Add docs for TrafficControl feature#3800
Conversation
tnqn
added
action/release-note
tnqn
force-pushed
the
tc-doc
branch
2 times, most recently
from
cf5ec58 to
eb34894
Compare
| following specification creates a new TrafficControl object named | ||
| "mirror-web-app", which mirrors all traffic from or to any Pod with the | ||
| `app=web` label and send them to a collector running on "10.0.10.2" encapsulated | ||
| within VXLAN tunnel: |
| `podSelector`. If set with a `namespaceSelector`, all Pods from Namespaces | ||
| selected by the `namespaceSelector` will be selected. Specific Pods from | ||
| specific Namespaces can be selected by providing both a `podSelector` and a | ||
| `namespaceSelector`. Empty `appliedTo` selects nothing. The field is mandatory. |
There was a problem hiding this comment.
IIRC, empty podSelector and empty namespaceSelector can be used to select all Pods in the cluster?
There was a problem hiding this comment.
that was also my first thought but I found we made it select nothing from the beginning for NetworkPolicy and Egress so have to keep consistency:
https://github.com/antrea-io/antrea/blob/main/docs/egress.md#appliedto
There was a problem hiding this comment.
ok, but jut to make sure, the following (which is what I meant by having both selectors be empty) will select all Pods in the cluster:
appliedTo:
namespaceSelector:
podSelector:while the following (both selectors unset) will select nothing:
appliedTo:There was a problem hiding this comment.
the above two examples mean the same, selecting nothing, because namespaceSelector and podSelector are "omitempty".
To select all Pods, we need to use either:
appliedTo:
namespaceSelector: {}
or
appliedTo:
podSelector: {}
| ### Action | ||
|
|
||
| The `action` field specifies which action should be taken for the traffic. It | ||
| can be `Mirror` or `Redirect`. For `Mirror` action, `targetPort` must be |
|
|
||
| The `action` field specifies which action should be taken for the traffic. It | ||
| can be `Mirror` or `Redirect`. For `Mirror` action, `targetPort` must be | ||
| specified to the port to which the traffic will be mirrored to. For `Redirect` |
There was a problem hiding this comment.
targetPort must be set to the port to which the traffic will be mirrored.
|
|
||
| The `action` field specifies which action should be taken for the traffic. It | ||
| can be `Mirror` or `Redirect`. For `Mirror` action, `targetPort` must be | ||
| specified to the port to which the traffic will be mirrored to. For `Redirect` |
There was a problem hiding this comment.
For the Redirect action
| **device**: This specifies a network device on all Nodes. A Pod's traffic will | ||
| be redirected or mirrored to the network device on the same Node that hosts the | ||
| Pod. The network device must exist on all Nodes and Antrea will attach it to the | ||
| OVS bridge if not already attached. To use a network device, `name` of the |
| name: eno2 | ||
| ``` | ||
|
|
||
| **geneve**: This specifies a remote destination based on GENEVE tunnel. All |
There was a problem hiding this comment.
nit: I would say "a remote destination for a GENEVE tunnel"
same below
| To replicate Pod traffic to threat detection engines for analysis, create a | ||
| TrafficControl with the `Mirror` action, and set the `targetPort` to an OVS | ||
| internal port that threat detection engines will capture traffic from. This | ||
| cookbook uses `tap0` as the port name and perform intrusion detection for Pods |
|
|
||
| You can then generate malicious requests to trigger alerts. For ingress, you can | ||
| fake a web application attack against the Pod with the following command | ||
| (assumed that the Pod IP is 10.10.2.3): |
tnqn
left a comment
tnqn
left a comment
There was a problem hiding this comment.
@antoninbas thanks for the review.
| To replicate Pod traffic to threat detection engines for analysis, create a | ||
| TrafficControl with the `Mirror` action, and set the `targetPort` to an OVS | ||
| internal port that threat detection engines will capture traffic from. This | ||
| cookbook uses `tap0` as the port name and perform intrusion detection for Pods |
|
|
||
| You can then generate malicious requests to trigger alerts. For ingress, you can | ||
| fake a web application attack against the Pod with the following command | ||
| (assumed that the Pod IP is 10.10.2.3): |
| following specification creates a new TrafficControl object named | ||
| "mirror-web-app", which mirrors all traffic from or to any Pod with the | ||
| `app=web` label and send them to a collector running on "10.0.10.2" encapsulated | ||
| within VXLAN tunnel: |
| `podSelector`. If set with a `namespaceSelector`, all Pods from Namespaces | ||
| selected by the `namespaceSelector` will be selected. Specific Pods from | ||
| specific Namespaces can be selected by providing both a `podSelector` and a | ||
| `namespaceSelector`. Empty `appliedTo` selects nothing. The field is mandatory. |
There was a problem hiding this comment.
that was also my first thought but I found we made it select nothing from the beginning for NetworkPolicy and Egress so have to keep consistency:
https://github.com/antrea-io/antrea/blob/main/docs/egress.md#appliedto
| ### Action | ||
|
|
||
| The `action` field specifies which action should be taken for the traffic. It | ||
| can be `Mirror` or `Redirect`. For `Mirror` action, `targetPort` must be |
| can be `Mirror` or `Redirect`. For `Mirror` action, `targetPort` must be | ||
| specified to the port to which the traffic will be mirrored to. For `Redirect` | ||
| action, both `targetPort` and `returnPort` need to be specified, the latter of | ||
| which represents a port from which the traffic will be sent back to OVS and be |
| **ovsInternal**: This specifies an OVS internal port on all Nodes. A Pod's | ||
| traffic will be redirected or mirrored to the OVS internal port on the same Node | ||
| that hosts the Pod. The port doesn't need to exist in advance, Antrea will | ||
| create the port if it doesn't exist. To use an OVS internal port, `name` of the |
| **device**: This specifies a network device on all Nodes. A Pod's traffic will | ||
| be redirected or mirrored to the network device on the same Node that hosts the | ||
| Pod. The network device must exist on all Nodes and Antrea will attach it to the | ||
| OVS bridge if not already attached. To use a network device, `name` of the |
| name: eno2 | ||
| ``` | ||
|
|
||
| **geneve**: This specifies a remote destination based on GENEVE tunnel. All |
jianjuns
left a comment
jianjuns
left a comment
There was a problem hiding this comment.
Not finished yet. Will continue.
|
|
||
| ### TrafficControl | ||
|
|
||
| `TrafficControl` enables a CRD API for Antrea that manages and manipulates the |
There was a problem hiding this comment.
How about "controls" to be consistent with TrafficControl.
| ### TrafficControl | ||
|
|
||
| `TrafficControl` enables a CRD API for Antrea that manages and manipulates the | ||
| transmission of Pod traffic. It allows users to mirror or redirect specific |
There was a problem hiding this comment.
As we do not support matching specific traffic, we can remove this "specific"?
| `TrafficControl` enables a CRD API for Antrea that manages and manipulates the | ||
| transmission of Pod traffic. It allows users to mirror or redirect specific | ||
| traffic originating from specific Pods or destined to specific Pods to a local | ||
| network device or a remote destination via various tunnels. It provides full |
There was a problem hiding this comment.
How about changing "provides" to "enables", or "enables a monitoring solution to get full visibility..."
| purposes such as troubleshooting, intrusion detection, and so on. | ||
|
|
||
| - You want to redirect network traffic passing in or out of a set of Pods to | ||
| applications that analyze traffic, enforce policies, and reject traffic to |
There was a problem hiding this comment.
Remove "analyze traffic" as that should fall into the mirroring bucket?
| remoteIP: 10.0.10.2 | ||
| ``` | ||
|
|
||
| ### Redirecting specific traffic to local analyzer |
There was a problem hiding this comment.
Should we just use "local receiver" to be generic? Typically, redirection is not for an analyzer that does not change/drop the packets.
| prevent intrusion. | ||
|
|
||
| This guide demonstrates how to configure `TrafficControl` to achieve the above | ||
| result. |
|
|
||
| TrafficControl was introduced in v1.7 as an alpha feature. A feature gate, | ||
| `TrafficControl` must be enabled on the antrea-agent in the `antrea-config` | ||
| ConfigMap like the following options for the feature to work: |
There was a problem hiding this comment.
like the following options -> like the following?
Maybe it to the end of the sentence.
There was a problem hiding this comment.
sorry, what does your second suggestion mean?
There was a problem hiding this comment.
Typo. I meant:
must be enabled on the antrea-agent in the
antrea-configConfigMap for the feature to work, like the following:
| For example, suppose you have a set of Pods which contain a label `app=web`, the | ||
| following specification creates a new TrafficControl object named | ||
| "mirror-web-app", which mirrors all traffic from or to any Pod with the | ||
| `app=web` label and send them to a collector running on "10.0.10.2" encapsulated |
|
|
||
| To replicate Pod traffic to threat detection engines for analysis, create a | ||
| TrafficControl with the `Mirror` action, and set the `targetPort` to an OVS | ||
| internal port that threat detection engines will capture traffic from. This |
|
|
||
| ### Step 3: Deploy Suricata as a DaemonSet | ||
|
|
||
| Suricata supports many possible configuration options, we will focus on the |
There was a problem hiding this comment.
we will just take the basics in the cookbook? is it correct?
| ### Step 3: Deploy Suricata as a DaemonSet | ||
|
|
||
| Suricata supports many possible configuration options, we will focus on the | ||
| basics in the cookbook. The YAML file for Suricata DaemonSet is included in the |
There was a problem hiding this comment.
We should mention are using the image from https://github.com/jasonish/docker-suricata?
| tail -f /var/log/suricata/fast.log | ||
| ``` | ||
|
|
||
| You can then generate malicious requests to trigger alerts. For ingress, you can |
tnqn
force-pushed
the
tc-doc
branch
2 times, most recently
from
5e2f72f to
613b9be
Compare
| `TrafficControl` enables a CRD API for Antrea that controls and manipulates the | ||
| transmission of Pod traffic. It allows users to mirror or redirect traffic | ||
| originating from specific Pods or destined to specific Pods to a local network | ||
| device or a remote destination via various tunnels. It enables a monitoring |
There was a problem hiding this comment.
"via a tunnel of various types"?
|
|
||
| TrafficControl was introduced in v1.7 as an alpha feature. A feature gate, | ||
| `TrafficControl` must be enabled on the antrea-agent in the `antrea-config` | ||
| ConfigMap like the following options for the feature to work: |
There was a problem hiding this comment.
Typo. I meant:
must be enabled on the antrea-agent in the
antrea-configConfigMap for the feature to work, like the following:
|
|
||
| A TrafficControl in Kubernetes is a REST object. Like all the REST objects, you | ||
| can POST a TrafficControl definition to the API server to create a new instance. | ||
| For example, suppose you have a set of Pods which contain a label `app=web`, the |
| set to the port to which the traffic will be mirrored. For the `Redirect` | ||
| action, both `targetPort` and `returnPort` need to be specified, the latter of | ||
| which represents the port from which the traffic will be sent back to OVS and be | ||
| forwarded to its original destination. |
There was a problem hiding this comment.
This might not be true if the packet has been modified?
There was a problem hiding this comment.
what kind of modification you mean? I thought the packet can either be forwarded or dropped, other kind of modification may not work as we do not make the returned packet go through the whole pipeline again.
I changed "will" to "could"
There was a problem hiding this comment.
Ok. Should document the packets should not be modified?
There was a problem hiding this comment.
Added "Once redirected, a packet should be either dropped or sent back to OVS without modification, otherwise it would lead to undefined behavior."
| selected Pods' traffic will be mirrored to the destination via an ERSPAN tunnel. | ||
| The `remoteIP` field must be provided to specify the IP address of the | ||
| destination. If ERSPAN session ID is desired, the `sessionID` field can be | ||
| specified to an integer in the range 0-1,023. The `version` field must be |
There was a problem hiding this comment.
We do not have a default value for version?
There was a problem hiding this comment.
@jianjuns We don't have a default value for version since it is not a pointer type in API, and it is int type.
| destination. Therefore, if an intrusion prevention system or a network firewall | ||
| is configured to capture and forward traffic between `tap0` and `tap1`, it can | ||
| actively scan forwarded network traffic for malicious activities and known | ||
| attack patterns, and drop traffic determined to be malicious. |
| ## What's next | ||
|
|
||
| With the `TrafficControl` capability, Antrea can be used with threat detection | ||
| engines to provide network-based IDS/IPS to Pods, and provides a reference |
There was a problem hiding this comment.
". We provide a reference cookbook..."?
|
|
||
| This guide will describe how to use Project Antrea with threat detection | ||
| engines, in order to provide network-based intrusion detection service to your | ||
| Pods. In this scenario, Antrea is used for the default network. For the sake of |
| * [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) | ||
|
|
||
| The [TrafficControl](../../traffic-control.md) capability was added in Antrea | ||
| version 1.7. Therefore, an Antrea version >= 1.7.0 should be used to configure |
There was a problem hiding this comment.
We typically use "v1.7.0"
|
|
||
| ### Step 2: Configure TrafficControl resource | ||
|
|
||
| To replicate Pod traffic to threat detection engines for analysis, create a |
There was a problem hiding this comment.
Change "threat detection engines" to "Suricata" too?
| key: 1 | ||
| ``` | ||
|
|
||
| **erspan**: This specifies a remote destination for an ERSPAN tunnel. All |
There was a problem hiding this comment.
Should we mention the requirement of ERSPAN?
It can be used with 4.19-rc6+ kernel and iproute2-ss180813?
There was a problem hiding this comment.
I don't know the exact version in which ERSPAN is added to kernel, the version you provided is a rc version, then I suppose 4.19 but I didn't find it was mentioned in release note, do you have a link for reference?
why iproute2 matters here?
There was a problem hiding this comment.
There was a problem hiding this comment.
It's an "Linux Native Mode tunnel example" with 4.19-rc6+ kernel and iproute2-ss180813, not saying the supported is added in that version and iproute2 is required for OVS ERSPAN.
There was a problem hiding this comment.
Got it, for OVS ERSPAN, iproute2 is not related, but according to this http://vger.kernel.org/lpc_net2018_talks/erspan-linux.pdf, ERSPAN was added to Linux kernel in 4.14 for IPv4 and 4.16 for IPv6., we should mention this?
There was a problem hiding this comment.
but I remember you said 4.15 didn't work in your testbed? Unless we have accurate information, I wouldn't mention its version requirement given it's in alpha phase, to avoid misleading users. We can add the information anytime once we have verified it.
There was a problem hiding this comment.
Yes, it didn't work in 4.15 in my testbed actually. Maybe we can add the information in the future.
|
|
||
| `TrafficControl` is a CRD API that manages and manipulates the transmission of | ||
| Pod traffic. It allows users to mirror or redirect specific traffic originating | ||
| from specific Pods or destined to specific Pods to a local network device or a |
There was a problem hiding this comment.
| from specific Pods or destined to specific Pods to a local network device or a | |
| from specific Pods or destined for specific Pods to a local network device or a |
Codecov Report
@@ Coverage Diff @@
## main #3800 +/- ##
===========================================
- Coverage 64.48% 37.41% -27.08%
===========================================
Files 291 116 -175
Lines 42795 16089 -26706
===========================================
- Hits 27598 6020 -21578
+ Misses 12974 9574 -3400
+ Partials 2223 495 -1728
Flags with carried forward coverage won't be shown. Click here to find out more. |
* Add a document to introduce the feature * Add a cookbook to describe how to use Antrea with Suricata to provide IDS to Pods Signed-off-by: Quan Tian <qtian@vmware.com>
|
/skip-all |
5 participants
IDS to Pods
Signed-off-by: Quan Tian qtian@vmware.com
For #3324