Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 17. FlowCollector API reference

The 

FlowCollector
API is the underlying schema used to pilot and configure the deployments for collecting network flows. This reference guide helps you manage those critical settings.

17.1. FlowCollector API specifications
Link kopieren

Description
FlowCollector is the schema for the network flows collection API, which pilots and configures the underlying deployments.
Type
object
Expand
PropertyTypeDescription

apiVersion
 

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and might reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 

kind
 

string

Kind is a string value representing the REST resource this object represents. Servers might infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 

metadata
 

object

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 

spec
 

object

Defines the desired state of the FlowCollector resource.

*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for example, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.

17.1.1. .metadata
Link kopieren

Description
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
Type
object

17.1.2. .spec
Link kopieren

Description

Defines the desired state of the FlowCollector resource.

*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for example, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.

Type
object
Expand
PropertyTypeDescription

agent
 

object

Agent configuration for flows extraction. 

consolePlugin
 

object
 

consolePlugin
defines the settings related to the OpenShift Container Platform Console plugin, when available. 

deploymentModel
 

string
 

deploymentModel
defines the desired type of deployment for flow processing. Possible values are:

- 

Service
(default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.

- 

Kafka
to make flows sent to a Kafka pipeline before consumption by the processor.

- 

Direct
to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.

Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).

Direct
is not recommended on large clusters as it is less memory efficient. 

exporters
 

array
 

exporters
defines additional optional exporters for custom consumption or storage. 

kafka
 

object

Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the 

spec.deploymentModel
is 
Kafka
. 

loki
 

object
 

loki
, the flow store, client settings. 

namespace
 

string

Namespace where Network Observability pods are deployed. 

networkPolicy
 

object
 

networkPolicy
defines network policy settings for Network Observability components isolation. 

processor
 

object
 

processor
defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter. 

prometheus
 

object
 

prometheus
defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.

17.1.3. .spec.agent
Link kopieren

Description
Agent configuration for flows extraction.
Type
object
Expand
PropertyTypeDescription

ebpf
 

object
 

ebpf
describes the settings related to the eBPF-based flow reporter when 
spec.agent.type
is set to 
eBPF
. 

type
 

string
 

type
[deprecated (*)] selects the flows tracing agent. Previously, this field allowed to select between 
eBPF
or 
IPFIX
. Only 
eBPF
is allowed now, so this field is deprecated and is planned for removal in a future version of the API.

17.1.4. .spec.agent.ebpf
Link kopieren

Description
ebpf describes the settings related to the eBPF-based flow reporter when spec.agent.type is set to eBPF.
Type
object
Expand
PropertyTypeDescription

advanced
 

object
 

advanced
allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed mostly for debugging and fine-grained performance optimizations, such as 
GOGC
and 
GOMAXPROCS
environment variables. Set these values at your own risk. You can also override the default Linux capabilities from there. 

cacheActiveTimeout
 

string
 

cacheActiveTimeout
is the period during which the agent aggregates flows before sending. Increasing 
cacheMaxFlows
and 
cacheActiveTimeout
can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection. 

cacheMaxFlows
 

integer
 

cacheMaxFlows
is the maximum number of flows in an aggregate; when reached, the reporter sends the flows. Increasing 
cacheMaxFlows
and 
cacheActiveTimeout
can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection. 

excludeInterfaces
 

array (string)
 

excludeInterfaces
contains the interface names that are excluded from flow tracing. An entry enclosed by slashes, such as 
/br-/
, is matched as a regular expression. Otherwise it is matched as a case-sensitive string. 

features
 

array (string)

List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:

- 

PacketDrop
: Enable the packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged. If the 
spec.agent.ebpf.privileged
parameter is not set, an error is reported.

- 

DNSTracking
: Enable the DNS tracking feature.

- 

FlowRTT
: Enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.

- 

NetworkEvents
: Enable the network events monitoring feature, such as correlating flows and network policies. This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged. It requires using the OVN-Kubernetes network plugin with the Observability feature. IMPORTANT: This feature is available as a Technology Preview.

- 

PacketTranslation
: Enable enriching flows with packet translation information, such as Service NAT.

- 

EbpfManager
: [Unsupported (*)]. Use eBPF Manager to manage Network Observability eBPF programs. Pre-requisite: the eBPF Manager operator (or upstream bpfman operator) must be installed.

- 

UDNMapping
: Enable interfaces mapping to User Defined Networks (UDN).

This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged. It requires using the OVN-Kubernetes network plugin with the Observability feature.

- 

IPSec
, to track flows between nodes with IPsec encryption. 

flowFilter
 

object
 

flowFilter
defines the eBPF agent configuration regarding flow filtering. 

imagePullPolicy
 

string
 

imagePullPolicy
is the Kubernetes pull policy for the image defined above 

interfaces
 

array (string)
 

interfaces
contains the interface names from where flows are collected. If empty, the agent fetches all the interfaces in the system, excepting the ones listed in 
excludeInterfaces
. An entry enclosed by slashes, such as 
/br-/
, is matched as a regular expression. Otherwise it is matched as a case-sensitive string. 

kafkaBatchSize
 

integer
 

kafkaBatchSize
limits the maximum size of a request in bytes before being sent to a partition. Ignored when not using Kafka. Default: 1MB. 

logLevel
 

string
 

logLevel
defines the log level for the Network Observability eBPF Agent 

metrics
 

object
 

metrics
defines the eBPF agent configuration regarding metrics. 

privileged
 

boolean

Privileged mode for the eBPF Agent container. When set to 

true
, the agent is able to capture more traffic, including from secondary interfaces. When ignored or set to 
false
, the operator sets granular capabilities (BPF, PERFMON, NET_ADMIN) to the container. Some agent features require the privileged mode, such as packet drops tracking (see 
features
) and SR-IOV support. 

resources
 

object
 

resources
are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 

sampling
 

integer

Sampling interval of the eBPF probe. 100 means one packet on 100 is sent. 0 or 1 means all packets are sampled.

17.1.5. .spec.agent.ebpf.advanced
Link kopieren

Description
advanced allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk. You can also override the default Linux capabilities from there.
Type
object
Expand
PropertyTypeDescription

capOverride
 

array (string)

Linux capabilities override, when not running as privileged. Default capabilities are BPF, PERFMON and NET_ADMIN. 

env
 

object (string)
 

env
allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as 
GOGC
and 
GOMAXPROCS
, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios. 

scheduling
 

object

scheduling controls how the pods are scheduled on nodes.

17.1.6. .spec.agent.ebpf.advanced.scheduling
Link kopieren

Description
scheduling controls how the pods are scheduled on nodes.
Type
object
Expand
PropertyTypeDescription

affinity
 

object

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. 

nodeSelector
 

object (string)
 

nodeSelector
allows scheduling of pods only onto nodes that have each of the specified labels. For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/. 

priorityClassName
 

string

If specified, indicates the pod’s priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. If not specified, default priority is used, or zero if there is no default. 

tolerations
 

array
 

tolerations
is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

17.1.7. .spec.agent.ebpf.advanced.scheduling.affinity
Link kopieren

Description
If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
Type
object

17.1.8. .spec.agent.ebpf.advanced.scheduling.tolerations
Link kopieren

Description
tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
Type
array

17.1.9. .spec.agent.ebpf.flowFilter
Link kopieren

Description
flowFilter defines the eBPF agent configuration regarding flow filtering.
Type
object
Expand
PropertyTypeDescription

action
 

string
 

action
defines the action to perform on the flows that match the filter. The available options are 
Accept
, which is the default, and 
Reject
. 

cidr
 

string
 

cidr
defines the IP CIDR to filter flows by. Examples: 
10.10.10.0/24
or 
100:100:100:100::/64
 

destPorts
 

integer-or-string
 

destPorts
optionally defines the destination ports to filter flows by. To filter a single port, set a single port as an integer value. For example, 
destPorts: 80
. To filter a range of ports, use a "start-end" range in string format. For example, 
destPorts: "80-100"
. To filter two ports, use a "port1,port2" in string format. For example, 
ports: "80,100"
. 

direction
 

string
 

direction
optionally defines a direction to filter flows by. The available options are 
Ingress
and 
Egress
. 

enable
 

boolean

Set 

enable
to 
true
to enable the eBPF flow filtering feature. 

icmpCode
 

integer
 

icmpCode
, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by. 

icmpType
 

integer
 

icmpType
, for ICMP traffic, optionally defines the ICMP type to filter flows by. 

peerCIDR
 

string
 

peerCIDR
defines the Peer IP CIDR to filter flows by. Examples: 
10.10.10.0/24
or 
100:100:100:100::/64
 

peerIP
 

string
 

peerIP
optionally defines the remote IP address to filter flows by. Example: 
10.10.10.10
. 

pktDrops
 

boolean
 

pktDrops
optionally filters only flows containing packet drops. 

ports
 

integer-or-string
 

ports
optionally defines the ports to filter flows by. It is used both for source and destination ports. To filter a single port, set a single port as an integer value. For example, 
ports: 80
. To filter a range of ports, use a "start-end" range in string format. For example, 
ports: "80-100"
. To filter two ports, use a "port1,port2" in string format. For example, 
ports: "80,100"
. 

protocol
 

string
 

protocol
optionally defines a protocol to filter flows by. The available options are 
TCP
, 
UDP
, 
ICMP
, 
ICMPv6
, and 
SCTP
. 

rules
 

array
 

rules
defines a list of filtering rules on the eBPF Agents. When filtering is enabled, by default, flows that don’t match any rule are rejected. To change the default, you can define a rule that accepts everything: 
{ action: "Accept", cidr: "0.0.0.0/0" }
, and then refine with rejecting rules. 

sampling
 

integer
 

sampling
is the sampling interval for the matched packets, overriding the global sampling defined at 
spec.agent.ebpf.sampling
. 

sourcePorts
 

integer-or-string
 

sourcePorts
optionally defines the source ports to filter flows by. To filter a single port, set a single port as an integer value. For example, 
sourcePorts: 80
. To filter a range of ports, use a "start-end" range in string format. For example, 
sourcePorts: "80-100"
. To filter two ports, use a "port1,port2" in string format. For example, 
ports: "80,100"
. 

tcpFlags
 

string
 

tcpFlags
optionally defines TCP flags to filter flows by. In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: 
SYN-ACK
, 
FIN-ACK
, and 
RST-ACK
.

17.1.10. .spec.agent.ebpf.flowFilter.rules
Link kopieren

Description
rules defines a list of filtering rules on the eBPF Agents. When filtering is enabled, by default, flows that don’t match any rule are rejected. To change the default, you can define a rule that accepts everything: { action: "Accept", cidr: "0.0.0.0/0" }, and then refine with rejecting rules.
Type
array

17.1.11. .spec.agent.ebpf.flowFilter.rules[]
Link kopieren

Description
EBPFFlowFilterRule defines the desired eBPF agent configuration regarding flow filtering rule.
Type
object
Expand
PropertyTypeDescription

action
 

string
 

action
defines the action to perform on the flows that match the filter. The available options are 
Accept
, which is the default, and 
Reject
. 

cidr
 

string
 

cidr
defines the IP CIDR to filter flows by. Examples: 
10.10.10.0/24
or 
100:100:100:100::/64
 

destPorts
 

integer-or-string
 

destPorts
optionally defines the destination ports to filter flows by. To filter a single port, set a single port as an integer value. For example, 
destPorts: 80
. To filter a range of ports, use a "start-end" range in string format. For example, 
destPorts: "80-100"
. To filter two ports, use a "port1,port2" in string format. For example, 
ports: "80,100"
. 

direction
 

string
 

direction
optionally defines a direction to filter flows by. The available options are 
Ingress
and 
Egress
. 

icmpCode
 

integer
 

icmpCode
, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by. 

icmpType
 

integer
 

icmpType
, for ICMP traffic, optionally defines the ICMP type to filter flows by. 

peerCIDR
 

string
 

peerCIDR
defines the Peer IP CIDR to filter flows by. Examples: 
10.10.10.0/24
or 
100:100:100:100::/64
 

peerIP
 

string
 

peerIP
optionally defines the remote IP address to filter flows by. Example: 
10.10.10.10
. 

pktDrops
 

boolean
 

pktDrops
optionally filters only flows containing packet drops. 

ports
 

integer-or-string
 

ports
optionally defines the ports to filter flows by. It is used both for source and destination ports. To filter a single port, set a single port as an integer value. For example, 
ports: 80
. To filter a range of ports, use a "start-end" range in string format. For example, 
ports: "80-100"
. To filter two ports, use a "port1,port2" in string format. For example, 
ports: "80,100"
. 

protocol
 

string
 

protocol
optionally defines a protocol to filter flows by. The available options are 
TCP
, 
UDP
, 
ICMP
, 
ICMPv6
, and 
SCTP
. 

sampling
 

integer
 

sampling
is the sampling interval for the matched packets, overriding the global sampling defined at 
spec.agent.ebpf.sampling
. 

sourcePorts
 

integer-or-string
 

sourcePorts
optionally defines the source ports to filter flows by. To filter a single port, set a single port as an integer value. For example, 
sourcePorts: 80
. To filter a range of ports, use a "start-end" range in string format. For example, 
sourcePorts: "80-100"
. To filter two ports, use a "port1,port2" in string format. For example, 
ports: "80,100"
. 

tcpFlags
 

string
 

tcpFlags
optionally defines TCP flags to filter flows by. In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: 
SYN-ACK
, 
FIN-ACK
, and 
RST-ACK
.

17.1.12. .spec.agent.ebpf.metrics
Link kopieren

Description
metrics defines the eBPF agent configuration regarding metrics.
Type
object
Expand
PropertyTypeDescription

disableAlerts
 

array (string)
 

disableAlerts
is a list of alerts that should be disabled. Possible values are:

NetObservDroppedFlows
, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter is being triggered.

enable
 

boolean

Set 

enable
to 
false
to disable eBPF agent metrics collection. It is enabled by default. 

server
 

object

Metrics server endpoint configuration for the Prometheus scraper.

17.1.13. .spec.agent.ebpf.metrics.server
Link kopieren

Description
Metrics server endpoint configuration for the Prometheus scraper.
Type
object
Expand
PropertyTypeDescription

port
 

integer

The metrics server HTTP port. 

tls
 

object

TLS configuration.

17.1.14. .spec.agent.ebpf.metrics.server.tls
Link kopieren

Description
TLS configuration.
Type
object
Required
  • type
Expand
PropertyTypeDescription

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the provided certificate. If set to 
true
, the 
providedCaFile
field is ignored. 

provided
 

object

TLS configuration when 

type
is set to 
Provided
. 

providedCaFile
 

object

Reference to the CA file when 

type
is set to 
Provided
. 

type
 

string

Select the type of TLS configuration:

- 

Disabled
(default) to not configure TLS for the endpoint. - 
Provided
to manually provide cert file and a key file. [Unsupported (*)]. - 
Auto
to use OpenShift Container Platform auto generated certificate using annotations.

17.1.15. .spec.agent.ebpf.metrics.server.tls.provided
Link kopieren

Description
TLS configuration when type is set to Provided.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.16. .spec.agent.ebpf.metrics.server.tls.providedCaFile
Link kopieren

Description
Reference to the CA file when type is set to Provided.
Type
object
Expand
PropertyTypeDescription

file
 

string

File name within the config map or secret. 

name
 

string

Name of the config map or secret containing the file. 

namespace
 

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the file reference: 

configmap
or 
secret
.

17.1.17. .spec.agent.ebpf.resources
Link kopieren

Description
resources are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Type
object
Expand
PropertyTypeDescription

limits
 

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 

requests
 

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

17.1.18. .spec.consolePlugin
Link kopieren

Description
consolePlugin defines the settings related to the OpenShift Container Platform Console plugin, when available.
Type
object
Expand
PropertyTypeDescription

advanced
 

object
 

advanced
allows setting some aspects of the internal configuration of the console plugin. This section is aimed mostly for debugging and fine-grained performance optimizations, such as 
GOGC
and 
GOMAXPROCS
environment variables. Set these values at your own risk. 

autoscaler
 

object
 

autoscaler
[deprecated (*)] spec of a horizontal pod autoscaler to set up for the plugin Deployment. Deprecation notice: managed autoscaler will be removed in a future version. You might configure instead an autoscaler of your choice, and set 
spec.consolePlugin.unmanagedReplicas
to 
true
. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2). 

enable
 

boolean

Enables the console plugin deployment. 

imagePullPolicy
 

string
 

imagePullPolicy
is the Kubernetes pull policy for the image defined above. 

logLevel
 

string
 

logLevel
for the console plugin backend. 

portNaming
 

object
 

portNaming
defines the configuration of the port-to-service name translation. 

quickFilters
 

array
 

quickFilters
configures quick filter presets for the Console plugin. Filters for external traffic assume the subnet labels are configured to distinguish internal and external traffic (see 
spec.processor.subnetLabels
). 

replicas
 

integer
 

replicas
defines the number of replicas (pods) to start. 

resources
 

object
 

resources
, in terms of compute resources, required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/. 

standalone
 

boolean

Deploy as a standalone console, instead of a plugin of the OpenShift Container Platform Console. This is not recommended when using with OpenShift Container Platform, as it doesn’t provide an integrated experience. [Unsupported (*)]. 

unmanagedReplicas
 

boolean

If 

unmanagedReplicas
is 
true
, the operator will not reconcile 
replicas
. This is useful when using a pod autoscaler.

17.1.19. .spec.consolePlugin.advanced
Link kopieren

Description
advanced allows setting some aspects of the internal configuration of the console plugin. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk.
Type
object
Expand
PropertyTypeDescription

args
 

array (string)
 

args
allows passing custom arguments to underlying components. Useful for overriding some parameters, such as a URL or a configuration path, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios. 

env
 

object (string)
 

env
allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as 
GOGC
and 
GOMAXPROCS
, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios. 

port
 

integer
 

port
is the plugin service port. Do not use 9002, which is reserved for metrics. 

register
 

boolean
 

register
allows, when set to 
true
, to automatically register the provided console plugin with the OpenShift Container Platform Console operator. When set to 
false
, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: 
oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'
 

scheduling
 

object
 

scheduling
controls how the pods are scheduled on nodes.

17.1.20. .spec.consolePlugin.advanced.scheduling
Link kopieren

Description
scheduling controls how the pods are scheduled on nodes.
Type
object
Expand
PropertyTypeDescription

affinity
 

object

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. 

nodeSelector
 

object (string)
 

nodeSelector
allows scheduling of pods only onto nodes that have each of the specified labels. For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/. 

priorityClassName
 

string

If specified, indicates the pod’s priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. If not specified, default priority is used, or zero if there is no default. 

tolerations
 

array
 

tolerations
is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

17.1.21. .spec.consolePlugin.advanced.scheduling.affinity
Link kopieren

Description
If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
Type
object

17.1.22. .spec.consolePlugin.advanced.scheduling.tolerations
Link kopieren

Description
tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
Type
array

17.1.23. .spec.consolePlugin.autoscaler
Link kopieren

Description
autoscaler [deprecated (*)] spec of a horizontal pod autoscaler to set up for the plugin Deployment. Deprecation notice: managed autoscaler will be removed in a future version. You might configure instead an autoscaler of your choice, and set spec.consolePlugin.unmanagedReplicas to true. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
Type
object

17.1.24. .spec.consolePlugin.portNaming
Link kopieren

Description
portNaming defines the configuration of the port-to-service name translation.
Type
object
Expand
PropertyTypeDescription

enable
 

boolean

Enable the console plugin port-to-service name translation 

portNames
 

object (string)
 

portNames
defines additional port names to use in the console, for example, 
portNames: {"3100": "loki"}
.

17.1.25. .spec.consolePlugin.quickFilters
Link kopieren

Description
quickFilters configures quick filter presets for the Console plugin. Filters for external traffic assume the subnet labels are configured to distinguish internal and external traffic (see spec.processor.subnetLabels).
Type
array

17.1.26. .spec.consolePlugin.quickFilters[]
Link kopieren

Description
QuickFilter defines preset configuration for Console’s quick filters
Type
object
Required
  • filter
     
  • name
Expand
PropertyTypeDescription

default
 

boolean
 

default
defines whether this filter should be active by default or not 

filter
 

object (string)
 

filter
is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, for example, 
filter: {"src_namespace": "namespace1,namespace2"}
. 

name
 

string

Name of the filter, that is displayed in the Console

17.1.27. .spec.consolePlugin.resources
Link kopieren

Description
resources, in terms of compute resources, required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/.
Type
object
Expand
PropertyTypeDescription

limits
 

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 

requests
 

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

17.1.28. .spec.exporters
Link kopieren

Description
exporters defines additional optional exporters for custom consumption or storage.
Type
array

17.1.29. .spec.exporters[]
Link kopieren

Description
FlowCollectorExporter defines an additional exporter to send enriched flows to.
Type
object
Required
  • type
Expand
PropertyTypeDescription

ipfix
 

object

IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to. 

kafka
 

object

Kafka configuration, such as the address and topic, to send enriched flows to. 

openTelemetry
 

object

OpenTelemetry configuration, such as the IP address and port to send enriched logs or metrics to. 

type
 

string
 

type
selects the type of exporters. The available options are 
Kafka
, 
IPFIX
, and 
OpenTelemetry
.

17.1.30. .spec.exporters[].ipfix
Link kopieren

Description
IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to.
Type
object
Required
  • enterpriseID
     
  • targetHost
     
  • targetPort
Expand
PropertyTypeDescription

enterpriseID
 

integer

EnterpriseID, or Private Enterprise Number (PEN). To date, Network Observability does not own an assigned number, so it is left open for configuration. The PEN is needed to collect non standard data, such as Kubernetes names, RTT, etc. 

targetHost
 

string

Address of the IPFIX external receiver. 

targetPort
 

integer

Port for the IPFIX external receiver. 

transport
 

string

Transport protocol (

TCP
or 
UDP
) to be used for the IPFIX connection, defaults to 
TCP
.

17.1.31. .spec.exporters[].kafka
Link kopieren

Description
Kafka configuration, such as the address and topic, to send enriched flows to.
Type
object
Required
  • address
     
  • topic
Expand
PropertyTypeDescription

address
 

string

Address of the Kafka server 

sasl
 

object

SASL authentication configuration. [Unsupported (*)]. 

tls
 

object

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093. 

topic
 

string

Kafka topic to use. It must exist. Network Observability does not create it.

17.1.32. .spec.exporters[].kafka.sasl
Link kopieren

Description
SASL authentication configuration. [Unsupported (*)].
Type
object
Expand
PropertyTypeDescription

clientIDReference
 

object

Reference to the secret or config map containing the client ID 

clientSecretReference
 

object

Reference to the secret or config map containing the client secret 

type
 

string

Type of SASL authentication to use, or 

Disabled
if SASL is not used

17.1.33. .spec.exporters[].kafka.sasl.clientIDReference
Link kopieren

Description
Reference to the secret or config map containing the client ID
Type
object
Expand
PropertyTypeDescription

file
 

string

File name within the config map or secret. 

name
 

string

Name of the config map or secret containing the file. 

namespace
 

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the file reference: 

configmap
or 
secret
.

17.1.34. .spec.exporters[].kafka.sasl.clientSecretReference
Link kopieren

Description
Reference to the secret or config map containing the client secret
Type
object
Expand
PropertyTypeDescription

file
 

string

File name within the config map or secret. 

name
 

string

Name of the config map or secret containing the file. 

namespace
 

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the file reference: 

configmap
or 
secret
.

17.1.35. .spec.exporters[].kafka.tls
Link kopieren

Description
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.36. .spec.exporters[].kafka.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.37. .spec.exporters[].kafka.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.38. .spec.exporters[].openTelemetry
Link kopieren

Description
OpenTelemetry configuration, such as the IP address and port to send enriched logs or metrics to.
Type
object
Required
  • targetHost
     
  • targetPort
Expand
PropertyTypeDescription

fieldsMapping
 

array

Custom fields mapping to an OpenTelemetry conformant format. By default, Network Observability format proposal is used: https://github.com/rhobs/observability-data-model/blob/main/network-observability.md#format-proposal . As there is currently no accepted standard for L3 or L4 enriched network logs, you can freely override it with your own. 

headers
 

object (string)

Headers to add to messages (optional) 

logs
 

object

OpenTelemetry configuration for logs. 

metrics
 

object

OpenTelemetry configuration for metrics. 

protocol
 

string

Protocol of the OpenTelemetry connection. The available options are 

http
and 
grpc
. 

targetHost
 

string

Address of the OpenTelemetry receiver. 

targetPort
 

integer

Port for the OpenTelemetry receiver. 

tls
 

object

TLS client configuration.

17.1.39. .spec.exporters[].openTelemetry.fieldsMapping
Link kopieren

Description
Custom fields mapping to an OpenTelemetry conformant format. By default, Network Observability format proposal is used: https://github.com/rhobs/observability-data-model/blob/main/network-observability.md#format-proposal . As there is currently no accepted standard for L3 or L4 enriched network logs, you can freely override it with your own.
Type
array

17.1.40. .spec.exporters[].openTelemetry.fieldsMapping[]
Link kopieren

Description
Type
object
Expand
PropertyTypeDescription

input
 

string

 

multiplier
 

integer

 

output
 

string

 

17.1.41. .spec.exporters[].openTelemetry.logs
Link kopieren

Description
OpenTelemetry configuration for logs.
Type
object
Expand
PropertyTypeDescription

enable
 

boolean

Set 

enable
to 
true
to send logs to an OpenTelemetry receiver.

17.1.42. .spec.exporters[].openTelemetry.metrics
Link kopieren

Description
OpenTelemetry configuration for metrics.
Type
object
Expand
PropertyTypeDescription

enable
 

boolean

Set 

enable
to 
true
to send metrics to an OpenTelemetry receiver. 

pushTimeInterval
 

string

Specify how often metrics are sent to a collector.

17.1.43. .spec.exporters[].openTelemetry.tls
Link kopieren

Description
TLS client configuration.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.44. .spec.exporters[].openTelemetry.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.45. .spec.exporters[].openTelemetry.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.46. .spec.kafka
Link kopieren

Description
Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the spec.deploymentModel is Kafka.
Type
object
Required
  • address
     
  • topic
Expand
PropertyTypeDescription

address
 

string

Address of the Kafka server 

sasl
 

object

SASL authentication configuration. [Unsupported (*)]. 

tls
 

object

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093. 

topic
 

string

Kafka topic to use. It must exist. Network Observability does not create it.

17.1.47. .spec.kafka.sasl
Link kopieren

Description
SASL authentication configuration. [Unsupported (*)].
Type
object
Expand
PropertyTypeDescription

clientIDReference
 

object

Reference to the secret or config map containing the client ID 

clientSecretReference
 

object

Reference to the secret or config map containing the client secret 

type
 

string

Type of SASL authentication to use, or 

Disabled
if SASL is not used

17.1.48. .spec.kafka.sasl.clientIDReference
Link kopieren

Description
Reference to the secret or config map containing the client ID
Type
object
Expand
PropertyTypeDescription

file
 

string

File name within the config map or secret. 

name
 

string

Name of the config map or secret containing the file. 

namespace
 

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the file reference: 

configmap
or 
secret
.

17.1.49. .spec.kafka.sasl.clientSecretReference
Link kopieren

Description
Reference to the secret or config map containing the client secret
Type
object
Expand
PropertyTypeDescription

file
 

string

File name within the config map or secret. 

name
 

string

Name of the config map or secret containing the file. 

namespace
 

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the file reference: 

configmap
or 
secret
.

17.1.50. .spec.kafka.tls
Link kopieren

Description
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.51. .spec.kafka.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.52. .spec.kafka.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.53. .spec.loki
Link kopieren

Description
loki, the flow store, client settings.
Type
object
Required
  • mode
Expand
PropertyTypeDescription

advanced
 

object
 

advanced
allows setting some aspects of the internal configuration of the Loki clients. This section is aimed mostly for debugging and fine-grained performance optimizations. 

enable
 

boolean

Set 

enable
to 
true
to store flows in Loki. The Console plugin can use either Loki or Prometheus as a data source for metrics (see also 
spec.prometheus.querier
), or both. Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, such as getting per-pod information or viewing raw flows. If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. If they are both disabled, the Console plugin is not deployed. 

lokiStack
 

object

Loki configuration for 

LokiStack
mode. This is useful for an easy Loki Operator configuration. It is ignored for other modes. 

manual
 

object

Loki configuration for 

Manual
mode. This is the most flexible configuration. It is ignored for other modes. 

microservices
 

object

Loki configuration for 

Microservices
mode. Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). It is ignored for other modes. 

mode
 

string
 

mode
must be set according to the installation mode of Loki:

- Use 

LokiStack
when Loki is managed using the Loki Operator

- Use 

Monolithic
when Loki is installed as a monolithic workload

- Use 

Microservices
when Loki is installed as microservices, but without Loki Operator

- Use 

Manual
if none of the options above match your setup

monolithic
 

object

Loki configuration for 

Monolithic
mode. Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). It is ignored for other modes. 

readTimeout
 

string
 

readTimeout
is the maximum console plugin loki query total time limit. A timeout of zero means no timeout. 

writeBatchSize
 

integer
 

writeBatchSize
is the maximum batch size (in bytes) of Loki logs to accumulate before sending. 

writeBatchWait
 

string
 

writeBatchWait
is the maximum time to wait before sending a Loki batch. 

writeTimeout
 

string
 

writeTimeout
is the maximum Loki time connection / request limit. A timeout of zero means no timeout.

17.1.54. .spec.loki.advanced
Link kopieren

Description
advanced allows setting some aspects of the internal configuration of the Loki clients. This section is aimed mostly for debugging and fine-grained performance optimizations.
Type
object
Expand
PropertyTypeDescription

excludeLabels
 

array (string)
 

excludeLabels
is a list of fields to be excluded from the list of Loki labels. [Unsupported (*)]. 

staticLabels
 

object (string)
 

staticLabels
is a map of common labels to set on each flow in Loki storage. 

writeMaxBackoff
 

string
 

writeMaxBackoff
is the maximum backoff time for Loki client connection between retries. 

writeMaxRetries
 

integer
 

writeMaxRetries
is the maximum number of retries for Loki client connections. 

writeMinBackoff
 

string
 

writeMinBackoff
is the initial backoff time for Loki client connection between retries.

17.1.55. .spec.loki.lokiStack
Link kopieren

Description
Loki configuration for LokiStack mode. This is useful for an easy Loki Operator configuration. It is ignored for other modes.
Type
object
Required
  • name
Expand
PropertyTypeDescription

name
 

string

Name of an existing LokiStack resource to use. 

namespace
 

string

Namespace where this 

LokiStack
resource is located. If omitted, it is assumed to be the same as 
spec.namespace
.

17.1.56. .spec.loki.manual
Link kopieren

Description
Loki configuration for Manual mode. This is the most flexible configuration. It is ignored for other modes.
Type
object
Expand
PropertyTypeDescription

authToken
 

string
 

authToken
describes the way to get a token to authenticate to Loki.

- 

Disabled
does not send any token with the request.

- 

Forward
forwards the user token for authorization.

- 

Host
[deprecated (*)] - uses the local pod service account to authenticate to Loki.

When using the Loki Operator, this must be set to 

Forward
. 

ingesterUrl
 

string
 

ingesterUrl
is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator, set it to the Loki gateway service with the 
network
tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. 

querierUrl
 

string
 

querierUrl
specifies the address of the Loki querier service. When using the Loki Operator, set it to the Loki gateway service with the 
network
tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. 

statusTls
 

object

TLS client configuration for Loki status URL. 

statusUrl
 

string
 

statusUrl
specifies the address of the Loki 
/ready
, 
/metrics
and 
/config
endpoints, in case it is different from the Loki querier URL. If empty, the 
querierUrl
value is used. This is useful to show error messages and some context in the frontend. When using the Loki Operator, set it to the Loki HTTP query frontend service, for example https://loki-query-frontend-http.netobserv.svc:3100/. 
statusTLS
configuration is used when 
statusUrl
is set. 

tenantID
 

string
 

tenantID
is the Loki 
X-Scope-OrgID
that identifies the tenant for each request. When using the Loki Operator, set it to 
network
, which corresponds to a special tenant mode. 

tls
 

object

TLS client configuration for Loki URL.

17.1.57. .spec.loki.manual.statusTls
Link kopieren

Description
TLS client configuration for Loki status URL.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.58. .spec.loki.manual.statusTls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.59. .spec.loki.manual.statusTls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.60. .spec.loki.manual.tls
Link kopieren

Description
TLS client configuration for Loki URL.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.61. .spec.loki.manual.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.62. .spec.loki.manual.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.63. .spec.loki.microservices
Link kopieren

Description
Loki configuration for Microservices mode. Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). It is ignored for other modes.
Type
object
Expand
PropertyTypeDescription

ingesterUrl
 

string
 

ingesterUrl
is the address of an existing Loki ingester service to push the flows to. 

querierUrl
 

string
 

querierURL
specifies the address of the Loki querier service. 

tenantID
 

string
 

tenantID
is the Loki 
X-Scope-OrgID
header that identifies the tenant for each request. 

tls
 

object

TLS client configuration for Loki URL.

17.1.64. .spec.loki.microservices.tls
Link kopieren

Description
TLS client configuration for Loki URL.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.65. .spec.loki.microservices.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.66. .spec.loki.microservices.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.67. .spec.loki.monolithic
Link kopieren

Description
Loki configuration for Monolithic mode. Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). It is ignored for other modes.
Type
object
Expand
PropertyTypeDescription

installDemoLoki
 

boolean

Set 

installDemoLoki
to 
true
to automatically create Loki deployment, service and storage. This is useful for development and demo purposes. Do not use it in production. [Unsupported (*)]. 

tenantID
 

string
 

tenantID
is the Loki 
X-Scope-OrgID
header that identifies the tenant for each request. 

tls
 

object

TLS client configuration for Loki URL. 

url
 

string
 

url
is the unique address of an existing Loki service that points to both the ingester and the querier.

17.1.68. .spec.loki.monolithic.tls
Link kopieren

Description
TLS client configuration for Loki URL.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.69. .spec.loki.monolithic.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.70. .spec.loki.monolithic.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.71. .spec.networkPolicy
Link kopieren

Description
networkPolicy defines network policy settings for Network Observability components isolation.
Type
object
Expand
PropertyTypeDescription

additionalNamespaces
 

array (string)
 

additionalNamespaces
contains additional namespaces allowed to connect to the Network Observability namespace. It provides flexibility in the network policy configuration, but if you need a more specific configuration, you can disable it and install your own instead. 

enable
 

boolean

Deploys network policies on the namespaces used by Network Observability (main and privileged). These network policies better isolate the Network Observability components to prevent undesired connections from and to them. This option is enabled by default when using with OVNKubernetes, and disabled otherwise (it has not been tested with other CNIs). When disabled, you can manually create the network policies for the Network Observability components.

17.1.72. .spec.processor
Link kopieren

Description
processor defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
Type
object
Expand
PropertyTypeDescription

addZone
 

boolean
 

addZone
allows availability zone awareness by labeling flows with their source and destination zones. This feature requires the "topology.kubernetes.io/zone" label to be set on nodes. 

advanced
 

object
 

advanced
allows setting some aspects of the internal configuration of the flow processor. This section is aimed mostly for debugging and fine-grained performance optimizations, such as 
GOGC
and 
GOMAXPROCS
environment variables. Set these values at your own risk. 

clusterName
 

string
 

clusterName
is the name of the cluster to appear in the flows data. This is useful in a multi-cluster context. When using OpenShift Container Platform, leave empty to make it automatically determined. 

consumerReplicas
 

integer
 

consumerReplicas
defines the number of replicas (pods) to start for 
flowlogs-pipeline
, default is 3. This setting is ignored when 
spec.deploymentModel
is 
Direct
or when 
spec.processor.unmanagedReplicas
is 
true
. 

deduper
 

object
 

deduper
allows you to sample or drop flows identified as duplicates, in order to save on resource usage. 

filters
 

array
 

filters
lets you define custom filters to limit the amount of generated flows. These filters provide more flexibility than the eBPF Agent filters (in 
spec.agent.ebpf.flowFilter
), such as allowing to filter by Kubernetes namespace, but with a lesser improvement in performance. 

imagePullPolicy
 

string
 

imagePullPolicy
is the Kubernetes pull policy for the image defined above 

kafkaConsumerAutoscaler
 

object
 

kafkaConsumerAutoscaler
[deprecated (*)] is the spec of a horizontal pod autoscaler to set up for 
flowlogs-pipeline-transformer
, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Deprecation notice: managed autoscaler will be removed in a future version. You might configure instead an autoscaler of your choice, and set 
spec.processor.unmanagedReplicas
to 
true
. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2). 

kafkaConsumerBatchSize
 

integer
 

kafkaConsumerBatchSize
indicates to the broker the maximum batch size, in bytes, that the consumer accepts. Ignored when not using Kafka. Default: 10MB. 

kafkaConsumerQueueCapacity
 

integer
 

kafkaConsumerQueueCapacity
defines the capacity of the internal message queue used in the Kafka consumer client. Ignored when not using Kafka. 

kafkaConsumerReplicas
 

integer
 

kafkaConsumerReplicas
[deprecated (*)] defines the number of replicas (pods) to start for 
flowlogs-pipeline-transformer
, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Deprecation notice: use 
spec.processor.consumerReplicas
instead. 

logLevel
 

string
 

logLevel
of the processor runtime 

logTypes
 

string
 

logTypes
defines the desired record types to generate. Possible values are:

- 

Flows
to export regular network flows. This is the default.

- 

Conversations
to generate events for started conversations, ended conversations as well as periodic "tick" updates. Note that in this mode, Prometheus metrics are not accurate on long-standing conversations.

- 

EndedConversations
to generate only ended conversations events. Note that in this mode, Prometheus metrics are not accurate on long-standing conversations.

- 

All
to generate both network flows and all conversations events. It is not recommended due to the impact on resources footprint.

metrics
 

object
 

Metrics
define the processor configuration regarding metrics 

multiClusterDeployment
 

boolean

Set 

multiClusterDeployment
to 
true
to enable multi clusters feature. This adds 
clusterName
label to flows data 

resources
 

object
 

resources
are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 

slicesConfig
 

object

Global configuration managing FlowCollectorSlices custom resources. 

subnetLabels
 

object
 

subnetLabels
allows to define custom labels on subnets and IPs or to enable automatic labeling of recognized subnets in OpenShift Container Platform, which is used to identify cluster external traffic. When a subnet matches the source or destination IP of a flow, a corresponding field is added: 
SrcSubnetLabel
or 
DstSubnetLabel
. 

unmanagedReplicas
 

boolean

If 

unmanagedReplicas
is 
true
, the operator will not reconcile 
consumerReplicas
. This is useful when using a pod autoscaler.

17.1.73. .spec.processor.advanced
Link kopieren

Description
advanced allows setting some aspects of the internal configuration of the flow processor. This section is aimed mostly for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS environment variables. Set these values at your own risk.
Type
object
Expand
PropertyTypeDescription

conversationEndTimeout
 

string
 

conversationEndTimeout
is the time to wait after a network flow is received, to consider the conversation ended. This delay is ignored when a FIN packet is collected for TCP flows (see 
conversationTerminatingTimeout
instead). 

conversationHeartbeatInterval
 

string
 

conversationHeartbeatInterval
is the time to wait between "tick" events of a conversation 

conversationTerminatingTimeout
 

string
 

conversationTerminatingTimeout
is the time to wait from detected FIN flag to end a conversation. Only relevant for TCP flows. 

dropUnusedFields
 

boolean
 

dropUnusedFields
[deprecated (*)] this setting is not used anymore. 

enableKubeProbes
 

boolean
 

enableKubeProbes
is a flag to enable or disable Kubernetes liveness and readiness probes 

env
 

object (string)
 

env
allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as 
GOGC
and 
GOMAXPROCS
, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios. 

healthPort
 

integer
 

healthPort
is a collector HTTP port in the Pod that exposes the health check API 

port
 

integer

Port of the flow collector (host port). By convention, some values are forbidden. It must be greater than 1024 and different from 4500, 4789 and 6081. 

profilePort
 

integer
 

profilePort
allows setting up a Go pprof profiler listening to this port 

scheduling
 

object

scheduling controls how the pods are scheduled on nodes. 

secondaryNetworks
 

array

Defines secondary networks to be checked for resources identification. To guarantee a correct identification, indexed values must form an unique identifier across the cluster. If the same index is used by several resources, those resources might be incorrectly labeled.

17.1.74. .spec.processor.advanced.scheduling
Link kopieren

Description
scheduling controls how the pods are scheduled on nodes.
Type
object
Expand
PropertyTypeDescription

affinity
 

object

If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. 

nodeSelector
 

object (string)
 

nodeSelector
allows scheduling of pods only onto nodes that have each of the specified labels. For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/. 

priorityClassName
 

string

If specified, indicates the pod’s priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. If not specified, default priority is used, or zero if there is no default. 

tolerations
 

array
 

tolerations
is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

17.1.75. .spec.processor.advanced.scheduling.affinity
Link kopieren

Description
If specified, the pod’s scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
Type
object

17.1.76. .spec.processor.advanced.scheduling.tolerations
Link kopieren

Description
tolerations is a list of tolerations that allow the pod to schedule onto nodes with matching taints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
Type
array

17.1.77. .spec.processor.advanced.secondaryNetworks
Link kopieren

Description
Defines secondary networks to be checked for resources identification. To guarantee a correct identification, indexed values must form an unique identifier across the cluster. If the same index is used by several resources, those resources might be incorrectly labeled.
Type
array

17.1.78. .spec.processor.advanced.secondaryNetworks[]
Link kopieren

Description
Type
object
Required
  • index
     
  • name
Expand
PropertyTypeDescription

index
 

array (string)
 

index
is a list of fields to use for indexing the pods. They should form a unique Pod identifier across the cluster. Can be any of: 
MAC
, 
IP
, 
Interface
. Fields absent from the 'k8s.v1.cni.cncf.io/network-status' annotation must not be added to the index. 

name
 

string
 

name
should match the network name as visible in the pods annotation 'k8s.v1.cni.cncf.io/network-status'.

17.1.79. .spec.processor.deduper
Link kopieren

Description
deduper allows you to sample or drop flows identified as duplicates, in order to save on resource usage.
Type
object
Expand
PropertyTypeDescription

mode
 

string

Set the Processor de-duplication mode. It comes in addition to the Agent-based deduplication, since the Agent cannot de-duplicate same flows reported from different nodes.

- Use 

Drop
to drop every flow considered as duplicates, allowing saving more on resource usage but potentially losing some information such as the network interfaces used from peer, or network events.

- Use 

Sample
to randomly keep only one flow on 50, which is the default, among the ones considered as duplicates. This is a compromise between dropping every duplicate or keeping every duplicate. This sampling action comes in addition to the Agent-based sampling. If both Agent and Processor sampling values are 
50
, the combined sampling is 1:2500.

- Use 

Disabled
to turn off Processor-based de-duplication.

sampling
 

integer
 

sampling
is the sampling interval when deduper 
mode
is 
Sample
. For example, a value of 
50
means that 1 flow in 50 is sampled.

17.1.80. .spec.processor.filters
Link kopieren

Description
filters lets you define custom filters to limit the amount of generated flows. These filters provide more flexibility than the eBPF Agent filters (in spec.agent.ebpf.flowFilter), such as allowing to filter by Kubernetes namespace, but with a lesser improvement in performance.
Type
array

17.1.81. .spec.processor.filters[]
Link kopieren

Description
FLPFilterSet defines the desired configuration for FLP-based filtering satisfying all conditions.
Type
object
Expand
PropertyTypeDescription

outputTarget
 

string

If specified, these filters target a single output: 

Loki
, 
Metrics
or 
Exporters
. By default, all outputs are targeted. 

query
 

string

A query that selects the network flows to keep. More information about this query language in https://github.com/netobserv/flowlogs-pipeline/blob/main/docs/filtering.md. 

sampling
 

integer
 

sampling
is an optional sampling interval to apply to this filter. For example, a value of 
50
means that 1 matching flow in 50 is sampled.

17.1.82. .spec.processor.kafkaConsumerAutoscaler
Link kopieren

Description
kafkaConsumerAutoscaler [deprecated (*)] is the spec of a horizontal pod autoscaler to set up for flowlogs-pipeline-transformer, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Deprecation notice: managed autoscaler will be removed in a future version. You might configure instead an autoscaler of your choice, and set spec.processor.unmanagedReplicas to true. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
Type
object

17.1.83. .spec.processor.metrics
Link kopieren

Description
Metrics define the processor configuration regarding metrics
Type
object
Expand
PropertyTypeDescription

disableAlerts
 

array (string)
 

disableAlerts
is a list of alert groups that should be disabled from the default set of alerts. Possible values are: 
NetObservNoFlows
, 
NetObservLokiError
, 
PacketDropsByKernel
, 
PacketDropsByDevice
, 
IPsecErrors
, 
NetpolDenied
, 
LatencyHighTrend
, 
DNSErrors
, 
DNSNxDomain
, 
ExternalEgressHighTrend
, 
ExternalIngressHighTrend
, 
Ingress5xxErrors
, 
IngressHTTPLatencyTrend
. More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/HealthRules.md 

healthRules
 

array
 

healthRules
is a list of health rules to be created for Prometheus, organized by templates and variants. Each health rule can be configured to generate either alerts or recording rules based on the mode field. More information on health rules: https://github.com/netobserv/network-observability-operator/blob/main/docs/HealthRules.md 

includeList
 

array (string)
 

includeList
is a list of metric names to specify which ones to generate. The names correspond to the names in Prometheus without the prefix. For example, 
namespace_egress_packets_total
shows up as 
netobserv_namespace_egress_packets_total
in Prometheus. Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. Metrics enabled by default are: 
namespace_flows_total
, 
node_ingress_bytes_total
, 
node_egress_bytes_total
, 
workload_ingress_bytes_total
, 
workload_egress_bytes_total
, 
namespace_drop_packets_total
(when 
PacketDrop
feature is enabled), 
namespace_rtt_seconds
(when 
FlowRTT
feature is enabled), 
namespace_dns_latency_seconds
(when 
DNSTracking
feature is enabled), 
namespace_network_policy_events_total
(when 
NetworkEvents
feature is enabled). More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md 

server
 

object

Metrics server endpoint configuration for Prometheus scraper

17.1.84. .spec.processor.metrics.healthRules
Link kopieren

Description
healthRules is a list of health rules to be created for Prometheus, organized by templates and variants. Each health rule can be configured to generate either alerts or recording rules based on the mode field. More information on health rules: https://github.com/netobserv/network-observability-operator/blob/main/docs/HealthRules.md
Type
array

17.1.85. .spec.processor.metrics.healthRules[]
Link kopieren

Description
Type
object
Required
  • template
     
  • variants
Expand
PropertyTypeDescription

mode
 

string

Mode defines whether this health rule should be generated as an alert or a recording rule. Possible values are: 

Alert
(default), 
Recording
. Recording rules violations are visible in the Network Health dashboard without generating any Prometheus alert. This provides an alternative way of getting Health information for SRE and cluster admins who might find many new alerts burdensome. 

template
 

string

Health rule template name. Possible values are: 

PacketDropsByKernel
, 
PacketDropsByDevice
, 
IPsecErrors
, 
NetpolDenied
, 
LatencyHighTrend
, 
DNSErrors
, 
DNSNxDomain
, 
ExternalEgressHighTrend
, 
ExternalIngressHighTrend
, 
Ingress5xxErrors
, 
IngressHTTPLatencyTrend
. Note: 
NetObservNoFlows
and 
NetObservLokiError
are alert-only and cannot be used as health rules. More information on health rules: https://github.com/netobserv/network-observability-operator/blob/main/docs/HealthRules.md 

variants
 

array

A list of variants for this template

17.1.86. .spec.processor.metrics.healthRules[].variants
Link kopieren

Description
A list of variants for this template
Type
array

17.1.87. .spec.processor.metrics.healthRules[].variants[]
Link kopieren

Description
Type
object
Required
  • thresholds
Expand
PropertyTypeDescription

groupBy
 

string

Optional grouping criteria, possible values are: 

Node
, 
Namespace
, 
Workload
. 

lowVolumeThreshold
 

string

The low volume threshold allows to ignore metrics with a too low volume of traffic, in order to improve signal-to-noise. It is provided as an absolute rate (bytes per second or packets per second, depending on the context). When provided, it must be parsable as a float. 

mode
 

string

Mode overrides the health rule mode for this specific variant. If not specified, inherits from the parent health rule’s mode. Possible values are: 

Alert
, 
Recording
. 

thresholds
 

object

Thresholds of the health rule per severity. They are expressed as a percentage of errors above which the alert is triggered. They must be parsable as floats. Required for both alert and recording modes 

trendDuration
 

string

For trending health rules, the duration interval for baseline comparison. For example, "2h" means comparing against a 2-hours average. Defaults to 2h. 

trendOffset
 

string

For trending health rules, the time offset for baseline comparison. For example, "1d" means comparing against yesterday. Defaults to 1d.

17.1.88. .spec.processor.metrics.healthRules[].variants[].thresholds
Link kopieren

Description
Thresholds of the health rule per severity. They are expressed as a percentage of errors above which the alert is triggered. They must be parsable as floats. Required for both alert and recording modes
Type
object
Expand
PropertyTypeDescription

critical
 

string

Threshold for severity 

critical
. Leave empty to not generate a Critical alert. 

info
 

string

Threshold for severity 

info
. Leave empty to not generate an Info alert. 

warning
 

string

Threshold for severity 

warning
. Leave empty to not generate a Warning alert.

17.1.89. .spec.processor.metrics.server
Link kopieren

Description
Metrics server endpoint configuration for Prometheus scraper
Type
object
Expand
PropertyTypeDescription

port
 

integer

The metrics server HTTP port. 

tls
 

object

TLS configuration.

17.1.90. .spec.processor.metrics.server.tls
Link kopieren

Description
TLS configuration.
Type
object
Required
  • type
Expand
PropertyTypeDescription

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the provided certificate. If set to 
true
, the 
providedCaFile
field is ignored. 

provided
 

object

TLS configuration when 

type
is set to 
Provided
. 

providedCaFile
 

object

Reference to the CA file when 

type
is set to 
Provided
. 

type
 

string

Select the type of TLS configuration:

- 

Disabled
(default) to not configure TLS for the endpoint. - 
Provided
to manually provide cert file and a key file. [Unsupported (*)]. - 
Auto
to use OpenShift Container Platform auto generated certificate using annotations.

17.1.91. .spec.processor.metrics.server.tls.provided
Link kopieren

Description
TLS configuration when type is set to Provided.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.92. .spec.processor.metrics.server.tls.providedCaFile
Link kopieren

Description
Reference to the CA file when type is set to Provided.
Type
object
Expand
PropertyTypeDescription

file
 

string

File name within the config map or secret. 

name
 

string

Name of the config map or secret containing the file. 

namespace
 

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the file reference: 

configmap
or 
secret
.

17.1.93. .spec.processor.resources
Link kopieren

Description
resources are the compute resources required by this container. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Type
object
Expand
PropertyTypeDescription

limits
 

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 

requests
 

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

17.1.94. .spec.processor.slicesConfig
Link kopieren

Description
Global configuration managing FlowCollectorSlices custom resources.
Type
object
Required
  • enable
Expand
PropertyTypeDescription

collectionMode
 

string
 

collectionMode
determines how the FlowCollectorSlice custom resources impacts the flow collection process:

- When set to 

AlwaysCollect
, all flows are collected regardless of the presence of FlowCollectorSlice.

- When set to 

AllowList
, only the flows related to namespaces where a FlowCollectorSlice resource is present, or configured via the global 
namespacesAllowList
, are collected.

enable
 

boolean
 

enable
determines if the FlowCollectorSlice feature is enabled. If not, all resources of kind FlowCollectorSlice are simply ignored. 

namespacesAllowList
 

array (string)
 

namespacesAllowList
is a list of namespaces for which flows are always collected, regardless of the presence of FlowCollectorSlice in those namespaces. An entry enclosed by slashes, such as 
/openshift-.*/
, is matched as a regular expression. This setting is ignored if 
collectionMode
is different from 
AllowList
.

17.1.95. .spec.processor.subnetLabels
Link kopieren

Description
subnetLabels allows to define custom labels on subnets and IPs or to enable automatic labeling of recognized subnets in OpenShift Container Platform, which is used to identify cluster external traffic. When a subnet matches the source or destination IP of a flow, a corresponding field is added: SrcSubnetLabel or DstSubnetLabel.
Type
object
Expand
PropertyTypeDescription

customLabels
 

array
 

customLabels
allows you to customize subnets and IPs labeling, such as to identify cluster external workloads or web services. External subnets must be labeled with the prefix 
EXT:
, or not labeled at all, in order to work with default quick filters and some metrics examples provided.

If 

openShiftAutoDetect
is disabled or you are not using OpenShift Container Platform, it is recommended to manually configure labels for the cluster subnets, to distinguish internal traffic from external traffic.

If 

openShiftAutoDetect
is enabled, 
customLabels
overrides the detected subnets when they overlap.

openShiftAutoDetect
 

boolean
 

openShiftAutoDetect
allows, when set to 
true
, to detect automatically the machines, pods and services subnets based on the OpenShift Container Platform install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift Container Platform.

17.1.96. .spec.processor.subnetLabels.customLabels
Link kopieren

Description

customLabels
allows you to customize subnets and IPs labeling, such as to identify cluster external workloads or web services. External subnets must be labeled with the prefix 
EXT:
, or not labeled at all, in order to work with default quick filters and some metrics examples provided.

If 

openShiftAutoDetect
is disabled or you are not using OpenShift Container Platform, it is recommended to manually configure labels for the cluster subnets, to distinguish internal traffic from external traffic.

If 

openShiftAutoDetect
is enabled, 
customLabels
overrides the detected subnets when they overlap.

Type
array

17.1.97. .spec.processor.subnetLabels.customLabels[]
Link kopieren

Description
SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
Type
object
Required
  • cidrs
     
  • name
Expand
PropertyTypeDescription

cidrs
 

array (string)

List of CIDRs, such as 

["1.2.3.4/32"]
. 

name
 

string

Label name, used to flag matching flows. External subnets must be labeled with the prefix 

EXT:
, or not labeled at all, in order to work with default quick filters and some metrics examples provided.

17.1.98. .spec.prometheus
Link kopieren

Description
prometheus defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.
Type
object
Expand
PropertyTypeDescription

querier
 

object

Prometheus querying configuration, such as client settings, used in the Console plugin.

17.1.99. .spec.prometheus.querier
Link kopieren

Description
Prometheus querying configuration, such as client settings, used in the Console plugin.
Type
object
Required
  • mode
Expand
PropertyTypeDescription

enable
 

boolean

When 

enable
is 
true
, the Console plugin queries flow metrics from Prometheus instead of Loki whenever possible. It is enbaled by default: set it to 
false
to disable this feature. The Console plugin can use either Loki or Prometheus as a data source for metrics (see also 
spec.loki
), or both. Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, such as getting per-pod information or viewing raw flows. If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. If they are both disabled, the Console plugin is not deployed. 

manual
 

object

Prometheus configuration for 

Manual
mode. 

mode
 

string
 

mode
must be set according to the type of Prometheus installation that stores Network Observability metrics:

- Use 

Auto
to try configuring automatically. In OpenShift Container Platform, it uses the Thanos querier from OpenShift Container Platform Cluster Monitoring.

- Use 

Manual
for a manual setup.

timeout
 

string
 

timeout
is the read timeout for console plugin queries to Prometheus. A timeout of zero means no timeout.

17.1.100. .spec.prometheus.querier.manual
Link kopieren

Description
Prometheus configuration for Manual mode.
Type
object
Expand
PropertyTypeDescription

alertManager
 

object

AlertManager configuration. This is used in the console to query silenced alerts, for displaying health information. When used in OpenShift Container Platform it can be left empty to use the Console API instead. [Unsupported (*)]. 

forwardUserToken
 

boolean

Set 

true
to forward logged in user token in queries to Prometheus 

tls
 

object

TLS client configuration for Prometheus URL. 

url
 

string
 

url
is the address of an existing Prometheus service to use for querying metrics.

17.1.101. .spec.prometheus.querier.manual.alertManager
Link kopieren

Description
AlertManager configuration. This is used in the console to query silenced alerts, for displaying health information. When used in OpenShift Container Platform it can be left empty to use the Console API instead. [Unsupported (*)].
Type
object
Expand
PropertyTypeDescription

tls
 

object

TLS client configuration for Prometheus AlertManager URL. 

url
 

string
 

url
is the address of an existing Prometheus AlertManager service to use for querying alerts.

17.1.102. .spec.prometheus.querier.manual.alertManager.tls
Link kopieren

Description
TLS client configuration for Prometheus AlertManager URL.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.103. .spec.prometheus.querier.manual.alertManager.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.104. .spec.prometheus.querier.manual.alertManager.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.105. .spec.prometheus.querier.manual.tls
Link kopieren

Description
TLS client configuration for Prometheus URL.
Type
object
Expand
PropertyTypeDescription

caCert
 

object
 

caCert
defines the reference of the certificate for the Certificate Authority. 

enable
 

boolean

Enable TLS 

insecureSkipVerify
 

boolean
 

insecureSkipVerify
allows skipping client-side verification of the server certificate. If set to 
true
, the 
caCert
field is ignored. 

userCert
 

object
 

userCert
defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

17.1.106. .spec.prometheus.querier.manual.tls.caCert
Link kopieren

Description
caCert defines the reference of the certificate for the Certificate Authority.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

17.1.107. .spec.prometheus.querier.manual.tls.userCert
Link kopieren

Description
userCert defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
Type
object
Expand
PropertyTypeDescription

certFile
 

string
 

certFile
defines the path to the certificate file name within the config map or secret. 

certKey
 

string
 

certKey
defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary. 

name
 

string

Name of the config map or secret containing certificates. 

namespace
 

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 

type
 

string

Type for the certificate reference: 

configmap
or 
secret
.

Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben