diff --git a/cmd/tap.go b/cmd/tap.go
index dcc8f8662..e4a9101b5 100644
--- a/cmd/tap.go
+++ b/cmd/tap.go
@@ -58,7 +58,6 @@ func init() {
 tapCmd.Flags().Bool(configStructs.DryRunLabel, defaultTapConfig.DryRun, "Preview of all pods matching the regex, without tapping them")
 tapCmd.Flags().Bool(configStructs.ServiceMeshLabel, defaultTapConfig.ServiceMesh, "Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS")
 tapCmd.Flags().Bool(configStructs.TlsLabel, defaultTapConfig.Tls, "Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries")
- tapCmd.Flags().Bool(configStructs.IgnoreTaintedLabel, defaultTapConfig.IgnoreTainted, "Ignore tainted pods while running Worker DaemonSet")
 tapCmd.Flags().Bool(configStructs.IngressEnabledLabel, defaultTapConfig.Ingress.Enabled, "Enable Ingress")
 tapCmd.Flags().Bool(configStructs.TelemetryEnabledLabel, defaultTapConfig.Telemetry.Enabled, "Enable/disable Telemetry")
 tapCmd.Flags().Bool(configStructs.ResourceGuardEnabledLabel, defaultTapConfig.ResourceGuard.Enabled, "Enable/disable resource guard")
diff --git a/config/configStruct.go b/config/configStruct.go
index 74ce9d9ac..a911dc64c 100644
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -51,6 +51,14 @@ func CreateDefaultConfig() ConfigStruct {
 },
 },
 },
+ Tolerations: configStructs.TolerationsConfig{
+ Workers: []v1.Toleration{
+ {
+ Effect: v1.TaintEffect("NoExecute"),
+ Operator: v1.TolerationOpExists,
+ },
+ },
+ },
 SecurityContext: configStructs.SecurityContextConfig{
 Privileged: true,
 // Capabilities used only when running in unprivileged mode
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index aef362dc2..456f165a5 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
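Review bot: The new default in CreateDefaultConfig tolerates only NoExecute taints, whereas the worker DaemonSet template removed in this commit also tolerated NoSchedule whenever ignoreTainted was false (its default), so out of the box workers will no longer land on NoSchedule-tainted nodes (control-plane nodes typically carry one) and traffic there goes uncaptured; the same narrowing is in the values.yaml default and the worker DaemonSet hunk. If that is intended, say so in the README row for `tap.tolerations.workers`; otherwise add a second entry `{Effect: v1.TaintEffectNoSchedule, Operator: v1.TolerationOpExists}` to the default list. Independently, `Effect: v1.TaintEffect("NoExecute")` should use the typed constant `v1.TaintEffectNoExecute` that core/v1 provides, matching the `v1.TolerationOpExists` on the next line. CreateDefaultConfig begins and ends outside the hunk.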
@@ -139,6 +139,12 @@ type NodeSelectorTermsConfig struct {
 Front []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"`
 }
 
+type TolerationsConfig struct {
+ Hub []v1.Toleration `yaml:"hub" json:"hub" default:"[]"`
+ Workers []v1.Toleration `yaml:"workers" json:"workers" default:"[]"`
+ Front []v1.Toleration `yaml:"front" json:"front" default:"[]"`
+}
+
 type ProbeConfig struct {
 InitialDelaySeconds int `yaml:"initialDelaySeconds" json:"initialDelaySeconds" default:"15"`
 PeriodSeconds int `yaml:"periodSeconds" json:"periodSeconds" default:"10"`
@@ -292,10 +298,10 @@ type TapConfig struct {
 Tls bool `yaml:"tls" json:"tls" default:"true"`
 DisableTlsLog bool `yaml:"disableTlsLog" json:"disableTlsLog" default:"true"`
 PacketCapture string `yaml:"packetCapture" json:"packetCapture" default:"best"`
- IgnoreTainted bool `yaml:"ignoreTainted" json:"ignoreTainted" default:"false"`
 Labels map[string]string `yaml:"labels" json:"labels" default:"{}"`
 Annotations map[string]string `yaml:"annotations" json:"annotations" default:"{}"`
 NodeSelectorTerms NodeSelectorTermsConfig `yaml:"nodeSelectorTerms" json:"nodeSelectorTerms" default:"{}"`
+ Tolerations TolerationsConfig `yaml:"tolerations" json:"tolerations" default:"{}"`
 Auth AuthConfig `yaml:"auth" json:"auth"`
 Ingress IngressConfig `yaml:"ingress" json:"ingress"`
 IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"`
diff --git a/helm-chart/README.md b/helm-chart/README.md
index 1838302ed..f3ec71252 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
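Review bot: TolerationsConfig is an exported type added without a doc comment, which is what go vet-style tooling and the surrounding package convention expect for exported names; propose `// TolerationsConfig holds the pod tolerations applied per component (Hub, Workers, Front).` above the `type` line. It would also be worth a one-line comment on Workers noting that CreateDefaultConfig populates only that field by default, so readers of this struct are not surprised that Hub and Front start empty while the struct tags say `default:"[]"`.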
@@ -174,12 +174,14 @@ Example for overriding image names:
 | `tap.serviceMesh` | Capture traffic from service meshes like Istio, Linkerd, Consul, etc. | `true` |
 | `tap.tls` | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL | `true` |
 | `tap.disableTlsLog` | Suppress logging for TLS/eBPF | `true` |
-| `tap.ignoreTainted` | Whether to ignore tainted nodes | `false` |
 | `tap.labels` | Kubernetes labels to apply to all Kubeshark resources | `{}` |
 | `tap.annotations` | Kubernetes annotations to apply to all Kubeshark resources | `{}` |
-| `tap.nodeSelectorTerms.Workers` | Node selector terms for workers components | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
-| `tap.nodeSelectorTerms.Hub` | Node selector terms for hub component | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
-| `tap.nodeSelectorTerms.Front` | Node selector terms for front-end component | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.nodeSelectorTerms.workers` | Node selector terms for workers components | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.nodeSelectorTerms.hub` | Node selector terms for hub component | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.nodeSelectorTerms.front` | Node selector terms for front-end component | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.tolerations.workers` | Tolerations for workers components | `[ {"operator": "Exists", "effect": "NoExecute"}` |
+| `tap.tolerations.hub` | Tolerations for hub component | `[]` |
+| `tap.tolerations.front` | Tolerations for front-end component | `[]` |
 | `tap.auth.enabled` | Enable authentication | `false` |
 | `tap.auth.type` | Authentication type (1 option available: `saml`) | `saml` |
 | `tap.auth.approvedEmails` | List of approved email addresses for authentication | `[]` |
diff --git a/helm-chart/templates/04-hub-deployment.yaml b/helm-chart/templates/04-hub-deployment.yaml
index e0c0a0609..f2755eb04 100644
--- a/helm-chart/templates/04-hub-deployment.yaml
+++ b/helm-chart/templates/04-hub-deployment.yaml
@@ -128,6 +128,22 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- if .Values.tap.tolerations.hub }}
+ tolerations:
+ {{- range .Values.tap.tolerations.hub }}
+ - key: {{ .key | quote }}
+ operator: {{ .operator | quote }}
+ {{- if .value }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- if .effect }}
+ effect: {{ .effect | quote }}
+ {{- end }}
+ {{- if .tolerationSeconds }}
+ tolerationSeconds: {{ .tolerationSeconds }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 volumes:
 - name: saml-x509-volume
 projected:
diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml
index 57b925dba..d8586d8be 100644
--- a/helm-chart/templates/06-front-deployment.yaml
+++ b/helm-chart/templates/06-front-deployment.yaml
@@ -149,6 +149,22 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- if .Values.tap.tolerations.front }}
+ tolerations:
+ {{- range .Values.tap.tolerations.front }}
+ - key: {{ .key | quote }}
+ operator: {{ .operator | quote }}
+ {{- if .value }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- if .effect }}
+ effect: {{ .effect | quote }}
+ {{- end }}
+ {{- if .tolerationSeconds }}
+ tolerationSeconds: {{ .tolerationSeconds }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 volumes:
 - name: nginx-config
 configMap:
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index ac0bcb65f..b7cc221c2 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
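Review bot: `{{- if .tolerationSeconds }}` silently drops a toleration's tolerationSeconds when it is explicitly 0, because Go templates treat 0 as false, so a user asking for immediate eviction on a matching taint gets an unbounded toleration instead; the same pattern is in the front deployment hunk and the worker DaemonSet hunk. Test for presence rather than truthiness, e.g. `{{- if hasKey . "tolerationSeconds" }}`, and consider the same for `{{- if .value }}` if an empty-string value should round-trip. A simpler alternative that keeps every field of each toleration verbatim is `{{- toYaml .Values.tap.tolerations.hub | nindent INDENT }}` under `tolerations:` (INDENT is a placeholder for the pod-spec indentation), which removes the hand-maintained field list entirely. The enclosing pod spec starts outside the hunk.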
@@ -311,14 +311,22 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
- terminationGracePeriodSeconds: 0
+ {{- if .Values.tap.tolerations.workers }}
 tolerations:
- - effect: NoExecute
- operator: Exists
-{{- if not .Values.tap.ignoreTainted }}
- - effect: NoSchedule
- operator: Exists
-{{- end }}
+ {{- range .Values.tap.tolerations.workers }}
+ - key: {{ .key | quote }}
+ operator: {{ .operator | quote }}
+ {{- if .value }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- if .effect }}
+ effect: {{ .effect | quote }}
+ {{- end }}
+ {{- if .tolerationSeconds }}
+ tolerationSeconds: {{ .tolerationSeconds }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.tap.docker.imagePullSecrets }}
 imagePullSecrets:
 {{- range .Values.tap.docker.imagePullSecrets }}
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 57328c826..70f631dd4 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -78,7 +78,6 @@ tap:
 tls: true
 disableTlsLog: true
 packetCapture: best
- ignoreTainted: false
 labels: {}
 annotations: {}
 nodeSelectorTerms:
@@ -100,6 +99,12 @@ tap:
 operator: In
 values:
 - linux
+ tolerations:
+ hub: []
+ workers:
+ - operator: Exists
+ effect: NoExecute
+ front: []
 auth:
 enabled: false
 type: saml
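Review bot: The hunk removes `terminationGracePeriodSeconds: 0` from the worker pod spec without a replacement, which is unrelated to the tolerations change and means worker pods now get the Kubernetes default grace period (30s) on delete instead of being stopped immediately; if that is intended it belongs in the change description, and if not the line should be restored as `terminationGracePeriodSeconds: 0` beneath `serviceAccountName`. The new `{{- if .Values.tap.tolerations.workers }}` guard also means a user who sets `workers: []` to opt out of the old built-in tolerations gets no `tolerations:` key at all, which is the desired effect but worth a short template comment since the previous behaviour was hard-coded. The pod spec starts and ends outside the hunk.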