Increase visibility of kubernetes network status
Open, MediumPublic
Actions

Assigned To

Authored By

	Raine
	Feb 7 2024, 2:59 PM

Description

Context: Follow-up of incident from 2024-02-07 (newly added kubernetes nodes missing BGP configuration).

We do not have good visibility into the network of kubernetes clusters.

We already collect some metrics from Calico components, we should make them more visible by adding key metrics to dashboards and possibly alerts
We do not have any metrics related to BGP sessions. These are not available in calico "open core", so we probably want to run bird-exporter.
- Specific for situations like that incident: nodes pooled in pybal vs BGP status would be useful to have

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	kubernetes-generic: Add alerts for BGP failure scenarios.	operations/alerts	master	+100 -0
	kubernetes-generic: Add alerts for BGP failure scenarios.	operations/alerts	master	+32 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	Blake	T356877 Increase visibility of kubernetes network status
Open	Blake	T423851 Collect calico BGP metrics
Open	Blake	T423852 Add calico network alerting

Event Timeline

Raine created this task.Feb 7 2024, 2:59 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 7 2024, 2:59 PM

Raine updated the task description. (Show Details)Feb 7 2024, 3:00 PM

CDanis subscribed.Feb 7 2024, 3:07 PM

Raine updated the task description. (Show Details)Feb 7 2024, 3:09 PM

please let us know if we can assist :-)

akosiaris subscribed.Feb 7 2024, 3:30 PM

JMeybohm subscribed.Feb 7 2024, 4:05 PM

jijiki changed the task status from Open to Stalled.Apr 2 2025, 11:46 AM

jijiki moved this task from Incoming 🐫 to ⎈Kubernetes on the serviceops-deprecated board.

We had some issues that could have been surfaced by this while populating racks that use new nokia switches (T417817) and netops invested in making the relevant information more accessible in T387287: Prometheus: attach host's BGP/interface remote side metrics, dashboard at: https://grafana.wikimedia.org/goto/afhobcaujherkc?orgId=1.

Not sure why this was stalled in the first place, but I think we should:

Add alerts if BGP sessions are not established (gnmi_bgp_neighbor_session_state{peer_descr=~"wikikube.*"}) != 6?)
Add alerts if routes from k8s workers are rejected from switches (sum by (peer_descr) (gnmi_bgp_neighbor_prefixes_received_pre_policy{peer_descr=~"wikikube.*"} - gnmi_bgp_neighbor_prefixes_received{peer_descr=~"wikikube.*"}) > 0?)
Add the information from the BGP dashboard to the Kubernetes nodes dashboard for increased visibility.

Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptMar 31 2026, 12:04 PM

JMeybohm added a project: ServiceOps-good-first-task.Mar 31 2026, 3:40 PM

JMeybohm moved this task from Inbox to Scheduled (this Q) on the ServiceOps new board.Mar 31 2026, 4:06 PM

JMeybohm moved this task from Scheduled (this Q) to Needs Info / Blocked on the ServiceOps new board.Apr 1 2026, 10:35 AM

JMeybohm added a project: Sustainability (Incident Followup).

MLechvien-WMF assigned this task to Blake.Apr 9 2026, 4:25 PM

MLechvien-WMF moved this task from Needs Info / Blocked to In Progress on the ServiceOps new board.

Change #1269983 had a related patch set uploaded (by Blake; author: Blake):

[operations/alerts@master] kubernetes-generic: Add alerts for BGP failure scenarios.

https://gerrit.wikimedia.org/r/1269983

gerritbot added a project: Patch-For-Review.Fri, Apr 10, 9:39 AM

Change #1269994 had a related patch set uploaded (by Blake; author: Blake):

[operations/alerts@master] kubernetes-generic: Add alerts for BGP failure scenarios.

https://gerrit.wikimedia.org/r/1269994

Change #1269983 abandoned by Blake:

[operations/alerts@master] kubernetes-generic: Add alerts for BGP failure scenarios.

https://gerrit.wikimedia.org/r/1269983

Broadly the patch submitted looked good to me, though I see it was abandoned.

As per the comment I left on it we also need to alert when the session does not establish because the router/switch has not been configured for it. We could possibly detect that because there are no switch-exposed metrics for the given host. If we can't negatively alert on the series being missing we'd need to export the stats from Calico on the hosts instead. Unfortunately it doesn't do that as is, we'd need to instrument it ourselves but I think it's not too hard.

cmooney@wikikube-worker1273:~$ sudo calicoctl node status | awk '/node specific/{print "calico_bgp_peer_status=peer="$2", status="$11}'
calico_bgp_peer_status=peer=10.64.177.1, status=Established
calico_bgp_peer_status=peer=2620:0:861:137::1, status=Established

Ah, thanks Cathal! The original patch was abandoned because I was struggling with git, the new patch is now https://gerrit.wikimedia.org/r/c/operations/alerts/+/1269994. I'll update it in accordance with the comment on the previous patch.

In T356877#11808865, @cmooney wrote:
Broadly the patch submitted looked good to me, though I see it was abandoned.

As per the comment I left on it we also need to alert when the session does not establish because the router/switch has not been configured for it. We could possibly detect that because there are no switch-exposed metrics for the given host. If we can't negatively alert on the series being missing we'd need to export the stats from Calico on the hosts instead. Unfortunately it doesn't do that as is, we'd need to instrument it ourselves but I think it's not too hard.
cmooney@wikikube-worker1273:~$ sudo calicoctl node status | awk '/node specific/{print "calico_bgp_peer_status=peer="$2", status="$11}'
calico_bgp_peer_status=peer=10.64.177.1, status=Established
calico_bgp_peer_status=peer=2620:0:861:137::1, status=Established

We can also run the prometheus bird exporter as a sidecar to calico-node (container image needs to be build and some yaml needs to be edited) which should give us more standardized metrics. We could add that as a stretch goal for this task.

In T356877#11814024, @JMeybohm wrote:

We can also run the prometheus bird exporter as a sidecar to calico-node (container image needs to be build and some yaml needs to be edited) which should give us more standardized metrics. We could add that as a stretch goal for this task.

Yeah that's a better way to go if it works.

I gave a quick review on the CR, but you should at least use https://wikitech.wikimedia.org/wiki/Network_telemetry#remote_instance:gnmi_bgp_neighbor_session_state%7B%7D

If you also need the count of prefixes received by the switch we should implement the same "remote_instance" thing. That way you could also compare it to what's being sent on the host's side (for example with prometheus-bird-exporter)

Regarding the count of "prefixes received by the switch but not accepted", I think as a first step it could be a global Netops alert (for our internal peers).
However if it gets triggered more often by server side issues, we should move it to the same "remote_instance" mechanism.

Regarding the count of "prefixes received by the switch but not accepted", I think as a first step it could be a global Netops alert (for our internal peers).
However if it gets triggered more often by server side issues, we should move it to the same "remote_instance" mechanism.

I've open T423384: Investigate internal rejected prefixes for that.

Change #1269994 merged by jenkins-bot:

[operations/alerts@master] kubernetes-generic: Add alerts for BGP failure scenarios.

https://gerrit.wikimedia.org/r/1269994

Blake created subtask T423851: Collect calico BGP metrics.Mon, Apr 20, 9:33 AM

Maintenance_bot removed a project: Patch-For-Review.Mon, Apr 20, 9:33 AM

Blake mentioned this in T423852: Add calico network alerting.Mon, Apr 20, 9:34 AM

ayounsi mentioned this in T419992: Alert if calico BGP sessions are not established on any kubernetes worker.Mon, May 4, 2:30 PM