Chapter 9. FlowCollector configuration parameters

agent

object

Agent configuration for flows extraction.

consolePlugin

object

consolePlugin defines the settings related to the OpenShift Container Platform Console plugin, when available.

deploymentModel

string

deploymentModel defines the desired type of deployment for flow processing. Possible values are:
- DIRECT (default) to make the flow processor listening directly from the agents.
- KAFKA to make flows sent to a Kafka pipeline before consumption by the processor.
Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).

exporters

array

exporters define additional optional exporters for custom consumption or storage.

kafka

object

Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the spec.deploymentModel is KAFKA.

loki

object

Loki, the flow store, client settings.

namespace

string

Namespace where Network Observability pods are deployed.

processor

object

processor defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.

ebpf

object

ebpf describes the settings related to the eBPF-based flow reporter when spec.agent.type is set to EBPF.

ipfix

object

ipfix [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when spec.agent.type is set to IPFIX.

type

string

type selects the flows tracing agent. Possible values are:
- EBPF (default) to use Network Observability eBPF agent.
- IPFIX [deprecated (*)] - to use the legacy IPFIX collector.
EBPF is recommended as it offers better performances and should work regardless of the CNI installed on the cluster. IPFIX works with OVN-Kubernetes CNI (other CNIs could work if they support exporting IPFIX, but they would require manual configuration).

cacheActiveTimeout

string

cacheActiveTimeout is the max period during which the reporter aggregates flows before sending. Increasing cacheMaxFlows and cacheActiveTimeout can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection.

cacheMaxFlows

integer

cacheMaxFlows is the max number of flows in an aggregate; when reached, the reporter sends the flows. Increasing cacheMaxFlows and cacheActiveTimeout can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection.

debug

object

debug allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed exclusively for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS env vars. Users setting its values do it at their own risk.

excludeInterfaces

array (string)

excludeInterfaces contains the interface names that are excluded from flow tracing. An entry is enclosed by slashes, such as /br-/ and is matched as a regular expression. Otherwise it is matched as a case-sensitive string.

features

array (string)

List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
- PacketDrop: enable the packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged parameter is not set, an error is reported.
- DNSTracking: enable the DNS tracking feature. This feature requires mounting the kernel debug filesystem hence the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged parameter is not set, an error is reported.
- FlowRTT [unsupported (*)]: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with sampling set to 1.

imagePullPolicy

string

imagePullPolicy is the Kubernetes pull policy for the image defined above

interfaces

array (string)

interfaces contains the interface names from where flows are collected. If empty, the agent fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces. An entry is enclosed by slashes, such as /br-/, is matched as a regular expression. Otherwise it is matched as a case-sensitive string.

kafkaBatchSize

integer

kafkaBatchSize limits the maximum size of a request in bytes before being sent to a partition. Ignored when not using Kafka. Default: 10MB.

logLevel

string

logLevel defines the log level for the Network Observability eBPF Agent

privileged

boolean

Privileged mode for the eBPF Agent container. In general this setting can be ignored or set to false: in that case, the operator sets granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container, to enable its correct operation. If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF is in use, then you can turn on this mode for more global privileges.

resources

object

resources are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

sampling

integer

Sampling rate of the flow reporter. 100 means one flow on 100 is sent. 0 or 1 means all flows are sampled.

env

object (string)

env allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as GOGC and GOMAXPROCS, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

cacheActiveTimeout

string

cacheActiveTimeout is the max period during which the reporter aggregates flows before sending.

cacheMaxFlows

integer

cacheMaxFlows is the max number of flows in an aggregate; when reached, the reporter sends the flows.

clusterNetworkOperator

object

clusterNetworkOperator defines the settings related to the OpenShift Container Platform Cluster Network Operator, when available.

forceSampleAll

boolean

forceSampleAll allows disabling sampling in the IPFIX-based flow reporter. It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability. If you REALLY want to do that, set this flag to true. Use at your own risk. When it is set to true, the value of sampling is ignored.

ovnKubernetes

object

ovnKubernetes defines the settings of the OVN-Kubernetes CNI, when available. This configuration is used when using OVN’s IPFIX exports, without OpenShift Container Platform. When using OpenShift Container Platform, refer to the clusterNetworkOperator property instead.

sampling

integer

sampling is the sampling rate on the reporter. 100 means one flow on 100 is sent. To ensure cluster stability, it is not possible to set a value below 2. If you really want to sample every packet, which might impact the cluster stability, refer to forceSampleAll. Alternatively, you can use the eBPF Agent instead of IPFIX.

namespace

string

Namespace where the config map is going to be deployed.

containerName

string

containerName defines the name of the container to configure for IPFIX.

daemonSetName

string

daemonSetName defines the name of the DaemonSet controlling the OVN-Kubernetes pods.

namespace

string

Namespace where OVN-Kubernetes pods are deployed.

autoscaler

object

autoscaler spec of a horizontal pod autoscaler to set up for the plugin Deployment. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

enable

boolean

enable the console plugin deployment. spec.Loki.enable must also be true

imagePullPolicy

string

imagePullPolicy is the Kubernetes pull policy for the image defined above

logLevel

string

logLevel for the console plugin backend

port

integer

port is the plugin service port. Do not use 9002, which is reserved for metrics.

portNaming

object

portNaming defines the configuration of the port-to-service name translation

quickFilters

array

quickFilters configures quick filter presets for the Console plugin

register

boolean

register allows, when set to true, to automatically register the provided console plugin with the OpenShift Container Platform Console operator. When set to false, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'

replicas

integer

replicas defines the number of replicas (pods) to start.

resources

object

resources, in terms of compute resources, required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

enable

boolean

Enable the console plugin port-to-service name translation

portNames

object (string)

portNames defines additional port names to use in the console, for example, portNames: {"3100": "loki"}.

default

boolean

default defines whether this filter should be active by default or not

filter

object (string)

filter is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, for example, filter: {"src_namespace": "namespace1,namespace2"}.

name

string

Name of the filter, that is displayed in the Console

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

ipfix

object

IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to.

kafka

object

Kafka configuration, such as the address and topic, to send enriched flows to.

type

string

type selects the type of exporters. The available options are KAFKA and IPFIX.

targetHost

string

Address of the IPFIX external receiver

targetPort

integer

Port for the IPFIX external receiver

transport

string

Transport protocol (TCP or UDP) to be used for the IPFIX connection, defaults to TCP.

address

string

Address of the Kafka server

sasl

object

SASL authentication configuration. [Unsupported (*)].

tls

object

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

topic

string

Kafka topic to use. It must exist. Network Observability does not create it.

clientIDReference

object

Reference to the secret or config map containing the client ID

clientSecretReference

object

Reference to the secret or config map containing the client secret

type

string

Type of SASL authentication to use, or DISABLED if SASL is not used

file

string

File name within the config map or secret

name

string

Name of the config map or secret containing the file

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: "configmap" or "secret"

file

string

File name within the config map or secret

name

string

Name of the config map or secret containing the file

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: "configmap" or "secret"

caCert

object

caCert defines the reference of the certificate for the Certificate Authority

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

address

string

Address of the Kafka server

sasl

object

SASL authentication configuration. [Unsupported (*)].

tls

object

TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

topic

string

Kafka topic to use. It must exist, Network Observability does not create it.

clientIDReference

object

Reference to the secret or config map containing the client ID

clientSecretReference

object

Reference to the secret or config map containing the client secret

type

string

Type of SASL authentication to use, or DISABLED if SASL is not used

file

string

File name within the config map or secret

name

string

Name of the config map or secret containing the file

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: "configmap" or "secret"

file

string

File name within the config map or secret

name

string

Name of the config map or secret containing the file

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: "configmap" or "secret"

caCert

object

caCert defines the reference of the certificate for the Certificate Authority

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

authToken

string

authToken describes the way to get a token to authenticate to Loki.
- DISABLED does not send any token with the request.
- FORWARD forwards the user token for authorization.
- HOST [deprecated (*)] - uses the local pod service account to authenticate to Loki.
When using the Loki Operator, this must be set to FORWARD.

batchSize

integer

batchSize is the maximum batch size (in bytes) of logs to accumulate before sending.

batchWait

string

batchWait is the maximum time to wait before sending a batch.

enable

boolean

Set to enable to store flows to Loki. It is required for the OpenShift Container Platform Console plugin installation.

maxBackoff

string

maxBackoff is the maximum backoff time for client connection between retries.

maxRetries

integer

maxRetries is the maximum number of retries for client connections.

minBackoff

string

minBackoff is the initial backoff time for client connection between retries.

querierUrl

string

querierURL specifies the address of the Loki querier service, in case it is different from the Loki ingester URL. If empty, the URL value is used (assuming that the Loki ingester and querier are in the same server). When using the Loki Operator, do not set it, since ingestion and queries use the Loki gateway.

staticLabels

object (string)

staticLabels is a map of common labels to set on each flow.

statusTls

object

TLS client configuration for Loki status URL.

statusUrl

string

statusURL specifies the address of the Loki /ready, /metrics and /config endpoints, in case it is different from the Loki querier URL. If empty, the querierURL value is used. This is useful to show error messages and some context in the frontend. When using the Loki Operator, set it to the Loki HTTP query frontend service, for example https://loki-query-frontend-http.netobserv.svc:3100/. statusTLS configuration is used when statusUrl is set.

tenantID

string

tenantID is the Loki X-Scope-OrgID that identifies the tenant for each request. When using the Loki Operator, set it to network, which corresponds to a special tenant mode.

timeout

string

timeout is the maximum time connection / request limit. A timeout of zero means no timeout.

tls

object

TLS client configuration for Loki URL.

url

string

url is the address of an existing Loki service to push the flows to. When using the Loki Operator, set it to the Loki gateway service with the network tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.

caCert

object

caCert defines the reference of the certificate for the Certificate Authority

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

caCert

object

caCert defines the reference of the certificate for the Certificate Authority

enable

boolean

Enable TLS

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the server certificate. If set to true, the caCert field is ignored.

userCert

object

userCert defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

clusterName

string

clusterName is the name of the cluster to appear in the flows data. This is useful in a multi-cluster context. When using OpenShift Container Platform, leave empty to make it automatically determined.

conversationEndTimeout

string

conversationEndTimeout is the time to wait after a network flow is received, to consider the conversation ended. This delay is ignored when a FIN packet is collected for TCP flows (see conversationTerminatingTimeout instead).

conversationHeartbeatInterval

string

conversationHeartbeatInterval is the time to wait between "tick" events of a conversation

conversationTerminatingTimeout

string

conversationTerminatingTimeout is the time to wait from detected FIN flag to end a conversation. Only relevant for TCP flows.

debug

object

debug allows setting some aspects of the internal configuration of the flow processor. This section is aimed exclusively for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS env vars. Users setting its values do it at their own risk.

dropUnusedFields

boolean

dropUnusedFields allows, when set to true, to drop fields that are known to be unused by OVS, to save storage space.

enableKubeProbes

boolean

enableKubeProbes is a flag to enable or disable Kubernetes liveness and readiness probes

healthPort

integer

healthPort is a collector HTTP port in the Pod that exposes the health check API

imagePullPolicy

string

imagePullPolicy is the Kubernetes pull policy for the image defined above

kafkaConsumerAutoscaler

object

kafkaConsumerAutoscaler is the spec of a horizontal pod autoscaler to set up for flowlogs-pipeline-transformer, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

kafkaConsumerBatchSize

integer

kafkaConsumerBatchSize indicates to the broker the maximum batch size, in bytes, that the consumer accepts. Ignored when not using Kafka. Default: 10MB.

kafkaConsumerQueueCapacity

integer

kafkaConsumerQueueCapacity defines the capacity of the internal message queue used in the Kafka consumer client. Ignored when not using Kafka.

kafkaConsumerReplicas

integer

kafkaConsumerReplicas defines the number of replicas (pods) to start for flowlogs-pipeline-transformer, which consumes Kafka messages. This setting is ignored when Kafka is disabled.

logLevel

string

logLevel of the processor runtime

logTypes

string

logTypes defines the desired record types to generate. Possible values are:
- FLOWS (default) to export regular network flows
- CONVERSATIONS to generate events for started conversations, ended conversations as well as periodic "tick" updates
- ENDED_CONVERSATIONS to generate only ended conversations events
- ALL to generate both network flows and all conversations events

metrics

object

Metrics define the processor configuration regarding metrics

port

integer

Port of the flow collector (host port). By convention, some values are forbidden. It must be greater than 1024 and different from 4500, 4789 and 6081.

profilePort

integer

profilePort allows setting up a Go pprof profiler listening to this port

resources

object

resources are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

env

object (string)

env allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as GOGC and GOMAXPROCS, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.

disableAlerts

array (string)

disableAlerts is a list of alerts that should be disabled. Possible values are:
NetObservNoFlows, which is triggered when no flows are being observed for a certain period.
NetObservLokiError, which is triggered when flows are being dropped due to Loki errors.

ignoreTags

array (string)

ignoreTags is a list of tags to specify which metrics to ignore. Each metric is associated with a list of tags. More details in https://github.com/netobserv/network-observability-operator/tree/main/controllers/flowlogspipeline/metrics_definitions . Available tags are: egress, ingress, flows, bytes, packets, namespaces, nodes, workloads, nodes-flows, namespaces-flows, workloads-flows. Namespace-based metrics are covered by both workloads and namespaces tags, hence it is recommended to always ignore one of them (workloads offering a finer granularity).

server

object

Metrics server endpoint configuration for Prometheus scraper

port

integer

The prometheus HTTP port

tls

object

TLS configuration.

insecureSkipVerify

boolean

insecureSkipVerify allows skipping client-side verification of the provided certificate. If set to true, the providedCaFile field is ignored.

provided

object

TLS configuration when type is set to PROVIDED.

providedCaFile

object

Reference to the CA file when type is set to PROVIDED.

type

string

Select the type of TLS configuration:
- DISABLED (default) to not configure TLS for the endpoint. - PROVIDED to manually provide cert file and a key file. - AUTO to use OpenShift Container Platform auto generated certificate using annotations.

certFile

string

certFile defines the path to the certificate file name within the config map or secret

certKey

string

certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

name

string

Name of the config map or secret containing certificates

namespace

string

Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the certificate reference: configmap or secret

file

string

File name within the config map or secret

name

string

Name of the config map or secret containing the file

namespace

string

Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

type

string

Type for the file reference: "configmap" or "secret"

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/