diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml index 0f100406d..65370a84a 100644 --- a/charts/cluster-scanner/Chart.yaml +++ b/charts/cluster-scanner/Chart.yaml @@ -3,7 +3,7 @@ name: cluster-scanner description: Sysdig Cluster Scanner type: application -version: 0.13.6 +version: 0.13.7 appVersion: "0.1.0" home: https://www.sysdig.com/ diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index 6fb0279cd..4ae038f4c 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -25,7 +25,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.13.6 \ + --create-namespace -n sysdig --version=0.13.7 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.13.6 \ + --create-namespace -n sysdig --version=0.13.7 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE 
@@ -86,86 +86,87 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `cluster-scanner` chart and their default values. -| Parameter | Description | Default | -|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------| -| global.clusterConfig.name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | "" | -| global.sysdig.accessKey | Your Sysdig Agent Access Key | "" | -| global.sysdig.region | Region name for Sysdig. Valid options: `us1`, `us2`, `us3`, `us4`, `eu1`, `au1`. When no region is suitable (e.g. on-premise installations) set the `global.sysdig.apiHost: ""` parameter. | "us1" | -| global.image.pullSecrets | The pull secrets for Cluster Scanner | [] | -| global.image.pullPolicy | The pull policy for Cluster Scanner | IfNotPresent | -| global.proxy | Global HTTP Proxy settings. | {} | -| global.loggingLevel | Set the logging level to use, useful for troubleshooting. Valid values, sorted by increasing level of verbosity are: `PANIC`, `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`. | "INFO" | -| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) 
A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | -| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | -| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | -| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | -| eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | true | -| eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | true | -| rootNamespace | The namespace to use to retrieve the cluster UID | "kube-system" | -| replicaCount | | 2 | -| sslVerifyCertificate | Optional parameter used to check the compatibility of cluster-scanner component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM Extractor. onPremCompatibilityVersion: "6.2" Can be set to false to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. | true | -| sslVerifyRegistryCertificate | Can be set to false to allow insecure connections registries, Such as for registries with self-signed or private certificates. By default, certificates are always verified. 
| true | -| runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | quay.io | -| runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | sysdig/runtime-status-integrator | -| runtimeStatusIntegrator.image.tag | | "0.8.4" | -| runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. | | -| runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | 25000 | -| runtimeStatusIntegrator.ports.probes | The port to be used for healthcheck probes for the Runtime Status Integrator | 7000 | -| runtimeStatusIntegrator.resources.limits.cpu | Runtime Status Integrator CPU limit per replica | "1" | -| runtimeStatusIntegrator.resources.limits.memory | Runtime Status Integrator Memory limit per replica | 350Mi | -| runtimeStatusIntegrator.resources.requests.cpu | Runtime Status Integrator CPU requests per replica | "350m" | -| runtimeStatusIntegrator.resources.requests.memory | Runtime Status Integrator Memory requests per replica | 350Mi | -| runtimeStatusIntegrator.env | Runtime Status Integrator env allows the definition of environment variables | {} | -| runtimeStatusIntegrator.natsJS.user | The username to be used in the NATS JetStream instance the Runtime Status Integrator is going to start | "default-user" | -| runtimeStatusIntegrator.natsJS.tls.enabled | | true | -| runtimeStatusIntegrator.natsJS.tls.verifyCertificate | Can be set to false to allow insecure connections to the NATS JetStream instance | true | -| imageSbomExtractor.image.registry | The image registry to use for the Image SBOM Extractor component of Cluster Scanner | quay.io | -| imageSbomExtractor.image.repository | The image repository to use for pulling the 
Image SBOM Extractor image | sysdig/image-sbom-extractor | -| imageSbomExtractor.image.tag | | "0.8.4" | -| imageSbomExtractor.ports.metrics | The port to be used to expose prometheus metrics for the Image SBOM Extractor | 25001 | -| imageSbomExtractor.ports.probes | The port to be used for healthcheck probes for the Image SBOM Extractor | 7001 | -| imageSbomExtractor.resources.limits.cpu | Image SBOM Extractor CPU limit per replica | "1" | -| imageSbomExtractor.resources.limits.memory | Image SBOM Extractor Memory limit per replica | 350Mi | -| imageSbomExtractor.resources.requests.cpu | Image SBOM Extractor CPU requests per replica | "350m" | -| imageSbomExtractor.resources.requests.memory | Image SBOM Extractor Memory requests per replica | 350Mi | -| imageSbomExtractor.env | Image SBOM Extractor env allows the definition of environment variables | {} | -| imageSbomExtractor.cache.type | The type of cache to use. Allowed values are `local`, `distributed` and `distributed,local`. When specified more than one, the cache precedence will be applied from right to left. Eg: `distributed,local` will try to hit the local one first, than fallback to distributed one (redis) When setting `distributed`, you should also setup redis settings below accordingly with your redis installation. | "local" | -| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | -| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | -| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" | -| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. 
[Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
Example:
`mirrors:`
`registryMirrors:`
`- insecure.mirror.acme.com`
`- secure.mirror.acme.com`
`insecureRegistries:`
`- insecure.mirror.acme.com` | {} | -| nameOverride | Chart name override | "" | -| fullnameOverride | Chart full name override | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations.prometheus.io/scrape | | "true" | -| podAnnotations.prometheus.io/path | | "/metrics" | -| podAnnotations.prometheus.io/port | | "25000" | -| podSecurityContext | Set Cluster Scanner pod security context | {} | -| securityContext | Set Cluster Scanner security context | {} | -| selectorLabels | Set Cluster Scanner Selector Labels | {} | -| nodeSelector.kubernetes.io/arch | Cluster Scanner is only supported on nodes with amd64 architecture | amd64 | -| tolerations | Set Cluster Scanner scheduling tolerations | [] | -| affinity | Set Cluster Scanner affinity | {} | -| ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | -| ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. 
| | -| ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | -| ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | -| disablePlatformScanning | Option to make it possible to disable platform services | false | -| podLabels | Set Cluster Scanner pod labels | {} | -| labels | Set Cluster Scanner labels | {} | +| Parameter | Description | Default | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------| +| global.clusterConfig.name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | "" | +| global.sysdig.accessKey | Your Sysdig Agent Access Key | "" | +| global.sysdig.region | Region name for Sysdig. Valid options: `us1`, `us2`, `us3`, `us4`, `eu1`, `au1`. When no region is suitable (e.g. on-premise installations) set the `global.sysdig.apiHost: ""` parameter. 
| "us1" | +| global.image.pullSecrets | The pull secrets for Cluster Scanner | [] | +| global.image.pullPolicy | The pull policy for Cluster Scanner | IfNotPresent | +| global.proxy | Global HTTP Proxy settings. | {} | +| global.loggingLevel | Set the logging level to use, useful for troubleshooting. Valid values, sorted by increasing level of verbosity are: `PANIC`, `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`. | "INFO" | +| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | +| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | +| eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | true | +| eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | true | +| rootNamespace | The namespace to use to retrieve the cluster UID | "kube-system" | +| replicaCount | | 2 | +| onPremCompatibilityVersion | Optional parameter used to check the compatibility of cluster-scanner component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. E.g. 
if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM Extractor. | | +| sslVerifyCertificate | Can be set to false to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. | true | +| sslVerifyRegistryCertificate | Can be set to false to allow insecure connections registries, Such as for registries with self-signed or private certificates. By default, certificates are always verified. | true | +| runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | quay.io | +| runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | sysdig/runtime-status-integrator | +| runtimeStatusIntegrator.image.tag | | "0.8.4" | +| runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. 
| | +| runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | 25000 | +| runtimeStatusIntegrator.ports.probes | The port to be used for healthcheck probes for the Runtime Status Integrator | 7000 | +| runtimeStatusIntegrator.resources.limits.cpu | Runtime Status Integrator CPU limit per replica | "1" | +| runtimeStatusIntegrator.resources.limits.memory | Runtime Status Integrator Memory limit per replica | 350Mi | +| runtimeStatusIntegrator.resources.requests.cpu | Runtime Status Integrator CPU requests per replica | "350m" | +| runtimeStatusIntegrator.resources.requests.memory | Runtime Status Integrator Memory requests per replica | 350Mi | +| runtimeStatusIntegrator.env | Runtime Status Integrator env allows the definition of environment variables | {} | +| runtimeStatusIntegrator.natsJS.user | The username to be used in the NATS JetStream instance the Runtime Status Integrator is going to start | "default-user" | +| runtimeStatusIntegrator.natsJS.tls.enabled | | true | +| runtimeStatusIntegrator.natsJS.tls.verifyCertificate | Can be set to false to allow insecure connections to the NATS JetStream instance | true | +| imageSbomExtractor.image.registry | The image registry to use for the Image SBOM Extractor component of Cluster Scanner | quay.io | +| imageSbomExtractor.image.repository | The image repository to use for pulling the Image SBOM Extractor image | sysdig/image-sbom-extractor | +| imageSbomExtractor.image.tag | | "0.8.4" | +| imageSbomExtractor.ports.metrics | The port to be used to expose prometheus metrics for the Image SBOM Extractor | 25001 | +| imageSbomExtractor.ports.probes | The port to be used for healthcheck probes for the Image SBOM Extractor | 7001 | +| imageSbomExtractor.resources.limits.cpu | Image SBOM Extractor CPU limit per replica | "1" | +| imageSbomExtractor.resources.limits.memory | Image SBOM Extractor Memory limit per replica | 350Mi | +| 
imageSbomExtractor.resources.requests.cpu | Image SBOM Extractor CPU requests per replica | "350m" | +| imageSbomExtractor.resources.requests.memory | Image SBOM Extractor Memory requests per replica | 350Mi | +| imageSbomExtractor.env | Image SBOM Extractor env allows the definition of environment variables | {} | +| imageSbomExtractor.cache.type | The type of cache to use. Allowed values are `local`, `distributed` and `distributed,local`. When specified more than one, the cache precedence will be applied from right to left. Eg: `distributed,local` will try to hit the local one first, than fallback to distributed one (redis) When setting `distributed`, you should also setup redis settings below accordingly with your redis installation. | "local" | +| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | +| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | +| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" | +| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
Example:
`mirrors:`
`registryMirrors:`
`- insecure.mirror.acme.com`
`- secure.mirror.acme.com`
`insecureRegistries:`
`- insecure.mirror.acme.com` | {} | +| nameOverride | Chart name override | "" | +| fullnameOverride | Chart full name override | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations.prometheus.io/scrape | | "true" | +| podAnnotations.prometheus.io/path | | "/metrics" | +| podAnnotations.prometheus.io/port | | "25000" | +| podSecurityContext | Set Cluster Scanner pod security context | {} | +| securityContext | Set Cluster Scanner security context | {} | +| selectorLabels | Set Cluster Scanner Selector Labels | {} | +| nodeSelector.kubernetes.io/arch | Cluster Scanner is only supported on nodes with amd64 architecture | amd64 | +| tolerations | Set Cluster Scanner scheduling tolerations | [] | +| affinity | Set Cluster Scanner affinity | {} | +| ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. 
| | +| ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | +| ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | +| disablePlatformScanning | Option to make it possible to disable platform services | false | +| podLabels | Set Cluster Scanner pod labels | {} | +| labels | Set Cluster Scanner labels | {} | Specify each parameter using the **`--set key=value[,key=value]`** argument to `helm upgrade --install`. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.13.6 \ + --create-namespace -n sysdig --version=0.13.7 \ --set global.sysdig.region="us1" ``` @@ -174,7 +175,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.13.6 \ + --create-namespace -n sysdig --version=0.13.7 \ --values values.yaml ``` diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml index d5edc9731..7fffe0e82 100644 --- a/charts/cluster-scanner/values.yaml +++ b/charts/cluster-scanner/values.yaml @@ -85,7 +85,7 @@ replicaCount: 2 # E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image # tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM # Extractor. -# onPremCompatibilityVersion: "6.2" +onPremCompatibilityVersion: # Can be set to false to allow insecure connections to the Sysdig backend, # such as for on-premise installs that use self-signed certificates.
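Review bot: in the README table hunk, the new `onPremCompatibilityVersion` row (correctly split out of the `sslVerifyCertificate` row, whose old description had the two parameters glued together) gives the example `onPremCompatibilityVersion=6.2`, but passed through `--set` Helm parses `6.2` as a number rather than the quoted string the old values.yaml default `"6.2"` used; show `--set-string onPremCompatibilityVersion=6.2` or a quoted value in a values file so the version comparison receives a string, and state in the Default column that an unset value means SaaS (the description already says SaaS users must NOT provide it). Same hunk, the re-emitted rows carry over typos worth fixing while the table is being rewritten anyway: "on-premised" (on-premises), "runinng" (running), "allow insecure connections registries, Such as" (allow insecure connections to registries, such as), "than fallback to distributed one" (then fall back to the distributed one), "setup redis settings below accordingly with" (set up the redis settings below according to). Finally, `sslVerifyCertificate`, `sslVerifyRegistryCertificate` and `runtimeStatusIntegrator.natsJS.tls.verifyCertificate` each document a `false` escape hatch; the `sslVerifyCertificate` row should point at `ssl.ca.certs` / `ssl.ca.existingCaSecret` (documented for outbound connections to the backend) as the way to trust a private CA without disabling verification, the registry row should say whether that CA bundle is honoured for registry connections too, and the `runtimeStatusIntegrator.localCluster` row should say that restricting to the required pull secrets, rather than the default of listing all secrets, is the recommended least-privilege setting.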
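Review bot: in the values.yaml hunk, replacing the commented `# onPremCompatibilityVersion: "6.2"` with a bare `onPremCompatibilityVersion:` sets the key to YAML null, so every template that consumes it must treat nil as "SaaS, skip the compatibility check" and must not apply string functions to it without a guard; either keep the key commented out as before, or set it to `""` explicitly and extend the comment block above (which still reads `E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 0.5.0`) to state that an empty value means SaaS and that on-prem users should quote the version (`"6.2"`) so it is rendered as a string and not a float.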