--- apiVersion: v1 kind: ConfigMap metadata: name: dkp-insights-1.0.1-d2iq-defaults namespace: ${releaseNamespace} data: values.yaml: | backend: alertExpirationTime: 72h alertmanager: db_channel_buffer_size: "16" apiPort: "8090" engineConfig: dkpIdentification: appRoots: Certificate-kapps: groupKind: group: cert-manager.io kind: Certificate nameRegexp: chartmuseum-tls|etcd-metrics-proxy-tls-cert|kommander-ca|kommander-karma-client-cert|kommander-kubecost-thanos-client-cert|kommander-thanos-client-cert ClusterIssuer-kapps: groupKind: group: cert-manager.io kind: ClusterIssuer nameRegexp: kommander-ca|selfsigned-issuer ClusterRole-kapps: groupKind: group: rbac.authorization.k8s.io kind: ClusterRole nameRegexp: check-dkp-ceph-crd|crd-controller-kommander-flux|dkp-centralized-kubecost-admin|dkp-centralized-kubecost-edit|dkp-centralized-kubecost-view|dkp-grafana-logging-admin|dkp-grafana-logging-edit|dkp-grafana-logging-view|dkp-jaeger-admin|dkp-jaeger-edit|dkp-jaeger-view|dkp-karma-admin|dkp-karma-edit|dkp-karma-view|dkp-kiali-admin|dkp-kiali-edit|dkp-kiali-view|dkp-kubecost-admin|dkp-kubecost-edit|dkp-kubecost-view|dkp-kubernetes-dashboard-admin|dkp-kubernetes-dashboard-edit|dkp-kubernetes-dashboard-view|dkp-thanos-query-admin|dkp-thanos-query-edit|dkp-thanos-query-view|dkp-traefik-admin|dkp-traefik-edit|dkp-traefik-view|etcd-metrics|etcd-metrics-proxy|flux-edit-kommander-flux|flux-view-kommander-flux|kubecost-configmap-edit ClusterRoleBinding-kapps: groupKind: group: rbac.authorization.k8s.io kind: ClusterRoleBinding nameRegexp: check-dkp-ceph-crd|cluster-reconciler-kommander-flux|crd-controller-kommander-flux|etcd-metrics-proxy|etcd-metrics-rolebinding|kubecost-configmap-edit ConfigMap-kapps: groupKind: group: "" kind: ConfigMap nameRegexp: .*?-d2iq-defaults|ai-navigator-app-config|alertmanager-app-dashboard-info|centralized-grafana-app-dashboard-info|dashboard-app-dashboard-info|grafana-app-dashboard-info|grafana-logging-app-dashboard-info|jaeger-app-dashboard-info|karma-app-dashboard-info|kiali-app-dashboard-info|kubecost-app-dashboard-info|prometheus-app-dashboard-info|rook-ceph-cluster-dashboard-info|traefik-app-dashboard-info|traefik-plugin-rewritebody ConstraintTemplate-kapps: groupKind: group: templates.gatekeeper.sh kind: ConstraintTemplate nameRegexp: requiredserviceaccountname CustomResourceDefinition-kapps: groupKind: group: apiextensions.k8s.io kind: CustomResourceDefinition nameRegexp: alerts.notification.toolkit.fluxcd.io|buckets.source.toolkit.fluxcd.io|gitrepositories.source.toolkit.fluxcd.io|helmcharts.source.toolkit.fluxcd.io|helmreleases.helm.toolkit.fluxcd.io|helmrepositories.source.toolkit.fluxcd.io|kustomizations.kustomize.toolkit.fluxcd.io|ocirepositories.source.toolkit.fluxcd.io|providers.notification.toolkit.fluxcd.io|receivers.notification.toolkit.fluxcd.io DaemonSet-kapps: groupKind: group: apps kind: DaemonSet nameRegexp: etcd-metrics-proxy Daemonsets-additional: groupKind: group: apps kind: DaemonSet nameRegexp: ebs-csi-node|calico-system|calico-node|csi-node-driver|capz-nmi|kube-prometheus-stack-prometheus-node-exporter|logging-operator-logging-fluentbit|kube-proxy|node-feature-discovery-worker|etcd-metrics-proxy|aws-cloud-controller-manager|istio-cni-node|dkp-insights-kubebench-.*? Deployment-kapps: groupKind: group: apps kind: Deployment nameRegexp: ai-navigator-app|helm-controller|kustomize-controller|not-used-in-a-patch|notification-controller|source-controller|velero-backup-storage-location-updater Deployments-additional: groupKind: group: apps kind: Deployment nameRegexp: calico-kube-controllers|calico-typha|capa-controller-manager|capg-controller-manager|capi-kubeadm-control-plane-controller-manager|capi-kubeadm-bootstrap-controller-manager|capv-controller-manager|capvcd-controller-manager|capz-controller-manager|cert-manager|cert-manager-cainjector|cert-manager-webhook|kommander-appmanagement|cluster-autoscaler|coredns|ebs-csi-controller|capi-kubeadm-control-plane-system|capi-system|capi-kubeadm-control-plane-system|capi-controller-manager|cappp-controller-manager|cappp-system|cluster-observer|ebs-csi-controller|tigera-operator|snapshot-controller|node-feature-discovery-master|velero-backup-storage-location-updater Deployments-additional-istio: groupKind: group: apps kind: Deployment nameRegexp: istiod|istio-ingressgateway FederatedTypeConfig-kapps: groupKind: group: core.kubefed.io kind: FederatedTypeConfig nameRegexp: clusterrolebindings.rbac.authorization.k8s.io|limitranges|networkpolicies.networking.k8s.io|resourcequotas|rolebindings.rbac.authorization.k8s.io|roles.rbac.authorization.k8s.io Flow-kapps: groupKind: group: logging.banzaicloud.io kind: Flow nameRegexp: project-logging-flow HelmRelease-additional: groupKind: group: helm.toolkit.fluxcd.io kind: HelmRelease nameRegexp: .*?-kubecost-.*?|.*?-prometheus-.*?|metallb|nvidia|cluster-observer-.*?|dkp-insights HelmRelease-kapps: groupKind: group: helm.toolkit.fluxcd.io kind: HelmRelease nameRegexp: ai-navigator-cluster-info-agent|ai-navigator-cluster-info-api|centralized-grafana|centralized-kubecost|cert-manager|cert-manager-crds|chartmuseum|dex|dex-k8s-authenticator|dkp-insights|dkp-insights-management|external-dns|fluent-bit|gatekeeper|gatekeeper-proxy-mutations|gitea|grafana-logging|grafana-loki|istio|jaeger|karma|karma-traefik|kiali|knative|kommander|kommander-appmanagement|kommander-ui|kube-oidc-proxy|kube-prometheus-stack|kubecost|kubecost-thanos-traefik|kubefed|kubernetes-dashboard|kubetunnel|logging-operator|logging-operator-logging|nfs-server-provisioner|nvidia-gpu-operator|object-bucket-claims|project-grafana-logging|project-grafana-loki|project-loki-object-bucket-claims|prometheus-adapter|prometheus-thanos-traefik|reloader|rook-ceph|rook-ceph-cluster|thanos|traefik|traefik-forward-auth|traefik-forward-auth-mgmt|velero Ingress-additional: groupKind: group: networking.k8s.io kind: Ingress nameRegexp: kubecost-grafana Ingress-kapps: groupKind: group: networking.k8s.io kind: Ingress nameRegexp: traefik-dashboard|velero-ceph Job-additional: groupKind: group: batch kind: Job nameRegexp: delete-jaeger-deployment|delete-node-exporter-daemonset|delete-prometheus-adapter-deployment|update-tenant-crd-metadata|delete-obc-jobs Job-kapps: groupKind: group: batch kind: Job nameRegexp: copy-kubecost-grafana-datasource-cm|create-kommander-thanos-query-stores-configmap|create-kubecost-thanos-query-stores-configmap|dkp-ceph-prereq-job|grafana-loki-pre-install|velero-pre-install Kustomization-additional: groupKind: group: kustomize.toolkit.fluxcd.io kind: Kustomization nameRegexp: fluent-bit-resource-quota|grafana-dashboards-core-components|grafana-dashboards-logging-operator|jaeger-pre-upgrade|kube-prometheus-stack-pre-upgrade|prometheus-adapter-pre-upgrade|rook-ceph-cluster-obc-pre-upgrade Kustomization-kapps: groupKind: group: kustomize.toolkit.fluxcd.io kind: Kustomization nameRegexp: ai-navigator-cluster-info-agent-helmrelease|ai-navigator-cluster-info-api-helmrelease|centralized-kubecost-post-install-jobs|centralized-kubecost-release|cert-manager-namespace|cert-manager-priorityclass-resource-quota|cert-manager-release|cert-manager-root-ca|dkp-insights-helmrelease|dkp-insights-management-helmrelease|etcd-metrics-proxy|gatekeeper-constraint-templates|gatekeeper-constraints|gatekeeper-release|grafana-loki-helmrelease|grafana-loki-pre-install|istio-helmrelease|jaeger-helmrelease|kube-federation-system-namespace|kube-prometheus-stack-helmrelease|kubefed-federatedtypeconfigs|kubefed-release|nvidia-gpu-operator-helmrelease|object-bucket-claims-helmrelease|prometheus-adapter-helmrelease|rook-ceph-cluster-helmrelease|rook-ceph-cluster-prereq-jobs-v1.12.6|rook-ceph-helmrelease|thanos-jobs|velero-helmrelease|velero-post-install|velero-pre-install Namespace-additional: groupKind: group: "" kind: Namespace nameRegexp: node-feature-discovery|calico-system|cap.*?-system|kube-node-lease|kube-public|kube-system|kubecost|metallb-system|tigera-operator Namespace-kapps: groupKind: group: "" kind: Namespace nameRegexp: cert-manager|kommander-flux|kube-federation-system NetworkPolicy-kapps: groupKind: group: networking.k8s.io kind: NetworkPolicy nameRegexp: allow-egress|allow-scraping|allow-source|allow-webhooks|not-used-in-a-patch Output-kapps: groupKind: group: logging.banzaicloud.io kind: Output nameRegexp: project-logging-loki PersistentVolumeClaim-kapps: groupKind: group: "" kind: PersistentVolumeClaim nameRegexp: chartmuseum Pod-additional: groupKind: group: "" kind: Pod nameRegexp: kube-scheduler-ip-.*?|check-dkp-loki-.*?|check-dkp-velero-.*? RequiredServiceAccountName-kapps: groupKind: group: constraints.gatekeeper.sh kind: RequiredServiceAccountName nameRegexp: helmrelease-must-have-sa|kustomization-must-have-sa ResourceQuota-kapps: groupKind: group: "" kind: ResourceQuota nameRegexp: cert-manager-critical-pods|critical-pods-kommander-flux Role-additional: groupKind: group: rbac.authorization.k8s.io kind: Role nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|obc-pre-upgrade|prometheus-adapter-pre-upgrade Role-kapps: groupKind: group: rbac.authorization.k8s.io kind: Role nameRegexp: ai-navigator-app|d2iq-traefik-certmanager-init|grafana-loki-pre-install|kommander-thanos-configmap-edit|kubecost-thanos-configmap-edit|velero-post-install|velero-pre-install RoleBinding-additional: groupKind: group: rbac.authorization.k8s.io kind: RoleBinding nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|obc-pre-upgrade|prometheus-adapter-pre-upgrade RoleBinding-kapps: groupKind: group: rbac.authorization.k8s.io kind: RoleBinding nameRegexp: ai-navigator-app|d2iq-traefik-certmanager-init|grafana-loki-pre-install|kommander-thanos-configmap-edit|kubecost-thanos-configmap-edit|velero-post-install|velero-pre-install Service-kapps: groupKind: group: "" kind: Service nameRegexp: ai-navigator-app|etcd-metrics-proxy|kommander-traefik-dashboard|kommander-traefik-prometheus|notification-controller|source-controller|webhook-receiver ServiceAccount-additional: groupKind: group: "" kind: ServiceAccount nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|prometheus-adapter-pre-upgrade|kube-prometheus-stack-prometheus|check-dkp-ceph-crd|obc-pre-upgrade|grafana-loki-pre-install ServiceAccount-kapps: groupKind: group: "" kind: ServiceAccount nameRegexp: ai-navigator-app|check-dkp-ceph-crd|etcd-metrics-proxy|grafana-loki-pre-install|helm-controller|kommander-thanos-configmap-edit|kubecost-configmap-edit|kubecost-thanos-configmap-edit|kustomize-controller|notification-controller|source-controller|velero-post-install|velero-pre-install enabled: true filteredNamespacesRegexp: cert-manager|calico-system|cap.*?-system|kommander-flux|kube-federation-system|kube-node-lease|kube-public|kube-system|kubecost|metallb-system|tigera-operator insightClassNames: Nova|Pluto|PolarisAudit mode: daytwo replay: apiServerService: dkp-insights-replay-troubleshoot-live eventExpirationTime: 1h livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 log_level: INFO readinessProbe: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: 1000m memory: 512Mi requests: cpu: 250m memory: 128Mi s3: bucketSize: 1G enableObjectBucketClaim: true endpoint: rook-ceph-rgw-dkp-object-store port: 80 region: us-east-1 storageClassName: dkp-object-store synchronous_view_details: false thresholds: storage: disk: critical: "0.95" notice: "0.80" warning: "0.90" pvc: critical: "0.95" notice: "0.80" warning: "0.90" webhookPort: "8080" cleanup: alertsTTL: 168h dbSizeLimit: 8Gi eventsTTL: 168h insightsTTL: 168h logLevel: INFO rejectedAlertsTTL: 168h resolutionAggregatesTTL: 10000h resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi schedule: '@every 37m' image: imagePullPolicy: IfNotPresent registry: docker.io repository: mesosphere/insights tag: v1.0.1 initdb: resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi kubeBench: config: image: pullPolicy: IfNotPresent repository: aquasec/kube-bench tag: v0.6.10 nodeSubsets: all-nodes: defaultSetup: nodes-default setupAutodetection: aks: nodes-aks eks: nodes-eks gke: nodes-gke tolerations: - effect: NoSchedule key: "" operator: Exists control-plane: defaultSetup: control-plane-default nodeSelector: node-role.kubernetes.io/control-plane: "" setupAutodetection: {} tolerations: - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists pause: image: pullPolicy: IfNotPresent repository: gcr.io/google_containers/pause tag: "3.2" resources: limits: cpu: 100m memory: 128Mi requests: cpu: 10m memory: 10Mi resources: limits: cpu: 100m memory: 512Mi requests: cpu: 100m memory: 512Mi setups: control-plane-default: additionalArgs: - --targets - master hostPID: true hostPaths: - /var/lib/etcd - /var/lib/kubelet - /var/lib/kube-scheduler - /var/lib/kube-controller-manager - /etc/systemd - /lib/systemd - /srv/kubernetes - /etc/kubernetes - /etc/cni/net.d/ - /opt/cni/bin/ - /etc/passwd - /etc/group skip: [] nodes-aks: additionalArgs: - --targets - node hostPID: true hostPaths: - /var/lib/kubelet - /etc/systemd - /etc/default - /etc/kubernetes skip: [] nodes-default: additionalArgs: - --targets - node hostPID: true hostPaths: - /var/lib/etcd - /var/lib/kubelet - /var/lib/kube-scheduler - /var/lib/kube-controller-manager - /etc/systemd - /lib/systemd - /srv/kubernetes - /etc/kubernetes - /etc/cni/net.d/ - /opt/cni/bin/ skip: [] nodes-eks: additionalArgs: - --targets - node hostPID: true hostPaths: - /var/lib/kubelet - /etc/systemd - /etc/kubernetes skip: [] nodes-gke: additionalArgs: - --targets - node,policies,managedservices hostPID: true hostPaths: - /var/lib/kubelet - /etc/systemd - /etc/kubernetes - /home/kubernetes skip: [] upload: logLevel: INFO resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 64Mi enabled: true launcher: baseEvaluationTimeout: 1m daemonSetRemovalDelay: 0s daemonSetWaitTimeout: 240m logLevel: INFO resources: limits: cpu: 100m memory: 512Mi requests: cpu: 100m memory: 512Mi schedule: '@every 35m' nova: baseEvaluationTimeout: 1m enabled: true helmRepositoryURLs: [] image: pullPolicy: IfNotPresent repository: quay.io/fairwinds/nova tag: 3.4.0 resources: limits: cpu: 100m memory: 512Mi requests: cpu: 100m memory: 512Mi schedule: '@every 35m' upload: logLevel: INFO resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi pluto: baseEvaluationTimeout: 1m enabled: true image: pullPolicy: IfNotPresent repository: quay.io/fairwinds/pluto tag: v5.10.6 resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi schedule: '@every 41m' upload: logLevel: INFO resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi polaris: baseEvaluationTimeout: 5m config: checks: cpuLimitsMissing: warning cpuRequestsMissing: warning dangerousCapabilities: danger deploymentMissingReplicas: warning hostIPCSet: danger hostNetworkSet: danger hostPIDSet: danger hostPortSet: warning insecureCapabilities: warning livenessProbeMissing: warning memoryLimitsMissing: warning memoryRequestsMissing: warning metadataAndNameMismatched: ignore missingPodDisruptionBudget: ignore notReadOnlyRootFilesystem: warning pdbDisruptionsIsZero: warning priorityClassNotSet: ignore privilegeEscalationAllowed: danger pullPolicyNotAlways: warning readinessProbeMissing: warning runAsPrivileged: danger runAsRootAllowed: danger tagNotSpecified: danger tlsSettingsMissing: warning enabled: true image: pullPolicy: IfNotPresent repository: quay.io/fairwinds/polaris tag: "5.1" resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi schedule: '@every 37m' upload: logLevel: INFO resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi postgresql: global: connectionPool: connectionMaxLifetime: 1h maxIdleConnections: 30 maxOpenConnections: 50 postgresql: auth: database: dkp-insights postgresPassword: dkp-insights servicePort: 5432 primary: persistence: size: 8Gi priorityClassName: dkp-critical-priority resources: limits: cpu: 250m memory: 1Gi requests: cpu: 250m memory: 1Gi preUpgrade: resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi priorityClassName: dkp-critical-priority reforwarder: resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi resolutionCM: resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi selfAlerting: postgres: enabled: true memoryWorkingSetToRequestsThreshold: 0.75 trivy: baseEvaluationTimeout: 10m enabled: false envSecret: enabled: false name: dkp-insights-trivy-env image: imageFull: mesosphere/trivy-bundles:0.45.1-20231019T024033Z pullPolicy: IfNotPresent resources: limits: cpu: 200m memory: 10Gi requests: cpu: 200m memory: 10Gi schedule: '@every 2h' timeout: 90m upload: logLevel: INFO resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi uninstall: resources: limits: cpu: 250m memory: 128Mi requests: cpu: 100m memory: 64Mi