Use SRIOV infra from networking team
Server Version: 4.17.0-0.nightly-2025-11-03-182249
NetObserv version: 1.10



=== Bridge mode ===

==> Set up net-attach-def:

$ cat ~/Documents/macvlan/net-attach-def-bridge.yaml
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-sctp-net
  namespace: test-sctp
spec:
  config: '{
      "cniVersion": "0.3.0",
      "type": "macvlan",
      "master": "eno1",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "10.1.1.0/24",
        "rangeStart": "10.1.1.100",
        "rangeEnd": "10.1.1.200",
        "routes": [
          { "dst": "0.0.0.0/0" }
        ],
        "gateway": "10.1.1.1"
      }
    }'


==> Create SCTP client and server using that network and ensure they land on same nodes.
$ cat ~/Documents/macvlan/sctpserver.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sctpserver
  namespace: test-sctp
  labels:
    name: sctpserver
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-sctp-net
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: sctpserver
      image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      ports:
        - containerPort: 30102
          name: sctpserver
          protocol: SCTP


$ cat ~/Documents/macvlan/sctpclient.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sctpclient
  namespace: test-sctp
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-sctp-net
  labels:
    name: sctpclient
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: sctpclient
      image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
  nodeSelector:
    kubernetes.io/hostname: openshift-qe-027.lab.eng.rdu2.redhat.com





$ oc get pod/sctpclient -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.130.2.30/23","fd01:0:0:6::1e/64"],"mac_address":"0a:58:0a:82:02:1e","gateway_ips":["10.130.2.1","fd01:0:0:6::1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.130.2.1"},{"dest":"172.30.0.0/16","nextHop":"10.130.2.1"},{"dest":"169.254.0.5/32","nextHop":"10.130.2.1"},{"dest":"100.64.0.0/16","nextHop":"10.130.2.1"},{"dest":"fd01::/61","nextHop":"fd01:0:0:6::1"},{"dest":"fd02::/112","nextHop":"fd01:0:0:6::1"},{"dest":"fd69::5/128","nextHop":"fd01:0:0:6::1"},{"dest":"fd98::/64","nextHop":"fd01:0:0:6::1"}],"role":"primary"}}'
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "ovn-kubernetes",
          "interface": "eth0",
          "ips": [
              "10.130.2.30",
              "fd01:0:0:6::1e"
          ],
          "mac": "0a:58:0a:82:02:1e",
          "default": true,
          "dns": {}
      },{
          "name": "test-sctp/macvlan-sctp-net",
          "interface": "net1",
          "ips": [
              "10.1.1.101"
          ],
          "mac": "c2:79:c2:53:97:99",
          "dns": {},
          "gateway": [
              "\u003cnil\u003e"
          ]
      }]
    k8s.v1.cni.cncf.io/networks: macvlan-sctp-net
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"k8s.v1.cni.cncf.io/networks":"macvlan-sctp-net"},"labels":{"name":"sctpclient"},"name":"sctpclient","namespace":"test-sctp"},"spec":{"containers":[{"image":"quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4","name":"sctpclient","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}],"nodeSelector":{"kubernetes.io/hostname":"openshift-qe-027.lab.eng.rdu2.redhat.com"},"securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}}}
    openshift.io/scc: restricted-v2
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  creationTimestamp: "2025-11-05T18:02:25Z"
  labels:
    name: sctpclient
  name: sctpclient
  namespace: test-sctp
  resourceVersion: "196012"
  uid: 6aa4b6af-0f96-4507-a3e2-0b73a1f4d6c7
spec:
  containers:
  - image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
    imagePullPolicy: IfNotPresent
    name: sctpclient
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsUser: 1000720000
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-4vbdj
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: default-dockercfg-thhbq
  nodeName: openshift-qe-027.lab.eng.rdu2.redhat.com
  nodeSelector:
    kubernetes.io/hostname: openshift-qe-027.lab.eng.rdu2.redhat.com
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000720000
    runAsNonRoot: true
    seLinuxOptions:
      level: s0:c27,c9
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-4vbdj
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
      - configMap:
          items:
          - key: service-ca.crt
            path: service-ca.crt
          name: openshift-service-ca.crt
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-11-05T18:02:28Z"
    status: "True"
    type: PodReadyToStartContainers
  - lastProbeTime: null
    lastTransitionTime: "2025-11-05T18:02:25Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2025-11-05T18:02:28Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2025-11-05T18:02:28Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2025-11-05T18:02:25Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: cri-o://0d5d6d44545fb6f20e0e0a1bbfea7d1acc9ca5fdd62cc3326eef7813379d02e5
    image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
    imageID: quay.io/openshifttest/hello-sdn@sha256:aa4e5b6448e5b38c66505216324ce247fbd14e0a4e8ab3b8c1746c0e49e70234
    lastState: {}
    name: sctpclient
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2025-11-05T18:02:27Z"
  hostIP: 192.168.111.58
  hostIPs:
  - ip: 192.168.111.58
  - ip: fd2e:6f44:5dd8:c956::25
  phase: Running
  podIP: 10.130.2.30
  podIPs:
  - ip: 10.130.2.30
  - ip: fd01:0:0:6::1e
  qosClass: BestEffort
  startTime: "2025-11-05T18:02:25Z"

===> Set flow collector with agent as privileged and with secondary network enrichment in processor config:

$ oc get flowcollector/cluster -o jsonpath='{.spec.agent.ebpf.privileged}' | jq
true

$ oc get flowcollector/cluster -o jsonpath='{.spec.processor.advanced}' | jq
{
  "conversationEndTimeout": "10s",
  "conversationHeartbeatInterval": "30s",
  "conversationTerminatingTimeout": "5s",
  "dropUnusedFields": true,
  "enableKubeProbes": true,
  "healthPort": 8080,
  "port": 2055,
  "secondaryNetworks": [
    {
      "index": [
        "MAC",
        "IP",
        "Interface"
      ],
      "name": "test-sctp/macvlan-sctp-net"
    }
  ]
}




Raw flowlog:

{
  "AgentIP": "192.168.111.58",
  "Bytes": 912,
  "Dscp": 0,
  "DstAddr": "10.1.1.100",
  "DstK8S_HostIP": "192.168.111.58",
  "DstK8S_HostName": "openshift-qe-027.lab.eng.rdu2.redhat.com",
  "DstK8S_Name": "sctpserver",
  "DstK8S_Namespace": "test-sctp",
  "DstK8S_NetworkName": "test-sctp/macvlan-sctp-net",
  "DstK8S_OwnerName": "sctpserver",
  "DstK8S_OwnerType": "Pod",
  "DstK8S_Type": "Pod",
  "DstMac": "06:c4:bf:da:0b:8a",
  "DstPort": 30102,
  "Etype": 2048,
  "FlowDirection": "2",
  "IfDirections": [
    1,
    0,
    0
  ],
  "Interfaces": [
    "net1",
    "eno1",
    "eth0"
  ],
  "K8S_FlowLayer": "app",
  "Packets": 12,
  "Proto": 132,
  "Sampling": 1,
  "SrcAddr": "10.1.1.101",
  "SrcK8S_HostIP": "192.168.111.58",
  "SrcK8S_HostName": "openshift-qe-027.lab.eng.rdu2.redhat.com",
  "SrcK8S_Name": "sctpclient",
  "SrcK8S_Namespace": "test-sctp",
  "SrcK8S_NetworkName": "test-sctp/macvlan-sctp-net",
  "SrcK8S_OwnerName": "sctpclient",
  "SrcK8S_OwnerType": "Pod",
  "SrcK8S_Type": "Pod",
  "SrcMac": "c2:79:c2:53:97:99",
  "SrcPort": 50870,
  "TimeFlowEndMs": 1762371511647,
  "TimeFlowStartMs": 1762371507216,
  "TimeReceived": 1762371512,
  "Udns": [
    ""
  ],
  "app": "netobserv-flowcollector"
}

Reference: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-21151

==== Below tested for cross-node communication ====

cat <<EOF | oc apply -f -
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-cross-node
  namespace: test-macvlan
spec:
  config: '{
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eno1",
      "mode": "bridge",
      "ipam": {
        "type": "whereabouts",
        "range": "192.168.50.0/24",
        "exclude": [
           "192.168.50.1/32",
           "192.168.50.254/32"
        ],
        "routes": [
          { "dst": "0.0.0.0/0", "gw": "192.168.50.1" }
        ]
      }
    }'



oc apply -f /Users/memodi/Documents/macvlan/pod-1.yaml

pod-1.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: pod-node-a
  namespace: test-macvlan
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-cross-node
spec:
  nodeSelector:
    kubernetes.io/hostname: openshift-qe-027.lab.eng.rdu2.redhat.com
  containers:
  - name: debug
    image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
    command: ["/bin/sleep", "infinity"]


oc apply -f /Users/memodi/Documents/macvlan/pod-2.yaml


{
  "AgentIP": "192.168.111.31",
  "Bytes": 490,
  "Dscp": 0,
  "DstAddr": "192.168.50.3",
  "DstK8S_HostIP": "192.168.111.58",
  "DstK8S_HostName": "openshift-qe-027.lab.eng.rdu2.redhat.com",
  "DstK8S_Name": "pod-node-a",
  "DstK8S_Namespace": "test-macvlan",
  "DstK8S_NetworkName": "test-macvlan/macvlan-cross-node",
  "DstK8S_OwnerName": "pod-node-a",
  "DstK8S_OwnerType": "Pod",
  "DstK8S_Type": "Pod",
  "DstMac": "4a:65:86:c9:4d:98",
  "Etype": 2048,
  "FlowDirection": "1",
  "IcmpCode": 0,
  "IcmpType": 8,
  "IfDirections": [
    1,
    1,
    1
  ],
  "Interfaces": [
    "net1",
    "eth0",
    "eno1"
  ],
  "K8S_FlowLayer": "app",
  "Packets": 5,
  "Proto": 1,
  "Sampling": 1,
  "SrcAddr": "192.168.50.2",
  "SrcK8S_HostIP": "192.168.111.31",
  "SrcK8S_HostName": "openshift-qe-024.lab.eng.rdu2.redhat.com",
  "SrcK8S_Name": "pod-node-b",
  "SrcK8S_Namespace": "test-macvlan",
  "SrcK8S_NetworkName": "test-macvlan/macvlan-cross-node",
  "SrcK8S_OwnerName": "pod-node-b",
  "SrcK8S_OwnerType": "Pod",
  "SrcK8S_Type": "Pod",
  "SrcMac": "1e:ae:49:ed:21:6f",
  "TimeFlowEndMs": 1762376162403,
  "TimeFlowStartMs": 1762376158307,
  "TimeReceived": 1762376163,
  "Udns": [
    ""
  ],
  "app": "netobserv-flowcollector"
}