values.yaml
# Default values for snyk-monitor.
# The snyk-monitor relies on several k8s secrets in order to be configured properly.
# These secrets are named "snyk-monitor-secrets", though you can change the name.
# The secrets should be created externally, before applying this Helm chart.
# The currently used keys within the secret are: "dockercfg.json", "integrationId".
# NOTE(review): the default below is "snyk-monitor", not "snyk-monitor-secrets" as
# stated above - confirm which Secret name the chart templates actually reference.
# Because the Secret is created outside the chart, the registry credentials
# ("dockercfg.json") and the integration ID never need to appear in a values file.
monitorSecrets: snyk-monitor
# Names of ConfigMaps consumed by the chart. Judging by the key names they hold
# CA certificates and registries.conf content - confirm against the templates.
certsConfigMap: snyk-monitor-certs
registriesConfConfigMap: snyk-monitor-registries-conf
# An external ConfigMap to use for loading policies into snyk-monitor.
# If not set, defaultWorkloadPoliciesMap will be used.
workloadPoliciesMap: ""
# A list of Snyk Organization public IDs to let snyk-monitor know in which Organization to auto-import and auto-delete scanned images.
# This is used to populate the default workload policy file.
policyOrgs: []
# Default rego workload policies to install.
# Setting `workloadPoliciesMap` will overwrite this.
defaultWorkloadPoliciesMap: snyk-monitor-workload-policies
# One of: Cluster, Namespaced
# Cluster - creates a ClusterRole and ClusterRoleBinding with the ServiceAccount
# Namespaced - creates a Role and RoleBinding with the ServiceAccount
# Namespaced is the narrower grant: prefer it when only a single namespace has to be
# monitored. The verbs and resources granted are defined in the chart templates,
# not in this file.
scope: Cluster
# The endpoint that is used to transmit monitored information.
# Empty by default. Scan results are sent to whatever is set here, so only
# override it with an endpoint you control or trust.
integrationApi: ""
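# The registry from which to pull the snyk-monitor image.
# `tag` is a placeholder; going by its name it is replaced when the chart is
# published. When installing from source, set it to a released version.
image:
  repository: snyk/kubernetes-monitor
  tag: IMAGE_TAG_OVERRIDE_WHEN_PUBLISHING
  pullPolicy: Always

# If deploying in an air-gapped environment that can't pull from DockerHub, override the initContainer's image here for one that is accessible to your environment.
# NOTE(review): `busybox:latest` is a mutable tag on a public registry, so the
# init container's content can change between pod starts without any change to
# this chart. Pin a fixed version tag, or mirror the image into a registry you control.
initContainerImage:
  repository: busybox
  tag: latest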
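# The snyk-monitor requires knowing the cluster name so that it can organise
# scanned workloads. The Kubernetes API does not provide an API to query this.
# Set the name of the cluster, otherwise the snyk-monitor will set this to a default value.
clusterName: ""

# The snyk-monitor requires disk storage to temporarily pull container images and to scan them for vulnerabilities.
# This value controls how much disk storage _at most_ may be allocated for the snyk-monitor. Unless overridden by the `pvc` value, the snyk-monitor mounts an emptyDir for storage.
temporaryStorageSize: 50Gi # Applies to PVC too

# Change "enabled" to true to use a PVC instead of emptyDir for local storage.
# Change "create" to true if you want to create the PVC (useful for first time run).
# This storage holds pulled container images while they are scanned. Unlike an
# emptyDir, a PVC is not deleted together with the pod, so its content can persist.
pvc:
  enabled: false
  name: snyk-monitor-pvc
  create: false
  ## snyk-monitor data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner. (gp2 on AWS, standard on
  ## GKE, AWS & OpenStack)
  ##
  # storageClassName: "-"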
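# Additional annotations and labels for the Kubernetes ServiceAccount
# On platforms with annotation-based workload identity, an annotation set here
# binds the ServiceAccount to a cloud IAM identity; grant that identity only
# what the monitor needs (presumably registry read access - confirm).
rbac:
  serviceAccount:
    annotations: {}
    labels: {}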
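# General-purpose environment variables
# Unset (null) by default.
# NOTE(review): presumably rendered as plain `env` entries on the container, where
# values are readable by anyone who can view the pod spec - keep credentials in a
# Kubernetes Secret rather than in these lists.
envs:

# Node.js in-container process memory enhancements
nodeEnvVars:
  - name: V8_MAX_OLD_SPACE_SIZE
    value: "2048"
  - name: UV_THREADPOOL_SIZE
    value: "24"
  - name: NODE_OPTIONS
    value: --max_old_space_size=2048

# Variables related to AKS
azureEnvVars:
  - name: AZURE_CLIENT_ID
    value: ""

# Path of a CA certificate file inside the container.
# NOTE(review): presumably passed to Node.js as extra trusted CAs and populated
# from the ConfigMap named by `certsConfigMap` - confirm against the templates.
# If so, whoever can edit that ConfigMap can extend the CAs the monitor trusts.
extraCaCerts: /srv/app/certs/ca.pem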
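# CPU/Mem requests and limits for snyk-monitor
# `nodeEnvVars` caps the V8 old space at 2048 (MiB), the same size as the 2Gi
# memory limit below; when changing one, review the other so the process is not
# killed for exceeding its limit before the heap cap is reached.
requests:
  cpu: "250m"
  memory: "400Mi"

limits:
  cpu: "1"
  memory: "2Gi"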
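# Proxy-related settings; the three *_proxy keys are unset (null) by default.
# If a proxy URL has to carry credentials, note that a value set here is stored
# in plain text in the values file (and presumably in the rendered manifest).
http_proxy:
https_proxy:
no_proxy:
use_keepalive: true
skip_k8s_jobs:

# Override default (INFO) log level if less verbosity needed
log_level:

nodeSelector: {}

# Node affinity inputs: the architecture and OS values the pod may be scheduled on.
nodeAffinity:
  disableBetaArchNodeSelector: true
  kubernetesIoArch:
    - amd64
  kubernetesIoOs:
    - linux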
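# Additional labels and annotations for the snyk-monitor Deployment's Pod
# Both maps are empty by default.
metadata:
  labels: {}
  annotations: {}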
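# Override the NetworkPolicy
# NOTE(review): the default `egress` list holds one empty rule. If the chart
# copies this list into the NetworkPolicy's spec.egress unchanged (template not
# shown here), an empty rule matches every destination and port, so outbound
# traffic stays unrestricted even with `enabled: true`. Replace it with explicit
# rules for the destinations the monitor has to reach.
networkPolicy:
  enabled: true
  egress:
    - {}

# Override the excluded namespaces
# Unset (null) by default.
excludedNamespaces: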
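# Allow specifying a fsGroup in the PodSpec securityContext:
# spec:
#   template:
#     spec:
#       securityContext:
#         fsGroup: <-- here
# Unset (null) by default. fsGroup is the only securityContext field exposed in
# this file; other hardening fields (runAsNonRoot, readOnlyRootFilesystem,
# capabilities) would have to come from the Deployment template - check what it sets.
securityContext:
  fsGroup:

# Set node tolerations for snyk-monitor
tolerations: []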
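# A projected volume maps several existing volume sources into the same directory.
# https://kubernetes.io/docs/concepts/storage/volumes/#projected
# Off by default. NOTE(review): presumably switches the ServiceAccount token to
# a projected volume mount - confirm against the Deployment template.
volumes:
  projected:
    serviceAccountToken: false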
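# Compression level handed to skopeo (presumably for pulled image archives - confirm).
skopeo:
  compression:
    level: 6

workers:
  count: 5

# Sysdig integration, off by default. `secretName` names a Secret that is not
# created by anything in this file; presumably it must exist before enabling.
sysdig:
  enabled: false
  secretName: sysdig-eve-secret
  # The minimum pollingIntervalMins is 30
  pollingIntervalMins: 30

strategy:
  type: RollingUpdate

initContainers:
  enabled: true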
# Additional volumes for the deployment, available to all containers
# Every volume added here is reachable from all containers of the pod, including
# any extra init containers, so add only what the monitor needs.
extraVolumes: []
# - name: my-empty-dir
#   emptyDir: {}
# Additional volume mounts for the snyk-monitor container
# Prefer `readOnly: true` (as in the example) unless the monitor must write to the mount.
extraVolumeMounts: []
# - name: extras
#   mountPath: /mnt/my-empty-dir
#   readOnly: true
# Additional init containers, templated
# "Templated" means the entries may contain template expressions such as the
# `.Values` references in the example; they are evaluated with the chart's
# values, so accept this list only from values files you trust.
extraInitContainers: []
# - name: wait-for-condition
#   image: "{{ .Values.initContainerImage.repository }}:{{ .Values.initContainerImage.tag }}"
#   command: ['sh', '-c', 'sleep 10 || :']