diff --git a/apis/flowcollector/v1beta1/flowcollector_types.go b/apis/flowcollector/v1beta1/flowcollector_types.go
index e413ccbd0..774115e2a 100644
--- a/apis/flowcollector/v1beta1/flowcollector_types.go
+++ b/apis/flowcollector/v1beta1/flowcollector_types.go
@@ -19,6 +19,7 @@ import (
 ascv2 "k8s.io/api/autoscaling/v2"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
@@ -166,6 +167,66 @@ type EBPFMetrics struct {
 Enable *bool `json:"enable,omitempty"`
 }
 
+// FlowFilterConfig defines the configuration of the flow filter.
+type FlowFilterConfig struct {
+ // FlowFilterIPCIDR defines the IP CIDR to filter flows by.
+ // Example: 10.10.10.0/24 or 100:100:100:100::/64
+ FlowFilterIPCIDR string `json:"cidr,omitempty"`
+
+ // FlowFilterAction defines the action to perform on the flows that match the filter.
+ // +kubebuilder:validation:Enum:="Accept";"Reject"
+ FlowFilterAction string `json:"action,omitempty"`
+
+ // FlowFilterProtocol defines the protocol to filter flows by.
+ // +kubebuilder:validation:Enum:="TCP";"UDP";"ICMP";"ICMPv6";"SCTP"
+ // +optional
+ FlowFilterProtocol string `json:"protocol,omitempty"`
+
+ // FlowFilterDirection defines the direction to filter flows by.
+ // +kubebuilder:validation:Enum:="Ingress";"Egress"
+ // +optional
+ FLowFilterDirection string `json:"direction,omitempty"`
+
+ // FlowFilterSourcePorts defines the source ports to filter flows by.
+ // To filter a single port, set a single port as an integer value. For example sourcePorts: 80.
+ // To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100".
+ // +optional
+ FlowFilterSourcePorts intstr.IntOrString `json:"sourcePorts,omitempty"`
+
+ // FlowFilterDestPorts defines the destination ports to filter flows by.
+ // To filter a single port, set a single port as an integer value. For example destPorts: 80.
+ // To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100".
+ // +optional
+ FlowFilterDestPorts intstr.IntOrString `json:"destPorts,omitempty"`
+
+ // FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports.
+ // To filter a single port, set a single port as an integer value. For example ports: 80.
+ // To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10
+ FlowFilterPorts intstr.IntOrString `json:"ports,omitempty"`
+
+ // FlowFilterPeerIPAddress defines the IP address to filter flows by.
+ // Example: 10.10.10.10
+ // +optional
+ FlowFilterPeerIPAddress string `json:"peerIPAddress,omitempty"`
+
+ // FlowFilterICMPType defines the ICMP type to filter flows by.
+ // +optional
+ FlowFilterICMPType *int `json:"icmpType,omitempty"`
+
+ // FlowFilterICMPCode defines the ICMP code to filter flows by.
+ // +optional
+ FlowFilterICMPCode *int `json:"icmpCode,omitempty"`
+}
+
+// `EBPFFlowFilter` defines the desired eBPF agent configuration regarding flow filtering
+type EBPFFlowFilter struct {
+ // Set `enable` to `true` to enable eBPF flow filtering feature.
+ Enable *bool `json:"enable,omitempty"`
+
+ // `config` defines the configuration of the flow filter.
+ Config FlowFilterConfig `json:"config,omitempty"`
+}
+
 // `FlowCollectorEBPF` defines a FlowCollector that uses eBPF to collect the flows information
 type FlowCollectorEBPF struct {
 // Important: Run "make generate" to regenerate code after modifying this file
@@ -251,6 +312,10 @@ type FlowCollectorEBPF struct {
 // `metrics` defines the eBPF agent configuration regarding metrics
 // +optional
 Metrics EBPFMetrics `json:"metrics,omitempty"`
+
+ // `flowFilter` defines the eBPF agent configuration regarding flow filtering
+ // +optional
+ FlowFilter *EBPFFlowFilter `json:"flowFilter,omitempty"`
 }
 
 // `FlowCollectorKafka` defines the desired Kafka config of FlowCollector
diff --git a/apis/flowcollector/v1beta1/zz_generated.conversion.go b/apis/flowcollector/v1beta1/zz_generated.conversion.go
index ea755fbda..ec677c4ac 100644
--- a/apis/flowcollector/v1beta1/zz_generated.conversion.go
+++ b/apis/flowcollector/v1beta1/zz_generated.conversion.go
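Review bot: `FlowFilterIPCIDR` and `FlowFilterPeerIPAddress` in the new `FlowFilterConfig` struct are free-form strings, and the three port fields accept any string, so a malformed CIDR, address or "start-end" range passes admission and is only caught by whatever consumes the config later (the agent-side wiring is not part of this diff). `FlowFilterIPCIDR` can be rejected at admission with `// +kubebuilder:validation:Format=cidr`; the peer address may be IPv4 or IPv6, so it and the port-range strings are best validated in the operator before they reach the agent, for instance with `net.ParseIP` and a `strings.Cut(s, "-")` plus `strconv.Atoi` check on both bounds, or with a CEL `+kubebuilder:validation:XValidation` rule if the supported Kubernetes level allows it. `FlowFilterICMPType` and `FlowFilterICMPCode` are unbounded `*int` although ICMP types and codes fit in one byte; `// +kubebuilder:validation:Minimum=0` and `// +kubebuilder:validation:Maximum=255` pin that. The same struct is added verbatim in the v1beta2 hunk of `apis/flowcollector/v1beta2/flowcollector_types.go` and needs the same markers so the generated CRD stays consistent across versions.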
@@ -78,6 +78,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*EBPFFlowFilter)(nil), (*v1beta2.EBPFFlowFilter)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_EBPFFlowFilter_To_v1beta2_EBPFFlowFilter(a.(*EBPFFlowFilter), b.(*v1beta2.EBPFFlowFilter), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1beta2.EBPFFlowFilter)(nil), (*EBPFFlowFilter)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_EBPFFlowFilter_To_v1beta1_EBPFFlowFilter(a.(*v1beta2.EBPFFlowFilter), b.(*EBPFFlowFilter), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*EBPFMetrics)(nil), (*v1beta2.EBPFMetrics)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_EBPFMetrics_To_v1beta2_EBPFMetrics(a.(*EBPFMetrics), b.(*v1beta2.EBPFMetrics), scope) }); err != nil { 
@@ -148,6 +158,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*FlowFilterConfig)(nil), (*v1beta2.FlowFilterConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_FlowFilterConfig_To_v1beta2_FlowFilterConfig(a.(*FlowFilterConfig), b.(*v1beta2.FlowFilterConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1beta2.FlowFilterConfig)(nil), (*FlowFilterConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_FlowFilterConfig_To_v1beta1_FlowFilterConfig(a.(*v1beta2.FlowFilterConfig), b.(*FlowFilterConfig), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*MetricsServerConfig)(nil), (*v1beta2.MetricsServerConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_MetricsServerConfig_To_v1beta2_MetricsServerConfig(a.(*MetricsServerConfig), b.(*v1beta2.MetricsServerConfig), scope) }); err != nil { 
@@ -445,6 +465,32 @@ func Convert_v1beta2_ConsolePluginPortConfig_To_v1beta1_ConsolePluginPortConfig( return autoConvert_v1beta2_ConsolePluginPortConfig_To_v1beta1_ConsolePluginPortConfig(in, out, s) } +func autoConvert_v1beta1_EBPFFlowFilter_To_v1beta2_EBPFFlowFilter(in *EBPFFlowFilter, out *v1beta2.EBPFFlowFilter, s conversion.Scope) error { + out.Enable = (*bool)(unsafe.Pointer(in.Enable)) + if err := Convert_v1beta1_FlowFilterConfig_To_v1beta2_FlowFilterConfig(&in.Config, &out.Config, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta1_EBPFFlowFilter_To_v1beta2_EBPFFlowFilter is an autogenerated conversion function. +func Convert_v1beta1_EBPFFlowFilter_To_v1beta2_EBPFFlowFilter(in *EBPFFlowFilter, out *v1beta2.EBPFFlowFilter, s conversion.Scope) error { + return autoConvert_v1beta1_EBPFFlowFilter_To_v1beta2_EBPFFlowFilter(in, out, s) +} + +func autoConvert_v1beta2_EBPFFlowFilter_To_v1beta1_EBPFFlowFilter(in *v1beta2.EBPFFlowFilter, out *EBPFFlowFilter, s conversion.Scope) error { + out.Enable = (*bool)(unsafe.Pointer(in.Enable)) + if err := Convert_v1beta2_FlowFilterConfig_To_v1beta1_FlowFilterConfig(&in.Config, &out.Config, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta2_EBPFFlowFilter_To_v1beta1_EBPFFlowFilter is an autogenerated conversion function. +func Convert_v1beta2_EBPFFlowFilter_To_v1beta1_EBPFFlowFilter(in *v1beta2.EBPFFlowFilter, out *EBPFFlowFilter, s conversion.Scope) error { + return autoConvert_v1beta2_EBPFFlowFilter_To_v1beta1_EBPFFlowFilter(in, out, s) +} + func autoConvert_v1beta1_EBPFMetrics_To_v1beta2_EBPFMetrics(in *EBPFMetrics, out *v1beta2.EBPFMetrics, s conversion.Scope) error { if err := Convert_v1beta1_MetricsServerConfig_To_v1beta2_MetricsServerConfig(&in.Server, &out.Server, s); err != nil { return err 
@@ -611,6 +657,7 @@ func autoConvert_v1beta1_FlowCollectorEBPF_To_v1beta2_FlowCollectorEBPF(in *Flow if err := Convert_v1beta1_EBPFMetrics_To_v1beta2_EBPFMetrics(&in.Metrics, &out.Metrics, s); err != nil { return err } + out.FlowFilter = (*v1beta2.EBPFFlowFilter)(unsafe.Pointer(in.FlowFilter)) return nil } @@ -630,6 +677,7 @@ func autoConvert_v1beta2_FlowCollectorEBPF_To_v1beta1_FlowCollectorEBPF(in *v1be if err := Convert_v1beta2_EBPFMetrics_To_v1beta1_EBPFMetrics(&in.Metrics, &out.Metrics, s); err != nil { return err } + out.FlowFilter = (*EBPFFlowFilter)(unsafe.Pointer(in.FlowFilter)) return nil } 
@@ -966,6 +1014,44 @@ func Convert_v1beta2_FlowCollectorStatus_To_v1beta1_FlowCollectorStatus(in *v1be return autoConvert_v1beta2_FlowCollectorStatus_To_v1beta1_FlowCollectorStatus(in, out, s) } +func autoConvert_v1beta1_FlowFilterConfig_To_v1beta2_FlowFilterConfig(in *FlowFilterConfig, out *v1beta2.FlowFilterConfig, s conversion.Scope) error { + out.FlowFilterIPCIDR = in.FlowFilterIPCIDR + out.FlowFilterAction = in.FlowFilterAction + out.FlowFilterProtocol = in.FlowFilterProtocol + out.FLowFilterDirection = in.FLowFilterDirection + out.FlowFilterSourcePorts = in.FlowFilterSourcePorts + out.FlowFilterDestPorts = in.FlowFilterDestPorts + out.FlowFilterPorts = in.FlowFilterPorts + out.FlowFilterPeerIPAddress = in.FlowFilterPeerIPAddress + out.FlowFilterICMPType = (*int)(unsafe.Pointer(in.FlowFilterICMPType)) + out.FlowFilterICMPCode = (*int)(unsafe.Pointer(in.FlowFilterICMPCode)) + return nil +} + +// Convert_v1beta1_FlowFilterConfig_To_v1beta2_FlowFilterConfig is an autogenerated conversion function. 
+func Convert_v1beta1_FlowFilterConfig_To_v1beta2_FlowFilterConfig(in *FlowFilterConfig, out *v1beta2.FlowFilterConfig, s conversion.Scope) error { + return autoConvert_v1beta1_FlowFilterConfig_To_v1beta2_FlowFilterConfig(in, out, s) +} + +func autoConvert_v1beta2_FlowFilterConfig_To_v1beta1_FlowFilterConfig(in *v1beta2.FlowFilterConfig, out *FlowFilterConfig, s conversion.Scope) error { + out.FlowFilterIPCIDR = in.FlowFilterIPCIDR + out.FlowFilterAction = in.FlowFilterAction + out.FlowFilterProtocol = in.FlowFilterProtocol + out.FLowFilterDirection = in.FLowFilterDirection + out.FlowFilterSourcePorts = in.FlowFilterSourcePorts + out.FlowFilterDestPorts = in.FlowFilterDestPorts + out.FlowFilterPorts = in.FlowFilterPorts + out.FlowFilterPeerIPAddress = in.FlowFilterPeerIPAddress + out.FlowFilterICMPType = (*int)(unsafe.Pointer(in.FlowFilterICMPType)) + out.FlowFilterICMPCode = (*int)(unsafe.Pointer(in.FlowFilterICMPCode)) + return nil +} + +// Convert_v1beta2_FlowFilterConfig_To_v1beta1_FlowFilterConfig is an autogenerated conversion function. +func Convert_v1beta2_FlowFilterConfig_To_v1beta1_FlowFilterConfig(in *v1beta2.FlowFilterConfig, out *FlowFilterConfig, s conversion.Scope) error { + return autoConvert_v1beta2_FlowFilterConfig_To_v1beta1_FlowFilterConfig(in, out, s) +} + func autoConvert_v1beta1_MetricsServerConfig_To_v1beta2_MetricsServerConfig(in *MetricsServerConfig, out *v1beta2.MetricsServerConfig, s conversion.Scope) error { out.Port = in.Port if err := Convert_v1beta1_ServerTLS_To_v1beta2_ServerTLS(&in.TLS, &out.TLS, s); err != nil { diff --git a/apis/flowcollector/v1beta1/zz_generated.deepcopy.go b/apis/flowcollector/v1beta1/zz_generated.deepcopy.go index c60245ce8..6610c8f81 100644 --- a/apis/flowcollector/v1beta1/zz_generated.deepcopy.go +++ b/apis/flowcollector/v1beta1/zz_generated.deepcopy.go 
@@ -122,6 +122,27 @@ func (in *DebugConfig) DeepCopy() *DebugConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EBPFFlowFilter) DeepCopyInto(out *EBPFFlowFilter) { + *out = *in + if in.Enable != nil { + in, out := &in.Enable, &out.Enable + *out = new(bool) + **out = **in + } + in.Config.DeepCopyInto(&out.Config) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBPFFlowFilter. +func (in *EBPFFlowFilter) DeepCopy() *EBPFFlowFilter { + if in == nil { + return nil + } + out := new(EBPFFlowFilter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EBPFMetrics) DeepCopyInto(out *EBPFMetrics) { *out = *in @@ -303,6 +324,11 @@ func (in *FlowCollectorEBPF) DeepCopyInto(out *FlowCollectorEBPF) { copy(*out, *in) } in.Metrics.DeepCopyInto(&out.Metrics) + if in.FlowFilter != nil { + in, out := &in.FlowFilter, &out.FlowFilter + *out = new(EBPFFlowFilter) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlowCollectorEBPF. 
@@ -617,6 +643,34 @@ func (in *FlowCollectorStatus) DeepCopy() *FlowCollectorStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FlowFilterConfig) DeepCopyInto(out *FlowFilterConfig) { + *out = *in + out.FlowFilterSourcePorts = in.FlowFilterSourcePorts + out.FlowFilterDestPorts = in.FlowFilterDestPorts + out.FlowFilterPorts = in.FlowFilterPorts + if in.FlowFilterICMPType != nil { + in, out := &in.FlowFilterICMPType, &out.FlowFilterICMPType + *out = new(int) + **out = **in + } + if in.FlowFilterICMPCode != nil { + in, out := &in.FlowFilterICMPCode, &out.FlowFilterICMPCode + *out = new(int) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlowFilterConfig. +func (in *FlowFilterConfig) DeepCopy() *FlowFilterConfig { + if in == nil { + return nil + } + out := new(FlowFilterConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MetricsServerConfig) DeepCopyInto(out *MetricsServerConfig) { *out = *in diff --git a/apis/flowcollector/v1beta2/flowcollector_types.go b/apis/flowcollector/v1beta2/flowcollector_types.go index 9cc6c5b4a..b209b5827 100644 --- a/apis/flowcollector/v1beta2/flowcollector_types.go +++ b/apis/flowcollector/v1beta2/flowcollector_types.go @@ -19,6 +19,7 @@ import ( ascv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" ) // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. 
@@ -173,6 +174,66 @@ type EBPFMetrics struct {
 Enable *bool `json:"enable,omitempty"`
 }
 
+// FlowFilterConfig defines the configuration of the flow filter.
+type FlowFilterConfig struct {
+ // FlowFilterIPCIDR defines the IP CIDR to filter flows by.
+ // Example: 10.10.10.0/24 or 100:100:100:100::/64
+ FlowFilterIPCIDR string `json:"cidr,omitempty"`
+
+ // FlowFilterAction defines the action to perform on the flows that match the filter.
+ // +kubebuilder:validation:Enum:="Accept";"Reject"
+ FlowFilterAction string `json:"action,omitempty"`
+
+ // FlowFilterProtocol defines the protocol to filter flows by.
+ // +kubebuilder:validation:Enum:="TCP";"UDP";"ICMP";"ICMPv6";"SCTP"
+ // +optional
+ FlowFilterProtocol string `json:"protocol,omitempty"`
+
+ // FlowFilterDirection defines the direction to filter flows by.
+ // +kubebuilder:validation:Enum:="Ingress";"Egress"
+ // +optional
+ FLowFilterDirection string `json:"direction,omitempty"`
+
+ // FlowFilterSourcePorts defines the source ports to filter flows by.
+ // To filter a single port, set a single port as an integer value. For example sourcePorts: 80.
+ // To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100".
+ // +optional
+ FlowFilterSourcePorts intstr.IntOrString `json:"sourcePorts,omitempty"`
+
+ // FlowFilterDestPorts defines the destination ports to filter flows by.
+ // To filter a single port, set a single port as an integer value. For example destPorts: 80.
+ // To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100".
+ // +optional
+ FlowFilterDestPorts intstr.IntOrString `json:"destPorts,omitempty"`
+
+ // FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports.
+ // To filter a single port, set a single port as an integer value. For example ports: 80.
+ // To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10
+ FlowFilterPorts intstr.IntOrString `json:"ports,omitempty"`
+
+ // FlowFilterPeerIPAddress defines the IP address to filter flows by.
+ // Example: 10.10.10.10
+ // +optional
+ FlowFilterPeerIPAddress string `json:"peerIPAddress,omitempty"`
+
+ // FlowFilterICMPType defines the ICMP type to filter flows by.
+ // +optional
+ FlowFilterICMPType *int `json:"icmpType,omitempty"`
+
+ // FlowFilterICMPCode defines the ICMP code to filter flows by.
+ // +optional
+ FlowFilterICMPCode *int `json:"icmpCode,omitempty"`
+}
+
+// `EBPFFlowFilter` defines the desired eBPF agent configuration regarding flow filtering
+type EBPFFlowFilter struct {
+ // Set `enable` to `true` to enable eBPF flow filtering feature.
+ Enable *bool `json:"enable,omitempty"`
+
+ // `config` defines the configuration of the flow filter.
+ Config FlowFilterConfig `json:"config,omitempty"`
+}
+
 // `FlowCollectorEBPF` defines a FlowCollector that uses eBPF to collect the flows information
 type FlowCollectorEBPF struct {
 // Important: Run "make generate" to regenerate code after modifying this file
@@ -258,6 +319,10 @@ type FlowCollectorEBPF struct {
 // `metrics` defines the eBPF agent configuration regarding metrics
 // +optional
 Metrics EBPFMetrics `json:"metrics,omitempty"`
+
+ // `flowFilter` defines the eBPF agent configuration regarding flow filtering
+ // +optional
+ FlowFilter *EBPFFlowFilter `json:"flowFilter,omitempty"`
 }
 
 // `FlowCollectorKafka` defines the desired Kafka config of FlowCollector
diff --git a/apis/flowcollector/v1beta2/zz_generated.deepcopy.go b/apis/flowcollector/v1beta2/zz_generated.deepcopy.go
index 01d31f194..28a6e7a69 100644
--- a/apis/flowcollector/v1beta2/zz_generated.deepcopy.go
+++ b/apis/flowcollector/v1beta2/zz_generated.deepcopy.go
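Review bot: `FLowFilterDirection` (capital L in `FLow`) is an exported field on a public API struct in this hunk, and the generated conversion functions in this same commit already copy it under that name, so renaming it later is a Go-API break even though the `json:"direction"` tag is unaffected; rename it to `FlowFilterDirection` now, while the type is new, and regenerate. Two comments on the same struct need fixing before they are baked into the CRD descriptions: the `FlowFilterPorts` comment reads `it can be user for either` (should be `used`) and its example is cut off at `For example ports: "80-10` (the sibling fields end with `"80-100".`). The v1beta1 copy of this struct in `apis/flowcollector/v1beta1/flowcollector_types.go` carries the same name and the same comment text.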
@@ -295,6 +295,27 @@ func (in *ConsolePluginPortConfig) DeepCopy() *ConsolePluginPortConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EBPFFlowFilter) DeepCopyInto(out *EBPFFlowFilter) { + *out = *in + if in.Enable != nil { + in, out := &in.Enable, &out.Enable + *out = new(bool) + **out = **in + } + in.Config.DeepCopyInto(&out.Config) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBPFFlowFilter. +func (in *EBPFFlowFilter) DeepCopy() *EBPFFlowFilter { + if in == nil { + return nil + } + out := new(EBPFFlowFilter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EBPFMetrics) DeepCopyInto(out *EBPFMetrics) { *out = *in @@ -475,6 +496,11 @@ func (in *FlowCollectorEBPF) DeepCopyInto(out *FlowCollectorEBPF) { copy(*out, *in) } in.Metrics.DeepCopyInto(&out.Metrics) + if in.FlowFilter != nil { + in, out := &in.FlowFilter, &out.FlowFilter + *out = new(EBPFFlowFilter) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlowCollectorEBPF. 
@@ -753,6 +779,34 @@ func (in *FlowCollectorStatus) DeepCopy() *FlowCollectorStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FlowFilterConfig) DeepCopyInto(out *FlowFilterConfig) { + *out = *in + out.FlowFilterSourcePorts = in.FlowFilterSourcePorts + out.FlowFilterDestPorts = in.FlowFilterDestPorts + out.FlowFilterPorts = in.FlowFilterPorts + if in.FlowFilterICMPType != nil { + in, out := &in.FlowFilterICMPType, &out.FlowFilterICMPType + *out = new(int) + **out = **in + } + if in.FlowFilterICMPCode != nil { + in, out := &in.FlowFilterICMPCode, &out.FlowFilterICMPCode + *out = new(int) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlowFilterConfig. +func (in *FlowFilterConfig) DeepCopy() *FlowFilterConfig { + if in == nil { + return nil + } + out := new(FlowFilterConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LokiManualParams) DeepCopyInto(out *LokiManualParams) { *out = *in diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml index 254c5bb4f..cd0c613b2 100644 --- a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml +++ b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml 
@@ -146,6 +146,89 @@ spec: - FlowRTT type: string type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration + regarding flow filtering' + properties: + config: + description: '`config` defines the configuration of the + flow filter.' + properties: + action: + description: FlowFilterAction defines the action to + perform on the flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + FlowFilterIPCIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterDestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100". + x-kubernetes-int-or-string: true + direction: + description: FlowFilterDirection defines the direction + to filter flows by. + enum: + - Ingress + - Egress + type: string + icmpCode: + description: FlowFilterICMPCode defines the ICMP code + to filter flows by. + type: integer + icmpType: + description: FlowFilterICMPType defines the ICMP type + to filter flows by. + type: integer + peerIPAddress: + description: |- + FlowFilterPeerIPAddress defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10 + x-kubernetes-int-or-string: true + protocol: + description: FlowFilterProtocol defines the protocol + to filter flows by. 
+ enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterSourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100". + x-kubernetes-int-or-string: true + type: object + enable: + description: Set `enable` to `true` to enable eBPF flow + filtering feature. + type: boolean + type: object imagePullPolicy: default: IfNotPresent description: '`imagePullPolicy` is the Kubernetes pull policy @@ -2236,10 +2319,9 @@ spec: subnets in OpenShift.' properties: customLabels: - description: '`customLabels` allows to customize subnets and - IPs labelling, such as to identify cluster-external workloads - or web services. If you enable `openShiftAutoDetect`, `customLabels` - can override the detected subnets in case they overlap.' + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. items: description: SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web @@ -2256,10 +2338,9 @@ spec: type: object type: array openShiftAutoDetect: - description: '`openShiftAutoDetect` allows, when set to `true`, - to detect automatically the machines, pods and services - subnets based on the OpenShift install configuration and - the Cluster Network Operator configuration.' + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. type: boolean type: object type: object 
@@ -2891,6 +2972,89 @@ spec: - FlowRTT type: string type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration + regarding flow filtering' + properties: + config: + description: '`config` defines the configuration of the + flow filter.' + properties: + action: + description: FlowFilterAction defines the action to + perform on the flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + FlowFilterIPCIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterDestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100". + x-kubernetes-int-or-string: true + direction: + description: FlowFilterDirection defines the direction + to filter flows by. + enum: + - Ingress + - Egress + type: string + icmpCode: + description: FlowFilterICMPCode defines the ICMP code + to filter flows by. + type: integer + icmpType: + description: FlowFilterICMPType defines the ICMP type + to filter flows by. + type: integer + peerIPAddress: + description: |- + FlowFilterPeerIPAddress defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10 + x-kubernetes-int-or-string: true + protocol: + description: FlowFilterProtocol defines the protocol + to filter flows by. 
+ enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterSourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100". + x-kubernetes-int-or-string: true + type: object + enable: + description: Set `enable` to `true` to enable eBPF flow + filtering feature. + type: boolean + type: object imagePullPolicy: default: IfNotPresent description: '`imagePullPolicy` is the Kubernetes pull policy @@ -6074,10 +6238,9 @@ spec: subnets in OpenShift.' properties: customLabels: - description: '`customLabels` allows to customize subnets and - IPs labelling, such as to identify cluster-external workloads - or web services. If you enable `openShiftAutoDetect`, `customLabels` - can override the detected subnets in case they overlap.' + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. items: description: SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web @@ -6094,10 +6257,9 @@ spec: type: object type: array openShiftAutoDetect: - description: '`openShiftAutoDetect` allows, when set to `true`, - to detect automatically the machines, pods and services - subnets based on the OpenShift install configuration and - the Cluster Network Operator configuration.' + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. type: boolean type: object type: object 
diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml index 44d285a55..a78a172d3 100644 --- a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml +++ b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml @@ -696,6 +696,32 @@ spec: path: agent.ebpf.excludeInterfaces - displayName: Features path: agent.ebpf.features + - displayName: Flow filter + path: agent.ebpf.flowFilter + - displayName: Config + path: agent.ebpf.flowFilter.config + - displayName: Action + path: agent.ebpf.flowFilter.config.action + - displayName: Cidr + path: agent.ebpf.flowFilter.config.cidr + - displayName: Dest ports + path: agent.ebpf.flowFilter.config.destPorts + - displayName: Direction + path: agent.ebpf.flowFilter.config.direction + - displayName: Icmp code + path: agent.ebpf.flowFilter.config.icmpCode + - displayName: Icmp type + path: agent.ebpf.flowFilter.config.icmpType + - displayName: PeerIP address + path: agent.ebpf.flowFilter.config.peerIPAddress + - displayName: Ports + path: agent.ebpf.flowFilter.config.ports + - displayName: Protocol + path: agent.ebpf.flowFilter.config.protocol + - displayName: Source ports + path: agent.ebpf.flowFilter.config.sourcePorts + - displayName: Enable + path: agent.ebpf.flowFilter.enable - displayName: Interfaces path: agent.ebpf.interfaces - displayName: Metrics diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml index 10239825a..9d5a9c96f 100644 --- a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml +++ b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml 
@@ -130,6 +130,81 @@ spec: - FlowRTT type: string type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration regarding flow filtering' + properties: + config: + description: '`config` defines the configuration of the flow filter.' + properties: + action: + description: FlowFilterAction defines the action to perform on the flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + FlowFilterIPCIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterDestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100". + x-kubernetes-int-or-string: true + direction: + description: FlowFilterDirection defines the direction to filter flows by. + enum: + - Ingress + - Egress + type: string + icmpCode: + description: FlowFilterICMPCode defines the ICMP code to filter flows by. + type: integer + icmpType: + description: FlowFilterICMPType defines the ICMP type to filter flows by. + type: integer + peerIPAddress: + description: |- + FlowFilterPeerIPAddress defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10 + x-kubernetes-int-or-string: true + protocol: + description: FlowFilterProtocol defines the protocol to filter flows by. 
+ enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterSourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100". + x-kubernetes-int-or-string: true + type: object + enable: + description: Set `enable` to `true` to enable eBPF flow filtering feature. + type: boolean + type: object imagePullPolicy: default: IfNotPresent description: '`imagePullPolicy` is the Kubernetes pull policy for the image defined above' @@ -2048,7 +2123,9 @@ spec: description: '`subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.' properties: customLabels: - description: '`customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.' + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. items: description: SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services. properties: 
@@ -2063,7 +2140,9 @@ spec: type: object type: array openShiftAutoDetect: - description: '`openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the OpenShift install configuration and the Cluster Network Operator configuration.' + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. type: boolean type: object type: object 
@@ -2682,6 +2761,81 @@ spec: - FlowRTT type: string type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration regarding flow filtering' + properties: + config: + description: '`config` defines the configuration of the flow filter.' + properties: + action: + description: FlowFilterAction defines the action to perform on the flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + FlowFilterIPCIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterDestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100". + x-kubernetes-int-or-string: true + direction: + description: FlowFilterDirection defines the direction to filter flows by. + enum: + - Ingress + - Egress + type: string + icmpCode: + description: FlowFilterICMPCode defines the ICMP code to filter flows by. + type: integer + icmpType: + description: FlowFilterICMPType defines the ICMP type to filter flows by. + type: integer + peerIPAddress: + description: |- + FlowFilterPeerIPAddress defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10 + x-kubernetes-int-or-string: true + protocol: + description: FlowFilterProtocol defines the protocol to filter flows by. 
+ enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + FlowFilterSourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100". + x-kubernetes-int-or-string: true + type: object + enable: + description: Set `enable` to `true` to enable eBPF flow filtering feature. + type: boolean + type: object imagePullPolicy: default: IfNotPresent description: '`imagePullPolicy` is the Kubernetes pull policy for the image defined above' @@ -5659,7 +5813,9 @@ spec: description: '`SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.' properties: customLabels: - description: '`customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.' + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. items: description: SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services. properties: 
@@ -5674,7 +5830,9 @@ spec: type: object type: array openShiftAutoDetect: - description: '`openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the OpenShift install configuration and the Cluster Network Operator configuration.' + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. type: boolean type: object type: object diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go index 4a4db1582..37d439ee7 100644 --- a/controllers/ebpf/agent_controller.go +++ b/controllers/ebpf/agent_controller.go @@ -21,6 +21,7 @@ import ( "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/log" ) @@ -60,6 +61,20 @@ const ( envMetricPrefix = "METRICS_PREFIX" envMetricsTLSCertPath = "METRICS_TLS_CERT_PATH" envMetricsTLSKeyPath = "METRICS_TLS_KEY_PATH" + envEnableFlowFilter = "ENABLE_FLOW_FILTER" + envFlowFilterIPCIDR = "FLOW_FILTER_IP_CIDR" + envFlowFilterAction = "FLOW_FILTER_ACTION" + envFlowFilterDirection = "FLOW_FILTER_DIRECTION" + envFlowFilterProtocol = "FLOW_FILTER_PROTOCOL" + envFlowFilterSourcePort = "FLOW_FILTER_SOURCE_PORT" + envFlowFilterDestPort = "FLOW_FILTER_DESTINATION_PORT" + envFlowFilterPort = "FLOW_FILTER_PORT" + envFlowFilterSourcePortRange = "FLOW_FILTER_SOURCE_PORT_RANGE" + envFlowFilterDestPortRange = "FLOW_FILTER_DESTINATION_PORT_RANGE" + envFlowFilterPortRange = "FLOW_FILTER_PORT_RANGE" + envFlowFilterICMPType = "FLOW_FILTER_ICMP_TYPE" + envFlowFilterICMPCode = "FLOW_FILTER_ICMP_CODE" + envFlowFilterPeerIPAddress = "FLOW_FILTER_PEER_IP" envListSeparator = "," ) 
@@ -394,9 +409,89 @@ func (c *AgentController) envConfig(ctx context.Context, coll *flowslatest.FlowC Value: strconv.Itoa(int(*advancedConfig.Port)), }) }
+
+ if helper.IsEBFPFlowFilterEnabled(&coll.Spec.Agent.EBPF) {
+ config = append(config, corev1.EnvVar{Name: envEnableFlowFilter, Value: "true"})
+
+ config = append(config, c.configureFlowFilter(&coll.Spec.Agent.EBPF.FlowFilter.Config, config)...)
+ }
+
return config, nil }
+func (c *AgentController) configureFlowFilter(filter *flowslatest.FlowFilterConfig, config []corev1.EnvVar) []corev1.EnvVar {
+ if filter.FlowFilterIPCIDR != "" {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterIPCIDR,
+ Value: filter.FlowFilterIPCIDR,
+ })
+ }
+ if filter.FlowFilterAction != "" {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterAction,
+ Value: filter.FlowFilterAction,
+ })
+ }
+ if filter.FLowFilterDirection != "" {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterDirection,
+ Value: filter.FLowFilterDirection,
+ })
+ }
+ if filter.FlowFilterProtocol != "" {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterProtocol,
+ Value: filter.FlowFilterProtocol,
+ })
+ switch filter.FlowFilterProtocol {
+ case "TCP", "UDP", "SCTP":
+ if filter.FlowFilterSourcePorts.Type == intstr.String {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterSourcePortRange,
+ Value: filter.FlowFilterSourcePorts.String(),
+ })
+ }
+ if filter.FlowFilterSourcePorts.Type == intstr.Int {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterSourcePort,
+ Value: strconv.Itoa(filter.FlowFilterSourcePorts.IntValue()),
+ })
+ }
+ if filter.FlowFilterDestPorts.Type == intstr.String {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterDestPortRange,
+ Value: filter.FlowFilterDestPorts.String(),
+ })
+ }
+ if filter.FlowFilterDestPorts.Type == intstr.Int {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterDestPort,
+ Value: strconv.Itoa(filter.FlowFilterDestPorts.IntValue()),
+ })
+ }
+ if
filter.FlowFilterPorts.Type == intstr.String {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterPortRange,
+ Value: filter.FlowFilterPorts.String(),
+ })
+ }
+ if filter.FlowFilterPorts.Type == intstr.Int {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterPort,
+ Value: strconv.Itoa(filter.FlowFilterPorts.IntValue()),
+ })
+ }
+
+ case "ICMP", "ICMPv6":
+ if *filter.FlowFilterICMPType != 0 {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterICMPType,
+ Value: strconv.Itoa(*filter.FlowFilterICMPType),
+ })
+ }
+ if *filter.FlowFilterICMPCode != 0 {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterICMPCode,
+ Value: strconv.Itoa(*filter.FlowFilterICMPCode)})
+ }
+ }
+ }
+
+ if filter.FlowFilterPeerIPAddress != "" {
+ config = append(config, corev1.EnvVar{Name: envFlowFilterPeerIPAddress,
+ Value: filter.FlowFilterPeerIPAddress})
+ }
+ return config
+}
+
func (c *AgentController) securityContext(coll *flowslatest.FlowCollector) *corev1.SecurityContext { if coll.Spec.Agent.EBPF.Privileged { return &corev1.SecurityContext{
diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
index 9c28391c8..059fde9fb 100644
--- a/docs/FlowCollector.md
+++ b/docs/FlowCollector.md
@@ -285,6 +285,13 @@ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.< - `FlowRTT` [unsupported (*)]: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1.
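Review bot: The call at the top of the hunk, `config = append(config, c.configureFlowFilter(&coll.Spec.Agent.EBPF.FlowFilter.Config, config)...)`, hands the helper the slice it already holds and then appends the helper's return value — that same slice plus the filter vars — back onto it, so every env var built so far (including `ENABLE_FLOW_FILTER`) ends up twice in the container spec; it should read `config = c.configureFlowFilter(&coll.Spec.Agent.EBPF.FlowFilter.Config, config)`. In the `"ICMP", "ICMPv6"` case `*filter.FlowFilterICMPType` and `*filter.FlowFilterICMPCode` are dereferenced without a nil check although neither field is required in the CRD, so a FlowCollector with `protocol: ICMP` and no `icmpType`/`icmpCode` is a nil-pointer panic in the reconciler; `if filter.FlowFilterICMPType != nil {` and `if filter.FlowFilterICMPCode != nil {` fix that and also stop a legitimate value of 0 (echo reply, code 0) from being silently dropped. The zero value of `intstr.IntOrString` is `Type: Int, IntVal: 0`, so for TCP/UDP/SCTP an unset `sourcePorts`, `destPorts` or `ports` is still emitted as `FLOW_FILTER_*_PORT=0` — presumably the agent treats 0 as unset, but that is worth confirming or guarding with `IntValue() != 0`. `cidr` and `peerIPAddress` reach the agent as raw strings with no `pattern` in the CRD and no `net.ParseCIDR`/`net.ParseIP` check here, which is acceptable only if the agent rejects malformed values itself, and the exported field `FLowFilterDirection` used in this hunk carries a capitalisation typo in the public API type. `envConfig` begins outside the hunk; `configureFlowFilter` is shown in full.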

false + + flowFilter + object + + `flowFilter` defines the eBPF agent configuration regarding flow filtering
+ + false imagePullPolicy enum @@ -399,6 +406,144 @@ in edge debug or support scenarios.
+### FlowCollector.spec.agent.ebpf.flowFilter +[↩ Parent](#flowcollectorspecagentebpf) + + + +`flowFilter` defines the eBPF agent configuration regarding flow filtering + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
configobject + `config` defines the configuration of the flow filter.
+
false
enableboolean + Set `enable` to `true` to enable eBPF flow filtering feature.
+
false
+ + +### FlowCollector.spec.agent.ebpf.flowFilter.config +[↩ Parent](#flowcollectorspecagentebpfflowfilter) + + + +`config` defines the configuration of the flow filter. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
actionenum + FlowFilterAction defines the action to perform on the flows that match the filter.
+
+ Enum: Accept, Reject
+
false
cidrstring + FlowFilterIPCIDR defines the IP CIDR to filter flows by. +Example: 10.10.10.0/24 or 100:100:100:100::/64
+
false
destPortsint or string + FlowFilterDestPorts defines the destination ports to filter flows by. +To filter a single port, set a single port as an integer value. For example destPorts: 80. +To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100".
+
false
directionenum + FlowFilterDirection defines the direction to filter flows by.
+
+ Enum: Ingress, Egress
+
false
icmpCodeinteger + FlowFilterICMPCode defines the ICMP code to filter flows by.
+
false
icmpTypeinteger + FlowFilterICMPType defines the ICMP type to filter flows by.
+
false
peerIPAddressstring + FlowFilterPeerIPAddress defines the IP address to filter flows by. +Example: 10.10.10.10
+
false
portsint or string + FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports. +To filter a single port, set a single port as an integer value. For example ports: 80. +To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10
+
false
protocolenum + FlowFilterProtocol defines the protocol to filter flows by.
+
+ Enum: TCP, UDP, ICMP, ICMPv6, SCTP
+
false
sourcePortsint or string + FlowFilterSourcePorts defines the source ports to filter flows by. +To filter a single port, set a single port as an integer value. For example sourcePorts: 80. +To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100".
+
false
+ + ### FlowCollector.spec.agent.ebpf.metrics [↩ Parent](#flowcollectorspecagentebpf) @@ -5020,14 +5165,16 @@ inside a container.
customLabels []object - `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+ `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. +If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
false openShiftAutoDetect boolean - `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the OpenShift install configuration and the Cluster Network Operator configuration.
+ `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the +OpenShift install configuration and the Cluster Network Operator configuration.
false @@ -5478,6 +5625,13 @@ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.< - `FlowRTT`: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1.

false + + flowFilter + object + + `flowFilter` defines the eBPF agent configuration regarding flow filtering
+ + false imagePullPolicy enum @@ -6978,6 +7132,144 @@ If specified, the pod's scheduling constraints. For documentation, refer to http +### FlowCollector.spec.agent.ebpf.flowFilter +[↩ Parent](#flowcollectorspecagentebpf-1) + + + +`flowFilter` defines the eBPF agent configuration regarding flow filtering + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
configobject + `config` defines the configuration of the flow filter.
+
false
enableboolean + Set `enable` to `true` to enable eBPF flow filtering feature.
+
false
+ + +### FlowCollector.spec.agent.ebpf.flowFilter.config +[↩ Parent](#flowcollectorspecagentebpfflowfilter-1) + + + +`config` defines the configuration of the flow filter. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
actionenum + FlowFilterAction defines the action to perform on the flows that match the filter.
+
+ Enum: Accept, Reject
+
false
cidrstring + FlowFilterIPCIDR defines the IP CIDR to filter flows by. +Example: 10.10.10.0/24 or 100:100:100:100::/64
+
false
destPortsint or string + FlowFilterDestPorts defines the destination ports to filter flows by. +To filter a single port, set a single port as an integer value. For example destPorts: 80. +To filter a range of ports, use a "start-end" range, string format. For example destPorts: "80-100".
+
false
directionenum + FlowFilterDirection defines the direction to filter flows by.
+
+ Enum: Ingress, Egress
+
false
icmpCodeinteger + FlowFilterICMPCode defines the ICMP code to filter flows by.
+
false
icmpTypeinteger + FlowFilterICMPType defines the ICMP type to filter flows by.
+
false
peerIPAddressstring + FlowFilterPeerIPAddress defines the IP address to filter flows by. +Example: 10.10.10.10
+
false
portsint or string + FlowFilterPorts defines the ports to filter flows by. it can be user for either source or destination ports. +To filter a single port, set a single port as an integer value. For example ports: 80. +To filter a range of ports, use a "start-end" range, string format. For example ports: "80-10
+
false
protocolenum + FlowFilterProtocol defines the protocol to filter flows by.
+
+ Enum: TCP, UDP, ICMP, ICMPv6, SCTP
+
false
sourcePortsint or string + FlowFilterSourcePorts defines the source ports to filter flows by. +To filter a single port, set a single port as an integer value. For example sourcePorts: 80. +To filter a range of ports, use a "start-end" range, string format. For example sourcePorts: "80-100".
+
false
+ + ### FlowCollector.spec.agent.ebpf.metrics [↩ Parent](#flowcollectorspecagentebpf-1) @@ -14996,14 +15288,16 @@ inside a container.
customLabels []object - `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+ `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. +If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
false openShiftAutoDetect boolean - `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the OpenShift install configuration and the Cluster Network Operator configuration.
+ `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the +OpenShift install configuration and the Cluster Network Operator configuration.
false
diff --git a/pkg/helper/flowcollector.go b/pkg/helper/flowcollector.go
index 7eaa8d67d..7dd78ca7e 100644
--- a/pkg/helper/flowcollector.go
+++ b/pkg/helper/flowcollector.go
@@ -118,6 +118,10 @@ func IsSubnetLabelsEnabled(spec *flowslatest.FlowCollectorFLP) bool { return AutoDetectOpenShiftNetworks(spec) || len(spec.SubnetLabels.CustomLabels) > 0 }
+func IsEBFPFlowFilterEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
+ return spec.FlowFilter != nil && spec.FlowFilter.Enable != nil && *spec.FlowFilter.Enable
+ }
+
func PtrBool(b *bool) bool { if b == nil { return false
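Review bot: `IsEBFPFlowFilterEnabled` transposes the acronym (`EBFP` for `EBPF`) and is already called from agent_controller.go; renaming it to `IsEBPFFlowFilterEnabled` now, while it has a single caller, keeps it consistent with `FlowCollectorEBPF` and `Spec.Agent.EBPF`. The nil checks on `FlowFilter` and `Enable` before the dereference are correct; judging by its visible nil branch, the existing `PtrBool` already covers the last two terms, so `return spec.FlowFilter != nil && PtrBool(spec.FlowFilter.Enable)` would say the same thing in one place.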