values.yaml

# Default values for Trend Micro Cloud One - Container Security.
# This is a YAML-formatted file.

cloudOne:
  ## API key to be used with Trend Micro Cloud One Container Security
  ##
  ## Default value: (none)
  apiKey:
  ## endpoint is the url of Trend Micro Cloud One Container Security service
  ## Allows for full endpoint to be provided or the Cloud One region (ex: us-1).
  ##
  ## Default value: https://container.us-1.cloudone.trendmicro.com
  endpoint: https://container.us-1.cloudone.trendmicro.com

  exclusion:
    ## List of namespaces for which events will not be generated
    ##
    ## Default Value:
    ##  - kube-system
    namespaces:
    - kube-system

  admissionController:
    enabled: true

    ## validationNamespaceSelector is a namespace selector defined so that matching namespaces will
    ## be subject to validation.
    ##
    ## For more information about namespace selectors, please see
    ## https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
    ## https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    validationNamespaceSelector:
      matchExpressions:
      - key: ignoreAdmissionControl
        operator: DoesNotExist

    ## failurePolicy defines the bahaviour if an unreconized error or timeout occurs. Enabling
    ## this while not tagging kube-system to be ignored can easily cause the cluster to be
    ## unresponsive.
    ##
    ## Default value: Ignore
    failurePolicy: Ignore

    ## When scannerValidation is enabled, admission-controller validates the user who handle scan jobs for runtime vulnerability scanning feature.
    ## After enabling this, only default scan-manager service account, kube-system components and usernames in the below trustedScanOperators list can handle scan jobs.
    ##
    ## Default value: false
    scannerValidation: false

    ## List of K8s usernames that admission-controller will let handle scan jobs pods
    ##
    ## Default value:
    ##  - aksService
    trustedScanOperators:
    - aksService

    certificate:
      ## commonName is the common name to use in the default signed certificate.
      ##
      ## Default value:
      commonName:

      ## ipAlternativeNames is a list of IP addresses to include as alternate names.
      ## in the default signed certificate.
      ##
      ## Default value: []
      ipAlternativeNames: []

      ## dnsAlternativeNames is a list of DNS names to include as alternate names
      ## in the default signed certificate.
      ##
      ## Default value: []
      dnsAlternativeNames: []

      ## lifetime is the lifetime in days of the default signed certificate.
      ##
      ## Default value: 3650
      lifetime: 3650

    ## webhookTimeoutSeconds defines the timeout used in validating admission webhook.
    ##
    ## Default value: 30
    webhookTimeoutSeconds: 30

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  oversight:
    enabled: true

    ## syncPeriod is the time interval that how often Trend Micro Cloud One Container Security will evaluate
    ## the running pods.
    ##
    ## Default value: 3600s
    ## Minimum value: 600s
    ##
    syncPeriod: 3600s

    ## pageSize is the maximum page size when fetching list of pods.
    ##
    ## Default value: 100
    ## Minimum value: 1
    ##
    pageSize: 100

    ## enableNetworkPolicyCreation will tell the Oversight controller to create the Kubernetes network policy if it doesn't exist.
    ## The created network policy is used to perform `isolate` mitigation. The created network policy will not get cleaned up automatically.
    ##
    ## Default value: true
    ##
    enableNetworkPolicyCreation: true

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  workloadOperator:
    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  scanManager:
    ## Maximum number of scan jobs running at once.
    ##
    ## Default value: 5
    ## Maximum value: 100
    ## Minimum value: 3
    ##
    maxJobCount: 5
    ## activeDeadlineSeconds is the maximum duration a scan job can run before timing out.
    ##
    ## Default value: 3600
    ##
    activeDeadlineSeconds: 3600

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  runtimeSecurity:
    enabled: false
    customRules:
      enabled: false
      output:
        json: true
        splunk:
          url: https://splunkserver/services/collector/raw
          headers:
          - ''

  complianceScan:
    enabled: true
    ## activeDeadlineSeconds is the maximum duration a compliance scan job can run before timing out.
    ##
    ## Default value: 600
    ##
    activeDeadlineSeconds: 600

  vulnerabilityScanning:
    enabled: false

  fargateInjector:
    enabled: false
    logLevel: error
    certificate:
      ## commonName is the common name to use in the default signed certificate.
      ##
      ## Default value:
      commonName:

      ## ipAlternativeNames is a list of IP addresses to include as alternate names.
      ## in the default signed certificate.
      ##
      ## Default value: []
      ipAlternativeNames: []

      ## dnsAlternativeNames is a list of DNS names to include as alternate names
      ## in the default signed certificate.
      ##
      ## Default value: []
      dnsAlternativeNames: []

      ## lifetime is the lifetime in days of the default signed certificate.
      ##
      ## Default value: 3650
      lifetime: 3650

    ## failurePolicy defines the bahaviour if an unreconized error or timeout occurs. Enabling
    ## this while not tagging kube-system to be ignored can easily cause the cluster to be
    ## unresponsive.
    ##
    ## Default value: Ignore
    failurePolicy: Ignore

  inventoryCollection:
    ## enable the inventory collection feature
    enabled: false
    ## Minimum value: 5m
    ## Maximum value: 1d
    period: 5m

  k8sMetaCollector:
    ## grpc authentication settings
    grpcAuth:
      ## authentication mode, insecure or tls
      type: tls

      ## certificate settings
      certificate:
        ## lifetime is the lifetime in days of the default signed certificate.
        ##
        ## Default value: 3650
        lifetime: 3650

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info 
    logLevel: info

  kubeRbacProxy:
    certificate:
      ## commonName is the common name to use in the default signed certificate.
      ##
      ## Default value:
      commonName:

      ## ipAlternativeNames is a list of IP addresses to include as alternate names.
      ## in the default signed certificate.
      ##
      ## Default value: []
      ipAlternativeNames: []

      ## dnsAlternativeNames is a list of DNS names to include as alternate names
      ## in the default signed certificate.
      ##
      ## Default value: []
      dnsAlternativeNames: []

      ## lifetime is the lifetime in days of the default signed certificate.
      ##
      ## Default value: 3650
      lifetime: 3650

  ## malwareScanning is a section that controls the malware scanning feature.
  malwareScanning:
    enabled: false
    excludedPaths: []
    scanTimeoutSeconds: 300

    scanner:
      ## scanner is a section that controls the malware scanner engine.
      enableScanCache: false
      scanLog: false
      port: 50051
      logLevel: info

      autoscaling:
        enabled: false
        minReplicas: 1
        maxReplicas: 2
        targetCPUUtilization: 800
      readinessProbe:
        tcpSocket:
          port: 50051
        initialDelaySeconds: 300

  policyOperator:
    ## enable the cluster-managed policy feature
    enabled: false

    ## Minimum value: 5m
    ## Maximum value: 1h
    reconciliationPeriod: 5m

    ## clusterPolicyName is the name of the policy that will be reconciled by the policy operator
    ## Only one policy can be reconciled by the policy operator and applied to the cluster
    ## Use the name defined here as the name of the cluster policy custom resource
    ## The policy name will also be used as vision one policy name
    ##
    ## Default value: trendmicro-cluster-policy
    clusterPolicyName: trendmicro-cluster-policy

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

securityContextConstraints:
  # enable the Security Context Constraints creation in Openshift
  create: true

serviceAccount:
  ## enable the service account creation. Each component with specific permission will use individual service account.
  ## If set to false, the default service account will be used, which might not have sufficient permission and introduce the failure.
  ##
  ## Default value: true
  create: true

  admissionController:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of admissionController template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  oversight:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of oversight template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

    ## Size of the buffer that will receive mitigation requests
    ##
    ## Default value: 50
    mitigationHandlerBufferSize: 50

    ## Security context constraints to add to the service account
    securityContextConstraints:
      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegedContainer: false
      allowedCapabilities: []
      apiVersion: security.openshift.io/v1
      defaultAddCapabilities: []
      kind: SecurityContextConstraints
      priority:
      readOnlyRootFilesystem: false
      requiredDropCapabilities: []
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: MustRunAs
      supplementalGroups:
        type: RunAsAny
      seccompProfiles:
      - '*'

  usage:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of usage template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  scout:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scout template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  scanManager:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scanManager template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  scanJob:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scanJob template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  complianceScanJob:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of complianceScanJob template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  workloadOperator:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of jobManager template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  fargateInjector:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scout template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  k8sMetaCollector:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of k8sMetaCollector template
    name: ''

    ## Annotations to add to the service account
    annotations: {}
  policyOperator:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of policyOperator template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  malwareScanner:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of malwareScanner template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

rbac:
  # Create and use rbac resources
  create: true

networkPolicy:
  ## enabled the network policy.
  ##
  ## Default value: true
  enabled: true
  ## k8s-metacollector network policy, default false
  k8sMetaCollector:
    enabled: false
  ## malwareScanner network policy, default false
  malwareScanner:
    enabled: false

telemetry:
  ## enabled controls whether telemetry events will be sent.
  ##
  ## Default value: true
  enabled: true

  ## endpoint is the endpoint of the telemetry service.
  ##
  ## Default value: https://telemetry.deepsecurity.trendmicro.com
  endpoint: https://telemetry.deepsecurity.trendmicro.com

  ## interval controls the maximum interval between telemetry data reports
  ##
  ## Default value: 8h
  interval: 8h

  ## publicKey is the public key used when communicating with the telemetry service.
  ##
  ## Default value: (built-in)
  publicKey:

  ## apiKey is the API key used when communicating with the telemetry service.
  ##
  ## Default value: (built-in)
  apiKey:

## securityContext specifies the security contexts that we'll apply to the pods.
##
## To use on bottlerocket, set
## securityContext.scout.scout.allowPrivilegeEscalation=true
## securityContext.scout.scout.privileged=true
securityContext:
  ## enabled is a global flag controlling whether security contexts are included at all in the manifest
  ## Default value: true
  enabled: true

  ## default is the default security context that we'll apply at the pod and container level.
  ## if `securityContext.enabled` is true, the `pod` value will be inserted into the `Deployment` manifest
  ## as part of the pod template and the `container` value will be inserted at the container level.
  default:
    pod:
      runAsNonRoot: true
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions: "If unspecified, the container runtime will allocate a random SELinux context for each container": this seems appropriate.
      runAsUser: 65532 # nonroot user
  scanner:
    pod:
      runAsNonRoot: true
    target:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
        add: []
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0 #root user
    init:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 65532 # nonroot user
  scout:
    pod:
      runAsNonRoot: true
    scout:
      allowPrivilegeEscalation: true
      capabilities:
        drop:
        - ALL
        add:
        - SYS_PTRACE
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0
    downloader:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0
    falco:
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0

  malwareScanner:
    pod:
      runAsNonRoot: false
    scanner:
      privileged: true
      runAsNonRoot: false
      runAsUser: 0

proxy:
  ## httpProxy, if set, will be used as the proxy for outbound HTTP traffic.
  ##
  ## The value may be either a complete URL, a `http://host[:port]` when using a http proxy, or `socks5://host[:port]` when using a socks proxy
  ##
  ## Default value: (none)
  httpProxy:

  ## httpsProxy, if set, will be used as the proxy for outbound HTTPS traffic.
  ## If `httpsProxy` is not set, `httpProxy`
  ## is also checked and will be used if set.
  ##
  ## The value may be either a complete URL, a `http://host[:port]` when using a http proxy, or `socks5://host[:port]` when using a socks proxy
  ##
  ## Default value: (none)
  httpsProxy:

  ## noProxy is a comma-separated list of hosts or CIDR blocks that should not be proxied.
  ##
  ## The value may be a comma-separated list of hosts or CIDR blocks. Ex: "localhost,127.0.0.0/8"
  ##
  ## Default value: (none)
  noProxy:

  ## username, if set, is the user name to provide to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  username:

  ## password, if set, is the password to provide to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  password:

  ## If set to true, Container Security Controllers will not use a proxy when communicating with the Kubernetes service host
  ##
  ## Default value: true
  excludeKubernetesServiceHost: true


logConfig:
  ## devel sets the log mode defaults to development mode if set to true
  ## Development mode defaults encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn) 
  ## Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error)
  devel: false

  ## logLevel sets the log verbosity level. Supported values are debug, info, and error
  ## Overrides the logLevel set for each component
  ##
  ## Default value: 
  logLevel:

  ## encoder sets the log encoder. Supported values are json and console
  ##
  ## Default value: json
  encoder: json

  ## stackTraceLevel sets the level above which stacktraces are captured 
  ## Supported values are info, error or panic
  ##
  ## Default value: error
  stacktraceLevel: error

  ## timeEncoding sets the time encoding format 
  ## Supported values are epoch, millis, nano, iso8601, rfc3339 or rfc3339nano
  ##
  ## Default value: epoch
  timeEncoding: epoch

tlsConfig:
  ## minTLSVersion is the minimum TLS version that the server will accept.
  ## Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
  ##
  ## Default value: VersionTLS12
  minTLSVersion: VersionTLS12

  ## cipherSuites is a list of supported secure go cipher suites for TLS 1.2 and 1.3.
  ## The list of supported cipher suites can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
  ##
  ## Default value: List of secure cipher suites
  cipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_AES_128_GCM_SHA256
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256

resources:
  defaults: {}
  oversight:
    requests:
      cpu: 100m
      memory: 20Mi
    limits:
      cpu: 800m
      memory: 1Gi
  usage:
    requests:
      cpu: 100m
      memory: 20Mi
    limits:
      cpu: 800m
      memory: 1Gi
  scout:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
  falco:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
  scanManager:
    requests:
      cpu: 100m
      memory: 20Mi
    limits:
      cpu: 800m
      memory: 1Gi
  workloadOperator:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
  scanner:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      ## no cpu limits specified because it can cause cpu throttle
      memory: 512Mi
  fargateInjector:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 1000m
      memory: 512Mi
  complianceScanner:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      ## no cpu limits specified because it can cause cpu throttle
      memory: 512Mi
  k8sMetaCollector:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
  policyOperator:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
  malwareScanner:
    requests:
      cpu: 100m
      memory: 1Gi
    limits:
      cpu: 1000m
      memory: 2Gi

nodeSelector:
  ## nodeSelector if set, ensures pods are only assigned to a particular set of nodes.
  ## Defaults apply to all pods created by this chart unless overridden by a non default configuration.
  ##
  ## Default Value: {}
  defaults: {}

tolerations:
  ## tolerations if set, allows (but does not require) the pods to schedule onto nodes with matching taints.
  ## Defaults apply to all pods created by this chart unless overridden by a non default configuration.
  ##
  ## Default Value: {}
  defaults: []

affinity:
  ## affinity if set, provides the ability constrain which nodes your pod is eligible to be scheduled on, based on labels.
  ## Defaults apply to all pods created by this chart unless overridden by a non default configuration.
  ##
  ## Default Value: {}
  defaults: {}

## replicas if set, allows for additional replica counts to be set for specified pods.
## NOTE: replicas does not apply to scout
##
## Default Value: {}
replicas: {}

## extraLabels is a dictionary of additional labels that will be added to all resources created by this chart.
##
## Default Value: {}
extraLabels: {}

podAnnotations:
  ## podAnnotations if set, applies additional pod annotations to all pods unless overridden by a non default configuration.
  ##
  ## Default Value: {}
  defaults: {}

priorityClassName:
  ## podAnnotations if set, applies priority class to all pods unless overridden by a non default configuration.
  ##
  ## Default Value: (none)
  default:

scout:
  ## If set to true, excludeSameNamespace will add the namespace in which this helm chart is deployed as an excluded namespace.
  ##
  ## Default Value: true
  excludeSameNamespace: true

  falco:
    ## apiUrl, provide the URL Falco should use to connect to the Kubernetes API.
    ##
    ## Default Value: https://$(KUBERNETES_SERVICE_HOST)
    apiUrl: https://$(KUBERNETES_SERVICE_HOST)

    ## extraArgs, if set will apply additional arguments to falco container
    ##
    ## Default Value: []
    extraArgs: []
    ## env, if set will apply additional environment variables to the falco container
    ##
    ## Default Value: []
    env: {}

    ## extra configs applied to falco container
    config: {}

    docker:
      ## Determines if the docker socket is mounted in the falco container.
      ## Required for docker based runtimes
      enabled: true

      ## socket, determines which socket to mount for enabling docker based runtimes.
      socket: /var/run/docker.sock

    cri:
      ## Determines if the cri (containerd or crio) socket is mounted in the falco container.
      ## Required for cri based runtimes
      enabled: true

      ## socket, determines which socket to mount for enabling cri based runtimes.
      ## Default value: (determined by platform)
      socket:

    dockershim:
      ## Determines if the dockershim socket is mounted in the falco container.
      ## Required for bottlerocket
      enabled: true

      ## socket, determines which socket to mount for enabling dockershim based runtimes.
      ## Default value: (determined by platform)
      socket:

    k0s:
      ## Determines if the k0s socket is mounted in the falco container.
      enabled: true

      ## socket, determines which socket to mount for enabling k0s based runtimes.
      socket:

    k3s:
      ## Determines if the k3s socket is mounted in the falco container.
      enabled: true

      ## socket, determines which socket to mount for enabling k3s based runtimes.
      socket:

    ## modernBpf, determine if falco uses ebpf CO-RE if kernel supports.
    ## If it is false or kernel doesn't support ebpf CO-RE, the ebpf driver will be downloaded from Trend Micro Cloud One Container Security service.
    ## Default value: true
    modernBpf: true

    ## stdout_enabled sets the status of stdout log output
    ##
    ## Default Value: false
    stdout_enabled: false

    ## syslog_enabled sets the status of syslog output
    ##
    ## Default Value: false
    syslog_enabled: false

  scout:
    ## falcoInternalEvent, determines how to deal with falco internal event
    ## sysevent: send the internal events as system events to container security backend
    ## log: log the internal events into scout's log
    falcoInternalEvent: [log, sysevent]

    ## extraArgs, if set will apply additional arguments to scout container
    ##
    ## Default Value: []
    extraArgs: []

    ## env, if set will apply additional environment variables to the scout container
    ##
    ## Default Value: []
    env: {}

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  downloader:
    ## extraArgs, if set will apply additional arguments to scout container
    ##
    ## Default Value: []
    extraArgs: []

    ## env, if set will apply additional environment variables to the scout container
    ##
    ## Default Value: []
    env: {}

    ## componentType, the type of component to download
    componentType: falco-ebpf-program

    ## componentDir, the directory where the component to be downloaded
    componentDir: /var/component

malwareScanner:
  defaultExcludedPaths:
  - /proc
  - /dev
  - /sys
  scanWorkerCount: 5

images:
  defaults:
    ## Default registry to pull images from. This can be overridden for
    ## each image by specifying the registry attribute at the image level.
    ## If no registry is provided, images will be pulled from your default
    ## registry (which may be Amazon ECR Public Gallery).
    ##
    ## The images can also be accessed in Docker Hub by leaving the registry field blank.
    # registry:
    ##
    ## Default value: public.ecr.aws
    registry: public.ecr.aws

    ## Default project / organization to pull images from. This can be
    ## overridden for each image by specifying the project attribute at the
    ## image level.
    ##
    ## The images can also be accessed in Docker Hub under trendmicrocloudone project
    # project: trendmicrocloudone
    ##
    ## Default value: trendmicro/container-security
    project: trendmicro/container-security

    ## Default tag for images to pull. This can be overridden for each image
    ## by specifying the tag attribute at the image level.
    tag: 2.4.3

    ## Default pull policy for images. This can be overridden for each image
    ## by specifying the pullPolicy attribute at the image level.
    ##
    ## Default value: IfNotPresent
    pullPolicy: IfNotPresent

    ## Default secret for pulling images. This can be overridden for each
    ## image by specifying the imagePullSecret attribute at the image level.
    ##
    ## Default value: none
    # imagePullSecret:
  admissionController:
    repository: admission-controller
    digest: sha256:7eda014ed641b9d83d024ef328ae82f102402e2ce16494c7a118a75e8f3dc960

  oversight:
    repository: oversight-controller
    digest: sha256:b277e0dbbdf376219d0143b8813844d3dd8c489153f0d65e0f3f5733ac511c47

  usage:
    repository: usage-controller
    digest: sha256:7506eb95d7a4d08827250c4e44aa807f007aca3742b01e855a13f2efa9293448

  rbacProxy:
    repository: rbac-proxy
    digest: sha256:cf702fe130af0be68b29e5abc269e0556493d0eaadd2b59d3ef0266b56d2429d

  falco:
    repository: falco
    digest: sha256:66a35a3f1200fc37ec48a3bfd9ce2ea5261552d647e3039616e1c423c1b404ba

  scout:
    repository: scout
    digest: sha256:51585703524b717a78317c42b92341a4f45f8c254617ed94f9d23f1bb6868623

  scanManager:
    repository: scan-manager
    digest: sha256:9e1bb550cf29666bb98d08f6d0ae1a11eedf0844ad0db06c56138777272c3eda

  scanJob:
    repository: scan-job
    digest: sha256:c11973b07a7e53da9dec070a7844795f45066191b9734ce9271c0e9fbee0e6d5

  complianceScanJob:
    repository: compliance-scan-job
    digest: sha256:3dfbf17bfac77a9bcab12339a5a488a17b56a229326cb09e2895ea45aca499bc

  workloadOperator:
    repository: workload-operator
    digest: sha256:77cbddc919b440382a21102007e0b04cdebb23a586b0613b83a6019ecf962500

  fargateInjector:
    repository: fargate-tool
    digest: sha256:2ca3c779fdc6412ad5575a2cc8febe15e96ec56711d89e3564f9c968fc03dbc5

  pdig:
    repository: pdig
    digest: sha256:cb38872e6013b7e6ea837612d6819dad066721dc9f60bbda1e453ac5338161fa

  k8sMetaCollector:
    repository: k8s-metacollector
    digest: sha256:c19b86eea4af2ae9878d84cb25a35b9b1d7f4013f1f732e0cfd3a3bba9fc5cf8

  policyOperator:
    repository: policy-operator
    digest: sha256:9fa022bca41c1a4e60c4dff56a01b0bf2e9670c71d8f46945d7573b8b4e7a018

  malwareScanner:
    repository: malware-scanner
    digest: sha256:aee886896786c00ec05d59f6e0122f3b655e1d81b7e361e903cc28880d3d2c35

##
## Determine whether to use existing secrets in the target namespace rather than
## specifying in overrides.yaml. Useful if you want to manage secrets on your own, e.g., in argocd.
##
## When this is enabled, typically you will need these secrets created in your target namespace.
## (names may vary depending on your settings):
##
## - trendmicro-container-security-auth
## - trendmicro-container-security-outbound-proxy-credentials
##
## You can fill overrides.yaml and use helm install --dry-run to generate these secret's
## template.
##
## After deployment, if you update the secret after deployment, you will need to restart pods of
## container security to make changes take effect.
##
useExistingSecrets:
  ## containerSecurityAuth, if set to true, will use the existing secret for container security authentication.
  ## The secret should be named trendmicro-container-security-auth in the target namespace if this is enabled.
  ## The secret should contain base64 encoded cloud one api key in the api.key field.
  ##
  ## Default value: false
  containerSecurityAuth: false

  ## outboundProxy, if set to true, will use the existing secret for outbound proxy.
  ## The secret should be named trendmicro-container-security-outbound-proxy-credentials in the target namespace if this is enabled.
  ## For secret format, see templates/outbound-proxy.yaml
  ##
  ## Default value: false
  outboundProxy: false