retina
Retina is an open-source eBPF-based Kubernetes network observability platform maintained by Microsoft. It collects customizable network telemetry, integrates with Prometheus and cloud monitoring services, and enables troubleshooting via metrics and packet captures without requiring kernel module recompilation.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | microsoft/retina |
| Owner | microsoft |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 3.2k |
| Forks | 290 |
| Open issues | 173 |
| Latest release | v1.2.2 (2026-05-26) |
| Last updated | 2026-07-08 |
| Source | https://github.com/microsoft/retina |
What retina is
Retina uses eBPF (extended Berkeley Packet Filter) to perform in-kernel network monitoring on Kubernetes nodes, supporting Linux and Windows Server 2022. It exports Prometheus-compatible metrics and provides a CLI and CRD interface for on-demand packet capture, with a known performance constraint on high-core-count systems (32+ cores) under load with advanced metrics enabled.
Get the retina source
Clone the repository and explore it locally.
git clone https://github.com/microsoft/retina.gitcd retina# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Decide on metrics mode (Basic vs. Advanced with packetparser) based on node CPU count and expected network throughput; Basic is safer for 32+ core systems.
- Plan telemetry export destination early (Prometheus, Azure Monitor, or vendor-specific endpoint) and configure accordingly in Helm values or CRD.
- eBPF requires appropriate kernel version and host capabilities; verify kernel support and potential SELinux/AppArmor policies before cluster-wide rollout.
- Packet capture features require operator enablement (Helm flag `operator.enabled=true`) and CRD installation; verify RBAC and network policies permit capture operations.
- Test image signature verification workflow using cosign if supply-chain security is a compliance requirement.
When to avoid it — and what to weigh
- Specialized Windows Server 2019 environments — Project no longer supports Windows Server 2019; requires Windows Server 2022 for Windows workloads, which may conflict with legacy infrastructure.
- High-core-count nodes under sustained peak load — Advanced metrics with packetparser plugin show documented performance degradation on nodes with 32+ CPU cores; may require careful tuning or fallback to basic metrics mode.
- Network observability without eBPF capability — Requires eBPF support in the kernel; unsuitable for highly restricted or older kernel versions that do not support eBPF operations.
- Projects requiring guaranteed commercial support SLA — Open-source project maintained by Microsoft with community support; no documented commercial support tier or SLA.
License & commercial use
Licensed under MIT (MIT License), an OSI-approved permissive open-source license. Permits commercial use, modification, and distribution with minimal restrictions (requires license and copyright notice).
MIT license permits commercial use without restriction. However, no commercial support tier, SLA, or warranty is documented. Organizations requiring guaranteed response times or liability protection should evaluate Microsoft's paid support offerings separately or establish internal support capability.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
Retina runs kernel-space eBPF code; requires trusted container images and kernel module verification. Images are cryptographically signed via cosign for provenance verification. Packet capture feature can expose sensitive network data; implement RBAC and network policies to restrict capture permissions. No documented security audit or penetration test results are provided.
Alternatives to consider
Cilium Hubble
Native Kubernetes network observability integrated with Cilium CNI; strong for service mesh environments but requires Cilium as the network plugin and may have different eBPF kernel requirements.
eBPF-based tcpdump or similar tools
Lower-level packet capture tools with simpler deployment but lack Kubernetes-aware telemetry export, dashboarding, and multi-cluster aggregation that Retina provides.
Traditional monitoring (sFlow, netflow, tcpdump-based agents)
Proven but higher overhead, kernel module dependencies, and less Kubernetes-native; suitable for non-eBPF environments or where eBPF is unavailable.
Build on retina with DEV.co software developers
Retina's MIT license and Microsoft backing provide a low-risk entry point. Start with the Helm quick-install guide, evaluate metrics mode for your node sizes, and integrate with your existing Prometheus or Azure Monitor stack.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
retina FAQ
Does Retina require changes to my application code or pod manifests?
What export backends does Retina support?
Can I use Retina on a Windows-only cluster?
What are the resource overhead and performance implications?
Custom software development services
Need help beyond evaluating retina? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source observability integrations — and maintain them long-term.
Ready to add network observability to your Kubernetes clusters?
Retina's MIT license and Microsoft backing provide a low-risk entry point. Start with the Helm quick-install guide, evaluate metrics mode for your node sizes, and integrate with your existing Prometheus or Azure Monitor stack.