Kubeshark on Openshift


  1. An active Redhat account
  2. An active AWS account
  3. Have the following CLIs installed and configured: rosa, aws and oc.

If you don’t have an Openshift cluster, you can follow the instructions below to install one.

Adding Constraints

Kubeshark requires adding the following SCCs: privileged and anyuid to the following service accounts: default and kubeshark-service-account in the namespace Kubeshark is about to run in (e.g. default).

oc adm policy add-scc-to-user privileged -z default -n default
oc adm policy add-scc-to-user anyuid -z default -n default
oc adm policy add-scc-to-user privileged -z kubeshark-service-account -n default
oc adm policy add-scc-to-user anyuid -z kubeshark-service-account -n default

Install Kubeshark

You can now install Kubeshark:

sh <(curl -Ls https://kubeshark.co/install)

Change the Workers Pods

Running Kubeshark requires some configuration changes, disabling properties that are still not fully supported:

kubeshark tap --set tap.proxy.worker.srvPort=30001 --set tap.tls=false

That’s it, your good to go!

TL;DR - Create an Openshift Cluster

Get rosa token from here.

Login to Openshift:

rosa login --token="eyJh..."

Ensure AWS CLI is installed and configure:

aws configure

Read more about how to install AWS CLI here.

Create the require roles in AWS for an Openshift Cluster

rosa create account-roles --mode auto

ROSA account roles

Create an Openshift cluster

rosa create cluster --cluster-name <cluster-name> --sts --mode auto

Choose ManagedOpenShift-Installer-Role when asked:

Select role

You can track the cluster creation progress with:

rosa logs install -c <cluster-name> --watch

Once the cluster is created, create a cluster-admin user:

rosa create admin --cluster=<cluster-name>

Follow the on-screen instruction to log in to the actual cluster. Something like:

oc login https://api.kubeshark.ABC1.p1.openshiftapps.com:6443 --username cluster-admin --password <super_long_pwd>

Verify all nodes are in Ready status:

oc get nodes