Add docs for theia and policy recommendation CLI #36
Conversation
dreamtalen
force-pushed
the
cli-doc
branch
2 times, most recently
from
f444a11
to
f670dd9
Compare
|
|
||
| ## Deployment | ||
|
|
||
| To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) to deploy Flow Exporter and Flow Aggregator first. |
There was a problem hiding this comment.
Copy my comments here too:
We received a valid feedback the deployment steps are too complex to follow, and can be a big challenge for a normal user. Could we have an all-in-one quick-start to deploy everything, rather than refer to multiple docs? At least, we should have a quick-start to deploy Grafana Flow Collector with default settings, and then this doc can point to that.
There was a problem hiding this comment.
For your reference, this is the quick-start we are adding for multi-cluster (yes it still looks complex without any automation): antrea-io/antrea#3853 (comment)
But I do not mean you should create a separate quick-start doc. I kindof suggest to add a quick-start (or just call call it installation) section to the Theia network-flow-visibility doc with all steps to quickly set up all components (Antrea, Flow Aggregator, Grafana, etc.), with default settings (the simpler the better).
There was a problem hiding this comment.
Thank Jianjun, for the quick-start, I think using helm is the simplest way to achieve that. After #31 is merged, all the needed steps will be:
- Deploy Antrea with Flow Exporter, and Flow Aggregator following a doc inside the Antrea repo.
- Run the helm install command of Theia to deploy Clickhouse, grafana, spark operator, etc.
Is this good enough now? Or we'd better come up with a solution to deploy all components in one step?
There was a problem hiding this comment.
@dreamtalen - as a user, ideally I would be able to deploy antrea + theia by:
- setting mandatory parameters in values.yaml
- do something like
helm install theia && helm install antrea(or the other way around)
So, your plan looks quite good, but in the quick start doc I think it's better to provide users a way to do things very quickly only using helm (e.g.: not 1) set config values for antrea; 2) deploy antrea with helm; 3) do some config changes; 4)set config values for Theia; 5) deploy theia with helm
dreamtalen
force-pushed
the
cli-doc
branch
2 times, most recently
from
4bead5b
to
a5030ae
Compare
docs/theia.md
Outdated
| @@ -0,0 +1,68 @@ | |||
| # Theia | |||
There was a problem hiding this comment.
We should use "theia" to refer to the CLI tool.
Maybe use "theia Command-line Tool" or "Theia Command-line Tool" as the title
There was a problem hiding this comment.
Thanks, changed to "Theia Command-line Tool" now.
docs/theia.md
Outdated
| @@ -0,0 +1,68 @@ | |||
| # Theia | |||
|
|
|||
| Theia is the command-line tool which provides access to Theia network flow | |||
There was a problem hiding this comment.
Thanks, addressed.
docs/theia.md
Outdated
|
|
||
| <!-- toc --> | ||
| - [Installation](#installation) | ||
| - [Compile](#compile) |
There was a problem hiding this comment.
"Compilation" to be consistent with others.
There was a problem hiding this comment.
Thanks, addressed.
docs/theia.md
Outdated
| theia help | ||
| ``` | ||
|
|
||
| For Linux, we also publish binaries for Arm-based systems. |
There was a problem hiding this comment.
It is a single binary? Then: "binary"
There was a problem hiding this comment.
I took a look at antctl release and found there will be two binaries for arm and arm64
There was a problem hiding this comment.
Imho this statement is probably misplaced here. Here we expect instructions for fetching an installing the CLI. This note about ARM support can be in the paragraph at lines 16-18
|
|
||
| We need to install the [Kubernetes Operator for Apache Spark](https://github.com/GoogleCloudPlatform/spark-on-k8s-operator) | ||
| in the cluster. | ||
| Our policy recommendation logic is implemented as a [Spark](https://github.com/apache/spark) application, |
There was a problem hiding this comment.
Do you want a new line or not? If not do not switch to a new line for each sentence.
There was a problem hiding this comment.
Thanks, addressed.
| Our policy recommendation logic is implemented as a [Spark](https://github.com/apache/spark) application, | ||
| the Kubernetes Operator for Apache Spark helps us schedule the Spark job in the Kubernetes cluster. | ||
|
|
||
| Please run the following command: |
There was a problem hiding this comment.
Thanks, addressed.
| helm install policy-reco spark-operator/spark-operator --namespace flow-visibility --set image.tag=latest | ||
| ``` | ||
|
|
||
| This will install the Kubernetes Operator for Apache Spark into the `flow-visibility` namespace. |
There was a problem hiding this comment.
Thanks, addressed.
| The goal of this feature is to aid the cluster admin or developers to secure | ||
| their applications based on the idea of the Zero Trust model. | ||
|
|
||
| ## Deployment |
There was a problem hiding this comment.
Call it Installation or Preparation
There was a problem hiding this comment.
Thanks, addressed.
|
|
||
| ## Deployment | ||
|
|
||
| To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) |
There was a problem hiding this comment.
I am fine to merge the current version first, but again let us work on a single all-in-one quick-start (probably as a section of network-flow-visibility.md) to configure Exporter, deploy Flow Aggregator and Collector before we release 0.1!
| [Grafana Flow Collector](network-flow-visibility.md#grafana-flow-collector) to generate | ||
| [Kubernetes NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) | ||
| or [Antrea NetworkPolicies](https://github.com/antrea-io/antrea/blob/main/docs/antrea-network-policy.md). | ||
| The goal of this feature is to aid the cluster admin or developers to secure |
There was a problem hiding this comment.
Consider rephrase:
This feature assists cluster administrators and app developers in securing their applications according to Zero Trust principles
There was a problem hiding this comment.
Thanks, addressed.
|
|
||
| ## Deployment | ||
|
|
||
| To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) |
There was a problem hiding this comment.
Consider rephrase:
Theia's NetworkPolicy Recommendation capablity leverages Antrea Flow Exporter and Flow Aggreator. Before leveraging this feature, follow this doc to ensure they are deployed.
There was a problem hiding this comment.
Thanks, addressed.
|
|
||
| To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) | ||
| to deploy Flow Exporter and Flow Aggregator first. | ||
| Please update the `#podLabels: false` to `podLabels: true` inside |
There was a problem hiding this comment.
Consider rephrase:
In addition, ensure podLabels: true is set in Flow Aggregator Configuration, as Theia's NetworkPolicy Recommendation (let's be consistent in the way we call things) feature needs to process pod label information.
There was a problem hiding this comment.
Thanks, addressed.
| because policy recommendation feature needs Pod labels information to recommend network policies. | ||
|
|
||
| Then, please follow these [deployment steps](network-flow-visibility.md#deployment-steps) | ||
| to deploy the Grafana Flow Collector. |
There was a problem hiding this comment.
I would just say "deploy Theia". does that make sense?
There was a problem hiding this comment.
Sounds good to me, actually user could finish deployment here with helm install after PR#31 merged.
| Then, please follow these [deployment steps](network-flow-visibility.md#deployment-steps) | ||
| to deploy the Grafana Flow Collector. | ||
|
|
||
| After we finish the deployment of Grafana Flow Collector and can see some flow records in the Grafana UI, |
There was a problem hiding this comment.
Is it required that we verify flows are visibile in Grafana?
Otherwise I'd just write: "Once Theia is deployed, the Kubernetes Operator for Apache Spark will need to be installed in the cluster.
There was a problem hiding this comment.
Comment out these lines now since user won't need to deploy Spark Operator separately after PR#31 merged.
|
|
||
| We need to install the [Kubernetes Operator for Apache Spark](https://github.com/GoogleCloudPlatform/spark-on-k8s-operator) | ||
| in the cluster. | ||
| Our policy recommendation logic is implemented as a [Spark](https://github.com/apache/spark) application, |
There was a problem hiding this comment.
consider use consistent naming. In line with the previous comments this could be "Theia's NetworkPolicy Recommendation", but that's just an idea...
There was a problem hiding this comment.
Thanks, changed the title and filename accordingly.
| - `theia pr status` | ||
| - `theia pr retrieve` | ||
|
|
||
| To see all options and usage examples of these commands, you may run `theia policy-recommendation [subcommand] --help`. In the following sections, we will go through a simple example to utilize these commands with default options. |
There was a problem hiding this comment.
Nit: Perhaps the last sentence in not needed.
docs/theia.md
Outdated
| @@ -0,0 +1,68 @@ | |||
| # Theia | |||
|
|
|||
| Theia is the command-line tool which provides access to Theia network flow | |||
There was a problem hiding this comment.
Honest question: should we refer to theia with lowercase initial and monospaced font?
docs/theia.md
Outdated
|
|
||
| ## Installation | ||
|
|
||
| Starting with Theia release v0.1, we publish the theia binaries for |
There was a problem hiding this comment.
This probably just a personal prefenrence, but to me seems documentation is best written in 3rd person.
E.g.:
theia binaries are published for different OS/CPU Architecture combionations. Refer to the...
There was a problem hiding this comment.
Sounds good to me, changed.
docs/theia.md
Outdated
| ## Compile | ||
|
|
||
| If you made some changes on theia code and would like to compile | ||
| and test locally, please run these commands inside the Theia main directory: |
There was a problem hiding this comment.
this paragraph seems redundant. Maybe just
In order to compile theia the following commands should be run from Theia's main directory:
There was a problem hiding this comment.
Thanks, addressed.
dreamtalen
force-pushed
the
cli-doc
branch
3 times, most recently
from
7337c25
to
30202dd
Compare
docs/networkpolicy-recommendation.md
Outdated
|
|
||
| ## Perform NetworkPolicy Recommendation | ||
|
|
||
| Currently, the NetworkPolicy recommendation feature only supports command line interaction through `theia`. |
There was a problem hiding this comment.
Opinion: I would rephrase this as "Users can leverage Theia's NetworkPolicy recommendation feature through theia CLI."
There was a problem hiding this comment.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
| `theia` is the command-line tool which provides access to Theia network flow visibility capabilities. | ||
| To get more information about `theia`, please refer to this [doc](theia.md). | ||
|
|
||
| We have 3 `theia` commands for the policy recommendation feature: |
There was a problem hiding this comment.
Usual opinion about impersonal docs: "There are 3 theia commands for..."
docs/networkpolicy-recommendation.md
Outdated
|
|
||
| ### Run a policy recommendation job | ||
|
|
||
| The `theia policy-recommendation run` command can run a new policy recommendation job. |
There was a problem hiding this comment.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
|
|
||
| The `theia policy-recommendation status` command is used to check the status of a previous policy recommendation job. | ||
|
|
||
| For example the job we just created above, we could check the status of it by: |
There was a problem hiding this comment.
s/status of it/its status/
Also consider replacing "by" with "via" or "through"
There was a problem hiding this comment.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
|
|
||
| It will return the status of this policy recommendation job like `SUBMITTED`, `RUNNING`, `COMPLETED`, and `FAILED`. | ||
|
|
||
| For a complete list of the possible status of a policy recommendation job, please refer to the definition [here](https://github.com/GoogleCloudPlatform/spark-on-k8s-operator/blob/3b58b2632545b1f20e105a6080d6597513af60da/pkg/apis/sparkoperator.k8s.io/v1beta2/types.go#L331). |
There was a problem hiding this comment.
"statuses" (plural)
Isn't there a documentation link you could share instead of a pointer to spark operator code?
There was a problem hiding this comment.
Sure, I replaced it with an api-doc link
docs/theia.md
Outdated
| theia help | ||
| ``` | ||
|
|
||
| For Linux, we also publish binaries for Arm-based systems. |
There was a problem hiding this comment.
Imho this statement is probably misplaced here. Here we expect instructions for fetching an installing the CLI. This note about ARM support can be in the paragraph at lines 16-18
docs/theia.md
Outdated
| ## Compilation | ||
|
|
||
| In order to compile `theia` the following commands should be run from | ||
| Theia's main directory: |
There was a problem hiding this comment.
Should Windows compilation instructions be provided as well?
There was a problem hiding this comment.
I didn't include the compilation of Windows because I think make won't work on Windows. Or maybe we could delete the whole Compilation paragraph since I find antctl doc only provides instructions on installation: https://github.com/antrea-io/antrea/blob/main/docs/antctl.md#installation
There was a problem hiding this comment.
I agree with removal. The section isn't really adding any useful info
docs/networkpolicy-recommendation.md
Outdated
| Then, please follow these [deployment steps](network-flow-visibility.md#deployment-steps) | ||
| to deploy Theia. | ||
|
|
||
| Commet out following lines since user won't need to deploy Spark Operator separately after PR#31 merged. |
There was a problem hiding this comment.
I think the Installation section might become obsolete considering spark-operator is also being adding to flow-visibility.yaml?
I would probably list "pre-requisites" here, and namely:
- flow exporter must be enabled (which is a pre-requisite for all network visibility)
- flow aggregator must store pod label
It is also true that we want to have a "hard way" installation story (the one below), but it should be - in my opinion - together with flow visibility installation info
There was a problem hiding this comment.
Prerequisite sounds good to me, updated this doc first, and will change the flow visibility doc after we finalized the overall install story.
docs/networkpolicy-recommendation.md
Outdated
| ### Run a policy recommendation job | ||
|
|
||
| The `theia policy-recommendation run` command can run a new policy recommendation job. | ||
| If the new policy recommendation job is created successfully, the `recommendation ID` of this job will be returned: |
There was a problem hiding this comment.
A few words about the ID? It will be needed for status/retrieve, so customers need to store it somewhere. Otherwise, it may be ignored and seems we don't have a way for customers to get it back?
There was a problem hiding this comment.
That's a very valuable usability advice, @ziyouw - I've bee thinking too that we need a story to manage recommendations jobs (for instance at some point we want to delete them!).
We need additional CLI commands to list/delete recommendation jobs. I will create a new github issue to track this.
There was a problem hiding this comment.
Sure, added a short description of ID here.
dreamtalen
force-pushed
the
cli-doc
branch
4 times, most recently
from
1f4ca82
to
5581f39
Compare
Signed-off-by: Yongming Ding <dyongming@vmware.com>
| curl -Lo ./theia "https://github.com/antrea-io/theia/releases/download/<TAG>/theia-$(uname)-x86_64" | ||
| chmod +x ./theia | ||
| mv ./theia /some-dir-in-your-PATH/theia | ||
| theia help |
There was a problem hiding this comment.
Maybe remove this command, as it is not about installation?
There was a problem hiding this comment.
Hi Jianjun, I was following the convention in the antctl doc here. I think this help command could help users verify the installation is successful.
docs/networkpolicy-recommendation.md
Outdated
| ``` | ||
|
|
||
| To apply recommended policies in the cluster, we can save the recommended | ||
| policies to a yml file and apply it through `kubectl`: |
There was a problem hiding this comment.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
|
|
||
| ## Prerequisite | ||
|
|
||
| - [Flow Exporter]( |
There was a problem hiding this comment.
Could we simply point to network-flow-visibility.md which should include a section to install everything?
There was a problem hiding this comment.
Yes, we will change this link to a quick-start section in network-flow-visibility.md in the future. Once we finalized the installation story, adding the helm chart for Flow Aggregator, etc.
There was a problem hiding this comment.
Could we have the change in Theia 0.1? Again, the current installation steps are too hard for users to follow.
There was a problem hiding this comment.
Got it, according to the discussion inside team yesterday, we plan to add a Flow Aggregator chart in Theia first since Antrea won't ship helm charts in v1.7, and the whole installation steps will be kubectl apply -f antrea.yaml && helm install flow-aggregator && helm install theia.
For the work estimate of this change, I would like to transfer this question to @salv-orlando
cc. @yanjunz97
There was a problem hiding this comment.
Even if we cannot get charts for Flow Aggregator in 1.7, let us at least clean up installation section in network-flow-visibility.md to document the basic steps to stet up everything with default settings, and then this doc can point to that.
There was a problem hiding this comment.
We plan to have a PR containing the Flow Aggregator chart and quick-start section merged by the end of this week.
|
Hi @jianjuns @salv-orlando @ziyouw, may I know if you have further comments on this PR (except the quick-start section which will be included in a separate PR)? |
docs/networkpolicy-recommendation.md
Outdated
|
|
||
| ## Prerequisite | ||
|
|
||
| - [Flow Exporter]( |
There was a problem hiding this comment.
OK, changed the Flow Aggregator to Antrea Flow Aggregator too.
docs/networkpolicy-recommendation.md
Outdated
| is enabled | ||
| - [Antrea Flow Aggregator]( | ||
| https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md#flow-aggregator) | ||
| is deployed and stores Pod labels |
There was a problem hiding this comment.
Probably "and configured to store Pod labels"?
There was a problem hiding this comment.
Sounds good to me.
Signed-off-by: Yongming Ding <dyongming@vmware.com>
Sure, thanks for the reviews! |
Signed-off-by: Yongming Ding dyongming@vmware.com