Configuration Library for Cluster Shield
The Cluster Shield configuration library lists all the major configurations supported by Cluster Shield components. This document is evolving and will be updated as new configurations are added to the product.
Generic Configuration
Property | Description | Required | Default |
---|---|---|---|
cache | Configuration for the cluster shield cache. | No | |
cluster_config | The name of the cluster. Set a unique value for all the clusters being inspected. | Yes | |
features | Features configurations. | Yes | |
kubernetes | Kubernetes configurations. | Yes | |
log_level | The minimum log severity to be reported in logs. Expected one of the following: err ,warn ,info ,debug ,trace . | Yes | warn |
monitoring_port | The HTTP Server port used to expose healthcheck and prometheus metrics. | No | 8080 |
ssl | SSL configurations. | Yes | |
sysdig_endpoint | The configuration for the sysdig services. | Yes |
Features
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
admission_control | Configurations for the admission control feature. This feature is in active development. See Admission Control. | Admission Control | Yes | ||
audit | Configurations for the audit feature. | Audit | Yes | ||
container_vulnerability_management | Configurations for the container vulnerability management feature. | Container Vulnerability Management | Yes | ||
kubernetes_metadata | Configurations for the Kubernetes metadata feature. | Kubernetes Metadata | Yes | ||
posture | Configurations for the posture feature. | Posture | Yes |
Kubernetes
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
ca_cert_file | Path to the CA Certificate file. | string | No | /cert/ca.crt | |
root_namespace | Root namespace to use for the kubernetes resources. | string | No | kube-system | kube-system |
running_namespace | Current namespace to use for the kubernetes resources. | string | No | sysdig-agent | |
tls_cert_file | Path to the TLS Certificate file. | string | No | /cert/tls.crt | |
tls_private_key_file | Path to the TLS Private Key file. | string | No | /cert/tls.key |
SSL
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
verify | Define if the client must verify the backend SSL certificate. | boolean | Yes | true |
Sysdig Endpoint
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
access_key | Sysdig Agent Access Key. | string | Yes | 12345678-1234-1234-1234-123456789012 | |
api_url | Sysdig backend host. Expected format: uri . | string | Yes | https://www.example.com | |
collector | Host and port to access Sysdig Collector endpoint. Expected format: hostport . | string | No | collector.example.com:6443 | |
region | The region where the collector is located. Expected one of: custom ,au-syd-monitor ,au-syd-private-monitor ,au-syd-private-secure ,au-syd-secure ,au1 ,br-sao-monitor ,br-sao-private-monitor ,br-sao-private-secure ,br-sao-secure ,ca-tor-monitor ,ca-tor-private-monitor ,ca-tor-private-secure ,ca-tor-secure ,eu-de-monitor ,eu-de-private-monitor ,eu-de-private-secure ,eu-de-secure ,eu-gb-monitor ,eu-gb-private-monitor ,eu-gb-private-secure ,eu-gb-secure ,eu1 ,in1 ,jp-osa-monitor ,jp-osa-private-monitor ,jp-osa-private-secure ,jp-osa-secure ,jp-tok-monitor ,jp-tok-private-monitor ,jp-tok-private-secure ,jp-tok-secure ,me2 ,us-east-monitor ,us-east-private-monitor ,us-east-private-secure ,us-east-secure ,us-south-monitor ,us-south-private-monitor ,us-south-private-secure ,us-south-secure ,us1 ,us2 ,us3 ,us4 . | string | Yes | custom | |
secure_api_token | The API Token to access Sysdig Secure. | string | No | 12345678-1234-1234-1234-123456789012 |
Admission Control
The new Admission Control feature for Vulnerability Management (VM) and Kubernetes Security Posture Management (KSPM) in Cluster Shield is in active development. If you are interested in using this feature, contact your Sysdig representative.
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
deny_on_error | Deny request when an error happens inside the evaluation phase. | boolean | Yes | false | |
dry_run | Dry Run requests. | boolean | No | true | |
enabled | Specify if the Admission Control is enabled. | boolean | Yes | false | |
excluded_namespaces | List of namespaces to exclude from the admission control feature. | array[string] | No | [] | |
http_port | The HTTP Server port to expose the webhook web server. | integer | Yes | 8443 | |
timeout | The number of seconds for the request to time out. | integer | No | 5 | |
container_vulnerability_management | Configurations for the container vulnerability management feature. | AdmissionControlContainerVulnerabilityManagement | Yes |
AdmissionControlContainerVulnerabilityManagement
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
enabled | Enable container vulnerability management checks. | boolean | No | false |
Audit
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
enabled | Specify if the audit feature is enabled. | boolean | Yes | false | |
excluded_namespaces | List of namespaces to exclude from the audit feature. | array[string] | No | [] | |
http_port | HTTP Server port used to expose the webhook web server. | integer | Yes | 6443 | |
timeout | The number of seconds for the request to time out. | integer | Yes | 5 | |
webhook_rules | List of rules used to determine if a request should be audited. | array[object] | No | [map[apiGroups:[ apps autoscaling batch networking.k8s.io rbac.authorization.k8s.io extensions] apiVersions:[*] operations:[*] resources:[*/*] scope:*]] |
Cluster Configuration
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | string | Yes | my-cluster | |
tags | Tags you want to apply to the metadata sent to the Sysdig BE. They are used for instance as additional labels to the KSM metrics. | object | No |
Container Vulnerability Management
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
enabled | Specify if the scanning feature is enabled. | boolean | Yes | false | |
in_use | ContainerVulnerabilityManagementInUse | Yes | |||
local_cluster | ContainerVulnerabilityManagementLocal | Yes | |||
max_file_size_bytes | The maximum size in bytes allowed for a file to be analyzed. | integer | No | 104857600 | |
max_file_size_bytes_in_memory | The maximum size in bytes for a file to be analyzed in memory. The files larger than this size are temporarily copied to the filesystem. | integer | No | 26214400 | |
parallel_files_analysis_count | The maximum number of files that are analyzed in parallel. | integer | No | 5 | |
platform_services_enabled | Specify if the platform services are enabled. | boolean | No | true | |
registry_ssl | Verify SSL certificate when connecting to the registry. | SSL | Yes |
ContainerVulnerabilityManagementInUse
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
enabled | Retrieve in-use information from the backend and aggregate them on the scan results. | boolean | Yes | true | |
integration_enabled | Share in-use information with the external integrations. | boolean | Yes | false |
ContainerVulnerabilityManagementLocal
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
registry_secrets | ContainerVulnerabilityManagementLocalRegistrySecret | No |
ContainerVulnerabilityManagementLocalRegistrySecret
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
namespace | string | Yes | |||
secrets | array[string] | Yes |
Kubernetes Metadata
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
enabled | Specify if the Kubernetes Metadata feature is enabled. | boolean | Yes | false | |
annotations_allowlist | List of Kubernetes annotations keys that will be sent to the Sysdig BE e.g. for generating KSM metrics. To include them, provide a list of resource names in their plural form and Kubernetes annotation keys you would like to allow for them. Annotation keys can contain wildcard character ‘’. A single ‘’ can be provided per resource to allow any annotation. By default, no annotations are allowed for any resource. | object | No | {} |
Posture
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
enabled | Specify if the Posture feature is enabled. | boolean | Yes | false |
Cache
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
backend | Define the cache backend to use. Expected one of: redis . | string | No | ||
redis | Configuration for the cluster shield redis cache. | CacheRedis | No |
CacheRedis
Property | Description | Type | Required | Default | Example |
---|---|---|---|---|---|
address | string | No | |||
database | string | No | |||
password | string | No | |||
prefix | string | No | |||
sentinel_addresses | string | No | |||
sentinel_master | string | No | |||
tls_ca | string | No | |||
tls_enabled | boolean | No | |||
tls_skip | boolean | No | |||
ttl | string | No | |||
username | string | No |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.