--- apiVersion: v1 kind: Namespace metadata: labels: app: flow-aggregator name: flow-aggregator --- # Source: flow-aggregator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: app: flow-aggregator name: flow-aggregator namespace: flow-aggregator --- # Source: flow-aggregator/templates/secrets.yaml apiVersion: v1 kind: Secret metadata: labels: app: flow-aggregator name: clickhouse-secret namespace: flow-aggregator type: Opaque stringData: username: clickhouse_operator password: clickhouse_operator_password --- # Source: flow-aggregator/templates/secrets.yaml apiVersion: v1 kind: Secret metadata: labels: app: flow-aggregator name: flow-aggregator-aws-credentials namespace: flow-aggregator type: Opaque stringData: aws_access_key_id: "changeme" aws_secret_access_key: "changeme" aws_session_token: "" --- # Source: flow-aggregator/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: flow-aggregator-configmap namespace: flow-aggregator labels: app: flow-aggregator data: flow-aggregator.conf: | # Mode in which to run the flow aggregator. Must be one of "Aggregate" or "Proxy". In Aggregate # mode, flow records received from source and destination are aggregated and sent as one flow # record. In Proxy mode, flow records are enhanced with some additional information, then sent # directly without buffering or aggregation. mode: Aggregate # Provide the active flow record timeout as a duration string. This determines # how often the flow aggregator exports the active flow records to the flow # collector. Thus, for flows with a continuous stream of packets, a flow record # will be exported to the collector once the elapsed time since the last export # event in the flow aggregator is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". activeFlowRecordTimeout: 60s # Provide the inactive flow record timeout as a duration string. This determines # how often the flow aggregator exports the inactive flow records to the flow # collector. A flow record is considered to be inactive if no matching record # has been received by the flow aggregator in the specified interval. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". inactiveFlowRecordTimeout: 90s # Provide the transport protocol for the flow aggregator collecting process, which must be one of # "tls", "tcp", "udp" or "none". Note that this only applies to the IPFIX collector. The gRPC # collector will always run (and always use mTLS), regardless of this configuration. When using # "none", the IPFIX collector will be disabled. aggregatorTransportProtocol: "tls" # Provide an extra DNS name or IP address of flow aggregator for generating TLS certificate. flowAggregatorAddress: "" # recordContents enables configuring some fields in the flow records. Fields can # be excluded to reduce record size, but some features or external tooling may # depend on these fields. recordContents: # Determine whether source and destination Pod labels will be included in the flow records. podLabels: false # apiServer contains APIServer related configuration options. apiServer: # The port for the flow-aggregator APIServer to serve on. apiPort: 10348 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: "" # TLS min version from: VersionTLS12, VersionTLS13. # The current default is VersionTLS12. tlsMinVersion: "" # flowCollector contains external IPFIX or JSON collector related configuration options. flowCollector: # Enable is the switch to enable exporting flow records to external flow collector. enable: false # Provide the flow collector address as string with format :[:], where proto is tcp or udp. # If no L4 transport proto is given, we consider tcp as default. address: "" # Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated # from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID # is not available), a value will be randomly generated, which may vary across restarts of the flow # aggregator. #observationDomainID: # Provide format for records sent to the configured flow collector. # Supported formats are IPFIX and JSON. recordFormat: "IPFIX" # Template retransmission interval when using the udp protocol to export records. # The value must be provided as a duration string. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". templateRefreshTimeout: "600s" # Maximum message size to use for IPFIX records. If set to 0 (recommended), a reasonable default # value will be used based on the protocol (tcp or udp) used to connect to the collector. # Min valid value is 512 and max valid value is 65535. maxIPFIXMsgSize: 0 # TLS / mTLS configuration when exporting to the flowCollector. tls: # Enable TLS. enable: false # Name of the Secret containing the CA certificate used to authenticate the # flowCollector. Default root CAs will be used if this field is empty. The Secret must be # created in the Namespace in which the Flow Aggregator is deployed, and it must contain the # ca.crt key. caSecretName: "" # ServerName is used to verify the hostname on the returned certificates. It is also included in # the client's handshake (SNI) to support virtual hosting unless it is an IP address. If this # field is omitted, the hostname used for certificate verification will default to the provided # server address (flowCollector.address). serverName: "" # Name of the Secret containing the client's certificate and private key for mTLS. If omitted, # client authentication will be disabled. The Secret must be created in Namespace in which the # Flow Aggregator is deployed, and it must be of type kubernetes.io/tls and contain the tls.crt # and tls.key keys. clientSecretName: "" # Minimum TLS version from: VersionTLS12, VersionTLS13. # The current default is VersionTLS12. minVersion: "" # Include the names of K8s objects (Pods, Nodes, ...) as information elements in exported records. # Defaults to true. includeK8sNames: true # Include the UIDs of K8s objects (Pods, Nodes, ...) as information elements in exported records. # Defaults to false. includeK8sUIDs: false # clickHouse contains ClickHouse related configuration options. clickHouse: # Enable is the switch to enable exporting flow records to ClickHouse. enable: false # Database is the name of database where Antrea "flows" table is created. database: "default" # DatabaseURL is the url to the database. Provide the database URL as a string with format # ://:. The protocol has to be # one of the following: "tcp", "tls", "http", "https". When "tls" or "https" is used, tls # will be enabled. databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" # TLS configuration options, when using TLS to connect to the ClickHouse service. tls: # InsecureSkipVerify determines whether to skip the verification of the server's certificate chain and host name. # Default is false. insecureSkipVerify: false # CACert indicates whether to use custom CA certificate. Default root CAs will be used if this field is false. # If true, a Secret named "clickhouse-ca" must be provided with the following keys: # ca.crt: caCert: false # Debug enables debug logs from ClickHouse sql driver. debug: false # Compress enables lz4 compression when committing flow records. compress: true # CommitInterval is the periodical interval between batch commit of flow records to DB. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". # The minimum interval is 1s based on ClickHouse documentation for best performance. commitInterval: "8s" # s3Uploader contains configuration options for uploading flow records to AWS S3. s3Uploader: # Enable is the switch to enable exporting flow records to AWS S3. # At the moment, the flow aggregator will look for the "standard" environment variables to # authenticate to AWS. These can be static credentials (AWS_ACCESS_KEY_ID, # AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) or a Web Identity Token # (AWS_WEB_IDENTITY_TOKEN_FILE). enable: false # BucketName is the name of the S3 bucket to which flow records will be uploaded. If this # field is empty, initialization will fail. bucketName: "" # BucketPrefix is the prefix ("folder") under which flow records will be uploaded. If this # is omitted, flow records will be uploaded to the root of the bucket. bucketPrefix: "" # Region is used as a "hint" to get the region in which the provided bucket is located. # An error will occur if the bucket does not exist in the AWS partition the region hint # belongs to. If region is omitted, the value of the AWS_REGION environment variable will # be used, and if it is missing, we will default to "us-west-2". region: "us-west-2" # RecordFormat defines the format of the flow records uploaded to S3. Only "CSV" is # supported at the moment. recordFormat: "CSV" # Compress enables gzip compression when uploading files to S3. Defaults to true. compress: true # MaxRecordsPerFile is the maximum number of records per file uploaded. It is not recommended # to change this value. maxRecordsPerFile: 1e+06 # UploadInterval is the duration between each file upload to S3. uploadInterval: "60s" # FlowLogger contains configuration options for writing flow records to a local log file. flowLogger: # Enable is the switch to enable writing flow records to a local log file. enable: false # Path is the path to the local log file. path: "/tmp/antrea-flows.log" # MaxSize is the maximum size in MB of a log file before it gets rotated. maxSize: 100 # MaxBackups is the maximum number of old log files to retain. If set to 0, all log files will be # retained (unless MaxAge causes them to be deleted). maxBackups: 3 # MaxAge is the maximum number of days to retain old log files based on the timestamp encoded in # their filename. The default (0) is not to remove old log files based on age. maxAge: 0 # Compress enables gzip compression on rotated files. compress: true # RecordFormat defines the format of the flow records logged to file. Only "CSV" is supported at # the moment. recordFormat: "CSV" # Filters can be used to select which flow records to log to file. The provided filters are OR-ed # to determine whether a specific flow should be logged. filters: [] # PrettyPrint enables conversion of some numeric fields to a more meaningful string # representation. prettyPrint: true # Provide a clusterID to be added to records. By default this ID is an auto-generated UUID which # can be found in the antrea-cluster-identity ConfigMap. Currently this is only consumed by the # flowCollector (IPFIX) exporter. clusterID: "" --- # Source: flow-aggregator/templates/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-role rules: - apiGroups: [""] resources: ["pods", "nodes", "services"] verbs: ["get", "list", "watch"] --- # Source: flow-aggregator/templates/clusterrolebindings.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-cluster-role-binding subjects: - kind: ServiceAccount name: flow-aggregator namespace: flow-aggregator roleRef: kind: ClusterRole name: flow-aggregator-role apiGroup: rbac.authorization.k8s.io --- # Source: flow-aggregator/templates/clusterrolebindings.yaml # For auth delegation to apiserver kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-auth-delegator-cluster-role-binding subjects: - kind: ServiceAccount name: flow-aggregator namespace: flow-aggregator roleRef: kind: ClusterRole name: system:auth-delegator apiGroup: rbac.authorization.k8s.io --- # Source: flow-aggregator/templates/id-reader-clusterrole.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-cluster-id-reader roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-cluster-identity-reader subjects: - kind: ServiceAccount name: flow-aggregator namespace: flow-aggregator --- # Source: flow-aggregator/templates/roles.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-exporter-role namespace: flow-aggregator rules: - apiGroups: [""] resources: ["configmaps"] resourceNames: ["flow-aggregator-ca"] verbs: ["get"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["flow-aggregator-client-tls"] verbs: ["get"] --- # Source: flow-aggregator/templates/roles.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-role namespace: flow-aggregator rules: # RBAC to create / update / get flow-aggregator-ca ConfigMap - apiGroups: [""] resources: ["configmaps"] verbs: ["create"] - apiGroups: [""] resources: ["configmaps"] resourceNames: ["flow-aggregator-ca"] verbs: ["get", "list", "watch", "update"] # RBAC to create / update / get flow-aggregator-client-tls Secret - apiGroups: [""] resources: ["secrets"] verbs: ["create"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["flow-aggregator-ca-tls", "flow-aggregator-client-tls"] verbs: ["get", "list", "watch", "update"] # RBAC to get / update flow-aggregator-configmap ConfigMap (required by antctl) - apiGroups: [""] resources: ["configmaps"] resourceNames: ["flow-aggregator-configmap"] verbs: ["get", "update"] --- # Source: flow-aggregator/templates/rolebindings.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-exporter-role-binding namespace: flow-aggregator subjects: - kind: ServiceAccount name: antrea-agent namespace: kube-system roleRef: kind: Role name: flow-aggregator-exporter-role apiGroup: rbac.authorization.k8s.io --- # Source: flow-aggregator/templates/rolebindings.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-role-binding namespace: flow-aggregator subjects: - kind: ServiceAccount name: flow-aggregator namespace: flow-aggregator roleRef: kind: Role name: flow-aggregator-role apiGroup: rbac.authorization.k8s.io --- # Source: flow-aggregator/templates/rolebindings.yaml # For auth delegation to apiserver kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: flow-aggregator name: flow-aggregator-extension-apiserver-authentication-reader-role-binding namespace: kube-system subjects: - kind: ServiceAccount name: flow-aggregator namespace: flow-aggregator roleRef: kind: Role name: extension-apiserver-authentication-reader apiGroup: rbac.authorization.k8s.io --- # Source: flow-aggregator/templates/service.yaml apiVersion: v1 kind: Service metadata: labels: app: flow-aggregator name: flow-aggregator namespace: flow-aggregator spec: selector: app: flow-aggregator ports: - name: ipfix-udp port: 4739 protocol: UDP targetPort: ipfix-udp - name: ipfix-tcp port: 4739 protocol: TCP targetPort: ipfix-tcp - name: grpc port: 14739 protocol: TCP targetPort: grpc --- # Source: flow-aggregator/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app: flow-aggregator name: flow-aggregator namespace: flow-aggregator spec: replicas: 1 selector: matchLabels: app: flow-aggregator template: metadata: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments checksum/config: 90ac254e5326185b3bdb2ae70568457015f7505606d73b3f27d948872479a279 labels: app: flow-aggregator spec: hostNetwork: false containers: - name: flow-aggregator image: "antrea/flow-aggregator:latest" imagePullPolicy: IfNotPresent args: - --config=/etc/flow-aggregator/flow-aggregator.conf - --logtostderr=false - --log_dir=/var/log/antrea/flow-aggregator - --alsologtostderr - --log_file_max_size=100 - --log_file_max_num=4 env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CH_USERNAME valueFrom: secretKeyRef: name: clickhouse-secret key: username - name: CH_PASSWORD valueFrom: secretKeyRef: name: clickhouse-secret key: password - name: FA_CONFIG_MAP_NAME value: flow-aggregator-configmap - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: name: flow-aggregator-aws-credentials key: aws_access_key_id - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: flow-aggregator-aws-credentials key: aws_secret_access_key - name: AWS_SESSION_TOKEN valueFrom: secretKeyRef: name: flow-aggregator-aws-credentials key: aws_session_token ports: - name: ipfix-udp containerPort: 4739 protocol: UDP - name: ipfix-tcp containerPort: 4739 protocol: TCP - name: grpc containerPort: 14739 protocol: TCP volumeMounts: - mountPath: /etc/flow-aggregator name: flow-aggregator-config readOnly: true - mountPath: /var/log/antrea/flow-aggregator name: host-var-log-antrea-flow-aggregator - name: certs mountPath: /etc/flow-aggregator/certs readOnly: true resources: requests: cpu: 500m memory: 256Mi nodeSelector: kubernetes.io/os: linux kubernetes.io/arch: amd64 priorityClassName: system-cluster-critical serviceAccountName: flow-aggregator volumes: - name: certs projected: defaultMode: 0400 sources: # We add these secrets even if flowCollector.enable is false, or if flowCollector.tls.enable # is false, as it is more convenient. Note that the secrets are optional. - secret: name: clickhouse-ca items: - key: ca.crt path: clickhouse/ca.crt optional: true - name: flow-aggregator-config configMap: name: flow-aggregator-configmap - name: host-var-log-antrea-flow-aggregator hostPath: path: /var/log/antrea/flow-aggregator type: DirectoryOrCreate