netobserv · msherif1234 · May 29, 2024
diff --git a/apis/flowcollector/v1beta1/flowcollector_types.go b/apis/flowcollector/v1beta1/flowcollector_types.go
@@ -150,14 +150,16 @@ type FlowCollectorIPFIX struct {
 // Agent feature, can be one of:<br>
 // - `PacketDrop`, to track packet drops.<br>
 // - `DNSTracking`, to track specific information on DNS traffic.<br>
-// - `FlowRTT`, to track TCP latency. [Unsupported (*)].<br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT"
+// - `FlowRTT`, to track TCP latency [Unsupported (*)].<br>
+// - `NetworkEvents`, to track Network events.<br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents"
 type AgentFeature string
 
 const (
-	PacketDrop  AgentFeature = "PacketDrop"
-	DNSTracking AgentFeature = "DNSTracking"
-	FlowRTT     AgentFeature = "FlowRTT"
+	PacketDrop    AgentFeature = "PacketDrop"
+	DNSTracking   AgentFeature = "DNSTracking"
+	FlowRTT       AgentFeature = "FlowRTT"
+	NetworkEvents AgentFeature = "NetworkEvents"
 )
 
 // Name of an eBPF agent alert.
@@ -325,6 +327,8 @@ type FlowCollectorEBPF struct {
 	// If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
 	// - `DNSTracking`: enable the DNS tracking feature.<br>
 	// - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+	// - `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
+	// the kernel debug filesystem, so the eBPF pod has to run as privileged.
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

diff --git a/apis/flowcollector/v1beta2/flowcollector_types.go b/apis/flowcollector/v1beta2/flowcollector_types.go
@@ -175,13 +175,15 @@ type FlowCollectorIPFIX struct {
 // - `PacketDrop`, to track packet drops.<br>
 // - `DNSTracking`, to track specific information on DNS traffic.<br>
 // - `FlowRTT`, to track TCP latency.<br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT"
+// - `NetworkEvents`, to track Network events.<br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents"
 type AgentFeature string
 
 const (
-	PacketDrop  AgentFeature = "PacketDrop"
-	DNSTracking AgentFeature = "DNSTracking"
-	FlowRTT     AgentFeature = "FlowRTT"
+	PacketDrop    AgentFeature = "PacketDrop"
+	DNSTracking   AgentFeature = "DNSTracking"
+	FlowRTT       AgentFeature = "FlowRTT"
+	NetworkEvents AgentFeature = "NetworkEvents"
 )
 
 // Name of an eBPF agent alert.
@@ -349,6 +351,8 @@ type FlowCollectorEBPF struct {
 	// If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
 	// - `DNSTracking`: enable the DNS tracking feature.<br>
 	// - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+	// - `NetworkEvents`: enable the Network events monitoring feature.  This feature requires mounting
+	// the kernel debug filesystem, so the eBPF pod has to run as privileged.
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -133,16 +133,20 @@ spec:
                           If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
                           - `DNSTracking`: enable the DNS tracking feature.<br>
                           - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+                          - `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
+                          the kernel debug filesystem, so the eBPF pod has to run as privileged.
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
                             - `PacketDrop`, to track packet drops.<br>
                             - `DNSTracking`, to track specific information on DNS traffic.<br>
-                            - `FlowRTT`, to track TCP latency. [Unsupported (*)].<br>
+                            - `FlowRTT`, to track TCP latency [Unsupported (*)].<br>
+                            - `NetworkEvents`, to track Network events.<br>
                           enum:
                           - PacketDrop
                           - DNSTracking
                           - FlowRTT
+                          - NetworkEvents
                           type: string
                         type: array
                       flowFilter:
@@ -3710,16 +3714,20 @@ spec:
                           If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
                           - `DNSTracking`: enable the DNS tracking feature.<br>
                           - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+                          - `NetworkEvents`: enable the Network events monitoring feature.  This feature requires mounting
+                          the kernel debug filesystem, so the eBPF pod has to run as privileged.
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
                             - `PacketDrop`, to track packet drops.<br>
                             - `DNSTracking`, to track specific information on DNS traffic.<br>
                             - `FlowRTT`, to track TCP latency.<br>
+                            - `NetworkEvents`, to track Network events.<br>
                           enum:
                           - PacketDrop
                           - DNSTracking
                           - FlowRTT
+                          - NetworkEvents
                           type: string
                         type: array
                       flowFilter:

diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -118,16 +118,20 @@ spec:
                             If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
                             - `DNSTracking`: enable the DNS tracking feature.<br>
                             - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+                            - `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
+                            the kernel debug filesystem, so the eBPF pod has to run as privileged.
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
                               - `PacketDrop`, to track packet drops.<br>
                               - `DNSTracking`, to track specific information on DNS traffic.<br>
-                              - `FlowRTT`, to track TCP latency. [Unsupported (*)].<br>
+                              - `FlowRTT`, to track TCP latency [Unsupported (*)].<br>
+                              - `NetworkEvents`, to track Network events.<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
                               - FlowRTT
+                              - NetworkEvents
                             type: string
                           type: array
                         flowFilter:
@@ -3416,16 +3420,20 @@ spec:
                             If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
                             - `DNSTracking`: enable the DNS tracking feature.<br>
                             - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+                            - `NetworkEvents`: enable the Network events monitoring feature.  This feature requires mounting
+                            the kernel debug filesystem, so the eBPF pod has to run as privileged.
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
                               - `PacketDrop`, to track packet drops.<br>
                               - `DNSTracking`, to track specific information on DNS traffic.<br>
                               - `FlowRTT`, to track TCP latency.<br>
+                              - `NetworkEvents`, to track Network events.<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
                               - FlowRTT
+                              - NetworkEvents
                             type: string
                           type: array
                         flowFilter:

diff --git a/config/samples/flows_v1beta2_flowcollector.yaml b/config/samples/flows_v1beta2_flowcollector.yaml
@@ -22,6 +22,7 @@ spec:
       # - "PacketDrop"
       # - "DNSTracking"
       # - "FlowRTT"
+      # - "NetworkEvents"
       interfaces: []
       excludeInterfaces: ["lo"]
       kafkaBatchSize: 1048576

diff --git a/controllers/consoleplugin/config/static-frontend-config.yaml b/controllers/consoleplugin/config/static-frontend-config.yaml
@@ -510,6 +510,14 @@ columns:
     default: true
     width: 5
     feature: flowRTT
+  - id: NetworkEvents
+    name: Network Events
+    tooltip: Network events flow monitor
+    field: NetworkEvents
+    filter: network_events
+    default: true
+    width: 15
+    feature: networkEvents
 filters:
   - id: cluster_name
     name: Cluster
@@ -885,7 +893,10 @@ filters:
     name: Flow RTT
     component: number
     hint: Specify a TCP smoothed Round Trip Time in nanoseconds.
-
+  - id: network_events
+    name: Network events flow monitoring
+    component: text
+    hint: Specify a single network event.
 # Fields definition, used to generate documentation
 # The "cardinalityWarn" property relates to how the field is suitable for usage as a metric label wrt cardinality; it may have 3 values: fine, careful, avoid
 fields:
@@ -1112,6 +1123,10 @@ fields:
     type: number
     description: TCP Smoothed Round Trip Time (SRTT), in nanoseconds
     cardinalityWarn: avoid
+  - name: NetworkEvents
+    type: string
+    description: Network events flow monitoring
+    cardinalityWarn: avoid
   - name: K8S_ClusterName
     type: string
     description: Cluster name or identifier

diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
@@ -448,6 +448,10 @@ func (b *builder) setFrontendConfig(fconf *cfg.FrontendConfig) error {
 		fconf.Features = append(fconf.Features, "flowRTT")
 	}
 
+	if helper.IsNetworkEventsEnabled(&b.desired.Agent.EBPF) {
+		fconf.Features = append(fconf.Features, "networkEvents")
+	}
+
 	if b.desired.Agent.EBPF.Advanced != nil {
 		if v, ok := b.desired.Agent.EBPF.Advanced.Env[ebpf.EnvDedupeJustMark]; ok {
 			dedupJustMark, err = strconv.ParseBool(v)

diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go
@@ -56,6 +56,8 @@ const (
 	envEnablePktDrop              = "ENABLE_PKT_DROPS"
 	envEnableDNSTracking          = "ENABLE_DNS_TRACKING"
 	envEnableFlowRTT              = "ENABLE_RTT"
+	envEnableNetworkEvents        = "ENABLE_NETWORK_EVENTS_MONITORING"
+	envNetworkEventsGroupID       = "NETWORK_EVENTS_MONITORING_GROUP_ID"
 	envEnableMetrics              = "METRICS_ENABLE"
 	envMetricsPort                = "METRICS_SERVER_PORT"
 	envMetricPrefix               = "METRICS_PREFIX"
@@ -80,15 +82,22 @@ const (
 )
 
 const (
-	exportKafka                = "kafka"
-	exportGRPC                 = "grpc"
-	kafkaCerts                 = "kafka-certs"
-	averageMessageSize         = 100
-	bpfTraceMountName          = "bpf-kernel-debug"
-	bpfTraceMountPath          = "/sys/kernel/debug"
-	bpfNetNSMountName          = "var-run-netns"
-	bpfNetNSMountPath          = "/var/run/netns"
-	droppedFlowsAlertThreshold = 100
+	exportKafka                 = "kafka"
+	exportGRPC                  = "grpc"
+	kafkaCerts                  = "kafka-certs"
+	averageMessageSize          = 100
+	bpfTraceMountName           = "bpf-kernel-debug"
+	bpfTraceMountPath           = "/sys/kernel/debug"
+	bpfNetNSMountName           = "var-run-netns"
+	bpfNetNSMountPath           = "/var/run/netns"
+	droppedFlowsAlertThreshold  = 100
+	ovnObservMountName          = "var-run-ovn"
+	ovnObservMountPath          = "/var/run/ovn"
+	ovnObservHostMountPath      = "/var/run/ovn-ic"
+	ovsMountPath                = "/var/run/openvswitch"
+	ovsHostMountPath            = "/var/run/openvswitch"
+	ovsMountName                = "var-run-ovs"
+	defaultNetworkEventsGroupID = "10"
 )
 
 const (
@@ -301,6 +310,47 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 		}
 	}
 
+	if helper.IsAgentFeatureEnabled(&coll.Spec.Agent.EBPF, flowslatest.NetworkEvents) {
+		if !coll.Spec.Agent.EBPF.Privileged {
+			rlog.Error(fmt.Errorf("invalid configuration"), "To use Network Events Monitor feature privileged mode needs to be enabled")
+		} else {
+			volume := corev1.Volume{
+				Name: ovnObservMountName,
+				VolumeSource: corev1.VolumeSource{
+					HostPath: &corev1.HostPathVolumeSource{
+						Type: newHostPathType(corev1.HostPathDirectory),
+						Path: ovnObservHostMountPath,
+					},
+				},
+			}
+			volumes = append(volumes, volume)
+			volumeMount := corev1.VolumeMount{
+				Name:             ovnObservMountName,
+				MountPath:        ovnObservMountPath,
+				MountPropagation: newMountPropagationMode(corev1.MountPropagationBidirectional),
+			}
+			volumeMounts = append(volumeMounts, volumeMount)
+
+			volume = corev1.Volume{
+				Name: ovsMountName,
+				VolumeSource: corev1.VolumeSource{
+					HostPath: &corev1.HostPathVolumeSource{
+						Type: newHostPathType(corev1.HostPathDirectory),
+						Path: ovsHostMountPath,
+					},
+				},
+			}
+			volumes = append(volumes, volume)
+			volumeMount = corev1.VolumeMount{
+				Name:             ovsMountName,
+				MountPath:        ovsMountPath,
+				MountPropagation: newMountPropagationMode(corev1.MountPropagationBidirectional),
+			}
+			volumeMounts = append(volumeMounts, volumeMount)
+		}
+
+	}
+
 	advancedConfig := helper.GetAdvancedAgentConfig(coll.Spec.Agent.EBPF.Advanced)
 
 	return &v1.DaemonSet{
@@ -522,6 +572,7 @@ func (c *AgentController) securityContext(coll *flowslatest.FlowCollector) *core
 	return sc
 }
 
+// nolint:golint,cyclop
 func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1.EnvVar {
 	var config []corev1.EnvVar
 
@@ -575,6 +626,13 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 		})
 	}
 
+	if helper.IsNetworkEventsEnabled(&coll.Spec.Agent.EBPF) {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableNetworkEvents,
+			Value: "true",
+		})
+	}
+
 	// set GOMEMLIMIT which allows specifying a soft memory cap to force GC when resource limit is reached
 	// to prevent OOM
 	if coll.Spec.Agent.EBPF.Resources.Limits.Memory() != nil {
@@ -619,6 +677,7 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 	dedupJustMark := DedupeJustMarkDefault
 	dedupMerge := DedupeMergeDefault
 	dnsTrackingPort := defaultDNSTrackingPort
+	networkEventsGroupID := defaultNetworkEventsGroupID
 	// we need to sort env map to keep idempotency,
 	// as equal maps could be iterated in different order
 	advancedConfig := helper.GetAdvancedAgentConfig(coll.Spec.Agent.EBPF.Advanced)
@@ -632,6 +691,8 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 			dedupMerge = v
 		} else if k == envDNSTrackingPort {
 			dnsTrackingPort = v
+		} else if k == envNetworkEventsGroupID {
+			networkEventsGroupID = v
 		} else {
 			config = append(config, corev1.EnvVar{Name: k, Value: v})
 		}
@@ -640,6 +701,7 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 	config = append(config, corev1.EnvVar{Name: envDedupe, Value: dedup})
 	config = append(config, corev1.EnvVar{Name: EnvDedupeJustMark, Value: dedupJustMark})
 	config = append(config, corev1.EnvVar{Name: envDNSTrackingPort, Value: dnsTrackingPort})
+	config = append(config, corev1.EnvVar{Name: envNetworkEventsGroupID, Value: networkEventsGroupID})
 	config = append(config, corev1.EnvVar{
 		Name: envAgentIP,
 		ValueFrom: &corev1.EnvVarSource{

diff --git a/controllers/flp/flp_pipeline_builder.go b/controllers/flp/flp_pipeline_builder.go
@@ -361,6 +361,16 @@ func (b *PipelineBuilder) addConnectionTracking(lastStage config.PipelineBuilder
 		outputFields = append(outputFields, outDNSTrackingFields...)
 	}
 
+	if helper.IsNetworkEventsEnabled(&b.desired.Agent.EBPF) {
+		outNetworkEventsFlowFields := []api.OutputField{
+			{
+				Name:      "NetworkEvents",
+				Operation: "last",
+			},
+		}
+		outputFields = append(outputFields, outNetworkEventsFlowFields...)
+	}
+
 	if helper.IsFlowRTTEnabled(&b.desired.Agent.EBPF) {
 		outputFields = append(outputFields, api.OutputField{
 			Name:      "MaxTimeFlowRttNs",

diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
@@ -289,7 +289,9 @@ Otherwise it is matched as a case-sensitive string.<br/>
 the kernel debug filesystem, so the eBPF pod has to run as privileged.
 If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
 - `DNSTracking`: enable the DNS tracking feature.<br>
-- `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br><br/>
+- `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+- `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
+the kernel debug filesystem, so the eBPF pod has to run as privileged.<br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -5944,7 +5946,9 @@ Otherwise it is matched as a case-sensitive string.<br/>
 the kernel debug filesystem, so the eBPF pod has to run as privileged.
 If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<br>
 - `DNSTracking`: enable the DNS tracking feature.<br>
-- `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br><br/>
+- `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.<br>
+- `NetworkEvents`: enable the Network events monitoring feature.  This feature requires mounting
+the kernel debug filesystem, so the eBPF pod has to run as privileged.<br/>
         </td>
         <td>false</td>
       </tr><tr>

diff --git a/pkg/helper/flowcollector.go b/pkg/helper/flowcollector.go
@@ -119,6 +119,10 @@ func IsFlowRTTEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
 	return IsAgentFeatureEnabled(spec, flowslatest.FlowRTT)
 }
 
+func IsNetworkEventsEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
+	return IsAgentFeatureEnabled(spec, flowslatest.NetworkEvents)
+}
+
 func IsMultiClusterEnabled(spec *flowslatest.FlowCollectorFLP) bool {
 	return spec.MultiClusterDeployment != nil && *spec.MultiClusterDeployment
 }