--- apiVersion: apps/v1 kind: DaemonSet metadata: labels: app.kubeshark.com/app: worker sidecar.istio.io/inject: "false" {{- include "kubeshark.labels" . | nindent 4 }} {{- if .Values.tap.annotations }} annotations: {{- toYaml .Values.tap.annotations | nindent 4 }} {{- end }} name: kubeshark-worker-daemon-set namespace: {{ .Release.Namespace }} spec: selector: matchLabels: app.kubeshark.com/app: worker {{- include "kubeshark.selectorLabels" . | nindent 6 }} template: metadata: labels: app.kubeshark.com/app: worker {{- include "kubeshark.labels" . | nindent 8 }} name: kubeshark-worker-daemon-set namespace: kubeshark spec: {{- if or .Values.tap.mountBpf .Values.tap.persistentStorage}} initContainers: {{- end }} {{- if .Values.tap.mountBpf }} - command: - /bin/sh - -c - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf {{- if .Values.tap.docker.overrideTag.worker }} image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{ else }} image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{- end }} imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }} name: mount-bpf securityContext: privileged: true volumeMounts: - mountPath: /sys name: sys mountPropagation: Bidirectional {{- end }} {{- if .Values.tap.persistentStorage }} - command: - /bin/sh - -c - mkdir -p /app/data/$NODE_NAME && rm -rf /app/data/$NODE_NAME/tracer_* {{- if .Values.tap.docker.overrideTag.worker }} image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{ else }} image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{- end }} imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }} name: cleanup-data-dir env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - mountPath: /app/data name: data {{- end }} containers: - command: - ./worker - -i - any - -port - '{{ .Values.tap.proxy.worker.srvPort }}' - -metrics-port - '{{ .Values.tap.metrics.port }}' - -packet-capture - '{{ .Values.tap.packetCapture }}' - -loglevel - '{{ .Values.logLevel | default "warning" }}' {{- if not .Values.tap.tls }} - -disable-tracer {{- end }} {{- if .Values.tap.serviceMesh }} - -servicemesh {{- end }} - -procfs - /hostproc {{- if .Values.tap.resourceGuard.enabled }} - -enable-resource-guard {{- end }} {{- if .Values.tap.watchdog.enabled }} - -enable-watchdog {{- end }} - -resolution-strategy - '{{ .Values.tap.misc.resolutionStrategy }}' - -staletimeout - '{{ .Values.tap.misc.staleTimeoutSeconds }}' - -storage-size - '{{ .Values.tap.storageLimit }}' - -capture-db-max-size - '{{ .Values.tap.capture.dbMaxSize }}' {{- if .Values.tap.docker.overrideImage.worker }} image: '{{ .Values.tap.docker.overrideImage.worker }}' {{- else if .Values.tap.docker.overrideTag.worker }} image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{ else }} image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{- end }} imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }} name: sniffer ports: - containerPort: {{ .Values.tap.metrics.port }} protocol: TCP name: metrics env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: TCP_STREAM_CHANNEL_TIMEOUT_MS value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutMs }}' - name: TCP_STREAM_CHANNEL_TIMEOUT_SHOW value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutShow }}' - name: KUBESHARK_CLOUD_API_URL value: 'https://api.kubeshark.com' - name: PROFILING_ENABLED value: '{{ .Values.tap.pprof.enabled }}' - name: SENTRY_ENABLED value: '{{ (include "sentry.enabled" .) }}' - name: SENTRY_ENVIRONMENT value: '{{ .Values.tap.sentry.environment }}' resources: limits: {{ if ne (toString .Values.tap.resources.sniffer.limits.cpu) "0" }} cpu: {{ .Values.tap.resources.sniffer.limits.cpu }} {{ end }} {{ if ne (toString .Values.tap.resources.sniffer.limits.memory) "0" }} memory: {{ .Values.tap.resources.sniffer.limits.memory }} {{ end }} requests: {{ if ne (toString .Values.tap.resources.sniffer.requests.cpu) "0" }} cpu: {{ .Values.tap.resources.sniffer.requests.cpu }} {{ end }} {{ if ne (toString .Values.tap.resources.sniffer.requests.memory) "0" }} memory: {{ .Values.tap.resources.sniffer.requests.memory }} {{ end }} securityContext: privileged: {{ .Values.tap.securityContext.privileged }} {{- if not .Values.tap.securityContext.privileged }} {{- $aaProfile := .Values.tap.securityContext.appArmorProfile }} {{- $selinuxOpts := .Values.tap.securityContext.seLinuxOptions }} {{- if or (ne $aaProfile.type "") (ne $aaProfile.localhostProfile "") }} appArmorProfile: {{- if ne $aaProfile.type "" }} type: {{ $aaProfile.type }} {{- end }} {{- if ne $aaProfile.localhostProfile "" }} localhostProfile: {{ $aaProfile.localhostProfile }} {{- end }} {{- end }} {{- if or (ne $selinuxOpts.level "") (ne $selinuxOpts.role "") (ne $selinuxOpts.type "") (ne $selinuxOpts.user "") }} seLinuxOptions: {{- if ne $selinuxOpts.level "" }} level: {{ $selinuxOpts.level }} {{- end }} {{- if ne $selinuxOpts.role "" }} role: {{ $selinuxOpts.role }} {{- end }} {{- if ne $selinuxOpts.type "" }} type: {{ $selinuxOpts.type }} {{- end }} {{- if ne $selinuxOpts.user "" }} user: {{ $selinuxOpts.user }} {{- end }} {{- end }} capabilities: add: {{- range .Values.tap.securityContext.capabilities.networkCapture }} {{ print "- " . }} {{- end }} {{- if .Values.tap.serviceMesh }} {{- range .Values.tap.securityContext.capabilities.serviceMeshCapture }} {{ print "- " . }} {{- end }} {{- end }} {{- if .Values.tap.securityContext.capabilities.ebpfCapture }} {{- range .Values.tap.securityContext.capabilities.ebpfCapture }} {{ print "- " . }} {{- end }} {{- end }} drop: - ALL {{- end }} readinessProbe: periodSeconds: {{ .Values.tap.probes.sniffer.periodSeconds }} failureThreshold: {{ .Values.tap.probes.sniffer.failureThreshold }} successThreshold: {{ .Values.tap.probes.sniffer.successThreshold }} initialDelaySeconds: {{ .Values.tap.probes.sniffer.initialDelaySeconds }} tcpSocket: port: {{ .Values.tap.proxy.worker.srvPort }} livenessProbe: periodSeconds: {{ .Values.tap.probes.sniffer.periodSeconds }} failureThreshold: {{ .Values.tap.probes.sniffer.failureThreshold }} successThreshold: {{ .Values.tap.probes.sniffer.successThreshold }} initialDelaySeconds: {{ .Values.tap.probes.sniffer.initialDelaySeconds }} tcpSocket: port: {{ .Values.tap.proxy.worker.srvPort }} volumeMounts: - mountPath: /hostproc name: proc readOnly: true - mountPath: /sys name: sys readOnly: true mountPropagation: HostToContainer - mountPath: /app/data name: data {{- if .Values.tap.tls }} - command: - ./tracer - -procfs - /hostproc {{- if .Values.tap.disableTlsLog }} - -disable-tls-log {{- end }} {{- if .Values.tap.pprof.enabled }} - -port - '{{ add .Values.tap.proxy.worker.srvPort 1 }}' {{- end }} - -loglevel - '{{ .Values.logLevel | default "warning" }}' {{- if .Values.tap.docker.overrideTag.worker }} image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{ else }} image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}' {{- end }} imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }} name: tracer env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: PROFILING_ENABLED value: '{{ .Values.tap.pprof.enabled }}' - name: SENTRY_ENABLED value: '{{ (include "sentry.enabled" .) }}' - name: SENTRY_ENVIRONMENT value: '{{ .Values.tap.sentry.environment }}' resources: limits: {{ if ne (toString .Values.tap.resources.tracer.limits.cpu) "0" }} cpu: {{ .Values.tap.resources.tracer.limits.cpu }} {{ end }} {{ if ne (toString .Values.tap.resources.tracer.limits.memory) "0" }} memory: {{ .Values.tap.resources.tracer.limits.memory }} {{ end }} requests: {{ if ne (toString .Values.tap.resources.tracer.requests.cpu) "0" }} cpu: {{ .Values.tap.resources.tracer.requests.cpu }} {{ end }} {{ if ne (toString .Values.tap.resources.tracer.requests.memory) "0" }} memory: {{ .Values.tap.resources.tracer.requests.memory }} {{ end }} securityContext: privileged: {{ .Values.tap.securityContext.privileged }} {{- if not .Values.tap.securityContext.privileged }} {{- $aaProfile := .Values.tap.securityContext.appArmorProfile }} {{- $selinuxOpts := .Values.tap.securityContext.seLinuxOptions }} {{- if or (ne $aaProfile.type "") (ne $aaProfile.localhostProfile "") }} appArmorProfile: {{- if ne $aaProfile.type "" }} type: {{ $aaProfile.type }} {{- end }} {{- if ne $aaProfile.localhostProfile "" }} localhostProfile: {{ $aaProfile.localhostProfile }} {{- end }} {{- end }} {{- if or (ne $selinuxOpts.level "") (ne $selinuxOpts.role "") (ne $selinuxOpts.type "") (ne $selinuxOpts.user "") }} seLinuxOptions: {{- if ne $selinuxOpts.level "" }} level: {{ $selinuxOpts.level }} {{- end }} {{- if ne $selinuxOpts.role "" }} role: {{ $selinuxOpts.role }} {{- end }} {{- if ne $selinuxOpts.type "" }} type: {{ $selinuxOpts.type }} {{- end }} {{- if ne $selinuxOpts.user "" }} user: {{ $selinuxOpts.user }} {{- end }} {{- end }} capabilities: add: {{- range .Values.tap.securityContext.capabilities.ebpfCapture }} {{ print "- " . }} {{- end }} {{- range .Values.tap.securityContext.capabilities.networkCapture }} {{ print "- " . }} {{- end }} drop: - ALL {{- end }} volumeMounts: - mountPath: /hostproc name: proc readOnly: true - mountPath: /sys name: sys readOnly: true mountPropagation: HostToContainer - mountPath: /app/data name: data - mountPath: /etc/os-release name: os-release readOnly: true - mountPath: /hostroot mountPropagation: HostToContainer name: root readOnly: true {{- end }} dnsPolicy: ClusterFirstWithHostNet hostNetwork: {{ .Values.tap.hostNetwork }} serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} {{- if .Values.tap.priorityClass }} priorityClassName: {{ .Values.tap.priorityClass | quote }} {{- end }} {{- if .Values.tap.tolerations.workers }} tolerations: {{- range .Values.tap.tolerations.workers }} - key: {{ .key | quote }} operator: {{ .operator | quote }} {{- if .value }} value: {{ .value | quote }} {{- end }} {{- if .effect }} effect: {{ .effect | quote }} {{- end }} {{- if .tolerationSeconds }} tolerationSeconds: {{ .tolerationSeconds }} {{- end }} {{- end }} {{- end }} {{- if gt (len .Values.tap.nodeSelectorTerms.workers) 0}} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: {{- toYaml .Values.tap.nodeSelectorTerms.workers | nindent 12 }} {{- end }} {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }} dnsConfig: {{- if .Values.tap.dns.nameservers }} nameservers: {{- range .Values.tap.dns.nameservers }} - {{ . | quote }} {{- end }} {{- end }} {{- if .Values.tap.dns.searches }} searches: {{- range .Values.tap.dns.searches }} - {{ . | quote }} {{- end }} {{- end }} {{- if .Values.tap.dns.options }} options: {{- range .Values.tap.dns.options }} - name: {{ .name | quote }} {{- if .value }} value: {{ .value | quote }} {{- end }} {{- end }} {{- end }} {{- end }} volumes: - hostPath: path: /proc name: proc - hostPath: path: /sys name: sys - name: lib-modules hostPath: path: /lib/modules - hostPath: path: /etc/os-release name: os-release {{- if .Values.tap.tls }} - hostPath: path: / name: root - name: data {{- end }} {{- if .Values.tap.persistentStorage }} persistentVolumeClaim: claimName: kubeshark-persistent-volume-claim {{- else }} emptyDir: sizeLimit: {{ .Values.tap.storageLimit }} {{- end }}