twistlock-defender/values.yaml

DATA_FOLDER: /var/lib/twistlock               # Host folder where the defender data will be located
FIPS_ENABLED: "false"                         # Enables FIPS Cryptographic Modules
access_ca: ""                                 # Access CA
admission_cert:                               # Admission Controller Certificate. External Secret Key: ADMISSION_CERT
admission_key:                                # Admission Controller Key. External Secret Key: ADMISSION_KEY
admission_path:                               # Admission Controller Path
admission_add_delete: false                   # Enable monitoring of Delete Operation when using admission controller
cluster: ""                                   # Name of Cluster. Recommended for On-Prem Clusters. Required only if cluster_name_resolving_method is set to manual
cluster_name_resolving_method: default        # Method of retrieving the name of the cluster. Possible values: default (using Cloud Metadata), api-server (using Kubelet API) or manual
cluster_role_name: twistlock-view             # Name of the ClusterRole to be granted to the defender
collect_pod_labels: true                      # Collects Namespace and Deployment labels as part of the Pod information
container_runtime_socket_folder: /var/run     # Runtime socket where the container is located
containers_storage_mount: /var/lib/containerd # Path where the containers information are being stored
containers_storage_mount_rke2: /var/lib/rancher/rke2/agent/containerd # Path where the containers information are being stored for RKE clusters
cri_data_rke2_volume_name: cri-rke2-data      # Containers volume name for RKE Clusters
cri_data_volume_name: cri-data                # Containers volume name
defender_ca_cert:                             # *CA certificate for defender - console communication. External Secret Key: DEFENDER_CA
defender_client_cert:                         # Client certificate for defender - console communication. External Secret Key: DEFENDER_CLIENT_CERT
defender_client_key:                          # Client key for defender - console communication. External Secret Key: DEFENDER_CLIENT_KEY
defender_service_port: 9998                   # Admission Controller port
defender_type: cri                            # Type of defender
docker_socket_path: /var/run/docker.sock      # Container runtime socket path
gke_autopilot_annotation: ""                  # GKE autopilot annotation
host_custom_compliance: false                 # Check custom Compliance for the host
install_bundle:                               # Defender install bundle. External Secret: INSTALL_BUNDLE
requests_cpu: '"256m"'                        # CPU Request of the defender
# requests_memory: '"512Mi"'                    # Memory Request of the defender
limit_cpu: '"900m"'                          # CPU Limits of the defender
limit_memory: '"512Mi"'                      # Memory Limits of the defender
monitor_istio: false                          # Enable Istio Monitoring
monitor_service_accounts: true                # Enable monitoring of the Service Accounts
node_selector: ""                             # Node Selector of the defender
old_defender_ca_cert: ""                      # Old defender CA Cert
old_defender_client_cert: ""                  # Old defender client cert
old_defender_client_key: ""                   # Old defender client key
openshift: false                              # Verify if it's openshift deployment
privileged: "false"                           # Run defender as privileged
role_arn: ""                                  # Defender AWS IAM role
runc_proxy_sock_folder: /run                  # Runc socket folder
image_pull_secret: twistlock-pull-secret      # Name of the secret use to store the the registry information. Leave it blank if it's not required a secret to pull the image
image_name:                                   # Image of the defender
registry:                                     # Registry information to pull the defender image
  name:                                       # Name of the registry
  username:                                   # Name of the user
  password:                                   # Password of the user
  dockerconfigjson:                           # Base64 encoded dockerconfigjson
twistlock_secret: twistlock-secrets           # Name of the secret use to store defender certificates
env_secret: twistlock-env-secrets             # Name of the secret use to store environment variables
secret_store:                                 # Integrate with External Secrets Operator
  name:                                       # Name of the Secrets Store where the Access to Prisma is located
  kind: ClusterSecretStore                    # Secrets Store kind
  refresh_interval: 1h                        # Secrets refresh interval
  remote_key:                                 # Remote secret name for extracting the Defender secrets
selinux_header: ""                            # SE Linux header
selinux_options: ""                           # SE Linux Options
service_parameter:                            # Service Parameter value. External Secret Key: SERVICE_PARAMETER
talos: false                                  # Verify if it's TalOS deployment
twistlock_data_folder: /var/lib/twistlock     # Container folder where the defender data will be located
unique_hostname: true                         # Assign unique host names
ws_address:                                   # Web Socket address. External Secret Key: WS_ADDRESS
annotations:                                  # Defender DaemonSet annotations
#  annotation1: test
tolerations:                                  # Makes pods runnable on all nodes including master node.
#  - operator: Exists
#    effect: NoSchedule
#  - operator: Exists
#    effect: PreferNoSchedule
#  - operator: Exists
#    effect: NoExecute
labels:                                       # Defender DaemonSet labels
#  label1: test