// the find
microsoft/retina
eBPF distributed networking observability tool for Kubernetes
Retina is Microsoft's eBPF-based network observability agent for Kubernetes, running as a DaemonSet to collect per-pod metrics (drops, DNS, TCP retransmits, packet forwarding) and export them to Prometheus. It also supports on-demand packet captures via a kubectl plugin or CRD. It is aimed at cluster operators debugging network issues without SSH-ing into nodes.
The plugin architecture is well-thought-out — Linux and Windows plugins are separate, so you're not dragging eBPF concepts into a Windows HNS stats path. Packet capture via CRD is genuinely useful: you can trigger a tcpdump-equivalent across selected pods from kubectl without touching the node. Hubble integration is a smart choice rather than reinventing the flow visibility wheel — if you're already on Cilium, you get that for free. Images are signed with cosign and provenance is verifiable via GitHub OIDC, which is more than most Microsoft OSS projects bother with.
The known performance problem on 32+ core nodes under high load with packetparser is a real issue for anyone running on beefy instances — the README buries this in a warning rather than explaining what's actually happening (likely BPF map contention or perf ring buffer pressure). Windows support is clearly second-class: Server 2019 was dropped, and the Windows plugin list is thin compared to Linux. The dual Helm chart layout (standard vs hubble) adds operational surface area — you have to pick the right one upfront and migrating between them isn't documented. No out-of-the-box alerting rules ship with it, so you get metrics but have to write your own Prometheus alerts from scratch.