diff --git a/cmd/tap.go b/cmd/tap.go
index e4a9101b5..86ee058a2 100644
--- a/cmd/tap.go
+++ b/cmd/tap.go
@@ -61,4 +61,5 @@ func init() {
tapCmd.Flags().Bool(configStructs.IngressEnabledLabel, defaultTapConfig.Ingress.Enabled, "Enable Ingress")
tapCmd.Flags().Bool(configStructs.TelemetryEnabledLabel, defaultTapConfig.Telemetry.Enabled, "Enable/disable Telemetry")
tapCmd.Flags().Bool(configStructs.ResourceGuardEnabledLabel, defaultTapConfig.ResourceGuard.Enabled, "Enable/disable resource guard")
+ tapCmd.Flags().Bool(configStructs.WatchdogEnabled, defaultTapConfig.Watchdog.Enabled, "Enable/disable watchdog")
}
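Review bot: The new flag on the added line is keyed by `configStructs.WatchdogEnabled`, while every neighbouring flag in this `init()` uses a `...EnabledLabel` constant (`TelemetryEnabledLabel`, `ResourceGuardEnabledLabel`), so the constant name breaks the file's convention. The same constant is declared in `config/configStructs/tapConfig.go` inside the pcap group (`PcapKubeconfig`, `PcapDumpEnabled`, `PcapTime`) rather than next to the other label constants; renaming it `WatchdogEnabledLabel` and placing it beside `ResourceGuardEnabledLabel` would keep both files consistent. `init()` begins before this hunk.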
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 456f165a5..1be086b04 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -44,6 +44,7 @@ const (
PcapKubeconfig = "kubeconfig"
PcapDumpEnabled = "enabled"
PcapTime = "time"
+ WatchdogEnabled = "watchdogEnabled"
)
type ResourceLimitsHub struct {
@@ -190,6 +191,14 @@ type IngressConfig struct {
Annotations map[string]string `yaml:"annotations" json:"annotations" default:"{}"`
}
+type RoutingConfig struct {
+ Front FrontRoutingConfig `yaml:"front" json:"front"`
+}
+
+type FrontRoutingConfig struct {
+ BasePath string `yaml:"basePath" json:"basePath" default:""`
+}
+
type ReleaseConfig struct {
Repo string `yaml:"repo" json:"repo" default:"https://helm.kubeshark.co"`
Name string `yaml:"name" json:"name" default:"kubeshark"`
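Review bot: `FrontRoutingConfig.BasePath` carries no documentation or validation, yet the chart templates in this diff interpolate it verbatim into nginx `location` prefixes and `rewrite` regexes, and the README row added here says the leading slash is mandatory. A doc comment would at least surface that contract to Go readers: `// BasePath is prepended to the front, /api and /saml nginx routes; it must start with "/" and carry no trailing slash (see helm-chart/README.md).` If the CLI validates tap config anywhere (not visible in this diff), a check that a non-empty value starts with `/` and contains only plain path characters belongs there.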
@@ -209,6 +218,10 @@ type SentryConfig struct {
Environment string `yaml:"environment" json:"environment" default:"production"`
}
+type WatchdogConfig struct {
+ Enabled bool `yaml:"enabled" json:"enabled" default:"true"`
+}
+
type CapabilitiesConfig struct {
NetworkCapture []string `yaml:"networkCapture" json:"networkCapture" default:"[]"`
ServiceMeshCapture []string `yaml:"serviceMeshCapture" json:"serviceMeshCapture" default:"[]"`
@@ -304,10 +317,12 @@ type TapConfig struct {
Tolerations TolerationsConfig `yaml:"tolerations" json:"tolerations" default:"{}"`
Auth AuthConfig `yaml:"auth" json:"auth"`
Ingress IngressConfig `yaml:"ingress" json:"ingress"`
+ Routing RoutingConfig `yaml:"routing" json:"routing"`
IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"`
Debug bool `yaml:"debug" json:"debug" default:"false"`
Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"`
ResourceGuard ResourceGuardConfig `yaml:"resourceGuard" json:"resourceGuard"`
+ Watchdog WatchdogConfig `yaml:"watchdog" json:"watchdog"`
Sentry SentryConfig `yaml:"sentry" json:"sentry"`
DefaultFilter string `yaml:"defaultFilter" json:"defaultFilter" default:"!dns and !error"`
LiveConfigMapChangesDisabled bool `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"`
diff --git a/helm-chart/Chart.yaml b/helm-chart/Chart.yaml
index 9d79fcace..6f5c76cce 100644
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: kubeshark
-version: "52.5"
+version: "52.6"
description: The API Traffic Analyzer for Kubernetes
home: https://kubeshark.co
keywords:
diff --git a/helm-chart/README.md b/helm-chart/README.md
index f3ec71252..c18b30137 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -196,11 +196,12 @@ Example for overriding image names:
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |
| `tap.ingress.tls` | `Ingress` TLS configuration | `[]` |
| `tap.ingress.annotations` | `Ingress` annotations | `{}` |
+| `tap.routing.front.basePath` | Set this value to serve `front` under specific base path. Example: `/custompath` (forward slash must be present) | `""` |
| `tap.ipv6` | Enable IPv6 support for the front-end | `true` |
| `tap.debug` | Enable debug mode | `false` |
| `tap.telemetry.enabled` | Enable anonymous usage statistics collection | `true` |
| `tap.resourceGuard.enabled` | Enable resource guard worker process, which watches RAM/disk usage and enables/disables traffic capture based on available resources | `false` |
-| `tap.sentry.enabled` | Enable sending of error logs to Sentry | `false` |
+| `tap.sentry.enabled` | Enable sending of error logs to Sentry | `true` (only for qualified users) |
| `tap.sentry.environment` | Sentry environment to label error logs with | `production` |
| `tap.defaultFilter` | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this, **temporarily**, in the Dashboard. For a permanent change, you should change this value in the `values.yaml` or `config.yaml` file. | `"!dns and !error"` |
| `tap.liveConfigMapChangesDisabled` | If set to `true`, all user functionality (scripting, targeting settings, global & default KFL modification, traffic recording, traffic capturing on/off, protocol dissectors) involving dynamic ConfigMap changes from UI will be disabled | `false` |
@@ -228,7 +229,7 @@ KernelMapping pairs kernel versions with a
DriverContainer image. Kernel versions can be matched
literally or using a regular expression
-## Installing with SAML enabled
+# Installing with SAML enabled
### Prerequisites:
@@ -293,3 +294,226 @@ tap:
UaV5sbRtTzYLxpOSQyi8CEFA+A==
-----END PRIVATE KEY-----
```
+
+# Installing with Dex OIDC authentication
+
+[**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp).
+
+Choose this option, if **you already have a running instance** of Dex in your cluster &
+you want to set up Dex OIDC authentication for Kubeshark users.
+
+Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/).
+Dex is an abstraction layer designed for integrating a wide variety of Identity Providers.
+
+**Requirement:**
+Your Dex IdP must have a publicly accessible URL.
+
+### Pre-requisites:
+
+**1. If you configured Ingress for Kubeshark:**
+
+(see section: "Installing with Ingress (EKS) enabled")
+
+OAuth2 callback URL is:
+`https:///api/oauth2/callback`
+
+**2. If you did not configure Ingress for Kubeshark:**
+
+OAuth2 callback URL is:
+`http://0.0.0.0:8899/api/oauth2/callback`
+
+Use chosen OAuth2 callback URL to replace `` in Step 3.
+
+**3. Add this static client to your Dex IdP configuration (`config.yaml`):**
+```yaml
+staticClients:
+ - id: kubeshark
+ secret: create your own client password
+ name: Kubeshark
+ redirectURIs:
+ - https:///api/oauth2/callback
+```
+
+**Final step:**
+
+Add these helm values to set up OIDC authentication powered by your Dex IdP:
+
+```yaml
+# values.yaml
+
+tap:
+ auth:
+ enabled: true
+ type: dex
+ dexOidc:
+ issuer:
+ clientId: kubeshark
+ clientSecret: create your own client password
+ refreshTokenLifetime: "3960h" # 165 days
+ oauth2StateParamExpiry: "10m"
+```
+
+Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.
+
+---
+
+# Installing your own Dex IdP along with Kubeshark
+
+Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark &
+set up Dex OIDC authentication for Kubeshark users.
+
+Depending on Ingress enabled/disabled, your Dex configuration might differ.
+
+**Requirement:**
+Please, configure Ingress using `tap.ingress` for your Kubeshark installation. For example:
+
+```yaml
+tap:
+ ingress:
+ enabled: true
+ className: "alb"
+ host: ks.example.com
+ tls: []
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/scheme: internet-facing
+```
+
+The following Dex settings will have these values:
+
+| Setting | Value |
+|-------------------------------------------------------|----------------------------------------------|
+| `tap.auth.dexOidc.issuer` | `https://ks.example.com/dex` |
+| `tap.auth.dexConfig.issuer` | `https://ks.example.com/dex` |
+| `tap.auth.dexConfig.staticClients -> redirectURIs` | `https://ks.example.com/api/oauth2/callback` |
+| `tap.auth.dexConfig.connectors -> config.redirectURI` | `https://ks.example.com/dex/callback` |
+
+---
+
+### Before proceeding with Dex IdP installation:
+
+Please, make sure to prepare the following things first.
+
+1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP.
+ - i.e. how many kind of "Log in with ..." options you'd like to offer your users
+ - You will need to specify connectors in `tap.auth.dexConfig.connectors`
+2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP.
+ - You will need to specify storage settings in `tap.auth.dexConfig.storage`
+ - default: `memory`
+3. Decide on the OAuth2 `?state=` param expiration time:
+ - field: `tap.auth.dexOidc.oauth2StateParamExpiry`
+ - default: `10m` (10 minutes)
+ - valid time units are `s`, `m`, `h`
+4. Decide on the refresh token expiration:
+ - field 1: `tap.auth.dexOidc.expiry.refreshTokenLifetime`
+ - field 2: `tap.auth.dexConfig.expiry.refreshTokens.absoluteLifetime`
+ - default: `3960h` (165 days)
+ - valid time units are `s`, `m`, `h`
+5. Create a unique & secure password to set in these fields:
+ - field 1: `tap.auth.dexOidc.clientSecret`
+ - field 2: `tap.auth.dexConfig.staticClients -> secret`
+ - password must be the same for these 2 fields
+6. Discover more possibilities of **[Dex Configuration](https://dexidp.io/docs/configuration/)**
+ - if you decide to include more configuration options, make sure to add them into `tap.auth.dexConfig`
+---
+
+### Once you are ready with all the points described above:
+
+Use these helm `values.yaml` fields to:
+- Deploy your own instance of Dex IdP along with Kubeshark
+- Enable OIDC authentication for Kubeshark users
+
+Make sure to:
+- Replace `` with a correct Kubeshark Ingress host (`tap.auth.ingress.host`).
+ - refer to section **Installing with Ingress (EKS) enabled** to find out how you can configure Ingress host.
+
+Helm `values.yaml`:
+```yaml
+tap:
+ auth:
+ enabled: true
+ type: dex
+ dexOidc:
+ issuer: https:///dex
+
+ # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret`
+ clientId: kubeshark
+ clientSecret: create your own client password
+
+ refreshTokenLifetime: "3960h" # 165 days
+ oauth2StateParamExpiry: "10m"
+ dexConfig:
+ # This field is REQUIRED!
+ #
+ # The base path of Dex and the external name of the OpenID Connect service.
+ # This is the canonical URL that all clients MUST use to refer to Dex. If a
+ # path is provided, Dex's HTTP service will listen at a non-root URL.
+ issuer: https:///dex
+
+ # Expiration configuration for tokens, signing keys, etc.
+ expiry:
+ refreshTokens:
+ validIfNotUsedFor: "2160h" # 90 days
+ absoluteLifetime: "3960h" # 165 days
+
+ # This field is REQUIRED!
+ #
+ # The storage configuration determines where Dex stores its state.
+ # See the documentation (https://dexidp.io/docs/storage/) for further information.
+ storage:
+ type: memory
+
+ # This field is REQUIRED!
+ #
+ # Attention:
+ # Do not change this field and its values.
+ # This field is required for internal Kubeshark-to-Dex communication.
+ #
+ # HTTP service configuration
+ web:
+ http: 0.0.0.0:5556
+
+ # This field is REQUIRED!
+ #
+ # Attention:
+ # Do not change this field and its values.
+ # This field is required for internal Kubeshark-to-Dex communication.
+ #
+ # Telemetry configuration
+ telemetry:
+ http: 0.0.0.0:5558
+
+ # This field is REQUIRED!
+ #
+ # Static clients registered in Dex by default.
+ staticClients:
+ - id: kubeshark
+ secret: create your own client password
+ name: Kubeshark
+ redirectURIs:
+ - https:///api/oauth2/callback
+
+ # Enable the password database.
+ # It's a "virtual" connector (identity provider) that stores
+ # login credentials in Dex's store.
+ enablePasswordDB: true
+
+ # Connectors are used to authenticate users against upstream identity providers.
+ # See the documentation (https://dexidp.io/docs/connectors/) for further information.
+ #
+ # Attention:
+ # When you define a new connector, `config.redirectURI` must be:
+ # https:///dex/callback
+ #
+ # Example with Google connector:
+ # connectors:
+ # - type: google
+ # id: google
+ # name: Google
+ # config:
+ # clientID: your Google Cloud Auth app client ID
+ # clientSecret: your Google Auth app client ID
+ # redirectURI: https:///dex/callback
+ connectors: []
+```
diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml
index d8586d8be..1644bf450 100644
--- a/helm-chart/templates/06-front-deployment.yaml
+++ b/helm-chart/templates/06-front-deployment.yaml
@@ -26,12 +26,16 @@ spec:
- env:
- name: REACT_APP_AUTH_ENABLED
value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
- "false"
- {{- else -}}
- {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
- {{- end }}'
+ {{ (and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false }}
+ {{- else -}}
+ {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
+ {{- end }}'
- name: REACT_APP_AUTH_TYPE
- value: '{{ not (eq .Values.tap.auth.type "") | ternary (.Values.cloudLicenseEnabled | ternary "oidc" .Values.tap.auth.type) " " }}'
+ value: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
+ default
+ {{- else -}}
+ {{ .Values.tap.auth.type }}
+ {{- end }}'
- name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
- name: REACT_APP_TIMEZONE
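Review bot: The rewritten `REACT_APP_AUTH_TYPE` drops the `" "` fallback the removed line had, so with `cloudLicenseEnabled: false` and `tap.auth.type: ""` the env value is now an empty string, while the untouched `REACT_APP_AUTH_SAML_IDP_METADATA_URL` two lines below still substitutes `" "` for an empty value; if the front end relied on the non-empty placeholder this is a behaviour change worth confirming, and either way the two variables now follow different conventions. Separately, `ternary true false` applied to the boolean result of `and ...` in the new `REACT_APP_AUTH_ENABLED` branch is a no-op; `{{ and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex") }}` renders the same `true`/`false`. The same redundant ternary appears in the `AUTH_ENABLED` hunk of `helm-chart/templates/12-config-map.yaml`.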
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index b7cc221c2..c71b84e30 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -68,6 +68,9 @@ spec:
- /hostproc
{{- if .Values.tap.resourceGuard.enabled }}
- -enable-resource-guard
+ {{- end }}
+ {{- if .Values.tap.watchdog.enabled }}
+ - -enable-watchdog
{{- end }}
- -resolution-strategy
- '{{ .Values.tap.misc.resolutionStrategy }}'
diff --git a/helm-chart/templates/11-nginx-config-map.yaml b/helm-chart/templates/11-nginx-config-map.yaml
index 22e085059..86323c710 100644
--- a/helm-chart/templates/11-nginx-config-map.yaml
+++ b/helm-chart/templates/11-nginx-config-map.yaml
@@ -20,8 +20,8 @@ data:
client_header_buffer_size 32k;
large_client_header_buffers 8 64k;
- location /api {
- rewrite ^/api(.*)$ $1 break;
+ location {{ default "" (((.Values.tap).routing).front).basePath }}/api {
+ rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/api(.*)$ $1 break;
proxy_pass http://kubeshark-hub;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
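Review bot: `basePath` is spliced unescaped into a regex on the new `rewrite` line while the `location` line above uses it as a literal prefix, so a value containing regex metacharacters (`.`, `+`, `$`, `(`) matches differently in the two places or breaks the nginx config outright, and nothing in the chart enforces the leading slash the README demands. Sprig's `regexQuoteMeta` fixes the regex side: `rewrite ^{{ regexQuoteMeta (default "" (((.Values.tap).routing).front).basePath) }}/api(.*)$ $1 break;`. The same applies to the `/saml` rewrite in the next hunk and to the `/dex` and base-path rewrites in the third hunk of this file. A `fail` when the value is non-empty and does not start with `/` would catch the documented requirement at render time.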
@@ -35,8 +35,8 @@ data:
proxy_pass_request_headers on;
}
- location /saml {
- rewrite ^/saml(.*)$ /saml$1 break;
+ location {{ default "" (((.Values.tap).routing).front).basePath }}/saml {
+ rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/saml(.*)$ /saml$1 break;
proxy_pass http://kubeshark-hub;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
@@ -46,6 +46,34 @@ data:
proxy_pass_request_headers on;
}
+{{- if .Values.tap.auth.dexConfig }}
+ location /dex {
+ rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/dex(.*)$ /dex$1 break;
+ proxy_pass http://kubeshark-dex;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade websocket;
+ proxy_set_header Connection Upgrade;
+ proxy_set_header Authorization $http_authorization;
+ proxy_pass_header Authorization;
+ proxy_connect_timeout 4s;
+ proxy_read_timeout 120s;
+ proxy_send_timeout 12s;
+ proxy_pass_request_headers on;
+ }
+{{- end }}
+
+{{- if (((.Values.tap).routing).front).basePath }}
+ location {{ .Values.tap.routing.front.basePath }} {
+ rewrite ^{{ .Values.tap.routing.front.basePath }}(.*)$ $1 break;
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ try_files $uri $uri/ /index.html;
+ expires -1;
+ add_header Cache-Control no-cache;
+ }
+{{- end }}
+
location / {
root /usr/share/nginx/html;
index index.html index.htm;
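Review bot: The new `location /dex {` lacks the `basePath` prefix that its own `rewrite ^{{ default "" ... }}/dex(.*)$` expects, so with a non-empty base path a request to `<basePath>/dex/...` never matches this block and falls through to the `location {{ .Values.tap.routing.front.basePath }}` SPA block, while a plain `/dex/...` request matches the location but fails the rewrite regex; only an empty base path, where the rewrite is an identity, hides the mismatch. Use `location {{ default "" (((.Values.tap).routing).front).basePath }}/dex {` to mirror the `/api` and `/saml` blocks. The README in this diff documents the issuer and callback URLs as `/dex` directly under the ingress host with no base path, so whichever behaviour is intended, docs and template should agree.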
diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml
index 47ece8d77..6239aaa88 100644
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@@ -18,14 +18,21 @@ data:
INGRESS_HOST: '{{ .Values.tap.ingress.host }}'
PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}'
AUTH_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
- "false"
+ {{ and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex") | ternary true false }}
{{- else -}}
{{ .Values.cloudLicenseEnabled | ternary "true" (.Values.tap.auth.enabled | ternary "true" "") }}
{{- end }}'
- AUTH_TYPE: '{{ .Values.cloudLicenseEnabled | ternary "oidc" (.Values.tap.auth.type) }}'
+ AUTH_TYPE: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
+ default
+ {{- else -}}
+ {{ .Values.tap.auth.type }}
+ {{- end }}'
AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
+ AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
+ AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
+ AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
{{- if .Values.demoModeEnabled -}}
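Review bot: `AUTH_OIDC_ISSUER` falls back to the literal string `not set`, which is not a URL and obliges the hub to compare against that exact sentinel to detect an unconfigured issuer; the regenerated `manifests/complete.yaml` in this diff shows the sentinel reaching the ConfigMap. Rendering an empty string, or failing the render when Dex auth is selected, is less error-prone: `AUTH_OIDC_ISSUER: '{{ if eq .Values.tap.auth.type "dex" }}{{ required "tap.auth.dexOidc.issuer is required when tap.auth.type is dex" (((.Values.tap).auth).dexOidc).issuer }}{{ end }}'`. The `OIDC_CLIENT_ID`/`OIDC_CLIENT_SECRET` entries added to `13-secret.yaml` use the same `not set` sentinel and would benefit from the same treatment.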
diff --git a/helm-chart/templates/13-secret.yaml b/helm-chart/templates/13-secret.yaml
index ab7f69630..d5093d8c8 100644
--- a/helm-chart/templates/13-secret.yaml
+++ b/helm-chart/templates/13-secret.yaml
@@ -9,6 +9,8 @@ metadata:
stringData:
LICENSE: '{{ .Values.license }}'
SCRIPTING_ENV: '{{ .Values.scripting.env | toJson }}'
+ OIDC_CLIENT_ID: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientId }}'
+ OIDC_CLIENT_SECRET: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientSecret }}'
---
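Review bot: `OIDC_CLIENT_SECRET` is read from `tap.auth.dexOidc.clientSecret`, a value the README in this diff says must be kept identical by hand to `tap.auth.dexConfig.staticClients -> secret`; when `tap.auth.dexConfig` is present the chart could derive it from the static client entry instead, so the two copies cannot drift. The `getDexKubesharkStaticClientSecret` helper added to `_helpers.tpl` in this diff looks built for exactly that, but nothing here calls it. A single line such as `OIDC_CLIENT_SECRET: '{{ default (((.Values.tap).auth).dexOidc).clientSecret (include "getDexKubesharkStaticClientSecret" (dict "clientId" (((.Values.tap).auth).dexOidc).clientId "clients" (((.Values.tap).auth).dexConfig).staticClients)) }}'` would prefer the static-client value and fall back to the explicit one.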
diff --git a/helm-chart/templates/17-network-policies.yaml b/helm-chart/templates/17-network-policies.yaml
index 276acd2db..9235daf75 100644
--- a/helm-chart/templates/17-network-policies.yaml
+++ b/helm-chart/templates/17-network-policies.yaml
@@ -53,6 +53,31 @@ spec:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
+metadata:
+ labels:
+ {{- include "kubeshark.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.tap.annotations }}
+ {{- toYaml .Values.tap.annotations | nindent 4 }}
+ {{- end }}
+ name: kubeshark-dex-network-policy
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubeshark.co/app: dex
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 5556
+ egress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
metadata:
labels:
{{- include "kubeshark.labels" . | nindent 4 }}
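Review bot: The new `kubeshark-dex-network-policy` is rendered unconditionally, whereas the Dex Deployment, Service and Secret added in this diff are all wrapped in `{{- if .Values.tap.auth.dexConfig }}`; the regenerated `manifests/complete.yaml` confirms the policy appears with default values even though no Dex pod exists. Wrap this policy in the same guard. The ingress rule also carries no `from:`, so any pod in the cluster may reach Dex on 5556; the only Dex client visible in this diff is the front nginx (`proxy_pass http://kubeshark-dex`), so a `from:` with a `podSelector` on the front (and hub, if it calls the issuer directly) labels would narrow the exposure.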
diff --git a/helm-chart/templates/18-dex-deployment.yaml b/helm-chart/templates/18-dex-deployment.yaml
new file mode 100644
index 000000000..ea2d07f73
--- /dev/null
+++ b/helm-chart/templates/18-dex-deployment.yaml
@@ -0,0 +1,116 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubeshark.co/app: dex
+ {{- include "kubeshark.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.tap.annotations }}
+ {{- toYaml .Values.tap.annotations | nindent 4 }}
+ {{- end }}
+ name: {{ include "kubeshark.name" . }}-dex
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1 # Set the desired number of replicas
+ selector:
+ matchLabels:
+ app.kubeshark.co/app: dex
+ {{- include "kubeshark.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app.kubeshark.co/app: dex
+ {{- include "kubeshark.labels" . | nindent 8 }}
+ spec:
+ containers:
+ - name: kubeshark-dex
+ image: 'dexidp/dex:v2.42.0-alpine'
+ ports:
+ - name: http
+ containerPort: 5556
+ protocol: TCP
+ - name: telemetry
+ containerPort: 5558
+ protocol: TCP
+ args:
+ - dex
+ - serve
+ - /etc/dex/dex-config.yaml
+ imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+ volumeMounts:
+ - name: dex-secret-conf-volume
+ mountPath: /etc/dex/dex-config.yaml
+ subPath: dex-config.yaml
+ readOnly: true
+ livenessProbe:
+ httpGet:
+ path: /healthz/live
+ port: 5558
+ periodSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ initialDelaySeconds: 3
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 5558
+ periodSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ initialDelaySeconds: 3
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 750m
+ memory: 1Gi
+ requests:
+ cpu: 50m
+ memory: 50Mi
+ {{- if .Values.tap.docker.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.tap.docker.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- if gt (len .Values.tap.nodeSelectorTerms.dex) 0}}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ {{- toYaml .Values.tap.nodeSelectorTerms.dex | nindent 12 }}
+{{- end }}
+ {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
+ dnsConfig:
+ {{- if .Values.tap.dns.nameservers }}
+ nameservers:
+ {{- range .Values.tap.dns.nameservers }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.tap.dns.searches }}
+ searches:
+ {{- range .Values.tap.dns.searches }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.tap.dns.options }}
+ options:
+ {{- range .Values.tap.dns.options }}
+ - name: {{ .name | quote }}
+ {{- if .value }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: dex-secret-conf-volume
+ secret:
+ secretName: kubeshark-dex-conf-secret
+ dnsPolicy: ClusterFirstWithHostNet
+ serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+
+{{- end }}
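Review bot: The Dex pod runs under `{{ include "kubeshark.serviceAccountName" . }}`, the ServiceAccount the rendered `manifests/complete.yaml` suggests is bound to `kubeshark-cluster-role-default`, but `dex serve /etc/dex/dex-config.yaml` needs no Kubernetes API access unless `dexConfig.storage.type` is `kubernetes` (the README in this diff defaults it to `memory`); a dedicated ServiceAccount, or at least `automountServiceAccountToken: false` on the pod spec, keeps that token out of the IdP container. The container also has no `securityContext`; the baseline below is the usual hardening (the upstream `dexidp/dex` image runs as a non-root user as far as I recall, and `readOnlyRootFilesystem` should be dropped if the chosen storage backend writes to disk — verify both). `dnsPolicy: ClusterFirstWithHostNet` is set without `hostNetwork: true`, which behaves like `ClusterFirst` and reads as a copy-paste from the worker DaemonSet.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubeshark-dex
          # … unchanged: image, ports, args, imagePullPolicy, volumeMounts, probes, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      # … unchanged: imagePullSecrets, affinity, dnsConfig, volumes, serviceAccountName …
```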
diff --git a/helm-chart/templates/19-dex-service.yaml b/helm-chart/templates/19-dex-service.yaml
new file mode 100644
index 000000000..f10db2423
--- /dev/null
+++ b/helm-chart/templates/19-dex-service.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubeshark.co/app: dex
+ {{- include "kubeshark.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.tap.annotations }}
+ {{- toYaml .Values.tap.annotations | nindent 4 }}
+ {{- end }}
+ name: kubeshark-dex
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: kubeshark-dex
+ port: 80
+ targetPort: 5556
+ selector:
+ app.kubeshark.co/app: dex
+ type: ClusterIP
+
+{{- end }}
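Review bot: The Service `selector` matches on `app.kubeshark.co/app: dex` alone, while the Deployment in `18-dex-deployment.yaml` selects on that label plus `{{ include "kubeshark.selectorLabels" . }}`; two releases in one namespace would both become endpoints of this Service. Add `{{- include "kubeshark.selectorLabels" . | nindent 4 }}` under `selector:`. The Service is also named literally `kubeshark-dex` while the Deployment is `{{ include "kubeshark.name" . }}-dex`; the nginx `proxy_pass http://kubeshark-dex` in this diff depends on the literal, so the two naming schemes should be reconciled deliberately rather than left to coincide.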
diff --git a/helm-chart/templates/20-dex-secret.yaml b/helm-chart/templates/20-dex-secret.yaml
new file mode 100644
index 000000000..6355b57d4
--- /dev/null
+++ b/helm-chart/templates/20-dex-secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+kind: Secret
+apiVersion: v1
+metadata:
+ name: kubeshark-dex-conf-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubeshark.co/app: hub
+ {{- include "kubeshark.labels" . | nindent 4 }}
+data:
+ dex-config.yaml: {{ .Values.tap.auth.dexConfig | toYaml | b64enc | quote }}
+
+{{- end }}
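Review bot: The Secret is labelled `app.kubeshark.co/app: hub`, but it holds the Dex configuration and is mounted only by the Dex Deployment; every other Dex object in this diff uses `app.kubeshark.co/app: dex`, so this looks copied from `13-secret.yaml` and would be picked up by anything selecting on the hub label. Change it to `app.kubeshark.co/app: dex`. Since `dexConfig` is serialised whole, connector credentials and static-client secrets all land in this one object — the right resource type, but worth stating in the README so operators know where the full IdP config lives.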
diff --git a/helm-chart/templates/NOTES.txt b/helm-chart/templates/NOTES.txt
index 8b91df42d..b1a6a1d72 100644
--- a/helm-chart/templates/NOTES.txt
+++ b/helm-chart/templates/NOTES.txt
@@ -34,7 +34,7 @@ Notices:
{{ if .Values.tap.ingress.enabled }}
You can now access the application through the following URL:
-http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }}
+http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }}{{ default "" (((.Values.tap).routing).front).basePath }}/
{{- else }}
To access the application, follow these steps:
@@ -44,6 +44,6 @@ To access the application, follow these steps:
kubectl port-forward -n {{ .Release.Namespace }} service/kubeshark-front 8899:80
2. Once port forwarding is done, you can access the application by visiting the following URL in your web browser:
- http://0.0.0.0:8899
+ http://0.0.0.0:8899{{ default "" (((.Values.tap).routing).front).basePath }}/
{{- end }}
diff --git a/helm-chart/templates/_helpers.tpl b/helm-chart/templates/_helpers.tpl
index 887a6cc7c..0230d06f6 100644
--- a/helm-chart/templates/_helpers.tpl
+++ b/helm-chart/templates/_helpers.tpl
@@ -86,3 +86,15 @@ Set sentry based on internet connectivity and telemetry
{{- end -}}
{{- $sentryEnabledVal -}}
{{- end -}}
+
+{{/*
+Dex IdP: retrieve a secret for static client with a specific ID
+*/}}
+{{- define "getDexKubesharkStaticClientSecret" -}}
+ {{- $clientId := .clientId -}}
+ {{- range .clients }}
+ {{- if eq .id $clientId }}
+ {{- .secret }}
+ {{- end }}
+ {{- end }}
+{{- end }}
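Review bot: `getDexKubesharkStaticClientSecret` returns an empty string when no entry in `.clients` has the requested `id`, and concatenates the secrets if several entries share it, so a misconfigured `staticClients` list yields a blank or merged secret with no render-time signal. Tracking a match in a `$found` variable and calling `fail` after the loop when nothing matched would surface the misconfiguration. As far as this diff shows, no template calls the helper yet, so it should either be wired in where the client secret is consumed or dropped until it is.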
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 834b13c8d..97342ca36 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -131,12 +131,17 @@ tap:
host: ks.svc.cluster.local
tls: []
annotations: {}
+ routing:
+ front:
+ basePath: ""
ipv6: true
debug: false
telemetry:
enabled: true
resourceGuard:
enabled: false
+ watchdog:
+ enabled: true
sentry:
enabled: false
environment: production
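Review bot: `tap.watchdog.enabled` is introduced with default `true` (mirrored by the `default:"true"` tag on `WatchdogConfig.Enabled` in `tapConfig.go`), but the README parameter table changed in this diff gains a row only for `tap.routing.front.basePath`, so the new worker flag is undocumented for chart users. Add a row for `tap.watchdog.enabled` next to `tap.resourceGuard.enabled`, stating that it passes `-enable-watchdog` to the worker and defaults to `true`. Since this is on by default, the description should also say what the watchdog does, which this diff does not reveal.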
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index ff5739386..7eb95606d 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@@ -4,10 +4,10 @@ apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-hub-network-policy
@@ -34,10 +34,10 @@ apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-front-network-policy
@@ -61,10 +61,37 @@ apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ name: kubeshark-dex-network-policy
+ namespace: default
+spec:
+ podSelector:
+ matchLabels:
+ app.kubeshark.co/app: dex
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 5556
+ egress:
+ - {}
+---
+# Source: kubeshark/templates/17-network-policies.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ helm.sh/chart: kubeshark-52.6
+ app.kubernetes.io/name: kubeshark
+ app.kubernetes.io/instance: kubeshark
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-worker-network-policy
@@ -90,10 +117,10 @@ apiVersion: v1
kind: ServiceAccount
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-service-account
@@ -107,14 +134,16 @@ metadata:
namespace: default
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
stringData:
LICENSE: ''
SCRIPTING_ENV: '{}'
+ OIDC_CLIENT_ID: 'not set'
+ OIDC_CLIENT_SECRET: 'not set'
---
# Source: kubeshark/templates/13-secret.yaml
kind: Secret
@@ -124,10 +153,10 @@ metadata:
namespace: default
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
stringData:
AUTH_SAML_X509_CRT: |
@@ -140,10 +169,10 @@ metadata:
namespace: default
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
stringData:
AUTH_SAML_X509_KEY: |
@@ -155,10 +184,10 @@ metadata:
name: kubeshark-nginx-config-map
namespace: default
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
data:
default.conf: |
@@ -219,10 +248,10 @@ metadata:
namespace: default
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
data:
POD_REGEX: '.*'
@@ -236,10 +265,13 @@ data:
INGRESS_HOST: 'ks.svc.cluster.local'
PROXY_FRONT_PORT: '8899'
AUTH_ENABLED: 'true'
- AUTH_TYPE: 'oidc'
+ AUTH_TYPE: 'default'
AUTH_SAML_IDP_METADATA_URL: ''
AUTH_SAML_ROLE_ATTRIBUTE: 'role'
AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}'
+ AUTH_OIDC_ISSUER: 'not set'
+ AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '3960h'
+ AUTH_OIDC_STATE_PARAM_EXPIRY: '10m'
TELEMETRY_DISABLED: 'false'
SCRIPTING_DISABLED: 'false'
TARGETED_PODS_UPDATE_DISABLED: ''
@@ -271,10 +303,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-cluster-role-default
@@ -319,10 +351,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-cluster-role-binding-default
@@ -341,10 +373,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-self-config-role
@@ -371,10 +403,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-self-config-role-binding
@@ -394,10 +426,10 @@ kind: Service
metadata:
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-hub
@@ -416,10 +448,10 @@ apiVersion: v1
kind: Service
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-front
@@ -438,10 +470,10 @@ kind: Service
apiVersion: v1
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
prometheus.io/scrape: 'true'
@@ -451,10 +483,10 @@ metadata:
spec:
selector:
app.kubeshark.co/app: worker
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
ports:
- name: metrics
@@ -467,10 +499,10 @@ kind: Service
apiVersion: v1
metadata:
labels:
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
prometheus.io/scrape: 'true'
@@ -480,10 +512,10 @@ metadata:
spec:
selector:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
ports:
- name: metrics
@@ -498,10 +530,10 @@ metadata:
labels:
app.kubeshark.co/app: worker
sidecar.istio.io/inject: "false"
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-worker-daemon-set
@@ -516,10 +548,10 @@ spec:
metadata:
labels:
app.kubeshark.co/app: worker
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
name: kubeshark-worker-daemon-set
namespace: kubeshark
@@ -529,7 +561,7 @@ spec:
- /bin/sh
- -c
- mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
- image: 'docker.io/kubeshark/worker:v52.5'
+ image: 'docker.io/kubeshark/worker:v52.6'
imagePullPolicy: Always
name: mount-bpf
securityContext:
@@ -554,11 +586,12 @@ spec:
- -servicemesh
- -procfs
- /hostproc
+ - -enable-watchdog
- -resolution-strategy
- 'auto'
- -staletimeout
- '30'
- image: 'docker.io/kubeshark/worker:v52.5'
+ image: 'docker.io/kubeshark/worker:v52.6'
imagePullPolicy: Always
name: sniffer
ports:
@@ -632,7 +665,7 @@ spec:
- -disable-tls-log
- -loglevel
- 'warning'
- image: 'docker.io/kubeshark/worker:v52.5'
+ image: 'docker.io/kubeshark/worker:v52.6'
imagePullPolicy: Always
name: tracer
env:
@@ -724,10 +757,10 @@ kind: Deployment
metadata:
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-hub
@@ -743,10 +776,10 @@ spec:
metadata:
labels:
app.kubeshark.co/app: hub
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
spec:
dnsPolicy: ClusterFirstWithHostNet
@@ -776,7 +809,7 @@ spec:
value: 'https://api.kubeshark.co'
- name: PROFILING_ENABLED
value: 'false'
- image: 'docker.io/kubeshark/hub:v52.5'
+ image: 'docker.io/kubeshark/hub:v52.6'
imagePullPolicy: Always
readinessProbe:
periodSeconds: 10
@@ -839,10 +872,10 @@ kind: Deployment
metadata:
labels:
app.kubeshark.co/app: front
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
annotations:
name: kubeshark-front
@@ -858,10 +891,10 @@ spec:
metadata:
labels:
app.kubeshark.co/app: front
- helm.sh/chart: kubeshark-52.5
+ helm.sh/chart: kubeshark-52.6
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
- app.kubernetes.io/version: "52.5"
+ app.kubernetes.io/version: "52.6"
app.kubernetes.io/managed-by: Helm
spec:
containers:
@@ -869,7 +902,7 @@ spec:
- name: REACT_APP_AUTH_ENABLED
value: 'true'
- name: REACT_APP_AUTH_TYPE
- value: 'oidc'
+ value: 'default'
- name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
value: ' '
- name: REACT_APP_TIMEZONE
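Review bot: The front deployment now advertises `REACT_APP_AUTH_TYPE: 'default'` while `REACT_APP_AUTH_ENABLED` stays `'true'` two lines above, and the first hunk of this file gives the hub `AUTH_OIDC_ISSUER: 'not set'` next to a `3960h` refresh-token lifetime; whether 'default' with auth enabled is a supported combination, and whether the literal string 'not set' is what the hub treats as an unconfigured issuer, is not evident from the manifest. If this file is rendered from the chart, the flip from 'oidc' to 'default' presumably reflects a changed chart default rather than a deliberate manifest edit, and the commit description should say so, since it changes which login flow a default install exposes. A 165-day refresh-token lifetime is long for a default; consider calling that out in the chart's values documentation so operators know to tighten it. The container spec continues outside the hunk.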
@@ -898,7 +931,7 @@ spec:
value: 'false'
- name: REACT_APP_SENTRY_ENVIRONMENT
value: 'production'
- image: 'docker.io/kubeshark/front:v52.5'
+ image: 'docker.io/kubeshark/front:v52.6'
imagePullPolicy: Always
name: kubeshark-front
livenessProbe: