OSDOCS-10877: Virtualization in Network Observability #83105
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@skrthomas: This pull request references OSDOCS-10877 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/L
skrthomas
force-pushed
the
OSDOCS-10877
branch
5 times, most recently
from
e0d2704 to
4d8f1a2
Compare
|
@skrthomas: This pull request references OSDOCS-10877 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| = Configuring virtual machine (VM) secondary network interfaces for Network Observability | ||
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to additional network interfaces. |
There was a problem hiding this comment.
Should we add a mention that default pod network are covered out of the box ?
There was a problem hiding this comment.
@jpinsonneau do you mean that if a user has this configured, the flows from this default pod network are automatically captured by Network Observability? Or that the default pod networks are automatically configured out of the box? I assumed the former but just want to make sure.
There was a problem hiding this comment.
yes the flows are automatically captured by netobserv
| = Configuring virtual machine (VM) secondary network interfaces for Network Observability | ||
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to additional network interfaces. | ||
| // NOTE to tech review: | ||
| // do we need to mention anything about CNI here? I noted this in our convo, but I'm not sure if its relevant in the context of this procedure. Maybe its a prerequisite? |
There was a problem hiding this comment.
The virt docs explicitly mention OVN-Kubernetes secondary network so I would suggest to only refer to that in our doc too as it's what we tested 😸
There was a problem hiding this comment.
Okay, so I changed the intro sentence to:
You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to an Open Virtual Network (OVN)-Kubernetes secondary network.
|
|
||
| .Prerequisites | ||
| * Access to an {product-title} cluster with an additional network interface, such as a secondary interface or an L2 network. | ||
| * Any other prerequisites? |
There was a problem hiding this comment.
As same as SRIOV case, we need to have spec.agent.ebpf.privileged field to true
cc @msherif1234
There was a problem hiding this comment.
I have this listed as a FlowCollector config: https://github.com/openshift/openshift-docs/pull/83105/files#diff-2e10b29803e092e329b07fcd472f336c98d04f3eed531135e2afb892b7b22db0R111. I could also call it out in the prerequisites though.
There was a problem hiding this comment.
yes, that's right, we should probably have dedicated menu item for "secondary interfaces" and list common pre-requisites there.
There was a problem hiding this comment.
Ok I added this. I feel that the intro text for "secondary interfaces" with Network Observability is lacking, and I'm wondering about potentially mixing up SR-IOV VMs and then SR-IOV interfaces. Are those two separate things? I left a //comment to you guys there trying to parse my confusion 🥴 Just trying to better understand the bigger Network Observability/secondary networks picture
| . Get information about the virtual machine by running the following command. This information is used in Step 2: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| oc get network-attachment-definitions.k8s.cni.cncf.io/netdevice67619-1 -o yaml | ||
| ---- | ||
| // NOTE to tech review: | ||
| // does any of this need to be anonymized for the customer? Or made to a <user_replaceable_value>? and is it necessary to use a different oc get command for different interfaces? Like I know the one above is from Mehul's SR-IOV example. But then in the QE test, its `$ oc get pod/virt-launcher-test-vm1-bsfb4 -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}' | jq`. I can split this up and put both, but just not sure and want to verify. | ||
| . Investigate each additional network interface to find relevant pod annotations. These annotations differ depending on the kind of network interface you have: | ||
| .. For SR-IOV, look for the annotated fields: | ||
| + | ||
| [source,yaml] | ||
| ---- | ||
| apiVersion: k8s.cni.cncf.io/v1 | ||
| kind: NetworkAttachmentDefinition | ||
| metadata: | ||
| annotations: | ||
| k8s.v1.cni.cncf.io/resourceName: openshift.io/netpolicy67619 | ||
| creationTimestamp: "2024-10-03T20:40:48Z" | ||
| generation: 1 | ||
| name: netdevice67619-1 | ||
| namespace: openshift-sriov-network-operator | ||
| resourceVersion: "159492" | ||
| uid: 13131f06-e7b1-4b42-8d95-ac7c53e908cb | ||
| spec: | ||
| config: |- | ||
| { | ||
| "cniVersion": "1.0.0", | ||
| "name": "netdevice67619-1", <1> | ||
| "type": "sriov", | ||
| "vlan": 0, | ||
| "vlanQoS": 0, | ||
| "logLevel": "info", | ||
| "ipam": { | ||
| "type": "static", | ||
| "addresses": [ | ||
| { | ||
| "address": "192.168.122.71/24" <2> | ||
| } | ||
| ] | ||
| } | ||
| ---- | ||
| <1> Name of the virtual virtual machine connected to the additional network interface. | ||
| <2> The MAC address to identify the virtual machine. | ||
|
|
||
| .. For L2, look for the annotated fields: | ||
| + | ||
| [source,yaml] | ||
| ---- | ||
| # ... | ||
| { | ||
| "name": "ovn-kubernetes", | ||
| "interface": "eth0", | ||
| "ips": [ | ||
| "10.129.2.39" | ||
| ], | ||
| "mac": "0a:58:0a:81:02:27", | ||
| "default": true, | ||
| "dns": {} | ||
| }, | ||
| { | ||
| "name": "my-vms/l2-network", <1> | ||
| "interface": "podc0f69e19ba2", | ||
| "mac": "02:fb:f8:00:00:12", <2> | ||
| "dns": {} | ||
| } | ||
| # ... | ||
| ---- | ||
| <1> The name of the virtual machine connected to the additional network interface. | ||
| <2> The MAC address to identify the virtual machine. | ||
|
|
||
| . Configure `FlowCollector` based on the information you found from the additional network investigation. |
There was a problem hiding this comment.
This whole section is not needed to me.
You can directly configure the secondary network discovery without checking at these.
There was a problem hiding this comment.
However, we can recommend to check for k8s.v1.cni.cncf.io/network-status annotation in launcher pods to let the user understand how it work:
| . Get information about the virtual machine by running the following command. This information is used in Step 2: | |
| + | |
| [source,terminal] | |
| ---- | |
| oc get network-attachment-definitions.k8s.cni.cncf.io/netdevice67619-1 -o yaml | |
| ---- | |
| // NOTE to tech review: | |
| // does any of this need to be anonymized for the customer? Or made to a <user_replaceable_value>? and is it necessary to use a different oc get command for different interfaces? Like I know the one above is from Mehul's SR-IOV example. But then in the QE test, its `$ oc get pod/virt-launcher-test-vm1-bsfb4 -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}' | jq`. I can split this up and put both, but just not sure and want to verify. | |
| . Investigate each additional network interface to find relevant pod annotations. These annotations differ depending on the kind of network interface you have: | |
| .. For SR-IOV, look for the annotated fields: | |
| + | |
| [source,yaml] | |
| ---- | |
| apiVersion: k8s.cni.cncf.io/v1 | |
| kind: NetworkAttachmentDefinition | |
| metadata: | |
| annotations: | |
| k8s.v1.cni.cncf.io/resourceName: openshift.io/netpolicy67619 | |
| creationTimestamp: "2024-10-03T20:40:48Z" | |
| generation: 1 | |
| name: netdevice67619-1 | |
| namespace: openshift-sriov-network-operator | |
| resourceVersion: "159492" | |
| uid: 13131f06-e7b1-4b42-8d95-ac7c53e908cb | |
| spec: | |
| config: |- | |
| { | |
| "cniVersion": "1.0.0", | |
| "name": "netdevice67619-1", <1> | |
| "type": "sriov", | |
| "vlan": 0, | |
| "vlanQoS": 0, | |
| "logLevel": "info", | |
| "ipam": { | |
| "type": "static", | |
| "addresses": [ | |
| { | |
| "address": "192.168.122.71/24" <2> | |
| } | |
| ] | |
| } | |
| ---- | |
| <1> Name of the virtual virtual machine connected to the additional network interface. | |
| <2> The MAC address to identify the virtual machine. | |
| .. For L2, look for the annotated fields: | |
| + | |
| [source,yaml] | |
| ---- | |
| # ... | |
| { | |
| "name": "ovn-kubernetes", | |
| "interface": "eth0", | |
| "ips": [ | |
| "10.129.2.39" | |
| ], | |
| "mac": "0a:58:0a:81:02:27", | |
| "default": true, | |
| "dns": {} | |
| }, | |
| { | |
| "name": "my-vms/l2-network", <1> | |
| "interface": "podc0f69e19ba2", | |
| "mac": "02:fb:f8:00:00:12", <2> | |
| "dns": {} | |
| } | |
| # ... | |
| ---- | |
| <1> The name of the virtual machine connected to the additional network interface. | |
| <2> The MAC address to identify the virtual machine. | |
| . Configure `FlowCollector` based on the information you found from the additional network investigation. | |
| . Get information about the virtual machine launcher pod by running the following command. This information is used in Step 2: | |
| + | |
| [source,terminal] | |
| ---- | |
| $ oc get pod virt-launcher-<vm-name>-<random-suffix> -n <namespace> -o yaml | |
| ---- | |
| + | |
| [source,yaml] | |
| ---- | |
| $ oc get pod virt-launcher-fedora-aqua-fowl-13-zr2x9 -n my-vms -o yaml | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| annotations: | |
| k8s.v1.cni.cncf.io/network-status: |- | |
| [{ | |
| "name": "ovn-kubernetes", | |
| "interface": "eth0", | |
| "ips": [ | |
| "10.129.2.39" | |
| ], | |
| "mac": "0a:58:0a:81:02:27", | |
| "default": true, | |
| "dns": {} | |
| }, | |
| { | |
| "name": "my-vms/l2-network", <1> | |
| "interface": "podc0f69e19ba2", <2> | |
| "ips": [ | |
| "10.10.10.15" | |
| ], <3> | |
| "mac": "02:fb:f8:00:00:12", <4> | |
| "dns": {} | |
| }] | |
| name: virt-launcher-fedora-aqua-fowl-13-zr2x9 | |
| namespace: my-vms | |
| spec: | |
| ... | |
| status: | |
| ... | |
| ---- | |
| <1> The name of the secondary network. | |
| <2> The network interface name of the secondary network. | |
| <3> The list of IPs used by the secondary network. | |
| <4> The MAC address used for secondary network. | |
| . Configure `FlowCollector` based on the information you found from the additional network investigation. |
There was a problem hiding this comment.
You can directly configure the secondary network discovery without checking at these.
just configuring name of secondary network wouldn't be enough, right? I think some sort of indexing would definitely be needed for enrichment, no? cc @jpinsonneau
There was a problem hiding this comment.
Yes @memodi, you need to specify the fields that define the index. However, you don't really care about the values here.
Either we let the user check the k8s.v1.cni.cncf.io/network-status and figure out by themself which fields are reliable or we directly tell them for each type of secondary network which fields to use as index.
| [source,yaml] | ||
| ---- | ||
| apiVersion: flows.netobserv.io/v1beta2 | ||
| kind: FlowCollector | ||
| metadata: | ||
| name: cluster | ||
| spec: | ||
| # ... | ||
| ebpf: | ||
| privileged: true <1> | ||
| processor: | ||
| advanced: | ||
| secondaryNetworks: | ||
| - index: | ||
| - MAC "02:fb:f8:00:00:12" <2> | ||
| - IP "192.168.122.71/24" <3> | ||
| name: my-vms/l2-network <4> | ||
| # ... | ||
| ---- | ||
| <1> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. | ||
| <2> If your additional network information has a MAC address, specify add it here. | ||
| <3> If your additional network information has an IP address, specify add it here. | ||
| <4> Specify the name of the virtual machine. | ||
|
|
||
| . Ping from one VM to another for secondary interface IP |
There was a problem hiding this comment.
| [source,yaml] | |
| ---- | |
| apiVersion: flows.netobserv.io/v1beta2 | |
| kind: FlowCollector | |
| metadata: | |
| name: cluster | |
| spec: | |
| # ... | |
| ebpf: | |
| privileged: true <1> | |
| processor: | |
| advanced: | |
| secondaryNetworks: | |
| - index: | |
| - MAC "02:fb:f8:00:00:12" <2> | |
| - IP "192.168.122.71/24" <3> | |
| name: my-vms/l2-network <4> | |
| # ... | |
| ---- | |
| <1> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. | |
| <2> If your additional network information has a MAC address, specify add it here. | |
| <3> If your additional network information has an IP address, specify add it here. | |
| <4> Specify the name of the virtual machine. | |
| . Ping from one VM to another for secondary interface IP | |
| [source,yaml] | |
| ---- | |
| apiVersion: flows.netobserv.io/v1beta2 | |
| kind: FlowCollector | |
| metadata: | |
| name: cluster | |
| spec: | |
| # ... | |
| ebpf: | |
| privileged: true <1> | |
| processor: | |
| advanced: | |
| secondaryNetworks: | |
| - index: <2> | |
| - Interface | |
| - MAC | |
| - IP | |
| name: my-vms/l2-network <3> | |
| # ... | |
| ---- | |
| <1> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. | |
| <2> Define the fields to use for indexing the virtual machine launcher pods. These should form a unique identifier across the cluster according to the fields available in `k8s.v1.cni.cncf.io/network-status` annotation. | |
| <3> Specify the name of the network found in `k8s.v1.cni.cncf.io/network-status` annotation. Usually <namespace>/<network-attachement-definition-name>. |
There was a problem hiding this comment.
Discussed this with @skrthomas on slack - that we should keep general recommendation such as indexing by MAC only. For other fields we could simply add a note saying, indexing is also supported for IP and Interface fields in combination with MAC if they’re published in annotations.
| .Verification | ||
| . Navigate to Netflow traffic page, Filter by *Source* IP the 10.10.10.15. | ||
| . View both *Source* and *Destination* fields should enriched identifying VM Pods and VM as Owners |
There was a problem hiding this comment.
| .Verification | |
| . Navigate to Netflow traffic page, Filter by *Source* IP the 10.10.10.15. | |
| . View both *Source* and *Destination* fields should enriched identifying VM Pods and VM as Owners | |
| .Verification | |
| . Navigate to Netflow traffic page, Filter by *Source* IP using your virtual machine IP found in `k8s.v1.cni.cncf.io/network-status` annotation. | |
| . View both *Source* and *Destination* fields should enriched identifying VM launcher Pods and VM instance as Owners |
There was a problem hiding this comment.
@skrthomas I think we could have separate menu item for "Secondary Networks" under Network Observability here and list pre-requisites and enrichment configuration there.
Examples of annotations could be added there. Between SRIOV and VM's secondary interface there's nothing specific that we do to capture their traffic or enrichment, so we could simply generalize them and remove "sriov" text from them to make it sound that it's not sriov specific.
| = Configuring virtual machine (VM) secondary network interfaces for Network Observability | ||
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to additional network interfaces. |
| = Configuring virtual machine (VM) secondary network interfaces for Network Observability | ||
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to additional network interfaces. | ||
| // NOTE to tech review: | ||
| // do we need to mention anything about CNI here? I noted this in our convo, but I'm not sure if its relevant in the context of this procedure. Maybe its a prerequisite? |
|
|
||
| .Prerequisites | ||
| * Access to an {product-title} cluster with an additional network interface, such as a secondary interface or an L2 network. | ||
| * Any other prerequisites? |
There was a problem hiding this comment.
yes, that's right, we should probably have dedicated menu item for "secondary interfaces" and list common pre-requisites there.
| . Get information about the virtual machine by running the following command. This information is used in Step 2: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| oc get network-attachment-definitions.k8s.cni.cncf.io/netdevice67619-1 -o yaml | ||
| ---- | ||
| // NOTE to tech review: | ||
| // does any of this need to be anonymized for the customer? Or made to a <user_replaceable_value>? and is it necessary to use a different oc get command for different interfaces? Like I know the one above is from Mehul's SR-IOV example. But then in the QE test, its `$ oc get pod/virt-launcher-test-vm1-bsfb4 -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}' | jq`. I can split this up and put both, but just not sure and want to verify. | ||
| . Investigate each additional network interface to find relevant pod annotations. These annotations differ depending on the kind of network interface you have: | ||
| .. For SR-IOV, look for the annotated fields: | ||
| + | ||
| [source,yaml] | ||
| ---- | ||
| apiVersion: k8s.cni.cncf.io/v1 | ||
| kind: NetworkAttachmentDefinition | ||
| metadata: | ||
| annotations: | ||
| k8s.v1.cni.cncf.io/resourceName: openshift.io/netpolicy67619 | ||
| creationTimestamp: "2024-10-03T20:40:48Z" | ||
| generation: 1 | ||
| name: netdevice67619-1 | ||
| namespace: openshift-sriov-network-operator | ||
| resourceVersion: "159492" | ||
| uid: 13131f06-e7b1-4b42-8d95-ac7c53e908cb | ||
| spec: | ||
| config: |- | ||
| { | ||
| "cniVersion": "1.0.0", | ||
| "name": "netdevice67619-1", <1> | ||
| "type": "sriov", | ||
| "vlan": 0, | ||
| "vlanQoS": 0, | ||
| "logLevel": "info", | ||
| "ipam": { | ||
| "type": "static", | ||
| "addresses": [ | ||
| { | ||
| "address": "192.168.122.71/24" <2> | ||
| } | ||
| ] | ||
| } | ||
| ---- | ||
| <1> Name of the virtual virtual machine connected to the additional network interface. | ||
| <2> The MAC address to identify the virtual machine. | ||
|
|
||
| .. For L2, look for the annotated fields: | ||
| + | ||
| [source,yaml] | ||
| ---- | ||
| # ... | ||
| { | ||
| "name": "ovn-kubernetes", | ||
| "interface": "eth0", | ||
| "ips": [ | ||
| "10.129.2.39" | ||
| ], | ||
| "mac": "0a:58:0a:81:02:27", | ||
| "default": true, | ||
| "dns": {} | ||
| }, | ||
| { | ||
| "name": "my-vms/l2-network", <1> | ||
| "interface": "podc0f69e19ba2", | ||
| "mac": "02:fb:f8:00:00:12", <2> | ||
| "dns": {} | ||
| } | ||
| # ... | ||
| ---- | ||
| <1> The name of the virtual machine connected to the additional network interface. | ||
| <2> The MAC address to identify the virtual machine. | ||
|
|
||
| . Configure `FlowCollector` based on the information you found from the additional network investigation. |
There was a problem hiding this comment.
You can directly configure the secondary network discovery without checking at these.
just configuring name of secondary network wouldn't be enough, right? I think some sort of indexing would definitely be needed for enrichment, no? cc @jpinsonneau
| [source,yaml] | ||
| ---- | ||
| apiVersion: flows.netobserv.io/v1beta2 | ||
| kind: FlowCollector | ||
| metadata: | ||
| name: cluster | ||
| spec: | ||
| # ... | ||
| ebpf: | ||
| privileged: true <1> | ||
| processor: | ||
| advanced: | ||
| secondaryNetworks: | ||
| - index: | ||
| - MAC "02:fb:f8:00:00:12" <2> | ||
| - IP "192.168.122.71/24" <3> | ||
| name: my-vms/l2-network <4> | ||
| # ... | ||
| ---- | ||
| <1> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. | ||
| <2> If your additional network information has a MAC address, specify add it here. | ||
| <3> If your additional network information has an IP address, specify add it here. | ||
| <4> Specify the name of the virtual machine. | ||
|
|
||
| . Ping from one VM to another for secondary interface IP |
There was a problem hiding this comment.
Discussed this with @skrthomas on slack - that we should keep general recommendation such as indexing by MAC only. For other fields we could simply add a note saying, indexing is also supported for IP and Interface fields in combination with MAC if they’re published in annotations.
skrthomas
force-pushed
the
OSDOCS-10877
branch
2 times, most recently
from
4dbaa8c to
0dfcb55
Compare
|
@skrthomas: This pull request references OSDOCS-10877 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
skrthomas
force-pushed
the
OSDOCS-10877
branch
4 times, most recently
from
8868895 to
a1293cb
Compare
modules/network-observability-virtualization-configuration.adoc
Outdated
Show resolved
Hide resolved
skrthomas
force-pushed
the
OSDOCS-10877
branch
from
a1293cb to
9e961f4
Compare
skrthomas
force-pushed
the
OSDOCS-10877
branch
from
6a414b3 to
a0d2180
Compare
| :_mod-docs-content-type: PROCEDURE | ||
| [id="network-observability-virtualization-config_{context}"] | ||
| = Configuring virtual machine (VM) secondary network interfaces for Network Observability | ||
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through Open Virtual Network (OVN)-Kubernetes, or SR-IOV CNI plugins. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability. |
There was a problem hiding this comment.
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through Open Virtual Network (OVN)-Kubernetes, or SR-IOV CNI plugins. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability. | |
| You can observe network traffic on an OpenShift Virtualization setup by identifying enriched network flows coming from VMs that are connected to secondary networks, such as through Open Virtual Network (OVN)-Kubernetes, or SR-IOV CNI plugins. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability. |
There was a problem hiding this comment.
do we want to mention here about ebpf must be in privileged mode to be inline with what you have SRIOV? I see you have already mentioned as pre-requisite.
There was a problem hiding this comment.
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks, such as through Open Virtual Network (OVN)-Kubernetes, or SR-IOV CNI plugins. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability. | |
| You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to secondary networks. Network flows coming from VMs that are connected to the default internal pod network are automatically captured by Network Observability. |
I would remove the mention of SRIOV here as it's not the goal in VMs
There was a problem hiding this comment.
do we want to mention here about ebpf must be in privileged mode to be inline with what you have SRIOV? I see you have already mentioned as pre-requisite.
Since its a prerequisite and also a code callout, i think mentioning it in two places is good enough.
| advanced: | ||
| secondaryNetworks: | ||
| - index: <2> | ||
| - Interface |
There was a problem hiding this comment.
In example, I'd suggest only show MAC index and add IP and Interface as field as simply note.
There was a problem hiding this comment.
+1, it will be more obvious for the user
There was a problem hiding this comment.
Okay I added IP and Interface as part of the callout <2> text and removed them from the example yaml + corresponding callouts.
| name: my-vms/l2-network <5> | ||
| # ... | ||
| ---- | ||
| <.> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. |
There was a problem hiding this comment.
| <.> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. | |
| <.> Ensure that the ebpf agent is in `privileged` mode so that the flows so that flows are collected for secondary interfaces |
| # ... | ||
| ---- | ||
| <.> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. | ||
| <.> Define the fields to use for indexing the virtual machine launcher pods. These should form a unique identifier across the cluster according to the fields available in `k8s.v1.cni.cncf.io/network-status` annotation. Not all secondary networks have all the index fields in this example. Ensure that only the fields that are annotated in your secondary interface are listed here and if they are not annotated, they are removed. |
There was a problem hiding this comment.
I don't understand existing sentence. I'd suggest something like below instead
| <.> Define the fields to use for indexing the virtual machine launcher pods. These should form a unique identifier across the cluster according to the fields available in `k8s.v1.cni.cncf.io/network-status` annotation. Not all secondary networks have all the index fields in this example. Ensure that only the fields that are annotated in your secondary interface are listed here and if they are not annotated, they are removed. | |
| <.> Define the fields to use for indexing the virtual machine launcher pods. It is recommended to use MAC address as indexing field to get network flows enrichment for secondary interfaces. If you have overlapping MAC address between pods then additional indexing fields such as IP and Interface could be added to have accurate enrichment. |
There was a problem hiding this comment.
Addressed, thanks for the suggestion.
| <.> If your additional network information has a MAC address, specify it here. | ||
| <.> If your additional network information has an IP address, specify it here. | ||
| <.> Specify the name of the network found in `k8s.v1.cni.cncf.io/network-status` annotation. Usually <namespace>/<network_attachement_definition_name>. | ||
|
|
There was a problem hiding this comment.
Even though you have omitted index by Interface here, but if users see this example and use Interface as indexing field they will not get enrichment since when the flows are captured it matches interface name partially just for the hex portion of it between what's published in annotation and what ebpf sees. Therefore it's important we only mention MAC index as an example and add a note about IP and Interface.
There was a problem hiding this comment.
Got it and addressed as part of your other comment on this. I was initially thinking I could try to make it clear in the callouts that they would need to be careful to omit any of the index fields that weren't relevant to their secondary interface, but I see your point about the risk if they copy our sample and use it without actually reading all the callouts.
| <.> If your additional network information has an IP address, specify it here. | ||
| <.> Specify the name of the network found in `k8s.v1.cni.cncf.io/network-status` annotation. Usually <namespace>/<network_attachement_definition_name>. | ||
|
|
||
| . Ping from one VM to another for secondary interface IP. |
There was a problem hiding this comment.
I think this is not required for users to do. We do that for testing.
There was a problem hiding this comment.
Got it, will remove.
| .Verification | ||
| . Navigate to the *Network Traffic* page. | ||
| . Filter by *Source* IP using your virtual machine IP found in `k8s.v1.cni.cncf.io/network-status` annotation. | ||
| . View both *Source* and *Destination* fields should enriched identifying VM launcher Pods and VM instance as Owners |
There was a problem hiding this comment.
Instead of "verification" could we say something like "Observe VM Traffic" and after Navigate to the Network Traffic page bullet:
- filter by Source/Destination Owner name == VM name to view traffic from/to those VMs
There was a problem hiding this comment.
This could even be a new section, more generic, giving the summary of any scenario (SRIOV & VMs)
There was a problem hiding this comment.
Yeah I can make it a step with substeps. For the sake of time, I'll just do that instead of making a new section for both bc that would technically need to be a new module
| <.> If your additional network information has a MAC address, specify it here. | ||
| <.> If your additional network information has an IP address, specify it here. |
There was a problem hiding this comment.
| <.> If your additional network information has a MAC address, specify it here. | |
| <.> If your additional network information has an IP address, specify it here. | |
| <.> If your additional network information has a MAC address, add `MAC` to the field list. | |
| <.> If your additional network information has an IP address, add `IP` to the field list. |
The specify it here mentions are confusing to me. I feel it requires to fill the values found in the pod annotation instead of the field names.
There was a problem hiding this comment.
Makes sense. Added your suggestion
skrthomas
force-pushed
the
OSDOCS-10877
branch
2 times, most recently
from
aa3b3f9 to
4360107
Compare
|
|
||
| .Prerequisites | ||
| * Access to an {product-title} cluster with an additional network interface, such as a secondary interface or an L2 network. | ||
| * The `spec.agent.ebpf.privileged` field must be set to `true`. |
There was a problem hiding this comment.
This shouldn't be considered a prerequisite since it's providing the instructions to do this in the two scenarios below.
skrthomas
force-pushed
the
OSDOCS-10877
branch
from
4360107 to
9efabd6
Compare
skrthomas
added
the
peer-review-needed
|
@skrthomas: This pull request references OSDOCS-10877 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/label peer-review-in-progress |
openshift-ci
bot
added
the
peer-review-in-progress
observability/network_observability/network-observability-secondary-networks.adoc
Outdated
Show resolved
Hide resolved
observability/network_observability/network-observability-secondary-networks.adoc
Outdated
Show resolved
Hide resolved
observability/network_observability/network-observability-secondary-networks.adoc
Outdated
Show resolved
Hide resolved
observability/network_observability/network-observability-secondary-networks.adoc
Outdated
Show resolved
Hide resolved
modules/network-observability-virtualization-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/network-observability-virtualization-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/network-observability-virtualization-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/network-observability-virtualization-configuration.adoc
Outdated
Show resolved
Hide resolved
|
/label peer-review-done |
openshift-ci
bot
added
peer-review-done
skrthomas
force-pushed
the
OSDOCS-10877
branch
from
9efabd6 to
6c640cc
Compare
openshift-ci
bot
added
the
qe-approved
|
@skrthomas: This pull request references OSDOCS-10877 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
skrthomas
force-pushed
the
OSDOCS-10877
branch
from
6c640cc to
7c8b771
Compare
|
@skrthomas: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
skrthomas
added
the
merge-review-needed
jab-rh
removed
the
merge-review-needed
Version(s):
Merge only to no-1.7. On GA 10/21/24, Sara will open a branch to integrate no-1.7 with main, and that branch will go to 4.12+.
Issue:
https://issues.redhat.com/browse/OSDOCS-10877
Link to docs preview:
https://83105--ocpdocs-pr.netlify.app/openshift-enterprise/latest/observability/network_observability/network-observability-secondary-networks
QE review:
Additional information: