Tracer, ServiceMesh - Disable by default and some docs updates (#1472)

* Disabled Tracer by default

As Tracer requires significantly more resources and elevated security capability, it is recommended to have it disabled by default and enabled on demand.

* Updated the tap.tls default value to false

* Added description to the default and global KFL filters

* serviceMesh false by default

As serviceMesh requires elevated security permissions.
Furthermore, this capability is required only by a fraction of the user base. Some service mesh versions/configurations aren't supported. Therefore, it is recommended to start as disabled and enable on demand.

* Update the readme related to the service mesh default value

Set the default value of serviceMesh to false as, among other things, it requires elevated security permissions and therefore should be enabled on demand.
Alon Girmonsky 2023-12-30 18:47:26 -08:00 committed by GitHub
parent 36767eda27
commit 77878e97f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 5 deletions


@ -136,8 +136,8 @@ helm install kubeshark kubeshark/kubeshark \
| `tap.resources.hub.limits.memory` | Memory limit for hub | `1Gi` |
| `tap.resources.hub.requests.cpu` | CPU request for hub | `50m` |
| `tap.resources.hub.requests.memory` | Memory request for hub | `50Mi` |
| `tap.serviceMesh` | Capture traffic from service meshes like Istio, Linkerd, Consul, etc. | `true` |
| `tap.tls` | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL | `true` |
| `tap.serviceMesh` | Capture traffic from service meshes like Istio, Linkerd, Consul, etc. | `false` |
| `tap.tls` | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL | `false` |
| `tap.ignoreTainted` | Whether to ignore tainted nodes | `false` |
| `tap.labels` | Kubernetes labels to apply to all Kubeshark resources | `{}` |
| `tap.annotations` | Kubernetes annotations to apply to all Kubeshark resources | `{}` |
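Review bot: the `tap.serviceMesh` and `tap.tls` rows now default to `false`, but their descriptions still say nothing about why they are off or what enabling them costs. The commit message gives the reason (elevated security permissions for both, significantly more resources for the Tracer), so add it to the description column where an operator about to set either value to `true` will see it. The commit message also speaks of the Tracer while the key changed here is `tap.tls`; if they are the same feature, name it in the row, since the table never uses that term.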
@ -157,6 +157,8 @@ helm install kubeshark kubeshark/kubeshark \
| `tap.kernelModule.imageRepoSecret` | ImageRepoSecret is an optional secret that is used to pull both the module loader container([details](PF_RING.md)) | "" |
| `tap.kernelModule.kernelMappings` |List of mappings between kernel version and container loader([details](PF_RING.md)) | `[{'regexp': '.+$', 'containerImage': 'kubehq/pf-ring-module:${KERNEL_FULL_VERSION}'}]` |
| `tap.telemetry.enabled` | Enable anonymous usage statistics collection | `true` |
| `tap.defaultFilter` | Sets the default dashboard KFL filter (e.g. `http`) | `""` |
| `tap.globalFilter` | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. | `""` |
| `logs.file` | Logs dump path | `""` |
| `kube.configPath` | Path to the `kubeconfig` file (`$HOME/.kube/config`) | `""` |
| `kube.context` | Kubernetes context to use for the deployment | `""` |
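Review bot: the `tap.globalFilter` row offers `redact("request.headers.Authorization")` as a way to limit what is visible in the dashboard, but it does not say whether the filter affects only the dashboard view or also whatever is stored or exported elsewhere. Readers will rely on this as a control for credentials in captured traffic, so state its scope explicitly. As a style point, the new rows write the empty default as `""` in backticks while the `tap.kernelModule.imageRepoSecret` row above uses a bare ""; use one form.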
@ -169,4 +171,4 @@ helm install kubeshark kubeshark/kubeshark \
KernelMapping pairs kernel versions with a
DriverContainer image. Kernel versions can be matched
literally or using a regular expression
literally or using a regular expression
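Review bot: the final line of this hunk, `literally or using a regular expression`, appears twice with identical text, so the only change is whitespace or the end-of-file newline, which is unrelated to the default changes. Drop it from this commit, or if the intent is to fix the trailing newline, say so in the commit message.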


@ -39,8 +39,8 @@ tap:
requests:
cpu: 50m
memory: 50Mi
serviceMesh: true
tls: true
serviceMesh: false
tls: false
ignoreTainted: false
labels: {}
annotations: {}
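Review bot: switching `serviceMesh` and `tls` to `false` in the chart defaults changes behaviour for every install that relied on the old values: after an upgrade those deployments no longer capture TLS or service-mesh traffic unless the keys are set explicitly. Add a comment above the two keys saying they are off by default because they require elevated security permissions, and call the change out in the release notes so users who need the capture set `tap.tls=true` or `tap.serviceMesh=true` deliberately.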