Cloud TAP

This chapter describes the Supervisor section specific to the Cloud TAP module, accessed via the Cloud TAP menu item. Kubernetes clusters can be managed further in the sections described in Traffic Management and Event Monitoring.


Communication between Supervisor and K8s clusters

The Registered Clusters tab of the Cloud TAP page provides an overview of the K8s clusters managed by the Supervisor, general information about them, and their status.

Each cluster can be assigned to a Network. Networks can be used to isolate devices and K8s clusters in logical networks in the Traffic Management page, with each Network operating with its own set of traffic rules.

Clicking on a cluster provides additional information about this cluster, and the ability to create pod groups and tunnel destinations prior to Traffic Management.

Clicking on a network navigates to this network, listing the devices it contains. Clicking the Home button navigates back to the root.

From this dashboard, clusters and networks can be added, modified, or removed.

To add a new cluster, click the Add Virtual Environment button in the top right corner of the interface, and enter the cluster's information in the Add Virtual Environment window. Select a network in this window to add the device to this network. The cluster's information can be changed at a later time by clicking the cluster's Edit button.

To create a network, click the Add Network button, and enter the network name in the Add Virtual Network window. The network's name can be changed at a later time by clicking the network's Edit button.

Adding a Virtual Environment


Add Virtual Environment window

  • Name: A name for the virtual environment.
  • Server Address: The IP address or server name of the Kubernetes API server. The L4 port can be specified if required by the server configuration.
  • Service Account: The service account under which the token was created. This service account must be within the profitap namespace.
  • Access Token: This token will be used to access the Kubernetes master node. Please refer to the following article for creating the token: Creating token for Supervisor access.
  • Worker Nodes API Port: The port number on the worker node(s) that the tapping pod will listen on.
  • Assigned Network: The virtual network that the virtual environment will be assigned to.
  • Ingress Control: Set this option if an ingress controller is deployed on the Kubernetes cluster.
    • Disabled: No ingress controller.
    • Default: Default ingress class configured on the cluster.
    • Custom: Specific ingress class associated with the chosen ingress controller.
  • Load-Balancer Address: The IP address or server name of the load balancer service. The L4 port can be specified if necessary.
  • Ingress Class: Name of the ingress class (e.g. nginx).

The default ingress class can be viewed using the following command (if configured):

kubectl get ingressclass -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.ingressclass\.kubernetes\.io/is-default-class}{"\n"}{end}'
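For the Service Account and Access Token fields above, the following added example (not Profitap code) decodes the claims of a Kubernetes service account token locally, before it is pasted into the form, to confirm that it belongs to the profitap namespace and to show its expiry. The service account name `supervisor` and the sample token are constructed for illustration.

```python
import base64
import json
import time

REQUIRED_NAMESPACE = "profitap"  # the page requires the service account to live here


def encode_segment(obj):
    """base64url-encode a dict the way a JWT segment is encoded (no padding)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(sub, exp=None):
    """Build a constructed, unsigned sample token; a real one comes from the cluster."""
    claims = {"iss": "constructed-sample", "sub": sub}
    if exp is not None:
        claims["exp"] = exp
    return ".".join([encode_segment({"alg": "RS256", "typ": "JWT"}),
                     encode_segment(claims), "sample"])


def inspect_token(token, service_account, now=None):
    """Decode the claims of a service account token and compare them to the form.

    The signature is not verified (the API server does that); this only shows
    which identity and lifetime the token carries.
    """
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    expected = f"system:serviceaccount:{REQUIRED_NAMESPACE}:{service_account}"
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "subject_ok": claims.get("sub") == expected,
        "expires": exp,  # None means the token carries no expiry claim
        "expired": exp is not None and exp <= now,
    }


if __name__ == "__main__":
    token = make_sample_token("system:serviceaccount:profitap:supervisor", 2_000_000_000)
    print(inspect_token(token, "supervisor", now=1_800_000_000))
```

Run it on the workstation where the token was created, so the token is not copied anywhere else.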

Pod Groups are groups of Kubernetes pods monitored by Cloud TAP and used as a source of traffic to be sent to analysis tools. Two types of pod groups can be created: Static and Dynamic. Static Pod Groups contain specific pods that were manually selected. Dynamic Pod Groups contain any pods matching a name filter, and are automatically updated to include new pods whose names match that filter.

To create a pod group, navigate to the Cloud TAP > Registered Clusters page, click a cluster to open its details window, and click the Create Static Pod Group or Create Dynamic Pod Group button:

  • For Static Pod Groups, set a name, select which traffic direction to monitor (ingress, egress, or both), and select the pods to include in the group.
  • For Dynamic Pod Groups, set a name, select which traffic direction to monitor (ingress, egress, or both), and set a Match Filter to match the name of the pods to automatically include in the group.


Create Static Pod Group window


Create Dynamic Pod Group window

Tunnel Destinations define where the monitored traffic from the configured pod groups will be sent, encapsulated in a GRE-TAP, VXLAN, or ERSPAN tunnel. This can be, for instance, an X2-Series device on which a Tunnel Termination port group was created, from where it can then be forwarded to analysis tools via Traffic Rules.

Tunnel destination creation process:

  1. Navigate to the Cloud TAP > Registered Clusters page.
  2. Click a cluster to open its details window.
  3. Click the Create Destination button.
  4. Set a name.
  5. Set a destination IPv4 address.
  6. Select the tunnel type (GRE-TAP/VXLAN/ERSPAN).
  7. (For GRE-TAP) Set a GRE key.
  8. (For VXLAN) Set a VNI, source UDP port, and destination UDP port.
  9. (For ERSPAN) Set an ERSPAN session ID and ERSPAN index.
  10. (Optional) Enable Force MTU Size and set the desired MTU.
  11. Click the Confirm button.
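The parameters entered in steps 5 to 10 can be checked before they are typed into the form. The following added example (not part of the Supervisor software) validates a tunnel destination against the field widths of the tunnel protocols and computes the largest mirrored IP packet that fits in one tunnel packet for a given MTU. The dictionary keys and sample values are constructed, and ERSPAN Type II with an outer IPv4 header without options is assumed.

```python
import ipaddress

# Field widths come from the tunnel protocols themselves, not from Supervisor:
# GRE key 32 bits (RFC 2890), VXLAN VNI 24 bits (RFC 7348),
# ERSPAN Type II session ID 10 bits and index 20 bits.
FIELD_BITS = {
    "GRE-TAP": {"gre_key": 32},
    "VXLAN": {"vni": 24, "src_port": 16, "dst_port": 16},
    "ERSPAN": {"session_id": 10, "index": 20},
}
# Bytes placed in front of each mirrored Ethernet frame.
OVERHEAD = {
    "GRE-TAP": 20 + 4 + 4,  # IPv4 + GRE base header + key
    "VXLAN": 20 + 8 + 8,    # IPv4 + UDP + VXLAN
    "ERSPAN": 20 + 8 + 8,   # IPv4 + GRE with sequence number + ERSPAN Type II
}
INNER_ETHERNET = 14  # the mirrored frame keeps its own (untagged) Ethernet header


def validate_destination(dest):
    """Return a list of problems with a tunnel destination dict (empty = valid)."""
    problems = []
    try:
        ipaddress.IPv4Address(dest.get("address", ""))
    except ValueError:
        problems.append("address is not a valid IPv4 address")
    fields = FIELD_BITS.get(dest.get("type"))
    if fields is None:
        return problems + ["type must be GRE-TAP, VXLAN or ERSPAN"]
    for name, bits in fields.items():
        value = dest.get(name)
        low = 1 if name.endswith("_port") else 0  # port 0 is not usable
        if not isinstance(value, int) or not low <= value < 2 ** bits:
            problems.append(f"{name} must be an integer in {low}..{2 ** bits - 1}")
    return problems


def largest_inner_packet(tunnel_type, mtu):
    """Largest mirrored IP packet that fits in one outer packet of size `mtu`."""
    return mtu - OVERHEAD[tunnel_type] - INNER_ETHERNET


if __name__ == "__main__":
    # Constructed sample destination (192.0.2.0/24 is a documentation range).
    sample = {"type": "VXLAN", "address": "192.0.2.10", "vni": 5000,
              "src_port": 49152, "dst_port": 4789}
    print(validate_destination(sample), largest_inner_packet("VXLAN", 1500))
```

Mirrored packets larger than the computed size have to be fragmented or truncated on the way to the destination, which is worth knowing before choosing a value for Force MTU Size.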


Creating a GRE-TAP tunnel destination on a K8s cluster


Creating a VXLAN tunnel destination on a K8s cluster


Creating an ERSPAN tunnel destination on a K8s cluster

You can then create Traffic Rules to send traffic from specific pod groups to the tunnel destination configured above.

To link a K8s cluster to an X2-Series device, create a Tunnel Termination port group on that device with the same IPv4 address as the one specified above, then create an uplink between this port group and the tunnel destination configured above. You can then create Traffic Rules to send traffic from specific pod groups to any destination linked through the X2-Series device.


Creating an uplink between a K8s tunnel destination and a Tunnel Termination port group on an X2-Series device


Confirming the uplink creation displays the uplink in the list of packet broker uplinks and removes the port group used from the list of unassigned port groups

The Cluster Topology tab of the Cloud TAP page gives a view of the topology of registered clusters. Select the cluster to view by selecting it in the Selected Environment drop-down menu in the top left corner.

  • Last modified: October 29, 2025