Theia is a network observability and analytics platform for Kubernetes, built on top of Antrea. Theia consumes network flows exported by Antrea to provide fine-grained visibility into the communication and NetworkPolicies among Pods and Services in a Kubernetes cluster.
Theia supports network flow visualization and monitoring with Grafana, and can recommend appropriate NetworkPolicy configuration to secure Kubernetes network and applications. This guide describes how to install and get started with Theia.
Theia requires that Antrea v1.7.0 or later is installed in the Kubernetes cluster.
Please ensure the Flow Exporter feature of Antrea Agent is enabled in the
Antrea deployment manifest. You need to set both featureGates.FlowExport
flag and flowExporter.enable flag to true.
The antrea-agent ConfigMap should look like this:
antrea-agent.conf: |
...
featureGates:
...
FlowExporter: true
flowExporter:
...
enable: trueYou can also deploy Antrea through Helm by running the following commands.
helm repo add antrea https://charts.antrea.io
helm install antrea antrea/antrea -n kube-system --set featureGates.FlowExporter=true --set flowExporter.enable=trueThis will install the latest available version of Antrea with the Flow Exporter
feature enabled. You can also install a specific version of Antrea (>= v1.8.0)
with --version <TAG>.
Prior to the Antrea v1.13 release, the flowExporter option group in the
Antrea Agent configuration did not exist. To enable the Flow Exporter feature,
one simply needed to enable the feature gate, and the Flow Exporter related
configuration could be configured using the (now deprecated)
flowCollectorAddr, flowPollInterval, activeFlowExportTimeout,
idleFlowExportTimeout parameters.
The antrea-agent ConfigMap should look like this:
antrea-agent.conf: |
...
featureGates:
...
FlowExporter: trueWhen deploying Antrea (v1.8 - v1.12) through Helm, you can run the following commands:
helm repo add antrea https://charts.antrea.io
helm install antrea antrea/antrea -n kube-system --set featureGates.FlowExporter=true --version <TAG>For more information about Antrea Helm chart, please refer to Antrea Helm chart installation instructions.
Please install Flow Aggregator and Theia through Helm.
For Theia v0.1, please clone the repository and checkout branch release-0.1.
Both Helm charts are located under the folder build/charts.
From Theia v0.2 and Antrea v1.8, the Flow Aggregator Helm chart is moved from Theia repository to Antrea repository; and the Helm charts are added to Antrea Helm repo. Please add the repo by running the following command:
helm repo add antrea https://charts.antrea.io
helm repo updateTo install Flow Aggregator, please run the following command:
helm install flow-aggregator antrea/flow-aggregator --set clickHouse.enable=true,recordContents.podLabels=true -n flow-aggregator --create-namespaceTo enable Grafana Flow Collector, NetworkPolicy Recommendation and Throughput Anomaly Detection, please install Theia by running the following commands:
helm install theia antrea/theia --set sparkOperator.enable=true -n flow-visibility --create-namespaceFrom Theia v0.3, Theia Command-line Tool uses Theia Manager as a layer to connect and manage other resources like ClickHouse and Spark Operator. To enable Theia Manager, please install Theia by running the following commands:
helm install theia antrea/theia --set sparkOperator.enable=true,theiaManager.enable=true -n flow-visibility --create-namespaceTo enable only Grafana Flow Collector, please install Theia by running the following commands:
helm install theia antrea/theia -n flow-visibility --create-namespaceThese will install the latest available versions of Flow Aggregator and Theia.
You can also install specific versions of Flow Aggregator (>= v1.8.0) and
Theia (>= v0.2.0) with --version <TAG>. Please ensure that you use the same
released version for the Flow Aggregator chart as for the Antrea chart.
Theia uses Grafana to visualize network flows in the Kubernetes cluster. After the installation, you can run the following commands to get the Grafana Service address:
NODE_NAME=$(kubectl get pod -l app=grafana -n flow-visibility -o jsonpath='{.items[0].spec.nodeName}')
NODE_IP=$(kubectl get nodes ${NODE_NAME} -o jsonpath='{.status.addresses[0].address}')
GRAFANA_NODEPORT=$(kubectl get svc grafana -n flow-visibility -o jsonpath='{.spec.ports[*].nodePort}')
echo "=== Grafana Service is listening on ${NODE_IP}:${GRAFANA_NODEPORT} ==="You can access Grafana in your browser at: http://[NodeIP]:[NodePort],
and log in with username: admin and password: admin. Navigate to the Theia
dashboards to view the network
flows in the cluster.
Theia facilitates multi-cluster monitoring, allowing administrators to simultaneously supervise network operations across Antrea clusters. For guidance on exposing Theia across multiple clusters and enabling secure connections, refer to the instructions in clickhouse-ingress
Please follow the instructions in the NetworkPolicy Recommendation user guide.
Please follow the instructions in the Throughput Anomaly Detection user guide.
Refer to Antrea documentation to learn more about Flow Exporter, Flow Aggregator, and their advanced configurations.
For more information about Grafana Flow Collector installation and customization, please refer to Grafana Flow Collector Deployment Steps, and Configuration.
If you are interested in using Ingress to set up ClickHouse server, please refer to ClickHouse Ingress for more information.