Install with Helm

Read the Helm section for most up-to-date instructions

While the CLI is a great option for on-demand usage and running on dev & test clusters, for a more permanent deployment, you can use Helm and add Kubeshark’s Helm repository:


Add the Helm repo for Kubeshark:

helm repo add kubeshark

then install Kubeshark:

helm install kubeshark kubeshark/kubeshark


Clone the repo:

git clone --depth 1
cd kubeshark/helm-chart

Render the templates

helm template .

Install Kubeshark:

helm install kubeshark .

Uninstall Kubeshark:

helm uninstall kubeshark


tap.docker.registryDocker registry to pull
tap.docker.tagTag of the Docker imageslatest
tap.docker.imagePullPolicyKubernetes image pull policyAlways
tap.docker.imagePullSecretsKubernetes secrets to pull the images[]
tap.proxy.worker.srvPortWorker server port30001
tap.proxy.hub.portHub service port8898
tap.proxy.hub.srvPortHub server port8898
tap.proxy.front.portFront-facing service port8899
tap.proxy.hostProxy server’s IP127.0.0.1
tap.namespacesList of namespaces for the traffic capture[]
tap.release.repoURL of the Helm chart repository
tap.release.nameHelm release namekubeshark
tap.release.namespaceHelm release namespacedefault
tap.persistentStorageUse persistentVolumeClaim instead of emptyDirfalse
tap.persistentStorageStaticUse static persistent volume provisioning (explicitly defined PersistentVolume )false
tap.efsFileSytemIdAndPathEFS file system ID and, optionally, subpath and/or access point <FileSystemId>:<Path>:<AccessPointId>""
tap.storageLimitLimit of either the emptyDir or persistentVolumeClaim500Mi
tap.storageClassStorage class of the PersistentVolumeClaimstandard
tap.dryRunPreview of all pods matching the regex, without tapping themfalse
tap.resources.worker.limits.cpuCPU limit for worker750m
tap.resources.worker.limits.memoryMemory limit for worker1Gi
tap.resources.worker.requests.cpuCPU request for worker50m
tap.resources.worker.requests.memoryMemory request for worker50Mi
tap.resources.hub.limits.cpuCPU limit for hub750m
tap.resources.hub.limits.memoryMemory limit for hub1Gi
tap.resources.hub.requests.cpuCPU request for hub50m
tap.resources.hub.requests.memoryMemory request for hub50Mi
tap.serviceMeshCapture traffic from service meshes like Istio, Linkerd, Consul, etc.true
tap.tlsCapture the encrypted/TLS traffic from cryptography libraries like OpenSSLtrue
tap.ignoreTaintedWhether to ignore tainted nodesfalse
tap.labelsKubernetes labels to apply to all Kubeshark resources{}
tap.annotationsKubernetes annotations to apply to all Kubeshark resources{}
tap.nodeSelectorTermsNode selector terms[{"matchExpressions":[{"key":"","operator":"In","values":["linux"]}]}]
tap.auth.enabledEnable authenticationfalse
tap.auth.typeAuthentication type (1 option available: saml)saml
tap.auth.approvedEmailsList of approved email addresses for authentication[]
tap.auth.approvedDomainsList of approved email domains for authentication[]
tap.auth.saml.idpMetadataUrlSAML IDP metadata URL
(effective, if tap.auth.type = saml)
tap.auth.saml.x509crtA self-signed X.509 .cert contents
(effective, if tap.auth.type = saml)
tap.auth.saml.x509keyA self-signed X.509 .key contents
(effective, if tap.auth.type = saml)
tap.auth.saml.roleAttributeA SAML attribute name corresponding to user’s authorization role
(effective, if tap.auth.type = saml)
tap.auth.saml.rolesA list of SAML authorization roles and their permissions
(effective, if tap.auth.type = saml)
tap.ingress.enabledEnable Ingressfalse
tap.ingress.classNameIngress class name""
tap.ingress.hostHost of the Ingressks.svc.cluster.local
tap.ingress.tlsIngress TLS configuration[]
tap.ingress.annotationsIngress annotations{}
tap.ipv6Enable IPv6 support for the front-endtrue
tap.debugEnable debug modefalse
tap.kernelModule.enabledUse PF_RING kernel module(details)true
tap.kernelModule.imageContainer image containing PF_RING kernel module with supported kernel version(details)“kubeshark/pf-ring-module:all”
tap.kernelModule.unloadOnDestroyCreate additional container which watches for pod termination and unloads PF_RING kernel module.false
tap.telemetry.enabledEnable anonymous usage statistics collectiontrue
tap.defaultFilterSets the default dashboard KFL filter (e.g. http)""
tap.globalFilterPrepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, redact("request.headers.Authorization") will redact the appropriate field.""
logs.fileLogs dump path""
kube.configPathPath to the kubeconfig file ($HOME/.kube/config)""
kube.contextKubernetes context to use for the deployment""
dumpLogsEnable dumping of logsfalse
headlessEnable running in headless modefalse
licenseLicense key for the Pro/Enterprise edition""
scripting.envEnvironment variables for the scripting{}
scripting.sourceSource directory of the scripts""
scripting.watchScriptsEnable watch mode for the scripts in source directorytrue
tap.metrics.portPod port used to expose Prometheus metrics49100

KernelMapping pairs kernel versions with a DriverContainer image. Kernel versions can be matched literally or using a regular expression


Do the port forwarding:

kubectl port-forward service/kubeshark-front 8899:80

Visit localhost:8899

Increase the Worker’s Storage Limit

For example, change from the default 500Mi to 5Gi:

--set tap.storageLimit=5Gi

Add a License

When it’s necessary, you can use:


Get your license from Kubeshark’s Admin Console.

Installing with Ingress (EKS) enabled

helm install kubeshark kubeshark/kubeshark -f values.yaml

Set this value.yaml:

    enabled: true
    className: "alb"
    tls: []
    annotations: arn:aws:acm:us-east-1:7..8:certificate/b...65c ip internet-facing

Disabling IPV6

Not all have IPV6 enabled, hence this has to be disabled as follows:

helm install kubeshark kubeshark/kubeshark \
  --set tap.ipv6=false


Please refer to metrics documentation for details.

Installing with SAML enabled


1. Generate X.509 certificate & key (TL;DR:


openssl genrsa -out mykey.key 2048
openssl req -new -key mykey.key -out mycsr.csr
openssl x509 -signkey mykey.key -in mycsr.csr -req -days 365 -out mycert.crt

What you get:

  • mycert.crt - use it for tap.auth.saml.x509crt
  • mykey.key - use it for tap.auth.saml.x509crt
2. Prepare your SAML IDP

You should set up the required SAML IDP (Google, Auth0, your custom IDP, etc.)

During setup, an IDP provider will typically request to enter:

  • Metadata URL
  • ACS URL (Assertion Consumer Service URL, aka Callback URL)
  • SLO URL (Single Logout URL)

Correspondingly, you will enter these (if you run the most default Kubeshark setup):

Otherwise, if you have tap.ingress.enabled == true, change protocol & domain respectively - showing example domain:

helm install kubeshark kubeshark/kubeshark -f values.yaml

Set this value.yaml:

    enabled: true
    type: saml
    approvedEmails: []
    approvedDomains: []
    approvedTenants: []
      idpMetadataUrl: ""
      x509crt: |
        -----BEGIN CERTIFICATE-----
        ........<redacted: please, generate your own X.509 cert>........
        -----END CERTIFICATE-----
      x509key: |
        -----BEGIN PRIVATE KEY-----
        ........<redacted: please, generate your own X.509 key>.........
        -----END PRIVATE KEY-----
helm repo add kubeshark

Once the repository was added you can install Kubeshark:

helm install kubeshark kubeshark/kubeshark