From 5242d9af078cc0e2c9ae7aac5f68e2bb32138181 Mon Sep 17 00:00:00 2001
From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com>
Date: Wed, 25 Dec 2024 22:33:16 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=82=20Add=20save/activate/delete=20rol?=
=?UTF-8?q?e=20scripting=20permissions=20(#1675)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* 🛂 Add save/activate/delete role scripting permissions
* 🔧 Add scripting permissions to tap-config
* :hammer: Re-generate helm values & `complete.yaml`
* 📝 Add scripting permissions to helm chart docs
* 🏷️ Make scripting permissions `true` by default
---------
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
---
config/configStruct.go | 5 ++++
config/configStructs/tapConfig.go | 19 ++++++++----
helm-chart/README.md | 2 +-
helm-chart/values.yaml | 4 +++
manifests/complete.yaml | 50 ++++++++++++++++++++++++++++---
5 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/config/configStruct.go b/config/configStruct.go
index 190ebd604..8e3470e59 100644
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -62,6 +62,11 @@ func CreateDefaultConfig() ConfigStruct {
Filter: "",
CanDownloadPCAP: true,
CanUseScripting: true,
+ ScriptingPermissions: configStructs.ScriptingPermissions{
+ CanSave: true,
+ CanActivate: true,
+ CanDelete: true,
+ },
CanUpdateTargetedPods: true,
CanStopTrafficCapturing: true,
ShowAdminConsoleLink: true,
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 40b44f6a8..1e5dd3610 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -117,13 +117,20 @@ type ResourcesConfig struct {
Tracer ResourceRequirementsWorker `yaml:"tracer" json:"tracer"`
}
+type ScriptingPermissions struct {
+ CanSave bool `yaml:"canSave" json:"canSave" default:"true"`
+ CanActivate bool `yaml:"canActivate" json:"canActivate" default:"true"`
+ CanDelete bool `yaml:"canDelete" json:"canDelete" default:"true"`
+}
+
type Role struct {
- Filter string `yaml:"filter" json:"filter" default:""`
- CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
- CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
- CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
- CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
- ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
+ Filter string `yaml:"filter" json:"filter" default:""`
+ CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
+ CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
+ ScriptingPermissions ScriptingPermissions `yaml:"scriptingPermissions" json:"scriptingPermissions"`
+ CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
+ CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
+ ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
}
type SamlConfig struct {
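Review bot: The three fields of the new ScriptingPermissions struct carry `default:"true"` while every sibling permission on Role is `default:"false"`, so a role entry that omits `scriptingPermissions` will, if the defaults loader fills nested structs, silently receive save/activate/delete rights instead of the deny-by-default the other flags follow; the commit message says this is intentional, but a restricted role defined before this change now gains capabilities it never declared, so either `default:"false"` or an explicit comment on the struct stating the fail-open behaviour is needed for operators who maintain non-admin roles. The `ScriptingPermissions` field on Role itself has no default tag, so whether the nested tags are applied at all depends on how the defaults library treats struct-typed fields, which is not visible here. The new exported type also lacks a doc comment; I would add `// ScriptingPermissions narrows what a role may do with scripts; presumably only consulted when CanUseScripting is true, and each flag is true when omitted from the role definition.` above it. Whether CanUseScripting is checked before these flags is not shown in this hunk.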
diff --git a/helm-chart/README.md b/helm-chart/README.md
index b2d2421b2..61a5b4d63 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -175,7 +175,7 @@ Example for overriding image names:
| `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents
(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents
(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.roleAttribute` | A SAML attribute name corresponding to user's authorization role
(effective, if `tap.auth.type = saml`) | `role` |
-| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions
(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "canStopTrafficCapturing":true, "filter":"","showAdminConsoleLink":true}}` |
+| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions
(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canUpdateTargetedPods":true,"canUseScripting":true, "scriptingPermissions":{"canSave":true, "canActivate":true, "canDelete":true}, "canStopTrafficCapturing":true, "filter":"","showAdminConsoleLink":true}}` |
| `tap.ingress.enabled` | Enable `Ingress` | `false` |
| `tap.ingress.className` | Ingress class name | `""` |
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index bf402e6fc..236b85968 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -85,6 +85,10 @@ tap:
filter: ""
canDownloadPCAP: true
canUseScripting: true
+ scriptingPermissions:
+ canSave: true
+ canActivate: true
+ canDelete: true
canUpdateTargetedPods: true
canStopTrafficCapturing: true
showAdminConsoleLink: true
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index f07d415a2..b12a12696 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@@ -1,5 +1,5 @@
---
-# Source: kubeshark/templates/16-network-policies.yaml
+# Source: kubeshark/templates/17-network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -23,10 +23,13 @@ spec:
- ports:
- protocol: TCP
port: 8080
+ - ports:
+ - protocol: TCP
+ port: 9100
egress:
- {}
---
-# Source: kubeshark/templates/16-network-policies.yaml
+# Source: kubeshark/templates/17-network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -53,7 +56,7 @@ spec:
egress:
- {}
---
-# Source: kubeshark/templates/16-network-policies.yaml
+# Source: kubeshark/templates/17-network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -236,7 +239,7 @@ data:
AUTH_TYPE: 'oidc'
AUTH_SAML_IDP_METADATA_URL: ''
AUTH_SAML_ROLE_ATTRIBUTE: 'role'
- AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","showAdminConsoleLink":true}}'
+ AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}'
TELEMETRY_DISABLED: 'false'
SCRIPTING_DISABLED: ''
TARGETED_PODS_UPDATE_DISABLED: ''
@@ -457,6 +460,35 @@ spec:
port: 49100
targetPort: 49100
---
+# Source: kubeshark/templates/16-hub-service-metrics.yaml
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ helm.sh/chart: kubeshark-52.3.92
+ app.kubernetes.io/name: kubeshark
+ app.kubernetes.io/instance: kubeshark
+ app.kubernetes.io/version: "52.3.92"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9100'
+ name: kubeshark-hub-metrics
+ namespace: default
+spec:
+ selector:
+ app.kubeshark.co/app: hub
+ helm.sh/chart: kubeshark-52.3.92
+ app.kubernetes.io/name: kubeshark
+ app.kubernetes.io/instance: kubeshark
+ app.kubernetes.io/version: "52.3.92"
+ app.kubernetes.io/managed-by: Helm
+ ports:
+ - name: metrics
+ protocol: TCP
+ port: 9100
+ targetPort: 9100
+---
# Source: kubeshark/templates/09-worker-daemon-set.yaml
apiVersion: apps/v1
kind: DaemonSet
@@ -501,6 +533,8 @@ spec:
- '49100'
- -packet-capture
- 'best'
+ - -loglevel
+ - 'warning'
- -unixsocket
- -servicemesh
- -procfs
@@ -559,6 +593,10 @@ spec:
- SYS_ADMIN
- SYS_PTRACE
- DAC_OVERRIDE
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - SYS_RESOURCE
+ - IPC_LOCK
drop:
- ALL
readinessProbe:
@@ -590,6 +628,8 @@ spec:
- /hostproc
- -disable-ebpf
- -disable-tls-log
+ # - -loglevel
+ # - 'warning'
image: 'docker.io/kubeshark/worker:v52.3.92'
imagePullPolicy: Always
name: tracer
@@ -725,6 +765,8 @@ spec:
- ./hub
- -port
- "8080"
+ - -loglevel
+ - 'warning'
env:
- name: POD_NAME
valueFrom: