
Chapter 11. Secondary networks


You can configure the Network Observability Operator to collect and enrich network flow data from secondary networks, such as SR-IOV and OVN-Kubernetes.

Prerequisites

  • Access to an OpenShift Container Platform cluster with an additional network interface, such as a secondary interface or an L2 network.

11.1. Configuring monitoring for SR-IOV interface traffic

In order to collect traffic from a cluster with a Single Root I/O Virtualization (SR-IOV) device, you must set the FlowCollector spec.agent.ebpf.privileged field to true. The eBPF agent then monitors other network namespaces in addition to the host network namespace, which is monitored by default. When a pod with a virtual function (VF) interface is created, a new network namespace is created. With the SRIOVNetwork policy IPAM configuration specified, the VF interface is migrated from the host network namespace to the pod network namespace.

Prerequisites

  • Access to an OpenShift Container Platform cluster with an SR-IOV device.
  • The SRIOVNetwork custom resource (CR) spec.ipam configuration must be set with an IP address from the range that the interface lists or from other plugins.

Procedure

  1. In the web console, navigate to Operators → Installed Operators.
  2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
  3. Select cluster and then select the YAML tab.
  4. Configure the FlowCollector custom resource. A sample configuration is as follows:

    Configure FlowCollector for SR-IOV monitoring

    apiVersion: flows.netobserv.io/v1beta2
    kind: FlowCollector
    metadata:
      name: cluster
    spec:
      namespace: netobserv
      deploymentModel: Direct
      agent:
        type: eBPF
        ebpf:
          privileged: true   1

    1
    The spec.agent.ebpf.privileged field value must be set to true to enable SR-IOV monitoring.

11.2. Configuring virtual machine (VM) secondary network interfaces for Network Observability

You can observe network traffic on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through OVN-Kubernetes. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability.

Procedure

  1. Get information about the virtual machine launcher pod by running the following command. This information is used in Step 5:

    $ oc get pod virt-launcher-<vm_name>-<suffix> -n <namespace> -o yaml
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        k8s.v1.cni.cncf.io/network-status: |-
          [{
            "name": "ovn-kubernetes",
            "interface": "eth0",
            "ips": [
              "10.129.2.39"
            ],
            "mac": "0a:58:0a:81:02:27",
            "default": true,
            "dns": {}
          },
          {
            "name": "my-vms/l2-network",   1
            "interface": "podc0f69e19ba2", 2
            "ips": [                       3
              "10.10.10.15"
            ],
            "mac": "02:fb:f8:00:00:12",    4
            "dns": {}
          }]
      name: virt-launcher-fedora-aqua-fowl-13-zr2x9
      namespace: my-vms
    spec:
    #  ...
    status:
    #  ...
    1
    The name of the secondary network.
    2
    The network interface name of the secondary network.
    3
    The list of IPs used by the secondary network.
    4
    The MAC address used for secondary network.
  2. In the web console, navigate to Operators → Installed Operators.
  3. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
  4. Select cluster and then select the YAML tab.
  5. Configure FlowCollector based on the information you found from the additional network investigation:

    apiVersion: flows.netobserv.io/v1beta2
    kind: FlowCollector
    metadata:
      name: cluster
    spec:
      agent:
        ebpf:
          privileged: true            1
      processor:
        advanced:
          secondaryNetworks:
          - index:                    2
            - MAC                     3
            name: my-vms/l2-network   4
    # ...

    1
    Ensure that the eBPF agent is in privileged mode so that flows are collected for secondary interfaces.
    2
    Define the fields to use for indexing the virtual machine launcher pods. It is recommended to use the MAC address as the indexing field to get network flow enrichment for secondary interfaces. If you have overlapping MAC addresses between pods, then additional indexing fields, such as IP and Interface, can be added to have accurate enrichment.
    3
    If your additional network information has a MAC address, add MAC to the field list.
    4
    Specify the name of the network found in the k8s.v1.cni.cncf.io/network-status annotation. Usually <namespace>/<network_attachment_definition_name>.

  6. Observe VM traffic:

    1. Navigate to the Network Traffic page.
    2. Filter by Source IP using the virtual machine IP found in the k8s.v1.cni.cncf.io/network-status annotation.
    3. View both Source and Destination fields, which should be enriched, and identify the VM launcher pods and the VM instance as owners.
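
The following script, added here as an example and not part of the Network Observability documentation or Operator code, automates Steps 1 and 5 of the procedure above: it parses the k8s.v1.cni.cncf.io/network-status annotation of several virt-launcher pods, keeps only the non-default (secondary) interfaces, and derives the spec.processor.advanced.secondaryNetworks entries, adding IP and Interface to the index only when the same MAC address appears on more than one pod of a network. The pod names, the second pod's values, and the helper function names are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample: the network-status annotation of two virt-launcher pods, in the
# same shape as the page's example output. vm-b deliberately reuses vm-a's MAC on the
# l2-network to show the overlapping-MAC case the documentation warns about.
POD_NETWORK_STATUS = {
    "virt-launcher-vm-a": json.dumps([
        {"name": "ovn-kubernetes", "interface": "eth0", "ips": ["10.129.2.39"],
         "mac": "0a:58:0a:81:02:27", "default": True, "dns": {}},
        {"name": "my-vms/l2-network", "interface": "podc0f69e19ba2",
         "ips": ["10.10.10.15"], "mac": "02:fb:f8:00:00:12", "dns": {}}]),
    "virt-launcher-vm-b": json.dumps([
        {"name": "ovn-kubernetes", "interface": "eth0", "ips": ["10.129.2.40"],
         "mac": "0a:58:0a:81:02:28", "default": True, "dns": {}},
        {"name": "my-vms/l2-network", "interface": "pod1a2b3c4d5e6",
         "ips": ["10.10.10.16"], "mac": "02:fb:f8:00:00:12", "dns": {}}]),
}

def secondary_interfaces(annotation: str) -> list:
    """Return the entries of a network-status annotation that are not the default network."""
    return [n for n in json.loads(annotation) if not n.get("default")]

def plan_secondary_networks(pod_annotations: dict) -> list:
    """Group secondary interfaces by network name and choose the index fields.
    MAC is the recommended index; if a MAC is shared by several pods on one network
    (or no MAC is reported), IP and Interface are added so enrichment stays unambiguous."""
    per_net = {}
    for ann in pod_annotations.values():
        for iface in secondary_interfaces(ann):
            per_net.setdefault(iface["name"], []).append(iface)
    plan = []
    for name, ifaces in sorted(per_net.items()):
        macs = Counter(i["mac"] for i in ifaces if i.get("mac"))
        index = ["MAC"] if macs else []
        if not macs or any(count > 1 for count in macs.values()):
            index += ["IP", "Interface"]
        plan.append({"name": name, "index": index})
    return plan

def render_flowcollector_patch(plan: list) -> str:
    """Render the FlowCollector spec fragment (privileged agent + secondaryNetworks) as YAML."""
    lines = ["spec:", "  agent:", "    ebpf:", "      privileged: true",
             "  processor:", "    advanced:", "      secondaryNetworks:"]
    for net in plan:
        lines += [f"      - name: {net['name']}", "        index:"]
        lines += [f"        - {field}" for field in net["index"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_flowcollector_patch(plan_secondary_networks(POD_NETWORK_STATUS)))
```

Feed the script the real annotations with `oc get pod <virt-launcher-pod> -n <namespace> -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}'` and apply the rendered fragment to the cluster FlowCollector.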
© 2024 Red Hat, Inc.