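---
# DynaKube sample enabling Kubernetes Security Posture Management (KSPM):
# an ActiveGate with the kubernetes-monitoring capability plus a
# Node Configuration Collector DaemonSet that reads node configuration
# from the host paths listed under spec.kspm.mappedHostPaths.
apiVersion: dynatrace.com/v1beta5
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
  # annotations:
  #   feature.dynatrace.com/k8s-app-enabled: "true"
spec:
  # Link to api reference for further information: https://docs.dynatrace.com/docs/ingest-from/setup-on-k8s/reference/dynakube-parameters
  # Required: Dynatrace apiUrl including the `/api` path at the end.
  # ENVIRONMENTID is a placeholder; replace it with your environment ID.
  apiUrl: https://ENVIRONMENTID.live.dynatrace.com/api
  # Optional: Name of the secret holding the tokens used for connecting to Dynatrace.
  # Tokens are referenced by secret name only; never inline token values in this file.
  #
  # tokens: ""
  # Optional: Defines a custom pull secret in case you use a private registry when pulling images from the Dynatrace environment
  #
  # customPullSecret: "custom-pull-secret"
  # Optional: Disable certificate check for the connection between Dynatrace Operator and the Dynatrace Cluster.
  # Keep this at false; disabling the check removes TLS server authentication for the operator's API traffic.
  #
  # skipCertCheck: false
  # Optional: Set custom proxy settings either directly or from a secret with the field 'proxy'
  #
  # proxy:
  #   value: my-proxy-url.com
  #   valueFrom: name-of-my-proxy-secret
  # Optional: Add custom RootCAs from a configmap.
  #
  # trustedCAs: name-of-my-ca-configmap
  # Optional: Set a network zone for the OneAgent and ActiveGate pods.
  #
  # networkZone: name-of-my-network-zone
  # Optional: Configure istio to allow access to the Dynatrace Cluster from the OneAgent or ActiveGate pods.
  #
  # enableIstio: true
  # Optional: Minimum minutes between Dynatrace API requests.
  #
  # dynatraceApiRequestThreshold: 15
  # Configuration for Metadata Enrichment.
  #
  # metadataEnrichment:
  #   enabled: true
  # Optional: The namespaces where you want Dynatrace Operator to inject
  #
  # namespaceSelector:
  #   matchLabels:
  #     app: my-app
  #   matchExpressions:
  #     - key: app
  #       operator: In
  #       values: [my-frontend, my-backend, my-database]
  kspm:
    # Define the host paths that are mounted to the container.
    # These node directories are exposed to the collector pods; keep the list
    # to what the collector needs, and confirm in the rendered DaemonSet that
    # the mounts are read-only.
    #
    # Suggested list of paths:
    mappedHostPaths:
      - /boot
      - /etc
      - /proc/sys/kernel
      - /sys/fs
      - /sys/kernel/security/apparmor
      - /usr/lib/systemd/system
      - /var/lib
  # Configuration for ActiveGate instances.
  #
  activeGate:
    # Defines the ActiveGate capabilities
    #
    capabilities:
      - kubernetes-monitoring
    # Optional: Amount of replicas of ActiveGate pods.
    #
    # replicas: 1
    # Optional: Use a custom ActiveGate image
    #
    # image: ""
    # Optional: Set the ActiveGate group
    #
    # group: ""
    # Optional: Add a custom properties file by providing it as a value or by referencing it from a secret.
    #
    # customProperties:
    #   value: |
    #     [kubernetes_monitoring]
    #     kubernetes_configuration_dataset_pipeline_enabled = true
    #     kubernetes_configuration_dataset_pipeline_include_node_config = true
    # Optional: Resource settings for ActiveGate container.
    #
    resources:
      requests:
        cpu: 500m
        memory: 1.5Gi
      limits:
        cpu: 1000m
        memory: 1.5Gi
    # Optional: Specify the node selector that controls on which nodes ActiveGate will be deployed.
    #
    # nodeSelector: {}
    # Optional: Set tolerations for the ActiveGate pods.
    #
    # tolerations:
    #   - effect: NoSchedule
    #     key: node-role.kubernetes.io/master
    #     operator: Exists
    # Optional: Add custom labels to ActiveGate pods
    #
    # labels:
    #   custom: label
    # Optional: Add custom environment variables to ActiveGate pods
    #
    # env: []
    # Optional: Name of a secret containing ActiveGate TLS certificate, key, and password.
    #
    # tlsSecretName: "my-tls-secret"
    # Optional: Set the DNS policy for ActiveGate pods.
    #
    # dnsPolicy: "Default"
    # Optional: Assign a priority class to the ActiveGate pods.
    #
    # priorityClassName: priority-class
    # Optional: Add custom annotations to ActiveGate pods
    #
    # annotations:
    #   custom: annotation
    # Optional: Add TopologySpreadConstraints to the ActiveGate pods
    #
    # topologySpreadConstraints: []
  templates:
    kspmNodeConfigurationCollector:
      # Required: Configure the image for the Node Configuration Collector.
      # <tag> is a placeholder; pin it to a specific release tag rather than a
      # mutable tag so the deployed image is reproducible and reviewable.
      imageRef:
        repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
        tag: "<tag>"
      # Optional: Define the update strategy for the Node Configuration Collector daemonSet
      #
      # updateStrategy: {}
      # Optional: Add custom labels to Node Configuration Collector pods
      #
      # labels:
      #   custom: label
      # Optional: Add custom annotations to Node Configuration Collector pods.
      #
      # annotations:
      #   custom: annotation
      # Optional: Specify the node selector that controls on which nodes the Node Configuration Collector will be deployed.
      #
      # nodeSelector: {}
      # Optional: Define the nodeAffinity for the DaemonSet of the Node Configuration Collector
      #
      # nodeAffinity: {}
      # Optional: Assign a priority class to the Node Configuration Collector pods.
      #
      # priorityClassName: priority-class
      # Optional: Tolerations to include with the Node Configuration Collector DaemonSet.
      # Both control-plane taint keys are tolerated so the collector also reads
      # configuration from control-plane nodes.
      #
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists
      # Optional: Resource settings for Node Configuration Collector container.
      #
      # resources: {}
      # Optional: Set additional arguments to the Node Configuration Collector.
      #
      # args: []
      # Optional: Set additional environment variables for the Node Configuration Collector pods.
      #
      # env: []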