Skip to content

NETOBSERV-2047: extend flow filter apis to introduce peerCIDR#989

Merged
msherif1234 merged 2 commits intonetobserv:mainfrom
msherif1234:peerCIDR
Jan 22, 2025
Merged

NETOBSERV-2047: extend flow filter apis to introduce peerCIDR#989
msherif1234 merged 2 commits intonetobserv:mainfrom
msherif1234:peerCIDR

Conversation

@msherif1234
Copy link
Contributor

@msherif1234 msherif1234 commented Jan 7, 2025

Description

Add peer cidr option to ebpf flow filtering

Dependencies

netobserv/netobserv-ebpf-agent#501

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

  • Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
  • Does this PR require product documentation?
    • If so, make sure the JIRA epic is labeled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
  • Does this PR require a product release notes entry?
    • If so, fill in "Release Note Text" in the JIRA.
  • Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
    • If so, make sure it is described in the JIRA ticket.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

@msherif1234
Copy link
Contributor Author

msherif1234 commented Jan 7, 2025

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 7, 2025
@msherif1234 msherif1234 changed the title Peer cidr extend flow filter apis to introduce peerCIDR Jan 7, 2025
@github-actions
Copy link

github-actions bot commented Jan 7, 2025

New images:

  • quay.io/netobserv/network-observability-operator:bd3270c
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-bd3270c
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-bd3270c

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:bd3270c make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-bd3270c

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-bd3270c
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@msherif1234 msherif1234 requested a review from jotak January 8, 2025 12:18
@msherif1234 msherif1234 changed the title extend flow filter apis to introduce peerCIDR NETOBSERV-2047: extend flow filter apis to introduce peerCIDR Jan 9, 2025
@openshift-ci-robot
Copy link
Collaborator

openshift-ci-robot commented Jan 9, 2025
edited by openshift-ci bot
Loading

@msherif1234: This pull request references NETOBSERV-2047 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

Details

In response to this:

Description

Add peer cidr option to ebpf flow filtering

Dependencies

netobserv/netobserv-ebpf-agent#501

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

  • Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
  • Does this PR require product documentation?
  • If so, make sure the JIRA epic is labeled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
  • Does this PR require a product release notes entry?
  • If so, fill in "Release Note Text" in the JIRA.
  • Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
  • If so, make sure it is described in the JIRA ticket.
  • QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 21, 2025
@msherif1234
Copy link
Contributor Author

msherif1234 commented Jan 21, 2025

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 21, 2025
@github-actions
Copy link

github-actions bot commented Jan 21, 2025

New images:

  • quay.io/netobserv/network-observability-operator:e3e39f6
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-e3e39f6
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-e3e39f6

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:e3e39f6 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-e3e39f6

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-e3e39f6
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@codecov
Copy link

codecov bot commented Jan 21, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 38.46154% with 8 lines in your changes missing coverage. Please review.

Project coverage is 62.55%. Comparing base (4ca7fb9) to head (d242131).
Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
controllers/ebpf/agent_controller.go 0.00% 6 Missing ⚠️
...s/flowcollector/v1beta1/zz_generated.conversion.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #989      +/-   ##
==========================================
- Coverage   62.58%   62.55%   -0.03%     
==========================================
  Files          77       77              
  Lines       11560    11570      +10     
==========================================
+ Hits         7235     7238       +3     
- Misses       3870     3879       +9     
+ Partials      455      453       -2
Flag Coverage Δ
unittests 62.55% <38.46%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
apis/flowcollector/v1beta1/flowcollector_types.go 100.00% <ø> (ø)
apis/flowcollector/v1beta2/flowcollector_types.go 100.00% <ø> (ø)
...lector/v1beta2/flowcollector_validation_webhook.go 68.55% <100.00%> (+0.32%) ⬆️
...s/flowcollector/v1beta1/zz_generated.conversion.go 33.09% <0.00%> (-0.06%) ⬇️
controllers/ebpf/agent_controller.go 45.96% <0.00%> (-0.46%) ⬇️

... and 5 files with indirect coverage changes

@msherif1234 msherif1234 mentioned this pull request Jan 21, 2025
Merged
11 tasks
@jotak
Copy link
Member

jotak commented Jan 22, 2025

I have an error from the validation webhook when I try to test the acceptance criteria. That's because the webhook still expects one single rule per CIDR key, but now it should be one single rule per couple <cidr, peer cidr> , right?

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 22, 2025
@msherif1234
Copy link
Contributor Author

msherif1234 commented Jan 22, 2025

I have an error from the validation webhook when I try to test the acceptance criteria. That's because the webhook still expects one single rule per CIDR key, but now it should be one single rule per couple <cidr, peer cidr> , right?

updated my PR

@jotak
Copy link
Member

jotak commented Jan 22, 2025

Something doesn't work as I would expect with this rule:

        rules:
        - action: Accept
          cidr: 0.0.0.0/0
        - action: Reject
          cidr: 172.0.0.0/8
          peerCIDR: 172.0.0.0/8
        - action: Reject
          cidr: 10.0.0.0/8
          peerCIDR: 10.0.0.0/8
        - action: Reject
          cidr: 172.0.0.0/8
          peerCIDR: 10.0.0.0/8

It should allow traffic between external IPs to internal (e.g. 8.8.8.8 to 10.0.0.1) , and between internal to external (e.g. 10.0.0.1 to 8.8.8.8), but it only works for external to internal.

image

@msherif1234
Copy link
Contributor Author

msherif1234 commented Jan 22, 2025

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 22, 2025
@github-actions
Copy link

github-actions bot commented Jan 22, 2025

New images:

  • quay.io/netobserv/network-observability-operator:b5d7082
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-b5d7082
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-b5d7082

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:b5d7082 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-b5d7082

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-b5d7082
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

jotak
jotak approved these changes Jan 22, 2025
View reviewed changes
Copy link
Member

@jotak jotak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jan 22, 2025
@msherif1234
Add peerCIDR flow filter config
b5add4a 
Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>
@msherif1234
update ebpf agent pkgt and update go mod
e882152 
Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>
@openshift-ci openshift-ci bot removed the lgtm label Jan 22, 2025
@openshift-ci
Copy link

openshift-ci bot commented Jan 22, 2025

New changes are detected. LGTM label has been removed.

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 22, 2025
@msherif1234
Copy link
Contributor Author

msherif1234 commented Jan 22, 2025

rebase and update agent pkg

@openshift-ci
Copy link

openshift-ci bot commented Jan 22, 2025

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@msherif1234 msherif1234 merged commit b3a8dc3 into netobserv:main Jan 22, 2025
7 of 12 checks passed
@msherif1234 msherif1234 deleted the peerCIDR branch January 22, 2025 18:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jotak jotak jotak approved these changes

Assignees

@jotak jotak

Labels

approved jira/valid-reference lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@msherif1234 @openshift-ci-robot @jotak