Add namespace name to antrea network policy logs #3794
Comments
jsalatiel
added
the
kind/feature
|
It's easy enough to add the Namespace / Name for the local Pod (the Pod on which the network policy is applied) to the logs. The Antrea Agent has this information already. However, getting that information for the other endpoint - if it is a Pod - is not really straightforward. The Pod will typically be on a different Node, and the Agent generating the log entry has no knowledge about that Pod, it only has the IP address and doesn't know how to map it to a Pod Namespace & Name. And we want to keep it this way: an Antrea Agent doesn't need to know about Pods running on other Nodes. If all Agents need to know about all Pods, that put some unnecessary load on both the K8s APIs and on the Agents, which have to keep a lot of state up-to-date. I think we are trying to keep audit logs light weight: self-contained and easily generated locally by just the Antrea Agent. For more advanced use cases, we are investing in the Flow Aggregator (and the surrounding Flow Visibility solution). The Aggregator aggregates flow information from all the different Agents, and can report all blocked connections, with full information for each connection (K8s Namespaces, Names, ...), even for Service traffic. See https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md. for an overview. Think of the Flow Aggregator as the Antrea Controller equivalent for network flows. We are very receptive to feedback when it comes to the Flow Aggregator and what helpful features we can build with it. Coming back to your original question: if you are happy with the Namespace & Name of the local endpoint (Pod to which the policy is applied), we can add that to the policy audit logs. However, it will only give you half the information you need to answer your original "question:"
|
antoninbas
added
the
triage/needs-information
|
It would be great to have the namespace/pod name for local on the logs, even if it is only half of the information it would be really helpful if it could be implemented. Also i suppose if both pods are on the same node i will get the full information. |
|
I've justed started to evaluate the usage of ACNP and ACP's, and this was the first major issue that stood out to me. I understand your looking to focus more on the Flow data, but I think prioritising that is a mistake, because
|
|
Thanks for the feedback. I'd like to make the following points though:
That being said, I can understand this request. I am just trying to avoid too much redundancy, and also too much resource consumption by Antrea components. Ideally, what would be the best consumption model for audit logs for you? If we need to add Pod namespace/name, we are likely to do it in a central location (could be the Flow Aggregator, or something else). Should we then expose an API, write the logs to a file, send them to a configurable webhook (like K8s audit events)? |
|
Yes, it seems hard to add remote Pod information for every logged packet, and probably also hard to stream all logs to a central service to add Pod information there. Maybe we can have an async service (in antrea-agent or a separate one) to add information for dropped traffic (assuming dropped traffic is less), and try best to add information for other with some rate control? |
I like the approach of just writing to a file. If it's going to be on a central location, add to a log file in the node running the controller. |
|
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
github-actions
bot
added
the
lifecycle/stale
|
/remove-stale |
github-actions
bot
removed
the
lifecycle/stale
|
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
github-actions
bot
added
the
lifecycle/stale
|
/remove-stale |
tnqn
removed
the
lifecycle/stale
|
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
github-actions
bot
added
the
lifecycle/stale
|
/remove-stale |
antoninbas
removed
the
lifecycle/stale
Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
antoninbas
added
lifecycle/active
Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For #3794 Signed-off-by: Antonin Bas <abas@vmware.com>
…ea-io#4855) Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
|
Now that we have added support for file logging to the FlowAggregator, I think the only remaining ask would be to include the appliedTo (local) Pod namespace/name to audit logs. As a reminder, we do not believe that including the peer Pod namespace/name is a good idea, for scalability reasons. |
|
Great. Which version should it make available? |
File logging is available in the FlowAggregator in Antrea v1.12 |
…ea-io#4855) Flows are written to a local "log" file, in CSV format, with support for log rotation. Not all the fields from the flow records are included. Configuration options include the ability to filter flows based on ingress / egress network policy rule actions (in the future, additional filtering capabilities could be introduced). For antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
We include 2 new fields in the audit logs: * the "direction" of the NP rule (`Ingress` or `Egress`) * the reference of the Pod to which the NP rule is applied (as `<namespace>/<name>`). These new fields are *NOT* added to the end of the logs, which could break existing consumers. We also refactor the e2e tests for AuditLogging to improve correctness and readbility. Some logs were not validated properly because of an early "break" statement, and some log fields (e.g., logLabel) were not validated. Fixes antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
We include 2 new fields in the audit logs: * the "direction" of the NP rule (`Ingress` or `Egress`) * the reference of the Pod to which the NP rule is applied (as `<namespace>/<name>`). These new fields are *NOT* added to the end of the logs, which could break existing consumers. We also refactor the e2e tests for AuditLogging to improve correctness and readbility. Some logs were not validated properly because of an early "break" statement, and some log fields (e.g., logLabel) were not validated. Fixes antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
We include 2 new fields in the audit logs: * the "direction" of the NP rule (`Ingress` or `Egress`) * the reference of the Pod to which the NP rule is applied (as `<namespace>/<name>`). These new fields are *NOT* added to the end of the logs, which could break existing consumers. We also refactor the e2e tests for AuditLogging to improve correctness and readbility. Some logs were not validated properly because of an early "break" statement, and some log fields (e.g., logLabel) were not validated. Fixes antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
We include 2 new fields in the audit logs: * the "direction" of the NP rule (`Ingress` or `Egress`) * the reference of the Pod to which the NP rule is applied (as `<namespace>/<name>`). These new fields are *NOT* added to the end of the logs, which could break existing consumers. We also refactor the e2e tests for AuditLogging to improve correctness and readbility. Some logs were not validated properly because of an early "break" statement, and some log fields (e.g., logLabel) were not validated. Fixes antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
We include 2 new fields in the audit logs: * the "direction" of the NP rule (`Ingress` or `Egress`) * the reference of the Pod to which the NP rule is applied (as `<namespace>/<name>`). These new fields are *NOT* added to the end of the logs, which could break existing consumers. We also refactor the e2e tests for AuditLogging to improve correctness and readbility. Some logs were not validated properly because of an early "break" statement, and some log fields (e.g., logLabel) were not validated. Fixes antrea-io#3794 Signed-off-by: Antonin Bas <abas@vmware.com>
We include 2 new fields in the audit logs: * the "direction" of the NP rule (`Ingress` or `Egress`) * the reference of the Pod to which the NP rule is applied (as `<namespace>/<name>`). These new fields are *NOT* added to the end of the logs, which could break existing consumers. We also refactor the e2e tests for AuditLogging to improve correctness and readbility. Some logs were not validated properly because of an early "break" statement, and some log fields (e.g., logLabel) were not validated. Fixes #3794 Signed-off-by: Antonin Bas <abas@vmware.com>
|
@jsalatiel we have closed this issue, as what we discussed above has been implemented as a reminder, we have the following capabilities:
|
It would be really nice if we could get the namespace name on the antrea network policy logs. I do not even know if this would be possible, but if so it would be a lot more friendly to debug if you see any drops because you can clearly see if those namespaces should be communicating or not.
of course if the traffic comes from/goes to some external entity that should issue a "null" namespace as source or destination.
The text was updated successfully, but these errors were encountered: