From 0386e579062a25c5825b1ffc80cfb77664dcc6ab Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Mon, 24 Mar 2025 20:02:57 +0200 Subject: [PATCH 1/5] Add watchdog option (#1723) * add watchdog * Enable watchdog on sniffer --- cmd/tap.go | 1 + config/configStructs/tapConfig.go | 6 ++++++ helm-chart/templates/09-worker-daemon-set.yaml | 3 +++ helm-chart/values.yaml | 2 ++ 4 files changed, 12 insertions(+) diff --git a/cmd/tap.go b/cmd/tap.go index e4a9101b5..86ee058a2 100644 --- a/cmd/tap.go +++ b/cmd/tap.go @@ -61,4 +61,5 @@ func init() { tapCmd.Flags().Bool(configStructs.IngressEnabledLabel, defaultTapConfig.Ingress.Enabled, "Enable Ingress") tapCmd.Flags().Bool(configStructs.TelemetryEnabledLabel, defaultTapConfig.Telemetry.Enabled, "Enable/disable Telemetry") tapCmd.Flags().Bool(configStructs.ResourceGuardEnabledLabel, defaultTapConfig.ResourceGuard.Enabled, "Enable/disable resource guard") + tapCmd.Flags().Bool(configStructs.WatchdogEnabled, defaultTapConfig.Watchdog.Enabled, "Enable/disable watchdog") } diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index 456f165a5..174a242d4 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -44,6 +44,7 @@ const ( PcapKubeconfig = "kubeconfig" PcapDumpEnabled = "enabled" PcapTime = "time" + WatchdogEnabled = "watchdogEnabled" ) type ResourceLimitsHub struct { @@ -209,6 +210,10 @@ type SentryConfig struct { Environment string `yaml:"environment" json:"environment" default:"production"` } +type WatchdogConfig struct { + Enabled bool `yaml:"enabled" json:"enabled" default:"true"` +} + type CapabilitiesConfig struct { NetworkCapture []string `yaml:"networkCapture" json:"networkCapture" default:"[]"` ServiceMeshCapture []string `yaml:"serviceMeshCapture" json:"serviceMeshCapture" default:"[]"` 
@@ -308,6 +313,7 @@ type TapConfig struct { Debug bool `yaml:"debug" json:"debug" default:"false"` Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"` ResourceGuard ResourceGuardConfig `yaml:"resourceGuard" json:"resourceGuard"` + Watchdog WatchdogConfig `yaml:"watchdog" json:"watchdog"` Sentry SentryConfig `yaml:"sentry" json:"sentry"` DefaultFilter string `yaml:"defaultFilter" json:"defaultFilter" default:"!dns and !error"` LiveConfigMapChangesDisabled bool `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"` diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml index b7cc221c2..c71b84e30 100644 --- a/helm-chart/templates/09-worker-daemon-set.yaml +++ b/helm-chart/templates/09-worker-daemon-set.yaml @@ -68,6 +68,9 @@ spec: - /hostproc {{- if .Values.tap.resourceGuard.enabled }} - -enable-resource-guard + {{- end }} + {{- if .Values.tap.watchdog.enabled }} + - -enable-watchdog {{- end }} - -resolution-strategy - '{{ .Values.tap.misc.resolutionStrategy }}' diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 834b13c8d..1c68a9cde 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -137,6 +137,8 @@ tap: enabled: true resourceGuard: enabled: false + watchdog: + enabled: true sentry: enabled: false environment: production From f85c7dfb4be51b83b4c341de4152dc3714b0e38b Mon Sep 17 00:00:00 2001 
From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com> Date: Mon, 24 Mar 2025 23:05:38 +0200 Subject: [PATCH 2/5] :sparkles: OIDC support (Dex IdP) (#1722) * :wrench: Create dex config-map * :wrench: Create dex deployment * :wrench: Create dex service * :wrench: Create dex network policy * :wrench: Create dex network policy * :wrench: Add dex node selector terms * :wrench: Add a kubeshark-hub static client to dex config * :bug: Use correct redirect URI for `kubeshark-hub` client * :art: Remove unused/commented dex config options * :hammer: Create a helper template to pick Kubeshark client secret * :wrench: Adjust front deployment env to allow `dex` auth type * :wrench: Adjust configmap to allow `dex` auth type * :wrench: Create k8s secret to store dex yaml config * :wrench: Mount dex-yaml-conf secret into `dex-config.yaml` * :fire: Remove sample env var * :wrench: Create k8s config keys for Dex expiry settings * :wrench: Create k8s secret key for Dex client secret * :wrench: Deploy Dex resources if Dex auth is enabled * :wrench: Move `oauth2StateParamExpiry` under `customSettings` * :memo: Add basic helm-values docs to set up Dex auth * :sparkles: Separate Dex OIDC app settings from configuration * :memo: Update Dex documentation * :memo: Update Dex IdP documentation * :safety_vest: Add fallback value for OIDC issuer config * :safety_vest: Add fallback values for OIDC client ID/secret * :memo: Update Dex IdP documentation * :memo: Update Dex IdP documentation * :memo: Add reference to OIDC docs at `docs.kubeshark.co` --------- Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com> --- helm-chart/README.md | 225 +++++++++++++++++- helm-chart/templates/06-front-deployment.yaml | 14 +- helm-chart/templates/11-nginx-config-map.yaml | 17 +- helm-chart/templates/12-config-map.yaml | 11 +- helm-chart/templates/13-secret.yaml | 2 + helm-chart/templates/17-network-policies.yaml | 25 ++ helm-chart/templates/18-dex-deployment.yaml | 116 
+++++++++ helm-chart/templates/19-dex-service.yaml | 25 ++ helm-chart/templates/20-dex-secret.yaml | 14 ++ helm-chart/templates/_helpers.tpl | 12 + helm-chart/values.yaml | 6 + 11 files changed, 458 insertions(+), 9 deletions(-) create mode 100644 helm-chart/templates/18-dex-deployment.yaml create mode 100644 helm-chart/templates/19-dex-service.yaml create mode 100644 helm-chart/templates/20-dex-secret.yaml diff --git a/helm-chart/README.md b/helm-chart/README.md index f3ec71252..4d0a16ffe 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md @@ -228,7 +228,7 @@ KernelMapping pairs kernel versions with a DriverContainer image. Kernel versions can be matched literally or using a regular expression -## Installing with SAML enabled +# Installing with SAML enabled ### Prerequisites: @@ -293,3 +293,226 @@ tap: UaV5sbRtTzYLxpOSQyi8CEFA+A== -----END PRIVATE KEY----- ``` + +# Installing with Dex OIDC authentication + +[**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp). + +Choose this option, if **you already have a running instance** of Dex in your cluster & +you want to set up Dex OIDC authentication for Kubeshark users. + +Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/). +Dex is an abstraction layer designed for integrating a wide variety of Identity Providers. + +**Requirement:** +Your Dex IdP must have a publicly accessible URL. + +### Pre-requisites: + +**1. If you configured Ingress for Kubeshark:** + +(see section: "Installing with Ingress (EKS) enabled") + +OAuth2 callback URL is:
+`https:///api/oauth2/callback` + +**2. If you did not configure Ingress for Kubeshark:** + +OAuth2 callback URL is:
+`http://0.0.0.0:8899/api/oauth2/callback` + +Use chosen OAuth2 callback URL to replace `` in Step 3. + +**3. Add this static client to your Dex IdP configuration (`config.yaml`):** +```yaml +staticClients: + - id: kubeshark + secret: create your own client password + name: Kubeshark + redirectURIs: + - https:///api/oauth2/callback +``` + +**Final step:** + +Add these helm values to set up OIDC authentication powered by your Dex IdP: + +```yaml +# values.yaml + +tap: + auth: + enabled: true + type: dex + dexOidc: + issuer: + clientId: kubeshark + clientSecret: create your own client password + refreshTokenLifetime: "3960h" # 165 days + oauth2StateParamExpiry: "10m" +``` + +Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled. + +--- + +# Installing your own Dex IdP along with Kubeshark + +Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & +set up Dex OIDC authentication for Kubeshark users. + +Depending on Ingress enabled/disabled, your Dex configuration might differ. + +**Requirement:** +Please, configure Ingress using `tap.ingress` for your Kubeshark installation. 
For example: + +```yaml +tap: + ingress: + enabled: true + className: "alb" + host: ks.example.com + tls: [] + annotations: + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c + alb.ingress.kubernetes.io/target-type: ip + alb.ingress.kubernetes.io/scheme: internet-facing +``` + +The following Dex settings will have these values: + +| Setting | Value | +|-------------------------------------------------------|----------------------------------------------| +| `tap.auth.dexOidc.issuer` | `https://ks.example.com/dex` | +| `tap.auth.dexConfig.issuer` | `https://ks.example.com/dex` | +| `tap.auth.dexConfig.staticClients -> redirectURIs` | `https://ks.example.com/api/oauth2/callback` | +| `tap.auth.dexConfig.connectors -> config.redirectURI` | `https://ks.example.com/dex/callback` | + +--- + +### Before proceeding with Dex IdP installation: + +Please, make sure to prepare the following things first. + +1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. + - i.e. how many kind of "Log in with ..." options you'd like to offer your users + - You will need to specify connectors in `tap.auth.dexConfig.connectors` +2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. + - You will need to specify storage settings in `tap.auth.dexConfig.storage` + - default: `memory` +3. Decide on the OAuth2 `?state=` param expiration time: + - field: `tap.auth.dexOidc.oauth2StateParamExpiry` + - default: `10m` (10 minutes) + - valid time units are `s`, `m`, `h` +4. Decide on the refresh token expiration: + - field 1: `tap.auth.dexOidc.expiry.refreshTokenLifetime` + - field 2: `tap.auth.dexConfig.expiry.refreshTokens.absoluteLifetime` + - default: `3960h` (165 days) + - valid time units are `s`, `m`, `h` +5. 
Create a unique & secure password to set in these fields: + - field 1: `tap.auth.dexOidc.clientSecret` + - field 2: `tap.auth.dexConfig.staticClients -> secret` + - password must be the same for these 2 fields +6. Discover more possibilities of **[Dex Configuration](https://dexidp.io/docs/configuration/)** + - if you decide to include more configuration options, make sure to add them into `tap.auth.dexConfig` +--- + +### Once you are ready with all the points described above: + +Use these helm `values.yaml` fields to: +- Deploy your own instance of Dex IdP along with Kubeshark +- Enable OIDC authentication for Kubeshark users + +Make sure to: +- Replace `` with a correct Kubeshark Ingress host (`tap.auth.ingress.host`). + - refer to section **Installing with Ingress (EKS) enabled** to find out how you can configure Ingress host. + +Helm `values.yaml`: +```yaml +tap: + auth: + enabled: true + type: dex + dexOidc: + issuer: https:///dex + + # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret` + clientId: kubeshark + clientSecret: create your own client password + + refreshTokenLifetime: "3960h" # 165 days + oauth2StateParamExpiry: "10m" + dexConfig: + # This field is REQUIRED! + # + # The base path of Dex and the external name of the OpenID Connect service. + # This is the canonical URL that all clients MUST use to refer to Dex. If a + # path is provided, Dex's HTTP service will listen at a non-root URL. + issuer: https:///dex + + # Expiration configuration for tokens, signing keys, etc. + expiry: + refreshTokens: + validIfNotUsedFor: "2160h" # 90 days + absoluteLifetime: "3960h" # 165 days + + # This field is REQUIRED! + # + # The storage configuration determines where Dex stores its state. + # See the documentation (https://dexidp.io/docs/storage/) for further information. + storage: + type: memory + + # This field is REQUIRED! + # + # Attention: + # Do not change this field and its values. 
+ # This field is required for internal Kubeshark-to-Dex communication. + # + # HTTP service configuration + web: + http: 0.0.0.0:5556 + + # This field is REQUIRED! + # + # Attention: + # Do not change this field and its values. + # This field is required for internal Kubeshark-to-Dex communication. + # + # Telemetry configuration + telemetry: + http: 0.0.0.0:5558 + + # This field is REQUIRED! + # + # Static clients registered in Dex by default. + staticClients: + - id: kubeshark + secret: create your own client password + name: Kubeshark + redirectURIs: + - https:///api/oauth2/callback + + # Enable the password database. + # It's a "virtual" connector (identity provider) that stores + # login credentials in Dex's store. + enablePasswordDB: true + + # Connectors are used to authenticate users against upstream identity providers. + # See the documentation (https://dexidp.io/docs/connectors/) for further information. + # + # Attention: + # When you define a new connector, `config.redirectURI` must be: + # https:///dex/callback + # + # Example with Google connector: + # connectors: + # - type: google + # id: google + # name: Google + # config: + # clientID: your Google Cloud Auth app client ID + # clientSecret: your Google Auth app client ID + # redirectURI: https:///dex/callback + connectors: [] +``` diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml index d8586d8be..1644bf450 100644 --- a/helm-chart/templates/06-front-deployment.yaml +++ b/helm-chart/templates/06-front-deployment.yaml 
@@ -26,12 +26,16 @@ spec: - env: - name: REACT_APP_AUTH_ENABLED value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}} - "false" - {{- else -}} - {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }} - {{- end }}' + {{ (and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false }} + {{- else -}} + {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }} + {{- end }}' - name: REACT_APP_AUTH_TYPE - value: '{{ not (eq .Values.tap.auth.type "") | ternary (.Values.cloudLicenseEnabled | ternary "oidc" .Values.tap.auth.type) " " }}' + value: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}} + default + {{- else -}} + {{ .Values.tap.auth.type }} + {{- end }}' - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}' - name: REACT_APP_TIMEZONE diff --git a/helm-chart/templates/11-nginx-config-map.yaml b/helm-chart/templates/11-nginx-config-map.yaml index 22e085059..70a5cecd5 100644 --- a/helm-chart/templates/11-nginx-config-map.yaml +++ b/helm-chart/templates/11-nginx-config-map.yaml @@ -45,7 +45,22 @@ data: proxy_send_timeout 12s; proxy_pass_request_headers on; } - +{{- if .Values.tap.auth.dexConfig }} + location /dex { + rewrite ^/dex(.*)$ /dex$1 break; + proxy_pass http://kubeshark-dex; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header Upgrade websocket; + proxy_set_header Connection Upgrade; + proxy_set_header Authorization $http_authorization; + proxy_pass_header Authorization; + proxy_connect_timeout 4s; + proxy_read_timeout 120s; + proxy_send_timeout 12s; + proxy_pass_request_headers on; + } +{{- end }} location / { root /usr/share/nginx/html; index index.html index.htm; 
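Review bot: The Dex exception added to `REACT_APP_AUTH_ENABLED` repeats logic that 12-config-map.yaml also gains for `AUTH_ENABLED`, but the two outer conditions differ: this one also fires on `not .Values.internetConnectivity`, the config-map one does not. With `internetConnectivity: false`, no license, `tap.auth.enabled: true` and a non-Dex type, the front end renders `false` while the hub renders `true`, so the two components disagree about whether authentication is on. I would move the decision into one named template in `_helpers.tpl` and include it from both files, with a template comment explaining why only `dex` keeps auth on in the licensed/offline branch. The trailing `| ternary true false` is applied to a value that is already boolean and can be dropped.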
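Review bot: The new `location /dex` block appears to be copied from the hub proxy blocks and carries directives an OIDC provider does not need: `proxy_set_header Upgrade websocket;` and `proxy_set_header Connection Upgrade;` are forced onto every request, and `rewrite ^/dex(.*)$ /dex$1 break;` rewrites the URI to itself. Forcing upgrade headers on ordinary requests to the identity provider is at best noise and at worst changes how intermediaries treat the connection, so I would delete those three lines. The prefix `location /dex` also matches unrelated paths such as `/dexfoo`; `location /dex/ {` limits the proxy to Dex's own path space, assuming no client requests the bare `/dex`.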
diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml index 175a1b03b..3cf3d7144 100644 --- a/helm-chart/templates/12-config-map.yaml +++ b/helm-chart/templates/12-config-map.yaml @@ -18,14 +18,21 @@ data: INGRESS_HOST: '{{ .Values.tap.ingress.host }}' PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}' AUTH_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}} - "false" + {{ and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex") | ternary true false }} {{- else -}} {{ .Values.cloudLicenseEnabled | ternary "true" (.Values.tap.auth.enabled | ternary "true" "") }} {{- end }}' - AUTH_TYPE: '{{ .Values.cloudLicenseEnabled | ternary "oidc" (.Values.tap.auth.type) }}' + AUTH_TYPE: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}} + default + {{- else -}} + {{ .Values.tap.auth.type }} + {{- end }}' AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}' AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}' AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}' + AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}' + AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}' + AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}' TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}' SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}} {{- if .Values.demoModeEnabled -}} diff --git a/helm-chart/templates/13-secret.yaml b/helm-chart/templates/13-secret.yaml index d1c431c18..026567ed2 100644 --- a/helm-chart/templates/13-secret.yaml +++ b/helm-chart/templates/13-secret.yaml 
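Review bot: The `default "not set"` fallbacks let a Dex-enabled release render with placeholder values instead of failing: `AUTH_OIDC_ISSUER` in this hunk and, more seriously, `OIDC_CLIENT_ID` / `OIDC_CLIENT_SECRET` in 13-secret.yaml, where a forgotten `tap.auth.dexOidc.clientSecret` ships the literal string `not set` as the OAuth2 client secret. When `tap.auth.enabled` is true and `tap.auth.type` is `dex`, the chart should stop at render time, e.g. `{{ required "tap.auth.dexOidc.clientSecret is required when tap.auth.type is dex" .Values.tap.auth.dexOidc.clientSecret | quote }}`, and emit an empty value in every other mode. Piping through `quote` instead of wrapping the action in single quotes also keeps a secret that contains `'` from breaking the rendered YAML.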
@@ -9,6 +9,8 @@ metadata: stringData: LICENSE: '{{ .Values.license }}' SCRIPTING_ENV: '{{ .Values.scripting.env | toJson }}' + OIDC_CLIENT_ID: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientId }}' + OIDC_CLIENT_SECRET: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientSecret }}' --- diff --git a/helm-chart/templates/17-network-policies.yaml b/helm-chart/templates/17-network-policies.yaml index 276acd2db..9235daf75 100644 --- a/helm-chart/templates/17-network-policies.yaml +++ b/helm-chart/templates/17-network-policies.yaml @@ -53,6 +53,31 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + labels: + {{- include "kubeshark.labels" . | nindent 4 }} + annotations: + {{- if .Values.tap.annotations }} + {{- toYaml .Values.tap.annotations | nindent 4 }} + {{- end }} + name: kubeshark-dex-network-policy + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app.kubeshark.co/app: dex + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: 5556 + egress: + - {} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: labels: {{- include "kubeshark.labels" . | nindent 4 }} diff --git a/helm-chart/templates/18-dex-deployment.yaml b/helm-chart/templates/18-dex-deployment.yaml new file mode 100644 index 000000000..ea2d07f73 --- /dev/null +++ b/helm-chart/templates/18-dex-deployment.yaml 
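Review bot: `kubeshark-dex-network-policy` is not wrapped in `{{- if .Values.tap.auth.dexConfig }}` like the Dex Deployment, Service and Secret in this patch, so it is rendered for every install; the generated manifests/complete.yaml later in this series contains it. Its ingress rule lists only `ports` with no `from`, which admits TCP 5556 from any pod in any namespace, and `egress: - {}` allows all outbound traffic, so the policy constrains very little for the component that issues tokens. I would guard the document with the same `if`, add a `from` with a `podSelector` for the front pods that proxy `/dex` (their label is not visible in this hunk), and narrow egress to DNS plus the upstream identity providers where the deployment model allows it.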
@@ -0,0 +1,116 @@ +{{- if .Values.tap.auth.dexConfig }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubeshark.co/app: dex + {{- include "kubeshark.labels" . | nindent 4 }} + annotations: + {{- if .Values.tap.annotations }} + {{- toYaml .Values.tap.annotations | nindent 4 }} + {{- end }} + name: {{ include "kubeshark.name" . }}-dex + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 # Set the desired number of replicas + selector: + matchLabels: + app.kubeshark.co/app: dex + {{- include "kubeshark.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app.kubeshark.co/app: dex + {{- include "kubeshark.labels" . | nindent 8 }} + spec: + containers: + - name: kubeshark-dex + image: 'dexidp/dex:v2.42.0-alpine' + ports: + - name: http + containerPort: 5556 + protocol: TCP + - name: telemetry + containerPort: 5558 + protocol: TCP + args: + - dex + - serve + - /etc/dex/dex-config.yaml + imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }} + volumeMounts: + - name: dex-secret-conf-volume + mountPath: /etc/dex/dex-config.yaml + subPath: dex-config.yaml + readOnly: true + livenessProbe: + httpGet: + path: /healthz/live + port: 5558 + periodSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + initialDelaySeconds: 3 + readinessProbe: + httpGet: + path: /healthz/ready + port: 5558 + periodSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + initialDelaySeconds: 3 + timeoutSeconds: 1 + resources: + limits: + cpu: 750m + memory: 1Gi + requests: + cpu: 50m + memory: 50Mi + {{- if .Values.tap.docker.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.tap.docker.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- if gt (len .Values.tap.nodeSelectorTerms.dex) 0}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + {{- toYaml .Values.tap.nodeSelectorTerms.dex | nindent 12 }} +{{- end }} + {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }} + dnsConfig: + {{- if .Values.tap.dns.nameservers }} + nameservers: + {{- range .Values.tap.dns.nameservers }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.tap.dns.searches }} + searches: + {{- range .Values.tap.dns.searches }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.tap.dns.options }} + options: + {{- range .Values.tap.dns.options }} + - name: {{ .name | quote }} + {{- if .value }} + value: {{ .value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: dex-secret-conf-volume + secret: + secretName: kubeshark-dex-conf-secret + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} + +{{- end }} diff --git a/helm-chart/templates/19-dex-service.yaml b/helm-chart/templates/19-dex-service.yaml new file mode 100644 index 000000000..f10db2423 --- /dev/null +++ b/helm-chart/templates/19-dex-service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.tap.auth.dexConfig }} + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubeshark.co/app: dex + {{- include "kubeshark.labels" . | nindent 4 }} + annotations: + {{- if .Values.tap.annotations }} + {{- toYaml .Values.tap.annotations | nindent 4 }} + {{- end }} + name: kubeshark-dex + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: kubeshark-dex + port: 80 + targetPort: 5556 + selector: + app.kubeshark.co/app: dex + type: ClusterIP + +{{- end }} diff --git a/helm-chart/templates/20-dex-secret.yaml b/helm-chart/templates/20-dex-secret.yaml new file mode 100644 index 000000000..6355b57d4 --- /dev/null +++ b/helm-chart/templates/20-dex-secret.yaml 
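Review bot: The Dex pod is scheduled with Kubeshark's own service account (`serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}`) and no `securityContext`, so a publicly reachable identity provider inherits whatever RBAC that account is bound to and runs with the runtime's default privileges. With the documented `storage.type: memory` Dex should not need the Kubernetes API, so I would set `automountServiceAccountToken: false` (or give Dex a dedicated account when Kubernetes storage is configured) and add a restrictive container `securityContext`; `runAsNonRoot` assumes the image's default user is non-root, which should be confirmed. Separately, `gt (len .Values.tap.nodeSelectorTerms.dex) 0` fails to render when the key is absent, and patch 5/5 of this series removes that default from values.yaml; `{{- if .Values.tap.nodeSelectorTerms.dex }}` handles both cases. The image `dexidp/dex:v2.42.0-alpine` is hard-coded by tag rather than taken from values or pinned by digest.

```yaml
      containers:
        - name: kubeshark-dex
          image: 'dexidp/dex:v2.42.0-alpine'
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true  # assumes the image's default user is non-root; confirm
            capabilities:
              drop:
                - ALL
          # … unchanged: ports, args, volumeMounts, probes, resources …
      # Dex with in-memory storage does not call the Kubernetes API
      automountServiceAccountToken: false
      # … unchanged: imagePullSecrets, dnsConfig, volumes …
```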
@@ -0,0 +1,14 @@ +{{- if .Values.tap.auth.dexConfig }} + +kind: Secret +apiVersion: v1 +metadata: + name: kubeshark-dex-conf-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubeshark.co/app: hub + {{- include "kubeshark.labels" . | nindent 4 }} +data: + dex-config.yaml: {{ .Values.tap.auth.dexConfig | toYaml | b64enc | quote }} + +{{- end }} diff --git a/helm-chart/templates/_helpers.tpl b/helm-chart/templates/_helpers.tpl index 887a6cc7c..0230d06f6 100644 --- a/helm-chart/templates/_helpers.tpl +++ b/helm-chart/templates/_helpers.tpl @@ -86,3 +86,15 @@ Set sentry based on internet connectivity and telemetry {{- end -}} {{- $sentryEnabledVal -}} {{- end -}} + +{{/* +Dex IdP: retrieve a secret for static client with a specific ID +*/}} +{{- define "getDexKubesharkStaticClientSecret" -}} + {{- $clientId := .clientId -}} + {{- range .clients }} + {{- if eq .id $clientId }} + {{- .secret }} + {{- end }} + {{- end }} +{{- end }} diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 1c68a9cde..11a3a7c98 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -99,6 +99,12 @@ tap: operator: In values: - linux + dex: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux tolerations: hub: [] workers: From c95d63feb0d7d0afc4c322c1776048f788905b5b Mon Sep 17 00:00:00 2001 From: Alon Girmonsky <1990761+alongir@users.noreply.github.com> Date: Mon, 24 Mar 2025 14:09:58 -0700 Subject: [PATCH 3/5] Sentry Enabled By Default (#1721) * Update values.yaml Enable Sentry by default. * Update README.md --- helm-chart/README.md | 2 +- helm-chart/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-chart/README.md b/helm-chart/README.md index 4d0a16ffe..f9a077419 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md 
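Review bot: The Secret holding Dex's configuration is labelled `app.kubeshark.co/app: hub`, while every other Dex object in this patch uses `app.kubeshark.co/app: dex`; label-based selection or cleanup will attribute it to the hub, so `app.kubeshark.co/app: dex` fits better. The rendered `dex-config.yaml` contains the static client secret and any connector `clientSecret`, all supplied inline through `tap.auth.dexConfig`, so the same credentials also sit in values files and in the Helm release record. An option to reference a pre-created Secret instead of inlining the configuration would keep them out of chart values.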
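Review bot: `getDexKubesharkStaticClientSecret` has no caller in the hunks of this patch (13-secret.yaml reads `tap.auth.dexOidc.clientSecret` directly), so it looks like dead code, although it may be used outside the visible diff. If it is kept, note that it returns an empty string when no client matches `clientId` and concatenates the secrets when two clients share an id. A `fail` on the no-match path and a template comment describing the expected dict keys (`clientId`, `clients`) would make that contract explicit.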
@@ -200,7 +200,7 @@ Example for overriding image names: | `tap.debug` | Enable debug mode | `false` | | `tap.telemetry.enabled` | Enable anonymous usage statistics collection | `true` | | `tap.resourceGuard.enabled` | Enable resource guard worker process, which watches RAM/disk usage and enables/disables traffic capture based on available resources | `false` | -| `tap.sentry.enabled` | Enable sending of error logs to Sentry | `false` | +| `tap.sentry.enabled` | Enable sending of error logs to Sentry | `true` (only for qualified users) | | `tap.sentry.environment` | Sentry environment to label error logs with | `production` | | `tap.defaultFilter` | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this, **temporarily**, in the Dashboard. For a permanent change, you should change this value in the `values.yaml` or `config.yaml` file. | `"!dns and !error"` | | `tap.liveConfigMapChangesDisabled` | If set to `true`, all user functionality (scripting, targeting settings, global & default KFL modification, traffic recording, traffic capturing on/off, protocol dissectors) involving dynamic ConfigMap changes from UI will be disabled | `false` | diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 11a3a7c98..b36b610b9 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -146,7 +146,7 @@ tap: watchdog: enabled: true sentry: - enabled: false + enabled: true environment: production defaultFilter: "!dns and !error" liveConfigMapChangesDisabled: false From 453d27af4362a56f23caaad0300f7e5962507ce4 Mon Sep 17 00:00:00 2001 
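Review bot: Setting `tap.sentry.enabled: true` in values.yaml makes the export of error logs to an external service an opt-out default, and the README's qualifier `(only for qualified users)` is not expressed anywhere in this hunk. The gating presumably lives in the sentry helper in `_helpers.tpl` ("Set sentry based on internet connectivity and telemetry"); a comment next to the value that names the helper and its conditions would let operators see when data leaves the cluster. Patch 5/5 of this series sets the value back to `false` without touching the README row, so the documented default and the shipped default end up different.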
From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com> Date: Mon, 24 Mar 2025 23:23:41 +0200 Subject: [PATCH 4/5] :hammer: Create `tap.routing.front.basePath` flag (#1726) * :hammer: Add `tap.routing.front.basePath` helm value * :hammer: Use `tap.routing.front.basePath` to adjust nginx blocks * :hammer: Set `front` base path to empty string * :memo: Update `front` base path docs * :memo: Add `front` base path example * :memo: Add base-path to Kubeshark URL in instructions --------- Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com> --- config/configStructs/tapConfig.go | 9 ++++++++ helm-chart/README.md | 1 + helm-chart/templates/11-nginx-config-map.yaml | 23 +++++++++++++++---- helm-chart/templates/NOTES.txt | 4 ++-- helm-chart/values.yaml | 4 ++++ 5 files changed, 34 insertions(+), 7 deletions(-) diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index 174a242d4..1be086b04 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -191,6 +191,14 @@ type IngressConfig struct { Annotations map[string]string `yaml:"annotations" json:"annotations" default:"{}"` } +type RoutingConfig struct { + Front FrontRoutingConfig `yaml:"front" json:"front"` +} + +type FrontRoutingConfig struct { + BasePath string `yaml:"basePath" json:"basePath" default:""` +} + type ReleaseConfig struct { Repo string `yaml:"repo" json:"repo" default:"https://helm.kubeshark.co"` Name string `yaml:"name" json:"name" default:"kubeshark"` @@ -309,6 +317,7 @@ type TapConfig struct { Tolerations TolerationsConfig `yaml:"tolerations" json:"tolerations" default:"{}"` Auth AuthConfig `yaml:"auth" json:"auth"` Ingress IngressConfig `yaml:"ingress" json:"ingress"` + Routing RoutingConfig `yaml:"routing" json:"routing"` IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"` Debug bool `yaml:"debug" json:"debug" default:"false"` Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"` 
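Review bot: `RoutingConfig` and `FrontRoutingConfig` are exported without doc comments, and the constraint on `BasePath` is stated only in the README row added later in this patch. I would add `// FrontRoutingConfig holds URL routing options for the front service.` on the type and `// BasePath is the URL prefix front is served under, e.g. "/custompath"; it must start with "/" and defaults to "" (root).` on the field. The value ends up inside nginx `location` and `rewrite` directives in 11-nginx-config-map.yaml, so the field comment is also the place to state which characters are acceptable.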
diff --git a/helm-chart/README.md b/helm-chart/README.md index f9a077419..c18b30137 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md @@ -196,6 +196,7 @@ Example for overriding image names: | `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` | | `tap.ingress.tls` | `Ingress` TLS configuration | `[]` | | `tap.ingress.annotations` | `Ingress` annotations | `{}` | +| `tap.routing.front.basePath` | Set this value to serve `front` under specific base path. Example: `/custompath` (forward slash must be present) | `""` | | `tap.ipv6` | Enable IPv6 support for the front-end | `true` | | `tap.debug` | Enable debug mode | `false` | | `tap.telemetry.enabled` | Enable anonymous usage statistics collection | `true` | diff --git a/helm-chart/templates/11-nginx-config-map.yaml b/helm-chart/templates/11-nginx-config-map.yaml index 70a5cecd5..86323c710 100644 --- a/helm-chart/templates/11-nginx-config-map.yaml +++ b/helm-chart/templates/11-nginx-config-map.yaml @@ -20,8 +20,8 @@ data: client_header_buffer_size 32k; large_client_header_buffers 8 64k; - location /api { - rewrite ^/api(.*)$ $1 break; + location {{ default "" (((.Values.tap).routing).front).basePath }}/api { + rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/api(.*)$ $1 break; proxy_pass http://kubeshark-hub; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; @@ -35,8 +35,8 @@ data: proxy_pass_request_headers on; } - location /saml { - rewrite ^/saml(.*)$ /saml$1 break; + location {{ default "" (((.Values.tap).routing).front).basePath }}/saml { + rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/saml(.*)$ /saml$1 break; proxy_pass http://kubeshark-hub; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; 
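Review bot: `tap.routing.front.basePath` is written verbatim into `location` prefixes and `rewrite` regular expressions (here for `/api` and `/saml`, and again in the `/dex` and base-path blocks further down), so a value containing regex metacharacters, whitespace, `;` or `{` changes the generated nginx configuration rather than just the path. Validating it once at the top of the template, e.g. `{{- if not (regexMatch "^(/[A-Za-z0-9_-]+)*$" $basePath) }}{{ fail "tap.routing.front.basePath must look like /custompath" }}{{- end }}`, turns a bad value into a render-time error. The expression `default "" (((.Values.tap).routing).front).basePath` is also repeated in every directive; binding it once to `$basePath` would shorten the lines and keep them in step.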
@@ -45,9 +45,10 @@ data: proxy_send_timeout 12s; proxy_pass_request_headers on; } + {{- if .Values.tap.auth.dexConfig }} location /dex { - rewrite ^/dex(.*)$ /dex$1 break; + rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/dex(.*)$ /dex$1 break; proxy_pass http://kubeshark-dex; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; @@ -61,6 +62,18 @@ data: proxy_pass_request_headers on; } {{- end }} + +{{- if (((.Values.tap).routing).front).basePath }} + location {{ .Values.tap.routing.front.basePath }} { + rewrite ^{{ .Values.tap.routing.front.basePath }}(.*)$ $1 break; + root /usr/share/nginx/html; + index index.html index.htm; + try_files $uri $uri/ /index.html; + expires -1; + add_header Cache-Control no-cache; + } +{{- end }} + location / { root /usr/share/nginx/html; index index.html index.htm; diff --git a/helm-chart/templates/NOTES.txt b/helm-chart/templates/NOTES.txt index 8b91df42d..b1a6a1d72 100644 --- a/helm-chart/templates/NOTES.txt +++ b/helm-chart/templates/NOTES.txt @@ -34,7 +34,7 @@ Notices: {{ if .Values.tap.ingress.enabled }} You can now access the application through the following URL: -http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }} +http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }}{{ default "" (((.Values.tap).routing).front).basePath }}/ {{- else }} To access the application, follow these steps: @@ -44,6 +44,6 @@ To access the application, follow these steps: kubectl port-forward -n {{ .Release.Namespace }} service/kubeshark-front 8899:80 2. Once port forwarding is done, you can access the application by visiting the following URL in your web browser: - http://0.0.0.0:8899 + http://0.0.0.0:8899{{ default "" (((.Values.tap).routing).front).basePath }}/ {{- end }} diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index b36b610b9..08d4024ed 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml 
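Review bot: In the Dex block only the `rewrite` pattern gains the base-path prefix while `location /dex` stays unprefixed, so with a non-empty `basePath` the pattern can never match a URI that reached this location and the directive is dead. Requests to the base path followed by `/dex/...` fall into the base-path block instead and are answered from the static files. If Dex is meant to stay at `/dex` (the README's issuer example is `https://ks.example.com/dex`), drop the prefix from the rewrite; if it is meant to move, prefix the `location` as well and update the documented issuer and redirect URIs.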
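Review bot: In the new base-path block, a request for exactly the base path (no trailing slash) makes `(.*)` capture nothing, so `rewrite ^{{ .Values.tap.routing.front.basePath }}(.*)$ $1 break;` produces an empty URI, which nginx rejects with an internal error. The prefix `location` also matches sibling paths such as `/custompathfoo` and rewrites them to a URI without a leading slash. `rewrite ^{{ .Values.tap.routing.front.basePath }}/?(.*)$ /$1 break;` keeps the rewritten URI rooted at `/` in both cases. NOTES.txt prints the URL with a trailing slash, which hides the first case in normal use.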
@@ -137,6 +137,10 @@ tap: host: ks.svc.cluster.local tls: [] annotations: {} + routing: + front: + # Example: /custompath + basePath: "" ipv6: true debug: false telemetry: From dc50ef48fd6841d5d45c7a90e1a8aeb8ef66f9ee Mon Sep 17 00:00:00 2001 From: Alon Girmonsky <1990761+alongir@users.noreply.github.com> Date: Mon, 24 Mar 2025 15:03:27 -0700 Subject: [PATCH 5/5] :bookmark: Bump the Helm chart version to 52.6.0 --- helm-chart/Chart.yaml | 2 +- helm-chart/values.yaml | 9 +-- manifests/complete.yaml | 147 ++++++++++++++++++++++++---------------- 3 files changed, 92 insertions(+), 66 deletions(-) diff --git a/helm-chart/Chart.yaml b/helm-chart/Chart.yaml index 9d79fcace..6f5c76cce 100644 --- a/helm-chart/Chart.yaml +++ b/helm-chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: kubeshark -version: "52.5" +version: "52.6" description: The API Traffic Analyzer for Kubernetes home: https://kubeshark.co keywords: diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 08d4024ed..97342ca36 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -99,12 +99,6 @@ tap: operator: In values: - linux - dex: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux tolerations: hub: [] workers: @@ -139,7 +133,6 @@ tap: annotations: {} routing: front: - # Example: /custompath basePath: "" ipv6: true debug: false @@ -150,7 +143,7 @@ tap: watchdog: enabled: true sentry: - enabled: true + enabled: false environment: production defaultFilter: "!dns and !error" liveConfigMapChangesDisabled: false diff --git a/manifests/complete.yaml b/manifests/complete.yaml index 6ea91458f..59209d76c 100644 --- a/manifests/complete.yaml +++ b/manifests/complete.yaml 
@@ -4,10 +4,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub-network-policy @@ -34,10 +34,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front-network-policy @@ -61,10 +61,37 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" + app.kubernetes.io/managed-by: Helm + annotations: + name: kubeshark-dex-network-policy + namespace: default +spec: + podSelector: + matchLabels: + app.kubeshark.co/app: dex + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: 5556 + egress: + - {} +--- +# Source: kubeshark/templates/17-network-policies.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + helm.sh/chart: kubeshark-52.6 + app.kubernetes.io/name: kubeshark + app.kubernetes.io/instance: kubeshark + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-worker-network-policy 
@@ -90,10 +117,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-service-account @@ -107,14 +134,16 @@ metadata: namespace: default labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm stringData: LICENSE: '' SCRIPTING_ENV: '{}' + OIDC_CLIENT_ID: 'not set' + OIDC_CLIENT_SECRET: 'not set' --- # Source: kubeshark/templates/13-secret.yaml kind: Secret @@ -124,10 +153,10 @@ metadata: namespace: default labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm stringData: AUTH_SAML_X509_CRT: | @@ -140,10 +169,10 @@ metadata: namespace: default labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm stringData: AUTH_SAML_X509_KEY: | @@ -155,10 +184,10 @@ metadata: name: kubeshark-nginx-config-map namespace: default labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm data: default.conf: | 
@@ -219,10 +248,10 @@ metadata: namespace: default labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm data: POD_REGEX: '.*' @@ -236,10 +265,13 @@ data: INGRESS_HOST: 'ks.svc.cluster.local' PROXY_FRONT_PORT: '8899' AUTH_ENABLED: 'true' - AUTH_TYPE: 'oidc' + AUTH_TYPE: 'default' AUTH_SAML_IDP_METADATA_URL: '' AUTH_SAML_ROLE_ATTRIBUTE: 'role' AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}' + AUTH_OIDC_ISSUER: 'not set' + AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '3960h' + AUTH_OIDC_STATE_PARAM_EXPIRY: '10m' TELEMETRY_DISABLED: 'false' SCRIPTING_DISABLED: 'false' TARGETED_PODS_UPDATE_DISABLED: '' @@ -271,10 +303,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-cluster-role-default @@ -319,10 +351,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-cluster-role-binding-default 
@@ -341,10 +373,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role @@ -371,10 +403,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role-binding @@ -394,10 +426,10 @@ kind: Service metadata: labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub @@ -416,10 +448,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front @@ -438,10 +470,10 @@ kind: Service apiVersion: v1 metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: prometheus.io/scrape: 'true' 
@@ -451,10 +483,10 @@ metadata: spec: selector: app.kubeshark.co/app: worker - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm ports: - name: metrics @@ -467,10 +499,10 @@ kind: Service apiVersion: v1 metadata: labels: - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: prometheus.io/scrape: 'true' @@ -480,10 +512,10 @@ metadata: spec: selector: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm ports: - name: metrics @@ -498,10 +530,10 @@ metadata: labels: app.kubeshark.co/app: worker sidecar.istio.io/inject: "false" - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-worker-daemon-set @@ -516,10 +548,10 @@ spec: metadata: labels: app.kubeshark.co/app: worker - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm name: kubeshark-worker-daemon-set namespace: kubeshark 
@@ -529,7 +561,7 @@ spec: - /bin/sh - -c - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf - image: 'docker.io/kubeshark/worker:v52.5' + image: 'docker.io/kubeshark/worker:v52.6' imagePullPolicy: Always name: mount-bpf securityContext: @@ -554,11 +586,12 @@ spec: - -servicemesh - -procfs - /hostproc + - -enable-watchdog - -resolution-strategy - 'auto' - -staletimeout - '30' - image: 'docker.io/kubeshark/worker:v52.5' + image: 'docker.io/kubeshark/worker:v52.6' imagePullPolicy: Always name: sniffer ports: @@ -632,7 +665,7 @@ spec: - -disable-tls-log - -loglevel - 'warning' - image: 'docker.io/kubeshark/worker:v52.5' + image: 'docker.io/kubeshark/worker:v52.6' imagePullPolicy: Always name: tracer env: @@ -724,10 +757,10 @@ kind: Deployment metadata: labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub @@ -743,10 +776,10 @@ spec: metadata: labels: app.kubeshark.co/app: hub - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm spec: dnsPolicy: ClusterFirstWithHostNet @@ -776,7 +809,7 @@ spec: value: 'https://api.kubeshark.co' - name: PROFILING_ENABLED value: 'false' - image: 'docker.io/kubeshark/hub:v52.5' + image: 'docker.io/kubeshark/hub:v52.6' imagePullPolicy: Always readinessProbe: periodSeconds: 10 
@@ -839,10 +872,10 @@ kind: Deployment metadata: labels: app.kubeshark.co/app: front - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front @@ -858,10 +891,10 @@ spec: metadata: labels: app.kubeshark.co/app: front - helm.sh/chart: kubeshark-52.5 + helm.sh/chart: kubeshark-52.6 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "52.5" + app.kubernetes.io/version: "52.6" app.kubernetes.io/managed-by: Helm spec: containers: @@ -869,7 +902,7 @@ spec: - name: REACT_APP_AUTH_ENABLED value: 'true' - name: REACT_APP_AUTH_TYPE - value: 'oidc' + value: 'default' - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL value: ' ' - name: REACT_APP_TIMEZONE @@ -898,7 +931,7 @@ spec: value: 'false' - name: REACT_APP_SENTRY_ENVIRONMENT value: 'production' - image: 'docker.io/kubeshark/front:v52.5' + image: 'docker.io/kubeshark/front:v52.6' imagePullPolicy: Always name: kubeshark-front livenessProbe: