Service Map & Hubble UI

This tutorial guides you through enabling the Hubble UI to access the graphical service map.

[Image: Hubble UI service map]

Note

This guide assumes that Cilium has been correctly installed in your Kubernetes cluster and that Hubble has been enabled. Please see Quick Installation and Setting up Hubble Observability for more information. If unsure, run cilium status and validate that Cilium and Hubble are up and running.

Enable the Hubble UI

If you have not done so already, enable the Hubble UI by running the following command:

Cilium CLI:

    cilium hubble enable --ui
    🔑 Found existing CA in secret cilium-ca
    Patching ConfigMap cilium-config to enable Hubble...
    ♻️ Restarted Cilium pods
    Relay is already deployed
    Hubble UI is already deployed

Helm:

    helm upgrade cilium cilium/cilium --version 1.12.0 \
       --namespace $CILIUM_NAMESPACE \
       --reuse-values \
       --set hubble.relay.enabled=true \
       --set hubble.ui.enabled=true

Helm (Standalone install):

Clusters sometimes come with Cilium, Hubble, and Hubble Relay already installed. When this is the case, you can still use Helm to install only Hubble UI on top of the pre-installed components.

You will need to set hubble.ui.standalone.enabled to true and, if TLS is enabled on the Hubble Relay server side, provide a volume from which the Hubble UI client certificates are mounted.

Below is an example deploying Hubble UI as standalone, with client certificates mounted from a my-hubble-ui-client-certs secret:

    helm upgrade --install --namespace kube-system cilium cilium/cilium --version 1.12.0 --values - <<EOF
    agent: false
    operator:
      enabled: false
    cni:
      install: false
    hubble:
      enabled: false
      relay:
        # set this to false as Hubble relay is already installed
        enabled: false
        tls:
          server:
            # set this to true if tls is enabled on Hubble relay server side
            enabled: true
      ui:
        # enable Hubble UI
        enabled: true
        standalone:
          # enable Hubble UI standalone deployment
          enabled: true
          # provide a volume containing Hubble relay client certificates to mount in Hubble UI pod
          tls:
            certsVolume:
              projected:
                defaultMode: 0400
                sources:
                - secret:
                    name: my-hubble-ui-client-certs
                    items:
                    - key: tls.crt
                      path: client.crt
                    - key: tls.key
                      path: client.key
                    - key: ca.crt
                      path: hubble-relay-ca.crt
    EOF

Please note that Hubble UI expects the certificate files to be available under the following paths:

    - name: TLS_RELAY_CA_CERT_FILES
      value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
    - name: TLS_RELAY_CLIENT_CERT_FILE
      value: /var/lib/hubble-ui/certs/client.crt
    - name: TLS_RELAY_CLIENT_KEY_FILE
      value: /var/lib/hubble-ui/certs/client.key

Keep this in mind when providing the volume containing the certificate.
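
A pre-flight check for the files listed above, as an added example that is not part of the Cilium documentation. The function name is hypothetical. It assumes the secret's contents have been saved to a local directory under the mounted file names, and that the CA in ca.crt also issued the client certificate.

```sh
#!/bin/sh
# Added example: verify the client certificate files before mounting them
# into the Hubble UI pod. File names come from the TLS_RELAY_* paths above.
CA_FILE=hubble-relay-ca.crt
CERT_FILE=client.crt
KEY_FILE=client.key

# check_hubble_ui_certs DIR  (hypothetical helper)
# Returns 0 if every check passes, 1 on the first failure.
check_hubble_ui_certs() {
    dir=$1

    # Hubble UI looks for exactly these three file names.
    for f in "$CA_FILE" "$CERT_FILE" "$KEY_FILE"; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done

    # Assumption: the CA in hubble-relay-ca.crt also issued client.crt.
    if ! openssl verify -CAfile "$dir/$CA_FILE" "$dir/$CERT_FILE" >/dev/null 2>&1; then
        echo "$CERT_FILE does not verify against $CA_FILE" >&2
        return 1
    fi

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$dir/$CERT_FILE" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/$KEY_FILE" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$KEY_FILE does not match $CERT_FILE" >&2
        return 1
    fi

    echo "ok: $dir contains a usable CA, client certificate and key"
}

# Run the check when a directory is given on the command line.
if [ "$#" -eq 1 ]; then
    check_hubble_ui_certs "$1"
fi
```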

Open the Hubble UI

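Open the Hubble UI in your browser by running cilium hubble ui. It will automatically set up a port forward to the hubble-ui service in your Kubernetes cluster and make it available on a local port on your machine. As the output shows, the port forward listens on all interfaces (0.0.0.0 and [::]), so while the command runs the UI is reachable from other hosts that can connect to port 12000 on your machine.

    cilium hubble ui
    Forwarding from 0.0.0.0:12000 -> 8081
    Forwarding from [::]:12000 -> 8081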

Tip

The above command will block and continue running while the port forward is active. You can interrupt the command to abort the port forward and re-run the command to make the UI accessible again.

If your browser has not automatically opened the UI, open the page http://localhost:12000 in your browser. You should see a screen inviting you to select a namespace. Use the namespace selector dropdown in the top-left corner to select one:

[Image: Hubble UI namespace selector]

In this example, we are deploying the Star Wars demo from the Identity-Aware and HTTP-Aware Policy Enforcement guide. However, you can apply the same techniques to observe application connectivity dependencies in your own namespaces and clusters, for applications of any type.

Once the deployment is ready, issue a request from both spaceships to emulate some traffic.

    $ kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
    Ship landed
    $ kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
    Ship landed

These requests will then be displayed in the UI as service dependencies between the different pods:

[Image: Hubble UI service map of the Star Wars demo]

At the bottom of the interface, you can also inspect each recent Hubble flow event in your current namespace individually.

Inspecting a wide variety of network traffic

In order to generate some network traffic, run the connectivity test in a loop:

    while true; do cilium connectivity test; done

To see the traffic in Hubble, open http://localhost:12000/cilium-test in your browser.