# Default values for the trivy-operator Helm chart, these are used to render
# the templates into valid k8s Resources.
# managedBy is similar to .Release.Service but allows you to overwrite the value.
managedBy: Helm
# targetNamespaces defines where you want trivy-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
# NOTE(review): the all-namespaces mode implies cluster-wide read access for
# the operator; narrowing this list is the simplest way to limit its scope
# (the RBAC the chart actually grants lives in templates not shown here).
targetNamespaces: ""
# excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces value is a blank string.
# NOTE(review): the default leaves kube-system unscanned, so control-plane
# add-ons running there get no vulnerability or config-audit reports. Keep
# that a deliberate choice; set it to "" if you want them covered as well.
excludeNamespaces: "kube-system"
# targetWorkloads is a comma separated list of Kubernetes workload resources
# to be included in the vulnerability and config-audit scans.
# If left blank, all workload resources will be scanned.
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
# nameOverride / fullnameOverride replace the chart-derived resource name
# (the usual Helm convention; the helper templates are not visible here).
nameOverride: ""
fullnameOverride: ""
operator:
  # namespace to install the operator, defaults to the .Release.Namespace
  namespace: ""
  # replicas the number of replicas of the operator's pod
  replicas: 1
  # additional labels for the operator pod
  podLabels: {}
  # leaderElectionId determines the name of the resource that leader election
  # will use for holding the leader lock.
  leaderElectionId: "trivyoperator-lock"
  # logDevMode the flag to enable development mode (more human-readable output,
  # extra stack traces and logging information, etc).
  # NOTE(review): keep this false outside development -- the extra stack
  # traces and verbose logging are noisy and may expose internal details in a
  # shared logging pipeline.
  logDevMode: false
  # scanJobTimeout the length of time to wait before giving up on a scan job
  scanJobTimeout: 5m
  # scanJobsConcurrentLimit the maximum number of scan jobs created by the
  # operator at the same time; this bounds the load scanning puts on the cluster.
  scanJobsConcurrentLimit: 10
  # scanJobsRetryDelay the duration to wait before retrying a failed scan job
  scanJobsRetryDelay: 30s
  # vulnerabilityScannerEnabled the flag to enable vulnerability scanner
  vulnerabilityScannerEnabled: true
  # vulnerabilityScannerReportTTL the flag to set how long a vulnerability
  # report should exist. "" means that the vulnerabilityScannerReportTTL
  # feature is disabled.
  vulnerabilityScannerReportTTL: "24h"
  # configAuditScannerEnabled the flag to enable configuration audit scanner
  configAuditScannerEnabled: true
  # rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
  rbacAssessmentScannerEnabled: true
  # clusterComplianceEnabled the flag to enable cluster compliance report generation
  clusterComplianceEnabled: false
  # batchDeleteLimit the maximum number of config audit reports deleted by the
  # operator when the plugin's config has changed.
  batchDeleteLimit: 10
  # vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create
  # vulnerability scans on the current revision of a deployment.
  vulnerabilityScannerScanOnlyCurrentRevisions: true
  # configAuditScannerScanOnlyCurrentRevisions the flag to only create config
  # audit scans on the current revision of a deployment.
  configAuditScannerScanOnlyCurrentRevisions: true
  # batchDeleteDelay the duration to wait before deleting another batch of
  # config audit reports.
  batchDeleteDelay: 10s
  # accessGlobalSecretsAndServiceAccount The flag to enable access to global
  # secrets/service accounts to allow `vulnerability scan job` to pull images
  # from private registries.
  # NOTE(review): per this description the flag grants scan jobs access to
  # secrets/service accounts beyond the ones attached to the scanned workload,
  # so a compromised scan job can read more. Prefer false when registry
  # credentials are provided per namespace (workload imagePullSecrets or
  # privateRegistryScanSecretsNames below); the exact RBAC behind this flag is
  # defined in templates not shown here.
  accessGlobalSecretsAndServiceAccount: true
  # metricsFindingsEnabled the flag to enable metrics for findings
  metricsFindingsEnabled: true
  # metricsVulnIdEnabled the flag to enable metrics about cve vulns id.
  # Be aware that metrics cardinality is significantly increased with this
  # feature enabled.
  metricsVulnIdEnabled: false
  # exposedSecretScannerEnabled the flag to enable exposed secret scanner.
  # NOTE(review): the resulting reports point at where secrets were found in
  # images; their exact contents are not visible from this file, but treat
  # read access to those report resources as sensitive (RBAC accordingly).
  exposedSecretScannerEnabled: true
  # webhookBroadcastURL the flag to set the webhook endpoint reports should be
  # sent to. "" means that the webhookBroadcastURL feature is disabled.
  # NOTE(review): reports (vulnerability and exposed-secret findings) leave the
  # cluster over this URL. Use an https:// endpoint; no authentication option
  # for the webhook is visible in this file, so restrict who can reach it.
  webhookBroadcastURL: ""
  # webhookBroadcastTimeout the flag to set timeout for webhook requests if
  # webhookBroadcastURL is enabled
  webhookBroadcastTimeout: 30s
  # privateRegistryScanSecretsNames is a map of namespace:secrets which can be
  # used to authenticate in private registries in case there are no
  # imagePullSecrets provided. These are names of existing Secrets, not the
  # credentials themselves.
  privateRegistryScanSecretsNames: {}
image:
  repository: "ghcr.io/aquasecurity/trivy-operator"
  # tag is an override of the image tag, which is by default set by the
  # appVersion field in Chart.yaml.
  # NOTE(review): for reproducible, auditable deployments pin an explicit
  # version here (or an immutable digest, if the chart's templates support
  # one -- not verifiable from this file) rather than a floating tag.
  tag: ""
  # pullPolicy IfNotPresent reuses a cached image with the same tag; fine for
  # immutable tags, but it will not pick up a re-pushed mutable tag.
  pullPolicy: IfNotPresent
  # pullSecrets pull secrets for the operator image itself (presumably names
  # of existing Secrets, as is usual for Helm charts). Scan-job registry
  # authentication is configured under operator.* and trivy.* instead.
  pullSecrets: []
# service only exposes a metrics endpoint for prometheus to scrape,
# trivy-operator does not have a user interface.
# NOTE(review): no TLS or authentication option for the metrics endpoint is
# visible here. Findings metrics describe your exposure, so keep this port
# cluster-internal (e.g. a NetworkPolicy allowing only Prometheus).
service:
  metricsPort: 80
# Prometheus ServiceMonitor configuration (requires the Prometheus Operator
# CRDs to be installed when enabled).
serviceMonitor:
  # enabled determines whether a serviceMonitor should be deployed
  enabled: false
  # The namespace where Prometheus expects to find service monitors
  # namespace: ""
  # interval scrape interval; "" leaves it to the Prometheus default
  interval: ""
  # Additional labels for the serviceMonitor (e.g. the release label your
  # Prometheus instance selects on)
  labels: {}
  # honorLabels: true
trivyOperator:
  # vulnerabilityReportsPlugin the name of the plugin that generates
  # vulnerability reports: `Trivy`
  vulnerabilityReportsPlugin: "Trivy"
  # configAuditReportsPlugin the name of the plugin that generates config
  # audit reports.
  configAuditReportsPlugin: "Trivy"
  # scanJobTolerations tolerations to be applied to the scanner pods so that
  # they can run on nodes with matching taints
  scanJobTolerations: []
  # If you do want to specify tolerations, uncomment the following lines,
  # adjust them as necessary, and remove the square brackets after
  # 'scanJobTolerations:'.
  #   - key: "key1"
  #     operator: "Equal"
  #     value: "value1"
  #     effect: "NoSchedule"
  # scanJobNodeSelector nodeSelector to be applied to the scanner pods so that
  # they can run on nodes with matching labels
  scanJobNodeSelector: {}
  # If you do want to specify nodeSelector, uncomment the following lines,
  # adjust them as necessary, and remove the curly braces after
  # 'scanJobNodeSelector:'.
  #   nodeType: worker
  #   cpu: sandylake
  #   teamOwner: operators
  # scanJobAnnotations comma-separated representation of the annotations which
  # the user wants the scanner pods to be annotated with.
  # Example: `foo=bar,env=stage` will annotate the scanner pods with the
  # annotations `foo: bar` and `env: stage`
  scanJobAnnotations: ""
  # scanJobPodTemplateLabels comma-separated representation of the labels which
  # the user wants the scanner pods to be labeled with.
  # Example: `foo=bar,env=stage` will label the scanner pods with the labels
  # `foo: bar` and `env: stage`
  scanJobPodTemplateLabels: ""
  # scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the
  # scanner pods to be amended with. Example (Kubernetes field names are
  # lowerCamelCase, matching `runAsUser` below):
  #   runAsUser: 10000
  #   runAsGroup: 10000
  #   runAsNonRoot: true
  scanJobPodTemplatePodSecurityContext: {}
  # scanJobPodTemplateContainerSecurityContext SecurityContext the user wants
  # the scanner containers (and their initContainers) to be amended with.
  # NOTE(review): these are hardened defaults (no privilege escalation, all
  # capabilities dropped, not privileged, read-only root filesystem). Relaxing
  # any of them -- in particular `runAsUser: 0` -- increases what a compromised
  # scan job could do on the node, so only do it for a documented reason.
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    # For filesystem scanning (trivy.command: filesystem), Trivy needs to run
    # as the root user
    # runAsUser: 0
trivy:
  # createConfig indicates whether to create config objects
  createConfig: true
  # repository of the Trivy image
  repository: ghcr.io/aquasecurity/trivy
  # tag version of the Trivy image.
  # NOTE(review): this pins the scanner itself; bump it deliberately as part
  # of your update process -- an outdated scanner misses newer detections and
  # is software with its own fixes.
  tag: 0.31.3
  # mode is the Trivy client mode. Either Standalone or ClientServer. Depending
  # on the active mode other settings might be applicable or required.
  mode: Standalone
  # additionalVulnerabilityReportFields is a comma separated list of additional
  # fields which can be added to the VulnerabilityReport. Supported parameters:
  # Description, Links, CVSS and Target
  additionalVulnerabilityReportFields: ""
  # httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities
  # database from GitHub.
  #
  # httpProxy:
  # httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities
  # database from GitHub.
  #
  # httpsProxy:
  # noProxy is a comma separated list of IPs and domain names that are not
  # subject to proxy settings.
  #
  # noProxy:
  # nonSslRegistries: registries reached without SSL/TLS (plain HTTP). There
  # can be multiple registries with different keys.
  # NOTE(review): credentials and image content travel in cleartext to these
  # registries; limit this to registries only reachable on the cluster network.
  nonSslRegistries: {}
  #   pocRegistry: poc.myregistry.harbor.com.pl
  #   qaRegistry: qa.registry.aquasec.com
  #   internalRegistry: registry.registry.svc:5000
  # insecureRegistries: registries to which insecure connections are allowed
  # (presumably TLS without certificate verification, as in Trivy's own
  # --insecure option). There can be multiple registries with different keys.
  # NOTE(review): an unverified connection can be spoofed; prefer trusting the
  # registry's CA instead (how CA bundles reach the scan jobs is not visible
  # from this file).
  insecureRegistries: {}
  #   pocRegistry: poc.myregistry.harbor.com.pl
  #   qaRegistry: qa.registry.aquasec.com
  #   internalRegistry: registry.registry.svc:5000
  # Mirrored registries. There can be multiple registries with different keys.
  # Make sure to quote registries containing dots.
  # NOTE(review): a mirror is a trust decision -- images are pulled from it in
  # place of the original registry.
  registry:
    mirror: {}
    #   "docker.io": docker-mirror.example.com
  # severity is a comma separated list of severity levels reported by Trivy.
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  # ignoreUnfixed is the flag to show only fixed vulnerabilities in
  # vulnerabilities reported by Trivy. Set to true to enable it.
  # NOTE(review): true hides findings that have no upstream fix yet -- less
  # noise, but also a blind spot; if enabled, track unfixed findings elsewhere.
  #
  ignoreUnfixed: false
  # timeout is the duration to wait for scan completion.
  timeout: "5m0s"
  # ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one
  # per line). Each entry is an accepted risk: record why it is ignored and
  # review the list periodically, since ignored IDs never show up in reports.
  #
  # ignoreFile: |
  #   CVE-1970-0001
  #   CVE-1970-0002
  # resources resource requests and limits for the scan job containers
  resources:
    requests:
      cpu: 100m
      memory: 100M
    limits:
      cpu: 500m
      memory: 500M
  # githubToken is the GitHub access token used by Trivy to download the
  # vulnerabilities database from GitHub. Only applicable in Standalone mode.
  # NOTE(review): this is a credential. Do not commit a real value in a values
  # file under version control; pass it at install time (--set, or a
  # separately managed values file) and use a token with no more scopes than
  # the download needs. How the chart stores it (Secret vs ConfigMap) is not
  # visible from this file -- check the templates before relying on it.
  #
  # githubToken: "*****"
  # serverURL is the endpoint URL of the Trivy server. Required in ClientServer
  # mode. Use an https:// URL so serverToken is not sent in cleartext.
  #
  # serverURL: "https://trivy.trivy:4975"
  # serverInsecure is the flag to enable insecure connection to the Trivy
  # server (TLS without certificate verification).
  # NOTE(review): with verification off, a spoofed server would receive the
  # serverToken sent in the request header. Leave unset unless you really
  # cannot trust the server's CA.
  #
  # serverInsecure: true
  # serverToken is the token to authenticate Trivy client with Trivy server.
  # Only applicable in ClientServer mode. Same handling as githubToken: do not
  # commit a real value here.
  #
  # serverToken: "*****"
  # serverTokenHeader is the name of the HTTP header used to send the
  # authentication token to Trivy server. Only applicable in ClientServer mode
  # when trivy.serverToken is specified.
  serverTokenHeader: "Trivy-Token"
  # serverCustomHeaders is a comma separated list of custom HTTP headers sent
  # by Trivy client to Trivy server. Only applicable in ClientServer mode.
  #
  # serverCustomHeaders: "foo=bar"
  # dbRepository the repository the vulnerability database is downloaded from.
  # Pointing this at an internal mirror (air-gapped setups) means trusting
  # that mirror for the contents of the database.
  dbRepository: "ghcr.io/aquasecurity/trivy-db"
  # The flag to enable insecure connection for downloading trivy-db via proxy
  # (air-gapped env). Quoted on purpose: the value is handed on as a string,
  # presumably via a ConfigMap -- keep the quotes when changing it.
  #
  dbRepositoryInsecure: "false"
  # The flag to enable the usage of builtin rego policies by default (string
  # value, see dbRepositoryInsecure).
  #
  useBuiltinRegoPolicies: "true"
  # The flag is the list of supported kinds separated by comma delimiter to be
  # scanned by the config audit scanner
  #
  supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
  # command. Either `image` or `filesystem` scanning, depending on the target
  # type required for the scan.
  # For 'filesystem' scanning, ensure that the
  # `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
  # to run as the root user (runAsUser = 0). That trades the non-root
  # hardening of the scan jobs for filesystem access, so only switch when
  # image scanning does not cover your case.
  command: image
# compliance settings for the cluster compliance report
# (see operator.clusterComplianceEnabled).
compliance:
  # failEntriesLimit the flag to limit the number of fail entries per control
  # check in the cluster compliance detail report
  failEntriesLimit: 10
# rbac.create whether the chart creates the Roles/ClusterRoles and bindings the
# operator needs. If false, you must provide equivalent RBAC yourself; the
# exact permissions are defined in the chart templates, not visible here.
rbac:
  create: true
serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  # annotations added to the service account (typically used to bind a cloud
  # IAM identity to the operator; presumably the place for such annotations
  # in this chart, as is usual).
  annotations: {}
  # name specifies the name of the k8s Service Account. If not set and create is
  # true, a name is generated using the fullname template.
  name: ""
# podAnnotations annotations added to the operator's pod
podAnnotations: {}
# podSecurityContext pod-level security context for the operator's pod
podSecurityContext: {}
  # fsGroup: 2000
# securityContext container-level security context for the operator container.
# NOTE(review): these are hardened defaults (not privileged, no escalation,
# read-only root filesystem, all capabilities dropped). runAsNonRoot is not set
# here and whether the operator image already runs unprivileged cannot be
# confirmed from this file; consider adding `runAsNonRoot: true` if it does.
securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
# resources requests and limits for the operator container
resources: {}
# We usually recommend not to specify default resources and to leave this as a
# conscious choice for the user. This also increases chances charts run on
# environments with little resources, such as Minikube. If you do want to
# specify resources, uncomment the following lines, adjust them as necessary,
# and remove the curly braces after 'resources:'.
#   limits:
#     cpu: 100m
#     memory: 128Mi
#   requests:
#     cpu: 100m
#     memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
# automountServiceAccountToken the flag to enable automount for service account
# token. The operator talks to the Kubernetes API, so this presumably has to
# stay true; the mounted token carries whatever RBAC the chart binds to the
# service account (rbac.create above).
automountServiceAccountToken: true