New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add docs for theia and policy recommendation CLI #36
Conversation
f444a11
to
f670dd9
Compare
|
||
## Deployment | ||
|
||
To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) to deploy Flow Exporter and Flow Aggregator first. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy my comments here too:
We received a valid feedback the deployment steps are too complex to follow, and can be a big challenge for a normal user. Could we have an all-in-one quick-start to deploy everything, rather than refer to multiple docs? At least, we should have a quick-start to deploy Grafana Flow Collector with default settings, and then this doc can point to that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For your reference, this is the quick-start we are adding for multi-cluster (yes it still looks complex without any automation): antrea-io/antrea#3853 (comment)
But I do not mean you should create a separate quick-start doc. I kindof suggest to add a quick-start (or just call call it installation) section to the Theia network-flow-visibility doc with all steps to quickly set up all components (Antrea, Flow Aggregator, Grafana, etc.), with default settings (the simpler the better).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank Jianjun, for the quick-start, I think using helm is the simplest way to achieve that. After #31 is merged, all the needed steps will be:
- Deploy Antrea with Flow Exporter, and Flow Aggregator following a doc inside the Antrea repo.
- Run the helm install command of Theia to deploy Clickhouse, grafana, spark operator, etc.
Is this good enough now? Or we'd better come up with a solution to deploy all components in one step?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dreamtalen - as a user, ideally I would be able to deploy antrea + theia by:
- setting mandatory parameters in values.yaml
- do something like
helm install theia && helm install antrea
(or the other way around)
So, your plan looks quite good, but in the quick start doc I think it's better to provide users a way to do things very quickly only using helm (e.g.: not 1) set config values for antrea; 2) deploy antrea with helm; 3) do some config changes; 4)set config values for Theia; 5) deploy theia with helm
4bead5b
to
a5030ae
Compare
docs/theia.md
Outdated
@@ -0,0 +1,68 @@ | |||
# Theia |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use "theia" to refer to the CLI tool.
Maybe use "theia Command-line Tool" or "Theia Command-line Tool" as the title
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, changed to "Theia Command-line Tool" now.
docs/theia.md
Outdated
@@ -0,0 +1,68 @@ | |||
# Theia | |||
|
|||
Theia is the command-line tool which provides access to Theia network flow |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use "theia
" in the text.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
docs/theia.md
Outdated
|
||
<!-- toc --> | ||
- [Installation](#installation) | ||
- [Compile](#compile) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Compilation" to be consistent with others.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
docs/theia.md
Outdated
theia help | ||
``` | ||
|
||
For Linux, we also publish binaries for Arm-based systems. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a single binary? Then: "binary"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took a look at antctl release and found there will be two binaries for arm and arm64
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Imho this statement is probably misplaced here. Here we expect instructions for fetching an installing the CLI. This note about ARM support can be in the paragraph at lines 16-18
|
||
We need to install the [Kubernetes Operator for Apache Spark](https://github.com/GoogleCloudPlatform/spark-on-k8s-operator) | ||
in the cluster. | ||
Our policy recommendation logic is implemented as a [Spark](https://github.com/apache/spark) application, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want a new line or not? If not do not switch to a new line for each sentence.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
Our policy recommendation logic is implemented as a [Spark](https://github.com/apache/spark) application, | ||
the Kubernetes Operator for Apache Spark helps us schedule the Spark job in the Kubernetes cluster. | ||
|
||
Please run the following command: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
commands
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
helm install policy-reco spark-operator/spark-operator --namespace flow-visibility --set image.tag=latest | ||
``` | ||
|
||
This will install the Kubernetes Operator for Apache Spark into the `flow-visibility` namespace. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Namespace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
The goal of this feature is to aid the cluster admin or developers to secure | ||
their applications based on the idea of the Zero Trust model. | ||
|
||
## Deployment |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Call it Installation or Preparation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
|
||
## Deployment | ||
|
||
To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am fine to merge the current version first, but again let us work on a single all-in-one quick-start (probably as a section of network-flow-visibility.md) to configure Exporter, deploy Flow Aggregator and Collector before we release 0.1!
[Grafana Flow Collector](network-flow-visibility.md#grafana-flow-collector) to generate | ||
[Kubernetes NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) | ||
or [Antrea NetworkPolicies](https://github.com/antrea-io/antrea/blob/main/docs/antrea-network-policy.md). | ||
The goal of this feature is to aid the cluster admin or developers to secure |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider rephrase:
This feature assists cluster administrators and app developers in securing their applications according to Zero Trust principles
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
|
||
## Deployment | ||
|
||
To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider rephrase:
Theia's NetworkPolicy Recommendation capablity leverages Antrea Flow Exporter and Flow Aggreator. Before leveraging this feature, follow this doc to ensure they are deployed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
|
||
To use the NetworkPolicy recommendation feature, please follow this [doc](https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md) | ||
to deploy Flow Exporter and Flow Aggregator first. | ||
Please update the `#podLabels: false` to `podLabels: true` inside |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider rephrase:
In addition, ensure podLabels: true is set in Flow Aggregator Configuration, as Theia's NetworkPolicy Recommendation (let's be consistent in the way we call things) feature needs to process pod label information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
because policy recommendation feature needs Pod labels information to recommend network policies. | ||
|
||
Then, please follow these [deployment steps](network-flow-visibility.md#deployment-steps) | ||
to deploy the Grafana Flow Collector. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would just say "deploy Theia". does that make sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me, actually user could finish deployment here with helm install after PR#31 merged.
Then, please follow these [deployment steps](network-flow-visibility.md#deployment-steps) | ||
to deploy the Grafana Flow Collector. | ||
|
||
After we finish the deployment of Grafana Flow Collector and can see some flow records in the Grafana UI, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it required that we verify flows are visibile in Grafana?
Otherwise I'd just write: "Once Theia is deployed, the Kubernetes Operator for Apache Spark will need to be installed in the cluster.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment out these lines now since user won't need to deploy Spark Operator separately after PR#31 merged.
|
||
We need to install the [Kubernetes Operator for Apache Spark](https://github.com/GoogleCloudPlatform/spark-on-k8s-operator) | ||
in the cluster. | ||
Our policy recommendation logic is implemented as a [Spark](https://github.com/apache/spark) application, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
consider use consistent naming. In line with the previous comments this could be "Theia's NetworkPolicy Recommendation", but that's just an idea...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, changed the title and filename accordingly.
- `theia pr status` | ||
- `theia pr retrieve` | ||
|
||
To see all options and usage examples of these commands, you may run `theia policy-recommendation [subcommand] --help`. In the following sections, we will go through a simple example to utilize these commands with default options. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Perhaps the last sentence in not needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, removed.
docs/theia.md
Outdated
@@ -0,0 +1,68 @@ | |||
# Theia | |||
|
|||
Theia is the command-line tool which provides access to Theia network flow |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Honest question: should we refer to theia
with lowercase initial and monospaced font?
docs/theia.md
Outdated
|
||
## Installation | ||
|
||
Starting with Theia release v0.1, we publish the theia binaries for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This probably just a personal prefenrence, but to me seems documentation is best written in 3rd person.
E.g.:
theia
binaries are published for different OS/CPU Architecture combionations. Refer to the...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me, changed.
docs/theia.md
Outdated
## Compile | ||
|
||
If you made some changes on theia code and would like to compile | ||
and test locally, please run these commands inside the Theia main directory: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this paragraph seems redundant. Maybe just
In order to compile theia
the following commands should be run from Theia's main directory:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
7337c25
to
30202dd
Compare
docs/networkpolicy-recommendation.md
Outdated
|
||
## Perform NetworkPolicy Recommendation | ||
|
||
Currently, the NetworkPolicy recommendation feature only supports command line interaction through `theia`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opinion: I would rephrase this as "Users can leverage Theia's NetworkPolicy recommendation feature through theia
CLI."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
`theia` is the command-line tool which provides access to Theia network flow visibility capabilities. | ||
To get more information about `theia`, please refer to this [doc](theia.md). | ||
|
||
We have 3 `theia` commands for the policy recommendation feature: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usual opinion about impersonal docs: "There are 3 theia
commands for..."
docs/networkpolicy-recommendation.md
Outdated
|
||
### Run a policy recommendation job | ||
|
||
The `theia policy-recommendation run` command can run a new policy recommendation job. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/can run/triggers/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
|
||
The `theia policy-recommendation status` command is used to check the status of a previous policy recommendation job. | ||
|
||
For example the job we just created above, we could check the status of it by: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/status of it/its status/
Also consider replacing "by" with "via" or "through"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
|
||
It will return the status of this policy recommendation job like `SUBMITTED`, `RUNNING`, `COMPLETED`, and `FAILED`. | ||
|
||
For a complete list of the possible status of a policy recommendation job, please refer to the definition [here](https://github.com/GoogleCloudPlatform/spark-on-k8s-operator/blob/3b58b2632545b1f20e105a6080d6597513af60da/pkg/apis/sparkoperator.k8s.io/v1beta2/types.go#L331). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"statuses" (plural)
Isn't there a documentation link you could share instead of a pointer to spark operator code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I replaced it with an api-doc link
docs/theia.md
Outdated
theia help | ||
``` | ||
|
||
For Linux, we also publish binaries for Arm-based systems. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Imho this statement is probably misplaced here. Here we expect instructions for fetching an installing the CLI. This note about ARM support can be in the paragraph at lines 16-18
docs/theia.md
Outdated
## Compilation | ||
|
||
In order to compile `theia` the following commands should be run from | ||
Theia's main directory: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should Windows compilation instructions be provided as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't include the compilation of Windows because I think make
won't work on Windows. Or maybe we could delete the whole Compilation
paragraph since I find antctl
doc only provides instructions on installation: https://github.com/antrea-io/antrea/blob/main/docs/antctl.md#installation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with removal. The section isn't really adding any useful info
docs/networkpolicy-recommendation.md
Outdated
Then, please follow these [deployment steps](network-flow-visibility.md#deployment-steps) | ||
to deploy Theia. | ||
|
||
Commet out following lines since user won't need to deploy Spark Operator separately after PR#31 merged. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the Installation section might become obsolete considering spark-operator is also being adding to flow-visibility.yaml?
I would probably list "pre-requisites" here, and namely:
- flow exporter must be enabled (which is a pre-requisite for all network visibility)
- flow aggregator must store pod label
It is also true that we want to have a "hard way" installation story (the one below), but it should be - in my opinion - together with flow visibility installation info
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prerequisite
sounds good to me, updated this doc first, and will change the flow visibility
doc after we finalized the overall install story.
docs/networkpolicy-recommendation.md
Outdated
### Run a policy recommendation job | ||
|
||
The `theia policy-recommendation run` command can run a new policy recommendation job. | ||
If the new policy recommendation job is created successfully, the `recommendation ID` of this job will be returned: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few words about the ID? It will be needed for status/retrieve, so customers need to store it somewhere. Otherwise, it may be ignored and seems we don't have a way for customers to get it back?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a very valuable usability advice, @ziyouw - I've bee thinking too that we need a story to manage recommendations jobs (for instance at some point we want to delete them!).
We need additional CLI commands to list/delete recommendation jobs. I will create a new github issue to track this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, added a short description of ID here.
1f4ca82
to
5581f39
Compare
Signed-off-by: Yongming Ding <dyongming@vmware.com>
curl -Lo ./theia "https://github.com/antrea-io/theia/releases/download/<TAG>/theia-$(uname)-x86_64" | ||
chmod +x ./theia | ||
mv ./theia /some-dir-in-your-PATH/theia | ||
theia help |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe remove this command, as it is not about installation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Jianjun, I was following the convention in the antctl doc here. I think this help
command could help users verify the installation is successful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. NP to me.
docs/networkpolicy-recommendation.md
Outdated
``` | ||
|
||
To apply recommended policies in the cluster, we can save the recommended | ||
policies to a yml file and apply it through `kubectl`: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yml -> YAML
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
through -> using
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, addressed.
docs/networkpolicy-recommendation.md
Outdated
|
||
## Prerequisite | ||
|
||
- [Flow Exporter]( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we simply point to network-flow-visibility.md which should include a section to install everything?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we will change this link to a quick-start section in network-flow-visibility.md
in the future. Once we finalized the installation story, adding the helm chart for Flow Aggregator, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we have the change in Theia 0.1? Again, the current installation steps are too hard for users to follow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it, according to the discussion inside team yesterday, we plan to add a Flow Aggregator chart in Theia first since Antrea won't ship helm charts in v1.7, and the whole installation steps will be kubectl apply -f antrea.yaml && helm install flow-aggregator && helm install theia
.
For the work estimate of this change, I would like to transfer this question to @salv-orlando
cc. @yanjunz97
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even if we cannot get charts for Flow Aggregator in 1.7, let us at least clean up installation section in network-flow-visibility.md to document the basic steps to stet up everything with default settings, and then this doc can point to that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We plan to have a PR containing the Flow Aggregator chart and quick-start section merged by the end of this week.
Hi @jianjuns @salv-orlando @ziyouw, may I know if you have further comments on this PR (except the quick-start section which will be included in a separate PR)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two nits. Otherwise, LGTM
docs/networkpolicy-recommendation.md
Outdated
|
||
## Prerequisite | ||
|
||
- [Flow Exporter]( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Antrea Flow Exporter"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, changed the Flow Aggregator
to Antrea Flow Aggregator
too.
docs/networkpolicy-recommendation.md
Outdated
is enabled | ||
- [Antrea Flow Aggregator]( | ||
https://github.com/antrea-io/antrea/blob/main/docs/network-flow-visibility.md#flow-aggregator) | ||
is deployed and stores Pod labels |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably "and configured to store Pod labels"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me.
Signed-off-by: Yongming Ding <dyongming@vmware.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dreamtalen : would you merge this one first?
Sure, thanks for the reviews! |
Signed-off-by: Yongming Ding dyongming@vmware.com