Chapter 15. Secondary networks
You can configure the Network Observability Operator to collect and enrich network flow data from secondary networks, such as SR-IOV and OVN-Kubernetes.
15.1. Prerequisites
- Access to an OpenShift Container Platform cluster with an additional network interface, such as a secondary interface or an L2 network.
Configure the FlowCollector resource to monitor traffic on a Single Root I/O Virtualization (SR-IOV) device by setting the spec.agent.ebpf.privileged field to true, which enables the eBPF agent to monitor other network namespaces.
The eBPF agent monitors other network namespaces in addition to the host network namespace, which is monitored by default. When a pod with a virtual function (VF) interface is created, a new network namespace is created. With the SRIOVNetwork policy IPAM configuration specified, the VF interface is migrated from the host network namespace to the pod network namespace.
Prerequisites
- Access to an OpenShift Container Platform cluster with an SR-IOV device.
- The SRIOVNetwork custom resource (CR) spec.ipam configuration must be set with an IP address from the range that the interface lists or from other plugins.
Procedure
1. In the web console, navigate to Ecosystem → Installed Operators.
2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
3. Select cluster and then select the YAML tab.
4. Configure the FlowCollector custom resource. A sample configuration is as follows:

Configure FlowCollector for SR-IOV monitoring

```yaml
apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  namespace: netobserv
  deploymentModel: Service
  agent:
    type: eBPF
    ebpf:
      privileged: true
```

where:
- spec.agent.ebpf.privileged - The field value must be set to true to enable SR-IOV monitoring.
Configure the FlowCollector to monitor VM secondary network traffic by setting the eBPF agent to privileged mode and defining the indexing for secondary networks, enabling the capture and enrichment of flows from OpenShift Virtualization.
Network flows coming from VMs that are connected to the default internal pod network are automatically captured by network observability.
Procedure
1. Get information about the virtual machine launcher pod by running the following command. This information is used in Step 5:

```
$ oc get pod virt-launcher-<vm_name>-<suffix> -n <namespace> -o yaml
```

Example output:

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
        "name": "ovn-kubernetes",
        "interface": "eth0",
        "ips": [
          "10.129.2.39"
        ],
        "mac": "0a:58:0a:81:02:27",
        "default": true,
        "dns": {}
      },
      {
        "name": "my-vms/l2-network",
        "interface": "podc0f69e19ba2",
        "ips": [
          "10.10.10.15"
        ],
        "mac": "02:fb:f8:00:00:12",
        "dns": {}
      }]
  name: virt-launcher-fedora-aqua-fowl-13-zr2x9
  namespace: my-vms
spec:
# ...
status:
# ...
```

where:
- name - Specifies the name of the secondary network.
- interface - Specifies the network interface of the secondary network.
- ips - Specifies the list of IP addresses used by the secondary network.
- mac - Specifies the MAC address used for the secondary network.
2. In the web console, navigate to Ecosystem → Installed Operators.
3. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.
4. Select cluster and then select the YAML tab.
5. Configure FlowCollector based on the information you found from the additional network investigation:

```yaml
apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  agent:
    ebpf:
      privileged: true
  processor:
    advanced:
      secondaryNetworks:
      - index:
        - MAC
        name: my-vms/l2-network
# ...
```

where:
- spec.agent.ebpf.privileged - Specifies that the eBPF agent runs in privileged mode, which is required to collect flows from secondary network interfaces on virtual machine launcher pods.
- spec.processor.advanced.secondaryNetworks.index - Specifies the fields to use for indexing the virtual machine launcher pods. It is recommended to use the MAC address as the indexing field to get network flows enrichment for secondary interfaces. If you have overlapping MAC addresses between pods, then additional indexing fields, such as IP and Interface, can be added to ensure accurate enrichment.
- MAC - Specifies the MAC address as an indexing field value. Add MAC to the index field list if your additional network information includes a MAC address.
- spec.processor.advanced.secondaryNetworks.name - Specifies the name of the secondary network as found in the k8s.v1.cni.cncf.io/network-status annotation of the virtual machine launcher pod. The format is typically <namespace>/<network_attachment_definition_name>.
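The following is an added illustration, not code from the Network Observability Operator, of how the secondaryNetworks index described above resolves a flow endpoint to its launcher pod, and why a MAC-only index fails when two pods on the same L2 network share a MAC. The pod names, the second pod, and the overlapping MAC are constructed sample data; only the first pod's annotation values come from the example output above.

```python
import json

# Constructed sample (not from the page): parsed k8s.v1.cni.cncf.io/network-status
# annotations of two virt-launcher pods, keyed "<namespace>/<pod>". The second pod
# deliberately reuses the first pod's MAC on the same L2 network (the overlap case).
LAUNCHER_PODS = {
    "my-vms/virt-launcher-fedora-aqua-fowl-13-zr2x9": [
        {"name": "ovn-kubernetes", "interface": "eth0", "ips": ["10.129.2.39"],
         "mac": "0a:58:0a:81:02:27", "default": True, "dns": {}},
        {"name": "my-vms/l2-network", "interface": "podc0f69e19ba2",
         "ips": ["10.10.10.15"], "mac": "02:fb:f8:00:00:12", "dns": {}},
    ],
    "my-vms/virt-launcher-other-vm-xk7p2": [  # hypothetical second VM
        {"name": "my-vms/l2-network", "interface": "pod9a1b2c3d4e5",
         "ips": ["10.10.10.16"], "mac": "02:fb:f8:00:00:12", "dns": {}},
    ],
}

# Index field names as written in spec.processor.advanced.secondaryNetworks.index
FIELD_OF = {"MAC": "mac", "IP": "ip", "Interface": "interface"}


def build_index(pods, network, index_fields):
    """Index only the statuses whose "name" equals the configured network.
    The key is the tuple of chosen fields; one key per listed IP so that a
    flow's single endpoint IP can match. Values are the set of owner pods."""
    index = {}
    for pod, statuses in pods.items():
        for st in statuses:
            if st.get("name") != network:
                continue
            for ip in st.get("ips") or [None]:
                view = {"mac": st["mac"].lower(), "ip": ip, "interface": st["interface"]}
                key = tuple(view[FIELD_OF[f]] for f in index_fields)
                index.setdefault(key, set()).add(pod)
    return index


def enrich(flow, index, index_fields):
    """Return the owner pod of a flow endpoint, or None when the key is absent
    or ambiguous (shared by several pods), i.e. the endpoint stays unenriched."""
    probe = dict(flow, mac=flow.get("mac", "").lower())
    owners = index.get(tuple(probe.get(FIELD_OF[f]) for f in index_fields), set())
    return next(iter(owners)) if len(owners) == 1 else None


def demo(network="my-vms/l2-network"):
    """Same flow endpoint resolved with a MAC-only index and with MAC+IP."""
    flow = {"mac": "02:fb:f8:00:00:12", "ip": "10.10.10.15", "interface": "podc0f69e19ba2"}
    by_mac = enrich(flow, build_index(LAUNCHER_PODS, network, ["MAC"]), ["MAC"])
    by_mac_ip = enrich(flow, build_index(LAUNCHER_PODS, network, ["MAC", "IP"]), ["MAC", "IP"])
    return by_mac, by_mac_ip  # (None, "my-vms/virt-launcher-fedora-aqua-fowl-13-zr2x9")
```

With a real cluster, the status lists would be `json.loads` of the annotation string taken from `oc get pod ... -o yaml`; the default ovn-kubernetes entry is never indexed because its name does not match the configured secondary network.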
Verification
Observe VM traffic:
1. Navigate to the Network Traffic page.
2. Filter by Source IP using your virtual machine IP found in the k8s.v1.cni.cncf.io/network-status annotation.
3. View both Source and Destination fields, which should be enriched, and identify the VM launcher pods and the VM instance as owners.