From a491102a781272d7aef121806127c56220667415 Mon Sep 17 00:00:00 2001 From: Dimitri Nicolopoulos Date: Mon, 19 Jan 2026 15:26:11 -0800 Subject: [PATCH] [EV-6333] Clarify flow log policy fields in datatypes reference --- calico-cloud/observability/elastic/flow/datatypes.mdx | 8 ++++---- .../version-22-2/observability/elastic/flow/datatypes.mdx | 8 ++++---- .../observability/elastic/flow/datatypes.mdx | 8 ++++---- .../observability/elastic/flow/datatypes.mdx | 8 ++++---- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/calico-cloud/observability/elastic/flow/datatypes.mdx b/calico-cloud/observability/elastic/flow/datatypes.mdx index 9dc6c10913..93522a1408 100644 --- a/calico-cloud/observability/elastic/flow/datatypes.mdx +++ b/calico-cloud/observability/elastic/flow/datatypes.mdx 
@@ -71,10 +71,10 @@ The `policies` field contains four sub-fields, `all_policies`, `enforced_policie | Name | Datatype | Description | | --------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `all_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `enforced_policies` | array of keywords | A comma-delimited list of all enforced network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `pending_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced or staged policy that applied a verdict. | -| `transit_policies` | array of keywords | A comma-delimited list of all host endpoint policies with `applyOnForward: true` that applied an action to the flow while in transit through the node (for forwarded traffic between network interfaces). Note that policies with `preDNAT: true` will also appear here when they apply to ingress traffic before DNAT processing. | +| `all_policies` | array of keywords | **Deprecated.** This field is a legacy field calculated at flow start time that combines both enforced and staged policies. Because it mixes actual verdicts with simulated ones, it can be misleading and is planned for removal.

**Note:** This field may still appear in logs from older clusters reporting to a newer management cluster. | +| `enforced_policies` | array of keywords | The policies that were actually enforced on the flow. This list is determined by the dataplane when the flow starts and remains fixed for the flow's lifetime. It represents the concrete actions taken on the traffic. | +| `pending_policies` | array of keywords | A simulation of what policy evaluation would look like at the time of log generation. It represents a hypothetical restart of the flow where all staged policies are considered active. This field captures types of updates such as: (1) changes to active policies made after the flow started (for example, if a new policy is added that would deny the flow if it restarted), (2) staged policies treated as if they were enforced, and (3) domain-based policies evaluated based on the DNS state at the time of log generation. | +| `transit_policies` | array of keywords | Policies applied to traffic transiting through the node (for example, policies applied to host endpoints with `applyOnForward: true`) or during pre-DNAT processing. This field functions like `enforced_policies` but specifically for traffic being evaluated at the host endpoint.

**Note**: This field is only populated when `flowLogsPolicyScope` is set to `AllPolicies` in the `FelixConfiguration`. | Each entry in the list has the following format: diff --git a/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/datatypes.mdx b/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/datatypes.mdx index f27988ab4a..a047f40580 100644 --- a/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/datatypes.mdx +++ b/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/datatypes.mdx 
@@ -71,10 +71,10 @@ The `policies` field contains four sub-fields, `all_policies`, `enforced_policie | Name | Datatype | Description | | --------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `all_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `enforced_policies` | array of keywords | A comma-delimited list of all enforced network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `pending_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced or staged policy that applied a verdict. | -| `transit_policies` | array of keywords | A comma-delimited list of all host endpoint policies with `applyOnForward: true` that applied an action to the flow while in transit through the node (for forwarded traffic between network interfaces). Note that policies with `preDNAT: true` will also appear here when they apply to ingress traffic before DNAT processing. | +| `all_policies` | array of keywords | **Deprecated.** This field is a legacy field calculated at flow start time that combines both enforced and staged policies. Because it mixes actual verdicts with simulated ones, it can be misleading and is planned for removal.

**Note:** This field may still appear in logs from older clusters reporting to a newer management cluster. | +| `enforced_policies` | array of keywords | The policies that were actually enforced on the flow. This list is determined by the dataplane when the flow starts and remains fixed for the flow's lifetime. It represents the concrete actions taken on the traffic. | +| `pending_policies` | array of keywords | A simulation of what policy evaluation would look like at the time of log generation. It represents a hypothetical restart of the flow where all staged policies are considered active. This field captures types of updates such as: (1) changes to active policies made after the flow started (for example, if a new policy is added that would deny the flow if it restarted), (2) staged policies treated as if they were enforced, and (3) domain-based policies evaluated based on the DNS state at the time of log generation. | +| `transit_policies` | array of keywords | Policies applied to traffic transiting through the node (for example, policies applied to host endpoints with `applyOnForward: true`) or during pre-DNAT processing. This field functions like `enforced_policies` but specifically for traffic being evaluated at the host endpoint.

**Note**: This field is only populated when `flowLogsPolicyScope` is set to `AllPolicies` in the `FelixConfiguration`. | Each entry in the list has the following format: diff --git a/calico-enterprise/observability/elastic/flow/datatypes.mdx b/calico-enterprise/observability/elastic/flow/datatypes.mdx index 8289cde196..be3ea64603 100644 --- a/calico-enterprise/observability/elastic/flow/datatypes.mdx +++ b/calico-enterprise/observability/elastic/flow/datatypes.mdx 
@@ -71,10 +71,10 @@ The `policies` field contains four sub-fields, `all_policies`, `enforced_policie | Name | Datatype | Description | | --------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `all_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `enforced_policies` | array of keywords | A comma-delimited list of all enforced network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `pending_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced or staged policy that applied a verdict. | -| `transit_policies` | array of keywords | A comma-delimited list of all host endpoint policies with `applyOnForward: true` that applied an action to the flow while in transit through the node (for forwarded traffic between network interfaces). Note that policies with `preDNAT: true` will also appear here when they apply to ingress traffic before DNAT processing. | +| `all_policies` | array of keywords | **Deprecated.** This field is a legacy field calculated at flow start time that combines both enforced and staged policies. Because it mixes actual verdicts with simulated ones, it can be misleading and is planned for removal.

**Note:** This field may still appear in logs from older clusters reporting to a newer management cluster. | +| `enforced_policies` | array of keywords | The policies that were actually enforced on the flow. This list is determined by the dataplane when the flow starts and remains fixed for the flow's lifetime. It represents the concrete actions taken on the traffic. | +| `pending_policies` | array of keywords | A simulation of what policy evaluation would look like at the time of log generation. It represents a hypothetical restart of the flow where all staged policies are considered active. This field captures types of updates such as: (1) changes to active policies made after the flow started (for example, if a new policy is added that would deny the flow if it restarted), (2) staged policies treated as if they were enforced, and (3) domain-based policies evaluated based on the DNS state at the time of log generation. | +| `transit_policies` | array of keywords | Policies applied to traffic transiting through the node (for example, policies applied to host endpoints with `applyOnForward: true`) or during pre-DNAT processing. This field functions like `enforced_policies` but specifically for traffic being evaluated at the host endpoint.

**Note**: This field is only populated when `flowLogsPolicyScope` is set to `AllPolicies` in the `FelixConfiguration`. | Each entry in the list has the following format: diff --git a/calico-enterprise_versioned_docs/version-3.22-2/observability/elastic/flow/datatypes.mdx b/calico-enterprise_versioned_docs/version-3.22-2/observability/elastic/flow/datatypes.mdx index 6ffd8809ec..0bf9d3723d 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/observability/elastic/flow/datatypes.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/observability/elastic/flow/datatypes.mdx 
@@ -71,10 +71,10 @@ The `policies` field contains four sub-fields, `all_policies`, `enforced_policie | Name | Datatype | Description | | --------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `all_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `enforced_policies` | array of keywords | A comma-delimited list of all enforced network policies that applied an action to the flow up until the first enforced policy to apply a verdict. | -| `pending_policies` | array of keywords | A comma-delimited list of all enforced and staged network policies that applied an action to the flow up until the first enforced or staged policy that applied a verdict. | -| `transit_policies` | array of keywords | A comma-delimited list of all host endpoint policies with `applyOnForward: true` that applied an action to the flow while in transit through the node (for forwarded traffic between network interfaces). Note that policies with `preDNAT: true` will also appear here when they apply to ingress traffic before DNAT processing. | +| `all_policies` | array of keywords | **Deprecated.** This field is a legacy field calculated at flow start time that combines both enforced and staged policies. Because it mixes actual verdicts with simulated ones, it can be misleading and is planned for removal.

**Note:** This field may still appear in logs from older clusters reporting to a newer management cluster. | +| `enforced_policies` | array of keywords | The policies that were actually enforced on the flow. This list is determined by the dataplane when the flow starts and remains fixed for the flow's lifetime. It represents the concrete actions taken on the traffic. | +| `pending_policies` | array of keywords | A simulation of what policy evaluation would look like at the time of log generation. It represents a hypothetical restart of the flow where all staged policies are considered active. This field captures types of updates such as: (1) changes to active policies made after the flow started (for example, if a new policy is added that would deny the flow if it restarted), (2) staged policies treated as if they were enforced, and (3) domain-based policies evaluated based on the DNS state at the time of log generation. | +| `transit_policies` | array of keywords | Policies applied to traffic transiting through the node (for example, policies applied to host endpoints with `applyOnForward: true`) or during pre-DNAT processing. This field functions like `enforced_policies` but specifically for traffic being evaluated at the host endpoint.

**Note**: This field is only populated when `flowLogsPolicyScope` is set to `AllPolicies` in the `FelixConfiguration`. | Each entry in the list has the following format:
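Review bot: the deprecation of `all_policies` is not reflected in the hunk's own context line, which still introduces the table with "The `policies` field contains four sub-fields, `all_policies`, `enforced_policie..." as if it were a first-class field; since this change is applied identically to all four `datatypes.mdx` files, update that sentence in each to mark `all_policies` as deprecated (or move it to the end of the list). It would also help to state explicitly which field is authoritative for investigations: the new rows already say `enforced_policies` "represents the concrete actions taken on the traffic" while `pending_policies` is "a simulation", so one sentence telling readers to base alerting and forensic conclusions on `enforced_policies` and to treat `pending_policies` as a what-if preview of staged or newer policies would close that loop.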
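Review bot: the note formatting in the new rows is inconsistent and one identifier was dropped. The `all_policies` row uses `**Note:**` while the `transit_policies` row uses `**Note**:`; pick one form. The old `transit_policies` text named the `preDNAT: true` host endpoint policy field, but the replacement only says "or during pre-DNAT processing", so a reader searching the page for `preDNAT` no longer lands on this row; consider restoring it, e.g. "or during pre-DNAT processing (host endpoint policies with `preDNAT: true`)". Also confirm the scope of the `flowLogsPolicyScope` / `AllPolicies` note: as the last cell of the table it reads as if it might apply to the whole `policies` block rather than to `transit_policies` alone, and the description does not say what the field holds when the scope is not `AllPolicies` (empty list versus absent).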