NETOBSERV-1062: Add TCP drop and DNS tracking to netobserv operator #331

Closed
wants to merge 8 commits into from

msherif1234
Contributor

@msherif1234 msherif1234 commented Apr 28, 2023

The TCPdrop tracepoint needs a special volume mount; added a flag to control the TCPdrop feature.
By default it's turned off.

@openshift-ci-robot
Collaborator

openshift-ci-robot commented Apr 28, 2023

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

The TCPdrop tracepoint needs a special volume mount; added a flag to control the TCPdrop feature. It defaults to true.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot
Collaborator

openshift-ci-robot commented Apr 28, 2023

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

The TCPdrop tracepoint needs a special volume mount; added a flag to control the TCPdrop feature.
By default it's turned off.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@codecov

codecov bot commented Apr 28, 2023

Codecov Report

Merging #331 (93a46e1) into main (a4a3c26) will decrease coverage by 0.85%.
The diff coverage is 51.79%.

❗ Current head 93a46e1 differs from pull request most recent head def94dc. Consider uploading reports for the commit def94dc to get more accurate results

@@            Coverage Diff             @@
##             main     #331      +/-   ##
==========================================
- Coverage   54.52%   53.67%   -0.85%     
==========================================
  Files          44       44              
  Lines        5423     5559     +136     
==========================================
+ Hits         2957     2984      +27     
- Misses       2259     2359     +100     
- Partials      207      216       +9     
Flag Coverage Δ
unittests 53.67% <51.79%> (-0.85%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
api/v1alpha1/flowcollector_webhook.go 0.00% <0.00%> (ø)
api/v1alpha1/zz_generated.conversion.go 0.26% <0.00%> (+<0.01%) ⬆️
api/v1beta1/flowcollector_types.go 100.00% <ø> (ø)
...ntrollers/ebpf/internal/permissions/permissions.go 45.23% <0.00%> (-1.39%) ⬇️
controllers/consoleplugin/consoleplugin_objects.go 95.42% <33.33%> (-1.64%) ⬇️
pkg/helper/flowcollector.go 66.66% <40.00%> (-3.47%) ⬇️
controllers/flowlogspipeline/flp_common_objects.go 81.31% <51.11%> (-5.28%) ⬇️
controllers/ebpf/agent_controller.go 70.70% <58.77%> (-10.36%) ⬇️
api/v1beta1/zz_generated.deepcopy.go 53.77% <100.00%> (+1.05%) ⬆️

@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label Apr 29, 2023
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:b82d0dc
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-b82d0dc
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-b82d0dc

They will expire after two weeks.

Catalog source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-b82d0dc
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@github-actions github-actions bot removed the ok-to-test label Apr 29, 2023
@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label Apr 29, 2023
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:cbad56c
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-cbad56c
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-cbad56c

They will expire after two weeks.

Catalog source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-cbad56c
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@github-actions github-actions bot removed the ok-to-test label May 1, 2023
@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label May 1, 2023
@github-actions

github-actions bot commented May 1, 2023

New images:

  • quay.io/netobserv/network-observability-operator:e760a39
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-e760a39
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-e760a39

They will expire after two weeks.

Catalog source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-e760a39
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@jpinsonneau
Contributor

After testing this on clusterbot 4.13 aws,large with enableTCPDrop: true, I get the following error:

Error creating: pods "netobserv-ebpf-agent-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000710000, 1000719999], spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
  relatedImages:
    - image: 'quay.io/netobserv/netobserv-ebpf-agent:adfa724'
      name: ebpf-agent
    - image: 'quay.io/netobserv/flowlogs-pipeline:06ebf5e'
      name: flowlogs-pipeline
    - image: 'quay.io/netobserv/network-observability-console-plugin:main'
      name: console-plugin
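
Read per provider, the admission error quoted in the comment above separates SCCs the service account has no permission to use from the one SCC that was usable but rejected specific pod fields. The following is an added example, not code from the PR or the operator: `triage_scc_error` is a hypothetical helper, and the sample string is abbreviated from the quoted error.

```python
import re

# Constructed sample: abbreviated from the admission error quoted above.
SAMPLE = (
    'pods "netobserv-ebpf-agent-" is forbidden: unable to validate against any '
    'security context constraint: [provider "anyuid": Forbidden: not usable by '
    'user or serviceaccount, provider restricted-v2: '
    '.spec.securityContext.hostNetwork: Invalid value: true: Host network is '
    'not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": '
    'hostPath volumes are not allowed to be used, '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be '
    'in the ranges: [1000710000, 1000719999], '
    'spec.containers[0].securityContext.privileged: Invalid value: true: '
    'Privileged containers are not allowed, provider "privileged": Forbidden: '
    'not usable by user or serviceaccount]'
)

PROVIDER = re.compile(r'provider "?([\w-]+)"?: ')      # SCC name, quoted or not
FIELD = re.compile(r'(?:^|, )\.?(spec\.[^:\s]+): ')    # pod field path
NOT_USABLE = "Forbidden: not usable by user or serviceaccount"


def triage_scc_error(message):
    """Return (no_access, rejected) for an SCC admission error.

    no_access: SCCs the service account has no 'use' permission on.
    rejected: SCC name -> pod fields that SCC refused to admit.
    """
    no_access, rejected = [], {}
    hits = list(PROVIDER.finditer(message))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        body = message[hit.end():end].rstrip(", ")
        if i + 1 == len(hits) and body.endswith("]"):
            body = body[:-1]  # closing bracket of the provider list
        if body == NOT_USABLE:
            no_access.append(hit.group(1))
        else:
            rejected[hit.group(1)] = [m.group(1) for m in FIELD.finditer(body)]
    return no_access, rejected


if __name__ == "__main__":
    missing, failed = triage_scc_error(SAMPLE)
    print("no 'use' permission:", missing)
    print("rejected pod fields:", failed)
```

Here `privileged` lands in the no-access list while only `restricted-v2` evaluated the pod, which points at a missing SCC grant for the agent's service account rather than at the pod spec.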

@github-actions github-actions bot removed the ok-to-test label May 2, 2023
@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label May 2, 2023
@github-actions

github-actions bot commented May 2, 2023

New images:

  • quay.io/netobserv/network-observability-operator:fa97162
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-fa97162
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-fa97162

They will expire after two weeks.

Catalog source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-fa97162
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@github-actions github-actions bot removed the ok-to-test label May 9, 2023
@memodi
Contributor

memodi commented Jul 13, 2023

could we list these 3 options in flowcollector yaml config in order:

never mind, I think it follows alphabetical order.

@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label Jul 13, 2023
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:ccabe88
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-ccabe88
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-ccabe88

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:ccabe88 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-ccabe88

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-ccabe88
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@github-actions github-actions bot removed the ok-to-test label Jul 14, 2023
@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label Jul 14, 2023
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:13e79b8
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-13e79b8
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-13e79b8

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:13e79b8 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-13e79b8

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-13e79b8
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@github-actions github-actions bot removed the ok-to-test label Jul 14, 2023
@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label Jul 14, 2023
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:63a535e
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-63a535e
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-63a535e

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:63a535e make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-63a535e

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-63a535e
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
Signed-off-by: msherif1234 <mmahmoud@redhat.com>
@github-actions github-actions bot removed the ok-to-test label Jul 14, 2023
@msherif1234
Contributor Author

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test label Jul 14, 2023
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:14a6c81
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-14a6c81
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-14a6c81

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:14a6c81 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-14a6c81

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-14a6c81
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

msherif1234 added a commit to msherif1234/network-observability-operator that referenced this pull request Jul 14, 2023
This PR depends on PR netobserv#331 so 331 needs to be merged first

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
@jotak
Member

jotak commented Jul 17, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jul 17, 2023
msherif1234 added a commit to msherif1234/network-observability-operator that referenced this pull request Jul 17, 2023
This PR depends on PR netobserv#331 so 331 needs to be merged first

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
msherif1234 added a commit to msherif1234/network-observability-operator that referenced this pull request Jul 17, 2023
This PR depends on PR netobserv#331 so 331 needs to be merged first

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
openshift-merge-robot pushed a commit that referenced this pull request Jul 17, 2023
* NETOBSERV-979: Add TCP drop to netobserv operator

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* Add scc rbac to fix issues with scc constraint

when creating ebpf pod in privileged mode we
got Error creating: pods "netobserv-ebpf-agent-"
is forbidden: unable to validate against any
security context constraint

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* Add DNS tracker operator changes

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* Address PR review comments

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* list enabled features in console plugin configmap

* fix TcpDrop fields case

* NETOBSERV-1191: fix updating tcpdrop and dns configs

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* fix linter complexity error

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* NETOBSERV-1190: use DNS latency instead of TS

This PR depends on PR #331 so 331 needs to be merged first

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

---------

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
Co-authored-by: Julien Pinsonneau <91894519+jpinsonneau@users.noreply.github.com>
@msherif1234
Contributor Author

already been done via #395

Labels: breaking-change, jira/valid-reference, lgtm, ok-to-test
9 participants