Illumio Segmentation for the Cloud User Guide

Configure OpenShift OVN-Kubernetes

In OpenShift clusters, the cloud operator requires that OVN-Kubernetes be used as the network plugin. The cloud operator acts as an IPFIX collector to collect network flows from OVN-Kubernetes.

Prerequisites
  • An installation of OpenShift CLI (oc).

  • Access to an OpenShift cluster onboarded with the cloud operator.

  • You are logged into the cluster as a user with cluster-admin privileges.

Steps to configure IPFIX network flow export
  1. Execute the following commands to configure IPFIX network flow export to the IP address of the cloud operator's ClusterIP service:

    export COLLECTOR_CLUSTER_IP=$(oc get service -l app=cloud-operator -n illumio-cloud --template '{{(index .items 0).spec.clusterIP}}')
    
    oc patch network.operator cluster --type merge -p '{"spec":{"exportNetworkFlows":{"ipfix":{"collectors":["'$COLLECTOR_CLUSTER_IP':4739"]}}}}'
  2. Execute the following command to verify that the configuration has been changed:

    oc get network.operator cluster -o jsonpath="{.spec.exportNetworkFlows}"
    

    The output should be:

    {"ipfix":{"collectors":["<cloud-operator-cluster-ip>:4739"]}}

    Warning

    The IP address of the cloud operator's ClusterIP service may change if the cloud operator is uninstalled and re-installed. In this case, the commands above must be executed again to reconfigure flow export.
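As an added example that is not part of the Illumio guide, the following POSIX shell script turns the commands above into a drift check for the situation the warning describes: it compares the collector currently set in network.operator with the cloud operator's present ClusterIP and, when they differ, prints the patch command that must be re-run. It assumes the same namespace (illumio-cloud), service label (app=cloud-operator) and port (4739) used above; the parsing functions take the jsonpath output as a string, so they can be exercised without a cluster, and the live check only runs when IPFIX_CHECK_LIVE=1 is set.

```shell
#!/bin/sh
# Added example, not code from the Illumio guide. Namespace, label and port
# below are the ones the guide uses; adjust them if your onboarding differs.
IPFIX_PORT=4739

# expected_collector CLUSTER_IP -> "CLUSTER_IP:4739"
expected_collector() {
    printf '%s:%s\n' "$1" "$IPFIX_PORT"
}

# configured_collectors JSON -> one collector per line.
# JSON is the output of:
#   oc get network.operator cluster -o jsonpath="{.spec.exportNetworkFlows}"
# e.g. {"ipfix":{"collectors":["10.0.0.5:4739"]}}  (constructed sample value)
configured_collectors() {
    printf '%s' "$1" | sed -n 's/.*"collectors":\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' | tr -d '" '
}

# collector_in_sync CLUSTER_IP JSON -> exit 0 only when exactly one collector
# is configured and it is CLUSTER_IP:4739 (an empty or multi-entry list is drift).
collector_in_sync() {
    want=$(expected_collector "$1")
    got=$(configured_collectors "$2")
    [ "$got" = "$want" ]
}

# Live check against the cluster: fetch the current ClusterIP and the
# current export config, and print the guide's patch command if they differ.
live_check() {
    ip=$(oc get service -l app=cloud-operator -n illumio-cloud \
        --template '{{(index .items 0).spec.clusterIP}}')
    cfg=$(oc get network.operator cluster -o jsonpath='{.spec.exportNetworkFlows}')
    if collector_in_sync "$ip" "$cfg"; then
        echo "IPFIX export points at cloud-operator ($ip:$IPFIX_PORT)"
    else
        echo "IPFIX export drifted: configured '$cfg', expected $(expected_collector "$ip")" >&2
        echo "re-run: oc patch network.operator cluster --type merge -p '{\"spec\":{\"exportNetworkFlows\":{\"ipfix\":{\"collectors\":[\"$ip:$IPFIX_PORT\"]}}}}'" >&2
        return 1
    fi
}

if [ "${IPFIX_CHECK_LIVE:-0}" = "1" ]; then
    live_check
fi
```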

IPFIX and network flow traffic restrictions in OVN-Kubernetes

In OVN-Kubernetes, the IPFIX packets containing network flows are sent directly from each node in the cluster to the cloud operator. To allow the cloud operator to receive IPFIX packets from all nodes, the NetworkPolicy controlling ingress traffic by default allows packets from anywhere to the IPFIX port (UDP port 4739).

Illumio strongly recommends allowing ingress only from the IP addresses of the cluster nodes. To do so, modify the Helm values in the illumio-cloud-operator-values-<...>.yaml file downloaded from the Onboarding page before installing the cloud-operator: set openshift.workerNodeCidrs to the list of cluster node CIDRs, for example:

onboardingSecret:
  clientId: "..."
  clientSecret: "..."

# CIDRs of all the cluster nodes that send IPFIX packets to cloud-operator:
openshift:
  workerNodeCidrs:
    - "10.1.0.0/24"
    - "10.2.0.0/24"