
Container Service for Kubernetes: Implement network observability by using ACK Terway and Cilium Hubble

Last Updated: Mar 15, 2024

You can deploy Cilium Hubble in a Container Service for Kubernetes (ACK) cluster that uses the Terway network plug-in to view the network traffic and network policies of containers. This enables you to monitor the network architecture and business topology. This topic describes how to use Cilium Hubble to view statistics about network traffic in a container network, such as the sources and destinations of packets.

Prerequisites

An ACK managed cluster is created.

Note

Cilium Hubble supports only the One ENI for Multi-Pod mode of Terway. This mode is based on IPVLAN. Therefore, when you create the ACK cluster, you must specify Terway as Network Plug-in and IPvlan as Terway Mode. Otherwise, you cannot use Cilium Hubble.

Step 1: Modify the Terway ConfigMap eni-config

Modify the Terway ConfigMap eni-config in the ACK console

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. Modify the Terway ConfigMap eni-config.

    1. In the left-side navigation pane of the details page, choose Configurations > ConfigMaps.

    2. In the upper part of the ConfigMap page, set Namespace to kube-system and click Edit YAML in the Actions column of eni-config.

    3. In the View in YAML panel, find 10-terway.conf, add the following parameters to 10-terway.conf, and then click OK.

      "cilium_enable_hubble":"true",
      "cilium_hubble_listen_address":":4244",
      "cilium_hubble_metrics_server":":9091",
      "cilium_hubble_metrics":"drop,tcp,flow,port-distribution,icmp",

      | Parameter | Description | Note |
      | --- | --- | --- |
      | eniip_virtual_type | Specifies whether to enable the IPVLAN mode. | If the ConfigMap does not contain this parameter or the value is not set to IPVLAN, your cluster does not support Cilium Hubble. |
      | cilium_enable_hubble | Specifies whether to enable Cilium Hubble to analyze network traffic. | This parameter is set to "true" in this example. |
      | cilium_hubble_listen_address | The port that is used to expose the Cilium Hubble Service. | This parameter is set to ":4244" in this example. |
      | cilium_hubble_metrics_server | The port that is used to expose the Cilium Hubble metrics server. | This parameter is set to ":9091" in this example. |
      | cilium_hubble_metrics | The metrics that you want to collect by using Cilium Hubble. Separate the metrics with commas (,). | Layer 7 network capabilities such as HTTP and DNS are not supported. Cilium Hubble can collect the following metrics: "drop,tcp,flow,port-distribution,icmp". |

      Note

      If you specify an excessive number of metrics, the performance of Cilium Hubble may be degraded.

  5. Restart the Terway pods for the modified ConfigMap to take effect.

    1. In the left-side navigation pane of the details page, choose Workloads > Pods.

    2. In the upper part of the Pods page, set Namespace to kube-system, search for terway-eniip in the search box, and choose More > Delete in the Actions column of each pod whose name is terway-eniip-xxx.

    3. In the message that appears, click OK.

      On the Pods page, if the Status column of terway-eniip-xxx displays Running, the pod is restarted.

    4. Repeat the preceding steps to delete all Terway pods.

Modify the Terway ConfigMap eni-config by using the CLI

  1. Connect to the cluster by using kubectl. For more information, see Step 2: Select a type of cluster credentials.

  2. Modify the Terway ConfigMap eni-config.

    1. Run the following command to modify the Terway ConfigMap eni-config:

      kubectl -n kube-system edit configmap eni-config

    2. Paste the following content to the Terway ConfigMap and save the ConfigMap:

      "cilium_enable_hubble":"true",
      "cilium_hubble_listen_address":":4244",
      "cilium_hubble_metrics_server":":9091",
      "cilium_hubble_metrics":"drop,tcp,flow,port-distribution,icmp",

      | Parameter | Description | Note |
      | --- | --- | --- |
      | eniip_virtual_type | Specifies whether to enable the IPVLAN mode. | If the ConfigMap does not contain this parameter or the value is not set to IPVLAN, your cluster does not support Cilium Hubble. |
      | cilium_enable_hubble | Specifies whether to enable Cilium Hubble to analyze network traffic. | This parameter is set to "true" in this example. |
      | cilium_hubble_listen_address | The port that is used to expose the Cilium Hubble Service. | This parameter is set to ":4244" in this example. |
      | cilium_hubble_metrics_server | The port that is used to expose the Cilium Hubble metrics server. | This parameter is set to ":9091" in this example. |
      | cilium_hubble_metrics | The metrics that you want to collect by using Cilium Hubble. Separate the metrics with commas (,). | Layer 7 network capabilities such as HTTP and DNS are not supported. Cilium Hubble can collect the following metrics: "drop,tcp,flow,port-distribution,icmp". |

      Note

      If you specify an excessive number of metrics, the performance of Cilium Hubble may be degraded.

  3. Restart the Terway pods for the modified ConfigMap to take effect.

    1. Run the following command to query the Terway pods:

      kubectl -n kube-system get pod | grep terway-eniip

    2. Run the following command to delete a Terway pod:

      kubectl -n kube-system delete pod terway-eniip-xxx

      Replace terway-eniip-xxx with the name of the Terway pod. Repeat the preceding steps to delete all Terway pods.
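The following check is an added example, not part of the original topic or of Terway: it validates the text of 10-terway.conf against the parameter table above before the Terway pods are restarted. The function name, the sample values, and the case-insensitive comparison of eniip_virtual_type are assumptions.

```python
import json

# Metrics the page lists as collectable; Layer 7 ones such as http/dns are not.
SUPPORTED = {"drop", "tcp", "flow", "port-distribution", "icmp"}

def check_terway_conf(text):
    """Return the problems found in the text of 10-terway.conf ([] if none)."""
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: the four lines were pasted last, leaving a comma before "}".
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    problems = []
    # Comparing case-insensitively is an assumption about how the value is spelled.
    if str(conf.get("eniip_virtual_type", "")).lower() != "ipvlan":
        problems.append("eniip_virtual_type is not IPVLAN")
    if str(conf.get("cilium_enable_hubble", "")).lower() != "true":
        problems.append("cilium_enable_hubble is not true")
    for key in ("cilium_hubble_listen_address", "cilium_hubble_metrics_server"):
        port = str(conf.get(key, "")).rpartition(":")[2]
        if not (port.isdecimal() and 0 < int(port) < 65536):
            problems.append(f"{key} has no valid port")
    metrics = {m.strip() for m in str(conf.get("cilium_hubble_metrics", "")).split(",")} - {""}
    if not metrics:
        problems.append("cilium_hubble_metrics is empty")
    if metrics - SUPPORTED:
        problems.append("unsupported metrics: " + ",".join(sorted(metrics - SUPPORTED)))
    return problems

# Constructed samples; "name" and "type" stand in for keys already in the file.
GOOD = """{
  "name": "terway", "type": "terway", "eniip_virtual_type": "IPVlan",
  "cilium_enable_hubble": "true",
  "cilium_hubble_listen_address": ":4244",
  "cilium_hubble_metrics_server": ":9091",
  "cilium_hubble_metrics": "drop,tcp,flow,port-distribution,icmp"
}"""
PASTED_LAST = GOOD.replace('icmp"\n}', 'icmp",\n}')   # trailing comma kept
L7_NO_IPVLAN = GOOD.replace("IPVlan", "Veth").replace("drop,tcp", "drop,http,dns")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("pasted last", PASTED_LAST), ("L7", L7_NO_IPVLAN)]:
        print(label, check_terway_conf(sample))
```

An empty list means the file parses as JSON and matches the table; any other result should be fixed before the Terway pods are deleted.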

Step 2: Install Cilium Hubble

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, choose Marketplace > Marketplace.

  3. On the App Catalog page, search for ack-terway-hubble. Find and click ack-terway-hubble.

  4. Click Deploy, select a cluster, and then click Next.

  5. In the Parameters section, configure hosts of ingress. The host is used to log on to Hubble UI. You can configure other parameters based on your business requirements.

    Note

    The following parameters must be specified under ingress.

    | Parameter | Description |
    | --- | --- |
    | enabled | Specifies whether to use the Ingress to access Hubble UI. |
    | annotations | The annotations of the Ingress. |
    | path | The root path of the Ingress. |
    | hosts | The host of the Ingress. |
    | tls | The TLS settings of the Ingress. |

  6. Click OK.

Step 3: Use Cilium Hubble

If you configured the hosts parameter for the Ingress of Cilium Hubble, you can log on to Hubble UI by accessing the Ingress host through port 80. When you access the Ingress host, the following information appears:

Note

If the domain name that you access is not an authoritative domain name, such as ingress.local, you must run the kubectl -n kube-system get svc nginx-ingress-lb command to query the IP address of Hubble UI. Then, modify the hosts file on your computer to map ingress.local to the IP address of Hubble UI.

  • In the upper portion of the page, you can view the topologies of pods and Services that belong to different namespaces.

  • In the lower portion of the page, you can view the sources, destinations, ports, and forwarding states of network traffic.

  • If you have configured network policies, you can view packets that are dropped because of network policy mismatching.

Observability

Cilium Hubble uses the hubble-metrics Service in the kube-system namespace to expose network flow metrics. You can specify the metrics that Cilium Hubble exposes by setting the cilium_hubble_metrics parameter in the Terway ConfigMap eni-config. You can use open source Prometheus and Managed Service for Prometheus to collect these metrics. For more information, see Use open source Prometheus to monitor an ACK cluster and Managed Service for Prometheus.

Note

For more information about the metrics that Cilium Hubble can expose, see hubble-exported-metrics.

| Category | Name | Label | Description |
| --- | --- | --- | --- |
| drop | hubble_drop_total | reason, protocol | The number of dropped packets. |
| tcp | hubble_tcp_flags_total | flag, family | The number of TCP flags. |
| flow | hubble_flows_processed_total | type, subtype, verdict | The number of network flows processed. |
| port-distribution | hubble_port_distribution_total | protocol, port | The distribution of packets on destination ports. |
| icmp | hubble_icmp_total | family, type | The number of ICMP messages. |
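The following is an added example, not part of the original topic or of Cilium Hubble: it reads two scrapes of the hubble-metrics endpoint in Prometheus text format and reports how many new drops each reason label of hubble_drop_total gained, handling the counter reset that follows a restart. The function names are hypothetical and the scrape text, including the label values, is constructed.

```python
import re
from collections import Counter

# One labelled sample of the Prometheus text format: name{labels} value
SAMPLE = re.compile(r'^(\w+)\{(.*)\}\s+([0-9.eE+-]+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def drops_by_reason(text):
    """Sum hubble_drop_total per reason label; comment and other lines are skipped."""
    totals = Counter()
    for line in text.splitlines():
        m = SAMPLE.match(line.strip())
        if m and m.group(1) == "hubble_drop_total":
            labels = dict(LABEL.findall(m.group(2)))
            totals[labels.get("reason", "unknown")] += float(m.group(3))
    return totals

def drop_increase(prev_text, cur_text):
    """New drops per reason between two scrapes of the hubble-metrics endpoint."""
    prev, cur = drops_by_reason(prev_text), drops_by_reason(cur_text)
    increase = {}
    for reason, value in cur.items():
        # A counter lower than before means the exporter restarted (for example
        # after the Terway pods were deleted), so everything counted is new.
        delta = value - prev[reason] if value >= prev[reason] else value
        if delta > 0:
            increase[reason] = delta
    return increase

# Constructed scrapes; the label values are illustrative.
SCRAPE_1 = """# TYPE hubble_drop_total counter
hubble_drop_total{protocol="TCP",reason="Policy denied"} 12
hubble_drop_total{protocol="UDP",reason="Policy denied"} 3
hubble_drop_total{protocol="TCP",reason="Stale or unroutable IP"} 1
hubble_flows_processed_total{subtype="",type="Drop",verdict="DROPPED"} 16"""
SCRAPE_2 = SCRAPE_1.replace('"Policy denied"} 12', '"Policy denied"} 19')
AFTER_RESTART = 'hubble_drop_total{protocol="TCP",reason="Policy denied"} 2'

if __name__ == "__main__":
    print(drop_increase(SCRAPE_1, SCRAPE_2))
    print(drop_increase(SCRAPE_2, AFTER_RESTART))
```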