KSPM Collector
See the Actionable Compliance documentation for details on the Actionable Compliance feature. The KSPM Collector collects Kubernetes resource manifests and sends them to be evaluated against compliance policies. The scan results are displayed in Sysdig Secure’s Actionable Compliance screens.
Installing the Chart
Add Sysdig Helm charts repository:
$ helm repo add sysdig https://charts.sysdig.com
Deploy the kspm collector
$ helm install --create-namespace -n kspm-collector kspm-collector -f values.yaml sysdig/kspm-collector
Configuration
The following table lists the configurable parameters of the Sysdig KSPM Collector chart and their default values:
| Parameter | Description | Default |
|---|---|---|
global.proxy.httpProxy |
Sets HTTP_PROXY on the KSPM Collector containers |
"" |
global.proxy.httpsProxy |
Sets HTTPS_PROXY on the KSPM Collector containers |
"" |
global.proxy.noProxy |
Sets NO_PROXY on the KSPM Collector containers |
"" |
global.sslVerifyCertificate |
Sets NATS_INSECURE env variable on the KSPM Collector Containers |
|
global.kspm.deploy |
Enables Sysdig KSPM node analyzer & KSPM collector | true |
sysdig.accessKey |
Your Sysdig Access Key | ` ` Either accessKey or existingAccessKeySecret is required |
sysdig.existingAccessKeySecret |
Alternatively, specify the name of a Kubernetes secret containing an ‘access-key’ entry | ` ` Either accessKey or existingAccessKeySecret is required |
rbac.create |
If true, create & use RBAC resources | true |
serviceAccount.create |
Create serviceAccount | true |
serviceAccount.name |
Use this value as serviceAccountName | kspm-collector |
clusterName |
Set a cluster name to identify events using kubernetes.cluster.name tag | ` ` |
image.registry |
KSPM Collector image registry | quay.io |
image.repository |
The image repository to pull from | sysdig/kspm-collector |
image.tag |
The image tag to pull | 1.24.0 |
image.digest |
The image digest to pull | ` ` |
image.pullPolicy |
The Image pull policy | Always |
imagePullSecrets |
The Image pull secret | [] |
replicas |
KSPM collector deployment replicas | 1 |
namespaces.included |
Namespaces to include in the KSPM collector scans, when empty scans all | `` |
namespaces.excluded |
Namespaces to exclude in the KSPM collector scans | `` |
nodeSelector |
Node Selector | {} |
workloads.included |
Workloads to include in the KSPM collector scans, when empty scans all | `` |
workloads.excluded |
Workloads to exclude in the KSPM collector scans, when empty scans all | `` |
healthIntervalMin |
Minutes interval for KSPM collector health status messages | 5 |
resources.requests.cpu |
KSPM collector CPU requests | 150m |
resources.requests.memory |
KSPM collector memory requests | 256Mi |
resources.limits.cpu |
KSPM collector CPU limits | 500m |
resources.limits.memory |
KSPM collector memory limits | 1536Mi |
priorityClassName |
Name of an existing PriorityClass for the KSPM Collector to use | {} |
apiEndpoint |
kspmCollector apiEndpoint | "" |
httpProxy |
Proxy configuration variables | |
httpsProxy |
Proxy configuration variables | |
noProxy |
Proxy configuration variables | |
sslVerifyCertificate |
Sets NATS_INSECURE env variable on the KSPM Collector Containers |
|
arch |
Allowed architectures for scheduling | [ amd64, arm64 ] |
os |
Allowed OSes for scheduling | [ linux ] |
affinity |
Node affinities. Overrides arch and os values |
{} |
labels |
KSPM collector specific labels (as a multi-line templated string map or as YAML) | {} |
port |
KSPM collector port for health checks | 8080 |
psp.create |
Create Pod Security Policy to allow the KSPM Collector running in clusters with PSP enabled | true |
readinessProbe.enabled |
KSPM collector readinessProbe enablement | true |
livenessProbe.enabled |
KSPM collector livenessProbe enablement | true |
scc.create |
Create OpenShift’s Security Context Constraint | true |
securityContext.runAsNonRoot |
make KSPM collector run as non root | true |
securityContext.runAsUser |
make KSPM collector run as user with this ID | 10001 |
securityContext.runAsGroup |
make KSPM collector run as group with this ID | 10001 |
securityContext.readOnlyRootFilesystem |
make KSPM collector root file system read only | true |
securityContext.allowPrivilegeEscalation |
allow KSPM collector apps to gain priviledges stronger than their parent process | false |
securityContext.capabilities.drop |
Linux capabilities to be taken from KSPM collector | ['all'] |
tolerations |
The tolerations for scheduling | kubernetes.io/arch=arm64:NoSchedule |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm install --namespace kspmcollector kspm-collector \
--set sysdig.accessKey=YOUR-KEY-HERE, \
sysdig/kspm-collector
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install --namespace kspmcollector kspm-collector -f values.yaml sysdig/kspm-collector
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install my-release-name -f values.yaml sysdig/kspm-collector
Running helm unit tests
The sysdiglabs/charts repository uses the following helm unittest plugin: https://github.com/quintush/helm-unittest
You can test the changes to your chart by running the test suites as follows:
helm unittest --helm3 .
The helm unit tests are in the tests folder. It is recommended to add new tests as new features are added here.