eBPF Flows Configuration
Configuring The eBPF Flows Data Source In Coordimap
The flows datasource captures runtime network activity with eBPF. This is different from cloud-provider flow logs. Instead of reading flow telemetry from AWS or GCP logging systems, the agent attaches eBPF probes to network interfaces and observes traffic directly.
This datasource is useful when you want low-level runtime visibility from a host or a Kubernetes node environment.
When To Use flows
Use the flows datasource when you want to:
- capture runtime network connections directly from the host
- observe traffic in environments where cloud flow logs are unavailable or incomplete
- map pod-level traffic when the agent is deployed in Kubernetes and given the right external mappings
Prerequisites
The eBPF flow crawler requires system-level tooling and kernel support.
Expected dependencies include:
clangllvmbpftool
Kubernetes mode requires external mappings
When deployedAt is set to kubernetes, external_mappings is required.
The agent validates these mappings and expects Kubernetes cluster scope values
to line up with the Kubernetes crawler scope_id.
Configuration File
coordimap:
api_key: ${COORDIMAP_API_KEY}
data_sources:
- type: flows
data_source_id: <YOUR_DATASOURCE_ID_FROM_UI>
config:
- name: interface_name
value: all
- name: deployedAt
value: kubernetes
- name: external_mappings
value: "*@<KUBERNETES_CLUSTER_UID>"
- name: crawl_interval
value: "30s"Configuration Options
Prop
Type
Kubernetes Mapping Guidance
If you run the flows crawler in Kubernetes mode, the mappings should ultimately resolve to the same Kubernetes cluster UID used by the Kubernetes crawler scope_id.
Understanding external_mappings
The flows crawler uses external_mappings to tell Coordimap which Kubernetes cluster scope should own the captured runtime traffic.
Format:
<mapping-key>@<mapping-value>Common Kubernetes-mode example:
*@6f5f56e3-0123-4567-89ab-6c8f1e2a0cdeIn that example:
*means the mapping applies broadly6f5f56e3-0123-4567-89ab-6c8f1e2a0cdeis the Kubernetes cluster UID used asscope_id
If the mapping value does not match the Kubernetes cluster UID used by the Kubernetes crawler, the agent can reject the configuration or produce flow data that does not attach to the expected cluster objects.
Example Kubernetes UID lookup:
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'That consistency is what allows Coordimap to attach runtime flow observations to the correct cluster objects.
Related Reading
Google Cloud Platform Configuration
Configure Coordimap for Google Cloud with the correct scope_id, service account credentials, crawl settings, and optional VPC Flow Logs.
Configuration
Configure the Coordimap AWS Flow Logs data source with the right scope_id, S3 log settings, AWS credentials, and crawl intervals for network flow ingestion.