Chapter 4. Installing the Network Observability Operator
Installing the Loki Operator is recommended before using the Network Observability Operator. You can use network observability without Loki, but special considerations apply if you only need metrics or external exporters.
The Loki Operator integrates a gateway that implements multi-tenancy and authentication with Loki for data flow storage. The LokiStack resource manages Loki, which is a scalable, highly-available, multi-tenant log aggregation system, and a web proxy with OpenShift Container Platform authentication. The LokiStack proxy uses OpenShift Container Platform authentication to enforce multi-tenancy and facilitate the saving and indexing of data in Loki log stores.
The Loki Operator can also be used for configuring the LokiStack log store. The Network Observability Operator requires a dedicated LokiStack separate from the logging.
4.1. Network observability without Loki
You can use network observability without Loki by not performing the Loki installation steps and skipping directly to "Installing the Network Observability Operator". If you only want to export flows to a Kafka consumer or IPFIX collector, or you only need dashboard metrics, then you do not need to install Loki or provide storage for Loki. The following table compares available features with and without Loki.
| Feature | With Loki | Without Loki |
|---|---|---|
| Exporters | X | X |
| Multi-tenancy | X | X |
| Complete filtering and aggregations capabilities [1] | X | |
| Partial filtering and aggregations capabilities [2] | X | X |
| Flow-based metrics and dashboards | X | X |
| Traffic flows view overview [3] | X | X |
| Traffic flows view table | X | |
| Topology view | X | X |
| OpenShift Container Platform console Network Traffic tab integration | X | X |
1. Such as per pod.
2. Such as per workload or namespace.
3. Statistics on packet drops are only available with Loki.
4.2. Installing the Loki Operator
The Loki Operator versions 6.0+ are the supported Loki Operator versions for Network Observability; these versions provide the ability to create a LokiStack instance with the openshift-network tenant configuration mode, which provides in-cluster authentication and authorization for network observability.
Prerequisites
- You have administrator permissions.
- You have access to the OpenShift Container Platform web console.
- You have access to a supported object store. For example: AWS S3, Google Cloud Storage, Azure, Swift, Minio, or OpenShift Data Foundation.
Procedure
1. In the OpenShift Container Platform web console, click Operators → OperatorHub.
2. Choose Loki Operator from the list of available Operators, and click Install.
3. Under Installation Mode, select All namespaces on the cluster.
Verification
1. Verify that you installed the Loki Operator. Visit the Operators → Installed Operators page and look for Loki Operator.
2. Verify that Loki Operator is listed with Status as Succeeded in all the projects.
To uninstall Loki, refer to the uninstallation process that corresponds with the method you used to install Loki. You might have remaining ClusterRoles and ClusterRoleBindings, data stored in the object store, and a persistent volume that must be removed.
4.2.1. Creating a secret for Loki storage
The Loki Operator supports a few log storage options, such as AWS S3, Google Cloud Storage, Azure, Swift, Minio, and OpenShift Data Foundation. The following example shows how to create a secret for AWS S3 storage. The secret created in this example, loki-s3, is referenced in "Creating a LokiStack custom resource".
Procedure
1. Using the web console, navigate to the Project → All Projects dropdown and select Create Project.
2. Name the project netobserv and click Create.
3. Navigate to the Import icon, +, in the top right corner. Paste your YAML file into the editor.
   The following shows an example secret YAML file for S3 storage:

   apiVersion: v1
   kind: Secret
   metadata:
     name: loki-s3
     namespace: netobserv   (1)
   stringData:
     access_key_id: AKIAIOSFODNN7EXAMPLE
     access_key_secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     bucketnames: s3-bucket-name
     endpoint: https://s3.eu-central-1.amazonaws.com
     region: eu-central-1

   (1) The installation examples in this documentation use the same namespace, netobserv, across all components. You can optionally use a different namespace for the different components.
   Values under stringData are plaintext; the API server base64-encodes them when it stores the Secret. Do not paste already base64-encoded values (the form used under data) into stringData, or the stored credentials are double-encoded and Loki cannot authenticate to the bucket.
Verification
- After you create the secret, you can view the secret listed under Workloads → Secrets in the web console.
4.2.2. Creating a LokiStack custom resource
You can deploy a LokiStack custom resource (CR) by using the web console or the OpenShift CLI (oc) to create a namespace, or new project.
Procedure
1. Navigate to Operators → Installed Operators, viewing All projects from the Project dropdown.
2. Look for Loki Operator. In the details, under Provided APIs, select LokiStack.
3. Click Create LokiStack.
4. Ensure the following fields are specified in either Form View or YAML view:

   apiVersion: loki.grafana.com/v1
   kind: LokiStack
   metadata:
     name: loki
     namespace: netobserv   (1)
   spec:
     size: 1x.small   (2)
     storage:
       schemas:
       - version: v13
         effectiveDate: '2022-06-01'
       secret:
         name: loki-s3
         type: s3
     storageClassName: gp3   (3)
     tenants:
       mode: openshift-network

   (1) The installation examples in this documentation use the same namespace, netobserv, across all components. You can optionally use a different namespace.
   (2) Specify the deployment size. In the Loki Operator 5.8 and later versions, the supported size options for production instances of Loki are 1x.extra-small, 1x.small, or 1x.medium.
   Important: It is not possible to change the number 1x for the deployment size.
   (3) Use a storage class name that is available on the cluster for ReadWriteOnce access mode. For best performance, specify a storage class that allocates block storage. You can use oc get storageclasses to see what is available on your cluster.
   Important: You must not reuse the same LokiStack CR that is used for logging.
5. Click Create.
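The secret from "Creating a secret for Loki storage" and the LokiStack CR above, rendered from environment variables and applied with oc, as an added example that is not part of the Red Hat documentation or the Loki Operator project. It assumes the object names used on this page (namespace netobserv, secret loki-s3, LokiStack loki, storage class gp3); the environment variable names AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, LOKI_BUCKET, LOKI_S3_ENDPOINT and LOKI_S3_REGION and the function names are this example's own choices. Reading the credentials from the environment keeps the plaintext Secret off disk, the size check rejects anything other than the three supported production sizes before the cluster is touched, and the Secret is created in the same namespace as the LokiStack because the CR references it by name only.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or the Loki Operator project.
# Renders the loki-s3 Secret and the LokiStack CR for network observability from
# environment variables and applies them with oc. The env var names, function
# names and default object names are this example's own choices.

NETOBSERV_NS="${NETOBSERV_NS:-netobserv}"        # namespace shared by all components
LOKI_SECRET_NAME="${LOKI_SECRET_NAME:-loki-s3}"  # storage secret referenced by the LokiStack
LOKISTACK_NAME="${LOKISTACK_NAME:-loki}"         # LokiStack CR name

# Render the S3 storage Secret. Values under stringData are plaintext; the API
# server base64-encodes them on storage. Pasting already base64-encoded values
# here would double-encode them and Loki would authenticate with the wrong key.
render_loki_s3_secret() {
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] \
        || [ -z "${LOKI_BUCKET:-}" ] || [ -z "${LOKI_S3_ENDPOINT:-}" ] \
        || [ -z "${LOKI_S3_REGION:-}" ]; then
        echo "render_loki_s3_secret: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, LOKI_BUCKET, LOKI_S3_ENDPOINT and LOKI_S3_REGION" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${LOKI_SECRET_NAME}
  namespace: ${NETOBSERV_NS}
type: Opaque
stringData:
  access_key_id: ${AWS_ACCESS_KEY_ID}
  access_key_secret: ${AWS_SECRET_ACCESS_KEY}
  bucketnames: ${LOKI_BUCKET}
  endpoint: ${LOKI_S3_ENDPOINT}
  region: ${LOKI_S3_REGION}
EOF
}

# Render the LokiStack CR. Only the three supported production sizes are
# accepted. The storage secret is referenced by name alone, so it lives in the
# same namespace as the LokiStack.
render_lokistack() {
    size="$1"
    storage_class="$2"
    case "$size" in
        1x.extra-small|1x.small|1x.medium) ;;
        *) echo "render_lokistack: unsupported size '$size' (use 1x.extra-small, 1x.small or 1x.medium)" >&2
           return 1 ;;
    esac
    cat <<EOF
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: ${LOKISTACK_NAME}
  namespace: ${NETOBSERV_NS}
spec:
  size: ${size}
  storage:
    schemas:
      - version: v13
        effectiveDate: '2022-06-01'
    secret:
      name: ${LOKI_SECRET_NAME}
      type: s3
  storageClassName: ${storage_class}
  tenants:
    mode: openshift-network
EOF
}

# Create the namespace if needed, apply both manifests, then wait for the
# LokiStack Ready status condition. Usage: deploy_netobserv_loki 1x.small gp3
deploy_netobserv_loki() {
    size="$1"
    storage_class="$2"
    # Validate both manifests first so a bad input leaves nothing behind.
    render_loki_s3_secret >/dev/null || return 1
    render_lokistack "$size" "$storage_class" >/dev/null || return 1
    oc get namespace "${NETOBSERV_NS}" >/dev/null 2>&1 \
        || oc create namespace "${NETOBSERV_NS}" || return 1
    render_loki_s3_secret | oc apply -f - || return 1
    render_lokistack "$size" "$storage_class" | oc apply -f - || return 1
    oc wait --for=condition=Ready "lokistack/${LOKISTACK_NAME}" \
        -n "${NETOBSERV_NS}" --timeout=600s
}
```

Source the file and run deploy_netobserv_loki 1x.small gp3 from a shell logged in with cluster-admin; the final oc wait blocks until the Loki components have started, which takes a few minutes.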
4.2.3. Creating a new group for the cluster-admin user role
Querying application logs for multiple namespaces as a cluster-admin user, where the sum total of characters of all of the namespace names in the cluster is greater than 5120, results in the error Parse error: input size too long (XXXX > 5120). For better control over access to logs in LokiStack, make the cluster-admin user a member of the cluster-admin group. If the cluster-admin group does not exist, create it and add the desired users to it.
Use the following procedure to create a new group for users with cluster-admin permissions.
Procedure
1. Enter the following command to create a new group:
   $ oc adm groups new cluster-admin
2. Enter the following command to add the desired user to the cluster-admin group:
   $ oc adm groups add-users cluster-admin <username>
3. Enter the following command to add the cluster-admin user role to the group:
   $ oc adm policy add-cluster-role-to-group cluster-admin cluster-admin
4.2.4. Custom admin group access
If you need to see cluster-wide logs without necessarily being an administrator, or if you already have any group defined that you want to use here, you can specify a custom group using the adminGroup field. Users who are members of any group specified in the adminGroups field of the LokiStack custom resource (CR) are considered administrators.
Administrator users have access to all network logs across the cluster.
Example LokiStack CR
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: loki
  namespace: netobserv
spec:
  tenants:
    mode: openshift-network
    openshift:
      adminGroups:
      - cluster-admin
      - custom-admin-group
4.2.5. Loki deployment sizing
Sizing for Loki follows the format of 1x.<size>, where the value 1x is the number of instances and <size> specifies performance capabilities.
It is not possible to change the number 1x for the deployment size.
| | 1x.demo | 1x.extra-small | 1x.small | 1x.medium |
|---|---|---|---|---|
| Data transfer | Demo use only | 100GB/day | 500GB/day | 2TB/day |
| Queries per second (QPS) | Demo use only | 1-25 QPS at 200ms | 25-50 QPS at 200ms | 25-75 QPS at 200ms |
| Replication factor | None | 2 | 2 | 2 |
| Total CPU requests | None | 14 vCPUs | 34 vCPUs | 54 vCPUs |
| Total memory requests | None | 31Gi | 67Gi | 139Gi |
| Total disk requests | 40Gi | 430Gi | 430Gi | 590Gi |
4.2.6. LokiStack ingestion limits and health alerts
The LokiStack instance comes with default settings according to the configured size. It is possible to override some of these settings, such as the ingestion and query limits. An automatic alert in the web console notifies you when these limits are reached.
You might want to update the ingestion and query limits if you get Loki errors showing up in the Console plugin, or in the flowlogs-pipeline logs.
Here is an example of configured limits:
spec:
  limits:
    global:
      ingestion:
        ingestionBurstSize: 40
        ingestionRate: 20
        maxGlobalStreamsPerTenant: 25000
      queries:
        maxChunksPerQuery: 2000000
        maxEntriesLimitPerQuery: 10000
        maxQuerySeries: 3000
For more information about these settings, see the LokiStack API reference.
4.3. Installing the Network Observability Operator
You can install the Network Observability Operator using the OpenShift Container Platform web console Operator Hub. When you install the Operator, it provides the FlowCollector custom resource definition (CRD). You can set specifications in the web console when you create the FlowCollector.
The actual memory consumption of the Operator depends on your cluster size and the number of resources deployed. Memory consumption might need to be adjusted accordingly. For more information refer to "Network Observability controller manager pod runs out of memory" in the "Important Flow Collector configuration considerations" section.
Prerequisites
- If you choose to use Loki, install the Loki Operator version 5.7+.
- You must have cluster-admin privileges.
- One of the following supported architectures is required: amd64, ppc64le, arm64, or s390x.
- Any CPU supported by Red Hat Enterprise Linux (RHEL) 9.
- Must be configured with OVN-Kubernetes or OpenShift SDN as the main network plugin, and optionally using secondary interfaces with Multus and SR-IOV.
Additionally, this installation example uses the netobserv namespace, which is used across all components.
Procedure
1. In the OpenShift Container Platform web console, click Operators → OperatorHub.
2. Choose Network Observability Operator from the list of available Operators in the OperatorHub, and click Install.
3. Select the checkbox Enable Operator recommended cluster monitoring on this Namespace.
4. Navigate to Operators → Installed Operators. Under Provided APIs for Network Observability, select the Flow Collector link.
5. Follow the Network Observability FlowCollector setup wizard.
6. Click Create.
Verification
To confirm this was successful, when you navigate to Observe you should see Network Traffic listed in the options.
In the absence of Application Traffic within the OpenShift Container Platform cluster, default filters might show that there are "No results", which results in no visual flow. Beside the filter selections, select Clear all filters to see the flow.
4.4. Enabling multi-tenancy in network observability
Multi-tenancy in the Network Observability Operator allows and restricts individual user access, or group access, to the flows stored in Loki and/or Prometheus. Access is enabled for project administrators. Project administrators who have limited access to some namespaces can access flows for only those namespaces.
For developers, multi-tenancy is available for both Loki and Prometheus but requires different access rights.
Prerequisites
- If you are using Loki, you have installed at least Loki Operator version 5.7.
- You must be logged in as a project administrator.
Procedure
1. For per-tenant access, you must have the netobserv-loki-reader cluster role and the netobserv-metrics-reader namespace role to use the developer perspective. Run the following commands for this level of access:
   $ oc adm policy add-cluster-role-to-user netobserv-loki-reader <user_group_or_name>
   $ oc adm policy add-role-to-user netobserv-metrics-reader <user_group_or_name> -n <namespace>
2. For cluster-wide access, non-cluster-administrators must have the netobserv-loki-reader, cluster-monitoring-view, and netobserv-metrics-reader cluster roles. In this scenario, you can use either the admin perspective or the developer perspective. Run the following commands for this level of access:
   $ oc adm policy add-cluster-role-to-user netobserv-loki-reader <user_group_or_name>
   $ oc adm policy add-cluster-role-to-user cluster-monitoring-view <user_group_or_name>
   $ oc adm policy add-cluster-role-to-user netobserv-metrics-reader <user_group_or_name>
When the subject is a group rather than a user, use the add-cluster-role-to-group and add-role-to-group forms of oc adm policy instead; the -to-user forms bind a user of that name.
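The per-tenant and cluster-wide grants above, wrapped in a shell helper with a matching revoke path, as an added example that is not part of the Red Hat documentation or the Network Observability project. The role names are the ones on this page; the function names, the user/group dispatch and the NETOBSERV_DRY_RUN switch that only prints the oc commands are this example's own. Group subjects are bound with the add-cluster-role-to-group and add-role-to-group forms of oc adm policy, and the revoke path uses the corresponding remove-...-from-user and remove-...-from-group forms, so access handed out for an incident or a project can be withdrawn with the same call.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or the Network Observability
# project. Grants or revokes the per-tenant and cluster-wide network observability
# access levels for a user or a group. Function names and the NETOBSERV_DRY_RUN
# switch are this example's own; the role names come from the documentation.

# Run an oc command, or only print it when NETOBSERV_DRY_RUN=1.
run_oc() {
    echo "oc $*"
    [ "${NETOBSERV_DRY_RUN:-0}" = "1" ] || oc "$@"
}

# Map add|remove and cluster|namespace scope to the oc adm policy verb for a
# user or a group subject; oc has separate verbs for users and groups.
policy_verb() {
    case "$1:$2" in
        add:cluster)      echo "add-cluster-role-to-$3" ;;
        add:namespace)    echo "add-role-to-$3" ;;
        remove:cluster)   echo "remove-cluster-role-from-$3" ;;
        remove:namespace) echo "remove-role-from-$3" ;;
        *) return 1 ;;
    esac
}

# Usage: bind_netobserv_access <add|remove> <tenant|cluster> <user|group> <name> [namespace]
bind_netobserv_access() {
    action="$1"; level="$2"; kind="$3"; name="$4"; ns="${5:-}"
    case "$kind" in
        user|group) ;;
        *) echo "subject kind must be user or group, got '$kind'" >&2; return 1 ;;
    esac
    case "$action" in
        add|remove) ;;
        *) echo "action must be add or remove, got '$action'" >&2; return 1 ;;
    esac
    case "$level" in
        tenant)
            # Developer perspective on one namespace: a cluster-scoped Loki reader
            # binding plus a namespaced metrics-reader binding.
            if [ -z "$ns" ]; then
                echo "tenant access needs a namespace" >&2
                return 1
            fi
            run_oc adm policy "$(policy_verb "$action" cluster "$kind")" netobserv-loki-reader "$name"
            run_oc adm policy "$(policy_verb "$action" namespace "$kind")" netobserv-metrics-reader "$name" -n "$ns"
            ;;
        cluster)
            # Admin or developer perspective across the cluster: all three cluster roles.
            for role in netobserv-loki-reader cluster-monitoring-view netobserv-metrics-reader; do
                run_oc adm policy "$(policy_verb "$action" cluster "$kind")" "$role" "$name"
            done
            ;;
        *) echo "level must be tenant or cluster, got '$level'" >&2; return 1 ;;
    esac
}

# Convenience wrappers, e.g.:
#   grant_netobserv_access tenant group dev-team dev-ns
#   revoke_netobserv_access cluster user alice
grant_netobserv_access()  { bind_netobserv_access add "$@"; }
revoke_netobserv_access() { bind_netobserv_access remove "$@"; }
```

Set NETOBSERV_DRY_RUN=1 first to see the exact oc commands a call would issue; tenant-level access is the least-privilege default, and the cluster-level grant should be reserved for the people who genuinely need every namespace's flows.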
4.6. Installing Kafka (optional)
The Kafka Operator is supported for large scale environments. Kafka provides high-throughput and low-latency data feeds for forwarding network flow data in a more resilient, scalable way. You can install the Kafka Operator as Red Hat AMQ Streams from the Operator Hub, just as the Loki Operator and Network Observability Operator were installed. Refer to "Configuring the FlowCollector resource with Kafka" to configure Kafka as a storage option.
To uninstall Kafka, refer to the uninstallation process that corresponds with the method you used to install.
4.7. Uninstalling the Network Observability Operator
You can uninstall the Network Observability Operator using the OpenShift Container Platform web console Operator Hub, working in the Operators → Installed Operators area.
Procedure
1. Remove the FlowCollector custom resource.
   a. Click Flow Collector, which is next to the Network Observability Operator in the Provided APIs column.
   b. Click the options menu for the cluster and select Delete FlowCollector.
2. Uninstall the Network Observability Operator.
   a. Navigate back to the Operators → Installed Operators area.
   b. Click the options menu next to the Network Observability Operator and select Uninstall Operator.
   c. Navigate to Home → Projects and select openshift-netobserv-operator.
   d. Navigate to Actions and select Delete Project.
3. Remove the FlowCollector custom resource definition (CRD).
   a. Navigate to Administration → CustomResourceDefinitions.
   b. Look for FlowCollector and click the options menu.
   c. Select Delete CustomResourceDefinition.
   Important: The Loki Operator and Kafka remain if they were installed and must be removed separately. Additionally, you might have remaining data stored in an object store, and a persistent volume that must be removed.