Raw Capture Configuration

Configure raw capture to control storage allocation, capture scope, and buffer sizes.


Basic Configuration

Enable and configure raw capture in your Helm values:

tap:
  capture:
    raw:
      enabled: true           # Enable raw capture
      storageSize: 1Gi        # Node-level FIFO buffer size

When enabled, raw capture continuously stores all L4 traffic matching your Capture Filters.


Storage Configuration

Node-Level FIFO Buffer

Each worker node maintains a FIFO (first-in, first-out) buffer for raw traffic:

tap:
  capture:
    raw:
      storageSize: 1Gi        # Size per node

When the buffer fills, older data is automatically recycled. Larger buffers retain longer time windows.

Sizing guidance:

  • Traffic volume depends on your workload
  • Monitor actual usage to tune the size
  • Consider peak traffic periods
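A sizing check for the FIFO buffer, as an added example (not Kubeshark code): it converts a storageSize value to bytes, estimates how many seconds of traffic a node retains at a given rate, and derives the storageSize needed to keep a target window at peak. It assumes the buffer holds captured bytes with no compression or per-packet overhead; the traffic rates are constructed sample values, not measurements.

```python
import re

# Kubernetes quantity suffixes (decimal and binary) mapped to bytes.
_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_quantity(q):
    """Convert a Kubernetes quantity such as '1Gi' or '500Mi' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T)?", q.strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2) or ""])


def retention_seconds(storage_size, bytes_per_second):
    """Seconds of traffic the FIFO holds before the oldest data is recycled."""
    if bytes_per_second <= 0:
        return float("inf")  # idle node: nothing is ever overwritten
    return parse_quantity(storage_size) / bytes_per_second


def size_for_window(window_seconds, peak_bytes_per_second):
    """Smallest whole-Gi storageSize that keeps window_seconds at the peak rate."""
    needed = int(window_seconds * peak_bytes_per_second)
    gi = max(1, -(-needed // 2**30))  # ceiling division to whole Gi
    return f"{gi}Gi"


# Constructed per-node rates of filtered traffic in bytes/s (assumed values).
SAMPLE_RATES = {"average": 2 * 2**20, "peak": 16 * 2**20}


def report(storage_size, rates=SAMPLE_RATES):
    """Retention window in seconds for each named traffic rate."""
    return {name: retention_seconds(storage_size, r) for name, r in rates.items()}


if __name__ == "__main__":
    for name, secs in report("1Gi").items():
        print(f"1Gi at {name} rate: {secs / 60:.1f} min of lookback")
    print("storageSize for 30 min at peak:",
          size_for_window(1800, SAMPLE_RATES["peak"]))
```

Sizing against the peak rate matters because the retention window is shortest exactly when traffic is heaviest, so a buffer that looks generous on average can hold only about a minute of data during a burst.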

Snapshot Storage

Traffic Snapshots are stored separately and persist indefinitely.

Local Storage

Configure dedicated local storage for snapshots:

tap:
  snapshots:
    local:
      storageClass: ""          # Storage class for snapshot PVCs
      storageSize: 20Gi         # Size allocated for snapshots

AWS Example:

tap:
  snapshots:
    local:
      storageClass: gp2
      storageSize: 1000Gi

With a dedicated storage class, snapshot storage can be far larger than node-local storage.

Cloud Storage

Snapshots can also be uploaded to cloud object storage (Amazon S3 or Azure Blob Storage) for cross-cluster sharing, backup/restore, and long-term retention.

Inline configuration (simplest approach):

tap:
  snapshots:
    cloud:
      provider: "s3"
      s3:
        bucket: my-kubeshark-snapshots
        region: us-east-1

Or using external ConfigMaps/Secrets:

tap:
  snapshots:
    cloud:
      provider: "s3"
      configMaps:
        - kubeshark-s3-config  # ConfigMap with bucket/region
      secrets:
        - kubeshark-s3-creds   # Secret with credentials (optional)

See Cloud Storage for Snapshots for detailed setup instructions including inline values, IRSA, static credentials, and Azure Workload Identity.


Capture Filters

Raw capture adheres to Capture Filters. Use filters to target specific workloads and reduce storage usage:

tap:
  regex: .*                   # Pod name regex
  namespaces: []              # Target namespaces (empty = all)
  excludedNamespaces: []      # Namespaces to exclude

Examples

Capture only specific namespaces:

tap:
  namespaces:
    - production
    - staging

Exclude system namespaces:

tap:
  excludedNamespaces:
    - kube-system
    - monitoring

Target specific pods:

tap:
  regex: "frontend-.*|backend-.*"

Database Size

Configure the maximum size for dissected API data:

tap:
  capture:
    dbMaxSize: 500Mi          # Maximum database size

This controls storage for L7 dissection results, not raw capture data.


Independence from L7 Dissection

Raw capture operates independently from real-time L7 API dissection:

tap:
  capture:
    dissection:
      enabled: true           # Whether L7 dissection is active
      stopAfter: 5m           # Auto-stop dissection after idle period
    raw:
      enabled: true           # Raw capture continues regardless

  • dissection.enabled: false stops L7 dissection but raw capture continues
  • raw.enabled: true enables raw capture regardless of dissection state

This allows continuous raw capture with minimal overhead while enabling L7 dissection on demand.


Complete Example

tap:
  # Capture filters
  regex: .*
  namespaces:
    - default
    - production
  excludedNamespaces:
    - kube-system

  capture:
    dissection:
      enabled: true           # L7 dissection enabled
      stopAfter: 5m           # Auto-stop after 5 minutes idle
    raw:
      enabled: true           # Raw capture always on
      storageSize: 2Gi        # 2 GiB per node
    dbMaxSize: 500Mi          # 500 MiB for dissection DB

  snapshots:
    local:
      storageClass: gp2         # AWS storage class
      storageSize: 100Gi        # 100 GiB for snapshots
    cloud:
      provider: "s3"            # Upload snapshots to S3
      s3:
        bucket: my-kubeshark-snapshots
        region: us-east-1
