NodeNetworkPolicy not creating logs #6525
Comments
@notsrch traffic logging for NodeNetworkPolicy is not implemented, though it should be technically feasible.
Will investigate that.
Prevent ACNP appliedTo Node (NodeNetworkPolicy) with "enableLogging: true". Prevent ACNP appliedTo Node (NodeNetworkPolicy) with other selectors. For antrea-io#6525 Signed-off-by: Kumar Atish <kumar.atish@broadcom.com>
Sorry for replying this late. The data path of NodeNetworkPolicy is iptables, which supports logging matched packets information to system log (/var/log/syslog or /var/log/messages). Unfortunately, iptables does not natively support logging directly to a specific file. IMO, it is not easy for Antrea to read the corresponding log from the system log file. It is easy for Antrea using iptables to log the packet information to system log if
Tools like rsyslog may redirect logs to specific files, but not sure whether it can be easily configured and works for all OS. If it's too complex, logging to syslog sounds not bad too as long as we document it clearly where to find the logs.
For us at least, having it logged somewhere/anywhere is better than nothing. When having some deny NodeNetworkPolicy, it is near impossible to troubleshoot anything without some form of log as to the permit/deny action taken with traffic.
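As an added example (not code from this thread or from the Antrea project): the comments above note that iptables LOG output lands in the system log, so this sketch pulls such entries out of syslog text and lists the denied packets. The `NNP-EXAMPLE:` prefix with the action appended is a hypothetical value for iptables' `--log-prefix` option, and the sample lines are constructed.

```python
import re

# Assumption: a hypothetical prefix set with iptables' --log-prefix option,
# followed by the action. Antrea does not emit this prefix.
LOG_PREFIX = "NNP-EXAMPLE:"

# Constructed sample lines in the kernel's iptables LOG format.
SAMPLE_SYSLOG = """\
Aug 12 10:15:01 node1 kernel: [1234.567890] NNP-EXAMPLE:DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 12 10:15:02 node1 sshd[811]: Accepted publickey for admin from 192.0.2.30 port 40022 ssh2
Aug 12 10:15:03 node1 kernel: [1235.000001] NNP-EXAMPLE:ALLOW IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.0.2.11 DST=192.0.2.20 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=40000 DPT=53 LEN=56
Aug 12 10:15:04 node1 kernel: [1236.000002] NNP-EXAMPLE:DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.0.2.12 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# KEY=VALUE tokens; the value may be empty (for example "OUT=").
KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for one prefixed iptables LOG line, else None."""
    _, found, rest = line.partition(LOG_PREFIX)
    if not found:
        return None  # unrelated syslog entry
    action, _, fields = rest.partition(" ")
    raw = {}
    for key, value in KV.findall(fields):
        # UDP repeats LEN and ICMP repeats ID; keep the first (IP header) value.
        raw.setdefault(key, value)
    return {
        "action": action,
        "src": raw.get("SRC"),
        "dst": raw.get("DST"),
        "proto": raw.get("PROTO"),
        # ICMP entries carry no ports, so dport stays None for them.
        "dport": int(raw["DPT"]) if "DPT" in raw else None,
    }


def denied(text):
    """Return the parsed records whose action is DROP."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r and r["action"] == "DROP"]


if __name__ == "__main__":
    for record in denied(SAMPLE_SYSLOG):
        print(record)
```
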
Describe the bug
NodeNetworkPolicy type policies do not create logs in /var/log/antrea/networkpolicy/np.log even when `enableLogging: true` is set
To Reproduce
Create a NodeNetworkPolicy with `enableLogging: true`
Generate traffic
Expected
Log entry /var/log/antrea/networkpolicy/np.log similar to other ClusterNetworkPolicy
Actual behavior
Nothing is logged
Versions:
2.0.1
v1.28.8+rke2r1
containerd
uname -r: 6.4.0-150600.10-default
Additional context