From 56b936b8b8cbf74bf0f755e2663e062ad25ee17a Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Tue, 12 Aug 2025 21:23:16 +0300 Subject: [PATCH] Add stopAfter option to disable capture when inactive (#1778) * Add stopAfter option to disable capture when inactive * Use 5m dorman * Add capture stop after flag in hub --- config/configStruct.go | 4 ++ config/configStructs/tapConfig.go | 7 +++- helm-chart/README.md | 39 ++++++++++--------- helm-chart/templates/04-hub-deployment.yaml | 2 + helm-chart/templates/06-front-deployment.yaml | 2 +- helm-chart/templates/12-config-map.yaml | 4 +- helm-chart/values.yaml | 4 +- 7 files changed, 38 insertions(+), 24 deletions(-) diff --git a/config/configStruct.go b/config/configStruct.go index f012c684f..6092173fc 100644 --- a/config/configStruct.go +++ b/config/configStruct.go @@ -149,6 +149,10 @@ func CreateDefaultConfig() ConfigStruct { Dashboard: configStructs.DashboardConfig{ CompleteStreamingEnabled: true, }, + Capture: configStructs.CaptureConfig{ + Stopped: false, + StopAfter: "5m", + }, }, } } diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index 9fda21fe5..cd56b6c87 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -298,6 +298,11 @@ type SeLinuxOptionsConfig struct { User string `yaml:"user" json:"user"` } +type CaptureConfig struct { + Stopped bool `yaml:"stopped" json:"stopped" default:"false"` + StopAfter string `yaml:"stopAfter" json:"stopAfter" default:"5m"` +} + type TapConfig struct { Docker DockerConfig `yaml:"docker" json:"docker"` Proxy ProxyConfig `yaml:"proxy" json:"proxy"` 
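Review bot: The default `StopAfter: "5m"` in CreateDefaultConfig is the third place this value is spelled (the `default:"5m"` struct tag in tapConfig.go and values.yaml are the others), and the README table in this same commit documents the default as `30s`, so one of them is wrong. A short comment on the new literal would help whoever next changes it, e.g. `// Capture stops after 5m without websocket activity between worker and hub; keep in sync with the CaptureConfig tags, values.yaml and the README.` `Stopped: false` only restates the zero value, though keeping it mirrors the other explicit defaults in this literal. Note that a non-empty default means every deployment now opts into automatic capture stop unless it overrides the value. CreateDefaultConfig's body starts outside the hunk.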
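Review bot: `StopAfter` is a free-form string and nothing in this hunk validates it, so a value that is not a Go duration (for example `30` with no unit) is only discovered when the hub parses its `-capture-stop-after` argument, presumably via `time.ParseDuration`. If the config package has a validation step for TapConfig, it should call `time.ParseDuration` on `Capture.StopAfter` there so a bad value is rejected at config load time rather than as a hub startup failure. The exported type also has no doc comment; I would add `// CaptureConfig controls traffic capture: Stopped starts the deployment dormant, StopAfter is a Go duration string (e.g. "30s", "5m") after which capture stops when there is no websocket activity between worker and hub.`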
@@ -305,7 +310,7 @@ type TapConfig struct { Namespaces []string `yaml:"namespaces" json:"namespaces" default:"[]"` ExcludedNamespaces []string `yaml:"excludedNamespaces" json:"excludedNamespaces" default:"[]"` BpfOverride string `yaml:"bpfOverride" json:"bpfOverride" default:""` - Stopped bool `yaml:"stopped" json:"stopped" default:"false"` + Capture CaptureConfig `yaml:"capture" json:"capture"` Release ReleaseConfig `yaml:"release" json:"release"` PersistentStorage bool `yaml:"persistentStorage" json:"persistentStorage" default:"false"` PersistentStorageStatic bool `yaml:"persistentStorageStatic" json:"persistentStorageStatic" default:"false"` diff --git a/helm-chart/README.md b/helm-chart/README.md index e3746e12d..bf5c0f856 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md @@ -112,7 +112,7 @@ Example for overriding image names: ```yaml docker: - overrideImage: + overrideImage: worker: docker.io/kubeshark/worker:v52.3.87 front: docker.io/kubeshark/front:v52.3.87 hub: docker.io/kubeshark/hub:v52.3.87 
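Review bot: Replacing `Stopped` with `Capture CaptureConfig` moves the key from `tap.stopped` to `tap.capture.stopped` with no migration or deprecation path in this hunk: a config or values file that still sets `tap.stopped: true` to keep Kubeshark dormant would, unless the YAML decoder rejects unknown keys, be silently ignored and capture would start automatically, the opposite of what that operator asked for. The same rename is applied to the chart in 06-front-deployment.yaml, 12-config-map.yaml and values.yaml, so chart upgrades with an old values file are affected in the same way. Consider keeping the old field for one release with `// Deprecated: use Capture.Stopped instead.` and folding it into `Capture.Stopped` when set, or at least documenting the rename as a breaking change in the chart notes. TapConfig continues outside the hunk.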
@@ -138,7 +138,8 @@ Example for overriding image names: | `tap.namespaces` | Target pods in namespaces | `[]` | | `tap.excludedNamespaces` | Exclude pods in namespaces | `[]` | | `tap.bpfOverride` | When using AF_PACKET as a traffic capture backend, override any existing pod targeting rules and set explicit BPF expression (e.g. `net 0.0.0.0/0`). | `[]` | -| `tap.stopped` | Set to `false` to have traffic processing start automatically. When set to `true`, traffic processing is stopped by default, resulting in almost no resource consumption (e.g. Kubeshark is dormant). This property can be dynamically control via the dashboard. | `false` | +| `tap.capture.stopped` | Set to `false` to have traffic processing start automatically. When set to `true`, traffic processing is stopped by default, resulting in almost no resource consumption (e.g. Kubeshark is dormant). This property can be dynamically control via the dashboard. | `false` | +| `tap.capture.stopAfter` | Set to a duration (e.g. `30s`) to have traffic processing stop after no websocket activity between worker and hub. | `30s` | | `tap.release.repo` | URL of the Helm chart repository | `https://helm.kubeshark.co` | | `tap.release.name` | Helm release name | `kubeshark` | | `tap.release.namespace` | Helm release namespace | `default` | @@ -303,7 +304,7 @@ tap: [**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp). -Choose this option, if **you already have a running instance** of Dex in your cluster & +Choose this option, if **you already have a running instance** of Dex in your cluster & you want to set up Dex OIDC authentication for Kubeshark users. Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/). @@ -345,7 +346,7 @@ Add these helm values to set up OIDC authentication powered by your Dex IdP: ```yaml # values.yaml -tap: +tap: auth: enabled: true type: dex 
@@ -375,7 +376,7 @@ Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kube # Installing your own Dex IdP along with Kubeshark -Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & +Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & set up Dex OIDC authentication for Kubeshark users. Depending on Ingress enabled/disabled, your Dex configuration might differ. @@ -411,10 +412,10 @@ The following Dex settings will have these values: Please, make sure to prepare the following things first. -1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. +1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. - i.e. how many kind of "Log in with ..." options you'd like to offer your users - You will need to specify connectors in `tap.auth.dexConfig.connectors` -2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. +2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. - You will need to specify storage settings in `tap.auth.dexConfig.storage` - default: `memory` 3. Decide on the OAuth2 `?state=` param expiration time: 
@@ -446,28 +447,28 @@ Make sure to: Helm `values.yaml`: ```yaml -tap: +tap: auth: enabled: true type: dex dexOidc: issuer: https:///dex - + # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret` clientId: kubeshark clientSecret: create your own client password - + refreshTokenLifetime: "3960h" # 165 days oauth2StateParamExpiry: "10m" bypassSslCaCheck: false dexConfig: # This field is REQUIRED! - # + # # The base path of Dex and the external name of the OpenID Connect service. # This is the canonical URL that all clients MUST use to refer to Dex. If a # path is provided, Dex's HTTP service will listen at a non-root URL. issuer: https:///dex - + # Expiration configuration for tokens, signing keys, etc. expiry: refreshTokens: @@ -475,15 +476,15 @@ tap: absoluteLifetime: "3960h" # 165 days # This field is REQUIRED! - # + # # The storage configuration determines where Dex stores its state. # See the documentation (https://dexidp.io/docs/storage/) for further information. storage: type: memory # This field is REQUIRED! - # - # Attention: + # + # Attention: # Do not change this field and its values. # This field is required for internal Kubeshark-to-Dex communication. # @@ -493,7 +494,7 @@ tap: # This field is REQUIRED! # - # Attention: + # Attention: # Do not change this field and its values. # This field is required for internal Kubeshark-to-Dex communication. # @@ -519,10 +520,10 @@ tap: # Connectors are used to authenticate users against upstream identity providers. # See the documentation (https://dexidp.io/docs/connectors/) for further information. # - # Attention: - # When you define a new connector, `config.redirectURI` must be: + # Attention: + # When you define a new connector, `config.redirectURI` must be: # https:///dex/callback - # + # # Example with Google connector: # connectors: # - type: google 
diff --git a/helm-chart/templates/04-hub-deployment.yaml b/helm-chart/templates/04-hub-deployment.yaml index ce9b810c1..6ddcd70c1 100644 --- a/helm-chart/templates/04-hub-deployment.yaml +++ b/helm-chart/templates/04-hub-deployment.yaml @@ -36,6 +36,8 @@ spec: - "8080" - -loglevel - '{{ .Values.logLevel | default "warning" }}' + - -capture-stop-after + - "{{ .Values.tap.capture.stopAfter | default "5m" }}" {{- if .Values.tap.gitops.enabled }} - -gitops {{- end }} diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml index c3657d56c..1641ab94e 100644 --- a/helm-chart/templates/06-front-deployment.yaml +++ b/helm-chart/templates/06-front-deployment.yaml @@ -65,7 +65,7 @@ spec: - name: REACT_APP_RECORDING_DISABLED value: '{{ .Values.tap.liveConfigMapChangesDisabled }}' - name: REACT_APP_STOP_TRAFFIC_CAPTURING_DISABLED - value: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.stopped -}} + value: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.capture.stopped -}} false {{- else -}} {{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }} diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml index 90bedb07e..7a7fc8300 100644 --- a/helm-chart/templates/12-config-map.yaml +++ b/helm-chart/templates/12-config-map.yaml 
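Review bot: The new argument line `- "{{ .Values.tap.capture.stopAfter | default "5m" }}"` wraps the value in double quotes while the neighbouring `-loglevel` value uses single quotes, and `default` treats an empty string as unset, so a user cannot hand the hub an empty value through this template; if an explicit "never stop" setting is meant to exist, the chart should say which value expresses it. Any value the hub cannot parse as a duration will presumably only surface as a hub startup failure, since the chart does not check the format. The container args list continues outside the hunk.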
@@ -11,7 +11,7 @@ data: NAMESPACES: '{{ gt (len .Values.tap.namespaces) 0 | ternary (join "," .Values.tap.namespaces) "" }}' EXCLUDED_NAMESPACES: '{{ gt (len .Values.tap.excludedNamespaces) 0 | ternary (join "," .Values.tap.excludedNamespaces) "" }}' BPF_OVERRIDE: '{{ .Values.tap.bpfOverride }}' - STOPPED: '{{ .Values.tap.stopped | ternary "true" "false" }}' + STOPPED: '{{ .Values.tap.capture.stopped | ternary "true" "false" }}' SCRIPTING_SCRIPTS: '{}' SCRIPTING_ACTIVE_SCRIPTS: '{{ gt (len .Values.scripting.active) 0 | ternary (join "," .Values.scripting.active) "" }}' INGRESS_ENABLED: '{{ .Values.tap.ingress.enabled }}' @@ -55,7 +55,7 @@ data: TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}' PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}' RECORDING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}' - STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.stopped -}} + STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.capture.stopped -}} false {{- else -}} {{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }} diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index b11e905cf..22a368a2d 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -26,7 +26,9 @@ tap: namespaces: [] excludedNamespaces: [] bpfOverride: "" - stopped: false + capture: + stopped: false + stopAfter: 5m release: repo: https://helm.kubeshark.co name: kubeshark
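Review bot: `stopAfter: 5m` in values.yaml is introduced without any comment on its format, and unlike the surrounding keys a duration string is not self-explanatory; I would document it inline as `stopAfter: 5m  # Go duration (e.g. 30s, 5m); capture stops after this long without websocket activity between worker and hub`. The README table in this commit lists the default as `30s`, which does not match this value or the Go defaults. The `tap:` block starts outside the hunk.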