🔖 Bump the Helm chart version to 52.1.45

1. removed cloud URL from config map
2. added to hub's and worker's deployments

Makefile

@@ -157,7 +157,7 @@ release:
 	@cd ../worker && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
 	@cd ../hub && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
 	@cd ../front && git checkout master && git pull && git tag -d v$(VERSION); git tag v$(VERSION) && git push origin --tags
-	@cd ../kubeshark && sed -i 's/^version:.*/version: "$(VERSION)"/' helm-chart/Chart.yaml
+	@cd ../kubeshark && sed -i 's/^version:.*/version: "$(VERSION)"/' helm-chart/Chart.yaml && make && make generate-helm-values && make generate-manifests
 	@git add -A . && git commit -m ":bookmark: Bump the Helm chart version to $(VERSION)" && git push
 	@git tag v$(VERSION) && git push origin --tags
 	@cd helm-chart && cp -r . ../../kubeshark.github.io/charts/chart

README.md

@@ -23,11 +23,9 @@
 <p align="center">
   <b>
 	  NEW: 
-	  <a href="https://github.com/kubeshark/kubeshark/releases/latest">Version 52.0.0</a> 
-	  now available, featuring a new 
-	  <a href="https://docs.kubeshark.co/en/traffic_recorder">Traffic Recorder</a> 
-	  and  
-	  <a href="https://docs.kubeshark.co/en/half_connections">Half & Erroneous Connection Analysis</a>.
+	  <a href="https://github.com/kubeshark/kubeshark/releases/latest">Version 52.1.30</a> 
+	  now available, featuring enhanced 
+	  <a href="https://docs.kubeshark.co/en/half_connections">Network Error Detection & Analysis</a>.
   </b>
 </p>
 

cmd/tapRunner.go

@@ -461,8 +461,5 @@ func updateConfig(kubernetesProvider *kubernetes.Provider) {
 
 	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_ENABLED, authEnabled)
 	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_TYPE, config.Config.Tap.Auth.Type)
-	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_APPROVED_EMAILS, strings.Join(config.Config.Tap.Auth.ApprovedEmails, ","))
-	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_APPROVED_DOMAINS, strings.Join(config.Config.Tap.Auth.ApprovedDomains, ","))
-	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_APPROVED_TENANTS, strings.Join(config.Config.Tap.Auth.ApprovedTenants, ","))
 	_, _ = kubernetes.SetConfig(kubernetesProvider, kubernetes.CONFIG_AUTH_SAML_IDP_METADATA_URL, config.Config.Tap.Auth.Saml.IdpMetadataUrl)
 }

config/configStruct.go

@@ -57,10 +57,13 @@ func CreateDefaultConfig() ConfigStruct {
 					"SYS_RESOURCE",
 					// CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 					"CHECKPOINT_RESTORE",
+					// IPC_LOCK is required for ebpf perf rings (kernel > )
+					"IPC_LOCK",
 				},
 			},
 			Auth: configStructs.AuthConfig{
 				Saml: configStructs.SamlConfig{
+					RoleAttribute: "role",
 					Roles: map[string]configStructs.Role{
 						"admin": {
 							Filter:                "",
@@ -68,6 +71,7 @@ func CreateDefaultConfig() ConfigStruct {
 							CanDownloadPCAP:       true,
 							CanUseScripting:       true,
 							CanUpdateTargetedPods: true,
+							ShowAdminConsoleLink:  true,
 						},
 					},
 				},

config/configStructs/tapConfig.go

@@ -88,22 +88,21 @@ type Role struct {
 	CanDownloadPCAP       bool   `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
 	CanUseScripting       bool   `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
 	CanUpdateTargetedPods bool   `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
+	ShowAdminConsoleLink  bool   `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
 }
 
 type SamlConfig struct {
 	IdpMetadataUrl string          `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
 	X509crt        string          `yaml:"x509crt" json:"x509crt"`
 	X509key        string          `yaml:"x509key" json:"x509key"`
+	RoleAttribute  string          `yaml:"roleAttribute" json:"roleAttribute"`
 	Roles          map[string]Role `yaml:"roles" json:"roles"`
 }
 
 type AuthConfig struct {
-	Enabled         bool       `yaml:"enabled" json:"enabled" default:"false"`
-	Type            string     `yaml:"type" json:"type" default:"saml"`
-	ApprovedEmails  []string   `yaml:"approvedEmails" json:"approvedEmails"  default:"[]"`
-	ApprovedDomains []string   `yaml:"approvedDomains" json:"approvedDomains"  default:"[]"`
-	ApprovedTenants []string   `yaml:"approvedTenants" json:"approvedTenants"  default:"[]"`
-	Saml            SamlConfig `yaml:"saml" json:"saml"`
+	Enabled bool       `yaml:"enabled" json:"enabled" default:"false"`
+	Type    string     `yaml:"type" json:"type" default:"saml"`
+	Saml    SamlConfig `yaml:"saml" json:"saml"`
 }
 
 type IngressConfig struct {
@@ -141,6 +140,12 @@ type MetricsConfig struct {
 	Port uint16 `yaml:"port" json:"port" default:"49100"`
 }
 
+type MiscConfig struct {
+	JsonTTL      string `yaml:"jsonTTL" json:"jsonTTL" default:"5m"`
+	PcapTTL      string `yaml:"pcapTTL" json:"pcapTTL" default:"10s"`
+	PcapErrorTTL string `yaml:"pcapErrorTTL" json:"pcapErrorTTL" default:"60s"`
+}
+
 type TapConfig struct {
 	Docker                    DockerConfig          `yaml:"docker" json:"docker"`
 	Proxy                     ProxyConfig           `yaml:"proxy" json:"proxy"`
@@ -173,6 +178,7 @@ type TapConfig struct {
 	Metrics                   MetricsConfig         `yaml:"metrics" json:"metrics"`
 	TrafficSampleRate         int                   `yaml:"trafficSampleRate" json:"trafficSampleRate" default:"100"`
 	TcpStreamChannelTimeoutMs int                   `yaml:"tcpStreamChannelTimeoutMs" json:"tcpStreamChannelTimeoutMs" default:"10000"`
+	Misc                      MiscConfig            `yaml:"misc" json:"misc"`
 }
 
 func (config *TapConfig) PodRegex() *regexp.Regexp {

helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: kubeshark
-version: "52.1.9"
+version: "52.1.45"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.co
 keywords:

helm-chart/README.md

@@ -1,6 +1,6 @@
 # Helm Chart of Kubeshark
 
-## Officially
+## Official
 
 Add the Helm repo for Kubeshark:
 
@@ -14,7 +14,7 @@ then install Kubeshark:
 helm install kubeshark kubeshark/kubeshark
 ```
 
-## Locally
+## Local
 
 Clone the repo:
 
@@ -41,7 +41,7 @@ Uninstall Kubeshark:
 helm uninstall kubeshark
 ```
 
-## Accessing
+## Port-forward
 
 Do the port forwarding:
 
@@ -51,6 +51,25 @@ kubectl port-forward service/kubeshark-front 8899:80
 
 Visit [localhost:8899](http://localhost:8899)
 
+
+## Increase the Worker's Storage Limit
+
+For example, change from the default 500Mi to 5Gi:
+
+```shell
+--set tap.storageLimit=5Gi
+```
+
+## Add a License
+
+When it's necessary, you can use:
+
+```shell
+--set license=YOUR_LICENSE_GOES_HERE
+```
+
+Get your license from Kubeshark's [Admin Console](https://console.kubeshark.co/).
+
 ## Installing with Ingress (EKS) enabled
 
 ```shell
@@ -71,93 +90,6 @@ tap:
       alb.ingress.kubernetes.io/scheme: internet-facing
 ```
 
-## Installing with SAML enabled
-
-### Prerequisites:
-
-##### 1. Generate X.509 certificate & key (TL;DR: https://ubuntu.com/server/docs/security-certificates)
-
-**Example:**
-```
-openssl genrsa -out mykey.key 2048
-openssl req -new -key mykey.key -out mycsr.csr
-openssl x509 -signkey mykey.key -in mycsr.csr -req -days 365 -out mycert.crt
-```
-
-**What you get:**
-- `mycert.crt` - use it for `tap.auth.saml.x509crt`
-- `mykey.key` - use it for `tap.auth.saml.x509crt`
-
-##### 2. Prepare your SAML IDP
-
-You should set up the required SAML IDP (Google, Auth0, your custom IDP, etc.)
-
-During setup, an IDP provider will typically request to enter:
-- Metadata URL
-- ACS URL (Assertion Consumer Service URL, aka Callback URL)
-- SLO URL (Single Logout URL)
-
-Correspondingly, you will enter these (if you run the most default Kubeshark setup):
-- [http://localhost:8899/saml/metadata](http://localhost:8899/saml/metadata)
-- [http://localhost:8899/saml/acs](http://localhost:8899/saml/acs)
-- [http://localhost:8899/saml/slo](http://localhost:8899/saml/slo)
-
-Otherwise, if you have `tap.ingress.enabled == true`, change protocol & domain respectively - showing example domain:
-- [https://kubeshark.example.com/saml/metadata](https://kubeshark.example.com/saml/metadata)
-- [https://kubeshark.example.com/saml/acs](https://kubeshark.example.com/saml/acs)
-- [https://kubeshark.example.com/saml/slo](https://kubeshark.example.com/saml/slo)
-
-```shell
-helm install kubeshark kubeshark/kubeshark -f values.yaml
-```
-
-Set this `value.yaml`:
-```shell
-tap:
-  auth:
-    enabled: true
-    type: saml
-    approvedEmails: []
-    approvedDomains: []
-    approvedTenants: []
-    saml:
-      idpMetadataUrl: "https://tiptophelmet.us.auth0.com/samlp/metadata/MpWiDCMMB5ShU1HRnhdb1sHM6VWqdnDG"
-      x509crt: |
-        -----BEGIN CERTIFICATE-----
-        MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG
-        MSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAZXhhbXBsZS5jb20wHhcNMjMxMjI4
-        ........<redacted: please, generate your own X.509 cert>........
-        ZMzM7YscqZwoVhTOhrD4/5nIfOD/hTWG/MBe2Um1V1IYF8aVEllotTKTgsF6ZblA
-        miCOgl6lIlZy
-        -----END CERTIFICATE-----
-      x509key: |
-        -----BEGIN PRIVATE KEY-----
-        MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDlgDFKsRHj+mok
-        euOF0IpwToOEpQGtafB75ytv3psD/tQAzEIug+rkDriVvsfcvafj0qcaTeYvnCoz
-        ........<redacted: please, generate your own X.509 key>.........
-        sUpBCu0E3nRJM/QB2ui5KhNR7uvPSL+kSsaEq19/mXqsL+mRi9aqy2wMEvUSU/kt
-        UaV5sbRtTzYLxpOSQyi8CEFA+A==
-        -----END PRIVATE KEY-----
-```
-
-## Add a License
-
-When it's necessary, you can use:
-
-```shell
---set license=YOUR_LICENSE_GOES_HERE
-```
-
-Get your license from Kubeshark's [Admin Console](https://console.kubeshark.co/).
-
-## Increase the Worker's Storage Limit
-
-For example, change from the default 500Mi to 1Gi:
-
-```shell
---set tap.storageLimit=1Gi
-```
-
 ## Disabling IPV6
 
 Not all have IPV6 enabled, hence this has to be disabled as follows:
@@ -216,6 +148,8 @@ Please refer to [metrics](./metrics.md) documentation for details.
 | `tap.auth.saml.idpMetadataUrl`                    | SAML IDP metadata URL <br/>(effective, if `tap.auth.type = saml`)                                  | ``                                                      |
 | `tap.auth.saml.x509crt`                   | A self-signed X.509 `.cert` contents <br/>(effective, if `tap.auth.type = saml`)          | ``                                                      |
 | `tap.auth.saml.x509key`                   | A self-signed X.509 `.key` contents <br/>(effective, if `tap.auth.type = saml`)           | ``                                                      |
+| `tap.auth.saml.roleAttribute`             | A SAML attribute name corresponding to user's authorization role <br/>(effective, if `tap.auth.type = saml`)  | `role` |
+| `tap.auth.saml.roles`                     | A list of SAML authorization roles and their permissions <br/>(effective, if `tap.auth.type = saml`)  | `{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","showAdminConsoleLink":true}}` |
 | `tap.ingress.enabled`                     | Enable `Ingress`                                | `false`                                                 |
 | `tap.ingress.className`                   | Ingress class name                            | `""`                                                    |
 | `tap.ingress.host`                        | Host of the `Ingress`                          | `ks.svc.cluster.local`                                  |
@@ -243,3 +177,69 @@ Please refer to [metrics](./metrics.md) documentation for details.
 KernelMapping pairs kernel versions with a
                             DriverContainer image. Kernel versions can be matched
                             literally or using a regular expression
+
+## Installing with SAML enabled
+
+### Prerequisites:
+
+##### 1. Generate X.509 certificate & key (TL;DR: https://ubuntu.com/server/docs/security-certificates)
+
+**Example:**
+```
+openssl genrsa -out mykey.key 2048
+openssl req -new -key mykey.key -out mycsr.csr
+openssl x509 -signkey mykey.key -in mycsr.csr -req -days 365 -out mycert.crt
+```
+
+**What you get:**
+- `mycert.crt` - use it for `tap.auth.saml.x509crt`
+- `mykey.key` - use it for `tap.auth.saml.x509crt`
+
+##### 2. Prepare your SAML IDP
+
+You should set up the required SAML IDP (Google, Auth0, your custom IDP, etc.)
+
+During setup, an IDP provider will typically request to enter:
+- Metadata URL
+- ACS URL (Assertion Consumer Service URL, aka Callback URL)
+- SLO URL (Single Logout URL)
+
+Correspondingly, you will enter these (if you run the most default Kubeshark setup):
+- [http://localhost:8899/saml/metadata](http://localhost:8899/saml/metadata)
+- [http://localhost:8899/saml/acs](http://localhost:8899/saml/acs)
+- [http://localhost:8899/saml/slo](http://localhost:8899/saml/slo)
+
+Otherwise, if you have `tap.ingress.enabled == true`, change protocol & domain respectively - showing example domain:
+- [https://kubeshark.example.com/saml/metadata](https://kubeshark.example.com/saml/metadata)
+- [https://kubeshark.example.com/saml/acs](https://kubeshark.example.com/saml/acs)
+- [https://kubeshark.example.com/saml/slo](https://kubeshark.example.com/saml/slo)
+
+```shell
+helm install kubeshark kubeshark/kubeshark -f values.yaml
+```
+
+Set this `value.yaml`:
+```shell
+tap:
+  auth:
+    enabled: true
+    type: saml
+    saml:
+      idpMetadataUrl: "https://tiptophelmet.us.auth0.com/samlp/metadata/MpWiDCMMB5ShU1HRnhdb1sHM6VWqdnDG"
+      x509crt: |
+        -----BEGIN CERTIFICATE-----
+        MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG
+        MSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAZXhhbXBsZS5jb20wHhcNMjMxMjI4
+        ........<redacted: please, generate your own X.509 cert>........
+        ZMzM7YscqZwoVhTOhrD4/5nIfOD/hTWG/MBe2Um1V1IYF8aVEllotTKTgsF6ZblA
+        miCOgl6lIlZy
+        -----END CERTIFICATE-----
+      x509key: |
+        -----BEGIN PRIVATE KEY-----
+        MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDlgDFKsRHj+mok
+        euOF0IpwToOEpQGtafB75ytv3psD/tQAzEIug+rkDriVvsfcvafj0qcaTeYvnCoz
+        ........<redacted: please, generate your own X.509 key>.........
+        sUpBCu0E3nRJM/QB2ui5KhNR7uvPSL+kSsaEq19/mXqsL+mRi9aqy2wMEvUSU/kt
+        UaV5sbRtTzYLxpOSQyi8CEFA+A==
+        -----END PRIVATE KEY-----
+```

helm-chart/metrics.md

@@ -48,4 +48,8 @@ prometheus:
 | kubeshark_reassembled_tcp_payloads_total | Counter | Total number of reassembled TCP payloads |
 | kubeshark_matched_pairs_total | Counter | Total number of matched pairs | 
 | kubeshark_dropped_tcp_streams_total | Counter | Total number of dropped TCP streams | 
-| kubeshark_live_tcp_streams | Gauge | Number of live TCP streams |
+| kubeshark_live_tcp_streams | Gauge | Number of live TCP streams |
+
+## Ready-to-use Dashboard
+
+You can import a ready-to-use dashboard from [Grafana's Dashboards Portal](https://grafana.com/grafana/dashboards/20359-kubeshark-dashboard-v1-0-003/).

helm-chart/templates/04-hub-deployment.yaml

@@ -41,6 +41,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: KUBESHARK_CLOUD_API_URL
+            value: 'https://api.kubeshark.co'
           image: '{{ .Values.tap.docker.registry }}/hub:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (printf "v%s" .Chart.Version) }}'
           imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
           readinessProbe:

helm-chart/templates/09-worker-daemon-set.yaml

@@ -51,6 +51,7 @@ spec:
             - '{{ .Values.tap.proxy.worker.srvPort }}'
             - -metrics-port
             - '{{ .Values.tap.metrics.port }}'
+            - -unixsocket
           {{- if .Values.tap.serviceMesh }}
             - -servicemesh
           {{- end }}
@@ -61,6 +62,8 @@ spec:
           {{- end }}
           {{- if .Values.tap.debug }}
             - -debug
+            - -dumptracer
+            - "100000000"
           {{- end }}
           image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (printf "v%s" .Chart.Version) }}'
           imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
@@ -80,6 +83,8 @@ spec:
                 fieldPath: metadata.namespace
           - name: TCP_STREAM_CHANNEL_TIMEOUT_MS
             value: '{{ .Values.tap.tcpStreamChannelTimeoutMs }}'
+          - name: KUBESHARK_CLOUD_API_URL
+            value: 'https://api.kubeshark.co'
           resources:
             limits:
               cpu: {{ .Values.tap.resources.sniffer.limits.cpu }}

helm-chart/templates/12-config-map.yaml

@@ -15,12 +15,13 @@ data:
     PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}'
     AUTH_ENABLED: '{{ .Values.tap.auth.enabled | ternary "true" "" }}'
     AUTH_TYPE: '{{ .Values.tap.auth.type }}'
-    AUTH_APPROVED_EMAILS: '{{ gt (len .Values.tap.auth.approvedEmails) 0 | ternary (join "," .Values.tap.auth.approvedEmails) "" }}'
-    AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}'
-    AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}'
     AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
+    AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
     AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
     TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}'
     REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}'
     GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
     TRAFFIC_SAMPLE_RATE: '{{ .Values.tap.trafficSampleRate }}'
+    JSON_TTL: '{{ .Values.tap.misc.jsonTTL }}'
+    PCAP_TTL: '{{ .Values.tap.misc.pcapTTL }}'
+    PCAP_ERROR_TTL: '{{ .Values.tap.misc.pcapErrorTTL }}'

helm-chart/values.yaml

@@ -60,13 +60,11 @@ tap:
   auth:
     enabled: false
     type: saml
-    approvedEmails: []
-    approvedDomains: []
-    approvedTenants: []
     saml:
       idpMetadataUrl: ""
       x509crt: ""
       x509key: ""
+      roleAttribute: role
       roles:
         admin:
           filter: ""
@@ -74,6 +72,7 @@ tap:
           canDownloadPCAP: true
           canUseScripting: true
           canUpdateTargetedPods: true
+          showAdminConsoleLink: true
   ingress:
     enabled: false
     className: ""
@@ -106,11 +105,16 @@ tap:
     - SYS_PTRACE
     - SYS_RESOURCE
     - CHECKPOINT_RESTORE
+    - IPC_LOCK
   globalFilter: ""
   metrics:
     port: 49100
   trafficSampleRate: 100
   tcpStreamChannelTimeoutMs: 10000
+  misc:
+    jsonTTL: 5m
+    pcapTTL: 10s
+    pcapErrorTTL: 60s
 logs:
   file: ""
 kube:

kubernetes/config.go

@@ -21,9 +21,6 @@ const (
 	CONFIG_PROXY_FRONT_PORT           = "PROXY_FRONT_PORT"
 	CONFIG_AUTH_ENABLED               = "AUTH_ENABLED"
 	CONFIG_AUTH_TYPE                  = "AUTH_TYPE"
-	CONFIG_AUTH_APPROVED_EMAILS       = "AUTH_APPROVED_EMAILS"
-	CONFIG_AUTH_APPROVED_DOMAINS      = "AUTH_APPROVED_DOMAINS"
-	CONFIG_AUTH_APPROVED_TENANTS      = "AUTH_APPROVED_TENANTS"
 	CONFIG_AUTH_SAML_IDP_METADATA_URL = "AUTH_SAML_IDP_METADATA_URL"
 )
 

manifests/complete.yaml

@@ -4,10 +4,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-service-account
@@ -21,10 +21,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
 stringData:
     LICENSE: ''
@@ -38,10 +38,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
 stringData:
   AUTH_SAML_X509_CRT: |
@@ -54,10 +54,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
 stringData:
   AUTH_SAML_X509_KEY: |
@@ -69,10 +69,10 @@ metadata:
   name: kubeshark-nginx-config-map
   namespace: default
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
 data:
   default.conf: |
@@ -133,10 +133,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
 data:
     POD_REGEX: '.*'
@@ -147,25 +147,26 @@ data:
     PROXY_FRONT_PORT: '8899'
     AUTH_ENABLED: ''
     AUTH_TYPE: 'saml'
-    AUTH_APPROVED_EMAILS: ''
-    AUTH_APPROVED_DOMAINS: ''
-    AUTH_APPROVED_TENANTS: ''
     AUTH_SAML_IDP_METADATA_URL: ''
-    AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}'
+    AUTH_SAML_ROLE_ATTRIBUTE: 'role'
+    AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","showAdminConsoleLink":true}}'
     TELEMETRY_DISABLED: ''
     REPLAY_DISABLED: ''
     GLOBAL_FILTER: ""
     TRAFFIC_SAMPLE_RATE: '100'
+    JSON_TTL: '5m'
+    PCAP_TTL: '10s'
+    PCAP_ERROR_TTL: '60s'
 ---
 # Source: kubeshark/templates/02-cluster-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-cluster-role
@@ -190,10 +191,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-cluster-role-binding
@@ -212,10 +213,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-self-config-role
@@ -241,10 +242,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-self-config-role-binding
@@ -264,10 +265,10 @@ kind: Service
 metadata:
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-hub
@@ -286,10 +287,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-front
@@ -315,10 +316,10 @@ metadata:
 spec:
   selector:
     app.kubeshark.co/app: worker
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   ports:
   - name: metrics
@@ -333,10 +334,10 @@ metadata:
   labels:
     app.kubeshark.co/app: worker
     sidecar.istio.io/inject: "false"
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-worker-daemon-set
@@ -345,19 +346,19 @@ spec:
   selector:
     matchLabels:
       app.kubeshark.co/app: worker
-      helm.sh/chart: kubeshark-52.1.0
+      helm.sh/chart: kubeshark-52.1.45
       app.kubernetes.io/name: kubeshark
       app.kubernetes.io/instance: kubeshark
-      app.kubernetes.io/version: "52.1.0"
+      app.kubernetes.io/version: "52.1.45"
       app.kubernetes.io/managed-by: Helm
   template:
     metadata:
       labels:
         app.kubeshark.co/app: worker
-        helm.sh/chart: kubeshark-52.1.0
+        helm.sh/chart: kubeshark-52.1.45
         app.kubernetes.io/name: kubeshark
         app.kubernetes.io/instance: kubeshark
-        app.kubernetes.io/version: "52.1.0"
+        app.kubernetes.io/version: "52.1.45"
         app.kubernetes.io/managed-by: Helm
       name: kubeshark-worker-daemon-set
       namespace: kubeshark
@@ -384,11 +385,12 @@ spec:
             - '30001'
             - -metrics-port
             - '49100'
+            - -unixsocket
             - -servicemesh
             - -procfs
             - /hostproc
             - -kernel-module
-          image: 'docker.io/kubeshark/worker:v52.1.0'
+          image: 'docker.io/kubeshark/worker:v52.1.45'
           imagePullPolicy: Always
           name: sniffer
           ports:
@@ -406,6 +408,8 @@ spec:
                 fieldPath: metadata.namespace
           - name: TCP_STREAM_CHANNEL_TIMEOUT_MS
             value: '10000'
+          - name: KUBESHARK_CLOUD_API_URL
+            value: 'https://api.kubeshark.co'
           resources:
             limits:
               cpu: 750m
@@ -451,7 +455,7 @@ spec:
             - ./tracer
             - -procfs
             - /hostproc
-          image: 'docker.io/kubeshark/worker:v52.1.0'
+          image: 'docker.io/kubeshark/worker:v52.1.45'
           imagePullPolicy: Always
           name: tracer
           env:
@@ -477,6 +481,7 @@ spec:
                 - SYS_PTRACE
                 - SYS_RESOURCE
                 - CHECKPOINT_RESTORE
+                - IPC_LOCK
               drop:
                 - ALL
           volumeMounts:
@@ -526,10 +531,10 @@ kind: Deployment
 metadata:
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-hub
@@ -539,19 +544,19 @@ spec:
   selector:
     matchLabels:
       app.kubeshark.co/app: hub
-      helm.sh/chart: kubeshark-52.1.0
+      helm.sh/chart: kubeshark-52.1.45
       app.kubernetes.io/name: kubeshark
       app.kubernetes.io/instance: kubeshark
-      app.kubernetes.io/version: "52.1.0"
+      app.kubernetes.io/version: "52.1.45"
       app.kubernetes.io/managed-by: Helm
   template:
     metadata:
       labels:
         app.kubeshark.co/app: hub
-        helm.sh/chart: kubeshark-52.1.0
+        helm.sh/chart: kubeshark-52.1.45
         app.kubernetes.io/name: kubeshark
         app.kubernetes.io/instance: kubeshark
-        app.kubernetes.io/version: "52.1.0"
+        app.kubernetes.io/version: "52.1.45"
         app.kubernetes.io/managed-by: Helm
     spec:
       dnsPolicy: ClusterFirstWithHostNet
@@ -569,7 +574,9 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          image: 'docker.io/kubeshark/hub:v52.1.0'
+          - name: KUBESHARK_CLOUD_API_URL
+            value: 'https://api.kubeshark.co'
+          image: 'docker.io/kubeshark/hub:v52.1.45'
           imagePullPolicy: Always
           readinessProbe:
             periodSeconds: 1
@@ -617,10 +624,10 @@ kind: Deployment
 metadata:
   labels:
     app.kubeshark.co/app: front
-    helm.sh/chart: kubeshark-52.1.0
+    helm.sh/chart: kubeshark-52.1.45
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/version: "52.1.45"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-front
@@ -630,19 +637,19 @@ spec:
   selector:
     matchLabels:
       app.kubeshark.co/app: front
-      helm.sh/chart: kubeshark-52.1.0
+      helm.sh/chart: kubeshark-52.1.45
       app.kubernetes.io/name: kubeshark
       app.kubernetes.io/instance: kubeshark
-      app.kubernetes.io/version: "52.1.0"
+      app.kubernetes.io/version: "52.1.45"
       app.kubernetes.io/managed-by: Helm
   template:
     metadata:
       labels:
         app.kubeshark.co/app: front
-        helm.sh/chart: kubeshark-52.1.0
+        helm.sh/chart: kubeshark-52.1.45
         app.kubernetes.io/name: kubeshark
         app.kubernetes.io/instance: kubeshark
-        app.kubernetes.io/version: "52.1.0"
+        app.kubernetes.io/version: "52.1.45"
         app.kubernetes.io/managed-by: Helm
     spec:
       containers:
@@ -654,10 +661,10 @@ spec:
             - name: REACT_APP_AUTH_TYPE
               value: 'saml'
             - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
-              value: ''
+              value: ' '
             - name: REACT_APP_REPLAY_DISABLED
               value: 'false'
-          image: 'docker.io/kubeshark/front:v52.1.0'
+          image: 'docker.io/kubeshark/front:v52.1.45'
           imagePullPolicy: Always
           name: kubeshark-front
           livenessProbe:

manifests/prometheus/kube_prometheus_stack.yaml

@@ -0,0 +1,25 @@
+grafana:
+  additionalDataSources: []
+prometheus:
+  prometheusSpec:
+    scrapeInterval: 10s
+    evaluationInterval: 30s
+    additionalScrapeConfigs: |
+      - job_name: 'kubeshark-worker-metrics'
+        kubernetes_sd_configs:
+          - role: endpoints
+        relabel_configs:
+          - source_labels: [__meta_kubernetes_pod_name]
+            target_label: pod
+          - source_labels: [__meta_kubernetes_pod_node_name]
+            target_label: node
+          - source_labels: [__meta_kubernetes_endpoint_port_name]
+            action: keep
+            regex: ^metrics$
+          - source_labels: [__address__, __meta_kubernetes_endpoint_port_number]
+            action: replace
+            regex: ([^:]+)(?::\d+)?
+            replacement: $1:49100
+            target_label: __address__
+          - action: labelmap
+            regex: __meta_kubernetes_service_label_(.+)