added a helm value to control the root fs mount

set the default to false
added documentation
Alon Girmonsky 2025-02-12 12:16:21 -08:00
parent 70a9024bbe
commit 94fe36e5d6
4 changed files with 14 additions and 0 deletions


@ -313,6 +313,7 @@ type TapConfig struct {
Pprof PprofConfig `yaml:"pprof" json:"pprof"`
Misc MiscConfig `yaml:"misc" json:"misc"`
SecurityContext SecurityContextConfig `yaml:"securityContext" json:"securityContext"`
ShortTermProcs bool `yaml:"shortTermProcs" json:"shortTermProcs" default:"false"`
}
func (config *TapConfig) PodRegex() *regexp.Regexp {
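Review bot: `ShortTermProcs` is added to `TapConfig` without a comment, and neither the field name, the README row for `tap.shortTermProcs`, nor the `values.yaml` default says that enabling it makes the chart mount the node's root filesystem into the pod at `/hostroot`. An operator deciding whether to enable the flag should see that at the definition. A comment such as `// ShortTermProcs enables short-lived process detection; when true the chart mounts the host's / read-only at /hostroot.` would cover it, with the same sentence added to the README row and as a comment above the `values.yaml` key. The struct begins outside this hunk.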


@ -205,6 +205,7 @@ Example for overriding image names:
| `tap.globalFilter` | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic. | `""` |
| `tap.metrics.port` | Pod port used to expose Prometheus metrics | `49100` |
| `tap.enabledDissectors` | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp` |
| `tap.shortTermProcs` | This flag controls whether short living processes are detected (e.g. when someone uses CURL). In some very random edge-cases, this behavior may cause non-Kubeshark pods to not terminate. Therefore by default this option is turned off. Use with caution. | `false` |
| `logs.file` | Logs dump path | `""` |
| `pcapdump.enabled` | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools | `true` |
| `pcapdump.maxTime` | The time window into the past that will be stored. Older traffic will be discarded. | `2h` |


@ -303,6 +303,12 @@ spec:
- mountPath: /etc/os-release
name: os-release
readOnly: true
{{- if .Values.tap.shortTermProcs }}
- mountPath: /hostroot
mountPropagation: HostToContainer
name: root
readOnly: true
{{- end }}
{{- end }}
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
@ -365,6 +371,11 @@ spec:
- hostPath:
path: /etc/os-release
name: os-release
{{- if .Values.tap.shortTermProcs }}
- hostPath:
path: /
name: root
{{- end }}
- name: data
{{- if .Values.tap.persistentStorage }}
persistentVolumeClaim:
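Review bot: The new `/hostroot` mount exposes the node's entire filesystem to this container whenever `tap.shortTermProcs` is true. Kubernetes does not apply `readOnly: true` recursively by default, so submounts that arrive under `/` through `mountPropagation: HostToContainer` may still be writable from inside the container. If the detection only needs part of the host tree (not determinable from these hunks), a narrower `hostPath` would reduce the exposure. Otherwise state the trade-off in a template comment above the `if`, e.g. `{{- /* mounts host / at /hostroot: read access to all node files */ -}}`. The matching `hostPath` volume in the second hunk could also declare `type: Directory`.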


@ -209,6 +209,7 @@ tap:
- SYS_PTRACE
- SYS_RESOURCE
- IPC_LOCK
shortTermProcs: false
logs:
file: ""
grep: ""