
Commit 15494c8

Improve doc for ebpf filters (#827)
* Improve doc for ebpf filters * address feedback * mention Accept is default * avoid parenthesis
1 parent 4fe7dc8 commit 15494c8


6 files changed

+116
-100
lines changed


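--- a/apis/flowcollector/v1beta2/flowcollector_types.go
+++ b/apis/flowcollector/v1beta2/flowcollector_types.go
@@ -93,7 +93,7 @@ type FlowCollectorSpec struct {
 type NetworkPolicy struct {
 // Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
 // These network policies better isolate the NetObserv components to prevent undesired connections to them.
-// We recommend you either enable it, or create your own network policy for NetObserv.
+// To increase the security of connections, enable this option or create your own network policy.
 // +optional
 Enable *bool `json:"enable,omitempty"`
 
@@ -221,59 +221,60 @@ type EBPFFlowFilter struct {
 // Examples: `10.10.10.0/24` or `100:100:100:100::/64`
 CIDR string `json:"cidr,omitempty"`
 
-// `action` defines the action to perform on the flows that match the filter.
+// `action` defines the action to perform on the flows that match the filter. The available options are `Accept`, which is the default, and `Reject`.
 // +kubebuilder:validation:Enum:="Accept";"Reject"
 Action string `json:"action,omitempty"`
 
-// `protocol` defines the protocol to filter flows by.
+// `protocol` optionally defines a protocol to filter flows by. The available options are `TCP`, `UDP`, `ICMP`, `ICMPv6`, and `SCTP`.
 // +kubebuilder:validation:Enum:="TCP";"UDP";"ICMP";"ICMPv6";"SCTP"
 // +optional
 Protocol string `json:"protocol,omitempty"`
 
-// `direction` defines the direction to filter flows by.
+// `direction` optionally defines a direction to filter flows by. The available options are `Ingress` and `Egress`.
 // +kubebuilder:validation:Enum:="Ingress";"Egress"
 // +optional
 Direction string `json:"direction,omitempty"`
 
-// `tcpFlags` defines the TCP flags to filter flows by.
+// `tcpFlags` optionally defines TCP flags to filter flows by.
+// In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK`, and `RST-ACK`.
 // +kubebuilder:validation:Enum:="SYN";"SYN-ACK";"ACK";"FIN";"RST";"URG";"ECE";"CWR";"FIN-ACK";"RST-ACK"
 // +optional
 TCPFlags string `json:"tcpFlags,omitempty"`
 
-// `sourcePorts` defines the source ports to filter flows by.
+// `sourcePorts` optionally defines the source ports to filter flows by.
 // To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`.
 // To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`.
 // To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
 // +optional
 SourcePorts intstr.IntOrString `json:"sourcePorts,omitempty"`
 
-// `destPorts` defines the destination ports to filter flows by.
+// `destPorts` optionally defines the destination ports to filter flows by.
 // To filter a single port, set a single port as an integer value. For example, `destPorts: 80`.
 // To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`.
 // To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
 // +optional
 DestPorts intstr.IntOrString `json:"destPorts,omitempty"`
 
-// `ports` defines the ports to filter flows by. It is used both for source and destination ports.
+// `ports` optionally defines the ports to filter flows by. It is used both for source and destination ports.
 // To filter a single port, set a single port as an integer value. For example, `ports: 80`.
 // To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`.
 // To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
 Ports intstr.IntOrString `json:"ports,omitempty"`
 
-// `peerIP` defines the IP address to filter flows by.
+// `peerIP` optionally defines the remote IP address to filter flows by.
 // Example: `10.10.10.10`.
 // +optional
 PeerIP string `json:"peerIP,omitempty"`
 
-// `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, defines the ICMP code to filter flows by.
+// `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by.
 // +optional
 ICMPCode *int `json:"icmpCode,omitempty"`
 
-// `icmpType`, for ICMP traffic, defines the ICMP type to filter flows by.
+// `icmpType`, for ICMP traffic, optionally defines the ICMP type to filter flows by.
 // +optional
 ICMPType *int `json:"icmpType,omitempty"`
 
-// `pktDrops` filters flows with packet drops
+// `pktDrops` optionally filters only flows containing packet drops.
 // +optional
 PktDrops *bool `json:"pktDrops,omitempty"`
 }
@@ -1029,7 +1030,7 @@ const (
 
 type FileReference struct {
 //+kubebuilder:validation:Enum=configmap;secret
-// Type for the file reference: "configmap" or "secret".
+// Type for the file reference: `configmap` or `secret`.
 Type MountableType `json:"type,omitempty"`
 
 // Name of the config map or secret containing the file.
@@ -1334,7 +1335,7 @@ const (
 
 // `FlowCollectorExporter` defines an additional exporter to send enriched flows to.
 type FlowCollectorExporter struct {
-// `type` selects the type of exporters. The available options are `Kafka` and `IPFIX`.
+// `type` selects the type of exporters. The available options are `Kafka`, `IPFIX`, and `OpenTelemetry`.
 // +unionDiscriminator
 // +kubebuilder:validation:Enum:="Kafka";"IPFIX";"OpenTelemetry"
 // +kubebuilder:validation:Required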
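Review bot: The new `tcpFlags` comment in the EBPFFlowFilter hunk promises "the standard flags (RFC-9293)", but the enum marker directly under it accepts only `SYN`, `ACK`, `FIN`, `RST`, `URG`, `ECE` and `CWR` plus the three combinations, so a `PSH` filter would be rejected by validation. I would enumerate the accepted values the way the reworded `protocol` and `direction` comments do, for example `// The available options are SYN, ACK, FIN, RST, URG, ECE, CWR, SYN-ACK, FIN-ACK, and RST-ACK.`, rather than pointing at the RFC. In the same hunk the two-port example under `sourcePorts` and `destPorts` still reads `ports: "80,100"` and should name the field being documented, `sourcePorts: "80,100"` and `destPorts: "80,100"`. The comment on `action` now states that `Accept` is the default, yet no `+kubebuilder:default` marker is visible on that field, so the default presumably lives in the agent or controller code and the comment should be checked against it. EBPFFlowFilter begins above the hunk, so markers outside the visible lines are not covered by this note.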

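--- a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
+++ b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -3753,7 +3753,8 @@ spec:
 properties:
 action:
 description: '`action` defines the action to perform on
-the flows that match the filter.'
+the flows that match the filter. The available options
+are `Accept`, which is the default, and `Reject`.'
 enum:
 - Accept
 - Reject
@@ -3768,14 +3769,15 @@ spec:
 - type: integer
 - type: string
 description: |-
-`destPorts` defines the destination ports to filter flows by.
+`destPorts` optionally defines the destination ports to filter flows by.
 To filter a single port, set a single port as an integer value. For example, `destPorts: 80`.
 To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`.
 To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
 x-kubernetes-int-or-string: true
 direction:
-description: '`direction` defines the direction to filter
-flows by.'
+description: '`direction` optionally defines a direction
+to filter flows by. The available options are `Ingress`
+and `Egress`.'
 enum:
 - Ingress
 - Egress
@@ -3786,34 +3788,36 @@ spec:
 type: boolean
 icmpCode:
 description: '`icmpCode`, for Internet Control Message
-Protocol (ICMP) traffic, defines the ICMP code to filter
-flows by.'
+Protocol (ICMP) traffic, optionally defines the ICMP
+code to filter flows by.'
 type: integer
 icmpType:
-description: '`icmpType`, for ICMP traffic, defines the
-ICMP type to filter flows by.'
+description: '`icmpType`, for ICMP traffic, optionally
+defines the ICMP type to filter flows by.'
 type: integer
 peerIP:
 description: |-
-`peerIP` defines the IP address to filter flows by.
+`peerIP` optionally defines the remote IP address to filter flows by.
 Example: `10.10.10.10`.
 type: string
 pktDrops:
-description: '`pktDrops` filters flows with packet drops'
+description: '`pktDrops` optionally filters only flows
+containing packet drops.'
 type: boolean
 ports:
 anyOf:
 - type: integer
 - type: string
 description: |-
-`ports` defines the ports to filter flows by. It is used both for source and destination ports.
+`ports` optionally defines the ports to filter flows by. It is used both for source and destination ports.
 To filter a single port, set a single port as an integer value. For example, `ports: 80`.
 To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`.
 To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
 x-kubernetes-int-or-string: true
 protocol:
-description: '`protocol` defines the protocol to filter
-flows by.'
+description: '`protocol` optionally defines a protocol
+to filter flows by. The available options are `TCP`,
+`UDP`, `ICMP`, `ICMPv6`, and `SCTP`.'
 enum:
 - TCP
 - UDP
@@ -3826,14 +3830,15 @@ spec:
 - type: integer
 - type: string
 description: |-
-`sourcePorts` defines the source ports to filter flows by.
+`sourcePorts` optionally defines the source ports to filter flows by.
 To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`.
 To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`.
 To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.
 x-kubernetes-int-or-string: true
 tcpFlags:
-description: '`tcpFlags` defines the TCP flags to filter
-flows by.'
+description: |-
+`tcpFlags` optionally defines TCP flags to filter flows by.
+In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK`, and `RST-ACK`.
 enum:
 - SYN
 - SYN-ACK
@@ -3978,7 +3983,7 @@ spec:
 type: string
 type:
 description: 'Type for the file reference:
-"configmap" or "secret".'
+`configmap` or `secret`.'
 enum:
 - configmap
 - secret
@@ -5738,8 +5743,8 @@ spec:
 If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 type: string
 type:
-description: 'Type for the file reference: "configmap"
-or "secret".'
+description: 'Type for the file reference: `configmap`
+or `secret`.'
 enum:
 - configmap
 - secret
@@ -5764,8 +5769,8 @@ spec:
 If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 type: string
 type:
-description: 'Type for the file reference: "configmap"
-or "secret".'
+description: 'Type for the file reference: `configmap`
+or `secret`.'
 enum:
 - configmap
 - secret
@@ -6017,7 +6022,7 @@ spec:
 type: object
 type:
 description: '`type` selects the type of exporters. The available
-options are `Kafka` and `IPFIX`.'
+options are `Kafka`, `IPFIX`, and `OpenTelemetry`.'
 enum:
 - Kafka
 - IPFIX
@@ -6057,8 +6062,8 @@ spec:
 If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 type: string
 type:
-description: 'Type for the file reference: "configmap"
-or "secret".'
+description: 'Type for the file reference: `configmap`
+or `secret`.'
 enum:
 - configmap
 - secret
@@ -6082,8 +6087,8 @@ spec:
 If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 type: string
 type:
-description: 'Type for the file reference: "configmap"
-or "secret".'
+description: 'Type for the file reference: `configmap`
+or `secret`.'
 enum:
 - configmap
 - secret
@@ -6703,7 +6708,7 @@ spec:
 description: |-
 Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
 These network policies better isolate the NetObserv components to prevent undesired connections to them.
-We recommend you either enable it, or create your own network policy for NetObserv.
+To increase the security of connections, enable this option or create your own network policy.
 type: boolean
 type: object
 processor:
@@ -8310,8 +8315,8 @@ spec:
 If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 type: string
 type:
-description: 'Type for the file reference: "configmap"
-or "secret".'
+description: 'Type for the file reference: `configmap`
+or `secret`.'
 enum:
 - configmap
 - secret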
