1. Documentation
×

FlowCollector API reference

The FlowCollector API is the underlying schema used to pilot and configure the deployments for collecting network flows. This reference guide helps you manage those critical settings.

FlowCollector API specifications

Description

FlowCollector is the schema for the network flows collection API, which pilots and configures the underlying deployments.

Type

object

Property Type Description

apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and might reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind

string

Kind is a string value representing the REST resource this object represents. Servers might infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata

object

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

spec

object

Defines the desired state of the FlowCollector resource.

*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for example, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.

.metadata

Description

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

Type

object

.spec

Description

Defines the desired state of the FlowCollector resource.

*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for example, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.

Type

object

Property Type Description

agent

object

Agent configuration for flows extraction.

consolePlugin

object

consolePlugin defines the settings related to the OKD Console plugin, when available.

deploymentModel

string

deploymentModel defines the desired type of deployment for flow processing. Possible values are:

- Direct (default) to make the flow processor listen directly from the agents.

- Kafka to make flows sent to a Kafka pipeline before consumption by the processor.

Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).

exporters

array

exporters defines additional optional exporters for custom consumption or storage.

kafka

object

Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the spec.deploymentModel is Kafka.

loki

object

loki, the flow store, client settings.

namespace

string

Namespace where Network Observability pods are deployed.

networkPolicy

object

networkPolicy defines network policy settings for Network Observability components isolation.

processor

object

processor defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.

prometheus

object

prometheus defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.

.spec.agent

Description

Agent configuration for flows extraction.

Type

object

Property Type Description

ebpf

object

ebpf describes the settings related to the eBPF-based flow reporter when spec.agent.type is set to eBPF.

type

string

type [deprecated *] selects the flows tracing agent. Previously, this field allowed to select between eBPF or IPFIX. Only eBPF is allowed now, so this field is deprecated and is planned for removal in a future version of the API.

.spec.agent.ebpf

Description

ebpf describes the settings related to the eBPF-based flow reporter when spec.agent.type is set to eBPF.

Type

object

Property Type Description

advanced

object

advanced allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk. You can also override the default Linux capabilities from there.

cacheActiveTimeout

string

cacheActiveTimeout is the max period during which the reporter aggregates flows before sending. Increasing cacheMaxFlows and cacheActiveTimeout can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection.

cacheMaxFlows

integer

cacheMaxFlows is the max number of flows in an aggregate; when reached, the reporter sends the flows. Increasing cacheMaxFlows and cacheActiveTimeout can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection.

excludeInterfaces

array (string)

excludeInterfaces contains the interface names that are excluded from flow tracing. An entry enclosed by slashes, such as /br-/, is matched as a regular expression. Otherwise it is matched as a case-sensitive string.

features

array (string)

List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:

- PacketDrop: Enable the packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged. If the spec.agent.ebpf.privileged parameter is not set, an error is reported.

- DNSTracking: Enable the DNS tracking feature.

- FlowRTT: Enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.

- NetworkEvents: Enable the network events monitoring feature, such as correlating flows and network policies. This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged. It requires using the OVN-Kubernetes network plugin with the Observability feature.
IMPORTANT: This feature is available as a Technology Preview.

- PacketTranslation: Enable enriching flows with packet translation information, such as Service NAT.

- EbpfManager: Unsupported * . Use eBPF Manager to manage Network Observability eBPF programs. Pre-requisite: the eBPF Manager operator (or upstream bpfman operator) must be installed.

- UDNMapping: Unsupported *. Enable interfaces mapping to User Defined Networks (UDN).
This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged. It requires using the OVN-Kubernetes network plugin with the Observability feature.

flowFilter

object

flowFilter defines the eBPF agent configuration regarding flow filtering.

imagePullPolicy

string

imagePullPolicy is the Kubernetes pull policy for the image defined above

interfaces

array (string)

interfaces contains the interface names from where flows are collected. If empty, the agent fetches all the interfaces in the system, excepting the ones listed in excludeInterfaces. An entry enclosed by slashes, such as /br-/, is matched as a regular expression. Otherwise it is matched as a case-sensitive string.

kafkaBatchSize

integer

kafkaBatchSize limits the maximum size of a request in bytes before being sent to a partition. Ignored when not using Kafka. Default: 1MB.

logLevel

string

logLevel defines the log level for the Network Observability eBPF Agent

metrics

object

metrics defines the eBPF agent configuration regarding metrics.

privileged

boolean

Privileged mode for the eBPF Agent container. When set to true, the agent is able to capture more traffic, including from secondary interfaces. When ignored or set to false, the operator sets granular capabilities (BPF, PERFMON, NET_ADMIN) to the container. Some agent features require the privileged mode, such as packet drops tracking (see features) and SR-IOV support.

resources

object

resources are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

sampling

integer

Sampling interval of the eBPF probe. 100 means one packet on 100 is sent. 0 or 1 means all packets are sampled.

.spec.agent.ebpf.advanced

Description

advanced allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk. You can also override the default Linux capabilities from there.

Type

object

Property Type Description

env

object (string)

env allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as GOGC and GOMAXPROCS, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.

scheduling

object

scheduling controls how the pods are scheduled on nodes.

.spec.agent.ebpf.advanced.scheduling

Description

scheduling controls how the pods are scheduled on nodes.

Type

object

Property Type Description

affinity

object

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

nodeSelector

object (string)

nodeSelector allows scheduling of pods only onto nodes that have each of the specified labels. For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.

priorityClassName

string

If specified, indicates the pod’s priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. If not specified, default priority is used, or zero if there is no default.

tolerations

array

tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

.spec.agent.ebpf.advanced.scheduling.affinity

Description

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

Type

object

.spec.agent.ebpf.advanced.scheduling.tolerations

Description

tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

Type

array

.spec.agent.ebpf.flowFilter

Description

flowFilter defines the eBPF agent configuration regarding flow filtering.

Type

object

Property Type Description

action

string

action defines the action to perform on the flows that match the filter. The available options are Accept, which is the default, and Reject.

cidr

string

cidr defines the IP CIDR to filter flows by. Examples: 10.10.10.0/24 or 100:100:100:100::/64

destPorts

integer-or-string

destPorts optionally defines the destination ports to filter flows by. To filter a single port, set a single port as an integer value. For example, destPorts: 80. To filter a range of ports, use a "start-end" range in string format. For example, destPorts: "80-100". To filter two ports, use a "port1,port2" in string format. For example, ports: "80,100".

direction

string

direction optionally defines a direction to filter flows by. The available options are Ingress and Egress.

enable

boolean

Set enable to true to enable the eBPF flow filtering feature.

icmpCode

integer

icmpCode, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by.

icmpType

integer

icmpType, for ICMP traffic, optionally defines the ICMP type to filter flows by.

peerCIDR

string

peerCIDR defines the Peer IP CIDR to filter flows by. Examples: 10.10.10.0/24 or 100:100:100:100::/64

peerIP

string

peerIP optionally defines the remote IP address to filter flows by. Example: 10.10.10.10.

pktDrops

boolean

pktDrops optionally filters only flows containing packet drops.

ports

integer-or-string

ports optionally defines the ports to filter flows by. It is used both for source and destination ports. To filter a single port, set a single port as an integer value. For example, ports: 80. To filter a range of ports, use a "start-end" range in string format. For example, ports: "80-100". To filter two ports, use a "port1,port2" in string format. For example, ports: "80,100".

protocol

string

protocol optionally defines a protocol to filter flows by. The available options are TCP, UDP, ICMP, ICMPv6, and SCTP.

rules

array

rules defines a list of filtering rules on the eBPF Agents. When filtering is enabled, by default, flows that don’t match any rule are rejected. To change the default, you can define a rule that accepts everything: { action: "Accept", cidr: "0.0.0.0/0" }, and then refine with rejecting rules.

sampling

integer

sampling is the sampling interval for the matched packets, overriding the global sampling defined at spec.agent.ebpf.sampling.

sourcePorts

integer-or-string

sourcePorts optionally defines the source ports to filter flows by. To filter a single port, set a single port as an integer value. For example, sourcePorts: 80. To filter a range of ports, use a "start-end" range in string format. For example, sourcePorts: "80-100". To filter two ports, use a "port1,port2" in string format. For example, ports: "80,100".

tcpFlags

string

tcpFlags optionally defines TCP flags to filter flows by. In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: SYN-ACK, FIN-ACK, and RST-ACK.

.spec.agent.ebpf.flowFilter.rules

Description

rules defines a list of filtering rules on the eBPF Agents. When filtering is enabled, by default, flows that don’t match any rule are rejected. To change the default, you can define a rule that accepts everything: { action: "Accept", cidr: "0.0.0.0/0" }, and then refine with rejecting rules.

Type

array

.spec.agent.ebpf.flowFilter.rules[]

Description

EBPFFlowFilterRules defines the desired eBPF agent configuration regarding flow filtering rules.

Type

object

Property Type Description

action

string

action defines the action to perform on the flows that match the filter. The available options are Accept, which is the default, and Reject.

cidr

string

cidr defines the IP CIDR to filter flows by. Examples: 10.10.10.0/24 or 100:100:100:100::/64

destPorts

integer-or-string

destPorts optionally defines the destination ports to filter flows by. To filter a single port, set a single port as an integer value. For example, destPorts: 80. To filter a range of ports, use a "start-end" range in string format. For example, destPorts: "80-100". To filter two ports, use a "port1,port2" in string format. For example, ports: "80,100".

direction

string

direction optionally defines a direction to filter flows by. The available options are Ingress and Egress.

icmpCode

integer

icmpCode, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by.

icmpType

integer

icmpType, for ICMP traffic, optionally defines the ICMP type to filter flows by.

peerCIDR

string

peerCIDR defines the Peer IP CIDR to filter flows by. Examples: 10.10.10.0/24 or 100:100:100:100::/64

peerIP

string

peerIP optionally defines the remote IP address to filter flows by. Example: 10.10.10.10.

pktDrops

boolean

pktDrops optionally filters only flows containing packet drops.

ports

integer-or-string

ports optionally defines the ports to filter flows by. It is used both for source and destination ports. To filter a single port, set a single port as an integer value. For example, ports: 80. To filter a range of ports, use a "start-end" range in string format. For example, ports: "80-100". To filter two ports, use a "port1,port2" in string format. For example, ports: "80,100".

protocol

string

protocol optionally defines a protocol to filter flows by. The available options are TCP, UDP, ICMP, ICMPv6, and SCTP.

sampling

integer

sampling is the sampling interval for the matched packets, overriding the global sampling defined at spec.agent.ebpf.sampling.

sourcePorts

integer-or-string

sourcePorts optionally defines the source ports to filter flows by. To filter a single port, set a single port as an integer value. For example, sourcePorts: 80. To filter a range of ports, use a "start-end" range in string format. For example, sourcePorts: "80-100". To filter two ports, use a "port1,port2" in string format. For example, ports: "80,100".

tcpFlags

string

tcpFlags optionally defines TCP flags to filter flows by. In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: SYN-ACK, FIN-ACK, and RST-ACK.

.spec.agent.ebpf.metrics

Description

metrics defines the eBPF agent configuration regarding metrics.

Type

object

Property Type Description

disableAlerts

array (string)

disableAlerts is a list of alerts that should be disabled. Possible values are:

NetObservDroppedFlows, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter is being triggered.

enable

boolean

Set enable to false to disable eBPF agent metrics collection. It is enabled by default.

server

object

Metrics server endpoint configuration for the Prometheus scraper.

.spec.agent.ebpf.metrics.server

Description

Metrics server endpoint configuration for the Prometheus scraper.

Type

object

Property Type Description

port

integer

The metrics server HTTP port.

tls

object

TLS configuration.

.spec.agent.ebpf.metrics.server.tls

Description

TLS configuration.

Type

object

Required

  • type

Property Type Description

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the provided certificate. If set to true, the providedCaFile field is ignored.

provided

object

TLS configuration when type is set to Provided.

providedCaFile

object

Reference to the CA file when type is set to Provided.

type

string

Select the type of TLS configuration:

- Disabled (default) to not configure TLS for the endpoint. - Provided to manually provide cert file and a key file. Unsupported *. - Auto to use OKD auto generated certificate using annotations.

.spec.agent.ebpf.metrics.server.tls.provided

Description

TLS configuration when type is set to Provided.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.agent.ebpf.metrics.server.tls.providedCaFile

Description

Reference to the CA file when type is set to Provided.

Type

object

Property Type Description

file

string

File name within the config map or secret.

name

string

Name of the config map or secret containing the file.

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: configmap or secret.

.spec.agent.ebpf.resources

Description

resources are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Type

object

Property Type Description

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

.spec.consolePlugin

Description

consolePlugin defines the settings related to the OKD Console plugin, when available.

Type

object

Property Type Description

advanced

object

advanced allows setting some aspects of the internal configuration of the console plugin. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk.

autoscaler

object

autoscaler spec of a horizontal pod autoscaler to set up for the plugin Deployment. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

enable

boolean

Enables the console plugin deployment.

imagePullPolicy

string

imagePullPolicy is the Kubernetes pull policy for the image defined above

logLevel

string

logLevel for the console plugin backend

portNaming

object

portNaming defines the configuration of the port-to-service name translation

quickFilters

array

quickFilters configures quick filter presets for the Console plugin

replicas

integer

replicas defines the number of replicas (pods) to start.

resources

object

resources, in terms of compute resources, required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

.spec.consolePlugin.advanced

Description

advanced allows setting some aspects of the internal configuration of the console plugin. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk.

Type

object

Property Type Description

args

array (string)

args allows passing custom arguments to underlying components. Useful for overriding some parameters, such as a URL or a configuration path, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.

env

object (string)

env allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as GOGC and GOMAXPROCS, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.

port

integer

port is the plugin service port. Do not use 9002, which is reserved for metrics.

register

boolean

register allows, when set to true, to automatically register the provided console plugin with the OKD Console operator. When set to false, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'

scheduling

object

scheduling controls how the pods are scheduled on nodes.

.spec.consolePlugin.advanced.scheduling

Description

scheduling controls how the pods are scheduled on nodes.

Type

object

Property Type Description

affinity

object

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

nodeSelector

object (string)

nodeSelector allows scheduling of pods only onto nodes that have each of the specified labels. For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.

priorityClassName

string

If specified, indicates the pod’s priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. If not specified, default priority is used, or zero if there is no default.

tolerations

array

tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

.spec.consolePlugin.advanced.scheduling.affinity

Description

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

Type

object

.spec.consolePlugin.advanced.scheduling.tolerations

Description

tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

Type

array

.spec.consolePlugin.autoscaler

Description

autoscaler spec of a horizontal pod autoscaler to set up for the plugin Deployment. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

Type

object

.spec.consolePlugin.portNaming

Description

portNaming defines the configuration of the port-to-service name translation

Type

object

Property Type Description

enable

boolean

Enable the console plugin port-to-service name translation

portNames

object (string)

portNames defines additional port names to use in the console, for example, portNames: {"3100": "loki"}.

.spec.consolePlugin.quickFilters

Description

quickFilters configures quick filter presets for the Console plugin

Type

array

.spec.consolePlugin.quickFilters[]

Description

QuickFilter defines preset configuration for Console’s quick filters

Type

object

Required

  • filter

  • name

Property Type Description

default

boolean

default defines whether this filter should be active by default or not

filter

object (string)

filter is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, for example, filter: {"src_namespace": "namespace1,namespace2"}.

name

string

Name of the filter, that is displayed in the Console

.spec.consolePlugin.resources

Description

resources, in terms of compute resources, required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Type

object

Property Type Description

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

.spec.exporters

Description

exporters defines additional optional exporters for custom consumption or storage.

Type

array

.spec.exporters[]

Description

FlowCollectorExporter defines an additional exporter to send enriched flows to.

Type

object

Required

  • type

Property Type Description

ipfix

object

IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to.

kafka

object

Kafka configuration, such as the address and topic, to send enriched flows to.

openTelemetry

object

OpenTelemetry configuration, such as the IP address and port to send enriched logs or metrics to.

type

string

type selects the type of exporters. The available options are Kafka, IPFIX, and OpenTelemetry.

.spec.exporters[].ipfix

Description

IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to.

Type

object

Required

  • targetHost

  • targetPort

Property Type Description

targetHost

string

Address of the IPFIX external receiver.

targetPort

integer

Port for the IPFIX external receiver.

transport

string

Transport protocol (TCP or UDP) to be used for the IPFIX connection, defaults to TCP.

.spec.exporters[].kafka

Description

Kafka configuration, such as the address and topic, to send enriched flows to.

Type

object

Required

  • address

  • topic

Property Type Description

address

string

Address of the Kafka server

sasl

object

SASL authentication configuration. Unsupported *.

tls

object

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

topic

string

Kafka topic to use. It must exist. Network Observability does not create it.

.spec.exporters[].kafka.sasl

Description

SASL authentication configuration. Unsupported *.

Type

object

Property Type Description

clientIDReference

object

Reference to the secret or config map containing the client ID

clientSecretReference

object

Reference to the secret or config map containing the client secret

type

string

Type of SASL authentication to use, or Disabled if SASL is not used

.spec.exporters[].kafka.sasl.clientIDReference

Description

Reference to the secret or config map containing the client ID

Type

object

Property Type Description

file

string

File name within the config map or secret.

name

string

Name of the config map or secret containing the file.

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: configmap or secret.

.spec.exporters[].kafka.sasl.clientSecretReference

Description

Reference to the secret or config map containing the client secret

Type

object

Property Type Description

file

string

File name within the config map or secret.

name

string

Name of the config map or secret containing the file.

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: configmap or secret.

.spec.exporters[].kafka.tls

Description

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.exporters[].kafka.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.exporters[].kafka.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.exporters[].openTelemetry

Description

OpenTelemetry configuration, such as the IP address and port to send enriched logs or metrics to.

Type

object

Required

  • targetHost

  • targetPort

Property Type Description

fieldsMapping

array

Custom fields mapping to an OpenTelemetry conformant format. By default, Network Observability format proposal is used: https://github.com/rhobs/observability-data-model/blob/main/network-observability.md#format-proposal . As there is currently no accepted standard for L3 or L4 enriched network logs, you can freely override it with your own.

headers

object (string)

Headers to add to messages (optional)

logs

object

OpenTelemetry configuration for logs.

metrics

object

OpenTelemetry configuration for metrics.

protocol

string

Protocol of the OpenTelemetry connection. The available options are http and grpc.

targetHost

string

Address of the OpenTelemetry receiver.

targetPort

integer

Port for the OpenTelemetry receiver.

tls

object

TLS client configuration.

.spec.exporters[].openTelemetry.fieldsMapping

Description

Custom fields mapping to an OpenTelemetry conformant format. By default, Network Observability format proposal is used: https://github.com/rhobs/observability-data-model/blob/main/network-observability.md#format-proposal . As there is currently no accepted standard for L3 or L4 enriched network logs, you can freely override it with your own.

Type

array

.spec.exporters[].openTelemetry.fieldsMapping[]

Description
Type

object

Property Type Description

input

string

multiplier

integer

output

string

.spec.exporters[].openTelemetry.logs

Description

OpenTelemetry configuration for logs.

Type

object

Property Type Description

enable

boolean

Set enable to true to send logs to an OpenTelemetry receiver.

.spec.exporters[].openTelemetry.metrics

Description

OpenTelemetry configuration for metrics.

Type

object

Property Type Description

enable

boolean

Set enable to true to send metrics to an OpenTelemetry receiver.

pushTimeInterval

string

Specify how often metrics are sent to a collector.

.spec.exporters[].openTelemetry.tls

Description

TLS client configuration.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.exporters[].openTelemetry.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.exporters[].openTelemetry.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.kafka

Description

Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the spec.deploymentModel is Kafka.

Type

object

Required

  • address

  • topic

Property Type Description

address

string

Address of the Kafka server

sasl

object

SASL authentication configuration. Unsupported *.

tls

object

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

topic

string

Kafka topic to use. It must exist. Network Observability does not create it.

.spec.kafka.sasl

Description

SASL authentication configuration. Unsupported *.

Type

object

Property Type Description

clientIDReference

object

Reference to the secret or config map containing the client ID

clientSecretReference

object

Reference to the secret or config map containing the client secret

type

string

Type of SASL authentication to use, or Disabled if SASL is not used

.spec.kafka.sasl.clientIDReference

Description

Reference to the secret or config map containing the client ID

Type

object

Property Type Description

file

string

File name within the config map or secret.

name

string

Name of the config map or secret containing the file.

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: configmap or secret.

.spec.kafka.sasl.clientSecretReference

Description

Reference to the secret or config map containing the client secret

Type

object

Property Type Description

file

string

File name within the config map or secret.

name

string

Name of the config map or secret containing the file.

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: configmap or secret.

.spec.kafka.tls

Description

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.kafka.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.kafka.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki

Description

loki, the flow store, client settings.

Type

object

Required

  • mode

Property Type Description

advanced

object

advanced allows setting some aspects of the internal configuration of the Loki clients. This section is aimed mostly for debugging and fine-grained performance optimizations.

enable

boolean

Set enable to true to store flows in Loki. The Console plugin can use either Loki or Prometheus as a data source for metrics (see also spec.prometheus.querier), or both. Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, such as getting per-pod information or viewing raw flows. If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. If they are both disabled, the Console plugin is not deployed.

lokiStack

object

Loki configuration for LokiStack mode. This is useful for an easy Loki Operator configuration. It is ignored for other modes.

manual

object

Loki configuration for Manual mode. This is the most flexible configuration. It is ignored for other modes.

microservices

object

Loki configuration for Microservices mode. Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). It is ignored for other modes.

mode

string

mode must be set according to the installation mode of Loki:

- Use LokiStack when Loki is managed using the Loki Operator

- Use Monolithic when Loki is installed as a monolithic workload

- Use Microservices when Loki is installed as microservices, but without Loki Operator

- Use Manual if none of the options above match your setup

monolithic

object

Loki configuration for Monolithic mode. Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). It is ignored for other modes.

readTimeout

string

readTimeout is the maximum console plugin loki query total time limit. A timeout of zero means no timeout.

writeBatchSize

integer

writeBatchSize is the maximum batch size (in bytes) of Loki logs to accumulate before sending.

writeBatchWait

string

writeBatchWait is the maximum time to wait before sending a Loki batch.

writeTimeout

string

writeTimeout is the maximum Loki time connection / request limit. A timeout of zero means no timeout.

.spec.loki.advanced

Description

advanced allows setting some aspects of the internal configuration of the Loki clients. This section is aimed mostly for debugging and fine-grained performance optimizations.

Type

object

Property Type Description

excludeLabels

array (string)

excludeLabels is a list of fields to be excluded from the list of Loki labels. [Unsupported (*)].

staticLabels

object (string)

staticLabels is a map of common labels to set on each flow in Loki storage.

writeMaxBackoff

string

writeMaxBackoff is the maximum backoff time for Loki client connection between retries.

writeMaxRetries

integer

writeMaxRetries is the maximum number of retries for Loki client connections.

writeMinBackoff

string

writeMinBackoff is the initial backoff time for Loki client connection between retries.

.spec.loki.lokiStack

Description

Loki configuration for LokiStack mode. This is useful for an easy Loki Operator configuration. It is ignored for other modes.

Type

object

Required

  • name

Property Type Description

name

string

Name of an existing LokiStack resource to use.

namespace

string

Namespace where this LokiStack resource is located. If omitted, it is assumed to be the same as spec.namespace.

.spec.loki.manual

Description

Loki configuration for Manual mode. This is the most flexible configuration. It is ignored for other modes.

Type

object

Property Type Description

authToken

string

authToken describes the way to get a token to authenticate to Loki.

- Disabled does not send any token with the request.

- Forward forwards the user token for authorization.

- Host [deprecated *] - uses the local pod service account to authenticate to Loki.

When using the Loki Operator, this must be set to Forward.

ingesterUrl

string

ingesterUrl is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator, set it to the Loki gateway service with the network tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.

querierUrl

string

querierUrl specifies the address of the Loki querier service. When using the Loki Operator, set it to the Loki gateway service with the network tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.

statusTls

object

TLS client configuration for Loki status URL.

statusUrl

string

statusUrl specifies the address of the Loki /ready, /metrics and /config endpoints, in case it is different from the Loki querier URL. If empty, the querierUrl value is used. This is useful to show error messages and some context in the frontend. When using the Loki Operator, set it to the Loki HTTP query frontend service, for example https://loki-query-frontend-http.netobserv.svc:3100/. statusTLS configuration is used when statusUrl is set.

tenantID

string

tenantID is the Loki X-Scope-OrgID that identifies the tenant for each request. When using the Loki Operator, set it to network, which corresponds to a special tenant mode.

tls

object

TLS client configuration for Loki URL.

.spec.loki.manual.statusTls

Description

TLS client configuration for Loki status URL.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.loki.manual.statusTls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.manual.statusTls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.manual.tls

Description

TLS client configuration for Loki URL.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.loki.manual.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.manual.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.microservices

Description

Loki configuration for Microservices mode. Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). It is ignored for other modes.

Type

object

Property Type Description

ingesterUrl

string

ingesterUrl is the address of an existing Loki ingester service to push the flows to.

querierUrl

string

querierURL specifies the address of the Loki querier service.

tenantID

string

tenantID is the Loki X-Scope-OrgID header that identifies the tenant for each request.

tls

object

TLS client configuration for Loki URL.

.spec.loki.microservices.tls

Description

TLS client configuration for Loki URL.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.loki.microservices.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.microservices.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.monolithic

Description

Loki configuration for Monolithic mode. Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). It is ignored for other modes.

Type

object

Property Type Description

tenantID

string

tenantID is the Loki X-Scope-OrgID header that identifies the tenant for each request.

tls

object

TLS client configuration for Loki URL.

url

string

url is the unique address of an existing Loki service that points to both the ingester and the querier.

.spec.loki.monolithic.tls

Description

TLS client configuration for Loki URL.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.loki.monolithic.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.loki.monolithic.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.networkPolicy

Description

networkPolicy defines network policy settings for Network Observability components isolation.

Type

object

Property Type Description

additionalNamespaces

array (string)

additionalNamespaces contains additional namespaces allowed to connect to the Network Observability namespace. It provides flexibility in the network policy configuration, but if you need a more specific configuration, you can disable it and install your own instead.

enable

boolean

Set enable to true to deploy network policies on the namespaces used by Network Observability (main and privileged). It is disabled by default. These network policies better isolate the Network Observability components to prevent undesired connections to them. This option is enabled by default, disable it to manually manage network policies

.spec.processor

Description

processor defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.

Type

object

Property Type Description

addZone

boolean

addZone allows availability zone awareness by labelling flows with their source and destination zones. This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.

advanced

object

advanced allows setting some aspects of the internal configuration of the flow processor. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk.

clusterName

string

clusterName is the name of the cluster to appear in the flows data. This is useful in a multi-cluster context. When using OKD, leave empty to make it automatically determined.

deduper

object

deduper allows you to sample or drop flows identified as duplicates, in order to save on resource usage. Unsupported *.

filters

array

filters lets you define custom filters to limit the amount of generated flows. These filters provide more flexibility than the eBPF Agent filters (in spec.agent.ebpf.flowFilter), such as allowing to filter by Kubernetes namespace, but with a lesser improvement in performance. Unsupported *.

imagePullPolicy

string

imagePullPolicy is the Kubernetes pull policy for the image defined above

kafkaConsumerAutoscaler

object

kafkaConsumerAutoscaler is the spec of a horizontal pod autoscaler to set up for flowlogs-pipeline-transformer, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

kafkaConsumerBatchSize

integer

kafkaConsumerBatchSize indicates to the broker the maximum batch size, in bytes, that the consumer accepts. Ignored when not using Kafka. Default: 10MB.

kafkaConsumerQueueCapacity

integer

kafkaConsumerQueueCapacity defines the capacity of the internal message queue used in the Kafka consumer client. Ignored when not using Kafka.

kafkaConsumerReplicas

integer

kafkaConsumerReplicas defines the number of replicas (pods) to start for flowlogs-pipeline-transformer, which consumes Kafka messages. This setting is ignored when Kafka is disabled.

logLevel

string

logLevel of the processor runtime

logTypes

string

logTypes defines the desired record types to generate. Possible values are:

- Flows to export regular network flows. This is the default.

- Conversations to generate events for started conversations, ended conversations as well as periodic "tick" updates.

- EndedConversations to generate only ended conversations events.

- All to generate both network flows and all conversations events. It is not recommended due to the impact on resources footprint.

metrics

object

Metrics define the processor configuration regarding metrics

multiClusterDeployment

boolean

Set multiClusterDeployment to true to enable multi clusters feature. This adds clusterName label to flows data

resources

object

resources are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

subnetLabels

object

subnetLabels allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OKD, which is used to identify cluster external traffic. When a subnet matches the source or destination IP of a flow, a corresponding field is added: SrcSubnetLabel or DstSubnetLabel.

.spec.processor.advanced

Description

advanced allows setting some aspects of the internal configuration of the flow processor. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk.

Type

object

Property Type Description

conversationEndTimeout

string

conversationEndTimeout is the time to wait after a network flow is received, to consider the conversation ended. This delay is ignored when a FIN packet is collected for TCP flows (see conversationTerminatingTimeout instead).

conversationHeartbeatInterval

string

conversationHeartbeatInterval is the time to wait between "tick" events of a conversation

conversationTerminatingTimeout

string

conversationTerminatingTimeout is the time to wait from detected FIN flag to end a conversation. Only relevant for TCP flows.

dropUnusedFields

boolean

dropUnusedFields [deprecated *] this setting is not used anymore.

enableKubeProbes

boolean

enableKubeProbes is a flag to enable or disable Kubernetes liveness and readiness probes

env

object (string)

env allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as GOGC and GOMAXPROCS, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.

healthPort

integer

healthPort is a collector HTTP port in the Pod that exposes the health check API

port

integer

Port of the flow collector (host port). By convention, some values are forbidden. It must be greater than 1024 and different from 4500, 4789 and 6081.

profilePort

integer

profilePort allows setting up a Go pprof profiler listening to this port

scheduling

object

scheduling controls how the pods are scheduled on nodes.

secondaryNetworks

array

Defines secondary networks to be checked for resources identification. To guarantee a correct identification, indexed values must form an unique identifier across the cluster. If the same index is used by several resources, those resources might be incorrectly labeled.

.spec.processor.advanced.scheduling

Description

scheduling controls how the pods are scheduled on nodes.

Type

object

Property Type Description

affinity

object

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

nodeSelector

object (string)

nodeSelector allows scheduling of pods only onto nodes that have each of the specified labels. For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.

priorityClassName

string

If specified, indicates the pod’s priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. If not specified, default priority is used, or zero if there is no default.

tolerations

array

tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

.spec.processor.advanced.scheduling.affinity

Description

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

Type

object

.spec.processor.advanced.scheduling.tolerations

Description

tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

Type

array

.spec.processor.advanced.secondaryNetworks

Description

Defines secondary networks to be checked for resources identification. To guarantee a correct identification, indexed values must form an unique identifier across the cluster. If the same index is used by several resources, those resources might be incorrectly labeled.

Type

array

.spec.processor.advanced.secondaryNetworks[]

Description
Type

object

Required

  • index

  • name

Property Type Description

index

array (string)

index is a list of fields to use for indexing the pods. They should form a unique Pod identifier across the cluster. Can be any of: MAC, IP, Interface. Fields absent from the 'k8s.v1.cni.cncf.io/network-status' annotation must not be added to the index.

name

string

name should match the network name as visible in the pods annotation 'k8s.v1.cni.cncf.io/network-status'.

.spec.processor.deduper

Description

deduper allows you to sample or drop flows identified as duplicates, in order to save on resource usage. Unsupported *.

Type

object

Property Type Description

mode

string

Set the Processor de-duplication mode. It comes in addition to the Agent-based deduplication because the Agent cannot de-duplicate same flows reported from different nodes.

- Use Drop to drop every flow considered as duplicates, allowing saving more on resource usage but potentially losing some information such as the network interfaces used from peer, or network events.

- Use Sample to randomly keep only one flow on 50, which is the default, among the ones considered as duplicates. This is a compromise between dropping every duplicate or keeping every duplicate. This sampling action comes in addition to the Agent-based sampling. If both Agent and Processor sampling values are 50, the combined sampling is 1:2500.

- Use Disabled to turn off Processor-based de-duplication.

sampling

integer

sampling is the sampling interval when deduper mode is Sample. For example, a value of 50 means that 1 flow in 50 is sampled.

.spec.processor.filters

Description

filters lets you define custom filters to limit the amount of generated flows. These filters provide more flexibility than the eBPF Agent filters (in spec.agent.ebpf.flowFilter), such as allowing to filter by Kubernetes namespace, but with a lesser improvement in performance. Unsupported *.

Type

array

.spec.processor.filters[]

Description

FLPFilterSet defines the desired configuration for FLP-based filtering satisfying all conditions.

Type

object

Property Type Description

allOf

array

filters is a list of matches that must be all satisfied in order to remove a flow.

outputTarget

string

If specified, these filters only target a single output: Loki, Metrics or Exporters. By default, all outputs are targeted.

sampling

integer

sampling is an optional sampling interval to apply to this filter. For example, a value of 50 means that 1 matching flow in 50 is sampled.

.spec.processor.kafkaConsumerAutoscaler

Description

kafkaConsumerAutoscaler is the spec of a horizontal pod autoscaler to set up for flowlogs-pipeline-transformer, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

Type

object

.spec.processor.metrics

Description

Metrics define the processor configuration regarding metrics

Type

object

Property Type Description

alerts

array

alerts is a list of alerts to be created for Prometheus AlertManager, organized by templates and variants [Unsupported (*)]. This is currently an experimental feature behind a feature gate. To enable, edit spec.processor.advanced.env by adding EXPERIMENTAL_ALERTS_HEALTH set to true. More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

disableAlerts

array (string)

disableAlerts is a list of alert groups that should be disabled from the default set of alerts. Possible values are: NetObservNoFlows, NetObservLokiError, PacketDropsByKernel, PacketDropsByDevice, IPsecErrors, NetpolDenied, LatencyHighTrend, DNSErrors, ExternalEgressHighTrend, ExternalIngressHighTrend, CrossAZ. More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

includeList

array (string)

includeList is a list of metric names to specify which ones to generate. The names correspond to the names in Prometheus without the prefix. For example, namespace_egress_packets_total shows up as netobserv_namespace_egress_packets_total in Prometheus. Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. Metrics enabled by default are: namespace_flows_total, node_ingress_bytes_total, node_egress_bytes_total, workload_ingress_bytes_total, workload_egress_bytes_total, namespace_drop_packets_total (when PacketDrop feature is enabled), namespace_rtt_seconds (when FlowRTT feature is enabled), namespace_dns_latency_seconds (when DNSTracking feature is enabled), namespace_network_policy_events_total (when NetworkEvents feature is enabled). More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md

server

object

Metrics server endpoint configuration for Prometheus scraper

.spec.processor.metrics.alerts

Description

alerts is a list of alerts to be created for Prometheus AlertManager, organized by templates and variants [Unsupported (*)]. This is currently an experimental feature behind a feature gate. To enable, edit spec.processor.advanced.env by adding EXPERIMENTAL_ALERTS_HEALTH set to true. More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

Type

array

.spec.processor.metrics.alerts[]

Description
Type

object

Required

  • template

  • variants

Property Type Description

template

string

Alert template name. Possible values are: PacketDropsByKernel, PacketDropsByDevice, IPsecErrors, NetpolDenied, LatencyHighTrend, DNSErrors, ExternalEgressHighTrend, ExternalIngressHighTrend, CrossAZ. More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

variants

array

A list of variants for this template

.spec.processor.metrics.alerts[].variants

Description

A list of variants for this template

Type

array

.spec.processor.metrics.alerts[].variants[]

Description
Type

object

Required

  • thresholds

Property Type Description

groupBy

string

Optional grouping criteria, possible values are: Node, Namespace, Workload.

lowVolumeThreshold

string

The low volume threshold allows to ignore metrics with a too low volume of traffic, in order to improve signal-to-noise. It is provided as an absolute rate (bytes per second or packets per second, depending on the context). When provided, it must be parsable as a float.

thresholds

object

Thresholds of the alert per severity. They are expressed as a percentage of errors above which the alert is triggered. They must be parsable as floats.

trendDuration

string

For trending alerts, the duration interval for baseline comparison. For example, "2h" means comparing against a 2-hours average. Defaults to 2h.

trendOffset

string

For trending alerts, the time offset for baseline comparison. For example, "1d" means comparing against yesterday. Defaults to 1d.

.spec.processor.metrics.alerts[].variants[].thresholds

Description

Thresholds of the alert per severity. They are expressed as a percentage of errors above which the alert is triggered. They must be parsable as floats.

Type

object

Property Type Description

critical

string

Threshold for severity critical. Leave empty to not generate a Critical alert.

info

string

Threshold for severity info. Leave empty to not generate an Info alert.

warning

string

Threshold for severity warning. Leave empty to not generate a Warning alert.

.spec.processor.metrics.server

Description

Metrics server endpoint configuration for Prometheus scraper

Type

object

Property Type Description

port

integer

The metrics server HTTP port.

tls

object

TLS configuration.

.spec.processor.metrics.server.tls

Description

TLS configuration.

Type

object

Required

  • type

Property Type Description

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the provided certificate. If set to true, the providedCaFile field is ignored.

provided

object

TLS configuration when type is set to Provided.

providedCaFile

object

Reference to the CA file when type is set to Provided.

type

string

Select the type of TLS configuration:

- Disabled (default) to not configure TLS for the endpoint. - Provided to manually provide cert file and a key file. Unsupported *. - Auto to use OKD auto generated certificate using annotations.

.spec.processor.metrics.server.tls.provided

Description

TLS configuration when type is set to Provided.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.processor.metrics.server.tls.providedCaFile

Description

Reference to the CA file when type is set to Provided.

Type

object

Property Type Description

file

string

File name within the config map or secret.

name

string

Name of the config map or secret containing the file.

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: configmap or secret.

.spec.processor.resources

Description

resources are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Type

object

Property Type Description

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

.spec.processor.subnetLabels

Description

subnetLabels allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OKD, which is used to identify cluster external traffic. When a subnet matches the source or destination IP of a flow, a corresponding field is added: SrcSubnetLabel or DstSubnetLabel.

Type

object

Property Type Description

customLabels

array

customLabels allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable openShiftAutoDetect, customLabels can override the detected subnets in case they overlap.

openShiftAutoDetect

boolean

openShiftAutoDetect allows, when set to true, to detect automatically the machines, pods and services subnets based on the OKD install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OKD.

.spec.processor.subnetLabels.customLabels

Description

customLabels allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable openShiftAutoDetect, customLabels can override the detected subnets in case they overlap.

Type

array

.spec.processor.subnetLabels.customLabels[]

Description

SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.

Type

object

Required

  • cidrs

  • name

Property Type Description

cidrs

array (string)

List of CIDRs, such as ["1.2.3.4/32"].

name

string

Label name, used to flag matching flows.

.spec.prometheus

Description

prometheus defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.

Type

object

Property Type Description

querier

object

Prometheus querying configuration, such as client settings, used in the Console plugin.

.spec.prometheus.querier

Description

Prometheus querying configuration, such as client settings, used in the Console plugin.

Type

object

Required

  • mode

Property Type Description

enable

boolean

When enable is true, the Console plugin queries flow metrics from Prometheus instead of Loki whenever possible. It is enbaled by default: set it to false to disable this feature. The Console plugin can use either Loki or Prometheus as a data source for metrics (see also spec.loki), or both. Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, such as getting per-pod information or viewing raw flows. If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. If they are both disabled, the Console plugin is not deployed.

manual

object

Prometheus configuration for Manual mode.

mode

string

mode must be set according to the type of Prometheus installation that stores Network Observability metrics:

- Use Auto to try configuring automatically. In OKD, it uses the Thanos querier from OKD Cluster Monitoring

- Use Manual for a manual setup

timeout

string

timeout is the read timeout for console plugin queries to Prometheus. A timeout of zero means no timeout.

.spec.prometheus.querier.manual

Description

Prometheus configuration for Manual mode.

Type

object

Property Type Description

forwardUserToken

boolean

Set true to forward logged in user token in queries to Prometheus

tls

object

TLS client configuration for Prometheus URL.

url

string

url is the address of an existing Prometheus service to use for querying metrics.

.spec.prometheus.querier.manual.tls

Description

TLS client configuration for Prometheus URL.

Type

object

Property Type Description

caCert

object

caCert defines the reference of the certificate for the Certificate Authority.

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

.spec.prometheus.querier.manual.tls.caCert

Description

caCert defines the reference of the certificate for the Certificate Authority.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.

.spec.prometheus.querier.manual.tls.userCert

Description

userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

Type

object

Property Type Description

certFile

string

certFile defines the path to the certificate file name within the config map or secret.

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates.

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret.