Configuration and Troubleshooting
Kubernetes Network Configuration
Sysdig provides a Configuration page for Administrators who want to fine-tune the way the agent processes the network data.
It contains three areas, described below:
Workload Labels
The Sysdig agent automatically detects the labels used for the Kubernetes objects in a cluster. Often there are many more labels than are required for network security purposes. In such cases, you can select the two or three most meaningful labels and use the include or exclude settings for namespace or workload labels to avoid clutter in both the UI and your network security policies. For example, you can exclude the labels inherited from Helm and include only the labels that are required for each object, such as app and name.
Unresolved IP Configuration
If the Sysdig agent cannot resolve an IP to a higher-level structure (Service, Deployment, DaemonSet, etc.), it is displayed as “unresolved” in the ingress/egress tables. Additionally, you can add unresolved IPs from the ingress or egress tabs by clicking the @ icon and creating a new alias or assigning the IP to an existing alias.
You can manually enter such IPs or CIDRs in the configuration panel, label them with an alias, and optionally set them to “allowed” status. Grouping IPs under a single alias helps declutter the Topography view.
Pod communication without an alias
Pod communication with IP aliases
Cluster CIDR Configuration
Unresolved IPs are listed and categorized as “internal” (inside the cluster), “external” (outside the cluster) or “unknown” (subnet information incomplete). For unknowns, Sysdig prompts with an error message to help you resolve it.
The simplest resolution is to manually specify cluster and service CIDRs for the clusters.
Troubleshooting
Tips to resolve common error messages:
Error message: Namespaces without labels
Problem: Namespaces must be labeled for the KNPs to define ingress/egress rules. If non-labeled namespaces are detected in the targeted communications, the “Namespaces without labels” error message is displayed in the UI:
Resolution: Simply assign a label to the relevant namespace and wait a few minutes for the system’s auto-detection to catch up.
Error Message: Cluster subnet is incomplete
Problem: To categorize unresolved IPs as inside or outside the cluster, the agent must know which CIDR ranges belong to the cluster. By default, the agent tries to discover the ranges by examining the command line arguments of the kube-apiserver and kube-controller-manager processes.
If it cannot auto-discover the cluster subnets, the “cluster subnet is incomplete” error message is displayed in the UI:
Resolution:
Preferred: Use the Configuration panel to add the CIDR entries.
In rare cases, you may need to configure the agent to look for the CIDR ranges in processes other than the default kube-apiserver and kube-controller-manager processes. In that case, append the following to the agent configmap (each entry is a process name prefix to match):
network_topology:
  pod_prefix_for_cidr_retrieval: [<PROCESS_NAME>, <PROCESS_NAME>]
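As an added illustration (not Sysdig's agent code), the following Python shows the two steps this page describes: pulling cluster and service CIDRs from the command line arguments of control-plane processes whose names match a configurable prefix list, and then classifying an unresolved IP as internal, external, or unknown when no subnet information was found. The command lines and addresses are constructed samples; the flag names --cluster-cidr and --service-cluster-ip-range are the real Kubernetes flags that carry those ranges.

```python
import ipaddress
import shlex

# Constructed sample process command lines (not captured from a real cluster).
SAMPLE_CMDLINES = [
    "kube-apiserver --advertise-address=10.0.0.10 "
    "--service-cluster-ip-range=10.96.0.0/12 --etcd-servers=https://127.0.0.1:2379",
    "kube-controller-manager --cluster-cidr=10.244.0.0/16 "
    "--service-cluster-ip-range=10.96.0.0/12 --allocate-node-cidrs=true",
]

# Control-plane flags that carry the pod and service subnets.
CIDR_FLAGS = ("--cluster-cidr", "--service-cluster-ip-range")


def discover_cluster_cidrs(cmdlines, process_prefixes=("kube-apiserver", "kube-controller-manager")):
    """Collect CIDR ranges from the arguments of processes whose name matches a prefix.

    process_prefixes plays the role of pod_prefix_for_cidr_retrieval on this page.
    """
    cidrs = set()
    for cmdline in cmdlines:
        args = shlex.split(cmdline)
        if not args or not any(args[0].startswith(p) for p in process_prefixes):
            continue
        for i, arg in enumerate(args):
            for flag in CIDR_FLAGS:
                if arg.startswith(flag + "="):
                    value = arg.split("=", 1)[1]
                elif arg == flag and i + 1 < len(args):
                    value = args[i + 1]
                else:
                    continue
                # Dual-stack clusters pass a comma-separated list of ranges.
                for cidr in value.split(","):
                    cidrs.add(ipaddress.ip_network(cidr.strip(), strict=False))
    return cidrs


def classify_ip(ip, cluster_cidrs):
    """Return 'internal', 'external', or 'unknown' (no subnet information)."""
    if not cluster_cidrs:
        return "unknown"  # matches the page's "subnet information incomplete" case
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in cluster_cidrs):
        return "internal"
    return "external"
```

If discovery returns an empty set, every unresolved IP stays "unknown", which is the situation the "cluster subnet is incomplete" message reports and that manually entering the CIDRs resolves.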