@AwesomePatrol AwesomePatrol commented Jul 5, 2023

Fixes: #25508

Add CiliumFlowLogging CRD, which enables runtime configuration of exporting Hubble events to files to be later consumed by an observability stack as logs.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 5, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jul 5, 2023
@AwesomePatrol AwesomePatrol temporarily deployed to release-base-images July 6, 2023 12:27 — with GitHub Actions Inactive
@AwesomePatrol AwesomePatrol temporarily deployed to release-base-images July 6, 2023 14:52 — with GitHub Actions Inactive
@AwesomePatrol AwesomePatrol force-pushed the flow-logging-crd branch 5 times, most recently from 4e83ff4 to 002f425 Compare July 26, 2023 11:17
Signed-off-by: Aleksander Mistewicz <amistewicz@google.com>
@AwesomePatrol
Contributor Author

/test

@AwesomePatrol AwesomePatrol marked this pull request as ready for review July 26, 2023 13:22
@AwesomePatrol AwesomePatrol requested review from a team as code owners July 26, 2023 13:22
// Spec defines the desired specification/configuration of the flow logging.
//
// +kubebuilder:validation:Required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Spec is immutable"
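
Review bot: The `self == oldSelf` rule on Spec rejects every update, but the doc comment above it only says what the field defines. State in the comment that the spec is immutable and that a change means deleting and recreating the object, so the constraint shows up in the generated CRD description and not only in the validation error message.
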
Contributor

cute :-)


// FlowLoggingSpec defines configuration of a flow logging task.
//
// +deepequal-gen=false
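
Review bot: `+deepequal-gen=false` on FlowLoggingSpec carries no explanation in the doc comment. Add a sentence saying why DeepEqual generation is switched off for this type, so the marker is not copied or reverted later without knowing what it protects against.
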
Contributor

why not auto-generate DeepEqual?

Contributor Author

It is not needed (in this version it won't handle object updates at all). IIRC there were some issues when I left the default.

//
// +kubebuilder:validation:Format=date-time
// +kubebuilder:validation:Optional
Expiration *metav1.Time `json:"end"`
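
Review bot: The `Expiration` pointer is marked `+kubebuilder:validation:Optional`, but its tag `json:"end"` has no `omitempty`, so an unset value is serialized as `"end": null` instead of being left out. Add `omitempty` to the tag so an object without an expiration round-trips cleanly.
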
Contributor

nit: convention is "expires". Also, the json tag should probably match the field name.

Contributor

Also, I really like this idea. Are there any other limitations we might want to add? Maximum logged flows? Maximum rate? Sample rate?

Contributor Author

Rate is limited in the config map. Max logged flows is impossible to track across cilium-agent pod restarts.

I am not sure how a sample rate could be implemented and I think it is best to use TCP flags to narrow down information to connection open/close.

@@ -0,0 +1,123 @@
// SPDX-License-Identifier: Apache-2.0
Contributor

In general, we avoid creating new watchers in this package, and prefer using the Resource[T] framework.

I realize this small comment is actually a fair bit of work :-(

Contributor Author

ok, I will look into that

@@ -637,6 +639,8 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams

d.cgroupManager = manager.NewCgroupManager()

d.hubbleExporterManager = exporter.NewManager(d.ctx)
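
Review bot: `exporter.NewManager(d.ctx)` in newDaemon is assigned with no visible guard and receives only the daemon context. If the manager starts goroutines or opens log files, gate its creation on the Hubble configuration and document how it is stopped and its files closed when `d.ctx` is cancelled.
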
Contributor

This should probably be a Cell in the Hive. check out pkg/hive/examples for the basic structure.

@gandro gandro removed their request for review July 27, 2023 15:28
@@ -219,7 +219,7 @@ GIT_VERSION: force
-include Makefile.docker

##@ API targets
CRD_OPTIONS ?= "crd:crdVersions=v1"
CRD_OPTIONS ?= "crd:crdVersions=v1,ignoreUnexportedFields=true"
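
Review bot: `ignoreUnexportedFields=true` is appended to the shared CRD_OPTIONS, so it applies to every CRD generated through this variable, and the Makefile has no comment saying why it is needed. Add a comment above the assignment naming the reason for the option, and confirm in the PR that the other generated CRD manifests come out unchanged.
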
Member

what are the implications of this option?

Contributor Author

See kubernetes-sigs/controller-tools#584 (it was cherry-picked into cilium's fork of controller-tools in cilium/controller-tools#3 and #26918)

It doesn't change other generated CRDs. It makes it possible to use types generated from protos directly without additional translation type.

// List of field names that will be kept in the log output.
//
// +kubebuilder:validation:Optional
FieldMask []string `json:"fieldmask"`
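
Review bot: The comment on `FieldMask` does not say what an empty or omitted list means, which matters because this list decides which flow fields end up in the log files. Document whether an empty list keeps every field or none, and add `omitempty` to the `json:"fieldmask"` tag since the field is marked Optional.
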
Contributor Author

typo: fieldMask

// disabled when empty.
//
// +kubebuilder:validation:Optional
ExcludeFilters []*flowpb.FlowFilter `json:"exludefilters"`
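
Review bot: The tag `json:"exludefilters"` on `ExcludeFilters` is misspelled (the "c" is missing), and the key becomes part of the CRD schema once released. Correct the spelling before merge and add `omitempty`, since the field is marked Optional.
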
Contributor Author

typo: excludeFilters

@AwesomePatrol AwesomePatrol marked this pull request as draft August 2, 2023 08:06
@github-actions

github-actions bot commented Sep 2, 2023

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Sep 2, 2023
@github-actions

This pull request has not seen any activity since it was marked stale.
Closing.

Successfully merging this pull request may close these issues.

CFP-2023-05-17: Hubble Flow Logs