Add --ignoreTainted flag to tap command

M. Mert Yildiran 2023-03-27 16:26:09 +03:00
parent 8b5e55d53a
commit e4684a10af
No known key found for this signature in database
GPG Key ID: DA5D6DCBB758A461
3 changed files with 12 additions and 1 deletions


@ -58,5 +58,6 @@ func init() {
tapCmd.Flags().StringP(configStructs.PcapLabel, "p", defaultTapConfig.Pcap, fmt.Sprintf("Capture from a PCAP snapshot of %s (.tar.gz) using your Docker Daemon instead of Kubernetes", misc.Software))
tapCmd.Flags().Bool(configStructs.ServiceMeshLabel, defaultTapConfig.ServiceMesh, "Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS")
tapCmd.Flags().Bool(configStructs.TlsLabel, defaultTapConfig.Tls, "Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries")
tapCmd.Flags().Bool(configStructs.IgnoreTaintedLabel, defaultTapConfig.IgnoreTainted, "Ignore tainted pods while running Worker DaemonSet")
tapCmd.Flags().Bool(configStructs.DebugLabel, defaultTapConfig.Debug, "Enable the debug mode")
}
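Review bot: The help text for `IgnoreTaintedLabel` says "Ignore tainted pods", but taints are a property of nodes, not pods, and the wording does not say what "ignore" means for scheduling. Going by the ApplyWorkerDaemonSet change in this same commit, the flag withholds the NoSchedule toleration from the worker, so something like `"Do not run the Worker DaemonSet on nodes that carry a NoSchedule taint"` would tell an operator what actually happens. The body of `init` starts outside this hunk.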


@ -24,6 +24,7 @@ const (
PcapLabel = "pcap"
ServiceMeshLabel = "servicemesh"
TlsLabel = "tls"
IgnoreTaintedLabel = "ignoreTainted"
DebugLabel = "debug"
)
@ -82,6 +83,7 @@ type TapConfig struct {
ServiceMesh bool `yaml:"servicemesh" default:"true"`
Tls bool `yaml:"tls" default:"true"`
PacketCapture string `yaml:"packetcapture" default:"libpcap"`
IgnoreTainted bool `yaml:"ignoreTainted" default:"false"`
Debug bool `yaml:"debug" default:"false"`
}
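Review bot: `IgnoreTaintedLabel = "ignoreTainted"` and the matching `yaml:"ignoreTainted"` tag are camelCase, while every neighbouring label and YAML key visible here is all-lowercase (`servicemesh`, `packetcapture`, `tls`). A mixed-case key is easy to mistype in a config file, and depending on how the loader matches keys, a typo may leave the default in place without any error. Consider `"ignoretainted"` for both the flag label and the YAML tag to match the existing convention. The const block and `TapConfig` both extend beyond these hunks.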


@ -10,6 +10,7 @@ import (
"path/filepath"
"regexp"
"github.com/kubeshark/kubeshark/config"
"github.com/kubeshark/kubeshark/config/configStructs"
"github.com/kubeshark/kubeshark/docker"
"github.com/kubeshark/kubeshark/misc"
@ -735,12 +736,19 @@ func (provider *Provider) ApplyWorkerDaemonSet(
affinity := applyconfcore.Affinity()
affinity.WithNodeAffinity(nodeAffinity)
var tolerations []*v1.TolerationApplyConfiguration
noExecuteToleration := applyconfcore.Toleration()
noExecuteToleration.WithOperator(core.TolerationOpExists)
noExecuteToleration.WithEffect(core.TaintEffectNoExecute)
tolerations = append(tolerations, noExecuteToleration)
noScheduleToleration := applyconfcore.Toleration()
noScheduleToleration.WithOperator(core.TolerationOpExists)
noScheduleToleration.WithEffect(core.TaintEffectNoSchedule)
if !config.Config.Tap.IgnoreTainted {
tolerations = append(tolerations, noScheduleToleration)
}
// Host procfs is needed inside the container because we need access to
// the network namespaces of processes on the machine.
@ -766,7 +774,7 @@ func (provider *Provider) ApplyWorkerDaemonSet(
}
podSpec.WithContainers(workerContainer)
podSpec.WithAffinity(affinity)
podSpec.WithTolerations(noExecuteToleration, noScheduleToleration)
podSpec.WithTolerations(tolerations...)
podSpec.WithVolumes(procfsVolume, sysfsVolume)
if len(imagePullSecrets) > 0 {
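Review bot: With `--ignoreTainted` set, the worker still gets `noExecuteToleration`, which is appended unconditionally with `TolerationOpExists` and no key, so it tolerates every NoExecute taint. Only the NoSchedule toleration is gated by `if !config.Config.Tap.IgnoreTainted`. An operator who tainted nodes with NoExecute to keep workloads off them will still receive this traffic-capturing pod with host procfs mounted, despite the flag name. If the intent is to respect all taints, move `tolerations = append(tolerations, noExecuteToleration)` inside the same `if`; otherwise a comment should state that only NoSchedule taints are honoured, and that the default (`false`) keeps both blanket tolerations. `ApplyWorkerDaemonSet` starts and ends outside these hunks.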