github.com/cilium/cilium@v1.16.2/Documentation/observability/hubble/hubble-cli.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 .. _hubble_cli: 8 9 ************************************* 10 Inspecting Network Flows with the CLI 11 ************************************* 12 13 This guide walks you through using the Hubble CLI to inspect network flows and 14 gain visibility into what is happening on the network level. 15 16 The best way to get help if you get stuck is to ask a question on `Cilium 17 Slack`_. With Cilium contributors across the globe, there is almost always 18 someone available to help. 19 20 .. note:: 21 22 This guide uses examples based on the Demo App. If you would like to run them, 23 deploy the Demo App first. Please refer to :ref:`gs_http` for more details. 24 25 Pre-Requisites 26 ============== 27 28 * Cilium has been correctly :ref:`installed in your Kubernetes cluster<k8s_quick_install>`. 29 * :ref:`Hubble is enabled<hubble_setup>`. 30 * :ref:`Hubble CLI is installed<hubble_cli_install>`. 31 * :ref:`The Hubble API is accessible<hubble_validate_api_access>`. 32 33 If unsure, run ``cilium status`` and validate that Cilium and Hubble are up and 34 running then run ``hubble status`` to verify you can communicate with the 35 Hubble API . 36 37 Inspecting the cluster's network traffic with Hubble Relay 38 ========================================================== 39 40 Let's issue some requests to emulate some traffic again. This first request is 41 allowed by the policy. 42 43 .. code-block:: shell-session 44 45 kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing 46 Ship landed 47 48 This next request is accessing an HTTP endpoint which is denied by policy. 49 50 .. code-block:: shell-session 51 52 kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port 53 Access denied 54 55 Finally, this last request will hang because the ``xwing`` pod does not have 56 the ``org=empire`` label required by policy. Press Control-C to kill the curl 57 request, or wait for it to time out. 58 59 .. code-block:: shell-session 60 61 kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing 62 command terminated with exit code 28 63 64 Let's now inspect this traffic using the CLI. The command below filters all 65 traffic on the application layer (L7, HTTP) to the ``deathstar`` pod: 66 67 .. code-block:: shell-session 68 69 hubble observe --pod deathstar --protocol http 70 May 4 13:23:40.501: default/tiefighter:42690 -> default/deathstar-c74d84667-cx5kp:80 http-request FORWARDED (HTTP/1.1 POST http://deathstar.default.svc.cluster.local/v1/request-landing) 71 May 4 13:23:40.502: default/tiefighter:42690 <- default/deathstar-c74d84667-cx5kp:80 http-response FORWARDED (HTTP/1.1 200 0ms (POST http://deathstar.default.svc.cluster.local/v1/request-landing)) 72 May 4 13:23:43.791: default/tiefighter:42742 -> default/deathstar-c74d84667-cx5kp:80 http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port) 73 74 75 76 The following command shows all traffic to the ``deathstar`` pod that has been 77 dropped: 78 79 .. code-block:: shell-session 80 81 hubble observe --pod deathstar --verdict DROPPED 82 May 4 13:23:43.791: default/tiefighter:42742 -> default/deathstar-c74d84667-cx5kp:80 http-request DROPPED (HTTP/1.1 PUT http://deathstar.default.svc.cluster.local/v1/exhaust-port) 83 May 4 13:23:47.852: default/xwing:42818 <> default/deathstar-c74d84667-cx5kp:80 Policy denied DROPPED (TCP Flags: SYN) 84 May 4 13:23:47.852: default/xwing:42818 <> default/deathstar-c74d84667-cx5kp:80 Policy denied DROPPED (TCP Flags: SYN) 85 May 4 13:23:48.854: default/xwing:42818 <> default/deathstar-c74d84667-cx5kp:80 Policy denied DROPPED (TCP Flags: SYN) 86 87 Feel free to further inspect the traffic. To get help for the ``observe`` 88 command, use ``hubble help observe``. 89 90 Next Steps 91 ========== 92 93 * :ref:`hubble_api_tls`