Commit c8b3348

Network Observability 1.8 release notes for 4.17, 4.18
1 parent 06a347d commit c8b3348

1 file changed

+89
-0
lines changed

observability/network_observability/network-observability-operator-release-notes.adoc

@@ -12,6 +12,95 @@ The Network Observability Operator enables administrators to observe and analyze
1212
These release notes track the development of the Network Observability Operator in the {product-title}.
1313

1414
For an overview of the Network Observability Operator, see xref:../../observability/network_observability/network-observability-overview.adoc#dependency-network-observability[About Network Observability Operator].
15+
16+
[id="network-observability-operator-release-notes-1-8_{context}"]
17+
== Network Observability Operator 1.8.0
18+
The following advisory is available for the Network Observability Operator 1.8.0:
19+
20+
* link:https://access.redhat.com/errata/RHEA-2025:1825[Network Observability Operator 1.8.0]
21+
22+
[id="network-observability-operator-1.8.0-features-enhancements_{context}"]
23+
=== New features and enhancements
24+
25+
[id="network-observability-operator-pkt-xlat-1-8_{context}"]
26+
==== Packet translation
27+
You can now enrich network flows with translated endpoint information, showing not only the service but also the specific backend pod, so you can see which pod served a request.
28+
29+
For more information, see xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-packet-translation-overview_nw-observe-network-traffic[Endpoint translation (xlat)] and xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-packet-translation_nw-observe-network-traffic[Working with endpoint translation (xlat)].
30+
31+
[id="network-observability-operator-OVN-observability-1-8_{context}"]
32+
==== OVN-Kubernetes networking events tracking
33+
34+
:FeatureName: OVN-Kubernetes networking events tracking
35+
include::snippets/technology-preview.adoc[]
36+
37+
You can now use network event tracking in Network Observability to gain insight into OVN-Kubernetes events, including network policies, admin network policies, and egress firewalls.
38+
39+
For more information, see xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-viewing-network-events_nw-observe-network-traffic[Viewing network events].
40+
41+
[id="network-observability-operator-ebpf-perf-improvements-1-8_{context}"]
42+
==== eBPF performance improvements in 1.8
43+
44+
* Network Observability now uses hash maps instead of per-CPU maps. This means that network flows data is now tracked in the kernel space and new packets are also aggregated there. The de-duplication of network flows can now occur in the kernel, so the size of data transfer between the kernel and the user spaces yields better performance. With these eBPF performance improvements, there is potential to observe a CPU resource reduction between 40% and 57% in the eBPF Agent.
45+
46+
[id="network-observability-cli-1-8_{context}"]
47+
==== Network Observability CLI
48+
The following new features, options, and filters are added to the Network Observability CLI for this release:
49+
50+
* Capture metrics with filters enabled by running the `oc netobserv metrics` command.
51+
* Run the CLI in the background by using the `--background` option with flows and packets capture and running `oc netobserv follow` to see the progress of the background run and `oc netobserv copy` to download the generated logs.
52+
* Enrich flows and metrics capture with Machines, Pods, and Services subnets by using the `--get-subnets` option.
53+
* New filtering options available with packets, flows, and metrics capture:
54+
55+
** eBPF filters on IPs, Ports, Protocol, Action, TCP Flags and more
56+
** Custom nodes using `--node-selector`
57+
** Drops only using `--drops`
58+
** Any field using `--regexes`
59+
60+
For more information, see xref:../../observability/network_observability/netobserv_cli/netobserv-cli-reference.adoc#network-observability-netobserv-cli-reference_netobserv-cli-reference[Network Observability CLI reference].
61+
62+
observability/network_observability/netobserv_cli/netobserv-cli-reference.html#network-observability-netobserv-cli-reference_netobserv-cli-reference
63+
[id="network-observability-operator-1-8-bug-fixes_{context}"]
64+
=== Bug fixes
65+
* Previously, the Network Observability Operator came with a "kube-rbac-proxy" container to manage RBAC for its metrics server. Since this external component is deprecated, it was necessary to remove it. It is now replaced with direct TLS and RBAC management through Kubernetes controller-runtime, without the need for a side-car proxy. (link:https://issues.redhat.com/browse/NETOBSERV-1999[*NETOBSERV-1999*])
66+
67+
* Previously in the {product-title} console plugin, filtering on a key that was not equal to multiple values would not filter anything. With this fix, the expected results are returned, which is all flows not having any of the filtered values. (link:https://issues.redhat.com/browse/NETOBSERV-1990[*NETOBSERV-1990*])
68+
69+
* Previously in the {product-title} console plugin with disabled Loki, it was very likely to generate a "Can't build query" error due to selecting an incompatible set of filters and aggregations. Now this error is avoided avoid by automatically disabling incompatible filters while still making the user aware of the filter incompatibility. (link:https://issues.redhat.com/browse/NETOBSERV-1977[*NETOBSERV-1977*])
70+
71+
* Previously, when viewing flow details from the console plugin, the ICMP info was always displayed in the side panel, showing "undefined" values for non-ICMP flows. With this fix, ICMP info is not displayed for non-ICMP flows. (link:https://issues.redhat.com/browse/NETOBSERV-1969[*NETOBSERV-1969*])
72+
73+
* Previously, the "Export data" link from the *Traffic flows* view did not work as intended, generating empty CSV reports. Now, the export feature is restored, generating non-empty CSV data. (link:https://issues.redhat.com/browse/NETOBSERV-1958[*NETOBSERV-1958*])
74+
75+
* Previously, it was possible to configure the `FlowCollector` with `processor.logTypes` `Conversations`, `EndedConversations` or `All` with `loki.enable` set to `false`, despite the conversation logs being only useful when Loki is enabled. This resulted in resource usage waste. Now, this configuration is invalid and is rejected by the validation webhook. (link:https://issues.redhat.com/browse/NETOBSERV-1957[*NETOBSERV-1957*])
76+
77+
* Configuring the `FlowCollector` with `processor.logTypes` set to `All` consumes much more resources, such as CPU, memory and network bandwidth, than the other options. This was previously not documented. It is now documented, and triggers a warning from the validation webhook. (link:https://issues.redhat.com/browse/NETOBSERV-1956[*NETOBSERV-1956*])
78+
79+
* Previously, under high stress, some flows generated by the eBPF agent were mistakenly dismissed, resulting in traffic bandwidth under-estimation. Now, those generated flows are not dismissed. (link:https://issues.redhat.com/browse/NETOBSERV-1954[*NETOBSERV-1954*])
80+
81+
* Previously, when enabling the network policy in the `FlowCollector` configuration, the traffic to the Operator webhooks was blocked, breaking the `FlowMetrics` API validation. Now traffic to the webhooks is allowed. (link:https://issues.redhat.com/browse/NETOBSERV-1934[*NETOBSERV-1934*])
82+
83+
* Previously, when deploying the default network policy, namespaces `openshift-console` and `openshift-monitoring` were set by default in the `additionalNamespaces` field, resulting in duplicated rules. Now there is no additional namespace set by default, which helps avoid getting duplicated rules.(link:https://issues.redhat.com/browse/NETOBSERV-1933[*NETOBSERV-1933*])
84+
85+
* Previously from the {product-title} console plugin, filtering on TCP flags would match flows having only the exact desired flag. Now, any flow having at least the desired flag appears in filtered flows. (link:https://issues.redhat.com/browse/NETOBSERV-1890[*NETOBSERV-1890*])
86+
87+
* When the eBPF agent runs in privileged mode and pods are continuously added or deleted, a file descriptor (FD) leak occurs. The fix ensures proper closure of the FD when a network namespace is deleted. (link:https://issues.redhat.com/browse/NETOBSERV-2063[*NETOBSERV-2063*])
88+
89+
* Previously, the CLI agent `DaemonSet` did not deploy on master nodes. Now, a toleration is added on the agent `DaemonSet` to schedule on every node when taints are set. Now, CLI agent `DaemonSet` pods run on all nodes. (link:https://issues.redhat.com/browse/NETOBSERV-2030[*NETOBSERV-2030*])
90+
91+
* Previously, the *Source Resource* and *Source Destination* filters autocomplete were not working when using Prometheus storage only. Now this issue is fixed and suggestions displays as expected. (link:https://issues.redhat.com/browse/NETOBSERV-1885[*NETOBSERV-1885*])
92+
93+
* Previously, a resource using multiple IPs was displayed separately in the *Topology* view. Now, the resource shows as a single topology node in the view. (link:https://issues.redhat.com/browse/NETOBSERV-1818[*NETOBSERV-1818*])
94+
95+
* Previously, the console refreshed the *Network traffic* table view contents when the mouse pointer hovered over the columns. Now, the the display is fixed, so row height remains constant with a mouse hover. (link:https://issues.redhat.com/browse/NETOBSERV-2049[*NETOBSERV-2049*])
96+
97+
[id="network-observability-operator-1-8-known-issues_{context}"]
98+
=== Known issues
99+
100+
* If there is traffic that uses overlapping subnets in your cluster, there is a small risk that the eBPF Agent mixes up the flows from overlapped IPs. This can happen if different connections happen to have the exact same source and destination IPs and if ports and protocol are within a 5 seconds time frame and happening on the same node. This should not be possible unless you configured secondary networks or UDN. Even in that case, it is still very unlikely in usual traffic, as source ports are usually a good differentiator. (link:https://issues.redhat.com/browse/NETOBSERV-2115[*NETOBSERV-2115*])
101+
102+
* After selecting a type of exporter to configure in the `FlowCollector` resource `spec.exporters` section from the {product-title} web console form view, the detailed configuration for that type does not show up in the form. The workaround is to configure directly the YAML. (link:https://issues.redhat.com/browse/NETOBSERV-1981[*NETOBSERV-1981*])
103+
15104
[id="network-observability-operator-release-notes-1-7_{context}"]
16105
== Network Observability Operator 1.7.0
17106
The following advisory is available for the Network Observability Operator 1.7.0:
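Review bot: A bare path, `observability/network_observability/netobserv_cli/netobserv-cli-reference.html#network-observability-netobserv-cli-reference_netobserv-cli-reference`, is left on its own at added line 62, just before the Bug fixes anchor. It duplicates the target of the xref two lines above and will render as a stray paragraph, so it should be dropped. Smaller wording fixes in the same hunk: "this error is avoided avoid by" (line 69), "Now, the the display is fixed" (line 95), "suggestions displays" (line 91), and a missing space before "(link:" in the NETOBSERV-1933 entry (line 83). In the NETOBSERV-2115 known issue (line 100), "if ports and protocol are within a 5 seconds time frame" does not parse. Please restate the condition so it is clear whether matching ports and protocol are also required, since readers running secondary networks or UDN need to know exactly when flows from overlapping IPs can be mixed up. The NETOBSERV-2063 entry is the only bug fix not written in the "Previously ... Now ..." form used by the others, and the NETOBSERV-2030 entry has two consecutive "Now," sentences that could be merged.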
