From 5269bc1e2cf89c45433152f87c1a713d675ee312 Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Mon, 31 Mar 2025 05:23:01 -0500
Subject: [PATCH] Add openclarity
---
 infra/openclarity/Chart.yaml | 12 +
 infra/openclarity/templates/secret.yaml | 30 +
 infra/openclarity/values.yaml | 915 ++++++++++++++++++++++++
 3 files changed, 957 insertions(+)
 create mode 100644 infra/openclarity/Chart.yaml
 create mode 100644 infra/openclarity/templates/secret.yaml
 create mode 100644 infra/openclarity/values.yaml
diff --git a/infra/openclarity/Chart.yaml b/infra/openclarity/Chart.yaml
new file mode 100644
index 0000000..e600b41
--- /dev/null
+++ b/infra/openclarity/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: openclarity
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+ - name: openclarity
+ repository: oci://ghcr.io/openclarity/charts/openclarity
+ version: 1.1.3
diff --git a/infra/openclarity/templates/secret.yaml b/infra/openclarity/templates/secret.yaml
new file mode 100644
index 0000000..8435129
--- /dev/null
+++ b/infra/openclarity/templates/secret.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: openclarity-postgres-secret
+spec:
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: openclarity-postgres-secret
+ data:
+ - secretKey: username
+ remoteRef:
+ key: kv/openclarity/postgres
+ property: username
+ - secretKey: password
+ remoteRef:
+ key: kv/openclarity/postgres
+ property: password
+ - secretKey: database
+ remoteRef:
+ key: kv/openclarity/postgres
+ property: database
diff --git a/infra/openclarity/values.yaml b/infra/openclarity/values.yaml
new file mode 100644
index 0000000..1af2179
--- /dev/null
+++ b/infra/openclarity/values.yaml
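Review bot: Chart.yaml still carries the `helm create` scaffold metadata — `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` — next to a dependency pinned at `version: 1.1.3`, so the chart's own metadata describes neither what it wraps nor which application version it ships. appVersion is informational, but tooling and `helm list` surface it, so it should track the wrapped release: `appVersion: "1.1.3"` and `description: Wrapper chart for OpenClarity with Vault-backed database credentials`. Pinning the dependency to an explicit version rather than a range is the right choice and should stay.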
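Review bot: The ExternalSecret's target `openclarity-postgres-secret` is only referenced by `postgresql.auth.existingSecret` in values.yaml, while `apiserver.database.auth.existingSecret` stays `""`, even though the chart comment on that key asks for exactly the `username`/`password`/`database` keys this ExternalSecret produces. Unless the upstream chart falls back to the postgresql credentials for the API server (not visible here), the API server will not receive the Vault-sourced credentials; set `existingSecret: openclarity-postgres-secret` under `apiserver.database.auth` as well. The bare `ServiceAccount` named `vault` in the same file has no annotations or comment explaining its role; if it exists so the `ClusterSecretStore` can authenticate on behalf of this namespace, say so in a comment above it, since an unexplained extra service account is the kind of thing that gets deleted or repurposed later.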
@@ -0,0 +1,915 @@
+openclarity:
+ global:
+ imageRegistry: registry.durp.info
+
+ apiserver:
+ # -- Number of replicas for the API Server
+ replicas: 1
+
+ database:
+ postgresql:
+ # -- Enable/disable Postgresql database
+ enabled: true
+ externalPostgresql:
+ # -- Enable/disable external Postgresql database
+ enabled: false
+ # -- External Postgreqsl database host
+ host: ""
+ # -- External Postgresql database port
+ port: 5432
+ auth:
+ # -- Name of existing secret to use for PostgreSQL credentials that has the following keys:
+ username
+ password
+ database
+ existingSecret: ""
+
+ image:
+ # -- API Server image registry
+ registry: ghcr.io
+ # -- API Server image repository
+ repository: openclarity/openclarity-api-server
+ # -- API Server image tag (immutable tags are recommended)
+ tag: latest
+ # -- API Server image digest. If set will override the tag.
+ digest: ""
+ # -- API Server image pull policy
+ pullPolicy: IfNotPresent
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ # -- API Server log level
+ logLevel: info
+
+ resources:
+ # -- The resources limits for the apiserver containers
+ limits: {}
+ # -- The requested resources for the apiserver containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ orchestrator:
+ # -- Number of replicas for the Orchestrator service
+ # Currently 1 supported.
+ replicas: 1
+
+ image:
+ # -- Orchestrator image registry
+ registry: ghcr.io
+ # -- Orchestrator image repository
+ repository: openclarity/openclarity-orchestrator
+ # -- Orchestrator image tag (immutable tags are recommended)
+ tag: latest
+ # -- Orchestrator image digest. If set will override the tag.
+ digest: ""
+ # -- Orchestrator image pull policy
+ pullPolicy: IfNotPresent
+
+ podSecurityContext:
+ # -- Whether Orchestrator pod security context is enabled
+ enabled: true
+ # -- Orchestrator pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ # -- Orchestrator service log level
+ logLevel: info
+
+ resources:
+ # -- The resources limits for the orchestrator containers
+ limits: {}
+ # -- The requested resources for the orchestrator containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ # -- Global policy used to determine when to clean up an AssetScan.
+ # Possible options are:
+ # Always - All AssetScans are cleaned up
+ # OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging
+ # Never - No AssetScans are cleaned up
+ deleteJobPolicy: Always
+
+ scannerImage:
+ # -- Scanner Container image registry
+ registry: ghcr.io
+ # -- Scanner Container image repository
+ repository: openclarity/openclarity-cli
+ # -- Scanner Container image tag (immutable tags are recommended)
+ tag: latest
+ # -- Scanner Container image digest. If set will override the tag.
+ digest: ""
+
+ # -- Address that scanners can use to reach back to the API server
+ scannerApiserverAddress: ""
+
+ # -- Address that scanners can use to reach back to the Exploits server
+ exploitsDBAddress: ""
+
+ # -- Address that scanners can use to reach trivy server
+ trivyServerAddress: ""
+
+ # -- Address that scanners can use to reach the grype server
+ grypeServerAddress: ""
+
+ # -- Address that scanners can use to reach the freshclam mirror
+ freshclamMirrorAddress: ""
+
+ # -- Address that scanner can use to reach the yara rule server
+ yaraRuleServerAddress: ""
+
+ # -- Which provider driver to enable.
+ # If enabling the Kubernetes provider ensure that the orchestrator
+ # serviceAccount section is configured to allow access to the Kubernetes API.
+ provider: "kubernetes"
+
+ kubernetes: {}
+
+ # Only for testing purposes
+ docker: {}
+
+ ui:
+ # -- Number of replicas for the UI service
+ replicas: 1
+
+ image:
+ # -- UI image registry
+ registry: ghcr.io
+ # -- UI image repository
+ repository: openclarity/openclarity-ui
+ # -- UI image tag
+ tag: latest
+ # -- UI image digest. If set will override the tag
+ digest: ""
+ # -- UI Image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the UI containers
+ limits: {}
+ # -- The requested resources for the UI containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: true
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 101
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 101
+ # -- Group ID which the containers should run as
+ runAsGroup: 101
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ uibackend:
+ # -- Number of replicas for the UI Backend service
+ replicas: 1
+
+ image:
+ # -- UI Backend image registry
+ registry: ghcr.io
+ # -- UI Backend image repository
+ repository: openclarity/openclarity-ui-backend
+ # -- UI Backend image tag
+ tag: latest
+ # -- UI Backend image digest. If set will override the tag.
+ digest: ""
+ # -- UI Backend image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the UI backend containers
+ limits: {}
+ # -- The requested resources for the UI backend containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ # -- Log level for the UI backend service
+ logLevel: info
+
+ gateway:
+ # -- Number of replicas for the gateway
+ replicas: 1
+
+ image:
+ # -- Gateway service container registry
+ registry: docker.io
+ # -- Gateway service container repository
+ repository: nginxinc/nginx-unprivileged
+ # -- Gateway service container tag
+ tag: 1.27.3
+ # -- Gateway image digest. If set will override the tag.
+ digest: ""
+ # -- Gateway service container pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the gateway containers
+ limits: {}
+ # -- The requested resources for the gateway containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 101
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 101
+ # -- Group ID which the containers should run as
+ runAsGroup: 101
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: false
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ service:
+ # -- Service type: ClusterIP, NodePort, LoadBalancer
+ type: ClusterIP
+ # -- Port configurations
+ ports:
+ http: 80
+ # -- NodePort configurations
+ nodePorts:
+ http: ""
+ # -- Dedicated IP address used for service
+ clusterIP: ""
+ # -- Annotations set for service
+ annotations: {}
+ # -- External Traffic Policy configuration
+ # Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node
+ # local endpoints.
+ externalTrafficPolicy: Cluster
+
+ ingress:
+ # -- Be careful when using ingress. As there is no authentication on openclarity, your instance may be accessible.
+ # Make sure the ingress remains internal if you decide to enable it.
+ enabled: false
+ labels: {}
+ annotations: {}
+
+ # -- Optionally use ingressClassName instead of default ingress class.
+ ingressClassName: ""
+
+ hosts:
+ # Hostname you want to use to access the UI
+ - host: chart-example.local
+ # paths will default to:
+ # paths:
+ # - pathType: Prefix
+ # path: /
+ paths: []
+
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+ postgresql:
+ image:
+ # -- Postgresql container registry
+ registry: docker.io
+ # -- Postgresql container repository
+ repository: bitnami/postgresql
+ # -- Postgresql container tag
+ tag: 16.6.0-debian-12-r1
+ # -- Postgresql image digest. If set will override the tag.
+ digest: ""
+ # -- Postgresql container image pull policy
+ pullPolicy: IfNotPresent
+ primary:
+ # -- Postgresql container resource preset
+ # For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ resourcesPreset: "small"
+
+ resources:
+ # -- The resources limits for the postgresql containers
+ limits: {}
+ # -- The requested resources for the postgresql containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ auth:
+ existingSecret: openclarity-postgres-secret
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ service:
+ ports:
+ # -- PostgreSQL service port
+ postgresql: 5432
+
+ exploitDBServer:
+ # -- Number of replicas for the exploit-db-server service
+ replicas: 1
+
+ image:
+ # -- Exploit DB Server container registry
+ registry: ghcr.io
+ # -- Exploit DB Server container repository
+ repository: openclarity/exploit-db-server
+ # -- Exploit DB Server container tag
+ tag: v0.3.0
+ # -- Exploit DB Server image digest. If set will override the tag.
+ digest: ""
+ # -- Exploit DB Server image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the exploit-db-server containers
+ limits: {}
+ # -- The requested resources for the exploit-db-server containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: false
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ trivyServer:
+ # -- Number of replicas for the trivy server service
+ replicas: 1
+
+ image:
+ # -- Trivy Server container registry
+ registry: docker.io
+ # -- Trivy Server container repository
+ repository: aquasec/trivy
+ # -- Trivy Server container tag
+ tag: 0.58.2
+ # -- Trivy Server image digest. If set will override the tag.
+ digest: ""
+ # -- Trivy Server image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the trivy server containers
+ limits: {}
+ # -- The requested resources for the trivy server containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ grypeServer:
+ # -- Number of replicas for the grype server service
+ replicas: 1
+
+ image:
+ # -- Grype server container registry
+ registry: ghcr.io
+ # -- Grype server container repository
+ repository: openclarity/grype-server
+ # -- Grype server container tag
+ tag: v0.7.5
+ # -- Grype server image digest. If set will override the tag.
+ digest: ""
+ # -- Grype server image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the grype server containers
+ limits: {}
+ # -- The requested resources for the grype server containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: true
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: true
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ # -- Log level for the grype-server service
+ logLevel: info
+
+ freshclamMirror:
+ # -- Number of replicas for the freshclam mirror service
+ replicas: 1
+
+ image:
+ # -- Freshclam Mirror container registry
+ registry: ghcr.io
+ # -- Freshclam Mirror container repository
+ repository: openclarity/freshclam-mirror
+ # -- Freshclam Mirror container tag
+ tag: v0.3.1
+ # -- Freshclam Mirror image digest. If set will override the tag.
+ digest: ""
+ # -- Freshclam Mirror image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the freshclam mirror containers
+ limits: {}
+ # -- The requested resources for the freshclam mirror containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: false
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: false
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ swaggerUI:
+ # -- Number of replicas for the swagger-ui service
+ replicas: 1
+
+ image:
+ # -- Swagger UI container registry
+ registry: docker.io
+ # -- Swagger UI container repository
+ repository: swaggerapi/swagger-ui
+ # -- Swagger UI container tag
+ tag: v5.18.2
+ # -- Swagger UI image digest. If set will override the tag.
+ digest: ""
+ # -- Swagger UI image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the swagger ui containers
+ limits: {}
+ # -- The requested resources for the swagger ui containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: false
+ # -- Pod security context fsGroup
+ fsGroup: 101
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: false
+ # -- User ID which the containers should run as
+ runAsUser: 0
+ # -- Group ID which the containers should run as
+ runAsGroup: 0
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: false
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ yaraRuleServer:
+ # -- Number of replicas for the Yara Rule Server service
+ replicas: 1
+
+ image:
+ # -- Yara Rule Server container registry
+ registry: ghcr.io
+ # -- Yara Rule Server container repository
+ repository: openclarity/yara-rule-server
+ # -- Yara Rule Server container tag
+ tag: v0.3.0
+ # -- Yara Rule Server image digest. If set will override the tag.
+ digest: ""
+ # -- Yara Rule Server image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+ # -- The resources limits for the Yara Rule Server containers
+ limits: {}
+ # -- The requested resources for the Yara Rule Server containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: false
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: false
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
+
+ crDiscoveryServer:
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ image:
+ # -- Container Runtime Discovery Server container registry
+ registry: ghcr.io
+ # -- Container Runtime Discovery Server container repository
+ repository: openclarity/openclarity-cr-discovery-server
+ # -- Container Runtime Discovery Server container tag
+ tag: latest
+ # -- Container Runtime Discovery Server image digest. If set will override the tag.
+ digest: ""
+ # -- Container Runtime Discovery Server image pull policy
+ pullPolicy: IfNotPresent
+
+ # -- Environment variables to set in the Container Runtime Discovery Server container
+ env: []
+ # - name: CONTAINERD_SOCK_ADDRESS
+ # value: /var/run/containerd/containerd.sock
+ containerRuntimePaths:
+ - name: containerd
+ path: /var/run/containerd
+ readOnly: true
+ - name: k3s-containerd
+ path: /run/k3s/containerd
+ readOnly: true
+ - name: docker
+ path: /var/lib/docker
+ readOnly: true
+ - name: crio
+ path: /var/run/crio
+ readOnly: true
+ - name: crio-lib
+ path: /var/lib/containers
+ - name: crio-run
+ path: /var/run/containers
+ - name: crio-containers
+ path: /etc/containers
+ readOnly: true
+ resources:
+ # -- The resources limits for the container runtime discovery server containers
+ limits: {}
+ # -- The requested resources for the container runtime discovery server containers
+ requests: {}
+
+ serviceAccount:
+ # -- Enable creation of ServiceAccount
+ create: true
+ # -- The name of the ServiceAccount to use.
+ # If not set and create is true, it will use the component's calculated name.
+ name: ""
+ # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
+ # Can be set to false if pods using this serviceAccount do not need to use K8s API.
+ automountServiceAccountToken: false
+
+ podSecurityContext:
+ # -- Pod security context enabled
+ enabled: false
+ # -- Pod security context fsGroup
+ fsGroup: 1001
+
+ # In order to use CRI-O runtime you need to run OpenClarity
+ # with the following configuration:
+ #
+ # containerSecurityContext:
+ # enabled: true
+ # privileged: true
+ # readOnlyRootFilesystem: false
+ containerSecurityContext:
+ # -- Container security context enabled
+ enabled: false
+ # -- User ID which the containers should run as
+ runAsUser: 1001
+ # -- Group ID which the containers should run as
+ runAsGroup: 1001
+ # -- Whether the containers should run as a non-root user
+ runAsNonRoot: true
+ # -- Whether the container should run in privileged mode
+ privileged: false
+ # -- Force the child process to run as non-privileged
+ allowPrivilegeEscalation: false
+ # -- Mounts the container file system as ReadOnly
+ readOnlyRootFilesystem: true
+ capabilities:
+ # -- List of capabilities to be dropped
+ drop:
+ - ALL
\ No newline at end of file
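Review bot: `provider: "kubernetes"` is selected while `orchestrator.serviceAccount.automountServiceAccountToken` is `false`, which contradicts the comment directly above `provider` that the orchestrator serviceAccount section must allow Kubernetes API access; unless the upstream deployment template mounts a projected token on its own (not visible here), the kubernetes provider has no API credentials, so that key should read `automountServiceAccountToken: true` under `orchestrator`, whereas `ui`, whose comment says the token is unnecessary without API use, is the one set to `true`. Separately, `tag: latest` with `digest: ""` on apiserver, orchestrator, scannerImage, ui, uibackend and crDiscoveryServer is a mutable image reference for components that are also redirected through `global.imageRegistry: registry.durp.info`; pinning a release tag or filling `digest` makes what is deployed reproducible and auditable, as the chart's own "immutable tags are recommended" comments ask. Finally, `crDiscoveryServer` mounts host container-runtime directories with both security contexts disabled, and the `crio-lib` and `crio-run` entries lack the `readOnly: true` their siblings carry, so add it unless CRI-O discovery genuinely needs writes there; `swaggerUI` likewise runs with `runAsUser: 0` and `runAsNonRoot: false`. This file appears to be a copy of the upstream defaults, so these may be upstream choices to override in this wrapper rather than regressions introduced by the commit.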