search
githubEdit

Beta Program

Thank you for participating in the Mermin beta program. Mermin captures network traffic passing through your Kubernetes cluster and generates flow traces in OpenTelemetry format, allowing you to see exactly what is happening inside your cluster. See Mermin Overview for a more detailed description of what Mermin can do for you.

We plan to update the beta image multiple times throughout this beta period. We will reach out to you every time a new version is available and describe the changes included.

hashtag
Accessing the Beta Image

Version Requirement: v0.1.0-beta.40 or higher

Before starting, add the beta Helm chart:

# Add Helm repository
helm repo add mermin https://elastiflow.github.io/mermin/
helm repo update

hashtag
Configuration Essentials

To view flows with Kubernetes metadata enrichment, Mermin requires four core configuration blocks: Network Interface Discovery, Kubernetes Informer, Flow-to-Kubernetes Attribute Mapping & Export.

A minimal example configuration is available here: Example Configurationarrow-up-right, for a more comprehensive example, please see the Default Configarrow-up-right

chevron-rightNetwork Interface Discoveryhashtag

CNI-Specific Patterns

discovery "instrument" {
  # Kind / kindnet
  # interfaces = ["veth*"]

  # Flannel
  # interfaces = ["veth*", "flannel*", "vxlan*"]

  # Calico
  # interfaces = ["veth*", "cali*", "tunl*", "ip6tnl*"]

  # Cilium
  # interfaces = ["veth*", "cilium_*", "lxc*"]

  # GKE
  # interfaces = ["veth*", "gke*"]

  # AWS VPC CNI
  # interfaces = ["veth*", "eni*"]
}

Default:

"veth*", "tunl*", "ip6tnl*", "vxlan*", "flannel*", "cali*", "cilium_*", "lxc", "gke*", "eni*", "ovn-k8s*"

What you'll see: All pod-to-pod traffic (inter-node and intra-node) What you'll miss: Traffic on other CNI-specific interfaces not listed Use cases: Fine-tuning for specific CNI setups, reducing monitored interface count

circle-info

Mermin's goal is to show you pod-to-pod traffic which is exposed by Virtual Ethernet Devices, which match patterns like "veth*", "gke*", "cali*". Currently, bridge interfaces like "tun*" or flannel* are ignored, because Mermin does not support parsing tunneled/encapsulated traffic. This feature will come very soon.

Physical Interfaces Only

circle-exclamation

Most of the traffic on the physical interfaces will be ignored, because Mermin currently lacks support for tunneled/encapsulated traffic.

Monitor only physical network interfaces for inter-node traffic:

discovery "instrument" {
  interfaces = ["eth*", "ens*", "en*"]
}

What you'll see: Inter-node pod traffic, node-to-node traffic, external connections What you'll miss: Same-node pod-to-pod communication (never hits physical interfaces)

Trade-offs: Lower overhead (fewer interfaces), incomplete visibility, may cause flow duplication if combined with veth monitoring Use cases: Infrastructure-focused monitoring, cost-sensitive deployments, clusters with minimal same-node communication

For more information, please reference: Network Interface Discoveryarrow-up-right

chevron-rightKubernetes Informerhashtag

Configures which Kubernetes resources Mermin watches to enrich network flows with metadata. This enables Mermin to associate IP addresses and ports with pod names, services, deployments, and other Kubernetes contexts.

For more information, please reference: Owner Relations & Selector Relations

chevron-rightFlow-to-Kubernetes Attribute Mappinghashtag

Configures how Mermin matches network flow data (source/destination IPs and ports) to Kubernetes resources. This mapping defines which Kubernetes object fields to extract and how to associate them with captured flows.

For more information, please reference: Flow Attributes

chevron-rightExporterhashtag

Configures how Mermin exports network flow data. Flows can be sent to an OTLP receiver (OpenTelemetry Protocol) for storage and analysis, or output to stdout for debugging.

For more information, please reference: OTLP Exporter

hashtag
Deploying Mermin

Once your configuration is ready, you can deploy with the following command:

hashtag
See Your First Flows

View network flows captured by Mermin:

Expected output (flow span example):

hashtag
Known Limitations

chevron-rightTunneled/Encapsulated Traffic Parsinghashtag

Deep packet parsing for tunneled traffic is not yet implemented in userspace.

Current functionality:

The default configuration monitors veth interfaces and CNI-specific interfaces where packets are already decapsulated. This includes:

  • veth* interfaces (pod network namespaces)

  • CNI workload interfaces (cali*, cilium_, lxc, eni*, etc.)

Not currently supported:

  • Direct monitoring of tunnel interfaces (tunl*, vxlan*, flannel*) as the primary capture point

  • Bare metal deployments where packet encapsulation is not removed

  • Parsing nested/encapsulated protocol headers

chevron-rightKernel and Platform Compatibilityhashtag

Mermin has been tested and verified on the following platforms:

Platform
Status

Debian 13

Supported

Debian 12

Supported

GKE Standard

Supported

Kind (local dev)

Supported

Important: eBPF verifier requirements vary between kernel versions. If you encounter eBPF program loading failures, include your kernel version when reporting the issue.

hashtag
eBPF Errors

When deploying Mermin for the first time, you may encounter issues. Depending on your kernel version, you may encounter eBPF verifier errors, as shown here.

Minimum requirements:

  • Linux kernel 5.4 or later (may work, but has not been fully tested)

  • BTF support enabled

  • eBPF support enabled

Note: While Mermin may work on kernels older than 6.1, it has been tested and validated on 6.1+. If you encounter verifier errors on older kernels, please report the issue with your kernel version using the template below.

hashtag
Reporting Issues

If you encounter problems during the beta, please report them using the template below. This information helps us diagnose and resolve issues quickly

Feedback Channels

PreviousOverviewNextIntroductory Primer

Last updated