Chapter 1. Network Observability Operator release notes 1.10

The Network Observability Operator now supports configuring both ingress and egress network policies to control pod traffic. This enhancement improves security.

By default, the spec.NetworkPolicy.enable specification is now set to true. This means that if you use Loki or Kafka, it is recommended that you deploy the Loki Operator and Kafka instances into dedicated namespaces. This ensures that the network policies can be configured correctly to allow communication between all components.

This release brings the following new features and updates to the Network Observability Operator CLI (oc netobserv) user interface (UI):

Table view enhancements

Terminal-based line charts enhancements

The network observability console plugin includes a new view to configure the FlowCollector custom resource (CR). From this view, you can complete the following tasks:

Network Observability Operator 1.10 has improved the performance and memory footprint of the Operator, especially visible on large clusters.

This release introduces new alert functionality, and custom alert configuration. These capabilities are Technology Preview features, and must be explicitly enabled.

To view the new alerts, in the OpenShift Container Platform web console, click Observe Alerting Alerting rules.

When you enable the Technology Preview alerts functionality in the Network Observability Operator, you can view a a new Network Health dashboard in the OpenShift Container Platform web console by clicking Observe.

The Network Health dashboard provides a summary of triggered alerts, distinguishing between critical, warning, and minor issues, and also shows pending alerts.

Upgrading to the Network Observability Operator 1.10 on OpenShift Container Platform 4.14 and earlier can fail due to a FlowCollector custom resource definition (CRD) validation error in the software catalog.

To workaround this problem, you must:

OCPBUGS-63208, NETOBSERV-2451

The eBPF agent used in the Network Observability Command Line Interface (CLI) packet capture feature is incompatible with OpenShift Container Platform versions 4.16 and older.

This limitation prevents the eBPF-based Packet Capture Agent (PCA) from functioning correctly on those older clusters.

To work around this problem, you must manually configure PCA to use an older, compatible eBPF agent container image. For more information, see the Red Hat Knowledgebase Solution eBPF agent compatibility with older Openshift versions in Network Observability CLI 1.10+.

NETOBSERV-2358

When running Network Observability Operator 1.10 on OpenShift Container Platform 4.14 clusters that use the OpenShiftSDN CNI plugin, the eBPF agent is unable to send flow records to the flowlogs-pipeline component. This occurs when the FlowCollector custom resource is created with NetworkPolicy enabled (spec.networkPolicy.enable: true).

As a consequence, flow data is not processed by the flowlogs-pipeline component and does not appear in the Network Traffic dashboard or the configured storage (Loki). The eBPF agent pod logs show i/o timeout errors when attempting to connect to the collector:

time="2025-10-17T13:53:44Z" level=error msg="couldn't send flow records to collector" collector="10.0.68.187:2055" component=exporter/GRPCProto error="rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing: dial tcp 10.0.68.187:2055: i/o timeout\""

time="2025-10-17T13:53:44Z" level=error msg="couldn't send flow records to collector" collector="10.0.68.187:2055" component=exporter/GRPCProto error="rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing: dial tcp 10.0.68.187:2055: i/o timeout\""

To work around this problem, set spec.networkPolicy.enable to false to disable NetworkPolicy in the FlowCollector resource for Network Observability Operator 1.10.

This will allow the eBPF agent to communicate with the flowlogs-pipeline component without interference from the automatically deployed network policy.

NETOBSERV-2450

Before this update, users could create a FlowMetric custom resource (CR) with an invalid metric name. Although the FlowMetric CR was successfully created, the underlying metric would fail silently without providing any error feedback to the user.

With this release, the FlowMetric, metricName, and remap fields are now validated before creation, so users are immediately notified if they enter an invalid name.

NETOBSERV-2348

Before this update, performance issues in the underlying library caused the html-to-image export function to take a long time, leading to browser freezing.

With this release, the performance of the html-to-image library has been improved, reducing export wait times and eliminating browser freezing during image generation.

NETOBSERV-2314

Before this update, when users selected eBPF features that require privileged mode, the features would often fail without clearly informing the user that privileged mode was missing or needed to be enabled.

With this release, a validation hook immediately warns the user if the configuration is inconsistent. This improves user understanding and prevents misconfiguration.

NETOBSERV-2268

Before this update, the OpenTelemetry metrics exporter was missing the network flow labels SrcSubnetLabel and DstSubnetLabel, causing them to show as empty.

With this release, these labels are now correctly provided by the exporter. They have also been renamed to source.subnet.label and destination.subnet.label for improved clarity and consistency with OpenTelemetry standards.

NETOBSERV-2405

Before this update, a default toleration was set on all network observability components to allow them to be scheduled on any node, including those tainted with NoSchedule. This could potentially block cluster upgrades.

With this release, the default toleration is now only maintained for the eBPF agents and the Flowlogs-Pipeline when configured in Direct mode. The toleration has been removed from the OpenShift Container Platform web console plugin and the Flowlogs-Pipeline when configured in Kafka mode.

Additionally, while tolerations were always configurable in the FlowCollector custom resource (CR), it was previously impossible to replace the tolerations with an empty list. It is now possible to replace the tolerations with an empty list.

NETOBSERV-2434