cilium / hubble

Hubble - Network, Service & Security Observability for Kubernetes using eBPF
Apache License 2.0

No observability in sealed-secrets-controller #1405

Closed dcristobalhMad closed 4 months ago

dcristobalhMad commented 4 months ago

Hi team 👋 !

We have a rare case in EKS: we use sealed-secrets as an application to handle the secrets, and we do not see the call traces or any network flows in Hubble. On the other hand, we do see all the communications between all the applications we have in the cluster.

Installed versions:

Helm cilium values:

  set {
    name  = "cluster.id"
    value = "0"
  }

  set {
    name  = "cluster.name"
    value = "${local.cluster_name}"
  }

  set {
    name  = "encryption.nodeEncryption"
    value = "false"
  }
  set {
    name  = "hubble.enabled"
    value = true
  }

  set {
    name  = "hubble.ui.enabled"
    value = true
  }

  set {
    name  = "hubble.relay.enabled"
    value = true
  }

  set {
    name  = "hostPort.enabled"
    value = true
  }

  set {
    name  = "socketLB.enabled"
    value = true
  }

  set {
    name  = "nodePort.enabled"
    value = true
  }

  set {
    name  = "externalIPs.enabled"
    value = true
  }

  set {
    name  = "bandwithManager.enabled"
    value = true
  }

  set {
    name  = "eni.awsEnablePrefixDelegation"
    value = true
  }

  set {
    name  = "nodeinit.enabled"
    value = true
  }
  # Metrics
  set {
    name  = "hubble.metrics.enabled"
    value = "{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
  }

Cilium status:

KVStore:                 Ok   Disabled
Kubernetes:              Ok   1.29+ (v1.29.0-eks-c417bb3) [linux/amd64]
Kubernetes APIs:         ["EndpointSliceOrEndpoint", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "cilium/v2alpha1::CiliumCIDRGroup", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement:    False   [eth0   10.1.2.227 fe80::10af:cbff:feaa:c1f7 (Direct Routing)]
Host firewall:           Disabled
SRv6:                    Disabled
CNI Chaining:            none
Cilium:                  Ok   1.15.1 (v1.15.1-a368c8f0)
NodeMonitor:             Listening for events on 16 CPUs with 64x4096 of shared memory
Cilium health daemon:    Ok
IPAM:                    IPv4: 3/254 allocated from 10.0.2.0/24,
IPv4 BIG TCP:            Disabled
IPv6 BIG TCP:            Disabled
BandwidthManager:        Disabled
Host Routing:            Legacy
Masquerading:            IPTables [IPv4: Enabled, IPv6: Disabled]
Controller Status:       27/27 healthy
Proxy Status:            OK, ip 10.0.2.184, 0 redirects active on ports 10000-20000, Envoy: embedded
Global Identity Range:   min 256, max 65535
Hubble:                  Ok              Current/Max Flows: 2583/4095 (63.08%), Flows/s: 2.62   Metrics: Ok
Encryption:              Disabled
Cluster health:          3/3 reachable   (2024-03-08T08:08:02Z)
Modules Health:          Stopped(0) Degraded(0) OK(11) Unknown(3)

dcristobalhMad commented 4 months ago

Issue with networking, sorry for the inconvenience