diff --git a/charts/chart/Chart.yaml b/charts/chart/Chart.yaml
index 90dc1b0..a5921e3 100644
--- a/charts/chart/Chart.yaml
+++ b/charts/chart/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: kubeshark
-version: "52.3.82"
+version: "52.3.83"
description: The API Traffic Analyzer for Kubernetes
home: https://kubeshark.co
keywords:
diff --git a/charts/chart/README.md b/charts/chart/README.md
index 41446c1..71f635e 100644
--- a/charts/chart/README.md
+++ b/charts/chart/README.md
@@ -59,16 +59,9 @@ kubectl port-forward service/kubeshark-front 8899:80
Visit [localhost:8899](http://localhost:8899)
+You can also use `kubeshark proxy` for a more stable port-forward connection.
-## Increase the Worker's Storage Limit
-
-For example, change from the default 500Mi to 5Gi:
-
-```shell
---set tap.storageLimit=5Gi
-```
-
-## Add a License
+## Add a License Key
When it's necessary, you can use:
@@ -107,7 +100,7 @@ helm install kubeshark kubeshark/kubeshark \
--set tap.ipv6=false
```
-## Metrics
+## Prometheus Metrics
Please refer to [metrics](./metrics.md) documentation for details.
@@ -179,13 +172,17 @@ Please refer to [metrics](./metrics.md) documentation for details.
| `tap.kernelModule.image` | Container image containing PF_RING kernel module with supported kernel version([details](PF_RING.md)) | "kubeshark/pf-ring-module:all" |
| `tap.kernelModule.unloadOnDestroy` | Create additional container which watches for pod termination and unloads PF_RING kernel module. | `false`|
| `tap.telemetry.enabled` | Enable anonymous usage statistics collection | `true` |
+| `tap.resourceGuard.enabled` | Enable resource guard worker process, which watches RAM/disk usage and enables/disables traffic capture based on available resources | `false` |
| `tap.sentry.enabled` | Enable sending of error logs to Sentry | `false` |
| `tap.sentry.environment` | Sentry environment to label error logs with | `production` |
-| `tap.defaultFilter` | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out DNS and TCP entries. The user can easily change this in the Dashboard. | `"!dns and !tcp"` |
+| `tap.defaultFilter` | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this in the Dashboard. You can also change this value to change this behavior. | `"!dns and !tcp and !udp and !icmp"` |
| `tap.globalFilter` | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic. | `""` |
| `tap.metrics.port` | Pod port used to expose Prometheus metrics | `49100` |
| `tap.enabledDissectors` | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list includes: amqp, dns , http, icmp, kafka, redis,sctp, syscall, tcp, ws. |
| `logs.file` | Logs dump path | `""` |
+| `pcapdump.enabled` | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools | `true` |
+| `pcapdump.maxTime` | The time window into the past that will be stored. Older traffic will be discarded. | `2h` |
+| `pcapdump.maxSize` | The maximum storage size the PCAP files will consume. Old files that cause to surpass storage consumption will get discarded. | `500MB` |
| `kube.configPath` | Path to the `kubeconfig` file (`$HOME/.kube/config`) | `""` |
| `kube.context` | Kubernetes context to use for the deployment | `""` |
| `dumpLogs` | Enable dumping of logs | `false` |
@@ -250,7 +247,7 @@ tap:
enabled: true
type: saml
saml:
- idpMetadataUrl: "https://tiptophelmet.us.auth0.com/samlp/metadata/MpWiDCMMB5ShU1HRnhdb1sHM6VWqdnDG"
+ idpMetadataUrl: "https://ti..th0.com/samlp/metadata/MpWiDCM..qdnDG"
x509crt: |
-----BEGIN CERTIFICATE-----
MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG
diff --git a/charts/chart/metrics.md b/charts/chart/metrics.md
index 5ba09f4..3bc50a9 100644
--- a/charts/chart/metrics.md
+++ b/charts/chart/metrics.md
@@ -52,4 +52,4 @@ prometheus:
## Ready-to-use Dashboard
-You can import a ready-to-use dashboard from [Grafana's Dashboards Portal](https://grafana.com/grafana/dashboards/20359-kubeshark-dashboard-v1-0-003/).
+You can import a ready-to-use dashboard from [Grafana's Dashboards Portal](https://grafana.com/grafana/dashboards/21332-kubeshark-dashboard-v3-4/).
diff --git a/charts/chart/templates/02-cluster-role.yaml b/charts/chart/templates/02-cluster-role.yaml
index 8231b53..75a1dd1 100644
--- a/charts/chart/templates/02-cluster-role.yaml
+++ b/charts/chart/templates/02-cluster-role.yaml
@@ -58,5 +58,6 @@ rules:
verbs:
- get
- watch
+ - list
- update
- patch
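Review bot: The `list` verb is added to a rule whose `apiGroups`/`resources` lie above the hunk, so the diff does not show which resource the cluster role now gets broader read access to. Since this is a ClusterRole, `list` widens what the worker/hub service account can enumerate cluster-wide; presumably it is needed by a watch-based informer for the new resource guard or stale-timeout logic, but nothing in the chart says so. A one-line comment above the verb would make the least-privilege reasoning auditable, e.g. `# list is required together with watch by <TODO: name the consumer>`.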
diff --git a/charts/chart/templates/06-front-deployment.yaml b/charts/chart/templates/06-front-deployment.yaml
index 6536a90..25b061d 100644
--- a/charts/chart/templates/06-front-deployment.yaml
+++ b/charts/chart/templates/06-front-deployment.yaml
@@ -24,8 +24,6 @@ spec:
spec:
containers:
- env:
- - name: REACT_APP_DEFAULT_FILTER
- value: '{{ not (eq .Values.tap.defaultFilter "") | ternary .Values.tap.defaultFilter " " }}'
- name: REACT_APP_AUTH_ENABLED
value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
"false"
@@ -42,6 +40,8 @@ spec:
value: '{{ .Values.tap.scriptingDisabled }}'
- name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED
value: '{{ .Values.tap.targetedPodsUpdateDisabled }}'
+ - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED
+ value: '{{ .Values.tap.presetFiltersChangingEnabled }}'
- name: REACT_APP_BPF_OVERRIDE_DISABLED
value: '{{ eq .Values.tap.packetCapture "ebpf" | ternary "true" "false" }}'
- name: REACT_APP_RECORDING_DISABLED
diff --git a/charts/chart/templates/09-worker-daemon-set.yaml b/charts/chart/templates/09-worker-daemon-set.yaml
index f1db6ae..298ef5d 100644
--- a/charts/chart/templates/09-worker-daemon-set.yaml
+++ b/charts/chart/templates/09-worker-daemon-set.yaml
@@ -59,7 +59,9 @@ spec:
- '{{ .Values.tap.metrics.port }}'
- -packet-capture
- '{{ .Values.tap.packetCapture }}'
+ {{- if .Values.tap.tls }}
- -unixsocket
+ {{- end }}
{{- if .Values.tap.serviceMesh }}
- -servicemesh
{{- end }}
@@ -70,9 +72,14 @@ spec:
{{- end }}
{{- if ne .Values.tap.packetCapture "ebpf" }}
- -disable-ebpf
+ {{- end }}
+ {{- if .Values.tap.resourceGuard.enabled }}
+ - -enable-resource-guard
{{- end }}
- -resolution-strategy
- '{{ .Values.tap.misc.resolutionStrategy }}'
+ - -staletimeout
+ - '{{ .Values.tap.misc.staleTimeoutSeconds }}'
{{- if .Values.tap.debug }}
- -debug
{{- end }}
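Review bot: The new `{{- if .Values.tap.tls }}` guard around `-unixsocket` silently changes the default worker invocation: `-unixsocket` used to be passed unconditionally, and now it is only emitted when `tap.tls` is truthy. None of the values.yaml hunks in this commit add a `tap.tls` key, so unless it is already declared elsewhere in values.yaml (not visible here) the condition is always false and the flag disappears from every default install with no error from Helm. If the behaviour change is intended, declare the key with a comment so it is discoverable, e.g. `tls: false  # gate for the worker's -unixsocket flag` under `tap:`, and add it to the README parameter table; the `- args:` list this hunk belongs to begins above the hunk.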
@@ -247,6 +254,10 @@ spec:
- mountPath: /etc/os-release
name: os-release
readOnly: true
+ - mountPath: /hostroot
+ mountPropagation: HostToContainer
+ name: root
+ readOnly: true
{{- end }}
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
@@ -279,6 +290,9 @@ spec:
- hostPath:
path: /etc/os-release
name: os-release
+ - hostPath:
+ path: /
+ name: root
- name: data
{{- if .Values.tap.persistentStorage }}
persistentVolumeClaim:
diff --git a/charts/chart/templates/12-config-map.yaml b/charts/chart/templates/12-config-map.yaml
index e17dbf3..07aeff8 100644
--- a/charts/chart/templates/12-config-map.yaml
+++ b/charts/chart/templates/12-config-map.yaml
@@ -28,6 +28,7 @@ data:
TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
SCRIPTING_DISABLED: '{{ .Values.tap.scriptingDisabled | ternary "true" "" }}'
TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.targetedPodsUpdateDisabled | ternary "true" "" }}'
+ PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.presetFiltersChangingEnabled | ternary "true" "" }}'
RECORDING_DISABLED: '{{ .Values.tap.recordingDisabled | ternary "true" "" }}'
STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.stopTrafficCapturingDisabled .Values.tap.stopped -}}
false
@@ -35,6 +36,7 @@ data:
{{ .Values.tap.stopTrafficCapturingDisabled | ternary "true" "false" }}
{{- end }}'
GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
+ DEFAULT_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.defaultFilter | quote }}
TRAFFIC_SAMPLE_RATE: '{{ .Values.tap.misc.trafficSampleRate }}'
JSON_TTL: '{{ .Values.tap.misc.jsonTTL }}'
PCAP_TTL: '{{ .Values.tap.misc.pcapTTL }}'
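Review bot: Mounting the node's entire root filesystem (`path: /` → `/hostroot`, `mountPropagation: HostToContainer`) gives the worker pod read access to every file on the host, including kubelet credentials, other pods' volumes and any secrets on disk; `readOnly: true` limits writes but not exposure, and the daemon set already runs with `hostNetwork: true`. The commit does not say what needs it — presumably the RAM/disk checks of the new resource guard, or pcapdump sizing — and the `{{- if` that encloses this mount starts above the hunk, so it is not visible whether the mount is opt-in or unconditional. If only a few paths are needed, mount those instead; otherwise add a comment on both the volumeMount and the hostPath volume naming the consumer, e.g. `# whole-host read-only view used by <TODO: name the feature>; required for <TODO: reason>`, and mention in the README that this chart now requires a hostPath `/` mount (relevant for Pod Security admission `restricted`/`baseline` policies).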
@@ -49,4 +51,8 @@ data:
ENABLED_DISSECTORS: '{{ gt (len .Values.tap.enabledDissectors) 0 | ternary (join "," .Values.tap.enabledDissectors) "" }}'
DISSECTORS_UPDATING_ENABLED: '{{ .Values.dissectorsUpdatingEnabled | ternary "true" "false" }}'
DETECT_DUPLICATES: '{{ .Values.tap.misc.detectDuplicates | ternary "true" "false" }}'
-
+ PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled }}'
+ PCAP_TIME_INTERVAL: '{{ .Values.pcapdump.timeInterval }}'
+ PCAP_MAX_TIME: '{{ .Values.pcapdump.maxTime }}'
+ PCAP_MAX_SIZE: '{{ .Values.pcapdump.maxSize }}'
+ PCAP_SRC_DIR: '{{ .Values.pcapdump.pcapSrcDir }}'
diff --git a/charts/chart/values.yaml b/charts/chart/values.yaml
index 86d83c0..31496e7 100644
--- a/charts/chart/values.yaml
+++ b/charts/chart/values.yaml
@@ -98,12 +98,15 @@ tap:
unloadOnDestroy: false
telemetry:
enabled: true
+ resourceGuard:
+ enabled: false
sentry:
enabled: false
environment: production
- defaultFilter: "!dns and !tcp"
+ defaultFilter: "!dns and !tcp and !udp and !icmp"
scriptingDisabled: false
targetedPodsUpdateDisabled: false
+ presetFiltersChangingEnabled: false
recordingDisabled: false
stopTrafficCapturingDisabled: false
capabilities:
@@ -132,7 +135,9 @@ tap:
- sctp
- syscall
- tcp
+ - udp
- ws
+ - tls
metrics:
port: 49100
pprof:
@@ -149,9 +154,16 @@ tap:
resolutionStrategy: auto
duplicateTimeframe: 200ms
detectDuplicates: false
+ staleTimeoutSeconds: 30
logs:
file: ""
grep: ""
+pcapdump:
+ enabled: true
+ timeInterval: 1m
+ maxTime: 1h
+ maxSize: 500MB
+ pcapSrcDir: pcapdump
kube:
configPath: ""
context: ""
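Review bot: `PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled }}'` renders the raw Go boolean, whereas every other boolean key in this hunk (`DISSECTORS_UPDATING_ENABLED`, `DETECT_DUPLICATES`) goes through `ternary "true" "false"`; if a user sets `pcapdump.enabled` to a string or leaves it unset the rendered value is no longer guaranteed to be `true`/`false`. For consistency and a stable contract with the worker, use `PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled | ternary "true" "false" }}'`. The four size/time keys are fine as plain strings as long as the worker parses them; a short comment above the block stating the accepted units (e.g. Go duration for the time keys) would help operators.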
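Review bot: The new `pcapdump` defaults disagree with the README table added in the same commit: values.yaml sets `maxTime: 1h` while the README documents the default as `2h`, and `timeInterval` and `pcapSrcDir` are not documented at all. Since `pcapdump.enabled: true` by default, every install starts persisting captured traffic payloads to the worker's filesystem, so operators need accurate retention figures; fix one of the two sources and add the missing rows. A brief comment on the stanza would also help, e.g. `# Persist captured traffic as pcap files under pcapSrcDir on each worker; bounded by maxTime/maxSize` — the remaining values.yaml hunks in this commit (resourceGuard, presetFiltersChangingEnabled, dissectors, staleTimeoutSeconds) look consistent with the templates that consume them.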