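# Pod-level settings shared by the containers of the Tetragon DaemonSet.
# The nesting below was restored from a flattened listing; the stray "|" rows
# of the page render are not part of the file.
enabled: true
imagePullPolicy: IfNotPresent
imagePullSecrets: []
serviceAccount:
  create: true
  annotations: {}
  name: ""
podAnnotations: {}
podSecurityContext: {}
nodeSelector: {}
# A toleration with only "operator: Exists" matches every taint, so with the
# empty nodeSelector the pods can be scheduled onto all nodes, tainted ones
# included.
# NOTE(review): tetragon.securityContext.privileged is true in this file, so
# this places a privileged container on each of those nodes.
tolerations:
  - operator: Exists
affinity: {}
extraHostPathMounts: []
extraConfigmapMounts: []
daemonSetAnnotations: {}
extraVolumes: []
updateStrategy: {}
daemonSetLabelsOverride: {}
selectorLabelsOverride: {}
podLabelsOverride: {}
serviceLabelsOverride: {}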
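# Set DNS policy for tetragon pods.
#
# Recommended DNS policy for tetragon pod depends on whether the export container
# needs to resolve external DNS names (e.g. an S3 URL) or internal ones (e.g. a Kubernetes
# DNS name for elasticsearch service).
#
# - For external DNS names, use "Default" so that the export container continues to function
#   properly in case there is a connectivity issue between the export container and core-dns.
# - For internal DNS names, use "ClusterFirstWithHostNet" so that the export container can
#   resolve them.
#
# hostNetwork is true in this file; for host-network pods Kubernetes treats "ClusterFirst"
# like "Default", which is why "ClusterFirstWithHostNet" is the value named above for
# cluster-internal names.
#
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: Default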
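# exportDirectory specifies directory to put Hubble and FGS JSON export files.
# NOTE(review): whether this path is backed by a host directory is decided by
# the chart templates, which are not shown here; if it is, the exported events
# are readable by anything with access to that path on the node.
exportDirectory: "/var/run/cilium/tetragon"
# exportFileCreationInterval specifies file creation interval for hubble-export-s3.
exportFileCreationInterval: "120s"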
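#
# Configures whether Tetragon pods run on the host network.
#
# IMPORTANT: Tetragon must be on the host network for the process visibility to
# function properly.
#
# With host networking the pod shares the node's network namespace, so any
# listener it opens (for example the metrics port set under
# tetragon.prometheus) is bound on the node itself.
#
hostNetwork: true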
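# Settings for the Tetragon agent container.
tetragon:
  enabled: true
  image:
    # NOTE(review): presumably replaces the whole image reference when set;
    # confirm against the chart templates.
    override: null
    repository: quay.io/cilium/tetragon
    # Referenced by tag, not by digest. With imagePullPolicy: IfNotPresent a
    # node keeps whatever image it first pulled under this tag.
    tag: v0.8.0
  # No requests or limits are set for this container.
  resources: {}
  extraArgs: {}
  extraEnv: []
  # extraEnv:
  #   - name: foo
  #     value: bar
  extraVolumeMounts: []
  # The agent container runs privileged, i.e. without the usual container
  # isolation from the node.
  # NOTE(review): treat write access to these values and to the image
  # repository above as equivalent to access to every node the pod runs on.
  securityContext:
    privileged: true

  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors for subsequently exec'ed
  # processes.
  processCacheSize: 65536

  # JSON export filename. Set it to an empty string to disable JSON export altogether.
  exportFilename: tetragon.log

  # Size in megabytes at which to rotate JSON export files.
  exportFileMaxSizeMB: 10

  # Number of rotated files to retain.
  # With these values a node keeps the active file plus 5 rotated files of
  # about 10 MB each; older events are gone after rotation unless they have
  # been shipped elsewhere.
  exportFileMaxBackups: 5

  # Compress rotated JSON export files.
  exportFileCompress: false

  # Rate-limit event export (events per minute). Set to -1 to export all events.
  exportRateLimit: -1

  # Allowlist for JSON export. For example, to export only PROCESS_EXEC events from
  # the default namespace:
  #
  # exportAllowList: |
  #   {"namespace":["default"],"event_set":["PROCESS_EXEC"]}
  #
  # As configured, only the three event types listed here are exported.
  exportAllowList: |-
    {"event_set":["PROCESS_EXEC", "PROCESS_EXIT", "PROCESS_KPROBE"]}

  # Denylist for JSON export. For example, to exclude exec events that look similar to
  # Kubernetes health checks and all the events from kube-system namespace and the host:
  #
  # exportDenyList: |
  #   {"health_check":true}
  #   {"namespace":["kube-system",""]}
  #
  # As configured, events from the host (namespace ""), "cilium" and
  # "kube-system" are dropped from the JSON export, so activity there does not
  # reach anything that consumes these files.
  # NOTE(review): confirm this gap is intended if the export feeds detection.
  exportDenyList: |-
    {"health_check":true}
    {"namespace":["", "cilium", "kube-system"]}

  # Access Kubernetes API to associate Tetragon events with Kubernetes pods.
  enableK8sAPI: true

  # Access Cilium API to associate Tetragon events with Cilium endpoints and DNS cache.
  enableCiliumAPI: true

  # enableProcessCred enables Capabilities visibility in exec and kprobe events.
  enableProcessCred: true

  # enableProcessNs enables Namespaces visibility in exec and kprobe events.
  enableProcessNs: true

  # Set --btf option to explicitly specify an absolute path to a btf file. For advanced users only.
  btf: ""

  # Override the command. For advanced users only.
  commandOverride: []

  # Override the arguments. For advanced users only.
  argsOverride: []

  prometheus:
    # -- Whether to enable exposing Tetragon metrics.
    enabled: true
    # -- The port at which to expose metrics.
    # NOTE(review): hostNetwork is true at the top level of this file, so this
    # port is presumably reachable on the node address; confirm that access is
    # limited to the metrics scraper.
    port: 2112
    serviceMonitor:
      # -- Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods.
      enabled: false
      # -- The set of labels to place on the 'ServiceMonitor' resource.
      labelsOverride: {}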
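# Settings for the tetragon-operator component.
tetragonOperator:
  # -- Enable the tetragon-operator component (required).
  enabled: true

  # -- tetragon-operator image.
  image:
    override: null
    repository: quay.io/cilium/tetragon-operator
    tag: v0.8.0
    # tetragon-operator image-digest
    # Empty here, so the operator image is referenced by tag only.
    suffix: ""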
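# Settings for the container that exports the JSON event files.
export:
  # "stdout". "" to disable.
  mode: "stdout"
  resources: {}
  extraArgs: {}
  extraEnv: []
  # extraEnv:
  #   - name: foo
  #     value: bar
  extraVolumeMounts: []
  # Empty: these values set no explicit securityContext for the export
  # container, unlike tetragon.securityContext (privileged: true).
  securityContext: {}

  # Override the command. For advanced users only.
  commandOverride: []

  # Override the arguments. For advanced users only.
  argsOverride: []

  # filenames defines list of files for fluentd to tail and export.
  # NOTE(review): presumably has to include tetragon.exportFilename
  # (tetragon.log in this file); if the two drift apart, events would be
  # written on the node but never shipped. Verify against the chart templates.
  filenames:
    - tetragon.log

  stdout:
    image:
      override: null
      repository: quay.io/cilium/hubble-export-stdout
      # Referenced by tag, not by digest.
      tag: v1.0.2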