NodeNetworkPolicy not creating logs #6525

Open
notsrch opened this issue Jul 15, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

notsrch commented Jul 15, 2024

Describe the bug
NodeNetworkPolicy type policies do not create logs in /var/log/antrea/networkpolicy/np.log even when enableLogging: true is set.

To Reproduce
Create a NodeNetworkPolicy with enableLogging: true
Generate traffic

Expected
A log entry in /var/log/antrea/networkpolicy/np.log, similar to other ClusterNetworkPolicy types.

Actual behavior
Nothing is logged

Versions:

  • Antrea version: 2.0.1
  • Kubernetes version: v1.28.8+rke2r1
  • Container runtime: containerd
  • Linux kernel version on the Kubernetes Nodes (uname -r): 6.4.0-150600.10-default

Additional context

@notsrch notsrch added the kind/bug Categorizes issue or PR as related to a bug. label Jul 15, 2024
tnqn (Member) commented Jul 22, 2024

@notsrch traffic logging for NodeNetworkPolicy is not implemented, though it should be technically feasible.
@hongliangl could you confirm the feasibility? And before it's supported we should prevent this configuration and document it.

hongliangl (Contributor) commented

> @notsrch traffic logging for NodeNetworkPolicy is not implemented, though it should be technically feasible. @hongliangl could you confirm the feasibility? And before it's supported we should prevent this configuration and document it.

Will investigate that.

Atish-iaf added a commit to Atish-iaf/antrea that referenced this issue Aug 19, 2024
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with "enableLogging: true".
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with other selectors.

For antrea-io#6525

Signed-off-by: Kumar Atish <kumar.atish@broadcom.com>
hongliangl (Contributor) commented

Sorry for replying this late.

The data path of NodeNetworkPolicy is iptables, which supports logging matched packet information to the system log (/var/log/syslog or /var/log/messages). Unfortunately, iptables does not natively support logging directly to a specific file. IMO, it is not easy for Antrea to read the corresponding log from the system log file.

It is easy for Antrea using iptables to log the packet information to the system log if enableLogging of an ACNP is true, but it is not friendly to users. @tnqn

Atish-iaf added a commit to Atish-iaf/antrea that referenced this issue Aug 21, 2024
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with "enableLogging: true".
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with other selectors.

For antrea-io#6525

Signed-off-by: Kumar Atish <kumar.atish@broadcom.com>
tnqn pushed a commit that referenced this issue Aug 21, 2024
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with "enableLogging: true".
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with other selectors.

For #6525

Signed-off-by: Kumar Atish <kumar.atish@broadcom.com>
tnqn (Member) commented Aug 21, 2024

> The data path of NodeNetworkPolicy is iptables, which supports logging matched packet information to the system log (/var/log/syslog or /var/log/messages). Unfortunately, iptables does not natively support logging directly to a specific file. IMO, it is not easy for Antrea to read the corresponding log from the system log file.
>
> It is easy for Antrea using iptables to log the packet information to the system log if enableLogging of an ACNP is true, but it is not friendly to users. @tnqn

Tools like rsyslog may redirect logs to specific files, but I'm not sure whether it can be easily configured and works for all OSes. If it's too complex, logging to syslog doesn't sound bad either, as long as we document clearly where to find the logs.

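The iptables LOG target and the rsyslog redirection that hongliangl and tnqn describe above, as an added example that is not Antrea project code: the chain name ANTREA-NNP-EXAMPLE, the log prefix, the rsyslog drop-in path and the sample syslog lines are assumptions constructed for illustration, and the script prints the iptables rules rather than applying them. The parser at the end reduces the kernel's key=value LOG lines to one line per denied packet, which is the minimum notsrch asks for when troubleshooting a deny policy.

```shell
#!/bin/sh
# Added example, not Antrea project code. Chain name, log prefix, rsyslog path
# and the sample kernel lines below are assumptions made for illustration.

LOG_PREFIX="ANTREA-NNP-DENY: "            # <= 29 chars, the LOG target's limit
NP_LOG=/var/log/antrea/networkpolicy/np.log

# Print (do not apply) iptables rules for a node-level deny of inbound TCP/22.
# LOG is non-terminating, so the DROP must follow it as a separate rule, and
# the limit match keeps a flood of denied packets from filling the syslog.
nnp_log_rules() {
    cat <<EOF
iptables -N ANTREA-NNP-EXAMPLE
iptables -A ANTREA-NNP-EXAMPLE -p tcp --dport 22 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
iptables -A ANTREA-NNP-EXAMPLE -p tcp --dport 22 -j DROP
iptables -I INPUT -j ANTREA-NNP-EXAMPLE
EOF
}

# rsyslog snippet: messages carrying the prefix go to NP_LOG only; "& stop"
# keeps them out of /var/log/syslog or /var/log/messages.
rsyslog_conf() {
    cat <<EOF
# assumed path: /etc/rsyslog.d/10-antrea-nnp.conf
:msg, contains, "$LOG_PREFIX" $NP_LOG
& stop
EOF
}

# Reduce kernel LOG lines on stdin to "SRC DST PROTO SPT DPT" (a dash when a
# field is absent, e.g. ICMP has no ports). Lines without the prefix are dropped.
parse_kernel_log() {
    awk -v pfx="$LOG_PREFIX" '
        index($0, pfx) == 0 { next }
        {
            src = dst = proto = spt = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print src, dst, proto, spt, dpt
        }'
}

# Constructed sample syslog lines (not captured from a real node).
SAMPLE_LINES='Jul 15 10:00:01 node1 kernel: ANTREA-NNP-DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 15 10:00:02 node1 kernel: ANTREA-NNP-DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jul 15 10:00:03 node1 sshd[1234]: Accepted publickey for core from 192.0.2.30'

# Stand-alone run: show the rules, the rsyslog snippet and the parsed samples.
nnp_log_rules
rsyslog_conf
printf '%s\n' "$SAMPLE_LINES" | parse_kernel_log
```

The points to keep when adapting this to a real node are the LOG/DROP pairing (LOG alone denies nothing), the rate limit (a denied flood would otherwise fill the system log) and a prefix distinctive enough for rsyslog to key on. The LOG target behaves the same with the nftables backend of iptables, and the lines are also visible through dmesg or journalctl -k on nodes that have no rsyslog at all.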
notsrch (Author) commented Sep 5, 2024

For us at least, having it logged somewhere/anywhere is better than nothing. When having a deny NodeNetworkPolicy, it is near impossible to troubleshoot anything without some form of log as to the permit/deny action taken with traffic.
