Configure UCT-C Controller and TAP through GigaVUE-FM

This section describes how to configure UCT-C through GigaVUE-FM GUI. Refer to the following section for details.

The recent GigaVUE-FM image files can be downloaded from the Gigamon Customer Portal. After fetching the image, upload and launch GigaVUE-FM on the supported Cloud environment. For assistance,Contact Technical Support of Gigamon or refer to GigaVUE-FM Installation Guide and GigaVUE Fabric Management Guide for details on installing and launching GigaVUE-FM.

In GigaVUE-FM, on the left navigation pane, go to Inventory > CONTAINER > Universal Cloud Tap - Container. You can view the following tabs on the Universal Cloud Tap - Container launch page:

Tabs

Description

Monitoring Domains

Displays the Monitoring Domain details and the connectivity status from GigaVUE-FM to Cluster. The count of reachable and unreachable clusters per Monitoring Domain.

Clusters

Displays Kubernetes Clusters, along with UCT-C Controller information and the total number of nodes per Cluster. Also displays GigaVUE-FM to Controller connectivity and Heartbeats status. Heartbeat status is from UCT-C Controller to GigaVUE-FM.

Note:  You can delete a cluster that is not associated to any Monitoring Domain from the Clusters page. Ensure that you delete the cluster only after stopping the UCT-C Controller and the UCT-C TAP.

Nodes

Displays the Nodes from all Kubernetes Clusters along with UCT-C TAP information and Total Pods per Node. UCT-C TAP status should be Connected for deployments for respective Worker Nodes to go through. If the UCT-C TAP status for a Worker Node is not shown as Connected, the deployment for that Worker Node will not go through.

Pods

Displays the list of Pods from all Kubernetes Clusters. For each Pod, all metadata - Pod Name, Labels, IPs, Namespace, Service Name, Service IPs, Node Name, Containers, and Host Network information is displayed.

Settings

Displays the general settings which include disconnected UCT-C Controller or TAP Purge Interval days, and the maximum number of Clusters allowed in GigaVUE-FM.

To view and filter the list of Monitoring Domains, Cluster, and Node details, click the filter button on the left side of any of the above listed tabs. You can also create a new Monitoring Domain, edit, and delete the existing Monitoring Domains.

On Clusters, Nodes, and Pods screens, you can click the Filter button displayed on the right of the page to filter the details on that particular screen.

To create a monitoring domain in GigaVUE-FM:

  1. In GigaVUE-FM, on the left navigation pane, go to Inventory > CONTAINER > Universal Cloud Tap - Container > Monitoring Domains.
  2. In the Monitoring Domains page, click New. The New Monitoring Domain wizard appears.
  3. Enter or select the required information as described in the following table.

    Fields

    Description

    Monitoring Domain Name

    Enter a name for the monitoring domain

    Clusters

    Cluster Name

    Enter a name for the cluster

    API Server URL

    Enter or select the URL of the API server

    Option

    CA

    Select the required CA name from the drop-down menu.

    Note:  CA is required for deploying the policy with Secure Tunnels.

    Click to add another cluster and click to remove an existing cluster.

  4. Click Save to create a monitoring domain.

You can view the monitoring domain created in the list view. The list view shows the following information for UCT-C and controllers:

■   Monitoring Domain - Shows the list of Monitoring Domains created.
■   Cluster - Displays the status of GigaVUE-FM to UCT-C Controller connectivity. You can click the number link next to (connected) or the (disconnected) icons to view the cluster details for the selected Monitoring Domain.

Use the following buttons to manage your Monitoring Domain:

Button Description

New

Use to create new Monitoring Domain

Actions

Provides the following options:

Edit- Edit the monitoring domain
Delete - Delete the monitoring domain

Refresh Inventory

Triggers Inventory Refresh on all Clusters in the Monitoring Domain

When setting up a traffic flow, it is important to define the selection criteria for the sources of traffic. Use the Source Selectors page to configure the sources of the traffic to be monitored.

Notes:
  • DefaultExclusion: DefaultExclusion is a default source selector which will be applied to all policies. It cannot be deleted but can be modified. After modifying the DefaultExclusion source selector, policies need to be deployed again for the changes to take effect. DefaultExclusion appears by default on the Source Selector Specifications page.

  • To exclude the pods from monitoring, you can add criteria to DefaultExclusion. From the drop-down list, select any of the following Object Property to exclude them from the monitoring, and provide the value for the property selected in the Value field:

    ■  servicename
    ■  serviceip
    ■  podname
    ■  podip
    ■  podlabels
    ■  nodename
    ■  namespace
    ■  nodepodcidr
    ■  hostNetwork

    By default, pods in kube-system namespace, and metallb-system namespace are excluded from monitoring.

  • You can add criteria to DefaultExclusion to exclude nodenames where UCT-C TAP is not launched. If Master node(s) does not have UCT-C TAP, add master node names to DefaultExclusion.

  • During the upgrade to Version 6.10, GigaVUE‑FM will automatically remove the Host Network criteria from the DefaultExclusion Source Selector and will add the Host Network Enabled Exclusion Criteria by default to all the existing policies.

To configure the Source Selectors:

  1. Go to Inventory > Resources> Source Selectors> Container.
  2. Click Create. The New Source Selector wizard appears.
  3. Enter or select the required information:
    FieldAction

    Name

    Enter a name for the source

    Inclusion Criteria

    You can select any one of the following options:

    All Sources - Select this option to acquire traffic from all namespaces and pods within the selected cluster(s). The volume of traffic may be large, depending on the size of the cluster(s).

    Criteria1- You must enter the following options:

    Object Property

    Select an object property to filter the traffic source.

    Operator

    Select the operator.

    Values

    Enter the values for the filter. Values are case-sensitive.

    On the Criteria, click to add another object and click to remove an existing object.

    Exclusion Criteria

    On the Criteria, click to add another Object and click to remove an existing Object.

    Host Network Enabled

    Uncheck the Host Network Enabled to monitor the Host Network Enabled pods.

    Refer to the Exclusion Criteria for more information.

    Object Property

    Select an object property to filter the traffic source.

    Operator

    Select the operator.

    Values

    Enter the values for the filter. Values are case-sensitive.

    On the Inclusion or Exclusion Criteria sections, click to add another Criteria and click to remove an existing Criteria.

  4. Click Save.
Notes: You can create multiple criteria. Within each criteria, you can configure multiple objects.
  • If you have configured multiple objects in a criteria, then the traffic will be filtered only if all the object rules are true (AND condition).
  • If you have configured multiple criteria, then the traffic will be filtered even if one of the criteria is true (OR condition).

Exclusion Criteria

Host Network Enabled - The UCT-C introduces support for tapping Host Network Enabled pods. By default, this check box is selected (i.e.) you are excluding the host network enabled pods.

When you want to monitor the pod, clear the Host Network Enabled checkbox. A warning message appears and requires your confirmation to proceed with tapping pods with Host Network Enabled.

Notes:

  • Worker Node must have cgroup version 2 to support the Host Network Enabled feature.

  • If the Worker Node has cgroup version 1, the policy deployment status for pod will show an error message.

  • When tapping Host Network enabled pods, tapped traffic is sent to user space for tunneling. It uses performance buffers, requiring more memory. To accommodate this, increase the memory request/limit to atleast 1GB for UCT-C taps.

Identify the cgroup Version on the Worker Node

To check which cgroup version your distribution uses, there are two ways:

1.   Run the stat -fc %T /sys/fs/cgroup/ command on the worker node:
o   For cgroup v2, the output is cgroup2fs.
o   For cgroup v1, the output is tmpfs.
2. Check if /sys/fs/cgroup/cgroup.controllers is present, then it is cgroup v2.

Identify the cgroup Version for Worker Pod

To check which cgroup version your worker pod uses:

1.   Login to the worker pod and check file /proc/$$/cgroup.
2. If the file has net_cls, then it's cgroup v1 otherwise it is cgroup v2.

A tunnel of type L2GRE, VXLAN, or TLS-PCAPNG can be created. The tunnel is an egress tunnel. For more information on how to create a tunnel of type TLS-PCAPNG, refer to Secure Tunnels Secure Tunnels . Secure Tunnels

Note:   Secure Tunnels

To configure the tunnels:

  1. Go to Inventory > Resources > Tunnel Specifications.
  2. On the Tunnel Specifications page, navigate to the Container tab and click Create. The Create Tunnel Specification wizard appears.
  3. Enter or select the following information:

    Field

    Description

    Name

    The name of the tunnel endpoint.

    Note:  Do not enter space or Invalid characters.

    Tunnel Type

    Select L2GRE, VXLAN, or TLS-PCAPNG tunnel type to create a tunnel.

    Destination IP Address

    Enter the IP address of the destination endpoint.

    Key

    (Applicable when the selected tunnel type is L2GRE)

    Enter a value for the tunnel key.

    VXLAN Network Identifier

    (Applicable when the selected tunnel type is VXLAN)

    Enter the identifier key for VXLAN network.

    Destination Port

    (Applicable when the selected tunnel type is VXLAN or TLS-PCAPNG)

    Specify the destination port value. Enter a value between 1 and 65535.

  1. Click Save to save the configuration.

The traffic from the workload pods is processed based on the Traffic Policy configuration. The UCT-C TAP routes the traffic to the tunnel destination IP addresses specified in the Traffic Policy rules.

You can refer to the GigaVUE API Reference for detailed information on the REST APIs of UCT-C

To create a UCT-C Traffic Policy in GigaVUE-FM, follow the below steps:

1.   From the GigaVUE-FM left navigation pane, go toTraffic > CONTAINER > Universal Cloud Tap - Container. The Policies page appears.
2. In the Policies page, click New. The Create Policy wizard appears.

Note:  You can deploy a maximum of eight policies per Monitoring Domain.

3. In the General tab, enter or select the required information as described in the following table:

Fields

Description

Policy Name

Enter a name for the Traffic Policy. The name must be unique.

Monitoring Domain

Select an existing monitoring domain. To create a new monitoring domain, refer to Create Monitoring Domain section.

Clusters

Select the required cluster from the drop-down menu.

Precryption Policy

Click the radio button Yes, to enable the Precryption rules for the policy. Click radio button No to enable the Mirroring.

Note:  Once the policy is deployed, you cannot change the Precryption Policy setting.
4. Click Next to switch to the Source Selectors tab, select an existing source selector and click Add or select Create New to create a new source selector, refer to Create Source Selectors section for detailed information. You can configure a maximum of eight source selectors per policy.
5. In the Source Selectors page, click to expand the Default Exclusion section. DefaultExclusion Source Selector is applied automatically for all policies.

Note:  You can edit the values across the Monitoring Domain in Inventory > Resources > Source Selectors section. On the Source Selectors Specifications page, navigate to Container > Default Exclusion. In the Edit Source Selector wizard, you can edit the values in the Exclusion Criteria section.

6. Click Next to switch to the Rules tab, enter or select the required information for the Ingress Rules and the Egress Rules as described in the following table. You must select CA in the Monitoring Domain page to use secure tunnel in rules:

Fields

Description

Tunnel Specifications

Select an existing tunnel or select Create New to create a new tunnel, refer to Create Tunnel Specifications section for detailed information.

For Precryption, only one Tunnel Specification field will be displayed at the top for all the rules. For Mirroring, Tunnel Specification can be configured for every individual rule.

Rules

On the Ingress or Egress rules, click to add another rule and click to remove an existing rule. You must select CA in the Monitoring Domain page to use secure tunnel in rules.

Rule Name

Enter a name for the rule. Rule name should always be unique within a policy.

Note:  Rule names ending with __I, __E, __RI, __RE are not recommended as the names are invalid in policy rules. Rule names like passall, ingress-passall, and egress-passall are restricted.

Enable

Select On to enable the passall rule or select Off to disable the passall rule. Refer to Enable Selective Precryption to add the filters when you choose to disable the passall rule.

Action

Select Pass to allow the packets or select Drop to block the packets based on the filters.

Direction

Select any one of the following directions:

Bi-directional - Taps the traffic in both directions. Each bidirectional rule will add 2 ingress rules and 2 egress rules

Note:  When you apply filters to two pods on the same worker node to capture traffic in both directions, only one copy of the packet will be tunneled out for each packet traveling from one pod to the other.

Ingress- Taps the ingress traffic
Egress - Taps the egress traffic
Ingress Pass All - Taps all the ingress traffic
Egress Pass All - Taps all the egress traffic

Note:  The maximum number of rules supported per direction is 32.

Priority

Enter a priority value to specify the order of rule execution on the selected Pod.

Unique Priority is enforced in a policy within ingress and egress space. Bi-directional rules get expanded in ingress and egress space. Priority is not applicable for Drop Rules. Drop Rules are executed first, followed by passall rules, and then filter rules based on specified priority values.

Enable Selective Precryption

If you wish to use selective Precryption follow the steps given below:

  1. Disable the Enable toggle button to turn off the default passall rule.
  2. Click to add another rule.
  3. Enter the following details as mentioned in the below table:

    Fields

    Description

    Rule Name

    Enter a name for the rule.

    Action

    Choose any one of the following options:

    Pass — Passes the traffic.
    Drop — Drops the traffic.

    Note:  In the absence of a Precryption rule, traffic is implicitly allowed. However, once rules are defined, they include an implicit pass all rule. Should the traffic not conform to any of the specified rules, it will be passed.

    Direction

    Choose any one of the following options:

    Bi-Directional —- Allows the traffic in both directions of the flow. A single Bi-direction rule should consist of 1 Ingress and 1 Egress rule.
    Ingress — Filters the traffic that flows in.
    Egress — Filters the traffic that flows out.

    Priority

    Select the value of the priority based on which the rules must be prioritized for filtering. Select the value as 1 to pass or drop a rule in top priority. Similarly, you can select the value as 2, 3, 4 to 8, where 8 can be used for setting a rule with the least priority. Drop rules are added based on the priority and, then pass rules are added.

    Filters

    Filter Type

    Select the Filter Type from the following options:

    L3
    L4

    L3:

    Filter Name

    Select the Filter Name from the following options:

    IPv4 Source
    IPv4 Destination
    IPv6 Source
    IPv6 Destination
    Protocol - It is common for both IPv4 and IPv6

    Value

    Enter or Select the Value based on the selected Filter Name.

    Note:  When using Protocol as the Filter Name, select TCP from the drop-down menu.

    L4:

    Filter Name

    Select the Filter Name from the following options:

    Source Port
    Destination Port

    Filter Relation

    Select the Filter Relation from any one of the following options:

    Not Equal to
    Equal to

    Value

    Enter the source or destination port value.

7. Click Next to switch to the Validate tab, click Save to the policy or click Deploy, and the selected traffic policy rules get deployed to the required UCT-C TAPs present on the nodes corresponding to the source pods selected for monitoring.

Note:  If policy deployment for pods fails with a Duplicate Filter Rules error, you need to decide which policy the pod should be monitored under and make changes to the failed policies by removing the overlapping sources from the failed policy.

In the Policies page, you can view various details related to a policy such as Policy Name, Monitoring Domain, Cluster, Deployment Status, and Statistics etc., The fields and the description of the field names are given in the following table:

Table 1: Policies Landing Page

Fields

Description

Policy

Name of the Policy

Monitoring Domain

Monitoring Domain associated with the Policy

Cluster

The cluster name associated with the policy

Deployment Status

Indicates the policy deployment status:

  • Deployed

  • Not Deployed

  • Undeploying

  • UndeploymentFailure

Statistics

Displays the statistics of the policy

Note:  Click the gear icon to add or remove column or columns as per your requirement.

Use the following buttons on the Policies screen to manage your Policy:

Button Description

New

Use to create a new policy

Actions

Provides the following options:

Edit
Delete
Deploy
Undeploy

To view the Deployment status, click the Deployment status link in the Deployment Status column of a policy. The Deployment status appears on the bottom of the Policies page.
You can view the following fields along with the policy name:

o   Pod Name
o   Namespace
o   Rules
o   Cluster
o   Node

Click Filter to filter the details like Cluster, Node, Namespace, Pod Name, and Pod Status in the Deployment Status Wizard.

To view the Policy Configurations of the traffic policy configured in the GigaVUE-FM, click the policy name. The configurations appear on the bottom of the Policies page.
You can view the following tabs along with the policy name:

■   Source Specifications
■   Mirroring Rules or Precryption Rules

You can scroll each of the tables to view more columns. The fields and description for the tab that appears when you click the tabs are described in the topics respectively.

Source Specifications

You can view the criteria based on which pod is selected for tapping.

The fields and descriptions of the Source Specifications tab are described in the following table:

Table 2: Source Specifications

Tab-

Source Specifications

Field

Description

Source Selector

 

 

 

Name

Specifies the name of the Source selector.

Inclusion Criteria

 

 

 

Criteria Name

Specifies the inclusion criteria for the source selector. Pod that matches the inclusion criteria will be selected as source for the given traffic policy.

 

Property

Specifies the property for the attributes in the criteria. The available properties are:

namespace
servicename
serviceip
podname
podip
podlables
nodename
nodepodcidr

 

Operator

Specifies the operator used in the criteria.

 

Value

Specifies the value for the attributes in the criteria.

Exclusion Criteria

 

 

 

Criteria Name

Specifies the exclusion criteria for the source selector. Pod that matches the exclusion criteria will be excluded from the source for the given traffic policy.

 

Property

Specifies the property in the exclusion criteria based on which the pod associated with the source is excluded.

 

Operator

Specifies the operator involved in the exclusion criteria in tapping the traffic in the pod.

 

Value

Specifies the value in the criteria based on which traffic in the pod is excluded.

Mirroring Rules or Precryption Rules

The fields and descriptions of the Mirroring Rules or Precryption Rules tab are described in the following table:

Table 3: Mirroring Rules or Precryption Rules

Tab-Rules

Rules

Field

Description

Mirroring Rules or Precryption Rules

 

 

 

Rule

Specifies the name of the rules in which the traffic is filtered in the pod. Click on the Rule name to view the filters.

 

Tunnel

Specifies the tunnel details which is associated with the rules to send the traffic out. When you hover over the tunnel specification value, you can view the details of the tunnel in a message box.

 

Priority

Specifies the priority assigned for the rule.

 

Action

Specifies whether to pass or drop the rule.

 

Direction

Specifies the direction of the flow of traffic is ingress, egress, or in both direction.

Filter

 

 

 

Type

Specifies the filter type.

 

Filter

Specifies the name for the filter.

 

Value

Specifies the value of the filter.

Traffic Policy Statistics in GigaVUE-FM provides the visibility of the policies within a Monitoring Domain and displays the information of the policies and its rules statistics in the dashboard.

Rules are configured in the UCT-C to either forward the traffic to a Tunnel or drop the flow of the traffic.

The activities of the rules are reflected by the statistics counters. The statistics counters show how the policy statistics are directly co-related to the policy and its rules being configured through the GigaVUE-FM.

To view the statistics of the traffic policy configured in the GigaVUE-FM, click the View status link in the Statistics column of a policy. The Policy Statistics and the Mirroring Statistics or Precryption Statistics appears on the bottom of the Policies page:

Table 4: Policy Statistics

Fields

Description

Policy Name

Name of the policy

Ingress packets

Total aggregate value of the ingress packets associated with the policy

Egress packets

Total aggregate value of the egress packets associated with the policy

Ingress Bytes

Total aggregate value of the ingress bytes associated with the policy

Egress Bytes

Total aggregate value of the egress bytes associated with the policy

Ingress Errors

Total aggregate value of the ingress errors associated with the policy

Egress Errors

Total aggregate value of the egress errors associated with the policy

Ingress Dropped

Total aggregate value of the ingress packets dropped associated with the policy

Egress Dropped

Total aggregate value of the egress packets dropped associated with the policy

Table 5: Mirroring or Precryption Statistics

Fields

Description

Rule Name

Name of the individual rule.

Ingress packets

Total aggregate value of the ingress packets associated with the rule

Egress packets

Total aggregate value of the egress packets associated with the rule

Ingress Bytes

Total aggregate value of the ingress bytes associated with the rule

Egress Bytes

Total aggregate value of the egress bytes associated with the rule

Ingress Errors

Total aggregate value of the ingress errors associated with the rule

Egress Errors

Total aggregate value of the egress errors associated with the rule

Ingress Dropped

Total aggregate value of the ingress packets dropped associated with the rule

Egress Dropped

Total aggregate value of the egress packets dropped associated with the rule