---
apiVersion: v1
kind: ConfigMap
metadata:
name: dkp-insights-1.0.1-d2iq-defaults
namespace: ${releaseNamespace}
data:
values.yaml: |
backend:
alertExpirationTime: 72h
alertmanager:
db_channel_buffer_size: "16"
apiPort: "8090"
engineConfig:
dkpIdentification:
appRoots:
Certificate-kapps:
groupKind:
group: cert-manager.io
kind: Certificate
nameRegexp: chartmuseum-tls|etcd-metrics-proxy-tls-cert|kommander-ca|kommander-karma-client-cert|kommander-kubecost-thanos-client-cert|kommander-thanos-client-cert
ClusterIssuer-kapps:
groupKind:
group: cert-manager.io
kind: ClusterIssuer
nameRegexp: kommander-ca|selfsigned-issuer
ClusterRole-kapps:
groupKind:
group: rbac.authorization.k8s.io
kind: ClusterRole
nameRegexp: check-dkp-ceph-crd|crd-controller-kommander-flux|dkp-centralized-kubecost-admin|dkp-centralized-kubecost-edit|dkp-centralized-kubecost-view|dkp-grafana-logging-admin|dkp-grafana-logging-edit|dkp-grafana-logging-view|dkp-jaeger-admin|dkp-jaeger-edit|dkp-jaeger-view|dkp-karma-admin|dkp-karma-edit|dkp-karma-view|dkp-kiali-admin|dkp-kiali-edit|dkp-kiali-view|dkp-kubecost-admin|dkp-kubecost-edit|dkp-kubecost-view|dkp-kubernetes-dashboard-admin|dkp-kubernetes-dashboard-edit|dkp-kubernetes-dashboard-view|dkp-thanos-query-admin|dkp-thanos-query-edit|dkp-thanos-query-view|dkp-traefik-admin|dkp-traefik-edit|dkp-traefik-view|etcd-metrics|etcd-metrics-proxy|flux-edit-kommander-flux|flux-view-kommander-flux|kubecost-configmap-edit
ClusterRoleBinding-kapps:
groupKind:
group: rbac.authorization.k8s.io
kind: ClusterRoleBinding
nameRegexp: check-dkp-ceph-crd|cluster-reconciler-kommander-flux|crd-controller-kommander-flux|etcd-metrics-proxy|etcd-metrics-rolebinding|kubecost-configmap-edit
ConfigMap-kapps:
groupKind:
group: ""
kind: ConfigMap
nameRegexp: .*?-d2iq-defaults|ai-navigator-app-config|alertmanager-app-dashboard-info|centralized-grafana-app-dashboard-info|dashboard-app-dashboard-info|grafana-app-dashboard-info|grafana-logging-app-dashboard-info|jaeger-app-dashboard-info|karma-app-dashboard-info|kiali-app-dashboard-info|kubecost-app-dashboard-info|prometheus-app-dashboard-info|rook-ceph-cluster-dashboard-info|traefik-app-dashboard-info|traefik-plugin-rewritebody
ConstraintTemplate-kapps:
groupKind:
group: templates.gatekeeper.sh
kind: ConstraintTemplate
nameRegexp: requiredserviceaccountname
CustomResourceDefinition-kapps:
groupKind:
group: apiextensions.k8s.io
kind: CustomResourceDefinition
nameRegexp: alerts.notification.toolkit.fluxcd.io|buckets.source.toolkit.fluxcd.io|gitrepositories.source.toolkit.fluxcd.io|helmcharts.source.toolkit.fluxcd.io|helmreleases.helm.toolkit.fluxcd.io|helmrepositories.source.toolkit.fluxcd.io|kustomizations.kustomize.toolkit.fluxcd.io|ocirepositories.source.toolkit.fluxcd.io|providers.notification.toolkit.fluxcd.io|receivers.notification.toolkit.fluxcd.io
DaemonSet-kapps:
groupKind:
group: apps
kind: DaemonSet
nameRegexp: etcd-metrics-proxy
Daemonsets-additional:
groupKind:
group: apps
kind: DaemonSet
nameRegexp: ebs-csi-node|calico-system|calico-node|csi-node-driver|capz-nmi|kube-prometheus-stack-prometheus-node-exporter|logging-operator-logging-fluentbit|kube-proxy|node-feature-discovery-worker|etcd-metrics-proxy|aws-cloud-controller-manager|istio-cni-node|dkp-insights-kubebench-.*?
Deployment-kapps:
groupKind:
group: apps
kind: Deployment
nameRegexp: ai-navigator-app|helm-controller|kustomize-controller|not-used-in-a-patch|notification-controller|source-controller|velero-backup-storage-location-updater
Deployments-additional:
groupKind:
group: apps
kind: Deployment
nameRegexp: calico-kube-controllers|calico-typha|capa-controller-manager|capg-controller-manager|capi-kubeadm-control-plane-controller-manager|capi-kubeadm-bootstrap-controller-manager|capv-controller-manager|capvcd-controller-manager|capz-controller-manager|cert-manager|cert-manager-cainjector|cert-manager-webhook|kommander-appmanagement|cluster-autoscaler|coredns|ebs-csi-controller|capi-kubeadm-control-plane-system|capi-system|capi-kubeadm-control-plane-system|capi-controller-manager|cappp-controller-manager|cappp-system|cluster-observer|ebs-csi-controller|tigera-operator|snapshot-controller|node-feature-discovery-master|velero-backup-storage-location-updater
Deployments-additional-istio:
groupKind:
group: apps
kind: Deployment
nameRegexp: istiod|istio-ingressgateway
FederatedTypeConfig-kapps:
groupKind:
group: core.kubefed.io
kind: FederatedTypeConfig
nameRegexp: clusterrolebindings.rbac.authorization.k8s.io|limitranges|networkpolicies.networking.k8s.io|resourcequotas|rolebindings.rbac.authorization.k8s.io|roles.rbac.authorization.k8s.io
Flow-kapps:
groupKind:
group: logging.banzaicloud.io
kind: Flow
nameRegexp: project-logging-flow
HelmRelease-additional:
groupKind:
group: helm.toolkit.fluxcd.io
kind: HelmRelease
nameRegexp: .*?-kubecost-.*?|.*?-prometheus-.*?|metallb|nvidia|cluster-observer-.*?|dkp-insights
HelmRelease-kapps:
groupKind:
group: helm.toolkit.fluxcd.io
kind: HelmRelease
nameRegexp: ai-navigator-cluster-info-agent|ai-navigator-cluster-info-api|centralized-grafana|centralized-kubecost|cert-manager|cert-manager-crds|chartmuseum|dex|dex-k8s-authenticator|dkp-insights|dkp-insights-management|external-dns|fluent-bit|gatekeeper|gatekeeper-proxy-mutations|gitea|grafana-logging|grafana-loki|istio|jaeger|karma|karma-traefik|kiali|knative|kommander|kommander-appmanagement|kommander-ui|kube-oidc-proxy|kube-prometheus-stack|kubecost|kubecost-thanos-traefik|kubefed|kubernetes-dashboard|kubetunnel|logging-operator|logging-operator-logging|nfs-server-provisioner|nvidia-gpu-operator|object-bucket-claims|project-grafana-logging|project-grafana-loki|project-loki-object-bucket-claims|prometheus-adapter|prometheus-thanos-traefik|reloader|rook-ceph|rook-ceph-cluster|thanos|traefik|traefik-forward-auth|traefik-forward-auth-mgmt|velero
Ingress-additional:
groupKind:
group: networking.k8s.io
kind: Ingress
nameRegexp: kubecost-grafana
Ingress-kapps:
groupKind:
group: networking.k8s.io
kind: Ingress
nameRegexp: traefik-dashboard|velero-ceph
Job-additional:
groupKind:
group: batch
kind: Job
nameRegexp: delete-jaeger-deployment|delete-node-exporter-daemonset|delete-prometheus-adapter-deployment|update-tenant-crd-metadata|delete-obc-jobs
Job-kapps:
groupKind:
group: batch
kind: Job
nameRegexp: copy-kubecost-grafana-datasource-cm|create-kommander-thanos-query-stores-configmap|create-kubecost-thanos-query-stores-configmap|dkp-ceph-prereq-job|grafana-loki-pre-install|velero-pre-install
Kustomization-additional:
groupKind:
group: kustomize.toolkit.fluxcd.io
kind: Kustomization
nameRegexp: fluent-bit-resource-quota|grafana-dashboards-core-components|grafana-dashboards-logging-operator|jaeger-pre-upgrade|kube-prometheus-stack-pre-upgrade|prometheus-adapter-pre-upgrade|rook-ceph-cluster-obc-pre-upgrade
Kustomization-kapps:
groupKind:
group: kustomize.toolkit.fluxcd.io
kind: Kustomization
nameRegexp: ai-navigator-cluster-info-agent-helmrelease|ai-navigator-cluster-info-api-helmrelease|centralized-kubecost-post-install-jobs|centralized-kubecost-release|cert-manager-namespace|cert-manager-priorityclass-resource-quota|cert-manager-release|cert-manager-root-ca|dkp-insights-helmrelease|dkp-insights-management-helmrelease|etcd-metrics-proxy|gatekeeper-constraint-templates|gatekeeper-constraints|gatekeeper-release|grafana-loki-helmrelease|grafana-loki-pre-install|istio-helmrelease|jaeger-helmrelease|kube-federation-system-namespace|kube-prometheus-stack-helmrelease|kubefed-federatedtypeconfigs|kubefed-release|nvidia-gpu-operator-helmrelease|object-bucket-claims-helmrelease|prometheus-adapter-helmrelease|rook-ceph-cluster-helmrelease|rook-ceph-cluster-prereq-jobs-v1.12.6|rook-ceph-helmrelease|thanos-jobs|velero-helmrelease|velero-post-install|velero-pre-install
Namespace-additional:
groupKind:
group: ""
kind: Namespace
nameRegexp: node-feature-discovery|calico-system|cap.*?-system|kube-node-lease|kube-public|kube-system|kubecost|metallb-system|tigera-operator
Namespace-kapps:
groupKind:
group: ""
kind: Namespace
nameRegexp: cert-manager|kommander-flux|kube-federation-system
NetworkPolicy-kapps:
groupKind:
group: networking.k8s.io
kind: NetworkPolicy
nameRegexp: allow-egress|allow-scraping|allow-source|allow-webhooks|not-used-in-a-patch
Output-kapps:
groupKind:
group: logging.banzaicloud.io
kind: Output
nameRegexp: project-logging-loki
PersistentVolumeClaim-kapps:
groupKind:
group: ""
kind: PersistentVolumeClaim
nameRegexp: chartmuseum
Pod-additional:
groupKind:
group: ""
kind: Pod
nameRegexp: kube-scheduler-ip-.*?|check-dkp-loki-.*?|check-dkp-velero-.*?
RequiredServiceAccountName-kapps:
groupKind:
group: constraints.gatekeeper.sh
kind: RequiredServiceAccountName
nameRegexp: helmrelease-must-have-sa|kustomization-must-have-sa
ResourceQuota-kapps:
groupKind:
group: ""
kind: ResourceQuota
nameRegexp: cert-manager-critical-pods|critical-pods-kommander-flux
Role-additional:
groupKind:
group: rbac.authorization.k8s.io
kind: Role
nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|obc-pre-upgrade|prometheus-adapter-pre-upgrade
Role-kapps:
groupKind:
group: rbac.authorization.k8s.io
kind: Role
nameRegexp: ai-navigator-app|d2iq-traefik-certmanager-init|grafana-loki-pre-install|kommander-thanos-configmap-edit|kubecost-thanos-configmap-edit|velero-post-install|velero-pre-install
RoleBinding-additional:
groupKind:
group: rbac.authorization.k8s.io
kind: RoleBinding
nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|obc-pre-upgrade|prometheus-adapter-pre-upgrade
RoleBinding-kapps:
groupKind:
group: rbac.authorization.k8s.io
kind: RoleBinding
nameRegexp: ai-navigator-app|d2iq-traefik-certmanager-init|grafana-loki-pre-install|kommander-thanos-configmap-edit|kubecost-thanos-configmap-edit|velero-post-install|velero-pre-install
Service-kapps:
groupKind:
group: ""
kind: Service
nameRegexp: ai-navigator-app|etcd-metrics-proxy|kommander-traefik-dashboard|kommander-traefik-prometheus|notification-controller|source-controller|webhook-receiver
ServiceAccount-additional:
groupKind:
group: ""
kind: ServiceAccount
nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|prometheus-adapter-pre-upgrade|kube-prometheus-stack-prometheus|check-dkp-ceph-crd|obc-pre-upgrade|grafana-loki-pre-install
ServiceAccount-kapps:
groupKind:
group: ""
kind: ServiceAccount
nameRegexp: ai-navigator-app|check-dkp-ceph-crd|etcd-metrics-proxy|grafana-loki-pre-install|helm-controller|kommander-thanos-configmap-edit|kubecost-configmap-edit|kubecost-thanos-configmap-edit|kustomize-controller|notification-controller|source-controller|velero-post-install|velero-pre-install
enabled: true
filteredNamespacesRegexp: cert-manager|calico-system|cap.*?-system|kommander-flux|kube-federation-system|kube-node-lease|kube-public|kube-system|kubecost|metallb-system|tigera-operator
insightClassNames: Nova|Pluto|PolarisAudit
mode: daytwo
replay:
apiServerService: dkp-insights-replay-troubleshoot-live
eventExpirationTime: 1h
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
log_level: INFO
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 250m
memory: 128Mi
s3:
bucketSize: 1G
enableObjectBucketClaim: true
endpoint: rook-ceph-rgw-dkp-object-store
port: 80
region: us-east-1
storageClassName: dkp-object-store
synchronous_view_details: false
thresholds:
storage:
disk:
critical: "0.95"
notice: "0.80"
warning: "0.90"
pvc:
critical: "0.95"
notice: "0.80"
warning: "0.90"
webhookPort: "8080"
cleanup:
alertsTTL: 168h
dbSizeLimit: 8Gi
eventsTTL: 168h
insightsTTL: 168h
logLevel: INFO
rejectedAlertsTTL: 168h
resolutionAggregatesTTL: 10000h
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
schedule: '@every 37m'
image:
imagePullPolicy: IfNotPresent
registry: docker.io
repository: mesosphere/insights
tag: v1.0.1
initdb:
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
kubeBench:
config:
image:
pullPolicy: IfNotPresent
repository: aquasec/kube-bench
tag: v0.6.10
nodeSubsets:
all-nodes:
defaultSetup: nodes-default
setupAutodetection:
aks: nodes-aks
eks: nodes-eks
gke: nodes-gke
tolerations:
- effect: NoSchedule
key: ""
operator: Exists
control-plane:
defaultSetup: control-plane-default
nodeSelector:
node-role.kubernetes.io/control-plane: ""
setupAutodetection: {}
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
pause:
image:
pullPolicy: IfNotPresent
repository: gcr.io/google_containers/pause
tag: "3.2"
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 10Mi
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
setups:
control-plane-default:
additionalArgs:
- --targets
- master
hostPID: true
hostPaths:
- /var/lib/etcd
- /var/lib/kubelet
- /var/lib/kube-scheduler
- /var/lib/kube-controller-manager
- /etc/systemd
- /lib/systemd
- /srv/kubernetes
- /etc/kubernetes
- /etc/cni/net.d/
- /opt/cni/bin/
- /etc/passwd
- /etc/group
skip: []
nodes-aks:
additionalArgs:
- --targets
- node
hostPID: true
hostPaths:
- /var/lib/kubelet
- /etc/systemd
- /etc/default
- /etc/kubernetes
skip: []
nodes-default:
additionalArgs:
- --targets
- node
hostPID: true
hostPaths:
- /var/lib/etcd
- /var/lib/kubelet
- /var/lib/kube-scheduler
- /var/lib/kube-controller-manager
- /etc/systemd
- /lib/systemd
- /srv/kubernetes
- /etc/kubernetes
- /etc/cni/net.d/
- /opt/cni/bin/
skip: []
nodes-eks:
additionalArgs:
- --targets
- node
hostPID: true
hostPaths:
- /var/lib/kubelet
- /etc/systemd
- /etc/kubernetes
skip: []
nodes-gke:
additionalArgs:
- --targets
- node,policies,managedservices
hostPID: true
hostPaths:
- /var/lib/kubelet
- /etc/systemd
- /etc/kubernetes
- /home/kubernetes
skip: []
upload:
logLevel: INFO
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
enabled: true
launcher:
baseEvaluationTimeout: 1m
daemonSetRemovalDelay: 0s
daemonSetWaitTimeout: 240m
logLevel: INFO
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
schedule: '@every 35m'
nova:
baseEvaluationTimeout: 1m
enabled: true
helmRepositoryURLs: []
image:
pullPolicy: IfNotPresent
repository: quay.io/fairwinds/nova
tag: 3.4.0
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
schedule: '@every 35m'
upload:
logLevel: INFO
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
pluto:
baseEvaluationTimeout: 1m
enabled: true
image:
pullPolicy: IfNotPresent
repository: quay.io/fairwinds/pluto
tag: v5.10.6
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
schedule: '@every 41m'
upload:
logLevel: INFO
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
polaris:
baseEvaluationTimeout: 5m
config:
checks:
cpuLimitsMissing: warning
cpuRequestsMissing: warning
dangerousCapabilities: danger
deploymentMissingReplicas: warning
hostIPCSet: danger
hostNetworkSet: danger
hostPIDSet: danger
hostPortSet: warning
insecureCapabilities: warning
livenessProbeMissing: warning
memoryLimitsMissing: warning
memoryRequestsMissing: warning
metadataAndNameMismatched: ignore
missingPodDisruptionBudget: ignore
notReadOnlyRootFilesystem: warning
pdbDisruptionsIsZero: warning
priorityClassNotSet: ignore
privilegeEscalationAllowed: danger
pullPolicyNotAlways: warning
readinessProbeMissing: warning
runAsPrivileged: danger
runAsRootAllowed: danger
tagNotSpecified: danger
tlsSettingsMissing: warning
enabled: true
image:
pullPolicy: IfNotPresent
repository: quay.io/fairwinds/polaris
tag: "5.1"
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
schedule: '@every 37m'
upload:
logLevel: INFO
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
postgresql:
global:
connectionPool:
connectionMaxLifetime: 1h
maxIdleConnections: 30
maxOpenConnections: 50
postgresql:
auth:
database: dkp-insights
postgresPassword: dkp-insights
servicePort: 5432
primary:
persistence:
size: 8Gi
priorityClassName: dkp-critical-priority
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
preUpgrade:
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: dkp-critical-priority
reforwarder:
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
resolutionCM:
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
selfAlerting:
postgres:
enabled: true
memoryWorkingSetToRequestsThreshold: 0.75
trivy:
baseEvaluationTimeout: 10m
enabled: false
envSecret:
enabled: false
name: dkp-insights-trivy-env
image:
imageFull: mesosphere/trivy-bundles:0.45.1-20231019T024033Z
pullPolicy: IfNotPresent
resources:
limits:
cpu: 200m
memory: 10Gi
requests:
cpu: 200m
memory: 10Gi
schedule: '@every 2h'
timeout: 90m
upload:
logLevel: INFO
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
uninstall:
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi