# Default values for Sysdig Monitor and Secure Helm package. global: clusterConfig: {} sysdig: region: "us1" proxy: {} gke: # true here enables the deployment on gke autopilot clusters autopilot: false ephemeralStorage: "500Mi" image: pullSecrets: [] pullPolicy: IfNotPresent ssl: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. certs: [] # Example of certificate # certs: # - | # -----BEGIN CERTIFICATE----- # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= # -----END CERTIFICATE----- # - | # -----BEGIN CERTIFICATE----- # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: null # Provide the name of an existing Secret that contains the CA required existingCaSecret: null # Provide the filename that is defined inside the existing Secret existingCaSecretKeyName: null # Provide the name of an existing ConfigMap that contains the CA required existingCaConfigMap: null # Provide the filename that is defined inside the existing ConfigMap existingCaConfigMapKeyName: null namespace: "" image: # This is a hack to support RELATED_IMAGE_ feature in Helm based # Operators # # As long as I don't want to people to use this, I will keep it undocumented overrideValue: null registry: quay.io repository: sysdig/agent tag: 14.4.0 # Specify a imagePullPolicy # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' # ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images pullPolicy: [] # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ # # pullSecrets: # - name: myRegistrKeySecretName windows: enabled: false nodeSelector: {} image: registry: quay.io repository: sysdig/agent-windows tag: 1.3.2 # Specify an imagePullPolicy # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' # ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images pullPolicy: [] # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ # # pullSecrets: # - name: myRegistrKeySecretName resources: # sizing TBD requests: cpu: 250m memory: 348Mi limits: cpu: 1000m memory: 512Mi affinity: {} tolerations: [] extraVolumes: volumes: [] mounts: [] # Allow passing extra volumes to the windows agent to mount secrets or certificates # to authenticate in different services. (See extraVolumes in the linux agent) # Specify a predefined resource profile. # # Available options are: # * small # Defined as: # requests: # cpu: 1000m # memory: 1024Mi # limits: # cpu: 1000m # memory: 1024Mi # # * medium # Defined as: # requests: # cpu: 3000m # memory: 3072Mi # limits: # cpu: 3000m # memory: 3072Mi # # * large # Defined as: # requests: # cpu: 5000m # memory: 6144Mi # limits: # cpu: 5000m # memory: 6144Mi resourceProfile: small # resources: # requests: # cpu: m # memory: Mi # limits: # cpu: m # memory: Mi gke: # true here enables the deployment on gke autopilot clusters autopilot: false createPriorityClass: false ephemeralStorage: "500Mi" rbac: # true here enables creation of rbac resources create: true scc: # true here enables creation of Security Context Constraints in Openshift create: true psp: # true here enables creation of Pod Security Policy to allow the agent run with the required permissions create: true serviceAccount: # Create and use serviceAccount resources create: true # Use this value as serviceAccountName name: null daemonset: deploy: true # Perform rolling updates by default in the DaemonSet agent # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ updateStrategy: # You can also customize maxUnavailable, maxSurge or minReadySeconds if you # need it type: RollingUpdate rollingUpdate: {} ## Extra environment variables that will be pass onto deployment pods env: {} nodeSelector: {} # arch and os will be used to template out a node affinity block matching everything in each list. If affinity is # defined, these fields will be ignored arch: - amd64 - arm64 - s390x os: - linux # Allow the DaemonSet to schedule using affinity rules # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} # Allow the DaemonSet to set annotations annotations: {} # Allow the DaemonSet to set labels labels: {} # readiness probe delays probes: initialDelay: 90 periodDelay: 10 failureThreshold: 9 kmodule: env: {} extraVolumes: volumes: [] mounts: [] # If is behind a proxy you can set the proxy server # This proxy settings apply for the App-Checks. # If you need to configure the agent to allow it to communicate with the Sysdig collector through an HTTP proxy check: # https://docs.sysdig.com/en/enable-http-proxy-for-agents.html proxy: httpProxy: null httpsProxy: null noProxy: null # Set daemonset timezone timezone: null # Create the priorityClass defined below createPriorityClass: false # Set daemonset priorityClassName priorityClassName: null # Set daemonset priorityClassValue priorityClassValue: 10 ebpf: # Enable eBPF support for Sysdig Agent enabled: false # Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf` kind: legacy_ebpf # Run the Sysdig Agent container as privileged. When set to false, eBPF must be enabled privileged: true slim: # Uses a slim version of the Sysdig Agent enabled: true # The image repo to be used for slim Agents image: repository: sysdig/agent-slim # When using slim the kernel module is built in other container, which # contains the toolchain required to build the kernel module. kmoduleImage: repository: sysdig/agent-kmodule digest: null resources: # Resources required by the kernel module builder image. These are some # a sane defaults ones, but you can tweak or ask Sysdig Support for more # info about this requests: cpu: 250m memory: 348Mi limits: cpu: 1000m memory: 512Mi # For Sysdig On-Prem installations or for custom collector settings, set the following fields collectorSettings: collectorHost: null collectorPort: null ssl: null sslVerifyCertificate: null # Setting a cluster name allows you to filter events from this cluster using kubernetes.cluster.name clusterName: "" sysdig: # Required: You need your Sysdig Agent access key before running agents, either specifying 'accessKey' here, or using 'existingAccessKeySecret' accessKey: "" # Alternatively, specify the name of a Kubernetes secret containing an 'access-key' entry existingAccessKeySecret: "" # Disable capture functionality. (See https://docs.sysdig.com/en/disable-captures.html) disableCaptures: false # Advanced settings. Any option in here will be directly translated into dragent.yaml in the Configmap settings: {} ### Example: Agent tags # tags: linux:ubuntu,dept:dev,local:nyc ### Example: Proxy configuration. (See https://docs.sysdig.com/en/enable-http-proxy-for-agents.html) # ssl: false # http_proxy: # proxy_host: squid.yourdomain.com # proxy_port: 3128 # ssl: false ### Example: Configure app checks (See https://docs.sysdig.com/en/integrate-applications-default-app-checks) # app_checks: # - name: redis-6380 # check_module: redisdb # pattern: # comm: redis-server # conf: # host: 127.0.0.1 # port: 6380 # password: # - name: ntp # interval: 60 # pattern: # comm: systemd # conf: # host: us.pool.ntp.org secure: # true here enables Sysdig Secure: container run-time security & forensics enabled: true monitor: # true here enables Sysdig Monitor components enabled: true auditLog: # true here activates the K8s Audit Log feature for Sysdig Secure enabled: true auditServerUrl: 0.0.0.0 auditServerPort: 7765 dynamicBackend: # true here configures an AuditSink who will receive the K8s audit logs enabled: false # Promscrape prometheus.yaml not configured by default prometheus: file: false yaml: {} extraVolumes: volumes: [] mounts: [] # Allow passing extra volumes to the agent to mount secrets or certificates # to authenticate in different services. # Any kind of volume can be passed. Example: # # extraVolumes: # volumes: # - name: sysdig-new-cm # configMap: # name: my-cm # optional: true # - name: sysdig-new-secret # secret: # secretName: my-secret # mounts: # - mountPath: /opt/draios/cm # name: sysdig-new-cm # - mountPath: /opt/draios/secret # name: sysdig-new-secret extraSecrets: [] # Allow passing extra secrets that can be mounted via extraVolumes # # extraSecrets: # - name: sysdig-new-secret # data: # sysdig-new-password-key1: bXlwYXNzd29yZA== # sysdig-new-password-key2: bXlwYXNzd29yZA== # Allow sysdig to run on Kubernetes 1.6 masters. tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane - effect: NoSchedule key: node-role.kubernetes.io/controlplane operator: Equal value: "true" - effect: NoExecute key: node-role.kubernetes.io/etcd operator: Equal value: "true" - effect: NoExecute key: CriticalAddonsOnly operator: Equal value: "true" leaderelection: enable: false localForwarder: enabled: false # If existingSecretName is set to anything different than an empty string # the local forwarder secret generation is skipped and the existing secret # name is used to mount the secret volume instead of the one defined in # the secrets template existingSecretName: "" transmitMessageTypes: - POLICY_EVENTS - SECURE_AUDIT integrations: [] delegatedAgentDeployment: # Enable a specialized installation where an Agent Deployment is installed # in addition to the traditional DaemonSet. The DaemonSet Agents will not # be configured to communicate with the Kubernetes API Server, but the # smaller set of Agents deployed in the Deployment will. This is a specialized # installation type to reduce load on the Kubernetes API servers on clusters # with very large node counts. enabled: false delegated_nodes: -1 deployment: # affinity: {} arch: - amd64 - arm64 - s390x env: {} os: - linux labels: {} # readiness probes delays probes: initialDelay: 90 periodDelay: 10 failureThreshold: 9 progressDeadlineSeconds: 600 replicas: 1 resources: limits: cpu: 1000m memory: 1Gi requests: cpu: 250m memory: 384Mi revisionHistoryLimit: 10 updateStrategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate # Allow direct setting of Agent log priority levels for console and file logs (info|debug) logPriority: null ssl: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. certs: [] # Example of certificate # certs: # - | # -----BEGIN CERTIFICATE----- # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= # -----END CERTIFICATE----- # - | # -----BEGIN CERTIFICATE----- # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: null # Provide the name of an existing Secret that contains the CA required existingCaSecret: null # Provide the filename that is defined inside the existing Secret existingCaSecretKeyName: null # Provide the name of an existing ConfigMap that contains the CA required existingCaConfigMap: null # Provide the filename that is defined inside the existing ConfigMap existingCaConfigMapKeyName: null tests: skip: false timeout: 300s image: repo: quay.io/sysdig/sysdig-kubectl tag: 1.34.1-1.5.17 # Allow to modify DNS policy dnsPolicy: null customSecurityContext: {}