From 43ea385837d1aa2b86bf6ed7b021caa26a4c7bc5 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Tue, 14 May 2024 11:21:24 +0200
Subject: [PATCH 1/9] add network-observability-operator
---
 .../.helmignore | 23 +
 .../network-observability-operator/Chart.yaml | 6 +
 .../flowcollectors.flows.netobserv.io.yaml | 8232 +++++++++++++++++
 .../templates/_helpers.tpl | 62 +
 .../templates/cert.yaml | 25 +
 .../templates/config.yaml | 19 +
 .../templates/deployment.yaml | 195 +
 .../templates/loki.yaml | 143 +
 .../templates/rbac.yaml | 303 +
 .../templates/service.yaml | 28 +
 .../templates/serviceaccount.yaml | 12 +
 .../templates/storage.yaml | 11 +
 .../values.yaml | 23 +
 13 files changed, 9082 insertions(+)
 create mode 100644 charts/network-observability-operator/.helmignore
 create mode 100644 charts/network-observability-operator/Chart.yaml
 create mode 100644 charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml
 create mode 100644 charts/network-observability-operator/templates/_helpers.tpl
 create mode 100644 charts/network-observability-operator/templates/cert.yaml
 create mode 100644 charts/network-observability-operator/templates/config.yaml
 create mode 100644 charts/network-observability-operator/templates/deployment.yaml
 create mode 100644 charts/network-observability-operator/templates/loki.yaml
 create mode 100644 charts/network-observability-operator/templates/rbac.yaml
 create mode 100644 charts/network-observability-operator/templates/service.yaml
 create mode 100644 charts/network-observability-operator/templates/serviceaccount.yaml
 create mode 100644 charts/network-observability-operator/templates/storage.yaml
 create mode 100644 charts/network-observability-operator/values.yaml
diff --git a/charts/network-observability-operator/.helmignore b/charts/network-observability-operator/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/network-observability-operator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/network-observability-operator/Chart.yaml b/charts/network-observability-operator/Chart.yaml
new file mode 100644
index 0000000000..2eac899e69
--- /dev/null
+++ b/charts/network-observability-operator/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: network-observability-operator
+description: A Helm chart for Kubernetes
+appVersion: 1.0.5
+type: application
+version: 0.1.0
diff --git a/charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml b/charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml
new file mode 100644
index 0000000000..b0a6b61256
--- /dev/null
+++ b/charts/network-observability-operator/crds/flowcollectors.flows.netobserv.io.yaml
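Review bot: `description: A Helm chart for Kubernetes` in the Chart.yaml hunk is the untouched `helm create` scaffold placeholder and should state what the chart actually deploys, e.g. `description: Deploys the NetObserv network observability operator and its cluster-scoped FlowCollector CRD`. `appVersion: 1.0.5` is safer written as `appVersion: "1.0.5"`, matching the Helm Chart.yaml reference, which recommends quoting the field so it is always read as a string. It would also help to record which upstream netobserv release the bundled 8232-line CRD was copied from, since nothing in the chart metadata ties the CRD to a version; presumably `1.0.5` is that release, but that is worth confirming in a comment or the description.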
@@ -0,0 +1,8232 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + service.beta.openshift.io/inject-cabundle: "true" + name: flowcollectors.flows.netobserv.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: netobserv-webhook-service + namespace: netobserv + path: /convert + conversionReviewVersions: + - v1beta1 + - v1beta2 + group: flows.netobserv.io + names: + kind: FlowCollector + listKind: FlowCollectorList + plural: flowcollectors + singular: flowcollector + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.agent.type + name: Agent + type: string + - jsonPath: .spec.agent.ebpf.sampling + name: Sampling (EBPF) + type: string + - jsonPath: .spec.deploymentModel + name: Deployment Model + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: '`FlowCollector` is the schema for the network flows collection + API, which pilots and configures the underlying deployments.' + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + properties: + name: + pattern: ^cluster$ + type: string + type: object + spec: + description: |- + Defines the desired state of the FlowCollector resource. +

+ *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature + is not officially supported by Red Hat. It might have been, for example, contributed by the community + and accepted without a formal agreement for maintenance. The product maintainers might provide some support + for these features as a best effort only. + properties: + agent: + description: Agent configuration for flows extraction. + properties: + ebpf: + description: |- + `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type` + is set to `EBPF`. + properties: + cacheActiveTimeout: + default: 5s + description: |- + `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 100000 + description: |- + `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + format: int32 + minimum: 1 + type: integer + debug: + description: |- + `debug` allows setting some aspects of the internal configuration of the eBPF agent. + This section is aimed exclusively for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. 
Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + type: object + excludeInterfaces: + default: + - lo + description: |- + `excludeInterfaces` contains the interface names that are excluded from flow tracing. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + features: + description: |- + List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
+ - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting + the kernel debug filesystem, so the eBPF pod has to run as privileged. + If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.
+ - `DNSTracking`: enable the DNS tracking feature.
+ - `FlowRTT` [unsupported (*)]: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1.
+ items: + description: |- + Agent feature, can be one of:
+ - `PacketDrop`, to track packet drops.
+ - `DNSTracking`, to track specific information on DNS traffic.
+ - `FlowRTT`, to track TCP latency. [Unsupported (*)].
+ enum: + - PacketDrop + - DNSTracking + - FlowRTT + type: string + type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration + regarding flow filtering' + properties: + action: + description: Action defines the action to perform on the + flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + CIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + DestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100". + x-kubernetes-int-or-string: true + direction: + description: Direction defines the direction to filter + flows by. + enum: + - Ingress + - Egress + type: string + enable: + description: Set `enable` to `true` to enable eBPF flow + filtering feature. + type: boolean + icmpCode: + description: ICMPCode defines the ICMP code to filter + flows by. + type: integer + icmpType: + description: ICMPType defines the ICMP type to filter + flows by. + type: integer + peerIP: + description: |- + PeerIP defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + Ports defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10 + x-kubernetes-int-or-string: true + protocol: + description: Protocol defines the protocol to filter flows + by. 
+ enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + SourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100". + x-kubernetes-int-or-string: true + type: object + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + interfaces: + description: |- + `interfaces` contains the interface names from where flows are collected. If empty, the agent + fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + kafkaBatchSize: + default: 1048576 + description: '`kafkaBatchSize` limits the maximum size of + a request in bytes before being sent to a partition. Ignored + when not using Kafka. Default: 1MB.' + type: integer + logLevel: + default: info + description: '`logLevel` defines the log level for the NetObserv + eBPF Agent' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + metrics: + description: '`metrics` defines the eBPF agent configuration + regarding metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ items: + description: |- + Name of a ebpf agent alert. + Possible values are:
+ - `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ enum: + - NetObservDroppedFlows + type: string + type: array + enable: + description: Set `enable` to `true` to enable eBPF agent + metrics collection. + type: boolean + server: + description: Metrics server endpoint configuration for + Prometheus scraper + properties: + port: + description: The prometheus HTTP port + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is + set to `PROVIDED`. + properties: + certFile: + description: '`certFile` defines the path + to the certificate file name within the + config map or secret' + type: string + certKey: + description: '`certKey` defines the path to + the certificate private key file name within + the config map or secret. Omit when the + key is not necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `PROVIDED`. 
+ properties: + file: + description: File name within the config map + or secret + type: string + name: + description: Name of the config map or secret + containing the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: + "configmap" or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: |- + Select the type of TLS configuration:
+ - `DISABLED` (default) to not configure TLS for the endpoint. + - `PROVIDED` to manually provide cert file and a key file. [Unsupported (*)]. + - `AUTO` to use OpenShift auto generated certificate using annotations. + enum: + - DISABLED + - PROVIDED + - AUTO + type: string + type: object + type: object + type: object + privileged: + description: |- + Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets + granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container. + If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF + is in use, then you can turn on this mode for more global privileges. + Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support. + type: boolean + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources` are the compute resources required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + sampling: + default: 50 + description: Sampling rate of the flow reporter. 100 means + one flow on 100 is sent. 0 or 1 means all flows are sampled. + format: int32 + minimum: 0 + type: integer + type: object + ipfix: + description: |- + `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type` + is set to `IPFIX`. + properties: + cacheActiveTimeout: + default: 20s + description: '`cacheActiveTimeout` is the max period during + which the reporter aggregates flows before sending.' + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 400 + description: '`cacheMaxFlows` is the max number of flows in + an aggregate; when reached, the reporter sends the flows.' 
+ format: int32 + minimum: 0 + type: integer + clusterNetworkOperator: + description: '`clusterNetworkOperator` defines the settings + related to the OpenShift Cluster Network Operator, when + available.' + properties: + namespace: + default: openshift-network-operator + description: Namespace where the config map is going + to be deployed. + type: string + type: object + forceSampleAll: + default: false + description: |- + `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter. + It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability. + If you REALLY want to do that, set this flag to `true`. Use at your own risk. + When it is set to `true`, the value of `sampling` is ignored. + type: boolean + ovnKubernetes: + description: '`ovnKubernetes` defines the settings of the + OVN-Kubernetes CNI, when available. This configuration is + used when using OVN''s IPFIX exports, without OpenShift. + When using OpenShift, refer to the `clusterNetworkOperator` + property instead.' + properties: + containerName: + default: ovnkube-node + description: '`containerName` defines the name of the + container to configure for IPFIX.' + type: string + daemonSetName: + default: ovnkube-node + description: '`daemonSetName` defines the name of the + DaemonSet controlling the OVN-Kubernetes pods.' + type: string + namespace: + default: ovn-kubernetes + description: Namespace where OVN-Kubernetes pods are deployed. + type: string + type: object + sampling: + default: 400 + description: |- + `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent. + To ensure cluster stability, it is not possible to set a value below 2. + If you really want to sample every packet, which might impact the cluster stability, + refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX. 
+ format: int32 + minimum: 2 + type: integer + type: object + type: + default: EBPF + description: |- + `type` [deprecated (*)] selects the flows tracing agent. The only possible value is `EBPF` (default), to use NetObserv eBPF agent.
+ Previously, using an IPFIX collector was allowed, but was deprecated and it is now removed.
+ Setting `IPFIX` is ignored and still use the eBPF Agent. + Since there is only a single option here, this field will be remove in a future API version. + enum: + - EBPF + - IPFIX + type: string + type: object + consolePlugin: + description: '`consolePlugin` defines the settings related to the + OpenShift Console plugin, when available.' + properties: + autoscaler: + description: '`autoscaler` spec of a horizontal pod autoscaler + to set up for the plugin Deployment.' + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' + format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object 
+ type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: 
+ type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. 
minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: DISABLED + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `DISABLED` does not deploy an horizontal pod autoscaler.
+ - `ENABLED` deploys an horizontal pod autoscaler.
+ enum: + - DISABLED + - ENABLED + type: string + type: object + enable: + default: true + description: |- + Enables the console plugin deployment. + `spec.loki.enable` must also be `true` + type: boolean + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + logLevel: + default: info + description: '`logLevel` for the console plugin backend' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + port: + default: 9001 + description: '`port` is the plugin service port. Do not use 9002, + which is reserved for metrics.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + portNaming: + default: + enable: true + description: '`portNaming` defines the configuration of the port-to-service + name translation' + properties: + enable: + default: true + description: Enable the console plugin port-to-service name + translation + type: boolean + portNames: + additionalProperties: + type: string + description: |- + `portNames` defines additional port names to use in the console, + for example, `portNames: {"3100": "loki"}`. 
+ type: object + type: object + quickFilters: + default: + - default: true + filter: + flow_layer: app + name: Applications + - filter: + flow_layer: infra + name: Infrastructure + - default: true + filter: + dst_kind: Pod + src_kind: Pod + name: Pods network + - filter: + dst_kind: Service + name: Services network + description: '`quickFilters` configures quick filter presets for + the Console plugin' + items: + description: '`QuickFilter` defines preset configuration for + Console''s quick filters' + properties: + default: + description: '`default` defines whether this filter should + be active by default or not' + type: boolean + filter: + additionalProperties: + type: string + description: |- + `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, + for example, `filter: {"src_namespace": "namespace1,namespace2"}`. + type: object + name: + description: Name of the filter, that is displayed in the + Console + type: string + required: + - filter + - name + type: object + type: array + register: + default: true + description: |- + `register` allows, when set to `true`, to automatically register the provided console plugin with the OpenShift Console operator. + When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: + `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'` + type: boolean + replicas: + default: 1 + description: '`replicas` defines the number of replicas (pods) + to start.' + format: int32 + minimum: 0 + type: integer + resources: + default: + limits: + memory: 100Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources`, in terms of compute resources, required by this container. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + deploymentModel: + default: DIRECT + description: |- + `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:
+ - `DIRECT` (default) to make the flow processor listening directly from the agents.
+ - `KAFKA` to make flows sent to a Kafka pipeline before consumption by the processor.
+ Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka). + enum: + - DIRECT + - KAFKA + type: string + exporters: + description: '`exporters` define additional optional exporters for + custom consumption or storage.' + items: + description: '`FlowCollectorExporter` defines an additional exporter + to send enriched flows to.' + properties: + ipfix: + description: IPFIX configuration, such as the IP address and + port to send enriched IPFIX flows to. + properties: + targetHost: + default: "" + description: Address of the IPFIX external receiver + type: string + targetPort: + description: Port for the IPFIX external receiver + type: integer + transport: + description: Transport protocol (`TCP` or `UDP`) to be used + for the IPFIX connection, defaults to `TCP`. + enum: + - TCP + - UDP + type: string + required: + - targetHost + - targetPort + type: object + kafka: + description: Kafka configuration, such as the address and topic, + to send enriched flows to. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported + (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: Type of SASL authentication to use, or + `DISABLED` if SASL is not used + enum: + - DISABLED + - PLAIN + - SCRAM-SHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, + generally 9093. + properties: + caCert: + description: '`caCert` defines the reference of the + certificate for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it + when using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv + does not create it. + type: string + required: + - address + - topic + type: object + type: + description: '`type` selects the type of exporters. The available + options are `KAFKA` and `IPFIX`.' 
+ enum: + - KAFKA + - IPFIX + type: string + required: + - type + type: object + type: array + kafka: + description: Kafka configuration, allowing to use Kafka as a broker + as part of the flow collection pipeline. Available when the `spec.deploymentModel` + is `KAFKA`. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: Type of SASL authentication to use, or `DISABLED` + if SASL is not used + enum: + - DISABLED + - PLAIN + - SCRAM-SHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, generally + 9093. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv does + not create it. + type: string + required: + - address + - topic + type: object + loki: + description: '`loki`, the flow store, client settings.' + properties: + authToken: + default: DISABLED + description: |- + `authToken` describes the way to get a token to authenticate to Loki.
+ - `DISABLED` does not send any token with the request.
+ - `FORWARD` forwards the user token for authorization.
+ - `HOST` [deprecated (*)] - uses the local pod service account to authenticate to Loki.
+ When using the Loki Operator, this must be set to `FORWARD`. + enum: + - DISABLED + - HOST + - FORWARD + type: string + batchSize: + default: 102400 + description: '`batchSize` is the maximum batch size (in bytes) + of logs to accumulate before sending.' + format: int64 + minimum: 1 + type: integer + batchWait: + default: 1s + description: '`batchWait` is the maximum time to wait before sending + a batch.' + type: string + enable: + default: true + description: Set `enable` to `true` to store flows in Loki. It + is required for the OpenShift Console plugin installation. + type: boolean + maxBackoff: + default: 5s + description: '`maxBackoff` is the maximum backoff time for client + connection between retries.' + type: string + maxRetries: + default: 2 + description: '`maxRetries` is the maximum number of retries for + client connections.' + format: int32 + minimum: 0 + type: integer + minBackoff: + default: 1s + description: '`minBackoff` is the initial backoff time for client + connection between retries.' + type: string + querierUrl: + description: |- + `querierURL` specifies the address of the Loki querier service, in case it is different from the + Loki ingester URL. If empty, the URL value is used (assuming that the Loki ingester + and querier are in the same server). When using the Loki Operator, do not set it, since + ingestion and queries use the Loki gateway. + type: string + readTimeout: + default: 30s + description: |- + `readTimeout` is the maximum loki query total time limit. + A timeout of zero means no timeout. + type: string + staticLabels: + additionalProperties: + type: string + default: + app: netobserv-flowcollector + description: '`staticLabels` is a map of common labels to set + on each flow.' + type: object + statusTls: + description: TLS client configuration for Loki status URL. 
+ properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + statusUrl: + description: |- + `statusURL` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the + Loki querier URL. If empty, the `querierURL` value is used. + This is useful to show error messages and some context in the frontend. + When using the Loki Operator, set it to the Loki HTTP query frontend service, for example + https://loki-query-frontend-http.netobserv.svc:3100/. + `statusTLS` configuration is used when `statusUrl` is set. + type: string + tenantID: + default: netobserv + description: |- + `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request. + When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode. + type: string + timeout: + default: 10s + description: |- + `timeout` is the maximum processor time connection / request limit. + A timeout of zero means no timeout. + type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' 
+ type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + url: + default: http://loki:3100/ + description: |- + `url` is the address of an existing Loki service to push the flows to. When using the Loki Operator, + set it to the Loki gateway service with the `network` tenant set in path, for example + https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. + type: string + type: object + namespace: + default: netobserv + description: Namespace where NetObserv pods are deployed. + type: string + processor: + description: |- + `processor` defines the settings of the component that receives the flows from the agent, + enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter. + properties: + addZone: + description: |- + `addZone` allows availability zone awareness by labelling flows with their source and destination zones. + This feature requires the "topology.kubernetes.io/zone" label to be set on nodes. + type: boolean + clusterName: + default: "" + description: '`clusterName` is the name of the cluster to appear + in the flows data. This is useful in a multi-cluster context. + When using OpenShift, leave empty to make it automatically determined.' + type: string + conversationEndTimeout: + default: 10s + description: |- + `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended. + This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead). 
+ type: string + conversationHeartbeatInterval: + default: 30s + description: '`conversationHeartbeatInterval` is the time to wait + between "tick" events of a conversation' + type: string + conversationTerminatingTimeout: + default: 5s + description: '`conversationTerminatingTimeout` is the time to + wait from detected FIN flag to end a conversation. Only relevant + for TCP flows.' + type: string + debug: + description: |- + `debug` allows setting some aspects of the internal configuration of the flow processor. + This section is aimed exclusively for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + type: object + dropUnusedFields: + default: true + description: '`dropUnusedFields` [deprecated (*)] this setting + is not used anymore.' 
+ type: boolean + enableKubeProbes: + default: true + description: '`enableKubeProbes` is a flag to enable or disable + Kubernetes liveness and readiness probes' + type: boolean + healthPort: + default: 8080 + description: '`healthPort` is a collector HTTP port in the Pod + that exposes the health check API' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + kafkaConsumerAutoscaler: + description: |- + `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' + format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. 
For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + properties: + describedObject: + properties: 
+ apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - 
type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: DISABLED + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `DISABLED` does not deploy an horizontal pod autoscaler.
+ - `ENABLED` deploys an horizontal pod autoscaler.
+ enum: + - DISABLED + - ENABLED + type: string + type: object + kafkaConsumerBatchSize: + default: 10485760 + description: '`kafkaConsumerBatchSize` indicates to the broker + the maximum batch size, in bytes, that the consumer accepts. + Ignored when not using Kafka. Default: 10MB.' + type: integer + kafkaConsumerQueueCapacity: + default: 1000 + description: '`kafkaConsumerQueueCapacity` defines the capacity + of the internal message queue used in the Kafka consumer client. + Ignored when not using Kafka.' + type: integer + kafkaConsumerReplicas: + default: 3 + description: |- + `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + format: int32 + minimum: 0 + type: integer + logLevel: + default: info + description: '`logLevel` of the processor runtime' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + logTypes: + default: FLOWS + description: |- + `logTypes` defines the desired record types to generate. Possible values are:
+ - `FLOWS` (default) to export regular network flows
+ - `CONVERSATIONS` to generate events for started conversations, ended conversations as well as periodic "tick" updates
+ - `ENDED_CONVERSATIONS` to generate only ended conversations events
+ - `ALL` to generate both network flows and all conversations events
+ enum: + - FLOWS + - CONVERSATIONS + - ENDED_CONVERSATIONS + - ALL + type: string + metrics: + description: '`Metrics` define the processor configuration regarding + metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ items: + description: |- + Name of a processor alert. + Possible values are:
+ - `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ - `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ enum: + - NetObservNoFlows + - NetObservLokiError + type: string + type: array + ignoreTags: + default: + - egress + - packets + - nodes-flows + - namespaces-flows + - workloads-flows + - namespaces + description: |- + `ignoreTags` [deprecated (*)] is a list of tags to specify which metrics to ignore. Each metric is associated with a list of tags. More details in https://github.com/netobserv/network-observability-operator/tree/main/controllers/flowlogspipeline/metrics_definitions . + Available tags are: `egress`, `ingress`, `flows`, `bytes`, `packets`, `namespaces`, `nodes`, `workloads`, `nodes-flows`, `namespaces-flows`, `workloads-flows`. + Namespace-based metrics are covered by both `workloads` and `namespaces` tags, hence it is recommended to always ignore one of them (`workloads` offering a finer granularity).
+ Deprecation notice: use `includeList` instead. + items: + type: string + type: array + includeList: + description: |- + `includeList` is a list of metric names to specify which ones to generate. + The names correspond to the names in Prometheus without the prefix. For example, + `namespace_egress_packets_total` will show up as `netobserv_namespace_egress_packets_total` in Prometheus. + Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. + Metrics enabled by default are: + `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled), + `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled). + More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md + items: + description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md. 
+ enum: + - namespace_egress_bytes_total + - namespace_egress_packets_total + - namespace_ingress_bytes_total + - namespace_ingress_packets_total + - namespace_flows_total + - node_egress_bytes_total + - node_egress_packets_total + - node_ingress_bytes_total + - node_ingress_packets_total + - node_flows_total + - workload_egress_bytes_total + - workload_egress_packets_total + - workload_ingress_bytes_total + - workload_ingress_packets_total + - workload_flows_total + - namespace_drop_bytes_total + - namespace_drop_packets_total + - node_drop_bytes_total + - node_drop_packets_total + - workload_drop_bytes_total + - workload_drop_packets_total + - namespace_rtt_seconds + - node_rtt_seconds + - workload_rtt_seconds + - namespace_dns_latency_seconds + - node_dns_latency_seconds + - workload_dns_latency_seconds + type: string + type: array + server: + description: Metrics server endpoint configuration for Prometheus + scraper + properties: + port: + description: The prometheus HTTP port + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is set + to `PROVIDED`. + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `PROVIDED`. + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret + containing the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: |- + Select the type of TLS configuration:
+ - `DISABLED` (default) to not configure TLS for the endpoint. + - `PROVIDED` to manually provide cert file and a key file. [Unsupported (*)]. + - `AUTO` to use OpenShift auto generated certificate using annotations. + enum: + - DISABLED + - PROVIDED + - AUTO + type: string + type: object + type: object + type: object + multiClusterDeployment: + default: false + description: Set `multiClusterDeployment` to `true` to enable + multi clusters feature. This adds clusterName label to flows + data + type: boolean + port: + default: 2055 + description: |- + Port of the flow collector (host port). + By convention, some values are forbidden. It must be greater than 1024 and different from + 4500, 4789 and 6081. + format: int32 + maximum: 65535 + minimum: 1025 + type: integer + profilePort: + description: '`profilePort` allows setting up a Go pprof profiler + listening to this port' + format: int32 + maximum: 65535 + minimum: 0 + type: integer + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 100Mi + description: |- + `resources` are the compute resources required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + subnetLabels: + description: |- + `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift. + When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`. + properties: + customLabels: + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. + items: + description: SubnetLabel allows to label subnets and IPs, + such as to identify cluster-external workloads or web + services. + properties: + cidrs: + description: List of CIDRs, such as `["1.2.3.4/32"]`. 
+ items: + type: string + type: array + name: + description: Label name, used to flag matching flows. + type: string + type: object + type: array + openShiftAutoDetect: + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect + external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift. + type: boolean + type: object + type: object + type: object + status: + description: '`FlowCollectorStatus` defines the observed state of FlowCollector' + properties: + conditions: + description: '`conditions` represent the latest available observations + of an object''s state' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + namespace: + description: Namespace where console plugin and flowlogs-pipeline + have been deployed. 
+ type: string + required: + - conditions + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.agent.type + name: Agent + type: string + - jsonPath: .spec.agent.ebpf.sampling + name: Sampling (EBPF) + type: string + - jsonPath: .spec.deploymentModel + name: Deployment Model + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: '`FlowCollector` is the schema for the network flows collection + API, which pilots and configures the underlying deployments.' + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Defines the desired state of the FlowCollector resource. +

+ *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature + is not officially supported by Red Hat. It might have been, for example, contributed by the community + and accepted without a formal agreement for maintenance. The product maintainers might provide some support + for these features as a best effort only. + properties: + agent: + description: Agent configuration for flows extraction. + properties: + ebpf: + description: |- + `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type` + is set to `eBPF`. + properties: + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the eBPF agent. + This section is aimed mostly for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + scheduling: + description: scheduling controls whether the pod will + be scheduled or not. + properties: + affinity: + description: If specified, the pod's scheduling constraints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. 
The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. 
co-locate this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. 
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + x-kubernetes-map-type: atomic + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + tolerations: + description: tolerations is a list of tolerations + that allow the pod to schedule onto nodes with matching + taints. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. 
Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + cacheActiveTimeout: + default: 5s + description: |- + `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 100000 + description: |- + `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. 
+ format: int32 + minimum: 1 + type: integer + excludeInterfaces: + default: + - lo + description: |- + `excludeInterfaces` contains the interface names that are excluded from flow tracing. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + features: + description: |- + List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
+ - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting + the kernel debug filesystem, so the eBPF pod has to run as privileged. + If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.
+ - `DNSTracking`: enable the DNS tracking feature.
+ - `FlowRTT`: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1.
+ items: + description: |- + Agent feature, can be one of:
+ - `PacketDrop`, to track packet drops.
+ - `DNSTracking`, to track specific information on DNS traffic.
+ - `FlowRTT`, to track TCP latency.
+ enum: + - PacketDrop + - DNSTracking + - FlowRTT + type: string + type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration + regarding flow filtering' + properties: + action: + description: Action defines the action to perform on the + flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + CIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + DestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100". + x-kubernetes-int-or-string: true + direction: + description: Direction defines the direction to filter + flows by. + enum: + - Ingress + - Egress + type: string + enable: + description: Set `enable` to `true` to enable eBPF flow + filtering feature. + type: boolean + icmpCode: + description: ICMPCode defines the ICMP code to filter + flows by. + type: integer + icmpType: + description: ICMPType defines the ICMP type to filter + flows by. + type: integer + peerIP: + description: |- + PeerIP defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + Ports defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10 + x-kubernetes-int-or-string: true + protocol: + description: Protocol defines the protocol to filter flows + by. 
+ enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + SourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100". + x-kubernetes-int-or-string: true + type: object + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + interfaces: + description: |- + `interfaces` contains the interface names from where flows are collected. If empty, the agent + fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + kafkaBatchSize: + default: 1048576 + description: '`kafkaBatchSize` limits the maximum size of + a request in bytes before being sent to a partition. Ignored + when not using Kafka. Default: 1MB.' + type: integer + logLevel: + default: info + description: '`logLevel` defines the log level for the NetObserv + eBPF Agent' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + metrics: + description: '`metrics` defines the eBPF agent configuration + regarding metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ items: + description: |- + Name of a ebpf agent alert. + Possible values are:
+ - `NetObservDroppedFlows`, which is triggered when eBPF agent hashmap table is full.
+ enum: + - NetObservDroppedFlows + type: string + type: array + enable: + description: Set `enable` to `true` to enable eBPF agent + metrics collection. + type: boolean + server: + description: Metrics server endpoint configuration for + Prometheus scraper + properties: + port: + description: The prometheus HTTP port + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is + set to `Provided`. + properties: + certFile: + description: '`certFile` defines the path + to the certificate file name within the + config map or secret' + type: string + certKey: + description: '`certKey` defines the path to + the certificate private key file name within + the config map or secret. Omit when the + key is not necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `Provided`. 
+ properties: + file: + description: File name within the config map + or secret + type: string + name: + description: Name of the config map or secret + containing the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: + "configmap" or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: |- + Select the type of TLS configuration:
+ - `Disabled` (default) to not configure TLS for the endpoint. + - `Provided` to manually provide cert file and a key file. [Unsupported (*)]. + - `Auto` to use OpenShift auto generated certificate using annotations. + enum: + - Disabled + - Provided + - Auto + type: string + type: object + type: object + type: object + privileged: + description: |- + Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets + granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container. + If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF + is in use, then you can turn on this mode for more global privileges. + Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support. + type: boolean + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources` are the compute resources required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + sampling: + default: 50 + description: Sampling rate of the flow reporter. 100 means + one flow on 100 is sent. 0 or 1 means all flows are sampled. + format: int32 + minimum: 0 + type: integer + type: object + ipfix: + description: |- + `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type` + is set to `IPFIX`. + properties: + cacheActiveTimeout: + default: 20s + description: '`cacheActiveTimeout` is the max period during + which the reporter aggregates flows before sending.' + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 400 + description: '`cacheMaxFlows` is the max number of flows in + an aggregate; when reached, the reporter sends the flows.' 
+ format: int32 + minimum: 0 + type: integer + clusterNetworkOperator: + description: '`clusterNetworkOperator` defines the settings + related to the OpenShift Cluster Network Operator, when + available.' + properties: + namespace: + default: openshift-network-operator + description: Namespace where the config map is going + to be deployed. + type: string + type: object + forceSampleAll: + default: false + description: |- + `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter. + It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability. + If you REALLY want to do that, set this flag to `true`. Use at your own risk. + When it is set to `true`, the value of `sampling` is ignored. + type: boolean + ovnKubernetes: + description: '`ovnKubernetes` defines the settings of the + OVN-Kubernetes CNI, when available. This configuration is + used when using OVN''s IPFIX exports, without OpenShift. + When using OpenShift, refer to the `clusterNetworkOperator` + property instead.' + properties: + containerName: + default: ovnkube-node + description: '`containerName` defines the name of the + container to configure for IPFIX.' + type: string + daemonSetName: + default: ovnkube-node + description: '`daemonSetName` defines the name of the + DaemonSet controlling the OVN-Kubernetes pods.' + type: string + namespace: + default: ovn-kubernetes + description: Namespace where OVN-Kubernetes pods are deployed. + type: string + type: object + sampling: + default: 400 + description: |- + `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent. + To ensure cluster stability, it is not possible to set a value below 2. + If you really want to sample every packet, which might impact the cluster stability, + refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX. 
+ format: int32 + minimum: 2 + type: integer + type: object + type: + default: eBPF + description: |- + `type` [deprecated (*)] selects the flows tracing agent. The only possible value is `eBPF` (default), to use NetObserv eBPF agent.
+ Previously, using an IPFIX collector was allowed, but was deprecated and it is now removed.
+ Setting `IPFIX` is ignored and still use the eBPF Agent. + Since there is only a single option here, this field will be remove in a future API version. + enum: + - eBPF + - IPFIX + type: string + type: object + consolePlugin: + description: '`consolePlugin` defines the settings related to the + OpenShift Console plugin, when available.' + properties: + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the console plugin. + This section is aimed mostly for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + args: + description: |- + `args` allows passing custom arguments to underlying components. Useful for overriding + some parameters, such as an url or a configuration path, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + items: + type: string + type: array + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + port: + default: 9001 + description: '`port` is the plugin service port. Do not use + 9002, which is reserved for metrics.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + register: + default: true + description: |- + `register` allows, when set to `true`, to automatically register the provided console plugin with the OpenShift Console operator. 
+ When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: + `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'` + type: boolean + scheduling: + description: scheduling controls whether the pod will be scheduled + or not. + properties: + affinity: + description: If specified, the pod's scheduling constraints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. 
+ items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + x-kubernetes-map-type: atomic + priorityClassName: + description: |- + If specified, indicates the pod's priority. 
"system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + tolerations: + description: tolerations is a list of tolerations that + allow the pod to schedule onto nodes with matching taints. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array + type: object + type: object + autoscaler: + description: '`autoscaler` spec of a horizontal pod autoscaler + to set up for the plugin Deployment.' + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' + format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + 
type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. 
+ format: int32 + type: integer + status: + default: Disabled + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `Disabled` does not deploy an horizontal pod autoscaler.
+ - `Enabled` deploys an horizontal pod autoscaler.
+ enum: + - Disabled + - Enabled + type: string + type: object + enable: + default: true + description: |- + Enables the console plugin deployment. + `spec.loki.enable` must also be `true` + type: boolean + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + logLevel: + default: info + description: '`logLevel` for the console plugin backend' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + portNaming: + default: + enable: true + description: '`portNaming` defines the configuration of the port-to-service + name translation' + properties: + enable: + default: true + description: Enable the console plugin port-to-service name + translation + type: boolean + portNames: + additionalProperties: + type: string + description: |- + `portNames` defines additional port names to use in the console, + for example, `portNames: {"3100": "loki"}`. + type: object + type: object + quickFilters: + default: + - default: true + filter: + flow_layer: app + name: Applications + - filter: + flow_layer: infra + name: Infrastructure + - default: true + filter: + dst_kind: Pod + src_kind: Pod + name: Pods network + - filter: + dst_kind: Service + name: Services network + description: '`quickFilters` configures quick filter presets for + the Console plugin' + items: + description: '`QuickFilter` defines preset configuration for + Console''s quick filters' + properties: + default: + description: '`default` defines whether this filter should + be active by default or not' + type: boolean + filter: + additionalProperties: + type: string + description: |- + `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, + for example, `filter: {"src_namespace": "namespace1,namespace2"}`. 
+ type: object + name: + description: Name of the filter, that is displayed in the + Console + type: string + required: + - filter + - name + type: object + type: array + replicas: + default: 1 + description: '`replicas` defines the number of replicas (pods) + to start.' + format: int32 + minimum: 0 + type: integer + resources: + default: + limits: + memory: 100Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources`, in terms of compute resources, required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + deploymentModel: + default: Direct + description: |- + `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:
+ - `Direct` (default) to make the flow processor listening directly from the agents.
+ - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.
+ Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka). + enum: + - Direct + - Kafka + type: string + exporters: + description: '`exporters` define additional optional exporters for + custom consumption or storage.' + items: + description: '`FlowCollectorExporter` defines an additional exporter + to send enriched flows to.' + properties: + ipfix: + description: IPFIX configuration, such as the IP address and + port to send enriched IPFIX flows to. + properties: + targetHost: + default: "" + description: Address of the IPFIX external receiver + type: string + targetPort: + description: Port for the IPFIX external receiver + type: integer + transport: + description: Transport protocol (`TCP` or `UDP`) to be used + for the IPFIX connection, defaults to `TCP`. + enum: + - TCP + - UDP + type: string + required: + - targetHost + - targetPort + type: object + kafka: + description: Kafka configuration, such as the address and topic, + to send enriched flows to. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported + (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: Type of SASL authentication to use, or + `Disabled` if SASL is not used + enum: + - Disabled + - Plain + - ScramSHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, + generally 9093. + properties: + caCert: + description: '`caCert` defines the reference of the + certificate for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it + when using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv + does not create it. + type: string + required: + - address + - topic + type: object + type: + description: '`type` selects the type of exporters. The available + options are `Kafka` and `IPFIX`.' 
+ enum: + - Kafka + - IPFIX + type: string + required: + - type + type: object + type: array + kafka: + description: Kafka configuration, allowing to use Kafka as a broker + as part of the flow collection pipeline. Available when the `spec.deploymentModel` + is `Kafka`. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: Type of SASL authentication to use, or `Disabled` + if SASL is not used + enum: + - Disabled + - Plain + - ScramSHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, generally + 9093. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv does + not create it. + type: string + required: + - address + - topic + type: object + loki: + description: '`loki`, the flow store, client settings.' + properties: + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the Loki clients. + This section is aimed mostly for debugging and fine-grained performance optimizations. + properties: + staticLabels: + additionalProperties: + type: string + default: + app: netobserv-flowcollector + description: '`staticLabels` is a map of common labels to + set on each flow in Loki storage.' + type: object + writeMaxBackoff: + default: 5s + description: '`writeMaxBackoff` is the maximum backoff time + for Loki client connection between retries.' 
+ type: string + writeMaxRetries: + default: 2 + description: '`writeMaxRetries` is the maximum number of retries + for Loki client connections.' + format: int32 + minimum: 0 + type: integer + writeMinBackoff: + default: 1s + description: '`writeMinBackoff` is the initial backoff time + for Loki client connection between retries.' + type: string + type: object + enable: + default: true + description: Set `enable` to `true` to store flows in Loki. It + is required for the OpenShift Console plugin installation. + type: boolean + lokiStack: + description: |- + Loki configuration for `LokiStack` mode. This is useful for an easy loki-operator configuration. + It is ignored for other modes. + properties: + name: + default: loki + description: Name of an existing LokiStack resource to use. + type: string + namespace: + description: Namespace where this `LokiStack` resource is + located. If omitted, it is assumed to be the same as `spec.namespace`. + type: string + type: object + manual: + description: |- + Loki configuration for `Manual` mode. This is the most flexible configuration. + It is ignored for other modes. + properties: + authToken: + default: Disabled + description: |- + `authToken` describes the way to get a token to authenticate to Loki.
+ - `Disabled` does not send any token with the request.
+ - `Forward` forwards the user token for authorization.
+ - `Host` [deprecated (*)] - uses the local pod service account to authenticate to Loki.
+ When using the Loki Operator, this must be set to `Forward`. + enum: + - Disabled + - Host + - Forward + type: string + ingesterUrl: + default: http://loki:3100/ + description: |- + `ingesterUrl` is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator, + set it to the Loki gateway service with the `network` tenant set in path, for example + https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. + type: string + querierUrl: + default: http://loki:3100/ + description: |- + `querierUrl` specifies the address of the Loki querier service. + When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example + https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. + type: string + statusTls: + description: TLS client configuration for Loki status URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + statusUrl: + description: |- + `statusUrl` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the + Loki querier URL. If empty, the `querierUrl` value is used. + This is useful to show error messages and some context in the frontend. + When using the Loki Operator, set it to the Loki HTTP query frontend service, for example + https://loki-query-frontend-http.netobserv.svc:3100/. 
+ `statusTLS` configuration is used when `statusUrl` is set. + type: string + tenantID: + default: netobserv + description: |- + `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request. + When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode. + type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + type: object + microservices: + description: |- + Loki configuration for `Microservices` mode. + Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). + It is ignored for other modes. + properties: + ingesterUrl: + default: http://loki-distributor:3100/ + description: '`ingesterUrl` is the address of an existing + Loki ingester service to push the flows to.' + type: string + querierUrl: + default: http://loki-query-frontend:3100/ + description: '`querierURL` specifies the address of the Loki + querier service.' + type: string + tenantID: + default: netobserv + description: '`tenantID` is the Loki `X-Scope-OrgID` header + that identifies the tenant for each request.' + type: string + tls: + description: TLS client configuration for Loki URL. 
+ properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + type: object + mode: + default: Monolithic + description: |- + `mode` must be set according to the installation mode of Loki:
+ - Use `LokiStack` when Loki is managed using the Loki Operator
+ - Use `Monolithic` when Loki is installed as a monolithic workload
+ - Use `Microservices` when Loki is installed as microservices, but without Loki Operator
+ - Use `Manual` if none of the options above match your setup
+ enum: + - Manual + - LokiStack + - Monolithic + - Microservices + type: string + monolithic: + description: |- + Loki configuration for `Monolithic` mode. + Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). + It is ignored for other modes. + properties: + tenantID: + default: netobserv + description: '`tenantID` is the Loki `X-Scope-OrgID` header + that identifies the tenant for each request.' + type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + url: + default: http://loki:3100/ + description: '`url` is the unique address of an existing Loki + service that points to both the ingester and the querier.' + type: string + type: object + readTimeout: + default: 30s + description: |- + `readTimeout` is the maximum console plugin loki query total time limit. + A timeout of zero means no timeout. + type: string + writeBatchSize: + default: 102400 + description: '`writeBatchSize` is the maximum batch size (in bytes) + of Loki logs to accumulate before sending.' + format: int64 + minimum: 1 + type: integer + writeBatchWait: + default: 1s + description: '`writeBatchWait` is the maximum time to wait before + sending a Loki batch.' + type: string + writeTimeout: + default: 10s + description: |- + `writeTimeout` is the maximum Loki time connection / request limit. + A timeout of zero means no timeout. 
+ type: string + type: object + namespace: + default: netobserv + description: Namespace where NetObserv pods are deployed. + type: string + processor: + description: |- + `processor` defines the settings of the component that receives the flows from the agent, + enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter. + properties: + addZone: + description: |- + `addZone` allows availability zone awareness by labelling flows with their source and destination zones. + This feature requires the "topology.kubernetes.io/zone" label to be set on nodes. + type: boolean + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the flow processor. + This section is aimed mostly for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + conversationEndTimeout: + default: 10s + description: |- + `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended. + This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead). + type: string + conversationHeartbeatInterval: + default: 30s + description: '`conversationHeartbeatInterval` is the time + to wait between "tick" events of a conversation' + type: string + conversationTerminatingTimeout: + default: 5s + description: '`conversationTerminatingTimeout` is the time + to wait from detected FIN flag to end a conversation. Only + relevant for TCP flows.' + type: string + dropUnusedFields: + default: true + description: '`dropUnusedFields` [deprecated (*)] this setting + is not used anymore.' 
+ type: boolean + enableKubeProbes: + default: true + description: '`enableKubeProbes` is a flag to enable or disable + Kubernetes liveness and readiness probes' + type: boolean + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + healthPort: + default: 8080 + description: '`healthPort` is a collector HTTP port in the + Pod that exposes the health check API' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + port: + default: 2055 + description: |- + Port of the flow collector (host port). + By convention, some values are forbidden. It must be greater than 1024 and different from + 4500, 4789 and 6081. + format: int32 + maximum: 65535 + minimum: 1025 + type: integer + profilePort: + default: 6060 + description: '`profilePort` allows setting up a Go pprof profiler + listening to this port' + format: int32 + maximum: 65535 + minimum: 0 + type: integer + scheduling: + description: scheduling controls whether the pod will be scheduled + or not. + properties: + affinity: + description: If specified, the pod's scheduling constraints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. 
+ type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. 
+ type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. 
+ If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. 
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. 
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + x-kubernetes-map-type: atomic + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + tolerations: + description: tolerations is a list of tolerations that + allow the pod to schedule onto nodes with matching taints. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. 
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + clusterName: + default: "" + description: '`clusterName` is the name of the cluster to appear + in the flows data. This is useful in a multi-cluster context. + When using OpenShift, leave empty to make it automatically determined.' + type: string + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + kafkaConsumerAutoscaler: + description: |- + `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' 
+ format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: 
+ - metric + - target + type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + 
x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: Disabled + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `Disabled` does not deploy an horizontal pod autoscaler.
+ - `Enabled` deploys an horizontal pod autoscaler.
+ enum: + - Disabled + - Enabled + type: string + type: object + kafkaConsumerBatchSize: + default: 10485760 + description: '`kafkaConsumerBatchSize` indicates to the broker + the maximum batch size, in bytes, that the consumer accepts. + Ignored when not using Kafka. Default: 10MB.' + type: integer + kafkaConsumerQueueCapacity: + default: 1000 + description: '`kafkaConsumerQueueCapacity` defines the capacity + of the internal message queue used in the Kafka consumer client. + Ignored when not using Kafka.' + type: integer + kafkaConsumerReplicas: + default: 3 + description: |- + `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + format: int32 + minimum: 0 + type: integer + logLevel: + default: info + description: '`logLevel` of the processor runtime' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + logTypes: + default: Flows + description: |- + `logTypes` defines the desired record types to generate. Possible values are:
+ - `Flows` (default) to export regular network flows
+ - `Conversations` to generate events for started conversations, ended conversations as well as periodic "tick" updates
+ - `EndedConversations` to generate only ended conversations events
+ - `All` to generate both network flows and all conversations events
+ enum: + - Flows + - Conversations + - EndedConversations + - All + type: string + metrics: + description: '`Metrics` define the processor configuration regarding + metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ items: + description: |- + Name of a processor alert. + Possible values are:
+ - `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ - `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ enum: + - NetObservNoFlows + - NetObservLokiError + type: string + type: array + includeList: + description: |- + `includeList` is a list of metric names to specify which ones to generate. + The names correspond to the names in Prometheus without the prefix. For example, + `namespace_egress_packets_total` shows up as `netobserv_namespace_egress_packets_total` in Prometheus. + Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. + Metrics enabled by default are: + `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled), + `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled). + More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md + items: + description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md. 
+ enum: + - namespace_egress_bytes_total + - namespace_egress_packets_total + - namespace_ingress_bytes_total + - namespace_ingress_packets_total + - namespace_flows_total + - node_egress_bytes_total + - node_egress_packets_total + - node_ingress_bytes_total + - node_ingress_packets_total + - node_flows_total + - workload_egress_bytes_total + - workload_egress_packets_total + - workload_ingress_bytes_total + - workload_ingress_packets_total + - workload_flows_total + - namespace_drop_bytes_total + - namespace_drop_packets_total + - node_drop_bytes_total + - node_drop_packets_total + - workload_drop_bytes_total + - workload_drop_packets_total + - namespace_rtt_seconds + - node_rtt_seconds + - workload_rtt_seconds + - namespace_dns_latency_seconds + - node_dns_latency_seconds + - workload_dns_latency_seconds + type: string + type: array + server: + description: Metrics server endpoint configuration for Prometheus + scraper + properties: + port: + description: The prometheus HTTP port + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is set + to `Provided`. + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `Provided`. + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret + containing the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: |- + Select the type of TLS configuration:
+ - `Disabled` (default) to not configure TLS for the endpoint. + - `Provided` to manually provide cert file and a key file. [Unsupported (*)]. + - `Auto` to use OpenShift auto generated certificate using annotations. + enum: + - Disabled + - Provided + - Auto + type: string + type: object + type: object + type: object + multiClusterDeployment: + default: false + description: Set `multiClusterDeployment` to `true` to enable + multi clusters feature. This adds `clusterName` label to flows + data + type: boolean + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 100Mi + description: |- + `resources` are the compute resources required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + subnetLabels: + description: |- + `SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift. + When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`. + properties: + customLabels: + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. + items: + description: SubnetLabel allows to label subnets and IPs, + such as to identify cluster-external workloads or web + services. + properties: + cidrs: + description: List of CIDRs, such as `["1.2.3.4/32"]`. + items: + type: string + type: array + name: + description: Label name, used to flag matching flows. + type: string + type: object + type: array + openShiftAutoDetect: + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. 
Indirectly, this is a way to accurately detect + external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift. + type: boolean + type: object + type: object + type: object + status: + description: '`FlowCollectorStatus` defines the observed state of FlowCollector' + properties: + conditions: + description: '`conditions` represent the latest available observations + of an object''s state' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + namespace: + description: |- + Namespace where console plugin and flowlogs-pipeline have been deployed. 
+ Deprecated: annotations are used instead + type: string + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + service.beta.openshift.io/inject-cabundle: "true" + name: flowmetrics.flows.netobserv.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: netobserv-webhook-service + namespace: netobserv + path: /convert + conversionReviewVersions: + - v1 + group: flows.netobserv.io + names: + kind: FlowMetric + listKind: FlowMetricList + plural: flowmetrics + singular: flowmetric + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: FlowMetric is the Schema for the flowmetrics API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + FlowMetricSpec defines the desired state of FlowMetric + The provided API allows you to customize these metrics according to your needs.
+ When adding new metrics or modifying existing labels, you must carefully monitor the memory + usage of Prometheus workloads as this could potentially have a high impact. Cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric
+ To check the cardinality of all NetObserv metrics, run as `promql`: `count({__name__=~"netobserv.*"}) by (__name__)`. + properties: + buckets: + description: A list of buckets to use when `type` is "Histogram". + The list must be parseable as floats. When not set, Prometheus default + buckets are used. + items: + type: string + type: array + charts: + description: Charts configuration, for the OpenShift Console in the + administrator view, Dashboards menu. + items: + description: Configures charts / dashboard generation associated + to a metric + properties: + dashboardName: + default: Main + description: Name of the containing dashboard. If this name + does not refer to an existing dashboard, a new dashboard is + created. + type: string + queries: + description: |- + List of queries to be displayed on this chart. If `type` is `SingleStat` and multiple queries are provided, + this chart is automatically expanded in several panels (one per query). + items: + description: Configures PromQL queries + properties: + legend: + description: |- + The query legend that applies to each timeseries represented in this chart. When multiple timeseries are displayed, you should set a legend + that distinguishes each of them. It can be done with the following format: `{{ Label }}`. For example, if the `promQL` groups timeseries per + label such as: `sum(rate($METRIC[2m])) by (Label1, Label2)`, you may write as the legend: `Label1={{ Label1 }}, Label2={{ Label2 }}`. + type: string + promQL: + description: |- + The `promQL` query to be run against Prometheus. If the chart `type` is `SingleStat`, this query should only return + a single timeseries. For other types, a top 7 is displayed. + You can use `$METRIC` to refer to the metric defined in this resource. For example: `sum(rate($METRIC[2m]))`. 
+ To learn more about `promQL`, refer to the Prometheus documentation: https://prometheus.io/docs/prometheus/latest/querying/basics/ + type: string + top: + default: 7 + description: Top N series to display per timestamp. Does + not apply to `SingleStat` chart type. + minimum: 1 + type: integer + required: + - legend + - promQL + - top + type: object + type: array + sectionName: + description: |- + Name of the containing dashboard section. If this name does not refer to an existing section, a new section is created. + If `sectionName` is omitted or empty, the chart is placed in the global top section. + type: string + title: + description: Title of the chart. + type: string + type: + description: Type of the chart. + enum: + - SingleStat + - Line + - StackArea + type: string + unit: + description: Unit of this chart. Only a few units are currently + supported. Leave empty to use generic number. + enum: + - bytes + - seconds + - Bps + - pps + - percent + type: string + required: + - dashboardName + - queries + - title + - type + type: object + type: array + direction: + default: Any + description: |- + Filter for ingress, egress or any direction flows. + When set to `Ingress`, it is equivalent to adding the regex filter on `FlowDirection`: `0|2`. + When set to `Egress`, it is equivalent to adding the regex filter on `FlowDirection`: `1|2`. + enum: + - Any + - Egress + - Ingress + type: string + divider: + description: When non-zero, scale factor (divider) of the value. Metric + value = Flow value / Divider. + type: string + filters: + description: |- + `filters` is a list of fields and values used to restrict which flows are taken into account. Oftentimes, these filters must + be used to eliminate duplicates: `Duplicate != "true"` and `FlowDirection = "0"`. + Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html. 
+ items: + properties: + field: + description: Name of the field to filter on + type: string + matchType: + default: Equal + description: Type of matching to apply + enum: + - Equal + - NotEqual + - Presence + - Absence + - MatchRegex + - NotMatchRegex + type: string + value: + description: Value to filter on. When `matchType` is `Equal` + or `NotEqual`, you can use field injection with `$(SomeField)` + to refer to any other field of the flow. + type: string + required: + - field + - matchType + type: object + type: array + labels: + description: |- + `labels` is a list of fields that should be used as Prometheus labels, also known as dimensions. + From choosing labels results the level of granularity of this metric, as well as the available aggregations at query time. + It must be done carefully as it impacts the metric cardinality (cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric). + In general, avoid setting very high cardinality labels such as IP or MAC addresses. + "SrcK8S_OwnerName" or "DstK8S_OwnerName" should be preferred over "SrcK8S_Name" or "DstK8S_Name" as much as possible. + Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html. + items: + type: string + type: array + metricName: + description: Name of the metric. In Prometheus, it is automatically + prefixed with "netobserv_". + type: string + type: + description: |- + Metric type: "Counter" or "Histogram". + Use "Counter" for any value that increases over time and on which you can compute a rate, such as Bytes or Packets. + Use "Histogram" for any value that must be sampled independently, such as latencies. + enum: + - Counter + - Histogram + type: string + valueField: + description: |- + `valueField` is the flow field that must be used as a value for this metric. This field must hold numeric values. 
+ Leave empty to count flows rather than a specific value per flow. + Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html. + type: string + required: + - metricName + - type + type: object + status: + description: FlowMetricStatus defines the observed state of FlowMetric + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/charts/network-observability-operator/templates/_helpers.tpl b/charts/network-observability-operator/templates/_helpers.tpl new file mode 100644 index 0000000000..0d34fcaeec --- /dev/null +++ b/charts/network-observability-operator/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "network-observability-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "network-observability-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "network-observability-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "network-observability-operator.labels" -}} +helm.sh/chart: {{ include "network-observability-operator.chart" . }} +{{ include "network-observability-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "network-observability-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "network-observability-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "network-observability-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "network-observability-operator.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/network-observability-operator/templates/cert.yaml b/charts/network-observability-operator/templates/cert.yaml new file mode 100644 index 0000000000..df894d0c01 --- /dev/null +++ b/charts/network-observability-operator/templates/cert.yaml @@ -0,0 +1,25 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "network-observability-operator.fullname" . }}-ca +spec: + isCA: true + commonName: {{ include "network-observability-operator.fullname" . }}-ca + subject: + organizations: + - Plural + secretName: webhook-server-cert + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: Issuer + group: cert-manager.io \ No newline at end of file diff --git a/charts/network-observability-operator/templates/config.yaml b/charts/network-observability-operator/templates/config.yaml new file mode 100644 index 0000000000..768c34f469 --- /dev/null +++ b/charts/network-observability-operator/templates/config.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 7a7ecdcd.netobserv.io +kind: ConfigMap +metadata: + labels: + {{- include "network-observability-operator.labels" . | nindent 4 }} + name: netobserv-manager-config \ No newline at end of file diff --git a/charts/network-observability-operator/templates/deployment.yaml b/charts/network-observability-operator/templates/deployment.yaml new file mode 100644 index 0000000000..6799b1d25e --- /dev/null 
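Review bot: `network-observability-operator.serviceAccountName` falls back to the namespace's `default` service account when `serviceAccount.create` is false and no name is given; in this chart that account becomes the subject of the `netobserv-manager-role` ClusterRoleBinding, which carries cluster-wide secrets and RBAC write access, so a user who merely disables SA creation silently grants those rights to every pod in the namespace that runs as `default`. Make the name mandatory in that branch: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. The rest of the file is the stock Helm scaffold and looks fine.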
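Review bot: The Certificate is issued with `isCA: true` and no `dnsNames`, yet its secret `webhook-server-cert` is what the manager mounts under `/tmp/k8s-webhook-server/serving-certs` as its webhook serving certificate; kube-apiserver verifies the webhook endpoint as `netobserv-webhook-service.<namespace>.svc`, so a certificate without that SAN fails hostname verification and, combined with `failurePolicy: Fail` on the webhook configuration, blocks every admission it covers. Issue a plain serving certificate for the service name instead (below). Because `service.beta.openshift.io/inject-cabundle` is only honoured where the OpenShift service-ca operator runs, the ValidatingWebhookConfiguration also needs `cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "network-observability-operator.fullname" . }}-ca'` so cert-manager's cainjector populates `caBundle`; the self-signed Issuer is fine as the bootstrap for that pattern.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "network-observability-operator.fullname" . }}-ca
spec:
  # serving certificate for the webhook Service, not a CA (isCA removed)
  commonName: netobserv-webhook-service.{{ .Release.Namespace }}.svc
  dnsNames:
    - netobserv-webhook-service.{{ .Release.Namespace }}.svc
    - netobserv-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
  usages:
    - server auth
    - digital signature
    - key encipherment
  # … unchanged: subject, secretName, privateKey, issuerRef …
```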
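Review bot: The `netobserv-manager-config` ConfigMap is not referenced anywhere in this patch as far as it shows — deployment.yaml mounts only the `cert` secret and passes `--health-probe-bind-address`, `--metrics-bind-address` and `--leader-elect` as flags — so it is dead configuration that will drift from the real settings (it already duplicates the bind addresses and the leader-election setting). Either drop it, or mount it and start the manager with `--config=/controller_manager_config.yaml` and remove the duplicated flags. `ControllerManagerConfig` v1alpha1 is, I believe, deprecated in recent controller-runtime releases, which argues for dropping it.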
+++ b/charts/network-observability-operator/templates/deployment.yaml 
@@ -0,0 +1,195 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "network-observability-operator.fullname" . }} + labels: + {{- include "network-observability-operator.labels" . | nindent 4 }} +spec: + progressDeadlineSeconds: 600 + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "network-observability-operator.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "network-observability-operator.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --ebpf-agent-image=$(RELATED_IMAGE_EBPF_AGENT) + - --flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE) + - --console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN) + - --downstream-deployment=$(DOWNSTREAM_DEPLOYMENT) + - --profiling-bind-address=$(PROFILING_BIND_ADDRESS) + - --enable-http2=false + command: + - /manager + env: + - name: ENABLE_WEBHOOKS + value: "false" + - name: RELATED_IMAGE_EBPF_AGENT + value: quay.io/netobserv/netobserv-ebpf-agent:v0.3.3 + - name: RELATED_IMAGE_FLOWLOGS_PIPELINE + value: quay.io/netobserv/flowlogs-pipeline:v0.1.11 + - name: RELATED_IMAGE_CONSOLE_PLUGIN + value: quay.io/netobserv/network-observability-console-plugin:v0.1.12 + - name: DOWNSTREAM_DEPLOYMENT + value: "false" + - name: PROFILING_BIND_ADDRESS + - name: OPERATOR_CONDITION_NAME + value: netobserv-operator.v1.0.5 + image: quay.io/netobserv/network-observability-operator:1.0.5 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 15 + 
periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 1 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + memory: 400Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + - --http2-disable + env: + - name: OPERATOR_CONDITION_NAME + value: netobserv-operator.v1.0.5 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + runAsNonRoot: true + serviceAccount: {{ include "network-observability-operator.serviceAccountName" . }} + serviceAccountName: {{ include "network-observability-operator.serviceAccountName" . 
}} + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + service.beta.openshift.io/inject-cabundle: "true" + name: netobserv-validating-webhook-configuration +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: netobserv-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /validate-netobserv-io-v1beta2-flowcollector + failurePolicy: Fail + name: flowcollectorconversionwebhook.netobserv.io + rules: + - apiGroups: + - netobserv.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - flowcollectors + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: netobserv-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /validate-flows-netobserv-io-v1alpha1-flowmetric + failurePolicy: Fail + name: flowmetricvalidationwebhook.netobserv.io + rules: + - apiGroups: + - flows.netobserv.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - flowmetrics + sideEffects: None diff --git a/charts/network-observability-operator/templates/loki.yaml b/charts/network-observability-operator/templates/loki.yaml new file mode 100644 index 0000000000..32ad248038 --- /dev/null +++ b/charts/network-observability-operator/templates/loki.yaml 
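Review bot: The ValidatingWebhookConfiguration at the end of this hunk registers two webhooks with `failurePolicy: Fail` against `netobserv-webhook-service`, but the manager container is started with `ENABLE_WEBHOOKS` set to `"false"`, so as far as this patch shows nothing serves port 9443 and every FlowCollector/FlowMetric create or update is rejected by the API server (fail-closed); set `ENABLE_WEBHOOKS` to `"true"` or do not ship the webhook configuration. The first rule also targets `apiGroups: - netobserv.io`, while the FlowCollector CR added in the second patch is `flows.netobserv.io/v1beta2`, so that rule would match nothing even with the server up and should read `- flows.netobserv.io` like the second rule. `caBundle` injection relies on the OpenShift-only `service.beta.openshift.io/inject-cabundle` annotation; with cert-manager it needs `cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/<certificate-name>'` or TLS verification fails. Separately, the pod sets `runAsNonRoot: true` but no `seccompProfile`, unlike the loki pod in loki.yaml; add `seccompProfile: {type: RuntimeDefault}` under the pod securityContext to meet the restricted Pod Security Standard, and lower kube-rbac-proxy's `--v=10`, which is debug-level logging on an authentication proxy.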
@@ -0,0 +1,143 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki-config +data: + local-config.yaml: | + auth_enabled: false + server: + http_listen_port: 3100 + grpc_listen_port: 9096 + grpc_server_max_recv_msg_size: 10485760 + http_server_read_timeout: 1m + http_server_write_timeout: 1m + log_level: error + target: all + common: + path_prefix: /loki-store + storage: + filesystem: + chunks_directory: /loki-store/chunks + rules_directory: /loki-store/rules + replication_factor: 1 + ring: + instance_addr: 127.0.0.1 + kvstore: + store: inmemory + compactor: + compaction_interval: 5m + retention_enabled: true + retention_delete_delay: 2h + retention_delete_worker_count: 150 + frontend: + compress_responses: true + ingester: + chunk_encoding: snappy + chunk_retain_period: 1m + query_range: + align_queries_with_step: true + cache_results: true + max_retries: 5 + results_cache: + cache: + enable_fifocache: true + fifocache: + max_size_bytes: 500MB + validity: 24h + parallelise_shardable_queries: true + query_scheduler: + max_outstanding_requests_per_tenant: 2048 + schema_config: + configs: + - from: 2022-01-01 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + storage_config: + filesystem: + directory: /loki-store/storage + boltdb_shipper: + active_index_directory: /loki-store/index + shared_store: filesystem + cache_location: /loki-store/boltdb-cache + cache_ttl: 24h + limits_config: + ingestion_rate_strategy: global + ingestion_rate_mb: 10 + ingestion_burst_size_mb: 10 + max_label_name_length: 1024 + max_label_value_length: 2048 + max_label_names_per_series: 30 + reject_old_samples: true + reject_old_samples_max_age: 15m + creation_grace_period: 10m + enforce_metric_name: false + max_line_size: 256000 + max_line_size_truncate: false + max_entries_limit_per_query: 10000 + max_streams_per_user: 0 + max_global_streams_per_user: 0 + unordered_writes: true + max_chunks_per_query: 2000000 + max_query_length: 
721h + max_query_parallelism: 32 + max_query_series: 10000 + cardinality_limit: 100000 + max_streams_matchers_per_query: 1000 + max_concurrent_tail_requests: 10 + retention_period: 24h + max_cache_freshness_per_query: 5m + max_queriers_per_tenant: 0 + per_stream_rate_limit: 3MB + per_stream_rate_limit_burst: 15MB + max_query_lookback: 0 + min_sharding_lookback: 0s + split_queries_by_interval: 1m +--- +apiVersion: v1 +kind: Pod +metadata: + name: loki + labels: + app: loki +spec: + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + fsGroup: 1000 + volumes: + - name: loki-store + persistentVolumeClaim: + claimName: loki-store + - name: loki-config + configMap: + name: loki-config + containers: + - name: loki + image: grafana/loki:2.9.0 + volumeMounts: + - mountPath: "/loki-store" + name: loki-store + - mountPath: "/etc/loki" + name: loki-config + securityContext: + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL +--- +kind: Service +apiVersion: v1 +metadata: + name: loki +spec: + selector: + app: loki + ports: + - port: 3100 + protocol: TCP diff --git a/charts/network-observability-operator/templates/rbac.yaml b/charts/network-observability-operator/templates/rbac.yaml new file mode 100644 index 0000000000..50a460e771 --- /dev/null +++ b/charts/network-observability-operator/templates/rbac.yaml 
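Review bot: `auth_enabled: false` in `loki-config` together with the `loki` Service on port 3100 exposes an unauthenticated Loki read/write API to every pod that can reach the namespace; this patch adds no NetworkPolicy, so any workload in the cluster can push fabricated flow records or read the complete network-flow history. At minimum add a NetworkPolicy restricting ingress on 3100 to the flowlogs-pipeline and console-plugin pods, and note in values/README that the `tenantID` configured on the FlowCollector presumably has no isolating effect in this mode. The Loki workload is a bare `Pod` rather than a Deployment/StatefulSet, so it is not rescheduled if its node is lost, and its container has no resource requests or limits although `limits_config` allows unlimited streams (`max_streams_per_user: 0`). The container securityContext could also carry `runAsNonRoot: true` to enforce what `runAsUser: 1000` only sets.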
@@ -0,0 +1,303 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: netobserv-leader-election-role + namespace: '{{ .Release.Namespace }}' +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: netobserv-manager-role +rules: + - nonResourceURLs: + - /metrics + verbs: + - get + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - config.openshift.io + resources: + - clusterversions + - networks + verbs: + - get + - list + - watch + - apiGroups: + - console.openshift.io + resources: + - consoleplugins + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps + - namespaces + - secrets + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + - pods + - services + verbs: + - get + - list + - watch + - apiGroups: + - flows.netobserv.io + resources: + - flowcollectors + verbs: + 
- create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - flows.netobserv.io + resources: + - flowcollectors/finalizers + verbs: + - update + - apiGroups: + - flows.netobserv.io + resources: + - flowcollectors/status + verbs: + - get + - patch + - update + - apiGroups: + - flows.netobserv.io + resources: + - flowmetrics + verbs: + - get + - list + - watch + - apiGroups: + - loki.grafana.com + resourceNames: + - logs + resources: + - network + verbs: + - create + - get + - apiGroups: + - monitoring.coreos.com + resources: + - prometheusrules + - servicemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.openshift.io + resources: + - consoles + verbs: + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - create + - list + - update + - watch + - apiGroups: + - security.openshift.io + resourceNames: + - hostnetwork + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: netobserv-proxy-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: netobserv-leader-election-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: netobserv-leader-election-role +subjects: + - kind: ServiceAccount + name: {{ include "network-observability-operator.serviceAccountName" . 
}} + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: netobserv-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: netobserv-manager-role +subjects: + - kind: ServiceAccount + name: {{ include "network-observability-operator.serviceAccountName" . }} + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: netobserv-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: netobserv-proxy-role +subjects: + - kind: ServiceAccount + name: {{ include "network-observability-operator.serviceAccountName" . }} + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/charts/network-observability-operator/templates/service.yaml b/charts/network-observability-operator/templates/service.yaml new file mode 100644 index 0000000000..1d479f5016 --- /dev/null +++ b/charts/network-observability-operator/templates/service.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + name: netobserv-metrics-service + labels: + {{- include "network-observability-operator.labels" . | nindent 4 }} +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + {{- include "network-observability-operator.selectorLabels" . | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "network-observability-operator.labels" . | nindent 4 }} + name: netobserv-webhook-service +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + {{- include "network-observability-operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/network-observability-operator/templates/serviceaccount.yaml b/charts/network-observability-operator/templates/serviceaccount.yaml new file mode 100644 index 0000000000..dd5a5e63a3 --- /dev/null 
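Review bot: `netobserv-manager-role` grants cluster-wide create/update/delete/list/watch on `secrets` plus create/update/delete on `clusterroles` and `clusterrolebindings`, and the `netobserv-manager-rolebinding` ClusterRoleBinding in this hunk hands all of it to the chart's service account; the ability to list every Secret in the cluster is effectively cluster-admin, so this should be stated in values.yaml/README rather than left implicit. The role is presumably copied from the upstream operator bundle — confirm against it — but resources the operator only touches in its own or the FlowCollector namespace (configmaps, services, serviceaccounts, the secrets it creates for flowlogs-pipeline) are candidates for a namespaced Role, leaving the ClusterRole to daemonsets/deployments, nodes/pods reads and the OpenShift-specific groups. Note that `securitycontextconstraints` `use` on `hostnetwork` and the `loki.grafana.com`/`config.openshift.io` rules are OpenShift-only and are harmless but misleading on other distributions; a comment saying so would help.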
+++ b/charts/network-observability-operator/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "network-observability-operator.serviceAccountName" . }} + labels: + {{- include "network-observability-operator.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/network-observability-operator/templates/storage.yaml b/charts/network-observability-operator/templates/storage.yaml new file mode 100644 index 0000000000..172d0662b5 --- /dev/null +++ b/charts/network-observability-operator/templates/storage.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: loki-store +spec: + resources: + requests: + storage: 10G + volumeMode: Filesystem + accessModes: + - ReadWriteOnce diff --git a/charts/network-observability-operator/values.yaml b/charts/network-observability-operator/values.yaml new file mode 100644 index 0000000000..7b92b3aef0 --- /dev/null +++ b/charts/network-observability-operator/values.yaml @@ -0,0 +1,23 @@ +replicaCount: 1 +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + From 7367f46846c2db9f934208a69afb929e96fed430 Mon Sep 17 00:00:00 2001 
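Review bot: `imagePullSecrets` and the whole `autoscaling` block are declared here but nothing consumes them: deployment.yaml never renders `imagePullSecrets`, and the patch contains no HPA template, so `autoscaling.enabled: true` merely drops `replicas` from the Deployment without creating an autoscaler. Either wire them in (`imagePullSecrets` under `spec.template.spec`, an `hpa.yaml`) or remove them so operators are not misled. More important for supply-chain hygiene, none of the image references in deployment.yaml (`quay.io/netobserv/network-observability-operator:1.0.5`, the three `RELATED_IMAGE_*` values, `gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0`) are exposed here, so they cannot be pinned by digest or redirected to a private mirror without forking the template; add an `image`/`relatedImages` section with `repository`, `tag` and optional `digest`, and consider `imagePullPolicy: IfNotPresent` for the pinned operator image instead of `Always`.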
From: Lukasz Zajaczkowski Date: Tue, 14 May 2024 14:55:41 +0200 Subject: [PATCH 2/9] add flowcollector --- .../templates/flows_flowcollector.yaml | 156 ++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 charts/network-observability-operator/templates/flows_flowcollector.yaml diff --git a/charts/network-observability-operator/templates/flows_flowcollector.yaml b/charts/network-observability-operator/templates/flows_flowcollector.yaml new file mode 100644 index 0000000000..9cefceb14b --- /dev/null +++ b/charts/network-observability-operator/templates/flows_flowcollector.yaml 
@@ -0,0 +1,156 @@
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+ name: cluster
+spec:
+ namespace: default
+ deploymentModel: Direct
+ agent:
+ type: eBPF
+ ebpf:
+ imagePullPolicy: IfNotPresent
+ logLevel: info
+ sampling: 50
+ cacheActiveTimeout: 5s
+ cacheMaxFlows: 100000
+ # Change privileged to "true" on old kernel version not knowing CAP_BPF or when using "PacketDrop" feature
+ privileged: false
+ # features:
+ # - "PacketDrop"
+ # - "DNSTracking"
+ # - "FlowRTT"
+ interfaces: []
+ excludeInterfaces: ["lo"]
+ kafkaBatchSize: 1048576
+ #flowFilter:
+ # action: Accept
+ # cidr: 0.0.0.0/0
+ # protocol: UDP
+ # sourcePorts: 53
+ # enable: true
+ metrics:
+ enable: false
+ server:
+ port: 9400
+ # Custom optionnal resources configuration
+ resources:
+ requests:
+ memory: 50Mi
+ cpu: 100m
+ limits:
+ memory: 800Mi
+ processor:
+ imagePullPolicy: IfNotPresent
+ logLevel: info
+ # Change logTypes to "CONVERSATIONS" or "ALL" to enable conversation tracking
+ logTypes: Flows
+ # Append a unique cluster name to each record
+ # clusterName:
+ # addZone: true
+ # subnetLabels:
+ # openShiftAutoDetect: true
+ # customLabels:
+ # - cidrs: []
+ # name: ""
+ metrics:
+ server:
+ port: 9401
+ disableAlerts: []
+ # includeList:
+ # - "node_ingress_bytes_total"
+ # - "workload_ingress_bytes_total"
+ # - "namespace_flows_total"
+ # - "namespace_drop_packets_total"
+ # - "namespace_rtt_seconds"
+ # Kafka consumer stage configuration
+ kafkaConsumerReplicas: 3
+ kafkaConsumerAutoscaler: null
+ kafkaConsumerQueueCapacity: 1000
+ kafkaConsumerBatchSize: 10485760
+ # Custom optionnal resources configuration
+ resources:
+ requests:
+ memory: 100Mi
+ cpu: 100m
+ limits:
+ memory: 800Mi
+ loki:
+ enable: true
+ # Change mode to "LokiStack" to use with the loki operator
+ mode: Monolithic
+ monolithic:
+ url: 'http://loki.{{ .Release.Namespace }}.svc:3100/'
+ tenantID: netobserv
+ tls:
+ enable: false
+ caCert:
+ type: configmap
+ name: loki-gateway-ca-bundle
+ certFile: service-ca.crt
+ lokiStack:
+ name: loki
+ # Change loki operator instance namespace
+ # namespace: loki-operator
+ # Console plugin read timeout
+ readTimeout: 30s
+ # Write stage configuration
+ writeTimeout: 10s
+ writeBatchWait: 1s
+ writeBatchSize: 10485760
+ consolePlugin:
+ enable: true
+ imagePullPolicy: IfNotPresent
+ logLevel: info
+ # Scaling configuration
+ replicas: 1
+ autoscaler:
+ status: Disabled
+ minReplicas: 1
+ maxReplicas: 3
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 50
+ # Custom optionnal port-to-service name translation
+ portNaming:
+ enable: true
+ portNames:
+ "3100": loki
+ # Custom optionnal filter presets
+ quickFilters:
+ - name: Applications
+ filter:
+ flow_layer: 'app'
+ default: true
+ - name: Infrastructure
+ filter:
+ flow_layer: 'infra'
+ - name: Pods network
+ filter:
+ src_kind: 'Pod'
+ dst_kind: 'Pod'
+ default: true
+ - name: Services network
+ filter:
+ dst_kind: 'Service'
+ # Custom optionnal resources configuration
+ resources:
+ requests:
+ memory: 50Mi
+ cpu: 100m
+ limits:
+ memory: 100Mi
+ exporters: []
+ # - type: Kafka
+ # kafka:
+ # address: "kafka-cluster-kafka-bootstrap.netobserv"
+ # topic: netobserv-flows-export
+ # or
+ # - type: IPFIX
+ # ipfix:
+ # targetHost: "ipfix-collector.ipfix.svc.cluster.local"
+ # targetPort: 4739
+ # transport: TCP or UDP (optional - defaults to TCP)
From 8793b1266cae94ff930cd03f455e127b2de5f9d4 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Tue, 14 May 2024 14:58:53 +0200
Subject: [PATCH 3/9] add flowcollector
---
 .../templates/flows_flowcollector.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/network-observability-operator/templates/flows_flowcollector.yaml b/charts/network-observability-operator/templates/flows_flowcollector.yaml
index 9cefceb14b..0f6b4f6c4c 100644
--- a/charts/network-observability-operator/templates/flows_flowcollector.yaml
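Review bot: The Loki connection is fixed at `tls: enable: false` with a plain `http://` URL and a static `tenantID: netobserv`, so flow records leave the processor unencrypted and without client authentication, and nothing in this template lets an installer turn TLS on without editing the chart. The same holds for `sampling: 50`, `privileged: false`, the `logLevel` keys and every `resources` block, all hard-coded here rather than read from `.Values`; sourcing at least the `loki` and `agent.ebpf` sections from values would let each environment tighten them. The four comments reading `optionnal` should read `optional`.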
+++ b/charts/network-observability-operator/templates/flows_flowcollector.yaml
@@ -3,7 +3,7 @@ kind: FlowCollector
 metadata:
 name: cluster
 spec:
- namespace: default
+ namespace: '{{ .Release.Namespace }}'
 deploymentModel: Direct
 agent:
 type: eBPF
From d134a360699575acbea5e518a396b6eef4b987a1 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Tue, 14 May 2024 15:19:44 +0200
Subject: [PATCH 4/9] add flowcollector
---
 .../templates/flows_flowcollector.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/charts/network-observability-operator/templates/flows_flowcollector.yaml b/charts/network-observability-operator/templates/flows_flowcollector.yaml
index 0f6b4f6c4c..bb99158e03 100644
--- a/charts/network-observability-operator/templates/flows_flowcollector.yaml
+++ b/charts/network-observability-operator/templates/flows_flowcollector.yaml
@@ -62,11 +62,6 @@ spec:
 # - "namespace_flows_total"
 # - "namespace_drop_packets_total"
 # - "namespace_rtt_seconds"
- # Kafka consumer stage configuration
- kafkaConsumerReplicas: 3
- kafkaConsumerAutoscaler: null
- kafkaConsumerQueueCapacity: 1000
- kafkaConsumerBatchSize: 10485760
 # Custom optionnal resources configuration
 resources:
 requests:
From 59e697b219307f0e4c4def63f6d1c421395fb4de Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Tue, 14 May 2024 15:44:44 +0200
Subject: [PATCH 5/9] delete loki
---
 .../templates/flows_flowcollector.yaml | 9 +-
 .../templates/loki.yaml | 143 ------------------
 .../templates/storage.yaml | 11 --
 .../values.yaml | 1 +
 .../values.yaml.liquid | 3 +
 5 files changed, 5 insertions(+), 162 deletions(-)
 delete mode 100644 charts/network-observability-operator/templates/loki.yaml
 delete mode 100644 charts/network-observability-operator/templates/storage.yaml
 create mode 100644 charts/network-observability-operator/values.yaml.liquid
diff --git a/charts/network-observability-operator/templates/flows_flowcollector.yaml b/charts/network-observability-operator/templates/flows_flowcollector.yaml
index bb99158e03..9d8d8b4525 100644
--- a/charts/network-observability-operator/templates/flows_flowcollector.yaml
+++ b/charts/network-observability-operator/templates/flows_flowcollector.yaml
@@ -74,14 +74,7 @@ spec:
 # Change mode to "LokiStack" to use with the loki operator
 mode: Monolithic
 monolithic:
- url: 'http://loki.{{ .Release.Namespace }}.svc:3100/'
- tenantID: netobserv
- tls:
- enable: false
- caCert:
- type: configmap
- name: loki-gateway-ca-bundle
- certFile: service-ca.crt
+ url: {{ .Values.lokiUrl }}
 lokiStack:
 name: loki
 # Change loki operator instance namespace
diff --git a/charts/network-observability-operator/templates/loki.yaml b/charts/network-observability-operator/templates/loki.yaml
deleted file mode 100644
index 32ad248038..0000000000
--- a/charts/network-observability-operator/templates/loki.yaml
+++ /dev/null
@@ -1,143 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki-config -data: - local-config.yaml: | - auth_enabled: false - server: - http_listen_port: 3100 - grpc_listen_port: 9096 - grpc_server_max_recv_msg_size: 10485760 - http_server_read_timeout: 1m - http_server_write_timeout: 1m - log_level: error - target: all - common: - path_prefix: /loki-store - storage: - filesystem: - chunks_directory: /loki-store/chunks - rules_directory: /loki-store/rules - replication_factor: 1 - ring: - instance_addr: 127.0.0.1 - kvstore: - store: inmemory - compactor: - compaction_interval: 5m - retention_enabled: true - retention_delete_delay: 2h - retention_delete_worker_count: 150 - frontend: - compress_responses: true - ingester: - chunk_encoding: snappy - chunk_retain_period: 1m - query_range: - align_queries_with_step: true - cache_results: true - max_retries: 5 - results_cache: - cache: - enable_fifocache: true - fifocache: - max_size_bytes: 500MB - validity: 24h - parallelise_shardable_queries: true - query_scheduler: - max_outstanding_requests_per_tenant: 2048 - schema_config: - configs: - - from: 2022-01-01 - store: boltdb-shipper - object_store: filesystem - schema: v11 - index: - prefix: index_ - period: 24h - storage_config: - filesystem: - directory: /loki-store/storage - boltdb_shipper: - active_index_directory: /loki-store/index - shared_store: filesystem - cache_location: /loki-store/boltdb-cache - cache_ttl: 24h - limits_config: - ingestion_rate_strategy: global - ingestion_rate_mb: 10 - ingestion_burst_size_mb: 10 - max_label_name_length: 1024 - max_label_value_length: 2048 - max_label_names_per_series: 30 - reject_old_samples: true - reject_old_samples_max_age: 15m - creation_grace_period: 10m - enforce_metric_name: false - max_line_size: 256000 - max_line_size_truncate: false - max_entries_limit_per_query: 10000 - max_streams_per_user: 0 - max_global_streams_per_user: 0 - unordered_writes: true - max_chunks_per_query: 2000000 - max_query_length: 
721h - max_query_parallelism: 32 - max_query_series: 10000 - cardinality_limit: 100000 - max_streams_matchers_per_query: 1000 - max_concurrent_tail_requests: 10 - retention_period: 24h - max_cache_freshness_per_query: 5m - max_queriers_per_tenant: 0 - per_stream_rate_limit: 3MB - per_stream_rate_limit_burst: 15MB - max_query_lookback: 0 - min_sharding_lookback: 0s - split_queries_by_interval: 1m ---- -apiVersion: v1 -kind: Pod -metadata: - name: loki - labels: - app: loki -spec: - securityContext: - runAsGroup: 1000 - runAsUser: 1000 - fsGroup: 1000 - volumes: - - name: loki-store - persistentVolumeClaim: - claimName: loki-store - - name: loki-config - configMap: - name: loki-config - containers: - - name: loki - image: grafana/loki:2.9.0 - volumeMounts: - - mountPath: "/loki-store" - name: loki-store - - mountPath: "/etc/loki" - name: loki-config - securityContext: - seccompProfile: - type: RuntimeDefault - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL ---- -kind: Service -apiVersion: v1 -metadata: - name: loki -spec: - selector: - app: loki - ports: - - port: 3100 - protocol: TCP diff --git a/charts/network-observability-operator/templates/storage.yaml b/charts/network-observability-operator/templates/storage.yaml deleted file mode 100644 index 172d0662b5..0000000000 --- a/charts/network-observability-operator/templates/storage.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: loki-store -spec: - resources: - requests: - storage: 10G - volumeMode: Filesystem - accessModes: - - ReadWriteOnce diff --git a/charts/network-observability-operator/values.yaml b/charts/network-observability-operator/values.yaml index 7b92b3aef0..ba67e295bc 100644 --- a/charts/network-observability-operator/values.yaml +++ b/charts/network-observability-operator/values.yaml @@ -21,3 +21,4 @@ autoscaling: maxReplicas: 100 targetCPUUtilizationPercentage: 80 +lokiUrl: 'http://loki.svc:3100/' \ No newline at end of file 
diff --git a/charts/network-observability-operator/values.yaml.liquid b/charts/network-observability-operator/values.yaml.liquid
new file mode 100644
index 0000000000..892d6b6dbf
--- /dev/null
+++ b/charts/network-observability-operator/values.yaml.liquid
@@ -0,0 +1,3 @@
+{% if configuration.lokiUrl -%}
+lokiUrl: {{ configuration.lokiUrl }}
+{%- endif -%}
From 32e85ade102e76675d2674aea74aade7ee393bac Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Wed, 15 May 2024 12:48:01 +0200
Subject: [PATCH 6/9] extend configuration
---
 .../templates/deployment.yaml | 62 ++++-----------
 .../templates/flows_flowcollector.yaml | 17 +----
 .../values.yaml | 76 ++++++++++++++++++-
 .../values.yaml.liquid | 4 +-
 4 files changed, 93 insertions(+), 66 deletions(-)
diff --git a/charts/network-observability-operator/templates/deployment.yaml b/charts/network-observability-operator/templates/deployment.yaml
index 6799b1d25e..14073c2ef8 100644
--- a/charts/network-observability-operator/templates/deployment.yaml
+++ b/charts/network-observability-operator/templates/deployment.yaml
@@ -30,16 +30,7 @@ spec:
 {{- end }}
 spec:
 containers:
- - args:
- - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
- - --leader-elect
- - --ebpf-agent-image=$(RELATED_IMAGE_EBPF_AGENT)
- - --flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE)
- - --console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN)
- - --downstream-deployment=$(DOWNSTREAM_DEPLOYMENT)
- - --profiling-bind-address=$(PROFILING_BIND_ADDRESS)
- - --enable-http2=false
+ - args: {{- toYaml .Values.controllerManager.manager.args | nindent 10 }}
 command:
 - /manager
 env:
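Review bot: `lokiUrl: {{ configuration.lokiUrl }}` in values.yaml.liquid is emitted into YAML unquoted, so an empty expansion becomes `lokiUrl: null` and a value containing ` #` or starting with a YAML indicator is mis-parsed instead of being passed through as a string; the rendered line should be `lokiUrl: "{{ configuration.lokiUrl }}"`. The same applies to the rewritten `url: {{ configuration.lokiUrl }}` line in the later values.yaml.liquid hunk of this series. The static default in values.yaml is quoted, so quoting here keeps the two consistent.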
@@ -56,8 +47,8 @@ spec:
 - name: PROFILING_BIND_ADDRESS
 - name: OPERATOR_CONDITION_NAME
 value: netobserv-operator.v1.0.5
- image: quay.io/netobserv/network-observability-operator:1.0.5
- imagePullPolicy: Always
+ image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default (printf "v%s" .Chart.AppVersion) }}
+ imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
 livenessProbe:
 failureThreshold: 3
 httpGet:
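Review bot: The manager's `OPERATOR_CONDITION_NAME` stays hard-coded at `value: netobserv-operator.v1.0.5` (context line just above the changed `image:`) while the image tag now defaults to `.Chart.AppVersion`, so the two drift apart on the next appVersion bump. Deriving it the same way, `value: netobserv-operator.v{{ .Chart.AppVersion }}`, or exposing it as a value as the kube-rbac-proxy container does in the following hunk, keeps them in step. The container spec continues outside this hunk.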
@@ -83,55 +74,30 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 1
- resources:
- limits:
- memory: 400Mi
- requests:
- cpu: 100m
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
+ resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
+ }}
+ securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
+ | nindent 10 }}
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
 readOnly: true
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- - --http2-disable
+ - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 10 }}
 env:
 - name: OPERATOR_CONDITION_NAME
- value: netobserv-operator.v1.0.5
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
- imagePullPolicy: IfNotPresent
+ value: {{ quote .Values.controllerManager.kubeRbacProxy.operatorConditionName }}
+ image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default (printf "v%s" .Chart.AppVersion) }}
 name: kube-rbac-proxy
 ports:
 - containerPort: 8443
 name: https
 protocol: TCP
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
+ resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
+ 10 }}
+ securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
+ | nindent 10 }}
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
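Review bot: The kube-rbac-proxy container loses its explicit `imagePullPolicy: IfNotPresent` and its `terminationMessagePath`/`terminationMessagePolicy` lines with no values-backed replacement, while the manager container keeps a templated `imagePullPolicy`; `imagePullPolicy: {{ .Values.controllerManager.kubeRbacProxy.imagePullPolicy }}` with a matching default in values.yaml would keep the two containers symmetric. The `default (printf "v%s" .Chart.AppVersion)` fallback on the proxy `image:` line is also doubtful, since `.Chart.AppVersion` is the operator's version and an unset `kubeRbacProxy.image.tag` would resolve to a kube-rbac-proxy tag that does not correspond to that project; `required` on the tag, or no fallback, is safer than a wrong default. The `nindent 10` arguments introduced here are changed to 12 in patch 7.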
diff --git a/charts/network-observability-operator/templates/flows_flowcollector.yaml b/charts/network-observability-operator/templates/flows_flowcollector.yaml
index 9d8d8b4525..51ad27d115 100644
--- a/charts/network-observability-operator/templates/flows_flowcollector.yaml
+++ b/charts/network-observability-operator/templates/flows_flowcollector.yaml
@@ -69,22 +69,7 @@ spec:
 cpu: 100m
 limits:
 memory: 800Mi
- loki:
- enable: true
- # Change mode to "LokiStack" to use with the loki operator
- mode: Monolithic
- monolithic:
- url: {{ .Values.lokiUrl }}
- lokiStack:
- name: loki
- # Change loki operator instance namespace
- # namespace: loki-operator
- # Console plugin read timeout
- readTimeout: 30s
- # Write stage configuration
- writeTimeout: 10s
- writeBatchWait: 1s
- writeBatchSize: 10485760
+ loki: {{- toYaml .Values.loki | nindent 4 }}
 consolePlugin:
 enable: true
 imagePullPolicy: IfNotPresent
diff --git a/charts/network-observability-operator/values.yaml b/charts/network-observability-operator/values.yaml
index ba67e295bc..92f834504f 100644
--- a/charts/network-observability-operator/values.yaml
+++ b/charts/network-observability-operator/values.yaml
@@ -21,4 +21,78 @@ autoscaling:
 maxReplicas: 100
 targetCPUUtilizationPercentage: 80
-lokiUrl: 'http://loki.svc:3100/'
\ No newline at end of file
+loki:
+ enable: true
+ mode: Monolithic
+ monolithic:
+ url: 'http://loki.netobserv.svc:3100/'
+ tenantID: netobserv
+ tls:
+ enable: false
+ caCert:
+ type: configmap
+ name: loki-gateway-ca-bundle
+ certFile: service-ca.crt
+ lokiStack:
+ name: loki
+ # Change loki operator instance namespace
+ # namespace: loki-operator
+ # Console plugin read timeout
+ readTimeout: 30s
+ # Write stage configuration
+ writeTimeout: 10s
+ writeBatchWait: 1s
+ writeBatchSize: 10485760
+controllerManager:
+ kubeRbacProxy:
+ operatorConditionName: netobserv-operator.v1.0.5
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ tag: v0.15.0
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ manager:
+ args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ - --ebpf-agent-image=$(RELATED_IMAGE_EBPF_AGENT)
+ - --flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE)
+ - --console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN)
+ - --downstream-deployment=$(DOWNSTREAM_DEPLOYMENT)
+ - --profiling-bind-address=$(PROFILING_BIND_ADDRESS)
+ - --enable-http2=false
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: quay.io/netobserv/network-observability-operator
+ tag: ~
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1.5Gi
+ requests:
+ cpu: 50m
+ memory: 200Mi
+ replicas: 1
+ serviceAccount:
+ annotations: {}
\ No newline at end of file
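Review bot: Both `containerSecurityContext` maps drop `readOnlyRootFilesystem: true`, which the hard-coded deployment.yaml had for the manager and for kube-rbac-proxy (removed in this patch's deployment hunk), and `kubeRbacProxy.args` no longer carries `--http2-disable` even though `manager.args` keeps `--enable-http2=false`; these are hardening regressions introduced by the parametrisation, not configuration choices. Add `readOnlyRootFilesystem: true` to both `containerSecurityContext` maps and `- --http2-disable` back to the proxy args so the defaults match what the chart shipped before. The `url` default now pins the namespace to `netobserv` while the FlowCollector's `spec.namespace` follows `.Release.Namespace`, so an install into any other namespace points at a service that does not exist unless the value is overridden; a comment on `url` stating this would save a debugging round.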
diff --git a/charts/network-observability-operator/values.yaml.liquid b/charts/network-observability-operator/values.yaml.liquid
index 892d6b6dbf..ab2a5334d0 100644
--- a/charts/network-observability-operator/values.yaml.liquid
+++ b/charts/network-observability-operator/values.yaml.liquid
@@ -1,3 +1,5 @@
 {% if configuration.lokiUrl -%}
-lokiUrl: {{ configuration.lokiUrl }}
+loki:
+ monolithic:
+ url: {{ configuration.lokiUrl }}
 {%- endif -%}
From 5deddf0b408a886b23897fb18bf7b813394a77a4 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Wed, 15 May 2024 12:53:08 +0200
Subject: [PATCH 7/9] fix deployment chart
---
 .../templates/deployment.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/network-observability-operator/templates/deployment.yaml b/charts/network-observability-operator/templates/deployment.yaml
index 14073c2ef8..d59785b1e9 100644
--- a/charts/network-observability-operator/templates/deployment.yaml
+++ b/charts/network-observability-operator/templates/deployment.yaml
@@ -74,10 +74,10 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 1
- resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
+ resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 12
 }}
 securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
- | nindent 10 }}
+ | nindent 12 }}
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
@@ -95,9 +95,9 @@ spec:
 name: https
 protocol: TCP
 resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
- 10 }}
+ 12 }}
 securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
- | nindent 10 }}
+ | nindent 12 }}
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
From 35dc26c8a77acdab9a6dcd15aba00b1c78945d22 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Wed, 15 May 2024 12:57:06 +0200
Subject: [PATCH 8/9] set limits
---
 charts/network-observability-operator/values.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/network-observability-operator/values.yaml b/charts/network-observability-operator/values.yaml
index 92f834504f..4baa865074 100644
--- a/charts/network-observability-operator/values.yaml
+++ b/charts/network-observability-operator/values.yaml
@@ -89,10 +89,10 @@ controllerManager:
 resources:
 limits:
 cpu: 500m
- memory: 1.5Gi
+ memory: 400Mi
 requests:
- cpu: 50m
- memory: 200Mi
+ cpu: 100m
+ memory: 100Mi
 replicas: 1
 serviceAccount:
 annotations: {}
\ No newline at end of file
From 2fd968a51463cf6001a074c42a28b208921546c8 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Wed, 15 May 2024 13:08:40 +0200
Subject: [PATCH 9/9] fix image tag
---
 charts/network-observability-operator/templates/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/network-observability-operator/templates/deployment.yaml b/charts/network-observability-operator/templates/deployment.yaml
index d59785b1e9..6d89aae890 100644
--- a/charts/network-observability-operator/templates/deployment.yaml
+++ b/charts/network-observability-operator/templates/deployment.yaml
@@ -47,7 +47,7 @@ spec:
 - name: PROFILING_BIND_ADDRESS
 - name: OPERATOR_CONDITION_NAME
 value: netobserv-operator.v1.0.5
- image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default (printf "v%s" .Chart.AppVersion) }}
+ image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default (printf "%s" .Chart.AppVersion) }}
 imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
 livenessProbe:
 failureThreshold: 3
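Review bot: `printf "%s" .Chart.AppVersion` is an identity on a string, so the new `image:` line reads more plainly as `| default .Chart.AppVersion`. After this fix the manager and kube-rbac-proxy lines use two different fallback conventions (`.Chart.AppVersion` here, `v`-prefixed `.Chart.AppVersion` for the proxy in the patch 6 hunk), which is worth aligning or documenting in values.yaml next to the `tag:` keys. The container spec continues outside this hunk.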