Add controller to deploy netobserv network policy

netobserv · Jun 25, 2024 · bbc161d · bbc161d
1 parent bc0bcef
commit bbc161d
Show file tree

Hide file tree

Showing 18 changed files with 617 additions and 139 deletions.
diff --git a/apis/flowcollector/v1beta1/zz_generated.conversion.go b/apis/flowcollector/v1beta1/zz_generated.conversion.go
diff --git a/apis/flowcollector/v1beta2/flowcollector_types.go b/apis/flowcollector/v1beta2/flowcollector_types.go
@@ -84,6 +84,21 @@ type FlowCollectorSpec struct {
 	// +optional
 	// +k8s:conversion-gen=false
 	Exporters []*FlowCollectorExporter `json:"exporters"`
+
+	// `networkPolicy` define network policy settings for netobserv
+	// +k8s:conversion-gen=false
+	NetworkPolicy NetworkPolycy `json:"networkPolicy,omitempty"`
+}
+
+type NetworkPolycy struct {
+	// Set `deploy` to `false` to disable network policy deployment. It is enabled by default.
+	// +optional
+	Deploy *bool `json:"deploy,omitempty"`
+
+	// `additionalNamespaces` contains the interface names from where flows are collected. If empty, the agent
+	//+kubebuilder:default:={"openshift-console", "openshift-monitoring"}
+	//+optional
+	AdditionalNamespaces []string `json:"additionalNamespaces"`
 }
 
 type FlowCollectorAgentType string

diff --git a/apis/flowcollector/v1beta2/zz_generated.deepcopy.go b/apis/flowcollector/v1beta2/zz_generated.deepcopy.go
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -6382,6 +6382,23 @@ spec:
                 default: netobserv
                 description: Namespace where NetObserv pods are deployed.
                 type: string
+              networkPolicy:
+                description: '`networkPolicy` define network policy settings for netobserv'
+                properties:
+                  additionalNamespaces:
+                    default:
+                    - openshift-console
+                    - openshift-monitoring
+                    description: '`additionalNamespaces` contains the interface names
+                      from where flows are collected. If empty, the agent'
+                    items:
+                      type: string
+                    type: array
+                  deploy:
+                    description: Set `deploy` to `false` to disable network policy
+                      deployment. It is enabled by default.
+                    type: boolean
+                type: object
               processor:
                 description: |-
                   `processor` defines the settings of the component that receives the flows from the agent,

diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
@@ -465,7 +465,6 @@ spec:
       name: flowcollectors.flows.netobserv.io
       specDescriptors:
       - description: defines the desired type of deployment for flow processing.
-        displayName: Deployment model
         path: deploymentModel
       - description: for flows extraction.
         displayName: Agent configuration
@@ -485,25 +484,20 @@ spec:
         path: agent.ebpf.privileged
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - displayName: Cache active timeout
-        path: agent.ebpf.cacheActiveTimeout
+      - path: agent.ebpf.cacheActiveTimeout
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Cache max flows
-        path: agent.ebpf.cacheMaxFlows
+      - path: agent.ebpf.cacheMaxFlows
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Kafka batch size
-        path: agent.ebpf.kafkaBatchSize
+      - path: agent.ebpf.kafkaBatchSize
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:deploymentModel:Kafka
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Log level
-        path: agent.ebpf.logLevel
+      - path: agent.ebpf.logLevel
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Image pull policy
-        path: agent.ebpf.imagePullPolicy
+      - path: agent.ebpf.imagePullPolicy
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -553,8 +547,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - displayName: Cluster name
-        path: processor.clusterName
+      - path: processor.clusterName
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:processor.multiClusterDeployment:true
@@ -583,8 +576,7 @@ spec:
         path: processor.metrics.server.tls.providedCaFile
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:processor.metrics.server.tls.type:Provided
-      - displayName: Kafka consumer replicas
-        path: processor.kafkaConsumerReplicas
+      - path: processor.kafkaConsumerReplicas
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:deploymentModel:Kafka
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -593,22 +585,18 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:deploymentModel:Kafka
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Kafka consumer queue capacity
-        path: processor.kafkaConsumerQueueCapacity
+      - path: processor.kafkaConsumerQueueCapacity
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:deploymentModel:Kafka
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Kafka consumer batch size
-        path: processor.kafkaConsumerBatchSize
+      - path: processor.kafkaConsumerBatchSize
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:deploymentModel:Kafka
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Log level
-        path: processor.logLevel
+      - path: processor.logLevel
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Image pull policy
-        path: processor.imagePullPolicy
+      - path: processor.imagePullPolicy
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -619,42 +607,33 @@ spec:
       - description: for the flow store.
         displayName: Loki client settings
         path: loki
-      - displayName: Enable
-        path: loki.enable
+      - path: loki.enable
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - displayName: Mode
-        path: loki.mode
+      - path: loki.mode
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.enable:true
-      - displayName: Loki stack
-        path: loki.lokiStack
+      - path: loki.lokiStack
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.mode:LokiStack
-      - displayName: Monolithic
-        path: loki.monolithic
+      - path: loki.monolithic
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.mode:Monolithic
-      - displayName: Microservices
-        path: loki.microservices
+      - path: loki.microservices
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.mode:Microservices
-      - displayName: Manual
-        path: loki.manual
+      - path: loki.manual
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.mode:Manual
-      - displayName: Write batch wait
-        path: loki.writeBatchWait
+      - path: loki.writeBatchWait
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.enable:true
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Write batch size
-        path: loki.writeBatchSize
+      - path: loki.writeBatchSize
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.enable:true
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Write timeout
-        path: loki.writeTimeout
+      - path: loki.writeTimeout
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.enable:true
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -666,20 +645,16 @@ spec:
         path: consolePlugin
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:loki.enable:true
-      - displayName: Enable
-        path: consolePlugin.enable
+      - path: consolePlugin.enable
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - displayName: Port naming
-        path: consolePlugin.portNaming
+      - path: consolePlugin.portNaming
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:consolePlugin.enable:true
-      - displayName: Quick filters
-        path: consolePlugin.quickFilters
+      - path: consolePlugin.quickFilters
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:consolePlugin.enable:true
-      - displayName: Replicas
-        path: consolePlugin.replicas
+      - path: consolePlugin.replicas
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:consolePlugin.enable:true
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -688,13 +663,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:consolePlugin.enable:true
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Log level
-        path: consolePlugin.logLevel
+      - path: consolePlugin.logLevel
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:consolePlugin.enable:true
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - displayName: Image pull policy
-        path: consolePlugin.imagePullPolicy
+      - path: consolePlugin.imagePullPolicy
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy"
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:consolePlugin.enable:true
@@ -708,7 +681,6 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
       - description: additional optional exporters for custom consumption or storage.
-        displayName: Exporters
         path: exporters
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -722,90 +694,6 @@ spec:
         path: exporters[0].kafka
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:exporters.type:Kafka
-      - displayName: Exclude interfaces
-        path: agent.ebpf.excludeInterfaces
-      - displayName: Features
-        path: agent.ebpf.features
-      - displayName: Interfaces
-        path: agent.ebpf.interfaces
-      - displayName: Metrics
-        path: agent.ebpf.metrics
-      - displayName: Disable alerts
-        path: agent.ebpf.metrics.disableAlerts
-      - displayName: Enable
-        path: agent.ebpf.metrics.enable
-      - displayName: Server
-        path: agent.ebpf.metrics.server
-      - displayName: Port
-        path: agent.ebpf.metrics.server.port
-      - displayName: Sampling
-        path: agent.ebpf.sampling
-      - displayName: Enable
-        path: consolePlugin.portNaming.enable
-      - displayName: Port names
-        path: consolePlugin.portNaming.portNames
-      - displayName: Address
-        path: kafka.address
-      - displayName: Topic
-        path: kafka.topic
-      - displayName: Name
-        path: loki.lokiStack.name
-      - displayName: Namespace
-        path: loki.lokiStack.namespace
-      - displayName: Auth token
-        path: loki.manual.authToken
-      - displayName: Ingester url
-        path: loki.manual.ingesterUrl
-      - displayName: Querier url
-        path: loki.manual.querierUrl
-      - displayName: Status url
-        path: loki.manual.statusUrl
-      - displayName: TenantID
-        path: loki.manual.tenantID
-      - displayName: Ingester url
-        path: loki.microservices.ingesterUrl
-      - displayName: Querier url
-        path: loki.microservices.querierUrl
-      - displayName: TenantID
-        path: loki.microservices.tenantID
-      - displayName: TenantID
-        path: loki.monolithic.tenantID
-      - displayName: Url
-        path: loki.monolithic.url
-      - displayName: Read timeout
-        path: loki.readTimeout
-      - displayName: Namespace
-        path: namespace
-      - displayName: Log types
-        path: processor.logTypes
-      - displayName: Disable alerts
-        path: processor.metrics.disableAlerts
-      - displayName: Include list
-        path: processor.metrics.includeList
-      - displayName: Port
-        path: processor.metrics.server.port
-      - displayName: Subnet labels
-        path: processor.subnetLabels
-      - displayName: Custom labels
-        path: processor.subnetLabels.customLabels
-      - displayName: Open shift auto detect
-        path: processor.subnetLabels.openShiftAutoDetect
-      - displayName: Prometheus
-        path: prometheus
-      - displayName: Querier
-        path: prometheus.querier
-      - displayName: Enable
-        path: prometheus.querier.enable
-      - displayName: Manual
-        path: prometheus.querier.manual
-      - displayName: Forward user token
-        path: prometheus.querier.manual.forwardUserToken
-      - displayName: Url
-        path: prometheus.querier.manual.url
-      - displayName: Mode
-        path: prometheus.querier.mode
-      - displayName: Timeout
-        path: prometheus.querier.timeout
       statusDescriptors:
       - description: Namespace where console plugin and flowlogs-pipeline have been
           deployed.
@@ -1070,6 +958,16 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - networking.k8s.io
+          resources:
+          - networkpolicies
+          verbs:
+          - create
+          - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - operator.openshift.io
           resources: