diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
index 08592c267f1..cc2f921bc1a 100644
--- a/build/charts/antrea/README.md
+++ b/build/charts/antrea/README.md
@@ -71,10 +71,11 @@ Kubernetes: `>= 1.16.0-0` | egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. | | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. | | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. | -| flowCollector.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. | -| flowCollector.collectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format :[][:]. If the collector is running in-cluster as a Service, set to /. | -| flowCollector.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. | -| flowCollector.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. | +| flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. | +| flowExporter.enable | bool | `false` | Enable the flow exporter feature. | +| flowExporter.flowCollectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format :[][:]. If the collector is running in-cluster as a Service, set to /. | +| flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. | +| flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. 
| | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. | | image | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/antrea-ubuntu","tag":""}` | Container image to use for Antrea components. | | ipsec.authenticationMode | string | `"psk"` | The authentication mode to use for IPsec. Must be one of "psk" or "cert". | diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf index 7335a097946..dc0a7faea3c 100644 --- a/build/charts/antrea/conf/antrea-agent.conf +++ b/build/charts/antrea/conf/antrea-agent.conf 
@@ -193,37 +193,46 @@ apiPort: {{ .Values.agent.apiPort }} # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }} -# Provide the IPFIX collector address as a string with format :[][:]. -# HOST can either be the DNS name, IP, or Service name of the Flow Collector. If -# using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be -# wrapped with []. When the collector is running in-cluster as a Service, set -# to /. For example, -# "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea -# Flow Aggregator Service. -# If PORT is empty, we default to 4739, the standard IPFIX port. -# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and -# "udp" protocols. "tls" is used for securing communication between flow exporter and -# flow aggregator. -flowCollectorAddr: {{ .Values.flowCollector.collectorAddr | quote }} - -# Provide flow poll interval as a duration string. This determines how often the -# flow exporter dumps connections from the conntrack module. Flow poll interval -# should be greater than or equal to 1s (one second). -# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -flowPollInterval: {{ .Values.flowCollector.flowPollInterval | quote }} - -# Provide the active flow export timeout, which is the timeout after which a flow -# record is sent to the collector for active flows. Thus, for flows with a continuous -# stream of packets, a flow record will be exported to the collector once the elapsed -# time since the last export event is equal to the value of this timeout. -# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -activeFlowExportTimeout: {{ .Values.flowCollector.activeFlowExportTimeout | quote }} - -# Provide the idle flow export timeout, which is the timeout after which a flow -# record is sent to the collector for idle flows. 
A flow is considered idle if no -# packet matching this flow has been observed since the last export event. -# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -idleFlowExportTimeout: {{ .Values.flowCollector.idleFlowExportTimeout | quote }} + +flowExporter: + {{- with .Values.flowExporter }} + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: {{ .enable }} + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: {{ .flowCollectorAddr | quote }} + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: {{ .flowPollInterval | quote }} + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. 
Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: {{ .activeFlowExportTimeout | quote }} + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: {{ .idleFlowExportTimeout | quote }} +{{- end }} nodePortLocal: {{- with .Values.nodePortLocal }} diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml index aaaef299754..76d01ec2568 100644 --- a/build/charts/antrea/values.yaml +++ b/build/charts/antrea/values.yaml @@ -298,11 +298,13 @@ controller: requests: cpu: "200m" -flowCollector: +flowExporter: + # -- Enable the flow exporter feature. + enable: false # -- IPFIX collector address as a string with format :[][:]. # If the collector is running in-cluster as a Service, set to # /. - collectorAddr: "flow-aggregator/flow-aggregator:4739:tls" + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" # -- Determines how often the flow exporter polls for new connections. flowPollInterval: "5s" # -- timeout after which a flow record is sent to the collector for active diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 295b1b695a6..e8b2d22073e 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml 
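Review bot: The template now reads only `.Values.flowExporter`, so a user values file that still carries the retired `flowCollector.collectorAddr` or `flowCollector.flowPollInterval` keys renders without error and the agent silently falls back to the chart defaults, including the in-cluster `flow-aggregator` address, at the next helm upgrade; nothing in this diff adds a values.schema.json entry or a template check for the old key. A fail-fast guard placed just before the `{{- with .Values.flowExporter }}` line, `{{- if .Values.flowCollector }}{{- fail "flowCollector.* values were renamed to flowExporter.*" }}{{- end }}`, would turn that into an upgrade-time error instead. The flowCollectorAddr comment could also say explicitly that `tcp` and `udp` send the conntrack-derived flow records in cleartext, since it currently only states that `tls` secures them. The surrounding ConfigMap template continues outside the hunk.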
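Review bot: The comment on the new `enable` key, `# -- Enable the flow exporter feature.`, omits the second switch the agent requires: the antrea-agent.conf text in this same change says the FlowExporter feature gate must also be on, and the README table (which appears to be generated from these `# --` comments) is where most users will look. I would write it as `# -- Enable the flow exporter feature. The FlowExporter feature gate must also be enabled (e.g. featureGates: {FlowExporter: true}).`. A short note that the default `flowCollectorAddr` uses `tls` and that `tcp`/`udp` ship flow records unencrypted would belong on the address key as well.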
@@ -3159,37 +3159,44 @@ data: # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - # wrapped with []. When the collector is running in-cluster as a Service, set - # to /. For example, - # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - # Flow Aggregator Service. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" + flowExporter: + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: false + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. 
A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To @@ -4364,7 +4371,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f + checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65 labels: app: antrea component: antrea-agent @@ -4605,7 +4612,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f + checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index bafb9450370..116ebf97b44 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml 
@@ -3159,37 +3159,44 @@ data: # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - # wrapped with []. When the collector is running in-cluster as a Service, set - # to /. For example, - # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - # Flow Aggregator Service. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" + flowExporter: + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: false + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. 
A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To @@ -4364,7 +4371,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f + checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65 labels: app: antrea component: antrea-agent @@ -4606,7 +4613,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f + checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index a6c0e508494..68470ecebeb 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml 
@@ -3159,37 +3159,44 @@ data: # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - # wrapped with []. When the collector is running in-cluster as a Service, set - # to /. For example, - # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - # Flow Aggregator Service. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" + flowExporter: + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: false + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. 
A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To @@ -4364,7 +4371,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: b7f4a912f5e4d42314ea1667b8e2f3d97a7666e7379ed4f65f9299a3f37399c2 + checksum/config: e119a0592b2cef130a915258e9f23a8e4ed0aa28685841dc6f0d4b72a6983beb labels: app: antrea component: antrea-agent @@ -4603,7 +4610,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: b7f4a912f5e4d42314ea1667b8e2f3d97a7666e7379ed4f65f9299a3f37399c2 + checksum/config: e119a0592b2cef130a915258e9f23a8e4ed0aa28685841dc6f0d4b72a6983beb labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 0db8c87cf57..72b5ae5ba17 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -3172,37 +3172,44 @@ data: # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - # wrapped with []. When the collector is running in-cluster as a Service, set - # to /. For example, - # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - # Flow Aggregator Service. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" + flowExporter: + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: false + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. 
A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To @@ -4377,7 +4384,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: d5789c48750f03a8652da56fc0e7f6cd4b12911fff41a84c8426245270fd5ec2 + checksum/config: 373bbb8d6a42a8f3e546ea446fd078c04e947093e68e0c1c973f4c696bf8d607 checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 labels: app: antrea @@ -4662,7 +4669,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: d5789c48750f03a8652da56fc0e7f6cd4b12911fff41a84c8426245270fd5ec2 + checksum/config: 373bbb8d6a42a8f3e546ea446fd078c04e947093e68e0c1c973f4c696bf8d607 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 9c6cc68528a..f3f18f3a3a3 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml 
@@ -3159,37 +3159,44 @@ data: # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - # wrapped with []. When the collector is running in-cluster as a Service, set - # to /. For example, - # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - # Flow Aggregator Service. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" + flowExporter: + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: false + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. 
A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To @@ -4364,7 +4371,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 1f7ec3f7c131b06c35ae624655ebbf81ca332c08abcfcddd434dd3c0a5387dab + checksum/config: 7e1d1a60a99fdbe25ff10b92e85ff234a5769c02bd9ae0ead56a3fe0a8ad118d labels: app: antrea component: antrea-agent @@ -4603,7 +4610,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 1f7ec3f7c131b06c35ae624655ebbf81ca332c08abcfcddd434dd3c0a5387dab + checksum/config: 7e1d1a60a99fdbe25ff10b92e85ff234a5769c02bd9ae0ead56a3fe0a8ad118d labels: app: antrea component: antrea-controller diff --git a/ci/kind/values-flow-exporter.yml b/ci/kind/values-flow-exporter.yml index ff606cd67c3..ee3ceff45cc 100644 --- a/ci/kind/values-flow-exporter.yml +++ b/ci/kind/values-flow-exporter.yml @@ -1,4 +1,5 @@ -flowCollector: +flowExporter: + enable: true flowPollInterval: "1s" activeFlowExportTimeout: "2s" idleFlowExportTimeout: "1s" diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go index afb3e494213..bfcd250ca33 100644 --- a/cmd/antrea-agent/agent.go +++ b/cmd/antrea-agent/agent.go 
@@ -150,7 +150,7 @@ func run(o *Options) error { features.DefaultFeatureGate.Enabled(features.AntreaPolicy), l7NetworkPolicyEnabled, o.enableEgress, - features.DefaultFeatureGate.Enabled(features.FlowExporter), + features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable, o.config.AntreaProxy.ProxyAll, connectUplinkToBridge, multicastEnabled, @@ -596,7 +596,7 @@ func run(o *Options) error { } var flowExporter *exporter.FlowExporter - if features.DefaultFeatureGate.Enabled(features.FlowExporter) { + if features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable { flowExporterOptions := &flowexporter.FlowExporterOptions{ FlowCollectorAddr: o.flowCollectorAddr, FlowCollectorProto: o.flowCollectorProto, @@ -859,7 +859,7 @@ func run(o *Options) error { go ofClient.StartPacketInHandler(stopCh) // Start the goroutine to periodically export IPFIX flow records. - if features.DefaultFeatureGate.Enabled(features.FlowExporter) { + if features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable { go flowExporter.Run(stopCh) } diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go index 48975047dfd..5dce409deb3 100644 --- a/cmd/antrea-agent/options.go +++ b/cmd/antrea-agent/options.go @@ -48,9 +48,9 @@ const ( defaultFlowCollectorAddress = "flow-aggregator/flow-aggregator:4739:tls" defaultFlowCollectorTransport = "tls" defaultFlowCollectorPort = "4739" - defaultFlowPollInterval = 5 * time.Second - defaultActiveFlowExportTimeout = 30 * time.Second - defaultIdleFlowExportTimeout = 15 * time.Second + defaultFlowPollInterval = "5s" + defaultActiveFlowExportTimeout = "5s" + defaultIdleFlowExportTimeout = "15s" defaultIGMPQueryInterval = 125 * time.Second defaultStaleConnectionTimeout = 5 * time.Minute defaultNPLPortRange = "61000-62000" 
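Review bot: The gate-and-flag conjunction `features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable` is now spelled out three times in run() — in the feature summary, around the exporter construction, and around `go flowExporter.Run(stopCh)` — and the third site dereferences a `flowExporter` that is nil unless the second site ran, so any future drift between the copies becomes a nil-pointer panic at agent start. Compute it once near the top of run(), e.g. `flowExporterEnabled := features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable`, and use that variable at all three sites. run() begins and ends outside these hunks.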
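Review bot: `defaultActiveFlowExportTimeout` goes from `30 * time.Second` to `"5s"` in the options.go const hunk, so a six-fold increase in the default export rate from every agent to the collector rides along with what otherwise reads as a type change from Duration to string. If the new default is intended (the docs hunk later in this diff lists 5s), it should be called out in the commit message and release notes as a behaviour change for clusters that rely on defaults, since it changes collector load and IPFIX volume; if not, keep `defaultActiveFlowExportTimeout = "30s"`. The const block starts and ends outside the hunk.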
@@ -231,7 +231,7 @@ func (o *Options) validateAntreaProxyConfig() error { func (o *Options) validateFlowExporterConfig() error { if features.DefaultFeatureGate.Enabled(features.FlowExporter) { - host, port, proto, err := flowexport.ParseFlowCollectorAddr(o.config.FlowCollectorAddr, defaultFlowCollectorPort, defaultFlowCollectorTransport) + host, port, proto, err := flowexport.ParseFlowCollectorAddr(o.config.FlowExporter.FlowCollectorAddr, defaultFlowCollectorPort, defaultFlowCollectorTransport) if err != nil { return err } @@ -239,16 +239,16 @@ func (o *Options) validateFlowExporterConfig() error { o.flowCollectorProto = proto // Parse the given flowPollInterval config - if o.config.FlowPollInterval != "" { - flowPollInterval, err := flowexport.ParseFlowIntervalString(o.config.FlowPollInterval) + if o.config.FlowExporter.FlowPollInterval != "" { + flowPollInterval, err := flowexport.ParseFlowIntervalString(o.config.FlowExporter.FlowPollInterval) if err != nil { return err } o.pollInterval = flowPollInterval } // Parse the given activeFlowExportTimeout config - if o.config.ActiveFlowExportTimeout != "" { - o.activeFlowTimeout, err = time.ParseDuration(o.config.ActiveFlowExportTimeout) + if o.config.FlowExporter.ActiveFlowExportTimeout != "" { + o.activeFlowTimeout, err = time.ParseDuration(o.config.FlowExporter.ActiveFlowExportTimeout) if err != nil { return fmt.Errorf("ActiveFlowExportTimeout is not provided in right format") } @@ -258,8 +258,8 @@ func (o *Options) validateFlowExporterConfig() error { } } // Parse the given inactiveFlowExportTimeout config - if o.config.IdleFlowExportTimeout != "" { - o.idleFlowTimeout, err = time.ParseDuration(o.config.IdleFlowExportTimeout) + if o.config.FlowExporter.IdleFlowExportTimeout != "" { + o.idleFlowTimeout, err = time.ParseDuration(o.config.FlowExporter.IdleFlowExportTimeout) if err != nil { return fmt.Errorf("IdleFlowExportTimeout is not provided in right format") } 
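Review bot: The two `fmt.Errorf("... is not provided in right format")` returns in the second hunk discard the `time.ParseDuration` error and still name the flat `ActiveFlowExportTimeout`/`IdleFlowExportTimeout` keys, even though the values now come from `o.config.FlowExporter.*`; a user who mistypes `flowExporter.activeFlowExportTimeout` sees neither the offending value nor the key path that is actually wrong. Suggest `return fmt.Errorf("flowExporter.activeFlowExportTimeout %q is not a valid duration: %w", o.config.FlowExporter.ActiveFlowExportTimeout, err)` and the equivalent for the idle timeout. The "greater than or equal to 1s" floor that the yaml comments promise for flowPollInterval is presumably enforced inside `flowexport.ParseFlowIntervalString`, which is not visible here and worth confirming, since a sub-second poll interval would hammer conntrack on every Node. validateFlowExporterConfig begins in the first hunk and continues past the second.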
@@ -277,6 +277,8 @@ func (o *Options) validateFlowExporterConfig() error {
 } else {
 o.staleConnectionTimeout = defaultStaleConnectionTimeout
 }
+ } else if o.config.FlowExporter.Enable {
+ klog.InfoS("The FlowExporter.enable config option is set to true, but it will be ignored because the FlowExporter feature gate is disabled")
 }
 return nil
 }
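Review bot: Only one half of the gate/flag mismatch is logged: `enable: true` with the feature gate off gets the new InfoS, but the opposite state — feature gate on and `flowExporter.enable` left at its false default — is silent, and that is exactly where a pre-v1.13 cluster lands after upgrading, because enabling the gate alone used to start the exporter. Flow export, and any monitoring or policy-audit pipeline fed by the aggregator, then stops with nothing in the agent log. Inside the `if features.DefaultFeatureGate.Enabled(features.FlowExporter)` branch, add a message when `!o.config.FlowExporter.Enable`, at least when one of the deprecated flat options is non-empty, e.g. `klog.InfoS("The FlowExporter feature gate is enabled but flowExporter.enable is false, no flow records will be exported")`. validateFlowExporterConfig begins before this hunk.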
@@ -394,17 +396,33 @@ func (o *Options) setK8sNodeDefaultOptions() { } if features.DefaultFeatureGate.Enabled(features.FlowExporter) { - if o.config.FlowCollectorAddr == "" { - o.config.FlowCollectorAddr = defaultFlowCollectorAddress + if o.config.FlowExporter.FlowCollectorAddr == "" { + o.config.FlowExporter.FlowCollectorAddr = defaultFlowCollectorAddress + if o.config.FlowCollectorAddr != "" { + klog.InfoS("The flowCollectorAddr option is deprecated, please use flowExporter.flowCollectorAddr instead") + o.config.FlowExporter.FlowCollectorAddr = o.config.FlowCollectorAddr + } } - if o.config.FlowPollInterval == "" { - o.pollInterval = defaultFlowPollInterval + if o.config.FlowExporter.FlowPollInterval == "" { + o.config.FlowExporter.FlowPollInterval = defaultFlowPollInterval + if o.config.FlowPollInterval != "" { + klog.InfoS("The flowPollInterval option is deprecated, please use flowExporter.flowPollInterval instead") + o.config.FlowExporter.FlowPollInterval = o.config.FlowPollInterval + } } - if o.config.ActiveFlowExportTimeout == "" { - o.activeFlowTimeout = defaultActiveFlowExportTimeout + if o.config.FlowExporter.ActiveFlowExportTimeout == "" { + o.config.FlowExporter.ActiveFlowExportTimeout = defaultActiveFlowExportTimeout + if o.config.ActiveFlowExportTimeout != "" { + klog.InfoS("The activeFlowExportTimeout option is deprecated, please use flowExporter.activeFlowExportTimeout instead") + o.config.FlowExporter.ActiveFlowExportTimeout = o.config.ActiveFlowExportTimeout + } } - if o.config.IdleFlowExportTimeout == "" { - o.idleFlowTimeout = defaultIdleFlowExportTimeout + if o.config.FlowExporter.IdleFlowExportTimeout == "" { + o.config.FlowExporter.IdleFlowExportTimeout = defaultIdleFlowExportTimeout + if o.config.IdleFlowExportTimeout != "" { + klog.InfoS("The idleFlowExportTimeout option is deprecated, please use flowExporter.idleFlowExportTimeout instead") + o.config.FlowExporter.IdleFlowExportTimeout = o.config.IdleFlowExportTimeout + } } } 
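Review bot: The deprecated keys are consulted only inside the `if o.config.FlowExporter.FlowCollectorAddr == ""` branch (and likewise for the three timeouts), so when both the new and the legacy key are set the legacy value is dropped with no log at all, and the deprecation notice is printed only in the case where the legacy value still wins. The generated manifest hunk earlier in this diff appears to render `flowExporter.flowCollectorAddr` with a non-empty default, which would make the legacy fallback dead for chart-deployed configs while an operator's `flowCollectorAddr` pointing at a different collector is silently ignored; worth confirming. Hoist the `if o.config.FlowCollectorAddr != ""` checks out of the inner branch so the notice is emitted whenever a deprecated key is non-empty and says which value is used, e.g. `klog.InfoS("Ignoring deprecated flowCollectorAddr because flowExporter.flowCollectorAddr is set", "deprecatedValue", o.config.FlowCollectorAddr)`. setK8sNodeDefaultOptions begins outside the hunk.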
diff --git a/docs/network-flow-visibility.md b/docs/network-flow-visibility.md index c7960d58b2b..8ca6be22f33 100644 --- a/docs/network-flow-visibility.md +++ b/docs/network-flow-visibility.md @@ -6,6 +6,7 @@ - [Overview](#overview) - [Flow Exporter](#flow-exporter) - [Configuration](#configuration) + - [Configuration pre Antrea v1.13](#configuration-pre-antrea-v113) - [IPFIX Information Elements (IEs) in a Flow Record](#ipfix-information-elements-ies-in-a-flow-record) - [IEs from IANA-assigned IE Registry](#ies-from-iana-assigned-ie-registry) - [IEs from Reverse IANA-assigned IE Registry](#ies-from-reverse-iana-assigned-ie-registry) @@ -61,8 +62,11 @@ library. ### Configuration -To enable the Flow Exporter feature at the Antrea Agent, the following config -parameters have to be set in the Antrea Agent ConfigMap: +In addition to enabling the Flow Exporter feature gate (if needed), you need to +ensure that the `flowExporter.enable` flag is set to true in the Antrea Agent +configuration. + +your `antrea-agent` ConfigMap should look like this: ```yaml antrea-agent.conf: | 
@@ -71,49 +75,66 @@ parameters have to be set in the Antrea Agent ConfigMap: # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each agent to a configured collector. FlowExporter: true - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - # wrapped with []. When the collector is running in-cluster as a Service, set - # to /. For example, - # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - # Flow Aggregator Service. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - #flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "60s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. 
- # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" + flowExporter: + # Enable FlowExporter, a feature used to export polled conntrack connections as + # IPFIX flow records from each agent to a configured collector. To enable this + # feature, you need to set "enable" to true, and ensure that the FlowExporter + # feature gate is also enabled. + enable: true + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + # wrapped with []. When the collector is running in-cluster as a Service, set + # to /. For example, + # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + # Flow Aggregator Service. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" ``` -Please note that the default value for `flowCollectorAddr` is `"flow-aggregator/flow-aggregator:4739:tls"`, -which enables the Flow Exporter to connect the Flow Aggregator Service, assuming it is running in -the same K8 cluster with the Name and Namespace set to `flow-aggregator`. If you deploy the Flow -Aggregator Service with a different Name and Namespace, then set `flowCollectorAddr` appropriately. +Please note that the default value for `flowExporter.flowCollectorAddr` is +`"flow-aggregator/flow-aggregator:4739:tls"`, which enables the Flow Exporter to connect +the Flow Aggregator Service, assuming it is running in the same K8 cluster with the Name +and Namespace set to `flow-aggregator`. If you deploy the Flow Aggregator Service with +a different Name and Namespace, then set `flowExporter.flowCollectorAddr` appropriately. Please note that the default values for -`flowPollInterval`, `activeFlowExportTimeout`, and `idleFlowExportTimeout` parameters are set to 5s, 60s, and 15s, respectively. +`flowExporter.flowPollInterval`, `flowExporter.activeFlowExportTimeout`, and +`flowExporter.idleFlowExportTimeout` parameters are set to 5s, 5s, and 15s, respectively. TLS communication between the Flow Exporter and the Flow Aggregator is enabled by default. Please modify them as per your requirements. +#### Configuration pre Antrea v1.13 + +Prior to the Antrea v1.13 release, the `flowExporter` option group in the +Antrea Agent configuration did not exist. 
To enable the Flow Exporter feature, +one simply needed to enable the feature gate, and the Flow Exporter related +configuration could be configured using the (now deprecated) `flowCollectorAddr`, +`flowPollInterval`, `activeFlowExportTimeout`, `idleFlowExportTimeout` +parameters. + ### IPFIX Information Elements (IEs) in a Flow Record There are 34 IPFIX IEs in each exported flow record, which are defined in the diff --git a/pkg/config/agent/config.go b/pkg/config/agent/config.go index 8885919f8b2..2ad10cf47b3 100644 --- a/pkg/config/agent/config.go +++ b/pkg/config/agent/config.go 
@@ -133,43 +133,20 @@ type AgentConfig struct { // Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener // Defaults to true. EnablePrometheusMetrics *bool `yaml:"enablePrometheusMetrics,omitempty"` - // Provide the IPFIX collector address as a string with format :[][:]. - // HOST can either be the DNS name, IP, or Service name of the Flow Collector. If - // using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be - // wrapped with []. When the collector is running in-cluster as a Service, set - // to /. For example, - // "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea - // Flow Aggregator Service. - // If PORT is empty, we default to 4739, the standard IPFIX port. - // If no PROTO is given, we consider "tcp" as default. We support "tcp" and - // "udp" L4 transport protocols. - // Defaults to "flow-aggregator/flow-aggregator:4739:tcp". + // Deprecated. Use the FlowExporter config options instead. FlowCollectorAddr string `yaml:"flowCollectorAddr,omitempty"` - // Provide flow poll interval in format "0s". This determines how often flow - // exporter dumps connections in conntrack module. Flow poll interval should - // be greater than or equal to 1s(one second). - // Defaults to "5s". Valid time units are "ns", "us" (or "µs"), "ms", "s", - // "m", "h". + // Deprecated. Use the FlowExporter config options instead. FlowPollInterval string `yaml:"flowPollInterval,omitempty"` - // Provide the active flow export timeout, which is the timeout after which - // a flow record is sent to the collector for active flows. Thus, for flows - // with a continuous stream of packets, a flow record will be exported to the - // collector once the elapsed time since the last export event is equal to the - // value of this timeout. - // Defaults to "30s". Valid time units are "ns", "us" (or "µs"), "ms", "s", - // "m", "h". + // Deprecated. Use the FlowExporter config options instead. 
ActiveFlowExportTimeout string `yaml:"activeFlowExportTimeout,omitempty"` - // Provide the idle flow export timeout, which is the timeout after which a - // flow record is sent to the collector for idle flows. A flow is considered - // idle if no packet matching this flow has been observed since the last export - // event. - // Defaults to "15s". Valid time units are "ns", "us" (or "µs"), "ms", "s", - // "m", "h". + // Deprecated. Use the FlowExporter config options instead. IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"` // Deprecated. Use the NodePortLocal config options instead. NPLPortRange string `yaml:"nplPortRange,omitempty"` // NodePortLocal (NPL) configuration options. NodePortLocal NodePortLocalConfig `yaml:"nodePortLocal,omitempty"` + // FlowExporter configuration options. + FlowExporter FlowExporterConfig `yaml:"flowExporter,omitempty"` // Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. // Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"` 
@@ -260,6 +237,47 @@ type NodePortLocalConfig struct { PortRange string `yaml:"portRange,omitempty"` } +type FlowExporterConfig struct { + // Enable FlowExporter, a feature used to export polled conntrack connections as + // IPFIX flow records from each agent to a configured collector. To enable this + // feature, you need to set "enable" to true, and ensure that the FlowExporter + // feature gate is also enabled. + Enable bool `yaml:"enable,omitempty"` + // Provide the IPFIX collector address as a string with format :[][:]. + // HOST can either be the DNS name, IP, or Service name of the Flow Collector. If + // using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be + // wrapped with []. When the collector is running in-cluster as a Service, set + // to /. For example, + // "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea + // Flow Aggregator Service. + // If PORT is empty, we default to 4739, the standard IPFIX port. + // If no PROTO is given, we consider "tcp" as default. We support "tcp" and + // "udp" L4 transport protocols. + // Defaults to "flow-aggregator/flow-aggregator:4739:tcp". + FlowCollectorAddr string `yaml:"flowCollectorAddr,omitempty"` + // Provide flow poll interval in format "0s". This determines how often flow + // exporter dumps connections in conntrack module. Flow poll interval should + // be greater than or equal to 1s(one second). + // Defaults to "5s". Valid time units are "ns", "us" (or "µs"), "ms", "s", + // "m", "h". + FlowPollInterval string `yaml:"flowPollInterval,omitempty"` + // Provide the active flow export timeout, which is the timeout after which + // a flow record is sent to the collector for active flows. Thus, for flows + // with a continuous stream of packets, a flow record will be exported to the + // collector once the elapsed time since the last export event is equal to the + // value of this timeout. + // Defaults to "30s". 
Valid time units are "ns", "us" (or "µs"), "ms", "s", + // "m", "h". + ActiveFlowExportTimeout string `yaml:"activeFlowExportTimeout,omitempty"` + // Provide the idle flow export timeout, which is the timeout after which a + // flow record is sent to the collector for idle flows. A flow is considered + // idle if no packet matching this flow has been observed since the last export + // event. + // Defaults to "15s". Valid time units are "ns", "us" (or "µs"), "ms", "s", + // "m", "h". + IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"` +} + type MulticastConfig struct { // To enable Multicast, you need to set "enable" to true, and ensure that the // Multicast feature gate is also enabled (which is the default).
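Review bot: The doc comments on the new `FlowExporterConfig` struct were copied from the deprecated flat fields and contradict the code in this same diff: `FlowCollectorAddr` says `If no PROTO is given, we consider "tcp" as default` and `Defaults to "flow-aggregator/flow-aggregator:4739:tcp"`, while options.go sets `defaultFlowCollectorTransport = "tls"` and `defaultFlowCollectorAddress = "flow-aggregator/flow-aggregator:4739:tls"`; `ActiveFlowExportTimeout` says `Defaults to "30s"` while the constant is now `"5s"`. A reader of the config package will conclude that exporter-to-aggregator traffic is plaintext TCP by default, the opposite of what ships. Update those comments to `If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and "udp".`, `Defaults to "flow-aggregator/flow-aggregator:4739:tls".` and `Defaults to "5s".`, matching the yaml comments in the earlier hunks.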