OSDOCS-10877: Virtualization in Network Observability

skrthomas · skrthomas · commit 8868895132e8 · 2024-10-08T21:43:31.000-04:00
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -2922,6 +2922,8 @@ Topics:
     File: network-observability-operator-monitoring
   - Name: Scheduling resources
     File: network-observability-scheduling-resources
+  - Name: Secondary networks
+    File: network-observability-secondary-networks
   - Name: Network Observability CLI
     Dir: netobserv_cli
     Topics:
diff --git a/modules/network-observability-SRIOV-configuration.adoc b/modules/network-observability-SRIOV-configuration.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * network_observability/configuring-operator.adoc
+// * observability/network_observability/network-observability-secondary-networks.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="network-observability-SR-IOV-config_{context}"]
diff --git a/modules/network-observability-virtualization-configuration.adoc b/modules/network-observability-virtualization-configuration.adoc
@@ -0,0 +1,98 @@
+// Module included in the following assemblies:
+//
+// * observability/network_observability/network-observability-secondary-networks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-virtualization-config_{context}"]
+= Configuring virtual machine (VM) secondary network interfaces for Network Observability
+You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through Open Virtual Network (OVN)-Kubernetes, or SR-IOV CNI plugins. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability.
+
+.Procedure
+. Get information about the virtual machine launcher pod by running the following command. This information is used in Step 2: 
++
+[source,terminal]
+----
+$ oc get pod virt-launcher-<vm_name>-<suffix> -n <namespace> -o yaml
+----
++
+[source,yaml]
+----
+$ oc get pod virt-launcher-fedora-aqua-fowl-13-zr2x9 -n my-vms -o yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    k8s.v1.cni.cncf.io/network-status: |- 
+      [{
+        "name": "ovn-kubernetes",
+        "interface": "eth0",
+        "ips": [
+          "10.129.2.39"
+        ],
+        "mac": "0a:58:0a:81:02:27",
+        "default": true,
+        "dns": {}
+      },
+      {
+        "name": "my-vms/l2-network",   <1>
+        "interface": "podc0f69e19ba2", <2>
+        "ips": [
+          "10.10.10.15"
+        ], <3>
+        "mac": "02:fb:f8:00:00:12",    <4>
+        "dns": {}
+      }]
+  name: virt-launcher-fedora-aqua-fowl-13-zr2x9
+  namespace: my-vms
+spec:
+  ...
+status:
+  ...
+----
+<1> The name of the secondary network.
+<2> The network interface name of the secondary network.
+<3> The list of IPs used by the secondary network.
+<4> The MAC address used for secondary network.
+
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. Under the *Provided APIs* heading for the *NetObserv Operator*, select *Flow Collector*.
+. Select *cluster* and then select the *YAML* tab.
+. Configure `FlowCollector` based on the information you found from the additional network investigation. 
++
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+# ...
+ebpf:
+    privileged: true              <1>
+  processor:
+    advanced:
+      secondaryNetworks:
+      - index:                    <2>
+        - Interface
+        - MAC                     <3>
+        - IP                      <4>
+        name: my-vms/l2-network   <5> 
+# ...
+----
+<1> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address.
+<2> Define the fields to use for indexing the virtual machine launcher pods. These should form a unique identifier across the cluster according to the fields available in `k8s.v1.cni.cncf.io/network-status` annotation.
++
+[IMPORTANT] 
+====
+Not all secondary networks have all the index fields in this example. Ensure that only the fields that are annotated in your secondary interface are listed here and if they are not annotated, they are removed. 
+====
+<3> If your additional network information has a MAC address, specify add it here.
+<4> If your additional network information has an IP address, specify add it here.
+<5> Specify the name of the network found in `k8s.v1.cni.cncf.io/network-status` annotation. Usually <namespace>/<network_attachement_definition_name>. 
+
+. Ping from one VM to another for secondary interface IP.
+
+.Verification
+. Navigate to the *Network Traffic* page.
+. Filter by *Source* IP using your virtual machine IP found in `k8s.v1.cni.cncf.io/network-status` annotation.
+. View both *Source* and *Destination* fields should enriched identifying VM launcher Pods and VM instance as Owners
diff --git a/observability/network_observability/configuring-operator.adoc b/observability/network_observability/configuring-operator.adoc
@@ -24,10 +24,5 @@ For more information about specifying flow format, see xref:../../observability/
 
 include::modules/network-observability-configuring-FLP-sampling.adoc[leveloffset=+1]
 include::modules/network-observability-configuring-quickfilters-flowcollector.adoc[leveloffset=+1]
-include::modules/network-observability-SRIOV-configuration.adoc[leveloffset=+1]
-[role="_additional-resources"]
-.Additional resources
-For more information about creating the `SriovNetwork` custom resource, see xref:../../networking/hardware_networks/configuring-sriov-device.adoc#cnf-creating-an-additional-sriov-network-with-vrf-plug-in_configuring-sriov-device[Creating an additional SR-IOV network attachment with the CNI VRF plugin].
-
 include::modules/network-observability-resource-recommendations.adoc[leveloffset=+1]
 include::modules/network-observability-resources-table.adoc[leveloffset=+2]
diff --git a/observability/network_observability/network-observability-secondary-networks.adoc b/observability/network_observability/network-observability-secondary-networks.adoc
@@ -0,0 +1,22 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="network-observability-secondary-networks"]
+= Secondary networks
+include::_attributes/common-attributes.adoc[]
+:context: secondary_networks
+
+toc::[]
+You can configure the Network Observability Operator to collect and enrich network flow data from secondary networks, such as SR-IOV and Open Virtual Network (OVN)-Kubernetes.
+
+// Note to tech review:
+// Is the existing SR-IOV example we have, "Configuring monitoring for SR-IOV interface traffic", an example of secondary network? If so, it is not through a VM, right? 
+
+.Prerequisites
+* Access to an {product-title} cluster with an additional network interface, such as a secondary interface or an L2 network.
+* The `spec.agent.ebpf.privileged` field must be set to `true`.
+
+include::modules/network-observability-SRIOV-configuration.adoc[leveloffset=+1]
+[role="_additional-resources"]
+.Additional resources
+For more information about creating the `SriovNetwork` custom resource, see xref:../../networking/hardware_networks/configuring-sriov-device.adoc#cnf-creating-an-additional-sriov-network-with-vrf-plug-in_configuring-sriov-device[Creating an additional SR-IOV network attachment with the CNI VRF plugin].
+
+include::modules/network-observability-virtualization-configuration.adoc[leveloffset=+1]
