Configuring Hubble exporter

Hubble Exporter is a feature of cilium-agent that lets you write Hubble flows to a file for later consumption as logs. Hubble Exporter supports file rotation, size limits, filters, and field masks.

Prerequisites

Setup Helm repository:

helm repo add cilium https://helm.cilium.io/

Basic Configuration

Setup

Hubble Exporter is enabled with Config Map property. It is disabled until you set a file path value for hubble-export-file-path.

You can use helm to install cilium with hubble exporter enabled:

helm install cilium cilium/cilium --version 1.16.3 \
   --set hubble.enabled=true \
   --set hubble.export.static.enabled=true \
   --set hubble.export.static.filePath=/var/run/cilium/hubble/events.log

Wait for cilium pod to become ready:

kubectl -n kube-system rollout status ds/cilium

Verify that flow logs are stored in target files:

kubectl -n kube-system exec ds/cilium -- tail -f /var/run/cilium/hubble/events.log

Once you have configured the Hubble Exporter, you can configure your logging solution to consume logs from your Hubble export file path.

To get Hubble flows directly exported to the logs instead of written to a rotated file, stdout can be defined as hubble-export-file-path.

To disable the static configuration, you must remove the hubble-export-file-path key in the cilium-config ConfigMap and manually clean up the log files created in the specified location in the container. The below command will restart the Cilium pods. If you edit the ConfigMap manually, you will need to restart the Cilium pods.

cilium config delete hubble-export-file-path

Configuration options

Helm chart configuration options include:

  • hubble.export.static.filePath: file path of target log file. (default /var/run/cilium/hubble/events.log)

  • hubble.export.fileMaxSizeMb: size in MB at which to rotate the Hubble export file. (default 10)

  • hubble.export.fileMaxBackups: number of rotated Hubble export files to keep. (default 5)

Additionally in cilium-config ConfigMap the following property might be set

  • hubble-export-file-compress: compress rotated Hubble export files. (default false)

Performance tuning

Configuration options impacting performance of Hubble exporter include:

  • hubble.export.static.allowList: specify an allowlist as JSON encoded FlowFilters to Hubble exporter.

  • hubble.export.static.denyList: specify a denylist as JSON encoded FlowFilters to Hubble exporter.

  • hubble.export.static.fieldMask: specify a list of fields to use for field masking in Hubble exporter.

Filters

You can use hubble CLI to generated required filters (see Specifying Raw Flow Filters for more examples).

For example, to filter flows with verdict DENIED or ERROR, run:

$ hubble observe --verdict DROPPED --verdict ERROR --print-raw-filters
allowlist:
- '{"verdict":["DROPPED","ERROR"]}'

Then paste the output to hubble-export-allowlist in cilium-config Config Map:

kubectl -n kube-system patch cm cilium-config --patch-file=/dev/stdin <<-EOF
data:
  hubble-export-allowlist: '{"verdict":["DROPPED","ERROR"]}'
EOF

Or use helm chart to update your cilium installation setting value flag hubble.export.static.allowList.

helm upgrade cilium cilium/cilium --version 1.16.3 \
   --set hubble.enabled=true \
   --set hubble.export.static.enabled=true \
   --set hubble.export.static.allowList[0]='{"verdict":["DROPPED","ERROR"]}'

You can do the same to selectively filter data. For example, to filter all flows in the kube-system namespace, run:

$ hubble observe --not --namespace kube-system --print-raw-filters
denylist:
- '{"source_pod":["kube-system/"]}'
- '{"destination_pod":["kube-system/"]}'

Then paste the output to hubble-export-denylist in cilium-config Config Map:

kubectl -n kube-system patch cm cilium-config --patch-file=/dev/stdin <<-EOF
data:
  hubble-export-denylist: '{"source_pod":["kube-system/"]},{"destination_pod":["kube-system/"]}'
EOF

Or use helm chart to update your cilium installation setting value flag hubble.export.static.denyList.

helm upgrade cilium cilium/cilium --version 1.16.3 \
   --set hubble.enabled=true \
   --set hubble.export.static.enabled=true \
   --set hubble.export.static.denyList[0]='{"source_pod":["kube-system/"]}' \
   --set hubble.export.static.denyList[1]='{"destination_pod":["kube-system/"]}'

Field mask

Field mask can’t be generated with hubble. Field mask is a list of field names from the flow proto definition.

Examples include:

  • To keep all information except pod labels:

    hubble-export-fieldmask: time source.identity source.namespace source.pod_name destination.identity destination.namespace destination.pod_name source_service destination_service l4 IP ethernet l7 Type node_name is_reply event_type verdict Summary
    
  • To keep only timestamp, verdict, ports, IP addresses, node name, pod name, and namespace:

    hubble-export-fieldmask: time source.namespace source.pod_name destination.namespace destination.pod_name l4 IP node_name is_reply verdict
    

The following is a complete example of configuring Hubble Exporter.

  • Configuration:

    helm upgrade cilium cilium/cilium --version 1.16.3 \
       --set hubble.enabled=true \
       --set hubble.export.static.enabled=true \
       --set hubble.export.static.filePath=/var/run/cilium/hubble/events.log \
       --set hubble.export.static.allowList[0]='{"verdict":["DROPPED","ERROR"]}'
       --set hubble.export.static.denyList[0]='{"source_pod":["kube-system/"]}' \
       --set hubble.export.static.denyList[1]='{"destination_pod":["kube-system/"]}' \
       --set "hubble.export.static.fieldMask={time,source.namespace,source.pod_name,destination.namespace,destination.pod_name,l4,IP,node_name,is_reply,verdict,drop_reason_desc}"
  • Command:

    kubectl -n kube-system exec ds/cilium -- tail -f /var/run/cilium/hubble/events.log
    
  • Output:

    {"flow":{"time":"2023-08-21T12:12:13.517394084Z","verdict":"DROPPED","IP":{"source":"fe80::64d8:8aff:fe72:fc14","destination":"ff02::2","ipVersion":"IPv6"},"l4":{"ICMPv6":{"type":133}},"source":{},"destination":{},"node_name":"kind-kind/kind-worker","drop_reason_desc":"INVALID_SOURCE_IP"},"node_name":"kind-kind/kind-worker","time":"2023-08-21T12:12:13.517394084Z"}
    {"flow":{"time":"2023-08-21T12:12:18.510175415Z","verdict":"DROPPED","IP":{"source":"10.244.1.60","destination":"10.244.1.5","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":44916,"destination_port":80,"flags":{"SYN":true}}},"source":{"namespace":"default","pod_name":"xwing"},"destination":{"namespace":"default","pod_name":"deathstar-7848d6c4d5-th9v2"},"node_name":"kind-kind/kind-worker","drop_reason_desc":"POLICY_DENIED"},"node_name":"kind-kind/kind-worker","time":"2023-08-21T12:12:18.510175415Z"}
    

Dynamic exporter configuration

Standard hubble exporter configuration accepts only one set of filters and requires cilium pod restart to change config. Dynamic flow logs allow configuring multiple filters at the same time and saving output in separate files. Additionally it does not require cilium pod restarts to apply changed configuration.

Dynamic Hubble Exporter is enabled with Config Map property. It is disabled until you set a file path value for hubble-flowlogs-config-path.

Install cilium with dynamic exporter enabled:

helm install cilium cilium/cilium --version 1.16.3 \
   --set hubble.enabled=true \
   --set hubble.export.dynamic.enabled=true

Wait for cilium pod to become ready:

kubectl -n kube-system rollout status ds/cilium

You can change flow log settings without a need for pod to be restarted (changes should be reflected within 60s because of configmap propagation delay):

helm upgrade cilium cilium/cilium --version 1.16.3 \
   --set hubble.enabled=true \
   --set hubble.export.dynamic.enabled=true \
   --set hubble.export.dynamic.config.content[0].name=system \
   --set hubble.export.dynamic.config.content[0].filePath=/var/run/cilium/hubble/events-system.log \
   --set hubble.export.dynamic.config.content[0].includeFilters[0].source_pod[0]='kube_system/' \
   --set hubble.export.dynamic.config.content[0].includeFilters[1].destination_pod[0]='kube_system/'

Dynamic flow logs can be configured with end property which means that it will automatically stop logging after specified date time. It supports the same field masking and filtering as static hubble exporter.

For max output file size and backup files dynamic exporter reuses the same settings as static one: hubble.export.fileMaxSizeMb and hubble.export.fileMaxBackups

Sample dynamic flow logs configs:

hubble:
  export:
    dynamic:
      enabled: true
      config:
        enabled: true
        content:
        - name: "test001"
          filePath: "/var/run/cilium/hubble/test001.log"
          fieldMask: []
          includeFilters: []
          excludeFilters: []
          end: "2023-10-09T23:59:59-07:00"
        - name: "test002"
          filePath: "/var/run/cilium/hubble/test002.log"
          fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"]
          includeFilters:
          - source_pod: ["default/"]
            event_type:
            - type: 1
          - destination_pod: ["frontend/webserver-975996d4c-7hhgt"]
          excludeFilters: []
          end: "2023-10-09T23:59:59-07:00"
        - name: "test003"
          filePath: "/var/run/cilium/hubble/test003.log"
          fieldMask: ["source", "destination","verdict"]
          includeFilters: []
          excludeFilters:
          - destination_pod: ["ingress/"]