Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 15. Secondary networks

You can configure the Network Observability Operator to collect and enrich network flow data from secondary networks, such as 

SR-IOV
and 
OVN-Kubernetes
.

15.1. Prerequisites
Copia collegamento

  • Access to an OpenShift Container Platform cluster with an additional network interface, such as a secondary interface or an L2 network.

15.2. Configuring monitoring for SR-IOV interface traffic
Copia collegamento

In order to collect traffic from a cluster with a Single Root I/O Virtualization (SR-IOV) device, you must set the 

FlowCollector
 
spec.agent.ebpf.privileged
field to 
true
. Then, the eBPF agent monitors other network namespaces in addition to the host network namespaces, which are monitored by default. When a pod with a virtual functions (VF) interface is created, a new network namespace is created. With 
SRIOVNetwork
policy 
IPAM
configurations specified, the VF interface is migrated from the host network namespace to the pod network namespace.

Prerequisites

  • Access to an OpenShift Container Platform cluster with a SR-IOV device.
  • The 
    SRIOVNetwork
    custom resource (CR) 
    spec.ipam
    configuration must be set with an IP address from the range that the interface lists or from other plugins.

Procedure

  1. In the web console, navigate to Operators Installed Operators.
  2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
  3. Select cluster and then select the YAML tab.

  4. Configure the 

    FlowCollector
    custom resource. A sample configuration is as follows:

    Configure FlowCollector for SR-IOV monitoring

    apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  namespace: netobserv
  deploymentModel: Service
  agent:
    type: eBPF
    ebpf:
      privileged: true
    1

    1
    The spec.agent.ebpf.privileged field value must be set to true to enable SR-IOV monitoring.

You can observe network traffic on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through OVN-Kubernetes. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability.

Procedure

  1. Get information about the virtual machine launcher pod by running the following command. This information is used in Step 5: 

    $ oc get pod virt-launcher-<vm_name>-<suffix> -n <namespace> -o yaml
     
    apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
        "name": "ovn-kubernetes",
        "interface": "eth0",
        "ips": [
          "10.129.2.39"
        ],
        "mac": "0a:58:0a:81:02:27",
        "default": true,
        "dns": {}
      },
      {
        "name": "my-vms/l2-network",
    1 
    
        "interface": "podc0f69e19ba2",
    2 
    
        "ips": [
    3 
    
          "10.10.10.15"
        ],
        "mac": "02:fb:f8:00:00:12",
    4 
    
        "dns": {}
      }]
  name: virt-launcher-fedora-aqua-fowl-13-zr2x9
  namespace: my-vms
spec:
#  ...
status:
#  ...
    1
    The name of the secondary network.
    2
    The network interface name of the secondary network.
    3
    The list of IPs used by the secondary network.
    4
    The MAC address used for secondary network.
  2. In the web console, navigate to Operators Installed Operators.
  3. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
  4. Select cluster and then select the YAML tab.

  5. Configure 

    FlowCollector
    based on the information you found from the additional network investigation: 

    apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  agent:
    ebpf:
      privileged: true
    1 
    
  processor:
    advanced:
      secondaryNetworks:
      - index: \
    2 
    
        - MAC  \
    3 
    
        name: my-vms/l2-network \
    4 
    
# ...
    1
    Ensure that the eBPF agent is in privileged mode so that flows are collected for secondary interfaces.
    2
    Define the fields to use for indexing the virtual machine launcher pods. It is recommended to use the MAC address as the indexing field to get network flows enrichment for secondary interfaces. If you have overlapping MAC address between pods, then additional indexing fields, such as IP and Interface, could be added to have accurate enrichment.
    3
    If your additional network information has a MAC address, add MAC to the field list.
    4
    Specify the name of the network found in the k8s.v1.cni.cncf.io/network-status annotation. Usually <namespace>/<network_attachement_definition_name>.

  6. Observe VM traffic:

    1. Navigate to the Network Traffic page.
    2. Filter by Source IP using your virtual machine IP found in 
      k8s.v1.cni.cncf.io/network-status
      annotation.
    3. View both Source and Destination fields, which should be enriched, and identify the VM launcher pods and the VM instance as owners.
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima