openclarity: global: imageRegistry: registry.durp.info apiserver: # -- Number of replicas for the API Server replicas: 1 database: postgresql: # -- Enable/disable Postgresql database enabled: true externalPostgresql: # -- Enable/disable external Postgresql database enabled: false # -- External Postgreqsl database host host: "" # -- External Postgresql database port port: 5432 auth: # -- Name of existing secret to use for PostgreSQL credentials that has the following keys: # username # password # database existingSecret: "" image: # -- API Server image registry registry: ghcr.io # -- API Server image repository repository: openclarity/openclarity-api-server # -- API Server image tag (immutable tags are recommended) tag: latest # -- API Server image digest. If set will override the tag. digest: "" # -- API Server image pull policy pullPolicy: IfNotPresent podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL # -- API Server log level logLevel: info resources: # -- The resources limits for the apiserver containers limits: {} # -- The requested resources for the apiserver containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false orchestrator: # -- Number of replicas for the Orchestrator service # Currently 1 supported. replicas: 1 image: # -- Orchestrator image registry registry: ghcr.io # -- Orchestrator image repository repository: openclarity/openclarity-orchestrator # -- Orchestrator image tag (immutable tags are recommended) tag: latest # -- Orchestrator image digest. If set will override the tag. digest: "" # -- Orchestrator image pull policy pullPolicy: IfNotPresent podSecurityContext: # -- Whether Orchestrator pod security context is enabled enabled: true # -- Orchestrator pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL # -- Orchestrator service log level logLevel: info resources: # -- The resources limits for the orchestrator containers limits: {} # -- The requested resources for the orchestrator containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: true # -- Global policy used to determine when to clean up an AssetScan. # Possible options are: # Always - All AssetScans are cleaned up # OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging # Never - No AssetScans are cleaned up deleteJobPolicy: Always scannerImage: # -- Scanner Container image registry registry: ghcr.io # -- Scanner Container image repository repository: openclarity/openclarity-cli # -- Scanner Container image tag (immutable tags are recommended) tag: latest # -- Scanner Container image digest. If set will override the tag. digest: "" # -- Address that scanners can use to reach back to the API server scannerApiserverAddress: "" # -- Address that scanners can use to reach back to the Exploits server exploitsDBAddress: "" # -- Address that scanners can use to reach trivy server trivyServerAddress: "" # -- Address that scanners can use to reach the grype server grypeServerAddress: "" # -- Address that scanners can use to reach the freshclam mirror freshclamMirrorAddress: "" # -- Address that scanner can use to reach the yara rule server yaraRuleServerAddress: "" # -- Which provider driver to enable. # If enabling the Kubernetes provider ensure that the orchestrator # serviceAccount section is configured to allow access to the Kubernetes API. provider: "kubernetes" kubernetes: {} # Only for testing purposes docker: {} ui: # -- Number of replicas for the UI service replicas: 1 image: # -- UI image registry registry: ghcr.io # -- UI image repository repository: openclarity/openclarity-ui # -- UI image tag tag: latest # -- UI image digest. If set will override the tag digest: "" # -- UI Image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the UI containers limits: {} # -- The requested resources for the UI containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: true podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 101 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 101 # -- Group ID which the containers should run as runAsGroup: 101 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL uibackend: # -- Number of replicas for the UI Backend service replicas: 1 image: # -- UI Backend image registry registry: ghcr.io # -- UI Backend image repository repository: openclarity/openclarity-ui-backend # -- UI Backend image tag tag: latest # -- UI Backend image digest. If set will override the tag. digest: "" # -- UI Backend image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the UI backend containers limits: {} # -- The requested resources for the UI backend containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL # -- Log level for the UI backend service logLevel: info gateway: # -- Number of replicas for the gateway replicas: 1 image: # -- Gateway service container registry registry: docker.io # -- Gateway service container repository repository: nginxinc/nginx-unprivileged # -- Gateway service container tag tag: 1.28.0 # -- Gateway image digest. If set will override the tag. digest: "" # -- Gateway service container pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the gateway containers limits: {} # -- The requested resources for the gateway containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 101 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 101 # -- Group ID which the containers should run as runAsGroup: 101 # -- Whether the containers should run as a non-root user runAsNonRoot: false # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL service: # -- Service type: ClusterIP, NodePort, LoadBalancer type: ClusterIP # -- Port configurations ports: http: 80 # -- NodePort configurations nodePorts: http: "" # -- Dedicated IP address used for service clusterIP: "" # -- Annotations set for service annotations: {} # -- External Traffic Policy configuration # Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node # local endpoints. externalTrafficPolicy: Cluster ingress: # -- Be careful when using ingress. As there is no authentication on openclarity, your instance may be accessible. # Make sure the ingress remains internal if you decide to enable it. enabled: false labels: {} annotations: {} # -- Optionally use ingressClassName instead of default ingress class. ingressClassName: "" hosts: # Hostname you want to use to access the UI - host: chart-example.local # paths will default to: # paths: # - pathType: Prefix # path: / paths: [] tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local postgresql: image: # -- Postgresql container registry registry: docker.io # -- Postgresql container repository repository: bitnami/postgresql # -- Postgresql container tag tag: 16.6.0-debian-12-r1 # -- Postgresql image digest. If set will override the tag. digest: "" # -- Postgresql container image pull policy pullPolicy: IfNotPresent primary: # -- Postgresql container resource preset # For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 resourcesPreset: "small" resources: # -- The resources limits for the postgresql containers limits: {} # -- The requested resources for the postgresql containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false auth: existingSecret: openclarity-postgres-secret podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL service: ports: # -- PostgreSQL service port postgresql: 5432 exploitDBServer: # -- Number of replicas for the exploit-db-server service replicas: 1 image: # -- Exploit DB Server container registry registry: ghcr.io # -- Exploit DB Server container repository repository: openclarity/exploit-db-server # -- Exploit DB Server container tag tag: v0.3.0 # -- Exploit DB Server image digest. If set will override the tag. digest: "" # -- Exploit DB Server image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the exploit-db-server containers limits: {} # -- The requested resources for the exploit-db-server containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: false # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL trivyServer: # -- Number of replicas for the trivy server service replicas: 1 image: # -- Trivy Server container registry registry: docker.io # -- Trivy Server container repository repository: aquasec/trivy # -- Trivy Server container tag tag: 0.58.2 # -- Trivy Server image digest. If set will override the tag. digest: "" # -- Trivy Server image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the trivy server containers limits: {} # -- The requested resources for the trivy server containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL grypeServer: # -- Number of replicas for the grype server service replicas: 1 image: # -- Grype server container registry registry: ghcr.io # -- Grype server container repository repository: openclarity/grype-server # -- Grype server container tag tag: v0.7.5 # -- Grype server image digest. If set will override the tag. digest: "" # -- Grype server image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the grype server containers limits: {} # -- The requested resources for the grype server containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: true # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: true # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL # -- Log level for the grype-server service logLevel: info freshclamMirror: # -- Number of replicas for the freshclam mirror service replicas: 1 image: # -- Freshclam Mirror container registry registry: ghcr.io # -- Freshclam Mirror container repository repository: openclarity/freshclam-mirror # -- Freshclam Mirror container tag tag: v0.3.1 # -- Freshclam Mirror image digest. If set will override the tag. digest: "" # -- Freshclam Mirror image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the freshclam mirror containers limits: {} # -- The requested resources for the freshclam mirror containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: false # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: false # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL swaggerUI: # -- Number of replicas for the swagger-ui service replicas: 1 image: # -- Swagger UI container registry registry: docker.io # -- Swagger UI container repository repository: swaggerapi/swagger-ui # -- Swagger UI container tag tag: v5.18.2 # -- Swagger UI image digest. If set will override the tag. digest: "" # -- Swagger UI image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the swagger ui containers limits: {} # -- The requested resources for the swagger ui containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: false # -- Pod security context fsGroup fsGroup: 101 containerSecurityContext: # -- Container security context enabled enabled: false # -- User ID which the containers should run as runAsUser: 0 # -- Group ID which the containers should run as runAsGroup: 0 # -- Whether the containers should run as a non-root user runAsNonRoot: false # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL yaraRuleServer: # -- Number of replicas for the Yara Rule Server service replicas: 1 image: # -- Yara Rule Server container registry registry: ghcr.io # -- Yara Rule Server container repository repository: openclarity/yara-rule-server # -- Yara Rule Server container tag tag: v0.3.0 # -- Yara Rule Server image digest. If set will override the tag. digest: "" # -- Yara Rule Server image pull policy pullPolicy: IfNotPresent resources: # -- The resources limits for the Yara Rule Server containers limits: {} # -- The requested resources for the Yara Rule Server containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true #false -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: false # -- Pod security context fsGroup fsGroup: 1001 containerSecurityContext: # -- Container security context enabled enabled: false # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL crDiscoveryServer: nodeSelector: {} tolerations: [] affinity: {} image: # -- Container Runtime Discovery Server container registry registry: ghcr.io # -- Container Runtime Discovery Server container repository repository: openclarity/openclarity-cr-discovery-server # -- Container Runtime Discovery Server container tag tag: latest # -- Container Runtime Discovery Server image digest. If set will override the tag. digest: "" # -- Container Runtime Discovery Server image pull policy pullPolicy: IfNotPresent # -- Environment variables to set in the Container Runtime Discovery Server container env: [] # - name: CONTAINERD_SOCK_ADDRESS # value: /var/run/containerd/containerd.sock containerRuntimePaths: - name: containerd path: /var/run/containerd readOnly: true - name: k3s-containerd path: /run/k3s/containerd readOnly: true - name: docker path: /var/lib/docker readOnly: true - name: crio path: /var/run/crio readOnly: true - name: crio-lib path: /var/lib/containers - name: crio-run path: /var/run/containers - name: crio-containers path: /etc/containers readOnly: true resources: # -- The resources limits for the container runtime discovery server containers limits: {} # -- The requested resources for the container runtime discovery server containers requests: {} serviceAccount: # -- Enable creation of ServiceAccount create: true # -- The name of the ServiceAccount to use. # If not set and create is true, it will use the component's calculated name. name: "" # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. # Can be set to false if pods using this serviceAccount do not need to use K8s API. automountServiceAccountToken: false podSecurityContext: # -- Pod security context enabled enabled: false # -- Pod security context fsGroup fsGroup: 1001 # In order to use CRI-O runtime you need to run OpenClarity # with the following configuration: # # containerSecurityContext: # enabled: true # privileged: true # readOnlyRootFilesystem: false containerSecurityContext: # -- Container security context enabled enabled: false # -- User ID which the containers should run as runAsUser: 1001 # -- Group ID which the containers should run as runAsGroup: 1001 # -- Whether the containers should run as a non-root user runAsNonRoot: true # -- Whether the container should run in privileged mode privileged: false # -- Force the child process to run as non-privileged allowPrivilegeEscalation: false # -- Mounts the container file system as ReadOnly readOnlyRootFilesystem: true capabilities: # -- List of capabilities to be dropped drop: - ALL