SupportConsoleDevelopersStart a trialContact

Chapter 11. Secondary networks

You can configure the Network Observability Operator to collect and enrich network flow data from secondary networks, such as SR-IOV and OVN-Kubernetes.

Prerequisites

  • Access to an OpenShift Container Platform cluster with an additional network interface, such as a secondary interface or an L2 network.

11.1. Configuring monitoring for SR-IOV interface traffic

In order to collect traffic from a cluster with a Single Root I/O Virtualization (SR-IOV) device, you must set the FlowCollector spec.agent.ebpf.privileged field to true. Then, the eBPF agent monitors other network namespaces in addition to the host network namespaces, which are monitored by default. When a pod with a virtual functions (VF) interface is created, a new network namespace is created. With SRIOVNetwork policy IPAM configurations specified, the VF interface is migrated from the host network namespace to the pod network namespace.

Prerequisites

  • Access to an OpenShift Container Platform cluster with a SR-IOV device.
  • The SRIOVNetwork custom resource (CR) spec.ipam configuration must be set with an IP address from the range that the interface lists or from other plugins.

Procedure

  1. In the web console, navigate to Operators Installed Operators.
  2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
  3. Select cluster and then select the YAML tab.

  4. Configure the FlowCollector custom resource. A sample configuration is as follows:

    Configure FlowCollector for SR-IOV monitoring

    apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  namespace: netobserv
  deploymentModel: Direct
  agent:
    type: eBPF
    ebpf:
      privileged: true   1

    1
    The spec.agent.ebpf.privileged field value must be set to true to enable SR-IOV monitoring.

Additional resources

*Creating an additional SR-IOV network attachment with the CNI VRF plugin.

11.2. Configuring virtual machine (VM) secondary network interfaces for Network Observability

You can observe network traffic on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through OVN-Kubernetes. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability.

Procedure

  1. Get information about the virtual machine launcher pod by running the following command. This information is used in Step 5: 

    $ oc get pod virt-launcher-<vm_name>-<suffix> -n <namespace> -o yaml
    apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
        "name": "ovn-kubernetes",
        "interface": "eth0",
        "ips": [
          "10.129.2.39"
        ],
        "mac": "0a:58:0a:81:02:27",
        "default": true,
        "dns": {}
      },
      {
        "name": "my-vms/l2-network",   1
        "interface": "podc0f69e19ba2", 2
        "ips": [                       3
          "10.10.10.15"
        ],
        "mac": "02:fb:f8:00:00:12",    4
        "dns": {}
      }]
  name: virt-launcher-fedora-aqua-fowl-13-zr2x9
  namespace: my-vms
spec:
#  ...
status:
#  ...
    1
    The name of the secondary network.
    2
    The network interface name of the secondary network.
    3
    The list of IPs used by the secondary network.
    4
    The MAC address used for secondary network.
  2. In the web console, navigate to Operators Installed Operators.
  3. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
  4. Select cluster and then select the YAML tab.

  5. Configure FlowCollector based on the information you found from the additional network investigation: 

    apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  agent:
    ebpf:
      privileged: true            1
  processor:
    advanced:
      secondaryNetworks:
      - index:                    2
        - MAC                     3
        name: my-vms/l2-network   4
# ...

    <.> Ensure that the eBPF agent is in privileged mode so that flows are collected for secondary interfaces. <.> Define the fields to use for indexing the virtual machine launcher pods. It is recommended to use the MAC address as the indexing field to get network flows enrichment for secondary interfaces. If you have overlapping MAC address between pods, then additional indexing fields, such as IP and Interface, could be added to have accurate enrichment. <.> If your additional network information has a MAC address, add MAC to the field list. <.> Specify the name of the network found in the k8s.v1.cni.cncf.io/network-status annotation. Usually <namespace>/<network_attachement_definition_name>.

  6. Observe VM traffic:

    1. Navigate to the Network Traffic page.
    2. Filter by Source IP using your virtual machine IP found in k8s.v1.cni.cncf.io/network-status annotation.
    3. View both Source and Destination fields, which should be enriched, and identify the VM launcher pods and the VM instance as owners.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.