# Dedicated namespace that holds every flow-aggregator resource in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: flow-aggregator
  labels:
    app: flow-aggregator
---
# Identity the aggregator Pod runs as (referenced by spec.serviceAccountName
# in the Deployment); its API permissions come from the ClusterRoleBindings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flow-aggregator
  namespace: flow-aggregator
  labels:
    app: flow-aggregator
---
# Namespaced Role for the exporter side (bound to the antrea-agent
# ServiceAccount by flow-exporter-role-binding). It grants read access to
# exactly two objects — the CA ConfigMap and the client TLS Secret — and both
# rules are pinned with resourceNames, so no other ConfigMap or Secret in this
# namespace is readable through it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: flow-aggregator
  name: flow-exporter-role
  namespace: flow-aggregator
rules:
  # Read the aggregator's CA bundle.
  - apiGroups:
      - ""
    resourceNames:
      - flow-aggregator-ca
    resources:
      - configmaps
    verbs:
      - get
  # Read the client certificate/key Secret.
  - apiGroups:
      - ""
    resourceNames:
      - flow-aggregator-client-tls
    resources:
      - secrets
    verbs:
      - get
---
# Cluster-wide permissions of the flow-aggregator ServiceAccount (bound by
# flow-aggregator-cluster-role-binding). Rules carrying resourceNames are
# limited to the named object; the create grants cannot be (RBAC does not
# evaluate resourceNames for create), so those apply in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: flow-aggregator
  name: flow-aggregator-role
rules:
  # Read and rewrite the aggregator's CA ConfigMap. Note that the unrestricted
  # configmaps rule further down already grants get on every ConfigMap, so the
  # pin here effectively only narrows update.
  - apiGroups:
      - ""
    resourceNames:
      - flow-aggregator-ca
    resources:
      - configmaps
    verbs:
      - get
      - update
  # Cluster-wide Pod read/watch; presumably used to attach Pod metadata to flow
  # records (recordContents.podLabels in the ConfigMap) — confirm against the
  # controller code.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  # ConfigMap create/get/list/watch with no name or namespace restriction.
  # NOTE(review): if the aggregator only creates objects in its own namespace,
  # moving this rule into a namespaced Role would bound the grant.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - list
      - watch
  # Read of the extension-apiserver-authentication ConfigMap (kube-system),
  # the usual requirement for a component serving its own authenticated API
  # (apiServer.apiPort in the ConfigMap). Also already covered by the
  # unrestricted configmaps rule above.
  - apiGroups:
      - ""
    resourceNames:
      - extension-apiserver-authentication
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Read and rotate the client TLS Secret.
  - apiGroups:
      - ""
    resourceNames:
      - flow-aggregator-client-tls
    resources:
      - secrets
    verbs:
      - get
      - update
  # Secret creation in all namespaces; same NOTE(review) as for configmaps.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  # Rewrite the aggregator's own configuration ConfigMap.
  - apiGroups:
      - ""
    resourceNames:
      - flow-aggregator-configmap
    resources:
      - configmaps
    verbs:
      - update
---
# Lets the antrea-agent ServiceAccount (kube-system) use flow-exporter-role
# inside the flow-aggregator namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flow-exporter-role-binding
  namespace: flow-aggregator
  labels:
    app: flow-aggregator
subjects:
  - kind: ServiceAccount
    name: antrea-agent
    namespace: kube-system
roleRef:
  kind: Role
  name: flow-exporter-role
  apiGroup: rbac.authorization.k8s.io
---
# Grants the aggregator the antrea-cluster-identity-reader ClusterRole, which
# is not defined in this file (it comes with the Antrea installation).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flow-aggregator-cluster-id-reader
  labels:
    app: flow-aggregator
subjects:
  - kind: ServiceAccount
    name: flow-aggregator
    namespace: flow-aggregator
roleRef:
  kind: ClusterRole
  name: antrea-cluster-identity-reader
  apiGroup: rbac.authorization.k8s.io
---
# Binds the cluster-wide flow-aggregator-role to the aggregator's
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flow-aggregator-cluster-role-binding
  labels:
    app: flow-aggregator
subjects:
  - kind: ServiceAccount
    name: flow-aggregator
    namespace: flow-aggregator
roleRef:
  kind: ClusterRole
  name: flow-aggregator-role
  apiGroup: rbac.authorization.k8s.io
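---
# Aggregator configuration. flow-aggregator.conf is mounted by the Deployment
# at /etc/flow-aggregator and handed over with --config, so the text inside
# the block scalar is parsed by the aggregator's own config loader, not by the
# tooling that applies this manifest.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: flow-aggregator
  name: flow-aggregator-configmap
  namespace: flow-aggregator
data:
  flow-aggregator.conf: |
    # Provide the active flow record timeout as a duration string. This determines
    # how often the flow aggregator exports the active flow records to the flow
    # collector. Thus, for flows with a continuous stream of packets, a flow record
    # will be exported to the collector once the elapsed time since the last export
    # event in the flow aggregator is equal to the value of this timeout.
    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    activeFlowRecordTimeout: 60s
    # Provide the inactive flow record timeout as a duration string. This determines
    # how often the flow aggregator exports the inactive flow records to the flow
    # collector. A flow record is considered to be inactive if no matching record
    # has been received by the flow aggregator in the specified interval.
    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    inactiveFlowRecordTimeout: 90s
    # Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp.
    aggregatorTransportProtocol: "tls"
    # Provide an extra DNS name or IP address of flow aggregator for generating TLS certificate.
    flowAggregatorAddress: ""
    # recordContents enables configuring some fields in the flow records. Fields can
    # be excluded to reduce record size, but some features or external tooling may
    # depend on these fields.
    recordContents:
      # Determine whether source and destination Pod labels will be included in the flow records.
      podLabels: false
    # apiServer contains APIServer related configuration options.
    apiServer:
      # The port for the flow-aggregator APIServer to serve on.
      apiPort: 10348
      # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
      # https://golang.org/pkg/crypto/tls/#pkg-constants
      # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
      # prefer TLS1.3 Cipher Suites whenever possible.
      tlsCipherSuites: ""
      # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
      # NOTE(review): an empty value leaves the floor to the apiserver's built-in default, which
      # is not visible here; set VersionTLS12 or higher explicitly when a known floor is required.
      tlsMinVersion: ""
    # flowCollector contains external IPFIX or JSON collector related configuration options.
    flowCollector:
      # Enable is the switch to enable exporting flow records to external flow collector.
      enable: false
      # Provide the flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp.
      # If no L4 transport proto is given, we consider tcp as default.
      address: ""
      # Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow
      # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated
      # from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID
      # is not available), a value will be randomly generated, which may vary across restarts of the flow
      # aggregator.
      #observationDomainID:
      # Provide format for records sent to the configured flow collector.
      # Supported formats are IPFIX and JSON.
      recordFormat: "IPFIX"
    # clickHouse contains ClickHouse related configuration options.
    clickHouse:
      # Enable is the switch to enable exporting flow records to ClickHouse.
      enable: false
      # Database is the name of database where Antrea "flows" table is created.
      database: "default"
      # DatabaseURL is the url to the database. Provide the database URL as a string with format
      # <Protocol>://<ClickHouse server FQDN or IP>:<ClickHouse port>. The protocol has to be
      # one of the following: "tcp", "tls", "http", "https". When "tls" or "https" is used, tls
      # will be enabled.
      databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000"
      # TLS configuration options, when using TLS to connect to the ClickHouse service.
      tls:
        # InsecureSkipVerify determines whether to skip the verification of the server's certificate chain and host name.
        # Default is false.
        insecureSkipVerify: false
        # CACert indicates whether to use custom CA certificate. Default root CAs will be used if this field is false.
        # If true, a Secret named "clickhouse-ca" must be provided with the following keys:
        # ca.crt: <CA certificate>
        caCert: false
      # Debug enables debug logs from ClickHouse sql driver.
      debug: false
      # Compress enables lz4 compression when committing flow records.
      compress: true
      # CommitInterval is the periodical interval between batch commit of flow records to DB.
      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      # The minimum interval is 1s based on ClickHouse documentation for best performance.
      commitInterval: "8s"
    # s3Uploader contains configuration options for uploading flow records to AWS S3.
    s3Uploader:
      # Enable is the switch to enable exporting flow records to AWS S3.
      # At the moment, the flow aggregator will look for the "standard" environment variables to
      # authenticate to AWS. These can be static credentials (AWS_ACCESS_KEY_ID,
      # AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) or a Web Identity Token
      # (AWS_WEB_IDENTITY_TOKEN_FILE).
      enable: false
      # BucketName is the name of the S3 bucket to which flow records will be uploaded. If this
      # field is empty, initialization will fail.
      bucketName: ""
      # BucketPrefix is the prefix ("folder") under which flow records will be uploaded. If this
      # is omitted, flow records will be uploaded to the root of the bucket.
      bucketPrefix: ""
      # Region is used as a "hint" to get the region in which the provided bucket is located.
      # An error will occur if the bucket does not exist in the AWS partition the region hint
      # belongs to. If region is omitted, the value of the AWS_REGION environment variable will
      # be used, and if it is missing, we will default to "us-west-2".
      region: "us-west-2"
      # RecordFormat defines the format of the flow records uploaded to S3. Only "CSV" is
      # supported at the moment.
      recordFormat: "CSV"
      # Compress enables gzip compression when uploading files to S3. Defaults to true.
      compress: true
      # MaxRecordsPerFile is the maximum number of records per file uploaded. It is not recommended
      # to change this value.
      # Written as a plain integer: the former 1e+06 spelling is typed differently by different
      # YAML parsers (float on some, string on others).
      maxRecordsPerFile: 1000000
      # UploadInterval is the duration between each file upload to S3.
      uploadInterval: "60s"
    # FlowLogger contains configuration options for writing flow records to a local log file.
    flowLogger:
      # Enable is the switch to enable writing flow records to a local log file.
      enable: false
      # Path is the path to the local log file.
      path: "/tmp/antrea-flows.log"
      # MaxSize is the maximum size in MB of a log file before it gets rotated.
      maxSize: 100
      # MaxBackups is the maximum number of old log files to retain. If set to 0, all log files will be
      # retained (unless MaxAge causes them to be deleted).
      maxBackups: 3
      # MaxAge is the maximum number of days to retain old log files based on the timestamp encoded in
      # their filename. The default (0) is not to remove old log files based on age.
      maxAge: 0
      # Compress enables gzip compression on rotated files.
      compress: true
      # RecordFormat defines the format of the flow records logged to file. Only "CSV" is supported at
      # the moment.
      recordFormat: "CSV"
      # Filters can be used to select which flow records to log to file. The provided filters are OR-ed
      # to determine whether a specific flow should be logged.
      filters: []
      # PrettyPrint enables conversion of some numeric fields to a more meaningful string
      # representation.
      prettyPrint: true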
---
# ClickHouse credentials, read by the Deployment into CH_USERNAME and
# CH_PASSWORD. The committed values look like shipped defaults; supply the
# real ones from the deploying environment (or an external secret source)
# instead of committing them alongside the manifest.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: clickhouse-secret
  namespace: flow-aggregator
  labels:
    app: flow-aggregator
stringData:
  username: clickhouse_operator
  password: clickhouse_operator_password
---
# Static AWS credentials for the S3 uploader, exposed to the Deployment as
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN. "changeme"
# is a placeholder; a Web Identity Token (AWS_WEB_IDENTITY_TOKEN_FILE, see the
# s3Uploader comments in the ConfigMap) or an externally managed Secret avoids
# committing long-lived keys.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: flow-aggregator-aws-credentials
  namespace: flow-aggregator
  labels:
    app: flow-aggregator
stringData:
  aws_access_key_id: changeme
  aws_secret_access_key: changeme
  aws_session_token: ""
---
# Cluster-internal endpoint for IPFIX exporters. Both transports are exposed
# on 4739; which one actually accepts records is presumably decided by
# aggregatorTransportProtocol in the ConfigMap ("tls" by default).
apiVersion: v1
kind: Service
metadata:
  name: flow-aggregator
  namespace: flow-aggregator
  labels:
    app: flow-aggregator
spec:
  selector:
    app: flow-aggregator
  ports:
    - name: ipfix-udp
      protocol: UDP
      port: 4739
      targetPort: 4739
    - name: ipfix-tcp
      protocol: TCP
      port: 4739
      targetPort: 4739
---
# Single-replica aggregator Pod. Configuration comes from the ConfigMap mount;
# ClickHouse and AWS credentials come from the two Secrets above.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: flow-aggregator
  name: flow-aggregator
  namespace: flow-aggregator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: flow-aggregator
  template:
    metadata:
      labels:
        app: flow-aggregator
    spec:
      containers:
        - args:
            # Config path matches the flow-aggregator-config mount below.
            - --config
            - /etc/flow-aggregator/flow-aggregator.conf
            # Log to files in the hostPath directory and also to stderr; file
            # growth is bounded by the two max_* flags.
            - --logtostderr=false
            - --log_dir=/var/log/antrea/flow-aggregator
            - --alsologtostderr
            - --log_file_max_size=100
            - --log_file_max_num=4
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Credentials are injected as environment variables, so they are
            # readable by every process in the container (and by anyone able
            # to exec into it); a file mount would narrow that exposure.
            - name: CH_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: clickhouse-secret
            - name: CH_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: clickhouse-secret
            - name: FA_CONFIG_MAP_NAME
              value: flow-aggregator-configmap
            # The "standard" AWS variables the s3Uploader looks for (see the
            # ConfigMap comments).
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: aws_access_key_id
                  name: flow-aggregator-aws-credentials
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: aws_secret_access_key
                  name: flow-aggregator-aws-credentials
            - name: AWS_SESSION_TOKEN
              valueFrom:
                secretKeyRef:
                  key: aws_session_token
                  name: flow-aggregator-aws-credentials
          # NOTE(review): mutable tag combined with IfNotPresent — each node
          # keeps running whichever build it pulled first. Pinning a version or
          # digest (antrea/flow-aggregator@<IMAGE_DIGEST>) makes rollouts
          # reproducible.
          image: antrea/flow-aggregator:latest
          imagePullPolicy: IfNotPresent
          name: flow-aggregator
          # IPFIX collector port, matched by the Service's targetPort.
          ports:
            - containerPort: 4739
          # NOTE(review): no securityContext and no resource requests/limits
          # are set. Whether runAsNonRoot / dropped capabilities are safe
          # depends on the image's user and on the root-owned hostPath log
          # directory below — confirm before adding them.
          volumeMounts:
            - mountPath: /etc/flow-aggregator
              name: flow-aggregator-config
              readOnly: true
            # Node-local log directory; the container can write to it.
            - mountPath: /var/log/antrea/flow-aggregator
              name: host-var-log-antrea-flow-aggregator
            # Optional custom CA for ClickHouse (clickHouse.tls.caCert).
            - mountPath: /etc/flow-aggregator/certs
              name: clickhouse-ca
      nodeSelector:
        kubernetes.io/arch: amd64
        kubernetes.io/os: linux
      serviceAccountName: flow-aggregator
      volumes:
        - configMap:
            name: flow-aggregator-configmap
          name: flow-aggregator-config
        # DirectoryOrCreate: the kubelet creates the directory on the node if
        # it is missing.
        - hostPath:
            path: /var/log/antrea/flow-aggregator
            type: DirectoryOrCreate
          name: host-var-log-antrea-flow-aggregator
        # 256 decimal is mode 0400 (owner read only). optional: true lets the
        # Pod start when the clickhouse-ca Secret is absent, which is the case
        # while clickHouse.tls.caCert stays false in the ConfigMap.
        - name: clickhouse-ca
          secret:
            defaultMode: 256
            optional: true
            secretName: clickhouse-ca