Traffic & Pod Targeting
Traffic & Pod Targeting provides the means to concentrate exclusively on critical traffic while effectively managing CPU and memory usage.
Pod Targeting
Pod Targeting enables the targeting of specific pods using pod regex (regular expression) and a list of namespaces. It monitors Kubernetes events to track pods that match these criteria across nodes and replicas, tapping into their traffic from launch until termination.
Explicit BPF Expression (Traffic Targeting)
Another way to target specific traffic is by using an explicit BPF expression written in BPF syntax. This BPF expression will be used to target traffic, and any Pod Targeting rules will be ignored. Examples of BPF expressions include: net 10.10.0.0/16 or host 12.13.14.15
.
Setting an explicit BPF expression that overrides other rules is available only when AF_PACKET is used as a packet capture library. Read here to learn how to explicitly set AF_PACKET as the packet capture library.
Dynamically Changing The Traffic Targeting Rules
You can dynamically set the Pod Targeting properties and the BPF expression from the dashboard. To operate the Pod Targeting dialog window, press the kube
button located to the right of the Pod Targeting section.
In the dialog window, you can set the namespaces and the pod regex:
The following video demonstrates the behavior:
Processing Traffic Consumes CPU and Memory
Kubeshark’s resource consumption is directly related to the amount of traffic it processes. This becomes a significant issue in busy clusters. Limiting CPU and memory consumption doesn’t guarantee efficient operation if the allocated resources are insufficient for the traffic volume that Kubeshark needs to handle.
Moreover, the dynamic and distributed architecture of Kubernetes can lead to challenges in tracking and tapping targeted pods, as pods may start and stop, have replicas, and move across nodes.
These Grafana panels show the implications on CPU and memory consumption:
Starting with Default Traffic Targeting Rules
Default rules can be set in the configuration (e.g., values.yaml). For instance, the following configuration directs Kubeshark to process only traffic associated with pods matching the regex catal.*
in the ks-load
or sock-shop
namespaces:
tap:
regex: catal.*
namespaces:
- ks-load
- sock-shop
Setting a BPF expression will override any existing Pod Targeting rules.
tap:
regex: catal.*
namespaces:
- ks-load
- sock-shop
bpfOverride: net 10.10.0.0/16
KFL vs. Traffic Targeting (Display vs. Capture Filters)
KFL should not be confused with Traffic Targeting as they serve different purposes. KFL statements only affect the data presented in the Dashboard, whereas Traffic Targeting determines which pods are targeted and, consequently, which traffic is tapped.
For those familiar with Wireshark, KFL can be likened to Wireshark’s Display Filters, and Traffic Targeting to Wireshark’s BPF (Berkeley Packet Filter) filters.