--- # Source: kubeshark/templates/01-service-account.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-service-account namespace: default --- # Source: kubeshark/templates/13-secret.yaml kind: Secret apiVersion: v1 metadata: name: kubeshark-secret namespace: default labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm stringData: LICENSE: '' SCRIPTING_ENV: '{}' --- # Source: kubeshark/templates/11-nginx-config-map.yaml apiVersion: v1 kind: ConfigMap metadata: name: kubeshark-nginx-config-map namespace: default labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm data: default.conf: | server { listen 80; listen [::]:80; access_log /dev/stdout; error_log /dev/stdout; location /api { rewrite ^/api(.*)$ $1 break; proxy_pass http://kubeshark-hub; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; proxy_set_header Upgrade websocket; proxy_set_header Connection Upgrade; proxy_set_header Authorization $http_authorization; proxy_pass_header Authorization; proxy_connect_timeout 4s; proxy_read_timeout 120s; proxy_send_timeout 12s; proxy_pass_request_headers on; } location / { root /usr/share/nginx/html; index index.html index.htm; try_files $uri $uri/ /index.html; expires -1; add_header Cache-Control no-cache; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } --- # Source: kubeshark/templates/12-config-map.yaml kind: ConfigMap apiVersion: v1 metadata: name: kubeshark-config-map namespace: default labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm data: POD_REGEX: '.*' NAMESPACES: '' SCRIPTING_SCRIPTS: '{}' AUTH_ENABLED: '' AUTH_APPROVED_EMAILS: '' AUTH_APPROVED_DOMAINS: '' AUTH_APPROVED_TENANTS: '' TELEMETRY_DISABLED: '' REPLAY_DISABLED: '' --- # Source: kubeshark/templates/02-cluster-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-cluster-role namespace: default rules: - apiGroups: - "" - extensions - apps resources: - pods - services - endpoints - persistentvolumeclaims verbs: - list - get - watch --- # Source: kubeshark/templates/03-cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-cluster-role-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubeshark-cluster-role subjects: - kind: ServiceAccount name: kubeshark-service-account namespace: default --- # Source: kubeshark/templates/02-cluster-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role namespace: default rules: - apiGroups: - "" - v1 resourceNames: - kubeshark-secret - kubeshark-config-map resources: - secrets - configmaps verbs: - get - watch - update --- # Source: kubeshark/templates/03-cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubeshark-self-config-role subjects: - kind: ServiceAccount name: kubeshark-service-account namespace: default --- # Source: kubeshark/templates/05-hub-service.yaml apiVersion: v1 kind: Service metadata: labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub namespace: default spec: ports: - name: kubeshark-hub port: 80 targetPort: 80 selector: app.kubeshark.co/app: hub type: ClusterIP --- # Source: kubeshark/templates/07-front-service.yaml apiVersion: v1 kind: Service metadata: labels: helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front namespace: default spec: ports: - name: kubeshark-front port: 80 targetPort: 80 selector: app.kubeshark.co/app: front type: ClusterIP --- # Source: kubeshark/templates/09-worker-daemon-set.yaml apiVersion: apps/v1 kind: DaemonSet metadata: labels: app.kubeshark.co/app: worker sidecar.istio.io/inject: "false" helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-worker-daemon-set namespace: default spec: selector: matchLabels: app.kubeshark.co/app: worker helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm template: metadata: labels: app.kubeshark.co/app: worker helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm name: kubeshark-worker-daemon-set namespace: kubeshark spec: containers: - command: - ./worker - -i - any - -port - '30001' - -servicemesh - -procfs - /hostproc image: 'docker.io/kubeshark/worker:v52.0.0' imagePullPolicy: Always name: sniffer env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace resources: limits: cpu: 750m memory: 1Gi requests: cpu: 50m memory: 50Mi securityContext: capabilities: add: # NET_RAW is required to listen the network traffic - NET_RAW # NET_ADMIN is required to listen the network traffic - NET_ADMIN # SYS_MODULE is required to install kernel modules - SYS_MODULE # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8) - SYS_ADMIN # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process - SYS_PTRACE # DAC_OVERRIDE is required to read /proc/PID/environ - DAC_OVERRIDE # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) - CHECKPOINT_RESTORE drop: - ALL readinessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 5 tcpSocket: port: 30001 livenessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 5 tcpSocket: port: 30001 volumeMounts: - mountPath: /hostproc name: proc readOnly: true - mountPath: /sys name: sys readOnly: true - mountPath: /app/data name: data - command: - ./tracer - -procfs - /hostproc image: 'docker.io/kubeshark/worker:v52.0.0' imagePullPolicy: Always name: tracer env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace securityContext: capabilities: add: # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8) - SYS_ADMIN # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process - SYS_PTRACE # SYS_RESOURCE is required to change rlimits for eBPF - SYS_RESOURCE # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) - CHECKPOINT_RESTORE drop: - ALL volumeMounts: - mountPath: /hostproc name: proc readOnly: true - mountPath: /sys name: sys readOnly: true - mountPath: /app/data name: data dnsPolicy: ClusterFirstWithHostNet hostNetwork: true serviceAccountName: kubeshark-service-account terminationGracePeriodSeconds: 0 tolerations: - effect: NoExecute operator: Exists - effect: NoSchedule operator: Exists affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux volumes: - hostPath: path: /proc name: proc - hostPath: path: /sys name: sys - name: data emptyDir: sizeLimit: 500Mi --- # Source: kubeshark/templates/04-hub-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub namespace: default spec: replicas: 1 # Set the desired number of replicas selector: matchLabels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm template: metadata: labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm spec: dnsPolicy: ClusterFirstWithHostNet serviceAccountName: kubeshark-service-account containers: - name: kubeshark-hub command: - ./hub env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: 'docker.io/kubeshark/hub:v52.0.0' imagePullPolicy: Always readinessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 3 tcpSocket: port: 80 livenessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 3 tcpSocket: port: 80 resources: limits: cpu: 750m memory: 1Gi requests: cpu: 50m memory: 50Mi --- # Source: kubeshark/templates/06-front-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubeshark.co/app: front helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front namespace: default spec: replicas: 1 # Set the desired number of replicas selector: matchLabels: app.kubeshark.co/app: front helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm template: metadata: labels: app.kubeshark.co/app: front helm.sh/chart: kubeshark-52.0.0 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.0.0" app.kubernetes.io/managed-by: Helm spec: containers: - env: - name: REACT_APP_DEFAULT_FILTER value: ' ' - name: REACT_APP_AUTH_ENABLED value: 'false' image: 'docker.io/kubeshark/front:v52.0.0' imagePullPolicy: Always name: kubeshark-front livenessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 3 tcpSocket: port: 80 readinessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 3 tcpSocket: port: 80 timeoutSeconds: 1 resources: limits: cpu: 750m memory: 1Gi requests: cpu: 50m memory: 50Mi volumeMounts: - name: nginx-config mountPath: /etc/nginx/conf.d/default.conf subPath: default.conf readOnly: true volumes: - name: nginx-config configMap: name: kubeshark-nginx-config-map dnsPolicy: ClusterFirstWithHostNet serviceAccountName: kubeshark-service-account