NETOBSERV-1426: detect external workloads / openshift subnets (#559)

Configure columns & filters for subnet labels

Fix reading machine network

Document overlaps between customLabels and autoDetect

Rebased & address feedback

- rebased / bump FLP
- read external ips config
- read from config.Network rather than operator.Network, as it's
  considered the best source of truth

apis/flowcollector/v1beta1/flowcollector_types.go

@@ -505,6 +505,10 @@ type FlowCollectorFLP struct {
 	// This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.
 	AddZone *bool `json:"addZone,omitempty"`
 
+	//+optional
+	// `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.
+	SubnetLabels SubnetLabels `json:"subnetLabels,omitempty"`
+
 	// `debug` allows setting some aspects of the internal configuration of the flow processor.
 	// This section is aimed exclusively for debugging and fine-grained performance optimizations,
 	// such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
@@ -844,6 +848,29 @@ type DebugConfig struct {
 	Env map[string]string `json:"env,omitempty"`
 }
 
+// `SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.
+type SubnetLabels struct {
+	// `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the
+	// OpenShift install configuration and the Cluster Network Operator configuration.
+	//+optional
+	OpenShiftAutoDetect *bool `json:"openShiftAutoDetect,omitempty"`
+
+	// `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+	// If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+	//+optional
+	CustomLabels []SubnetLabel `json:"customLabels,omitempty"`
+}
+
+// SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+type SubnetLabel struct {
+	// List of CIDRs, such as `["1.2.3.4/32"]`.
+	//+required
+	CIDRs []string `json:"cidrs,omitempty"` // Note, starting with k8s 1.31 / ocp 4.16 there's a new way to validate CIDR such as `+kubebuilder:validation:XValidation:rule="isCIDR(self)",message="field should be in CIDR notation format"`. But older versions would reject the CRD so we cannot implement it now to maintain compatibility.
+	// Label name, used to flag matching flows.
+	//+required
+	Name string `json:"name,omitempty"`
+}
+
 // Add more exporter types below
 type ExporterType string
 

apis/flowcollector/v1beta2/flowcollector_types.go

@@ -462,6 +462,10 @@ type FlowCollectorFLP struct {
 	// This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.
 	AddZone *bool `json:"addZone,omitempty"`
 
+	//+optional
+	// `SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.
+	SubnetLabels SubnetLabels `json:"subnetLabels,omitempty"`
+
 	// `advanced` allows setting some aspects of the internal configuration of the flow processor.
 	// This section is aimed mostly for debugging and fine-grained performance optimizations,
 	// such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
@@ -1055,6 +1059,29 @@ type AdvancedPluginConfig struct {
 	PriorityClassName string `json:"priorityClassName,omitempty"`
 }
 
+// `SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.
+type SubnetLabels struct {
+	// `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the
+	// OpenShift install configuration and the Cluster Network Operator configuration.
+	//+optional
+	OpenShiftAutoDetect *bool `json:"openShiftAutoDetect,omitempty"`
+
+	// `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+	// If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+	//+optional
+	CustomLabels []SubnetLabel `json:"customLabels,omitempty"`
+}
+
+// SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+type SubnetLabel struct {
+	// List of CIDRs, such as `["1.2.3.4/32"]`.
+	//+required
+	CIDRs []string `json:"cidrs,omitempty"` // Note, starting with k8s 1.31 / ocp 4.16 there's a new way to validate CIDR such as `+kubebuilder:validation:XValidation:rule="isCIDR(self)",message="field should be in CIDR notation format"`. But older versions would reject the CRD so we cannot implement it now to maintain compatibility.
+	// Label name, used to flag matching flows.
+	//+required
+	Name string `json:"name,omitempty"`
+}
+
 // Add more exporter types below
 type ExporterType string
 

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -2272,6 +2272,38 @@ spec:
                           Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                         type: object
                     type: object
+                  subnetLabels:
+                    description: '`subnetLabels` allows to define custom labels on
+                      subnets and IPs or to enable automatic labelling of recognized
+                      subnets in OpenShift.'
+                    properties:
+                      customLabels:
+                        description: '`customLabels` allows to customize subnets and
+                          IPs labelling, such as to identify cluster-external workloads
+                          or web services. If you enable `openShiftAutoDetect`, `customLabels`
+                          can override the detected subnets in case they overlap.'
+                        items:
+                          description: SubnetLabel allows to label subnets and IPs,
+                            such as to identify cluster-external workloads or web
+                            services.
+                          properties:
+                            cidrs:
+                              description: List of CIDRs, such as `["1.2.3.4/32"]`.
+                              items:
+                                type: string
+                              type: array
+                            name:
+                              description: Label name, used to flag matching flows.
+                              type: string
+                          type: object
+                        type: array
+                      openShiftAutoDetect:
+                        description: '`openShiftAutoDetect` allows, when set to `true`,
+                          to detect automatically the machines, pods and services
+                          subnets based on the OpenShift install configuration and
+                          the Cluster Network Operator configuration.'
+                        type: boolean
+                    type: object
                 type: object
             type: object
           status:
@@ -6104,6 +6136,38 @@ spec:
                           Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                         type: object
                     type: object
+                  subnetLabels:
+                    description: '`SubnetLabels` allows to define custom labels on
+                      subnets and IPs or to enable automatic labelling of recognized
+                      subnets in OpenShift.'
+                    properties:
+                      customLabels:
+                        description: '`customLabels` allows to customize subnets and
+                          IPs labelling, such as to identify cluster-external workloads
+                          or web services. If you enable `openShiftAutoDetect`, `customLabels`
+                          can override the detected subnets in case they overlap.'
+                        items:
+                          description: SubnetLabel allows to label subnets and IPs,
+                            such as to identify cluster-external workloads or web
+                            services.
+                          properties:
+                            cidrs:
+                              description: List of CIDRs, such as `["1.2.3.4/32"]`.
+                              items:
+                                type: string
+                              type: array
+                            name:
+                              description: Label name, used to flag matching flows.
+                              type: string
+                          type: object
+                        type: array
+                      openShiftAutoDetect:
+                        description: '`openShiftAutoDetect` allows, when set to `true`,
+                          to detect automatically the machines, pods and services
+                          subnets based on the OpenShift install configuration and
+                          the Cluster Network Operator configuration.'
+                        type: boolean
+                    type: object
                 type: object
             type: object
           status:

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -752,6 +752,12 @@ spec:
         path: processor.metrics.includeList
       - displayName: Port
         path: processor.metrics.server.port
+      - displayName: Subnet labels
+        path: processor.subnetLabels
+      - displayName: Custom labels
+        path: processor.subnetLabels.customLabels
+      - displayName: Open shift auto detect
+        path: processor.subnetLabels.openShiftAutoDetect
       statusDescriptors:
       - description: Namespace where console plugin and flowlogs-pipeline have been
           deployed.
@@ -904,6 +910,7 @@ spec:
           - config.openshift.io
           resources:
           - clusterversions
+          - networks
           verbs:
           - get
           - list