OpenShift docs are moving and will soon only be available at docs.redhat.com, the home of all Red Hat product documentation. Explore the new docs experience today.
  1. Documentation
    2. history bug_report picture_as_pdf
×

Visualizing external entities

Visualizing external entities is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Understanding the interactions between your cluster and external entities is essential for incident response and network policy management. With the Visualizing external entities feature, you can view the external IP addresses that interact with your cluster.

You can view external entities in the Network Graph or query external entities by using the API.

Visualizing external entities is an opt-in feature that is disabled by default. To enable this feature, you must enable external IP collection in Central and secured clusters, as described in the following sections.

Enabling external IP collection in Central

There are two environmental variables that control the collection of external IP in Central: ROX_EXTERNAL_IPS and ROX_NETWORK_GRAPH_EXTERNAL_IPS.

You must enable ROX_EXTERNAL_IPS in Central to enable external IP collection and to query external entities by using the API. After that, you can use ROX_NETWORK_GRAPH_EXTERNAL_IPS to display collected external IPs in the Network Graph.

Procedure

  • If you installed RHACS by using the RHACS Operator, insert the following customization in the Central custom resource definition (CRD):

    spec:
  customize:
    envVars:
      - name: ROX_EXTERNAL_IPS (1)
        value: 'true'
    1 Additionally, you can also specify ROX_NETWORK_GRAPH_EXTERNAL_IPS.

  • If you installed RHACS by using Helm, add the following annotations to your values-public.yaml file:

    customize:
  # Extra environment variables for all containers in all objects.
  envVars:
    ROX_EXTERNAL_IPS: “true” (1)
    1 Additionally, you can also specify ROX_NETWORK_GRAPH_EXTERNAL_IPS.

Enabling external IP collection in secured clusters

To enable external IP collection in secured clusters, you must individually configure each secured cluster’s runtime configuration.

You can have some clusters with the functionality enabled while others remain disabled. In this case, external IP information is only available for the clusters where you have enabled the feature.

You can use a ConfigMap object to enable the external IP collection in secured clusters.

Procedure

  • Create a ConfigMap object called collector-config with the following content:

    apiVersion: v1
kind: ConfigMap
metadata:
  name: collector-config
  namespace: stackrox
data:
  runtime_config.yaml: | (1)
    networking:
      externalIps:
        enable: true
    1 RHACS mounts this file at /etc/stackrox/runtime_config.yaml.

Whenever you create or update the ConfigMap object, the collector refreshes the runtime configuration. When you delete the ConfigMap object, the settings revert to the default runtime configuration values.

Querying external IP addresses by using the API

You can get information about the external IP addresses associated with a specific cluster by using the following endpoints:

  • /v1/networkgraph/cluster/{clusterId}/externalentities: This endpoint returns a list of external entities for a given cluster ID. Each entity includes the following information:

    • Name: The name of the external entity.

    • CIDR block: The CIDR block associated with the entity.

    • Default entity: Indicates that the entity is a CIDR-block definition provided by the system.

    • Discovered: If true, indicates that the external IP address does not match any specified CIDR block.

  • /v1/networkgraph/cluster/{clusterId}/externalentities/flows/{deploymentId}: This endpoint reports the flows to and from external entities for a given cluster ID and deployment ID. Use this endpoint to analyze network traffic patterns and gain insights into the interactions between your cluster and external entities.

Known limitations

The following are some known limitations of the Visualizing external entities feature:

  • When you enable external IP collection for a cluster, Collector in those clusters report more information to Sensor and to Central. This might create scalability issues if the workload in the cluster communicates with a large number of distinct external peers. It is recommended that you do not enable this feature on clusters with communication patterns involving more than 10,000 distinct external entities.

  • The display of IP information on the Network Graph page is experimental and uses a graphical item for each IP entity. Enabling this level of detail when the number of peers is a few hundred or more might result in an unreadable user interface and more than 2,000 peers may result in a potentially unresponsive user interface.

  • You cannot see external IP addresses if they are part of CIDR blocks.