How to view proxy logs in a multi-network OpenShift cluster
UKCloud for Red Hat OpenShift enables you to develop, deploy, and manage digital and container-based applications seamlessly across local physical or virtual environments, with full portability to and from UKCloud.
This article explains how you can view the connection logs generated by the squid proxy in your OpenShift cluster to identify potential connection issues, such as attempting to access endpoints that aren't on the allow-list.
Your OpenShift cluster must have access to multiple networks, be version 3.11, and must have proxy logging enabled. Any OpenShift clusters deployed from November 2019 will have proxy logging enabled.
In multi-network 3.11 clusters, we run a proxy service on the control plane load balancers to access Red Hat's container registry, registry.redhat.io, during the deployment and scaling process. The proxy also allows you to enable controlled access to internet endpoints from all nodes, provided you pass the correct variables to your pods and have added the endpoint to your allow-list. You may inadvertently be traversing the proxy when you do not want to, or attempting to reach endpoints that are not on the allow-list, which will cause 403 Forbidden messages in the logs. The proxy logs contain information about these denials.
As a customer, while you don't have direct access to the proxy logs, we send them through to a set of fluentd pods in a project called proxy-showback. These logs are then forwarded on to the cluster's aggregated logging and you can view them in the Kibana dashboard in the openshift-logging project, usually available on kibana.<cluster_domain_suffix>.
Set a filter of kubernetes_namespace_name: "proxy-showback" to show only the logs from the pods receiving the proxy logs, and display only the message field. You can then query the message field for the particular IP/endpoint you're looking for. From here you can see if it's being denied and update the allow-list as needed.
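When there are many results, the same check can be run offline over message values exported from Kibana. The following Python script is an added example, not UKCloud's own tooling; it assumes the message field carries squid's native access.log layout (this article does not state the format), and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed layout (squid native access.log):
# time elapsed client result/status bytes method url user hierarchy/peer type
# search() is used rather than match() so a prefix added in transit is tolerated.
LINE_RE = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def destination(method, url):
    """Return host:port; CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        return url.lower()
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{(parts.hostname or url).lower()}:{port}"

def denied_destinations(messages):
    """Count (client, destination) pairs the proxy answered with 403."""
    denied = Counter()
    for msg in messages:
        m = LINE_RE.search(msg)
        if not m:
            continue  # not an access-log line
        if m["status"] == "403":
            denied[(m["client"], destination(m["method"], m["url"]))] += 1
    return denied

# Constructed sample messages, not taken from a real cluster.
SAMPLE = [
    "1574160001.123     45 10.2.1.15 TCP_TUNNEL/200 5120 CONNECT registry.redhat.io:443 - HIER_DIRECT/203.0.113.10 -",
    "1574160002.456      0 10.2.1.22 TCP_DENIED/403 3950 CONNECT api.example.com:443 - HIER_NONE/- text/html",
    "1574160003.789      0 10.2.1.22 TCP_DENIED/403 3950 CONNECT api.example.com:443 - HIER_NONE/- text/html",
    "1574160004.012      1 10.2.1.30 TCP_DENIED/403 4010 GET http://mirror.example.org/repo/index.html - HIER_NONE/- text/html",
    "proxy service started",
]

if __name__ == "__main__":
    # Most frequently denied pairs first: candidates to review for the allow-list.
    for (client, dest), count in denied_destinations(SAMPLE).most_common():
        print(f"{count:3d}  {client:15s} {dest}")
```

Each output row is a node or pod address and the endpoint it was refused, which is the information needed to decide whether the endpoint belongs on the allow-list or the workload should not be using the proxy at all.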
For more information about the UKCloud for Red Hat OpenShift service, see: