This page shows you how to observe your traffic using GKE Dataplane V2 observability. For more information on the benefits and requirements of GKE Dataplane V2 observability, see About GKE Dataplane V2 observability.
How to use GKE Dataplane V2 observability
Start by enabling GKE Dataplane V2 metrics with Google Cloud Managed Service for Prometheus. To create custom dashboards and set alerts on these metrics, as you would for any other metric that you monitor, use Google Cloud's operations suite tools such as Cloud Monitoring Metrics Explorer.
You can also configure any third-party dashboard or tooling that uses Prometheus, including Grafana. Once GKE Dataplane V2 observability is enabled on your GKE cluster, you can inspect traffic with the GKE Dataplane V2 observability tools.
Visualize metrics and Service dependencies
You can visualize Kubernetes traffic metrics and Service Dependencies as follows:
View cluster and workload observability metrics
To view GKE Dataplane V2 metrics for your clusters, perform the following steps in the Google Cloud console in the Metrics Explorer:
Go to the Monitoring Metrics Explorer page.
Under Query, set the Metric to either of the Prometheus Target metrics prometheus/pod_flow_egress_flows_count or prometheus/pod_flow_ingress_flows_count/counter.
(Optional) Choose any desired filters based on Labels.
(Optional) Save the chart to a custom Dashboard.
Visualize Service dependencies
Use the Hubble UI to see at a glance the dependencies of the Pods and Services deployed on your cluster. You can visualize the traffic flows, including those reaching out to external destinations, and filter by namespaces, Kubernetes labels, and more.
Verify traffic flows
You can also use the Hubble UI to view live flows on your cluster. Each live flow shows the source and destination Services, destination port, policy verdicts, and timestamps.
Inspect traffic with GKE Dataplane V2 observability tools
You can capture and analyze network traffic using GKE Dataplane V2 observability tools, accessed via a private endpoint. The endpoint is exposed on an internal IP address, which you can access from within the Kubernetes cluster and the VPC within which the cluster resides.
To inspect network traffic metadata, use the following commands:
Use the built-in hubble-cli plugin to inspect network traffic
GKE 1.28 or later
alias hubble="kubectl exec -it deployment/hubble-relay -c hubble-cli -n gke-managed-dpv2-observability -- hubble"
hubble observe
GKE 1.27 or earlier
alias hubble="kubectl exec -it deployment/hubble-relay -c hubble-cli -n kube-system -- hubble"
hubble observe
This command inspects network traffic for the cluster.
Use the built-in hubble-cli plugin to inspect network traffic in follow mode
GKE 1.28 or later
alias hubble="kubectl exec -it deployment/hubble-relay -c hubble-cli -n gke-managed-dpv2-observability -- hubble"
hubble observe -f
GKE 1.27 or earlier
alias hubble="kubectl exec -it deployment/hubble-relay -c hubble-cli -n kube-system -- hubble"
hubble observe -f
This command inspects network traffic metadata in follow mode for the cluster.
Use the built-in hubble-cli plugin to inspect network traffic in a single namespace
GKE 1.28 or later
alias hubble="kubectl exec -it deployment/hubble-relay -c hubble-cli -n gke-managed-dpv2-observability -- hubble"
hubble observe -n default
GKE 1.27 or earlier
alias hubble="kubectl exec -it deployment/hubble-relay -c hubble-cli -n kube-system -- hubble"
hubble observe -n default
This command uses the built-in hubble-cli plugin to inspect network traffic for the default namespace in the cluster.
To expose the endpoint of Hubble Relay services, set the --dataplane-v2-observability-mode flag with the following options:
DISABLED: GKE Dataplane V2 observability components are not deployed. You cannot view or analyze the network telemetry data collected by hubble-relay.
INTERNAL_VPC_LB:
  GKE Dataplane V2 observability components are deployed in your VPC and can only be accessed from within your VPC.
  GKE Dataplane V2 components are deployed behind an internal global load balancer that can only be accessed through the load balancer's IP address. Each component requires a forwarding rule, which comes with an additional cost (one load balancer per cluster).
  During Preview:
    Download authorization certificates from Google Cloud console.
    Pass the endpoint's IP address to the open source binary version of Hubble CLI.
    Use Hubble CLI to view the network telemetry data collected by Hubble Relay.
Once the endpoint is exposed on an internal IP address, you can access it from within the Kubernetes cluster and the VPC of the cluster.
Analyze traffic flows
Use the Hubble CLI to observe live traffic flow dumps and filter them by Kubernetes namespace and more.
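An added example, not part of the original page or of Google's tooling: a Python script that reads `hubble observe -o jsonpb` output on stdin and condenses it into Service-dependency edges with verdict counts, then lists policy drops and flows to external destinations for review. The JSON field names follow the open source Hubble CLI and are assumed to match the version in your cluster; the sample flows, Pod names and addresses are constructed.

```python
import json
import sys
from collections import Counter

# Constructed sample flows, one JSON object per line, using the field names of
# the open source Hubble CLI's `-o jsonpb` output (assumed to match your version).
SAMPLE = """\
{"flow":{"verdict":"FORWARDED","IP":{"destination":"10.8.1.9"},"l4":{"TCP":{"destination_port":8080}},"source":{"namespace":"default","pod_name":"web-7d4f"},"destination":{"namespace":"default","pod_name":"api-5c9b"}}}
{"flow":{"verdict":"FORWARDED","IP":{"destination":"10.8.1.9"},"l4":{"TCP":{"destination_port":8080}},"source":{"namespace":"default","pod_name":"web-7d4f"},"destination":{"namespace":"default","pod_name":"api-5c9b"}}}
{"flow":{"verdict":"DROPPED","IP":{"destination":"10.8.2.4"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"default","pod_name":"web-7d4f"},"destination":{"namespace":"data","pod_name":"db-0"}}}
{"flow":{"verdict":"FORWARDED","IP":{"destination":"203.0.113.10"},"l4":{"TCP":{"destination_port":443}},"source":{"namespace":"default","pod_name":"web-7d4f"},"destination":{"labels":["reserved:world"]}}}
"""

def endpoint(ep, ip):
    """Name an endpoint as namespace/pod, or by IP when it is not a Pod."""
    if ep.get("pod_name"):
        return f"{ep.get('namespace', '?')}/{ep['pod_name']}"
    kind = "external" if "reserved:world" in ep.get("labels", []) else "non-pod"
    return f"{kind}:{ip or '?'}"

def dest_port(flow):
    for proto, fields in flow.get("l4", {}).items():
        return f"{fields.get('destination_port', '?')}/{proto}"
    return "-"

def summarize(lines):
    """Count flows per (source, destination, port, verdict) edge."""
    edges = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
            flow = rec.get("flow", rec)  # tolerate output without the wrapper
        except (ValueError, AttributeError):
            continue  # skip blank lines and anything that is not a JSON object
        ip = flow.get("IP", {})
        src = endpoint(flow.get("source", {}), ip.get("source"))
        dst = endpoint(flow.get("destination", {}), ip.get("destination"))
        edges[(src, dst, dest_port(flow), flow.get("verdict", "UNKNOWN"))] += 1
    return edges

def review(edges):
    """Edges worth a look: policy drops and traffic leaving the cluster."""
    return sorted(e for e in edges if e[3] == "DROPPED" or e[1].startswith("external:"))

if __name__ == "__main__":
    edges = summarize(SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin)
    for (src, dst, port, verdict), n in sorted(edges.items()):
        print(f"{n:4d}  {verdict:9s}  {src} -> {dst} [{port}]")
    print("review:", review(edges))
```

Run with no piped input, it processes the constructed sample; with Hubble output piped in, it summarizes the captured flows instead.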