Merge branch 'master' into close_file

README.md

@@ -23,7 +23,7 @@
 <p align="center">
   <b>
 	  Want to see Kubeshark in action,  right now? Visit this
-	  <a href="https://demo.kubeshark.co/">live demo deploymenet</a> of Kubeshark.
+	  <a href="https://demo.kubeshark.co/">live demo deployment</a> of Kubeshark.
   </b>
 </p>
 

cmd/common.go

@@ -22,7 +22,7 @@ func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, ctx con
 	if err != nil {
 		log.Error().
 			Err(errormessage.FormatError(err)).
-			Msg(fmt.Sprintf("Error occured while running K8s proxy. Try setting different port using --%s", proxyPortLabel))
+			Msg(fmt.Sprintf("Error occurred while running K8s proxy. Try setting different port using --%s", proxyPortLabel))
 		return
 	}
 
@@ -42,7 +42,7 @@ func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, ctx con
 			log.Error().
 				Str("pod-regex", podRegex.String()).
 				Err(errormessage.FormatError(err)).
-				Msg(fmt.Sprintf("Error occured while running port forward. Try setting different port using --%s", proxyPortLabel))
+				Msg(fmt.Sprintf("Error occurred while running port forward. Try setting different port using --%s", proxyPortLabel))
 			return
 		}
 

config/config.go

@@ -41,7 +41,7 @@ func InitConfig(cmd *cobra.Command) error {
 	var err error
 	DebugMode, err = cmd.Flags().GetBool(DebugFlag)
 	if err != nil {
-		log.Error().Err(err).Msg(fmt.Sprintf("Can't recieve '%s' flag", DebugFlag))
+		log.Error().Err(err).Msg(fmt.Sprintf("Can't receive '%s' flag", DebugFlag))
 	}
 
 	if DebugMode {

config/configStruct.go

@@ -87,16 +87,17 @@ type ManifestsConfig struct {
 }
 
 type ConfigStruct struct {
-	Tap          configStructs.TapConfig       `yaml:"tap" json:"tap"`
-	Logs         configStructs.LogsConfig      `yaml:"logs" json:"logs"`
-	Config       configStructs.ConfigConfig    `yaml:"config,omitempty" json:"config,omitempty"`
-	Kube         KubeConfig                    `yaml:"kube" json:"kube"`
-	DumpLogs     bool                          `yaml:"dumpLogs" json:"dumpLogs" default:"false"`
-	HeadlessMode bool                          `yaml:"headless" json:"headless" default:"false"`
-	License      string                        `yaml:"license" json:"license" default:""`
-	Scripting    configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
-	Manifests    ManifestsConfig               `yaml:"manifests,omitempty" json:"manifests,omitempty"`
-	Timezone     string                        `yaml:"timezone" json:"timezone"`
+	Tap                 configStructs.TapConfig       `yaml:"tap" json:"tap"`
+	Logs                configStructs.LogsConfig      `yaml:"logs" json:"logs"`
+	Config              configStructs.ConfigConfig    `yaml:"config,omitempty" json:"config,omitempty"`
+	Kube                KubeConfig                    `yaml:"kube" json:"kube"`
+	DumpLogs            bool                          `yaml:"dumpLogs" json:"dumpLogs" default:"false"`
+	HeadlessMode        bool                          `yaml:"headless" json:"headless" default:"false"`
+	License             string                        `yaml:"license" json:"license" default:""`
+	CloudLicenseEnabled bool                          `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"`
+	Scripting           configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
+	Manifests           ManifestsConfig               `yaml:"manifests,omitempty" json:"manifests,omitempty"`
+	Timezone            string                        `yaml:"timezone" json:"timezone"`
 }
 
 func (config *ConfigStruct) ImagePullPolicy() v1.PullPolicy {

config/configStructs/tapConfig.go

@@ -141,9 +141,12 @@ type MetricsConfig struct {
 }
 
 type MiscConfig struct {
-	JsonTTL      string `yaml:"jsonTTL" json:"jsonTTL" default:"5m"`
-	PcapTTL      string `yaml:"pcapTTL" json:"pcapTTL" default:"10s"`
-	PcapErrorTTL string `yaml:"pcapErrorTTL" json:"pcapErrorTTL" default:"60s"`
+	JsonTTL                     string `yaml:"jsonTTL" json:"jsonTTL" default:"5m"`
+	PcapTTL                     string `yaml:"pcapTTL" json:"pcapTTL" default:"10s"`
+	PcapErrorTTL                string `yaml:"pcapErrorTTL" json:"pcapErrorTTL" default:"60s"`
+	TrafficSampleRate           int    `yaml:"trafficSampleRate" json:"trafficSampleRate" default:"100"`
+	TcpStreamChannelTimeoutMs   int    `yaml:"tcpStreamChannelTimeoutMs" json:"tcpStreamChannelTimeoutMs" default:"10000"`
+	TcpStreamChannelTimeoutShow bool   `yaml:"tcpStreamChannelTimeoutShow" json:"tcpStreamChannelTimeoutShow" default:"false"`
 }
 
 type TapConfig struct {
@@ -180,8 +183,6 @@ type TapConfig struct {
 	Capabilities               CapabilitiesConfig    `yaml:"capabilities" json:"capabilities"`
 	GlobalFilter               string                `yaml:"globalFilter" json:"globalFilter"`
 	Metrics                    MetricsConfig         `yaml:"metrics" json:"metrics"`
-	TrafficSampleRate          int                   `yaml:"trafficSampleRate" json:"trafficSampleRate" default:"100"`
-	TcpStreamChannelTimeoutMs  int                   `yaml:"tcpStreamChannelTimeoutMs" json:"tcpStreamChannelTimeoutMs" default:"10000"`
 	Misc                       MiscConfig            `yaml:"misc" json:"misc"`
 }
 

helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: kubeshark
-version: "52.2.1"
+version: "52.3.0"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.co
 keywords:

helm-chart/templates/02-cluster-role.yaml

@@ -24,13 +24,13 @@ rules:
       - list
       - get
       - watch
-  - apiGroups: 
+  - apiGroups:
       - ""
-    resources: 
+    resources:
       - namespaces
-    verbs: 
+    verbs:
       - get
-    resourceNames: 
+    resourceNames:
       - kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1

helm-chart/templates/04-hub-deployment.yaml

@@ -16,7 +16,7 @@ spec:
   selector:
     matchLabels:
       app.kubeshark.co/app: hub
-      {{- include "kubeshark.labels" . | nindent 6 }}
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:

helm-chart/templates/06-front-deployment.yaml

@@ -15,7 +15,7 @@ spec:
   selector:
     matchLabels:
       app.kubeshark.co/app: front
-      {{- include "kubeshark.labels" . | nindent 6 }}
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
@@ -27,9 +27,13 @@ spec:
             - name: REACT_APP_DEFAULT_FILTER
               value: '{{ not (eq .Values.tap.defaultFilter "") | ternary .Values.tap.defaultFilter " " }}'
             - name: REACT_APP_AUTH_ENABLED
-              value: '{{ .Values.tap.auth.enabled }}'
+              value: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
+                      "false"
+                    {{- else -}}
+                      {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
+                    {{- end }}'
             - name: REACT_APP_AUTH_TYPE
-              value: '{{ not (eq .Values.tap.auth.type "") | ternary .Values.tap.auth.type " " }}'
+              value: '{{ not (eq .Values.tap.auth.type "") | ternary (.Values.cloudLicenseEnabled | ternary "oidc" .Values.tap.auth.type) " " }}'
             - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
               value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
             - name: REACT_APP_TIMEZONE
@@ -42,6 +46,12 @@ spec:
               value: '{{ .Values.tap.targetedPodsUpdateDisabled }}'
             - name: REACT_APP_RECORDING_DISABLED
               value: '{{ .Values.tap.recordingDisabled }}'
+            - name: 'REACT_APP_CLOUD_LICENSE_ENABLED'
+              value: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
+                        "false"
+                      {{- else -}}
+                        {{ .Values.cloudLicenseEnabled }}
+                      {{- end }}'
           image: '{{ .Values.tap.docker.registry }}/front:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (printf "v%s" .Chart.Version) }}'
           imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
           name: kubeshark-front

helm-chart/templates/09-worker-daemon-set.yaml

@@ -16,7 +16,7 @@ spec:
   selector:
     matchLabels:
       app.kubeshark.co/app: worker
-      {{- include "kubeshark.labels" . | nindent 6 }}
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
@@ -84,7 +84,9 @@ spec:
               fieldRef:
                 fieldPath: metadata.namespace
           - name: TCP_STREAM_CHANNEL_TIMEOUT_MS
-            value: '{{ .Values.tap.tcpStreamChannelTimeoutMs }}'
+            value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutMs }}'
+          - name: TCP_STREAM_CHANNEL_TIMEOUT_SHOW
+            value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutShow }}'
           - name: KUBESHARK_CLOUD_API_URL
             value: 'https://api.kubeshark.co'
           resources:
@@ -134,7 +136,7 @@ spec:
         - name: unload-pf-ring
           image: {{ .Values.tap.kernelModule.image }}
           command: ["/bin/sh"]
-          args: ["-c", "trap 'rmmod pf_ring && sleep 3' SIGTERM; while true; do sleep 1; done"] 
+          args: ["-c", "trap 'rmmod pf_ring && sleep 3' SIGTERM; while true; do sleep 1; done"]
           securityContext:
             capabilities:
               add:
@@ -177,6 +179,9 @@ spec:
                 {{- range .Values.tap.capabilities.ebpfCapture }}
                 {{ print "- " . }}
                 {{- end }}
+                {{- range .Values.tap.capabilities.networkCapture }}
+                {{ print "- " . }}
+                {{- end }}
               drop:
                 - ALL
           volumeMounts:

helm-chart/templates/12-config-map.yaml

@@ -13,8 +13,12 @@ data:
     INGRESS_ENABLED: '{{ .Values.tap.ingress.enabled }}'
     INGRESS_HOST: '{{ .Values.tap.ingress.host }}'
     PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}'
-    AUTH_ENABLED: '{{ .Values.tap.auth.enabled | ternary "true" "" }}'
-    AUTH_TYPE: '{{ .Values.tap.auth.type }}'
+    AUTH_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
+                      "false"
+                  {{- else -}}
+                      {{ .Values.cloudLicenseEnabled | ternary "true" (.Values.tap.auth.enabled | ternary "true" "") }}
+                  {{- end }}'
+    AUTH_TYPE: '{{ .Values.cloudLicenseEnabled | ternary "oidc" (.Values.tap.auth.type) }}'
     AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
     AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
     AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
@@ -24,8 +28,14 @@ data:
     TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.targetedPodsUpdateDisabled | ternary "true" "" }}'
     RECORDING_DISABLED: '{{ .Values.tap.recordingDisabled | ternary "true" "" }}'
     GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
-    TRAFFIC_SAMPLE_RATE: '{{ .Values.tap.trafficSampleRate }}'
+    TRAFFIC_SAMPLE_RATE: '{{ .Values.tap.misc.trafficSampleRate }}'
     JSON_TTL: '{{ .Values.tap.misc.jsonTTL }}'
     PCAP_TTL: '{{ .Values.tap.misc.pcapTTL }}'
     PCAP_ERROR_TTL: '{{ .Values.tap.misc.pcapErrorTTL }}'
     TIMEZONE: '{{ not (eq .Values.timezone "") | ternary .Values.timezone " " }}'
+    CLOUD_LICENSE_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
+                              false
+                            {{- else -}}
+                              {{ .Values.cloudLicenseEnabled }}
+                            {{- end }}'
+

helm-chart/templates/14-openshift-security-context-constraints.yaml

@@ -28,6 +28,7 @@ allowedCapabilities:
   - DAC_OVERRIDE
   - SYS_RESOURCE
   - SYS_MODULE
+  - IPC_LOCK
 runAsUser:
   type: RunAsAny
 fsGroup:

helm-chart/values.yaml

@@ -111,12 +111,13 @@ tap:
   globalFilter: ""
   metrics:
     port: 49100
-  trafficSampleRate: 100
-  tcpStreamChannelTimeoutMs: 10000
   misc:
     jsonTTL: 5m
     pcapTTL: 10s
     pcapErrorTTL: 60s
+    trafficSampleRate: 100
+    tcpStreamChannelTimeoutMs: 10000
+    tcpStreamChannelTimeoutShow: false
 logs:
   file: ""
 kube:
@@ -125,6 +126,7 @@ kube:
 dumpLogs: false
 headless: false
 license: ""
+cloudLicenseEnabled: true
 scripting:
   env: {}
   source: ""