Quick filters, a.k.a. preset filters, are config-defined filters that show up in the Console plugin UI. You can define any number of them in the `FlowCollector` config, and set any of them to be active by default.
A single filter is defined as a map of keys and values, where each value is itself a list, written as a comma-separated string.
Like in the UI, exact matches are possible using double quotes around values. Otherwise, partial matches are used for textual values.
The bang (`!`) character, placed at the end of a key, means negation.
As an example, here are the filters provided with the default `FlowCollector`:
```yaml
quickFilters:
- name: Applications # Name displayed in the UI
  filter:
    src_namespace!: 'openshift-,netobserv' # filter key (src_namespace), negated (!), containing values "openshift-" or "netobserv"
    dst_namespace!: 'openshift-,netobserv' # same as above for dst_namespace key
  default: true # this filter will be active by default
- name: Infrastructure
  filter:
    src_namespace: 'openshift-,netobserv'
    dst_namespace: 'openshift-,netobserv'
- name: Pods network
  filter:
    src_kind: 'Pod'
    dst_kind: 'Pod'
  default: true
- name: Services network
  filter:
    dst_kind: 'Service'
```
To recap, the filter named "Applications" shows all traffic that neither originates from nor is destined to any "openshift-*" or "netobserv" namespace. It corresponds to what we assume to be user application traffic, as opposed to infrastructure traffic.
If for some reason this definition does not apply well to your situation, you can modify the filters in the `FlowCollector` custom resource.
Note: the filter matching type, "all of" or "any of", is not controlled from there: it is a UI setting that users can modify from the query options. We recommend designing these filters assuming the default matching type, which is "all of" (i.e. filters are ANDed).
```yaml
- name: External traffic
  filter:
    owner_name: '""'
```
This filter may not be 100% accurate, but it gives an idea of how to show cluster-egress traffic only.
It filters out commonly used source ports, in order to exclude ingress responses from the results.
Note that it does not provide the egress response traffic.
```yaml
- name: External egress traffic
  filter:
    dst_owner_name: '""'
    src_port!: "443,80"
```
```yaml
- name: Host-network traffic
  filter:
    src_kind: 'Node'
```
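The matching rules described above (comma-separated values, double quotes for exact match, trailing `!` for negation, keys ANDed under "all of"), modelled as an added example that is not the Console plugin's own code. The flow records, their field names and the `select` helper are constructed for illustration, and treating a negated common key as "neither side matches" is an assumption.

```python
# Added illustration: a simplified model of the quick-filter rules described on this
# page, not the Console plugin's implementation. CIDR matching is not modelled.

def value_matches(field, pattern):
    # Double-quoted value: exact match ('""' matches an empty field).
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        return str(field) == pattern[1:-1]
    if isinstance(field, str):
        return pattern in field          # textual field: partial match
    return str(field) == pattern         # non-textual field (e.g. port): exact

def key_matches(flow, key, values):
    negated = key.endswith("!")          # trailing bang negates the key
    name = key[:-1] if negated else key
    if name.startswith(("src_", "dst_")) or name == "protocol":
        fields = [name]
    else:                                # common key: source or destination
        fields = ["src_" + name, "dst_" + name]
    hit = any(value_matches(flow.get(f, ""), v.strip())
              for f in fields for v in values.split(","))
    return hit != negated

def flow_matches(flow, quick_filter):
    # "All of" matching type: every key in the filter must match (AND).
    return all(key_matches(flow, k, v) for k, v in quick_filter.items())

def select(flows, quick_filter):
    return [f["id"] for f in flows if flow_matches(f, quick_filter)]

# Filters copied from this page.
APPLICATIONS = {"src_namespace!": "openshift-,netobserv",
                "dst_namespace!": "openshift-,netobserv"}
EXTERNAL_EGRESS = {"dst_owner_name": '""', "src_port!": "443,80"}

# Constructed sample flows; field names reuse the filter keys for simplicity.
FLOWS = [
    {"id": "app-to-app", "src_namespace": "shop", "src_port": 41000,
     "dst_namespace": "shop", "dst_owner_name": "cart", "dst_port": 8080},
    {"id": "infra-to-app", "src_namespace": "openshift-dns", "src_port": 53,
     "dst_namespace": "shop", "dst_owner_name": "web", "dst_port": 40500},
    {"id": "ingress-response", "src_namespace": "shop", "src_port": 443,
     "dst_namespace": "", "dst_owner_name": "", "dst_port": 51234},
    {"id": "egress", "src_namespace": "shop", "src_port": 52000,
     "dst_namespace": "", "dst_owner_name": "", "dst_port": 443},
    {"id": "lookalike-ns", "src_namespace": "team-netobserv-demo", "src_port": 40000,
     "dst_namespace": "shop", "dst_owner_name": "web", "dst_port": 8080},
]

if __name__ == "__main__":
    print("Applications:", select(FLOWS, APPLICATIONS))
    print("External egress:", select(FLOWS, EXTERNAL_EGRESS))
```

In this model the `lookalike-ns` flow is dropped from "Applications" because the unquoted value `netobserv` is a partial match; a double-quoted value would match that namespace name exactly instead.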
Here is a list of all available filter keys:
Note: "Common" means filters that apply to either source or destination. For example, filtering `name: 'my-pod'` means all traffic from my-pod + all traffic to my-pod, regardless of the matching type used (all of / any of).
Common | Source | Destination | Description |
---|---|---|---|
namespace | src_namespace | dst_namespace | Filter traffic related to a specific namespace. |
name | src_name | dst_name | Filter traffic related to a given leaf resource name, such as a specific pod, service or node (for host-network traffic). |
kind | src_kind | dst_kind | Filter traffic related to a given resource kind. It can be the kind of the leaf resource (Pod, Service or Node), or of the owner resource (e.g. Deployment, StatefulSet, etc.) |
owner_name | src_owner_name | dst_owner_name | Filter traffic related to a given resource owner, that is, a workload / a set of pods. For example, it can be a Deployment name, a StatefulSet name, etc. |
resource | src_resource | dst_resource | Filter traffic related to a specific resource denoted by its canonical name, which identifies it uniquely. The canonical notation is kind.namespace.name for namespaced kinds, or node.name for nodes. E.g.: Deployment.my-namespace.my-web-server. |
address | src_address | dst_address | Filter traffic related to an IP address. IPv4 and IPv6 are supported. CIDR ranges are also supported. |
mac | src_mac | dst_mac | Filter traffic related to a MAC address. |
port | src_port | dst_port | Filter traffic related to a specific port. |
host_address | src_host_address | dst_host_address | Filter traffic related to the host IP where pods are running. |
protocol | N/A | N/A | Filter traffic related to a protocol (e.g. TCP, UDP, etc.). |