CUSTOMER PROBLEM

We would like to monitor traffic using network graph in ACS even if it is blocked by a kuberentes network policy. This is so that we have a backup method of detecting anomalous traffic in case the network policies are broken. There have been a few occassions when network policies in OVN have had bugs and has been unreliable, Some references in [1][2][3]

The other use case is to meet compliance requirements of monitoring malicious activity even though the attempts to access a prohibited namespace/deployment may be blocked by a network policy

USERS

• The main user of this feature would be the Managed OpenShift (ROSA) service team. We would use ACS network graph' monitoring and alerting functionalities to meet our compliance requirements and to fire alerts if anomalous traffic is observed between HCP namespaces

ACCEPTANCE CRITERIA

• Network graph allows users to monitor traffic that is blocked by kubernetes network policies so that users can detect malicious intent by a threat actor

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2048538
[2]: https://issues.redhat.com/browse/OCPBUGS-1705
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=2076307