Logging network policy events

    The OVN-Kubernetes cluster network provider uses Open Virtual Network (OVN) ACLs to manage network policy. Audit logging exposes allow and deny ACL events.

    You can configure the destination for network policy audit logs, such as a syslog server or a UNIX domain socket. Regardless of any additional configuration, an audit log is always saved to /var/log/ovn/acl-audit-log.log on each OVN-Kubernetes pod in the cluster.

    Network policy audit logging is enabled per namespace by annotating the namespace with the k8s.ovn.org/acl-logging key as in the following example:

    Example namespace annotation

    kind: Namespace
    apiVersion: v1
    metadata:
      name: <namespace>
      annotations:
        k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "notice" }'

    The logging format is compatible with syslog as defined by RFC5424. The syslog facility is configurable and defaults to local0. An example log entry might resemble the following:

    Example ACL deny log entry

    2021-06-13T19:33:11.590Z|00005|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0

    The following table describes the namespace annotation and its values:

    Table 1. Network policy audit logging namespace annotation

    Annotation: k8s.ovn.org/acl-logging

    Value: A JSON object with the keys deny and allow. You must specify at least one of deny or allow, or both, to enable network policy audit logging for a namespace.

      deny

        Optional: Specify alert, warning, notice, info, or debug. This is the severity recorded for entries of denied (dropped) traffic.

      allow

        Optional: Specify alert, warning, notice, info, or debug. This is the severity recorded for entries of allowed traffic.

    Network policy audit configuration

    The configuration for audit logging is specified as part of the OVN-Kubernetes cluster network provider configuration. The following YAML illustrates the default values for the network policy audit logging feature.

    Audit logging configuration

    apiVersion: operator.openshift.io/v1
    kind: Network
    metadata:
      name: cluster
    spec:
      defaultNetwork:
        ovnKubernetesConfig:
          policyAuditConfig:
            # "null" means no additional destination; the per-pod log file is always written
            destination: "null"
            # maximum size of the audit log file before it is rotated
            maxFileSize: 50
            # maximum number of audit messages logged per second
            rateLimit: 20
            # syslog facility as defined by RFC5424
            syslogFacility: local0

    The following table describes the configuration fields for network policy audit logging.

    Configuring network policy audit logging for a cluster

    As a cluster administrator, you can customize network policy audit logging for your cluster.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in to the cluster with a user with cluster-admin privileges.

    Procedure

    • To customize the network policy audit logging configuration, enter the following command:

      $ oc edit network.operator.openshift.io/cluster

      You can alternatively customize and apply the following YAML to configure audit logging:

      apiVersion: operator.openshift.io/v1
      kind: Network
      metadata:
        name: cluster
      spec:
        defaultNetwork:
          ovnKubernetesConfig:
            policyAuditConfig:
              destination: "null"
              maxFileSize: 50
              rateLimit: 20
              syslogFacility: local0

    Verification

    1. To create a namespace with network policies, complete the following steps:

      1. Create a namespace for verification:

        $ cat <<EOF| oc create -f -
        kind: Namespace
        apiVersion: v1
        metadata:
          name: verify-audit-logging
          annotations:
            k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert" }'
        EOF

        Example output

        namespace/verify-audit-logging created

      2. Enable audit logging:

        $ oc annotate namespace verify-audit-logging k8s.ovn.org/acl-logging='{ "deny": "alert", "allow": "alert" }'

        Example output

        namespace/verify-audit-logging annotated

      3. Create network policies for the namespace:

        Example output

        networkpolicy.networking.k8s.io/deny-all created
        networkpolicy.networking.k8s.io/allow-from-same-namespace created

    2. Create a pod for source traffic in the default namespace:

      $ cat <<EOF| oc create -n default -f -
      apiVersion: v1
      kind: Pod
      metadata:
        name: client
      spec:
        containers:
          - name: client
            image: registry.access.redhat.com/rhel7/rhel-tools
            command: ["/bin/sh", "-c"]
            args:
              ["sleep inf"]
      EOF

    3. Create two pods in the verify-audit-logging namespace:

      $ for name in client server; do
      cat <<EOF| oc create -n verify-audit-logging -f -
      apiVersion: v1
      kind: Pod
      metadata:
        name: ${name}
      spec:
        containers:
          - name: ${name}
            image: registry.access.redhat.com/rhel7/rhel-tools
            command: ["/bin/sh", "-c"]
            args:
              ["sleep inf"]
      EOF
      done

      Example output

      pod/client created
      pod/server created

    4. To generate traffic and produce network policy audit log entries, complete the following steps:

      1. Obtain the IP address of the pod named server in the verify-audit-logging namespace:

        $ POD_IP=$(oc get pods server -n verify-audit-logging -o jsonpath='{.status.podIP}')

      2. Ping the IP address saved in the POD_IP shell environment variable from the pod named client in the verify-audit-logging namespace and confirm that all packets are allowed:

        $ oc exec -it client -n verify-audit-logging -- /bin/ping -c 2 $POD_IP

    5. Display the latest entries in the network policy audit log:

      $ for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node --no-headers=true | awk '{ print $1 }') ; do
      oc exec -it $pod -n openshift-ovn-kubernetes -- tail -4 /var/log/ovn/acl-audit-log.log
      done

      Example output

      Defaulting container name to ovn-controller.
      Use 'oc describe pod/ovnkube-node-hdb8v -n openshift-ovn-kubernetes' to see all of the containers in this pod.
      2021-06-13T19:33:11.590Z|00005|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
      2021-06-13T19:33:12.614Z|00006|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
      2021-06-13T19:44:10.037Z|00007|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_allow-from-same-namespace_0", verdict=allow, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:3b,dl_dst=0a:58:0a:80:02:3a,nw_src=10.128.2.59,nw_dst=10.128.2.58,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
      2021-06-13T19:44:11.037Z|00008|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_allow-from-same-namespace_0", verdict=allow, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:3b,dl_dst=0a:58:0a:80:02:3a,nw_src=10.128.2.59,nw_dst=10.128.2.58,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
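    The acl_log entry format described in "Logging network policy events" and the tail output shown in the verification step above are easy to consume with a small parser. The following Python is an added example, not part of the OpenShift documentation or the OVN-Kubernetes project. It splits each entry into the timestamp, ACL name, verdict, severity and the flow fields, derives the namespace and policy from the ACL name (Kubernetes namespace names cannot contain an underscore, so the first underscore is a safe separator; treating the trailing "_0" on allow rules as a per-rule index is an assumption), and counts drop verdicts per namespace, policy and source/destination pair. The sample input is constructed from the entries shown above plus the "Defaulting container name" lines that oc exec prints and one malformed line, so the non-entry lines are skipped rather than miscounted.

```python
"""Parse OVN ACL audit log (acl_log) entries and summarise drop verdicts."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the entries from the verification output above, the two
# informational lines that `oc exec` prints, and one malformed line.
SAMPLE_OUTPUT = """\
Defaulting container name to ovn-controller.
Use 'oc describe pod/ovnkube-node-hdb8v -n openshift-ovn-kubernetes' to see all of the containers in this pod.
2021-06-13T19:33:11.590Z|00005|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
2021-06-13T19:33:12.614Z|00006|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
2021-06-13T19:44:10.037Z|00007|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_allow-from-same-namespace_0", verdict=allow, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:3b,dl_dst=0a:58:0a:80:02:3a,nw_src=10.128.2.59,nw_dst=10.128.2.58,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
2021-06-13T19:44:11.037Z|00008|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_allow-from-same-namespace_0", verdict=allow, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:3b,dl_dst=0a:58:0a:80:02:3a,nw_src=10.128.2.59,nw_dst=10.128.2.58,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
2021-06-13T19:44:12.000Z|00009|acl_log(ovn_pinctrl0)|INFO|garbage
"""

# <timestamp>|<seq>|acl_log(<source>)|<level>|name="<ns>_<policy>", verdict=<v>, severity=<s>: <proto>,<k=v>,...
ACL_LOG_RE = re.compile(
    r'^(?P<ts>[^|]+)\|(?P<seq>\d+)\|acl_log\((?P<source>[^)]*)\)\|(?P<level>\w+)\|'
    r'name="(?P<name>[^"]*)", verdict=(?P<verdict>\w+), severity=(?P<severity>\w+): '
    r'(?P<proto>\w+)(?:,(?P<fields>.*))?$'
)


@dataclass
class AclEvent:
    timestamp: str
    namespace: str
    policy: str
    verdict: str
    severity: str
    proto: str
    fields: dict = field(default_factory=dict)


def _split_name(name):
    # Namespace names are DNS labels and cannot contain '_', so the first
    # underscore separates the namespace from the policy name. The trailing
    # "_<n>" seen on the allow rule in the sample output is assumed to be a
    # per-rule index and is stripped so entries group by policy.
    namespace, _, policy = name.partition("_")
    return namespace, re.sub(r"_\d+$", "", policy)


def parse_acl_log_line(line):
    """Return an AclEvent for an acl_log entry, or None for any other line."""
    m = ACL_LOG_RE.match(line.strip())
    if not m:
        return None
    namespace, policy = _split_name(m.group("name"))
    fields = {}
    for kv in (m.group("fields") or "").split(","):
        key, sep, value = kv.partition("=")
        if sep:  # ignore fragments without '=' (e.g. a truncated tail)
            fields[key] = value
    return AclEvent(m.group("ts"), namespace, policy, m.group("verdict"),
                    m.group("severity"), m.group("proto"), fields)


def summarize(lines):
    """Parse all lines and return (events, drop_counts, skipped).

    drop_counts is a Counter keyed by (namespace, policy, nw_src, nw_dst);
    skipped counts non-empty lines that are not acl_log entries.
    """
    events, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_acl_log_line(line)
        if event is None:
            skipped += 1
            continue
        events.append(event)
    drops = Counter(
        (e.namespace, e.policy, e.fields.get("nw_src"), e.fields.get("nw_dst"))
        for e in events if e.verdict == "drop"
    )
    return events, drops, skipped


if __name__ == "__main__":
    events, drops, skipped = summarize(SAMPLE_OUTPUT.splitlines())
    print(f"{len(events)} ACL events parsed, {skipped} non-ACL lines skipped")
    for (ns, policy, src, dst), n in drops.most_common():
        print(f"{n:3d} drops  namespace={ns} policy={policy} {src} -> {dst}")
```

    Feed it the output of the tail loop above (or the whole /var/log/ovn/acl-audit-log.log) on stdin and the drop summary shows which policy is rejecting which source; a sudden rise in drops for one source address is the kind of signal worth forwarding from the syslog destination to a SIEM.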

    Enabling network policy audit logging for a namespace

    As a cluster administrator, you can enable network policy audit logging for a namespace.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in to the cluster with a user with cluster-admin privileges.

    Procedure

    • To enable network policy audit logging for a namespace, enter the following command:

      $ oc annotate namespace <namespace> \
      k8s.ovn.org/acl-logging='{ "deny": "alert", "allow": "notice" }'

      where:

      <namespace>

      Specifies the name of the namespace.

      Example output

      namespace/verify-audit-logging annotated

    Verification

    • Display the latest entries in the network policy audit log:

      $ for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node --no-headers=true | awk '{ print $1 }') ; do
      oc exec -it $pod -n openshift-ovn-kubernetes -- tail -4 /var/log/ovn/acl-audit-log.log
      done

      Example output

      2021-06-13T19:33:11.590Z|00005|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0

    Disabling network policy audit logging for a namespace

    As a cluster administrator, you can disable network policy audit logging for a namespace.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in to the cluster with a user with cluster-admin privileges.

    Procedure

    • To disable network policy audit logging for a namespace, enter the following command:

      $ oc annotate --overwrite namespace <namespace> k8s.ovn.org/acl-logging={}

      where:

      <namespace>

      Specifies the name of the namespace.

      You can alternatively apply the following YAML to disable audit logging:

      Example output

      namespace/verify-audit-logging annotated
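    The annotation contract from Table 1 and the enable and disable procedures above (at least one of deny or allow, one of the five severities, and {} to turn logging off) can be checked before and after running oc annotate. The following Python is an added example, not part of the OpenShift documentation or of OVN-Kubernetes: it builds the annotation value, audits the metadata.annotations map of a namespace as returned by oc get namespace -o json, and assembles the oc annotate argument vector (always with --overwrite, unlike the enable command above, which is an assumption made here so the same helper serves both enabling and disabling).

```python
"""Build, check and apply the k8s.ovn.org/acl-logging namespace annotation."""
import json

ANNOTATION_KEY = "k8s.ovn.org/acl-logging"
SEVERITIES = ("alert", "warning", "notice", "info", "debug")
VERDICT_KEYS = ("deny", "allow")


def build_acl_logging_annotation(deny=None, allow=None):
    """Return the JSON annotation value for the given severities.

    Passing neither deny nor allow yields "{}", the value the disable
    procedure applies. An unknown severity is rejected up front rather than
    silently producing an annotation that enables nothing.
    """
    value = {}
    for key, severity in (("deny", deny), ("allow", allow)):
        if severity is None:
            continue
        if severity not in SEVERITIES:
            raise ValueError(f"{key}: {severity!r} is not one of {SEVERITIES}")
        value[key] = severity
    return json.dumps(value)


def check_acl_logging_annotation(annotations):
    """Audit a namespace's metadata.annotations dict.

    Returns (enabled, problems). enabled is True only when the annotation
    parses as a JSON object and names a valid severity for deny, allow, or
    both; problems lists anything a reviewer should fix.
    """
    raw = annotations.get(ANNOTATION_KEY)
    if raw is None:
        return False, []  # never annotated: logging off for this namespace
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"]
    if not isinstance(value, dict):
        return False, ["value must be a JSON object"]
    problems = [f"unknown key {k!r}" for k in value if k not in VERDICT_KEYS]
    problems += [
        f"{k}: {v!r} is not one of {SEVERITIES}"
        for k, v in value.items() if k in VERDICT_KEYS and v not in SEVERITIES
    ]
    if not any(k in value for k in VERDICT_KEYS):
        return False, problems  # {} (the disable value) or only unknown keys
    return not problems, problems


def oc_annotate_command(namespace, deny=None, allow=None):
    """Argument vector for oc that sets or clears the annotation.

    Returning argv (for subprocess.run) instead of a shell string avoids
    quoting mistakes with the braces and quotes in the JSON value.
    """
    value = build_acl_logging_annotation(deny=deny, allow=allow)
    return ["oc", "annotate", "--overwrite", "namespace", namespace,
            f"{ANNOTATION_KEY}={value}"]


if __name__ == "__main__":
    # Constructed sample of what `oc get namespace ... -o json` might return.
    sample_namespace = {"metadata": {"name": "verify-audit-logging",
                        "annotations": {ANNOTATION_KEY: '{ "deny": "alert", "allow": "alert" }'}}}
    enabled, problems = check_acl_logging_annotation(sample_namespace["metadata"]["annotations"])
    print("audit logging enabled:", enabled, "problems:", problems)
    print(" ".join(oc_annotate_command("verify-audit-logging", deny="alert", allow="notice")))
    print(" ".join(oc_annotate_command("verify-audit-logging")))  # disables logging
```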
