Network Observability

• RHEA-2025:22761 Network Observability Operator 1.10.1

• CVE-2025-47907

• RHEA-2025:19153 Network Observability Operator 1.10

• RHEA-2025:15780 Network Observability Operator 1.9.3

• RHEA-2025:14150 Network Observability Operator 1.9.2

• Before this update, OpenShift Container Platform versions 4.15 and earlier did not support the

  TC_ATTACH_MODE

  configuration. This led to command-line interface (CLI) errors and prevented the observation of packets and flows. With this release, the Traffic Control eXtension (TCX) hook attachment mode has been adjusted for these older versions. This eliminates

  tcx

  hook errors and enables flow and packet observation.

• 2025:12024 Network Observability Operator 1.9.1

• Before this update, network flows were not observed on OpenShift Container Platform 4.15 due to an incorrect attach mode setting. This stopped users from monitoring network flows correctly, especially with certain catalogs. With this release, the default attach mode for OpenShift Container Platform versions older than 4.16.0 is set to

  tc

  , so flows are now observed on OpenShift Container Platform 4.15. (NETOBSERV-2333)
• Before this update, if an IPFIX collector restarted, configuring an IPFIX exporter could lose its connection and stop sending network flows to the collector. With this release, the connection is restored, and network flows continue to be sent to the collector. (NETOBSERV-2315)
• Before this update, when you configured an IPFIX exporter, flows without port information (such as ICMP traffic) were ignored, which caused errors in logs. TCP flags and ICMP data were also missing from IPFIX exports. With this release, these details are now included. Missing fields (like ports) no longer cause errors and are part of the exported data. (NETOBSERV-2307)
• Before this update, the User Defined Networks (UDN) Mapping feature showed a configuration issue and warning on OpenShift Container Platform 4.18 because the OpenShift version was incorrectly set in the code. This impacted the user experience. With this release, UDN Mapping now supports OpenShift Container Platform 4.18 without warnings, making the user experience smooth. (NETOBSERV-2305)
• Before this update, the expand function on the Network Traffic page had compatibility problems with OpenShift Container Platform Console 4.19. This resulted in empty menu space when expanding and an inconsistent user interface. With this release, the compatibility problem in the

  NetflowTraffic

  part and

  theme hook

  is resolved. The side menu in the Network Traffic view is now properly managed, which improves how you interact with the user interface. (NETOBSERV-2304)

• Network Observability Operator 1.9

• The

  NetworkEvents

  feature in network observability 1.9 has been updated to work with the newer Linux kernel of OpenShift Container Platform 4.19. This update breaks compatibility with older kernels. As a result, the

  NetworkEvents

  feature can only be used with OpenShift Container Platform 4.19. If you are using this feature with network observability 1.8 and OpenShift Container Platform 4.18, consider avoiding a network observability upgrade or upgrade to network observability 1.9 and OpenShift Container Platform to 4.19.
• The

  netobserv-reader

  cluster role has been renamed to

  netobserv-loki-reader

  .
• Improved CPU performance of the eBPF agents.

• CVE-2025-26791

• Previously, when filtering by source or destination IP from the console plugin, using a Classless Inter-Domain Routing (CIDR) notation such as

  10.128.0.0/24

  did not work, returning results that should be filtered out. With this update, it is now possible to use a CIDR notation, with the results being filtered as expected. (NETOBSERV-2276)
• Previously, network flows might have incorrectly identified the network interfaces in use, especially with a risk of mixing up

  eth0

  and

  ens5

  . This issue only occurred when the eBPF agents were configured as

  Privileged

  . With this update, it has been fixed partially, and almost all network interfaces are correctly identified. Refer to the known issues below for more details. (NETOBSERV-2257)
• Previously, when the Operator checked for available Kubernetes APIs in order to adapt its behavior, if there was a stale API, this resulted in an error that prevented the Operator from starting normally. With this update, the Operator ignores error on unrelated APIs, logs errors on related APIs, and continues to run normally. (NETOBSERV-2240)
• Previously, users could not sort flows by Bytes or Packets in the Traffic flows view of the Console plugin. With this update, users can sort flows by Bytes and Packets. (NETOBSERV-2239)
• Previously, when configuring the

  FlowCollector

  resource with an IPFIX exporter, MAC addresses in the IPFIX flows were truncated to their 2 first bytes. With this update, MAC addresses are fully represented in the IPFIX flows. (NETOBSERV-2208)
• Previously, some of the warnings sent from the Operator validation webhook could lack clarity on what needed to be done. With this update, some of these messages have been reviewed and amended to make them more actionable. (NETOBSERV-2178)
• Previously, it was not obvious to figure out there was an issue when referencing a

  LokiStack

  from the

  FlowCollector

  resource, such as in case of typing error. With this update, the

  FlowCollector

  status clearly states that the referenced

  LokiStack

  is not found in that case. (NETOBSERV-2174)
• Previously, in the console plugin Traffic flows view, in case of text overflow, text ellipses sometimes hid much of the text to be displayed. With this update, it displays as much text as possible. (NETOBSERV-2119)
• Previously, the console plugin for network observability 1.8.1 and earlier did not work with the OpenShift Container Platform 4.19 web console, making the Network Traffic page inaccessible. With this update, the console plugin is compatible and the Network Traffic page is accessible in network observability 1.9.0. (NETOBSERV-2046)
• Previously, when using conversation tracking (

  logTypes: Conversations

  or

  logTypes: All

  in the

  FlowCollector

  resource), the Traffic rates metrics visible in the dashboards were flawed, wrongly showing an out-of-control increase in traffic. Now, the metrics show more accurate traffic rates. However, note that in

  Conversations

  and

  EndedConversations

  modes, these metrics are still not completely accurate as they do not include long-standing connections. This information has been added to the documentation. The default mode

  logTypes: Flows

  is recommended to avoid these inaccuracy. (NETOBSERV-1955)

• The user-defined network (UDN) feature displays a configuration issue and a warning when used with OpenShift Container Platform 4.18, even though it is supported. This warning can be ignored. (NETOBSERV-2305)
• In some rare cases, the eBPF agent is unable to appropriately correlate flows with the involved interfaces when running in

  privileged

  modes with several network namespaces. A large part of these issues have been identified and resolved in this release, but some inconsistencies remain, especially with the

  ens5

  interface. (NETOBSERV-2287)

• CVE-2024-56171
• CVE-2025-24928

• This fix ensures that the Observe menu appears only once in future versions of OpenShift Container Platform. (NETOBSERV-2139)

• Network Observability Operator 1.8.0

• Previously, the Network Observability Operator came with a "kube-rbac-proxy" container to manage RBAC for its metrics server. Since this external component is deprecated, it was necessary to remove it. It is now replaced with direct TLS and RBAC management through Kubernetes controller-runtime, without the need for a side-car proxy. (NETOBSERV-1999)
• Previously in the OpenShift Container Platform console plugin, filtering on a key that was not equal to multiple values would not filter anything. With this fix, the expected results are returned, which is all flows not having any of the filtered values. (NETOBSERV-1990)
• Previously in the OpenShift Container Platform console plugin with disabled Loki, it was very likely to generate a "Can’t build query" error due to selecting an incompatible set of filters and aggregations. Now this error is avoided avoid by automatically disabling incompatible filters while still making the user aware of the filter incompatibility. (NETOBSERV-1977)
• Previously, when viewing flow details from the console plugin, the ICMP info was always displayed in the side panel, showing "undefined" values for non-ICMP flows. With this fix, ICMP info is not displayed for non-ICMP flows. (NETOBSERV-1969)
• Previously, the "Export data" link from the Traffic flows view did not work as intended, generating empty CSV reports. Now, the export feature is restored, generating non-empty CSV data. (NETOBSERV-1958)
• Previously, it was possible to configure the

  FlowCollector

  with

  processor.logTypes

  Conversations

  ,

  EndedConversations

  or

  All

  with

  loki.enable

  set to

  false

  , despite the conversation logs being only useful when Loki is enabled. This resulted in resource usage waste. Now, this configuration is invalid and is rejected by the validation webhook. (NETOBSERV-1957)
• Configuring the

  FlowCollector

  with

  processor.logTypes

  set to

  All

  consumes much more resources, such as CPU, memory and network bandwidth, than the other options. This was previously not documented. It is now documented, and triggers a warning from the validation webhook. (NETOBSERV-1956)
• Previously, under high stress, some flows generated by the eBPF agent were mistakenly dismissed, resulting in traffic bandwidth under-estimation. Now, those generated flows are not dismissed. (NETOBSERV-1954)
• Previously, when enabling the network policy in the

  FlowCollector

  configuration, the traffic to the Operator webhooks was blocked, breaking the

  FlowMetrics

  API validation. Now traffic to the webhooks is allowed. (NETOBSERV-1934)
• Previously, when deploying the default network policy, namespaces

  openshift-console

  and

  openshift-monitoring

  were set by default in the

  additionalNamespaces

  field, resulting in duplicated rules. Now there is no additional namespace set by default, which helps avoid getting duplicated rules.(NETOBSERV-1933)
• Previously from the OpenShift Container Platform console plugin, filtering on TCP flags would match flows having only the exact desired flag. Now, any flow having at least the desired flag appears in filtered flows. (NETOBSERV-1890)
• When the eBPF agent runs in privileged mode and pods are continuously added or deleted, a file descriptor (FD) leak occurs. The fix ensures proper closure of the FD when a network namespace is deleted. (NETOBSERV-2063)
• Previously, the CLI agent

  DaemonSet

  did not deploy on master nodes. Now, a toleration is added on the agent

  DaemonSet

  to schedule on every node when taints are set. Now, CLI agent

  DaemonSet

  pods run on all nodes. (NETOBSERV-2030)
• Previously, the Source Resource and Source Destination filters autocomplete were not working when using Prometheus storage only. Now this issue is fixed and suggestions displays as expected. (NETOBSERV-1885)
• Previously, a resource using multiple IPs was displayed separately in the Topology view. Now, the resource shows as a single topology node in the view. (NETOBSERV-1818)
• Previously, the console refreshed the Network traffic table view contents when the mouse pointer hovered over the columns. Now, the display is fixed, so row height remains constant with a mouse hover. (NETOBSERV-2049)

• If there is traffic that uses overlapping subnets in your cluster, there is a small risk that the eBPF Agent mixes up the flows from overlapped IPs. This can happen if different connections happen to have the exact same source and destination IPs and if ports and protocol are within a 5 seconds time frame and happening on the same node. This should not be possible unless you configured secondary networks or UDN. Even in that case, it is still very unlikely in usual traffic, as source ports are usually a good differentiator. (NETOBSERV-2115)
• After selecting a type of exporter to configure in the

  FlowCollector

  resource

  spec.exporters

  section from the OpenShift Container Platform web console form view, the detailed configuration for that type does not show up in the form. The workaround is to configure directly the YAML. (NETOBSERV-1981)

• Network Observability Operator 1.7.0

• Previously, when using a RHEL 9.2 real-time kernel, some of the webhooks did not work. Now, a fix is in place to check whether this RHEL 9.2 real-time kernel is being used. If the kernel is being used, a warning is displayed about the features that do not work, such as packet drop and neither Round-trip Time when using

  s390x

  architecture. The fix is in OpenShift 4.16 and later. (NETOBSERV-1808)
• Previously, in the Manage panels dialog in the Overview tab, filtering on total, bar, donut, or line did not show a result. Now the available panels are correctly filtered. (NETOBSERV-1540)
• Previously, under high stress, the eBPF agents were susceptible to enter into a state where they generated a high number of small flows, almost not aggregated. With this fix, the aggregation process is still maintained under high stress, resulting in less flows being created. This fix improves the resource consumption not only in the eBPF agent but also in

  flowlogs-pipeline

  and Loki. (NETOBSERV-1564)
• Previously, when the

  workload_flows_total

  metric was enabled instead of the

  namespace_flows_total

  metric, the health dashboard stopped showing

  By namespace

  flow charts. With this fix, the health dashboard now shows the flow charts when the

  workload_flows_total

  is enabled. (NETOBSERV-1746)
• Previously, when you used the

  FlowMetrics

  API to generate a custom metric and later modified its labels, such as by adding a new label, the metric stopped populating and an error was shown in the

  flowlogs-pipeline

  logs. With this fix, you can modify the labels, and the error is no longer raised in the

  flowlogs-pipeline

  logs. (NETOBSERV-1748)
• Previously, there was an inconsistency with the default Loki

  WriteBatchSize

  configuration: it was set to 100 KB in the

  FlowCollector

  CRD default, and 10 MB in the OLM sample or default configuration. Both are now aligned to 10 MB, which generally provides better performances and less resource footprint. (NETOBSERV-1766)
• Previously, the eBPF flow filter on ports was ignored if you did not specify a protocol. With this fix, you can set eBPF flow filters independently on ports and or protocols. (NETOBSERV-1779)
• Previously, traffic from Pods to Services was hidden from the Topology view. Only the return traffic from Services to Pods was visible. With this fix, that traffic is correctly displayed. (NETOBSERV-1788)
• Previously, non-cluster administrator users that had access to Network Observability saw an error in the console plugin when they tried to filter for something that triggered auto-completion, such as a namespace. With this fix, no error is displayed, and the auto-completion returns the expected results. (NETOBSERV-1798)
• When the secondary interface support was added, you had to iterate multiple times to register the per network namespace with the netlink to learn about interface notifications. At the same time, unsuccessful handlers caused a leaking file descriptor because with TCX hook, unlike TC, handlers needed to be explicitly removed when the interface went down. Furthermore, when the network namespace was deleted, there was no Go close channel event to terminate the netlink goroutine socket, which caused go threads to leak. Now, there are no longer leaking file descriptors or go threads when you create or delete pods. (NETOBSERV-1805)
• Previously, the ICMP type and value were displaying 'n/a' in the Traffic flows table even when related data was available in the flow JSON. With this fix, ICMP columns display related values as expected in the flow table. (NETOBSERV-1806)
• Previously in the console plugin, it wasn’t always possible to filter for unset fields, such as unset DNS latency. With this fix, filtering on unset fields is now possible. (NETOBSERV-1816)
• Previously, when you cleared filters in the OpenShift web console plugin, sometimes the filters reappeared after you navigated to another page and returned to the page with filters. With this fix, filters do not unexpectedly reappear after they are cleared. (NETOBSERV-1733)

• When you use the must-gather tool with network observability, logs are not collected when the cluster has FIPS enabled. (NETOBSERV-1830)

• When the

  spec.networkPolicy

  is enabled in the

  FlowCollector

  , which installs a network policy on the

  netobserv

  namespace, it is impossible to use the

  FlowMetrics

  API. The network policy blocks calls to the validation webhook. As a workaround, use the following network policy:

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: allow-from-hostnetwork
    namespace: netobserv
  spec:
    podSelector:
      matchLabels:
        app: netobserv-operator
    ingress:
      - from:
          - namespaceSelector:
              matchLabels:
                policy-group.network.openshift.io/host-network: ''
    policyTypes:
      - Ingress

  (NETOBSERV-193)

• 2024:7074 Network Observability Operator 1.6.2

• CVE-2024-24791

• When the secondary interface support was added, there was a need to iterate multiple times to register the per network namespace with the netlink to learn about interface notifications. At the same time, unsuccessful handlers caused a leaking file descriptor because with TCX hook, unlike TC, handlers needed to be explicitly removed when the interface went down. Now, there are no longer leaking file descriptors when creating and deleting pods. (NETOBSERV-1805)

• There was a compatibility issue with console plugins that would have prevented network observability from being installed on future versions of an OpenShift Container Platform cluster. By upgrading to 1.6.2, the compatibility issue is resolved and network observability can be installed as expected. (NETOBSERV-1737)

• 2024:4785 Network Observability Operator 1.6.1

• RHSA-2024:4237
• RHSA-2024:4212

• Previously, information about packet drops, such as the cause and TCP state, was only available in the Loki datastore and not in Prometheus. For that reason, the drop statistics in the OpenShift web console plugin Overview was only available with Loki. With this fix, information about packet drops is also added to metrics, so you can view drops statistics when Loki is disabled. (NETOBSERV-1649)
• When the eBPF agent

  PacketDrop

  feature was enabled, and sampling was configured to a value greater than

  1

  , reported dropped bytes and dropped packets ignored the sampling configuration. While this was done on purpose, so as not to miss any drops, a side effect was that the reported proportion of drops compared with non-drops became biased. For example, at a very high sampling rate, such as

  1:1000

  , it was likely that almost all the traffic appears to be dropped when observed from the console plugin. With this fix, the sampling configuration is honored with dropped bytes and packets. (NETOBSERV-1676)
• Previously, the SR-IOV secondary interface was not detected if the interface was created first and then the eBPF agent was deployed. It was only detected if the agent was deployed first and then the SR-IOV interface was created. With this fix, the SR-IOV secondary interface is detected no matter the sequence of the deployments. (NETOBSERV-1697)
• Previously, when Loki was disabled, the Topology view in the OpenShift web console displayed the Cluster and Zone aggregation options in the slider beside the network topology diagram, even when the related features were not enabled. With this fix, the slider now only displays options according to the enabled features. (NETOBSERV-1705)
• Previously, when Loki was disabled, and the OpenShift web console was first loading, an error would occur:

  Request failed with status code 400 Loki is disabled

  . With this fix, the errors no longer occur. (NETOBSERV-1706)
• Previously, in the Topology view of the OpenShift web console, when clicking on the Step into icon next to any graph node, the filters were not applied as required in order to set the focus to the selected graph node, resulting in showing a wide view of the Topology view in the OpenShift web console. With this fix, the filters are correctly set, effectively narrowing down the Topology. As part of this change, clicking the Step into icon on a Node now brings you to the Resource scope instead of the Namespaces scope. (NETOBSERV-1720)
• Previously, when Loki was disabled, in the Topology view of the OpenShift web console with the Scope set to Owner, clicking on the Step into icon next to any graph node would bring the Scope to Resource, which is not available without Loki, so an error message was shown. With this fix, the Step into icon is hidden in the Owner scope when Loki is disabled, so this scenario no longer occurs. (NETOBSERV-1721)
• Previously, when Loki was disabled, an error was displayed in the Topology view of the OpenShift web console when a group was set, but then the scope was changed so that the group becomes invalid. With this fix, the invalid group is removed, preventing the error. (NETOBSERV-1722)
• When creating a

  FlowCollector

  resource from the OpenShift web console Form view, as opposed to the YAML view, the following settings were incorrectly managed by the web console:

  agent.ebpf.metrics.enable

  and

  processor.subnetLabels.openShiftAutoDetect

  . These settings can only be disabled in the YAML view, not in the Form view. To avoid any confusion, these settings have been removed from the Form view. They are still accessible in the YAML view. (NETOBSERV-1731)
• Previously, the eBPF agent was unable to clean up traffic control flows installed before an ungraceful crash, for example a crash due to a SIGTERM signal. This led to the creation of multiple traffic control flow filters with the same name, since the older ones were not removed. With this fix, all previously installed traffic control flows are cleaned up when the agent starts, before installing new ones. (NETOBSERV-1732)
• Previously, when configuring custom subnet labels and keeping the OpenShift subnets auto-detection enabled, OpenShift subnets would take precedence over the custom ones, preventing the definition of custom labels for in cluster subnets. With this fix, custom defined subnets take precedence, allowing the definition of custom labels for in cluster subnets. (NETOBSERV-1734)

• Network Observability Operator 1.6.0

• Previously, a dead link to the OpenShift Container Platform documentation was displayed in the Operator Lifecycle Manager (OLM) form for the

  FlowMetrics

  API creation. Now the link has been updated to point to a valid page. (NETOBSERV-1607)
• Previously, the Network Observability Operator description in the Operator Hub displayed a broken link to the documentation. With this fix, this link is restored. (NETOBSERV-1544)
• Previously, if Loki was disabled and the Loki

  Mode

  was set to

  LokiStack

  , or if Loki manual TLS configuration was configured, the Network Observability Operator still tried to read the Loki CA certificates. With this fix, when Loki is disabled, the Loki certificates are not read, even if there are settings in the Loki configuration. (NETOBSERV-1647)
• Previously, the

  oc

  must-gather

  plugin for the Network Observability Operator was only working on the

  amd64

  architecture and failing on all others because the plugin was using

  amd64

  for the

  oc

  binary. Now, the Network Observability Operator

  oc

  must-gather

  plugin collects logs on any architecture platform.
• Previously, when filtering on IP addresses using

  not equal to

  , the Network Observability Operator would return a request error. Now, the IP filtering works in both

  equal

  and

  not equal to

  cases for IP addresses and ranges. (NETOBSERV-1630)
• Previously, when a user was not an admin, the error messages were not consistent with the selected tab of the Network Traffic view in the web console. Now, the

  user not admin

  error displays on any tab with improved display.(NETOBSERV-1621)

• When the eBPF agent

  PacketDrop

  feature is enabled, and sampling is configured to a value greater than

  1

  , reported dropped bytes and dropped packets ignore the sampling configuration. While this is done on purpose to not miss any drops, a side effect is that the reported proportion of drops compared to non-drops becomes biased. For example, at a very high sampling rate, such as

  1:1000

  , it is likely that almost all the traffic appears to be dropped when observed from the console plugin. (NETOBSERV-1676)
• In the Manage panels window in the Overview tab, filtering on total, bar, donut, or line does not show any result. (NETOBSERV-1540)
• The SR-IOV secondary interface is not detected if the interface was created first and then the eBPF agent was deployed. It is only detected if the agent was deployed first and then the SR-IOV interface is created. (NETOBSERV-1697)
• When Loki is disabled, the Topology view in the OpenShift web console always shows the Cluster and Zone aggregation options in the slider beside the network topology diagram, even when the related features are not enabled. There is no specific workaround, besides ignoring these slider options. (NETOBSERV-1705)
• When Loki is disabled, and the OpenShift web console first loads, it might display an error:

  Request failed with status code 400 Loki is disabled

  . As a workaround, you can continue switching content on the Network Traffic page, such as clicking between the Topology and the Overview tabs. The error should disappear. (NETOBSERV-1706)

• Previously, it was not possible to register the console plugin manually in the web console interface if the automatic registration of the console plugin was disabled. If the

  spec.console.register

  value was set to

  false

  in the

  FlowCollector

  resource, the Operator would override and erase the plugin registration. With this fix, setting the

  spec.console.register

  value to

  false

  does not impact the console plugin registration or registration removal. As a result, the plugin can be safely registered manually. (NETOBSERV-1134)
• Previously, using the default metrics settings, the NetObserv/Health dashboard was showing an empty graph named Flows Overhead. This metric was only available by removing "namespaces-flows" and "namespaces" from the

  ignoreTags

  list. With this fix, this metric is visible when you use the default metrics setting. (NETOBSERV-1351)
• Previously, the node on which the eBPF Agent was running would not resolve with a specific cluster configuration. This resulted in cascading consequences that culminated in a failure to provide some of the traffic metrics. With this fix, the eBPF agent’s node IP is safely provided by the Operator, inferred from the pod status. Now, the missing metrics are restored. (NETOBSERV-1430)
• Previously, the Loki error 'Input size too long' error for the Loki Operator did not include additional information to troubleshoot the problem. With this fix, help is directly displayed in the web console next to the error with a direct link for more guidance. (NETOBSERV-1464)
• Previously, the console plugin read timeout was forced to 30s. With the

  FlowCollector

  v1beta2

  API update, you can configure the

  spec.loki.readTimeout

  specification to update this value according to the Loki Operator

  queryTimeout

  limit. (NETOBSERV-1443)
• Previously, the Operator bundle did not display some of the supported features by CSV annotations as expected, such as

  features.operators.openshift.io/…​

  With this fix, these annotations are set in the CSV as expected. (NETOBSERV-1305)
• Previously, the

  FlowCollector

  status sometimes oscillated between

  DeploymentInProgress

  and

  Ready

  states during reconciliation. With this fix, the status only becomes

  Ready

  when all of the underlying components are fully ready. (NETOBSERV-1293)

• When trying to access the web console, cache issues on OCP 4.14.10 prevent access to the Observe view. The web console shows the error message:

  Failed to get a valid plugin manifest from /api/plugins/monitoring-plugin/

  . The recommended workaround is to update the cluster to the latest minor version. If this does not work, you need to apply the workarounds described in this Red Hat Knowledgebase article.(NETOBSERV-1493)
• Since the 1.3.0 release of the Network Observability Operator, installing the Operator causes a warning kernel taint to appear. The reason for this error is that the network observability eBPF agent has memory constraints that prevent preallocating the entire hashmap table. The Operator eBPF agent sets the

  BPF_F_NO_PREALLOC

  flag so that pre-allocation is disabled when the hashmap is too memory expansive.

• 2023:6787 Network Observability Operator 1.4.2

• 2023-39325
• 2023-44487

• 2023:5974 Network Observability Operator 1.4.1

• 2023-44487
• 2023-39325
• 2023-29406
• 2023-29409
• 2023-39322
• 2023-39318
• 2023-39319
• 2023-39321

• In 1.4, there was a known issue when sending network flow data to Kafka. The Kafka message key was ignored, causing an error with connection tracking. Now the key is used for partitioning, so each flow from the same connection is sent to the same processor. (NETOBSERV-926)
• In 1.4, the

  Inner

  flow direction was introduced to account for flows between pods running on the same node. Flows with the

  Inner

  direction were not taken into account in the generated Prometheus metrics derived from flows, resulting in under-evaluated bytes and packets rates. Now, derived metrics are including flows with the

  Inner

  direction, providing correct bytes and packets rates. (NETOBSERV-1344)

• RHSA-2023:5379 Network Observability Operator 1.4.0

• Previously, the Prometheus metrics exported by network observability were computed out of potentially duplicated network flows. In the related dashboards, from Observe → Dashboards, this could result in potentially doubled rates. Note that dashboards from the Network Traffic view were not affected. Now, network flows are filtered to eliminate duplicates before metrics calculation, which results in correct traffic rates displayed in the dashboards. (NETOBSERV-1131)
• Previously, the Network Observability Operator agents were not able to capture traffic on network interfaces when configured with Multus or SR-IOV, non-default network namespaces. Now, all available network namespaces are recognized and used for capturing flows, allowing capturing traffic for SR-IOV. There are configurations needed for the

  FlowCollector

  and

  SRIOVnetwork

  custom resource to collect traffic. (NETOBSERV-1283)

• Previously, in the Network Observability Operator details from Operators → Installed Operators, the

  FlowCollector

  Status field might have reported incorrect information about the state of the deployment. The status field now shows the proper conditions with improved messages. The history of events is kept, ordered by event date. (NETOBSERV-1224)
• Previously, during spikes of network traffic load, certain eBPF pods were OOM-killed and went into a

  CrashLoopBackOff

  state. Now, the

  eBPF

  agent memory footprint is improved, so pods are not OOM-killed and entering a

  CrashLoopBackOff

  state. (NETOBSERV-975)
• Previously when

  processor.metrics.tls

  was set to

  PROVIDED

  the

  insecureSkipVerify

  option value was forced to be

  true

  . Now you can set

  insecureSkipVerify

  to

  true

  or

  false

  , and provide a CA certificate if needed. (NETOBSERV-1087)

• Since the 1.2.0 release of the Network Observability Operator, using Loki Operator 5.6, a Loki certificate change periodically affects the

  flowlogs-pipeline

  pods and results in dropped flows rather than flows written to Loki. The problem self-corrects after some time, but it still causes temporary flow data loss during the Loki certificate change. This issue has only been observed in large-scale environments of 120 nodes or greater. (NETOBSERV-980)
• Currently, when

  spec.agent.ebpf.features

  includes DNSTracking, larger DNS packets require the

  eBPF

  agent to look for DNS header outside of the 1st socket buffer (SKB) segment. A new

  eBPF

  agent helper function needs to be implemented to support it. Currently, there is no workaround for this issue. (NETOBSERV-1304)
• Currently, when

  spec.agent.ebpf.features

  includes DNSTracking, DNS over TCP packets requires the

  eBPF

  agent to look for DNS header outside of the 1st SKB segment. A new

  eBPF

  agent helper function needs to be implemented to support it. Currently, there is no workaround for this issue. (NETOBSERV-1245)
• Currently, when using a

  KAFKA

  deployment model, if conversation tracking is configured, conversation events might be duplicated across Kafka consumers, resulting in inconsistent tracking of conversations, and incorrect volumetric data. For that reason, it is not recommended to configure conversation tracking when

  deploymentModel

  is set to

  KAFKA

  . (NETOBSERV-926)
• Currently, when the

  processor.metrics.server.tls.type

  is configured to use a

  PROVIDED

  certificate, the operator enters an unsteady state that might affect its performance and resource consumption. It is recommended to not use a

  PROVIDED

  certificate until this issue is resolved, and instead using an auto-generated certificate, setting

  processor.metrics.server.tls.type

  to

  AUTO

  . (NETOBSERV-1293
• Since the 1.3.0 release of the Network Observability Operator, installing the Operator causes a warning kernel taint to appear. The reason for this error is that the network observability eBPF agent has memory constraints that prevent preallocating the entire hashmap table. The Operator eBPF agent sets the

  BPF_F_NO_PREALLOC

  flag so that pre-allocation is disabled when the hashmap is too memory expansive.

• RHSA-2023:3905 Network Observability Operator 1.3.0

• Previously, when the Operator was installed from the CLI, the

  Role

  and

  RoleBinding

  that are necessary for the Cluster Monitoring Operator to read the metrics were not installed as expected. The issue did not occur when the operator was installed from the web console. Now, either way of installing the Operator installs the required

  Role

  and

  RoleBinding

  . (NETOBSERV-1003)
• Since version 1.2, the Network Observability Operator can raise alerts when a problem occurs with the flows collection. Previously, due to a bug, the related configuration to disable alerts,

  spec.processor.metrics.disableAlerts

  was not working as expected and sometimes ineffectual. Now, this configuration is fixed so that it is possible to disable the alerts. (NETOBSERV-976)
• Previously, when network observability was configured with

  spec.loki.authToken

  set to

  DISABLED

  , only a

  kubeadmin

  cluster administrator was able to view network flows. Other types of cluster administrators received authorization failure. Now, any cluster administrator is able to view network flows. (NETOBSERV-972)
• Previously, a bug prevented users from setting

  spec.consolePlugin.portNaming.enable

  to

  false

  . Now, this setting can be set to

  false

  to disable port-to-service name translation. (NETOBSERV-971)
• Previously, the metrics exposed by the console plugin were not collected by the Cluster Monitoring Operator (Prometheus), due to an incorrect configuration. Now the configuration has been fixed so that the console plugin metrics are correctly collected and accessible from the OpenShift Container Platform web console. (NETOBSERV-765)
• Previously, when

  processor.metrics.tls

  was set to

  AUTO

  in the

  FlowCollector

  , the

  flowlogs-pipeline servicemonitor

  did not adapt the appropriate TLS scheme, and metrics were not visible in the web console. Now the issue is fixed for AUTO mode. (NETOBSERV-1070)
• Previously, certificate configuration, such as used for Kafka and Loki, did not allow specifying a namespace field, implying that the certificates had to be in the same namespace where network observability is deployed. Moreover, when using Kafka with TLS/mTLS, the user had to manually copy the certificate(s) to the privileged namespace where the

  eBPF

  agent pods are deployed and manually manage certificate updates, such as in the case of certificate rotation. Now, network observability setup is simplified by adding a namespace field for certificates in the

  FlowCollector

  resource. As a result, users can now install Loki or Kafka in different namespaces without needing to manually copy their certificates in the network observability namespace. The original certificates are watched so that the copies are automatically updated when needed. (NETOBSERV-773)
• Previously, the SCTP, ICMPv4 and ICMPv6 protocols were not covered by the network observability agents, resulting in a less comprehensive network flows coverage. These protocols are now recognized to improve the flows coverage. (NETOBSERV-934)

• When

  processor.metrics.tls

  is set to

  PROVIDED

  in the

  FlowCollector

  , the

  flowlogs-pipeline

  servicemonitor

  is not adapted to the TLS scheme. (NETOBSERV-1087)
• Since the 1.2.0 release of the Network Observability Operator, using Loki Operator 5.6, a Loki certificate change periodically affects the

  flowlogs-pipeline

  pods and results in dropped flows rather than flows written to Loki. The problem self-corrects after some time, but it still causes temporary flow data loss during the Loki certificate change. This issue has only been observed in large-scale environments of 120 nodes or greater.(NETOBSERV-980)
• When you install the Operator, a warning kernel taint can appear. The reason for this error is that the network observability eBPF agent has memory constraints that prevent preallocating the entire hashmap table. The Operator eBPF agent sets the

  BPF_F_NO_PREALLOC

  flag so that pre-allocation is disabled when the hashmap is too memory expansive.

• RHSA-2023:1817 Network Observability Operator 1.2.0

• Previously, after changing the

  namespace

  value in the FlowCollector spec,

  eBPF

  agent pods running in the previous namespace were not appropriately deleted. Now, the pods running in the previous namespace are appropriately deleted. (NETOBSERV-774)
• Previously, after changing the

  caCert.name

  value in the FlowCollector spec (such as in Loki section), FlowLogs-Pipeline pods and Console plug-in pods were not restarted, therefore they were unaware of the configuration change. Now, the pods are restarted, so they get the configuration change. (NETOBSERV-772)
• Previously, network flows between pods running on different nodes were sometimes not correctly identified as being duplicates because they are captured by different network interfaces. This resulted in over-estimated metrics displayed in the console plug-in. Now, flows are correctly identified as duplicates, and the console plug-in displays accurate metrics. (NETOBSERV-755)
• The "reporter" option in the console plug-in is used to filter flows based on the observation point of either source node or destination node. Previously, this option mixed the flows regardless of the node observation point. This was due to network flows being incorrectly reported as Ingress or Egress at the node level. Now, the network flow direction reporting is correct. The "reporter" option filters for source observation point, or destination observation point, as expected. (NETOBSERV-696)
• Previously, for agents configured to send flows directly to the processor as gRPC+protobuf requests, the submitted payload could be too large and is rejected by the processors' GRPC server. This occurred under very-high-load scenarios and with only some configurations of the agent. The agent logged an error message, such as: grpc: received message larger than max. As a consequence, there was information loss about those flows. Now, the gRPC payload is split into several messages when the size exceeds a threshold. As a result, the server maintains connectivity. (NETOBSERV-617)

• In the 1.2.0 release of the Network Observability Operator, using Loki Operator 5.6, a Loki certificate transition periodically affects the

  flowlogs-pipeline

  pods and results in dropped flows rather than flows written to Loki. The problem self-corrects after some time, but it still causes temporary flow data loss during the Loki certificate transition. (NETOBSERV-980)

• NETOBSERV-907
• NETOBSERV-956

• RHSA-2023:0786 Network Observability Operator Security Advisory Update

• Previously, unless the Loki

  authToken

  configuration was set to

  FORWARD

  mode, authentication was not enforced, allowing unauthorized users to retrieve flows. Now, regardless of the Loki

  authToken

  mode, only cluster administrators can retrieve flows. (BZ#2169468)

Verification

• Once you create the secret, you should see it listed under Workloads → Secrets in the web console.

• Extra small: 10-node cluster, 4 vCPUs and 16 GiB memory per worker,

  LokiStack

  size

  1x.extra-small

  , tested on AWS M6i instances.
• Small: 25-node cluster, 16 vCPUs and 64 GiB memory per worker,

  LokiStack

  size

  1x.small

  , tested on AWS M6i instances.
• Large: 250-node cluster, 16 vCPUs and 64 GiB memory per worker,

  LokiStack

  size

  1x.medium

  , tested on AWS M6i instances. In addition to the worker and controller nodes, three infrastructure nodes (size

  M6i.12xlarge

  ) and one workload node (size

  M6i.8xlarge

  ) were tested.