Install with Helm
Read the Helm section for the most up-to-date instructions.
While the CLI is a great option for on-demand usage and running on dev & test clusters, for a more permanent deployment, you can use Helm and add Kubeshark’s Helm repository:
Official
Add the Helm repo for Kubeshark:
helm repo add kubeshark https://helm.kubeshark.co
then install Kubeshark:
helm install kubeshark kubeshark/kubeshark
Local
Clone the repo:
git clone git@github.com:kubeshark/kubeshark.git --depth 1
cd kubeshark/helm-chart
Render the templates
helm template .
Install Kubeshark:
helm install kubeshark .
Uninstall Kubeshark:
helm uninstall kubeshark
Configuration
Parameter | Description | Default |
---|---|---|
tap.docker.registry | Docker registry to pull from | docker.io/kubeshark |
tap.docker.tag | Tag of the Docker images | latest |
tap.docker.imagePullPolicy | Kubernetes image pull policy | Always |
tap.docker.imagePullSecrets | Kubernetes secrets to pull the images | [] |
tap.proxy.worker.srvPort | Worker server port | 30001 |
tap.proxy.hub.port | Hub service port | 8898 |
tap.proxy.hub.srvPort | Hub server port | 8898 |
tap.proxy.front.port | Front-facing service port | 8899 |
tap.proxy.host | Proxy server’s IP | 127.0.0.1 |
tap.namespaces | List of namespaces for the traffic capture | [] |
tap.release.repo | URL of the Helm chart repository | https://helm.kubeshark.co |
tap.release.name | Helm release name | kubeshark |
tap.release.namespace | Helm release namespace | default |
tap.persistentStorage | Use persistentVolumeClaim instead of emptyDir | false |
tap.persistentStorageStatic | Use static persistent volume provisioning (explicitly defined PersistentVolume ) | false |
tap.efsFileSytemIdAndPath | EFS file system ID and, optionally, subpath and/or access point <FileSystemId>:<Path>:<AccessPointId> | "" |
tap.storageLimit | Limit of either the emptyDir or persistentVolumeClaim | 500Mi |
tap.storageClass | Storage class of the PersistentVolumeClaim | standard |
tap.dryRun | Preview of all pods matching the regex, without tapping them | false |
tap.pcap | | "" |
tap.resources.worker.limits.cpu | CPU limit for worker | 750m |
tap.resources.worker.limits.memory | Memory limit for worker | 1Gi |
tap.resources.worker.requests.cpu | CPU request for worker | 50m |
tap.resources.worker.requests.memory | Memory request for worker | 50Mi |
tap.resources.hub.limits.cpu | CPU limit for hub | 750m |
tap.resources.hub.limits.memory | Memory limit for hub | 1Gi |
tap.resources.hub.requests.cpu | CPU request for hub | 50m |
tap.resources.hub.requests.memory | Memory request for hub | 50Mi |
tap.serviceMesh | Capture traffic from service meshes like Istio, Linkerd, Consul, etc. | true |
tap.tls | Capture the encrypted/TLS traffic from cryptography libraries like OpenSSL | true |
tap.ignoreTainted | Whether to ignore tainted nodes | false |
tap.labels | Kubernetes labels to apply to all Kubeshark resources | {} |
tap.annotations | Kubernetes annotations to apply to all Kubeshark resources | {} |
tap.nodeSelectorTerms | Node selector terms | [{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}] |
tap.auth.enabled | Enable authentication | false |
tap.auth.type | Authentication type (1 option available: saml ) | saml |
tap.auth.approvedEmails | List of approved email addresses for authentication | [] |
tap.auth.approvedDomains | List of approved email domains for authentication | [] |
tap.auth.saml.idpMetadataUrl | SAML IDP metadata URL (effective if tap.auth.type = saml) | "" |
tap.auth.saml.x509crt | A self-signed X.509 .cert contents (effective if tap.auth.type = saml) | "" |
tap.auth.saml.x509key | A self-signed X.509 .key contents (effective if tap.auth.type = saml) | "" |
tap.auth.saml.roleAttribute | A SAML attribute name corresponding to user’s authorization role (effective, if tap.auth.type = saml ) | role |
tap.auth.saml.roles | A list of SAML authorization roles and their permissions (effective, if tap.auth.type = saml ) | {"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}} |
tap.ingress.enabled | Enable Ingress | false |
tap.ingress.className | Ingress class name | "" |
tap.ingress.host | Host of the Ingress | ks.svc.cluster.local |
tap.ingress.tls | Ingress TLS configuration | [] |
tap.ingress.annotations | Ingress annotations | {} |
tap.ipv6 | Enable IPv6 support for the front-end | true |
tap.debug | Enable debug mode | false |
tap.kernelModule.enabled | Use PF_RING kernel module(details) | true |
tap.kernelModule.image | Container image containing PF_RING kernel module with supported kernel version (details) | "kubeshark/pf-ring-module:all" |
tap.kernelModule.unloadOnDestroy | Create additional container which watches for pod termination and unloads PF_RING kernel module. | false |
tap.telemetry.enabled | Enable anonymous usage statistics collection | true |
tap.defaultFilter | Sets the default dashboard KFL filter (e.g. http ) | "" |
tap.globalFilter | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, redact("request.headers.Authorization") will redact the appropriate field. | "" |
logs.file | Logs dump path | "" |
kube.configPath | Path to the kubeconfig file ($HOME/.kube/config ) | "" |
kube.context | Kubernetes context to use for the deployment | "" |
dumpLogs | Enable dumping of logs | false |
headless | Enable running in headless mode | false |
license | License key for the Pro/Enterprise edition | "" |
scripting.env | Environment variables for the scripting | {} |
scripting.source | Source directory of the scripts | "" |
scripting.watchScripts | Enable watch mode for the scripts in source directory | true |
tap.metrics.port | Pod port used to expose Prometheus metrics | 49100 |
KernelMapping pairs kernel versions with a DriverContainer image; kernel versions can be matched literally or using a regular expression.
Port-forward
Do the port forwarding:
kubectl port-forward service/kubeshark-front 8899:80
Visit localhost:8899
Increase the Worker’s Storage Limit
For example, change from the default 500Mi to 5Gi:
--set tap.storageLimit=5Gi
Add a License
When necessary, you can use:
--set license=YOUR_LICENSE_GOES_HERE
Get your license from Kubeshark’s Admin Console.
Installing with Ingress (EKS) enabled
helm install kubeshark kubeshark/kubeshark -f values.yaml
Set this values.yaml:

```yaml
tap:
  ingress:
    enabled: true
    className: "alb"
    host: ks.example.com
    tls: []
    annotations:
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/scheme: internet-facing
```
Disabling IPv6
Not all clusters have IPv6 enabled; in that case disable it as follows:
helm install kubeshark kubeshark/kubeshark \
--set tap.ipv6=false
Metrics
Please refer to metrics documentation for details.
Installing with SAML enabled
Prerequisites:
1. Generate X.509 certificate & key (TL;DR: https://ubuntu.com/server/docs/security-certificates)
Example:
openssl genrsa -out mykey.key 2048
openssl req -new -key mykey.key -out mycsr.csr
openssl x509 -signkey mykey.key -in mycsr.csr -req -days 365 -out mycert.crt
What you get:
- mycert.crt: use it for tap.auth.saml.x509crt
- mykey.key: use it for tap.auth.saml.x509key
2. Prepare your SAML IDP
You should set up the required SAML IDP (Google, Auth0, your custom IDP, etc.)
During setup, an IDP provider will typically request to enter:
- Metadata URL
- ACS URL (Assertion Consumer Service URL, aka Callback URL)
- SLO URL (Single Logout URL)
Correspondingly, you will enter these (if you run the most default Kubeshark setup):
Otherwise, if you have tap.ingress.enabled == true, change the protocol and domain accordingly (an example domain is shown):
- https://kubeshark.example.com/saml/metadata
- https://kubeshark.example.com/saml/acs
- https://kubeshark.example.com/saml/slo
helm install kubeshark kubeshark/kubeshark -f values.yaml
Set this values.yaml:

```yaml
tap:
  auth:
    enabled: true
    type: saml
    approvedEmails: []
    approvedDomains: []
    approvedTenants: []
    saml:
      idpMetadataUrl: "https://tiptophelmet.us.auth0.com/samlp/metadata/MpWiDCMMB5ShU1HRnhdb1sHM6VWqdnDG"
      x509crt: |
        -----BEGIN CERTIFICATE-----
        MIIDlTCCAn0CFFRUzMh+dZvp+FvWd4gRaiBVN8EvMA0GCSqGSIb3DQEBCwUAMIGG
        MSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAZXhhbXBsZS5jb20wHhcNMjMxMjI4
        ........<redacted: please, generate your own X.509 cert>........
        ZMzM7YscqZwoVhTOhrD4/5nIfOD/hTWG/MBe2Um1V1IYF8aVEllotTKTgsF6ZblA
        miCOgl6lIlZy
        -----END CERTIFICATE-----
      x509key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDlgDFKsRHj+mok
        euOF0IpwToOEpQGtafB75ytv3psD/tQAzEIug+rkDriVvsfcvafj0qcaTeYvnCoz
        ........<redacted: please, generate your own X.509 key>.........
        sUpBCu0E3nRJM/QB2ui5KhNR7uvPSL+kSsaEq19/mXqsL+mRi9aqy2wMEvUSU/kt
        UaV5sbRtTzYLxpOSQyi8CEFA+A==
        -----END PRIVATE KEY-----
```
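Added example, not part of the Kubeshark docs or chart: a small Python lint that resolves the dotted keys from the configuration table above in a values mapping and flags combinations a reviewer would question before installing (auth disabled behind an Ingress, empty allow-lists, a PCAP-capable SAML role with no KFL filter, an unpinned image tag, an Ingress with neither tls entries nor a certificate annotation). The two sample mappings and their domain, ARN, IdP URL, tag and filters are constructed placeholders.

```python
# Two constructed values mappings shaped like the chart's values.yaml; the image
# tag, domains, ARN, IdP URL and KFL filters are placeholders, not real settings.
WEAK = {"tap": {
    "docker": {"tag": "latest"},
    "ingress": {"enabled": True, "className": "alb", "tls": [],
                "annotations": {"alb.ingress.kubernetes.io/scheme": "internet-facing"}}}}

HARDENED = {"tap": {
    "docker": {"tag": "v0.0.0-placeholder"},
    "globalFilter": 'redact("request.headers.Authorization")',
    "ingress": {"enabled": True, "className": "alb", "tls": [],
                "annotations": {"alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:PLACEHOLDER"}},
    "auth": {"enabled": True, "type": "saml", "approvedDomains": ["example.com"],
             "saml": {"idpMetadataUrl": "https://idp.example.com/saml/metadata",
                      "x509crt": "PLACEHOLDER-PEM-CERT", "x509key": "PLACEHOLDER-PEM-KEY",
                      "roles": {"auditor": {"canDownloadPCAP": True, "canReplayTraffic": False,
                                            "canUpdateTargetedPods": False, "canUseScripting": False,
                                            "filter": 'namespace == "payments"'}}}}}}

def get(values, dotted, default=None):
    """Resolve a dotted chart key such as 'tap.auth.enabled' in nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def lint_values(values):
    """Return one finding per risky combination of the documented chart keys."""
    findings = []
    ingress_on = bool(get(values, "tap.ingress.enabled", False))
    auth_on = bool(get(values, "tap.auth.enabled", False))
    if ingress_on and not auth_on:
        findings.append("tap.ingress.enabled without tap.auth.enabled: dashboard exposed without login")
    if auth_on and not (get(values, "tap.auth.approvedEmails") or get(values, "tap.auth.approvedDomains")):
        findings.append("tap.auth.enabled but approvedEmails and approvedDomains are both empty")
    if auth_on and get(values, "tap.auth.type", "saml") == "saml":
        for key in ("idpMetadataUrl", "x509crt", "x509key"):
            if not get(values, f"tap.auth.saml.{key}", ""):
                findings.append(f"tap.auth.saml.{key} is empty")
    for name, role in get(values, "tap.auth.saml.roles", {}).items():
        if role.get("canDownloadPCAP") and not role.get("filter"):
            findings.append(f"role {name!r} may download PCAP with no KFL filter limiting its scope")
    if get(values, "tap.docker.tag", "latest") == "latest":
        findings.append("tap.docker.tag is 'latest': pin a version so deployments are reviewable")
    if ingress_on and not get(values, "tap.ingress.tls", []) and not any(
            "certificate" in k for k in get(values, "tap.ingress.annotations", {})):
        findings.append("ingress has neither tls entries nor a certificate annotation: plaintext dashboard")
    return findings
```

Run it against a values file parsed with any YAML loader before `helm install -f`; the ALB example above passes the TLS check because its certificate-arn annotation terminates TLS at the load balancer.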
helm repo add kubeshark https://helm.kubeshark.co
Once the repository has been added, you can install Kubeshark:
helm install kubeshark kubeshark/kubeshark