Hubble is the network, service, and security observability layer for Cilium. It taps directly into Cilium’s eBPF dataplane to produce flow logs, service dependency maps, and security events for Kubernetes clusters without requiring sidecars, packet capture, or any application-level instrumentation. Because the visibility is generated by the same eBPF programs that already process every packet, the overhead is minimal and the data covers L3/L4 connections, L7 protocols like HTTP, gRPC, Kafka, and DNS, and policy verdicts (allowed, denied, dropped) in a single stream.
The system is distributed. Each node runs a Hubble server inside the Cilium agent that exposes a gRPC API for the flows observed on that node. Hubble Relay aggregates those per-node streams into a single cluster-wide API endpoint, and Hubble UI consumes the relay to draw service dependency graphs and connectivity maps in the browser. The hubble CLI talks to either the local socket or the relay and is the day-to-day tool for filtering and tailing flows, much like tcpdump for a Kubernetes cluster.
Typical use cases are diagnosing DNS resolution failures, debugging why a NetworkPolicy is dropping traffic, mapping which services actually talk to each other before tightening policy, and feeding flow metrics into Prometheus and Grafana. Hubble is bundled with Cilium rather than maintained as a separate project, so it does not carry its own CNCF status; it inherits Cilium’s graduated standing and ships in the same release cadence.
