andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/crowdstrike/falcon-sensor/1.28.1/values.yaml

261 lines
8.1 KiB
YAML
Raw Blame History

# Default values for falcon-sensor.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
node:
# When enabled, Helm chart deploys the Falcon Sensors to Kubernetes nodes
enabled: true
# Overrides the backend leveraged by the Falcon Sensor (kernel, bpf)
backend: kernel
# Enable for use on Google's GKE Autopilot clusters
gke:
autopilot: false
daemonset:
# Annotations to apply to the daemonset
annotations: {}
# The key that is used to handle enabling/disabling sensor injection at the pod/node level
podAnnotationKey: sensor.falcon-system.crowdstrike.com/injection
# additionals labels
labels: {}
# Enable the priorityClass creation on chart installation
priorityClassCreate: false
# Assign a PriorityClassName to pods if set
priorityClassName: ""
priorityClassValue: 1000000000
tolerations:
# We want to schedule on control plane nodes where they are accessible
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
# Future taint for K8s >=1.24
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- key: "kubernetes.azure.com/scalesetpriority"
operator: "Equal"
value: "spot"
effect: "NoSchedule"
# Daemonsets automatically get additional tolerations: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
# Allow setting additional node selections e.g. processor type
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/arch
# operator: In
# values:
# - amd64
nodeAffinity: {}
# Resource settings that can be set with backend is set to bpf only. Cannot be used when backend is set to kernel.
# This will be ignored if backend is set to kernel. Purposefully. The defaults are set to the minimum requirements.
# Depending on the size of your cluster and the node types, you may need to increase these values.
# resources:
# limits:
# cpu: 250m
# ephemeral-storage: 100Mi
# memory: 500Mi
# requests:
# cpu: 250m
# ephemeral-storage: 100Mi
# memory: 500Mi
# Update strategy to role out new daemonset configuration to the nodes.
updateStrategy: RollingUpdate
# Sets the max unavailable nodes. Default is 1 when no value exists.
maxUnavailable: 1
image:
repository: falcon-node-sensor
pullPolicy: Always
pullSecrets:
# Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
# who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
tag: "latest"
# Setting a digest will override any tag and should be used instead of tags.
#
# Example digest variable configuration:
# digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
digest:
# Value must be base64. This setting conflicts with node.image.pullSecrets
# The base64 encoded string of the docker config json for the pull secret can be
# gotten through:
# $ cat ~/.docker/config.json | base64 -
registryConfigJSON:
podAnnotations: {}
# How long to wait for Falcon pods to stop gracefully
terminationGracePeriod: 30
hooks:
# Settings for the node post-delete helm hook
postDelete:
enabled: true
container:
# When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks
enabled: false
# Configure the number of replicas for the mutating webhook backend
replicas: 2
# Configure PodTopologySpread constraints to allow pods run on different nodes
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
crowdstrike.com/component: crowdstrike-falcon-injector
# Auto update the certificates every time there is an update
autoCertificateUpdate: true
# Update Webhook and roll out new Deployment on upgrade
autoDeploymentUpdate: true
# For AKS without the pulltoken option
azure:
enabled: false
# Path to the Kubernetes Azure config file on worker nodes
azureConfig: /etc/kubernetes/azure.json
# GCP GKE workload identity init container
gcp:
enabled: false
# Enable Network Policies within the Injector namespace to allow ingress
networkPolicy:
enabled: false
# Enable using hostNetwork for the injector pod
hostNetwork: false
# Disable injection for all Namespaces
disableNSInjection: false
# Disable injection for all Pods
disablePodInjection: false
# Certificate validity duration in number of days
certExpiration: 3650
# Configure the Injector Port
injectorPort: 4433
# Configure the requests and limits of the sensor
sensorResources:
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 20Mi
# For custom DNS configurations when .svc requires a domain for services
# For example if service.my-namespace.svc doesn't resolve and the cluster uses
# service.my-namespace.svc.testing.io, you would add testing.io as the value below.
# Otherwise, keep this blank.
domainName:
# Provide a Secret containing CA certificate files.
# All CA certificates need to be a valid secret key, and have the extension ".crt"
# Example: kubectl create secret generic external-registry-cas --from-file=/tmp/thawte-Primary-Root-CA.crt --from-file=/tmp/DigiCert-Global-Root-CA.crt
#
# registryCertSecret: external-registry-cas
registryCertSecret:
# The key that is used to handle enabling/disabling sensor injection at the namespace level
namespaceLabelKey: sensor.falcon-system.crowdstrike.com/injection
image:
repository: falcon-sensor
pullPolicy: Always
# Set to true if connecting to a registry that requires authentication
pullSecrets:
enable: false
name:
# Configure the list of namespaces that should have access to pull the Falcon
# sensor from a registry that requires authentication. This is a comma separated
# list. For example:
#
# namespaces: ns1,ns2,ns3
namespaces: ""
# Attempt to create the Falcon sensor pull secret in all Namespaces
# instead of using "container.image.pullSecrets.namespaces"
allNamespaces: false
# Value must be base64
# The base64 encoded string of the docker config json for the pull secret can be
# gotten through:
# $ cat ~/.docker/config.json | base64 -
registryConfigJSON:
# Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
# who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
tag: "latest"
# Setting a digest will override any tag and should be used instead of tags.
#
# Example digest variable configuration:
# digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
digest:
# Annotations to apply to the injector deployment
annotations: {}
# additionals labels to apply to the injector deployment
labels: {}
# Annotations to apply to the injector deployment
podAnnotations: {}
tolerations: []
# Configure the requests and limits of the injector container
resources:
# limits:
# cpu: 100m
# memory: 128Mi
requests:
cpu: 10m
memory: 20Mi
serviceAccount:
name: crowdstrike-falcon-sa
annotations: {}
# Deploys the test suite during install for testing purposes.
testing:
enabled: false
falcon:
cid:
apd:
aph:
app:
trace: none
feature:
message_log:
billing:
tags:
provisioning_token:
# Override various naming aspects of this chart
# Only edit these if you know what you're doing
nameOverride: ""
fullnameOverride: ""
Reference in New Issue View Git Blame Copy Permalink