.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

***************************
Configuring Hubble exporter
***************************

**Hubble Exporter** is a feature of ``cilium-agent`` that lets you write
Hubble flows to a file for later consumption as logs. Hubble Exporter supports file
rotation, size limits, filters, and field masks.

Prerequisites
=============

.. include:: /installation/k8s-install-download-release.rst

Basic Configuration
===================

Setup
-----

**Hubble Exporter** is enabled with a ConfigMap property. It is disabled
until you set a file path value for ``hubble-export-file-path``.

You can use Helm to install Cilium with Hubble Exporter enabled:

.. parsed-literal::

    helm install cilium |CHART_RELEASE| \\
       --set hubble.enabled=true \\
       --set hubble.export.static.enabled=true \\
       --set hubble.export.static.filePath=/var/run/cilium/hubble/events.log

Wait for the ``cilium`` pods to become ready:

.. code-block:: shell-session

    kubectl -n kube-system rollout status ds/cilium

Verify that flow logs are stored in the target file:

.. code-block:: shell-session

    kubectl -n kube-system exec ds/cilium -- tail -f /var/run/cilium/hubble/events.log

Once you have configured the Hubble Exporter, you can configure your logging solution to consume
logs from your Hubble export file path.

To get Hubble flows exported directly to the logs instead of written to a rotated file,
set ``hubble-export-file-path`` to ``stdout``.
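
A minimal consumer for the export file, as an added example that is not part of the Cilium documentation: it reads the one-JSON-object-per-line format the exporter writes and counts ``DROPPED`` flows per source, destination, port and drop reason. The sample lines are constructed, and the function names are chosen here.

```python
import json
from collections import Counter

# Constructed sample lines shaped like the exporter's JSON output; the first has
# empty endpoints (no pod identity) and the last is cut off mid-write.
SAMPLE_EXPORT = """\
{"flow":{"verdict":"DROPPED","IP":{"source":"fe80::1","destination":"ff02::2"},"source":{},"destination":{},"drop_reason_desc":"INVALID_SOURCE_IP"}}
{"flow":{"verdict":"DROPPED","IP":{"source":"10.244.1.60","destination":"10.244.1.5"},"l4":{"TCP":{"destination_port":80}},"source":{"namespace":"default","pod_name":"xwing"},"destination":{"namespace":"default","pod_name":"deathstar-1"},"drop_reason_desc":"POLICY_DENIED"}}
{"flow":{"verdict":"DROPPED","IP":{"source":"10.244.1.60","destination":"10.244.1.5"},"l4":{"TCP":{"destination_port":80}},"source":{"namespace":"default","pod_name":"xwing"},"destination":{"namespace":"default","pod_name":"deathstar-1"},"drop_reason_desc":"POLICY_DENIED"}}
{"flow":{"verdict":"FORWARDED","source":{"namespace":"default","pod_name":"tiefighter"},"destination":{"namespace":"default","pod_name":"deathstar-1"}}}
{"flow":{"verdict":"DROPPED","IP":{"sou
"""

def endpoint(flow, side):
    """Return 'namespace/pod' for one side, falling back to its IP address."""
    ep = flow.get(side) or {}
    if ep.get("pod_name"):
        return f"{ep.get('namespace', '?')}/{ep['pod_name']}"
    return (flow.get("IP") or {}).get(side, "unknown")

def dest_port(flow):
    """Return e.g. 'TCP/80', or '-' when the flow has no TCP/UDP layer."""
    for proto in ("TCP", "UDP"):
        l4 = (flow.get("l4") or {}).get(proto)
        if l4:
            return f"{proto}/{l4.get('destination_port', '?')}"
    return "-"

def summarize_drops(lines):
    """Count DROPPED flows per (source, destination, port, reason)."""
    drops, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            flow = json.loads(line)["flow"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1          # truncated or non-flow line
            continue
        if flow.get("verdict") == "DROPPED":
            # drop_reason_desc is only present if the field mask keeps it
            drops[(endpoint(flow, "source"), endpoint(flow, "destination"),
                   dest_port(flow), flow.get("drop_reason_desc", "UNKNOWN"))] += 1
    return drops, skipped

if __name__ == "__main__":
    for key, count in summarize_drops(SAMPLE_EXPORT.splitlines())[0].most_common():
        print(count, *key)
```
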

To disable the static configuration, you must remove the ``hubble-export-file-path`` key in the
``cilium-config`` ConfigMap and manually clean up the log files created in the specified
location in the container. The command below restarts the Cilium pods. If you edit the
ConfigMap manually instead, you need to restart the Cilium pods yourself.

.. code-block:: shell-session

    cilium config delete hubble-export-file-path

Configuration options
---------------------

Helm chart configuration options include:

- ``hubble.export.static.filePath``: file path of target log file. (default /var/run/cilium/hubble/events.log)

- ``hubble.export.fileMaxSizeMb``: size in MB at which to rotate the Hubble export file. (default 10)

- ``hubble.export.fileMaxBackups``: number of rotated Hubble export files to keep. (default 5)

Additionally, the following property can be set in the ``cilium-config`` ConfigMap:

- ``hubble-export-file-compress``: compress rotated Hubble export files. (default false)

Performance tuning
==================

Configuration options impacting performance of **Hubble exporter** include:

- ``hubble.export.static.allowList``: specify an allowlist as JSON encoded FlowFilters to Hubble exporter.

- ``hubble.export.static.denyList``: specify a denylist as JSON encoded FlowFilters to Hubble exporter.

- ``hubble.export.static.fieldMask``: specify a list of fields to use for field masking in Hubble exporter.

Filters
-------

You can use the ``hubble`` CLI to generate the required filters (see `Specifying Raw
Flow Filters`_ for more examples).

.. _Specifying Raw Flow Filters: https://github.com/cilium/hubble#specifying-raw-flow-filters

For example, to filter flows with verdict ``DROPPED`` or ``ERROR``, run:

.. code-block:: shell-session

    $ hubble observe --verdict DROPPED --verdict ERROR --print-raw-filters
    allowlist:
    - '{"verdict":["DROPPED","ERROR"]}'

Then paste the output to ``hubble-export-allowlist`` in the ``cilium-config``
ConfigMap:

.. code-block:: shell-session

    kubectl -n kube-system patch cm cilium-config --patch-file=/dev/stdin <<-EOF
    data:
      hubble-export-allowlist: '{"verdict":["DROPPED","ERROR"]}'
    EOF

Or use the Helm chart to update your Cilium installation by setting the
``hubble.export.static.allowList`` value:

.. parsed-literal::

    helm upgrade cilium |CHART_RELEASE| \\
       --set hubble.enabled=true \\
       --set hubble.export.static.enabled=true \\
       --set hubble.export.static.allowList[0]='{"verdict":["DROPPED","ERROR"]}'


You can do the same to selectively exclude data. For example, to exclude all flows to or
from the ``kube-system`` namespace, run:

.. code-block:: shell-session

    $ hubble observe --not --namespace kube-system --print-raw-filters
    denylist:
    - '{"source_pod":["kube-system/"]}'
    - '{"destination_pod":["kube-system/"]}'

Then paste the output to ``hubble-export-denylist`` in the ``cilium-config``
ConfigMap:

.. code-block:: shell-session

    kubectl -n kube-system patch cm cilium-config --patch-file=/dev/stdin <<-EOF
    data:
      hubble-export-denylist: '{"source_pod":["kube-system/"]},{"destination_pod":["kube-system/"]}'
    EOF

Or use the Helm chart to update your Cilium installation by setting the
``hubble.export.static.denyList`` value:

.. parsed-literal::

    helm upgrade cilium |CHART_RELEASE| \\
       --set hubble.enabled=true \\
       --set hubble.export.static.enabled=true \\
       --set hubble.export.static.denyList[0]='{"source_pod":["kube-system/"]}' \\
       --set hubble.export.static.denyList[1]='{"destination_pod":["kube-system/"]}'

Field mask
----------

A field mask can't be generated with the ``hubble`` CLI. It is a list of field
names from the `flow proto`_ definition.

.. _flow proto: https://github.com/cilium/cilium/blob/main/api/v1/flow/flow.proto

Examples include:

- To keep all information except pod labels:

  .. code-block:: shell-session

      hubble-export-fieldmask: time source.identity source.namespace source.pod_name destination.identity destination.namespace destination.pod_name source_service destination_service l4 IP ethernet l7 Type node_name is_reply event_type verdict Summary

- To keep only timestamp, verdict, ports, IP addresses, node name, pod name, and namespace:

  .. code-block:: shell-session

      hubble-export-fieldmask: time source.namespace source.pod_name destination.namespace destination.pod_name l4 IP node_name is_reply verdict

The following is a complete example of configuring Hubble Exporter.

- Configuration:

  .. parsed-literal::

      helm upgrade cilium |CHART_RELEASE| \\
         --set hubble.enabled=true \\
         --set hubble.export.static.enabled=true \\
         --set hubble.export.static.filePath=/var/run/cilium/hubble/events.log \\
         --set hubble.export.static.allowList[0]='{"verdict":["DROPPED","ERROR"]}' \\
         --set hubble.export.static.denyList[0]='{"source_pod":["kube-system/"]}' \\
         --set hubble.export.static.denyList[1]='{"destination_pod":["kube-system/"]}' \\
         --set "hubble.export.static.fieldMask={time,source.namespace,source.pod_name,destination.namespace,destination.pod_name,l4,IP,node_name,is_reply,verdict,drop_reason_desc}"

- Command:

  .. code-block:: shell-session

      kubectl -n kube-system exec ds/cilium -- tail -f /var/run/cilium/hubble/events.log

- Output:

  ::

      {"flow":{"time":"2023-08-21T12:12:13.517394084Z","verdict":"DROPPED","IP":{"source":"fe80::64d8:8aff:fe72:fc14","destination":"ff02::2","ipVersion":"IPv6"},"l4":{"ICMPv6":{"type":133}},"source":{},"destination":{},"node_name":"kind-kind/kind-worker","drop_reason_desc":"INVALID_SOURCE_IP"},"node_name":"kind-kind/kind-worker","time":"2023-08-21T12:12:13.517394084Z"}
      {"flow":{"time":"2023-08-21T12:12:18.510175415Z","verdict":"DROPPED","IP":{"source":"10.244.1.60","destination":"10.244.1.5","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":44916,"destination_port":80,"flags":{"SYN":true}}},"source":{"namespace":"default","pod_name":"xwing"},"destination":{"namespace":"default","pod_name":"deathstar-7848d6c4d5-th9v2"},"node_name":"kind-kind/kind-worker","drop_reason_desc":"POLICY_DENIED"},"node_name":"kind-kind/kind-worker","time":"2023-08-21T12:12:18.510175415Z"}


Dynamic exporter configuration
==============================

The standard Hubble exporter configuration accepts only one set of filters and
requires a Cilium pod restart to change the configuration. Dynamic flow logs allow
configuring multiple filters at the same time and saving the output in separate files.
Additionally, they do not require Cilium pod restarts to apply a changed configuration.

**Dynamic Hubble Exporter** is enabled with a ConfigMap property. It is disabled
until you set a file path value for ``hubble-flowlogs-config-path``.

Install Cilium with the dynamic exporter enabled:

.. parsed-literal::

    helm install cilium |CHART_RELEASE| \\
       --set hubble.enabled=true \\
       --set hubble.export.dynamic.enabled=true

Wait for the ``cilium`` pods to become ready:

.. code-block:: shell-session

    kubectl -n kube-system rollout status ds/cilium

You can change flow log settings without restarting the pods
(changes should be reflected within 60s because of ConfigMap propagation delay):

.. parsed-literal::

    helm upgrade cilium |CHART_RELEASE| \\
       --set hubble.enabled=true \\
       --set hubble.export.dynamic.enabled=true \\
       --set hubble.export.dynamic.config.content[0].name=system \\
       --set hubble.export.dynamic.config.content[0].filePath=/var/run/cilium/hubble/events-system.log \\
       --set hubble.export.dynamic.config.content[0].includeFilters[0].source_pod[0]='kube-system/' \\
       --set hubble.export.dynamic.config.content[0].includeFilters[1].destination_pod[0]='kube-system/'


Dynamic flow logs can be configured with an ``end`` property, which makes an entry
automatically stop logging after the specified date and time. Dynamic flow logs support
the same field masking and filtering as the static Hubble exporter.

For the maximum output file size and the number of backup files, the dynamic exporter reuses
the same settings as the static one: ``hubble.export.fileMaxSizeMb`` and ``hubble.export.fileMaxBackups``.

Sample dynamic flow logs configs:

::

  hubble:
    export:
      dynamic:
        enabled: true
        config:
          enabled: true
          content:
          - name: "test001"
            filePath: "/var/run/cilium/hubble/test001.log"
            fieldMask: []
            includeFilters: []
            excludeFilters: []
            end: "2023-10-09T23:59:59-07:00"
          - name: "test002"
            filePath: "/var/run/cilium/hubble/test002.log"
            fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"]
            includeFilters:
            - source_pod: ["default/"]
              event_type:
              - type: 1
            - destination_pod: ["frontend/webserver-975996d4c-7hhgt"]
            excludeFilters: []
            end: "2023-10-09T23:59:59-07:00"
          - name: "test003"
            filePath: "/var/run/cilium/hubble/test003.log"
            fieldMask: ["source", "destination","verdict"]
            includeFilters: []
            excludeFilters:
            - destination_pod: ["ingress/"]
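
A simplified model of how the three sample entries above select flows, as an added example that is not Cilium's code. It assumes the FlowFilter semantics documented for Hubble (fields within one filter are ANDed, filters in a list are ORed, any matching exclude filter wins) and covers only ``source_pod``, ``destination_pod`` and ``event_type``; ``CONTENT`` and the function names are chosen here.

```python
from datetime import datetime

# The three entries of the sample config above, transcribed as Python data.
CONTENT = [
    {"name": "test001", "includeFilters": [], "excludeFilters": [],
     "end": "2023-10-09T23:59:59-07:00"},
    {"name": "test002", "end": "2023-10-09T23:59:59-07:00", "excludeFilters": [],
     "includeFilters": [
         {"source_pod": ["default/"], "event_type": [{"type": 1}]},
         {"destination_pod": ["frontend/webserver-975996d4c-7hhgt"]}]},
    {"name": "test003", "includeFilters": [],
     "excludeFilters": [{"destination_pod": ["ingress/"]}]},
]

def pod_matches(patterns, endpoint):
    """Match 'namespace/prefix': exact namespace, pod-name prefix (may be empty)."""
    for pattern in patterns:
        if "/" not in pattern:
            raise ValueError(f"only 'namespace/prefix' is modelled: {pattern!r}")
        namespace, _, prefix = pattern.partition("/")
        if (endpoint.get("namespace") == namespace
                and endpoint.get("pod_name", "").startswith(prefix)):
            return True
    return False

def filter_matches(flt, flow):
    """Every field set in one filter must match (AND); unknown fields raise."""
    checks = {
        "source_pod": lambda v: pod_matches(v, flow.get("source", {})),
        "destination_pod": lambda v: pod_matches(v, flow.get("destination", {})),
        "event_type": lambda v: flow.get("event_type", {}).get("type")
                                in [e.get("type") for e in v],
    }
    return all(checks[field](values) for field, values in flt.items())

def written_to(flow, now, content=CONTENT):
    """Names of the flow-log entries that would record `flow` at time `now`."""
    names = []
    for entry in content:
        end = entry.get("end")
        if end and now > datetime.fromisoformat(end):
            continue                      # past `end`: this entry has stopped
        include = entry.get("includeFilters") or []
        exclude = entry.get("excludeFilters") or []
        if include and not any(filter_matches(f, flow) for f in include):
            continue
        if not any(filter_matches(f, flow) for f in exclude):
            names.append(entry["name"])
    return names
```

``now`` must be a timezone-aware ``datetime``, because the ``end`` values carry a UTC offset.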