# Default values for checkmk. # This is a YAML-formatted file. # Declare variables to be passed into your templates. nameOverride: "" fullnameOverride: "" kubeVersionOverride: "" ## k3s and Rancher RKE2 host containerd in a different location. ## If you are using one of them, or containerd is located in an alternate location, please uncomment / adapt the override. #containerdOverride: "/run/k3s/containerd/containerd.sock" ## GKE Autopilot Configuration ## Enable for GKE Autopilot clusters. ## Requirements: Deploy allowlist-synchronizer CRD first: [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml] ## See: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads gkeAutopilot: ## Enable GKE Autopilot specific configurations enabled: false ## Must match the allowlist entry configured in your GKE Autopilot cluster via allowlist-synchronizer CRD. ## Update this value if your cluster uses a different allowlist version ## For private mirrors, ensure the image digest in the allowlist matches the deployed image tag matchingAllowlist: "checkmk-node-collector-container-metrics-v1.1.0" tlsCommunication: enabled: false verifySsl: false # clusterCollectorKey: |- # -----BEGIN EC PRIVATE KEY----- # XYZ # -----END EC PRIVATE KEY----- # clusterCollectorCert: |- # -----BEGIN CERTIFICATE----- # XYZ # -----END CERTIFICATE----- # checkmkCaCert: |- # -----BEGIN CERTIFICATE----- # XYZ # -----END CERTIFICATE----- imagePullSecrets: [] image: # Overrides the image tag whose default is the chart appVersion. # ref: https://hub.docker.com/r/checkmk/kubernetes-collector/tags tag: "main_2024.04.26" # main_ rbac: # PodSecurityPolicies (PSPs) were deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. # This section will be removed as soon as we do not support versions below v1.25 anymore. pspEnabled: false pspAnnotations: ## Specify psp annotations ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl ## seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' serviceAccount: ## Specifies whether a service account should be created create: true ## The name of the service account to use. ## If not set, service account name is using the fullname template: "[fullname]-checkmk" # name: "" ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ networkPolicy: # keep in mind: your cluster network plugin has to support NetworkPolicies, otherwise they won't have any effect enabled: false # specify ipBlock cidrs here to allow ingress to the cluster-collector # this is required for the checkmk servers to be able to scrape data from checkmk, so include the resprective ip range(s) here allowIngressFromCIDRs: [] # - 127.0.0.1/32 # e.g. Checkmk Server # - 127.0.0.1/24 # e.g. Metallb speakers # the cluster-collector needs to be able to contact the kube-apiserver # you have three options here to choose from, depending on your cluster setup: # 1) if your apiserver resides outside the cluster, resp. you have a kubernetes endpoint available (check via "kubectl -n default get ep kubernetes") # we can make use of helm lookup to automatically inject the endpoiƄt (cidr + port) here. # This is the most comfortable one, just note that helm lookup won't work on a "helm template" or "helm diff" command. # (see also: https://helm.sh/docs/chart_template_guide/functions_and_pipelines/#using-the-lookup-function) # 2) similar to 1) you can also specify the "ipBlockCidr" directly. Make sure to disable "enableCidrLookup", and also fill the "port". # 3) if the apiserver resides inside the cluster, disable "enableCidrLookup", unset "ipBlockCidr", and fill the "labelSelectors" section # with the name of the namespace where the kube-apiserver is availabe, and the label key and label value that defines your kube-apiserver pod. egressKubeApiserver: enableCidrLookup: true # ipBlockCidr: 172.31.0.3/32 # port: 6443 # labelSelectors: # namespace: kube-system # key: app # value: kube-apiserver ## Configuration for cluster-collector clusterCollector: image: repository: checkmk/kubernetes-collector pullPolicy: IfNotPresent # tag: "" # Override global image.tag if needed # address controls on which interfaces the kubernetes-collector will listen # use "[::]" to listen on all interfaces in an IPv6 cluster address: "0.0.0.0" # can be: "debug", "info", "warning" (default), "critical" logLevel: warning # cacheMaxsize set the maximum number of metric entries the cluster collector can hold at a time # For smaller clusters, you can decrease it to e.g. 10000 # For larger cluster, increase the value in case there are gaps in the graphs cacheMaxsize: "50000" podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 securityContext: seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 service: # if required specify "NodePort" here to expose the cluster-collector via the "nodePort" specified below type: ClusterIP port: 8080 # nodePort: 30035 annotations: {} ingress: enabled: false className: "" annotations: nginx.ingress.kubernetes.io/rewrite-target: / hosts: - host: checkmk-cluster-collector.local paths: - path: / pathType: Prefix tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local livenessProbe: initialDelaySeconds: 3 periodSeconds: 10 timeoutSeconds: 2 failureThreshold: 3 readinessProbe: initialDelaySeconds: 3 periodSeconds: 10 timeoutSeconds: 2 failureThreshold: 3 httpHeaders: [ ] ## Configure resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 300m # memory: 200Mi # requests: # cpu: 150m # memory: 200Mi nodeSelector: {} tolerations: [] affinity: {} ## Configuration for node-collector components (cadvisor, container-metrics, machine-sections) nodeCollector: # logLevel for container-metrics and machine-sections; can be: "debug", "info", "warning" (default), "critical" logLevel: warning # Pods of nodeCollectors will typically be ready for a short amount of time before detecting # problems. The value below ensures, that they don't become available as well. minReadySeconds: 15 # Annotations to be added to node-collector pods podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 ## Assign a nodeSelector if operating a hybrid cluster ## nodeSelector: {} # beta.kubernetes.io/arch: amd64 # beta.kubernetes.io/os: linux tolerations: [] # - effect: NoSchedule # operator: Exists ## Assign a PriorityClassName to pods if set # priorityClassName: "" cadvisor: image: repository: checkmk/cadvisor-patched pullPolicy: IfNotPresent # tag: "" # Override global image.tag if needed additionalArgs: - "--housekeeping_interval=30s" - "--max_housekeeping_interval=35s" - "--event_storage_event_limit=default=0" - "--event_storage_age_limit=default=0" - "--store_container_labels=false" - "--whitelisted_container_labels=io.kubernetes.container.name,io.kubernetes.pod.name,io.kubernetes.pod.namespace,io.kubernetes.pod.uid" - "--global_housekeeping_interval=30s" - "--event_storage_event_limit=default=0" - "--event_storage_age_limit=default=0" - "--enable_metrics=cpu,memory" - "--allow_dynamic_housekeeping=true" - "--storage_duration=1m0s" securityContext: seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false capabilities: drop: - ALL add: ["SYS_PTRACE"] privileged: false readOnlyRootFilesystem: true ## Configure resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 300m # memory: 200Mi # requests: # cpu: 150m # memory: 200Mi # Configuration for containerd socket (used by cadvisor in the node collector). # This section is optional and only needed if CPU/Memory metrics are missing the required labels. # Access to the container runtime socket (e.g., for metrics collection). # Known limitation: # - When Kubernetes nodes run with cgroup v2 (common in newer distros), # cAdvisor cannot properly map container metadata (pod name, namespace, labels) # from cgroups alone. # - To work around this, the container runtime socket must be mounted inside the cAdvisor pod # so that cAdvisor can query containerd directly for metadata via its gRPC interface. # # To locate the correct socket path on your host node, run: # find / -type s -name 'containerd.sock' 2>/dev/null # # The path varies depending on your Kubernetes setup: # - MicroK8s: /var/snap/microk8s/common/run/containerd.sock # - Standard containerd: /run/containerd/containerd.sock # - k3s: /run/k3s/containerd/containerd.sock # # mountPath is where the socket is available inside the container. # hostPath is the full path to the socket file on the Kubernetes node. # # Example to enable: # containerdSocket: # enabled: true # name: containerdsock # mountPath: /var/snap/microk8s/common/run/containerd.sock # hostPath: /var/snap/microk8s/common/run/containerd.sock containerMetricsCollector: image: repository: checkmk/kubernetes-collector pullPolicy: IfNotPresent # tag: "" # Override global image.tag if needed securityContext: seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 ## Configure resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 300m # memory: 200Mi # requests: # cpu: 150m # memory: 200Mi machineSectionsCollector: image: repository: checkmk/kubernetes-collector pullPolicy: IfNotPresent # tag: "" # Override global image.tag if needed securityContext: seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 ## Configure resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: # limits: # cpu: 300m # memory: 200Mi # requests: # cpu: 150m # memory: 200Mi checkmkAgentTimeout: 5 # the machine sections collector can collect monitoring information for network interfaces of the underlying node. # this means that the '/sys' directory of the node will be mounted into the container. # the pod security policy is adjusted accordingly. networkInterfaceMonitoring: enabled: false # in order to collect information about the underlying host machine, it's necessary to mount # the filesystem of the host machine (e.g. '/') into the docker container. # extraHostPathMounts: # - name: run # mountPath: "/host/run" # hostPath: # path: /run # type: Directory # - name: boot # mountPath: "/host/boot" # hostPath: # path: /boot # type: Directory