mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-06-21 05:53:29 +00:00
Merge branch 'master' into ebpf-default
This commit is contained in:
Alon Girmonsky
GitHub
commit
4726a2d248
@ -62,6 +62,11 @@ func CreateDefaultConfig() ConfigStruct {
|
|||||||
Filter: "",
|
Filter: "",
|
||||||
CanDownloadPCAP: true,
|
CanDownloadPCAP: true,
|
||||||
CanUseScripting: true,
|
CanUseScripting: true,
|
||||||
|
ScriptingPermissions: configStructs.ScriptingPermissions{
|
||||||
|
CanSave: true,
|
||||||
|
CanActivate: true,
|
||||||
|
CanDelete: true,
|
||||||
|
},
|
||||||
CanUpdateTargetedPods: true,
|
CanUpdateTargetedPods: true,
|
||||||
CanStopTrafficCapturing: true,
|
CanStopTrafficCapturing: true,
|
||||||
ShowAdminConsoleLink: true,
|
ShowAdminConsoleLink: true,
|
||||||
|
|||||||
@ -117,13 +117,20 @@ type ResourcesConfig struct {
|
|||||||
Tracer ResourceRequirementsWorker `yaml:"tracer" json:"tracer"`
|
Tracer ResourceRequirementsWorker `yaml:"tracer" json:"tracer"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type ScriptingPermissions struct {
|
||||||
|
CanSave bool `yaml:"canSave" json:"canSave" default:"true"`
|
||||||
|
CanActivate bool `yaml:"canActivate" json:"canActivate" default:"true"`
|
||||||
|
CanDelete bool `yaml:"canDelete" json:"canDelete" default:"true"`
|
||||||
|
}
|
||||||
|
|
||||||
type Role struct {
|
type Role struct {
|
||||||
Filter string `yaml:"filter" json:"filter" default:""`
|
Filter string `yaml:"filter" json:"filter" default:""`
|
||||||
CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
|
CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
|
||||||
CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
|
CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
|
||||||
CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
|
ScriptingPermissions ScriptingPermissions `yaml:"scriptingPermissions" json:"scriptingPermissions"`
|
||||||
CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
|
CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
|
||||||
ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
|
CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
|
||||||
|
ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type SamlConfig struct {
|
type SamlConfig struct {
|
||||||
|
|||||||
@ -175,7 +175,7 @@ Example for overriding image names:
|
|||||||
| `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents <br/>(effective, if `tap.auth.type = saml`) | `` |
|
| `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents <br/>(effective, if `tap.auth.type = saml`) | `` |
|
||||||
| `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents <br/>(effective, if `tap.auth.type = saml`) | `` |
|
| `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents <br/>(effective, if `tap.auth.type = saml`) | `` |
|
||||||
| `tap.auth.saml.roleAttribute` | A SAML attribute name corresponding to user's authorization role <br/>(effective, if `tap.auth.type = saml`) | `role` |
|
| `tap.auth.saml.roleAttribute` | A SAML attribute name corresponding to user's authorization role <br/>(effective, if `tap.auth.type = saml`) | `role` |
|
||||||
| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions <br/>(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "canStopTrafficCapturing":true, "filter":"","showAdminConsoleLink":true}}` |
|
| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions <br/>(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "scriptingPermissions":{"canSave":true, "canActivate":true, "canDelete":true}, "canStopTrafficCapturing":true, "filter":"","showAdminConsoleLink":true}}` |
|
||||||
| `tap.ingress.enabled` | Enable `Ingress` | `false` |
|
| `tap.ingress.enabled` | Enable `Ingress` | `false` |
|
||||||
| `tap.ingress.className` | Ingress class name | `""` |
|
| `tap.ingress.className` | Ingress class name | `""` |
|
||||||
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |
|
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |
|
||||||
|
|||||||
@ -25,6 +25,39 @@ spec:
|
|||||||
name: kubeshark-worker-daemon-set
|
name: kubeshark-worker-daemon-set
|
||||||
namespace: kubeshark
|
namespace: kubeshark
|
||||||
spec:
|
spec:
|
||||||
|
initContainers:
|
||||||
|
- command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
|
||||||
|
{{- if .Values.tap.docker.overrideTag.worker }}
|
||||||
|
image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
|
||||||
|
{{ else }}
|
||||||
|
image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
|
||||||
|
{{- end }}
|
||||||
|
imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
|
||||||
|
name: check-bpf
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /sys
|
||||||
|
name: sys
|
||||||
|
mountPropagation: Bidirectional
|
||||||
|
- command:
|
||||||
|
- ./tracer
|
||||||
|
- -init-bpf
|
||||||
|
{{- if .Values.tap.docker.overrideTag.worker }}
|
||||||
|
image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
|
||||||
|
{{ else }}
|
||||||
|
image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
|
||||||
|
{{- end }}
|
||||||
|
imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
|
||||||
|
name: init-bpf
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /sys
|
||||||
|
name: sys
|
||||||
containers:
|
containers:
|
||||||
- command:
|
- command:
|
||||||
- ./worker
|
- ./worker
|
||||||
|
|||||||
@ -85,6 +85,10 @@ tap:
|
|||||||
filter: ""
|
filter: ""
|
||||||
canDownloadPCAP: true
|
canDownloadPCAP: true
|
||||||
canUseScripting: true
|
canUseScripting: true
|
||||||
|
scriptingPermissions:
|
||||||
|
canSave: true
|
||||||
|
canActivate: true
|
||||||
|
canDelete: true
|
||||||
canUpdateTargetedPods: true
|
canUpdateTargetedPods: true
|
||||||
canStopTrafficCapturing: true
|
canStopTrafficCapturing: true
|
||||||
showAdminConsoleLink: true
|
showAdminConsoleLink: true
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
# Source: kubeshark/templates/16-network-policies.yaml
|
# Source: kubeshark/templates/17-network-policies.yaml
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
metadata:
|
metadata:
|
||||||
@ -23,10 +23,13 @@ spec:
|
|||||||
- ports:
|
- ports:
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 8080
|
port: 8080
|
||||||
|
- ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 9100
|
||||||
egress:
|
egress:
|
||||||
- {}
|
- {}
|
||||||
---
|
---
|
||||||
# Source: kubeshark/templates/16-network-policies.yaml
|
# Source: kubeshark/templates/17-network-policies.yaml
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
metadata:
|
metadata:
|
||||||
@ -53,7 +56,7 @@ spec:
|
|||||||
egress:
|
egress:
|
||||||
- {}
|
- {}
|
||||||
---
|
---
|
||||||
# Source: kubeshark/templates/16-network-policies.yaml
|
# Source: kubeshark/templates/17-network-policies.yaml
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
metadata:
|
metadata:
|
||||||
@ -236,7 +239,7 @@ data:
|
|||||||
AUTH_TYPE: 'oidc'
|
AUTH_TYPE: 'oidc'
|
||||||
AUTH_SAML_IDP_METADATA_URL: ''
|
AUTH_SAML_IDP_METADATA_URL: ''
|
||||||
AUTH_SAML_ROLE_ATTRIBUTE: 'role'
|
AUTH_SAML_ROLE_ATTRIBUTE: 'role'
|
||||||
AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","showAdminConsoleLink":true}}'
|
AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}'
|
||||||
TELEMETRY_DISABLED: 'false'
|
TELEMETRY_DISABLED: 'false'
|
||||||
SCRIPTING_DISABLED: ''
|
SCRIPTING_DISABLED: ''
|
||||||
TARGETED_PODS_UPDATE_DISABLED: ''
|
TARGETED_PODS_UPDATE_DISABLED: ''
|
||||||
@ -457,6 +460,35 @@ spec:
|
|||||||
port: 49100
|
port: 49100
|
||||||
targetPort: 49100
|
targetPort: 49100
|
||||||
---
|
---
|
||||||
|
# Source: kubeshark/templates/16-hub-service-metrics.yaml
|
||||||
|
kind: Service
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
helm.sh/chart: kubeshark-52.3.92
|
||||||
|
app.kubernetes.io/name: kubeshark
|
||||||
|
app.kubernetes.io/instance: kubeshark
|
||||||
|
app.kubernetes.io/version: "52.3.92"
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
annotations:
|
||||||
|
prometheus.io/scrape: 'true'
|
||||||
|
prometheus.io/port: '9100'
|
||||||
|
name: kubeshark-hub-metrics
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app.kubeshark.co/app: hub
|
||||||
|
helm.sh/chart: kubeshark-52.3.92
|
||||||
|
app.kubernetes.io/name: kubeshark
|
||||||
|
app.kubernetes.io/instance: kubeshark
|
||||||
|
app.kubernetes.io/version: "52.3.92"
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
ports:
|
||||||
|
- name: metrics
|
||||||
|
protocol: TCP
|
||||||
|
port: 9100
|
||||||
|
targetPort: 9100
|
||||||
|
---
|
||||||
# Source: kubeshark/templates/09-worker-daemon-set.yaml
|
# Source: kubeshark/templates/09-worker-daemon-set.yaml
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
@ -490,6 +522,31 @@ spec:
|
|||||||
name: kubeshark-worker-daemon-set
|
name: kubeshark-worker-daemon-set
|
||||||
namespace: kubeshark
|
namespace: kubeshark
|
||||||
spec:
|
spec:
|
||||||
|
initContainers:
|
||||||
|
- command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
|
||||||
|
image: 'docker.io/kubeshark/worker:v52.3.92'
|
||||||
|
imagePullPolicy: Always
|
||||||
|
name: check-bpf
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /sys
|
||||||
|
name: sys
|
||||||
|
mountPropagation: Bidirectional
|
||||||
|
- command:
|
||||||
|
- ./tracer
|
||||||
|
- -init-bpf
|
||||||
|
image: 'docker.io/kubeshark/worker:v52.3.92'
|
||||||
|
imagePullPolicy: Always
|
||||||
|
name: init-bpf
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /sys
|
||||||
|
name: sys
|
||||||
containers:
|
containers:
|
||||||
- command:
|
- command:
|
||||||
- ./worker
|
- ./worker
|
||||||
@ -501,6 +558,8 @@ spec:
|
|||||||
- '49100'
|
- '49100'
|
||||||
- -packet-capture
|
- -packet-capture
|
||||||
- 'best'
|
- 'best'
|
||||||
|
- -loglevel
|
||||||
|
- 'warning'
|
||||||
- -unixsocket
|
- -unixsocket
|
||||||
- -servicemesh
|
- -servicemesh
|
||||||
- -procfs
|
- -procfs
|
||||||
@ -559,6 +618,10 @@ spec:
|
|||||||
- SYS_ADMIN
|
- SYS_ADMIN
|
||||||
- SYS_PTRACE
|
- SYS_PTRACE
|
||||||
- DAC_OVERRIDE
|
- DAC_OVERRIDE
|
||||||
|
- SYS_ADMIN
|
||||||
|
- SYS_PTRACE
|
||||||
|
- SYS_RESOURCE
|
||||||
|
- IPC_LOCK
|
||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
@ -590,6 +653,8 @@ spec:
|
|||||||
- /hostproc
|
- /hostproc
|
||||||
- -disable-ebpf
|
- -disable-ebpf
|
||||||
- -disable-tls-log
|
- -disable-tls-log
|
||||||
|
# - -loglevel
|
||||||
|
# - 'warning'
|
||||||
image: 'docker.io/kubeshark/worker:v52.3.92'
|
image: 'docker.io/kubeshark/worker:v52.3.92'
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: Always
|
||||||
name: tracer
|
name: tracer
|
||||||
@ -725,6 +790,8 @@ spec:
|
|||||||
- ./hub
|
- ./hub
|
||||||
- -port
|
- -port
|
||||||
- "8080"
|
- "8080"
|
||||||
|
- -loglevel
|
||||||
|
- 'warning'
|
||||||
env:
|
env:
|
||||||
- name: POD_NAME
|
- name: POD_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user