From e46d15d71185c0e2cab6780b8153ec918b022609 Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Wed, 22 Jan 2025 12:39:42 +0530 Subject: [PATCH 01/12] initial commit for the helm charts --- helm/netobserv/Chart.yaml | 24 + helm/netobserv/templates/clusterRole.yaml | 215 + helm/netobserv/templates/deployment.yaml | 111 + .../flows.netobserv.io_flowcollectors.yaml | 8394 +++++++++++++++++ .../flows.netobserv.io_flowmetrics.yaml | 320 + ...netobserv-manager-config_v1_configmap.yaml | 19 + .../netobserv-metrics-service_v1_service.yaml | 19 + .../netobserv-webhook-service_v1_service.yaml | 21 + helm/netobserv/templates/role.yaml | 37 + helm/netobserv/values.yaml | 0 10 files changed, 9160 insertions(+) create mode 100644 helm/netobserv/Chart.yaml create mode 100644 helm/netobserv/templates/clusterRole.yaml create mode 100644 helm/netobserv/templates/deployment.yaml create mode 100644 helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml create mode 100644 helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml create mode 100644 helm/netobserv/templates/netobserv-manager-config_v1_configmap.yaml create mode 100644 helm/netobserv/templates/netobserv-metrics-service_v1_service.yaml create mode 100644 helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml create mode 100644 helm/netobserv/templates/role.yaml create mode 100644 helm/netobserv/values.yaml diff --git a/helm/netobserv/Chart.yaml b/helm/netobserv/Chart.yaml new file mode 100644 index 0000000000..25cd2cb7a7 --- /dev/null +++ b/helm/netobserv/Chart.yaml 
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: Netobserv
+description: A Helm chart to install Network Observability Operator on k8s
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.6.1"
diff --git a/helm/netobserv/templates/clusterRole.yaml b/helm/netobserv/templates/clusterRole.yaml
new file mode 100644
index 0000000000..0ce7ac7b48
--- /dev/null
+++ b/helm/netobserv/templates/clusterRole.yaml
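Review bot: `name: Netobserv` uses an uppercase letter, while Helm's documented convention for chart names is lowercase letters, digits and dashes, and the chart directory is already `netobserv`; change it to `name: netobserv` so the packaged archive and release naming match. `appVersion: "1.6.1"` also disagrees with the `1.6.2-community` operator and component image tags pinned in templates/deployment.yaml in this same commit, so whichever is intended, align the two. Ideally the deployment would derive its operator tag from `.Chart.AppVersion` so this field becomes the single source of truth instead of a value that silently drifts.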
@@ -0,0 +1,215 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluterRole
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+- apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - clusterversions
+ - networks
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - console.openshift.io
+ resources:
+ - consoleplugins
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - namespaces
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - nodes
+ - pods
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowcollectors
+ - flowmetrics
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowcollectors/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - flows.netobserv.io
+ resources:
+ - flowcollectors/status
+ - flowmetrics/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - loki.grafana.com
+ resourceNames:
+ - logs
+ resources:
+ - network
+ verbs:
+ - create
+ - get
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheusrules
+ - servicemonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - operator.openshift.io
+ resources:
+ - consoles
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - create
+ - list
+ - update
+ - watch
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - hostnetwork
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+serviceAccountName: netobserv-controller-manager
\ No newline at end of file
diff --git a/helm/netobserv/templates/deployment.yaml b/helm/netobserv/templates/deployment.yaml
new file mode 100644
index 0000000000..7a04ebc3c3
--- /dev/null
+++ b/helm/netobserv/templates/deployment.yaml
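Review bot: `serviceAccountName: netobserv-controller-manager` on the last line is not a field of ClusterRole, and nothing in this commit binds the role to that service account or creates the account itself, so the manager pod would run with an unbound identity and every API call the operator makes would be forbidden; the association belongs in a ClusterRoleBinding (below) and the ServiceAccount needs its own manifest. `name: cluterRole` also looks like a typo and, being cluster-scoped, such a generic name is easy to collide with — reuse `netobserv-controller-manager` as the role name. The `authentication.k8s.io` / `tokenreviews` rule is listed twice; dropping the second copy changes nothing but keeps the role readable. The file also ends without a trailing newline.
```yaml
metadata:
  name: netobserv-controller-manager
# … unchanged: rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: netobserv-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: netobserv-controller-manager
subjects:
  - kind: ServiceAccount
    name: netobserv-controller-manager
    namespace: {{ .Release.Namespace }}
```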
@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wnetobserv-controller-manager
+ labels:
+ app: netobserv-operator
+ control-plane: controller-manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: netobserv-operator
+ control-plane: controller-manager
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: netobserv-operator
+ control-plane: controller-manager
+ spec:
+ containers:
+ - args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ - --ebpf-agent-image=$(RELATED_IMAGE_EBPF_AGENT)
+ - --flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE)
+ - --console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN)
+ - --downstream-deployment=$(DOWNSTREAM_DEPLOYMENT)
+ - --profiling-bind-address=$(PROFILING_BIND_ADDRESS)
+ command:
+ - /manager
+ env:
+ - name: RELATED_IMAGE_EBPF_AGENT
+ value: quay.io/netobserv/netobserv-ebpf-agent:v1.6.2-community
+ - name: RELATED_IMAGE_FLOWLOGS_PIPELINE
+ value: quay.io/netobserv/flowlogs-pipeline:v1.6.2-community
+ - name: RELATED_IMAGE_CONSOLE_PLUGIN
+ value: quay.io/netobserv/network-observability-console-plugin:v1.6.2-community
+ - name: DOWNSTREAM_DEPLOYMENT
+ value: "false"
+ - name: PROFILING_BIND_ADDRESS
+ image: quay.io/netobserv/network-observability-operator:1.6.2-community
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ memory: 400Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ - --http2-disable
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: netobserv-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
\ No newline at end of file
diff --git a/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml b/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml
new file mode 100644
index 0000000000..2c301ee3b1
--- /dev/null
+++ b/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml
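Review bot: `name: wnetobserv-controller-manager` in metadata looks like a typo for `netobserv-controller-manager`, the name used for `serviceAccountName` further down in this same hunk; fix it before anything starts depending on the Deployment name. The `cert` volume requires a Secret named `webhook-server-cert`, but no Secret, cert-manager resource or documented prerequisite is part of this commit, so the pod will stay in ContainerCreating until someone creates it by hand — either add the issuing resources to the chart or set `optional: true` on the secret volume and state the prerequisite in the chart's README. Every image reference and the kube-rbac-proxy `--v=10` flag are hard-coded even though values.yaml is added empty; at minimum the three `RELATED_IMAGE_*` values and the operator image tag should come from values so a user can pin them, and `--v=10` is far more verbose than a sidecar proxy needs in normal operation.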
@@ -0,0 +1,8394 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + creationTimestamp: null + name: flowcollectors.flows.netobserv.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: netobserv-webhook-service + namespace: netobserv + path: /convert + conversionReviewVersions: + - v1 + group: flows.netobserv.io + names: + kind: FlowCollector + listKind: FlowCollectorList + plural: flowcollectors + singular: flowcollector + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.agent.type + name: Agent + type: string + - jsonPath: .spec.agent.ebpf.sampling + name: Sampling (EBPF) + type: string + - jsonPath: .spec.deploymentModel + name: Deployment Model + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: '`FlowCollector` is the schema for the network flows collection + API, which pilots and configures the underlying deployments.' + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + properties: + name: + pattern: ^cluster$ + type: string + type: object + spec: + description: |- + Defines the desired state of the FlowCollector resource. +

+ *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature + is not officially supported by Red Hat. It might have been, for example, contributed by the community + and accepted without a formal agreement for maintenance. The product maintainers might provide some support + for these features as a best effort only. + properties: + agent: + description: Agent configuration for flows extraction. + properties: + ebpf: + description: |- + `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type` + is set to `EBPF`. + properties: + cacheActiveTimeout: + default: 5s + description: |- + `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 100000 + description: |- + `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + format: int32 + minimum: 1 + type: integer + debug: + description: |- + `debug` allows setting some aspects of the internal configuration of the eBPF agent. + This section is aimed exclusively for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. 
Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + type: object + excludeInterfaces: + default: + - lo + description: |- + `excludeInterfaces` contains the interface names that are excluded from flow tracing. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + features: + description: |- + List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
+ - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting + the kernel debug filesystem, so the eBPF pod has to run as privileged. + If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.
+ - `DNSTracking`: enable the DNS tracking feature.
+ - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.
+ items: + description: |- + Agent feature, can be one of:
+ - `PacketDrop`, to track packet drops.
+ - `DNSTracking`, to track specific information on DNS traffic.
+ - `FlowRTT`, to track TCP latency. [Unsupported (*)].
+ enum: + - PacketDrop + - DNSTracking + - FlowRTT + type: string + type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration + regarding flow filtering' + properties: + action: + description: Action defines the action to perform on the + flows that match the filter. + enum: + - Accept + - Reject + type: string + cidr: + description: |- + CIDR defines the IP CIDR to filter flows by. + Example: 10.10.10.0/24 or 100:100:100:100::/64 + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + DestPorts defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example, destPorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example, destPorts: "80-100". + To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. + x-kubernetes-int-or-string: true + direction: + description: Direction defines the direction to filter + flows by. + enum: + - Ingress + - Egress + type: string + enable: + description: Set `enable` to `true` to enable eBPF flow + filtering feature. + type: boolean + icmpCode: + description: ICMPCode defines the ICMP code to filter + flows by. + type: integer + icmpType: + description: ICMPType defines the ICMP type to filter + flows by. + type: integer + peerIP: + description: |- + PeerIP defines the IP address to filter flows by. + Example: 10.10.10.10 + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + Ports defines the ports to filter flows by. it can be user for either source or destination ports. + To filter a single port, set a single port as an integer value. For example, ports: 80. + To filter a range of ports, use a "start-end" range, string format. For example, ports: "80-100". + To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. 
+ x-kubernetes-int-or-string: true + protocol: + description: Protocol defines the protocol to filter flows + by. + enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + SourcePorts defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example, sourcePorts: 80. + To filter a range of ports, use a "start-end" range, string format. For example, sourcePorts: "80-100". + To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. + x-kubernetes-int-or-string: true + type: object + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + interfaces: + description: |- + `interfaces` contains the interface names from where flows are collected. If empty, the agent + fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + kafkaBatchSize: + default: 1048576 + description: '`kafkaBatchSize` limits the maximum size of + a request in bytes before being sent to a partition. Ignored + when not using Kafka. Default: 1MB.' + type: integer + logLevel: + default: info + description: '`logLevel` defines the log level for the NetObserv + eBPF Agent' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + metrics: + description: '`metrics` defines the eBPF agent configuration + regarding metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservDroppedFlows`, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter being triggered.
+ items: + description: |- + Name of an eBPF agent alert. + Possible values are:
+ `NetObservDroppedFlows`, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter being triggered.
+ enum: + - NetObservDroppedFlows + type: string + type: array + enable: + description: Set `enable` to `false` to disable eBPF agent + metrics collection, by default it's `true`. + type: boolean + server: + description: Metrics server endpoint configuration for + Prometheus scraper + properties: + port: + description: The prometheus HTTP port + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is + set to `PROVIDED`. + properties: + certFile: + description: '`certFile` defines the path + to the certificate file name within the + config map or secret' + type: string + certKey: + description: '`certKey` defines the path to + the certificate private key file name within + the config map or secret. Omit when the + key is not necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `PROVIDED`. 
+ properties: + file: + description: File name within the config map + or secret + type: string + name: + description: Name of the config map or secret + containing the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: + "configmap" or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: |- + Select the type of TLS configuration:
+ - `DISABLED` (default) to not configure TLS for the endpoint. + - `PROVIDED` to manually provide cert file and a key file. [Unsupported (*)]. + - `AUTO` to use OpenShift auto generated certificate using annotations. + enum: + - DISABLED + - PROVIDED + - AUTO + type: string + type: object + type: object + type: object + privileged: + description: |- + Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets + granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container. + If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF + is in use, then you can turn on this mode for more global privileges. + Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support. + type: boolean + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources` are the compute resources required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + sampling: + default: 50 + description: Sampling rate of the flow reporter. 100 means + one flow on 100 is sent. 0 or 1 means all flows are sampled. + format: int32 + minimum: 0 + type: integer + type: object + ipfix: + description: |- + `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type` + is set to `IPFIX`. + properties: + cacheActiveTimeout: + default: 20s + description: '`cacheActiveTimeout` is the max period during + which the reporter aggregates flows before sending.' + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 400 + description: '`cacheMaxFlows` is the max number of flows in + an aggregate; when reached, the reporter sends the flows.' 
+ format: int32 + minimum: 0 + type: integer + clusterNetworkOperator: + description: '`clusterNetworkOperator` defines the settings + related to the OpenShift Cluster Network Operator, when + available.' + properties: + namespace: + default: openshift-network-operator + description: Namespace where the config map is going + to be deployed. + type: string + type: object + forceSampleAll: + default: false + description: |- + `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter. + It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability. + If you REALLY want to do that, set this flag to `true`. Use at your own risk. + When it is set to `true`, the value of `sampling` is ignored. + type: boolean + ovnKubernetes: + description: '`ovnKubernetes` defines the settings of the + OVN-Kubernetes CNI, when available. This configuration is + used when using OVN''s IPFIX exports, without OpenShift. + When using OpenShift, refer to the `clusterNetworkOperator` + property instead.' + properties: + containerName: + default: ovnkube-node + description: '`containerName` defines the name of the + container to configure for IPFIX.' + type: string + daemonSetName: + default: ovnkube-node + description: '`daemonSetName` defines the name of the + DaemonSet controlling the OVN-Kubernetes pods.' + type: string + namespace: + default: ovn-kubernetes + description: Namespace where OVN-Kubernetes pods are deployed. + type: string + type: object + sampling: + default: 400 + description: |- + `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent. + To ensure cluster stability, it is not possible to set a value below 2. + If you really want to sample every packet, which might impact the cluster stability, + refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX. 
+ format: int32 + minimum: 2 + type: integer + type: object + type: + default: EBPF + description: |- + `type` [deprecated (*)] selects the flows tracing agent. The only possible value is `EBPF` (default), to use NetObserv eBPF agent.
+ Previously, using an IPFIX collector was allowed, but was deprecated and it is now removed.
+ Setting `IPFIX` is ignored and still use the eBPF Agent. + Since there is only a single option here, this field will be remove in a future API version. + enum: + - EBPF + - IPFIX + type: string + type: object + consolePlugin: + description: '`consolePlugin` defines the settings related to the + OpenShift Console plugin, when available.' + properties: + autoscaler: + description: '`autoscaler` spec of a horizontal pod autoscaler + to set up for the plugin Deployment.' + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' + format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + 
matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + 
type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + 
`minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: DISABLED + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `DISABLED` does not deploy an horizontal pod autoscaler.
+ - `ENABLED` deploys an horizontal pod autoscaler.
+ enum: + - DISABLED + - ENABLED + type: string + type: object + enable: + default: true + description: |- + Enables the console plugin deployment. + `spec.loki.enable` must also be `true` + type: boolean + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + logLevel: + default: info + description: '`logLevel` for the console plugin backend' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + port: + default: 9001 + description: '`port` is the plugin service port. Do not use 9002, + which is reserved for metrics.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + portNaming: + default: + enable: true + description: '`portNaming` defines the configuration of the port-to-service + name translation' + properties: + enable: + default: true + description: Enable the console plugin port-to-service name + translation + type: boolean + portNames: + additionalProperties: + type: string + description: |- + `portNames` defines additional port names to use in the console, + for example, `portNames: {"3100": "loki"}`. 
+ type: object + type: object + quickFilters: + default: + - default: true + filter: + flow_layer: app + name: Applications + - filter: + flow_layer: infra + name: Infrastructure + - default: true + filter: + dst_kind: Pod + src_kind: Pod + name: Pods network + - filter: + dst_kind: Service + name: Services network + description: '`quickFilters` configures quick filter presets for + the Console plugin' + items: + description: '`QuickFilter` defines preset configuration for + Console''s quick filters' + properties: + default: + description: '`default` defines whether this filter should + be active by default or not' + type: boolean + filter: + additionalProperties: + type: string + description: |- + `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, + for example, `filter: {"src_namespace": "namespace1,namespace2"}`. + type: object + name: + description: Name of the filter, that is displayed in the + Console + type: string + required: + - filter + - name + type: object + type: array + register: + default: true + description: |- + `register` allows, when set to `true`, to automatically register the provided console plugin with the OpenShift Console operator. + When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: + `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'` + type: boolean + replicas: + default: 1 + description: '`replicas` defines the number of replicas (pods) + to start.' + format: int32 + minimum: 0 + type: integer + resources: + default: + limits: + memory: 100Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources`, in terms of compute resources, required by this container. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + deploymentModel: + default: DIRECT + description: |- + `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:
+ - `DIRECT` (default) to make the flow processor listening directly from the agents.
+ - `KAFKA` to make flows sent to a Kafka pipeline before consumption by the processor.
+ Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka). + enum: + - DIRECT + - KAFKA + type: string + exporters: + description: '`exporters` define additional optional exporters for + custom consumption or storage.' + items: + description: '`FlowCollectorExporter` defines an additional exporter + to send enriched flows to.' + properties: + ipfix: + description: IPFIX configuration, such as the IP address and + port to send enriched IPFIX flows to. + properties: + targetHost: + default: "" + description: Address of the IPFIX external receiver + type: string + targetPort: + description: Port for the IPFIX external receiver + type: integer + transport: + description: Transport protocol (`TCP` or `UDP`) to be used + for the IPFIX connection, defaults to `TCP`. + enum: + - TCP + - UDP + type: string + required: + - targetHost + - targetPort + type: object + kafka: + description: Kafka configuration, such as the address and topic, + to send enriched flows to. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported + (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: Type of SASL authentication to use, or + `DISABLED` if SASL is not used + enum: + - DISABLED + - PLAIN + - SCRAM-SHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, + generally 9093. + properties: + caCert: + description: '`caCert` defines the reference of the + certificate for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it + when using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv + does not create it. + type: string + required: + - address + - topic + type: object + type: + description: '`type` selects the type of exporters. The available + options are `KAFKA` and `IPFIX`.' 
+ enum: + - KAFKA + - IPFIX + type: string + required: + - type + type: object + type: array + kafka: + description: Kafka configuration, allowing to use Kafka as a broker + as part of the flow collection pipeline. Available when the `spec.deploymentModel` + is `KAFKA`. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: Type of SASL authentication to use, or `DISABLED` + if SASL is not used + enum: + - DISABLED + - PLAIN + - SCRAM-SHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, generally + 9093. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv does + not create it. + type: string + required: + - address + - topic + type: object + loki: + description: '`loki`, the flow store, client settings.' + properties: + authToken: + default: DISABLED + description: |- + `authToken` describes the way to get a token to authenticate to Loki.
+ - `DISABLED` does not send any token with the request.
+ - `FORWARD` forwards the user token for authorization.
+ - `HOST` [deprecated (*)] - uses the local pod service account to authenticate to Loki.
+ When using the Loki Operator, this must be set to `FORWARD`. + enum: + - DISABLED + - HOST + - FORWARD + type: string + batchSize: + default: 102400 + description: '`batchSize` is the maximum batch size (in bytes) + of logs to accumulate before sending.' + format: int64 + minimum: 1 + type: integer + batchWait: + default: 1s + description: '`batchWait` is the maximum time to wait before sending + a batch.' + type: string + enable: + default: true + description: |- + Set `enable` to `true` to store flows in Loki. + The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.prometheus.querier`), or both. + Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, + such as getting per-pod information or viewing raw flows. + If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. + If they are both disabled, the Console plugin is not deployed. + type: boolean + maxBackoff: + default: 5s + description: '`maxBackoff` is the maximum backoff time for client + connection between retries.' + type: string + maxRetries: + default: 2 + description: '`maxRetries` is the maximum number of retries for + client connections.' + format: int32 + minimum: 0 + type: integer + minBackoff: + default: 1s + description: '`minBackoff` is the initial backoff time for client + connection between retries.' + type: string + querierUrl: + description: |- + `querierURL` specifies the address of the Loki querier service, in case it is different from the + Loki ingester URL. If empty, the URL value is used (assuming that the Loki ingester + and querier are in the same server). When using the Loki Operator, do not set it, since + ingestion and queries use the Loki gateway. + type: string + readTimeout: + default: 30s + description: |- + `readTimeout` is the maximum loki query total time limit. 
+ A timeout of zero means no timeout. + type: string + staticLabels: + additionalProperties: + type: string + default: + app: netobserv-flowcollector + description: '`staticLabels` is a map of common labels to set + on each flow.' + type: object + statusTls: + description: TLS client configuration for Loki status URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + statusUrl: + description: |- + `statusURL` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the + Loki querier URL. If empty, the `querierURL` value is used. + This is useful to show error messages and some context in the frontend. + When using the Loki Operator, set it to the Loki HTTP query frontend service, for example + https://loki-query-frontend-http.netobserv.svc:3100/. + `statusTLS` configuration is used when `statusUrl` is set. + type: string + tenantID: + default: netobserv + description: |- + `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request. + When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode. + type: string + timeout: + default: 10s + description: |- + `timeout` is the maximum processor time connection / request limit. + A timeout of zero means no timeout. 
+ type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' 
+ type: string + name: + description: Name of the config map or secret containing + certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + url: + default: http://loki:3100/ + description: |- + `url` is the address of an existing Loki service to push the flows to. When using the Loki Operator, + set it to the Loki gateway service with the `network` tenant set in path, for example + https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. + type: string + type: object + namespace: + default: netobserv + description: Namespace where NetObserv pods are deployed. + type: string + processor: + description: |- + `processor` defines the settings of the component that receives the flows from the agent, + enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter. + properties: + addZone: + description: |- + `addZone` allows availability zone awareness by labelling flows with their source and destination zones. + This feature requires the "topology.kubernetes.io/zone" label to be set on nodes. + type: boolean + clusterName: + default: "" + description: '`clusterName` is the name of the cluster to appear + in the flows data. This is useful in a multi-cluster context. + When using OpenShift, leave empty to make it automatically determined.' + type: string + conversationEndTimeout: + default: 10s + description: |- + `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended. 
+ This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead). + type: string + conversationHeartbeatInterval: + default: 30s + description: '`conversationHeartbeatInterval` is the time to wait + between "tick" events of a conversation' + type: string + conversationTerminatingTimeout: + default: 5s + description: '`conversationTerminatingTimeout` is the time to + wait from detected FIN flag to end a conversation. Only relevant + for TCP flows.' + type: string + debug: + description: |- + `debug` allows setting some aspects of the internal configuration of the flow processor. + This section is aimed exclusively for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + type: object + dropUnusedFields: + default: true + description: '`dropUnusedFields` [deprecated (*)] this setting + is not used anymore.' 
+ type: boolean + enableKubeProbes: + default: true + description: '`enableKubeProbes` is a flag to enable or disable + Kubernetes liveness and readiness probes' + type: boolean + healthPort: + default: 8080 + description: '`healthPort` is a collector HTTP port in the Pod + that exposes the health check API' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + kafkaConsumerAutoscaler: + description: |- + `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' + format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. 
For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + 
type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: DISABLED + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `DISABLED` does not deploy an horizontal pod autoscaler.
+ - `ENABLED` deploys an horizontal pod autoscaler.
+ enum: + - DISABLED + - ENABLED + type: string + type: object + kafkaConsumerBatchSize: + default: 10485760 + description: '`kafkaConsumerBatchSize` indicates to the broker + the maximum batch size, in bytes, that the consumer accepts. + Ignored when not using Kafka. Default: 10MB.' + type: integer + kafkaConsumerQueueCapacity: + default: 1000 + description: '`kafkaConsumerQueueCapacity` defines the capacity + of the internal message queue used in the Kafka consumer client. + Ignored when not using Kafka.' + type: integer + kafkaConsumerReplicas: + default: 3 + description: |- + `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + format: int32 + minimum: 0 + type: integer + logLevel: + default: info + description: '`logLevel` of the processor runtime' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + logTypes: + default: FLOWS + description: |- + `logTypes` defines the desired record types to generate. Possible values are:
+ - `FLOWS` (default) to export regular network flows
+ - `CONVERSATIONS` to generate events for started conversations, ended conversations as well as periodic "tick" updates
+ - `ENDED_CONVERSATIONS` to generate only ended conversations events
+ - `ALL` to generate both network flows and all conversations events
+ enum: + - FLOWS + - CONVERSATIONS + - ENDED_CONVERSATIONS + - ALL + type: string + metrics: + description: '`Metrics` define the processor configuration regarding + metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ items: + description: |- + Name of a processor alert. + Possible values are:
+ - `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ - `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ enum: + - NetObservNoFlows + - NetObservLokiError + type: string + type: array + ignoreTags: + default: + - egress + - packets + - nodes-flows + - namespaces-flows + - workloads-flows + - namespaces + description: |- + `ignoreTags` [deprecated (*)] is a list of tags to specify which metrics to ignore. Each metric is associated with a list of tags. More details in https://github.com/netobserv/network-observability-operator/tree/main/controllers/flowlogspipeline/metrics_definitions . + Available tags are: `egress`, `ingress`, `flows`, `bytes`, `packets`, `namespaces`, `nodes`, `workloads`, `nodes-flows`, `namespaces-flows`, `workloads-flows`. + Namespace-based metrics are covered by both `workloads` and `namespaces` tags, hence it is recommended to always ignore one of them (`workloads` offering a finer granularity).
+ Deprecation notice: use `includeList` instead. + items: + type: string + type: array + includeList: + description: |- + `includeList` is a list of metric names to specify which ones to generate. + The names correspond to the names in Prometheus without the prefix. For example, + `namespace_egress_packets_total` will show up as `netobserv_namespace_egress_packets_total` in Prometheus. + Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. + Metrics enabled by default are: + `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled), + `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled). + More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md + items: + description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md. 
+ enum: + - namespace_egress_bytes_total + - namespace_egress_packets_total + - namespace_ingress_bytes_total + - namespace_ingress_packets_total + - namespace_flows_total + - node_egress_bytes_total + - node_egress_packets_total + - node_ingress_bytes_total + - node_ingress_packets_total + - node_flows_total + - workload_egress_bytes_total + - workload_egress_packets_total + - workload_ingress_bytes_total + - workload_ingress_packets_total + - workload_flows_total + - namespace_drop_bytes_total + - namespace_drop_packets_total + - node_drop_bytes_total + - node_drop_packets_total + - workload_drop_bytes_total + - workload_drop_packets_total + - namespace_rtt_seconds + - node_rtt_seconds + - workload_rtt_seconds + - namespace_dns_latency_seconds + - node_dns_latency_seconds + - workload_dns_latency_seconds + type: string + type: array + server: + description: Metrics server endpoint configuration for Prometheus + scraper + properties: + port: + description: The prometheus HTTP port + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is set + to `PROVIDED`. + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `PROVIDED`. + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret + containing the file + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + type: + default: DISABLED + description: |- + Select the type of TLS configuration:
+ - `DISABLED` (default) to not configure TLS for the endpoint. + - `PROVIDED` to manually provide cert file and a key file. [Unsupported (*)]. + - `AUTO` to use OpenShift auto generated certificate using annotations. + enum: + - DISABLED + - PROVIDED + - AUTO + type: string + type: object + type: object + type: object + multiClusterDeployment: + default: false + description: Set `multiClusterDeployment` to `true` to enable + multi clusters feature. This adds clusterName label to flows + data + type: boolean + port: + default: 2055 + description: |- + Port of the flow collector (host port). + By convention, some values are forbidden. It must be greater than 1024 and different from + 4500, 4789 and 6081. + format: int32 + maximum: 65535 + minimum: 1025 + type: integer + profilePort: + description: '`profilePort` allows setting up a Go pprof profiler + listening to this port' + format: int32 + maximum: 65535 + minimum: 0 + type: integer + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 100Mi + description: |- + `resources` are the compute resources required by this container. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + subnetLabels: + description: |- + `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift. + When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`. + properties: + customLabels: + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. + items: + description: SubnetLabel allows to label subnets and IPs, + such as to identify cluster-external workloads or web + services. + properties: + cidrs: + description: List of CIDRs, such as `["1.2.3.4/32"]`. 
+ items: + type: string + type: array + name: + description: Label name, used to flag matching flows. + type: string + type: object + type: array + openShiftAutoDetect: + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect + external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift. + type: boolean + type: object + type: object + prometheus: + description: '`prometheus` defines Prometheus settings, such as querier + configuration used to fetch metrics from the Console plugin.' + properties: + querier: + description: Prometheus querying configuration, such as client + settings, used in the Console plugin. + properties: + enable: + default: true + description: |- + Set `enable` to `true` to make the Console plugin querying flow metrics from Prometheus instead of Loki whenever possible. + The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.loki`), or both. + Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, + such as getting per-pod information or viewing raw flows. + If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. + If they are both disabled, the Console plugin is not deployed. + type: boolean + manual: + description: Prometheus configuration for `Manual` mode. + properties: + forwardUserToken: + description: Set `true` to forward logged in user token + in queries to Prometheus + type: boolean + tls: + description: TLS client configuration for Prometheus URL. 
+ properties: + caCert: + description: '`caCert` defines the reference of the + certificate for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it + when using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' 
+ type: string + name: + description: Name of the config map or secret + containing certificates + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`' + enum: + - configmap + - secret + type: string + type: object + type: object + url: + default: http://prometheus:9090 + description: '`url` is the address of an existing Prometheus + service to use for querying metrics.' + type: string + type: object + mode: + default: Auto + description: |- + `mode` must be set according to the type of Prometheus installation that stores NetObserv metrics:
+ - Use `Auto` to try configuring automatically. In OpenShift, it uses the Thanos querier from OpenShift Cluster Monitoring
+ - Use `Manual` for a manual setup
+ enum: + - Manual + - Auto + type: string + timeout: + default: 30s + description: |- + `timeout` is the read timeout for console plugin queries to Prometheus. + A timeout of zero means no timeout. + type: string + type: object + type: object + type: object + status: + description: '`FlowCollectorStatus` defines the observed state of FlowCollector' + properties: + conditions: + description: '`conditions` represent the latest available observations + of an object''s state' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + namespace: + description: Namespace where console plugin and flowlogs-pipeline + have been deployed. 
+ type: string + required: + - conditions + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.agent.type + name: Agent + type: string + - jsonPath: .spec.agent.ebpf.sampling + name: Sampling (EBPF) + type: string + - jsonPath: .spec.deploymentModel + name: Deployment Model + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: '`FlowCollector` is the schema for the network flows collection + API, which pilots and configures the underlying deployments.' + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Defines the desired state of the FlowCollector resource. +

+ *: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature + is not officially supported by Red Hat. It might have been, for example, contributed by the community + and accepted without a formal agreement for maintenance. The product maintainers might provide some support + for these features as a best effort only. + properties: + agent: + description: Agent configuration for flows extraction. + properties: + ebpf: + description: |- + `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type` + is set to `eBPF`. + properties: + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the eBPF agent. + This section is aimed mostly for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + scheduling: + description: scheduling controls how the pods are scheduled + on nodes. + properties: + affinity: + description: If specified, the pod's scheduling constraints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. 
The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
+ properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. 
+ If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. 
+ items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels. 
+ For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/. + type: object + x-kubernetes-map-type: atomic + priorityClassName: + description: |- + If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. + If not specified, default priority is used, or zero if there is no default. + type: string + tolerations: + description: |- + `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. 
+ format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + cacheActiveTimeout: + default: 5s + description: |- + `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 100000 + description: |- + `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows. + Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, + however you can expect higher memory consumption and an increased latency in the flow collection. + format: int32 + minimum: 1 + type: integer + excludeInterfaces: + default: + - lo + description: |- + `excludeInterfaces` contains the interface names that are excluded from flow tracing. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + features: + description: |- + List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are:
+ - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting + the kernel debug filesystem, so the eBPF pod has to run as privileged. + If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.
+ - `DNSTracking`: enable the DNS tracking feature.
+ - `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic.
+ items: + description: |- + Agent feature, can be one of:
+ - `PacketDrop`, to track packet drops.
+ - `DNSTracking`, to track specific information on DNS traffic.
+ - `FlowRTT`, to track TCP latency.
+ enum: + - PacketDrop + - DNSTracking + - FlowRTT + type: string + type: array + flowFilter: + description: '`flowFilter` defines the eBPF agent configuration + regarding flow filtering.' + properties: + action: + description: '`action` defines the action to perform on + the flows that match the filter.' + enum: + - Accept + - Reject + type: string + cidr: + description: |- + `cidr` defines the IP CIDR to filter flows by. + Examples: `10.10.10.0/24` or `100:100:100:100::/64` + type: string + destPorts: + anyOf: + - type: integer + - type: string + description: |- + `destPorts` defines the destination ports to filter flows by. + To filter a single port, set a single port as an integer value. For example, `destPorts: 80`. + To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`. + To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. + x-kubernetes-int-or-string: true + direction: + description: '`direction` defines the direction to filter + flows by.' + enum: + - Ingress + - Egress + type: string + enable: + description: Set `enable` to `true` to enable the eBPF + flow filtering feature. + type: boolean + icmpCode: + description: '`icmpCode`, for Internet Control Message + Protocol (ICMP) traffic, defines the ICMP code to filter + flows by.' + type: integer + icmpType: + description: '`icmpType`, for ICMP traffic, defines the + ICMP type to filter flows by.' + type: integer + peerIP: + description: |- + `peerIP` defines the IP address to filter flows by. + Example: `10.10.10.10`. + type: string + ports: + anyOf: + - type: integer + - type: string + description: |- + `ports` defines the ports to filter flows by. It is used both for source and destination ports. + To filter a single port, set a single port as an integer value. For example, `ports: 80`. + To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`. 
+ To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. + x-kubernetes-int-or-string: true + protocol: + description: '`protocol` defines the protocol to filter + flows by.' + enum: + - TCP + - UDP + - ICMP + - ICMPv6 + - SCTP + type: string + sourcePorts: + anyOf: + - type: integer + - type: string + description: |- + `sourcePorts` defines the source ports to filter flows by. + To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`. + To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`. + To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. + x-kubernetes-int-or-string: true + type: object + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + interfaces: + description: |- + `interfaces` contains the interface names from where flows are collected. If empty, the agent + fetches all the interfaces in the system, excepting the ones listed in `excludeInterfaces`. + An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. + Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + kafkaBatchSize: + default: 1048576 + description: '`kafkaBatchSize` limits the maximum size of + a request in bytes before being sent to a partition. Ignored + when not using Kafka. Default: 1MB.' + type: integer + logLevel: + default: info + description: '`logLevel` defines the log level for the NetObserv + eBPF Agent' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + metrics: + description: '`metrics` defines the eBPF agent configuration + regarding metrics.' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. 
+ Possible values are:
+ `NetObservDroppedFlows`, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter is being triggered.
+ items: + description: |- + Name of an eBPF agent alert. + Possible values are:
+ `NetObservDroppedFlows`, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter is being triggered.
+ enum: + - NetObservDroppedFlows + type: string + type: array + enable: + description: Set `enable` to `false` to disable eBPF agent + metrics collection. It is enabled by default. + type: boolean + server: + description: Metrics server endpoint configuration for + the Prometheus scraper. + properties: + port: + description: The metrics server HTTP port. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is + set to `Provided`. + properties: + certFile: + description: '`certFile` defines the path + to the certificate file name within the + config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to + the certificate private key file name within + the config map or secret. Omit when the + key is not necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `Provided`. + properties: + file: + description: File name within the config map + or secret. + type: string + name: + description: Name of the config map or secret + containing the file. 
+ type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: + "configmap" or "secret".' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: |- + Select the type of TLS configuration:
+ - `Disabled` (default) to not configure TLS for the endpoint. + - `Provided` to manually provide cert file and a key file. [Unsupported (*)]. + - `Auto` to use OpenShift auto generated certificate using annotations. + enum: + - Disabled + - Provided + - Auto + type: string + type: object + type: object + type: object + privileged: + description: |- + Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets + granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container. + If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF + is in use, then you can turn on this mode for more global privileges. + Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support. + type: boolean + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources` are the compute resources required by this container. + For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + sampling: + default: 50 + description: Sampling rate of the flow reporter. 100 means + one flow on 100 is sent. 0 or 1 means all flows are sampled. + format: int32 + minimum: 0 + type: integer + type: object + ipfix: + description: |- + `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type` + is set to `IPFIX`. + properties: + cacheActiveTimeout: + default: 20s + description: '`cacheActiveTimeout` is the max period during + which the reporter aggregates flows before sending.' + pattern: ^\d+(ns|ms|s|m)?$ + type: string + cacheMaxFlows: + default: 400 + description: '`cacheMaxFlows` is the max number of flows in + an aggregate; when reached, the reporter sends the flows.' 
+ format: int32 + minimum: 0 + type: integer + clusterNetworkOperator: + description: '`clusterNetworkOperator` defines the settings + related to the OpenShift Cluster Network Operator, when + available.' + properties: + namespace: + default: openshift-network-operator + description: Namespace where the config map is going + to be deployed. + type: string + type: object + forceSampleAll: + default: false + description: |- + `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter. + It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability. + If you REALLY want to do that, set this flag to `true`. Use at your own risk. + When it is set to `true`, the value of `sampling` is ignored. + type: boolean + ovnKubernetes: + description: '`ovnKubernetes` defines the settings of the + OVN-Kubernetes CNI, when available. This configuration is + used when using OVN''s IPFIX exports, without OpenShift. + When using OpenShift, refer to the `clusterNetworkOperator` + property instead.' + properties: + containerName: + default: ovnkube-node + description: '`containerName` defines the name of the + container to configure for IPFIX.' + type: string + daemonSetName: + default: ovnkube-node + description: '`daemonSetName` defines the name of the + DaemonSet controlling the OVN-Kubernetes pods.' + type: string + namespace: + default: ovn-kubernetes + description: Namespace where OVN-Kubernetes pods are deployed. + type: string + type: object + sampling: + default: 400 + description: |- + `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent. + To ensure cluster stability, it is not possible to set a value below 2. + If you really want to sample every packet, which might impact the cluster stability, + refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX. 
+ format: int32 + minimum: 2 + type: integer + type: object + type: + default: eBPF + description: |- + `type` [deprecated (*)] selects the flows tracing agent. Previously, this field allowed to select between `eBPF` or `IPFIX`. + Only `eBPF` is allowed now, so this field is deprecated and is planned for removal in a future version of the API. + enum: + - eBPF + - IPFIX + type: string + type: object + consolePlugin: + description: '`consolePlugin` defines the settings related to the + OpenShift Console plugin, when available.' + properties: + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the console plugin. + This section is aimed mostly for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + args: + description: |- + `args` allows passing custom arguments to underlying components. Useful for overriding + some parameters, such as a URL or a configuration path, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + items: + type: string + type: array + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + port: + default: 9001 + description: '`port` is the plugin service port. Do not use + 9002, which is reserved for metrics.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + register: + default: true + description: |- + `register` allows, when set to `true`, to automatically register the provided console plugin with the OpenShift Console operator. 
+ When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: + `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'` + type: boolean + scheduling: + description: '`scheduling` controls how the pods are scheduled + on nodes.' + properties: + affinity: + description: If specified, the pod's scheduling constraints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels. + For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/. + type: object + x-kubernetes-map-type: atomic + priorityClassName: + description: |- + If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. + If not specified, default priority is used, or zero if there is no default. + type: string + tolerations: + description: |- + `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints. 
+ For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + autoscaler: + description: '`autoscaler` spec of a horizontal pod autoscaler + to set up for the plugin Deployment.' + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' 
+ format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + 
x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: 
int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: Disabled + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `Disabled` does not deploy an horizontal pod autoscaler.
+ - `Enabled` deploys an horizontal pod autoscaler.
+ enum: + - Disabled + - Enabled + type: string + type: object + enable: + default: true + description: Enables the console plugin deployment. + type: boolean + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + logLevel: + default: info + description: '`logLevel` for the console plugin backend' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + portNaming: + default: + enable: true + description: '`portNaming` defines the configuration of the port-to-service + name translation' + properties: + enable: + default: true + description: Enable the console plugin port-to-service name + translation + type: boolean + portNames: + additionalProperties: + type: string + description: |- + `portNames` defines additional port names to use in the console, + for example, `portNames: {"3100": "loki"}`. + type: object + type: object + quickFilters: + default: + - default: true + filter: + flow_layer: '"app"' + name: Applications + - filter: + flow_layer: '"infra"' + name: Infrastructure + - default: true + filter: + dst_kind: '"Pod"' + src_kind: '"Pod"' + name: Pods network + - filter: + dst_kind: '"Service"' + name: Services network + description: '`quickFilters` configures quick filter presets for + the Console plugin' + items: + description: '`QuickFilter` defines preset configuration for + Console''s quick filters' + properties: + default: + description: '`default` defines whether this filter should + be active by default or not' + type: boolean + filter: + additionalProperties: + type: string + description: |- + `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, + for example, `filter: {"src_namespace": "namespace1,namespace2"}`. 
+ type: object + name: + description: Name of the filter, that is displayed in the + Console + type: string + required: + - filter + - name + type: object + type: array + replicas: + default: 1 + description: '`replicas` defines the number of replicas (pods) + to start.' + format: int32 + minimum: 0 + type: integer + resources: + default: + limits: + memory: 100Mi + requests: + cpu: 100m + memory: 50Mi + description: |- + `resources`, in terms of compute resources, required by this container. + For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + deploymentModel: + default: Direct + description: |- + `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:
+ - `Direct` (default) to make the flow processor listen directly from the agents.
+ - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.
+ Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka). + enum: + - Direct + - Kafka + type: string + exporters: + description: '`exporters` define additional optional exporters for + custom consumption or storage.' + items: + description: '`FlowCollectorExporter` defines an additional exporter + to send enriched flows to.' + properties: + ipfix: + description: IPFIX configuration, such as the IP address and + port to send enriched IPFIX flows to. + properties: + targetHost: + default: "" + description: Address of the IPFIX external receiver + type: string + targetPort: + description: Port for the IPFIX external receiver + type: integer + transport: + description: Transport protocol (`TCP` or `UDP`) to be used + for the IPFIX connection, defaults to `TCP`. + enum: + - TCP + - UDP + type: string + required: + - targetHost + - targetPort + type: object + kafka: + description: Kafka configuration, such as the address and topic, + to send enriched flows to. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported + (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or + secret. + type: string + name: + description: Name of the config map or secret containing + the file. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret".' 
+ enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or + secret. + type: string + name: + description: Name of the config map or secret containing + the file. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret".' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: Type of SASL authentication to use, or + `Disabled` if SASL is not used + enum: + - Disabled + - Plain + - ScramSHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, + generally 9093. + properties: + caCert: + description: '`caCert` defines the reference of the + certificate for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret.' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. 
+ If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it + when using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map or + secret.' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the config + map or secret. Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv + does not create it. + type: string + required: + - address + - topic + type: object + type: + description: '`type` selects the type of exporters. The available + options are `Kafka` and `IPFIX`.' 
+ enum: + - Kafka + - IPFIX + type: string + required: + - type + type: object + type: array + kafka: + description: Kafka configuration, allowing to use Kafka as a broker + as part of the flow collection pipeline. Available when the `spec.deploymentModel` + is `Kafka`. + properties: + address: + default: "" + description: Address of the Kafka server + type: string + sasl: + description: SASL authentication configuration. [Unsupported (*)]. + properties: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or secret. + type: string + name: + description: Name of the config map or secret containing + the file. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret".' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or secret. + type: string + name: + description: Name of the config map or secret containing + the file. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret".' 
+ enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: Type of SASL authentication to use, or `Disabled` + if SASL is not used + enum: + - Disabled + - Plain + - ScramSHA512 + type: string + type: object + tls: + description: TLS client configuration. When using TLS, verify + that the address matches the Kafka port used for TLS, generally + 9093. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`.' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate reference + and is used for mTLS (you can ignore it when using one-way + TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' 
+ type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: `configmap` + or `secret`.' + enum: + - configmap + - secret + type: string + type: object + type: object + topic: + default: "" + description: Kafka topic to use. It must exist. NetObserv does + not create it. + type: string + required: + - address + - topic + type: object + loki: + description: '`loki`, the flow store, client settings.' + properties: + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the Loki clients. + This section is aimed mostly for debugging and fine-grained performance optimizations. + properties: + staticLabels: + additionalProperties: + type: string + default: + app: netobserv-flowcollector + description: '`staticLabels` is a map of common labels to + set on each flow in Loki storage.' + type: object + writeMaxBackoff: + default: 5s + description: '`writeMaxBackoff` is the maximum backoff time + for Loki client connection between retries.' + type: string + writeMaxRetries: + default: 2 + description: '`writeMaxRetries` is the maximum number of retries + for Loki client connections.' + format: int32 + minimum: 0 + type: integer + writeMinBackoff: + default: 1s + description: '`writeMinBackoff` is the initial backoff time + for Loki client connection between retries.' 
+ type: string + type: object + enable: + default: true + description: |- + Set `enable` to `true` to store flows in Loki. + The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.prometheus.querier`), or both. + Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, + such as getting per-pod information or viewing raw flows. + If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. + If they are both disabled, the Console plugin is not deployed. + type: boolean + lokiStack: + description: |- + Loki configuration for `LokiStack` mode. This is useful for an easy Loki Operator configuration. + It is ignored for other modes. + properties: + name: + default: loki + description: Name of an existing LokiStack resource to use. + type: string + namespace: + description: Namespace where this `LokiStack` resource is + located. If omitted, it is assumed to be the same as `spec.namespace`. + type: string + type: object + manual: + description: |- + Loki configuration for `Manual` mode. This is the most flexible configuration. + It is ignored for other modes. + properties: + authToken: + default: Disabled + description: |- + `authToken` describes the way to get a token to authenticate to Loki.
+ - `Disabled` does not send any token with the request.
+ - `Forward` forwards the user token for authorization.
+ - `Host` [deprecated (*)] - uses the local pod service account to authenticate to Loki.
+ When using the Loki Operator, this must be set to `Forward`. + enum: + - Disabled + - Host + - Forward + type: string + ingesterUrl: + default: http://loki:3100/ + description: |- + `ingesterUrl` is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator, + set it to the Loki gateway service with the `network` tenant set in path, for example + https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. + type: string + querierUrl: + default: http://loki:3100/ + description: |- + `querierUrl` specifies the address of the Loki querier service. + When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example + https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network. + type: string + statusTls: + description: TLS client configuration for Loki status URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' 
+ enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + type: object + statusUrl: + description: |- + `statusUrl` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the + Loki querier URL. If empty, the `querierUrl` value is used. + This is useful to show error messages and some context in the frontend. + When using the Loki Operator, set it to the Loki HTTP query frontend service, for example + https://loki-query-frontend-http.netobserv.svc:3100/. + `statusTLS` configuration is used when `statusUrl` is set. 
+ type: string + tenantID: + default: netobserv + description: |- + `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request. + When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode. + type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' 
+ type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + type: object + type: object + microservices: + description: |- + Loki configuration for `Microservices` mode. + Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). + It is ignored for other modes. + properties: + ingesterUrl: + default: http://loki-distributor:3100/ + description: '`ingesterUrl` is the address of an existing + Loki ingester service to push the flows to.' + type: string + querierUrl: + default: http://loki-query-frontend:3100/ + description: '`querierURL` specifies the address of the Loki + querier service.' + type: string + tenantID: + default: netobserv + description: '`tenantID` is the Loki `X-Scope-OrgID` header + that identifies the tenant for each request.' + type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' 
+ type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. 
+ type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + type: object + type: object + mode: + default: Monolithic + description: |- + `mode` must be set according to the installation mode of Loki:
+ - Use `LokiStack` when Loki is managed using the Loki Operator
+ - Use `Monolithic` when Loki is installed as a monolithic workload
+ - Use `Microservices` when Loki is installed as microservices, but without Loki Operator
+ - Use `Manual` if none of the options above match your setup
+ enum: + - Manual + - LokiStack + - Monolithic + - Microservices + type: string + monolithic: + description: |- + Loki configuration for `Monolithic` mode. + Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). + It is ignored for other modes. + properties: + tenantID: + default: netobserv + description: '`tenantID` is the Loki `X-Scope-OrgID` header + that identifies the tenant for each request.' + type: string + tls: + description: TLS client configuration for Loki URL. + properties: + caCert: + description: '`caCert` defines the reference of the certificate + for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. 
+ type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it when + using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the certificate + file name within the config map or secret.' + type: string + certKey: + description: '`certKey` defines the path to the certificate + private key file name within the config map or secret. + Omit when the key is not necessary.' + type: string + name: + description: Name of the config map or secret containing + certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + type: object + url: + default: http://loki:3100/ + description: '`url` is the unique address of an existing Loki + service that points to both the ingester and the querier.' + type: string + type: object + readTimeout: + default: 30s + description: |- + `readTimeout` is the maximum console plugin loki query total time limit. + A timeout of zero means no timeout. + type: string + writeBatchSize: + default: 102400 + description: '`writeBatchSize` is the maximum batch size (in bytes) + of Loki logs to accumulate before sending.' + format: int64 + minimum: 1 + type: integer + writeBatchWait: + default: 1s + description: '`writeBatchWait` is the maximum time to wait before + sending a Loki batch.' + type: string + writeTimeout: + default: 10s + description: |- + `writeTimeout` is the maximum Loki time connection / request limit. + A timeout of zero means no timeout. 
+ type: string + type: object + namespace: + default: netobserv + description: Namespace where NetObserv pods are deployed. + type: string + processor: + description: |- + `processor` defines the settings of the component that receives the flows from the agent, + enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter. + properties: + addZone: + description: |- + `addZone` allows availability zone awareness by labelling flows with their source and destination zones. + This feature requires the "topology.kubernetes.io/zone" label to be set on nodes. + type: boolean + advanced: + description: |- + `advanced` allows setting some aspects of the internal configuration of the flow processor. + This section is aimed mostly for debugging and fine-grained performance optimizations, + such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk. + properties: + conversationEndTimeout: + default: 10s + description: |- + `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended. + This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead). + type: string + conversationHeartbeatInterval: + default: 30s + description: '`conversationHeartbeatInterval` is the time + to wait between "tick" events of a conversation' + type: string + conversationTerminatingTimeout: + default: 5s + description: '`conversationTerminatingTimeout` is the time + to wait from detected FIN flag to end a conversation. Only + relevant for TCP flows.' + type: string + dropUnusedFields: + default: true + description: '`dropUnusedFields` [deprecated (*)] this setting + is not used anymore.' 
+ type: boolean + enableKubeProbes: + default: true + description: '`enableKubeProbes` is a flag to enable or disable + Kubernetes liveness and readiness probes' + type: boolean + env: + additionalProperties: + type: string + description: |- + `env` allows passing custom environment variables to underlying components. Useful for passing + some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be + publicly exposed as part of the FlowCollector descriptor, as they are only useful + in edge debug or support scenarios. + type: object + healthPort: + default: 8080 + description: '`healthPort` is a collector HTTP port in the + Pod that exposes the health check API' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + port: + default: 2055 + description: |- + Port of the flow collector (host port). + By convention, some values are forbidden. It must be greater than 1024 and different from + 4500, 4789 and 6081. + format: int32 + maximum: 65535 + minimum: 1025 + type: integer + profilePort: + default: 6060 + description: '`profilePort` allows setting up a Go pprof profiler + listening to this port' + format: int32 + maximum: 65535 + minimum: 0 + type: integer + scheduling: + description: scheduling controls how the pods are scheduled + on nodes. + properties: + affinity: + description: If specified, the pod's scheduling constraints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. 
+ If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. 
+ items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels. 
+ For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/. + type: object + x-kubernetes-map-type: atomic + priorityClassName: + description: |- + If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption. + If not specified, default priority is used, or zero if there is no default. + type: string + tolerations: + description: |- + `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints. + For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. 
+ format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + clusterName: + default: "" + description: '`clusterName` is the name of the cluster to appear + in the flows data. This is useful in a multi-cluster context. + When using OpenShift, leave empty to make it automatically determined.' + type: string + imagePullPolicy: + default: IfNotPresent + description: '`imagePullPolicy` is the Kubernetes pull policy + for the image defined above' + enum: + - IfNotPresent + - Always + - Never + type: string + kafkaConsumerAutoscaler: + description: |- + `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + properties: + maxReplicas: + default: 3 + description: '`maxReplicas` is the upper limit for the number + of pods that can be set by the autoscaler; cannot be smaller + than MinReplicas.' + format: int32 + type: integer + metrics: + description: Metrics used by the pod autoscaler. 
For documentation, + refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ + items: + properties: + containerResource: + properties: + container: + type: string + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + 
type: object + object: + properties: + describedObject: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + properties: + metric: + properties: + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + properties: + name: + type: string + target: + properties: + averageUtilization: + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + type: string + value: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + description: |- + `minReplicas` is the lower limit for the number of replicas to which the autoscaler + can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + alpha feature gate HPAScaleToZero is enabled and at least one Object or External + metric is configured. Scaling is active as long as at least one metric value is + available. + format: int32 + type: integer + status: + default: Disabled + description: |- + `status` describes the desired status regarding deploying an horizontal pod autoscaler.
+ - `Disabled` does not deploy an horizontal pod autoscaler.
+ - `Enabled` deploys an horizontal pod autoscaler.
+ enum: + - Disabled + - Enabled + type: string + type: object + kafkaConsumerBatchSize: + default: 10485760 + description: '`kafkaConsumerBatchSize` indicates to the broker + the maximum batch size, in bytes, that the consumer accepts. + Ignored when not using Kafka. Default: 10MB.' + type: integer + kafkaConsumerQueueCapacity: + default: 1000 + description: '`kafkaConsumerQueueCapacity` defines the capacity + of the internal message queue used in the Kafka consumer client. + Ignored when not using Kafka.' + type: integer + kafkaConsumerReplicas: + default: 3 + description: |- + `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages. + This setting is ignored when Kafka is disabled. + format: int32 + minimum: 0 + type: integer + logLevel: + default: info + description: '`logLevel` of the processor runtime' + enum: + - trace + - debug + - info + - warn + - error + - fatal + - panic + type: string + logTypes: + default: Flows + description: |- + `logTypes` defines the desired record types to generate. Possible values are:
+ - `Flows` (default) to export regular network flows
+ - `Conversations` to generate events for started conversations, ended conversations as well as periodic "tick" updates
+ - `EndedConversations` to generate only ended conversations events
+ - `All` to generate both network flows and all conversations events
+ enum: + - Flows + - Conversations + - EndedConversations + - All + type: string + metrics: + description: '`Metrics` define the processor configuration regarding + metrics' + properties: + disableAlerts: + description: |- + `disableAlerts` is a list of alerts that should be disabled. + Possible values are:
+ `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ items: + description: |- + Name of a processor alert. + Possible values are:
+ - `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period.
+ - `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors.
+ enum: + - NetObservNoFlows + - NetObservLokiError + type: string + type: array + includeList: + description: |- + `includeList` is a list of metric names to specify which ones to generate. + The names correspond to the names in Prometheus without the prefix. For example, + `namespace_egress_packets_total` shows up as `netobserv_namespace_egress_packets_total` in Prometheus. + Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. + Metrics enabled by default are: + `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled), + `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled). + More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md + items: + description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md. 
+ enum: + - namespace_egress_bytes_total + - namespace_egress_packets_total + - namespace_ingress_bytes_total + - namespace_ingress_packets_total + - namespace_flows_total + - node_egress_bytes_total + - node_egress_packets_total + - node_ingress_bytes_total + - node_ingress_packets_total + - node_flows_total + - workload_egress_bytes_total + - workload_egress_packets_total + - workload_ingress_bytes_total + - workload_ingress_packets_total + - workload_flows_total + - namespace_drop_bytes_total + - namespace_drop_packets_total + - node_drop_bytes_total + - node_drop_packets_total + - workload_drop_bytes_total + - workload_drop_packets_total + - namespace_rtt_seconds + - node_rtt_seconds + - workload_rtt_seconds + - namespace_dns_latency_seconds + - node_dns_latency_seconds + - workload_dns_latency_seconds + type: string + type: array + server: + description: Metrics server endpoint configuration for Prometheus + scraper + properties: + port: + description: The metrics server HTTP port. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: TLS configuration. + properties: + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the provided certificate. + If set to `true`, the `providedCaFile` field is ignored. + type: boolean + provided: + description: TLS configuration when `type` is set + to `Provided`. + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret.' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. 
If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + providedCaFile: + description: Reference to the CA file when `type` + is set to `Provided`. + properties: + file: + description: File name within the config map or + secret. + type: string + name: + description: Name of the config map or secret + containing the file. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret".' + enum: + - configmap + - secret + type: string + type: object + type: + default: Disabled + description: |- + Select the type of TLS configuration:
+ - `Disabled` (default) to not configure TLS for the endpoint. + - `Provided` to manually provide cert file and a key file. [Unsupported (*)]. + - `Auto` to use OpenShift auto generated certificate using annotations. + enum: + - Disabled + - Provided + - Auto + type: string + type: object + type: object + type: object + multiClusterDeployment: + default: false + description: Set `multiClusterDeployment` to `true` to enable + multi clusters feature. This adds `clusterName` label to flows + data + type: boolean + resources: + default: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 100Mi + description: |- + `resources` are the compute resources required by this container. + For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + subnetLabels: + description: |- + `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift, which is used to identify cluster external traffic. + When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`. + properties: + customLabels: + description: |- + `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. + If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap. + items: + description: SubnetLabel allows to label subnets and IPs, + such as to identify cluster-external workloads or web + services. + properties: + cidrs: + description: List of CIDRs, such as `["1.2.3.4/32"]`. + items: + type: string + type: array + name: + description: Label name, used to flag matching flows. + type: string + type: object + type: array + openShiftAutoDetect: + description: |- + `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the + OpenShift install configuration and the Cluster Network Operator configuration. 
Indirectly, this is a way to accurately detect + external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on OpenShift. + type: boolean + type: object + type: object + prometheus: + description: '`prometheus` defines Prometheus settings, such as querier + configuration used to fetch metrics from the Console plugin.' + properties: + querier: + description: Prometheus querying configuration, such as client + settings, used in the Console plugin. + properties: + enable: + description: |- + When `enable` is `true`, the Console plugin queries flow metrics from Prometheus instead of Loki whenever possible. + It is enbaled by default: set it to `false` to disable this feature. + The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.loki`), or both. + Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well, + such as getting per-pod information or viewing raw flows. + If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle. + If they are both disabled, the Console plugin is not deployed. + type: boolean + manual: + description: Prometheus configuration for `Manual` mode. + properties: + forwardUserToken: + description: Set `true` to forward logged in user token + in queries to Prometheus + type: boolean + tls: + description: TLS client configuration for Prometheus URL. + properties: + caCert: + description: '`caCert` defines the reference of the + certificate for the Certificate Authority' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret.' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' 
+ type: string + name: + description: Name of the config map or secret + containing certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' + enum: + - configmap + - secret + type: string + type: object + enable: + default: false + description: Enable TLS + type: boolean + insecureSkipVerify: + default: false + description: |- + `insecureSkipVerify` allows skipping client-side verification of the server certificate. + If set to `true`, the `caCert` field is ignored. + type: boolean + userCert: + description: '`userCert` defines the user certificate + reference and is used for mTLS (you can ignore it + when using one-way TLS)' + properties: + certFile: + description: '`certFile` defines the path to the + certificate file name within the config map + or secret.' + type: string + certKey: + description: '`certKey` defines the path to the + certificate private key file name within the + config map or secret. Omit when the key is not + necessary.' + type: string + name: + description: Name of the config map or secret + containing certificates. + type: string + namespace: + default: "" + description: |- + Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed. + If the namespace is different, the config map or the secret is copied so that it can be mounted as required. + type: string + type: + description: 'Type for the certificate reference: + `configmap` or `secret`.' 
+ enum: + - configmap + - secret + type: string + type: object + type: object + url: + default: http://prometheus:9090 + description: '`url` is the address of an existing Prometheus + service to use for querying metrics.' + type: string + type: object + mode: + default: Auto + description: |- + `mode` must be set according to the type of Prometheus installation that stores NetObserv metrics:
+ - Use `Auto` to try configuring automatically. In OpenShift, it uses the Thanos querier from OpenShift Cluster Monitoring
+ - Use `Manual` for a manual setup
+ enum: + - Manual + - Auto + type: string + timeout: + default: 30s + description: |- + `timeout` is the read timeout for console plugin queries to Prometheus. + A timeout of zero means no timeout. + type: string + type: object + type: object + type: object + status: + description: '`FlowCollectorStatus` defines the observed state of FlowCollector' + properties: + conditions: + description: '`conditions` represent the latest available observations + of an object''s state' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + namespace: + description: |- + Namespace where console plugin and flowlogs-pipeline have been deployed. + Deprecated: annotations are used instead + type: string + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null \ No newline at end of file 
diff --git a/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml b/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml
new file mode 100644
index 0000000000..132fcf4e73
--- /dev/null
+++ b/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml
@@ -0,0 +1,320 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + creationTimestamp: null + name: flowmetrics.flows.netobserv.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: netobserv-webhook-service + namespace: netobserv + path: /convert + conversionReviewVersions: + - v1 + group: flows.netobserv.io + names: + kind: FlowMetric + listKind: FlowMetricList + plural: flowmetrics + singular: flowmetric + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.metricName + name: Metric Name + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="CardinalityOK")].reason + name: Cardinality + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: FlowMetric is the API allowing to create custom metrics from + the collected flow logs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + FlowMetricSpec defines the desired state of FlowMetric + The provided API allows you to customize these metrics according to your needs.
+ When adding new metrics or modifying existing labels, you must carefully monitor the memory + usage of Prometheus workloads as this could potentially have a high impact. Cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric
+ To check the cardinality of all NetObserv metrics, run as `promql`: `count({__name__=~"netobserv.*"}) by (__name__)`. + properties: + buckets: + description: A list of buckets to use when `type` is "Histogram". + The list must be parsable as floats. When not set, Prometheus default + buckets are used. + items: + type: string + type: array + charts: + description: Charts configuration, for the OpenShift Console in the + administrator view, Dashboards menu. + items: + description: Configures charts / dashboard generation associated + to a metric + properties: + dashboardName: + default: Main + description: Name of the containing dashboard. If this name + does not refer to an existing dashboard, a new dashboard is + created. + type: string + queries: + description: |- + List of queries to be displayed on this chart. If `type` is `SingleStat` and multiple queries are provided, + this chart is automatically expanded in several panels (one per query). + items: + description: Configures PromQL queries + properties: + legend: + description: |- + The query legend that applies to each timeseries represented in this chart. When multiple timeseries are displayed, you should set a legend + that distinguishes each of them. It can be done with the following format: `{{ Label }}`. For example, if the `promQL` groups timeseries per + label such as: `sum(rate($METRIC[2m])) by (Label1, Label2)`, you may write as the legend: `Label1={{ Label1 }}, Label2={{ Label2 }}`. + type: string + promQL: + description: |- + The `promQL` query to be run against Prometheus. If the chart `type` is `SingleStat`, this query should only return + a single timeseries. For other types, a top 7 is displayed. + You can use `$METRIC` to refer to the metric defined in this resource. For example: `sum(rate($METRIC[2m]))`. 
+ To learn more about `promQL`, refer to the Prometheus documentation: https://prometheus.io/docs/prometheus/latest/querying/basics/ + type: string + top: + default: 7 + description: Top N series to display per timestamp. Does + not apply to `SingleStat` chart type. + minimum: 1 + type: integer + required: + - legend + - promQL + - top + type: object + type: array + sectionName: + description: |- + Name of the containing dashboard section. If this name does not refer to an existing section, a new section is created. + If `sectionName` is omitted or empty, the chart is placed in the global top section. + type: string + title: + description: Title of the chart. + type: string + type: + description: Type of the chart. + enum: + - SingleStat + - Line + - StackArea + type: string + unit: + description: Unit of this chart. Only a few units are currently + supported. Leave empty to use generic number. + enum: + - bytes + - seconds + - Bps + - pps + - percent + - "" + type: string + required: + - dashboardName + - queries + - title + - type + type: object + type: array + direction: + default: Any + description: |- + Filter for ingress, egress or any direction flows. + When set to `Ingress`, it is equivalent to adding the regular expression filter on `FlowDirection`: `0|2`. + When set to `Egress`, it is equivalent to adding the regular expression filter on `FlowDirection`: `1|2`. + enum: + - Any + - Egress + - Ingress + type: string + divider: + description: When nonzero, scale factor (divider) of the value. Metric + value = Flow value / Divider. + type: string + filters: + description: |- + `filters` is a list of fields and values used to restrict which flows are taken into account. Oftentimes, these filters must + be used to eliminate duplicates: `Duplicate != "true"` and `FlowDirection = "0"`. 
+ Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html. + items: + properties: + field: + description: Name of the field to filter on + type: string + matchType: + default: Equal + description: Type of matching to apply + enum: + - Equal + - NotEqual + - Presence + - Absence + - MatchRegex + - NotMatchRegex + type: string + value: + description: Value to filter on. When `matchType` is `Equal` + or `NotEqual`, you can use field injection with `$(SomeField)` + to refer to any other field of the flow. + type: string + required: + - field + - matchType + type: object + type: array + labels: + description: |- + `labels` is a list of fields that should be used as Prometheus labels, also known as dimensions. + From choosing labels results the level of granularity of this metric, and the available aggregations at query time. + It must be done carefully as it impacts the metric cardinality (cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric). + In general, avoid setting very high cardinality labels such as IP or MAC addresses. + "SrcK8S_OwnerName" or "DstK8S_OwnerName" should be preferred over "SrcK8S_Name" or "DstK8S_Name" as much as possible. + Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html. + items: + type: string + type: array + metricName: + description: Name of the metric. In Prometheus, it is automatically + prefixed with "netobserv_". + type: string + type: + description: |- + Metric type: "Counter" or "Histogram". + Use "Counter" for any value that increases over time and on which you can compute a rate, such as Bytes or Packets. + Use "Histogram" for any value that must be sampled independently, such as latencies. 
+ enum: + - Counter + - Histogram + type: string + valueField: + description: |- + `valueField` is the flow field that must be used as a value for this metric. This field must hold numeric values. + Leave empty to count flows rather than a specific value per flow. + Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html. + type: string + required: + - metricName + - type + type: object + status: + description: FlowMetricStatus defines the observed state of FlowMetric + properties: + conditions: + description: '`conditions` represent the latest available observations + of an object''s state' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null \ No newline at end of file 
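Review bot: `spec.conversion.webhook.clientConfig.service.namespace` is hard-coded to `netobserv` in a Helm template, so a release installed into any other namespace registers a conversion webhook that points at a service which does not exist there; in a chart this should read `namespace: {{ .Release.Namespace }}`. The same `clientConfig` carries no `caBundle`, and no CA-injection annotation is present in `metadata.annotations`, so the API server has nothing to verify the webhook's serving certificate against once a conversion is actually invoked — with only `v1alpha1` served that path is not exercised yet, but it will be the moment a second version is added. If the flowcollectors CRD earlier in this series uses the same conversion stanza (its start is outside this view), the same two points apply there. `creationTimestamp: null` and the trailing `status:` block are controller-gen artifacts that are harmless but not something a chart needs to ship.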
diff --git a/helm/netobserv/templates/netobserv-manager-config_v1_configmap.yaml b/helm/netobserv/templates/netobserv-manager-config_v1_configmap.yaml
new file mode 100644
index 0000000000..bf94ef2fe7
--- /dev/null
+++ b/helm/netobserv/templates/netobserv-manager-config_v1_configmap.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: 7a7ecdcd.netobserv.io
+kind: ConfigMap
+metadata:
+ labels:
+ app: netobserv-operator
+ name: netobserv-manager-config
\ No newline at end of file
diff --git a/helm/netobserv/templates/netobserv-metrics-service_v1_service.yaml b/helm/netobserv/templates/netobserv-metrics-service_v1_service.yaml
new file mode 100644
index 0000000000..fbcde347e6
--- /dev/null
+++ b/helm/netobserv/templates/netobserv-metrics-service_v1_service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: manager-metrics-tls
+ creationTimestamp: null
+ labels:
+ control-plane: controller-manager
+ name: netobserv-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+status:
+ loadBalancer: {}
\ No newline at end of file
diff --git a/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml b/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml
new file mode 100644
index 0000000000..a4fb9ccec2
--- /dev/null
+++ b/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml
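Review bot: The `service.beta.openshift.io/serving-cert-secret-name: manager-metrics-tls` annotation on `netobserv-metrics-service` is only acted on by the OpenShift service-CA operator; on any other cluster nothing creates `manager-metrics-tls`, so if the operator deployment mounts that secret the pod never leaves ContainerCreating, and if it does not, the `https`/`8443` port advertised here has no certificate behind it. Gate the annotation behind a chart value, or document that the metrics endpoint is only served over TLS on OpenShift. Port `8443` with `targetPort: https` also implies a TLS listener in front of the manager, whereas the ConfigMap in the preceding hunk binds metrics to `127.0.0.1:8080`; presumably a proxy sidecar in the deployment bridges the two, but that is not visible in this hunk.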
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/created-by: netobserv-operator + app.kubernetes.io/instance: webhook-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: netobserv-operator + name: netobserv-webhook-service +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager +status: + loadBalancer: {} \ No newline at end of file diff --git a/helm/netobserv/templates/role.yaml b/helm/netobserv/templates/role.yaml new file mode 100644 index 0000000000..d8fe1626c8 --- /dev/null +++ b/helm/netobserv/templates/role.yaml @@ -0,0 +1,37 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +serviceAccountName: netobserv-controller-manager \ No newline at end of file diff --git a/helm/netobserv/values.yaml b/helm/netobserv/values.yaml new file mode 100644 index 0000000000..e69de29bb2 From 35dd089b197646041307afbb688512cf1b9666ab Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:26:47 +0530 Subject: [PATCH 02/12] Update helm/netobserv/templates/clusterRole.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/templates/clusterRole.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/helm/netobserv/templates/clusterRole.yaml b/helm/netobserv/templates/clusterRole.yaml index 0ce7ac7b48..1af1ad2d00 100644 --- a/helm/netobserv/templates/clusterRole.yaml 
+++ b/helm/netobserv/templates/clusterRole.yaml @@ -211,5 +211,4 @@ rules: resources: - subjectaccessreviews verbs: - - create -serviceAccountName: netobserv-controller-manager \ No newline at end of file + - create \ No newline at end of file From f6731043ad530c69596090d9e5a7804d33462465 Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:30:26 +0530 Subject: [PATCH 03/12] Update helm/netobserv/templates/deployment.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/netobserv/templates/deployment.yaml b/helm/netobserv/templates/deployment.yaml index 7a04ebc3c3..db0c9e4375 100644 --- a/helm/netobserv/templates/deployment.yaml +++ b/helm/netobserv/templates/deployment.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: wnetobserv-controller-manager + name: netobserv-controller-manager labels: app: netobserv-operator control-plane: controller-manager From 2b6c30f93ed6b4d0b2306693e1965b16eb861fc6 Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:31:29 +0530 Subject: [PATCH 04/12] Update helm/netobserv/templates/deployment.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/templates/deployment.yaml | 25 ------------------------ 1 file changed, 25 deletions(-) diff --git a/helm/netobserv/templates/deployment.yaml b/helm/netobserv/templates/deployment.yaml index db0c9e4375..c3dfecb32f 100644 --- a/helm/netobserv/templates/deployment.yaml +++ b/helm/netobserv/templates/deployment.yaml 
@@ -75,31 +75,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - - --http2-disable - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true securityContext: runAsNonRoot: true serviceAccountName: netobserv-controller-manager From 484ec51ac0f0a03fe7b52f61c870e5b1e16e5cb6 Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:31:53 +0530 Subject: [PATCH 05/12] Update helm/netobserv/templates/deployment.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/templates/deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/helm/netobserv/templates/deployment.yaml b/helm/netobserv/templates/deployment.yaml index c3dfecb32f..812c05a7db 100644 --- a/helm/netobserv/templates/deployment.yaml +++ b/helm/netobserv/templates/deployment.yaml @@ -77,7 +77,6 @@ spec: readOnly: true securityContext: runAsNonRoot: true - serviceAccountName: netobserv-controller-manager terminationGracePeriodSeconds: 10 volumes: - name: cert From 28b2b2961e2abe551dbf5a32655e5dcd60b6bf87 Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:32:09 +0530 Subject: [PATCH 06/12] Update helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml b/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml index 132fcf4e73..67f1bdfa49 100644 --- a/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml +++ b/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml @@ -95,8 +95,9 @@ spec: legend: description: |- The query legend that applies to each timeseries represented in this chart. When multiple timeseries are displayed, you should set a legend - that distinguishes each of them. It can be done with the following format: `{{ Label }}`. For example, if the `promQL` groups timeseries per - label such as: `sum(rate($METRIC[2m])) by (Label1, Label2)`, you may write as the legend: `Label1={{ Label1 }}, Label2={{ Label2 }}`. + that distinguishes each of them. It can be done with the following format: {{`{{ Label }}`}}. For example, if the `promQL` groups timeseries per + label such as: `sum(rate($METRIC[2m])) by (Label1, Label2)`, you may write as the legend: {{`Label1={{ Label1 }}, Label2={{ Label2 }}`}}. + type: string promQL: description: |- From b9ddece354d6b15654c6bf09fc3c8423668c706a Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:32:19 +0530 Subject: [PATCH 07/12] Update helm/netobserv/templates/role.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/templates/role.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/helm/netobserv/templates/role.yaml b/helm/netobserv/templates/role.yaml index d8fe1626c8..b6e06d4afe 100644 --- a/helm/netobserv/templates/role.yaml +++ b/helm/netobserv/templates/role.yaml @@ -33,5 +33,4 @@ rules: - events verbs: - create - - patch -serviceAccountName: netobserv-controller-manager \ No newline at end of file + - patch \ No newline at end of file From d968bcd9cc7b70cfd04de72d50cd84f1328179d3 Mon Sep 17 00:00:00 2001 
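Review bot: Wrapping the two `{{ Label }}` examples in `{{`...`}}` is the right fix for Helm's template pass, but it treats a symptom: any other literal `{{` in this generated CRD, or in the 8394-line flowcollectors CRD outside this hunk, breaks `helm template` the same way, so the CRD regeneration step should grep for `{{` (or the chart should place the CRDs in Helm's `crds/` directory, which is installed without templating, at the cost of losing any templating inside those files). A short comment above the `legend` description, e.g. `# {{ }} below is escaped for Helm; keep escaping when regenerating`, would stop the next regeneration from silently reverting it. The added empty `+` line between the description and `type: string` looks accidental and can go.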
From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:32:30 +0530 Subject: [PATCH 08/12] Update helm/netobserv/Chart.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/netobserv/Chart.yaml b/helm/netobserv/Chart.yaml index 25cd2cb7a7..305f27770f 100644 --- a/helm/netobserv/Chart.yaml +++ b/helm/netobserv/Chart.yaml @@ -21,4 +21,4 @@ version: 1.0.0 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.6.1" +appVersion: "1.6.2-community" From 64a45e4a6158c1f4d0a87380438257662661fcbf Mon Sep 17 00:00:00 2001 From: Rakesh Bajpayee <153479979+Helion55@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:33:02 +0530 Subject: [PATCH 09/12] Update helm/netobserv/Chart.yaml Co-authored-by: Joel Takvorian --- helm/netobserv/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/netobserv/Chart.yaml b/helm/netobserv/Chart.yaml index 305f27770f..93f842472c 100644 --- a/helm/netobserv/Chart.yaml +++ b/helm/netobserv/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.0 +version: 0.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From 57f37257f061547924349c89a63ad0bdb933c506 Mon Sep 17 00:00:00 2001 
From: Joel Takvorian Date: Mon, 27 Jan 2025 11:41:30 +0100 Subject: [PATCH 10/12] Partially revert last commit, add certificate --- helm/netobserv/templates/certificate.yaml | 21 ++ helm/netobserv/templates/clusterRole.yaml | 214 ------------------ helm/netobserv/templates/deployment.yaml | 108 ++++----- .../flows.netobserv.io_flowcollectors.yaml | 2 +- .../flows.netobserv.io_flowmetrics.yaml | 2 +- .../netobserv-webhook-service_v1_service.yaml | 9 +- helm/netobserv/templates/role.yaml | 36 --- 7 files changed, 78 insertions(+), 314 deletions(-) create mode 100644 helm/netobserv/templates/certificate.yaml delete mode 100644 helm/netobserv/templates/clusterRole.yaml delete mode 100644 helm/netobserv/templates/role.yaml diff --git a/helm/netobserv/templates/certificate.yaml b/helm/netobserv/templates/certificate.yaml new file mode 100644 index 0000000000..64493b6327 --- /dev/null +++ b/helm/netobserv/templates/certificate.yaml @@ -0,0 +1,21 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: serving-cert +spec: + dnsNames: + - netobserv-webhook-service.{{ .Release.Namespace }}.svc + - netobserv-webhook-service.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: webhook-server-cert diff --git a/helm/netobserv/templates/clusterRole.yaml b/helm/netobserv/templates/clusterRole.yaml deleted file mode 100644 index 1af1ad2d00..0000000000 --- a/helm/netobserv/templates/clusterRole.yaml +++ /dev/null 
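Review bot: The new certificate.yaml makes cert-manager a hard prerequisite (`apiVersion: cert-manager.io/v1` Issuer and Certificate) but nothing in the chart states or checks it: on a cluster without the cert-manager CRDs the install fails on an unknown kind, and the `webhook-server-cert` secret mounted by the deployment is never produced. Either say so where an installer looks, e.g. `# Requires cert-manager (https://cert-manager.io) to be installed before this chart` at the top of this file and in the Chart.yaml description, or guard the documents with `{{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}` so the failure mode is explicit rather than a generic API error. The `dnsNames` correctly match the `netobserv-webhook-service` Service name from PATCH 01; whether the CRDs' CA injection references the same `{{ .Release.Namespace }}` is outside this hunk.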
@@ -1,214 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cluterRole -rules: -- nonResourceURLs: - - /metrics - verbs: - - get -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - daemonsets - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - config.openshift.io - resources: - - clusterversions - - networks - verbs: - - get - - list - - watch -- apiGroups: - - console.openshift.io - resources: - - consoleplugins - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - secrets - - serviceaccounts - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps - - nodes - - pods - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - flows.netobserv.io - resources: - - flowcollectors - - flowmetrics - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - flows.netobserv.io - resources: - - flowcollectors/finalizers - verbs: - - update -- apiGroups: - - flows.netobserv.io - resources: - - flowcollectors/status - - flowmetrics/status - verbs: - - get - - patch - - update -- apiGroups: - - loki.grafana.com - resourceNames: - - logs - resources: - - network - verbs: - - create - - get -- apiGroups: - - monitoring.coreos.com - resources: - - prometheusrules - - 
servicemonitors - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.openshift.io - resources: - - consoles - verbs: - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - create - - list - - update - - watch -- apiGroups: - - security.openshift.io - resourceNames: - - hostnetwork - resources: - - securitycontextconstraints - verbs: - - use -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create \ No newline at end of file diff --git a/helm/netobserv/templates/deployment.yaml b/helm/netobserv/templates/deployment.yaml index 812c05a7db..ae3c8a0058 100644 --- a/helm/netobserv/templates/deployment.yaml +++ b/helm/netobserv/templates/deployment.yaml 
@@ -28,58 +28,58 @@ spec: - --console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN) - --downstream-deployment=$(DOWNSTREAM_DEPLOYMENT) - --profiling-bind-address=$(PROFILING_BIND_ADDRESS) - command: - - /manager - env: - - name: RELATED_IMAGE_EBPF_AGENT - value: quay.io/netobserv/netobserv-ebpf-agent:v1.6.2-community - - name: RELATED_IMAGE_FLOWLOGS_PIPELINE - value: quay.io/netobserv/flowlogs-pipeline:v1.6.2-community - - name: RELATED_IMAGE_CONSOLE_PLUGIN - value: quay.io/netobserv/network-observability-console-plugin:v1.6.2-community - - name: DOWNSTREAM_DEPLOYMENT - value: "false" - - name: PROFILING_BIND_ADDRESS - image: quay.io/netobserv/network-observability-operator:1.6.2-community - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - memory: 400Mi - requests: - cpu: 100m - memory: 100Mi + command: + - /manager + env: + - name: RELATED_IMAGE_EBPF_AGENT + value: quay.io/netobserv/netobserv-ebpf-agent:v1.6.2-community + - name: RELATED_IMAGE_FLOWLOGS_PIPELINE + value: quay.io/netobserv/flowlogs-pipeline:v1.6.2-community + - name: RELATED_IMAGE_CONSOLE_PLUGIN + value: quay.io/netobserv/network-observability-console-plugin:v1.6.2-community + - name: DOWNSTREAM_DEPLOYMENT + value: "false" + - name: PROFILING_BIND_ADDRESS + image: quay.io/netobserv/network-observability-operator:1.6.2-community + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 400Mi + requests: + cpu: 100m + 
memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - securityContext: - runAsNonRoot: true - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert \ No newline at end of file + runAsNonRoot: true + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert diff --git a/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml b/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml index 2c301ee3b1..356d6f5f22 100644 --- a/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml +++ b/helm/netobserv/templates/flows.netobserv.io_flowcollectors.yaml @@ -12,7 +12,7 @@ spec: clientConfig: service: name: netobserv-webhook-service - namespace: netobserv + namespace: {{ .Release.Namespace }} path: /convert conversionReviewVersions: - v1 diff --git a/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml b/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml index 67f1bdfa49..11b25a55ce 100644 --- a/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml +++ b/helm/netobserv/templates/flows.netobserv.io_flowmetrics.yaml @@ -12,7 +12,7 @@ spec: clientConfig: service: name: netobserv-webhook-service - namespace: netobserv + namespace: {{ .Release.Namespace }} path: /convert conversionReviewVersions: - v1 diff --git a/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml b/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml index a4fb9ccec2..24e1c41b14 100644 
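Review bot: After this hunk the pod exposes only `containerPort: 9443` (`webhook-server`), yet `netobserv-metrics-service` from PATCH 01 still routes port 8443 to `targetPort: https`, the port of the kube-rbac-proxy sidecar deleted in PATCH 04, while the ConfigMap binds metrics to loopback `127.0.0.1:8080`; unless the part of the file above line 28 declares another container with an `https` port, the metrics Service has no endpoint (metrics are unreachable rather than exposed unauthenticated) and should be dropped or repointed. The four `1.6.2-community` image tags duplicate Chart.yaml's `appVersion` and will drift on the next bump; `image: quay.io/netobserv/network-observability-operator:{{ .Chart.AppVersion }}` and `v{{ .Chart.AppVersion }}` for the three `RELATED_IMAGE_*` values keep one source of truth (note the related images carry a `v` prefix and the operator image does not). The container `securityContext` drops all capabilities and forbids privilege escalation but no `seccompProfile` is set; adding `seccompProfile: {type: RuntimeDefault}` beside `runAsNonRoot: true` in the pod `securityContext` is what the restricted Pod Security Standard additionally requires. The enclosing container spec starts above line 28, outside the hunk.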
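Review bot: Templating `namespace: {{ .Release.Namespace }}` in the conversion webhook `clientConfig.service` is only half the change if the CRD also carries a cert-manager `cert-manager.io/inject-ca-from: <namespace>/serving-cert` annotation in its metadata (outside this hunk): that value is a namespace/name pair and must become `{{ .Release.Namespace }}/serving-cert` as well, otherwise the API server keeps a missing or stale `caBundle` and conversion calls fail TLS verification. The same applies to the flowmetrics CRD hunk that follows. Quoting the templated value, `namespace: "{{ .Release.Namespace }}"`, is the conventional defensive style even though a DNS-1123 namespace cannot be mis-typed by the YAML parser.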
--- a/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml +++ b/helm/netobserv/templates/netobserv-webhook-service_v1_service.yaml @@ -2,13 +2,6 @@ apiVersion: v1 kind: Service metadata: creationTimestamp: null - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: netobserv-operator - app.kubernetes.io/instance: webhook-service - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: netobserv-operator name: netobserv-webhook-service spec: ports: @@ -18,4 +11,4 @@ spec: selector: control-plane: controller-manager status: - loadBalancer: {} \ No newline at end of file + loadBalancer: {} diff --git a/helm/netobserv/templates/role.yaml b/helm/netobserv/templates/role.yaml deleted file mode 100644 index b6e06d4afe..0000000000 --- a/helm/netobserv/templates/role.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: role -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch \ No newline at end of file From 251a0696eece5c6b8df5662ccded8b0828973a2d Mon Sep 17 00:00:00 2001 From: Joel Takvorian Date: Mon, 27 Jan 2025 14:55:35 +0100 Subject: [PATCH 11/12] Reintroduce rbac + service account --- helm/netobserv/templates/deployment.yaml | 1 + helm/netobserv/templates/roles.yaml | 307 +++++++++++++++++++++++ 2 files changed, 308 insertions(+) create mode 100644 helm/netobserv/templates/roles.yaml diff --git a/helm/netobserv/templates/deployment.yaml b/helm/netobserv/templates/deployment.yaml index ae3c8a0058..0e216e103f 100644 --- a/helm/netobserv/templates/deployment.yaml +++ b/helm/netobserv/templates/deployment.yaml 
@@ -77,6 +77,7 @@ spec: readOnly: true securityContext: runAsNonRoot: true + serviceAccountName: netobserv-controller-manager terminationGracePeriodSeconds: 10 volumes: - name: cert diff --git a/helm/netobserv/templates/roles.yaml b/helm/netobserv/templates/roles.yaml new file mode 100644 index 0000000000..a3a1f174b6 --- /dev/null +++ b/helm/netobserv/templates/roles.yaml 
@@ -0,0 +1,307 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: netobserv-controller-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: netobserv-manager-role +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - secrets + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - endpoints + - nodes + - pods + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions/status + verbs: + - patch + - update +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - bpfman.io + resources: + - bpfapplications + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.openshift.io + resources: + - clusterversions + - networks + verbs: + - get + - list + - watch +- apiGroups: + - console.openshift.io + resources: + - consoleplugins + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - flows.netobserv.io + resources: + - flowcollectors + - flowmetrics + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - flows.netobserv.io + 
resources: + - flowcollectors/finalizers + verbs: + - update +- apiGroups: + - flows.netobserv.io + resources: + - flowcollectors/status + - flowmetrics/status + verbs: + - get + - patch + - update +- apiGroups: + - loki.grafana.com + resourceNames: + - logs + resources: + - network + verbs: + - create + - get +- apiGroups: + - metrics.k8s.io + resources: + - pods + verbs: + - create +- apiGroups: + - monitoring.coreos.com + resources: + - prometheusrules + - servicemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - operator.openshift.io + resources: + - consoles + verbs: + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - create + - list + - update + - watch +- apiGroups: + - security.openshift.io + resourceNames: + - hostnetwork + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: netobserv-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: netobserv-manager-role +subjects: +- kind: ServiceAccount + name: netobserv-controller-manager + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: netobserv-leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete 
+- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: netobserv-leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: netobserv-leader-election-role +subjects: +- kind: ServiceAccount + name: netobserv-controller-manager + namespace: {{ .Release.Namespace }} +--- From fe90f58cf8a54928dc393c0e236fc287343d859f Mon Sep 17 00:00:00 2001 From: Joel Takvorian Date: Tue, 28 Jan 2025 10:07:29 +0100 Subject: [PATCH 12/12] Allow configuring a custom certificate issuer instead of self-signed --- helm/netobserv/templates/certificate.yaml | 27 ++++++++++++++--------- helm/netobserv/values.yaml | 5 +++++ 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/helm/netobserv/templates/certificate.yaml b/helm/netobserv/templates/certificate.yaml index 64493b6327..27a4a800fd 100644 --- a/helm/netobserv/templates/certificate.yaml +++ b/helm/netobserv/templates/certificate.yaml 
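Review bot: `netobserv-manager-role`, `netobserv-manager-rolebinding` and the ServiceAccount reference inside the binding are cluster-scoped objects with fixed names, so a second release of this chart in another namespace fails on Helm's ownership check; if a single install per cluster is intended, state it in the chart description, otherwise derive the names from the release, e.g. `name: {{ .Release.Name }}-manager-role` in the ClusterRole and in the binding's `roleRef`. The ClusterRole grants cluster-wide `list`/`watch`/`create`/`delete` on `secrets` and full control of `clusterroles`/`clusterrolebindings`; that mirrors the operator's upstream bundle, but a one-line comment above each rule saying what needs it (presumably TLS and credential secrets referenced by a FlowCollector, and the RBAC the operator creates for its agents — verify) helps chart consumers who review permissions from this file. The `authentication.k8s.io` `tokenreviews` rule survives although the kube-rbac-proxy removed in PATCH 04 was its consumer alongside the now-dropped `subjectaccessreviews` rule; if the operator itself does not call TokenReview it can go. The trailing `---` renders an empty document, which Helm tolerates but is noise.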
@@ -1,21 +1,28 @@ -# The following manifests contain a self-signed issuer CR and a certificate CR. +# The following manifests contain a certificate CR and possibly a self-signed issuer. # More document can be found at https://docs.cert-manager.io apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: serving-cert spec: + secretName: webhook-server-cert dnsNames: - netobserv-webhook-service.{{ .Release.Namespace }}.svc - netobserv-webhook-service.{{ .Release.Namespace }}.svc.cluster.local +{{ if .Values.certManager.existingIssuer.name }} + issuerRef: + kind: {{ .Values.certManager.existingIssuer.kind }} + name: {{ .Values.certManager.existingIssuer.name }} +{{ else }} issuerRef: kind: Issuer - name: selfsigned-issuer - secretName: webhook-server-cert + name: self-signed +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: self-signed +spec: + selfSigned: {} +--- +{{ end }} diff --git a/helm/netobserv/values.yaml b/helm/netobserv/values.yaml index e69de29bb2..69d865c023 100644 --- a/helm/netobserv/values.yaml +++ b/helm/netobserv/values.yaml @@ -0,0 +1,5 @@ +certManager: + # if existingIssuer.name is not provided, a new self-signed Issuer will be created + existingIssuer: + kind: ClusterIssuer + name: ""
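Review bot: The `{{ if }}`, `{{ else }}` and `{{ end }}` lines use no whitespace trimming, so the rendered manifest carries blank lines where the actions stood, and the existing-issuer branch interpolates both `issuerRef` values unquoted; write `{{- if .Values.certManager.existingIssuer.name }}` (likewise `{{- else }}` and `{{- end }}`) and quote the values, `kind: {{ .Values.certManager.existingIssuer.kind | quote }}`, so an empty or odd-looking value surfaces as a cert-manager validation error instead of a YAML typing surprise. `kind` has no fallback: a user who sets `existingIssuer.name` and blanks `kind` renders `kind:` (null); `{{ .Values.certManager.existingIssuer.kind | default "ClusterIssuer" }}` keeps the default that values.yaml declares. The self-signed branch is otherwise unchanged apart from the rename to `self-signed`.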
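Review bot: The comment on `existingIssuer` says when a self-signed Issuer is created but not what `kind` accepts or its scope: a namespaced `Issuer` must exist in the release namespace while a `ClusterIssuer` is cluster-wide, which is the reason `ClusterIssuer` is the sensible default. Suggested: `# kind is Issuer or ClusterIssuer; a namespaced Issuer must live in the release namespace`. Leaving `name: ""` as the switch is fine since certificate.yaml keys only on `name`.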