From 1425eb0df29f1be088f7d82826120f6a0f6e13a3 Mon Sep 17 00:00:00 2001
From: Mohamed Mahmoud
Date: Fri, 31 Jan 2025 13:01:10 -0500
Subject: [PATCH] IPsec support

Signed-off-by: Mohamed Mahmoud
---
 apis/flowcollector/v1beta1/flowcollector_types.go | 5 ++++-
 apis/flowcollector/v1beta2/flowcollector_types.go | 5 ++++-
 .../flows.netobserv.io_flowcollectors.yaml | 6 ++++++
 .../bases/flows.netobserv.io_flowcollectors.yaml | 6 ++++++
 config/samples/flows_v1beta2_flowcollector.yaml | 1 +
 .../config/static-frontend-config.yaml | 13 +++++++++++++
 controllers/consoleplugin/consoleplugin_objects.go | 4 ++++
 controllers/ebpf/agent_controller.go | 8 ++++++++
 docs/FlowCollector.md | 4 +++-
 pkg/helper/flowcollector.go | 4 ++++
 10 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/apis/flowcollector/v1beta1/flowcollector_types.go b/apis/flowcollector/v1beta1/flowcollector_types.go
index 78e45fb19..99ea91f67 100644
--- a/apis/flowcollector/v1beta1/flowcollector_types.go
+++ b/apis/flowcollector/v1beta1/flowcollector_types.go
@@ -155,7 +155,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information.
// - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].
// - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview].
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSEC`, to track flows with IPsec encryption.
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSEC"
 type AgentFeature string

 const (
@@ -166,6 +167,7 @@ const (
 PacketTranslation AgentFeature = "PacketTranslation"
 EbpfManager AgentFeature = "EbpfManager"
 UDNMapping AgentFeature = "UDNMapping"
+ IPSEC AgentFeature = "IPSEC"
 )

 // Name of an eBPF agent alert.
@@ -365,6 +367,7 @@ type FlowCollectorEBPF struct {
 // - `PacketTranslation`: enable enriching flows with packet's translation information.
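Review bot: The new enum value `"IPSEC"` is the only all-caps entry in the `AgentFeature` enum; its siblings (`PacketDrop`, `FlowRTT`, `UDNMapping`) are MixedCaps, and the commit itself spells the feature three more ways (`IsIPSecEnabled` in pkg/helper, `envEnableIPsec` in the agent controller, `ipsec` in the frontend config). Because this string becomes part of the CRD validation enum for both v1beta1 and v1beta2, renaming it after release is an API change, so it is worth settling on one form now, e.g. `IPSec AgentFeature = "IPSec"` with the matching `+kubebuilder:validation:Enum` entry and description bullet. The same applies to the v1beta2 hunk at -178 and the constant hunks at -166 and -189.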
// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
// - `UDNMapping`, to enable interfaces mappind to udn.
+ // - `IPSEC`, to track flows with IPsec encryption.
 // +optional
 Features []AgentFeature `json:"features,omitempty"`

diff --git a/apis/flowcollector/v1beta2/flowcollector_types.go b/apis/flowcollector/v1beta2/flowcollector_types.go
index d6d6120b7..f286b449d 100644
--- a/apis/flowcollector/v1beta2/flowcollector_types.go
+++ b/apis/flowcollector/v1beta2/flowcollector_types.go
@@ -178,7 +178,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information.
// - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].
// - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview].
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSEC`, to track flows with IPsec encryption.
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSEC"
 type AgentFeature string

 const (
@@ -189,6 +190,7 @@ const (
 PacketTranslation AgentFeature = "PacketTranslation"
 EbpfManager AgentFeature = "EbpfManager"
 UDNMapping AgentFeature = "UDNMapping"
+ IPSEC AgentFeature = "IPSEC"
 )

 // Name of an eBPF agent alert.
@@ -391,6 +393,7 @@ type FlowCollectorEBPF struct {
 // - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
// IMPORTANT: This feature is available as a Developer Preview.
// - `UDNMapping`, to enable interfaces mappind to udn.
+ // - `IPSEC`, to track flows with IPsec encryption.
 // This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
 // It requires using the OVN-Kubernetes network plugin with the Observability feature.
 // IMPORTANT: This feature is available as a Developer Preview.
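Review bot: The new `IPSEC` bullet is inserted between the `UDNMapping` bullet and the three context lines that qualify it (`This feature requires mounting the kernel debug filesystem…`, `It requires using the OVN-Kubernetes network plugin…`, `IMPORTANT: … Developer Preview`), so a reader now takes those requirements as describing IPsec tracking; the CRD YAMLs and docs/FlowCollector.md in this commit, which appear to be generated from this comment, reproduce the same ordering. Placing the bullet after the `IMPORTANT:` line keeps the UDNMapping paragraph intact. The bullet also does not say whether IPsec tracking needs the privileged agent the way the `PacketDrop` and `UDNMapping` entries do; if it does, state it here so the generated descriptions carry it. The v1beta1 hunk at -365 is not affected, since that comment has no trailing paragraph.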
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
index 3529b1c6e..b6912820f 100644
--- a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
+++ b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -138,6 +138,7 @@ spec:
 - `PacketTranslation`: enable enriching flows with packet's translation information.
- `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
- `UDNMapping`, to enable interfaces mappind to udn.
+ - `IPSEC`, to track flows with IPsec encryption.
 items:
 description: |-
 Agent feature, can be one of:
@@ -148,6 +149,7 @@ spec:
 - `PacketTranslation`, to enrich flows with packets translation information.
- `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].
- `UDNMapping`, to enable interfaces mappind to udn [Developer Preview].
+ - `IPSEC`, to track flows with IPsec encryption.
 enum:
 - PacketDrop
 - DNSTracking
@@ -156,6 +158,7 @@ spec:
 - PacketTranslation
 - EbpfManager
 - UDNMapping
+ - IPSEC
 type: string
 type: array
 flowFilter:
@@ -3963,6 +3966,7 @@ spec:
 - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
IMPORTANT: This feature is available as a Developer Preview.
- `UDNMapping`, to enable interfaces mappind to udn.
+ - `IPSEC`, to track flows with IPsec encryption.
 This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
 It requires using the OVN-Kubernetes network plugin with the Observability feature.
 IMPORTANT: This feature is available as a Developer Preview.
@@ -3976,6 +3980,7 @@ spec:
 - `PacketTranslation`, to enrich flows with packets translation information.
- `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].
- `UDNMapping`, to enable interfaces mappind to udn [Developer Preview].
+ - `IPSEC`, to track flows with IPsec encryption.
 enum:
 - PacketDrop
 - DNSTracking
@@ -3984,6 +3989,7 @@ spec:
 - PacketTranslation
 - EbpfManager
 - UDNMapping
+ - IPSEC
 type: string
 type: array
 flowFilter:
diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
index a48070ee9..c2e45dd0f 100644
--- a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
+++ b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -123,6 +123,7 @@ spec:
 - `PacketTranslation`: enable enriching flows with packet's translation information.
- `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
- `UDNMapping`, to enable interfaces mappind to udn.
+ - `IPSEC`, to track flows with IPsec encryption.
 items:
 description: |-
 Agent feature, can be one of:
@@ -133,6 +134,7 @@ spec:
 - `PacketTranslation`, to enrich flows with packets translation information.
- `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].
- `UDNMapping`, to enable interfaces mappind to udn [Developer Preview].
+ - `IPSEC`, to track flows with IPsec encryption.
 enum:
 - PacketDrop
 - DNSTracking
@@ -141,6 +143,7 @@ spec:
 - PacketTranslation
 - EbpfManager
 - UDNMapping
+ - IPSEC
 type: string
 type: array
 flowFilter:
@@ -3645,6 +3648,7 @@ spec:
 - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
IMPORTANT: This feature is available as a Developer Preview.
- `UDNMapping`, to enable interfaces mappind to udn.
+ - `IPSEC`, to track flows with IPsec encryption.
 This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
 It requires using the OVN-Kubernetes network plugin with the Observability feature.
 IMPORTANT: This feature is available as a Developer Preview.
@@ -3658,6 +3662,7 @@ spec:
 - `PacketTranslation`, to enrich flows with packets translation information.
- `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].
- `UDNMapping`, to enable interfaces mappind to udn [Developer Preview].
+ - `IPSEC`, to track flows with IPsec encryption.
 enum:
 - PacketDrop
 - DNSTracking
@@ -3666,6 +3671,7 @@ spec:
 - PacketTranslation
 - EbpfManager
 - UDNMapping
+ - IPSEC
 type: string
 type: array
 flowFilter:
diff --git a/config/samples/flows_v1beta2_flowcollector.yaml b/config/samples/flows_v1beta2_flowcollector.yaml
index eefa02aa4..5367cca15 100644
--- a/config/samples/flows_v1beta2_flowcollector.yaml
+++ b/config/samples/flows_v1beta2_flowcollector.yaml
@@ -26,6 +26,7 @@ spec:
 # - "PacketTranslation"
 # - "EbpfManager"
 # - "UDNMapping"
+ # - "IPSEC"
 interfaces: []
 excludeInterfaces: ["lo"]
 kafkaBatchSize: 1048576
diff --git a/controllers/consoleplugin/config/static-frontend-config.yaml b/controllers/consoleplugin/config/static-frontend-config.yaml
index b9339b571..ebd0d9da1 100644
--- a/controllers/consoleplugin/config/static-frontend-config.yaml
+++ b/controllers/consoleplugin/config/static-frontend-config.yaml
@@ -657,6 +657,13 @@ columns:
 default: false
 width: 15
 feature: packetTranslation
+ - id: IPsec
+ name: Encrypted
+ field: EncryptedFlow
+ filter: encrypted
+ default: true
+ width: 10
+ feature: ipsec
 filters:
 - id: cluster_name
 name: Cluster
@@ -1057,6 +1064,9 @@ filters:
 component: autocomplete
 category: destination
 hint: Specify a single port number or name.
+ - id: encrypted
+ name: encrypted flow
+ component: number
 scopes:
 - id: cluster
 name: Cluster
@@ -1415,6 +1425,9 @@ fields:
 - name: K8S_ClusterName
 type: string
 description: Cluster name or identifier
+ - name: EncryptedFlow
+ type: boolean
+ description: encrypted flow
 - name: _RecordType
 type: string
 description: "Type of record: 'flowLog' for regular flow logs, or 'newConnection', 'heartbeat', 'endConnection' for conversation tracking"
diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
index dc1a278df..4aa2d9e53 100644
--- a/controllers/consoleplugin/consoleplugin_objects.go
+++ b/controllers/consoleplugin/consoleplugin_objects.go
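Review bot: The `encrypted` filter added at -1057 uses `component: number`, but the field it filters, `EncryptedFlow` at -1415, is declared `type: boolean`; unless the frontend maps boolean fields onto the number component, a user has to guess what to enter, and the filter carries no `hint:` unlike the preceding port filter. Please confirm which component the console plugin uses for true/false filters and add a hint describing the accepted values. Separately, `name: encrypted flow` and `description: encrypted flow` are lowercase while the surrounding entries are capitalized (`Cluster`, `Cluster name or identifier`); `name: Encrypted flow` and `description: Flow encrypted with IPsec` would match. The column hunk at -657 is consistent with its neighbours as written.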
@@ -466,6 +466,10 @@ func (b *builder) setFrontendConfig(fconf *cfg.FrontendConfig) error {
 fconf.Features = append(fconf.Features, "udnMapping")
 }

+ if helper.IsIPSecEnabled(&b.desired.Agent.EBPF) {
+ fconf.Features = append(fconf.Features, "ipsec")
+ }
+
 if b.desired.Agent.EBPF.Advanced != nil {
 if v, ok := b.desired.Agent.EBPF.Advanced.Env[ebpf.EnvDedupeJustMark]; ok {
 dedupJustMark, err = strconv.ParseBool(v)
diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go
index e4cea0f27..651ba86be 100644
--- a/controllers/ebpf/agent_controller.go
+++ b/controllers/ebpf/agent_controller.go
@@ -70,6 +70,7 @@ const (
 envEnablePacketTranslation = "ENABLE_PKT_TRANSLATION"
 envEnableEbpfMgr = "EBPF_PROGRAM_MANAGER_MODE"
 envEnableUDNMapping = "ENABLE_UDN_MAPPING"
+ envEnableIPsec = "ENABLE_IPSEC_TRACKING"
 envListSeparator = ","
 )

@@ -752,6 +753,13 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 })
 }

+ if helper.IsIPSecEnabled(&coll.Spec.Agent.EBPF) {
+ config = append(config, corev1.EnvVar{
+ Name: envEnableIPsec,
+ Value: "true",
+ })
+ }
+
 if helper.IsEBPFMetricsEnabled(&coll.Spec.Agent.EBPF) {
 config = append(config, corev1.EnvVar{
 Name: envEnableMetrics,
diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
index f1cad2c0c..ed97ba74a 100644
--- a/docs/FlowCollector.md
+++ b/docs/FlowCollector.md
@@ -294,7 +294,8 @@ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<
 the kernel debug filesystem, so the eBPF pod has to run as privileged.
 - `PacketTranslation`: enable enriching flows with packet's translation information.
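Review bot: `setEnvConfig` now exports `ENABLE_IPSEC_TRACKING=true` from the feature list alone, with no look at `spec.agent.ebpf.privileged`, whereas the existing kernel-hooking features are documented to check it (the FlowCollector.md hunk header in this commit reads `If the spec.agent.ebpf.privileged parameter is not set, an error is reported.`). Nothing in the commit states whether IPsec tracking needs a privileged agent; if it attaches kernel probes the way those features do, the operator should report the missing setting the same way rather than deploy an agent whose program will fail to load at runtime, and the feature bullet in flowcollector_types.go should record the requirement. If it needs no extra privilege, a one-line comment on the new `if helper.IsIPSecEnabled(...)` block saying so would save the next reader the same question. `setEnvConfig` starts and ends outside the hunk; the `envEnableIPsec` constant hunk at -70 needs no change.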
- `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
-- `UDNMapping`, to enable interfaces mappind to udn.

+- `UDNMapping`, to enable interfaces mappind to udn.
+- `IPSEC`, to track flows with IPsec encryption.

 false
@@ -6284,6 +6285,7 @@ IMPORTANT: This feature is available as a Developer Preview.
- `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs.
IMPORTANT: This feature is available as a Developer Preview.
- `UDNMapping`, to enable interfaces mappind to udn.
+- `IPSEC`, to track flows with IPsec encryption.
 This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
 It requires using the OVN-Kubernetes network plugin with the Observability feature.
 IMPORTANT: This feature is available as a Developer Preview.

diff --git a/pkg/helper/flowcollector.go b/pkg/helper/flowcollector.go
index 2c48cda32..65e4a4eb5 100644
--- a/pkg/helper/flowcollector.go
+++ b/pkg/helper/flowcollector.go
@@ -138,6 +138,10 @@ func IsUDNMappingEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
 return IsAgentFeatureEnabled(spec, flowslatest.UDNMapping)
 }

+func IsIPSecEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
+ return IsAgentFeatureEnabled(spec, flowslatest.IPSEC)
+}
+
 func IsConntrack(spec *flowslatest.FlowCollectorFLP) bool {
 return spec != nil && spec.LogTypes != nil && *spec.LogTypes != flowslatest.LogTypeFlows
 }