--- # Source: kubeshark/templates/17-network-policies.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub-network-policy namespace: default spec: podSelector: matchLabels: app.kubeshark.co/app: hub policyTypes: - Ingress - Egress ingress: - ports: - protocol: TCP port: 8080 - ports: - protocol: TCP port: 9100 egress: - {} --- # Source: kubeshark/templates/17-network-policies.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front-network-policy namespace: default spec: podSelector: matchLabels: app.kubeshark.co/app: front policyTypes: - Ingress - Egress ingress: - ports: - protocol: TCP port: 8080 egress: - {} --- # Source: kubeshark/templates/17-network-policies.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-worker-network-policy namespace: default spec: podSelector: matchLabels: app.kubeshark.co/app: worker policyTypes: - Ingress - Egress ingress: - ports: - protocol: TCP port: 48999 - protocol: TCP port: 49100 egress: - {} --- # Source: kubeshark/templates/01-service-account.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-service-account namespace: default --- # Source: kubeshark/templates/13-secret.yaml kind: Secret apiVersion: v1 metadata: name: kubeshark-secret namespace: default labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm stringData: LICENSE: '' SCRIPTING_ENV: '{}' --- # Source: kubeshark/templates/13-secret.yaml kind: Secret apiVersion: v1 metadata: name: kubeshark-saml-x509-crt-secret namespace: default labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm stringData: AUTH_SAML_X509_CRT: | --- # Source: kubeshark/templates/13-secret.yaml kind: Secret apiVersion: v1 metadata: name: kubeshark-saml-x509-key-secret namespace: default labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm stringData: AUTH_SAML_X509_KEY: | --- # Source: kubeshark/templates/11-nginx-config-map.yaml apiVersion: v1 kind: ConfigMap metadata: name: kubeshark-nginx-config-map namespace: default labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm data: default.conf: | server { listen 8080; listen [::]:8080; access_log /dev/stdout; error_log /dev/stdout; client_body_buffer_size 64k; client_header_buffer_size 32k; large_client_header_buffers 8 64k; location /api { rewrite ^/api(.*)$ $1 break; proxy_pass http://kubeshark-hub; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; proxy_set_header Upgrade websocket; proxy_set_header Connection Upgrade; proxy_set_header Authorization $http_authorization; proxy_pass_header Authorization; proxy_connect_timeout 4s; proxy_read_timeout 120s; proxy_send_timeout 12s; proxy_pass_request_headers on; } location /saml { rewrite ^/saml(.*)$ /saml$1 break; proxy_pass http://kubeshark-hub; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; proxy_connect_timeout 4s; proxy_read_timeout 120s; proxy_send_timeout 12s; proxy_pass_request_headers on; } location / { root /usr/share/nginx/html; index index.html index.htm; try_files $uri $uri/ /index.html; expires -1; add_header Cache-Control no-cache; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } --- # Source: kubeshark/templates/12-config-map.yaml kind: ConfigMap apiVersion: v1 metadata: name: kubeshark-config-map namespace: default labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm data: POD_REGEX: '.*' NAMESPACES: '' EXCLUDED_NAMESPACES: '' BPF_OVERRIDE: '' STOPPED: 'false' SCRIPTING_SCRIPTS: '{}' SCRIPTING_ACTIVE_SCRIPTS: '' INGRESS_ENABLED: 'false' INGRESS_HOST: 'ks.svc.cluster.local' PROXY_FRONT_PORT: '8899' AUTH_ENABLED: 'true' AUTH_TYPE: 'oidc' AUTH_SAML_IDP_METADATA_URL: '' AUTH_SAML_ROLE_ATTRIBUTE: 'role' AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}' TELEMETRY_DISABLED: 'false' SCRIPTING_DISABLED: '' TARGETED_PODS_UPDATE_DISABLED: '' PRESET_FILTERS_CHANGING_ENABLED: 'true' RECORDING_DISABLED: '' STOP_TRAFFIC_CAPTURING_DISABLED: 'false' GLOBAL_FILTER: "" DEFAULT_FILTER: "!dns and !error" TRAFFIC_SAMPLE_RATE: '100' JSON_TTL: '5m' PCAP_TTL: '10s' PCAP_ERROR_TTL: '60s' TIMEZONE: ' ' CLOUD_LICENSE_ENABLED: 'true' DUPLICATE_TIMEFRAME: '200ms' ENABLED_DISSECTORS: 'amqp,dns,http,icmp,kafka,redis,sctp,syscall,ws,ldap,radius,diameter' CUSTOM_MACROS: '{"https":"tls and (http or http2)"}' DISSECTORS_UPDATING_ENABLED: 'true' DETECT_DUPLICATES: 'false' PCAP_DUMP_ENABLE: 'true' PCAP_TIME_INTERVAL: '1m' PCAP_MAX_TIME: '1h' PCAP_MAX_SIZE: '500MB' PORT_MAPPING: '{"amqp":[5671,5672],"diameter":[3868],"http":[80,443,8080],"kafka":[9092],"ldap":[389],"redis":[6379]}' --- # Source: kubeshark/templates/02-cluster-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-cluster-role-default namespace: default rules: - apiGroups: - "" - extensions - apps resources: - nodes - pods - services - endpoints - persistentvolumeclaims verbs: - list - get - watch - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - get - list - watch - create - update - delete --- # Source: kubeshark/templates/03-cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-cluster-role-binding-default namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubeshark-cluster-role-default subjects: - kind: ServiceAccount name: kubeshark-service-account namespace: default --- # Source: kubeshark/templates/02-cluster-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role namespace: default rules: - apiGroups: - "" - v1 resourceNames: - kubeshark-secret - kubeshark-config-map resources: - secrets - configmaps verbs: - get - watch - list - update - patch --- # Source: kubeshark/templates/03-cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubeshark-self-config-role subjects: - kind: ServiceAccount name: kubeshark-service-account namespace: default --- # Source: kubeshark/templates/05-hub-service.yaml apiVersion: v1 kind: Service metadata: labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub namespace: default spec: ports: - name: kubeshark-hub port: 80 targetPort: 8080 selector: app.kubeshark.co/app: hub type: ClusterIP --- # Source: kubeshark/templates/07-front-service.yaml apiVersion: v1 kind: Service metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front namespace: default spec: ports: - name: kubeshark-front port: 80 targetPort: 8080 selector: app.kubeshark.co/app: front type: ClusterIP --- # Source: kubeshark/templates/15-worker-service-metrics.yaml kind: Service apiVersion: v1 metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: prometheus.io/scrape: 'true' prometheus.io/port: '49100' name: kubeshark-worker-metrics namespace: default spec: selector: app.kubeshark.co/app: worker helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm ports: - name: metrics protocol: TCP port: 49100 targetPort: 49100 --- # Source: kubeshark/templates/16-hub-service-metrics.yaml kind: Service apiVersion: v1 metadata: labels: helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: prometheus.io/scrape: 'true' prometheus.io/port: '9100' name: kubeshark-hub-metrics namespace: default spec: selector: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm ports: - name: metrics protocol: TCP port: 9100 targetPort: 9100 --- # Source: kubeshark/templates/09-worker-daemon-set.yaml apiVersion: apps/v1 kind: DaemonSet metadata: labels: app.kubeshark.co/app: worker sidecar.istio.io/inject: "false" helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-worker-daemon-set namespace: default spec: selector: matchLabels: app.kubeshark.co/app: worker app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark template: metadata: labels: app.kubeshark.co/app: worker helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm name: kubeshark-worker-daemon-set namespace: kubeshark spec: initContainers: - command: - /bin/sh - -c - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf image: 'docker.io/kubeshark/worker:v52.4' imagePullPolicy: Always name: mount-bpf securityContext: privileged: true volumeMounts: - mountPath: /sys name: sys mountPropagation: Bidirectional containers: - command: - ./worker - -i - any - -port - '48999' - -metrics-port - '49100' - -packet-capture - 'best' - -loglevel - 'warning' - -servicemesh - -procfs - /hostproc - -resolution-strategy - 'auto' - -staletimeout - '30' image: 'docker.io/kubeshark/worker:v52.4' imagePullPolicy: Always name: sniffer ports: - containerPort: 49100 protocol: TCP name: metrics env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: TCP_STREAM_CHANNEL_TIMEOUT_MS value: '10000' - name: TCP_STREAM_CHANNEL_TIMEOUT_SHOW value: 'false' - name: KUBESHARK_CLOUD_API_URL value: 'https://api.kubeshark.co' - name: PROFILING_ENABLED value: 'false' - name: SENTRY_ENABLED value: 'false' - name: SENTRY_ENVIRONMENT value: 'production' resources: limits: memory: 5Gi requests: cpu: 50m memory: 50Mi securityContext: privileged: true readinessProbe: periodSeconds: 10 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 15 tcpSocket: port: 48999 livenessProbe: periodSeconds: 10 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 15 tcpSocket: port: 48999 volumeMounts: - mountPath: /hostproc name: proc readOnly: true - mountPath: /sys name: sys readOnly: true mountPropagation: HostToContainer - mountPath: /app/data name: data - command: - ./tracer - -procfs - /hostproc - -disable-tls-log - -loglevel - 'warning' image: 'docker.io/kubeshark/worker:v52.4' imagePullPolicy: Always name: tracer env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: PROFILING_ENABLED value: 'false' - name: SENTRY_ENABLED value: 'false' - name: SENTRY_ENVIRONMENT value: 'production' resources: limits: memory: 5Gi requests: cpu: 50m memory: 50Mi securityContext: privileged: true volumeMounts: - mountPath: /hostproc name: proc readOnly: true - mountPath: /sys name: sys readOnly: true mountPropagation: HostToContainer - mountPath: /app/data name: data - mountPath: /etc/os-release name: os-release readOnly: true dnsPolicy: ClusterFirstWithHostNet hostNetwork: true serviceAccountName: kubeshark-service-account terminationGracePeriodSeconds: 0 tolerations: - effect: NoExecute operator: Exists - effect: NoSchedule operator: Exists affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux volumes: - hostPath: path: /proc name: proc - hostPath: path: /sys name: sys - name: lib-modules hostPath: path: /lib/modules - hostPath: path: /etc/os-release name: os-release - name: data emptyDir: sizeLimit: 5000Mi --- # Source: kubeshark/templates/04-hub-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-hub namespace: default spec: replicas: 1 # Set the desired number of replicas selector: matchLabels: app.kubeshark.co/app: hub app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark template: metadata: labels: app.kubeshark.co/app: hub helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm spec: dnsPolicy: ClusterFirstWithHostNet serviceAccountName: kubeshark-service-account containers: - name: hub command: - ./hub - -port - "8080" - -loglevel - 'warning' env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: SENTRY_ENABLED value: 'false' - name: SENTRY_ENVIRONMENT value: 'production' - name: KUBESHARK_CLOUD_API_URL value: 'https://api.kubeshark.co' - name: PROFILING_ENABLED value: 'false' image: 'docker.io/kubeshark/hub:v52.4' imagePullPolicy: Always readinessProbe: periodSeconds: 10 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 15 tcpSocket: port: 8080 livenessProbe: periodSeconds: 10 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 15 tcpSocket: port: 8080 resources: limits: memory: 5Gi requests: cpu: 50m memory: 50Mi volumeMounts: - name: saml-x509-volume mountPath: "/etc/saml/x509" readOnly: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux volumes: - name: saml-x509-volume projected: sources: - secret: name: kubeshark-saml-x509-crt-secret items: - key: AUTH_SAML_X509_CRT path: kubeshark.crt - secret: name: kubeshark-saml-x509-key-secret items: - key: AUTH_SAML_X509_KEY path: kubeshark.key --- # Source: kubeshark/templates/06-front-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubeshark.co/app: front helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front namespace: default spec: replicas: 1 # Set the desired number of replicas selector: matchLabels: app.kubeshark.co/app: front app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark template: metadata: labels: app.kubeshark.co/app: front helm.sh/chart: kubeshark-52.4 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark app.kubernetes.io/version: "52.4" app.kubernetes.io/managed-by: Helm spec: containers: - env: - name: REACT_APP_AUTH_ENABLED value: 'true' - name: REACT_APP_AUTH_TYPE value: 'oidc' - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL value: ' ' - name: REACT_APP_TIMEZONE value: ' ' - name: REACT_APP_SCRIPTING_DISABLED value: 'false' - name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED value: 'false' - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED value: 'true' - name: REACT_APP_BPF_OVERRIDE_DISABLED value: 'false' - name: REACT_APP_RECORDING_DISABLED value: 'false' - name: REACT_APP_STOP_TRAFFIC_CAPTURING_DISABLED value: 'false' - name: 'REACT_APP_CLOUD_LICENSE_ENABLED' value: 'true' - name: REACT_APP_SUPPORT_CHAT_ENABLED value: 'true' - name: REACT_APP_DISSECTORS_UPDATING_ENABLED value: 'true' - name: REACT_APP_SENTRY_ENABLED value: 'false' - name: REACT_APP_SENTRY_ENVIRONMENT value: 'production' image: 'docker.io/kubeshark/front:v52.4' imagePullPolicy: Always name: kubeshark-front livenessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 3 tcpSocket: port: 8080 readinessProbe: periodSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 3 tcpSocket: port: 8080 timeoutSeconds: 1 resources: limits: cpu: 750m memory: 1Gi requests: cpu: 50m memory: 50Mi volumeMounts: - name: nginx-config mountPath: /etc/nginx/conf.d/default.conf subPath: default.conf readOnly: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux volumes: - name: nginx-config configMap: name: kubeshark-nginx-config-map dnsPolicy: ClusterFirstWithHostNet serviceAccountName: kubeshark-service-account