From 5ca9d01b03f421bf2781237b95c7456211277cdf Mon Sep 17 00:00:00 2001
From: k8spacket
Date: Sat, 17 Feb 2024 12:38:57 +0100
Subject: [PATCH] 2.0.0 (#29)
---
 charts/k8spacket/Chart.yaml | 4 +--
 charts/k8spacket/templates/clusterrole.yaml | 1 +
 charts/k8spacket/templates/daemonset.yaml | 23 ++++++-------
 charts/k8spacket/values.yaml | 36 ++++++++++++---------
 4 files changed, 35 insertions(+), 29 deletions(-)
diff --git a/charts/k8spacket/Chart.yaml b/charts/k8spacket/Chart.yaml
index 9dae72d..07f2243 100644
--- a/charts/k8spacket/Chart.yaml
+++ b/charts/k8spacket/Chart.yaml
@@ -5,5 +5,5 @@ description: A Helm chart for k8spacket tool
 maintainers:
 - name: k8spacket
 email: k8spacket@gmail.com
-version: 1.2.1
-appVersion: 1.2.1
+version: 2.0.0
+appVersion: 2.0.0
diff --git a/charts/k8spacket/templates/clusterrole.yaml b/charts/k8spacket/templates/clusterrole.yaml
index ef73f12..175b3ea 100644
--- a/charts/k8spacket/templates/clusterrole.yaml
+++ b/charts/k8spacket/templates/clusterrole.yaml
@@ -9,6 +9,7 @@ rules:
 resources:
 - "pods"
 - "services"
+ - "nodes"
 verbs:
 - "get"
 - "watch"
diff --git a/charts/k8spacket/templates/daemonset.yaml b/charts/k8spacket/templates/daemonset.yaml
index 3b9d641..4fec9c7 100644
--- a/charts/k8spacket/templates/daemonset.yaml
+++ b/charts/k8spacket/templates/daemonset.yaml
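Review bot: Adding `"nodes"` to the ClusterRole's resources widens a cluster-scoped read grant, and nothing in the rule records what the agent reads from node objects, so the next reviewer of the RBAC scope cannot tell whether it is still needed. A comment above the new entry in the form `# nodes: TODO state why the agent needs cluster-wide node read access` would carry that rationale with the grant. The verbs list and the rule's apiGroups continue outside the hunk, so whether `list` is also granted on nodes is not visible here; if the agent only `get`s and `watch`es nodes, keep the verb set to exactly that.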
@@ -75,28 +75,29 @@ spec:
 - name: K8S_PACKET_NAME_LABEL_VALUE
 value: {{ include "k8spacket.name" . }}
 - name: K8S_PACKET_HIDE_SRC_PORT
- value: {{ .Values.k8sPacket.metrics.hideSourcePort | quote}}
+ value: {{ .Values.k8sPacket.metrics.hideSourcePort | quote }}
 - name: K8S_PACKET_REVERSE_GEOIP2_DB_PATH
 value: {{ .Values.k8sPacket.metrics.reverseLookup.geoipDBPath }}
 - name: K8S_PACKET_REVERSE_WHOIS_REGEXP
 value: {{ .Values.k8sPacket.metrics.reverseLookup.whoisRegexp }}
- - name: K8S_PACKET_TCP_ASSEMBLER_MAX_PAGES_PER_CONN
- value: {{ .Values.k8sPacket.tcp.assembler.maxPagesPerConnection | quote}}
- - name: K8S_PACKET_TCP_ASSEMBLER_MAX_PAGES_TOTAL
- value: {{ .Values.k8sPacket.tcp.assembler.maxPagesTotal | quote}}
- - name: K8S_PACKET_TCP_ASSEMBLER_FLUSHING_PERIOD
- value: {{ .Values.k8sPacket.tcp.assembler.flushing.periodDuration }}
- - name: K8S_PACKET_TCP_ASSEMBLER_FLUSHING_CLOSE_OLDER_THAN
- value: {{ .Values.k8sPacket.tcp.assembler.flushing.closeOlderThanDuration }}
 - name: K8S_PACKET_TCP_LISTENER_PORT
 value: {{ .Values.k8sPacket.tcp.listener.port | quote }}
 - name: K8S_PACKET_TCP_LISTENER_INTERFACES_COMMAND
 value: {{ .Values.k8sPacket.tcp.listener.interfaces.command }}
 - name: K8S_PACKET_TCP_LISTENER_INTERFACES_REFRESH_PERIOD
 value: {{ .Values.k8sPacket.tcp.listener.interfaces.refreshPeriod }}
+ - name: K8S_PACKET_TCP_PERSISTENT_DURATION
+ value: {{ .Values.k8sPacket.tcp.connection.persistentDuration }}
+ - name: K8S_PACKET_TLS_CERTIFICATE_CACHE_TTL
+ value: {{ .Values.k8sPacket.tls.certificate.cache.ttl }}
 volumeMounts:
 - mountPath: /home/k8spacket/plugins
 name: plugins
+ - mountPath: /sys/kernel/tracing
+ name: tracing
 volumes:
- - emptyDir: {}
- name: plugins
+ - name: plugins
+ emptyDir: {}
+ - name: tracing
+ hostPath:
+ path: /sys/kernel/tracing
\ No newline at end of file
diff --git a/charts/k8spacket/values.yaml b/charts/k8spacket/values.yaml
index 8b5d259..24a9ad1 100644
--- a/charts/k8spacket/values.yaml
+++ b/charts/k8spacket/values.yaml
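Review bot: The new `tracing` volume mounts the host's `/sys/kernel/tracing` with no `readOnly` flag on the volumeMount, so the container gets write access to tracefs; if the agent only reads tracepoint ids and event formats, `readOnly: true` under `name: tracing` narrows the mount, and if it really needs to write there (legacy probe attachment through tracefs), a comment beside the mount should say so, since hostPath volumes are also what the baseline Pod Security Standard forbids. The two added env entries render `persistentDuration` and `ttl` without `| quote`, unlike `hideSourcePort` and `listener.port` in the same list, so a user overriding either with a bare number would produce an integer `value`, which the Pod schema rejects; `value: {{ .Values.k8sPacket.tcp.connection.persistentDuration | quote }}` and `value: {{ .Values.k8sPacket.tls.certificate.cache.ttl | quote }}` keep the type stable. The hunk ends with `\ No newline at end of file` while the removed lines carry no such marker, so the commit drops the file's trailing newline; the values.yaml hunk `@@ -71,11 +78,8 @@` does the same. The container's `env:` list and the pod `spec` start above the hunk.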
@@ -25,12 +25,16 @@ podAnnotations: {}
 priorityClassName: ""
 podSecurityContext:
- runAsUser: 1000
+ runAsUser: 0
 securityContext:
 allowPrivilegeEscalation: true
 capabilities:
- add: [ "NET_ADMIN", "NET_RAW" ]
+ add:
+ - BPF
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE # requires on kernels < 5.11 to remove memlock (error: failed to set memlock rlimit: operation not permitted)
 service:
 type: ClusterIP
@@ -41,19 +45,19 @@ service:
 resources:
 requests:
- memory: "1000Mi"
- cpu: "250m"
+ memory: "100Mi"
+ cpu: "50m"
 limits:
- memory: "1500Mi"
- cpu: "500m"
+ memory: "200Mi"
+ cpu: "300m"
 tolerations: []
 k8sPacket:
 ## Available plugin releases. Custom plugins can be provided
 plugins:
- - https://github.com/k8spacket/plugins/releases/download/v1.2.1/nodegraph-$(arch).so
- - https://github.com/k8spacket/plugins/releases/download/v1.2.1/tls-parser-$(arch).so
+ - https://github.com/k8spacket/plugins/releases/download/v2.0.0/nodegraph-$(arch).so
+ - https://github.com/k8spacket/plugins/releases/download/v2.0.0/tls-parser-$(arch).so
 metrics:
 ## Hide source port when 'true' (set to string value 'dynamic' instead of decimal real source port) for Prometheus metrics cardinality reasons
 hideSourcePort: true
@@ -64,6 +68,9 @@ k8sPacket:
 ## Whois result match regexp
 whoisRegexp: "(?:OrgName:|org-name:)\\s*(.*)"
 tcp:
+ connection:
+ ## When a connection is treated as persistent
+ persistentDuration: 10s
 listener:
 port: 6676
 interfaces:
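Review bot: The capability list now grants `SYS_ADMIN` next to `BPF`, and together with `runAsUser: 0` and `allowPrivilegeEscalation: true` the container is close to a privileged one, yet only the `SYS_RESOURCE` entry carries a comment saying which kernels need it. If the agent attaches its probes through perf_event_open, `PERFMON` covers that path on kernels that already have `BPF` (5.8 and later) and `SYS_ADMIN` is only the fallback for older kernels — worth confirming against the loader and recording per entry in the same form as the `SYS_RESOURCE` line, e.g. `- SYS_ADMIN # TODO: state which kernels still need this once BPF/PERFMON are granted`. Adding `drop: ["ALL"]` above `add:` keeps the default bounding set out of the container, which matters more now that the process runs as uid 0. `allowPrivilegeEscalation: true` is only needed if the process expects to gain privileges across an exec (setuid or file-capability binaries); if it does not, `false` is the safer default and costs nothing.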
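Review bot: `persistentDuration: 10s` is the only unquoted duration among the chart's values — `refreshPeriod: "10s"` in the following hunk and the new `ttl: "24h"` are quoted — and the daemonset template passes it into an env `value` without `| quote`, so a bare numeric override would render an integer and fail the Pod schema; `persistentDuration: "10s"` keeps the type stable. The comment `## When a connection is treated as persistent` does not say what the number means; if connections that stay open longer than this threshold are reported as persistent, `## Connections open longer than this duration are reported as persistent (Go duration string)` would say so — confirm against how the agent handles K8S_PACKET_TCP_PERSISTENT_DURATION.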
@@ -71,11 +78,8 @@ k8sPacket:
 command: "ip address | grep @ | sed -E 's/.* (\\w+)@.*/\\1/' | tr '\\n' ',' | sed 's/.$//'"
 ## How often refresh the list of network interfaces to listen
 refreshPeriod: "10s"
- assembler:
- ## See: https://pkg.go.dev/github.com/google/gopacket/tcpassembly#AssemblerOptions
- maxPagesPerConnection: 50
- maxPagesTotal: 50
- ## Every (periodDuration) seconds, flush connections that haven't seen activity in the past (closeOlderThanDuration) seconds.
- flushing:
- periodDuration: "10s"
- closeOlderThanDuration: "20s"
+ tls:
+ certificate:
+ cache:
+ ## How long scraped TLS certificates are stored in a cache
+ ttl: "24h"
\ No newline at end of file