Logging of network policy events

2018-11-21 Thread Lars Milland
Hi

Is it possible to get OpenShift 3.10 to produce log events of its allow and 
deny activities on network traffic to and from pods internally in the OpenShift 
and with allowing or denying egress traffic? The log would have to show 
originating source IP and pod and then the target IP and target pod for the 
internal traffic. And similar for external traffic. I am looking at complying 
with log policies at my company to keep an audit log of network traffic 
decisions. So what is sought for would be the result of the resolving logic of 
NetworkPolicy and EgressNetworkPolicy objects to have that logged to 
ElasticSearch or similar log targets. If this can be solved by logging of 
IPTables or flow rules activity that might also be useful. Anybody know how 
such a log can be produced?

Best Regards
Lars Milland


Re: Regarding Logging

2018-11-21 Thread Rich Megginson

On 11/21/18 12:28 AM, Kasturi Narra wrote:
> Hello Rich,
>
>    I was on PTO yesterday and did not get a chance to run the above commands. But before running these, when I logged into my system I see that fluentd pods are up and running. So does it take some time for the fluentd pods to come up once logging is installed?

yes

>    Today I did a reinstallation of my logging and I again see fluentd pods not being up again.

I guess it may take a while for fluentd to come up, but not sure why it would 
take more than a minute or two.

Look for /var/log/*.pos and /var/lib/fluentd/* for evidence that fluentd is up 
and doing something.

> Thanks
> kasturi
>
> On Mon, Nov 19, 2018 at 9:21 PM Rich Megginson <rmegg...@redhat.com> wrote:
>
>     Try unlabeling then relabeling the nodes:
>
>     oc label node --all logging-infra-fluentd-
>
>     wait a minute
>
>     oc label node --all logging-infra-fluentd=true
>

On 11/19/18 8:44 AM, Kasturi Narra wrote:
> Hello,
>
>   Please find replies inline
>
> On Mon, Nov 19, 2018 at 9:12 PM Rich Megginson <rmegg...@redhat.com> wrote:
>
>     On 11/19/18 8:32 AM, Kasturi Narra wrote:
>     > Hello Jeff,
>     >    Yes, I do have it. Here is the output I have got.
>     >
>     > dhcp46-68.lab.eng.blr.redhat.com   Ready     6d        v1.9.1+a0ce1bc657
>     > beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=dhcp46-68.lab.eng.blr.redhat.com,logging-infra-fluentd=true,region=infra,registry=enabled,role=node,router=enabled
>     >
>
>     oc get daemonset
>
>
> [root@dhcp46-170 ~]# oc get daemonset
> NAME              DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE SELECTOR                AGE
> logging-fluentd   0         0         0         0            0           logging-infra-fluentd=true   3m
>
>
>     oc describe daemonset logging-fluentd
>
>
> [root@dhcp46-170 ~]# oc describe daemonset logging-fluentd
> Name:           logging-fluentd
> Selector:       component=fluentd,provider=openshift
> Node-Selector:  logging-infra-fluentd=true
> Labels:         component=fluentd
>                 logging-infra=fluentd
>                 provider=openshift
> Annotations:    
> Desired Number of Nodes Scheduled: 0
> Current Number of Nodes Scheduled: 0
> Number of Nodes Scheduled with Up-to-date Pods: 0
> Number of Nodes Scheduled with Available Pods: 0
> Number of Nodes Misscheduled: 0
> Pods Status:  0 Running / 0 Waiting / 0 Succeeded / 0 Failed
> Pod Template:
>   Labels:           component=fluentd
>                     logging-infra=fluentd
>                     provider=openshift
>   Service Account:  aggregated-logging-fluentd
>   Containers:
>    fluentd-elasticsearch:
>     Image: registry.access.redhat.com/openshift3/logging-fluentd:v3.9.43
>     Port:   
>     Limits:
>       memory:  512Mi
>     Requests:
>       cpu:     100m
>       memory:  512Mi
>     Environment:
>       K8S_HOST_URL: https://kubernetes.default.svc.cluster.local
>       ES_HOST:                 logging-es
>       ES_PORT:                 9200
>       ES_CLIENT_CERT:          /etc/fluent/keys/cert
>       ES_CLIENT_KEY:           /etc/fluent/keys/key
>       ES_CA:                   /etc/fluent/keys/ca
>       OPS_HOST:                logging-es
>       OPS_PORT:                9200
>       OPS_CLIENT_CERT: /etc/fluent/keys/ops-cert
>       OPS_CLIENT_KEY:  /etc/fluent/keys/ops-key
>       OPS_CA:  /etc/fluent/keys/ops-ca
>       JOURNAL_SOURCE:
>       JOURNAL_READ_FROM_HEAD:
>       BUFFER_QUEUE_LIMIT:      32
>       BUFFER_SIZE_LIMIT:       8m
>       FLUENTD_CPU_LIMIT:       node allocatable (limits.cpu)
>       FLUENTD_MEMORY_LIMIT:    536870912 (limits.memory)
>       FILE_BUFFER_LIMIT: