NETOBSERV-1190: change DNS to use latency instead of TS (#395)

* NETOBSERV-979: Add TCP drop to netobserv operator

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* Add scc rbac to fix issues with scc constraint

when creating ebpf pod in privileged mode we
got Error creating: pods "netobserv-ebpf-agent-"
is forbidden: unable to validate against any
security context constraint

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* Add DNS tracker operator changes

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* Address PR review comments

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* list enabled features in console plugin configmap

* fix TcpDrop fields case

* NETOBSERV-1191: fix updating tcpdrop and dns configs

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* fix linter complicity error

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

* NETOBSERV-1190: use DNS latency instead of TS

This PR depends on PR #331 so 331 need to be merged 1st

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

---------

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
Co-authored-by: Julien Pinsonneau <91894519+jpinsonneau@users.noreply.github.com>

api/v1alpha1/flowcollector_webhook.go

@@ -63,6 +63,14 @@ func (r *FlowCollector) ConvertTo(dstRaw conversion.Hub) error {
 	}
 
 	dst.Spec.Loki.Enable = restored.Spec.Loki.Enable
+	if restored.Spec.Agent.EBPF.EnableTCPDrop != nil {
+		*dst.Spec.Agent.EBPF.EnableTCPDrop = *restored.Spec.Agent.EBPF.EnableTCPDrop
+	}
+
+	if restored.Spec.Agent.EBPF.EnableDNSTracking != nil {
+		*dst.Spec.Agent.EBPF.EnableDNSTracking = *restored.Spec.Agent.EBPF.EnableDNSTracking
+	}
+
 	dst.Spec.Loki.StatusTLS = restored.Spec.Loki.StatusTLS
 	dst.Spec.Kafka.SASL = restored.Spec.Kafka.SASL
 
@@ -147,3 +155,10 @@ func Convert_v1beta1_FlowCollectorConsolePlugin_To_v1alpha1_FlowCollectorConsole
 func Convert_v1beta1_FlowCollectorExporter_To_v1alpha1_FlowCollectorExporter(in *v1beta1.FlowCollectorExporter, out *FlowCollectorExporter, s apiconversion.Scope) error {
 	return autoConvert_v1beta1_FlowCollectorExporter_To_v1alpha1_FlowCollectorExporter(in, out, s)
 }
+
+// This function need to be manually created because conversion-gen not able to create it intentionally because
+// we have new defined fields in v1beta1 not in v1alpha1
+// nolint:golint,stylecheck,revive
+func Convert_v1beta1_FlowCollectorEBPF_To_v1alpha1_FlowCollectorEBPF(in *v1beta1.FlowCollectorEBPF, out *FlowCollectorEBPF, s apiconversion.Scope) error {
+	return autoConvert_v1beta1_FlowCollectorEBPF_To_v1alpha1_FlowCollectorEBPF(in, out, s)
+}

api/v1beta1/flowcollector_types.go

@@ -221,6 +221,20 @@ type FlowCollectorEBPF struct {
 	// such as GOGC and GOMAXPROCS env vars. Users setting its values do it at their own risk.
 	// +optional
 	Debug DebugConfig `json:"debug,omitempty"`
+
+	// Enable the TCP drop flows logging feature. This feature requires mounting
+	// the kernel debug filesystem, so the eBPF pod has to run as privileged.
+	// If the spec.agent.eBPF.privileged parameter is not set, an error is reported.
+	//+kubebuilder:default:=false
+	//+optional
+	EnableTCPDrop *bool `json:"enableTCPDrop,omitempty"`
+
+	// Enable the DNS tracking feature. This feature requires mounting
+	// the kernel debug filesystem hence the eBPF pod has to run as privileged.
+	// If the spec.agent.eBPF.privileged parameter is not set, an error is reported.
+	//+kubebuilder:default:=false
+	//+optional
+	EnableDNSTracking *bool `json:"enableDNSTracking,omitempty"`
 }
 
 // `FlowCollectorKafka` defines the desired Kafka config of FlowCollector

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -2302,6 +2302,20 @@ spec:
                               they are only useful in edge debug or support scenarios.'
                             type: object
                         type: object
+                      enableDNSTracking:
+                        default: false
+                        description: Enable the DNS tracking feature. This feature
+                          requires mounting the kernel debug filesystem hence the
+                          eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
+                          parameter is not set, an error is reported.
+                        type: boolean
+                      enableTCPDrop:
+                        default: false
+                        description: Enable the TCP drop flows logging feature. This
+                          feature requires mounting the kernel debug filesystem, so
+                          the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
+                          parameter is not set, an error is reported.
+                        type: boolean
                       excludeInterfaces:
                         default:
                         - lo

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -175,13 +175,16 @@ metadata:
               "ebpf": {
                 "cacheActiveTimeout": "5s",
                 "cacheMaxFlows": 100000,
+                "enableDNSTracking": false,
+                "enableTCPDrop": false,
                 "excludeInterfaces": [
                   "lo"
                 ],
                 "imagePullPolicy": "IfNotPresent",
                 "interfaces": [],
                 "kafkaBatchSize": 10485760,
                 "logLevel": "info",
+                "privileged": false,
                 "resources": {
                   "limits": {
                     "memory": "800Mi"

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -2289,6 +2289,20 @@ spec:
                               they are only useful in edge debug or support scenarios.'
                             type: object
                         type: object
+                      enableDNSTracking:
+                        default: false
+                        description: Enable the DNS tracking feature. This feature
+                          requires mounting the kernel debug filesystem hence the
+                          eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
+                          parameter is not set, an error is reported.
+                        type: boolean
+                      enableTCPDrop:
+                        default: false
+                        description: Enable the TCP drop flows logging feature. This
+                          feature requires mounting the kernel debug filesystem, so
+                          the eBPF pod has to run as privileged. If the spec.agent.eBPF.privileged
+                          parameter is not set, an error is reported.
+                        type: boolean
                       excludeInterfaces:
                         default:
                         - lo

config/samples/flows_v1beta1_flowcollector.yaml

@@ -12,6 +12,9 @@ spec:
       sampling: 50
       cacheActiveTimeout: 5s
       cacheMaxFlows: 100000
+      privileged: false
+      enableTCPDrop: false
+      enableDNSTracking: false
       interfaces: [ ]
       excludeInterfaces: [ "lo" ]
       logLevel: info

controllers/consoleplugin/consoleplugin_objects.go

@@ -348,12 +348,24 @@ func (b *builder) metricsService() *corev1.Service {
 func (b *builder) configMap() (*corev1.ConfigMap, string) {
 	outputRecordTypes := helper.GetRecordTypes(&b.desired.Processor)
 
+	var features []string
+	if b.desired.Agent.Type == flowslatest.AgentEBPF {
+		if helper.IsTCPDropEnabled(b.desired) {
+			features = append(features, "tcpDrop")
+		}
+
+		if helper.IsDNSTrackingEnabled(b.desired) {
+			features = append(features, "dnsTracking")
+		}
+	}
+
 	config := map[string]interface{}{
 		"recordTypes":     outputRecordTypes,
 		"portNaming":      b.desired.ConsolePlugin.PortNaming,
 		"quickFilters":    b.desired.ConsolePlugin.QuickFilters,
 		"alertNamespaces": []string{b.namespace},
 		"sampling":        helper.GetSampling(b.desired),
+		"features":        features,
 	}
 
 	configStr := "{}"