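# Default values for falcon-image-analyzer.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Workload type selectors; both default to false.
daemonset:
  enabled: false

deployment:
  enabled: false
  # Page size used when listing resources through the Kubernetes watcher.
  # override this value if needed
  # default to 500 as kubectl
  # NOTE(review): nesting of `watcher` under `deployment` was reconstructed from the
  # chart's layout (indentation was lost in this copy) — confirm against the templates.
  watcher:
    listPageSize: 500

# Do not override anywhere in values - Always 1 for Deployment. NA for daemonset
replicaCount: 1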
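image:
  repository: registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer
  # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
  # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
  # Empty string rather than a bare (null) value so the key keeps a string type when values are re-serialized.
  tag: ""
  # Setting a digest will override any tag and should be used instead of tags.
  #
  # Example digest variable configuration:
  # digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
  digest: ""
  # Always re-contacts the registry on every pod start; this is the safe choice while a
  # mutable tag (rather than a digest) is in use.
  pullPolicy: Always
  # use this to refer to an existing secret in the namespace falcon-image-analyzer
  # Preferred over registryConfigJSON: the registry credential never enters this file,
  # the rendered manifests, or the stored Helm release values.
  pullSecret: ""
  # Value must be base64. This setting conflicts with image.pullSecret
  # The base64 encoded string of the docker config json for the pull secret can be
  # gotten through:
  # $ cat ~/.docker/config.json | base64 -
  # base64 is an encoding, not encryption: whatever is set here is readable via
  # `helm get values` and in the rendered Secret. Supply it at install time (e.g. --set-file)
  # rather than committing it, and note that ~/.docker/config.json may hold credentials for
  # more registries than the one this chart needs.
  registryConfigJSON: ""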
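envFrom:
  - configMapRef:
      name: agent-config

nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Name of the service account to use (empty: presumably chart-generated — confirm in templates)
  name: ""
  # Annotations to add to the service account
  annotations: {}

volumeMounts:
  - mountPath: /tmp
    name: tmp-volume

podAnnotations: {}
# Both security contexts are left empty by default. Hardening (e.g. runAsNonRoot,
# readOnlyRootFilesystem, dropping capabilities, a seccompProfile) belongs in an
# override once the image has been confirmed to run under those constraints.
podSecurityContext: {}
securityContext: {}
nodeSelector: {}
resources: {}
tolerations: []

# Restricts scheduling to linux/amd64 nodes via the matchExpressions below.
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/os
              operator: In
              values:
                - linux
            - key: kubernetes.io/arch
              operator: In
              values:
                - amd64

priorityClassName: ""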
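# For AKS without the pulltoken option
azure:
  enabled: false
  # Path to the Kubernetes Azure config file on worker nodes
  # On AKS this file carries the node's cloud-provider settings, which may include
  # credentials; enabling this exposes it to the pod, so leave it disabled unless the
  # pulltoken option is unavailable.
  azureConfig: /etc/kubernetes/azure.json

# GCP GKE workload identity init container
gcp:
  enabled: false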
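exclusions:
  # provide a comma-separated list of namespaces that you want to be
  # excluded from IAR scanning.
  # Note that all pods in those namespaces will be excluded.
  # Use this param when you install IAR on a cluster that already has pods running that you want excluded.
  # For excluding only specific pods, or excluding namespaces AFTER IAR has been installed, please refer to the README.
  # e.g.
  # exclusions:
  #   namespace: "ns1,ns2"
  namespace: ""
  # provide a comma-separated list of
  # registries (without transport http/https://) to be excluded
  # from IAR scanning.
  # Note that any pods running any image from the registry will be excluded.
  # Use this param when you install IAR on a cluster that already has pods running that you want excluded.
  # Excluded images are never assessed, so keep this list under review: each entry is a
  # coverage gap, not a tuning knob.
  # e.g.
  # exclusions:
  #   registry: "index.docker.io,my.private.registry,localhost,localhost:1234"
  registry: ""

# Use this param to provide the comma-separated registry secrets of the form namespace1:secretname1,namespace2:secret2
# each secret should be of type docker-registry for each of the private registries that is used.
# e.g. a docker-registry secret can be created as below
# kubectl create secret docker-registry regcred \
#   --docker-server=my-artifactory.jfrog.io \
#   --docker-username=read-only \
#   --docker-password=my-super-secret-pass \
#   --docker-email=johndoe@example.com -n my-app-ns
#
# use the above secret as "my-app-ns:regcred"
# Only the namespace:name reference goes here; the credential itself stays in the Kubernetes Secret.
privateRegistries:
  credentials: ""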
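# This is a mandatory mount for both deployment and daemon set.
# this is used as a tmp working space for image storage.
# adjust this space to any comfortable value. The max size should be equal
# to the largest image possible to run in the container.
# e.g. if the largest possible image is in the range of 1-4g put 4Gi as the value.
# sizeLimit also caps the node disk a single pod can consume here; the kubelet evicts a
# pod whose emptyDir grows past it, so size it for the largest image, not unbounded.
volumes:
  - name: tmp-volume
    emptyDir:
      sizeLimit: 20Gi

# use this field to set the output terminal of logs
# 1 = stdout ( some cloud providers like GCP assume any output on stderr to be critical err and display on console ) .
# 2 = stderr/default ( stderr is the normal output for logs )
# any other value will be defaulted to stderr
# https://stackoverflow.com/questions/4919093/should-i-log-messages-to-stderr-or-stdout/4919110#4919110 )
log:
  output: 2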
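# Set this flag to true to send scan error stats to cs cloud.
# These events can be searched in investigate>events / advanced events search
# note that if true, agent will send an error for image for first time only.
# Repeated errors for same images will not be sent to preserve network footprint
scanStats:
  enabled: false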
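crowdstrikeConfig:
  clusterName: ""
  # These are special Kubernetes SDK Verbose Logs. Helpful for troubleshooting kube API.
  # Only Enable for extreme troubleshooting.
  # Kept as quoted strings, not YAML booleans, so the value reaches the container as text
  # (presumably an env var — confirm in the templates before switching to bare true/false).
  enableKlogs: "false"
  enableDebug: "false"
  # Falcon API client credentials. Leave both empty and point existingSecret (below) at a
  # pre-created Secret so the values never land in this file, CI logs, or the stored Helm
  # release values.
  clientID: ""
  clientSecret: ""
  cid: ""
  # Use the value for the crowdstrike Artifactory
  # Token retrieved by calling container-security
  # /entities/image-registry-credentials/v1
  # Same handling as clientSecret: prefer existingSecret, or pass it at install time with --set.
  dockerAPIToken: ""
  # Use this value if you have an existing secret
  # defined in your k8s that may contain secrets
  # for falcon api client id and pw
  existingSecret: ""
  agentRegion: "autodiscovery"
  agentRuntime: ""
  agentRuntimeSocket: ""
  # Quoted string, consumed as text like enableKlogs/enableDebug above.
  agentMaxConsumerThreads: "1"
  # Outbound proxy settings for the agent. When a proxy is set, NO_PROXY typically needs the
  # cluster API endpoint and in-cluster ranges, otherwise kube API traffic is sent through
  # the proxy as well.
  proxyConfig:
    HTTP_PROXY: ""
    HTTPS_PROXY: ""
    NO_PROXY: ""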