/
values.yaml
290 lines (244 loc) · 12 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# Default values for gremlin.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
repository: gremlin/gremlin
tag: latest
pullPolicy: Always
pullSecret:
chaoimage:
repository: gremlin/chao
tag: latest
pullPolicy: Always
pullSecret:
nameOverride: ""
fullnameOverride: ""
nodeSelector: {}
tolerations: []
affinity: {}
gremlin:
# gremlin.apparmor -
# Gremlin assumes apparmor is not enabled by default and so it will not specify any apparmor profile to use
# You may need to provide a specific profile if your environment requires it.
#
# NOTE: Gremlin requires a privileged apparmor profile such as `unconfined` to carry out Process Killer attacks
# at the host-level (e.g. any root-owned process)
apparmor:
collect:
# gremlin.collect.processes -
# Specifies whether Gremlin should collect process information
processes: false
# gremlin.hostPID -
# This must be true for Gremlin container drivers: `docker-runc`, `crio-runc` and `containerd-runc`. It is also
# required for any Gremlin installation that wishes to carry out Process Killer attacks at the host-level
# (e.g. any root-owned process)
#
# NOTE: this is disabled by default to maintain behavior of previous versions
hostPID: false
# gremlin.hostNetwork -
# This must be true for any Gremlin installation that wishes to carry out network attacks at the host-level
# (e.g. impact network traffic to all host processes and containers)
hostNetwork: false
# gremlin.installApparmorProfile -
# This controls if gremlin installs it's own apparmor profile. This is only necessary if you're running apparmor
installApparmorProfile: false
# gremlin.installK8sClient -
# Determines if the `chao` deployment should be installed. This deployment launches an agent that enabled Kubernetes
# targeting for Gremlin attacks
installK8sClient: true
client:
# gremlin.client.tags -
# A string of comma separated key=value pairs that are used to decorate the Gremlin agent with tags.
#
# NOTE: This value's commas must be escaped. See https://github.com/gremlin/helm/issues/8
tags: ""
container:
# gremlin.container.driver -
# Specifies which container driver with which to run Gremlin. Possible values and their meanings:
# docker = Provides legacy integration with Docker containers
# Implies host mounts [/var/run/docker.sock]
# Does not support the systemd cgroup driver
#
# docker-runc = Provides full integration with Docker containers
# Implies host mounts [/var/run/docker.sock, /run/docker/runtime-runc/moby]
#
# crio-runc = Provides full integration with Cri-O containers
# Implies host mounts [/run/crio/crio.sock, /run/runc]
#
# containerd-runc = Provides full integration with Containerd containers
# Implies host mounts [/run/containers/containers.sock, /run/containerd/runc/k8s.io]
#
# any = Useful when the Cluster's container runtime is not known.
# Helm will provide file access to all drivers so that Gremlin can choose.
# Implies host mounts [/var/run/docker.sock, /run/docker/runtime-runc/moby,
# /run/crio/crio.sock, /run/runc,
# /run/containers/containers.sock, /run/containerd/runc/k8s.io]
#
driver: docker
cgroup:
# gremlin.cgroup.root -
# Specifies the absolute path for the cgroup controller root on target host systems
root: /sys/fs/cgroup
serviceAccount:
# gremlin.serviceAccount.create -
# Specifies whether Gremlin's kubernetes service account should be created by this helm chart. When true, this
# creates a service account with the name `gremlin`, along with ClusterRole and ClusterRole bindings that enable
# Gremlin's requirements (see gremlin.podSecurity.podSecurityPolicy and
# gremlin.podSecurity.securityContextConstraints)
create: true
podSecurity:
# gremlin.podSecurity.allowPrivilegeEscalation -
# Allows Gremlin containers privilege escalation powers
allowPrivilegeEscalation: false
# gremlin.podSecurity.capabilities -
# Specifies which Linux capabilities should be granted to Gremlin. Each capability is provided to the Gremlin
# Daemonset as well as any pod security resource that governs it. Capabilities that are required for specific
# attacks can be removed from this list if running such attacks are not desired.
capabilities:
- KILL # Required to run Process Killer attacks
- NET_ADMIN # Required to run network attacks
- SYS_BOOT # Required to run Shutdown attacks
- SYS_TIME # Required to run Time Travel attacks
- SYS_ADMIN # Required by container drivers: docker-runc, crio-runc, containerd-runc
# to run attacks against running containers
- SYS_PTRACE # Required by container drivers: docker-runc, crio-runc, containerd-runc
# to determine if Gremlin is in the host's pid namespace
- SETFCAP # Required by container drivers: docker-runc, crio-runc, containerd-runc
# to set capabilities on Gremlin attack sidecars
- AUDIT_WRITE # Required by container drivers: docker-runc, crio-runc, containerd-runc
# to write to the Kernel's audit log
- MKNOD # Required by container drivers: docker-runc, crio-runc, containerd-runc
# to create new devices for Gremlin attack sidecars
- SYS_CHROOT # Required by container drivers: docker-runc, crio-runc, containerd-runc
# to create and enter new namespaces for Gremlin attack sidecars
- NET_RAW # Required by container drivers: docker-runc, crio-runc, containerd-runc
# Not actively used by Gremlin but requested by sidecars
# This capability will be removed in a later release
# gremlin.podSecurity.readOnlyRootFilesystem -
# Forces the Gremlin Daemonset containers to run with a read-only root filesystem
readOnlyRootFilesystem: false
# gremlin.podSecurity.supplementalGroups -
# Specifies the Linux groups the Gremlin Daemonset containers should run as
supplementalGroups:
rule: RunAsAny
# gremlin.podSecurity.fsGroup -
# Specifies the Linux groups applied to mounted volumes
fsGroup:
rule: RunAsAny
# gremlin.podSecurity.volumes -
# Specifies the volume types the Gremlin Daemonset is allowed to use
volumes:
- configMap # Required when the Gremlin Daemonset installs a seccomp profile (see gremlin.podSecurity.seccomp)
- secret # Required to store and load secret information like certificates that authenticate Gremlin
- hostPath # Required by Gremlin to store attack logs (/var/log/gremlin) and attack state (/var/lib/gremlin)
podSecurityPolicy:
# gremlin.podSecurity.podSecurityPolicy.create -
# When true, Gremlin creates and uses a custom PodSecurityPolicy, granting all behaviors Gremlin needs
create: false
# gremlin.podSecurity.podSecurityPolicy.seLinux
# Sets the SecurityContext for the PSP used by the Gremlin Daemonset
seLinux:
rule: MustRunAs
seLinuxOptions:
type: gremlin.process
level: s0-s0:c0.c1023
# gremlin.podSecurity.podSecurityPolicy.runAsUser -
# Specifies the Linux user the Gremlin Daemonset containers should run as
runAsUser:
rule: RunAsAny
securityContextConstraints:
# gremlin.podSecurity.securityContextConstraints.create -
# When true, Gremlin creates and uses a custom SecurityContextConstraints, granting all behaviors Gremlin needs
create: false
# gremlin.podSecurity.securityContextConstraints.allowHostDirVolumePlugin -
# Specifies whether the Gremlin Daemonset has access to host path directories as mounted volumes
allowHostDirVolumePlugin: true
# gremlin.podSecurity.securityContextConstraints.seLinuxContext
# Sets the SecurityContext for the SCC used by the Gremlin Daemonset
seLinuxContext:
type: MustRunAs
seLinuxOptions:
type: gremlin.process
level: s0-s0:c0.c1023
# gremlin.podSecurity.securityContextConstraints.runAsUser -
# Specifies the Linux user the Gremlin Daemonset containers should run as
runAsUser:
type: RunAsAny
# gremlin.podSecurity.privileged -
# Determines whether the Gremlin Daemonset should run privileged containers
privileged: false
# gremlin.podSecurity.seccomp -
# All of Gremlin's behavior runs under Docker's default seccomp profile. For systems with a more restrictive
# runtime/default profile, Gremlin can create and the specific seccomp profile it needs.
seccomp:
# gremlin.podSecurity.seccomp.enabled -
# Determines whether the Gremlin Daemonset should be annotated with the seccomp profile specified by
# gremlin.podSecurity.seccomp.profile
enabled: false
# gremlin.podSecurity.seccomp.profile -
# Describes the name of the seccomp profile to use
#
# NOTE: When this value is `localhost/gremlin`, Gremlin will create its own custom seccomp profile
profile: localhost/gremlin
# gremlin.podSecurity.seccomp.root
# The absolute path pointing to the seccomp profile root on cluster nodes
root: /var/lib/kubelet/seccomp
# gremlin.resources -
# Set resource requests and limits
# See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers
#
# NOTE: This resource specification affects the Gremlin agent which is used for host attacks. This resource
# Attacks targeting other Kubernetes pods will use the resource specification of their target.
resources: {}
secret:
# Gremlin supports both `certificate` and `secret` types
# To manage secrets with helm, set `managed=true` and fill in either the certificate auth or secret auth sections
type: certificate
managed: false
# team identifier (e.g. 11111111-1111-1111-1111-111111111111)
teamID:
# string uniquely identifying this kubernetes cluster in Gremlin (e.g. my-cluster)
clusterID:
## Certificate auth requires: `certificate` and `key`
# team certificate (e.g. -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----)
certificate:
# team private key (e.g. -----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----)
key:
## Secret auth requires: `teamSecret`
# team secret (e.g. 00000000-0000-0000-0000-000000000000)
teamSecret:
proxy:
# gremlin.proxy.url -
# Specifies the http proxy that the Gremlin Agent and Gremlin Kubernetes agent should use to communicate with
# api.gremlin.com. This value is ignored when blank or absent.
url:
chao:
nodeSelector: {}
tolerations: []
affinity: {}
ssl:
# ssl.certFile -
# Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the
# certificate(s) you wish to add. When set, this chart creates secret (`ssl-cert-file`) with the contents and passes
# it to both agents. This value is ignored when blank or absent.
certFile:
# ssl.certDir -
# sets the SSL_CERT_DIR environment variable on the both agents. Unlike ssl.certFile, this value accepts only a
# path to an existing directory on the Kubernetes nodes. This value is ignored when blank or absent.
certDir:
containerDrivers:
docker-runc:
runtimeSocket: "/var/run/docker.sock"
runtimeRunc: "/run/docker/runtime-runc/moby"
name: "docker"
containerd-runc:
runtimeSocket: "/run/containerd/containerd.sock"
runtimeRunc: "/run/containerd/runc/k8s.io"
name: "containerd"
crio-runc:
runtimeSocket: "/run/crio/crio.sock"
runtimeRunc: "/run/runc"
name: "crio"
docker:
runtimeSocket: "/var/run/docker.sock"
name: "docker"