# Default values for Sysdig Monitor and Secure Helm package. image: # This is a hack to support RELATED_IMAGE_ feature in Helm based # Operators # # As long as I don't want to people to use this, I will keep it undocumented overrideValue: registry: docker.io repository: sysdig/agent tag: 10.3.0 # Specify a imagePullPolicy # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' # ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images pullPolicy: IfNotPresent # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ # # pullSecrets: # - name: myRegistrKeySecretName resources: # Although resources needed are subjective on the actual workload we provide # a sane defaults ones. If you have more questions or concerns, please refer # to Sysdig Support for more info about it requests: cpu: 600m memory: 512Mi limits: cpu: 2000m memory: 1536Mi rbac: # true here enables creation of rbac resources create: true scc: # true here enabled creation of Security Context Constraints in Openshift create: true serviceAccount: # Create and use serviceAccount resources create: true # Use this value as serviceAccountName name: daemonset: # Perform rolling updates by default in the DaemonSet agent # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ updateStrategy: # You can also customize maxUnavailable, maxSurge or minReadySeconds if you # need it type: RollingUpdate ## Extra environment variables that will be pass onto deployment pods env: {} # Allow the DaemonSet to schedule using affinity rules # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - amd64 - key: kubernetes.io/os operator: In values: - linux - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - key: beta.kubernetes.io/os operator: In values: - linux # Allow the DaemonSet to set annotations annotations: {} # If is behind a proxy you can set the proxy server proxy: httpProxy: httpsProxy: noProxy: # Set daemonset timezone timezone: # Set daemonset priorityClassName priorityClassName: ebpf: # Enable eBPF support for Sysdig Agent enabled: false settings: # Needed to correctly detect the kernel version for the eBPF program # Set to false if not running on Google COS mountEtcVolume: true slim: # Uses a slim version of the Sysdig Agent enabled: false # When using slim the kernel module is built in other container, which # contains the toolchain required to build the kernel module. kmoduleImage: repository: sysdig/agent-kmodule resources: # Resources required by the kernel module builder image. These are some # a sane defaults ones, but you can tweak or ask Sysdig Support for more # info about this requests: cpu: 1000m memory: 348Mi limits: memory: 512Mi # For Sysdig On-Prem installations or for custom collector settings, set the following fields collectorSettings: collectorHost: collectorPort: ssl: sslVerifyCertificate: # Setting a cluster name allows you to filter events from this cluster using kubernetes.cluster.name clusterName: "" sysdig: # Required: You need your Sysdig Agent access key before running agents. accessKey: "" # Disable capture functionality (see https://docs.sysdig.com/en/disable-captures.html) disableCaptures: false # Advanced settings. Any option in here will be directly translated into dragent.yaml in the Configmap settings: {} ### Agent tags # tags: linux:ubuntu,dept:dev,local:nyc secure: # true here enables Sysdig Secure: container run-time security & forensics enabled: true auditLog: # true here activates the K8s Audit Log feature for Sysdig Secure enabled: false auditServerUrl: 0.0.0.0 auditServerPort: 7765 dynamicBackend: # true here configures an AuditSink who will receive the K8s audit logs enabled: false nodeImageAnalyzer: deploy: false image: repository: sysdig/node-image-analyzer tag: 0.1.0 pullPolicy: IfNotPresent # pullSecrets: # - name: myRegistrKeySecretName resources: requests: cpu: 250m memory: 512Mi limits: cpu: 500m memory: 1024Mi # Additional advanced settings settings: {} customAppChecks: {} # Allow passing custom app checks for Sysdig Agent. # Example: # # sample.py: |- # from checks import AgentCheck # # class MyCustomCheck(AgentCheck): # def check(self, instance): # self.gauge("testhelm", 1) # Promscrape prometheus.yaml not configured by default prometheus: file: false yaml: {} extraVolumes: volumes: [] mounts: [] # Allow passing extra volumes to the agent to mount secrets or certificates # to authenticate in different services. # Any kind of volume can be passed. Example: # # extraVolumes: # volumes: # - name: sysdig-new-cm # configMap: # name: my-cm # optional: true # - name: sysdig-new-secret # secret: # secretName: my-secret # mounts: # - mountPath: /opt/draios/cm # name: sysdig-new-cm # - mountPath: /opt/draios/secret # name: sysdig-new-secret # Allow sysdig to run on Kubernetes 1.6 masters. tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master