# Default values for Trend Micro Cloud One - Container Security.
# This is a YAML-formatted file.
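cloudOne:
  ## apiKey is the API key used to authenticate with Trend Micro Cloud One Container Security.
  ## Treat it as a secret: supply it at install time (for example with
  ## `--set cloudOne.apiKey=...` or a values file kept out of version control)
  ## rather than committing it in this file.
  ##
  ## Default value: (none)
  apiKey: null
  ## endpoint is the URL of the Trend Micro Cloud One Container Security service.
  ## Either a full endpoint or a Cloud One region (ex: us-1) may be provided.
  ##
  ## Default value: https://container.us-1.cloudone.trendmicro.com
  endpoint: https://container.us-1.cloudone.trendmicro.com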
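admissionController:
  ## enabled turns the admission controller on or off.
  ##
  ## Default value: true
  enabled: true
  ## validationNamespaceSelector is a namespace selector; only namespaces that match it
  ## are subject to validation. The default matches every namespace that does not carry
  ## the `ignoreAdmissionControl` label.
  ##
  ## For more information about namespace selectors, please see
  ## https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ## https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
  validationNamespaceSelector:
    matchExpressions:
      - key: ignoreAdmissionControl
        operator: DoesNotExist
  ## enableKubeSystem tells the admission controller not to ignore requests from the
  ## kube-system namespace.
  ##
  ## Default value: false
  ##
  ## WARNING: Enabling this could leave your cluster unresponsive, depending on the policy set.
  ## Only enable this with the greatest of care.
  enableKubeSystem: false
  ## failurePolicy defines the behaviour when the webhook returns an unrecognized error or
  ## times out. `Ignore` fails open: the request is admitted without validation. `Fail`
  ## fails closed: the request is rejected, which can easily make the cluster unresponsive
  ## if kube-system is not excluded from validation.
  ##
  ## Default value: Ignore
  failurePolicy: Ignore
  certificate:
    ## commonName is the common name to use in the default signed certificate.
    ##
    ## Default value: (none)
    commonName: null
    ## ipAlternativeNames is a list of IP addresses to include as alternate names
    ## in the default signed certificate.
    ##
    ## Default value: []
    ipAlternativeNames: []
    ## dnsAlternativeNames is a list of DNS names to include as alternate names
    ## in the default signed certificate.
    ##
    ## Default value: []
    dnsAlternativeNames: []
    ## lifetime is the lifetime in days of the default signed certificate.
    ##
    ## Default value: 3650
    lifetime: 3650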
oversight:
  ## enabled turns the Oversight controller on or off.
  ##
  ## Default value: true
  enabled: true
  ## enableKubeSystem tells the Oversight controller not to ignore requests from the
  ## kube-system namespace.
  ##
  ## Default value: false
  ##
  ## WARNING: Enabling this could leave your cluster unresponsive, depending on the policy set.
  ## Only enable this with the greatest of care.
  enableKubeSystem: false
  ## syncPeriod is how often Trend Micro Cloud One Container Security evaluates the
  ## running pods.
  ##
  ## Default value: 3600s
  ## Minimum value: 600s
  syncPeriod: 3600s
  ## enableNetworkPolicyCreation tells the Oversight controller to create the Kubernetes
  ## NetworkPolicy used for the `isolate` mitigation if it does not already exist.
  ## The created NetworkPolicy is not cleaned up automatically.
  ##
  ## Default value: true
  enableNetworkPolicyCreation: true
runtimeSecurity:
  ## enabled turns the runtime security feature on or off.
  ##
  ## Default value: false
  enabled: false
securityContextConstraints:
  ## create controls whether the Security Context Constraints are created on OpenShift.
  ##
  ## Default value: true
  create: true
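serviceAccount:
  ## create controls whether service accounts are created. Each component with specific
  ## permissions uses its own service account. If set to false, the default service account
  ## is used, which may not have sufficient permissions and can cause failures.
  ##
  ## Default value: true
  create: true
  oversight:
    ## name is the service account to use for the Oversight controller.
    ## If not set and create is true, a name is generated from the chart's fullname template
    ## for this component.
    name: ''
    ## annotations are added to the service account.
    annotations: {}
  usage:
    ## name is the service account to use for the usage controller.
    ## If not set and create is true, a name is generated from the chart's fullname template
    ## for this component.
    name: ''
    ## annotations are added to the service account.
    annotations: {}
  scout:
    ## name is the service account to use for scout.
    ## If not set and create is true, a name is generated from the chart's fullname template
    ## for this component.
    name: ''
    ## annotations are added to the service account.
    annotations: {}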
rbac:
  ## create controls whether RBAC resources are created and used.
  ##
  ## Default value: true
  create: true
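networkPolicy:
  ## enabled controls whether the chart's network policy is created.
  ##
  ## Default value: true
  enabled: true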
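telemetry:
  ## enabled controls whether telemetry events are sent to the telemetry service.
  ## Set to false to stop all telemetry reports.
  ##
  ## Default value: true
  enabled: true
  ## endpoint is the endpoint of the telemetry service.
  ##
  ## Default value: https://telemetry.deepsecurity.trendmicro.com
  endpoint: https://telemetry.deepsecurity.trendmicro.com
  ## interval is the maximum interval between telemetry data reports.
  ##
  ## Default value: 8h
  interval: 8h
  ## publicKey is the public key used when communicating with the telemetry service.
  ##
  ## Default value: (built-in)
  publicKey: null
  ## apiKey is the API key used when communicating with the telemetry service.
  ##
  ## Default value: (built-in)
  apiKey: null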
## securityContext specifies the security contexts applied to the pods created by this chart.
##
## NOTE: securityContext does not apply to scout, since it requires special privileges.
securityContext:
  ## enabled is a global flag controlling whether security contexts are included at all
  ## in the manifests.
  ##
  ## Default value: true
  enabled: true
  ## default is the security context applied at the pod and container level. When
  ## `securityContext.enabled` is true, `pod` is inserted into the Deployment pod template
  ## and `container` is inserted at the container level.
  default:
    pod:
      runAsNonRoot: true
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions is left unset: "If unspecified, the container runtime will allocate
      # a random SELinux context for each container", which is appropriate here.
      runAsUser: 65532  # nonroot user
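proxy:
  ## httpProxy, if set, is used as the proxy for outbound HTTP traffic.
  ##
  ## The value may be either a complete URL or a `host[:port]`, in which
  ## case the `http` scheme is assumed.
  ##
  ## Default value: (none)
  httpProxy: null
  ## httpsProxy, if set, is used as the proxy for outbound HTTPS traffic.
  ## If `httpsProxy` is not set, `httpProxy` is also checked and used if set.
  ##
  ## The value may be either a complete URL or a `host[:port]`, in which
  ## case the `http` scheme is assumed.
  ##
  ## Default value: (none)
  httpsProxy: null
  ## noProxy, if set, is a list of hosts or `host:port` combinations which
  ## should not be accessed through the proxy.
  ##
  ## Default value: (none)
  noProxy: []
  ## username, if set, is the user name presented to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  username: null
  ## password, if set, is the password presented to the outbound proxy when making requests.
  ## Treat it as a secret: supply it at install time (for example with `--set proxy.password=...`
  ## or a values file kept out of version control) rather than committing it in this file.
  ##
  ## Default value: (none)
  password: null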
resources:
  ## defaults apply to every pod created by this chart unless a component-specific
  ## entry below overrides them.
  ##
  ## Default value: {}
  defaults: {}
  ## oversight holds the resource requests and limits for the Oversight controller.
  oversight:
    limits:
      cpu: 800m
      memory: 1Gi
    requests:
      cpu: 100m
      memory: 20Mi
  ## usage holds the resource requests and limits for the usage controller.
  usage:
    limits:
      cpu: 800m
      memory: 1Gi
    requests:
      cpu: 100m
      memory: 20Mi
  ## scout holds the resource requests and limits for scout.
  scout:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
nodeSelector:
  ## defaults, if set, restricts pods to a particular set of nodes. It applies to all pods
  ## created by this chart unless overridden by a non-default configuration.
  ##
  ## Default Value: {}
  defaults: {}
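tolerations:
  ## defaults, if set, is the list of tolerations that allow (but do not require) the pods
  ## to schedule onto nodes with matching taints. It applies to all pods created by this
  ## chart unless overridden by a non-default configuration.
  ##
  ## Default Value: []
  defaults: []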
affinity:
  ## defaults, if set, constrains which nodes the pods are eligible to be scheduled on,
  ## based on labels. It applies to all pods created by this chart unless overridden by a
  ## non-default configuration.
  ##
  ## Default Value: {}
  defaults: {}
## replicas, if set, allows additional replica counts to be configured for specific pods.
## NOTE: replicas does not apply to scout.
##
## Default Value: {}
replicas: {}
## extraLabels is a dictionary of additional labels added to every resource created by this chart.
##
## Default Value: {}
extraLabels: {}
podAnnotations:
  ## defaults, if set, applies additional annotations to all pods unless overridden by a
  ## non-default configuration.
  ##
  ## Default Value: {}
  defaults: {}
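priorityClassName:
  ## default, if set, applies a priority class to all pods unless overridden by a
  ## non-default configuration.
  ##
  ## Default Value: (none)
  default: null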
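scout:
  exclusion:
    ## namespaces lists the namespaces for which the Scout runtime security feature will
    ## not trigger events.
    ##
    ## Default Value:
    ## - kube-system
    namespaces:
      - kube-system
    ## excludeSameNamespace, if true, also excludes the namespace this chart is deployed into.
    ##
    ## Default Value: true
    excludeSameNamespace: true
  falco:
    ## extraArgs, if set, applies additional arguments to the falco container.
    ##
    ## Default Value: []
    extraArgs: []
    ## env, if set, applies additional environment variables to the falco container.
    ##
    ## Default Value: {}
    env: {}
    docker:
      ## enabled determines whether the Docker socket is mounted into the falco container.
      ## Required for Docker-based runtimes only. Access to this socket amounts to control
      ## of the node's container runtime, so leave it disabled where the runtime is not Docker.
      ##
      ## Default Value: true
      enabled: true
      ## socket is the Docker socket path to mount when Docker-based runtimes are enabled.
      ##
      ## Default Value: /var/run/docker.sock
      socket: /var/run/docker.sock
    cri:
      ## enabled determines whether the CRI (containerd or CRI-O) socket is mounted into
      ## the falco container. Required for CRI-based runtimes.
      ##
      ## Default Value: true
      enabled: true
      ## socket is the CRI socket path to mount when CRI-based runtimes are enabled.
      ##
      ## Default Value: (determined by platform)
      socket: null
  scout:
    ## extraArgs, if set, applies additional arguments to the scout container.
    ##
    ## Default Value: []
    extraArgs: []
    ## env, if set, applies additional environment variables to the scout container.
    ##
    ## Default Value: {}
    env: {}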
images:
  defaults:
    ## registry is the default registry to pull images from. It can be overridden per
    ## image by setting the registry attribute at the image level. If no registry is
    ## provided, images are pulled from your default registry (which may be Docker Hub).
    ##
    ## Default value: blank
    # registry:
    ## project is the default project / organization to pull images from. It can be
    ## overridden per image by setting the project attribute at the image level.
    ##
    ## Default value: trendmicrocloudone
    # project: trendmicrocloudone
    ## tag is the default tag for images to pull. It can be overridden per image by
    ## setting the tag attribute at the image level.
    ## Quoted so that it is always read as a string rather than a number.
    tag: "2.1.3"
    ## pullPolicy is the default pull policy for images. It can be overridden per image
    ## by setting the pullPolicy attribute at the image level.
    ##
    ## Default value: IfNotPresent
    pullPolicy: IfNotPresent
    ## imagePullSecret is the default secret for pulling images. It can be overridden per
    ## image by setting the imagePullSecret attribute at the image level.
    ##
    ## Default value: none
    # imagePullSecret:
  ## Each image below pins a content digest alongside its repository. The digest presumably
  ## takes precedence over the tag when both are set — verify against the chart templates
  ## before relying on that, and keep the digests updated whenever the tag changes.
  admissionController:
    repository: admission-controller
    digest: sha256:6d42cc616f95b070977cf88ab00100471014fdbbab83ce1bdbbd054e54a37be3
  oversight:
    repository: oversight-controller
    digest: sha256:60165af787fa0a9a43a0d0e9fa57801d4dfe0c787d5c5ac4a9d2a3fc8a2e80d6
  usage:
    repository: usage-controller
    digest: sha256:d113bdb1a32ef10b1d45d149d5b4dc9eeaf4edbca9778396d341d85ab8ffdf87
  rbacProxy:
    repository: rbac-proxy
    digest: sha256:c43be26f3ce3e934e9c1d12bb00b79201940cee1c22b0f445538fbf82645166a
  falco:
    repository: falco
    digest: sha256:2d4288fe9bd6dd26b79fc834fc3ed521684d00a0036f094b9b1980187ec48a5b
  scout:
    repository: scout
    digest: sha256:c383ce9b0df90bb2690c1f6d9808ad82216924f7a595da57f8de80d3babedb28