Files
kubeshark/helm-chart/values.yaml
Volodymyr Stoiko 8186b7891b Authz refactoring (helm chart + CLI) (#1921)
* Migrate auth.saml.roles to unified auth.roles

Follows the hub-side introduction of the backend-neutral AUTH_ROLES /
AUTH_ROLES_CLAIM / AUTH_DEFAULT_ROLE config (hub commit 51177bcb).
CLI and Helm chart now surface the unified location:

  tap.auth.roles         — map of role -> permissions (shared SAML/OIDC)
  tap.auth.rolesClaim    — token/assertion claim name carrying roles
  tap.auth.defaultRole   — fallback role for authenticated users with
                           no matching role in their token

Helm ConfigMap template emits AUTH_ROLES / AUTH_ROLES_CLAIM /
AUTH_DEFAULT_ROLE and no longer emits AUTH_SAML_ROLES or
AUTH_SAML_ROLE_ATTRIBUTE. Hub's back-compat fallback still reads those
keys from any existing ConfigMap that hasn't been helm-upgraded.

Legacy struct fields (SamlConfig.Roles, SamlConfig.RoleAttribute) stay
in place so existing values.yaml files with auth.saml.roles still parse
without errors, but the CLI and the chart ignore them. Follow-up release
can remove the struct fields once telemetry confirms migration.

Breaking for users with customized auth.saml.roles in their values.yaml
— the customization is masked by the new default auth.roles.admin and
must be migrated to auth.roles for the custom permissions to take
effect. Documented in the chart README and release notes.

Part of authz-refactoring (Step 2 of hub-oidc-rbac.md, CLI side).

* Remove legacy

* Align CLI + Helm chart with hub AUTH_TYPE rename

Follows hub commit 11564fef. The canonical AUTH_TYPE is now `oidc` for
generic OIDC; `dex` is a permanent alias; `descope` is a new explicit
label. This change surfaces the new vocabulary in the CLI config struct
and the Helm chart, and renames the nested `auth.dexOidc` values.yaml
field to `auth.oidc` for consistency.

Helm chart:
- 12-config-map.yaml: AUTH_OIDC_* keys now read `.Values.tap.auth.oidc.*`
  instead of `auth.dexOidc.*`. The cloud-license override that forced
  AUTH_TYPE=default unless the admin picked `dex` now accepts `oidc` too.
- 13-secret.yaml: OIDC_CLIENT_ID / OIDC_CLIENT_SECRET read from
  `auth.oidc.*` (was `auth.dexOidc.*`).
- 06-front-deployment.yaml: REACT_APP_AUTH_ENABLED / REACT_APP_AUTH_TYPE
  conditionals accept both `oidc` and `dex` where they previously only
  matched `dex`.
- values.yaml: comment on `tap.auth.type` lists valid values and flags
  the breaking change.
- README.md: `tap.auth.type` row lists valid values. All `dexOidc`
  references renamed to `oidc`. Sample values.yaml blocks now show
  `type: oidc` as the canonical form.

CLI:
- config/configStructs/tapConfig.go: AuthConfig.Type documented with the
  full list of valid values and the migration hint.

Breaking changes (repeated in release notes):
1. `tap.auth.type: oidc` now routes to the generic OIDC middleware
   (previously Descope). Switch to `tap.auth.type: descope` or `default`
   if you were using `oidc` for Descope.
2. `tap.auth.dexOidc.*` values are no longer read. Rename to
   `tap.auth.oidc.*`. No fallback.
3. `tap.auth.type: dex` continues to work — permanent alias of `oidc`.

Part of authz-refactoring (Step 4 of hub-oidc-rbac.md, CLI/Helm side).

* default kfl

* Authz Refactoring: Step 8: namespaces-list role filter

Align with hub PR kubeshark/hub#756. Per-role auth.roles[].filter (KFL)
is replaced by auth.roles[].namespaces (comma-separated list with "*",
literal, and glob semantics). Standalone tap.auth.defaultFilter knob
removed.

helm-chart/values.yaml
- admin role example uses namespaces: "*" instead of filter: "".
- Comment block explains the new namespaces semantics.
- defaultFilter: "" entry + accompanying comment block deleted.

helm-chart/templates/12-config-map.yaml
- AUTH_DEFAULT_FILTER ConfigMap entry removed (hub no longer reads it).

helm-chart/README.md
- tap.auth.defaultFilter row removed.
- tap.auth.roles default value example updated: filter: "" → namespaces: "*";
  description gains the per-role namespaces semantics legend.
2026-05-06 09:08:21 -07:00

343 lines
6.9 KiB
YAML

tap:
docker:
registry: docker.io/kubeshark
tag: ""
tagLocked: true
imagePullPolicy: Always
imagePullSecrets: []
overrideImage:
worker: ""
hub: ""
front: ""
overrideTag:
worker: ""
hub: ""
front: ""
proxy:
worker:
srvPort: 48999
hub:
srvPort: 8898
front:
port: 8899
host: 127.0.0.1
regex: .*
namespaces: []
excludedNamespaces: []
bpfOverride: ""
capture:
dissection:
enabled: true
stopAfter: 5m
captureSelf: false
raw:
enabled: true
storageSize: 1Gi
dbMaxSize: 500Mi
delayedDissection:
cpu: "1"
memory: 4Gi
storageSize: ""
storageClass: ""
snapshots:
local:
storageClass: ""
storageSize: 20Gi
cloud:
provider: ""
prefix: ""
configMaps: []
secrets: []
s3:
bucket: ""
region: ""
accessKey: ""
secretKey: ""
roleArn: ""
externalId: ""
azblob:
storageAccount: ""
container: ""
storageKey: ""
gcs:
bucket: ""
project: ""
credentialsJson: ""
release:
repo: https://helm.kubeshark.com
name: kubeshark
namespace: default
helmChartPath: ""
persistentStorage: false
persistentStorageStatic: false
persistentStoragePvcVolumeMode: FileSystem
efsFileSytemIdAndPath: ""
secrets: []
storageLimit: 10Gi
storageClass: standard
dryRun: false
dns:
nameservers: []
searches: []
options: []
resources:
hub:
limits:
cpu: "0"
memory: 5Gi
requests:
cpu: 50m
memory: 50Mi
sniffer:
limits:
cpu: "0"
memory: 5Gi
requests:
cpu: 50m
memory: 50Mi
tracer:
limits:
cpu: "0"
memory: 5Gi
requests:
cpu: 50m
memory: 50Mi
probes:
hub:
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
sniffer:
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
serviceMesh: true
tls: true
disableTlsLog: true
packetCapture: best
labels: {}
annotations: {}
nodeSelectorTerms:
hub:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
workers:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
front:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
dex:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
tolerations:
hub: []
workers:
- operator: Exists
effect: NoExecute
front: []
auth:
enabled: false
# Valid values: saml, oidc (generic OIDC — Dex, Okta, Auth0, Keycloak,
# Azure AD, Google, …), dex (permanent alias of oidc), descope, default
# (also Descope). Was previously misnamed: prior releases routed `oidc`
# to Descope. See release notes for migration.
type: saml
# Name of the JWT claim (OIDC) or SAML attribute carrying role memberships.
rolesClaim: role
# Optional: role name inside `roles` applied as a fallback when an
# authenticated user has no matching role in their token/assertion.
# Empty string means no fallback (authenticated but no elevated permissions).
defaultRole: ""
# Backend-neutral role map shared by SAML and OIDC. Empty/unset grants
# nothing — admins opt into elevated access by populating this map.
#
# Per-role `namespaces` controls which Kubernetes namespaces the role's
# users are allowed to see traffic for. Comma-separated list:
# "" — deny all (explicit deny-default for this role).
# "*" — allow every namespace (no scope filter applied).
# "foo" — only the literal namespace "foo" (src or dst).
# "foo,bar" — OR over both literal namespaces.
# "foo-*" — glob expansion against the cluster's known namespaces.
roles:
admin:
namespaces: "*"
canDownloadPCAP: true
canUseScripting: true
scriptingPermissions:
canSave: true
canActivate: true
canDelete: true
canUpdateTargetedPods: true
canStopTrafficCapturing: true
canControlDissection: true
showAdminConsoleLink: true
saml:
idpMetadataUrl: ""
x509crt: ""
x509key: ""
ingress:
enabled: false
className: ""
host: ks.svc.cluster.local
path: /
tls: []
annotations: {}
priorityClass: ""
routing:
front:
basePath: ""
ipv6: true
debug: false
dashboard:
streamingType: connect-rpc
completeStreamingEnabled: true
clusterWideMapEnabled: false
entriesLimit: "300000"
telemetry:
enabled: true
resourceGuard:
enabled: false
watchdog:
enabled: false
gitops:
enabled: false
sentry:
enabled: false
environment: production
defaultFilter: ""
globalFilter: ""
enabledDissectors:
- amqp
- dns
- http
- icmp
- kafka
- mongodb
- mysql
- postgresql
- redis
- ws
- ldap
- radius
- diameter
- udp-flow
- tcp-flow
- udp-conn
- tcp-conn
portMapping:
http:
- 80
- 443
- 8080
amqp:
- 5671
- 5672
kafka:
- 9092
mongodb:
- 27017
mysql:
- 3306
postgresql:
- 5432
redis:
- 6379
ldap:
- 389
diameter:
- 3868
customMacros:
https: tls and (http or http2)
metrics:
port: 49100
pprof:
enabled: false
port: 8000
view: flamegraph
misc:
jsonTTL: 5m
pcapTTL: "0"
pcapErrorTTL: "0"
trafficSampleRate: 100
tcpStreamChannelTimeoutMs: 10000
tcpStreamChannelTimeoutShow: false
resolutionStrategy: auto
duplicateTimeframe: 200ms
detectDuplicates: false
staleTimeoutSeconds: 30
tcpFlowTimeout: 1200
udpFlowTimeout: 1200
securityContext:
privileged: true
appArmorProfile:
type: ""
localhostProfile: ""
seLinuxOptions:
level: ""
role: ""
type: ""
user: ""
capabilities:
networkCapture:
- NET_RAW
- NET_ADMIN
serviceMeshCapture:
- SYS_ADMIN
- SYS_PTRACE
- DAC_OVERRIDE
ebpfCapture:
- SYS_ADMIN
- SYS_PTRACE
- SYS_RESOURCE
- IPC_LOCK
mountBpf: true
hostNetwork: true
logs:
file: ""
grep: ""
pcapdump:
enabled: false
timeInterval: 1m
maxTime: 1h
maxSize: 500MB
time: time
debug: false
dest: ""
kube:
configPath: ""
context: ""
dumpLogs: false
headless: false
license: ""
cloudApiUrl: https://api.kubeshark.com
cloudLicenseEnabled: true
demoModeEnabled: false
supportChatEnabled: false
betaEnabled: false
internetConnectivity: true
scripting:
enabled: false
env: {}
source: ""
sources: []
watchScripts: true
active: []
console: true
timezone: ""
logLevel: warning