diff --git a/charts/network-observability-operator/.helmignore b/charts/network-observability-operator/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/network-observability-operator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/network-observability-operator/Chart.yaml b/charts/network-observability-operator/Chart.yaml
new file mode 100644
index 0000000000..2eac899e69
--- /dev/null
+++ b/charts/network-observability-operator/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: network-observability-operator
+description: A Helm chart for Kubernetes
+appVersion: 1.0.5
+type: application
+version: 0.1.0
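Review bot: `appVersion: 1.0.5` is written as a plain scalar; it parses as a string today only because it has two dots, and a later two-component value (a constructed example: `1.10`) would be read as a float and silently become `1.1`, so it is safer as `appVersion: "1.0.5"`. If the templates derive the operator image tag from `.Chart.AppVersion` (not visible in this hunk), that coercion would change which image is pulled. Separately, `description: A Helm chart for Kubernetes` is still the scaffold default and does not identify what the chart installs; something like `description: Helm chart for the NetObserv network observability operator` would make it recognisable in repository indexes and audit listings.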
diff --git a/charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml b/charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml
new file mode 100644
index 0000000000..b0a6b61256
--- /dev/null
+++ b/charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml
@@ -0,0 +1,8232 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.14.0
+ service.beta.openshift.io/inject-cabundle: "true"
+ name: flowcollectors.flows.netobserv.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ name: netobserv-webhook-service
+ namespace: netobserv
+ path: /convert
+ conversionReviewVersions:
+ - v1beta1
+ - v1beta2
+ group: flows.netobserv.io
+ names:
+ kind: FlowCollector
+ listKind: FlowCollectorList
+ plural: flowcollectors
+ singular: flowcollector
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.agent.type
+ name: Agent
+ type: string
+ - jsonPath: .spec.agent.ebpf.sampling
+ name: Sampling (EBPF)
+ type: string
+ - jsonPath: .spec.deploymentModel
+ name: Deployment Model
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ deprecated: true
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: '`FlowCollector` is the schema for the network flows collection
+ API, which pilots and configures the underlying deployments.'
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ properties:
+ name:
+ pattern: ^cluster$
+ type: string
+ type: object
+ spec:
+ description: |-
+ Defines the desired state of the FlowCollector resource.
+
+ *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature
+ is not officially supported by Red Hat. It might have been, for example, contributed by the community
+ and accepted without a formal agreement for maintenance. The product maintainers might provide some support
+ for these features as a best effort only.
+ properties:
+ agent:
+ description: Agent configuration for flows extraction.
+ properties:
+ ebpf:
+ description: |-
+ `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type`
+ is set to `EBPF`.
+ properties:
+ cacheActiveTimeout:
+ default: 5s
+ description: |-
+ `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending.
+ Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
+ however you can expect higher memory consumption and an increased latency in the flow collection.
+ pattern: ^\d+(ns|ms|s|m)?$
+ type: string
+ cacheMaxFlows:
+ default: 100000
+ description: |-
+ `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows.
+ Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
+ however you can expect higher memory consumption and an increased latency in the flow collection.
+ format: int32
+ minimum: 1
+ type: integer
+ debug:
+ description: |-
+ `debug` allows setting some aspects of the internal configuration of the eBPF agent.
+ This section is aimed exclusively for debugging and fine-grained performance optimizations,
+ such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+ properties:
+ env:
+ additionalProperties:
+ type: string
+ description: |-
+ `env` allows passing custom environment variables to underlying components. Useful for passing
+ some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+ publicly exposed as part of the FlowCollector descriptor, as they are only useful
+ in edge debug or support scenarios.
+ type: object
+ type: object
+ excludeInterfaces:
+ default:
+ - lo
+ description: |-
+ `excludeInterfaces` contains the interface names that are excluded from flow tracing.
+ An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
+ Otherwise it is matched as a case-sensitive string.
+ items:
+ type: string
+ type: array
+ features:
+ description: |-
+ List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
+ - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting
+ the kernel debug filesystem, so the eBPF pod has to run as privileged.
+ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.
+ - `DNSTracking`: enable the DNS tracking feature.
+ - `FlowRTT` [unsupported (*)]: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1.
+ items:
+ description: |-
+ Agent feature, can be one of:
+ - `PacketDrop`, to track packet drops.
+ - `DNSTracking`, to track specific information on DNS traffic.
+ - `FlowRTT`, to track TCP latency. [Unsupported (*)].
+ enum:
+ - PacketDrop
+ - DNSTracking
+ - FlowRTT
+ type: string
+ type: array
+ flowFilter:
+ description: '`flowFilter` defines the eBPF agent configuration
+ regarding flow filtering'
+ properties:
+ action:
+ description: Action defines the action to perform on the
+ flows that match the filter.
+ enum:
+ - Accept
+ - Reject
+ type: string
+ cidr:
+ description: |-
+ CIDR defines the IP CIDR to filter flows by.
+ Example: 10.10.10.0/24 or 100:100:100:100::/64
+ type: string
+ destPorts:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ DestPorts defines the destination ports to filter flows by.
+ To filter a single port, set a single port as an integer value. For example destPorts: 80.
+ To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100".
+ x-kubernetes-int-or-string: true
+ direction:
+ description: Direction defines the direction to filter
+ flows by.
+ enum:
+ - Ingress
+ - Egress
+ type: string
+ enable:
+ description: Set `enable` to `true` to enable eBPF flow
+ filtering feature.
+ type: boolean
+ icmpCode:
+ description: ICMPCode defines the ICMP code to filter
+ flows by.
+ type: integer
+ icmpType:
+ description: ICMPType defines the ICMP type to filter
+ flows by.
+ type: integer
+ peerIP:
+ description: |-
+ PeerIP defines the IP address to filter flows by.
+ Example: 10.10.10.10
+ type: string
+ ports:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Ports defines the ports to filter flows by. it can be user for either source or destination ports.
+ To filter a single port, set a single port as an integer value. For example ports: 80.
+ To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: Protocol defines the protocol to filter flows
+ by.
+ enum:
+ - TCP
+ - UDP
+ - ICMP
+ - ICMPv6
+ - SCTP
+ type: string
+ sourcePorts:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SourcePorts defines the source ports to filter flows by.
+ To filter a single port, set a single port as an integer value. For example sourcePorts: 80.
+ To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100".
+ x-kubernetes-int-or-string: true
+ type: object
+ imagePullPolicy:
+ default: IfNotPresent
+ description: '`imagePullPolicy` is the Kubernetes pull policy
+ for the image defined above'
+ enum:
+ - IfNotPresent
+ - Always
+ - Never
+ type: string
+ interfaces:
+ description: |-
+ `interfaces` contains the interface names from where flows are collected. If empty, the agent
+ fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces.
+ An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
+ Otherwise it is matched as a case-sensitive string.
+ items:
+ type: string
+ type: array
+ kafkaBatchSize:
+ default: 1048576
+ description: '`kafkaBatchSize` limits the maximum size of
+ a request in bytes before being sent to a partition. Ignored
+ when not using Kafka. Default: 1MB.'
+ type: integer
+ logLevel:
+ default: info
+ description: '`logLevel` defines the log level for the NetObserv
+ eBPF Agent'
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ - fatal
+ - panic
+ type: string
+ metrics:
+ description: '`metrics` defines the eBPF agent configuration
+ regarding metrics'
+ properties:
+ disableAlerts:
+ description: |-
+ `disableAlerts` is a list of alerts that should be disabled.
+ Possible values are:
+ `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ items:
+ description: |-
+ Name of a ebpf agent alert.
+ Possible values are:
+ - `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ enum:
+ - NetObservDroppedFlows
+ type: string
+ type: array
+ enable:
+ description: Set `enable` to `true` to enable eBPF agent
+ metrics collection.
+ type: boolean
+ server:
+ description: Metrics server endpoint configuration for
+ Prometheus scraper
+ properties:
+ port:
+ description: The prometheus HTTP port
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ tls:
+ description: TLS configuration.
+ properties:
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
+ If set to `true`, the `providedCaFile` field is ignored.
+ type: boolean
+ provided:
+ description: TLS configuration when `type` is
+ set to `PROVIDED`.
+ properties:
+ certFile:
+ description: '`certFile` defines the path
+ to the certificate file name within the
+ config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to
+ the certificate private key file name within
+ the config map or secret. Omit when the
+ key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ providedCaFile:
+ description: Reference to the CA file when `type`
+ is set to `PROVIDED`.
+ properties:
+ file:
+ description: File name within the config map
+ or secret
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference:
+ "configmap" or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: DISABLED
+ description: |-
+ Select the type of TLS configuration:
+ - `DISABLED` (default) to not configure TLS for the endpoint.
+ - `PROVIDED` to manually provide cert file and a key file. [Unsupported (*)].
+ - `AUTO` to use OpenShift auto generated certificate using annotations.
+ enum:
+ - DISABLED
+ - PROVIDED
+ - AUTO
+ type: string
+ type: object
+ type: object
+ type: object
+ privileged:
+ description: |-
+ Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets
+ granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container.
+ If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF
+ is in use, then you can turn on this mode for more global privileges.
+ Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support.
+ type: boolean
+ resources:
+ default:
+ limits:
+ memory: 800Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ description: |-
+ `resources` are the compute resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ sampling:
+ default: 50
+ description: Sampling rate of the flow reporter. 100 means
+ one flow on 100 is sent. 0 or 1 means all flows are sampled.
+ format: int32
+ minimum: 0
+ type: integer
+ type: object
+ ipfix:
+ description: |-
+ `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type`
+ is set to `IPFIX`.
+ properties:
+ cacheActiveTimeout:
+ default: 20s
+ description: '`cacheActiveTimeout` is the max period during
+ which the reporter aggregates flows before sending.'
+ pattern: ^\d+(ns|ms|s|m)?$
+ type: string
+ cacheMaxFlows:
+ default: 400
+ description: '`cacheMaxFlows` is the max number of flows in
+ an aggregate; when reached, the reporter sends the flows.'
+ format: int32
+ minimum: 0
+ type: integer
+ clusterNetworkOperator:
+ description: '`clusterNetworkOperator` defines the settings
+ related to the OpenShift Cluster Network Operator, when
+ available.'
+ properties:
+ namespace:
+ default: openshift-network-operator
+ description: Namespace where the config map is going
+ to be deployed.
+ type: string
+ type: object
+ forceSampleAll:
+ default: false
+ description: |-
+ `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter.
+ It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability.
+ If you REALLY want to do that, set this flag to `true`. Use at your own risk.
+ When it is set to `true`, the value of `sampling` is ignored.
+ type: boolean
+ ovnKubernetes:
+ description: '`ovnKubernetes` defines the settings of the
+ OVN-Kubernetes CNI, when available. This configuration is
+ used when using OVN''s IPFIX exports, without OpenShift.
+ When using OpenShift, refer to the `clusterNetworkOperator`
+ property instead.'
+ properties:
+ containerName:
+ default: ovnkube-node
+ description: '`containerName` defines the name of the
+ container to configure for IPFIX.'
+ type: string
+ daemonSetName:
+ default: ovnkube-node
+ description: '`daemonSetName` defines the name of the
+ DaemonSet controlling the OVN-Kubernetes pods.'
+ type: string
+ namespace:
+ default: ovn-kubernetes
+ description: Namespace where OVN-Kubernetes pods are deployed.
+ type: string
+ type: object
+ sampling:
+ default: 400
+ description: |-
+ `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent.
+ To ensure cluster stability, it is not possible to set a value below 2.
+ If you really want to sample every packet, which might impact the cluster stability,
+ refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX.
+ format: int32
+ minimum: 2
+ type: integer
+ type: object
+ type:
+ default: EBPF
+ description: |-
+ `type` [deprecated (*)] selects the flows tracing agent. The only possible value is `EBPF` (default), to use NetObserv eBPF agent.
+ Previously, using an IPFIX collector was allowed, but was deprecated and it is now removed.
+ Setting `IPFIX` is ignored and still use the eBPF Agent.
+ Since there is only a single option here, this field will be remove in a future API version.
+ enum:
+ - EBPF
+ - IPFIX
+ type: string
+ type: object
+ consolePlugin:
+ description: '`consolePlugin` defines the settings related to the
+ OpenShift Console plugin, when available.'
+ properties:
+ autoscaler:
+ description: '`autoscaler` spec of a horizontal pod autoscaler
+ to set up for the plugin Deployment.'
+ properties:
+ maxReplicas:
+ default: 3
+ description: '`maxReplicas` is the upper limit for the number
+ of pods that can be set by the autoscaler; cannot be smaller
+ than MinReplicas.'
+ format: int32
+ type: integer
+ metrics:
+ description: Metrics used by the pod autoscaler. For documentation,
+ refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/
+ items:
+ properties:
+ containerResource:
+ properties:
+ container:
+ type: string
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - container
+ - name
+ - target
+ type: object
+ external:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ object:
+ properties:
+ describedObject:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - describedObject
+ - metric
+ - target
+ type: object
+ pods:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ resource:
+ properties:
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - target
+ type: object
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ minReplicas:
+ description: |-
+ `minReplicas` is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the
+ alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+ metric is configured. Scaling is active as long as at least one metric value is
+ available.
+ format: int32
+ type: integer
+ status:
+ default: DISABLED
+ description: |-
+ `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `DISABLED` does not deploy an horizontal pod autoscaler.
+ - `ENABLED` deploys an horizontal pod autoscaler.
+ enum:
+ - DISABLED
+ - ENABLED
+ type: string
+ type: object
+ enable:
+ default: true
+ description: |-
+ Enables the console plugin deployment.
+ `spec.loki.enable` must also be `true`
+ type: boolean
+ imagePullPolicy:
+ default: IfNotPresent
+ description: '`imagePullPolicy` is the Kubernetes pull policy
+ for the image defined above'
+ enum:
+ - IfNotPresent
+ - Always
+ - Never
+ type: string
+ logLevel:
+ default: info
+ description: '`logLevel` for the console plugin backend'
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ - fatal
+ - panic
+ type: string
+ port:
+ default: 9001
+ description: '`port` is the plugin service port. Do not use 9002,
+ which is reserved for metrics.'
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ portNaming:
+ default:
+ enable: true
+ description: '`portNaming` defines the configuration of the port-to-service
+ name translation'
+ properties:
+ enable:
+ default: true
+ description: Enable the console plugin port-to-service name
+ translation
+ type: boolean
+ portNames:
+ additionalProperties:
+ type: string
+ description: |-
+ `portNames` defines additional port names to use in the console,
+ for example, `portNames: {"3100": "loki"}`.
+ type: object
+ type: object
+ quickFilters:
+ default:
+ - default: true
+ filter:
+ flow_layer: app
+ name: Applications
+ - filter:
+ flow_layer: infra
+ name: Infrastructure
+ - default: true
+ filter:
+ dst_kind: Pod
+ src_kind: Pod
+ name: Pods network
+ - filter:
+ dst_kind: Service
+ name: Services network
+ description: '`quickFilters` configures quick filter presets for
+ the Console plugin'
+ items:
+ description: '`QuickFilter` defines preset configuration for
+ Console''s quick filters'
+ properties:
+ default:
+ description: '`default` defines whether this filter should
+ be active by default or not'
+ type: boolean
+ filter:
+ additionalProperties:
+ type: string
+ description: |-
+ `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string,
+ for example, `filter: {"src_namespace": "namespace1,namespace2"}`.
+ type: object
+ name:
+ description: Name of the filter, that is displayed in the
+ Console
+ type: string
+ required:
+ - filter
+ - name
+ type: object
+ type: array
+ register:
+ default: true
+ description: |-
+ `register` allows, when set to `true`, to automatically register the provided console plugin with the OpenShift Console operator.
+ When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command:
+ `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'`
+ type: boolean
+ replicas:
+ default: 1
+ description: '`replicas` defines the number of replicas (pods)
+ to start.'
+ format: int32
+ minimum: 0
+ type: integer
+ resources:
+ default:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ description: |-
+ `resources`, in terms of compute resources, required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ type: object
+ deploymentModel:
+ default: DIRECT
+ description: |-
+ `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:
+ - `DIRECT` (default) to make the flow processor listening directly from the agents.
+ - `KAFKA` to make flows sent to a Kafka pipeline before consumption by the processor.
+ Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).
+ enum:
+ - DIRECT
+ - KAFKA
+ type: string
+ exporters:
+ description: '`exporters` define additional optional exporters for
+ custom consumption or storage.'
+ items:
+ description: '`FlowCollectorExporter` defines an additional exporter
+ to send enriched flows to.'
+ properties:
+ ipfix:
+ description: IPFIX configuration, such as the IP address and
+ port to send enriched IPFIX flows to.
+ properties:
+ targetHost:
+ default: ""
+ description: Address of the IPFIX external receiver
+ type: string
+ targetPort:
+ description: Port for the IPFIX external receiver
+ type: integer
+ transport:
+ description: Transport protocol (`TCP` or `UDP`) to be used
+ for the IPFIX connection, defaults to `TCP`.
+ enum:
+ - TCP
+ - UDP
+ type: string
+ required:
+ - targetHost
+ - targetPort
+ type: object
+ kafka:
+ description: Kafka configuration, such as the address and topic,
+ to send enriched flows to.
+ properties:
+ address:
+ default: ""
+ description: Address of the Kafka server
+ type: string
+ sasl:
+ description: SASL authentication configuration. [Unsupported
+ (*)].
+ properties:
+ clientIDReference:
+ description: Reference to the secret or config map containing
+ the client ID
+ properties:
+ file:
+ description: File name within the config map or
+ secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ clientSecretReference:
+ description: Reference to the secret or config map containing
+ the client secret
+ properties:
+ file:
+ description: File name within the config map or
+ secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: DISABLED
+ description: Type of SASL authentication to use, or
+ `DISABLED` if SASL is not used
+ enum:
+ - DISABLED
+ - PLAIN
+ - SCRAM-SHA512
+ type: string
+ type: object
+ tls:
+ description: TLS client configuration. When using TLS, verify
+ that the address matches the Kafka port used for TLS,
+ generally 9093.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the
+ certificate for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the
+ certificate file name within the config map or
+ secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the
+ certificate private key file name within the config
+ map or secret. Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate
+ reference and is used for mTLS (you can ignore it
+ when using one-way TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the
+ certificate file name within the config map or
+ secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the
+ certificate private key file name within the config
+ map or secret. Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ topic:
+ default: ""
+ description: Kafka topic to use. It must exist. NetObserv
+ does not create it.
+ type: string
+ required:
+ - address
+ - topic
+ type: object
+ type:
+ description: '`type` selects the type of exporters. The available
+ options are `KAFKA` and `IPFIX`.'
+ enum:
+ - KAFKA
+ - IPFIX
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ kafka:
+ description: Kafka configuration, allowing to use Kafka as a broker
+ as part of the flow collection pipeline. Available when the `spec.deploymentModel`
+ is `KAFKA`.
+ properties:
+ address:
+ default: ""
+ description: Address of the Kafka server
+ type: string
+ sasl:
+ description: SASL authentication configuration. [Unsupported (*)].
+ properties:
+ clientIDReference:
+ description: Reference to the secret or config map containing
+ the client ID
+ properties:
+ file:
+ description: File name within the config map or secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ clientSecretReference:
+ description: Reference to the secret or config map containing
+ the client secret
+ properties:
+ file:
+ description: File name within the config map or secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: DISABLED
+ description: Type of SASL authentication to use, or `DISABLED`
+ if SASL is not used
+ enum:
+ - DISABLED
+ - PLAIN
+ - SCRAM-SHA512
+ type: string
+ type: object
+ tls:
+ description: TLS client configuration. When using TLS, verify
+ that the address matches the Kafka port used for TLS, generally
+ 9093.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate reference
+ and is used for mTLS (you can ignore it when using one-way
+ TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ topic:
+ default: ""
+ description: Kafka topic to use. It must exist. NetObserv does
+ not create it.
+ type: string
+ required:
+ - address
+ - topic
+ type: object
+ loki:
+ description: '`loki`, the flow store, client settings.'
+ properties:
+ authToken:
+ default: DISABLED
+ description: |-
+ `authToken` describes the way to get a token to authenticate to Loki.
+ - `DISABLED` does not send any token with the request.
+ - `FORWARD` forwards the user token for authorization.
+ - `HOST` [deprecated (*)] - uses the local pod service account to authenticate to Loki.
+ When using the Loki Operator, this must be set to `FORWARD`.
+ enum:
+ - DISABLED
+ - HOST
+ - FORWARD
+ type: string
+ batchSize:
+ default: 102400
+ description: '`batchSize` is the maximum batch size (in bytes)
+ of logs to accumulate before sending.'
+ format: int64
+ minimum: 1
+ type: integer
+ batchWait:
+ default: 1s
+ description: '`batchWait` is the maximum time to wait before sending
+ a batch.'
+ type: string
+ enable:
+ default: true
+ description: Set `enable` to `true` to store flows in Loki. It
+ is required for the OpenShift Console plugin installation.
+ type: boolean
+ maxBackoff:
+ default: 5s
+ description: '`maxBackoff` is the maximum backoff time for client
+ connection between retries.'
+ type: string
+ maxRetries:
+ default: 2
+ description: '`maxRetries` is the maximum number of retries for
+ client connections.'
+ format: int32
+ minimum: 0
+ type: integer
+ minBackoff:
+ default: 1s
+ description: '`minBackoff` is the initial backoff time for client
+ connection between retries.'
+ type: string
+ querierUrl:
+ description: |-
+ `querierURL` specifies the address of the Loki querier service, in case it is different from the
+ Loki ingester URL. If empty, the URL value is used (assuming that the Loki ingester
+ and querier are in the same server). When using the Loki Operator, do not set it, since
+ ingestion and queries use the Loki gateway.
+ type: string
+ readTimeout:
+ default: 30s
+ description: |-
+ `readTimeout` is the maximum loki query total time limit.
+ A timeout of zero means no timeout.
+ type: string
+ staticLabels:
+ additionalProperties:
+ type: string
+ default:
+ app: netobserv-flowcollector
+ description: '`staticLabels` is a map of common labels to set
+ on each flow.'
+ type: object
+ statusTls:
+ description: TLS client configuration for Loki status URL.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate reference
+ and is used for mTLS (you can ignore it when using one-way
+ TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ statusUrl:
+ description: |-
+ `statusURL` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the
+ Loki querier URL. If empty, the `querierURL` value is used.
+ This is useful to show error messages and some context in the frontend.
+ When using the Loki Operator, set it to the Loki HTTP query frontend service, for example
+ https://loki-query-frontend-http.netobserv.svc:3100/.
+ `statusTLS` configuration is used when `statusUrl` is set.
+ type: string
+ tenantID:
+ default: netobserv
+ description: |-
+ `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request.
+ When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode.
+ type: string
+ timeout:
+ default: 10s
+ description: |-
+ `timeout` is the maximum processor time connection / request limit.
+ A timeout of zero means no timeout.
+ type: string
+ tls:
+ description: TLS client configuration for Loki URL.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate reference
+ and is used for mTLS (you can ignore it when using one-way
+ TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ url:
+ default: http://loki:3100/
+ description: |-
+ `url` is the address of an existing Loki service to push the flows to. When using the Loki Operator,
+ set it to the Loki gateway service with the `network` tenant set in path, for example
+ https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
+ type: string
+ type: object
+ namespace:
+ default: netobserv
+ description: Namespace where NetObserv pods are deployed.
+ type: string
+ processor:
+ description: |-
+ `processor` defines the settings of the component that receives the flows from the agent,
+ enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
+ properties:
+ addZone:
+ description: |-
+ `addZone` allows availability zone awareness by labelling flows with their source and destination zones.
+ This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.
+ type: boolean
+ clusterName:
+ default: ""
+ description: '`clusterName` is the name of the cluster to appear
+ in the flows data. This is useful in a multi-cluster context.
+ When using OpenShift, leave empty to make it automatically determined.'
+ type: string
+ conversationEndTimeout:
+ default: 10s
+ description: |-
+ `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended.
+ This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead).
+ type: string
+ conversationHeartbeatInterval:
+ default: 30s
+ description: '`conversationHeartbeatInterval` is the time to wait
+ between "tick" events of a conversation'
+ type: string
+ conversationTerminatingTimeout:
+ default: 5s
+ description: '`conversationTerminatingTimeout` is the time to
+ wait from detected FIN flag to end a conversation. Only relevant
+ for TCP flows.'
+ type: string
+ debug:
+ description: |-
+ `debug` allows setting some aspects of the internal configuration of the flow processor.
+ This section is aimed exclusively for debugging and fine-grained performance optimizations,
+ such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+ properties:
+ env:
+ additionalProperties:
+ type: string
+ description: |-
+ `env` allows passing custom environment variables to underlying components. Useful for passing
+ some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+ publicly exposed as part of the FlowCollector descriptor, as they are only useful
+ in edge debug or support scenarios.
+ type: object
+ type: object
+ dropUnusedFields:
+ default: true
+ description: '`dropUnusedFields` [deprecated (*)] this setting
+ is not used anymore.'
+ type: boolean
+ enableKubeProbes:
+ default: true
+ description: '`enableKubeProbes` is a flag to enable or disable
+ Kubernetes liveness and readiness probes'
+ type: boolean
+ healthPort:
+ default: 8080
+ description: '`healthPort` is a collector HTTP port in the Pod
+ that exposes the health check API'
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ imagePullPolicy:
+ default: IfNotPresent
+ description: '`imagePullPolicy` is the Kubernetes pull policy
+ for the image defined above'
+ enum:
+ - IfNotPresent
+ - Always
+ - Never
+ type: string
+ kafkaConsumerAutoscaler:
+ description: |-
+ `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+ This setting is ignored when Kafka is disabled.
+ properties:
+ maxReplicas:
+ default: 3
+ description: '`maxReplicas` is the upper limit for the number
+ of pods that can be set by the autoscaler; cannot be smaller
+ than MinReplicas.'
+ format: int32
+ type: integer
+ metrics:
+ description: Metrics used by the pod autoscaler. For documentation,
+ refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/
+ items:
+ properties:
+ containerResource:
+ properties:
+ container:
+ type: string
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - container
+ - name
+ - target
+ type: object
+ external:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ object:
+ properties:
+ describedObject:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - describedObject
+ - metric
+ - target
+ type: object
+ pods:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ resource:
+ properties:
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - target
+ type: object
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ minReplicas:
+ description: |-
+ `minReplicas` is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the
+ alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+ metric is configured. Scaling is active as long as at least one metric value is
+ available.
+ format: int32
+ type: integer
+ status:
+ default: DISABLED
+ description: |-
+ `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `DISABLED` does not deploy an horizontal pod autoscaler.
+ - `ENABLED` deploys an horizontal pod autoscaler.
+ enum:
+ - DISABLED
+ - ENABLED
+ type: string
+ type: object
+ kafkaConsumerBatchSize:
+ default: 10485760
+ description: '`kafkaConsumerBatchSize` indicates to the broker
+ the maximum batch size, in bytes, that the consumer accepts.
+ Ignored when not using Kafka. Default: 10MB.'
+ type: integer
+ kafkaConsumerQueueCapacity:
+ default: 1000
+ description: '`kafkaConsumerQueueCapacity` defines the capacity
+ of the internal message queue used in the Kafka consumer client.
+ Ignored when not using Kafka.'
+ type: integer
+ kafkaConsumerReplicas:
+ default: 3
+ description: |-
+ `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+ This setting is ignored when Kafka is disabled.
+ format: int32
+ minimum: 0
+ type: integer
+ logLevel:
+ default: info
+ description: '`logLevel` of the processor runtime'
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ - fatal
+ - panic
+ type: string
+ logTypes:
+ default: FLOWS
+ description: |-
+ `logTypes` defines the desired record types to generate. Possible values are:
+ - `FLOWS` (default) to export regular network flows
+ - `CONVERSATIONS` to generate events for started conversations, ended conversations as well as periodic "tick" updates
+ - `ENDED_CONVERSATIONS` to generate only ended conversations events
+ - `ALL` to generate both network flows and all conversations events
+ enum:
+ - FLOWS
+ - CONVERSATIONS
+ - ENDED_CONVERSATIONS
+ - ALL
+ type: string
+ metrics:
+ description: '`Metrics` define the processor configuration regarding
+ metrics'
+ properties:
+ disableAlerts:
+ description: |-
+ `disableAlerts` is a list of alerts that should be disabled.
+ Possible values are:
+ `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ items:
+ description: |-
+ Name of a processor alert.
+ Possible values are:
+ - `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ - `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ enum:
+ - NetObservNoFlows
+ - NetObservLokiError
+ type: string
+ type: array
+ ignoreTags:
+ default:
+ - egress
+ - packets
+ - nodes-flows
+ - namespaces-flows
+ - workloads-flows
+ - namespaces
+ description: |-
+ `ignoreTags` [deprecated (*)] is a list of tags to specify which metrics to ignore. Each metric is associated with a list of tags. More details in https://github.com/netobserv/network-observability-operator/tree/main/controllers/flowlogspipeline/metrics_definitions .
+ Available tags are: `egress`, `ingress`, `flows`, `bytes`, `packets`, `namespaces`, `nodes`, `workloads`, `nodes-flows`, `namespaces-flows`, `workloads-flows`.
+ Namespace-based metrics are covered by both `workloads` and `namespaces` tags, hence it is recommended to always ignore one of them (`workloads` offering a finer granularity).
+ Deprecation notice: use `includeList` instead.
+ items:
+ type: string
+ type: array
+ includeList:
+ description: |-
+ `includeList` is a list of metric names to specify which ones to generate.
+ The names correspond to the names in Prometheus without the prefix. For example,
+ `namespace_egress_packets_total` will show up as `netobserv_namespace_egress_packets_total` in Prometheus.
+ Note that the more metrics you add, the bigger is the impact on Prometheus workload resources.
+ Metrics enabled by default are:
+ `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
+ `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+ More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
+ items:
+ description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md.
+ enum:
+ - namespace_egress_bytes_total
+ - namespace_egress_packets_total
+ - namespace_ingress_bytes_total
+ - namespace_ingress_packets_total
+ - namespace_flows_total
+ - node_egress_bytes_total
+ - node_egress_packets_total
+ - node_ingress_bytes_total
+ - node_ingress_packets_total
+ - node_flows_total
+ - workload_egress_bytes_total
+ - workload_egress_packets_total
+ - workload_ingress_bytes_total
+ - workload_ingress_packets_total
+ - workload_flows_total
+ - namespace_drop_bytes_total
+ - namespace_drop_packets_total
+ - node_drop_bytes_total
+ - node_drop_packets_total
+ - workload_drop_bytes_total
+ - workload_drop_packets_total
+ - namespace_rtt_seconds
+ - node_rtt_seconds
+ - workload_rtt_seconds
+ - namespace_dns_latency_seconds
+ - node_dns_latency_seconds
+ - workload_dns_latency_seconds
+ type: string
+ type: array
+ server:
+ description: Metrics server endpoint configuration for Prometheus
+ scraper
+ properties:
+ port:
+ description: The prometheus HTTP port
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ tls:
+ description: TLS configuration.
+ properties:
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
+ If set to `true`, the `providedCaFile` field is ignored.
+ type: boolean
+ provided:
+ description: TLS configuration when `type` is set
+ to `PROVIDED`.
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the
+ certificate file name within the config map
+ or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the
+ certificate private key file name within the
+ config map or secret. Omit when the key is not
+ necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ providedCaFile:
+ description: Reference to the CA file when `type`
+ is set to `PROVIDED`.
+ properties:
+ file:
+ description: File name within the config map or
+ secret
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: DISABLED
+ description: |-
+ Select the type of TLS configuration:
+ - `DISABLED` (default) to not configure TLS for the endpoint.
+ - `PROVIDED` to manually provide cert file and a key file. [Unsupported (*)].
+ - `AUTO` to use OpenShift auto generated certificate using annotations.
+ enum:
+ - DISABLED
+ - PROVIDED
+ - AUTO
+ type: string
+ type: object
+ type: object
+ type: object
+ multiClusterDeployment:
+ default: false
+ description: Set `multiClusterDeployment` to `true` to enable
+ multi clusters feature. This adds clusterName label to flows
+ data
+ type: boolean
+ port:
+ default: 2055
+ description: |-
+ Port of the flow collector (host port).
+ By convention, some values are forbidden. It must be greater than 1024 and different from
+ 4500, 4789 and 6081.
+ format: int32
+ maximum: 65535
+ minimum: 1025
+ type: integer
+ profilePort:
+ description: '`profilePort` allows setting up a Go pprof profiler
+ listening to this port'
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ resources:
+ default:
+ limits:
+ memory: 800Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ description: |-
+ `resources` are the compute resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ subnetLabels:
+ description: |-
+ `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.
+ When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`.
+ properties:
+ customLabels:
+ description: |-
+ `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+ If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+ items:
+ description: SubnetLabel allows to label subnets and IPs,
+ such as to identify cluster-external workloads or web
+ services.
+ properties:
+ cidrs:
+ description: List of CIDRs, such as `["1.2.3.4/32"]`.
+ items:
+ type: string
+ type: array
+ name:
+ description: Label name, used to flag matching flows.
+ type: string
+ type: object
+ type: array
+ openShiftAutoDetect:
+ description: |-
+ `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the
+ OpenShift install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect
+ external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift.
+ type: boolean
+ type: object
+ type: object
+ type: object
+ status:
+ description: '`FlowCollectorStatus` defines the observed state of FlowCollector'
+ properties:
+ conditions:
+ description: '`conditions` represent the latest available observations
+ of an object''s state'
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ namespace:
+ description: Namespace where console plugin and flowlogs-pipeline
+ have been deployed.
+ type: string
+ required:
+ - conditions
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.agent.type
+ name: Agent
+ type: string
+ - jsonPath: .spec.agent.ebpf.sampling
+ name: Sampling (EBPF)
+ type: string
+ - jsonPath: .spec.deploymentModel
+ name: Deployment Model
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ name: v1beta2
+ schema:
+ openAPIV3Schema:
+ description: '`FlowCollector` is the schema for the network flows collection
+ API, which pilots and configures the underlying deployments.'
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ Defines the desired state of the FlowCollector resource.
+
+ *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature
+ is not officially supported by Red Hat. It might have been, for example, contributed by the community
+ and accepted without a formal agreement for maintenance. The product maintainers might provide some support
+ for these features as a best effort only.
+ properties:
+ agent:
+ description: Agent configuration for flows extraction.
+ properties:
+ ebpf:
+ description: |-
+ `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type`
+ is set to `eBPF`.
+ properties:
+ advanced:
+ description: |-
+ `advanced` allows setting some aspects of the internal configuration of the eBPF agent.
+ This section is aimed mostly for debugging and fine-grained performance optimizations,
+ such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+ properties:
+ env:
+ additionalProperties:
+ type: string
+ description: |-
+ `env` allows passing custom environment variables to underlying components. Useful for passing
+ some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+ publicly exposed as part of the FlowCollector descriptor, as they are only useful
+ in edge debug or support scenarios.
+ type: object
+ scheduling:
+ description: scheduling controls whether the pod will
+ be scheduled or not.
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints.
+ For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ type: object
+ x-kubernetes-map-type: atomic
+ priorityClassName:
+ description: |-
+ If specified, indicates the pod's priority. "system-node-critical" and
+ "system-cluster-critical" are two special keywords which indicate the
+ highest priorities with the former being the highest priority. Any other
+ name must be defined by creating a PriorityClass object with that name.
+ If not specified, the pod priority will be default or zero if there is no
+ default.
+ type: string
+ tolerations:
+ description: tolerations is a list of tolerations
+ that allow the pod to schedule onto nodes with matching
+ taints.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ cacheActiveTimeout:
+ default: 5s
+ description: |-
+ `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending.
+ Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
+ however you can expect higher memory consumption and an increased latency in the flow collection.
+ pattern: ^\d+(ns|ms|s|m)?$
+ type: string
+ cacheMaxFlows:
+ default: 100000
+ description: |-
+ `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows.
+ Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
+ however you can expect higher memory consumption and an increased latency in the flow collection.
+ format: int32
+ minimum: 1
+ type: integer
+ excludeInterfaces:
+ default:
+ - lo
+ description: |-
+ `excludeInterfaces` contains the interface names that are excluded from flow tracing.
+ An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
+ Otherwise it is matched as a case-sensitive string.
+ items:
+ type: string
+ type: array
+ features:
+ description: |-
+ List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
+ - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting
+ the kernel debug filesystem, so the eBPF pod has to run as privileged.
+ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.
+ - `DNSTracking`: enable the DNS tracking feature.
+ - `FlowRTT`: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1.
+ items:
+ description: |-
+ Agent feature, can be one of:
+ - `PacketDrop`, to track packet drops.
+ - `DNSTracking`, to track specific information on DNS traffic.
+ - `FlowRTT`, to track TCP latency.
+ enum:
+ - PacketDrop
+ - DNSTracking
+ - FlowRTT
+ type: string
+ type: array
+ flowFilter:
+ description: '`flowFilter` defines the eBPF agent configuration
+ regarding flow filtering'
+ properties:
+ action:
+ description: Action defines the action to perform on the
+ flows that match the filter.
+ enum:
+ - Accept
+ - Reject
+ type: string
+ cidr:
+ description: |-
+ CIDR defines the IP CIDR to filter flows by.
+ Example: 10.10.10.0/24 or 100:100:100:100::/64
+ type: string
+ destPorts:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ DestPorts defines the destination ports to filter flows by.
+ To filter a single port, set a single port as an integer value. For example destPorts: 80.
+ To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100".
+ x-kubernetes-int-or-string: true
+ direction:
+ description: Direction defines the direction to filter
+ flows by.
+ enum:
+ - Ingress
+ - Egress
+ type: string
+ enable:
+ description: Set `enable` to `true` to enable eBPF flow
+ filtering feature.
+ type: boolean
+ icmpCode:
+ description: ICMPCode defines the ICMP code to filter
+ flows by.
+ type: integer
+ icmpType:
+ description: ICMPType defines the ICMP type to filter
+ flows by.
+ type: integer
+ peerIP:
+ description: |-
+ PeerIP defines the IP address to filter flows by.
+ Example: 10.10.10.10
+ type: string
+ ports:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Ports defines the ports to filter flows by. it can be user for either source or destination ports.
+ To filter a single port, set a single port as an integer value. For example ports: 80.
+ To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: Protocol defines the protocol to filter flows
+ by.
+ enum:
+ - TCP
+ - UDP
+ - ICMP
+ - ICMPv6
+ - SCTP
+ type: string
+ sourcePorts:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SourcePorts defines the source ports to filter flows by.
+ To filter a single port, set a single port as an integer value. For example sourcePorts: 80.
+ To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100".
+ x-kubernetes-int-or-string: true
+ type: object
+ imagePullPolicy:
+ default: IfNotPresent
+ description: '`imagePullPolicy` is the Kubernetes pull policy
+ for the image defined above'
+ enum:
+ - IfNotPresent
+ - Always
+ - Never
+ type: string
+ interfaces:
+ description: |-
+ `interfaces` contains the interface names from where flows are collected. If empty, the agent
+ fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces.
+ An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
+ Otherwise it is matched as a case-sensitive string.
+ items:
+ type: string
+ type: array
+ kafkaBatchSize:
+ default: 1048576
+ description: '`kafkaBatchSize` limits the maximum size of
+ a request in bytes before being sent to a partition. Ignored
+ when not using Kafka. Default: 1MB.'
+ type: integer
+ logLevel:
+ default: info
+ description: '`logLevel` defines the log level for the NetObserv
+ eBPF Agent'
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ - fatal
+ - panic
+ type: string
+ metrics:
+ description: '`metrics` defines the eBPF agent configuration
+ regarding metrics'
+ properties:
+ disableAlerts:
+ description: |-
+ `disableAlerts` is a list of alerts that should be disabled.
+ Possible values are:
+ `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ items:
+ description: |-
+ Name of a ebpf agent alert.
+ Possible values are:
+ - `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ enum:
+ - NetObservDroppedFlows
+ type: string
+ type: array
+ enable:
+ description: Set `enable` to `true` to enable eBPF agent
+ metrics collection.
+ type: boolean
+ server:
+ description: Metrics server endpoint configuration for
+ Prometheus scraper
+ properties:
+ port:
+ description: The prometheus HTTP port
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ tls:
+ description: TLS configuration.
+ properties:
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
+ If set to `true`, the `providedCaFile` field is ignored.
+ type: boolean
+ provided:
+ description: TLS configuration when `type` is
+ set to `Provided`.
+ properties:
+ certFile:
+ description: '`certFile` defines the path
+ to the certificate file name within the
+ config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to
+ the certificate private key file name within
+ the config map or secret. Omit when the
+ key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ providedCaFile:
+ description: Reference to the CA file when `type`
+ is set to `Provided`.
+ properties:
+ file:
+ description: File name within the config map
+ or secret
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference:
+ "configmap" or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: Disabled
+ description: |-
+ Select the type of TLS configuration:
+ - `Disabled` (default) to not configure TLS for the endpoint.
+ - `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+ - `Auto` to use OpenShift auto generated certificate using annotations.
+ enum:
+ - Disabled
+ - Provided
+ - Auto
+ type: string
+ type: object
+ type: object
+ type: object
+ privileged:
+ description: |-
+ Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets
+ granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container.
+ If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF
+ is in use, then you can turn on this mode for more global privileges.
+ Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support.
+ type: boolean
+ resources:
+ default:
+ limits:
+ memory: 800Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ description: |-
+ `resources` are the compute resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ sampling:
+ default: 50
+ description: Sampling rate of the flow reporter. 100 means
+ one flow on 100 is sent. 0 or 1 means all flows are sampled.
+ format: int32
+ minimum: 0
+ type: integer
+ type: object
+ ipfix:
+ description: |-
+ `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type`
+ is set to `IPFIX`.
+ properties:
+ cacheActiveTimeout:
+ default: 20s
+ description: '`cacheActiveTimeout` is the max period during
+ which the reporter aggregates flows before sending.'
+ pattern: ^\d+(ns|ms|s|m)?$
+ type: string
+ cacheMaxFlows:
+ default: 400
+ description: '`cacheMaxFlows` is the max number of flows in
+ an aggregate; when reached, the reporter sends the flows.'
+ format: int32
+ minimum: 0
+ type: integer
+ clusterNetworkOperator:
+ description: '`clusterNetworkOperator` defines the settings
+ related to the OpenShift Cluster Network Operator, when
+ available.'
+ properties:
+ namespace:
+ default: openshift-network-operator
+ description: Namespace where the config map is going
+ to be deployed.
+ type: string
+ type: object
+ forceSampleAll:
+ default: false
+ description: |-
+ `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter.
+ It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability.
+ If you REALLY want to do that, set this flag to `true`. Use at your own risk.
+ When it is set to `true`, the value of `sampling` is ignored.
+ type: boolean
+ ovnKubernetes:
+ description: '`ovnKubernetes` defines the settings of the
+ OVN-Kubernetes CNI, when available. This configuration is
+ used when using OVN''s IPFIX exports, without OpenShift.
+ When using OpenShift, refer to the `clusterNetworkOperator`
+ property instead.'
+ properties:
+ containerName:
+ default: ovnkube-node
+ description: '`containerName` defines the name of the
+ container to configure for IPFIX.'
+ type: string
+ daemonSetName:
+ default: ovnkube-node
+ description: '`daemonSetName` defines the name of the
+ DaemonSet controlling the OVN-Kubernetes pods.'
+ type: string
+ namespace:
+ default: ovn-kubernetes
+ description: Namespace where OVN-Kubernetes pods are deployed.
+ type: string
+ type: object
+ sampling:
+ default: 400
+ description: |-
+ `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent.
+ To ensure cluster stability, it is not possible to set a value below 2.
+ If you really want to sample every packet, which might impact the cluster stability,
+ refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX.
+ format: int32
+ minimum: 2
+ type: integer
+ type: object
+ type:
+ default: eBPF
+ description: |-
+ `type` [deprecated (*)] selects the flows tracing agent. The only possible value is `eBPF` (default), to use NetObserv eBPF agent.
+ Previously, using an IPFIX collector was allowed, but was deprecated and it is now removed.
+ Setting `IPFIX` is ignored and still use the eBPF Agent.
+ Since there is only a single option here, this field will be remove in a future API version.
+ enum:
+ - eBPF
+ - IPFIX
+ type: string
+ type: object
+ consolePlugin:
+ description: '`consolePlugin` defines the settings related to the
+ OpenShift Console plugin, when available.'
+ properties:
+ advanced:
+ description: |-
+ `advanced` allows setting some aspects of the internal configuration of the console plugin.
+ This section is aimed mostly for debugging and fine-grained performance optimizations,
+ such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+ properties:
+ args:
+ description: |-
+ `args` allows passing custom arguments to underlying components. Useful for overriding
+ some parameters, such as an url or a configuration path, that should not be
+ publicly exposed as part of the FlowCollector descriptor, as they are only useful
+ in edge debug or support scenarios.
+ items:
+ type: string
+ type: array
+ env:
+ additionalProperties:
+ type: string
+ description: |-
+ `env` allows passing custom environment variables to underlying components. Useful for passing
+ some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+ publicly exposed as part of the FlowCollector descriptor, as they are only useful
+ in edge debug or support scenarios.
+ type: object
+ port:
+ default: 9001
+ description: '`port` is the plugin service port. Do not use
+ 9002, which is reserved for metrics.'
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ register:
+ default: true
+ description: |-
+ `register` allows, when set to `true`, to automatically register the provided console plugin with the OpenShift Console operator.
+ When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command:
+ `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'`
+ type: boolean
+ scheduling:
+ description: scheduling controls whether the pod will be scheduled
+ or not.
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints.
+ For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling rules
+ for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching
+ the corresponding nodeSelectorTerm, in
+ the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector
+ terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling rules
+ (e.g. co-locate this pod in the same node, zone,
+ etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added per-node
+ to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term,
+ associated with the corresponding weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added per-node
+ to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term,
+ associated with the corresponding weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ type: object
+ x-kubernetes-map-type: atomic
+ priorityClassName:
+ description: |-
+ If specified, indicates the pod's priority. "system-node-critical" and
+ "system-cluster-critical" are two special keywords which indicate the
+ highest priorities with the former being the highest priority. Any other
+ name must be defined by creating a PriorityClass object with that name.
+ If not specified, the pod priority will be default or zero if there is no
+ default.
+ type: string
+ tolerations:
+ description: tolerations is a list of tolerations that
+ allow the pod to schedule onto nodes with matching taints.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ autoscaler:
+ description: '`autoscaler` spec of a horizontal pod autoscaler
+ to set up for the plugin Deployment.'
+ properties:
+ maxReplicas:
+ default: 3
+ description: '`maxReplicas` is the upper limit for the number
+ of pods that can be set by the autoscaler; cannot be smaller
+ than MinReplicas.'
+ format: int32
+ type: integer
+ metrics:
+ description: Metrics used by the pod autoscaler. For documentation,
+ refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/
+ items:
+ properties:
+ containerResource:
+ properties:
+ container:
+ type: string
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - container
+ - name
+ - target
+ type: object
+ external:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ object:
+ properties:
+ describedObject:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - describedObject
+ - metric
+ - target
+ type: object
+ pods:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ resource:
+ properties:
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - target
+ type: object
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ minReplicas:
+ description: |-
+ `minReplicas` is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the
+ alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+ metric is configured. Scaling is active as long as at least one metric value is
+ available.
+ format: int32
+ type: integer
+ status:
+ default: Disabled
+ description: |-
+ `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `Disabled` does not deploy an horizontal pod autoscaler.
+ - `Enabled` deploys an horizontal pod autoscaler.
+ enum:
+ - Disabled
+ - Enabled
+ type: string
+ type: object
+ enable:
+ default: true
+ description: |-
+ Enables the console plugin deployment.
+ `spec.loki.enable` must also be `true`
+ type: boolean
+ imagePullPolicy:
+ default: IfNotPresent
+ description: '`imagePullPolicy` is the Kubernetes pull policy
+ for the image defined above'
+ enum:
+ - IfNotPresent
+ - Always
+ - Never
+ type: string
+ logLevel:
+ default: info
+ description: '`logLevel` for the console plugin backend'
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ - fatal
+ - panic
+ type: string
+ portNaming:
+ default:
+ enable: true
+ description: '`portNaming` defines the configuration of the port-to-service
+ name translation'
+ properties:
+ enable:
+ default: true
+ description: Enable the console plugin port-to-service name
+ translation
+ type: boolean
+ portNames:
+ additionalProperties:
+ type: string
+ description: |-
+ `portNames` defines additional port names to use in the console,
+ for example, `portNames: {"3100": "loki"}`.
+ type: object
+ type: object
+ quickFilters:
+ default:
+ - default: true
+ filter:
+ flow_layer: app
+ name: Applications
+ - filter:
+ flow_layer: infra
+ name: Infrastructure
+ - default: true
+ filter:
+ dst_kind: Pod
+ src_kind: Pod
+ name: Pods network
+ - filter:
+ dst_kind: Service
+ name: Services network
+ description: '`quickFilters` configures quick filter presets for
+ the Console plugin'
+ items:
+ description: '`QuickFilter` defines preset configuration for
+ Console''s quick filters'
+ properties:
+ default:
+ description: '`default` defines whether this filter should
+ be active by default or not'
+ type: boolean
+ filter:
+ additionalProperties:
+ type: string
+ description: |-
+ `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string,
+ for example, `filter: {"src_namespace": "namespace1,namespace2"}`.
+ type: object
+ name:
+ description: Name of the filter, that is displayed in the
+ Console
+ type: string
+ required:
+ - filter
+ - name
+ type: object
+ type: array
+ replicas:
+ default: 1
+ description: '`replicas` defines the number of replicas (pods)
+ to start.'
+ format: int32
+ minimum: 0
+ type: integer
+ resources:
+ default:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ description: |-
+ `resources`, in terms of compute resources, required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ type: object
+ deploymentModel:
+ default: Direct
+ description: |-
+ `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:
+ - `Direct` (default) to make the flow processor listening directly from the agents.
+ - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.
+ Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).
+ enum:
+ - Direct
+ - Kafka
+ type: string
+ exporters:
+ description: '`exporters` define additional optional exporters for
+ custom consumption or storage.'
+ items:
+ description: '`FlowCollectorExporter` defines an additional exporter
+ to send enriched flows to.'
+ properties:
+ ipfix:
+ description: IPFIX configuration, such as the IP address and
+ port to send enriched IPFIX flows to.
+ properties:
+ targetHost:
+ default: ""
+ description: Address of the IPFIX external receiver
+ type: string
+ targetPort:
+ description: Port for the IPFIX external receiver
+ type: integer
+ transport:
+ description: Transport protocol (`TCP` or `UDP`) to be used
+ for the IPFIX connection, defaults to `TCP`.
+ enum:
+ - TCP
+ - UDP
+ type: string
+ required:
+ - targetHost
+ - targetPort
+ type: object
+ kafka:
+ description: Kafka configuration, such as the address and topic,
+ to send enriched flows to.
+ properties:
+ address:
+ default: ""
+ description: Address of the Kafka server
+ type: string
+ sasl:
+ description: SASL authentication configuration. [Unsupported
+ (*)].
+ properties:
+ clientIDReference:
+ description: Reference to the secret or config map containing
+ the client ID
+ properties:
+ file:
+ description: File name within the config map or
+ secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ clientSecretReference:
+ description: Reference to the secret or config map containing
+ the client secret
+ properties:
+ file:
+ description: File name within the config map or
+ secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: Disabled
+ description: Type of SASL authentication to use, or
+ `Disabled` if SASL is not used
+ enum:
+ - Disabled
+ - Plain
+ - ScramSHA512
+ type: string
+ type: object
+ tls:
+ description: TLS client configuration. When using TLS, verify
+ that the address matches the Kafka port used for TLS,
+ generally 9093.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the
+ certificate for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the
+ certificate file name within the config map or
+ secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the
+ certificate private key file name within the config
+ map or secret. Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate
+ reference and is used for mTLS (you can ignore it
+ when using one-way TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the
+ certificate file name within the config map or
+ secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the
+ certificate private key file name within the config
+ map or secret. Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ topic:
+ default: ""
+ description: Kafka topic to use. It must exist. NetObserv
+ does not create it.
+ type: string
+ required:
+ - address
+ - topic
+ type: object
+ type:
+ description: '`type` selects the type of exporters. The available
+ options are `Kafka` and `IPFIX`.'
+ enum:
+ - Kafka
+ - IPFIX
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ kafka:
+ description: Kafka configuration, allowing to use Kafka as a broker
+ as part of the flow collection pipeline. Available when the `spec.deploymentModel`
+ is `Kafka`.
+ properties:
+ address:
+ default: ""
+ description: Address of the Kafka server
+ type: string
+ sasl:
+ description: SASL authentication configuration. [Unsupported (*)].
+ properties:
+ clientIDReference:
+ description: Reference to the secret or config map containing
+ the client ID
+ properties:
+ file:
+ description: File name within the config map or secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ clientSecretReference:
+ description: Reference to the secret or config map containing
+ the client secret
+ properties:
+ file:
+ description: File name within the config map or secret
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: Disabled
+ description: Type of SASL authentication to use, or `Disabled`
+ if SASL is not used
+ enum:
+ - Disabled
+ - Plain
+ - ScramSHA512
+ type: string
+ type: object
+ tls:
+ description: TLS client configuration. When using TLS, verify
+ that the address matches the Kafka port used for TLS, generally
+ 9093.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate reference
+ and is used for mTLS (you can ignore it when using one-way
+ TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference: `configmap`
+ or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ topic:
+ default: ""
+ description: Kafka topic to use. It must exist. NetObserv does
+ not create it.
+ type: string
+ required:
+ - address
+ - topic
+ type: object
+ loki:
+ description: '`loki`, the flow store, client settings.'
+ properties:
+ advanced:
+ description: |-
+ `advanced` allows setting some aspects of the internal configuration of the Loki clients.
+ This section is aimed mostly for debugging and fine-grained performance optimizations.
+ properties:
+ staticLabels:
+ additionalProperties:
+ type: string
+ default:
+ app: netobserv-flowcollector
+ description: '`staticLabels` is a map of common labels to
+ set on each flow in Loki storage.'
+ type: object
+ writeMaxBackoff:
+ default: 5s
+ description: '`writeMaxBackoff` is the maximum backoff time
+ for Loki client connection between retries.'
+ type: string
+ writeMaxRetries:
+ default: 2
+ description: '`writeMaxRetries` is the maximum number of retries
+ for Loki client connections.'
+ format: int32
+ minimum: 0
+ type: integer
+ writeMinBackoff:
+ default: 1s
+ description: '`writeMinBackoff` is the initial backoff time
+ for Loki client connection between retries.'
+ type: string
+ type: object
+ enable:
+ default: true
+ description: Set `enable` to `true` to store flows in Loki. It
+ is required for the OpenShift Console plugin installation.
+ type: boolean
+ lokiStack:
+ description: |-
+ Loki configuration for `LokiStack` mode. This is useful for an easy loki-operator configuration.
+ It is ignored for other modes.
+ properties:
+ name:
+ default: loki
+ description: Name of an existing LokiStack resource to use.
+ type: string
+ namespace:
+ description: Namespace where this `LokiStack` resource is
+ located. If omitted, it is assumed to be the same as `spec.namespace`.
+ type: string
+ type: object
+ manual:
+ description: |-
+ Loki configuration for `Manual` mode. This is the most flexible configuration.
+ It is ignored for other modes.
+ properties:
+ authToken:
+ default: Disabled
+ description: |-
+ `authToken` describes the way to get a token to authenticate to Loki.
+ - `Disabled` does not send any token with the request.
+ - `Forward` forwards the user token for authorization.
+ - `Host` [deprecated (*)] - uses the local pod service account to authenticate to Loki.
+ When using the Loki Operator, this must be set to `Forward`.
+ enum:
+ - Disabled
+ - Host
+ - Forward
+ type: string
+ ingesterUrl:
+ default: http://loki:3100/
+ description: |-
+ `ingesterUrl` is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator,
+ set it to the Loki gateway service with the `network` tenant set in path, for example
+ https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
+ type: string
+ querierUrl:
+ default: http://loki:3100/
+ description: |-
+ `querierUrl` specifies the address of the Loki querier service.
+ When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example
+ https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
+ type: string
+ statusTls:
+ description: TLS client configuration for Loki status URL.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate
+ reference and is used for mTLS (you can ignore it when
+ using one-way TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ statusUrl:
+ description: |-
+ `statusUrl` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the
+ Loki querier URL. If empty, the `querierUrl` value is used.
+ This is useful to show error messages and some context in the frontend.
+ When using the Loki Operator, set it to the Loki HTTP query frontend service, for example
+ https://loki-query-frontend-http.netobserv.svc:3100/.
+ `statusTLS` configuration is used when `statusUrl` is set.
+ type: string
+ tenantID:
+ default: netobserv
+ description: |-
+ `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request.
+ When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode.
+ type: string
+ tls:
+ description: TLS client configuration for Loki URL.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate
+ reference and is used for mTLS (you can ignore it when
+ using one-way TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ type: object
+ microservices:
+ description: |-
+ Loki configuration for `Microservices` mode.
+ Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode).
+ It is ignored for other modes.
+ properties:
+ ingesterUrl:
+ default: http://loki-distributor:3100/
+ description: '`ingesterUrl` is the address of an existing
+ Loki ingester service to push the flows to.'
+ type: string
+ querierUrl:
+ default: http://loki-query-frontend:3100/
+ description: '`querierURL` specifies the address of the Loki
+ querier service.'
+ type: string
+ tenantID:
+ default: netobserv
+ description: '`tenantID` is the Loki `X-Scope-OrgID` header
+ that identifies the tenant for each request.'
+ type: string
+ tls:
+ description: TLS client configuration for Loki URL.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate
+ reference and is used for mTLS (you can ignore it when
+ using one-way TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ type: object
+ mode:
+ default: Monolithic
+ description: |-
+ `mode` must be set according to the installation mode of Loki:
+ - Use `LokiStack` when Loki is managed using the Loki Operator
+ - Use `Monolithic` when Loki is installed as a monolithic workload
+ - Use `Microservices` when Loki is installed as microservices, but without Loki Operator
+ - Use `Manual` if none of the options above match your setup
+ enum:
+ - Manual
+ - LokiStack
+ - Monolithic
+ - Microservices
+ type: string
+ monolithic:
+ description: |-
+ Loki configuration for `Monolithic` mode.
+ Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode).
+ It is ignored for other modes.
+ properties:
+ tenantID:
+ default: netobserv
+ description: '`tenantID` is the Loki `X-Scope-OrgID` header
+ that identifies the tenant for each request.'
+ type: string
+ tls:
+ description: TLS client configuration for Loki URL.
+ properties:
+ caCert:
+ description: '`caCert` defines the reference of the certificate
+ for the Certificate Authority'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ enable:
+ default: false
+ description: Enable TLS
+ type: boolean
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+ If set to `true`, the `caCert` field is ignored.
+ type: boolean
+ userCert:
+ description: '`userCert` defines the user certificate
+ reference and is used for mTLS (you can ignore it when
+ using one-way TLS)'
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the certificate
+ file name within the config map or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the certificate
+ private key file name within the config map or secret.
+ Omit when the key is not necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret containing
+ certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type: object
+ url:
+ default: http://loki:3100/
+ description: '`url` is the unique address of an existing Loki
+ service that points to both the ingester and the querier.'
+ type: string
+ type: object
+ readTimeout:
+ default: 30s
+ description: |-
+ `readTimeout` is the maximum console plugin loki query total time limit.
+ A timeout of zero means no timeout.
+ type: string
+ writeBatchSize:
+ default: 102400
+ description: '`writeBatchSize` is the maximum batch size (in bytes)
+ of Loki logs to accumulate before sending.'
+ format: int64
+ minimum: 1
+ type: integer
+ writeBatchWait:
+ default: 1s
+ description: '`writeBatchWait` is the maximum time to wait before
+ sending a Loki batch.'
+ type: string
+ writeTimeout:
+ default: 10s
+ description: |-
+ `writeTimeout` is the maximum Loki time connection / request limit.
+ A timeout of zero means no timeout.
+ type: string
+ type: object
+ namespace:
+ default: netobserv
+ description: Namespace where NetObserv pods are deployed.
+ type: string
+ processor:
+ description: |-
+ `processor` defines the settings of the component that receives the flows from the agent,
+ enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
+ properties:
+ addZone:
+ description: |-
+ `addZone` allows availability zone awareness by labelling flows with their source and destination zones.
+ This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.
+ type: boolean
+ advanced:
+ description: |-
+ `advanced` allows setting some aspects of the internal configuration of the flow processor.
+ This section is aimed mostly for debugging and fine-grained performance optimizations,
+ such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+ properties:
+ conversationEndTimeout:
+ default: 10s
+ description: |-
+ `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended.
+ This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead).
+ type: string
+ conversationHeartbeatInterval:
+ default: 30s
+ description: '`conversationHeartbeatInterval` is the time
+ to wait between "tick" events of a conversation'
+ type: string
+ conversationTerminatingTimeout:
+ default: 5s
+ description: '`conversationTerminatingTimeout` is the time
+ to wait from detected FIN flag to end a conversation. Only
+ relevant for TCP flows.'
+ type: string
+ dropUnusedFields:
+ default: true
+ description: '`dropUnusedFields` [deprecated (*)] this setting
+ is not used anymore.'
+ type: boolean
+ enableKubeProbes:
+ default: true
+ description: '`enableKubeProbes` is a flag to enable or disable
+ Kubernetes liveness and readiness probes'
+ type: boolean
+ env:
+ additionalProperties:
+ type: string
+ description: |-
+ `env` allows passing custom environment variables to underlying components. Useful for passing
+ some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+ publicly exposed as part of the FlowCollector descriptor, as they are only useful
+ in edge debug or support scenarios.
+ type: object
+ healthPort:
+ default: 8080
+ description: '`healthPort` is a collector HTTP port in the
+ Pod that exposes the health check API'
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ port:
+ default: 2055
+ description: |-
+ Port of the flow collector (host port).
+ By convention, some values are forbidden. It must be greater than 1024 and different from
+ 4500, 4789 and 6081.
+ format: int32
+ maximum: 65535
+ minimum: 1025
+ type: integer
+ profilePort:
+ default: 6060
+ description: '`profilePort` allows setting up a Go pprof profiler
+ listening to this port'
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ scheduling:
+ description: scheduling controls whether the pod will be scheduled
+ or not.
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints.
+ For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling rules
+ for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching
+ the corresponding nodeSelectorTerm, in
+ the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector
+ terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling rules
+ (e.g. co-locate this pod in the same node, zone,
+ etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added per-node
+ to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term,
+ associated with the corresponding weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added per-node
+ to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term,
+ associated with the corresponding weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ type: object
+ x-kubernetes-map-type: atomic
+ priorityClassName:
+ description: |-
+ If specified, indicates the pod's priority. "system-node-critical" and
+ "system-cluster-critical" are two special keywords which indicate the
+ highest priorities with the former being the highest priority. Any other
+ name must be defined by creating a PriorityClass object with that name.
+ If not specified, the pod priority will be default or zero if there is no
+ default.
+ type: string
+ tolerations:
+ description: tolerations is a list of tolerations that
+ allow the pod to schedule onto nodes with matching taints.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ clusterName:
+ default: ""
+ description: '`clusterName` is the name of the cluster to appear
+ in the flows data. This is useful in a multi-cluster context.
+ When using OpenShift, leave empty to make it automatically determined.'
+ type: string
+ imagePullPolicy:
+ default: IfNotPresent
+ description: '`imagePullPolicy` is the Kubernetes pull policy
+ for the image defined above'
+ enum:
+ - IfNotPresent
+ - Always
+ - Never
+ type: string
+ kafkaConsumerAutoscaler:
+ description: |-
+ `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+ This setting is ignored when Kafka is disabled.
+ properties:
+ maxReplicas:
+ default: 3
+ description: '`maxReplicas` is the upper limit for the number
+ of pods that can be set by the autoscaler; cannot be smaller
+ than MinReplicas.'
+ format: int32
+ type: integer
+ metrics:
+ description: Metrics used by the pod autoscaler. For documentation,
+ refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/
+ items:
+ properties:
+ containerResource:
+ properties:
+ container:
+ type: string
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - container
+ - name
+ - target
+ type: object
+ external:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ object:
+ properties:
+ describedObject:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - describedObject
+ - metric
+ - target
+ type: object
+ pods:
+ properties:
+ metric:
+ properties:
+ name:
+ type: string
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ resource:
+ properties:
+ name:
+ type: string
+ target:
+ properties:
+ averageUtilization:
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - target
+ type: object
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ minReplicas:
+ description: |-
+ `minReplicas` is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the
+ alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+ metric is configured. Scaling is active as long as at least one metric value is
+ available.
+ format: int32
+ type: integer
+ status:
+ default: Disabled
+ description: |-
+ `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `Disabled` does not deploy an horizontal pod autoscaler.
+ - `Enabled` deploys an horizontal pod autoscaler.
+ enum:
+ - Disabled
+ - Enabled
+ type: string
+ type: object
+ kafkaConsumerBatchSize:
+ default: 10485760
+ description: '`kafkaConsumerBatchSize` indicates to the broker
+ the maximum batch size, in bytes, that the consumer accepts.
+ Ignored when not using Kafka. Default: 10MB.'
+ type: integer
+ kafkaConsumerQueueCapacity:
+ default: 1000
+ description: '`kafkaConsumerQueueCapacity` defines the capacity
+ of the internal message queue used in the Kafka consumer client.
+ Ignored when not using Kafka.'
+ type: integer
+ kafkaConsumerReplicas:
+ default: 3
+ description: |-
+ `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+ This setting is ignored when Kafka is disabled.
+ format: int32
+ minimum: 0
+ type: integer
+ logLevel:
+ default: info
+ description: '`logLevel` of the processor runtime'
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ - fatal
+ - panic
+ type: string
+ logTypes:
+ default: Flows
+ description: |-
+ `logTypes` defines the desired record types to generate. Possible values are:
+ - `Flows` (default) to export regular network flows
+ - `Conversations` to generate events for started conversations, ended conversations as well as periodic "tick" updates
+ - `EndedConversations` to generate only ended conversations events
+ - `All` to generate both network flows and all conversations events
+ enum:
+ - Flows
+ - Conversations
+ - EndedConversations
+ - All
+ type: string
+ metrics:
+ description: '`Metrics` define the processor configuration regarding
+ metrics'
+ properties:
+ disableAlerts:
+ description: |-
+ `disableAlerts` is a list of alerts that should be disabled.
+ Possible values are:
+ `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ items:
+ description: |-
+ Name of a processor alert.
+ Possible values are:
+ - `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ - `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ enum:
+ - NetObservNoFlows
+ - NetObservLokiError
+ type: string
+ type: array
+ includeList:
+ description: |-
+ `includeList` is a list of metric names to specify which ones to generate.
+ The names correspond to the names in Prometheus without the prefix. For example,
+ `namespace_egress_packets_total` shows up as `netobserv_namespace_egress_packets_total` in Prometheus.
+ Note that the more metrics you add, the bigger is the impact on Prometheus workload resources.
+ Metrics enabled by default are:
+ `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
+ `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+ More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
+ items:
+ description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md.
+ enum:
+ - namespace_egress_bytes_total
+ - namespace_egress_packets_total
+ - namespace_ingress_bytes_total
+ - namespace_ingress_packets_total
+ - namespace_flows_total
+ - node_egress_bytes_total
+ - node_egress_packets_total
+ - node_ingress_bytes_total
+ - node_ingress_packets_total
+ - node_flows_total
+ - workload_egress_bytes_total
+ - workload_egress_packets_total
+ - workload_ingress_bytes_total
+ - workload_ingress_packets_total
+ - workload_flows_total
+ - namespace_drop_bytes_total
+ - namespace_drop_packets_total
+ - node_drop_bytes_total
+ - node_drop_packets_total
+ - workload_drop_bytes_total
+ - workload_drop_packets_total
+ - namespace_rtt_seconds
+ - node_rtt_seconds
+ - workload_rtt_seconds
+ - namespace_dns_latency_seconds
+ - node_dns_latency_seconds
+ - workload_dns_latency_seconds
+ type: string
+ type: array
+ server:
+ description: Metrics server endpoint configuration for Prometheus
+ scraper
+ properties:
+ port:
+ description: The prometheus HTTP port
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ tls:
+ description: TLS configuration.
+ properties:
+ insecureSkipVerify:
+ default: false
+ description: |-
+ `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
+ If set to `true`, the `providedCaFile` field is ignored.
+ type: boolean
+ provided:
+ description: TLS configuration when `type` is set
+ to `Provided`.
+ properties:
+ certFile:
+ description: '`certFile` defines the path to the
+ certificate file name within the config map
+ or secret'
+ type: string
+ certKey:
+ description: '`certKey` defines the path to the
+ certificate private key file name within the
+ config map or secret. Omit when the key is not
+ necessary.'
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing certificates
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the certificate reference:
+ `configmap` or `secret`'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ providedCaFile:
+ description: Reference to the CA file when `type`
+ is set to `Provided`.
+ properties:
+ file:
+ description: File name within the config map or
+ secret
+ type: string
+ name:
+ description: Name of the config map or secret
+ containing the file
+ type: string
+ namespace:
+ default: ""
+ description: |-
+ Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+ type: string
+ type:
+ description: 'Type for the file reference: "configmap"
+ or "secret"'
+ enum:
+ - configmap
+ - secret
+ type: string
+ type: object
+ type:
+ default: Disabled
+ description: |-
+ Select the type of TLS configuration:
+ - `Disabled` (default) to not configure TLS for the endpoint.
+ - `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+ - `Auto` to use OpenShift auto generated certificate using annotations.
+ enum:
+ - Disabled
+ - Provided
+ - Auto
+ type: string
+ type: object
+ type: object
+ type: object
+ multiClusterDeployment:
+ default: false
+ description: Set `multiClusterDeployment` to `true` to enable
+ multi clusters feature. This adds `clusterName` label to flows
+ data
+ type: boolean
+ resources:
+ default:
+ limits:
+ memory: 800Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ description: |-
+ `resources` are the compute resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ subnetLabels:
+ description: |-
+ `SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.
+ When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`.
+ properties:
+ customLabels:
+ description: |-
+ `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+ If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+ items:
+ description: SubnetLabel allows to label subnets and IPs,
+ such as to identify cluster-external workloads or web
+ services.
+ properties:
+ cidrs:
+ description: List of CIDRs, such as `["1.2.3.4/32"]`.
+ items:
+ type: string
+ type: array
+ name:
+ description: Label name, used to flag matching flows.
+ type: string
+ type: object
+ type: array
+ openShiftAutoDetect:
+ description: |-
+ `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the
+ OpenShift install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect
+ external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift.
+ type: boolean
+ type: object
+ type: object
+ type: object
+ status:
+ description: '`FlowCollectorStatus` defines the observed state of FlowCollector'
+ properties:
+ conditions:
+ description: '`conditions` represent the latest available observations
+ of an object''s state'
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ namespace:
+ description: |-
+ Namespace where console plugin and flowlogs-pipeline have been deployed.
+ Deprecated: annotations are used instead
+ type: string
+ required:
+ - conditions
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.14.0
+ service.beta.openshift.io/inject-cabundle: "true"
+ name: flowmetrics.flows.netobserv.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ name: netobserv-webhook-service
+ namespace: netobserv
+ path: /convert
+ conversionReviewVersions:
+ - v1
+ group: flows.netobserv.io
+ names:
+ kind: FlowMetric
+ listKind: FlowMetricList
+ plural: flowmetrics
+ singular: flowmetric
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: FlowMetric is the Schema for the flowmetrics API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ FlowMetricSpec defines the desired state of FlowMetric
+ The provided API allows you to customize these metrics according to your needs.
+ When adding new metrics or modifying existing labels, you must carefully monitor the memory
+ usage of Prometheus workloads as this could potentially have a high impact. Cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric
+ To check the cardinality of all NetObserv metrics, run as `promql`: `count({__name__=~"netobserv.*"}) by (__name__)`.
+ properties:
+ buckets:
+ description: A list of buckets to use when `type` is "Histogram".
+ The list must be parseable as floats. When not set, Prometheus default
+ buckets are used.
+ items:
+ type: string
+ type: array
+ charts:
+ description: Charts configuration, for the OpenShift Console in the
+ administrator view, Dashboards menu.
+ items:
+ description: Configures charts / dashboard generation associated
+ to a metric
+ properties:
+ dashboardName:
+ default: Main
+ description: Name of the containing dashboard. If this name
+ does not refer to an existing dashboard, a new dashboard is
+ created.
+ type: string
+ queries:
+ description: |-
+ List of queries to be displayed on this chart. If `type` is `SingleStat` and multiple queries are provided,
+ this chart is automatically expanded in several panels (one per query).
+ items:
+ description: Configures PromQL queries
+ properties:
+ legend:
+ description: |-
+ The query legend that applies to each timeseries represented in this chart. When multiple timeseries are displayed, you should set a legend
+ that distinguishes each of them. It can be done with the following format: `{{ Label }}`. For example, if the `promQL` groups timeseries per
+ label such as: `sum(rate($METRIC[2m])) by (Label1, Label2)`, you may write as the legend: `Label1={{ Label1 }}, Label2={{ Label2 }}`.
+ type: string
+ promQL:
+ description: |-
+ The `promQL` query to be run against Prometheus. If the chart `type` is `SingleStat`, this query should only return
+ a single timeseries. For other types, a top 7 is displayed.
+ You can use `$METRIC` to refer to the metric defined in this resource. For example: `sum(rate($METRIC[2m]))`.
+ To learn more about `promQL`, refer to the Prometheus documentation: https://prometheus.io/docs/prometheus/latest/querying/basics/
+ type: string
+ top:
+ default: 7
+ description: Top N series to display per timestamp. Does
+ not apply to `SingleStat` chart type.
+ minimum: 1
+ type: integer
+ required:
+ - legend
+ - promQL
+ - top
+ type: object
+ type: array
+ sectionName:
+ description: |-
+ Name of the containing dashboard section. If this name does not refer to an existing section, a new section is created.
+ If `sectionName` is omitted or empty, the chart is placed in the global top section.
+ type: string
+ title:
+ description: Title of the chart.
+ type: string
+ type:
+ description: Type of the chart.
+ enum:
+ - SingleStat
+ - Line
+ - StackArea
+ type: string
+ unit:
+ description: Unit of this chart. Only a few units are currently
+ supported. Leave empty to use generic number.
+ enum:
+ - bytes
+ - seconds
+ - Bps
+ - pps
+ - percent
+ type: string
+ required:
+ - dashboardName
+ - queries
+ - title
+ - type
+ type: object
+ type: array
+ direction:
+ default: Any
+ description: |-
+ Filter for ingress, egress or any direction flows.
+ When set to `Ingress`, it is equivalent to adding the regex filter on `FlowDirection`: `0|2`.
+ When set to `Egress`, it is equivalent to adding the regex filter on `FlowDirection`: `1|2`.
+ enum:
+ - Any
+ - Egress
+ - Ingress
+ type: string
+ divider:
+ description: When non-zero, scale factor (divider) of the value. Metric
+ value = Flow value / Divider.
+ type: string
+ filters:
+ description: |-
+ `filters` is a list of fields and values used to restrict which flows are taken into account. Oftentimes, these filters must
+ be used to eliminate duplicates: `Duplicate != "true"` and `FlowDirection = "0"`.
+ Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+ items:
+ properties:
+ field:
+ description: Name of the field to filter on
+ type: string
+ matchType:
+ default: Equal
+ description: Type of matching to apply
+ enum:
+ - Equal
+ - NotEqual
+ - Presence
+ - Absence
+ - MatchRegex
+ - NotMatchRegex
+ type: string
+ value:
+ description: Value to filter on. When `matchType` is `Equal`
+ or `NotEqual`, you can use field injection with `$(SomeField)`
+ to refer to any other field of the flow.
+ type: string
+ required:
+ - field
+ - matchType
+ type: object
+ type: array
+ labels:
+ description: |-
+ `labels` is a list of fields that should be used as Prometheus labels, also known as dimensions.
+ From choosing labels results the level of granularity of this metric, as well as the available aggregations at query time.
+ It must be done carefully as it impacts the metric cardinality (cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric).
+ In general, avoid setting very high cardinality labels such as IP or MAC addresses.
+ "SrcK8S_OwnerName" or "DstK8S_OwnerName" should be preferred over "SrcK8S_Name" or "DstK8S_Name" as much as possible.
+ Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+ items:
+ type: string
+ type: array
+ metricName:
+ description: Name of the metric. In Prometheus, it is automatically
+ prefixed with "netobserv_".
+ type: string
+ type:
+ description: |-
+ Metric type: "Counter" or "Histogram".
+ Use "Counter" for any value that increases over time and on which you can compute a rate, such as Bytes or Packets.
+ Use "Histogram" for any value that must be sampled independently, such as latencies.
+ enum:
+ - Counter
+ - Histogram
+ type: string
+ valueField:
+ description: |-
+ `valueField` is the flow field that must be used as a value for this metric. This field must hold numeric values.
+ Leave empty to count flows rather than a specific value per flow.
+ Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+ type: string
+ required:
+ - metricName
+ - type
+ type: object
+ status:
+ description: FlowMetricStatus defines the observed state of FlowMetric
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
\ No newline at end of file
diff --git a/charts/network-observability-operator/templates/_helpers.tpl b/charts/network-observability-operator/templates/_helpers.tpl
new file mode 100644
index 0000000000..0d34fcaeec
--- /dev/null
+++ b/charts/network-observability-operator/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "network-observability-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "network-observability-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "network-observability-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "network-observability-operator.labels" -}}
+helm.sh/chart: {{ include "network-observability-operator.chart" . }}
+{{ include "network-observability-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "network-observability-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "network-observability-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "network-observability-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "network-observability-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
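Review bot: In `network-observability-operator.serviceAccountName`, the `else` branch falls back to the namespace's `default` service account when `serviceAccount.create` is false and no name is given. The bindings in templates/rbac.yaml use this helper as their subject, so that configuration would attach `netobserv-manager-role`, with its cluster-wide secrets and RBAC write access, to every pod in the namespace that runs as `default`. Failing the render is safer than a silent fallback: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`.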
diff --git a/charts/network-observability-operator/templates/cert.yaml b/charts/network-observability-operator/templates/cert.yaml
new file mode 100644
index 0000000000..df894d0c01
--- /dev/null
+++ b/charts/network-observability-operator/templates/cert.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "network-observability-operator.fullname" . }}-ca
+spec:
+ isCA: true
+ commonName: {{ include "network-observability-operator.fullname" . }}-ca
+ subject:
+ organizations:
+ - Plural
+ secretName: webhook-server-cert
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
\ No newline at end of file
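Review bot: The only Certificate here has `isCA: true` and writes to `secretName: webhook-server-cert`, the same secret that templates/deployment.yaml mounts into the manager as its webhook serving certificate. The pod therefore holds a CA private key, and the certificate carries no `dnsNames` for `netobserv-webhook-service`, so the API server's hostname check would presumably fail. Keeping the CA in its own secret and issuing a leaf certificate from a CA issuer avoids both problems. The `selfsigned-issuer` name is also fixed rather than derived from the release name.

```yaml
# … unchanged: selfsigned-issuer; the -ca Certificate keeps isCA: true but writes to its own secret, e.g. secretName: <fullname>-ca …
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "network-observability-operator.fullname" . }}-ca-issuer
spec:
  ca:
    secretName: {{ include "network-observability-operator.fullname" . }}-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "network-observability-operator.fullname" . }}-webhook
spec:
  secretName: webhook-server-cert
  dnsNames:
    - netobserv-webhook-service.{{ .Release.Namespace }}.svc
  issuerRef:
    name: {{ include "network-observability-operator.fullname" . }}-ca-issuer
    kind: Issuer
    group: cert-manager.io
```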
diff --git a/charts/network-observability-operator/templates/config.yaml b/charts/network-observability-operator/templates/config.yaml
new file mode 100644
index 0000000000..768c34f469
--- /dev/null
+++ b/charts/network-observability-operator/templates/config.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: 7a7ecdcd.netobserv.io
+kind: ConfigMap
+metadata:
+ labels:
+ {{- include "network-observability-operator.labels" . | nindent 4 }}
+ name: netobserv-manager-config
\ No newline at end of file
diff --git a/charts/network-observability-operator/templates/deployment.yaml b/charts/network-observability-operator/templates/deployment.yaml
new file mode 100644
index 0000000000..6d89aae890
--- /dev/null
+++ b/charts/network-observability-operator/templates/deployment.yaml
@@ -0,0 +1,161 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "network-observability-operator.fullname" . }}
+ labels:
+ {{- include "network-observability-operator.labels" . | nindent 4 }}
+spec:
+ progressDeadlineSeconds: 600
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "network-observability-operator.selectorLabels" . | nindent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "network-observability-operator.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - args: {{- toYaml .Values.controllerManager.manager.args | nindent 10 }}
+ command:
+ - /manager
+ env:
+ - name: ENABLE_WEBHOOKS
+ value: "false"
+ - name: RELATED_IMAGE_EBPF_AGENT
+ value: quay.io/netobserv/netobserv-ebpf-agent:v0.3.3
+ - name: RELATED_IMAGE_FLOWLOGS_PIPELINE
+ value: quay.io/netobserv/flowlogs-pipeline:v0.1.11
+ - name: RELATED_IMAGE_CONSOLE_PLUGIN
+ value: quay.io/netobserv/network-observability-console-plugin:v0.1.12
+ - name: DOWNSTREAM_DEPLOYMENT
+ value: "false"
+ - name: PROFILING_BIND_ADDRESS
+ - name: OPERATOR_CONDITION_NAME
+ value: netobserv-operator.v1.0.5
+ image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default (printf "%s" .Chart.AppVersion) }}
+ imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 8081
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /readyz
+ port: 8081
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 12
+ }}
+ securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
+ | nindent 12 }}
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 10 }}
+ env:
+ - name: OPERATOR_CONDITION_NAME
+ value: {{ quote .Values.controllerManager.kubeRbacProxy.operatorConditionName }}
+ image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default (printf "v%s" .Chart.AppVersion) }}
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
+ 12 }}
+ securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
+ | nindent 12 }}
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsNonRoot: true
+ serviceAccount: {{ include "network-observability-operator.serviceAccountName" . }}
+ serviceAccountName: {{ include "network-observability-operator.serviceAccountName" . }}
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+ name: netobserv-validating-webhook-configuration
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: netobserv-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-netobserv-io-v1beta2-flowcollector
+ failurePolicy: Fail
+ name: flowcollectorconversionwebhook.netobserv.io
+ rules:
+ - apiGroups:
+ - netobserv.io
+ apiVersions:
+ - v1beta2
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - flowcollectors
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: netobserv-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-flows-netobserv-io-v1alpha1-flowmetric
+ failurePolicy: Fail
+ name: flowmetricvalidationwebhook.netobserv.io
+ rules:
+ - apiGroups:
+ - flows.netobserv.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - flowmetrics
+ sideEffects: None
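Review bot: The first rule in `netobserv-validating-webhook-configuration` lists `apiGroups: netobserv.io`, but the FlowCollector objects in this chart are in `flows.netobserv.io`, so as written the FlowCollector validation endpoint would never be called; the rule probably wants `- flows.netobserv.io`. The second webhook does match FlowMetric and has `failurePolicy: Fail`, yet the manager container starts with `ENABLE_WEBHOOKS` set to `"false"`. The CA bundle is also expected from the OpenShift `service.beta.openshift.io/inject-cabundle` annotation, even though the serving certificate comes from cert-manager. On a cluster without the OpenShift service CA, that combination would presumably reject every FlowMetric create and update. If cert-manager is the intended source, the annotation would be `cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "network-observability-operator.fullname" . }}-ca'`, and `ENABLE_WEBHOOKS` should agree with whether the webhook objects are rendered.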
diff --git a/charts/network-observability-operator/templates/flows_flowcollector.yaml b/charts/network-observability-operator/templates/flows_flowcollector.yaml
new file mode 100644
index 0000000000..51ad27d115
--- /dev/null
+++ b/charts/network-observability-operator/templates/flows_flowcollector.yaml
@@ -0,0 +1,129 @@
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+ name: cluster
+spec:
+ namespace: '{{ .Release.Namespace }}'
+ deploymentModel: Direct
+ agent:
+ type: eBPF
+ ebpf:
+ imagePullPolicy: IfNotPresent
+ logLevel: info
+ sampling: 50
+ cacheActiveTimeout: 5s
+ cacheMaxFlows: 100000
+ # Change privileged to "true" on old kernel version not knowing CAP_BPF or when using "PacketDrop" feature
+ privileged: false
+ # features:
+ # - "PacketDrop"
+ # - "DNSTracking"
+ # - "FlowRTT"
+ interfaces: []
+ excludeInterfaces: ["lo"]
+ kafkaBatchSize: 1048576
+ #flowFilter:
+ # action: Accept
+ # cidr: 0.0.0.0/0
+ # protocol: UDP
+ # sourcePorts: 53
+ # enable: true
+ metrics:
+ enable: false
+ server:
+ port: 9400
+ # Custom optionnal resources configuration
+ resources:
+ requests:
+ memory: 50Mi
+ cpu: 100m
+ limits:
+ memory: 800Mi
+ processor:
+ imagePullPolicy: IfNotPresent
+ logLevel: info
+ # Change logTypes to "CONVERSATIONS" or "ALL" to enable conversation tracking
+ logTypes: Flows
+ # Append a unique cluster name to each record
+ # clusterName:
+ # addZone: true
+ # subnetLabels:
+ # openShiftAutoDetect: true
+ # customLabels:
+ # - cidrs: []
+ # name: ""
+ metrics:
+ server:
+ port: 9401
+ disableAlerts: []
+ # includeList:
+ # - "node_ingress_bytes_total"
+ # - "workload_ingress_bytes_total"
+ # - "namespace_flows_total"
+ # - "namespace_drop_packets_total"
+ # - "namespace_rtt_seconds"
+ # Custom optionnal resources configuration
+ resources:
+ requests:
+ memory: 100Mi
+ cpu: 100m
+ limits:
+ memory: 800Mi
+ loki: {{- toYaml .Values.loki | nindent 4 }}
+ consolePlugin:
+ enable: true
+ imagePullPolicy: IfNotPresent
+ logLevel: info
+ # Scaling configuration
+ replicas: 1
+ autoscaler:
+ status: Disabled
+ minReplicas: 1
+ maxReplicas: 3
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 50
+ # Custom optionnal port-to-service name translation
+ portNaming:
+ enable: true
+ portNames:
+ "3100": loki
+ # Custom optionnal filter presets
+ quickFilters:
+ - name: Applications
+ filter:
+ flow_layer: 'app'
+ default: true
+ - name: Infrastructure
+ filter:
+ flow_layer: 'infra'
+ - name: Pods network
+ filter:
+ src_kind: 'Pod'
+ dst_kind: 'Pod'
+ default: true
+ - name: Services network
+ filter:
+ dst_kind: 'Service'
+ # Custom optionnal resources configuration
+ resources:
+ requests:
+ memory: 50Mi
+ cpu: 100m
+ limits:
+ memory: 100Mi
+ exporters: []
+ # - type: Kafka
+ # kafka:
+ # address: "kafka-cluster-kafka-bootstrap.netobserv"
+ # topic: netobserv-flows-export
+ # or
+ # - type: IPFIX
+ # ipfix:
+ # targetHost: "ipfix-collector.ipfix.svc.cluster.local"
+ # targetPort: 4739
+ # transport: TCP or UDP (optional - defaults to TCP)
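Review bot: The `loki:` block is copied verbatim from values, and the defaults added in this commit are an `http://` URL with `tls.enable: false`, so flow records are written to Loki in clear text unless the installer changes it. Nothing in this template says so. A comment above the `loki:` line would make the default visible, for example `# Loki defaults in values.yaml use plain HTTP (tls.enable: false); set loki.monolithic.tls for anything beyond a test cluster`. The rest of the spec (sampling, `privileged`, resources) is hard-coded, so it cannot be adjusted through values either.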
diff --git a/charts/network-observability-operator/templates/rbac.yaml b/charts/network-observability-operator/templates/rbac.yaml
new file mode 100644
index 0000000000..50a460e771
--- /dev/null
+++ b/charts/network-observability-operator/templates/rbac.yaml
@@ -0,0 +1,303 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: netobserv-leader-election-role
+ namespace: '{{ .Release.Namespace }}'
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: netobserv-manager-role
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - config.openshift.io
+ resources:
+ - clusterversions
+ - networks
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - console.openshift.io
+ resources:
+ - consoleplugins
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - namespaces
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowcollectors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowcollectors/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowcollectors/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowmetrics
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - loki.grafana.com
+ resourceNames:
+ - logs
+ resources:
+ - network
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheusrules
+ - servicemonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - operator.openshift.io
+ resources:
+ - consoles
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - create
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - hostnetwork
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: netobserv-proxy-role
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: netobserv-leader-election-rolebinding
+ namespace: '{{ .Release.Namespace }}'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: netobserv-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "network-observability-operator.serviceAccountName" . }}
+ namespace: '{{ .Release.Namespace }}'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: netobserv-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: netobserv-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "network-observability-operator.serviceAccountName" . }}
+ namespace: '{{ .Release.Namespace }}'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: netobserv-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: netobserv-proxy-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "network-observability-operator.serviceAccountName" . }}
+ namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
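Review bot: `netobserv-manager-role` grants full read and write on `secrets`, `configmaps`, `namespaces`, `serviceaccounts` and `services` in every namespace, plus create/update/delete on `clusterroles` and `clusterrolebindings`, and nothing in the file says why. The CRD text in this commit mentions copying config maps and secrets across namespaces, which is presumably the reason for the secrets rule. A comment above that rule would let a reviewer judge it, such as `# cluster-wide secrets access: the operator copies referenced CA/cert secrets into the deployment namespace`. The `security.openshift.io`, `console.openshift.io`, `config.openshift.io` and `operator.openshift.io` rules look OpenShift-only and could sit behind a values flag so a plain Kubernetes install does not carry them. The resource names are also fixed rather than derived from the release name, so a second release in the same cluster would collide on the ClusterRoles and bindings.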
diff --git a/charts/network-observability-operator/templates/service.yaml b/charts/network-observability-operator/templates/service.yaml
new file mode 100644
index 0000000000..1d479f5016
--- /dev/null
+++ b/charts/network-observability-operator/templates/service.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: netobserv-metrics-service
+ labels:
+ {{- include "network-observability-operator.labels" . | nindent 4 }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ {{- include "network-observability-operator.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ {{- include "network-observability-operator.labels" . | nindent 4 }}
+ name: netobserv-webhook-service
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ {{- include "network-observability-operator.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/network-observability-operator/templates/serviceaccount.yaml b/charts/network-observability-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..dd5a5e63a3
--- /dev/null
+++ b/charts/network-observability-operator/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "network-observability-operator.serviceAccountName" . }}
+ labels:
+ {{- include "network-observability-operator.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
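Review bot: When `serviceAccount.create` is false this template renders nothing, but the two ClusterRoleBindings in this commit still bind `netobserv-manager-role` and `netobserv-proxy-role` to whatever the `serviceAccountName` helper returns. The helper is not visible here; if it follows the stock Helm scaffold it falls back to `default`, which would hand the operator's cluster-wide permissions to every pod in the release namespace that runs under the default account. I would make the chart refuse that combination, for example `{{- if and (not .Values.serviceAccount.create) (not .Values.serviceAccount.name) }}{{ fail "serviceAccount.name is required when serviceAccount.create is false" }}{{- end }}` at the top of the RBAC template. Quoting the rendered name (`name: '{{ include ... }}'`) would also keep an all-digit or boolean-looking override from being retyped by the YAML parser.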
diff --git a/charts/network-observability-operator/values.yaml b/charts/network-observability-operator/values.yaml
new file mode 100644
index 0000000000..4baa865074
--- /dev/null
+++ b/charts/network-observability-operator/values.yaml
@@ -0,0 +1,98 @@
+replicaCount: 1
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+
+loki:
+ enable: true
+ mode: Monolithic
+ monolithic:
+ url: 'http://loki.netobserv.svc:3100/'
+ tenantID: netobserv
+ tls:
+ enable: false
+ caCert:
+ type: configmap
+ name: loki-gateway-ca-bundle
+ certFile: service-ca.crt
+ lokiStack:
+ name: loki
+ # Change loki operator instance namespace
+ # namespace: loki-operator
+ # Console plugin read timeout
+ readTimeout: 30s
+ # Write stage configuration
+ writeTimeout: 10s
+ writeBatchWait: 1s
+ writeBatchSize: 10485760
+controllerManager:
+ kubeRbacProxy:
+ operatorConditionName: netobserv-operator.v1.0.5
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ tag: v0.15.0
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ manager:
+ args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ - --ebpf-agent-image=$(RELATED_IMAGE_EBPF_AGENT)
+ - --flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE)
+ - --console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN)
+ - --downstream-deployment=$(DOWNSTREAM_DEPLOYMENT)
+ - --profiling-bind-address=$(PROFILING_BIND_ADDRESS)
+ - --enable-http2=false
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: quay.io/netobserv/network-observability-operator
+ tag: ~
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 500m
+ memory: 400Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ replicas: 1
+ serviceAccount:
+ annotations: {}
\ No newline at end of file
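Review bot: Both `containerSecurityContext` blocks (under `kubeRbacProxy` and `manager`) stop at `allowPrivilegeEscalation: false` and dropping `ALL` capabilities, so unless the deployment template adds a pod-level context (not visible in this hunk) the containers can run as root with no seccomp profile. I would add `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` to each block so the defaults meet the restricted Pod Security Standard, plus `readOnlyRootFilesystem: true` if the binaries tolerate it. Separately, `gcr.io/kubebuilder/kube-rbac-proxy` is referenced by the mutable tag `v0.15.0`; pinning it by digest would make the proxy that guards the metrics endpoint reproducible, and it is worth confirming that registry location is still maintained. The Loki defaults (`http://` URL with `tls.enable: false`) send flow logs unencrypted, which deserves a comment telling operators to enable TLS outside a trusted cluster network.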
diff --git a/charts/network-observability-operator/values.yaml.liquid b/charts/network-observability-operator/values.yaml.liquid
new file mode 100644
index 0000000000..ab2a5334d0
--- /dev/null
+++ b/charts/network-observability-operator/values.yaml.liquid
@@ -0,0 +1,5 @@
+{% if configuration.lokiUrl -%}
+loki:
+ monolithic:
+ url: {{ configuration.lokiUrl }}
+{%- endif -%}
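Review bot: `url: {{ configuration.lokiUrl }}` writes a user-supplied value into YAML unquoted, so a value containing ` #`, `: ` or a line break is truncated or parsed as extra keys instead of being taken as the URL. Quoting it the way values.yaml does, `url: '{{ configuration.lokiUrl }}'`, covers the common cases; a value containing a single quote would still break out, so escape it with whatever string/JSON filter the renderer provides or validate it upstream. Since this setting decides where flow logs are shipped, it would also be reasonable to reject anything that is not an `http://` or `https://` URL before rendering.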