Helm chart configuration

Learn about the Helm chart configuration parameters you can use when you install or upgrade the StackRox Kubernetes Security Platform by using Helm.

This topic describes the Helm chart configuration parameters that you can use with the helm install and helm upgrade commands, either through the --set flag or by configuring the chart’s values.

The StackRox Helm chart repository includes the following charts to install various components of the StackRox Kubernetes Security Platform:

The Secured Cluster Services Helm chart is only available for the StackRox Kubernetes Security Platform version 3.0.55 and newer.

For configuring the StackRox Kubernetes Security Platform between version 3.0.41 and 3.0.54, use the Sensor Helm chart.

Central services Helm chart

We recommend the following files for configuring the Helm chart for installing or upgrading the StackRox Kubernetes Security Platform:

  • These parameters are only applicable for the StackRox Kubernetes Security Platform version 3.0.50 and newer.

  • The certificates and private keys you specify for various parameters:

    • must be PEM encoded, and

    • must begin and end with the header and footer values.

      For example:

      central:
        defaultTLS:
          cert: |
            -----BEGIN CERTIFICATE-----
            <PEM-encoded-CA-certificate>
            -----END CERTIFICATE-----
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            <PEM-encoded-CA-private-key>
            -----END RSA PRIVATE KEY-----

Public configuration file

This section lists the configurable parameters of the values-public.yaml file.

Image pull secrets

Image pull secrets are the credentials required for pulling images from your registry.

Parameter | Description
--- | ---
imagePullSecrets.allowNone | Use true if you’re using a custom registry and it allows pulling images without credentials.
imagePullSecrets.useExisting | A comma-separated list of secrets as values. For example, secret1, secret2. Use this option if you have already created pre-existing image pull secrets with the given name in the target namespace.
imagePullSecrets.useFromDefaultServiceAccount | Use true if you’ve already configured the default service account in the target namespace with sufficiently scoped image pull secrets.

Image

Image declares the configuration to set up a main registry which the Helm chart uses to resolve images for central.image, scanner.image, and scanner.dbImage parameters.

Parameter | Description
--- | ---
image.registry | Address of your image registry. Either use a hostname, such as stackrox.io, or a remote registry hostname, such as us.gcr.io/stackrox-mirror.

Environment variables

The StackRox Kubernetes Security Platform automatically detects your cluster environment and sets values for env.openshift, env.istio, and env.platform. Only set these values to override the automatic cluster environment detection.

Parameter | Description
--- | ---
env.openshift | Use true for installing on an OpenShift cluster and overriding automatic cluster environment detection.
env.istio | Use true for installing on an Istio enabled cluster and overriding automatic cluster environment detection.
env.platform | The platform on which you are installing the StackRox Kubernetes Security Platform. Set its value to default or gke to specify the cluster platform and override automatic cluster environment detection.
env.offlineMode | Use true to use the StackRox Kubernetes Security Platform in offline mode.

Central

Configurable parameters for Central.

  • You must specify a persistent storage option, either central.persistence.hostPath or central.persistence.persistentVolumeClaim.
  • To expose the Central deployment for external access, you must specify one of central.exposure.loadBalancer, central.exposure.nodePort, or central.exposure.route. When you don’t specify any of these parameters, you must expose Central manually or access it by using port-forwarding.

Parameter | Description
--- | ---
central.disableTelemetry | Use true to disable online telemetry data collection.
central.endpointsConfig | The endpoint configuration options for Central.
central.nodeSelector | Specify a node selector label (as label-key: label-value) to force Central to only schedule on nodes with the specified label.
central.image.registry | A custom registry that overrides the global image.registry parameter for the Central image.
central.image.name | The custom image name that overrides the default Central image name (main).
central.image.tag | The custom image tag that overrides the default tag for the Central image. If you specify your own image tag during a new installation, you must manually increment this tag when you upgrade to a new version by running the helm upgrade command. If you mirror Central images in your own registry, we recommend that you don’t modify the original image tags.
central.image.fullRef | Full reference including registry address, image name, and image tag for the Central image. Setting a value for this parameter overrides the central.image.registry, central.image.name, and central.image.tag parameters.
central.resources.requests.memory | The memory request for Central to override the default value.
central.resources.requests.cpu | The CPU request for Central to override the default value.
central.resources.limits.memory | The memory limit for Central to override the default value.
central.resources.limits.cpu | The CPU limit for Central to override the default value.
central.persistence.hostPath | The path on the node where the StackRox Kubernetes Security Platform should create a database volume.
central.persistence.persistentVolumeClaim.claimName | The name of the Kubernetes persistent volume claim (PVC) you are using.
central.persistence.persistentVolumeClaim.createClaim | Use true to create a new persistent volume claim, or false to use an existing claim.
central.persistence.persistentVolumeClaim.size | The size (in GiB) of the persistent volume managed by the specified claim.
central.exposure.loadBalancer.enabled | Use true to expose Central by using a load balancer.
central.exposure.loadBalancer.port | The port number on which to expose Central. The default port number is 443.
central.exposure.nodePort.enabled | Use true to expose Central by using the NodePort service.
central.exposure.nodePort.port | The port number on which to expose Central. When you skip this parameter, Kubernetes automatically assigns a port number (recommended).
central.exposure.route.enabled | Use true to expose Central by using a route. This parameter is only available for OpenShift clusters.
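
The two constraints on the Central section (exactly one persistence option, at most one exposure option) are easy to get wrong in a hand-written values file. The following linter is an added example, not part of the StackRox documentation or the chart itself; it takes the parsed values-public.yaml as a dict (what yaml.safe_load() returns) and reports the violations before you run helm install. The lookup() helper, the finding strings, and both sample dicts are this example's own constructions.

```python
# Added example, not part of the StackRox documentation or the chart itself:
# a linter for the Central section of values-public.yaml that encodes the two
# rules above. `values` is the parsed file (the dict yaml.safe_load() returns);
# the two sample dicts at the bottom are constructed for this demo.


def lookup(values, dotted, default=None):
    """Resolve a dotted parameter path such as 'central.exposure.route.enabled'."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_central_public(values):
    """Return findings as strings; 'ERROR:' lines block an install, 'NOTE:' lines are advisory."""
    findings = []

    # Persistence: hostPath or persistentVolumeClaim, exactly one of the two.
    host_path = lookup(values, "central.persistence.hostPath")
    pvc = lookup(values, "central.persistence.persistentVolumeClaim")
    if bool(host_path) == bool(pvc):
        findings.append("ERROR: set exactly one of central.persistence.hostPath "
                        "or central.persistence.persistentVolumeClaim")
    elif pvc and not lookup(values, "central.persistence.persistentVolumeClaim.claimName"):
        findings.append("ERROR: central.persistence.persistentVolumeClaim.claimName is required")

    # Exposure: at most one of loadBalancer, nodePort, route may be enabled.
    enabled = [name for name in ("loadBalancer", "nodePort", "route")
               if lookup(values, f"central.exposure.{name}.enabled") is True]
    if len(enabled) > 1:
        findings.append("ERROR: enable only one of central.exposure.loadBalancer, "
                        "nodePort or route; found " + ", ".join(enabled))
    elif not enabled:
        findings.append("NOTE: no exposure configured; expose Central manually "
                        "or reach it with kubectl port-forward")
    # A route is OpenShift-only, so an explicit env.openshift: false contradicts it.
    if "route" in enabled and lookup(values, "env.openshift") is False:
        findings.append("ERROR: central.exposure.route requires an OpenShift cluster, "
                        "but env.openshift is false")

    return findings


# Constructed sample: a valid PVC-backed, load-balancer-exposed Central.
SAMPLE_OK = {
    "central": {
        "persistence": {"persistentVolumeClaim": {
            "claimName": "stackrox-db", "createClaim": True, "size": 100}},
        "exposure": {"loadBalancer": {"enabled": True, "port": 443}},
    }
}

# Constructed sample with three mistakes: two persistence options, two exposure
# options, and a route on a cluster explicitly marked as not OpenShift.
SAMPLE_BAD = {
    "env": {"openshift": False},
    "central": {
        "persistence": {"hostPath": "/var/lib/stackrox",
                        "persistentVolumeClaim": {"claimName": "stackrox-db"}},
        "exposure": {"nodePort": {"enabled": True}, "route": {"enabled": True}},
    },
}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_central_public(sample) or ["clean"])
```

Running the linter on an empty values dict yields the persistence error plus the advisory that no exposure is configured, which matches the two bullets above: persistence is mandatory, exposure is optional but then falls back to manual exposure or port-forwarding.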

Scanner

Configurable parameters for Scanner.

Parameter | Description
--- | ---
scanner.disable | Use true to install the StackRox Kubernetes Security Platform without Scanner. When you use it with the helm upgrade command, Helm removes the existing Scanner deployment.
scanner.replicas | The number of replicas to create for the Scanner deployment. When you use it with the scanner.autoscaling parameter, this value sets the initial number of replicas.
scanner.logLevel | Configure the log level for Scanner. We recommend that you don’t change the default log level (INFO).
scanner.autoscaling.disable | Use true to disable autoscaling for the Scanner deployment. When you disable autoscaling, the minReplicas and maxReplicas parameters won’t have any effect.
scanner.autoscaling.minReplicas | The minimum number of replicas for autoscaling.
scanner.autoscaling.maxReplicas | The maximum number of replicas for autoscaling.
scanner.resources.requests.memory | The memory request for Scanner to override the default value.
scanner.resources.requests.cpu | The CPU request for Scanner to override the default value.
scanner.resources.limits.memory | The memory limit for Scanner to override the default value.
scanner.resources.limits.cpu | The CPU limit for Scanner to override the default value.
scanner.dbResources.requests.memory | The memory request for the Scanner database deployment to override the default value.
scanner.dbResources.requests.cpu | The CPU request for the Scanner database deployment to override the default value.
scanner.dbResources.limits.memory | The memory limit for the Scanner database deployment to override the default value.
scanner.dbResources.limits.cpu | The CPU limit for the Scanner database deployment to override the default value.
scanner.image.registry | A custom registry for the Scanner image.
scanner.image.name | The custom image name that overrides the default Scanner image name (scanner).
scanner.dbImage.registry | A custom registry for the Scanner DB image.
scanner.dbImage.name | The custom image name that overrides the default Scanner DB image name (scanner-db).

Customization

Use these parameters to specify additional attributes for all objects that the StackRox Kubernetes Security Platform creates.

Parameter | Description
--- | ---
customize.labels | A custom label to attach to all objects.
customize.annotations | A custom annotation to attach to all objects.
customize.podLabels | A custom label to attach to all deployments.
customize.podAnnotations | A custom annotation to attach to all deployments.
customize.envVars | A custom environment variable for all containers in all objects.
customize.central.labels | A custom label to attach to all objects that Central creates.
customize.central.annotations | A custom annotation to attach to all objects that Central creates.
customize.central.podLabels | A custom label to attach to all Central deployments.
customize.central.podAnnotations | A custom annotation to attach to all Central deployments.
customize.central.envVars | A custom environment variable for all Central containers.
customize.scanner.labels | A custom label to attach to all objects that Scanner creates.
customize.scanner.annotations | A custom annotation to attach to all objects that Scanner creates.
customize.scanner.podLabels | A custom label to attach to all Scanner deployments.
customize.scanner.podAnnotations | A custom annotation to attach to all Scanner deployments.
customize.scanner.envVars | A custom environment variable for all Scanner containers.
customize.scanner-db.labels | A custom label to attach to all objects that Scanner DB creates.
customize.scanner-db.annotations | A custom annotation to attach to all objects that Scanner DB creates.
customize.scanner-db.podLabels | A custom label to attach to all Scanner DB deployments.
customize.scanner-db.podAnnotations | A custom annotation to attach to all Scanner DB deployments.
customize.scanner-db.envVars | A custom environment variable for all Scanner DB containers.

You can also use:

  • the customize.other.service/*.labels and customize.other.service/*.annotations parameters to specify labels and annotations for all service objects, or
  • a specific service name, for example customize.other.service/central-loadbalancer.labels and customize.other.service/central-loadbalancer.annotations, to set labels and annotations for that service only.

Advanced customization

The parameters specified in this section are for information only. We don’t support the StackRox Kubernetes Security Platform instances with modified namespace and release names.

Parameter | Description
--- | ---
allowNonstandardNamespace | Use true to deploy the StackRox Kubernetes Security Platform into a namespace other than the default namespace stackrox.
allowNonstandardReleaseName | Use true to deploy the StackRox Kubernetes Security Platform with a release name other than the default stackrox-central-services.

Private configuration file

This section lists the configurable parameters of the values-private.yaml file. There are no default values for these parameters.

License

Beginning from the StackRox Kubernetes Security Platform version 3.0.58.0, we’ve removed all licensing restrictions.

The StackRox Kubernetes Security Platform license key. You can skip providing a license key during installation, however you won’t be able to use the StackRox Kubernetes Security Platform unless you activate your license.

Parameter | Description
--- | ---
licenseKey | The StackRox Kubernetes Security Platform license key.

Image pull secrets

The credentials required for pulling images from your registry.

  • If you are using the stackrox.io registry, you must specify the imagePullSecrets.username and imagePullSecrets.password parameters.

  • If you are using a custom registry, you must also specify the image.registry parameter.

  • If you don’t use username and password to log into your custom registry, you must specify one of the following parameters:

    • imagePullSecrets.allowNone
    • imagePullSecrets.useExisting
    • imagePullSecrets.useFromDefaultServiceAccount

Parameter | Description
--- | ---
imagePullSecrets.username | The username for your registry.
imagePullSecrets.password | The password (for the selected username) of your registry.
imagePullSecrets.allowNone | Use true if you’re using a custom registry and it allows pulling images without credentials.
imagePullSecrets.useExisting | A comma-separated list of secrets as values. For example, secret1, secret2, ... . Use this option if you have already created pre-existing image pull secrets with the given name in the target namespace.
imagePullSecrets.useFromDefaultServiceAccount | Use true if you’ve already configured the default service account in the target namespace with sufficiently scoped image pull secrets.

Proxy configuration

If you are installing the StackRox Kubernetes Security Platform in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration using the proxyConfig parameter. For example:

env:
  proxyConfig: |
    url: http://proxy.name:port
    username: username
    password: password
    excludes:
    - some.domain

Parameter | Description
--- | ---
env.proxyConfig | Your proxy configuration.

Central

Configurable parameters for Central.

For a new installation, you can skip the following parameters and let Helm chart autogenerate values for them. If you’d like to modify these when upgrading to a new version, specify the values for the following parameters:

  • central.jwtSigner.key
  • central.serviceTLS.cert
  • central.serviceTLS.key
  • central.adminPassword.value
  • central.adminPassword.htpasswd

For setting the administrator password, you can only use either central.adminPassword.value or central.adminPassword.htpasswd, but not both.

Parameter | Description
--- | ---
central.jwtSigner.key | A private key which the StackRox Kubernetes Security Platform should use for signing JSON web tokens (JWTs) for authentication.
central.serviceTLS.cert | An internal certificate that the central.stackrox service should use for deploying Central.
central.serviceTLS.key | The internal certificate key that the central.stackrox service should use.
central.defaultTLS.cert | The user-facing certificate that Central should use. You must manually provide this value for a new installation. If you are upgrading, the StackRox Kubernetes Security Platform uses the existing certificate and its key.
central.defaultTLS.key | The user-facing certificate key that Central should use. You must manually provide this value for a new installation. If you are upgrading, the StackRox Kubernetes Security Platform uses the existing certificate and its key.
central.adminPassword.value | Administrator password for logging into the StackRox Kubernetes Security Platform.
central.adminPassword.htpasswd | Administrator password for logging into the StackRox Kubernetes Security Platform. This password is stored in hashed format using bcrypt.

If you are using the central.adminPassword.htpasswd parameter, you must provide a bcrypt password hash. You can run the command htpasswd -nB admin to generate one. For example:

htpasswd: |
  admin:<bcrypt-hash>
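
The private file carries the material that is easiest to get subtly wrong: a certificate pasted without its footer, a key that is not PEM at all, or an htpasswd line that still holds the plaintext password. The linter below is an added example, not code from the StackRox chart or its documentation. It covers the PEM rule stated at the top of this page (PEM encoded, matching BEGIN/END header and footer) for every certificate and key parameter in the Central table, the rule that central.adminPassword.value and central.adminPassword.htpasswd are mutually exclusive, and the bcrypt format that htpasswd -nB produces. The PEM bodies and the hash in the samples are constructed placeholders, not real key material, and the regexes, helper names and finding strings are this example's own.

```python
import re

# Added example, not code from the StackRox chart or its documentation: a linter
# for the sensitive parameters in values-private.yaml. Values are the parsed file
# (a dict, as yaml.safe_load() returns); the sample PEM bodies and the hash below
# are constructed placeholders, not real key material.

PEM_RE = re.compile(
    r"\A-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?:[A-Za-z0-9+/=]+\n)+"            # base64 body, one or more lines
    r"-----END (?P<end>[A-Z ]+)-----\n?\Z"
)
# bcrypt as produced by `htpasswd -nB`: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\A\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}\Z")

KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")
# Parameter -> the PEM label(s) its value must carry.
PEM_PARAMS = {
    "central.jwtSigner.key": KEY_LABELS,
    "central.serviceTLS.cert": ("CERTIFICATE",),
    "central.serviceTLS.key": KEY_LABELS,
    "central.defaultTLS.cert": ("CERTIFICATE",),
    "central.defaultTLS.key": KEY_LABELS,
}


def lookup(values, dotted, default=None):
    """Resolve a dotted parameter path such as 'central.defaultTLS.cert'."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_pem(value, allowed_labels):
    """Return None for a well-formed PEM block with an allowed label, else the reason."""
    if not isinstance(value, str):
        return "value is not a string"
    m = PEM_RE.match(value)
    if not m:
        return "missing or malformed BEGIN/END header and footer"
    if m.group("label") != m.group("end"):
        return "header label does not match footer label"
    if m.group("label") not in allowed_labels:
        return f"unexpected PEM label {m.group('label')!r}"
    return None


def check_central_private(values):
    """Return findings as 'ERROR: ...' strings; an empty list means the file is clean."""
    findings = []
    for param, labels in PEM_PARAMS.items():
        value = lookup(values, param)
        if value is None:
            continue        # omitted on a fresh install: the chart autogenerates it
        reason = check_pem(value, labels)
        if reason:
            findings.append(f"ERROR: {param}: {reason}")

    plain = lookup(values, "central.adminPassword.value")
    htpasswd = lookup(values, "central.adminPassword.htpasswd")
    if plain is not None and htpasswd is not None:
        findings.append("ERROR: set central.adminPassword.value or "
                        "central.adminPassword.htpasswd, not both")
    if htpasswd is not None:
        for line in str(htpasswd).splitlines():
            user, sep, digest = line.partition(":")
            if not sep or not BCRYPT_RE.match(digest):
                findings.append(f"ERROR: central.adminPassword.htpasswd: entry for "
                                f"{user!r} is not a bcrypt hash; generate one with "
                                "htpasswd -nB admin")
    return findings


# Constructed placeholder with the right shape (not the hash of any password).
FAKE_BCRYPT = "$2y$05$" + "abcdefghijklmnopqrstuv" + "0123456789ABCDEFGHIJKLMNOPQRSTU"

SAMPLE_PRIVATE_OK = {"central": {
    "defaultTLS": {
        "cert": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUABCD\n-----END CERTIFICATE-----\n",
        "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    },
    "adminPassword": {"htpasswd": "admin:" + FAKE_BCRYPT + "\n"},
}}

# Constructed sample with three mistakes: a certificate whose footer belongs to a
# key, both password parameters set, and a plaintext password in the htpasswd line.
SAMPLE_PRIVATE_BAD = {"central": {
    "defaultTLS": {
        "cert": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUABCD\n-----END RSA PRIVATE KEY-----\n",
        "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    },
    "adminPassword": {"value": "example-password", "htpasswd": "admin:example-password\n"},
}}

if __name__ == "__main__":
    print(check_central_private(SAMPLE_PRIVATE_OK) or ["clean"])
    print(check_central_private(SAMPLE_PRIVATE_BAD))
```

A parameter that is absent is deliberately not a finding, because the page states that the chart autogenerates these values on a new installation; the check only fires on values you did supply.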

Scanner

Configurable parameters for Scanner.

For a new installation, you can skip the following parameters and the Helm chart autogenerates values for them. Otherwise, if you are upgrading to a new version, specify the values for the following parameters:

  • scanner.dbPassword.value
  • scanner.serviceTLS.cert
  • scanner.serviceTLS.key
  • scanner.dbServiceTLS.cert
  • scanner.dbServiceTLS.key

Parameter | Description
--- | ---
scanner.dbPassword.value | The password to use for authentication with the Scanner database. Usually, you shouldn’t specify this parameter as the StackRox Kubernetes Security Platform uses this value internally.
scanner.serviceTLS.cert | An internal certificate that the scanner.stackrox service should use for deploying Scanner.
scanner.serviceTLS.key | The internal certificate key that the scanner.stackrox service should use.
scanner.dbServiceTLS.cert | An internal certificate that the scanner-db.stackrox service should use for deploying the Scanner database.
scanner.dbServiceTLS.key | The internal certificate key that the scanner-db.stackrox service should use.

Secured Cluster Services Helm chart

  • The Secured Cluster Services Helm chart is only available for the StackRox Kubernetes Security Platform version 3.0.55 and newer. For configuring the StackRox Kubernetes Security Platform between version 3.0.41 and 3.0.54, use the Sensor Helm chart.
  • If you are using the Secured Cluster Services Helm chart, don’t modify the values.yaml file that’s part of the chart.

We recommend that you always store the configuration in separate files:

  • values-public.yaml: include all non-sensitive configuration options in this file.
  • values-private.yaml: include all sensitive configuration options such as image pull secrets or certificates and keys.

Configuration

Parameter | Description
--- | ---
clusterName | Name of your cluster.
centralEndpoint | Address of the Central endpoint, including the port number. If you are using a non-gRPC capable LoadBalancer, use the WebSocket protocol by prefixing the endpoint address with wss://.
sensor.endpoint | Address of the Sensor endpoint, including the port number.
image.main.name | Repository from which to download the main image.
image.collector.name | Repository from which to download the collector image.
image.main.registry | Address of the registry you are using for the main image.
image.collector.registry | Address of the registry you are using for the collector image.
image.main.pullPolicy | Image pull policy for main images.
image.collector.pullPolicy | Image pull policy for collector images.
image.main.tag | Tag of the main image to use.
image.collector.tag | Tag of the collector image to use.
collector.collectionMethod | Either EBPF, KERNEL_MODULE, or NO_COLLECTION.
admissionControl.listenOnCreates | This setting controls whether Kubernetes is configured to contact the StackRox Kubernetes Security Platform with AdmissionReview requests for workload creation events.
admissionControl.listenOnUpdates | When you keep it as false, the StackRox Kubernetes Security Platform creates the ValidatingWebhookConfiguration in a way that causes the Kubernetes API server not to send object update events. Since the volume of object updates is usually higher than that of object creations, leaving this as false limits the load on the admission control service and decreases the chances of a malfunctioning admission control service.
admissionControl.listenOnEvents | This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with AdmissionReview requests for Kubernetes exec and portforward events. This setting isn’t supported in OpenShift.
admissionControl.dynamic.enforceOnCreates | Controls whether the StackRox Kubernetes Security Platform evaluates policies; if it’s disabled, all AdmissionReview requests are automatically accepted.
admissionControl.dynamic.enforceOnUpdates | Controls the behavior of the admission control service for update events. You must specify listenOnUpdates as true for this to work.
admissionControl.dynamic.scanInline | If you set this option to true, the admission control service requests an image scan before making an admission decision. Since image scans take several seconds, we recommend that you enable this option only if you can ensure that all images used in your cluster are scanned before deployment (for example, by a CI integration during image build). This option corresponds to the Contact image scanners option in the StackRox Portal.
admissionControl.dynamic.disableBypass | Set it to true to disable bypassing the admission controller.
admissionControl.dynamic.timeout | The maximum time in seconds that the StackRox Kubernetes Security Platform should wait while evaluating admission review requests. Use this to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform accepts the request.
registryOverride | Use this parameter to override the default docker.io registry. Specify the name of your registry if you are using some other registry.
collector.disableTaintTolerations | If you specify false, tolerations are applied to collector, and the collector pods can schedule onto all nodes with taints. If you specify it as true, no tolerations are applied, and the collector pods won’t be scheduled onto nodes with taints.
createUpgraderServiceAccount | Specify true to create the sensor-upgrader account. By default, the StackRox Kubernetes Security Platform creates a service account called sensor-upgrader in each secured cluster. This account is highly privileged but is only used during upgrades. If you don’t create this account, you will have to complete future upgrades manually if the Sensor doesn’t have enough permissions. See Enable automatic upgrades for secured clusters for more information.
createSecrets | Specify false to skip the orchestrator secret creation for the sensor, collector, and admission controller.
collector.slimMode | Specify true if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support package from stackrox.io and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.
sensor.resources | Resource specification for Sensor.
admissionControl.resources | Resource specification for Admission Control.
collector.resources | Resource specification for Collector.
collector.complianceResources | Resource specification for Collector’s Compliance container.
exposeMonitoring | If you set this option to true, the StackRox Kubernetes Security Platform exposes Prometheus metrics endpoints on port number 9090 for the Sensor, Collector, and the Admission control service.
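
Several rows in the table above describe dependencies between parameters rather than standalone values: enforceOnUpdates does nothing unless listenOnUpdates is true, an inline scan that overruns the admission timeout results in the request being accepted, centralEndpoint must carry a port, and collectionMethod takes one of three spellings. The check below is an added example, not code from the StackRox chart or its documentation; it takes the parsed values file as a dict (what yaml.safe_load() returns) and flags a Secured Cluster configuration whose admission control would silently not enforce. The endpoint regex, the helper and finding strings, and both sample dicts are this example's own constructions.

```python
import re

# Added example, not code from the StackRox chart or its documentation: a
# consistency check for a Secured Cluster Services values file encoding the
# dependencies stated in the parameter table. Values are the parsed file (a dict,
# as yaml.safe_load() returns); the sample dicts are constructed for this demo.

COLLECTION_METHODS = {"EBPF", "KERNEL_MODULE", "NO_COLLECTION"}
# host:port, with an optional wss:// prefix for non-gRPC-capable load balancers.
ENDPOINT_RE = re.compile(r"\A(?:wss://)?[A-Za-z0-9.\-]+:(?P<port>\d{1,5})\Z")


def lookup(values, dotted, default=None):
    """Resolve a dotted parameter path such as 'admissionControl.dynamic.timeout'."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_secured_cluster(values):
    """Return findings; 'ERROR:' lines are misconfigurations, 'NOTE:' lines are advisory."""
    findings = []

    endpoint = lookup(values, "centralEndpoint", "")
    m = ENDPOINT_RE.match(str(endpoint))
    if not m or not 1 <= int(m.group("port")) <= 65535:
        findings.append(f"ERROR: centralEndpoint {endpoint!r} must be host:port "
                        "(optionally prefixed with wss://)")

    method = lookup(values, "collector.collectionMethod")
    if method is not None and method not in COLLECTION_METHODS:
        findings.append(f"ERROR: collector.collectionMethod {method!r} is not one of "
                        + ", ".join(sorted(COLLECTION_METHODS)))

    # enforceOnUpdates is inert unless the API server actually sends update events.
    if (lookup(values, "admissionControl.dynamic.enforceOnUpdates") is True
            and lookup(values, "admissionControl.listenOnUpdates") is not True):
        findings.append("ERROR: admissionControl.dynamic.enforceOnUpdates requires "
                        "admissionControl.listenOnUpdates: true")

    # A scan that overruns the timeout leads to the request being accepted, so an
    # inline-scan setup should choose the timeout deliberately.
    if (lookup(values, "admissionControl.dynamic.scanInline") is True
            and lookup(values, "admissionControl.dynamic.timeout") is None):
        findings.append("NOTE: admissionControl.dynamic.scanInline is enabled without "
                        "admissionControl.dynamic.timeout; requests whose scan exceeds "
                        "the timeout are accepted")

    return findings


# Constructed sample: a consistent configuration with enforcement on creates and updates.
SAMPLE_CLUSTER_OK = {
    "clusterName": "prod-east",
    "centralEndpoint": "wss://central.example.com:443",
    "collector": {"collectionMethod": "EBPF"},
    "admissionControl": {
        "listenOnCreates": True, "listenOnUpdates": True,
        "dynamic": {"enforceOnCreates": True, "enforceOnUpdates": True,
                    "scanInline": True, "timeout": 10},
    },
}

# Constructed sample: no port and a trailing slash, a lowercase collection method,
# enforcement on updates the API server never sends, and inline scans without a timeout.
SAMPLE_CLUSTER_BAD = {
    "centralEndpoint": "central.example.com/",
    "collector": {"collectionMethod": "ebpf"},
    "admissionControl": {
        "listenOnUpdates": False,
        "dynamic": {"enforceOnUpdates": True, "scanInline": True},
    },
}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_CLUSTER_OK), ("bad", SAMPLE_CLUSTER_BAD)):
        print(name, check_secured_cluster(sample) or ["clean"])
```

The enforceOnUpdates check is the one worth keeping in a CI step: the chart will install either way, and the only symptom of the mismatch is that policy violations on updated workloads are never blocked.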

Environment variables

You can specify environment variables for sensor and admission controller in the following format:

customize:
  envVars:
    ENV_VAR1: "value1"
    ENV_VAR2: "value2"

The customize setting allows specifying custom Kubernetes metadata (labels and annotations) for all objects created by this Helm chart and additional pod labels, pod annotations, and container environment variables for workloads.

The configuration is hierarchical, in the sense that metadata defined at a more generic scope (for example, for all objects) can be overridden by metadata defined at a narrower scope (for example, only for the sensor deployment).

For example:

customize:
  # Extra metadata for all objects.
  labels:
    my-label-key: my-label-value
  annotations:
    my-annotation-key: my-annotation-value
  # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments and daemonsets).
  podLabels:
    my-pod-label-key: my-pod-label-value
  podAnnotations:
    my-pod-annotation-key: my-pod-annotation-value
  # Extra environment variables for all containers in all workloads.
  envVars:
    MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE
  # Extra metadata for the sensor deployment only.
  sensor:
    labels: {}
    annotations: {}
    podLabels: {}
    podAnnotations: {}
    envVars: {}
  # Extra metadata for the collector deployment only.
  collector:
    labels: {}
    annotations: {}
    podLabels: {}
    podAnnotations: {}
    envVars: {}
  # Extra metadata for the admission-control deployment only.
  admission-control:
    labels: {}
    annotations: {}
    podLabels: {}
    podAnnotations: {}
    envVars: {}
  # Extra metadata for all other objects. The keys in the following map can be
  # an object name of the form "service/sensor", or a reference to all
  # objects of a given type in the form "service/*". The values under each key
  # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars)
  # as specified above, though only the first two will be relevant for non-workload
  # object types.
  other:
    "service/*":
      labels: {}
      annotations: {}

Sensor Helm chart

The Sensor Helm chart is only available for the StackRox Kubernetes Security Platform version between 3.0.41 and 3.0.54.

For configuring the StackRox Kubernetes Security Platform version 3.0.55 or newer, use the Secured Cluster Services Helm chart.

To configure the Sensor Helm chart, modify the values.yaml file based on your environment.

Configuration

The following table lists the most common configuration parameters of this Helm chart and their default values.

Parameter | Description | Default value
--- | --- | ---
cluster.name | Name of your cluster. |
cluster.type | Either Kubernetes (KUBERNETES_CLUSTER) or OpenShift (OPENSHIFT_CLUSTER) cluster. | KUBERNETES_CLUSTER
endpoint.central | Address of the Central endpoint, including the port number (without a trailing slash). If you are using a non-gRPC capable LoadBalancer, use the WebSocket protocol by prefixing the endpoint address with wss://. | central.stackrox:443
endpoint.advertised | Address of the Sensor endpoint, including the port number. No trailing slash. | sensor.stackrox:443
image.repository.main | Repository from which to download the main image. | main
image.repository.collector | Repository from which to download the collector image. | collector
image.registry.main | Address of the registry you are using for the main image. | stackrox.io
image.registry.collector | Address of the registry you are using for the collector image. | collector.stackrox.io
config.collectionMethod | Either EBPF, KERNEL_MODULE, or NO_COLLECTION. | KERNEL_MODULE
config.admissionControl.createService | This setting controls whether Kubernetes is configured to contact the StackRox Kubernetes Security Platform with AdmissionReview requests. | false
config.admissionControl.listenOnUpdates | When you keep it as false, the StackRox Kubernetes Security Platform creates the ValidatingWebhookConfiguration in a way that causes the Kubernetes API server not to send object update events. Since the volume of object updates is usually higher than that of object creations, leaving this as false limits the load on the admission control service and decreases the chances of a malfunctioning admission control service. | false
config.admissionControl.enableService | Controls whether the StackRox Kubernetes Security Platform evaluates policies; if it’s disabled, all AdmissionReview requests are automatically accepted. | false
config.admissionControl.enforceOnUpdates | Controls the behavior of the admission control service for update events. You must specify listenOnUpdates as true for this to work. | false
config.admissionControl.scanInline | | false
config.admissionControl.disableBypass | Set it to true to disable bypassing the admission controller. | false
config.admissionControl.timeout | The maximum time in seconds that the StackRox Kubernetes Security Platform should wait while evaluating admission review requests. Use it to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, are still applied later if the image violates applicable policies. | 3
config.registryOverride | Use this parameter to override the default docker.io registry. Specify the name of your registry if you are using some other registry. |
config.disableTaintTolerations | If you specify false, tolerations are applied to collector, and the collector pods can schedule onto all nodes with taints. If you specify it as true, no tolerations are applied, and the collector pods won’t be scheduled onto nodes with taints. | false
config.createUpgraderServiceAccount | Specify true to create the sensor-upgrader account. By default, the StackRox Kubernetes Security Platform creates a service account called sensor-upgrader in each secured cluster. This account is highly privileged but is only used during upgrades. If you don’t create this account, you will have to complete future upgrades manually if the Sensor doesn’t have enough permissions. See Enable automatic upgrades for secured clusters for more information. | false
config.createSecrets | Specify false to skip the orchestrator secret creation for the sensor, collector, and admission controller. | true
config.offlineMode | Specify true if you are installing Sensor in offline mode so that the StackRox Kubernetes Security Platform doesn’t try to reach the internet. | false
config.slimCollector | Specify true if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support package from stackrox.io and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/. | false
envVars | Specify environment variables for sensor and admission controller. Each environment variable has a Name and a Value. | []
customize | Modern interface for specifying custom metadata for resources, including labels, annotations and environment variables. See below for more information. | {}
imagePullSecrets.useExisting | Specify existing Kubernetes image pull secrets that should be used for pulling StackRox images. | []
mainImagePullSecrets.useExisting | Specify existing Kubernetes image pull secrets that should be used for pulling StackRox main images. | imagePullSecrets.useExisting
collectorImagePullSecrets.useExisting | Specify existing Kubernetes image pull secrets that should be used for pulling StackRox collector images. | imagePullSecrets.useExisting

Advanced parameters which should only be necessary in non-standard environments:

Parameter | Description | Default value
--- | --- | ---
image.tag.main | Tag of the main image to use. | null
image.tag.collector | Tag of the collector image to use. | null
image.pullPolicy.main | Image pull policy for main images. | IfNotPresent
image.pullPolicy.collector | Image pull policy for collector images. | IfNotPresent if slimCollector is enabled, Always otherwise.
config.sensorResources | Resource specification for Sensor. | See below.
config.collectorResources | Resource specification for Collector. | See below.
config.complianceResources | Resource specification for Collector’s Compliance container. | See below.
config.admissionControlResources | Resource specification for Admission Control. | See below.

Default resources

The default resource settings for each container are defined under specific paths in the file internal/defaults.yaml in this chart. The following table lists the paths to the respective defaults for each chart configuration parameter:

Parameter | Path in internal/defaults.yaml
--- | ---
config.sensorResources | defaults.sensor.resources
config.collectorResources | defaults.collector.resources
config.complianceResources | defaults.collector.complianceResources
config.admissionControlResources | defaults.admissionControl.resources

Customization Settings

The customize setting allows specifying custom Kubernetes metadata (labels and annotations) for all objects instantiated by this Helm chart, additional pod labels, pod annotations, and container environment variables for workloads.

The configuration is hierarchical, in the sense that metadata that’s defined at a more generic scope (for example, for all objects) can be overridden by metadata defined at a narrower scope (for example, only for the sensor deployment).

For example:

customize:
  # Extra metadata for all objects.
  labels:
    my-label-key: my-label-value
  annotations:
    my-annotation-key: my-annotation-value
  # Extra pod metadata for all objects.
  podLabels:
    my-pod-label-key: my-pod-label-value
  podAnnotations:
    my-pod-annotation-key: my-pod-annotation-value
  # Extra environment variables for all containers in all workloads.
  envVars:
    MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE
  # Extra metadata for the sensor deployment only.
  sensor:
    labels: {}
    annotations: {}
    podLabels: {}
    podAnnotations: {}
    envVars: {}
  # Extra metadata for the collector deployment only.
  collector:
    labels: {}
    annotations: {}
    podLabels: {}
    podAnnotations: {}
    envVars: {}
  # Extra metadata for the admission-control deployment only.
  admission-control:
    labels: {}
    annotations: {}
    podLabels: {}
    podAnnotations: {}
    envVars: {}
  # Extra metadata for all other objects. The keys in the following map can be
  # an object name of the form "service/sensor", or a reference to all
  # objects of a given type in the form "service/*". The values under each key
  # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars)
  # as specified above, though only the first two will be relevant for non-workload
  # object types.
  other:
    "service/*":
      labels: {}
      annotations: {}
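
The hierarchy described above (and in the identical customize section of the Secured Cluster Services chart earlier on this page) is easiest to reason about when you can compute the effective metadata of one object. The following model is an added example, not the chart's template code: it layers the maps from the widest scope to the narrowest, global, then the workload's own section (sensor, collector, admission-control), then other["<type>/*"], then other["<type>/<name>"], so that a narrower scope wins on key collisions. How the real chart templates combine the maps is not shown on this page, so treat this resolution order as this example's reading of the description. The object reference format ("deployment/sensor", "service/sensor") and the sample customize dict are this example's own constructions.

```python
# Added example, not the chart's template code: a model of the precedence that the
# customize section describes. Wider scope first, narrower scope overrides:
#   global -> customize.<workload> -> customize.other["<type>/*"] -> customize.other["<type>/<name>"]
# This order is this example's reading of the description on the page; the chart's
# own template logic is not shown here. The sample customize dict is constructed.

METADATA_KINDS = ("labels", "annotations", "podLabels", "podAnnotations", "envVars")
OBJECT_ONLY_KINDS = ("labels", "annotations")     # all that applies to non-workloads
WORKLOAD_TYPES = ("deployment", "daemonset")
WORKLOAD_SECTIONS = ("sensor", "collector", "admission-control")


def _layers(customize, obj_ref):
    """Yield the metadata maps that apply to obj_ref, widest scope first."""
    obj_type, _, obj_name = obj_ref.partition("/")
    yield customize                                        # global scope
    if obj_type in WORKLOAD_TYPES and obj_name in WORKLOAD_SECTIONS:
        yield customize.get(obj_name) or {}                # e.g. customize.sensor
    other = customize.get("other") or {}
    yield other.get(f"{obj_type}/*") or {}                 # every object of this type
    yield other.get(obj_ref) or {}                         # this one object only


def effective_metadata(customize, obj_ref):
    """Resolve labels, annotations, podLabels, podAnnotations and envVars for one object.

    obj_ref is "<type>/<name>", for example "deployment/sensor" or "service/sensor".
    Non-workload objects only receive labels and annotations.
    """
    obj_type = obj_ref.partition("/")[0]
    kinds = METADATA_KINDS if obj_type in WORKLOAD_TYPES else OBJECT_ONLY_KINDS
    result = {kind: {} for kind in kinds}
    for layer in _layers(customize, obj_ref):
        for kind in kinds:
            result[kind].update(layer.get(kind) or {})     # later (narrower) layer wins
    return result


# Constructed sample mirroring the shape of the YAML above.
SAMPLE_CUSTOMIZE = {
    "labels": {"team": "platform-sec", "tier": "all"},
    "annotations": {"owner": "sec-ops"},
    "podLabels": {"monitoring": "enabled"},
    "envVars": {"LOG_LEVEL": "info"},
    "sensor": {"labels": {"tier": "sensor"}, "envVars": {"LOG_LEVEL": "debug"}},
    "collector": {"podLabels": {"monitoring": "disabled"}},
    "other": {
        "service/*": {"annotations": {"owner": "net-ops"}},
        "service/sensor": {"annotations": {"owner": "sensor-ops"}},
    },
}

if __name__ == "__main__":
    for ref in ("deployment/sensor", "daemonset/collector",
                "service/sensor", "service/collector"):
        print(ref, effective_metadata(SAMPLE_CUSTOMIZE, ref))
```

With the sample, the sensor deployment keeps the global team label but gets tier: sensor and LOG_LEVEL: debug, the collector daemonset turns monitoring off for its pods only, and the sensor service's owner annotation comes from other["service/sensor"] while every other service falls back to other["service/*"].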

Environment Variables

The following table lists the acceptable environment variables for the setup.sh script included in this Helm chart and their default values:

Environment Variable | Description | Default value
--- | --- | ---
ROX_NO_IMAGE_PULL_SECRETS | By default, the script creates image pull secrets as Kubernetes Secrets. To disable this behavior, set the value of the ROX_NO_IMAGE_PULL_SECRETS environment variable to true. | false


© 2021 StackRox Inc. All rights reserved.