Skip to content

Instantly share code, notes, and snippets.

@epk

epk/README.md

Last active February 19, 2023 06:56
Show Gist options
  • Save epk/31e9b0ededb5c21872ccd492d61f541a to your computer and use it in GitHub Desktop.
Save epk/31e9b0ededb5c21872ccd492d61f541a to your computer and use it in GitHub Desktop.
Download ZIP
Enable Hubble UI on GKE Dataplane V2
Raw
README.md

Enable Hubble UI on GKE Dataplane V2

Dataplane V2 does not support L7 visibility so you will be limited to L4 flows.

  1. Add the following to cilium-config ConfigMap's data in kube-system:
kubectl --namespace kube-system edit configmap cilium-config
enable-hubble: "true"
hubble-disable-tls: "true"
hubble-listen-address: ":4244"
  1. Add the following port to cilium-agent container in the anetd DaemonSet in kube-system:
kubectl --namespace kube-system edit daemonsets.apps anetd
- containerPort: 4244
  hostPort: 4244
  name: hubble
  1. Restart anetd:
kubectl --namespace kube-system rollout restart daemonset anetd
  1. Deploy hubble-ui
kubectl create namespace hubble-ui
kubectl --namespace hubble-ui apply -f https://gist.githubusercontent.com/epk/31e9b0ededb5c21872ccd492d61f541a/raw/f2a1e32ff9188facf1aa54f5c04fb65d5976943e/hubble-ui.yml
  1. Port-forward to hubble-ui
kubectl --namespace hubble-ui port-forward svc/hubble-ui 8081
  1. Access hubble UI at http://localhost:8081

Cleanup:

  • kubectl --namespace hubble-ui delete -f https://gist.githubusercontent.com/epk/31e9b0ededb5c21872ccd492d61f541a/raw/f2a1e32ff9188facf1aa54f5c04fb65d5976943e/hubble-ui.yml
  • kubectl delete namespace hubble-ui
  • Revert steps 1 & 2
  • kubectl --namespace kube-system rollout restart daemonset anetd
Raw
hubble-ui.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hubble-relay
namespace: hubble-ui
labels:
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-relay
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
spec:
containers:
- name: hubble-relay
image: cilium/hubble-relay:v1.13.0
imagePullPolicy: IfNotPresent
command:
- hubble-relay
- serve
- --disable-client-tls
- --disable-server-tls
- --debug
volumeMounts:
- name: hubble-socket-dir
mountPath: /var/run/cilium
mountPropagation: HostToContainer
readOnly: true
ports:
- containerPort: 4245
name: hubble-relay
protocol: TCP
- containerPort: 4246
name: metrics
protocol: TCP
volumes:
- name: hubble-socket-dir
hostPath:
path: /var/run/cilium
---
kind: Service
apiVersion: v1
metadata:
name: hubble-relay
namespace: hubble-ui
labels:
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
spec:
type: ClusterIP
selector:
k8s-app: hubble-relay
ports:
- name: hubble-relay
port: 4245
targetPort: 4245
protocol: TCP
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: hubble-ui
namespace: hubble-ui
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-ui
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
spec:
serviceAccount: hubble-ui
serviceAccountName: hubble-ui
automountServiceAccountToken: true
containers:
- name: frontend
image: cilium/hubble-ui:v0.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8081
name: http
protocol: TCP
volumeMounts:
- name: hubble-ui-nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: tmp-dir
mountPath: /tmp
- name: backend
image: cilium/hubble-ui-backend:v0.10.0
ports :
- containerPort: 8090
name: grpc
protocol: TCP
env:
- name: EVENTS_SERVER_PORT
value: "8090"
- name: FLOWS_API_ADDR
value: "hubble-relay:4245"
volumes:
- name: hubble-ui-nginx-conf
configMap:
name: hubble-ui-nginx-conf
- emptyDir: {}
name: tmp-dir
---
kind: Service
apiVersion: v1
metadata:
name: hubble-ui
namespace: hubble-ui
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
spec:
type: ClusterIP
selector:
k8s-app: hubble-ui
ports:
- name: http
port: 8081
targetPort: 8081
protocol: TCP
---
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-ui-nginx-conf
namespace: hubble-ui
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
data:
nginx.conf: |
server {
listen 8081;
server_name localhost;
root /app;
index index.html;
client_max_body_size 1G;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# CORS
add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Max-Age 1728000;
add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;
add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;
if ($request_method = OPTIONS) {
return 204;
}
# /CORS
location /api {
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_hide_header Access-Control-Allow-Origin;
proxy_pass http://127.0.0.1:8090;
}
location / {
try_files $uri $uri/ /index.html;
}
}
}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-ui
namespace: hubble-ui
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
labels:
app.kubernetes.io/name: hubble-ui
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
labels:
app.kubernetes.io/name: hubble-ui
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-ui
subjects:
- kind: ServiceAccount
name: hubble-ui
namespace: hubble-ui
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment