Commit e1ce6ae

Merge pull request #94524 from ovalenti/ovalenti/external-IPs-GA
[RHACS] Documentation updates for ROX#29130: External IPs GA
2 parents e5dcec2 + 6f7b264 commit e1ce6ae

4 files changed

+22
-47
lines changed

modules/enabling-external-ip-collection-central.adoc

Lines changed: 0 additions & 36 deletions
This file was deleted.

modules/visualizing-external-entities-known-limitations.adoc

Lines changed: 6 additions & 2 deletions
@@ -8,6 +8,10 @@
88
[role="_abstract"]
99
The following are some known limitations of the Visualizing external entities feature:
1010

11-
* When you enable external IP collection for a cluster, Collector in those clusters report more information to Sensor and to Central. This might create scalability issues if the workload in the cluster communicates with a large number of distinct external peers. It is recommended that you do not enable this feature on clusters with communication patterns involving more than 10,000 distinct external entities.
1211
* You cannot see external IP addresses if they are part of CIDR blocks.
13-
* When you enable external IP collection, external IP addresses might appear in a deployment's network baseline.
12+
* When you enable external IP collection for a cluster, the Collector in those clusters reports more information to Sensor and Central. Enabling external IP collection might create scalability issues if the workload in the cluster communicates with a large number of distinct external peers. Red{nbsp}Hat recommends that you turn off this feature on clusters with communication patterns involving more than 10,000 distinct external entities. However, if the pattern is mostly ingress or egress, you can overcome the scaling issue by enabling external IPs only in the opposite direction. For more information, see "Using Collector runtime configuration" in the Additional resources section.
13+
+
14+
[NOTE]
15+
====
16+
During a test, Red{nbsp}Hat generated 20 flows per second with external entities, leading to a daily increase of 450 MB in Central memory usage. This memory persisted even after deleting the deployments. Turning off external IPs at the Collector level stops further memory growth in Central caused by external IPs. To clear most of the memory used by external IPs, turn off external IPs at the Central level by setting the `ROX_EXTERNAL_IPS` environment variable to `false` and the `ROX_EXTERNAL_IPS_PRUNING` environment variable to `true`.
17+
====
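
Review bot: The new NOTE tells the reader to turn off external IPs "at the Central level" by setting `ROX_EXTERNAL_IPS` to `false` and `ROX_EXTERNAL_IPS_PRUNING` to `true`, but it does not say on which object these variables are set, and this commit deletes modules/enabling-external-ip-collection-central.adoc, so none of the files changed here gives the procedure. Add the step or an xref to one, and state what pruning removes, because "clear most of the memory" leaves open whether stored external entity data is lost. The 450 MB per day figure would be more useful with the number of distinct external IPs in the test, since 20 flows per second alone does not say how many entities produced it. The bullet about external IP addresses appearing in a deployment's network baseline is removed without a replacement; confirm that it no longer applies. In the rewritten bullet, "for a cluster" and "the Collector in those clusters reports" disagree in number, and "turn off this feature" is less clear than the previous "do not enable" for a feature the assembly describes as disabled by default.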

operating/using-collector-runtime-configuration.adoc

Lines changed: 7 additions & 4 deletions
@@ -4,21 +4,22 @@
44
include::modules/common-attributes.adoc[]
55

66
:FeatureName: Using Collector runtime configuration
7-
include::snippets/technology-preview.adoc[]
87
:!FeatureName:
98

109
toc::[]
1110

1211
[role="_abstract"]
13-
Collector runtime configuration enables you to modify some collector behaviors without restarting Collector. Collector runtime configuration is set using a `ConfigMap` object called `collector-config`. When you create or update the `ConfigMap` object, Collector refreshes the runtime configuration. When you delete the `ConfigMap` object, the settings revert to the default runtime configuration values.
12+
You can use the Collector runtime configuration to modify some collector behaviors without restarting Collector. Set the Collector runtime configuration by using a `ConfigMap` object called `collector-config`. When you create or update the `ConfigMap` object, Collector refreshes the runtime configuration. When you delete the `ConfigMap` object, the settings revert to the default runtime configuration values.
1413

15-
Currently, only two settings are controlled by using Collector runtime configuration:
14+
You can control the following settings using the Collector runtime configuration:
1615

1716
* `networking.externalIps.enabled` controls if the visualizing external entities feature is enabled or disabled. The default is `DISABLED`. In release 4.6, this setting was `networking.externalIps.enable` and was a boolean. For more information, see xref:../operating/visualizing-external-entities.adoc#visualizing-external-entities[Visualizing external entities].
1817
18+
* `networking.externalIps.direction` specifies the direction for collecting external IPs. The values are `INGRESS`, `EGRESS`, or `BOTH` (default). For example, when you select `EGRESS` it provides details for all outgoing connections while aggregating the incoming ones.
19+
1920
* `networking.maxConnectionsPerMinute` is the maximum number of open networking connections reported by Collector per container per minute. The default value is 2048.
2021
21-
The following example enables the visualizing external entities feature and sets `maxConnectionsPerMinute` to 2048.
22+
The following example enables the visualizing external entities for outgoing connections only and sets `maxConnectionsPerMinute` to 2048.
2223

2324
[source,yaml]
2425
----
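
Review bot: The new `networking.externalIps.direction` bullet says that `EGRESS` gives details for outgoing connections "while aggregating the incoming ones" without saying what the aggregated connections are shown as or what `INGRESS` does; describe all three values, and say whether `direction` has any effect while `enabled` is `DISABLED`. In the sentence that introduces the example, "enables the visualizing external entities for outgoing connections only" is missing the word "feature". With the technology-preview include removed, `:FeatureName: Using Collector runtime configuration` is set and then immediately cleared by `:!FeatureName:`; if nothing else reads the attribute, both lines can be dropped.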
@@ -32,6 +33,8 @@ data:
3233
networking:
3334
externalIps:
3435
enabled: ENABLED
36+
direction: EGRESS <2>
3537
maxConnectionsPerMinute: 2048
3638
----
3739
<1> {product-title-short} mounts this file at `/etc/stackrox/runtime_config.yaml`.
40+
<2> The `direction` setting is optional. If you do not specify it, the default value is `BOTH`, which collects both ingress and egress connections.
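
Review bot: Callout <2> on `direction: EGRESS` only restates the default already given in the settings list; it would help more if it also said what the `EGRESS` value in this example does, matching the sentence that introduces the example. Please also confirm that `direction` is indented as a sibling of `enabled` under `externalIps`, as the setting name `networking.externalIps.direction` requires, since the indentation is not visible in this rendering.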

operating/visualizing-external-entities.adoc

Lines changed: 9 additions & 5 deletions
@@ -7,25 +7,29 @@ include::modules/common-attributes.adoc[]
77
toc::[]
88

99
:FeatureName: Visualizing external entities
10-
include::snippets/technology-preview.adoc[]
1110
:!FeatureName:
1211

1312
[role="_abstract"]
1413

1514
Understanding the interactions between your cluster and external entities is essential for incident response and network policy management. With the Visualizing external entities feature, you can view the external IP addresses that interact with your cluster.
1615

17-
You can view external entities in the Network Graph by selecting the External Entities graph node or query external entities by using the API.
16+
You can view external entities in the Network Graph by selecting the External Entities graph node or by checking the deployment flows tab.
17+
18+
You can also query external entities using the API.
1819

1920
[NOTE]
2021
====
21-
Visualizing external entities is an opt-in feature that is disabled by default. To enable this feature, you must enable external IP collection in Central and secured clusters, as described in the following sections.
22+
Visualizing external entities is an opt-in feature that is disabled by default. To enable this feature, you must enable external IP collection in secured clusters, as described in the following section.
2223
====
2324

24-
include::modules/enabling-external-ip-collection-central.adoc[leveloffset=+1]
25-
2625
include::modules/enabling-external-ip-collection-secured-clusters.adoc[leveloffset=+1]
2726

2827
include::modules/querying-external-entities-using-api.adoc[leveloffset=+1]
2928

3029
include::modules/visualizing-external-entities-known-limitations.adoc[leveloffset=+1]
3130

31+
[role="_additional-resources"]
32+
[id="additional-resources_{context}"]
33+
== Additional resources
34+
35+
* xref:../operating/using-collector-runtime-configuration.adoc#using-collector-runtime-configuration[Using collector runtime configuration]
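
Review bot: The NOTE now mentions only secured clusters and the include of modules/enabling-external-ip-collection-central.adoc is dropped, yet the known-limitations module changed in this same commit still refers to a Central-level `ROX_EXTERNAL_IPS` variable; if Central no longer needs a separate enablement step, say so explicitly here so that readers who set that variable earlier know where they stand. The xref text "Using collector runtime configuration" uses a lowercase "collector", while the target's `:FeatureName:` and the limitations text write "Using Collector runtime configuration"; align the capitalization. The `:FeatureName: Visualizing external entities` and `:!FeatureName:` pair no longer wraps any include and can be removed if nothing else uses the attribute.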
