# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
# -- Names of the imagePullSecrets the operator pod references when its image lives in a private registry
# (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
imagePullSecrets: []
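image:
  # -- Image repository of the auto-discovery operator
  repository: securecodebox/auto-discovery-kubernetes
  # -- Image tag. `null` leaves the choice to the chart templates (presumably the chart's appVersion — confirm in the deployment template)
  tag: null
  # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
  pullPolicy: IfNotPresent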
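config:
  # config is using the kubebuilder config framework; it may look like this is a CRD but it's not, see https://book.kubebuilder.io/component-config-tutorial/tutorial.html
  apiVersion: config.securecodebox.io/v1
  kind: AutoDiscoveryConfig
  cluster:
    # -- Name of the cluster; available to the templated values below as `{{ .Cluster.Name }}`
    name: docker-desktop
  resourceInclusion:
    # -- Which resources the auto-discovery considers. `enabled-per-namespace` presumably requires namespaces to opt in — confirm the accepted modes in the operator docs
    mode: enabled-per-namespace
  serviceAutoDiscovery:
    enabled: true
    # -- interval in which every service is re-checked for updated pods; if the service object is updated directly, the service will get reconciled immediately
    passiveReconcileInterval: 1m
    scanConfigs:
      # -- scanType used for the scans created by the serviceAutoDiscovery
      - scanType: zap-advanced-scan
        # -- unique name to distinguish scans
        name: "zap"
        # -- parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating
        parameters:
          - "-t"
          - "{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"
        # -- interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will be repeated beforehand and the interval is reset.
        repeatInterval: "168h"
        # -- labels to be added to the scans started by the auto-discovery, all label values support templating
        labels: {}
        # -- annotations to be added to the scans started by the auto-discovery, all annotation values support templating
        annotations:
          defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
          defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
          defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
          defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"
        # -- volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes
        # the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating
        volumes: []
        # -- volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1
        # the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating
        volumeMounts: []
        # -- HookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
        # Both matchLabels and matchExpressions are supported.
        # All values in the matchLabels map support templating.
        # MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list.
        hookSelector: {}
  containerAutoDiscovery:
    enabled: false
    # -- interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod
    passiveReconcileInterval: 1m
    scanConfigs:
      # -- scanType used for the scans created by the containerAutoDiscovery
      - scanType: trivy-image-autodiscovery
        # -- unique name to distinguish scans
        name: "trivy"
        # -- parameters used for the scans created by the containerAutoDiscovery, all parameters support templating
        parameters:
          - "{{ .ImageID }}"
        # -- interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will be repeated beforehand and the interval is reset.
        repeatInterval: "168h"
        # -- labels to be added to the scans started by the auto-discovery, all label values support templating
        labels: {}
        # -- annotations to be added to the scans started by the auto-discovery, all annotation values support templating
        annotations:
          defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
          defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
          defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
          defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"
        # -- volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes
        # the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating
        volumes: []
        # -- volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1
        # the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating
        volumeMounts: []
        # -- hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
        # Both matchLabels and matchExpressions are supported.
        # All values in the matchLabels map support templating.
        # MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list.
        hookSelector: {}
    imagePullSecretConfig:
      # -- When true, registry credentials (presumably taken from the discovered pod's imagePullSecrets — confirm in the operator) are handed to the scan container as the environment variables named below.
      # Registry credentials then live in the scan pod's environment: if they are injected as literal values rather than via secretKeyRef, anyone allowed to read Job/Pod specs in the scanned namespace can read them. Keep RBAC on Jobs/Pods in scanned namespaces tight and prefer least-privilege, read-only registry credentials.
      mapImagePullSecretsToEnvironmentVariables: true
      usernameEnvironmentVariableName: "TRIVY_USERNAME"
      passwordEnvironmentVariableName: "TRIVY_PASSWORD"
  health:
    # -- Address the health/readiness probes listen on. No host part means all interfaces of the operator pod. Quoted so no YAML parser treats the leading `:` specially.
    healthProbeBindAddress: ":8081"
  metrics:
    # -- Address the metrics endpoint listens on. Loopback only: metrics are not reachable from other pods unless this is changed (and then should be protected, e.g. by a NetworkPolicy).
    bindAddress: "127.0.0.1:8080"
  leaderElection:
    # -- Enables leader election so that only one operator replica reconciles at a time
    leaderElect: true
    # -- Name of the leader-election resource; must be unique per operator installation in the cluster
    resourceName: 0e41a1f4.securecodebox.io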
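# -- Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
# NOTE(review): no seccompProfile is set; the Restricted Pod Security Standard expects `seccompProfile.type: RuntimeDefault` (or Localhost) on the pod or the container — consider adding it here or in podSecurityContext.
securityContext:
  # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
  runAsNonRoot: true
  # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
  readOnlyRootFilesystem: true
  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
  allowPrivilegeEscalation: false
  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
  privileged: false
  capabilities:
    drop:
      # securityContext.capabilities.drop[0] -- This drops all linux capabilities from the operator container. They are not required
      # NOTE(review): the Kubernetes docs spell this `ALL`; whether the lowercase form is accepted depends on the container runtime — confirm, or switch to `ALL`.
      - all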
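# -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
# Empty by default; a pod-level `seccompProfile` (`type: RuntimeDefault`) is what the Restricted Pod Security Standard expects if it is not set on the container.
podSecurityContext: {}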
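# resources -- CPU/memory resource requests/limits for the operator container (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
# Requests are below the memory limit, so the pod lands in the Burstable QoS class; raise `requests.memory` to `100Mi` for Guaranteed scheduling.
resources:
  limits:
    cpu: 100m
    memory: 100Mi
  requests:
    cpu: 100m
    memory: 20Mi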