generated from falcosecurity/template-repository
-
Notifications
You must be signed in to change notification settings - Fork 295
/
Copy pathvalues.yaml
222 lines (201 loc) · 8.36 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
# Default values for falco-exporter.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- service exposes the exporter service to be accessed from within the cluster.
service:
# -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible
# from within the cluster.
type: ClusterIP
# -- clusterIP set to none. It's headless service.
clusterIP: None
# -- port is the port on which the Service will listen.
port: 9376
# -- targetPort is the port on which the Pod is listening.
targetPort: 9376
# -- labels set of labels to be applied to the service.
labels: {}
# -- annotations set of annotations to be applied to the service.
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9376"
# -- mTLS mutual TLS for HTTP metrics server.
mTLS:
# -- enabled specifies whether the mTLS should be enabled.
enabled: false
# -- healthChecks contains the configuration for liveness and readiness probes.
healthChecks:
# -- livenessProbe is a diagnostic mechanism used to determine weather a container within a Pod is still running and healthy.
livenessProbe:
# -- probesPort is liveness probes port.
probesPort: 19376
# -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe.
initialDelaySeconds: 60
# -- timeoutSeconds number of seconds after which the probe times out.
timeoutSeconds: 5
# -- periodSeconds specifies the interval at which the liveness probe will be repeated.
periodSeconds: 15
# -- readinessProbe is a mechanism used to determine whether a container within a Pod is ready to serve traffic.
readinessProbe:
# probesPort is readiness probes port
probesPort: 19376
# -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe.
initialDelaySeconds: 30
# -- timeoutSeconds is the number of seconds after which the probe times out.
timeoutSeconds: 5
# -- periodSeconds specifies the interval at which the readiness probe will be repeated.
periodSeconds: 15
# -- image is the configuration for the exporter image.
image:
# -- registry is the image registry to pull from.
registry: docker.io
# -- repository is the image repository to pull from.
repository: falcosecurity/falco-exporter
# -- tag is image tag to pull.
tag: "0.8.3"
# -- pullPolicy is the policy used to determine when a node should attempt to pull the container image.
pullPolicy: IfNotPresent
# -- pullSecrets a list of secrets containing credentials used when pulling from private/secure registries.
imagePullSecrets: []
# -- nameOverride is the new name used to override the release name used for exporter's components.
nameOverride: ""
# -- fullNameOverride same as nameOverride but for the full name.
fullnameOverride: ""
# -- priorityClassName specifies the name of the PriorityClass for the pods.
priorityClassName: ""
# -- falco the configuration to connect falco.
falco:
# -- grpcUnixSocketPath path to the falco's grpc unix socket.
grpcUnixSocketPath: "unix:///run/falco/falco.sock"
# -- grpcTimeout timout value for grpc connection.
grpcTimeout: 2m
# -- serviceAccount is the configuration for the service account.
serviceAccount:
# create specifies whether a service account should be created.
create: true
# annotations to add to the service account
annotations: {}
# -- name is the name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
# If set and create is false, an already existing serviceAccount must be provided.
name: ""
# -- podSecurityPolicy holds the security policy settings for the pod.
podSecurityPolicy:
# -- create specifies whether a PSP, Role and RoleBinding should be created
create: false
# -- annotations to add to the PSP, Role and RoleBinding
annotations: {}
# -- name of the PSP, Role and RoleBinding to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# -- podSecurityPolicy holds the security policy settings for the pod.
podSecurityContext:
{}
# fsGroup: 2000
# -- daemonset holds the configuration for the daemonset.
daemonset:
# updateStrategy perform rolling updates by default in the DaemonSet agent
# ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
updateStrategy:
# type of the strategy. Can also customize maxUnavailable or minReadySeconds based on your needs.
type: RollingUpdate
# -- annotations to add to the DaemonSet pods.
annotations: {}
# -- podLabels labels to add to the pods.
podLabels: {}
# -- securityContext holds the security context for the daemonset.
securityContext:
# -- capabilities to be assigned to the daemonset.
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: RuntimeDefault
# -- resources defines the computing resources (CPU and memory) that are allocated to the containers running within the Pod.
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes
# for the Pod to be eligible for scheduling on that node
nodeSelector: {}
# -- tolerations are applied to pods and allow them to be scheduled on nodes with matching taints.
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
# -- affinity allows pod placement based on node characteristics, or any other custom labels assigned to nodes.
affinity: {}
# -- serviceMonitor holds the configuration for the ServiceMonitor CRD.
# A ServiceMonitor is a custom resource definition (CRD) used to configure how Prometheus should
# discover and scrape metrics from the exporter service.
serviceMonitor:
# -- enable the deployment of a Service Monitor for the Prometheus Operator.
enabled: false
# -- additionalLabels specifies labels to be added on the Service Monitor.
additionalLabels: {}
# -- interval specifies the time interval at which Prometheus should scrape metrics from the service.
interval: ""
# -- scrapeTimeout determines the maximum time Prometheus should wait for a target to respond to a scrape request.
# If the target does not respond within the specified timeout, Prometheus considers the scrape as failed for
# that target.
scrapeTimeout: ""
# -- aditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
additionalProperties: {}
# -- grafanaDashboard contains the configuration related to grafana dashboards.
grafanaDashboard:
# -- enabled specifies whether the dashboard should be deployed.
enabled: false
# -- folder creates and set folderAnnotation to specify where the dashboard is stored in grafana.
folder: ""
# -- folderAnnotation sets the annotation's name used by folderAnnotation in grafana's helm-chart.
folderAnnotation: "grafana_dashboard_folder"
# -- namespace specifies the namespace for the configmap.
namespace: default
# -- prometheusDatasourceName name of the data source.
prometheusDatasourceName: Prometheus
scc:
# true here enabled creation of Security Context Constraints in Openshift
create: true
# prometheusRules holds the configuration for alerting on priority events.
prometheusRules:
# -- enabled specifies whether the prometheus rules should be deployed.
enabled: false
alerts:
warning:
enabled: true
rate_interval: "5m"
threshold: 0
for: "15m"
error:
enabled: true
rate_interval: "5m"
threshold: 0
for: "15m"
critical:
enabled: true
rate_interval: "5m"
threshold: 0
for: "15m"
alert:
enabled: true
rate_interval: "5m"
threshold: 0
for: "5m"
emergency:
enabled: true
rate_interval: "1m"
threshold: 0
for: "1m"
additionalAlerts: {}