From 77878e97f5eaf30c00f3490584f512aa47554c48 Mon Sep 17 00:00:00 2001 From: Alon Girmonsky <1990761+alongir@users.noreply.github.com> Date: Sat, 30 Dec 2023 18:47:26 -0800 Subject: [PATCH] Tracer, ServiceMesh - Disable by default and some docs updates (#1472) * Disabled Tracer by default As Tracer requires significantly more resources and elevated security capability, it is recommended to have it disabled by default and enabled on demand. * Updated the tap.tls default value to false * added description to the default and global KFL filters * serviceMesh false by default As serviceMesh requires elevated security permissions. Furthermore this capability is required only in a fraction of the userbase. Some service mesh versions/configurations aren't supported. Therefore, it is recommended to start as disabled and enable on-demand * Update the readme related to the service mesh default value Set the default value of serviceMesh to false as among other things, it requires elevated security permissions and therefore should be enabled on demand. --- helm-chart/README.md | 8 +++++--- helm-chart/values.yaml | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/helm-chart/README.md b/helm-chart/README.md index f39e6f7e5..dd24c58a2 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md 
@@ -136,8 +136,8 @@ helm install kubeshark kubeshark/kubeshark \ | `tap.resources.hub.limits.memory` | Memory limit for hub | `1Gi` | | `tap.resources.hub.requests.cpu` | CPU request for hub | `50m` | | `tap.resources.hub.requests.memory` | Memory request for hub | `50Mi` | -| `tap.serviceMesh` | Capture traffic from service meshes like Istio, Linkerd, Consul, etc. | `true` | -| `tap.tls` | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL | `true` | +| `tap.serviceMesh` | Capture traffic from service meshes like Istio, Linkerd, Consul, etc. | `false` | +| `tap.tls` | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL | `false` | | `tap.ignoreTainted` | Whether to ignore tainted nodes | `false` | | `tap.labels` | Kubernetes labels to apply to all Kubeshark resources | `{}` | | `tap.annotations` | Kubernetes annotations to apply to all Kubeshark resources | `{}` | @@ -157,6 +157,8 @@ helm install kubeshark kubeshark/kubeshark \ | `tap.kernelModule.imageRepoSecret` | ImageRepoSecret is an optional secret that is used to pull both the module loader container([details](PF_RING.md)) | "" | | `tap.kernelModule.kernelMappings` |List of mappings between kernel version and container loader([details](PF_RING.md)) | `[{'regexp': '.+$', 'containerImage': 'kubehq/pf-ring-module:${KERNEL_FULL_VERSION}'}]` | | `tap.telemetry.enabled` | Enable anonymous usage statistics collection | `true` | +| `tap.defaultFilter` | Sets the default dashboard KFL filter (e.g. `http`) | `""` | +| `tap.globalFilter` | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. | `""` | | `logs.file` | Logs dump path | `""` | | `kube.configPath` | Path to the `kubeconfig` file (`$HOME/.kube/config`) | `""` | | `kube.context` | Kubernetes context to use for the deployment | `""` | 
@@ -169,4 +171,4 @@ helm install kubeshark kubeshark/kubeshark \ KernelMapping pairs kernel versions with a DriverContainer image. Kernel versions can be matched - literally or using a regular expression \ No newline at end of file + literally or using a regular expression diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index afc745c9b..7cd38a2a6 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -39,8 +39,8 @@ tap: requests: cpu: 50m memory: 50Mi - serviceMesh: true - tls: true + serviceMesh: false + tls: false ignoreTainted: false labels: {} annotations: {}
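Review bot: on the first README hunk (`@@ -136,8 +136,8 @@`), the commit message lists "Disabled Tracer by default" and "Updated the tap.tls default value to false" as separate items, but the only rows that change here are `tap.serviceMesh` and `tap.tls`; if `tap.tls` is the switch that enables the Tracer, the description cell should say so, otherwise the Tracer default change is missing from this patch. Since the stated reason for both flips is that the features need elevated security capabilities, it would also help operators to carry that into the table, e.g. `| \`tap.tls\` | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL (requires elevated privileges; enable on demand) | \`false\` |`.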
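Review bot: on the second README hunk (`@@ -157,6 +157,8 @@`), the new `tap.globalFilter` row says the value "prepends to any KFL filter" but does not state which operator joins it to the user's filter or whether a dashboard user can remove it; because the intended use is limiting visibility (the example redacts `request.headers.Authorization`), the row should state the combining semantics and the override behaviour explicitly so nobody relies on a redaction that a dashboard filter can bypass. The two new rows also have no counterpart in the values.yaml hunk of this patch; confirm `tap.defaultFilter` and `tap.globalFilter` already exist there with `""` defaults so the documented defaults are accurate.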
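Review bot: on the values.yaml hunk (`@@ -39,8 +39,8 @@`), flipping `serviceMesh` and `tls` to `false` silently changes capture behaviour for anyone upgrading who relied on the previous defaults, and the diffstat shows only README.md and values.yaml touched, so no chart version bump or upgrade note accompanies it; add both. The rationale given in the commit message (elevated permissions, enable on demand) should also appear as a comment above the two keys in values.yaml, since that file, not the git history, is what users read when they edit values.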