| Summary: | [RFE] Consolidated log every nonlocal ip connection | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Brennan Vincello <bvincell> |
| Component: | Networking | Assignee: | Ben Bennett <bbennett> |
| Status: | CLOSED WONTFIX | QA Contact: | Meng Bo <bmeng> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.2.1 | CC: | aos-bugs, cpatters |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-07-26 13:17:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
We are unlikely to add something specifically for this soon; however, you can do this yourself. On each node you can add iptables rules to log the packets for all outgoing pod connections. However, be very careful when working with iptables because OpenShift relies on them being set up correctly, and it is easy to break OpenShift networking by changing the chains too much.

If you add an NFLOG entry to the top of the POSTROUTING chain, it will log all traffic leaving the cluster. You can restrict the source to the pod SDN if you just want to log that traffic. Then you need to run ulogd on each node to gather the logged information; that can send it to syslog, and then you could have your syslog configured to forward just the packet information to a remote server where you could collect all the info.

The problem is that it will be logged by pod IP, so you would need to have something that could translate that back to the pod name. You would need to do that in real-time because the pods come and go, so determining the IP address used at a point in time can be tricky.

See also:
- Ulogd man page: http://www2.kangran.su/~nnz/pub/nf-doc/ulogd2/
- ULOG vs. NFLOG: http://unix.stackexchange.com/questions/138135/whats-the-difference-between-ulog-and-nflog
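The hard part of the workaround above is the last step: turning the pod IP in each ulogd line back into a pod name at the moment the connection happened, when pod IPs are recycled as pods come and go. The following is an added example, not OpenShift or ulogd code, of that correlation. It assumes an NFLOG rule inserted at the top of the nat-table POSTROUTING chain on each node, of the form `iptables -t nat -I POSTROUTING 1 -s 10.128.0.0/14 ! -d 10.128.0.0/14 -j NFLOG --nflog-group 1 --nflog-prefix "OS-EGRESS "` (10.128.0.0/14 and 172.30.0.0/16 are assumed to be the pod and service CIDRs; nat-table rules see only the first packet of a connection, so this yields one line per connection, before the masquerade rule rewrites the pod IP), ulogd2 emitting LOG-target-style `KEY=value` lines to syslog, rsyslog forwarding them with RFC 3339 timestamps, and a pod timeline built from the API (for instance from `oc get pods --all-namespaces --watch -o json`) recording which pod held which IP and when. The log lines and the timeline below are constructed for the example.

```python
#!/usr/bin/env python3
"""Resolve ulogd egress log lines to the pod that owned the source IP at that time.

Added example for this bug, not project code. Assumed inputs:
  * syslog lines with RFC 3339 timestamps carrying the NFLOG prefix "OS-EGRESS ";
  * PodLease records (namespace, name, ip, start, end) built from pod watch events.
"""
import ipaddress
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

CLUSTER_NET = ipaddress.ip_network("10.128.0.0/14")  # assumed pod network CIDR
SERVICE_NET = ipaddress.ip_network("172.30.0.0/16")  # assumed service CIDR

# "<rfc3339 ts> <node> ulogd[<pid>]: OS-EGRESS IN= OUT=tun0 SRC=... DST=... PROTO=TCP SPT=... DPT=..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<node>\S+) ulogd\[\d+\]: OS-EGRESS (?P<kv>.*)$")


class PodLease(NamedTuple):
    namespace: str
    name: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None: pod still running


class Connection(NamedTuple):
    time: datetime
    node: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    pod: Optional[str]  # "namespace/name", or None when no lease covers that instant


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def parse_line(line: str) -> Optional[dict]:
    """Return the KEY=value fields of one egress line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Flag tokens without "=" (DF, SYN, ...) are dropped; "IN=" becomes ("IN", "").
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    if "SRC" not in kv or "DST" not in kv:
        return None
    return {"time": parse_ts(m.group("ts")), "node": m.group("node"), **kv}


def is_nonlocal(dst: str) -> bool:
    """True when the destination lies outside the pod and service networks."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # malformed address: not attributable, skip it
    return addr not in CLUSTER_NET and addr not in SERVICE_NET


def resolve_pod(leases: List[PodLease], ip: str, t: datetime) -> Optional[PodLease]:
    """Find the lease that held `ip` at instant `t` (start inclusive, end exclusive)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= t and (lease.end is None or t < lease.end):
            return lease
    return None


def correlate(lines: List[str], leases: List[PodLease]) -> List[Connection]:
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_nonlocal(rec["DST"]):
            continue
        lease = resolve_pod(leases, rec["SRC"], rec["time"])
        out.append(Connection(
            time=rec["time"], node=rec["node"], src=rec["SRC"], dst=rec["DST"],
            proto=rec.get("PROTO", "?"),
            dport=int(rec["DPT"]) if rec.get("DPT") else None,
            pod=f"{lease.namespace}/{lease.name}" if lease else None))
    return out


# Constructed timeline: 10.128.0.5 is reused by a second pod after the first is deleted.
SAMPLE_LEASES = [
    PodLease("shop", "web-1-abc12", "10.128.0.5",
             parse_ts("2017-07-26T12:00:00+00:00"), parse_ts("2017-07-26T13:10:00+00:00")),
    PodLease("batch", "report-7-xyz90", "10.128.0.5", parse_ts("2017-07-26T13:15:00+00:00"), None),
    PodLease("shop", "db-1-qqq11", "10.128.1.9", parse_ts("2017-07-26T11:00:00+00:00"), None),
]

# Constructed log lines in the assumed rsyslog/ulogd format.
SAMPLE_LINES = [
    "2017-07-26T13:05:02+00:00 node1 ulogd[1234]: OS-EGRESS IN= OUT=tun0 SRC=10.128.0.5 DST=93.184.216.34 LEN=60 TTL=64 DF PROTO=TCP SPT=43210 DPT=443 SYN",
    "2017-07-26T13:12:40+00:00 node1 ulogd[1234]: OS-EGRESS IN= OUT=tun0 SRC=10.128.0.5 DST=203.0.113.9 LEN=60 TTL=64 DF PROTO=TCP SPT=51000 DPT=80 SYN",
    "2017-07-26T13:17:21+00:00 node1 ulogd[1234]: OS-EGRESS IN= OUT=tun0 SRC=10.128.0.5 DST=198.51.100.7 LEN=60 TTL=64 DF PROTO=TCP SPT=38822 DPT=25 SYN",
    "2017-07-26T13:18:00+00:00 node2 ulogd[1234]: OS-EGRESS IN= OUT=tun0 SRC=10.128.1.9 DST=172.30.0.1 LEN=60 TTL=64 DF PROTO=TCP SPT=40000 DPT=443 SYN",
    "2017-07-26T13:18:05+00:00 node2 ulogd[1234]: OS-EGRESS IN= OUT=tun0 SRC=10.128.1.9 DST=8.8.8.8 LEN=73 TTL=64 PROTO=UDP SPT=53333 DPT=53",
    "2017-07-26T13:18:06+00:00 node2 sshd[99]: Accepted publickey for core",
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_LINES, SAMPLE_LEASES):
        print(f"{c.time.isoformat()} {c.node} {c.pod or 'UNRESOLVED'} {c.src} -> {c.dst}:{c.dport}/{c.proto}")
```

The second sample line falls in the gap between the two pods that held 10.128.0.5 and is reported as unresolved rather than attributed to either; in an audit pipeline those rows are the ones to alarm on, because they mean the pod timeline missed an event. Lease ends are exclusive and starts inclusive, so a connection stamped at the exact second a pod was deleted is not credited to it. The destination filter is a second line of defence for anything the `! -d` match on the iptables rule lets through.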
As an OpenShift admin I need a historical record of all pod connections to nonlocal IPs for security audits. I'd like to configure SDN logging to reveal information regarding: {time, ip, port} <--> {pod}. Required info: {time, ip, port} of any pod that generates a nonlocal connection. Requested on behalf of customer.