* Migrate auth.saml.roles to unified auth.roles
Follows the hub-side introduction of the backend-neutral AUTH_ROLES /
AUTH_ROLES_CLAIM / AUTH_DEFAULT_ROLE config (hub commit 51177bcb).
CLI and Helm chart now surface the unified location:
tap.auth.roles — map of role -> permissions (shared SAML/OIDC)
tap.auth.rolesClaim — token/assertion claim name carrying roles
tap.auth.defaultRole — fallback role for authenticated users with
no matching role in their token
Helm ConfigMap template emits AUTH_ROLES / AUTH_ROLES_CLAIM /
AUTH_DEFAULT_ROLE and no longer emits AUTH_SAML_ROLES or
AUTH_SAML_ROLE_ATTRIBUTE. Hub's back-compat fallback still reads those
keys from any existing ConfigMap that hasn't been helm-upgraded.
Legacy struct fields (SamlConfig.Roles, SamlConfig.RoleAttribute) stay
in place so existing values.yaml files with auth.saml.roles still parse
without errors, but the CLI and the chart ignore them. Follow-up release
can remove the struct fields once telemetry confirms migration.
Breaking for users with customized auth.saml.roles in their values.yaml
— the customization is masked by the new default auth.roles.admin and
must be migrated to auth.roles for the custom permissions to take
effect. Documented in the chart README and release notes.
Part of authz-refactoring (Step 2 of hub-oidc-rbac.md, CLI side).
* Remove legacy
* Align CLI + Helm chart with hub AUTH_TYPE rename
Follows hub commit 11564fef. The canonical AUTH_TYPE is now `oidc` for
generic OIDC; `dex` is a permanent alias; `descope` is a new explicit
label. This change surfaces the new vocabulary in the CLI config struct
and the Helm chart, and renames the nested `auth.dexOidc` values.yaml
field to `auth.oidc` for consistency.
Helm chart:
- 12-config-map.yaml: AUTH_OIDC_* keys now read `.Values.tap.auth.oidc.*`
instead of `auth.dexOidc.*`. The cloud-license override that forced
AUTH_TYPE=default unless the admin picked `dex` now accepts `oidc` too.
- 13-secret.yaml: OIDC_CLIENT_ID / OIDC_CLIENT_SECRET read from
`auth.oidc.*` (was `auth.dexOidc.*`).
- 06-front-deployment.yaml: REACT_APP_AUTH_ENABLED / REACT_APP_AUTH_TYPE
conditionals accept both `oidc` and `dex` where they previously only
matched `dex`.
- values.yaml: comment on `tap.auth.type` lists valid values and flags
the breaking change.
- README.md: `tap.auth.type` row lists valid values. All `dexOidc`
references renamed to `oidc`. Sample values.yaml blocks now show
`type: oidc` as the canonical form.
CLI:
- config/configStructs/tapConfig.go: AuthConfig.Type documented with the
full list of valid values and the migration hint.
Breaking changes (repeated in release notes):
1. `tap.auth.type: oidc` now routes to the generic OIDC middleware
(previously Descope). Switch to `tap.auth.type: descope` or `default`
if you were using `oidc` for Descope.
2. `tap.auth.dexOidc.*` values are no longer read. Rename to
`tap.auth.oidc.*`. No fallback.
3. `tap.auth.type: dex` continues to work — permanent alias of `oidc`.
Part of authz-refactoring (Step 4 of hub-oidc-rbac.md, CLI/Helm side).
* default kfl
* Authz Refactoring: Step 8: namespaces-list role filter
Align with hub PR kubeshark/hub#756. Per-role auth.roles[].filter (KFL)
is replaced by auth.roles[].namespaces (comma-separated list with "*",
literal, and glob semantics). Standalone tap.auth.defaultFilter knob
removed.
helm-chart/values.yaml
- admin role example uses namespaces: "*" instead of filter: "".
- Comment block explains the new namespaces semantics.
- defaultFilter: "" entry + accompanying comment block deleted.
helm-chart/templates/12-config-map.yaml
- AUTH_DEFAULT_FILTER ConfigMap entry removed (hub no longer reads it).
helm-chart/README.md
- tap.auth.defaultFilter row removed.
- tap.auth.roles default value example updated: filter: "" → namespaces: "*";
description gains the per-role namespaces semantics legend.
Add mongodb to the enabled dissectors list and port mapping (27017)
in both Go config defaults and Helm chart values.
Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allow users to specify a local Helm chart folder via CLI flag or config,
which takes precedence over the KUBESHARK_HELM_CHART_PATH env variable and
the remote Helm repo. Also update nginx proxy config to disable buffering
for better streaming and large snapshot support.
* Add MCP (Model Context Protocol) server command
Implement `kubeshark mcp` command that runs an MCP server over stdio,
enabling AI assistants to query Kubeshark's network visibility data.
Features:
- MCP protocol implementation (JSON-RPC 2.0 over stdio)
- Dynamic tool discovery from Hub's /api/mcp endpoint
- Local cluster management tools (check_kubeshark_status, start_kubeshark, stop_kubeshark)
- --url flag for direct connection to existing Kubeshark deployment
- --kubeconfig flag for proxy mode with kubectl
- --allow-destructive flag to enable start/stop operations (safe by default)
- --list-tools flag to display available tools
- --mcp-config flag to generate MCP client configuration
- 5-minute cache TTL for Hub tools/prompts
- Prompts for common analysis tasks
* Address code review comments for MCP implementation
- Add 30s timeout to HTTP client to prevent hanging requests
- Add scanner.Err() check after stdin processing loop
- Close HTTP response bodies to prevent resource leaks
- Add goroutine to wait on started process to prevent zombies
- Simplify polling loop by removing ineffective context check
- Advertise check_kubeshark_status in URL mode (was callable but hidden)
- Update documentation to clarify URL mode only disables start/stop
* Fix lint errors in mcpRunner.go
- Use type conversion instead of struct literals for hubMCPTool -> mcpTool
and hubMCPPromptArg -> mcpPromptArg (S1016 gosimple)
- Lowercase error string to follow Go conventions (ST1005 staticcheck)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* In preparation for v200
* updated README
* Enable raw capture
* changed 0.0.0.0 to 127.0.0.1
as 0.0.0.0 is insecure address
* added tip: kubeshark proxy
* added new TCP/UDP connection dissectors
Set API2 as the default
* increased storageLimit per worker.
* Updated makefile
* updated the complementary license
to the end of Jan 2026.
* readme touch ups
* Updated snapshot image
* updated license
removed dashboard subproject
* 🔨 Add `tap.dashboard.streamingType` helm value
* 🔨 Add `streamingType` to tap config
* 🔨 Adjust `REACT_APP_STREAMING_TYPE` front env value
* 🔨 Use default empty string for `streamingType` value