Questo contenuto non è disponibile nella lingua selezionata.
Chapter 9. Visualizing external entities
Visualizing external entities is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Understanding the interactions between your cluster and external entities is essential for incident response and network policy management. With the Visualizing external entities feature, you can view the external IP addresses that interact with your cluster.
You can view external entities in the Network Graph or query external entities by using the API.
Visualizing external entities is an opt-in feature that is disabled by default. To enable this feature, you must enable external IP collection in Central and secured clusters, as described in the following sections.
9.1. Enabling external IP collection in Central
There are two environmental variables that control the collection of external IP in Central: ROX_EXTERNAL_IPS
and ROX_NETWORK_GRAPH_EXTERNAL_IPS
.
You must enable ROX_EXTERNAL_IPS
in Central to enable external IP collection and to query external entities by using the API. After that, you can use ROX_NETWORK_GRAPH_EXTERNAL_IPS
to display collected external IPs in the Network Graph.
Procedure
If you installed RHACS by using the RHACS Operator, insert the following customization in the Central custom resource definition (CRD):
spec: customize: envVars: - name: ROX_EXTERNAL_IPS 1 value: 'true'
- 1
- Additionally, you can also specify
ROX_NETWORK_GRAPH_EXTERNAL_IPS
.
If you installed RHACS by using Helm, add the following annotations to your
values-public.yaml
file:customize: # Extra environment variables for all containers in all objects. envVars: ROX_EXTERNAL_IPS: “true” 1
- 1
- Additionally, you can also specify
ROX_NETWORK_GRAPH_EXTERNAL_IPS
.
9.2. Enabling external IP collection in secured clusters
To enable external IP collection in secured clusters, you must individually configure each secured cluster’s runtime configuration.
You can have some clusters with the functionality enabled while others remain disabled. In this case, external IP information is only available for the clusters where you have enabled the feature.
You can use a ConfigMap
object to enable the external IP collection in secured clusters.
Procedure
Create a
ConfigMap
object calledcollector-config
with the following content:apiVersion: v1 kind: ConfigMap metadata: name: collector-config namespace: stackrox data: runtime_config.yaml: | 1 networking: externalIps: enable: true
- 1
- RHACS mounts this file at
/etc/stackrox/runtime_config.yaml
.
Whenever you create or update the ConfigMap
object, the collector refreshes the runtime configuration. When you delete the ConfigMap
object, the settings revert to the default runtime configuration values.
9.3. Querying external IP addresses by using the API
You can get information about the external IP addresses associated with a specific cluster by using the following endpoints:
/v1/networkgraph/cluster/{clusterId}/externalentities
: This endpoint returns a list of external entities for a given cluster ID. Each entity includes the following information:- Name: The name of the external entity.
- CIDR block: The CIDR block associated with the entity.
- Default entity: Indicates that the entity is a CIDR-block definition provided by the system.
-
Discovered: If
true
, indicates that the external IP address does not match any specified CIDR block.
-
/v1/networkgraph/cluster/{clusterId}/externalentities/flows/{deploymentId}
: This endpoint reports the flows to and from external entities for a given cluster ID and deployment ID. Use this endpoint to analyze network traffic patterns and gain insights into the interactions between your cluster and external entities.
9.4. Known limitations
The following are some known limitations of the Visualizing external entities feature:
- When you enable external IP collection for a cluster, Collector in those clusters report more information to Sensor and to Central. This might create scalability issues if the workload in the cluster communicates with a large number of distinct external peers. It is recommended that you do not enable this feature on clusters with communication patterns involving more than 10,000 distinct external entities.
- The display of IP information on the Network Graph page is experimental and uses a graphical item for each IP entity. Enabling this level of detail when the number of peers is a few hundred or more might result in an unreadable user interface and more than 2,000 peers may result in a potentially unresponsive user interface.
- You cannot see external IP addresses if they are part of CIDR blocks.