✨ Update the Helm chart

kubeshark · Oct 10, 2024 · 36339f2 · 36339f2
1 parent 108803f
commit 36339f2
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 18 deletions.
diff --git a/charts/chart/Chart.yaml b/charts/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: kubeshark
-version: "52.3.82"
+version: "52.3.83"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.co
 keywords:

diff --git a/charts/chart/README.md b/charts/chart/README.md
@@ -59,16 +59,9 @@ kubectl port-forward service/kubeshark-front 8899:80
 
 Visit [localhost:8899](http://localhost:8899)
 
+You can also use `kubeshark proxy` for a more stable port-forward connection.
 
-## Increase the Worker's Storage Limit
-
-For example, change from the default 500Mi to 5Gi:
-
-```shell
---set tap.storageLimit=5Gi
-```
-
-## Add a License
+## Add a License Key
 
 When it's necessary, you can use:
 
@@ -107,7 +100,7 @@ helm install kubeshark kubeshark/kubeshark \
   --set tap.ipv6=false
 ```
 
-## Metrics
+## Prometheus Metrics
 
 Please refer to [metrics](./metrics.md) documentation for details.
 
@@ -179,13 +172,17 @@ Please refer to [metrics](./metrics.md) documentation for details.
 | `tap.kernelModule.image`                  | Container image containing PF_RING kernel module with supported kernel version([details](PF_RING.md))      | "kubeshark/pf-ring-module:all"                                                 |
 | `tap.kernelModule.unloadOnDestroy`        | Create additional container which watches for pod termination and unloads PF_RING kernel module. | `false`|
 | `tap.telemetry.enabled`                   | Enable anonymous usage statistics collection           | `true`                                                  |
+| `tap.resourceGuard.enabled`               | Enable resource guard worker process, which watches RAM/disk usage and enables/disables traffic capture based on available resources | `false` |
 | `tap.sentry.enabled`                      | Enable sending of error logs to Sentry          | `false`                                                  |
 | `tap.sentry.environment`                      | Sentry environment to label error logs with      | `production`                                                  |
-| `tap.defaultFilter`                       | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out DNS  and TCP entries. The user can easily change this in the Dashboard.         | `"!dns and !tcp"`                                                  |
+| `tap.defaultFilter`                       | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this in the Dashboard. You can also change this value to change this behavior.        | `"!dns and !tcp and !udp and !icmp"`                                                  |
 | `tap.globalFilter`                        | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic.      | `""`                                        |
 | `tap.metrics.port`                  | Pod port used to expose Prometheus metrics          | `49100`                                                  |
 | `tap.enabledDissectors`                   | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list includes: amqp, dns , http, icmp, kafka, redis,sctp, syscall, tcp, ws.  |
 | `logs.file`                               | Logs dump path                      | `""`                                                    |
+| `pcapdump.enabled`                        | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools                 | `true`                                                                                                  |
+| `pcapdump.maxTime`                        | The time window into the past that will be stored. Older traffic will be discarded.  | `2h`  |
+| `pcapdump.maxSize`                        | The maximum storage size the PCAP files will consume. Old files that cause to surpass storage consumption will get discarded.   | `500MB`  |
 | `kube.configPath`                         | Path to the `kubeconfig` file (`$HOME/.kube/config`)            | `""`                                                    |
 | `kube.context`                            | Kubernetes context to use for the deployment  | `""`                                                    |
 | `dumpLogs`                                | Enable dumping of logs         | `false`                                                 |
@@ -250,7 +247,7 @@ tap:
     enabled: true
     type: saml
     saml:
-      idpMetadataUrl: "https://tiptophelmet.us.auth0.com/samlp/metadata/MpWiDCMMB5ShU1HRnhdb1sHM6VWqdnDG"
+      idpMetadataUrl: "https://ti..th0.com/samlp/metadata/MpWiDCM..qdnDG"
       x509crt: |
         -----BEGIN CERTIFICATE-----
         MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG

diff --git a/charts/chart/metrics.md b/charts/chart/metrics.md
@@ -52,4 +52,4 @@ prometheus:
 
 ## Ready-to-use Dashboard
 
-You can import a ready-to-use dashboard from [Grafana's Dashboards Portal](https://grafana.com/grafana/dashboards/20359-kubeshark-dashboard-v1-0-003/).
+You can import a ready-to-use dashboard from [Grafana's Dashboards Portal](https://grafana.com/grafana/dashboards/21332-kubeshark-dashboard-v3-4/).
diff --git a/charts/chart/templates/02-cluster-role.yaml b/charts/chart/templates/02-cluster-role.yaml
@@ -58,5 +58,6 @@ rules:
     verbs:
       - get
       - watch
+      - list
       - update
       - patch
diff --git a/charts/chart/templates/06-front-deployment.yaml b/charts/chart/templates/06-front-deployment.yaml
@@ -24,8 +24,6 @@ spec:
     spec:
       containers:
         - env:
-            - name: REACT_APP_DEFAULT_FILTER
-              value: '{{ not (eq .Values.tap.defaultFilter "") | ternary .Values.tap.defaultFilter " " }}'
             - name: REACT_APP_AUTH_ENABLED
               value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
                       "false"
@@ -42,6 +40,8 @@ spec:
               value: '{{ .Values.tap.scriptingDisabled }}'
             - name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED
               value: '{{ .Values.tap.targetedPodsUpdateDisabled }}'
+            - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED
+              value: '{{ .Values.tap.presetFiltersChangingEnabled }}'
             - name: REACT_APP_BPF_OVERRIDE_DISABLED
               value: '{{ eq .Values.tap.packetCapture "ebpf" | ternary "true" "false" }}'
             - name: REACT_APP_RECORDING_DISABLED

diff --git a/charts/chart/templates/09-worker-daemon-set.yaml b/charts/chart/templates/09-worker-daemon-set.yaml
@@ -59,7 +59,9 @@ spec:
             - '{{ .Values.tap.metrics.port }}'
             - -packet-capture
             - '{{ .Values.tap.packetCapture }}'
+          {{- if .Values.tap.tls }}
             - -unixsocket
+          {{- end }}
           {{- if .Values.tap.serviceMesh }}
             - -servicemesh
           {{- end }}
@@ -70,9 +72,14 @@ spec:
           {{- end }}
           {{- if ne .Values.tap.packetCapture "ebpf" }}
             - -disable-ebpf
+          {{- end }}
+          {{- if .Values.tap.resourceGuard.enabled }}
+            - -enable-resource-guard
           {{- end }}
             - -resolution-strategy
             - '{{ .Values.tap.misc.resolutionStrategy }}'
+            - -staletimeout
+            - '{{ .Values.tap.misc.staleTimeoutSeconds }}'
           {{- if .Values.tap.debug }}
             - -debug
           {{- end }}
@@ -247,6 +254,10 @@ spec:
             - mountPath: /etc/os-release
               name: os-release
               readOnly: true
+            - mountPath: /hostroot
+              mountPropagation: HostToContainer
+              name: root
+              readOnly: true
       {{- end }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
@@ -279,6 +290,9 @@ spec:
         - hostPath:
             path: /etc/os-release
           name: os-release
+        - hostPath:
+            path: /
+          name: root
         - name: data
 {{- if .Values.tap.persistentStorage }}
           persistentVolumeClaim:

diff --git a/charts/chart/templates/12-config-map.yaml b/charts/chart/templates/12-config-map.yaml
@@ -28,13 +28,15 @@ data:
     TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
     SCRIPTING_DISABLED: '{{ .Values.tap.scriptingDisabled | ternary "true" "" }}'
     TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.targetedPodsUpdateDisabled | ternary "true" "" }}'
+    PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.presetFiltersChangingEnabled | ternary "true" "" }}'
     RECORDING_DISABLED: '{{ .Values.tap.recordingDisabled | ternary "true" "" }}'
     STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.stopTrafficCapturingDisabled .Values.tap.stopped -}}
                                         false
                                       {{- else -}}
                                         {{ .Values.tap.stopTrafficCapturingDisabled | ternary "true" "false" }}
                                       {{- end }}'
     GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
+    DEFAULT_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.defaultFilter | quote }}
     TRAFFIC_SAMPLE_RATE: '{{ .Values.tap.misc.trafficSampleRate }}'
     JSON_TTL: '{{ .Values.tap.misc.jsonTTL }}'
     PCAP_TTL: '{{ .Values.tap.misc.pcapTTL }}'
@@ -49,4 +51,8 @@ data:
     ENABLED_DISSECTORS: '{{ gt (len .Values.tap.enabledDissectors) 0 | ternary (join "," .Values.tap.enabledDissectors) "" }}'
     DISSECTORS_UPDATING_ENABLED: '{{ .Values.dissectorsUpdatingEnabled | ternary "true" "false" }}'
     DETECT_DUPLICATES: '{{ .Values.tap.misc.detectDuplicates | ternary "true" "false" }}'
-
+    PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled }}'
+    PCAP_TIME_INTERVAL: '{{ .Values.pcapdump.timeInterval }}'
+    PCAP_MAX_TIME: '{{ .Values.pcapdump.maxTime }}'
+    PCAP_MAX_SIZE: '{{ .Values.pcapdump.maxSize }}'
+    PCAP_SRC_DIR: '{{ .Values.pcapdump.pcapSrcDir }}'
diff --git a/charts/chart/values.yaml b/charts/chart/values.yaml
@@ -98,12 +98,15 @@ tap:
     unloadOnDestroy: false
   telemetry:
     enabled: true
+  resourceGuard:
+    enabled: false
   sentry:
     enabled: false
     environment: production
-  defaultFilter: "!dns and !tcp"
+  defaultFilter: "!dns and !tcp and !udp and !icmp"
   scriptingDisabled: false
   targetedPodsUpdateDisabled: false
+  presetFiltersChangingEnabled: false
   recordingDisabled: false
   stopTrafficCapturingDisabled: false
   capabilities:
@@ -132,7 +135,9 @@ tap:
   - sctp
   - syscall
   - tcp
+  - udp
   - ws
+  - tls
   metrics:
     port: 49100
   pprof:
@@ -149,9 +154,16 @@ tap:
     resolutionStrategy: auto
     duplicateTimeframe: 200ms
     detectDuplicates: false
+    staleTimeoutSeconds: 30
 logs:
   file: ""
   grep: ""
+pcapdump:
+  enabled: true
+  timeInterval: 1m
+  maxTime: 1h
+  maxSize: 500MB
+  pcapSrcDir: pcapdump
 kube:
   configPath: ""
   context: ""