IPsec support

Signed-off-by: Mohamed Mahmoud <[email protected]>

Author: msherif1234

apis/flowcollector/v1beta1/flowcollector_types.go

@@ -155,7 +155,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information. <br>
 // - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
 // - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview]. <br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSEC`, to track flows with IPsec encryption. <br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSEC"
 type AgentFeature string
 
 const (
@@ -166,6 +167,7 @@ const (
 	PacketTranslation AgentFeature = "PacketTranslation"
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
+	IPSEC             AgentFeature = "IPSEC"
 )
 
 // Name of an eBPF agent alert.
@@ -365,6 +367,7 @@ type FlowCollectorEBPF struct {
 	// - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
 	// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
 	// - `UDNMapping`, to enable interfaces mappind to udn. <br>
+	// - `IPSEC`, to track flows with IPsec encryption. <br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

apis/flowcollector/v1beta2/flowcollector_types.go

@@ -178,7 +178,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information. <br>
 // - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
 // - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview]. <br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSEC`, to track flows with IPsec encryption. <br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSEC"
 type AgentFeature string
 
 const (
@@ -189,6 +190,7 @@ const (
 	PacketTranslation AgentFeature = "PacketTranslation"
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
+	IPSEC             AgentFeature = "IPSEC"
 )
 
 // Name of an eBPF agent alert.
@@ -391,6 +393,7 @@ type FlowCollectorEBPF struct {
 	// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
 	// IMPORTANT: This feature is available as a Developer Preview.<br>
 	// - `UDNMapping`, to enable interfaces mappind to udn. <br>
+	// - `IPSEC`, to track flows with IPsec encryption. <br>
 	// This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
 	// It requires using the OVN-Kubernetes network plugin with the Observability feature.
 	// IMPORTANT: This feature is available as a Developer Preview.<br>

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -138,6 +138,7 @@ spec:
                           - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
                           - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                           - `UDNMapping`, to enable interfaces mappind to udn. <br>
+                          - `IPSEC`, to track flows with IPsec encryption. <br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -148,6 +149,7 @@ spec:
                             - `PacketTranslation`, to enrich flows with packets translation information. <br>
                             - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                             - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview]. <br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -156,6 +158,7 @@ spec:
                           - PacketTranslation
                           - EbpfManager
                           - UDNMapping
+                          - IPSEC
                           type: string
                         type: array
                       flowFilter:
@@ -3963,6 +3966,7 @@ spec:
                           - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                           IMPORTANT: This feature is available as a Developer Preview.<br>
                           - `UDNMapping`, to enable interfaces mappind to udn. <br>
+                          - `IPSEC`, to track flows with IPsec encryption. <br>
                           This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
                           It requires using the OVN-Kubernetes network plugin with the Observability feature.
                           IMPORTANT: This feature is available as a Developer Preview.<br>
@@ -3976,6 +3980,7 @@ spec:
                             - `PacketTranslation`, to enrich flows with packets translation information. <br>
                             - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                             - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview]. <br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -3984,6 +3989,7 @@ spec:
                           - PacketTranslation
                           - EbpfManager
                           - UDNMapping
+                          - IPSEC
                           type: string
                         type: array
                       flowFilter:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -123,6 +123,7 @@ spec:
                             - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
                             - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                             - `UDNMapping`, to enable interfaces mappind to udn. <br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -133,6 +134,7 @@ spec:
                               - `PacketTranslation`, to enrich flows with packets translation information. <br>
                               - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                               - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview]. <br>
+                              - `IPSEC`, to track flows with IPsec encryption. <br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -141,6 +143,7 @@ spec:
                               - PacketTranslation
                               - EbpfManager
                               - UDNMapping
+                              - IPSEC
                             type: string
                           type: array
                         flowFilter:
@@ -3645,6 +3648,7 @@ spec:
                             - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                             IMPORTANT: This feature is available as a Developer Preview.<br>
                             - `UDNMapping`, to enable interfaces mappind to udn. <br>
+                            - `IPSEC`, to track flows with IPsec encryption. <br>
                             This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
                             It requires using the OVN-Kubernetes network plugin with the Observability feature.
                             IMPORTANT: This feature is available as a Developer Preview.<br>
@@ -3658,6 +3662,7 @@ spec:
                               - `PacketTranslation`, to enrich flows with packets translation information. <br>
                               - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                               - `UDNMapping`, to enable interfaces mappind to udn [Developer Preview]. <br>
+                              - `IPSEC`, to track flows with IPsec encryption. <br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -3666,6 +3671,7 @@ spec:
                               - PacketTranslation
                               - EbpfManager
                               - UDNMapping
+                              - IPSEC
                             type: string
                           type: array
                         flowFilter:

config/samples/flows_v1beta2_flowcollector.yaml

@@ -26,6 +26,7 @@ spec:
       # - "PacketTranslation"
       # - "EbpfManager"
       # - "UDNMapping"
+      # - "IPSEC"
       interfaces: []
       excludeInterfaces: ["lo"]
       kafkaBatchSize: 1048576

controllers/consoleplugin/config/static-frontend-config.yaml

@@ -657,6 +657,13 @@ columns:
     default: false
     width: 15
     feature: packetTranslation
+  - id: IPsec
+    name: Encrypted
+    field: EncryptedFlow
+    filter: encrypted
+    default: true
+    width: 10
+    feature: ipsec
 filters:
   - id: cluster_name
     name: Cluster
@@ -1057,6 +1064,9 @@ filters:
     component: autocomplete
     category: destination
     hint: Specify a single port number or name.
+  - id: encrypted
+    name: encrypted flow
+    component: number
 scopes:
   - id: cluster
     name: Cluster
@@ -1415,6 +1425,9 @@ fields:
   - name: K8S_ClusterName
     type: string
     description: Cluster name or identifier
+  - name: EncryptedFlow
+    type: boolean
+    description: encrypted flow
   - name: _RecordType
     type: string
     description: "Type of record: 'flowLog' for regular flow logs, or 'newConnection', 'heartbeat', 'endConnection' for conversation tracking"

controllers/consoleplugin/consoleplugin_objects.go

@@ -466,6 +466,10 @@ func (b *builder) setFrontendConfig(fconf *cfg.FrontendConfig) error {
 		fconf.Features = append(fconf.Features, "udnMapping")
 	}
 
+	if helper.IsIPSecEnabled(&b.desired.Agent.EBPF) {
+		fconf.Features = append(fconf.Features, "ipsec")
+	}
+
 	if b.desired.Agent.EBPF.Advanced != nil {
 		if v, ok := b.desired.Agent.EBPF.Advanced.Env[ebpf.EnvDedupeJustMark]; ok {
 			dedupJustMark, err = strconv.ParseBool(v)

controllers/ebpf/agent_controller.go

@@ -70,6 +70,7 @@ const (
 	envEnablePacketTranslation    = "ENABLE_PKT_TRANSLATION"
 	envEnableEbpfMgr              = "EBPF_PROGRAM_MANAGER_MODE"
 	envEnableUDNMapping           = "ENABLE_UDN_MAPPING"
+	envEnableIPsec                = "ENABLE_IPSEC_TRACKING"
 	envListSeparator              = ","
 )
 
@@ -752,6 +753,13 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 		})
 	}
 
+	if helper.IsIPSecEnabled(&coll.Spec.Agent.EBPF) {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableIPsec,
+			Value: "true",
+		})
+	}
+
 	if helper.IsEBPFMetricsEnabled(&coll.Spec.Agent.EBPF) {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnableMetrics,

docs/FlowCollector.md

@@ -294,7 +294,8 @@ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<
 the kernel debug filesystem, so the eBPF pod has to run as privileged.
 - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
 - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
-- `UDNMapping`, to enable interfaces mappind to udn. <br><br/>
+- `UDNMapping`, to enable interfaces mappind to udn. <br>
+- `IPSEC`, to track flows with IPsec encryption. <br><br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -6284,6 +6285,7 @@ IMPORTANT: This feature is available as a Developer Preview.<br>
 - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
 IMPORTANT: This feature is available as a Developer Preview.<br>
 - `UDNMapping`, to enable interfaces mappind to udn. <br>
+- `IPSEC`, to track flows with IPsec encryption. <br>
 This feature requires mounting the kernel debug filesystem, so the eBPF agent pods have to run as privileged.
 It requires using the OVN-Kubernetes network plugin with the Observability feature.
 IMPORTANT: This feature is available as a Developer Preview.<br><br/>

pkg/helper/flowcollector.go

@@ -138,6 +138,10 @@ func IsUDNMappingEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
 	return IsAgentFeatureEnabled(spec, flowslatest.UDNMapping)
 }
 
+func IsIPSecEnabled(spec *flowslatest.FlowCollectorEBPF) bool {
+	return IsAgentFeatureEnabled(spec, flowslatest.IPSEC)
+}
+
 func IsConntrack(spec *flowslatest.FlowCollectorFLP) bool {
 	return spec != nil && spec.LogTypes != nil && *spec.LogTypes != flowslatest.LogTypeFlows
 }