Tracking network flows

As a cluster administrator, you can collect information about pod network flows from your cluster to assist with the following areas:

  • Monitor ingress and egress traffic on the pod network.

  • Troubleshoot performance issues.

  • Gather data for capacity planning and security audits.

When you enable the collection of the network flows, only the metadata about the traffic is collected. For example, packet data is not collected, but the protocol, source address, destination address, port numbers, number of bytes, and other packet-level information is collected.

The data is collected in one or more of the following record formats:

  • NetFlow

  • sFlow

  • IPFIX

When you configure the Cluster Network Operator (CNO) with one or more collector IP addresses and port numbers, the Operator configures Open vSwitch (OVS) on each node to send the network flows records to each collector.

You can configure the Operator to send records to more than one type of network flow collector. For example, you can send records to NetFlow collectors and also send records to sFlow collectors.

When OVS sends data to the collectors, each type of collector receives identical records. For example, if you configure two NetFlow collectors, OVS on a node sends identical records to the two collectors. If you also configure two sFlow collectors, the two sFlow collectors receive identical records. However, each collector type has a unique record format.

Collecting the network flows data and sending the records to collectors affects performance. Nodes process packets at a slower rate. If the performance impact is too great, you can delete the destinations for collectors to disable collecting network flows data and restore performance.

Enabling network flow collectors might have an impact on the overall performance of the cluster network.

Network object configuration for tracking network flows

The fields for configuring network flows collectors in the Cluster Network Operator (CNO) are shown in the following table:

Table 1. Network flows configuration
FieldTypeDescription

metadata.name

string

The name of the CNO object. This name is always cluster.

spec.exportNetworkFlows

object

One or more of netFlow, sFlow, or ipfix.

spec.exportNetworkFlows.netFlow.collectors

array

A list of IP address and network port pairs for up to 10 collectors.

spec.exportNetworkFlows.sFlow.collectors

array

A list of IP address and network port pairs for up to 10 collectors.

spec.exportNetworkFlows.ipfix.collectors

array

A list of IP address and network port pairs for up to 10 collectors.

After applying the following manifest to the CNO, the Operator configures Open vSwitch (OVS) on each node in the cluster to send network flows records to the NetFlow collector that is listening at 192.168.1.99:2056.

Example configuration for tracking network flows

  1. apiVersion: operator.openshift.io/v1
  2. kind: Network
  3. metadata:
  4. name: cluster
  5. spec:
  6. exportNetworkFlows:
  7. netFlow:
  8. collectors:
  9. - 192.168.1.99:2056

Adding destinations for network flows collectors

As a cluster administrator, you can configure the Cluster Network Operator (CNO) to send network flows metadata about the pod network to a network flows collector.

Prerequisites

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with cluster-admin privileges.

  • You have a network flows collector and know the IP address and port that it listens on.

Procedure

  1. Create a patch file that specifies the network flows collector type and the IP address and port information of the collectors:

    1. spec:
    2. exportNetworkFlows:
    3. netFlow:
    4. collectors:
    5. - 192.168.1.99:2056
  2. Configure the CNO with the network flows collectors:

    1. $ oc patch network.operator cluster --type merge -p "$(cat <file_name>.yaml)"

    Example output

    1. network.operator.openshift.io/cluster patched

Verification

Verification is not typically necessary. You can run the following command to confirm that Open vSwitch (OVS) on each node is configured to send network flows records to one or more collectors.

  1. View the Operator configuration to confirm that the exportNetworkFlows field is configured:

    1. $ oc get network.operator cluster -o jsonpath="{.spec.exportNetworkFlows}"

    Example output

    1. {"netFlow":{"collectors":["192.168.1.99:2056"]}}
  2. View the network flows configuration in OVS from each node:

    1. $ for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node -o jsonpath='{range@.items[*]}{.metadata.name}{"\n"}{end}');
    2. do ;
    3. echo;
    4. echo $pod;
    5. oc -n openshift-ovn-kubernetes exec -c ovnkube-node $pod \
    6. -- bash -c 'for type in ipfix sflow netflow ; do ovs-vsctl find $type ; done';
    7. done

    Example output

    1. ovnkube-node-xrn4p
    2. _uuid : a4d2aaca-5023-4f3d-9400-7275f92611f9
    3. active_timeout : 60
    4. add_id_to_interface : false
    5. engine_id : []
    6. engine_type : []
    7. external_ids : {}
    8. targets : ["192.168.1.99:2056"]
    9. ovnkube-node-z4vq9
    10. _uuid : 61d02fdb-9228-4993-8ff5-b27f01a29bd6
    11. active_timeout : 60
    12. add_id_to_interface : false
    13. engine_id : []
    14. engine_type : []
    15. external_ids : {}
    16. targets : ["192.168.1.99:2056"]-
    17. ...

Deleting all destinations for network flows collectors

As a cluster administrator, you can configure the Cluster Network Operator (CNO) to stop sending network flows metadata to a network flows collector.

Prerequisites

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with cluster-admin privileges.

Procedure

  1. Remove all network flows collectors:

    1. $ oc patch network.operator cluster --type='json' \
    2. -p='[{"op":"remove", "path":"/spec/exportNetworkFlows"}]'

    Example output

    1. network.operator.openshift.io/cluster patched

Additional resources

  • [Network [operator.openshift.io/v1]($0abf071c10115298.md#network-operator-openshift-io-v1)]