mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-09-01 18:47:39 +00:00
🔥 Remove --insertion-filter
and --redact
options from tap
command
@@ -53,9 +53,7 @@ func init() {
|
|||||||
tapCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.ProxyHost, "Provide a custom host for the proxy/port-forward.")
|
tapCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.ProxyHost, "Provide a custom host for the proxy/port-forward.")
|
||||||
tapCmd.Flags().StringSliceP(configStructs.NamespacesLabel, "n", defaultTapConfig.Namespaces, "Namespaces selector.")
|
tapCmd.Flags().StringSliceP(configStructs.NamespacesLabel, "n", defaultTapConfig.Namespaces, "Namespaces selector.")
|
||||||
tapCmd.Flags().BoolP(configStructs.AllNamespacesLabel, "A", defaultTapConfig.AllNamespaces, "Tap all namespaces.")
|
tapCmd.Flags().BoolP(configStructs.AllNamespacesLabel, "A", defaultTapConfig.AllNamespaces, "Tap all namespaces.")
|
||||||
tapCmd.Flags().Bool(configStructs.EnableRedactionLabel, defaultTapConfig.EnableRedaction, "Enables redaction of potentially sensitive request/response headers and body values.")
|
|
||||||
tapCmd.Flags().String(configStructs.HumanMaxEntriesDBSizeLabel, defaultTapConfig.HumanMaxEntriesDBSize, "Override the default max entries db size.")
|
tapCmd.Flags().String(configStructs.HumanMaxEntriesDBSizeLabel, defaultTapConfig.HumanMaxEntriesDBSize, "Override the default max entries db size.")
|
||||||
tapCmd.Flags().String(configStructs.InsertionFilterName, defaultTapConfig.InsertionFilter, "Set the insertion filter. Accepts string or a file path.")
|
|
||||||
tapCmd.Flags().Bool(configStructs.DryRunLabel, defaultTapConfig.DryRun, "Preview of all pods matching the regex, without tapping them.")
|
tapCmd.Flags().Bool(configStructs.DryRunLabel, defaultTapConfig.DryRun, "Preview of all pods matching the regex, without tapping them.")
|
||||||
tapCmd.Flags().Bool(configStructs.ServiceMeshName, defaultTapConfig.ServiceMesh, "Record decrypted traffic if the cluster is configured with a service mesh and with mtls.")
|
tapCmd.Flags().Bool(configStructs.ServiceMeshName, defaultTapConfig.ServiceMesh, "Record decrypted traffic if the cluster is configured with a service mesh and with mtls.")
|
||||||
tapCmd.Flags().Bool(configStructs.TlsName, defaultTapConfig.Tls, "Record tls traffic.")
|
tapCmd.Flags().Bool(configStructs.TlsName, defaultTapConfig.Tls, "Record tls traffic.")
|
||||||
|
@@ -111,7 +111,6 @@ func finishTapExecution(kubernetesProvider *kubernetes.Provider) {
|
|||||||
func getTapConfig() *models.Config {
|
func getTapConfig() *models.Config {
|
||||||
conf := models.Config{
|
conf := models.Config{
|
||||||
MaxDBSizeBytes: config.Config.Tap.MaxEntriesDBSizeBytes(),
|
MaxDBSizeBytes: config.Config.Tap.MaxEntriesDBSizeBytes(),
|
||||||
InsertionFilter: config.Config.Tap.GetInsertionFilter(),
|
|
||||||
PullPolicy: config.Config.ImagePullPolicyStr,
|
PullPolicy: config.Config.ImagePullPolicyStr,
|
||||||
WorkerResources: config.Config.Tap.WorkerResources,
|
WorkerResources: config.Config.Tap.WorkerResources,
|
||||||
ResourcesNamespace: config.Config.ResourcesNamespace,
|
ResourcesNamespace: config.Config.ResourcesNamespace,
|
||||||
|
@@ -2,14 +2,10 @@ package configStructs
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/fs"
|
|
||||||
"os"
|
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/kubeshark/base/pkg/models"
|
"github.com/kubeshark/base/pkg/models"
|
||||||
"github.com/kubeshark/kubeshark/utils"
|
"github.com/kubeshark/kubeshark/utils"
|
||||||
"github.com/rs/zerolog/log"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@@ -20,9 +16,7 @@ const (
|
|||||||
ProxyHostLabel = "proxy-host"
|
ProxyHostLabel = "proxy-host"
|
||||||
NamespacesLabel = "namespaces"
|
NamespacesLabel = "namespaces"
|
||||||
AllNamespacesLabel = "all-namespaces"
|
AllNamespacesLabel = "all-namespaces"
|
||||||
EnableRedactionLabel = "redact"
|
|
||||||
HumanMaxEntriesDBSizeLabel = "max-entries-db-size"
|
HumanMaxEntriesDBSizeLabel = "max-entries-db-size"
|
||||||
InsertionFilterName = "insertion-filter"
|
|
||||||
DryRunLabel = "dry-run"
|
DryRunLabel = "dry-run"
|
||||||
ServiceMeshName = "service-mesh"
|
ServiceMeshName = "service-mesh"
|
||||||
TlsName = "tls"
|
TlsName = "tls"
|
||||||
@@ -40,25 +34,16 @@ type FrontConfig struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type TapConfig struct {
|
type TapConfig struct {
|
||||||
Hub HubConfig `yaml:"hub"`
|
Hub HubConfig `yaml:"hub"`
|
||||||
Front FrontConfig `yaml:"front"`
|
Front FrontConfig `yaml:"front"`
|
||||||
DockerRegistry string `yaml:"docker-registry" default:"docker.io/kubeshark"`
|
DockerRegistry string `yaml:"docker-registry" default:"docker.io/kubeshark"`
|
||||||
DockerTag string `yaml:"docker-tag" default:"latest"`
|
DockerTag string `yaml:"docker-tag" default:"latest"`
|
||||||
PodRegexStr string `yaml:"regex" default:".*"`
|
PodRegexStr string `yaml:"regex" default:".*"`
|
||||||
ProxyHost string `yaml:"proxy-host" default:"127.0.0.1"`
|
ProxyHost string `yaml:"proxy-host" default:"127.0.0.1"`
|
||||||
Namespaces []string `yaml:"namespaces"`
|
Namespaces []string `yaml:"namespaces"`
|
||||||
AllNamespaces bool `yaml:"all-namespaces" default:"false"`
|
AllNamespaces bool `yaml:"all-namespaces" default:"false"`
|
||||||
IgnoredUserAgents []string `yaml:"ignored-user-agents"`
|
IgnoredUserAgents []string `yaml:"ignored-user-agents"`
|
||||||
EnableRedaction bool `yaml:"redact" default:"false"`
|
|
||||||
RedactPatterns struct {
|
|
||||||
RequestHeaders []string `yaml:"request-headers"`
|
|
||||||
ResponseHeaders []string `yaml:"response-headers"`
|
|
||||||
RequestBody []string `yaml:"request-body"`
|
|
||||||
ResponseBody []string `yaml:"response-body"`
|
|
||||||
RequestQueryParams []string `yaml:"request-query-params"`
|
|
||||||
} `yaml:"redact-patterns"`
|
|
||||||
HumanMaxEntriesDBSize string `yaml:"max-entries-db-size" default:"200MB"`
|
HumanMaxEntriesDBSize string `yaml:"max-entries-db-size" default:"200MB"`
|
||||||
InsertionFilter string `yaml:"insertion-filter" default:""`
|
|
||||||
DryRun bool `yaml:"dry-run" default:"false"`
|
DryRun bool `yaml:"dry-run" default:"false"`
|
||||||
HubResources models.Resources `yaml:"hub-resources"`
|
HubResources models.Resources `yaml:"hub-resources"`
|
||||||
WorkerResources models.Resources `yaml:"worker-resources"`
|
WorkerResources models.Resources `yaml:"worker-resources"`
|
||||||
@@ -78,61 +63,6 @@ func (config *TapConfig) MaxEntriesDBSizeBytes() int64 {
|
|||||||
return maxEntriesDBSizeBytes
|
return maxEntriesDBSizeBytes
|
||||||
}
|
}
|
||||||
|
|
||||||
func (config *TapConfig) GetInsertionFilter() string {
|
|
||||||
insertionFilter := config.InsertionFilter
|
|
||||||
if fs.ValidPath(insertionFilter) {
|
|
||||||
if _, err := os.Stat(insertionFilter); err == nil {
|
|
||||||
b, err := os.ReadFile(insertionFilter)
|
|
||||||
if err != nil {
|
|
||||||
log.Warn().Err(err).Str("insertion-filter-path", insertionFilter).Msg("Couldn't read the file! Defaulting to string.")
|
|
||||||
} else {
|
|
||||||
insertionFilter = string(b)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
redactFilter := getRedactFilter(config)
|
|
||||||
if insertionFilter != "" && redactFilter != "" {
|
|
||||||
log.Info().Str("filter", insertionFilter).Msg("Using insertion filter:")
|
|
||||||
return fmt.Sprintf("(%s) and (%s)", insertionFilter, redactFilter)
|
|
||||||
} else if insertionFilter == "" && redactFilter != "" {
|
|
||||||
return redactFilter
|
|
||||||
}
|
|
||||||
|
|
||||||
return insertionFilter
|
|
||||||
}
|
|
||||||
|
|
||||||
func getRedactFilter(config *TapConfig) string {
|
|
||||||
if !config.EnableRedaction {
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
||||||
var redactValues []string
|
|
||||||
for _, requestHeader := range config.RedactPatterns.RequestHeaders {
|
|
||||||
redactValues = append(redactValues, fmt.Sprintf("request.headers['%s']", requestHeader))
|
|
||||||
}
|
|
||||||
for _, responseHeader := range config.RedactPatterns.ResponseHeaders {
|
|
||||||
redactValues = append(redactValues, fmt.Sprintf("response.headers['%s']", responseHeader))
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, requestBody := range config.RedactPatterns.RequestBody {
|
|
||||||
redactValues = append(redactValues, fmt.Sprintf("request.postData.text.json()...%s", requestBody))
|
|
||||||
}
|
|
||||||
for _, responseBody := range config.RedactPatterns.ResponseBody {
|
|
||||||
redactValues = append(redactValues, fmt.Sprintf("response.content.text.json()...%s", responseBody))
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, requestQueryParams := range config.RedactPatterns.RequestQueryParams {
|
|
||||||
redactValues = append(redactValues, fmt.Sprintf("request.queryString['%s']", requestQueryParams))
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(redactValues) == 0 {
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
||||||
return fmt.Sprintf("redact(\"%s\")", strings.Join(redactValues, "\",\""))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (config *TapConfig) Validate() error {
|
func (config *TapConfig) Validate() error {
|
||||||
_, compileErr := regexp.Compile(config.PodRegexStr)
|
_, compileErr := regexp.Compile(config.PodRegexStr)
|
||||||
if compileErr != nil {
|
if compileErr != nil {
|
||||||
|
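Review bot: In the `TapConfig` hunk (`@@ -40,25 +34,16 @@`; the struct continues outside it), `EnableRedaction`, `RedactPatterns` and `InsertionFilter` are dropped, but nothing in the new code tells an operator whose config file still carries `redact: true`, `redact-patterns:` or `insertion-filter:` that those keys no longer do anything. If the YAML loader ignores unknown keys (not visible on this page), headers, bodies and query parameters that were previously redacted would be stored unredacted after an upgrade, with no signal. Consider having the config loader reject or warn on those legacy keys. A struct comment would also help, such as `// redact, redact-patterns and insertion-filter were removed; entries are no longer filtered or redacted at insertion time`. The `--redact` and `--insertion-filter` flags removed in the first hunk presumably fail as unknown flags, so the config-file path is the one that can degrade silently.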