NETOBSERV-1110: Enable support for Flow RTT

api/v1alpha1/flowcollector_webhook.go

@@ -63,12 +63,9 @@ func (r *FlowCollector) ConvertTo(dstRaw conversion.Hub) error {
 	}
 
 	dst.Spec.Loki.Enable = restored.Spec.Loki.Enable
-	if restored.Spec.Agent.EBPF.EnablePktDrop != nil {
-		*dst.Spec.Agent.EBPF.EnablePktDrop = *restored.Spec.Agent.EBPF.EnablePktDrop
-	}
 
-	if restored.Spec.Agent.EBPF.EnableDNSTracking != nil {
-		*dst.Spec.Agent.EBPF.EnableDNSTracking = *restored.Spec.Agent.EBPF.EnableDNSTracking
+	if restored.Spec.Agent.EBPF.Features != nil {
+		dst.Spec.Agent.EBPF.Features = restored.Spec.Agent.EBPF.Features
 	}
 
 	dst.Spec.Loki.StatusTLS = restored.Spec.Loki.StatusTLS

api/v1beta1/flowcollector_types.go

@@ -146,6 +146,19 @@ type FlowCollectorIPFIX struct {
 	OVNKubernetes OVNKubernetesConfig `json:"ovnKubernetes,omitempty" mapstructure:"-"`
 }
 
+// Agent feature, can be one of:<br>
+// - `PKT_DROP`, to track packet drops.<br>
+// - `DNS_TRACKING`, to track specific information on DNS traffic.<br>
+// - `FLOW_RTT`, to track L4 latency. <i>Unsupported (*)</i><br>
+// +kubebuilder:validation:Enum:="PKT_DROP";"DNS_TRACKING";"FLOW_RTT"
+type AgentFeature string
+
+const (
+	PktDrop     AgentFeature = "PKT_DROP"
+	DNSTracking AgentFeature = "DNS_TRACKING"
+	FlowRTT     AgentFeature = "FLOW_RTT"
+)
+
 // `FlowCollectorEBPF` defines a FlowCollector that uses eBPF to collect the flows information
 type FlowCollectorEBPF struct {
 	// Important: Run "make generate" to regenerate code after modifying this file
@@ -219,19 +232,17 @@ type FlowCollectorEBPF struct {
 	// +optional
 	Debug DebugConfig `json:"debug,omitempty"`
 
-	// Enable the Packets drop flows logging feature. This feature requires mounting
+	// List of additional features to enable. They are all disabled by default. Enabling additional features may have performance impacts. Possible values are:<br>
+	// - `PKT_DROP`: enable the packets drop flows logging feature. This feature requires mounting
 	// the kernel debug filesystem, so the eBPF pod has to run as privileged.
-	// If the spec.agent.eBPF.privileged parameter is not set, an error is reported.
-	//+kubebuilder:default:=false
-	//+optional
-	EnablePktDrop *bool `json:"enablePktDrop,omitempty"`
-
-	// Enable the DNS tracking feature. This feature requires mounting
+	// If the `spec.agent.eBPF.privileged` parameter is not set, an error is reported.<br>
+	// - `DNS_TRACKING`: enable the DNS tracking feature. This feature requires mounting
 	// the kernel debug filesystem hence the eBPF pod has to run as privileged.
-	// If the spec.agent.eBPF.privileged parameter is not set, an error is reported.
-	//+kubebuilder:default:=false
-	//+optional
-	EnableDNSTracking *bool `json:"enableDNSTracking,omitempty"`
+	// If the `spec.agent.eBPF.privileged` parameter is not set, an error is reported.<br>
+	// - `FLOW_RTT` <i>Unsupported (*)</i>: allows enabling flow latency (RTT) calculations in the eBPF agent during TCP handshakes.
+	// This feature needs both INGRESS and EGRESS direction flow capture and will be disabled if they are not both enabled.<br>
+	// +optional
+	Features []AgentFeature `json:"features,omitempty"`
 }
 
 // `FlowCollectorKafka` defines the desired Kafka config of FlowCollector

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -2300,20 +2300,6 @@ spec:
                               they are only useful in edge debug or support scenarios.'
                             type: object
                         type: object
-                      enableDNSTracking:
-                        default: false
-                        description: Enable the DNS tracking feature. This feature
-                          requires mounting the kernel debug filesystem hence the
-                          eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
-                          parameter is not set, an error is reported.
-                        type: boolean
-                      enablePktDrop:
-                        default: false
-                        description: Enable the Packets drop flows logging feature.
-                          This feature requires mounting the kernel debug filesystem,
-                          so the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
-                          parameter is not set, an error is reported.
-                        type: boolean
                       excludeInterfaces:
                         default:
                         - lo
@@ -2324,6 +2310,33 @@ spec:
                         items:
                           type: string
                         type: array
+                      features:
+                        description: 'List of additional features to enable. They
+                          are all disabled by default. Enabling additional features
+                          may have performance impacts. Possible values are:<br> -
+                          `PKT_DROP`: enable the packets drop flows logging feature.
+                          This feature requires mounting the kernel debug filesystem,
+                          so the eBPF pod has to run as privileged. If the `spec.agent.eBPF.privileged`
+                          parameter is not set, an error is reported.<br> - `DNS_TRACKING`:
+                          enable the DNS tracking feature. This feature requires mounting
+                          the kernel debug filesystem hence the eBPF pod has to run
+                          as privileged. If the `spec.agent.eBPF.privileged` parameter
+                          is not set, an error is reported.<br> - `FLOW_RTT` <i>Unsupported
+                          (*)</i>: allows enabling flow latency (RTT) calculations
+                          in the eBPF agent during TCP handshakes. This feature needs
+                          both INGRESS and EGRESS direction flow capture and will
+                          be disabled if they are not both enabled.<br>'
+                        items:
+                          description: Agent feature, can be one of:<br> - `PKT_DROP`,
+                            to track packet drops.<br> - `DNS_TRACKING`, to track
+                            specific information on DNS traffic.<br> - `FLOW_RTT`,
+                            to track L4 latency. <i>Unsupported (*)</i><br>
+                          enum:
+                          - PKT_DROP
+                          - DNS_TRACKING
+                          - FLOW_RTT
+                          type: string
+                        type: array
                       imagePullPolicy:
                         default: IfNotPresent
                         description: '`imagePullPolicy` is the Kubernetes pull policy

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -175,8 +175,6 @@ metadata:
               "ebpf": {
                 "cacheActiveTimeout": "5s",
                 "cacheMaxFlows": 100000,
-                "enableDNSTracking": false,
-                "enablePktDrop": false,
                 "excludeInterfaces": [
                   "lo"
                 ],

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -2287,20 +2287,6 @@ spec:
                               they are only useful in edge debug or support scenarios.'
                             type: object
                         type: object
-                      enableDNSTracking:
-                        default: false
-                        description: Enable the DNS tracking feature. This feature
-                          requires mounting the kernel debug filesystem hence the
-                          eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
-                          parameter is not set, an error is reported.
-                        type: boolean
-                      enablePktDrop:
-                        default: false
-                        description: Enable the Packets drop flows logging feature.
-                          This feature requires mounting the kernel debug filesystem,
-                          so the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
-                          parameter is not set, an error is reported.
-                        type: boolean
                       excludeInterfaces:
                         default:
                         - lo
@@ -2311,6 +2297,33 @@ spec:
                         items:
                           type: string
                         type: array
+                      features:
+                        description: 'List of additional features to enable. They
+                          are all disabled by default. Enabling additional features
+                          may have performance impacts. Possible values are:<br> -
+                          `PKT_DROP`: enable the packets drop flows logging feature.
+                          This feature requires mounting the kernel debug filesystem,
+                          so the eBPF pod has to run as privileged. If the `spec.agent.eBPF.privileged`
+                          parameter is not set, an error is reported.<br> - `DNS_TRACKING`:
+                          enable the DNS tracking feature. This feature requires mounting
+                          the kernel debug filesystem hence the eBPF pod has to run
+                          as privileged. If the `spec.agent.eBPF.privileged` parameter
+                          is not set, an error is reported.<br> - `FLOW_RTT` <i>Unsupported
+                          (*)</i>: allows enabling flow latency (RTT) calculations
+                          in the eBPF agent during TCP handshakes. This feature needs
+                          both INGRESS and EGRESS direction flow capture and will
+                          be disabled if they are not both enabled.<br>'
+                        items:
+                          description: Agent feature, can be one of:<br> - `PKT_DROP`,
+                            to track packet drops.<br> - `DNS_TRACKING`, to track
+                            specific information on DNS traffic.<br> - `FLOW_RTT`,
+                            to track L4 latency. <i>Unsupported (*)</i><br>
+                          enum:
+                          - PKT_DROP
+                          - DNS_TRACKING
+                          - FLOW_RTT
+                          type: string
+                        type: array
                       imagePullPolicy:
                         default: IfNotPresent
                         description: '`imagePullPolicy` is the Kubernetes pull policy

config/samples/flows_v1beta1_flowcollector.yaml

@@ -13,8 +13,10 @@ spec:
       cacheActiveTimeout: 5s
       cacheMaxFlows: 100000
       privileged: false
-      enablePktDrop: false
-      enableDNSTracking: false
+      # features: 
+      # - "PKT_DROP"
+      # - "DNS_TRACKING"
+      # - "FLOW_RTT"
       interfaces: [ ]
       excludeInterfaces: [ "lo" ]
       logLevel: info

controllers/consoleplugin/consoleplugin_objects.go

@@ -350,13 +350,17 @@ func (b *builder) configMap() (*corev1.ConfigMap, string) {
 
 	var features []string
 	if helper.UseEBPF(b.desired) {
-		if helper.IsPktDropEnabled(b.desired) {
+		if helper.IsPktDropEnabled(&b.desired.Agent.EBPF) {
 			features = append(features, "pktDrop")
 		}
 
-		if helper.IsDNSTrackingEnabled(b.desired) {
+		if helper.IsDNSTrackingEnabled(&b.desired.Agent.EBPF) {
 			features = append(features, "dnsTracking")
 		}
+
+		if helper.IsFlowRTTEnabled(&b.desired.Agent.EBPF) {
+			features = append(features, "flowRTT")
+		}
 	}
 
 	config := map[string]interface{}{

controllers/ebpf/agent_controller.go

@@ -57,6 +57,7 @@ const (
 	envGoMemLimit                 = "GOMEMLIMIT"
 	envEnablePktDrop              = "ENABLE_PKT_DROPS"
 	envEnableDNSTracking          = "ENABLE_DNS_TRACKING"
+	envEnableFlowRTT              = "ENABLE_RTT"
 	envListSeparator              = ","
 )
 
@@ -185,10 +186,9 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 	volumeMounts := c.volumes.GetMounts()
 	volumes := c.volumes.GetVolumes()
 
-	if helper.IsPktDropEnabled(&coll.Spec) || helper.IsDNSTrackingEnabled(&coll.Spec) {
+	if helper.IsFeatureEnabled(&coll.Spec.Agent.EBPF, flowslatest.PktDrop) || helper.IsFeatureEnabled(&coll.Spec.Agent.EBPF, flowslatest.DNSTracking) {
 		if !coll.Spec.Agent.EBPF.Privileged {
-			rlog.Error(fmt.Errorf("invalid configuration"),
-				"To use PktDrop and/or DNSTracking feature(s) privileged mode needs to be enabled", nil)
+			rlog.Error(fmt.Errorf("invalid configuration"), "To use PktDrop and/or DNSTracking feature(s) privileged mode needs to be enabled")
 		} else {
 			volume := corev1.Volume{
 				Name: bpfTraceMountName,
@@ -407,6 +407,13 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 		})
 	}
 
+	if helper.IsFlowRTTEnabled(&coll.Spec.Agent.EBPF) {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableFlowRTT,
+			Value: "true",
+		})
+	}
+
 	// set GOMEMLIMIT which allows specifying a soft memory cap to force GC when resource limit is reached
 	// to prevent OOM
 	if coll.Spec.Agent.EBPF.Resources.Limits.Memory() != nil {
@@ -418,14 +425,14 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 		}
 	}
 
-	if helper.IsPktDropEnabled(&coll.Spec) {
+	if helper.IsPktDropEnabled(&coll.Spec.Agent.EBPF) {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnablePktDrop,
 			Value: "true",
 		})
 	}
 
-	if helper.IsDNSTrackingEnabled(&coll.Spec) {
+	if helper.IsDNSTrackingEnabled(&coll.Spec.Agent.EBPF) {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnableDNSTracking,
 			Value: "true",

controllers/ebpf/internal/permissions/permissions.go

@@ -155,14 +155,9 @@ func (c *Reconciler) reconcileOpenshiftPermissions(
 	} else {
 		scc.AllowedCapabilities = AllowedCapabilities
 	}
-	if (desired.EnablePktDrop != nil && *desired.EnablePktDrop) ||
-		(desired.EnableDNSTracking != nil && *desired.EnableDNSTracking) {
+	if helper.IsPktDropEnabled(desired) || helper.IsDNSTrackingEnabled(desired) {
 		scc.AllowHostDirVolumePlugin = true
 	}
-	if (desired.EnablePktDrop != nil && !*desired.EnablePktDrop) &&
-		(desired.EnableDNSTracking != nil && !*desired.EnableDNSTracking) {
-		scc.AllowHostDirVolumePlugin = false
-	}
 	actual := &osv1.SecurityContextConstraints{}
 	if err := c.Get(ctx, client.ObjectKeyFromObject(scc), actual); err != nil {
 		if errors.IsNotFound(err) {

controllers/flowcollector_controller_iso_test.go

@@ -98,8 +98,7 @@ func flowCollectorIsoSpecs() {
 					ExcludeInterfaces:  []string{},
 					Privileged:         false,
 					KafkaBatchSize:     0,
-					EnablePktDrop:      pointer.Bool(false),
-					EnableDNSTracking:  pointer.Bool(false),
+					Features:           nil,
 				},
 			},
 			ConsolePlugin: flowslatest.FlowCollectorConsolePlugin{

controllers/flowlogspipeline/flp_common_objects.go

@@ -436,7 +436,7 @@ func (b *builder) addConnectionTracking(indexFields []string, lastStage config.P
 		},
 	}
 
-	if helper.IsPktDropEnabled(b.desired) {
+	if helper.IsPktDropEnabled(&b.desired.Agent.EBPF) {
 		outputPktDropFields := []api.OutputField{
 			{
 				Name:      "PktDropBytes",
@@ -468,7 +468,7 @@ func (b *builder) addConnectionTracking(indexFields []string, lastStage config.P
 		outputFields = append(outputFields, outputPktDropFields...)
 	}
 
-	if helper.IsDNSTrackingEnabled(b.desired) {
+	if helper.IsDNSTrackingEnabled(&b.desired.Agent.EBPF) {
 		outDNSTrackingFields := []api.OutputField{
 			{
 				Name:      "DnsFlagsResponseCode",
@@ -482,6 +482,14 @@ func (b *builder) addConnectionTracking(indexFields []string, lastStage config.P
 		outputFields = append(outputFields, outDNSTrackingFields...)
 	}
 
+	if helper.IsFlowRTTEnabled(&b.desired.Agent.EBPF) {
+		outputFields = append(outputFields, api.OutputField{
+			Name:      "MaxTimeFlowRttNs",
+			Operation: "max",
+			Input:     "TimeFlowRttNs",
+		})
+	}
+
 	// Connection tracking stage (only if LogTypes is not FLOWS)
 	if b.desired.Processor.LogTypes != nil && *b.desired.Processor.LogTypes != flowslatest.LogTypeFlows {
 		indexFields = append(indexFields, constants.LokiConnectionIndexFields...)

docs/FlowCollector.md

@@ -4070,24 +4070,6 @@ Agent configuration for flows extraction.
           `debug` allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed exclusively for debugging and fine-grained performance optimizations, such as GOGC and GOMAXPROCS env vars. Users setting its values do it at their own risk.<br/>
         </td>
         <td>false</td>
-      </tr><tr>
-        <td><b>enableDNSTracking</b></td>
-        <td>boolean</td>
-        <td>
-          Enable the DNS tracking feature. This feature requires mounting the kernel debug filesystem hence the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged parameter is not set, an error is reported.<br/>
-          <br/>
-            <i>Default</i>: false<br/>
-        </td>
-        <td>false</td>
-      </tr><tr>
-        <td><b>enablePktDrop</b></td>
-        <td>boolean</td>
-        <td>
-          Enable the Packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged parameter is not set, an error is reported.<br/>
-          <br/>
-            <i>Default</i>: false<br/>
-        </td>
-        <td>false</td>
       </tr><tr>
         <td><b>excludeInterfaces</b></td>
         <td>[]string</td>
@@ -4097,6 +4079,13 @@ Agent configuration for flows extraction.
             <i>Default</i>: [lo]<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>features</b></td>
+        <td>[]enum</td>
+        <td>
+          List of additional features to enable. They are all disabled by default. Enabling additional features may have performance impacts. Possible values are:<br> - `PKT_DROP`: enable the packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF pod has to run as privileged. If the `spec.agent.eBPF.privileged` parameter is not set, an error is reported.<br> - `DNS_TRACKING`: enable the DNS tracking feature. This feature requires mounting the kernel debug filesystem hence the eBPF pod has to run as privileged. If the `spec.agent.eBPF.privileged` parameter is not set, an error is reported.<br> - `FLOW_RTT` <i>Unsupported (*)</i>: allows enabling flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature needs both INGRESS and EGRESS direction flow capture and will be disabled if they are not both enabled.<br><br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>imagePullPolicy</b></td>
         <td>enum</td>