github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-07-17 09:51:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

🔨 Add AUTH_SAML_ROLES field to ConfigMap

Browse Source
This commit is contained in:
M. Mert Yildiran 2024-01-23 23:22:06 +03:00
parent a8dd332ff8
commit f9e0c36d5f
No known key found for this signature in database
GPG Key ID: DA5D6DCBB758A461
5 changed files with 108 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
config/configStruct.go
View File

@ -59,6 +59,19 @@ func CreateDefaultConfig() ConfigStruct {
"CHECKPOINT_RESTORE", "CHECKPOINT_RESTORE",
}, },
}, },
Auth: configStructs.AuthConfig{
Saml: configStructs.SamlConfig{
Roles: map[string]configStructs.Role{
"admin": {
Filter: "",
CanReplayTraffic: true,
CanDownloadPCAP: true,
CanUseScripting: true,
CanUpdateTargetedPods: true,
},
},
},
},
}, },
} }
} }

15
config/configStructs/tapConfig.go
View File

@ -82,10 +82,19 @@ type ResourcesConfig struct {
Tracer ResourceRequirements `yaml:"tracer" json:"tracer"` Tracer ResourceRequirements `yaml:"tracer" json:"tracer"`
} }
type Role struct {
Filter string `yaml:"filter" json:"filter" default:""`
CanReplayTraffic bool `yaml:"canReplayTraffic" json:"canReplayTraffic" default:"false"`
CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
}
type SamlConfig struct { type SamlConfig struct {
IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"` IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
X509crt string `yaml:"x509crt" json:"x509crt"` X509crt string `yaml:"x509crt" json:"x509crt"`
X509key string `yaml:"x509key" json:"x509key"` X509key string `yaml:"x509key" json:"x509key"`
Roles map[string]Role `yaml:"roles" json:"roles"`
} }
type AuthConfig struct { type AuthConfig struct {

1
helm-chart/templates/12-config-map.yaml
View File

@ -19,6 +19,7 @@ data:
AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}' AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}'
AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}' AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}'
AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}' AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}' TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}'
REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}' REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}'
GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }} GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}

7
helm-chart/values.yaml
View File

@ -67,6 +67,13 @@ tap:
idpMetadataUrl: "" idpMetadataUrl: ""
x509crt: "" x509crt: ""
x509key: "" x509key: ""
roles:
admin:
filter: ""
canReplayTraffic: true
canDownloadPCAP: true
canUseScripting: true
canUpdateTargetedPods: true
ingress: ingress:
enabled: false enabled: false
className: "" className: ""

75
manifests/complete.yaml
View File

@ -30,6 +30,38 @@ stringData:
LICENSE: '' LICENSE: ''
SCRIPTING_ENV: '{}' SCRIPTING_ENV: '{}'
--- ---
# Source: kubeshark/templates/13-secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: kubeshark-saml-x509-crt-secret
namespace: default
labels:
app.kubeshark.co/app: hub
helm.sh/chart: kubeshark-52.1.0
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
app.kubernetes.io/version: "52.1.0"
app.kubernetes.io/managed-by: Helm
stringData:
AUTH_SAML_X509_CRT: |
---
# Source: kubeshark/templates/13-secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: kubeshark-saml-x509-key-secret
namespace: default
labels:
app.kubeshark.co/app: hub
helm.sh/chart: kubeshark-52.1.0
app.kubernetes.io/name: kubeshark
app.kubernetes.io/instance: kubeshark
app.kubernetes.io/version: "52.1.0"
app.kubernetes.io/managed-by: Helm
stringData:
AUTH_SAML_X509_KEY: |
---
# Source: kubeshark/templates/11-nginx-config-map.yaml # Source: kubeshark/templates/11-nginx-config-map.yaml
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -50,6 +82,10 @@ data:
access_log /dev/stdout; access_log /dev/stdout;
error_log /dev/stdout; error_log /dev/stdout;
client_body_buffer_size 64k;
client_header_buffer_size 32k;
large_client_header_buffers 8 64k;
location /api { location /api {
rewrite ^/api(.*)$ $1 break; rewrite ^/api(.*)$ $1 break;
proxy_pass http://kubeshark-hub; proxy_pass http://kubeshark-hub;
@ -65,6 +101,17 @@ data:
proxy_pass_request_headers on; proxy_pass_request_headers on;
} }
location /saml {
rewrite ^/saml(.*)$ /saml$1 break;
proxy_pass http://kubeshark-hub;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_connect_timeout 4s;
proxy_read_timeout 120s;
proxy_send_timeout 12s;
proxy_pass_request_headers on;
}
location / { location / {
root /usr/share/nginx/html; root /usr/share/nginx/html;
index index.html index.htm; index index.html index.htm;
@ -95,10 +142,16 @@ data:
POD_REGEX: '.*' POD_REGEX: '.*'
NAMESPACES: '' NAMESPACES: ''
SCRIPTING_SCRIPTS: '{}' SCRIPTING_SCRIPTS: '{}'
INGRESS_ENABLED: 'false'
INGRESS_HOST: 'ks.svc.cluster.local'
PROXY_FRONT_PORT: '8899'
AUTH_ENABLED: '' AUTH_ENABLED: ''
AUTH_TYPE: 'saml'
AUTH_APPROVED_EMAILS: '' AUTH_APPROVED_EMAILS: ''
AUTH_APPROVED_DOMAINS: '' AUTH_APPROVED_DOMAINS: ''
AUTH_APPROVED_TENANTS: '' AUTH_APPROVED_TENANTS: ''
AUTH_SAML_IDP_METADATA_URL: ''
AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}'
TELEMETRY_DISABLED: '' TELEMETRY_DISABLED: ''
REPLAY_DISABLED: '' REPLAY_DISABLED: ''
GLOBAL_FILTER: "" GLOBAL_FILTER: ""
@ -539,6 +592,24 @@ spec:
requests: requests:
cpu: 50m cpu: 50m
memory: 50Mi memory: 50Mi
volumeMounts:
- name: saml-x509-volume
mountPath: "/etc/saml/x509"
readOnly: true
volumes:
- name: saml-x509-volume
projected:
sources:
- secret:
name: kubeshark-saml-x509-crt-secret
items:
- key: AUTH_SAML_X509_CRT
path: kubeshark.crt
- secret:
name: kubeshark-saml-x509-key-secret
items:
- key: AUTH_SAML_X509_KEY
path: kubeshark.key
--- ---
# Source: kubeshark/templates/06-front-deployment.yaml # Source: kubeshark/templates/06-front-deployment.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@ -580,6 +651,10 @@ spec:
value: ' ' value: ' '
- name: REACT_APP_AUTH_ENABLED - name: REACT_APP_AUTH_ENABLED
value: 'false' value: 'false'
- name: REACT_APP_AUTH_TYPE
value: 'saml'
- name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
value: ''
- name: REACT_APP_REPLAY_DISABLED - name: REACT_APP_REPLAY_DISABLED
value: 'false' value: 'false'
image: 'docker.io/kubeshark/front:v52.1.0' image: 'docker.io/kubeshark/front:v52.1.0'