Configuration
Configure the Network Operator -- collection mode, intervals, environment variables, and resource tuning.
The Network Operator (zxporter-netmon) is configured through a combination of command-line flags and environment variables, typically set via the Helm chart values.
Collection Mode
The operator supports three backends for collecting network flows. Set the mode via the collector-mode flag:
| Mode | Flag Value | Best For | Requirements |
|---|---|---|---|
| Netfilter | netfilter (default) | Most clusters | Linux kernel with conntrack |
| eBPF | ebpf | High-traffic nodes | Kernel BTF support |
| Cilium | cilium | Cilium CNI clusters | Cilium eBPF maps at /sys/fs/bpf/cilium/ |
All three modes produce identical output. Choose based on your cluster's CNI and kernel capabilities.
If your cluster uses Cilium as its CNI, use cilium mode to avoid duplicate eBPF instrumentation and leverage Cilium's existing flow data.
Command-Line Flags
| Flag | Default | Description |
|---|---|---|
| -metrics-bind-address | :8081 | HTTP server listen address for health and metrics endpoints |
| -read-interval | 5s | How often to read the conntrack/eBPF flow table |
| -cleanup-interval | 60s | How often to clean up stale flow entries |
| -collector-mode | netfilter | Collection backend: netfilter, ebpf, or cilium |
| -standalone | false | Disable Kubernetes connection (development/testing only) |
| -metrics-kubeconfig | (auto) | Path to kubeconfig file; auto-discovered from in-cluster config if empty |
Environment Variables
| Variable | Required | Description |
|---|---|---|
| NODE_NAME | Yes | Current node name (auto-injected via Kubernetes downward API) |
| DAKR_URL | Yes | Control plane endpoint (e.g., https://dakr.devzero.io) |
| CLUSTER_TOKEN | Yes | Authentication token for the DevZero control plane |
| CLUSTER_ID | Yes | Cluster identifier used in health reports |
| FLUSH_INTERVAL | No | How often to flush metrics to the control plane (default: 60s) |
Data Collection Intervals
The operator runs three periodic loops:
| Loop | Default Interval | What It Does |
|---|---|---|
| Collect | 5s | Reads the flow table, calculates deltas from cached entries, enriches with pod metadata |
| Cleanup | 60s | Removes stale entries for pods that no longer exist |
| Flush | 60s | Sends accumulated delta metrics to the DevZero control plane and resets counters |
The collect interval controls granularity — shorter intervals catch short-lived connections but increase CPU usage. The flush interval controls how often data reaches the platform for cost calculation.
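The collect, cleanup and flush loops described above can be sketched as follows. This is an added illustration, not zxporter-netmon's own code: `FlowKey`, `Tracker` and their methods are hypothetical names, and the flow table is assumed to expose one cumulative byte counter per flow.

```go
package main

import "fmt"

// FlowKey and Tracker are hypothetical names for this sketch, not zxporter types.
type FlowKey struct{ Pod, Dst string }

type Tracker struct {
	last    map[FlowKey]uint64 // cumulative bytes seen at the previous read
	pending map[FlowKey]uint64 // deltas accumulated since the last flush
}

func NewTracker() *Tracker {
	return &Tracker{last: map[FlowKey]uint64{}, pending: map[FlowKey]uint64{}}
}

// Collect ingests one read of the flow table (assumed cumulative counters).
func (t *Tracker) Collect(table map[FlowKey]uint64) {
	for k, cur := range table {
		prev, seen := t.last[k]
		if !seen || cur < prev {
			prev = 0 // new flow, or entry recreated: counter restarted from zero
		}
		t.pending[k] += cur - prev
		t.last[k] = cur
	}
}

// Cleanup drops cached entries whose pod is no longer in the live set.
func (t *Tracker) Cleanup(livePods map[string]bool) {
	for k := range t.last {
		if !livePods[k.Pod] {
			delete(t.last, k)
		}
	}
}

// Flush returns the accumulated deltas and resets the counters.
func (t *Tracker) Flush() map[FlowKey]uint64 {
	out := t.pending
	t.pending = map[FlowKey]uint64{}
	return out
}

func main() {
	k := FlowKey{Pod: "web-1", Dst: "10.0.0.5:443"} // constructed sample flow
	t := NewTracker()
	for _, bytes := range []uint64{100, 250, 40} { // third read: counter restarted
		t.Collect(map[FlowKey]uint64{k: bytes})
	}
	fmt.Println(t.Flush()[k], len(t.Flush()))
}
```

Deltas already accumulated for a pod survive its cleanup and are still delivered by the next flush; only the cached baseline is dropped.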
Helm Chart Values
```yaml
image:
  repository: devzeroinc/zxporter-netmon
  tag: "v0.0.65"
config:
  collectorMode: "netfilter"  # or "ebpf", "cilium"
  exportInterval: "60s"
  dakrUrl: ""                 # Required: control plane URL
  clusterToken: ""            # Required: cluster auth token
resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    cpu: 100m
    memory: 128Mi
```
Security Context
The operator requires elevated privileges to access the kernel's network flow data:
```yaml
securityContext:
  privileged: true
  capabilities:
    add:
      - NET_ADMIN      # conntrack table and eBPF access
      - SYS_RESOURCE   # eBPF memory locking
hostNetwork: true                    # required to see node-level flows
dnsPolicy: ClusterFirstWithHostNet   # resolve cluster DNS over host network
```
The operator requires hostNetwork: true and privileged: true to access node-level conntrack entries and attach eBPF programs. These are standard requirements for network monitoring DaemonSets.
Resource Tuning
The default resource requests (50m CPU, 64Mi memory) are sized for clusters with moderate traffic. For high-traffic nodes (>10,000 active connections), consider increasing limits:
```yaml
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 200m
    memory: 256Mi
```
Monitor the operator's own resource usage via:
```shell
kubectl top pods -n devzero-zxporter -l app=zxporter-netmon
```