# Default values for falcon-sensor.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
node:
  # When enabled, Helm chart deploys the Falcon Sensors to Kubernetes nodes
  enabled: true
  # Overrides the backend leveraged by the Falcon Sensor (kernel, bpf)
  backend: kernel
  daemonset:
    # Annotations to apply to the daemonset
    annotations: {}
    # The key that is used to handle enabling/disabling sensor injection at the pod/node level
    podAnnotationKey: sensor.falcon-system.crowdstrike.com/injection
    # Additional labels to apply to the daemonset
    labels: {}
    # Assign a PriorityClassName to pods if set
    priorityClassName: ""
    # Taints the sensor pods tolerate. Control-plane nodes are included on
    # purpose: a node sensor that cannot schedule there leaves the most
    # sensitive nodes unmonitored. Tolerating a taint grants no extra
    # privilege by itself, but review this list whenever it is extended — it
    # widens the set of nodes the daemonset will land on.
    tolerations:
      # We want to schedule on control plane nodes where they are accessible
      - key: "node-role.kubernetes.io/master"
        operator: "Exists"
        effect: "NoSchedule"
      # Taint used by K8s >=1.24 (successor of the "master" taint above)
      - key: "node-role.kubernetes.io/control-plane"
        operator: "Exists"
        effect: "NoSchedule"
      # Also schedule onto AKS spot node pools
      - key: "kubernetes.azure.com/scalesetpriority"
        operator: "Equal"
        value: "spot"
        effect: "NoSchedule"
    # Daemonsets automatically get additional tolerations: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
    # Allow setting additional node selections e.g. processor type
    # nodeAffinity:
    #   requiredDuringSchedulingIgnoredDuringExecution:
    #     nodeSelectorTerms:
    #       - matchExpressions:
    #           - key: kubernetes.io/arch
    #             operator: In
    #             values:
    #               - amd64
    nodeAffinity: {}
    # Update strategy to roll out new daemonset configuration to the nodes.
    updateStrategy: RollingUpdate
    # Sets the max unavailable nodes. Default is 1 when no value exists.
    maxUnavailable: 1
  image:
    repository: falcon-node-sensor
    # "Always" makes the kubelet contact the registry on every container
    # start. Combined with a mutable tag (see "tag" below) that means the
    # sensor actually running can change without any chart upgrade; pin
    # "digest" so the re-pull always resolves to the same image.
    pullPolicy: Always
    # Existing pull secret to reference. Alternative to registryConfigJSON
    # below — the two must not both be set.
    pullSecrets:
    # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
    # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
    # A tag can be re-pointed in the registry at any time; a digest cannot.
    tag: "latest"
    # Setting a digest will override any tag and should be used instead of tags.
    #
    # Example digest variable configuration:
    # digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
    digest:
    # Value must be base64. This setting conflicts with node.image.pullSecrets
    # The base64 encoded string of the docker config json for the pull secret can be
    # gotten through:
    # $ cat ~/.docker/config.json | base64 -
    # (with GNU coreutils use `base64 -w0` so the output is not line-wrapped)
    # SECURITY: this value is a registry credential. Do not commit it to this
    # file — supply it at install time (e.g. `--set-file` or a values file
    # rendered from a secret store), and use a token scoped to the Falcon
    # registry rather than your personal ~/.docker/config.json, which may
    # also hold credentials for unrelated registries.
    registryConfigJSON:
  podAnnotations: {}
  # How long to wait for Falcon pods to stop gracefully
  terminationGracePeriod: 30
container:
  # When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks
  enabled: false
  # Configure the number of replicas for the mutating webhook backend
  replicas: 2
  # Configure PodTopologySpread constraints to allow pods run on different nodes.
  # "ScheduleAnyway" keeps the injector schedulable on small clusters; it is a
  # preference, not a guarantee that replicas land on distinct nodes.
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          crowdstrike.com/component: crowdstrike-falcon-injector
  # Auto update the certificates every time there is an update
  autoCertificateUpdate: true
  # Update Webhook and roll out new Deployment on upgrade
  autoDeploymentUpdate: true
  # For AKS without the pulltoken option
  azure:
    enabled: false
    # Path to the Kubernetes Azure config file on worker nodes.
    # NOTE(review): on AKS this file typically carries cloud-provider
    # credentials; enabling this presumably makes it readable to the injector.
    # Confirm that is acceptable for your threat model before turning it on.
    azureConfig: /etc/kubernetes/azure.json
  # GCP GKE workload identity init container
  gcp:
    enabled: false
  # Enable Network Policies within the Injector namespace to allow ingress.
  # Disabled means the chart creates no policy for the injector; enabling it
  # only has an effect on clusters whose CNI enforces NetworkPolicy.
  networkPolicy:
    enabled: false
  # Disable injection for all Namespaces
  disableNSInjection: false
  # Disable injection for all Pods
  disablePodInjection: false
  # Certificate validity duration in number of days (3650 = ten years).
  # NOTE(review): a long-lived certificate. Since autoCertificateUpdate above
  # re-issues it on upgrade, a shorter lifetime costs little. Whatever the
  # value, the webhook stops admitting pods once it expires — plan rotation.
  certExpiration: 3650
  # Configure the Injector Port
  injectorPort: 4433
  # Configure the requests and limits of the sensor
  sensorResources:
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 10m
    #   memory: 20Mi
  # For custom DNS configurations when .svc requires a domain for services
  # For example if service.my-namespace.svc doesn't resolve and the cluster uses
  # service.my-namespace.svc.testing.io, you would add testing.io as the value below.
  # Otherwise, keep this blank.
  domainName:
  # Provide a Secret containing CA certificate files.
  # All CA certificates need to be a valid secret key, and have the extension ".crt"
  # Example: kubectl create secret generic external-registry-cas --from-file=/tmp/thawte-Primary-Root-CA.crt --from-file=/tmp/DigiCert-Global-Root-CA.crt
  #
  # registryCertSecret: external-registry-cas
  # Only add roots you actually need: every CA listed here is presumably
  # trusted for the registry TLS connection, so a compromised one could
  # serve a tampered image.
  registryCertSecret:
  # The key that is used to handle enabling/disabling sensor injection at the namespace level
  namespaceLabelKey: sensor.falcon-system.crowdstrike.com/injection
  image:
    repository: falcon-sensor
    # "Always" re-contacts the registry on every container start; with a
    # mutable tag the injected sensor can change without a chart upgrade.
    # Pin "digest" below so the re-pull is deterministic.
    pullPolicy: Always
    # Set to true if connecting to a registry that requires authentication
    pullSecrets:
      enable: false
      name:
      # Configure the list of namespaces that should have access to pull the Falcon
      # sensor from a registry that requires authentication. This is a comma separated
      # list. For example:
      #
      # namespaces: ns1,ns2,ns3
      namespaces:
      # Attempt to create the Falcon sensor pull secret in all Namespaces
      # instead of using "container.image.pullSecrets.namespaces"
      # SECURITY: this copies the registry credential into every namespace,
      # where anyone with Secret read access in that namespace can recover
      # it. Prefer the explicit "namespaces" list above.
      allNamespaces: false
      # Value must be base64
      # The base64 encoded string of the docker config json for the pull secret can be
      # gotten through:
      # $ cat ~/.docker/config.json | base64 -
      # (with GNU coreutils use `base64 -w0` so the output is not line-wrapped)
      # SECURITY: this value is a registry credential. Do not commit it to
      # this file — supply it at install time from a secret store, and use
      # a token scoped to the Falcon registry rather than a personal
      # ~/.docker/config.json that may hold credentials for other registries.
      registryConfigJSON:
    # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
    # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
    # A tag can be re-pointed in the registry at any time; a digest cannot.
    tag: "latest"
    # Setting a digest will override any tag and should be used instead of tags.
    #
    # Example digest variable configuration:
    # digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
    digest:
  # Annotations to apply to the injector deployment
  annotations: {}
  # Additional labels to apply to the injector deployment
  labels: {}
  # Annotations to apply to the injector pods
  podAnnotations: {}
  tolerations: []
  # Requests and limits of the injector itself (the injected sensor's are set
  # via sensorResources above)
  resources:
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    requests:
      cpu: 10m
      memory: 20Mi
# Service account the chart's workloads run as. The RBAC bound to it lives in
# the chart templates, not in this file — review it there when hardening.
serviceAccount:
  name: crowdstrike-falcon-sa
  # Annotations to apply to the service account (e.g. cloud workload-identity bindings)
  annotations: {}
# Deploys the test suite during install for testing purposes.
# Keep disabled outside test clusters; the suite adds workloads that play no
# part in protection.
testing:
  enabled: false
# Sensor configuration handed to the Falcon agent. How each key is mapped onto
# the sensor's runtime options is defined by the chart templates, not here.
falcon:
  # Falcon Customer ID (CID) the sensor checks in under
  cid:
  # NOTE(review): apd/aph/app look like the sensor's proxy settings
  # (disable / host / port) — confirm against the falconctl documentation.
  apd:
  aph:
  app:
  # Sensor trace level; "none" presumably disables tracing
  trace: none
  feature:
  message_log:
  billing:
  tags:
  # SECURITY: the provisioning token is a credential. Do not commit it to this
  # file — pass it at install time (e.g. `--set falcon.provisioning_token=...`
  # sourced from a secret store) and keep it out of version control.
  provisioning_token:
# Override various naming aspects of this chart
# Only edit these if you know what you're doing
# (by Helm convention nameOverride replaces the chart name and fullnameOverride
# the whole release-qualified name — confirm in the chart's _helpers.tpl)
nameOverride: ""
fullnameOverride: ""