Add netpol events as predefined metrics

3 new metrics:
- node_network_policy_events_total
- namespace_network_policy_events_total (enabled by default)
- workload_network_policy_events_total

And their related charts

Author: jotak

apis/flowcollector/v1beta1/flowcollector_webhook_test.go

@@ -123,7 +123,14 @@ func TestBeta1ConversionRoundtrip_Metrics(t *testing.T) {
 	err := initial.ConvertTo(&converted)
 	assert.NoError(err)
 
-	expectedDefaultMetrics := []v1beta2.FLPMetric{"namespace_egress_packets_total", "namespace_flows_total", "namespace_rtt_seconds", "namespace_drop_packets_total", "namespace_dns_latency_seconds"}
+	expectedDefaultMetrics := []v1beta2.FLPMetric{
+		"namespace_egress_packets_total",
+		"namespace_flows_total",
+		"namespace_rtt_seconds",
+		"namespace_drop_packets_total",
+		"namespace_dns_latency_seconds",
+		"namespace_network_policy_events_total",
+	}
 	assert.Equal([]v1beta2.FLPAlert{v1beta2.AlertLokiError}, converted.Spec.Processor.Metrics.DisableAlerts)
 	assert.NotNil(converted.Spec.Processor.Metrics.IncludeList)
 	assert.Equal(expectedDefaultMetrics, *converted.Spec.Processor.Metrics.IncludeList)

apis/flowcollector/v1beta2/flowcollector_types.go

@@ -530,7 +530,7 @@ const (
 )
 
 // Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md.
-// +kubebuilder:validation:Enum:="namespace_egress_bytes_total";"namespace_egress_packets_total";"namespace_ingress_bytes_total";"namespace_ingress_packets_total";"namespace_flows_total";"node_egress_bytes_total";"node_egress_packets_total";"node_ingress_bytes_total";"node_ingress_packets_total";"node_flows_total";"workload_egress_bytes_total";"workload_egress_packets_total";"workload_ingress_bytes_total";"workload_ingress_packets_total";"workload_flows_total";"namespace_drop_bytes_total";"namespace_drop_packets_total";"node_drop_bytes_total";"node_drop_packets_total";"workload_drop_bytes_total";"workload_drop_packets_total";"namespace_rtt_seconds";"node_rtt_seconds";"workload_rtt_seconds";"namespace_dns_latency_seconds";"node_dns_latency_seconds";"workload_dns_latency_seconds"
+// +kubebuilder:validation:Enum:="namespace_egress_bytes_total";"namespace_egress_packets_total";"namespace_ingress_bytes_total";"namespace_ingress_packets_total";"namespace_flows_total";"node_egress_bytes_total";"node_egress_packets_total";"node_ingress_bytes_total";"node_ingress_packets_total";"node_flows_total";"workload_egress_bytes_total";"workload_egress_packets_total";"workload_ingress_bytes_total";"workload_ingress_packets_total";"workload_flows_total";"namespace_drop_bytes_total";"namespace_drop_packets_total";"node_drop_bytes_total";"node_drop_packets_total";"workload_drop_bytes_total";"workload_drop_packets_total";"namespace_rtt_seconds";"node_rtt_seconds";"workload_rtt_seconds";"namespace_dns_latency_seconds";"node_dns_latency_seconds";"workload_dns_latency_seconds";"node_network_policy_events_total";"namespace_network_policy_events_total";"workload_network_policy_events_total"
 type FLPMetric string
 
 // `FLPMetrics` define the desired FLP configuration regarding metrics
@@ -546,7 +546,8 @@ type FLPMetrics struct {
 	// Metrics enabled by default are:
 	// `namespace_flows_total`, `node_ingress_bytes_total`, `node_egress_bytes_total`, `workload_ingress_bytes_total`,
 	// `workload_egress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
-	// `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+	// `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled),
+	// `namespace_network_policy_events_total` (when `NetworkEvents` feature is enabled).
 	// More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
 	// +optional
 	IncludeList *[]FLPMetric `json:"includeList,omitempty"`

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -8205,7 +8205,8 @@ spec:
                           Metrics enabled by default are:
                           `namespace_flows_total`, `node_ingress_bytes_total`, `node_egress_bytes_total`, `workload_ingress_bytes_total`,
                           `workload_egress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
-                          `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+                          `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled),
+                          `namespace_network_policy_events_total` (when `NetworkEvents` feature is enabled).
                           More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
                         items:
                           description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md.
@@ -8237,6 +8238,9 @@ spec:
                           - namespace_dns_latency_seconds
                           - node_dns_latency_seconds
                           - workload_dns_latency_seconds
+                          - node_network_policy_events_total
+                          - namespace_network_policy_events_total
+                          - workload_network_policy_events_total
                           type: string
                         type: array
                       server:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -7585,7 +7585,8 @@ spec:
                             Metrics enabled by default are:
                             `namespace_flows_total`, `node_ingress_bytes_total`, `node_egress_bytes_total`, `workload_ingress_bytes_total`,
                             `workload_egress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
-                            `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+                            `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled),
+                            `namespace_network_policy_events_total` (when `NetworkEvents` feature is enabled).
                             More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
                           items:
                             description: Metric name. More information in https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md.
@@ -7617,6 +7618,9 @@ spec:
                               - namespace_dns_latency_seconds
                               - node_dns_latency_seconds
                               - workload_dns_latency_seconds
+                              - node_network_policy_events_total
+                              - namespace_network_policy_events_total
+                              - workload_network_policy_events_total
                             type: string
                           type: array
                         server:

docs/FlowCollector.md

@@ -16877,7 +16877,8 @@ Note that the more metrics you add, the bigger is the impact on Prometheus workl
 Metrics enabled by default are:
 `namespace_flows_total`, `node_ingress_bytes_total`, `node_egress_bytes_total`, `workload_ingress_bytes_total`,
 `workload_egress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
-`namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+`namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled),
+`namespace_network_policy_events_total` (when `NetworkEvents` feature is enabled).
 More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md<br/>
         </td>
         <td>false</td>

docs/Metrics.md

@@ -51,6 +51,11 @@ When the `DNSTracking` feature is enabled in `spec.agent.ebpf.features`, additio
 - `node_dns_latency_seconds`
 - `workload_dns_latency_seconds` `**`
 
+When the `NetworkEvents` feature is enabled in `spec.agent.ebpf.features`, 
+- `namespace_network_policy_events_total` `*`
+- `node_network_policy_events_total`
+- `workload_network_policy_events_total`
+
 ## Custom metrics using the FlowMetrics API
 
 The FlowMetrics API ([spec reference](./FlowMetric.md)) has been designed to give you full control on the metrics generation out of the NetObserv' enriched NetFlow data.

pkg/dashboards/dashboard_test.go

@@ -21,9 +21,9 @@ func TestCreateFlowMetricsDashboard_All(t *testing.T) {
 
 	assert.Equal("NetObserv / Main", d.Title)
 
-	assert.Equal([]string{"Overview", "Traffic rates", "TCP latencies", "Byte and packet drops", "DNS"}, d.Titles())
+	assert.Equal([]string{"Overview", "Traffic rates", "TCP latencies", "Byte and packet drops", "DNS", "Network Policy"}, d.Titles())
 
-	assert.Len(d.Rows[0].Panels, 16)
+	assert.Len(d.Rows[0].Panels, 18)
 	assert.Len(d.Rows[1].Panels, 20)
 
 	p := d.FindPanel("Top egress traffic per node")

pkg/metrics/predefined_charts.go

@@ -203,6 +203,49 @@ func dnsCharts(group string) []metricslatest.Chart {
 	}, group, "")...)
 }
 
+func netpolCharts(group string) []metricslatest.Chart {
+	sectionName := "Network Policy"
+	charts := []metricslatest.Chart{
+		{
+			Type:          metricslatest.ChartTypeSingleStat,
+			SectionName:   "",
+			DashboardName: mainDashboard,
+			Title:         "Policy drop rate",
+			Queries:       []metricslatest.Query{{PromQL: `sum(rate($METRIC{action="drop"}[2m]))`}},
+		},
+		{
+			Type:          metricslatest.ChartTypeSingleStat,
+			SectionName:   "",
+			DashboardName: mainDashboard,
+			Title:         "Policy allow rate",
+			Queries:       []metricslatest.Query{{PromQL: `sum(rate($METRIC{action=~"allow.*"}[2m]))`}},
+		},
+	}
+
+	charts = append(charts,
+		chartVariantsFor(&metricslatest.Chart{
+			Type:          metricslatest.ChartTypeStackArea,
+			SectionName:   sectionName,
+			DashboardName: mainDashboard,
+			Title:         "Drop rate",
+			Queries: []metricslatest.Query{{
+				PromQL: `sum(rate($METRIC{action="drop",$FILTERS}[2m])) by (type,direction,$LABELS)`,
+				Legend: "$LEGEND, {{ type }}, {{ direction }}",
+			}},
+		}, group, "")...)
+	return append(charts,
+		chartVariantsFor(&metricslatest.Chart{
+			Type:          metricslatest.ChartTypeStackArea,
+			SectionName:   sectionName,
+			DashboardName: mainDashboard,
+			Title:         "Allow rate",
+			Queries: []metricslatest.Query{{
+				PromQL: `sum(rate($METRIC{action=~"allow.*",$FILTERS}[2m])) by (type,direction,$LABELS)`,
+				Legend: "$LEGEND, {{ type }}, {{ direction }}",
+			}},
+		}, group, "")...)
+}
+
 func chartVariantsFor(chart *metricslatest.Chart, group, unit string) []metricslatest.Chart {
 	switch group {
 	case tagNodes:

pkg/metrics/predefined_metrics.go

@@ -43,6 +43,7 @@ var (
 		"namespace_drop_packets_total",
 		"namespace_rtt_seconds",
 		"namespace_dns_latency_seconds",
+		"namespace_network_policy_events_total",
 	}
 	// More metrics enabled when Loki is disabled, to avoid loss of information
 	DefaultIncludeListLokiDisabled = []string{
@@ -57,6 +58,7 @@ var (
 		"workload_drop_packets_total",
 		"workload_rtt_seconds",
 		"workload_dns_latency_seconds",
+		"namespace_network_policy_events_total",
 	}
 	// Pre-deprecation default IgnoreTags list (1.4) - used before switching to whitelist approach,
 	// to make sure there is no unintended new metrics being collected
@@ -163,6 +165,28 @@ func init() {
 			},
 			tags: []string{group, "dns"},
 		})
+
+		// Netpol metrics
+		netpolLabels := labels
+		netpolLabels = append(netpolLabels, "NetworkEvents>Type", "NetworkEvents>Namespace", "NetworkEvents>Name", "NetworkEvents>Action", "NetworkEvents>Direction")
+		predefinedMetrics = append(predefinedMetrics, taggedMetricDefinition{
+			FlowMetricSpec: metricslatest.FlowMetricSpec{
+				MetricName: fmt.Sprintf("%s_network_policy_events_total", groupTrimmed),
+				Type:       "counter",
+				Labels:     netpolLabels,
+				Filters:    []metricslatest.MetricFilter{{Field: "NetworkEvents>Feature", Value: "acl"}},
+				Flatten:    []string{"NetworkEvents"},
+				Remap: map[string]string{
+					"NetworkEvents>Type":      "type",
+					"NetworkEvents>Namespace": "namespace",
+					"NetworkEvents>Name":      "name",
+					"NetworkEvents>Action":    "action",
+					"NetworkEvents>Direction": "direction",
+				},
+				Charts: netpolCharts(group),
+			},
+			tags: []string{group, "network-policy"},
+		})
 	}
 }
 
@@ -253,6 +277,9 @@ func GetIncludeList(spec *flowslatest.FlowCollectorSpec) []string {
 	if !helper.IsDNSTrackingEnabled(&spec.Agent.EBPF) {
 		list = removeMetricsByPattern(list, "_dns_")
 	}
+	if !helper.IsNetworkEventsEnabled(&spec.Agent.EBPF) {
+		list = removeMetricsByPattern(list, "_network_policy_")
+	}
 	return list
 }
 

pkg/metrics/predefined_metrics_test.go

@@ -19,14 +19,17 @@ func TestIncludeExclude(t *testing.T) {
 		"node_rtt_seconds",
 		"node_drop_bytes_total",
 		"node_dns_latency_seconds",
+		"node_network_policy_events_total",
 		"namespace_ingress_bytes_total",
 		"namespace_rtt_seconds",
 		"namespace_drop_bytes_total",
 		"namespace_dns_latency_seconds",
+		"namespace_network_policy_events_total",
 		"workload_ingress_bytes_total",
 		"workload_rtt_seconds",
 		"workload_drop_bytes_total",
 		"workload_dns_latency_seconds",
+		"workload_network_policy_events_total",
 	}, *res)
 
 	// IgnoreTags set, Include list set => keep include list