Raw Capture Configuration
Configure raw capture to control storage allocation, capture scope, and buffer sizes.
Basic Configuration
Enable and configure raw capture in your Helm values:
tap:
  capture:
    raw:
      enabled: true     # Enable raw capture
      storageSize: 1Gi  # Node-level FIFO buffer size
When enabled, raw capture continuously stores all L4 traffic matching your Capture Filters.
Storage Configuration
Node-Level FIFO Buffer
Each worker node maintains a FIFO (first-in, first-out) buffer for raw traffic:
tap:
  capture:
    raw:
      storageSize: 1Gi  # Size per node
When the buffer fills, older data is automatically recycled. Larger buffers retain longer time windows.
Sizing guidance:
- Traffic volume depends on your workload
- Monitor actual usage to tune the size
- Consider peak traffic periods
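The sizing guidance above as an added calculation (not Kubeshark's own code): it estimates how much time one node's FIFO buffer retains at a given capture rate, and the `storageSize` needed to keep a target window during peak traffic. The traffic rates are constructed; it assumes buffered bytes roughly equal captured bytes, and the 20% headroom is an arbitrary choice.

```python
import math
import re

# Kubernetes quantity suffixes (binary and decimal) mapped to byte multipliers.
_UNITS = {"": 1, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
          "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_quantity(q):
    """Convert a Kubernetes-style size such as '1Gi' or '500Mi' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", q.strip())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def retention_seconds(storage_size, bytes_per_sec):
    """Approximate time window held by one node's FIFO buffer."""
    if bytes_per_sec <= 0:
        return math.inf  # nothing is written, so nothing is recycled
    return parse_quantity(storage_size) / bytes_per_sec

def required_storage(window_sec, peak_bytes_per_sec, headroom_pct=20):
    """Smallest storageSize (whole Mi) that keeps window_sec at peak rate."""
    # Integer arithmetic avoids float rounding pushing the result up by 1Mi.
    needed = window_sec * peak_bytes_per_sec * (100 + headroom_pct)
    mib = -(-needed // (100 * 2**20))  # ceiling division
    return f"{mib}Mi"

if __name__ == "__main__":
    # Constructed per-node rates of traffic matching the capture filters.
    rates = {"average": 2 * 2**20, "peak": 16 * 2**20}  # bytes per second
    for label, rate in rates.items():
        minutes = retention_seconds("1Gi", rate) / 60
        print(f"1Gi at {label} rate: about {minutes:.1f} min retained")
    # Size needed to still hold 30 minutes of traffic during a peak.
    print("storageSize for 30 min at peak:",
          required_storage(30 * 60, rates["peak"]))
```

Feed it the per-node rate you actually observe for traffic that matches your filters; the peak figure, not the average, decides how short the window can get.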
Snapshot Storage
Traffic Snapshots are stored separately and persist indefinitely.
Local Storage
Configure dedicated local storage for snapshots:
tap:
  snapshots:
    local:
      storageClass: ""   # Storage class for snapshot PVCs
      storageSize: 20Gi  # Size allocated for snapshots
AWS Example:
tap:
  snapshots:
    local:
      storageClass: gp2
      storageSize: 1000Gi
With a dedicated storage class, snapshot storage can be far larger than node-local storage.
Cloud Storage
Snapshots can also be uploaded to cloud object storage (Amazon S3 or Azure Blob Storage) for cross-cluster sharing, backup/restore, and long-term retention:
tap:
  snapshots:
    cloud:
      provider: "s3"  # "s3" or "azblob" (empty = disabled)
      configMaps:
        - kubeshark-s3-config  # ConfigMap with bucket/region
      secrets:
        - kubeshark-s3-creds  # Secret with credentials (optional)
See Cloud Storage for Snapshots for detailed setup instructions including IRSA, static credentials, and Azure Workload Identity.
Capture Filters
Raw capture adheres to Capture Filters. Use filters to target specific workloads and reduce storage usage:
tap:
  regex: .*               # Pod name regex
  namespaces: []          # Target namespaces (empty = all)
  excludedNamespaces: []  # Namespaces to exclude
Examples
Capture only specific namespaces:
tap:
  namespaces:
    - production
    - staging
Exclude system namespaces:
tap:
  excludedNamespaces:
    - kube-system
    - monitoring
Target specific pods:
tap:
  regex: "frontend-.*|backend-.*"
Database Size
Configure the maximum size for dissected API data:
tap:
  capture:
    dbMaxSize: 500Mi  # Maximum database size
This controls storage for L7 dissection results, not raw capture data.
Independence from L7 Dissection
Raw capture operates independently from real-time L7 API dissection:
tap:
  capture:
    stopped: false   # Whether L7 dissection is stopped
    stopAfter: 5m    # Auto-stop dissection after idle period
    raw:
      enabled: true  # Raw capture continues regardless
- stopped: true stops L7 dissection but raw capture continues
- raw.enabled: true enables raw capture regardless of dissection state
This allows continuous raw capture with minimal overhead while enabling L7 dissection on demand.
Complete Example
tap:
  # Capture filters
  regex: .*
  namespaces:
    - default
    - production
  excludedNamespaces:
    - kube-system
  capture:
    stopped: false      # L7 dissection enabled
    stopAfter: 5m       # Auto-stop after 5 minutes idle
    raw:
      enabled: true     # Raw capture always on
      storageSize: 2Gi  # 2GB per node
    dbMaxSize: 500Mi    # 500MB for dissection DB
  snapshots:
    local:
      storageClass: gp2   # AWS storage class
      storageSize: 100Gi  # 100GB for snapshots
What’s Next
- Raw Capture — Overview of raw capture capabilities
- Traffic Snapshots — Create and manage snapshots
- Capture Filters — Target specific workloads