Update README and fix broken links (#1846 )

* Update README with new structure and AI focus * Update AI section: AI-Powered Root Cause Analysis with agents * updated links * added an image to the API context * some fixes to the readme * Remove TODO comments - using real images * Fix broken MCP Registry links in mcp/README.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Rename generic capture to l7 dissection specific config (#1841 )
2026-02-15 10:29:55 +00:00 · 2026-02-13 15:43:04 -08:00 · 2026-02-11 11:27:37 -08:00 · 2026-02-10 10:40:48 -08:00 · 2026-02-09 13:39:33 -08:00 · 2026-02-09 13:03:51 -08:00
119 changed files with 11295 additions and 3968 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,16 +0,0 @@
-# Files
-.dockerignore
-.editorconfig
-.gitignore
-Dockerfile
-Makefile
-LICENSE
-**/*.md
-**/*_test.go
-*.out
-
-# Folders
-.git/
-.github/
-build/
-**/node_modules/
--- a/.github/static/kubeshark.rb.tmpl
+++ b/.github/static/kubeshark.rb.tmpl
@@ -0,0 +1,46 @@
+# typed: false
+# frozen_string_literal: true
+
+class Kubeshark < Formula
+  desc ""
+  homepage "https://github.com/kubeshark/kubeshark"
+  version "${CLEAN_VERSION}"
+
+  on_macos do
+    if Hardware::CPU.arm?
+      url "https://github.com/kubeshark/kubeshark/releases/download/${FULL_VERSION}/kubeshark_darwin_arm64"
+      sha256 "${DARWIN_ARM64_SHA256}"
+
+      def install
+        bin.install "kubeshark_darwin_arm64" => "kubeshark"
+      end
+    end
+    if Hardware::CPU.intel?
+      url "https://github.com/kubeshark/kubeshark/releases/download/${FULL_VERSION}/kubeshark_darwin_amd64"
+      sha256 "${DARWIN_AMD64_SHA256}"
+
+      def install
+        bin.install "kubeshark_darwin_amd64" => "kubeshark"
+      end
+    end
+  end
+
+  on_linux do
+    if Hardware::CPU.intel?
+      url "https://github.com/kubeshark/kubeshark/releases/download/${FULL_VERSION}/kubeshark_linux_amd64"
+      sha256 "${LINUX_AMD64_SHA256}"
+
+      def install
+        bin.install "kubeshark_linux_amd64" => "kubeshark"
+      end
+    end
+    if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
+      url "https://github.com/kubeshark/kubeshark/releases/download/${FULL_VERSION}/kubeshark_linux_arm64"
+      sha256 "${LINUX_ARM64_SHA256}"
+
+      def install
+        bin.install "kubeshark_linux_arm64" => "kubeshark"
+      end
+    end
+  end
+end
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -0,0 +1,36 @@
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+    - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+name: Release Helm Charts
+
+jobs:
+  release:
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.5.0
+        with:
+          charts_dir: .
+          charts_repo_url: https://kubeshark.github.io/kubeshark
+        env:
+          CR_TOKEN: "${{ secrets.HELM_TOKEN }}"
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -16,16 +16,18 @@ jobs:
    name: Golint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@v3
        with:
          fetch-depth: 2

-      - uses: actions/setup-go@v2
+      - name: Set up Go
+        uses: actions/setup-go@v4
        with:
-          go-version: '^1.17'
+          go-version-file: 'go.mod'

      - name: Go lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
        with:
          version: latest
          args: --timeout=10m
--- a/.github/workflows/mcp-publish.yml
+++ b/.github/workflows/mcp-publish.yml
@@ -0,0 +1,201 @@
+name: MCP Registry Publish
+
+on:
+  workflow_call:
+    inputs:
+      release_tag:
+        description: 'Release tag to publish (e.g., v52.13.0)'
+        type: string
+        required: true
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run - generate server.json but skip actual publishing'
+        type: boolean
+        default: true
+      release_tag:
+        description: 'Release tag to publish (e.g., v52.13.0)'
+        type: string
+        required: true
+
+jobs:
+  mcp-publish:
+    name: Publish to MCP Registry
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC authentication with MCP Registry
+      contents: read   # Required for checkout
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Determine version
+        id: version
+        shell: bash
+        run: |
+          # inputs.release_tag works for both workflow_call and workflow_dispatch
+          VERSION="${{ inputs.release_tag }}"
+          echo "tag=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Publishing MCP server for version: ${VERSION}"
+
+      - name: Download SHA256 files from release
+        shell: bash
+        run: |
+          VERSION="${{ steps.version.outputs.tag }}"
+          mkdir -p bin
+          echo "Downloading SHA256 checksums from release ${VERSION}..."
+          for platform in darwin_arm64 darwin_amd64 linux_arm64 linux_amd64 windows_amd64; do
+            url="https://github.com/kubeshark/kubeshark/releases/download/${VERSION}/kubeshark-mcp_${platform}.mcpb.sha256"
+            echo "  Fetching ${platform}..."
+            if ! curl -sfL "${url}" -o "bin/kubeshark-mcp_${platform}.mcpb.sha256"; then
+              echo "::warning::Failed to download SHA256 for ${platform}"
+            fi
+          done
+          echo "Downloaded checksums:"
+          ls -la bin/*.sha256 2>/dev/null || echo "No SHA256 files found"
+
+      - name: Generate server.json
+        shell: bash
+        run: |
+          VERSION="${{ steps.version.outputs.tag }}"
+          CLEAN_VERSION="${VERSION#v}"
+
+          # Read SHA256 hashes
+          get_sha256() {
+            local file="bin/kubeshark-mcp_$1.mcpb.sha256"
+            if [ -f "$file" ]; then
+              awk '{print $1}' "$file"
+            else
+              echo "HASH_NOT_FOUND"
+            fi
+          }
+
+          DARWIN_ARM64_SHA256=$(get_sha256 "darwin_arm64")
+          DARWIN_AMD64_SHA256=$(get_sha256 "darwin_amd64")
+          LINUX_ARM64_SHA256=$(get_sha256 "linux_arm64")
+          LINUX_AMD64_SHA256=$(get_sha256 "linux_amd64")
+          WINDOWS_AMD64_SHA256=$(get_sha256 "windows_amd64")
+
+          echo "SHA256 hashes:"
+          echo "  darwin_arm64: ${DARWIN_ARM64_SHA256}"
+          echo "  darwin_amd64: ${DARWIN_AMD64_SHA256}"
+          echo "  linux_arm64:  ${LINUX_ARM64_SHA256}"
+          echo "  linux_amd64:  ${LINUX_AMD64_SHA256}"
+          echo "  windows_amd64: ${WINDOWS_AMD64_SHA256}"
+
+          # Generate server.json using jq for proper formatting
+          jq -n \
+            --arg version "$CLEAN_VERSION" \
+            --arg full_version "$VERSION" \
+            --arg darwin_arm64_sha "$DARWIN_ARM64_SHA256" \
+            --arg darwin_amd64_sha "$DARWIN_AMD64_SHA256" \
+            --arg linux_arm64_sha "$LINUX_ARM64_SHA256" \
+            --arg linux_amd64_sha "$LINUX_AMD64_SHA256" \
+            --arg windows_amd64_sha "$WINDOWS_AMD64_SHA256" \
+            '{
+              "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+              "name": "io.github.kubeshark/mcp",
+              "displayName": "Kubeshark",
+              "description": "Real-time Kubernetes network traffic visibility and API analysis for HTTP, gRPC, Redis, Kafka, DNS.",
+              "icon": "https://raw.githubusercontent.com/kubeshark/assets/refs/heads/master/logo/ico/icon.ico",
+              "repository": { "url": "https://github.com/kubeshark/kubeshark", "source": "github" },
+              "homepage": "https://kubeshark.com",
+              "license": "Apache-2.0",
+              "version": $version,
+              "authors": [{ "name": "Kubeshark", "url": "https://kubeshark.com" }],
+              "categories": ["kubernetes", "networking", "observability", "debugging", "security"],
+              "tags": ["kubernetes", "network", "traffic", "api", "http", "grpc", "kafka", "redis", "dns", "pcap", "wireshark", "tcpdump", "observability", "debugging", "microservices"],
+              "packages": [
+                { "registryType": "mcpb", "identifier": ("https://github.com/kubeshark/kubeshark/releases/download/" + $full_version + "/kubeshark-mcp_darwin_arm64.mcpb"), "fileSha256": $darwin_arm64_sha, "transport": { "type": "stdio" } },
+                { "registryType": "mcpb", "identifier": ("https://github.com/kubeshark/kubeshark/releases/download/" + $full_version + "/kubeshark-mcp_darwin_amd64.mcpb"), "fileSha256": $darwin_amd64_sha, "transport": { "type": "stdio" } },
+                { "registryType": "mcpb", "identifier": ("https://github.com/kubeshark/kubeshark/releases/download/" + $full_version + "/kubeshark-mcp_linux_arm64.mcpb"), "fileSha256": $linux_arm64_sha, "transport": { "type": "stdio" } },
+                { "registryType": "mcpb", "identifier": ("https://github.com/kubeshark/kubeshark/releases/download/" + $full_version + "/kubeshark-mcp_linux_amd64.mcpb"), "fileSha256": $linux_amd64_sha, "transport": { "type": "stdio" } },
+                { "registryType": "mcpb", "identifier": ("https://github.com/kubeshark/kubeshark/releases/download/" + $full_version + "/kubeshark-mcp_windows_amd64.mcpb"), "fileSha256": $windows_amd64_sha, "transport": { "type": "stdio" } }
+              ],
+              "tools": [
+                { "name": "check_kubeshark_status", "description": "Check if Kubeshark is currently running in the cluster.", "mode": "proxy" },
+                { "name": "start_kubeshark", "description": "Deploy Kubeshark to the Kubernetes cluster. Requires --allow-destructive flag.", "mode": "proxy", "destructive": true },
+                { "name": "stop_kubeshark", "description": "Remove Kubeshark from the Kubernetes cluster. Requires --allow-destructive flag.", "mode": "proxy", "destructive": true },
+                { "name": "list_workloads", "description": "List pods, services, namespaces, and nodes with observed L7 traffic.", "mode": "all" },
+                { "name": "list_api_calls", "description": "Query L7 API transactions (HTTP, gRPC, Redis, Kafka, DNS) with KFL filtering.", "mode": "all" },
+                { "name": "get_api_call", "description": "Get detailed information about a specific API call including headers and body.", "mode": "all" },
+                { "name": "get_api_stats", "description": "Get aggregated API statistics and metrics.", "mode": "all" },
+                { "name": "list_l4_flows", "description": "List L4 (TCP/UDP) network flows with traffic statistics.", "mode": "all" },
+                { "name": "get_l4_flow_summary", "description": "Get L4 connectivity summary including top talkers and cross-namespace traffic.", "mode": "all" },
+                { "name": "list_snapshots", "description": "List all PCAP snapshots.", "mode": "all" },
+                { "name": "create_snapshot", "description": "Create a new PCAP snapshot of captured traffic.", "mode": "all" },
+                { "name": "get_dissection_status", "description": "Check L7 protocol parsing status.", "mode": "all" },
+                { "name": "enable_dissection", "description": "Enable L7 protocol dissection.", "mode": "all" },
+                { "name": "disable_dissection", "description": "Disable L7 protocol dissection.", "mode": "all" }
+              ],
+              "prompts": [
+                { "name": "analyze_traffic", "description": "Analyze API traffic patterns and identify issues" },
+                { "name": "find_errors", "description": "Find and summarize API errors and failures" },
+                { "name": "trace_request", "description": "Trace a request path through microservices" },
+                { "name": "show_topology", "description": "Show service communication topology" },
+                { "name": "latency_analysis", "description": "Analyze latency patterns and identify slow endpoints" },
+                { "name": "security_audit", "description": "Audit traffic for security concerns" },
+                { "name": "compare_traffic", "description": "Compare traffic patterns between time periods" },
+                { "name": "debug_connection", "description": "Debug connectivity issues between services" }
+              ],
+              "configuration": {
+                "properties": {
+                  "url": { "type": "string", "description": "Direct URL to Kubeshark Hub (e.g., https://kubeshark.example.com). When set, connects directly without kubectl/proxy.", "examples": ["https://kubeshark.example.com", "http://localhost:8899"] },
+                  "kubeconfig": { "type": "string", "description": "Path to kubeconfig file for proxy mode.", "examples": ["~/.kube/config", "/path/to/.kube/config"] },
+                  "allow-destructive": { "type": "boolean", "description": "Enable destructive operations (start_kubeshark, stop_kubeshark). Default: false for safety.", "default": false }
+                }
+              },
+              "modes": {
+                "url": { "description": "Connect directly to an existing Kubeshark deployment via URL. Cluster management tools are disabled.", "args": ["mcp", "--url", "${url}"] },
+                "proxy": { "description": "Connect via kubectl port-forward. Requires kubeconfig access to the cluster.", "args": ["mcp", "--kubeconfig", "${kubeconfig}"] },
+                "proxy-destructive": { "description": "Proxy mode with destructive operations enabled.", "args": ["mcp", "--kubeconfig", "${kubeconfig}", "--allow-destructive"] }
+              }
+            }' > mcp/server.json
+
+          echo ""
+          echo "Generated server.json:"
+          cat mcp/server.json
+
+      - name: Install mcp-publisher
+        shell: bash
+        run: |
+          echo "Installing mcp-publisher..."
+          curl -sfL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz
+          chmod +x mcp-publisher
+          sudo mv mcp-publisher /usr/local/bin/
+          echo "mcp-publisher installed successfully"
+
+      - name: Login to MCP Registry
+        if: github.event_name != 'workflow_dispatch' || github.event.inputs.dry_run != 'true'
+        shell: bash
+        run: mcp-publisher login github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to MCP Registry
+        if: github.event_name != 'workflow_dispatch' || github.event.inputs.dry_run != 'true'
+        shell: bash
+        run: |
+          cd mcp
+          echo "Publishing to MCP Registry..."
+          if ! mcp-publisher publish; then
+            echo "::error::Failed to publish to MCP Registry"
+            exit 1
+          fi
+          echo "Successfully published to MCP Registry"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Dry-run summary
+        if: github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true'
+        shell: bash
+        run: |
+          echo "=============================================="
+          echo "DRY RUN - Would publish the following server.json"
+          echo "=============================================="
+          cat mcp/server.json
+          echo ""
+          echo "=============================================="
+          echo "SHA256 checksums downloaded:"
+          echo "=============================================="
+          cat bin/*.sha256 2>/dev/null || echo "No SHA256 files found"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,7 +1,8 @@
 on:
  push:
+    # Sequence of patterns matched against refs/tags
    tags:
-      - '*'
+    - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10

 name: Release

@@ -13,22 +14,26 @@ jobs:
  release:
    name: Build and publish a new release
    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.tag }}
    steps:
-      - name: Set up Go 1.17
-        uses: actions/setup-go@v2
-        with:
-          go-version: '1.17'
-
      - name: Check out the repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'

      - name: Version
        id: version
        shell: bash
        run: |
-          echo "##[set-output name=tag;]$(echo ${GITHUB_REF#refs/*/})"
-          echo "##[set-output name=build_timestamp;]$(echo $(date +%s))"
-          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+          {
+            echo "tag=${GITHUB_REF#refs/*/}"
+            echo "build_timestamp=$(date +%s)"
+            echo "branch=${GITHUB_REF#refs/heads/}"
+          } >> "$GITHUB_OUTPUT"

      - name: Build
        run: make build-all VER='${{ steps.version.outputs.tag }}' BUILD_TIMESTAMP='${{ steps.version.outputs.build_timestamp }}'
@@ -38,38 +43,35 @@ jobs:
        run: |
          echo '${{ steps.version.outputs.tag }}' >> bin/version.txt

+      - name: Create MCP Registry artifacts
+        shell: bash
+        run: |
+          cd bin
+          # Create .mcpb copies for MCP Registry (URL must contain "mcp")
+          for f in kubeshark_linux_amd64 kubeshark_linux_arm64 kubeshark_darwin_amd64 kubeshark_darwin_arm64; do
+            if [ -f "$f" ]; then
+              cp "$f" "${f/kubeshark_/kubeshark-mcp_}.mcpb"
+              shasum -a 256 "${f/kubeshark_/kubeshark-mcp_}.mcpb" > "${f/kubeshark_/kubeshark-mcp_}.mcpb.sha256"
+            fi
+          done
+          # Handle Windows executable
+          if [ -f "kubeshark.exe" ]; then
+            cp kubeshark.exe kubeshark-mcp_windows_amd64.mcpb
+            shasum -a 256 kubeshark-mcp_windows_amd64.mcpb > kubeshark-mcp_windows_amd64.mcpb.sha256
+          fi
+
      - name: Release
        uses: ncipollo/release-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          artifacts: "bin/*"
          tag: ${{ steps.version.outputs.tag }}
-          prerelease: true
+          prerelease: false
          bodyFile: 'bin/README.md'

-  brew-tap:
-    name: Create Homebrew formulae
-    runs-on: ubuntu-latest
+  mcp-publish:
+    name: Publish to MCP Registry
    needs: [release]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Fetch all tags
-        run: git fetch --force --tags
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          distribution: goreleaser
-          version: ${{ env.GITHUB_REF_NAME }}
-          args: release --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.HOMEBREW_TOKEN }}
+    uses: ./.github/workflows/mcp-publish.yml
+    with:
+      release_tag: ${{ needs.release.outputs.version }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,17 +15,17 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 2

-      - name: Set up Go 1.17
-        uses: actions/setup-go@v2
+      - name: Set up Go
+        uses: actions/setup-go@v4
        with:
-          go-version: '^1.17'
+          go-version-file: 'go.mod'

      - name: Test
        run: make test

      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
--- a/.gitignore
+++ b/.gitignore
@@ -56,4 +56,11 @@ cypress.env.json
 # Object files
 *.o

+# Binaries
 bin
+
+# Scripts
+scripts/
+
+# CWD config YAML
+kubeshark.yaml
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +1,4 @@
-![Kubeshark: The API Traffic Viewer for Kubernetes](https://raw.githubusercontent.com/kubeshark/assets/master/svg/kubeshark-logo.svg)
+![Kubeshark: The API Traffic Analyzer for Kubernetes](https://raw.githubusercontent.com/kubeshark/assets/master/svg/kubeshark-logo.svg)

 # Contributing to Kubeshark

@@ -7,7 +7,7 @@ Please read and follow the guidelines below.

 ## Communication

-* Before starting work on a major feature, please reach out to us via [GitHub](https://github.com/kubeshark/kubeshark), [Discord](https://discord.gg/WkvRGMUcx7), [Slack](https://join.slack.com/t/kubeshark/shared_invite/zt-1k3sybpq9-uAhFkuPJiJftKniqrGHGhg), [email](mailto:info@kubeshark.co), etc. We will make sure no one else is already working on it. A _major feature_ is defined as any change that is > 100 LOC altered (not including tests), or changes any user-facing behavior
+* Before starting work on a major feature, please reach out to us via [GitHub](https://github.com/kubeshark/kubeshark), [Discord](https://discord.gg/WkvRGMUcx7), [Slack](https://join.slack.com/t/kubeshark/shared_invite/zt-1k3sybpq9-uAhFkuPJiJftKniqrGHGhg), [email](mailto:info@kubeshark.com), etc. We will make sure no one else is already working on it. A _major feature_ is defined as any change that is > 100 LOC altered (not including tests), or changes any user-facing behavior
 * Small patches and bug fixes don't need prior communication.

 ## Contribution Requirements
--- a/238
+++ b/238
@@ -9,21 +9,29 @@ COMMIT_HASH=$(shell git rev-parse HEAD)
 GIT_BRANCH=$(shell git branch --show-current | tr '[:upper:]' '[:lower:]')
 GIT_VERSION=$(shell git branch --show-current | tr '[:upper:]' '[:lower:]')
 BUILD_TIMESTAMP=$(shell date +%s)
-export VER?=0.0
+export VER?=0.0.0

 help: ## Print this help message.
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

-build-debug:  ## Build for debuging.
+build-debug:  ## Build for debugging.
+	export CGO_ENABLED=1
 	export GCLFAGS='-gcflags="all=-N -l"'
 	${MAKE} build-base

 build: ## Build.
+	export CGO_ENABLED=0
+	export LDFLAGS_EXT='-extldflags=-static -s -w'
+	${MAKE} build-base
+
+build-race: ## Build with -race flag.
+	export CGO_ENABLED=1
+	export GCLFAGS='-race'
 	export LDFLAGS_EXT='-extldflags=-static -s -w'
 	${MAKE} build-base

 build-base: ## Build binary (select the platform via GOOS / GOARCH env variables).
-	CGO_ENABLED=0 go build ${GCLFAGS} -ldflags="${LDFLAGS_EXT} \
+	go build ${GCLFAGS} -ldflags="${LDFLAGS_EXT} \
 					-X 'github.com/kubeshark/kubeshark/misc.GitCommitHash=$(COMMIT_HASH)' \
 					-X 'github.com/kubeshark/kubeshark/misc.Branch=$(GIT_BRANCH)' \
 					-X 'github.com/kubeshark/kubeshark/misc.BuildTimestamp=$(BUILD_TIMESTAMP)' \
@@ -32,15 +40,30 @@ build-base: ## Build binary (select the platform via GOOS / GOARCH env variables
 					-o bin/kubeshark_$(SUFFIX) kubeshark.go && \
 	cd bin && shasum -a 256 kubeshark_${SUFFIX} > kubeshark_${SUFFIX}.sha256

+build-brew: ## Build binary for brew/core CI
+	go build ${GCLFAGS} -ldflags="${LDFLAGS_EXT} \
+					-X 'github.com/kubeshark/kubeshark/misc.GitCommitHash=$(COMMIT_HASH)' \
+					-X 'github.com/kubeshark/kubeshark/misc.Branch=$(GIT_BRANCH)' \
+					-X 'github.com/kubeshark/kubeshark/misc.BuildTimestamp=$(BUILD_TIMESTAMP)' \
+					-X 'github.com/kubeshark/kubeshark/misc.Platform=$(SUFFIX)' \
+					-X 'github.com/kubeshark/kubeshark/misc.Ver=$(VER)'" \
+					-o kubeshark kubeshark.go
+
+build-windows-amd64:
+	$(MAKE) build GOOS=windows GOARCH=amd64 && \
+	mv ./bin/kubeshark_windows_amd64 ./bin/kubeshark.exe && \
+	rm bin/kubeshark_windows_amd64.sha256 && \
+	cd bin && shasum -a 256 kubeshark.exe > kubeshark.exe.sha256
+
 build-all: ## Build for all supported platforms.
+	export CGO_ENABLED=0
 	echo "Compiling for every OS and Platform" && \
 	mkdir -p bin && sed s/_VER_/$(VER)/g RELEASE.md.TEMPLATE >  bin/README.md && \
 	$(MAKE) build GOOS=linux GOARCH=amd64 && \
 	$(MAKE) build GOOS=linux GOARCH=arm64 && \
 	$(MAKE) build GOOS=darwin GOARCH=amd64 && \
 	$(MAKE) build GOOS=darwin GOARCH=arm64 && \
-	$(MAKE) build GOOS=windows GOARCH=amd64 && \
-	mv ./bin/kubeshark_windows_amd64 ./bin/kubeshark.exe && \
+	$(MAKE) build-windows-amd64 && \
 	echo "---------" && \
 	find ./bin -ls

@@ -51,5 +74,210 @@ clean: ## Clean all build artifacts.
 test: ## Run cli tests.
 	@go test ./... -coverpkg=./... -race -coverprofile=coverage.out -covermode=atomic

+test-integration: ## Run integration tests (requires Kubernetes cluster).
+	@echo "Running integration tests..."
+	@LOG_FILE=$$(mktemp /tmp/integration-test.XXXXXX.log); \
+	go test -tags=integration -timeout $${INTEGRATION_TIMEOUT:-5m} -v ./integration/... 2>&1 | tee $$LOG_FILE; \
+	status=$$?; \
+	echo ""; \
+	echo "========================================"; \
+	echo "         INTEGRATION TEST SUMMARY"; \
+	echo "========================================"; \
+	grep -E "^(--- PASS|--- FAIL|--- SKIP)" $$LOG_FILE || true; \
+	echo "----------------------------------------"; \
+	pass=$$(grep -c "^--- PASS" $$LOG_FILE 2>/dev/null || true); \
+	fail=$$(grep -c "^--- FAIL" $$LOG_FILE 2>/dev/null || true); \
+	skip=$$(grep -c "^--- SKIP" $$LOG_FILE 2>/dev/null || true); \
+	echo "PASSED:  $${pass:-0}"; \
+	echo "FAILED:  $${fail:-0}"; \
+	echo "SKIPPED: $${skip:-0}"; \
+	echo "========================================"; \
+	rm -f $$LOG_FILE; \
+	exit $$status
+
+test-integration-mcp: ## Run only MCP integration tests.
+	@echo "Running MCP integration tests..."
+	@LOG_FILE=$$(mktemp /tmp/integration-test.XXXXXX.log); \
+	go test -tags=integration -timeout $${INTEGRATION_TIMEOUT:-5m} -v ./integration/ -run "MCP" 2>&1 | tee $$LOG_FILE; \
+	status=$$?; \
+	echo ""; \
+	echo "========================================"; \
+	echo "         INTEGRATION TEST SUMMARY"; \
+	echo "========================================"; \
+	grep -E "^(--- PASS|--- FAIL|--- SKIP)" $$LOG_FILE || true; \
+	echo "----------------------------------------"; \
+	pass=$$(grep -c "^--- PASS" $$LOG_FILE 2>/dev/null || true); \
+	fail=$$(grep -c "^--- FAIL" $$LOG_FILE 2>/dev/null || true); \
+	skip=$$(grep -c "^--- SKIP" $$LOG_FILE 2>/dev/null || true); \
+	echo "PASSED:  $${pass:-0}"; \
+	echo "FAILED:  $${fail:-0}"; \
+	echo "SKIPPED: $${skip:-0}"; \
+	echo "========================================"; \
+	rm -f $$LOG_FILE; \
+	exit $$status
+
+test-integration-short: ## Run quick integration tests (skips long-running tests).
+	@echo "Running quick integration tests..."
+	@LOG_FILE=$$(mktemp /tmp/integration-test.XXXXXX.log); \
+	go test -tags=integration -timeout $${INTEGRATION_TIMEOUT:-2m} -short -v ./integration/... 2>&1 | tee $$LOG_FILE; \
+	status=$$?; \
+	echo ""; \
+	echo "========================================"; \
+	echo "         INTEGRATION TEST SUMMARY"; \
+	echo "========================================"; \
+	grep -E "^(--- PASS|--- FAIL|--- SKIP)" $$LOG_FILE || true; \
+	echo "----------------------------------------"; \
+	pass=$$(grep -c "^--- PASS" $$LOG_FILE 2>/dev/null || true); \
+	fail=$$(grep -c "^--- FAIL" $$LOG_FILE 2>/dev/null || true); \
+	skip=$$(grep -c "^--- SKIP" $$LOG_FILE 2>/dev/null || true); \
+	echo "PASSED:  $${pass:-0}"; \
+	echo "FAILED:  $${fail:-0}"; \
+	echo "SKIPPED: $${skip:-0}"; \
+	echo "========================================"; \
+	rm -f $$LOG_FILE; \
+	exit $$status
+
 lint: ## Lint the source code.
 	golangci-lint run
+
+kubectl-view-all-resources: ## This command outputs all Kubernetes resources using YAML format and pipes it to VS Code
+	./kubectl.sh view-all-resources
+
+kubectl-view-kubeshark-resources: ## This command outputs all Kubernetes resources in "kubeshark" namespace using YAML format and pipes it to VS Code
+	./kubectl.sh view-kubeshark-resources
+
+generate-helm-values: ## Generate the Helm values from config.yaml
+# 	[ -f ~/.kubeshark/config.yaml ] && mv ~/.kubeshark/config.yaml ~/.kubeshark/config.yaml.old
+	bin/kubeshark__ config>helm-chart/values.yaml
+# 	[ -f ~/.kubeshark/config.yaml.old ] && mv ~/.kubeshark/config.yaml.old ~/.kubeshark/config.yaml
+# 	sed -i 's/^license:.*/license: ""/' helm-chart/values.yaml && sed -i '1i # find a detailed description here: https://github.com/kubeshark/kubeshark/blob/master/helm-chart/README.md' helm-chart/values.yaml 
+
+generate-manifests: ## Generate the manifests from the Helm chart using default configuration
+	helm template kubeshark -n default ./helm-chart > ./manifests/complete.yaml
+
+logs-sniffer:
+	export LOGS_POD_PREFIX=kubeshark-worker-
+	export LOGS_CONTAINER='-c sniffer'
+	export LOGS_FOLLOW=
+	${MAKE} logs
+
+logs-sniffer-follow:
+	export LOGS_POD_PREFIX=kubeshark-worker-
+	export LOGS_CONTAINER='-c sniffer'
+	export LOGS_FOLLOW=--follow
+	${MAKE} logs
+
+logs-tracer:
+	export LOGS_POD_PREFIX=kubeshark-worker-
+	export LOGS_CONTAINER='-c tracer'
+	export LOGS_FOLLOW=
+	${MAKE} logs
+
+logs-tracer-follow:
+	export LOGS_POD_PREFIX=kubeshark-worker-
+	export LOGS_CONTAINER='-c tracer'
+	export LOGS_FOLLOW=--follow
+	${MAKE} logs
+
+logs-worker: logs-sniffer
+
+logs-worker-follow: logs-sniffer-follow
+
+logs-hub:
+	export LOGS_POD_PREFIX=kubeshark-hub
+	export LOGS_FOLLOW=
+	${MAKE} logs
+
+logs-hub-follow:
+	export LOGS_POD_PREFIX=kubeshark-hub
+	export LOGS_FOLLOW=--follow
+	${MAKE} logs
+
+logs-front:
+	export LOGS_POD_PREFIX=kubeshark-front
+	export LOGS_FOLLOW=
+	${MAKE} logs
+
+logs-front-follow:
+	export LOGS_POD_PREFIX=kubeshark-front
+	export LOGS_FOLLOW=--follow
+	${MAKE} logs
+
+logs:
+	kubectl logs $$(kubectl get pods | awk '$$1 ~ /^$(LOGS_POD_PREFIX)/' | awk 'END {print $$1}') $(LOGS_CONTAINER) $(LOGS_FOLLOW)
+
+ssh-node:
+	kubectl ssh node $$(kubectl get nodes | awk 'END {print $$1}')
+
+exec-worker:
+	export EXEC_POD_PREFIX=kubeshark-worker-
+	${MAKE} exec
+
+exec-hub:
+	export EXEC_POD_PREFIX=kubeshark-hub
+	${MAKE} exec
+
+exec-front:
+	export EXEC_POD_PREFIX=kubeshark-front
+	${MAKE} exec
+
+exec:
+	kubectl exec --stdin --tty $$(kubectl get pods | awk '$$1 ~ /^$(EXEC_POD_PREFIX)/' | awk 'END {print $$1}') -- /bin/sh
+
+helm-install:
+	cd helm-chart && helm install kubeshark . --set tap.docker.tag=$(TAG) && cd ..
+
+helm-install-debug:
+	cd helm-chart && helm install kubeshark . --set tap.docker.tag=$(TAG) --set tap.debug=true && cd ..
+
+helm-install-profile:
+	cd helm-chart && helm install kubeshark . --set tap.docker.tag=$(TAG) --set tap.pprof.enabled=true && cd ..
+
+helm-uninstall:
+	helm uninstall kubeshark
+
+proxy:
+	kubeshark proxy
+
+port-forward:
+	kubectl port-forward $$(kubectl get pods | awk '$$1 ~ /^$(POD_PREFIX)/' | awk 'END {print $$1}') $(SRC_PORT):$(DST_PORT)
+
+release:
+	@cd ../worker && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
+	@cd ../tracer && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
+	@cd ../hub && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
+	@cd ../front && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
+	@cd ../kubeshark && git checkout master && git pull && sed -i "s/^version:.*/version: \"$(shell echo $(VERSION) | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+)\..*/\1/')\"/" helm-chart/Chart.yaml && make
+	@if [ "$(shell uname)" = "Darwin" ]; then \
+		codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/kubeshark__; \
+	fi
+	@make generate-helm-values && make generate-manifests
+	@git add -A . && git commit -m ":bookmark: Bump the Helm chart version to $(VERSION)" && git push
+	@git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
+	@rm -rf ../kubeshark.github.io/charts/chart && mkdir ../kubeshark.github.io/charts/chart && cp -r helm-chart/ ../kubeshark.github.io/charts/chart/
+	@cd ../kubeshark.github.io/ && git add -A . && git commit -m ":sparkles: Update the Helm chart" && git push
+	@cd ../kubeshark
+
+release-dry-run:
+	@cd ../worker && git checkout master && git pull 
+	@cd ../tracer && git checkout master && git pull 
+	@cd ../hub && git checkout master && git pull
+	@cd ../front && git checkout master && git pull 
+	@cd ../kubeshark && sed -i "s/^version:.*/version: \"$(shell echo $(VERSION) | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+)\..*/\1/')\"/" helm-chart/Chart.yaml && make
+	@if [ "$(shell uname)" = "Darwin" ]; then \
+		codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/kubeshark__; \
+	fi
+	@make generate-helm-values && make generate-manifests
+	@rm -rf ../kubeshark.github.io/charts/chart && mkdir ../kubeshark.github.io/charts/chart && cp -r helm-chart/ ../kubeshark.github.io/charts/chart/
+	@cd ../kubeshark.github.io/
+	@cd ../kubeshark
+
+branch:
+	@cd ../worker && git checkout master && git pull && git checkout -b $(name); git push --set-upstream origin $(name)
+	@cd ../hub && git checkout master && git pull && git checkout -b $(name); git push --set-upstream origin $(name)
+	@cd ../front && git checkout master && git pull && git checkout -b $(name); git push --set-upstream origin $(name)
+
+switch-to-branch:
+	@cd ../worker && git checkout $(name)
+	@cd ../hub && git checkout $(name)
+	@cd ../front && git checkout $(name)
--- a/README.md
+++ b/README.md
@@ -1,84 +1,132 @@
 <p align="center">
-  <img src="https://raw.githubusercontent.com/kubeshark/assets/master/svg/kubeshark-logo.svg" alt="Kubeshark: Traffic viewer for Kubernetes." height="128px"/>
+  <img src="https://raw.githubusercontent.com/kubeshark/assets/master/svg/kubeshark-logo.svg" alt="Kubeshark" height="120px"/>
 </p>

 <p align="center">
-    <a href="https://github.com/kubeshark/kubeshark/blob/main/LICENSE">
-        <img alt="GitHub License" src="https://img.shields.io/github/license/kubeshark/kubeshark?logo=GitHub&style=flat-square">
-    </a>
-    <a href="https://github.com/kubeshark/kubeshark/releases/latest">
-        <img alt="GitHub Latest Release" src="https://img.shields.io/github/v/release/kubeshark/kubeshark?logo=GitHub&style=flat-square">
-    </a>
-    <a href="https://hub.docker.com/r/kubeshark/kubeshark">
-      <img alt="Docker pulls" src="https://img.shields.io/docker/pulls/kubeshark/kubeshark?color=%23099cec&logo=Docker&style=flat-square">
-    </a>
-    <a href="https://hub.docker.com/r/kubeshark/kubeshark">
-      <img alt="Image size" src="https://img.shields.io/docker/image-size/kubeshark/kubeshark/latest?logo=Docker&style=flat-square">
-    </a>
-		<a href="https://discord.gg/WkvRGMUcx7">
-      <img alt="Discord" src="https://img.shields.io/discord/1042559155224973352?logo=Discord&style=flat-square&label=discord">
-    </a>
-    <a href="https://join.slack.com/t/kubeshark/shared_invite/zt-1m90td3n7-VHxN_~V5kVp80SfQW3SfpA">
-      <img alt="Slack" src="https://img.shields.io/badge/slack-join_chat-green?logo=Slack&style=flat-square&label=slack">
-    </a>
+    <a href="https://github.com/kubeshark/kubeshark/releases/latest"><img alt="Release" src="https://img.shields.io/github/v/release/kubeshark/kubeshark?logo=GitHub&style=flat-square"></a>
+    <a href="https://hub.docker.com/r/kubeshark/worker"><img alt="Docker pulls" src="https://img.shields.io/docker/pulls/kubeshark/worker?color=%23099cec&logo=Docker&style=flat-square"></a>
+    <a href="https://discord.gg/WkvRGMUcx7"><img alt="Discord" src="https://img.shields.io/discord/1042559155224973352?logo=Discord&style=flat-square&label=discord"></a>
+    <a href="https://join.slack.com/t/kubeshark/shared_invite/zt-3jdcdgxdv-1qNkhBh9c6CFoE7bSPkpBQ"><img alt="Slack" src="https://img.shields.io/badge/slack-join_chat-green?logo=Slack&style=flat-square"></a>
 </p>

+<p align="center"><b>Network Intelligence for Kubernetes</b></p>
+
 <p align="center">
-  <b>
-    <a href="https://github.com/kubeshark/kubeshark/releases/latest">V38.2</a> is out with <a href="https://docs.kubeshark.co/en/pcap_export_import">PCAP</a> export, <a href="https://docs.kubeshark.co/en/dns">DNS</a>, <a href="https://docs.kubeshark.co/en/service_map">Identity-aware Service Map</a> and so much more. Read about it <a href="https://kubeshark.co/pcap-or-it-didnt-happen">here</a>.
-  </b>
+  <a href="https://demo.kubeshark.com/">Live Demo</a> · <a href="https://docs.kubeshark.com">Docs</a>
 </p>

-**Kubeshark** is an API Traffic Viewer for [**Kubernetes**](https://kubernetes.io/) providing real-time, protocol-aware visibility into Kubernetes’ internal network, capturing, dissecting and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters.
+---

-![Simple UI](https://github.com/kubeshark/assets/raw/master/png/kubeshark-ui.png)
+* **Cluster-wide, real-time visibility into every packet, API call, and service interaction.** 
+* Replay any moment in time. 
+* Resolve incidents at the speed of LLMs. 100% on-premises.

-Think [TCPDump](https://en.wikipedia.org/wiki/Tcpdump) and [Wireshark](https://www.wireshark.org/) re-invented for Kubernetes
+![Kubeshark](https://github.com/kubeshark/assets/raw/master/png/stream.png)

-## Getting Started
+---

-Download **Kubeshark**'s binary distribution [latest release](https://github.com/kubeshark/kubeshark/releases/latest) and run following one of these examples:
+## Get Started

-```shell
-kubeshark tap
+```bash
+helm repo add kubeshark https://helm.kubeshark.com
+helm install kubeshark kubeshark/kubeshark
 ```

-```shell
-kubeshark tap -A
-```
+Dashboard opens automatically. You're capturing traffic.

-```shell
-kubeshark tap -n sock-shop "(catalo*|front-end*)"
-```
+**With AI** — connect your assistant and debug with natural language:

-Running any of the :point_up: above commands will open the [Web UI](https://docs.kubeshark.co/en/ui) in your browser which streams the traffic in your Kubernetes cluster in real-time.
-
-### Homebrew
-
-[Homebrew](https://brew.sh/) :beer: users can add Kubeshark formulae with:
-
-```shell
-brew tap kubeshark/kubeshark
-```
-
-and install Kubeshark CLI with:
-
-```shell
+```bash
 brew install kubeshark
+claude mcp add kubeshark -- kubeshark mcp
 ```

-## Building From Source
+> *"Why did checkout fail at 2:15 PM?"*
+> *"Which services have error rates above 1%?"*

-Clone this repository and run `make` command to build it. After the build is complete, the executable can be found at `./bin/kubeshark__`.
+[MCP setup guide →](https://docs.kubeshark.com/en/mcp)

-## Documentation
+---

-To learn more, read the [documentation](https://docs.kubeshark.co).
+## Why Kubeshark
+
+- **Instant root cause** — trace requests across services, see exact errors
+- **Zero instrumentation** — no code changes, no SDKs, just deploy
+- **Full payload capture** — request/response bodies, headers, timing
+- **TLS decryption** — see encrypted traffic without managing keys
+- **AI-ready** — query traffic with natural language via MCP
+
+---
+
+### Traffic Analysis and API Dissection
+
+Capture and inspect every API call across your cluster—HTTP, gRPC, Redis, Kafka, DNS, and more. Request/response matching with full payloads, parsed according to protocol specifications. Headers, timing, and complete context. Zero instrumentation required.
+
+![API context](https://github.com/kubeshark/assets/raw/master/png/api_context.png)
+
+[Learn more →](https://docs.kubeshark.com/en/v2/l7_api_dissection)
+
+### L4/L7 Workload Map
+
+Visualize how your services communicate. See dependencies, traffic flow, and identify anomalies at a glance.
+
+![Service Map](https://github.com/kubeshark/assets/raw/master/png/servicemap.png)
+
+[Learn more →](https://docs.kubeshark.com/en/v2/service_map)
+
+### AI-Powered Root Cause Analysis
+
+Resolve production issues in minutes instead of hours. Connect your AI assistant and investigate incidents using natural language. Build network-aware AI agents for forensics, monitoring, compliance, and security.
+
+> *"Why did checkout fail at 2:15 PM?"*
+> *"Which services have error rates above 1%?"*
+> *"Trace request abc123 through all services"*
+
+Works with Claude Code, Cursor, and any MCP-compatible AI.
+
+[MCP setup guide →](https://docs.kubeshark.com/en/mcp)
+
+### Traffic Retention
+
+Retain every packet. Take snapshots. Export PCAP files. Replay any moment in time.
+
+![Traffic Retention](https://github.com/kubeshark/assets/raw/master/png/snapshots.png)
+
+[Snapshots guide →](https://docs.kubeshark.com/en/v2/traffic_snapshots)
+
+---
+
+## Features
+
+| Feature | Description |
+|---------|-------------|
+| [**Raw Capture**](https://docs.kubeshark.com/en/v2/raw_capture) | Continuous cluster-wide packet capture with minimal overhead |
+| [**Traffic Snapshots**](https://docs.kubeshark.com/en/v2/traffic_snapshots) | Point-in-time snapshots, export as PCAP for Wireshark |
+| [**L7 API Dissection**](https://docs.kubeshark.com/en/v2/l7_api_dissection) | Request/response matching with full payloads and protocol parsing |
+| [**Protocol Support**](https://docs.kubeshark.com/en/protocols) | HTTP, gRPC, GraphQL, Redis, Kafka, DNS, and more |
+| [**TLS Decryption**](https://docs.kubeshark.com/en/encrypted_traffic) | eBPF-based decryption without key management |
+| [**AI-Powered Analysis**](https://docs.kubeshark.com/en/v2/ai_powered_analysis) | Query traffic with Claude, Cursor, or any MCP-compatible AI |
+| [**Display Filters**](https://docs.kubeshark.com/en/v2/kfl2) | Wireshark-inspired display filters for precise traffic analysis |
+| [**100% On-Premises**](https://docs.kubeshark.com/en/air_gapped) | Air-gapped support, no external dependencies |
+
+---
+
+## Install
+
+| Method | Command |
+|--------|---------|
+| Helm | `helm repo add kubeshark https://helm.kubeshark.com && helm install kubeshark kubeshark/kubeshark` |
+| Homebrew | `brew install kubeshark && kubeshark tap` |
+| Binary | [Download](https://github.com/kubeshark/kubeshark/releases/latest) |
+
+[Installation guide →](https://docs.kubeshark.com/en/install)
+
+---

 ## Contributing

-We :heart: pull requests! See [CONTRIBUTING.md](CONTRIBUTING.md) for the contribution guide.
+We welcome contributions. See [CONTRIBUTING.md](CONTRIBUTING.md).

-## Code of Conduct
+## License

-This project is for everyone. We ask that our users and contributors take a few minutes to review our [Code of Conduct](CODE_OF_CONDUCT.md).
+[Apache-2.0](LICENSE)
--- a/RELEASE.md.TEMPLATE
+++ b/RELEASE.md.TEMPLATE
@@ -1,5 +1,5 @@
 # Kubeshark release _VER_
-Kubeshark CHANGELOG is now part of [Kubeshark wiki](https://github.com/kubeshark/kubeshark/wiki/CHANGELOG)
+Release notes coming soon ..

 ## Download Kubeshark for your platform

@@ -10,7 +10,7 @@ curl -Lo kubeshark https://github.com/kubeshark/kubeshark/releases/download/_VER

 **Mac** (AArch64/Apple M1 silicon)
 ```
-rm -f kubeshark && curl -Lo kubeshark https://github.com/kubeshark/kubeshark/releases/download/_VER_/kubeshark_darwin_arm64 && chmod 755 kubeshark
+curl -Lo kubeshark https://github.com/kubeshark/kubeshark/releases/download/_VER_/kubeshark_darwin_arm64 && chmod 755 kubeshark
 ```

 **Linux** (x86-64)
--- a/cmd/check.go
+++ b/cmd/check.go
@@ -1,21 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-
-	"github.com/kubeshark/kubeshark/misc"
-	"github.com/spf13/cobra"
-)
-
-var checkCmd = &cobra.Command{
-	Use:   "check",
-	Short: fmt.Sprintf("Check the %s resources for potential problems", misc.Software),
-	RunE: func(cmd *cobra.Command, args []string) error {
-		runCheck()
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(checkCmd)
-}
--- a/cmd/check/kubernetesApi.go
+++ b/cmd/check/kubernetesApi.go
@@ -1,28 +0,0 @@
-package check
-
-import (
-	"github.com/kubeshark/kubeshark/config"
-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/kubeshark/kubeshark/semver"
-	"github.com/rs/zerolog/log"
-)
-
-func KubernetesApi() (*kubernetes.Provider, *semver.SemVersion, bool) {
-	log.Info().Str("procedure", "kubernetes-api").Msg("Checking:")
-
-	kubernetesProvider, err := kubernetes.NewProvider(config.Config.KubeConfigPath(), config.Config.Kube.Context)
-	if err != nil {
-		log.Error().Err(err).Msg("Can't initialize the client!")
-		return nil, nil, false
-	}
-	log.Info().Msg("Initialization of the client is passed.")
-
-	kubernetesVersion, err := kubernetesProvider.GetKubernetesVersion()
-	if err != nil {
-		log.Error().Err(err).Msg("Can't query the Kubernetes API!")
-		return nil, nil, false
-	}
-	log.Info().Msg("Querying the Kubernetes API is passed.")
-
-	return kubernetesProvider, kubernetesVersion, true
-}
--- a/cmd/check/kubernetesPermissions.go
+++ b/cmd/check/kubernetesPermissions.go
@@ -1,91 +0,0 @@
-package check
-
-import (
-	"context"
-	"embed"
-	"fmt"
-
-	"github.com/kubeshark/kubeshark/config"
-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/rs/zerolog/log"
-	rbac "k8s.io/api/rbac/v1"
-	"k8s.io/client-go/kubernetes/scheme"
-)
-
-func KubernetesPermissions(ctx context.Context, embedFS embed.FS, kubernetesProvider *kubernetes.Provider) bool {
-	log.Info().Str("procedure", "kubernetes-permissions").Msg("Checking:")
-
-	var filePath string
-	if config.Config.IsNsRestrictedMode() {
-		filePath = "permissionFiles/permissions-ns-tap.yaml"
-	} else {
-		filePath = "permissionFiles/permissions-all-namespaces-tap.yaml"
-	}
-
-	data, err := embedFS.ReadFile(filePath)
-	if err != nil {
-		log.Error().Err(err).Msg("While checking Kubernetes permissions!")
-		return false
-	}
-
-	decode := scheme.Codecs.UniversalDeserializer().Decode
-	obj, _, err := decode(data, nil, nil)
-	if err != nil {
-		log.Error().Err(err).Msg("While checking Kubernetes permissions!")
-		return false
-	}
-
-	switch resource := obj.(type) {
-	case *rbac.Role:
-		return checkRulesPermissions(ctx, kubernetesProvider, resource.Rules, config.Config.SelfNamespace)
-	case *rbac.ClusterRole:
-		return checkRulesPermissions(ctx, kubernetesProvider, resource.Rules, "")
-	}
-
-	log.Error().Msg("While checking Kubernetes permissions! Resource of types 'Role' or 'ClusterRole' are not found in permission files.")
-	return false
-}
-
-func checkRulesPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider, rules []rbac.PolicyRule, namespace string) bool {
-	permissionsExist := true
-
-	for _, rule := range rules {
-		for _, group := range rule.APIGroups {
-			for _, resource := range rule.Resources {
-				for _, verb := range rule.Verbs {
-					exist, err := kubernetesProvider.CanI(ctx, namespace, resource, verb, group)
-					permissionsExist = checkPermissionExist(group, resource, verb, namespace, exist, err) && permissionsExist
-				}
-			}
-		}
-	}
-
-	return permissionsExist
-}
-
-func checkPermissionExist(group string, resource string, verb string, namespace string, exist bool, err error) bool {
-	var groupAndNamespace string
-	if group != "" && namespace != "" {
-		groupAndNamespace = fmt.Sprintf("in api group '%v' and namespace '%v'", group, namespace)
-	} else if group != "" {
-		groupAndNamespace = fmt.Sprintf("in api group '%v'", group)
-	} else if namespace != "" {
-		groupAndNamespace = fmt.Sprintf("in namespace '%v'", namespace)
-	}
-
-	if err != nil {
-		log.Error().
-			Str("verb", verb).
-			Str("resource", resource).
-			Str("group-and-namespace", groupAndNamespace).
-			Err(err).
-			Msg("While checking Kubernetes permissions!")
-		return false
-	} else if !exist {
-		log.Error().Msg(fmt.Sprintf("Can't %v %v %v", verb, resource, groupAndNamespace))
-		return false
-	}
-
-	log.Info().Msg(fmt.Sprintf("Can %v %v %v", verb, resource, groupAndNamespace))
-	return true
-}
--- a/cmd/check/kubernetesResources.go
+++ b/cmd/check/kubernetesResources.go
@@ -1,118 +0,0 @@
-package check
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/kubeshark/kubeshark/config"
-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/rs/zerolog/log"
-)
-
-func KubernetesResources(ctx context.Context, kubernetesProvider *kubernetes.Provider) bool {
-	log.Info().Str("procedure", "k8s-components").Msg("Checking:")
-
-	exist, err := kubernetesProvider.DoesNamespaceExist(ctx, config.Config.SelfNamespace)
-	allResourcesExist := checkResourceExist(config.Config.SelfNamespace, "namespace", exist, err)
-
-	exist, err = kubernetesProvider.DoesServiceAccountExist(ctx, config.Config.SelfNamespace, kubernetes.ServiceAccountName)
-	allResourcesExist = checkResourceExist(kubernetes.ServiceAccountName, "service account", exist, err) && allResourcesExist
-
-	if config.Config.IsNsRestrictedMode() {
-		exist, err = kubernetesProvider.DoesRoleExist(ctx, config.Config.SelfNamespace, kubernetes.RoleName)
-		allResourcesExist = checkResourceExist(kubernetes.RoleName, "role", exist, err) && allResourcesExist
-
-		exist, err = kubernetesProvider.DoesRoleBindingExist(ctx, config.Config.SelfNamespace, kubernetes.RoleBindingName)
-		allResourcesExist = checkResourceExist(kubernetes.RoleBindingName, "role binding", exist, err) && allResourcesExist
-	} else {
-		exist, err = kubernetesProvider.DoesClusterRoleExist(ctx, kubernetes.ClusterRoleName)
-		allResourcesExist = checkResourceExist(kubernetes.ClusterRoleName, "cluster role", exist, err) && allResourcesExist
-
-		exist, err = kubernetesProvider.DoesClusterRoleBindingExist(ctx, kubernetes.ClusterRoleBindingName)
-		allResourcesExist = checkResourceExist(kubernetes.ClusterRoleBindingName, "cluster role binding", exist, err) && allResourcesExist
-	}
-
-	exist, err = kubernetesProvider.DoesServiceExist(ctx, config.Config.SelfNamespace, kubernetes.HubServiceName)
-	allResourcesExist = checkResourceExist(kubernetes.HubServiceName, "service", exist, err) && allResourcesExist
-
-	allResourcesExist = checkPodResourcesExist(ctx, kubernetesProvider) && allResourcesExist
-
-	return allResourcesExist
-}
-
-func checkPodResourcesExist(ctx context.Context, kubernetesProvider *kubernetes.Provider) bool {
-	if pods, err := kubernetesProvider.ListPodsByAppLabel(ctx, config.Config.SelfNamespace, kubernetes.HubPodName); err != nil {
-		log.Error().
-			Str("name", kubernetes.HubPodName).
-			Err(err).
-			Msg("While checking if pod is running!")
-		return false
-	} else if len(pods) == 0 {
-		log.Error().
-			Str("name", kubernetes.HubPodName).
-			Msg("Pod doesn't exist!")
-		return false
-	} else if !kubernetes.IsPodRunning(&pods[0]) {
-		log.Error().
-			Str("name", kubernetes.HubPodName).
-			Msg("Pod is not running!")
-		return false
-	}
-
-	log.Info().
-		Str("name", kubernetes.HubPodName).
-		Msg("Pod is running.")
-
-	if pods, err := kubernetesProvider.ListPodsByAppLabel(ctx, config.Config.SelfNamespace, kubernetes.WorkerPodName); err != nil {
-		log.Error().
-			Str("name", kubernetes.WorkerPodName).
-			Err(err).
-			Msg("While checking if pods are running!")
-		return false
-	} else {
-		workers := 0
-		notRunningWorkers := 0
-
-		for _, pod := range pods {
-			workers += 1
-			if !kubernetes.IsPodRunning(&pod) {
-				notRunningWorkers += 1
-			}
-		}
-
-		if notRunningWorkers > 0 {
-			log.Error().
-				Str("name", kubernetes.WorkerPodName).
-				Msg(fmt.Sprintf("%d/%d pods are not running!", notRunningWorkers, workers))
-			return false
-		}
-
-		log.Info().
-			Str("name", kubernetes.WorkerPodName).
-			Msg(fmt.Sprintf("All %d pods are running.", workers))
-		return true
-	}
-}
-
-func checkResourceExist(resourceName string, resourceType string, exist bool, err error) bool {
-	if err != nil {
-		log.Error().
-			Str("name", resourceName).
-			Str("type", resourceType).
-			Err(err).
-			Msg("Checking if resource exists!")
-		return false
-	} else if !exist {
-		log.Error().
-			Str("name", resourceName).
-			Str("type", resourceType).
-			Msg("Resource doesn't exist!")
-		return false
-	}
-
-	log.Info().
-		Str("name", resourceName).
-		Str("type", resourceType).
-		Msg("Resource exist.")
-	return true
-}
--- a/cmd/check/kubernetesVersion.go
+++ b/cmd/check/kubernetesVersion.go
@@ -1,22 +0,0 @@
-package check
-
-import (
-	"fmt"
-
-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/kubeshark/kubeshark/semver"
-	"github.com/kubeshark/kubeshark/utils"
-	"github.com/rs/zerolog/log"
-)
-
-func KubernetesVersion(kubernetesVersion *semver.SemVersion) bool {
-	log.Info().Str("procedure", "kubernetes-version").Msg("Checking:")
-
-	if err := kubernetes.ValidateKubernetesVersion(kubernetesVersion); err != nil {
-		log.Error().Str("k8s-version", string(*kubernetesVersion)).Err(err).Msg(fmt.Sprintf(utils.Red, "The cluster does not have the minimum required Kubernetes API version!"))
-		return false
-	}
-
-	log.Info().Str("k8s-version", string(*kubernetesVersion)).Msg("Minimum required Kubernetes API version is passed.")
-	return true
-}
--- a/cmd/check/serverConnection.go
+++ b/cmd/check/serverConnection.go
@@ -1,40 +0,0 @@
-package check
-
-import (
-	"github.com/kubeshark/kubeshark/config"
-	"github.com/kubeshark/kubeshark/internal/connect"
-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/rs/zerolog/log"
-)
-
-func ServerConnection(kubernetesProvider *kubernetes.Provider) bool {
-	log.Info().Str("procedure", "server-connectivity").Msg("Checking:")
-
-	var connectedToHub, connectedToFront bool
-
-	if err := checkProxy(kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Hub.SrcPort), "/echo", kubernetesProvider); err != nil {
-		log.Error().Err(err).Msg("Couldn't connect to Hub using proxy!")
-	} else {
-		connectedToHub = true
-		log.Info().Msg("Connected successfully to Hub using proxy.")
-	}
-
-	if err := checkProxy(kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Front.SrcPort), "", kubernetesProvider); err != nil {
-		log.Error().Err(err).Msg("Couldn't connect to Front using proxy!")
-	} else {
-		connectedToFront = true
-		log.Info().Msg("Connected successfully to Front using proxy.")
-	}
-
-	return connectedToHub && connectedToFront
-}
-
-func checkProxy(serverUrl string, path string, kubernetesProvider *kubernetes.Provider) error {
-	log.Info().Str("url", serverUrl).Msg("Connecting:")
-	connector := connect.NewConnector(serverUrl, connect.DefaultRetries, connect.DefaultTimeout)
-	if err := connector.TestConnection(path); err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/cmd/checkRunner.go
+++ b/cmd/checkRunner.go
@@ -1,53 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"embed"
-	"fmt"
-	"os"
-
-	"github.com/kubeshark/kubeshark/cmd/check"
-	"github.com/kubeshark/kubeshark/misc"
-	"github.com/kubeshark/kubeshark/utils"
-	"github.com/rs/zerolog/log"
-)
-
-var (
-	//go:embed permissionFiles
-	embedFS embed.FS
-)
-
-func runCheck() {
-	log.Info().Msg(fmt.Sprintf("Checking the %s resources...", misc.Software))
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel() // cancel will be called when this function exits
-
-	kubernetesProvider, kubernetesVersion, checkPassed := check.KubernetesApi()
-
-	if checkPassed {
-		checkPassed = check.KubernetesVersion(kubernetesVersion)
-	}
-
-	if checkPassed {
-		checkPassed = check.KubernetesPermissions(ctx, embedFS, kubernetesProvider)
-	}
-
-	if checkPassed {
-		checkPassed = check.KubernetesResources(ctx, kubernetesProvider)
-	}
-
-	if checkPassed {
-		checkPassed = check.ServerConnection(kubernetesProvider)
-	}
-
-	if checkPassed {
-		log.Info().Msg(fmt.Sprintf(utils.Green, "All checks are passed."))
-	} else {
-		log.Error().
-			Str("command1", fmt.Sprintf("%s %s", misc.Program, cleanCmd.Use)).
-			Str("command2", fmt.Sprintf("%s %s", misc.Program, tapCmd.Use)).
-			Msg(fmt.Sprintf(utils.Red, fmt.Sprintf("There are issues in your %s resources! Run these commands:", misc.Software)))
-		os.Exit(1)
-	}
-}
--- a/cmd/clean.go
+++ b/cmd/clean.go
@@ -3,7 +3,12 @@ package cmd
 import (
 	"fmt"

+	"github.com/creasty/defaults"
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/config/configStructs"
+	"github.com/kubeshark/kubeshark/kubernetes/helm"
 	"github.com/kubeshark/kubeshark/misc"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )

@@ -11,11 +16,27 @@ var cleanCmd = &cobra.Command{
 	Use:   "clean",
 	Short: fmt.Sprintf("Removes all %s resources", misc.Software),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		performCleanCommand()
+		resp, err := helm.NewHelm(
+			config.Config.Tap.Release.Repo,
+			config.Config.Tap.Release.Name,
+			config.Config.Tap.Release.Namespace,
+		).Uninstall()
+		if err != nil {
+			log.Error().Err(err).Send()
+		} else {
+			log.Info().Msgf("Uninstalled the Helm release: %s", resp.Release.Name)
+		}
 		return nil
 	},
 }

 func init() {
 	rootCmd.AddCommand(cleanCmd)
+
+	defaultTapConfig := configStructs.TapConfig{}
+	if err := defaults.Set(&defaultTapConfig); err != nil {
+		log.Debug().Err(err).Send()
+	}
+
+	cleanCmd.Flags().StringP(configStructs.ReleaseNamespaceLabel, "s", defaultTapConfig.Release.Namespace, "Release namespace of Kubeshark")
 }
--- a/cmd/cleanRunner.go
+++ b/cmd/cleanRunner.go
@@ -1,14 +0,0 @@
-package cmd
-
-import (
-	"github.com/kubeshark/kubeshark/config"
-)
-
-func performCleanCommand() {
-	kubernetesProvider, err := getKubernetesProviderForCli()
-	if err != nil {
-		return
-	}
-
-	finishSelfExecution(kubernetesProvider, config.Config.IsNsRestrictedMode(), config.Config.SelfNamespace, false)
-}
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -14,20 +14,19 @@ import (
 	"github.com/kubeshark/kubeshark/kubernetes"
 	"github.com/kubeshark/kubeshark/misc"
 	"github.com/kubeshark/kubeshark/misc/fsUtils"
-	"github.com/kubeshark/kubeshark/resources"
 	"github.com/rs/zerolog/log"
 )

 func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, ctx context.Context, serviceName string, podName string, proxyPortLabel string, srcPort uint16, dstPort uint16, healthCheck string) {
-	httpServer, err := kubernetes.StartProxy(kubernetesProvider, config.Config.Tap.Proxy.Host, srcPort, config.Config.SelfNamespace, serviceName)
+	httpServer, err := kubernetes.StartProxy(kubernetesProvider, config.Config.Tap.Proxy.Host, srcPort, config.Config.Tap.Release.Namespace, serviceName)
 	if err != nil {
 		log.Error().
 			Err(errormessage.FormatError(err)).
-			Msg(fmt.Sprintf("Error occured while running K8s proxy. Try setting different port using --%s", proxyPortLabel))
+			Msg(fmt.Sprintf("Error occurred while running K8s proxy. Try setting different port using --%s", proxyPortLabel))
 		return
 	}

-	connector := connect.NewConnector(kubernetes.GetLocalhostOnPort(srcPort), connect.DefaultRetries, connect.DefaultTimeout)
+	connector := connect.NewConnector(kubernetes.GetProxyOnPort(srcPort), connect.DefaultRetries, connect.DefaultTimeout)
 	if err := connector.TestConnection(healthCheck); err != nil {
 		log.Warn().
 			Str("service", serviceName).
@@ -39,15 +38,15 @@ func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, ctx con
 		}

 		podRegex, _ := regexp.Compile(podName)
-		if _, err := kubernetes.NewPortForward(kubernetesProvider, config.Config.SelfNamespace, podRegex, srcPort, dstPort, ctx); err != nil {
+		if _, err := kubernetes.NewPortForward(kubernetesProvider, config.Config.Tap.Release.Namespace, podRegex, srcPort, dstPort, ctx); err != nil {
 			log.Error().
 				Str("pod-regex", podRegex.String()).
 				Err(errormessage.FormatError(err)).
-				Msg(fmt.Sprintf("Error occured while running port forward. Try setting different port using --%s", proxyPortLabel))
+				Msg(fmt.Sprintf("Error occurred while running port forward. Try setting different port using --%s", proxyPortLabel))
 			return
 		}

-		connector = connect.NewConnector(kubernetes.GetLocalhostOnPort(srcPort), connect.DefaultRetries, connect.DefaultTimeout)
+		connector = connect.NewConnector(kubernetes.GetProxyOnPort(srcPort), connect.DefaultRetries, connect.DefaultTimeout)
 		if err := connector.TestConnection(healthCheck); err != nil {
 			log.Error().
 				Str("service", serviceName).
@@ -58,7 +57,7 @@ func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, ctx con
 	}
 }

-func getKubernetesProviderForCli() (*kubernetes.Provider, error) {
+func getKubernetesProviderForCli(silent bool, dontCheckVersion bool) (*kubernetes.Provider, error) {
 	kubeConfigPath := config.Config.KubeConfigPath()
 	kubernetesProvider, err := kubernetes.NewProvider(kubeConfigPath, config.Config.Kube.Context)
 	if err != nil {
@@ -66,22 +65,26 @@ func getKubernetesProviderForCli() (*kubernetes.Provider, error) {
 		return nil, err
 	}

-	log.Info().Str("path", kubeConfigPath).Msg("Using kubeconfig:")
+	if !silent {
+		log.Info().Str("path", kubeConfigPath).Msg("Using kubeconfig:")
+	}

 	if err := kubernetesProvider.ValidateNotProxy(); err != nil {
 		handleKubernetesProviderError(err)
 		return nil, err
 	}

-	kubernetesVersion, err := kubernetesProvider.GetKubernetesVersion()
-	if err != nil {
-		handleKubernetesProviderError(err)
-		return nil, err
-	}
+	if !dontCheckVersion {
+		kubernetesVersion, err := kubernetesProvider.GetKubernetesVersion()
+		if err != nil {
+			handleKubernetesProviderError(err)
+			return nil, err
+		}

-	if err := kubernetes.ValidateKubernetesVersion(kubernetesVersion); err != nil {
-		handleKubernetesProviderError(err)
-		return nil, err
+		if err := kubernetes.ValidateKubernetesVersion(kubernetesVersion); err != nil {
+			handleKubernetesProviderError(err)
+			return nil, err
+		}
 	}

 	return kubernetesProvider, nil
@@ -96,13 +99,10 @@ func handleKubernetesProviderError(err error) {
 	}
 }

-func finishSelfExecution(kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, selfNamespace string, withoutCleanup bool) {
+func finishSelfExecution(kubernetesProvider *kubernetes.Provider) {
 	removalCtx, cancel := context.WithTimeout(context.Background(), cleanupTimeout)
 	defer cancel()
 	dumpLogsIfNeeded(removalCtx, kubernetesProvider)
-	if !withoutCleanup {
-		resources.CleanUpSelfResources(removalCtx, cancel, kubernetesProvider, isNsRestrictedMode, selfNamespace)
-	}
 }

 func dumpLogsIfNeeded(ctx context.Context, kubernetesProvider *kubernetes.Provider) {
@@ -111,7 +111,7 @@ func dumpLogsIfNeeded(ctx context.Context, kubernetesProvider *kubernetes.Provid
 	}
 	dotDir := misc.GetDotFolderPath()
 	filePath := path.Join(dotDir, fmt.Sprintf("%s_logs_%s.zip", misc.Program, time.Now().Format("2006_01_02__15_04_05")))
-	if err := fsUtils.DumpLogs(ctx, kubernetesProvider, filePath); err != nil {
+	if err := fsUtils.DumpLogs(ctx, kubernetesProvider, filePath, config.Config.Logs.Grep); err != nil {
 		log.Error().Err(err).Msg("Failed to dump logs.")
 	}
 }
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -16,27 +16,26 @@ var configCmd = &cobra.Command{
 	Use:   "config",
 	Short: fmt.Sprintf("Generate %s config with default values", misc.Software),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		configWithDefaults, err := config.GetConfigWithDefaults()
-		if err != nil {
-			log.Error().Err(err).Msg("Failed generating config with defaults.")
-			return nil
-		}
-
 		if config.Config.Config.Regenerate {
-			if err := config.WriteConfig(configWithDefaults); err != nil {
+			defaultConfig := config.CreateDefaultConfig()
+			if err := defaults.Set(&defaultConfig); err != nil {
+				log.Error().Err(err).Send()
+				return nil
+			}
+			if err := config.WriteConfig(&defaultConfig); err != nil {
 				log.Error().Err(err).Msg("Failed generating config with defaults.")
 				return nil
 			}

-			log.Info().Str("config-path", config.Config.ConfigFilePath).Msg("Template file written to config path.")
+			log.Info().Str("config-path", config.ConfigFilePath).Msg("Template file written to config path.")
 		} else {
-			template, err := utils.PrettyYaml(configWithDefaults)
+			template, err := utils.PrettyYaml(config.Config)
 			if err != nil {
 				log.Error().Err(err).Msg("Failed converting config with defaults to YAML.")
 				return nil
 			}

-			log.Debug().Str("template", template).Msg("Writing template config...")
+			log.Debug().Str("template", template).Msg("Printing template config...")
 			fmt.Printf("%v", template)
 		}

@@ -52,5 +51,5 @@ func init() {
 		log.Debug().Err(err).Send()
 	}

-	configCmd.Flags().BoolP(configStructs.RegenerateConfigName, "r", defaultConfig.Config.Regenerate, fmt.Sprintf("Regenerate the config file with default values to path %s or to chosen path using --%s", defaultConfig.ConfigFilePath, config.ConfigFilePathCommandName))
+	configCmd.Flags().BoolP(configStructs.RegenerateConfigName, "r", defaultConfig.Config.Regenerate, fmt.Sprintf("Regenerate the config file with default values to path %s", config.GetConfigFilePath(nil)))
 }
--- a/cmd/console.go
+++ b/cmd/console.go
@@ -0,0 +1,156 @@
+package cmd
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"os/signal"
+	"strings"
+	"time"
+
+	"github.com/creasty/defaults"
+	"github.com/gorilla/websocket"
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/config/configStructs"
+	"github.com/kubeshark/kubeshark/kubernetes"
+	"github.com/kubeshark/kubeshark/utils"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+var consoleCmd = &cobra.Command{
+	Use:   "console",
+	Short: "Stream the scripting console logs into shell",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		runConsole()
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(consoleCmd)
+
+	defaultTapConfig := configStructs.TapConfig{}
+	if err := defaults.Set(&defaultTapConfig); err != nil {
+		log.Debug().Err(err).Send()
+	}
+
+	consoleCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.Port, "Provide a custom port for the Kubeshark")
+	consoleCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the Kubeshark")
+	consoleCmd.Flags().StringP(configStructs.ReleaseNamespaceLabel, "s", defaultTapConfig.Release.Namespace, "Release namespace of Kubeshark")
+}
+
+func runConsoleWithoutProxy() {
+	log.Info().Msg("Starting scripting console ...")
+	time.Sleep(5 * time.Second)
+	hubUrl := kubernetes.GetHubUrl()
+	for {
+
+		// Attempt to connect to the Hub every second
+		response, err := http.Get(fmt.Sprintf("%s/echo", hubUrl))
+		if err != nil || response.StatusCode != 200 {
+			log.Info().Msg(fmt.Sprintf(utils.Yellow, "Couldn't connect to Hub."))
+			time.Sleep(5 * time.Second)
+			continue
+		}
+
+		interrupt := make(chan os.Signal, 1)
+		signal.Notify(interrupt, os.Interrupt)
+
+		log.Info().Str("host", config.Config.Tap.Proxy.Host).Str("url", hubUrl).Msg("Connecting to:")
+		u := url.URL{
+			Scheme: "ws",
+			Host:   fmt.Sprintf("%s:%d", config.Config.Tap.Proxy.Host, config.Config.Tap.Proxy.Front.Port),
+			Path:   "/api/scripts/logs",
+		}
+		headers := http.Header{}
+		headers.Set(utils.X_KUBESHARK_CAPTURE_HEADER_KEY, utils.X_KUBESHARK_CAPTURE_HEADER_IGNORE_VALUE)
+		headers.Set("License-Key", config.Config.License)
+
+		c, _, err := websocket.DefaultDialer.Dial(u.String(), headers)
+		if err != nil {
+			log.Error().Err(err).Msg("Websocket dial error, retrying in 5 seconds...")
+			time.Sleep(5 * time.Second) // Delay before retrying
+			continue
+		}
+		defer c.Close()
+
+		done := make(chan struct{})
+
+		go func() {
+			defer close(done)
+			for {
+				_, message, err := c.ReadMessage()
+				if err != nil {
+					log.Error().Err(err).Msg("Error reading websocket message, reconnecting...")
+					break // Break to reconnect
+				}
+
+				msg := string(message)
+				if strings.Contains(msg, ":ERROR]") {
+					msg = fmt.Sprintf(utils.Red, msg)
+					fmt.Fprintln(os.Stderr, msg)
+				} else {
+					fmt.Fprintln(os.Stdout, msg)
+				}
+			}
+		}()
+
+		ticker := time.NewTicker(time.Second)
+		defer ticker.Stop()
+
+		select {
+		case <-done:
+			log.Warn().Msg(fmt.Sprintf(utils.Yellow, "Connection closed, reconnecting..."))
+			time.Sleep(5 * time.Second) // Delay before reconnecting
+			continue                    // Reconnect after error
+		case <-interrupt:
+			err := c.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+			if err != nil {
+				log.Error().Err(err).Send()
+				continue
+			}
+
+			select {
+			case <-done:
+			case <-time.After(time.Second):
+			}
+			return
+		}
+	}
+}
+
+func runConsole() {
+	go runConsoleWithoutProxy()
+
+	// Create interrupt channel and setup signal handling once
+	interrupt := make(chan os.Signal, 1)
+	signal.Notify(interrupt, os.Interrupt)
+	done := make(chan struct{})
+
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-interrupt:
+			// Handle interrupt and exit gracefully
+			log.Warn().Msg(fmt.Sprintf(utils.Yellow, "Received interrupt, exiting..."))
+			select {
+			case <-done:
+			case <-time.After(time.Second):
+			}
+			return
+
+		case <-ticker.C:
+			// Attempt to connect to the Hub every second
+			hubUrl := kubernetes.GetHubUrl()
+			response, err := http.Get(fmt.Sprintf("%s/echo", hubUrl))
+			if err != nil || response.StatusCode != 200 {
+				log.Info().Msg(fmt.Sprintf(utils.Yellow, "Couldn't connect to Hub. Establishing proxy..."))
+				runProxy(false, true)
+			}
+		}
+	}
+}
--- a/cmd/license.go
+++ b/cmd/license.go
@@ -0,0 +1,21 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/spf13/cobra"
+)
+
+var licenseCmd = &cobra.Command{
+	Use:   "license",
+	Short: "Print the license loaded string",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		fmt.Println(config.Config.License)
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(licenseCmd)
+}
--- a/cmd/logs.go
+++ b/cmd/logs.go
@@ -18,7 +18,7 @@ var logsCmd = &cobra.Command{
 	Use:   "logs",
 	Short: "Create a ZIP file with logs for GitHub issues or troubleshooting",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		kubernetesProvider, err := getKubernetesProviderForCli()
+		kubernetesProvider, err := getKubernetesProviderForCli(false, false)
 		if err != nil {
 			return nil
 		}
@@ -30,7 +30,7 @@ var logsCmd = &cobra.Command{

 		log.Debug().Str("logs-path", config.Config.Logs.FilePath()).Msg("Using this logs path...")

-		if dumpLogsErr := fsUtils.DumpLogs(ctx, kubernetesProvider, config.Config.Logs.FilePath()); dumpLogsErr != nil {
+		if dumpLogsErr := fsUtils.DumpLogs(ctx, kubernetesProvider, config.Config.Logs.FilePath(), config.Config.Logs.Grep); dumpLogsErr != nil {
 			log.Error().Err(dumpLogsErr).Msg("Failed to dump logs.")
 		}

@@ -47,4 +47,5 @@ func init() {
 	}

 	logsCmd.Flags().StringP(configStructs.FileLogsName, "f", defaultLogsConfig.FileStr, fmt.Sprintf("Path for zip file (default current <pwd>\\%s_logs.zip)", misc.Program))
+	logsCmd.Flags().StringP(configStructs.GrepLogsName, "g", defaultLogsConfig.Grep, "Regexp to do grepping on the logs")
 }
--- a/cmd/mcp.go
+++ b/cmd/mcp.go
@@ -0,0 +1,125 @@
+package cmd
+
+import (
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/spf13/cobra"
+)
+
+var mcpURL string
+var mcpKubeconfig string
+var mcpListTools bool
+var mcpConfig bool
+var mcpAllowDestructive bool
+
+var mcpCmd = &cobra.Command{
+	Use:   "mcp",
+	Short: "Run MCP (Model Context Protocol) server for AI assistant integration",
+	Long: `Run an MCP server over stdio that exposes Kubeshark's L7 API visibility
+to AI assistants like Claude Desktop.
+
+TOOLS PROVIDED:
+
+Cluster Management (work without Kubeshark running):
+  - check_kubeshark_status: Check if Kubeshark is running in the cluster
+  - start_kubeshark: Start Kubeshark to capture traffic
+  - stop_kubeshark: Stop Kubeshark and clean up resources
+
+Traffic Analysis (require Kubeshark running):
+  - list_workloads: Discover pods, services, namespaces, and nodes with L7 traffic
+  - list_api_calls: Query L7 API transactions (HTTP, gRPC, etc.)
+  - get_api_call: Get detailed information about a specific API call
+  - get_api_stats: Get aggregated API statistics
+
+CONFIGURATION:
+
+To use with Claude Desktop, add to your claude_desktop_config.json
+(typically at ~/Library/Application Support/Claude/claude_desktop_config.json):
+
+  {
+    "mcpServers": {
+      "kubeshark": {
+        "command": "/path/to/kubeshark",
+        "args": ["mcp", "--kubeconfig", "/Users/YOUR_USERNAME/.kube/config"]
+      }
+    }
+  }
+
+DIRECT URL MODE:
+
+If Kubeshark is already running and accessible via URL (e.g., exposed via ingress),
+you can connect directly without needing kubectl/kubeconfig:
+
+  {
+    "mcpServers": {
+      "kubeshark": {
+        "command": "/path/to/kubeshark",
+        "args": ["mcp", "--url", "https://kubeshark.example.com"]
+      }
+    }
+  }
+
+In URL mode, destructive tools (start/stop) are disabled since Kubeshark is
+managed externally. The check_kubeshark_status tool remains available to confirm connectivity.
+
+DESTRUCTIVE OPERATIONS:
+
+By default, destructive operations (start_kubeshark, stop_kubeshark) are disabled
+to prevent accidental cluster modifications. To enable them, use --allow-destructive:
+
+  {
+    "mcpServers": {
+      "kubeshark": {
+        "command": "/path/to/kubeshark",
+        "args": ["mcp", "--allow-destructive", "--kubeconfig", "/path/to/.kube/config"]
+      }
+    }
+  }
+
+CUSTOM SETTINGS:
+
+To use custom settings when starting Kubeshark, use the --set flag:
+
+  {
+    "mcpServers": {
+      "kubeshark": {
+        "command": "/path/to/kubeshark",
+        "args": ["mcp", "--set", "tap.docker.tag=v52.3"],
+        ...
+      }
+    }
+  }
+
+Multiple --set flags can be used for different settings.`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// Handle --mcp-config flag
+		if mcpConfig {
+			printMCPConfig(mcpURL, mcpKubeconfig)
+			return nil
+		}
+
+		// Set kubeconfig path if provided
+		if mcpKubeconfig != "" {
+			config.Config.Kube.ConfigPathStr = mcpKubeconfig
+		}
+
+		// Handle --list-tools flag
+		if mcpListTools {
+			listMCPTools(mcpURL)
+			return nil
+		}
+
+		setFlags, _ := cmd.Flags().GetStringSlice(config.SetCommandName)
+		runMCPWithConfig(setFlags, mcpURL, mcpAllowDestructive)
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(mcpCmd)
+
+	mcpCmd.Flags().StringVar(&mcpURL, "url", "", "Direct URL to Kubeshark (e.g., https://kubeshark.example.com). When set, connects directly without kubectl/proxy and disables start/stop tools.")
+	mcpCmd.Flags().StringVar(&mcpKubeconfig, "kubeconfig", "", "Path to kubeconfig file (e.g., /Users/me/.kube/config)")
+	mcpCmd.Flags().BoolVar(&mcpListTools, "list-tools", false, "List available MCP tools and exit")
+	mcpCmd.Flags().BoolVar(&mcpConfig, "mcp-config", false, "Print MCP client configuration JSON and exit")
+	mcpCmd.Flags().BoolVar(&mcpAllowDestructive, "allow-destructive", false, "Enable destructive operations (start_kubeshark, stop_kubeshark). Without this flag, only read-only traffic analysis tools are available.")
+}
--- a/cmd/mcpRunner.go
+++ b/cmd/mcpRunner.go
--- a/cmd/mcp_test.go
+++ b/cmd/mcp_test.go
@@ -0,0 +1,495 @@
+package cmd
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func newTestMCPServer() *mcpServer {
+	return &mcpServer{httpClient: &http.Client{}, stdin: &bytes.Buffer{}, stdout: &bytes.Buffer{}}
+}
+
+func sendRequest(s *mcpServer, method string, id any, params any) string {
+	req := jsonRPCRequest{
+		JSONRPC: "2.0",
+		ID:      id,
+		Method:  method,
+	}
+	if params != nil {
+		paramsBytes, _ := json.Marshal(params)
+		req.Params = paramsBytes
+	}
+
+	s.handleRequest(&req)
+
+	output := s.stdout.(*bytes.Buffer).String()
+	s.stdout.(*bytes.Buffer).Reset()
+	return output
+}
+
+func parseResponse(t *testing.T, output string) jsonRPCResponse {
+	var resp jsonRPCResponse
+	if err := json.Unmarshal([]byte(strings.TrimSpace(output)), &resp); err != nil {
+		t.Fatalf("Failed to parse response: %v\nOutput: %s", err, output)
+	}
+	return resp
+}
+
+func TestMCP_Initialize(t *testing.T) {
+	s := newTestMCPServer()
+	resp := parseResponse(t, sendRequest(s, "initialize", 1, nil))
+
+	if resp.ID != float64(1) || resp.Error != nil {
+		t.Fatalf("Expected ID 1 with no error, got ID=%v, error=%v", resp.ID, resp.Error)
+	}
+
+	result := resp.Result.(map[string]any)
+	if result["protocolVersion"] != "2024-11-05" {
+		t.Errorf("Expected protocolVersion 2024-11-05, got %v", result["protocolVersion"])
+	}
+	if result["serverInfo"].(map[string]any)["name"] != "kubeshark-mcp" {
+		t.Error("Expected server name kubeshark-mcp")
+	}
+	if !strings.Contains(result["instructions"].(string), "check_kubeshark_status") {
+		t.Error("Instructions should mention check_kubeshark_status")
+	}
+	if _, ok := result["capabilities"].(map[string]any)["prompts"]; !ok {
+		t.Error("Expected prompts capability")
+	}
+}
+
+func TestMCP_Ping(t *testing.T) {
+	resp := parseResponse(t, sendRequest(newTestMCPServer(), "ping", 42, nil))
+	if resp.ID != float64(42) || resp.Error != nil || len(resp.Result.(map[string]any)) != 0 {
+		t.Errorf("Expected ID 42, no error, empty result")
+	}
+}
+
+func TestMCP_InitializedNotification(t *testing.T) {
+	s := newTestMCPServer()
+	for _, method := range []string{"initialized", "notifications/initialized"} {
+		if output := sendRequest(s, method, nil, nil); output != "" {
+			t.Errorf("Expected no output for %s, got: %s", method, output)
+		}
+	}
+}
+
+func TestMCP_UnknownMethod(t *testing.T) {
+	resp := parseResponse(t, sendRequest(newTestMCPServer(), "unknown/method", 1, nil))
+	if resp.Error == nil || resp.Error.Code != -32601 {
+		t.Fatalf("Expected error code -32601, got %v", resp.Error)
+	}
+}
+
+func TestMCP_PromptsList(t *testing.T) {
+	resp := parseResponse(t, sendRequest(newTestMCPServer(), "prompts/list", 1, nil))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	prompts := resp.Result.(map[string]any)["prompts"].([]any)
+	if len(prompts) != 1 || prompts[0].(map[string]any)["name"] != "kubeshark_usage" {
+		t.Error("Expected 1 prompt named 'kubeshark_usage'")
+	}
+}
+
+func TestMCP_PromptsGet(t *testing.T) {
+	resp := parseResponse(t, sendRequest(newTestMCPServer(), "prompts/get", 1, map[string]any{"name": "kubeshark_usage"}))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	messages := resp.Result.(map[string]any)["messages"].([]any)
+	if len(messages) == 0 {
+		t.Fatal("Expected at least one message")
+	}
+	text := messages[0].(map[string]any)["content"].(map[string]any)["text"].(string)
+	for _, phrase := range []string{"check_kubeshark_status", "start_kubeshark", "stop_kubeshark"} {
+		if !strings.Contains(text, phrase) {
+			t.Errorf("Prompt should contain '%s'", phrase)
+		}
+	}
+}
+
+func TestMCP_PromptsGet_UnknownPrompt(t *testing.T) {
+	resp := parseResponse(t, sendRequest(newTestMCPServer(), "prompts/get", 1, map[string]any{"name": "unknown"}))
+	if resp.Error == nil || resp.Error.Code != -32602 {
+		t.Fatalf("Expected error code -32602, got %v", resp.Error)
+	}
+}
+
+func TestMCP_ToolsList_CLIOnly(t *testing.T) {
+	resp := parseResponse(t, sendRequest(newTestMCPServer(), "tools/list", 1, nil))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	tools := resp.Result.(map[string]any)["tools"].([]any)
+	if len(tools) != 1 || tools[0].(map[string]any)["name"] != "check_kubeshark_status" {
+		t.Error("Expected only check_kubeshark_status tool")
+	}
+}
+
+func TestMCP_ToolsList_WithDestructive(t *testing.T) {
+	s := &mcpServer{httpClient: &http.Client{}, stdin: &bytes.Buffer{}, stdout: &bytes.Buffer{}, allowDestructive: true}
+	resp := parseResponse(t, sendRequest(s, "tools/list", 1, nil))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	tools := resp.Result.(map[string]any)["tools"].([]any)
+	toolNames := make(map[string]bool)
+	for _, tool := range tools {
+		toolNames[tool.(map[string]any)["name"].(string)] = true
+	}
+	for _, expected := range []string{"check_kubeshark_status", "start_kubeshark", "stop_kubeshark"} {
+		if !toolNames[expected] {
+			t.Errorf("Missing expected tool: %s", expected)
+		}
+	}
+}
+
+func TestMCP_ToolsList_WithHubBackend(t *testing.T) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/" || r.URL.Path == "" {
+			_, _ = w.Write([]byte(`{"name":"hub","tools":[{"name":"list_workloads","description":"","inputSchema":{}},{"name":"list_api_calls","description":"","inputSchema":{}}]}`))
+		}
+	}))
+	defer mockServer.Close()
+
+	s := &mcpServer{httpClient: &http.Client{}, stdin: &bytes.Buffer{}, stdout: &bytes.Buffer{}, hubBaseURL: mockServer.URL, backendInitialized: true, allowDestructive: true}
+	resp := parseResponse(t, sendRequest(s, "tools/list", 1, nil))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	tools := resp.Result.(map[string]any)["tools"].([]any)
+	// Should have CLI tools (3) + Hub tools (2) = 5 tools
+	if len(tools) < 5 {
+		t.Errorf("Expected at least 5 tools, got %d", len(tools))
+	}
+}
+
+func TestMCP_ToolsCallUnknownTool(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+	})
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "unknown"}))
+	if !resp.Result.(map[string]any)["isError"].(bool) {
+		t.Error("Expected isError=true for unknown tool")
+	}
+}
+
+func TestMCP_ToolsCallInvalidParams(t *testing.T) {
+	s := newTestMCPServer()
+	req := jsonRPCRequest{JSONRPC: "2.0", ID: 1, Method: "tools/call", Params: json.RawMessage(`"invalid"`)}
+	s.handleRequest(&req)
+	resp := parseResponse(t, s.stdout.(*bytes.Buffer).String())
+	if resp.Error == nil || resp.Error.Code != -32602 {
+		t.Fatalf("Expected error code -32602")
+	}
+}
+
+func TestMCP_CheckKubesharkStatus(t *testing.T) {
+	for _, tc := range []struct {
+		name string
+		args map[string]any
+	}{
+		{"no_config", map[string]any{}},
+		{"with_namespace", map[string]any{"release_namespace": "custom-ns"}},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			resp := parseResponse(t, sendRequest(newTestMCPServer(), "tools/call", 1, mcpCallToolParams{Name: "check_kubeshark_status", Arguments: tc.args}))
+			if resp.Error != nil {
+				t.Fatalf("Unexpected error: %v", resp.Error)
+			}
+			content := resp.Result.(map[string]any)["content"].([]any)
+			if len(content) == 0 || content[0].(map[string]any)["text"].(string) == "" {
+				t.Error("Expected non-empty response")
+			}
+		})
+	}
+}
+
+func newTestMCPServerWithMockBackend(handler http.HandlerFunc) (*mcpServer, *httptest.Server) {
+	mockServer := httptest.NewServer(handler)
+	return &mcpServer{httpClient: &http.Client{}, stdin: &bytes.Buffer{}, stdout: &bytes.Buffer{}, hubBaseURL: mockServer.URL, backendInitialized: true}, mockServer
+}
+
+type hubToolCallRequest struct {
+	Tool      string         `json:"tool"`
+	Arguments map[string]any `json:"arguments"`
+}
+
+func newMockHubHandler(t *testing.T, handler func(req hubToolCallRequest) (string, int)) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/tools/call" || r.Method != http.MethodPost {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		var req hubToolCallRequest
+		_ = json.NewDecoder(r.Body).Decode(&req)
+		resp, status := handler(req)
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(resp))
+	}
+}
+
+func TestMCP_ListWorkloads(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(newMockHubHandler(t, func(req hubToolCallRequest) (string, int) {
+		if req.Tool != "list_workloads" {
+			t.Errorf("Expected tool 'list_workloads', got %s", req.Tool)
+		}
+		return `{"workloads": [{"name": "test-pod"}]}`, http.StatusOK
+	}))
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_workloads", Arguments: map[string]any{"type": "pod"}}))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	text := resp.Result.(map[string]any)["content"].([]any)[0].(map[string]any)["text"].(string)
+	if !strings.Contains(text, "test-pod") {
+		t.Errorf("Expected 'test-pod' in response")
+	}
+}
+
+func TestMCP_ListAPICalls(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(newMockHubHandler(t, func(req hubToolCallRequest) (string, int) {
+		if req.Tool != "list_api_calls" {
+			t.Errorf("Expected tool 'list_api_calls', got %s", req.Tool)
+		}
+		return `{"calls": [{"id": "123", "path": "/api/users"}]}`, http.StatusOK
+	}))
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_api_calls", Arguments: map[string]any{"proto": "http"}}))
+	if resp.Error != nil {
+		t.Fatalf("Unexpected error: %v", resp.Error)
+	}
+	if !strings.Contains(resp.Result.(map[string]any)["content"].([]any)[0].(map[string]any)["text"].(string), "/api/users") {
+		t.Error("Expected '/api/users' in response")
+	}
+}
+
+func TestMCP_GetAPICall(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(newMockHubHandler(t, func(req hubToolCallRequest) (string, int) {
+		if req.Tool != "get_api_call" || req.Arguments["id"] != "abc123" {
+			t.Errorf("Expected get_api_call with id=abc123")
+		}
+		return `{"id": "abc123", "path": "/api/orders"}`, http.StatusOK
+	}))
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "get_api_call", Arguments: map[string]any{"id": "abc123"}}))
+	if resp.Error != nil || !strings.Contains(resp.Result.(map[string]any)["content"].([]any)[0].(map[string]any)["text"].(string), "abc123") {
+		t.Error("Expected response containing 'abc123'")
+	}
+}
+
+func TestMCP_GetAPICall_MissingID(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(newMockHubHandler(t, func(req hubToolCallRequest) (string, int) {
+		return `{"error": "id is required"}`, http.StatusBadRequest
+	}))
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "get_api_call", Arguments: map[string]any{}}))
+	if !resp.Result.(map[string]any)["isError"].(bool) {
+		t.Error("Expected isError=true")
+	}
+}
+
+func TestMCP_GetAPIStats(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(newMockHubHandler(t, func(req hubToolCallRequest) (string, int) {
+		if req.Tool != "get_api_stats" {
+			t.Errorf("Expected get_api_stats")
+		}
+		return `{"stats": {"total_calls": 1000}}`, http.StatusOK
+	}))
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "get_api_stats", Arguments: map[string]any{"ns": "prod"}}))
+	if resp.Error != nil || !strings.Contains(resp.Result.(map[string]any)["content"].([]any)[0].(map[string]any)["text"].(string), "total_calls") {
+		t.Error("Expected 'total_calls' in response")
+	}
+}
+
+func TestMCP_APITools_BackendError(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+	})
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_workloads"}))
+	if !resp.Result.(map[string]any)["isError"].(bool) {
+		t.Error("Expected isError=true for backend error")
+	}
+}
+
+func TestMCP_APITools_BackendConnectionError(t *testing.T) {
+	s := &mcpServer{httpClient: &http.Client{}, stdin: &bytes.Buffer{}, stdout: &bytes.Buffer{}, hubBaseURL: "http://localhost:99999", backendInitialized: true}
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_workloads"}))
+	if !resp.Result.(map[string]any)["isError"].(bool) {
+		t.Error("Expected isError=true for connection error")
+	}
+}
+
+func TestMCP_RunLoop_ParseError(t *testing.T) {
+	output := &bytes.Buffer{}
+	s := &mcpServer{httpClient: &http.Client{}, stdin: strings.NewReader("invalid\n"), stdout: output}
+	s.run()
+	if resp := parseResponse(t, output.String()); resp.Error == nil || resp.Error.Code != -32700 {
+		t.Fatalf("Expected error code -32700")
+	}
+}
+
+func TestMCP_RunLoop_MultipleRequests(t *testing.T) {
+	output := &bytes.Buffer{}
+	s := &mcpServer{httpClient: &http.Client{}, stdin: strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"ping"}
+{"jsonrpc":"2.0","id":2,"method":"ping"}
+`), stdout: output}
+	s.run()
+	if lines := strings.Split(strings.TrimSpace(output.String()), "\n"); len(lines) != 2 {
+		t.Fatalf("Expected 2 responses, got %d", len(lines))
+	}
+}
+
+func TestMCP_RunLoop_EmptyLines(t *testing.T) {
+	output := &bytes.Buffer{}
+	s := &mcpServer{httpClient: &http.Client{}, stdin: strings.NewReader("\n\n{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"ping\"}\n"), stdout: output}
+	s.run()
+	if lines := strings.Split(strings.TrimSpace(output.String()), "\n"); len(lines) != 1 {
+		t.Fatalf("Expected 1 response, got %d", len(lines))
+	}
+}
+
+func TestMCP_ResponseFormat(t *testing.T) {
+	s := newTestMCPServer()
+	// Numeric ID
+	if resp := parseResponse(t, sendRequest(s, "ping", 123, nil)); resp.ID != float64(123) || resp.JSONRPC != "2.0" {
+		t.Errorf("Expected ID 123 and jsonrpc 2.0")
+	}
+	// String ID
+	if resp := parseResponse(t, sendRequest(s, "ping", "str", nil)); resp.ID != "str" {
+		t.Errorf("Expected ID 'str'")
+	}
+}
+
+func TestMCP_ToolCallResult_ContentFormat(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = w.Write([]byte(`{"data": "test"}`))
+	})
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_workloads"}))
+	content := resp.Result.(map[string]any)["content"].([]any)
+	if len(content) == 0 || content[0].(map[string]any)["type"] != "text" {
+		t.Error("Expected content with type=text")
+	}
+}
+
+func TestMCP_CommandArgs(t *testing.T) {
+	// Test start command args building
+	for _, tc := range []struct {
+		args     map[string]any
+		expected string
+	}{
+		{map[string]any{}, "tap --set headless=true"},
+		{map[string]any{"pod_regex": "nginx.*"}, "tap nginx.* --set headless=true"},
+		{map[string]any{"namespaces": "default"}, "tap -n default --set headless=true"},
+		{map[string]any{"release_namespace": "ks"}, "tap -s ks --set headless=true"},
+	} {
+		cmdArgs := []string{"tap"}
+		if v, _ := tc.args["pod_regex"].(string); v != "" {
+			cmdArgs = append(cmdArgs, v)
+		}
+		if v, _ := tc.args["namespaces"].(string); v != "" {
+			for _, ns := range strings.Split(v, ",") {
+				cmdArgs = append(cmdArgs, "-n", strings.TrimSpace(ns))
+			}
+		}
+		if v, _ := tc.args["release_namespace"].(string); v != "" {
+			cmdArgs = append(cmdArgs, "-s", v)
+		}
+		cmdArgs = append(cmdArgs, "--set", "headless=true")
+		if got := strings.Join(cmdArgs, " "); got != tc.expected {
+			t.Errorf("Expected %q, got %q", tc.expected, got)
+		}
+	}
+}
+
+func TestMCP_PrettyPrintJSON(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = w.Write([]byte(`{"key":"value"}`))
+	})
+	defer mockServer.Close()
+
+	resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_workloads"}))
+	text := resp.Result.(map[string]any)["content"].([]any)[0].(map[string]any)["text"].(string)
+	if !strings.Contains(text, "\n") {
+		t.Error("Expected pretty-printed JSON")
+	}
+}
+
+func TestMCP_SpecialCharsAndEdgeCases(t *testing.T) {
+	s, mockServer := newTestMCPServerWithMockBackend(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = w.Write([]byte(`{}`))
+	})
+	defer mockServer.Close()
+
+	// Test special chars, empty args, nil args
+	for _, args := range []map[string]any{
+		{"path": "/api?id=123"},
+		{"id": "abc/123"},
+		{},
+		nil,
+	} {
+		resp := parseResponse(t, sendRequest(s, "tools/call", 1, mcpCallToolParams{Name: "list_workloads", Arguments: args}))
+		if resp.Error != nil {
+			t.Errorf("Unexpected error with args %v: %v", args, resp.Error)
+		}
+	}
+}
+
+func TestMCP_BackendInitialization_Concurrent(t *testing.T) {
+	s := newTestMCPServer()
+	done := make(chan bool, 10)
+	for i := 0; i < 10; i++ {
+		go func() { s.ensureBackendConnection(); done <- true }()
+	}
+	for i := 0; i < 10; i++ {
+		<-done
+	}
+}
+
+func TestMCP_FullConversation(t *testing.T) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/" {
+			_, _ = w.Write([]byte(`{"name":"hub","tools":[{"name":"list_workloads","description":"","inputSchema":{}}]}`))
+		} else if r.URL.Path == "/tools/call" {
+			_, _ = w.Write([]byte(`{"data":"ok"}`))
+		}
+	}))
+	defer mockServer.Close()
+
+	input := `{"jsonrpc":"2.0","id":1,"method":"initialize"}
+{"jsonrpc":"2.0","method":"notifications/initialized"}
+{"jsonrpc":"2.0","id":2,"method":"tools/list"}
+{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"list_workloads","arguments":{}}}
+`
+	output := &bytes.Buffer{}
+	s := &mcpServer{httpClient: &http.Client{}, stdin: strings.NewReader(input), stdout: output, hubBaseURL: mockServer.URL, backendInitialized: true}
+	s.run()
+
+	lines := strings.Split(strings.TrimSpace(output.String()), "\n")
+	if len(lines) != 3 { // 3 responses (notification has no response)
+		t.Errorf("Expected 3 responses, got %d", len(lines))
+	}
+	for i, line := range lines {
+		var resp jsonRPCResponse
+		if err := json.Unmarshal([]byte(line), &resp); err != nil || resp.Error != nil {
+			t.Errorf("Response %d: parse error or unexpected error", i)
+		}
+	}
+}
--- a/cmd/pcapDump.go
+++ b/cmd/pcapDump.go
@@ -0,0 +1,110 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/creasty/defaults"
+	"github.com/kubeshark/kubeshark/config/configStructs"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/util/homedir"
+)
+
+// pcapDumpCmd represents the consolidated pcapdump command
+var pcapDumpCmd = &cobra.Command{
+	Use:   "pcapdump",
+	Short: "Store all captured traffic (including decrypted TLS) in a PCAP file.",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// Retrieve the kubeconfig path from the flag
+		kubeconfig, _ := cmd.Flags().GetString(configStructs.PcapKubeconfig)
+
+		// If kubeconfig is not provided, use the default location
+		if kubeconfig == "" {
+			if home := homedir.HomeDir(); home != "" {
+				kubeconfig = filepath.Join(home, ".kube", "config")
+			} else {
+				return errors.New("kubeconfig flag not provided and no home directory available for default config location")
+			}
+		}
+
+		debugEnabled, _ := cmd.Flags().GetBool("debug")
+		if debugEnabled {
+			zerolog.SetGlobalLevel(zerolog.DebugLevel)
+			log.Debug().Msg("Debug logging enabled")
+		} else {
+			zerolog.SetGlobalLevel(zerolog.InfoLevel)
+		}
+
+		// Use the current context in kubeconfig
+		config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+		if err != nil {
+			return fmt.Errorf("Error building kubeconfig: %w", err)
+		}
+
+		clientset, err := kubernetes.NewForConfig(config)
+		if err != nil {
+			return fmt.Errorf("Error creating Kubernetes client: %w", err)
+		}
+
+		// Parse the `--time` flag
+		timeIntervalStr, _ := cmd.Flags().GetString("time")
+		var cutoffTime *time.Time // Use a pointer to distinguish between provided and not provided
+		if timeIntervalStr != "" {
+			duration, err := time.ParseDuration(timeIntervalStr)
+			if err != nil {
+				return fmt.Errorf("Invalid format %w", err)
+			}
+			tempCutoffTime := time.Now().Add(-duration)
+			cutoffTime = &tempCutoffTime
+		}
+
+		// Test the dest dir if provided
+		destDir, _ := cmd.Flags().GetString(configStructs.PcapDest)
+		if destDir != "" {
+			info, err := os.Stat(destDir)
+			if os.IsNotExist(err) {
+				return fmt.Errorf("Directory does not exist: %s", destDir)
+			}
+			if err != nil {
+				return fmt.Errorf("Error checking dest directory: %w", err)
+			}
+			if !info.IsDir() {
+				return fmt.Errorf("Dest path is not a directory: %s", destDir)
+			}
+			tempFile, err := os.CreateTemp(destDir, "write-test-*")
+			if err != nil {
+				return fmt.Errorf("Directory %s is not writable", destDir)
+			}
+			_ = os.Remove(tempFile.Name())
+		}
+
+		log.Info().Msg("Copying PCAP files")
+		err = copyPcapFiles(clientset, config, destDir, cutoffTime)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(pcapDumpCmd)
+
+	defaultPcapDumpConfig := configStructs.PcapDumpConfig{}
+	if err := defaults.Set(&defaultPcapDumpConfig); err != nil {
+		log.Debug().Err(err).Send()
+	}
+
+	pcapDumpCmd.Flags().String(configStructs.PcapTime, "", "Time interval (e.g., 10m, 1h) in the past for which the pcaps are copied")
+	pcapDumpCmd.Flags().String(configStructs.PcapDest, "", "Local destination path for copied PCAP files (can not be used together with --enabled)")
+	pcapDumpCmd.Flags().String(configStructs.PcapKubeconfig, "", "Path for kubeconfig (if not provided the default location will be checked)")
+	pcapDumpCmd.Flags().Bool("debug", false, "Enable debug logging")
+}
--- a/cmd/pcapDumpRunner.go
+++ b/cmd/pcapDumpRunner.go
@@ -0,0 +1,371 @@
+package cmd
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/kubeshark/gopacket/pcapgo"
+	"github.com/rs/zerolog/log"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	clientk8s "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/remotecommand"
+)
+
+const (
+	label                 = "app.kubeshark.com/app=worker"
+	srcDir                = "pcapdump"
+	maxSnaplen     uint32 = 262144
+	maxTimePerFile        = time.Minute * 5
+)
+
+// PodFileInfo represents information about a pod, its namespace, and associated files
+type PodFileInfo struct {
+	Pod         corev1.Pod
+	SrcDir      string
+	Files       []string
+	CopiedFiles []string
+}
+
+// listWorkerPods fetches all worker pods from multiple namespaces
+func listWorkerPods(ctx context.Context, clientset *clientk8s.Clientset, namespaces []string) ([]*PodFileInfo, error) {
+	var podFileInfos []*PodFileInfo
+	var errs []error
+	labelSelector := label
+
+	for _, namespace := range namespaces {
+		// List all pods matching the label in the current namespace
+		pods, err := clientset.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{
+			LabelSelector: labelSelector,
+		})
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to list worker pods in namespace %s: %w", namespace, err))
+			continue
+		}
+
+		for _, pod := range pods.Items {
+			podFileInfos = append(podFileInfos, &PodFileInfo{
+				Pod: pod,
+			})
+		}
+	}
+
+	return podFileInfos, errors.Join(errs...)
+}
+
+// listFilesInPodDir lists all files in the specified directory inside the pod across multiple namespaces
+func listFilesInPodDir(ctx context.Context, clientset *clientk8s.Clientset, config *rest.Config, pod *PodFileInfo, cutoffTime *time.Time) error {
+	nodeName := pod.Pod.Spec.NodeName
+	srcFilePath := filepath.Join("data", nodeName, srcDir)
+
+	cmd := []string{"ls", srcFilePath}
+	req := clientset.CoreV1().RESTClient().Post().
+		Resource("pods").
+		Name(pod.Pod.Name).
+		Namespace(pod.Pod.Namespace).
+		SubResource("exec").
+		Param("container", "sniffer").
+		Param("stdout", "true").
+		Param("stderr", "true").
+		Param("command", cmd[0]).
+		Param("command", cmd[1])
+
+	exec, err := remotecommand.NewSPDYExecutor(config, "POST", req.URL())
+	if err != nil {
+		return err
+	}
+
+	var stdoutBuf bytes.Buffer
+	var stderrBuf bytes.Buffer
+
+	// Execute the command to list files
+	err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
+		Stdout: &stdoutBuf,
+		Stderr: &stderrBuf,
+	})
+	if err != nil {
+		return err
+	}
+
+	// Split the output (file names) into a list
+	files := strings.Split(strings.TrimSpace(stdoutBuf.String()), "\n")
+	if len(files) == 0 {
+		// No files were found in the target dir for this pod
+		return nil
+	}
+
+	var filteredFiles []string
+	var fileProcessingErrs []error
+	// Filter files based on cutoff time if provided
+	for _, file := range files {
+		if cutoffTime != nil {
+			parts := strings.Split(file, "-")
+			if len(parts) < 2 {
+				continue
+			}
+
+			timestampStr := parts[len(parts)-2] + parts[len(parts)-1][:6] // Extract YYYYMMDDHHMMSS
+			fileTime, err := time.Parse("20060102150405", timestampStr)
+			if err != nil {
+				fileProcessingErrs = append(fileProcessingErrs, fmt.Errorf("failed parse file timestamp %s: %w", file, err))
+				continue
+			}
+
+			if fileTime.Before(*cutoffTime) {
+				continue
+			}
+		}
+		// Add file to filtered list
+		filteredFiles = append(filteredFiles, file)
+	}
+
+	pod.SrcDir = srcDir
+	pod.Files = filteredFiles
+
+	return errors.Join(fileProcessingErrs...)
+}
+
+// copyFileFromPod copies a single file from a pod to a local destination
+func copyFileFromPod(ctx context.Context, clientset *kubernetes.Clientset, config *rest.Config, pod *PodFileInfo, srcFile, destFile string) error {
+	// Construct the complete path using /data, the node name, srcDir, and srcFile
+	nodeName := pod.Pod.Spec.NodeName
+	srcFilePath := filepath.Join("data", nodeName, srcDir, srcFile)
+
+	// Execute the `cat` command to read the file at the srcFilePath
+	cmd := []string{"cat", srcFilePath}
+	req := clientset.CoreV1().RESTClient().Post().
+		Resource("pods").
+		Name(pod.Pod.Name).
+		Namespace(pod.Pod.Namespace).
+		SubResource("exec").
+		Param("container", "sniffer").
+		Param("stdout", "true").
+		Param("stderr", "true").
+		Param("command", cmd[0]).
+		Param("command", cmd[1])
+
+	exec, err := remotecommand.NewSPDYExecutor(config, "POST", req.URL())
+	if err != nil {
+		return fmt.Errorf("failed to initialize executor for pod %s in namespace %s: %w", pod.Pod.Name, pod.Pod.Namespace, err)
+	}
+
+	// Create the local file to write the content to
+	outFile, err := os.Create(destFile)
+	if err != nil {
+		return fmt.Errorf("failed to create destination file: %w", err)
+	}
+	defer outFile.Close()
+
+	// Capture stderr for error logging
+	var stderrBuf bytes.Buffer
+
+	// Stream the file content from the pod to the local file
+	err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
+		Stdout: outFile,
+		Stderr: &stderrBuf,
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func mergePCAPs(outputFile string, inputFiles []string) error {
+	// Create the output file
+	f, err := os.Create(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %w", err)
+	}
+	defer f.Close()
+
+	bufWriter := bufio.NewWriterSize(f, 4*1024*1024)
+	defer bufWriter.Flush()
+
+	// Create the PCAP writer
+	writer := pcapgo.NewWriter(bufWriter)
+	err = writer.WriteFileHeader(maxSnaplen, 1)
+	if err != nil {
+		return fmt.Errorf("failed to write PCAP file header: %w", err)
+	}
+
+	var mergingErrs []error
+
+	for _, inputFile := range inputFiles {
+		// Open the input file
+		file, err := os.Open(inputFile)
+		if err != nil {
+			mergingErrs = append(mergingErrs, fmt.Errorf("failed to open %s: %w", inputFile, err))
+			continue
+		}
+
+		fileInfo, err := file.Stat()
+		if err != nil {
+			mergingErrs = append(mergingErrs, fmt.Errorf("failed to stat file %s: %w", inputFile, err))
+			file.Close()
+			continue
+		}
+
+		if fileInfo.Size() == 0 {
+			// Skip empty files
+			log.Debug().Msgf("Skipped empty file: %s", inputFile)
+			file.Close()
+			continue
+		}
+
+		// Create the PCAP reader for the input file
+		reader, err := pcapgo.NewReader(file)
+		if err != nil {
+			mergingErrs = append(mergingErrs, fmt.Errorf("failed to create pcapng reader for %v: %w", file.Name(), err))
+			file.Close()
+			continue
+		}
+
+		for {
+			// Read packet data
+			data, ci, err := reader.ReadPacketData()
+			if err != nil {
+				if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
+					break
+				}
+				mergingErrs = append(mergingErrs, fmt.Errorf("error reading packet from file %s: %w", file.Name(), err))
+				break
+			}
+
+			// Write the packet to the output file
+			err = writer.WritePacket(ci, data)
+			if err != nil {
+				log.Error().Err(err).Msgf("Error writing packet to output file")
+				mergingErrs = append(mergingErrs, fmt.Errorf("error writing packet to output file: %w", err))
+				break
+			}
+		}
+
+		file.Close()
+	}
+
+	log.Debug().Err(errors.Join(mergingErrs...))
+
+	return nil
+}
+
+func copyPcapFiles(clientset *kubernetes.Clientset, config *rest.Config, destDir string, cutoffTime *time.Time) error {
+	// List all namespaces
+	namespaceList, err := clientset.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		return err
+	}
+
+	var targetNamespaces []string
+	for _, ns := range namespaceList.Items {
+		targetNamespaces = append(targetNamespaces, ns.Name)
+	}
+
+	// List all worker pods
+	workerPods, err := listWorkerPods(context.Background(), clientset, targetNamespaces)
+	if err != nil {
+		if len(workerPods) == 0 {
+			return err
+		}
+		log.Debug().Err(err).Msg("error while listing worker pods")
+	}
+
+	var wg sync.WaitGroup
+
+	// Launch a goroutine for each pod
+	for _, pod := range workerPods {
+		wg.Add(1)
+
+		go func(pod *PodFileInfo) {
+			defer wg.Done()
+
+			// List files for the current pod
+			err := listFilesInPodDir(context.Background(), clientset, config, pod, cutoffTime)
+			if err != nil {
+				log.Debug().Err(err).Msgf("error listing files in pod %s", pod.Pod.Name)
+				return
+			}
+
+			// Copy files from the pod
+			for _, file := range pod.Files {
+				destFile := filepath.Join(destDir, file)
+
+				// Add a timeout context for file copy
+				ctx, cancel := context.WithTimeout(context.Background(), maxTimePerFile)
+				err := copyFileFromPod(ctx, clientset, config, pod, file, destFile)
+				cancel()
+				if err != nil {
+					log.Debug().Err(err).Msgf("error copying file %s from pod %s in namespace %s", file, pod.Pod.Name, pod.Pod.Namespace)
+					continue
+				}
+
+				log.Info().Msgf("Copied file %s from pod %s to %s", file, pod.Pod.Name, destFile)
+				pod.CopiedFiles = append(pod.CopiedFiles, destFile)
+			}
+		}(pod)
+	}
+
+	// Wait for all goroutines to complete
+	wg.Wait()
+
+	var copiedFiles []string
+	for _, pod := range workerPods {
+		copiedFiles = append(copiedFiles, pod.CopiedFiles...)
+	}
+
+	if len(copiedFiles) == 0 {
+		log.Info().Msg("No pcaps available to copy on the workers")
+		return nil
+	}
+
+	// Generate a temporary filename for the merged file
+	tempMergedFile := copiedFiles[0] + "_temp"
+
+	// Merge PCAP files
+	err = mergePCAPs(tempMergedFile, copiedFiles)
+	if err != nil {
+		os.Remove(tempMergedFile)
+		return fmt.Errorf("error merging files: %w", err)
+	}
+
+	// Remove the original files after merging
+	for _, file := range copiedFiles {
+		if err = os.Remove(file); err != nil {
+			log.Debug().Err(err).Msgf("error removing file %s", file)
+		}
+	}
+
+	clusterID, err := getClusterID(clientset)
+	if err != nil {
+		return fmt.Errorf("failed to get cluster ID: %w", err)
+	}
+	timestamp := time.Now().Format("2006-01-02_15-04")
+	// Rename the temp file to the final name
+	finalMergedFile := filepath.Join(destDir, fmt.Sprintf("%s-%s.pcap", clusterID, timestamp))
+	err = os.Rename(tempMergedFile, finalMergedFile)
+	if err != nil {
+		return err
+	}
+
+	log.Info().Msgf("Merged file created: %s", finalMergedFile)
+	return nil
+}
+
+func getClusterID(clientset *kubernetes.Clientset) (string, error) {
+	namespace, err := clientset.CoreV1().Namespaces().Get(context.TODO(), "kube-system", metav1.GetOptions{})
+	if err != nil {
+		return "", fmt.Errorf("failed to get kube-system namespace UID: %w", err)
+	}
+	return string(namespace.UID), nil
+}
--- a/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
+++ b/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
@@ -1,25 +0,0 @@
-# This example shows permissions that enrich the logs with additional info
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-clusterrole
-rules:
- apiGroups: ["events.k8s.io"]
-  resources: ["events"]
-  verbs: ["watch"]
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-clusterrolebindings
-subjects:
- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-runner-debug-clusterrole
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
+++ b/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
@@ -1,37 +0,0 @@
-# This example shows permissions that are required for Kubeshark to resolve IPs to service names
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-clusterrole
-rules:
- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["get", "create"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterrolebindings"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["endpoints"]
-  verbs: ["get", "list", "watch"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-clusterrolebindings
-subjects:
- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-resolver-clusterrole
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
+++ b/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
@@ -1,40 +0,0 @@
-# This example shows the permissions that are required in order to run the `kubeshark tap` command
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-clusterrole
-rules:
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "watch", "create"]
- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "create"]
- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs: ["create", "patch"]
- apiGroups: [""]
-  resources: ["namespaces"]
-  verbs: ["list", "watch", "create", "delete"]
- apiGroups: [""]
-  resources: ["services/proxy"]
-  verbs: ["get", "create"]
- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create"]
- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-clusterrolebindings
-subjects:
- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-runner-clusterrole
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-ns-debug-optional.yaml
+++ b/cmd/permissionFiles/permissions-ns-debug-optional.yaml
@@ -1,25 +0,0 @@
-# This example shows permissions that enrich the logs with additional info in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-role
-rules:
- apiGroups: ["events.k8s.io"]
-  resources: ["events"]
-  verbs: ["watch"]
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-rolebindings
-subjects:
- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-runner-debug-role
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
+++ b/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
@@ -1,37 +0,0 @@
-# This example shows permissions that are required for Kubeshark to resolve IPs to service names in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-role
-rules:
- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["roles"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["rolebindings"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["endpoints"]
-  verbs: ["get", "list", "watch"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-rolebindings
-subjects:
- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-resolver-role
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-ns-tap.yaml
+++ b/cmd/permissionFiles/permissions-ns-tap.yaml
@@ -1,37 +0,0 @@
-# This example shows the permissions that are required in order to run the `kubeshark tap` command in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-role
-rules:
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "watch", "create"]
- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "create", "delete"]
- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs: ["create", "patch", "delete"]
- apiGroups: [""]
-  resources: ["services/proxy"]
-  verbs: ["get", "create", "delete"]
- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create", "delete"]
- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-rolebindings
-subjects:
- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-runner-role
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/pprof.go
+++ b/cmd/pprof.go
@@ -0,0 +1,32 @@
+package cmd
+
+import (
+	"github.com/creasty/defaults"
+	"github.com/kubeshark/kubeshark/config/configStructs"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+var pprofCmd = &cobra.Command{
+	Use:   "pprof",
+	Short: "Select a Kubeshark container and open the pprof web UI in the browser",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		runPprof()
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(pprofCmd)
+
+	defaultTapConfig := configStructs.TapConfig{}
+	if err := defaults.Set(&defaultTapConfig); err != nil {
+		log.Debug().Err(err).Send()
+	}
+
+	pprofCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.Port, "Provide a custom port for the proxy/port-forward")
+	pprofCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the proxy/port-forward")
+	pprofCmd.Flags().StringP(configStructs.ReleaseNamespaceLabel, "s", defaultTapConfig.Release.Namespace, "Release namespace of Kubeshark")
+	pprofCmd.Flags().Uint16(configStructs.PprofPortLabel, defaultTapConfig.Pprof.Port, "Provide a custom port for the pprof server")
+	pprofCmd.Flags().String(configStructs.PprofViewLabel, defaultTapConfig.Pprof.View, "Change the default view of the pprof web interface")
+}
--- a/cmd/pprofRunner.go
+++ b/cmd/pprofRunner.go
@@ -0,0 +1,176 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-cmd/cmd"
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/kubernetes"
+	"github.com/kubeshark/kubeshark/utils"
+	"github.com/rivo/tview"
+	"github.com/rs/zerolog/log"
+	v1 "k8s.io/api/core/v1"
+)
+
+func runPprof() {
+	runProxy(false, true)
+
+	provider, err := getKubernetesProviderForCli(false, false)
+	if err != nil {
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	hubPods, err := provider.ListPodsByAppLabel(ctx, config.Config.Tap.Release.Namespace, map[string]string{kubernetes.AppLabelKey: "hub"})
+	if err != nil {
+		log.Error().
+			Err(err).
+			Msg("Failed to list hub pods!")
+		cancel()
+		return
+	}
+
+	workerPods, err := provider.ListPodsByAppLabel(ctx, config.Config.Tap.Release.Namespace, map[string]string{kubernetes.AppLabelKey: "worker"})
+	if err != nil {
+		log.Error().
+			Err(err).
+			Msg("Failed to list worker pods!")
+		cancel()
+		return
+	}
+
+	fullscreen := true
+
+	app := tview.NewApplication()
+	list := tview.NewList()
+
+	var currentCmd *cmd.Cmd
+
+	i := 48
+	for _, pod := range hubPods {
+		for _, container := range pod.Spec.Containers {
+			log.Info().Str("pod", pod.Name).Str("container", container.Name).Send()
+			homeUrl := fmt.Sprintf("%s/debug/pprof/", kubernetes.GetHubUrl())
+			modal := buildNewModal(
+				pod,
+				container,
+				homeUrl,
+				app,
+				list,
+				fullscreen,
+				currentCmd,
+			)
+			list.AddItem(fmt.Sprintf("pod: %s container: %s", pod.Name, container.Name), pod.Spec.NodeName, rune(i), func() {
+				app.SetRoot(modal, fullscreen)
+			})
+			i++
+		}
+	}
+
+	for _, pod := range workerPods {
+		for _, container := range pod.Spec.Containers {
+			log.Info().Str("pod", pod.Name).Str("container", container.Name).Send()
+			homeUrl := fmt.Sprintf("%s/pprof/%s/%s/", kubernetes.GetHubUrl(), pod.Status.HostIP, container.Name)
+			modal := buildNewModal(
+				pod,
+				container,
+				homeUrl,
+				app,
+				list,
+				fullscreen,
+				currentCmd,
+			)
+			list.AddItem(fmt.Sprintf("pod: %s container: %s", pod.Name, container.Name), pod.Spec.NodeName, rune(i), func() {
+				app.SetRoot(modal, fullscreen)
+			})
+			i++
+		}
+	}
+
+	list.AddItem("Quit", "Press to exit", 'q', func() {
+		if currentCmd != nil {
+			err = currentCmd.Stop()
+			if err != nil {
+				log.Error().Err(err).Str("name", currentCmd.Name).Msg("Failed to stop process!")
+			}
+		}
+		app.Stop()
+	})
+
+	if err := app.SetRoot(list, fullscreen).EnableMouse(true).Run(); err != nil {
+		panic(err)
+	}
+}
+
+func buildNewModal(
+	pod v1.Pod,
+	container v1.Container,
+	homeUrl string,
+	app *tview.Application,
+	list *tview.List,
+	fullscreen bool,
+	currentCmd *cmd.Cmd,
+) *tview.Modal {
+	return tview.NewModal().
+		SetText(fmt.Sprintf("pod: %s container: %s", pod.Name, container.Name)).
+		AddButtons([]string{
+			"Open Debug Home Page",
+			"Profile: CPU",
+			"Profile: Memory",
+			"Profile: Goroutine",
+			"Cancel",
+		}).
+		SetDoneFunc(func(buttonIndex int, buttonLabel string) {
+			var err error
+			port := fmt.Sprintf(":%d", config.Config.Tap.Pprof.Port)
+			view := fmt.Sprintf("http://localhost%s/ui/%s", port, config.Config.Tap.Pprof.View)
+
+			switch buttonLabel {
+			case "Open Debug Home Page":
+				utils.OpenBrowser(homeUrl)
+			case "Profile: CPU":
+				if currentCmd != nil {
+					err = currentCmd.Stop()
+					if err != nil {
+						log.Error().Err(err).Str("name", currentCmd.Name).Msg("Failed to stop process!")
+					}
+				}
+				currentCmd = cmd.NewCmd("go", "tool", "pprof", "-http", port, "-no_browser", fmt.Sprintf("%sprofile", homeUrl))
+				currentCmd.Start()
+				utils.OpenBrowser(view)
+			case "Profile: Memory":
+				if currentCmd != nil {
+					err = currentCmd.Stop()
+					if err != nil {
+						log.Error().Err(err).Str("name", currentCmd.Name).Msg("Failed to stop process!")
+					}
+				}
+				currentCmd = cmd.NewCmd("go", "tool", "pprof", "-http", port, "-no_browser", fmt.Sprintf("%sheap", homeUrl))
+				currentCmd.Start()
+				utils.OpenBrowser(view)
+			case "Profile: Goroutine":
+				if currentCmd != nil {
+					err = currentCmd.Stop()
+					if err != nil {
+						log.Error().Err(err).Str("name", currentCmd.Name).Msg("Failed to stop process!")
+					}
+				}
+				currentCmd = cmd.NewCmd("go", "tool", "pprof", "-http", port, "-no_browser", fmt.Sprintf("%sgoroutine", homeUrl))
+				currentCmd.Start()
+				utils.OpenBrowser(view)
+			case "Cancel":
+				if currentCmd != nil {
+					err = currentCmd.Stop()
+					if err != nil {
+						log.Error().Err(err).Str("name", currentCmd.Name).Msg("Failed to stop process!")
+					}
+				}
+				fallthrough
+			default:
+				app.SetRoot(list, fullscreen)
+			}
+		})
+}
--- a/cmd/proxy.go
+++ b/cmd/proxy.go
@@ -9,9 +9,9 @@ import (

 var proxyCmd = &cobra.Command{
 	Use:   "proxy",
-	Short: "Open the web UI (front-end) in the browser via proxy/port-forward.",
+	Short: "Open the web UI (front-end) in the browser via proxy/port-forward",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		runProxy()
+		runProxy(true, false)
 		return nil
 	},
 }
@@ -24,7 +24,7 @@ func init() {
 		log.Debug().Err(err).Send()
 	}

-	proxyCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.SrcPort, "Provide a custom port for the front-end proxy/port-forward.")
-	proxyCmd.Flags().Uint16(configStructs.ProxyHubPortLabel, defaultTapConfig.Proxy.Hub.SrcPort, "Provide a custom port for the Hub proxy/port-forward.")
-	proxyCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the proxy/port-forward.")
+	proxyCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.Port, "Provide a custom port for the proxy/port-forward")
+	proxyCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the proxy/port-forward")
+	proxyCmd.Flags().StringP(configStructs.ReleaseNamespaceLabel, "s", defaultTapConfig.Release.Namespace, "Release namespace of Kubeshark")
 }
--- a/cmd/proxyRunner.go
+++ b/cmd/proxyRunner.go
@@ -14,8 +14,8 @@ import (
 	"github.com/rs/zerolog/log"
 )

-func runProxy() {
-	kubernetesProvider, err := getKubernetesProviderForCli()
+func runProxy(block bool, noBrowser bool) {
+	kubernetesProvider, err := getKubernetesProviderForCli(false, false)
 	if err != nil {
 		return
 	}
@@ -23,7 +23,7 @@ func runProxy() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	exists, err := kubernetesProvider.DoesServiceExist(ctx, config.Config.SelfNamespace, kubernetes.FrontServiceName)
+	exists, err := kubernetesProvider.DoesServiceExist(ctx, config.Config.Tap.Release.Namespace, kubernetes.FrontServiceName)
 	if err != nil {
 		log.Error().
 			Str("service", kubernetes.FrontServiceName).
@@ -42,7 +42,7 @@ func runProxy() {
 		return
 	}

-	exists, err = kubernetesProvider.DoesServiceExist(ctx, config.Config.SelfNamespace, kubernetes.HubServiceName)
+	exists, err = kubernetesProvider.DoesServiceExist(ctx, config.Config.Tap.Release.Namespace, kubernetes.HubServiceName)
 	if err != nil {
 		log.Error().
 			Str("service", kubernetes.HubServiceName).
@@ -63,45 +63,15 @@ func runProxy() {

 	var establishedProxy bool

-	hubUrl := kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Hub.SrcPort)
-	response, err := http.Get(fmt.Sprintf("%s/", hubUrl))
-	if err == nil && response.StatusCode == 200 {
-		log.Info().
-			Str("service", kubernetes.HubServiceName).
-			Int("port", int(config.Config.Tap.Proxy.Hub.SrcPort)).
-			Msg("Found a running service.")
-
-		okToOpen("Hub", hubUrl, true)
-	} else {
-		startProxyReportErrorIfAny(
-			kubernetesProvider,
-			ctx,
-			kubernetes.HubServiceName,
-			kubernetes.HubPodName,
-			configStructs.ProxyHubPortLabel,
-			config.Config.Tap.Proxy.Hub.SrcPort,
-			config.Config.Tap.Proxy.Hub.DstPort,
-			"/echo",
-		)
-		connector := connect.NewConnector(hubUrl, connect.DefaultRetries, connect.DefaultTimeout)
-		if err := connector.TestConnection("/echo"); err != nil {
-			log.Error().Msg(fmt.Sprintf(utils.Red, "Couldn't connect to Hub."))
-			return
-		}
-
-		establishedProxy = true
-		okToOpen("Hub", hubUrl, true)
-	}
-
-	frontUrl := kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Front.SrcPort)
-	response, err = http.Get(fmt.Sprintf("%s/", frontUrl))
+	frontUrl := kubernetes.GetProxyOnPort(config.Config.Tap.Proxy.Front.Port)
+	response, err := http.Get(fmt.Sprintf("%s/", frontUrl))
 	if err == nil && response.StatusCode == 200 {
 		log.Info().
 			Str("service", kubernetes.FrontServiceName).
-			Int("port", int(config.Config.Tap.Proxy.Front.SrcPort)).
+			Int("port", int(config.Config.Tap.Proxy.Front.Port)).
 			Msg("Found a running service.")

-		okToOpen("Kubeshark", frontUrl, false)
+		okToOpen("Kubeshark", frontUrl, noBrowser)
 	} else {
 		startProxyReportErrorIfAny(
 			kubernetesProvider,
@@ -109,8 +79,8 @@ func runProxy() {
 			kubernetes.FrontServiceName,
 			kubernetes.FrontPodName,
 			configStructs.ProxyFrontPortLabel,
-			config.Config.Tap.Proxy.Front.SrcPort,
-			config.Config.Tap.Proxy.Front.DstPort,
+			config.Config.Tap.Proxy.Front.Port,
+			configStructs.ContainerPort,
 			"",
 		)
 		connector := connect.NewConnector(frontUrl, connect.DefaultRetries, connect.DefaultTimeout)
@@ -120,12 +90,12 @@ func runProxy() {
 		}

 		establishedProxy = true
-		okToOpen("Kubeshark", frontUrl, false)
+		okToOpen("Kubeshark", frontUrl, noBrowser)
 	}
-
-	if establishedProxy {
+	if establishedProxy && block {
 		utils.WaitForTermination(ctx, cancel)
 	}
+
 }

 func okToOpen(name string, url string, noBrowser bool) {
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -12,10 +12,10 @@ import (

 var rootCmd = &cobra.Command{
 	Use:   "kubeshark",
-	Short: fmt.Sprintf("%s: The API Traffic Viewer for Kubernetes", misc.Software),
-	Long: fmt.Sprintf(`%s: The API Traffic Viewer for Kubernetes
+	Short: fmt.Sprintf("%s: %s", misc.Software, misc.Description),
+	Long: fmt.Sprintf(`%s: %s
 An extensible Kubernetes-aware network sniffer and kernel tracer.
-For more info: %s`, misc.Software, misc.Website),
+For more info: %s`, misc.Software, misc.Description, misc.Website),
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 		if err := config.InitConfig(cmd); err != nil {
 			log.Fatal().Err(err).Send()
@@ -32,8 +32,8 @@ func init() {
 	}

 	rootCmd.PersistentFlags().StringSlice(config.SetCommandName, []string{}, fmt.Sprintf("Override values using --%s", config.SetCommandName))
-	rootCmd.PersistentFlags().String(config.ConfigFilePathCommandName, defaultConfig.ConfigFilePath, fmt.Sprintf("Override config file path using --%s", config.ConfigFilePathCommandName))
-	rootCmd.PersistentFlags().BoolP(config.DebugFlag, "d", false, "Enable debug mode.")
+	rootCmd.PersistentFlags().BoolP(config.DebugFlag, "d", false, "Enable debug mode")
+	rootCmd.PersistentFlags().String(config.ConfigPathFlag, "", fmt.Sprintf("Set the config path, default: %s", config.GetConfigFilePath(nil)))
 }

 // Execute adds all child commands to the root command and sets flags appropriately.
--- a/cmd/scripts.go
+++ b/cmd/scripts.go
@@ -0,0 +1,383 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/creasty/defaults"
+	"github.com/fsnotify/fsnotify"
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/config/configStructs"
+	"github.com/kubeshark/kubeshark/kubernetes"
+	"github.com/kubeshark/kubeshark/misc"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+var scriptsCmd = &cobra.Command{
+	Use:   "scripts",
+	Short: "Watch the `scripting.source` and/or `scripting.sources` folders for changes and update the scripts",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		runScripts()
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(scriptsCmd)
+
+	defaultTapConfig := configStructs.TapConfig{}
+	if err := defaults.Set(&defaultTapConfig); err != nil {
+		log.Debug().Err(err).Send()
+	}
+
+	scriptsCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.Port, "Provide a custom port for the Kubeshark")
+	scriptsCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the Kubeshark")
+	scriptsCmd.Flags().StringP(configStructs.ReleaseNamespaceLabel, "s", defaultTapConfig.Release.Namespace, "Release namespace of Kubeshark")
+}
+
+func runScripts() {
+	if config.Config.Scripting.Source == "" && len(config.Config.Scripting.Sources) == 0 {
+		log.Error().Msg("Both `scripting.source` and `scripting.sources` fields are empty.")
+		return
+	}
+
+	kubernetesProvider, err := getKubernetesProviderForCli(false, false)
+	if err != nil {
+		log.Error().Err(err).Send()
+		return
+	}
+
+	var wg sync.WaitGroup
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, os.Interrupt)
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		watchConfigMap(ctx, kubernetesProvider)
+	}()
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		watchScripts(ctx, kubernetesProvider, true)
+	}()
+
+	go func() {
+		<-signalChan
+		log.Debug().Msg("Received interrupt, stopping watchers.")
+		cancel()
+	}()
+
+	wg.Wait()
+
+}
+
+func createScript(provider *kubernetes.Provider, script misc.ConfigMapScript) (index int64, err error) {
+	const maxRetries = 5
+	var scripts map[int64]misc.ConfigMapScript
+
+	for i := 0; i < maxRetries; i++ {
+		scripts, err = kubernetes.ConfigGetScripts(provider)
+		if err != nil {
+			return
+		}
+		script.Active = kubernetes.IsActiveScript(provider, script.Title)
+		index = 0
+		if script.Title != "New Script" {
+			for i, v := range scripts {
+				if index <= i {
+					index = i + 1
+				}
+				if v.Title == script.Title {
+					index = int64(i)
+				}
+			}
+		}
+		scripts[index] = script
+
+		log.Info().Str("title", script.Title).Bool("Active", script.Active).Int64("Index", index).Msg("Creating script")
+		var data []byte
+		data, err = json.Marshal(scripts)
+		if err != nil {
+			return
+		}
+
+		_, err = kubernetes.SetConfig(provider, kubernetes.CONFIG_SCRIPTING_SCRIPTS, string(data))
+		if err == nil {
+			return index, nil
+		}
+
+		if k8serrors.IsConflict(err) {
+			log.Debug().Err(err).Msg("Conflict detected, retrying update...")
+			time.Sleep(500 * time.Millisecond)
+			continue
+		}
+
+		return 0, err
+	}
+
+	log.Error().Msg("Max retries reached for creating script due to conflicts.")
+	return 0, errors.New("max retries reached due to conflicts while creating script")
+}
+
+func updateScript(provider *kubernetes.Provider, index int64, script misc.ConfigMapScript) (err error) {
+	var scripts map[int64]misc.ConfigMapScript
+	scripts, err = kubernetes.ConfigGetScripts(provider)
+	if err != nil {
+		return
+	}
+	script.Active = kubernetes.IsActiveScript(provider, script.Title)
+	scripts[index] = script
+
+	var data []byte
+	data, err = json.Marshal(scripts)
+	if err != nil {
+		return
+	}
+
+	_, err = kubernetes.SetConfig(provider, kubernetes.CONFIG_SCRIPTING_SCRIPTS, string(data))
+	if err != nil {
+		return
+	}
+
+	return
+}
+
+func deleteScript(provider *kubernetes.Provider, index int64) (err error) {
+	var scripts map[int64]misc.ConfigMapScript
+	scripts, err = kubernetes.ConfigGetScripts(provider)
+	if err != nil {
+		return
+	}
+	err = kubernetes.DeleteActiveScriptByTitle(provider, scripts[index].Title)
+	if err != nil {
+		return
+	}
+	delete(scripts, index)
+
+	var data []byte
+	data, err = json.Marshal(scripts)
+	if err != nil {
+		return
+	}
+
+	_, err = kubernetes.SetConfig(provider, kubernetes.CONFIG_SCRIPTING_SCRIPTS, string(data))
+	if err != nil {
+		return
+	}
+
+	return
+}
+
+func watchScripts(ctx context.Context, provider *kubernetes.Provider, block bool) {
+	files := make(map[string]int64)
+
+	scripts, err := config.Config.Scripting.GetScripts()
+	if err != nil {
+		log.Error().Err(err).Send()
+		return
+	}
+
+	for _, script := range scripts {
+		index, err := createScript(provider, script.ConfigMap())
+		if err != nil {
+			log.Error().Err(err).Send()
+			continue
+		}
+
+		files[script.Path] = index
+	}
+
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		log.Error().Err(err).Send()
+		return
+	}
+	if block {
+		defer watcher.Close()
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, os.Interrupt)
+
+	go func() {
+		<-signalChan
+		log.Debug().Msg("Received interrupt, stopping script watch.")
+		cancel()
+		watcher.Close()
+	}()
+
+	if err := watcher.Add(config.Config.Scripting.Source); err != nil {
+		log.Error().Err(err).Msg("Failed to add scripting source to watcher")
+		return
+	}
+
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				log.Debug().Msg("Script watcher exiting gracefully.")
+				return
+
+			// watch for events
+			case event := <-watcher.Events:
+				if !strings.HasSuffix(event.Name, "js") {
+					log.Info().Str("file", event.Name).Msg("Ignoring file")
+					continue
+				}
+				switch event.Op {
+				case fsnotify.Create:
+					script, err := misc.ReadScriptFile(event.Name)
+					if err != nil {
+						log.Error().Err(err).Send()
+						continue
+					}
+
+					index, err := createScript(provider, script.ConfigMap())
+					if err != nil {
+						log.Error().Err(err).Send()
+						continue
+					}
+
+					files[script.Path] = index
+
+				case fsnotify.Write:
+					index := files[event.Name]
+					script, err := misc.ReadScriptFile(event.Name)
+					if err != nil {
+						log.Error().Err(err).Send()
+						continue
+					}
+
+					err = updateScript(provider, index, script.ConfigMap())
+					if err != nil {
+						log.Error().Err(err).Send()
+						continue
+					}
+
+				case fsnotify.Rename:
+					index := files[event.Name]
+					err := deleteScript(provider, index)
+					if err != nil {
+						log.Error().Err(err).Send()
+						continue
+					}
+
+				default:
+					// pass
+				}
+
+			case err, ok := <-watcher.Errors:
+				if !ok {
+					log.Info().Msg("Watcher errors channel closed.")
+					return
+				}
+				log.Error().Err(err).Msg("Watcher error encountered")
+			}
+		}
+	}()
+
+	if err := watcher.Add(config.Config.Scripting.Source); err != nil {
+		log.Error().Err(err).Send()
+	}
+
+	for _, source := range config.Config.Scripting.Sources {
+		if err := watcher.Add(source); err != nil {
+			log.Error().Err(err).Send()
+		}
+	}
+
+	log.Info().Str("folder", config.Config.Scripting.Source).Interface("folders", config.Config.Scripting.Sources).Msg("Watching scripts against changes:")
+
+	if block {
+		<-ctx.Done()
+	}
+}
+
+func watchConfigMap(ctx context.Context, provider *kubernetes.Provider) {
+	clientset := provider.GetClientSet()
+	configMapName := kubernetes.SELF_RESOURCES_PREFIX + kubernetes.SUFFIX_CONFIG_MAP
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info().Msg("ConfigMap watcher exiting gracefully.")
+			return
+
+		default:
+			watcher, err := clientset.CoreV1().ConfigMaps(config.Config.Tap.Release.Namespace).Watch(context.TODO(), metav1.ListOptions{
+				FieldSelector: "metadata.name=" + configMapName,
+			})
+			if err != nil {
+				log.Warn().Err(err).Msg("ConfigMap not found, retrying in 5 seconds...")
+				time.Sleep(5 * time.Second)
+				continue
+			}
+
+			// Create a goroutine to process events
+			watcherClosed := make(chan struct{})
+			go func() {
+				defer close(watcherClosed)
+				for event := range watcher.ResultChan() {
+					if event.Type == watch.Added {
+						log.Info().Msg("ConfigMap created or modified")
+						runScriptsSync(provider)
+					} else if event.Type == watch.Deleted {
+						log.Warn().Msg("ConfigMap deleted, waiting for recreation...")
+						break
+					}
+				}
+			}()
+
+			// Wait for either context cancellation or watcher completion
+			select {
+			case <-ctx.Done():
+				watcher.Stop()
+				log.Info().Msg("ConfigMap watcher stopping due to context cancellation")
+				return
+			case <-watcherClosed:
+				log.Info().Msg("Watcher closed, restarting...")
+			}
+
+			time.Sleep(5 * time.Second)
+		}
+	}
+}
+
+func runScriptsSync(provider *kubernetes.Provider) {
+	files := make(map[string]int64)
+
+	scripts, err := config.Config.Scripting.GetScripts()
+	if err != nil {
+		log.Error().Err(err).Send()
+		return
+	}
+
+	for _, script := range scripts {
+		index, err := createScript(provider, script.ConfigMap())
+		if err != nil {
+			log.Error().Err(err).Send()
+			continue
+		}
+		files[script.Path] = index
+	}
+	log.Info().Msg("Synchronized scripts with ConfigMap.")
+}
--- a/cmd/tap.go
+++ b/cmd/tap.go
@@ -2,21 +2,18 @@ package cmd

 import (
 	"errors"
-	"fmt"

 	"github.com/creasty/defaults"
 	"github.com/kubeshark/kubeshark/config"
 	"github.com/kubeshark/kubeshark/config/configStructs"
 	"github.com/kubeshark/kubeshark/errormessage"
-	"github.com/kubeshark/kubeshark/misc"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )

 var tapCmd = &cobra.Command{
 	Use:   "tap [POD REGEX]",
-	Short: "Capture the network traffic in your Kubernetes cluster.",
-	Long:  "Capture the network traffic in your Kubernetes cluster.",
+	Short: "Capture the network traffic in your Kubernetes cluster",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		tap()
 		return nil
@@ -44,19 +41,25 @@ func init() {
 		log.Debug().Err(err).Send()
 	}

-	tapCmd.Flags().StringP(configStructs.DockerRegistryLabel, "r", defaultTapConfig.Docker.Registry, "The Docker registry that's hosting the images.")
-	tapCmd.Flags().StringP(configStructs.DockerTagLabel, "t", defaultTapConfig.Docker.Tag, "The tag of the Docker images that are going to be pulled.")
-	tapCmd.Flags().String(configStructs.DockerImagePullPolicy, defaultTapConfig.Docker.ImagePullPolicy, "ImagePullPolicy for the Docker images.")
-	tapCmd.Flags().StringSlice(configStructs.DockerImagePullSecrets, defaultTapConfig.Docker.ImagePullSecrets, "ImagePullSecrets for the Docker images.")
-	tapCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.SrcPort, "Provide a custom port for the front-end proxy/port-forward.")
-	tapCmd.Flags().Uint16(configStructs.ProxyHubPortLabel, defaultTapConfig.Proxy.Hub.SrcPort, "Provide a custom port for the Hub proxy/port-forward.")
-	tapCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the proxy/port-forward.")
-	tapCmd.Flags().StringSliceP(configStructs.NamespacesLabel, "n", defaultTapConfig.Namespaces, "Namespaces selector.")
-	tapCmd.Flags().BoolP(configStructs.AllNamespacesLabel, "A", defaultTapConfig.AllNamespaces, "Tap all namespaces.")
-	tapCmd.Flags().String(configStructs.StorageLimitLabel, defaultTapConfig.StorageLimit, "Override the default storage limit. (per node)")
-	tapCmd.Flags().Bool(configStructs.DryRunLabel, defaultTapConfig.DryRun, "Preview of all pods matching the regex, without tapping them.")
-	tapCmd.Flags().StringP(configStructs.PcapLabel, "p", defaultTapConfig.Pcap, fmt.Sprintf("Capture from a PCAP snapshot of %s (.tar.gz) using your Docker Daemon instead of Kubernetes.", misc.Software))
-	tapCmd.Flags().Bool(configStructs.ServiceMeshLabel, defaultTapConfig.ServiceMesh, "Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS.")
-	tapCmd.Flags().Bool(configStructs.TlsLabel, defaultTapConfig.Tls, "Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries.")
-	tapCmd.Flags().Bool(configStructs.DebugLabel, defaultTapConfig.Debug, "Enable the debug mode.")
+	tapCmd.Flags().StringP(configStructs.DockerRegistryLabel, "r", defaultTapConfig.Docker.Registry, "The Docker registry that's hosting the images")
+	tapCmd.Flags().StringP(configStructs.DockerTagLabel, "t", defaultTapConfig.Docker.Tag, "The tag of the Docker images that are going to be pulled")
+	tapCmd.Flags().String(configStructs.DockerImagePullPolicy, defaultTapConfig.Docker.ImagePullPolicy, "ImagePullPolicy for the Docker images")
+	tapCmd.Flags().StringSlice(configStructs.DockerImagePullSecrets, defaultTapConfig.Docker.ImagePullSecrets, "ImagePullSecrets for the Docker images")
+	tapCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.Port, "Provide a custom port for the proxy/port-forward")
+	tapCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the proxy/port-forward")
+	tapCmd.Flags().StringSliceP(configStructs.NamespacesLabel, "n", defaultTapConfig.Namespaces, "Namespaces selector")
+	tapCmd.Flags().StringSliceP(configStructs.ExcludedNamespacesLabel, "e", defaultTapConfig.ExcludedNamespaces, "Excluded namespaces")
+	tapCmd.Flags().StringP(configStructs.ReleaseNamespaceLabel, "s", defaultTapConfig.Release.Namespace, "Release namespace of Kubeshark")
+	tapCmd.Flags().Bool(configStructs.PersistentStorageLabel, defaultTapConfig.PersistentStorage, "Enable persistent storage (PersistentVolumeClaim)")
+	tapCmd.Flags().Bool(configStructs.PersistentStorageStaticLabel, defaultTapConfig.PersistentStorageStatic, "Persistent storage static provision")
+	tapCmd.Flags().String(configStructs.EfsFileSytemIdAndPathLabel, defaultTapConfig.EfsFileSytemIdAndPath, "EFS file system ID")
+	tapCmd.Flags().String(configStructs.StorageLimitLabel, defaultTapConfig.StorageLimit, "Override the default storage limit (per node)")
+	tapCmd.Flags().String(configStructs.StorageClassLabel, defaultTapConfig.StorageClass, "Override the default storage class of the PersistentVolumeClaim (per node)")
+	tapCmd.Flags().Bool(configStructs.DryRunLabel, defaultTapConfig.DryRun, "Preview of all pods matching the regex, without tapping them")
+	tapCmd.Flags().Bool(configStructs.ServiceMeshLabel, defaultTapConfig.ServiceMesh, "Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS")
+	tapCmd.Flags().Bool(configStructs.TlsLabel, defaultTapConfig.Tls, "Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries")
+	tapCmd.Flags().Bool(configStructs.IngressEnabledLabel, defaultTapConfig.Ingress.Enabled, "Enable Ingress")
+	tapCmd.Flags().Bool(configStructs.TelemetryEnabledLabel, defaultTapConfig.Telemetry.Enabled, "Enable/disable Telemetry")
+	tapCmd.Flags().Bool(configStructs.ResourceGuardEnabledLabel, defaultTapConfig.ResourceGuard.Enabled, "Enable/disable resource guard")
+	tapCmd.Flags().Bool(configStructs.WatchdogEnabled, defaultTapConfig.Watchdog.Enabled, "Enable/disable watchdog")
 }
--- a/cmd/tapPcapRunner.go
+++ b/cmd/tapPcapRunner.go
@@ -1,353 +0,0 @@
-package cmd
-
-import (
-	"bufio"
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"os"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-	"github.com/docker/go-connections/nat"
-	"github.com/kubeshark/kubeshark/config"
-	"github.com/kubeshark/kubeshark/docker"
-	"github.com/kubeshark/kubeshark/internal/connect"
-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/kubeshark/kubeshark/misc"
-	"github.com/kubeshark/kubeshark/utils"
-	"github.com/rs/zerolog/log"
-	v1 "k8s.io/api/core/v1"
-)
-
-func logPullingImage(image string, reader io.ReadCloser) {
-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		text := scanner.Text()
-		var data map[string]interface{}
-		if err := json.Unmarshal([]byte(text), &data); err != nil {
-			log.Error().Err(err).Send()
-			continue
-		}
-
-		var id string
-		if val, ok := data["id"]; ok {
-			id = val.(string)
-		}
-
-		var status string
-		if val, ok := data["status"]; ok {
-			status = val.(string)
-		}
-
-		var progress string
-		if val, ok := data["progress"]; ok {
-			progress = val.(string)
-		}
-
-		e := log.Info()
-		if image != "" {
-			e = e.Str("image", image)
-		}
-
-		if progress != "" {
-			e = e.Str("progress", progress)
-		}
-
-		e.Msg(fmt.Sprintf("[%-12s] %-18s", id, status))
-	}
-}
-
-func pullImages(ctx context.Context, cli *client.Client, imageFront string, imageHub string, imageWorker string) error {
-	readerFront, err := cli.ImagePull(ctx, imageFront, types.ImagePullOptions{})
-	if err != nil {
-		return err
-	}
-	defer readerFront.Close()
-	logPullingImage(imageFront, readerFront)
-
-	readerHub, err := cli.ImagePull(ctx, imageHub, types.ImagePullOptions{})
-	if err != nil {
-		return err
-	}
-	defer readerHub.Close()
-	logPullingImage(imageHub, readerHub)
-
-	readerWorker, err := cli.ImagePull(ctx, imageWorker, types.ImagePullOptions{})
-	if err != nil {
-		return err
-	}
-	defer readerWorker.Close()
-	logPullingImage(imageWorker, readerWorker)
-
-	return nil
-}
-
-func cleanUpOldContainers(
-	ctx context.Context,
-	cli *client.Client,
-	nameFront string,
-	nameHub string,
-	nameWorker string,
-) error {
-	containers, err := cli.ContainerList(ctx, types.ContainerListOptions{})
-	if err != nil {
-		return err
-	}
-
-	for _, container := range containers {
-		f := fmt.Sprintf("/%s", nameFront)
-		h := fmt.Sprintf("/%s", nameHub)
-		w := fmt.Sprintf("/%s", nameWorker)
-		if utils.Contains(container.Names, f) || utils.Contains(container.Names, h) || utils.Contains(container.Names, w) {
-			err = cli.ContainerRemove(ctx, container.ID, types.ContainerRemoveOptions{Force: true})
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-func createAndStartContainers(
-	ctx context.Context,
-	cli *client.Client,
-	imageFront string,
-	imageHub string,
-	imageWorker string,
-	tarReader io.Reader,
-) (
-	respFront container.ContainerCreateCreatedBody,
-	respHub container.ContainerCreateCreatedBody,
-	respWorker container.ContainerCreateCreatedBody,
-	workerIPAddr string,
-	err error,
-) {
-	log.Info().Msg("Creating containers...")
-
-	nameFront := fmt.Sprintf("%s-front", misc.Program)
-	nameHub := fmt.Sprintf("%s-hub", misc.Program)
-	nameWorker := fmt.Sprintf("%s-worker", misc.Program)
-
-	err = cleanUpOldContainers(ctx, cli, nameFront, nameHub, nameWorker)
-	if err != nil {
-		return
-	}
-
-	hostIP := "0.0.0.0"
-
-	hostConfigFront := &container.HostConfig{
-		PortBindings: nat.PortMap{
-			nat.Port(fmt.Sprintf("%d/tcp", config.Config.Tap.Proxy.Front.DstPort)): []nat.PortBinding{
-				{
-					HostIP:   hostIP,
-					HostPort: fmt.Sprintf("%d", config.Config.Tap.Proxy.Front.SrcPort),
-				},
-			},
-		},
-	}
-
-	respFront, err = cli.ContainerCreate(ctx, &container.Config{
-		Image: imageFront,
-		Tty:   false,
-		Env: []string{
-			"REACT_APP_DEFAULT_FILTER= ",
-			"REACT_APP_HUB_HOST= ",
-			fmt.Sprintf("REACT_APP_HUB_PORT=%d", config.Config.Tap.Proxy.Hub.SrcPort),
-		},
-	}, hostConfigFront, nil, nil, nameFront)
-	if err != nil {
-		return
-	}
-
-	hostConfigHub := &container.HostConfig{
-		PortBindings: nat.PortMap{
-			nat.Port(fmt.Sprintf("%d/tcp", config.Config.Tap.Proxy.Hub.DstPort)): []nat.PortBinding{
-				{
-					HostIP:   hostIP,
-					HostPort: fmt.Sprintf("%d", config.Config.Tap.Proxy.Hub.SrcPort),
-				},
-			},
-		},
-	}
-
-	cmdHub := []string{"-port", fmt.Sprintf("%d", config.Config.Tap.Proxy.Hub.DstPort)}
-	if config.DebugMode {
-		cmdHub = append(cmdHub, fmt.Sprintf("-%s", config.DebugFlag))
-	}
-
-	respHub, err = cli.ContainerCreate(ctx, &container.Config{
-		Image:        imageHub,
-		Cmd:          cmdHub,
-		Tty:          false,
-		ExposedPorts: nat.PortSet{nat.Port(fmt.Sprintf("%d/tcp", config.Config.Tap.Proxy.Hub.DstPort)): {}},
-	}, hostConfigHub, nil, nil, nameHub)
-	if err != nil {
-		return
-	}
-
-	cmdWorker := []string{"-f", "./import", "-port", fmt.Sprintf("%d", config.Config.Tap.Proxy.Worker.DstPort)}
-	if config.DebugMode {
-		cmdWorker = append(cmdWorker, fmt.Sprintf("-%s", config.DebugFlag))
-	}
-
-	respWorker, err = cli.ContainerCreate(ctx, &container.Config{
-		Image: imageWorker,
-		Cmd:   cmdWorker,
-		Tty:   false,
-	}, nil, nil, nil, nameWorker)
-	if err != nil {
-		return
-	}
-
-	if err = cli.CopyToContainer(ctx, respWorker.ID, "/app/import", tarReader, types.CopyToContainerOptions{}); err != nil {
-		return
-	}
-
-	log.Info().Msg("Starting containers...")
-
-	if err = cli.ContainerStart(ctx, respFront.ID, types.ContainerStartOptions{}); err != nil {
-		return
-	}
-
-	if err = cli.ContainerStart(ctx, respHub.ID, types.ContainerStartOptions{}); err != nil {
-		return
-	}
-
-	if err = cli.ContainerStart(ctx, respWorker.ID, types.ContainerStartOptions{}); err != nil {
-		return
-	}
-
-	var containerWorker types.ContainerJSON
-	containerWorker, err = cli.ContainerInspect(ctx, respWorker.ID)
-	if err != nil {
-		return
-	}
-
-	workerIPAddr = containerWorker.NetworkSettings.IPAddress
-
-	return
-}
-
-func stopAndRemoveContainers(
-	ctx context.Context,
-	cli *client.Client,
-	respFront container.ContainerCreateCreatedBody,
-	respHub container.ContainerCreateCreatedBody,
-	respWorker container.ContainerCreateCreatedBody,
-) (err error) {
-	log.Warn().Msg("Stopping containers...")
-	err = cli.ContainerStop(ctx, respFront.ID, nil)
-	if err != nil {
-		return
-	}
-	err = cli.ContainerStop(ctx, respHub.ID, nil)
-	if err != nil {
-		return
-	}
-	err = cli.ContainerStop(ctx, respWorker.ID, nil)
-	if err != nil {
-		return
-	}
-
-	log.Warn().Msg("Removing containers...")
-	err = cli.ContainerRemove(ctx, respFront.ID, types.ContainerRemoveOptions{})
-	if err != nil {
-		return
-	}
-	err = cli.ContainerRemove(ctx, respHub.ID, types.ContainerRemoveOptions{})
-	if err != nil {
-		return
-	}
-	err = cli.ContainerRemove(ctx, respWorker.ID, types.ContainerRemoveOptions{})
-	if err != nil {
-		return
-	}
-
-	return
-}
-
-func pcap(tarPath string) {
-	docker.SetRegistry(config.Config.Tap.Docker.Registry)
-	docker.SetTag(config.Config.Tap.Docker.Tag)
-
-	ctx := context.Background()
-	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if err != nil {
-		log.Error().Err(err).Send()
-		return
-	}
-	defer cli.Close()
-
-	imageFront := docker.GetFrontImage()
-	imageHub := docker.GetHubImage()
-	imageWorker := docker.GetWorkerImage()
-
-	err = pullImages(ctx, cli, imageFront, imageHub, imageWorker)
-	if err != nil {
-		log.Error().Err(err).Send()
-		return
-	}
-
-	tarFile, err := os.Open(tarPath)
-	if err != nil {
-		log.Error().Err(err).Send()
-		return
-	}
-	defer tarFile.Close()
-	tarReader := bufio.NewReader(tarFile)
-
-	respFront, respHub, respWorker, workerIPAddr, err := createAndStartContainers(
-		ctx,
-		cli,
-		imageFront,
-		imageHub,
-		imageWorker,
-		tarReader,
-	)
-	if err != nil {
-		log.Error().Err(err).Send()
-		return
-	}
-
-	workerPod := &v1.Pod{
-		Spec: v1.PodSpec{
-			NodeName: "docker",
-		},
-		Status: v1.PodStatus{
-			PodIP: workerIPAddr,
-			Phase: v1.PodRunning,
-			ContainerStatuses: []v1.ContainerStatus{
-				{
-					Ready: true,
-				},
-			},
-		},
-	}
-
-	connector = connect.NewConnector(kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Hub.SrcPort), connect.DefaultRetries, connect.DefaultTimeout)
-	connector.PostWorkerPodToHub(workerPod)
-
-	log.Info().
-		Str("url", kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Hub.SrcPort)).
-		Msg(fmt.Sprintf(utils.Green, "Hub is available at:"))
-
-	url := kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Front.SrcPort)
-	log.Info().Str("url", url).Msg(fmt.Sprintf(utils.Green, fmt.Sprintf("%s is available at:", misc.Software)))
-
-	if !config.Config.HeadlessMode {
-		utils.OpenBrowser(url)
-	}
-
-	ctxC, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	utils.WaitForTermination(ctxC, cancel)
-
-	err = stopAndRemoveContainers(ctx, cli, respFront, respHub, respWorker)
-	if err != nil {
-		log.Error().Err(err).Send()
-	}
-}
--- a/cmd/tapRunner.go
+++ b/cmd/tapRunner.go
@@ -2,20 +2,19 @@ package cmd

 import (
 	"context"
-	"errors"
+	"encoding/json"
 	"fmt"
+	"os"
 	"regexp"
+	"strings"
+	"sync"
 	"time"

-	"github.com/kubeshark/kubeshark/docker"
-	"github.com/kubeshark/kubeshark/internal/connect"
+	"github.com/kubeshark/kubeshark/kubernetes/helm"
 	"github.com/kubeshark/kubeshark/misc"
-	"github.com/kubeshark/kubeshark/resources"
 	"github.com/kubeshark/kubeshark/utils"

 	core "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/kubeshark/kubeshark/config"
 	"github.com/kubeshark/kubeshark/config/configStructs"
@@ -27,49 +26,45 @@ import (
 const cleanupTimeout = time.Minute

 type tapState struct {
-	startTime                time.Time
-	targetNamespaces         []string
-	selfServiceAccountExists bool
+	startTime        time.Time
+	targetNamespaces []string
 }

 var state tapState
-var connector *connect.Connector
-var hubPodReady bool
-var frontPodReady bool
-var proxyDone bool
+
+type Readiness struct {
+	Hub   bool
+	Front bool
+	Proxy bool
+	sync.Mutex
+}
+
+var ready *Readiness

 func tap() {
+	ready = &Readiness{}
 	state.startTime = time.Now()
-	docker.SetRegistry(config.Config.Tap.Docker.Registry)
-	docker.SetTag(config.Config.Tap.Docker.Tag)
-	log.Info().Str("registry", docker.GetRegistry()).Str("tag", docker.GetTag()).Msg("Using Docker:")
-	if config.Config.Tap.Pcap != "" {
-		pcap(config.Config.Tap.Pcap)
-		return
-	}
+	log.Info().Str("registry", config.Config.Tap.Docker.Registry).Str("tag", config.Config.Tap.Docker.Tag).Msg("Using Docker:")

 	log.Info().
 		Str("limit", config.Config.Tap.StorageLimit).
-		Msg(fmt.Sprintf("%s will store the traffic up to a limit (per node). Oldest TCP streams will be removed once the limit is reached.", misc.Software))
+		Msg(fmt.Sprintf("%s will store the traffic up to a limit (per node). Oldest TCP/UDP streams will be removed once the limit is reached.", misc.Software))

-	connector = connect.NewConnector(kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Hub.SrcPort), connect.DefaultRetries, connect.DefaultTimeout)
-
-	kubernetesProvider, err := getKubernetesProviderForCli()
+	kubernetesProvider, err := getKubernetesProviderForCli(false, false)
 	if err != nil {
+		log.Error().Err(err).Send()
 		return
 	}

 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel() // cancel will be called when this function exits

-	state.targetNamespaces = getNamespaces(kubernetesProvider)
+	state.targetNamespaces = kubernetesProvider.GetNamespaces()

-	if config.Config.IsNsRestrictedMode() {
-		if len(state.targetNamespaces) != 1 || !utils.Contains(state.targetNamespaces, config.Config.SelfNamespace) {
-			log.Error().Msg(fmt.Sprintf("%s can't resolve IPs in other namespaces when running in namespace restricted mode. You can use the same namespace for --%s and --%s", misc.Software, configStructs.NamespacesLabel, config.SelfNamespaceConfigName))
-			return
-		}
-	}
+	log.Info().
+		Bool("enabled", config.Config.Tap.Telemetry.Enabled).
+		Str("notice", "Telemetry can be disabled by setting the flag: --telemetry-enabled=false").
+		Msg("Telemetry")

 	log.Info().Strs("namespaces", state.targetNamespaces).Msg("Targeting pods in:")

@@ -82,35 +77,47 @@ func tap() {
 	}

 	log.Info().Msg(fmt.Sprintf("Waiting for the creation of %s resources...", misc.Software))
-	if state.selfServiceAccountExists, err = resources.CreateHubResources(ctx, kubernetesProvider, config.Config.IsNsRestrictedMode(), config.Config.SelfNamespace, config.Config.Tap.Resources.Hub, config.Config.ImagePullPolicy(), config.Config.ImagePullSecrets(), config.Config.Tap.Debug); err != nil {
-		var statusError *k8serrors.StatusError
-		if errors.As(err, &statusError) && (statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists) {
-			log.Info().Msg(fmt.Sprintf("%s is already running in this namespace, change the `selfnamespace` configuration or run `%s clean` to remove the currently running %s instance.", misc.Software, misc.Program, misc.Software))
-			connector.PostRegexToHub(config.Config.Tap.PodRegexStr, state.targetNamespaces)
-			log.Info().Msg("Updated the targeted pods. Exiting.")
-		} else {
-			defer resources.CleanUpSelfResources(ctx, cancel, kubernetesProvider, config.Config.IsNsRestrictedMode(), config.Config.SelfNamespace)
-			log.Error().Err(errormessage.FormatError(err)).Msg("Error creating resources!")
-		}

-		return
+	rel, err := helm.NewHelm(
+		config.Config.Tap.Release.Repo,
+		config.Config.Tap.Release.Name,
+		config.Config.Tap.Release.Namespace,
+	).Install()
+	if err != nil {
+		if err.Error() != "cannot re-use a name that is still in use" {
+			log.Error().Err(err).Send()
+			os.Exit(1)
+		}
+		log.Info().Msg("Found an existing installation, skipping Helm install...")
+
+		updateConfig(kubernetesProvider)
+		postFrontStarted(ctx, kubernetesProvider, cancel)
+	} else {
+		log.Info().Msgf("Installed the Helm release: %s", rel.Name)
+
+		go watchHubEvents(ctx, kubernetesProvider, cancel)
+		go watchHubPod(ctx, kubernetesProvider, cancel)
+		go watchFrontPod(ctx, kubernetesProvider, cancel)
 	}

 	defer finishTapExecution(kubernetesProvider)

-	go watchHubEvents(ctx, kubernetesProvider, cancel)
-	go watchHubPod(ctx, kubernetesProvider, cancel)
-	go watchFrontPod(ctx, kubernetesProvider, cancel)
-
 	// block until exit signal or error
 	utils.WaitForTermination(ctx, cancel)
+
+	if !config.Config.Tap.Ingress.Enabled {
+		printProxyCommandSuggestion()
+	}
+}
+
+func printProxyCommandSuggestion() {
 	log.Warn().
 		Str("command", fmt.Sprintf("%s proxy", misc.Program)).
 		Msg(fmt.Sprintf(utils.Yellow, "To re-establish a proxy/port-forward, run:"))
 }

 func finishTapExecution(kubernetesProvider *kubernetes.Provider) {
-	finishSelfExecution(kubernetesProvider, config.Config.IsNsRestrictedMode(), config.Config.SelfNamespace, true)
+	finishSelfExecution(kubernetesProvider)
 }

 /*
@@ -141,9 +148,9 @@ func printNoPodsFoundSuggestion(targetNamespaces []string) {
 }

 func watchHubPod(ctx context.Context, kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
-	podExactRegex := regexp.MustCompile(fmt.Sprintf("^%s$", kubernetes.HubPodName))
+	podExactRegex := regexp.MustCompile(fmt.Sprintf("^%s", kubernetes.HubPodName))
 	podWatchHelper := kubernetes.NewPodWatchHelper(kubernetesProvider, podExactRegex)
-	eventChan, errorChan := kubernetes.FilteredWatch(ctx, podWatchHelper, []string{config.Config.SelfNamespace}, podWatchHelper)
+	eventChan, errorChan := kubernetes.FilteredWatch(ctx, podWatchHelper, []string{config.Config.Tap.Release.Namespace}, podWatchHelper)
 	isPodReady := false

 	timeAfter := time.After(120 * time.Second)
@@ -178,12 +185,23 @@ func watchHubPod(ctx context.Context, kubernetesProvider *kubernetes.Provider, c

 				if modifiedPod.Status.Phase == core.PodRunning && !isPodReady {
 					isPodReady = true
-					hubPodReady = true
-					postHubStarted(ctx, kubernetesProvider, cancel)
+
+					ready.Lock()
+					ready.Hub = true
+					ready.Unlock()
+					log.Info().Str("pod", kubernetes.HubPodName).Msg("Ready.")
 				}

+				ready.Lock()
+				proxyDone := ready.Proxy
+				hubPodReady := ready.Hub
+				frontPodReady := ready.Front
+				ready.Unlock()
+
 				if !proxyDone && hubPodReady && frontPodReady {
-					proxyDone = true
+					ready.Lock()
+					ready.Proxy = true
+					ready.Unlock()
 					postFrontStarted(ctx, kubernetesProvider, cancel)
 				}
 			case kubernetes.EventBookmark:
@@ -199,7 +217,7 @@ func watchHubPod(ctx context.Context, kubernetesProvider *kubernetes.Provider, c

 			log.Error().
 				Str("pod", kubernetes.HubPodName).
-				Str("namespace", config.Config.SelfNamespace).
+				Str("namespace", config.Config.Tap.Release.Namespace).
 				Err(err).
 				Msg("Failed creating pod.")
 			cancel()
@@ -221,9 +239,9 @@ func watchHubPod(ctx context.Context, kubernetesProvider *kubernetes.Provider, c
 }

 func watchFrontPod(ctx context.Context, kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
-	podExactRegex := regexp.MustCompile(fmt.Sprintf("^%s$", kubernetes.FrontPodName))
+	podExactRegex := regexp.MustCompile(fmt.Sprintf("^%s", kubernetes.FrontPodName))
 	podWatchHelper := kubernetes.NewPodWatchHelper(kubernetesProvider, podExactRegex)
-	eventChan, errorChan := kubernetes.FilteredWatch(ctx, podWatchHelper, []string{config.Config.SelfNamespace}, podWatchHelper)
+	eventChan, errorChan := kubernetes.FilteredWatch(ctx, podWatchHelper, []string{config.Config.Tap.Release.Namespace}, podWatchHelper)
 	isPodReady := false

 	timeAfter := time.After(120 * time.Second)
@@ -258,11 +276,22 @@ func watchFrontPod(ctx context.Context, kubernetesProvider *kubernetes.Provider,

 				if modifiedPod.Status.Phase == core.PodRunning && !isPodReady {
 					isPodReady = true
-					frontPodReady = true
+					ready.Lock()
+					ready.Front = true
+					ready.Unlock()
+					log.Info().Str("pod", kubernetes.FrontPodName).Msg("Ready.")
 				}

+				ready.Lock()
+				proxyDone := ready.Proxy
+				hubPodReady := ready.Hub
+				frontPodReady := ready.Front
+				ready.Unlock()
+
 				if !proxyDone && hubPodReady && frontPodReady {
-					proxyDone = true
+					ready.Lock()
+					ready.Proxy = true
+					ready.Unlock()
 					postFrontStarted(ctx, kubernetesProvider, cancel)
 				}
 			case kubernetes.EventBookmark:
@@ -278,10 +307,9 @@ func watchFrontPod(ctx context.Context, kubernetesProvider *kubernetes.Provider,

 			log.Error().
 				Str("pod", kubernetes.FrontPodName).
-				Str("namespace", config.Config.SelfNamespace).
+				Str("namespace", config.Config.Tap.Release.Namespace).
 				Err(err).
 				Msg("Failed creating pod.")
-			cancel()

 		case <-timeAfter:
 			if !isPodReady {
@@ -302,7 +330,7 @@ func watchFrontPod(ctx context.Context, kubernetesProvider *kubernetes.Provider,
 func watchHubEvents(ctx context.Context, kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
 	podExactRegex := regexp.MustCompile(fmt.Sprintf("^%s", kubernetes.HubPodName))
 	eventWatchHelper := kubernetes.NewEventWatchHelper(kubernetesProvider, podExactRegex, "pod")
-	eventChan, errorChan := kubernetes.FilteredWatch(ctx, eventWatchHelper, []string{config.Config.SelfNamespace}, eventWatchHelper)
+	eventChan, errorChan := kubernetes.FilteredWatch(ctx, eventWatchHelper, []string{config.Config.Tap.Release.Namespace}, eventWatchHelper)
 	for {
 		select {
 		case wEvent, ok := <-eventChan:
@@ -368,40 +396,6 @@ func watchHubEvents(ctx context.Context, kubernetesProvider *kubernetes.Provider
 	}
 }

-func postHubStarted(ctx context.Context, kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
-	startProxyReportErrorIfAny(
-		kubernetesProvider,
-		ctx,
-		kubernetes.HubServiceName,
-		kubernetes.HubPodName,
-		configStructs.ProxyHubPortLabel,
-		config.Config.Tap.Proxy.Hub.SrcPort,
-		config.Config.Tap.Proxy.Hub.DstPort,
-		"/echo",
-	)
-
-	err := kubernetes.CreateWorkers(
-		kubernetesProvider,
-		state.selfServiceAccountExists,
-		ctx,
-		config.Config.SelfNamespace,
-		config.Config.Tap.Resources.Worker,
-		config.Config.ImagePullPolicy(),
-		config.Config.ImagePullSecrets(),
-		config.Config.Tap.ServiceMesh,
-		config.Config.Tap.Tls,
-		config.Config.Tap.Debug,
-	)
-	if err != nil {
-		log.Error().Err(err).Send()
-	}
-
-	connector.PostRegexToHub(config.Config.Tap.PodRegexStr, state.targetNamespaces)
-
-	url := kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Hub.SrcPort)
-	log.Info().Str("url", url).Msg(fmt.Sprintf(utils.Green, "Hub is available at:"))
-}
-
 func postFrontStarted(ctx context.Context, kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
 	startProxyReportErrorIfAny(
 		kubernetesProvider,
@@ -409,29 +403,67 @@ func postFrontStarted(ctx context.Context, kubernetesProvider *kubernetes.Provid
 		kubernetes.FrontServiceName,
 		kubernetes.FrontPodName,
 		configStructs.ProxyFrontPortLabel,
-		config.Config.Tap.Proxy.Front.SrcPort,
-		config.Config.Tap.Proxy.Front.DstPort,
+		config.Config.Tap.Proxy.Front.Port,
+		configStructs.ContainerPort,
 		"",
 	)

-	url := kubernetes.GetLocalhostOnPort(config.Config.Tap.Proxy.Front.SrcPort)
+	var url string
+	if config.Config.Tap.Ingress.Enabled {
+		url = fmt.Sprintf("http://%s", config.Config.Tap.Ingress.Host)
+	} else {
+		url = kubernetes.GetProxyOnPort(config.Config.Tap.Proxy.Front.Port)
+	}
 	log.Info().Str("url", url).Msg(fmt.Sprintf(utils.Green, fmt.Sprintf("%s is available at:", misc.Software)))

 	if !config.Config.HeadlessMode {
 		utils.OpenBrowser(url)
 	}
-}

-func getNamespaces(kubernetesProvider *kubernetes.Provider) []string {
-	if config.Config.Tap.AllNamespaces {
-		return []string{kubernetes.K8sAllNamespaces}
-	} else if len(config.Config.Tap.Namespaces) > 0 {
-		return utils.Unique(config.Config.Tap.Namespaces)
-	} else {
-		currentNamespace, err := kubernetesProvider.CurrentNamespace()
-		if err != nil {
-			log.Fatal().Err(err).Msg("Error getting current namespace!")
-		}
-		return []string{currentNamespace}
+	for !ready.Hub {
+		time.Sleep(100 * time.Millisecond)
+	}
+
+
+	if (config.Config.Scripting.Source != "" || len(config.Config.Scripting.Sources) > 0) && config.Config.Scripting.WatchScripts {
+		watchScripts(ctx, kubernetesProvider, false)
+	}
+
+	if config.Config.Scripting.Console {
+		go runConsoleWithoutProxy()
 	}
 }
+
+func updateConfig(kubernetesProvider *kubernetes.Provider) {
+	_, _ = kubernetes.SetSecret(kubernetesProvider, kubernetes.SECRET_LICENSE, config.Config.License)
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_POD_REGEX, config.Config.Tap.PodRegexStr)
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_NAMESPACES, strings.Join(config.Config.Tap.Namespaces, ","))
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_EXCLUDED_NAMESPACES, strings.Join(config.Config.Tap.ExcludedNamespaces, ","))
+
+	data, err := json.Marshal(config.Config.Scripting.Env)
+	if err != nil {
+		log.Error().Str("config", kubernetes.CONFIG_SCRIPTING_ENV).Err(err).Send()
+		return
+	} else {
+		_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_SCRIPTING_ENV, string(data))
+	}
+
+	ingressEnabled := ""
+	if config.Config.Tap.Ingress.Enabled {
+		ingressEnabled = "true"
+	}
+
+	authEnabled := ""
+	if config.Config.Tap.Auth.Enabled {
+		authEnabled = "true"
+	}
+
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_INGRESS_ENABLED, ingressEnabled)
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_INGRESS_HOST, config.Config.Tap.Ingress.Host)
+
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_PROXY_FRONT_PORT, fmt.Sprint(config.Config.Tap.Proxy.Front.Port))
+
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_ENABLED, authEnabled)
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_TYPE, config.Config.Tap.Auth.Type)
+	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_SAML_IDP_METADATA_URL, config.Config.Tap.Auth.Saml.IdpMetadataUrl)
+}
--- a/config/config.go
+++ b/config/config.go
@@ -5,18 +5,21 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path"
+	"path/filepath"
 	"reflect"
 	"strconv"
 	"strings"

 	"github.com/creasty/defaults"
+	"github.com/goccy/go-yaml"
+	"github.com/kubeshark/kubeshark/misc"
 	"github.com/kubeshark/kubeshark/misc/version"
 	"github.com/kubeshark/kubeshark/utils"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"gopkg.in/yaml.v3"
 )

 const (
@@ -25,19 +28,21 @@ const (
 	FieldNameTag   = "yaml"
 	ReadonlyTag    = "readonly"
 	DebugFlag      = "debug"
+	ConfigPathFlag = "config-path"
 )

 var (
-	Config    ConfigStruct
-	DebugMode bool
-	cmdName   string
+	Config         ConfigStruct
+	DebugMode      bool
+	cmdName        string
+	ConfigFilePath string
 )

 func InitConfig(cmd *cobra.Command) error {
 	var err error
 	DebugMode, err = cmd.Flags().GetBool(DebugFlag)
 	if err != nil {
-		log.Error().Err(err).Msg(fmt.Sprintf("Can't recieve '%s' flag", DebugFlag))
+		log.Error().Err(err).Msg(fmt.Sprintf("Can't receive '%s' flag", DebugFlag))
 	}

 	if DebugMode {
@@ -48,21 +53,45 @@ func InitConfig(cmd *cobra.Command) error {
 		return nil
 	}

-	go version.CheckNewerVersion()
+	if !utils.Contains([]string{
+		"console",
+		"pro",
+		"manifests",
+		"license",
+		"mcp",
+	}, cmd.Use) {
+		go version.CheckNewerVersion()
+	}

 	Config = CreateDefaultConfig()
+	Config.Tap.Debug = DebugMode
+	if DebugMode {
+		Config.LogLevel = "debug"
+	}
 	cmdName = cmd.Name()
+	if utils.Contains([]string{
+		"clean",
+		"console",
+		"pro",
+		"proxy",
+		"scripts",
+		"pprof",
+	}, cmdName) {
+		cmdName = "tap"
+	}

 	if err := defaults.Set(&Config); err != nil {
 		return err
 	}

-	configFilePathFlag := cmd.Flags().Lookup(ConfigFilePathCommandName)
-	configFilePath := configFilePathFlag.Value.String()
-	if err := loadConfigFile(configFilePath, &Config); err != nil {
-		if configFilePathFlag.Changed || !os.IsNotExist(err) {
+	ConfigFilePath = GetConfigFilePath(cmd)
+	if err := loadConfigFile(&Config, utils.Contains([]string{
+		"manifests",
+		"license",
+	}, cmd.Use)); err != nil {
+		if !os.IsNotExist(err) {
 			return fmt.Errorf("invalid config, %w\n"+
-				"you can regenerate the file by removing it (%v) and using `kubeshark config -r`", err, configFilePath)
+				"you can regenerate the file by removing it (%v) and using `kubeshark config -r`", err, ConfigFilePath)
 		}
 	}

@@ -92,29 +121,74 @@ func WriteConfig(config *ConfigStruct) error {
 	}

 	data := []byte(template)
-	if err := os.WriteFile(Config.ConfigFilePath, data, 0644); err != nil {
+
+	if _, err := os.Stat(ConfigFilePath); os.IsNotExist(err) {
+		err = os.MkdirAll(filepath.Dir(ConfigFilePath), 0700)
+		if err != nil {
+			return fmt.Errorf("failed creating directories, err: %v", err)
+		}
+	}
+
+	if err := os.WriteFile(ConfigFilePath, data, 0644); err != nil {
 		return fmt.Errorf("failed writing config, err: %v", err)
 	}

 	return nil
 }

-func loadConfigFile(configFilePath string, config *ConfigStruct) error {
-	reader, openErr := os.Open(configFilePath)
-	if openErr != nil {
-		return openErr
+func GetConfigFilePath(cmd *cobra.Command) string {
+	defaultConfigPath := path.Join(misc.GetDotFolderPath(), "config.yaml")
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		return defaultConfigPath
 	}

-	buf, readErr := io.ReadAll(reader)
-	if readErr != nil {
-		return readErr
+	if cmd != nil {
+		configPathOverride, err := cmd.Flags().GetString(ConfigPathFlag)
+		if err == nil {
+			if configPathOverride != "" {
+				resolvedConfigPath, err := filepath.Abs(configPathOverride)
+				if err != nil {
+					log.Error().Err(err).Msg("--config-path flag path cannot be resolved")
+				} else {
+					return resolvedConfigPath
+				}
+			}
+		} else {
+			log.Error().Err(err).Msg("--config-path flag parser error")
+		}
+	}
+
+	cwdConfig := filepath.Join(cwd, fmt.Sprintf("%s.yaml", misc.Program))
+	reader, err := os.Open(cwdConfig)
+	if err != nil {
+		return defaultConfigPath
+	} else {
+		reader.Close()
+		return cwdConfig
+	}
+}
+
+func loadConfigFile(config *ConfigStruct, silent bool) error {
+	reader, err := os.Open(ConfigFilePath)
+	if err != nil {
+		return err
+	}
+	defer reader.Close()
+
+	buf, err := io.ReadAll(reader)
+	if err != nil {
+		return err
 	}

 	if err := yaml.Unmarshal(buf, config); err != nil {
 		return err
 	}

-	log.Info().Str("path", configFilePath).Msg("Found config file!")
+	if !silent {
+		log.Info().Str("path", ConfigFilePath).Msg("Found config file!")
+	}

 	return nil
 }
@@ -123,15 +197,18 @@ func initFlag(f *pflag.Flag) {
 	configElemValue := reflect.ValueOf(&Config).Elem()

 	var flagPath []string
-	if !utils.Contains([]string{ConfigFilePathCommandName}, f.Name) {
-		flagPath = append(flagPath, cmdName)
-	}
+	flagPath = append(flagPath, cmdName)

 	flagPath = append(flagPath, strings.Split(f.Name, "-")...)

+	flagPathJoined := strings.Join(flagPath, ".")
+	if strings.HasSuffix(flagPathJoined, ".config.path") {
+		return
+	}
+
 	sliceValue, isSliceValue := f.Value.(pflag.SliceValue)
 	if !isSliceValue {
-		if err := mergeFlagValue(configElemValue, flagPath, strings.Join(flagPath, "."), f.Value.String()); err != nil {
+		if err := mergeFlagValue(configElemValue, flagPath, flagPathJoined, f.Value.String()); err != nil {
 			log.Warn().Err(err).Send()
 		}
 		return
@@ -144,7 +221,7 @@ func initFlag(f *pflag.Flag) {
 		return
 	}

-	if err := mergeFlagValues(configElemValue, flagPath, strings.Join(flagPath, "."), sliceValue.GetSlice()); err != nil {
+	if err := mergeFlagValues(configElemValue, flagPath, flagPathJoined, sliceValue.GetSlice()); err != nil {
 		log.Warn().Err(err).Send()
 	}
 }
@@ -180,7 +257,7 @@ func mergeSetFlag(configElemValue reflect.Value, setValues []string) error {
 	}

 	if len(setErrors) > 0 {
-		return fmt.Errorf(strings.Join(setErrors, "\n"))
+		return errors.New(strings.Join(setErrors, "\n"))
 	}

 	return nil
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -2,43 +2,196 @@ package config

 import (
 	"os"
-	"path"
 	"path/filepath"

 	"github.com/kubeshark/kubeshark/config/configStructs"
-	"github.com/kubeshark/kubeshark/misc"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/util/homedir"
 )

 const (
-	SelfNamespaceConfigName   = "selfnamespace"
-	ConfigFilePathCommandName = "configpath"
-	KubeConfigPathConfigName  = "kube-configpath"
+	KubeConfigPathConfigName = "kube-configPath"
 )

 func CreateDefaultConfig() ConfigStruct {
-	return ConfigStruct{}
+	return ConfigStruct{
+		Tap: configStructs.TapConfig{
+			NodeSelectorTerms: configStructs.NodeSelectorTermsConfig{
+				Workers: []v1.NodeSelectorTerm{
+					{
+						MatchExpressions: []v1.NodeSelectorRequirement{
+							{
+								Key:      "kubernetes.io/os",
+								Operator: v1.NodeSelectorOpIn,
+								Values:   []string{"linux"},
+							},
+						},
+					},
+				},
+				Hub: []v1.NodeSelectorTerm{
+					{
+						MatchExpressions: []v1.NodeSelectorRequirement{
+							{
+								Key:      "kubernetes.io/os",
+								Operator: v1.NodeSelectorOpIn,
+								Values:   []string{"linux"},
+							},
+						},
+					},
+				},
+				Front: []v1.NodeSelectorTerm{
+					{
+						MatchExpressions: []v1.NodeSelectorRequirement{
+							{
+								Key:      "kubernetes.io/os",
+								Operator: v1.NodeSelectorOpIn,
+								Values:   []string{"linux"},
+							},
+						},
+					},
+				},
+				Dex: []v1.NodeSelectorTerm{
+					{
+						MatchExpressions: []v1.NodeSelectorRequirement{
+							{
+								Key:      "kubernetes.io/os",
+								Operator: v1.NodeSelectorOpIn,
+								Values:   []string{"linux"},
+							},
+						},
+					},
+				},
+			},
+			Tolerations: configStructs.TolerationsConfig{
+				Workers: []v1.Toleration{
+					{
+						Effect:   v1.TaintEffect("NoExecute"),
+						Operator: v1.TolerationOpExists,
+					},
+				},
+			},
+			SecurityContext: configStructs.SecurityContextConfig{
+				Privileged: true,
+				// Capabilities used only when running in unprivileged mode
+				Capabilities: configStructs.CapabilitiesConfig{
+					NetworkCapture: []string{
+						// NET_RAW is required to listen the network traffic
+						"NET_RAW",
+						// NET_ADMIN is required to listen the network traffic
+						"NET_ADMIN",
+					},
+					ServiceMeshCapture: []string{
+						// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+						"SYS_ADMIN",
+						// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+						"SYS_PTRACE",
+						// DAC_OVERRIDE is required to read /proc/PID/environ
+						"DAC_OVERRIDE",
+					},
+					EBPFCapture: []string{
+						// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+						"SYS_ADMIN",
+						// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+						"SYS_PTRACE",
+						// SYS_RESOURCE is required to change rlimits for eBPF
+						"SYS_RESOURCE",
+						// IPC_LOCK is required for ebpf perf buffers allocations after some amount of size buffer size:
+						// https://github.com/kubeshark/tracer/blob/13e24725ba8b98216dd0e553262e6d9c56dce5fa/main.go#L82)
+						"IPC_LOCK",
+					},
+				},
+			},
+			Auth: configStructs.AuthConfig{
+				Saml: configStructs.SamlConfig{
+					RoleAttribute: "role",
+					Roles: map[string]configStructs.Role{
+						"admin": {
+							Filter:          "",
+							CanDownloadPCAP: true,
+							CanUseScripting: true,
+							ScriptingPermissions: configStructs.ScriptingPermissions{
+								CanSave:     true,
+								CanActivate: true,
+								CanDelete:   true,
+							},
+							CanUpdateTargetedPods:   true,
+							CanStopTrafficCapturing: true,
+							CanControlDissection:    true,
+							ShowAdminConsoleLink:    true,
+						},
+					},
+				},
+			},
+			EnabledDissectors: []string{
+				"amqp",
+				"dns",
+				"http",
+				"icmp",
+				"kafka",
+				"redis",
+				// "sctp",
+				// "syscall",
+				// "tcp",
+				// "udp",
+				"ws",
+				// "tlsx",
+				"ldap",
+				"radius",
+				"diameter",
+				"udp-flow",
+				"tcp-flow",
+				"udp-conn",
+				"tcp-conn",
+			},
+			PortMapping: configStructs.PortMapping{
+				HTTP:     []uint16{80, 443, 8080},
+				AMQP:     []uint16{5671, 5672},
+				KAFKA:    []uint16{9092},
+				REDIS:    []uint16{6379},
+				LDAP:     []uint16{389},
+				DIAMETER: []uint16{3868},
+			},
+			Dashboard: configStructs.DashboardConfig{
+				CompleteStreamingEnabled: true,
+			},
+			Capture: configStructs.CaptureConfig{
+				Dissection: configStructs.DissectionConfig{
+					Enabled:   true,
+					StopAfter: "5m",
+				},
+			},
+		},
+	}
 }

 type KubeConfig struct {
-	ConfigPathStr string `yaml:"configpath"`
-	Context       string `yaml:"context"`
+	ConfigPathStr string `yaml:"configPath" json:"configPath"`
+	Context       string `yaml:"context" json:"context"`
+}
+
+type ManifestsConfig struct {
+	Dump bool `yaml:"dump" json:"dump"`
 }

 type ConfigStruct struct {
-	Tap            configStructs.TapConfig    `yaml:"tap"`
-	Logs           configStructs.LogsConfig   `yaml:"logs"`
-	Config         configStructs.ConfigConfig `yaml:"config,omitempty"`
-	Kube           KubeConfig                 `yaml:"kube"`
-	SelfNamespace  string                     `yaml:"selfnamespace" default:"kubeshark"`
-	DumpLogs       bool                       `yaml:"dumplogs" default:"false"`
-	ConfigFilePath string                     `yaml:"configpath,omitempty" readonly:""`
-	HeadlessMode   bool                       `yaml:"headless" default:"false"`
-}
-
-func (config *ConfigStruct) SetDefaults() {
-	config.ConfigFilePath = path.Join(misc.GetDotFolderPath(), "config.yaml")
+	Tap                  configStructs.TapConfig       `yaml:"tap" json:"tap"`
+	Logs                 configStructs.LogsConfig      `yaml:"logs" json:"logs"`
+	Config               configStructs.ConfigConfig    `yaml:"config,omitempty" json:"config,omitempty"`
+	PcapDump             configStructs.PcapDumpConfig  `yaml:"pcapdump" json:"pcapdump"`
+	Kube                 KubeConfig                    `yaml:"kube" json:"kube"`
+	DumpLogs             bool                          `yaml:"dumpLogs" json:"dumpLogs" default:"false"`
+	HeadlessMode         bool                          `yaml:"headless" json:"headless" default:"false"`
+	License              string                        `yaml:"license" json:"license" default:""`
+	CloudApiUrl          string                        `yaml:"cloudApiUrl" json:"cloudApiUrl" default:"https://api.kubeshark.com"`
+	CloudLicenseEnabled  bool                          `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"`
+	DemoModeEnabled      bool                          `yaml:"demoModeEnabled" json:"demoModeEnabled" default:"false"`
+	SupportChatEnabled   bool                          `yaml:"supportChatEnabled" json:"supportChatEnabled" default:"false"`
+	BetaEnabled          bool                          `yaml:"betaEnabled" json:"betaEnabled" default:"false"`
+	InternetConnectivity bool                          `yaml:"internetConnectivity" json:"internetConnectivity" default:"true"`
+	Scripting            configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
+	Manifests            ManifestsConfig               `yaml:"manifests,omitempty" json:"manifests,omitempty"`
+	Timezone             string                        `yaml:"timezone" json:"timezone"`
+	LogLevel             string                        `yaml:"logLevel" json:"logLevel" default:"warning"`
 }

 func (config *ConfigStruct) ImagePullPolicy() v1.PullPolicy {
@@ -54,10 +207,6 @@ func (config *ConfigStruct) ImagePullSecrets() []v1.LocalObjectReference {
 	return ref
 }

-func (config *ConfigStruct) IsNsRestrictedMode() bool {
-	return config.SelfNamespace != misc.Program // Notice "kubeshark" string must match the default SelfNamespace
-}
-
 func (config *ConfigStruct) KubeConfigPath() string {
 	if config.Kube.ConfigPathStr != "" {
 		return config.Kube.ConfigPathStr
--- a/config/configStructs/configConfig.go
+++ b/config/configStructs/configConfig.go
@@ -5,5 +5,5 @@ const (
 )

 type ConfigConfig struct {
-	Regenerate bool `yaml:"regenerate,omitempty" default:"false" readonly:""`
+	Regenerate bool `yaml:"regenerate,omitempty" json:"regenerate,omitempty" default:"false" readonly:""`
 }
--- a/config/configStructs/logsConfig.go
+++ b/config/configStructs/logsConfig.go
@@ -10,10 +10,12 @@ import (

 const (
 	FileLogsName = "file"
+	GrepLogsName = "grep"
 )

 type LogsConfig struct {
-	FileStr string `yaml:"file"`
+	FileStr string `yaml:"file" json:"file"`
+	Grep    string `yaml:"grep" json:"grep"`
 }

 func (config *LogsConfig) Validate() error {
--- a/config/configStructs/scriptingConfig.go
+++ b/config/configStructs/scriptingConfig.go
@@ -0,0 +1,93 @@
+package configStructs
+
+import (
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/kubeshark/kubeshark/misc"
+	"github.com/rs/zerolog/log"
+)
+
+type ScriptingConfig struct {
+	Enabled      bool                   `yaml:"enabled" json:"enabled" default:"false"`
+	Env          map[string]interface{} `yaml:"env" json:"env" default:"{}"`
+	Source       string                 `yaml:"source" json:"source" default:""`
+	Sources      []string               `yaml:"sources" json:"sources" default:"[]"`
+	WatchScripts bool                   `yaml:"watchScripts" json:"watchScripts" default:"true"`
+	Active       []string               `yaml:"active" json:"active" default:"[]"`
+	Console      bool                   `yaml:"console" json:"console" default:"true"`
+}
+
+func (config *ScriptingConfig) GetScripts() (scripts []*misc.Script, err error) {
+	// Check if both Source and Sources are empty
+	if config.Source == "" && len(config.Sources) == 0 {
+		return nil, nil
+	}
+
+	var allFiles []struct {
+		Source string
+		File   fs.DirEntry
+	}
+
+	// Handle single Source directory
+	if config.Source != "" {
+		files, err := os.ReadDir(config.Source)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read directory %s: %v", config.Source, err)
+		}
+		for _, file := range files {
+			allFiles = append(allFiles, struct {
+				Source string
+				File   fs.DirEntry
+			}{Source: config.Source, File: file})
+		}
+	}
+
+	// Handle multiple Sources directories
+	if len(config.Sources) > 0 {
+		for _, source := range config.Sources {
+			files, err := os.ReadDir(source)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read directory %s: %v", source, err)
+			}
+			for _, file := range files {
+				allFiles = append(allFiles, struct {
+					Source string
+					File   fs.DirEntry
+				}{Source: source, File: file})
+			}
+		}
+	}
+
+	// Iterate over all collected files
+	for _, f := range allFiles {
+		if f.File.IsDir() {
+			continue
+		}
+
+		// Construct the full path based on the relevant source directory
+		path := filepath.Join(f.Source, f.File.Name())
+		if !strings.HasSuffix(f.File.Name(), ".js") { // Use file name suffix for skipping non-JS files
+			log.Info().Str("path", path).Msg("Skipping non-JS file")
+			continue
+		}
+
+		// Read the script file
+		var script *misc.Script
+		script, err = misc.ReadScriptFile(path)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read script file %s: %v", path, err)
+		}
+
+		// Append the valid script to the scripts slice
+		scripts = append(scripts, script)
+
+		log.Debug().Str("path", path).Msg("Found script:")
+	}
+
+	// Return the collected scripts and nil error if successful
+	return scripts, nil
+}
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -4,77 +4,385 @@ import (
 	"fmt"
 	"regexp"

-	"github.com/kubeshark/kubeshark/kubernetes"
-	"github.com/kubeshark/kubeshark/utils"
-	"github.com/rs/zerolog/log"
+	v1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
 )

 const (
-	DockerRegistryLabel    = "docker-registry"
-	DockerTagLabel         = "docker-tag"
-	DockerImagePullPolicy  = "docker-imagepullpolicy"
-	DockerImagePullSecrets = "docker-imagepullsecrets"
-	ProxyFrontPortLabel    = "proxy-front-port"
-	ProxyHubPortLabel      = "proxy-hub-port"
-	ProxyHostLabel         = "proxy-host"
-	NamespacesLabel        = "namespaces"
-	AllNamespacesLabel     = "allnamespaces"
-	StorageLimitLabel      = "storagelimit"
-	DryRunLabel            = "dryrun"
-	PcapLabel              = "pcap"
-	ServiceMeshLabel       = "servicemesh"
-	TlsLabel               = "tls"
-	DebugLabel             = "debug"
+	DockerRegistryLabel          = "docker-registry"
+	DockerTagLabel               = "docker-tag"
+	DockerImagePullPolicy        = "docker-imagePullPolicy"
+	DockerImagePullSecrets       = "docker-imagePullSecrets"
+	ProxyFrontPortLabel          = "proxy-front-port"
+	ProxyHubPortLabel            = "proxy-hub-port"
+	ProxyHostLabel               = "proxy-host"
+	NamespacesLabel              = "namespaces"
+	ExcludedNamespacesLabel      = "excludedNamespaces"
+	ReleaseNamespaceLabel        = "release-namespace"
+	PersistentStorageLabel       = "persistentStorage"
+	PersistentStorageStaticLabel = "persistentStorageStatic"
+	EfsFileSytemIdAndPathLabel   = "efsFileSytemIdAndPath"
+	StorageLimitLabel            = "storageLimit"
+	StorageClassLabel            = "storageClass"
+	DryRunLabel                  = "dryRun"
+	PcapLabel                    = "pcap"
+	ServiceMeshLabel             = "serviceMesh"
+	TlsLabel                     = "tls"
+	IgnoreTaintedLabel           = "ignoreTainted"
+	IngressEnabledLabel          = "ingress-enabled"
+	TelemetryEnabledLabel        = "telemetry-enabled"
+	ResourceGuardEnabledLabel    = "resource-guard-enabled"
+	PprofPortLabel               = "pprof-port"
+	PprofViewLabel               = "pprof-view"
+	DebugLabel                   = "debug"
+	ContainerPort                = 8080
+	ContainerPortStr             = "8080"
+	PcapDest                     = "dest"
+	PcapMaxSize                  = "maxSize"
+	PcapMaxTime                  = "maxTime"
+	PcapTimeInterval             = "timeInterval"
+	PcapKubeconfig               = "kubeconfig"
+	PcapDumpEnabled              = "enabled"
+	PcapTime                     = "time"
+	WatchdogEnabled              = "watchdogEnabled"
 )

+type ResourceLimitsHub struct {
+	CPU    string `yaml:"cpu" json:"cpu" default:"0"`
+	Memory string `yaml:"memory" json:"memory" default:"5Gi"`
+}
+
+type ResourceLimitsWorker struct {
+	CPU    string `yaml:"cpu" json:"cpu" default:"0"`
+	Memory string `yaml:"memory" json:"memory" default:"3Gi"`
+}
+
+type ResourceRequests struct {
+	CPU    string `yaml:"cpu" json:"cpu" default:"50m"`
+	Memory string `yaml:"memory" json:"memory" default:"50Mi"`
+}
+
+type ResourceRequirementsHub struct {
+	Limits   ResourceLimitsHub `yaml:"limits" json:"limits"`
+	Requests ResourceRequests  `yaml:"requests" json:"requests"`
+}
+
+type ResourceRequirementsWorker struct {
+	Limits   ResourceLimitsHub `yaml:"limits" json:"limits"`
+	Requests ResourceRequests  `yaml:"requests" json:"requests"`
+}
+
 type WorkerConfig struct {
-	SrcPort uint16 `yaml:"port" default:"8897"`
-	DstPort uint16 `yaml:"srvport" default:"8897"`
+	SrvPort uint16 `yaml:"srvPort" json:"srvPort" default:"48999"`
 }

 type HubConfig struct {
-	SrcPort uint16 `yaml:"port" default:"8898"`
-	DstPort uint16 `yaml:"srvport" default:"80"`
+	SrvPort uint16 `yaml:"srvPort" json:"srvPort" default:"8898"`
 }

 type FrontConfig struct {
-	SrcPort uint16 `yaml:"port" default:"8899"`
-	DstPort uint16 `yaml:"srvport" default:"80"`
+	Port uint16 `yaml:"port" json:"port" default:"8899"`
 }

 type ProxyConfig struct {
-	Worker WorkerConfig `yaml:"worker"`
-	Hub    HubConfig    `yaml:"hub"`
-	Front  FrontConfig  `yaml:"front"`
-	Host   string       `yaml:"host" default:"127.0.0.1"`
+	Worker WorkerConfig `yaml:"worker" json:"worker"`
+	Hub    HubConfig    `yaml:"hub" json:"hub"`
+	Front  FrontConfig  `yaml:"front" json:"front"`
+	Host   string       `yaml:"host" json:"host" default:"127.0.0.1"`
+}
+
+type OverrideImageConfig struct {
+	Worker string `yaml:"worker" json:"worker"`
+	Hub    string `yaml:"hub" json:"hub"`
+	Front  string `yaml:"front" json:"front"`
+}
+type OverrideTagConfig struct {
+	Worker string `yaml:"worker" json:"worker"`
+	Hub    string `yaml:"hub" json:"hub"`
+	Front  string `yaml:"front" json:"front"`
 }

 type DockerConfig struct {
-	Registry         string   `yaml:"registry" default:"docker.io/kubeshark"`
-	Tag              string   `yaml:"tag" default:"latest"`
-	ImagePullPolicy  string   `yaml:"imagepullpolicy" default:"Always"`
-	ImagePullSecrets []string `yaml:"imagepullsecrets"`
+	Registry         string              `yaml:"registry" json:"registry" default:"docker.io/kubeshark"`
+	Tag              string              `yaml:"tag" json:"tag" default:""`
+	TagLocked        bool                `yaml:"tagLocked" json:"tagLocked" default:"true"`
+	ImagePullPolicy  string              `yaml:"imagePullPolicy" json:"imagePullPolicy" default:"Always"`
+	ImagePullSecrets []string            `yaml:"imagePullSecrets" json:"imagePullSecrets"`
+	OverrideImage    OverrideImageConfig `yaml:"overrideImage" json:"overrideImage"`
+	OverrideTag      OverrideTagConfig   `yaml:"overrideTag" json:"overrideTag"`
+}
+
+type DnsConfig struct {
+	Nameservers []string          `yaml:"nameservers" json:"nameservers" default:"[]"`
+	Searches    []string          `yaml:"searches" json:"searches" default:"[]"`
+	Options     []DnsConfigOption `yaml:"options" json:"options" default:"[]"`
+}
+
+type DnsConfigOption struct {
+	Name  string `yaml:"name" json:"name"`
+	Value string `yaml:"value" json:"value"`
 }

 type ResourcesConfig struct {
-	Worker kubernetes.Resources `yaml:"worker"`
-	Hub    kubernetes.Resources `yaml:"hub"`
+	Hub     ResourceRequirementsHub    `yaml:"hub" json:"hub"`
+	Sniffer ResourceRequirementsWorker `yaml:"sniffer" json:"sniffer"`
+	Tracer  ResourceRequirementsWorker `yaml:"tracer" json:"tracer"`
+}
+
+type ProbesConfig struct {
+	Hub     ProbeConfig `yaml:"hub" json:"hub"`
+	Sniffer ProbeConfig `yaml:"sniffer" json:"sniffer"`
+}
+
+type NodeSelectorTermsConfig struct {
+	Hub     []v1.NodeSelectorTerm `yaml:"hub" json:"hub" default:"[]"`
+	Workers []v1.NodeSelectorTerm `yaml:"workers" json:"workers" default:"[]"`
+	Front   []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"`
+	Dex     []v1.NodeSelectorTerm `yaml:"dex" json:"dex" default:"[]"`
+}
+
+type TolerationsConfig struct {
+	Hub     []v1.Toleration `yaml:"hub" json:"hub" default:"[]"`
+	Workers []v1.Toleration `yaml:"workers" json:"workers" default:"[]"`
+	Front   []v1.Toleration `yaml:"front" json:"front" default:"[]"`
+}
+
+type ProbeConfig struct {
+	InitialDelaySeconds int `yaml:"initialDelaySeconds" json:"initialDelaySeconds" default:"5"`
+	PeriodSeconds       int `yaml:"periodSeconds" json:"periodSeconds" default:"5"`
+	SuccessThreshold    int `yaml:"successThreshold" json:"successThreshold" default:"1"`
+	FailureThreshold    int `yaml:"failureThreshold" json:"failureThreshold" default:"3"`
+}
+
+type ScriptingPermissions struct {
+	CanSave     bool `yaml:"canSave" json:"canSave" default:"true"`
+	CanActivate bool `yaml:"canActivate" json:"canActivate" default:"true"`
+	CanDelete   bool `yaml:"canDelete" json:"canDelete" default:"true"`
+}
+
+type Role struct {
+	Filter                  string               `yaml:"filter" json:"filter" default:""`
+	CanDownloadPCAP         bool                 `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
+	CanUseScripting         bool                 `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
+	ScriptingPermissions    ScriptingPermissions `yaml:"scriptingPermissions" json:"scriptingPermissions"`
+	CanUpdateTargetedPods   bool                 `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
+	CanStopTrafficCapturing bool                 `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
+	CanControlDissection    bool                 `yaml:"canControlDissection" json:"canControlDissection" default:"false"`
+	ShowAdminConsoleLink    bool                 `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
+}
+
+type SamlConfig struct {
+	IdpMetadataUrl string          `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
+	X509crt        string          `yaml:"x509crt" json:"x509crt"`
+	X509key        string          `yaml:"x509key" json:"x509key"`
+	RoleAttribute  string          `yaml:"roleAttribute" json:"roleAttribute"`
+	Roles          map[string]Role `yaml:"roles" json:"roles"`
+}
+
+type AuthConfig struct {
+	Enabled bool       `yaml:"enabled" json:"enabled" default:"false"`
+	Type    string     `yaml:"type" json:"type" default:"saml"`
+	Saml    SamlConfig `yaml:"saml" json:"saml"`
+}
+
+type IngressConfig struct {
+	Enabled     bool                    `yaml:"enabled" json:"enabled" default:"false"`
+	ClassName   string                  `yaml:"className" json:"className" default:""`
+	Host        string                  `yaml:"host" json:"host" default:"ks.svc.cluster.local"`
+	Path        string                  `yaml:"path" json:"path" default:"/"`
+	TLS         []networking.IngressTLS `yaml:"tls" json:"tls" default:"[]"`
+	Annotations map[string]string       `yaml:"annotations" json:"annotations" default:"{}"`
+}
+
+type RoutingConfig struct {
+	Front FrontRoutingConfig `yaml:"front" json:"front"`
+}
+
+type DashboardConfig struct {
+	StreamingType            string `yaml:"streamingType" json:"streamingType" default:"connect-rpc"`
+	CompleteStreamingEnabled bool   `yaml:"completeStreamingEnabled" json:"completeStreamingEnabled" default:"true"`
+}
+
+type FrontRoutingConfig struct {
+	BasePath string `yaml:"basePath" json:"basePath" default:""`
+}
+
+type ReleaseConfig struct {
+	Repo      string `yaml:"repo" json:"repo" default:"https://helm.kubeshark.com"`
+	Name      string `yaml:"name" json:"name" default:"kubeshark"`
+	Namespace string `yaml:"namespace" json:"namespace" default:"default"`
+}
+
+type TelemetryConfig struct {
+	Enabled bool `yaml:"enabled" json:"enabled" default:"true"`
+}
+
+type ResourceGuardConfig struct {
+	Enabled bool `yaml:"enabled" json:"enabled" default:"false"`
+}
+
+type SentryConfig struct {
+	Enabled     bool   `yaml:"enabled" json:"enabled" default:"false"`
+	Environment string `yaml:"environment" json:"environment" default:"production"`
+}
+
+type WatchdogConfig struct {
+	Enabled bool `yaml:"enabled" json:"enabled" default:"false"`
+}
+
+type GitopsConfig struct {
+	Enabled bool `yaml:"enabled" json:"enabled" default:"false"`
+}
+
+type CapabilitiesConfig struct {
+	NetworkCapture     []string `yaml:"networkCapture" json:"networkCapture"  default:"[]"`
+	ServiceMeshCapture []string `yaml:"serviceMeshCapture" json:"serviceMeshCapture"  default:"[]"`
+	EBPFCapture        []string `yaml:"ebpfCapture" json:"ebpfCapture"  default:"[]"`
+}
+
+type MetricsConfig struct {
+	Port uint16 `yaml:"port" json:"port" default:"49100"`
+}
+
+type PprofConfig struct {
+	Enabled bool   `yaml:"enabled" json:"enabled" default:"false"`
+	Port    uint16 `yaml:"port" json:"port" default:"8000"`
+	View    string `yaml:"view" json:"view" default:"flamegraph"`
+}
+
+type MiscConfig struct {
+	JsonTTL                     string `yaml:"jsonTTL" json:"jsonTTL" default:"5m"`
+	PcapTTL                     string `yaml:"pcapTTL" json:"pcapTTL" default:"0"`
+	PcapErrorTTL                string `yaml:"pcapErrorTTL" json:"pcapErrorTTL" default:"0"`
+	TrafficSampleRate           int    `yaml:"trafficSampleRate" json:"trafficSampleRate" default:"100"`
+	TcpStreamChannelTimeoutMs   int    `yaml:"tcpStreamChannelTimeoutMs" json:"tcpStreamChannelTimeoutMs" default:"10000"`
+	TcpStreamChannelTimeoutShow bool   `yaml:"tcpStreamChannelTimeoutShow" json:"tcpStreamChannelTimeoutShow" default:"false"`
+	ResolutionStrategy          string `yaml:"resolutionStrategy" json:"resolutionStrategy" default:"auto"`
+	DuplicateTimeframe          string `yaml:"duplicateTimeframe" json:"duplicateTimeframe" default:"200ms"`
+	DetectDuplicates            bool   `yaml:"detectDuplicates" json:"detectDuplicates" default:"false"`
+	StaleTimeoutSeconds         int    `yaml:"staleTimeoutSeconds" json:"staleTimeoutSeconds" default:"30"`
+}
+
+type PcapDumpConfig struct {
+	PcapDumpEnabled  bool   `yaml:"enabled" json:"enabled" default:"false"`
+	PcapTimeInterval string `yaml:"timeInterval" json:"timeInterval" default:"1m"`
+	PcapMaxTime      string `yaml:"maxTime" json:"maxTime" default:"1h"`
+	PcapMaxSize      string `yaml:"maxSize" json:"maxSize" default:"500MB"`
+	PcapTime         string `yaml:"time" json:"time" default:"time"`
+	PcapDebug        bool   `yaml:"debug" json:"debug" default:"false"`
+	PcapDest         string `yaml:"dest" json:"dest" default:""`
+}
+
+type PortMapping struct {
+	HTTP     []uint16 `yaml:"http" json:"http"`
+	AMQP     []uint16 `yaml:"amqp" json:"amqp"`
+	KAFKA    []uint16 `yaml:"kafka" json:"kafka"`
+	REDIS    []uint16 `yaml:"redis" json:"redis"`
+	LDAP     []uint16 `yaml:"ldap" json:"ldap"`
+	DIAMETER []uint16 `yaml:"diameter" json:"diameter"`
+}
+
+type SecurityContextConfig struct {
+	Privileged      bool                  `yaml:"privileged" json:"privileged" default:"true"`
+	AppArmorProfile AppArmorProfileConfig `yaml:"appArmorProfile" json:"appArmorProfile"`
+	SeLinuxOptions  SeLinuxOptionsConfig  `yaml:"seLinuxOptions" json:"seLinuxOptions"`
+	Capabilities    CapabilitiesConfig    `yaml:"capabilities" json:"capabilities"`
+}
+
+type AppArmorProfileConfig struct {
+	Type             string `yaml:"type" json:"type"`
+	LocalhostProfile string `yaml:"localhostProfile" json:"localhostProfile"`
+}
+
+type SeLinuxOptionsConfig struct {
+	Level string `yaml:"level" json:"level"`
+	Role  string `yaml:"role" json:"role"`
+	Type  string `yaml:"type" json:"type"`
+	User  string `yaml:"user" json:"user"`
+}
+
+type RawCaptureConfig struct {
+	Enabled     bool   `yaml:"enabled" json:"enabled" default:"true"`
+	StorageSize string `yaml:"storageSize" json:"storageSize" default:"1Gi"`
+}
+
+type SnapshotsConfig struct {
+	StorageClass string `yaml:"storageClass" json:"storageClass" default:""`
+	StorageSize  string `yaml:"storageSize" json:"storageSize" default:"20Gi"`
+}
+
+type DelayedDissectionConfig struct {
+	Image  string `yaml:"image" json:"image" default:"kubeshark/worker:master"`
+	CPU    string `yaml:"cpu" json:"cpu" default:"1"`
+	Memory string `yaml:"memory" json:"memory" default:"4Gi"`
+}
+
+type DissectionConfig struct {
+	Enabled   bool   `yaml:"enabled" json:"enabled" default:"true"`
+	StopAfter string `yaml:"stopAfter" json:"stopAfter" default:"5m"`
+}
+
+type CaptureConfig struct {
+	Dissection  DissectionConfig `yaml:"dissection" json:"dissection"`
+	CaptureSelf bool             `yaml:"captureSelf" json:"captureSelf" default:"false"`
+	Raw         RawCaptureConfig `yaml:"raw" json:"raw"`
+	DbMaxSize   string           `yaml:"dbMaxSize" json:"dbMaxSize" default:"500Mi"`
 }

 type TapConfig struct {
-	Docker        DockerConfig    `yaml:"docker"`
-	Proxy         ProxyConfig     `yaml:"proxy"`
-	PodRegexStr   string          `yaml:"regex" default:".*"`
-	Namespaces    []string        `yaml:"namespaces"`
-	AllNamespaces bool            `yaml:"allnamespaces" default:"false"`
-	StorageLimit  string          `yaml:"storagelimit" default:"200MB"`
-	DryRun        bool            `yaml:"dryrun" default:"false"`
-	Pcap          string          `yaml:"pcap" default:""`
-	Resources     ResourcesConfig `yaml:"resources"`
-	ServiceMesh   bool            `yaml:"servicemesh" default:"true"`
-	Tls           bool            `yaml:"tls" default:"true"`
-	PacketCapture string          `yaml:"packetcapture" default:"libpcap"`
-	Debug         bool            `yaml:"debug" default:"false"`
+	Docker                         DockerConfig            `yaml:"docker" json:"docker"`
+	Proxy                          ProxyConfig             `yaml:"proxy" json:"proxy"`
+	PodRegexStr                    string                  `yaml:"regex" json:"regex" default:".*"`
+	Namespaces                     []string                `yaml:"namespaces" json:"namespaces" default:"[]"`
+	ExcludedNamespaces             []string                `yaml:"excludedNamespaces" json:"excludedNamespaces" default:"[]"`
+	BpfOverride                    string                  `yaml:"bpfOverride" json:"bpfOverride" default:""`
+	Capture                        CaptureConfig           `yaml:"capture" json:"capture"`
+	DelayedDissection              DelayedDissectionConfig `yaml:"delayedDissection" json:"delayedDissection"`
+	Snapshots                      SnapshotsConfig         `yaml:"snapshots" json:"snapshots"`
+	Release                        ReleaseConfig           `yaml:"release" json:"release"`
+	PersistentStorage              bool                    `yaml:"persistentStorage" json:"persistentStorage" default:"false"`
+	PersistentStorageStatic        bool                    `yaml:"persistentStorageStatic" json:"persistentStorageStatic" default:"false"`
+	PersistentStoragePvcVolumeMode string                  `yaml:"persistentStoragePvcVolumeMode" json:"persistentStoragePvcVolumeMode" default:"FileSystem"`
+	EfsFileSytemIdAndPath          string                  `yaml:"efsFileSytemIdAndPath" json:"efsFileSytemIdAndPath" default:""`
+	Secrets                        []string                `yaml:"secrets" json:"secrets" default:"[]"`
+	StorageLimit                   string                  `yaml:"storageLimit" json:"storageLimit" default:"10Gi"`
+	StorageClass                   string                  `yaml:"storageClass" json:"storageClass" default:"standard"`
+	DryRun                         bool                    `yaml:"dryRun" json:"dryRun" default:"false"`
+	DnsConfig                      DnsConfig               `yaml:"dns" json:"dns"`
+	Resources                      ResourcesConfig         `yaml:"resources" json:"resources"`
+	Probes                         ProbesConfig            `yaml:"probes" json:"probes"`
+	ServiceMesh                    bool                    `yaml:"serviceMesh" json:"serviceMesh" default:"true"`
+	Tls                            bool                    `yaml:"tls" json:"tls" default:"true"`
+	DisableTlsLog                  bool                    `yaml:"disableTlsLog" json:"disableTlsLog" default:"true"`
+	PacketCapture                  string                  `yaml:"packetCapture" json:"packetCapture" default:"best"`
+	Labels                         map[string]string       `yaml:"labels" json:"labels" default:"{}"`
+	Annotations                    map[string]string       `yaml:"annotations" json:"annotations" default:"{}"`
+	NodeSelectorTerms              NodeSelectorTermsConfig `yaml:"nodeSelectorTerms" json:"nodeSelectorTerms" default:"{}"`
+	Tolerations                    TolerationsConfig       `yaml:"tolerations" json:"tolerations" default:"{}"`
+	Auth                           AuthConfig              `yaml:"auth" json:"auth"`
+	Ingress                        IngressConfig           `yaml:"ingress" json:"ingress"`
+	PriorityClass                  string                  `yaml:"priorityClass" json:"priorityClass" default:""`
+	Routing                        RoutingConfig           `yaml:"routing" json:"routing"`
+	IPv6                           bool                    `yaml:"ipv6" json:"ipv6" default:"true"`
+	Debug                          bool                    `yaml:"debug" json:"debug" default:"false"`
+	Dashboard                      DashboardConfig         `yaml:"dashboard" json:"dashboard"`
+	Telemetry                      TelemetryConfig         `yaml:"telemetry" json:"telemetry"`
+	ResourceGuard                  ResourceGuardConfig     `yaml:"resourceGuard" json:"resourceGuard"`
+	Watchdog                       WatchdogConfig          `yaml:"watchdog" json:"watchdog"`
+	Gitops                         GitopsConfig            `yaml:"gitops" json:"gitops"`
+	Sentry                         SentryConfig            `yaml:"sentry" json:"sentry"`
+	DefaultFilter                  string                  `yaml:"defaultFilter" json:"defaultFilter" default:""`
+	LiveConfigMapChangesDisabled   bool                    `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"`
+	GlobalFilter                   string                  `yaml:"globalFilter" json:"globalFilter" default:""`
+	EnabledDissectors              []string                `yaml:"enabledDissectors" json:"enabledDissectors"`
+	PortMapping                    PortMapping             `yaml:"portMapping" json:"portMapping"`
+	CustomMacros                   map[string]string       `yaml:"customMacros" json:"customMacros" default:"{\"https\":\"tls and (http or http2)\"}"`
+	Metrics                        MetricsConfig           `yaml:"metrics" json:"metrics"`
+	Pprof                          PprofConfig             `yaml:"pprof" json:"pprof"`
+	Misc                           MiscConfig              `yaml:"misc" json:"misc"`
+	SecurityContext                SecurityContextConfig   `yaml:"securityContext" json:"securityContext"`
+	MountBpf                       bool                    `yaml:"mountBpf" json:"mountBpf" default:"true"`
+	HostNetwork                    bool                    `yaml:"hostNetwork" json:"hostNetwork" default:"true"`
 }

 func (config *TapConfig) PodRegex() *regexp.Regexp {
@@ -82,24 +390,11 @@ func (config *TapConfig) PodRegex() *regexp.Regexp {
 	return podRegex
 }

-func (config *TapConfig) StorageLimitBytes() int64 {
-	storageLimitBytes, err := utils.HumanReadableToBytes(config.StorageLimit)
-	if err != nil {
-		log.Fatal().Err(err).Send()
-	}
-	return storageLimitBytes
-}
-
 func (config *TapConfig) Validate() error {
 	_, compileErr := regexp.Compile(config.PodRegexStr)
 	if compileErr != nil {
 		return fmt.Errorf("%s is not a valid regex %s", config.PodRegexStr, compileErr)
 	}

-	_, parseHumanDataSizeErr := utils.HumanReadableToBytes(config.StorageLimit)
-	if parseHumanDataSizeErr != nil {
-		return fmt.Errorf("Could not parse --%s value %s", StorageLimitLabel, config.StorageLimit)
-	}
-
 	return nil
 }
--- a/docker/images.go
+++ b/docker/images.go
@@ -1,53 +0,0 @@
-package docker
-
-import (
-	"fmt"
-	"strings"
-)
-
-const (
-	hub    = "hub"
-	worker = "worker"
-	front  = "front"
-)
-
-var (
-	registry = "docker.io/kubeshark/"
-	tag      = "latest"
-)
-
-func GetRegistry() string {
-	return registry
-}
-
-func SetRegistry(value string) {
-	if strings.HasPrefix(value, "docker.io/kubeshark") {
-		registry = "docker.io/kubeshark/"
-	} else {
-		registry = value
-	}
-}
-
-func GetTag() string {
-	return tag
-}
-
-func SetTag(value string) {
-	tag = value
-}
-
-func getImage(image string) string {
-	return fmt.Sprintf("%s%s:%s", registry, image, tag)
-}
-
-func GetHubImage() string {
-	return getImage(hub)
-}
-
-func GetWorkerImage() string {
-	return getImage(worker)
-}
-
-func GetFrontImage() string {
-	return getImage(front)
-}
--- a/errormessage/errormessage.go
+++ b/errormessage/errormessage.go
@@ -6,24 +6,25 @@ import (
 	regexpsyntax "regexp/syntax"

 	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/config/configStructs"
 	"github.com/kubeshark/kubeshark/misc"

 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 )

-// formatError wraps error with a detailed message that is meant for the user.
+// FormatError wraps error with a detailed message that is meant for the user.
 // While the errors are meant to be displayed, they are not meant to be exported as classes outsite of CLI.
 func FormatError(err error) error {
 	var errorNew error
 	if k8serrors.IsForbidden(err) {
 		errorNew = fmt.Errorf("insufficient permissions: %w. "+
 			"supply the required permission or control %s's access to namespaces by setting %s "+
-			"in the config file or setting the targeted namespace with --%s %s=<NAMEPSACE>",
+			"in the config file or setting the targeted namespace with --%s %s=<NAMESPACE>",
 			err,
 			misc.Software,
-			config.SelfNamespaceConfigName,
+			configStructs.ReleaseNamespaceLabel,
 			config.SetCommandName,
-			config.SelfNamespaceConfigName)
+			configStructs.ReleaseNamespaceLabel)
 	} else if syntaxError, isSyntaxError := asRegexSyntaxError(err); isSyntaxError {
 		errorNew = fmt.Errorf("regex %s is invalid: %w", syntaxError.Expr, err)
 	} else {
--- a/go.mod
+++ b/go.mod
@@ -1,106 +1,143 @@
 module github.com/kubeshark/kubeshark

-go 1.17
+go 1.24.0
+
+toolchain go1.24.5

 require (
 	github.com/creasty/defaults v1.5.2
-	github.com/docker/docker v20.10.22+incompatible
-	github.com/docker/go-connections v0.4.0
-	github.com/docker/go-units v0.4.0
+	github.com/fsnotify/fsnotify v1.7.0
+	github.com/go-cmd/cmd v1.4.3
+	github.com/goccy/go-yaml v1.11.2
 	github.com/google/go-github/v37 v37.0.0
-	github.com/kubeshark/base v0.5.1
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
+	github.com/kubeshark/gopacket v1.1.39
+	github.com/pkg/errors v0.9.1
+	github.com/rivo/tview v0.0.0-20240818110301-fd649dbf1223
+	github.com/robertkrimen/otto v0.2.1
 	github.com/rs/zerolog v1.28.0
-	github.com/spf13/cobra v1.3.0
-	github.com/spf13/pflag v1.0.5
-	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.23.3
-	k8s.io/apimachinery v0.23.3
-	k8s.io/client-go v0.23.3
-	k8s.io/kubectl v0.23.3
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
+	github.com/tanqiangyes/grep-go v0.0.0-20220515134556-b36bff9c3d8e
+	helm.sh/helm/v3 v3.18.4
+	k8s.io/api v0.33.2
+	k8s.io/apimachinery v0.33.2
+	k8s.io/client-go v0.33.2
+	k8s.io/kubectl v0.33.2
 )

 require (
-	cloud.google.com/go/compute v1.2.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
-	github.com/fvbommel/sortorder v1.0.2 // indirect
+	github.com/fatih/color v1.13.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/gdamore/encoding v1.0.0 // indirect
+	github.com/gdamore/tcell/v2 v2.7.1 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.6 // indirect
-	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-playground/validator/v10 v10.14.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/kubeshark/tracerproto v1.0.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/russross/blackfriday v1.6.0 // indirect
-	github.com/sirupsen/logrus v1.7.0 // indirect
-	github.com/stretchr/testify v1.8.1 // indirect
-	github.com/xlab/treeprint v1.1.0 // indirect
-	go.starlark.net v0.0.0-20220203230714-bb14e151c28f // indirect
-	golang.org/x/crypto v0.0.0-20220208050332-20e1d8d225ab // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
-	golang.org/x/tools v0.1.12 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rubenv/sql-migrate v1.8.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.28.0 // indirect
+	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/grpc v1.68.1 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/cli-runtime v0.23.3 // indirect
-	k8s.io/component-base v0.23.3 // indirect
-	k8s.io/klog/v2 v2.40.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf // indirect
-	k8s.io/utils v0.0.0-20220127004650-9b3446523e65 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/kustomize/api v0.11.1 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	gopkg.in/sourcemap.v1 v1.0.5 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.33.2 // indirect
+	k8s.io/apiserver v0.33.2 // indirect
+	k8s.io/cli-runtime v0.33.2 // indirect
+	k8s.io/component-base v0.33.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	oras.land/oras-go/v2 v2.6.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/kustomize/api v0.19.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@@ -0,0 +1,25 @@
+apiVersion: v2
+name: kubeshark
+version: "52.12.0"
+description: The API Traffic Analyzer for Kubernetes
+home: https://kubeshark.com
+keywords:
+  - kubeshark
+  - packet capture
+  - traffic capture
+  - traffic analyzer
+  - network sniffer
+  - observability
+  - devops
+  - microservice
+  - forensics
+  - api
+kubeVersion: '>= 1.16.0-0'
+maintainers:
+  - email: support@kubeshark.com
+    name: Kubeshark
+    url: https://kubeshark.com
+sources:
+  - https://github.com/kubeshark/kubeshark/tree/master/helm-chart
+type: application
+icon: https://raw.githubusercontent.com/kubeshark/assets/master/logo/vector/logo.svg
--- a/helm-chart/LICENSE
+++ b/helm-chart/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2022 Kubeshark
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -0,0 +1,544 @@
+# Helm Chart of Kubeshark
+
+## Official
+
+Add the Helm repo for Kubeshark:
+
+```shell
+helm repo add kubeshark https://helm.kubeshark.com
+```
+
+then install Kubeshark:
+
+```shell
+helm install kubeshark kubeshark/kubeshark
+```
+
+## Local
+
+Clone the repo:
+
+```shell
+git clone git@github.com:kubeshark/kubeshark.git --depth 1
+cd kubeshark/helm-chart
+```
+
+In case you want to clone a specific tag of the repo (e.g. `v52.3.59`):
+
+```shell
+git clone git@github.com:kubeshark/kubeshark.git --depth 1 --branch <tag>
+cd kubeshark/helm-chart
+```
+> See the list of available tags here: https://github.com/kubeshark/kubeshark/tags
+
+Render the templates
+
+```shell
+helm template .
+```
+
+Install Kubeshark:
+
+```shell
+helm install kubeshark .
+```
+
+Uninstall Kubeshark:
+
+```shell
+helm uninstall kubeshark
+```
+
+## Port-forward
+
+Do the port forwarding:
+
+```shell
+kubectl port-forward service/kubeshark-front 8899:80
+```
+
+Visit [localhost:8899](http://localhost:8899)
+
+You can also use `kubeshark proxy` for a more stable port-forward connection.
+
+## Add a License Key
+
+When it's necessary, you can use:
+
+```shell
+--set license=YOUR_LICENSE_GOES_HERE
+```
+
+Get your license from Kubeshark's [Admin Console](https://console.kubeshark.com/).
+
+## Installing with Ingress (EKS) enabled
+
+```shell
+helm install kubeshark kubeshark/kubeshark -f values.yaml
+```
+
+Set this `value.yaml`:
+```shell
+tap:
+  ingress:
+    enabled: true
+    className: "alb"
+    host: ks.example.com
+    tls: []
+    annotations:
+      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/scheme: internet-facing
+```
+
+## Disabling IPV6
+
+Not all have IPV6 enabled, hence this has to be disabled as follows:
+
+```shell
+helm install kubeshark kubeshark/kubeshark \
+  --set tap.ipv6=false
+```
+
+## Prometheus Metrics
+
+Please refer to [metrics](./metrics.md) documentation for details.
+
+## Override Tag, Tags, Images
+
+In addition to using a private registry, you can further override the images' tag, specific image tags and specific image names.
+
+Example for overriding image names:
+
+```yaml
+  docker:
+    overrideImage:
+      worker: docker.io/kubeshark/worker:v52.3.87
+      front:  docker.io/kubeshark/front:v52.3.87
+      hub:    docker.io/kubeshark/hub:v52.3.87
+```
+
+## Configuration
+
+| Parameter                                 | Description                                   | Default                                                                                                                                                                                                                                          |
+|-------------------------------------------|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `tap.docker.registry`                     | Docker registry to pull from                  | `docker.io/kubeshark`                                                                                                                                                                                                                            |
+| `tap.docker.tag`                          | Tag of the Docker images                      | `latest`                                                                                                                                                                                                                                         |
+| `tap.docker.tagLocked`                    | Lock the Docker image tags to prevent automatic upgrades to the latest branch image version. | `true`                                                                                                                                                                                                                                           |
+| `tap.docker.tagLocked`                    | If `false` - use latest minor tag             | `true`                                                                                                                                                                                                                                           |
+| `tap.docker.imagePullPolicy`              | Kubernetes image pull policy                  | `Always`                                                                                                                                                                                                                                         |
+| `tap.docker.imagePullSecrets`             | Kubernetes secrets to pull the images         | `[]`                                                                                                                                                                                                                                             |
+| `tap.docker.overrideImage`                | Can be used to directly override image names  | `""`                                                                                                                                                                                                                                             |
+| `tap.docker.overrideTag`                  | Can be used to override image tags            | `""`                                                                                                                                                                                                                                             |
+| `tap.proxy.hub.srvPort`                   | Hub server port. Change if already occupied.  | `8898`                                                                                                                                                                                                                                           |
+| `tap.proxy.worker.srvPort`                | Worker server port. Change if already occupied.| `48999`                                                                                                                                                                                                                                          |
+| `tap.proxy.front.port`                    | Front service port. Change if already occupied.| `8899`                                                                                                                                                                                                                                           |
+| `tap.proxy.host`                          | Change to 0.0.0.0 top open up to the world.   | `127.0.0.1`                                                                                                                                                                                                                                      |
+| `tap.regex`                               | Target (process traffic from) pods that match regex | `.*`                                                                                                                                                                                                                                             |
+| `tap.namespaces`                          | Target pods in namespaces                     | `[]`                                                                                                                                                                                                                                             |
+| `tap.excludedNamespaces`                  | Exclude pods in namespaces                    | `[]`                                                                                                                                                                                                                                             |
+| `tap.bpfOverride`                         | When using AF_PACKET as a traffic capture backend, override any existing pod targeting rules and set explicit BPF expression (e.g. `net 0.0.0.0/0`).                                                          | `[]`                                                                                                                                                                                                                                             |
+| `tap.capture.dissection.enabled`                    | Set to `true` to have L7 protocol dissection start automatically. When set to `false`, dissection is disabled by default. This property can be dynamically controlled via the dashboard.      | `true`                                                                                                                                                                                                                                           |
+| `tap.capture.dissection.stopAfter`                  | Set to a duration (e.g. `30s`) to have L7 dissection stop after no activity.     | `5m`                                                                                                                                                                                                                                             |
+| `tap.capture.raw.enabled`                           | Enable raw capture of packets and syscalls to disk for offline analysis      | `true`                                                                                                                                                                                                                                          |
+| `tap.capture.raw.storageSize`                       | Maximum storage size for raw capture files (supports K8s quantity format: `1Gi`, `500Mi`, etc.)     | `1Gi`                                                                                                                                                                                                                                            |
+| `tap.capture.dbMaxSize`                           | Maximum size for capture database (e.g., `4Gi`, `2000Mi`). When empty, automatically uses 80% of allocated storage (`tap.storageLimit`).     | `""`                                                                                                                                                                                                                                             |
+| `tap.snapshots.storageClass`                      | Storage class for snapshots volume. When empty, uses `emptyDir`. When set, creates a PVC with this storage class | `""`                                                                                                                                                                                                                                             |
+| `tap.snapshots.storageSize`                       | Storage size for snapshots volume (supports K8s quantity format: `1Gi`, `500Mi`, etc.)     | `10Gi`                                                                                                                                                                                                                                            |
+| `tap.release.repo`                        | URL of the Helm chart repository              | `https://helm.kubeshark.com`                                                                                                                                                                                                                        |
+| `tap.release.name`                        | Helm release name                             | `kubeshark`                                                                                                                                                                                                                                      |
+| `tap.release.namespace`                   | Helm release namespace                        | `default`                                                                                                                                                                                                                                        |
+| `tap.persistentStorage`                   | Use `persistentVolumeClaim` instead of `emptyDir` | `false`                                                                                                                                                                                                                                          |
+| `tap.persistentStorageStatic`             | Use static persistent volume provisioning (explicitly defined `PersistentVolume` ) | `false`                                                                                                                                                                                                                                          |
+| `tap.persistentStoragePvcVolumeMode` | Set the pvc volume mode (Filesystem\|Block) | `Filesystem`                                                                                                                                                                                                                                     |
+| `tap.efsFileSytemIdAndPath`               | [EFS file system ID and, optionally, subpath and/or access point](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/access_points/README.md) `<FileSystemId>:<Path>:<AccessPointId>`  | ""                                                                                                                                                                                                                                               |
+| `tap.storageLimit`                        | Limit of either the `emptyDir` or `persistentVolumeClaim` | `5Gi`                                                                                                                                                                                                                                            |
+| `tap.storageClass`                        | Storage class of the `PersistentVolumeClaim`          | `standard`                                                                                                                                                                                                                                       |
+| `tap.dryRun`                              | Preview of all pods matching the regex, without tapping them    | `false`                                                                                                                                                                                                                                          |
+| `tap.dnsConfig.nameservers`               | Nameservers to use for DNS resolution          | `[]`                                                                                                                                                                                                                                             |
+| `tap.dnsConfig.searches`                  | Search domains to use for DNS resolution       | `[]`                                                                                                                                                                                                                                             |
+| `tap.dnsConfig.options`                   | DNS options to use for DNS resolution          | `[]`                                                                                                                                                                                                                                             |
+| `tap.resources.hub.limits.cpu`            | CPU limit for hub                             | `""`  (no limit)                                                                                                                                                                                                                                 |
+| `tap.resources.hub.limits.memory`         | Memory limit for hub                          | `5Gi`                                                                                                                                                                                                                                            |
+| `tap.resources.hub.requests.cpu`          | CPU request for hub                           | `50m`                                                                                                                                                                                                                                            |
+| `tap.resources.hub.requests.memory`       | Memory request for hub                        | `50Mi`                                                                                                                                                                                                                                           |
+| `tap.resources.sniffer.limits.cpu`        | CPU limit for sniffer                         | `""`  (no limit)                                                                                                                                                                                                                                 |
+| `tap.resources.sniffer.limits.memory`     | Memory limit for sniffer                      | `3Gi`                                                                                                                                                                                                                                            |
+| `tap.resources.sniffer.requests.cpu`      | CPU request for sniffer                       | `50m`                                                                                                                                                                                                                                            |
+| `tap.resources.sniffer.requests.memory`   | Memory request for sniffer                    | `50Mi`                                                                                                                                                                                                                                           |
+| `tap.resources.tracer.limits.cpu`         | CPU limit for tracer                          | `""`  (no limit)                                                                                                                                                                                                                                 |
+| `tap.resources.tracer.limits.memory`      | Memory limit for tracer                       | `3Gi`                                                                                                                                                                                                                                            |
+| `tap.resources.tracer.requests.cpu`       | CPU request for tracer                        | `50m`                                                                                                                                                                                                                                            |
+| `tap.resources.tracer.requests.memory`    | Memory request for tracer                     | `50Mi`                                                                                                                                                                                                                                           |
+| `tap.probes.hub.initialDelaySeconds`      | Initial delay before probing the hub         | `15`                                                                                                                                                                                                                                             |
+| `tap.probes.hub.periodSeconds`            | Period between probes for the hub             | `10`                                                                                                                                                                                                                                             |
+| `tap.probes.hub.successThreshold`         | Number of successful probes before considering the hub healthy | `1`                                                                                                                                                                                                                                              |
+| `tap.probes.hub.failureThreshold`         | Number of failed probes before considering the hub unhealthy | `3`                                                                                                                                                                                                                                              |
+| `tap.probes.sniffer.initialDelaySeconds`  | Initial delay before probing the sniffer     | `15`                                                                                                                                                                                                                                             |
+| `tap.probes.sniffer.periodSeconds`        | Period between probes for the sniffer         | `10`                                                                                                                                                                                                                                             |
+| `tap.probes.sniffer.successThreshold`     | Number of successful probes before considering the sniffer healthy | `1`                                                                                                                                                                                                                                              |
+| `tap.probes.sniffer.failureThreshold`     | Number of failed probes before considering the sniffer unhealthy | `3`                                                                                                                                                                                                                                              |
+| `tap.serviceMesh`                         | Capture traffic from service meshes like Istio, Linkerd, Consul, etc.          | `true`                                                                                                                                                                                                                                           |
+| `tap.tls`                                 | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL                         | `true`                                                                                                                                                                                                                                           |
+| `tap.disableTlsLog`                       | Suppress logging for TLS/eBPF                 | `true`                                                                                                                                                                                                                                           |
+| `tap.labels`                              | Kubernetes labels to apply to all Kubeshark resources  | `{}`                                                                                                                                                                                                                                             |
+| `tap.annotations`                         | Kubernetes annotations to apply to all Kubeshark resources | `{}`                                                                                                                                                                                                                                             |
+| `tap.nodeSelectorTerms.workers`                   | Node selector terms for workers components                       | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]`                                                                                                                                                         |
+| `tap.nodeSelectorTerms.hub`                   | Node selector terms for hub component                 | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]`                                                                                                                                                         |
+| `tap.nodeSelectorTerms.front`                   | Node selector terms for front-end component                         | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]`                                                                                                                                                         |
+| `tap.priorityClass`                   | Priority class name for Kubeshark components                         | `""`                                                                                                                                                                                                                                             |
+| `tap.tolerations.workers`                  | Tolerations for workers components                         | `[ {"operator": "Exists", "effect": "NoExecute"}`                                                                                                                                                                                                |
+| `tap.tolerations.hub`                  | Tolerations for hub component                         | `[]`                                                                                                                                                                                                                                             |
+| `tap.tolerations.front`                  | Tolerations for front-end component                         | `[]`                                                                                                                                                                                                                                             |
+| `tap.auth.enabled`                        | Enable authentication                         | `false`                                                                                                                                                                                                                                          |
+| `tap.auth.type`                           | Authentication type (1 option available: `saml`)      | `saml`                                                                                                                                                                                                                                           |
+| `tap.auth.approvedEmails`                 | List of approved email addresses for authentication              | `[]`                                                                                                                                                                                                                                             |
+| `tap.auth.approvedDomains`                | List of approved email domains for authentication                | `[]`                                                                                                                                                                                                                                             |
+| `tap.auth.saml.idpMetadataUrl`                    | SAML IDP metadata URL <br/>(effective, if `tap.auth.type = saml`)                                  | ``                                                                                                                                                                                                                                               |
+| `tap.auth.saml.x509crt`                   | A self-signed X.509 `.cert` contents <br/>(effective, if `tap.auth.type = saml`)          | ``                                                                                                                                                                                                                                               |
+| `tap.auth.saml.x509key`                   | A self-signed X.509 `.key` contents <br/>(effective, if `tap.auth.type = saml`)           | ``                                                                                                                                                                                                                                               |
+| `tap.auth.saml.roleAttribute`             | A SAML attribute name corresponding to user's authorization role <br/>(effective, if `tap.auth.type = saml`)  | `role`                                                                                                                                                                                                                                           |
+| `tap.auth.saml.roles`                     | A list of SAML authorization roles and their permissions <br/>(effective, if `tap.auth.type = saml`)  | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "scriptingPermissions":{"canSave":true, "canActivate":true, "canDelete":true}, "canStopTrafficCapturing":true, "canControlDissection":true, "filter":"","showAdminConsoleLink":true}}` |
+| `tap.ingress.enabled`                     | Enable `Ingress`                                | `false`                                                                                                                                                                                                                                          |
+| `tap.ingress.className`                   | Ingress class name                            | `""`                                                                                                                                                                                                                                             |
+| `tap.ingress.host`                        | Host of the `Ingress`                          | `ks.svc.cluster.local`                                                                                                                                                                                                                           |
+| `tap.ingress.tls`                         | `Ingress` TLS configuration                     | `[]`                                                                                                                                                                                                                                             |
+| `tap.ingress.annotations`                 | `Ingress` annotations                           | `{}`                                                                                                                                                                                                                                             |
+| `tap.routing.front.basePath`             | Set this value to serve `front` under specific base path. Example: `/custompath` (forward slash must be present)         | `""`                                                                                                                                                                                                                                             |
+| `tap.ipv6`                                | Enable IPv6 support for the front-end                        | `true`                                                                                                                                                                                                                                           |
+| `tap.debug`                               | Enable debug mode                             | `false`                                                                                                                                                                                                                                          |
+| `tap.telemetry.enabled`                   | Enable anonymous usage statistics collection           | `true`                                                                                                                                                                                                                                           |
+| `tap.resourceGuard.enabled`               | Enable resource guard worker process, which watches RAM/disk usage and enables/disables traffic capture based on available resources | `false`                                                                                                                                                                                                                                          |
+| `tap.secrets`                             | List of secrets to be used as source for environment variables (e.g. `kubeshark-license`) | `[]`                                                                                                                                                                                                                                             |
+| `tap.sentry.enabled`                      | Enable sending of error logs to Sentry          | `true` (only for qualified users)                                                                                                                                                                                                                |
+| `tap.sentry.environment`                      | Sentry environment to label error logs with      | `production`                                                                                                                                                                                                                                     |
+| `tap.defaultFilter`                       | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this, **temporarily**, in the Dashboard. For a permanent change, you should change this value in the `values.yaml` or `config.yaml` file.        | `""`                                                                                                                                                                                                                                             |
+| `tap.liveConfigMapChangesDisabled`        | If set to `true`, all user functionality (scripting, targeting settings, global & default KFL modification, traffic recording, traffic capturing on/off, protocol dissectors) involving dynamic ConfigMap changes from UI will be disabled     | `false`                                                                                                                                                                                                                                          |
+| `tap.globalFilter`                        | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic.      | `""`                                                                                                                                                                                                                                             |
+| `tap.metrics.port`                  | Pod port used to expose Prometheus metrics          | `49100`                                                                                                                                                                                                                                          |
+| `tap.enabledDissectors`                   | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp`                                                                                                                                                                                                       |
+| `tap.mountBpf`                            | BPF filesystem needs to be mounted for eBPF to work properly. This helm value determines whether Kubeshark will attempt to mount the filesystem. This option is not required if filesystem is already mounts. │ `true`|
+| `tap.hostNetwork`                         | Enable host network mode for worker DaemonSet pods. When enabled, worker pods use the host's network namespace for direct network access. | `true`                                                                                                                                                                                                                                           |
+| `tap.gitops.enabled`                          | Enable GitOps functionality. This will allow you to use GitOps to manage your Kubeshark configuration. | `false`                                                                                                                                                                                                                                          |
+| `logs.file`                               | Logs dump path                      | `""`                                                                                                                                                                                                                                             |
+| `pcapdump.enabled`                        | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools                 | `false`                                                                                                                                                                                                                                           |
+| `pcapdump.maxTime`                        | The time window into the past that will be stored. Older traffic will be discarded.  | `2h`                                                                                                                                                                                                                                             |
+| `pcapdump.maxSize`                        | The maximum storage size the PCAP files will consume. Old files that cause to surpass storage consumption will get discarded.   | `500MB`                                                                                                                                                                                                                                          |
+| `kube.configPath`                         | Path to the `kubeconfig` file (`$HOME/.kube/config`)            | `""`                                                                                                                                                                                                                                             |
+| `kube.context`                            | Kubernetes context to use for the deployment  | `""`                                                                                                                                                                                                                                             |
+| `dumpLogs`                                | Enable dumping of logs         | `false`                                                                                                                                                                                                                                          |
+| `headless`                                | Enable running in headless mode               | `false`                                                                                                                                                                                                                                          |
+| `license`                                 | License key for the Pro/Enterprise edition    | `""`                                                                                                                                                                                                                                             |
+| `scripting.enabled`                       | Enables scripting                              | `false`                                                                                                                                                                                                                                          |
+| `scripting.env`                           | Environment variables for the scripting      | `{}`                                                                                                                                                                                                                                             |
+| `scripting.source`                        | Source directory of the scripts                | `""`                                                                                                                                                                                                                                             |
+| `scripting.watchScripts`                  | Enable watch mode for the scripts in source directory          | `true`                                                                                                                                                                                                                                           |
+| `timezone`                                | IANA time zone applied to time shown in the front-end | `""` (local time zone applies)                                                                                                                                                                                                                   |
+| `supportChatEnabled`                      | Enable real-time support chat channel based on Intercom | `false`                                                                                                                                                                                                                                          |
+| `internetConnectivity`                    | Turns off API requests that are dependent on Internet connectivity such as `telemetry` and `online-support`. | `true`                                                                                                                                                                                                                                           |
+
+KernelMapping pairs kernel versions with a
+                            DriverContainer image. Kernel versions can be matched
+                            literally or using a regular expression
+
+# Installing with SAML enabled
+
+### Prerequisites:
+
+##### 1. Generate X.509 certificate & key (TL;DR: https://ubuntu.com/server/docs/security-certificates)
+
+**Example:**
+```
+openssl genrsa -out mykey.key 2048
+openssl req -new -key mykey.key -out mycsr.csr
+openssl x509 -signkey mykey.key -in mycsr.csr -req -days 365 -out mycert.crt
+```
+
+**What you get:**
+- `mycert.crt` - use it for `tap.auth.saml.x509crt`
+- `mykey.key` - use it for `tap.auth.saml.x509crt`
+
+##### 2. Prepare your SAML IDP
+
+You should set up the required SAML IDP (Google, Auth0, your custom IDP, etc.)
+
+During setup, an IDP provider will typically request to enter:
+- Metadata URL
+- ACS URL (Assertion Consumer Service URL, aka Callback URL)
+- SLO URL (Single Logout URL)
+
+Correspondingly, you will enter these (if you run the most default Kubeshark setup):
+- [http://localhost:8899/saml/metadata](http://localhost:8899/saml/metadata)
+- [http://localhost:8899/saml/acs](http://localhost:8899/saml/acs)
+- [http://localhost:8899/saml/slo](http://localhost:8899/saml/slo)
+
+Otherwise, if you have `tap.ingress.enabled == true`, change protocol & domain respectively - showing example domain:
+- [https://kubeshark.example.com/saml/metadata](https://kubeshark.example.com/saml/metadata)
+- [https://kubeshark.example.com/saml/acs](https://kubeshark.example.com/saml/acs)
+- [https://kubeshark.example.com/saml/slo](https://kubeshark.example.com/saml/slo)
+
+```shell
+helm install kubeshark kubeshark/kubeshark -f values.yaml
+```
+
+Set this `value.yaml`:
+```shell
+tap:
+  auth:
+    enabled: true
+    type: saml
+    saml:
+      idpMetadataUrl: "https://ti..th0.com/samlp/metadata/MpWiDCM..qdnDG"
+      x509crt: |
+        -----BEGIN CERTIFICATE-----
+        MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG
+        MSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAZXhhbXBsZS5jb20wHhcNMjMxMjI4
+        ........<redacted: please, generate your own X.509 cert>........
+        ZMzM7YscqZwoVhTOhrD4/5nIfOD/hTWG/MBe2Um1V1IYF8aVEllotTKTgsF6ZblA
+        miCOgl6lIlZy
+        -----END CERTIFICATE-----
+      x509key: |
+        -----BEGIN PRIVATE KEY-----
+        MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDlgDFKsRHj+mok
+        euOF0IpwToOEpQGtafB75ytv3psD/tQAzEIug+rkDriVvsfcvafj0qcaTeYvnCoz
+        ........<redacted: please, generate your own X.509 key>.........
+        sUpBCu0E3nRJM/QB2ui5KhNR7uvPSL+kSsaEq19/mXqsL+mRi9aqy2wMEvUSU/kt
+        UaV5sbRtTzYLxpOSQyi8CEFA+A==
+        -----END PRIVATE KEY-----
+```
+
+# Installing with Dex OIDC authentication
+
+[**Click here to see full docs**](https://docs.kubeshark.com/en/saml#installing-with-oidc-enabled-dex-idp).
+
+Choose this option, if **you already have a running instance** of Dex in your cluster &
+you want to set up Dex OIDC authentication for Kubeshark users.
+
+Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/).
+Dex is an abstraction layer designed for integrating a wide variety of Identity Providers.
+
+**Requirement:**
+Your Dex IdP must have a publicly accessible URL.
+
+### Pre-requisites:
+
+**1. If you configured Ingress for Kubeshark:**
+
+(see section: "Installing with Ingress (EKS) enabled")
+
+OAuth2 callback URL is: <br/>
+`https://<kubeshark-ingress-hostname>/api/oauth2/callback`
+
+**2. If you did not configure Ingress for Kubeshark:**
+
+OAuth2 callback URL is: <br/>
+`http://0.0.0.0:8899/api/oauth2/callback`
+
+Use chosen OAuth2 callback URL to replace `<your-kubeshark-host>` in Step 3.
+
+**3. Add this static client to your Dex IdP configuration (`config.yaml`):**
+```yaml
+staticClients:
+   - id: kubeshark
+     secret: create your own client password
+     name: Kubeshark
+     redirectURIs:
+     - https://<your-kubeshark-host>/api/oauth2/callback
+```
+
+**Final step:**
+
+Add these helm values to set up OIDC authentication powered by your Dex IdP:
+
+```yaml
+# values.yaml
+
+tap:
+  auth:
+    enabled: true
+    type: dex
+    dexOidc:
+      issuer: <put Dex IdP issuer URL here>
+      clientId: kubeshark
+      clientSecret: create your own client password
+      refreshTokenLifetime: "3960h" # 165 days
+      oauth2StateParamExpiry: "10m"
+      bypassSslCaCheck: false
+```
+
+---
+
+**Note:**<br/>
+Set `tap.auth.dexOidc.bypassSslCaCheck: true`
+to allow Kubeshark communication with Dex IdP having an unknown SSL Certificate Authority.
+
+This setting allows you to prevent such SSL CA-related errors:<br/>
+`tls: failed to verify certificate: x509: certificate signed by unknown authority`
+
+---
+
+Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.
+
+---
+
+# Installing your own Dex IdP along with Kubeshark
+
+Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark &
+set up Dex OIDC authentication for Kubeshark users.
+
+Depending on Ingress enabled/disabled, your Dex configuration might differ.
+
+**Requirement:**
+Please, configure Ingress using `tap.ingress` for your Kubeshark installation. For example:
+
+```yaml
+tap:
+  ingress:
+    enabled: true
+    className: "alb"
+    host: ks.example.com
+    tls: []
+    annotations:
+      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/scheme: internet-facing
+```
+
+The following Dex settings will have these values:
+
+| Setting                                               | Value                                        |
+|-------------------------------------------------------|----------------------------------------------|
+| `tap.auth.dexOidc.issuer`                             | `https://ks.example.com/dex`                 |
+| `tap.auth.dexConfig.issuer`                           | `https://ks.example.com/dex`                 |
+| `tap.auth.dexConfig.staticClients -> redirectURIs`    | `https://ks.example.com/api/oauth2/callback` |
+| `tap.auth.dexConfig.connectors -> config.redirectURI` | `https://ks.example.com/dex/callback`        |
+
+---
+
+### Before proceeding with Dex IdP installation:
+
+Please, make sure to prepare the following things first.
+
+1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP.
+   - i.e. how many kind of "Log in with ..." options you'd like to offer your users
+   - You will need to specify connectors in `tap.auth.dexConfig.connectors`
+2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP.
+   - You will need to specify storage settings in `tap.auth.dexConfig.storage`
+   - default: `memory`
+3. Decide on the OAuth2 `?state=` param expiration time:
+   - field: `tap.auth.dexOidc.oauth2StateParamExpiry`
+   - default: `10m` (10 minutes)
+   - valid time units are `s`, `m`, `h`
+4. Decide on the refresh token expiration:
+    - field 1: `tap.auth.dexOidc.expiry.refreshTokenLifetime`
+    - field 2: `tap.auth.dexConfig.expiry.refreshTokens.absoluteLifetime`
+    - default: `3960h` (165 days)
+    - valid time units are `s`, `m`, `h`
+5. Create a unique & secure password to set in these fields:
+    - field 1: `tap.auth.dexOidc.clientSecret`
+    - field 2: `tap.auth.dexConfig.staticClients -> secret`
+    - password must be the same for these 2 fields
+6. Discover more possibilities of **[Dex Configuration](https://dexidp.io/docs/configuration/)**
+   - if you decide to include more configuration options, make sure to add them into `tap.auth.dexConfig`
+---
+
+### Once you are ready with all the points described above:
+
+Use these helm `values.yaml` fields to:
+- Deploy your own instance of Dex IdP along with Kubeshark
+- Enable OIDC authentication for Kubeshark users
+
+Make sure to:
+- Replace `<your-ingress-hostname>` with a correct Kubeshark Ingress host (`tap.auth.ingress.host`).
+  - refer to section **Installing with Ingress (EKS) enabled** to find out how you can configure Ingress host.
+
+Helm `values.yaml`:
+```yaml
+tap:
+  auth:
+    enabled: true
+    type: dex
+    dexOidc:
+      issuer: https://<your-ingress-hostname>/dex
+
+      # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret`
+      clientId: kubeshark
+      clientSecret: create your own client password
+
+      refreshTokenLifetime: "3960h" # 165 days
+      oauth2StateParamExpiry: "10m"
+      bypassSslCaCheck: false
+    dexConfig:
+      # This field is REQUIRED!
+      #
+      # The base path of Dex and the external name of the OpenID Connect service.
+      # This is the canonical URL that all clients MUST use to refer to Dex. If a
+      # path is provided, Dex's HTTP service will listen at a non-root URL.
+      issuer: https://<your-ingress-hostname>/dex
+
+      # Expiration configuration for tokens, signing keys, etc.
+      expiry:
+        refreshTokens:
+          validIfNotUsedFor: "2160h" # 90 days
+          absoluteLifetime: "3960h"  # 165 days
+
+      # This field is REQUIRED!
+      #
+      # The storage configuration determines where Dex stores its state.
+      # See the documentation (https://dexidp.io/docs/storage/) for further information.
+      storage:
+        type: memory
+
+      # This field is REQUIRED!
+      #
+      # Attention:
+      # Do not change this field and its values.
+      # This field is required for internal Kubeshark-to-Dex communication.
+      #
+      # HTTP service configuration
+      web:
+        http: 0.0.0.0:5556
+
+      # This field is REQUIRED!
+      #
+      # Attention:
+      # Do not change this field and its values.
+      # This field is required for internal Kubeshark-to-Dex communication.
+      #
+      # Telemetry configuration
+      telemetry:
+        http: 0.0.0.0:5558
+
+      # This field is REQUIRED!
+      #
+      # Static clients registered in Dex by default.
+      staticClients:
+        - id: kubeshark
+          secret: create your own client password
+          name: Kubeshark
+          redirectURIs:
+          - https://<your-ingress-hostname>/api/oauth2/callback
+
+      # Enable the password database.
+      # It's a "virtual" connector (identity provider) that stores
+      # login credentials in Dex's store.
+      enablePasswordDB: true
+
+      # Connectors are used to authenticate users against upstream identity providers.
+      # See the documentation (https://dexidp.io/docs/connectors/) for further information.
+      #
+      # Attention:
+      # When you define a new connector, `config.redirectURI` must be:
+      # https://<your-ingress-hostname>/dex/callback
+      #
+      # Example with Google connector:
+      # connectors:
+      #  - type: google
+      #    id: google
+      #    name: Google
+      #    config:
+      #      clientID: your Google Cloud Auth app client ID
+      #      clientSecret: your Google Auth app client ID
+      #      redirectURI: https://<your-ingress-hostname>/dex/callback
+      connectors: []
+```
--- a/helm-chart/metrics.md
+++ b/helm-chart/metrics.md
@@ -0,0 +1,56 @@
+# Metrics
+
+Kubeshark provides metrics from `worker` components.
+It can be useful for monitoring and debugging purpose.
+
+## Configuration
+
+By default, Kubeshark uses port `49100` to expose metrics via service `kubeshark-worker-metrics`.
+
+In case you use [kube-prometheus-stack] (https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) community Helm chart, additional scrape configuration for Kubeshark worker metrics endpoint can be configured with values:
+
+```
+prometheus:
+  enabled: true
+  prometheusSpec:
+    additionalScrapeConfigs: |
+      - job_name: 'kubeshark-worker-metrics'
+        kubernetes_sd_configs:
+          - role: endpoints
+        relabel_configs:
+          - source_labels: [__meta_kubernetes_pod_name]
+            target_label: pod
+          - source_labels: [__meta_kubernetes_pod_node_name]
+            target_label: node
+          - source_labels: [__meta_kubernetes_endpoint_port_name]
+            action: keep
+            regex: ^metrics$
+          - source_labels: [__address__, __meta_kubernetes_endpoint_port_number]
+            action: replace
+            regex: ([^:]+)(?::\d+)?
+            replacement: $1:49100
+            target_label: __address__
+          - action: labelmap
+            regex: __meta_kubernetes_service_label_(.+)
+```
+
+
+## Available metrics
+
+| Name | Type | Description | 
+| --- | --- | --- | 
+| kubeshark_received_packets_total | Counter | Total number of packets received | 
+| kubeshark_dropped_packets_total | Counter | Total number of packets dropped | 
+| kubeshark_dropped_chunks_total  | Counter | Total number of dropped packet chunks | 
+| kubeshark_processed_bytes_total | Counter | Total number of bytes processed |
+| kubeshark_tcp_packets_total | Counter | Total number of TCP packets | 
+| kubeshark_dns_packets_total | Counter | Total number of DNS packets | 
+| kubeshark_icmp_packets_total | Counter | Total number of ICMP packets | 
+| kubeshark_reassembled_tcp_payloads_total | Counter | Total number of reassembled TCP payloads |
+| kubeshark_matched_pairs_total | Counter | Total number of matched pairs | 
+| kubeshark_dropped_tcp_streams_total | Counter | Total number of dropped TCP streams | 
+| kubeshark_live_tcp_streams | Gauge | Number of live TCP streams |
+
+## Ready-to-use Dashboard
+
+You can import a ready-to-use dashboard from [Grafana's Dashboards Portal](https://grafana.com/grafana/dashboards/21332-kubeshark-dashboard-v3-4/).
--- a/helm-chart/templates/01-service-account.yaml
+++ b/helm-chart/templates/01-service-account.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: {{ include "kubeshark.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- if .Values.tap.docker.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.tap.docker.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+{{- end }}
--- a/helm-chart/templates/02-cluster-role.yaml
+++ b/helm-chart/templates/02-cluster-role.yaml
@@ -0,0 +1,94 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-cluster-role-{{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - apps
+    resources:
+      - nodes
+      - pods
+      - services
+      - endpoints
+      - persistentvolumeclaims
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+    - networking.k8s.io
+    resources:
+    - networkpolicies
+    verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-self-config-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+      - v1
+    resourceNames:
+      - kubeshark-secret
+      - kubeshark-config-map
+      - kubeshark-secret-default
+      - kubeshark-config-map-default
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - create
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+      - v1
+    resources:
+      - secrets
+      - configmaps
+      - pods/log
+    verbs:
+      - create
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - "*"
--- a/helm-chart/templates/03-cluster-role-binding.yaml
+++ b/helm-chart/templates/03-cluster-role-binding.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-cluster-role-binding-{{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeshark-cluster-role-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubeshark.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-self-config-role-binding
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubeshark-self-config-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubeshark.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
--- a/helm-chart/templates/04-hub-deployment.yaml
+++ b/helm-chart/templates/04-hub-deployment.yaml
@@ -0,0 +1,193 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: {{ include "kubeshark.name" . }}-hub
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1  # Set the desired number of replicas
+  selector:
+    matchLabels:
+      app.kubeshark.com/app: hub
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubeshark.com/app: hub
+        {{- include "kubeshark.labels" . | nindent 8 }}
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+      {{- if .Values.tap.priorityClass }}
+      priorityClassName: {{ .Values.tap.priorityClass | quote }}
+      {{- end }}
+      containers:
+        - name: hub
+          command:
+            - ./hub
+            - -port
+            - "8080"
+            - -loglevel
+            - '{{ .Values.logLevel | default "warning" }}'
+            - -capture-stop-after
+            - "{{ if hasKey .Values.tap.capture.dissection "stopAfter" }}{{ .Values.tap.capture.dissection.stopAfter }}{{ else }}5m{{ end }}"
+            - -snapshot-size-limit
+            - '{{ .Values.tap.snapshots.storageSize }}'
+            {{- if .Values.tap.delayedDissection.image }}
+            - -dissector-image
+            - '{{ .Values.tap.delayedDissection.image }}'
+            {{- end }}
+            {{- if .Values.tap.delayedDissection.cpu }}
+            - -dissector-cpu
+            - '{{ .Values.tap.delayedDissection.cpu }}'
+            {{- end }}
+            {{- if .Values.tap.delayedDissection.memory }}
+            - -dissector-memory
+            - '{{ .Values.tap.delayedDissection.memory }}'
+            {{- end }}
+            {{- if .Values.tap.gitops.enabled }}
+            - -gitops
+            {{- end }}
+            - -cloud-api-url
+            - '{{ .Values.cloudApiUrl }}'
+          {{- if .Values.tap.secrets }}
+          envFrom:
+            {{- range .Values.tap.secrets }}
+            - secretRef:
+                name: {{ . }}
+            {{- end }}
+          {{- end }}
+          env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SENTRY_ENABLED
+            value: '{{ (include "sentry.enabled" .) }}'
+          - name: SENTRY_ENVIRONMENT
+            value: '{{ .Values.tap.sentry.environment }}'
+          - name: PROFILING_ENABLED
+            value: '{{ .Values.tap.pprof.enabled }}'
+        {{- if .Values.tap.docker.overrideImage.hub }}
+          image: '{{ .Values.tap.docker.overrideImage.hub }}'
+        {{- else if .Values.tap.docker.overrideTag.hub }}
+          image: '{{ .Values.tap.docker.registry }}/hub:{{ .Values.tap.docker.overrideTag.hub }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/hub:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}'
+        {{- end }}
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          readinessProbe:
+            periodSeconds: {{ .Values.tap.probes.hub.periodSeconds }}
+            failureThreshold: {{ .Values.tap.probes.hub.failureThreshold }}
+            successThreshold: {{ .Values.tap.probes.hub.successThreshold }}
+            initialDelaySeconds: {{ .Values.tap.probes.hub.initialDelaySeconds }}
+            tcpSocket:
+              port: 8080
+          livenessProbe:
+            periodSeconds: {{ .Values.tap.probes.hub.periodSeconds }}
+            failureThreshold: {{ .Values.tap.probes.hub.failureThreshold }}
+            successThreshold: {{ .Values.tap.probes.hub.successThreshold }}
+            initialDelaySeconds: {{ .Values.tap.probes.hub.initialDelaySeconds }}
+            tcpSocket:
+              port: 8080
+          resources:
+            limits:
+              {{ if ne (toString .Values.tap.resources.hub.limits.cpu) "0" }}
+              cpu: {{ .Values.tap.resources.hub.limits.cpu }}
+              {{ end }}
+              {{ if ne (toString .Values.tap.resources.hub.limits.memory) "0" }}
+              memory: {{ .Values.tap.resources.hub.limits.memory }}
+              {{ end }}
+            requests:
+              {{ if ne (toString .Values.tap.resources.hub.requests.cpu) "0" }}
+              cpu: {{ .Values.tap.resources.hub.requests.cpu }}
+              {{ end }}
+              {{ if ne (toString .Values.tap.resources.hub.requests.memory) "0" }}
+              memory: {{ .Values.tap.resources.hub.requests.memory }}
+              {{ end }}
+          volumeMounts:
+          - name: saml-x509-volume
+            mountPath: "/etc/saml/x509"
+            readOnly: true
+          - name: snapshots-volume
+            mountPath: "/app/data/snapshots"
+{{- if gt (len .Values.tap.nodeSelectorTerms.hub) 0}}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              {{- toYaml .Values.tap.nodeSelectorTerms.hub | nindent 12 }}
+{{- end }}
+      {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
+      dnsConfig:
+        {{- if .Values.tap.dns.nameservers }}
+        nameservers:
+        {{- range .Values.tap.dns.nameservers }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.searches }}
+        searches:
+        {{- range .Values.tap.dns.searches }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.options }}
+        options:
+        {{- range .Values.tap.dns.options }}
+          - name: {{ .name | quote }}
+            {{- if .value }}
+            value: {{ .value | quote }}
+            {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.tap.tolerations.hub }}
+      tolerations:
+      {{- range .Values.tap.tolerations.hub }}
+        - key: {{ .key | quote }}
+          operator: {{ .operator | quote }}
+          {{- if .value }}
+          value: {{ .value | quote }}
+          {{- end }}
+          {{- if .effect }}
+          effect: {{ .effect | quote }}
+          {{- end }}
+          {{- if .tolerationSeconds }}
+          tolerationSeconds: {{ .tolerationSeconds }}
+          {{- end }}
+      {{- end }}
+      {{- end }}
+      volumes:
+      - name: saml-x509-volume
+        projected:
+          sources:
+          - secret:
+              name: kubeshark-saml-x509-crt-secret
+              items:
+              - key: AUTH_SAML_X509_CRT
+                path: kubeshark.crt
+          - secret:
+              name: kubeshark-saml-x509-key-secret
+              items:
+              - key: AUTH_SAML_X509_KEY
+                path: kubeshark.key
+      - name: snapshots-volume
+        {{- if .Values.tap.snapshots.storageClass }}
+        persistentVolumeClaim:
+          claimName: {{ include "kubeshark.name" . }}-snapshots-pvc
+        {{- else }}
+        emptyDir:
+          sizeLimit: {{ .Values.tap.snapshots.storageSize }}
+        {{- end }}
--- a/helm-chart/templates/05-hub-service.yaml
+++ b/helm-chart/templates/05-hub-service.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-hub
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: kubeshark-hub
+      port: 80
+      targetPort: 8080
+  selector:
+    app.kubeshark.com/app: hub
+  type: ClusterIP
--- a/helm-chart/templates/06-front-deployment.yaml
+++ b/helm-chart/templates/06-front-deployment.yaml
@@ -0,0 +1,192 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubeshark.com/app: front
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: {{ include "kubeshark.name" . }}-front
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1  # Set the desired number of replicas
+  selector:
+    matchLabels:
+      app.kubeshark.com/app: front
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubeshark.com/app: front
+        {{- include "kubeshark.labels" . | nindent 8 }}
+    spec:
+      containers:
+        - env:
+            - name: REACT_APP_AUTH_ENABLED
+              value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
+                        {{ (and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false }}
+                      {{- else -}}
+                        {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
+                      {{- end }}'
+            - name: REACT_APP_AUTH_TYPE
+              value: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
+                        default
+                      {{- else -}}
+                        {{ .Values.tap.auth.type }}
+                      {{- end }}'
+            - name: REACT_APP_COMPLETE_STREAMING_ENABLED
+              value: '{{- if and (hasKey .Values.tap "dashboard") (hasKey .Values.tap.dashboard "completeStreamingEnabled") -}}
+                        {{ eq .Values.tap.dashboard.completeStreamingEnabled true | ternary "true" "false" }}
+                      {{- else -}}
+                        true
+                      {{- end }}'
+            - name: REACT_APP_STREAMING_TYPE
+              value: '{{ default "" (((.Values).tap).dashboard).streamingType }}'
+            - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
+              value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
+            - name: REACT_APP_TIMEZONE
+              value: '{{ not (eq .Values.timezone "") | ternary .Values.timezone " " }}'
+            - name: REACT_APP_SCRIPTING_HIDDEN
+              value: '{{- if and .Values.scripting (eq (.Values.scripting.enabled | toString) "false") -}}
+                        true
+                      {{- else -}}
+                        false
+                      {{- end }}'
+            - name: REACT_APP_SCRIPTING_DISABLED
+              value: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
+                        {{- if .Values.demoModeEnabled -}}
+                          {{ .Values.demoModeEnabled | ternary false true }}
+                        {{- else -}}
+                          true
+                        {{- end }}
+                      {{- else -}}
+                        false
+                      {{- end }}'
+            - name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
+            - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
+            - name: REACT_APP_BPF_OVERRIDE_DISABLED
+              value: '{{ eq .Values.tap.packetCapture "af_packet" | ternary "false" "true" }}'
+            - name: REACT_APP_RECORDING_DISABLED
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
+            - name: REACT_APP_DISSECTION_ENABLED
+              value: '{{ .Values.tap.capture.dissection.enabled | ternary "true" "false" }}'
+            - name: REACT_APP_DISSECTION_CONTROL_ENABLED
+              value: '{{- if and .Values.tap.liveConfigMapChangesDisabled (not .Values.tap.capture.dissection.enabled) -}}
+                        true
+                      {{- else -}}
+                        {{ not .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
+                      {{- end -}}'
+            - name: 'REACT_APP_CLOUD_LICENSE_ENABLED'
+              value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
+                        "false"
+                      {{- else -}}
+                        {{ .Values.cloudLicenseEnabled }}
+                      {{- end }}'
+            - name: REACT_APP_SUPPORT_CHAT_ENABLED
+              value: '{{ and .Values.supportChatEnabled .Values.internetConnectivity | ternary "true" "false" }}'
+            - name: REACT_APP_BETA_ENABLED
+              value: '{{ default false .Values.betaEnabled | ternary "true" "false" }}'
+            - name: REACT_APP_DISSECTORS_UPDATING_ENABLED
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
+            - name: REACT_APP_RAW_CAPTURE_ENABLED
+              value: '{{ .Values.tap.capture.raw.enabled | ternary "true" "false" }}'
+            - name: REACT_APP_SENTRY_ENABLED
+              value: '{{ (include "sentry.enabled" .) }}'
+            - name: REACT_APP_SENTRY_ENVIRONMENT
+              value: '{{ .Values.tap.sentry.environment }}'
+        {{- if .Values.tap.docker.overrideImage.front }}
+          image: '{{ .Values.tap.docker.overrideImage.front }}'
+        {{- else if .Values.tap.docker.overrideTag.front }}
+          image: '{{ .Values.tap.docker.registry }}/front:{{ .Values.tap.docker.overrideTag.front }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/front:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}'
+        {{- end }}
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          name: kubeshark-front
+          livenessProbe:
+            periodSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 3
+            tcpSocket:
+              port: 8080
+          readinessProbe:
+            periodSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 3
+            tcpSocket:
+              port: 8080
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: 750m
+              memory: 1Gi
+            requests:
+              cpu: 50m
+              memory: 50Mi
+          volumeMounts:
+            - name: nginx-config
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+              readOnly: true
+{{- if gt (len .Values.tap.nodeSelectorTerms.front) 0}}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              {{- toYaml .Values.tap.nodeSelectorTerms.front | nindent 12 }}
+{{- end }}
+      {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
+      dnsConfig:
+        {{- if .Values.tap.dns.nameservers }}
+        nameservers:
+        {{- range .Values.tap.dns.nameservers }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.searches }}
+        searches:
+        {{- range .Values.tap.dns.searches }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.options }}
+        options:
+        {{- range .Values.tap.dns.options }}
+          - name: {{ .name | quote }}
+            {{- if .value }}
+            value: {{ .value | quote }}
+            {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.tap.tolerations.front }}
+      tolerations:
+      {{- range .Values.tap.tolerations.front }}
+        - key: {{ .key | quote }}
+          operator: {{ .operator | quote }}
+          {{- if .value }}
+          value: {{ .value | quote }}
+          {{- end }}
+          {{- if .effect }}
+          effect: {{ .effect | quote }}
+          {{- end }}
+          {{- if .tolerationSeconds }}
+          tolerationSeconds: {{ .tolerationSeconds }}
+          {{- end }}
+      {{- end }}
+      {{- end }}
+      volumes:
+        - name: nginx-config
+          configMap:
+            name: kubeshark-nginx-config-map
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+      {{- if .Values.tap.priorityClass }}
+      priorityClassName: {{ .Values.tap.priorityClass | quote }}
+      {{- end }}
--- a/helm-chart/templates/07-front-service.yaml
+++ b/helm-chart/templates/07-front-service.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-front
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: kubeshark-front
+      port: 80
+      targetPort: 8080
+  selector:
+    app.kubeshark.com/app: front
+  type: ClusterIP
--- a/helm-chart/templates/08-persistent-volume-claim.yaml
+++ b/helm-chart/templates/08-persistent-volume-claim.yaml
@@ -0,0 +1,44 @@
+---
+{{- if .Values.tap.persistentStorageStatic }}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: kubeshark-persistent-volume
+  namespace: {{ .Release.Namespace }}
+spec:
+  capacity:
+    storage: {{ .Values.tap.storageLimit }}
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: {{ .Values.tap.storageClass }}
+  {{- if .Values.tap.efsFileSytemIdAndPath }}
+  csi:
+    driver: efs.csi.aws.com
+    volumeHandle: {{ .Values.tap.efsFileSytemIdAndPath }}
+  {{ end }}
+---
+{{ end }}
+{{- if .Values.tap.persistentStorage }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-persistent-volume-claim
+  namespace: {{ .Release.Namespace }}
+spec:
+  volumeMode: {{ .Values.tap.persistentStoragePvcVolumeMode }}
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.tap.storageLimit }}
+  storageClassName: {{ .Values.tap.storageClass }}
+status: {}
+{{- end }}
--- a/helm-chart/templates/09-snapshots-pvc.yaml
+++ b/helm-chart/templates/09-snapshots-pvc.yaml
@@ -0,0 +1,22 @@
+---
+{{- if .Values.tap.snapshots.storageClass }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: {{ include "kubeshark.name" . }}-snapshots-pvc
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.tap.snapshots.storageSize }}
+  storageClassName: {{ .Values.tap.snapshots.storageClass }}
+status: {}
+{{- end }}
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -0,0 +1,413 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubeshark.com/app: worker
+    sidecar.istio.io/inject: "false"
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-worker-daemon-set
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app.kubeshark.com/app: worker
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubeshark.com/app: worker
+        {{- include "kubeshark.labels" . | nindent 8 }}
+      name: kubeshark-worker-daemon-set
+      namespace: kubeshark
+    spec:
+      {{- if or .Values.tap.mountBpf .Values.tap.persistentStorage}}
+      initContainers:
+      {{- end }}
+      {{- if .Values.tap.mountBpf }}
+        - command:
+          - /bin/sh
+          - -c
+          - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
+          {{- if .Values.tap.docker.overrideTag.worker }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{- end }}
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          name: mount-bpf
+          securityContext:
+            privileged: true
+          volumeMounts:
+          - mountPath: /sys
+            name: sys
+            mountPropagation: Bidirectional
+      {{- end }}
+      {{- if .Values.tap.persistentStorage }}
+        - command:
+          - /bin/sh
+          - -c
+          - mkdir -p /app/data/$NODE_NAME && rm -rf /app/data/$NODE_NAME/tracer_*
+          {{- if .Values.tap.docker.overrideTag.worker }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{- end }}
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          name: cleanup-data-dir
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+          - mountPath: /app/data
+            name: data
+      {{- end }}
+      containers:
+        - command:
+            - ./worker
+            - -i
+            - any
+            - -port
+            - '{{ .Values.tap.proxy.worker.srvPort }}'
+            - -metrics-port
+            - '{{ .Values.tap.metrics.port }}'
+            - -packet-capture
+            - '{{ .Values.tap.packetCapture }}'
+            - -loglevel
+            - '{{ .Values.logLevel | default "warning" }}'
+          {{- if not .Values.tap.tls }}
+            - -disable-tracer
+          {{- end }}
+          {{- if .Values.tap.serviceMesh }}
+            - -servicemesh
+          {{- end }}
+            - -procfs
+            - /hostproc
+          {{- if .Values.tap.resourceGuard.enabled }}
+            - -enable-resource-guard
+          {{- end }}
+          {{- if .Values.tap.watchdog.enabled }}
+            - -enable-watchdog
+          {{- end }}
+            - -resolution-strategy
+            - '{{ .Values.tap.misc.resolutionStrategy }}'
+            - -staletimeout
+            - '{{ .Values.tap.misc.staleTimeoutSeconds }}'
+            - -storage-size
+            - '{{ .Values.tap.storageLimit }}'
+            - -capture-db-max-size
+            - '{{ .Values.tap.capture.dbMaxSize }}'
+            - -cloud-api-url
+            - '{{ .Values.cloudApiUrl }}'
+        {{- if .Values.tap.docker.overrideImage.worker }}
+          image: '{{ .Values.tap.docker.overrideImage.worker }}'
+        {{- else if .Values.tap.docker.overrideTag.worker }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{- end }}
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          name: sniffer
+          ports:
+            - containerPort: {{ .Values.tap.metrics.port }}
+              protocol: TCP
+              name: metrics
+          env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: TCP_STREAM_CHANNEL_TIMEOUT_MS
+            value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutMs }}'
+          - name: TCP_STREAM_CHANNEL_TIMEOUT_SHOW
+            value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutShow }}'
+          - name: PROFILING_ENABLED
+            value: '{{ .Values.tap.pprof.enabled }}'
+          - name: SENTRY_ENABLED
+            value: '{{ (include "sentry.enabled" .) }}'
+          - name: SENTRY_ENVIRONMENT
+            value: '{{ .Values.tap.sentry.environment }}'
+          resources:
+            limits:
+              {{ if ne (toString .Values.tap.resources.sniffer.limits.cpu) "0" }}
+              cpu: {{ .Values.tap.resources.sniffer.limits.cpu }}
+              {{ end }}
+              {{ if ne (toString .Values.tap.resources.sniffer.limits.memory) "0" }}
+              memory: {{ .Values.tap.resources.sniffer.limits.memory }}
+              {{ end }}
+            requests:
+              {{ if ne (toString .Values.tap.resources.sniffer.requests.cpu) "0" }}
+              cpu: {{ .Values.tap.resources.sniffer.requests.cpu }}
+              {{ end }}
+              {{ if ne (toString .Values.tap.resources.sniffer.requests.memory) "0" }}
+              memory: {{ .Values.tap.resources.sniffer.requests.memory }}
+              {{ end }}
+          securityContext:
+            privileged: {{ .Values.tap.securityContext.privileged }}
+            {{- if not .Values.tap.securityContext.privileged }}
+            {{- $aaProfile := .Values.tap.securityContext.appArmorProfile }}
+            {{- $selinuxOpts := .Values.tap.securityContext.seLinuxOptions }}
+            {{- if or (ne $aaProfile.type "") (ne $aaProfile.localhostProfile "") }}
+            appArmorProfile:
+              {{- if ne $aaProfile.type "" }}
+              type: {{ $aaProfile.type }}
+              {{- end }}
+              {{- if ne $aaProfile.localhostProfile "" }}
+              localhostProfile: {{ $aaProfile.localhostProfile }}
+              {{- end }}
+            {{- end }}
+            {{- if or (ne $selinuxOpts.level "") (ne $selinuxOpts.role "") (ne $selinuxOpts.type "") (ne $selinuxOpts.user "") }}
+            seLinuxOptions:
+              {{- if ne $selinuxOpts.level "" }}
+              level: {{ $selinuxOpts.level }}
+              {{- end }}
+              {{- if ne $selinuxOpts.role "" }}
+              role: {{ $selinuxOpts.role }}
+              {{- end }}
+              {{- if ne $selinuxOpts.type "" }}
+              type: {{ $selinuxOpts.type }}
+              {{- end }}
+              {{- if ne $selinuxOpts.user "" }}
+              user: {{ $selinuxOpts.user }}
+              {{- end }}
+            {{- end }}
+            capabilities:
+              add:
+                {{- range .Values.tap.securityContext.capabilities.networkCapture }}
+                {{ print "- " . }}
+                {{- end }}
+                {{- if .Values.tap.serviceMesh }}
+                {{- range .Values.tap.securityContext.capabilities.serviceMeshCapture }}
+                {{ print "- " . }}
+                {{- end }}
+                {{- end }}
+                {{- if .Values.tap.securityContext.capabilities.ebpfCapture }}
+                {{- range .Values.tap.securityContext.capabilities.ebpfCapture }}
+                {{ print "- " . }}
+                {{- end }}
+                {{- end }}
+              drop:
+                - ALL
+            {{- end }}
+          readinessProbe:
+            periodSeconds: {{ .Values.tap.probes.sniffer.periodSeconds }}
+            failureThreshold: {{ .Values.tap.probes.sniffer.failureThreshold }}
+            successThreshold: {{ .Values.tap.probes.sniffer.successThreshold }}
+            initialDelaySeconds: {{ .Values.tap.probes.sniffer.initialDelaySeconds }}
+            tcpSocket:
+              port: {{ .Values.tap.proxy.worker.srvPort }}
+          livenessProbe:
+            periodSeconds: {{ .Values.tap.probes.sniffer.periodSeconds }}
+            failureThreshold: {{ .Values.tap.probes.sniffer.failureThreshold }}
+            successThreshold: {{ .Values.tap.probes.sniffer.successThreshold }}
+            initialDelaySeconds: {{ .Values.tap.probes.sniffer.initialDelaySeconds }}
+            tcpSocket:
+              port: {{ .Values.tap.proxy.worker.srvPort }}
+          volumeMounts:
+            - mountPath: /hostproc
+              name: proc
+              readOnly: true
+            - mountPath: /sys
+              name: sys
+              readOnly: true
+              mountPropagation: HostToContainer
+            - mountPath: /app/data
+              name: data
+      {{- if .Values.tap.tls }}
+        - command:
+            - ./tracer
+            - -procfs
+            - /hostproc
+          {{- if .Values.tap.disableTlsLog }}
+            - -disable-tls-log
+          {{- end }}
+          {{- if .Values.tap.pprof.enabled }}
+            - -port
+            - '{{ add .Values.tap.proxy.worker.srvPort 1 }}'
+          {{- end }}
+            - -loglevel
+            - '{{ .Values.logLevel | default "warning" }}'
+        {{- if .Values.tap.docker.overrideTag.worker }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+        {{- end }}
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          name: tracer
+          env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: PROFILING_ENABLED
+            value: '{{ .Values.tap.pprof.enabled }}'
+          - name: SENTRY_ENABLED
+            value: '{{ (include "sentry.enabled" .) }}'
+          - name: SENTRY_ENVIRONMENT
+            value: '{{ .Values.tap.sentry.environment }}'
+          resources:
+            limits:
+              {{ if ne (toString .Values.tap.resources.tracer.limits.cpu) "0" }}
+              cpu: {{ .Values.tap.resources.tracer.limits.cpu }}
+              {{ end }}
+              {{ if ne (toString .Values.tap.resources.tracer.limits.memory) "0" }}
+              memory: {{ .Values.tap.resources.tracer.limits.memory }}
+              {{ end }}
+            requests:
+              {{ if ne (toString .Values.tap.resources.tracer.requests.cpu) "0" }}
+              cpu: {{ .Values.tap.resources.tracer.requests.cpu }}
+              {{ end }}
+              {{ if ne (toString .Values.tap.resources.tracer.requests.memory) "0" }}
+              memory: {{ .Values.tap.resources.tracer.requests.memory }}
+              {{ end }}
+          securityContext:
+            privileged: {{ .Values.tap.securityContext.privileged }}
+            {{- if not .Values.tap.securityContext.privileged }}
+            {{- $aaProfile := .Values.tap.securityContext.appArmorProfile }}
+            {{- $selinuxOpts := .Values.tap.securityContext.seLinuxOptions }}
+            {{- if or (ne $aaProfile.type "") (ne $aaProfile.localhostProfile "") }}
+            appArmorProfile:
+              {{- if ne $aaProfile.type "" }}
+              type: {{ $aaProfile.type }}
+              {{- end }}
+              {{- if ne $aaProfile.localhostProfile "" }}
+              localhostProfile: {{ $aaProfile.localhostProfile }}
+              {{- end }}
+            {{- end }}
+            {{- if or (ne $selinuxOpts.level "") (ne $selinuxOpts.role "") (ne $selinuxOpts.type "") (ne $selinuxOpts.user "") }}
+            seLinuxOptions:
+              {{- if ne $selinuxOpts.level "" }}
+              level: {{ $selinuxOpts.level }}
+              {{- end }}
+              {{- if ne $selinuxOpts.role "" }}
+              role: {{ $selinuxOpts.role }}
+              {{- end }}
+              {{- if ne $selinuxOpts.type "" }}
+              type: {{ $selinuxOpts.type }}
+              {{- end }}
+              {{- if ne $selinuxOpts.user "" }}
+              user: {{ $selinuxOpts.user }}
+              {{- end }}
+            {{- end }}
+            capabilities:
+              add:
+                {{- range .Values.tap.securityContext.capabilities.ebpfCapture }}
+                {{ print "- " . }}
+                {{- end }}
+                {{- range .Values.tap.securityContext.capabilities.networkCapture }}
+                {{ print "- " . }}
+                {{- end }}
+              drop:
+                - ALL
+            {{- end }}
+          volumeMounts:
+            - mountPath: /hostproc
+              name: proc
+              readOnly: true
+            - mountPath: /sys
+              name: sys
+              readOnly: true
+              mountPropagation: HostToContainer
+            - mountPath: /app/data
+              name: data
+            - mountPath: /etc/os-release
+              name: os-release
+              readOnly: true
+            - mountPath: /hostroot
+              mountPropagation: HostToContainer
+              name: root
+              readOnly: true
+      {{- end }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: {{ .Values.tap.hostNetwork }}
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+      {{- if .Values.tap.priorityClass }}
+      priorityClassName: {{ .Values.tap.priorityClass | quote }}
+      {{- end }}
+      {{- if .Values.tap.tolerations.workers }}
+      tolerations:
+      {{- range .Values.tap.tolerations.workers }}
+        - key: {{ .key | quote }}
+          operator: {{ .operator | quote }}
+          {{- if .value }}
+          value: {{ .value | quote }}
+          {{- end }}
+          {{- if .effect }}
+          effect: {{ .effect | quote }}
+          {{- end }}
+          {{- if .tolerationSeconds }}
+          tolerationSeconds: {{ .tolerationSeconds }}
+          {{- end }}
+      {{- end }}
+      {{- end }}
+{{- if gt (len .Values.tap.nodeSelectorTerms.workers) 0}}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              {{- toYaml .Values.tap.nodeSelectorTerms.workers | nindent 12 }}
+{{- end }}
+      {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
+      dnsConfig:
+        {{- if .Values.tap.dns.nameservers }}
+        nameservers:
+        {{- range .Values.tap.dns.nameservers }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.searches }}
+        searches:
+        {{- range .Values.tap.dns.searches }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.options }}
+        options:
+        {{- range .Values.tap.dns.options }}
+          - name: {{ .name | quote }}
+            {{- if .value }}
+            value: {{ .value | quote }}
+            {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      volumes:
+        - hostPath:
+            path: /proc
+          name: proc
+        - hostPath:
+            path: /sys
+          name: sys
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - hostPath:
+            path: /etc/os-release
+          name: os-release
+        {{- if .Values.tap.tls }}
+        - hostPath:
+            path: /
+          name: root
+        {{- end }}
+        - name: data
+{{- if .Values.tap.persistentStorage }}
+          persistentVolumeClaim:
+            claimName: kubeshark-persistent-volume-claim
+{{- else }}
+          emptyDir:
+            sizeLimit: {{ .Values.tap.storageLimit }}
+{{- end }}
--- a/helm-chart/templates/10-ingress.yaml
+++ b/helm-chart/templates/10-ingress.yaml
@@ -0,0 +1,39 @@
+---
+{{- if .Values.tap.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.org/websocket-services: "kubeshark-front"
+{{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+{{- end }}
+  {{- if .Values.tap.ingress.annotations }}
+    {{- toYaml .Values.tap.ingress.annotations | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  name: kubeshark-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if .Values.tap.ingress.className }}
+  ingressClassName: {{ .Values.tap.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.tap.ingress.host }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: kubeshark-front
+                port:
+                  number: 80
+            path: {{ default "/" (((.Values).tap).ingress).path }}
+            pathType: Prefix
+  {{- if .Values.tap.ingress.tls }}
+  tls:
+    {{- toYaml .Values.tap.ingress.tls | nindent 2 }}
+  {{- end }}
+status:
+  loadBalancer: {}
+{{- end }}
--- a/helm-chart/templates/11-nginx-config-map.yaml
+++ b/helm-chart/templates/11-nginx-config-map.yaml
@@ -0,0 +1,89 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeshark-nginx-config-map
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+data:
+  default.conf: |
+    server {
+      listen 8080;
+{{- if .Values.tap.ipv6 }}
+      listen [::]:8080;
+{{- end }}
+      access_log /dev/stdout;
+      error_log /dev/stdout;
+
+      client_body_buffer_size     64k;
+      client_header_buffer_size   32k;
+      large_client_header_buffers 8 64k;
+
+      location {{ default "" (((.Values.tap).routing).front).basePath }}/api {
+        rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/api(.*)$ $1 break;
+        proxy_pass http://kubeshark-hub;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   Host $http_host;
+        proxy_set_header Upgrade websocket;
+        proxy_set_header Connection Upgrade;
+        proxy_set_header  Authorization $http_authorization;
+        proxy_pass_header Authorization;
+        proxy_connect_timeout 4s;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 12s;
+        proxy_pass_request_headers      on;
+      }
+
+      location {{ default "" (((.Values.tap).routing).front).basePath }}/saml {
+        rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/saml(.*)$ /saml$1 break;
+        proxy_pass http://kubeshark-hub;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   Host $http_host;
+        proxy_connect_timeout 4s;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 12s;
+        proxy_pass_request_headers on;
+      }
+
+{{- if .Values.tap.auth.dexConfig }}
+       location /dex {
+        rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/dex(.*)$ /dex$1 break;
+        proxy_pass http://kubeshark-dex;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   Host $http_host;
+        proxy_set_header Upgrade websocket;
+        proxy_set_header Connection Upgrade;
+        proxy_set_header  Authorization $http_authorization;
+        proxy_pass_header Authorization;
+        proxy_connect_timeout 4s;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 12s;
+        proxy_pass_request_headers      on;
+      }
+{{- end }}
+
+{{- if (((.Values.tap).routing).front).basePath }}
+      location {{ .Values.tap.routing.front.basePath }} {
+        rewrite ^{{ .Values.tap.routing.front.basePath }}(.*)$ $1 break;
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        try_files $uri $uri/ /index.html;
+        expires -1;
+        add_header Cache-Control no-cache;
+      }
+{{- end }}
+
+      location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        try_files $uri $uri/ /index.html;
+        expires -1;
+        add_header Cache-Control no-cache;
+      }
+      error_page   500 502 503 504  /50x.html;
+      location = /50x.html {
+        root   /usr/share/nginx/html;
+      }
+    }
+
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@@ -0,0 +1,87 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "kubeshark.configmapName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+data:
+    POD_REGEX: '{{ .Values.tap.regex }}'
+    NAMESPACES: '{{ gt (len .Values.tap.namespaces) 0 | ternary (join "," .Values.tap.namespaces) "" }}'
+    EXCLUDED_NAMESPACES: '{{ gt (len .Values.tap.excludedNamespaces) 0 | ternary (join "," .Values.tap.excludedNamespaces) "" }}'
+    BPF_OVERRIDE: '{{ .Values.tap.bpfOverride }}'
+    DISSECTION_ENABLED: '{{ .Values.tap.capture.dissection.enabled | ternary "true" "false" }}'
+    CAPTURE_SELF: '{{ .Values.tap.capture.captureSelf | ternary "true" "false" }}'
+    SCRIPTING_SCRIPTS: '{}'
+    SCRIPTING_ACTIVE_SCRIPTS: '{{ gt (len .Values.scripting.active) 0 | ternary (join "," .Values.scripting.active) "" }}'
+    INGRESS_ENABLED: '{{ .Values.tap.ingress.enabled }}'
+    INGRESS_HOST: '{{ .Values.tap.ingress.host }}'
+    PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}'
+    AUTH_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
+                      {{ and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex") | ternary true false }}
+                  {{- else -}}
+                      {{ .Values.cloudLicenseEnabled | ternary "true" (.Values.tap.auth.enabled | ternary "true" "") }}
+                  {{- end }}'
+    AUTH_TYPE: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
+                  default
+                {{- else -}}
+                  {{ .Values.tap.auth.type }}
+                {{- end }}'
+    AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
+    AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
+    AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
+    AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
+    AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
+    AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
+    AUTH_OIDC_BYPASS_SSL_CA_CHECK: '{{- if and
+                                      (hasKey .Values.tap "auth")
+                                      (hasKey .Values.tap.auth "dexOidc")
+                                      (hasKey .Values.tap.auth.dexOidc "bypassSslCaCheck")
+                                    -}}
+                                      {{ eq .Values.tap.auth.dexOidc.bypassSslCaCheck true | ternary "true" "false" }}
+                                    {{- else -}}
+                                      false
+                                    {{- end }}'
+    TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
+    SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
+                           {{- if .Values.demoModeEnabled -}}
+                             {{ .Values.demoModeEnabled | ternary false true }}
+                           {{- else -}}
+                             true
+                           {{- end }}
+                         {{- else -}}
+                           false
+                         {{- end }}'
+    TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
+    PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
+    RECORDING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
+    DISSECTION_CONTROL_ENABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled (not .Values.tap.capture.dissection.enabled) -}}
+                                     true
+                                   {{- else -}}
+                                     {{ not .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
+                                   {{- end }}'
+    GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
+    DEFAULT_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.defaultFilter | quote }}
+    TRAFFIC_SAMPLE_RATE: '{{ .Values.tap.misc.trafficSampleRate }}'
+    JSON_TTL: '{{ .Values.tap.misc.jsonTTL }}'
+    PCAP_TTL: '{{ .Values.tap.misc.pcapTTL }}'
+    PCAP_ERROR_TTL: '{{ .Values.tap.misc.pcapErrorTTL }}'
+    TIMEZONE: '{{ not (eq .Values.timezone "") | ternary .Values.timezone " " }}'
+    CLOUD_LICENSE_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
+                              false
+                            {{- else -}}
+                              {{ .Values.cloudLicenseEnabled }}
+                            {{- end }}'
+    DUPLICATE_TIMEFRAME: '{{ .Values.tap.misc.duplicateTimeframe }}'
+    ENABLED_DISSECTORS: '{{ gt (len .Values.tap.enabledDissectors) 0 | ternary (join "," .Values.tap.enabledDissectors) "" }}'
+    CUSTOM_MACROS: '{{ toJson .Values.tap.customMacros }}'
+    DISSECTORS_UPDATING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
+    DETECT_DUPLICATES: '{{ .Values.tap.misc.detectDuplicates | ternary "true" "false" }}'
+    PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled }}'
+    PCAP_TIME_INTERVAL: '{{ .Values.pcapdump.timeInterval }}'
+    PCAP_MAX_TIME: '{{ .Values.pcapdump.maxTime }}'
+    PCAP_MAX_SIZE: '{{ .Values.pcapdump.maxSize }}'
+    PORT_MAPPING: '{{ toJson .Values.tap.portMapping }}'
+    RAW_CAPTURE_ENABLED: '{{ .Values.tap.capture.raw.enabled | ternary "true" "false" }}'
+    RAW_CAPTURE_STORAGE_SIZE: '{{ .Values.tap.capture.raw.storageSize }}'
--- a/helm-chart/templates/13-secret.yaml
+++ b/helm-chart/templates/13-secret.yaml
@@ -0,0 +1,43 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ include "kubeshark.secretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+stringData:
+    LICENSE: '{{ .Values.license }}'
+    SCRIPTING_ENV: '{{ .Values.scripting.env | toJson }}'
+    OIDC_CLIENT_ID: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientId }}'
+    OIDC_CLIENT_SECRET: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientSecret }}'
+
+---
+
+kind: Secret
+apiVersion: v1
+metadata:
+  name: kubeshark-saml-x509-crt-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+stringData:
+  AUTH_SAML_X509_CRT: |
+    {{ .Values.tap.auth.saml.x509crt | nindent 4 }}
+
+---
+
+kind: Secret
+apiVersion: v1
+metadata:
+  name: kubeshark-saml-x509-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+stringData:
+  AUTH_SAML_X509_KEY: |
+    {{ .Values.tap.auth.saml.x509key | nindent 4 }}
+
+---
--- a/helm-chart/templates/14-openshift-security-context-constraints.yaml
+++ b/helm-chart/templates/14-openshift-security-context-constraints.yaml
@@ -0,0 +1,53 @@
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-scc
+priority: 10
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+allowHostNetwork: true
+allowHostPorts: true
+allowHostPID: true
+allowHostIPC: true
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - MKNOD
+allowedCapabilities:
+  - NET_RAW
+  - NET_ADMIN
+  - SYS_ADMIN
+  - SYS_PTRACE
+  - DAC_OVERRIDE
+  - SYS_RESOURCE
+  - SYS_MODULE
+  - IPC_LOCK
+runAsUser:
+  type: RunAsAny
+fsGroup:
+  type: MustRunAs
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+seccompProfiles:
+- '*'
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - secret
+  - hostPath
+  - projected
+  - ephemeral
+users:
+  - system:serviceaccount:{{ .Release.Namespace }}:kubeshark-service-account
+{{- end }}
--- a/helm-chart/templates/15-worker-service-metrics.yaml
+++ b/helm-chart/templates/15-worker-service-metrics.yaml
@@ -0,0 +1,23 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+    prometheus.io/scrape: 'true'
+    prometheus.io/port: '{{ .Values.tap.metrics.port }}'
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-worker-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app.kubeshark.com/app: worker
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  ports:
+  - name: metrics
+    protocol: TCP
+    port: {{ .Values.tap.metrics.port }}
+    targetPort: {{ .Values.tap.metrics.port }}
--- a/helm-chart/templates/16-hub-service-metrics.yaml
+++ b/helm-chart/templates/16-hub-service-metrics.yaml
@@ -0,0 +1,23 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+    prometheus.io/scrape: 'true'
+    prometheus.io/port: '9100'
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-hub-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  ports:
+  - name: metrics
+    protocol: TCP
+    port: 9100
+    targetPort: 9100
--- a/helm-chart/templates/17-network-policies.yaml
+++ b/helm-chart/templates/17-network-policies.yaml
@@ -0,0 +1,104 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-hub-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubeshark.com/app: hub
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8080
+    - ports:
+        - protocol: TCP
+          port: 9100
+  egress:
+    - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-front-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubeshark.com/app: front
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8080
+  egress:
+    - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-dex-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubeshark.com/app: dex
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 5556
+  egress:
+    - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-worker-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubeshark.com/app: worker
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: {{ .Values.tap.proxy.worker.srvPort }}
+        - protocol: TCP
+          port: {{ .Values.tap.metrics.port }}
+  egress:
+    - {}
--- a/helm-chart/templates/18-cleanup-job.yaml
+++ b/helm-chart/templates/18-cleanup-job.yaml
@@ -0,0 +1,27 @@
+{{ if .Values.tap.gitops.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kubeshark-cleanup-job
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+      {{- if .Values.tap.priorityClass }}
+      priorityClassName: {{ .Values.tap.priorityClass | quote }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: cleanup
+        {{- if .Values.tap.docker.overrideImage.hub }}
+          image: '{{ .Values.tap.docker.overrideImage.hub }}'
+        {{- else if .Values.tap.docker.overrideTag.hub }}
+          image: '{{ .Values.tap.docker.registry }}/hub:{{ .Values.tap.docker.overrideTag.hub }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/hub:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}'
+        {{- end }}
+          command: ["/app/cleanup"]
+{{ end -}}
--- a/helm-chart/templates/18-dex-deployment.yaml
+++ b/helm-chart/templates/18-dex-deployment.yaml
@@ -0,0 +1,112 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubeshark.com/app: dex
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: {{ include "kubeshark.name" . }}-dex
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1  # Set the desired number of replicas
+  selector:
+    matchLabels:
+      app.kubeshark.com/app: dex
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubeshark.com/app: dex
+        {{- include "kubeshark.labels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: kubeshark-dex
+          image: 'dexidp/dex:v2.42.0-alpine'
+          ports:
+            - name: http
+              containerPort: 5556
+              protocol: TCP
+            - name: telemetry
+              containerPort: 5558
+              protocol: TCP
+          args:
+          - dex
+          - serve
+          - /etc/dex/dex-config.yaml
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          volumeMounts:
+            - name: dex-secret-conf-volume
+              mountPath: /etc/dex/dex-config.yaml
+              subPath: dex-config.yaml
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /healthz/live
+              port: 5558
+            periodSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz/ready
+              port: 5558
+            periodSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 3
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: 750m
+              memory: 1Gi
+            requests:
+              cpu: 50m
+              memory: 50Mi
+{{- if gt (len .Values.tap.nodeSelectorTerms.dex) 0}}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              {{- toYaml .Values.tap.nodeSelectorTerms.dex | nindent 12 }}
+{{- end }}
+      {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
+      dnsConfig:
+        {{- if .Values.tap.dns.nameservers }}
+        nameservers:
+        {{- range .Values.tap.dns.nameservers }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.searches }}
+        searches:
+        {{- range .Values.tap.dns.searches }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.options }}
+        options:
+        {{- range .Values.tap.dns.options }}
+          - name: {{ .name | quote }}
+            {{- if .value }}
+            value: {{ .value | quote }}
+            {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      volumes:
+        - name: dex-secret-conf-volume
+          secret:
+            secretName: kubeshark-dex-conf-secret
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+      {{- if .Values.tap.priorityClass }}
+      priorityClassName: {{ .Values.tap.priorityClass | quote }}
+      {{- end }}
+{{- end }}
--- a/helm-chart/templates/19-dex-service.yaml
+++ b/helm-chart/templates/19-dex-service.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubeshark.com/app: dex
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  {{- if .Values.tap.annotations }}
+  annotations:
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-dex
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: kubeshark-dex
+      port: 80
+      targetPort: 5556
+  selector:
+    app.kubeshark.com/app: dex
+  type: ClusterIP
+
+{{- end }}
--- a/helm-chart/templates/20-dex-secret.yaml
+++ b/helm-chart/templates/20-dex-secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+kind: Secret
+apiVersion: v1
+metadata:
+  name: kubeshark-dex-conf-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubeshark.com/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+data:
+  dex-config.yaml: {{ .Values.tap.auth.dexConfig | toYaml | b64enc | quote }}
+
+{{- end }}
--- a/helm-chart/templates/NOTES.txt
+++ b/helm-chart/templates/NOTES.txt
@@ -0,0 +1,53 @@
+Thank you for installing {{ title .Chart.Name }}.
+
+Registry: {{ .Values.tap.docker.registry }}
+Tag: {{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (printf "v%s" .Chart.Version) }}
+{{- if .Values.tap.docker.overrideTag.worker }}
+Overridden worker tag: {{ .Values.tap.docker.overrideTag.worker }}
+{{- end }}
+{{- if .Values.tap.docker.overrideTag.hub }}
+Overridden hub tag: {{ .Values.tap.docker.overrideTag.hub }}
+{{- end }}
+{{- if .Values.tap.docker.overrideTag.front }}
+Overridden front tag: {{ .Values.tap.docker.overrideTag.front }}
+{{- end }}
+{{- if .Values.tap.docker.overrideImage.worker }}
+Overridden worker image: {{ .Values.tap.docker.overrideImage.worker }}
+{{- end }}
+{{- if .Values.tap.docker.overrideImage.hub }}
+Overridden hub image: {{ .Values.tap.docker.overrideImage.hub }}
+{{- end }}
+{{- if .Values.tap.docker.overrideImage.front }}
+Overridden front image: {{ .Values.tap.docker.overrideImage.front }}
+{{- end }}
+
+Your deployment has been successful. The release is named `{{ .Release.Name }}` and it has been deployed in the `{{ .Release.Namespace }}` namespace.
+
+Notices:
+{{- if .Values.supportChatEnabled}}
+- Support chat using Intercom is enabled. It can be disabled using `--set supportChatEnabled=false`
+{{- end }}
+{{- if eq .Values.license ""}}
+- No license key was detected. 
+- Authenticate through the dashboard to activate a complementary COMMUNITY license.
+- If you have an Enterprise license, download the license key from https://console.kubeshark.com/
+- An Enterprise license-key can be added as 'license: <license>' in helm values or as `--set license=<license>` or as `LICENSE` via mounted secret (`tap.secrets`).
+- Contact us to get an Enterprise license: https://kubeshark.com/contact-us.
+{{- end }}
+{{ if .Values.tap.ingress.enabled }}
+
+You can now access the application through the following URL:
+http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }}{{ default "" (((.Values.tap).routing).front).basePath }}/
+
+{{- else }}
+To access the application, follow these steps:
+
+1. Perform port forwarding with the following commands:
+
+    kubectl port-forward -n {{ .Release.Namespace }} service/kubeshark-front 8899:80
+    you could also run: `kubeshark proxy` (which simply manages the port-forward connection)
+
+2. Once port forwarding is done, you can access the application by visiting the following URL in your web browser:
+    http://127.0.0.1:8899{{ default "" (((.Values.tap).routing).front).basePath }}/
+
+{{- end }}
--- a/helm-chart/templates/_helpers.tpl
+++ b/helm-chart/templates/_helpers.tpl
@@ -0,0 +1,112 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubeshark.name" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubeshark.fullname" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubeshark.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubeshark.labels" -}}
+helm.sh/chart: {{ include "kubeshark.chart" . }}
+{{ include "kubeshark.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.tap.labels }}
+{{ toYaml .Values.tap.labels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubeshark.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubeshark.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubeshark.serviceAccountName" -}}
+{{- printf "%s-service-account" .Release.Name }}
+{{- end }}
+
+{{/*
+Set configmap and secret names based on gitops.enabled
+*/}}
+{{- define "kubeshark.configmapName" -}}
+kubeshark-config-map{{ if .Values.tap.gitops.enabled }}-default{{ end }}
+{{- end -}}
+
+{{- define "kubeshark.secretName" -}}
+kubeshark-secret{{ if .Values.tap.gitops.enabled }}-default{{ end }}
+{{- end -}}
+
+
+{{/*
+Escape double quotes in a string
+*/}}
+{{- define "kubeshark.escapeDoubleQuotes" -}}
+  {{- regexReplaceAll "\"" . "\"" -}}
+{{- end -}}
+
+{{/*
+Define debug docker tag suffix
+*/}}
+{{- define "kubeshark.dockerTagDebugVersion" -}}
+{{- .Values.tap.pprof.enabled | ternary "-debug" "" }}
+{{- end -}}
+
+{{/*
+Create docker tag default version
+*/}}
+{{- define "kubeshark.defaultVersion" -}}
+{{- $defaultVersion := (printf "v%s" .Chart.Version) -}}
+{{- if .Values.tap.docker.tagLocked }}
+  {{- $defaultVersion = regexReplaceAll "^([^.]+\\.[^.]+).*" $defaultVersion "$1" -}}
+{{- end }}
+{{- $defaultVersion }}
+{{- end -}}
+
+{{/*
+Set sentry based on internet connectivity and telemetry
+*/}}
+{{- define "sentry.enabled" -}}
+  {{- $sentryEnabledVal := .Values.tap.sentry.enabled -}}
+  {{- if not .Values.internetConnectivity -}}
+    {{- $sentryEnabledVal = false -}}
+  {{- else if not .Values.tap.telemetry.enabled -}}
+    {{- $sentryEnabledVal = false -}}
+  {{- end -}}
+  {{- $sentryEnabledVal -}}
+{{- end -}}
+
+{{/*
+Dex IdP: retrieve a secret for static client with a specific ID
+*/}}
+{{- define "getDexKubesharkStaticClientSecret" -}}
+  {{- $clientId := .clientId -}}
+  {{- range .clients }}
+    {{- if eq .id $clientId }}
+      {{- .secret }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -0,0 +1,288 @@
+tap:
+  docker:
+    registry: docker.io/kubeshark
+    tag: ""
+    tagLocked: true
+    imagePullPolicy: Always
+    imagePullSecrets: []
+    overrideImage:
+      worker: ""
+      hub: ""
+      front: ""
+    overrideTag:
+      worker: ""
+      hub: ""
+      front: ""
+  proxy:
+    worker:
+      srvPort: 48999
+    hub:
+      srvPort: 8898
+    front:
+      port: 8899
+    host: 127.0.0.1
+  regex: .*
+  namespaces: []
+  excludedNamespaces: []
+  bpfOverride: ""
+  capture:
+    dissection:
+      enabled: true
+      stopAfter: 5m
+    captureSelf: false
+    raw:
+      enabled: true
+      storageSize: 1Gi
+    dbMaxSize: 500Mi
+  delayedDissection:
+    image: kubeshark/worker:master
+    cpu: "1"
+    memory: 4Gi
+  snapshots:
+    storageClass: ""
+    storageSize: 20Gi
+  release:
+    repo: https://helm.kubeshark.com
+    name: kubeshark
+    namespace: default
+  persistentStorage: false
+  persistentStorageStatic: false
+  persistentStoragePvcVolumeMode: FileSystem
+  efsFileSytemIdAndPath: ""
+  secrets: []
+  storageLimit: 10Gi
+  storageClass: standard
+  dryRun: false
+  dns:
+    nameservers: []
+    searches: []
+    options: []
+  resources:
+    hub:
+      limits:
+        cpu: "0"
+        memory: 5Gi
+      requests:
+        cpu: 50m
+        memory: 50Mi
+    sniffer:
+      limits:
+        cpu: "0"
+        memory: 5Gi
+      requests:
+        cpu: 50m
+        memory: 50Mi
+    tracer:
+      limits:
+        cpu: "0"
+        memory: 5Gi
+      requests:
+        cpu: 50m
+        memory: 50Mi
+  probes:
+    hub:
+      initialDelaySeconds: 5
+      periodSeconds: 5
+      successThreshold: 1
+      failureThreshold: 3
+    sniffer:
+      initialDelaySeconds: 5
+      periodSeconds: 5
+      successThreshold: 1
+      failureThreshold: 3
+  serviceMesh: true
+  tls: true
+  disableTlsLog: true
+  packetCapture: best
+  labels: {}
+  annotations: {}
+  nodeSelectorTerms:
+    hub:
+    - matchExpressions:
+      - key: kubernetes.io/os
+        operator: In
+        values:
+        - linux
+    workers:
+    - matchExpressions:
+      - key: kubernetes.io/os
+        operator: In
+        values:
+        - linux
+    front:
+    - matchExpressions:
+      - key: kubernetes.io/os
+        operator: In
+        values:
+        - linux
+    dex:
+    - matchExpressions:
+      - key: kubernetes.io/os
+        operator: In
+        values:
+        - linux
+  tolerations:
+    hub: []
+    workers:
+    - operator: Exists
+      effect: NoExecute
+    front: []
+  auth:
+    enabled: false
+    type: saml
+    saml:
+      idpMetadataUrl: ""
+      x509crt: ""
+      x509key: ""
+      roleAttribute: role
+      roles:
+        admin:
+          filter: ""
+          canDownloadPCAP: true
+          canUseScripting: true
+          scriptingPermissions:
+            canSave: true
+            canActivate: true
+            canDelete: true
+          canUpdateTargetedPods: true
+          canStopTrafficCapturing: true
+          canControlDissection: true
+          showAdminConsoleLink: true
+  ingress:
+    enabled: false
+    className: ""
+    host: ks.svc.cluster.local
+    path: /
+    tls: []
+    annotations: {}
+  priorityClass: ""
+  routing:
+    front:
+      basePath: ""
+  ipv6: true
+  debug: false
+  dashboard:
+    streamingType: connect-rpc
+    completeStreamingEnabled: true
+  telemetry:
+    enabled: true
+  resourceGuard:
+    enabled: false
+  watchdog:
+    enabled: false
+  gitops:
+    enabled: false
+  sentry:
+    enabled: false
+    environment: production
+  defaultFilter: ""
+  liveConfigMapChangesDisabled: false
+  globalFilter: ""
+  enabledDissectors:
+  - amqp
+  - dns
+  - http
+  - icmp
+  - kafka
+  - redis
+  - ws
+  - ldap
+  - radius
+  - diameter
+  - udp-flow
+  - tcp-flow
+  - tcp-conn
+  - udp-conn
+  portMapping:
+    http:
+    - 80
+    - 443
+    - 8080
+    amqp:
+    - 5671
+    - 5672
+    kafka:
+    - 9092
+    redis:
+    - 6379
+    ldap:
+    - 389
+    diameter:
+    - 3868
+  customMacros:
+    https: tls and (http or http2)
+  metrics:
+    port: 49100
+  pprof:
+    enabled: false
+    port: 8000
+    view: flamegraph
+  misc:
+    jsonTTL: 5m
+    pcapTTL: "0"
+    pcapErrorTTL: "0"
+    trafficSampleRate: 100
+    tcpStreamChannelTimeoutMs: 10000
+    tcpStreamChannelTimeoutShow: false
+    resolutionStrategy: auto
+    duplicateTimeframe: 200ms
+    detectDuplicates: false
+    staleTimeoutSeconds: 30
+  securityContext:
+    privileged: true
+    appArmorProfile:
+      type: ""
+      localhostProfile: ""
+    seLinuxOptions:
+      level: ""
+      role: ""
+      type: ""
+      user: ""
+    capabilities:
+      networkCapture:
+      - NET_RAW
+      - NET_ADMIN
+      serviceMeshCapture:
+      - SYS_ADMIN
+      - SYS_PTRACE
+      - DAC_OVERRIDE
+      ebpfCapture:
+      - SYS_ADMIN
+      - SYS_PTRACE
+      - SYS_RESOURCE
+      - IPC_LOCK
+  mountBpf: true
+  hostNetwork: true
+logs:
+  file: ""
+  grep: ""
+pcapdump:
+  enabled: false
+  timeInterval: 1m
+  maxTime: 1h
+  maxSize: 500MB
+  time: time
+  debug: false
+  dest: ""
+kube:
+  configPath: ""
+  context: ""
+dumpLogs: false
+headless: false
+license: ""
+cloudApiUrl: "https://api.kubeshark.com"
+cloudLicenseEnabled: true
+demoModeEnabled: false
+supportChatEnabled: false
+betaEnabled: false
+internetConnectivity: true
+scripting:
+  enabled: false
+  env: {}
+  source: ""
+  sources: []
+  watchScripts: true
+  active: []
+  console: true
+timezone: ""
+logLevel: warning
--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+
+EXE_NAME=kubeshark
+ALIAS_NAME=ks
+PROG_NAME=Kubeshark
+INSTALL_PATH=/usr/local/bin/$EXE_NAME
+ALIAS_PATH=/usr/local/bin/$ALIAS_NAME
+REPO=https://github.com/kubeshark/kubeshark
+OS=$(echo $(uname -s) | tr '[:upper:]' '[:lower:]')
+ARCH=$(echo $(uname -m) | tr '[:upper:]' '[:lower:]')
+SUPPORTED_PAIRS="linux_amd64 linux_arm64 darwin_amd64 darwin_arm64"
+
+ESC="\033["
+F_DEFAULT=39
+F_RED=31
+F_GREEN=32
+F_YELLOW=33
+B_DEFAULT=49
+B_RED=41
+B_BLUE=44
+B_LIGHT_BLUE=104
+
+if [ "$ARCH" = "x86_64" ]; then
+    ARCH="amd64"
+fi
+
+if [ "$ARCH" = "aarch64" ]; then
+    ARCH="arm64"
+fi
+
+echo $SUPPORTED_PAIRS | grep -w -q "${OS}_${ARCH}"
+
+if [ $? != 0 ] ; then
+	echo "\n${ESC}${F_RED}m🛑 Unsupported OS \"$OS\" or architecture \"$ARCH\". Failed to install $PROG_NAME.${ESC}${F_DEFAULT}m"
+    echo "${ESC}${B_RED}mPlease report 🐛 to $REPO/issues${ESC}${F_DEFAULT}m"
+	exit 1
+fi
+
+# Check for Homebrew and kubeshark installation
+if command -v brew >/dev/null; then
+    if brew list kubeshark &>/dev/null; then
+        echo "📦 Found $PROG_NAME instance installed with Homebrew"
+		echo "${ESC}${F_GREEN}m⬇️ Removing before installation with script${ESC}${F_DEFAULT}m"
+        brew uninstall kubeshark
+    fi
+fi
+
+echo "\n🦈 ${ESC}${F_DEFAULT};${B_BLUE}m Started to download $PROG_NAME ${ESC}${B_DEFAULT};${F_DEFAULT}m"
+
+if curl -# --fail -Lo $EXE_NAME ${REPO}/releases/latest/download/${EXE_NAME}_${OS}_${ARCH} ; then
+    chmod +x $PWD/$EXE_NAME
+    echo "\n${ESC}${F_GREEN}m⬇️  $PROG_NAME is downloaded into $PWD/$EXE_NAME${ESC}${F_DEFAULT}m"
+else
+    echo "\n${ESC}${F_RED}m🛑 Couldn't download ${REPO}/releases/latest/download/${EXE_NAME}_${OS}_${ARCH}\n\
+  ⚠️  Check your internet connection.\n\
+  ⚠️  Make sure 'curl' command is available.\n\
+  ⚠️  Make sure there is no directory named '${EXE_NAME}' in ${PWD}\n\
+${ESC}${F_DEFAULT}m"
+    echo "${ESC}${B_RED}mPlease report 🐛 to $REPO/issues${ESC}${F_DEFAULT}m"
+    exit 1
+fi
+
+use_cmd=$EXE_NAME
+printf "Do you want to install system-wide? Requires sudo 😇 (y/N)? "
+old_stty_cfg=$(stty -g)
+stty raw -echo ; answer=$(head -c 1) ; stty $old_stty_cfg
+if echo "$answer" | grep -iq "^y" ;then
+    echo "$answer"
+    sudo mv ./$EXE_NAME $INSTALL_PATH || exit 1
+    echo "${ESC}${F_GREEN}m$PROG_NAME is installed into $INSTALL_PATH${ESC}${F_DEFAULT}m\n"
+
+	ls $ALIAS_PATH >> /dev/null 2>&1
+	if [ $? != 0 ] ; then
+		printf "Do you want to add 'ks' alias for Kubeshark? (y/N)? "
+		old_stty_cfg=$(stty -g)
+		stty raw -echo ; answer=$(head -c 1) ; stty $old_stty_cfg
+		if echo "$answer" | grep -iq "^y" ; then
+			echo "$answer"
+			sudo ln -s $INSTALL_PATH $ALIAS_PATH
+
+			use_cmd=$ALIAS_NAME
+		else
+			echo "$answer"
+		fi
+	else
+		use_cmd=$ALIAS_NAME
+	fi
+else
+	echo "$answer"
+	use_cmd="./$EXE_NAME"
+fi
+
+echo "${ESC}${F_GREEN}m✅ You can use the ${ESC}${F_DEFAULT};${B_LIGHT_BLUE}m $use_cmd ${ESC}${B_DEFAULT};${F_GREEN}m command now.${ESC}${F_DEFAULT}m"
+echo "\n${ESC}${F_YELLOW}mPlease give us a star 🌟 on ${ESC}${F_DEFAULT}m$REPO${ESC}${F_YELLOW}m if you ❤️  $PROG_NAME!${ESC}${F_DEFAULT}m"
--- a/integration/README.md
+++ b/integration/README.md
@@ -0,0 +1,57 @@
+# Integration Tests
+
+This directory contains integration tests that run against a real Kubernetes cluster.
+
+## Prerequisites
+
+1. **Kubernetes cluster** - A running cluster accessible via `kubectl`
+2. **kubectl** - Configured with appropriate context
+3. **Go 1.21+** - For running tests
+
+## Running Tests
+
+```bash
+# Run all integration tests
+make test-integration
+
+# Run specific command tests
+make test-integration-mcp
+
+# Run with verbose output
+make test-integration-verbose
+
+# Run with custom timeout (default: 5m)
+INTEGRATION_TIMEOUT=10m make test-integration
+```
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `KUBESHARK_BINARY` | Auto-built | Path to pre-built kubeshark binary |
+| `INTEGRATION_TIMEOUT` | `5m` | Test timeout duration |
+| `KUBECONFIG` | `~/.kube/config` | Kubernetes config file |
+| `INTEGRATION_SKIP_CLEANUP` | `false` | Skip cleanup after tests (for debugging) |
+
+## Test Structure
+
+```
+integration/
+├── README.md           # This file
+├── common_test.go      # Shared test helpers
+├── mcp_test.go         # MCP command integration tests
+├── tap_test.go         # Tap command tests (future)
+└── ...                 # Additional command tests
+```
+
+## Writing New Tests
+
+1. Create `<command>_test.go` with build tag `//go:build integration`
+2. Use helpers from `common_test.go`: `requireKubernetesCluster(t)`, `getKubesharkBinary(t)`, `cleanupKubeshark(t, binary)`
+
+## CI/CD Integration
+
+```bash
+# JSON output for CI parsing
+go test -tags=integration -json ./integration/...
+```
--- a/integration/common_test.go
+++ b/integration/common_test.go
@@ -0,0 +1,217 @@
+//go:build integration
+
+// Package integration contains integration tests that run against a real Kubernetes cluster.
+// Run with: go test -tags=integration ./integration/...
+package integration
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+)
+
+const (
+	binaryName     = "kubeshark"
+	defaultTimeout = 2 * time.Minute
+	startupTimeout = 3 * time.Minute
+)
+
+var (
+	// binaryPath caches the built binary path
+	binaryPath string
+	buildOnce  sync.Once
+	buildErr   error
+)
+
+// requireKubernetesCluster skips the test if no Kubernetes cluster is available.
+func requireKubernetesCluster(t *testing.T) {
+	t.Helper()
+	if !hasKubernetesCluster() {
+		t.Skip("Skipping: no Kubernetes cluster available")
+	}
+}
+
+// hasKubernetesCluster returns true if a Kubernetes cluster is accessible.
+func hasKubernetesCluster() bool {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	return exec.CommandContext(ctx, "kubectl", "cluster-info").Run() == nil
+}
+
+// getKubesharkBinary returns the path to the kubeshark binary, building it if necessary.
+func getKubesharkBinary(t *testing.T) string {
+	t.Helper()
+
+	// Check if binary path is provided via environment
+	if envBinary := os.Getenv("KUBESHARK_BINARY"); envBinary != "" {
+		if _, err := os.Stat(envBinary); err == nil {
+			return envBinary
+		}
+		t.Fatalf("KUBESHARK_BINARY set but file not found: %s", envBinary)
+	}
+
+	// Build once per test run
+	buildOnce.Do(func() {
+		binaryPath, buildErr = buildBinary(t)
+	})
+
+	if buildErr != nil {
+		t.Fatalf("Failed to build binary: %v", buildErr)
+	}
+
+	return binaryPath
+}
+
+// buildBinary compiles the binary and returns its path.
+func buildBinary(t *testing.T) (string, error) {
+	t.Helper()
+
+	// Find project root (directory containing go.mod)
+	projectRoot, err := findProjectRoot()
+	if err != nil {
+		return "", fmt.Errorf("finding project root: %w", err)
+	}
+
+	outputPath := filepath.Join(projectRoot, "bin", binaryName+"_integration_test")
+
+	t.Logf("Building %s binary at %s", binaryName, outputPath)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "go", "build",
+		"-o", outputPath,
+		filepath.Join(projectRoot, binaryName+".go"),
+	)
+	cmd.Dir = projectRoot
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("build failed: %w\nOutput: %s", err, output)
+	}
+
+	return outputPath, nil
+}
+
+// findProjectRoot locates the project root by finding go.mod
+func findProjectRoot() (string, error) {
+	dir, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+
+	for {
+		if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
+			return dir, nil
+		}
+
+		parent := filepath.Dir(dir)
+		if parent == dir {
+			return "", fmt.Errorf("could not find go.mod in any parent directory")
+		}
+		dir = parent
+	}
+}
+
+// runKubeshark executes the kubeshark binary with the given arguments.
+// Returns combined stdout/stderr and any error.
+func runKubeshark(t *testing.T, binary string, args ...string) (string, error) {
+	t.Helper()
+	return runKubesharkWithTimeout(t, binary, defaultTimeout, args...)
+}
+
+// runKubesharkWithTimeout executes the kubeshark binary with a custom timeout.
+func runKubesharkWithTimeout(t *testing.T, binary string, timeout time.Duration, args ...string) (string, error) {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	t.Logf("Running: %s %s", binary, strings.Join(args, " "))
+
+	cmd := exec.CommandContext(ctx, binary, args...)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err := cmd.Run()
+
+	output := stdout.String()
+	if stderr.Len() > 0 {
+		output += "\n[stderr]\n" + stderr.String()
+	}
+
+	if ctx.Err() == context.DeadlineExceeded {
+		return output, fmt.Errorf("command timed out after %v", timeout)
+	}
+
+	return output, err
+}
+
+// cleanupKubeshark ensures Kubeshark is not running in the cluster.
+func cleanupKubeshark(t *testing.T, binary string) {
+	t.Helper()
+
+	if os.Getenv("INTEGRATION_SKIP_CLEANUP") == "true" {
+		t.Log("Skipping cleanup (INTEGRATION_SKIP_CLEANUP=true)")
+		return
+	}
+
+	t.Log("Cleaning up any existing Kubeshark installation...")
+
+	// Run clean command, ignore errors (might not be installed)
+	_, _ = runKubeshark(t, binary, "clean")
+
+	// Wait a moment for resources to be deleted
+	time.Sleep(2 * time.Second)
+}
+
+// waitForKubesharkReady waits for Kubeshark to be ready after starting.
+func waitForKubesharkReady(t *testing.T, binary string, timeout time.Duration) error {
+	t.Helper()
+
+	t.Log("Waiting for Kubeshark to be ready...")
+
+	deadline := time.Now().Add(timeout)
+
+	for time.Now().Before(deadline) {
+		// Check if pods are running
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		cmd := exec.CommandContext(ctx, "kubectl", "get", "pods", "-l", "app.kubernetes.io/name=kubeshark", "-o", "jsonpath={.items[*].status.phase}")
+		output, err := cmd.Output()
+		cancel()
+
+		if err == nil && strings.Contains(string(output), "Running") {
+			t.Log("Kubeshark is ready")
+			return nil
+		}
+
+		time.Sleep(5 * time.Second)
+	}
+
+	return fmt.Errorf("timeout waiting for Kubeshark to be ready")
+}
+
+// isKubesharkRunning checks if Kubeshark is currently running in the cluster.
+func isKubesharkRunning(t *testing.T) bool {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "kubectl", "get", "pods", "-l", "app.kubernetes.io/name=kubeshark", "-o", "name")
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+
+	return strings.TrimSpace(string(output)) != ""
+}
--- a/integration/mcp_test.go
+++ b/integration/mcp_test.go
@@ -0,0 +1,529 @@
+//go:build integration
+
+package integration
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"os/exec"
+	"strings"
+	"testing"
+	"time"
+)
+
+// MCPRequest represents a JSON-RPC request
+type MCPRequest struct {
+	JSONRPC string      `json:"jsonrpc"`
+	ID      int         `json:"id"`
+	Method  string      `json:"method"`
+	Params  interface{} `json:"params,omitempty"`
+}
+
+// MCPResponse represents a JSON-RPC response
+type MCPResponse struct {
+	JSONRPC string          `json:"jsonrpc"`
+	ID      int             `json:"id"`
+	Result  json.RawMessage `json:"result,omitempty"`
+	Error   *MCPError       `json:"error,omitempty"`
+}
+
+// MCPError represents a JSON-RPC error
+type MCPError struct {
+	Code    int    `json:"code"`
+	Message string `json:"message"`
+}
+
+// mcpSession represents a running MCP server session
+type mcpSession struct {
+	cmd    *exec.Cmd
+	stdin  io.WriteCloser
+	stdout *bufio.Reader
+	stderr *bytes.Buffer // Captured stderr for debugging
+	cancel context.CancelFunc
+}
+
+// startMCPSession starts an MCP server and returns a session for sending requests.
+// By default, starts in read-only mode (no --allow-destructive).
+func startMCPSession(t *testing.T, binary string, args ...string) *mcpSession {
+	t.Helper()
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	cmdArgs := append([]string{"mcp"}, args...)
+	cmd := exec.CommandContext(ctx, binary, cmdArgs...)
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		cancel()
+		t.Fatalf("Failed to create stdin pipe: %v", err)
+	}
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		cancel()
+		t.Fatalf("Failed to create stdout pipe: %v", err)
+	}
+
+	// Capture stderr for debugging
+	var stderrBuf bytes.Buffer
+	cmd.Stderr = &stderrBuf
+
+	if err := cmd.Start(); err != nil {
+		cancel()
+		t.Fatalf("Failed to start MCP server: %v", err)
+	}
+
+	return &mcpSession{
+		cmd:    cmd,
+		stdin:  stdin,
+		stdout: bufio.NewReader(stdout),
+		stderr: &stderrBuf,
+		cancel: cancel,
+	}
+}
+
+// startMCPSessionWithDestructive starts an MCP server with --allow-destructive flag.
+func startMCPSessionWithDestructive(t *testing.T, binary string, args ...string) *mcpSession {
+	t.Helper()
+	allArgs := append([]string{"--allow-destructive"}, args...)
+	return startMCPSession(t, binary, allArgs...)
+}
+
+// sendRequest sends a JSON-RPC request and returns the response (30s timeout).
+func (s *mcpSession) sendRequest(t *testing.T, req MCPRequest) MCPResponse {
+	t.Helper()
+	return s.sendRequestWithTimeout(t, req, 30*time.Second)
+}
+
+// sendRequestWithTimeout sends a JSON-RPC request with a custom timeout.
+func (s *mcpSession) sendRequestWithTimeout(t *testing.T, req MCPRequest, timeout time.Duration) MCPResponse {
+	t.Helper()
+
+	reqBytes, err := json.Marshal(req)
+	if err != nil {
+		t.Fatalf("Failed to marshal request: %v", err)
+	}
+
+	t.Logf("Sending: %s", string(reqBytes))
+
+	if _, err := s.stdin.Write(append(reqBytes, '\n')); err != nil {
+		t.Fatalf("Failed to write request: %v", err)
+	}
+
+	// Read response with timeout
+	responseChan := make(chan string, 1)
+	errChan := make(chan error, 1)
+
+	go func() {
+		line, err := s.stdout.ReadString('\n')
+		if err != nil {
+			errChan <- err
+			return
+		}
+		responseChan <- line
+	}()
+
+	select {
+	case line := <-responseChan:
+		t.Logf("Received: %s", strings.TrimSpace(line))
+		var resp MCPResponse
+		if err := json.Unmarshal([]byte(line), &resp); err != nil {
+			t.Fatalf("Failed to unmarshal response: %v\nResponse: %s", err, line)
+		}
+		return resp
+	case err := <-errChan:
+		t.Fatalf("Failed to read response: %v", err)
+		return MCPResponse{}
+	case <-time.After(timeout):
+		t.Fatalf("Timeout waiting for MCP response after %v", timeout)
+		return MCPResponse{}
+	}
+}
+
+// callTool invokes an MCP tool and returns the response (30s timeout).
+func (s *mcpSession) callTool(t *testing.T, id int, toolName string, args map[string]interface{}) MCPResponse {
+	t.Helper()
+	return s.callToolWithTimeout(t, id, toolName, args, 30*time.Second)
+}
+
+// callToolWithTimeout invokes an MCP tool with a custom timeout.
+func (s *mcpSession) callToolWithTimeout(t *testing.T, id int, toolName string, args map[string]interface{}, timeout time.Duration) MCPResponse {
+	t.Helper()
+
+	return s.sendRequestWithTimeout(t, MCPRequest{
+		JSONRPC: "2.0",
+		ID:      id,
+		Method:  "tools/call",
+		Params: map[string]interface{}{
+			"name":      toolName,
+			"arguments": args,
+		},
+	}, timeout)
+}
+
+// close terminates the MCP session.
+func (s *mcpSession) close() {
+	s.cancel()
+	_ = s.cmd.Wait()
+}
+
+// getStderr returns any captured stderr output (useful for debugging failures).
+func (s *mcpSession) getStderr() string {
+	if s.stderr == nil {
+		return ""
+	}
+	return s.stderr.String()
+}
+
+// initialize sends the MCP initialize request and returns the response.
+func (s *mcpSession) initialize(t *testing.T, id int) MCPResponse {
+	t.Helper()
+	return s.sendRequest(t, MCPRequest{
+		JSONRPC: "2.0",
+		ID:      id,
+		Method:  "initialize",
+		Params: map[string]interface{}{
+			"protocolVersion": "2024-11-05",
+			"capabilities":    map[string]interface{}{},
+			"clientInfo":      map[string]interface{}{"name": "test", "version": "1.0"},
+		},
+	})
+}
+
+// TestMCP_Initialize tests the MCP initialization handshake.
+func TestMCP_Initialize(t *testing.T) {
+	requireKubernetesCluster(t)
+	session := startMCPSession(t, getKubesharkBinary(t))
+	defer session.close()
+
+	resp := session.initialize(t, 1)
+	if resp.Error != nil {
+		t.Fatalf("Initialize failed: %s", resp.Error.Message)
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(resp.Result, &result); err != nil {
+		t.Fatalf("Failed to parse result: %v", err)
+	}
+
+	if _, ok := result["capabilities"]; !ok {
+		t.Error("Response missing capabilities")
+	}
+	if _, ok := result["serverInfo"]; !ok {
+		t.Error("Response missing serverInfo")
+	}
+}
+
+// TestMCP_ToolsList_ReadOnly tests that tools/list returns only safe tools in read-only mode.
+func TestMCP_ToolsList_ReadOnly(t *testing.T) {
+	requireKubernetesCluster(t)
+	session := startMCPSession(t, getKubesharkBinary(t))
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.sendRequest(t, MCPRequest{JSONRPC: "2.0", ID: 2, Method: "tools/list"})
+	if resp.Error != nil {
+		t.Fatalf("tools/list failed: %s", resp.Error.Message)
+	}
+
+	var result struct {
+		Tools []struct{ Name string `json:"name"` } `json:"tools"`
+	}
+	if err := json.Unmarshal(resp.Result, &result); err != nil {
+		t.Fatalf("Failed to parse result: %v", err)
+	}
+
+	toolNames := make(map[string]bool)
+	for _, tool := range result.Tools {
+		toolNames[tool.Name] = true
+	}
+
+	if !toolNames["check_kubeshark_status"] {
+		t.Error("Missing expected tool: check_kubeshark_status")
+	}
+	if toolNames["start_kubeshark"] || toolNames["stop_kubeshark"] {
+		t.Error("Destructive tools should not be available in read-only mode")
+	}
+}
+
+// TestMCP_ToolsList_WithDestructive tests that tools/list includes destructive tools when flag is set.
+func TestMCP_ToolsList_WithDestructive(t *testing.T) {
+	requireKubernetesCluster(t)
+	session := startMCPSessionWithDestructive(t, getKubesharkBinary(t))
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.sendRequest(t, MCPRequest{JSONRPC: "2.0", ID: 2, Method: "tools/list"})
+	if resp.Error != nil {
+		t.Fatalf("tools/list failed: %s", resp.Error.Message)
+	}
+
+	var result struct {
+		Tools []struct{ Name string `json:"name"` } `json:"tools"`
+	}
+	if err := json.Unmarshal(resp.Result, &result); err != nil {
+		t.Fatalf("Failed to parse result: %v", err)
+	}
+
+	toolNames := make(map[string]bool)
+	for _, tool := range result.Tools {
+		toolNames[tool.Name] = true
+	}
+
+	for _, expected := range []string{"check_kubeshark_status", "start_kubeshark", "stop_kubeshark"} {
+		if !toolNames[expected] {
+			t.Errorf("Missing expected tool: %s", expected)
+		}
+	}
+}
+
+// TestMCP_CheckKubesharkStatus_NotRunning tests check_kubeshark_status when Kubeshark is not running.
+func TestMCP_CheckKubesharkStatus_NotRunning(t *testing.T) {
+	requireKubernetesCluster(t)
+	binary := getKubesharkBinary(t)
+	cleanupKubeshark(t, binary)
+
+	session := startMCPSession(t, binary)
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.callTool(t, 2, "check_kubeshark_status", nil)
+	if resp.Error != nil {
+		t.Fatalf("check_kubeshark_status failed: %s", resp.Error.Message)
+	}
+
+	var result struct {
+		Content []struct{ Text string `json:"text"` } `json:"content"`
+	}
+	if err := json.Unmarshal(resp.Result, &result); err != nil {
+		t.Fatalf("Failed to parse result: %v", err)
+	}
+
+	if len(result.Content) == 0 || (!strings.Contains(result.Content[0].Text, "not running") && !strings.Contains(result.Content[0].Text, "NOT")) {
+		t.Errorf("Expected 'not running' status")
+	}
+}
+
+// TestMCP_StartKubeshark tests the start_kubeshark tool.
+func TestMCP_StartKubeshark(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping in short mode")
+	}
+	requireKubernetesCluster(t)
+	binary := getKubesharkBinary(t)
+	cleanupKubeshark(t, binary)
+	t.Cleanup(func() { cleanupKubeshark(t, binary) })
+
+	session := startMCPSessionWithDestructive(t, binary)
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.callToolWithTimeout(t, 2, "start_kubeshark", nil, 3*time.Minute)
+	if resp.Error != nil {
+		t.Fatalf("start_kubeshark failed: %s", resp.Error.Message)
+	}
+
+	if !isKubesharkRunning(t) {
+		t.Error("Kubeshark should be running after start_kubeshark")
+	}
+}
+
+// TestMCP_StartKubeshark_WithoutFlag tests that start_kubeshark fails without --allow-destructive.
+func TestMCP_StartKubeshark_WithoutFlag(t *testing.T) {
+	requireKubernetesCluster(t)
+	session := startMCPSession(t, getKubesharkBinary(t))
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.callTool(t, 2, "start_kubeshark", nil)
+
+	var result struct {
+		Content []struct{ Text string `json:"text"` } `json:"content"`
+		IsError bool                                  `json:"isError"`
+	}
+	if err := json.Unmarshal(resp.Result, &result); err != nil {
+		t.Fatalf("Failed to parse result: %v", err)
+	}
+
+	if !result.IsError {
+		t.Error("Expected isError=true without --allow-destructive")
+	}
+}
+
+// TestMCP_StopKubeshark tests the stop_kubeshark tool.
+func TestMCP_StopKubeshark(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping in short mode")
+	}
+	requireKubernetesCluster(t)
+	binary := getKubesharkBinary(t)
+
+	session := startMCPSessionWithDestructive(t, binary)
+	defer session.close()
+
+	session.initialize(t, 0)
+
+	// Start Kubeshark if not running
+	if !isKubesharkRunning(t) {
+		resp := session.callToolWithTimeout(t, 1, "start_kubeshark", nil, 2*time.Minute)
+		if resp.Error != nil {
+			t.Skipf("Could not start Kubeshark: %v", resp.Error.Message)
+		}
+	}
+
+	resp := session.callToolWithTimeout(t, 2, "stop_kubeshark", nil, 2*time.Minute)
+	if resp.Error != nil {
+		t.Fatalf("stop_kubeshark failed: %s", resp.Error.Message)
+	}
+
+	time.Sleep(5 * time.Second)
+	if isKubesharkRunning(t) {
+		t.Error("Kubeshark should not be running after stop_kubeshark")
+	}
+}
+
+// TestMCP_StopKubeshark_WithoutFlag tests that stop_kubeshark fails without --allow-destructive.
+func TestMCP_StopKubeshark_WithoutFlag(t *testing.T) {
+	requireKubernetesCluster(t)
+	session := startMCPSession(t, getKubesharkBinary(t))
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.callTool(t, 2, "stop_kubeshark", nil)
+
+	var result struct {
+		IsError bool `json:"isError"`
+	}
+	if err := json.Unmarshal(resp.Result, &result); err != nil {
+		t.Fatalf("Failed to parse result: %v", err)
+	}
+
+	if !result.IsError {
+		t.Error("Expected isError=true without --allow-destructive")
+	}
+}
+
+// TestMCP_FullLifecycle tests the complete lifecycle: check -> start -> check -> stop -> check
+func TestMCP_FullLifecycle(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping in short mode")
+	}
+	requireKubernetesCluster(t)
+	binary := getKubesharkBinary(t)
+	cleanupKubeshark(t, binary)
+
+	session := startMCPSessionWithDestructive(t, binary)
+	defer session.close()
+
+	session.initialize(t, 1)
+
+	// Check -> Start -> Check -> Stop -> Check
+	if resp := session.callTool(t, 2, "check_kubeshark_status", nil); resp.Error != nil {
+		t.Fatalf("Initial status check failed: %s", resp.Error.Message)
+	}
+
+	if resp := session.callToolWithTimeout(t, 3, "start_kubeshark", nil, 3*time.Minute); resp.Error != nil {
+		t.Fatalf("Start failed: %s", resp.Error.Message)
+	}
+	if err := waitForKubesharkReady(t, binary, startupTimeout); err != nil {
+		t.Fatalf("Kubeshark did not become ready: %v", err)
+	}
+
+	if resp := session.callTool(t, 4, "check_kubeshark_status", nil); resp.Error != nil {
+		t.Fatalf("Status check after start failed: %s", resp.Error.Message)
+	}
+
+	if resp := session.callToolWithTimeout(t, 5, "stop_kubeshark", nil, 2*time.Minute); resp.Error != nil {
+		t.Fatalf("Stop failed: %s", resp.Error.Message)
+	}
+	time.Sleep(5 * time.Second)
+
+	if resp := session.callTool(t, 6, "check_kubeshark_status", nil); resp.Error != nil {
+		t.Fatalf("Final status check failed: %s", resp.Error.Message)
+	}
+}
+
+// TestMCP_APIToolsRequireKubeshark tests that API tools return helpful errors when Kubeshark isn't running.
+func TestMCP_APIToolsRequireKubeshark(t *testing.T) {
+	requireKubernetesCluster(t)
+	binary := getKubesharkBinary(t)
+	cleanupKubeshark(t, binary)
+
+	session := startMCPSession(t, binary)
+	defer session.close()
+
+	session.initialize(t, 1)
+
+	for i, tool := range []string{"list_workloads", "list_api_calls", "get_api_stats"} {
+		resp := session.callTool(t, i+2, tool, nil)
+		// Either error or helpful message is acceptable
+		if resp.Error != nil {
+			t.Logf("%s returned error (expected): %s", tool, resp.Error.Message)
+		}
+	}
+}
+
+// TestMCP_SetFlags tests that --set flags are passed correctly.
+func TestMCP_SetFlags(t *testing.T) {
+	requireKubernetesCluster(t)
+	session := startMCPSession(t, getKubesharkBinary(t), "--set", "tap.namespaces={default}")
+	defer session.close()
+
+	session.initialize(t, 1)
+	resp := session.sendRequest(t, MCPRequest{JSONRPC: "2.0", ID: 2, Method: "tools/list"})
+	if resp.Error != nil {
+		t.Fatalf("tools/list failed with --set flags: %s", resp.Error.Message)
+	}
+}
+
+// BenchmarkMCP_CheckStatus benchmarks the check_kubeshark_status tool.
+func BenchmarkMCP_CheckStatus(b *testing.B) {
+	if testing.Short() {
+		b.Skip("Skipping benchmark in short mode")
+	}
+	if !hasKubernetesCluster() {
+		b.Skip("Skipping: no Kubernetes cluster available")
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, getKubesharkBinary(b), "mcp")
+	stdin, _ := cmd.StdinPipe()
+	stdout, _ := cmd.StdoutPipe()
+	reader := bufio.NewReader(stdout)
+
+	if err := cmd.Start(); err != nil {
+		b.Fatalf("Failed to start MCP: %v", err)
+	}
+	defer func() { cancel(); _ = cmd.Wait() }()
+
+	// Initialize
+	initReq, _ := json.Marshal(MCPRequest{
+		JSONRPC: "2.0", ID: 0, Method: "initialize",
+		Params: map[string]interface{}{
+			"protocolVersion": "2024-11-05",
+			"capabilities":    map[string]interface{}{},
+			"clientInfo":      map[string]interface{}{"name": "bench", "version": "1.0"},
+		},
+	})
+	_, _ = stdin.Write(append(initReq, '\n'))
+	_, _ = reader.ReadString('\n')
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		req, _ := json.Marshal(MCPRequest{
+			JSONRPC: "2.0", ID: i + 1, Method: "tools/call",
+			Params: map[string]interface{}{"name": "check_kubeshark_status", "arguments": map[string]interface{}{}},
+		})
+		if _, err := stdin.Write(append(req, '\n')); err != nil {
+			b.Fatalf("Write failed: %v", err)
+		}
+		if _, err := reader.ReadString('\n'); err != nil {
+			b.Fatalf("Read failed: %v", err)
+		}
+	}
+}
--- a/internal/connect/hub.go
+++ b/internal/connect/hub.go
@@ -4,8 +4,10 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"time"

 	"github.com/kubeshark/kubeshark/config"
@@ -23,6 +25,7 @@ type Connector struct {

 const DefaultRetries = 3
 const DefaultTimeout = 2 * time.Second
+const DefaultSleep = 1 * time.Second

 func NewConnector(url string, retries int, timeout time.Duration) *Connector {
 	return &Connector{
@@ -44,7 +47,7 @@ func (connector *Connector) TestConnection(path string) error {
 			break
 		}
 		retriesLeft -= 1
-		time.Sleep(time.Second)
+		time.Sleep(5 * DefaultSleep)
 	}

 	if retriesLeft == 0 {
@@ -70,61 +73,30 @@ func (connector *Connector) PostWorkerPodToHub(pod *v1.Pod) {
 	} else {
 		ok := false
 		for !ok {
-			if _, err = utils.Post(postWorkerUrl, "application/json", bytes.NewBuffer(podMarshalled), connector.client); err != nil {
+			var resp *http.Response
+			if resp, err = utils.Post(postWorkerUrl, "application/json", bytes.NewBuffer(podMarshalled), connector.client, config.Config.License); err != nil || resp.StatusCode != http.StatusOK {
 				if _, ok := err.(*url.Error); ok {
 					break
 				}
-				log.Debug().Err(err).Msg("Failed sending the Worker pod to Hub:")
+				log.Warn().Err(err).Msg("Failed sending the Worker pod to Hub. Retrying...")
 			} else {
-				ok = true
 				log.Debug().Interface("worker-pod", pod).Msg("Reported worker pod to Hub:")
-				connector.PostStorageLimitToHub(config.Config.Tap.StorageLimitBytes())
+				return
 			}
-			time.Sleep(time.Second)
+			time.Sleep(DefaultSleep)
 		}
 	}
 }

-type postStorageLimit struct {
-	Limit int64 `json:"limit"`
+type postLicenseRequest struct {
+	License string `json:"license"`
 }

-func (connector *Connector) PostStorageLimitToHub(limit int64) {
-	payload := &postStorageLimit{
-		Limit: limit,
-	}
-	postStorageLimitUrl := fmt.Sprintf("%s/pcaps/set-storage-limit", connector.url)
+func (connector *Connector) PostLicense(license string) {
+	postLicenseUrl := fmt.Sprintf("%s/license", connector.url)

-	if payloadMarshalled, err := json.Marshal(payload); err != nil {
-		log.Error().Err(err).Msg("Failed to marshal the storage limit:")
-	} else {
-		ok := false
-		for !ok {
-			if _, err = utils.Post(postStorageLimitUrl, "application/json", bytes.NewBuffer(payloadMarshalled), connector.client); err != nil {
-				if _, ok := err.(*url.Error); ok {
-					break
-				}
-				log.Debug().Err(err).Msg("Failed sending the storage limit to Hub:")
-			} else {
-				ok = true
-				log.Debug().Int("limit", int(limit)).Msg("Reported storage limit to Hub:")
-			}
-			time.Sleep(time.Second)
-		}
-	}
-}
-
-type postRegexRequest struct {
-	Regex      string   `json:"regex"`
-	Namespaces []string `json:"namespaces"`
-}
-
-func (connector *Connector) PostRegexToHub(regex string, namespaces []string) {
-	postRegexUrl := fmt.Sprintf("%s/pods/regex", connector.url)
-
-	payload := postRegexRequest{
-		Regex:      regex,
-		Namespaces: namespaces,
+	payload := postLicenseRequest{
+		License: license,
 	}

 	if payloadMarshalled, err := json.Marshal(payload); err != nil {
@@ -132,16 +104,54 @@ func (connector *Connector) PostRegexToHub(regex string, namespaces []string) {
 	} else {
 		ok := false
 		for !ok {
-			if _, err = utils.Post(postRegexUrl, "application/json", bytes.NewBuffer(payloadMarshalled), connector.client); err != nil {
+			var resp *http.Response
+			if resp, err = utils.Post(postLicenseUrl, "application/json", bytes.NewBuffer(payloadMarshalled), connector.client, config.Config.License); err != nil || resp.StatusCode != http.StatusOK {
 				if _, ok := err.(*url.Error); ok {
 					break
 				}
-				log.Debug().Err(err).Msg("Failed sending the payload to Hub:")
+				log.Warn().Err(err).Msg("Failed sending the license to Hub. Retrying...")
 			} else {
-				ok = true
-				log.Debug().Str("regex", regex).Strs("namespaces", namespaces).Msg("Reported payload to Hub:")
+				log.Debug().Str("license", license).Msg("Reported license to Hub:")
+				return
 			}
-			time.Sleep(time.Second)
+			time.Sleep(DefaultSleep)
+		}
+	}
+}
+
+func (connector *Connector) PostPcapsMerge(out *os.File) {
+	postEnvUrl := fmt.Sprintf("%s/pcaps/merge", connector.url)
+
+	if envMarshalled, err := json.Marshal(map[string]string{"query": ""}); err != nil {
+		log.Error().Err(err).Msg("Failed to marshal the env:")
+	} else {
+		ok := false
+		for !ok {
+			var resp *http.Response
+			if resp, err = utils.Post(postEnvUrl, "application/json", bytes.NewBuffer(envMarshalled), connector.client, config.Config.License); err != nil || resp.StatusCode != http.StatusOK {
+				if _, ok := err.(*url.Error); ok {
+					break
+				}
+				log.Warn().Err(err).Msg("Failed exported PCAP download. Retrying...")
+			} else {
+				defer resp.Body.Close()
+
+				// Check server response
+				if resp.StatusCode != http.StatusOK {
+					log.Error().Str("status", resp.Status).Err(err).Msg("Failed exported PCAP download.")
+					return
+				}
+
+				// Writer the body to file
+				_, err = io.Copy(out, resp.Body)
+				if err != nil {
+					log.Error().Err(err).Msg("Failed writing PCAP export:")
+					return
+				}
+				log.Info().Str("path", out.Name()).Msg("Downloaded exported PCAP:")
+				return
+			}
+			time.Sleep(DefaultSleep)
 		}
 	}
 }
--- a/kubectl.sh
+++ b/kubectl.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Useful kubectl commands for Kubeshark development
+
+# This command outputs all Kubernetes resources using YAML format and pipes it to VS Code
+if [ $1 = "view-all-resources" ] ; then
+  kubectl get $(kubectl api-resources | awk '{print $1}' | tail -n +2 | tr '\n' ',' | sed s/,\$//) -o yaml |  code -
+fi
+
+# This command outputs all Kubernetes resources in "kubeshark" namespace using YAML format and pipes it to VS Code
+if [[ $1 = "view-kubeshark-resources" ]] ; then
+  kubectl get $(kubectl api-resources | awk '{print $1}' | tail -n +2 | tr '\n' ',' | sed s/,\$//) -n kubeshark -o yaml |  code -
+fi
--- a/kubernetes/config.go
+++ b/kubernetes/config.go
@@ -0,0 +1,139 @@
+package kubernetes
+
+import (
+	"context"
+	"encoding/json"
+	"slices"
+	"strings"
+
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/misc"
+	"github.com/rs/zerolog/log"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	SUFFIX_SECRET                     = "secret"
+	SUFFIX_CONFIG_MAP                 = "config-map"
+	SECRET_LICENSE                    = "LICENSE"
+	CONFIG_POD_REGEX                  = "POD_REGEX"
+	CONFIG_NAMESPACES                 = "NAMESPACES"
+	CONFIG_EXCLUDED_NAMESPACES        = "EXCLUDED_NAMESPACES"
+	CONFIG_SCRIPTING_ENV              = "SCRIPTING_ENV"
+	CONFIG_INGRESS_ENABLED            = "INGRESS_ENABLED"
+	CONFIG_INGRESS_HOST               = "INGRESS_HOST"
+	CONFIG_PROXY_FRONT_PORT           = "PROXY_FRONT_PORT"
+	CONFIG_AUTH_ENABLED               = "AUTH_ENABLED"
+	CONFIG_AUTH_TYPE                  = "AUTH_TYPE"
+	CONFIG_AUTH_SAML_IDP_METADATA_URL = "AUTH_SAML_IDP_METADATA_URL"
+	CONFIG_SCRIPTING_SCRIPTS          = "SCRIPTING_SCRIPTS"
+	CONFIG_SCRIPTING_ACTIVE_SCRIPTS   = "SCRIPTING_ACTIVE_SCRIPTS"
+	CONFIG_PCAP_DUMP_ENABLE           = "PCAP_DUMP_ENABLE"
+	CONFIG_TIME_INTERVAL              = "TIME_INTERVAL"
+	CONFIG_MAX_TIME                   = "MAX_TIME"
+	CONFIG_MAX_SIZE                   = "MAX_SIZE"
+)
+
+func SetSecret(provider *Provider, key string, value string) (updated bool, err error) {
+	var secret *v1.Secret
+	secret, err = provider.clientSet.CoreV1().Secrets(config.Config.Tap.Release.Namespace).Get(context.TODO(), SELF_RESOURCES_PREFIX+SUFFIX_SECRET, metav1.GetOptions{})
+	if err != nil {
+		return
+	}
+
+	if secret.StringData[key] != value {
+		updated = true
+	}
+	secret.Data[key] = []byte(value)
+
+	_, err = provider.clientSet.CoreV1().Secrets(config.Config.Tap.Release.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
+	if err == nil {
+		if updated {
+			log.Info().Str("secret", key).Str("value", value).Msg("Updated:")
+		}
+	} else {
+		log.Error().Str("secret", key).Err(err).Send()
+	}
+	return
+}
+
+func GetConfig(provider *Provider, key string) (value string, err error) {
+	var configMap *v1.ConfigMap
+	configMap, err = provider.clientSet.CoreV1().ConfigMaps(config.Config.Tap.Release.Namespace).Get(context.TODO(), SELF_RESOURCES_PREFIX+SUFFIX_CONFIG_MAP, metav1.GetOptions{})
+	if err != nil {
+		return
+	}
+
+	value = configMap.Data[key]
+	return
+}
+
+func SetConfig(provider *Provider, key string, value string) (updated bool, err error) {
+	var configMap *v1.ConfigMap
+	configMap, err = provider.clientSet.CoreV1().ConfigMaps(config.Config.Tap.Release.Namespace).Get(context.TODO(), SELF_RESOURCES_PREFIX+SUFFIX_CONFIG_MAP, metav1.GetOptions{})
+	if err != nil {
+		return
+	}
+
+	if configMap.Data[key] != value {
+		updated = true
+	}
+	configMap.Data[key] = value
+
+	_, err = provider.clientSet.CoreV1().ConfigMaps(config.Config.Tap.Release.Namespace).Update(context.TODO(), configMap, metav1.UpdateOptions{})
+	if err == nil {
+		if updated {
+			log.Info().
+				Str("config", key).
+				Str("value", func() string {
+					if len(value) > 10 {
+						return value[:10]
+					}
+					return value
+				}()).
+				Int("length", len(value)).
+				Msg("Updated. Printing only 10 first characters of value:")
+		}
+	} else {
+		log.Error().Str("config", key).Err(err).Send()
+	}
+	return
+}
+
+func ConfigGetScripts(provider *Provider) (scripts map[int64]misc.ConfigMapScript, err error) {
+	var data string
+	data, err = GetConfig(provider, CONFIG_SCRIPTING_SCRIPTS)
+	if err != nil {
+		return
+	}
+
+	err = json.Unmarshal([]byte(data), &scripts)
+	return
+}
+
+func IsActiveScript(provider *Provider, title string) bool {
+	configActiveScripts, err := GetConfig(provider, CONFIG_SCRIPTING_ACTIVE_SCRIPTS)
+	if err != nil {
+		return false
+	}
+	return strings.Contains(configActiveScripts, title)
+}
+
+func DeleteActiveScriptByTitle(provider *Provider, title string) (err error) {
+	configActiveScripts, err := GetConfig(provider, CONFIG_SCRIPTING_ACTIVE_SCRIPTS)
+	if err != nil {
+		return err
+	}
+	activeScripts := strings.Split(configActiveScripts, ",")
+
+	idx := slices.Index(activeScripts, title)
+	if idx != -1 {
+		activeScripts = slices.Delete(activeScripts, idx, idx+1)
+		_, err = SetConfig(provider, CONFIG_SCRIPTING_ACTIVE_SCRIPTS, strings.Join(activeScripts, ","))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/kubernetes/consts.go
+++ b/kubernetes/consts.go
@@ -1,24 +1,12 @@
 package kubernetes

 const (
-	SelfResourcesPrefix        = "kubeshark-"
-	FrontPodName               = SelfResourcesPrefix + "front"
+	SELF_RESOURCES_PREFIX      = "kubeshark-"
+	FrontPodName               = SELF_RESOURCES_PREFIX + "front"
 	FrontServiceName           = FrontPodName
-	HubPodName                 = SelfResourcesPrefix + "hub"
+	HubPodName                 = SELF_RESOURCES_PREFIX + "hub"
 	HubServiceName             = HubPodName
-	ClusterRoleBindingName     = SelfResourcesPrefix + "cluster-role-binding"
-	ClusterRoleName            = SelfResourcesPrefix + "cluster-role"
 	K8sAllNamespaces           = ""
-	RoleBindingName            = SelfResourcesPrefix + "role-binding"
-	RoleName                   = SelfResourcesPrefix + "role"
-	ServiceAccountName         = SelfResourcesPrefix + "service-account"
-	WorkerDaemonSetName        = SelfResourcesPrefix + "worker-daemon-set"
-	WorkerPodName              = SelfResourcesPrefix + "worker"
 	MinKubernetesServerVersion = "1.16.0"
-)
-
-const (
-	LabelPrefixApp = "app.kubernetes.io/"
-	LabelManagedBy = LabelPrefixApp + "managed-by"
-	LabelCreatedBy = LabelPrefixApp + "created-by"
+	AppLabelKey                = "app.kubeshark.com/app"
 )
--- a/kubernetes/cp.go
+++ b/kubernetes/cp.go
@@ -0,0 +1,192 @@
+package kubernetes
+
+import (
+	"archive/tar"
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/rs/zerolog/log"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/remotecommand"
+)
+
+func CopyFromPod(ctx context.Context, provider *Provider, pod v1.Pod, srcPath string, dstPath string) error {
+	const containerName = "sniffer"
+	cmdArr := []string{"tar", "cf", "-", srcPath}
+	req := provider.clientSet.CoreV1().RESTClient().
+		Post().
+		Namespace(pod.Namespace).
+		Resource("pods").
+		Name(pod.Name).
+		SubResource("exec").
+		VersionedParams(&v1.PodExecOptions{
+			Container: containerName,
+			Command:   cmdArr,
+			Stdin:     true,
+			Stdout:    true,
+			Stderr:    true,
+			TTY:       false,
+		}, scheme.ParameterCodec)
+
+	exec, err := remotecommand.NewSPDYExecutor(&provider.clientConfig, "POST", req.URL())
+	if err != nil {
+		return err
+	}
+
+	reader, outStream := io.Pipe()
+	errReader, errStream := io.Pipe()
+	go logErrors(errReader, pod)
+	go func() {
+		defer outStream.Close()
+		err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
+			Stdin:  os.Stdin,
+			Stdout: outStream,
+			Stderr: errStream,
+			Tty:    false,
+		})
+		if err != nil {
+			log.Error().Err(err).Str("pod", pod.Name).Msg("SPDYExecutor:")
+		}
+	}()
+
+	prefix := getPrefix(srcPath)
+	prefix = path.Clean(prefix)
+	prefix = stripPathShortcuts(prefix)
+	dstPath = path.Join(dstPath, path.Base(prefix))
+	err = untarAll(reader, dstPath, prefix)
+	// fo(reader)
+	return err
+}
+
+// func fo(fi io.Reader) {
+// 	fo, err := os.Create("output.tar")
+// 	if err != nil {
+// 		panic(err)
+// 	}
+
+// 	// make a buffer to keep chunks that are read
+// 	buf := make([]byte, 1024)
+// 	for {
+// 		// read a chunk
+// 		n, err := fi.Read(buf)
+// 		if err != nil && err != io.EOF {
+// 			panic(err)
+// 		}
+// 		if n == 0 {
+// 			break
+// 		}
+
+// 		// write a chunk
+// 		if _, err := fo.Write(buf[:n]); err != nil {
+// 			panic(err)
+// 		}
+// 	}
+// }
+
+func logErrors(reader io.Reader, pod v1.Pod) {
+	r := bufio.NewReader(reader)
+	for {
+		msg, _, err := r.ReadLine()
+		log.Warn().Str("pod", pod.Name).Str("msg", string(msg)).Msg("SPDYExecutor:")
+		if err != nil {
+			if err != io.EOF {
+				log.Error().Err(err).Send()
+			}
+			return
+		}
+	}
+}
+
+func untarAll(reader io.Reader, destDir, prefix string) error {
+	tarReader := tar.NewReader(reader)
+	for {
+		header, err := tarReader.Next()
+		if err != nil {
+			if err != io.EOF {
+				return err
+			}
+			break
+		}
+
+		if !strings.HasPrefix(header.Name, prefix) {
+			return fmt.Errorf("tar contents corrupted")
+		}
+
+		mode := header.FileInfo().Mode()
+		destFileName := filepath.Join(destDir, header.Name[len(prefix):])
+
+		baseName := filepath.Dir(destFileName)
+		if err := os.MkdirAll(baseName, 0755); err != nil {
+			return err
+		}
+		if header.FileInfo().IsDir() {
+			if err := os.MkdirAll(destFileName, 0755); err != nil {
+				return err
+			}
+			continue
+		}
+
+		evaledPath, err := filepath.EvalSymlinks(baseName)
+		if err != nil {
+			return err
+		}
+
+		if mode&os.ModeSymlink != 0 {
+			linkname := header.Linkname
+
+			if !filepath.IsAbs(linkname) {
+				_ = filepath.Join(evaledPath, linkname)
+			}
+
+			if err := os.Symlink(linkname, destFileName); err != nil {
+				return err
+			}
+		} else {
+			outFile, err := os.Create(destFileName)
+			if err != nil {
+				return err
+			}
+			defer outFile.Close()
+			if _, err := io.Copy(outFile, tarReader); err != nil {
+				return err
+			}
+			if err := outFile.Close(); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func getPrefix(file string) string {
+	return strings.TrimLeft(file, "/")
+}
+
+func stripPathShortcuts(p string) string {
+	newPath := p
+	trimmed := strings.TrimPrefix(newPath, "../")
+
+	for trimmed != newPath {
+		newPath = trimmed
+		trimmed = strings.TrimPrefix(newPath, "../")
+	}
+
+	// trim leftover {".", ".."}
+	if newPath == "." || newPath == ".." {
+		newPath = ""
+	}
+
+	if len(newPath) > 0 && string(newPath[0]) == "/" {
+		return newPath[1:]
+	}
+
+	return newPath
+}
--- a/kubernetes/helm/helm.go
+++ b/kubernetes/helm/helm.go
@@ -0,0 +1,186 @@
+package helm
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/kubeshark/kubeshark/config"
+	"github.com/kubeshark/kubeshark/misc"
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/downloader"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+const ENV_HELM_DRIVER = "HELM_DRIVER"
+
+var settings = cli.New()
+
+type Helm struct {
+	repo             string
+	releaseName      string
+	releaseNamespace string
+}
+
+func NewHelm(repo string, releaseName string, releaseNamespace string) *Helm {
+	return &Helm{
+		repo:             repo,
+		releaseName:      releaseName,
+		releaseNamespace: releaseNamespace,
+	}
+}
+
+func parseOCIRef(chartRef string) (string, string, error) {
+	refTagRegexp := regexp.MustCompile(`^(oci://[^:]+(:[0-9]{1,5})?[^:]+):(.*)$`)
+	caps := refTagRegexp.FindStringSubmatch(chartRef)
+	if len(caps) != 4 {
+		return "", "", errors.Errorf("improperly formatted oci chart reference: %s", chartRef)
+	}
+	chartRef = caps[1]
+	tag := caps[3]
+
+	return chartRef, tag, nil
+}
+
+func (h *Helm) Install() (rel *release.Release, err error) {
+	kubeConfigPath := config.Config.KubeConfigPath()
+	actionConfig := new(action.Configuration)
+	if err = actionConfig.Init(kube.GetConfig(kubeConfigPath, "", h.releaseNamespace), h.releaseNamespace, os.Getenv(ENV_HELM_DRIVER), func(format string, v ...interface{}) {
+		log.Info().Msgf(format, v...)
+	}); err != nil {
+		return
+	}
+
+	client := action.NewInstall(actionConfig)
+	client.Namespace = h.releaseNamespace
+	client.ReleaseName = h.releaseName
+
+	chartPath := os.Getenv(fmt.Sprintf("%s_HELM_CHART_PATH", strings.ToUpper(misc.Program)))
+	if chartPath == "" {
+		var chartURL string
+		chartURL, err = repo.FindChartInRepoURL(h.repo, h.releaseName, "", "", "", "", getter.All(&cli.EnvSettings{}))
+		if err != nil {
+			return
+		}
+
+		var cp string
+		cp, err = client.ChartPathOptions.LocateChart(chartURL, settings)
+		if err != nil {
+			return
+		}
+
+		m := &downloader.Manager{
+			Out:              os.Stdout,
+			ChartPath:        cp,
+			Keyring:          client.ChartPathOptions.Keyring,
+			SkipUpdate:       false,
+			Getters:          getter.All(settings),
+			RepositoryConfig: settings.RepositoryConfig,
+			RepositoryCache:  settings.RepositoryCache,
+			Debug:            settings.Debug,
+		}
+
+		dl := downloader.ChartDownloader{
+			Out:              m.Out,
+			Verify:           m.Verify,
+			Keyring:          m.Keyring,
+			RepositoryConfig: m.RepositoryConfig,
+			RepositoryCache:  m.RepositoryCache,
+			RegistryClient:   m.RegistryClient,
+			Getters:          m.Getters,
+			Options: []getter.Option{
+				getter.WithInsecureSkipVerifyTLS(false),
+			},
+		}
+
+		repoPath := filepath.Dir(m.ChartPath)
+		err = os.MkdirAll(repoPath, os.ModePerm)
+		if err != nil {
+			return
+		}
+
+		version := ""
+		if registry.IsOCI(chartURL) {
+			chartURL, version, err = parseOCIRef(chartURL)
+			if err != nil {
+				return
+			}
+			dl.Options = append(dl.Options,
+				getter.WithRegistryClient(m.RegistryClient),
+				getter.WithTagName(version))
+		}
+
+		log.Info().
+			Str("url", chartURL).
+			Str("repo-path", repoPath).
+			Msg("Downloading Helm chart:")
+
+		if _, _, err = dl.DownloadTo(chartURL, version, repoPath); err != nil {
+			return
+		}
+
+		chartPath = m.ChartPath
+	}
+	var chart *chart.Chart
+	chart, err = loader.Load(chartPath)
+	if err != nil {
+		return
+	}
+
+	log.Info().
+		Str("release", chart.Metadata.Name).
+		Str("version", chart.Metadata.Version).
+		Strs("source", chart.Metadata.Sources).
+		Str("kube-version", chart.Metadata.KubeVersion).
+		Msg("Installing using Helm:")
+
+	var configMarshalled []byte
+	configMarshalled, err = json.Marshal(config.Config)
+	if err != nil {
+		return
+	}
+
+	var configUnmarshalled map[string]interface{}
+	err = json.Unmarshal(configMarshalled, &configUnmarshalled)
+	if err != nil {
+		return
+	}
+
+	rel, err = client.Run(chart, configUnmarshalled)
+	if err != nil {
+		return
+	}
+
+	return
+}
+
+func (h *Helm) Uninstall() (resp *release.UninstallReleaseResponse, err error) {
+	kubeConfigPath := config.Config.KubeConfigPath()
+	actionConfig := new(action.Configuration)
+	if err = actionConfig.Init(kube.GetConfig(kubeConfigPath, "", h.releaseNamespace), h.releaseNamespace, os.Getenv(ENV_HELM_DRIVER), func(format string, v ...interface{}) {
+		log.Info().Msgf(format, v...)
+	}); err != nil {
+		return
+	}
+
+	client := action.NewUninstall(actionConfig)
+
+	resp, err = client.Run(h.releaseName)
+	if err != nil {
+		return
+	}
+
+	return
+}
--- a/kubernetes/provider.go
+++ b/kubernetes/provider.go
@@ -1,38 +1,30 @@
 package kubernetes

 import (
+	"bufio"
 	"bytes"
 	"context"
-	"errors"
 	"fmt"
 	"io"
 	"net/url"
 	"path/filepath"
 	"regexp"
+	"strings"

-	"github.com/kubeshark/kubeshark/docker"
+	"github.com/kubeshark/kubeshark/config"
 	"github.com/kubeshark/kubeshark/misc"
 	"github.com/kubeshark/kubeshark/semver"
+	"github.com/kubeshark/kubeshark/utils"
 	"github.com/rs/zerolog/log"
-	auth "k8s.io/api/authorization/v1"
+	"github.com/tanqiangyes/grep-go/reader"
 	core "k8s.io/api/core/v1"
-	rbac "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/version"
-	"k8s.io/apimachinery/pkg/watch"
-	applyconfapp "k8s.io/client-go/applyconfigurations/apps/v1"
-	applyconfcore "k8s.io/client-go/applyconfigurations/core/v1"
-	applyconfmeta "k8s.io/client-go/applyconfigurations/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
-	watchtools "k8s.io/client-go/tools/watch"
 )

 type Provider struct {
@@ -43,14 +35,6 @@ type Provider struct {
 	createdBy        string
 }

-const (
-	fieldManagerName = "kubeshark-manager"
-	procfsVolumeName = "proc"
-	procfsMountPath  = "/hostproc"
-	sysfsVolumeName  = "sys"
-	sysfsMountPath   = "/sys"
-)
-
 func NewProvider(kubeConfigPath string, contextName string) (*Provider, error) {
 	kubernetesConfig := loadKubernetesConfiguration(kubeConfigPath, contextName)
 	restClientConfig, err := kubernetesConfig.ClientConfig()
@@ -89,360 +73,11 @@ func NewProvider(kubeConfigPath string, contextName string) (*Provider, error) {
 	}, nil
 }

-//NewProviderInCluster Used in another repo that calls this function
-func NewProviderInCluster() (*Provider, error) {
-	restClientConfig, err := rest.InClusterConfig()
-	if err != nil {
-		return nil, err
-	}
-	clientSet, err := getClientSet(restClientConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Provider{
-		clientSet:        clientSet,
-		kubernetesConfig: nil, // not relevant in cluster
-		clientConfig:     *restClientConfig,
-		managedBy:        misc.Program,
-		createdBy:        misc.Program,
-	}, nil
-}
-
-func (provider *Provider) CurrentNamespace() (string, error) {
-	if provider.kubernetesConfig == nil {
-		return "", errors.New("kubernetesConfig is nil, The CLI will not work with in-cluster kubernetes config, use a kubeconfig file when initializing the Provider")
-	}
-	ns, _, err := provider.kubernetesConfig.Namespace()
-	return ns, err
-}
-
-func (provider *Provider) WaitUtilNamespaceDeleted(ctx context.Context, name string) error {
-	fieldSelector := fmt.Sprintf("metadata.name=%s", name)
-	var limit int64 = 1
-	lw := &cache.ListWatch{
-		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
-			options.FieldSelector = fieldSelector
-			options.Limit = limit
-			return provider.clientSet.CoreV1().Namespaces().List(ctx, options)
-		},
-		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
-			options.FieldSelector = fieldSelector
-			options.Limit = limit
-			return provider.clientSet.CoreV1().Namespaces().Watch(ctx, options)
-		},
-	}
-
-	var preconditionFunc watchtools.PreconditionFunc = func(store cache.Store) (bool, error) {
-		_, exists, err := store.Get(&core.Namespace{ObjectMeta: metav1.ObjectMeta{Name: name}})
-		if err != nil {
-			return false, err
-		}
-		if exists {
-			return false, nil
-		}
-		return true, nil
-	}
-
-	conditionFunc := func(e watch.Event) (bool, error) {
-		if e.Type == watch.Deleted {
-			return true, nil
-		}
-		return false, nil
-	}
-
-	obj := &core.Namespace{}
-	_, err := watchtools.UntilWithSync(ctx, lw, obj, preconditionFunc, conditionFunc)
-
-	return err
-}
-
-func (provider *Provider) CreateNamespace(ctx context.Context, name string) (*core.Namespace, error) {
-	namespaceSpec := &core.Namespace{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-			Labels: map[string]string{
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-	}
-	return provider.clientSet.CoreV1().Namespaces().Create(ctx, namespaceSpec, metav1.CreateOptions{})
-}
-
-type PodOptions struct {
-	Namespace          string
-	PodName            string
-	PodImage           string
-	ServiceAccountName string
-	Resources          Resources
-	ImagePullPolicy    core.PullPolicy
-	ImagePullSecrets   []core.LocalObjectReference
-	Debug              bool
-}
-
-func (provider *Provider) BuildHubPod(opts *PodOptions) (*core.Pod, error) {
-	cpuLimit, err := resource.ParseQuantity(opts.Resources.CpuLimit)
-	if err != nil {
-		return nil, fmt.Errorf("invalid cpu limit for %s container", opts.PodName)
-	}
-	memLimit, err := resource.ParseQuantity(opts.Resources.MemoryLimit)
-	if err != nil {
-		return nil, fmt.Errorf("invalid memory limit for %s container", opts.PodName)
-	}
-	cpuRequests, err := resource.ParseQuantity(opts.Resources.CpuRequests)
-	if err != nil {
-		return nil, fmt.Errorf("invalid cpu request for %s container", opts.PodName)
-	}
-	memRequests, err := resource.ParseQuantity(opts.Resources.MemoryRequests)
-	if err != nil {
-		return nil, fmt.Errorf("invalid memory request for %s container", opts.PodName)
-	}
-
-	command := []string{
-		"./hub",
-	}
-
-	if opts.Debug {
-		command = append(command, "-debug")
-	}
-
-	containers := []core.Container{
-		{
-			Name:            opts.PodName,
-			Image:           opts.PodImage,
-			ImagePullPolicy: opts.ImagePullPolicy,
-			Command:         command,
-			Resources: core.ResourceRequirements{
-				Limits: core.ResourceList{
-					"cpu":    cpuLimit,
-					"memory": memLimit,
-				},
-				Requests: core.ResourceList{
-					"cpu":    cpuRequests,
-					"memory": memRequests,
-				},
-			},
-		},
-	}
-
-	pod := &core.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: opts.PodName,
-			Labels: map[string]string{
-				"app":          opts.PodName,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		Spec: core.PodSpec{
-			Containers:                    containers,
-			DNSPolicy:                     core.DNSClusterFirstWithHostNet,
-			TerminationGracePeriodSeconds: new(int64),
-			Tolerations: []core.Toleration{
-				{
-					Operator: core.TolerationOpExists,
-					Effect:   core.TaintEffectNoExecute,
-				},
-				{
-					Operator: core.TolerationOpExists,
-					Effect:   core.TaintEffectNoSchedule,
-				},
-			},
-			ImagePullSecrets: opts.ImagePullSecrets,
-		},
-	}
-
-	//define the service account only when it exists to prevent pod crash
-	if opts.ServiceAccountName != "" {
-		pod.Spec.ServiceAccountName = opts.ServiceAccountName
-	}
-	return pod, nil
-}
-
-func (provider *Provider) BuildFrontPod(opts *PodOptions, hubHost string, hubPort string) (*core.Pod, error) {
-	cpuLimit, err := resource.ParseQuantity(opts.Resources.CpuLimit)
-	if err != nil {
-		return nil, fmt.Errorf("invalid cpu limit for %s container", opts.PodName)
-	}
-	memLimit, err := resource.ParseQuantity(opts.Resources.MemoryLimit)
-	if err != nil {
-		return nil, fmt.Errorf("invalid memory limit for %s container", opts.PodName)
-	}
-	cpuRequests, err := resource.ParseQuantity(opts.Resources.CpuRequests)
-	if err != nil {
-		return nil, fmt.Errorf("invalid cpu request for %s container", opts.PodName)
-	}
-	memRequests, err := resource.ParseQuantity(opts.Resources.MemoryRequests)
-	if err != nil {
-		return nil, fmt.Errorf("invalid memory request for %s container", opts.PodName)
-	}
-
-	volumeMounts := []core.VolumeMount{}
-	volumes := []core.Volume{}
-
-	containers := []core.Container{
-		{
-			Name:            opts.PodName,
-			Image:           docker.GetFrontImage(),
-			ImagePullPolicy: opts.ImagePullPolicy,
-			VolumeMounts:    volumeMounts,
-			ReadinessProbe: &core.Probe{
-				FailureThreshold: 3,
-				ProbeHandler: core.ProbeHandler{
-					TCPSocket: &core.TCPSocketAction{
-						Port: intstr.Parse("80"),
-					},
-				},
-				PeriodSeconds:    1,
-				SuccessThreshold: 1,
-				TimeoutSeconds:   1,
-			},
-			Resources: core.ResourceRequirements{
-				Limits: core.ResourceList{
-					"cpu":    cpuLimit,
-					"memory": memLimit,
-				},
-				Requests: core.ResourceList{
-					"cpu":    cpuRequests,
-					"memory": memRequests,
-				},
-			},
-			Env: []core.EnvVar{
-				{
-					Name:  "REACT_APP_DEFAULT_FILTER",
-					Value: " ",
-				},
-				{
-					Name:  "REACT_APP_HUB_HOST",
-					Value: " ",
-				},
-				{
-					Name:  "REACT_APP_HUB_PORT",
-					Value: hubPort,
-				},
-			},
-		},
-	}
-
-	pod := &core.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: opts.PodName,
-			Labels: map[string]string{
-				"app":          opts.PodName,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		Spec: core.PodSpec{
-			Containers:                    containers,
-			Volumes:                       volumes,
-			DNSPolicy:                     core.DNSClusterFirstWithHostNet,
-			TerminationGracePeriodSeconds: new(int64),
-			Tolerations: []core.Toleration{
-				{
-					Operator: core.TolerationOpExists,
-					Effect:   core.TaintEffectNoExecute,
-				},
-				{
-					Operator: core.TolerationOpExists,
-					Effect:   core.TaintEffectNoSchedule,
-				},
-			},
-			ImagePullSecrets: opts.ImagePullSecrets,
-		},
-	}
-
-	//define the service account only when it exists to prevent pod crash
-	if opts.ServiceAccountName != "" {
-		pod.Spec.ServiceAccountName = opts.ServiceAccountName
-	}
-	return pod, nil
-}
-
-func (provider *Provider) CreatePod(ctx context.Context, namespace string, podSpec *core.Pod) (*core.Pod, error) {
-	return provider.clientSet.CoreV1().Pods(namespace).Create(ctx, podSpec, metav1.CreateOptions{})
-}
-
-func (provider *Provider) CreateService(ctx context.Context, namespace string, serviceName string, appLabelValue string, targetPort int, port int32) (*core.Service, error) {
-	service := core.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: serviceName,
-			Labels: map[string]string{
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		Spec: core.ServiceSpec{
-			Ports: []core.ServicePort{
-				{
-					Name:       serviceName,
-					TargetPort: intstr.FromInt(targetPort),
-					Port:       port,
-				},
-			},
-			Type:     core.ServiceTypeClusterIP,
-			Selector: map[string]string{"app": appLabelValue},
-		},
-	}
-	return provider.clientSet.CoreV1().Services(namespace).Create(ctx, &service, metav1.CreateOptions{})
-}
-
-func (provider *Provider) CanI(ctx context.Context, namespace string, resource string, verb string, group string) (bool, error) {
-	selfSubjectAccessReview := &auth.SelfSubjectAccessReview{
-		Spec: auth.SelfSubjectAccessReviewSpec{
-			ResourceAttributes: &auth.ResourceAttributes{
-				Namespace: namespace,
-				Resource:  resource,
-				Verb:      verb,
-				Group:     group,
-			},
-		},
-	}
-
-	response, err := provider.clientSet.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, selfSubjectAccessReview, metav1.CreateOptions{})
-	if err != nil {
-		return false, err
-	}
-
-	return response.Status.Allowed, nil
-}
-
-func (provider *Provider) DoesNamespaceExist(ctx context.Context, name string) (bool, error) {
-	namespaceResource, err := provider.clientSet.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
-	return provider.doesResourceExist(namespaceResource, err)
-}
-
-func (provider *Provider) DoesServiceAccountExist(ctx context.Context, namespace string, name string) (bool, error) {
-	serviceAccountResource, err := provider.clientSet.CoreV1().ServiceAccounts(namespace).Get(ctx, name, metav1.GetOptions{})
-	return provider.doesResourceExist(serviceAccountResource, err)
-}
-
 func (provider *Provider) DoesServiceExist(ctx context.Context, namespace string, name string) (bool, error) {
 	serviceResource, err := provider.clientSet.CoreV1().Services(namespace).Get(ctx, name, metav1.GetOptions{})
 	return provider.doesResourceExist(serviceResource, err)
 }

-func (provider *Provider) DoesClusterRoleExist(ctx context.Context, name string) (bool, error) {
-	clusterRoleResource, err := provider.clientSet.RbacV1().ClusterRoles().Get(ctx, name, metav1.GetOptions{})
-	return provider.doesResourceExist(clusterRoleResource, err)
-}
-
-func (provider *Provider) DoesClusterRoleBindingExist(ctx context.Context, name string) (bool, error) {
-	clusterRoleBindingResource, err := provider.clientSet.RbacV1().ClusterRoleBindings().Get(ctx, name, metav1.GetOptions{})
-	return provider.doesResourceExist(clusterRoleBindingResource, err)
-}
-
-func (provider *Provider) DoesRoleExist(ctx context.Context, namespace string, name string) (bool, error) {
-	roleResource, err := provider.clientSet.RbacV1().Roles(namespace).Get(ctx, name, metav1.GetOptions{})
-	return provider.doesResourceExist(roleResource, err)
-}
-
-func (provider *Provider) DoesRoleBindingExist(ctx context.Context, namespace string, name string) (bool, error) {
-	roleBindingResource, err := provider.clientSet.RbacV1().RoleBindings(namespace).Get(ctx, name, metav1.GetOptions{})
-	return provider.doesResourceExist(roleBindingResource, err)
-}
-
 func (provider *Provider) doesResourceExist(resource interface{}, err error) (bool, error) {
 	// Getting NotFound error is the expected behavior when a resource does not exist.
 	if k8serrors.IsNotFound(err) {
@@ -456,419 +91,6 @@ func (provider *Provider) doesResourceExist(resource interface{}, err error) (bo
 	return resource != nil, nil
 }

-func (provider *Provider) CreateSelfRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string, resources []string) error {
-	serviceAccount := &core.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: serviceAccountName,
-			Labels: map[string]string{
-				fmt.Sprintf("%s-cli-version", misc.Program): version,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-	}
-	clusterRole := &rbac.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: clusterRoleName,
-			Labels: map[string]string{
-				fmt.Sprintf("%s-cli-version", misc.Program): version,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		Rules: []rbac.PolicyRule{
-			{
-				APIGroups: []string{"", "extensions", "apps"},
-				Resources: resources,
-				Verbs:     []string{"list", "get", "watch"},
-			},
-		},
-	}
-	clusterRoleBinding := &rbac.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: clusterRoleBindingName,
-			Labels: map[string]string{
-				fmt.Sprintf("%s-cli-version", misc.Program): version,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		RoleRef: rbac.RoleRef{
-			Name:     clusterRoleName,
-			Kind:     "ClusterRole",
-			APIGroup: "rbac.authorization.k8s.io",
-		},
-		Subjects: []rbac.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      serviceAccountName,
-				Namespace: namespace,
-			},
-		},
-	}
-	_, err := provider.clientSet.CoreV1().ServiceAccounts(namespace).Create(ctx, serviceAccount, metav1.CreateOptions{})
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
-	}
-	_, err = provider.clientSet.RbacV1().ClusterRoles().Create(ctx, clusterRole, metav1.CreateOptions{})
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
-	}
-	_, err = provider.clientSet.RbacV1().ClusterRoleBindings().Create(ctx, clusterRoleBinding, metav1.CreateOptions{})
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
-	}
-	return nil
-}
-
-func (provider *Provider) CreateSelfRBACNamespaceRestricted(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error {
-	serviceAccount := &core.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: serviceAccountName,
-			Labels: map[string]string{
-				fmt.Sprintf("%s-cli-version", misc.Program): version,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-	}
-	role := &rbac.Role{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: roleName,
-			Labels: map[string]string{
-				fmt.Sprintf("%s-cli-version", misc.Program): version,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		Rules: []rbac.PolicyRule{
-			{
-				APIGroups: []string{"", "extensions", "apps"},
-				Resources: []string{"pods", "services", "endpoints"},
-				Verbs:     []string{"list", "get", "watch"},
-			},
-		},
-	}
-	roleBinding := &rbac.RoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: roleBindingName,
-			Labels: map[string]string{
-				fmt.Sprintf("%s-cli-version", misc.Program): version,
-				LabelManagedBy: provider.managedBy,
-				LabelCreatedBy: provider.createdBy,
-			},
-		},
-		RoleRef: rbac.RoleRef{
-			Name:     roleName,
-			Kind:     "Role",
-			APIGroup: "rbac.authorization.k8s.io",
-		},
-		Subjects: []rbac.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      serviceAccountName,
-				Namespace: namespace,
-			},
-		},
-	}
-	_, err := provider.clientSet.CoreV1().ServiceAccounts(namespace).Create(ctx, serviceAccount, metav1.CreateOptions{})
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
-	}
-	_, err = provider.clientSet.RbacV1().Roles(namespace).Create(ctx, role, metav1.CreateOptions{})
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
-	}
-	_, err = provider.clientSet.RbacV1().RoleBindings(namespace).Create(ctx, roleBinding, metav1.CreateOptions{})
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
-	}
-	return nil
-}
-
-func (provider *Provider) RemoveNamespace(ctx context.Context, name string) error {
-	err := provider.clientSet.CoreV1().Namespaces().Delete(ctx, name, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveClusterRole(ctx context.Context, name string) error {
-	err := provider.clientSet.RbacV1().ClusterRoles().Delete(ctx, name, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveClusterRoleBinding(ctx context.Context, name string) error {
-	err := provider.clientSet.RbacV1().ClusterRoleBindings().Delete(ctx, name, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveRoleBinding(ctx context.Context, namespace string, name string) error {
-	err := provider.clientSet.RbacV1().RoleBindings(namespace).Delete(ctx, name, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveRole(ctx context.Context, namespace string, name string) error {
-	err := provider.clientSet.RbacV1().Roles(namespace).Delete(ctx, name, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveServiceAccount(ctx context.Context, namespace string, name string) error {
-	err := provider.clientSet.CoreV1().ServiceAccounts(namespace).Delete(ctx, name, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemovePod(ctx context.Context, namespace string, podName string) error {
-	err := provider.clientSet.CoreV1().Pods(namespace).Delete(ctx, podName, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveConfigMap(ctx context.Context, namespace string, configMapName string) error {
-	err := provider.clientSet.CoreV1().ConfigMaps(namespace).Delete(ctx, configMapName, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveService(ctx context.Context, namespace string, serviceName string) error {
-	err := provider.clientSet.CoreV1().Services(namespace).Delete(ctx, serviceName, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) RemoveDaemonSet(ctx context.Context, namespace string, daemonSetName string) error {
-	err := provider.clientSet.AppsV1().DaemonSets(namespace).Delete(ctx, daemonSetName, metav1.DeleteOptions{})
-	return provider.handleRemovalError(err)
-}
-
-func (provider *Provider) handleRemovalError(err error) error {
-	// Ignore NotFound - There is nothing to delete.
-	// Ignore Forbidden - Assume that a user could not have created the resource in the first place.
-	if k8serrors.IsNotFound(err) || k8serrors.IsForbidden(err) {
-		return nil
-	}
-
-	return err
-}
-
-func (provider *Provider) ApplyWorkerDaemonSet(
-	ctx context.Context,
-	namespace string,
-	daemonSetName string,
-	podImage string,
-	workerPodName string,
-	serviceAccountName string,
-	resources Resources,
-	imagePullPolicy core.PullPolicy,
-	imagePullSecrets []core.LocalObjectReference,
-	serviceMesh bool,
-	tls bool,
-	debug bool,
-) error {
-	log.Debug().
-		Str("namespace", namespace).
-		Str("daemonset-name", daemonSetName).
-		Str("image", podImage).
-		Str("pod", workerPodName).
-		Msg("Applying worker DaemonSets.")
-
-	command := []string{"./worker", "-i", "any", "-port", "8897"}
-
-	if debug {
-		command = append(command, "-debug")
-	}
-
-	if serviceMesh {
-		command = append(command, "-servicemesh")
-	}
-
-	if tls {
-		command = append(command, "-tls")
-	}
-
-	if serviceMesh || tls {
-		command = append(command, "-procfs", procfsMountPath)
-	}
-
-	workerContainer := applyconfcore.Container()
-	workerContainer.WithName(workerPodName)
-	workerContainer.WithImage(podImage)
-	workerContainer.WithImagePullPolicy(imagePullPolicy)
-
-	caps := applyconfcore.Capabilities().WithDrop("ALL")
-
-	caps = caps.WithAdd("NET_RAW").WithAdd("NET_ADMIN") // to listen to traffic using libpcap
-
-	if serviceMesh || tls {
-		caps = caps.WithAdd("SYS_ADMIN")  // to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-		caps = caps.WithAdd("SYS_PTRACE") // to set netns to other process + to open libssl.so of other process
-
-		if serviceMesh {
-			caps = caps.WithAdd("DAC_OVERRIDE") // to read /proc/PID/environ
-		}
-
-		if tls {
-			caps = caps.WithAdd("SYS_RESOURCE") // to change rlimits for eBPF
-		}
-	}
-
-	workerContainer.WithSecurityContext(applyconfcore.SecurityContext().WithCapabilities(caps))
-
-	workerContainer.WithCommand(command...)
-
-	if debug {
-		workerContainer.WithEnv(
-			applyconfcore.EnvVar().WithName("MEMORY_PROFILING_ENABLED").WithValue("true"),
-			applyconfcore.EnvVar().WithName("MEMORY_PROFILING_INTERVAL_SECONDS").WithValue("10"),
-			applyconfcore.EnvVar().WithName("MEMORY_USAGE_INTERVAL_MILLISECONDS").WithValue("500"),
-		)
-	}
-
-	cpuLimit, err := resource.ParseQuantity(resources.CpuLimit)
-	if err != nil {
-		return fmt.Errorf("invalid cpu limit for %s container", workerPodName)
-	}
-	memLimit, err := resource.ParseQuantity(resources.MemoryLimit)
-	if err != nil {
-		return fmt.Errorf("invalid memory limit for %s container", workerPodName)
-	}
-	cpuRequests, err := resource.ParseQuantity(resources.CpuRequests)
-	if err != nil {
-		return fmt.Errorf("invalid cpu request for %s container", workerPodName)
-	}
-	memRequests, err := resource.ParseQuantity(resources.MemoryRequests)
-	if err != nil {
-		return fmt.Errorf("invalid memory request for %s container", workerPodName)
-	}
-	workerResourceLimits := core.ResourceList{
-		"cpu":    cpuLimit,
-		"memory": memLimit,
-	}
-	workerResourceRequests := core.ResourceList{
-		"cpu":    cpuRequests,
-		"memory": memRequests,
-	}
-	workerResources := applyconfcore.ResourceRequirements().WithRequests(workerResourceRequests).WithLimits(workerResourceLimits)
-	workerContainer.WithResources(workerResources)
-
-	nodeAffinity := applyconfcore.NodeAffinity()
-	affinity := applyconfcore.Affinity()
-	affinity.WithNodeAffinity(nodeAffinity)
-
-	noExecuteToleration := applyconfcore.Toleration()
-	noExecuteToleration.WithOperator(core.TolerationOpExists)
-	noExecuteToleration.WithEffect(core.TaintEffectNoExecute)
-	noScheduleToleration := applyconfcore.Toleration()
-	noScheduleToleration.WithOperator(core.TolerationOpExists)
-	noScheduleToleration.WithEffect(core.TaintEffectNoSchedule)
-
-	// Host procfs is needed inside the container because we need access to
-	//	the network namespaces of processes on the machine.
-	//
-	procfsVolume := applyconfcore.Volume()
-	procfsVolume.WithName(procfsVolumeName).WithHostPath(applyconfcore.HostPathVolumeSource().WithPath("/proc"))
-	procfsVolumeMount := applyconfcore.VolumeMount().WithName(procfsVolumeName).WithMountPath(procfsMountPath).WithReadOnly(true)
-	workerContainer.WithVolumeMounts(procfsVolumeMount)
-
-	// We need access to /sys in order to install certain eBPF tracepoints
-	//
-	sysfsVolume := applyconfcore.Volume()
-	sysfsVolume.WithName(sysfsVolumeName).WithHostPath(applyconfcore.HostPathVolumeSource().WithPath("/sys"))
-	sysfsVolumeMount := applyconfcore.VolumeMount().WithName(sysfsVolumeName).WithMountPath(sysfsMountPath).WithReadOnly(true)
-	workerContainer.WithVolumeMounts(sysfsVolumeMount)
-
-	podSpec := applyconfcore.PodSpec()
-	podSpec.WithHostNetwork(true)
-	podSpec.WithDNSPolicy(core.DNSClusterFirstWithHostNet)
-	podSpec.WithTerminationGracePeriodSeconds(0)
-	if serviceAccountName != "" {
-		podSpec.WithServiceAccountName(serviceAccountName)
-	}
-	podSpec.WithContainers(workerContainer)
-	podSpec.WithAffinity(affinity)
-	podSpec.WithTolerations(noExecuteToleration, noScheduleToleration)
-	podSpec.WithVolumes(procfsVolume, sysfsVolume)
-
-	if len(imagePullSecrets) > 0 {
-		localObjectReference := applyconfcore.LocalObjectReference()
-		for _, secret := range imagePullSecrets {
-			localObjectReference.WithName(secret.Name)
-		}
-		podSpec.WithImagePullSecrets(localObjectReference)
-	}
-
-	podTemplate := applyconfcore.PodTemplateSpec()
-	podTemplate.WithLabels(map[string]string{
-		"app":          workerPodName,
-		LabelManagedBy: provider.managedBy,
-		LabelCreatedBy: provider.createdBy,
-	})
-	podTemplate.WithSpec(podSpec)
-
-	labelSelector := applyconfmeta.LabelSelector()
-	labelSelector.WithMatchLabels(map[string]string{"app": workerPodName})
-
-	applyOptions := metav1.ApplyOptions{
-		Force:        true,
-		FieldManager: fieldManagerName,
-	}
-
-	daemonSet := applyconfapp.DaemonSet(daemonSetName, namespace)
-	daemonSet.
-		WithLabels(map[string]string{
-			LabelManagedBy: provider.managedBy,
-			LabelCreatedBy: provider.createdBy,
-		}).
-		WithSpec(applyconfapp.DaemonSetSpec().WithSelector(labelSelector).WithTemplate(podTemplate))
-
-	_, err = provider.clientSet.AppsV1().DaemonSets(namespace).Apply(ctx, daemonSet, applyOptions)
-	return err
-}
-
-func (provider *Provider) ResetWorkerDaemonSet(ctx context.Context, namespace string, daemonSetName string, podImage string, workerPodName string) error {
-	workerContainer := applyconfcore.Container()
-	workerContainer.WithName(workerPodName)
-	workerContainer.WithImage(podImage)
-
-	nodeSelectorRequirement := applyconfcore.NodeSelectorRequirement()
-	nodeSelectorRequirement.WithKey(fmt.Sprintf("%s-non-existing-label", misc.Program))
-	nodeSelectorRequirement.WithOperator(core.NodeSelectorOpExists)
-	nodeSelectorTerm := applyconfcore.NodeSelectorTerm()
-	nodeSelectorTerm.WithMatchExpressions(nodeSelectorRequirement)
-	nodeSelector := applyconfcore.NodeSelector()
-	nodeSelector.WithNodeSelectorTerms(nodeSelectorTerm)
-	nodeAffinity := applyconfcore.NodeAffinity()
-	nodeAffinity.WithRequiredDuringSchedulingIgnoredDuringExecution(nodeSelector)
-	affinity := applyconfcore.Affinity()
-	affinity.WithNodeAffinity(nodeAffinity)
-
-	podSpec := applyconfcore.PodSpec()
-	podSpec.WithContainers(workerContainer)
-	podSpec.WithAffinity(affinity)
-
-	podTemplate := applyconfcore.PodTemplateSpec()
-	podTemplate.WithLabels(map[string]string{
-		"app":          workerPodName,
-		LabelManagedBy: provider.managedBy,
-		LabelCreatedBy: provider.createdBy,
-	})
-	podTemplate.WithSpec(podSpec)
-
-	labelSelector := applyconfmeta.LabelSelector()
-	labelSelector.WithMatchLabels(map[string]string{"app": workerPodName})
-
-	applyOptions := metav1.ApplyOptions{
-		Force:        true,
-		FieldManager: fieldManagerName,
-	}
-
-	daemonSet := applyconfapp.DaemonSet(daemonSetName, namespace)
-	daemonSet.
-		WithLabels(map[string]string{
-			LabelManagedBy: provider.managedBy,
-			LabelCreatedBy: provider.createdBy,
-		}).
-		WithSpec(applyconfapp.DaemonSetSpec().WithSelector(labelSelector).WithTemplate(podTemplate))
-
-	_, err := provider.clientSet.AppsV1().DaemonSets(namespace).Apply(ctx, daemonSet, applyOptions)
-	return err
-}
-
 func (provider *Provider) listPodsImpl(ctx context.Context, regex *regexp.Regexp, namespaces []string, listOptions metav1.ListOptions) ([]core.Pod, error) {
 	var pods []core.Pod
 	for _, namespace := range namespaces {
@@ -893,10 +115,6 @@ func (provider *Provider) ListAllPodsMatchingRegex(ctx context.Context, regex *r
 	return provider.listPodsImpl(ctx, regex, namespaces, metav1.ListOptions{})
 }

-func (provider *Provider) GetPod(ctx context.Context, namespaces string, podName string) (*core.Pod, error) {
-	return provider.clientSet.CoreV1().Pods(namespaces).Get(ctx, podName, metav1.GetOptions{})
-}
-
 func (provider *Provider) ListAllRunningPodsMatchingRegex(ctx context.Context, regex *regexp.Regexp, namespaces []string) ([]core.Pod, error) {
 	pods, err := provider.ListAllPodsMatchingRegex(ctx, regex, namespaces)
 	if err != nil {
@@ -912,8 +130,14 @@ func (provider *Provider) ListAllRunningPodsMatchingRegex(ctx context.Context, r
 	return matchingPods, nil
 }

-func (provider *Provider) ListPodsByAppLabel(ctx context.Context, namespaces string, labelName string) ([]core.Pod, error) {
-	pods, err := provider.clientSet.CoreV1().Pods(namespaces).List(ctx, metav1.ListOptions{LabelSelector: fmt.Sprintf("app=%s", labelName)})
+func (provider *Provider) ListPodsByAppLabel(ctx context.Context, namespaces string, labels map[string]string) ([]core.Pod, error) {
+	pods, err := provider.clientSet.CoreV1().Pods(namespaces).List(ctx, metav1.ListOptions{
+		LabelSelector: metav1.FormatLabelSelector(
+			&metav1.LabelSelector{
+				MatchLabels: labels,
+			},
+		),
+	})
 	if err != nil {
 		return nil, err
 	}
@@ -921,16 +145,7 @@ func (provider *Provider) ListPodsByAppLabel(ctx context.Context, namespaces str
 	return pods.Items, err
 }

-func (provider *Provider) ListAllNamespaces(ctx context.Context) ([]core.Namespace, error) {
-	namespaces, err := provider.clientSet.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
-	if err != nil {
-		return nil, err
-	}
-
-	return namespaces.Items, err
-}
-
-func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string, containerName string) (string, error) {
+func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string, containerName string, grep string) (string, error) {
 	podLogOpts := core.PodLogOptions{Container: containerName}
 	req := provider.clientSet.CoreV1().Pods(namespace).GetLogs(podName, &podLogOpts)
 	podLogs, err := req.Stream(ctx)
@@ -942,8 +157,26 @@ func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podN
 	if _, err = io.Copy(buf, podLogs); err != nil {
 		return "", fmt.Errorf("error copy information from podLogs to buf, ns: %s, pod: %s, %w", namespace, podName, err)
 	}
-	str := buf.String()
-	return str, nil
+
+	if grep != "" {
+		finder, err := reader.NewFinder(grep, true, true)
+		if err != nil {
+			panic(err)
+		}
+
+		read, err := reader.NewStdReader(bufio.NewReader(buf), []reader.Finder{finder})
+		if err != nil {
+			panic(err)
+		}
+		read.Run()
+		result := read.Result()[0]
+
+		log.Info().Str("namespace", namespace).Str("pod", podName).Str("container", containerName).Int("lines", len(result.Lines)).Str("grep", grep).Send()
+		return strings.Join(result.MatchString, "\n"), nil
+	} else {
+		log.Info().Str("namespace", namespace).Str("pod", podName).Str("container", containerName).Send()
+		return buf.String(), nil
+	}
 }

 func (provider *Provider) GetNamespaceEvents(ctx context.Context, namespace string) (string, error) {
@@ -955,41 +188,6 @@ func (provider *Provider) GetNamespaceEvents(ctx context.Context, namespace stri
 	return eventList.String(), nil
 }

-func (provider *Provider) ListManagedServiceAccounts(ctx context.Context, namespace string) (*core.ServiceAccountList, error) {
-	listOptions := metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s", LabelManagedBy, provider.managedBy),
-	}
-	return provider.clientSet.CoreV1().ServiceAccounts(namespace).List(ctx, listOptions)
-}
-
-func (provider *Provider) ListManagedClusterRoles(ctx context.Context) (*rbac.ClusterRoleList, error) {
-	listOptions := metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s", LabelManagedBy, provider.managedBy),
-	}
-	return provider.clientSet.RbacV1().ClusterRoles().List(ctx, listOptions)
-}
-
-func (provider *Provider) ListManagedClusterRoleBindings(ctx context.Context) (*rbac.ClusterRoleBindingList, error) {
-	listOptions := metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s", LabelManagedBy, provider.managedBy),
-	}
-	return provider.clientSet.RbacV1().ClusterRoleBindings().List(ctx, listOptions)
-}
-
-func (provider *Provider) ListManagedRoles(ctx context.Context, namespace string) (*rbac.RoleList, error) {
-	listOptions := metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s", LabelManagedBy, provider.managedBy),
-	}
-	return provider.clientSet.RbacV1().Roles(namespace).List(ctx, listOptions)
-}
-
-func (provider *Provider) ListManagedRoleBindings(ctx context.Context, namespace string) (*rbac.RoleBindingList, error) {
-	listOptions := metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s", LabelManagedBy, provider.managedBy),
-	}
-	return provider.clientSet.RbacV1().RoleBindings(namespace).List(ctx, listOptions)
-}
-
 // ValidateNotProxy We added this after a customer tried to run kubeshark from lens, which used len's kube config, which have cluster server configuration, which points to len's local proxy.
 // The workaround was to use the user's local default kube config.
 // For now - we are blocking the option to run kubeshark through a proxy to k8s server
@@ -1029,6 +227,30 @@ func (provider *Provider) GetKubernetesVersion() (*semver.SemVersion, error) {
 	return &serverVersionSemVer, nil
 }

+func (provider *Provider) GetNamespaces() (namespaces []string) {
+	if len(config.Config.Tap.Namespaces) > 0 {
+		namespaces = utils.Unique(config.Config.Tap.Namespaces)
+	} else {
+		namespaceList, err := provider.clientSet.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
+		if err != nil {
+			log.Error().Err(err).Send()
+			return
+		}
+
+		for _, ns := range namespaceList.Items {
+			namespaces = append(namespaces, ns.Name)
+		}
+	}
+
+	namespaces = utils.Diff(namespaces, config.Config.Tap.ExcludedNamespaces)
+
+	return
+}
+
+func (provider *Provider) GetClientSet() *kubernetes.Clientset {
+	return provider.clientSet
+}
+
 func getClientSet(config *rest.Config) (*kubernetes.Clientset, error) {
 	clientSet, err := kubernetes.NewForConfig(config)
 	if err != nil {
--- a/kubernetes/proxy.go
+++ b/kubernetes/proxy.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/kubeshark/kubeshark/config"
 	"github.com/rs/zerolog/log"
 	"k8s.io/apimachinery/pkg/util/httpstream"
 	"k8s.io/client-go/tools/portforward"
@@ -23,6 +24,7 @@ const selfServicePort = 80

 func StartProxy(kubernetesProvider *Provider, proxyHost string, srcPort uint16, selfNamespace string, selfServiceName string) (*http.Server, error) {
 	log.Info().
+		Str("proxy-host", proxyHost).
 		Str("namespace", selfNamespace).
 		Str("service", selfServiceName).
 		Int("src-port", int(srcPort)).
@@ -66,8 +68,12 @@ func getSelfHubProxiedHostAndPath(selfNamespace string, selfServiceName string)
 	return fmt.Sprintf("/api/v1/namespaces/%s/services/%s:%d/proxy", selfNamespace, selfServiceName, selfServicePort)
 }

-func GetLocalhostOnPort(port uint16) string {
-	return fmt.Sprintf("http://localhost:%d", port)
+func GetProxyOnPort(port uint16) string {
+	return fmt.Sprintf("http://%s:%d", config.Config.Tap.Proxy.Host, port)
+}
+
+func GetHubUrl() string {
+	return fmt.Sprintf("%s/api", GetProxyOnPort(config.Config.Tap.Proxy.Front.Port))
 }

 func getRerouteHttpHandlerSelfAPI(proxyHandler http.Handler, selfNamespace string, selfServiceName string) http.Handler {
@@ -100,7 +106,7 @@ func getRerouteHttpHandlerSelfStatic(proxyHandler http.Handler, selfNamespace st
 }

 func NewPortForward(kubernetesProvider *Provider, namespace string, podRegex *regexp.Regexp, srcPort uint16, dstPort uint16, ctx context.Context) (*portforward.PortForwarder, error) {
-	pods, err := kubernetesProvider.ListAllRunningPodsMatchingRegex(ctx, podRegex, []string{namespace})
+	pods, err := kubernetesProvider.ListPodsByAppLabel(ctx, namespace, map[string]string{AppLabelKey: "front"})
 	if err != nil {
 		return nil, err
 	} else if len(pods) == 0 {
@@ -132,6 +138,7 @@ func NewPortForward(kubernetesProvider *Provider, namespace string, podRegex *re
 	go func() {
 		if err = forwarder.ForwardPorts(); err != nil {
 			log.Error().Err(err).Msg("While Kubernetes port-forwarding!")
+			log.Info().Str("command", fmt.Sprintf("kubectl port-forward -n %s service/kubeshark-front 8899:80", config.Config.Tap.Release.Namespace)).Msg("Please try running:")
 			return
 		}
 	}()
--- a/kubernetes/structs.go
+++ b/kubernetes/structs.go
@@ -1,8 +0,0 @@
-package kubernetes
-
-type Resources struct {
-	CpuLimit       string `yaml:"cpu-limit" default:"750m"`
-	MemoryLimit    string `yaml:"memory-limit" default:"1Gi"`
-	CpuRequests    string `yaml:"cpu-requests" default:"50m"`
-	MemoryRequests string `yaml:"memory-requests" default:"50Mi"`
-}
--- a/kubernetes/utils.go
+++ b/kubernetes/utils.go
@@ -1,55 +0,0 @@
-package kubernetes
-
-import (
-	"github.com/kubeshark/base/pkg/models"
-	core "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func GetNodeHostToTargetedPodsMap(targetedPods []core.Pod) models.NodeToPodsMap {
-	nodeToTargetedPodsMap := make(models.NodeToPodsMap)
-	for _, pod := range targetedPods {
-		minimizedPod := getMinimizedPod(pod)
-
-		existingList := nodeToTargetedPodsMap[pod.Spec.NodeName]
-		if existingList == nil {
-			nodeToTargetedPodsMap[pod.Spec.NodeName] = []core.Pod{minimizedPod}
-		} else {
-			nodeToTargetedPodsMap[pod.Spec.NodeName] = append(nodeToTargetedPodsMap[pod.Spec.NodeName], minimizedPod)
-		}
-	}
-	return nodeToTargetedPodsMap
-}
-
-func getMinimizedPod(fullPod core.Pod) core.Pod {
-	return core.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      fullPod.Name,
-			Namespace: fullPod.Namespace,
-		},
-		Status: core.PodStatus{
-			PodIP:             fullPod.Status.PodIP,
-			ContainerStatuses: getMinimizedContainerStatuses(fullPod),
-		},
-	}
-}
-
-func getMinimizedContainerStatuses(fullPod core.Pod) []core.ContainerStatus {
-	result := make([]core.ContainerStatus, len(fullPod.Status.ContainerStatuses))
-
-	for i, container := range fullPod.Status.ContainerStatuses {
-		result[i] = core.ContainerStatus{
-			ContainerID: container.ContainerID,
-		}
-	}
-
-	return result
-}
-
-func GetPodInfosForPods(pods []core.Pod) []*models.PodInfo {
-	podInfos := make([]*models.PodInfo, 0)
-	for _, pod := range pods {
-		podInfos = append(podInfos, &models.PodInfo{Name: pod.Name, Namespace: pod.Namespace, NodeName: pod.Spec.NodeName})
-	}
-	return podInfos
-}
--- a/kubernetes/workers.go
+++ b/kubernetes/workers.go
@@ -1,54 +0,0 @@
-package kubernetes
-
-import (
-	"context"
-
-	"github.com/kubeshark/kubeshark/docker"
-	"github.com/rs/zerolog/log"
-	core "k8s.io/api/core/v1"
-)
-
-func CreateWorkers(
-	kubernetesProvider *Provider,
-	selfServiceAccountExists bool,
-	ctx context.Context,
-	namespace string,
-	resources Resources,
-	imagePullPolicy core.PullPolicy,
-	imagePullSecrets []core.LocalObjectReference,
-	serviceMesh bool,
-	tls bool,
-	debug bool,
-) error {
-	image := docker.GetWorkerImage()
-
-	var serviceAccountName string
-	if selfServiceAccountExists {
-		serviceAccountName = ServiceAccountName
-	} else {
-		serviceAccountName = ""
-	}
-
-	log.Info().Msg("Creating the worker DaemonSet...")
-
-	if err := kubernetesProvider.ApplyWorkerDaemonSet(
-		ctx,
-		namespace,
-		WorkerDaemonSetName,
-		image,
-		WorkerPodName,
-		serviceAccountName,
-		resources,
-		imagePullPolicy,
-		imagePullSecrets,
-		serviceMesh,
-		tls,
-		debug,
-	); err != nil {
-		return err
-	}
-
-	log.Info().Msg("Successfully created the worker DaemonSet.")
-
-	return nil
-}
--- a/Show More
+++ b/Show More