Increased "hubble observe" CPU usage after upgrade from 1.15.15 to 1.15.16 or newer

[tporeba]

I was planning to upgrade cilium images I use to run hubble observe and I noticed that newer images use significantly more CPU to do the same work.

I started from quay.io/cilium/cilium:v1.15.5 and switching to 1.15.16 or newer (1.17.x, 1.18.x) causes an increase in CPU usage ~5x in my setup.

I have 10 pods organized as daemonset, each is running 3 containers of hubble observe, each fetching a subset of logs. All those processes produce total ~30MB/min of logs for whole system.

# log for business traffic
# 20 exclusions total
hubble observe --follow --print-node-name --time-format RFC3339Milli  \
  --not --namespace kube-system \
  --not --namespace A \
  --not --namespace B \
  --not --namespace C 
...

# log for technical traffic
# 20 inclusions total
hubble observe --follow --print-node-name --time-format RFC3339Milli \
     --namespace kube-system \
     --namespace A \
     --namespace B \
     --namespace C
...

# log for dropped traffic
hubble observe --follow --print-node-name --time-format RFC3339Milli \
          --type drop --type l7 --verdict DROPPED --not --to-ip ff02::/16 

I tested a couple of cilium versions:

• 1.15.5, 1.15.6, 1.15.12, 1.15.14, 1.15.15 --> these behave normally, my grafana shows that whole deamonset uses < 1 cpu in total
• 1.15.16, 1.15.19, 1.16.16, 1.17.6, 1.17.9, 1.18.3 ---> for these I see increased CPU usage of almost 5 cpus total.

Here is a screen from graphana after I downgraded back to 1.15.15

This is from a standard graphana Dashboard Kubernetes / Compute Resources / Namespace (Workloads), with metric plotted being more or less:

sum(
  node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{namespace="logs"}
* on(namespace,pod)
  group_left(workload, workload_type) namespace_workload_pod:kube_pod_owner:relabel{namespace="logs"}
) by (workload, workload_type)

Here is also hubble version from inside of the containers for those 2 closest image tags:

v1.15.15 >  hubble version
hubble v1.17.1@HEAD-0d65c11 compiled with go1.23.6 on linux/amd64

v1.15.16 > root@os-workernode06:/home/cilium# hubble version
hubble v1.17.2@HEAD-aba36c0 compiled with go1.23.7 on linux/amd64

Is this intended effect or a bug?
Is new hubble version doing something more, that requires more cpu?

[rolinh]

Thanks for the report and for pinning down to the specific patch version when the regression in performance was first noticed. There are no Hubble changes (no commit affecting pkg/hubble between v1.15.15 and v1.15.16 so the root cause is not Hubble directly but something affecting it (a dep update or change in the datapath).

[marseel]

Would you mind attaching a sysdump from affected version?
As part of sysdump we are collecting profiling information and hubble flows, that would help us to easily check what is the root cause of increased CPU usage.

[tporeba]

Sorry for the delay.

I made cilium sysdump on version 1.15.5 and 1.15.16 on affected enviornment, but I am not allowed to share whole zips, due to security restrictions. Are you interested in any specific parts of the dump? Maybe I will get approval for them.

If not then maybe I will try to spawn a completely new sandbox k8s env and try to reproduce it there.

Or maybe we could build a some images from those 87 commits betwen 1.15.15 and 1.15.16 between 1.15.15 and 1.15.16 to bisect the problem and detect which commit introduced this?

[marseel]

CPU and memory profiles may be sufficient. They do not contain any sensitive data and are in the format of (within sysdump zip):

cilium-dh4l8-pprof-cpu-20251202-163753.pprof
cilium-dh4l8-pprof-heap-20251202-163753.pprof

[tporeba]

Ok, here they are:

v1.15.5.zip
v1.15.16.zip

These dumps seems like a system-wide dump from cilium pods. Note however that these are not the pods I mentioned in the original post, that gather the logs from hubble for me using hubble observe command. I don't know how I can make a similar dump from those "client pods". Cilium-agent pods or cilium-operator pods don't seem to show any significant increase in CPU usage, while those "client pods" running hubble observe do show it.

[marseel]

Cilium-agent pods or cilium-operator pods don't seem to show any significant increase in CPU usage, while those "client pods" running hubble observe do show it.

ah, I missed that part in the initial issue, I thought that increase of CPU was for Cilium daemonset. So if I understand it correctly, increased CPU usage is essentially for client pods that are running "hubble observe" itself.
First thing that you could check is to compare if rate of events observed by client pods is the same between versions.

[tporeba]

I checked number of lines per second produced by each hubble observe processes mentioned in the original post and there are no significant differences between versions 1.15.5 and 1.15.16.

1. ~130 lines / s
2. ~360 lines / s
3. 0 lines / s

I also checked hubble observe --follow --all -A on both versions and it also produces similar number of lines per second.

Output file sizes are also comparable, so it is also not the amount of data written that is the reason of increased cpu usage.

On the other hand I can repetitively reproduce increased CPU usage in both grafana plots and using top command:
1.15.5 -> cpu usage ~2-3% for each hubble observe process (except for that last one, which has 0%)
1.15.16 -> cpu usage ~10-15% (except for that last one, which has 0%).

Seems like processing a single event is just more expensive in cpu terms in that newer version for some reason.