DeveloperDurp/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add openclarity

Browse Source
This commit is contained in:
DeveloperDurp
2025-03-31 05:23:01 -05:00
parent c66c651402
commit 5269bc1e2c
3 changed files with 957 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
infra/openclarity/Chart.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v2
name: openclarity
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: openclarity
repository: oci://ghcr.io/openclarity/charts/openclarity
version: 1.1.3

30
infra/openclarity/templates/secret.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: openclarity-postgres-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: openclarity-postgres-secret
data:
- secretKey: username
remoteRef:
key: kv/openclarity/postgres
property: username
- secretKey: password
remoteRef:
key: kv/openclarity/postgres
property: password
- secretKey: database
remoteRef:
key: kv/openclarity/postgres
property: database

915
infra/openclarity/values.yaml Normal file
View File

@@ -0,0 +1,915 @@
openclarity:
global:
imageRegistry: registry.durp.info
apiserver:
# -- Number of replicas for the API Server
replicas: 1
database:
postgresql:
# -- Enable/disable Postgresql database
enabled: true
externalPostgresql:
# -- Enable/disable external Postgresql database
enabled: false
# -- External Postgreqsl database host
host: ""
# -- External Postgresql database port
port: 5432
auth:
# -- Name of existing secret to use for PostgreSQL credentials that has the following keys:
# username
# password
# database
existingSecret: ""
image:
# -- API Server image registry
registry: ghcr.io
# -- API Server image repository
repository: openclarity/openclarity-api-server
# -- API Server image tag (immutable tags are recommended)
tag: latest
# -- API Server image digest. If set will override the tag.
digest: ""
# -- API Server image pull policy
pullPolicy: IfNotPresent
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
# -- API Server log level
logLevel: info
resources:
# -- The resources limits for the apiserver containers
limits: {}
# -- The requested resources for the apiserver containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
orchestrator:
# -- Number of replicas for the Orchestrator service
# Currently 1 supported.
replicas: 1
image:
# -- Orchestrator image registry
registry: ghcr.io
# -- Orchestrator image repository
repository: openclarity/openclarity-orchestrator
# -- Orchestrator image tag (immutable tags are recommended)
tag: latest
# -- Orchestrator image digest. If set will override the tag.
digest: ""
# -- Orchestrator image pull policy
pullPolicy: IfNotPresent
podSecurityContext:
# -- Whether Orchestrator pod security context is enabled
enabled: true
# -- Orchestrator pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
# -- Orchestrator service log level
logLevel: info
resources:
# -- The resources limits for the orchestrator containers
limits: {}
# -- The requested resources for the orchestrator containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
# -- Global policy used to determine when to clean up an AssetScan.
# Possible options are:
# Always - All AssetScans are cleaned up
# OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging
# Never - No AssetScans are cleaned up
deleteJobPolicy: Always
scannerImage:
# -- Scanner Container image registry
registry: ghcr.io
# -- Scanner Container image repository
repository: openclarity/openclarity-cli
# -- Scanner Container image tag (immutable tags are recommended)
tag: latest
# -- Scanner Container image digest. If set will override the tag.
digest: ""
# -- Address that scanners can use to reach back to the API server
scannerApiserverAddress: ""
# -- Address that scanners can use to reach back to the Exploits server
exploitsDBAddress: ""
# -- Address that scanners can use to reach trivy server
trivyServerAddress: ""
# -- Address that scanners can use to reach the grype server
grypeServerAddress: ""
# -- Address that scanners can use to reach the freshclam mirror
freshclamMirrorAddress: ""
# -- Address that scanner can use to reach the yara rule server
yaraRuleServerAddress: ""
# -- Which provider driver to enable.
# If enabling the Kubernetes provider ensure that the orchestrator
# serviceAccount section is configured to allow access to the Kubernetes API.
provider: "kubernetes"
kubernetes: {}
# Only for testing purposes
docker: {}
ui:
# -- Number of replicas for the UI service
replicas: 1
image:
# -- UI image registry
registry: ghcr.io
# -- UI image repository
repository: openclarity/openclarity-ui
# -- UI image tag
tag: latest
# -- UI image digest. If set will override the tag
digest: ""
# -- UI Image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the UI containers
limits: {}
# -- The requested resources for the UI containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: true
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 101
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 101
# -- Group ID which the containers should run as
runAsGroup: 101
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
uibackend:
# -- Number of replicas for the UI Backend service
replicas: 1
image:
# -- UI Backend image registry
registry: ghcr.io
# -- UI Backend image repository
repository: openclarity/openclarity-ui-backend
# -- UI Backend image tag
tag: latest
# -- UI Backend image digest. If set will override the tag.
digest: ""
# -- UI Backend image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the UI backend containers
limits: {}
# -- The requested resources for the UI backend containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
# -- Log level for the UI backend service
logLevel: info
gateway:
# -- Number of replicas for the gateway
replicas: 1
image:
# -- Gateway service container registry
registry: docker.io
# -- Gateway service container repository
repository: nginxinc/nginx-unprivileged
# -- Gateway service container tag
tag: 1.27.3
# -- Gateway image digest. If set will override the tag.
digest: ""
# -- Gateway service container pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the gateway containers
limits: {}
# -- The requested resources for the gateway containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 101
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 101
# -- Group ID which the containers should run as
runAsGroup: 101
# -- Whether the containers should run as a non-root user
runAsNonRoot: false
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
service:
# -- Service type: ClusterIP, NodePort, LoadBalancer
type: ClusterIP
# -- Port configurations
ports:
http: 80
# -- NodePort configurations
nodePorts:
http: ""
# -- Dedicated IP address used for service
clusterIP: ""
# -- Annotations set for service
annotations: {}
# -- External Traffic Policy configuration
# Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node
# local endpoints.
externalTrafficPolicy: Cluster
ingress:
# -- Be careful when using ingress. As there is no authentication on openclarity, your instance may be accessible.
# Make sure the ingress remains internal if you decide to enable it.
enabled: false
labels: {}
annotations: {}
# -- Optionally use ingressClassName instead of default ingress class.
ingressClassName: ""
hosts:
# Hostname you want to use to access the UI
- host: chart-example.local
# paths will default to:
# paths:
# - pathType: Prefix
# path: /
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
postgresql:
image:
# -- Postgresql container registry
registry: docker.io
# -- Postgresql container repository
repository: bitnami/postgresql
# -- Postgresql container tag
tag: 16.6.0-debian-12-r1
# -- Postgresql image digest. If set will override the tag.
digest: ""
# -- Postgresql container image pull policy
pullPolicy: IfNotPresent
primary:
# -- Postgresql container resource preset
# For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
resourcesPreset: "small"
resources:
# -- The resources limits for the postgresql containers
limits: {}
# -- The requested resources for the postgresql containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
auth:
existingSecret: openclarity-postgres-secret
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
service:
ports:
# -- PostgreSQL service port
postgresql: 5432
exploitDBServer:
# -- Number of replicas for the exploit-db-server service
replicas: 1
image:
# -- Exploit DB Server container registry
registry: ghcr.io
# -- Exploit DB Server container repository
repository: openclarity/exploit-db-server
# -- Exploit DB Server container tag
tag: v0.3.0
# -- Exploit DB Server image digest. If set will override the tag.
digest: ""
# -- Exploit DB Server image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the exploit-db-server containers
limits: {}
# -- The requested resources for the exploit-db-server containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: false
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
trivyServer:
# -- Number of replicas for the trivy server service
replicas: 1
image:
# -- Trivy Server container registry
registry: docker.io
# -- Trivy Server container repository
repository: aquasec/trivy
# -- Trivy Server container tag
tag: 0.58.2
# -- Trivy Server image digest. If set will override the tag.
digest: ""
# -- Trivy Server image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the trivy server containers
limits: {}
# -- The requested resources for the trivy server containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
grypeServer:
# -- Number of replicas for the grype server service
replicas: 1
image:
# -- Grype server container registry
registry: ghcr.io
# -- Grype server container repository
repository: openclarity/grype-server
# -- Grype server container tag
tag: v0.7.5
# -- Grype server image digest. If set will override the tag.
digest: ""
# -- Grype server image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the grype server containers
limits: {}
# -- The requested resources for the grype server containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: true
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: true
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
# -- Log level for the grype-server service
logLevel: info
freshclamMirror:
# -- Number of replicas for the freshclam mirror service
replicas: 1
image:
# -- Freshclam Mirror container registry
registry: ghcr.io
# -- Freshclam Mirror container repository
repository: openclarity/freshclam-mirror
# -- Freshclam Mirror container tag
tag: v0.3.1
# -- Freshclam Mirror image digest. If set will override the tag.
digest: ""
# -- Freshclam Mirror image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the freshclam mirror containers
limits: {}
# -- The requested resources for the freshclam mirror containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: false
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: false
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
swaggerUI:
# -- Number of replicas for the swagger-ui service
replicas: 1
image:
# -- Swagger UI container registry
registry: docker.io
# -- Swagger UI container repository
repository: swaggerapi/swagger-ui
# -- Swagger UI container tag
tag: v5.18.2
# -- Swagger UI image digest. If set will override the tag.
digest: ""
# -- Swagger UI image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the swagger ui containers
limits: {}
# -- The requested resources for the swagger ui containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: false
# -- Pod security context fsGroup
fsGroup: 101
containerSecurityContext:
# -- Container security context enabled
enabled: false
# -- User ID which the containers should run as
runAsUser: 0
# -- Group ID which the containers should run as
runAsGroup: 0
# -- Whether the containers should run as a non-root user
runAsNonRoot: false
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
yaraRuleServer:
# -- Number of replicas for the Yara Rule Server service
replicas: 1
image:
# -- Yara Rule Server container registry
registry: ghcr.io
# -- Yara Rule Server container repository
repository: openclarity/yara-rule-server
# -- Yara Rule Server container tag
tag: v0.3.0
# -- Yara Rule Server image digest. If set will override the tag.
digest: ""
# -- Yara Rule Server image pull policy
pullPolicy: IfNotPresent
resources:
# -- The resources limits for the Yara Rule Server containers
limits: {}
# -- The requested resources for the Yara Rule Server containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: false
# -- Pod security context fsGroup
fsGroup: 1001
containerSecurityContext:
# -- Container security context enabled
enabled: false
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL
crDiscoveryServer:
nodeSelector: {}
tolerations: []
affinity: {}
image:
# -- Container Runtime Discovery Server container registry
registry: ghcr.io
# -- Container Runtime Discovery Server container repository
repository: openclarity/openclarity-cr-discovery-server
# -- Container Runtime Discovery Server container tag
tag: latest
# -- Container Runtime Discovery Server image digest. If set will override the tag.
digest: ""
# -- Container Runtime Discovery Server image pull policy
pullPolicy: IfNotPresent
# -- Environment variables to set in the Container Runtime Discovery Server container
env: []
# - name: CONTAINERD_SOCK_ADDRESS
# value: /var/run/containerd/containerd.sock
containerRuntimePaths:
- name: containerd
path: /var/run/containerd
readOnly: true
- name: k3s-containerd
path: /run/k3s/containerd
readOnly: true
- name: docker
path: /var/lib/docker
readOnly: true
- name: crio
path: /var/run/crio
readOnly: true
- name: crio-lib
path: /var/lib/containers
- name: crio-run
path: /var/run/containers
- name: crio-containers
path: /etc/containers
readOnly: true
resources:
# -- The resources limits for the container runtime discovery server containers
limits: {}
# -- The requested resources for the container runtime discovery server containers
requests: {}
serviceAccount:
# -- Enable creation of ServiceAccount
create: true
# -- The name of the ServiceAccount to use.
# If not set and create is true, it will use the component's calculated name.
name: ""
# -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
# Can be set to false if pods using this serviceAccount do not need to use K8s API.
automountServiceAccountToken: false
podSecurityContext:
# -- Pod security context enabled
enabled: false
# -- Pod security context fsGroup
fsGroup: 1001
# In order to use CRI-O runtime you need to run OpenClarity
# with the following configuration:
#
# containerSecurityContext:
# enabled: true
# privileged: true
# readOnlyRootFilesystem: false
containerSecurityContext:
# -- Container security context enabled
enabled: false
# -- User ID which the containers should run as
runAsUser: 1001
# -- Group ID which the containers should run as
runAsGroup: 1001
# -- Whether the containers should run as a non-root user
runAsNonRoot: true
# -- Whether the container should run in privileged mode
privileged: false
# -- Force the child process to run as non-privileged
allowPrivilegeEscalation: false
# -- Mounts the container file system as ReadOnly
readOnlyRootFilesystem: true
capabilities:
# -- List of capabilities to be dropped
drop:
- ALL