# Default values for the starboard-operator Helm chart, these are used to render
# the templates into valid k8s Resources.
# managedBy is similar to .Release.Service but allows to overwrite the value
managedBy: Helm
# targetNamespace defines where you want starboard-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
targetNamespaces: ""
# excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces values is a blank string.
excludeNamespaces: "kube-system,{{ .Release.Namespace }}"
nameOverride: ""
fullnameOverride: ""
operator:
# replicas the number of replicas of the operator's pod
replicas: 1
# leaderElectionId determines the name of the resource that leader election
# will use for holding the leader lock.
leaderElectionId: "starboard-lock"
# logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc)
logDevMode: false
# scanJobTimeout the length of time to wait before giving up on a scan job
scanJobTimeout: 5m
# scanJobsConcurrentLimit the maximum number of scan jobs create by the operator
scanJobsConcurrentLimit: 10
# scanJobsRetryDelay the duration to wait before retrying a failed scan job
scanJobsRetryDelay: 30s
# vulnerabilityScannerEnabled the flag to enable vulnerability scanner
vulnerabilityScannerEnabled: true
# vulnerabilityScannerReportTTL the flag to set how long a vulnerability report should exist. "" means that the vulnerabilityScannerReportTTL feature is disabled
vulnerabilityScannerReportTTL: ""
# configAuditScannerEnabled the flag to enable configuration audit scanner
configAuditScannerEnabled: false
# configAuditScannerBuiltIn the flag to enable built-in configuration audit scanner
configAuditScannerBuiltIn: true
# kubernetesBenchmarkEnabled the flag to enable CIS Kubernetes Benchmark scanner
kubernetesBenchmarkEnabled: true
# clusterComplianceEnabled the flag to enable CIS Kubernetes Benchmark scanner
clusterComplianceEnabled: true
# batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
batchDeleteLimit: 10
# vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
vulnerabilityScannerScanOnlyCurrentRevisions: false
# batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
batchDeleteDelay: 10s
image:
repository: "docker.io/aquasec/starboard-operator"
# tag is an override of the image tag, which is by default set by the
# appVersion field in Chart.yaml.
tag: ""
pullPolicy: IfNotPresent
pullSecrets: []
# service only expose a metrics endpoint for prometheus to scrape,
# starboard-operator does not have a user interface.
service:
type: ClusterIP
metricsPort: 80
annotations:
prometheus.io/scrape: "true"
prometheus.io/path: /metrics
starboard:
# vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`.
vulnerabilityReportsPlugin: "Trivy"
# configAuditReportsPlugin the name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`.
configAuditReportsPlugin: "Polaris"
# scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
scanJobTolerations: []
# If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
# square brackets after 'scanJobTolerations:'.
# - key: "key1"
# operator: "Equal"
# value: "value1"
# effect: "NoSchedule"
# scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be
# annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage`
scanJobAnnotations: ""
# scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
# labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
scanJobPodTemplateLabels: ""
trivy:
# createConfig indicates whether to create config objects
createConfig: true
# imageRef the Trivy image reference.
imageRef: docker.io/aquasec/trivy:0.24.2
# mode is the Trivy client mode. Either Standalone or ClientServer. Depending
# on the active mode other settings might be applicable or required.
mode: Standalone
# httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
#
# httpProxy:
# httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.
#
# httpsProxy:
# noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
#
# noProxy:
# Registries without SSL. There can be multiple registries with different keys.
nonSslRegistries: {}
# pocRegistry: poc.myregistry.harbor.com.pl
# qaRegistry: qa.registry.aquasec.com
# internalRegistry: registry.registry.svc:5000
# severity is a comma separated list of severity levels reported by Trivy.
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
# ignoreUnfixed is the flag to show only fixed vulnerabilities in
# vulnerabilities reported by Trivy. Set to "true" to enable it.
#
ignoreUnfixed: "false"
# timeout is the duration to wait for scan completion.
timeout: "5m0s"
# ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
#
# ignoreFile: |
# CVE-1970-0001
# CVE-1970-0002
# resources resource requests and limits
resources:
requests:
cpu: 100m
memory: 100M
limits:
cpu: 500m
memory: 500M
# githubToken is the GitHub access token used by Trivy to download the vulnerabilities
# database from GitHub. Only applicable in Standalone mode.
#
# githubToken: "*****"
# serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
#
# serverURL: "https://trivy.trivy:4975"
# serverInsecure is the flag to enable insecure connection to the Trivy server.
#
# serverInsecure: true
# serverToken is the token to authenticate Trivy client with Trivy server. Only
# applicable in ClientServer mode.
#
# serverToken: "*****"
# serverTokenHeader is the name of the HTTP header used to send the authentication
# token to Trivy server. Only application in ClientServer mode when
# trivy.serverToken is specified.
serverTokenHeader: "Trivy-Token"
# serverCustomHeaders is a comma separated list of custom HTTP headers sent by
# Trivy client to Trivy server. Only applicable in ClientServer mode.
#
# serverCustomHeaders: "foo=bar"
kubeBench:
imageRef: docker.io/aquasec/kube-bench:v0.6.6
polaris:
# createConfig indicates whether to create config objects
createConfig: true
# imageRef the image reference
imageRef: quay.io/fairwinds/polaris:4.2
# resources resource requests and limits
resources:
requests:
cpu: 50m
memory: 50M
limits:
cpu: 300m
memory: 300M
config:
checks:
# reliability
multipleReplicasForDeployment: ignore
priorityClassNotSet: ignore
# resources
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
# images
tagNotSpecified: danger
pullPolicyNotAlways: ignore
# healthChecks
readinessProbeMissing: warning
livenessProbeMissing: warning
# networking
hostNetworkSet: warning
hostPortSet: warning
# security
hostIPCSet: danger
hostPIDSet: danger
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
runAsRootAllowed: warning
runAsPrivileged: danger
dangerousCapabilities: danger
insecureCapabilities: warning
exemptions:
- controllerNames:
- kube-apiserver
- kube-proxy
- kube-scheduler
- etcd-manager-events
- kube-controller-manager
- kube-dns
- etcd-manager-main
rules:
- hostPortSet
- hostNetworkSet
- readinessProbeMissing
- livenessProbeMissing
- cpuRequestsMissing
- cpuLimitsMissing
- memoryRequestsMissing
- memoryLimitsMissing
- runAsRootAllowed
- runAsPrivileged
- notReadOnlyRootFilesystem
- hostPIDSet
- controllerNames:
- kube-flannel-ds
rules:
- notReadOnlyRootFilesystem
- runAsRootAllowed
- notReadOnlyRootFilesystem
- readinessProbeMissing
- livenessProbeMissing
- cpuLimitsMissing
- controllerNames:
- cert-manager
rules:
- notReadOnlyRootFilesystem
- runAsRootAllowed
- readinessProbeMissing
- livenessProbeMissing
- controllerNames:
- cluster-autoscaler
rules:
- notReadOnlyRootFilesystem
- runAsRootAllowed
- readinessProbeMissing
- controllerNames:
- vpa
rules:
- runAsRootAllowed
- readinessProbeMissing
- livenessProbeMissing
- notReadOnlyRootFilesystem
- controllerNames:
- datadog
rules:
- runAsRootAllowed
- readinessProbeMissing
- livenessProbeMissing
- notReadOnlyRootFilesystem
- controllerNames:
- nginx-ingress-controller
rules:
- privilegeEscalationAllowed
- insecureCapabilities
- runAsRootAllowed
- controllerNames:
- dns-controller
- datadog-datadog
- kube-flannel-ds
- kube2iam
- aws-iam-authenticator
- datadog
- kube2iam
rules:
- hostNetworkSet
- controllerNames:
- aws-iam-authenticator
- aws-cluster-autoscaler
- kube-state-metrics
- dns-controller
- external-dns
- dnsmasq
- autoscaler
- kubernetes-dashboard
- install-cni
- kube2iam
rules:
- readinessProbeMissing
- livenessProbeMissing
- controllerNames:
- aws-iam-authenticator
- nginx-ingress-default-backend
- aws-cluster-autoscaler
- kube-state-metrics
- dns-controller
- external-dns
- kubedns
- dnsmasq
- autoscaler
- tiller
- kube2iam
rules:
- runAsRootAllowed
- controllerNames:
- aws-iam-authenticator
- nginx-ingress-controller
- nginx-ingress-default-backend
- aws-cluster-autoscaler
- kube-state-metrics
- dns-controller
- external-dns
- kubedns
- dnsmasq
- autoscaler
- tiller
- kube2iam
rules:
- notReadOnlyRootFilesystem
- controllerNames:
- cert-manager
- dns-controller
- kubedns
- dnsmasq
- autoscaler
- insights-agent-goldilocks-vpa-install
- datadog
rules:
- cpuRequestsMissing
- cpuLimitsMissing
- memoryRequestsMissing
- memoryLimitsMissing
- controllerNames:
- kube2iam
- kube-flannel-ds
rules:
- runAsPrivileged
- controllerNames:
- kube-hunter
rules:
- hostPIDSet
- controllerNames:
- polaris
- kube-hunter
- goldilocks
- insights-agent-goldilocks-vpa-install
rules:
- notReadOnlyRootFilesystem
- controllerNames:
- insights-agent-goldilocks-controller
rules:
- livenessProbeMissing
- readinessProbeMissing
- controllerNames:
- insights-agent-goldilocks-vpa-install
- kube-hunter
rules:
- runAsRootAllowed
conftest:
# createConfig indicates whether to create config objects
createConfig: true
# imageRef the image reference
imageRef: docker.io/openpolicyagent/conftest:v0.30.0
# resources resource requests and limits
resources:
requests:
cpu: 50m
memory: 50M
limits:
cpu: 300m
memory: 300M
library: {}
# kubernetes.rego: |
# << REGO >>
# utils.rego: |
# << REGO >>
policy: {}
# access_to_host_pid:
# rego: |
# << REGO >>
# kinds: Workload
# configmap_with_sensitive_data:
# rego: |
# << REGO >>
# kinds: ConfigMap
aqua:
# imageRef Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must
# be compatible with version of Aqua server.
imageRef: docker.io/aquasec/scanner:5.3
# serverURL the endpoint URL of Aqua management console
serverURL:
# username the Aqua management console username
username:
# password the Aqua management console password
password:
rbac:
create: true
serviceAccount:
# Specifies whether a service account should be created.
create: true
annotations: {}
# name specifies the name of the k8s Service Account. If not set and create is
# true, a name is generated using the fullname template.
name: ""
# podAnnotations annotations added to the operator's pod
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}