Update structs and docs (#1710)

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>

cmd/tap.go

@@ -58,7 +58,6 @@ func init() {
 	tapCmd.Flags().Bool(configStructs.DryRunLabel, defaultTapConfig.DryRun, "Preview of all pods matching the regex, without tapping them")
 	tapCmd.Flags().Bool(configStructs.ServiceMeshLabel, defaultTapConfig.ServiceMesh, "Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS")
 	tapCmd.Flags().Bool(configStructs.TlsLabel, defaultTapConfig.Tls, "Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries")
-	tapCmd.Flags().Bool(configStructs.IgnoreTaintedLabel, defaultTapConfig.IgnoreTainted, "Ignore tainted pods while running Worker DaemonSet")
 	tapCmd.Flags().Bool(configStructs.IngressEnabledLabel, defaultTapConfig.Ingress.Enabled, "Enable Ingress")
 	tapCmd.Flags().Bool(configStructs.TelemetryEnabledLabel, defaultTapConfig.Telemetry.Enabled, "Enable/disable Telemetry")
 	tapCmd.Flags().Bool(configStructs.ResourceGuardEnabledLabel, defaultTapConfig.ResourceGuard.Enabled, "Enable/disable resource guard")

config/configStruct.go

@@ -51,6 +51,14 @@ func CreateDefaultConfig() ConfigStruct {
 					},
 				},
 			},
+			Tolerations: configStructs.TolerationsConfig{
+				Workers: []v1.Toleration{
+					{
+						Effect:   v1.TaintEffect("NoExecute"),
+						Operator: v1.TolerationOpExists,
+					},
+				},
+			},
 			SecurityContext: configStructs.SecurityContextConfig{
 				Privileged: true,
 				// Capabilities used only when running in unprivileged mode

config/configStructs/tapConfig.go

@@ -139,6 +139,12 @@ type NodeSelectorTermsConfig struct {
 	Front   []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"`
 }
 
+type TolerationsConfig struct {
+	Hub     []v1.Toleration `yaml:"hub" json:"hub" default:"[]"`
+	Workers []v1.Toleration `yaml:"workers" json:"workers" default:"[]"`
+	Front   []v1.Toleration `yaml:"front" json:"front" default:"[]"`
+}
+
 type ProbeConfig struct {
 	InitialDelaySeconds int `yaml:"initialDelaySeconds" json:"initialDelaySeconds" default:"15"`
 	PeriodSeconds       int `yaml:"periodSeconds" json:"periodSeconds" default:"10"`
@@ -292,10 +298,10 @@ type TapConfig struct {
 	Tls                          bool                    `yaml:"tls" json:"tls" default:"true"`
 	DisableTlsLog                bool                    `yaml:"disableTlsLog" json:"disableTlsLog" default:"true"`
 	PacketCapture                string                  `yaml:"packetCapture" json:"packetCapture" default:"best"`
-	IgnoreTainted                bool                    `yaml:"ignoreTainted" json:"ignoreTainted" default:"false"`
 	Labels                       map[string]string       `yaml:"labels" json:"labels" default:"{}"`
 	Annotations                  map[string]string       `yaml:"annotations" json:"annotations" default:"{}"`
 	NodeSelectorTerms            NodeSelectorTermsConfig `yaml:"nodeSelectorTerms" json:"nodeSelectorTerms" default:"{}"`
+	Tolerations                  TolerationsConfig       `yaml:"tolerations" json:"tolerations" default:"{}"`
 	Auth                         AuthConfig              `yaml:"auth" json:"auth"`
 	Ingress                      IngressConfig           `yaml:"ingress" json:"ingress"`
 	IPv6                         bool                    `yaml:"ipv6" json:"ipv6" default:"true"`

helm-chart/README.md

@@ -174,12 +174,14 @@ Example for overriding image names:
 | `tap.serviceMesh`                         | Capture traffic from service meshes like Istio, Linkerd, Consul, etc.          | `true`                                                  |
 | `tap.tls`                                 | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL                         | `true`                                                  |
 | `tap.disableTlsLog`                       | Suppress logging for TLS/eBPF                 | `true`                                                 |
-| `tap.ignoreTainted`                       | Whether to ignore tainted nodes               | `false`                                                 |
 | `tap.labels`                              | Kubernetes labels to apply to all Kubeshark resources  | `{}`                                                    |
 | `tap.annotations`                         | Kubernetes annotations to apply to all Kubeshark resources | `{}`                                                |
-| `tap.nodeSelectorTerms.Workers`                   | Node selector terms for workers components                       | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.nodeSelectorTerms.workers`                   | Node selector terms for workers components                       | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
-| `tap.nodeSelectorTerms.Hub`                   | Node selector terms for hub component                 | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.nodeSelectorTerms.hub`                   | Node selector terms for hub component                 | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
-| `tap.nodeSelectorTerms.Front`                   | Node selector terms for front-end component                         | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.nodeSelectorTerms.front`                   | Node selector terms for front-end component                         | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` |
+| `tap.tolerations.workers`                  | Tolerations for workers components                         | `[ {"operator": "Exists", "effect": "NoExecute"}` |
+| `tap.tolerations.hub`                  | Tolerations for hub component                         | `[]` |
+| `tap.tolerations.front`                  | Tolerations for front-end component                         | `[]` |
 | `tap.auth.enabled`                        | Enable authentication                         | `false`                                                 |
 | `tap.auth.type`                           | Authentication type (1 option available: `saml`)      | `saml`                                              |
 | `tap.auth.approvedEmails`                 | List of approved email addresses for authentication              | `[]`                                                    |

helm-chart/templates/04-hub-deployment.yaml

@@ -128,6 +128,22 @@ spec:
         {{- end }}
         {{- end }}
       {{- end }}
+      {{- if .Values.tap.tolerations.hub }}
+      tolerations:
+      {{- range .Values.tap.tolerations.hub }}
+        - key: {{ .key | quote }}
+          operator: {{ .operator | quote }}
+          {{- if .value }}
+          value: {{ .value | quote }}
+          {{- end }}
+          {{- if .effect }}
+          effect: {{ .effect | quote }}
+          {{- end }}
+          {{- if .tolerationSeconds }}
+          tolerationSeconds: {{ .tolerationSeconds }}
+          {{- end }}
+      {{- end }}
+      {{- end }}
       volumes:
       - name: saml-x509-volume
         projected:

helm-chart/templates/06-front-deployment.yaml

@@ -149,6 +149,22 @@ spec:
         {{- end }}
         {{- end }}
       {{- end }}
+      {{- if .Values.tap.tolerations.front }}
+      tolerations:
+      {{- range .Values.tap.tolerations.front }}
+        - key: {{ .key | quote }}
+          operator: {{ .operator | quote }}
+          {{- if .value }}
+          value: {{ .value | quote }}
+          {{- end }}
+          {{- if .effect }}
+          effect: {{ .effect | quote }}
+          {{- end }}
+          {{- if .tolerationSeconds }}
+          tolerationSeconds: {{ .tolerationSeconds }}
+          {{- end }}
+      {{- end }}
+      {{- end }}
       volumes:
         - name: nginx-config
           configMap:

helm-chart/templates/09-worker-daemon-set.yaml

@@ -311,14 +311,22 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
-      terminationGracePeriodSeconds: 0
+      {{- if .Values.tap.tolerations.workers }}
       tolerations:
-        - effect: NoExecute
+      {{- range .Values.tap.tolerations.workers }}
-          operator: Exists
+        - key: {{ .key | quote }}
-{{- if not .Values.tap.ignoreTainted }}
+          operator: {{ .operator | quote }}
-        - effect: NoSchedule
+          {{- if .value }}
-          operator: Exists
+          value: {{ .value | quote }}
-{{- end }}
+          {{- end }}
+          {{- if .effect }}
+          effect: {{ .effect | quote }}
+          {{- end }}
+          {{- if .tolerationSeconds }}
+          tolerationSeconds: {{ .tolerationSeconds }}
+          {{- end }}
+      {{- end }}
+      {{- end }}
     {{- if .Values.tap.docker.imagePullSecrets }}
       imagePullSecrets:
         {{- range .Values.tap.docker.imagePullSecrets }}

helm-chart/values.yaml

@@ -78,7 +78,6 @@ tap:
   tls: true
   disableTlsLog: true
   packetCapture: best
-  ignoreTainted: false
   labels: {}
   annotations: {}
   nodeSelectorTerms:
@@ -100,6 +99,12 @@ tap:
         operator: In
         values:
         - linux
+  tolerations:
+    hub: []
+    workers:
+    - operator: Exists
+      effect: NoExecute
+    front: []
   auth:
     enabled: false
     type: saml