Restructure README: captures/processes/retains, cluster-wide PCAP

- Reorder hero bullets: PCAP Retention, L7 API Dissection, K8s Context - Add "Additional benefits" section for TLS decryption and L4 TCP Insights - Rename "Traffic Retention" to "Cluster-wide PCAP" with filtering details - Add Wireshark/tshark/AI agent download, separate cloud retention - Move Cluster-wide PCAP above L4/L7 Workload Map
2026-03-18 02:22:31 +00:00 · 2026-03-09 13:30:34 -07:00
8 changed files with 63 additions and 140 deletions
--- a/README.md
+++ b/README.md
@@ -21,13 +21,16 @@ Kubeshark captures cluster-wide network traffic at the speed and scale of Kubern
 Network data is available to **AI agents via [MCP](https://docs.kubeshark.com/en/mcp)** and to **human operators via a [dashboard](https://docs.kubeshark.com/en/v2)**.
-**What's captured, cluster-wide:**
+**Kubeshark captures, processes, and retains cluster-wide network traffic:**
- **L4 Packets & TCP Metrics** — retransmissions, RTT, window saturation, connection lifecycle, packet loss across every node-to-node path ([TCP insights →](https://docs.kubeshark.com/en/mcp/tcp_insights))
+- **PCAP Retention** — continuous raw packet capture with point-in-time snapshots, exportable for Wireshark ([Snapshots →](https://docs.kubeshark.com/en/v2/traffic_snapshots))
- **L7 API Calls** — real-time request/response matching with full payload parsing: HTTP, gRPC, GraphQL, Redis, Kafka, DNS ([API dissection →](https://docs.kubeshark.com/en/v2/l7_api_dissection))
+- **L7 API Dissection** — real-time request/response matching with full payload parsing: HTTP, gRPC, GraphQL, Redis, Kafka, DNS ([API dissection →](https://docs.kubeshark.com/en/v2/l7_api_dissection))
 - **Decrypted TLS** — eBPF-based TLS decryption without key management
 - **Kubernetes Context** — every packet and API call resolved to pod, service, namespace, and node
- **PCAP Retention** — point-in-time raw packet snapshots, exportable for Wireshark ([Snapshots →](https://docs.kubeshark.com/en/v2/traffic_snapshots))
+
 **Additional benefits:**
 - **Decrypted TLS** — eBPF-based TLS decryption without key management
 - **L4 TCP Insights** — retransmissions, RTT, window saturation, connection lifecycle, packet loss across every node-to-node path ([TCP insights →](https://docs.kubeshark.com/en/mcp/tcp_insights))
 ![Kubeshark](https://github.com/kubeshark/assets/raw/master/png/stream.png)
@@ -78,6 +81,16 @@ Cluster-wide request/response matching with full payloads, parsed according to p
 [Learn more →](https://docs.kubeshark.com/en/v2/l7_api_dissection)
 ### Cluster-wide PCAP
 Generate a cluster-wide PCAP file from any point in time. Filter by time range, specific nodes, and BPF expressions (e.g. `net`, `ip`, `port`, `host`) to capture exactly the traffic you need — across the entire cluster, in a single file. Download and analyze with Wireshark, tshark, or any PCAP-compatible tool — or let your AI agent download and analyze programmatically via MCP.
 Store snapshots locally or in S3/Azure Blob for long-term retention.
 ![Traffic Retention](https://github.com/kubeshark/assets/raw/master/png/snapshots.png)
 [Snapshots guide →](https://docs.kubeshark.com/en/v2/traffic_snapshots)
 ### L4/L7 Workload Map
 Cluster-wide view of service communication: dependencies, traffic flow, and anomalies across all nodes and namespaces.
@@ -86,14 +99,6 @@ Cluster-wide view of service communication: dependencies, traffic flow, and anom
 [Learn more →](https://docs.kubeshark.com/en/v2/service_map)
 ### Traffic Retention
 Continuous raw packet capture with point-in-time snapshots. Export PCAP files for offline analysis with Wireshark or other tools.
 ![Traffic Retention](https://github.com/kubeshark/assets/raw/master/png/snapshots.png)
 [Snapshots guide →](https://docs.kubeshark.com/en/v2/traffic_snapshots)
 ---
 ## Features
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -153,7 +153,6 @@ func CreateDefaultConfig() ConfigStruct {
 			},
 			Dashboard: configStructs.DashboardConfig{
 				CompleteStreamingEnabled: true,
 				ClusterWideMapEnabled:    false,
 			},
 			Capture: configStructs.CaptureConfig{
 				Dissection: configStructs.DissectionConfig{
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -202,7 +202,6 @@ type RoutingConfig struct {
 type DashboardConfig struct {
 	StreamingType            string `yaml:"streamingType" json:"streamingType" default:"connect-rpc"`
 	CompleteStreamingEnabled bool   `yaml:"completeStreamingEnabled" json:"completeStreamingEnabled" default:"true"`
 	ClusterWideMapEnabled    bool   `yaml:"clusterWideMapEnabled" json:"clusterWideMapEnabled" default:"false"`
 }
 type FrontRoutingConfig struct {
@@ -210,9 +209,9 @@ type FrontRoutingConfig struct {
 }
 type ReleaseConfig struct {
-	Repo          string `yaml:"repo" json:"repo" default:"https://helm.kubeshark.com"`
+	Repo      string `yaml:"repo" json:"repo" default:"https://helm.kubeshark.com"`
-	Name          string `yaml:"name" json:"name" default:"kubeshark"`
+	Name      string `yaml:"name" json:"name" default:"kubeshark"`
-	Namespace     string `yaml:"namespace" json:"namespace" default:"default"`
+	Namespace string `yaml:"namespace" json:"namespace" default:"default"`
 	HelmChartPath string `yaml:"helmChartPath" json:"helmChartPath" default:""`
 }
@@ -412,6 +411,7 @@ type TapConfig struct {
 	Gitops                         GitopsConfig            `yaml:"gitops" json:"gitops"`
 	Sentry                         SentryConfig            `yaml:"sentry" json:"sentry"`
 	DefaultFilter                  string                  `yaml:"defaultFilter" json:"defaultFilter" default:""`
 	LiveConfigMapChangesDisabled   bool                    `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"`
 	GlobalFilter                   string                  `yaml:"globalFilter" json:"globalFilter" default:""`
 	EnabledDissectors              []string                `yaml:"enabledDissectors" json:"enabledDissectors"`
 	PortMapping                    PortMapping             `yaml:"portMapping" json:"portMapping"`
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -232,6 +232,7 @@ Example for overriding image names:
 | `tap.sentry.enabled`                      | Enable sending of error logs to Sentry          | `false`                                                                                                                                                                                                                |
 | `tap.sentry.environment`                      | Sentry environment to label error logs with      | `production`                                                                                                                                                                                                                                     |
 | `tap.defaultFilter`                       | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this, **temporarily**, in the Dashboard. For a permanent change, you should change this value in the `values.yaml` or `config.yaml` file.        | `""`                                                                                                                                                                                                                                             |
 | `tap.liveConfigMapChangesDisabled`        | If set to `true`, all user functionality (scripting, targeting settings, global & default KFL modification, traffic recording, traffic capturing on/off, protocol dissectors) involving dynamic ConfigMap changes from UI will be disabled     | `false`                                                                                                                                                                                                                                          |
 | `tap.globalFilter`                        | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic.      | `""`                                                                                                                                                                                                                                             |
 | `tap.metrics.port`                  | Pod port used to expose Prometheus metrics          | `49100`                                                                                                                                                                                                                                          |
 | `tap.enabledDissectors`                   | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp`                                                                                                                                                                                                       |
--- a/helm-chart/docs/snapshots_cloud_storage.md
+++ b/helm-chart/docs/snapshots_cloud_storage.md
@@ -95,85 +95,7 @@ helm install kubeshark kubeshark/kubeshark \
 ### Example: IRSA (recommended for EKS)
-[IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) lets EKS pods assume an IAM role without static credentials. EKS injects a short-lived token into the pod automatically.
+Create a ConfigMap with bucket configuration:
 **Prerequisites:**
 1. Your EKS cluster must have an [OIDC provider](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) associated with it.
 2. An IAM role with a trust policy that allows the Kubeshark service account to assume it.
 **Step 1 — Create an IAM policy scoped to your bucket:**
 ```json
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::my-kubeshark-snapshots",
        "arn:aws:s3:::my-kubeshark-snapshots/*"
      ]
    }
  ]
 }
 ```
 > For read-only access, remove `s3:PutObject`, `s3:DeleteObject`, and `s3:DeleteObjectVersion`.
 **Step 2 — Create an IAM role with IRSA trust policy:**
 ```bash
 # Get your cluster's OIDC provider URL
 OIDC_PROVIDER=$(aws eks describe-cluster --name CLUSTER_NAME \
  --query "cluster.identity.oidc.issuer" --output text | sed 's|https://||')
 # Create a trust policy
 # The default K8s SA name is "<release-name>-service-account" (e.g. "kubeshark-service-account")
 cat > trust-policy.json <<EOF
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:NAMESPACE:kubeshark-service-account",
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
 }
 EOF
 # Create the role and attach your policy
 aws iam create-role \
  --role-name KubesharkS3Role \
  --assume-role-policy-document file://trust-policy.json
 aws iam put-role-policy \
  --role-name KubesharkS3Role \
  --policy-name KubesharkSnapshotsBucketAccess \
  --policy-document file://bucket-policy.json
 ```
 **Step 3 — Create a ConfigMap with bucket configuration:**
 ```yaml
 apiVersion: v1
@@ -185,12 +107,10 @@ data:
  SNAPSHOT_AWS_REGION: us-east-1
 ```
-**Step 4 — Set Helm values with `tap.annotations` to annotate the service account:**
+Set Helm values:
 ```yaml
 tap:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/KubesharkS3Role
  snapshots:
    cloud:
      provider: "s3"
@@ -198,17 +118,7 @@ tap:
        - kubeshark-s3-config
 ```
-Or via `--set`:
+The hub pod's service account must be annotated for IRSA with an IAM role that has S3 access to the bucket.
 ```bash
 helm install kubeshark kubeshark/kubeshark \
  --set tap.snapshots.cloud.provider=s3 \
  --set tap.snapshots.cloud.s3.bucket=my-kubeshark-snapshots \
  --set tap.snapshots.cloud.s3.region=us-east-1 \
  --set tap.annotations."eks\.amazonaws\.com/role-arn"=arn:aws:iam::ACCOUNT_ID:role/KubesharkS3Role
 ```
 No `accessKey`/`secretKey` is needed — EKS injects credentials automatically via the IRSA token.
 ### Example: Static Credentials
--- a/helm-chart/templates/06-front-deployment.yaml
+++ b/helm-chart/templates/06-front-deployment.yaml
@@ -26,15 +26,15 @@ spec:
        - env:
            - name: REACT_APP_AUTH_ENABLED
              value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
-                        {{ (default false .Values.demoModeEnabled) | ternary true ((and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false) }}
+                        {{ (and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false }}
                      {{- else -}}
-                        {{ .Values.cloudLicenseEnabled | ternary "true" ((default false .Values.demoModeEnabled) | ternary "true" .Values.tap.auth.enabled) }}
+                        {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
                      {{- end }}'
            - name: REACT_APP_AUTH_TYPE
              value: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
                        default
                      {{- else -}}
-                        {{ (default false .Values.demoModeEnabled) | ternary "default" .Values.tap.auth.type }}
+                        {{ .Values.tap.auth.type }}
                      {{- end }}'
            - name: REACT_APP_COMPLETE_STREAMING_ENABLED
              value: '{{- if and (hasKey .Values.tap "dashboard") (hasKey .Values.tap.dashboard "completeStreamingEnabled") -}}
@@ -55,22 +55,30 @@ spec:
                        false
                      {{- end }}'
            - name: REACT_APP_SCRIPTING_DISABLED
-              value: '{{ default false .Values.demoModeEnabled }}'
+              value: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
                        {{- if .Values.demoModeEnabled -}}
                          {{ .Values.demoModeEnabled | ternary false true }}
                        {{- else -}}
                          true
                        {{- end }}
                      {{- else -}}
                        false
                      {{- end }}'
            - name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED
-              value: '{{ default false .Values.demoModeEnabled }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
            - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED
-              value: '{{ not (default false .Values.demoModeEnabled) }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
            - name: REACT_APP_BPF_OVERRIDE_DISABLED
              value: '{{ eq .Values.tap.packetCapture "af_packet" | ternary "false" "true" }}'
            - name: REACT_APP_RECORDING_DISABLED
-              value: '{{ default false .Values.demoModeEnabled }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
            - name: REACT_APP_DISSECTION_ENABLED
              value: '{{ .Values.tap.capture.dissection.enabled | ternary "true" "false" }}'
            - name: REACT_APP_DISSECTION_CONTROL_ENABLED
-              value: '{{- if and (not .Values.demoModeEnabled) (not .Values.tap.capture.dissection.enabled) -}}
+              value: '{{- if and .Values.tap.liveConfigMapChangesDisabled (not .Values.tap.capture.dissection.enabled) -}}
                        true
                      {{- else -}}
-                        {{ not (default false .Values.demoModeEnabled) | ternary false true }}
+                        {{ not .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
                      {{- end -}}'
            - name: 'REACT_APP_CLOUD_LICENSE_ENABLED'
              value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
@@ -83,13 +91,7 @@ spec:
            - name: REACT_APP_BETA_ENABLED
              value: '{{ default false .Values.betaEnabled | ternary "true" "false" }}'
            - name: REACT_APP_DISSECTORS_UPDATING_ENABLED
-              value: '{{ not (default false .Values.demoModeEnabled) }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
            - name: REACT_APP_SNAPSHOTS_UPDATING_ENABLED
              value: '{{ not (default false .Values.demoModeEnabled) }}'
            - name: REACT_APP_DEMO_MODE_ENABLED
              value: '{{ default false .Values.demoModeEnabled }}'
            - name: REACT_APP_CLUSTER_WIDE_MAP_ENABLED
              value: '{{ default false (((.Values).tap).dashboard).clusterWideMapEnabled }}'
            - name: REACT_APP_RAW_CAPTURE_ENABLED
              value: '{{ .Values.tap.capture.raw.enabled | ternary "true" "false" }}'
            - name: REACT_APP_SENTRY_ENABLED
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@@ -19,14 +19,14 @@ data:
    INGRESS_HOST: '{{ .Values.tap.ingress.host }}'
    PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}'
    AUTH_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
-                        {{ (default false .Values.demoModeEnabled) | ternary true ((and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false) }}
+                      {{ and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex") | ternary true false }}
                  {{- else -}}
-                        {{ .Values.cloudLicenseEnabled | ternary "true" ((default false .Values.demoModeEnabled) | ternary "true" .Values.tap.auth.enabled) }}
+                      {{ .Values.cloudLicenseEnabled | ternary "true" (.Values.tap.auth.enabled | ternary "true" "") }}
                  {{- end }}'
    AUTH_TYPE: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
                  default
                {{- else -}}
-                  {{ (default false .Values.demoModeEnabled) | ternary "default" .Values.tap.auth.type }}
+                  {{ .Values.tap.auth.type }}
                {{- end }}'
    AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
    AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
@@ -44,14 +44,22 @@ data:
                                      false
                                    {{- end }}'
    TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
-    SCRIPTING_DISABLED: '{{ default false .Values.demoModeEnabled }}'
+    SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
-    TARGETED_PODS_UPDATE_DISABLED: '{{ default false .Values.demoModeEnabled }}'
+                           {{- if .Values.demoModeEnabled -}}
-    PRESET_FILTERS_CHANGING_ENABLED: '{{ not (default false .Values.demoModeEnabled) }}'
+                             {{ .Values.demoModeEnabled | ternary false true }}
-    RECORDING_DISABLED: '{{ (default false .Values.demoModeEnabled) | ternary true false }}'
+                           {{- else -}}
-    DISSECTION_CONTROL_ENABLED: '{{- if and (not .Values.demoModeEnabled) (not .Values.tap.capture.dissection.enabled) -}}
+                             true
                           {{- end }}
                         {{- else -}}
                           false
                         {{- end }}'
    TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
    PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
    RECORDING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
    DISSECTION_CONTROL_ENABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled (not .Values.tap.capture.dissection.enabled) -}}
                                     true
                                   {{- else -}}
-                                     {{ (default false .Values.demoModeEnabled) | ternary false true }}
+                                     {{ not .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
                                   {{- end }}'
    GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
    DEFAULT_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.defaultFilter | quote }}
@@ -68,9 +76,7 @@ data:
    DUPLICATE_TIMEFRAME: '{{ .Values.tap.misc.duplicateTimeframe }}'
    ENABLED_DISSECTORS: '{{ gt (len .Values.tap.enabledDissectors) 0 | ternary (join "," .Values.tap.enabledDissectors) "" }}'
    CUSTOM_MACROS: '{{ toJson .Values.tap.customMacros }}'
-    DISSECTORS_UPDATING_ENABLED: '{{ not (default false .Values.demoModeEnabled) }}'
+    DISSECTORS_UPDATING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
    SNAPSHOTS_UPDATING_ENABLED: '{{ not (default false .Values.demoModeEnabled) }}'
    DEMO_MODE_ENABLED: '{{ default false .Values.demoModeEnabled }}'
    DETECT_DUPLICATES: '{{ .Values.tap.misc.detectDuplicates | ternary "true" "false" }}'
    PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled }}'
    PCAP_TIME_INTERVAL: '{{ .Values.pcapdump.timeInterval }}'
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -185,7 +185,6 @@ tap:
  dashboard:
    streamingType: connect-rpc
    completeStreamingEnabled: true
    clusterWideMapEnabled: false
  telemetry:
    enabled: true
  resourceGuard:
@@ -198,6 +197,7 @@ tap:
    enabled: false
    environment: production
  defaultFilter: ""
  liveConfigMapChangesDisabled: false
  globalFilter: ""
  enabledDissectors:
  - amqp