-
Notifications
You must be signed in to change notification settings - Fork 373
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Hang Yan <yhang@vmware.com>
- Loading branch information
Showing
8 changed files
with
138 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| # PacketSampling User Guide | ||
|
|
||
| Antrea supports using PacketSampling for network diagnosis. It can capture | ||
| specified number of packets from real traffic and upload them to a | ||
| supported storage location. Users can create a PacketSampling CRD to trigger | ||
| such an action on the target traffic flow. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| The PacketSampling feature is disabled by default since Antrea 1.16.0. If you | ||
| want to enable this feature, you need to enable PacketSampling from the | ||
| featureGates map defined in antrea.yml fro both Controller and Agent. In | ||
| order to use a Service as the destination in sampling, you also need to ensure | ||
| [AntreaProxy](feature-gates.md) is enabled in the agent configuration: | ||
|
|
||
| ```yaml | ||
| antrea-controller.conf: | | ||
| featureGates: | ||
| # Enable packetsampling feature to help diagnose network issues by capture real traffic packets. | ||
| PacketSampling: true | ||
| antrea-agent.conf: | | ||
| featureGates: | ||
| # Enable packetsampling feature to capture real traffic packets. | ||
| PacketSampling: true | ||
| # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. | ||
| # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on | ||
| # Service traffic. | ||
| AntreaProxy: true | ||
| ``` | ||
| ## Start a new PacketSampling | ||
| When start a new sampling, you can provide the following information to identify | ||
| the target flow: | ||
| * source pod | ||
| * destination pod, Service or destination IP address | ||
| * transport protocol(TCP/UDP/ICMP) | ||
| * transport ports | ||
| You can start a new packet sampling by creating PacketSampling CRD via | ||
| `kubectl` and a yaml file which contains the essential configuration of | ||
| PacketSampling CRD. An example YAML file of PacketSampling CRD might | ||
| look like this: | ||
|
|
||
| ```yaml | ||
| apiVersion: crd.antrea.io/v1alpha1 | ||
| kind: PacketSampling | ||
| metadata: | ||
| name: ps-test | ||
| spec: | ||
| fileServer: | ||
| url: sftp://127.0.0.1:22/upload | ||
| authentication: | ||
| authType: "BasicAuthentication" | ||
| authSecret: | ||
| name: test-secret | ||
| namespace: default # | ||
| timeout: 600 | ||
| type: FirstNSampling | ||
| firstNSamplingConfig: | ||
| number: 5 | ||
| source: | ||
| namespace: default | ||
| pod: frontend | ||
| destination: | ||
| namespace: default | ||
| pod: backend | ||
| # destination can also be an IP address ('ip' field) or a Service name ('service' field); the 3 choices are mutually exclusive. | ||
| packet: | ||
| ipHeader: # If ipHeader/ipv6Header is not set, the default value is IPv4+ICMP. | ||
| protocol: 6 # Protocol here can be 6 (TCP), 17 (UDP) or 1 (ICMP), default value is 1 (ICMP) | ||
| transportHeader: | ||
| tcp: | ||
| dstPort: 8080 # Destination port needs to be set when Protocol is TCP/UDP. | ||
| ``` | ||
| The CRD above starts a new packet sampling from pod named `frontend` | ||
| to port 8080 of pod named `backend` using TCP protocol. | ||
|
|
||
| ## RBAC | ||
| PacketSampling CRDs are meant for admins to troubleshoot and diagnose the network | ||
| by capture sampling packets from a source workload to a destination workload. Thus, | ||
| access to manage these CRDs must be granted to subjects which | ||
| have the authority to perform these diagnostic actions. On cluster | ||
| initialization, Antrea grants the permissions to edit these CRDs with `admin` | ||
| and the `edit` ClusterRole. In addition to this, Antrea also grants the | ||
| permission to view these CRDs with the `view` ClusterRole. Cluster admins can | ||
| therefore grant these ClusterRoles to any subject who may be responsible to | ||
| troubleshoot the network. The admins may also decide to share the `view` | ||
| ClusterRole to a wider range of subjects to allow them to read the packetsamplings | ||
| that are active in the cluster. |