Maintaining network security and performance depends on monitoring the network events triggered by Open Virtual Network (OVN), including network policies, admin network policies, and egress firewalls. You can do this with the Network Observability eBPF agent, which runs in the Linux kernel and traces network activity with minimal performance overhead, letting you observe and capture detailed information about network traffic and events in real time.

Key components

The following are key components for Network Observability with eBPF:

eBPF network events monitoring kprobe eBPF hook: Network events monitoring using eBPF kernel probes (kprobes) provides deep, kernel-level insights into network stack behavior. The NetObserv eBPF agent leverages the entry point to efficiently capture packet metadata and identify policy violations with minimal overhead. The hook implemented in the NetObserv eBPF agent can capture multiple events within the same network flow and generate a list of network events that applied to that flow, with a limit of up to four events per flow.

ovn-kubernetes observability library: The eBPF agent captures network events as an array of bytes, which is not very user-friendly. This library provides functionality to convert these events into human-readable strings, making them easily understandable for customers.
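The two components above, sketched as an added example that is not code from the NetObserv agent or the ovn-kubernetes library: a per-flow event list capped at four entries and a decoder that turns raw event bytes into readable strings. The 8-byte record layout, the field values, the handling of repeated and overflowing events, and all names are assumptions made for illustration.

```python
# Added illustration; the record layout and every name here are hypothetical.
import struct
from collections import defaultdict

MAX_EVENTS_PER_FLOW = 4      # limit stated on the page
EVENT_FMT = "!BBBxI"         # assumed layout: action, direction, kind, pad, policy id
EVENT_SIZE = struct.calcsize(EVENT_FMT)
ACTIONS = {0: "allow", 1: "drop"}
DIRECTIONS = {0: "ingress", 1: "egress"}
KINDS = {0: "NetworkPolicy", 1: "AdminNetworkPolicy", 2: "EgressFirewall"}

def decode_event(raw: bytes) -> str:
    """Turn one raw event record into a readable string; reject malformed input."""
    if len(raw) != EVENT_SIZE:
        raise ValueError(f"expected {EVENT_SIZE} bytes, got {len(raw)}")
    action, direction, kind, policy_id = struct.unpack(EVENT_FMT, raw)
    try:
        return f"{ACTIONS[action]} {DIRECTIONS[direction]} by {KINDS[kind]} id={policy_id}"
    except KeyError as exc:
        raise ValueError(f"unknown field value {exc.args[0]}") from None

class FlowEvents:
    """Per-flow lists of raw events, capped at MAX_EVENTS_PER_FLOW."""
    def __init__(self):
        self.events = defaultdict(list)
        self.overflow = defaultdict(int)   # events that arrived after the list was full

    def record(self, flow, raw: bytes) -> bool:
        bucket = self.events[flow]
        if raw in bucket:                  # assumption: a repeated event is stored once
            return False
        if len(bucket) >= MAX_EVENTS_PER_FLOW:
            self.overflow[flow] += 1       # assumption: extra events are not stored
            return False
        bucket.append(raw)
        return True

    def describe(self, flow):
        return [decode_event(raw) for raw in self.events[flow]]

def sample_run():
    """Constructed input: six events on one flow, one of them a repeat."""
    flow = ("10.128.0.5", "10.128.2.9", 6, 41000, 8080)
    fields = [(0, 1, 0, 11), (1, 0, 0, 12), (1, 0, 0, 12),
              (1, 0, 1, 3), (0, 1, 2, 7), (1, 1, 2, 8)]
    table = FlowEvents()
    for f in fields:
        table.record(flow, struct.pack(EVENT_FMT, *f))
    return table.describe(flow), table.overflow[flow]
```

The overflow counter shows the practical consequence of the cap: once a flow reaches the four-event limit, its event list may no longer be a complete record of what applied to that flow.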

Use cases for Network Observability with eBPF

Below are specific use cases for Network Observability with eBPF.

Monitor network policies

When you apply OVN network policies (such as Kubernetes NetworkPolicy), the eBPF agent can monitor the affected traffic and detect whether packets are allowed or blocked by those policies.

An example of these network policies is as follows: