2.0.0 (#29)

k8spacket · Feb 17, 2024 · 5ca9d01 · 5ca9d01
1 parent 8be064c
commit 5ca9d01
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 29 deletions.
diff --git a/charts/k8spacket/Chart.yaml b/charts/k8spacket/Chart.yaml
@@ -5,5 +5,5 @@ description: A Helm chart for k8spacket tool
 maintainers:
   - name: k8spacket
     email: k8spacket@gmail.com
-version: 1.2.1
-appVersion: 1.2.1
+version: 2.0.0
+appVersion: 2.0.0
diff --git a/charts/k8spacket/templates/clusterrole.yaml b/charts/k8spacket/templates/clusterrole.yaml
@@ -9,6 +9,7 @@ rules:
     resources:
     - "pods"
     - "services"
+    - "nodes"
     verbs:
     - "get"
     - "watch"

diff --git a/charts/k8spacket/templates/daemonset.yaml b/charts/k8spacket/templates/daemonset.yaml
@@ -75,28 +75,29 @@ spec:
           - name: K8S_PACKET_NAME_LABEL_VALUE
             value: {{ include "k8spacket.name" . }}
           - name: K8S_PACKET_HIDE_SRC_PORT
-            value: {{ .Values.k8sPacket.metrics.hideSourcePort | quote}}
+            value: {{ .Values.k8sPacket.metrics.hideSourcePort | quote }}
           - name: K8S_PACKET_REVERSE_GEOIP2_DB_PATH
             value: {{ .Values.k8sPacket.metrics.reverseLookup.geoipDBPath }}
           - name: K8S_PACKET_REVERSE_WHOIS_REGEXP
             value: {{ .Values.k8sPacket.metrics.reverseLookup.whoisRegexp }}
-          - name: K8S_PACKET_TCP_ASSEMBLER_MAX_PAGES_PER_CONN
-            value: {{ .Values.k8sPacket.tcp.assembler.maxPagesPerConnection | quote}}
-          - name: K8S_PACKET_TCP_ASSEMBLER_MAX_PAGES_TOTAL
-            value: {{ .Values.k8sPacket.tcp.assembler.maxPagesTotal | quote}}
-          - name: K8S_PACKET_TCP_ASSEMBLER_FLUSHING_PERIOD
-            value: {{ .Values.k8sPacket.tcp.assembler.flushing.periodDuration }}
-          - name: K8S_PACKET_TCP_ASSEMBLER_FLUSHING_CLOSE_OLDER_THAN
-            value: {{ .Values.k8sPacket.tcp.assembler.flushing.closeOlderThanDuration }}
           - name: K8S_PACKET_TCP_LISTENER_PORT
             value: {{ .Values.k8sPacket.tcp.listener.port | quote }}
           - name: K8S_PACKET_TCP_LISTENER_INTERFACES_COMMAND
             value: {{ .Values.k8sPacket.tcp.listener.interfaces.command }}
           - name: K8S_PACKET_TCP_LISTENER_INTERFACES_REFRESH_PERIOD
             value: {{ .Values.k8sPacket.tcp.listener.interfaces.refreshPeriod }}
+          - name: K8S_PACKET_TCP_PERSISTENT_DURATION
+            value: {{ .Values.k8sPacket.tcp.connection.persistentDuration }}
+          - name: K8S_PACKET_TLS_CERTIFICATE_CACHE_TTL
+            value: {{ .Values.k8sPacket.tls.certificate.cache.ttl }}
           volumeMounts:
             - mountPath: /home/k8spacket/plugins
               name: plugins
+            - mountPath: /sys/kernel/tracing
+              name: tracing
       volumes:
-        - emptyDir: {}
-          name: plugins
+        - name: plugins
+          emptyDir: {}
+        - name: tracing
+          hostPath:
+            path: /sys/kernel/tracing
diff --git a/charts/k8spacket/values.yaml b/charts/k8spacket/values.yaml
@@ -25,12 +25,16 @@ podAnnotations: {}
 priorityClassName: ""
 
 podSecurityContext:
-  runAsUser: 1000
+  runAsUser: 0
 
 securityContext:
   allowPrivilegeEscalation: true
   capabilities:
-    add: [ "NET_ADMIN", "NET_RAW" ]
+    add:
+    - BPF
+    - NET_ADMIN
+    - SYS_ADMIN
+    - SYS_RESOURCE  # requires on kernels < 5.11 to remove memlock (error: failed to set memlock rlimit: operation not permitted)
 
 service:
   type: ClusterIP
@@ -41,19 +45,19 @@ service:
 
 resources:
   requests:
-    memory: "1000Mi"
-    cpu: "250m"
+    memory: "100Mi"
+    cpu: "50m"
   limits:
-    memory: "1500Mi"
-    cpu: "500m"
+    memory: "200Mi"
+    cpu: "300m"
 
 tolerations: []
 
 k8sPacket:
   ## Available plugin releases. Custom plugins can be provided
   plugins:
-    - https://github.com/k8spacket/plugins/releases/download/v1.2.1/nodegraph-$(arch).so
-    - https://github.com/k8spacket/plugins/releases/download/v1.2.1/tls-parser-$(arch).so
+    - https://github.com/k8spacket/plugins/releases/download/v2.0.0/nodegraph-$(arch).so
+    - https://github.com/k8spacket/plugins/releases/download/v2.0.0/tls-parser-$(arch).so
   metrics:
     ## Hide source port when 'true' (set to string value 'dynamic' instead of decimal real source port) for Prometheus metrics cardinality reasons
     hideSourcePort: true
@@ -64,18 +68,18 @@ k8sPacket:
       ## Whois result match regexp
       whoisRegexp: "(?:OrgName:|org-name:)\\s*(.*)"
   tcp:
+    connection:
+      ## When a connection is treated as persistent
+      persistentDuration: 10s
     listener:
       port: 6676
       interfaces:
         ## Command to achieve containers network interfaces
         command: "ip address | grep @ | sed -E 's/.* (\\w+)@.*/\\1/' | tr '\\n' ',' | sed 's/.$//'"
         ## How often refresh the list of network interfaces to listen
         refreshPeriod: "10s"
-    assembler:
-      ## See: https://pkg.go.dev/github.com/google/gopacket/tcpassembly#AssemblerOptions
-      maxPagesPerConnection: 50
-      maxPagesTotal: 50
-      ## Every (periodDuration) seconds, flush connections that haven't seen activity in the past (closeOlderThanDuration) seconds.
-      flushing:
-        periodDuration: "10s"
-        closeOlderThanDuration: "20s"
+  tls:
+    certificate:
+      cache:
+        ## How long scraped TLS certificates are stored in a cache
+        ttl: "24h"