Commit

Improve doc for ebpf filters (#827)
* Improve doc for ebpf filters

* address feedback

* mention Accept is default

* avoid parenthesis
jotak authored Nov 21, 2024
1 parent 4fe7dc8 commit 15494c8
Showing 6 changed files with 116 additions and 100 deletions.
29 changes: 15 additions & 14 deletions apis/flowcollector/v1beta2/flowcollector_types.go
Expand Up @@ -93,7 +93,7 @@ type FlowCollectorSpec struct {
type NetworkPolicy struct {
// Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
// These network policies better isolate the NetObserv components to prevent undesired connections to them.
// We recommend you either enable it, or create your own network policy for NetObserv.
// To increase the security of connections, enable this option or create your own network policy.
// +optional
Enable *bool `json:"enable,omitempty"`
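Review bot: In the last sentence of the `enable` comment, the rewording drops "for NetObserv", so "create your own network policy" no longer says what the policy has to cover, and "security of connections" is vaguer than the isolation goal stated one line above. Suggest keeping the scope, for example: "To isolate the NetObserv components, enable this option or create your own network policy for the NetObserv namespaces."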

Expand Down Expand Up @@ -221,59 +221,60 @@ type EBPFFlowFilter struct {
// Examples: `10.10.10.0/24` or `100:100:100:100::/64`
CIDR string `json:"cidr,omitempty"`

// `action` defines the action to perform on the flows that match the filter.
// `action` defines the action to perform on the flows that match the filter. The available options are `Accept`, which is the default, and `Reject`.
// +kubebuilder:validation:Enum:="Accept";"Reject"
Action string `json:"action,omitempty"`

// `protocol` defines the protocol to filter flows by.
// `protocol` optionally defines a protocol to filter flows by. The available options are `TCP`, `UDP`, `ICMP`, `ICMPv6`, and `SCTP`.
// +kubebuilder:validation:Enum:="TCP";"UDP";"ICMP";"ICMPv6";"SCTP"
// +optional
Protocol string `json:"protocol,omitempty"`

// `direction` defines the direction to filter flows by.
// `direction` optionally defines a direction to filter flows by. The available options are `Ingress` and `Egress`.
// +kubebuilder:validation:Enum:="Ingress";"Egress"
// +optional
Direction string `json:"direction,omitempty"`

// `tcpFlags` defines the TCP flags to filter flows by.
// `tcpFlags` optionally defines TCP flags to filter flows by.
// In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK`, and `RST-ACK`.
// +kubebuilder:validation:Enum:="SYN";"SYN-ACK";"ACK";"FIN";"RST";"URG";"ECE";"CWR";"FIN-ACK";"RST-ACK"
// +optional
TCPFlags string `json:"tcpFlags,omitempty"`

// `sourcePorts` defines the source ports to filter flows by.
// `sourcePorts` optionally defines the source ports to filter flows by.
// To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`.
// To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`.
// To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
// +optional
SourcePorts intstr.IntOrString `json:"sourcePorts,omitempty"`

// `destPorts` defines the destination ports to filter flows by.
// `destPorts` optionally defines the destination ports to filter flows by.
// To filter a single port, set a single port as an integer value. For example, `destPorts: 80`.
// To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`.
// To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
// +optional
DestPorts intstr.IntOrString `json:"destPorts,omitempty"`

// `ports` defines the ports to filter flows by. It is used both for source and destination ports.
// `ports` optionally defines the ports to filter flows by. It is used both for source and destination ports.
// To filter a single port, set a single port as an integer value. For example, `ports: 80`.
// To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`.
// To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
Ports intstr.IntOrString `json:"ports,omitempty"`

// `peerIP` defines the IP address to filter flows by.
// `peerIP` optionally defines the remote IP address to filter flows by.
// Example: `10.10.10.10`.
// +optional
PeerIP string `json:"peerIP,omitempty"`

// `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, defines the ICMP code to filter flows by.
// `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by.
// +optional
ICMPCode *int `json:"icmpCode,omitempty"`

// `icmpType`, for ICMP traffic, defines the ICMP type to filter flows by.
// `icmpType`, for ICMP traffic, optionally defines the ICMP type to filter flows by.
// +optional
ICMPType *int `json:"icmpType,omitempty"`

// `pktDrops` filters flows with packet drops
// `pktDrops` optionally filters only flows containing packet drops.
// +optional
PktDrops *bool `json:"pktDrops,omitempty"`
}
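Review bot: In the `sourcePorts` and `destPorts` comments, the two-port example still reads `ports: "80,100"`, while the single-port and range examples in the same comments use the field's own name; change them to `sourcePorts: "80,100"` and `destPorts: "80,100"`. Also, `ports` is now documented as optional but is the only port field in this hunk without a `// +optional` marker; add the marker or explain why it differs.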
Expand Down Expand Up @@ -1029,7 +1030,7 @@ const (

type FileReference struct {
//+kubebuilder:validation:Enum=configmap;secret
// Type for the file reference: "configmap" or "secret".
// Type for the file reference: `configmap` or `secret`.
Type MountableType `json:"type,omitempty"`

// Name of the config map or secret containing the file.
Expand Down Expand Up @@ -1334,7 +1335,7 @@ const (

// `FlowCollectorExporter` defines an additional exporter to send enriched flows to.
type FlowCollectorExporter struct {
// `type` selects the type of exporters. The available options are `Kafka` and `IPFIX`.
// `type` selects the type of exporters. The available options are `Kafka`, `IPFIX`, and `OpenTelemetry`.
// +unionDiscriminator
// +kubebuilder:validation:Enum:="Kafka";"IPFIX";"OpenTelemetry"
// +kubebuilder:validation:Required
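Review bot: The option list in the `type` comment repeats what the Enum marker two lines below already defines, and the old text had drifted from it (the marker already listed `OpenTelemetry`). Consider pointing readers at the enum instead of restating it, or adding a check that keeps the two in sync. While touching the line, "the type of exporters" should read "the type of exporter".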
63 changes: 34 additions & 29 deletions bundle/manifests/flows.netobserv.io_flowcollectors.yaml
Expand Up @@ -3753,7 +3753,8 @@ spec:
properties:
action:
description: '`action` defines the action to perform on
the flows that match the filter.'
the flows that match the filter. The available options
are `Accept`, which is the default, and `Reject`.'
enum:
- Accept
- Reject
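Review bot: The `action` description now states that `Accept` is the default, but the schema lines shown for this property carry only `enum`, so a reader of the CRD cannot tell whether the API server or the consuming code applies it. If the default is applied in code, say so (for example "when unset, matching flows are accepted"); otherwise set it through a kubebuilder default marker in flowcollector_types.go and regenerate this manifest.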
Expand All @@ -3768,14 +3769,15 @@ spec:
- type: integer
- type: string
description: |-
`destPorts` defines the destination ports to filter flows by.
`destPorts` optionally defines the destination ports to filter flows by.
To filter a single port, set a single port as an integer value. For example, `destPorts: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
x-kubernetes-int-or-string: true
direction:
description: '`direction` defines the direction to filter
flows by.'
description: '`direction` optionally defines a direction
to filter flows by. The available options are `Ingress`
and `Egress`.'
enum:
- Ingress
- Egress
Expand All @@ -3786,34 +3788,36 @@ spec:
type: boolean
icmpCode:
description: '`icmpCode`, for Internet Control Message
Protocol (ICMP) traffic, defines the ICMP code to filter
flows by.'
Protocol (ICMP) traffic, optionally defines the ICMP
code to filter flows by.'
type: integer
icmpType:
description: '`icmpType`, for ICMP traffic, defines the
ICMP type to filter flows by.'
description: '`icmpType`, for ICMP traffic, optionally
defines the ICMP type to filter flows by.'
type: integer
peerIP:
description: |-
`peerIP` defines the IP address to filter flows by.
`peerIP` optionally defines the remote IP address to filter flows by.
Example: `10.10.10.10`.
type: string
pktDrops:
description: '`pktDrops` filters flows with packet drops'
description: '`pktDrops` optionally filters only flows
containing packet drops.'
type: boolean
ports:
anyOf:
- type: integer
- type: string
description: |-
`ports` defines the ports to filter flows by. It is used both for source and destination ports.
`ports` optionally defines the ports to filter flows by. It is used both for source and destination ports.
To filter a single port, set a single port as an integer value. For example, `ports: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
x-kubernetes-int-or-string: true
protocol:
description: '`protocol` defines the protocol to filter
flows by.'
description: '`protocol` optionally defines a protocol
to filter flows by. The available options are `TCP`,
`UDP`, `ICMP`, `ICMPv6`, and `SCTP`.'
enum:
- TCP
- UDP
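Review bot: The new `pktDrops` description, "optionally filters only flows containing packet drops", does not say what `false` means: no drop filtering at all, or only flows without drops. Suggest spelling out the value, for example "when `true`, only flows containing packet drops match". In the same hunk, `peerIP` now says "remote IP address" without naming what it is remote to; one clause giving the reference point would remove the ambiguity.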
Expand All @@ -3826,14 +3830,15 @@ spec:
- type: integer
- type: string
description: |-
`sourcePorts` defines the source ports to filter flows by.
`sourcePorts` optionally defines the source ports to filter flows by.
To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
x-kubernetes-int-or-string: true
tcpFlags:
description: '`tcpFlags` defines the TCP flags to filter
flows by.'
description: |-
`tcpFlags` optionally defines TCP flags to filter flows by.
In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK`, and `RST-ACK`.
enum:
- SYN
- SYN-ACK
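Review bot: In the `tcpFlags` description, "RFC-9293" is normally written "RFC 9293", and "one of the three following combinations" reads more naturally as "one of the following three combinations". This text mirrors the Go comment on `TCPFlags`, so the wording change belongs there, followed by a regenerate.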
Expand Down Expand Up @@ -3978,7 +3983,7 @@ spec:
type: string
type:
description: 'Type for the file reference:
"configmap" or "secret".'
`configmap` or `secret`.'
enum:
- configmap
- secret
Expand Down Expand Up @@ -5738,8 +5743,8 @@ spec:
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
type: string
type:
description: 'Type for the file reference: "configmap"
or "secret".'
description: 'Type for the file reference: `configmap`
or `secret`.'
enum:
- configmap
- secret
Expand All @@ -5764,8 +5769,8 @@ spec:
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
type: string
type:
description: 'Type for the file reference: "configmap"
or "secret".'
description: 'Type for the file reference: `configmap`
or `secret`.'
enum:
- configmap
- secret
Expand Down Expand Up @@ -6017,7 +6022,7 @@ spec:
type: object
type:
description: '`type` selects the type of exporters. The available
options are `Kafka` and `IPFIX`.'
options are `Kafka`, `IPFIX`, and `OpenTelemetry`.'
enum:
- Kafka
- IPFIX
Expand Down Expand Up @@ -6057,8 +6062,8 @@ spec:
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
type: string
type:
description: 'Type for the file reference: "configmap"
or "secret".'
description: 'Type for the file reference: `configmap`
or `secret`.'
enum:
- configmap
- secret
Expand All @@ -6082,8 +6087,8 @@ spec:
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
type: string
type:
description: 'Type for the file reference: "configmap"
or "secret".'
description: 'Type for the file reference: `configmap`
or `secret`.'
enum:
- configmap
- secret
Expand Down Expand Up @@ -6703,7 +6708,7 @@ spec:
description: |-
Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
These network policies better isolate the NetObserv components to prevent undesired connections to them.
We recommend you either enable it, or create your own network policy for NetObserv.
To increase the security of connections, enable this option or create your own network policy.
type: boolean
type: object
processor:
Expand Down Expand Up @@ -8310,8 +8315,8 @@ spec:
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
type: string
type:
description: 'Type for the file reference: "configmap"
or "secret".'
description: 'Type for the file reference: `configmap`
or `secret`.'
enum:
- configmap
- secret