Configuration Library for Cluster Shield

The Cluster Shield configuration library lists all the major configurations supported by Cluster Shield components. This document is evolving and will be updated as new configurations are added to the product.

Generic Configuration

| Property | Description | Required | Default |
|---|---|---|---|
| cache | Configuration for the Cluster Shield cache. | No | |
| cluster_config | The name of the cluster. Set a unique value for all the clusters being inspected. | Yes | |
| features | Features configurations. | Yes | |
| kubernetes | Kubernetes configurations. | Yes | |
| log_level | The minimum log severity to be reported in logs. Expected one of the following: err, warn, info, debug, trace. | Yes | warn |
| monitoring_port | The HTTP server port used to expose the healthcheck and Prometheus metrics. | No | 8080 |
| ssl | SSL configurations. | Yes | |
| sysdig_endpoint | The configuration for the Sysdig services. | Yes | |

Features

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| admission_control | Configurations for the admission control feature. This feature is in active development. See Admission Control. | Admission Control | Yes | | |
| audit | Configurations for the audit feature. | Audit | Yes | | |
| container_vulnerability_management | Configurations for the container vulnerability management feature. | Container Vulnerability Management | Yes | | |
| kubernetes_metadata | Configurations for the Kubernetes metadata feature. | Kubernetes Metadata | Yes | | |
| posture | Configurations for the posture feature. | Posture | Yes | | |

Kubernetes

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| ca_cert_file | Path to the CA certificate file. | string | No | | /cert/ca.crt |
| root_namespace | Root namespace to use for the Kubernetes resources. | string | No | kube-system | kube-system |
| running_namespace | Current namespace to use for the Kubernetes resources. | string | No | | sysdig-agent |
| tls_cert_file | Path to the TLS certificate file. | string | No | | /cert/tls.crt |
| tls_private_key_file | Path to the TLS private key file. | string | No | | /cert/tls.key |

SSL

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| verify | Define whether the client must verify the backend SSL certificate. | boolean | Yes | true | |

Sysdig Endpoint

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| access_key | Sysdig Agent access key. | string | Yes | | 12345678-1234-1234-1234-123456789012 |
| api_url | Sysdig backend host. Expected format: uri. | string | Yes | | https://www.example.com |
| collector | Host and port to access the Sysdig Collector endpoint. Expected format: host:port. | string | No | | collector.example.com:6443 |
| region | The region where the collector is located. Expected one of: custom, au-syd-monitor, au-syd-private-monitor, au-syd-private-secure, au-syd-secure, au1, br-sao-monitor, br-sao-private-monitor, br-sao-private-secure, br-sao-secure, ca-tor-monitor, ca-tor-private-monitor, ca-tor-private-secure, ca-tor-secure, eu-de-monitor, eu-de-private-monitor, eu-de-private-secure, eu-de-secure, eu-gb-monitor, eu-gb-private-monitor, eu-gb-private-secure, eu-gb-secure, eu1, in1, jp-osa-monitor, jp-osa-private-monitor, jp-osa-private-secure, jp-osa-secure, jp-tok-monitor, jp-tok-private-monitor, jp-tok-private-secure, jp-tok-secure, me2, us-east-monitor, us-east-private-monitor, us-east-private-secure, us-east-secure, us-south-monitor, us-south-private-monitor, us-south-private-secure, us-south-secure, us1, us2, us3, us4. | string | Yes | custom | |
| secure_api_token | The API token to access Sysdig Secure. | string | No | | 12345678-1234-1234-1234-123456789012 |

Admission Control

The new Admission Control feature for Vulnerability Management (VM) and Kubernetes Security Posture Management (KSPM) in Cluster Shield is in active development. If you are interested in using this feature, contact your Sysdig representative.

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| deny_on_error | Deny the request when an error happens inside the evaluation phase. | boolean | Yes | false | |
| dry_run | Dry-run requests. | boolean | No | true | |
| enabled | Specify whether Admission Control is enabled. | boolean | Yes | false | |
| excluded_namespaces | List of namespaces to exclude from the admission control feature. | array[string] | No | [] | |
| http_port | The HTTP server port used to expose the webhook web server. | integer | Yes | 8443 | |
| timeout | The number of seconds for the request to time out. | integer | No | 5 | |
| container_vulnerability_management | Configurations for the container vulnerability management feature. | AdmissionControlContainerVulnerabilityManagement | Yes | | |

AdmissionControlContainerVulnerabilityManagement

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Enable container vulnerability management checks. | boolean | No | false | |

Audit

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Specify whether the audit feature is enabled. | boolean | Yes | false | |
| excluded_namespaces | List of namespaces to exclude from the audit feature. | array[string] | No | [] | |
| http_port | The HTTP server port used to expose the webhook web server. | integer | Yes | 6443 | |
| timeout | The number of seconds for the request to time out. | integer | Yes | 5 | |
| webhook_rules | List of rules used to determine whether a request should be audited. | array[object] | No | `[map[apiGroups:[ apps autoscaling batch networking.k8s.io rbac.authorization.k8s.io extensions] apiVersions:[*] operations:[*] resources:[*/*] scope:*]]` | |

Cluster Configuration

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | string | Yes | | my-cluster |
| tags | Tags you want to apply to the metadata sent to the Sysdig backend (BE). They are used, for instance, as additional labels on the KSM metrics. | object | No | | |

Container Vulnerability Management

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Specify whether the scanning feature is enabled. | boolean | Yes | false | |
| in_use | | ContainerVulnerabilityManagementInUse | Yes | | |
| local_cluster | | ContainerVulnerabilityManagementLocal | Yes | | |
| max_file_size_bytes | The maximum size in bytes allowed for a file to be analyzed. | integer | No | 104857600 | |
| max_file_size_bytes_in_memory | The maximum size in bytes for a file to be analyzed in memory. Files larger than this size are temporarily copied to the filesystem. | integer | No | 26214400 | |
| parallel_files_analysis_count | The maximum number of files that are analyzed in parallel. | integer | No | 5 | |
| platform_services_enabled | Specify whether the platform services are enabled. | boolean | No | true | |
| registry_ssl | Verify the SSL certificate when connecting to the registry. | SSL | Yes | | |

ContainerVulnerabilityManagementInUse

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Retrieve in-use information from the backend and aggregate it into the scan results. | boolean | Yes | true | |
| integration_enabled | Share in-use information with the external integrations. | boolean | Yes | false | |

ContainerVulnerabilityManagementLocal

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| registry_secrets | | ContainerVulnerabilityManagementLocalRegistrySecret | No | | |

ContainerVulnerabilityManagementLocalRegistrySecret

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| namespace | | string | Yes | | |
| secrets | | array[string] | Yes | | |

Kubernetes Metadata

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Specify whether the Kubernetes Metadata feature is enabled. | boolean | Yes | false | |
| annotations_allowlist | List of Kubernetes annotation keys that will be sent to the Sysdig backend (BE), e.g. for generating KSM metrics. To include them, provide a list of resource names in their plural form and the Kubernetes annotation keys you would like to allow for them. Annotation keys can contain the wildcard character `*`. A single `*` can be provided per resource to allow any annotation. By default, no annotations are allowed for any resource. | object | No | {} | |

Posture

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Specify whether the Posture feature is enabled. | boolean | Yes | false | |

Cache

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| backend | Define the cache backend to use. Expected one of: redis. | string | No | | |
| redis | Configuration for the Cluster Shield Redis cache. | CacheRedis | No | | |

CacheRedis

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| address | | string | No | | |
| database | | string | No | | |
| password | | string | No | | |
| prefix | | string | No | | |
| sentinel_addresses | | string | No | | |
| sentinel_master | | string | No | | |
| tls_ca | | string | No | | |
| tls_enabled | | boolean | No | | |
| tls_skip | | boolean | No | | |
| ttl | | string | No | | |
| username | | string | No | | |
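The YAML below, added here as an illustration and not taken from the product's own documentation or Helm chart, assembles the properties from the tables above into one configuration file so the nesting is visible in one place. The placement of each sub-table under the property that references it, the file layout, and the map shape used for annotations_allowlist are assumptions; key names, types and defaults come from the tables, and the credential values are the page's own placeholders.

```yaml
# Added illustration built from the reference tables; not a file shipped by
# Cluster Shield. Nesting and the annotations_allowlist shape are assumptions.
log_level: warn                 # err | warn | info | debug | trace
monitoring_port: 8080           # healthcheck and Prometheus metrics

cluster_config:
  name: prod-eu-1               # must be unique across inspected clusters
  tags:                         # extra labels on the KSM metrics
    env: production

sysdig_endpoint:
  region: custom                # one of the values in the Sysdig Endpoint table
  api_url: https://www.example.com
  collector: collector.example.com:6443
  access_key: 12345678-1234-1234-1234-123456789012       # placeholder, keep out of git
  secure_api_token: 12345678-1234-1234-1234-123456789012 # placeholder

ssl:
  verify: true                  # false would skip backend certificate validation

kubernetes:
  root_namespace: kube-system
  running_namespace: sysdig-agent
  ca_cert_file: /cert/ca.crt
  tls_cert_file: /cert/tls.crt
  tls_private_key_file: /cert/tls.key

features:
  admission_control:
    enabled: true
    dry_run: true               # evaluate without denying while tuning policies
    deny_on_error: false        # fail-open on evaluator errors; true = fail-closed
    http_port: 8443
    timeout: 5
    excluded_namespaces: [kube-system]
    container_vulnerability_management:
      enabled: true
  audit:
    enabled: true               # http_port 6443 and timeout 5 left at defaults
  container_vulnerability_management:
    enabled: true
    in_use: {enabled: true, integration_enabled: false}
    local_cluster:
      registry_secrets:
        - {namespace: sysdig-agent, secrets: [regcred]}
    registry_ssl: {verify: true}
  kubernetes_metadata:
    enabled: true
    annotations_allowlist:      # plural resource name -> allowed annotation keys
      deployments: ["app.kubernetes.io/*"]
  posture:
    enabled: true
```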