Enable Hubble when installing or upgrading Cilium: set hubble.enabled=true and hubble.relay.enabled=true in Helm values, or use cilium install --set hubble.relay.enabled=true
Install the hubble CLI on your workstation and port-forward the Hubble relay service: kubectl port-forward svc/hubble-relay -n kube-system 4245:80
Run hubble observe to stream live flows; filter by namespace with --namespace, by pod with --pod, and by verdict with --verdict DROPPED to surface policy denials
Use hubble observe --protocol dns to watch DNS queries and find resolution failures, or --protocol http to see HTTP status codes per request
Run hubble observe --type l7 --from-pod <namespace/pod> to see all layer-7 flows originating from a specific pod across protocols
Enable the Hubble UI (hubble.ui.enabled=true) for a graphical service dependency map; flows are correlated with Kubernetes labels automatically
Known gotchas
Hubble data is stored in a ring buffer on each node; the default buffer size retains only recent flows — increase hubble.bufferSize in Helm values for longer retention during debugging
Port-forwarding the relay only gives cluster-wide flow visibility; querying the Hubble server socket directly on a node gives only local node flows
L7 visibility (HTTP, gRPC, Kafka) requires a CiliumNetworkPolicy with l7Rules or setting policy-audit-mode; without it Hubble sees only L3/L4 metadata
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp