github.com/cilium/cilium@v1.16.2/Documentation/observability/hubble/hubble-cli.rst (about)

     1  .. only:: not (epub or latex or html)
     2  
     3      WARNING: You are looking at unreleased Cilium documentation.
     4      Please use the official rendered version released here:
     5      https://docs.cilium.io
     6  
     7  .. _hubble_cli:
     8  
     9  *************************************
    10  Inspecting Network Flows with the CLI
    11  *************************************
    12  
    13  This guide walks you through using the Hubble CLI to inspect network flows and
    14  gain visibility into what is happening on the network level.
    15  
    16  The best way to get help if you get stuck is to ask a question on `Cilium
    17  Slack`_. With Cilium contributors across the globe, there is almost always
    18  someone available to help.
    19  
    20  .. note::
    21  
    22      This guide uses examples based on the Demo App. If you would like to run them,
    23      deploy the Demo App first. Please refer to :ref:`gs_http` for more details.
    24  
    25  Pre-Requisites
    26  ==============
    27  
    28  * Cilium has been correctly :ref:`installed in your Kubernetes cluster<k8s_quick_install>`.
    29  * :ref:`Hubble is enabled<hubble_setup>`.
    30  * :ref:`Hubble CLI is installed<hubble_cli_install>`.
    31  * :ref:`The Hubble API is accessible<hubble_validate_api_access>`.
    32  
    33  If unsure, run ``cilium status`` and validate that Cilium and Hubble are up and
    34  running then run ``hubble status`` to verify you can communicate with the
    35  Hubble API .
    36  
    37  Inspecting the cluster's network traffic with Hubble Relay
    38  ==========================================================
    39  
    40  Let's issue some requests to emulate some traffic again. This first request is
    41  allowed by the policy.
    42  
    43  .. code-block:: shell-session
    44  
    45      kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
    46      Ship landed
    47  
    48  This next request is accessing an HTTP endpoint which is denied by policy.
    49  
    50  .. code-block:: shell-session
    51  
    52      kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port
    53      Access denied
    54  
    55  Finally, this last request will hang because the ``xwing`` pod does not have
    56  the ``org=empire`` label required by policy. Press Control-C to kill the curl
    57  request, or wait for it to time out.
    58  
    59  .. code-block:: shell-session
    60  
    61      kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
    62      command terminated with exit code 28
    63  
    64  Let's now inspect this traffic using the CLI. The command below filters all
    65  traffic on the application layer (L7, HTTP) to the ``deathstar`` pod:
    66  
    67  .. code-block:: shell-session
    68  
    69      hubble observe --pod deathstar --protocol http
    70      May  4 13:23:40.501: default/tiefighter:42690 -> default/deathstar-c74d84667-cx5kp:80 http-request FORWARDED (HTTP/1.1 POST http://deathstar.default.svc.cluster.local/v1/request-landing)
    71      May  4 13:23:40.502: default/tiefighter:42690 <- default/deathstar-c74d84667-cx5kp:80 http-response FORWARDED (HTTP/1.1 200 0ms (POST http://deathstar.default.svc.cluster.local/v1/request-landing))
    72      May  4 13:23:43.791: default/tiefighter:42742 -> default/deathstar-c74d84667-cx5kp:80 http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port)
    73  
    74  
    75  
    76  The following command shows all traffic to the ``deathstar`` pod that has been
    77  dropped:
    78  
    79  .. code-block:: shell-session
    80  
    81      hubble observe --pod deathstar --verdict DROPPED
    82      May  4 13:23:43.791: default/tiefighter:42742 -> default/deathstar-c74d84667-cx5kp:80 http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port)
    83      May  4 13:23:47.852: default/xwing:42818 <> default/deathstar-c74d84667-cx5kp:80 Policy denied DROPPED (TCP Flags: SYN)
    84      May  4 13:23:47.852: default/xwing:42818 <> default/deathstar-c74d84667-cx5kp:80 Policy denied DROPPED (TCP Flags: SYN)
    85      May  4 13:23:48.854: default/xwing:42818 <> default/deathstar-c74d84667-cx5kp:80 Policy denied DROPPED (TCP Flags: SYN)
    86  
    87  Feel free to further inspect the traffic. To get help for the ``observe``
    88  command, use ``hubble help observe``.
    89  
    90  Next Steps
    91  ==========
    92  
    93  * :ref:`hubble_api_tls`