github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-08-19 00:49:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add stopAfter option to disable capture when inactive (#1778)

Browse Source 
* Add stopAfter option to disable capture when inactive

* Use 5m dorman

* Add capture stop after flag in hub
This commit is contained in:
Volodymyr Stoiko 2025-08-12 21:23:16 +03:00 committed by GitHub
parent 352484b5f6
commit 56b936b8b8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 38 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/configStruct.go
View File

@ -149,6 +149,10 @@ func CreateDefaultConfig() ConfigStruct {
Dashboard: configStructs.DashboardConfig{
CompleteStreamingEnabled: true,
},
Capture: configStructs.CaptureConfig{
Stopped: false,
StopAfter: "5m",
},
},
}
}

7
config/configStructs/tapConfig.go
View File

@ -298,6 +298,11 @@ type SeLinuxOptionsConfig struct {
User string `yaml:"user" json:"user"`
}
type CaptureConfig struct {
Stopped bool `yaml:"stopped" json:"stopped" default:"false"`
StopAfter string `yaml:"stopAfter" json:"stopAfter" default:"5m"`
}
type TapConfig struct {
Docker DockerConfig `yaml:"docker" json:"docker"`
Proxy ProxyConfig `yaml:"proxy" json:"proxy"`
@ -305,7 +310,7 @@ type TapConfig struct {
Namespaces []string `yaml:"namespaces" json:"namespaces" default:"[]"`
ExcludedNamespaces []string `yaml:"excludedNamespaces" json:"excludedNamespaces" default:"[]"`
BpfOverride string `yaml:"bpfOverride" json:"bpfOverride" default:""`
Stopped bool `yaml:"stopped" json:"stopped" default:"false"`
Capture CaptureConfig `yaml:"capture" json:"capture"`
Release ReleaseConfig `yaml:"release" json:"release"`
PersistentStorage bool `yaml:"persistentStorage" json:"persistentStorage" default:"false"`
PersistentStorageStatic bool `yaml:"persistentStorageStatic" json:"persistentStorageStatic" default:"false"`

39
helm-chart/README.md
View File

@ -112,7 +112,7 @@ Example for overriding image names:
```yaml
docker:
overrideImage:
overrideImage:
worker: docker.io/kubeshark/worker:v52.3.87
front: docker.io/kubeshark/front:v52.3.87
hub: docker.io/kubeshark/hub:v52.3.87
@ -138,7 +138,8 @@ Example for overriding image names:
| `tap.namespaces` | Target pods in namespaces | `[]` |
| `tap.excludedNamespaces` | Exclude pods in namespaces | `[]` |
| `tap.bpfOverride` | When using AF_PACKET as a traffic capture backend, override any existing pod targeting rules and set explicit BPF expression (e.g. `net 0.0.0.0/0`). | `[]` |
| `tap.stopped` | Set to `false` to have traffic processing start automatically. When set to `true`, traffic processing is stopped by default, resulting in almost no resource consumption (e.g. Kubeshark is dormant). This property can be dynamically control via the dashboard. | `false` |
| `tap.capture.stopped` | Set to `false` to have traffic processing start automatically. When set to `true`, traffic processing is stopped by default, resulting in almost no resource consumption (e.g. Kubeshark is dormant). This property can be dynamically control via the dashboard. | `false` |
| `tap.capture.stopAfter` | Set to a duration (e.g. `30s`) to have traffic processing stop after no websocket activity between worker and hub. | `30s` |
| `tap.release.repo` | URL of the Helm chart repository | `https://helm.kubeshark.co` |
| `tap.release.name` | Helm release name | `kubeshark` |
| `tap.release.namespace` | Helm release namespace | `default` |
@ -303,7 +304,7 @@ tap:
[**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp).
Choose this option, if **you already have a running instance** of Dex in your cluster &
Choose this option, if **you already have a running instance** of Dex in your cluster &
you want to set up Dex OIDC authentication for Kubeshark users.
Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/).
@ -345,7 +346,7 @@ Add these helm values to set up OIDC authentication powered by your Dex IdP:
```yaml
# values.yaml
tap:
tap:
auth:
enabled: true
type: dex
@ -375,7 +376,7 @@ Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kube
# Installing your own Dex IdP along with Kubeshark
Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark &
Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark &
set up Dex OIDC authentication for Kubeshark users.
Depending on Ingress enabled/disabled, your Dex configuration might differ.
@ -411,10 +412,10 @@ The following Dex settings will have these values:
Please, make sure to prepare the following things first.
1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP.
1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP.
- i.e. how many kind of "Log in with ..." options you'd like to offer your users
- You will need to specify connectors in `tap.auth.dexConfig.connectors`
2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP.
2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP.
- You will need to specify storage settings in `tap.auth.dexConfig.storage`
- default: `memory`
3. Decide on the OAuth2 `?state=` param expiration time:
@ -446,28 +447,28 @@ Make sure to:
Helm `values.yaml`:
```yaml
tap:
tap:
auth:
enabled: true
type: dex
dexOidc:
issuer: https://<your-ingress-hostname>/dex
# Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret`
clientId: kubeshark
clientSecret: create your own client password
refreshTokenLifetime: "3960h" # 165 days
oauth2StateParamExpiry: "10m"
bypassSslCaCheck: false
dexConfig:
# This field is REQUIRED!
#
#
# The base path of Dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to Dex. If a
# path is provided, Dex's HTTP service will listen at a non-root URL.
issuer: https://<your-ingress-hostname>/dex
# Expiration configuration for tokens, signing keys, etc.
expiry:
refreshTokens:
@ -475,15 +476,15 @@ tap:
absoluteLifetime: "3960h" # 165 days
# This field is REQUIRED!
#
#
# The storage configuration determines where Dex stores its state.
# See the documentation (https://dexidp.io/docs/storage/) for further information.
storage:
type: memory
# This field is REQUIRED!
#
# Attention:
#
# Attention:
# Do not change this field and its values.
# This field is required for internal Kubeshark-to-Dex communication.
#
@ -493,7 +494,7 @@ tap:
# This field is REQUIRED!
#
# Attention:
# Attention:
# Do not change this field and its values.
# This field is required for internal Kubeshark-to-Dex communication.
#
@ -519,10 +520,10 @@ tap:
# Connectors are used to authenticate users against upstream identity providers.
# See the documentation (https://dexidp.io/docs/connectors/) for further information.
#
# Attention:
# When you define a new connector, `config.redirectURI` must be:
# Attention:
# When you define a new connector, `config.redirectURI` must be:
# https://<your-ingress-hostname>/dex/callback
#
#
# Example with Google connector:
# connectors:
# - type: google

2
helm-chart/templates/04-hub-deployment.yaml
View File

@ -36,6 +36,8 @@ spec:
- "8080"
- -loglevel
- '{{ .Values.logLevel | default "warning" }}'
- -capture-stop-after
- "{{ .Values.tap.capture.stopAfter | default "5m" }}"
{{- if .Values.tap.gitops.enabled }}
- -gitops
{{- end }}

2
helm-chart/templates/06-front-deployment.yaml
View File

@ -65,7 +65,7 @@ spec:
- name: REACT_APP_RECORDING_DISABLED
value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
- name: REACT_APP_STOP_TRAFFIC_CAPTURING_DISABLED
value: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.stopped -}}
value: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.capture.stopped -}}
false
{{- else -}}
{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}

4
helm-chart/templates/12-config-map.yaml
View File

@ -11,7 +11,7 @@ data:
NAMESPACES: '{{ gt (len .Values.tap.namespaces) 0 | ternary (join "," .Values.tap.namespaces) "" }}'
EXCLUDED_NAMESPACES: '{{ gt (len .Values.tap.excludedNamespaces) 0 | ternary (join "," .Values.tap.excludedNamespaces) "" }}'
BPF_OVERRIDE: '{{ .Values.tap.bpfOverride }}'
STOPPED: '{{ .Values.tap.stopped | ternary "true" "false" }}'
STOPPED: '{{ .Values.tap.capture.stopped | ternary "true" "false" }}'
SCRIPTING_SCRIPTS: '{}'
SCRIPTING_ACTIVE_SCRIPTS: '{{ gt (len .Values.scripting.active) 0 | ternary (join "," .Values.scripting.active) "" }}'
INGRESS_ENABLED: '{{ .Values.tap.ingress.enabled }}'
@ -55,7 +55,7 @@ data:
TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
RECORDING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.stopped -}}
STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.capture.stopped -}}
false
{{- else -}}
{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}

4
helm-chart/values.yaml
View File

@ -26,7 +26,9 @@ tap:
namespaces: []
excludedNamespaces: []
bpfOverride: ""
stopped: false
capture:
stopped: false
stopAfter: 5m
release:
repo: https://helm.kubeshark.co
name: kubeshark