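openclarity:
  global:
    # -- Registry used for component images (a private mirror in this deployment).
    # NOTE(review): check the chart's image helper to see whether this value overrides the
    # per-component `image.registry` settings below (bitnami-common style charts do). If it
    # does, any `digest` you pin must be the digest as stored in this mirror, and the mirror
    # itself becomes part of your supply chain: restrict who can push to it.
    imageRegistry: registry.durp.info

  apiserver:
    # -- Number of replicas for the API Server
    replicas: 1

    database:
      postgresql:
        # -- Enable/disable Postgresql database
        enabled: true
      externalPostgresql:
        # -- Enable/disable external Postgresql database
        enabled: false
        # -- External Postgresql database host
        host: ""
        # -- External Postgresql database port
        port: 5432
        auth:
          # -- Name of existing secret to use for PostgreSQL credentials that has the following keys:
          # username
          # password
          # database
          # Credentials are only ever referenced by Secret name here, never written into this file.
          existingSecret: ""

    image:
      # -- API Server image registry
      registry: ghcr.io
      # -- API Server image repository
      repository: openclarity/openclarity-api-server
      # -- API Server image tag (immutable tags are recommended)
      # NOTE(review): `latest` is a mutable tag. Combined with pullPolicy IfNotPresent, a node
      # that already cached the tag keeps running its old build while a fresh node pulls a newer
      # one, so the fleet drifts and the running version cannot be audited. Pin a release tag
      # or set `digest` below.
      tag: latest
      # -- API Server image digest. If set will override the tag.
      digest: ""
      # -- API Server image pull policy
      pullPolicy: IfNotPresent

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

    # -- API Server log level
    logLevel: info

    resources:
      # -- The resources limits for the apiserver containers
      limits: {}
      # -- The requested resources for the apiserver containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

  orchestrator:
    # -- Number of replicas for the Orchestrator service
    # Currently 1 supported.
    replicas: 1

    image:
      # -- Orchestrator image registry
      registry: ghcr.io
      # -- Orchestrator image repository
      repository: openclarity/openclarity-orchestrator
      # -- Orchestrator image tag (immutable tags are recommended)
      # NOTE(review): mutable tag; see the apiserver image note. Pin a release tag or set `digest`.
      tag: latest
      # -- Orchestrator image digest. If set will override the tag.
      digest: ""
      # -- Orchestrator image pull policy
      pullPolicy: IfNotPresent

    podSecurityContext:
      # -- Whether Orchestrator pod security context is enabled
      enabled: true
      # -- Orchestrator pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

    # -- Orchestrator service log level
    logLevel: info

    resources:
      # -- The resources limits for the orchestrator containers
      limits: {}
      # -- The requested resources for the orchestrator containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      # Left enabled because `provider: kubernetes` (below) needs the API. The permissions bound
      # to this account are defined in the chart templates, not here; review them for least privilege.
      automountServiceAccountToken: true

    # -- Global policy used to determine when to clean up an AssetScan.
    # Possible options are:
    # Always - All AssetScans are cleaned up
    # OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging
    # Never - No AssetScans are cleaned up
    deleteJobPolicy: Always

    scannerImage:
      # -- Scanner Container image registry
      registry: ghcr.io
      # -- Scanner Container image repository
      repository: openclarity/openclarity-cli
      # -- Scanner Container image tag (immutable tags are recommended)
      # NOTE(review): this image is launched by the orchestrator for every scan, so a mutable
      # tag means the code that runs against your assets can change without a chart change.
      # Pin a release tag or set `digest`.
      tag: latest
      # -- Scanner Container image digest. If set will override the tag.
      digest: ""

    # -- Address that scanners can use to reach back to the API server
    scannerApiserverAddress: ""

    # -- Address that scanners can use to reach back to the Exploits server
    exploitsDBAddress: ""

    # -- Address that scanners can use to reach trivy server
    trivyServerAddress: ""

    # -- Address that scanners can use to reach the grype server
    grypeServerAddress: ""

    # -- Address that scanners can use to reach the freshclam mirror
    freshclamMirrorAddress: ""

    # -- Address that scanner can use to reach the yara rule server
    yaraRuleServerAddress: ""

    # -- Which provider driver to enable.
    # If enabling the Kubernetes provider ensure that the orchestrator
    # serviceAccount section is configured to allow access to the Kubernetes API.
    provider: "kubernetes"

    kubernetes: {}

    # Only for testing purposes
    docker: {}

  ui:
    # -- Number of replicas for the UI service
    replicas: 1

    image:
      # -- UI image registry
      registry: ghcr.io
      # -- UI image repository
      repository: openclarity/openclarity-ui
      # -- UI image tag
      # NOTE(review): mutable tag; see the apiserver image note. Pin a release tag or set `digest`.
      tag: latest
      # -- UI image digest. If set will override the tag
      digest: ""
      # -- UI Image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the UI containers
      limits: {}
      # -- The requested resources for the UI containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      # NOTE(review): the UI container runs as UID 101 (the nginx user) and nothing in this file
      # indicates it calls the Kubernetes API. Unless the templates show otherwise, set this to
      # false so a compromised front-end pod does not hold a projected API token.
      automountServiceAccountToken: true

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 101

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 101
      # -- Group ID which the containers should run as
      runAsGroup: 101
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

  uibackend:
    # -- Number of replicas for the UI Backend service
    replicas: 1

    image:
      # -- UI Backend image registry
      registry: ghcr.io
      # -- UI Backend image repository
      repository: openclarity/openclarity-ui-backend
      # -- UI Backend image tag
      # NOTE(review): mutable tag; see the apiserver image note. Pin a release tag or set `digest`.
      tag: latest
      # -- UI Backend image digest. If set will override the tag.
      digest: ""
      # -- UI Backend image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the UI backend containers
      limits: {}
      # -- The requested resources for the UI backend containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

    # -- Log level for the UI backend service
    logLevel: info

  gateway:
    # -- Number of replicas for the gateway
    replicas: 1

    image:
      # -- Gateway service container registry
      registry: docker.io
      # -- Gateway service container repository
      repository: nginxinc/nginx-unprivileged
      # -- Gateway service container tag
      tag: 1.29.0
      # -- Gateway image digest. If set will override the tag.
      digest: ""
      # -- Gateway service container pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the gateway containers
      limits: {}
      # -- The requested resources for the gateway containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 101

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 101
      # -- Group ID which the containers should run as
      runAsGroup: 101
      # -- Whether the containers should run as a non-root user
      # Changed from false to true: every other component in this file enforces non-root, and
      # runAsUser is already pinned to the non-zero UID 101 that nginx-unprivileged runs as, so
      # the kubelet check cannot fail; it only guards against the image being swapped for a root one.
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

    service:
      # -- Service type: ClusterIP, NodePort, LoadBalancer
      # ClusterIP keeps the unauthenticated gateway reachable from inside the cluster only. The
      # exposure warning under `ingress` applies equally to NodePort and LoadBalancer.
      type: ClusterIP
      # -- Port configurations
      ports:
        http: 80
      # -- NodePort configurations
      nodePorts:
        http: ""
      # -- Dedicated IP address used for service
      clusterIP: ""
      # -- Annotations set for service
      annotations: {}
      # -- External Traffic Policy configuration
      # Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node
      # local endpoints.
      externalTrafficPolicy: Cluster

    ingress:
      # -- Be careful when using ingress. OpenClarity has no built-in authentication, so anyone who
      # can reach this ingress gets full, unauthenticated access to the instance.
      # Only enable it on an internal network, or behind an authenticating proxy, and configure `tls`.
      enabled: false
      labels: {}
      annotations: {}

      # -- Optionally use ingressClassName instead of default ingress class.
      ingressClassName: ""

      hosts:
        # Hostname you want to use to access the UI
        - host: chart-example.local
          # paths will default to:
          # paths:
          # - pathType: Prefix
          #   path: /
          paths: []

      tls: []
      # - secretName: chart-example-tls
      #   hosts:
      #     - chart-example.local

  postgresql:
    image:
      # -- Postgresql container registry
      registry: docker.io
      # -- Postgresql container repository
      repository: bitnami/postgresql
      # -- Postgresql container tag
      tag: 16.6.0-debian-12-r1
      # -- Postgresql image digest. If set will override the tag.
      digest: ""
      # -- Postgresql container image pull policy
      pullPolicy: IfNotPresent
    primary:
      # -- Postgresql container resource preset
      # For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
      resourcesPreset: "small"

    resources:
      # -- The resources limits for the postgresql containers
      limits: {}
      # -- The requested resources for the postgresql containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    auth:
      # -- Existing Secret holding the database credentials (username/password/database keys).
      # The Secret must exist in the release namespace before install; it is not created by these values.
      existingSecret: openclarity-postgres-secret

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

    service:
      ports:
        # -- PostgreSQL service port
        postgresql: 5432

  exploitDBServer:
    # -- Number of replicas for the exploit-db-server service
    replicas: 1

    image:
      # -- Exploit DB Server container registry
      registry: ghcr.io
      # -- Exploit DB Server container repository
      repository: openclarity/exploit-db-server
      # -- Exploit DB Server container tag
      tag: v0.3.0
      # -- Exploit DB Server image digest. If set will override the tag.
      digest: ""
      # -- Exploit DB Server image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the exploit-db-server containers
      limits: {}
      # -- The requested resources for the exploit-db-server containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      # NOTE(review): disabled, unlike the other servers, so none of the hardening values below
      # are rendered for this container. If the image only needs a writable data directory, mount
      # an emptyDir there and re-enable this block with readOnlyRootFilesystem: true; confirm
      # against the image before changing.
      enabled: false
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

  trivyServer:
    # -- Number of replicas for the trivy server service
    replicas: 1

    image:
      # -- Trivy Server container registry
      registry: docker.io
      # -- Trivy Server container repository
      repository: aquasec/trivy
      # -- Trivy Server container tag
      tag: 0.64.1
      # -- Trivy Server image digest. If set will override the tag.
      digest: ""
      # -- Trivy Server image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the trivy server containers
      limits: {}
      # -- The requested resources for the trivy server containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

  grypeServer:
    # -- Number of replicas for the grype server service
    replicas: 1

    image:
      # -- Grype server container registry
      registry: ghcr.io
      # -- Grype server container repository
      repository: openclarity/grype-server
      # -- Grype server container tag
      tag: v0.7.5
      # -- Grype server image digest. If set will override the tag.
      digest: ""
      # -- Grype server image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the grype server containers
      limits: {}
      # -- The requested resources for the grype server containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: true
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: true
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

    # -- Log level for the grype-server service
    logLevel: info

  freshclamMirror:
    # -- Number of replicas for the freshclam mirror service
    replicas: 1

    image:
      # -- Freshclam Mirror container registry
      registry: ghcr.io
      # -- Freshclam Mirror container repository
      repository: openclarity/freshclam-mirror
      # -- Freshclam Mirror container tag
      tag: v0.3.1
      # -- Freshclam Mirror image digest. If set will override the tag.
      digest: ""
      # -- Freshclam Mirror image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the freshclam mirror containers
      limits: {}
      # -- The requested resources for the freshclam mirror containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      # NOTE(review): both security contexts are disabled for this component; the values below
      # document intent only and are not rendered. Re-enable once the image is confirmed to work
      # as UID 1001 with a read-only root filesystem.
      enabled: false
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: false
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

  swaggerUI:
    # -- Number of replicas for the swagger-ui service
    replicas: 1

    image:
      # -- Swagger UI container registry
      registry: docker.io
      # -- Swagger UI container repository
      repository: swaggerapi/swagger-ui
      # -- Swagger UI container tag
      tag: v5.30.1
      # -- Swagger UI image digest. If set will override the tag.
      digest: ""
      # -- Swagger UI image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the swagger ui containers
      limits: {}
      # -- The requested resources for the swagger ui containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: false
      # -- Pod security context fsGroup
      fsGroup: 101

    containerSecurityContext:
      # -- Container security context enabled
      # NOTE(review): disabled, so nothing below is rendered. The documented values (UID/GID 0,
      # runAsNonRoot: false) describe a root process; the stock swaggerapi/swagger-ui image appears
      # to start nginx as root. This is the only component in the file that would run as root if
      # enabled as written - prefer an unprivileged image variant and non-zero IDs before enabling.
      enabled: false
      # -- User ID which the containers should run as
      runAsUser: 0
      # -- Group ID which the containers should run as
      runAsGroup: 0
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: false
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

  yaraRuleServer:
    # -- Number of replicas for the Yara Rule Server service
    replicas: 1

    image:
      # -- Yara Rule Server container registry
      registry: ghcr.io
      # -- Yara Rule Server container repository
      repository: openclarity/yara-rule-server
      # -- Yara Rule Server container tag
      tag: v0.3.0
      # -- Yara Rule Server image digest. If set will override the tag.
      digest: ""
      # -- Yara Rule Server image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- The resources limits for the Yara Rule Server containers
      limits: {}
      # -- The requested resources for the Yara Rule Server containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      # NOTE(review): both security contexts are disabled for this component; the values below
      # are not rendered. Re-enable once the image is confirmed to run as UID 1001 read-only.
      enabled: false
      # -- Pod security context fsGroup
      fsGroup: 1001

    containerSecurityContext:
      # -- Container security context enabled
      enabled: false
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL

  crDiscoveryServer:
    nodeSelector: {}
    tolerations: []
    affinity: {}
    image:
      # -- Container Runtime Discovery Server container registry
      registry: ghcr.io
      # -- Container Runtime Discovery Server container repository
      repository: openclarity/openclarity-cr-discovery-server
      # -- Container Runtime Discovery Server container tag
      # NOTE(review): mutable tag on the one component that mounts host container-runtime state
      # (see containerRuntimePaths). Pin a release tag or set `digest`.
      tag: latest
      # -- Container Runtime Discovery Server image digest. If set will override the tag.
      digest: ""
      # -- Container Runtime Discovery Server image pull policy
      pullPolicy: IfNotPresent

    # -- Environment variables to set in the Container Runtime Discovery Server container
    env: []
    # - name: CONTAINERD_SOCK_ADDRESS
    #   value: /var/run/containerd/containerd.sock

    # -- Host paths mounted into the discovery server so it can enumerate images and containers.
    # These expose the node's runtime sockets and image stores to the pod, so this component
    # has node-level reach; keep its scheduling (nodeSelector/tolerations) deliberate.
    # NOTE(review): crio-lib and crio-run are the only entries without `readOnly: true`,
    # presumably because the CRI-O storage library writes lock files there - confirm, and
    # keep them read-write only if the CRI-O runtime is actually in use.
    containerRuntimePaths:
      - name: containerd
        path: /var/run/containerd
        readOnly: true
      - name: k3s-containerd
        path: /run/k3s/containerd
        readOnly: true
      - name: docker
        path: /var/lib/docker
        readOnly: true
      - name: crio
        path: /var/run/crio
        readOnly: true
      - name: crio-lib
        path: /var/lib/containers
      - name: crio-run
        path: /var/run/containers
      - name: crio-containers
        path: /etc/containers
        readOnly: true
    resources:
      # -- The resources limits for the container runtime discovery server containers
      limits: {}
      # -- The requested resources for the container runtime discovery server containers
      requests: {}

    serviceAccount:
      # -- Enable creation of ServiceAccount
      create: true
      # -- The name of the ServiceAccount to use.
      # If not set and create is true, it will use the component's calculated name.
      name: ""
      # -- Allows auto mount of ServiceAccountToken on the serviceAccount created.
      # Can be set to false if pods using this serviceAccount do not need to use K8s API.
      automountServiceAccountToken: false

    podSecurityContext:
      # -- Pod security context enabled
      enabled: false
      # -- Pod security context fsGroup
      fsGroup: 1001

    # In order to use CRI-O runtime you need to run OpenClarity
    # with the following configuration:
    #
    # containerSecurityContext:
    #   enabled: true
    #   privileged: true
    #   readOnlyRootFilesystem: false
    #
    # NOTE(review): `privileged: true` together with the host paths above is effectively root on
    # the node. Only use it on CRI-O clusters, and scope it with nodeSelector to the nodes that need it.
    containerSecurityContext:
      # -- Container security context enabled
      # NOTE(review): disabled by default, so the hardening values below are not rendered.
      enabled: false
      # -- User ID which the containers should run as
      runAsUser: 1001
      # -- Group ID which the containers should run as
      runAsGroup: 1001
      # -- Whether the containers should run as a non-root user
      runAsNonRoot: true
      # -- Whether the container should run in privileged mode
      privileged: false
      # -- Force the child process to run as non-privileged
      allowPrivilegeEscalation: false
      # -- Mounts the container file system as ReadOnly
      readOnlyRootFilesystem: true
      capabilities:
        # -- List of capabilities to be dropped
        drop:
          - ALL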