Helm Configuration Reference
Complete reference for Kubeshark Helm configuration values.
Traffic Capture
Pod Targeting
| Parameter | Description | Default |
|---|---|---|
| `tap.regex` | Pod name regex pattern | `.*` |
| `tap.namespaces` | Target specific namespaces | `[]` |
| `tap.excludedNamespaces` | Exclude specific namespaces | `[]` |
| `tap.bpfOverride` | BPF expression (overrides above) | `[]` |
Capture Control
| Parameter | Description | Default |
|---|---|---|
| `tap.capture.dissection.enabled` | Enable L7 traffic indexing at startup | `true` |
| `tap.capture.dissection.stopAfter` | Auto-stop indexing after inactivity | `5m` |
| `tap.capture.captureSelf` | Include Kubeshark’s own traffic | `false` |
| `tap.capture.raw.enabled` | Enable raw packet capture | `true` |
| `tap.capture.raw.storageSize` | FIFO buffer size per node | `1Gi` |
| `tap.capture.dbMaxSize` | Max indexing database size | `500Mi` |
Dashboard
| Parameter | Description | Default |
|---|---|---|
| `tap.dashboard.streamingType` | Dashboard streaming protocol | `connect-rpc` |
| `tap.dashboard.completeStreamingEnabled` | Enable complete streaming | `true` |
| `tap.dashboard.clusterWideMapEnabled` | Enable L4 cluster-wide connectivity map (experimental) | `false` |
Delayed Indexing
| Parameter | Description | Default |
|---|---|---|
| `tap.delayedDissection.cpu` | CPU allocation for delayed indexing jobs | `1` |
| `tap.delayedDissection.memory` | Memory allocation for delayed indexing jobs | `4Gi` |
Protocol & TLS
| Parameter | Description | Default |
|---|---|---|
| `tap.tls` | Capture encrypted/TLS traffic | `true` |
| `tap.disableTlsLog` | Suppress TLS/eBPF logging | `true` |
| `tap.serviceMesh` | Capture service mesh traffic (Istio, Linkerd) | `true` |
| `tap.enabledDissectors` | Enabled protocol dissectors | All except UDP/TCP |
Filters
| Parameter | Description | Default |
|---|---|---|
| `tap.defaultFilter` | Default dashboard KFL filter | `""` |
| `tap.globalFilter` | Global KFL filter for all views | `""` |
Storage
Ephemeral Storage
| Parameter | Description | Default |
|---|---|---|
| `tap.storageLimit` | Storage limit for emptyDir/PVC | `10Gi` |
Persistent Storage
| Parameter | Description | Default |
|---|---|---|
| `tap.persistentStorage` | Use PersistentVolumeClaim | `false` |
| `tap.persistentStorageStatic` | Use static volume provisioning | `false` |
| `tap.persistentStoragePvcVolumeMode` | PVC volume mode | `Filesystem` |
| `tap.storageClass` | Storage class for PVC | `standard` |
| `tap.efsFileSytemIdAndPath` | AWS EFS configuration | `""` |
Snapshots — Local Storage
| Parameter | Description | Default |
|---|---|---|
| `tap.snapshots.local.storageClass` | Storage class for local snapshots volume. When empty, uses emptyDir. When set, creates a PVC with this storage class | `""` |
| `tap.snapshots.local.storageSize` | Storage size for local snapshots volume | `20Gi` |
Snapshots — Cloud Storage
| Parameter | Description | Default |
|---|---|---|
| `tap.snapshots.cloud.provider` | Cloud storage provider: `s3` or `azblob`. Empty string disables cloud storage. See Cloud Storage for Snapshots. | `""` |
| `tap.snapshots.cloud.prefix` | Key prefix in the bucket/container (e.g. `snapshots/`) | `""` |
| `tap.snapshots.cloud.configMaps` | Names of pre-existing ConfigMaps with cloud storage env vars. Alternative to inline s3/azblob values below. | `[]` |
| `tap.snapshots.cloud.secrets` | Names of pre-existing Secrets with cloud storage credentials. Alternative to inline s3/azblob values below. | `[]` |
| `tap.snapshots.cloud.s3.bucket` | S3 bucket name. Auto-creates a ConfigMap with `SNAPSHOT_AWS_BUCKET`. | `""` |
| `tap.snapshots.cloud.s3.region` | AWS region for the S3 bucket | `""` |
| `tap.snapshots.cloud.s3.accessKey` | AWS access key ID. Auto-creates a Secret with `SNAPSHOT_AWS_ACCESS_KEY`. | `""` |
| `tap.snapshots.cloud.s3.secretKey` | AWS secret access key. Auto-creates a Secret with `SNAPSHOT_AWS_SECRET_KEY`. | `""` |
| `tap.snapshots.cloud.s3.roleArn` | IAM role ARN to assume via STS for cross-account S3 access | `""` |
| `tap.snapshots.cloud.s3.externalId` | External ID for the STS AssumeRole call | `""` |
| `tap.snapshots.cloud.azblob.storageAccount` | Azure storage account name. Auto-creates a ConfigMap with `SNAPSHOT_AZBLOB_STORAGE_ACCOUNT`. | `""` |
| `tap.snapshots.cloud.azblob.container` | Azure blob container name | `""` |
| `tap.snapshots.cloud.azblob.storageKey` | Azure storage account access key. Auto-creates a Secret with `SNAPSHOT_AZBLOB_STORAGE_KEY`. | `""` |
Resources
Hub
| Parameter | Description | Default |
|---|---|---|
| `tap.resources.hub.limits.cpu` | CPU limit | `""` (unlimited) |
| `tap.resources.hub.limits.memory` | Memory limit | `5Gi` |
| `tap.resources.hub.requests.cpu` | CPU request | `50m` |
| `tap.resources.hub.requests.memory` | Memory request | `50Mi` |
Sniffer (Worker)
| Parameter | Description | Default |
|---|---|---|
| `tap.resources.sniffer.limits.cpu` | CPU limit | `""` (unlimited) |
| `tap.resources.sniffer.limits.memory` | Memory limit | `5Gi` |
| `tap.resources.sniffer.requests.cpu` | CPU request | `50m` |
| `tap.resources.sniffer.requests.memory` | Memory request | `50Mi` |
Tracer
| Parameter | Description | Default |
|---|---|---|
| `tap.resources.tracer.limits.cpu` | CPU limit | `""` (unlimited) |
| `tap.resources.tracer.limits.memory` | Memory limit | `5Gi` |
| `tap.resources.tracer.requests.cpu` | CPU request | `50m` |
| `tap.resources.tracer.requests.memory` | Memory request | `50Mi` |
Traffic Sampling
| Parameter | Description | Default |
|---|---|---|
| `tap.packetCapture` | Packet capture backend: `best`, `af_packet`, or `pf_ring` | `best` |
| `tap.misc.trafficSampleRate` | Percentage of traffic to process (0-100) | `100` |
| `tap.misc.tcpStreamChannelTimeoutMs` | Timeout in milliseconds for TCP stream channel | `10000` |
Networking
Ports
| Parameter | Description | Default |
|---|---|---|
| `tap.proxy.hub.srvPort` | Hub server port | `8898` |
| `tap.proxy.worker.srvPort` | Worker server port | `48999` |
| `tap.proxy.front.port` | Front-end port | `8899` |
| `tap.proxy.host` | Proxy host address | `127.0.0.1` |
Network Settings
| Parameter | Description | Default |
|---|---|---|
| `tap.ipv6` | Enable IPv6 support | `true` |
| `tap.hostNetwork` | Enable host network for workers | `true` |
DNS
| Parameter | Description | Default |
|---|---|---|
| `tap.dns.nameservers` | Custom nameservers | `[]` |
| `tap.dns.searches` | DNS search domains | `[]` |
| `tap.dns.options` | DNS options | `[]` |
Ingress
| Parameter | Description | Default |
|---|---|---|
| `tap.ingress.enabled` | Enable Ingress | `false` |
| `tap.ingress.className` | Ingress class name | `""` |
| `tap.ingress.host` | Ingress hostname | `ks.svc.cluster.local` |
| `tap.ingress.tls` | TLS configuration | `[]` |
| `tap.ingress.annotations` | Ingress annotations | `{}` |
Routing
| Parameter | Description | Default |
|---|---|---|
| `tap.routing.front.basePath` | Base path for front-end | `""` |
Authentication
General
| Parameter | Description | Default |
|---|---|---|
| `tap.auth.enabled` | Enable authentication | `false` |
| `tap.auth.type` | Auth backend: `saml`, `oidc` (generic OIDC: Dex, Okta, Auth0, Keycloak, Azure AD, Google), `dex` (permanent alias of `oidc`), `descope`, `default` (also Descope) | `saml` |
| `tap.auth.approvedEmails` | Approved email addresses | `[]` |
| `tap.auth.approvedDomains` | Approved email domains | `[]` |
Roles & Authorization
The roles map is shared by both SAML and OIDC backends — admins maintain a single role definition and switch backends without rewriting it.
| Parameter | Description | Default |
|---|---|---|
| `tap.auth.roles` | Role-name → permission map. Each role carries action flags plus `namespaces` (comma list controlling traffic visibility: `""` deny, `"*"` allow-all, `"foo"` literal, `"foo,bar"` OR, `"foo-*"` glob expansion against the cluster’s watched namespaces). See SAML or OIDC for the full per-role schema. | `{}` |
| `tap.auth.rolesClaim` | JWT claim name (OIDC) or SAML attribute name carrying the user’s role memberships | `role` (SAML) / `groups` (OIDC) |
| `tap.auth.defaultRole` | Name of a role inside `tap.auth.roles` applied when an authenticated user has no matching role in their token/assertion. Empty string means no fallback (authenticated but no elevated permissions). | `""` |
Breaking changes since the unified rollout:
- Empty/unset `tap.auth.roles` no longer grants all permissions; it grants none. Set `tap.auth.defaultRole` to keep an “every authenticated user gets X” baseline.
- Per-role `filter` (raw KFL string) was replaced with `namespaces` (comma list). Configs carrying `filter:` are silently ignored; migrate.
- `tap.auth.defaultFilter` is removed; `namespaces: ""` is the explicit per-role deny-default.
- Legacy `tap.auth.saml.roles` and `tap.auth.saml.roleAttribute` are no longer read; migrate to the top-level keys above.
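Because a leftover `filter:` or legacy SAML key fails silently, a pre-upgrade check over the parsed values file helps. The following is an added example, not Kubeshark code: it flags the breaking changes listed above and expands a role's `namespaces` list, assuming glob matching behaves like Python's `fnmatch`, that literals count only when the namespace is watched, and using constructed sample values.

```python
from fnmatch import fnmatchcase

def visible_namespaces(spec, watched):
    """Expand a role's `namespaces` comma list against the watched namespaces."""
    # "" yields no patterns (deny); "*" matches all; "a,b" is an OR of entries.
    patterns = [p.strip() for p in (spec or "").split(",") if p.strip()]
    return sorted(ns for ns in watched if any(fnmatchcase(ns, p) for p in patterns))

def audit_auth(values):
    """Return migration findings for the tap.auth block of a parsed values file."""
    auth = (values.get("tap") or {}).get("auth") or {}
    roles = auth.get("roles") or {}
    default_role = auth.get("defaultRole") or ""
    findings = []
    if not roles:
        findings.append("tap.auth.roles is empty: no permissions are granted")
    if default_role and default_role not in roles:
        findings.append(f"tap.auth.defaultRole '{default_role}' is not in tap.auth.roles")
    if "defaultFilter" in auth:
        findings.append('tap.auth.defaultFilter was removed; use namespaces: "" per role')
    for legacy in ("roles", "roleAttribute"):
        if legacy in (auth.get("saml") or {}):
            findings.append(f"tap.auth.saml.{legacy} is no longer read; use the top-level key")
    for name, role in roles.items():
        if "filter" in role:
            findings.append(f"role '{name}' still carries filter:; migrate it to namespaces")
    return findings

# Constructed sample: a pre-migration config and a cluster's watched namespaces.
LEGACY = {"tap": {"auth": {
    "enabled": True, "type": "saml", "defaultFilter": "",
    "saml": {"roleAttribute": "role"},
    "roles": {"dev": {"filter": "<old KFL string>"}},
}}}
WATCHED = ["default", "payments", "team-a", "team-b"]

if __name__ == "__main__":
    for finding in audit_auth(LEGACY):
        print(finding)
    print(visible_namespaces("team-*,default", WATCHED))
```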
SAML
| Parameter | Description | Default |
|---|---|---|
| `tap.auth.saml.idpMetadataUrl` | IdP metadata URL | `""` |
| `tap.auth.saml.x509crt` | X.509 certificate | `""` |
| `tap.auth.saml.x509key` | X.509 private key | `""` |
OIDC
| Parameter | Description | Default |
|---|---|---|
| `tap.auth.oidc.issuer` | OIDC issuer URL (Dex, Okta, Auth0, Keycloak, Azure AD, Google, …) | `""` |
| `tap.auth.oidc.clientId` | Client ID | `""` |
| `tap.auth.oidc.clientSecret` | Client secret | `""` |
| `tap.auth.oidc.refreshTokenLifetime` | Refresh token lifetime | `3960h` |
| `tap.auth.oidc.oauth2StateParamExpiry` | OAuth2 state param expiry | `10m` |
| `tap.auth.oidc.bypassSslCaCheck` | Bypass SSL CA check on the issuer | `false` |
Breaking change: tap.auth.type=oidc now routes to the generic OIDC middleware. Earlier releases routed oidc to Descope. If you were using oidc to mean Descope, switch to tap.auth.type=descope (or default). The dex label remains a permanent alias of oidc.
Scheduling
Node Selection
| Parameter | Description | Default |
|---|---|---|
| `tap.nodeSelectorTerms.workers` | Worker node selectors | Linux only |
| `tap.nodeSelectorTerms.hub` | Hub node selectors | Linux only |
| `tap.nodeSelectorTerms.front` | Front-end node selectors | Linux only |
Tolerations
| Parameter | Description | Default |
|---|---|---|
| `tap.tolerations.workers` | Worker tolerations | `[{"operator": "Exists", "effect": "NoExecute"}]` |
| `tap.tolerations.hub` | Hub tolerations | `[]` |
| `tap.tolerations.front` | Front-end tolerations | `[]` |
Other
| Parameter | Description | Default |
|---|---|---|
| `tap.priorityClass` | Priority class name | `""` |
Docker Registry
| Parameter | Description | Default |
|---|---|---|
| `tap.docker.registry` | Docker registry | `docker.io/kubeshark` |
| `tap.docker.tag` | Image tag | `latest` |
| `tap.docker.tagLocked` | Lock tags (prevent upgrades) | `true` |
| `tap.docker.imagePullPolicy` | Pull policy | `Always` |
| `tap.docker.imagePullSecrets` | Pull secrets | `[]` |
| `tap.docker.overrideImage` | Override image names | `""` |
| `tap.docker.overrideTag` | Override image tags | `""` |
Health Probes
Hub
| Parameter | Description | Default |
|---|---|---|
| `tap.probes.hub.initialDelaySeconds` | Initial delay | `5` |
| `tap.probes.hub.periodSeconds` | Check period | `5` |
| `tap.probes.hub.successThreshold` | Success threshold | `1` |
| `tap.probes.hub.failureThreshold` | Failure threshold | `3` |
Sniffer
| Parameter | Description | Default |
|---|---|---|
| `tap.probes.sniffer.initialDelaySeconds` | Initial delay | `5` |
| `tap.probes.sniffer.periodSeconds` | Check period | `5` |
| `tap.probes.sniffer.successThreshold` | Success threshold | `1` |
| `tap.probes.sniffer.failureThreshold` | Failure threshold | `3` |
Monitoring
| Parameter | Description | Default |
|---|---|---|
| `tap.metrics.port` | Prometheus metrics port | `49100` |
| `tap.telemetry.enabled` | Usage statistics | `true` |
| `tap.sentry.enabled` | Sentry error logging | `false` |
| `tap.sentry.environment` | Sentry environment | `production` |

| Parameter | Description | Default |
|---|---|---|
| `tap.labels` | Labels for all resources | `{}` |
| `tap.annotations` | Annotations for resources | `{}` |
Scripting
| Parameter | Description | Default |
|---|---|---|
| `scripting.env` | Environment variables | `{}` |
| `scripting.source` | Script source directory | `""` |
| `scripting.watchScripts` | Watch mode for scripts | `true` |
PCAP Recording
| Parameter | Description | Default |
|---|---|---|
| `pcapdump.enabled` | Enable PCAP recording | `false` |
| `pcapdump.maxTime` | Time window for stored traffic | `2h` |
| `pcapdump.maxSize` | Max PCAP storage | `500MB` |
General
| Parameter | Description | Default |
|---|---|---|
| `license` | License key (Community, Pro, or Enterprise) | `""` |
| `timezone` | IANA time zone | `""` (local) |
| `headless` | Headless mode | `false` |
| `internetConnectivity` | Allow internet requests | `true` |
| `supportChatEnabled` | Intercom support chat | `false` |
Kubernetes
| Parameter | Description | Default |
|---|---|---|
| `kube.configPath` | Path to kubeconfig | `""` |
| `kube.context` | Kubernetes context | `""` |
Logging
| Parameter | Description | Default |
|---|---|---|
| `logs.file` | Log file path | `""` |
| `dumpLogs` | Enable log dumping | `false` |
Debug
| Parameter | Description | Default |
|---|---|---|
| `tap.dryRun` | Preview pods without tapping | `false` |
| `tap.debug` | Debug mode | `false` |
| `tap.mountBpf` | Mount BPF filesystem | `true` |
Advanced
| Parameter | Description | Default |
|---|---|---|
| `tap.resourceGuard.enabled` | Resource usage monitoring | `false` |
| `tap.liveConfigMapChangesDisabled` | Disable dynamic ConfigMap changes | `false` |
| `tap.gitops.enabled` | GitOps functionality | `false` |
| `tap.secrets` | Secrets for env variables | `[]` |
Release
| Parameter | Description | Default |
|---|---|---|
| `tap.release.repo` | Helm chart repository | `https://helm.kubeshark.com` |
| `tap.release.name` | Helm release name | `kubeshark` |
| `tap.release.namespace` | Helm release namespace | `default` |
Installation Examples
Basic Installation
```bash
helm install kubeshark kubeshark/kubeshark
```
With Values File
```bash
helm install kubeshark kubeshark/kubeshark -f values.yaml
```
Common Options
```bash
helm install kubeshark kubeshark/kubeshark \
  --set tap.capture.raw.enabled=true \
  --set tap.capture.raw.storageSize=2Gi \
  --set tap.namespaces="{default,production}" \
  --set tap.ingress.enabled=true
```
Production Example
```yaml
tap:
  # Target specific namespaces
  namespaces:
    - production
  excludedNamespaces:
    - kube-system
    - monitoring
  # Capture settings
  capture:
    dissection:
      enabled: true
      stopAfter: 0  # Never auto-stop
    raw:
      enabled: true
      storageSize: 5Gi
  # Snapshots
  snapshots:
    local:
      storageClass: gp2
      storageSize: 100Gi
    cloud:
      provider: "s3"
      s3:
        bucket: my-kubeshark-snapshots
        region: us-east-1
  # Resources
  resources:
    hub:
      limits:
        memory: 4Gi
    sniffer:
      limits:
        memory: 2Gi
  # Ingress
  ingress:
    enabled: true
    className: nginx
    host: kubeshark.example.com
    tls:
      - secretName: kubeshark-tls
        hosts:
          - kubeshark.example.com
```
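The production example turns on Ingress while `tap.auth.enabled` keeps its default of `false`, so it is worth checking a values file for exposure settings before install. This is an added example, not part of Kubeshark: the finding names and the choice of checks are assumptions made here, and the sample dict is constructed from the relevant keys of the example above.

```python
def get(values, path, default=None):
    """Walk a dotted path such as 'tap.ingress.enabled' through nested dicts."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

# Inline credential keys for which the reference names a Secret-based
# alternative (tap.snapshots.cloud.secrets).
INLINE_CLOUD_KEYS = (
    "tap.snapshots.cloud.s3.accessKey",
    "tap.snapshots.cloud.s3.secretKey",
    "tap.snapshots.cloud.azblob.storageKey",
)

def exposure_findings(values):
    """Return finding labels (names chosen for this example) for a values dict."""
    findings = []
    if get(values, "tap.ingress.enabled", False):
        # Defaults from the reference: auth disabled, no Ingress TLS entries.
        if not get(values, "tap.auth.enabled", False):
            findings.append("ingress-without-auth")
        if not get(values, "tap.ingress.tls", []):
            findings.append("ingress-without-tls")
    if get(values, "tap.auth.oidc.bypassSslCaCheck", False):
        findings.append("oidc-issuer-ca-check-bypassed")
    for path in INLINE_CLOUD_KEYS:
        if get(values, path, ""):
            findings.append("inline-credential:" + path)
    return findings

# Constructed input: the relevant keys of the production example above.
PRODUCTION = {"tap": {
    "snapshots": {"cloud": {"provider": "s3", "s3": {
        "bucket": "my-kubeshark-snapshots", "region": "us-east-1"}}},
    "ingress": {"enabled": True, "className": "nginx",
                "host": "kubeshark.example.com",
                "tls": [{"secretName": "kubeshark-tls",
                         "hosts": ["kubeshark.example.com"]}]},
}}

if __name__ == "__main__":
    for finding in exposure_findings(PRODUCTION):
        print(finding)
```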