**Service dependencies \u0026 communication map:**\n * What services are communicating with each other? How frequently? What does\n   the service dependency graph look like?\n * What HTTP calls are being made? What Kafka topics does a service consume\n   from or produce to?\n\n**Operational monitoring \u0026 alerting:**\n * Is any network communication failing? Why is communication failing? Is it\n   DNS? Is it an application or network problem? Is the communication broken on\n   layer 4 (TCP) or layer 7 (HTTP)?\n * Which services have experienced a DNS resolution problems in the last 5\n   minutes? Which services have experienced an interrupted TCP connection\n   recently or have seen connections timing out? What is the rate of unanswered\n   TCP SYN requests?\n\n**Application monitoring:**\n * What is the rate of 5xx or 4xx HTTP response codes for a particular service\n   or across all clusters?\n * What is the 95th and 99th percentile latency between HTTP requests and\n   responses in my cluster? Which services are performing the worst? What is\n   the latency between two services?\n\n**Security observability:**\n * Which services had connections blocked due to network policy? What services\n   have been accessed from outside the cluster? Which services have resolved a\n   particular DNS name?\n\n## Why Hubble?\n\nThe Linux kernel technology [eBPF] is enabling visibility into systems and\napplications at a granularity and efficiency that was not possible before. It\ndoes so in a completely transparent way, without requiring the application to\nchange or for the application to hide information. By building on top of\n[Cilium], Hubble can leverage [eBPF] for visibility. By leveraging [eBPF], all\nvisibility is programmable and allows for a dynamic approach that minimizes\noverhead while providing deep and detailed insight where required. Hubble has\nbeen created and specifically designed to make best use of these new [eBPF]\npowers.\n\n## Releases\n\nThe Hubble CLI is backward compatible with all supported Cilium releases. For\nthis reason, only the latest Hubble CLI version is maintained.\n\n| Version                                              | Release Date         | Maintained | Supported Cilium Version | Artifacts                                                               |\n|------------------------------------------------------|----------------------|------------|--------------------------|-------------------------------------------------------------------------|\n| [v1.17](https://github.com/cilium/hubble/tree/main)  | 2025-04-30 (v1.17.3) | Yes        | Cilium 1.17 and older    | [GitHub Release](https://github.com/cilium/hubble/releases/tag/v1.17.3) |\n\n## Component Stability\n\nHubble project consists of several components (see Architecture section).\n\nWhile the core Hubble components have been running in production in multiple\nenvironments, new components continue to emerge as the project grows and\nexpands in scope.\n\nSome components, due to their relatively young age, are still considered beta\nand have to be used with caution in critical production workloads.\n\n| Component      | Area      | State  |\n|----------------|-----------|--------|\n| Hubble CLI     | Core      | Stable |\n| Hubble Server  | Core      | Stable |\n| Hubble Metrics | Core      | Stable |\n| Hubble Relay   | Multinode | Stable |\n| Hubble UI      | UI        | Beta   |\n\n## Architecture\n\n![Hubble Architecture](Documentation/images/hubble_arch.png)\n\n# Getting Started\n\n* [Introduction to Cilium \u0026 Hubble](https://docs.cilium.io/en/stable/overview/intro/)\n* [Networking and Security Observability with Hubble](https://docs.cilium.io/en/stable/gettingstarted/hubble/)\n\n# Features\n\n## Service Dependency Graph\n\nTroubleshooting microservices application connectivity is a challenging task.\nSimply looking at \"kubectl get pods\" does not indicate dependencies between\neach service or external APIs or databases.\n\nHubble enables zero-effort automatic discovery of the service dependency graph\nfor Kubernetes Clusters at L3/L4 and even L7, allowing user-friendly\nvisualization and filtering of those dataflows as a Service Map.\n\nSee [Hubble Service Map Tutorial](https://docs.cilium.io/en/stable/gettingstarted/hubble/)\nfor more examples.\n\n![Service Map](Documentation/images/servicemap.png)\n\n## Metrics \u0026 Monitoring\n\nThe metrics and monitoring functionality provides an overview of the state of\nsystems and allow to recognize patterns indicating failure and other scenarios\nthat require action. The following is a short list of example metrics, for a\nmore detailed list of examples, see the\n[Metrics Documentation](https://docs.cilium.io/en/stable/observability/metrics/).\n\n### Networking Behavior\n\n![Networking](Documentation/images/network_and_tcp.png)\n\n### Network Policy Observation\n\n![Network Policy](Documentation/images/network_policy_pod.png)\n\n### HTTP Request/Response Rate \u0026 Latency\n\n![HTTP](Documentation/images/http.png)\n\n### DNS Request/Response Monitoring\n\n![DNS](Documentation/images/dns.png)\n\n## Flow Visibility\n\nFlow visibility provides visibility into flow information on the network and\napplication protocol level. This enables visibility into individual TCP\nconnections, DNS queries, HTTP requests, Kafka communication, and much more.\n\n### DNS Resolution\n\nIdentifying pods which have received DNS response indicating failure:\n\n    hubble observe --since=1m -t l7 -o json \\\n       | jq 'select(.l7.dns.rcode==3) | .destination.namespace + \"/\" + .destination.pod_name' \\\n       | sort | uniq -c | sort -r\n      42 \"starwars/jar-jar-binks-6f5847c97c-qmggv\"\n\n*Successful query \u0026 response:*\n\n    starwars/x-wing-bd86d75c5-njv8k            kube-system/coredns-5c98db65d4-twwdg      DNS Query deathstar.starwars.svc.cluster.local. A\n    kube-system/coredns-5c98db65d4-twwdg       starwars/x-wing-bd86d75c5-njv8k           DNS Answer \"10.110.126.213\" TTL: 3 (Query deathstar.starwars.svc.cluster.local. A)\n\n*Non-existent domain:*\n\n    starwars/jar-jar-binks-789c4b695d-ltrzm    kube-system/coredns-5c98db65d4-f4m8n      DNS Query unknown-galaxy.svc.cluster.local. A\n    starwars/jar-jar-binks-789c4b695d-ltrzm    kube-system/coredns-5c98db65d4-f4m8n      DNS Query unknown-galaxy.svc.cluster.local. AAAA\n    kube-system/coredns-5c98db65d4-twwdg       starwars/jar-jar-binks-789c4b695d-ltrzm   DNS Answer RCode: Non-Existent Domain TTL: 4294967295 (Query unknown-galaxy.starwars.svc.cluster.local. A)\n    kube-system/coredns-5c98db65d4-twwdg       starwars/jar-jar-binks-789c4b695d-ltrzm   DNS Answer RCode: Non-Existent Domain TTL: 4294967295 (Query unknown-galaxy.starwars.svc.cluster.local. AAAA)\n\n### HTTP Protocol\n\n*Successful request \u0026 response with latency information:*\n\n    starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    HTTP/1.1 GET http://deathstar/\n    starwars/deathstar-695d8f7ddc-lvj84:80     starwars/x-wing-bd86d75c5-njv8k:53410     HTTP/1.1 200 1ms (GET http://deathstar/)\n\n### TCP/UDP Packets\n\n*Successful TCP connection:*\n\n    starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    TCP Flags: SYN\n    deathstar.starwars.svc.cluster.local:80    starwars/x-wing-bd86d75c5-njv8k:53410     TCP Flags: SYN, ACK\n    starwars/x-wing-bd86d75c5-njv8k:53410      starwars/deathstar-695d8f7ddc-lvj84:80    TCP Flags: ACK, FIN\n    deathstar.starwars.svc.cluster.local:80    starwars/x-wing-bd86d75c5-njv8k:53410     TCP Flags: ACK, FIN\n\n*Connection timeout:*\n\n    starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN\n    starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN\n    starwars/r2d2-6694d57947-xwhtz:60948   deathstar.starwars.svc.cluster.local:8080     TCP Flags: SYN\n\n### Network Policy Behavior\n\n*Denied connection attempt:*\n\n    starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN\n    starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN\n    starwars/enterprise-5775b56c4b-thtwl:37800   starwars/deathstar-695d8f7ddc-lvj84:80(http)   Policy denied (L3)   TCP Flags: SYN\n\n### Specifying Raw Flow Filters\n\nHubble supports extensive set of filtering options that can be specified as a combination of\nallowlist and denylist. Hubble applies these filters as follows:\n\n    for each flow:\n      if flow does not match any of the allowlist filters:\n        continue\n      if flow matches any of the denylist filters:\n        continue\n      send flow to client\n\nYou can pass these filters to `hubble observe` command as\n[JSON-encoded](https://developers.google.com/protocol-buffers/docs/proto3#json)\n[FlowFilters](https://github.com/cilium/cilium/blob/v1.10.5/api/v1/flow/flow.proto#L348). For\nexample, to observe flows that match the following conditions:\n\n- Either the source or destination identity contains `k8s:io.kubernetes.pod.namespace=kube-system`\n  or `reserved:host` label, AND\n- Neither the source nor destination identity contains `k8s:k8s-app=kube-dns` label:\n\n      hubble observe \\\n        --allowlist '{\"source_label\":[\"k8s:io.kubernetes.pod.namespace=kube-system\",\"reserved:host\"]}' \\\n        --allowlist '{\"destination_label\":[\"k8s:io.kubernetes.pod.namespace=kube-system\",\"reserved:host\"]}' \\\n        --denylist '{\"source_label\":[\"k8s:k8s-app=kube-dns\"]}' \\\n        --denylist '{\"destination_label\":[\"k8s:k8s-app=kube-dns\"]}'\n\nAlternatively, you can also specify these flags as `HUBBLE_{ALLOWLIST,DENYLIST}` environment variables:\n\n    cat \u003e allowlist.txt \u003c\u003cEOF\n    {\"source_label\":[\"k8s:io.kubernetes.pod.namespace=kube-system\",\"reserved:host\"]}\n    {\"destination_label\":[\"k8s:io.kubernetes.pod.namespace=kube-system\",\"reserved:host\"]}\n    EOF\n\n    cat \u003e denylist.txt \u003c\u003cEOF\n    {\"source_label\":[\"k8s:k8s-app=kube-dns\"]}\n    {\"destination_label\":[\"k8s:k8s-app=kube-dns\"]}\n    EOF\n\n    HUBBLE_ALLOWLIST=$(cat allowlist.txt)\n    HUBBLE_DENYLIST=$(cat denylist.txt)\n    export HUBBLE_ALLOWLIST\n    export HUBBLE_DENYLIST\n\n    hubble observe\n\nNote that `--allowlist` and `--denylist` filters get included in the request **in addition to**\nregular flow filters like `--label` or `--namespace`. Use `--print-raw-filters` flag to verify\nthe exact filters that the Hubble CLI generates. For example:\n\n    % hubble observe --print-raw-filters \\\n        -t drop \\\n        -n kube-system \\\n        --not --label \"k8s:k8s-app=kube-dns\" \\\n        --allowlist '{\"source_label\":[\"k8s:k8s-app=my-app\"]}'\n    allowlist:\n    - '{\"source_pod\":[\"kube-system/\"],\"event_type\":[{\"type\":1}]}'\n    - '{\"destination_pod\":[\"kube-system/\"],\"event_type\":[{\"type\":1}]}'\n    - '{\"source_label\":[\"k8s:k8s-app=my-app\"]}'\n    denylist:\n    - '{\"source_label\":[\"k8s:k8s-app=kube-dns\"]}'\n    - '{\"destination_label\":[\"k8s:k8s-app=kube-dns\"]}'\n\nThe output YAML can be saved to a file and passed to `hubble observe` command with `--config`\nflag. For example:\n\n    % hubble observe --print-raw-filters --allowlist '{\"source_label\":[\"k8s:k8s-app=my-app\"]}' \u003e filters.yaml\n    % hubble observe --config ./filters.yaml\n\n# Community\n\nJoin the [Cilium Slack #hubble channel](https://slack.cilium.io) to chat\nwith Cilium Hubble developers and other Cilium / Hubble users. This is a good\nplace to learn about Hubble and Cilium, ask questions, and share your\nexperiences.\n\nLearn more about [Cilium].\n\n# Authors\n\nHubble is an open source project licensed under the [Apache License]. Everybody\nis welcome to contribute. The project is following the [Governance Rules] of\nthe [Cilium] project. See [CONTRIBUTING] for instructions on how to contribute\nand details of the Code of Conduct.\n\n\n[Cilium]: https://github.com/cilium/cilium\n[eBPF]: https://ebpf.io\n[Apache License]: https://www.apache.org/licenses/LICENSE-2.0\n[Governance Rules]: https://docs.cilium.io/en/stable/contributing/development/contributing_guide/\n[CONTRIBUTING]: CONTRIBUTING.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcilium%2Fhubble","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcilium%2Fhubble","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcilium%2Fhubble/lists"}