diff --git a/config/configStruct.go b/config/configStruct.go
index c1cd3c715..6abd1889c 100644
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -150,6 +150,7 @@ type ConfigStruct struct {
 HeadlessMode bool `yaml:"headless" json:"headless" default:"false"`
 License string `yaml:"license" json:"license" default:""`
 CloudLicenseEnabled bool `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"`
+ DemoModeEnabled bool `yaml:"demoModeEnabled" json:"demoModeEnabled" default:"false"`
 SupportChatEnabled bool `yaml:"supportChatEnabled" json:"supportChatEnabled" default:"true"`
 InternetConnectivity bool `yaml:"internetConnectivity" json:"internetConnectivity" default:"true"`
 Scripting configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 15277497c..aef362dc2 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -313,6 +313,7 @@ type TapConfig struct {
 Pprof PprofConfig `yaml:"pprof" json:"pprof"`
 Misc MiscConfig `yaml:"misc" json:"misc"`
 SecurityContext SecurityContextConfig `yaml:"securityContext" json:"securityContext"`
+ MountBpf bool `yaml:"mountBpf" json:"mountBpf" default:"true"`
 }

 func (config *TapConfig) PodRegex() *regexp.Regexp {
diff --git a/helm-chart/README.md b/helm-chart/README.md
index aba816ca0..1838302ed 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
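Review bot: `DemoModeEnabled` is added without a comment, and its name does not suggest that it affects a lock-down setting. In the chart templates changed by this commit (06-front-deployment.yaml and 12-config-map.yaml) a true value renders the scripting-disabled flags as `false` even when `tap.liveConfigMapChangesDisabled` is set, so the field should say so, for example `// DemoModeEnabled keeps scripting available even when tap.liveConfigMapChangesDisabled is true.` The visible hunks add `mountBpf` to values.yaml and the README but no `demoModeEnabled` key or row; if that is not done elsewhere in the commit, operators have no documented default to review. The struct body continues outside the hunk.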
@@ -205,6 +205,7 @@ Example for overriding image names:
 | `tap.globalFilter` | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic. | `""` |
 | `tap.metrics.port` | Pod port used to expose Prometheus metrics | `49100` |
 | `tap.enabledDissectors` | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp` |
+| `tap.mountBpf` | BPF filesystem needs to be mounted for eBPF to work properly. This helm value determines whether Kubeshark will attempt to mount the filesystem. This option is not required if filesystem is already mounts. │ `true`|
 | `logs.file` | Logs dump path | `""` |
 | `pcapdump.enabled` | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools | `true` |
 | `pcapdump.maxTime` | The time window into the past that will be stored. Older traffic will be discarded. | `2h` |
diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml
index c7ce3532b..46907f837 100644
--- a/helm-chart/templates/06-front-deployment.yaml
+++ b/helm-chart/templates/06-front-deployment.yaml
@@ -37,7 +37,15 @@ spec:
 - name: REACT_APP_TIMEZONE
 value: '{{ not (eq .Values.timezone "") | ternary .Values.timezone " " }}'
 - name: REACT_APP_SCRIPTING_DISABLED
- value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
+ value: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
+ {{- if .Values.demoModeEnabled -}}
+ {{ .Values.demoModeEnabled | ternary false true }}
+ {{- else -}}
+ true
+ {{- end }}
+ {{- else -}}
+ false
+ {{- end }}'
 - name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED
 value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
 - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED
diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml
index 30ae2fa19..cd5745344 100644
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@@ -27,7 +27,15 @@ data:
 AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
 AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
 TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
- SCRIPTING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
+ SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
+ {{- if .Values.demoModeEnabled -}}
+ {{ .Values.demoModeEnabled | ternary false true }}
+ {{- else -}}
+ true
+ {{- end }}
+ {{- else -}}
+ false
+ {{- end }}'
 TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
 PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
 RECORDING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 257f8c298..900141b40 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -209,6 +209,7 @@ tap:
 - SYS_PTRACE
 - SYS_RESOURCE
 - IPC_LOCK
+ mountBpf: true
 logs:
 file: ""
 grep: ""
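Review bot: The new `REACT_APP_SCRIPTING_DISABLED` value lets `demoModeEnabled` override `tap.liveConfigMapChangesDisabled`: with both true the block renders `false`, so scripting stays enabled in a deployment whose operator asked for live changes to be locked down. If that is intended it should be stated in a template comment and in the chart documentation, since the neighbouring `REACT_APP_TARGETED_PODS_UPDATE_DISABLED` still follows the lock-down flag alone. The inner `ternary false true` sits inside `if .Values.demoModeEnabled`, so it can only yield `false`. Assuming both values are always booleans, the nine lines reduce to `value: '{{ and .Values.tap.liveConfigMapChangesDisabled (not .Values.demoModeEnabled) }}'`. The same block is repeated for `SCRIPTING_DISABLED` in 12-config-map.yaml.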
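Review bot: `SCRIPTING_DISABLED` used to render as `"true"` or an empty string and now renders as `true` or `false`, while `TARGETED_PODS_UPDATE_DISABLED` and `RECORDING_DISABLED` just below keep the `ternary "true" ""` form. The code that reads this ConfigMap is not part of the diff; if it treats any non-empty value as set, the literal `false` would switch scripting off in the default configuration. Keeping the sibling convention avoids the question: `SCRIPTING_DISABLED: '{{ and .Values.tap.liveConfigMapChangesDisabled (not .Values.demoModeEnabled) | ternary "true" "" }}'`.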
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index 8db5b820e..a40cbe676 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@@ -523,6 +523,20 @@ spec:
 name: kubeshark-worker-daemon-set
 namespace: kubeshark
 spec:
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
+ image: 'docker.io/kubeshark/worker:v52.4'
+ imagePullPolicy: Always
+ name: mount-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
+ mountPropagation: Bidirectional
 containers:
 - command:
 - ./worker
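Review bot: The `mount-bpf` init container runs with `privileged: true` and the host's whole `/sys` mounted `Bidirectional`, and because `tap.mountBpf` defaults to `true` every default install gains a privileged step that can change the host mount table. Bidirectional propagation does require a privileged container, but the mount can be narrowed to the one directory it needs, `mountPath: /sys/fs/bpf`, backed by a hostPath volume for that path alone (the volume definitions are outside this hunk). The already-mounted test is also loose: `grep -q '/sys/fs/bpf'` matches any mount line containing that substring, whatever its filesystem type, so `mount | grep -q ' /sys/fs/bpf type bpf' || mount -t bpf bpf /sys/fs/bpf` is a tighter check. If this manifest is rendered from the chart, the same applies to the DaemonSet template, which is not among the visible hunks.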