Configuration Library for Cluster Shield

The Cluster Shield configuration library lists all the major configurations supported by Cluster Shield components. This document is evolving and will be updated as new configurations are added to the product.

Generic Configuration

Property	Description	Required	Default
cache	Configuration for the cluster shield cache.	No
cluster_config	The name of the cluster. Set a unique value for all the clusters being inspected.	Yes
features	Features configurations.	Yes
kubernetes	Kubernetes configurations.	Yes
log_level	The minimum log severity to be reported in logs. Expected one of the following: `err` ,`warn` ,`info` ,`debug` ,`trace`.	Yes	`warn`
monitoring_port	The HTTP Server port used to expose healthcheck and prometheus metrics.	No	`8080`
ssl	SSL configurations.	Yes
sysdig_endpoint	The configuration for the sysdig services.	Yes

Features

Property	Description	Type	Required
admission_control	Configurations for the admission control feature.	Admission Control	Yes
audit	Configurations for the audit feature.	Audit	Yes
container_vulnerability_management	Configurations for the container vulnerability management feature.	Container Vulnerability Management	Yes
kubernetes_metadata	Configurations for the Kubernetes metadata feature.	Kubernetes Metadata	Yes
posture	Configurations for the posture feature.	Posture	Yes

Kubernetes

Property	Description	Type	Required	Default	Example
ca_cert_file	Path to the CA Certificate file.	string	No		`/cert/ca.crt`
root_namespace	Root namespace to use for the kubernetes resources.	string	No	`kube-system`	`kube-system`
running_namespace	Current namespace to use for the kubernetes resources.	string	No		`sysdig-agent`
tls_cert_file	Path to the TLS Certificate file.	string	No		`/cert/tls.crt`
tls_private_key_file	Path to the TLS Private Key file.	string	No		`/cert/tls.key`

SSL

Property	Description	Type	Required	Default	Example
verify	Define if the client must verify the backend SSL certificate.	boolean	Yes	`true`

Sysdig Endpoint

Property	Description	Type	Required	Default	Example
access_key	Sysdig Agent Access Key.	string	Yes		`12345678-1234-1234-1234-123456789012`
api_url	Sysdig backend host. Expected format: `uri`.	string	Yes		`https://www.example.com`
collector	Host and port to access Sysdig Collector endpoint. Expected format: `hostport`.	string	No		`collector.example.com:6443`
region	The region where the collector is located. Expected one of: `custom` ,`au-syd-monitor` ,`au-syd-private-monitor` ,`au-syd-private-secure` ,`au-syd-secure` ,`au1` ,`br-sao-monitor` ,`br-sao-private-monitor` ,`br-sao-private-secure` ,`br-sao-secure` ,`ca-tor-monitor` ,`ca-tor-private-monitor` ,`ca-tor-private-secure` ,`ca-tor-secure` ,`eu-de-monitor` ,`eu-de-private-monitor` ,`eu-de-private-secure` ,`eu-de-secure` ,`eu-gb-monitor` ,`eu-gb-private-monitor` ,`eu-gb-private-secure` ,`eu-gb-secure` ,`eu1` ,`in1` ,`jp-osa-monitor` ,`jp-osa-private-monitor` ,`jp-osa-private-secure` ,`jp-osa-secure` ,`jp-tok-monitor` ,`jp-tok-private-monitor` ,`jp-tok-private-secure` ,`jp-tok-secure` ,`me2` ,`us-east-monitor` ,`us-east-private-monitor` ,`us-east-private-secure` ,`us-east-secure` ,`us-south-monitor` ,`us-south-private-monitor` ,`us-south-private-secure` ,`us-south-secure` ,`us1` ,`us2` ,`us3` ,`us4`.	string	Yes	`custom`
secure_api_token	The API Token to access Sysdig Secure.	string	No		`12345678-1234-1234-1234-123456789012`

Admission Control

Property	Description	Type	Required	Default
deny_on_error	Deny request when an error happens inside the evaluation phase.	boolean	Yes	`false`
dry_run	Dry Run requests.	boolean	No	`true`
enabled	Specify if the Admission Control is enabled.	boolean	Yes	`false`
http_port	The HTTP Server port to expose the webhook web server.	integer	Yes	`8443`
timeout	The number of seconds for the request to time out.	integer	No	`5`
container_vulnerability_management	Configurations for the container vulnerability management feature.	AdmissionControlContainerVulnerabilityManagement	Yes

AdmissionControlContainerVulnerabilityManagement

Property	Description	Type	Required	Default	Example
enabled	Enable container vulnerability management checks.	boolean	No	`false`

Audit

Property	Description	Type	Required	Default
enabled	Specify if the audit feature is enabled.	boolean	Yes	`false`
http_port	HTTP Server port used to expose the webhook web server.	integer	Yes	`6443`
timeout	The number of seconds for the request to time out.	integer	Yes	`5`

Cluster Configuration

Property	Description	Type	Required	Default	Example
name	The name of the cluster. Make sure to set a unique value for all the clusters being inspected.	string	Yes		`my-cluster`

Container Vulnerability Management

Property	Description	Type	Required	Default
enabled	Specify if the scanning feature is enabled.	boolean	Yes	`false`
in_use		ContainerVulnerabilityManagementInUse	Yes
local_cluster		ContainerVulnerabilityManagementLocal	Yes
max_file_size_bytes	The maximum size in bytes allowed for a file to be analyzed.	integer	No	`104857600`
max_file_size_bytes_in_memory	The maximum size in bytes for a file to be analyzed in memory. The files larger than this size are temporarily copied to the filesystem.	integer	No	`26214400`
parallel_files_analysis_count	The maximum number of files that are analyzed in parallel.	integer	No	`5`
platform_services_enabled	Specify if the platform services are enabled.	boolean	No	`true`
registry_ssl	Verify SSL certificate when connecting to the registry.	SSL	Yes

ContainerVulnerabilityManagementInUse

Property	Description	Type	Required	Default	Example
enabled	Retrieve in-use information from the backend and aggregate them on the scan results.	boolean	Yes	`true`
integration_enabled	Share in-use information with the external integrations.	boolean	Yes	`false`

ContainerVulnerabilityManagementLocal

Property	Description	Type	Required	Default	Example
registry_secrets		ContainerVulnerabilityManagementLocalRegistrySecret	No

ContainerVulnerabilityManagementLocalRegistrySecret

Property	Description	Type	Required	Default	Example
namespace		string	Yes
secrets		array[string]	Yes

Kubernetes Metadata

Property	Description	Type	Required	Default	Example
enabled	Specify if the Kubernetes Metadata feature is enabled.	boolean	Yes	`false`
annotations_allowlist	List of Kubernetes annotations keys that will be sent to the Sysdig BE e.g. for generating KSM metrics. To include them, provide a list of resource names in their plural form and Kubernetes annotation keys you would like to allow for them. Annotation keys can contain wildcard character ‘’. A single ‘’ can be provided per resource to allow any annotation. By default, no annotations are allowed for any resource.	object	No	`{}`

Posture

Property	Description	Type	Required	Default	Example
enabled	Specify if the Posture feature is enabled.	boolean	Yes	`false`

Cache

Property	Description	Type	Required	Default	Example
backend	Define the cache backend to use. Expected one of: `redis`.	`string`	No
redis	Configuration for the cluster shield redis cache.	CacheRedis	No

CacheRedis

Property	Type	Required
address	string	No
database	string	No
password	string	No
prefix	string	No
sentinel_addresses	string	No
sentinel_master	string	No
tls_ca	string	No
tls_enabled	boolean	No
tls_skip	boolean	No
ttl	string	No
username	string	No

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.