OSDOCS-11625:Viewing Network events in Network Observability

Author: skrthomas

modules/network-observability-networking-events-overview.adoc

@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-networking-events-overview_{context}"]
+= OVN Kubernetes networking events
+:FeatureName: OVN-Kubernetes networking events tracking
+include::snippets/technology-preview.adoc[]
+
+You use network event tracking in Network Observability to gain insight into OVN-Kubernetes events, including network policies, admin network policies, and egress firewalls. You can use the insights from tracking network events to help with the following tasks:
+
+* Network monitoring: Monitor allowed and blocked traffic, detecting whether packets are allowed or blocked based on network policies and admin network policies. 
+
+* Network security: You can track outbound traffic and see whether it adheres to egress firewall rules. Detect unauthorized outbound connections and flag outbound traffic that violates egress rules.
+
+See the _Additional resources_ in this section for more information about enabling and working with this view.

modules/network-observability-viewing-network-events.adoc

@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * network_observability/observing-network-traffic.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-viewing-network-events_{context}"]
+= Viewing network events
+:FeatureName: OVN-Kubernetes networking events tracking
+include::snippets/technology-preview.adoc[]
+
+You can edit the `FlowCollector` to view information about network traffic events, such as network flows that are dropped or allowed by the following resources:
+
+* `NetworkPolicy`
+* `AdminNetworkPolicy`
+* `BaselineNetworkPolicy`
+* `EgressFirewall`
+* `UserDefinedNetwork` isolation
+* Multicast ACLs 
+
+.Prerequisites
+* You must have `OVNObservability` enabled by setting the `TechPreviewNoUpgrade` feature set in the `FeatureGate` custom resource (CR) named `cluster`. For more information, see "Enabling feature sets using the CLI" and "Checking OVN-Kubernetes network traffic with OVS sampling using the CLI". 
+* You have created at least one of the following network APIs: `NetworkPolicy`, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `UserDefinedNetwork` isolation, multicast, or `EgressFirewall`.
+
+.Procedure
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. In the *Provided APIs* heading for the *NetObserv Operator*, select *Flow Collector*.
+. Select *cluster*, and then select the *YAML* tab.
+. Configure the `FlowCollector` CR to enable viewing `NetworkEvents`, for example:
++
+[id="network-observability-flowcollector-configuring-networkevents{context}"]
+.Example `FlowCollector` configuration
+[source, yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+   agent:
+    type: eBPF
+    ebpf:
+  #   sampling: 1       <1>
+      privileged: true  <2>
+      features:
+       - "NetworkEvents"
+----
+<1> Optional: The `sampling` parameter is set to a value of 1 so that all network events are captured. If sampling `1` is too resource heavy, set sampling to something more appropriate for your needs. 
+<2> The `privileged` parameter is set to `true` because the `OVN observability` library needs to access local Open vSwitch (OVS) socket and OpenShift Virtual Network (OVN) databases.
+
+.Verification
+. Navigate to the *Network Traffic* view and select the *Traffic flows* table. 
+. You should see the new column, *Network Events*, where you can view information about impacts of one of the following network APIs you have enabled: `NetworkPolicy`, `AdminNetworkPolicy`, `BaselineNetworkPolicy`, `UserDefinedNetwork` isolation, multicast, or egress firewalls. 
+
+An example of the kind of events you could see in this column is as follows:
++
+.Example of Network Events output
+[source,text]
+----
+<Dropped_or_Allowed> by <network_event_and_event_name>, direction <Ingress_or_Egress>
+----

observability/network_observability/observing-network-traffic.adoc

@@ -41,6 +41,11 @@ include::modules/network-observability-flow-filter-parameters.adoc[leveloffset=+
 * xref:../../observability/network_observability/metrics-alerts-dashboards.adoc#network-observability-metrics_metrics-dashboards-alerts[Network Observability metrics]
 * xref:../../observability/network_observability/network-observability-operator-monitoring.adoc#network-observability-health-dashboard-overview_network_observability[Health dashboards]
 
+include::modules/network-observability-networking-events-overview.adoc[leveloffset=+2]
+[role="_additional-resources"]
+.Additional resources
+* xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-viewing-network-events_nw-observe-network-traffic[Viewing network events]
+
 //Traffic flows
 include::modules/network-observability-trafficflow.adoc[leveloffset=+1]
 include::modules/network-observability-working-with-trafficflow.adoc[leveloffset=+2]
@@ -54,6 +59,12 @@ include::modules/network-observability-working-with-zones.adoc[leveloffset=+2]
 include::modules/network-observability-filtering-ebpf-rule.adoc[leveloffset=+2]
 include::modules/network-observability-packet-translation-overview.adoc[leveloffset=+2]
 include::modules/network-observability-packet-translation.adoc[leveloffset=+2]
+include::modules/network-observability-viewing-network-events.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features-cli_nodes-cluster-enabling[Enabling feature sets using the CLI]
+* xref:../../networking/ovn_kubernetes_network_provider/ovn-kubernetes-troubleshooting-sources.adoc#nw-ovn-kubernetes-observability_ovn-kubernetes-sources-of-troubleshooting-information[Checking OVN-Kubernetes network traffic with OVS sampling using the CLI]
 
 //Topology
 include::modules/network-observability-topology.adoc[leveloffset=+1]