DEV.co
Open-Source Observability · microsoft

retina

Retina is an open-source eBPF-based Kubernetes network observability platform maintained by Microsoft. It collects customizable network telemetry, integrates with Prometheus and cloud monitoring services, and enables troubleshooting via metrics and packet captures without requiring kernel module recompilation.

Source: GitHub — github.com/microsoft/retina
3.2k
GitHub stars
290
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymicrosoft/retina
Ownermicrosoft
Primary languageGo
LicenseMIT — OSI-approved
Stars3.2k
Forks290
Open issues173
Latest releasev1.2.2 (2026-05-26)
Last updated2026-07-08
Sourcehttps://github.com/microsoft/retina

What retina is

Retina uses eBPF (extended Berkeley Packet Filter) to perform in-kernel network monitoring on Kubernetes nodes, supporting Linux and Windows Server 2022. It exports Prometheus-compatible metrics and provides a CLI and CRD interface for on-demand packet capture, with a known performance constraint on high-core-count systems (32+ cores) under load with advanced metrics enabled.

Quickstart

Get the retina source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/microsoft/retina.gitcd retina# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Kubernetes cluster network troubleshooting

Quickly diagnose network connectivity issues, packet loss, and DNS resolution problems across pod-to-pod and pod-to-external communication without redeploying workloads.

Continuous network monitoring and compliance

Export standardized Prometheus metrics to existing monitoring stacks (Grafana, Azure Monitor) for ongoing visibility into application and cluster health, supporting security and compliance audits.

Multi-vendor cloud observability

Operate consistently across on-premises, Azure, and other cloud environments with a cloud-agnostic tool that exports to multiple telemetry backends without vendor lock-in.

Implementation considerations

  • Decide on metrics mode (Basic vs. Advanced with packetparser) based on node CPU count and expected network throughput; Basic is safer for 32+ core systems.
  • Plan telemetry export destination early (Prometheus, Azure Monitor, or vendor-specific endpoint) and configure accordingly in Helm values or CRD.
  • eBPF requires appropriate kernel version and host capabilities; verify kernel support and potential SELinux/AppArmor policies before cluster-wide rollout.
  • Packet capture features require operator enablement (Helm flag `operator.enabled=true`) and CRD installation; verify RBAC and network policies permit capture operations.
  • Test image signature verification workflow using cosign if supply-chain security is a compliance requirement.

When to avoid it — and what to weigh

  • Specialized Windows Server 2019 environments — Project no longer supports Windows Server 2019; requires Windows Server 2022 for Windows workloads, which may conflict with legacy infrastructure.
  • High-core-count nodes under sustained peak load — Advanced metrics with packetparser plugin show documented performance degradation on nodes with 32+ CPU cores; may require careful tuning or fallback to basic metrics mode.
  • Network observability without eBPF capability — Requires eBPF support in the kernel; unsuitable for highly restricted or older kernel versions that do not support eBPF operations.
  • Projects requiring guaranteed commercial support SLA — Open-source project maintained by Microsoft with community support; no documented commercial support tier or SLA.

License & commercial use

Licensed under MIT (MIT License), an OSI-approved permissive open-source license. Permits commercial use, modification, and distribution with minimal restrictions (requires license and copyright notice).

MIT license permits commercial use without restriction. However, no commercial support tier, SLA, or warranty is documented. Organizations requiring guaranteed response times or liability protection should evaluate Microsoft's paid support offerings separately or establish internal support capability.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Retina runs kernel-space eBPF code; requires trusted container images and kernel module verification. Images are cryptographically signed via cosign for provenance verification. Packet capture feature can expose sensitive network data; implement RBAC and network policies to restrict capture permissions. No documented security audit or penetration test results are provided.

Alternatives to consider

Cilium Hubble

Native Kubernetes network observability integrated with Cilium CNI; strong for service mesh environments but requires Cilium as the network plugin and may have different eBPF kernel requirements.

eBPF-based tcpdump or similar tools

Lower-level packet capture tools with simpler deployment but lack Kubernetes-aware telemetry export, dashboarding, and multi-cluster aggregation that Retina provides.

Traditional monitoring (sFlow, netflow, tcpdump-based agents)

Proven but higher overhead, kernel module dependencies, and less Kubernetes-native; suitable for non-eBPF environments or where eBPF is unavailable.

Software development agency

Build on retina with DEV.co software developers

Retina's MIT license and Microsoft backing provide a low-risk entry point. Start with the Helm quick-install guide, evaluate metrics mode for your node sizes, and integrate with your existing Prometheus or Azure Monitor stack.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

retina FAQ

Does Retina require changes to my application code or pod manifests?
No. Retina is deployed as a DaemonSet and uses eBPF to observe traffic at the node level; applications are unaware of Retina's presence.
What export backends does Retina support?
Prometheus is primary; documentation also mentions Azure Monitor and other vendors, but specific integrations require configuration outside the Helm chart. Review retina.sh installation guides for your desired backend.
Can I use Retina on a Windows-only cluster?
Partially. Windows support requires Windows Server 2022 nodes. Mixed Linux/Windows clusters are supported if eBPF kernel support is available on Linux nodes.
What are the resource overhead and performance implications?
Not explicitly quantified in provided data. Known constraint: Advanced metrics with packetparser on 32+ core systems may degrade under high load; start with Basic metrics mode on large node types per documentation.

Custom software development services

Need help beyond evaluating retina? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source observability integrations — and maintain them long-term.

Ready to add network observability to your Kubernetes clusters?

Retina's MIT license and Microsoft backing provide a low-risk entry point. Start with the Helm quick-install guide, evaluate metrics mode for your node sizes, and integrate with your existing Prometheus or Azure Monitor stack.