How to view proxy logs in a multi-network OpenShift cluster
Overview
UKCloud for Red Hat OpenShift enables you to develop, deploy, and manage digital and container-based applications seamlessly across local physical or virtual environments, with full portability to and from UKCloud.
This article explains how you can view the connection logs generated by the squid proxy in your OpenShift cluster to identify potential connection issues, such as attempting to access endpoints that aren't on the allow-list.
Prerequisites
Your OpenShift cluster must have access to multiple networks, be version 3.11, and must have proxy logging enabled. Any OpenShift clusters deployed from November 2019 will have proxy logging enabled.
Viewing logs
In multi-network 3.11 clusters, we run a proxy service on the control plane load balancers to access Red Hat's container registry, registry.redhat.io, during the deployment and scaling process. The proxy also allows you to enable controlled access to internet endpoints from all nodes, provided you pass the correct variables to your pods and have added the endpoint to your allow-list. You may inadvertently be traversing the proxy when you do not want to, or attempting to reach endpoints that are not on the allow-list, either of which results in 403 forbidden messages in the logs. The proxy logs contain information about these denials.
As a customer, while you don't have direct access to the proxy logs, we send them through to a set of fluentd pods in a project called proxy-showback. These logs are then forwarded on to the cluster's aggregated logging and you can view them in the Kibana dashboard in the openshift-logging project, usually available on kibana.<cluster_domain_suffix>.
Set a filter of kubernetes_namespace_name: "proxy-showback" to show only the logs from the pods receiving the proxy logs, and display only the message field. You can then query the message field for the particular IP address or endpoint you're looking for. From here you can see if it's being denied and update the allow-list as needed.
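To triage many denials at once, the following added example (not UKCloud's own tooling) counts denied destinations per client from message values exported from Kibana. It assumes the message field carries squid's default native access.log format, which this article does not confirm; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed layout of each message (squid native access.log):
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+"
)

# Constructed sample messages, as they might be exported from Kibana.
SAMPLE = [
    "1574418000.123     12 10.2.1.15 TCP_DENIED/403 3921 CONNECT api.example.org:443 - HIER_NONE/- text/html",
    "1574418001.456    230 10.2.1.15 TCP_TUNNEL/200 5120 CONNECT registry.redhat.io:443 - HIER_DIRECT/203.0.113.10 -",
    "1574418002.789      8 10.2.1.22 TCP_DENIED/403 3890 GET http://mirror.example.net/repo/index.json - HIER_NONE/- text/html",
    "1574418003.012     10 10.2.1.15 TCP_DENIED/403 3921 CONNECT api.example.org:443 - HIER_NONE/- text/html",
    "fluentd: connection established",
]

def destination(method, url):
    """Return the host the client tried to reach."""
    if method == "CONNECT":  # HTTPS tunnels are logged as host:port
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def denied_destinations(messages):
    """Count (client, destination) pairs the proxy refused with a 403."""
    denied = Counter()
    for msg in messages:
        m = LINE.match(msg.strip())
        if not m:
            continue  # not an access-log line; skip it
        if m["status"] == "403" and m["result"].endswith("DENIED"):
            denied[(m["client"], destination(m["method"], m["url"]))] += 1
    return denied

if __name__ == "__main__":
    for (client, host), count in denied_destinations(SAMPLE).most_common():
        print(f"{count:4d}  {client:15s}  {host}")
```

Each destination in the output is either a candidate for the allow-list or traffic that should not be going through the proxy at all.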
Further reading
https://docs.ukcloud.com/articles/openshift/oshift-how-add-domains-proxy-allow-list.html
https://docs.ukcloud.com/articles/openshift/oshift-ref-no-proxy.html
https://docs.openshift.com/container-platform/3.11/install_config/http_proxies.html
Next steps
For more information about the UKCloud for Red Hat OpenShift service, see: