# Default values for the starboard-operator Helm chart, these are used to render # the templates into valid k8s Resources. # targetNamespace defines where you want starboard-operator to operate. By # default it will only operate in the namespace its installed in, but you can # specify another namespace, or a comma separated list of namespaces, or set it # to a blank string to let it operate in all namespaces. targetNamespaces: "{{ .Release.Namespace }}" nameOverride: "" fullnameOverride: "" operator: replicas: 1 # leaderElectionId determines the name of the resource that leader election # will use for holding the leader lock. leaderElectionId: "starboard-operator" # vulnerabilityScannerEnabled the flag to enable vulnerability scanner vulnerabilityScannerEnabled: true # configAuditScannerEnabled the flag to enable configuration audit scanner configAuditScannerEnabled: true # kubernetesBenchmarkEnabled the flag to enable CIS Kubernetes Benchmark scanner kubernetesBenchmarkEnabled: true # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed. batchDeleteLimit: 10 # batchDeleteDelay the duration to wait before deleting another batch of config audit reports. batchDeleteDelay: 10s image: repository: "aquasec/starboard-operator" # tag is an override of the image tag, which is by default set by the # appVersion field in Chart.yaml. tag: "" pullPolicy: "" pullSecrets: [] # service only expose a metrics endpoint for prometheus to scrape, # starboard-operator does not have a user interface. service: type: ClusterIP metricsPort: 80 annotations: prometheus.io/scrape: "true" prometheus.io/path: /metrics # envSecret represent a k8s Secret resource that will be referenced to mount # environment variables. envSecret: # create specifies whether a k8s Secret should be created with a given # stringData. If this is set to false, only the keys defined in stringData # will be optionally mounted from the named secret, rather than all keys in # the named k8s Secret. create: true # name specifies the name of the k8s Secret to reference. If not set, a name # is generated using the fullname template. name is currently required to be # hardcoded to starboard-operator as the starboard-operator binary makes a # hardcoded reference to that name: # https://github.com/aquasecurity/starboard/blob/ad6b9b99931d7524806f79b1329fdda82c75a715/pkg/operator/scanner.go#L26-L28 name: "starboard-operator" # stringData specifies key value pairs to be added to the k8s Secret and # mounted by the Pod as environment variables. # # NOTE: OPERATOR_NAMESPACE will be set based on where this Helm chart was # installed, and you are required to specify targetNamespace instead of # OPERATOR_TARGET_NAMESPACE below for this Helm chart to function # properly. stringData: OPERATOR_LOG_DEV_MODE: "false" starboard: # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. vulnerabilityReportsPlugin: "Trivy" # configAuditReportsPlugin the name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`. configAuditReportsPlugin: "Polaris" # scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints scanJobTolerations: [] # If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the # square brackets after 'scanJobTolerations:'. # - key: "key1" # operator: "Equal" # value: "value1" # effect: "NoSchedule" # scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be # annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` scanJobAnnotations: "" trivy: # imageRef the Trivy image reference. imageRef: docker.io/aquasec/trivy:0.19.2 # mode is the Trivy client mode. Either Standalone or ClientServer. Depending # on the active mode other settings might be applicable or required. mode: Standalone # httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. # # httpProxy: # httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. # # httpsProxy: # noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings. # # noProxy: # severity is a comma separated list of severity levels reported by Trivy. severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL # ignoreUnfixed is the flag to show only fixed vulnerabilities in # vulnerabilities reported by Trivy. Set to "true" to enable it. # # ignoreUnfixed: "true" # resources resource requests and limits resources: requests: cpu: 100m memory: 100M limits: cpu: 500m memory: 500M # githubToken is the GitHub access token used by Trivy to download the vulnerabilities # database from GitHub. Only applicable in Standalone mode. # # githubToken: "*****" # serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode. # # serverURL: "https://trivy.trivy:4975" # serverToken is the token to authenticate Trivy client with Trivy server. Only # applicable in ClientServer mode. # # serverToken: "*****" # serverTokenHeader is the name of the HTTP header used to send the authentication # token to Trivy server. Only application in ClientServer mode when # trivy.serverToken is specified. serverTokenHeader: "Trivy-Token" # serverCustomHeaders is a comma separated list of custom HTTP headers sent by # Trivy client to Trivy server. Only applicable in ClientServer mode. # # serverCustomHeaders: "foo=bar" kubeBench: imageRef: docker.io/aquasec/kube-bench:0.6.3 polaris: imageRef: quay.io/fairwinds/polaris:4.0 # resources resource requests and limits resources: requests: cpu: 50m memory: 50M limits: cpu: 300m memory: 300M config: checks: # reliability multipleReplicasForDeployment: ignore priorityClassNotSet: ignore # resources cpuRequestsMissing: warning cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning # images tagNotSpecified: danger pullPolicyNotAlways: ignore # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning # networking hostNetworkSet: warning hostPortSet: warning # security hostIPCSet: danger hostPIDSet: danger notReadOnlyRootFilesystem: warning privilegeEscalationAllowed: danger runAsRootAllowed: warning runAsPrivileged: danger dangerousCapabilities: danger insecureCapabilities: warning exemptions: - controllerNames: - kube-apiserver - kube-proxy - kube-scheduler - etcd-manager-events - kube-controller-manager - kube-dns - etcd-manager-main rules: - hostPortSet - hostNetworkSet - readinessProbeMissing - livenessProbeMissing - cpuRequestsMissing - cpuLimitsMissing - memoryRequestsMissing - memoryLimitsMissing - runAsRootAllowed - runAsPrivileged - notReadOnlyRootFilesystem - hostPIDSet - controllerNames: - kube-flannel-ds rules: - notReadOnlyRootFilesystem - runAsRootAllowed - notReadOnlyRootFilesystem - readinessProbeMissing - livenessProbeMissing - cpuLimitsMissing - controllerNames: - cert-manager rules: - notReadOnlyRootFilesystem - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing - controllerNames: - cluster-autoscaler rules: - notReadOnlyRootFilesystem - runAsRootAllowed - readinessProbeMissing - controllerNames: - vpa rules: - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing - notReadOnlyRootFilesystem - controllerNames: - datadog rules: - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing - notReadOnlyRootFilesystem - controllerNames: - nginx-ingress-controller rules: - privilegeEscalationAllowed - insecureCapabilities - runAsRootAllowed - controllerNames: - dns-controller - datadog-datadog - kube-flannel-ds - kube2iam - aws-iam-authenticator - datadog - kube2iam rules: - hostNetworkSet - controllerNames: - aws-iam-authenticator - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - dnsmasq - autoscaler - kubernetes-dashboard - install-cni - kube2iam rules: - readinessProbeMissing - livenessProbeMissing - controllerNames: - aws-iam-authenticator - nginx-ingress-default-backend - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - kubedns - dnsmasq - autoscaler - tiller - kube2iam rules: - runAsRootAllowed - controllerNames: - aws-iam-authenticator - nginx-ingress-controller - nginx-ingress-default-backend - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - kubedns - dnsmasq - autoscaler - tiller - kube2iam rules: - notReadOnlyRootFilesystem - controllerNames: - cert-manager - dns-controller - kubedns - dnsmasq - autoscaler - insights-agent-goldilocks-vpa-install - datadog rules: - cpuRequestsMissing - cpuLimitsMissing - memoryRequestsMissing - memoryLimitsMissing - controllerNames: - kube2iam - kube-flannel-ds rules: - runAsPrivileged - controllerNames: - kube-hunter rules: - hostPIDSet - controllerNames: - polaris - kube-hunter - goldilocks - insights-agent-goldilocks-vpa-install rules: - notReadOnlyRootFilesystem - controllerNames: - insights-agent-goldilocks-controller rules: - livenessProbeMissing - readinessProbeMissing - controllerNames: - insights-agent-goldilocks-vpa-install - kube-hunter rules: - runAsRootAllowed conftest: # imageRef the image reference imageRef: docker.io/openpolicyagent/conftest:v0.25.0 # resources resource requests and limits resources: requests: cpu: 50m memory: 50M limits: cpu: 300m memory: 300M aqua: # imageRef Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must # be compatible with version of Aqua server. imageRef: docker.io/aquasec/scanner:5.3 # serverURL the endpoint URL of Aqua management console serverURL: # username the Aqua management console username username: # password the Aqua management console password password: rbac: create: true serviceAccount: # Specifies whether a service account should be created. create: true annotations: {} # name specifies the name of the k8s Service Account. If not set and create is # true, a name is generated using the fullname template. name: "" podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 securityContext: privileged: false allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi nodeSelector: {} tolerations: [] affinity: {}