diff --git a/config/configStruct.go b/config/configStruct.go
index 190ebd604..8e3470e59 100644
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -62,6 +62,11 @@ func CreateDefaultConfig() ConfigStruct {
Filter: "",
CanDownloadPCAP: true,
CanUseScripting: true,
+ ScriptingPermissions: configStructs.ScriptingPermissions{
+ CanSave: true,
+ CanActivate: true,
+ CanDelete: true,
+ },
CanUpdateTargetedPods: true,
CanStopTrafficCapturing: true,
ShowAdminConsoleLink: true,
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 40b44f6a8..1e5dd3610 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -117,13 +117,20 @@ type ResourcesConfig struct {
Tracer ResourceRequirementsWorker `yaml:"tracer" json:"tracer"`
}
+type ScriptingPermissions struct {
+ CanSave bool `yaml:"canSave" json:"canSave" default:"true"`
+ CanActivate bool `yaml:"canActivate" json:"canActivate" default:"true"`
+ CanDelete bool `yaml:"canDelete" json:"canDelete" default:"true"`
+}
+
type Role struct {
- Filter string `yaml:"filter" json:"filter" default:""`
- CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
- CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
- CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
- CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
- ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
+ Filter string `yaml:"filter" json:"filter" default:""`
+ CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
+ CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
+ ScriptingPermissions ScriptingPermissions `yaml:"scriptingPermissions" json:"scriptingPermissions"`
+ CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
+ CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
+ ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
}
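Review bot: The new `ScriptingPermissions` type is exported without a doc comment, and its three booleans carry `default:"true"` while every other permission flag on `Role` directly below defaults to `false`; a role that is given `canUseScripting: true` but omits `scriptingPermissions` presumably ends up with save, activate and delete all granted, which inverts the least-privilege default the rest of the struct follows. How the `default` tag is applied is not visible in this diff, so confirm against the defaults loader, and if the permissive default is intentional state it in the comment. Suggested header: `// ScriptingPermissions refines CanUseScripting: a role may run scripts without being allowed to save, activate or delete them. When the block is omitted the default tags grant all three.` The all-true block added in `CreateDefaultConfig` (config/configStruct.go hunk) and in `helm-chart/values.yaml` covers only the admin role, so the struct tag is the effective default for every other role; what `CanUseScripting == false` means for a permissions block that is all true is also undocumented.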
type SamlConfig struct {
diff --git a/helm-chart/README.md b/helm-chart/README.md
index b2d2421b2..61a5b4d63 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -175,7 +175,7 @@ Example for overriding image names:
| `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents
(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents
(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.roleAttribute` | A SAML attribute name corresponding to user's authorization role
(effective, if `tap.auth.type = saml`) | `role` |
-| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions
(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "canStopTrafficCapturing":true, "filter":"","showAdminConsoleLink":true}}` |
+| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions
(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "scriptingPermissions":{"canSave":true, "canActivate":true, "canDelete":true}, "canStopTrafficCapturing":true, "filter":"","showAdminConsoleLink":true}}` |
| `tap.ingress.enabled` | Enable `Ingress` | `false` |
| `tap.ingress.className` | Ingress class name | `""` |
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index c7a9b60f3..76308647f 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -25,6 +25,39 @@ spec:
name: kubeshark-worker-daemon-set
namespace: kubeshark
spec:
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
+ {{- if .Values.tap.docker.overrideTag.worker }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{ else }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{- end }}
+ imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+ name: check-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
+ mountPropagation: Bidirectional
+ - command:
+ - ./tracer
+ - -init-bpf
+ {{- if .Values.tap.docker.overrideTag.worker }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{ else }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{- end }}
+ imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+ name: init-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
containers:
- command:
- ./worker
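Review bot: The bpffs probe in the `check-bpf` init container, `mount | grep -q '/sys/fs/bpf'`, is a substring match over every mount line, so any mount whose path merely contains that text satisfies it; anchoring on the mount-point column, `- mkdir -p /sys/fs/bpf && mount | grep -q ' /sys/fs/bpf ' || mount -t bpf bpf /sys/fs/bpf`, keeps the check to the directory actually being mounted (`mountpoint -q /sys/fs/bpf` would be cleaner if the worker image ships it, which this template does not show). Both init containers run `privileged: true` with `/sys` mounted read-write, and nothing in the template says why that level is needed for `./tracer -init-bpf` as opposed to the capability list the worker container presumably uses further down; a one-line comment above each `securityContext` naming the requirement (mounting bpffs on the host, loading and pinning programs) would let a later reviewer judge whether it can be narrowed. The `{{ else }}` between `{{- if` and `{{- end }}` lacks the trim marker and emits a blank line in the rendered manifest; the same image-selection block is now repeated for both init containers and the worker, which is a candidate for a named template. The DaemonSet `spec` this hunk sits in begins and ends outside the hunk.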
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index bf402e6fc..236b85968 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -85,6 +85,10 @@ tap:
filter: ""
canDownloadPCAP: true
canUseScripting: true
+ scriptingPermissions:
+ canSave: true
+ canActivate: true
+ canDelete: true
canUpdateTargetedPods: true
canStopTrafficCapturing: true
showAdminConsoleLink: true
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index f07d415a2..7224a231c 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@@ -1,5 +1,5 @@
---
-# Source: kubeshark/templates/16-network-policies.yaml
+# Source: kubeshark/templates/17-network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -23,10 +23,13 @@ spec:
- ports:
- protocol: TCP
port: 8080
+ - ports:
+ - protocol: TCP
+ port: 9100
egress:
- {}
---
-# Source: kubeshark/templates/16-network-policies.yaml
+# Source: kubeshark/templates/17-network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -53,7 +56,7 @@ spec:
egress:
- {}
---
-# Source: kubeshark/templates/16-network-policies.yaml
+# Source: kubeshark/templates/17-network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -236,7 +239,7 @@ data:
AUTH_TYPE: 'oidc'
AUTH_SAML_IDP_METADATA_URL: ''
AUTH_SAML_ROLE_ATTRIBUTE: 'role'
- AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","showAdminConsoleLink":true}}'
+ AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}'
TELEMETRY_DISABLED: 'false'
SCRIPTING_DISABLED: ''
TARGETED_PODS_UPDATE_DISABLED: ''
@@ -457,6 +460,35 @@ spec:
port: 49100
targetPort: 49100
---
+# Source: kubeshark/templates/16-hub-service-metrics.yaml
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ helm.sh/chart: kubeshark-52.3.92
+ app.kubernetes.io/name: kubeshark
+ app.kubernetes.io/instance: kubeshark
+ app.kubernetes.io/version: "52.3.92"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9100'
+ name: kubeshark-hub-metrics
+ namespace: default
+spec:
+ selector:
+ app.kubeshark.co/app: hub
+ helm.sh/chart: kubeshark-52.3.92
+ app.kubernetes.io/name: kubeshark
+ app.kubernetes.io/instance: kubeshark
+ app.kubernetes.io/version: "52.3.92"
+ app.kubernetes.io/managed-by: Helm
+ ports:
+ - name: metrics
+ protocol: TCP
+ port: 9100
+ targetPort: 9100
+---
# Source: kubeshark/templates/09-worker-daemon-set.yaml
apiVersion: apps/v1
kind: DaemonSet
@@ -490,6 +522,31 @@ spec:
name: kubeshark-worker-daemon-set
namespace: kubeshark
spec:
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
+ image: 'docker.io/kubeshark/worker:v52.3.92'
+ imagePullPolicy: Always
+ name: check-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
+ mountPropagation: Bidirectional
+ - command:
+ - ./tracer
+ - -init-bpf
+ image: 'docker.io/kubeshark/worker:v52.3.92'
+ imagePullPolicy: Always
+ name: init-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
containers:
- command:
- ./worker
@@ -501,6 +558,8 @@ spec:
- '49100'
- -packet-capture
- 'best'
+ - -loglevel
+ - 'warning'
- -unixsocket
- -servicemesh
- -procfs
@@ -559,6 +618,10 @@ spec:
- SYS_ADMIN
- SYS_PTRACE
- DAC_OVERRIDE
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - SYS_RESOURCE
+ - IPC_LOCK
drop:
- ALL
readinessProbe:
@@ -590,6 +653,8 @@ spec:
- /hostproc
- -disable-ebpf
- -disable-tls-log
+ # - -loglevel
+ # - 'warning'
image: 'docker.io/kubeshark/worker:v52.3.92'
imagePullPolicy: Always
name: tracer
@@ -725,6 +790,8 @@ spec:
- ./hub
- -port
- "8080"
+ - -loglevel
+ - 'warning'
env:
- name: POD_NAME
valueFrom: