Bug
Resolution: Unresolved
Major
Quality / Stability / Reliability
NetObserv - Sprint 270, NetObserv - Sprint 271
Description of problem:
Pod2Pod flows (cross-nodes) don't have IPSec fields set in them; only node-level traffic shows IPSec fields.
Steps to Reproduce:
1. Enable IPSec in cluster
oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{"mode": "Full" }}}}}'
2. Deploy NetObserv with IPSec feature in eBPF.
3.
Actual results:
Node-level flows have IPSec fields but are seen as partial flows:
{
  "AgentIP": "10.0.44.55",
  "Dscp": 0,
  "DstAddr": "10.0.34.193",
  "DstK8S_HostIP": "10.0.34.193",
  "DstK8S_HostName": "ip-10-0-34-193.us-east-2.compute.internal",
  "DstK8S_Name": "ip-10-0-34-193.us-east-2.compute.internal",
  "DstK8S_NetworkName": "primary",
  "DstK8S_OwnerName": "ip-10-0-34-193.us-east-2.compute.internal",
  "DstK8S_OwnerType": "Node",
  "DstK8S_Type": "Node",
  "DstMac": "00:00:00:00:00:00",
  "DstPort": 6081,
  "DstSubnetLabel": "Machines",
  "Etype": 2048,
  "FlowDirection": "1",
  "IPSecRetCode": 0,
  "IPSecSuccess": true,
  "IfDirections": [
    0
  ],
  "Interfaces": [
    "unknown"
  ],
  "K8S_FlowLayer": "infra",
  "Proto": 17,
  "SrcAddr": "10.0.44.55",
  "SrcK8S_HostIP": "10.0.44.55",
  "SrcK8S_HostName": "ip-10-0-44-55.us-east-2.compute.internal",
  "SrcK8S_Name": "ip-10-0-44-55.us-east-2.compute.internal",
  "SrcK8S_NetworkName": "primary",
  "SrcK8S_OwnerName": "ip-10-0-44-55.us-east-2.compute.internal",
  "SrcK8S_OwnerType": "Node",
  "SrcK8S_Type": "Node",
  "SrcMac": "00:00:00:00:00:00",
  "SrcPort": 24994,
  "SrcSubnetLabel": "Machines",
  "TimeFlowEndMs": 1744818885429,
  "TimeFlowStartMs": 1744818881333,
  "TimeReceived": 1744818885,
  "Udns": [
    ""
  ],
  "app": "netobserv-flowcollector"
}
Pod2Pod flows don't have IPSec fields:
{
  "AgentIP": "10.0.34.193",
  "Bytes": 490,
  "Dscp": 0,
  "DstAddr": "10.128.0.40",
  "DstK8S_HostIP": "10.0.44.55",
  "DstK8S_HostName": "ip-10-0-44-55.us-east-2.compute.internal",
  "DstK8S_Name": "hello-daemonset-994hc",
  "DstK8S_Namespace": "test-client",
  "DstK8S_NetworkName": "primary",
  "DstK8S_OwnerName": "hello-daemonset",
  "DstK8S_OwnerType": "DaemonSet",
  "DstK8S_Type": "Pod",
  "DstMac": "0A:58:A9:FE:01:01",
  "DstSubnetLabel": "Pods",
  "Etype": 2048,
  "FlowDirection": "1",
  "IcmpCode": 0,
  "IcmpType": 0,
  "IfDirections": [
    0,
    1,
    0,
    1
  ],
  "Interfaces": [
    "0b34e47bcaa77bf",
    "genev_sys_6081",
    "genev_sys_6081",
    "b2ab3c67a872840"
  ],
  "K8S_FlowLayer": "app",
  "Packets": 5,
  "Proto": 1,
  "SrcAddr": "10.131.0.21",
  "SrcK8S_HostIP": "10.0.34.193",
  "SrcK8S_HostName": "ip-10-0-34-193.us-east-2.compute.internal",
  "SrcK8S_Name": "hello-daemonset-8hrkk",
  "SrcK8S_Namespace": "test-client",
  "SrcK8S_NetworkName": "primary",
  "SrcK8S_OwnerName": "hello-daemonset",
  "SrcK8S_OwnerType": "DaemonSet",
  "SrcK8S_Type": "Pod",
  "SrcMac": "0A:58:0A:83:00:15",
  "SrcSubnetLabel": "Pods",
  "TimeFlowEndMs": 1744819012405,
  "TimeFlowStartMs": 1744819008309,
  "TimeReceived": 1744819012,
  "Udns": [
    ""
  ],
  "app": "netobserv-flowcollector"
}
Expected results:
Pod2Pod/application flows to also have IPSec status.
Slack discussion: https://redhat-internal.slack.com/archives/C02939DP5L5/p1744818947647149
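A triage check for the gap described in this report, added here as an example (not NetObserv code or part of the original report): it reads exported flow records, one JSON object per line, and flags cross-node flows that lack the IPSec fields as well as flows that carry them but look partial. The function names, the one-record-per-line input format and the "no Bytes and no Packets means partial" rule are assumptions; the sample is built from the two records above.

```python
import json
from collections import Counter

IPSEC_FIELDS = ("IPSecRetCode", "IPSecSuccess")

# Constructed sample: the two records from the report, trimmed to the fields used here.
SAMPLE = """\
{"SrcK8S_Type":"Node","DstK8S_Type":"Node","SrcK8S_HostIP":"10.0.44.55","DstK8S_HostIP":"10.0.34.193","IPSecRetCode":0,"IPSecSuccess":true}
{"SrcK8S_Type":"Pod","DstK8S_Type":"Pod","SrcK8S_HostIP":"10.0.34.193","DstK8S_HostIP":"10.0.44.55","Bytes":490,"Packets":5}
"""


def classify(flow):
    """Return (endpoint_kind, cross_node, ipsec_state, partial) for one flow."""
    kind = f'{flow.get("SrcK8S_Type", "?")}->{flow.get("DstK8S_Type", "?")}'
    src, dst = flow.get("SrcK8S_HostIP"), flow.get("DstK8S_HostIP")
    cross_node = bool(src and dst and src != dst)
    present = [f for f in IPSEC_FIELDS if f in flow]
    if not present:
        state = "missing"
    elif len(present) < len(IPSEC_FIELDS):
        state = "incomplete"
    else:
        state = "ok" if flow["IPSecSuccess"] is True else "failed"
    # Assumption: a flow with neither Bytes nor Packets counts as partial.
    partial = "Bytes" not in flow and "Packets" not in flow
    return kind, cross_node, state, partial


def audit(lines):
    """Tally flows by (kind, cross_node, ipsec_state) and list suspicious ones."""
    summary, findings = Counter(), []
    for lineno, line in enumerate(lines, 1):
        try:
            flow = json.loads(line)
            if not isinstance(flow, dict):
                raise ValueError("not a JSON object")
        except ValueError:  # also covers json.JSONDecodeError and blank lines
            summary["unparseable"] += 1
            continue
        kind, cross_node, state, partial = classify(flow)
        summary[(kind, cross_node, state)] += 1
        if cross_node and state != "ok":
            findings.append((lineno, kind, f"ipsec {state}"))
        if partial and state != "missing":
            findings.append((lineno, kind, "ipsec fields on partial flow"))
    return summary, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE.splitlines())[1]:
        print(finding)
```

Once the bug is fixed, the same check over a fresh export should return no "ipsec missing" findings for cross-node Pod->Pod flows.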