Configuring the Network Observability Operator

You can update the Flow Collector API resource to configure the Network Observability Operator and its managed components. The Flow Collector is explicitly created during installation. Since this resource operates cluster-wide, only a single FlowCollector is allowed, and it has to be named cluster.

View the FlowCollector resource

You can view and edit YAML directly in the OKD web console.

Procedure

  1. In the web console, navigate to OperatorsInstalled Operators.

  2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.

  3. Select cluster then select the YAML tab. There, you can modify the FlowCollector resource to configure the Network Observability operator.

The following example shows a sample FlowCollector resource for OKD Network Observability operator:

Sample FlowCollector resource

  1. apiVersion: flows.netobserv.io/v1beta1
  2. kind: FlowCollector
  3. metadata:
  4. name: cluster
  5. spec:
  6. namespace: netobserv
  7. deploymentModel: DIRECT
  8. agent:
  9. type: EBPF (1)
  10. ebpf:
  11. sampling: 50 (2)
  12. logLevel: info
  13. privileged: false
  14. resources:
  15. requests:
  16. memory: 50Mi
  17. cpu: 100m
  18. limits:
  19. memory: 800Mi
  20. processor:
  21. logLevel: info
  22. resources:
  23. requests:
  24. memory: 100Mi
  25. cpu: 100m
  26. limits:
  27. memory: 800Mi
  28. conversationEndTimeout: 10s
  29. logTypes: FLOWS (3)
  30. conversationHeartbeatInterval: 30s
  31. loki: (4)
  32. url: 'https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network'
  33. statusUrl: 'https://loki-query-frontend-http.netobserv.svc:3100/'
  34. authToken: FORWARD
  35. tls:
  36. enable: true
  37. caCert:
  38. type: configmap
  39. name: loki-gateway-ca-bundle
  40. certFile: service-ca.crt
  41. namespace: loki-namespace # (5)
  42. consolePlugin:
  43. register: true
  44. logLevel: info
  45. portNaming:
  46. enable: true
  47. portNames:
  48. "3100": loki
  49. quickFilters: (6)
  50. - name: Applications
  51. filter:
  52. src_namespace!: 'openshift-,netobserv'
  53. dst_namespace!: 'openshift-,netobserv'
  54. default: true
  55. - name: Infrastructure
  56. filter:
  57. src_namespace: 'openshift-,netobserv'
  58. dst_namespace: 'openshift-,netobserv'
  59. - name: Pods network
  60. filter:
  61. src_kind: 'Pod'
  62. dst_kind: 'Pod'
  63. default: true
  64. - name: Services network
  65. filter:
  66. dst_kind: 'Service'
1The Agent specification, spec.agent.type, must be EBPF. eBPF is the only OKD supported option.
2You can set the Sampling specification, spec.agent.ebpf.sampling, to manage resources. Lower sampling values might consume a large amount of computational, memory and storage resources. You can mitigate this by specifying a sampling ratio value. A value of 100 means 1 flow every 100 is sampled. A value of 0 or 1 means all flows are captured. The lower the value, the increase in returned flows and the accuracy of derived metrics. By default, eBPF sampling is set to a value of 50, so 1 flow every 50 is sampled. Note that more sampled flows also means more storage needed. It is recommend to start with default values and refine empirically, to determine which setting your cluster can manage.
3The optional specifications spec.processor.logTypes, spec.processor.conversationHeartbeatInterval, and spec.processor.conversationEndTimeout can be set to enable conversation tracking. When enabled, conversation events are queryable in the web console. The values for spec.processor.logTypes are as follows: FLOWS CONVERSATIONS, ENDED_CONVERSATIONS, or ALL. Storage requirements are highest for ALL and lowest for ENDED_CONVERSATIONS.
4The Loki specification, spec.loki, specifies the Loki client. The default values match the Loki install paths mentioned in the Installing the Loki Operator section. If you used another installation method for Loki, specify the appropriate client information for your install.
5The original certificates are copied to the Network Observability instance namespace and watched for updates. When not provided, the namespace defaults to be the same as “spec.namespace”. If you chose to install Loki in a different namespace, you must specify it in the spec.loki.tls.caCert.namespace field. Similarly, the spec.exporters.kafka.tls.caCert.namespace field is available for Kafka installed in a different namespace.
6The spec.quickFilters specification defines filters that show up in the web console. The Application filter keys,src_namespace and dst_namespace, are negated (!), so the Application filter shows all traffic that does not originate from, or have a destination to, any openshift- or netobserv namespaces. For more information, see Configuring quick filters below.

Additional resources

For more information about conversation tracking, see Working with conversations.

Configuring the Flow Collector resource with Kafka

You can configure the FlowCollector resource to use Kafka for high-throughput and low-latency data feeds. A Kafka instance needs to be running, and a Kafka topic dedicated to OKD Network Observability must be created in that instance. For more information, see Kafka documentation with AMQ Streams.

Prerequisites

  • Kafka is installed. Red Hat supports Kafka with AMQ Streams Operator.

Procedure

  1. In the web console, navigate to OperatorsInstalled Operators.

  2. Under the Provided APIs heading for the Network Observability Operator, select Flow Collector.

  3. Select the cluster and then click the YAML tab.

  4. Modify the FlowCollector resource for OKD Network Observability Operator to use Kafka, as shown in the following sample YAML:

Sample Kafka configuration in FlowCollector resource

  1. apiVersion: flows.netobserv.io/v1beta1
  2. kind: FlowCollector
  3. metadata:
  4. name: cluster
  5. spec:
  6. deploymentModel: KAFKA (1)
  7. kafka:
  8. address: "kafka-cluster-kafka-bootstrap.netobserv" (2)
  9. topic: network-flows (3)
  10. tls:
  11. enable: false (4)
1Set spec.deploymentModel to KAFKA instead of DIRECT to enable the Kafka deployment model.
2spec.kafka.address refers to the Kafka bootstrap server address. You can specify a port if needed, for instance kafka-cluster-kafka-bootstrap.netobserv:9093 for using TLS on port 9093.
3spec.kafka.topic should match the name of a topic created in Kafka.
4spec.kafka.tls can be used to encrypt all communications to and from Kafka with TLS or mTLS. When enabled, the Kafka CA certificate must be available as a ConfigMap or a Secret, both in the namespace where the flowlogs-pipeline processor component is deployed (default: netobserv) and where the eBPF agents are deployed (default: netobserv-privileged). It must be referenced with spec.kafka.tls.caCert. When using mTLS, client secrets must be available in these namespaces as well (they can be generated for instance using the AMQ Streams User Operator) and referenced with spec.kafka.tls.userCert.

Export enriched network flow data

You can send network flows to Kafka, IPFIX, or both at the same time. Any processor or storage that supports Kafka or IPFIX input, such as Splunk, Elasticsearch, or Fluentd, can consume the enriched network flow data.

Prerequisites

  • Your Kafka or IPFIX collector endpoint(s) are available from Network Observability flowlogs-pipeline pods.

Procedure

  1. In the web console, navigate to OperatorsInstalled Operators.

  2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.

  3. Select cluster and then select the YAML tab.

  4. Edit the FlowCollector to configure spec.exporters as follows:

    1. apiVersion: flows.netobserv.io/v1alpha1
    2. kind: FlowCollector
    3. metadata:
    4. name: cluster
    5. spec:
    6. exporters:
    7. - type: KAFKA (3)
    8. kafka:
    9. address: "kafka-cluster-kafka-bootstrap.netobserv"
    10. topic: netobserv-flows-export (1)
    11. tls:
    12. enable: false (2)
    13. - type: IPFIX (3)
    14. ipfix:
    15. targetHost: "ipfix-collector.ipfix.svc.cluster.local"
    16. targetPort: 4739
    17. transport: tcp or udp (4)
    1The Network Observability Operator exports all flows to the configured Kafka topic.
    2You can encrypt all communications to and from Kafka with SSL/TLS or mTLS. When enabled, the Kafka CA certificate must be available as a ConfigMap or a Secret, both in the namespace where the flowlogs-pipeline processor component is deployed (default: netobserv). It must be referenced with spec.exporters.tls.caCert. When using mTLS, client secrets must be available in these namespaces as well (they can be generated for instance using the AMQ Streams User Operator) and referenced with spec.exporters.tls.userCert.
    3You can export flows to IPFIX instead of or in conjunction with exporting flows to Kafka.
    4You have the option to specify transport. The default value is tcp but you can also specify udp.
  5. After configuration, network flows data can be sent to an available output in a JSON format. For more information, see Network flows format reference.

Additional resources

For more information about specifying flow format, see Network flows format reference.

Updating the Flow Collector resource

As an alternative to editing YAML in the OKD web console, you can configure specifications, such as eBPF sampling, by patching the flowcollector custom resource (CR):

Procedure

  1. Run the following command to patch the flowcollector CR and update the spec.agent.ebpf.sampling value:

    1. $ oc patch flowcollector cluster --type=json -p "[{"op": "replace", "path": "/spec/agent/ebpf/sampling", "value": <new value>}] -n netobserv"

Configuring quick filters

You can modify the filters in the FlowCollector resource. Exact matches are possible using double-quotes around values. Otherwise, partial matches are used for textual values. The bang (!) character, placed at the end of a key, means negation. See the sample FlowCollector resource for more context about modifying the YAML.

The filter matching types “all of” or “any of” is a UI setting that the users can modify from the query options. It is not part of this resource configuration.

Here is a list of all available filter keys:

Table 1. Filter keys
Universal*SourceDestinationDescription

namespace

src_namespace

dst_namespace

Filter traffic related to a specific namespace.

name

src_name

dst_name

Filter traffic related to a given leaf resource name, such as a specific pod, service, or node (for host-network traffic).

kind

src_kind

dst_kind

Filter traffic related to a given resource kind. The resource kinds include the leaf resource (Pod, Service or Node), or the owner resource (Deployment and StatefulSet).

owner_name

src_owner_name

dst_owner_name

Filter traffic related to a given resource owner; that is, a workload or a set of pods. For example, it can be a Deployment name, a StatefulSet name, etc.

resource

src_resource

dst_resource

Filter traffic related to a specific resource that is denoted by its canonical name, that identifies it uniquely. The canonical notation is kind.namespace.name for namespaced kinds, or node.name for nodes. For example, Deployment.my-namespace.my-web-server.

address

src_address

dst_address

Filter traffic related to an IP address. IPv4 and IPv6 are supported. CIDR ranges are also supported.

mac

src_mac

dst_mac

Filter traffic related to a MAC address.

port

src_port

dst_port

Filter traffic related to a specific port.

host_address

src_host_address

dst_host_address

Filter traffic related to the host IP address where the pods are running.

protocol

N/A

N/A

Filter traffic related to a protocol, such as TCP or UDP.

  • Universal keys filter for any of source or destination. For example, filtering name: 'my-pod' means all traffic from my-pod and all traffic to my-pod, regardless of the matching type used, whether Match all or Match any.

Configuring monitoring for SR-IOV interface traffic

In order to collect traffic from a cluster with a Single Root I/O Virtualization (SR-IOV) device, you must set the FlowCollector spec.agent.ebpf.privileged field to true. Then, the eBPF agent monitors other network namespaces in addition to the host network namespaces, which are monitored by default. When a pod with a virtual functions (VF) interface is created, a new network namespace is created. With SRIOVNetwork policy IPAM configurations specified, the VF interface is migrated from the host network namespace to the pod network namespace.

Prerequisites

  • Access to an OKD cluster with a SR-IOV device.

  • The SRIOVNetwork custom resource (CR) spec.ipam configuration must be set with an IP address from the range that the interface lists or from other plugins.

Procedure

  1. In the web console, navigate to OperatorsInstalled Operators.

  2. Under the Provided APIs heading for the NetObserv Operator, select Flow Collector.

  3. Select cluster and then select the YAML tab.

  4. Configure the FlowCollector custom resource. A sample configuration is as follows:

    Configure FlowCollector for SR-IOV monitoring

    1. apiVersion: flows.netobserv.io/v1alpha1
    2. kind: FlowCollector
    3. metadata:
    4. name: cluster
    5. spec:
    6. namespace: netobserv
    7. deploymentModel: DIRECT
    8. agent:
    9. type: EBPF
    10. ebpf:
    11. privileged: true (1)
    1The spec.agent.ebpf.privileged field value must be set to true to enable SR-IOV monitoring.

Additional resources

For more information about creating the SriovNetwork custom resource, see Creating an additional SR-IOV network attachment with the CNI VRF plugin.

Resource management and performance considerations

The amount of resources required by Network Observability depends on the size of your cluster and your requirements for the cluster to ingest and store observability data. To manage resources and set performance criteria for your cluster, consider configuring the following settings. Configuring these settings might meet your optimal setup and observability needs.

The following settings can help you manage resources and performance from the outset:

eBPF Sampling

You can set the Sampling specification, spec.agent.ebpf.sampling, to manage resources. Smaller sampling values might consume a large amount of computational, memory and storage resources. You can mitigate this by specifying a sampling ratio value. A value of 100 means 1 flow every 100 is sampled. A value of 0 or 1 means all flows are captured. Smaller values result in an increase in returned flows and the accuracy of derived metrics. By default, eBPF sampling is set to a value of 50, so 1 flow every 50 is sampled. Note that more sampled flows also means more storage needed. Consider starting with the default values and refine empirically, in order to determine which setting your cluster can manage.

Restricting or excluding interfaces

Reduce the overall observed traffic by setting the values for spec.agent.ebpf.interfaces and spec.agent.ebpf.excludeInterfaces. By default, the agent fetches all the interfaces in the system, except the ones listed in excludeInterfaces and lo (local interface). Note that the interface names might vary according to the Container Network Interface (CNI) used.

The following settings can be used to fine-tune performance after the Network Observability has been running for a while:

Resource requirements and limits

Adapt the resource requirements and limits to the load and memory usage you expect on your cluster by using the spec.agent.ebpf.resources and spec.processor.resources specifications. The default limits of 800MB might be sufficient for most medium-sized clusters.

Cache max flows timeout

Control how often flows are reported by the agents by using the eBPF agent’s spec.agent.ebpf.cacheMaxFlows and spec.agent.ebpf.cacheActiveTimeout specifications. A larger value results in less traffic being generated by the agents, which correlates with a lower CPU load. However, a larger value leads to a slightly higher memory consumption, and might generate more latency in the flow collection.

Resource considerations

The following table outlines examples of resource considerations for clusters with certain workload sizes.

The examples outlined in the table demonstrate scenarios that are tailored to specific workloads. Consider each example only as a baseline from which adjustments can be made to accommodate your workload needs.

Table 2. Resource recommendations
Extra small (10 nodes)Small (25 nodes)Medium (65 nodes) [2]Large (120 nodes) [2]

Worker Node vCPU and memory

4 vCPUs| 16GiB mem [1]

16 vCPUs| 64GiB mem [1]

16 vCPUs| 64GiB mem [1]

16 vCPUs| 64GiB Mem [1]

LokiStack size

1x.extra-small

1x.small

1x.small

1x.medium

Network Observability controller memory limit

400Mi (default)

400Mi (default)

400Mi (default)

800Mi

eBPF sampling rate

50 (default)

50 (default)

50 (default)

50 (default)

eBPF memory limit

800Mi (default)

800Mi (default)

2000Mi

800Mi (default)

FLP memory limit

800Mi (default)

800Mi (default)

800Mi (default)

800Mi (default)

FLP Kafka partitions

N/A

48

48

48

Kafka consumer replicas

N/A

24

24

24

Kafka brokers

N/A

3 (default)

3 (default)

3 (default)

  1. Tested with AWS M6i instances.

  2. In addition to this worker and its controller, 3 infra nodes (size M6i.12xlarge) and 1 workload node (size M6i.8xlarge) were tested.