From 94fe36e5d693486f8cb88d0e2fdc5d256522b9ba Mon Sep 17 00:00:00 2001
From: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
Date: Wed, 12 Feb 2025 12:16:21 -0800
Subject: [PATCH] added a helm value to control the root fs mount set the default to false added documentation
---
 config/configStructs/tapConfig.go | 1 +
 helm-chart/README.md | 1 +
 helm-chart/templates/09-worker-daemon-set.yaml | 11 +++++++++++
 helm-chart/values.yaml | 1 +
 4 files changed, 14 insertions(+)
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 15277497c..f39b8cfd9 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -313,6 +313,7 @@ type TapConfig struct {
 	Pprof PprofConfig `yaml:"pprof" json:"pprof"`
 	Misc MiscConfig `yaml:"misc" json:"misc"`
 	SecurityContext SecurityContextConfig `yaml:"securityContext" json:"securityContext"`
+	ShortTermProcs bool `yaml:"shortTermProcs" json:"shortTermProcs" default:"false"`
 }
 
 func (config *TapConfig) PodRegex() *regexp.Regexp {
diff --git a/helm-chart/README.md b/helm-chart/README.md
index aba816ca0..4285357d3 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
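Review bot: The new `ShortTermProcs` field on `TapConfig` carries no doc comment, and its name does not say what enabling it does — per the daemon-set and README hunks in this same patch it mounts the node's root filesystem read-only at `/hostroot` in every worker pod and may keep unrelated pods from terminating, which is the kind of consequence a reader of the struct should see without opening the chart. Suggested comment above the field: `// ShortTermProcs mounts the host root filesystem read-only at /hostroot in the worker pods so short-lived processes can be detected; off by default because the mount may keep unrelated pods from terminating (see helm-chart/README.md).` The rest of `TapConfig` starts before this hunk.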
@@ -205,6 +205,7 @@ Example for overriding image names:
 | `tap.globalFilter` | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic. | `""` |
 | `tap.metrics.port` | Pod port used to expose Prometheus metrics | `49100` |
 | `tap.enabledDissectors` | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp` |
+| `tap.shortTermProcs` | This flag controls whether short living processes are detected (e.g. when someone uses CURL). In some very random edge-cases, this behavior may cause non-Kubeshark pods to not terminate. Therefore by default this option is turned off. Use with caution. | `false` |
 | `logs.file` | Logs dump path | `""` |
 | `pcapdump.enabled` | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools | `true` |
 | `pcapdump.maxTime` | The time window into the past that will be stored. Older traffic will be discarded. | `2h` |
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index 0a7ff3a34..28e0d6949 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -303,6 +303,12 @@ spec:
           - mountPath: /etc/os-release
             name: os-release
             readOnly: true
+          {{- if .Values.tap.shortTermProcs }}
+          - mountPath: /hostroot
+            mountPropagation: HostToContainer
+            name: root
+            readOnly: true
+          {{- end }}
           {{- end }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
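Review bot: `readOnly: true` on the new `/hostroot` mount is not recursive — the host filesystems mounted below `/` (and any that later arrive through the requested `mountPropagation: HostToContainer`) keep their own mount flags inside the container, so a compromised worker could still write to those submounts where their flags allow it, which matters for a pod that values.yaml already grants `SYS_PTRACE`, `SYS_RESOURCE` and `IPC_LOCK`. Kubernetes 1.30+ offers `recursiveReadOnly: Enabled` on a volumeMount, but as I read the API it is only accepted when `mountPropagation` is unset or `None`, so the change has to choose between propagation and a recursive read-only guard; confirm which one the short-lived-process detection actually depends on and record the outcome in a comment such as `# host root is exposed read-only for short-lived process detection; submounts are NOT recursively read-only`. The new `{{- if }}` block is also nested inside an existing conditional whose opening lies outside the hunk (note the `{{- end }}` that follows it), while the matching `root` hostPath volume added in the second hunk of this file is not visibly under that same guard, so a rendering with the volume declared but never mounted is possible — harmless, but worth checking it is intended. The same non-recursive read-only caveat applies to the hostPath volume in the second hunk.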
@@ -365,6 +371,11 @@ spec:
       - hostPath:
           path: /etc/os-release
         name: os-release
+      {{- if .Values.tap.shortTermProcs }}
+      - hostPath:
+          path: /
+        name: root
+      {{- end }}
       - name: data
       {{- if .Values.tap.persistentStorage }}
         persistentVolumeClaim:
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 257f8c298..75525c774 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -209,6 +209,7 @@ tap:
       - SYS_PTRACE
       - SYS_RESOURCE
      - IPC_LOCK
+  shortTermProcs: false
 logs:
   file: ""
   grep: ""
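Review bot: `shortTermProcs: false` is added to values.yaml without a comment, so an operator editing values sees a bare flag whose effect (a read-only hostPath mount of the node's `/` at `/hostroot` in every worker pod, per the daemon-set hunks) and known side effect (other pods may fail to terminate, per the README hunk) are described only elsewhere. Suggested comment above the key: `# Detect short-lived processes by mounting the host root filesystem read-only at /hostroot in the worker pods. May keep unrelated pods from terminating in some cases; leave off unless needed.` The `tap:` map this key belongs to starts before the hunk.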