  1. Network Observability
  2. NETOBSERV-2223

Pod2Pod flows don't have IPSec fields

    • Bug
    • Resolution: Unresolved
    • Major
    • eBPF
    • NetObserv - Sprint 270, NetObserv - Sprint 271

      Description of problem:

      Pod2Pod flows (cross-node) don't have IPSec fields set in them; only node-level traffic shows IPSec fields.

      Steps to Reproduce:

      1. Enable IPSec in cluster 
      oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{"mode":  "Full" }}}}}' 
      2. Deploy NetObserv with IPSec feature in eBPF.
      3.
      

      Actual results:

      Node-level flows have IPSec fields but are seen as partial flows:

      {
        "AgentIP": "10.0.44.55",
        "Dscp": 0,
        "DstAddr": "10.0.34.193",
        "DstK8S_HostIP": "10.0.34.193",
        "DstK8S_HostName": "ip-10-0-34-193.us-east-2.compute.internal",
        "DstK8S_Name": "ip-10-0-34-193.us-east-2.compute.internal",
        "DstK8S_NetworkName": "primary",
        "DstK8S_OwnerName": "ip-10-0-34-193.us-east-2.compute.internal",
        "DstK8S_OwnerType": "Node",
        "DstK8S_Type": "Node",
        "DstMac": "00:00:00:00:00:00",
        "DstPort": 6081,
        "DstSubnetLabel": "Machines",
        "Etype": 2048,
        "FlowDirection": "1",
        "IPSecRetCode": 0,
        "IPSecSuccess": true,
        "IfDirections": [
          0
        ],
        "Interfaces": [
          "unknown"
        ],
        "K8S_FlowLayer": "infra",
        "Proto": 17,
        "SrcAddr": "10.0.44.55",
        "SrcK8S_HostIP": "10.0.44.55",
        "SrcK8S_HostName": "ip-10-0-44-55.us-east-2.compute.internal",
        "SrcK8S_Name": "ip-10-0-44-55.us-east-2.compute.internal",
        "SrcK8S_NetworkName": "primary",
        "SrcK8S_OwnerName": "ip-10-0-44-55.us-east-2.compute.internal",
        "SrcK8S_OwnerType": "Node",
        "SrcK8S_Type": "Node",
        "SrcMac": "00:00:00:00:00:00",
        "SrcPort": 24994,
        "SrcSubnetLabel": "Machines",
        "TimeFlowEndMs": 1744818885429,
        "TimeFlowStartMs": 1744818881333,
        "TimeReceived": 1744818885,
        "Udns": [
          ""
        ],
        "app": "netobserv-flowcollector"
      } 

      Pod2Pod flows don't have IPSec fields:

      {
        "AgentIP": "10.0.34.193",
        "Bytes": 490,
        "Dscp": 0,
        "DstAddr": "10.128.0.40",
        "DstK8S_HostIP": "10.0.44.55",
        "DstK8S_HostName": "ip-10-0-44-55.us-east-2.compute.internal",
        "DstK8S_Name": "hello-daemonset-994hc",
        "DstK8S_Namespace": "test-client",
        "DstK8S_NetworkName": "primary",
        "DstK8S_OwnerName": "hello-daemonset",
        "DstK8S_OwnerType": "DaemonSet",
        "DstK8S_Type": "Pod",
        "DstMac": "0A:58:A9:FE:01:01",
        "DstSubnetLabel": "Pods",
        "Etype": 2048,
        "FlowDirection": "1",
        "IcmpCode": 0,
        "IcmpType": 0,
        "IfDirections": [
          0,
          1,
          0,
          1
        ],
        "Interfaces": [
          "0b34e47bcaa77bf",
          "genev_sys_6081",
          "genev_sys_6081",
          "b2ab3c67a872840"
        ],
        "K8S_FlowLayer": "app",
        "Packets": 5,
        "Proto": 1,
        "SrcAddr": "10.131.0.21",
        "SrcK8S_HostIP": "10.0.34.193",
        "SrcK8S_HostName": "ip-10-0-34-193.us-east-2.compute.internal",
        "SrcK8S_Name": "hello-daemonset-8hrkk",
        "SrcK8S_Namespace": "test-client",
        "SrcK8S_NetworkName": "primary",
        "SrcK8S_OwnerName": "hello-daemonset",
        "SrcK8S_OwnerType": "DaemonSet",
        "SrcK8S_Type": "Pod",
        "SrcMac": "0A:58:0A:83:00:15",
        "SrcSubnetLabel": "Pods",
        "TimeFlowEndMs": 1744819012405,
        "TimeFlowStartMs": 1744819008309,
        "TimeReceived": 1744819012,
        "Udns": [
          ""
        ],
        "app": "netobserv-flowcollector"
      } 

      Expected results:

      Pod2Pod/application flows should also have IPSec status.

       

      Slack discussion: https://redhat-internal.slack.com/archives/C02939DP5L5/p1744818947647149 
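
      Added example (not part of the original report and not NetObserv code): a check over exported flow records, in the JSON shape shown above, that flags cross-node pod-to-pod flows carrying no IPSecRetCode/IPSecSuccess fields. The JSON-lines input, the verdict names and the rule that a record without Bytes/Packets counts as partial are assumptions; the sample records are trimmed from the two above or constructed.

```python
import json

IPSEC_FIELDS = ("IPSecRetCode", "IPSecSuccess")

def classify(flow):
    """Return an IPSec-visibility verdict for one enriched flow record (a dict)."""
    has_ipsec = all(name in flow for name in IPSEC_FIELDS)
    # Assumption: a record with no Bytes/Packets counters is a partial flow,
    # as in the node-level sample in the report.
    partial = "Bytes" not in flow and "Packets" not in flow
    pod2pod = flow.get("SrcK8S_Type") == "Pod" and flow.get("DstK8S_Type") == "Pod"
    src, dst = flow.get("SrcK8S_HostIP"), flow.get("DstK8S_HostIP")
    cross_node = bool(src and dst and src != dst)
    if has_ipsec:
        if flow["IPSecSuccess"] is not True:
            return "ipsec-failed"
        return "ipsec-ok-partial" if partial else "ipsec-ok"
    if pod2pod and cross_node:
        return "missing-ipsec-status"  # the gap this issue reports
    return "not-applicable"  # same-node or non-pod traffic without IPSec fields

def audit(lines):
    """Classify JSON-lines records; return (verdict counts, pod pairs lacking status)."""
    counts, missing = {}, []
    for line in lines:
        try:
            flow = json.loads(line)
        except json.JSONDecodeError:
            flow = None
        verdict = classify(flow) if isinstance(flow, dict) else "unparseable"
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict == "missing-ipsec-status":
            missing.append((flow.get("SrcK8S_Name"), flow.get("DstK8S_Name")))
    return counts, missing

SAMPLE = [  # constructed input: records 1-2 trimmed from the report, 3-4 invented
    '{"SrcK8S_Type":"Node","DstK8S_Type":"Node","SrcK8S_HostIP":"10.0.44.55",'
    '"DstK8S_HostIP":"10.0.34.193","DstPort":6081,"IPSecRetCode":0,"IPSecSuccess":true}',
    '{"SrcK8S_Type":"Pod","DstK8S_Type":"Pod","SrcK8S_HostIP":"10.0.34.193",'
    '"DstK8S_HostIP":"10.0.44.55","SrcK8S_Name":"hello-daemonset-8hrkk",'
    '"DstK8S_Name":"hello-daemonset-994hc","Bytes":490,"Packets":5}',
    '{"SrcK8S_Type":"Pod","DstK8S_Type":"Pod","SrcK8S_HostIP":"10.0.34.193",'
    '"DstK8S_HostIP":"10.0.34.193","SrcK8S_Name":"pod-a","DstK8S_Name":"pod-b","Bytes":64}',
    '{"SrcK8S_Type":"Pod",',  # truncated line, counted as unparseable
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```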

              Unassigned Unassigned
              rhn-support-memodi Mehul Modi