红帽全球峰会此内容没有您所选择的语言版本。
Chapter 1. Network Observability Operator release notes
Review new features, enhancements, fixed issues, and known issues for the Network Observability Operator. These release notes provide information to help you understand changes and security advisories in the latest Operator release.
The Network Observability Operator enables administrators to observe and analyze network traffic flows for OpenShift Container Platform clusters.
These release notes track the development of the Network Observability Operator in the OpenShift Container Platform.
1.1. Network Observability Operator 1.12 advisory
You can review the advisory for Network Observability Operator 1.12 release.
The Network Observability Operator 1.12 release introduces non-decrypting TLS metadata tracking, Kafka message compression options, automated secondary network indexing, and expanded web console compatibility for OpenShift Container Platform clusters.
- Transport Layer Security traffic metadata tracking
The Network Observability Operator can now capture and analyze Transport Layer Security (TLS) metadata from network flows without decrypting traffic. By extracting handshake details from
ClientHelloandServerHellomessages, the Operator provides visibility into encryption protocols while maintaining data privacy.The following key benefits include:
- Security risk detection: Identify workloads using deprecated TLS versions (1.0, 1.1) or weak cipher suites.
- Compliance auditing: Audit TLS configurations to meet regulatory requirements through metric aggregation and dashboard visualization.
- Security posture assessment: Visualize encrypted network traffic with lock icons in the Topology view and identify unencrypted communications across your cluster.
Configure Prometheus alerts to automatically report insecure or non-compliant TLS configurations.
To use this feature, enable
TLSTrackingin thespec.agent.ebpf.featureslist of theFlowCollectorcustom resource (CR).
- Support for Kafka compression
Message compression configuration is now available when using Kafka to scale network flow collection. Enabling compression reduces the network bandwidth required to transport flows and decreases the storage footprint on Kafka brokers.
The following key benefits include:
- Reduced network load: Compressing flow data minimizes the traffic volume between the eBPF agent or flowlogs-pipeline and your Kafka cluster.
- Storage efficiency: Smaller message sizes lead to improved disk space utilization on Kafka brokers.
Tunable performance: Choose from several compression algorithms, such as
gzip,snappy,lz4, orzstd, to balance CPU usage with compression ratios.To enable this feature, configure the
spec.kafka.compressionandspec.exporters.kafka.compressionfields in theFlowCollectorcustom resource.
- Simplified secondary network indexing
The configuration process for secondary network indexing is now simplified.
The
namefield in thespec.processor.advanced.secondaryNetworkslist is deprecated and ignored. The Network Observability Operator automatically evaluates all secondary networks regardless of their assigned names, removing the requirement for manual name-matching entries in theFlowCollectorCR.- OpenShift Container Platform web console compatibility
- The Network Observability web console plugin is updated to support OpenShift Container Platform 4.22 and later. Backward compatibility is maintained for OpenShift Container Platform versions 4.14 through 4.21.
The Network Observability Operator is included by default as a Technology Preview feature in 1.12 and OpenShift Container Platform 4.22. You can explore network traffic visualization and monitoring capabilities without performing a separate installation.
To use this Technology Preview feature, you must enable the NetworkObservabilityInstall feature gate through a manifest file during cluster installation.
1.4. Network Observability Operator 1.12 fixed issues
The Network Observability Operator 1.12 release contains several fixed issues that improve performance, system status reporting, and user experience.
- Consistent FlowCollector pipeline status
Before this update, changes to the sampling field caused an inconsistency in the
FlowCollectorresource status. As a consequence, you could see conflicting statuses across pipeline components.With this release, status reporting is made consistent across all components. As a result, the reliability of the pipeline status indicator is improved.
- Fixed
--helpflag processing in netobserv-cli Before this update, the
--helpflag was ignored when placed after other command flags in the Network Observability CLI. As a consequence, running commands such asoc netobserv flows --interfaces=br-ex --max-time=10s --helpexecuted the flow collection instead of displaying the help page.With this release, the
--helpflag is recognized regardless of its position in the command. As a result, you can now display help information by placing the--helpflag anywhere in your command arguments.- Improved visibility of DNS names warning messages
Before this update, the DNS names graph repeatedly displayed a warning message on every refresh when running in a Prometheus-only configuration. As a consequence, the persistent warning message covered other dashboard elements.
With this release, the warning message is only displayed during the initial data load and does not overlay other content. As a result, interface clarity is improved when navigating the dashboard.
- Prometheus enabled by default in FlowCollector configurations
Before this update, the default setting for Prometheus metrics was unassigned during
FlowCollectorcustom resource creation. As a consequence, you had to manually ensure that metrics collection was active to query accurate flow data.With this release, the default value for Prometheus metrics collection in the
FlowCollectorconfiguration is set totrue. As a result, the deployment process is simplified and flow metrics are collected automatically.- Usage examples added to CLI subcommand help text
Before this update, the
helpsubcommands for the Network Observability CLI lacked syntax examples. As a consequence, understanding how to construct complex filtering and capture commands required additional research.With this release, clear examples are included in the subcommand help outputs. As a result, the usability and discoverability of the CLI features are enhanced.
- Corrected latency formatting for values above one second
Before this update, flow durations and network latencies greater than one second were improperly formatted as milliseconds. As a consequence, donut graphs and latency metrics displayed confusing or inaccurate time designations.
With this release, the duration formatting function handles values greater than one millisecond accurately using decimal seconds. As a result, you can view precise network latency values in console charts.
- Improved FlowCollector status reporting when eBPF pods are absent
Before this update, the
FlowCollectorresource reported a status ofReadyeven when a restrictivenodeSelectorprevented any eBPF agent pods from deploying. As a consequence, the system status misrepresented the health of the agent layer.With this release, the Operator checks for a zero-pod deployment count. As a result, the
FlowCollectorCR now correctly identifies when zero eBPF pods are active, improving cluster error diagnostics.- Optimized field exports for OpenTelemetry exporters
Before this update, the OpenTelemetry exporter processed missing or null keys as non-null data. As a consequence, unpopulated
metadatafields were exported to log streams, which increased storage usage and cluttered telemetry files.With this release, the OpenTelemetry exporter filters out null or unrelated fields, exporting only keys that belong to explicitly enabled features. As a result, exported log sizes are reduced and data efficiency is improved.
- Added sampling probability fields to IPFIX exports
Before this update, Internet Protocol Flow Information Export (IPFIX) record exports omitted per-flow sampling information. As a consequence, data exports failed to comply with the standard IPFIX specifications for
samplingProbabilityusage.With this release, the exporter includes sampling probability details within the IPFIX packet metadata. As a result, exported OpenTelemetry data matches industry compliance standards.
- Fixed TLS volume name conflicts on OpenTelemetry exporters
Before this update, configuring TLS certificates on OpenTelemetry exporters generated an invalid volume name format. As a consequence, the
apiserverrejected the underlying Flow-logs Pipeline deployment specification, causing the pipeline pod to fail during initialization.With this release, the Operator ensures valid volume names are generated when handling TLS attributes. As a result, enabling TLS on your OpenTelemetry exporters no longer interferes with pipeline pod lifecycles.
- Improved pod-to-pod flow filter rule matching for asymmetric CIDR rules
Before this update, the default flow filter action was not enforced when a network flow failed to match both a CIDR rule and its corresponding
peerCIDRrule identically. As a consequence, unexpected acknowledgment-only,ACK, flows bypass filtering restrictions inside the pod network.With this release, when a network flow matches a designated CIDR rule but fails the
peerCIDRpairing, the default filtering action is correctly applied. As a result, traffic blocking and network rule isolation are handled more securely.
1.5. Network Observability Operator 1.12 known issues
The following known issues affect the Network Observability Operator 1.12 release.
- Operator fails to start when custom web console logos are configured
When you configure custom product logos in the
Console.operator.openshift.ioresource using thespec.customization.logosfield, the Network Observability Operator pod fails to start during installation. The Operator incorrectly reports a validation error indicating that bothlogosand the deprecatedcustomLogoFilefields are set, even though onlylogosis configured.To work around this problem, manually enable the Network Observability Operator OpenShift Container Platform web console plugin by adding
netobserv-plugin-staticto thespec.pluginslist in theConsolecluster resource, or by enabling the plugin through the web console under AdministrationCluster Settings Configuration Console Console plugins.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}