From a9efc6beabe96c87d3a280e4d614976761efbf17 Mon Sep 17 00:00:00 2001
From: "matteo.dipierro"
Date: Tue, 24 Oct 2023 14:53:31 +0200
Subject: [PATCH] chore(sysdig, node-analyzer): bump sysdig/vuln-runtime-scanner to v1.6.3
---
 charts/node-analyzer/Chart.yaml | 2 +-
 charts/node-analyzer/README.md | 2 +-
 charts/node-analyzer/values.yaml | 2 +-
 charts/sysdig/Chart.yaml | 2 +-
 charts/sysdig/README.md | 316 +++++++++++++++----------------
 charts/sysdig/values.yaml | 2 +-
 6 files changed, 163 insertions(+), 163 deletions(-)
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
index 6eed856db..ea2fbabcd 100644
--- a/charts/node-analyzer/Chart.yaml
+++ b/charts/node-analyzer/Chart.yaml
@@ -3,7 +3,7 @@ name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.17.12
+version: 1.17.13
 appVersion: 12.8.0
 keywords:
 - monitoring
diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
index 111ac0c84..c3ee89ba9 100644
--- a/charts/node-analyzer/README.md
+++ b/charts/node-analyzer/README.md
@@ -196,7 +196,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
 | `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` |
 | `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` |
-| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.6.2` |
+| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.6.3` |
 | `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` |
 | `nodeAnalyzer.runtimeScanner.image.pullPolicy` | Specifies the image pull policy for the Runtime Scanner. | `""` |
 | `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Specifies the Runtime Scanner CPU requests per node. | `150m` |
diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml
index 30852b2b1..355dbdce0 100644
--- a/charts/node-analyzer/values.yaml
+++ b/charts/node-analyzer/values.yaml
@@ -289,7 +289,7 @@ nodeAnalyzer:
 probesPort: 7002
 image:
 repository: sysdig/vuln-runtime-scanner
- tag: "1.6.2"
+ tag: "1.6.3"
 digest:
 pullPolicy:
 storageClassName:
diff --git a/charts/sysdig/Chart.yaml b/charts/sysdig/Chart.yaml
index c3315d9f3..08dc0d858 100644
--- a/charts/sysdig/Chart.yaml
+++ b/charts/sysdig/Chart.yaml
@@ -15,4 +15,4 @@ name: sysdig
 sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
-version: 1.16.17
+version: 1.16.18
diff --git a/charts/sysdig/README.md b/charts/sysdig/README.md
index a3a1220fa..ab4624cc1 100644
--- a/charts/sysdig/README.md
+++ b/charts/sysdig/README.md
@@ -148,165 +148,165 @@ The following table lists the configurable parameters of the Sysdig chart and th ### General Parameters -| Parameter | Description | Default | -| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | -| `image.registry` | Sysdig Agent image registry. | `quay.io` | -| `image.repository` | The image repository to pull from. | `sysdig/agent` | -| `image.tag` | The image tag to pull | `12.16.0` | -| `image.digest` | The image digest to pull. | ` ` | -| `image.pullPolicy` | The Image pull policy. | `IfNotPresent` | -| `image.pullSecrets` | Image pull secrets. | `nil` | -| `resourceProfile` | Sysdig Agent resource profile. See [Resource profiles](#resource-profiles). | `small` | -| `resources.requests.cpu` | The CPU requested to be run in a node. | ` ` | -| `resources.requests.memory` | The memory requested to be run in a node. | ` ` | -| `resources.limits.cpu` | The CPU limit. | ` ` | -| `resources.limits.memory` | The memory limit. | ` ` | -| `gke.autopilot` | If set to `true`, the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | -| `rbac.create` | If set to `true`, RBAC resources are created and used. | `true` | -| `scc.create` | Creates OpenShift's Security Context constrain.t | `true` | -| `psp.create` | Creates Pod Security Policy to allow the agent that is running in clusters with PSP enabled. | `true` | -| `serviceAccount.create` | Creates the serviceAccount. | `true` | -| `serviceAccount.name` | The value you specify will be used as the `serviceAccountName`. | ` ` | -| `priorityClassName` | Sets the priority class for the agent daemonset. | `""` | -| `daemonset.deploy` | Deploys the agent daemonset. | `true` | -| `daemonset.env` | Environment variables for the agent container. Provide as map of `VAR: val`. 
| `{}` | -| `daemonset.updateStrategy.type` | The updateStrategy for updating the daemonset. | `RollingUpdate` | -| `daemonset.updateStrategy.type.maxUnavailable` | The maximum number of pods that can be unavailable during the update process. | | -| `daemonset.nodeSelector` | Node Selector. | `{}` | -| `daemonset.arch` | Allowed architectures for scheduling. | `[ amd64, arm64, s390x ]` | -| `daemonset.os` | Allowed operating systems for scheduling. | `[ linux ]` | -| `daemonset.affinity` | Node affinities. Overrides `daemonset.arch` and `daemonset.os` values. | `{}` | -| `daemonset.annotations` | The custom annotations for DaemonSet. | `{}` | -| `daemonset.labels` | The custom labels for daemonset as a multi-line templated string map or as YAML. | | -| `daemonset.probes.initialDelay` | Specifies the initial delay for liveness and readiness probes. DaemonSet. | `{}` | -| `daemonset.kmodule.env` | Environment variables for the kernel module image builder. Provide as map of `VAR: val`. | `{}` | -| `slim.enabled` | Uses the slim-based Sysdig Agent image. | `true` | -| `slim.image.repository` | The slim Agent image repository. | `sysdig/agent-slim` | -| `slim.kmoduleImage.repository` | The repository to pull the kernel module image builder from. | `sysdig/agent-kmodule` | -| `slim.kmoduleImage.digest` | The image digest to pull. | ` ` | -| `slim.resources.requests.cpu` | The CPU requested for building the kernel module. | `1000m` | -| `slim.resources.requests.memory` | The memory requested for building the kernel module. | `348Mi` | -| `slim.resources.limits.cpu` | The CPU limit for building the kernel module | `1000m` | -| `slim.resources.limits.memory` | The memory limit for building the kernel module. | `512Mi` | -| `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` | -| `ebpf.settings.mountEtcVolume` | Detects which kernel version are running in Google COS. 
| `true` | -| `clusterName` | Set sa cluster name to identify events using *kubernetes.cluster.name* tag. | ` ` | -| `sysdig.accessKey` | Your Sysdig Agent Access Key. | ` ` Either accessKey or existingAccessKeySecret is required | -| `sysdig.existingAccessKeySecret` | Alternativel to providing the Sysdig Access Key. Specifies the name of a Kubernetes secret containing an `access-key` entry. | ` ` Either accessKey or existingAccessKeySecret is required | -| `sysdig.disableCaptures` | Disables capture functionality. See [Capture](https://docs.sysdig.com/en/disable-captures.html). | `false` | -| `sysdig.settings` | Specifies the additional settings that are included in the agent configuration file, `dragent.yaml`. | `{}` | -| `secure.enabled` | Enables Sysdig Secure. | `true` | -| `secure.vulnerabilityManagement.newEngineOnly` | Enables only the new vulnerabilty management engines | `false` | -| `auditLog.enabled` | Enables Kubernetes audit log support for Sysdig Secure. | `false` | -| `auditLog.auditServerUrl` | The URL where Sysdig Agent listens for Kubernetesaudit log events. | `0.0.0.0` | -| `auditLog.auditServerPort` | The port where Sysdig Agent listens for Kubernetes audit log events. | `7765` | -| `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` | -| `customAppChecks` | The custom app checks deployed with your agent. | `{}` | -| `tolerations` | The tolerations for scheduling. | `node-role.kubernetes.io/master:NoSchedule` | -| `leaderelection.enable` | Uses the agent leader election algorithm. | `false` | -| `prometheus.file` | Uses file to configure promscrape. | `false` | -| `prometheus.yaml` | The `prometheus.yaml` content to configure metric collection: relabelling and filtering | ` ` | -| `extraVolumes.volumes` | Additional volumes to mount in the sysdig agent to pass new secrets or ConfigMaps. | `[]` | -| `extraVolumes.mounts` | The mount points for additional volumes. 
| `[]` | -| `extraSecrets` | Allows passing extra secrets that can be mounted via extraVolumes. | `[]` | -| `kspm.deploy` | Enables Sysdig KSPM node analyzer and KSPM collector. | `false` | -| `nodeAnalyzer.deploy` | Deploys the Node Analyzer. | `true` | -| `nodeAnalyzer.apiEndpoint` | Sysdig secure API endpoint without the protocol: `secure.sysdig.com` | ` ` | -| `nodeAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as in an on-prem deployment. | | -| `nodeAnalyzer.debug` | Set to `true` to show debug logging. Useful for troubleshooting. | | -| `nodeAnalyzer.labels` | NodeAnalyzer specific labels as a multi-line templated string map or as YAML. | | -| `nodeAnalyzer.priorityClassName` | The priority class name variable. | | -| `nodeAnalyzer.httpProxy` | The proxy configuration variables. | | -| `nodeAnalyzer.httpsProxy` | The secure proxy configuration variables. | | -| `nodeAnalyzer.noProxy` | The no proxy configuration variables. | | -| `nodeAnalyzer.pullSecrets` | The image pull secrets for the Node Analyzer containers. | `nil` | -| `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true ` | -| `nodeAnalyzer.imageAnalyzer.image.repository` | The image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | -| `nodeAnalyzer.imageAnalyzer.image.tag` | The image tag to pull the Node Image Analyzer. | `0.1.29` | -| `nodeAnalyzer.imageAnalyzer.image.digest` | The image digest to pull. | ` ` | -| `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | The Image pull policy for the Node Image Analyzer. | `IfNotPresent` | -| `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | The Docker socket path. | | -| `nodeAnalyzer.imageAnalyzer.criSocketPath` | The socket path to a CRI compatible runtime, such as CRI-O. | | -| `nodeAnalyzer.imageAnalyzer.containerdSocketPath` | The socket path to a CRI-Containerd daemon. 
| | -| `nodeAnalyzer.imageAnalyzer.extraVolumes.volumes` | Additional volumes to mount in the Node Image Analyzer. For example, docker socket. | `[]` | -| `nodeAnalyzer.imageAnalyzer.extraVolumes.mounts` | The mount points for additional volumes. | `[]` | -| `nodeAnalyzer.imageAnalyzer.resources.requests.cpu` | Node Image Analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.imageAnalyzer.resources.requests.memory` | Node Image Analyzer Memory requests per node. | `512Mi` | -| `nodeAnalyzer.imageAnalyzer.resources.limits.cpu` | Node Image Analyzer CPU limit per node. | `500m` | -| `nodeAnalyzer.imageAnalyzer.resources.limits.memory` | Node Image Analyzer Memory limit per node. | `1536Mi` | -| `nodeAnalyzer.imageAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true ` | -| `nodeAnalyzer.hostAnalyzer.image.repository` | The image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | -| `nodeAnalyzer.hostAnalyzer.image.tag` | The image tag to pull the Host Analyzer. | `0.1.17` | -| `nodeAnalyzer.hostAnalyzer.image.digest` | The image digest to pull. | ` ` | -| `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | The Image pull policy for the Host Analyzer. | `IfNotPresent` | -| `nodeAnalyzer.hostAnalyzer.schedule` | The scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | +| Parameter | Description | Default | +| ------------------------------------------------------------ | ------------------------------------------------------------ |--------------------------------------------------------------------------------| +| `image.registry` | Sysdig Agent image registry. | `quay.io` | +| `image.repository` | The image repository to pull from. | `sysdig/agent` | +| `image.tag` | The image tag to pull | `12.16.0` | +| `image.digest` | The image digest to pull. 
| ` ` | +| `image.pullPolicy` | The Image pull policy. | `IfNotPresent` | +| `image.pullSecrets` | Image pull secrets. | `nil` | +| `resourceProfile` | Sysdig Agent resource profile. See [Resource profiles](#resource-profiles). | `small` | +| `resources.requests.cpu` | The CPU requested to be run in a node. | ` ` | +| `resources.requests.memory` | The memory requested to be run in a node. | ` ` | +| `resources.limits.cpu` | The CPU limit. | ` ` | +| `resources.limits.memory` | The memory limit. | ` ` | +| `gke.autopilot` | If set to `true`, the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | +| `rbac.create` | If set to `true`, RBAC resources are created and used. | `true` | +| `scc.create` | Creates OpenShift's Security Context constrain.t | `true` | +| `psp.create` | Creates Pod Security Policy to allow the agent that is running in clusters with PSP enabled. | `true` | +| `serviceAccount.create` | Creates the serviceAccount. | `true` | +| `serviceAccount.name` | The value you specify will be used as the `serviceAccountName`. | ` ` | +| `priorityClassName` | Sets the priority class for the agent daemonset. | `""` | +| `daemonset.deploy` | Deploys the agent daemonset. | `true` | +| `daemonset.env` | Environment variables for the agent container. Provide as map of `VAR: val`. | `{}` | +| `daemonset.updateStrategy.type` | The updateStrategy for updating the daemonset. | `RollingUpdate` | +| `daemonset.updateStrategy.type.maxUnavailable` | The maximum number of pods that can be unavailable during the update process. | | +| `daemonset.nodeSelector` | Node Selector. | `{}` | +| `daemonset.arch` | Allowed architectures for scheduling. | `[ amd64, arm64, s390x ]` | +| `daemonset.os` | Allowed operating systems for scheduling. | `[ linux ]` | +| `daemonset.affinity` | Node affinities. Overrides `daemonset.arch` and `daemonset.os` values. | `{}` | +| `daemonset.annotations` | The custom annotations for DaemonSet. 
| `{}` | +| `daemonset.labels` | The custom labels for daemonset as a multi-line templated string map or as YAML. | | +| `daemonset.probes.initialDelay` | Specifies the initial delay for liveness and readiness probes. DaemonSet. | `{}` | +| `daemonset.kmodule.env` | Environment variables for the kernel module image builder. Provide as map of `VAR: val`. | `{}` | +| `slim.enabled` | Uses the slim-based Sysdig Agent image. | `true` | +| `slim.image.repository` | The slim Agent image repository. | `sysdig/agent-slim` | +| `slim.kmoduleImage.repository` | The repository to pull the kernel module image builder from. | `sysdig/agent-kmodule` | +| `slim.kmoduleImage.digest` | The image digest to pull. | ` ` | +| `slim.resources.requests.cpu` | The CPU requested for building the kernel module. | `1000m` | +| `slim.resources.requests.memory` | The memory requested for building the kernel module. | `348Mi` | +| `slim.resources.limits.cpu` | The CPU limit for building the kernel module | `1000m` | +| `slim.resources.limits.memory` | The memory limit for building the kernel module. | `512Mi` | +| `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` | +| `ebpf.settings.mountEtcVolume` | Detects which kernel version are running in Google COS. | `true` | +| `clusterName` | Set sa cluster name to identify events using *kubernetes.cluster.name* tag. | ` ` | +| `sysdig.accessKey` | Your Sysdig Agent Access Key. | ` ` Either accessKey or existingAccessKeySecret is required | +| `sysdig.existingAccessKeySecret` | Alternativel to providing the Sysdig Access Key. Specifies the name of a Kubernetes secret containing an `access-key` entry. | ` ` Either accessKey or existingAccessKeySecret is required | +| `sysdig.disableCaptures` | Disables capture functionality. See [Capture](https://docs.sysdig.com/en/disable-captures.html). 
| `false` | +| `sysdig.settings` | Specifies the additional settings that are included in the agent configuration file, `dragent.yaml`. | `{}` | +| `secure.enabled` | Enables Sysdig Secure. | `true` | +| `secure.vulnerabilityManagement.newEngineOnly` | Enables only the new vulnerabilty management engines | `false` | +| `auditLog.enabled` | Enables Kubernetes audit log support for Sysdig Secure. | `false` | +| `auditLog.auditServerUrl` | The URL where Sysdig Agent listens for Kubernetesaudit log events. | `0.0.0.0` | +| `auditLog.auditServerPort` | The port where Sysdig Agent listens for Kubernetes audit log events. | `7765` | +| `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` | +| `customAppChecks` | The custom app checks deployed with your agent. | `{}` | +| `tolerations` | The tolerations for scheduling. | `node-role.kubernetes.io/master:NoSchedule` | +| `leaderelection.enable` | Uses the agent leader election algorithm. | `false` | +| `prometheus.file` | Uses file to configure promscrape. | `false` | +| `prometheus.yaml` | The `prometheus.yaml` content to configure metric collection: relabelling and filtering | ` ` | +| `extraVolumes.volumes` | Additional volumes to mount in the sysdig agent to pass new secrets or ConfigMaps. | `[]` | +| `extraVolumes.mounts` | The mount points for additional volumes. | `[]` | +| `extraSecrets` | Allows passing extra secrets that can be mounted via extraVolumes. | `[]` | +| `kspm.deploy` | Enables Sysdig KSPM node analyzer and KSPM collector. | `false` | +| `nodeAnalyzer.deploy` | Deploys the Node Analyzer. | `true` | +| `nodeAnalyzer.apiEndpoint` | Sysdig secure API endpoint without the protocol: `secure.sysdig.com` | ` ` | +| `nodeAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as in an on-prem deployment. | | +| `nodeAnalyzer.debug` | Set to `true` to show debug logging. 
Useful for troubleshooting. | | +| `nodeAnalyzer.labels` | NodeAnalyzer specific labels as a multi-line templated string map or as YAML. | | +| `nodeAnalyzer.priorityClassName` | The priority class name variable. | | +| `nodeAnalyzer.httpProxy` | The proxy configuration variables. | | +| `nodeAnalyzer.httpsProxy` | The secure proxy configuration variables. | | +| `nodeAnalyzer.noProxy` | The no proxy configuration variables. | | +| `nodeAnalyzer.pullSecrets` | The image pull secrets for the Node Analyzer containers. | `nil` | +| `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true ` | +| `nodeAnalyzer.imageAnalyzer.image.repository` | The image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | +| `nodeAnalyzer.imageAnalyzer.image.tag` | The image tag to pull the Node Image Analyzer. | `0.1.29` | +| `nodeAnalyzer.imageAnalyzer.image.digest` | The image digest to pull. | ` ` | +| `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | The Image pull policy for the Node Image Analyzer. | `IfNotPresent` | +| `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | The Docker socket path. | | +| `nodeAnalyzer.imageAnalyzer.criSocketPath` | The socket path to a CRI compatible runtime, such as CRI-O. | | +| `nodeAnalyzer.imageAnalyzer.containerdSocketPath` | The socket path to a CRI-Containerd daemon. | | +| `nodeAnalyzer.imageAnalyzer.extraVolumes.volumes` | Additional volumes to mount in the Node Image Analyzer. For example, docker socket. | `[]` | +| `nodeAnalyzer.imageAnalyzer.extraVolumes.mounts` | The mount points for additional volumes. | `[]` | +| `nodeAnalyzer.imageAnalyzer.resources.requests.cpu` | Node Image Analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.imageAnalyzer.resources.requests.memory` | Node Image Analyzer Memory requests per node. | `512Mi` | +| `nodeAnalyzer.imageAnalyzer.resources.limits.cpu` | Node Image Analyzer CPU limit per node. 
| `500m` | +| `nodeAnalyzer.imageAnalyzer.resources.limits.memory` | Node Image Analyzer Memory limit per node. | `1536Mi` | +| `nodeAnalyzer.imageAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true ` | +| `nodeAnalyzer.hostAnalyzer.image.repository` | The image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | +| `nodeAnalyzer.hostAnalyzer.image.tag` | The image tag to pull the Host Analyzer. | `0.1.17` | +| `nodeAnalyzer.hostAnalyzer.image.digest` | The image digest to pull. | ` ` | +| `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | The Image pull policy for the Host Analyzer. | `IfNotPresent` | +| `nodeAnalyzer.hostAnalyzer.schedule` | The scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | | `nodeAnalyzer.hostAnalyzer.dirsToScan` | The list of directories to inspect during the scan. | `/etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db` | -| `nodeAnalyzer.hostAnalyzer.maxSendAttempts` | The number of times the analysis collector is allowed to retry sending results. | `3` | -| `nodeAnalyzer.hostAnalyzer.resources.requests.cpu` | Host Analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.hostAnalyzer.resources.requests.memory` | Host Analyzer memory requests per node. | `512Mi` | -| `nodeAnalyzer.hostAnalyzer.resources.limits.cpu` | Host Analyzer CPU limit per node. | `500m` | -| `nodeAnalyzer.hostAnalyzer.resources.limits.memory` | Host Analyzer Memory limit per node. | `1536Mi` | -| `nodeAnalyzer.hostAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.benchmarkRunner.deploy` | Deploys the Benchmark Runner. | `true ` | -| `nodeAnalyzer.benchmarkRunner.image.repository` | The image repository to pull the Benchmark Runner from. 
| `sysdig/compliance-benchmark-runner` | -| `nodeAnalyzer.benchmarkRunner.image.tag` | The image tag to pull the Benchmark Runner. | `1.1.0.8` | -| `nodeAnalyzer.benchmarkRunner.image.digest` | The image digest to pull. | ` ` | -| `nodeAnalyzer.benchmarkRunner.image.pullPolicy` | The Image pull policy for the Benchmark Runner. | `IfNotPresent` | -| `nodeAnalyzer.benchmarkRunner.includeSensitivePermissions` | Grants the service account elevated permissions to run CIS Benchmark for OS4. | `false` | -| `nodeAnalyzer.benchmarkRunner.resources.requests.cpu` | Benchmark Runner CPU requests per node. | `150m` | -| `nodeAnalyzer.benchmarkRunner.resources.requests.memory` | Benchmark Runner memory requests per node. | `128Mi` | -| `nodeAnalyzer.benchmarkRunner.resources.limits.cpu` | Benchmark Runner CPU limit per node. | `500m` | -| `nodeAnalyzer.benchmarkRunner.resources.limits.memory` | Benchmark Runner memory limit per node. | `256Mi` | -| `nodeAnalyzer.benchmarkRunner.env` | The extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` | -| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | | -| `nodeAnalyzer.runtimeScanner.image.repository` | The image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` | -| `nodeAnalyzer.runtimeScanner.image.tag` | The image tag to pull the Runtime Scanner. | `1.5.7` | -| `nodeAnalyzer.runtimeScanner.image.digest` | The image digest to pull. | ` ` | -| `nodeAnalyzer.runtimeScanner.image.pullPolicy` | The image pull policy for the Runtime Scanner. | `IfNotPresent` | -| `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Runtime Scanner CPU requests per node. | `250m` | -| `nodeAnalyzer.runtimeScanner.resources.requests.memory` | Runtime Scanner memory requests per node. 
| `512Mi` | -| `nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage` | Runtime Scanner Storage requests per node. | `2Gi` | -| `nodeAnalyzer.runtimeScanner.resources.limits.cpu` | Runtime Scanner CPU limit per node. | `500m` | -| `nodeAnalyzer.runtimeScanner.resources.limits.memory` | Runtime Scanner memory limit per node. | `1536Mi` | -| `nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage` | Runtime Scanner storage limit per node. | `4Gi` | -| `nodeAnalyzer.runtimeScanner.env` | The extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.runtimeScanner.settings.eveEnabled` | Enables Sysdig Eve. | `false` | -| `nodeAnalyzer.runtimeScanner.eveConnector.image.repository` | The image repository to pull the Eve Connector from. | `sysdig/eveclient-api` | -| `nodeAnalyzer.runtimeScanner.eveConnector.image.tag` | The image tag to pull the Eve Connector. | `1.1.0` | -| `nodeAnalyzer.runtimeScanner.eveConnector.deploy` | Enables Sysdig Eve Connector for third-party integrations. | `false` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu` | Eve Connector CPU requests per node. | `100m` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory` | Eve Connector Memory requests per node. | `128Mi` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu` | Eve Connector CPU limits per node. | `1000m` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory` | Eve Connector memory limits per node. | `512Mi` | -| `nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas` | Eve Connector deployment replicas. | `1` | -| `nodeAnalyzer.kspmAnalyzer.debug` | Set to `true` to show KSPM node analyzer debug logging; useful for troubleshooting. | `false` | -| `nodeAnalyzer.kspmAnalyzer.image.repository` | The image repository to pull the KSPM node analyzer from. 
| `sysdig/kspm-analyzer` | -| `nodeAnalyzer.kspmAnalyzer.image.tag` | The image tag to pull the KSPM node analyzer. | `1.5.0` | -| `nodeAnalyzer.kspmAnalyzer.image.digest` | The image digest to pull. | ` ` | -| `nodeAnalyzer.kspmAnalyzer.image.pullPolicy` | The image pull policy for the KSPM node analyzer. | `IfNotPresent` | -| `nodeAnalyzer.kspmAnalyzer.resources.requests.cpu` | KSPM node analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.kspmAnalyzer.resources.requests.memory` | KSPM node analyzer Memory requests per node. | `256Mi` | -| `nodeAnalyzer.kspmAnalyzer.resources.limits.cpu` | KSPM node analyzer CPU limits per node. | `500m` | -| `nodeAnalyzer.kspmAnalyzer.resources.limits.memory` | KSPM node analyzer memory limits per node. | `1536Mi` | -| `nodeAnalyzer.kspmAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` | -| `kspmCollector.image.tag` | The image tag to pull the KSPM collector. | `1.5.0` | -| `kspmCollector.image.digest` | The image digest to pull. | ` ` | -| `kspmCollector.image.pullPolicy` | The image pull policy for the KSPM collector. | `IfNotPresent` | -| `kspmCollector.settings.replicas` | KSPM collector deployment replicas. | `1` | -| `kspmCollector.settings.namespaces.included` | The namespaces to include in the KSPM collector scans, when empty scans all. | `` | -| `kspmCollector.settings.namespaces.excluded` | The namespaces to exclude in the KSPM collector scans. | `` | -| `kspmCollector.settings.workloads.included` | The workloads to include in the KSPM collector scans, when empty scans all. | `` | -| `kspmCollector.settings.workloads.excluded` | The workloads to exclude in the KSPM collector scans, when empty scans all. | `` | -| `kspmCollector.settings.healthIntervalMin` | The interval in minutes for KSPM collector health status messages. | `5` | -| `kspmCollector.resources.requests.cpu` | KSPM collector CPU requests per node. 
| `150m` |
-| `kspmCollector.resources.requests.memory` | KSPM collector memory requests per node. | `256Mi` |
-| `kspmCollector.resources.limits.cpu` | KSPM collector CPU limits per node. | `500m` |
-| `kspmCollector.resources.limits.memory` | KSPM collector memory limits per node. | `1536Mi` |
-| `kspmCollector.env` | The extra environment variables that will be passed onto pods. | `{}` |
-| `nodeAnalyzer.nodeSelector` | Node Selector. | `{}` |
-| `nodeAnalyzer.affinity` | Node affinities. | `schedule on amd64 and linux` |
+| `nodeAnalyzer.hostAnalyzer.maxSendAttempts` | The number of times the analysis collector is allowed to retry sending results. | `3` |
+| `nodeAnalyzer.hostAnalyzer.resources.requests.cpu` | Host Analyzer CPU requests per node. | `150m` |
+| `nodeAnalyzer.hostAnalyzer.resources.requests.memory` | Host Analyzer memory requests per node. | `512Mi` |
+| `nodeAnalyzer.hostAnalyzer.resources.limits.cpu` | Host Analyzer CPU limit per node. | `500m` |
+| `nodeAnalyzer.hostAnalyzer.resources.limits.memory` | Host Analyzer Memory limit per node. | `1536Mi` |
+| `nodeAnalyzer.hostAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` |
+| `nodeAnalyzer.benchmarkRunner.deploy` | Deploys the Benchmark Runner. | `true ` |
+| `nodeAnalyzer.benchmarkRunner.image.repository` | The image repository to pull the Benchmark Runner from. | `sysdig/compliance-benchmark-runner` |
+| `nodeAnalyzer.benchmarkRunner.image.tag` | The image tag to pull the Benchmark Runner. | `1.1.0.8` |
+| `nodeAnalyzer.benchmarkRunner.image.digest` | The image digest to pull. | ` ` |
+| `nodeAnalyzer.benchmarkRunner.image.pullPolicy` | The Image pull policy for the Benchmark Runner. | `IfNotPresent` |
+| `nodeAnalyzer.benchmarkRunner.includeSensitivePermissions` | Grants the service account elevated permissions to run CIS Benchmark for OS4. | `false` |
+| `nodeAnalyzer.benchmarkRunner.resources.requests.cpu` | Benchmark Runner CPU requests per node. | `150m` |
+| `nodeAnalyzer.benchmarkRunner.resources.requests.memory` | Benchmark Runner memory requests per node. | `128Mi` |
+| `nodeAnalyzer.benchmarkRunner.resources.limits.cpu` | Benchmark Runner CPU limit per node. | `500m` |
+| `nodeAnalyzer.benchmarkRunner.resources.limits.memory` | Benchmark Runner memory limit per node. | `256Mi` |
+| `nodeAnalyzer.benchmarkRunner.env` | The extra environment variables that will be passed onto pods. | `{}` |
+| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
+| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
+| `nodeAnalyzer.runtimeScanner.image.repository` | The image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` |
+| `nodeAnalyzer.runtimeScanner.image.tag` | The image tag to pull the Runtime Scanner. | `1.6.3` |
+| `nodeAnalyzer.runtimeScanner.image.digest` | The image digest to pull. | ` ` |
+| `nodeAnalyzer.runtimeScanner.image.pullPolicy` | The image pull policy for the Runtime Scanner. | `IfNotPresent` |
+| `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Runtime Scanner CPU requests per node. | `250m` |
+| `nodeAnalyzer.runtimeScanner.resources.requests.memory` | Runtime Scanner memory requests per node. | `512Mi` |
+| `nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage` | Runtime Scanner Storage requests per node. | `2Gi` |
+| `nodeAnalyzer.runtimeScanner.resources.limits.cpu` | Runtime Scanner CPU limit per node. | `500m` |
+| `nodeAnalyzer.runtimeScanner.resources.limits.memory` | Runtime Scanner memory limit per node. | `1536Mi` |
+| `nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage` | Runtime Scanner storage limit per node. | `4Gi` |
+| `nodeAnalyzer.runtimeScanner.env` | The extra environment variables that will be passed onto pods. | `{}` |
+| `nodeAnalyzer.runtimeScanner.settings.eveEnabled` | Enables Sysdig Eve. | `false` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.image.repository` | The image repository to pull the Eve Connector from. | `sysdig/eveclient-api` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.image.tag` | The image tag to pull the Eve Connector. | `1.1.0` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.deploy` | Enables Sysdig Eve Connector for third-party integrations. | `false` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu` | Eve Connector CPU requests per node. | `100m` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory` | Eve Connector Memory requests per node. | `128Mi` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu` | Eve Connector CPU limits per node. | `1000m` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory` | Eve Connector memory limits per node. | `512Mi` |
+| `nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas` | Eve Connector deployment replicas. | `1` |
+| `nodeAnalyzer.kspmAnalyzer.debug` | Set to `true` to show KSPM node analyzer debug logging; useful for troubleshooting. | `false` |
+| `nodeAnalyzer.kspmAnalyzer.image.repository` | The image repository to pull the KSPM node analyzer from. | `sysdig/kspm-analyzer` |
+| `nodeAnalyzer.kspmAnalyzer.image.tag` | The image tag to pull the KSPM node analyzer. | `1.5.0` |
+| `nodeAnalyzer.kspmAnalyzer.image.digest` | The image digest to pull. | ` ` |
+| `nodeAnalyzer.kspmAnalyzer.image.pullPolicy` | The image pull policy for the KSPM node analyzer. | `IfNotPresent` |
+| `nodeAnalyzer.kspmAnalyzer.resources.requests.cpu` | KSPM node analyzer CPU requests per node. | `150m` |
+| `nodeAnalyzer.kspmAnalyzer.resources.requests.memory` | KSPM node analyzer Memory requests per node. | `256Mi` |
+| `nodeAnalyzer.kspmAnalyzer.resources.limits.cpu` | KSPM node analyzer CPU limits per node. | `500m` |
+| `nodeAnalyzer.kspmAnalyzer.resources.limits.memory` | KSPM node analyzer memory limits per node. | `1536Mi` |
+| `nodeAnalyzer.kspmAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` |
+| `kspmCollector.image.tag` | The image tag to pull the KSPM collector. | `1.5.0` |
+| `kspmCollector.image.digest` | The image digest to pull. | ` ` |
+| `kspmCollector.image.pullPolicy` | The image pull policy for the KSPM collector. | `IfNotPresent` |
+| `kspmCollector.settings.replicas` | KSPM collector deployment replicas. | `1` |
+| `kspmCollector.settings.namespaces.included` | The namespaces to include in the KSPM collector scans, when empty scans all. | `` |
+| `kspmCollector.settings.namespaces.excluded` | The namespaces to exclude in the KSPM collector scans. | `` |
+| `kspmCollector.settings.workloads.included` | The workloads to include in the KSPM collector scans, when empty scans all. | `` |
+| `kspmCollector.settings.workloads.excluded` | The workloads to exclude in the KSPM collector scans, when empty scans all. | `` |
+| `kspmCollector.settings.healthIntervalMin` | The interval in minutes for KSPM collector health status messages. | `5` |
+| `kspmCollector.resources.requests.cpu` | KSPM collector CPU requests per node. | `150m` |
+| `kspmCollector.resources.requests.memory` | KSPM collector memory requests per node. | `256Mi` |
+| `kspmCollector.resources.limits.cpu` | KSPM collector CPU limits per node. | `500m` |
+| `kspmCollector.resources.limits.memory` | KSPM collector memory limits per node. | `1536Mi` |
+| `kspmCollector.env` | The extra environment variables that will be passed onto pods. | `{}` |
+| `nodeAnalyzer.nodeSelector` | Node Selector. | `{}` |
+| `nodeAnalyzer.affinity` | Node affinities. | `schedule on amd64 and linux` |
 ### Node Image Analyzer Parameters (Deprecated by `nodeAnalyzer`)
diff --git a/charts/sysdig/values.yaml b/charts/sysdig/values.yaml
index 5d5380efe..402cfa65b 100644
--- a/charts/sysdig/values.yaml
+++ b/charts/sysdig/values.yaml
@@ -432,7 +432,7 @@ nodeAnalyzer:
 deploy: false
 image:
 repository: sysdig/vuln-runtime-scanner
- tag: 1.5.7
+ tag: 1.6.3
 digest: null
 pullPolicy: IfNotPresent
 extraMounts: []