IPsec support

Signed-off-by: Mohamed Mahmoud <[email protected]>
netobserv · Feb 13, 2025 · 33a2b12 · 33a2b12
1 parent 4425ad2
commit 33a2b12
Show file tree

Hide file tree

Showing 10 changed files with 56 additions and 5 deletions.
diff --git a/apis/flowcollector/v1beta1/flowcollector_types.go b/apis/flowcollector/v1beta1/flowcollector_types.go
@@ -155,7 +155,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information. <br>
 // - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
 // - `UDNMapping`, to enable interfaces mapping to udn [Developer Preview]. <br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSEC`, to track flows with IPsec encryption. <br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSEC"
 type AgentFeature string
 
 const (
@@ -166,6 +167,7 @@ const (
 	PacketTranslation AgentFeature = "PacketTranslation"
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
+	IPSEC             AgentFeature = "IPSEC"
 )
 
 // Name of an eBPF agent alert.
@@ -367,6 +369,7 @@ type FlowCollectorEBPF struct {
 	// - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
 	// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
 	// - `UDNMapping`, to enable interfaces mapping to udn. <br>
+	// - `IPSEC`, to track flows with IPsec encryption. <br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

diff --git a/apis/flowcollector/v1beta2/flowcollector_types.go b/apis/flowcollector/v1beta2/flowcollector_types.go
@@ -178,7 +178,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information, such as Service NAT.<br>
 // - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
 // - `UDNMapping`, to enable interfaces mapping to UDN. [Unsupported (*)].<br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSEC`, to track flows with IPsec encryption. <br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSEC"
 type AgentFeature string
 
 const (
@@ -189,6 +190,7 @@ const (
 	PacketTranslation AgentFeature = "PacketTranslation"
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
+	IPSEC             AgentFeature = "IPSEC"
 )
 
 // Name of an eBPF agent alert.
@@ -395,6 +397,7 @@ type FlowCollectorEBPF struct {
 	// - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
 	// This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
 	// It requires using the OVN-Kubernetes network plugin with the Observability feature.
+	// - `IPSEC`, to track flows with IPsec encryption. <br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -138,6 +138,7 @@ spec:
                           - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
                           - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                           - `UDNMapping`, to enable interfaces mapping to udn. <br>
+                          - `IPSEC`, to track flows with IPsec encryption. <br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -148,6 +149,7 @@ spec:
                             - `PacketTranslation`, to enrich flows with packets translation information. <br>
                             - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                             - `UDNMapping`, to enable interfaces mapping to udn [Developer Preview]. <br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -156,6 +158,7 @@ spec:
                           - PacketTranslation
                           - EbpfManager
                           - UDNMapping
+                          - IPSEC
                           type: string
                         type: array
                       flowFilter:
@@ -3966,6 +3969,7 @@ spec:
                           - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
                           This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
                           It requires using the OVN-Kubernetes network plugin with the Observability feature.
+                          - `IPSEC`, to track flows with IPsec encryption. <br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -3976,6 +3980,7 @@ spec:
                             - `PacketTranslation`, to enrich flows with packets translation information, such as Service NAT.<br>
                             - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                             - `UDNMapping`, to enable interfaces mapping to UDN. [Unsupported (*)].<br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -3984,6 +3989,7 @@ spec:
                           - PacketTranslation
                           - EbpfManager
                           - UDNMapping
+                          - IPSEC
                           type: string
                         type: array
                       flowFilter:

diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -123,6 +123,7 @@ spec:
                             - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
                             - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                             - `UDNMapping`, to enable interfaces mapping to udn. <br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -133,6 +134,7 @@ spec:
                               - `PacketTranslation`, to enrich flows with packets translation information. <br>
                               - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                               - `UDNMapping`, to enable interfaces mapping to udn [Developer Preview]. <br>
+                              - `IPSEC`, to track flows with IPsec encryption. <br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -141,6 +143,7 @@ spec:
                               - PacketTranslation
                               - EbpfManager
                               - UDNMapping
+                              - IPSEC
                             type: string
                           type: array
                         flowFilter:
@@ -3649,6 +3652,7 @@ spec:
                             - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
                             This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
                             It requires using the OVN-Kubernetes network plugin with the Observability feature.
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -3659,6 +3663,7 @@ spec:
                               - `PacketTranslation`, to enrich flows with packets translation information, such as Service NAT.<br>
                               - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                               - `UDNMapping`, to enable interfaces mapping to UDN. [Unsupported (*)].<br>
+                              - `IPSEC`, to track flows with IPsec encryption. <br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -3667,6 +3672,7 @@ spec:
                               - PacketTranslation
                               - EbpfManager
                               - UDNMapping
+                              - IPSEC
                             type: string
                           type: array
                         flowFilter:

diff --git a/config/samples/flows_v1beta2_flowcollector.yaml b/config/samples/flows_v1beta2_flowcollector.yaml
@@ -26,6 +26,7 @@ spec:
       # - "PacketTranslation"
       # - "EbpfManager"
       # - "UDNMapping"
+      # - "IPSEC"
       interfaces: []
       excludeInterfaces: ["lo"]
       kafkaBatchSize: 1048576

diff --git a/controllers/consoleplugin/config/static-frontend-config.yaml b/controllers/consoleplugin/config/static-frontend-config.yaml
@@ -657,6 +657,13 @@ columns:
     default: false
     width: 15
     feature: packetTranslation
+  - id: IPsec
+    name: Encrypted
+    field: EncryptedFlow
+    filter: encrypted
+    default: true
+    width: 10
+    feature: ipsec
 filters:
   - id: cluster_name
     name: Cluster
@@ -1057,6 +1064,9 @@ filters:
     component: autocomplete
     category: destination
     hint: Specify a single port number or name.
+  - id: encrypted
+    name: encrypted flow
+    component: number
 scopes:
   - id: cluster
     name: Cluster
@@ -1415,6 +1425,9 @@ fields:
   - name: K8S_ClusterName
     type: string
     description: Cluster name or identifier
+  - name: EncryptedFlow
+    type: number
+    description: encrypted flow
   - name: _RecordType
     type: string
     description: "Type of record: `flowLog` for regular flow logs, or `newConnection`, `heartbeat`, `endConnection` for conversation tracking"

diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
@@ -466,6 +466,10 @@ func (b *builder) setFrontendConfig(fconf *cfg.FrontendConfig) error {
 		fconf.Features = append(fconf.Features, "udnMapping")
 	}
 
+	if helper.IsIPSecEnabled(&b.desired.Agent.EBPF) {
+		fconf.Features = append(fconf.Features, "ipsec")
+	}
+
 	if b.desired.Agent.EBPF.Advanced != nil {
 		if v, ok := b.desired.Agent.EBPF.Advanced.Env[ebpf.EnvDedupeJustMark]; ok {
 			dedupJustMark, err = strconv.ParseBool(v)

diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go
@@ -70,6 +70,7 @@ const (
 	envEnablePacketTranslation    = "ENABLE_PKT_TRANSLATION"
 	envEnableEbpfMgr              = "EBPF_PROGRAM_MANAGER_MODE"
 	envEnableUDNMapping           = "ENABLE_UDN_MAPPING"
+	envEnableIPsec                = "ENABLE_IPSEC_TRACKING"
 	envListSeparator              = ","
 )
 
@@ -370,7 +371,8 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 					Driver: "csi.bpfman.io",
 					VolumeAttributes: map[string]string{
 						"csi.bpfman.io/program": "netobserv",
-						"csi.bpfman.io/maps":    "aggregated_flows,additional_flow_metrics,direct_flows,dns_flows,filter_map,peer_filter_map,global_counters,packet_record",
+						"csi.bpfman.io/maps": "aggregated_flows,additional_flow_metrics,direct_flows," +
+							"dns_flows,filter_map,peer_filter_map,global_counters,packet_record,ipsec_ingress_map,ipsec_egress_map",
 					},
 				},
 			},
@@ -752,6 +754,13 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 		})
 	}
 
+	if helper.IsIPSecEnabled(&coll.Spec.Agent.EBPF) {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableIPsec,
+			Value: "true",
+		})
+	}
+
 	if helper.IsEBPFMetricsEnabled(&coll.Spec.Agent.EBPF) {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnableMetrics,

diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
@@ -294,7 +294,8 @@ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<
 the kernel debug filesystem, so the eBPF pod has to run as privileged.
 - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
 - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
-- `UDNMapping`, to enable interfaces mapping to udn. <br><br/>
+- `UDNMapping`, to enable interfaces mapping to udn. <br>
+- `IPSEC`, to track flows with IPsec encryption. <br><br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -6286,7 +6287,8 @@ IMPORTANT: This feature is available as a Technology Preview.<br>
 - `EbpfManager`: [Unsupported (*)]. Use eBPF Manager to manage NetObserv eBPF programs. Pre-requisite: the eBPF Manager operator (or upstream bpfman operator) must be installed.<br>
 - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
 This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
-It requires using the OVN-Kubernetes network plugin with the Observability feature.<br/>
+It requires using the OVN-Kubernetes network plugin with the Observability feature.
+- `IPSEC`, to track flows with IPsec encryption. <br><br/>
         </td>
         <td>false</td>
       </tr><tr>

diff --git a/pkg/helper/flowcollector.go b/pkg/helper/flowcollector.go
@@ -138,6 +138,10 @@ func IsUDNMappingEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
 	return IsAgentFeatureEnabled(spec, flowslatest.UDNMapping)
 }
 
+func IsIPSecEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
+	return IsAgentFeatureEnabled(spec, flowslatest.IPSEC)
+}
+
 func IsConntrack(spec *flowslatest.FlowCollectorFLP) bool {
 	return spec != nil && spec.LogTypes != nil && *spec.LogTypes != flowslatest.LogTypeFlows
 }