Add raw capture config parameters (#1789)

* Add raw capture config parameters

* upd

* upd

config/configStructs/tapConfig.go

@@ -300,9 +300,15 @@ type SeLinuxOptionsConfig struct {
 	User  string `yaml:"user" json:"user"`
 }
 
+type RawCaptureConfig struct {
+	Enabled     bool   `yaml:"enabled" json:"enabled" default:"false"`
+	StorageSize string `yaml:"storageSize" json:"storageSize" default:"1Gi"`
+}
+
 type CaptureConfig struct {
-	Stopped     bool   `yaml:"stopped" json:"stopped" default:"false"`
-	StopAfter   string `yaml:"stopAfter" json:"stopAfter" default:"5m"`
+	Stopped   bool             `yaml:"stopped" json:"stopped" default:"false"`
+	StopAfter string           `yaml:"stopAfter" json:"stopAfter" default:"5m"`
+	Raw       RawCaptureConfig `yaml:"raw" json:"raw"`
 	DbMaxSize   string `yaml:"dbMaxSize" json:"dbMaxSize" default:""`
 }
 

helm-chart/README.md

@@ -140,6 +140,8 @@ Example for overriding image names:
 | `tap.bpfOverride`                         | When using AF_PACKET as a traffic capture backend, override any existing pod targeting rules and set explicit BPF expression (e.g. `net 0.0.0.0/0`).                                                          | `[]`                                                    |
 | `tap.capture.stopped`                             | Set to `false` to have traffic processing start automatically. When set to `true`, traffic processing is stopped by default, resulting in almost no resource consumption (e.g. Kubeshark is dormant). This property can be dynamically control via the dashboard.      | `false`                                                                                                                                                |
 | `tap.capture.stopAfter`                             | Set to a duration (e.g. `30s`) to have traffic processing stop after no websocket activity between worker and hub.     | `30s`                                                                                                                                                |
+| `tap.capture.raw.enabled`                           | Enable raw capture of packets and syscalls to disk for offline analysis      | `false`                                                                                                                                                |
+| `tap.capture.raw.storageSize`                       | Maximum storage size for raw capture files (supports K8s quantity format: `1Gi`, `500Mi`, etc.)     | `1Gi`                                                                                                                                                |
 | `tap.capture.dbMaxSize`                           | Maximum size for capture database (e.g., `4Gi`, `2000Mi`). When empty, automatically uses 80% of allocated storage (`tap.storageLimit`).     | `""`                                                                                                                                                |
 | `tap.release.repo`                        | URL of the Helm chart repository              | `https://helm.kubeshark.co`                             |
 | `tap.release.name`                        | Helm release name                             | `kubeshark`                                             |

helm-chart/templates/12-config-map.yaml

@@ -83,3 +83,5 @@ data:
     PCAP_MAX_TIME: '{{ .Values.pcapdump.maxTime }}'
     PCAP_MAX_SIZE: '{{ .Values.pcapdump.maxSize }}'
     PORT_MAPPING: '{{ toJson .Values.tap.portMapping }}'
+    RAW_CAPTURE: '{{ .Values.tap.capture.raw.enabled | ternary "true" "false" }}'
+    RAW_CAPTURE_STORAGE_SIZE: '{{ .Values.tap.capture.raw.storageSize }}'

helm-chart/values.yaml

@@ -29,6 +29,9 @@ tap:
   capture:
     stopped: false
     stopAfter: 5m
+    raw:
+      enabled: false
+      storageSize: 1Gi
     dbMaxSize: ""
   release:
     repo: https://helm.kubeshark.co