Install with Helm

Read the Helm section for most up-to-date instructions

While the CLI is a great option for on-demand usage and running on dev & test clusters, for a more permanent deployment, you can use Helm and add Kubeshark’s Helm repository:

Official

Add the Helm repo for Kubeshark:

helm repo add kubeshark https://helm.kubeshark.co

then install Kubeshark:

helm install kubeshark kubeshark/kubeshark

Local

Clone the repo:

git clone git@github.com:kubeshark/kubeshark.git --depth 1
cd kubeshark/helm-chart

Render the templates

helm template .

Install Kubeshark:

helm install kubeshark .

Uninstall Kubeshark:

helm uninstall kubeshark

Configuration

Parameter	Description	Default
`tap.docker.registry`	Docker registry to pull from	`docker.io/kubeshark`
`tap.docker.tag`	Tag of the Docker images	`latest`
`tap.docker.imagePullPolicy`	Kubernetes image pull policy	`Always`
`tap.docker.imagePullSecrets`	Kubernetes secrets to pull the images	`[]`
`tap.proxy.worker.srvPort`	Worker server port	`30001`
`tap.proxy.hub.port`	Hub service port	`8898`
`tap.proxy.hub.srvPort`	Hub server port	`8898`
`tap.proxy.front.port`	Front-facing service port	`8899`
`tap.proxy.host`	Proxy server’s IP	`127.0.0.1`
`tap.namespaces`	List of namespaces for the traffic capture	`[]`
`tap.release.repo`	URL of the Helm chart repository	`https://helm.kubeshark.co`
`tap.release.name`	Helm release name	`kubeshark`
`tap.release.namespace`	Helm release namespace	`default`
`tap.persistentStorage`	Use `persistentVolumeClaim` instead of `emptyDir`	`false`
`tap.persistentStorageStatic`	Use static persistent volume provisioning (explicitly defined `PersistentVolume` )	`false`
`tap.efsFileSytemIdAndPath`	EFS file system ID and, optionally, subpath and/or access point `<FileSystemId>:<Path>:<AccessPointId>`	""
`tap.storageLimit`	Limit of either the `emptyDir` or `persistentVolumeClaim`	`500Mi`
`tap.storageClass`	Storage class of the `PersistentVolumeClaim`	`standard`
`tap.dryRun`	Preview of all pods matching the regex, without tapping them	`false`
`tap.pcap`		`""`
`tap.resources.worker.limits.cpu`	CPU limit for worker	`750m`
`tap.resources.worker.limits.memory`	Memory limit for worker	`1Gi`
`tap.resources.worker.requests.cpu`	CPU request for worker	`50m`
`tap.resources.worker.requests.memory`	Memory request for worker	`50Mi`
`tap.resources.hub.limits.cpu`	CPU limit for hub	`750m`
`tap.resources.hub.limits.memory`	Memory limit for hub	`1Gi`
`tap.resources.hub.requests.cpu`	CPU request for hub	`50m`
`tap.resources.hub.requests.memory`	Memory request for hub	`50Mi`
`tap.serviceMesh`	Capture traffic from service meshes like Istio, Linkerd, Consul, etc.	`true`
`tap.tls`	Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL	`true`
`tap.ignoreTainted`	Whether to ignore tainted nodes	`false`
`tap.labels`	Kubernetes labels to apply to all Kubeshark resources	`{}`
`tap.annotations`	Kubernetes annotations to apply to all Kubeshark resources	`{}`
`tap.nodeSelectorTerms`	Node selector terms	`[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]`
`tap.auth.enabled`	Enable authentication	`false`
`tap.auth.type`	Authentication type (1 option available: `saml`)	`saml`
`tap.auth.approvedEmails`	List of approved email addresses for authentication	`[]`
`tap.auth.approvedDomains`	List of approved email domains for authentication	`[]`
`tap.auth.saml.idpMetadataUrl`	SAML IDP metadata URL (effective, if `tap.auth.type = saml`)	“
`tap.auth.saml.x509crt`	A self-signed X.509 `.cert` contents (effective, if `tap.auth.type = saml`)	“
`tap.auth.saml.x509key`	A self-signed X.509 `.key` contents (effective, if `tap.auth.type = saml`)	“
`tap.auth.saml.roleAttribute`	A SAML attribute name corresponding to user’s authorization role (effective, if `tap.auth.type = saml`)	`role`
`tap.auth.saml.roles`	A list of SAML authorization roles and their permissions (effective, if `tap.auth.type = saml`)	`{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}`
`tap.ingress.enabled`	Enable `Ingress`	`false`
`tap.ingress.className`	Ingress class name	`""`
`tap.ingress.host`	Host of the `Ingress`	`ks.svc.cluster.local`
`tap.ingress.tls`	`Ingress` TLS configuration	`[]`
`tap.ingress.annotations`	`Ingress` annotations	`{}`
`tap.ipv6`	Enable IPv6 support for the front-end	`true`
`tap.debug`	Enable debug mode	`false`
`tap.kernelModule.enabled`	Use PF_RING kernel module(details)	`true`
`tap.kernelModule.image`	Container image containing PF_RING kernel module with supported kernel version(details)	“kubeshark/pf-ring-module:all”
`tap.kernelModule.unloadOnDestroy`	Create additional container which watches for pod termination and unloads PF_RING kernel module.	`false`
`tap.telemetry.enabled`	Enable anonymous usage statistics collection	`true`
`tap.defaultFilter`	Sets the default dashboard KFL filter (e.g. `http`)	`""`
`tap.globalFilter`	Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field.	`""`
`logs.file`	Logs dump path	`""`
`kube.configPath`	Path to the `kubeconfig` file (`$HOME/.kube/config`)	`""`
`kube.context`	Kubernetes context to use for the deployment	`""`
`dumpLogs`	Enable dumping of logs	`false`
`headless`	Enable running in headless mode	`false`
`license`	License key for the Pro/Enterprise edition	`""`
`scripting.env`	Environment variables for the scripting	`{}`
`scripting.source`	Source directory of the scripts	`""`
`scripting.watchScripts`	Enable watch mode for the scripts in source directory	`true`
`tap.metrics.port`	Pod port used to expose Prometheus metrics	`49100`

KernelMapping pairs kernel versions with a DriverContainer image. Kernel versions can be matched literally or using a regular expression

Port-forward

Do the port forwarding:

kubectl port-forward service/kubeshark-front 8899:80

Visit localhost:8899

Increase the Worker’s Storage Limit

For example, change from the default 500Mi to 5Gi:

--set tap.storageLimit=5Gi

Add a License

When it’s necessary, you can use:

--set license=YOUR_LICENSE_GOES_HERE

Get your license from Kubeshark’s Admin Console.

Installing with Ingress (EKS) enabled

helm install kubeshark kubeshark/kubeshark -f values.yaml

Set this value.yaml:

tap:
  ingress:
    enabled: true
    className: "alb"
    host: ks.example.com
    tls: []
    annotations:
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/scheme: internet-facing

Disabling IPV6

Not all have IPV6 enabled, hence this has to be disabled as follows:

helm install kubeshark kubeshark/kubeshark \
  --set tap.ipv6=false

Metrics

Please refer to metrics documentation for details.

Installing with SAML enabled

Prerequisites:

1. Generate X.509 certificate & key (TL;DR: https://ubuntu.com/server/docs/security-certificates)

Example:

openssl genrsa -out mykey.key 2048
openssl req -new -key mykey.key -out mycsr.csr
openssl x509 -signkey mykey.key -in mycsr.csr -req -days 365 -out mycert.crt

What you get:

mycert.crt - use it for tap.auth.saml.x509crt
mykey.key - use it for tap.auth.saml.x509crt

2. Prepare your SAML IDP

You should set up the required SAML IDP (Google, Auth0, your custom IDP, etc.)

During setup, an IDP provider will typically request to enter:

Metadata URL
ACS URL (Assertion Consumer Service URL, aka Callback URL)
SLO URL (Single Logout URL)

Correspondingly, you will enter these (if you run the most default Kubeshark setup):

Otherwise, if you have tap.ingress.enabled == true, change protocol & domain respectively - showing example domain:

helm install kubeshark kubeshark/kubeshark -f values.yaml

Set this value.yaml:

tap:
  auth:
    enabled: true
    type: saml
    approvedEmails: []
    approvedDomains: []
    approvedTenants: []
    saml:
      idpMetadataUrl: "https://tiptophelmet.us.auth0.com/samlp/metadata/MpWiDCMMB5ShU1HRnhdb1sHM6VWqdnDG"
      x509crt: |
        -----BEGIN CERTIFICATE-----
        MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG
        MSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAZXhhbXBsZS5jb20wHhcNMjMxMjI4
        ........<redacted: please, generate your own X.509 cert>........
        ZMzM7YscqZwoVhTOhrD4/5nIfOD/hTWG/MBe2Um1V1IYF8aVEllotTKTgsF6ZblA
        miCOgl6lIlZy
        -----END CERTIFICATE-----
      x509key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDlgDFKsRHj+mok
        euOF0IpwToOEpQGtafB75ytv3psD/tQAzEIug+rkDriVvsfcvafj0qcaTeYvnCoz
        ........<redacted: please, generate your own X.509 key>.........
        sUpBCu0E3nRJM/QB2ui5KhNR7uvPSL+kSsaEq19/mXqsL+mRi9aqy2wMEvUSU/kt
        UaV5sbRtTzYLxpOSQyi8CEFA+A==
        -----END PRIVATE KEY-----

helm repo add kubeshark https://helm.kubeshark.co

Once the repository was added you can install Kubeshark:

helm install kubeshark kubeshark/kubeshark