Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 2. Network Observability Operator release notes archive
2.1. Network Observability Operator release notes archive
These release notes track past developments of the Network Observability Operator in the OpenShift Container Platform. They are for reference purposes only.
The Network Observability Operator enables administrators to observe and analyze network traffic flows for OpenShift Container Platform clusters.
2.1.1. Network Observability Operator 1.10.1 advisory
You can review the advisory for Network Observability Operator 1.10.1 release.
2.1.2. Network Observability Operator 1.10.1 CVEs
You can review the CVEs for the Network Observability Operator 1.10.1 release.
2.1.3. Network Observability Operator 1.10.1 fixed issues
The Network Observability Operator 1.10.1 release contains several fixed issues that improve performance and the user experience.
- Warning Generated for Direct Mode on Clusters Over 15 Nodes
Before this update, the recommendation against using the
deployment model on large clusters was only available in the documentation.DirectWith this release, the Network Observability Operator now generates a warning when the Direct deployment mode is used on a cluster exceeding 15 nodes.
- Network policy deployment disabled on OpenShiftSDN
Before this update, when OpenShift SDN was the cluster network plugin, enabling the
network policy would break communication between network observability pods. This issue does not occur with OVN-Kubernetes, which is the default supported network plugin.FlowCollectorWith this release, the Network Observability Operator no longer attempts to deploy the network policy when OpenShift SDN is detected; a warning is displayed instead. Additionally, the default value for enabling the network policy is modified: it is now enabled by default only when OVN-Kubernetes is detected as the cluster network plugin.
- Validation added for subnet label characters
Before this update, there were no restrictions on characters allowed in the subnet labels "name" configuration, meaning users could enter text containing spaces or special characters. This generated errors in the web console plugin when users tried to apply filters, and clicking the filter icon for a subnet label often failed.
With this release, the configured subnet label name is validated immediately when configured in the
custom resource. The validation ensures the name contains only alphanumeric characters,FlowCollector,:, and_. As a result, filtering on subnet labels from the web console plugin now works as expected.-- Network Observability CLI uses unique temporary directory per run
Before this update, the Network Observability CLI created or reused a single temporary (
) directory in the current working directory. This could lead to conflicts or data corruption between separate runs.tmpWith this release, the Network Observability CLI now creates a unique temporary directory for each run, preventing potential conflicts and improving file management hygiene.
2.1.4. Network Observability Operator 1.10 advisory
Review the advisory that is available for the Network Observability Operator 1.10:
2.1.5. Network Observability Operator 1.10 new features and enhancements
The Network Observability Operator 1.10 release enhances security, improves performance, and introduces new CLI UI tools for better network flow management.
2.1.5.1. Network policy updates
The Network Observability Operator now supports configuring both ingress and egress network policies to control pod traffic. This enhancement improves security.
By default, the
spec.NetworkPolicy.enabletrue2.1.5.2. Network Observability Operator CLI UI updates
This release brings the following new features and updates to the Network Observability Operator CLI (
oc netobservTable view enhancements
- Customizable columns: Click Manage Columns to select which columns to display, and tailor the table to your needs.
- Smart filtering: Live filters now include auto-suggestions, making it easier to select the right keys and values.
-
Packet preview: When capturing packets, click a row to inspect the content directly.
pcap
Terminal-based line charts enhancements
- Metrics visualization: Real-time graphs are rendered directly in the CLI.
- Panel selection: Choose from predefined views or customize views by using the Manage Panels pop-up menu to selectively view charts of specific metrics.
2.1.5.3. Network observability console improvements
The network observability console plugin includes a new view to configure the
FlowCollector-
Configure the CR.
FlowCollector - Calculate your resource footprint.
- Gain increased of issues such as configuration warnings or high metrics cardinality.
2.1.5.4. Performance improvements
Network Observability Operator 1.10 has improved the performance and memory footprint of the Operator, especially visible on large clusters.
2.1.6. Network Observability Operator 1.10 Technology Preview features
2.1.6.1. Network Observability Operator custom alerts (Technology Preview)
This release introduces new alert functionality, and custom alert configuration. These capabilities are Technology Preview features, and must be explicitly enabled.
To view the new alerts, in the OpenShift Container Platform web console, click Observe
2.1.6.2. Network Observability Operator Network Health dashboard (Technology Preview)
When you enable the Technology Preview alerts functionality in the Network Observability Operator, you can view a a new Network Health dashboard in the OpenShift Container Platform web console by clicking Observe.
The Network Health dashboard provides a summary of triggered alerts, distinguishing between critical, warning, and minor issues, and also shows pending alerts.
2.1.7. Network Observability Operator 1.10 removed features
Review the removed features that might affect your use of the Network Observability Operator 1.10 release.
2.1.7.1. FlowCollector API version v1beta1 has been removed
The
FlowCollectorv1beta1v1beta22.1.8. Network Observability Operator 1.10 known issues
Review the following known issues and their recommended workarounds (where available) that might affect your use of the Network Observability Operator 1.10 release.
2.1.8.1. Upgrading to 1.10 fails on OpenShift Container Platform 4.14 and earlier
Upgrading to the Network Observability Operator 1.10 on OpenShift Container Platform 4.14 and earlier can fail due to a
FlowCollectorTo workaround this problem, you must:
Uninstall both versions of the Network Observability Operator from the software catalog in the OpenShift Container Platform web console.
-
Keep the CRD installed so that it doesn’t cause any disruption in the flow collection process.
FlowCollector
-
Keep the
Check the current name of the
CRD by running the following command:FlowCollector$ oc get crd flowcollectors.flows.netobserv.io -o jsonpath='{.spec.versions[0].name}'Expected output:
v1beta1Check the current serving status of the
CRD by running the following command:FlowCollector$ oc get crd flowcollectors.flows.netobserv.io -o jsonpath='{.spec.versions[0].served}'Expected output:
trueSet the
flag for theservedversion tov1beta1by running the following command:false$ oc patch crd flowcollectors.flows.netobserv.io --type='json' -p "[{'op': 'replace', 'path': '/spec/versions/0/served', 'value': false}]"Verify that the
flag is set toservedby running the following command:false$ oc get crd flowcollectors.flows.netobserv.io -o jsonpath='{.spec.versions[0].served}'Expected output:
false- Install Network Observability Operator 1.10.
2.1.8.2. eBPF agent compatibility with older OpenShift Container Platform versions
The eBPF agent used in the Network Observability Command Line Interface (CLI) packet capture feature is incompatible with OpenShift Container Platform versions 4.16 and older.
This limitation prevents the eBPF-based Packet Capture Agent (PCA) from functioning correctly on those older clusters.
To work around this problem, you must manually configure PCA to use an older, compatible eBPF agent container image. For more information, see the Red Hat Knowledgebase Solution eBPF agent compatibility with older Openshift versions in Network Observability CLI 1.10+.
2.1.8.3. eBPF Agent fails to send flows with OpenShiftSDN when NetworkPolicy is enabled
When running Network Observability Operator 1.10 on OpenShift Container Platform 4.14 clusters that use the
OpenShiftSDNflowlogs-pipelineFlowCollectorNetworkPolicyspec.networkPolicy.enable: trueAs a consequence, flow data is not processed by the
flowlogs-pipelinei/o timeouttime="2025-10-17T13:53:44Z" level=error msg="couldn't send flow records to collector" collector="10.0.68.187:2055" component=exporter/GRPCProto error="rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing: dial tcp 10.0.68.187:2055: i/o timeout\""To work around this problem, set
spec.networkPolicy.enablefalseNetworkPolicyFlowCollectorThis will allow the eBPF agent to communicate with the
flowlogs-pipeline2.1.9. Network Observability Operator 1.10 fixed issues
The Network Observability Operator 1.10 release contains several fixed issues that improve performance and the user experience.
2.1.9.1. MetricName and Remap fields are validated
Before this update, users could create a
FlowMetricFlowMetricWith this release, the
FlowMetricmetricNameremap2.1.9.2. Improved html-to-image export performance
Before this update, performance issues in the underlying library caused the
html-to-imageWith this release, the performance of the
html-to-image2.1.9.3. Improved warnings for eBPF privileged mode
Before this update, when users selected
eBPFprivilegedprivilegedWith this release, a validation hook immediately warns the user if the configuration is inconsistent. This improves user understanding and prevents misconfiguration.
2.1.9.4. Subnet labels added to OpenTelemetry exporter
Before this update, the
OpenTelemetrySrcSubnetLabelDstSubnetLabelWith this release, these labels are now correctly provided by the exporter. They have also been renamed to
source.subnet.labeldestination.subnet.labelOpenTelemetry2.1.9.5. Reduced default tolerations for network observability components
Before this update, a default toleration was set on all network observability components to allow them to be scheduled on any node, including those tainted with
NoScheduleWith this release, the default toleration is now only maintained for the
eBPFFlowlogs-PipelineDirectFlowlogs-PipelineKafkaAdditionally, while tolerations were always configurable in the
FlowCollector2.1.10. Network Observability Operator 1.9.3 advisory
The following advisory is available for the Network Observability Operator 1.9.3:
2.1.11. Network Observability Operator 1.9.2 advisory
The following advisory is available for the Network Observability Operator 1.9.2:
2.1.12. Network observability 1.9.2 bug fixes
-
Before this update, OpenShift Container Platform versions 4.15 and earlier did not support the configuration. This led to command-line interface (CLI) errors and prevented the observation of packets and flows. With this release, the Traffic Control eXtension (TCX) hook attachment mode has been adjusted for these older versions. This eliminates
TC_ATTACH_MODEhook errors and enables flow and packet observation.tcx
2.1.13. Network Observability Operator 1.9.1 advisory
You can review the advisory for the Network Observability Operator 1.9.1 release.
The following advisory is available for the Network Observability Operator 1.9.1:
2.1.14. Network Observability Operator 1.9.1 fixed issues
You can review the fixed issues for the Network Observability Operator 1.9.1 release.
-
Before this update, network flows were not observed on OpenShift Container Platform 4.15 due to an incorrect attach mode setting. This stopped users from monitoring network flows correctly, especially with certain catalogs. With this release, the default attach mode for OpenShift Container Platform versions older than 4.16.0 is set to , so flows are now observed on OpenShift Container Platform 4.15. (NETOBSERV-2333)
tc - Before this update, if an IPFIX collector restarted, configuring an IPFIX exporter could lose its connection and stop sending network flows to the collector. With this release, the connection is restored, and network flows continue to be sent to the collector. (NETOBSERV-2315)
- Before this update, when you configured an IPFIX exporter, flows without port information (such as ICMP traffic) were ignored, which caused errors in logs. TCP flags and ICMP data were also missing from IPFIX exports. With this release, these details are now included. Missing fields (like ports) no longer cause errors and are part of the exported data. (NETOBSERV-2307)
- Before this update, the User Defined Networks (UDN) Mapping feature showed a configuration issue and warning on OpenShift Container Platform 4.18 because the OpenShift version was incorrectly set in the code. This impacted the user experience. With this release, UDN Mapping now supports OpenShift Container Platform 4.18 without warnings, making the user experience smooth. (NETOBSERV-2305)
-
Before this update, the expand function on the Network Traffic page had compatibility problems with OpenShift Container Platform Console 4.19. This resulted in empty menu space when expanding and an inconsistent user interface. With this release, the compatibility problem in the part and
NetflowTrafficis resolved. The side menu in the Network Traffic view is now properly managed, which improves how you interact with the user interface. (NETOBSERV-2304)theme hook
2.1.15. Network Observability Operator 1.9.0 advisory
You can review the advisory for the Network Observability Operator 1.9.0 release.
2.1.16. Network Observability Operator 1.9.0 new features and enhancements
You can review the new features and enhancements for the Network Observability Operator 1.9.0 release.
2.1.16.1. User-defined networks with network observability
With this release, user-defined networks (UDN) feature is generally available with network observability. When the
UDNMappingUDN labels2.1.16.2. Filter flowlogs at ingestion
With this release, you can create filters to reduce the number of generated network flows and the resource usage of network observability components. The following filters can be configured:
- eBPF Agent filters
- Flowlogs-pipeline filters
2.1.16.3. IPsec support
This update brings the following enhancements to network observability when IPsec is enabled on OpenShift Container Platform:
- A new column named IPsec Status is displayed in the network observability Traffic flows view to show whether a flow was successfully IPsec-encrypted or if there was an error during encryption/decryption.
- A new dashboard showing the percentage of encrypted traffic is generated.
2.1.16.4. Network Observability CLI
The following filtering options are now available for packets, flows, and metrics capture:
-
Configure the ratio of packets being sampled by using the option.
--sampling -
Filter flows using a custom query by using the option.
--query -
Specify interfaces to monitor by using the option.
--interfaces -
Specify interfaces to exclude by using the option.
--exclude_interfaces -
Specify metric names to generate by using the option.
--include_list
For more information, see:
2.1.17. Network Observability Operator release notes 1.9.0 notable technical changes
You can review the notable technical changes for the Network Observability Operator 1.6.0 release.
-
The feature in network observability 1.9 has been updated to work with the newer Linux kernel of OpenShift Container Platform 4.19. This update breaks compatibility with older kernels. As a result, the
NetworkEventsfeature can only be used with OpenShift Container Platform 4.19. If you are using this feature with network observability 1.8 and OpenShift Container Platform 4.18, consider avoiding a network observability upgrade or upgrade to network observability 1.9 and OpenShift Container Platform to 4.19.NetworkEvents -
The cluster role has been renamed to
netobserv-reader.netobserv-loki-reader - Improved CPU performance of the eBPF agents.
2.1.18. Network Observability Operator 1.9.0 Technology Preview features
You can review the Technology Preview features for the Network Observability Operator 1.9.0 release.
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:
Technology Preview Features Support Scope
2.1.18.1. eBPF Manager Operator with network observability
The eBPF Manager Operator reduces the attack surface and ensures compliance, security, and conflict prevention by managing all eBPF programs. Network observability can use the eBPF Manager Operator to load hooks. This eliminates the need to provide the eBPF Agent with privileged mode or additional Linux capabilities like
CAP_BPFCAP_PERFMON2.1.19. Network Observability Operator 1.9.0 CVEs
You can review the CVEs for the Network Observability Operator 1.9.0 release.
2.1.20. Network Observability Operator 1.9.0 fixed issues
You can review the fixed issues for the Network Observability Operator 1.9.0 release.
-
Previously, when filtering by source or destination IP from the console plugin, using a Classless Inter-Domain Routing (CIDR) notation such as did not work, returning results that should be filtered out. With this update, it is now possible to use a CIDR notation, with the results being filtered as expected. (NETOBSERV-2276)
10.128.0.0/24 -
Previously, network flows might have incorrectly identified the network interfaces in use, especially with a risk of mixing up and
eth0. This issue only occurred when the eBPF agents were configured asens5. With this update, it has been fixed partially, and almost all network interfaces are correctly identified. Refer to the known issues below for more details. (NETOBSERV-2257)Privileged - Previously, when the Operator checked for available Kubernetes APIs in order to adapt its behavior, if there was a stale API, this resulted in an error that prevented the Operator from starting normally. With this update, the Operator ignores error on unrelated APIs, logs errors on related APIs, and continues to run normally. (NETOBSERV-2240)
- Previously, users could not sort flows by Bytes or Packets in the Traffic flows view of the Console plugin. With this update, users can sort flows by Bytes and Packets. (NETOBSERV-2239)
-
Previously, when configuring the resource with an IPFIX exporter, MAC addresses in the IPFIX flows were truncated to their 2 first bytes. With this update, MAC addresses are fully represented in the IPFIX flows. (NETOBSERV-2208)
FlowCollector - Previously, some of the warnings sent from the Operator validation webhook could lack clarity on what needed to be done. With this update, some of these messages have been reviewed and amended to make them more actionable. (NETOBSERV-2178)
-
Previously, it was not obvious to figure out there was an issue when referencing a from the
LokiStackresource, such as in case of typing error. With this update, theFlowCollectorstatus clearly states that the referencedFlowCollectoris not found in that case. (NETOBSERV-2174)LokiStack - Previously, in the console plugin Traffic flows view, in case of text overflow, text ellipses sometimes hid much of the text to be displayed. With this update, it displays as much text as possible. (NETOBSERV-2119)
- Previously, the console plugin for network observability 1.8.1 and earlier did not work with the OpenShift Container Platform 4.19 web console, making the Network Traffic page inaccessible. With this update, the console plugin is compatible and the Network Traffic page is accessible in network observability 1.9.0. (NETOBSERV-2046)
-
Previously, when using conversation tracking (or
logTypes: Conversationsin thelogTypes: Allresource), the Traffic rates metrics visible in the dashboards were flawed, wrongly showing an out-of-control increase in traffic. Now, the metrics show more accurate traffic rates. However, note that inFlowCollectorandConversationsmodes, these metrics are still not completely accurate as they do not include long-standing connections. This information has been added to the documentation. The default modeEndedConversationsis recommended to avoid these inaccuracy. (NETOBSERV-1955)logTypes: Flows
2.1.21. Network Observability Operator 1.9.0 known issues
You can review the known issues for the Network Observability Operator 1.9.0 release.
- The user-defined network (UDN) feature displays a configuration issue and a warning when used with OpenShift Container Platform 4.18, even though it is supported. This warning can be ignored. (NETOBSERV-2305)
-
In some rare cases, the eBPF agent is unable to appropriately correlate flows with the involved interfaces when running in modes with several network namespaces. A large part of these issues have been identified and resolved in this release, but some inconsistencies remain, especially with the
privilegedinterface. (NETOBSERV-2287)ens5
2.1.22. Network Observability Operator 1.8.1 advisory
You can review the advisory for the Network Observability Operator 1.8.1 release.
2.1.23. Network Observability Operator 1.8.1 CVEs
You can review the CVEs for the Network Observability Operator 1.8.1 release.
2.1.24. Network Observability Operator 1.8.1 fixed issues
You can review the fixed issues for the Network Observability Operator 1.8.1 release.
- This fix ensures that the Observe menu appears only once in future versions of OpenShift Container Platform. (NETOBSERV-2139)
2.1.25. Network Observability Operator 1.8.0 advisory
You can review the advisory for the Network Observability Operator 1.8.0 release.
2.1.26. Network Observability Operator 1.8.0 new features and enhancements
You can review the new features and enhancements for the Network Observability Operator 1.8.0 release.
2.1.26.1. Packet translation
You can now enrich network flows with translated endpoint information, showing not only the service but also the specific backend pod, so you can see which pod served a request.
For more information, see:
2.1.26.2. eBPF performance improvements in 1.8
- Network observability now uses hash maps instead of per-CPU maps. This means that network flows data is now tracked in the kernel space and new packets are also aggregated there. The de-duplication of network flows can now occur in the kernel, so the size of data transfer between the kernel and the user spaces yields better performance. With these eBPF performance improvements, there is potential to observe a CPU resource reduction between 40% and 57% in the eBPF Agent.
2.1.26.3. Network Observability CLI
The following new features, options, and filters are added to the Network Observability CLI for this release:
-
Capture metrics with filters enabled by running the command.
oc netobserv metrics -
Run the CLI in the background by using the option with flows and packets capture and running
--backgroundto see the progress of the background run andoc netobserv followto download the generated logs.oc netobserv copy -
Enrich flows and metrics capture with Machines, Pods, and Services subnets by using the option.
--get-subnets New filtering options available with packets, flows, and metrics capture:
- eBPF filters on IPs, Ports, Protocol, Action, TCP Flags and more
-
Custom nodes using
--node-selector -
Drops only using
--drops -
Any field using
--regexes
For more information, see:
2.1.27. Network Observability Operator release notes 1.8.0 fixed issues
You can review the fixed issues for the Network Observability Operator 1.8.0 release.
- Previously, the Network Observability Operator came with a "kube-rbac-proxy" container to manage RBAC for its metrics server. Since this external component is deprecated, it was necessary to remove it. It is now replaced with direct TLS and RBAC management through Kubernetes controller-runtime, without the need for a side-car proxy. (NETOBSERV-1999)
- Previously in the OpenShift Container Platform console plugin, filtering on a key that was not equal to multiple values would not filter anything. With this fix, the expected results are returned, which is all flows not having any of the filtered values. (NETOBSERV-1990)
- Previously in the OpenShift Container Platform console plugin with disabled Loki, it was very likely to generate a "Can’t build query" error due to selecting an incompatible set of filters and aggregations. Now this error is avoided avoid by automatically disabling incompatible filters while still making the user aware of the filter incompatibility. (NETOBSERV-1977)
- Previously, when viewing flow details from the console plugin, the ICMP info was always displayed in the side panel, showing "undefined" values for non-ICMP flows. With this fix, ICMP info is not displayed for non-ICMP flows. (NETOBSERV-1969)
- Previously, the "Export data" link from the Traffic flows view did not work as intended, generating empty CSV reports. Now, the export feature is restored, generating non-empty CSV data. (NETOBSERV-1958)
-
Previously, it was possible to configure the with
FlowCollectorprocessor.logTypes,ConversationsorEndedConversationswithAllset toloki.enable, despite the conversation logs being only useful when Loki is enabled. This resulted in resource usage waste. Now, this configuration is invalid and is rejected by the validation webhook. (NETOBSERV-1957)false -
Configuring the with
FlowCollectorset toprocessor.logTypesconsumes much more resources, such as CPU, memory and network bandwidth, than the other options. This was previously not documented. It is now documented, and triggers a warning from the validation webhook. (NETOBSERV-1956)All - Previously, under high stress, some flows generated by the eBPF agent were mistakenly dismissed, resulting in traffic bandwidth under-estimation. Now, those generated flows are not dismissed. (NETOBSERV-1954)
-
Previously, when enabling the network policy in the configuration, the traffic to the Operator webhooks was blocked, breaking the
FlowCollectorAPI validation. Now traffic to the webhooks is allowed. (NETOBSERV-1934)FlowMetrics -
Previously, when deploying the default network policy, namespaces and
openshift-consolewere set by default in theopenshift-monitoringfield, resulting in duplicated rules. Now there is no additional namespace set by default, which helps avoid getting duplicated rules.(NETOBSERV-1933)additionalNamespaces - Previously from the OpenShift Container Platform console plugin, filtering on TCP flags would match flows having only the exact desired flag. Now, any flow having at least the desired flag appears in filtered flows. (NETOBSERV-1890)
- When the eBPF agent runs in privileged mode and pods are continuously added or deleted, a file descriptor (FD) leak occurs. The fix ensures proper closure of the FD when a network namespace is deleted. (NETOBSERV-2063)
-
Previously, the CLI agent did not deploy on master nodes. Now, a toleration is added on the agent
DaemonSetto schedule on every node when taints are set. Now, CLI agentDaemonSetpods run on all nodes. (NETOBSERV-2030)DaemonSet - Previously, the Source Resource and Source Destination filters autocomplete were not working when using Prometheus storage only. Now this issue is fixed and suggestions displays as expected. (NETOBSERV-1885)
- Previously, a resource using multiple IPs was displayed separately in the Topology view. Now, the resource shows as a single topology node in the view. (NETOBSERV-1818)
- Previously, the console refreshed the Network traffic table view contents when the mouse pointer hovered over the columns. Now, the display is fixed, so row height remains constant with a mouse hover. (NETOBSERV-2049)
2.1.28. Network Observability Operator release notes 1.8.0 known issues
You can review the known issues for the Network Observability Operator 1.8.0 release.
- If there is traffic that uses overlapping subnets in your cluster, there is a small risk that the eBPF Agent mixes up the flows from overlapped IPs. This can happen if different connections happen to have the exact same source and destination IPs and if ports and protocol are within a 5 seconds time frame and happening on the same node. This should not be possible unless you configured secondary networks or UDN. Even in that case, it is still very unlikely in usual traffic, as source ports are usually a good differentiator. (NETOBSERV-2115)
-
After selecting a type of exporter to configure in the resource
FlowCollectorsection from the OpenShift Container Platform web console form view, the detailed configuration for that type does not show up in the form. The workaround is to configure directly the YAML. (NETOBSERV-1981)spec.exporters
2.1.29. Network Observability Operator 1.7.0 advisory
You can review the advisory for the Network Observability Operator 1.7.0 release.
2.1.30. Network Observability Operator 1.7.0 new features and enhancements
You can review the following new features and enhancements for the Network Observability Operator 1.7.0 release.
2.1.30.1. OpenTelemetry support
You can now export enriched network flows to a compatible OpenTelemetry endpoint, such as the Red Hat build of OpenTelemetry.
For more information, see:
2.1.30.2. Network observability Developer perspective
You can now use network observability in the Developer perspective.
For more information, see:
2.1.30.3. TCP flags filtering
You can now use the
tcpFlagsFor more information, see:
2.1.30.4. Network observability for OpenShift Virtualization
You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through Open Virtual Network (OVN)-Kubernetes.
For more information, see:
2.1.30.5. Network policy deploys in the FlowCollector custom resource (CR)
With this release, you can configure the
FlowCollectorFor more information, see:
2.1.30.6. FIPS compliance
You can install and use the Network Observability Operator in an OpenShift Container Platform cluster running in FIPS mode.
ImportantTo enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode.
When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
2.1.30.7. eBPF agent enhancements
The following enhancements are available for the eBPF agent:
-
If the DNS service maps to a different port than , you can specify this DNS tracking port using
53.spec.agent.ebpf.advanced.env.DNS_TRACKING_PORT - You can now use two ports for transport protocols (TCP, UDP, or SCTP) filtering rules.
- You can now filter on transport ports with a wildcard protocol by leaving the protocol field empty.
For more information, see:
2.1.30.8. Network Observability CLI
The Network Observability CLI (
oc netobserv- There are now eBPF enrichment filters for packet capture similar to flow capture.
-
You can now use filter with both flow and packets capture.
tcp_flags - The auto-teardown option is available when max-bytes or max-time is reached.
For more information, see:
2.1.31. Network Observability Operator 1.7.0 fixed issues
You can review the following fixed issues for the Network Observability Operator 1.7.0 release.
-
Previously, when using a RHEL 9.2 real-time kernel, some of the webhooks did not work. Now, a fix is in place to check whether this RHEL 9.2 real-time kernel is being used. If the kernel is being used, a warning is displayed about the features that do not work, such as packet drop and neither Round-trip Time when using architecture. The fix is in OpenShift 4.16 and later. (NETOBSERV-1808)
s390x - Previously, in the Manage panels dialog in the Overview tab, filtering on total, bar, donut, or line did not show a result. Now the available panels are correctly filtered. (NETOBSERV-1540)
-
Previously, under high stress, the eBPF agents were susceptible to enter into a state where they generated a high number of small flows, almost not aggregated. With this fix, the aggregation process is still maintained under high stress, resulting in less flows being created. This fix improves the resource consumption not only in the eBPF agent but also in and Loki. (NETOBSERV-1564)
flowlogs-pipeline -
Previously, when the metric was enabled instead of the
workload_flows_totalmetric, the health dashboard stopped showingnamespace_flows_totalflow charts. With this fix, the health dashboard now shows the flow charts when theBy namespaceis enabled. (NETOBSERV-1746)workload_flows_total -
Previously, when you used the API to generate a custom metric and later modified its labels, such as by adding a new label, the metric stopped populating and an error was shown in the
FlowMetricslogs. With this fix, you can modify the labels, and the error is no longer raised in theflowlogs-pipelinelogs. (NETOBSERV-1748)flowlogs-pipeline -
Previously, there was an inconsistency with the default Loki configuration: it was set to 100 KB in the
WriteBatchSizeCRD default, and 10 MB in the OLM sample or default configuration. Both are now aligned to 10 MB, which generally provides better performances and less resource footprint. (NETOBSERV-1766)FlowCollector - Previously, the eBPF flow filter on ports was ignored if you did not specify a protocol. With this fix, you can set eBPF flow filters independently on ports and or protocols. (NETOBSERV-1779)
- Previously, traffic from Pods to Services was hidden from the Topology view. Only the return traffic from Services to Pods was visible. With this fix, that traffic is correctly displayed. (NETOBSERV-1788)
- Previously, non-cluster administrator users that had access to Network Observability saw an error in the console plugin when they tried to filter for something that triggered auto-completion, such as a namespace. With this fix, no error is displayed, and the auto-completion returns the expected results. (NETOBSERV-1798)
- When the secondary interface support was added, you had to iterate multiple times to register the per network namespace with the netlink to learn about interface notifications. At the same time, unsuccessful handlers caused a leaking file descriptor because with TCX hook, unlike TC, handlers needed to be explicitly removed when the interface went down. Furthermore, when the network namespace was deleted, there was no Go close channel event to terminate the netlink goroutine socket, which caused go threads to leak. Now, there are no longer leaking file descriptors or go threads when you create or delete pods. (NETOBSERV-1805)
- Previously, the ICMP type and value were displaying 'n/a' in the Traffic flows table even when related data was available in the flow JSON. With this fix, ICMP columns display related values as expected in the flow table. (NETOBSERV-1806)
- Previously in the console plugin, it wasn’t always possible to filter for unset fields, such as unset DNS latency. With this fix, filtering on unset fields is now possible. (NETOBSERV-1816)
- Previously, when you cleared filters in the OpenShift web console plugin, sometimes the filters reappeared after you navigated to another page and returned to the page with filters. With this fix, filters do not unexpectedly reappear after they are cleared. (NETOBSERV-1733)
2.1.32. Network Observability Operator 1.7.0 known issues
You can review the following known issues for the Network Observability Operator 1.7.0 release.
- When you use the must-gather tool with network observability, logs are not collected when the cluster has FIPS enabled. (NETOBSERV-1830)
When the
is enabled in thespec.networkPolicy, which installs a network policy on theFlowCollectornamespace, it is impossible to use thenetobservAPI. The network policy blocks calls to the validation webhook. As a workaround, use the following network policy:FlowMetricskind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-from-hostnetwork namespace: netobserv spec: podSelector: matchLabels: app: netobserv-operator ingress: - from: - namespaceSelector: matchLabels: policy-group.network.openshift.io/host-network: '' policyTypes: - Ingress
2.1.33. Network Observability Operator release notes 1.6.2 advisory
You can review the advisory for the Network Observability Operator 1.6.2 release.
2.1.34. Network Observability Operator release notes 1.6.2 CVEs
You can review the CVEs for the Network Observability Operator 1.6.2 release.
2.1.35. Network Observability Operator release notes 1.6.2 fixed issues
You can review the fixed issues for the Network Observability Operator 1.6.2 release.
- When the secondary interface support was added, there was a need to iterate multiple times to register the per network namespace with the netlink to learn about interface notifications. At the same time, unsuccessful handlers caused a leaking file descriptor because with TCX hook, unlike TC, handlers needed to be explicitly removed when the interface went down. Now, there are no longer leaking file descriptors when creating and deleting pods. (NETOBSERV-1805)
2.1.36. Network Observability Operator release notes 1.6.2 known issues
You can review the known issues for the Network Observability Operator 1.6.2 release.
- There was a compatibility issue with console plugins that would have prevented network observability from being installed on future versions of an OpenShift Container Platform cluster. By upgrading to 1.6.2, the compatibility issue is resolved and network observability can be installed as expected. (NETOBSERV-1737)
2.1.37. Network Observability Operator release notes 1.6.1 advisory
You can review the advisory for the Network Observability Operator 1.6.1 release.
2.1.38. Network Observability Operator release notes 1.6.1 CVEs
You can review the CVEs for the Network Observability Operator 1.6.1 release.
2.1.39. Network Observability Operator release notes 1.6.1 fixed issues
You can review the fixed issues for the Network Observability Operator 1.6.1 release.
- Previously, information about packet drops, such as the cause and TCP state, was only available in the Loki datastore and not in Prometheus. For that reason, the drop statistics in the OpenShift web console plugin Overview was only available with Loki. With this fix, information about packet drops is also added to metrics, so you can view drops statistics when Loki is disabled. (NETOBSERV-1649)
-
When the eBPF agent feature was enabled, and sampling was configured to a value greater than
PacketDrop, reported dropped bytes and dropped packets ignored the sampling configuration. While this was done on purpose, so as not to miss any drops, a side effect was that the reported proportion of drops compared with non-drops became biased. For example, at a very high sampling rate, such as1, it was likely that almost all the traffic appears to be dropped when observed from the console plugin. With this fix, the sampling configuration is honored with dropped bytes and packets. (NETOBSERV-1676)1:1000 - Previously, the SR-IOV secondary interface was not detected if the interface was created first and then the eBPF agent was deployed. It was only detected if the agent was deployed first and then the SR-IOV interface was created. With this fix, the SR-IOV secondary interface is detected no matter the sequence of the deployments. (NETOBSERV-1697)
- Previously, when Loki was disabled, the Topology view in the OpenShift web console displayed the Cluster and Zone aggregation options in the slider beside the network topology diagram, even when the related features were not enabled. With this fix, the slider now only displays options according to the enabled features. (NETOBSERV-1705)
-
Previously, when Loki was disabled, and the OpenShift web console was first loading, an error would occur: . With this fix, the errors no longer occur. (NETOBSERV-1706)
Request failed with status code 400 Loki is disabled - Previously, in the Topology view of the OpenShift web console, when clicking on the Step into icon next to any graph node, the filters were not applied as required in order to set the focus to the selected graph node, resulting in showing a wide view of the Topology view in the OpenShift web console. With this fix, the filters are correctly set, effectively narrowing down the Topology. As part of this change, clicking the Step into icon on a Node now brings you to the Resource scope instead of the Namespaces scope. (NETOBSERV-1720)
- Previously, when Loki was disabled, in the Topology view of the OpenShift web console with the Scope set to Owner, clicking on the Step into icon next to any graph node would bring the Scope to Resource, which is not available without Loki, so an error message was shown. With this fix, the Step into icon is hidden in the Owner scope when Loki is disabled, so this scenario no longer occurs. (NETOBSERV-1721)
- Previously, when Loki was disabled, an error was displayed in the Topology view of the OpenShift web console when a group was set, but then the scope was changed so that the group becomes invalid. With this fix, the invalid group is removed, preventing the error. (NETOBSERV-1722)
-
When creating a resource from the OpenShift web console Form view, as opposed to the YAML view, the following settings were incorrectly managed by the web console:
FlowCollectorandagent.ebpf.metrics.enable. These settings can only be disabled in the YAML view, not in the Form view. To avoid any confusion, these settings have been removed from the Form view. They are still accessible in the YAML view. (NETOBSERV-1731)processor.subnetLabels.openShiftAutoDetect - Previously, the eBPF agent was unable to clean up traffic control flows installed before an ungraceful crash, for example a crash due to a SIGTERM signal. This led to the creation of multiple traffic control flow filters with the same name, since the older ones were not removed. With this fix, all previously installed traffic control flows are cleaned up when the agent starts, before installing new ones. (NETOBSERV-1732)
- Previously, when configuring custom subnet labels and keeping the OpenShift subnets auto-detection enabled, OpenShift subnets would take precedence over the custom ones, preventing the definition of custom labels for in cluster subnets. With this fix, custom defined subnets take precedence, allowing the definition of custom labels for in cluster subnets. (NETOBSERV-1734)
2.1.40. Network Observability Operator release notes 1.6.0 advisory
You can review the advisory for the Network Observability Operator 1.6.0 release.
2.1.41. Network Observability Operator 1.6.0 new features and enhancements
You can review the following new features and enhancements for the Network Observability Operator 1.6.0.
2.1.41.1. Enhanced use of Network Observability Operator without Loki
You can now use Prometheus metrics and rely less on Loki for storage when using the Network Observability Operator.
For more information, see:
2.1.41.2. Custom metrics API
You can create custom metrics out of flowlogs data by using the
FlowMetricsSrcSubnetLabelDstSubnetLabelFor more information, see:
2.1.41.3. eBPF performance enhancements
Experience improved performances of the eBPF agent, in terms of CPU and memory, with the following updates:
- The eBPF agent now uses TCX webhooks instead of TC.
The NetObserv / Health dashboard has a new section that shows eBPF metrics.
- Based on the new eBPF metrics, an alert notifies you when the eBPF agent is dropping flows.
- Loki storage demand decreases significantly now that duplicated flows are removed. Instead of having multiple, individual duplicated flows per network interface, there is one de-duplicated flow with a list of related network interfaces.
With the duplicated flows update, the Interface and Interface Direction fields in the Network Traffic table are renamed to Interfaces and Interface Directions, so any bookmarked Quick filter queries using these fields need to be updated to
interfacesifdirectionsFor more information, see:
2.1.41.4. eBPF collection rule-based filtering
You can use rule-based filtering to reduce the volume of created flows. When this option is enabled, the Netobserv / Health dashboard for eBPF agent statistics has the Filtered flows rate view.
For more information, see:
2.1.42. Network Observability Operator 1.6.0 fixed issues
You can review the following fixed issues for the Network Observability Operator 1.6.0.
-
Previously, a dead link to the OpenShift Container Platform documentation was displayed in the Operator Lifecycle Manager (OLM) form for the API creation. Now the link has been updated to point to a valid page. (NETOBSERV-1607)
FlowMetrics - Previously, the Network Observability Operator description in the Operator Hub displayed a broken link to the documentation. With this fix, this link is restored. (NETOBSERV-1544)
-
Previously, if Loki was disabled and the Loki was set to
Mode, or if Loki manual TLS configuration was configured, the Network Observability Operator still tried to read the Loki CA certificates. With this fix, when Loki is disabled, the Loki certificates are not read, even if there are settings in the Loki configuration. (NETOBSERV-1647)LokiStack -
Previously, the
ocplugin for the Network Observability Operator was only working on themust-gatherarchitecture and failing on all others because the plugin was usingamd64for theamd64binary. Now, the Network Observability Operatorococplugin collects logs on any architecture platform.must-gather -
Previously, when filtering on IP addresses using , the Network Observability Operator would return a request error. Now, the IP filtering works in both
not equal toandequalcases for IP addresses and ranges. (NETOBSERV-1630)not equal to -
Previously, when a user was not an admin, the error messages were not consistent with the selected tab of the Network Traffic view in the web console. Now, the error displays on any tab with improved display.(NETOBSERV-1621)
user not admin
2.1.43. Network Observability Operator 1.6.0 known issues
You can review the following known issues for the Network Observability Operator 1.6.0.
-
When the eBPF agent feature is enabled, and sampling is configured to a value greater than
PacketDrop, reported dropped bytes and dropped packets ignore the sampling configuration. While this is done on purpose to not miss any drops, a side effect is that the reported proportion of drops compared to non-drops becomes biased. For example, at a very high sampling rate, such as1, it is likely that almost all the traffic appears to be dropped when observed from the console plugin. (NETOBSERV-1676)1:1000 - In the Manage panels window in the Overview tab, filtering on total, bar, donut, or line does not show any result. (NETOBSERV-1540)
- The SR-IOV secondary interface is not detected if the interface was created first and then the eBPF agent was deployed. It is only detected if the agent was deployed first and then the SR-IOV interface is created. (NETOBSERV-1697)
- When Loki is disabled, the Topology view in the OpenShift web console always shows the Cluster and Zone aggregation options in the slider beside the network topology diagram, even when the related features are not enabled. There is no specific workaround, besides ignoring these slider options. (NETOBSERV-1705)
-
When Loki is disabled, and the OpenShift web console first loads, it might display an error: . As a workaround, you can continue switching content on the Network Traffic page, such as clicking between the Topology and the Overview tabs. The error should disappear. (NETOBSERV-1706)
Request failed with status code 400 Loki is disabled
2.1.44. Network Observability Operator 1.5.0 advisory
You can view the following advisory for the Network Observability Operator 1.5 release.
2.1.45. Network Observability Operator 1.5.0 new features and enhancements
You can view the following new features and enhancements for the Network Observability Operator 1.5 release.
2.1.45.1. DNS tracking enhancements
In 1.5, the TCP protocol is now supported in addition to UDP. New dashboards are also added to the Overview view of the Network Traffic page.
For more information, see:
2.1.45.2. Round-trip time (RTT)
You can use TCP handshake Round-Trip Time (RTT) captured from the
fentry/tcp_rcv_establishedFor more information, see:
2.1.45.3. Metrics, dashboards, and alerts enhancements
The network observability metrics dashboards in Observe
includeListignoreTagsFor a complete list of these metrics, see:
2.1.45.4. Improvements for network observability without Loki
You can create Prometheus alerts for the Netobserv dashboard using DNS, Packet drop, and RTT metrics, even if you don’t use Loki. In the previous version of network observability, 1.4, these metrics were only available for querying and analysis in the Network Traffic, Overview, and Topology views, which are not available without Loki.
For more information, see:
2.1.45.5. Availability zones
You can configure the
FlowCollectortopology.kubernetes.io/zone label value applied to the nodes.
For more information, see:
2.1.45.6. Notable enhancements
The 1.5 release of the Network Observability Operator adds improvements and new capabilities to the OpenShift Container Platform web console plugin and the Operator configuration.
2.1.45.7. Performance enhancements
The
default is changed fromspec.agent.ebpf.kafkaBatchSizeto10MBto enhance eBPF performance when using Kafka.1MBImportantWhen upgrading from an existing installation, this new value is not set automatically in the configuration. If you monitor a performance regression with the eBPF Agent memory consumption after upgrading, you might consider reducing the
to the new value.kafkaBatchSize
2.1.45.8. Web console enhancements:
- There are new panels added to the Overview view for DNS and RTT: Min, Max, P90, P99.
There are new panel display options added:
- Focus on one panel while keeping others viewable but with smaller focus.
- Switch graph type.
- Show Top and Overall.
- A collection latency warning is shown in the Custom time range window.
- There is enhanced visibility for the contents of the Manage panels and Manage columns pop-up windows.
- The Differentiated Services Code Point (DSCP) field for egress QoS is available for filtering QoS DSCP in the web console Network Traffic page.
2.1.45.9. Configuration enhancements:
-
The mode in the
LokiStackspecification simplifies installation by automatically setting URLs, TLS, cluster roles and a cluster role binding, as well as thespec.loki.modevalue. TheauthTokenmode allows more control over configuration of these settings.Manual -
The API version changes from to
flows.netobserv.io/v1beta1.flows.netobserv.io/v1beta2
2.1.46. Network Observability Operator 1.5.0 fixed issues
You can view the following fixed issues for the Network Observability Operator 1.5 release.
-
Previously, it was not possible to register the console plugin manually in the web console interface if the automatic registration of the console plugin was disabled. If the value was set to
spec.console.registerin thefalseresource, the Operator would override and erase the plugin registration. With this fix, setting theFlowCollectorvalue tospec.console.registerdoes not impact the console plugin registration or registration removal. As a result, the plugin can be safely registered manually. (NETOBSERV-1134)false -
Previously, using the default metrics settings, the NetObserv/Health dashboard was showing an empty graph named Flows Overhead. This metric was only available by removing "namespaces-flows" and "namespaces" from the list. With this fix, this metric is visible when you use the default metrics setting. (NETOBSERV-1351)
ignoreTags - Previously, the node on which the eBPF Agent was running would not resolve with a specific cluster configuration. This resulted in cascading consequences that culminated in a failure to provide some of the traffic metrics. With this fix, the eBPF agent’s node IP is safely provided by the Operator, inferred from the pod status. Now, the missing metrics are restored. (NETOBSERV-1430)
- Previously, the Loki error 'Input size too long' error for the Loki Operator did not include additional information to troubleshoot the problem. With this fix, help is directly displayed in the web console next to the error with a direct link for more guidance. (NETOBSERV-1464)
-
Previously, the console plugin read timeout was forced to 30s. With the
FlowCollectorAPI update, you can configure thev1beta2specification to update this value according to the Loki Operatorspec.loki.readTimeoutlimit. (NETOBSERV-1443)queryTimeout -
Previously, the Operator bundle did not display some of the supported features by CSV annotations as expected, such as With this fix, these annotations are set in the CSV as expected. (NETOBSERV-1305)
features.operators.openshift.io/… -
Previously, the status sometimes oscillated between
FlowCollectorandDeploymentInProgressstates during reconciliation. With this fix, the status only becomesReadywhen all of the underlying components are fully ready. (NETOBSERV-1293)Ready
2.1.47. Network Observability Operator 1.5.0 known issues
You can view the following known issues for the Network Observability Operator 1.5 release.
-
When trying to access the web console, cache issues on OCP 4.14.10 prevent access to the Observe view. The web console shows the error message: . The recommended workaround is to update the cluster to the latest minor version. If this does not work, you need to apply the workarounds described in this Red Hat Knowledgebase article.(NETOBSERV-1493)
Failed to get a valid plugin manifest from /api/plugins/monitoring-plugin/ -
Since the 1.3.0 release of the Network Observability Operator, installing the Operator causes a warning kernel taint to appear. The reason for this error is that the network observability eBPF agent has memory constraints that prevent preallocating the entire hashmap table. The Operator eBPF agent sets the flag so that pre-allocation is disabled when the hashmap is too memory expansive.
BPF_F_NO_PREALLOC
2.1.48. Network Observability Operator 1.4.2 advisory
The following advisory is available for the Network Observability Operator 1.4.2:
2.1.49. Network Observability Operator 1.4.2 CVEs
You can review the following CVEs in the Network Observability Operator 1.4.2 release.
2.1.50. Network Observability Operator 1.4.1 advisory
You can review the following advisory for the Network Observability Operator 1.4.1.
2.1.51. Network Observability Operator release 1.4.1 CVEs
You can review the following CVEs in the Network Observability Operator 1.4.1 release.
2.1.52. Network Observability Operator release notes 1.4.1 fixed issues
You can review the following fixed issues in the Network Observability Operator 1.4.1 release.
- In 1.4, there was a known issue when sending network flow data to Kafka. The Kafka message key was ignored, causing an error with connection tracking. Now the key is used for partitioning, so each flow from the same connection is sent to the same processor. (NETOBSERV-926)
-
In 1.4, the flow direction was introduced to account for flows between pods running on the same node. Flows with the
Innerdirection were not taken into account in the generated Prometheus metrics derived from flows, resulting in under-evaluated bytes and packets rates. Now, derived metrics are including flows with theInnerdirection, providing correct bytes and packets rates. (NETOBSERV-1344)Inner
2.1.53. Network observability release notes 1.4.0 advisory
You can review the following advisory for the Network Observability Operator 1.4.0 release.
2.1.54. Network observability release notes 1.4.0 new features and enhancements
You can review the following new features and enhancements in the Network Observability Operator 1.4.0 release.
2.1.54.1. Notable enhancements
The 1.4 release of the Network Observability Operator adds improvements and new capabilities to the OpenShift Container Platform web console plugin and the Operator configuration.
2.1.54.2. Web console enhancements:
- In the Query Options, the Duplicate flows checkbox is added to choose whether or not to show duplicated flows.
-
You can now filter source and destination traffic with
One-way,
Back-and-forth, and Swap filters.
The network observability metrics dashboards in Observe
Dashboards NetObserv and NetObserv / Health are modified as follows: - The NetObserv dashboard shows top bytes, packets sent, packets received per nodes, namespaces, and workloads. Flow graphs are removed from this dashboard.
- The NetObserv / Health dashboard shows flows overhead as well as top flow rates per nodes, namespaces, and workloads.
- Infrastructure and Application metrics are shown in a split-view for namespaces and workloads.
For more information, see:
2.1.54.3. Configuration enhancements:
- You now have the option to specify different namespaces for any configured ConfigMap or Secret reference, such as in certificates configuration.
-
The parameter is added so that the name of the cluster appears in the flows data. This is useful in a multi-cluster context. When using OpenShift Container Platform, leave empty to make it automatically determined.
spec.processor.clusterName
For more information, see:
2.1.54.4. Network observability without Loki
The Network Observability Operator is now functional and usable without Loki. If Loki is not installed, it can only export flows to KAFKA or IPFIX format and provide metrics in the network observability metrics dashboards.
For more information, see:
2.1.54.5. DNS tracking
In 1.4, the Network Observability Operator makes use of eBPF tracepoint hooks to enable DNS tracking. You can monitor your network, conduct security analysis, and troubleshoot DNS issues in the Network Traffic and Overview pages in the web console.
For more information, see:
2.1.54.6. SR-IOV support
You can now collect traffic from a cluster with Single Root I/O Virtualization (SR-IOV) device.
For more information, see:
2.1.54.7. IPFIX exporter support
You can now export eBPF-enriched network flows to the IPFIX collector.
For more information, see:
2.1.54.8. Packet drops
In the 1.4 release of the Network Observability Operator, eBPF tracepoint hooks are used to enable packet drop tracking. You can now detect and analyze the cause for packet drops and make decisions to optimize network performance. In OpenShift Container Platform 4.14 and later, both host drops and OVS drops are detected. In OpenShift Container Platform 4.13, only host drops are detected.
For more information, see:
2.1.54.9. s390x architecture support
Network Observability Operator can now run on
s390xamd64ppc64learm642.1.55. Network observability release notes 1.4.0 removed features
You can review the following removed features from the Network Observability Operator 1.4.0 release.
2.1.55.1. Channel removal
You must switch your channel from
v1.0.xstablev1.0.x2.1.56. Network observability release notes 1.4.0 fixed issues
You can review the following fixed issues in the Network Observability Operator 1.4.0 release.
-
Previously, the Prometheus metrics exported by network observability were computed out of potentially duplicated network flows. In the related dashboards, from Observe
Dashboards, this could result in potentially doubled rates. Note that dashboards from the Network Traffic view were not affected. Now, network flows are filtered to eliminate duplicates before metrics calculation, which results in correct traffic rates displayed in the dashboards. (NETOBSERV-1131) -
Previously, the Network Observability Operator agents were not able to capture traffic on network interfaces when configured with Multus or SR-IOV, non-default network namespaces. Now, all available network namespaces are recognized and used for capturing flows, allowing capturing traffic for SR-IOV. There are configurations needed for the and
FlowCollectorcustom resource to collect traffic. (NETOBSERV-1283)SRIOVnetwork
-
Previously, in the Network Observability Operator details from Operators
Installed Operators, the Status field might have reported incorrect information about the state of the deployment. The status field now shows the proper conditions with improved messages. The history of events is kept, ordered by event date. (NETOBSERV-1224)FlowCollector -
Previously, during spikes of network traffic load, certain eBPF pods were OOM-killed and went into a state. Now, the
CrashLoopBackOffagent memory footprint is improved, so pods are not OOM-killed and entering aeBPFstate. (NETOBSERV-975)CrashLoopBackOff -
Previously when was set to
processor.metrics.tlsthePROVIDEDoption value was forced to beinsecureSkipVerify. Now you can settruetoinsecureSkipVerifyortrue, and provide a CA certificate if needed. (NETOBSERV-1087)false
2.1.57. Network observability release notes 1.4.0 known issues
You can review the following known issues in the Network Observability Operator 1.4.0 release.
-
Since the 1.2.0 release of the Network Observability Operator, using Loki Operator 5.6, a Loki certificate change periodically affects the pods and results in dropped flows rather than flows written to Loki. The problem self-corrects after some time, but it still causes temporary flow data loss during the Loki certificate change. This issue has only been observed in large-scale environments of 120 nodes or greater. (NETOBSERV-980)
flowlogs-pipeline -
Currently, when includes DNSTracking, larger DNS packets require the
spec.agent.ebpf.featuresagent to look for DNS header outside of the 1st socket buffer (SKB) segment. A neweBPFagent helper function needs to be implemented to support it. Currently, there is no workaround for this issue. (NETOBSERV-1304)eBPF -
Currently, when includes DNSTracking, DNS over TCP packets requires the
spec.agent.ebpf.featuresagent to look for DNS header outside of the 1st SKB segment. A neweBPFagent helper function needs to be implemented to support it. Currently, there is no workaround for this issue. (NETOBSERV-1245)eBPF -
Currently, when using a deployment model, if conversation tracking is configured, conversation events might be duplicated across Kafka consumers, resulting in inconsistent tracking of conversations, and incorrect volumetric data. For that reason, it is not recommended to configure conversation tracking when
KAFKAis set todeploymentModel. (NETOBSERV-926)KAFKA -
Currently, when the is configured to use a
processor.metrics.server.tls.typecertificate, the operator enters an unsteady state that might affect its performance and resource consumption. It is recommended to not use aPROVIDEDcertificate until this issue is resolved, and instead using an auto-generated certificate, settingPROVIDEDtoprocessor.metrics.server.tls.type. (NETOBSERV-1293AUTO -
Since the 1.3.0 release of the Network Observability Operator, installing the Operator causes a warning kernel taint to appear. The reason for this error is that the network observability eBPF agent has memory constraints that prevent preallocating the entire hashmap table. The Operator eBPF agent sets the flag so that pre-allocation is disabled when the hashmap is too memory expansive.
BPF_F_NO_PREALLOC
2.1.58. Network Observability Operator 1.3.0 advisory
You can review the following advisory in the Network Observability Operator 1.3.0 release.
2.1.59. Network Observability Operator 1.3.0 new features and enhancements
You can review the following new features and enhancements in the Network Observability Operator 1.3.0 release.
2.1.59.1. Multi-tenancy in network observability
- System administrators can allow and restrict individual user access, or group access, to the flows stored in Loki. For more information, see "Multi-tenancy in network observability".
2.1.59.2. Flow-based metrics dashboard
- This release adds a new dashboard, which provides an overview of the network flows in your OpenShift Container Platform cluster. For more information, see "Network observability metrics dashboards".
2.1.59.3. Troubleshooting with the must-gather tool
- Information about the Network Observability Operator can now be included in the must-gather data for troubleshooting. For more information, see "Network observability must-gather".
2.1.59.4. Multiple architectures now supported
-
Network Observability Operator can now run on an ,
amd64, orppc64learchitectures. Previously, it only ran onarm64.amd64
2.1.60. Network Observability Operator 1.3.0 deprecated features
You can review the following deprecated features in the Network Observability Operator 1.3.0 release.
2.1.60.1. Channel deprecation
You must switch your channel from
v1.0.xstablev1.0.x2.1.60.2. Deprecated configuration parameter setting
The release of Network Observability Operator 1.3 deprecates the
spec.Loki.authTokenHOSTFORWARD2.1.61. Network Observability Operator 1.3.0 fixed issues
You can review the following fixed issues in the Network Observability Operator 1.3.0 release.
-
Previously, when the Operator was installed from the CLI, the and
Rolethat are necessary for the Cluster Monitoring Operator to read the metrics were not installed as expected. The issue did not occur when the operator was installed from the web console. Now, either way of installing the Operator installs the requiredRoleBindingandRole. (NETOBSERV-1003)RoleBinding -
Since version 1.2, the Network Observability Operator can raise alerts when a problem occurs with the flows collection. Previously, due to a bug, the related configuration to disable alerts, was not working as expected and sometimes ineffectual. Now, this configuration is fixed so that it is possible to disable the alerts. (NETOBSERV-976)
spec.processor.metrics.disableAlerts -
Previously, when network observability was configured with set to
spec.loki.authToken, only aDISABLEDcluster administrator was able to view network flows. Other types of cluster administrators received authorization failure. Now, any cluster administrator is able to view network flows. (NETOBSERV-972)kubeadmin -
Previously, a bug prevented users from setting to
spec.consolePlugin.portNaming.enable. Now, this setting can be set tofalseto disable port-to-service name translation. (NETOBSERV-971)false - Previously, the metrics exposed by the console plugin were not collected by the Cluster Monitoring Operator (Prometheus), due to an incorrect configuration. Now the configuration has been fixed so that the console plugin metrics are correctly collected and accessible from the OpenShift Container Platform web console. (NETOBSERV-765)
-
Previously, when was set to
processor.metrics.tlsin theAUTO, theFlowCollectordid not adapt the appropriate TLS scheme, and metrics were not visible in the web console. Now the issue is fixed for AUTO mode. (NETOBSERV-1070)flowlogs-pipeline servicemonitor -
Previously, certificate configuration, such as used for Kafka and Loki, did not allow specifying a namespace field, implying that the certificates had to be in the same namespace where network observability is deployed. Moreover, when using Kafka with TLS/mTLS, the user had to manually copy the certificate(s) to the privileged namespace where the agent pods are deployed and manually manage certificate updates, such as in the case of certificate rotation. Now, network observability setup is simplified by adding a namespace field for certificates in the
eBPFresource. As a result, users can now install Loki or Kafka in different namespaces without needing to manually copy their certificates in the network observability namespace. The original certificates are watched so that the copies are automatically updated when needed. (NETOBSERV-773)FlowCollector - Previously, the SCTP, ICMPv4 and ICMPv6 protocols were not covered by the network observability agents, resulting in a less comprehensive network flows coverage. These protocols are now recognized to improve the flows coverage. (NETOBSERV-934)
2.1.62. Network Observability Operator 1.3.0 known issues
You can review the following issues and their workarounds, if available, to troubleshoot issues with the Network Observability Operator 1.3.0 release.
-
When is set to
processor.metrics.tlsin thePROVIDED, theFlowCollectorflowlogs-pipelineis not adapted to the TLS scheme. (NETOBSERV-1087)servicemonitor -
Since the 1.2.0 release of the Network Observability Operator, using Loki Operator 5.6, a Loki certificate change periodically affects the pods and results in dropped flows rather than flows written to Loki. The problem self-corrects after some time, but it still causes temporary flow data loss during the Loki certificate change. This issue has only been observed in large-scale environments of 120 nodes or greater.(NETOBSERV-980)
flowlogs-pipeline -
When you install the Operator, a warning kernel taint can appear. The reason for this error is that the network observability eBPF agent has memory constraints that prevent preallocating the entire hashmap table. The Operator eBPF agent sets the flag so that pre-allocation is disabled when the hashmap is too memory expansive.
BPF_F_NO_PREALLOC
2.1.63. Network observability release notes 1.2.0 preparing for the next update
Switch the Network Observability Operator’s update channel from the deprecated
v1.0.xstableThe subscription of an installed Operator specifies an update channel that tracks and receives updates for the Operator. Until the 1.2 release of the Network Observability Operator, the only channel available was
v1.0.xstablev1.0.xstablev1.0.x2.1.64. Network Observability Operator 1.2.0 advisory
You can view the following advisory for the Network Observability Operator 1.2.0 release.
2.1.65. Network Observability Operator 1.2.0 new features and enhancements
You can view the following new features and enhancements for the Network Observability Operator 1.2.0 release.
2.1.65.1. Histogram in Traffic Flows view
You can now choose to show a histogram of flows over time. The histogram enables you to visualize the history of flows without hitting the Loki query limit. For more information, see "Using the histogram".
2.1.65.2. Conversation tracking
You can now query flows by Log Type, which enables grouping network flows that are part of the same conversation. For more information, see "Working with conversations".
2.1.65.3. Network observability health alerts
The Network Observability Operator now creates automatic alerts if the
flowlogs-pipeline2.1.66. Network Observability Operator 1.2.0 bug fixes
You can view the following fixed issues for the Network Observability Operator 1.2.0 release.
-
Previously, after changing the value in the FlowCollector spec,
namespaceagent pods running in the previous namespace were not appropriately deleted. Now, the pods running in the previous namespace are appropriately deleted. (NETOBSERV-774)eBPF -
Previously, after changing the value in the FlowCollector spec (such as in Loki section), FlowLogs-Pipeline pods and Console plug-in pods were not restarted, therefore they were unaware of the configuration change. Now, the pods are restarted, so they get the configuration change. (NETOBSERV-772)
caCert.name - Previously, network flows between pods running on different nodes were sometimes not correctly identified as being duplicates because they are captured by different network interfaces. This resulted in over-estimated metrics displayed in the console plug-in. Now, flows are correctly identified as duplicates, and the console plug-in displays accurate metrics. (NETOBSERV-755)
- The "reporter" option in the console plug-in is used to filter flows based on the observation point of either source node or destination node. Previously, this option mixed the flows regardless of the node observation point. This was due to network flows being incorrectly reported as Ingress or Egress at the node level. Now, the network flow direction reporting is correct. The "reporter" option filters for source observation point, or destination observation point, as expected. (NETOBSERV-696)
- Previously, for agents configured to send flows directly to the processor as gRPC+protobuf requests, the submitted payload could be too large and is rejected by the processors' GRPC server. This occurred under very-high-load scenarios and with only some configurations of the agent. The agent logged an error message, such as: grpc: received message larger than max. As a consequence, there was information loss about those flows. Now, the gRPC payload is split into several messages when the size exceeds a threshold. As a result, the server maintains connectivity. (NETOBSERV-617)
2.1.67. Network Observability Operator 1.2.0 known issues
You can review the following issues and their workarounds, if available, to troubleshoot issues with the Network Observability Operator 1.2.0 release.
-
In the 1.2.0 release of the Network Observability Operator, using Loki Operator 5.6, a Loki certificate transition periodically affects the pods and results in dropped flows rather than flows written to Loki. The problem self-corrects after some time, but it still causes temporary flow data loss during the Loki certificate transition. (NETOBSERV-980)
flowlogs-pipeline
2.1.68. Network Observability Operator 1.2.0 notable technical changes
The Network Observability Operator 1.2.0 release requires installation in the
openshift-netobserv-operatorPreviously, you could install the Network Observability Operator using a custom namespace. This release introduces the
conversion webhookClusterServiceVersionopenshift-operatorsNow, the Operator must be installed in the
openshift-netobserv-operatorYou cannot automatically upgrade to the new Operator version if you previously installed the Network Observability Operator using a custom namespace. If you previously installed the Operator using a custom namespace, you must delete the instance of the Operator that was installed and re-install your operator in the
openshift-netobserv-operatornetobservFlowCollector2.1.69. Network Observability Operator 1.1.0 enhancements
You can view the following advisory for the Network Observability Operator 1.1.0:
The Network Observability Operator is now stable and the release channel is upgraded to
v1.1.02.1.70. Network Observability Operator 1.1.0 fixed issues
You can view the following fixed issues for the Network Observability Operator 1.1.0 release.
-
Previously, unless the Loki configuration was set to
authTokenmode, authentication was not enforced, allowing unauthorized users to retrieve flows. Now, regardless of the LokiFORWARDmode, only cluster administrators can retrieve flows. (BZ#2169468)authToken
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}