FlowCollector
is the schema for the network flows collection API, which pilots and configures the underlying deployments.
FlowCollector is the Schema for the network flows collection API, which pilots and configures the underlying deployments.
FlowCollector
is the schema for the network flows collection API, which pilots and configures the underlying deployments.
object
Property | Type | Description |
---|---|---|
|
|
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and might reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
|
|
Kind is a string value representing the REST resource this object represents. Servers might infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
|
|
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
|
|
|
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
object
FlowCollectorSpec
defines the desired state of the FlowCollector resource.
*: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for instance, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.
object
agent
deploymentModel
Property | Type | Description |
---|---|---|
|
|
Agent configuration for flows extraction. |
|
|
|
|
|
|
|
|
|
|
|
Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the |
|
|
Loki, the flow store, client settings. |
|
|
Namespace where NetObserv pods are deployed. If empty, the namespace of the operator is going to be used. |
|
|
|
Agent configuration for flows extraction.
object
type
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
ebpf
describes the settings related to the eBPF-based flow reporter when spec.agent.type
is set to EBPF
.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Privileged mode for the eBPF Agent container. In general this setting can be ignored or set to false: in that case, the operator will set granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container, to enable its correct operation. If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF is in use, then you can turn on this mode for more global privileges. |
|
|
|
|
|
Sampling rate of the flow reporter. 100 means one flow on 100 is sent. 0 or 1 means all flows are sampled. |
debug
allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed exclusively for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS env vars. Users setting its values do it at their own risk.
object
Property | Type | Description |
---|---|---|
|
|
|
resources
are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
object
Property | Type | Description |
---|---|---|
|
|
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
|
|
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
ipfix
- deprecated (*) - describes the settings related to the IPFIX-based flow reporter when spec.agent.type
is set to IPFIX
.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
clusterNetworkOperator
defines the settings related to the OKD Cluster Network Operator, when available.
object
Property | Type | Description |
---|---|---|
|
|
Namespace where the config map is going to be deployed. |
ovnKubernetes
defines the settings of the OVN-Kubernetes CNI, when available. This configuration is used when using OVN’s IPFIX exports, without OKD. When using OKD, refer to the clusterNetworkOperator
property instead.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Namespace where OVN-Kubernetes pods are deployed. |
consolePlugin
defines the settings related to the OKD Console plugin, when available.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
autoscaler
spec of a horizontal pod autoscaler to set up for the plugin Deployment. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
object
portNaming
defines the configuration of the port-to-service name translation
object
Property | Type | Description |
---|---|---|
|
|
Enable the console plugin port-to-service name translation |
|
|
|
quickFilters
configures quick filter presets for the Console plugin
array
QuickFilter
defines preset configuration for Console’s quick filters
object
filter
name
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the filter, that will be displayed in Console |
resources
, in terms of compute resources, required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
object
Property | Type | Description |
---|---|---|
|
|
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
|
|
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
exporters
define additional optional exporters for custom consumption or storage.
array
FlowCollectorExporter
defines an additional exporter to send enriched flows to.
object
type
Property | Type | Description |
---|---|---|
|
|
IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to. Unsupported (*). |
|
|
Kafka configuration, such as the address and topic, to send enriched flows to. |
|
|
|
IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to. Unsupported (*).
object
targetHost
targetPort
Property | Type | Description |
---|---|---|
|
|
Address of the IPFIX external receiver |
|
|
Port for the IPFIX external receiver |
|
|
Transport protocol ( |
Kafka configuration, such as the address and topic, to send enriched flows to.
object
address
topic
Property | Type | Description |
---|---|---|
|
|
Address of the Kafka server |
|
|
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093. Note that, when eBPF agents are used, the Kafka certificate needs to be copied in the agent namespace (by default it is |
|
|
Kafka topic to use. It must exist, NetObserv will not create it. |
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093. Note that, when eBPF agents are used, the Kafka certificate needs to be copied in the agent namespace (by default it is netobserv-privileged
).
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
Enable TLS |
|
|
|
|
|
|
caCert
defines the reference of the certificate for the Certificate Authority
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
userCert
defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the spec.deploymentModel
is KAFKA
.
object
address
topic
Property | Type | Description |
---|---|---|
|
|
Address of the Kafka server |
|
|
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093. Note that, when eBPF agents are used, the Kafka certificate needs to be copied in the agent namespace (by default it is |
|
|
Kafka topic to use. It must exist, NetObserv will not create it. |
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093. Note that, when eBPF agents are used, the Kafka certificate needs to be copied in the agent namespace (by default it is netobserv-privileged
).
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
Enable TLS |
|
|
|
|
|
|
caCert
defines the reference of the certificate for the Certificate Authority
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
userCert
defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
Loki, the flow store, client settings.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
TLS client configuration for Loki status URL. |
|
|
|
|
|
|
|
|
|
|
|
TLS client configuration for Loki URL. |
|
|
|
TLS client configuration for Loki status URL.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
Enable TLS |
|
|
|
|
|
|
caCert
defines the reference of the certificate for the Certificate Authority
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
userCert
defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
TLS client configuration for Loki URL.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
Enable TLS |
|
|
|
|
|
|
caCert
defines the reference of the certificate for the Certificate Authority
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
userCert
defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
processor
defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Port of the flow collector (host port). By convention, some values are forbidden. It must be greater than 1024 and different from 4500, 4789 and 6081. |
|
|
|
|
|
|
debug
allows setting some aspects of the internal configuration of the flow processor. This section is aimed exclusively for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS env vars. Users setting its values do it at their own risk.
object
Property | Type | Description |
---|---|---|
|
|
|
kafkaConsumerAutoscaler
is the spec of a horizontal pod autoscaler to set up for flowlogs-pipeline-transformer
, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
object
Metrics
define the processor configuration regarding metrics
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Metrics server endpoint configuration for Prometheus scraper |
Metrics server endpoint configuration for Prometheus scraper
object
Property | Type | Description |
---|---|---|
|
|
The prometheus HTTP port |
|
|
TLS configuration. |
TLS configuration.
object
Property | Type | Description |
---|---|---|
|
|
TLS configuration when |
|
|
Select the type of TLS configuration: |
TLS configuration when type
is set to PROVIDED
.
object
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
Name of the config map or secret containing certificates |
|
|
Namespace of the config map or secret containing certificates. If omitted, assumes the same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. |
|
|
Type for the certificate reference: |
resources
are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
object
Property | Type | Description |
---|---|---|
|
|
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
|
|
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |