diff --git a/config/configStruct.go b/config/configStruct.go
index 7666f5fde..62fb81355 100644
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -59,6 +59,19 @@ func CreateDefaultConfig() ConfigStruct {
 					"CHECKPOINT_RESTORE",
 				},
 			},
+			Auth: configStructs.AuthConfig{
+				Saml: configStructs.SamlConfig{
+					Roles: map[string]configStructs.Role{
+						"admin": {
+							Filter: "",
+							CanReplayTraffic: true,
+							CanDownloadPCAP: true,
+							CanUseScripting: true,
+							CanUpdateTargetedPods: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 4fa455c7f..c2ec517a8 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -82,10 +82,19 @@ type ResourcesConfig struct {
 	Tracer ResourceRequirements `yaml:"tracer" json:"tracer"`
 }
 
+type Role struct {
+	Filter string `yaml:"filter" json:"filter" default:""`
+	CanReplayTraffic bool `yaml:"canReplayTraffic" json:"canReplayTraffic" default:"false"`
+	CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
+	CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
+	CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
+}
+
 type SamlConfig struct {
-	IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
-	X509crt string `yaml:"x509crt" json:"x509crt"`
-	X509key string `yaml:"x509key" json:"x509key"`
+	IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
+	X509crt string `yaml:"x509crt" json:"x509crt"`
+	X509key string `yaml:"x509key" json:"x509key"`
+	Roles map[string]Role `yaml:"roles" json:"roles"`
 }
 
 type AuthConfig struct {
diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml
index 24cfcf00c..cd769e857 100644
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
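Review bot: The default config now ships an `admin` role with `Filter: ""` and all four capabilities enabled, and nothing in the hunk records what an empty filter means, so a reader of `CreateDefaultConfig` cannot tell whether `""` is "sees nothing" or "sees everything"; presumably it is unrestricted, since the role is meant to be all-powerful, but that belongs next to the literal: `// Filter "" is presumably unrestricted visibility (admin sees all traffic); confirm against the hub`. The same five values are duplicated verbatim in helm-chart/values.yaml in this commit, and nothing visible keeps the two defaults in sync, so a one-line comment naming that coupling (`// keep in sync with helm-chart/values.yaml tap.auth.saml.roles`) would at least make drift reviewable. Whether the `admin` key is matched against an IdP-asserted attribute, and which one, is not visible here and should be documented wherever the mapping happens. CreateDefaultConfig's body starts outside the hunk.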
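Review bot: `Role`, its five fields and `SamlConfig.Roles` are exported with no doc comments, and `Filter` is the one that needs it most because the fail-open case (an empty filter giving a role full visibility, which the default `admin` role appears to rely on) is the security-relevant reading. The `default:"false"` tags on the four `Can*` booleans give deny-by-default when a role omits a capability, which is the right direction and worth stating so nobody later "simplifies" it to true. I would add a type comment along the lines of `// Role is the permission set granted to SAML users mapped to this role name. Filter restricts which traffic the role can see (an empty filter is presumably unrestricted — confirm); every Can* capability is off unless explicitly set.` and a one-line comment on `Roles` naming what the map key is matched against, which is not visible in this hunk. `SamlConfig` and `AuthConfig` continue outside the hunk.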
@@ -19,6 +19,7 @@ data:
   AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}'
   AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}'
   AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
+  AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
   TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}'
   REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}'
   GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 9bfabb719..ced7a7ca6 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -67,6 +67,13 @@ tap:
       idpMetadataUrl: ""
       x509crt: ""
       x509key: ""
+      roles:
+        admin:
+          filter: ""
+          canReplayTraffic: true
+          canDownloadPCAP: true
+          canUseScripting: true
+          canUpdateTargetedPods: true
   ingress:
     enabled: false
     className: ""
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index 13005b6a9..6fa066f1c 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
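Review bot: `AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'` wraps the JSON in a YAML single-quoted scalar, and `toJson` does not escape single quotes, so any role `filter` that contains a `'` (string literals inside a filter expression are the obvious case) renders an invalid ConfigMap at `helm template` / `helm install` time. The `GLOBAL_FILTER` line three lines below already routes a filter value through `kubeshark.escapeDoubleQuotes … | quote` for exactly this reason, so the new line should follow the same pattern: `AUTH_SAML_ROLES: {{ .Values.tap.auth.saml.roles | toJson | quote }}`, where `quote` double-quotes the scalar and escapes the embedded `"` that JSON produces. If an override sets `roles: null`, `toJson` renders the literal string `null` rather than `{}`; whether the hub tolerates that is not visible here and is worth a check.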
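Review bot: The new `roles` block is the operator-facing authorization surface for SAML logins and has no comment explaining the keys or the consequence of the defaults, while every install now gets an `admin` role with all four capabilities and an empty `filter`. A short comment above `roles:` would carry the warning an operator needs before adding a second role, e.g. `# roles: SAML role name -> permissions. filter limits the traffic the role can see (empty appears to mean unrestricted — only the admin role should rely on that); each can* flag defaults to false when omitted.` Which IdP attribute the role name is matched against is not visible in this commit and should be named in the same comment once known.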
@@ -30,6 +30,38 @@ stringData:
   LICENSE: ''
   SCRIPTING_ENV: '{}'
 ---
+# Source: kubeshark/templates/13-secret.yaml
+kind: Secret
+apiVersion: v1
+metadata:
+  name: kubeshark-saml-x509-crt-secret
+  namespace: default
+  labels:
+    app.kubeshark.co/app: hub
+    helm.sh/chart: kubeshark-52.1.0
+    app.kubernetes.io/name: kubeshark
+    app.kubernetes.io/instance: kubeshark
+    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/managed-by: Helm
+stringData:
+  AUTH_SAML_X509_CRT: |
+---
+# Source: kubeshark/templates/13-secret.yaml
+kind: Secret
+apiVersion: v1
+metadata:
+  name: kubeshark-saml-x509-key-secret
+  namespace: default
+  labels:
+    app.kubeshark.co/app: hub
+    helm.sh/chart: kubeshark-52.1.0
+    app.kubernetes.io/name: kubeshark
+    app.kubernetes.io/instance: kubeshark
+    app.kubernetes.io/version: "52.1.0"
+    app.kubernetes.io/managed-by: Helm
+stringData:
+  AUTH_SAML_X509_KEY: |
+---
 # Source: kubeshark/templates/11-nginx-config-map.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -50,6 +82,10 @@ data:
     access_log /dev/stdout;
     error_log /dev/stdout;
 
+    client_body_buffer_size 64k;
+    client_header_buffer_size 32k;
+    large_client_header_buffers 8 64k;
+
     location /api {
       rewrite ^/api(.*)$ $1 break;
       proxy_pass http://kubeshark-hub;
@@ -65,6 +101,17 @@ data:
       proxy_pass_request_headers on;
     }
 
+    location /saml {
+      rewrite ^/saml(.*)$ /saml$1 break;
+      proxy_pass http://kubeshark-hub;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header Host $http_host;
+      proxy_connect_timeout 4s;
+      proxy_read_timeout 120s;
+      proxy_send_timeout 12s;
+      proxy_pass_request_headers on;
+    }
+
     location / {
       root /usr/share/nginx/html;
       index index.html index.htm;
@@ -95,10 +142,16 @@ data:
   POD_REGEX: '.*'
   NAMESPACES: ''
   SCRIPTING_SCRIPTS: '{}'
+  INGRESS_ENABLED: 'false'
+  INGRESS_HOST: 'ks.svc.cluster.local'
+  PROXY_FRONT_PORT: '8899'
   AUTH_ENABLED: ''
+  AUTH_TYPE: 'saml'
   AUTH_APPROVED_EMAILS: ''
   AUTH_APPROVED_DOMAINS: ''
   AUTH_APPROVED_TENANTS: ''
+  AUTH_SAML_IDP_METADATA_URL: ''
+  AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}'
   TELEMETRY_DISABLED: ''
   REPLAY_DISABLED: ''
   GLOBAL_FILTER: ""
@@ -539,6 +592,24 @@ spec:
             requests:
               cpu: 50m
               memory: 50Mi
+          volumeMounts:
+            - name: saml-x509-volume
+              mountPath: "/etc/saml/x509"
+              readOnly: true
+      volumes:
+        - name: saml-x509-volume
+          projected:
+            sources:
+              - secret:
+                  name: kubeshark-saml-x509-crt-secret
+                  items:
+                    - key: AUTH_SAML_X509_CRT
+                      path: kubeshark.crt
+              - secret:
+                  name: kubeshark-saml-x509-key-secret
+                  items:
+                    - key: AUTH_SAML_X509_KEY
+                      path: kubeshark.key
 ---
 # Source: kubeshark/templates/06-front-deployment.yaml
 apiVersion: apps/v1
@@ -580,6 +651,10 @@ spec:
               value: ' '
             - name: REACT_APP_AUTH_ENABLED
               value: 'false'
+            - name: REACT_APP_AUTH_TYPE
+              value: 'saml'
+            - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
+              value: ''
             - name: REACT_APP_REPLAY_DISABLED
               value: 'false'
           image: 'docker.io/kubeshark/front:v52.1.0'