One conflict in helm-chart/values.yaml::tap.auth — master still
carries the legacy AUTH_ROLES schema (per-role AuthorizedActions
struct with canDownloadPCAP / scriptingPermissions / etc).
permissions-refactoring replaced it with the post-#782 shape
(rolesClaim/defaultRole/groupMapping/roles).
Kept the permissions-refactoring shape — locked decision per
plans/permissions-decisions.md (Q1, Q2). Helm template still
renders AUTH_ROLES + AUTH_GROUP_MAPPING + AUTH_ROLES_CLAIM
correctly.
Chart-side companion to hub commit 67162b2e (Phase C of the permissions
refactor). Operators can now declare named roles with their own
capability set + namespace scope under tap.auth.roles; the
12-config-map renders these as AUTH_ROLES JSON for the hub to consume.
- config/configStructs: AuthConfig.Roles map[string]RoleConfig with
Capabilities + Namespaces; doc comments updated for groupMapping +
defaultRole to reflect that user-defined names are now accepted.
- config/configStruct.go: zero-value initializer for Roles so
`kubeshark config` renders `roles: {}` consistently.
- helm-chart/templates/12-config-map.yaml: AUTH_ROLES emits the
full roles map as JSON; hub-side syncAuthRoles validates names
(kubeshark-* prefix reserved) and capabilities (unknown caps
warn-dropped).
- helm-chart/values.yaml: regenerated. Diff is the single `roles: {}`
line under tap.auth.
Spot-checked the rendered ConfigMap:
AUTH_ROLES: '{"payments-viewer":{"capabilities":["snapshot:read",
"dissection:live"],
"namespaces":"payments"}}'
which is exactly the shape the hub parser expects.
Per round-2 permissions clarifications: SSO users whose claim doesn't
match any built-in role and isn't in AUTH_GROUP_MAPPING should fall
back to a read-only baseline instead of strict-deny ("").
defaultRole="" causes the dashboard to 403-storm gated endpoints from
unmatched users; viewer (snapshot:read only) gives them a sensible
read-only UX while still preventing any state change.
Companion to kubeshark/hub#permissions-refactoring. Aligns the CLI
config struct, chart values, and rendered ConfigMap with the
post-refactor hub.
config/configStructs/tapConfig.go:
- Drop AuthConfig.Roles (admin-authored map[string]Role) and the
Role + ScriptingPermissions structs they referenced.
- Drop AuthConfig.DefaultFilter (no namespace scoping in v1).
- Add AuthConfig.GroupMapping (map[string]string) — SSO group name
→ built-in role translation.
- Tighten DefaultRole godoc to reference the four built-in role
constants (kubeshark-admin / kubeshark-realtime /
kubeshark-snapshot / kubeshark-viewer) and the strict-deny
semantics on empty.
config/configStruct.go:
- Drop the legacy "admin" entry from the AuthConfig default —
operators now configure DefaultRole + GroupMapping instead.
- Default RolesClaim is now "groups" (Okta/OIDC convention; was
"role"), matching the hub's runtime default.
helm-chart/templates/12-config-map.yaml:
- Drop AUTH_ROLES emission (key no longer read by hub).
- Add AUTH_GROUP_MAPPING emission from tap.auth.groupMapping (JSON
map; hub validates each value against the built-in role names at
sync time).
helm-chart/values.yaml: regenerated from the Go config — drops the
tap.auth.roles block, adds tap.auth.groupMapping with the new
documentation header for DefaultRole.
Breaking change: deployments carrying tap.auth.roles in their values
will silently lose those role definitions. Migration is to remove the
roles: block and either (a) name their SSO groups to match the four
built-in role constants, or (b) populate tap.auth.groupMapping with
explicit translations.
* Migrate auth.saml.roles to unified auth.roles
Follows the hub-side introduction of the backend-neutral AUTH_ROLES /
AUTH_ROLES_CLAIM / AUTH_DEFAULT_ROLE config (hub commit 51177bcb).
CLI and Helm chart now surface the unified location:
tap.auth.roles — map of role -> permissions (shared SAML/OIDC)
tap.auth.rolesClaim — token/assertion claim name carrying roles
tap.auth.defaultRole — fallback role for authenticated users with
no matching role in their token
Helm ConfigMap template emits AUTH_ROLES / AUTH_ROLES_CLAIM /
AUTH_DEFAULT_ROLE and no longer emits AUTH_SAML_ROLES or
AUTH_SAML_ROLE_ATTRIBUTE. Hub's back-compat fallback still reads those
keys from any existing ConfigMap that hasn't been helm-upgraded.
Legacy struct fields (SamlConfig.Roles, SamlConfig.RoleAttribute) stay
in place so existing values.yaml files with auth.saml.roles still parse
without errors, but the CLI and the chart ignore them. Follow-up release
can remove the struct fields once telemetry confirms migration.
Breaking for users with customized auth.saml.roles in their values.yaml
— the customization is masked by the new default auth.roles.admin and
must be migrated to auth.roles for the custom permissions to take
effect. Documented in the chart README and release notes.
Part of authz-refactoring (Step 2 of hub-oidc-rbac.md, CLI side).
* Remove legacy
* Align CLI + Helm chart with hub AUTH_TYPE rename
Follows hub commit 11564fef. The canonical AUTH_TYPE is now `oidc` for
generic OIDC; `dex` is a permanent alias; `descope` is a new explicit
label. This change surfaces the new vocabulary in the CLI config struct
and the Helm chart, and renames the nested `auth.dexOidc` values.yaml
field to `auth.oidc` for consistency.
Helm chart:
- 12-config-map.yaml: AUTH_OIDC_* keys now read `.Values.tap.auth.oidc.*`
instead of `auth.dexOidc.*`. The cloud-license override that forced
AUTH_TYPE=default unless the admin picked `dex` now accepts `oidc` too.
- 13-secret.yaml: OIDC_CLIENT_ID / OIDC_CLIENT_SECRET read from
`auth.oidc.*` (was `auth.dexOidc.*`).
- 06-front-deployment.yaml: REACT_APP_AUTH_ENABLED / REACT_APP_AUTH_TYPE
conditionals accept both `oidc` and `dex` where they previously only
matched `dex`.
- values.yaml: comment on `tap.auth.type` lists valid values and flags
the breaking change.
- README.md: `tap.auth.type` row lists valid values. All `dexOidc`
references renamed to `oidc`. Sample values.yaml blocks now show
`type: oidc` as the canonical form.
CLI:
- config/configStructs/tapConfig.go: AuthConfig.Type documented with the
full list of valid values and the migration hint.
Breaking changes (repeated in release notes):
1. `tap.auth.type: oidc` now routes to the generic OIDC middleware
(previously Descope). Switch to `tap.auth.type: descope` or `default`
if you were using `oidc` for Descope.
2. `tap.auth.dexOidc.*` values are no longer read. Rename to
`tap.auth.oidc.*`. No fallback.
3. `tap.auth.type: dex` continues to work — permanent alias of `oidc`.
Part of authz-refactoring (Step 4 of hub-oidc-rbac.md, CLI/Helm side).
* default kfl
* Authz Refactoring: Step 8: namespaces-list role filter
Align with hub PR kubeshark/hub#756. Per-role auth.roles[].filter (KFL)
is replaced by auth.roles[].namespaces (comma-separated list with "*",
literal, and glob semantics). Standalone tap.auth.defaultFilter knob
removed.
helm-chart/values.yaml
- admin role example uses namespaces: "*" instead of filter: "".
- Comment block explains the new namespaces semantics.
- defaultFilter: "" entry + accompanying comment block deleted.
helm-chart/templates/12-config-map.yaml
- AUTH_DEFAULT_FILTER ConfigMap entry removed (hub no longer reads it).
helm-chart/README.md
- tap.auth.defaultFilter row removed.
- tap.auth.roles default value example updated: filter: "" → namespaces: "*";
description gains the per-role namespaces semantics legend.
Add mongodb to the enabled dissectors list and port mapping (27017)
in both Go config defaults and Helm chart values.
Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* In preparation for v200
* updated README
* Enable raw capture
* changed 0.0.0.0 to 127.0.0.1
as 0.0.0.0 is insecure address
* added tip: kubeshark proxy
* added new TCP/UDP connection dissectors
Set API2 as the default
* increased storageLimit per worker.
* Updated makefile
* updated the complementary license
to the end of Jan 2026.
* readme touch ups
* Updated snapshot image
* updated license
removed dashboard subproject
* Disable Intercom support by default.
Support can be enabled using a helm flag.
* updated the license notification
as a result of a successful helm installation.
* GenAI assistant enabled by default
* updated helm values
* removed the tap.debug field
from the tapConfig struct
* Revert "removed the tap.debug field"
This reverts commit f911c02f0d.
* support the -d --debug command
with the new logLevel flag
* Add cmd to copy pcaps from worker
* Update commands to merge pcaps
* Remove test img
* Remove usage of http endpoint in copy
* Unify commands
* Add copy flag
* Address review comments
* Update k8s config path processing
* Remove debug prints
* setting the pcapSrcDit to the name of the command
* Update values.yaml
* Remove the start,stop and copy flags
* Clean up the the code a bit
Changed the logic so it's either copy or start/stop.
Works well for a first version.
* Improved the logic
* Changed pcapdump enable flag to boolean
* Added helm value documentation
* minor default configuration changes
* Fix default val for enabled
* Final changes
Cleaned up the helm worker template
Improve the logic a bit
* Code cleanup
Changed instances of `enable` to `enabled` for purpose of consistency
Removed unused helm environment variables
* Enable merging all node files to a single file.
Before the outcome had been a merged file per node.
Now the outcome is a single merged file for all nodes.
* Committed for testing purpose
* Reduced the initial disk foot print to 10MB per node
---------
Co-authored-by: bogdan.balan1 <bogdanvalentin.balan@1nce.com>
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
* Add `udp` to list of enabled dissectors
* ignore udp as part of a global filter
* have globalFilter ignore udp and icmp
* Have globalFilter ignore udp and icmp
* Update README.md
---------
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
* tcp dissector enabled by default
* changing the readme
In support of having the `tcp` dissector enabled by default.
* Update values.yaml
* Update complete.yaml
* updated the defaultFilter default value
1. Start with some level of "noise reduction" (`tcp` and `dns`).
2. Provide a hint how to use a display filter to filter out protocol aliases.
* Update values.yaml
filter out DNS and TCP
* Update complete.yaml
Filter out DNS and TCP
* Update README.md
Filter out TCP and DNS by default
TCP dissector can be added as a helm value. This dissector shouldn't be used in production clusters, as enabling this dissector will consume enormous amounts of CPU and memory.
TODO: Have the TCP dissector adhere to pod targeting rules.