updated README and yml files (#249)

* updated README and yml files

* fix perms

---------

Co-authored-by: Julien Pinsonneau <[email protected]>

Author: KalmanMeth

deployments/README.md

@@ -9,4 +9,23 @@ but the files contained here are useful for documentation and manual testing.
 * `flp-daemonset-cap.yml`, same as `flp-daemonset.yml`, but assigning individual capabilities instead
   of deploying a fully-privileged container.
 * `flp-service.yml`, shows how to deploy/configure the Agent when Flowlogs Pipeline is deployed
-  as a service, explicitly setting the host configuration as the service name.
+  as a service, explicitly setting the host configuration as the service name.
+
+For manual testing, apply the permissions needed to run ebpf.
+
+'''
+kubectl apply -f ./perms.yml
+'''
+
+Then, create deploy loki.
+
+'''
+curl -S -L https://raw.githubusercontent.com/netobserv/documents/main/examples/zero-click-loki/1-storage.yaml | kubectl create -n netobserv -f - 
+curl -S -L https://raw.githubusercontent.com/netobserv/documents/main/examples/zero-click-loki/2-loki.yaml       | kubectl create -n netobserv -f - 
+'''
+
+Finally bring up ebpf and flp.
+
+'''
+kubectl apply -f ./flp-service.yml
+'''

deployments/flp-daemonset-cap.yml

@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: netobserv-ebpf-agent
+  namespace: netobserv
   labels:
     k8s-app: netobserv-ebpf-agent
 spec:
@@ -15,7 +16,7 @@ spec:
       labels:
         k8s-app: netobserv-ebpf-agent
     spec:
-      serviceAccountName: netobserv-account
+      serviceAccountName: netobserv
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       containers:
@@ -42,6 +43,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: flp
+  namespace: netobserv
   labels:
     k8s-app: flp
 spec:
@@ -53,7 +55,7 @@ spec:
       labels:
         k8s-app: flp
     spec:
-      serviceAccountName: netobserv-account
+      serviceAccountName: netobserv
       containers:
         - name: flowlogs-pipeline
           image: quay.io/netobserv/flowlogs-pipeline:main
@@ -79,10 +81,8 @@ data:
     log-level: debug
     pipeline:
       - name: ingest
-      - name: decode
-        follows: ingest
       - name: enrich
-        follows: decode
+        follows: ingest
       - name: loki
         follows: enrich
     parameters:
@@ -91,9 +91,6 @@ data:
           type: grpc
           grpc:
             port: 9999
-      - name: decode
-        decode:
-          type: protobuf
       - name: enrich
         transform:
           type: network
@@ -109,7 +106,6 @@ data:
         write:
           type: loki
           loki:
-            type: loki
             staticLabels:
               app: netobserv-flowcollector
             labels:
@@ -118,19 +114,15 @@ data:
               - "DstK8S_Namespace"
               - "DstK8S_OwnerName"
               - "FlowDirection"
-            url: http://loki:3100
+            url: http://loki.netobserv.svc:3100
             timestampLabel: TimeFlowEndMs
             timestampScale: 1ms
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netobserv-account
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: netobserv
+  namespace: netobserv
 rules:
   - apiGroups:
       - apps
@@ -159,11 +151,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: netobserv
+  namespace: netobserv
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: netobserv
 subjects:
   - kind: ServiceAccount
-    name: netobserv-account
-    namespace: default
+    name: netobserv
+    namespace: netobserv

deployments/flp-daemonset.yml

@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: netobserv-ebpf-agent
+  namespace: netobserv
   labels:
     k8s-app: netobserv-ebpf-agent
 spec:
@@ -15,7 +16,7 @@ spec:
       labels:
         k8s-app: netobserv-ebpf-agent
     spec:
-      serviceAccountName: netobserv-account
+      serviceAccountName: netobserv
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       containers:
@@ -37,6 +38,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: flp
+  namespace: netobserv
   labels:
     k8s-app: flp
 spec:
@@ -48,7 +50,7 @@ spec:
       labels:
         k8s-app: flp
     spec:
-      serviceAccountName: netobserv-account
+      serviceAccountName: netobserv
       containers:
         - name: packet-counter
           image: quay.io/netobserv/flowlogs-pipeline:main
@@ -70,15 +72,14 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: flp-config
+  namespace: netobserv
 data:
   config.yaml: |
     log-level: debug
     pipeline:
       - name: ingest
-      - name: decode
-        follows: ingest
       - name: enrich
-        follows: decode
+        follows: ingest
       - name: loki
         follows: enrich
     parameters:
@@ -87,9 +88,6 @@ data:
           type: grpc
           grpc:
             port: 9999
-      - name: decode
-        decode:
-          type: protobuf
       - name: enrich
         transform:
           type: network
@@ -105,7 +103,6 @@ data:
         write:
           type: loki
           loki:
-            type: loki
             staticLabels:
               app: netobserv-flowcollector
             labels:
@@ -114,19 +111,15 @@ data:
               - "DstK8S_Namespace"
               - "DstK8S_OwnerName"
               - "FlowDirection"
-            url: http://loki:3100
+            url: http://loki.netobserv.svc:3100
             timestampLabel: TimeFlowEndMs
             timestampScale: 1ms
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netobserv-account
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: netobserv
+  namespace: netobserv
 rules:
   - apiGroups:
       - apps
@@ -155,11 +148,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: netobserv
+  namespace: netobserv
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: netobserv
 subjects:
   - kind: ServiceAccount
-    name: netobserv-account
-    namespace: default
+    name: netobserv
+    namespace: netobserv

deployments/flp-service.yml

@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: netobserv-ebpf-agent
+  namespace: netobserv
   labels:
     k8s-app: netobserv-ebpf-agent
 spec:
@@ -15,7 +16,7 @@ spec:
       labels:
         k8s-app: netobserv-ebpf-agent
     spec:
-      serviceAccountName: netobserv-account
+      serviceAccountName: netobserv
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       containers:
@@ -35,6 +36,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: flp
+  namespace: netobserv
   labels:
     k8s-app: flp
 spec:
@@ -50,6 +52,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: flp
+  namespace: netobserv
   labels:
     k8s-app: flp
 spec:
@@ -62,7 +65,7 @@ spec:
       labels:
         k8s-app: flp
     spec:
-      serviceAccountName: netobserv-account
+      serviceAccountName: netobserv
       containers:
         - name: packet-counter
           image: quay.io/netobserv/flowlogs-pipeline:main
@@ -83,15 +86,14 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: flp-config
+  namespace: netobserv
 data:
   config.yaml: |
     log-level: debug
     pipeline:
       - name: ingest
-      - name: decode
-        follows: ingest
       - name: enrich
-        follows: decode
+        follows: ingest
       - name: loki
         follows: enrich
     parameters:
@@ -100,9 +102,6 @@ data:
           type: grpc
           grpc:
             port: 9999
-      - name: decode
-        decode:
-          type: protobuf
       - name: enrich
         transform:
           type: network
@@ -118,7 +117,6 @@ data:
         write:
           type: loki
           loki:
-            type: loki
             staticLabels:
               app: netobserv-flowcollector
             labels:
@@ -127,19 +125,15 @@ data:
               - "DstK8S_Namespace"
               - "DstK8S_OwnerName"
               - "FlowDirection"
-            url: http://loki:3100
+            url: http://loki.netobserv.svc:3100
             timestampLabel: TimeFlowEndMs
             timestampScale: 1ms
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netobserv-account
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: netobserv
+  namespace: netobserv
 rules:
   - apiGroups:
       - apps
@@ -168,11 +162,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: netobserv
+  namespace: netobserv
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: netobserv
 subjects:
   - kind: ServiceAccount
-    name: netobserv-account
-    namespace: default
+    name: netobserv
+    namespace: netobserv

deployments/perms.yml

@@ -0,0 +1,42 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: netobserv
+  labels:
+    app: netobserv
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netobserv
+  namespace: netobserv
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: netobserv
+  namespace: netobserv
+rules:
+  - apiGroups:
+     - security.openshift.io
+    resourceNames:
+     - privileged
+    resources:
+     - securitycontextconstraints
+    verbs:
+     - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: netobserv
+  namespace: netobserv
+subjects:
+  - kind: ServiceAccount
+    name: netobserv
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: netobserv