Estimated time: 20 min
We deployed security alerts in the first module. While we were implementing the use cases, some of them triggered those alerts, and now we can explore them.
Review alerts manifests.
Navigate to the demo/50-alerts path and review the YAML manifests that represent the alert definitions. Each file contains an alert template and an alert definition. Alert templates can be used to quickly create an alert definition in the UI.
View triggered alerts.
Navigate to the Alerts view to see all triggered alerts in the cluster. Review the generated alerts.
You can also review the alerts configuration and templates by navigating to alerts configuration in the top right corner.
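The manifests in demo/50-alerts are not reproduced here; the following is an added example, not one of the page's files, showing the template/definition pair the text describes. It assumes the Calico Enterprise GlobalAlertTemplate and GlobalAlert kinds, and the flow-log field names (source_type, dest_namespace, dest_name_aggr) are used as documented for the flows data set. The alert fires when any flow from outside the cluster reaches a pod in the dev namespace within the lookback window; the dev namespace is taken from this page, the threshold and period are chosen for illustration.

```yaml
# Added example (not from the page): an alert template plus the alert
# definition created from it. Both share the same spec; the template only
# exists so the alert can be created from the UI with one click.
apiVersion: projectcalico.org/v3
kind: GlobalAlertTemplate
metadata:
  name: external-to-dev.template      # assumed name
spec:
  description: "Flows from outside the cluster into the dev namespace"
  summary: "[flows] external ${source_name_aggr} reached ${dest_namespace}/${dest_name_aggr}"
  severity: 80
  period: 5m          # how often the query is evaluated
  lookback: 10m       # window of flow logs examined on each run
  dataSet: flows
  query: source_type = "net" AND dest_namespace = "dev"
  aggregateBy: [dest_namespace, dest_name_aggr]
  metric: count
  condition: gt
  threshold: 0        # any matching flow is enough to raise the alert
---
apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
  name: external-to-dev                # assumed name
spec:
  description: "Flows from outside the cluster into the dev namespace"
  summary: "[flows] external ${source_name_aggr} reached ${dest_namespace}/${dest_name_aggr}"
  severity: 80
  period: 5m
  lookback: 10m
  dataSet: flows
  query: source_type = "net" AND dest_namespace = "dev"
  aggregateBy: [dest_namespace, dest_name_aggr]
  metric: count
  condition: gt
  threshold: 0
```

Apply it with kubectl apply -f and the alert appears in the Alerts view once a matching flow is logged; the aggregateBy list controls how many alert records you get per evaluation (one per destination pod group here), which is what keeps a noisy source from flooding the view.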
Refer to packet capture documentation for more details about this capability.
Configure packet capture.
Navigate to the demo/60-packet-capture path and review the YAML manifests that represent the packet capture definition. Each packet capture is configured by deploying a PacketCapture resource that targets endpoints using
Deploy packet capture definition to capture packets for
kubectl apply -f demo/60-packet-capture/nginx-pcap.yaml
Once the PacketCapture resource is deployed, Calico starts capturing packets for all endpoints configured in the
Stop packet capture by removing the
kubectl delete -f demo/60-packet-capture/nginx-pcap.yaml
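As an added example (not the content of nginx-pcap.yaml from the page), this is the shape of a PacketCapture resource for the steps above. The name dev-capture-nginx and the dev namespace are taken from the calicoctl command later on this page; the label selector app == "nginx" and the TCP/80 filter are assumptions about how the nginx pods are labelled and what traffic is of interest.

```yaml
# Added example: a namespaced PacketCapture. Calico captures on every
# endpoint in this namespace matched by the selector, on the host where
# that pod runs, and writes *.pcap files there until the resource is deleted.
apiVersion: projectcalico.org/v3
kind: PacketCapture
metadata:
  name: dev-capture-nginx
  namespace: dev
spec:
  selector: app == "nginx"   # assumed label on the nginx pods
  filters:                   # optional; without filters all traffic is captured
    - protocol: TCP
      ports: [80]
```

Keeping a filter in place matters operationally: an unfiltered capture on a busy endpoint fills host disk quickly and the pcap will contain whatever plaintext the workload exchanges, so scope the selector narrowly and delete the resource as soon as the capture is retrieved.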
The easiest way to retrieve captured
*.pcap files is to use calicoctl CLI.
# download and configure calicoctl
curl -o calicoctl -O -L https://docs.tigera.io/download/binaries/v3.7.0/calicoctl
chmod +x calicoctl
sudo mv calicoctl /usr/local/bin/
calicoctl version
Fetch and review captured payload.
*.pcap files are stored on the hosts where the pods are running at the time the
PacketCapture resource is active.
Fetch the *.pcap files and review the content.
# get pcap files
calicoctl captured-packets copy dev-capture-nginx --namespace dev
ls dev-nginx*
# view *.pcap content
tcpdump -Ar $(ls dev-* | head -1)
tcpdump -Xr $(ls dev-* | head -1)