OSDOCS-10856: Add bpfman Operator #80208
Conversation
|
@jab-rh: This pull request references OSDOCS-10856 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
size/M
openshift-ci
bot
added
size/L
|
@skrthomas, this PR covers the bpfman Operator installation and usage. Somehow this aligns with OSDOCS-10882. |
|
@msherif1234, this is a documentation draft for the bfpman Operator that discusses installation and a high level overview of usage for the upcoming 4.17 release. Can you take a look when you have time? Thanks! |
|
@anuragthehatter, can you take a look when you have some time? Thanks! |
|
@bmcelvee, this fails on ROSA builds; How do I know if I should be including this in the ROSA topic map? Thanks! |
|
@jab-rh thanks. Its my understanding that the NetObserv piece for this is only coming in 4.18 timeframe. That's as of maybe a couple weeks ago when I asked. |
|
Since this is tech preview, I don't believe it will be applicable to ROSA until it fully GAs. Conditionalizing the content should clear the build errors (ifndef for ROSA and OSD). @rafael-azevedo would you be able to confirm or point us to someone who can? Thanks! |
networking/network_security/ingress-node-firewall-operator.adoc
Outdated
Show resolved
Hide resolved
jab-rh
changed the title
modules/bpfman-infw-configure.adoc
Outdated
| [id="bpfman-infw-configure_{context}"] | ||
| = Configuring Ingress Node Firewall Operator to use the bpfman Operator | ||
|
|
||
| As a cluster administrator, you can configure the Ingress Node Firewall Operator to the use bpfman Operator to manage BPF programs. |
There was a problem hiding this comment.
I think this is a confusing way to say this. It's more that we are using bpfman to manage INFW's bpf
There was a problem hiding this comment.
Here's a thought on some potential alternative language?
| As a cluster administrator, you can configure the Ingress Node Firewall Operator to the use bpfman Operator to manage BPF programs. | |
| The Ingress Node Firewall employs [BPF](https://www.kernel.org/doc/html/latest/bpf/index.html) programs to implement some of its key firewall functionality. By default these BPF programs are loaded into the Kernel using a mechanism specific to the Ingress Node Firewall but the operator can be optionally configured to use [bpfman](https://bpfman.io) to load and manage these programs instead, adding additional security and observability functionality. |
| @@ -0,0 +1,93 @@ | |||
| // Module included in the following assemblies: | |||
There was a problem hiding this comment.
I think we have this issue with other operators -- but why are we including the documentation here to install bpfman rather than link to the bpfman documentation itself?
| [id="nw-bpfman-operator-installing-console_{context}"] | ||
| = Installing the bpfman Operator using the web console | ||
|
|
||
| As a cluster administrator, you can install the bpfman Operator using the web console. |
There was a problem hiding this comment.
I think we have this issue with other operators -- but why are we including the documentation here to install bpfman rather than link to the bpfman documentation itself?
There was a problem hiding this comment.
@davegord, does the upstream documentation describe how to install this on Red Hat OpenShift?
There was a problem hiding this comment.
@davegord, historically we've always documented how to install Operators on Red Hat OpenShift in our OpenShift documentation. I can ask my content strategist if we can omit this, but I think including it provides a better user experience.
| eBPF CRDs: A set of CRDs like XdpProgram and TcProgram for loading eBPF programs, and a bpfman-generated CRD (BpfProgram) for representing the state of loaded programs. | ||
| bpfman-agent:: Runs within a daemonset container, ensuring eBPF programs on each node are in the desired state. | ||
| bpfman-operator:: Manages the lifecycle of the bpfman-agent and CRDs in the cluster using the Operator SDK. | ||
|
|
There was a problem hiding this comment.
This whole section I think needs to be either reworked or removed. We shouldn't call this an "open source project". I assume this was taken from the bpfman.io site but this is not appropriate for our downstream/product documentation.
There was a problem hiding this comment.
@davegord, sure, I'm open to suggestions for what content to include here. Thanks!
There was a problem hiding this comment.
I think it's based on some upstream content, but not word for word. Is anyone going to take a pass at it?
There was a problem hiding this comment.
@anfredette, a pass, in so far as, this content is incorrect or not relevant here? Thanks!
|
@anuragthehatter, ping |
| -- | ||
| where: | ||
|
|
||
| `<ebpf_mode>`: Specifies whether the Ingress Node Firewall Operator uses the bpfman Operator to manage BPF programs. |
There was a problem hiding this comment.
Do you need to mention this can be true or false?
| eBPF CRDs: A set of CRDs like XdpProgram and TcProgram for loading eBPF programs, and a bpfman-generated CRD (BpfProgram) for representing the state of loaded programs. | ||
| bpfman-agent:: Runs within a daemonset container, ensuring eBPF programs on each node are in the desired state. | ||
| bpfman-operator:: Manages the lifecycle of the bpfman-agent and CRDs in the cluster using the Operator SDK. | ||
|
|
There was a problem hiding this comment.
I think it's based on some upstream content, but not word for word. Is anyone going to take a pass at it?
jab-rh
added
the
peer-review-needed
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ curl https://github.com/bpfman/bpfman/releases/download/v0.5.0/go-xdp-counter-install-selinux.yaml -o go-xdp-counter-install-selinux.yaml |
There was a problem hiding this comment.
There are a few spots in these docs where the links are to v0.5.0. They should globally be changed to v0.5.1. Hopefully before docs freeze we will have a v0.5.2 and they can change to v0.5.2, but they should be moved to v0.5.1 for now.
| $ curl https://github.com/bpfman/bpfman/releases/download/v0.5.0/go-xdp-counter-install-selinux.yaml -o go-xdp-counter-install-selinux.yaml | |
| $ curl https://github.com/bpfman/bpfman/releases/download/v0.5.1/go-xdp-counter-install-selinux.yaml -o go-xdp-counter-install-selinux.yaml |
networking/network_security/bpfman-operator/bpfman-operator-deploy.adoc
Outdated
Show resolved
Hide resolved
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ curl https://github.com/bpfman/bpfman/releases/download/v0.5.0/go-xdp-counter-install-selinux.yaml -o go-xdp-counter-install-selinux.yaml |
There was a problem hiding this comment.
Test the curl command. I tried it and it created an empty file. I replaced curl with wget (removed the -o as well) and downloaded fine, so the link is valid. Not sure why the curl failed for me.
There was a problem hiding this comment.
I found the issue. The link is a redirect under the covers. wget follows redirects by default, curl does not. To fix the command, add a -L:
| $ curl https://github.com/bpfman/bpfman/releases/download/v0.5.0/go-xdp-counter-install-selinux.yaml -o go-xdp-counter-install-selinux.yaml | |
| $ curl -L https://github.com/bpfman/bpfman/releases/download/v0.5.0/go-xdp-counter-install-selinux.yaml -o go-xdp-counter-install-selinux.yaml |
|
|
||
| .Procedure | ||
|
|
||
| * Edit the `IngressNodeFirewallConfig` object named `ingressnodefirewallconfig` and set `ebpfProgramManagerMode` field: |
There was a problem hiding this comment.
@davegord I think within OCP, bpfman is named "eBPF Program Manager", or something like that? Should all references to bpfman in OCP docs use that?
jldohmann
added
the
peer-review-in-progress
|
@jab-rh what versions of the docs does this need to be published in? |
| selinuxprofile.security-profiles-operator.x-k8s.io/bpfman-secure created | ||
| ---- | ||
|
|
||
| . To confirm that the eBPF sample application deployed successfully, enter the following command: |
There was a problem hiding this comment.
it might be nice to group all these confirmation steps into a single step (with substeps) or a separated verification section
networking/network_security/bpfman-operator/bpfman-operator-about.adoc
Outdated
Show resolved
Hide resolved
networking/network_security/bpfman-operator/bpfman-operator-about.adoc
Outdated
Show resolved
Hide resolved
networking/network_security/bpfman-operator/bpfman-operator-about.adoc
Outdated
Show resolved
Hide resolved
networking/network_security/bpfman-operator/bpfman-operator-install.adoc
Outdated
Show resolved
Hide resolved
networking/network_security/ingress-node-firewall-operator.adoc
Outdated
Show resolved
Hide resolved
networking/network_security/ebpf_manager/ebpf-manager-operator-install.adoc
Outdated
Show resolved
Hide resolved
networking/network_security/ingress-node-firewall-operator.adoc
Outdated
Show resolved
Hide resolved
jab-rh
force-pushed
the
OSDOCS-10856
branch
from
d480eb2 to
d3a9576
Compare
jab-rh
force-pushed
the
OSDOCS-10856
branch
from
d3a9576 to
21df905
Compare
|
@jab-rh: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
The This is because your PR targets the If the update in your PR does NOT apply to version 4.18 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main. |
|
@anfredette: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/lgtm |
|
@Billy99, please open a new issue in the OSDOCS project to capture what you'd like to see with that list of limitations. |
|
/lgtm |
|
/cherrypick enterprise-4.17 |
|
/cherrypick enterprise-4.18 |
|
@kalexand-rh: new pull request created: #82744 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@kalexand-rh: new pull request created: #82745 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Version(s): 4.17+
Issue:
Link to docs preview:
QE review:
Additional information: