diff --git a/config/samples/flowmetrics/tls_egress_traffic.yaml b/config/samples/flowmetrics/tls_egress_traffic.yaml
new file mode 100644
index 000000000..44bce96d2
--- /dev/null
+++ b/config/samples/flowmetrics/tls_egress_traffic.yaml
@@ -0,0 +1,37 @@
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+ name: tls-egress-traffic
+ namespace: netobserv
+spec:
+ type: Counter
+ valueField: Bytes
+ labels: [SrcSubnetLabel,SrcK8S_Namespace,SrcK8S_OwnerName,SrcK8S_OwnerType,DstSubnetLabel,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType,Proto,TLSVersion]
+ direction: Egress
+ filters:
+ - field: SrcK8S_Namespace
+ matchType: Presence
+ charts:
+ - dashboardName: TLS
+ title: "Egress TLS traffic"
+ unit: percent
+ type: SingleStat
+ queries:
+ - promQL: 'sum(rate(netobserv_tls_egress_traffic{TLSVersion!=""}[2m])) / sum(rate(netobserv_tls_egress_traffic[2m]))'
+ legend: ""
+ - dashboardName: TLS
+ sectionName: Per namespace
+ title: Egress traffic without TLS
+ unit: Bps
+ type: StackArea
+ queries:
+ - promQL: 'topk(10, sum(rate(netobserv_tls_egress_traffic{TLSVersion=""}[2m])) by (SrcK8S_Namespace))'
+ legend: "{{SrcK8S_Namespace}}"
+ - dashboardName: TLS
+ sectionName: Per version
+ title: Egress traffic per TLS version
+ unit: Bps
+ type: StackArea
+ queries:
+ - promQL: 'topk(10, sum(rate(netobserv_tls_egress_traffic{TLSVersion!~"|.*0x.*"}[2m])) by (TLSVersion))'
+ legend: "{{TLSVersion}}"
diff --git a/config/samples/flowmetrics/tls_ingress_traffic.yaml b/config/samples/flowmetrics/tls_ingress_traffic.yaml
new file mode 100644
index 000000000..7960247fb
--- /dev/null
+++ b/config/samples/flowmetrics/tls_ingress_traffic.yaml
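Review bot: The `Egress traffic without TLS` chart and the denominator of the `Egress TLS traffic` ratio treat every flow with an empty `TLSVersion` as unencrypted, across all protocols. An empty value presumably also covers non-TCP traffic and flows for which no TLS header was captured, so the percentage can understate TLS coverage and the per-namespace chart can point at workloads that are in fact encrypted. Since `Proto` is already a label, consider scoping the selectors, e.g. `netobserv_tls_egress_traffic{Proto="6",TLSVersion=""}` (assuming the label carries the protocol number), and adding a YAML comment above `charts:` saying that an empty value means "not observed", not "plaintext". The per-version query's `TLSVersion!~"|.*0x.*"` also hides values containing `0x`, which look like unrecognised versions and are the ones an operator would most want a panel for. The same points apply to the three queries in tls_ingress_traffic.yaml.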
@@ -0,0 +1,37 @@
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+ name: tls-ingress-traffic
+ namespace: netobserv
+spec:
+ type: Counter
+ valueField: Bytes
+ labels: [SrcSubnetLabel,SrcK8S_Namespace,SrcK8S_OwnerName,SrcK8S_OwnerType,DstSubnetLabel,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType,Proto,TLSVersion]
+ direction: Ingress
+ filters:
+ - field: DstK8S_Namespace
+ matchType: Presence
+ charts:
+ - dashboardName: TLS
+ title: "Ingress TLS traffic"
+ unit: percent
+ type: SingleStat
+ queries:
+ - promQL: 'sum(rate(netobserv_tls_ingress_traffic{TLSVersion!=""}[2m])) / sum(rate(netobserv_tls_ingress_traffic[2m]))'
+ legend: ""
+ - dashboardName: TLS
+ sectionName: Per namespace
+ title: Ingress traffic without TLS
+ unit: Bps
+ type: StackArea
+ queries:
+ - promQL: 'topk(10, sum(rate(netobserv_tls_ingress_traffic{TLSVersion=""}[2m])) by (DstK8S_Namespace))'
+ legend: "{{DstK8S_Namespace}}"
+ - dashboardName: TLS
+ sectionName: Per version
+ title: Ingress traffic per TLS version
+ unit: Bps
+ type: StackArea
+ queries:
+ - promQL: 'topk(10, sum(rate(netobserv_tls_ingress_traffic{TLSVersion!~"|.*0x.*"}[2m])) by (TLSVersion))'
+ legend: "{{TLSVersion}}"
diff --git a/internal/controller/consoleplugin/config/static-frontend-config.yaml b/internal/controller/consoleplugin/config/static-frontend-config.yaml
index 1dff419d6..858d1d651 100644
--- a/internal/controller/consoleplugin/config/static-frontend-config.yaml
+++ b/internal/controller/consoleplugin/config/static-frontend-config.yaml
@@ -396,7 +396,7 @@ columns:
 default: false
 width: 15
 - id: Proto
- group: L3 Layer
+ group: Protocol Info
 name: Protocol
 tooltip: The value of the protocol number in the IP packet header
 field: Proto
@@ -404,36 +404,45 @@ columns:
 default: true
 width: 10
 - id: Dscp
- group: L3 Layer
+ group: Protocol Info
 name: DSCP
 tooltip: The value of the Differentiated Services Code Point
 field: Dscp
 filter: dscp
+ default: false
+ width: 10
+ - id: TCPFlags
+ group: Protocol Info
+ name: TCP Flags
+ tooltip: Logical OR combination of unique TCP flags comprised in the flow, according to RFC-9293, with additional custom values.
+ field: Flags
+ filter: tcp_flags
+ default: false
+ width: 10
+ - id: TLSVersion
+ group: Protocol Info
+ name: TLS Version
+ tooltip: TLS Version found in the packets header
+ field: TLSVersion
+ filter: tls_version
 default: true
 width: 10
 - id: IcmpType
- group: ICMP
- name: Type
+ group: Protocol Info
+ name: ICMP Type
 tooltip: The type of the ICMP message
 field: IcmpType
 filter: icmp_type
 default: false
 width: 10
 - id: IcmpCode
- group: ICMP
- name: Code
+ group: Protocol Info
+ name: ICMP Code
 tooltip: The code of the ICMP message
 field: IcmpCode
 filter: icmp_code
 default: false
 width: 10
- - id: TCPFlags
- name: TCP Flags
- tooltip: Logical OR combination of unique TCP flags comprised in the flow, according to RFC-9293, with additional custom values.
- field: Flags
- filter: tcp_flags
- default: false
- width: 10
 - id: FlowDirection
 name: Node Direction
 tooltip: The interpreted direction of the flow observed at the Node observation point.
@@ -945,6 +954,11 @@ filters:
 - A protocol number like 6, 17
 - A IANA name like TCP, UDP
 docUrl: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+ - id: tls_version
+ name: TLS version
+ component: text
+ placeholder: 'E.g: TLS 1.2'
+ hint: Specify a version of TLS.
 - id: dscp
 name: DSCP
 component: autocomplete
@@ -1324,6 +1338,9 @@ fields:
 - name: Proto
 type: number
 description: L4 protocol
+ - name: TLSVersion
+ type: string
+ description: TLS version
 - name: Dscp
 type: number
 description: Differentiated Services Code Point (DSCP) value
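Review bot: The block inserted after `filter: dscp` takes over the existing `default: true` / `width: 10` lines, so the `Dscp` column silently changes to `default: false` while the new `TLSVersion` column becomes visible by default; if the DSCP change is not intended it should be reverted, otherwise mentioned in the commit message. With `default: true` the `TLSVersion` column is also shown when TLS tracking is disabled in the agent, where it stays empty and can be read as "no TLS"; if this file has a way to tie a column to an agent feature (not visible in this hunk) the column should use it, otherwise `default: false` is the safer choice. The tooltip could state the empty case, e.g. `tooltip: TLS version found in the packet headers; empty when none was observed for the flow`.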
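Review bot: The `tls_version` filter is free text, but `hint: Specify a version of TLS.` does not say which strings match. The placeholder shows `TLS 1.2`, while the sample dashboard queries in this commit exclude values containing `0x`, which suggests a second form for unrecognised versions. Someone filtering for deprecated or unexpected versions needs both forms spelled out, in the same list style as the protocol filter just above, e.g. `- A version name like TLS 1.2, TLS 1.3` followed by a line describing how unrecognised versions are written.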
diff --git a/internal/pkg/helper/cardinality/cardinality.json b/internal/pkg/helper/cardinality/cardinality.json
index eef215fc7..d5d9397e9 100644
--- a/internal/pkg/helper/cardinality/cardinality.json
+++ b/internal/pkg/helper/cardinality/cardinality.json
@@ -67,6 +67,7 @@
 "XlatDstAddr": "avoid",
 "Udns": "careful",
 "IPSecStatus": "fine",
+ "TLSVersion": "fine",
 "_RecordType": "fine",
 "_HashId": "avoid"
 }
diff --git a/internal/pkg/metrics/predefined_metrics.go b/internal/pkg/metrics/predefined_metrics.go
index a086a6800..9e40852b4 100644
--- a/internal/pkg/metrics/predefined_metrics.go
+++ b/internal/pkg/metrics/predefined_metrics.go
@@ -23,9 +23,9 @@ const (
 var (
 latencyBuckets = []string{".005", ".01", ".02", ".03", ".04", ".05", ".075", ".1", ".25", "1"}
 mapLabels = map[string][]string{
- tagNodes: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_HostName", "DstK8S_HostName"},
- tagNamespaces: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel"},
- tagWorkloads: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel", "SrcK8S_OwnerName", "DstK8S_OwnerName", "SrcK8S_OwnerType", "DstK8S_OwnerType", "SrcK8S_Type", "DstK8S_Type"},
+ tagNodes: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_HostName", "DstK8S_HostName", "TLSVersion"},
+ tagNamespaces: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel", "TLSVersion"},
+ tagWorkloads: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel", "SrcK8S_OwnerName", "DstK8S_OwnerName", "SrcK8S_OwnerType", "DstK8S_OwnerType", "SrcK8S_Type", "DstK8S_Type", "TLSVersion"},
 }
 mapValueFields = map[string]string{
 tagBytes: "Bytes",
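Review bot: Adding `"TLSVersion"` to all three `mapLabels` groups puts a value read from packet contents on every predefined metric, and cardinality.json in this commit rates it `"fine"` without stating why. That rating holds only if the pipeline maps the field to a small fixed set of names; the sample dashboards exclude values containing `0x`, which suggests unrecognised versions are passed through as raw values, and those are determined by the remote peer rather than by cluster workloads. Please confirm the set of label values is bounded before it reaches Prometheus (for example by collapsing unrecognised versions into one value), or rate the field `"careful"` and add a comment above `mapLabels` recording the assumption. The `var (` block starts and ends outside this hunk.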
@@ -321,6 +321,9 @@ func GetDefinitions(fc *flowslatest.FlowCollectorSpec, allMetrics bool) []metric
 if !fc.Processor.IsMultiClusterEnabled() {
 labelsToRemove = append(labelsToRemove, "K8S_ClusterName")
 }
+ if !fc.Agent.EBPF.IsTLSTrackingEnabled() {
+ labelsToRemove = append(labelsToRemove, "TLSVersion")
+ }
 
 var filterRecordType *metricslatest.MetricFilter
 if fc.Processor.LogTypes != nil {