Integrating Kubernetes Flow Logs with Your Network Data

By: Alex Degitz

December 16, 2025

For modern Network Operations (NetOps) Teams, the definition of "the network" has expanded drastically. It used to stop at the data center firewall. Then, it extended to the public cloud with VPCs. Now, with the explosion of microservices, the network extends deep inside Kubernetes clusters.

However, for many Network Engineers, Kubernetes remains a black box. You have excellent visibility into your routers, switches, and cloud gateways via NetFlow, IPFIX, and Cloud Flow Logs. But the moment traffic enters a Kubernetes cluster, visibility often drops to zero.

This disconnect creates a fragmented view of reality. To truly secure, troubleshoot, and optimize a hybrid infrastructure, Network Teams need to capture Kubernetes network flow logs alongside their existing device and cloud logs.

Here is how Mermin, ElastiFlow’s open source Kubernetes observability solution, bridges that gap and why it matters for NetOps.

The Kubernetes Blind Spot in Network Operations

Traditional Network Performance Monitoring (NPM) tools excel at managing physical and virtual infrastructure. They tell you if a link is saturated or if a specific interface is dropping packets. However, these tools struggle with the dynamic, ephemeral nature of Kubernetes.

Inside a cluster, IP addresses change constantly. Traffic flows over overlay networks that traditional appliances can’t inspect. As a result, Network Teams often cannot identify which specific application is generating traffic.

This leads to major problems:

  • The Blame Game: When an application is slow, developers blame the network. Without visibility inside the cluster, NetOps Teams can prove the physical network is healthy, but they can't prove the cluster network is healthy.

  • Missing Attribution: When a large part of your network is a black box to the network team, attributing traffic to applications becomes impossible, which in turn makes capacity planning for network devices much harder.

  • Incomplete Security: You might secure the perimeter, but you have no visibility into unauthorized lateral movement (east-west traffic) between pods. This really impairs your microsegmentation strategy.

Mermin: The Missing Link for Complete Observability

Mermin is designed to close this observability gap. It is a lightweight, eBPF-based agent that runs directly inside your Kubernetes cluster. It captures ground-truth network data about every conversation between services without requiring any changes to application code.

By integrating Mermin with the ElastiFlow Platform, you can ingest these Kubernetes flows alongside your existing NetFlow, sFlow, and IPFIX data.

1. From IP Addresses to Services

In a standard router flow log, you see a source IP and a destination IP. In Kubernetes, those IPs might belong to a pod that exists for only five minutes. This makes historical forensic analysis nearly impossible.

Mermin solves this via Automated Kubernetes Metadata Enrichment. It correlates network flows with Kubernetes objects, identifying the specific Pod, Namespace, and Service involved.

  • Old View: 10.42.0.5 sent 5GB of data to 10.42.0.8.

  • Mermin View: The payment-service in the prod namespace sent 5GB of data to the fraud-detection service.

This context makes network data instantly useful for capacity planning and troubleshooting.
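The enrichment step above has one subtlety that the "Old View / Mermin View" pair does not show: because a pod IP is only valid for the pod's lifetime and can be reused by a completely different workload minutes later, attribution has to match the flow's timestamp against the pod that held the address at that moment, not just the address. The following is an added example, not Mermin's own code; the `PodRecord` inventory, the flow records and the timestamps are all constructed to illustrate that case (a reused IP, and an address no pod ever held).

```python
"""Attribute flow records to Kubernetes pods, namespaces and services.

Added example; not Mermin's or ElastiFlow's code. It models the
attribution problem from the text: a pod IP is valid only for the
pod's lifetime and can be reused, so a flow must be matched against
the pod that held the IP at the flow's timestamp, not merely against
the IP. The inventory and flows below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PodRecord:
    ip: str
    name: str
    namespace: str
    service: Optional[str]      # Service that selects this pod, if any
    started: datetime
    ended: Optional[datetime]   # None while the pod is still running


T0 = datetime(2025, 12, 16, 10, 0, 0)
M = timedelta(minutes=1)

# Constructed pod inventory (the kind of data a watch on the Kubernetes
# API would give you). 10.42.0.5 is released by payment-service-7c9 at
# T0+5m and reused by an unrelated batch job from T0+6m onwards.
INVENTORY = [
    PodRecord("10.42.0.5", "payment-service-7c9", "prod", "payment-service", T0, T0 + 5 * M),
    PodRecord("10.42.0.5", "nightly-report-x2k", "batch", None, T0 + 6 * M, None),
    PodRecord("10.42.0.8", "fraud-detection-a1b", "prod", "fraud-detection", T0 - 60 * M, None),
]


def pod_at(inventory, ip, ts):
    """Return the pod that held `ip` at time `ts`, or None if no pod did."""
    for pod in inventory:
        if pod.ip != ip:
            continue
        if pod.started <= ts and (pod.ended is None or ts < pod.ended):
            return pod
    return None


def label(pod):
    """Human-readable identity: the Service if one selects the pod, else the pod name."""
    return f"{pod.namespace}/{pod.service or pod.name}"


def enrich(inventory, flow):
    """Add src_/dst_ pod, namespace, service and label fields to a raw flow dict.

    Addresses no pod held at that time are marked 'unattributed' rather
    than dropped, so the visibility gap itself stays visible in the data.
    """
    out = dict(flow)
    for side in ("src", "dst"):
        pod = pod_at(inventory, flow[f"{side}_ip"], flow["ts"])
        out[f"{side}_pod"] = pod.name if pod else None
        out[f"{side}_namespace"] = pod.namespace if pod else None
        out[f"{side}_service"] = pod.service if pod else None
        out[f"{side}_label"] = label(pod) if pod else "unattributed"
    return out


def describe(enriched):
    """One-line 'Mermin view' of an enriched flow."""
    return f"{enriched['src_label']} -> {enriched['dst_label']} ({enriched['bytes']} bytes)"


# Constructed raw flow records: the IP-only view a router flow log gives you.
FLOWS = [
    {"ts": T0 + 2 * M, "src_ip": "10.42.0.5", "dst_ip": "10.42.0.8", "dst_port": 8443, "bytes": 5_000_000_000},
    {"ts": T0 + 10 * M, "src_ip": "10.42.0.5", "dst_ip": "10.42.0.8", "dst_port": 8443, "bytes": 4096},
    {"ts": T0 + 3 * M, "src_ip": "10.42.0.9", "dst_ip": "10.42.0.8", "dst_port": 8443, "bytes": 512},
]


def enrich_all(inventory=INVENTORY, flows=FLOWS):
    return [enrich(inventory, f) for f in flows]


if __name__ == "__main__":
    for row in enrich_all():
        print(describe(row))
```

The first two flows share the same source IP but are attributed to different workloads, because the lookup is bounded by pod lifetime; the third is left as `unattributed` so that a gap in inventory coverage shows up in reports instead of being silently absorbed.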

2. Unified Troubleshooting

When you capture Kubernetes flows alongside cloud and device logs, you can trace a transaction across your entire infrastructure.

Imagine a user reports slow performance. With unified data, you can see the traffic flow from:

  • The WAN edge (via Cisco/Juniper NetFlow): confirming the user reached the data center.

  • The cloud load balancer (via AWS/Azure Flow Logs): confirming traffic was passed to the cluster.

  • Inside the cluster (via Mermin): identifying that the frontend pod experienced high latency when talking to the database pod due to TCP retransmissions.

This end-to-end visibility significantly reduces Mean Time to Resolution (MTTR) by allowing you to pinpoint exactly where the bottleneck lies, whether it's the physical wire or the virtual overlay.

3. Strengthening Security Posture

Network Teams are the guardians of infrastructure security. Mermin extends this guardianship into the cluster. By illuminating all pod-to-pod traffic, Mermin allows NetOps and SecOps Teams to:

  • Verify Policies: Ensure that network policies are actually enforcing the segmentation you designed.

  • Detect Anomalies: Identify unexpected traffic patterns, such as a frontend web server attempting to communicate with a sensitive backend database it shouldn't access.

  • Forensic Analysis: Maintain a historical record of all internal cluster communications for audit and compliance purposes.
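Verifying policies and detecting anomalies from flow data both reduce to the same comparison: the set of pod-to-pod conversations you actually observe against the set you intended to allow. One caveat worth building in is that a Kubernetes pod selected by no NetworkPolicy accepts all traffic, so an observed flow outside your intended model means either the policy was never applied to that pod or the design itself is wrong; either way the flow log, not the policy object, is the ground truth. The following is an added example, not Mermin's or ElastiFlow's code. It consumes already-enriched flow records of the shape described above (namespace and service on both ends), and the `INTENDED` allowlist and the `FLOWS` records are constructed; it reports both violations (aggregated per edge) and allowlist entries that no traffic ever exercised, which are candidates for tightening.

```python
"""Compare observed east-west flows with the segmentation you intended.

Added example; not Mermin's or ElastiFlow's code. Input is a list of
already-enriched flow records (namespace/service on both ends plus the
destination port and byte count). It reports observed edges that fall
outside the intended allowlist, and allowlist entries that no flow ever
used. All data below is constructed.
"""
from collections import defaultdict

# Intended segmentation: (src_ns, src_svc) -> allowed {(dst_ns, dst_svc, dst_port)}
INTENDED = {
    ("prod", "frontend"): {("prod", "payment-service", 8443)},
    ("prod", "payment-service"): {
        ("prod", "fraud-detection", 8443),
        ("prod", "database", 5432),
    },
}

# Constructed enriched flow records. The frontend -> database flows and the
# dev -> prod flow are the kind of "shouldn't happen" traffic the text describes.
FLOWS = [
    {"src_ns": "prod", "src_svc": "frontend", "dst_ns": "prod", "dst_svc": "payment-service", "dst_port": 8443, "bytes": 1200},
    {"src_ns": "prod", "src_svc": "payment-service", "dst_ns": "prod", "dst_svc": "fraud-detection", "dst_port": 8443, "bytes": 900},
    {"src_ns": "prod", "src_svc": "frontend", "dst_ns": "prod", "dst_svc": "database", "dst_port": 5432, "bytes": 300},
    {"src_ns": "prod", "src_svc": "frontend", "dst_ns": "prod", "dst_svc": "database", "dst_port": 5432, "bytes": 700},
    {"src_ns": "dev", "src_svc": "scratch", "dst_ns": "prod", "dst_svc": "database", "dst_port": 5432, "bytes": 50},
]


def edge_of(flow):
    """Reduce a flow to the (src, dst, port) edge the policy model is expressed in."""
    return (flow["src_ns"], flow["src_svc"], flow["dst_ns"], flow["dst_svc"], flow["dst_port"])


def check_flows(flows, intended):
    """Return (violations, unused).

    violations: edge -> {"flows": n, "bytes": total} for observed edges not in `intended`
    unused:     set of intended edges that were never observed
    """
    allowed_edges = {
        (sn, ss, dn, ds, p)
        for (sn, ss), dests in intended.items()
        for (dn, ds, p) in dests
    }
    violations = defaultdict(lambda: {"flows": 0, "bytes": 0})
    exercised = set()
    for f in flows:
        e = edge_of(f)
        if e in allowed_edges:
            exercised.add(e)
        else:
            violations[e]["flows"] += 1
            violations[e]["bytes"] += f["bytes"]
    return dict(violations), allowed_edges - exercised


def report(flows=FLOWS, intended=INTENDED):
    """Render findings as one line per edge, violations first."""
    violations, unused = check_flows(flows, intended)
    lines = []
    for e in sorted(violations):
        v = violations[e]
        lines.append(f"VIOLATION {e[0]}/{e[1]} -> {e[2]}/{e[3]}:{e[4]} ({v['flows']} flows, {v['bytes']} bytes)")
    for e in sorted(unused):
        lines.append(f"UNUSED    {e[0]}/{e[1]} -> {e[2]}/{e[3]}:{e[4]} (allowed but never observed)")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Aggregating per edge rather than per flow keeps the report readable when a misbehaving service produces thousands of short connections, while the byte total still conveys how much data crossed the boundary; the "unused" list is the input for the tightening pass a microsegmentation review usually ends with.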

4. How to Get Started

Mermin is an open-source tool on GitHub with a getting started guide and further documentation available here. We provide Helm charts for a straightforward installation. Mermin exports flow traces in OTLP format, so it can be used with any storage and visualization layer that supports OpenTelemetry. If you want the full power of ElastiFlow enrichment, start with a free license of ElastiFlow here.

TL;DR

  • The Kubernetes "Black Box": Traditional network monitoring tools (NetFlow/IPFIX) lose visibility at the cluster edge, creating a disconnect between physical infrastructure and microservices.

  • Context Over Connectivity: Mermin uses eBPF to bridge this gap, automatically correlating ephemeral IPs with Kubernetes metadata. You stop seeing random IPs and start seeing Pod, Namespace, and Service names.

  • End-to-End Troubleshooting: By integrating Mermin with ElastiFlow, NetOps teams can trace a single transaction from the WAN edge, through cloud gateways, deep into the specific container, reducing MTTR.

  • Securing East-West Traffic: Gain visibility into internal cluster communications to validate microsegmentation policies and detect unauthorized lateral movement.

  • Open & Compatible: Mermin is open-source, deployable via Helm, and exports standard OTLP data, making it compatible with any OpenTelemetry-supported backend.
