diff --git a/modules/network-observability-flowcollector-api-specifications.adoc b/modules/network-observability-flowcollector-api-specifications.adoc index ba8b0b3ee469..367042fbd4e4 100644 --- a/modules/network-observability-flowcollector-api-specifications.adoc +++ b/modules/network-observability-flowcollector-api-specifications.adoc @@ -202,7 +202,7 @@ Otherwise it is matched as a case-sensitive string. | `features` | `array (string)` -| List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. A possible value is `+`. +| List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are: + - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged. @@ -377,7 +377,7 @@ Type:: | `action` | `string` -| `action` defines the action to perform on the flows that match the filter. +| `action` defines the action to perform on the flows that match the filter. The available options are `Accept`, which is the default, and `Reject`. | `cidr` | `string` @@ -386,14 +386,14 @@ Examples: `10.10.10.0/24` or `100:100:100:100::/64` | `destPorts` | `integer-or-string` -| `destPorts` defines the destination ports to filter flows by. +| `destPorts` optionally defines the destination ports to filter flows by. To filter a single port, set a single port as an integer value. For example, `destPorts: 80`. To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`. To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. | `direction` | `string` -| `direction` defines the direction to filter flows by. +| `direction` optionally defines a direction to filter flows by. The available options are `Ingress` and `Egress`. | `enable` | `boolean` 
@@ -401,42 +401,43 @@ To filter two ports, use a "port1,port2" in string format. For example, `ports: | `icmpCode` | `integer` -| `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, defines the ICMP code to filter flows by. +| `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by. | `icmpType` | `integer` -| `icmpType`, for ICMP traffic, defines the ICMP type to filter flows by. +| `icmpType`, for ICMP traffic, optionally defines the ICMP type to filter flows by. | `peerIP` | `string` -| `peerIP` defines the IP address to filter flows by. +| `peerIP` optionally defines the remote IP address to filter flows by. Example: `10.10.10.10`. | `pktDrops` | `boolean` -| `pktDrops` filters flows with packet drops +| `pktDrops` optionally filters only flows containing packet drops. | `ports` | `integer-or-string` -| `ports` defines the ports to filter flows by. It is used both for source and destination ports. +| `ports` optionally defines the ports to filter flows by. It is used both for source and destination ports. To filter a single port, set a single port as an integer value. For example, `ports: 80`. To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`. To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. | `protocol` | `string` -| `protocol` defines the protocol to filter flows by. +| `protocol` optionally defines a protocol to filter flows by. The available options are `TCP`, `UDP`, `ICMP`, `ICMPv6` and `SCTP`. | `sourcePorts` | `integer-or-string` -| `sourcePorts` defines the source ports to filter flows by. +| `sourcePorts` optionally defines the source ports to filter flows by. To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`. To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`. 
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`. | `tcpFlags` | `string` -| `tcpFlags` defines the TCP flags to filter flows by. +| `tcpFlags` optionally defines TCP flags to filter flows by. +In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK` and `RST-ACK`. |=== == .spec.agent.ebpf.metrics @@ -461,7 +462,7 @@ Type:: | `disableAlerts` is a list of alerts that should be disabled. Possible values are: + -`NetObservDroppedFlows` is triggered when the eBPF agent is missing packets or flows, such as when the eBPF hashmap is busy or full, or the capacity limiter is triggered. + +`NetObservDroppedFlows`, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter is being triggered. + | `enable` @@ -611,7 +612,7 @@ If the namespace is different, the config map or the secret is copied so that it | `type` | `string` -| Type for the file reference: "configmap" or "secret". +| Type for the file reference: `configmap` or `secret`. |=== == .spec.agent.ebpf.resources @@ -978,7 +979,7 @@ Required:: | `type` | `string` -| `type` selects the type of exporters. The available options are `Kafka` and `IPFIX`. +| `type` selects the type of exporters. The available options are `Kafka`, `IPFIX` and `OpenTelemetry`. |=== == .spec.exporters[].ipfix @@ -1003,11 +1004,11 @@ Required:: | `targetHost` | `string` -| Address of the IPFIX external receiver +| Address of the IPFIX external receiver. | `targetPort` | `integer` -| Port for the IPFIX external receiver +| Port for the IPFIX external receiver. | `transport` | `string` 
@@ -1113,7 +1114,7 @@ If the namespace is different, the config map or the secret is copied so that it | `type` | `string` -| Type for the file reference: "configmap" or "secret". +| Type for the file reference: `configmap` or `secret`. |=== == .spec.exporters[].kafka.sasl.clientSecretReference @@ -1148,7 +1149,7 @@ If the namespace is different, the config map or the secret is copied so that it | `type` | `string` -| Type for the file reference: "configmap" or "secret". +| Type for the file reference: `configmap` or `secret`. |=== == .spec.exporters[].kafka.tls @@ -1170,7 +1171,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` @@ -1183,14 +1184,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.exporters[].kafka.tls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: @@ -1229,7 +1230,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type:: 
@@ -1624,7 +1625,7 @@ If the namespace is different, the config map or the secret is copied so that it | `type` | `string` -| Type for the file reference: "configmap" or "secret". +| Type for the file reference: `configmap` or `secret`. |=== == .spec.kafka.sasl.clientSecretReference @@ -1659,7 +1660,7 @@ If the namespace is different, the config map or the secret is copied so that it | `type` | `string` -| Type for the file reference: "configmap" or "secret". +| Type for the file reference: `configmap` or `secret`. |=== == .spec.kafka.tls @@ -1681,7 +1682,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` @@ -1694,14 +1695,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.kafka.tls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: @@ -1740,7 +1741,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type:: @@ -2010,7 +2011,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` 
@@ -2023,14 +2024,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.loki.manual.statusTls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: @@ -2069,7 +2070,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type:: @@ -2123,7 +2124,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` @@ -2136,14 +2137,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.loki.manual.tls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: 
@@ -2182,7 +2183,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type:: @@ -2272,7 +2273,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` @@ -2285,14 +2286,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.loki.microservices.tls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: @@ -2331,7 +2332,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type:: @@ -2417,7 +2418,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` 
@@ -2430,14 +2431,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.loki.monolithic.tls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: @@ -2476,7 +2477,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type:: @@ -2538,7 +2539,7 @@ configuration, you can disable it and install your own instead. | `boolean` | Set `enable` to `true` to deploy network policies on the namespaces used by Network Observability (main and privileged). It is disabled by default. These network policies better isolate the Network Observability components to prevent undesired connections to them. -Either enable it, or create your own network policy for Network Observability. +We recommend you either enable it, or create your own network policy for Network Observability. |=== == .spec.processor 
@@ -2773,8 +2774,8 @@ Description:: + -- Define secondary networks to be checked for resources identification. -To guarantee a correct identification, the indexed values must form an unique identifier across the cluster. -If the same index is used by several resources, those resources might be wrongly labeled. +To guarantee a correct identification, indexed values must form an unique identifier across the cluster. +If the same index is used by several resources, those resources might be incorrectly labeled. -- Type:: @@ -3010,7 +3011,7 @@ If the namespace is different, the config map or the secret is copied so that it | `type` | `string` -| Type for the file reference: "configmap" or "secret". +| Type for the file reference: `configmap` or `secret`. |=== == .spec.processor.resources @@ -3236,7 +3237,7 @@ Type:: | `caCert` | `object` -| `caCert` defines the reference of the certificate for the Certificate Authority +| `caCert` defines the reference of the certificate for the Certificate Authority. | `enable` | `boolean` @@ -3249,14 +3250,14 @@ If set to `true`, the `caCert` field is ignored. | `userCert` | `object` -| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. |=== == .spec.prometheus.querier.manual.tls.caCert Description:: + -- -`caCert` defines the reference of the certificate for the Certificate Authority +`caCert` defines the reference of the certificate for the Certificate Authority. -- Type:: @@ -3295,7 +3296,7 @@ If the namespace is different, the config map or the secret is copied so that it Description:: + -- -`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS) +`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property. -- Type::
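
Review bot: In the `destPorts` row of the hunk at @@ -386,14 +386,14 @@, the unchanged two-port example still reads `ports: "80,100"`, while the single-port and range examples in the same row use `destPorts`. This hunk already rewrites the first line of that row, so change the example to `destPorts: "80,100"` as well. According to the `ports` row, `ports` applies to both source and destination ports, so a reader who copies the current example gets a broader filter than the row describes.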
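
Review bot: The two-port example for `sourcePorts` in the hunk at @@ -401,42 +401,43 @@ reads `ports: "80,100"`, although the single-port and range examples in that row use `sourcePorts`; change it to `sourcePorts: "80,100"`. In the same hunk, the added `tcpFlags` sentence names the three combinations (`SYN-ACK`, `FIN-ACK`, `RST-ACK`) but not the single flag values the field accepts, unlike the `protocol` and `direction` rows, which now list their options. List the accepted values there too, and write the reference as "RFC 9293".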
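
Review bot: The rewritten `NetObservDroppedFlows` line in the hunk at @@ -461,7 +462,7 @@ now says "eBPF agent" and "BPF hashmap" in the same sentence. The rest of the file uses "eBPF" (for example "the eBPF agent pods" in the `features` row), so keep "eBPF hashmap" unless the change of term is deliberate. "The capacity limiter is being triggered" also reads less cleanly than the original "is triggered".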
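
Review bot: The hunk at @@ -978,7 +979,7 @@ adds `OpenTelemetry` as a third value for the exporter `type`, but nothing in this patch documents the fields of that exporter. The old-to-new line offset stays at +1 in every later hunk, so no section was added after `.spec.exporters[].ipfix` or the `.spec.exporters[].kafka` sections. Confirm that the module already has a section for the OpenTelemetry exporter's settings (target and TLS), or add one in this change, so that the new value does not point at undocumented configuration.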
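
Review bot: The added sentence in the hunk at @@ -2538,7 +2539,7 @@, "We recommend you either enable it, or create your own network policy", switches to first person in a reference that is otherwise impersonal, and "it" is two sentences away from what it refers to. Suggest "Enable this setting, or create your own network policy for Network Observability." The row states that the policies are disabled by default, so the wording should make clear that one of the two actions is expected.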
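
Review bot: The line rewritten in the hunk at @@ -2773,8 +2774,8 @@ still reads "an unique identifier"; since the line is being touched anyway, correct it to "a unique identifier". Dropping "the" before "indexed values" also makes it less clear which values are meant; "the indexed values" tied the sentence to the secondary network definitions described on the line above.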