Cloud Scanning

Cloud Scanning

This chart deploys the Sysdig Cloud scanning on your Kubernetes cluster. See Cloud Scanning configuration on Cloud Scanning documentation for more information.

⚠️ Deprecated Module
Use Cloud-Connector scanning configuration instead of this module

Installing the Chart

Add the Sysdig Helm charts repository and deploy the chart:

$ helm repo add sysdig https://charts.sysdig.com

$ helm install --create-namespace -n cloud-scanning cloud-scanning -f values.yaml sysdig/cloud-scanning

Verify the integrity and origin

Sysdig Helm Charts are signed so users can verify the integrity and origin of each chart, the steps are as follows:

Import the Public Key

$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg

Verify the Chart

To check the integrity and the origin of the charts, append the --verify flag to the install, upgrade, and pull helm commands.

Configuration

You can use the Helm chart to update the default Cloud Scanning configurations by using either of the following:

Using the Key-Value Pair

Specify each parameter using the --set key=value[,key=value] argument to the helm install command.

For example:

$ helm install my-release \
    --set sysdig.secureAPIToken=YOUR-KEY-HERE \
    sysdig/cloud-scanning

Using values.yaml

The values.yaml file specifies the values for the Cloud Scanning configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.

$ helm install my-release -f values.yaml sysdig/cloud-scanning

Configuration Parameters

The following table lists the configurable parameters of the Sysdig Cloud Scanning chart and their default values:

Parameter Description Default
replicaCount Amount of replicas for Cloud Scanning 1
image.repository The image repository to pull from sysdiglabs/cloud-scanning
image.pullPolicy The image pull policy IfNotPresent
imagePullSecrets The image pull secrets []
nameOverride Chart name override ` `
fullnameOverride Chart full name override ` `
serviceAccount.create Create the service account true
serviceAccount.annotations Extra annotations for serviceAccount {}
serviceAccount.name Use this value as serviceAccount Name ` `
rbac.create Create and use RBAC resources true
podSecurityContext Configure deployment PSP’s { capabilities: drop: - ALL readOnlyRootFileSystem: true runAsNonRoot: true }
securityContext Configure securityContext {}
service.type Use this type as service ClusterIP
service.port Configure port for the service 5000
resources.limits.cpu Configure resource limits for cpu 256m
resources.limits.memory Configure resource limits for memory 512Mi
resources.requests.cpu Configure resource requests for cpu 256m
resources.requests.memory Configure resource requests for memory 512Mi
nodeSelector Configure nodeSelector for scheduling {}
nodeSelector Configure nodeSelector for scheduling {}
tolerations Tolerations for scheduling []
affinity Configure affinity rules {}
extraEnvVars Extra environment variables to be set []
aws.accessKeyId AWS Credentials AccessKeyID ` `
aws.secretAccessKey AWS Credentials: SecretAccessKey ` `
aws.region AWS Region ` `
gcp.credentials GCP Credentials JSON ` `
sysdig.url Sysdig Secure URL https://secure.sysdig.com
sysdig.secureAPIToken API Token to access Sysdig Secure ` `
existingSecretName Provide an existing secret name (see details in values.yaml) instead of creating a new one from provided values ` `
sysdig.verifySSL Verify SSL certificate true
ecrScanning Enable scanning for images pushed to ECR true
ecsScanning Enable scanning for images of tasks or services running in ECS true
codeBuildProject Name of the CodeBuild exeuting the scanner ` `
sqsQueueUrl URL of the SQS queue for CloudTrail events ` `
secureAPITokenSecret Secret name that contains the API Token for Secure (required to inline-scan without leaking the secret) ` `