Tracking network flows

    • Monitor ingress and egress traffic on the pod network.

    • Troubleshoot performance issues.

    • Gather data for capacity planning and security audits.

    When you enable the collection of the network flows, only the metadata about the traffic is collected. For example, packet data is not collected, but the protocol, source address, destination address, port numbers, number of bytes, and other packet-level information is collected.

    The data is collected in one or more of the following record formats:

    • NetFlow

    • sFlow

    • IPFIX

    When you configure the Cluster Network Operator (CNO) with one or more collector IP addresses and port numbers, the Operator configures Open vSwitch (OVS) on each node to send the network flows records to each collector.

    You can configure the Operator to send records to more than one type of network flow collector. For example, you can send records to NetFlow collectors and also send records to sFlow collectors.

    When OVS sends data to the collectors, each type of collector receives identical records. For example, if you configure two NetFlow collectors, OVS on a node sends identical records to the two collectors. If you also configure two sFlow collectors, the two sFlow collectors receive identical records. However, each collector type has a unique record format.

    Collecting the network flows data and sending the records to collectors affects performance. Nodes process packets at a slower rate. If the performance impact is too great, you can delete the destinations for collectors to disable collecting network flows data and restore performance.

    The fields for configuring network flows collectors in the Cluster Network Operator (CNO) are shown in the following table:

    Table 1. Network flows configuration
    FieldTypeDescription

    string

    The name of the CNO object. This name is always cluster.

    object

    One or more of netFlow, sFlow, or ipfix.

    spec.exportNetworkFlows.netFlow.collectors

    array

    A list of IP address and network port pairs for up to 10 collectors.

    spec.exportNetworkFlows.sFlow.collectors

    array

    A list of IP address and network port pairs for up to 10 collectors.

    spec.exportNetworkFlows.ipfix.collectors

    array

    A list of IP address and network port pairs for up to 10 collectors.

    After applying the following manifest to the CNO, the Operator configures Open vSwitch (OVS) on each node in the cluster to send network flows records to the NetFlow collector that is listening at 192.168.1.99:2056.

    Example configuration for tracking network flows

    As a cluster administrator, you can configure the Cluster Network Operator (CNO) to send network flows metadata about the pod network to a network flows collector.

    Prerequisites

    • You installed the OpenShift CLI (oc).

    • You are logged in to the cluster with a user with privileges.

    Procedure

    1. Create a patch file that specifies the network flows collector type and the IP address and port information of the collectors:

      1. spec:
      2. exportNetworkFlows:
      3. collectors:
      4. - 192.168.1.99:2056
    2. Configure the CNO with the network flows collectors:

      1. $ oc patch network.operator cluster --type merge -p "$(cat <file_name>.yaml)"

      Example output

    Verification

    Verification is not typically necessary. You can run the following command to confirm that Open vSwitch (OVS) on each node is configured to send network flows records to one or more collectors.

    1. View the Operator configuration to confirm that the exportNetworkFlows field is configured:

      1. $ oc get network.operator cluster -o jsonpath="{.spec.exportNetworkFlows}"

      Example output

      1. {"netFlow":{"collectors":["192.168.1.99:2056"]}}
    2. View the network flows configuration in OVS from each node:

      Example output

      1. ovnkube-node-xrn4p
      2. _uuid : a4d2aaca-5023-4f3d-9400-7275f92611f9
      3. active_timeout : 60
      4. add_id_to_interface : false
      5. engine_id : []
      6. engine_type : []
      7. targets : ["192.168.1.99:2056"]
      8. ovnkube-node-z4vq9
      9. _uuid : 61d02fdb-9228-4993-8ff5-b27f01a29bd6
      10. active_timeout : 60
      11. add_id_to_interface : false
      12. engine_id : []
      13. engine_type : []
      14. external_ids : {}
      15. targets : ["192.168.1.99:2056"]-
      16. ...

    As a cluster administrator, you can configure the Cluster Network Operator (CNO) to stop sending network flows metadata to a network flows collector.

    Prerequisites

    • You installed the OpenShift CLI (oc).

    • You are logged in to the cluster with a user with cluster-admin privileges.

    Procedure

    1. Remove all network flows collectors:

      1. $ oc patch network.operator cluster --type='json' \

      Example output

    • [Network [operator.openshift.io/v1]($205d58c88502d2fe.md#network-operator-openshift-io-v1)]