mirror of https://github.com/kubeshark/kubeshark.git synced 2026-05-06 01:07:13 +00:00

Files

Alon Girmonsky 77878e97f5 Tracer, ServiceMesh - Disable by default and some docs updates (#1472 )

* Disabled Tracer by default

As Tracer requires significantly more resources and elevated security capability, it is recommended to have it disabled by default and enabled on demand.

* Updated the tap.tls default value to false

* added description to the default and global KFL filters

* serviceMesh false by default

As serviceMesh requires elevated security permissions.
Furthermore this capability is required only in a fraction of the userbase. Some service mesh versions/configurations aren't supported. Therefore, it is recommended to start as disabled and enable on-demand

* Update the readme related to the service mesh default value

Set the default value of serviceMesh to false as among other things, it requires elevated security permissions and therefore should be enabled on demand.

2023-12-30 18:47:26 -08:00

templates

🔨 Add KernelModuleConfig struct to TapConfig

2023-12-28 22:09:01 +03:00

Chart.yaml

🔖 Bump the Helm chart version to 52.0.0

2023-12-19 20:20:43 +03:00

LICENSE

✨ Copy the license into Helm chart

2023-04-11 19:29:19 +03:00

PF_RING.md

Add PF_RING related changes to docs and helm (#1471 )

2023-12-27 19:01:20 -08:00

README.md

Tracer, ServiceMesh - Disable by default and some docs updates (#1472 )

2023-12-30 18:47:26 -08:00

values.yaml

Tracer, ServiceMesh - Disable by default and some docs updates (#1472 )

2023-12-30 18:47:26 -08:00

README.md

Helm Chart of Kubeshark

Officially

Add the Helm repo for Kubeshark:

helm repo add kubeshark https://helm.kubeshark.co

then install Kubeshark:

helm install kubeshark kubeshark/kubeshark

Locally

Clone the repo:

git clone git@github.com:kubeshark/kubeshark.git --depth 1
cd kubeshark/helm-chart

Render the templates

helm template .

Install Kubeshark:

helm install kubeshark .

Uninstall Kubeshark:

helm uninstall kubeshark

Accessing

Do the port forwarding:

kubectl port-forward service/kubeshark-front 8899:80

Visit localhost:8899

Installing with Ingress (EKS) and enable Auth

helm install kubeshark kubeshark/kubeshark -f values.yaml

Set this value.yaml:

tap:
  auth:
    enabled: true
    approvedEmails:
    - john.doe@example.com
    approvedDomains: []
    approvedTenants: []
  ingress:
    enabled: true
    className: "alb"
    host: ks.example.com
    tls: []
    annotations:
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/scheme: internet-facing

Add a License

When it's necessary, you can use:

--set license=YOUR_LICENSE_GOES_HERE

Get your license from Kubeshark's Admin Console.

Increase the Worker's Storage Limit

For example, change from the default 500Mi to 1Gi:

--set tap.storageLimit=1Gi

Disabling IPV6

Not all have IPV6 enabled, hence this has to be disabled as follows:

helm install kubeshark kubeshark/kubeshark \
  --set tap.ipv6=false

Configuration

Parameter	Description	Default
`tap.docker.registry`	Docker registry to pull from	`docker.io/kubeshark`
`tap.docker.tag`	Tag of the Docker images	`latest`
`tap.docker.imagePullPolicy`	Kubernetes image pull policy	`Always`
`tap.docker.imagePullSecrets`	Kubernetes secrets to pull the images	`[]`
`tap.proxy.worker.srvPort`	Worker server port	`30001`
`tap.proxy.hub.port`	Hub service port	`8898`
`tap.proxy.hub.srvPort`	Hub server port	`8898`
`tap.proxy.front.port`	Front-facing service port	`8899`
`tap.proxy.host`	Proxy server's IP	`127.0.0.1`
`tap.namespaces`	List of namespaces for the traffic capture	`[]`
`tap.release.repo`	URL of the Helm chart repository	`https://helm.kubeshark.co`
`tap.release.name`	Helm release name	`kubeshark`
`tap.release.namespace`	Helm release namespace	`default`
`tap.persistentStorage`	Use `persistentVolumeClaim` instead of `emptyDir`	`false`
`tap.persistentStorageStatic`	Use static persistent volume provisioning (explicitly defined `PersistentVolume` )	`false`
`tap.efsFileSytemIdAndPath`	EFS file system ID and, optionally, subpath and/or access point `<FileSystemId>:<Path>:<AccessPointId>`	""
`tap.storageLimit`	Limit of either the `emptyDir` or `persistentVolumeClaim`	`500Mi`
`tap.storageClass`	Storage class of the `PersistentVolumeClaim`	`standard`
`tap.dryRun`	Preview of all pods matching the regex, without tapping them	`false`
`tap.pcap`		`""`
`tap.resources.worker.limits.cpu`	CPU limit for worker	`750m`
`tap.resources.worker.limits.memory`	Memory limit for worker	`1Gi`
`tap.resources.worker.requests.cpu`	CPU request for worker	`50m`
`tap.resources.worker.requests.memory`	Memory request for worker	`50Mi`
`tap.resources.hub.limits.cpu`	CPU limit for hub	`750m`
`tap.resources.hub.limits.memory`	Memory limit for hub	`1Gi`
`tap.resources.hub.requests.cpu`	CPU request for hub	`50m`
`tap.resources.hub.requests.memory`	Memory request for hub	`50Mi`
`tap.serviceMesh`	Capture traffic from service meshes like Istio, Linkerd, Consul, etc.	`false`
`tap.tls`	Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL	`false`
`tap.ignoreTainted`	Whether to ignore tainted nodes	`false`
`tap.labels`	Kubernetes labels to apply to all Kubeshark resources	`{}`
`tap.annotations`	Kubernetes annotations to apply to all Kubeshark resources	`{}`
`tap.nodeSelectorTerms`	Node selector terms	`[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]`
`tap.auth.enabled`	Enable authentication	`false`
`tap.auth.approvedEmails`	List of approved email addresses for authentication	`[]`
`tap.auth.approvedDomains`	List of approved email domains for authentication	`[]`
`tap.ingress.enabled`	Enable `Ingress`	`false`
`tap.ingress.className`	Ingress class name	`""`
`tap.ingress.host`	Host of the `Ingress`	`ks.svc.cluster.local`
`tap.ingress.tls`	`Ingress` TLS configuration	`[]`
`tap.ingress.annotations`	`Ingress` annotations	`{}`
`tap.ipv6`	Enable IPv6 support for the front-end	`true`
`tap.debug`	Enable debug mode	`false`
`tap.kernelModule.enabled`	Use PF_RING kernel module(details)	`true`
`tap.kernelModule.mode`	PF_RING kernel module loading approach(details)	`auto`
`tap.kernelModule.imageRepoSecret`	ImageRepoSecret is an optional secret that is used to pull both the module loader container(details)	""
`tap.kernelModule.kernelMappings`	List of mappings between kernel version and container loader(details)	`[{'regexp': '.+$', 'containerImage': 'kubehq/pf-ring-module:${KERNEL_FULL_VERSION}'}]`
`tap.telemetry.enabled`	Enable anonymous usage statistics collection	`true`
`tap.defaultFilter`	Sets the default dashboard KFL filter (e.g. `http`)	`""`
`tap.globalFilter`	Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field.	`""`
`logs.file`	Logs dump path	`""`
`kube.configPath`	Path to the `kubeconfig` file (`$HOME/.kube/config`)	`""`
`kube.context`	Kubernetes context to use for the deployment	`""`
`dumpLogs`	Enable dumping of logs	`false`
`headless`	Enable running in headless mode	`false`
`license`	License key for the Pro/Enterprise edition	`""`
`scripting.env`	Environment variables for the scripting	`{}`
`scripting.source`	Source directory of the scripts	`""`
`scripting.watchScripts`	Enable watch mode for the scripts in source directory	`true`

KernelMapping pairs kernel versions with a DriverContainer image. Kernel versions can be matched literally or using a regular expression