Configuration Library for Cluster Shield

The Cluster Shield configuration library lists all the major configurations supported by Cluster Shield components. This document is evolving and will be updated as new configurations are added to the product.

Generic Configuration

| Property | Description | Required | Default |
| --- | --- | --- | --- |
| cache | Configuration for the cluster shield cache. | No | |
| cluster_config | The name of the cluster. Set a unique value for all the clusters being inspected. | Yes | |
| features | Features configurations. | Yes | |
| kubernetes | Kubernetes configurations. | Yes | |
| log_level | The minimum log severity to be reported in logs. Expected one of the following: err, warn, info, debug, trace. | Yes | warn |
| monitoring_port | The HTTP Server port used to expose healthcheck and prometheus metrics. | No | 8080 |
| ssl | SSL configurations. | Yes | |
| sysdig_endpoint | The configuration for the sysdig services. | Yes | |

Features

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| admission_control | Configurations for the admission control feature. | Admission Control | Yes | | |
| audit | Configurations for the audit feature. | Audit | Yes | | |
| container_vulnerability_management | Configurations for the container vulnerability management feature. | Container Vulnerability Management | Yes | | |
| kubernetes_metadata | Configurations for the Kubernetes metadata feature. | Kubernetes Metadata | Yes | | |
| posture | Configurations for the posture feature. | Posture | Yes | | |

Kubernetes

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| ca_cert_file | Path to the CA Certificate file. | string | No | /cert/ca.crt | |
| root_namespace | Root namespace to use for the kubernetes resources. | string | No | kube-system | kube-system |
| running_namespace | Current namespace to use for the kubernetes resources. | string | No | sysdig-agent | |
| tls_cert_file | Path to the TLS Certificate file. | string | No | /cert/tls.crt | |
| tls_private_key_file | Path to the TLS Private Key file. | string | No | /cert/tls.key | |

SSL

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| verify | Define if the client must verify the backend SSL certificate. | boolean | Yes | true | |

Sysdig Endpoint

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| access_key | Sysdig Agent Access Key. | string | Yes | | 12345678-1234-1234-1234-123456789012 |
| api_url | Sysdig backend host. Expected format: uri. | string | Yes | | https://www.example.com |
| collector | Host and port to access Sysdig Collector endpoint. Expected format: hostport. | string | No | | collector.example.com:6443 |
| region | The region where the collector is located. Expected one of: custom, au-syd-monitor, au-syd-private-monitor, au-syd-private-secure, au-syd-secure, au1, br-sao-monitor, br-sao-private-monitor, br-sao-private-secure, br-sao-secure, ca-tor-monitor, ca-tor-private-monitor, ca-tor-private-secure, ca-tor-secure, eu-de-monitor, eu-de-private-monitor, eu-de-private-secure, eu-de-secure, eu-gb-monitor, eu-gb-private-monitor, eu-gb-private-secure, eu-gb-secure, eu1, jp-osa-monitor, jp-osa-private-monitor, jp-osa-private-secure, jp-osa-secure, jp-tok-monitor, jp-tok-private-monitor, jp-tok-private-secure, jp-tok-secure, me2, us-east-monitor, us-east-private-monitor, us-east-private-secure, us-east-secure, us-south-monitor, us-south-private-monitor, us-south-private-secure, us-south-secure, us1, us2, us3, us4. | string | Yes | custom | |
| secure_api_token | The API Token to access Sysdig Secure. | string | No | | 12345678-1234-1234-1234-123456789012 |

Admission Control

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| deny_on_error | Deny request when an error happens inside the evaluation phase. | boolean | Yes | false | |
| dry_run | Dry Run requests. | boolean | No | true | |
| enabled | Specify if the Admission Control is enabled. | boolean | Yes | false | |
| http_port | The HTTP Server port to expose the webhook web server. | integer | Yes | 8443 | |
| timeout | The number of seconds for the request to time out. | integer | No | 5 | |
| container_vulnerability_management | Configurations for the container vulnerability management feature. | AdmissionControlContainerVulnerabilityManagement | Yes | | |

AdmissionControlContainerVulnerabilityManagement

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Enable container vulnerability management checks. | boolean | No | false | |

Audit

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Specify if the audit feature is enabled. | boolean | Yes | false | |
| http_port | HTTP Server port used to expose the webhook web server. | integer | Yes | 6443 | |
| timeout | The number of seconds for the request to time out. | integer | Yes | 5 | |

Cluster Configuration

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | string | Yes | | my-cluster |

Container Vulnerability Management

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Specify if the scanning feature is enabled. | boolean | Yes | false | |
| in_use | | ContainerVulnerabilityManagementInUse | Yes | | |
| local_cluster | | ContainerVulnerabilityManagementLocal | Yes | | |
| platform_services_enabled | Specify if the platform services are enabled. | boolean | No | true | |
| registry_ssl | Verify SSL certificate when connecting to the registry. | SSL | Yes | | |
| remote_clusters | | ContainerVulnerabilityManagementRemote | Yes | | |

ContainerVulnerabilityManagementInUse

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Retrieve in-use information from the backend and aggregate them on the scan results. | boolean | Yes | true | |
| integration_enabled | Share in-use information with the external integrations. | boolean | Yes | false | |

ContainerVulnerabilityManagementLocal

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Specify if it should scan only the local cluster. | boolean | No | true | |
| registry_secrets | | ContainerVulnerabilityManagementLocalRegistrySecret | No | | |

ContainerVulnerabilityManagementLocalRegistrySecret

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| namespace | | string | Yes | | |
| secrets | | array[string] | Yes | | |

ContainerVulnerabilityManagementRemote

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Specify if it should scan remote clusters. | boolean | No | false | |
| kubeconfig_path | Path to the kubeconfig file. | string | No | | /path/to/kubeconfig |

Kubernetes Metadata

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Specify if the Kubernetes Metadata feature is enabled. | boolean | Yes | false | |

Posture

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| enabled | Specify if the Posture feature is enabled. | boolean | Yes | false | |

Cache

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| backend | Define the cache backend to use. Expected one of: redis. | string | No | | |
| redis | Configuration for the cluster shield redis cache. | CacheRedis | No | | |

CacheRedis

| Property | Description | Type | Required | Default | Example |
| --- | --- | --- | --- | --- | --- |
| address | | string | No | | |
| database | | string | No | | |
| password | | string | No | | |
| prefix | | string | No | | |
| sentinel_addresses | | string | No | | |
| sentinel_master | | string | No | | |
| tls_ca | | string | No | | |
| tls_enabled | | boolean | No | | |
| tls_skip | | boolean | No | | |
| ttl | | string | No | | |
| username | | string | No | | |
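The tables above describe one nested configuration tree, so the following Python is added here as a worked example of assembling such a tree and checking it against the documented rules before deployment. It is not Cluster Shield's own code or part of its documentation. It assumes the nesting shown in the tables (top-level properties holding the feature, kubernetes, ssl, sysdig_endpoint and cache sections), and the sample values for the Redis address are invented; the meaning attached to tls_skip (skip Redis TLS verification) is an assumption, since the CacheRedis table gives no description for it.

```python
"""Added example, not part of the Cluster Shield product or its documentation:
assemble a configuration from the reference tables and check it against the
documented rules (required properties, enumerated values, port ranges), then
list explicitly set values that weaken the default security posture."""

LOG_LEVELS = ("err", "warn", "info", "debug", "trace")  # log_level, Generic Configuration table
CACHE_BACKENDS = ("redis",)                               # cache.backend, Cache table

# Required properties per table, keyed by the path of the section in the config tree.
REQUIRED = {
    (): ("cluster_config", "features", "kubernetes", "log_level", "ssl", "sysdig_endpoint"),
    ("cluster_config",): ("name",),
    ("ssl",): ("verify",),
    ("sysdig_endpoint",): ("access_key", "api_url", "region"),
    ("features",): ("admission_control", "audit", "container_vulnerability_management",
                    "kubernetes_metadata", "posture"),
    ("features", "admission_control"): ("deny_on_error", "enabled", "http_port",
                                        "container_vulnerability_management"),
    ("features", "audit"): ("enabled", "http_port", "timeout"),
    ("features", "container_vulnerability_management"): ("enabled", "in_use", "local_cluster",
                                                         "registry_ssl", "remote_clusters"),
    ("features", "container_vulnerability_management", "in_use"): ("enabled", "integration_enabled"),
    ("features", "kubernetes_metadata"): ("enabled",),
    ("features", "posture"): ("enabled",),
}
# Properties the tables declare as integer ports.
PORTS = (("monitoring_port",), ("features", "admission_control", "http_port"),
         ("features", "audit", "http_port"))

# Constructed sample configuration. Keys follow the tables; access key, API URL and
# cluster name are the documented examples, the Redis address is an invented placeholder.
SAMPLE_CONFIG = {
    "cluster_config": {"name": "my-cluster"},
    "log_level": "warn",
    "monitoring_port": 8080,
    "ssl": {"verify": True},
    "sysdig_endpoint": {
        "access_key": "12345678-1234-1234-1234-123456789012",
        "api_url": "https://www.example.com",
        "region": "custom",
    },
    "kubernetes": {"root_namespace": "kube-system", "running_namespace": "sysdig-agent"},
    "cache": {"backend": "redis",
              "redis": {"address": "redis.example.internal:6379", "tls_enabled": True}},
    "features": {
        "admission_control": {"enabled": True, "dry_run": False, "deny_on_error": True,
                              "http_port": 8443, "timeout": 5,
                              "container_vulnerability_management": {"enabled": True}},
        "audit": {"enabled": True, "http_port": 6443, "timeout": 5},
        "container_vulnerability_management": {
            "enabled": True,
            "in_use": {"enabled": True, "integration_enabled": False},
            "local_cluster": {"enabled": True},
            "registry_ssl": {"verify": True},
            "remote_clusters": {"enabled": False},
        },
        "kubernetes_metadata": {"enabled": True},
        "posture": {"enabled": True},
    },
}


def lookup(cfg, path):
    """Walk a tuple path through nested dicts; None when any step is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def validate(cfg):
    """Return the list of rule violations; an empty list means the config passes."""
    problems = []
    for path, keys in REQUIRED.items():
        section = lookup(cfg, path)
        if section is None:
            continue  # a missing section is reported when its parent is checked
        problems += ["missing required " + ".".join(path + (k,)) for k in keys if k not in section]
    if cfg.get("log_level") not in LOG_LEVELS:
        problems.append("log_level must be one of " + ", ".join(LOG_LEVELS))
    backend = lookup(cfg, ("cache", "backend"))
    if backend is not None and backend not in CACHE_BACKENDS:
        problems.append("cache.backend must be one of " + ", ".join(CACHE_BACKENDS))
    for path in PORTS:
        port = lookup(cfg, path)
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(".".join(path) + " must be an integer between 1 and 65535")
    return problems


def review_hardening(cfg):
    """List explicitly set values that switch off a documented verification or deny path."""
    notes = []
    if lookup(cfg, ("ssl", "verify")) is False:
        notes.append("ssl.verify=false: backend certificate is not verified")
    if lookup(cfg, ("features", "container_vulnerability_management", "registry_ssl", "verify")) is False:
        notes.append("registry_ssl.verify=false: registry certificate is not verified")
    if lookup(cfg, ("cache", "redis", "tls_skip")) is True:  # assumed meaning of tls_skip
        notes.append("cache.redis.tls_skip=true: Redis TLS verification is skipped")
    ac = lookup(cfg, ("features", "admission_control")) or {}
    if ac.get("enabled") and ac.get("dry_run") is True:
        notes.append("admission_control.dry_run=true: requests are only dry-run, not enforced")
    if ac.get("enabled") and ac.get("deny_on_error") is False:
        notes.append("admission_control.deny_on_error=false: evaluation errors fail open")
    return notes
```

Run `validate(SAMPLE_CONFIG)` and `review_hardening(SAMPLE_CONFIG)` on a configuration before applying it; both return empty lists for the sample above, and each reported string names the dotted property path so it can be matched back to the table that documents it.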