KSPM Collector
See the Actionable Compliance documentation for details on the Actionable Compliance feature. The KSPM Collector collects Kubernetes resource manifests and sends them to be evaluated against compliance policies. The scan results are displayed in Sysdig Secure’s Actionable Compliance screens.
Installing the Chart
Add Sysdig Helm charts repository:
$ helm repo add sysdig https://charts.sysdig.com
Deploy the kspm collector
$ helm install --create-namespace -n kspm-collector kspm-collector -f values.yaml sysdig/kspm-collector
Configuration
The following table lists the configurable parameters of the Sysdig KSPM Collector chart and their default values:
| Parameter | Description | Default |
|---|---|---|
global.proxy.httpProxy |
Sets HTTP_PROXY on the KSPM Collector containers |
"" |
global.proxy.httpsProxy |
Sets HTTPS_PROXY on the KSPM Collector containers |
"" |
global.proxy.noProxy |
Sets NO_PROXY on the KSPM Collector containers |
"" |
global.sslVerifyCertificate |
Sets NATS_INSECURE env variable on the KSPM Collector Containers |
|
global.kspm.deploy |
Enables Sysdig KSPM node analyzer & KSPM collector | true |
sysdig.accessKey |
Your Sysdig Access Key | ` ` Either accessKey or existingAccessKeySecret is required |
sysdig.existingAccessKeySecret |
Alternatively, specify the name of a Kubernetes secret containing an ‘access-key’ entry | ` ` Either accessKey or existingAccessKeySecret is required |
rbac.create |
If true, create & use RBAC resources | true |
serviceAccount.create |
Create serviceAccount | true |
serviceAccount.name |
Use this value as serviceAccountName | kspm-collector |
clusterName |
Set a cluster name to identify events using kubernetes.cluster.name tag | ` ` |
image.registry |
KSPM Collector image registry | quay.io |
image.repository |
The image repository to pull from | sysdig/kspm-collector |
image.tag |
The image tag to pull | 1.8.0 |
image.digest |
The image digest to pull | ` ` |
image.pullPolicy |
The Image pull policy | Always |
replicas |
KSPM collector deployment replicas | 1 |
namespaces.included |
Namespaces to include in the KSPM collector scans, when empty scans all | `` |
namespaces.excluded |
Namespaces to exclude in the KSPM collector scans | `` |
workloads.included |
Workloads to include in the KSPM collector scans, when empty scans all | `` |
workloads.excluded |
Workloads to exclude in the KSPM collector scans, when empty scans all | `` |
healthIntervalMin |
Minutes interval for KSPM collector health status messages | 5 |
resources.requests.cpu |
KSPM collector CPU requests | 150m |
resources.requests.memory |
KSPM collector Memory requests | 256Mi |
resources.limits.cpu |
KSPM collector CPU limits | 500m |
resources.limits.memory |
KSPM collector Memory limits | 1536Mi |
apiEndpoint |
kspmCollector apiEndpoint | "" |
httpProxy |
Proxy configuration variables | |
httpsProxy |
Proxy configuration variables | |
noProxy |
Proxy configuration variables | |
sslVerifyCertificate |
Sets NATS_INSECURE env variable on the KSPM Collector Containers |
|
arch |
Allowed architectures for scheduling | [ amd64, arm64 ] |
os |
Allowed OSes for scheduling | [ linux ] |
affinity |
Node affinities. Overrides arch and os values |
{} |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm install --namespace kspmcollector kspm-collector \
--set sysdig.accessKey=YOUR-KEY-HERE, \
sysdig/kspm-collector
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install --namespace kspmcollector kspm-collector -f values.yaml sysdig/kspm-collector
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install my-release-name -f values.yaml sysdig/kspm-collector