Files
kubeshark/skills/install/references/cloud-storage.md
Alon Girmonsky ad9dfbf5f9 Add install skill for Kubeshark deployment guidance (#1933)
* Add install skill for Kubeshark deployment guidance

New skill that helps users install and configure Kubeshark with a clear
CLI vs Helm decision tree, opinionated production defaults, and
platform-specific storage class recommendations.

* Add user-invocable flag to install skill frontmatter

* Add backup/overwrite check guidance for ~/.kubeshark/ config files

---------

Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
2026-05-15 08:31:33 -07:00

2.5 KiB

Cloud Storage for Snapshots

This is a pointer to the authoritative cloud storage documentation maintained in the Helm chart:

Source of truth: helm-chart/docs/snapshots_cloud_storage.md

Always read that file for the latest configuration details, including:

  • Amazon S3 (static credentials, IRSA, cross-account AssumeRole)
  • Azure Blob Storage (storage key, Workload Identity / DefaultAzureCredential)
  • Google Cloud Storage (service account JSON, GKE Workload Identity)
  • IAM permissions and trust policy examples
  • ConfigMap and Secret setup patterns
  • Inline values vs. external ConfigMap/Secret approaches

Quick Reference

Helm Values Structure

tap:
  snapshots:
    cloud:
      provider: ""      # "s3", "azblob", or "gcs" (empty = disabled)
      prefix: ""        # Key prefix in the bucket/container
      configMaps: []    # Pre-existing ConfigMaps with cloud config env vars
      secrets: []       # Pre-existing Secrets with cloud credentials
      s3:
        bucket: ""
        region: ""
        accessKey: ""
        secretKey: ""
        roleArn: ""
        externalId: ""
      azblob:
        storageAccount: ""
        container: ""
        storageKey: ""
      gcs:
        bucket: ""
        project: ""
        credentialsJson: ""
Provider Production Recommendation
S3 (EKS) IRSA (IAM Roles for Service Accounts) — no static credentials
S3 (non-EKS) Static credentials via Secret, or default AWS credential chain
Azure Blob (AKS) Workload Identity / Managed Identity
Azure Blob (non-AKS) Storage account key via Secret
GCS (GKE) GKE Workload Identity — no JSON key file
GCS (non-GKE) Service account JSON key via Secret

Inline Values (Simplest Approach)

Set credentials directly in values.yaml. The Helm chart creates the necessary ConfigMap/Secret resources automatically.

S3:

tap:
  snapshots:
    cloud:
      provider: "s3"
      s3:
        bucket: my-kubeshark-snapshots
        region: us-east-1

GCS:

tap:
  snapshots:
    cloud:
      provider: "gcs"
      gcs:
        bucket: my-kubeshark-snapshots
        project: my-gcp-project

Azure Blob:

tap:
  snapshots:
    cloud:
      provider: "azblob"
      azblob:
        storageAccount: mykubesharksa
        container: snapshots

For production setups with proper IAM integration, see the full documentation in helm-chart/docs/snapshots_cloud_storage.md.