Set pod labels to be optional fields in the network flow records

[yanjunz97]

The network flow record contains two fields related to pod labels, sourcePodLabel and destinationPodLabel. Sometimes long pod labels may cause problems. This PR sets the pod labels to be optional fields by adding a parameter includePodLabels in the flow aggregator configmap. By default, the pod labels will not be included in the flow records. If the user would like to include them, they can modify the flow aggregator configmap.

Signed-off-by: Yanjun Zhou zhouya@vmware.com

[codecov-commenter]

Codecov Report

Merging #2739 (b9d95d8) into main (0946ca6) will decrease coverage by 19.42%.
The diff coverage is 72.72%.

❗ Current head b9d95d8 differs from pull request most recent head 7f1ec92. Consider uploading reports for the commit 7f1ec92 to get more accurate results

@@             Coverage Diff             @@
##             main    #2739       +/-   ##
===========================================
- Coverage   60.31%   40.88%   -19.43%     
===========================================
  Files         284      158      -126     
  Lines       23470    19542     -3928     
===========================================
- Hits        14155     7990     -6165     
- Misses       7787    10802     +3015     
+ Partials     1528      750      -778     

Flag	Coverage Δ
kind-e2e-tests	?
unit-tests	40.88% <72.72%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/flowaggregator/flowaggregator.go	21.20% <72.72%> (-48.09%)	⬇️
pkg/ovs/openflow/default.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/util/runtime/runtime.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/agent/cniserver/pod_configuration_linux.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/ovs/openflow/logs.go	9.52% <0.00%> (-90.48%)	⬇️
pkg/apis/controlplane/register.go	0.00% <0.00%> (-90.00%)	⬇️
pkg/agent/nodeportlocal/k8s/annotations.go	0.00% <0.00%> (-83.88%)	⬇️
pkg/agent/agent_linux.go	0.00% <0.00%> (-80.00%)	⬇️
pkg/agent/client.go	0.00% <0.00%> (-77.42%)	⬇️
pkg/ovs/ovsconfig/ovs_client_linux.go	0.00% <0.00%> (-76.93%)	⬇️
... and 231 more

[dreamtalen]

Thanks Yanjun working on this.

[dreamtalen]

This line should be inside the if statement.

[yanjunz97]

Thanks for the review! It seems that in the if statement, we have really ensured the external fields to be filled. I added line 444 for the case that pod labels are not included. I tried to mark the external fields as filled to keep consistence with the case pod labels are provided. Should I just remove the line? Correct me if my understanding is wrong!

[dreamtalen]

Got it, missed you have this line inside the if statement, you could remove this else statement.

[yanjunz97]

done

[dreamtalen]

For e2e test, currently we are changing the config to include pod labels during e2e test and didn't add new test for not including pod labels situation to avoid making test longer, we would like to hear more options from @srikartati, do you think we need to add the test for the not including pod labels situation?

[srikartati]

That is fine but I see that the "false" case was skipped for unit tests. Maybe it can be added there to get coverage for it.
@zyiou plans to add flow aggregator restart test in e2e tests. This scenario of not including Pod labels could be covered then. Please take note of that.

[yanjunz97]

done

[srikartati]

"includePodLabels indicates whether source and destination Pod labels are included or not"

[yanjunz97]

done

[srikartati]

That is fine but I see that the "false" case was skipped for unit tests. Maybe it can be added there to get coverage for it.
@zyiou plans to add flow aggregator restart test in e2e tests. This scenario of not including Pod labels could be covered then. Please take note of that.

[dreamtalen]

Thanks @srikartati, Yanjun please make corresponding changes. Also, please modify the flow visibility doc since we have this new config.

[yanjunz97]

Thanks @dreamtalen and @srikartati . Starting to work on them.

[yanjunz97]

/test-e2e

[dreamtalen]

Same above.

[yanjunz97]

done

[dreamtalen]

Could we have a for loop here with true or false includePodLabels when creating flowAggregator object instead of copying these lines?

[yanjunz97]

Sounds good. Done.

[yanjunz97]

/test-all

[srikartati]

LGTM.
In general, I feel changing this option runtime is more useful to the user rather than enforcing a restart of the Flow Aggregator. We should support this through antctl in the future.

Any thoughts on how this can be extended to other K8s metadata fields if required?

[srikartati]

/test-ipv6-e2e /test-ipv6-only-e2e

[yanjunz97]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[yanjunz97]

LGTM.
In general, I feel changing this option runtime is more useful to the user rather than enforcing a restart of the Flow Aggregator. We should support this through antctl in the future.

Any thoughts on how this can be extended to other K8s metadata fields if required?

I have not dug deep into the implementation of antctl. But it seems for the metadata fields in flow-aggregator configmap, all of them are parsed and saved in a variable of type flowAggregator, which is modifiable in runtime.

[yanjunz97]

/test-windows-networkpolicy
/test-networkpolicy
/test-all-features-conformance

[yanjunz97]

/test-windows-conformance
/test-windows-e2e
/test-windows-networkpolicy

[srikartati]

LGTM

[antoninbas]

I have a concern that this will make integration with other tools harder, as these tools (e.g. NetworkPolicy recommendation) may depend on these labels to function properly. @srikartati what's the plan in this case? It seems that we do not need a better solution for Pods with "long labels".

[antoninbas]

I'd rather define a more generic configuration parameter that can be extended later:

recordContents:
    podLabels: false

or recordInformation if it is preferred to recordContents.

This is the direction we are taking for other Antrea components as well. @srikartati what do you think?

[srikartati]

Yes. It is a good idea to make this extensible to multiple fields. However, this would only help with a small subset of fields that are added at the Flow Aggregator. We cannot truly disable the fields, especially the rest of Kubernetes metadata, which are added at the Flow Exporter--for this, we may need config map parameter in Antrea agent.
The rest of the fields that are added at the Aggregator are source and destination statistics, which I feel is not so significant to have this toggle option.

Maybe we could continue to have this option at the Aggregator and add this map-based data type in the Antrea Agent config map to disable at the Flow Exporter in a different PR.

[antoninbas]

I would say symmetry between the 2 configs is a good thing to have. There is also no telling whether we will include more information in the FlowAggregator in the future.

[srikartati]

It is a valid point that we may add new fields like pod labels in the future to the Flow Aggregator. Changing to map-based generic config parameter sounds good.

[antoninbas]

@yanjunz97 could you address this ^

[yanjunz97]

Sure. Start to work on it

[yanjunz97]

done

[srikartati]

I have a concern that this will make integration with other tools harder, as these tools (e.g. NetworkPolicy recommendation) may depend on these labels to function properly. @srikartati what's the plan in this case? It seems that we do not need a better solution for Pods with "long labels".

Yes, Network Policy Recommendation engine would need this. However, we have two options to deploy the reco engine--either inside or outside the cluster. If it is inside, netpol reco engine could fetch the labels from API server directly rather than getting from the flow record. Do you agree @dreamtalen?

And the other visibility application that would need labels is Monitoring UI, which can be customizable by the user.

[dreamtalen]

I have a concern that this will make integration with other tools harder, as these tools (e.g. NetworkPolicy recommendation) may depend on these labels to function properly. @srikartati what's the plan in this case? It seems that we do not need a better solution for Pods with "long labels".

Yes, Network Policy Recommendation engine would need this. However, we have two options to deploy the reco engine--either inside or outside the cluster. If it is inside, netpol reco engine could fetch the labels from API server directly rather than getting from the flow record. Do you agree @dreamtalen?

And the other visibility application that would need labels is Monitoring UI, which can be customizable by the user.

Yes, I agree. I have another option in my head on long term architecture design is that we could fill these pod labels info when doing the flow processing before store flow records in the database, so that np recommendation engine, UI, and performance analysis module could have these info when fetching flow records from db.

[antoninbas]

Yes, Network Policy Recommendation engine would need this. However, we have two options to deploy the reco engine--either inside or outside the cluster. If it is inside, netpol reco engine could fetch the labels from API server directly rather than getting from the flow record.

But since we do want to support out-of-cluster, what is the plan then? How will the label information be exported from the cluster?

[srikartati]

Yes, Network Policy Recommendation engine would need this. However, we have two options to deploy the reco engine--either inside or outside the cluster. If it is inside, netpol reco engine could fetch the labels from API server directly rather than getting from the flow record.

But since we do want to support out-of-cluster, what is the plan then? How will the label information be exported from the cluster?

Label information will be present along with fields in the flow record. It will either be added by the Flow Aggregator or a visibility application. The design for exporting the flow record out of the cluster is still WIP. Currently, we are focusing on supporting single cluster.

[antoninbas]

Suggested change

	# Provide whether source and destination Pod labels will be included in the flow record.
	# Determine whether source and destination Pod labels will be included in the flow records.

[yanjunz97]

done

[antoninbas]

@yanjunz97 could you address this ^

[antoninbas]

Suggested change

	return 0, fmt.Errorf("%s not present. returned error: %v", ie, err)
	return 0, fmt.Errorf("error when getting InformationElement %s from registry: %v", ie, err)

[yanjunz97]

done

[antoninbas]

nit: maybe use a less verbose syntax here

{ false, true },
{ true, true },
...

[yanjunz97]

done

[antoninbas]

I am not sure of the usefulness of defining an includePodLabels constant

[yanjunz97]

Just to keep the consistence with other variables. I'm ok to use true here if you think it is better.

[antoninbas]

Sorry, I closed this by mistake...

[yanjunz97]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[srikartati]

Can we use simple type definition like featureGates in Antrea Agent? We can avoid a separate struct.
https://github.com/antrea-io/antrea/blob/main/cmd/antrea-agent/config.go#L23

[yanjunz97]

Thanks Srikar. Sounds good as we may only need boolean value in the RecordContents. Updated.

[yanjunz97]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[srikartati]

"recordContents enables configuring some fields in the flow records, A field can be either included (true) or excluded (false) by providing a bool value."

[yanjunz97]

done

[srikartati]

Same as above

[yanjunz97]

done

[srikartati]

LGTM

[antoninbas]

LGTM, thanks for making the changes

[antoninbas]

/test-all

[yanjunz97]

/test-conformance

[antoninbas]

@yanjunz97 can you resolve the conflicts?

[yanjunz97]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[antoninbas]

why are we using a map for this?

newFlowAggregator := func(bool includePodLabels) * flowAggregator {
    return &flowAggregator{...}
}
flowAggregatorWithPodLabels := newFlowAggregator(true)
flowAggregatorWithoutPodLabels := newFlowAggregator(false)

[yanjunz97]

Good idea! Updated

[antoninbas]

maybe unify the ifs?

[yanjunz97]

done

[antoninbas]

LGTM

[yanjunz97]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[yanjunz97]

/test-all-features-conformance
/test-hw-offload