From 3a1ad64b4c092c1c6775b9912727bf8e99aa1f84 Mon Sep 17 00:00:00 2001
From: theechofive <32634559+theechofive@users.noreply.github.com>
Date: Fri, 10 Apr 2026 19:23:31 +0300
Subject: [PATCH 1/2] fix: add subPathExpr to worker DaemonSet for shared persistent storage (#1901)
Co-authored-by: Volodymyr Stoiko
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
---
 helm-chart/templates/09-worker-daemon-set.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index 8f8225d70..e9a8d4ef1 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -131,6 +131,10 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 - name: TCP_STREAM_CHANNEL_TIMEOUT_MS
 value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutMs }}'
 - name: TCP_STREAM_CHANNEL_TIMEOUT_SHOW
@@ -227,6 +231,9 @@ spec:
 mountPropagation: HostToContainer
 - mountPath: /app/data
 name: data
+{{- if .Values.tap.persistentStorage }}
+ subPathExpr: $(NODE_NAME)
+{{- end }}
 {{- if .Values.tap.tls }}
 - command:
 - ./tracer
@@ -257,6 +264,10 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 - name: PROFILING_ENABLED
 value: '{{ .Values.tap.pprof.enabled }}'
 - name: SENTRY_ENABLED
@@ -328,6 +339,9 @@ spec:
 mountPropagation: HostToContainer
 - mountPath: /app/data
 name: data
+{{- if .Values.tap.persistentStorage }}
+ subPathExpr: $(NODE_NAME)
+{{- end }}
 - mountPath: /etc/os-release
 name: os-release
 readOnly: true
From 31129e570a6c03d0ea1105e32f0f28b5b6f4b535 Mon Sep 17 00:00:00 2001
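Review bot: In `09-worker-daemon-set.yaml`, the two `subPathExpr: $(NODE_NAME)` mounts (the `@@ -227` and `@@ -328` hunks) move `/app/data` to a per-node subdirectory only when `tap.persistentStorage` is set, and nothing in the patch says what happens to data an existing release already wrote at the volume root. After an upgrade that data would presumably stay on the shared volume but no longer be visible under `/app/data`, so captured traffic could outlive whatever cleanup the worker applies; the volume definition is outside these hunks, so confirm against it. The node name is also the only separation between workers on the shared claim, which deserves a template comment next to each mount, for example `{{- /* per-node subdirectory: workers share one PVC when tap.persistentStorage is set */}}`. Both container specs begin and end outside the hunks.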
From: Volodymyr Stoiko
Date: Fri, 10 Apr 2026 19:51:44 +0300
Subject: [PATCH 2/2] Provide external volume for dissection job (#1905)
* Pass dissection storage configuration
* add dissection storage test
* Allow pvc management
* Use snapshot storage config as default for dissection storage config
---------
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
---
 config/configStructs/tapConfig.go | 6 +-
 helm-chart/README.md | 2 +
 helm-chart/templates/02-cluster-role.yaml | 9 ++
 helm-chart/templates/04-hub-deployment.yaml | 10 ++
 helm-chart/tests/dissection_storage_test.yaml | 127 ++++++++++++++++++
 helm-chart/values.yaml | 2 +
 6 files changed, 154 insertions(+), 2 deletions(-)
 create mode 100644 helm-chart/tests/dissection_storage_test.yaml
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 1199f2355..3d8c88ac1 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -354,8 +354,10 @@ type SnapshotsConfig struct {
 }
 type DelayedDissectionConfig struct {
- CPU string `yaml:"cpu" json:"cpu" default:"1"`
- Memory string `yaml:"memory" json:"memory" default:"4Gi"`
+ CPU string `yaml:"cpu" json:"cpu" default:"1"`
+ Memory string `yaml:"memory" json:"memory" default:"4Gi"`
+ StorageSize string `yaml:"storageSize" json:"storageSize" default:""`
+ StorageClass string `yaml:"storageClass" json:"storageClass" default:""`
 }
 type DissectionConfig struct {
diff --git a/helm-chart/README.md b/helm-chart/README.md
index 17c613d7e..1c03373c6 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -164,6 +164,8 @@ Example for overriding image names:
 | `tap.snapshots.cloud.gcs.credentialsJson` | Service account JSON key. When set, the chart auto-creates a Secret with `SNAPSHOT_GCS_CREDENTIALS_JSON`. | `""` |
 | `tap.delayedDissection.cpu` | CPU allocation for delayed dissection jobs | `1` |
 | `tap.delayedDissection.memory` | Memory allocation for delayed dissection jobs | `4Gi` |
+| `tap.delayedDissection.storageSize` | Storage size for dissection job PVC. When empty, falls back to `tap.snapshots.local.storageSize`. When the resolved value is non-empty, a PVC is created; otherwise an `emptyDir` is used. | `""` |
+| `tap.delayedDissection.storageClass` | Storage class for dissection job PVC. When empty, falls back to `tap.snapshots.local.storageClass`. | `""` |
 | `tap.release.repo` | URL of the Helm chart repository | `https://helm.kubeshark.com` |
 | `tap.release.name` | Helm release name | `kubeshark` |
 | `tap.release.namespace` | Helm release namespace | `default` |
diff --git a/helm-chart/templates/02-cluster-role.yaml b/helm-chart/templates/02-cluster-role.yaml
index 6e610fd9f..fc1750499 100644
--- a/helm-chart/templates/02-cluster-role.yaml
+++ b/helm-chart/templates/02-cluster-role.yaml
@@ -86,6 +86,15 @@ rules:
 verbs:
 - create
 - get
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - get
+ - list
+ - delete
 - apiGroups:
 - batch
 resources:
diff --git a/helm-chart/templates/04-hub-deployment.yaml b/helm-chart/templates/04-hub-deployment.yaml
index 047b22595..5c20a1d6e 100644
--- a/helm-chart/templates/04-hub-deployment.yaml
+++ b/helm-chart/templates/04-hub-deployment.yaml
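Review bot: In `02-cluster-role.yaml`, the new rule grants `create`, `get`, `list` and `delete` on `persistentvolumeclaims` unconditionally, including installs where the resolved dissection storage size is empty and, per the README rows in this patch, an `emptyDir` is used. Because this is a ClusterRole, the grant may reach claims in every namespace depending on how it is bound (the binding is not visible here), and `delete` on other workloads' claims is more than a dissection job needs. Consider wrapping the rule in the same condition the hub template uses, `{{- if (.Values.tap.delayedDissection.storageSize | default .Values.tap.snapshots.local.storageSize) }}` … `{{- end }}`, or moving it to a namespaced Role. The `rules:` list starts and continues outside the hunk.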
@@ -56,6 +56,16 @@ spec:
 - -dissector-memory
 - '{{ .Values.tap.delayedDissection.memory }}'
 {{- end }}
+ {{- $dissectorStorageSize := .Values.tap.delayedDissection.storageSize | default .Values.tap.snapshots.local.storageSize }}
+ {{- if $dissectorStorageSize }}
+ - -dissector-storage-size
+ - '{{ $dissectorStorageSize }}'
+ {{- end }}
+ {{- $dissectorStorageClass := .Values.tap.delayedDissection.storageClass | default .Values.tap.snapshots.local.storageClass }}
+ {{- if $dissectorStorageClass }}
+ - -dissector-storage-class
+ - '{{ $dissectorStorageClass }}'
+ {{- end }}
 {{- if .Values.tap.gitops.enabled }}
 - -gitops
 {{- end }}
diff --git a/helm-chart/tests/dissection_storage_test.yaml b/helm-chart/tests/dissection_storage_test.yaml
new file mode 100644
index 000000000..ceca10a3f
--- /dev/null
+++ b/helm-chart/tests/dissection_storage_test.yaml
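Review bot: In `04-hub-deployment.yaml`, `| default .Values.tap.snapshots.local.storageSize` treats an empty `tap.delayedDissection.storageSize` as unset, so there is no way to keep dissection jobs on `emptyDir` while snapshots use a PVC, and the first case in `dissection_storage_test.yaml` shows that default values now render `-dissector-storage-size` with `20Gi`. Existing releases would therefore start passing the PVC flags after an upgrade without any values change; if that is intended, say so in a template comment such as `{{- /* empty storageSize inherits tap.snapshots.local.storageSize, so dissection is PVC-backed by default */}}`. Separately, `'{{ $dissectorStorageSize }}'` and `'{{ $dissectorStorageClass }}'` place the value inside hand-written quotes; `{{ $dissectorStorageSize | quote }}` would keep a stray quote in a values file from breaking the rendered argument list. The container `command` list starts and ends outside the hunk.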
@@ -0,0 +1,127 @@
+suite: dissection storage configuration
+templates:
+ - templates/04-hub-deployment.yaml
+tests:
+ - it: should fallback to snapshot storageSize when dissection storageSize is empty
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-size
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: "20Gi"
+
+ - it: should fallback to snapshot storageClass when dissection storageClass is empty
+ set:
+ tap.snapshots.local.storageClass: gp2
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-class
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: gp2
+
+ - it: should not render dissector-storage-class when both dissection and snapshot storageClass are empty
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-class
+
+ - it: should prefer dissection storageSize over snapshot storageSize
+ set:
+ tap.delayedDissection.storageSize: 100Gi
+ tap.snapshots.local.storageSize: 50Gi
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-size
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: "100Gi"
+
+ - it: should prefer dissection storageClass over snapshot storageClass
+ set:
+ tap.delayedDissection.storageClass: io2
+ tap.snapshots.local.storageClass: gp2
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-class
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: io2
+
+ - it: should fallback to snapshot config for both storageSize and storageClass
+ set:
+ tap.snapshots.local.storageSize: 30Gi
+ tap.snapshots.local.storageClass: gp3
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-size
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: "30Gi"
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-class
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: gp3
+
+ - it: should not render dissector-storage-size when both dissection and snapshot storageSize are empty
+ set:
+ tap.delayedDissection.storageSize: ""
+ tap.snapshots.local.storageSize: ""
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-size
+
+ - it: should render all dissector args together with custom values
+ set:
+ tap.delayedDissection.cpu: "4"
+ tap.delayedDissection.memory: 8Gi
+ tap.delayedDissection.storageSize: 200Gi
+ tap.delayedDissection.storageClass: local-path
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-cpu
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: "4"
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-memory
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: 8Gi
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-size
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: "200Gi"
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-storage-class
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: local-path
+
+ - it: should still render existing dissector-cpu and dissector-memory args
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-cpu
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: "1"
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: -dissector-memory
+ - contains:
+ path: spec.template.spec.containers[0].command
+ content: 4Gi
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 8a024cde6..6ef893a0b 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -37,6 +37,8 @@ tap:
 delayedDissection:
 cpu: "1"
 memory: 4Gi
+ storageSize: ""
+ storageClass: ""
 snapshots:
 local:
 storageClass: ""