You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/posts/2025-11-10-subnet-labels/index.md
+5-22Lines changed: 5 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,7 @@ _Thanks to: (placeholder) for reviewing_
10
10
11
11
Often times, people who are installing NetObserv are especially looking for a solution that monitors the traffic from and to the cluster. For them, in-cluster traffic monitoring only comes as a secondary consideration. NetObserv does not process external traffic in any particular way, by default, internal and external traffic are just regular network traffic, period.
12
12
13
-
The eBPF agents know nothing about the network topology. They see packets, extract the IP addresses and metadata, do some aggregation, and forward that to `flowlogs-pipeline`. They can operate in various contexts, even though we're mostly interested in Kubernetes here, you can run them on your Linux PC if you wish, they're context-agnostic.
13
+
The eBPF agents know nothing about the network topology. They see packets, extract the IP addresses and metadata, do some aggregation, and forward that to `flowlogs-pipeline`. They can operate in various contexts, even though we're mostly interested in Kubernetes here, you can run them on your Linux PC if you wish, they're context-agnostic for everything beyond the host.
14
14
15
15
`flowlogs-pipeline` is context-aware, depending on its configuration. It's the one that knows about Kubernetes, and it uses that knowledge to enrich the network flows with pod names, namespaces, and so on.
16
16
@@ -20,25 +20,9 @@ But again, it doesn't know with absolute certainty what IP should be considered
20
20
21
21
As per [the doc](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecprocessorsubnetlabels), subnet labels "allow to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift, which is used to identify cluster external traffic. When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`."
22
22
23
-
In OpenShift, NetObserv will check the Cluster Network Operator configuration to know which CIDRs are configured for Pods, Services and Nodes. You can verify that:
23
+
In OpenShift, NetObserv checks the Cluster Network Operator configuration to know which CIDRs are configured for Pods, Services and Nodes, then it configures `flowlogs-pipeline` accordingly. You can verify that in the generated configmap:
24
24
25
25
```bash
26
-
# "network" resource is from the cluster network operator configuration
27
-
$ kubectl get networks cluster -ojsonpath='{.spec}'| jq
28
-
{
29
-
(...),
30
-
"clusterNetwork": [
31
-
{
32
-
"cidr": "10.128.0.0/14",
33
-
"hostPrefix": 23
34
-
}
35
-
],
36
-
"serviceNetwork": [
37
-
"172.30.0.0/16"
38
-
]
39
-
}
40
-
41
-
# now, the resulting config map for flowlogs-pipeline
42
26
$ kubectl get cm -n netobserv flowlogs-pipeline-config -ojsonpath='{.data.config\.json}'| jq '.parameters[1].transform.network.subnetLabels'
43
27
[
44
28
{
@@ -62,16 +46,15 @@ $ kubectl get cm -n netobserv flowlogs-pipeline-config -ojsonpath='{.data.config
62
46
]
63
47
```
64
48
65
-
You see from where the "Pods" and "Services" CIDRs are taken. The "Machines" subnet source is different, it comes from the initial k8s configuration.
49
+
Those are the same values that you can find in the `cluster` resource from `networks.config.openshift.io`
66
50
67
51
When you open the Console plugin and configure columns to show the subnet labels, this is what you get:
68
52
69
53
70
54
71
-
Every time `flowlogs-pipeline` has to process a network flow, it checks if the IP belongs to any of the defined subnet, and if so, it associates with the flow the related label.
55
+
Every time `flowlogs-pipeline` has to process a network flow, it checks if the IP belongs to any of the defined subnet, and if so, it associates the flow with the related label.
72
56
73
-
74
-
Although the CIDR configuration mentioned above is the default when running on OpenShift, you can change it as much as you want. For instance, to add more machine networks, you can write in `FlowCollector`:
57
+
This is not just for OpenShift. If you're not running on OpenShift, or if you want to customize the default setup for OpenShift, you can perfectly configure different CIDRs. For instance, to add more machine networks, you can write in `FlowCollector`:
0 commit comments