diff --git a/falco/.helmignore b/falco/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/falco/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/falco/BREAKING-CHANGES.md b/falco/BREAKING-CHANGES.md new file mode 100644 index 0000000..5881962 --- /dev/null +++ b/falco/BREAKING-CHANGES.md 
@@ -0,0 +1,230 @@ +# Helm chart Breaking Changes + - [4.0.0](#400) + - [Drivers](#drivers) + - [K8s Collector](#k8s-collector) + - [Plugins](#plugins) + - [3.0.0](#300) + - [Falcoctl](#falcoctl-support) + - [Rulesfiles](#rulesfiles) + - [Falco Images](#drop-support-for-falcosecurityfalco-image) + - [Driver Loader Init Container](#driver-loader-simplified-logic) + +## 4.0.0 +### Drivers +The `driver` section has been reworked based on the following PR: https://github.com/falcosecurity/falco/pull/2413. +It is an attempt to uniform how a driver is configured in Falco. +It also groups the configuration based on the driver type. +Some of the drivers has been renamed: +* kernel modules has been renamed from `module` to `kmod`; +* the ebpf probe has not been changed. It's still `ebpf`; +* the modern ebpf probe has been renamed from `modern-bpf` to `modern_ebpf`. + +The `gvisor` configuration has been moved under the `driver` section since it is considered a driver on its own. + +### K8s Collector +The old Kubernetes client has been removed in Falco 0.37.0. For more info checkout this issue: https://github.com/falcosecurity/falco/issues/2973#issuecomment-1877803422. +The [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) and [k8s-meta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) substitute +the old implementation. + +The following resources needed by Falco to connect to the API server are no longer needed and has been removed from the chart: +* service account; +* cluster role; +* cluster role binding. + +When the `collectors.kubernetes` is enabled the chart deploys the [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) and configures Falco to load the +[k8s-meta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin. + +By default, the `collectors.kubernetes.enabled` is off; for more info, see the following issue: https://github.com/falcosecurity/falco/issues/2995. 
+ +### Plugins +The Falco docker image does not ship anymore the plugins: https://github.com/falcosecurity/falco/pull/2997. +For this reason, the `resolveDeps` is now enabled in relevant values files (ie. `values-k8saudit.yaml`). +When installing `rulesfile` artifacts `falcoctl` will try to resolve its dependencies and install the required plugins. + +## 3.0.0 +The new chart deploys new *k8s* resources and new configuration variables have been added to the `values.yaml` file. People upgrading the chart from `v2.x.y` have to port their configuration variables to the new `values.yaml` file used by the `v3.0.0` chart. + +If you still want to use the old values, because you do not want to take advantage of the new and shiny **falcoctl** tool then just run: +```bash= +helm upgrade falco falcosecurity/falco \ + --namespace=falco \ + --reuse-values \ + --set falcoctl.artifact.install.enabled=false \ + --set falcoctl.artifact.follow.enabled=false +``` +This way you will upgrade Falco to `v0.34.0`. + +**NOTE**: The new version of Falco itself, installed by the chart, does not introduce breaking changes. You can port your previous Falco configuration to the new `values.yaml` by copy-pasting it. + + +### Falcoctl support + +[Falcoctl](https://github.com/falcosecurity/falcoctl) is a new tool born to automatize operations when deploying Falco. + +Before the `v3.0.0` of the charts *rulesfiles* and *plugins* were shipped bundled in the Falco docker image. It precluded the possibility to update the *rulesfiles* and *plugins* until a new version of Falco was released. Operators had to manually update the *rulesfiles or add new *plugins* to Falco. The process was cumbersome and error-prone. Operators had to create their own Falco docker images with the new plugins baked into it or wait for a new Falco release. + +Starting from the `v3.0.0` chart release, we add support for **falcoctl** in the charts. 
By deploying it alongside Falco it allows to: +- *install* artifacts of the Falco ecosystem (i.e plugins and rules at the moment of writing) +- *follow* those artifacts(only *rulesfile* artifacts are recommended), to keep them up-to-date with the latest releases of the Falcosecurity organization. This allows, for instance, to update rules detecting new vulnerabilities or security issues without the need to redeploy Falco. + +The chart deploys *falcoctl* using an *init container* and/or *sidecar container*. The first one is used to install artifacts and make them available to Falco at start-up time, the latter runs alongside Falco and updates the local artifacts when new updates are detected. + + Based on your deployment scenario: + +1. Falco without *plugins* and you just want to upgrade to the new Falco version: + ```bash= + helm upgrade falco falcosecurity/falco \ + --namespace=falco \ + --reuse-values \ + --set falcoctl.artifact.install.enabled=false \ + --set falcoctl.artifact.follow.enabled=false + ``` + When upgrading an existing release, *helm* uses the new chart version. Since we added new template files and changed the values schema(added new parameters) we explicitly disable the **falcoctl** tool. By doing so, the command will reuse the existing configuration but will deploy Falco version `0.34.0` + +2. Falco without *plugins* and you want to automatically get new *falco-rules* as soon as they are released: + ```bash= + helm upgrade falco falcosecurity/falco \ + --namespace=falco \ + ``` + Helm first applies the values coming from the new chart version, then overrides them using the values of the previous release. The outcome is a new release of Falco that: + * uses the previous configuration; + * runs Falco version `0.34.0`; + * uses **falcoctl** to install and automatically update the [*falco-rules*](https://github.com/falcosecurity/rules/); + * checks for new updates every 6h (default value). + + +3. 
Falco with *plugins* and you want just to upgrade Falco: + ```bash= + helm upgrade falco falcosecurity/falco \ + --namespace=falco \ + --reuse-values \ + --set falcoctl.artifact.install.enabled=false \ + --set falcoctl.artifact.follow.enabled=false + ``` + Very similar to scenario `1.` +4. Falco with plugins and you want to use **falcoctl** to download the plugins' *rulesfiles*: + * Save **falcoctl** configuration to file: + ```yaml= + cat << EOF > ./falcoctl-values.yaml + #################### + # falcoctl config # + #################### + falcoctl: + image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from. + repository: falcosecurity/falcoctl + # -- Overrides the image tag whose default is the chart appVersion. + tag: "main" + artifact: + # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before + # Falco starts. It provides them to Falco by using an emptyDir volume. + install: + enabled: true + # -- Extra environment variables that will be pass onto falcoctl-artifact-install init container. + env: {} + # -- Arguments to pass to the falcoctl-artifact-install init container. + args: ["--verbose"] + # -- Resources requests and limits for the falcoctl-artifact-install init container. + resources: {} + # -- Security context for the falcoctl init container. + securityContext: {} + # -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for + # updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir) + # that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the + # correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible + # with the running version of Falco before installing it. 
+ follow: + enabled: true + # -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container. + env: {} + # -- Arguments to pass to the falcoctl-artifact-follow sidecar container. + args: ["--verbose"] + # -- Resources requests and limits for the falcoctl-artifact-follow sidecar container. + resources: {} + # -- Security context for the falcoctl-artifact-follow sidecar container. + securityContext: {} + # -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers. + config: + # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: + # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview + indexes: + - name: falcosecurity + url: https://falcosecurity.github.io/falcoctl/index.yaml + # -- Configuration used by the artifact commands. + artifact: + + # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained + # in the list it will refuse to downloade and install that artifact. + allowedTypes: + - rulesfile + install: + # -- Do not resolve the depenencies for artifacts. By default is true, but for our use carse we disable it. + resolveDeps: false + # -- List of artifacts to be installed by the falcoctl init container. + refs: [k8saudit-rules:0.5] + # -- Directory where the *rulesfiles* are saved. The path is relative to the container, which in this case is an emptyDir + # mounted also by the Falco pod. + rulesfilesDir: /rulesfiles + # -- Same as the one above but for the artifacts. + pluginsDir: /plugins + follow: + # -- List of artifacts to be installed by the falcoctl init container. + refs: [k8saudit-rules:0.5] + # -- Directory where the *rulesfiles* are saved. The path is relative to the container, which in this case is an emptyDir + # mounted also by the Falco pod. 
+ rulesfilesDir: /rulesfiles + # -- Same as the one above but for the artifacts. + pluginsDir: /plugins + EOF + ``` + * Set `falcoctl.artifact.install.enabled=true` to install *rulesfiles* of the loaded plugins. Configure **falcoctl** to install the *rulesfiles* of the plugins you are loading with Falco. For example, if you are loading **k8saudit** plugin then you need to set `falcoctl.config.artifact.install.refs=[k8saudit-rules:0.5]`. When Falco is deployed the **falcoctl** init container will download the specified artifacts based on their tag. + * Set `falcoctl.artifact.follow.enabled=true` to keep updated *rulesfiles* of the loaded plugins. + * Proceed to upgrade your Falco release by running: + ```bash= + helm upgrade falco falcosecurity/falco \ + --namespace=falco \ + --reuse-values \ + --values=./falcoctl-values.yaml + ``` +5. Falco with **multiple sources** enabled (syscalls + plugins): + 1. Upgrading Falco to the new version: + ```bash= + helm upgrade falco falcosecurity/falco \ + --namespace=falco \ + --reuse-values \ + --set falcoctl.artifact.install.enabled=false \ + --set falcoctl.artifact.follow.enabled=false + ``` + 2. Upgrading Falco and leveraging **falcoctl** for rules and plugins. Refer to point 4. for **falcoctl** configuration. + + +### Rulesfiles +Starting from `v0.3.0`, the chart drops the bundled **rulesfiles**. The previous version was used to create a configmap containing the following **rulesfiles**: +* application_rules.yaml +* aws_cloudtrail_rules.yaml +* falco_rules.local.yaml +* falco_rules.yaml +* k8s_audit_rules.yaml + +The reason why we are dropping them is pretty simple, the files are already shipped within the Falco image and do not apport any benefit. On the other hand, we had to manually update those files for each Falco release. + +For users out there, do not worry, we have you covered. As said before the **rulesfiles** are already shipped inside +the Falco image. 
Still, this solution has some drawbacks such as users having to wait for the next releases of Falco +to get the latest version of those **rulesfiles**. Or they could manually update them by using the [custom rules](. +/README.md#loading-custom-rules). + +We came up with a better solution and that is **falcoctl**. Users can configure the **falcoctl** tool to fetch and install the latest **rulesfiles** as provided by the *falcosecurity* organization. For more info, please check the **falcoctl** section. + +**NOTE**: if any user (wrongly) used to customize those files before deploying Falco please switch to using the +[custom rules](./README.md#loading-custom-rules). + +### Drop support for `falcosecurity/falco` image + +Starting from version `v2.0.0` of the chart the`falcosecurity/falco-no-driver` is the default image. We were still supporting the `falcosecurity/falco` image in `v2.0.0`. But in `v2.2.0` we broke the chart when using the `falcosecurity/falco` image. For more info please check out the following issue: https://github.com/falcosecurity/charts/issues/419 + +#### Driver-loader simplified logic +There is only one switch to **enable/disable** the driver-loader init container: driver.loader.enabled=true. This simplification comes as a direct consequence of dropping support for the `falcosecurity/falco` image. For more info: https://github.com/falcosecurity/charts/issues/418 diff --git a/falco/CHANGELOG.md b/falco/CHANGELOG.md new file mode 100644 index 0000000..004968a --- /dev/null +++ b/falco/CHANGELOG.md 
@@ -0,0 +1,1047 @@ +# Change Log + +This file documents all notable changes to Falco Helm Chart. The release +numbering uses [semantic versioning](http://semver.org). + +## v4.2.5 + +* fix docs + +## v4.2.4 + +* bump falcosidekick dependency version to v0.7.15 install latest version through falco chart + +## v4.2.3 + +* fix(falco/helpers): adjust formatting to be compatible with older helm versions + +## v4.2.2 + +* fix(falco/README): dead link + +## v4.2.1 +* fix(falco/README): typos, formatting and broken links + +## v4.2.0 + +* Bump falco to v0.37.1 and falcoctl to v0.7.2 + +## v4.1.2 +* Fix links in output after falco install without sidekick + +## v4.1.1 + +* Update README.md. + +## v4.1.0 + +* Reintroduce the service account. + +## v4.0.0 +The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file. + +* Uniform driver names and configuration to the Falco one: https://github.com/falcosecurity/falco/pull/2413; +* Fix usernames and groupnames resolution by mounting the `/etc` filesystem; +* Drop old kubernetes collector related resources; +* Introduce the new k8s-metacollector and k8smeta plugin (experimental); +* Enable the dependency resolver for artifacts in falcoctl since the Falco image does not ship anymore the plugins; +* Bump Falco to 0.37.0; +* Bump falcoctl to 0.7.0. + +## v3.8.7 + +* Upgrade falcosidekick chart to `v0.7.11`. + +## v3.8.6 + +* no changes to the chart itself. Updated README.md and makefile. + +## v3.8.5 + +* Add mTLS cryptographic material load via Helm for Falco + +## v3.8.4 + +* Upgrade Falco to 0.36.2: https://github.com/falcosecurity/falco/releases/tag/0.36.2 + +## v3.8.3 + +* Upgrade falcosidekick chart to `v0.7.7`. + +## v3.8.2 + +* Upgrade falcosidekick chart to `v0.7.6`. + +## v3.8.1 + +* noop change just to test the ci + +## v3.8.0 + +* Upgrade Falco to 0.36.1: https://github.com/falcosecurity/falco/releases/tag/0.36.1 +* Sync values.yaml with 0.36.1 falco.yaml config file. 
+ +## v3.7.1 + +* Update readme + +## v3.7.0 + +* Upgrade Falco to 0.36. https://github.com/falcosecurity/falco/releases/tag/0.36.0 +* Sync values.yaml with upstream falco.yaml config file. +* Upgrade falcoctl to 0.6.2. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.6.2 + +## v3.6.2 + +* Cleanup wrong files + +## v3.6.1 + +* Upgrade falcosidekick chart to `v0.7.1`. + +## v3.6.0 + +* Add `outputs` field to falco configuration + +## v3.5.0 + +## Major Changes + +* Support configuration of revisionHistoryLimit of the deployment + +## v3.4.1 + +* Upgrade falcosidekick chart to `v0.6.3`. + +## v3.4.0 + +* Introduce an ability to use an additional volumeMounts for `falcoctl-artifact-install` and `falcoctl-artifact-follow` containers. + +## v3.3.1 + +* No changes made to the falco chart, only some fixes in the makefile + +## v3.3.0 +* Upgrade Falco to 0.35.1. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.1 +* Upgrade falcoctl to 0.5.1. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.1 +* Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 + +## v3.2.1 +* Set falco.http_output.url to empty string in values.yaml file + +## v3.2.0 +* Upgrade Falco to 0.35.0. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.0 +* Sync values.yaml with upstream falco.yaml config file. +* Upgrade falcoctl to 0.5.0. 
For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.0 +* The tag used to install and follow the falco rules is `1` +* The tag used to install and follow the k8saudit rules is `0.6` + +## v3.1.5 + +* Use list as default for env parameter of init and follow containers + +## v3.1.4 + +* Fix typo in values-k8audit file + +## v3.1.3 + +* Updates the grpc-service to use the correct label selector + +## v3.1.2 + +* Bump `falcosidekick` dependency to 0.6.1 + +## v3.1.1 +* Update `k8saudit` section in README.md file. + +## v3.1.0 +* Upgrade Falco to 0.34.1 + +## v3.0.0 +* Drop support for falcosecuriy/falco image, only the init container approach is supported out of the box; +* Simplify the driver-loader init container logic; +* Support **falcoctl** tool in the chart: + * Install the *rulesfile* artifacts; + * Follow the *rulesfile* artifacts in order to have the latest rules once they are released from falcosecurity org; +* Support the **modern-bpf** probe a new driver (experimental) +* Add a new file *BREAKING_CHANGES.md* to document the breaking changes and how to update the new chart. + +## v2.5.5 + +* Bump `falcosidekick` dependency to 0.5.16 + +## v2.5.4 + +* Fix incorrect entry in v2.5.2 changelog + +## v2.5.3 + +* Bump `falcosidekick` dependency to 0.5.14 + +## v2.5.2 + +* Fixed notes template to only include daemon set info if set to daemon set + +## v2.5.1 + +* Update README to clarify driver behavior for chart + +## v2.5.0 + +* Support custom dictionaries when setting environment variables + +Note: this is a breaking change. If you were passing _objects_ to `extra.env` or `driver.loader.initContainer.env` , you will need to update your values file to pass _lists_. 
+ +## v2.4.7 + +* Add `controller.annotations` configuration + +## v2.4.6 + +* Bump `falcosidekick` dependency to 0.5.11 + +## v2.4.5 + +* Bump `falcosidekick` dependency to 0.5.10 + +## v2.4.4 + +* Update README for gRPC + +## v2.4.3 + +* Update README for gVisor and GKE + +## v2.4.2 + +* Add toleration for node-role.kubernetes.io/control-plane + +## v2.4.1 + +* Fixed error in values.yaml comments + +## v2.4.0 + +* Add support for Falco+gVisor +* Add new preset `values.yaml `file for gVisor-enabled GKE clusters + +## v2.3.1 + +* Fixed incorrect spelling of `been` + +## v2.3.0 + +* Add variable namespaceOverride to allow setting release namespace in values + +## v2.2.0 + +* Change the grpc socket path from `unix:///var/run/falco/falco.soc` to `unix:///run/falco/falco.sock`. Please note that this change is potentially a breaking change if upgrading falco from a previous version and you have external consumers of the grpc socket. + +## v2.1.0 + +* Bump Falco to 0.33.0 +* Implicitly disable `syscall` source when not required +* Update `values.yaml` to reflect the new configuration options in Falco 0.33.0 +* Mount `/sys/module/falco` when deployed using the `kernel module` +* Update rulesets for falco and plugins + +## v2.0.18 + +* Bump `falcosidekick` dependency to 0.5.9 + +## v2.0.17 + +* Fix: remove `namespace` from `clusterrole` and `clusterrolebinding` metadata + +## v2.0.16 + +* Allow setting `resources` and `securityContext` on the `falco-driver-loader` init container + +## v2.0.15 + +* Allow passing args to the `falco-driver-loader` init container + +## v2.0.14 + +* Fix debugfs mount when `falco-no-driver` image and ebpf driver is used + +## v2.0.13 + +* Upgrade Falco to 0.32.2 + +## v2.0.12 + +* Fully disable the driver when running in CI + +## v2.0.11 + +* Correct CI values. + +## v2.0.10 + +* Fix name of the falco certs secret. + +## v2.0.9 + +* Fix the `certs-secret.yaml` template by correctly pointing to the root context when using the helpers. 
+ +## v2.0.8 + +* When using ebpf probe Falco is deployed in `privileged` mode instead of `least privileged`. + +## v2.0.7 + +* Fix templating for priorityClassName in pod-template.tpl + +## v2.0.6 + +* Add ability to enable `tty` for the falco container. Needed to force falco logs to be immediately displayed as they are emitted. Useful in test/debug scenarios. + +## v2.0.5 + +* Mount `/proc` only when syscall data source is enabled (default). This behaviour can be overridden via `mounts.enforceProcMount` for edge cases where the `/proc` `hostPath` mount is required without having the syscall data source enabled at the same time. + +## v2.0.4 + +* Fix templating for init containers in pod-template.tpl + +## v2.0.3 + +* Add ability to specify extra environment variables to driver loader initContainer + +## v2.0.2 + +update(falco/OWNERS): move inactive approvers to emeritus_approvers + +## v2.0.1 + +* Add description for configuration variable in values.yaml +* Add linting target in Makefile +* Remove configuration values table from README.md +* Fix section titles in README.md + +## v2.0.0 + +**Note** +*This release is a complete refactor of the Falco Helm Chart. 
Thus, it introduces some breaking changes.* +*Please, do not reuse values from previous chart installations.* + +* Upgrade Falco to 0.32.1 +* Massive refactoring of the chart implementation +* Add ability to use either a daemonset or a deployment (depending on the installation scenario) +* Add ability to specify custom network services +* New settings for the drivers configuration +* New Makefile to generate helm documentation +* Add values-k8saudit.yaml preset for the k8saudit plugin +* Fix use `load_plugins` instead of `loadPlugins` in Falco configuration +* Update `containerSecurityContext` (former `securityContext`) now takes precedence over auto configs +* Move `leastPriviledged` mode under eBPF and add missing `SYS_PTRACE` cap +* Update group values for metadata collection under "collectors" +* Remove several settings in favour of `extra.env` +* Use chart `appVersion` as default image tag +* Move setting from `image.pullSecrets` to `imagePullSecrets` +* Add an option to set desidered replicas +* Improve selector labels +* Modernize labels and improve internal helpers +* Deprecate PSP (template removed) +* Fake event generator removed from this chart + +## v1.19.4 + +* Bump Falco Sidekick dependency. + +## v1.19.3 + +* Add `watchConfigFiles` value to falco README + +## v1.19.2 + +* Bump Falco Sidekick dependency. +* Add support for DaemonSet podSecurityContext and securityContext. 
+ +## v1.19.1 + +* Fix the changelog for 1.19.0 + +## v1.19.0 + +* Upgrade to Falco 0.32.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.32.0/CHANGELOG.md)) +* Various Falco config settings were updated for Falco 0.32.0 + +### Breaking Changes + +* Audit Log is now supported via k8saudit plugin (when enabled, syscall instrumentation will be disabled) +* dynamicBackend support for Audit Log is now deprecated + +## v1.18.6 + +* Bump falcosidekick chart dependency (fix issue with the UI) + +## v1.18.5 + +* Bump falcosidekick chart dependency + +## v1.18.4 + +* Now the url to falcosidekick on NOTES.txt on falco helm chart points to the right place. + +## v1.18.3 + +* Fix for [issue 318](https://github.com/falcosecurity/charts/issues/318) - Missing comma in k8s_audit_rules.yaml. + +## v1.18.2 + +* Further fix for `--reuse-values` option after the introduction of `crio.enabled`. + +## v1.18.1 + +* Workaround to make this chart work with Helm `--reuse-values` option after the introduction of `crio.enabled`. + +## v1.18.0 + +* Added support for cri-o + +## v1.17.6 + +Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error: URL using bad/illegal format or missing URL`. + +## v1.17.5 + +* Changed `falco.httpOutput.url` so that it always overrides the default URL, even when falcosidekick is enabled. 
(NOTE: don't use this version, see v1.17.6) + +## v1.17.4 + +* Upgrade to Falco 0.31.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.31.1/CHANGELOG.md)) +* Update rulesets from Falco 0.31.1 + +## v1.17.3 + +* Fix quoting around `--k8s-node` + +## v1.17.2 + +* Add `leastPrivileged.enabled` configuration + +## v1.17.1 + +* Fixed `priority` level `info` change to `informational` + +## v1.17.0 + +* Upgrade to Falco 0.31.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.31.0/CHANGELOG.md)) +* Update rulesets from Falco 0.31.0 +* Update several configuration options under the `falco` node to reflect the new Falco version +* Initial plugins support + +## v1.16.4 + +* Bump falcosidekick chart dependency + +## v1.16.2 + +* Add `serviceAccount.annotations` configuration + +## v1.16.1 + +* Fixed string escaping for `--k8s-node` + +## v1.16.0 + +* Upgrade to Falco 0.30.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.30.0/CHANGELOG.md)) +* Update rulesets from Falco 0.30.0 +* Add `kubernetesSupport.enableNodeFilter` configuration to enable node filtering when requesting pods metadata from Kubernetes +* Add `falco.metadataDownload` configuration for fine-tuning container orchestrator metadata fetching params +* Add `falco.jsonIncludeTagsProperty` configuration to include tags in the JSON output + +## v1.15.7 + +* Removed `maxSurge` reference from comment in Falco's `values.yaml` file. 
+ +## v1.15.6 + +* Update `Falcosidekick` chart to 0.3.13 + +## v1.15.4 + +* Update `Falcosidekick` chart to 0.3.12 + +## v1.15.3 + +* Upgrade to Falco 0.29.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.29.1/CHANGELOG.md)) +* Update rulesets from Falco 0.29.1 + +## v1.15.2 + +* Add ability to use an existing secret of key, cert, ca as well as pem bundle instead of creating it from files + +## v1.15.1 + +* Fixed liveness and readiness probes schema when ssl is enabled + +## v1.14.1 + +* Update `Falcosidekick` chart to 0.3.8 + +## v1.14.1 + +* Update image tag to 0.29.0 in values.yaml + +## v1.14.0 + +* Upgrade to Falco 0.29.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.29.0/CHANGELOG.md)) +* Update rulesets from Falco 0.29.0 + +## v1.13.2 + +* Fixed incorrect spelling of `fullfqdn` + +## v1.13.1 + +* Fix port for readinessProbe and livenessProbe + +## v1.13.0 + +* Add liveness and readiness probes to Falco + +## v1.12.0 + +* Add `kubernetesSupport` configuration to make Kubernetes Falco support optional in the daemonset (enabled by default) + +## v1.11.1 + +* Upgrade to Falco 0.28.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.28.1/CHANGELOG.md)) + +## v1.11.0 + +* Bump up version of chart for `Falcosidekick` dependency to `v3.5.0` + +## v1.10.0 + +* Add `falcosidekick.fullfqdn` option to connect `falco` to `falcosidekick` with full FQDN +* Bump up version of chart for `Falcosidekick` dependency + +## v1.9.0 + +* Upgrade to Falco 0.28.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.28.0/CHANGELOG.md)) +* Update rulesets from Falco 0.28.0 + +## v1.8.1 + +* Bump up version of chart for `Falcosidekick` dependency + +## v1.8.0 + +* Bump up version of chart for `Falcosidekick` dependency + +## v1.7.10 + +* Update rule `Write below monitored dir` description + +## v1.7.9 + +* Add a documentation section about the driver + +## v1.7.8 + +* Increase CPU limit 
default value + +## v1.7.7 + +* Add a documentation section about using init containers + +## v1.7.6 + +* Correct icon URL +## v1.7.5 + +* Update downstream sidekick chart + +## v1.7.4 + +* Add `ebpf.probe.path` configuration option + +## v1.7.3 + +* Bump up version of chart for `Falcosidekick` dependency + +## v1.7.2 + +* Fix `falco` configmap when `Falcosidekick` is enabled, wrong service name was used + +## v1.7.1 + +* Correct image tag for Falco 0.27.0 + +## v1.7.0 + +* Upgrade to Falco 0.27.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.27.0/CHANGELOG.md)) +* Add `falco.output_timeout` configuration setting + +## v1.6.1 + +### Minor Changes + +* Add `falcosidekick` as an optional dependency + +## v1.6.0 + +### Minor Changes + +* Remove deprecated integrations (see [#123](https://github.com/falcosecurity/charts/issues/123)) + +## v1.5.8 + +### Minor Changes + +* Add value `extraVolumes`, allow adding extra volumes to falco daemonset +* Add value `extraVolumeMounts`, allow adding extra volumeMounts to falco container in falco daemonset + +## v1.5.6 + +### Minor Changes + +* Add `falco.webserver.sslEnabled` config, enabling SSL support +* Add `falco.webserver.nodePort` configuration as an alternative way for exposing the AuditLog webhook (disabled by default) + +## v1.5.5 + +### Minor Changes + +* Support release namespace configuration + +## v1.5.4 + +### Minor Changes + +* Upgrade to Falco 0.26.2, `DRIVERS_REPO` now defaults to https://download.falco.org/?prefix=driver/ (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.26.2/CHANGELOG.md)) + +## v1.5.3 + +### Minor Changes + +* Deprecation notice for gcscc, natsOutput, snsOutput, pubsubOutput integrations +* Clean up old references from documentation + +## v1.5.2 + +### Minor Changes + +* Add Pod Security Policy Support for the fake event generator + +## v1.5.1 + +### Minor Changes + +* Replace extensions apiGroup/apiVersion because of deprecation + +## v1.5.0 + 
+### Minor Changes + +* Upgrade to Falco 0.26.1 +* Update ruleset from Falco 0.26.1 +* Automatically set the appropriate apiVersion for rbac + +## v1.4.0 + +### Minor Changes + +* Allow adding InitContainers to Falco pod with `extraInitContainers` configuration + +## v1.3.0 + +### Minor Changes + +* Upgrade to Falco 0.25.0 +* Update ruleset from Falco 0.25.0 + +## v1.2.3 + +### Minor Changes + +* Fix duplicate mount point problem when both gRPC and NATS integrations are enabled + +## v1.2.2 + +### Minor Changes + +* Allow configuration using values for `imagePullSecrets` setting +* Add `docker.io/falcosecurity/falco` image to `falco_privileged_images` macro + +## v1.2.1 + +### Minor Changes + +* Add SecurityContextConstraint to allow deploying in Openshift + +## v1.2.0 + +### Minor Changes + +* Upgrade to Falco 0.24.0 +* Update ruleset from Falco 0.24.0 +* gRPC Unix Socket support +* Set default threadiness to 0 ("auto" behavior) for the gRPC server + +## v1.1.10 + +### Minor Changes + +* Switch to `falcosecurity/event-generator` +* Allow configuration using values for `fakeEventGenerator.args` setting +* Update ruleset +* New releasing mechanism + +## v1.1.9 + +### Minor Changes + +* Add missing privileges for the apps Kubernetes API group +* Allow client config url for Audit Sink with `auditLog.dynamicBackend.url` + +## v1.1.8 + +### Minor Changes + +* Upgrade to Falco 0.23.0 +* Correct socket path for `--cri` flag +* Always mount `/etc` (required by `falco-driver-loader`) + +## v1.1.7 + +### Minor Changes + +* Add pod annotation support for daemonset + +## v1.1.6 + +### Minor Changes + +* Upgrade to Falco 0.21.0 +* Upgrade rules to Falco 0.21.0 + +## v1.1.5 + +### Minor Changes + +* Add headless service for gRPC server +* Allow gRPC certificates configuration by using `--set-file` + +## v1.1.4 + +### Minor Changes + +* Make `/lib/modules` writable from the container + +## v1.1.3 + +### Minor Changes + +* Allow configuration using values for `grpc` setting +* 
Allow configuration using values for `grpc_output` setting + +## v1.1.2 + +### Minor Changes + +* Upgrade to Falco 0.20.0 +* Upgrade rules to Falco 0.20.0 + +## v1.1.1 + +### Minor Changes + +* Upgrade to Falco 0.19.0 +* Upgrade rules to Falco 0.19.0 +* Remove Sysdig references, Falco is a project by its own name + +## v1.1.0 + +### Minor Changes + +* Revamp auditLog feature +* Upgrade to latest version (0.18.0) +* Replace CRI references with containerD + +## v1.0.12 + +### Minor Changes + +* Support multiple lines for `falco.programOutput.program` + +## v1.0.11 + +### Minor Changes + +* Add affinity + +## v1.0.10 + +### Minor Changes + +* Migrate API versions from deprecated, removed versions to support Kubernetes v1.16 + +## v1.0.9 + +### Minor Changes + +* Restrict the access to `/dev` on underlying host to read only + +## v1.0.8 + +### Minor Changes + +* Upgrade to Falco 0.17.1 +* Upgrade rules to Falco 0.17.1 + +## v1.0.7 + +### Minor Changes + +* Allow configuration using values for `nodeSelector` setting + +## v1.0.6 + +### Minor Changes + +* Falco does a rollingUpgrade when the falco or falco-rules configMap changes + with a helm upgrade + +## v1.0.5 + +### Minor Changes + +* Add 3 resources (`daemonsets`, `deployments`, `replicasets`) to the ClusterRole resource list + Ref: [PR#514](https://github.com/falcosecurity/falco/pull/514) from Falco repository + +## v1.0.4 + +### Minor Changes + +* Upgrade to Falco 0.17.0 +* Upgrade rules to Falco 0.17.0 + +## v1.0.3 + +### Minor Changes + +* Support [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/) + +## v1.0.2 + +### Minor Changes + +* Upgrade to Falco 0.16.0 +* Upgrade rules to Falco 0.16.0 + +## v1.0.1 + +### Minor Changes + +* Extra environment variables passed to daemonset pods + +## v1.0.0 + +### Major Changes + +* Add support for K8s audit logging + +## v0.9.1 + +### Minor Changes + +* Allow configuration using values for `time_format_iso8601` setting +* 
Allow configuration using values for `syscall_event_drops` setting +* Allow configuration using values for `http_output` setting +* Add CHANGELOG entry for v0.8.0, [not present on its PR](https://github.com/helm/charts/pull/14813#issuecomment-506821432) + +## v0.9.0 + +### Major Changes + +* Add nestorsalceda as an approver + +## v0.8.0 + +### Major Changes + +* Allow configuration of Pod Security Policy. This is needed to get Falco + running when the Admission Controller is enabled. + +## v0.7.10 + +### Minor Changes + +* Fix bug with Google Cloud Security Command Center and Falco integration + +## v0.7.9 + +### Minor Changes + +* Upgrade to Falco 0.15.3 +* Upgrade rules to Falco 0.15.3 + +## v0.7.8 + +### Minor Changes + +* Add TZ parameter for time correlation in Falco logs + +## v0.7.7 + +### Minor Changes + +* Upgrade to Falco 0.15.1 +* Upgrade rules to Falco 0.15.1 + +## v0.7.6 + +### Major Changes + +* Allow to enable/disable usage of the docker socket +* Configurable docker socket path +* CRI support, configurable CRI socket +* Allow to enable/disable usage of the CRI socket + +## v0.7.5 + +### Minor Changes + +* Upgrade to Falco 0.15.0 +* Upgrade rules to Falco 0.15.0 + +## v0.7.4 + +### Minor Changes + +* Use the KUBERNETES_SERVICE_HOST environment variable to connect to Kubernetes + API instead of using a fixed name + +## v0.7.3 + +### Minor Changes + +* Remove the toJson pipeline when storing Google Credentials. It makes strange + stuff with double quotes and does not allow to use base64 encoded credentials + +## v0.7.2 + +### Minor Changes + +* Fix typos in README.md + +## v0.7.1 + +### Minor Changes + +* Add Google Pub/Sub Output integration + +## v0.7.0 + +### Major Changes + +* Disable eBPF by default on Falco. We activated eBPF by default to make the + CI pass, but now we found a better method to make the CI pass without + bothering our users. 
+ +## v0.6.0 + +### Major Changes + +* Upgrade to Falco 0.14.0 +* Upgrade rules to Falco 0.14.0 +* Enable eBPF by default on Falco +* Allow to download Falco images from different registries than `docker.io` +* Use rollingUpdate strategy by default +* Provide sane defauls for falco resource management + +## v0.5.6 + +### Minor Changes + +* Allow extra container args + +## v0.5.5 + +### Minor Changes + +* Update correct slack example + +## v0.5.4 + +### Minor Changes + +* Using Falco version 0.13.0 instead of latest. + +## v0.5.3 + +### Minor Changes + +* Update falco_rules.yaml file to use the same rules that Falco 0.13.0 + +## v0.5.2 + +### Minor Changes + +* Falco was accepted as a CNCF project. Fix references and download image from + falcosecurity organization. + +## v0.5.1 + +### Minor Changes + +* Allow falco to resolve cluster hostnames when running with ebpf.hostNetwork: true + +## v0.5.0 + +### Major Changes + +* Add Amazon SNS Output integration + +## v0.4.0 + +### Major Changes + +* Allow Falco to be run with a HTTP proxy server + +## v0.3.1 + +### Minor Changes + +* Mount in memory volume for shm. It was used in volumes but was not mounted. + +## v0.3.0 + +### Major Changes + +* Add eBPF support for Falco. Falco can now read events via an eBPF program + loaded into the kernel instead of the `falco-probe` kernel module. + +## v0.2.1 + +### Minor Changes + +* Update falco_rules.yaml file to use the same rules that Falco 0.11.1 + +## v0.2.0 + +### Major Changes + +* Add NATS Output integration + +### Minor Changes + +* Fix value mismatch between code and documentation + +## v0.1.1 + +### Minor Changes + +* Fix several typos + +## v0.1.0 + +### Major Changes + +* Initial release of Sysdig Falco Helm Chart diff --git a/falco/Chart.lock b/falco/Chart.lock new file mode 100644 index 0000000..c609fd0 --- /dev/null +++ b/falco/Chart.lock 
@@ -0,0 +1,9 @@ +dependencies: +- name: falcosidekick + repository: https://falcosecurity.github.io/charts + version: 0.7.15 +- name: k8s-metacollector + repository: https://falcosecurity.github.io/charts + version: 0.1.7 +digest: sha256:b1aa7f7bdaae7ea209e1be0f7e81b9dae7ec11c2a5ab0f18c2e590f847db3e8a +generated: "2024-03-14T08:54:41.502551723Z" diff --git a/falco/Chart.yaml b/falco/Chart.yaml new file mode 100644 index 0000000..e45cf93 --- /dev/null +++ b/falco/Chart.yaml @@ -0,0 +1,28 @@ +apiVersion: v2 +appVersion: 0.37.1 +dependencies: +- condition: falcosidekick.enabled + name: falcosidekick + repository: https://falcosecurity.github.io/charts + version: 0.7.15 +- condition: collectors.kubernetes.enabled + name: k8s-metacollector + repository: https://falcosecurity.github.io/charts + version: 0.1.* +description: Falco +home: https://falco.org +icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/falco/horizontal/color/falco-horizontal-color.svg +keywords: +- monitoring +- security +- alerting +- metric +- troubleshooting +- run-time +maintainers: +- email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors +name: falco +sources: +- https://github.com/falcosecurity/falco +version: 4.2.5 diff --git a/falco/OWNERS b/falco/OWNERS new file mode 100644 index 0000000..6b2ec52 --- /dev/null +++ b/falco/OWNERS @@ -0,0 +1,2 @@ +emeritus_approvers: + - bencer diff --git a/falco/README.gotmpl b/falco/README.gotmpl new file mode 100644 index 0000000..a50c32d --- /dev/null +++ b/falco/README.gotmpl 
@@ -0,0 +1,589 @@ +# Falco + +[Falco](https://falco.org) is a *Cloud Native Runtime Security* tool designed to detect anomalous activity in your applications. You can use Falco to monitor runtime security of your Kubernetes applications and internal components. + +## Introduction + +The deployment of Falco in a Kubernetes cluster is managed through a **Helm chart**. This chart manages the lifecycle of Falco in a cluster by handling all the k8s objects needed by Falco to be seamlessly integrated in your environment. Based on the configuration in [values.yaml](./values.yaml) file, the chart will render and install the required k8s objects. Keep in mind that Falco could be deployed in your cluster using a `daemonset` or a `deployment`. See next sections for more info. + +## Attention + +Before installing Falco in a Kubernetes cluster, a user should check that the kernel version used in the nodes is supported by the community. Also, before reporting any issue with Falco (missing kernel image, CrashLoopBackOff and similar), make sure to read [about the driver](#about-the-driver) section and adjust your setup as required. + +## Adding `falcosecurity` repository + +Before installing the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +To install the chart with the release name `falco` in namespace `falco` run: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco +``` + +After a few minutes Falco instances should be running on all your nodes. 
The status of Falco pods can be inspected through *kubectl*: +```bash +kubectl get pods -n falco -o wide +``` +If everything went smoothly, you should observe an output similar to the following, indicating that all Falco instances are up and running in you cluster: + +```bash +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +falco-57w7q 1/1 Running 0 3m12s 10.244.0.1 control-plane +falco-h4596 1/1 Running 0 3m12s 10.244.1.2 worker-node-1 +falco-kb55h 1/1 Running 0 3m12s 10.244.2.3 worker-node-2 +``` +The cluster in our example has three nodes, one *control-plane* node and two *worker* nodes. The default configuration in [values.yaml](./values.yaml) of our helm chart deploys Falco using a `daemonset`. That's the reason why we have one Falco pod in each node. +> **Tip**: List Falco release using `helm list -n falco`, a release is a name used to track a specific deployment. + +### Falco, Event Sources and Kubernetes +Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events). + +Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. 
A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources). + +#### About Drivers + +Falco needs a **driver** to analyze the system workload and pass security events to userspace. The supported drivers are: + +* [Kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) +* [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) +* [Modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe) + +The driver should be installed on the node where Falco is running. The _kernel module_ (default option) and the _eBPF probe_ are installed on the node through an *init container* (i.e. `falco-driver-loader`) that tries download a prebuilt driver or build it on-the-fly as a fallback. The _Modern eBPF probe_ doesn't require an init container because it is shipped directly into the Falco binary. However, the _Modern eBPF probe_ requires [recent BPF features](https://falco.org/docs/event-sources/kernel/#modern-ebpf-probe). + +##### Pre-built drivers + +The [kernel-crawler](https://github.com/falcosecurity/kernel-crawler) automatically discovers kernel versions and flavors. At the time being, it runs weekly. We have a site where users can check for the discovered kernel flavors and versions, [example for Amazon Linux 2](https://falcosecurity.github.io/kernel-crawler/?arch=x86_64&target=AmazonLinux2). + +The discovery of a kernel version by the [kernel-crawler](https://falcosecurity.github.io/kernel-crawler/) does not imply that pre-built kernel modules and bpf probes are available. That is because once kernel-crawler has discovered new kernels versions, the drivers need to be built by jobs running on our [Driver Build Grid infra](https://github.com/falcosecurity/test-infra#dbg). Please keep in mind that the building process is based on best effort. 
Users can check the existence of prebuilt modules at the following [link](https://download.falco.org/driver/site/index.html?lib=3.0.1%2Bdriver&target=all&arch=all&kind=all). + +##### Building the driver on the fly (fallback) + +If a prebuilt driver is not available for your distribution/kernel, users can build the driver by them self or install the kernel headers on the nodes, and the init container (falco-driver-loader) will try and build the driver on the fly. + +Falco needs **kernel headers** installed on the host as a prerequisite to build the driver on the fly correctly. You can find instructions for installing the kernel headers for your system under the [Install section](https://falco.org/docs/getting-started/installation/) of the official documentation. + +##### Selecting a different driver loader image + +Note that since Falco 0.36.0 and Helm chart version 3.7.0 the driver loader image has been updated to be compatible with newer kernels (5.x and above) meaning that if you have an older kernel version and you are trying to build the kernel module you may experience issues. In that case you can use the `falco-driver-loader-legacy` image to use the previous version of the toolchain. To do so you can set the appropriate value, i.e. `--set driver.loader.initContainer.image.repository=falcosecurity/falco-driver-loader-legacy`. + +#### About Plugins +[Plugins](https://falco.org/docs/plugins/) are used to extend Falco to support new **data sources**. The current **plugin framework** supports *plugins* with the following *capabilities*: + +* Event sourcing capability; +* Field extraction capability; + +Plugin capabilities are *composable*, we can have a single plugin with both capabilities. Or on the other hand, we can load two different plugins each with its capability, one plugin as a source of events and another as an extractor. 
A good example of this is the [Kubernetes Audit Events](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) and the [Falcosecurity Json](https://github.com/falcosecurity/plugins/tree/master/plugins/json) *plugins*. By deploying them both we have support for the **K8s Audit Logs** in Falco + +Note that **the driver is not required when using plugins**. + +#### About gVisor +gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system. For more information please consult the [official docs](https://gvisor.dev/docs/). In version `0.32.1`, Falco first introduced support for gVisor by leveraging the stream of system call information coming from gVisor. +Falco requires the version of [runsc](https://gvisor.dev/docs/user_guide/install/) to be equal to or above `20220704.0`. The following snippet shows the gVisor configuration variables found in [values.yaml](./values.yaml): +```yaml +driver: + gvisor: + enabled: true + runsc: + path: /home/containerd/usr/local/sbin + root: /run/containerd/runsc + config: /run/containerd/runsc/config.toml +``` +Falco uses the [runsc](https://gvisor.dev/docs/user_guide/install/) binary to interact with sandboxed containers. The following variables need to be set: +* `runsc.path`: absolute path of the `runsc` binary in the k8s nodes; +* `runsc.root`: absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it; +* `runsc.config`: absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence. + +If you want to know more how Falco uses those configuration paths please have a look at the `falco.gvisor.initContainer` helper in [helpers.tpl](./templates/_helpers.tpl). 
+A preset `values.yaml` file [values-gvisor-gke.yaml](./values-gvisor-gke.yaml) is provided and can be used as it is to deploy Falco with gVisor support in a [GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods) cluster. It is also a good starting point for custom deployments. + +##### Example: running Falco on GKE, with or without gVisor-enabled pods + +If you use GKE with k8s version at least `1.24.4-gke.1800` or `1.25.0-gke.200` with gVisor sandboxed pods, you can install a Falco instance to monitor them with, e.g.: + +``` +helm install falco-gvisor falcosecurity/falco \ + --create-namespace \ + --namespace falco-gvisor \ + -f https://raw.githubusercontent.com/falcosecurity/charts/master/charts/falco/values-gvisor-gke.yaml +``` + +Note that the instance of Falco above will only monitor gVisor sandboxed workloads on gVisor-enabled node pools. If you also need to monitor regular workloads on regular node pools you can use the eBPF driver as usual: + +``` +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set driver.kind=ebpf +``` + +The two instances of Falco will operate independently and can be installed, uninstalled or configured as needed. If you were already monitoring your regular node pools with eBPF you don't need to reinstall it. + +##### Falco+gVisor additional resources +An exhaustive blog post about Falco and gVisor can be found on the [Falco blog](https://falco.org/blog/intro-gvisor-falco/). +If you need help on how to set gVisor in your environment please have a look at the [gVisor official docs](https://gvisor.dev/docs/user_guide/quick_start/kubernetes/) + +### About Falco Artifacts +Historically **rules files** and **plugins** used to be shipped inside the Falco docker image and/or inside the chart. Starting from version `v0.3.0` of the chart, the [**falcoctl tool**](https://github.com/falcosecurity/falcoctl) can be used to install/update **rules files** and **plugins**. 
When referring to such objects we will use the term **artifact**. For more info please check out the following [proposal](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md). + +The default configuration of the chart for new installations is to use the **falcoctl** tool to handle **artifacts**. The chart will deploy two new containers along the Falco one: +* `falcoctl-artifact-install` an init container that makes sure to install the configured **artifacts** before the Falco container starts; +* `falcoctl-artifact-follow` a sidecar container that periodically checks for new artifacts (currently only *falco-rules*) and downloads them; + +For more info on how to enable/disable and configure the **falcoctl** tool checkout the config values [here](./README.md#Configuration) and the [upgrading notes](./BREAKING-CHANGES.md#300) + +### Deploying Falco in Kubernetes +After the clarification of the different [**event sources**](#falco-event-sources-and-kubernetes) and how they are consumed by Falco using the **drivers** and the **plugins**, now let us discuss how Falco is deployed in Kubernetes. + +The chart deploys Falco using a `daemonset` or a `deployment` depending on the **event sources**. + +#### Daemonset +When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. By using a `daemonset`, k8s assures that a Falco instance will be running in each of our nodes even when we add new nodes to our cluster. So it is the perfect match when we need to monitor all the nodes in our cluster. 
+ +**Kernel module** +To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco +``` + +**eBPF probe** + +To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set driver.kind=ebpf +``` + +There are other configurations related to the eBPF probe, for more info please check the [values.yaml](./values.yaml) file. After you have made your changes to the configuration file you just need to run: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace "your-custom-name-space" \ + -f "path-to-custom-values.yaml-file" +``` + +**modern eBPF probe** + +To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set driver.kind=modern_ebpf +``` + +#### Deployment +In the scenario when Falco is used with **plugins** as data sources, then the best option is to deploy it as a k8s `deployment`. **Plugins** could be of two types, the ones that follow the **push model** or the **pull model**. A plugin that adopts the firs model expects to receive the data from a remote source in a given endpoint. They just expose and endpoint and wait for data to be posted, for example [Kubernetes Audit Events](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) expects the data to be sent by the *k8s api server* when configured in such way. 
On the other hand other plugins that abide by the **pull model** retrieves the data from a given remote service. +The following points explain why a k8s `deployment` is suitable when deploying Falco with plugins: + +* need to be reachable when ingesting logs directly from remote services; +* need only one active replica, otherwise events will be sent/received to/from different Falco instances; + + +## Uninstalling the Chart + +To uninstall a Falco release from your Kubernetes cluster always you helm. It will take care to remove all components deployed by the chart and clean up your environment. The following command will remove a release called `falco` in namespace `falco`; + +```bash +helm uninstall falco --namespace falco +``` + +## Showing logs generated by Falco container +There are many reasons why we would have to inspect the messages emitted by the Falco container. When deployed in Kubernetes the Falco logs can be inspected through: +```bash +kubectl logs -n falco falco-pod-name +``` +where `falco-pods-name` is the name of the Falco pod running in your cluster. +The command described above will just display the logs emitted by falco until the moment you run the command. The `-f` flag comes handy when we are doing live testing or debugging and we want to have the Falco logs as soon as they are emitted. The following command: +```bash +kubectl logs -f -n falco falco-pod-name +``` +The `-f (--follow)` flag follows the logs and live stream them to your terminal and it is really useful when you are debugging a new rule and want to make sure that the rule is triggered when some actions are performed in the system. + +If we need to access logs of a previous Falco run we do that by adding the `-p (--previous)` flag: +```bash +kubectl logs -p -n falco falco-pod-name +``` +A scenario when we need the `-p (--previous)` flag is when we have a restart of a Falco pod and want to check what went wrong. 
+ +### Enabling real time logs +By default in Falco the output is buffered. When live streaming logs we will notice delays between the logs output (rules triggering) and the event happening. +In order to enable the logs to be emitted without delays you need to set `.Values.tty=true` in [values.yaml](./values.yaml) file. + +## K8s-metacollector +Starting from Falco `0.37` the old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) has been removed. +A new component named [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) replaces it. +The *k8s-metacollector* is a self-contained module that can be deployed within a Kubernetes cluster to perform the task of gathering metadata +from various Kubernetes resources and subsequently transmitting this collected metadata to designated subscribers. + +Kubernetes' resources for which metadata will be collected and sent to Falco: +* pods; +* namespaces; +* deployments; +* replicationcontrollers; +* replicasets; +* services; + +### Plugin +Since the *k8s-metacollector* is standalone, deployed in the cluster as a deployment, Falco instances need to connect to the component +in order to retrieve the `metadata`. Here it comes the [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin. +The plugin gathers details about Kubernetes resources from the *k8s-metacollector*. It then stores this information +in tables and provides access to Falco upon request. The plugin specifically acquires data for the node where the +associated Falco instance is deployed, resulting in node-level granularity. + +### Exported Fields: Old and New +The old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) used to populate the +[k8s](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s) fields. The **k8s** field class is still +available in Falco, for compatibility reasons, but most of the fields will return `N/A`. 
The following fields are still +usable and will return meaningful data when the `container runtime collectors` are enabled: +* k8s.pod.name; +* k8s.pod.id; +* k8s.pod.label; +* k8s.pod.labels; +* k8s.pod.ip; +* k8s.pod.cni.json; +* k8s.pod.namespace.name; + +The [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin exports a whole new +[field class]https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta#supported-fields. Note that the new +`k8smeta.*` fields are usable only when the **k8smeta** plugin is loaded in Falco. + +### Enabling the k8s-metacollector +The following command will deploy Falco + k8s-metacollector + k8smeta: +```bash +helm install falco falcosecurity/falco \ + --namespace falco \ + --create-namespace \ + --set collectors.kubernetes.enabled=true +``` + +## Loading custom rules + +Falco ships with a nice default ruleset. It is a good starting point but sooner or later, we are going to need to add custom rules which fit our needs. + +So the question is: How can we load custom rules in our Falco deployment? + +We are going to create a file that contains custom rules so that we can keep it in a Git repository. 
+ +```bash +cat custom-rules.yaml +``` + +And the file looks like this one: + +```yaml +customRules: + rules-traefik.yaml: |- + - macro: traefik_consider_syscalls + condition: (evt.num < 0) + + - macro: app_traefik + condition: container and container.image startswith "traefik" + + # Restricting listening ports to selected set + + - list: traefik_allowed_inbound_ports_tcp + items: [443, 80, 8080] + + - rule: Unexpected inbound tcp connection traefik + desc: Detect inbound traffic to traefik using tcp on a port outside of expected set + condition: inbound and evt.rawres >= 0 and not fd.sport in (traefik_allowed_inbound_ports_tcp) and app_traefik + output: Inbound network connection to traefik on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image) + priority: NOTICE + + # Restricting spawned processes to selected set + + - list: traefik_allowed_processes + items: ["traefik"] + + - rule: Unexpected spawned process traefik + desc: Detect a process started in a traefik container outside of an expected set + condition: spawned_process and not proc.name in (traefik_allowed_processes) and app_traefik + output: Unexpected process spawned in traefik container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image) + priority: NOTICE +``` + +So next step is to use the custom-rules.yaml file for installing the Falco Helm chart. + +```bash +helm install falco -f custom-rules.yaml falcosecurity/falco +``` + +And we will see in our logs something like: + +```bash +Tue Jun 5 15:08:57 2018: Loading rules from file /etc/falco/rules.d/rules-traefik.yaml: +``` + +And this means that our Falco installation has loaded the rules and is ready to help us. + +## Kubernetes Audit Log + +The Kubernetes Audit Log is now supported via the built-in [k8saudit](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) plugin. 
It is entirely up to you to set up the [webhook backend](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#webhook-backend) of the Kubernetes API server to forward the Audit Log event to the Falco listening port. + +The following snippet shows how to deploy Falco with the [k8saudit](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) plugin: +```yaml +# -- Disable the drivers since we want to deploy only the k8saudit plugin. +driver: + enabled: false + +# -- Disable the collectors, no syscall events to enrich with metadata. +collectors: + enabled: false + +# -- Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurable. +controller: + kind: deployment + deployment: + # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. + # For more info check the section on Plugins in the README.md file. + replicas: 1 + + +falcoctl: + artifact: + install: + # -- Enable the init container. We do not recommend installing (or following) plugins for security reasons since they are executable objects. + enabled: true + follow: + # -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules. + enabled: true + config: + artifact: + install: + # -- Resolve the dependencies for artifacts. + resolveDeps: true + # -- List of artifacts to be installed by the falcoctl init container. + # Only rulesfile, the plugin will be installed as a dependency. + refs: [k8saudit-rules:0.5] + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. 
+ refs: [k8saudit-rules:0.5] + +services: + - name: k8saudit-webhook + type: NodePort + ports: + - port: 9765 # See plugin open_params + nodePort: 30007 + protocol: TCP + +falco: + rules_file: + - /etc/falco/k8s_audit_rules.yaml + - /etc/falco/rules.d + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: + "" + # maxEventBytes: 1048576 + # sslCertificate: /etc/falco/falco.pem + open_params: "http://:9765/k8s-audit" + - name: json + library_path: libjson.so + init_config: "" + # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container. + load_plugins: [k8saudit, json] + +``` +Here is the explanation of the above configuration: +* disable the drivers by setting `driver.enabled=false`; +* disable the collectors by setting `collectors.enabled=false`; +* deploy the Falco using a k8s *deployment* by setting `controller.kind=deployment`; +* make our Falco instance reachable by the `k8s api-server` by configuring a service for it in `services`; +* enable the `falcoctl-artifact-install` init container; +* configure `falcoctl-artifact-install` to install the required plugins; +* disable the `falcoctl-artifact-follow` sidecar container; +* load the correct ruleset for our plugin in `falco.rulesFile`; +* configure the plugins to be loaded, in this case, the `k8saudit` and `json`; +* and finally we add our plugins in the `load_plugins` to be loaded by Falco. + +The configuration can be found in the [values-k8saudit.yaml(./values-k8saudit.yaml] file ready to be used: + + +```bash +#make sure the falco namespace exists +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + -f ./values-k8saudit.yaml +``` +After a few minutes a Falco instance should be running on your cluster. 
The status of Falco pod can be inspected through *kubectl*: +```bash +kubectl get pods -n falco -o wide +``` +If everything went smoothly, you should observe an output similar to the following, indicating that the Falco instance is up and running: + +```bash +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +falco-64484d9579-qckms 1/1 Running 0 101s 10.244.2.2 worker-node-2 +``` + +Furthermore you can check that Falco logs through *kubectl logs* + +```bash +kubectl logs -n falco falco-64484d9579-qckms +``` +In the logs you should have something similar to the following, indicating that Falco has loaded the required plugins: +```bash +Fri Jul 8 16:07:24 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b) +Fri Jul 8 16:07:24 2022: Falco initialized with configuration file /etc/falco/falco.yaml +Fri Jul 8 16:07:24 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so +Fri Jul 8 16:07:24 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so +Fri Jul 8 16:07:24 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml: +Fri Jul 8 16:07:24 2022: Starting internal webserver, listening on port 8765 +``` +*Note that the support for the dynamic backend (also known as the `AuditSink` object) has been deprecated from Kubernetes and removed from this chart.* + +### Manual setup with NodePort on kOps + +Using `kops edit cluster`, ensure these options are present, then run `kops update cluster` and `kops rolling-update cluster`: +```yaml +spec: + kubeAPIServer: + auditLogMaxBackups: 1 + auditLogMaxSize: 10 + auditLogPath: /var/log/k8s-audit.log + auditPolicyFile: /srv/kubernetes/assets/audit-policy.yaml + auditWebhookBatchMaxWait: 5s + auditWebhookConfigFile: /srv/kubernetes/assets/webhook-config.yaml + fileAssets: + - content: | + # content of the webserver CA certificate + # remove this fileAsset and certificate-authority from webhook-config if using http + name: 
audit-ca.pem + roles: + - Master + - content: | + apiVersion: v1 + kind: Config + clusters: + - name: falco + cluster: + # remove 'certificate-authority' when using 'http' + certificate-authority: /srv/kubernetes/assets/audit-ca.pem + server: https://localhost:32765/k8s-audit + contexts: + - context: + cluster: falco + user: "" + name: default-context + current-context: default-context + preferences: {} + users: [] + name: webhook-config.yaml + roles: + - Master + - content: | + # ... paste audit-policy.yaml here ... + # https://raw.githubusercontent.com/falcosecurity/plugins/master/plugins/k8saudit/configs/audit-policy.yaml + name: audit-policy.yaml + roles: + - Master +``` +## Enabling gRPC + +The Falco gRPC server and the Falco gRPC Outputs APIs are not enabled by default. +Moreover, Falco supports running a gRPC server with two main binding types: +- Over a local **Unix socket** with no authentication +- Over the **network** with mandatory mutual TLS authentication (mTLS) + +> **Tip**: Once gRPC is enabled, you can deploy [falco-exporter](https://github.com/falcosecurity/falco-exporter) to export metrics to Prometheus. + +### gRPC over unix socket (default) + +The preferred way to use the gRPC is over a Unix socket. + +To install Falco with gRPC enabled over a **unix socket**, you have to: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.grpc.enabled=true \ + --set falco.grpc_output.enabled=true +``` + +### gRPC over network + +The gRPC server over the network can only be used with mutual authentication between the clients and the server using TLS certificates. +How to generate the certificates is [documented here](https://falco.org/docs/grpc/#generate-valid-ca). 
+ +To install Falco with gRPC enabled over the **network**, you have to: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.grpc.enabled=true \ + --set falco.grpc_output.enabled=true \ + --set falco.grpc.unixSocketPath="" \ + --set-file certs.server.key=/path/to/server.key \ + --set-file certs.server.crt=/path/to/server.crt \ + --set-file certs.ca.crt=/path/to/ca.crt + +``` + +## Enable http_output + +HTTP output enables Falco to send events through HTTP(S) via the following configuration: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.http_output.enabled=true \ + --set falco.http_output.url="http://some.url/some/path/" \ + --set falco.json_output=true \ + --set json_include_output_property=true +``` + +Additionally, you can enable mTLS communication and load HTTP client cryptographic material via: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.http_output.enabled=true \ + --set falco.http_output.url="https://some.url/some/path/" \ + --set falco.json_output=true \ + --set json_include_output_property=true \ + --set falco.http_output.mtls=true \ + --set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \ + --set falco.http_output.client_key="/etc/falco/certs/client/client.key" \ + --set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \ + --set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" +``` + +Or instead of directly setting the files via `--set-file`, mounting an existing volume with the `certs.existingClientSecret` value. + +## Deploy Falcosidekick with Falco + +[`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. 
This setting automatically configures all options of `Falco` for working with `Falcosidekick`. +All values for the configuration of `Falcosidekick` are available by prefixing them with `falcosidekick.`. The full list of available values is [here](https://github.com/falcosecurity/charts/tree/master/charts/falcosidekick#configuration). +For example, to enable the deployment of [`Falcosidekick-UI`](https://github.com/falcosecurity/falcosidekick-ui), add `--set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true`. + +If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidekick` might be captured, use the full FQDN of `Falcosidekick` by using `--set falcosidekick.fullfqdn=true` to avoid that. + +## Configuration + +The following table lists the main configurable parameters of the {{ template "chart.name" . }} chart v{{ template "chart.version" . }} and their default values. See [values.yaml](./values.yaml) for full list. + +{{ template "chart.valuesSection" . }} diff --git a/falco/README.md b/falco/README.md new file mode 100644 index 0000000..3bcdd66 --- /dev/null +++ b/falco/README.md 
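Review bot: the bullet list explaining the k8saudit values contradicts the YAML it describes: it says "disable the `falcoctl-artifact-follow` sidecar container" while the values set `follow: enabled: true` with `refs: [k8saudit-rules:0.5]`, and it refers to `falco.rulesFile` while the key actually used is `falco.rules_file`; rewrite those two bullets to match the YAML (the follow sidecar is enabled for the rules feed, the key is `falco.rules_file`). In the same example the comment states that installing plugins via falcoctl is not recommended "since they are executable objects", yet `resolveDeps: true` pulls `k8saudit` in as a dependency anyway; either drop that sentence or say plainly that the plugin is installed through dependency resolution and pin its version. The markdown link `[values-k8saudit.yaml(./values-k8saudit.yaml]` is missing its closing `]`. In the kOps section, `server: https://localhost:32765/k8s-audit` does not agree with the service defined above it (`nodePort: 30007`, `open_params: "http://:9765/k8s-audit"`, `sslCertificate` commented out), so as written the API server would try TLS against a port nothing listens on; align the port and state that `https` requires `sslCertificate` in `init_config` as well as the CA asset. In the http_output examples, `--set json_include_output_property=true` lacks the `falco.` prefix every neighbouring key uses.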
@@ -0,0 +1,758 @@ +# Falco + +[Falco](https://falco.org) is a *Cloud Native Runtime Security* tool designed to detect anomalous activity in your applications. You can use Falco to monitor runtime security of your Kubernetes applications and internal components. + +## Introduction + +The deployment of Falco in a Kubernetes cluster is managed through a **Helm chart**. This chart manages the lifecycle of Falco in a cluster by handling all the k8s objects needed by Falco to be seamlessly integrated in your environment. Based on the configuration in [values.yaml](./values.yaml) file, the chart will render and install the required k8s objects. Keep in mind that Falco could be deployed in your cluster using a `daemonset` or a `deployment`. See next sections for more info. + +## Attention + +Before installing Falco in a Kubernetes cluster, a user should check that the kernel version used in the nodes is supported by the community. Also, before reporting any issue with Falco (missing kernel image, CrashLoopBackOff and similar), make sure to read [about the driver](#about-the-driver) section and adjust your setup as required. + +## Adding `falcosecurity` repository + +Before installing the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +To install the chart with the release name `falco` in namespace `falco` run: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco +``` + +After a few minutes Falco instances should be running on all your nodes. 
The status of Falco pods can be inspected through *kubectl*: +```bash +kubectl get pods -n falco -o wide +``` +If everything went smoothly, you should observe an output similar to the following, indicating that all Falco instances are up and running in you cluster: + +```bash +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +falco-57w7q 1/1 Running 0 3m12s 10.244.0.1 control-plane +falco-h4596 1/1 Running 0 3m12s 10.244.1.2 worker-node-1 +falco-kb55h 1/1 Running 0 3m12s 10.244.2.3 worker-node-2 +``` +The cluster in our example has three nodes, one *control-plane* node and two *worker* nodes. The default configuration in [values.yaml](./values.yaml) of our helm chart deploys Falco using a `daemonset`. That's the reason why we have one Falco pod in each node. +> **Tip**: List Falco release using `helm list -n falco`, a release is a name used to track a specific deployment. + +### Falco, Event Sources and Kubernetes +Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events). + +Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. 
A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources). + +#### About Drivers + +Falco needs a **driver** to analyze the system workload and pass security events to userspace. The supported drivers are: + +* [Kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) +* [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) +* [Modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe) + +The driver should be installed on the node where Falco is running. The _kernel module_ (default option) and the _eBPF probe_ are installed on the node through an *init container* (i.e. `falco-driver-loader`) that tries download a prebuilt driver or build it on-the-fly as a fallback. The _Modern eBPF probe_ doesn't require an init container because it is shipped directly into the Falco binary. However, the _Modern eBPF probe_ requires [recent BPF features](https://falco.org/docs/event-sources/kernel/#modern-ebpf-probe). + +##### Pre-built drivers + +The [kernel-crawler](https://github.com/falcosecurity/kernel-crawler) automatically discovers kernel versions and flavors. At the time being, it runs weekly. We have a site where users can check for the discovered kernel flavors and versions, [example for Amazon Linux 2](https://falcosecurity.github.io/kernel-crawler/?arch=x86_64&target=AmazonLinux2). + +The discovery of a kernel version by the [kernel-crawler](https://falcosecurity.github.io/kernel-crawler/) does not imply that pre-built kernel modules and bpf probes are available. That is because once kernel-crawler has discovered new kernels versions, the drivers need to be built by jobs running on our [Driver Build Grid infra](https://github.com/falcosecurity/test-infra#dbg). Please keep in mind that the building process is based on best effort. 
Users can check the existence of prebuilt modules at the following [link](https://download.falco.org/driver/site/index.html?lib=3.0.1%2Bdriver&target=all&arch=all&kind=all). + +##### Building the driver on the fly (fallback) + +If a prebuilt driver is not available for your distribution/kernel, users can build the driver by them self or install the kernel headers on the nodes, and the init container (falco-driver-loader) will try and build the driver on the fly. + +Falco needs **kernel headers** installed on the host as a prerequisite to build the driver on the fly correctly. You can find instructions for installing the kernel headers for your system under the [Install section](https://falco.org/docs/getting-started/installation/) of the official documentation. + +##### Selecting a different driver loader image + +Note that since Falco 0.36.0 and Helm chart version 3.7.0 the driver loader image has been updated to be compatible with newer kernels (5.x and above) meaning that if you have an older kernel version and you are trying to build the kernel module you may experience issues. In that case you can use the `falco-driver-loader-legacy` image to use the previous version of the toolchain. To do so you can set the appropriate value, i.e. `--set driver.loader.initContainer.image.repository=falcosecurity/falco-driver-loader-legacy`. + +#### About Plugins +[Plugins](https://falco.org/docs/plugins/) are used to extend Falco to support new **data sources**. The current **plugin framework** supports *plugins* with the following *capabilities*: + +* Event sourcing capability; +* Field extraction capability; + +Plugin capabilities are *composable*, we can have a single plugin with both capabilities. Or on the other hand, we can load two different plugins each with its capability, one plugin as a source of events and another as an extractor. 
A good example of this is the [Kubernetes Audit Events](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) and the [Falcosecurity Json](https://github.com/falcosecurity/plugins/tree/master/plugins/json) *plugins*. By deploying them both we have support for the **K8s Audit Logs** in Falco + +Note that **the driver is not required when using plugins**. + +#### About gVisor +gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system. For more information please consult the [official docs](https://gvisor.dev/docs/). In version `0.32.1`, Falco first introduced support for gVisor by leveraging the stream of system call information coming from gVisor. +Falco requires the version of [runsc](https://gvisor.dev/docs/user_guide/install/) to be equal to or above `20220704.0`. The following snippet shows the gVisor configuration variables found in [values.yaml](./values.yaml): +```yaml +driver: + gvisor: + enabled: true + runsc: + path: /home/containerd/usr/local/sbin + root: /run/containerd/runsc + config: /run/containerd/runsc/config.toml +``` +Falco uses the [runsc](https://gvisor.dev/docs/user_guide/install/) binary to interact with sandboxed containers. The following variables need to be set: +* `runsc.path`: absolute path of the `runsc` binary in the k8s nodes; +* `runsc.root`: absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it; +* `runsc.config`: absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence. + +If you want to know more how Falco uses those configuration paths please have a look at the `falco.gvisor.initContainer` helper in [helpers.tpl](./templates/_helpers.tpl). 
+A preset `values.yaml` file [values-gvisor-gke.yaml](./values-gvisor-gke.yaml) is provided and can be used as it is to deploy Falco with gVisor support in a [GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods) cluster. It is also a good starting point for custom deployments. + +##### Example: running Falco on GKE, with or without gVisor-enabled pods + +If you use GKE with k8s version at least `1.24.4-gke.1800` or `1.25.0-gke.200` with gVisor sandboxed pods, you can install a Falco instance to monitor them with, e.g.: + +``` +helm install falco-gvisor falcosecurity/falco \ + --create-namespace \ + --namespace falco-gvisor \ + -f https://raw.githubusercontent.com/falcosecurity/charts/master/charts/falco/values-gvisor-gke.yaml +``` + +Note that the instance of Falco above will only monitor gVisor sandboxed workloads on gVisor-enabled node pools. If you also need to monitor regular workloads on regular node pools you can use the eBPF driver as usual: + +``` +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set driver.kind=ebpf +``` + +The two instances of Falco will operate independently and can be installed, uninstalled or configured as needed. If you were already monitoring your regular node pools with eBPF you don't need to reinstall it. + +##### Falco+gVisor additional resources +An exhaustive blog post about Falco and gVisor can be found on the [Falco blog](https://falco.org/blog/intro-gvisor-falco/). +If you need help on how to set gVisor in your environment please have a look at the [gVisor official docs](https://gvisor.dev/docs/user_guide/quick_start/kubernetes/) + +### About Falco Artifacts +Historically **rules files** and **plugins** used to be shipped inside the Falco docker image and/or inside the chart. Starting from version `v0.3.0` of the chart, the [**falcoctl tool**](https://github.com/falcosecurity/falcoctl) can be used to install/update **rules files** and **plugins**. 
When referring to such objects we will use the term **artifact**. For more info please check out the following [proposal](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md). + +The default configuration of the chart for new installations is to use the **falcoctl** tool to handle **artifacts**. The chart will deploy two new containers along the Falco one: +* `falcoctl-artifact-install` an init container that makes sure to install the configured **artifacts** before the Falco container starts; +* `falcoctl-artifact-follow` a sidecar container that periodically checks for new artifacts (currently only *falco-rules*) and downloads them; + +For more info on how to enable/disable and configure the **falcoctl** tool checkout the config values [here](./README.md#Configuration) and the [upgrading notes](./BREAKING-CHANGES.md#300) + +### Deploying Falco in Kubernetes +After the clarification of the different [**event sources**](#falco-event-sources-and-kubernetes) and how they are consumed by Falco using the **drivers** and the **plugins**, now let us discuss how Falco is deployed in Kubernetes. + +The chart deploys Falco using a `daemonset` or a `deployment` depending on the **event sources**. + +#### Daemonset +When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. By using a `daemonset`, k8s assures that a Falco instance will be running in each of our nodes even when we add new nodes to our cluster. So it is the perfect match when we need to monitor all the nodes in our cluster. 
+ +**Kernel module** +To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco +``` + +**eBPF probe** + +To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set driver.kind=ebpf +``` + +There are other configurations related to the eBPF probe, for more info please check the [values.yaml](./values.yaml) file. After you have made your changes to the configuration file you just need to run: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace "your-custom-name-space" \ + -f "path-to-custom-values.yaml-file" +``` + +**modern eBPF probe** + +To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: + +```bash +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set driver.kind=modern_ebpf +``` + +#### Deployment +In the scenario when Falco is used with **plugins** as data sources, then the best option is to deploy it as a k8s `deployment`. **Plugins** could be of two types, the ones that follow the **push model** or the **pull model**. A plugin that adopts the firs model expects to receive the data from a remote source in a given endpoint. They just expose and endpoint and wait for data to be posted, for example [Kubernetes Audit Events](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) expects the data to be sent by the *k8s api server* when configured in such way. 
On the other hand other plugins that abide by the **pull model** retrieves the data from a given remote service. +The following points explain why a k8s `deployment` is suitable when deploying Falco with plugins: + +* need to be reachable when ingesting logs directly from remote services; +* need only one active replica, otherwise events will be sent/received to/from different Falco instances; + +## Uninstalling the Chart + +To uninstall a Falco release from your Kubernetes cluster always you helm. It will take care to remove all components deployed by the chart and clean up your environment. The following command will remove a release called `falco` in namespace `falco`; + +```bash +helm uninstall falco --namespace falco +``` + +## Showing logs generated by Falco container +There are many reasons why we would have to inspect the messages emitted by the Falco container. When deployed in Kubernetes the Falco logs can be inspected through: +```bash +kubectl logs -n falco falco-pod-name +``` +where `falco-pods-name` is the name of the Falco pod running in your cluster. +The command described above will just display the logs emitted by falco until the moment you run the command. The `-f` flag comes handy when we are doing live testing or debugging and we want to have the Falco logs as soon as they are emitted. The following command: +```bash +kubectl logs -f -n falco falco-pod-name +``` +The `-f (--follow)` flag follows the logs and live stream them to your terminal and it is really useful when you are debugging a new rule and want to make sure that the rule is triggered when some actions are performed in the system. + +If we need to access logs of a previous Falco run we do that by adding the `-p (--previous)` flag: +```bash +kubectl logs -p -n falco falco-pod-name +``` +A scenario when we need the `-p (--previous)` flag is when we have a restart of a Falco pod and want to check what went wrong. 
+ +### Enabling real time logs +By default in Falco the output is buffered. When live streaming logs we will notice delays between the logs output (rules triggering) and the event happening. +In order to enable the logs to be emitted without delays you need to set `.Values.tty=true` in [values.yaml](./values.yaml) file. + +## K8s-metacollector +Starting from Falco `0.37` the old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) has been removed. +A new component named [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) replaces it. +The *k8s-metacollector* is a self-contained module that can be deployed within a Kubernetes cluster to perform the task of gathering metadata +from various Kubernetes resources and subsequently transmitting this collected metadata to designated subscribers. + +Kubernetes' resources for which metadata will be collected and sent to Falco: +* pods; +* namespaces; +* deployments; +* replicationcontrollers; +* replicasets; +* services; + +### Plugin +Since the *k8s-metacollector* is standalone, deployed in the cluster as a deployment, Falco instances need to connect to the component +in order to retrieve the `metadata`. Here it comes the [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin. +The plugin gathers details about Kubernetes resources from the *k8s-metacollector*. It then stores this information +in tables and provides access to Falco upon request. The plugin specifically acquires data for the node where the +associated Falco instance is deployed, resulting in node-level granularity. + +### Exported Fields: Old and New +The old [k8s-client](https://github.com/falcosecurity/falco/issues/2973) used to populate the +[k8s](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s) fields. The **k8s** field class is still +available in Falco, for compatibility reasons, but most of the fields will return `N/A`. 
The following fields are still +usable and will return meaningful data when the `container runtime collectors` are enabled: +* k8s.pod.name; +* k8s.pod.id; +* k8s.pod.label; +* k8s.pod.labels; +* k8s.pod.ip; +* k8s.pod.cni.json; +* k8s.pod.namespace.name; + +The [k8smeta](https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta) plugin exports a whole new +[field class]https://github.com/falcosecurity/plugins/tree/master/plugins/k8smeta#supported-fields. Note that the new +`k8smeta.*` fields are usable only when the **k8smeta** plugin is loaded in Falco. + +### Enabling the k8s-metacollector +The following command will deploy Falco + k8s-metacollector + k8smeta: +```bash +helm install falco falcosecurity/falco \ + --namespace falco \ + --create-namespace \ + --set collectors.kubernetes.enabled=true +``` + +## Loading custom rules + +Falco ships with a nice default ruleset. It is a good starting point but sooner or later, we are going to need to add custom rules which fit our needs. + +So the question is: How can we load custom rules in our Falco deployment? + +We are going to create a file that contains custom rules so that we can keep it in a Git repository. 
+ +```bash +cat custom-rules.yaml +``` + +And the file looks like this one: + +```yaml +customRules: + rules-traefik.yaml: |- + - macro: traefik_consider_syscalls + condition: (evt.num < 0) + + - macro: app_traefik + condition: container and container.image startswith "traefik" + + # Restricting listening ports to selected set + + - list: traefik_allowed_inbound_ports_tcp + items: [443, 80, 8080] + + - rule: Unexpected inbound tcp connection traefik + desc: Detect inbound traffic to traefik using tcp on a port outside of expected set + condition: inbound and evt.rawres >= 0 and not fd.sport in (traefik_allowed_inbound_ports_tcp) and app_traefik + output: Inbound network connection to traefik on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image) + priority: NOTICE + + # Restricting spawned processes to selected set + + - list: traefik_allowed_processes + items: ["traefik"] + + - rule: Unexpected spawned process traefik + desc: Detect a process started in a traefik container outside of an expected set + condition: spawned_process and not proc.name in (traefik_allowed_processes) and app_traefik + output: Unexpected process spawned in traefik container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image) + priority: NOTICE +``` + +So next step is to use the custom-rules.yaml file for installing the Falco Helm chart. + +```bash +helm install falco -f custom-rules.yaml falcosecurity/falco +``` + +And we will see in our logs something like: + +```bash +Tue Jun 5 15:08:57 2018: Loading rules from file /etc/falco/rules.d/rules-traefik.yaml: +``` + +And this means that our Falco installation has loaded the rules and is ready to help us. + +## Kubernetes Audit Log + +The Kubernetes Audit Log is now supported via the built-in [k8saudit](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) plugin. 
It is entirely up to you to set up the [webhook backend](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#webhook-backend) of the Kubernetes API server to forward the Audit Log event to the Falco listening port. + +The following snippet shows how to deploy Falco with the [k8saudit](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit) plugin: +```yaml +# -- Disable the drivers since we want to deploy only the k8saudit plugin. +driver: + enabled: false + +# -- Disable the collectors, no syscall events to enrich with metadata. +collectors: + enabled: false + +# -- Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurable. +controller: + kind: deployment + deployment: + # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. + # For more info check the section on Plugins in the README.md file. + replicas: 1 + +falcoctl: + artifact: + install: + # -- Enable the init container. We do not recommend installing (or following) plugins for security reasons since they are executable objects. + enabled: true + follow: + # -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules. + enabled: true + config: + artifact: + install: + # -- Resolve the dependencies for artifacts. + resolveDeps: true + # -- List of artifacts to be installed by the falcoctl init container. + # Only rulesfile, the plugin will be installed as a dependency. + refs: [k8saudit-rules:0.5] + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. 
+ refs: [k8saudit-rules:0.5] + +services: + - name: k8saudit-webhook + type: NodePort + ports: + - port: 9765 # See plugin open_params + nodePort: 30007 + protocol: TCP + +falco: + rules_file: + - /etc/falco/k8s_audit_rules.yaml + - /etc/falco/rules.d + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: + "" + # maxEventBytes: 1048576 + # sslCertificate: /etc/falco/falco.pem + open_params: "http://:9765/k8s-audit" + - name: json + library_path: libjson.so + init_config: "" + # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container. + load_plugins: [k8saudit, json] + +``` +Here is the explanation of the above configuration: +* disable the drivers by setting `driver.enabled=false`; +* disable the collectors by setting `collectors.enabled=false`; +* deploy the Falco using a k8s *deployment* by setting `controller.kind=deployment`; +* make our Falco instance reachable by the `k8s api-server` by configuring a service for it in `services`; +* enable the `falcoctl-artifact-install` init container; +* configure `falcoctl-artifact-install` to install the required plugins; +* disable the `falcoctl-artifact-follow` sidecar container; +* load the correct ruleset for our plugin in `falco.rulesFile`; +* configure the plugins to be loaded, in this case, the `k8saudit` and `json`; +* and finally we add our plugins in the `load_plugins` to be loaded by Falco. + +The configuration can be found in the [values-k8saudit.yaml(./values-k8saudit.yaml] file ready to be used: + +```bash +#make sure the falco namespace exists +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + -f ./values-k8saudit.yaml +``` +After a few minutes a Falco instance should be running on your cluster. 
The status of Falco pod can be inspected through *kubectl*: +```bash +kubectl get pods -n falco -o wide +``` +If everything went smoothly, you should observe an output similar to the following, indicating that the Falco instance is up and running: + +```bash +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +falco-64484d9579-qckms 1/1 Running 0 101s 10.244.2.2 worker-node-2 +``` + +Furthermore you can check that Falco logs through *kubectl logs* + +```bash +kubectl logs -n falco falco-64484d9579-qckms +``` +In the logs you should have something similar to the following, indicating that Falco has loaded the required plugins: +```bash +Fri Jul 8 16:07:24 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b) +Fri Jul 8 16:07:24 2022: Falco initialized with configuration file /etc/falco/falco.yaml +Fri Jul 8 16:07:24 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so +Fri Jul 8 16:07:24 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so +Fri Jul 8 16:07:24 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml: +Fri Jul 8 16:07:24 2022: Starting internal webserver, listening on port 8765 +``` +*Note that the support for the dynamic backend (also known as the `AuditSink` object) has been deprecated from Kubernetes and removed from this chart.* + +### Manual setup with NodePort on kOps + +Using `kops edit cluster`, ensure these options are present, then run `kops update cluster` and `kops rolling-update cluster`: +```yaml +spec: + kubeAPIServer: + auditLogMaxBackups: 1 + auditLogMaxSize: 10 + auditLogPath: /var/log/k8s-audit.log + auditPolicyFile: /srv/kubernetes/assets/audit-policy.yaml + auditWebhookBatchMaxWait: 5s + auditWebhookConfigFile: /srv/kubernetes/assets/webhook-config.yaml + fileAssets: + - content: | + # content of the webserver CA certificate + # remove this fileAsset and certificate-authority from webhook-config if using http + name: 
audit-ca.pem + roles: + - Master + - content: | + apiVersion: v1 + kind: Config + clusters: + - name: falco + cluster: + # remove 'certificate-authority' when using 'http' + certificate-authority: /srv/kubernetes/assets/audit-ca.pem + server: https://localhost:32765/k8s-audit + contexts: + - context: + cluster: falco + user: "" + name: default-context + current-context: default-context + preferences: {} + users: [] + name: webhook-config.yaml + roles: + - Master + - content: | + # ... paste audit-policy.yaml here ... + # https://raw.githubusercontent.com/falcosecurity/plugins/master/plugins/k8saudit/configs/audit-policy.yaml + name: audit-policy.yaml + roles: + - Master +``` +## Enabling gRPC + +The Falco gRPC server and the Falco gRPC Outputs APIs are not enabled by default. +Moreover, Falco supports running a gRPC server with two main binding types: +- Over a local **Unix socket** with no authentication +- Over the **network** with mandatory mutual TLS authentication (mTLS) + +> **Tip**: Once gRPC is enabled, you can deploy [falco-exporter](https://github.com/falcosecurity/falco-exporter) to export metrics to Prometheus. + +### gRPC over unix socket (default) + +The preferred way to use the gRPC is over a Unix socket. + +To install Falco with gRPC enabled over a **unix socket**, you have to: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.grpc.enabled=true \ + --set falco.grpc_output.enabled=true +``` + +### gRPC over network + +The gRPC server over the network can only be used with mutual authentication between the clients and the server using TLS certificates. +How to generate the certificates is [documented here](https://falco.org/docs/grpc/#generate-valid-ca). 
+ +To install Falco with gRPC enabled over the **network**, you have to: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.grpc.enabled=true \ + --set falco.grpc_output.enabled=true \ + --set falco.grpc.unixSocketPath="" \ + --set-file certs.server.key=/path/to/server.key \ + --set-file certs.server.crt=/path/to/server.crt \ + --set-file certs.ca.crt=/path/to/ca.crt + +``` + +## Enable http_output + +HTTP output enables Falco to send events through HTTP(S) via the following configuration: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.http_output.enabled=true \ + --set falco.http_output.url="http://some.url/some/path/" \ + --set falco.json_output=true \ + --set json_include_output_property=true +``` + +Additionally, you can enable mTLS communication and load HTTP client cryptographic material via: + +```shell +helm install falco falcosecurity/falco \ + --create-namespace \ + --namespace falco \ + --set falco.http_output.enabled=true \ + --set falco.http_output.url="https://some.url/some/path/" \ + --set falco.json_output=true \ + --set json_include_output_property=true \ + --set falco.http_output.mtls=true \ + --set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \ + --set falco.http_output.client_key="/etc/falco/certs/client/client.key" \ + --set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \ + --set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" +``` + +Or instead of directly setting the files via `--set-file`, mounting an existing volume with the `certs.existingClientSecret` value. + +## Deploy Falcosidekick with Falco + +[`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. 
This setting automatically configures all options of `Falco` for working with `Falcosidekick`. +All values for the configuration of `Falcosidekick` are available by prefixing them with `falcosidekick.`. The full list of available values is [here](https://github.com/falcosecurity/charts/tree/master/charts/falcosidekick#configuration). +For example, to enable the deployment of [`Falcosidekick-UI`](https://github.com/falcosecurity/falcosidekick-ui), add `--set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true`. + +If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidekick` might be captured, use the full FQDN of `Falcosidekick` by using `--set falcosidekick.fullfqdn=true` to avoid that. + +## Configuration + +The following table lists the main configurable parameters of the falco chart v4.2.5 and their default values. See [values.yaml](./values.yaml) for full list. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity constraint for pods' scheduling. | +| certs | object | `{"ca":{"crt":""},"client":{"crt":"","key":""},"existingClientSecret":"","existingSecret":"","server":{"crt":"","key":""}}` | certificates used by webserver and grpc server. paste certificate content or use helm with --set-file or use existing secret containing key, crt, ca as well as pem bundle | +| certs.ca.crt | string | `""` | CA certificate used by gRPC, webserver and AuditSink validation. | +| certs.client.crt | string | `""` | Certificate used by http mTLS client. | +| certs.client.key | string | `""` | Key used by http mTLS client. | +| certs.existingSecret | string | `""` | Existing secret containing the following key, crt and ca as well as the bundle pem. | +| certs.server.crt | string | `""` | Certificate used by gRPC and webserver. | +| certs.server.key | string | `""` | Key used by gRPC and webserver. 
| +| collectors.containerd.enabled | bool | `true` | Enable ContainerD support. | +| collectors.containerd.socket | string | `"/run/containerd/containerd.sock"` | The path of the ContainerD socket. | +| collectors.crio.enabled | bool | `true` | Enable CRI-O support. | +| collectors.crio.socket | string | `"/run/crio/crio.sock"` | The path of the CRI-O socket. | +| collectors.docker.enabled | bool | `true` | Enable Docker support. | +| collectors.docker.socket | string | `"/var/run/docker.sock"` | The path of the Docker daemon socket. | +| collectors.enabled | bool | `true` | Enable/disable all the metadata collectors. | +| collectors.kubernetes | object | `{"collectorHostname":"","collectorPort":"","enabled":false,"pluginRef":"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0"}` | kubernetes holds the configuration for the kubernetes collector. Starting from version 0.37.0 of Falco, the legacy kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 | +| collectors.kubernetes.collectorHostname | string | `""` | collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override it, make sure to set here the address of the k8s-metacollector. It is used by the k8smeta plugin to connect to the k8s-metacollector. | +| collectors.kubernetes.collectorPort | string | `""` | collectorPort designates the port on which the k8s-metacollector gRPC service listens. If not specified the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. It is used by the k8smeta plugin to connect to the k8s-metacollector. 
| +| collectors.kubernetes.enabled | bool | `false` | enabled specifies whether the Kubernetes metadata should be collected using the k8smeta plugin and the k8s-metacollector component. It will deploy the k8s-metacollector external component that fetches Kubernetes metadata and pushes them to Falco instances. For more info see: https://github.com/falcosecurity/k8s-metacollector https://github.com/falcosecurity/charts/tree/master/charts/k8s-metacollector When this option is disabled, Falco falls back to the container annotations to grab the metadata. In such a case, only the ID, name, namespace, labels of the pod will be available. | +| collectors.kubernetes.pluginRef | string | `"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0"` | pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. | +| containerSecurityContext | object | `{}` | Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl" | +| controller.annotations | object | `{}` | | +| controller.daemonset.updateStrategy.type | string | `"RollingUpdate"` | Perform rolling updates by default in the DaemonSet agent ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ | +| controller.deployment.replicas | int | `1` | Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. For more info check the section on Plugins in the README.md file. | +| controller.kind | string | `"daemonset"` | | +| customRules | object | `{}` | Third party rules enabled for Falco. More info on the dedicated section in README.md file. | +| driver.ebpf | object | `{"bufSizePreset":4,"dropFailedExit":false,"hostNetwork":false,"leastPrivileged":false,"path":"${HOME}/.falco/falco-bpf.o"}` | Configuration section for ebpf driver. 
| +| driver.ebpf.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. | +| driver.ebpf.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. | +| driver.ebpf.hostNetwork | bool | `false` | Needed to enable eBPF JIT at runtime for performance reasons. Can be skipped if eBPF JIT is enabled from outside the container | +| driver.ebpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 | +| driver.ebpf.path | string | `"${HOME}/.falco/falco-bpf.o"` | path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init container deployed with the chart. | +| driver.enabled | bool | `true` | Set it to false if you want to deploy Falco without the drivers. Always set it to false when using Falco with plugins. | +| driver.gvisor | object | `{"runsc":{"config":"/run/containerd/runsc/config.toml","path":"/home/containerd/usr/local/sbin","root":"/run/containerd/runsc"}}` | Gvisor configuration. Based on your system you need to set the appropriate values. Please, remember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes. 
| +| driver.gvisor.runsc | object | `{"config":"/run/containerd/runsc/config.toml","path":"/home/containerd/usr/local/sbin","root":"/run/containerd/runsc"}` | Runsc container runtime configuration. Falco needs to interact with it in order to intercept the activity of the sandboxed pods. | +| driver.gvisor.runsc.config | string | `"/run/containerd/runsc/config.toml"` | Absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence. | +| driver.gvisor.runsc.path | string | `"/home/containerd/usr/local/sbin"` | Absolute path of the `runsc` binary in the k8s nodes. | +| driver.gvisor.runsc.root | string | `"/run/containerd/runsc"` | Absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it; | +| driver.kind | string | `"kmod"` | kind tells Falco which driver to use. Available options: kmod (kernel driver), ebpf (eBPF probe), modern_ebpf (modern eBPF probe). | +| driver.kmod | object | `{"bufSizePreset":4,"dropFailedExit":false}` | kmod holds the configuration for the kernel module. | +| driver.kmod.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. | +| driver.kmod.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. | +| driver.loader | object | `{"enabled":true,"initContainer":{"args":[],"env":[],"image":{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falco-driver-loader","tag":""},"resources":{},"securityContext":{}}}` | Configuration for the Falco init container. | +| driver.loader.enabled | bool | `true` | Enable/disable the init container. 
| +| driver.loader.initContainer.args | list | `[]` | Arguments to pass to the Falco driver loader init container. | +| driver.loader.initContainer.env | list | `[]` | Extra environment variables that will be pass onto Falco driver loader init container. | +| driver.loader.initContainer.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. | +| driver.loader.initContainer.image.registry | string | `"docker.io"` | The image registry to pull from. | +| driver.loader.initContainer.image.repository | string | `"falcosecurity/falco-driver-loader"` | The image repository to pull from. | +| driver.loader.initContainer.resources | object | `{}` | Resources requests and limits for the Falco driver loader init container. | +| driver.loader.initContainer.securityContext | object | `{}` | Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`. | +| driver.modernEbpf.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. | +| driver.modernEbpf.cpusForEachBuffer | int | `2` | cpusForEachBuffer is the index that controls how many CPUs to assign to a single syscall buffer. | +| driver.modernEbpf.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. | +| driver.modernEbpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 | +| extra.args | list | `[]` | Extra command-line arguments. 
| +| extra.env | list | `[]` | Extra environment variables that will be pass onto Falco containers. | +| extra.initContainers | list | `[]` | Additional initContainers for Falco pods. | +| falco.base_syscalls | object | `{"custom_set":[],"repair":false}` | - [Suggestions] NOTE: setting `base_syscalls.repair: true` automates the following suggestions for you. These suggestions are subject to change as Falco and its state engine evolve. For execve* events: Some Falco fields for an execve* syscall are retrieved from the associated `clone`, `clone3`, `fork`, `vfork` syscalls when spawning a new process. The `close` syscall is used to purge file descriptors from Falco's internal thread / process cache table and is necessary for rules relating to file descriptors (e.g. open, openat, openat2, socket, connect, accept, accept4 ... and many more) Consider enabling the following syscalls in `base_syscalls.custom_set` for process rules: [clone, clone3, fork, vfork, execve, execveat, close] For networking related events: While you can log `connect` or `accept*` syscalls without the socket syscall, the log will not contain the ip tuples. Additionally, for `listen` and `accept*` syscalls, the `bind` syscall is also necessary. We recommend the following as the minimum set for networking-related rules: [clone, clone3, fork, vfork, execve, execveat, close, socket, bind, getsockopt] Lastly, for tracking the correct `uid`, `gid` or `sid`, `pgid` of a process when the running process opens a file or makes a network connection, consider adding the following to the above recommended syscall sets: ... setresuid, setsid, setuid, setgid, setpgid, setresgid, setsid, capset, chdir, chroot, fchdir ... | +| falco.buffered_outputs | bool | `false` | Enabling buffering for the output queue can offer performance optimization, efficient resource usage, and smoother data flow, resulting in a more reliable output mechanism. By default, buffering is disabled (false). 
| +| falco.file_output | object | `{"enabled":false,"filename":"./events.txt","keep_alive":false}` | When appending Falco alerts to a file, each new alert will be added to a new line. It's important to note that Falco does not perform log rotation for this file. If the `keep_alive` option is set to `true`, the file will be opened once and continuously written to, else the file will be reopened for each output message. Furthermore, the file will be closed and reopened if Falco receives the SIGUSR1 signal. | +| falco.grpc | object | `{"bind_address":"unix:///run/falco/falco.sock","enabled":false,"threadiness":0}` | gRPC server using a local unix socket | +| falco.grpc.threadiness | int | `0` | When the `threadiness` value is set to 0, Falco will automatically determine the appropriate number of threads based on the number of online cores in the system. | +| falco.grpc_output | object | `{"enabled":false}` | Use gRPC as an output service. gRPC is a modern and high-performance framework for remote procedure calls (RPC). It utilizes protocol buffers for efficient data serialization. The gRPC output in Falco provides a modern and efficient way to integrate with other systems. By default the setting is turned off. Enabling this option stores output events in memory until they are consumed by a gRPC client. Ensure that you have a consumer for the output events or leave it disabled. | +| falco.http_output | object | `{"ca_bundle":"","ca_cert":"","ca_path":"/etc/falco/certs/","client_cert":"/etc/falco/certs/client/client.crt","client_key":"/etc/falco/certs/client/client.key","compress_uploads":false,"echo":false,"enabled":false,"insecure":false,"keep_alive":false,"mtls":false,"url":"","user_agent":"falcosecurity/falco"}` | Send logs to an HTTP endpoint or webhook. | +| falco.http_output.ca_bundle | string | `""` | Path to a specific file that will be used as the CA certificate store. 
| +| falco.http_output.ca_cert | string | `""` | Path to the CA certificate that can verify the remote server. | +| falco.http_output.ca_path | string | `"/etc/falco/certs/"` | Path to a folder that will be used as the CA certificate store. CA certificate need to be stored as indivitual PEM files in this directory. | +| falco.http_output.client_cert | string | `"/etc/falco/certs/client/client.crt"` | Path to the client cert. | +| falco.http_output.client_key | string | `"/etc/falco/certs/client/client.key"` | Path to the client key. | +| falco.http_output.compress_uploads | bool | `false` | compress_uploads whether to compress data sent to http endpoint. | +| falco.http_output.echo | bool | `false` | Whether to echo server answers to stdout | +| falco.http_output.insecure | bool | `false` | Tell Falco to not verify the remote server. | +| falco.http_output.keep_alive | bool | `false` | keep_alive whether to keep alive the connection. | +| falco.http_output.mtls | bool | `false` | Tell Falco to use mTLS | +| falco.json_include_output_property | bool | `true` | When using JSON output in Falco, you have the option to include the "output" property itself in the generated JSON output. The "output" property provides additional information about the purpose of the rule. To reduce the logging volume, it is recommended to turn it off if it's not necessary for your use case. | +| falco.json_include_tags_property | bool | `true` | When using JSON output in Falco, you have the option to include the "tags" field of the rules in the generated JSON output. The "tags" field provides additional metadata associated with the rule. To reduce the logging volume, if the tags associated with the rule are not needed for your use case or can be added at a later stage, it is recommended to turn it off. 
| +| falco.json_output | bool | `false` | When enabled, Falco will output alert messages and rules file loading/validation results in JSON format, making it easier for downstream programs to process and consume the data. By default, this option is disabled. | +| falco.libs_logger | object | `{"enabled":false,"severity":"debug"}` | The `libs_logger` setting in Falco determines the minimum log level to include in the logs related to the functioning of the software of the underlying `libs` library, which Falco utilizes. This setting is independent of the `priority` field of rules and the `log_level` setting that controls Falco's operational logs. It allows you to specify the desired log level for the `libs` library specifically, providing more granular control over the logging behavior of the underlying components used by Falco. Only logs of a certain severity level or higher will be emitted. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug". It is not recommended for production use. | +| falco.load_plugins | list | `[]` | Add here all plugins and their configuration. Please consult the plugins documentation for more info. Remember to add the plugins name in "load_plugins: []" in order to load them in Falco. | +| falco.log_level | string | `"info"` | The `log_level` setting determines the minimum log level to include in Falco's logs related to the functioning of the software. This setting is separate from the `priority` field of rules and specifically controls the log level of Falco's operational logging. By specifying a log level, you can control the verbosity of Falco's operational logs. Only logs of a certain severity level or higher will be emitted. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug". | +| falco.log_stderr | bool | `true` | Send information logs to stderr. Note these are *not* security notification logs! 
These are just Falco lifecycle (and possibly error) logs. | +| falco.log_syslog | bool | `true` | Send information logs to syslog. Note these are *not* security notification logs! These are just Falco lifecycle (and possibly error) logs. | +| falco.metrics | object | `{"convert_memory_to_mb":true,"enabled":false,"include_empty_values":false,"interval":"1h","kernel_event_counters_enabled":true,"libbpf_stats_enabled":true,"output_rule":true,"resource_utilization_enabled":true,"state_counters_enabled":true}` | - [Usage] `enabled`: Disabled by default. `interval`: The stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h `output_rule`: To enable seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. `output_file`: Append stats to a `jsonl` file. Use with caution in production as Falco does not automatically rotate the file. `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. 
Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `state_counters_enabled`: Emit counters related to Falco's state engine, including added, removed threads or file descriptors (fds), and failed lookup, store, or retrieve actions in relation to Falco's underlying process cache table (threadtable). We also log the number of currently cached containers if applicable. `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as an alternative to `syscall_event_drops`, but with some differences. These counters reflect monotonic values since Falco's start and are exported at a constant stats interval. `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. 
Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. `include_empty_values`: When the option is set to true, fields with an empty numeric value will be included in the output. However, this rule does not apply to high-level fields such as `n_evts` or `n_drops`; they will always be included in the output even if their value is empty. This option can be beneficial for exploring the data schema and ensuring that fields with empty values are included in the output. todo: prometheus export option todo: syscall_counters_enabled option | +| falco.output_timeout | int | `2000` | The `output_timeout` parameter specifies the duration, in milliseconds, to wait before considering the deadline exceeded. By default, the timeout is set to 2000ms (2 seconds), meaning that the consumer of Falco outputs can block the Falco output channel for up to 2 seconds without triggering a timeout error. Falco actively monitors the performance of output channels. With this setting the timeout error can be logged, but please note that this requires setting Falco's operational logs `log_level` to a minimum of `notice`. It's important to note that Falco outputs will not be discarded from the output queue. This means that if an output channel becomes blocked indefinitely, it indicates a potential issue that needs to be addressed by the user. | +| falco.outputs | object | `{"max_burst":1000,"rate":0}` | A throttling mechanism, implemented as a token bucket, can be used to control the rate of Falco outputs. Each event source has its own rate limiter, ensuring that alerts from one source do not affect the throttling of others. The following options control the mechanism: - rate: the number of tokens (i.e. right to send a notification) gained per second. When 0, the throttling mechanism is disabled. Defaults to 0. - max_burst: the maximum number of tokens outstanding. Defaults to 1000. 
For example, setting the rate to 1 allows Falco to send up to 1000 notifications initially, followed by 1 notification per second. The burst capacity is fully restored after 1000 seconds of no activity. Throttling can be useful in various scenarios, such as preventing notification floods, managing system load, controlling event processing, or complying with rate limits imposed by external systems or APIs. It allows for better resource utilization, avoids overwhelming downstream systems, and helps maintain a balanced and controlled flow of notifications. With the default settings, the throttling mechanism is disabled. | +| falco.outputs_queue | object | `{"capacity":0}` | Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter allows you to customize the queue capacity. Please refer to the official documentation: https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. On a healthy system with optimized Falco rules, the queue should not fill up. If it does, it is most likely happening due to the entire event flow being too slow, indicating that the server is under heavy load. `capacity`: the maximum number of items allowed in the queue is determined by this value. Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. In other words, when this configuration is set to 0, the number of allowed items is effectively set to the largest possible long value, disabling this setting. In the case of an unbounded queue, if the available memory on the system is consumed, the Falco process would be OOM killed. When using this option and setting the capacity, the current event would be dropped, and the event loop would continue. This behavior mirrors kernel-side event drops when the buffer between kernel space and user space is full. 
| +| falco.plugins | list | `[{"init_config":null,"library_path":"libk8saudit.so","name":"k8saudit","open_params":"http://:9765/k8s-audit"},{"library_path":"libcloudtrail.so","name":"cloudtrail"},{"init_config":"","library_path":"libjson.so","name":"json"}]` | Customize subsettings for each enabled plugin. These settings will only be applied when the corresponding plugin is enabled using the `load_plugins` option. | +| falco.priority | string | `"debug"` | Any rule with a priority level more severe than or equal to the specified minimum level will be loaded and run by Falco. This allows you to filter and control the rules based on their severity, ensuring that only rules of a certain priority or higher are active and evaluated by Falco. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug" | +| falco.program_output | object | `{"enabled":false,"keep_alive":false,"program":"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"}` | Redirect the output to another program or command. Possible additional things you might want to do with program output: - send to a slack webhook: program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" - logging (alternate method than syslog): program: logger -t falco-test - send over a network connection: program: nc host.example.com 80 If `keep_alive` is set to `true`, the program will be started once and continuously written to, with each output message on its own line. If `keep_alive` is set to `false`, the program will be re-spawned for each output message. Furthermore, the program will be re-spawned if Falco receives the SIGUSR1 signal. | +| falco.rule_matching | string | `"first"` | | +| falco.rules_file | list | `["/etc/falco/falco_rules.yaml","/etc/falco/falco_rules.local.yaml","/etc/falco/rules.d"]` | The location of the rules files that will be consumed by Falco. 
| +| falco.stdout_output | object | `{"enabled":true}` | Redirect logs to standard output. | +| falco.syscall_event_drops | object | `{"actions":["log","alert"],"max_burst":1,"rate":0.03333,"simulate_drops":false,"threshold":0.1}` | For debugging/testing it is possible to simulate the drops using the `simulate_drops: true`. In this case the threshold does not apply. | +| falco.syscall_event_drops.actions | list | `["log","alert"]` | Actions to be taken when system calls were dropped from the circular buffer. | +| falco.syscall_event_drops.max_burst | int | `1` | Max burst of messages emitted. | +| falco.syscall_event_drops.rate | float | `0.03333` | Rate at which log/alert messages are emitted. | +| falco.syscall_event_drops.simulate_drops | bool | `false` | Flag to enable drops for debug purposes. | +| falco.syscall_event_drops.threshold | float | `0.1` | The messages are emitted when the percentage of dropped system calls with respect the number of events in the last second is greater than the given threshold (a double in the range [0, 1]). | +| falco.syscall_event_timeouts | object | `{"max_consecutives":1000}` | Generates Falco operational logs when `log_level=notice` at minimum Falco utilizes a shared buffer between the kernel and userspace to receive events, such as system call information, in userspace. However, there may be cases where timeouts occur in the underlying libraries due to issues in reading events or the need to skip a particular event. While it is uncommon for Falco to experience consecutive event timeouts, it has the capability to detect such situations. You can configure the maximum number of consecutive timeouts without an event after which Falco will generate an alert, but please note that this requires setting Falco's operational logs `log_level` to a minimum of `notice`. The default value is set to 1000 consecutive timeouts without receiving any events. The mapping of this value to a time interval depends on the CPU frequency. 
| +| falco.syslog_output | object | `{"enabled":true}` | Send logs to syslog. | +| falco.time_format_iso_8601 | bool | `false` | When enabled, Falco will display log and output messages with times in the ISO 8601 format. By default, times are shown in the local time zone determined by the /etc/localtime configuration. | +| falco.watch_config_files | bool | `true` | Watch config file and rules files for modification. When a file is modified, Falco will propagate new config, by reloading itself. | +| falco.webserver | object | `{"enabled":true,"k8s_healthz_endpoint":"/healthz","listen_port":8765,"ssl_certificate":"/etc/falco/falco.pem","ssl_enabled":false,"threadiness":0}` | Falco supports an embedded webserver that runs within the Falco process, providing a lightweight and efficient way to expose web-based functionalities without the need for an external web server. The following endpoints are exposed: - /healthz: designed to be used for checking the health and availability of the Falco application (the name of the endpoint is configurable). - /versions: responds with a JSON object containing the version numbers of the internal Falco components (similar output as `falco --version -o json_output=true`). Please note that the /versions endpoint is particularly useful for other Falco services, such as `falcoctl`, to retrieve information about a running Falco instance. If you plan to use `falcoctl` locally or with Kubernetes, make sure the Falco webserver is enabled. The behavior of the webserver can be controlled with the following options, which are enabled by default: The `ssl_certificate` option specifies a combined SSL certificate and corresponding key that are contained in a single file. 
You can generate a key/cert as follows: $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem $ cat certificate.pem key.pem > falco.pem $ sudo cp falco.pem /etc/falco/falco.pem | +| falcoctl.artifact.follow | object | `{"args":["--log-format=json"],"enabled":true,"env":[],"mounts":{"volumeMounts":[]},"resources":{},"securityContext":{}}` | Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir) that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible with the running version of Falco before installing it. | +| falcoctl.artifact.follow.args | list | `["--log-format=json"]` | Arguments to pass to the falcoctl-artifact-follow sidecar container. | +| falcoctl.artifact.follow.env | list | `[]` | Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container. | +| falcoctl.artifact.follow.mounts | object | `{"volumeMounts":[]}` | A list of volume mounts you want to add to the falcoctl-artifact-follow sidecar container. | +| falcoctl.artifact.follow.resources | object | `{}` | Resources requests and limits for the falcoctl-artifact-follow sidecar container. | +| falcoctl.artifact.follow.securityContext | object | `{}` | Security context for the falcoctl-artifact-follow sidecar container. | +| falcoctl.artifact.install | object | `{"args":["--log-format=json"],"enabled":true,"env":[],"mounts":{"volumeMounts":[]},"resources":{},"securityContext":{}}` | Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before Falco starts. It provides them to Falco by using an emptyDir volume. 
| +| falcoctl.artifact.install.args | list | `["--log-format=json"]` | Arguments to pass to the falcoctl-artifact-install init container. | +| falcoctl.artifact.install.env | list | `[]` | Extra environment variables that will be pass onto falcoctl-artifact-install init container. | +| falcoctl.artifact.install.mounts | object | `{"volumeMounts":[]}` | A list of volume mounts you want to add to the falcoctl-artifact-install init container. | +| falcoctl.artifact.install.resources | object | `{}` | Resources requests and limits for the falcoctl-artifact-install init container. | +| falcoctl.artifact.install.securityContext | object | `{}` | Security context for the falcoctl init container. | +| falcoctl.config | object | `{"artifact":{"allowedTypes":["rulesfile","plugin"],"follow":{"every":"6h","falcoversions":"http://localhost:8765/versions","pluginsDir":"/plugins","refs":["falco-rules:3"],"rulesfilesDir":"/rulesfiles"},"install":{"pluginsDir":"/plugins","refs":["falco-rules:3"],"resolveDeps":true,"rulesfilesDir":"/rulesfiles"}},"indexes":[{"name":"falcosecurity","url":"https://falcosecurity.github.io/falcoctl/index.yaml"}]}` | Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers. | +| falcoctl.config.artifact | object | `{"allowedTypes":["rulesfile","plugin"],"follow":{"every":"6h","falcoversions":"http://localhost:8765/versions","pluginsDir":"/plugins","refs":["falco-rules:3"],"rulesfilesDir":"/rulesfiles"},"install":{"pluginsDir":"/plugins","refs":["falco-rules:3"],"resolveDeps":true,"rulesfilesDir":"/rulesfiles"}}` | Configuration used by the artifact commands. | +| falcoctl.config.artifact.allowedTypes | list | `["rulesfile","plugin"]` | List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained in the list it will refuse to downloade and install that artifact. 
| +| falcoctl.config.artifact.follow.every | string | `"6h"` | How often the tool checks for new versions of the followed artifacts. | +| falcoctl.config.artifact.follow.falcoversions | string | `"http://localhost:8765/versions"` | HTTP endpoint that serves the api versions of the Falco instance. It is used to check if the new versions are compatible with the running Falco instance. | +| falcoctl.config.artifact.follow.pluginsDir | string | `"/plugins"` | See the fields of the artifact.install section. | +| falcoctl.config.artifact.follow.refs | list | `["falco-rules:3"]` | List of artifacts to be followed by the falcoctl sidecar container. | +| falcoctl.config.artifact.follow.rulesfilesDir | string | `"/rulesfiles"` | See the fields of the artifact.install section. | +| falcoctl.config.artifact.install.pluginsDir | string | `"/plugins"` | Same as the one above but for the artifacts. | +| falcoctl.config.artifact.install.refs | list | `["falco-rules:3"]` | List of artifacts to be installed by the falcoctl init container. | +| falcoctl.config.artifact.install.resolveDeps | bool | `true` | Resolve the dependencies for artifacts. | +| falcoctl.config.artifact.install.rulesfilesDir | string | `"/rulesfiles"` | Directory where the rulesfiles are saved. The path is relative to the container, which in this case is an emptyDir mounted also by the Falco pod. | +| falcoctl.config.indexes | list | `[{"name":"falcosecurity","url":"https://falcosecurity.github.io/falcoctl/index.yaml"}]` | List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview | +| falcoctl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. | +| falcoctl.image.registry | string | `"docker.io"` | The image registry to pull from. 
| +| falcoctl.image.repository | string | `"falcosecurity/falcoctl"` | The image repository to pull from. | +| falcoctl.image.tag | string | `"0.7.2"` | The image tag to pull. | +| falcosidekick | object | `{"enabled":false,"fullfqdn":false,"listenPort":""}` | For configuration values, see https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml | +| falcosidekick.enabled | bool | `false` | Enable falcosidekick deployment. | +| falcosidekick.fullfqdn | bool | `false` | Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). | +| falcosidekick.listenPort | string | `""` | Listen port. Default value: 2801 | +| fullnameOverride | string | `""` | Same as nameOverride but for the fullname. | +| healthChecks | object | `{"livenessProbe":{"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":30,"periodSeconds":15,"timeoutSeconds":5}}` | Parameters used | +| healthChecks.livenessProbe.initialDelaySeconds | int | `60` | Tells the kubelet that it should wait X seconds before performing the first probe. | +| healthChecks.livenessProbe.periodSeconds | int | `15` | Specifies that the kubelet should perform the check every x seconds. | +| healthChecks.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | +| healthChecks.readinessProbe.initialDelaySeconds | int | `30` | Tells the kubelet that it should wait X seconds before performing the first probe. | +| healthChecks.readinessProbe.periodSeconds | int | `15` | Specifies that the kubelet should perform the check every x seconds. | +| healthChecks.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | +| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. | +| image.registry | string | `"docker.io"` | The image registry to pull from. 
| +| image.repository | string | `"falcosecurity/falco-no-driver"` | The image repository to pull from | +| image.tag | string | `""` | The image tag to pull. Overrides the image tag whose default is the chart appVersion. | +| imagePullSecrets | list | `[]` | Secrets containing credentials when pulling from private/secure registries. | +| mounts.enforceProcMount | bool | `false` | By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). | +| mounts.volumeMounts | list | `[]` | A list of volumes you want to add to the Falco pods. | +| mounts.volumes | list | `[]` | A list of volumes you want to add to the Falco pods. | +| nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco components. | +| namespaceOverride | string | `""` | Override the deployment namespace | +| nodeSelector | object | `{}` | Selectors used to deploy Falco on a given node/nodes. | +| podAnnotations | object | `{}` | Add additional pod annotations | +| podLabels | object | `{}` | Add additional pod labels | +| podPriorityClassName | string | `nil` | Set pod priorityClassName | +| podSecurityContext | object | `{}` | Set securityContext for the pods These security settings are overriden by the ones specified for the specific containers when there is overlap. | +| resources.limits | object | `{"cpu":"1000m","memory":"1024Mi"}` | Maximum amount of resources that Falco container could get. If you are enabling more than one source in falco, than consider to increase the cpu limits. | +| resources.requests | object | `{"cpu":"100m","memory":"512Mi"}` | Although resources needed are subjective on the actual workload we provide a sane defaults ones. 
If you have more questions or concerns, please refer to #falco slack channel for more info about it. | +| scc.create | bool | `true` | Create OpenShift's Security Context Constraint. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | +| serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| services | string | `nil` | Network services configuration (scenario requirement) Add here your services to be deployed together with Falco. | +| tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations to allow Falco to run on Kubernetes masters. | +| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. | diff --git a/falco/charts/falcosidekick/CHANGELOG.md b/falco/charts/falcosidekick/CHANGELOG.md new file mode 100644 index 0000000..6bb53dd --- /dev/null +++ b/falco/charts/falcosidekick/CHANGELOG.md 
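Review bot: the `falco.rule_matching` row has an empty description column, so the generated README documents neither what `"first"` means nor which other values are accepted; the `values.yaml` comment for that key needs filling in so helm-docs can render it. Several neighbouring descriptions are copy-paste leftovers: `mounts.volumeMounts` repeats the `mounts.volumes` text ("A list of volumes you want to add to the Falco pods.") and should say "volume mounts"; `healthChecks` stops at "Parameters used"; and `falcoctl.config.artifact.install.pluginsDir` reads "Same as the one above but for the artifacts." although the row above it is `follow.rulesfilesDir`, so spell it out as the directory where plugins are saved, mirroring the `install.rulesfilesDir` text. The `falco.webserver` description says the options "are enabled by default" while the default shows `"ssl_enabled":false`; the sentence should state that TLS is off unless `ssl_enabled` is set, and that turning it on also requires changing `falcoctl.config.artifact.follow.falcoversions` from `http://localhost:8765/versions` to `https://`, which the table does not mention. Spelling while here: "artfacts", "downloade", "artiafcts", "falcotl", "overriden", and "than consider to increase" (then).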
@@ -0,0 +1,620 @@ +# Change Log + +This file documents all notable changes to Falcosidekick Helm Chart. The release +numbering uses [semantic versioning](http://semver.org). + +Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). + +## 0.7.15 + +- Fix ServiceMonitor selector labels + +## 0.7.14 + +- Fix duplicate component labels + +## 0.7.13 + +- Fix ServiceMonitor port name and selector labels + +## 0.7.12 + +- Align README values with the values.yaml file + +## 0.7.11 + +- Fix a link in the falcosidekick README to the policy report output documentation + +## 0.7.10 + +- Set Helm recommended labels (`app.kubernetes.io/name`, `app.kubernetes.io/instance`, `app.kubernetes.io/version`, `helm.sh/chart`, `app.kubernetes.io/part-of`, `app.kubernetes.io/managed-by`) using helpers.tpl + +## 0.7.9 + +- noop change to the chart itself. Updated makefile. + +## 0.7.8 + +- Fix the condition for missing cert files + +## 0.7.7 + +- Support extraArgs in the helm chart + +## 0.7.6 + +- Fix the behavior with the `AWS IRSA` with a new value `aws.config.useirsa` +- Add a section in the README to describe how to use a subpath for `Falcosidekick-ui` ingress +- Add a `ServiceMonitor` for prometheus-operator +- Add a `PrometheusRule` for prometheus-operator + +## 0.7.5 + +- noop change just to test the ci + +## 0.7.4 + +- Fix volume mount when `config.tlsserver.servercrt`, `config.tlsserver.serverkey` and `config.tlsserver.cacrt` variables are defined. + +## 0.7.3 + +- Allow to set (m)TLS Server cryptographic material via `config.tlsserver.servercrt`, `config.tlsserver.serverkey` and `config.tlsserver.cacrt` variables or through `config.tlsserver.existingSecret` variables. 
+ +## 0.7.2 + +- Fix the wrong key of the secret for the user + +## 0.7.1 + +- Allow to set a password `webui.redis.password` for Redis for `Falcosidekick-UI` +- The user for `Falcosidekick-UI` is now set with an env var from a secret + +## 0.7.0 + +- Support configuration of revisionHistoryLimit of the deployments + +## 0.6.3 + +- Update Falcosidekick to 2.28.0 +- Add Mutual TLS Client config +- Add TLS Server config +- Add `bracketreplacer` config +- Add `customseveritymap` to `alertmanager` output +- Add Drop Event config to `alertmanager` output +- Add `customheaders` to `elasticsearch` output +- Add `customheaders` to `loki` output +- Add `customheaders` to `grafana` output +- Add `rolearn` and `externalid` for `aws` outputs +- Add `method` to `webhook` output +- Add `customattributes` to `gcp.pubsub` output +- Add `region` to `pargerduty` output +- Add `topiccreation` and `tls` to `kafka` output +- Add `Grafana OnCall` output +- Add `Redis` output +- Add `Telegram` output +- Add `N8N` output +- Add `OpenObserver` output + +## 0.6.2 + +- Fix interpolation of `SYSLOG_PORT` + +## 0.6.1 + +- Add `webui.allowcors` value for `Falcosidekick-UI` + +## 0.6.0 + +- Change the docker image for the redis pod for falcosidekick-ui + +## 0.5.16 + +- Add `affinity`, `nodeSelector` and `tolerations` values for the Falcosidekick test-connection pod + +## 0.5.15 + +- Set extra labels and annotations for `AlertManager` only if they're not empty + +## 0.5.14 + +- Fix Prometheus extralabels configuration in Falcosidekick + +## 0.5.13 + +- Fix missing quotes in Falcosidekick-UI ttl argument + +## 0.5.12 + +- Fix missing space in Falcosidekick-UI ttl argument + +## 0.5.11 + +- Fix missing space in Falcosidekick-UI arguments + +## 0.5.10 + +- upgrade Falcosidekick image to 2.27.0 +- upgrade Falcosidekick-UI image to 2.1.0 +- Add `Yandex Data Streams` output +- Add `Node-Red` output +- Add `MQTT` output +- Add `Zincsearch` output +- Add `Gotify` output +- Add `Spyderbat` output +- Add 
`Tekton` output +- Add `TimescaleDB` output +- Add `AWS Security Lake` output +- Add `config.templatedfields` to set templated fields +- Add `config.slack.channel` to override `Slack` channel +- Add `config.alertmanager.extralabels` and `config.alertmanager.extraannotations` for `AlertManager` output +- Add `config.influxdb.token`, `config.influxdb.organization` and `config.influxdb.precision` for `InfluxDB` output +- Add `config.aws.checkidentity` to disallow STS checks +- Add `config.smtp.authmechanism`, `config.smtp.token`, `config.smtp.identity`, `config.smtp.trace` to manage `SMTP` auth +- Update default doc type for `Elastichsearch` +- Add `config.loki.user`, `config.loki.apikey` to manage auth to Grafana Cloud for `Loki` output +- Add `config.kafka.sasl`, `config.kafka.async`, `config.kafka.compression`, `config.kafka.balancer`, `config.kafka.clientid` to manage auth and communication for `Kafka` output +- Add `config.syslog.format` to manage the format of `Syslog` payload +- Add `webui.ttl` to set TTL of keys in Falcosidekick-UI +- Add `webui.loglevel` to set log level in Falcosidekick-UI +- Add `webui.user` to set log user:password in Falcosidekick-UI + +## 0.5.9 + +- Fix: remove `namespace` from `clusterrole` and `clusterrolebinding` metadata + +## 0.5.8 + +- Support `storageEnabled` for `redis` to allow ephemeral installs + +## 0.5.7 + +- Removing unused Kafka config values + +## 0.5.6 + +- Fixing Syslog's port import in `secrets.yaml` + +## 0.5.5 + +- Add `webui.externalRedis` with `enabled`, `url` and `port` to values to set an external Redis database with RediSearch > v2 for the WebUI +- Add `webui.redis.enabled` option to disable the deployment of the database. 
+- `webui.redis.enabled ` and `webui.externalRedis.enabled` are mutually exclusive + +## 0.5.4 + +- Upgrade image to fix Panic of `Prometheus` output when `customfields` is set +- Add `extralabels` for `Loki` and `Prometheus` outputs to set fields to use as labels +- Add `expiresafter` for `AlertManager` output + +## 0.5.3 + +- Support full configuration of `securityContext` blocks in falcosidekick and falcosidekick-ui deployments, and redis statefulset. + +## 0.5.2 + +- Update Falcosidekick-UI image (fix wrong redirect to localhost when an ingress is used) + +## 0.5.1 + +- Support `ingressClassName` field in falcosidekick ingresses. + +## 0.5.0 + +### Major Changes + +- Add `Policy Report` output +- Add `Syslog` output +- Add `AWS Kinesis` output +- Add `Zoho Cliq` output +- Support IRSA for AWS authentication +- Upgrade Falcosidekick-UI to v2.0.1 + +### Minor changes + +- Allow to set custom Labels for pods + +## 0.4.5 + +- Allow additional service-ui annotations + +## 0.4.4 + +- Fix output after chart installation when ingress is enable + +## 0.4.3 + +- Support `annotation` block in service + +## 0.4.2 + +- Fix: Added the rule to use the podsecuritypolicy +- Fix: Added `ServiceAccountName` to the UI deployment + +## 0.4.1 + +- Removes duplicate `Fission` keys from secret + +## 0.4.0 + +### Major Changes + +- Support Ingress API version `networking.k8s.io/v1`, see `ingress.hosts` and `webui.ingress.hosts` in [values.yaml](values.yaml) for a breaking change in the `path` parameter + +## 0.3.17 + +- Fix: Remove the value for bucket of `Yandex S3`, it enabled the output by default + +## 0.3.16 + +### Major Changes + +- Fix: set correct new image 2.24.0 + +## 0.3.15 + +### Major Changes + +- Add `Fission` output + +## 0.3.14 + +### Major Changes + +- Add `Grafana` output +- Add `Yandex Cloud S3` output +- Add `Kafka REST` output + +### Minor changes + +- Docker image is now available on AWS ECR Public Gallery (`--set image.registry=public.ecr.aws`) + +## 0.3.13 + 
+### Minor changes + +- Enable extra volumes and volumemounts for `falcosidekick` via values + +## 0.3.12 + +- Add AWS configuration field `config.aws.rolearn` + +## 0.3.11 + +### Minor changes + +- Make image registries for `falcosidekick` and `falcosidekick-ui` configurable + +## 0.3.10 + +### Minor changes + +- Fix table formatting in `README.md` + +## 0.3.9 + +### Fixes + +- Add missing `imagePullSecrets` in `falcosidekick/templates/deployment-ui.yaml` + +## 0.3.8 + +### Major Changes + +- Add `GCP Cloud Run` output +- Add `GCP Cloud Functions` output +- Add `Wavefront` output +- Allow MutualTLS for some outputs +- Add basic auth for Elasticsearch output + +## 0.3.7 + +### Minor changes + +- Fix table formatting in `README.md` +- Fix `config.azure.eventHub` parameter name in `README.md` + +## 0.3.6 + +### Fixes + +- Point to the correct name of aadpodidentnity + +## 0.3.5 + +### Minor Changes + +- Fix link to Falco in the `README.md` + +## 0.3.4 + +### Major Changes + +- Bump up version (`v1.0.1`) of image for `falcosidekick-ui` + +## 0.3.3 + +### Minor Changes + +- Set default values for `OpenFaaS` output type parameters +- Fixes of documentation + +## 0.3.2 + +### Fixes + +- Add config checksum annotation to deployment pods to restart pods on config change +- Fix statsd config options in the secret to make them match the docs + +## 0.3.1 + +### Fixes + +- Fix for `s3.bucket`, it should be empty + +## 0.3.0 + +### Major Changes + +- Add `AWS S3` output +- Add `GCP Storage` output +- Add `RabbitMQ` output +- Add `OpenFaas` output + +## 0.2.9 + +### Major Changes + +- Updated falcosidekuck-ui default image version to `v0.2.0` + +## 0.2.8 + +### Fixes + +- Fixed to specify `kafka.hostPort` instead of `kafka.url` + +## 0.2.7 + +### Fixes + +- Fixed missing hyphen in podidentity + +## 0.2.6 + +### Fixes + +- Fix repo and tag for `ui` image + +## 0.2.5 + +### Major Changes + +- Add `CLOUDEVENTS` output +- Add `WEBUI` output + +### Minor Changes + +- Add details 
about syntax for adding `custom_fields` + +## 0.2.4 + +### Minor Changes + +- Add `DATADOG_HOST` to secret + +## 0.2.3 + +### Minor Changes + +- Allow additional pod annotations +- Remove namespace condition in aad-pod-identity + +## 0.2.2 + +### Major Changes + +- Add `Kubeless` output + +## 0.2.1 + +### Major Changes + +- Add `PagerDuty` output + +## 0.2.0 + +### Major Changes + +- Add option to use an existing secret +- Add option to add extra environment variables +- Add `Stan` output + +### Minor Changes + +- Use the Existing secret resource and add all possible variables to there, and make it simpler to read and less error-prone in the deployment resource + +## 0.1.37 + +### Minor Changes + +- Fix aws keys not being added to the deployment + +## 0.1.36 + +### Minor Changes + +- Fix helm test + +## 0.1.35 + +### Major Changes + +- Update image to use release 2.19.1 + +## 0.1.34 + +- New outputs can be set : `Kafka`, `AWS CloudWatchLogs` + +## 0.1.33 + +### Minor Changes + +- Fixed GCP Pub/Sub values references in `deployment.yaml` + +## 0.1.32 + +### Major Changes + +- Support release namespace configuration + +## 0.1.31 + +### Major Changes + +- New outputs can be set : `Googlechat` + +## 0.1.30 + +### Major changes + +- New output can be set : `GCP PubSub` +- Custom Headers can be set for `Webhook` output +- Fix typo `aipKey` for OpsGenie output + +## 0.1.29 + +- Fix falcosidekick configuration table to use full path of configuration properties in the `README.md` + +## 0.1.28 + +### Major changes + +- New output can be set : `AWS SNS` +- Metrics in `prometheus` format can be scrapped from `/metrics` URI + +## 0.1.27 + +### Minor Changes + +- Replace extensions apiGroup/apiVersion because of deprecation + +## 0.1.26 + +### Minor Changes + +- Allow the creation of a PodSecurityPolicy, disabled by default + +## 0.1.25 + +### Minor Changes + +- Allow the configuration of the Pod securityContext, set default runAsUser and fsGroup values + +## 0.1.24 + +### Minor 
Changes + +- Remove duplicated `webhook` block in `values.yaml` + +## 0.1.23 + +- fake release for triggering CI for auto-publishing + +## 0.1.22 + +### Major Changes + +- Add `imagePullSecrets` + +## 0.1.21 + +### Minor Changes + +- Fix `Azure Indentity` case sensitive value + +## 0.1.20 + +### Major Changes + +- New outputs can be set : `Azure Event Hubs`, `Discord` + +### Minor Changes + +- Fix wrong port name in output + +## 0.1.17 + +### Major Changes + +- New outputs can be set : `Mattermost`, `Rocketchat` + +## 0.1.11 + +### Major Changes + +- Add Pod Security Policy + +## 0.1.11 + +### Minor Changes + +- Fix wrong value reference for Elasticsearch output in deployment.yaml + +## 0.1.10 + +### Major Changes + +- New output can be set : `DogStatsD` + +## 0.1.9 + +### Major Changes + +- New output can be set : `StatsD` + +## 0.1.7 + +### Major Changes + +- New output can be set : `Opsgenie` + +## 0.1.6 + +### Major Changes + +- New output can be set : `NATS` + +## 0.1.5 + +### Major Changes + +- `Falcosidekick` and its chart are now part of `falcosecurity` organization + +## 0.1.4 + +### Minor Changes + +- Use more recent image with `Golang` 1.14 + +## 0.1.3 + +### Major Changes + +- New output can be set : `Loki` + +## 0.1.2 + +### Major Changes + +- New output can be set : `SMTP` + +## 0.1.1 + +### Major Changes + +- New outputs can be set : `AWS Lambda`, `AWS SQS`, `Teams` + +## 0.1.0 + +### Major Changes + +- Initial release of Falcosidekick Helm Chart diff --git a/falco/charts/falcosidekick/Chart.yaml b/falco/charts/falcosidekick/Chart.yaml new file mode 100644 index 0000000..c5b2206 --- /dev/null +++ b/falco/charts/falcosidekick/Chart.yaml 
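Review bot: `## 0.1.11` appears twice in this changelog, once with "Add Pod Security Policy" and once with "Fix wrong value reference for Elasticsearch output in deployment.yaml"; one of the two headings is mislabelled and the duplicate also produces colliding anchor links, so it should be corrected. Under 0.6.3 the output is listed as `OpenObserver` while the chart README calls it OpenObserve; other spelling slips are `pargerduty` (PagerDuty), `Elastichsearch`, `falcosidekuck-ui`, `Azure Indentity`, `aadpodidentnity`, and "can be scrapped from `/metrics`" (scraped). Since this file is a verbatim copy of the upstream falcosidekick chart, these fixes should land upstream as well or the next sync will reintroduce them.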
@@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: 2.28.0 +description: Connect Falco to your ecosystem +home: https://github.com/falcosecurity/falcosidekick +icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png +keywords: +- monitoring +- security +- alerting +maintainers: +- email: cncf-falco-dev@lists.cncf.io + name: Issif +name: falcosidekick +sources: +- https://github.com/falcosecurity/falcosidekick +version: 0.7.15 diff --git a/falco/charts/falcosidekick/README.gotmpl b/falco/charts/falcosidekick/README.gotmpl new file mode 100644 index 0000000..3d3b89b --- /dev/null +++ b/falco/charts/falcosidekick/README.gotmpl 
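Review bot: `apiVersion: v1` is the Helm 2 chart schema; a chart vendored as a subchart under `falco/charts/` today should declare `apiVersion: v2` unless Helm 2 compatibility is still a requirement (v1 charts still load under Helm 3, but they cannot declare `type` or `dependencies` in Chart.yaml). `version: 0.7.15` and `appVersion: 2.28.0` do agree with the top entry of the accompanying CHANGELOG.md and its "Update Falcosidekick to 2.28.0" entry, so the vendored copy is internally consistent.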
@@ -0,0 +1,187 @@ +# Falcosidekick + +![falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falcosidekick_color.png) + +![release](https://flat.badgen.net/github/release/falcosecurity/falcosidekick/latest?color=green) ![last commit](https://flat.badgen.net/github/last-commit/falcosecurity/falcosidekick) ![licence](https://flat.badgen.net/badge/license/MIT/blue) ![docker pulls](https://flat.badgen.net/docker/pulls/falcosecurity/falcosidekick?icon=docker) + +## Description + +A simple daemon for connecting [`Falco`](https://github.com/falcosecurity/falco) to your ecossytem. It takes a `Falco`'s events and +forward them to different outputs in a fan-out way. + +It works as a single endpoint for as many as you want `Falco` instances : + +![falco_with_falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falco_with_falcosidekick.png) + +## Outputs + +`Falcosidekick` manages a large variety of outputs with different purposes. + +> **Note** +Follow the links to get the configuration of each output. 
+ +### Chat + +- [**Slack**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/slack.md) +- [**Rocketchat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rocketchat.md) +- [**Mattermost**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mattermost.md) +- [**Teams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/teams.md) +- [**Discord**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/discord.md) +- [**Google Chat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/googlechat.md) +- [**Zoho Cliq**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cliq.md) +- [**Telegram**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/telegram.md) + +### Metrics / Observability + +- [**Datadog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog.md) +- [**Influxdb**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/influxdb.md) +- [**StatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/statsd.md) (for monitoring of `falcosidekick`) +- [**DogStatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dogstatsd.md) (for monitoring of `falcosidekick`) +- [**Prometheus**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/prometheus.md) (for both events and monitoring of `falcosidekick`) +- [**Wavefront**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/wavefront.md) +- [**Spyderbat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/spyderbat.md) +- [**TimescaleDB**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/timescaledb.md) +- [**Dynatrace**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dynatrace.md) + +### Alerting + +- 
[**AlertManager**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/alertmanager.md) +- [**Opsgenie**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/opsgenie.md) +- [**PagerDuty**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/pagerduty.md) +- [**Grafana OnCall**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana_oncall.md) + +### Logs + +- [**Elasticsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md) +- [**Loki**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/loki.md) +- [**AWS CloudWatchLogs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_cloudwatch_logs.md) +- [**Grafana**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana.md) +- [**Syslog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md) +- [**Zincsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs//zincsearch.md) +- [**OpenObserve**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openobserve.md) + +### Object Storage + +- [**AWS S3**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_s3.md) +- [**GCP Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_storage.md) +- [**Yandex S3 Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_s3.md) + +### FaaS / Serverless + +- [**AWS Lambda**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_lambda.md) +- [**GCP Cloud Run**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_run.md) +- [**GCP Cloud Functions**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_functions.md) +- 
[**Fission**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/fission.md) +- [**KNative (CloudEvents)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cloudevents.md) +- [**Kubeless**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kubeless.md) +- [**OpenFaaS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openfaas.md) +- [**Tekton**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/tekton.md) + +### Message queue / Streaming + +- [**NATS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nats.md) +- [**STAN (NATS Streaming)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/stan.md) +- [**AWS SQS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sqs.md) +- [**AWS SNS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sns.md) +- [**AWS Kinesis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_kinesis.md) +- [**GCP PubSub**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_pub_sub.md) +- [**Apache Kafka**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafka.md) +- [**Kafka Rest Proxy**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafkarest.md) +- [**RabbitMQ**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rabbitmq.md) +- [**Azure Event Hubs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/azure_event_hub.md) +- [**Yandex Data Streams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_datastreams.md) +- [**MQTT**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mqtt.md) +- [**Gotify**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gotify.md) + +### Email + +- 
[**SMTP**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/smtp.md) + +### Database + +- [**Redis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/redis.md) + +### Web + +- [**Webhook**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md) +- [**Node-RED**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nodered.md) +- [**WebUI (Falcosidekick UI)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md) + +### SIEM + +- [**AWS Security Lake**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_security_lake.md) + +### Workflow + +- [**n8n**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/n8n.md) + +### Other +- [**Policy Report**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/policy_report.md) + +## Adding `falcosecurity` repository + +Prior to install the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +### Install Falco + Falcosidekick + Falcosidekick-ui + +To install the chart with the release name `falcosidekick` run: + +```bash +helm install falcosidekick falcosecurity/falcosidekick --set webui.enabled=true +``` + +### With Helm chart of Falco + +`Falco`, `Falcosidekick` and `Falcosidekick-ui` can be installed together in one command. All values to configure `Falcosidekick` will have to be +prefixed with `falcosidekick.`. + +```bash +helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true +``` + +After a few seconds, Falcosidekick should be running. 
+ +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +## Minimum Kubernetes version + +The minimum Kubernetes version required is 1.17.x + +## Uninstalling the Chart + +To uninstall the `falcosidekick` deployment: + +```bash +helm uninstall falcosidekick +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the main configurable parameters of the Falcosidekick chart and their default values. See `values.yaml` for full list. + +{{ template "chart.valuesSection" . }} + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Metrics + +A `prometheus` endpoint can be scrapped at `/metrics`. + +## Access Falcosidekick UI through an Ingress and a subpath + +You may want to access the `WebUI (Falcosidekick UI)`](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md) dashboard not from `/` but from `/subpath` and use an Ingress, here's an example of annotations to add to the Ingress for `nginx-ingress controller`: + +```yaml +nginx.ingress.kubernetes.io/rewrite-target: /$2 +nginx.ingress.kubernetes.io/use-regex: "true" +``` diff --git a/falco/charts/falcosidekick/README.md b/falco/charts/falcosidekick/README.md new file mode 100644 index 0000000..54eba1f --- /dev/null +++ b/falco/charts/falcosidekick/README.md 
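Review bot: In this first hunk (the 187-line template README), the heading `### Install Falco + Falcosidekick + Falcosidekick-ui` does not match the command under it: `helm install falcosidekick falcosecurity/falcosidekick --set webui.enabled=true` installs Falcosidekick and its UI only, while the three-component install is the `helm install falco falcosecurity/falco --set falcosidekick.enabled=true ...` command in the following `### With Helm chart of Falco` section; rename the first heading (for example `### Install Falcosidekick + Falcosidekick-ui`) so readers do not expect Falco from the first command. In the `## Access Falcosidekick UI through an Ingress and a subpath` section the link is broken, `the `WebUI (Falcosidekick UI)`](https://...)` is missing its opening `[`, and the example stops at the two annotations although `rewrite-target: /$2` only makes sense together with an Ingress `path` that defines the capture groups (typically `path: /subpath(/|$)(.*)` with `pathType: ImplementationSpecific`); add that `paths:` entry so the example can be reproduced. Minor wording: `ecossytem` -> `ecosystem`, `It takes a Falco's events and forward them` -> `It takes Falco's events and forwards them`, `as many as you want Falco instances :` -> `as many Falco instances as you want:`, `Prior to install the chart` -> `Before installing the chart`, `scrapped` -> `scraped`, and the Zincsearch link has a doubled slash (`docs/outputs//zincsearch.md`).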
@@ -0,0 +1,655 @@ +# Falcosidekick + +![falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falcosidekick_color.png) + +![release](https://flat.badgen.net/github/release/falcosecurity/falcosidekick/latest?color=green) ![last commit](https://flat.badgen.net/github/last-commit/falcosecurity/falcosidekick) ![licence](https://flat.badgen.net/badge/license/MIT/blue) ![docker pulls](https://flat.badgen.net/docker/pulls/falcosecurity/falcosidekick?icon=docker) + +## Description + +A simple daemon for connecting [`Falco`](https://github.com/falcosecurity/falco) to your ecossytem. It takes a `Falco`'s events and +forward them to different outputs in a fan-out way. + +It works as a single endpoint for as many as you want `Falco` instances : + +![falco_with_falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falco_with_falcosidekick.png) + +## Outputs + +`Falcosidekick` manages a large variety of outputs with different purposes. + +> **Note** +Follow the links to get the configuration of each output. 
+ +### Chat + +- [**Slack**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/slack.md) +- [**Rocketchat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rocketchat.md) +- [**Mattermost**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mattermost.md) +- [**Teams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/teams.md) +- [**Discord**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/discord.md) +- [**Google Chat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/googlechat.md) +- [**Zoho Cliq**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cliq.md) +- [**Telegram**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/telegram.md) + +### Metrics / Observability + +- [**Datadog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog.md) +- [**Influxdb**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/influxdb.md) +- [**StatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/statsd.md) (for monitoring of `falcosidekick`) +- [**DogStatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dogstatsd.md) (for monitoring of `falcosidekick`) +- [**Prometheus**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/prometheus.md) (for both events and monitoring of `falcosidekick`) +- [**Wavefront**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/wavefront.md) +- [**Spyderbat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/spyderbat.md) +- [**TimescaleDB**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/timescaledb.md) +- [**Dynatrace**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dynatrace.md) + +### Alerting + +- 
[**AlertManager**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/alertmanager.md) +- [**Opsgenie**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/opsgenie.md) +- [**PagerDuty**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/pagerduty.md) +- [**Grafana OnCall**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana_oncall.md) + +### Logs + +- [**Elasticsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md) +- [**Loki**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/loki.md) +- [**AWS CloudWatchLogs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_cloudwatch_logs.md) +- [**Grafana**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana.md) +- [**Syslog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md) +- [**Zincsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs//zincsearch.md) +- [**OpenObserve**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openobserve.md) + +### Object Storage + +- [**AWS S3**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_s3.md) +- [**GCP Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_storage.md) +- [**Yandex S3 Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_s3.md) + +### FaaS / Serverless + +- [**AWS Lambda**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_lambda.md) +- [**GCP Cloud Run**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_run.md) +- [**GCP Cloud Functions**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_functions.md) +- 
[**Fission**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/fission.md) +- [**KNative (CloudEvents)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cloudevents.md) +- [**Kubeless**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kubeless.md) +- [**OpenFaaS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openfaas.md) +- [**Tekton**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/tekton.md) + +### Message queue / Streaming + +- [**NATS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nats.md) +- [**STAN (NATS Streaming)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/stan.md) +- [**AWS SQS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sqs.md) +- [**AWS SNS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sns.md) +- [**AWS Kinesis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_kinesis.md) +- [**GCP PubSub**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_pub_sub.md) +- [**Apache Kafka**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafka.md) +- [**Kafka Rest Proxy**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafkarest.md) +- [**RabbitMQ**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rabbitmq.md) +- [**Azure Event Hubs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/azure_event_hub.md) +- [**Yandex Data Streams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_datastreams.md) +- [**MQTT**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mqtt.md) +- [**Gotify**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gotify.md) + +### Email + +- 
[**SMTP**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/smtp.md) + +### Database + +- [**Redis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/redis.md) + +### Web + +- [**Webhook**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md) +- [**Node-RED**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nodered.md) +- [**WebUI (Falcosidekick UI)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md) + +### SIEM + +- [**AWS Security Lake**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_security_lake.md) + +### Workflow + +- [**n8n**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/n8n.md) + +### Other +- [**Policy Report**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/policy_report.md) + +## Adding `falcosecurity` repository + +Prior to install the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +### Install Falco + Falcosidekick + Falcosidekick-ui + +To install the chart with the release name `falcosidekick` run: + +```bash +helm install falcosidekick falcosecurity/falcosidekick --set webui.enabled=true +``` + +### With Helm chart of Falco + +`Falco`, `Falcosidekick` and `Falcosidekick-ui` can be installed together in one command. All values to configure `Falcosidekick` will have to be +prefixed with `falcosidekick.`. + +```bash +helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true +``` + +After a few seconds, Falcosidekick should be running. 
+ +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +## Minimum Kubernetes version + +The minimum Kubernetes version required is 1.17.x + +## Uninstalling the Chart + +To uninstall the `falcosidekick` deployment: + +```bash +helm uninstall falcosidekick +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the main configurable parameters of the Falcosidekick chart and their default values. See `values.yaml` for full list. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity for the Sidekick pods | +| config.alertmanager.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.alertmanager.customseveritymap | string | `""` | comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. | +| config.alertmanager.dropeventdefaultpriority | string | `"critical"` | default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug | +| config.alertmanager.dropeventthresholds | string | `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"` | comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. 
Example: `10000:critical, 100:warning, 1:informational` | +| config.alertmanager.endpoint | string | `"/api/v1/alerts"` | alertmanager endpoint on which falcosidekick posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"` | +| config.alertmanager.expireafter | string | `""` | if set to a non-zero value, alert expires after that time in seconds (default: 0) | +| config.alertmanager.extraannotations | string | `""` | comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2 | +| config.alertmanager.extralabels | string | `""` | comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2 | +| config.alertmanager.hostport | string | `""` | AlertManager , if not `empty`, AlertManager is *enabled* | +| config.alertmanager.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.alertmanager.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.aws.accesskeyid | string | `""` | AWS Access Key Id (optionnal if you use EC2 Instance Profile) | +| config.aws.checkidentity | bool | `true` | check the identity credentials, set to false for locale developments | +| config.aws.cloudwatchlogs.loggroup | string | `""` | AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is *enabled* | +| config.aws.cloudwatchlogs.logstream | string | `""` | AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream | +| config.aws.cloudwatchlogs.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| 
config.aws.externalid | string | `""` | External id for the role to assume (optional if you use EC2 Instance Profile) | +| config.aws.kinesis.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.aws.kinesis.streamname | string | `""` | AWS Kinesis Stream Name, if not empty, Kinesis output is *enabled* | +| config.aws.lambda.functionname | string | `""` | AWS Lambda Function Name, if not empty, AWS Lambda output is *enabled* | +| config.aws.lambda.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.aws.region | string | `""` | AWS Region (optionnal if you use EC2 Instance Profile) | +| config.aws.rolearn | string | `""` | AWS IAM role ARN for falcosidekick service account to associate with (optionnal if you use EC2 Instance Profile) | +| config.aws.s3.bucket | string | `""` | AWS S3, bucket name | +| config.aws.s3.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.aws.s3.prefix | string | `""` | AWS S3, name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json | +| config.aws.secretaccesskey | string | `""` | AWS Secret Access Key (optionnal if you use EC2 Instance Profile) | +| config.aws.securitylake.accountid | string | `""` | Account ID | +| config.aws.securitylake.batchsize | int | `1000` | Max number of events by parquet file | +| config.aws.securitylake.bucket | string | `""` | Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled | +| config.aws.securitylake.interval | int | `5` | Time in minutes between two puts to S3 (must be between 5 and 60min) | +| config.aws.securitylake.minimumpriority | string | `""` | 
minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.aws.securitylake.prefix | string | `""` | Prefix for keys | +| config.aws.securitylake.region | string | `""` | Bucket Region | +| config.aws.sns.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.aws.sns.rawjson | bool | `false` | Send RawJSON from `falco` or parse it to AWS SNS | +| config.aws.sns.topicarn | string | `""` | AWS SNS TopicARN, if not empty, AWS SNS output is *enabled* | +| config.aws.sqs.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.aws.sqs.url | string | `""` | AWS SQS Queue URL, if not empty, AWS SQS output is *enabled* | +| config.aws.useirsa | bool | `true` | Use IRSA, if true, the rolearn value will be used to set the ServiceAccount annotations and not the env var | +| config.azure.eventHub.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.azure.eventHub.name | string | `""` | Name of the Hub, if not empty, EventHub is *enabled* | +| config.azure.eventHub.namespace | string | `""` | Name of the space the Hub is in | +| config.azure.podIdentityClientID | string | `""` | Azure Identity Client ID | +| config.azure.podIdentityName | string | `""` | Azure Identity name | +| config.azure.resourceGroupName | string | `""` | Azure Resource Group name | +| config.azure.subscriptionID | string | `""` | Azure Subscription ID | +| config.bracketreplacer | string | `""` | if not empty, the brackets in keys of Output Fields are replaced | +| config.cliq.icon | string | `""` | Cliq icon (avatar) | +| 
config.cliq.messageformat | string | `""` | a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `cliq.outputformat`. If empty, no Text is displayed before sections. | +| config.cliq.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.cliq.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Cliq), `fields` (only fields are displayed in Cliq) | +| config.cliq.useemoji | bool | `true` | Prefix message text with an emoji | +| config.cliq.webhookurl | string | `""` | Zoho Cliq Channel URL (ex: ), if not empty, Cliq Chat output is *enabled* | +| config.cloudevents.address | string | `""` | CloudEvents consumer http address, if not empty, CloudEvents output is *enabled* | +| config.cloudevents.extension | string | `""` | Extensions to add in the outbound Event, useful for routing | +| config.cloudevents.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.customfields | string | `""` | a list of escaped comma separated custom fields to add to falco events, syntax is "key:value\,key:value" | +| config.datadog.apikey | string | `""` | Datadog API Key, if not `empty`, Datadog output is *enabled* | +| config.datadog.host | string | `""` | Datadog host. Override if you are on the Datadog EU site. 
Defaults to american site with "" | +| config.datadog.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.debug | bool | `false` | DEBUG environment variable | +| config.discord.icon | string | `""` | Discord icon (avatar) | +| config.discord.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.discord.webhookurl | string | `""` | Discord WebhookURL (ex: ...), if not empty, Discord output is *enabled* | +| config.dogstatsd.forwarder | string | `""` | The address for the DogStatsD forwarder, in the form , if not empty DogStatsD is *enabled* | +| config.dogstatsd.namespace | string | `"falcosidekick."` | A prefix for all metrics | +| config.dogstatsd.tags | string | `""` | A comma-separated list of tags to add to all metrics | +| config.elasticsearch.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.elasticsearch.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.elasticsearch.hostport | string | `""` | Elasticsearch , if not `empty`, Elasticsearch is *enabled* | +| config.elasticsearch.index | string | `"falco"` | Elasticsearch index | +| config.elasticsearch.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.elasticsearch.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.elasticsearch.password | string | `""` | use this password to authenticate to Elasticsearch if the password is not empty | +| config.elasticsearch.suffix | string | `"daily"` | | +| config.elasticsearch.type | string | `"_doc"` | 
Elasticsearch document type | +| config.elasticsearch.username | string | `""` | use this username to authenticate to Elasticsearch if the username is not empty | +| config.existingSecret | string | `""` | Existing secret with configuration | +| config.extraArgs | list | `[]` | Extra command-line arguments | +| config.extraEnv | list | `[]` | Extra environment variables | +| config.fission.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.fission.function | string | `""` | Name of Fission function, if not empty, Fission is enabled | +| config.fission.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.fission.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.fission.routernamespace | string | `"fission"` | Namespace of Fission Router, "fission" (default) | +| config.fission.routerport | int | `80` | Port of service of Fission Router | +| config.fission.routerservice | string | `"router"` | Service of Fission Router, "router" (default) | +| config.gcp.cloudfunctions.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.gcp.cloudfunctions.name | string | `""` | The name of the Cloud Function which is in form `projects//locations//functions/` | +| config.gcp.cloudrun.endpoint | string | `""` | the URL of the Cloud Run function | +| config.gcp.cloudrun.jwt | string | `""` | JWT for the private access to Cloud Run function | +| config.gcp.cloudrun.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.gcp.credentials | string | `""` | Base64 encoded JSON key file for the GCP service 
account | +| config.gcp.pubsub.customattributes | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.gcp.pubsub.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.gcp.pubsub.projectid | string | `""` | The GCP Project ID containing the Pub/Sub Topic | +| config.gcp.pubsub.topic | string | `""` | Name of the Pub/Sub topic | +| config.gcp.storage.bucket | string | `""` | The name of the bucket | +| config.gcp.storage.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.gcp.storage.prefix | string | `""` | Name of prefix, keys will have format: gs:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json | +| config.googlechat.messageformat | string | `""` | a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `config.googlechat.outputformat`. 
If empty, no Text is displayed before Attachment | +| config.googlechat.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.googlechat.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Google chat) | +| config.googlechat.webhookurl | string | `""` | Google Chat Webhook URL (ex: ), if not `empty`, Google Chat output is *enabled* | +| config.gotify.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.gotify.format | string | `"markdown"` | Format of the messages (plaintext, markdown, json) | +| config.gotify.hostport | string | `""` | http://{domain or ip}:{port}, if not empty, Gotify output is enabled | +| config.gotify.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.gotify.token | string | `""` | API Token | +| config.grafana.allfieldsastags | bool | `false` | if true, all custom fields are added as tags (default: false) | +| config.grafana.apikey | string | `""` | API Key to authenticate to Grafana, if not empty, Grafana output is *enabled* | +| config.grafana.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.grafana.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.grafana.dashboardid | string | `""` | annotations are scoped to a specific dashboard. Optionnal. 
| +| config.grafana.hostport | string | `""` | or ip}:{port}, if not empty, Grafana output is *enabled* | +| config.grafana.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.grafana.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.grafana.panelid | string | `""` | annotations are scoped to a specific panel. Optionnal. | +| config.grafanaoncall.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.grafanaoncall.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.grafanaoncall.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.grafanaoncall.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.grafanaoncall.webhookurl | string | `""` | if not empty, Grafana OnCall output is enabled | +| config.influxdb.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.influxdb.database | string | `"falco"` | Influxdb database | +| config.influxdb.hostport | string | `""` | Influxdb , if not `empty`, Influxdb is *enabled* | +| config.influxdb.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.influxdb.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.influxdb.organization | string | `""` | Influxdb organization | +| config.influxdb.password | string | `""` | Password to use if auth is *enabled* in Influxdb | +| config.influxdb.precision | string | `"ns"` | 
write precision | +| config.influxdb.token | string | `""` | API token to use if auth in enabled in Influxdb (disables user and password) | +| config.influxdb.user | string | `""` | User to use if auth is *enabled* in Influxdb | +| config.kafka.async | bool | `false` | produce messages without blocking | +| config.kafka.balancer | string | `"round_robin"` | partition balancing strategy when producing | +| config.kafka.clientid | string | `""` | specify a client.id when communicating with the broker for tracing | +| config.kafka.compression | string | `"NONE"` | enable message compression using this algorithm, no compression (GZIP|SNAPPY|LZ4|ZSTD|NONE) | +| config.kafka.hostport | string | `""` | comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is *enabled* | +| config.kafka.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.kafka.password | string | `""` | use this password to authenticate to Kafka via SASL | +| config.kafka.requiredacks | string | `"NONE"` | number of acknowledges from partition replicas required before receiving | +| config.kafka.sasl | string | `""` | SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512) | +| config.kafka.tls | bool | `false` | Use TLS for the connections | +| config.kafka.topic | string | `""` | Name of the topic, if not empty, Kafka output is enabled | +| config.kafka.topiccreation | bool | `false` | auto create the topic if it doesn't exist | +| config.kafka.username | string | `""` | use this username to authenticate to Kafka via SASL | +| config.kafkarest.address | string | `""` | The full URL to the topic (example "http://kafkarest:8082/topics/test") | +| 
config.kafkarest.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.kafkarest.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.kafkarest.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.kafkarest.version | int | `2` | Kafka Rest Proxy API version 2|1 (default: 2) | +| config.kubeless.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.kubeless.function | string | `""` | Name of Kubeless function, if not empty, EventHub is *enabled* | +| config.kubeless.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.kubeless.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.kubeless.namespace | string | `""` | Namespace of Kubeless function (mandatory) | +| config.kubeless.port | int | `8080` | Port of service of Kubeless function. 
Default is `8080` | +| config.loki.apikey | string | `""` | API Key for Grafana Logs | +| config.loki.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.loki.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.loki.endpoint | string | `"/loki/api/v1/push"` | Loki endpoint URL path, more info: | +| config.loki.extralabels | string | `""` | comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields | +| config.loki.hostport | string | `""` | Loki , if not `empty`, Loki is *enabled* | +| config.loki.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.loki.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.loki.tenant | string | `""` | Loki tenant, if not `empty`, Loki tenant is *enabled* | +| config.loki.user | string | `""` | user for Grafana Logs | +| config.mattermost.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.mattermost.footer | string | `""` | Mattermost Footer | +| config.mattermost.icon | string | `""` | Mattermost icon (avatar) | +| config.mattermost.messageformat | string | `""` | a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment | +| config.mattermost.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.mattermost.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.mattermost.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Mattermost) | +| config.mattermost.username | string | `""` | Mattermost username | +| config.mattermost.webhookurl | string | `""` | Mattermost Webhook URL (ex: ), if not `empty`, Mattermost output is *enabled* | +| config.mqtt.broker | string | `""` | Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled | +| config.mqtt.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.mqtt.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.mqtt.password | string | `""` | Password if the authentication is enabled in the broker | +| config.mqtt.qos | int | `0` | QOS for messages | +| config.mqtt.retained | bool | `false` | If true, messages are retained | +| config.mqtt.topic | string | `"falco/events"` | Topic for messages | +| config.mqtt.user | string | `""` | User if the authentication is enabled in the broker | +| config.mutualtlsclient.cacertfile | string | `""` | CA certification file for server certification for mutual TLS authentication, takes priority over mutualtlsfilespath if not empty | +| config.mutualtlsclient.certfile | string | `""` | client certification file for mutual TLS client certification, takes priority over mutualtlsfilespath if not empty | +| config.mutualtlsclient.keyfile | string | `""` | client key file for mutual TLS client 
certification, takes priority over mutualtlsfilespath if not empty | +| config.mutualtlsfilespath | string | `"/etc/certs"` | folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs") | +| config.n8n.address | string | `""` | N8N address, if not empty, N8N output is enabled | +| config.n8n.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.n8n.headerauthname | string | `""` | Header Auth Key to authenticate with N8N | +| config.n8n.headerauthvalue | string | `""` | Header Auth Value to authenticate with N8N | +| config.n8n.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | +| config.n8n.password | string | `""` | Password to authenticate with N8N in basic auth | +| config.n8n.user | string | `""` | Username to authenticate with N8N in basic auth | +| config.nats.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.nats.hostport | string | `""` | NATS "nats://host:port", if not `empty`, NATS is *enabled* | +| config.nats.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.nats.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.nodered.address | string | `""` | Node-RED address, if not empty, Node-RED output is enabled | +| config.nodered.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.nodered.customheaders | string | `""` | Custom headers to add in POST, useful for Authentication, syntax is "key:value\,key:value" | +| config.nodered.minimumpriority | string | `""` | minimum priority of event to use this output, order is 
`emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.nodered.password | string | `""` | Password if Basic Auth is enabled for 'http in' node in Node-RED | +| config.nodered.user | string | `""` | User if Basic Auth is enabled for 'http in' node in Node-RED | +| config.openfaas.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.openfaas.functionname | string | `""` | Name of OpenFaaS function, if not empty, OpenFaaS is *enabled* | +| config.openfaas.functionnamespace | string | `"openfaas-fn"` | Namespace of OpenFaaS function, "openfaas-fn" (default) | +| config.openfaas.gatewaynamespace | string | `"openfaas"` | Namespace of OpenFaaS Gateway, "openfaas" (default) | +| config.openfaas.gatewayport | int | `8080` | Port of service of OpenFaaS Gateway Default is `8080` | +| config.openfaas.gatewayservice | string | `"gateway"` | Service of OpenFaaS Gateway, "gateway" (default) | +| config.openfaas.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.openfaas.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.openobserve.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.openobserve.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" | +| config.openobserve.hostport | string | `""` | http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled | +| config.openobserve.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | +| config.openobserve.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| 
config.openobserve.organizationname | string | `"default"` | Organization name | +| config.openobserve.password | string | `""` | use this password to authenticate to OpenObserve if the password is not empty | +| config.openobserve.streamname | string | `"falco"` | Stream name | +| config.openobserve.username | string | `""` | use this username to authenticate to OpenObserve if the username is not empty | +| config.opsgenie.apikey | string | `""` | Opsgenie API Key, if not empty, Opsgenie output is *enabled* | +| config.opsgenie.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.opsgenie.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.opsgenie.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.opsgenie.region | `us` or `eu` | `""` | region of your domain | +| config.pagerduty.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.pagerduty.region | string | `"us"` | Pagerduty Region, can be 'us' or 'eu' | +| config.pagerduty.routingkey | string | `""` | Pagerduty Routing Key, if not empty, Pagerduty output is *enabled* | +| config.policyreport.enabled | bool | `false` | if true; policyreport output is *enabled* | +| config.policyreport.kubeconfig | string | `"~/.kube/config"` | Kubeconfig file to use (only if falcosidekick is running outside the cluster) | +| config.policyreport.maxevents | int | `1000` | the max number of events that can be in a policyreport | +| config.policyreport.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.policyreport.prunebypriority | bool | `false` 
| if true; the events with lowest severity are pruned first, in FIFO order | +| config.prometheus.extralabels | string | `""` | comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields | +| config.rabbitmq.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.rabbitmq.queue | string | `""` | Rabbitmq Queue name | +| config.rabbitmq.url | string | `""` | Rabbitmq URL, if not empty, Rabbitmq output is *enabled* | +| config.redis.address | string | `""` | Redis address, if not empty, Redis output is enabled | +| config.redis.database | int | `0` | Redis database number | +| config.redis.key | string | `"falco"` | Redis storage key name for hashmap, list | +| config.redis.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | +| config.redis.password | string | `""` | Password to authenticate with Redis | +| config.redis.storagetype | string | `"list"` | Redis storage type: hashmap or list | +| config.rocketchat.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.rocketchat.icon | string | `""` | Rocketchat icon (avatar) | +| config.rocketchat.messageformat | string | `""` | a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment | +| config.rocketchat.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.rocketchat.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.rocketchat.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Rocketcaht), `fields` (only fields are displayed in Rocketchat) | +| config.rocketchat.username | string | `""` | Rocketchat username | +| config.rocketchat.webhookurl | string | `""` | Rocketchat Webhook URL (ex: ), if not `empty`, Rocketchat output is *enabled* | +| config.slack.channel | string | `""` | Slack channel (optionnal) | +| config.slack.footer | string | `""` | Slack Footer | +| config.slack.icon | string | `""` | Slack icon (avatar) | +| config.slack.messageformat | string | `""` | a Go template to format Slack Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment | +| config.slack.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.slack.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack) | +| config.slack.username | string | `""` | Slack username | +| config.slack.webhookurl | string | `""` | Slack Webhook URL (ex: ), if not `empty`, Slack output is *enabled* | +| config.smtp.authmechanism | string | `"plain"` | SASL Mechanisms : plain, oauthbearer, external, anonymous or "" (disable SASL) | +| config.smtp.from | string | `""` | Sender address (mandatory if SMTP output is *enabled*) | +| config.smtp.hostport | string | `""` | "host:port" address of SMTP server, if not empty, SMTP output is *enabled* | +| config.smtp.identity | string | `""` | identity string for Plain and External Mechanisms | +| config.smtp.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.smtp.outputformat | string | `"html"` | html, text | +| config.smtp.password | string | `""` | password to access SMTP server | +| config.smtp.tls | bool | `true` | use TLS connection (true/false) | +| config.smtp.to | string | `""` | comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is *enabled*) | +| config.smtp.token | string | `""` | OAuthBearer token for OAuthBearer Mechanism | +| config.smtp.trace | string | `""` | trace string for Anonymous Mechanism | +| config.smtp.user | string | `""` | user to access SMTP server | +| config.spyderbat.apikey | string | `""` | Spyderbat API key with access to the organization | +| config.spyderbat.apiurl | string | `"https://api.spyderbat.com"` | Spyderbat API url | +| config.spyderbat.minimumpriority 
| string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.spyderbat.orguid | string | `""` | Organization to send output to, if not empty, Spyderbat output is enabled | +| config.spyderbat.source | string | `"falcosidekick"` | Spyderbat source ID, max 32 characters | +| config.spyderbat.sourcedescription | string | `""` | Spyderbat source description and display name if not empty, max 256 characters | +| config.stan.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.stan.clientid | string | `""` | Client ID, if not empty, STAN output is *enabled* | +| config.stan.clusterid | string | `""` | Cluster name, if not empty, STAN output is *enabled* | +| config.stan.hostport | string | `""` | Stan nats://{domain or ip}:{port}, if not empty, STAN output is *enabled* | +| config.stan.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.stan.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.statsd.forwarder | string | `""` | The address for the StatsD forwarder, in the form , if not empty StatsD is *enabled* | +| config.statsd.namespace | string | `"falcosidekick."` | A prefix for all metrics | +| config.syslog.format | string | `"json"` | Syslog payload format. It can be either "json" or "cef" | +| config.syslog.host | string | `""` | Syslog Host, if not empty, Syslog output is *enabled* | +| config.syslog.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.syslog.port | string | `""` | Syslog endpoint port number | +| config.syslog.protocol | string | `"tcp"` | Syslog transport protocol. 
It can be either "tcp" or "udp" | +| config.teams.activityimage | string | `""` | Teams section image | +| config.teams.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.teams.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams) | +| config.teams.webhookurl | string | `""` | Teams Webhook URL (ex: "), if not `empty`, Teams output is *enabled* | +| config.tekton.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.tekton.eventlistener | string | `""` | EventListener address, if not empty, Tekton output is enabled | +| config.tekton.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.telegram.chatid | string | `""` | telegram Identifier of the shared chat | +| config.telegram.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.telegram.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" | +| config.telegram.token | string | `""` | telegram bot authentication token | +| config.templatedfields | string | `""` | a list of escaped comma separated Go templated fields to add to falco events, syntax is "key:template\,key:template" | +| config.timescaledb.database | string | `""` | TimescaleDB database used | +| config.timescaledb.host | string | `""` | TimescaleDB host, if not empty, TImescaleDB output is enabled | +| config.timescaledb.hypertablename | string | `"falco_events"` | Hypertable to store data events (default: falco_events) See TimescaleDB setup for more info | +| config.timescaledb.minimumpriority | string | `""` | minimum priority of event 
to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.timescaledb.password | string | `"postgres"` | Password to authenticate with TimescaleDB | +| config.timescaledb.port | int | `5432` | TimescaleDB port (default: 5432) | +| config.timescaledb.user | string | `"postgres"` | Username to authenticate with TimescaleDB | +| config.tlsserver.cacertfile | string | `"/etc/certs/server/ca.crt"` | CA certification file path for client certification if mutualtls is true | +| config.tlsserver.cacrt | string | `""` | | +| config.tlsserver.certfile | string | `"/etc/certs/server/server.crt"` | server certification file path for TLS Server | +| config.tlsserver.deploy | bool | `false` | if true TLS server will be deployed instead of HTTP | +| config.tlsserver.existingSecret | string | `""` | existing secret with server.crt, server.key and ca.crt files for TLS Server | +| config.tlsserver.keyfile | string | `"/etc/certs/server/server.key"` | server key file path for TLS Server | +| config.tlsserver.mutualtls | bool | `false` | if true mutual TLS server will be deployed instead of TLS, deploy also has to be true | +| config.tlsserver.notlspaths | string | `"/ping"` | a comma separated list of endpoints, if not empty, and tlsserver.deploy is true, a separate http server will be deployed for the specified endpoints (/ping endpoint needs to be notls for Kubernetes to be able to perform the healthchecks) | +| config.tlsserver.notlsport | int | `2810` | port to serve http server serving selected endpoints | +| config.tlsserver.servercrt | string | `""` | server.crt file for TLS Server | +| config.tlsserver.serverkey | string | `""` | server.key file for TLS Server | +| config.wavefront.batchsize | int | `10000` | Wavefront batch size. If empty uses the default 10000. Only used when endpointtype is 'direct' | +| config.wavefront.endpointhost | string | `""` | Wavefront endpoint address (only the host). 
If not empty, with endpointhost, Wavefront output is *enabled* | +| config.wavefront.endpointmetricport | int | `2878` | Port to send metrics. Only used when endpointtype is 'proxy' | +| config.wavefront.endpointtoken | string | `""` | Wavefront token. Must be used only when endpointtype is 'direct' | +| config.wavefront.endpointtype | string | `""` | Wavefront endpoint type, must be 'direct' or 'proxy'. If not empty, with endpointhost, Wavefront output is *enabled* | +| config.wavefront.flushintervalseconds | int | `1` | Wavefront flush interval in seconds. Defaults to 1 | +| config.wavefront.metricname | string | `"falco.alert"` | Metric to be created in Wavefront. Defaults to falco.alert | +| config.wavefront.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.webhook.address | string | `""` | Webhook address, if not empty, Webhook output is *enabled* | +| config.webhook.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.webhook.customHeaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value\,key:value" | +| config.webhook.method | string | `"POST"` | HTTP method: POST or PUT | +| config.webhook.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.webhook.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) | +| config.yandex.accesskeyid | string | `""` | yandex access key | +| config.yandex.datastreams.endpoint | string | `""` | yandex data streams endpoint (default: https://yds.serverless.yandexcloud.net) | +| config.yandex.datastreams.minimumpriority | string | `""` | minimum priority of event to use this output, order is 
`emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.yandex.datastreams.streamname | string | `""` | stream name in format /${region}/${folder_id}/${ydb_id}/${stream_name} | +| config.yandex.region | string | `""` | yandex storage region (default: ru-central-1) | +| config.yandex.s3.bucket | string | `""` | Yandex storage, bucket name | +| config.yandex.s3.endpoint | string | `""` | yandex storage endpoint (default: https://storage.yandexcloud.net) | +| config.yandex.s3.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.yandex.s3.prefix | string | `""` | name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json | +| config.yandex.secretaccesskey | string | `""` | yandex secret access key | +| config.zincsearch.checkcert | bool | `true` | check if ssl certificate of the output is valid | +| config.zincsearch.hostport | string | `""` | http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled | +| config.zincsearch.index | string | `"falco"` | index | +| config.zincsearch.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | +| config.zincsearch.password | string | `""` | use this password to authenticate to ZincSearch | +| config.zincsearch.username | string | `""` | use this username to authenticate to ZincSearch | +| extraVolumeMounts | list | `[]` | Extra volume mounts for sidekick deployment | +| extraVolumes | list | `[]` | Extra volumes for sidekick deployment | +| fullnameOverride | string | `""` | Override the name | +| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.28.0"}` | number of old history to retain to allow rollback (If not set, default 
Kubernetes value is set to 10) revisionHistoryLimit: 1 | +| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| image.registry | string | `"docker.io"` | The image registry to pull from | +| image.repository | string | `"falcosecurity/falcosidekick"` | The image repository to pull from | +| image.tag | string | `"2.28.0"` | The image tag to pull | +| imagePullSecrets | list | `[]` | Secrets for the registry | +| ingress.annotations | object | `{}` | Ingress annotations | +| ingress.enabled | bool | `false` | Whether to create the ingress | +| ingress.hosts | list | `[{"host":"falcosidekick.local","paths":[{"path":"/"}]}]` | Ingress hosts | +| ingress.tls | list | `[]` | Ingress TLS configuration | +| nameOverride | string | `""` | Override name | +| nodeSelector | object | `{}` | Sidekick nodeSelector field | +| podAnnotations | object | `{}` | additions annotations on the pods | +| podLabels | object | `{}` | additions labels on the pods | +| podSecurityContext | object | `{"fsGroup":1234,"runAsUser":1234}` | Sidekick pod securityContext | +| podSecurityPolicy | object | `{"create":false}` | podSecurityPolicy | +| podSecurityPolicy.create | bool | `false` | Whether to create a podSecurityPolicy | +| priorityClassName | string | `""` | Name of the priority class to be used by the Sidekickpods, priority class needs to be created beforehand | +| prometheusRules.alerts.additionalAlerts | object | `{}` | | +| prometheusRules.alerts.alert.enabled | bool | `true` | enable the high rate rule for the alert events | +| prometheusRules.alerts.alert.rate_interval | string | `"5m"` | rate interval for the high rate rule for the alert events | +| prometheusRules.alerts.alert.threshold | int | `0` | threshold for the high rate rule for the alert events | +| prometheusRules.alerts.critical.enabled | bool | `true` | enable the high rate rule for the critical events | +| prometheusRules.alerts.critical.rate_interval | string | `"5m"` | rate interval for the 
high rate rule for the critical events | +| prometheusRules.alerts.critical.threshold | int | `0` | threshold for the high rate rule for the critical events | +| prometheusRules.alerts.emergency.enabled | bool | `true` | enable the high rate rule for the emergency events | +| prometheusRules.alerts.emergency.rate_interval | string | `"5m"` | rate interval for the high rate rule for the emergency events | +| prometheusRules.alerts.emergency.threshold | int | `0` | threshold for the high rate rule for the emergency events | +| prometheusRules.alerts.error.enabled | bool | `true` | enable the high rate rule for the error events | +| prometheusRules.alerts.error.rate_interval | string | `"5m"` | rate interval for the high rate rule for the error events | +| prometheusRules.alerts.error.threshold | int | `0` | threshold for the high rate rule for the error events | +| prometheusRules.alerts.output.enabled | bool | `true` | enable the high rate rule for the errors with the outputs | +| prometheusRules.alerts.output.rate_interval | string | `"5m"` | rate interval for the high rate rule for the errors with the outputs | +| prometheusRules.alerts.output.threshold | int | `0` | threshold for the high rate rule for the errors with the outputs | +| prometheusRules.alerts.warning.enabled | bool | `true` | enable the high rate rule for the warning events | +| prometheusRules.alerts.warning.rate_interval | string | `"5m"` | rate interval for the high rate rule for the warning events | +| prometheusRules.alerts.warning.threshold | int | `0` | threshold for the high rate rule for the warning events | +| prometheusRules.enabled | bool | `false` | enable the creation of PrometheusRules for alerting | +| replicaCount | int | `2` | number of running pods | +| resources | object | `{}` | The resources for falcosdekick pods | +| securityContext | object | `{}` | Sidekick container securityContext | +| service.annotations | object | `{}` | Service annotations | +| service.port | int | 
`2801` | Service port | +| service.type | string | `"ClusterIP"` | Service type | +| serviceMonitor.additionalLabels | object | `{}` | specify Additional labels to be added on the Service Monitor. | +| serviceMonitor.enabled | bool | `false` | enable the deployment of a Service Monitor for the Prometheus Operator. | +| serviceMonitor.interval | string | `""` | specify a user defined interval. When not specified Prometheus default interval is used. | +| serviceMonitor.scrapeTimeout | string | `""` | specify a user defined scrape timeout. When not specified Prometheus default scrape timeout is used. | +| testConnection.affinity | object | `{}` | Affinity for the test connection pod | +| testConnection.nodeSelector | object | `{}` | test connection nodeSelector field | +| testConnection.tolerations | list | `[]` | Tolerations for pod assignment | +| tolerations | list | `[]` | Tolerations for pod assignment | +| webui.affinity | object | `{}` | Affinity for the Web UI pods | +| webui.allowcors | bool | `false` | Allow CORS | +| webui.disableauth | bool | `false` | Disable the basic auth | +| webui.enabled | bool | `false` | enable Falcosidekick-UI | +| webui.existingSecret | string | `""` | Existing secret with configuration | +| webui.externalRedis.enabled | bool | `false` | Enable or disable the usage of an external Redis. Is mutually exclusive with webui.redis.enabled. 
| +| webui.externalRedis.port | int | `6379` | The port of the external Redis database with RediSearch > v2 | +| webui.externalRedis.url | string | `""` | The URL of the external Redis database with RediSearch > v2 | +| webui.image.pullPolicy | string | `"IfNotPresent"` | The web UI image pull policy | +| webui.image.registry | string | `"docker.io"` | The web UI image registry to pull from | +| webui.image.repository | string | `"falcosecurity/falcosidekick-ui"` | The web UI image repository to pull from | +| webui.image.tag | string | `"2.2.0"` | The web UI image tag to pull | +| webui.ingress.annotations | object | `{}` | Web UI ingress annotations | +| webui.ingress.enabled | bool | `false` | Whether to create the Web UI ingress | +| webui.ingress.hosts | list | `[{"host":"falcosidekick-ui.local","paths":[{"path":"/"}]}]` | Web UI ingress hosts configuration | +| webui.ingress.tls | list | `[]` | Web UI ingress TLS configuration | +| webui.loglevel | string | `"info"` | Log level ("debug", "info", "warning", "error") | +| webui.nodeSelector | object | `{}` | Web UI nodeSelector field | +| webui.podAnnotations | object | `{}` | additions annotations on the pods web UI | +| webui.podLabels | object | `{}` | additions labels on the pods web UI | +| webui.podSecurityContext | object | `{"fsGroup":1234,"runAsUser":1234}` | Web UI pod securityContext | +| webui.priorityClassName | string | `""` | Name of the priority class to be used by the Web UI pods, priority class needs to be created beforehand | +| webui.redis.affinity | object | `{}` | Affinity for the Web UI Redis pods | +| webui.redis.enabled | bool | `true` | Is mutually exclusive with webui.externalRedis.enabled | +| webui.redis.existingSecret | string | `""` | Existing secret with configuration | +| webui.redis.image.pullPolicy | string | `"IfNotPresent"` | The web UI image pull policy | +| webui.redis.image.registry | string | `"docker.io"` | The web UI Redis image registry to pull from | +| 
webui.redis.image.repository | string | `"redis/redis-stack"` | The web UI Redis image repository to pull from | +| webui.redis.image.tag | string | `"6.2.6-v3"` | The web UI Redis image tag to pull from | +| webui.redis.nodeSelector | object | `{}` | Web UI Redis nodeSelector field | +| webui.redis.password | string | `""` | Set a password for Redis | +| webui.redis.podAnnotations | object | `{}` | additions annotations on the pods | +| webui.redis.podLabels | object | `{}` | additions labels on the pods | +| webui.redis.podSecurityContext | object | `{}` | Web UI Redis pod securityContext | +| webui.redis.priorityClassName | string | `""` | Name of the priority class to be used by the Web UI Redis pods, priority class needs to be created beforehand | +| webui.redis.resources | object | `{}` | The resources for the redis pod | +| webui.redis.securityContext | object | `{}` | Web UI Redis container securityContext | +| webui.redis.service.annotations | object | `{}` | The web UI Redis service annotations (use this to set a internal LB, for example.) | +| webui.redis.service.port | int | `6379` | The web UI Redis service port dor the falcosidekick-ui | +| webui.redis.service.targetPort | int | `6379` | The web UI Redis service targetPort | +| webui.redis.service.type | string | `"ClusterIP"` | The web UI Redis service type (i. 
e: LoadBalancer) | +| webui.redis.storageClass | string | `""` | Storage class of the PVC for the redis pod | +| webui.redis.storageEnabled | bool | `true` | Enable the PVC for the redis pod | +| webui.redis.storageSize | string | `"1Gi"` | Size of the PVC for the redis pod | +| webui.redis.tolerations | list | `[]` | Tolerations for pod assignment | +| webui.replicaCount | int | `2` | number of running pods | +| webui.resources | object | `{}` | The resources for the web UI pods | +| webui.securityContext | object | `{}` | Web UI container securityContext | +| webui.service.annotations | object | `{}` | The web UI service annotations (use this to set a internal LB, for example.) | +| webui.service.nodePort | int | `30282` | The web UI service nodePort | +| webui.service.port | int | `2802` | The web UI service port dor the falcosidekick-ui | +| webui.service.targetPort | int | `2802` | The web UI service targetPort | +| webui.service.type | string | `"ClusterIP"` | The web UI service type | +| webui.tolerations | list | `[]` | Tolerations for pod assignment | +| webui.ttl | int | `0` | TTL for keys, the syntax in X, with : s, m, d, w (0 for no ttl) | +| webui.user | string | `"admin:admin"` | User in format : | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Metrics + +A `prometheus` endpoint can be scrapped at `/metrics`. + +## Access Falcosidekick UI through an Ingress and a subpath + +You may want to access the `WebUI (Falcosidekick UI)`](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md) dashboard not from `/` but from `/subpath` and use an Ingress, here's an example of annotations to add to the Ingress for `nginx-ingress controller`: + +```yaml +nginx.ingress.kubernetes.io/rewrite-target: /$2 +nginx.ingress.kubernetes.io/use-regex: "true" +``` 
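Review bot: In the falcosidekick README hunk, the link in the subpath section is malformed: `You may want to access the `WebUI (Falcosidekick UI)`](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md)` has no opening `[`, so it renders as literal text; close it as `[WebUI (Falcosidekick UI)](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md)`. The values table also needs a proofread: `scrapped` under Metrics should be `scraped`, `service port dor the falcosidekick-ui` appears twice (`for`), `falcosdekick pods` and `additions annotations`/`additions labels` are misspelled, and the `webui.user` and `webui.ttl` descriptions (`User in format :`, `the syntax in X, with : s, m, d, w`) have lost the placeholder text around the colon, so the expected format is not actually documented. Since `webui.user` ships as `admin:admin` and `webui.disableauth` can switch authentication off entirely, the `webui.user` row is the place to tell operators to override the default credential before exposing the UI through an Ingress.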
diff --git a/falco/charts/falcosidekick/templates/NOTES.txt b/falco/charts/falcosidekick/templates/NOTES.txt new file mode 100644 index 0000000..bee1a21 --- /dev/null +++ b/falco/charts/falcosidekick/templates/NOTES.txt 
@@ -0,0 +1,44 @@ +1. Get the URL for Falcosidekick by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falcosidekick.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "falcosidekick.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falcosidekick.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + kubectl port-forward svc/{{ include "falcosidekick.name" . }} {{ .Values.service.port }}:{{ .Values.service.port }} --namespace {{ .Release.Namespace }} + echo "Visit http://127.0.0.1:{{ .Values.service.port }} to use your application" +{{- end }} +{{- if .Values.webui.enabled }} +2. Get the URL for Falcosidekick-UI (WebUI) by running these commands: +{{- if .Values.webui.ingress.enabled }} +{{- range $host := .Values.webui.ingress.hosts }} + http{{ if $.Values.webui.ingress.tls }}s{{ end }}://{{ $host.host }}{{ index .paths 0 }} +{{- end }} +{{- else if contains "NodePort" .Values.webui.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falcosidekick.fullname" . 
}})-ui + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/ui +{{- else if contains "LoadBalancer" .Values.webui.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "falcosidekick.fullname" . }}-ui' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falcosidekick.fullname" . }}-ui -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.webui.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + kubectl port-forward svc/{{ include "falcosidekick.name" . }}-ui {{ .Values.webui.service.port }}:{{ .Values.webui.service.port }} --namespace {{ .Release.Namespace }} + echo "Visit http://127.0.0.1:{{ .Values.webui.service.port }}/ui to use your application" +{{- end }} +{{ else }} +2. Try to enable Falcosidekick-UI (WebUI) by adding this argument to your command: + --set webui.enabled=true +{{- end }} + diff --git a/falco/charts/falcosidekick/templates/_helpers.tpl b/falco/charts/falcosidekick/templates/_helpers.tpl new file mode 100644 index 0000000..b5290e8 --- /dev/null +++ b/falco/charts/falcosidekick/templates/_helpers.tpl 
@@ -0,0 +1,80 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "falcosidekick.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "falcosidekick.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "falcosidekick.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "falcosidekick.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "falcosidekick.labels" -}} +helm.sh/chart: {{ include "falcosidekick.chart" . }} +{{ include "falcosidekick.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/part-of: {{ include "falcosidekick.name" . 
}} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "falcosidekick.selectorLabels" -}} +app.kubernetes.io/name: {{ include "falcosidekick.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Return if ingress is stable. +*/}} +{{- define "falcosidekick.ingress.isStable" -}} + {{- eq (include "falcosidekick.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "falcosidekick.ingress.supportsPathType" -}} + {{- or (eq (include "falcosidekick.ingress.isStable" .) "true") (and (eq (include "falcosidekick.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} diff --git a/falco/charts/falcosidekick/templates/aadpodidentity.yaml b/falco/charts/falcosidekick/templates/aadpodidentity.yaml new file mode 100644 index 0000000..329c47b --- /dev/null +++ b/falco/charts/falcosidekick/templates/aadpodidentity.yaml 
@@ -0,0 +1,25 @@ +{{- if and .Values.config.azure.podIdentityClientID .Values.config.azure.podIdentityName -}} +--- +apiVersion: "aadpodidentity.k8s.io/v1" +kind: AzureIdentity +metadata: + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + type: 0 + resourceID: /subscriptions/{{ .Values.config.azure.subscriptionID }}/resourcegroups/{{ .Values.config.azure.resourceGroupName }}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{ .Values.config.azure.podIdentityName }} + clientID: {{ .Values.config.azure.podIdentityClientID }} +--- +apiVersion: "aadpodidentity.k8s.io/v1" +kind: AzureIdentityBinding +metadata: + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + name: {{ include "falcosidekick.fullname" . }} +spec: + azureIdentity: {{ include "falcosidekick.fullname" . }} + selector: {{ include "falcosidekick.fullname" . }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/certs-secret.yaml b/falco/charts/falcosidekick/templates/certs-secret.yaml new file mode 100644 index 0000000..8f24de1 --- /dev/null +++ b/falco/charts/falcosidekick/templates/certs-secret.yaml 
@@ -0,0 +1,19 @@ +{{- if and .Values.config.tlsserver.serverkey .Values.config.tlsserver.servercrt .Values.config.tlsserver.cacrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falcosidekick.fullname" . }}-certs + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +type: Opaque +data: + {{ $key := .Values.config.tlsserver.serverkey }} + server.key: {{ $key | b64enc | quote }} + {{ $crt := .Values.config.tlsserver.servercrt }} + server.crt: {{ $crt | b64enc | quote }} + falcosidekick.pem: {{ print $key $crt | b64enc | quote }} + ca.crt: {{ .Values.config.tlsserver.cacrt | b64enc | quote }} + ca.pem: {{ .Values.config.tlsserver.cacrt | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/falco/charts/falcosidekick/templates/clusterrole.yaml b/falco/charts/falcosidekick/templates/clusterrole.yaml new file mode 100644 index 0000000..81588c8 --- /dev/null +++ b/falco/charts/falcosidekick/templates/clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if .Values.podSecurityPolicy.create }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "falcosidekick.fullname" .}} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "falcosidekick.fullname" . }} + verbs: + - use +{{- end }} diff --git a/falco/charts/falcosidekick/templates/deployment-ui.yaml b/falco/charts/falcosidekick/templates/deployment-ui.yaml new file mode 100644 index 0000000..582884c --- /dev/null +++ b/falco/charts/falcosidekick/templates/deployment-ui.yaml 
@@ -0,0 +1,233 @@ +{{- if .Values.webui.enabled }} +{{- if and .Values.webui.redis.enabled .Values.webui.externalRedis.enabled }} + {{ fail "Both webui.redis and webui.externalRedis modules are enabled. Please disable one of them." }} +{{- else if and (not .Values.webui.redis.enabled) (not .Values.webui.externalRedis.enabled) }} + {{ fail "Neither the included Redis nor the external Redis is enabled. Please enable one of them." }} +{{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui +spec: + replicas: {{ .Values.webui.replicaCount }} + {{- if .Values.webui.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.webui.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "falcosidekick.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: ui + template: + metadata: + labels: + {{- include "falcosidekick.labels" . | nindent 8 }} + app.kubernetes.io/component: ui + {{- if .Values.webui.podLabels }} +{{ toYaml .Values.webui.podLabels | indent 8 }} + {{- end }} + {{- if .Values.webui.podAnnotations }} + annotations: +{{ toYaml .Values.webui.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "falcosidekick.fullname" . 
}}-ui + {{- if .Values.webui.priorityClassName }} + priorityClassName: "{{ .Values.webui.priorityClassName }}" + {{- end }} + {{- if .Values.webui.podSecurityContext }} + securityContext: + {{- toYaml .Values.webui.podSecurityContext | nindent 8}} + {{- end }} + containers: + - name: {{ .Chart.Name }}-ui + image: "{{ .Values.webui.image.registry }}/{{ .Values.webui.image.repository }}:{{ .Values.webui.image.tag }}" + imagePullPolicy: {{ .Values.webui.image.pullPolicy }} + envFrom: + - secretRef: + {{- if .Values.webui.existingSecret }} + name: {{ .Values.webui.existingSecret }} + {{- else }} + name: {{ include "falcosidekick.fullname" . }}-ui + {{- end }} + args: + - "-r" + {{- if .Values.webui.redis.enabled }} + - {{ include "falcosidekick.fullname" . }}-ui-redis{{ if .Values.webui.redis.fullfqdn }}.{{ .Release.Namespace }}.svc.cluster.local{{ end }}:{{ .Values.webui.redis.service.port | default "6379" }} + {{- else if .Values.webui.externalRedis.enabled }} + - "{{ required "External Redis is enabled. Please set the URL to the database." 
.Values.webui.externalRedis.url }}:{{ .Values.webui.externalRedis.port | default "6379" }}" + {{- end}} + {{- if .Values.webui.ttl }} + - "-t" + - {{ .Values.webui.ttl | quote }} + {{- end}} + {{- if .Values.webui.loglevel }} + - "-l" + - {{ .Values.webui.loglevel }} + {{- end}} + {{- if .Values.webui.allowcors }} + - "-x" + {{- end}} + {{- if .Values.webui.disableauth }} + - "-d" + {{- end}} + ports: + - name: http + containerPort: 2802 + protocol: TCP + livenessProbe: + httpGet: + path: /api/v1/healthz + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /api/v1/healthz + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + {{- if .Values.webui.securityContext }} + securityContext: + {{- toYaml .Values.webui.securityContext | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.webui.resources | nindent 12 }} + {{- with .Values.webui.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.webui.redis.enabled }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui-redis +spec: + replicas: 1 + serviceName: {{ include "falcosidekick.fullname" . }}-ui-redis + selector: + matchLabels: + {{- include "falcosidekick.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: ui-redis + template: + metadata: + labels: + {{- include "falcosidekick.labels" . 
| nindent 8 }} + app.kubernetes.io/component: ui-redis + {{- if .Values.webui.redis.podLabels }} +{{ toYaml .Values.webui.redis.podLabels | indent 8 }} + {{- end }} + {{- if .Values.webui.redis.podAnnotations }} + annotations: +{{ toYaml .Values.webui.redis.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "falcosidekick.fullname" . }}-ui + {{- if .Values.webui.redis.priorityClassName }} + priorityClassName: "{{ .Values.webui.redis.priorityClassName }}" + {{- end }} + {{- if .Values.webui.redis.podSecurityContext }} + securityContext: + {{- toYaml .Values.webui.redis.podSecurityContext | nindent 8}} + {{- end }} + containers: + - name: redis + image: "{{ .Values.webui.redis.image.registry }}/{{ .Values.webui.redis.image.repository }}:{{ .Values.webui.redis.image.tag }}" + imagePullPolicy: {{ .Values.webui.redis.image.pullPolicy }} + {{- if .Values.webui.redis.password }} + envFrom: + - secretRef: + {{- if .Values.webui.redis.existingSecret }} + name: {{ .Values.webui.redis.existingSecret }} + {{- else }} + name: {{ include "falcosidekick.fullname" . }}-ui-redis + {{- end }} + {{- end}} + args: [] + ports: + - name: redis + containerPort: 6379 + protocol: TCP + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + {{- if .Values.webui.redis.securityContext }} + securityContext: + {{- toYaml .Values.webui.redis.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.webui.redis.storageEnabled }} + volumeMounts: + - name: {{ include "falcosidekick.fullname" . 
}}-ui-redis-data + mountPath: /data + {{- end }} + resources: + {{- toYaml .Values.webui.redis.resources | nindent 12 }} + {{- with .Values.webui.redis.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.redis.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.redis.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.webui.redis.storageEnabled }} + volumeClaimTemplates: + - metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis-data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: {{ .Values.webui.redis.storageSize }} + {{- if .Values.webui.redis.storageClass }} + storageClassName: {{ .Values.webui.redis.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/deployment.yaml b/falco/charts/falcosidekick/templates/deployment.yaml new file mode 100644 index 0000000..cbf0b7f --- /dev/null +++ b/falco/charts/falcosidekick/templates/deployment.yaml 
@@ -0,0 +1,175 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "falcosidekick.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: core + template: + metadata: + labels: + {{- include "falcosidekick.labels" . | nindent 8 }} + app.kubernetes.io/component: core + {{- if and .Values.config.azure.podIdentityClientID .Values.config.azure.podIdentityName }} + aadpodidbinding: {{ include "falcosidekick.fullname" . }} + {{- end }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "falcosidekick.fullname" . 
}} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8}} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 2801 + protocol: TCP + {{- if .Values.config.tlsserver.deploy }} + - name: http-notls + containerPort: 2810 + protocol: TCP + {{- end }} + livenessProbe: + httpGet: + path: /ping + {{- if .Values.config.tlsserver.deploy }} + port: http-notls + {{- else }} + port: http + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /ping + {{- if .Values.config.tlsserver.deploy }} + port: http-notls + {{- else }} + port: http + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 5 + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.config.extraArgs }} + args: + {{ toYaml .Values.config.extraArgs | nindent 12 }} + {{- end }} + envFrom: + - secretRef: + {{- if .Values.config.existingSecret }} + name: {{ .Values.config.existingSecret }} + {{- else }} + name: {{ include "falcosidekick.fullname" . 
}} + {{- end }} + env: + - name: DEBUG + value: {{ .Values.config.debug | quote }} + - name: CUSTOMFIELDS + value: {{ .Values.config.customfields | quote }} + - name: TEMPLATEDFIELDS + value: {{ .Values.config.templatedfields | quote }} + - name: BRACKETREPLACER + value: {{ .Values.config.bracketreplacer | quote }} + - name: MUTUALTLSFILESPATH + value: {{ .Values.config.mutualtlsfilespath | quote }} + - name: MUTUALTLSCLIENT_CERTFILE + value: {{ .Values.config.mutualtlsclient.certfile | quote }} + - name: MUTUALTLSCLIENT_KEYFILE + value: {{ .Values.config.mutualtlsclient.keyfile | quote }} + - name: MUTUALTLSCLIENT_CACERTFILE + value: {{ .Values.config.mutualtlsclient.cacertfile | quote }} + {{- if .Values.config.tlsserver.deploy }} + - name: TLSSERVER_DEPLOY + value: {{ .Values.config.tlsserver.deploy | quote }} + - name: TLSSERVER_CERTFILE + value: {{ .Values.config.tlsserver.certfile | quote }} + - name: TLSSERVER_KEYFILE + value: {{ .Values.config.tlsserver.keyfile | quote }} + - name: TLSSERVER_CACERTFILE + value: {{ .Values.config.tlsserver.cacertfile | quote }} + - name: TLSSERVER_MUTUALTLS + value: {{ .Values.config.tlsserver.mutualtls | quote }} + - name: TLSSERVER_NOTLSPORT + value: {{ .Values.config.tlsserver.notlsport | quote }} + - name: TLSSERVER_NOTLSPATHS + value: {{ .Values.config.tlsserver.notlspaths | quote }} + {{- end }} + + {{- if .Values.config.extraEnv }} + {{ toYaml .Values.config.extraEnv | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if or .Values.extraVolumeMounts (and .Values.config.tlsserver.deploy (or .Values.config.tlsserver.existingSecret .Values.config.tlsserver.serverkey .Values.config.tlsserver.servercrt .Values.config.tlsserver.cacrt)) }} + volumeMounts: + {{- if and .Values.config.tlsserver.deploy (or .Values.config.tlsserver.existingSecret .Values.config.tlsserver.serverkey .Values.config.tlsserver.servercrt .Values.config.tlsserver.cacrt) }} + - mountPath: /etc/certs/server + 
name: certs-volume + readOnly: true + {{- end }} + {{- if or .Values.extraVolumeMounts }} +{{ toYaml .Values.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.extraVolumes (and .Values.config.tlsserver.deploy (or .Values.config.tlsserver.existingSecret .Values.config.tlsserver.serverkey .Values.config.tlsserver.servercrt .Values.config.tlsserver.cacrt)) }} + volumes: + {{- if and .Values.config.tlsserver.deploy (or .Values.config.tlsserver.existingSecret .Values.config.tlsserver.serverkey .Values.config.tlsserver.servercrt .Values.config.tlsserver.cacrt) }} + - name: certs-volume + secret: + {{- if .Values.config.tlsserver.existingSecret }} + secretName: {{.Values.config.tlsserver.existingSecret }} + {{- else }} + secretName: {{ include "falcosidekick.fullname" . }}-certs + {{- end }} + {{- end }} + {{- if or .Values.extraVolumes }} +{{ toYaml .Values.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + diff --git a/falco/charts/falcosidekick/templates/ingress-ui.yaml b/falco/charts/falcosidekick/templates/ingress-ui.yaml new file mode 100644 index 0000000..5c695f4 --- /dev/null +++ b/falco/charts/falcosidekick/templates/ingress-ui.yaml 
@@ -0,0 +1,54 @@ +{{- if and .Values.webui.enabled .Values.webui.ingress.enabled -}} +{{- $fullName := include "falcosidekick.fullname" . -}} +{{- $ingressApiIsStable := eq (include "falcosidekick.ingress.isStable" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "falcosidekick.ingress.supportsPathType" .) "true" -}} +--- +apiVersion: {{ include "falcosidekick.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui + {{- with .Values.webui.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.webui.ingress.ingressClassName }} + ingressClassName: {{ .Values.webui.ingress.ingressClassName }} +{{- end }} +{{- if .Values.webui.ingress.tls }} + tls: + {{- range .Values.webui.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.webui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if $ingressSupportsPathType }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }}-ui + port: + name: http + {{- else }} + serviceName: {{ $fullName }}-ui + servicePort: http + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/ingress.yaml b/falco/charts/falcosidekick/templates/ingress.yaml new file mode 100644 index 0000000..0f43daa --- /dev/null +++ b/falco/charts/falcosidekick/templates/ingress.yaml 
@@ -0,0 +1,54 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "falcosidekick.fullname" . -}} +{{- $ingressApiIsStable := eq (include "falcosidekick.ingress.isStable" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "falcosidekick.ingress.supportsPathType" .) "true" -}} +--- +apiVersion: {{ include "falcosidekick.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if $ingressSupportsPathType }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + name: http + {{- else }} + serviceName: {{ $fullName }} + servicePort: http + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/podsecuritypolicy.yaml b/falco/charts/falcosidekick/templates/podsecuritypolicy.yaml new file mode 100644 index 0000000..80ce088 --- /dev/null +++ b/falco/charts/falcosidekick/templates/podsecuritypolicy.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.podSecurityPolicy.create}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "falcosidekick.fullname" . }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - secret +{{- end }} diff --git a/falco/charts/falcosidekick/templates/prometheusrule.yaml b/falco/charts/falcosidekick/templates/prometheusrule.yaml new file mode 100644 index 0000000..39cfd9f --- /dev/null +++ b/falco/charts/falcosidekick/templates/prometheusrule.yaml 
@@ -0,0 +1,92 @@ +{{- if and .Values.prometheusRules.enabled .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "falcosidekick.fullname" . }} + {{- if .Values.prometheusRules.namespace }} + namespace: {{ .Values.prometheusRules.namespace }} + {{- end }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core + {{- if .Values.prometheusRules.additionalLabels }} + {{- toYaml .Values.prometheusRules.additionalLabels | nindent 4 }} + {{- end }} +spec: + groups: + - name: falcosidekick + rules: + {{- if .Values.prometheusRules.enabled }} + - alert: FalcosidekickAbsent + expr: absent(up{job="{{- include "falcosidekick.fullname" . }}"}) + for: 10m + annotations: + summary: Falcosidekick has dissapeared from Prometheus service discovery. + description: No metrics are being scraped from falcosidekick. No events will trigger any alerts. + labels: + severity: critical + {{- end }} + {{- if .Values.prometheusRules.alerts.warning.enabled }} + - alert: FalcoWarningEventsRateHigh + annotations: + summary: Falco is experiencing high rate of warning events + description: A high rate of warning events are being detected by Falco + expr: rate(falco_events{priority="4"}[{{ .Values.prometheusRules.alerts.warning.rate_interval }}]) > {{ .Values.prometheusRules.alerts.warning.threshold }} + for: 15m + labels: + severity: warning + {{- end }} + {{- if .Values.prometheusRules.alerts.error.enabled }} + - alert: FalcoErrorEventsRateHigh + annotations: + summary: Falco is experiencing high rate of error events + description: A high rate of error events are being detected by Falco + expr: rate(falco_events{priority="3"}[{{ .Values.prometheusRules.alerts.error.rate_interval }}]) > {{ .Values.prometheusRules.alerts.error.threshold }} + for: 15m + labels: + severity: warning + {{- end }} + {{- if .Values.prometheusRules.alerts.critical.enabled }} + - alert: 
FalcoCriticalEventsRateHigh + annotations: + summary: Falco is experiencing high rate of critical events + description: A high rate of critical events are being detected by Falco + expr: rate(falco_events{priority="2"}[{{ .Values.prometheusRules.alerts.critical.rate_interval }}]) > {{ .Values.prometheusRules.alerts.critical.threshold }} + for: 15m + labels: + severity: critical + {{- end }} + {{- if .Values.prometheusRules.alerts.alert.enabled }} + - alert: FalcoAlertEventsRateHigh + annotations: + summary: Falco is experiencing high rate of alert events + description: A high rate of alert events are being detected by Falco + expr: rate(falco_events{priority="1"}[{{ .Values.prometheusRules.alerts.alert.rate_interval }}]) > {{ .Values.prometheusRules.alerts.alert.threshold }} + for: 5m + labels: + severity: critical + {{- end }} + {{- if .Values.prometheusRules.alerts.emergency.enabled }} + - alert: FalcoEmergencyEventsRateHigh + annotations: + summary: Falco is experiencing high rate of emergency events + description: A high rate of emergency events are being detected by Falco + expr: rate(falco_events{priority="0"}[{{ .Values.prometheusRules.alerts.emergency.rate_interval }}]) > {{ .Values.prometheusRules.alerts.emergency.threshold }} + for: 1m + labels: + severity: critical + {{- end }} + {{- if .Values.prometheusRules.alerts.output.enabled }} + - alert: FalcoEmergencyEventsRateHigh + annotations: + summary: Falcosidekick is experiencing high rate of errors for an output + description: A high rate of errors are being detecting for an output + expr: rate(falcosidekick_output{status="error"}[{{ .Values.prometheusRules.alerts.output.rate_interval }}]) by (destination) > {{ .Values.prometheusRules.alerts.output.threshold }} + for: 1m + labels: + severity: warning + {{- end }} + {{- with .Values.prometheusRules.additionalAlerts }} + {{ . | nindent 4 }} + {{- end }} +{{- end }} 
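Review bot: the output-error alert's expression in prometheusrule.yaml is not valid PromQL: `rate(falcosidekick_output{status="error"}[...]) by (destination)` attaches a `by` clause to `rate()`, but `by`/`without` only apply to aggregation operators, so Prometheus will reject the whole rule group; write it as `sum by (destination) (rate(falcosidekick_output{status="error"}[...])) > threshold`. The same block reuses the name `FalcoEmergencyEventsRateHigh` from the emergency-events alert directly above it, so the two fire under one name and cannot be routed or silenced separately; give it its own name, e.g. `FalcosidekickOutputErrorsRateHigh`. Minor: the inner `{{- if .Values.prometheusRules.enabled }}` is already implied by the outer `and`, `dissapeared` should be `disappeared`, and the output alert description reads `are being detecting`.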
diff --git a/falco/charts/falcosidekick/templates/rbac-ui.yaml b/falco/charts/falcosidekick/templates/rbac-ui.yaml new file mode 100644 index 0000000..6a3c0d1 --- /dev/null +++ b/falco/charts/falcosidekick/templates/rbac-ui.yaml @@ -0,0 +1,37 @@ +{{- if .Values.webui.enabled -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "falcosidekick.fullname" . }}-ui +subjects: +- kind: ServiceAccount + name: {{ include "falcosidekick.fullname" . }}-ui +{{- end }} diff --git a/falco/charts/falcosidekick/templates/rbac.yaml b/falco/charts/falcosidekick/templates/rbac.yaml new file mode 100644 index 0000000..bf601c6 --- /dev/null +++ b/falco/charts/falcosidekick/templates/rbac.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn }} + {{- end }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get +{{- if .Values.podSecurityPolicy.create }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "falcosidekick.fullname" . }} + verbs: + - use +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "falcosidekick.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "falcosidekick.fullname" . }} +{{- if .Values.config.policyreport.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "falcosidekick.fullname" . }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +rules: +- apiGroups: + - "wgpolicyk8s.io" + resources: + - policyreports + - clusterpolicyreports + verbs: + - get + - create + - delete + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "falcosidekick.fullname" . 
}} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "falcosidekick.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "falcosidekick.fullname" . }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/secrets-ui.yaml b/falco/charts/falcosidekick/templates/secrets-ui.yaml new file mode 100644 index 0000000..225f134 --- /dev/null +++ b/falco/charts/falcosidekick/templates/secrets-ui.yaml @@ -0,0 +1,37 @@ +{{- if .Values.webui.enabled -}} +{{- if eq .Values.webui.existingSecret "" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui +type: Opaque +data: + {{- if .Values.webui.user }} + FALCOSIDEKICK_UI_USER: "{{ .Values.webui.user | b64enc}}" + {{- end }} + {{- if .Values.webui.redis.password }} + FALCOSIDEKICK_UI_REDIS_PASSWORD: "{{ .Values.webui.redis.password | b64enc}}" + {{- end }} +{{- end }} +{{- if eq .Values.webui.redis.existingSecret "" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui +type: Opaque +data: + {{- if .Values.webui.redis.password }} + REDIS_ARGS: "{{ printf "--requirepass %s" .Values.webui.redis.password | b64enc}}" + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/falco/charts/falcosidekick/templates/secrets.yaml b/falco/charts/falcosidekick/templates/secrets.yaml new file mode 100644 index 0000000..adae94b --- /dev/null +++ b/falco/charts/falcosidekick/templates/secrets.yaml 
@@ -0,0 +1,451 @@ +{{- if eq .Values.config.existingSecret "" }} +{{- $fullName := include "falcosidekick.fullname" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core +type: Opaque +data: + # Slack Output + SLACK_WEBHOOKURL: "{{ .Values.config.slack.webhookurl | b64enc }}" + SLACK_CHANNEL: "{{ .Values.config.slack.channel | b64enc }}" + SLACK_OUTPUTFORMAT: "{{ .Values.config.slack.outputformat | b64enc }}" + SLACK_FOOTER: "{{ .Values.config.slack.footer | b64enc }}" + SLACK_ICON: "{{ .Values.config.slack.icon | b64enc }}" + SLACK_USERNAME: "{{ .Values.config.slack.username | b64enc }}" + SLACK_MINIMUMPRIORITY: "{{ .Values.config.slack.minimumpriority | b64enc }}" + SLACK_MESSAGEFORMAT: "{{ .Values.config.slack.messageformat | b64enc }}" + + # RocketChat Output + ROCKETCHAT_WEBHOOKURL: "{{ .Values.config.rocketchat.webhookurl | b64enc }}" + ROCKETCHAT_OUTPUTFORMAT: "{{ .Values.config.rocketchat.outputformat | b64enc }}" + ROCKETCHAT_ICON: "{{ .Values.config.rocketchat.icon | b64enc }}" + ROCKETCHAT_USERNAME: "{{ .Values.config.rocketchat.username | b64enc }}" + ROCKETCHAT_MINIMUMPRIORITY: "{{ .Values.config.rocketchat.minimumpriority | b64enc }}" + ROCKETCHAT_MESSAGEFORMAT: "{{ .Values.config.rocketchat.messageformat | b64enc }}" + ROCKETCHAT_MUTUALTLS: "{{ .Values.config.rocketchat.mutualtls | printf "%t" | b64enc }}" + ROCKETCHAT_CHECKCERT: "{{ .Values.config.rocketchat.checkcert | printf "%t" | b64enc }}" + + # Mattermost Output + MATTERMOST_WEBHOOKURL: "{{ .Values.config.mattermost.webhookurl | b64enc }}" + MATTERMOST_OUTPUTFORMAT: "{{ .Values.config.mattermost.outputformat | b64enc }}" + MATTERMOST_FOOTER: "{{ .Values.config.mattermost.footer | b64enc }}" + MATTERMOST_ICON: "{{ .Values.config.mattermost.icon | b64enc }}" + MATTERMOST_USERNAME: "{{ 
.Values.config.mattermost.username | b64enc }}" + MATTERMOST_MINIMUMPRIORITY: "{{ .Values.config.mattermost.minimumpriority | b64enc }}" + MATTERMOST_MESSAGEFORMAT: "{{ .Values.config.mattermost.messageformat | b64enc }}" + MATTERMOST_MUTUALTLS: "{{ .Values.config.mattermost.mutualtls | printf "%t" | b64enc }}" + MATTERMOST_CHECKCERT: "{{ .Values.config.mattermost.checkcert | printf "%t" | b64enc }}" + + # Teams Output + TEAMS_WEBHOOKURL: "{{ .Values.config.teams.webhookurl | b64enc }}" + TEAMS_OUTPUTFORMAT: "{{ .Values.config.teams.outputformat | b64enc }}" + TEAMS_ACTIVITYIMAGE: "{{ .Values.config.teams.activityimage | b64enc }}" + TEAMS_MINIMUMPRIORITY: "{{ .Values.config.teams.minimumpriority | b64enc }}" + + # Datadog Output + DATADOG_APIKEY: "{{ .Values.config.datadog.apikey | b64enc }}" + DATADOG_HOST: "{{ .Values.config.datadog.host | b64enc }}" + DATADOG_MINIMUMPRIORITY: "{{ .Values.config.datadog.minimumpriority | b64enc }}" + + # AlertManager Output + ALERTMANAGER_HOSTPORT: "{{ .Values.config.alertmanager.hostport | b64enc }}" + ALERTMANAGER_ENDPOINT: "{{ .Values.config.alertmanager.endpoint | b64enc }}" + ALERTMANAGER_EXPIRESAFTER: "{{ .Values.config.alertmanager.expireafter | b64enc }}" + {{- if .Values.config.alertmanager.extralabels }} + ALERTMANAGER_EXTRALABELS: "{{ .Values.config.alertmanager.extralabels | b64enc }}" + {{- end }} + {{- if .Values.config.alertmanager.extraannotations }} + ALERTMANAGER_EXTRAANNOTATIONS: "{{ .Values.config.alertmanager.extraannotations | b64enc }}" + {{- end }} + {{- if .Values.config.alertmanager.customseveritymap }} + ALERTMANAGER_CUSTOMSEVERITYMAP: "{{ .Values.config.alertmanager.customseveritymap | b64enc }}" + {{- end }} + {{- if .Values.config.alertmanager.dropeventdefaultpriority }} + ALERTMANAGER_DROPEVENTDEFAULTPRIORITY: "{{ .Values.config.alertmanager.dropeventdefaultpriority | b64enc }}" + {{- end }} + {{- if .Values.config.alertmanager.dropeventthresholds }} + ALERTMANAGER_DROPEVENTTHRESHOLDS: "{{ 
.Values.config.alertmanager.dropeventthresholds | b64enc }}" + {{- end }} + ALERTMANAGER_MINIMUMPRIORITY: "{{ .Values.config.alertmanager.minimumpriority | b64enc }}" + ALERTMANAGER_MUTUALTLS: "{{ .Values.config.alertmanager.mutualtls | printf "%t" | b64enc }}" + ALERTMANAGER_CHECKCERT: "{{ .Values.config.alertmanager.checkcert | printf "%t" | b64enc }}" + + # InfluxDB Output + INFLUXDB_USER: "{{ .Values.config.influxdb.user | b64enc }}" + INFLUXDB_PASSWORD: "{{ .Values.config.influxdb.password | b64enc }}" + INFLUXDB_TOKEN: "{{ .Values.config.influxdb.token | b64enc }}" + INFLUXDB_HOSTPORT: "{{ .Values.config.influxdb.hostport | b64enc }}" + INFLUXDB_ORGANIZATION: "{{ .Values.config.influxdb.organization | b64enc }}" + INFLUXDB_PRECISION: "{{ .Values.config.influxdb.precision | b64enc }}" + INFLUXDB_MINIMUMPRIORITY: "{{ .Values.config.influxdb.minimumpriority | b64enc }}" + INFLUXDB_DATABASE: "{{ .Values.config.influxdb.database | b64enc }}" + INFLUXDB_MUTUALTLS: "{{ .Values.config.influxdb.mutualtls | printf "%t" | b64enc }}" + INFLUXDB_CHECKCERT: "{{ .Values.config.influxdb.checkcert | printf "%t" | b64enc }}" + + # AWS Output + AWS_ACCESSKEYID: "{{ .Values.config.aws.accesskeyid | b64enc }}" + {{- if not .Values.config.aws.useirsa }} + AWS_ROLEARN: "{{ .Values.config.aws.rolearn | b64enc }}" + AWS_EXTERNALID: "{{ .Values.config.aws.externalid | b64enc }}" + {{- end }} + AWS_SECRETACCESSKEY: "{{ .Values.config.aws.secretaccesskey | b64enc }}" + AWS_REGION: "{{ .Values.config.aws.region | b64enc }}" + AWS_CHECKIDENTITY: "{{ .Values.config.aws.checkidentity | printf "%t" | b64enc }}" + AWS_LAMBDA_FUNCTIONNAME: "{{ .Values.config.aws.lambda.functionname | b64enc }}" + AWS_LAMBDA_MINIMUMPRIORITY: "{{ .Values.config.aws.lambda.minimumpriority | b64enc }}" + AWS_CLOUDWATCHLOGS_LOGGROUP: "{{ .Values.config.aws.cloudwatchlogs.loggroup | b64enc }}" + AWS_CLOUDWATCHLOGS_LOGSTREAM: "{{ .Values.config.aws.cloudwatchlogs.logstream | b64enc }}" + 
AWS_CLOUDWATCHLOGS_MINIMUMPRIORITY: "{{ .Values.config.aws.cloudwatchlogs.minimumpriority | b64enc }}" + AWS_SNS_TOPICARN: "{{ .Values.config.aws.sns.topicarn | b64enc }}" + AWS_SNS_RAWJSON: "{{ .Values.config.aws.sns.rawjson| printf "%t" | b64enc }}" + AWS_SNS_MINIMUMPRIORITY: "{{ .Values.config.aws.sns.minimumpriority | b64enc }}" + AWS_SQS_URL: "{{ .Values.config.aws.sqs.url | b64enc }}" + AWS_SQS_MINIMUMPRIORITY: "{{ .Values.config.aws.sqs.minimumpriority | b64enc }}" + AWS_S3_BUCKET: "{{ .Values.config.aws.s3.bucket | b64enc }}" + AWS_S3_PREFIX: "{{ .Values.config.aws.s3.prefix | b64enc }}" + AWS_S3_MINIMUMPRIORITY: "{{ .Values.config.aws.s3.minimumpriority | b64enc }}" + AWS_KINESIS_STREAMNAME: "{{ .Values.config.aws.kinesis.streamname | b64enc }}" + AWS_KINESIS_MINIMUMPRIORITY: "{{ .Values.config.aws.kinesis.minimumpriority | b64enc }}" + AWS_SECURITYLAKE_BUCKET: "{{ .Values.config.aws.securitylake.bucket | b64enc }}" + AWS_SECURITYLAKE_REGION: "{{ .Values.config.aws.securitylake.region | b64enc }}" + AWS_SECURITYLAKE_PREFIX: "{{ .Values.config.aws.securitylake.prefix | b64enc }}" + AWS_SECURITYLAKE_ACCOUNTID: "{{ .Values.config.aws.securitylake.accountid | b64enc }}" + AWS_SECURITYLAKE_INTERVAL: "{{ .Values.config.aws.securitylake.interval | toString | b64enc }}" + AWS_SECURITYLAKE_BATCHSIZE: "{{ .Values.config.aws.securitylake.batchsize | toString | b64enc }}" + AWS_SECURITYLAKE_MINIMUMPRIORITY: "{{ .Values.config.aws.securitylake.minimumpriority | b64enc }}" + + # SMTP Output + SMTP_USER: "{{ .Values.config.smtp.user | b64enc }}" + SMTP_PASSWORD: "{{ .Values.config.smtp.password | b64enc }}" + SMTP_AUTHMECHANISM: "{{ .Values.config.smtp.authmechanism | b64enc }}" + SMTP_TLS: "{{ .Values.config.smtp.tls | printf "%t" | b64enc }}" + SMTP_HOSTPORT: "{{ .Values.config.smtp.hostport | b64enc }}" + SMTP_FROM: "{{ .Values.config.smtp.from | b64enc }}" + SMTP_TO: "{{ .Values.config.smtp.to | b64enc }}" + SMTP_TOKEN: "{{ .Values.config.smtp.token | b64enc }}" + 
SMTP_IDENTITY: "{{ .Values.config.smtp.identity | b64enc }}" + SMTP_TRACE: "{{ .Values.config.smtp.trace | b64enc }}" + SMTP_OUTPUTFORMAT: "{{ .Values.config.smtp.outputformat | b64enc }}" + SMTP_MINIMUMPRIORITY: "{{ .Values.config.smtp.minimumpriority | b64enc }}" + + # OpsGenie Output + OPSGENIE_APIKEY: "{{ .Values.config.opsgenie.apikey | b64enc }}" + OPSGENIE_REGION: "{{ .Values.config.opsgenie.region | b64enc }}" + OPSGENIE_MINIMUMPRIORITY: "{{ .Values.config.opsgenie.minimumpriority | b64enc }}" + OPSGENIE_MUTUALTLS: "{{ .Values.config.opsgenie.mutualtls | printf "%t" | b64enc }}" + OPSGENIE_CHECKCERT: "{{ .Values.config.opsgenie.checkcert | printf "%t" | b64enc }}" + + # Discord Output + DISCORD_WEBHOOKURL: "{{ .Values.config.discord.webhookurl | b64enc }}" + DISCORD_ICON: "{{ .Values.config.discord.icon | b64enc }}" + DISCORD_MINIMUMPRIORITY: "{{ .Values.config.discord.minimumpriority | b64enc }}" + + # GCP Output + GCP_CREDENTIALS: "{{ .Values.config.gcp.credentials | b64enc }}" + GCP_PUBSUB_PROJECTID: "{{ .Values.config.gcp.pubsub.projectid | b64enc }}" + GCP_PUBSUB_TOPIC: "{{ .Values.config.gcp.pubsub.topic | b64enc }}" + GCP_PUBSUB_CUSTOMATTRIBUTES: "{{ .Values.config.gcp.pubsub.customattributes | b64enc }}" + GCP_PUBSUB_MINIMUMPRIORITY: "{{ .Values.config.gcp.pubsub.minimumpriority | b64enc }}" + GCP_STORAGE_BUCKET: "{{ .Values.config.gcp.storage.bucket | b64enc }}" + GCP_STORAGE_PREFIX: "{{ .Values.config.gcp.storage.prefix | b64enc }}" + GCP_STORAGE_MINIMUMPRIORITY: "{{ .Values.config.gcp.storage.minimumpriority | b64enc }}" + GCP_CLOUDFUNCTIONS_NAME: "{{ .Values.config.gcp.cloudfunctions.name | b64enc }}" + GCP_CLOUDFUNCTIONS_MINIMUMPRIORITY: "{{ .Values.config.gcp.cloudfunctions.minimumpriority | b64enc }}" + GCP_CLOUDRUN_ENDPOINT: "{{ .Values.config.gcp.cloudrun.endpoint | b64enc }}" + GCP_CLOUDRUN_JWT: "{{ .Values.config.gcp.cloudrun.jwt | b64enc }}" + GCP_CLOUDRUN_MINIMUMPRIORITY: "{{ .Values.config.gcp.cloudrun.minimumpriority | b64enc }}" + + 
# GoogleChat Output + GOOGLECHAT_WEBHOOKURL: "{{ .Values.config.googlechat.webhookurl | b64enc }}" + GOOGLECHAT_OUTPUTFORMAT: "{{ .Values.config.googlechat.outputformat | b64enc }}" + GOOGLECHAT_MINIMUMPRIORITY: "{{ .Values.config.googlechat.minimumpriority | b64enc }}" + GOOGLECHAT_MESSAGEFORMAT: "{{ .Values.config.googlechat.messageformat | b64enc }}" + + # ElasticSearch Output + ELASTICSEARCH_HOSTPORT: "{{ .Values.config.elasticsearch.hostport | b64enc }}" + ELASTICSEARCH_INDEX: "{{ .Values.config.elasticsearch.index | b64enc }}" + ELASTICSEARCH_TYPE: "{{ .Values.config.elasticsearch.type | b64enc }}" + ELASTICSEARCH_SUFFIX: "{{ .Values.config.elasticsearch.suffix | b64enc }}" + ELASTICSEARCH_MINIMUMPRIORITY: "{{ .Values.config.elasticsearch.minimumpriority | b64enc }}" + ELASTICSEARCH_MUTUALTLS: "{{ .Values.config.elasticsearch.mutualtls | printf "%t" | b64enc }}" + ELASTICSEARCH_CHECKCERT: "{{ .Values.config.elasticsearch.checkcert | printf "%t" | b64enc }}" + ELASTICSEARCH_USERNAME: "{{ .Values.config.elasticsearch.username | b64enc }}" + ELASTICSEARCH_PASSWORD: "{{ .Values.config.elasticsearch.password | b64enc }}" + ELASTICSEARCH_CUSTOMHEADERS: "{{ .Values.config.elasticsearch.customheaders | b64enc }}" + + # Loki Output + LOKI_HOSTPORT: "{{ .Values.config.loki.hostport | b64enc }}" + LOKI_ENDPOINT: "{{ .Values.config.loki.endpoint | b64enc }}" + LOKI_USER: "{{ .Values.config.loki.user | b64enc }}" + LOKI_APIKEY: "{{ .Values.config.loki.apikey | b64enc }}" + LOKI_TENANT: "{{ .Values.config.loki.tenant | b64enc }}" + LOKI_EXTRALABELS: "{{ .Values.config.loki.extralabels | b64enc }}" + LOKI_CUSTOMHEADERS: "{{ .Values.config.loki.customheaders | b64enc }}" + LOKI_MINIMUMPRIORITY: "{{ .Values.config.loki.minimumpriority | b64enc }}" + LOKI_MUTUALTLS: "{{ .Values.config.loki.mutualtls | printf "%t" | b64enc }}" + LOKI_CHECKCERT: "{{ .Values.config.loki.checkcert | printf "%t" | b64enc }}" + + # Prometheus Output + PROMETHEUS_EXTRALABELS: "{{ 
.Values.config.prometheus.extralabels | b64enc }}" + + # Nats Output + NATS_HOSTPORT: "{{ .Values.config.nats.hostport | b64enc }}" + NATS_MINIMUMPRIORITY: "{{ .Values.config.nats.minimumpriority | b64enc }}" + NATS_MUTUALTLS: "{{ .Values.config.nats.mutualtls | printf "%t" | b64enc }}" + NATS_CHECKCERT: "{{ .Values.config.nats.checkcert | printf "%t" | b64enc }}" + + # Stan Output + STAN_HOSTPORT: "{{ .Values.config.stan.hostport | b64enc }}" + STAN_CLUSTERID: "{{ .Values.config.stan.clusterid | b64enc }}" + STAN_CLIENTID: "{{ .Values.config.stan.clientid | b64enc }}" + STAN_MINIMUMPRIORITY: "{{ .Values.config.stan.minimumpriority | b64enc }}" + STAN_MUTUALTLS: "{{ .Values.config.stan.mutualtls | printf "%t" | b64enc }}" + STAN_CHECKCERT: "{{ .Values.config.stan.checkcert | printf "%t" | b64enc }}" + + # Statsd + STATSD_FORWARDER: "{{ .Values.config.statsd.forwarder | b64enc }}" + STATSD_NAMESPACE: "{{ .Values.config.statsd.namespace | b64enc }}" + + # Dogstatsd + DOGSTATSD_FORWARDER: "{{ .Values.config.dogstatsd.forwarder | b64enc }}" + DOGSTATSD_NAMESPACE: "{{ .Values.config.dogstatsd.namespace | b64enc }}" + DOGSTATSD_TAGS: "{{ .Values.config.dogstatsd.tags | b64enc }}" + + # WebHook Output + WEBHOOK_ADDRESS: "{{ .Values.config.webhook.address | b64enc }}" + WEBHOOK_METHOD: "{{ .Values.config.webhook.method | b64enc }}" + WEBHOOK_CUSTOMHEADERS: "{{ .Values.config.webhook.customHeaders | b64enc }}" + WEBHOOK_MINIMUMPRIORITY: "{{ .Values.config.webhook.minimumpriority | b64enc }}" + WEBHOOK_MUTUALTLS: "{{ .Values.config.webhook.mutualtls | printf "%t" | b64enc }}" + WEBHOOK_CHECKCERT: "{{ .Values.config.webhook.checkcert | printf "%t" | b64enc }}" + + # Azure Output + AZURE_EVENTHUB_NAME: "{{ .Values.config.azure.eventHub.name | b64enc }}" + AZURE_EVENTHUB_NAMESPACE: "{{ .Values.config.azure.eventHub.namespace | b64enc }}" + AZURE_EVENTHUB_MINIMUMPRIORITY: "{{ .Values.config.azure.eventHub.minimumpriority | b64enc }}" + + # Kafka Output + KAFKA_HOSTPORT: "{{ 
.Values.config.kafka.hostport | b64enc }}" + KAFKA_TOPIC: "{{ .Values.config.kafka.topic | b64enc }}" + KAFKA_SASL: "{{ .Values.config.kafka.sasl | b64enc }}" + KAFKA_TLS: "{{ .Values.config.kafka.tls | printf "%t" |b64enc }}" + KAFKA_USERNAME: "{{ .Values.config.kafka.username | b64enc }}" + KAFKA_PASSWORD: "{{ .Values.config.kafka.password | b64enc }}" + KAFKA_ASYNC: "{{ .Values.config.kafka.async | printf "%t" | b64enc }}" + KAFKA_REQUIREDACKS: "{{ .Values.config.kafka.requiredacks | b64enc }}" + KAFKA_COMPRESSION: "{{ .Values.config.kafka.compression | b64enc }}" + KAFKA_BALANCER: "{{ .Values.config.kafka.balancer | b64enc }}" + KAFKA_TOPICCREATION: "{{ .Values.config.kafka.topiccreation | printf "%t" | b64enc }}" + KAFKA_CLIENTID: "{{ .Values.config.kafka.clientid | b64enc }}" + KAFKA_MINIMUMPRIORITY: "{{ .Values.config.kafka.minimumpriority | b64enc }}" + + # PagerDuty Output + PAGERDUTY_ROUTINGKEY: "{{ .Values.config.pagerduty.routingkey | b64enc }}" + PAGERDUTY_REGION: "{{ .Values.config.pagerduty.region | b64enc }}" + PAGERDUTY_MINIMUMPRIORITY: "{{ .Values.config.pagerduty.minimumpriority | b64enc }}" + + # Kubeless Output + KUBELESS_FUNCTION: "{{ .Values.config.kubeless.function | b64enc }}" + KUBELESS_NAMESPACE: "{{ .Values.config.kubeless.namespace | b64enc }}" + KUBELESS_PORT: "{{ .Values.config.kubeless.port | toString | b64enc }}" + KUBELESS_MINIMUMPRIORITY: "{{ .Values.config.kubeless.minimumpriority | b64enc }}" + KUBELESS_MUTUALTLS: "{{ .Values.config.kubeless.mutualtls | printf "%t" | b64enc }}" + KUBELESS_CHECKCERT: "{{ .Values.config.kubeless.checkcert | printf "%t" | b64enc }}" + + # OpenFaaS + OPENFAAS_GATEWAYNAMESPACE: "{{ .Values.config.openfaas.gatewaynamespace | b64enc }}" + OPENFAAS_GATEWAYSERVICE: "{{ .Values.config.openfaas.gatewayservice | b64enc }}" + OPENFAAS_FUNCTIONNAME: "{{ .Values.config.openfaas.functionname | b64enc }}" + OPENFAAS_FUNCTIONNAMESPACE: "{{ .Values.config.openfaas.functionnamespace | b64enc }}" + 
OPENFAAS_GATEWAYPORT: "{{ .Values.config.openfaas.gatewayport | toString | b64enc }}" + OPENFAAS_MINIMUMPRIORITY: "{{ .Values.config.openfaas.minimumpriority | b64enc }}" + OPENFAAS_MUTUALTLS: "{{ .Values.config.openfaas.mutualtls | printf "%t" | b64enc }}" + OPENFAAS_CHECKCERT: "{{ .Values.config.openfaas.checkcert | printf "%t" | b64enc }}" + + # Cloud Events Output + CLOUDEVENTS_ADDRESS: "{{ .Values.config.cloudevents.address | b64enc }}" + CLOUDEVENTS_EXTENSION: "{{ .Values.config.cloudevents.extension | b64enc }}" + CLOUDEVENTS_MINIMUMPRIORITY: "{{ .Values.config.cloudevents.minimumpriority | b64enc }}" + + # RabbitMQ Output + RABBITMQ_URL: "{{ .Values.config.rabbitmq.url | b64enc}}" + RABBITMQ_QUEUE: "{{ .Values.config.rabbitmq.queue | b64enc}}" + RABBITMQ_MINIMUMPRIORITY: "{{ .Values.config.rabbitmq.minimumpriority | b64enc}}" + + # Wavefront Output + WAVEFRONT_ENDPOINTTYPE: "{{ .Values.config.wavefront.endpointtype | b64enc}}" + WAVEFRONT_ENDPOINTHOST: "{{ .Values.config.wavefront.endpointhost | b64enc}}" + WAVEFRONT_ENDPOINTTOKEN: "{{ .Values.config.wavefront.endpointtoken | b64enc}}" + WAVEFRONT_ENDPOINTMETRICPORT: "{{ .Values.config.wavefront.endpointmetricport | toString | b64enc}}" + WAVEFRONT_FLUSHINTERVALSECONDS: "{{ .Values.config.wavefront.flushintervalseconds | toString | b64enc}}" + WAVEFRONT_BATCHSIZE: "{{ .Values.config.wavefront.batchsize | toString | b64enc}}" + WAVEFRONT_METRICNAME: "{{ .Values.config.wavefront.metricname | b64enc}}" + WAVEFRONT_MINIMUMPRIORITY: "{{ .Values.config.wavefront.minimumpriority | b64enc}}" + + # Grafana Output + GRAFANA_HOSTPORT: "{{ .Values.config.grafana.hostport | b64enc}}" + GRAFANA_APIKEY: "{{ .Values.config.grafana.apikey | b64enc}}" + GRAFANA_DASHBOARDID: "{{ .Values.config.grafana.dashboardid | toString | b64enc}}" + GRAFANA_PANELID: "{{ .Values.config.grafana.panelid | toString | b64enc}}" + GRAFANA_ALLFIELDSASTAGS: "{{ .Values.config.grafana.allfieldsastags | printf "%t" | b64enc}}" + 
GRAFANA_CUSTOMHEADERS: "{{ .Values.config.grafana.customheaders | b64enc}}" + GRAFANA_MUTUALTLS: "{{ .Values.config.grafana.mutualtls | printf "%t" | b64enc}}" + GRAFANA_CHECKCERT: "{{ .Values.config.grafana.checkcert | printf "%t" | b64enc}}" + GRAFANA_MINIMUMPRIORITY: "{{ .Values.config.grafana.minimumpriority | b64enc}}" + + # Grafana On Call Output + GRAFANAONCALL_WEBHOOKURL: "{{ .Values.config.grafanaoncall.webhookurl | b64enc}}" + GRAFANAONCALL_CUSTOMHEADERS: "{{ .Values.config.grafanaoncall.customheaders | b64enc}}" + GRAFANAONCALL_CHECKCERT: "{{ .Values.config.grafanaoncall.checkcert | printf "%t" | b64enc}}" + GRAFANAONCALL_MUTUALTLS: "{{ .Values.config.grafanaoncall.mutualtls | printf "%t" | b64enc}}" + GRAFANAONCALL_MINIMUMPRIORITY: "{{ .Values.config.grafanaoncall.minimumpriority | b64enc}}" + + # Fission Output + FISSION_FUNCTION: "{{ .Values.config.fission.function | b64enc}}" + FISSION_ROUTERNAMESPACE: "{{ .Values.config.fission.routernamespace | b64enc}}" + FISSION_ROUTERSERVICE: "{{ .Values.config.fission.routerservice | b64enc}}" + FISSION_ROUTERPORT: "{{ .Values.config.fission.routerport | toString | b64enc}}" + FISSION_MINIMUMPRIORITY: "{{ .Values.config.fission.minimumpriority| b64enc}}" + FISSION_MUTUALTLS: "{{ .Values.config.fission.mutualtls | printf "%t" | b64enc}}" + FISSION_CHECKCERT: "{{ .Values.config.fission.checkcert | printf "%t" | b64enc}}" + + # Yandex Output + YANDEX_ACCESSKEYID: "{{ .Values.config.yandex.accesskeyid | b64enc}}" + YANDEX_SECRETACCESSKEY: "{{ .Values.config.yandex.secretaccesskey | b64enc}}" + YANDEX_REGION: "{{ .Values.config.yandex.region | b64enc}}" + YANDEX_S3_ENDPOINT: "{{ .Values.config.yandex.s3.endpoint | b64enc}}" + YANDEX_S3_BUCKET: "{{ .Values.config.yandex.s3.bucket | b64enc}}" + YANDEX_S3_PREFIX: "{{ .Values.config.yandex.s3.prefix | b64enc}}" + YANDEX_S3_MINIMUMPRIORITY: "{{ .Values.config.yandex.s3.minimumpriority | b64enc}}" + YANDEX_DATASTREAMS_ENDPOINT: "{{ 
.Values.config.yandex.datastreams.endpoint | b64enc}}" + YANDEX_DATASTREAMS_STREAMNAME: "{{ .Values.config.yandex.datastreams.streamname | b64enc}}" + YANDEX_DATASTREAMS_MINIMUMPRIORITY: "{{ .Values.config.yandex.datastreams.minimumpriority | b64enc}}" + + # KafkaRest Output + KAFKAREST_ADDRESS: "{{ .Values.config.kafkarest.address | b64enc}}" + KAFKAREST_VERSION: "{{ .Values.config.kafkarest.version | toString | b64enc}}" + KAFKAREST_MINIMUMPRIORITY : "{{ .Values.config.kafkarest.minimumpriority | b64enc}}" + KAFKAREST_MUTUALTLS : "{{ .Values.config.kafkarest.mutualtls | printf "%t" | b64enc}}" + KAFKAREST_CHECKCERT : "{{ .Values.config.kafkarest.checkcert | printf "%t" | b64enc}}" + + # Syslog + SYSLOG_HOST: "{{ .Values.config.syslog.host | b64enc}}" + SYSLOG_PORT: "{{ .Values.config.syslog.port | toString | b64enc}}" + SYSLOG_PROTOCOL: "{{ .Values.config.syslog.protocol | b64enc}}" + SYSLOG_FORMAT: "{{ .Values.config.syslog.format | b64enc}}" + SYSLOG_MINIMUMPRIORITY : "{{ .Values.config.syslog.minimumpriority | b64enc}}" + + # Zoho Cliq + CLIQ_WEBHOOKURL: "{{ .Values.config.cliq.webhookurl | b64enc}}" + CLIQ_ICON: "{{ .Values.config.cliq.icon | b64enc}}" + CLIQ_USEEMOJI: "{{ .Values.config.cliq.useemoji | printf "%t" | b64enc}}" + CLIQ_OUTPUTFORMAT: "{{ .Values.config.cliq.outputformat | b64enc}}" + CLIQ_MESSAGEFORMAT: "{{ .Values.config.cliq.messageformat | b64enc}}" + CLIQ_MINIMUMPRIORITY : "{{ .Values.config.cliq.minimumpriority | b64enc}}" + + # Policy Reporter + POLICYREPORT_ENABLED: "{{ .Values.config.policyreport.enabled | printf "%t"| b64enc}}" + POLICYREPORT_KUBECONFIG: "{{ .Values.config.policyreport.kubeconfig | b64enc}}" + POLICYREPORT_MAXEVENTS: "{{ .Values.config.policyreport.maxevents | toString | b64enc}}" + POLICYREPORT_PRUNEBYPRIORITY: "{{ .Values.config.policyreport.prunebypriority | printf "%t" | b64enc}}" + POLICYREPORT_MINIMUMPRIORITY : "{{ .Values.config.policyreport.minimumpriority | b64enc}}" + + # Node Red + NODERED_ADDRESS: "{{ 
.Values.config.nodered.address | b64enc}}" + NODERED_USER: "{{ .Values.config.nodered.user | b64enc}}" + NODERED_PASSWORD: "{{ .Values.config.nodered.password | b64enc}}" + NODERED_CUSTOMHEADERS: "{{ .Values.config.nodered.customheaders | b64enc}}" + NODERED_CHECKCERT : "{{ .Values.config.nodered.checkcert | printf "%t" | b64enc}}" + NODERED_MINIMUMPRIORITY : "{{ .Values.config.nodered.minimumpriority | b64enc}}" + + # MQTT + MQTT_BROKER: "{{ .Values.config.mqtt.broker | b64enc}}" + MQTT_TOPIC: "{{ .Values.config.mqtt.topic | b64enc}}" + MQTT_QOS: "{{ .Values.config.mqtt.qos | toString | b64enc}}" + MQTT_RETAINED : "{{ .Values.config.mqtt.retained | printf "%t" | b64enc}}" + MQTT_USER: "{{ .Values.config.mqtt.user | b64enc}}" + MQTT_PASSWORD: "{{ .Values.config.mqtt.password | b64enc}}" + MQTT_CHECKCERT : "{{ .Values.config.mqtt.checkcert | printf "%t" | b64enc}}" + MQTT_MINIMUMPRIORITY : "{{ .Values.config.mqtt.minimumpriority | b64enc}}" + + # Zincsearch + ZINCSEARCH_HOSTPORT: "{{ .Values.config.zincsearch.hostport | b64enc}}" + ZINCSEARCH_INDEX: "{{ .Values.config.zincsearch.index | b64enc}}" + ZINCSEARCH_USERNAME: "{{ .Values.config.zincsearch.username | b64enc}}" + ZINCSEARCH_PASSWORD: "{{ .Values.config.zincsearch.password | b64enc}}" + ZINCSEARCH_CHECKCERT : "{{ .Values.config.zincsearch.checkcert | printf "%t" | b64enc}}" + ZINCSEARCH_MINIMUMPRIORITY : "{{ .Values.config.zincsearch.minimumpriority | b64enc}}" + + # Gotify + GOTIFY_HOSTPORT: "{{ .Values.config.gotify.hostport | b64enc}}" + GOTIFY_TOKEN: "{{ .Values.config.gotify.token | b64enc}}" + GOTIFY_FORMAT: "{{ .Values.config.gotify.format | b64enc}}" + GOTIFY_CHECKCERT : "{{ .Values.config.gotify.checkcert | printf "%t" | b64enc}}" + GOTIFY_MINIMUMPRIORITY : "{{ .Values.config.gotify.minimumpriority | b64enc}}" + + # Tekton + TEKTON_EVENTLISTENER: "{{ .Values.config.tekton.eventlistener | b64enc}}" + TEKTON_CHECKCERT : "{{ .Values.config.tekton.checkcert | printf "%t" | b64enc}}" + 
TEKTON_MINIMUMPRIORITY : "{{ .Values.config.tekton.minimumpriority | b64enc}}" + + # Spyderbat + SPYDERBAT_ORGUID: "{{ .Values.config.spyderbat.orguid | b64enc}}" + SPYDERBAT_APIKEY: "{{ .Values.config.spyderbat.apikey | b64enc}}" + SPYDERBAT_APIURL: "{{ .Values.config.spyderbat.apiurl | b64enc}}" + SPYDERBAT_SOURCE: "{{ .Values.config.spyderbat.source | b64enc}}" + SPYDERBAT_SOURCEDESCRIPTION: "{{ .Values.config.spyderbat.sourcedescription | b64enc}}" + SPYDERBAT_MINIMUMPRIORITY : "{{ .Values.config.spyderbat.minimumpriority | b64enc}}" + + # TimescaleDB + TIMESCALEDB_HOST: "{{ .Values.config.timescaledb.host | b64enc}}" + TIMESCALEDB_PORT: "{{ .Values.config.timescaledb.port | toString | b64enc}}" + TIMESCALEDB_USER: "{{ .Values.config.timescaledb.user | b64enc}}" + TIMESCALEDB_PASSWORD: "{{ .Values.config.timescaledb.password | b64enc}}" + TIMESCALEDB_DATABASE: "{{ .Values.config.timescaledb.database | b64enc}}" + TIMESCALEDB_HYPERTABLENAME: "{{ .Values.config.timescaledb.hypertablename | b64enc}}" + TIMESCALEDB_MINIMUMPRIORITY : "{{ .Values.config.timescaledb.minimumpriority | b64enc}}" + + # Redis Output + REDIS_ADDRESS: "{{ .Values.config.redis.address | b64enc}}" + REDIS_PASSWORD: "{{ .Values.config.redis.password | b64enc}}" + REDIS_DATABASE: "{{ .Values.config.redis.database | toString | b64enc}}" + REDIS_KEY: "{{ .Values.config.redis.key | b64enc}}" + REDIS_STORAGETYPE: "{{ .Values.config.redis.storagetype | b64enc}}" + REDIS_MINIMUMPRIORITY : "{{ .Values.config.redis.minimumpriority | b64enc}}" + + # TELEGRAM Output + TELEGRAM_TOKEN: "{{ .Values.config.telegram.token | b64enc}}" + TELEGRAM_CHATID: "{{ .Values.config.telegram.chatid | b64enc}}" + TELEGRAM_MINIMUMPRIORITY : "{{ .Values.config.telegram.minimumpriority | b64enc}}" + TELEGRAM_CHECKCERT : "{{ .Values.config.telegram.checkcert | printf "%t" | b64enc}}" + + # N8N Output + N8N_ADDRESS: "{{ .Values.config.n8n.address | b64enc}}" + N8N_USER: "{{ .Values.config.n8n.user | b64enc}}" + N8N_PASSWORD: 
"{{ .Values.config.n8n.password | b64enc}}" + N8N_MINIMUMPRIORITY : "{{ .Values.config.n8n.minimumpriority | b64enc}}" + N8N_CHECKCERT : "{{ .Values.config.n8n.checkcert | printf "%t" | b64enc}}" + + # Open Observe Output + OPENOBSERVE_HOSTPORT: "{{ .Values.config.openobserve.hostport | b64enc}}" + OPENOBSERVE_USERNAME: "{{ .Values.config.openobserve.username | b64enc}}" + OPENOBSERVE_PASSWORD: "{{ .Values.config.openobserve.password | b64enc}}" + OPENOBSERVE_CHECKCERT : "{{ .Values.config.openobserve.checkcert | printf "%t" | b64enc}}" + OPENOBSERVE_MUTUALTLS : "{{ .Values.config.openobserve.mutualtls | printf "%t" | b64enc}}" + OPENOBSERVE_CUSTOMHEADERS : "{{ .Values.config.openobserve.customheaders | b64enc}}" + OPENOBSERVE_ORGANIZATIONNAME: "{{ .Values.config.openobserve.organizationname | b64enc}}" + OPENOBSERVE_STREAMNAME: "{{ .Values.config.openobserve.streamname | b64enc}}" + OPENOBSERVE_MINIMUMPRIORITY : "{{ .Values.config.openobserve.minimumpriority | b64enc}}" + + # WebUI Output + {{- if .Values.webui.enabled -}} + {{ $weburl := printf "http://%s-ui:2802" (include "falcosidekick.fullname" .) }} + WEBUI_URL: "{{ $weburl | b64enc }}" + {{- end }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/service-ui.yaml b/falco/charts/falcosidekick/templates/service-ui.yaml new file mode 100644 index 0000000..0ba7469 --- /dev/null +++ b/falco/charts/falcosidekick/templates/service-ui.yaml 
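Review bot: WEBUI_URL hardcodes both scheme and port (`printf "http://%s-ui:2802"`) while service-ui.yaml exposes the UI on `.Values.webui.service.port`; if an operator changes that value, the core pod posts events to a port the UI Service does not listen on. Derive it from the same value, e.g. `{{ $weburl := printf "http://%s-ui:%d" (include "falcosidekick.fullname" .) (.Values.webui.service.port | int) }}`. The key spacing in this block is also inconsistent (`KAFKAREST_MINIMUMPRIORITY :` next to `KAFKAREST_ADDRESS:`, and `printf "%t"| b64enc` in POLICYREPORT_ENABLED); a pass to normalise them would make the rendered Secret easier to diff against later versions.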
@@ -0,0 +1,53 @@ +{{- if .Values.webui.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui + {{- with .Values.webui.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.webui.service.type }} + ports: + - port: {{ .Values.webui.service.port }} + {{ if eq .Values.webui.service.type "NodePort" }} + nodePort: {{ .Values.webui.service.nodePort }} + {{ end }} + targetPort: {{ .Values.webui.service.targetPort }} + protocol: TCP + name: http + selector: + {{- include "falcosidekick.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: ui +{{- if .Values.webui.redis.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui + {{- with .Values.webui.redis.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.webui.redis.service.port }} + targetPort: {{ .Values.webui.redis.service.targetPort }} + protocol: TCP + name: redis + selector: + {{- include "falcosidekick.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: ui-redis +{{- end }} +{{- end }} diff --git a/falco/charts/falcosidekick/templates/service.yaml b/falco/charts/falcosidekick/templates/service.yaml new file mode 100644 index 0000000..290083b --- /dev/null +++ b/falco/charts/falcosidekick/templates/service.yaml 
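Review bot: the redis Service labels itself `app.kubernetes.io/component: ui` in metadata but selects pods with `app.kubernetes.io/component: ui-redis`; routing still works because only the selector matters, but the mismatch will mislead anyone listing Services by component. Suggest `app.kubernetes.io/component: ui-redis` on the metadata labels as well. Separately, the NodePort branch uses `{{ if eq .Values.webui.service.type "NodePort" }}` / `{{ end }}` without the `{{-` trim used everywhere else in the file, which leaves whitespace-only lines inside the `ports` list when the type is not NodePort; harmless to the YAML parser but inconsistent, so `{{- if ... }}` / `{{- end }}` would be cleaner.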
@@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core + {{- with .Values.service.annotations }} + annotations: + prometheus.io/scrape: "true" + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if not (eq .Values.config.tlsserver.notlspaths "") }} + - port: {{ .Values.config.tlsserver.notlsport }} + targetPort: http-notls + protocol: TCP + name: http-notls + {{- end }} + selector: + {{- include "falcosidekick.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: core diff --git a/falco/charts/falcosidekick/templates/servicemonitor.yaml b/falco/charts/falcosidekick/templates/servicemonitor.yaml new file mode 100644 index 0000000..1d89bd9 --- /dev/null +++ b/falco/charts/falcosidekick/templates/servicemonitor.yaml @@ -0,0 +1,26 @@ +{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: core + {{- range $key, $value := .Values.serviceMonitor.additionalLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + endpoints: + - port: http + {{- if .Values.serviceMonitor.interval }} + interval: {{ .Values.serviceMonitor.interval }} + {{- end }} + {{- if .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} + {{- end }} + selector: + matchLabels: + {{- include "falcosidekick.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: core +{{- end }} \ No newline at end of file 
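Review bot: in service.yaml the `prometheus.io/scrape: "true"` annotation sits inside `{{- with .Values.service.annotations }}`, so it is only rendered when the user supplies at least one custom annotation; with the default empty map the Service carries no scrape annotation at all. Move `annotations:` and the scrape key outside the `with` block and nest only the `toYaml` inside it. Second, the `http-notls` port is added whenever `config.tlsserver.notlspaths` is non-empty, and values.yaml defaults that to `"/ping"` while `tlsserver.deploy` defaults to `false`; the values comment says the separate HTTP server is only deployed when `deploy` is true, so the default render advertises port 2810 with a `http-notls` target that the pod is not expected to provide. Gate it on both: `{{- if and .Values.config.tlsserver.deploy (ne .Values.config.tlsserver.notlspaths "") }}`. Minor: servicemonitor.yaml is missing its trailing newline.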
diff --git a/falco/charts/falcosidekick/templates/tests/test-connection.yaml b/falco/charts/falcosidekick/templates/tests/test-connection.yaml new file mode 100644 index 0000000..f4ca33c --- /dev/null +++ b/falco/charts/falcosidekick/templates/tests/test-connection.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "falcosidekick.fullname" . }}-test-connection" + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: curl + image: appropriate/curl + command: ['curl'] + args: ["-X", "POST", '{{ include "falcosidekick.fullname" . }}:{{ .Values.service.port }}/ping'] + restartPolicy: Never + {{- with .Values.testConnection.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.testConnection.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.testConnection.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/falco/charts/falcosidekick/values.yaml b/falco/charts/falcosidekick/values.yaml new file mode 100644 index 0000000..ba52090 --- /dev/null +++ b/falco/charts/falcosidekick/values.yaml 
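Review bot: the test pod pulls `appropriate/curl` with no tag or digest, so every `helm test` run resolves a floating `latest` from Docker Hub; pin a tag (and ideally an `@sha256:` digest) so the test image is reproducible and reviewable. The probe also POSTs over plain HTTP (curl's default when no scheme is given) to `<fullname>:<service.port>/ping`, but when `config.tlsserver.deploy` is true that port serves TLS and `/ping` is meant to be reached on the `http-notls` port (see the `notlspaths` comment in values.yaml), so the test fails in exactly the hardened configuration; branch on `.Values.config.tlsserver.deploy` and target `{{ .Values.config.tlsserver.notlsport }}` in that case. Finally, `helm.sh/hook: test-success` is the Helm 2 name; Helm 3 still accepts it but documents `test` as the replacement.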
@@ -0,0 +1,1178 @@ +# Default values for falcosidekick. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- number of running pods +replicaCount: 2 + +# -- number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) +# revisionHistoryLimit: 1 + +image: + # -- The image registry to pull from + registry: docker.io + # -- The image repository to pull from + repository: falcosecurity/falcosidekick + # -- The image tag to pull + tag: 2.28.0 + # -- The image pull policy + pullPolicy: IfNotPresent + +# -- Sidekick pod securityContext +podSecurityContext: + runAsUser: 1234 + fsGroup: 1234 + +# -- Sidekick container securityContext +securityContext: {} + +# One or more secrets to be used when pulling images +# -- Secrets for the registry +imagePullSecrets: [] +# - registrySecretName + +# -- Override name +nameOverride: "" +# -- Override the name +fullnameOverride: "" + +# -- podSecurityPolicy +podSecurityPolicy: + # -- Whether to create a podSecurityPolicy + create: false + +# -- Name of the priority class to be used by the Sidekickpods, priority class needs to be created beforehand +priorityClassName: "" + +# -- additions labels on the pods +podLabels: {} +# -- additions annotations on the pods +podAnnotations: {} + +serviceMonitor: + # -- enable the deployment of a Service Monitor for the Prometheus Operator. + enabled: false + # -- specify Additional labels to be added on the Service Monitor. + additionalLabels: {} + # -- specify a user defined interval. When not specified Prometheus default interval is used. + interval: "" + # -- specify a user defined scrape timeout. When not specified Prometheus default scrape timeout is used. 
+ scrapeTimeout: "" + +prometheusRules: + # -- enable the creation of PrometheusRules for alerting + enabled: false + alerts: + warning: + # -- enable the high rate rule for the warning events + enabled: true + # -- rate interval for the high rate rule for the warning events + rate_interval: "5m" + # -- threshold for the high rate rule for the warning events + threshold: 0 + error: + # -- enable the high rate rule for the error events + enabled: true + # -- rate interval for the high rate rule for the error events + rate_interval: "5m" + # -- threshold for the high rate rule for the error events + threshold: 0 + critical: + # -- enable the high rate rule for the critical events + enabled: true + # -- rate interval for the high rate rule for the critical events + rate_interval: "5m" + # -- threshold for the high rate rule for the critical events + threshold: 0 + alert: + # -- enable the high rate rule for the alert events + enabled: true + # -- rate interval for the high rate rule for the alert events + rate_interval: "5m" + # -- threshold for the high rate rule for the alert events + threshold: 0 + emergency: + # -- enable the high rate rule for the emergency events + enabled: true + # -- rate interval for the high rate rule for the emergency events + rate_interval: "5m" + # -- threshold for the high rate rule for the emergency events + threshold: 0 + output: + # -- enable the high rate rule for the errors with the outputs + enabled: true + # -- rate interval for the high rate rule for the errors with the outputs + rate_interval: "5m" + # -- threshold for the high rate rule for the errors with the outputs + threshold: 0 + additionalAlerts: {} + +config: + # -- Existing secret with configuration + existingSecret: "" + # -- Extra environment variables + extraEnv: [] + # -- Extra command-line arguments + extraArgs: [] + # -- DEBUG environment variable + debug: false + # -- a list of escaped comma separated custom fields to add to falco events, syntax is 
"key:value\,key:value" + customfields: "" + # -- a list of escaped comma separated Go templated fields to add to falco events, syntax is "key:template\,key:template" + templatedfields: "" + # -- if not empty, the brackets in keys of Output Fields are replaced + bracketreplacer: "" + # -- folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs") + mutualtlsfilespath: "/etc/certs" + + mutualtlsclient: + # -- client certification file for mutual TLS client certification, takes priority over mutualtlsfilespath if not empty + certfile: "" + # -- client key file for mutual TLS client certification, takes priority over mutualtlsfilespath if not empty + keyfile: "" + # -- CA certification file for server certification for mutual TLS authentication, takes priority over mutualtlsfilespath if not empty + cacertfile: "" + + tlsserver: + # -- if true TLS server will be deployed instead of HTTP + deploy: false + # -- existing secret with server.crt, server.key and ca.crt files for TLS Server + existingSecret: "" + # -- server.crt file for TLS Server + servercrt: "" + # -- server certification file path for TLS Server + certfile: "/etc/certs/server/server.crt" + # -- server.key file for TLS Server + serverkey: "" + # -- server key file path for TLS Server + keyfile: "/etc/certs/server/server.key" + # -- if true mutual TLS server will be deployed instead of TLS, deploy also has to be true + mutualtls: false + # ca.crt file for client certification if mutualtls is true + cacrt: "" + # -- CA certification file path for client certification if mutualtls is true + cacertfile: "/etc/certs/server/ca.crt" + # -- port to serve http server serving selected endpoints + notlsport: 2810 + # -- a comma separated list of endpoints, if not empty, and tlsserver.deploy is true, a separate http server will be deployed for the specified endpoints (/ping endpoint needs to be notls for Kubernetes to be 
able to perform the healthchecks) + notlspaths: "/ping" + + slack: + # -- Slack Webhook URL (ex: ), if not `empty`, Slack output is *enabled* + webhookurl: "" + # -- Slack channel (optionnal) + channel: "" + # -- Slack Footer + footer: "" + # -- Slack icon (avatar) + icon: "" + # -- Slack username + username: "" + # -- `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack) + outputformat: "all" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- a Go template to format Slack Text above Attachment, displayed in addition to the output from `slack.outputformat`. If empty, no Text is displayed before Attachment + messageformat: "" + + rocketchat: + # -- Rocketchat Webhook URL (ex: ), if not `empty`, Rocketchat output is *enabled* + webhookurl: "" + # -- Rocketchat icon (avatar) + icon: "" + # -- Rocketchat username + username: "" + # -- `all` (default), `text` (only text is displayed in Rocketcaht), `fields` (only fields are displayed in Rocketchat) + outputformat: "all" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment + messageformat: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + mattermost: + # -- Mattermost Webhook URL (ex: ), if not `empty`, Mattermost output is *enabled* + webhookurl: "" + # -- Mattermost Footer + footer: "" + # -- Mattermost icon (avatar) + icon: "" + # -- Mattermost username + username: "" + # -- `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Mattermost) + outputformat: "all" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `slack.outputformat`. If empty, no Text is displayed before Attachment + messageformat: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + teams: + # -- Teams Webhook URL (ex: "), if not `empty`, Teams output is *enabled* + webhookurl: "" + # -- Teams section image + activityimage: "" + # -- `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams) + outputformat: "all" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + datadog: + # -- Datadog API Key, if not `empty`, Datadog output is *enabled* + apikey: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- Datadog host. Override if you are on the Datadog EU site. 
Defaults to american site with "" + host: "" + + alertmanager: + # -- AlertManager , if not `empty`, AlertManager is *enabled* + hostport: "" + # -- alertmanager endpoint on which falcosidekick posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"` + endpoint: "/api/v1/alerts" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if set to a non-zero value, alert expires after that time in seconds (default: 0) + expireafter: "" + # -- comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2 + extralabels: "" + # -- comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2 + extraannotations: "" + # -- comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. + customseveritymap: "" + # -- default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug + dropeventdefaultpriority: "critical" + # -- comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. 
Example: `10000:critical, 100:warning, 1:informational` + dropeventthresholds: "10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + elasticsearch: + # -- Elasticsearch , if not `empty`, Elasticsearch is *enabled* + hostport: "" + # -- Elasticsearch index + index: "falco" + # -- Elasticsearch document type + type: "_doc" + # date suffix for index rotation : daily, monthly, annually, none + suffix: "daily" + # -- use this username to authenticate to Elasticsearch if the username is not empty + username: "" + # -- use this password to authenticate to Elasticsearch if the password is not empty + password: "" + # -- a list of comma separated custom headers to add, syntax is "key:value,key:value" + customheaders: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + influxdb: + # -- Influxdb , if not `empty`, Influxdb is *enabled* + hostport: "" + # -- Influxdb database + database: "falco" + # -- Influxdb organization + organization: "" + # -- write precision + precision: "ns" + # -- User to use if auth is *enabled* in Influxdb + user: "" + # -- Password to use if auth is *enabled* in Influxdb + password: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- API token to use if auth in enabled in Influxdb (disables user and password) + token: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl 
certificate of the output is valid + checkcert: true + + loki: + # -- Loki , if not `empty`, Loki is *enabled* + hostport: "" + # -- user for Grafana Logs + user: "" + # -- API Key for Grafana Logs + apikey: "" + # -- Loki endpoint URL path, more info: + endpoint: "/loki/api/v1/push" + # -- Loki tenant, if not `empty`, Loki tenant is *enabled* + tenant: "" + # -- comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields + extralabels: "" + # -- a list of comma separated custom headers to add, syntax is "key:value,key:value" + customheaders: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + prometheus: + # -- comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields + extralabels: "" + + nats: + # -- NATS "nats://host:port", if not `empty`, NATS is *enabled* + hostport: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + stan: + # -- Stan nats://{domain or ip}:{port}, if not empty, STAN output is *enabled* + hostport: "" + # -- Cluster name, if not empty, STAN output is *enabled* + clusterid: "" + # -- Client ID, if not empty, STAN output is *enabled* + clientid: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored 
(server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + aws: + # -- Use IRSA, if true, the rolearn value will be used to set the ServiceAccount annotations and not the env var + useirsa: true + # -- AWS IAM role ARN for falcosidekick service account to associate with (optionnal if you use EC2 Instance Profile) + rolearn: "" + # -- External id for the role to assume (optional if you use EC2 Instance Profile) + externalid: "" + # -- AWS Access Key Id (optionnal if you use EC2 Instance Profile) + accesskeyid: "" + # -- AWS Secret Access Key (optionnal if you use EC2 Instance Profile) + secretaccesskey: "" + # -- AWS Region (optionnal if you use EC2 Instance Profile) + region: "" + # -- check the identity credentials, set to false for locale developments + checkidentity: true + cloudwatchlogs: + # -- AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is *enabled* + loggroup: "" + # -- AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream + logstream: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + lambda: + # -- AWS Lambda Function Name, if not empty, AWS Lambda output is *enabled* + functionname: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + sns: + # -- AWS SNS TopicARN, if not empty, AWS SNS output is *enabled* + topicarn: "" + # -- Send RawJSON from `falco` or parse it to AWS SNS + rawjson: false + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + sqs: + # -- AWS SQS Queue URL, if not empty, AWS SQS output is *enabled* + url: "" + # -- minimum priority of event to use this output, 
order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + s3: + # -- AWS S3, bucket name + bucket: "" + # -- AWS S3, name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json + prefix: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + kinesis: + # -- AWS Kinesis Stream Name, if not empty, Kinesis output is *enabled* + streamname: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + securitylake: + # -- Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled + bucket: "" + # -- Bucket Region + region: "" + # -- Prefix for keys + prefix: "" + # -- Account ID + accountid: "" + # -- Time in minutes between two puts to S3 (must be between 5 and 60min) + interval: 5 + # -- Max number of events by parquet file + batchsize: 1000 + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + smtp: + # -- "host:port" address of SMTP server, if not empty, SMTP output is *enabled* + hostport: "" + # -- use TLS connection (true/false) + tls: true + # -- SASL Mechanisms : plain, oauthbearer, external, anonymous or "" (disable SASL) + authmechanism: "plain" + # -- user to access SMTP server + user: "" + # -- password to access SMTP server + password: "" + # -- OAuthBearer token for OAuthBearer Mechanism + token: "" + # -- identity string for Plain and External Mechanisms + identity: "" + # -- trace string for Anonymous Mechanism + trace: "" + # -- Sender address (mandatory if SMTP output is *enabled*) + from: "" + # -- comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is *enabled*) + to: "" + # 
-- html, text + outputformat: "html" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + opsgenie: + # -- Opsgenie API Key, if not empty, Opsgenie output is *enabled* + apikey: "" + # -- (`us` or `eu`) region of your domain + region: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + statsd: + # -- The address for the StatsD forwarder, in the form , if not empty StatsD is *enabled* + forwarder: "" + # -- A prefix for all metrics + namespace: "falcosidekick." + + dogstatsd: + # -- The address for the DogStatsD forwarder, in the form , if not empty DogStatsD is *enabled* + forwarder: "" + # -- A prefix for all metrics + namespace: "falcosidekick." 
+ # -- A comma-separated list of tags to add to all metrics + tags: "" + + webhook: + # -- Webhook address, if not empty, Webhook output is *enabled* + address: "" + # -- HTTP method: POST or PUT + method: "POST" + # -- a list of comma separated custom headers to add, syntax is "key:value\,key:value" + customHeaders: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + azure: + # -- Azure Subscription ID + subscriptionID: "" + # -- Azure Resource Group name + resourceGroupName: "" + # -- Azure Identity Client ID + podIdentityClientID: "" + # -- Azure Identity name + podIdentityName: "" + eventHub: + # -- Name of the space the Hub is in + namespace: "" + # -- Name of the Hub, if not empty, EventHub is *enabled* + name: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + discord: + # -- Discord WebhookURL (ex: ...), if not empty, Discord output is *enabled* + webhookurl: "" + # -- Discord icon (avatar) + icon: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + gcp: + # -- Base64 encoded JSON key file for the GCP service account + credentials: "" + pubsub: + # -- The GCP Project ID containing the Pub/Sub Topic + projectid: "" + # -- Name of the Pub/Sub topic + topic: "" + # -- a list of comma separated custom headers to add, syntax is "key:value,key:value" + customattributes: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + 
storage: + # -- Name of prefix, keys will have format: gs:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json + prefix: "" + # -- The name of the bucket + bucket: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "debug" + cloudfunctions: + # -- The name of the Cloud Function which is in form `projects//locations//functions/` + name: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + cloudrun: + # -- the URL of the Cloud Run function + endpoint: "" # the URL of the Cloud Run function + # -- JWT for the private access to Cloud Run function + jwt: "" # JWT for the private access to Cloud Run function + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + googlechat: + # -- Google Chat Webhook URL (ex: ), if not `empty`, Google Chat output is *enabled* + webhookurl: "" + # -- `all` (default), `text` (only text is displayed in Google chat) + outputformat: "all" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `config.googlechat.outputformat`. If empty, no Text is displayed before Attachment + messageformat: "" + + kafka: + # -- comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). 
Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is *enabled* + hostport: "" + # -- Name of the topic, if not empty, Kafka output is enabled + topic: "" + # -- SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512) + sasl: "" + # -- Use TLS for the connections + tls: false + # -- use this username to authenticate to Kafka via SASL + username: "" + # -- use this password to authenticate to Kafka via SASL + password: "" + # -- produce messages without blocking + async: false + # -- number of acknowledges from partition replicas required before receiving + requiredacks: NONE + # -- enable message compression using this algorithm, no compression (GZIP|SNAPPY|LZ4|ZSTD|NONE) + compression: "NONE" + # -- partition balancing strategy when producing + balancer: "round_robin" + # -- auto create the topic if it doesn't exist + topiccreation: false + # -- specify a client.id when communicating with the broker for tracing + clientid: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + pagerduty: + # -- Pagerduty Routing Key, if not empty, Pagerduty output is *enabled* + routingkey: "" + # -- Pagerduty Region, can be 'us' or 'eu' + region: "us" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + kubeless: + # -- Name of Kubeless function, if not empty, EventHub is *enabled* + function: "" + # -- Namespace of Kubeless function (mandatory) + namespace: "" + # -- Port of service of Kubeless function. 
Default is `8080` + port: 8080 + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + openfaas: + # -- Name of OpenFaaS function, if not empty, OpenFaaS is *enabled* + functionname: "" + # -- Namespace of OpenFaaS function, "openfaas-fn" (default) + functionnamespace: "openfaas-fn" + # -- Service of OpenFaaS Gateway, "gateway" (default) + gatewayservice: "gateway" + # -- Port of service of OpenFaaS Gateway Default is `8080` + gatewayport: 8080 + # -- Namespace of OpenFaaS Gateway, "openfaas" (default) + gatewaynamespace: "openfaas" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + cloudevents: + # -- CloudEvents consumer http address, if not empty, CloudEvents output is *enabled* + address: "" + # -- Extensions to add in the outbound Event, useful for routing + extension: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + rabbitmq: + # -- Rabbitmq URL, if not empty, Rabbitmq output is *enabled* + url: "" + # -- Rabbitmq Queue name + queue: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "debug" + + wavefront: + # -- Wavefront endpoint type, must be 'direct' or 'proxy'. 
If not empty, with endpointhost, Wavefront output is *enabled* + endpointtype: "" + # -- Wavefront endpoint address (only the host). If not empty, with endpointhost, Wavefront output is *enabled* + endpointhost: "" + # -- Wavefront token. Must be used only when endpointtype is 'direct' + endpointtoken: "" + # -- Port to send metrics. Only used when endpointtype is 'proxy' + endpointmetricport: 2878 + # -- Metric to be created in Wavefront. Defaults to falco.alert + metricname: "falco.alert" + # -- Wavefront batch size. If empty uses the default 10000. Only used when endpointtype is 'direct' + batchsize: 10000 + # -- Wavefront flush interval in seconds. Defaults to 1 + flushintervalseconds: 1 + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "debug" + + grafana: + # -- or ip}:{port}, if not empty, Grafana output is *enabled* + hostport: "" + # -- API Key to authenticate to Grafana, if not empty, Grafana output is *enabled* + apikey: "" + # -- annotations are scoped to a specific dashboard. Optionnal. + dashboardid: "" + # -- annotations are scoped to a specific panel. Optionnal. 
+ panelid: "" + # -- if true, all custom fields are added as tags (default: false) + allfieldsastags: false + # -- a list of comma separated custom headers to add, syntax is "key:value,key:value" + customheaders: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + grafanaoncall: + # -- if not empty, Grafana OnCall output is enabled + webhookurl: "" + # -- a list of comma separated custom headers to add, syntax is "key:value,key:value" + customheaders: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + fission: + # -- Name of Fission function, if not empty, Fission is enabled + function: "" + # -- Namespace of Fission Router, "fission" (default) + routernamespace: "fission" + # -- Service of Fission Router, "router" (default) + routerservice: "router" + # -- Port of service of Fission Router + routerport: 80 # Port of service of Fission Router + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- check if ssl certificate of the output is valid + checkcert: true + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + + yandex: + # -- yandex access key + accesskeyid: "" + # -- yandex secret access key + secretaccesskey: "" + # -- yandex storage region (default: ru-central-1) + region: "" + s3: + # -- yandex storage 
endpoint (default: https://storage.yandexcloud.net) + endpoint: "" + # -- Yandex storage, bucket name + bucket: "" + # -- name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json + prefix: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + datastreams: + # -- yandex data streams endpoint (default: https://yds.serverless.yandexcloud.net) + endpoint: "" + # -- stream name in format /${region}/${folder_id}/${ydb_id}/${stream_name} + streamname: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + kafkarest: + # -- The full URL to the topic (example "http://kafkarest:8082/topics/test") + address: "" + # -- Kafka Rest Proxy API version 2|1 (default: 2) + version: 2 + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + + syslog: + # -- Syslog Host, if not empty, Syslog output is *enabled* + host: "" + # -- Syslog endpoint port number + port: "" + # -- Syslog transport protocol. It can be either "tcp" or "udp" + protocol: "tcp" + # -- Syslog payload format. 
It can be either "json" or "cef" + format: "json" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + cliq: + # -- Zoho Cliq Channel URL (ex: ), if not empty, Cliq Chat output is *enabled* + webhookurl: "" + # -- Cliq icon (avatar) + icon: "" + # -- Prefix message text with an emoji + useemoji: true + # -- `all` (default), `text` (only text is displayed in Cliq), `fields` (only fields are displayed in Cliq) + outputformat: "all" + # -- a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `cliq.outputformat`. If empty, no Text is displayed before sections. + messageformat: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + policyreport: + # -- if true; policyreport output is *enabled* + enabled: false + # -- Kubeconfig file to use (only if falcosidekick is running outside the cluster) + kubeconfig: "~/.kube/config" + # -- the max number of events that can be in a policyreport + maxevents: 1000 + # -- if true; the events with lowest severity are pruned first, in FIFO order + prunebypriority: false + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + nodered: + # -- Node-RED address, if not empty, Node-RED output is enabled + address: "" + # -- User if Basic Auth is enabled for 'http in' node in Node-RED + user: "" + # -- Password if Basic Auth is enabled for 'http in' node in Node-RED + password: "" + # -- Custom headers to add in POST, useful for Authentication, syntax is "key:value\,key:value" + customheaders: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: 
"" + # -- check if ssl certificate of the output is valid + checkcert: true + + mqtt: + # -- Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled + broker: "" + # -- Topic for messages + topic: "falco/events" + # -- QOS for messages + qos: 0 + # -- If true, messages are retained + retained: false + # -- User if the authentication is enabled in the broker + user: "" + # -- Password if the authentication is enabled in the broker + password: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- check if ssl certificate of the output is valid + checkcert: true + + zincsearch: + # -- http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled + hostport: "" + # -- index + index: "falco" + # -- use this username to authenticate to ZincSearch + username: "" + # -- use this password to authenticate to ZincSearch + password: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- check if ssl certificate of the output is valid + checkcert: true + + gotify: + # -- http://{domain or ip}:{port}, if not empty, Gotify output is enabled + hostport: "" + # -- API Token + token: "" + # -- Format of the messages (plaintext, markdown, json) + format: "markdown" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- check if ssl certificate of the output is valid + checkcert: true + + tekton: + # -- EventListener address, if not empty, Tekton output is enabled + eventlistener: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + # -- check if ssl certificate of the output is 
valid + checkcert: true + + spyderbat: + # -- Organization to send output to, if not empty, Spyderbat output is enabled + orguid: "" + # -- Spyderbat API key with access to the organization + apikey: "" + # -- Spyderbat API url + apiurl: "https://api.spyderbat.com" + # -- Spyderbat source ID, max 32 characters + source: "falcosidekick" + # -- Spyderbat source description and display name if not empty, max 256 characters + sourcedescription: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + timescaledb: + # -- TimescaleDB host, if not empty, TImescaleDB output is enabled + host: "" + # -- TimescaleDB port (default: 5432) + port: 5432 + # -- Username to authenticate with TimescaleDB + user: "postgres" + # -- Password to authenticate with TimescaleDB + password: "postgres" + # -- TimescaleDB database used + database: "" + # -- Hypertable to store data events (default: falco_events) See TimescaleDB setup for more info + hypertablename: "falco_events" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + + redis: + # -- Redis address, if not empty, Redis output is enabled + address: "" + # -- Password to authenticate with Redis + password: "" + # -- Redis database number + database: 0 + # -- Redis storage type: hashmap or list + storagetype: "list" + # -- Redis storage key name for hashmap, list + key: "falco" + # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" + minimumpriority: "" + + telegram: + # -- telegram bot authentication token + token: "" + # -- telegram Identifier of the shared chat + chatid: "" + # -- check if ssl certificate of the output is valid + checkcert: true + # -- minimum priority of event for using this output, order is 
emergency|alert|critical|error|warning|notice|informational|debug or "" + minimumpriority: "" + + n8n: + # -- N8N address, if not empty, N8N output is enabled + address: "" + # -- Username to authenticate with N8N in basic auth + user: "" + # -- Password to authenticate with N8N in basic auth + password: "" + # -- Header Auth Key to authenticate with N8N + headerauthname: "" + # -- Header Auth Value to authenticate with N8N + headerauthvalue: "" + # -- check if ssl certificate of the output is valid + checkcert: true + # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" + minimumpriority: "" + + openobserve: + # -- http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled + hostport: "" + # -- Organization name + organizationname: "default" + # -- Stream name + streamname: "falco" + # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" + minimumpriority: "" + # -- if true, checkcert flag will be ignored (server cert will always be checked) + mutualtls: false + # -- check if ssl certificate of the output is valid + checkcert: true + # -- use this username to authenticate to OpenObserve if the username is not empty + username: "" + # -- use this password to authenticate to OpenObserve if the password is not empty + password: "" + # -- a list of comma separated custom headers to add, syntax is "key:value,key:value" + customheaders: "" + +service: + # -- Service type + type: ClusterIP + # -- Service port + port: 2801 + # -- Service annotations + annotations: {} + # networking.gke.io/load-balancer-type: Internal + +ingress: + # -- Whether to create the ingress + enabled: false + # -- Ingress annotations + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # -- Ingress hosts + hosts: + - host: falcosidekick.local + paths: + - path: / + # -- pathType 
(e.g. ImplementationSpecific, Prefix, .. etc.) + # pathType: Prefix + # -- Ingress TLS configuration + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +# -- The resources for falcosdekick pods +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- Sidekick nodeSelector field +nodeSelector: {} + +# -- Tolerations for pod assignment +tolerations: [] + +# -- Affinity for the Sidekick pods +affinity: {} + +# -- Extra volumes for sidekick deployment +extraVolumes: [] +# - name: optional-mtls-volume +# configMap: +# name: falco-certs-optional +# optional: true +# items: +# - key: mtlscert.optional.tls +# path: mtlscert.optional.tls + +# -- Extra volume mounts for sidekick deployment +extraVolumeMounts: [] +# - mountPath: /etc/certs/mtlscert.optional.tls +# name: optional-mtls-volume + +testConnection: + # -- test connection nodeSelector field + nodeSelector: {} + + # -- Tolerations for pod assignment + tolerations: [] + + # -- Affinity for the test connection pod + affinity: {} + +webui: + # -- enable Falcosidekick-UI + enabled: false + # -- number of running pods + replicaCount: 2 + # -- number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 + # -- Log level ("debug", "info", "warning", "error") + loglevel: "info" + # -- TTL for keys, the syntax in X, with : s, m, d, w (0 for no ttl) + ttl: 0 + # -- User in format : + user: "admin:admin" + # -- Disable the basic auth + disableauth: false + # -- Existing secret with configuration + existingSecret: "" 
+ # -- Allow CORS + allowcors: false + image: + # -- The web UI image registry to pull from + registry: docker.io + # -- The web UI image repository to pull from + repository: falcosecurity/falcosidekick-ui + # -- The web UI image tag to pull + tag: "2.2.0" + # -- The web UI image pull policy + pullPolicy: IfNotPresent + + # -- Web UI pod securityContext + podSecurityContext: + runAsUser: 1234 + fsGroup: 1234 + + # -- Web UI container securityContext + securityContext: {} + + # -- Name of the priority class to be used by the Web UI pods, priority class needs to be created beforehand + priorityClassName: "" + + # -- additions labels on the pods web UI + podLabels: {} + # -- additions annotations on the pods web UI + podAnnotations: {} + + service: + # -- The web UI service type + type: ClusterIP + # -- The web UI service port dor the falcosidekick-ui + port: 2802 + # -- The web UI service nodePort + nodePort: 30282 + # -- The web UI service targetPort + targetPort: 2802 + # -- The web UI service annotations (use this to set a internal LB, for example.) + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + + ingress: + # -- Whether to create the Web UI ingress + enabled: false + # -- Web UI ingress annotations + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # -- Web UI ingress hosts configuration + hosts: + - host: falcosidekick-ui.local + paths: + - path: / + # -- Web UI ingress TLS configuration + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + # -- The resources for the web UI pods + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # -- Web UI nodeSelector field + nodeSelector: {} + # -- Tolerations for pod assignment + tolerations: [] + # -- Affinity for the Web UI pods + affinity: {} + externalRedis: + # -- Enable or disable the usage of an external Redis. Is mutually exclusive with webui.redis.enabled. + enabled: false + # -- The URL of the external Redis database with RediSearch > v2 + url: "" + # -- The port of the external Redis database with RediSearch > v2 + port: 6379 + redis: + # -- Is mutually exclusive with webui.externalRedis.enabled + enabled: true + image: + # -- The web UI Redis image registry to pull from + registry: docker.io + # -- The web UI Redis image repository to pull from + repository: redis/redis-stack + # -- The web UI Redis image tag to pull from + tag: "6.2.6-v3" + # -- The web UI image pull policy + pullPolicy: IfNotPresent + + # -- Existing secret with configuration + existingSecret: "" + + # -- Set a password for Redis + password: "" + + # -- Name of the priority class to be used by the Web UI Redis pods, priority class needs to be created beforehand + priorityClassName: "" + + # -- additions labels on the pods + podLabels: {} + # -- additions annotations on the pods + podAnnotations: {} + + # -- Enable the PVC for the redis pod + storageEnabled: true + # -- Size of the PVC for the redis pod + storageSize: "1Gi" + # -- Storage class of the PVC for the redis pod + storageClass: "" + + service: + # -- The web UI Redis service type (i. e: LoadBalancer) + type: ClusterIP + # -- The web UI Redis service port dor the falcosidekick-ui + port: 6379 + # -- The web UI Redis service targetPort + targetPort: 6379 + # -- The web UI Redis service annotations (use this to set a internal LB, for example.) 
+ annotations: {} + + # -- Web UI Redis pod securityContext + podSecurityContext: {} + + # -- Web UI Redis container securityContext + securityContext: {} + + # -- The resources for the redis pod + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Web UI Redis nodeSelector field + nodeSelector: {} + + # -- Tolerations for pod assignment + tolerations: [] + + # -- Affinity for the Web UI Redis pods + affinity: {} diff --git a/falco/charts/k8s-metacollector/.helmignore b/falco/charts/k8s-metacollector/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/falco/charts/k8s-metacollector/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/falco/charts/k8s-metacollector/CHANGELOG.md b/falco/charts/k8s-metacollector/CHANGELOG.md new file mode 100644 index 0000000..ccf8d9e --- /dev/null +++ b/falco/charts/k8s-metacollector/CHANGELOG.md 
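Review bot: the falcosidekick `values.yaml` hunk above ships working default credentials: `config.timescaledb.user` / `password` default to `"postgres"` / `"postgres"`, and `webui.user` defaults to `"admin:admin"` with `disableauth: false`, so an install without overrides authenticates with guessable credentials. Default these to `""` and point users at the `existingSecret` values the chart already exposes for both the sidekick and the web UI (or fail templating when they are left unset). Two comments are copy-paste leftovers: `kubeless.function` says "if not empty, EventHub is *enabled*" (should be Kubeless) and `cliq.messageformat` says "a Go template to format Google Chat Text" (should be Cliq). The `grafana.hostport` description is truncated to "or ip}:{port}"; restore the `http://{domain or ip}:{port}` wording used by the zincsearch, gotify and openobserve entries. Smaller points: `kafka.requiredacks: NONE` is unquoted while `compression: "NONE"` is quoted; `syslog.port: ""` is a string while every other port is an integer; `minimumpriority` defaults to `"debug"` for gcp.storage, rabbitmq and wavefront but `""` everywhere else, which deserves a comment if intentional; and the typos "Optionnal", "falcosdekick", "TImescaleDB", "dor the falcosidekick-ui", "additions labels/annotations" and "a internal LB". Finally, `webui.securityContext: {}` and the Redis `podSecurityContext` / `securityContext: {}` could default to dropping all capabilities, as the k8s-metacollector subchart added in this same PR does with `containerSecurityContext`.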
@@ -0,0 +1,44 @@ + +# Change Log + +This file documents all notable changes to `k8s-metacollector` Helm Chart. The release +numbering uses [semantic versioning](http://semver.org). + +## v0.1.7 + +* Lower initial delay seconds for readiness and liveness probes; + +## v0.1.6 + +* Add grafana dashboard; + +## v0.1.5 + +* Fix service monitor indentation; + +## v0.1.4 + +* Lower `interval` and `scrape_timeout` values for service monitor; +* +## v0.1.3 + +* Bump application version to 0.1.3 + +## v0.1.2 + +### Major Changes + +* Update unit tests; + +## v0.1.1 + +### Major Changes + +* Add `work in progress` disclaimer; +* Update chart info. + +## v0.1.0 + +### Major Changes + +* Initial release of k8s-metacollector Helm Chart. **Note:** the chart uses the `main` tag, since we don't have released the k8s-metacollector yet. \ No newline at end of file diff --git a/falco/charts/k8s-metacollector/Chart.yaml b/falco/charts/k8s-metacollector/Chart.yaml new file mode 100644 index 0000000..684370b --- /dev/null +++ b/falco/charts/k8s-metacollector/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +appVersion: 0.1.0 +description: Install k8s-metacollector to fetch and distribute Kubernetes metadata + to Falco instances. +home: https://github.com/falcosecurity/k8s-metacollector +maintainers: +- email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors +name: k8s-metacollector +sources: +- https://github.com/falcosecurity/k8s-metacollector +type: application +version: 0.1.7 diff --git a/falco/charts/k8s-metacollector/README.gotmpl b/falco/charts/k8s-metacollector/README.gotmpl new file mode 100644 index 0000000..96d017f --- /dev/null +++ b/falco/charts/k8s-metacollector/README.gotmpl 
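Review bot: the CHANGELOG.md hunk has a stray empty bullet (`* `) between the v0.1.4 entry and the `## v0.1.3` heading, which renders as an empty list item; remove it. The v0.1.0 note "since we don't have released the k8s-metacollector yet" should read "since we have not released the k8s-metacollector yet", and the file is missing its trailing newline (`\ No newline at end of file`).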
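Review bot: `appVersion: 0.1.0` in the Chart.yaml hunk contradicts the CHANGELOG entry for v0.1.3 in the same file set ("Bump application version to 0.1.3") while the chart `version` is already 0.1.7; either the appVersion was never bumped or the changelog is wrong. If the image tag defaults to `.Chart.AppVersion` (the templates are not in this excerpt), this also decides which k8s-metacollector image gets deployed, so please confirm the intended release and align both files.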
@@ -0,0 +1,71 @@ +# k8s-metacollector + +[k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) is a self-contained module that can be deployed within a Kubernetes cluster to perform the task of gathering metadata from various Kubernetes resources and subsequently transmitting this collected metadata to designated subscribers. + +## Introduction + +This chart installs the [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) in a kubernetes cluster. The main application will be deployed as Kubernetes deployment with replica count equal to 1. In order for the application to work correctly the following resources will be created: +* ServiceAccount; +* ClusterRole; +* ClusterRoleBinding; +* Service; +* ServiceMonitor (optional); + +*Note*: Incrementing the number of replicas is not recommended. The [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) does not implement memory sharding techniques. Furthermore, events are distributed over `gRPC` using `streams` which does not work well with load balancing mechanisms implemented by Kubernetes. + +## Adding `falcosecurity` repository + +Before installing the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +To install the chart with default values and release name `k8s-metacollector` run: + +```bash +helm install k8s-metacollector falcosecurity/k8s-metacollector --namespace metacollector --create-namespace +``` + +After a few seconds, k8s-metacollector should be running in the `metacollector` namespace. 
+ +### Enabling ServiceMonitor +Assuming that Prometheus scrapes only the ServiceMonitors that present a `release label` the following command will install and label the ServiceMonitor: + +```bash +helm install k8s-metacollector falcosecurity/k8s-metacollector \ + --create-namespace \ + --namespace metacollector \ + --set serviceMonitor.create=true \ + --set serviceMonitor.labels.release="kube-prometheus-stack" +``` + +### Deploying the Grafana Dashboard +By setting `grafana.dashboards.enabled=true` the k8s-metacollector's grafana dashboard is deployed in the cluster using a configmap. +Based in Grafana's configuration, the configmap could be scraped by Grafana dashboard sidecar. +The following command will deploy the k8s-metacollector + serviceMonitor + grafana dashboard: + +```bash +helm install k8s-metacollector falcosecurity/k8s-metacollector \ + --create-namespace \ + --namespace metacollector \ + --set serviceMonitor.create=true \ + --set serviceMonitor.labels.release="kube-prometheus-stack" \ + --set grafana.dashboards.enabled=true +``` + +## Uninstalling the Chart +To uninstall the `k8s-metacollector` release in namespace `metacollector`: +```bash +helm uninstall k8s-metacollector --namespace metacollector +``` +The command removes all the Kubernetes resources associated with the chart and deletes the release. + +## Configuration + +The following table lists the main configurable parameters of the {{ template "chart.name" . }} chart v{{ template "chart.version" . }} and their default values. See `values.yaml` for full list. + +{{ template "chart.valuesSection" . }} diff --git a/falco/charts/k8s-metacollector/README.md b/falco/charts/k8s-metacollector/README.md new file mode 100644 index 0000000..7f1e3af --- /dev/null +++ b/falco/charts/k8s-metacollector/README.md 
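Review bot: the README.gotmpl hunk has wording issues that propagate to the generated README.md: "Based in Grafana's configuration" should be "Depending on Grafana's configuration"; "deployed as Kubernetes deployment" should be "deployed as a Kubernetes Deployment"; "ServiceMonitors that present a `release label`" should be "ServiceMonitors that carry a `release` label"; and "kubernetes cluster" should be "Kubernetes cluster". The replica note is useful but should name the value it refers to (the replica-count value is not shown in this excerpt) and state plainly that it must stay at 1, since the reasons given (no sharding, gRPC streams behind a Service) are the constraint operators will actually hit.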
@@ -0,0 +1,150 @@ +# k8s-metacollector + +[k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) is a self-contained module that can be deployed within a Kubernetes cluster to perform the task of gathering metadata from various Kubernetes resources and subsequently transmitting this collected metadata to designated subscribers. + +## Introduction + +This chart installs the [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) in a kubernetes cluster. The main application will be deployed as Kubernetes deployment with replica count equal to 1. In order for the application to work correctly the following resources will be created: +* ServiceAccount; +* ClusterRole; +* ClusterRoleBinding; +* Service; +* ServiceMonitor (optional); + +*Note*: Incrementing the number of replicas is not recommended. The [k8s-metacollector](https://github.com/falcosecurity/k8s-metacollector) does not implement memory sharding techniques. Furthermore, events are distributed over `gRPC` using `streams` which does not work well with load balancing mechanisms implemented by Kubernetes. + +## Adding `falcosecurity` repository + +Before installing the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +To install the chart with default values and release name `k8s-metacollector` run: + +```bash +helm install k8s-metacollector falcosecurity/k8s-metacollector --namespace metacollector --create-namespace +``` + +After a few seconds, k8s-metacollector should be running in the `metacollector` namespace. 
+ +### Enabling ServiceMonitor +Assuming that Prometheus scrapes only the ServiceMonitors that present a `release label` the following command will install and label the ServiceMonitor: + +```bash +helm install k8s-metacollector falcosecurity/k8s-metacollector \ + --create-namespace \ + --namespace metacollector \ + --set serviceMonitor.create=true \ + --set serviceMonitor.labels.release="kube-prometheus-stack" +``` + +### Deploying the Grafana Dashboard +By setting `grafana.dashboards.enabled=true` the k8s-metacollector's grafana dashboard is deployed in the cluster using a configmap. +Based in Grafana's configuration, the configmap could be scraped by Grafana dashboard sidecar. +The following command will deploy the k8s-metacollector + serviceMonitor + grafana dashboard: + +```bash +helm install k8s-metacollector falcosecurity/k8s-metacollector \ + --create-namespace \ + --namespace metacollector \ + --set serviceMonitor.create=true \ + --set serviceMonitor.labels.release="kube-prometheus-stack" \ + --set grafana.dashboards.enabled=true +``` + +## Uninstalling the Chart +To uninstall the `k8s-metacollector` release in namespace `metacollector`: +```bash +helm uninstall k8s-metacollector --namespace metacollector +``` +The command removes all the Kubernetes resources associated with the chart and deletes the release. + +## Configuration + +The following table lists the main configurable parameters of the k8s-metacollector chart v0.1.7 and their default values. See `values.yaml` for full list. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | affinity allows pod placement based on node characteristics, or any other custom labels assigned to nodes. | +| containerSecurityContext | object | `{"capabilities":{"drop":["ALL"]}}` | containerSecurityContext holds the security settings for the container. 
| +| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | capabilities fine-grained privileges that can be assigned to processes. | +| containerSecurityContext.capabilities.drop | list | `["ALL"]` | drop drops the given set of privileges. | +| fullnameOverride | string | `""` | fullNameOverride same as nameOverride but for the full name. | +| grafana | object | `{"dashboards":{"configMaps":{"collector":{"folder":"","name":"k8s-metacollector-grafana-dashboard","namespace":""}},"enabled":false}}` | grafana contains the configuration related to grafana. | +| grafana.dashboards | object | `{"configMaps":{"collector":{"folder":"","name":"k8s-metacollector-grafana-dashboard","namespace":""}},"enabled":false}` | dashboards contains configuration for grafana dashboards. | +| grafana.dashboards.configMaps | object | `{"collector":{"folder":"","name":"k8s-metacollector-grafana-dashboard","namespace":""}}` | configmaps to be deployed that contain a grafana dashboard. | +| grafana.dashboards.configMaps.collector | object | `{"folder":"","name":"k8s-metacollector-grafana-dashboard","namespace":""}` | collector contains the configuration for collector's dashboard. | +| grafana.dashboards.configMaps.collector.folder | string | `""` | folder where the dashboard is stored by grafana. | +| grafana.dashboards.configMaps.collector.name | string | `"k8s-metacollector-grafana-dashboard"` | name specifies the name for the configmap. | +| grafana.dashboards.configMaps.collector.namespace | string | `""` | namespace specifies the namespace for the configmap. | +| grafana.dashboards.enabled | bool | `false` | enabled specifies whether the dashboards should be deployed. 
| +| healthChecks | object | `{"livenessProbe":{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":45,"periodSeconds":15,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":30,"periodSeconds":15,"timeoutSeconds":5}}` | healthChecks contains the configuration for liveness and readiness probes. | +| healthChecks.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":45,"periodSeconds":15,"timeoutSeconds":5}` | livenessProbe is a diagnostic mechanism used to determine wether a container within a Pod is still running and healthy. | +| healthChecks.livenessProbe.httpGet | object | `{"path":"/healthz","port":8081}` | httpGet specifies that the liveness probe will make an HTTP GET request to check the health of the container. | +| healthChecks.livenessProbe.httpGet.path | string | `"/healthz"` | path is the specific endpoint on which the HTTP GET request will be made. | +| healthChecks.livenessProbe.httpGet.port | int | `8081` | port is the port on which the container exposes the "/healthz" endpoint. | +| healthChecks.livenessProbe.initialDelaySeconds | int | `45` | initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. | +| healthChecks.livenessProbe.periodSeconds | int | `15` | periodSeconds specifies the interval at which the liveness probe will be repeated. | +| healthChecks.livenessProbe.timeoutSeconds | int | `5` | timeoutSeconds is the number of seconds after which the probe times out. | +| healthChecks.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":30,"periodSeconds":15,"timeoutSeconds":5}` | readinessProbe is a mechanism used to determine whether a container within a Pod is ready to serve traffic. 
| +| healthChecks.readinessProbe.httpGet | object | `{"path":"/readyz","port":8081}` | httpGet specifies that the readiness probe will make an HTTP GET request to check whether the container is ready. | +| healthChecks.readinessProbe.httpGet.path | string | `"/readyz"` | path is the specific endpoint on which the HTTP GET request will be made. | +| healthChecks.readinessProbe.httpGet.port | int | `8081` | port is the port on which the container exposes the "/readyz" endpoint. | +| healthChecks.readinessProbe.initialDelaySeconds | int | `30` | initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. | +| healthChecks.readinessProbe.periodSeconds | int | `15` | periodSeconds specifies the interval at which the readiness probe will be repeated. | +| healthChecks.readinessProbe.timeoutSeconds | int | `5` | timeoutSeconds is the number of seconds after which the probe times out. | +| image | object | `{"pullPolicy":"IfNotPresent","pullSecrets":[],"registry":"docker.io","repository":"falcosecurity/k8s-metacollector","tag":""}` | image is the configuration for the k8s-metacollector image. | +| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the policy used to determine when a node should attempt to pull the container image. | +| image.pullSecrets | list | `[]` | pullSecects a list of secrets containing credentials used when pulling from private/secure registries. | +| image.registry | string | `"docker.io"` | registry is the image registry to pull from. | +| image.repository | string | `"falcosecurity/k8s-metacollector"` | repository is the image repository to pull from | +| image.tag | string | `""` | tag is image tag to pull. Overrides the image tag whose default is the chart appVersion. | +| nameOverride | string | `""` | nameOverride is the new name used to override the release name used for k8s-metacollector components. 
| +| namespaceOverride | string | `""` | namespaceOverride overrides the deployment namespace. It's useful for multi-namespace deployments in combined charts. | +| nodeSelector | object | `{}` | nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes for the Pod to be eligible for scheduling on that node. | +| podAnnotations | object | `{}` | podAnnotations are custom annotations to be added to the pod. | +| podSecurityContext | object | `{"fsGroup":1000,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}` | These settings are override by the ones specified for the container when there is overlap. | +| podSecurityContext.fsGroup | int | `1000` | fsGroup specifies the group ID (GID) that should be used for the volume mounted within a Pod. | +| podSecurityContext.runAsGroup | int | `1000` | runAsGroup specifies the group ID (GID) that the containers inside the pod should run as. | +| podSecurityContext.runAsNonRoot | bool | `true` | runAsNonRoot when set to true enforces that the specified container runs as a non-root user. | +| podSecurityContext.runAsUser | int | `1000` | runAsUser specifies the user ID (UID) that the containers inside the pod should run as. | +| replicaCount | int | `1` | replicaCount is the number of identical copies of the k8s-metacollector. | +| resources | object | `{}` | resources defines the computing resources (CPU and memory) that are allocated to the containers running within the Pod. | +| service | object | `{"create":true,"ports":{"broker-grpc":{"port":45000,"protocol":"TCP","targetPort":"broker-grpc"},"health-probe":{"port":8081,"protocol":"TCP","targetPort":"health-probe"},"metrics":{"port":8080,"protocol":"TCP","targetPort":"metrics"}},"type":"ClusterIP"}` | service exposes the k8s-metacollector services to be accessed from within the cluster. 
ref: https://kubernetes.io/docs/concepts/services-networking/service/ | +| service.create | bool | `true` | enabled specifies whether a service should be created. | +| service.ports | object | `{"broker-grpc":{"port":45000,"protocol":"TCP","targetPort":"broker-grpc"},"health-probe":{"port":8081,"protocol":"TCP","targetPort":"health-probe"},"metrics":{"port":8080,"protocol":"TCP","targetPort":"metrics"}}` | ports denotes all the ports on which the Service will listen. | +| service.ports.broker-grpc | object | `{"port":45000,"protocol":"TCP","targetPort":"broker-grpc"}` | broker-grpc denotes a listening service named "grpc-broker" | +| service.ports.broker-grpc.port | int | `45000` | port is the port on which the Service will listen. | +| service.ports.broker-grpc.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. | +| service.ports.broker-grpc.targetPort | string | `"broker-grpc"` | targetPort is the port on which the Pod is listening. | +| service.ports.health-probe | object | `{"port":8081,"protocol":"TCP","targetPort":"health-probe"}` | health-probe denotes a listening service named "health-probe" | +| service.ports.health-probe.port | int | `8081` | port is the port on which the Service will listen. | +| service.ports.health-probe.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. | +| service.ports.health-probe.targetPort | string | `"health-probe"` | targetPort is the port on which the Pod is listening. | +| service.ports.metrics | object | `{"port":8080,"protocol":"TCP","targetPort":"metrics"}` | metrics denotes a listening service named "metrics". | +| service.ports.metrics.port | int | `8080` | port is the port on which the Service will listen. | +| service.ports.metrics.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. 
| +| service.ports.metrics.targetPort | string | `"metrics"` | targetPort is the port on which the Pod is listening. | +| service.type | string | `"ClusterIP"` | type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible from within the cluster. | +| serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | serviceAccount is the configuration for the service account. | +| serviceAccount.annotations | object | `{}` | annotations to add to the service account. | +| serviceAccount.create | bool | `true` | create specifies whether a service account should be created. | +| serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the full name template. | +| serviceMonitor | object | `{"create":false,"interval":"15s","labels":{},"path":"/metrics","relabelings":[],"scheme":"http","scrapeTimeout":"10s","targetLabels":[],"tlsConfig":{}}` | serviceMonitor holds the configuration for the ServiceMonitor CRD. A ServiceMonitor is a custom resource definition (CRD) used to configure how Prometheus should discover and scrape metrics from the k8s-metacollector service. | +| serviceMonitor.create | bool | `false` | create specifies whether a ServiceMonitor CRD should be created for a prometheus operator. https://github.com/coreos/prometheus-operator Enable it only if the ServiceMonitor CRD is installed in your cluster. | +| serviceMonitor.interval | string | `"15s"` | interval specifies the time interval at which Prometheus should scrape metrics from the service. | +| serviceMonitor.labels | object | `{}` | labels set of labels to be applied to the ServiceMonitor resource. If your Prometheus deployment is configured to use serviceMonitorSelector, then add the right label here in order for the ServiceMonitor to be selected for target discovery. | +| serviceMonitor.path | string | `"/metrics"` | path at which the metrics are expose by the k8s-metacollector. 
| +| serviceMonitor.relabelings | list | `[]` | relabelings configures the relabeling rules to apply the target’s metadata labels. | +| serviceMonitor.scheme | string | `"http"` | scheme specifies network protocol used by the metrics endpoint. In this case HTTP. | +| serviceMonitor.scrapeTimeout | string | `"10s"` | scrapeTimeout determines the maximum time Prometheus should wait for a target to respond to a scrape request. If the target does not respond within the specified timeout, Prometheus considers the scrape as failed for that target. | +| serviceMonitor.targetLabels | list | `[]` | targetLabels defines the labels which are transferred from the associated Kubernetes service object onto the ingested metrics. | +| serviceMonitor.tlsConfig | object | `{}` | tlsConfig specifies TLS (Transport Layer Security) configuration for secure communication when scraping metrics from a service. It allows you to define the details of the TLS connection, such as CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support TLS configuration for the metrics endpoint. | +| tolerations | list | `[]` | tolerations are applied to pods and allow them to be scheduled on nodes with matching taints. | diff --git a/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json b/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json new file mode 100644 index 0000000..62b721d --- /dev/null +++ b/falco/charts/k8s-metacollector/dashboards/k8s-metacollector-dashboard.json 
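Review bot: the `containerSecurityContext` default shown in the Values table (`{"capabilities":{"drop":["ALL"]}}`) drops all capabilities but sets neither `allowPrivilegeEscalation: false` nor a `seccompProfile`, so a pod running as UID 1000 could still gain privilege through a setuid binary and runs without a syscall filter; consider extending the chart default to `{"capabilities":{"drop":["ALL"]},"allowPrivilegeEscalation":false,"seccompProfile":{"type":"RuntimeDefault"}}` and documenting it in this table. The `service.ports.broker-grpc` description says the port is named `"grpc-broker"` while the key and `targetPort` are `broker-grpc`; pick one. Several description typos should be fixed at their source if this table is generated from `values.yaml` comments: `wether` (healthChecks.livenessProbe), `pullSecects` (image.pullSecrets), `are expose by` (serviceMonitor.path), `These settings are override by` (podSecurityContext), and `Setting it to "ClusterIP" we ensure that are accessible` (service.type). In the prose, `Based in Grafana's configuration` should read `Based on`, and the hard-coded `chart v0.1.7` in the Configuration paragraph will drift unless it is templated from `Chart.yaml`.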
@@ -0,0 +1,1600 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 17, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "interval": "1m", + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "rate(process_cpu_seconds_total{namespace=\"$namespace\", pod=\"$pod\"}[5m]) * 100", + 
"format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "Pod: {{pod}} | Container: {{container}}", + "range": true, + "refId": "A", + "step": 10 + } + ], + "title": "Controller CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 4, + "interval": "1m", + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "exemplar": true, + "expr": "process_resident_memory_bytes{namespace=\"$namespace\", pod=\"$pod\"}", + "format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "Pod: {{pod}} | Container: {{container}}", + "range": true, + "refId": "A", + "step": 10 + } + ], + "title": "Controller Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + 
"uid": "prometheus" + }, + "description": "Number of subscribers", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "blue", + "mode": "fixed" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 8 + }, + "id": 41, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "expr": "meta_collector_server_subscribers{namespace=\"$namespace\", pod=\"$pod\", job=\"$job\"}", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Subscribers", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "blue", + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 8 + }, + "id": 40, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", 
+ "placement": "right", + "showLegend": true, + "values": [ + "value", + "percent" + ] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "expr": "sum by(type) (meta_collector_broker_queue_adds{pod=\"$pod\", namespace=\"$namespace\"})", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Events Added To Broker Queue Per Type", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "blue", + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 7, + "y": 16 + }, + "id": 23, + "options": { + "displayLabels": [], + "legend": { + "displayMode": "table", + "placement": "right", + "showLegend": true, + "values": [ + "value", + "percent" + ] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "expr": "sum by(controller) (controller_runtime_reconcile_total{pod=\"$pod\", namespace=\"$namespace\"})", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Reconciles Per collector", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "description": "Events sent to subscribers", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + 
"thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 24 + }, + "id": 17, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true, + "valueMode": "color" + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(kind) (meta_collector_broker_dispatched_events{pod=\"$pod\", namespace=\"$namespace\"})", + "format": "time_series", + "legendFormat": "{{kind}}", + "range": true, + "refId": "A" + } + ], + "title": "Events Dispatched Per Resource Kind", + "type": "bargauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 24 + }, + "id": 26, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "expr": "sum by(job) (meta_collector_broker_dispatched_events{pod=\"$pod\", namespace=\"$namespace\"})", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Total Events Dispatched", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": 
"prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 32 + }, + "id": 24, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true, + "valueMode": "color" + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "expr": "sum by(name) (meta_collector_collector_event_api_server_received{pod=\"$pod\", namespace=\"$namespace\", source=\"api-server\"})", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Events From Api Server Per collector", + "type": "bargauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 32 + }, + "id": 25, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.5.1", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "expr": "sum(meta_collector_collector_event_api_server_received{pod=\"$pod\", namespace=\"$namespace\", source=\"api-server\"})", + "legendFormat": "__auto", + 
"range": true, + "refId": "A" + } + ], + "title": "Events Received from api-server", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "description": "How long in seconds an item stays in workqueue before being requested", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 40 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "list", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "histogram_quantile(0.50, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "interval": "", + "legendFormat": "P50 {{name}} {{instance}} ", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "histogram_quantile(0.90, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "hide": 
false, + "interval": "", + "legendFormat": "P90 {{name}} {{instance}} ", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "histogram_quantile(0.99, sum(rate(workqueue_queue_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "hide": false, + "interval": "", + "legendFormat": "P99 {{name}} {{instance}} ", + "refId": "C" + } + ], + "title": "Seconds For Items Stay In Queue (before being requested) (P50, P90, P99)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "description": "How long in seconds an item stays in the broker queue before being processed by the broker.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [ + { + "__systemRef": "hideSeriesFrom", + "matcher": { + "id": "byNames", + "options": { + "mode": "exclude", + "names": [ + "P50 blockingChannel 10.16.1.4:8080 " + ], + "prefix": "All except:", + "readOnly": true + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": false, + "tooltip": false, + "viz": true + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 
40 + }, + "id": 13, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "list", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "exemplar": true, + "expr": "histogram_quantile(0.5, sum by(instance, name, le) (rate(meta_collector_broker_queue_duration_seconds_bucket{pod=\"$pod\", namespace=\"$namespace\"}[5m])))", + "interval": "", + "legendFormat": "P50 {{name}} {{instance}} ", + "range": true, + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "exemplar": true, + "expr": "histogram_quantile(0.9, sum by(instance, name, le) (rate(broker_queue_duration_seconds_bucket{pod=\"$pod\", namespace=\"$namespace\"}[5m])))", + "hide": false, + "interval": "", + "legendFormat": "P90 {{name}} {{instance}} ", + "range": true, + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "builder", + "exemplar": true, + "expr": "histogram_quantile(0.99, sum by(instance, name, le) (rate(broker_queue_duration_seconds_bucket{pod=\"$pod\", namespace=\"$namespace\"}[5m])))", + "hide": false, + "interval": "", + "legendFormat": "P99 {{name}} {{instance}} ", + "range": true, + "refId": "C" + } + ], + "title": "Seconds For Items Stay In Broker Queue (before being proccesed) (P50, P90, P99)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "description": "How long in seconds processing an item from workqueue takes.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": 
{ + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 29, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "histogram_quantile(0.50, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "interval": "", + "legendFormat": "P50 {{name}} {{instance}} ", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "histogram_quantile(0.90, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "hide": false, + "interval": "", + "legendFormat": "P90 {{name}} {{instance}} ", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "histogram_quantile(0.99, sum(rate(workqueue_work_duration_seconds_bucket{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name, le))", + "hide": false, + "interval": "", + "legendFormat": "P99 {{name}} {{instance}} ", + "refId": "C" + } + ], + "title": "Seconds Processing Items From WorkQueue (P50, P90, P99)", + "type": "timeseries" + }, + { + "datasource": { + "type": 
"prometheus", + "uid": "prometheus" + }, + "description": "Total number of retries handled by workqueue", + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 34, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "sum(rate(workqueue_retries_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name)", + "interval": "", + "legendFormat": "{{name}} {{instance}} ", + "refId": "A" + } + ], + "title": "Work Queue Retries Rate", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + 
"viz": false + }, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 54 + }, + "id": 33, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "sum(rate(workqueue_adds_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, name)", + "interval": "", + "legendFormat": "{{name}} {{instance}}", + "refId": "A" + } + ], + "title": "Work Queue Add Rate", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "description": "Total number of reconciliation errors per controller", + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + 
"color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "cpm" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 54 + }, + "id": 32, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "sum(rate(controller_runtime_reconcile_errors_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, pod)", + "interval": "", + "legendFormat": "{{instance}} {{pod}}", + "range": true, + "refId": "A" + } + ], + "title": "Reconciliation Error Count Per Controller", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "description": "Total number of reconciliations per controller", + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-GrYlRd" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 20, + "gradientMode": "scheme", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "smooth", + "lineWidth": 3, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "cpm" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 61 + }, + "id": 31, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": 
true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "sum(rate(controller_runtime_reconcile_total{job=\"$job\", namespace=\"$namespace\"}[5m])) by (instance, pod)", + "interval": "", + "legendFormat": "{{instance}} {{pod}}", + "range": true, + "refId": "A" + } + ], + "title": "Total Reconciliation Count Per Controller", + "type": "timeseries" + } + ], + "refresh": "5s", + "schemaVersion": 38, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "meta-collector", + "value": "meta-collector" + }, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "definition": "label_values(meta_collector_server_subscribers,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "query": "label_values(meta_collector_server_subscribers,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "meta-collector-585d94f758-bpsxm", + "value": "meta-collector-585d94f758-bpsxm" + }, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "definition": "label_values(meta_collector_server_subscribers{namespace=~\"$namespace\"},pod)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "pod", + "options": [], + "query": { + "query": "label_values(meta_collector_server_subscribers{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "meta-collector", + "value": "meta-collector" + }, + "datasource": { + "type": "prometheus", + "uid": 
"prometheus" + }, + "definition": "label_values(controller_runtime_reconcile_total{namespace=~\"$namespace\"},job)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "job", + "options": [], + "query": { + "query": "label_values(controller_runtime_reconcile_total{namespace=~\"$namespace\"},job)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-30m", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Falco Meta Collector", + "uid": "T0NvRcb4z", + "version": 1, + "weekStart": "" +} diff --git a/falco/charts/k8s-metacollector/templates/NOTES.txt b/falco/charts/k8s-metacollector/templates/NOTES.txt new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/NOTES.txt @@ -0,0 +1 @@ + diff --git a/falco/charts/k8s-metacollector/templates/_helpers.tpl b/falco/charts/k8s-metacollector/templates/_helpers.tpl new file mode 100644 index 0000000..4603c49 --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/_helpers.tpl 
@@ -0,0 +1,121 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "k8s-metacollector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "k8s-metacollector.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "k8s-metacollector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "k8s-metacollector.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "k8s-metacollector.labels" -}} +helm.sh/chart: {{ include "k8s-metacollector.chart" . }} +{{ include "k8s-metacollector.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: "metadata-collector" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "k8s-metacollector.selectorLabels" -}} +app.kubernetes.io/name: {{ include "k8s-metacollector.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Return the proper k8s-metacollector image name +*/}} +{{- define "k8s-metacollector.image" -}} +" +{{- with .Values.image.registry -}} + {{- . }}/ +{{- end -}} +{{- .Values.image.repository }}: +{{- .Values.image.tag | default .Chart.AppVersion -}} +" +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "k8s-metacollector.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "k8s-metacollector.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Generate the ports for the service +*/}} +{{- define "k8s-metacollector.servicePorts" -}} +{{- if .Values.service.create }} +{{- with .Values.service.ports }} +{{- range $key, $value := . }} +- name: {{ $key }} +{{- range $key1, $value1 := $value }} + {{ $key1}}: {{ $value1 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Generate the ports for the container +*/}} +{{- define "k8s-metacollector.containerPorts" -}} +{{- if .Values.service.create }} +{{- with .Values.service.ports }} +{{- range $key, $value := . }} +- name: "{{ $key }}" +{{- range $key1, $value1 := $value }} + {{- if ne $key1 "targetPort" }} + {{- if eq $key1 "port" }} + containerPort: {{ $value1 }} + {{- else }} + {{ $key1}}: {{ $value1 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/falco/charts/k8s-metacollector/templates/clusterrole.yaml b/falco/charts/k8s-metacollector/templates/clusterrole.yaml new file mode 100644 index 0000000..335eed3 --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/clusterrole.yaml 
@@ -0,0 +1,39 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "k8s-metacollector.fullname" . }} + labels: + {{- include "k8s-metacollector.labels" . | nindent 4 }} +rules: + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - endpoints + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + {{- end }} diff --git a/falco/charts/k8s-metacollector/templates/clusterrolebinding.yaml b/falco/charts/k8s-metacollector/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..fa37ef7 --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "k8s-metacollector.fullname" . }} + labels: + {{- include "k8s-metacollector.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "k8s-metacollector.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "k8s-metacollector.serviceAccountName" . }} + namespace: {{ include "k8s-metacollector.namespace" . }} + {{- end }} diff --git a/falco/charts/k8s-metacollector/templates/collector-dashboard-grafana.yaml b/falco/charts/k8s-metacollector/templates/collector-dashboard-grafana.yaml new file mode 100644 index 0000000..857fe6b --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/collector-dashboard-grafana.yaml 
@@ -0,0 +1,21 @@ +{{- if .Values.grafana.dashboards.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.grafana.dashboards.configMaps.collector.name }} + {{ if .Values.grafana.dashboards.configMaps.collector.namespace }} + namespace: {{ .Values.grafana.dashboards.configMaps.collector.namespace }} + {{- else -}} + namespace: {{ include "k8s-metacollector.namespace" . }} + {{- end }} + labels: + grafana_dashboard: "1" + {{- if .Values.grafana.dashboards.configMaps.collector.folder }} + annotations: + k8s-sidecar-target-directory: /tmp/dashboards/{{ .Values.grafana.dashboards.configMaps.collector.folder}} + grafana_dashboard_folder: {{ .Values.grafana.dashboards.configMaps.collector.folder }} + {{- end }} +data: + dashboard.json: |- + {{- .Files.Get "dashboards/k8s-metacollector-dashboard.json" | nindent 4 }} + {{- end -}} diff --git a/falco/charts/k8s-metacollector/templates/deployment.yaml b/falco/charts/k8s-metacollector/templates/deployment.yaml new file mode 100644 index 0000000..896248c --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/deployment.yaml 
@@ -0,0 +1,62 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "k8s-metacollector.fullname" . }} + namespace: {{ include "k8s-metacollector.namespace" . }} + labels: + {{- include "k8s-metacollector.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "k8s-metacollector.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "k8s-metacollector.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "k8s-metacollector.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + image: {{ include "k8s-metacollector.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /meta-collector + args: + - run + ports: + {{- include "k8s-metacollector.containerPorts" . | indent 12}} + {{- with .Values.healthChecks.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12}} + {{- end }} + {{- with .Values.healthChecks.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12}} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/falco/charts/k8s-metacollector/templates/service.yaml b/falco/charts/k8s-metacollector/templates/service.yaml new file mode 100644 index 0000000..ff2076b --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/service.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "k8s-metacollector.fullname" . }} + namespace: {{ include "k8s-metacollector.namespace" . }} + labels: + {{- include "k8s-metacollector.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + {{- include "k8s-metacollector.servicePorts" . | indent 4 }} + selector: + {{- include "k8s-metacollector.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/falco/charts/k8s-metacollector/templates/serviceaccount.yaml b/falco/charts/k8s-metacollector/templates/serviceaccount.yaml new file mode 100644 index 0000000..35051a9 --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "k8s-metacollector.serviceAccountName" . }} + namespace: {{ include "k8s-metacollector.namespace" . }} + labels: + {{- include "k8s-metacollector.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/falco/charts/k8s-metacollector/templates/servicemonitor.yaml b/falco/charts/k8s-metacollector/templates/servicemonitor.yaml new file mode 100644 index 0000000..50d3535 --- /dev/null +++ b/falco/charts/k8s-metacollector/templates/servicemonitor.yaml 
@@ -0,0 +1,47 @@ +{{- if .Values.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "k8s-metacollector.fullname" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ tpl .Values.serviceMonitor.namespace . }} + {{- else }} + namespace: {{ include "k8s-metacollector.namespace" . }} + {{- end }} + labels: + {{- include "k8s-metacollector.labels" . | nindent 4 }} + {{- with .Values.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.service.ports.metrics.targetPort }} + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + honorLabels: true + path: {{ .Values.serviceMonitor.path }} + scheme: {{ .Values.serviceMonitor.scheme }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + jobLabel: "{{ .Release.Name }}" + selector: + matchLabels: + {{- include "k8s-metacollector.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ include "k8s-metacollector.namespace" . }} + {{- with .Values.serviceMonitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/falco/charts/k8s-metacollector/tests/unit/chartInfo.go b/falco/charts/k8s-metacollector/tests/unit/chartInfo.go new file mode 100644 index 0000000..11b4b3d --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/chartInfo.go 
@@ -0,0 +1,34 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "gopkg.in/yaml.v3" +) + +func chartInfo(t *testing.T, chartPath string) (map[string]interface{}, error) { + // Get chart info. + output, err := helm.RunHelmCommandAndGetOutputE(t, &helm.Options{}, "show", "chart", chartPath) + if err != nil { + return nil, err + } + chartInfo := map[string]interface{}{} + err = yaml.Unmarshal([]byte(output), &chartInfo) + return chartInfo, err +} diff --git a/falco/charts/k8s-metacollector/tests/unit/commonMetaFields_test.go b/falco/charts/k8s-metacollector/tests/unit/commonMetaFields_test.go new file mode 100644 index 0000000..17b3f92 --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/commonMetaFields_test.go 
@@ -0,0 +1,222 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "path/filepath" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" +) + +type commonMetaFieldsTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestCommonMetaFields(t *testing.T) { + t.Parallel() + // Template files that will be rendered. 
+ templateFiles := []string{ + "templates/clusterrole.yaml", + "templates/clusterrolebinding.yaml", + "templates/deployment.yaml", + "templates/service.yaml", + "templates/serviceaccount.yaml", + "templates/servicemonitor.yaml", + } + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &commonMetaFieldsTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "releasename-test", + namespace: "metacollector-test", + templates: templateFiles, + }) +} + +func (s *commonMetaFieldsTest) TestNameOverride() { + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + chartName, found := cInfo["name"] + s.True(found) + + testCases := []struct { + name string + values map[string]string + expected string + }{ + { + "defaultValues, release name does not contain chart name", + map[string]string{ + "serviceMonitor.create": "true", + }, + fmt.Sprintf("%s-%s", s.releaseName, chartName), + }, + { + "overrideFullName", + map[string]string{ + "fullnameOverride": "metadata", + "serviceMonitor.create": "true", + }, + "metadata", + }, + { + "overrideFullName, longer than 63 chars", + map[string]string{ + "fullnameOverride": "aVeryLongNameForTheReleaseThatIsLongerThanSixtyThreeCharsaVeryLongNameForTheReleaseThatIsLongerThanSixtyThreeChars", + "serviceMonitor.create": "true", + }, + "aVeryLongNameForTheReleaseThatIsLongerThanSixtyThreeCharsaVeryL", + }, + { + "overrideName, not containing release name", + map[string]string{ + "nameOverride": "metadata", + "serviceMonitor.create": "true", + }, + fmt.Sprintf("%s-metadata", s.releaseName), + }, + + { + "overrideName, release name contains the name", + map[string]string{ + "nameOverride": "releasename", + "serviceMonitor.create": "true", + }, + s.releaseName, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + for _, template := range 
s.templates { + // Render the current template. + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, []string{template}) + // Unmarshal output to a map. + var resource unstructured.Unstructured + helm.UnmarshalK8SYaml(s.T(), output, &resource) + + s.Equal(testCase.expected, resource.GetName(), "should be equal") + } + }) + } +} + +func (s *commonMetaFieldsTest) TestNamespaceOverride() { + testCases := []struct { + name string + values map[string]string + expected string + }{ + { + "defaultValues", + map[string]string{ + "serviceMonitor.create": "true", + }, + "default", + }, + { + "overrideNamespace", + map[string]string{ + "namespaceOverride": "metacollector", + "serviceMonitor.create": "true", + }, + "metacollector", + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + for _, template := range s.templates { + // Render the current template. + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, []string{template}) + // Unmarshal output to a map. + var resource unstructured.Unstructured + helm.UnmarshalK8SYaml(s.T(), output, &resource) + if resource.GetKind() == "ClusterRole" || resource.GetKind() == "ClusterRoleBinding" { + continue + } + s.Equal(testCase.expected, resource.GetNamespace(), "should be equal") + } + }) + } +} + +// TestLabels tests that all rendered resources have the same base set of labels. +func (s *commonMetaFieldsTest) TestLabels() { + // Get chart info. + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. 
+ chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/component": "metadata-collector", + } + + // Adjust the values to render all components. + options := helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}} + + for _, template := range s.templates { + // Render the current template. + output := helm.RenderTemplate(s.T(), &options, s.chartPath, s.releaseName, []string{template}) + // Unmarshal output to a map. + var resource unstructured.Unstructured + helm.UnmarshalK8SYaml(s.T(), output, &resource) + labels := resource.GetLabels() + s.Len(labels, len(expectedLabels), "should have the same number of labels") + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } + } +} diff --git a/falco/charts/k8s-metacollector/tests/unit/defaultResources_test.go b/falco/charts/k8s-metacollector/tests/unit/defaultResources_test.go new file mode 100644 index 0000000..9697412 --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/defaultResources_test.go 
@@ -0,0 +1,76 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "path/filepath" + "regexp" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "k8s.io/utils/strings/slices" +) + +const chartPath = "../../" + +// Using the default values we want to test that all the expected resources are rendered. +func TestRenderedResourcesWithDefaultValues(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + releaseName := "rendered-resources" + + // Template files that we expect to be rendered. + templateFiles := []string{ + "clusterrole.yaml", + "clusterrolebinding.yaml", + "deployment.yaml", + "service.yaml", + "serviceaccount.yaml", + } + + require.NoError(t, err) + + options := &helm.Options{} + + // Template the chart using the default values.yaml file. + output, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, nil) + require.NoError(t, err) + + // Extract all rendered files from the output. + pattern := `# Source: k8s-metacollector/templates/([^\n]+)` + re := regexp.MustCompile(pattern) + matches := re.FindAllStringSubmatch(output, -1) + + var renderedTemplates []string + for _, match := range matches { + // Filter out test templates. 
+ if !strings.Contains(match[1], "test-") { + renderedTemplates = append(renderedTemplates, match[1]) + } + } + + // Assert that the rendered resources are equal tho the expected ones. + require.Equal(t, len(renderedTemplates), len(templateFiles), "should be equal") + + for _, rendered := range renderedTemplates { + require.True(t, slices.Contains(templateFiles, rendered), "template files should contain all the rendered files") + } +} diff --git a/falco/charts/k8s-metacollector/tests/unit/deploymentTemplate_test.go b/falco/charts/k8s-metacollector/tests/unit/deploymentTemplate_test.go new file mode 100644 index 0000000..4b3fa1c --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/deploymentTemplate_test.go 
@@ -0,0 +1,862 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "encoding/json" + "fmt" + "path/filepath" + "reflect" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" +) + +type deploymentTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestDeploymentTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &deploymentTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "k8s-metacollector-test", + namespace: "metacollector-test", + templates: []string{"templates/deployment.yaml"}, + }) +} + +func (s *deploymentTemplateTest) TestImage() { + // Get chart info. + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Extract the appVersion. 
+ appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version from chart info") + + testCases := []struct { + name string + values map[string]string + expected string + }{ + { + "defaultValues", + nil, + fmt.Sprintf("docker.io/falcosecurity/k8s-metacollector:%s", appVersion), + }, + { + "changingImageTag", + map[string]string{ + "image.tag": "testingTag", + }, + "docker.io/falcosecurity/k8s-metacollector:testingTag", + }, + { + "changingImageRepo", + map[string]string{ + "image.repository": "falcosecurity/testingRepository", + }, + fmt.Sprintf("docker.io/falcosecurity/testingRepository:%s", appVersion), + }, + { + "changingImageRegistry", + map[string]string{ + "image.registry": "ghcr.io", + }, + fmt.Sprintf("ghcr.io/falcosecurity/k8s-metacollector:%s", appVersion), + }, + { + "changingAllImageFields", + map[string]string{ + "image.registry": "ghcr.io", + "image.repository": "falcosecurity/testingRepository", + "image.tag": "testingTag", + }, + "ghcr.io/falcosecurity/testingRepository:testingTag", + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + s.Equal(testCase.expected, deployment.Spec.Template.Spec.Containers[0].Image, "should be equal") + }) + } +} + +func (s *deploymentTemplateTest) TestImagePullPolicy() { + testCases := []struct { + name string + values map[string]string + expected string + }{ + { + "defaultValues", + nil, + "IfNotPresent", + }, + { + "changingPullPolicy", + map[string]string{ + "image.pullPolicy": "Always", + }, + "Always", + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + 
subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + s.Equal(testCase.expected, string(deployment.Spec.Template.Spec.Containers[0].ImagePullPolicy), "should be equal") + }) + } +} + +func (s *deploymentTemplateTest) TestImagePullSecrets() { + testCases := []struct { + name string + values map[string]string + expected string + }{ + { + "defaultValues", + nil, + "", + }, + { + "changingPullPolicy", + map[string]string{ + "image.pullSecrets[0].name": "my-pull-secret", + }, + "my-pull-secret", + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + if testCase.expected == "" { + s.Nil(deployment.Spec.Template.Spec.ImagePullSecrets, "should be nil") + } else { + s.Equal(testCase.expected, deployment.Spec.Template.Spec.ImagePullSecrets[0].Name, "should be equal") + } + }) + } +} + +func (s *deploymentTemplateTest) TestServiceAccount() { + testCases := []struct { + name string + values map[string]string + expected string + }{ + { + "defaultValues", + nil, + s.releaseName, + }, + { + "changingServiceAccountName", + map[string]string{ + "serviceAccount.name": "service-account", + }, + "service-account", + }, + { + "disablingServiceAccount", + map[string]string{ + "serviceAccount.create": "false", + }, + "default", + }, + { + "disablingServiceAccountAndSettingName", + map[string]string{ + "serviceAccount.create": "false", + "serviceAccount.name": "service-account", + }, + 
"service-account", + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + s.Equal(testCase.expected, deployment.Spec.Template.Spec.ServiceAccountName, "should be equal") + }) + } +} + +func (s *deploymentTemplateTest) TestPodAnnotations() { + testCases := []struct { + name string + values map[string]string + expected map[string]string + }{ + { + "defaultValues", + nil, + nil, + }, + { + "settingPodAnnotations", + map[string]string{ + "podAnnotations.my-annotation": "annotationValue", + }, + map[string]string{ + "my-annotation": "annotationValue", + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + if testCase.expected == nil { + s.Nil(deployment.Spec.Template.Annotations, "should be nil") + } else { + for key, val := range testCase.expected { + val1 := deployment.Spec.Template.Annotations[key] + s.Equal(val, val1, "should contain all the added annotations") + } + } + }) + } +} + +func (s *deploymentTemplateTest) TestPodSecurityContext() { + testCases := []struct { + name string + values map[string]string + expected func(psc *corev1.PodSecurityContext) + }{ + { + "defaultValues", + nil, + func(psc *corev1.PodSecurityContext) { + s.Equal(true, *psc.RunAsNonRoot, "runAsNonRoot should be set to true") + s.Equal(int64(1000), *psc.RunAsUser, 
"runAsUser should be set to 1000") + s.Equal(int64(1000), *psc.FSGroup, "fsGroup should be set to 1000") + s.Equal(int64(1000), *psc.RunAsGroup, "runAsGroup should be set to 1000") + s.Nil(psc.SELinuxOptions) + s.Nil(psc.WindowsOptions) + s.Nil(psc.SupplementalGroups) + s.Nil(psc.Sysctls) + s.Nil(psc.FSGroupChangePolicy) + s.Nil(psc.SeccompProfile) + }, + }, + { + "changingServiceAccountName", + map[string]string{ + "podSecurityContext": "null", + }, + func(psc *corev1.PodSecurityContext) { + s.Nil(psc, "podSecurityContext should be set to nil") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.SecurityContext) + }) + } +} + +func (s *deploymentTemplateTest) TestContainerSecurityContext() { + testCases := []struct { + name string + values map[string]string + expected func(sc *corev1.SecurityContext) + }{ + { + "defaultValues", + nil, + func(sc *corev1.SecurityContext) { + s.Len(sc.Capabilities.Drop, 1, "capabilities in drop should be set to one") + s.Equal("ALL", string(sc.Capabilities.Drop[0]), "should drop all capabilities") + s.Nil(sc.Capabilities.Add) + s.Nil(sc.Privileged) + s.Nil(sc.SELinuxOptions) + s.Nil(sc.WindowsOptions) + s.Nil(sc.RunAsUser) + s.Nil(sc.RunAsGroup) + s.Nil(sc.RunAsNonRoot) + s.Nil(sc.ReadOnlyRootFilesystem) + s.Nil(sc.AllowPrivilegeEscalation) + s.Nil(sc.ProcMount) + s.Nil(sc.SeccompProfile) + }, + }, + { + "changingServiceAccountName", + map[string]string{ + "containerSecurityContext": "null", + }, + func(sc *corev1.SecurityContext) { + s.Nil(sc, "containerSecurityContext should be set to nil") + }, + }, + } + + for _, 
testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Containers[0].SecurityContext) + }) + } +} + +func (s *deploymentTemplateTest) TestResources() { + testCases := []struct { + name string + values map[string]string + expected func(res corev1.ResourceRequirements) + }{ + { + "defaultValues", + nil, + func(res corev1.ResourceRequirements) { + s.Nil(res.Claims) + s.Nil(res.Requests) + s.Nil(res.Limits) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Containers[0].Resources) + }) + } +} + +func (s *deploymentTemplateTest) TestNodeSelector() { + testCases := []struct { + name string + values map[string]string + expected func(ns map[string]string) + }{ + { + "defaultValues", + nil, + func(ns map[string]string) { + s.Nil(ns, "should be nil") + }, + }, + { + "Setting nodeSelector", + map[string]string{ + "nodeSelector.mySelector": "myNode", + }, + func(ns map[string]string) { + value, ok := ns["mySelector"] + s.True(ok, "should find the key") + s.Equal("myNode", value, "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := 
&helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.NodeSelector) + }) + } +} + +func (s *deploymentTemplateTest) TestTolerations() { + tolerationString := `[ + { + "key": "key1", + "operator": "Equal", + "value": "value1", + "effect": "NoSchedule" + } +]` + var tolerations []corev1.Toleration + + err := json.Unmarshal([]byte(tolerationString), &tolerations) + s.NoError(err) + + testCases := []struct { + name string + values map[string]string + expected func(tol []corev1.Toleration) + }{ + { + "defaultValues", + nil, + func(tol []corev1.Toleration) { + s.Nil(tol, "should be nil") + }, + }, + { + "Setting tolerations", + map[string]string{ + "tolerations": tolerationString, + }, + func(tol []corev1.Toleration) { + s.Len(tol, 1, "should have only one toleration") + s.True(reflect.DeepEqual(tol[0], tolerations[0]), "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetJsonValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Tolerations) + }) + } +} + +func (s *deploymentTemplateTest) TestAffinity() { + affinityString := `{ + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchExpressions": [ + { + "key": "disktype", + "operator": "In", + "values": [ + "ssd" + ] + } + ] + } + ] + } + } +}` + var affinity corev1.Affinity + + err := json.Unmarshal([]byte(affinityString), &affinity) + 
s.NoError(err) + + testCases := []struct { + name string + values map[string]string + expected func(aff *corev1.Affinity) + }{ + { + "defaultValues", + nil, + func(aff *corev1.Affinity) { + s.Nil(aff, "should be nil") + }, + }, + { + "Setting affinity", + map[string]string{ + "affinity": affinityString, + }, + func(aff *corev1.Affinity) { + s.True(reflect.DeepEqual(affinity, *aff), "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetJsonValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Affinity) + }) + } +} + +func (s *deploymentTemplateTest) TestLiveness() { + livenessProbeString := `{ + "httpGet": { + "path": "/healthz", + "port": 8081 + }, + "initialDelaySeconds": 45, + "timeoutSeconds": 5, + "periodSeconds": 15 +}` + var liveness corev1.Probe + + err := json.Unmarshal([]byte(livenessProbeString), &liveness) + s.NoError(err) + + testCases := []struct { + name string + values map[string]string + expected func(probe *corev1.Probe) + }{ + { + "defaultValues", + nil, + func(probe *corev1.Probe) { + s.True(reflect.DeepEqual(*probe, liveness), "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetJsonValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Containers[0].LivenessProbe) + }) + } +} + +func (s 
*deploymentTemplateTest) TestReadiness() { + readinessProbeString := `{ + "httpGet": { + "path": "/readyz", + "port": 8081 + }, + "initialDelaySeconds": 30, + "timeoutSeconds": 5, + "periodSeconds": 15 +}` + var readiness corev1.Probe + + err := json.Unmarshal([]byte(readinessProbeString), &readiness) + s.NoError(err) + + testCases := []struct { + name string + values map[string]string + expected func(probe *corev1.Probe) + }{ + { + "defaultValues", + nil, + func(probe *corev1.Probe) { + s.True(reflect.DeepEqual(*probe, readiness), "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetJsonValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Containers[0].ReadinessProbe) + }) + } +} + +func (s *deploymentTemplateTest) TestContainerPorts() { + + newPorts := `{ + "enabled": true, + "type": "ClusterIP", + "ports": { + "metrics": { + "port": 8080, + "targetPort": "metrics", + "protocol": "TCP" + }, + "health-probe": { + "port": 8081, + "targetPort": "health-probe", + "protocol": "TCP" + }, + "broker-grpc": { + "port": 45000, + "targetPort": "broker-grpc", + "protocol": "TCP" + }, + "myNewPort": { + "port": 1111, + "targetPort": "myNewPort", + "protocol": "UDP" + } + } +}` + testCases := []struct { + name string + values map[string]string + expected func(p []corev1.ContainerPort) + }{ + { + "defaultValues", + nil, + func(p []corev1.ContainerPort) { + portsJSON := `[ + { + "name": "broker-grpc", + "containerPort": 45000, + "protocol": "TCP" + }, + { + "name": "health-probe", + "containerPort": 8081, + "protocol": "TCP" + }, + { + "name": "metrics", + "containerPort": 8080, + "protocol": "TCP" + 
} +]` + var ports []corev1.ContainerPort + + err := json.Unmarshal([]byte(portsJSON), &ports) + s.NoError(err) + s.True(reflect.DeepEqual(ports, p), "should be equal") + }, + }, + { + "addNewPort", + map[string]string{ + "service": newPorts, + }, + func(p []corev1.ContainerPort) { + portsJSON := `[ + { + "name": "broker-grpc", + "containerPort": 45000, + "protocol": "TCP" + }, + { + "name": "health-probe", + "containerPort": 8081, + "protocol": "TCP" + }, + { + "name": "metrics", + "containerPort": 8080, + "protocol": "TCP" + }, + { + "name": "myNewPort", + "containerPort": 1111, + "protocol": "UDP" + } +]` + var ports []corev1.ContainerPort + + err := json.Unmarshal([]byte(portsJSON), &ports) + s.NoError(err) + s.True(reflect.DeepEqual(ports, p), "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetJsonValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + testCase.expected(deployment.Spec.Template.Spec.Containers[0].Ports) + }) + } +} + +func (s *deploymentTemplateTest) TestReplicaCount() { + testCases := []struct { + name string + values map[string]string + expected int32 + }{ + { + "defaultValues", + nil, + 1, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(subT, output, &deployment) + + s.Equal(testCase.expected, (*deployment.Spec.Replicas), "should be equal") + }) + } +} 
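Review bot: the default-values case in TestContainerSecurityContext pins the chart to a container security context that leaves AllowPrivilegeEscalation, ReadOnlyRootFilesystem and SeccompProfile unset (`s.Nil(sc.AllowPrivilegeEscalation)`, `s.Nil(sc.ReadOnlyRootFilesystem)`, `s.Nil(sc.SeccompProfile)`), and TestPodSecurityContext does the same for the pod-level seccomp profile (`s.Nil(psc.SeccompProfile)`). Dropping ALL capabilities and running as uid/gid 1000 with runAsNonRoot is a good baseline, but a pod with exactly these defaults would still be rejected by the restricted Pod Security Standard, which requires allowPrivilegeEscalation: false and a RuntimeDefault or Localhost seccomp profile. If the chart is meant to run under that profile, set those fields in the default values and turn the assertions into `s.False(*sc.AllowPrivilegeEscalation)` plus a non-nil seccomp profile; if the omission is deliberate, a one-line comment here would stop the next reader from reading the Nil checks as the intended hardening baseline. Two smaller copy-paste issues in the same hunk: the second case of TestImagePullSecrets is named "changingPullPolicy" although it sets `image.pullSecrets[0].name`, and the null cases in both security-context tests are named "changingServiceAccountName"; also the bare dereferences in the default case (`*psc.RunAsNonRoot`, `*psc.RunAsUser`, `*psc.FSGroup`) panic instead of reporting a clean failure if the template ever drops one of those fields, so an `s.Require().NotNil(...)` guard first would give a readable diff.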
diff --git a/falco/charts/k8s-metacollector/tests/unit/grafanaDashboards_test.go b/falco/charts/k8s-metacollector/tests/unit/grafanaDashboards_test.go new file mode 100644 index 0000000..50b7f61 --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/grafanaDashboards_test.go 
@@ -0,0 +1,144 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "io" + "os" + "path/filepath" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" +) + +type grafanaDashboardsTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestGrafanaDashboardsTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &grafanaDashboardsTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "k8s-metacollector-test", + namespace: "metacollector-test", + templates: []string{"templates/collector-dashboard-grafana.yaml"}, + }) +} + +func (g *grafanaDashboardsTemplateTest) TestCreationDefaultValues() { + // Render the dashboard configmap and check that it has not been rendered. 
+ _, err := helm.RenderTemplateE(g.T(), &helm.Options{}, g.chartPath, g.releaseName, g.templates, fmt.Sprintf("--namespace=%s", g.namespace)) + g.Error(err, "should error") + g.Equal("error while running command: exit status 1; Error: could not find template templates/collector-dashboard-grafana.yaml in chart", err.Error()) +} + +func (g *grafanaDashboardsTemplateTest) TestConfig() { + testCases := []struct { + name string + values map[string]string + expected func(cm *corev1.ConfigMap) + }{ + {"dashboard enabled", + map[string]string{ + "grafana.dashboards.enabled": "true", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("k8s-metacollector-grafana-dashboard", cm.Name) + // Check the namespace. + g.Equal(g.namespace, cm.Namespace) + g.Nil(cm.Annotations) + }, + }, + {"namespace", + map[string]string{ + "grafana.dashboards.enabled": "true", + "grafana.dashboards.configMaps.collector.namespace": "custom-namespace", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("k8s-metacollector-grafana-dashboard", cm.Name) + // Check the namespace. + g.Equal("custom-namespace", cm.Namespace) + g.Nil(cm.Annotations) + }, + }, + {"folder", + map[string]string{ + "grafana.dashboards.enabled": "true", + "grafana.dashboards.configMaps.collector.folder": "custom-folder", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("k8s-metacollector-grafana-dashboard", cm.Name) + g.NotNil(cm.Annotations) + g.Len(cm.Annotations, 2) + // Check sidecar annotation. + val, ok := cm.Annotations["k8s-sidecar-target-directory"] + g.True(ok) + g.Equal("/tmp/dashboards/custom-folder", val) + // Check grafana annotation. 
+ val, ok = cm.Annotations["grafana_dashboard_folder"] + g.True(ok) + g.Equal("custom-folder", val) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + g.Run(testCase.name, func() { + subT := g.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + + // Render the configmap unmarshal it. + output, err := helm.RenderTemplateE(subT, options, g.chartPath, g.releaseName, g.templates, "--namespace="+g.namespace) + g.NoError(err, "should succeed") + var cfgMap corev1.ConfigMap + helm.UnmarshalK8SYaml(subT, output, &cfgMap) + + // Common checks + // Check that contains the right label. + g.Contains(cfgMap.Labels, "grafana_dashboard") + // Check that the dashboard is contained in the config map. + file, err := os.Open("../../dashboards/k8s-metacollector-dashboard.json") + g.NoError(err) + content, err := io.ReadAll(file) + g.NoError(err) + cfgData, ok := cfgMap.Data["dashboard.json"] + g.True(ok) + g.Equal(strings.TrimRight(string(content), "\n"), cfgData) + testCase.expected(&cfgMap) + }) + } +} diff --git a/falco/charts/k8s-metacollector/tests/unit/serviceAccountTemplate_test.go b/falco/charts/k8s-metacollector/tests/unit/serviceAccountTemplate_test.go new file mode 100644 index 0000000..b208f60 --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/serviceAccountTemplate_test.go 
@@ -0,0 +1,172 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "path/filepath" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" +) + +// Type used to implement the testing suite for service account +// and the related resources: clusterrole, clusterrolebinding +type serviceAccountTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestServiceAccountTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &serviceAccountTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "k8s-metacollector-test", + namespace: "metacollector-test", + templates: []string{"templates/serviceaccount.yaml"}, + }) +} + +func (s *serviceAccountTemplateTest) TestSVCAccountResourceCreation() { + testCases := []struct { + name string + values map[string]string + }{ + {"defaultValues", + nil, + }, + {"changeName", + map[string]string{ + "serviceAccount.name": "TestName", + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := 
&helm.Options{SetValues: testCase.values} + + // Render the service account and unmarshal it. + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + var svcAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(subT, output, &svcAccount) + + // Render the clusterRole and unmarshal it. + output, err = helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, []string{"templates/clusterrole.yaml"}) + s.NoError(err, "should succeed") + var clusterRole rbacv1.ClusterRole + helm.UnmarshalK8SYaml(subT, output, &clusterRole) + + output, err = helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, []string{"templates/clusterrolebinding.yaml"}) + s.NoError(err, "should succeed") + var clusterRoleBinding rbacv1.ClusterRoleBinding + helm.UnmarshalK8SYaml(subT, output, &clusterRoleBinding) + + // Check that clusterRoleBinding references the right svc account. + s.Equal(svcAccount.Name, clusterRoleBinding.Subjects[0].Name, "should be the same") + s.Equal(svcAccount.Namespace, clusterRoleBinding.Subjects[0].Namespace, "should be the same") + + // Check that clusterRobeBinding references the right clusterRole. + s.Equal(clusterRole.Name, clusterRoleBinding.RoleRef.Name) + + if testCase.values != nil { + s.Equal("TestName", svcAccount.Name) + } + }) + } +} + +func (s *serviceAccountTemplateTest) TestSVCAccountResourceNonCreation() { + options := &helm.Options{SetValues: map[string]string{"serviceAccount.create": "false"}} + // Render the service account and unmarshal it. + _, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/serviceaccount.yaml in chart", err.Error()) + + // Render the clusterRole and unmarshal it. 
+ _, err = helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, []string{"templates/clusterrole.yaml"}) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/clusterrole.yaml in chart", err.Error()) + + _, err = helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, []string{"templates/clusterrolebinding.yaml"}) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/clusterrolebinding.yaml in chart", err.Error()) +} + +func (s *serviceAccountTemplateTest) TestSVCAccountAnnotations() { + testCases := []struct { + name string + values map[string]string + expected map[string]string + }{ + { + "defaultValues", + nil, + nil, + }, + { + "settingSvcAccountAnnotations", + map[string]string{ + "serviceAccount.annotations.my-annotation": "annotationValue", + }, + map[string]string{ + "my-annotation": "annotationValue", + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + // Render the service account and unmarshal it. + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + var svcAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(subT, output, &svcAccount) + + if testCase.expected == nil { + s.Nil(svcAccount.Annotations, "should be nil") + } else { + for key, val := range testCase.expected { + val1 := svcAccount.Annotations[key] + s.Equal(val, val1, "should contain all the added annotations") + } + } + }) + } +} diff --git a/falco/charts/k8s-metacollector/tests/unit/serviceMonitorTemplate_test.go b/falco/charts/k8s-metacollector/tests/unit/serviceMonitorTemplate_test.go new file mode 100644 index 0000000..865e7a0 --- /dev/null 
+++ b/falco/charts/k8s-metacollector/tests/unit/serviceMonitorTemplate_test.go 
@@ -0,0 +1,93 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "encoding/json" + "path/filepath" + "reflect" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" +) + +type serviceMonitorTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestServiceMonitorTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &serviceMonitorTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "k8s-metacollector-test", + namespace: "metacollector-test", + templates: []string{"templates/servicemonitor.yaml"}, + }) +} + +func (s *serviceMonitorTemplateTest) TestCreationDefaultValues() { + // Render the servicemonitor and check that it has not been rendered. 
+ _, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/servicemonitor.yaml in chart", err.Error()) +} + +func (s *serviceMonitorTemplateTest) TestEndpoint() { + defaultEndpointsJSON := `[ + { + "port": "metrics", + "interval": "15s", + "scrapeTimeout": "10s", + "honorLabels": true, + "path": "/metrics", + "scheme": "http" + } +]` + var defaultEndpoints []monitoringv1.Endpoint + err := json.Unmarshal([]byte(defaultEndpointsJSON), &defaultEndpoints) + s.NoError(err) + + options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}} + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, s.templates) + + var svcMonitor monitoringv1.ServiceMonitor + helm.UnmarshalK8SYaml(s.T(), output, &svcMonitor) + + s.Len(svcMonitor.Spec.Endpoints, 1, "should have only one endpoint") + s.True(reflect.DeepEqual(svcMonitor.Spec.Endpoints[0], defaultEndpoints[0])) +} + +func (s *serviceMonitorTemplateTest) TestNamespaceSelector() { + options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}} + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, s.templates) + + var svcMonitor monitoringv1.ServiceMonitor + helm.UnmarshalK8SYaml(s.T(), output, &svcMonitor) + s.Len(svcMonitor.Spec.NamespaceSelector.MatchNames, 1) + s.Equal("default", svcMonitor.Spec.NamespaceSelector.MatchNames[0]) +} diff --git a/falco/charts/k8s-metacollector/tests/unit/serviceTemplate_test.go b/falco/charts/k8s-metacollector/tests/unit/serviceTemplate_test.go new file mode 100644 index 0000000..5f7fbd1 --- /dev/null +++ b/falco/charts/k8s-metacollector/tests/unit/serviceTemplate_test.go 
@@ -0,0 +1,220 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "encoding/json" + "path/filepath" + "reflect" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" +) + +type serviceTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestServiceTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &serviceTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "test", + namespace: "metacollector-test", + templates: []string{"templates/service.yaml"}, + }) +} + +func (s *serviceTemplateTest) TestServiceCreateFalse() { + options := &helm.Options{SetValues: map[string]string{"service.create": "false"}} + // Render the service account and unmarshal it. 
+ _, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error()) +} + +func (s *serviceTemplateTest) TestServiceType() { + testCases := []struct { + name string + values map[string]string + expected string + }{ + {"defaultValues", + nil, + "ClusterIP", + }, + {"NodePort", + map[string]string{ + "service.type": "NodePort", + }, + "NodePort", + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + + // Render the service and unmarshal it. + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + var svc corev1.Service + helm.UnmarshalK8SYaml(subT, output, &svc) + + s.Equal(testCase.expected, string(svc.Spec.Type)) + }) + } +} + +func (s *serviceTemplateTest) TestServicePorts() { + newPorts := `{ + "enabled": true, + "type": "ClusterIP", + "ports": { + "metrics": { + "port": 8080, + "targetPort": "metrics", + "protocol": "TCP" + }, + "health-probe": { + "port": 8081, + "targetPort": "health-probe", + "protocol": "TCP" + }, + "broker-grpc": { + "port": 45000, + "targetPort": "broker-grpc", + "protocol": "TCP" + }, + "myNewPort": { + "port": 1111, + "targetPort": "myNewPort", + "protocol": "UDP" + } + } +}` + testCases := []struct { + name string + values map[string]string + expected func(p []corev1.ServicePort) + }{ + { + "defaultValues", + nil, + func(p []corev1.ServicePort) { + portsJSON := `[ + { + "name": "broker-grpc", + "port": 45000, + "protocol": "TCP", + "targetPort": "broker-grpc" + }, + { + "name": "health-probe", + "port": 8081, + "protocol": "TCP", + "targetPort": "health-probe" + }, + { + "name": "metrics", + "port": 8080, + "protocol": "TCP", + 
"targetPort": "metrics" + } +]` + var ports []corev1.ServicePort + + err := json.Unmarshal([]byte(portsJSON), &ports) + s.NoError(err) + s.True(reflect.DeepEqual(ports, p), "should be equal") + }, + }, + { + "addNewPort", + map[string]string{ + "service": newPorts, + }, + func(p []corev1.ServicePort) { + portsJSON := `[ + { + "name": "broker-grpc", + "port": 45000, + "protocol": "TCP", + "targetPort": "broker-grpc" + }, + { + "name": "health-probe", + "port": 8081, + "protocol": "TCP", + "targetPort": "health-probe" + }, + { + "name": "metrics", + "port": 8080, + "protocol": "TCP", + "targetPort": "metrics" + }, + { + "name": "myNewPort", + "port": 1111, + "protocol": "UDP", + "targetPort": "myNewPort" + } +]` + var ports []corev1.ServicePort + + err := json.Unmarshal([]byte(portsJSON), &ports) + s.NoError(err) + s.True(reflect.DeepEqual(ports, p), "should be equal") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetJsonValues: testCase.values} + output, err := helm.RenderTemplateE(subT, options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should succeed") + + var svc corev1.Service + helm.UnmarshalK8SYaml(subT, output, &svc) + + testCase.expected(svc.Spec.Ports) + }) + } +} diff --git a/falco/charts/k8s-metacollector/values.yaml b/falco/charts/k8s-metacollector/values.yaml new file mode 100644 index 0000000..b6dcc25 --- /dev/null +++ b/falco/charts/k8s-metacollector/values.yaml 
@@ -0,0 +1,202 @@ +# Default values for k8s-metacollector. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- replicaCount is the number of identical copies of the k8s-metacollector. +replicaCount: 1 + +# -- image is the configuration for the k8s-metacollector image. +image: + # -- pullPolicy is the policy used to determine when a node should attempt to pull the container image. + pullPolicy: IfNotPresent + # -- pullSecects a list of secrets containing credentials used when pulling from private/secure registries. + pullSecrets: [] + # -- registry is the image registry to pull from. + registry: docker.io + # -- repository is the image repository to pull from + repository: falcosecurity/k8s-metacollector + # -- tag is image tag to pull. Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- nameOverride is the new name used to override the release name used for k8s-metacollector components. +nameOverride: "" +# -- fullNameOverride same as nameOverride but for the full name. +fullnameOverride: "" +# -- namespaceOverride overrides the deployment namespace. It's useful for multi-namespace deployments in combined charts. +namespaceOverride: "" + + +# -- serviceAccount is the configuration for the service account. +serviceAccount: + # -- create specifies whether a service account should be created. + create: true + # -- annotations to add to the service account. + annotations: {} + # -- name is name of the service account to use. + # -- If not set and create is true, a name is generated using the full name template. + name: "" + +# -- podAnnotations are custom annotations to be added to the pod. +podAnnotations: {} + +# -- podSecurityContext holds the security settings for the pod. +# -- These settings are override by the ones specified for the container when there is overlap. +podSecurityContext: + # -- runAsNonRoot when set to true enforces that the specified container runs as a non-root user. 
+ runAsNonRoot: true + # -- runAsUser specifies the user ID (UID) that the containers inside the pod should run as. + runAsUser: 1000 + # -- runAsGroup specifies the group ID (GID) that the containers inside the pod should run as. + runAsGroup: 1000 + # -- fsGroup specifies the group ID (GID) that should be used for the volume mounted within a Pod. + fsGroup: 1000 + +# -- containerSecurityContext holds the security settings for the container. +containerSecurityContext: + # -- capabilities fine-grained privileges that can be assigned to processes. + capabilities: + # -- drop drops the given set of privileges. + drop: + - ALL + +# -- service exposes the k8s-metacollector services to be accessed from within the cluster. +# ref: https://kubernetes.io/docs/concepts/services-networking/service/ +service: + # -- enabled specifies whether a service should be created. + create: true + # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible + # from within the cluster. + type: ClusterIP + # -- ports denotes all the ports on which the Service will listen. + ports: + # -- metrics denotes a listening service named "metrics". + metrics: + # -- port is the port on which the Service will listen. + port: 8080 + # -- targetPort is the port on which the Pod is listening. + targetPort: "metrics" + # -- protocol specifies the network protocol that the Service should use for the associated port. + protocol: "TCP" + # -- health-probe denotes a listening service named "health-probe" + health-probe: + # -- port is the port on which the Service will listen. + port: 8081 + # -- targetPort is the port on which the Pod is listening. + targetPort: "health-probe" + # -- protocol specifies the network protocol that the Service should use for the associated port. + protocol: "TCP" + # -- broker-grpc denotes a listening service named "grpc-broker" + broker-grpc: + # -- port is the port on which the Service will listen. 
+ port: 45000 + # -- targetPort is the port on which the Pod is listening. + targetPort: "broker-grpc" + # -- protocol specifies the network protocol that the Service should use for the associated port. + protocol: "TCP" + +# -- serviceMonitor holds the configuration for the ServiceMonitor CRD. +# A ServiceMonitor is a custom resource definition (CRD) used to configure how Prometheus should +# discover and scrape metrics from the k8s-metacollector service. +serviceMonitor: + # -- create specifies whether a ServiceMonitor CRD should be created for a prometheus operator. + # https://github.com/coreos/prometheus-operator + # Enable it only if the ServiceMonitor CRD is installed in your cluster. + create: false + # -- path at which the metrics are expose by the k8s-metacollector. + path: /metrics + # -- labels set of labels to be applied to the ServiceMonitor resource. + # If your Prometheus deployment is configured to use serviceMonitorSelector, then add the right + # label here in order for the ServiceMonitor to be selected for target discovery. + labels: {} + # -- interval specifies the time interval at which Prometheus should scrape metrics from the service. + interval: 15s + # -- scheme specifies network protocol used by the metrics endpoint. In this case HTTP. + scheme: http + # -- tlsConfig specifies TLS (Transport Layer Security) configuration for secure communication when + # scraping metrics from a service. It allows you to define the details of the TLS connection, such as + # CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support + # TLS configuration for the metrics endpoint. + tlsConfig: {} + # insecureSkipVerify: false + # caFile: /path/to/ca.crt + # certFile: /path/to/client.crt + # keyFile: /path/to/client.key + # -- scrapeTimeout determines the maximum time Prometheus should wait for a target to respond to a scrape request. 
+ # If the target does not respond within the specified timeout, Prometheus considers the scrape as failed for + # that target. + scrapeTimeout: 10s + # -- relabelings configures the relabeling rules to apply the target’s metadata labels. + relabelings: [] + # -- targetLabels defines the labels which are transferred from the associated Kubernetes service object onto the ingested metrics. + targetLabels: [] + +# -- resources defines the computing resources (CPU and memory) that are allocated to the containers running within the Pod. +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes +# for the Pod to be eligible for scheduling on that node. +nodeSelector: {} + +# -- tolerations are applied to pods and allow them to be scheduled on nodes with matching taints. +tolerations: [] + +# -- affinity allows pod placement based on node characteristics, or any other custom labels assigned to nodes. +affinity: {} + +# -- healthChecks contains the configuration for liveness and readiness probes. +healthChecks: + # -- livenessProbe is a diagnostic mechanism used to determine wether a container within a Pod is still running and healthy. + livenessProbe: + # -- httpGet specifies that the liveness probe will make an HTTP GET request to check the health of the container. + httpGet: + # -- path is the specific endpoint on which the HTTP GET request will be made. + path: /healthz + # -- port is the port on which the container exposes the "/healthz" endpoint. 
+ port: 8081 + # -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. + initialDelaySeconds: 45 + # -- timeoutSeconds is the number of seconds after which the probe times out. + timeoutSeconds: 5 + # -- periodSeconds specifies the interval at which the liveness probe will be repeated. + periodSeconds: 15 + # -- readinessProbe is a mechanism used to determine whether a container within a Pod is ready to serve traffic. + readinessProbe: + # -- httpGet specifies that the readiness probe will make an HTTP GET request to check whether the container is ready. + httpGet: + # -- path is the specific endpoint on which the HTTP GET request will be made. + path: /readyz + # -- port is the port on which the container exposes the "/readyz" endpoint. + port: 8081 + # -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe. + initialDelaySeconds: 30 + # -- timeoutSeconds is the number of seconds after which the probe times out. + timeoutSeconds: 5 + # -- periodSeconds specifies the interval at which the readiness probe will be repeated. + periodSeconds: 15 + +# -- grafana contains the configuration related to grafana. +grafana: + # -- dashboards contains configuration for grafana dashboards. + dashboards: + # -- enabled specifies whether the dashboards should be deployed. + enabled: false + # --configmaps to be deployed that contain a grafana dashboard. + configMaps: + # -- collector contains the configuration for collector's dashboard. + collector: + # -- name specifies the name for the configmap. + name: k8s-metacollector-grafana-dashboard + # -- namespace specifies the namespace for the configmap. + namespace: "" + # -- folder where the dashboard is stored by grafana. + folder: "" diff --git a/falco/ci/ci-values.yaml b/falco/ci/ci-values.yaml new file mode 100644 index 0000000..6b15620 --- /dev/null +++ b/falco/ci/ci-values.yaml 
@@ -0,0 +1,16 @@ +# CI values for Falco. +# The following values will bypass the installation of the kernel module +# and disable the kernel space driver. + +# disable the kernel space driver +driver: + enabled: false + +# make Falco run in userspace only mode +extra: + args: + - --userspace + +# enforce /proc mounting since Falco still tries to scan it +mounts: + enforceProcMount: true diff --git a/falco/templates/NOTES.txt b/falco/templates/NOTES.txt new file mode 100644 index 0000000..b077ff7 --- /dev/null +++ b/falco/templates/NOTES.txt 
@@ -0,0 +1,46 @@ +{{- if eq .Values.controller.kind "daemonset" }} +Falco agents are spinning up on each node in your cluster. After a few +seconds, they are going to start monitoring your containers looking for +security issues. +{{printf "\n" }} +{{- end}} +{{- if .Values.integrations }} +WARNING: The following integrations have been deprecated and removed + - gcscc + - natsOutput + - snsOutput + - pubsubOutput +Consider to use falcosidekick (https://github.com/falcosecurity/falcosidekick) as replacement. +{{- else }} +No further action should be required. +{{- end }} +{{printf "\n" }} + +{{- if not .Values.falcosidekick.enabled }} +Tip: +You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with falcosidekick. +Full list of outputs: https://github.com/falcosecurity/charts/tree/master/charts/falcosidekick. +You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml. +See: https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml for configuration values. + +{{- end}} + + +{{- if (has .Values.driver.kind (list "module" "modern-bpf")) -}} +{{- println }} +WARNING(drivers): +{{- printf "\nThe driver kind: \"%s\" is an alias and might be removed in the future.\n" .Values.driver.kind -}} +{{- $driver := "" -}} +{{- if eq .Values.driver.kind "module" -}} +{{- $driver = "kmod" -}} +{{- else if eq .Values.driver.kind "modern-bpf" -}} +{{- $driver = "modern_ebpf" -}} +{{- end -}} +{{- printf "Please use \"%s\" instead." $driver}} +{{- end -}} + +{{- if and (not (empty .Values.falco.load_plugins)) (or .Values.falcoctl.artifact.follow.enabled .Values.falcoctl.artifact.install.enabled) }} + +WARNING: +{{ printf "It seems you are loading the following plugins %v, please make sure to install them by adding the correct reference to falcoctl.config.artifact.install.refs: %v" .Values.falco.load_plugins .Values.falcoctl.config.artifact.install.refs -}} +{{- end }} \ No newline at end of file 
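Review bot: the plugin warning at the end of NOTES.txt fires whenever `falco.load_plugins` is non-empty and either falcoctl install or follow is enabled, even when every listed plugin already has a matching entry in `falcoctl.config.artifact.install.refs`, so correctly configured users still get told to "make sure to install them". Consider iterating over `.Values.falco.load_plugins` and only warning for names that have no corresponding ref, or rewording the message as informational. Minor style point in the same file: the driver-alias block mixes `{{ printf "\n" }}` and `{{- println }}` for spacing; pick one.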
diff --git a/falco/templates/_helpers.tpl b/falco/templates/_helpers.tpl new file mode 100644 index 0000000..f54d9ee --- /dev/null +++ b/falco/templates/_helpers.tpl 
@@ -0,0 +1,411 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "falco.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "falco.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "falco.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "falco.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "falco.labels" -}} +helm.sh/chart: {{ include "falco.chart" . }} +{{ include "falco.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "falco.selectorLabels" -}} +app.kubernetes.io/name: {{ include "falco.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Renders a value that contains template. 
+Usage: +{{ include "falco.renderTemplate" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "falco.renderTemplate" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "falco.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "falco.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return the proper Falco image name +*/}} +{{- define "falco.image" -}} +{{- with .Values.image.registry -}} + {{- . }}/ +{{- end -}} +{{- .Values.image.repository }}: +{{- .Values.image.tag | default .Chart.AppVersion -}} +{{- end -}} + +{{/* +Return the proper Falco driver loader image name +*/}} +{{- define "falco.driverLoader.image" -}} +{{- with .Values.driver.loader.initContainer.image.registry -}} + {{- . }}/ +{{- end -}} +{{- .Values.driver.loader.initContainer.image.repository }}: +{{- .Values.driver.loader.initContainer.image.tag | default .Chart.AppVersion -}} +{{- end -}} + +{{/* +Return the proper Falcoctl image name +*/}} +{{- define "falcoctl.image" -}} +{{ printf "%s/%s:%s" .Values.falcoctl.image.registry .Values.falcoctl.image.repository .Values.falcoctl.image.tag }} +{{- end -}} + +{{/* +Extract the unixSocket's directory path +*/}} +{{- define "falco.unixSocketDir" -}} +{{- if and .Values.falco.grpc.enabled .Values.falco.grpc.bind_address (hasPrefix "unix://" .Values.falco.grpc.bind_address) -}} +{{- .Values.falco.grpc.bind_address | trimPrefix "unix://" | dir -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for rbac. 
+*/}} +{{- define "rbac.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* + Build http url for falcosidekick. +*/}} +{{- define "falcosidekick.url" -}} +{{- if not .Values.falco.http_output.url -}} + {{- $falcoName := include "falco.fullname" . -}} + {{- $listenPort := .Values.falcosidekick.listenport | default "2801" -}} + {{- if .Values.falcosidekick.fullfqdn -}} + {{- printf "http://%s-falcosidekick.%s.svc.cluster.local:%s" $falcoName .Release.Namespace $listenPort -}} + {{- else -}} + {{- printf "http://%s-falcosidekick:%s" $falcoName $listenPort -}} + {{- end -}} +{{- else -}} + {{- .Values.falco.http_output.url -}} +{{- end -}} +{{- end -}} + + +{{/* +Set appropriate falco configuration if falcosidekick has been configured. +*/}} +{{- define "falco.falcosidekickConfig" -}} +{{- if .Values.falcosidekick.enabled -}} + {{- $_ := set .Values.falco "json_output" true -}} + {{- $_ := set .Values.falco "json_include_output_property" true -}} + {{- $_ := set .Values.falco.http_output "enabled" true -}} + {{- $_ := set .Values.falco.http_output "url" (include "falcosidekick.url" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get port from .Values.falco.grpc.bind_addres. +*/}} +{{- define "grpc.port" -}} +{{- $error := "unable to extract listenPort from .Values.falco.grpc.bind_address. Make sure it is in the correct format" -}} +{{- if and .Values.falco.grpc.enabled .Values.falco.grpc.bind_address (not (hasPrefix "unix://" .Values.falco.grpc.bind_address)) -}} + {{- $tokens := split ":" .Values.falco.grpc.bind_address -}} + {{- if $tokens._1 -}} + {{- $tokens._1 -}} + {{- else -}} + {{- fail $error -}} + {{- end -}} +{{- else -}} + {{- fail $error -}} +{{- end -}} +{{- end -}} + +{{/* +Disable the syscall source if some conditions are met. 
+By default the syscall source is always enabled in falco. If no syscall source is enabled, falco +exits. Here we check that no producers for syscalls event has been configured, and if true +we just disable the sycall source. +*/}} +{{- define "falco.configSyscallSource" -}} +{{- $userspaceDisabled := true -}} +{{- $gvisorDisabled := (ne .Values.driver.kind "gvisor") -}} +{{- $driverDisabled := (not .Values.driver.enabled) -}} +{{- if or (has "-u" .Values.extra.args) (has "--userspace" .Values.extra.args) -}} +{{- $userspaceDisabled = false -}} +{{- end -}} +{{- if and $driverDisabled $userspaceDisabled $gvisorDisabled }} +- --disable-source +- syscall +{{- end -}} +{{- end -}} + +{{/* +We need the falco binary in order to generate the configuration for gVisor. This init container +is deployed within the Falco pod when gVisor is enabled. The image is the same as the one of Falco we are +deploying and the configuration logic is a bash script passed as argument on the fly. This solution should +be temporary and will stay here until we move this logic to the falcoctl tool. +*/}} +{{- define "falco.gvisor.initContainer" -}} +- name: {{ .Chart.Name }}-gvisor-init + image: {{ include "falco.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - /bin/bash + - -c + - | + set -o errexit + set -o nounset + set -o pipefail + + root={{ .Values.driver.gvisor.runsc.root }} + config={{ .Values.driver.gvisor.runsc.config }} + + echo "* Configuring Falco+gVisor integration...". + # Check if gVisor is configured on the node. + echo "* Checking for /host${config} file..." + if [[ -f /host${config} ]]; then + echo "* Generating the Falco configuration..." + /usr/bin/falco --gvisor-generate-config=${root}/falco.sock > /host${root}/pod-init.json + sed -E -i.orig '/"ignore_missing" : true,/d' /host${root}/pod-init.json + if [[ -z $(grep pod-init-config /host${config}) ]]; then + echo "* Updating the runsc config file /host${config}..." 
+ echo " pod-init-config = \"${root}/pod-init.json\"" >> /host${config} + fi + # Endpoint inside the container is different from outside, add + # "/host" to the endpoint path inside the container. + echo "* Setting the updated Falco configuration to /gvisor-config/pod-init.json..." + sed 's/"endpoint" : "\/run/"endpoint" : "\/host\/run/' /host${root}/pod-init.json > /gvisor-config/pod-init.json + else + echo "* File /host${config} not found." + echo "* Please make sure that the gVisor is configured in the current node and/or the runsc root and config file path are correct" + exit -1 + fi + echo "* Falco+gVisor correctly configured." + exit 0 + volumeMounts: + - mountPath: /host{{ .Values.driver.gvisor.runsc.path }} + name: runsc-path + readOnly: true + - mountPath: /host{{ .Values.driver.gvisor.runsc.root }} + name: runsc-root + - mountPath: /host{{ .Values.driver.gvisor.runsc.config }} + name: runsc-config + - mountPath: /gvisor-config + name: falco-gvisor-config +{{- end -}} + + +{{- define "falcoctl.initContainer" -}} +- name: falcoctl-artifact-install + image: {{ include "falcoctl.image" . }} + imagePullPolicy: {{ .Values.falcoctl.image.pullPolicy }} + args: + - artifact + - install + {{- with .Values.falcoctl.artifact.install.args }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.falcoctl.artifact.install.resources }} + resources: + {{- toYaml . | nindent 4 }} + {{- end }} + securityContext: + {{- if .Values.falcoctl.artifact.install.securityContext }} + {{- toYaml .Values.falcoctl.artifact.install.securityContext | nindent 4 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.falcoctl.config.artifact.install.pluginsDir }} + name: plugins-install-dir + - mountPath: {{ .Values.falcoctl.config.artifact.install.rulesfilesDir }} + name: rulesfiles-install-dir + - mountPath: /etc/falcoctl + name: falcoctl-config-volume + {{- with .Values.falcoctl.artifact.install.mounts.volumeMounts }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + env: + {{- if .Values.falcoctl.artifact.install.env }} + {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.install.env "context" $) | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "falcoctl.sidecar" -}} +- name: falcoctl-artifact-follow + image: {{ include "falcoctl.image" . }} + imagePullPolicy: {{ .Values.falcoctl.image.pullPolicy }} + args: + - artifact + - follow + {{- with .Values.falcoctl.artifact.follow.args }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.falcoctl.artifact.follow.resources }} + resources: + {{- toYaml . | nindent 4 }} + {{- end }} + securityContext: + {{- if .Values.falcoctl.artifact.follow.securityContext }} + {{- toYaml .Values.falcoctl.artifact.follow.securityContext | nindent 4 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.falcoctl.config.artifact.follow.pluginsDir }} + name: plugins-install-dir + - mountPath: {{ .Values.falcoctl.config.artifact.follow.rulesfilesDir }} + name: rulesfiles-install-dir + - mountPath: /etc/falcoctl + name: falcoctl-config-volume + {{- with .Values.falcoctl.artifact.follow.mounts.volumeMounts }} + {{- toYaml . | nindent 4 }} + {{- end }} + env: + {{- if .Values.falcoctl.artifact.follow.env }} + {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.follow.env "context" $) | nindent 4 }} + {{- end }} +{{- end -}} + + +{{/* + Build configuration for k8smeta plugin and update the relevant variables. + * The configuration that needs to be built up is the initconfig section: + init_config: + collectorPort: 0 + collectorHostname: "" + nodeName: "" + The falco chart exposes this configuriotino through two variable: + * collectors.kubenetetes.collectorHostname; + * collectors.kubernetes.collectorPort; + If those two variable are not set, then we take those values from the k8smetacollector subchart. 
+ The hostname is built using the name of the service that exposes the collector endpoints and the + port is directly taken form the service's port that exposes the gRPC endpoint. + We reuse the helpers from the k8smetacollector subchart, by passing down the variables. There is a + hardcoded values that is the chart name for the k8s-metacollector chart. + + * The falcoctl configuration is updated to allow plugin artifacts to be installed. The refs in the install + section are updated by adding the reference for the k8s meta plugin that needs to be installed. + NOTE: It seems that the named templates run during the validation process. And then again during the + render fase. In our case we are setting global variable that persist during the various phases. + We need to make the helper idempotent. +*/}} +{{- define "k8smeta.configuration" -}} +{{- if and .Values.collectors.kubernetes.enabled .Values.driver.enabled -}} +{{- $hostname := "" -}} +{{- if .Values.collectors.kubernetes.collectorHostname -}} +{{- $hostname = .Values.collectors.kubernetes.collectorHostname -}} +{{- else -}} +{{- $collectorContext := (dict "Release" .Release "Values" (index .Values "k8s-metacollector") "Chart" (dict "Name" "k8s-metacollector")) -}} +{{- $hostname = printf "%s.%s.svc" (include "k8s-metacollector.fullname" $collectorContext) (include "k8s-metacollector.namespace" $collectorContext) -}} +{{- end -}} +{{- $hasConfig := false -}} +{{- range .Values.falco.plugins -}} +{{- if eq (get . 
"name") "k8smeta" -}} +{{ $hasConfig = true -}} +{{- end -}} +{{- end -}} +{{- if not $hasConfig -}} +{{- $listenPort := default (index .Values "k8s-metacollector" "service" "ports" "broker-grpc" "port") .Values.collectors.kubernetes.collectorPort -}} +{{- $listenPort = int $listenPort -}} +{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}") -}} +{{- $newConfig := append .Values.falco.plugins $pluginConfig -}} +{{- $_ := set .Values.falco "plugins" ($newConfig | uniq) -}} +{{- $loadedPlugins := append .Values.falco.load_plugins "k8smeta" -}} +{{- $_ = set .Values.falco "load_plugins" ($loadedPlugins | uniq) -}} +{{- end -}} +{{- $_ := set .Values.falcoctl.config.artifact.install "refs" ((append .Values.falcoctl.config.artifact.install.refs .Values.collectors.kubernetes.pluginRef) | uniq)}} +{{- $_ = set .Values.falcoctl.config.artifact "allowedTypes" ((append .Values.falcoctl.config.artifact.allowedTypes "plugin") | uniq)}} +{{- end -}} +{{- end -}} + +{{/* +Based on the user input it populates the driver configuration in the falco config map. +*/}} +{{- define "falco.engineConfiguration" -}} +{{- if .Values.driver.enabled -}} +{{- $supportedDrivers := list "kmod" "ebpf" "modern_ebpf" "gvisor" -}} +{{- $aliasDrivers := list "module" "modern-bpf" -}} +{{- if and (not (has .Values.driver.kind $supportedDrivers)) (not (has .Values.driver.kind $aliasDrivers)) -}} +{{- fail (printf "unsupported driver kind: \"%s\". 
Supported drivers %s, alias %s" .Values.driver.kind $supportedDrivers $aliasDrivers) -}} +{{- end -}} +{{- if or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") -}} +{{- $kmodConfig := dict "kind" "kmod" "kmod" (dict "buf_size_preset" .Values.driver.kmod.bufSizePreset "drop_failed_exit" .Values.driver.kmod.dropFailedExit) -}} +{{- $_ := set .Values.falco "engine" $kmodConfig -}} +{{- else if eq .Values.driver.kind "ebpf" -}} +{{- $ebpfConfig := dict "kind" "ebpf" "ebpf" (dict "buf_size_preset" .Values.driver.ebpf.bufSizePreset "drop_failed_exit" .Values.driver.ebpf.dropFailedExit "probe" .Values.driver.ebpf.path) -}} +{{- $_ := set .Values.falco "engine" $ebpfConfig -}} +{{- else if or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf") -}} +{{- $ebpfConfig := dict "kind" "modern_ebpf" "modern_ebpf" (dict "buf_size_preset" .Values.driver.modernEbpf.bufSizePreset "drop_failed_exit" .Values.driver.modernEbpf.dropFailedExit "cpus_for_each_buffer" .Values.driver.modernEbpf.cpusForEachBuffer) -}} +{{- $_ := set .Values.falco "engine" $ebpfConfig -}} +{{- else if eq .Values.driver.kind "gvisor" -}} +{{- $root := printf "/host%s/k8s.io" .Values.driver.gvisor.runsc.root -}} +{{- $gvisorConfig := dict "kind" "gvisor" "gvisor" (dict "config" "/gvisor-config/pod-init.json" "root" $root) -}} +{{- $_ := set .Values.falco "engine" $gvisorConfig -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +It returns "true" if the driver loader has to be enabled, otherwise false. +*/}} +{{- define "driverLoader.enabled" -}} +{{- if or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf") (eq .Values.driver.kind "gvisor") (not .Values.driver.enabled) (not .Values.driver.loader.enabled) -}} +false +{{- else -}} +true +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/falco/templates/certs-secret.yaml b/falco/templates/certs-secret.yaml new file mode 100644 index 0000000..176f157 --- /dev/null 
+++ b/falco/templates/certs-secret.yaml @@ -0,0 +1,19 @@ +{{- with .Values.certs }} +{{- if and .server.key .server.crt .ca.crt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falco.fullname" $ }}-certs + namespace: {{ include "falco.namespace" $ }} + labels: + {{- include "falco.labels" $ | nindent 4 }} +type: Opaque +data: + {{ $key := .server.key }} + server.key: {{ $key | b64enc | quote }} + {{ $crt := .server.crt }} + server.crt: {{ $crt | b64enc | quote }} + falco.pem: {{ print $key $crt | b64enc | quote }} + ca.crt: {{ .ca.crt | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/falco/templates/client-certs-secret.yaml b/falco/templates/client-certs-secret.yaml new file mode 100644 index 0000000..cd643ee --- /dev/null +++ b/falco/templates/client-certs-secret.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falco.fullname" . }}-client-certs + namespace: {{ .Release.Namespace }} + labels: + {{- include "falco.labels" $ | nindent 4 }} +type: Opaque +data: + {{ $key := .Values.certs.client.key }} + client.key: {{ $key | b64enc | quote }} + {{ $crt := .Values.certs.client.crt }} + client.crt: {{ $crt | b64enc | quote }} + falcoclient.pem: {{ print $key $crt | b64enc | quote }} + ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }} + ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }} +{{- end }} diff --git a/falco/templates/configmap.yaml b/falco/templates/configmap.yaml new file mode 100644 index 0000000..118c7f8 --- /dev/null +++ b/falco/templates/configmap.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "falco.fullname" . }} + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} +data: + falco.yaml: |- + {{- include "falco.falcosidekickConfig" . }} + {{- include "k8smeta.configuration" . -}} + {{- include "falco.engineConfiguration" . -}} + {{- toYaml .Values.falco | nindent 4 }} diff --git a/falco/templates/daemonset.yaml b/falco/templates/daemonset.yaml new file mode 100644 index 0000000..503cadd --- /dev/null +++ b/falco/templates/daemonset.yaml @@ -0,0 +1,23 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "falco.fullname" . }} + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} + {{- if .Values.controller.annotations }} + annotations: + {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "falco.selectorLabels" . | nindent 6 }} + template: + {{- include "falco.podTemplate" . | nindent 4 }} + {{- with .Values.controller.daemonset.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/falco/templates/deployment.yaml b/falco/templates/deployment.yaml new file mode 100644 index 0000000..ad761b8 --- /dev/null +++ b/falco/templates/deployment.yaml 
@@ -0,0 +1,23 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "falco.fullname" . }} + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} + {{- if .Values.controller.annotations }} + annotations: + {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.controller.deployment.replicas }} + {{- if .Values.controller.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.controller.deployment.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "falco.selectorLabels" . | nindent 6 }} + template: + {{- include "falco.podTemplate" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/falco/templates/falcoctl-configmap.yaml b/falco/templates/falcoctl-configmap.yaml new file mode 100644 index 0000000..7b769e8 --- /dev/null +++ b/falco/templates/falcoctl-configmap.yaml @@ -0,0 +1,13 @@ +{{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "falco.fullname" . }}-falcoctl + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} +data: + falcoctl.yaml: |- + {{- include "k8smeta.configuration" . -}} + {{- toYaml .Values.falcoctl.config | nindent 4 }} +{{- end }} diff --git a/falco/templates/grpc-service.yaml b/falco/templates/grpc-service.yaml new file mode 100644 index 0000000..cdfbe14 --- /dev/null +++ b/falco/templates/grpc-service.yaml 
@@ -0,0 +1,16 @@ +{{- if and .Values.falco.grpc.enabled .Values.falco.grpc.bind_address (not (hasPrefix "unix://" .Values.falco.grpc.bind_address)) }} +kind: Service +apiVersion: v1 +metadata: + name: {{ include "falco.fullname" . }}-grpc + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} +spec: + clusterIP: None + selector: + {{- include "falco.selectorLabels" . | nindent 4 }} + ports: + - protocol: TCP + port: {{ include "grpc.port" . }} +{{- end }} \ No newline at end of file diff --git a/falco/templates/pod-template.tpl b/falco/templates/pod-template.tpl new file mode 100644 index 0000000..5eb5728 --- /dev/null +++ b/falco/templates/pod-template.tpl 
@@ -0,0 +1,421 @@ +{{- define "falco.podTemplate" -}} +metadata: + name: {{ include "falco.fullname" . }} + labels: + {{- include "falco.selectorLabels" . | nindent 4 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/rules: {{ include (print $.Template.BasePath "/rules-configmap.yaml") . | sha256sum }} + {{- if and .Values.certs (not .Values.certs.existingSecret) }} + checksum/certs: {{ include (print $.Template.BasePath "/certs-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceAccountName: {{ include "falco.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 4}} + {{- end }} + {{- if .Values.driver.enabled }} + {{- if and (eq .Values.driver.kind "ebpf") .Values.driver.ebpf.hostNetwork }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + {{- end }} + {{- end }} + {{- if .Values.podPriorityClassName }} + priorityClassName: {{ .Values.podPriorityClassName }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if eq .Values.driver.kind "gvisor" }} + hostNetwork: true + hostPID: true + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "falco.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 8 }} + securityContext: + {{- include "falco.securityContext" . | nindent 8 }} + args: + - /usr/bin/falco + {{- include "falco.configSyscallSource" . 
| indent 8 }} + {{- with .Values.collectors }} + {{- if .enabled }} + {{- if .containerd.enabled }} + - --cri + - /run/containerd/containerd.sock + {{- end }} + {{- if .crio.enabled }} + - --cri + - /run/crio/crio.sock + {{- end }} + - -pk + {{- end }} + {{- end }} + {{- with .Values.extra.args }} + {{- toYaml . | nindent 8 }} + {{- end }} + env: + - name: FALCO_K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.extra.env }} + {{- include "falco.renderTemplate" ( dict "value" .Values.extra.env "context" $) | nindent 8 }} + {{- end }} + tty: {{ .Values.tty }} + {{- if .Values.falco.webserver.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.healthChecks.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.healthChecks.livenessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.healthChecks.livenessProbe.periodSeconds }} + httpGet: + path: {{ .Values.falco.webserver.k8s_healthz_endpoint }} + port: {{ .Values.falco.webserver.listen_port }} + {{- if .Values.falco.webserver.ssl_enabled }} + scheme: HTTPS + {{- end }} + readinessProbe: + initialDelaySeconds: {{ .Values.healthChecks.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.healthChecks.readinessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.healthChecks.readinessProbe.periodSeconds }} + httpGet: + path: {{ .Values.falco.webserver.k8s_healthz_endpoint }} + port: {{ .Values.falco.webserver.listen_port }} + {{- if .Values.falco.webserver.ssl_enabled }} + scheme: HTTPS + {{- end }} + {{- end }} + volumeMounts: + {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }} + {{- if has "rulesfile" .Values.falcoctl.config.artifact.allowedTypes }} + - mountPath: /etc/falco + name: rulesfiles-install-dir + {{- end }} + {{- if has "plugin" .Values.falcoctl.config.artifact.allowedTypes }} + - mountPath: /usr/share/falco/plugins + name: plugins-install-dir + {{- end }} + {{- end }} + - mountPath: /root/.falco + 
name: root-falco-fs + {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }} + - mountPath: /host/proc + name: proc-fs + {{- end }} + {{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }} + readOnly: true + - mountPath: /host/boot + name: boot-fs + readOnly: true + - mountPath: /host/lib/modules + name: lib-modules + - mountPath: /host/usr + name: usr-fs + readOnly: true + {{- end }} + {{- if .Values.driver.enabled }} + - mountPath: /host/etc + name: etc-fs + readOnly: true + {{- end -}} + {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }} + - mountPath: /host/dev + name: dev-fs + readOnly: true + - name: sys-fs + mountPath: /sys/module/falco + {{- end }} + {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }} + - name: debugfs + mountPath: /sys/kernel/debug + {{- end }} + {{- with .Values.collectors }} + {{- if .enabled }} + {{- if .docker.enabled }} + - mountPath: /host/var/run/docker.sock + name: docker-socket + {{- end }} + {{- if .containerd.enabled }} + - mountPath: /host/run/containerd/containerd.sock + name: containerd-socket + {{- end }} + {{- if .crio.enabled }} + - mountPath: /host/run/crio/crio.sock + name: crio-socket + {{- end }} + {{- end }} + {{- end }} + - mountPath: /etc/falco/falco.yaml + name: falco-yaml + subPath: falco.yaml + {{- if .Values.customRules }} + - mountPath: /etc/falco/rules.d + name: rules-volume + {{- end }} + {{- if or .Values.certs.existingSecret (and .Values.certs.server.key .Values.certs.server.crt .Values.certs.ca.crt) }} + - mountPath: /etc/falco/certs + name: certs-volume + readOnly: true + {{- end }} + {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }} + - mountPath: /etc/falco/certs/client + name: client-certs-volume + readOnly: true + {{- end }} + {{- include "falco.unixSocketVolumeMount" . 
| nindent 8 -}} + {{- with .Values.mounts.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if eq .Values.driver.kind "gvisor" }} + - mountPath: /usr/local/bin/runsc + name: runsc-path + readOnly: true + - mountPath: /host{{ .Values.driver.gvisor.runsc.root }} + name: runsc-root + - mountPath: /host{{ .Values.driver.gvisor.runsc.config }} + name: runsc-config + - mountPath: /gvisor-config + name: falco-gvisor-config + {{- end }} + {{- if .Values.falcoctl.artifact.follow.enabled }} + {{- include "falcoctl.sidecar" . | nindent 4 }} + {{- end }} + initContainers: + {{- with .Values.extra.initContainers }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if eq .Values.driver.kind "gvisor" }} + {{- include "falco.gvisor.initContainer" . | nindent 4 }} + {{- end }} + {{- if eq (include "driverLoader.enabled" .) "true" }} + {{- include "falco.driverLoader.initContainer" . | nindent 4 }} + {{- end }} + {{- if .Values.falcoctl.artifact.install.enabled }} + {{- include "falcoctl.initContainer" . 
| nindent 4 }} + {{- end }} + volumes: + {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }} + - name: plugins-install-dir + emptyDir: {} + - name: rulesfiles-install-dir + emptyDir: {} + {{- end }} + - name: root-falco-fs + emptyDir: {} + {{- if .Values.driver.enabled }} + - name: boot-fs + hostPath: + path: /boot + - name: lib-modules + hostPath: + path: /lib/modules + - name: usr-fs + hostPath: + path: /usr + - name: etc-fs + hostPath: + path: /etc + {{- end }} + {{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }} + - name: dev-fs + hostPath: + path: /dev + - name: sys-fs + hostPath: + path: /sys/module/falco + {{- end }} + {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }} + - name: debugfs + hostPath: + path: /sys/kernel/debug + {{- end }} + {{- with .Values.collectors }} + {{- if .enabled }} + {{- if .docker.enabled }} + - name: docker-socket + hostPath: + path: {{ .docker.socket }} + {{- end }} + {{- if .containerd.enabled }} + - name: containerd-socket + hostPath: + path: {{ .containerd.socket }} + {{- end }} + {{- if .crio.enabled }} + - name: crio-socket + hostPath: + path: {{ .crio.socket }} + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }} + - name: proc-fs + hostPath: + path: /proc + {{- end }} + {{- if eq .Values.driver.kind "gvisor" }} + - name: runsc-path + hostPath: + path: {{ .Values.driver.gvisor.runsc.path }}/runsc + type: File + - name: runsc-root + hostPath: + path: {{ .Values.driver.gvisor.runsc.root }} + - name: runsc-config + hostPath: + path: {{ .Values.driver.gvisor.runsc.config }} + type: File + - name: falco-gvisor-config + emptyDir: {} + {{- end }} + - name: falcoctl-config-volume + configMap: + name: {{ include "falco.fullname" . 
}}-falcoctl + items: + - key: falcoctl.yaml + path: falcoctl.yaml + - name: falco-yaml + configMap: + name: {{ include "falco.fullname" . }} + items: + - key: falco.yaml + path: falco.yaml + {{- if .Values.customRules }} + - name: rules-volume + configMap: + name: {{ include "falco.fullname" . }}-rules + {{- end }} + {{- if or .Values.certs.existingSecret (and .Values.certs.server.key .Values.certs.server.crt .Values.certs.ca.crt) }} + - name: certs-volume + secret: + {{- if .Values.certs.existingSecret }} + secretName: {{ .Values.certs.existingSecret }} + {{- else }} + secretName: {{ include "falco.fullname" . }}-certs + {{- end }} + {{- end }} + {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }} + - name: client-certs-volume + secret: + {{- if .Values.certs.existingClientSecret }} + secretName: {{ .Values.certs.existingClientSecret }} + {{- else }} + secretName: {{ include "falco.fullname" . }}-client-certs + {{- end }} + {{- end }} + {{- include "falco.unixSocketVolume" . | nindent 4 -}} + {{- with .Values.mounts.volumes }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end -}} + +{{- define "falco.driverLoader.initContainer" -}} +- name: {{ .Chart.Name }}-driver-loader + image: {{ include "falco.driverLoader.image" . }} + imagePullPolicy: {{ .Values.driver.loader.initContainer.image.pullPolicy }} + args: + {{- with .Values.driver.loader.initContainer.args }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if eq .Values.driver.kind "ebpf" }} + - ebpf + {{- end }} + {{- with .Values.driver.loader.initContainer.resources }} + resources: + {{- toYaml . 
| nindent 4 }} + {{- end }} + securityContext: + {{- if .Values.driver.loader.initContainer.securityContext }} + {{- toYaml .Values.driver.loader.initContainer.securityContext | nindent 4 }} + {{- else if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }} + privileged: true + {{- end }} + volumeMounts: + - mountPath: /root/.falco + name: root-falco-fs + - mountPath: /host/proc + name: proc-fs + readOnly: true + - mountPath: /host/boot + name: boot-fs + readOnly: true + - mountPath: /host/lib/modules + name: lib-modules + - mountPath: /host/usr + name: usr-fs + readOnly: true + - mountPath: /host/etc + name: etc-fs + readOnly: true + env: + {{- if .Values.driver.loader.initContainer.env }} + {{- include "falco.renderTemplate" ( dict "value" .Values.driver.loader.initContainer.env "context" $) | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "falco.securityContext" -}} +{{- $securityContext := dict -}} +{{- if .Values.driver.enabled -}} + {{- if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) -}} + {{- $securityContext := set $securityContext "privileged" true -}} + {{- end -}} + {{- if eq .Values.driver.kind "ebpf" -}} + {{- if .Values.driver.ebpf.leastPrivileged -}} + {{- $securityContext := set $securityContext "capabilities" (dict "add" (list "SYS_ADMIN" "SYS_RESOURCE" "SYS_PTRACE")) -}} + {{- else -}} + {{- $securityContext := set $securityContext "privileged" true -}} + {{- end -}} + {{- end -}} + {{- if (or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf")) -}} + {{- if .Values.driver.modernEbpf.leastPrivileged -}} + {{- $securityContext := set $securityContext "capabilities" (dict "add" (list "BPF" "SYS_RESOURCE" "PERFMON" "SYS_PTRACE")) -}} + {{- else -}} + {{- $securityContext := set $securityContext "privileged" true -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if not (empty (.Values.containerSecurityContext)) -}} + {{- toYaml .Values.containerSecurityContext }} +{{- else 
-}} + {{- toYaml $securityContext }} +{{- end -}} +{{- end -}} + + +{{- define "falco.unixSocketVolumeMount" -}} +{{- if and .Values.falco.grpc.enabled .Values.falco.grpc.bind_address (hasPrefix "unix://" .Values.falco.grpc.bind_address) }} +- mountPath: {{ include "falco.unixSocketDir" . }} + name: grpc-socket-dir +{{- end }} +{{- end -}} + +{{- define "falco.unixSocketVolume" -}} +{{- if and .Values.falco.grpc.enabled .Values.falco.grpc.bind_address (hasPrefix "unix://" .Values.falco.grpc.bind_address) }} +- name: grpc-socket-dir + hostPath: + path: {{ include "falco.unixSocketDir" . }} +{{- end }} +{{- end -}} diff --git a/falco/templates/rules-configmap.yaml b/falco/templates/rules-configmap.yaml new file mode 100644 index 0000000..4739bec --- /dev/null +++ b/falco/templates/rules-configmap.yaml @@ -0,0 +1,14 @@ +{{- if .Values.customRules }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "falco.fullname" . }}-rules + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} +data: +{{- range $file, $content := .Values.customRules }} + {{ $file }}: |- +{{ $content | indent 4}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/falco/templates/securitycontextconstraints.yaml b/falco/templates/securitycontextconstraints.yaml new file mode 100644 index 0000000..41c26d4 --- /dev/null +++ b/falco/templates/securitycontextconstraints.yaml 
@@ -0,0 +1,43 @@ +{{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: | + This provides the minimum requirements Falco to run in Openshift. + name: {{ include "falco.serviceAccountName" . }} + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: true +allowHostPID: true +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: [] +allowedUnsafeSysctls: [] +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +groups: [] +priority: 0 +readOnlyRootFilesystem: false +requiredDropCapabilities: [] +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: +- '*' +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:{{ include "falco.namespace" . }}:{{ include "falco.serviceAccountName" . }} +volumes: +- hostPath +- emptyDir +- secret +- configMap +{{- end }} \ No newline at end of file diff --git a/falco/templates/serviceaccount.yaml b/falco/templates/serviceaccount.yaml new file mode 100644 index 0000000..65493eb --- /dev/null +++ b/falco/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ + +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "falco.serviceAccountName" . }} + namespace: {{ include "falco.namespace" . }} + labels: + {{- include "falco.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/falco/templates/services.yaml b/falco/templates/services.yaml new file mode 100644 index 0000000..d105a7d --- /dev/null +++ b/falco/templates/services.yaml 
@@ -0,0 +1,18 @@ +{{- with $dot := . }} +{{- range $service := $dot.Values.services }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falco.fullname" $dot }}-{{ $service.name }} + namespace: {{ include "falco.namespace" $dot }} + labels: + {{- include "falco.labels" $dot | nindent 4 }} +spec: + {{- with $service }} + {{- omit . "name" "selector" | toYaml | nindent 2 }} + {{- end}} + selector: + {{- include "falco.selectorLabels" $dot | nindent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/falco/tests/unit/consts.go b/falco/tests/unit/consts.go new file mode 100644 index 0000000..54c4db5 --- /dev/null +++ b/falco/tests/unit/consts.go @@ -0,0 +1,22 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +const ( + releaseName = "rendered-resources" + patternK8sMetacollectorFiles = `# Source: falco/charts/k8s-metacollector/templates/([^\n]+)` + k8sMetaPluginName = "k8smeta" +) diff --git a/falco/tests/unit/doc.go b/falco/tests/unit/doc.go new file mode 100644 index 0000000..2448558 --- /dev/null +++ b/falco/tests/unit/doc.go 
@@ -0,0 +1,17 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package unit contains the unit tests for the Falco chart. +package unit diff --git a/falco/tests/unit/driverConfig_test.go b/falco/tests/unit/driverConfig_test.go new file mode 100644 index 0000000..91edf9e --- /dev/null +++ b/falco/tests/unit/driverConfig_test.go 
@@ -0,0 +1,302 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "path/filepath" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" +) + +func TestDriverConfigInFalcoConfig(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + testCases := []struct { + name string + values map[string]string + expected func(t *testing.T, config any) + }{ + { + "defaultValues", + nil, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config) + require.NoError(t, err) + require.Equal(t, "kmod", kind) + require.Equal(t, float64(4), bufSizePreset) + require.False(t, dropFailedExit) + }, + }, + { + "kind=kmod", + map[string]string{ + "driver.kind": "kmod", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config) + require.NoError(t, err) + require.Equal(t, "kmod", kind) + require.Equal(t, float64(4), bufSizePreset) + require.False(t, dropFailedExit) + }, + }, + { + "kind=module(alias)", + map[string]string{ + "driver.kind": "module", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should 
have only two items") + kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config) + require.NoError(t, err) + require.Equal(t, "kmod", kind) + require.Equal(t, float64(4), bufSizePreset) + require.False(t, dropFailedExit) + }, + }, + { + "kmod=onfig", + map[string]string{ + "driver.kmod.bufSizePreset": "6", + "driver.kmod.dropFailedExit": "true", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config) + require.NoError(t, err) + require.Equal(t, "kmod", kind) + require.Equal(t, float64(6), bufSizePreset) + require.True(t, dropFailedExit) + }, + }, + { + "kind=ebpf", + map[string]string{ + "driver.kind": "ebpf", + "driver.ebpf.bufSizePreset": "6", + "driver.ebpf.dropFailedExit": "true", + "driver.ebpf.path": "testing/Path/ebpf", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, path, bufSizePreset, dropFailedExit, err := getEbpfConfig(config) + require.NoError(t, err) + require.Equal(t, "ebpf", kind) + require.Equal(t, "testing/Path/ebpf", path) + require.Equal(t, float64(6), bufSizePreset) + require.True(t, dropFailedExit) + }, + }, + { + "ebpf=config", + map[string]string{ + "driver.kind": "ebpf", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, path, bufSizePreset, dropFailedExit, err := getEbpfConfig(config) + require.NoError(t, err) + require.Equal(t, "ebpf", kind) + require.Equal(t, "${HOME}/.falco/falco-bpf.o", path) + require.Equal(t, float64(4), bufSizePreset) + require.False(t, dropFailedExit) + }, + }, + { + "kind=modern_ebpf", + map[string]string{ + "driver.kind": "modern_ebpf", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config) + require.NoError(t, err) + require.Equal(t, "modern_ebpf", 
kind) + require.Equal(t, float64(4), bufSizePreset) + require.Equal(t, float64(2), cpusForEachBuffer) + require.False(t, dropFailedExit) + }, + }, + { + "kind=modern-bpf(alias)", + map[string]string{ + "driver.kind": "modern-bpf", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config) + require.NoError(t, err) + require.Equal(t, "modern_ebpf", kind) + require.Equal(t, float64(4), bufSizePreset) + require.Equal(t, float64(2), cpusForEachBuffer) + require.False(t, dropFailedExit) + }, + }, + { + "modernEbpf=config", + map[string]string{ + "driver.kind": "modern-bpf", + "driver.modernEbpf.bufSizePreset": "6", + "driver.modernEbpf.dropFailedExit": "true", + "driver.modernEbpf.cpusForEachBuffer": "8", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config) + require.NoError(t, err) + require.Equal(t, "modern_ebpf", kind) + require.Equal(t, float64(6), bufSizePreset) + require.Equal(t, float64(8), cpusForEachBuffer) + require.True(t, dropFailedExit) + }, + }, + { + "kind=gvisor", + map[string]string{ + "driver.kind": "gvisor", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, config, root, err := getGvisorConfig(config) + require.NoError(t, err) + require.Equal(t, "gvisor", kind) + require.Equal(t, "/gvisor-config/pod-init.json", config) + require.Equal(t, "/host/run/containerd/runsc/k8s.io", root) + }, + }, + { + "gvisor=config", + map[string]string{ + "driver.kind": "gvisor", + "driver.gvisor.runsc.root": "/my/root/test", + }, + func(t *testing.T, config any) { + require.Len(t, config, 2, "should have only two items") + kind, config, root, err := getGvisorConfig(config) + require.NoError(t, err) + require.Equal(t, "gvisor", kind) + require.Equal(t, 
"/gvisor-config/pod-init.json", config) + require.Equal(t, "/host/my/root/test/k8s.io", root) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + t.Run(testCase.name, func(t *testing.T) { + t.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"}) + + var cm corev1.ConfigMap + helm.UnmarshalK8SYaml(t, output, &cm) + var config map[string]interface{} + + helm.UnmarshalK8SYaml(t, cm.Data["falco.yaml"], &config) + engine := config["engine"] + testCase.expected(t, engine) + }) + } +} + +func TestDriverConfigWithUnsupportedDriver(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + values := map[string]string{ + "driver.kind": "notExisting", + } + options := &helm.Options{SetValues: values} + _, err = helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"}) + require.Error(t, err) + require.True(t, strings.Contains(err.Error(), "unsupported driver kind: \"notExisting\". 
Supported drivers [kmod ebpf modern_ebpf gvisor], alias [module modern-bpf]")) +} + +func getKmodConfig(config interface{}) (kind string, bufSizePreset float64, dropFailedExit bool, err error) { + configMap, ok := config.(map[string]interface{}) + if !ok { + err = fmt.Errorf("can't assert type of config") + return + } + + kind = configMap["kind"].(string) + kmod := configMap["kmod"].(map[string]interface{}) + bufSizePreset = kmod["buf_size_preset"].(float64) + dropFailedExit = kmod["drop_failed_exit"].(bool) + + return +} + +func getEbpfConfig(config interface{}) (kind, path string, bufSizePreset float64, dropFailedExit bool, err error) { + configMap, ok := config.(map[string]interface{}) + if !ok { + err = fmt.Errorf("can't assert type of config") + return + } + + kind = configMap["kind"].(string) + ebpf := configMap["ebpf"].(map[string]interface{}) + bufSizePreset = ebpf["buf_size_preset"].(float64) + dropFailedExit = ebpf["drop_failed_exit"].(bool) + path = ebpf["probe"].(string) + + return +} + +func getModernEbpfConfig(config interface{}) (kind string, bufSizePreset, cpusForEachBuffer float64, dropFailedExit bool, err error) { + configMap, ok := config.(map[string]interface{}) + if !ok { + err = fmt.Errorf("can't assert type of config") + return + } + + kind = configMap["kind"].(string) + modernEbpf := configMap["modern_ebpf"].(map[string]interface{}) + bufSizePreset = modernEbpf["buf_size_preset"].(float64) + dropFailedExit = modernEbpf["drop_failed_exit"].(bool) + cpusForEachBuffer = modernEbpf["cpus_for_each_buffer"].(float64) + + return +} + +func getGvisorConfig(cfg interface{}) (kind, config, root string, err error) { + configMap, ok := cfg.(map[string]interface{}) + if !ok { + err = fmt.Errorf("can't assert type of config") + return + } + + kind = configMap["kind"].(string) + gvisor := configMap["gvisor"].(map[string]interface{}) + config = gvisor["config"].(string) + root = gvisor["root"].(string) + + return +} 
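Review bot: the test case named `"kmod=onfig"` is a typo for `"kmod=config"` (its siblings are `"ebpf=config"`, `"modernEbpf=config"` and `"gvisor=config"`), and because the name is what `t.Run` reports it is worth fixing before merge. In the `kind=gvisor` and `gvisor=config` cases, `kind, config, root, err := getGvisorConfig(config)` does not declare a new `config`: the closure's `config any` parameter is in the same scope, so the returned string is assigned into it; this compiles and the `require.Equal` still passes, but it is easy to misread, so name the result something like `gvisorConfigPath`. The `getKmodConfig`/`getEbpfConfig`/`getModernEbpfConfig`/`getGvisorConfig` helpers only return an error for the outer `config.(map[string]interface{})` assertion; the unchecked `configMap["kind"].(string)` and `kmod["buf_size_preset"].(float64)` assertions panic on a missing or mistyped key, which turns a wrong render into a crashed test binary rather than a failing case. Use the two-value form (`v, ok := ...`) and return an error, so a regression in `falco.engineConfiguration` shows up as a readable assertion failure.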
diff --git a/falco/tests/unit/driverLoader_test.go b/falco/tests/unit/driverLoader_test.go new file mode 100644 index 0000000..ee7df6e --- /dev/null +++ b/falco/tests/unit/driverLoader_test.go 
@@ -0,0 +1,131 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "path/filepath" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" +) + +// TestDriverLoaderEnabled tests the helper that enables the driver loader based on the configuration. +func TestDriverLoaderEnabled(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + testCases := []struct { + name string + values map[string]string + expected bool + }{ + { + "defaultValues", + nil, + true, + }, + { + "driver.kind=modern-bpf", + map[string]string{ + "driver.kind": "modern-bpf", + }, + false, + }, + { + "driver.kind=modern_ebpf", + map[string]string{ + "driver.kind": "modern_ebpf", + }, + false, + }, + { + "driver.kind=gvisor", + map[string]string{ + "driver.kind": "gvisor", + }, + false, + }, + { + "driver.disabled", + map[string]string{ + "driver.enabled": "false", + }, + false, + }, + { + "driver.loader.disabled", + map[string]string{ + "driver.loader.enabled": "false", + }, + false, + }, + { + "driver.kind=kmod", + map[string]string{ + "driver.kind": "kmod", + }, + true, + }, + { + "driver.kind=module", + map[string]string{ + "driver.kind": "module", + }, + true, + }, + { + "driver.kind=ebpf", + map[string]string{ + "driver.kind": "ebpf", + }, + true, + }, 
+ { + "driver.kind=kmod&driver.loader.disabled", + map[string]string{ + "driver.kind": "kmod", + "driver.loader.enabled": "false", + }, + false, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + t.Run(testCase.name, func(t *testing.T) { + t.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/daemonset.yaml"}) + + var ds appsv1.DaemonSet + helm.UnmarshalK8SYaml(t, output, &ds) + found := false + for i := range ds.Spec.Template.Spec.InitContainers { + if ds.Spec.Template.Spec.InitContainers[i].Name == "falco-driver-loader" { + found = true + } + } + + require.Equal(t, testCase.expected, found) + }) + } +} diff --git a/falco/tests/unit/k8smetacollectorDependency_test.go b/falco/tests/unit/k8smetacollectorDependency_test.go new file mode 100644 index 0000000..6e886a0 --- /dev/null +++ b/falco/tests/unit/k8smetacollectorDependency_test.go 
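Review bot: minor, in `TestDriverLoaderEnabled` the scan over `ds.Spec.Template.Spec.InitContainers` keeps iterating after `found = true`; add a `break`, or lift the loop into a small `hasInitContainer(ds, name)` helper, since the same lookup by the literal name `falco-driver-loader` will be needed by any other DaemonSet test. The table itself reads well: it covers both the new driver names (`kmod`, `ebpf`, `modern_ebpf`) and the legacy aliases (`module`, `modern-bpf`), the `driver.enabled=false` and `driver.loader.enabled=false` switches, and one combined case; the only thing worth adding is a comment on the `"defaultValues"` row stating that the expected `true` depends on `driver.loader.enabled` defaulting to true in values.yaml, so the reason for that expectation is visible in the test.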
@@ -0,0 +1,520 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "encoding/json" + "fmt" + "path/filepath" + "regexp" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "slices" +) + +const chartPath = "../../" + +// Using the default values we want to test that all the expected resources for the k8s-metacollector are rendered. +func TestRenderedResourcesWithDefaultValues(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + options := &helm.Options{} + // Template the chart using the default values.yaml file. + output, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, nil) + require.NoError(t, err) + + // Extract all rendered files from the output. + re := regexp.MustCompile(patternK8sMetacollectorFiles) + matches := re.FindAllStringSubmatch(output, -1) + require.Len(t, matches, 0) + +} + +func TestRenderedResourcesWhenNotEnabled(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + // Template files that we expect to be rendered. 
+ templateFiles := []string{ + "clusterrole.yaml", + "clusterrolebinding.yaml", + "deployment.yaml", + "service.yaml", + "serviceaccount.yaml", + } + + require.NoError(t, err) + + options := &helm.Options{SetValues: map[string]string{ + "collectors.kubernetes.enabled": "true", + }} + + // Template the chart using the default values.yaml file. + output, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, nil) + require.NoError(t, err) + + // Extract all rendered files from the output. + re := regexp.MustCompile(patternK8sMetacollectorFiles) + matches := re.FindAllStringSubmatch(output, -1) + + var renderedTemplates []string + for _, match := range matches { + // Filter out test templates. + if !strings.Contains(match[1], "test-") { + renderedTemplates = append(renderedTemplates, match[1]) + } + } + + // Assert that the rendered resources are equal tho the expected ones. + require.Equal(t, len(renderedTemplates), len(templateFiles), "should be equal") + + for _, rendered := range renderedTemplates { + require.True(t, slices.Contains(templateFiles, rendered), "template files should contain all the rendered files") + } +} + +func TestPluginConfigurationInFalcoConfig(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + testCases := []struct { + name string + values map[string]string + expected func(t *testing.T, config any) + }{ + { + "defaultValues", + nil, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. 
+ nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + { + "overrideK8s-metacollectorNamespace", + map[string]string{ + "k8s-metacollector.namespaceOverride": "test", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. + nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.test.svc", releaseName), hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + { + "overrideK8s-metacollectorName", + map[string]string{ + "k8s-metacollector.fullnameOverride": "collector", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. 
+ nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, "collector.default.svc", hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + + { + "overrideK8s-metacollectorNamespaceAndName", + map[string]string{ + "k8s-metacollector.namespaceOverride": "test", + "k8s-metacollector.fullnameOverride": "collector", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. + nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, "collector.test.svc", hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + { + "set CollectorHostname", + map[string]string{ + "collectors.kubernetes.collectorHostname": "test", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. 
+ nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, "test", hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + + { + "set CollectorHostname and namespace name", + map[string]string{ + "collectors.kubernetes.collectorHostname": "test-with-override", + "k8s-metacollector.namespaceOverride": "test", + "k8s-metacollector.fullnameOverride": "collector", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. + nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, "test-with-override", hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + + { + "set collectorPort", + map[string]string{ + "collectors.kubernetes.collectorPort": "8888", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(8888), port.(float64)) + // Check that the collector nodeName is correctly set. 
+ nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) + + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + { + "drive disabled", + map[string]string{ + "driver.enabled": "false", + }, + func(t *testing.T, config any) { + require.Nil(t, config) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + t.Run(testCase.name, func(t *testing.T) { + t.Parallel() + + // Enable the collector. + if testCase.values != nil { + testCase.values["collectors.kubernetes.enabled"] = "true" + } else { + testCase.values = map[string]string{"collectors.kubernetes.enabled": "true"} + } + + options := &helm.Options{SetValues: testCase.values} + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"}) + + var cm corev1.ConfigMap + helm.UnmarshalK8SYaml(t, output, &cm) + var config map[string]interface{} + + helm.UnmarshalK8SYaml(t, cm.Data["falco.yaml"], &config) + plugins := config["plugins"] + pluginsArray := plugins.([]interface{}) + found := false + // Find the k8smeta plugin configuration. + for _, plugin := range pluginsArray { + if name, ok := plugin.(map[string]interface{})["name"]; ok && name == k8sMetaPluginName { + testCase.expected(t, plugin) + found = true + } + } + if found { + // Check that the plugin has been added to the ones that need to be loaded. 
+ loadplugins := config["load_plugins"] + require.True(t, slices.Contains(loadplugins.([]interface{}), k8sMetaPluginName)) + } else { + testCase.expected(t, nil) + loadplugins := config["load_plugins"] + require.True(t, !slices.Contains(loadplugins.([]interface{}), k8sMetaPluginName)) + } + }) + } +} + +// Test that the helper does not overwrite user's configuration. +func TestPluginConfigurationUniqueEntries(t *testing.T) { + t.Parallel() + + pluginsJSON := `[ + { + "init_config": null, + "library_path": "libk8saudit.so", + "name": "k8saudit", + "open_params": "http://:9765/k8s-audit" + }, + { + "library_path": "libcloudtrail.so", + "name": "cloudtrail" + }, + { + "init_config": "", + "library_path": "libjson.so", + "name": "json" + }, + { + "init_config": { + "collectorHostname": "rendered-resources-k8s-metacollector.default.svc", + "collectorPort": 45000, + "nodeName": "${FALCO_K8S_NODE_NAME}" + }, + "library_path": "libk8smeta.so", + "name": "k8smeta" + } +]` + + loadPluginsJSON := `[ + "k8smeta", + "k8saudit" +]` + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + options := &helm.Options{SetJsonValues: map[string]string{ + "falco.plugins": pluginsJSON, + "falco.load_plugins": loadPluginsJSON, + }, SetValues: map[string]string{"collectors.kubernetes.enabled": "true"}} + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"}) + + var cm corev1.ConfigMap + helm.UnmarshalK8SYaml(t, output, &cm) + var config map[string]interface{} + + helm.UnmarshalK8SYaml(t, cm.Data["falco.yaml"], &config) + plugins := config["plugins"] + + out, err := json.MarshalIndent(plugins, "", " ") + require.NoError(t, err) + require.Equal(t, pluginsJSON, string(out)) + pluginsArray := plugins.([]interface{}) + // Find the k8smeta plugin configuration. 
+ numConfigK8smeta := 0 + for _, plugin := range pluginsArray { + if name, ok := plugin.(map[string]interface{})["name"]; ok && name == k8sMetaPluginName { + numConfigK8smeta++ + } + } + + require.Equal(t, 1, numConfigK8smeta) + + // Check that the plugin has been added to the ones that need to be loaded. + loadplugins := config["load_plugins"] + require.Len(t, loadplugins.([]interface{}), 2) + require.True(t, slices.Contains(loadplugins.([]interface{}), k8sMetaPluginName)) +} + +// Test that the helper does not overwrite user's configuration. +func TestFalcoctlRefs(t *testing.T) { + t.Parallel() + + pluginsJSON := `[ + { + "init_config": null, + "library_path": "libk8saudit.so", + "name": "k8saudit", + "open_params": "http://:9765/k8s-audit" + }, + { + "library_path": "libcloudtrail.so", + "name": "cloudtrail" + }, + { + "init_config": "", + "library_path": "libjson.so", + "name": "json" + }, + { + "init_config": { + "collectorHostname": "rendered-resources-k8s-metacollector.default.svc", + "collectorPort": 45000, + "nodeName": "${FALCO_K8S_NODE_NAME}" + }, + "library_path": "libk8smeta.so", + "name": "k8smeta" + } + ]` + + testFunc := func(t *testing.T, config any) { + // Get artifact configuration map. + configMap := config.(map[string]interface{}) + artifactConfig := (configMap["artifact"]).(map[string]interface{}) + // Test allowed types. + allowedTypes := artifactConfig["allowedTypes"] + require.Len(t, allowedTypes, 2) + require.True(t, slices.Contains(allowedTypes.([]interface{}), "plugin")) + require.True(t, slices.Contains(allowedTypes.([]interface{}), "rulesfile")) + // Test plugin reference. 
+ refs := artifactConfig["install"].(map[string]interface{})["refs"].([]interface{}) + require.Len(t, refs, 2) + require.True(t, slices.Contains(refs, "falco-rules:3")) + require.True(t, slices.Contains(refs, "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0")) + } + + testCases := []struct { + name string + valuesJSON map[string]string + expected func(t *testing.T, config any) + }{ + { + "defaultValues", + nil, + testFunc, + }, + { + "setPluginConfiguration", + map[string]string{ + "falco.plugins": pluginsJSON, + }, + testFunc, + }, + { + "driver disabled", + map[string]string{ + "driver.enabled": "false", + }, + func(t *testing.T, config any) { + // Get artifact configuration map. + configMap := config.(map[string]interface{}) + artifactConfig := (configMap["artifact"]).(map[string]interface{}) + // Test plugin reference. + refs := artifactConfig["install"].(map[string]interface{})["refs"].([]interface{}) + require.True(t, !slices.Contains(refs, "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0")) + }, + }, + } + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + for _, testCase := range testCases { + testCase := testCase + + t.Run(testCase.name, func(t *testing.T) { + t.Parallel() + + options := &helm.Options{SetJsonValues: testCase.valuesJSON, SetValues: map[string]string{"collectors.kubernetes.enabled": "true"}} + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/falcoctl-configmap.yaml"}) + + var cm corev1.ConfigMap + helm.UnmarshalK8SYaml(t, output, &cm) + var config map[string]interface{} + helm.UnmarshalK8SYaml(t, cm.Data["falcoctl.yaml"], &config) + testCase.expected(t, config) + }) + } +} diff --git a/falco/tests/unit/serviceAccount_test.go b/falco/tests/unit/serviceAccount_test.go new file mode 100644 index 0000000..d41f9cb --- /dev/null +++ b/falco/tests/unit/serviceAccount_test.go 
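Review bot: `TestRenderedResourcesWhenNotEnabled` sets `collectors.kubernetes.enabled: true` and expects the five collector templates to render, so its name states the opposite of what it checks; rename it (e.g. `TestRenderedResourcesWhenEnabled`) and drop the duplicated `require.NoError(t, err)` that precedes `options`. In the same function `require.Equal(t, len(renderedTemplates), len(templateFiles), "should be equal")` has testify's expected/actual order swapped, so the failure message reads backwards. The constants `patternK8sMetacollectorFiles`, `releaseName` and `k8sMetaPluginName` are used throughout this file but are not defined in any file of this diff, while `chartPath` is defined here; either define them next to `chartPath` or point to the file that declares them so the package compiles on its own. The test-case name `"drive disabled"` in `TestPluginConfigurationInFalcoConfig` should read `"driver disabled"`. `TestFalcoctlRefs` carries the comment "Test that the helper does not overwrite user's configuration." copied from `TestPluginConfigurationUniqueEntries`, but what it verifies is `allowedTypes` and the `install.refs` list; update the comment, and note that pinning `ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0` and `falco-rules:3` means every bump of the default plugin or rules version in values.yaml will require editing this test, so matching on the `k8smeta:` prefix or reading the expected ref from the chart values would be more robust. Style: `"slices"` sits after the `k8s.io` imports; move it into the standard-library group.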
@@ -0,0 +1,59 @@ +package unit + +import ( + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "path/filepath" + "strings" + "testing" +) + +func TestServiceAccount(t *testing.T) { + t.Parallel() + + helmChartPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + testCases := []struct { + name string + values map[string]string + expected func(t *testing.T, sa *corev1.ServiceAccount) + }{ + { + "defaultValues", + nil, + func(t *testing.T, sa *corev1.ServiceAccount) { + require.Equal(t, sa.Name, "") + }, + }, + { + "kind=kmod", + map[string]string{ + "serviceAccount.create": "true", + }, + func(t *testing.T, sa *corev1.ServiceAccount) { + require.Equal(t, sa.Name, "rendered-resources-falco") + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + t.Run(testCase.name, func(t *testing.T) { + t.Parallel() + + options := &helm.Options{SetValues: testCase.values} + output, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/serviceaccount.yaml"}) + if err != nil { + require.True(t, strings.Contains(err.Error(), "Error: could not find template templates/serviceaccount.yaml in chart")) + } + + var sa corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &sa) + + testCase.expected(t, &sa) + }) + } +} diff --git a/falco/values-gvisor-gke.yaml b/falco/values-gvisor-gke.yaml new file mode 100644 index 0000000..d38f762 --- /dev/null +++ b/falco/values-gvisor-gke.yaml 
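Review bot: the error branch in `TestServiceAccount` needs a `return`. For the `"defaultValues"` case (`serviceAccount.create` is false by default) `RenderTemplateE` fails with "could not find template templates/serviceaccount.yaml in chart", the test asserts on that message and then falls through to `helm.UnmarshalK8SYaml(t, output, &sa)` on an empty `output` and to the `sa.Name == ""` check, so the case passes by accident of an empty struct rather than by the assertion that matters; make the table carry an `expectErr bool` (or similar) and check the error explicitly, and return before unmarshalling. The second case is named `"kind=kmod"` but sets `serviceAccount.create=true`, a copy-paste leftover; rename it. The expected name `rendered-resources-falco` hard-codes the value of `releaseName` that the other tests build with `fmt.Sprintf("%s-...", releaseName)`; do the same here. Two smaller points: this file is the only new test file without the SPDX and copyright header the other three carry, and `require.Equal(t, sa.Name, "")` has the expected/actual order swapped.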
@@ -0,0 +1,63 @@ +# Default values to deploy Falco on GKE with gVisor. + +# Affinity constraint for pods' scheduling. +# Needed to deploy Falco on the gVisor enabled nodes. +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: sandbox.gke.io/runtime + operator: In + values: + - gvisor + +# Tolerations to allow Falco to run on Kubernetes 1.6 masters. +# Adds the neccesssary tolerations to allow Falco pods to be scheduled on the gVisor enabled nodes. +tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: sandbox.gke.io/runtime + operator: Equal + value: gvisor + +# Enable gVisor and set the appropriate paths. +driver: + enabled: true + kind: gvisor + gvisor: + runsc: + path: /home/containerd/usr/local/sbin + root: /run/containerd/runsc + config: /run/containerd/runsc/config.toml + +# Enable the containerd collector to enrich the syscall events with metadata. +collectors: + enabled: true + containerd: + enabled: true + socket: /run/containerd/containerd.sock + +falcoctl: + artifact: + install: + # -- Enable the init container. We do not recommend installing plugins for security reasons since they are executable objects. + # We install only "rulesfiles". + enabled: true + follow: + # -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules. + enabled: true + config: + artifact: + install: + # -- List of artifacts to be installed by the falcoctl init container. + # We do not recommend installing (or following) plugins for security reasons since they are executable objects. + refs: [falco-rules:3] + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. + # We do not recommend installing (or following) plugins for security reasons since they are executable objects. 
+ refs: [falco-rules:3] + +# Set this to true to force Falco so output the logs as soon as they are emmitted. +tty: false diff --git a/falco/values-k8saudit.yaml b/falco/values-k8saudit.yaml new file mode 100644 index 0000000..21d9323 --- /dev/null +++ b/falco/values-k8saudit.yaml @@ -0,0 +1,59 @@ +# -- Disable the drivers since we want to deploy only the k8saudit plugin. +driver: + enabled: false + +# -- Disable the collectors, no syscall events to enrich with metadata. +collectors: + enabled: false + +# -- Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale. +controller: + kind: deployment + deployment: + # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. + # For more info check the section on Plugins in the README.md file. + replicas: 1 + + +falcoctl: + artifact: + install: + # -- Enable the init container. + enabled: true + follow: + # -- Enable the sidecar container. + enabled: true + config: + artifact: + install: + # -- List of artifacts to be installed by the falcoctl init container. + refs: [k8saudit-rules:0.7] + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. + refs: [k8saudit-rules:0.7] + +services: + - name: k8saudit-webhook + type: NodePort + ports: + - port: 9765 # See plugin open_params + nodePort: 30007 + protocol: TCP + +falco: + rules_file: + - /etc/falco/k8s_audit_rules.yaml + - /etc/falco/rules.d + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: + "" + # maxEventBytes: 1048576 + # sslCertificate: /etc/falco/falco.pem + open_params: "http://:9765/k8s-audit" + - name: json + library_path: libjson.so + init_config: "" + # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container. + load_plugins: [k8saudit, json] 
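Review bot: in values-gvisor-gke.yaml the comments need a spelling pass (`neccesssary` for necessary, `emmitted` for emitted, "force Falco so output the logs" for "to output"), and "Tolerations to allow Falco to run on Kubernetes 1.6 masters" is stale; the comment should say what the two tolerations are for (the master taint and the `sandbox.gke.io/runtime=gvisor` taint on the sandboxed node pool), which the second toleration makes clear already. In values-k8saudit.yaml, `configurabale` should read configurable, and the sentence "One instance of Falco is enough. Anyway the number of replicas is configurabale." would be clearer as one statement. More substantively, the `k8saudit-webhook` service exposes the audit endpoint on every node as NodePort 30007 while `open_params: "http://:9765/k8s-audit"` serves it over plain HTTP and `sslCertificate` is left commented out; since the API server posts the full audit payload to this endpoint, the comment next to `# sslCertificate: /etc/falco/falco.pem` should say how to enable it, and the file should mention restricting who can reach the NodePort. Lastly, the comment on `load_plugins: [k8saudit, json]` says "the same plugins are installed by the falcoctl-artifact-install init container", but the `refs` in this file list only `k8saudit-rules:0.7`; either add the plugin refs or reword the comment to say the plugins ship in the image.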
diff --git a/falco/values-syscall-k8saudit.yaml b/falco/values-syscall-k8saudit.yaml new file mode 100644 index 0000000..91dcdbd --- /dev/null +++ b/falco/values-syscall-k8saudit.yaml 
@@ -0,0 +1,62 @@ +# Enable the driver, and choose between the kernel module or the ebpf probe. +# Default value: kernel module. +driver: + enabled: true + kind: module + +# Enable the collectors used to enrich the events with metadata. +# Check the values.yaml file for fine-grained options. +collectors: + enabled: true + +# We set the controller to daemonset since we have the syscalls source enabled. +# It will ensure that every node on our cluster will be monitored by Falco. +# Please note that the api-server will use the "k8saudit-webhook" service to send +# audit logs to the falco instances. That means that when we have multiple instances of Falco +# we can not predict to which instance the audit logs will be sent. When testing please check all +# the Falco instance to make sure that at least one of them have received the audit logs. +controller: + kind: daemonset + +falcoctl: + artifact: + install: + # -- Enable the init container. + enabled: true + follow: + # -- Enable the sidecar container. + enabled: true + config: + artifact: + install: + # -- List of artifacts to be installed by the falcoctl init container. + refs: [falco-rules:3, k8saudit-rules:0.7] + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. + refs: [falco-rules:3, k8saudit-rules:0.7] + +services: + - name: k8saudit-webhook + type: NodePort + ports: + - port: 9765 # See plugin open_params + nodePort: 30007 + protocol: TCP + +falco: + rules_file: + - /etc/falco/falco_rules.yaml + - /etc/falco/k8s_audit_rules.yaml + - /etc/falco/rules.d + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: + "" + # maxEventBytes: 1048576 + # sslCertificate: /etc/falco/falco.pem + open_params: "http://:9765/k8s-audit" + - name: json + library_path: libjson.so + init_config: "" + load_plugins: [k8saudit, json] diff --git a/falco/values.home.yaml b/falco/values.home.yaml new file mode 100644 index 0000000..0ea2293 --- /dev/null +++ b/falco/values.home.yaml 
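Review bot: `kind: module` in values-syscall-k8saudit.yaml uses the legacy alias; the validation message tested in driverConfig_test.go accepts it only via `alias [module modern-bpf]`, and the driver comments in values.home.yaml list the supported names as `kmod`, `ebpf` and `modern_ebpf`. Example values shipped with the chart should use the canonical `kind: kmod`, and the header comment "choose between the kernel module or the ebpf probe" should also list `modern_ebpf`. Grammar in the controller comment: "check all the Falco instance to make sure that at least one of them have received the audit logs" should read "check all the Falco instances to make sure that at least one of them has received the audit logs". As in values-k8saudit.yaml, the `k8saudit-webhook` NodePort (30007) fronts `open_params: "http://:9765/k8s-audit"` with `sslCertificate` commented out; the file should document how to enable TLS for the webhook rather than leaving it as an unexplained commented-out key.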
@@ -0,0 +1,1298 @@ +# Default values for Falco. + +############################### +# General deployment settings # +############################### + +image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from + repository: falcosecurity/falco-no-driver + # -- The image tag to pull. Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Secrets containing credentials when pulling from private/secure registries. +imagePullSecrets: [] +# -- Put here the new name if you want to override the release name used for Falco components. +nameOverride: "" +# -- Same as nameOverride but for the fullname. +fullnameOverride: "" +# -- Override the deployment namespace +namespaceOverride: "" + +# -- Add additional pod annotations +podAnnotations: {} + +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# -- Add additional pod labels +podLabels: {} + +# -- Set pod priorityClassName +podPriorityClassName: + +# -- Set securityContext for the pods +# These security settings are overriden by the ones specified for the specific +# containers when there is overlap. +podSecurityContext: {} + +# Note that `containerSecurityContext`: +# - will not apply to init containers, if any; +# - takes precedence over other automatic configurations (see below). 
+# +# Based on the `driver` configuration the auto generated settings are: +# 1) driver.enabled = false: +# securityContext: {} +# +# 2) driver.enabled = true and (driver.kind = module || driver.kind = modern-bpf): +# securityContext: +# privileged: true +# +# 3) driver.enabled = true and driver.kind = ebpf: +# securityContext: +# privileged: true +# +# 4) driver.enabled = true and driver.kind = ebpf and driver.ebpf.leastPrivileged = true +# securityContext: +# capabilities: +# add: +# - BPF +# - SYS_RESOURCE +# - PERFMON +# - SYS_PTRACE +# +# -- Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl" +containerSecurityContext: {} + +scc: + # -- Create OpenShift's Security Context Constraint. + create: true + +resources: + # -- Although resources needed are subjective on the actual workload we provide + # a sane defaults ones. If you have more questions or concerns, please refer + # to #falco slack channel for more info about it. + requests: + cpu: 100m + memory: 512Mi + # -- Maximum amount of resources that Falco container could get. + # If you are enabling more than one source in falco, than consider to increase + # the cpu limits. + limits: + cpu: 1000m + memory: 1024Mi +# -- Selectors used to deploy Falco on a given node/nodes. +nodeSelector: {} + +# -- Affinity constraint for pods' scheduling. +affinity: {} + +# -- Tolerations to allow Falco to run on Kubernetes masters. +tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + +# -- Parameters used +healthChecks: + livenessProbe: + # -- Tells the kubelet that it should wait X seconds before performing the first probe. + initialDelaySeconds: 60 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + # -- Specifies that the kubelet should perform the check every x seconds. 
+ periodSeconds: 15 + readinessProbe: + # -- Tells the kubelet that it should wait X seconds before performing the first probe. + initialDelaySeconds: 30 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + # -- Specifies that the kubelet should perform the check every x seconds. + periodSeconds: 15 + +# -- Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. +# Set it to "true" when you need the Falco logs to be immediately displayed. +tty: false + +######################### +# Scenario requirements # +######################### + +# Sensors dislocation configuration (scenario requirement) +controller: + # Available options: deployment, daemonset. + kind: daemonset + # Annotations to add to the daemonset or deployment + annotations: {} + daemonset: + updateStrategy: + # You can also customize maxUnavailable or minReadySeconds if you + # need it + # -- Perform rolling updates by default in the DaemonSet agent + # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + type: RollingUpdate + deployment: + # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. + # For more info check the section on Plugins in the README.md file. + replicas: 1 + # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 + +# -- Network services configuration (scenario requirement) +# Add here your services to be deployed together with Falco. +services: + # Example configuration for the "k8sauditlog" plugin + # - name: k8saudit-webhook + # type: NodePort + # ports: + # - port: 9765 # See plugin open_params + # nodePort: 30007 + # protocol: TCP + +# File access configuration (scenario requirement) +mounts: + # -- A list of volumes you want to add to the Falco pods. + volumes: [] + # -- A list of volumes you want to add to the Falco pods. 
+ volumeMounts: [] + # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). + enforceProcMount: false + +# Driver settings (scenario requirement) +driver: + # -- Set it to false if you want to deploy Falco without the drivers. + # Always set it to false when using Falco with plugins. + enabled: true + # -- kind tells Falco which driver to use. Available options: kmod (kernel driver), ebpf (eBPF probe), modern_ebpf (modern eBPF probe). + kind: kmod + # -- kmod holds the configuration for the kernel module. + kmod: + # -- bufSizePreset determines the size of the shared space between Falco and its drivers. + # This shared space serves as a temporary storage for syscall events. + bufSizePreset: 4 + # -- dropFailedExit if set true drops failed system call exit events before pushing them to userspace. + dropFailedExit: false + # -- Configuration section for ebpf driver. + ebpf: + # -- path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init + # container deployed with the chart. + path: "${HOME}/.falco/falco-bpf.o" + # -- Needed to enable eBPF JIT at runtime for performance reasons. + # Can be skipped if eBPF JIT is enabled from outside the container + hostNetwork: false + # -- Constrain Falco with capabilities instead of running a privileged container. + # Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). + # Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. + # On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. 
+ # Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. + # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 + leastPrivileged: false + # -- bufSizePreset determines the size of the shared space between Falco and its drivers. + # This shared space serves as a temporary storage for syscall events. + bufSizePreset: 4 + # -- dropFailedExit if set true drops failed system call exit events before pushing them to userspace. + dropFailedExit: false + modernEbpf: + # -- Constrain Falco with capabilities instead of running a privileged container. + # Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). + # Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. + # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 + leastPrivileged: false + # -- bufSizePreset determines the size of the shared space between Falco and its drivers. + # This shared space serves as a temporary storage for syscall events. + bufSizePreset: 4 + # -- dropFailedExit if set true drops failed system call exit events before pushing them to userspace. + dropFailedExit: false + # -- cpusForEachBuffer is the index that controls how many CPUs to assign to a single syscall buffer. + cpusForEachBuffer: 2 + + # -- Gvisor configuration. Based on your system you need to set the appropriate values. + # Please, remember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes. + gvisor: + # -- Runsc container runtime configuration. Falco needs to interact with it in order to intercept the activity of the sandboxed pods. + runsc: + # -- Absolute path of the `runsc` binary in the k8s nodes. 
+ path: /home/containerd/usr/local/sbin + # -- Absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it; + root: /run/containerd/runsc + # -- Absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence. + config: /run/containerd/runsc/config.toml + + # -- Configuration for the Falco init container. + loader: + # -- Enable/disable the init container. + enabled: true + initContainer: + image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from. + repository: falcosecurity/falco-driver-loader + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + # -- Extra environment variables that will be pass onto Falco driver loader init container. + env: [] + # -- Arguments to pass to the Falco driver loader init container. + args: [] + # -- Resources requests and limits for the Falco driver loader init container. + resources: {} + # -- Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`. + securityContext: {} + +# Collectors for data enrichment (scenario requirement) +collectors: + # -- Enable/disable all the metadata collectors. + enabled: true + + docker: + # -- Enable Docker support. + enabled: true + # -- The path of the Docker daemon socket. + socket: /var/run/docker.sock + + containerd: + # -- Enable ContainerD support. + enabled: true + # -- The path of the ContainerD socket. + socket: /run/containerd/containerd.sock + + crio: + # -- Enable CRI-O support. + enabled: true + # -- The path of the CRI-O socket. + socket: /run/crio/crio.sock + + # -- kubernetes holds the configuration for the kubernetes collector. 
Starting from version 0.37.0 of Falco, the legacy + # kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed + # to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 + kubernetes: + # -- enabled specifies whether the Kubernetes metadata should be collected using the k8smeta plugin and the k8s-metacollector component. + # It will deploy the k8s-metacollector external component that fetches Kubernetes metadata and pushes them to Falco instances. + # For more info see: + # https://github.com/falcosecurity/k8s-metacollector + # https://github.com/falcosecurity/charts/tree/master/charts/k8s-metacollector + # When this option is disabled, Falco falls back to the container annotations to grab the metadata. + # In such a case, only the ID, name, namespace, labels of the pod will be available. + enabled: true + # --pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: + # "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. + pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0" + # -- collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match + # k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override + # it, make sure to set here the address of the k8s-metacollector. + # It is used by the k8smeta plugin to connect to the k8s-metacollector. + collectorHostname: "" + # -- collectorPort designates the port on which the k8s-metacollector gRPC service listens. If not specified + # the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. + # It is used by the k8smeta plugin to connect to the k8s-metacollector. 
+ collectorPort: "" + + +########################### +# Extras and customization # +############################ + +extra: + # -- Extra environment variables that will be pass onto Falco containers. + env: [] + # -- Extra command-line arguments. + args: [] + # -- Additional initContainers for Falco pods. + initContainers: [] + +# -- certificates used by webserver and grpc server. +# paste certificate content or use helm with --set-file +# or use existing secret containing key, crt, ca as well as pem bundle +certs: + # -- Existing secret containing the following key, crt and ca as well as the bundle pem. + existingSecret: "" + server: + # -- Key used by gRPC and webserver. + key: "" + # -- Certificate used by gRPC and webserver. + crt: "" + ca: + # -- CA certificate used by gRPC, webserver and AuditSink validation. + crt: "" + existingClientSecret: "" + client: + # -- Key used by http mTLS client. + key: "" + # -- Certificate used by http mTLS client. + crt: "" + +# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file. +customRules: + {} + # Although Falco comes with a nice default rule set for detecting weird + # behavior in containers, our users are going to customize the run-time + # security rule sets or policies for the specific container images and + # applications they run. This feature can be handled in this section. + # + # Example: + # + # rules-traefik.yaml: |- + # [ rule body ] + +######################## +# Falco integrations # +######################## + +# -- For configuration values, see https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml +falcosidekick: + # -- Enable falcosidekick deployment. + enabled: true + # -- Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). + fullfqdn: false + # -- Listen port. 
Default value: 2801 + listenPort: "" + +#################### +# falcoctl config # +#################### +falcoctl: + image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from. + repository: falcosecurity/falcoctl + # -- The image tag to pull. + tag: "0.7.2" + artifact: + # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before + # Falco starts. It provides them to Falco by using an emptyDir volume. + install: + enabled: true + # -- Extra environment variables that will be pass onto falcoctl-artifact-install init container. + env: [] + # -- Arguments to pass to the falcoctl-artifact-install init container. + args: ["--log-format=json"] + # -- Resources requests and limits for the falcoctl-artifact-install init container. + resources: {} + # -- Security context for the falcoctl init container. + securityContext: {} + # -- A list of volume mounts you want to add to the falcoctl-artifact-install init container. + mounts: + volumeMounts: [] + # -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for + # updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir) + # that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the + # correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible + # with the running version of Falco before installing it. + follow: + enabled: true + # -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container. + env: [] + # -- Arguments to pass to the falcoctl-artifact-follow sidecar container. + args: ["--log-format=json"] + # -- Resources requests and limits for the falcoctl-artifact-follow sidecar container. 
+ resources: {} + # -- Security context for the falcoctl-artifact-follow sidecar container. + securityContext: {} + # -- A list of volume mounts you want to add to the falcoctl-artifact-follow sidecar container. + mounts: + volumeMounts: [] + # -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers. + config: + # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: + # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview + indexes: + - name: falcosecurity + url: https://falcosecurity.github.io/falcoctl/index.yaml + # -- Configuration used by the artifact commands. + artifact: + # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained + # in the list it will refuse to downloade and install that artifact. + allowedTypes: + - rulesfile + - plugin + install: + # -- Resolve the dependencies for artifacts. + resolveDeps: true + # -- List of artifacts to be installed by the falcoctl init container. + refs: [falco-rules:3] + # -- Directory where the rulesfiles are saved. The path is relative to the container, which in this case is an emptyDir + # mounted also by the Falco pod. + rulesfilesDir: /rulesfiles + # -- Same as the one above but for the artifacts. + pluginsDir: /plugins + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. + refs: [falco-rules:3] + # -- How often the tool checks for new versions of the followed artifacts. + every: 6h + # -- HTTP endpoint that serves the api versions of the Falco instance. It is used to check if the new versions are compatible + # with the running Falco instance. + falcoversions: http://localhost:8765/versions + # -- See the fields of the artifact.install section. + rulesfilesDir: /rulesfiles + # -- See the fields of the artifact.install section. 
+ pluginsDir: /plugins + +###################### +# falco.yaml config # +###################### +falco: + ##################### + # Falco rules files # + ##################### + + # [Stable] `rules_file` + # + # Falco rules can be specified using files or directories, which are loaded at + # startup. The name "rules_file" is maintained for backwards compatibility. If + # the entry is a file, it will be read directly. If the entry is a directory, + # all files within that directory will be read in alphabetical order. + # + # The falco_rules.yaml file ships with the Falco package and is overridden with + # every new software version. falco_rules.local.yaml is only created if it + # doesn't already exist. + # + # To customize the set of rules, you can add your modifications to any file. + # It's important to note that the files or directories are read in the order + # specified here. In addition, rules are loaded by Falco in the order they + # appear within each rule file. + # + # If you have any customizations intended to override a previous configuration, + # make sure they appear in later files to take precedence. On the other hand, if + # the conditions of rules with the same event type(s) have the potential to + # overshadow each other, ensure that the more important rule appears first. This + # is because rules are evaluated on a "first match wins" basis, where the first + # rule that matches the conditions will be applied, and subsequent rules will + # not be evaluated for the same event type. + # + # By arranging the order of files and rules thoughtfully, you can ensure that + # desired customizations and rule behaviors are prioritized and applied as + # intended. + # -- The location of the rules files that will be consumed by Falco. + rules_file: + - /etc/falco/falco_rules.yaml + - /etc/falco/falco_rules.local.yaml + - /etc/falco/rules.d + + # [Experimental] `rule_matching` + # + # - Falco has to be performant when evaluating rules against events. 
To quickly + # understand which rules could trigger on a specific event, Falco maintains + # buckets of rules sharing the same event type in a map. Then, the lookup + # in each bucket is performed through linear search. The `rule_matching` + # configuration key's values are: + # - "first": when evaluating conditions of rules in a bucket, Falco will stop + # to evaluate rules if it finds a matching rules. Since rules are stored + # in buckets in the order they are defined in the rules files, this option + # could prevent other rules to trigger even if their condition is met, causing + # a shadowing problem. + # - "all": with this value Falco will continue evaluating all the rules + # stored in the bucket, so that multiple rules could be triggered upon one + # event. + + rule_matching: first + + + # [Experimental] `outputs_queue` + # + # -- Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter + # allows you to customize the queue capacity. Please refer to the official documentation: + # https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. + # On a healthy system with optimized Falco rules, the queue should not fill up. + # If it does, it is most likely happening due to the entire event flow being too slow, + # indicating that the server is under heavy load. + # + # `capacity`: the maximum number of items allowed in the queue is determined by this value. + # Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. + # In other words, when this configuration is set to 0, the number of allowed items is + # effectively set to the largest possible long value, disabling this setting. + # + # In the case of an unbounded queue, if the available memory on the system is consumed, + # the Falco process would be OOM killed. When using this option and setting the capacity, + # the current event would be dropped, and the event loop would continue. 
This behavior mirrors + # kernel-side event drops when the buffer between kernel space and user space is full. + outputs_queue: + capacity: 0 + + + ################# + # Falco plugins # + ################# + + # [Stable] `load_plugins` and `plugins` + # + # --- [Description] + # + # Falco plugins enable integration with other services in the your ecosystem. + # They allow Falco to extend its functionality and leverage data sources such as + # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform + # fast on-host detections beyond syscalls and container events. The plugin + # system will continue to evolve with more specialized functionality in future + # releases. + # + # Please refer to the plugins repo at + # https://github.com/falcosecurity/plugins/blob/master/plugins/ for detailed + # documentation on the available plugins. This repository provides comprehensive + # information about each plugin and how to utilize them with Falco. + # + # Please note that if your intention is to enrich Falco syscall logs with fields + # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use + # the `k8saudit` plugin. This information is automatically extracted from the + # container runtime socket. The `k8saudit` plugin is specifically designed to + # integrate with Kubernetes audit logs and is not required for basic enrichment + # of syscall logs with Kubernetes-related fields. + # + # --- [Usage] + # + # Disabled by default, indicated by an empty `load_plugins` list. Each plugin meant + # to be enabled needs to be listed as explicit list item. + # + # For example, if you want to use the `k8saudit` plugin, + # ensure it is configured appropriately and then change this to: + # load_plugins: [k8saudit, json] + # -- Add here all plugins and their configuration. Please + # consult the plugins documentation for more info. Remember to add the plugins name in + # "load_plugins: []" in order to load them in Falco. 
+ load_plugins: [] + + # -- Customize subsettings for each enabled plugin. These settings will only be + # applied when the corresponding plugin is enabled using the `load_plugins` + # option. + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: + # maxEventSize: 262144 + # webhookMaxBatchSize: 12582912 + # sslCertificate: /etc/falco/falco.pem + open_params: "http://:9765/k8s-audit" + - name: cloudtrail + library_path: libcloudtrail.so + # see docs for init_config and open_params: + # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md + - name: json + library_path: libjson.so + init_config: "" + + ###################### + # Falco config files # + ###################### + + # [Stable] `watch_config_files` + # + # Falco monitors configuration and rule files for changes and automatically + # reloads itself to apply the updated configuration when any modifications are + # detected. This feature is particularly useful when you want to make real-time + # changes to the configuration or rules of Falco without interrupting its + # operation or losing its state. For more information about Falco's state + # engine, please refer to the `base_syscalls` section. + # -- Watch config file and rules files for modification. + # When a file is modified, Falco will propagate new config, + # by reloading itself. + watch_config_files: true + + ########################## + # Falco outputs settings # + ########################## + + # [Stable] `time_format_iso_8601` + # + # -- When enabled, Falco will display log and output messages with times in the ISO + # 8601 format. By default, times are shown in the local time zone determined by + # the /etc/localtime configuration. + time_format_iso_8601: false + + # [Stable] `priority` + # + # -- Any rule with a priority level more severe than or equal to the specified + # minimum level will be loaded and run by Falco. 
This allows you to filter and + # control the rules based on their severity, ensuring that only rules of a + # certain priority or higher are active and evaluated by Falco. Supported + # levels: "emergency", "alert", "critical", "error", "warning", "notice", + # "info", "debug" + priority: debug + + # [Stable] `json_output` + # + # -- When enabled, Falco will output alert messages and rules file + # loading/validation results in JSON format, making it easier for downstream + # programs to process and consume the data. By default, this option is disabled. + json_output: false + + # [Stable] `json_include_output_property` + # + # -- When using JSON output in Falco, you have the option to include the "output" + # property itself in the generated JSON output. The "output" property provides + # additional information about the purpose of the rule. To reduce the logging + # volume, it is recommended to turn it off if it's not necessary for your use + # case. + json_include_output_property: true + + # [Stable] `json_include_tags_property` + # + # -- When using JSON output in Falco, you have the option to include the "tags" + # field of the rules in the generated JSON output. The "tags" field provides + # additional metadata associated with the rule. To reduce the logging volume, + # if the tags associated with the rule are not needed for your use case or can + # be added at a later stage, it is recommended to turn it off. + json_include_tags_property: true + + # [Stable] `buffered_outputs` + # + # -- Enabling buffering for the output queue can offer performance optimization, + # efficient resource usage, and smoother data flow, resulting in a more reliable + # output mechanism. By default, buffering is disabled (false). + buffered_outputs: false + + # [Stable] `outputs` + # + # -- A throttling mechanism, implemented as a token bucket, can be used to control + # the rate of Falco outputs. 
Each event source has its own rate limiter, + # ensuring that alerts from one source do not affect the throttling of others. + # The following options control the mechanism: + # - rate: the number of tokens (i.e. right to send a notification) gained per + # second. When 0, the throttling mechanism is disabled. Defaults to 0. + # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. + # + # For example, setting the rate to 1 allows Falco to send up to 1000 + # notifications initially, followed by 1 notification per second. The burst + # capacity is fully restored after 1000 seconds of no activity. + # + # Throttling can be useful in various scenarios, such as preventing notification + # floods, managing system load, controlling event processing, or complying with + # rate limits imposed by external systems or APIs. It allows for better resource + # utilization, avoids overwhelming downstream systems, and helps maintain a + # balanced and controlled flow of notifications. + # + # With the default settings, the throttling mechanism is disabled. + outputs: + rate: 0 + max_burst: 1000 + + ########################## + # Falco outputs channels # + ########################## + + # Falco supports various output channels, such as syslog, stdout, file, gRPC, + # webhook, and more. You can enable or disable these channels as needed to + # control where Falco alerts and log messages are directed. This flexibility + # allows seamless integration with your preferred logging and alerting systems. + # Multiple outputs can be enabled simultaneously. + + # [Stable] `stdout_output` + # + # -- Redirect logs to standard output. + stdout_output: + enabled: true + + # [Stable] `syslog_output` + # + # -- Send logs to syslog. + syslog_output: + enabled: true + + # [Stable] `file_output` + # + # -- When appending Falco alerts to a file, each new alert will be added to a new + # line. It's important to note that Falco does not perform log rotation for this + # file. 
If the `keep_alive` option is set to `true`, the file will be opened once + # and continuously written to, else the file will be reopened for each output + # message. Furthermore, the file will be closed and reopened if Falco receives + # the SIGUSR1 signal. + file_output: + enabled: false + keep_alive: false + filename: ./events.txt + + # [Stable] `http_output` + # + # -- Send logs to an HTTP endpoint or webhook. + http_output: + enabled: false + url: "" + user_agent: "falcosecurity/falco" + # -- Tell Falco to not verify the remote server. + insecure: false + # -- Path to the CA certificate that can verify the remote server. + ca_cert: "" + # -- Path to a specific file that will be used as the CA certificate store. + ca_bundle: "" + # -- Path to a folder that will be used as the CA certificate store. CA certificate need to be + # stored as indivitual PEM files in this directory. + ca_path: "/etc/falco/certs/" + # -- Tell Falco to use mTLS + mtls: false + # -- Path to the client cert. + client_cert: "/etc/falco/certs/client/client.crt" + # -- Path to the client key. + client_key: "/etc/falco/certs/client/client.key" + # -- Whether to echo server answers to stdout + echo: false + # -- compress_uploads whether to compress data sent to http endpoint. + compress_uploads: false + # -- keep_alive whether to keep alive the connection. + keep_alive: false + + # [Stable] `program_output` + # + # -- Redirect the output to another program or command. + # + # Possible additional things you might want to do with program output: + # - send to a slack webhook: + # program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" + # - logging (alternate method than syslog): + # program: logger -t falco-test + # - send over a network connection: + # program: nc host.example.com 80 + # If `keep_alive` is set to `true`, the program will be started once and + # continuously written to, with each output message on its own line. 
If + # `keep_alive` is set to `false`, the program will be re-spawned for each output + # message. Furthermore, the program will be re-spawned if Falco receives + # the SIGUSR1 signal. + program_output: + enabled: false + keep_alive: false + program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" + + # [Stable] `grpc_output` + # + # -- Use gRPC as an output service. + # + # gRPC is a modern and high-performance framework for remote procedure calls + # (RPC). It utilizes protocol buffers for efficient data serialization. The gRPC + # output in Falco provides a modern and efficient way to integrate with other + # systems. By default the setting is turned off. Enabling this option stores + # output events in memory until they are consumed by a gRPC client. Ensure that + # you have a consumer for the output events or leave it disabled. + grpc_output: + enabled: false + + ########################## + # Falco exposed services # + ########################## + + # [Stable] `grpc` + # + # Falco provides support for running a gRPC server using two main binding types: + # 1. Over the network with mandatory mutual TLS authentication (mTLS), which + # ensures secure communication + # 2. Local Unix socket binding with no authentication. By default, the + # gRPCserver in Falco is turned off with no enabled services (see + # `grpc_output`setting). + # + # To configure the gRPC server in Falco, you can make the following changes to + # the options: + # + # - Uncomment the relevant configuration options related to the gRPC server. + # - Update the paths of the generated certificates for mutual TLS authentication + # if you choose to use mTLS. + # - Specify the address to bind and expose the gRPC server. + # - Adjust the threadiness configuration to control the number of threads and + # contexts used by the server. 
+ # + # Keep in mind that if any issues arise while creating the gRPC server, the + # information will be logged, but it will not stop the main Falco daemon. + + # gRPC server using mTLS + # grpc: + # enabled: true + # bind_address: "0.0.0.0:5060" + # # When the `threadiness` value is set to 0, Falco will automatically determine + # # the appropriate number of threads based on the number of online cores in the system. + # threadiness: 0 + # private_key: "/etc/falco/certs/server.key" + # cert_chain: "/etc/falco/certs/server.crt" + # root_certs: "/etc/falco/certs/ca.crt" + + # -- gRPC server using a local unix socket + grpc: + enabled: false + bind_address: "unix:///run/falco/falco.sock" + # -- When the `threadiness` value is set to 0, Falco will automatically determine + # the appropriate number of threads based on the number of online cores in the system. + threadiness: 0 + + # [Stable] `webserver` + # + # -- Falco supports an embedded webserver that runs within the Falco process, + # providing a lightweight and efficient way to expose web-based functionalities + # without the need for an external web server. The following endpoints are + # exposed: + # - /healthz: designed to be used for checking the health and availability of + # the Falco application (the name of the endpoint is configurable). + # - /versions: responds with a JSON object containing the version numbers of the + # internal Falco components (similar output as `falco --version -o + # json_output=true`). + # + # Please note that the /versions endpoint is particularly useful for other Falco + # services, such as `falcoctl`, to retrieve information about a running Falco + # instance. If you plan to use `falcoctl` locally or with Kubernetes, make sure + # the Falco webserver is enabled. 
+ # + # The behavior of the webserver can be controlled with the following options, + # which are enabled by default: + # + # The `ssl_certificate` option specifies a combined SSL certificate and + # corresponding key that are contained in a single file. You can generate a + # key/cert as follows: + # + # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out + # certificate.pem $ cat certificate.pem key.pem > falco.pem $ sudo cp falco.pem + # /etc/falco/falco.pem + webserver: + enabled: true + # When the `threadiness` value is set to 0, Falco will automatically determine + # the appropriate number of threads based on the number of online cores in the system. + threadiness: 0 + listen_port: 8765 + k8s_healthz_endpoint: /healthz + ssl_enabled: false + ssl_certificate: /etc/falco/falco.pem + + ############################################################################## + # Falco logging / alerting / metrics related to software functioning (basic) # + ############################################################################## + + # [Stable] `log_stderr` and `log_syslog` + # + # Falco's logs related to the functioning of the software, which are not related + # to Falco alert outputs but rather its lifecycle, settings and potential + # errors, can be directed to stderr and/or syslog. + # -- Send information logs to stderr. Note these are *not* security + # notification logs! These are just Falco lifecycle (and possibly error) logs. + log_stderr: true + # -- Send information logs to syslog. Note these are *not* security + # notification logs! These are just Falco lifecycle (and possibly error) logs. + log_syslog: true + + # [Stable] `log_level` + # + # -- The `log_level` setting determines the minimum log level to include in Falco's + # logs related to the functioning of the software. This setting is separate from + # the `priority` field of rules and specifically controls the log level of + # Falco's operational logging. 
By specifying a log level, you can control the + # verbosity of Falco's operational logs. Only logs of a certain severity level + # or higher will be emitted. Supported levels: "emergency", "alert", "critical", + # "error", "warning", "notice", "info", "debug". + log_level: info + + # [Stable] `libs_logger` + # + # -- The `libs_logger` setting in Falco determines the minimum log level to include + # in the logs related to the functioning of the software of the underlying + # `libs` library, which Falco utilizes. This setting is independent of the + # `priority` field of rules and the `log_level` setting that controls Falco's + # operational logs. It allows you to specify the desired log level for the `libs` + # library specifically, providing more granular control over the logging + # behavior of the underlying components used by Falco. Only logs of a certain + # severity level or higher will be emitted. Supported levels: "emergency", + # "alert", "critical", "error", "warning", "notice", "info", "debug". It is not + # recommended for production use. + libs_logger: + enabled: false + severity: debug + + ################################################################################# + # Falco logging / alerting / metrics related to software functioning (advanced) # + ################################################################################# + + # [Stable] `output_timeout` + # + # Generates Falco operational logs when `log_level=notice` at minimum + # + # A timeout error occurs when a process or operation takes longer to complete + # than the allowed or expected time limit. In the context of Falco, an output + # timeout error refers to the situation where an output channel fails to deliver + # an alert within a specified deadline. Various reasons, such as network issues, + # resource constraints, or performance bottlenecks can cause timeouts. 
+ # + # -- The `output_timeout` parameter specifies the duration, in milliseconds, to + # wait before considering the deadline exceeded. By default, the timeout is set + # to 2000ms (2 seconds), meaning that the consumer of Falco outputs can block + # the Falco output channel for up to 2 seconds without triggering a timeout + # error. + # + # Falco actively monitors the performance of output channels. With this setting + # the timeout error can be logged, but please note that this requires setting + # Falco's operational logs `log_level` to a minimum of `notice`. + # + # It's important to note that Falco outputs will not be discarded from the + # output queue. This means that if an output channel becomes blocked + # indefinitely, it indicates a potential issue that needs to be addressed by the + # user. + output_timeout: 2000 + + # [Stable] `syscall_event_timeouts` + # + # -- Generates Falco operational logs when `log_level=notice` at minimum + # + # Falco utilizes a shared buffer between the kernel and userspace to receive + # events, such as system call information, in userspace. However, there may be + # cases where timeouts occur in the underlying libraries due to issues in + # reading events or the need to skip a particular event. While it is uncommon + # for Falco to experience consecutive event timeouts, it has the capability to + # detect such situations. You can configure the maximum number of consecutive + # timeouts without an event after which Falco will generate an alert, but please + # note that this requires setting Falco's operational logs `log_level` to a + # minimum of `notice`. The default value is set to 1000 consecutive timeouts + # without receiving any events. The mapping of this value to a time interval + # depends on the CPU frequency. 
+ syscall_event_timeouts: + max_consecutives: 1000 + + # [Stable] `syscall_event_drops` + # + # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum + # + # --- [Description] + # + # Falco uses a shared buffer between the kernel and userspace to pass system + # call information. When Falco detects that this buffer is full and system calls + # have been dropped, it can take one or more of the following actions: + # - ignore: do nothing (default when list of actions is empty) + # - log: log a DEBUG message noting that the buffer was full + # - alert: emit a Falco alert noting that the buffer was full + # - exit: exit Falco with a non-zero rc + # + # Notice it is not possible to ignore and log/alert messages at the same time. + # + # The rate at which log/alert messages are emitted is governed by a token + # bucket. The rate corresponds to one message every 30 seconds with a burst of + # one message (by default). + # + # The messages are emitted when the percentage of dropped system calls with + # respect the number of events in the last second is greater than the given + # threshold (a double in the range [0, 1]). If you want to be alerted on any + # drops, set the threshold to 0. + # + # For debugging/testing it is possible to simulate the drops using the + # `simulate_drops: true`. In this case the threshold does not apply. + # + # --- [Usage] + # + # Enabled by default, but requires Falco rules config `priority` set to `debug`. + # Emits a Falco rule named "Falco internal: syscall event drop" as many times in + # a given time period as dictated by the settings. Statistics here reflect the + # delta in a 1s time period. + # + # If instead you prefer periodic metrics of monotonic counters at a regular + # interval, which include syscall drop statistics and additional metrics, + # explore the `metrics` configuration option. + # -- For debugging/testing it is possible to simulate the drops using + # the `simulate_drops: true`. 
In this case the threshold does not apply. + syscall_event_drops: + # -- The messages are emitted when the percentage of dropped system calls + # with respect the number of events in the last second + # is greater than the given threshold (a double in the range [0, 1]). + threshold: .1 + # -- Actions to be taken when system calls were dropped from the circular buffer. + actions: + - log + - alert + # -- Rate at which log/alert messages are emitted. + rate: .03333 + # -- Max burst of messages emitted. + max_burst: 1 + # -- Flag to enable drops for debug purposes. + simulate_drops: false + + # [Experimental] `metrics` + # + # -- Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum + # + # periodic metric snapshots (including stats and resource utilization) captured + # at regular intervals + # + # --- [Description] + # + # Consider these key points about the `metrics` feature in Falco: + # + # - It introduces a redesigned stats/metrics system. + # - Native support for resource utilization metrics and specialized performance + # metrics. + # - Metrics are emitted as monotonic counters at predefined intervals + # (snapshots). + # - All metrics are consolidated into a single log message, adhering to the + # established rules schema and naming conventions. + # - Additional info fields complement the metrics and facilitate customized + # statistical analyses and correlations. + # - The metrics framework is designed for easy future extension. + # + # The `metrics` feature follows a specific schema and field naming convention. + # All metrics are collected as subfields under the `output_fields` key, similar + # to regular Falco rules. Each metric field name adheres to the grammar used in + # Falco rules. There are two new field classes introduced: `falco.` and `scap.`. + # The `falco.` class represents userspace counters, statistics, resource + # utilization, or useful information fields. 
The `scap.` class represents + # counters and statistics mostly obtained from Falco's kernel instrumentation + # before events are sent to userspace, but can include scap userspace stats as + # well. + # + # It's important to note that the output fields and their names can be subject + # to change until the metrics feature reaches a stable release. + # + # To customize the hostname in Falco, you can set the environment variable + # `FALCO_HOSTNAME` to your desired hostname. This is particularly useful in + # Kubernetes deployments where the hostname can be set to the pod name. + # + # --- [Usage] + # + # `enabled`: Disabled by default. + # + # `interval`: The stats interval in Falco follows the time duration definitions + # used by Prometheus. + # https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations + # + # Time durations are specified as a number, followed immediately by one of the + # following units: + # + # ms - millisecond + # s - second + # m - minute + # h - hour + # d - day - assuming a day has always 24h + # w - week - assuming a week has always 7d + # y - year - assuming a year has always 365d + # + # Example of a valid time duration: 1h30m20s10ms + # + # A minimum interval of 100ms is enforced for metric collection. However, for + # production environments, we recommend selecting one of the following intervals + # for optimal monitoring: + # + # 15m + # 30m + # 1h + # 4h + # 6h + # + # `output_rule`: To enable seamless metrics and performance monitoring, we + # recommend emitting metrics as the rule "Falco internal: metrics snapshot". + # This option is particularly useful when Falco logs are preserved in a data + # lake. Please note that to use this option, the Falco rules config `priority` + # must be set to `info` at a minimum. + # + # `output_file`: Append stats to a `jsonl` file. Use with caution in production + # as Falco does not automatically rotate the file. 
+ # + # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage + # is reported as a percentage of one CPU and can be normalized to the total + # number of CPUs to determine overall usage. Memory metrics are provided in raw + # units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) + # and can be uniformly converted to megabytes (MB) using the + # `convert_memory_to_mb` functionality. In environments such as Kubernetes when + # deployed as daemonset, it is crucial to track Falco's container memory usage. + # To customize the path of the memory metric file, you can create an environment + # variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By + # default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to + # monitor container memory usage, which aligns with Kubernetes' + # `container_memory_working_set_bytes` metric. Finally, we emit the overall host + # CPU and memory usages, along with the total number of processes and open file + # descriptors (fds) on the host, obtained from the proc file system unrelated to + # Falco's monitoring. These metrics help assess Falco's usage in relation to the + # server's workload intensity. + # + # `state_counters_enabled`: Emit counters related to Falco's state engine, including + # added, removed threads or file descriptors (fds), and failed lookup, store, or + # retrieve actions in relation to Falco's underlying process cache table (threadtable). + # We also log the number of currently cached containers if applicable. + # + # `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as + # an alternative to `syscall_event_drops`, but with some differences. These + # counters reflect monotonic values since Falco's start and are exported at a + # constant stats interval. 
+ # + # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, + # providing information such as the number of invocations of each BPF program + # attached by Falco and the time spent in each program measured in nanoseconds. + # To enable this feature, the kernel must be >= 5.1, and the kernel + # configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, + # or an equivalent statistics feature, is not available for non `*bpf*` drivers. + # Additionally, please be aware that the current implementation of `libbpf` does + # not support granularity of statistics at the bpf tail call level. + # + # `include_empty_values`: When the option is set to true, fields with an empty + # numeric value will be included in the output. However, this rule does not + # apply to high-level fields such as `n_evts` or `n_drops`; they will always be + # included in the output even if their value is empty. This option can be + # beneficial for exploring the data schema and ensuring that fields with empty + # values are included in the output. + # todo: prometheus export option + # todo: syscall_counters_enabled option + metrics: + enabled: true + interval: 1h + output_rule: true + # output_file: /tmp/falco_stats.jsonl + resource_utilization_enabled: true + state_counters_enabled: true + kernel_event_counters_enabled: true + libbpf_stats_enabled: true + convert_memory_to_mb: true + include_empty_values: false + + + ####################################### + # Falco performance tuning (advanced) # + ####################################### + + # [Experimental] `base_syscalls`, use with caution, read carefully + # + # --- [Description] + # + # -- This option configures the set of syscalls that Falco traces. + # + # --- [Falco's State Engine] + # + # Falco requires a set of syscalls to build up state in userspace. For example, + # when spawning a new process or network connection, multiple syscalls are + # involved. 
Furthermore, properties of a process during its lifetime can be + # modified by syscalls. Falco accounts for this by enabling the collection of + # additional syscalls than the ones defined in the rules and by managing a smart + # process cache table in userspace. Processes are purged from this table when a + # process exits. + # + # By default, with + # ``` + # base_syscalls.custom_set = [] + # base_syscalls.repair = false + # ``` + # Falco enables tracing for a syscall set gathered: (1) from (enabled) Falco + # rules (2) from a static, more verbose set defined in + # `libsinsp::events::sinsp_state_sc_set` in + # libs/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp This allows Falco to + # successfully build up it's state engine and life-cycle management. + # + # If the default behavior described above does not fit the user's use case for + # Falco, the `base_syscalls` option allows for finer end-user control of + # syscalls traced by Falco. + # + # --- [base_syscalls.custom_set] + # + # CAUTION: Misconfiguration of this setting may result in incomplete Falco event + # logs or Falco being unable to trace events entirely. + # + # `base_syscalls.custom_set` allows the user to explicitly define an additional + # set of syscalls to be traced in addition to the syscalls from each enabled + # Falco rule. + # + # This is useful in lowering CPU utilization and further tailoring Falco to + # specific environments according to your threat model and budget constraints. + # + # --- [base_syscalls.repair] + # + # `base_syscalls.repair` is an alternative to Falco's default state engine + # enforcement. 
When enabled, this option is designed to (1) ensure that Falco's + # state engine is correctly and successfully built-up (2) be the most system + # resource-friendly by activating the least number of additional syscalls + # (outside of those enabled for enabled rules) + # + # Setting `base_syscalls.repair` to `true` allows Falco to automatically + # configure what is described in the [Suggestions] section below. + # + # `base_syscalls.repair` can be enabled with an empty custom set, meaning with + # the following, + # ``` + # base_syscalls.custom_set = [] + # base_syscalls.repair = true + # ``` + # Falco enables tracing for a syscall set gathered: (1) from (enabled) Falco + # rules (2) from minimal set of additional syscalls needed to "repair" the + # state engine and properly log event conditions specified in enabled Falco + # rules + # + # --- [Usage] + # + # List of system calls names (), negative ("!") + # notation supported. + # + # Example: base_syscalls.custom_set: [, , + # "!"] base_syscalls.repair: + # + # We recommend to only exclude syscalls, e.g. "!mprotect" if you need a fast + # deployment update (overriding rules), else remove unwanted syscalls from the + # Falco rules. + # + # Passing `-o "log_level=debug" -o "log_stderr=true" --dry-run` to Falco's cmd + # args will print the final set of syscalls to STDOUT. + # + # --- [Suggestions] + # + # NOTE: setting `base_syscalls.repair: true` automates the following suggestions + # for you. + # + # These suggestions are subject to change as Falco and its state engine evolve. + # + # For execve* events: Some Falco fields for an execve* syscall are retrieved + # from the associated `clone`, `clone3`, `fork`, `vfork` syscalls when spawning + # a new process. The `close` syscall is used to purge file descriptors from + # Falco's internal thread / process cache table and is necessary for rules + # relating to file descriptors (e.g. open, openat, openat2, socket, connect, + # accept, accept4 ... 
and many more) + # + # Consider enabling the following syscalls in `base_syscalls.custom_set` for + # process rules: [clone, clone3, fork, vfork, execve, execveat, close] + # + # For networking related events: While you can log `connect` or `accept*` + # syscalls without the socket syscall, the log will not contain the ip tuples. + # Additionally, for `listen` and `accept*` syscalls, the `bind` syscall is also + # necessary. + # + # We recommend the following as the minimum set for networking-related rules: + # [clone, clone3, fork, vfork, execve, execveat, close, socket, bind, + # getsockopt] + # + # Lastly, for tracking the correct `uid`, `gid` or `sid`, `pgid` of a process + # when the running process opens a file or makes a network connection, consider + # adding the following to the above recommended syscall sets: ... setresuid, + # setsid, setuid, setgid, setpgid, setresgid, setsid, capset, chdir, chroot, + # fchdir ... + base_syscalls: + custom_set: [] + repair: false + + ################################################# + # Falco cloud orchestration systems integration # + ################################################# + + # [Stable] Guidance for Kubernetes container engine command-line args settings + # + # Modern cloud environments, particularly Kubernetes, heavily rely on + # containerized workload deployments. When capturing events with Falco, it + # becomes essential to identify the owner of the workload for which events are + # being captured, such as syscall events. Falco integrates with the container + # runtime to enrich its events with container information, including fields like + # `container.image.repository`, `container.image.tag`, ... , `k8s.ns.name`, + # `k8s.pod.name`, `k8s.pod.*` in the Falco output (Falco retrieves Kubernetes + # namespace and pod name directly from the container runtime, see + # https://falco.org/docs/reference/rules/supported-fields/#field-class-container). 
+ # + # Furthermore, Falco exposes container events themselves as a data source for + # alerting. To achieve this integration with the container runtime, Falco + # requires access to the runtime socket. By default, for Kubernetes, Falco + # attempts to connect to the following sockets: + # "/run/containerd/containerd.sock", "/run/crio/crio.sock", + # "/run/k3s/containerd/containerd.sock". If you have a custom path, you can use + # the `--cri` option to specify the correct location. + # + # In some cases, you may encounter empty fields for container metadata. To + # address this, you can explore the `--disable-cri-async` option, which disables + # asynchronous fetching if the fetch operation is not completing quickly enough. + # + # To get more information on these command-line arguments, you can run `falco + # --help` in your terminal to view their current descriptions. + # + # !!! The options mentioned here are not available in the falco.yaml + # configuration file. Instead, they can can be used as a command-line argument + # when running the Falco command. diff --git a/falco/values.yaml b/falco/values.yaml new file mode 100644 index 0000000..2713a8e --- /dev/null +++ b/falco/values.yaml 
@@ -0,0 +1,1298 @@ +# Default values for Falco. + +############################### +# General deployment settings # +############################### + +image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from + repository: falcosecurity/falco-no-driver + # -- The image tag to pull. Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Secrets containing credentials when pulling from private/secure registries. +imagePullSecrets: [] +# -- Put here the new name if you want to override the release name used for Falco components. +nameOverride: "" +# -- Same as nameOverride but for the fullname. +fullnameOverride: "" +# -- Override the deployment namespace +namespaceOverride: "" + +# -- Add additional pod annotations +podAnnotations: {} + +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# -- Add additional pod labels +podLabels: {} + +# -- Set pod priorityClassName +podPriorityClassName: + +# -- Set securityContext for the pods +# These security settings are overriden by the ones specified for the specific +# containers when there is overlap. +podSecurityContext: {} + +# Note that `containerSecurityContext`: +# - will not apply to init containers, if any; +# - takes precedence over other automatic configurations (see below). 
+# +# Based on the `driver` configuration the auto generated settings are: +# 1) driver.enabled = false: +# securityContext: {} +# +# 2) driver.enabled = true and (driver.kind = module || driver.kind = modern-bpf): +# securityContext: +# privileged: true +# +# 3) driver.enabled = true and driver.kind = ebpf: +# securityContext: +# privileged: true +# +# 4) driver.enabled = true and driver.kind = ebpf and driver.ebpf.leastPrivileged = true +# securityContext: +# capabilities: +# add: +# - BPF +# - SYS_RESOURCE +# - PERFMON +# - SYS_PTRACE +# +# -- Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl" +containerSecurityContext: {} + +scc: + # -- Create OpenShift's Security Context Constraint. + create: true + +resources: + # -- Although resources needed are subjective on the actual workload we provide + # a sane defaults ones. If you have more questions or concerns, please refer + # to #falco slack channel for more info about it. + requests: + cpu: 100m + memory: 512Mi + # -- Maximum amount of resources that Falco container could get. + # If you are enabling more than one source in falco, than consider to increase + # the cpu limits. + limits: + cpu: 1000m + memory: 1024Mi +# -- Selectors used to deploy Falco on a given node/nodes. +nodeSelector: {} + +# -- Affinity constraint for pods' scheduling. +affinity: {} + +# -- Tolerations to allow Falco to run on Kubernetes masters. +tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + +# -- Parameters used +healthChecks: + livenessProbe: + # -- Tells the kubelet that it should wait X seconds before performing the first probe. + initialDelaySeconds: 60 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + # -- Specifies that the kubelet should perform the check every x seconds. 
+ periodSeconds: 15 + readinessProbe: + # -- Tells the kubelet that it should wait X seconds before performing the first probe. + initialDelaySeconds: 30 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + # -- Specifies that the kubelet should perform the check every x seconds. + periodSeconds: 15 + +# -- Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. +# Set it to "true" when you need the Falco logs to be immediately displayed. +tty: false + +######################### +# Scenario requirements # +######################### + +# Sensors dislocation configuration (scenario requirement) +controller: + # Available options: deployment, daemonset. + kind: daemonset + # Annotations to add to the daemonset or deployment + annotations: {} + daemonset: + updateStrategy: + # You can also customize maxUnavailable or minReadySeconds if you + # need it + # -- Perform rolling updates by default in the DaemonSet agent + # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + type: RollingUpdate + deployment: + # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. + # For more info check the section on Plugins in the README.md file. + replicas: 1 + # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 + +# -- Network services configuration (scenario requirement) +# Add here your services to be deployed together with Falco. +services: + # Example configuration for the "k8sauditlog" plugin + # - name: k8saudit-webhook + # type: NodePort + # ports: + # - port: 9765 # See plugin open_params + # nodePort: 30007 + # protocol: TCP + +# File access configuration (scenario requirement) +mounts: + # -- A list of volumes you want to add to the Falco pods. + volumes: [] + # -- A list of volumes you want to add to the Falco pods. 
+ volumeMounts: [] + # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). + enforceProcMount: false + +# Driver settings (scenario requirement) +driver: + # -- Set it to false if you want to deploy Falco without the drivers. + # Always set it to false when using Falco with plugins. + enabled: true + # -- kind tells Falco which driver to use. Available options: kmod (kernel driver), ebpf (eBPF probe), modern_ebpf (modern eBPF probe). + kind: kmod + # -- kmod holds the configuration for the kernel module. + kmod: + # -- bufSizePreset determines the size of the shared space between Falco and its drivers. + # This shared space serves as a temporary storage for syscall events. + bufSizePreset: 4 + # -- dropFailedExit if set true drops failed system call exit events before pushing them to userspace. + dropFailedExit: false + # -- Configuration section for ebpf driver. + ebpf: + # -- path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init + # container deployed with the chart. + path: "${HOME}/.falco/falco-bpf.o" + # -- Needed to enable eBPF JIT at runtime for performance reasons. + # Can be skipped if eBPF JIT is enabled from outside the container + hostNetwork: false + # -- Constrain Falco with capabilities instead of running a privileged container. + # Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). + # Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. + # On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. 
+ # Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. + # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 + leastPrivileged: false + # -- bufSizePreset determines the size of the shared space between Falco and its drivers. + # This shared space serves as a temporary storage for syscall events. + bufSizePreset: 4 + # -- dropFailedExit if set true drops failed system call exit events before pushing them to userspace. + dropFailedExit: false + modernEbpf: + # -- Constrain Falco with capabilities instead of running a privileged container. + # Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). + # Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. + # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 + leastPrivileged: false + # -- bufSizePreset determines the size of the shared space between Falco and its drivers. + # This shared space serves as a temporary storage for syscall events. + bufSizePreset: 4 + # -- dropFailedExit if set true drops failed system call exit events before pushing them to userspace. + dropFailedExit: false + # -- cpusForEachBuffer is the index that controls how many CPUs to assign to a single syscall buffer. + cpusForEachBuffer: 2 + + # -- Gvisor configuration. Based on your system you need to set the appropriate values. + # Please, remember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes. + gvisor: + # -- Runsc container runtime configuration. Falco needs to interact with it in order to intercept the activity of the sandboxed pods. + runsc: + # -- Absolute path of the `runsc` binary in the k8s nodes. 
+ path: /home/containerd/usr/local/sbin + # -- Absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it; + root: /run/containerd/runsc + # -- Absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence. + config: /run/containerd/runsc/config.toml + + # -- Configuration for the Falco init container. + loader: + # -- Enable/disable the init container. + enabled: true + initContainer: + image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from. + repository: falcosecurity/falco-driver-loader + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + # -- Extra environment variables that will be pass onto Falco driver loader init container. + env: [] + # -- Arguments to pass to the Falco driver loader init container. + args: [] + # -- Resources requests and limits for the Falco driver loader init container. + resources: {} + # -- Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`. + securityContext: {} + +# Collectors for data enrichment (scenario requirement) +collectors: + # -- Enable/disable all the metadata collectors. + enabled: true + + docker: + # -- Enable Docker support. + enabled: true + # -- The path of the Docker daemon socket. + socket: /var/run/docker.sock + + containerd: + # -- Enable ContainerD support. + enabled: true + # -- The path of the ContainerD socket. + socket: /run/containerd/containerd.sock + + crio: + # -- Enable CRI-O support. + enabled: true + # -- The path of the CRI-O socket. + socket: /run/crio/crio.sock + + # -- kubernetes holds the configuration for the kubernetes collector. 
Starting from version 0.37.0 of Falco, the legacy + # kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed + # to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 + kubernetes: + # -- enabled specifies whether the Kubernetes metadata should be collected using the k8smeta plugin and the k8s-metacollector component. + # It will deploy the k8s-metacollector external component that fetches Kubernetes metadata and pushes them to Falco instances. + # For more info see: + # https://github.com/falcosecurity/k8s-metacollector + # https://github.com/falcosecurity/charts/tree/master/charts/k8s-metacollector + # When this option is disabled, Falco falls back to the container annotations to grab the metadata. + # In such a case, only the ID, name, namespace, labels of the pod will be available. + enabled: false + # --pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: + # "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. + pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0" + # -- collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match + # k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override + # it, make sure to set here the address of the k8s-metacollector. + # It is used by the k8smeta plugin to connect to the k8s-metacollector. + collectorHostname: "" + # -- collectorPort designates the port on which the k8s-metacollector gRPC service listens. If not specified + # the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. + # It is used by the k8smeta plugin to connect to the k8s-metacollector. 
+ collectorPort: "" + + +########################### +# Extras and customization # +############################ + +extra: + # -- Extra environment variables that will be pass onto Falco containers. + env: [] + # -- Extra command-line arguments. + args: [] + # -- Additional initContainers for Falco pods. + initContainers: [] + +# -- certificates used by webserver and grpc server. +# paste certificate content or use helm with --set-file +# or use existing secret containing key, crt, ca as well as pem bundle +certs: + # -- Existing secret containing the following key, crt and ca as well as the bundle pem. + existingSecret: "" + server: + # -- Key used by gRPC and webserver. + key: "" + # -- Certificate used by gRPC and webserver. + crt: "" + ca: + # -- CA certificate used by gRPC, webserver and AuditSink validation. + crt: "" + existingClientSecret: "" + client: + # -- Key used by http mTLS client. + key: "" + # -- Certificate used by http mTLS client. + crt: "" + +# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file. +customRules: + {} + # Although Falco comes with a nice default rule set for detecting weird + # behavior in containers, our users are going to customize the run-time + # security rule sets or policies for the specific container images and + # applications they run. This feature can be handled in this section. + # + # Example: + # + # rules-traefik.yaml: |- + # [ rule body ] + +######################## +# Falco integrations # +######################## + +# -- For configuration values, see https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml +falcosidekick: + # -- Enable falcosidekick deployment. + enabled: false + # -- Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). + fullfqdn: false + # -- Listen port. 
Default value: 2801 + listenPort: "" + +#################### +# falcoctl config # +#################### +falcoctl: + image: + # -- The image pull policy. + pullPolicy: IfNotPresent + # -- The image registry to pull from. + registry: docker.io + # -- The image repository to pull from. + repository: falcosecurity/falcoctl + # -- The image tag to pull. + tag: "0.7.2" + artifact: + # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before + # Falco starts. It provides them to Falco by using an emptyDir volume. + install: + enabled: true + # -- Extra environment variables that will be pass onto falcoctl-artifact-install init container. + env: [] + # -- Arguments to pass to the falcoctl-artifact-install init container. + args: ["--log-format=json"] + # -- Resources requests and limits for the falcoctl-artifact-install init container. + resources: {} + # -- Security context for the falcoctl init container. + securityContext: {} + # -- A list of volume mounts you want to add to the falcoctl-artifact-install init container. + mounts: + volumeMounts: [] + # -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for + # updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir) + # that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the + # correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible + # with the running version of Falco before installing it. + follow: + enabled: true + # -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container. + env: [] + # -- Arguments to pass to the falcoctl-artifact-follow sidecar container. + args: ["--log-format=json"] + # -- Resources requests and limits for the falcoctl-artifact-follow sidecar container. 
+ resources: {} + # -- Security context for the falcoctl-artifact-follow sidecar container. + securityContext: {} + # -- A list of volume mounts you want to add to the falcoctl-artifact-follow sidecar container. + mounts: + volumeMounts: [] + # -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers. + config: + # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: + # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview + indexes: + - name: falcosecurity + url: https://falcosecurity.github.io/falcoctl/index.yaml + # -- Configuration used by the artifact commands. + artifact: + # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained + # in the list it will refuse to downloade and install that artifact. + allowedTypes: + - rulesfile + - plugin + install: + # -- Resolve the dependencies for artifacts. + resolveDeps: true + # -- List of artifacts to be installed by the falcoctl init container. + refs: [falco-rules:3] + # -- Directory where the rulesfiles are saved. The path is relative to the container, which in this case is an emptyDir + # mounted also by the Falco pod. + rulesfilesDir: /rulesfiles + # -- Same as the one above but for the artifacts. + pluginsDir: /plugins + follow: + # -- List of artifacts to be followed by the falcoctl sidecar container. + refs: [falco-rules:3] + # -- How often the tool checks for new versions of the followed artifacts. + every: 6h + # -- HTTP endpoint that serves the api versions of the Falco instance. It is used to check if the new versions are compatible + # with the running Falco instance. + falcoversions: http://localhost:8765/versions + # -- See the fields of the artifact.install section. + rulesfilesDir: /rulesfiles + # -- See the fields of the artifact.install section. 
+ pluginsDir: /plugins + +###################### +# falco.yaml config # +###################### +falco: + ##################### + # Falco rules files # + ##################### + + # [Stable] `rules_file` + # + # Falco rules can be specified using files or directories, which are loaded at + # startup. The name "rules_file" is maintained for backwards compatibility. If + # the entry is a file, it will be read directly. If the entry is a directory, + # all files within that directory will be read in alphabetical order. + # + # The falco_rules.yaml file ships with the Falco package and is overridden with + # every new software version. falco_rules.local.yaml is only created if it + # doesn't already exist. + # + # To customize the set of rules, you can add your modifications to any file. + # It's important to note that the files or directories are read in the order + # specified here. In addition, rules are loaded by Falco in the order they + # appear within each rule file. + # + # If you have any customizations intended to override a previous configuration, + # make sure they appear in later files to take precedence. On the other hand, if + # the conditions of rules with the same event type(s) have the potential to + # overshadow each other, ensure that the more important rule appears first. This + # is because rules are evaluated on a "first match wins" basis, where the first + # rule that matches the conditions will be applied, and subsequent rules will + # not be evaluated for the same event type. + # + # By arranging the order of files and rules thoughtfully, you can ensure that + # desired customizations and rule behaviors are prioritized and applied as + # intended. + # -- The location of the rules files that will be consumed by Falco. + rules_file: + - /etc/falco/falco_rules.yaml + - /etc/falco/falco_rules.local.yaml + - /etc/falco/rules.d + + # [Experimental] `rule_matching` + # + # - Falco has to be performant when evaluating rules against events. 
To quickly + # understand which rules could trigger on a specific event, Falco maintains + # buckets of rules sharing the same event type in a map. Then, the lookup + # in each bucket is performed through linear search. The `rule_matching` + # configuration key's values are: + # - "first": when evaluating conditions of rules in a bucket, Falco will stop + # to evaluate rules if it finds a matching rules. Since rules are stored + # in buckets in the order they are defined in the rules files, this option + # could prevent other rules to trigger even if their condition is met, causing + # a shadowing problem. + # - "all": with this value Falco will continue evaluating all the rules + # stored in the bucket, so that multiple rules could be triggered upon one + # event. + + rule_matching: first + + + # [Experimental] `outputs_queue` + # + # -- Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter + # allows you to customize the queue capacity. Please refer to the official documentation: + # https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. + # On a healthy system with optimized Falco rules, the queue should not fill up. + # If it does, it is most likely happening due to the entire event flow being too slow, + # indicating that the server is under heavy load. + # + # `capacity`: the maximum number of items allowed in the queue is determined by this value. + # Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. + # In other words, when this configuration is set to 0, the number of allowed items is + # effectively set to the largest possible long value, disabling this setting. + # + # In the case of an unbounded queue, if the available memory on the system is consumed, + # the Falco process would be OOM killed. When using this option and setting the capacity, + # the current event would be dropped, and the event loop would continue. 
This behavior mirrors + # kernel-side event drops when the buffer between kernel space and user space is full. + outputs_queue: + capacity: 0 + + + ################# + # Falco plugins # + ################# + + # [Stable] `load_plugins` and `plugins` + # + # --- [Description] + # + # Falco plugins enable integration with other services in the your ecosystem. + # They allow Falco to extend its functionality and leverage data sources such as + # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform + # fast on-host detections beyond syscalls and container events. The plugin + # system will continue to evolve with more specialized functionality in future + # releases. + # + # Please refer to the plugins repo at + # https://github.com/falcosecurity/plugins/blob/master/plugins/ for detailed + # documentation on the available plugins. This repository provides comprehensive + # information about each plugin and how to utilize them with Falco. + # + # Please note that if your intention is to enrich Falco syscall logs with fields + # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use + # the `k8saudit` plugin. This information is automatically extracted from the + # container runtime socket. The `k8saudit` plugin is specifically designed to + # integrate with Kubernetes audit logs and is not required for basic enrichment + # of syscall logs with Kubernetes-related fields. + # + # --- [Usage] + # + # Disabled by default, indicated by an empty `load_plugins` list. Each plugin meant + # to be enabled needs to be listed as explicit list item. + # + # For example, if you want to use the `k8saudit` plugin, + # ensure it is configured appropriately and then change this to: + # load_plugins: [k8saudit, json] + # -- Add here all plugins and their configuration. Please + # consult the plugins documentation for more info. Remember to add the plugins name in + # "load_plugins: []" in order to load them in Falco. 
+ load_plugins: [] + + # -- Customize subsettings for each enabled plugin. These settings will only be + # applied when the corresponding plugin is enabled using the `load_plugins` + # option. + plugins: + - name: k8saudit + library_path: libk8saudit.so + init_config: + # maxEventSize: 262144 + # webhookMaxBatchSize: 12582912 + # sslCertificate: /etc/falco/falco.pem + open_params: "http://:9765/k8s-audit" + - name: cloudtrail + library_path: libcloudtrail.so + # see docs for init_config and open_params: + # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md + - name: json + library_path: libjson.so + init_config: "" + + ###################### + # Falco config files # + ###################### + + # [Stable] `watch_config_files` + # + # Falco monitors configuration and rule files for changes and automatically + # reloads itself to apply the updated configuration when any modifications are + # detected. This feature is particularly useful when you want to make real-time + # changes to the configuration or rules of Falco without interrupting its + # operation or losing its state. For more information about Falco's state + # engine, please refer to the `base_syscalls` section. + # -- Watch config file and rules files for modification. + # When a file is modified, Falco will propagate new config, + # by reloading itself. + watch_config_files: true + + ########################## + # Falco outputs settings # + ########################## + + # [Stable] `time_format_iso_8601` + # + # -- When enabled, Falco will display log and output messages with times in the ISO + # 8601 format. By default, times are shown in the local time zone determined by + # the /etc/localtime configuration. + time_format_iso_8601: false + + # [Stable] `priority` + # + # -- Any rule with a priority level more severe than or equal to the specified + # minimum level will be loaded and run by Falco. 
This allows you to filter and + # control the rules based on their severity, ensuring that only rules of a + # certain priority or higher are active and evaluated by Falco. Supported + # levels: "emergency", "alert", "critical", "error", "warning", "notice", + # "info", "debug" + priority: debug + + # [Stable] `json_output` + # + # -- When enabled, Falco will output alert messages and rules file + # loading/validation results in JSON format, making it easier for downstream + # programs to process and consume the data. By default, this option is disabled. + json_output: false + + # [Stable] `json_include_output_property` + # + # -- When using JSON output in Falco, you have the option to include the "output" + # property itself in the generated JSON output. The "output" property provides + # additional information about the purpose of the rule. To reduce the logging + # volume, it is recommended to turn it off if it's not necessary for your use + # case. + json_include_output_property: true + + # [Stable] `json_include_tags_property` + # + # -- When using JSON output in Falco, you have the option to include the "tags" + # field of the rules in the generated JSON output. The "tags" field provides + # additional metadata associated with the rule. To reduce the logging volume, + # if the tags associated with the rule are not needed for your use case or can + # be added at a later stage, it is recommended to turn it off. + json_include_tags_property: true + + # [Stable] `buffered_outputs` + # + # -- Enabling buffering for the output queue can offer performance optimization, + # efficient resource usage, and smoother data flow, resulting in a more reliable + # output mechanism. By default, buffering is disabled (false). + buffered_outputs: false + + # [Stable] `outputs` + # + # -- A throttling mechanism, implemented as a token bucket, can be used to control + # the rate of Falco outputs. 
Each event source has its own rate limiter, + # ensuring that alerts from one source do not affect the throttling of others. + # The following options control the mechanism: + # - rate: the number of tokens (i.e. right to send a notification) gained per + # second. When 0, the throttling mechanism is disabled. Defaults to 0. + # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. + # + # For example, setting the rate to 1 allows Falco to send up to 1000 + # notifications initially, followed by 1 notification per second. The burst + # capacity is fully restored after 1000 seconds of no activity. + # + # Throttling can be useful in various scenarios, such as preventing notification + # floods, managing system load, controlling event processing, or complying with + # rate limits imposed by external systems or APIs. It allows for better resource + # utilization, avoids overwhelming downstream systems, and helps maintain a + # balanced and controlled flow of notifications. + # + # With the default settings, the throttling mechanism is disabled. + outputs: + rate: 0 + max_burst: 1000 + + ########################## + # Falco outputs channels # + ########################## + + # Falco supports various output channels, such as syslog, stdout, file, gRPC, + # webhook, and more. You can enable or disable these channels as needed to + # control where Falco alerts and log messages are directed. This flexibility + # allows seamless integration with your preferred logging and alerting systems. + # Multiple outputs can be enabled simultaneously. + + # [Stable] `stdout_output` + # + # -- Redirect logs to standard output. + stdout_output: + enabled: true + + # [Stable] `syslog_output` + # + # -- Send logs to syslog. + syslog_output: + enabled: true + + # [Stable] `file_output` + # + # -- When appending Falco alerts to a file, each new alert will be added to a new + # line. It's important to note that Falco does not perform log rotation for this + # file. 
If the `keep_alive` option is set to `true`, the file will be opened once + # and continuously written to, else the file will be reopened for each output + # message. Furthermore, the file will be closed and reopened if Falco receives + # the SIGUSR1 signal. + file_output: + enabled: false + keep_alive: false + filename: ./events.txt + + # [Stable] `http_output` + # + # -- Send logs to an HTTP endpoint or webhook. + http_output: + enabled: false + url: "" + user_agent: "falcosecurity/falco" + # -- Tell Falco to not verify the remote server. + insecure: false + # -- Path to the CA certificate that can verify the remote server. + ca_cert: "" + # -- Path to a specific file that will be used as the CA certificate store. + ca_bundle: "" + # -- Path to a folder that will be used as the CA certificate store. CA certificate need to be + # stored as indivitual PEM files in this directory. + ca_path: "/etc/falco/certs/" + # -- Tell Falco to use mTLS + mtls: false + # -- Path to the client cert. + client_cert: "/etc/falco/certs/client/client.crt" + # -- Path to the client key. + client_key: "/etc/falco/certs/client/client.key" + # -- Whether to echo server answers to stdout + echo: false + # -- compress_uploads whether to compress data sent to http endpoint. + compress_uploads: false + # -- keep_alive whether to keep alive the connection. + keep_alive: false + + # [Stable] `program_output` + # + # -- Redirect the output to another program or command. + # + # Possible additional things you might want to do with program output: + # - send to a slack webhook: + # program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" + # - logging (alternate method than syslog): + # program: logger -t falco-test + # - send over a network connection: + # program: nc host.example.com 80 + # If `keep_alive` is set to `true`, the program will be started once and + # continuously written to, with each output message on its own line. 
If + # `keep_alive` is set to `false`, the program will be re-spawned for each output + # message. Furthermore, the program will be re-spawned if Falco receives + # the SIGUSR1 signal. + program_output: + enabled: false + keep_alive: false + program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" + + # [Stable] `grpc_output` + # + # -- Use gRPC as an output service. + # + # gRPC is a modern and high-performance framework for remote procedure calls + # (RPC). It utilizes protocol buffers for efficient data serialization. The gRPC + # output in Falco provides a modern and efficient way to integrate with other + # systems. By default the setting is turned off. Enabling this option stores + # output events in memory until they are consumed by a gRPC client. Ensure that + # you have a consumer for the output events or leave it disabled. + grpc_output: + enabled: false + + ########################## + # Falco exposed services # + ########################## + + # [Stable] `grpc` + # + # Falco provides support for running a gRPC server using two main binding types: + # 1. Over the network with mandatory mutual TLS authentication (mTLS), which + # ensures secure communication + # 2. Local Unix socket binding with no authentication. By default, the + # gRPCserver in Falco is turned off with no enabled services (see + # `grpc_output`setting). + # + # To configure the gRPC server in Falco, you can make the following changes to + # the options: + # + # - Uncomment the relevant configuration options related to the gRPC server. + # - Update the paths of the generated certificates for mutual TLS authentication + # if you choose to use mTLS. + # - Specify the address to bind and expose the gRPC server. + # - Adjust the threadiness configuration to control the number of threads and + # contexts used by the server. 
+ # + # Keep in mind that if any issues arise while creating the gRPC server, the + # information will be logged, but it will not stop the main Falco daemon. + + # gRPC server using mTLS + # grpc: + # enabled: true + # bind_address: "0.0.0.0:5060" + # # When the `threadiness` value is set to 0, Falco will automatically determine + # # the appropriate number of threads based on the number of online cores in the system. + # threadiness: 0 + # private_key: "/etc/falco/certs/server.key" + # cert_chain: "/etc/falco/certs/server.crt" + # root_certs: "/etc/falco/certs/ca.crt" + + # -- gRPC server using a local unix socket + grpc: + enabled: false + bind_address: "unix:///run/falco/falco.sock" + # -- When the `threadiness` value is set to 0, Falco will automatically determine + # the appropriate number of threads based on the number of online cores in the system. + threadiness: 0 + + # [Stable] `webserver` + # + # -- Falco supports an embedded webserver that runs within the Falco process, + # providing a lightweight and efficient way to expose web-based functionalities + # without the need for an external web server. The following endpoints are + # exposed: + # - /healthz: designed to be used for checking the health and availability of + # the Falco application (the name of the endpoint is configurable). + # - /versions: responds with a JSON object containing the version numbers of the + # internal Falco components (similar output as `falco --version -o + # json_output=true`). + # + # Please note that the /versions endpoint is particularly useful for other Falco + # services, such as `falcoctl`, to retrieve information about a running Falco + # instance. If you plan to use `falcoctl` locally or with Kubernetes, make sure + # the Falco webserver is enabled. 
+ # + # The behavior of the webserver can be controlled with the following options, + # which are enabled by default: + # + # The `ssl_certificate` option specifies a combined SSL certificate and + # corresponding key that are contained in a single file. You can generate a + # key/cert as follows: + # + # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out + # certificate.pem $ cat certificate.pem key.pem > falco.pem $ sudo cp falco.pem + # /etc/falco/falco.pem + webserver: + enabled: true + # When the `threadiness` value is set to 0, Falco will automatically determine + # the appropriate number of threads based on the number of online cores in the system. + threadiness: 0 + listen_port: 8765 + k8s_healthz_endpoint: /healthz + ssl_enabled: false + ssl_certificate: /etc/falco/falco.pem + + ############################################################################## + # Falco logging / alerting / metrics related to software functioning (basic) # + ############################################################################## + + # [Stable] `log_stderr` and `log_syslog` + # + # Falco's logs related to the functioning of the software, which are not related + # to Falco alert outputs but rather its lifecycle, settings and potential + # errors, can be directed to stderr and/or syslog. + # -- Send information logs to stderr. Note these are *not* security + # notification logs! These are just Falco lifecycle (and possibly error) logs. + log_stderr: true + # -- Send information logs to syslog. Note these are *not* security + # notification logs! These are just Falco lifecycle (and possibly error) logs. + log_syslog: true + + # [Stable] `log_level` + # + # -- The `log_level` setting determines the minimum log level to include in Falco's + # logs related to the functioning of the software. This setting is separate from + # the `priority` field of rules and specifically controls the log level of + # Falco's operational logging. 
By specifying a log level, you can control the + # verbosity of Falco's operational logs. Only logs of a certain severity level + # or higher will be emitted. Supported levels: "emergency", "alert", "critical", + # "error", "warning", "notice", "info", "debug". + log_level: info + + # [Stable] `libs_logger` + # + # -- The `libs_logger` setting in Falco determines the minimum log level to include + # in the logs related to the functioning of the software of the underlying + # `libs` library, which Falco utilizes. This setting is independent of the + # `priority` field of rules and the `log_level` setting that controls Falco's + # operational logs. It allows you to specify the desired log level for the `libs` + # library specifically, providing more granular control over the logging + # behavior of the underlying components used by Falco. Only logs of a certain + # severity level or higher will be emitted. Supported levels: "emergency", + # "alert", "critical", "error", "warning", "notice", "info", "debug". It is not + # recommended for production use. + libs_logger: + enabled: false + severity: debug + + ################################################################################# + # Falco logging / alerting / metrics related to software functioning (advanced) # + ################################################################################# + + # [Stable] `output_timeout` + # + # Generates Falco operational logs when `log_level=notice` at minimum + # + # A timeout error occurs when a process or operation takes longer to complete + # than the allowed or expected time limit. In the context of Falco, an output + # timeout error refers to the situation where an output channel fails to deliver + # an alert within a specified deadline. Various reasons, such as network issues, + # resource constraints, or performance bottlenecks can cause timeouts. 
+ # + # -- The `output_timeout` parameter specifies the duration, in milliseconds, to + # wait before considering the deadline exceeded. By default, the timeout is set + # to 2000ms (2 seconds), meaning that the consumer of Falco outputs can block + # the Falco output channel for up to 2 seconds without triggering a timeout + # error. + # + # Falco actively monitors the performance of output channels. With this setting + # the timeout error can be logged, but please note that this requires setting + # Falco's operational logs `log_level` to a minimum of `notice`. + # + # It's important to note that Falco outputs will not be discarded from the + # output queue. This means that if an output channel becomes blocked + # indefinitely, it indicates a potential issue that needs to be addressed by the + # user. + output_timeout: 2000 + + # [Stable] `syscall_event_timeouts` + # + # -- Generates Falco operational logs when `log_level=notice` at minimum + # + # Falco utilizes a shared buffer between the kernel and userspace to receive + # events, such as system call information, in userspace. However, there may be + # cases where timeouts occur in the underlying libraries due to issues in + # reading events or the need to skip a particular event. While it is uncommon + # for Falco to experience consecutive event timeouts, it has the capability to + # detect such situations. You can configure the maximum number of consecutive + # timeouts without an event after which Falco will generate an alert, but please + # note that this requires setting Falco's operational logs `log_level` to a + # minimum of `notice`. The default value is set to 1000 consecutive timeouts + # without receiving any events. The mapping of this value to a time interval + # depends on the CPU frequency. 
+ syscall_event_timeouts: + max_consecutives: 1000 + + # [Stable] `syscall_event_drops` + # + # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum + # + # --- [Description] + # + # Falco uses a shared buffer between the kernel and userspace to pass system + # call information. When Falco detects that this buffer is full and system calls + # have been dropped, it can take one or more of the following actions: + # - ignore: do nothing (default when list of actions is empty) + # - log: log a DEBUG message noting that the buffer was full + # - alert: emit a Falco alert noting that the buffer was full + # - exit: exit Falco with a non-zero rc + # + # Notice it is not possible to ignore and log/alert messages at the same time. + # + # The rate at which log/alert messages are emitted is governed by a token + # bucket. The rate corresponds to one message every 30 seconds with a burst of + # one message (by default). + # + # The messages are emitted when the percentage of dropped system calls with + # respect the number of events in the last second is greater than the given + # threshold (a double in the range [0, 1]). If you want to be alerted on any + # drops, set the threshold to 0. + # + # For debugging/testing it is possible to simulate the drops using the + # `simulate_drops: true`. In this case the threshold does not apply. + # + # --- [Usage] + # + # Enabled by default, but requires Falco rules config `priority` set to `debug`. + # Emits a Falco rule named "Falco internal: syscall event drop" as many times in + # a given time period as dictated by the settings. Statistics here reflect the + # delta in a 1s time period. + # + # If instead you prefer periodic metrics of monotonic counters at a regular + # interval, which include syscall drop statistics and additional metrics, + # explore the `metrics` configuration option. + # -- For debugging/testing it is possible to simulate the drops using + # the `simulate_drops: true`. 
In this case the threshold does not apply. + syscall_event_drops: + # -- The messages are emitted when the percentage of dropped system calls + # with respect the number of events in the last second + # is greater than the given threshold (a double in the range [0, 1]). + threshold: .1 + # -- Actions to be taken when system calls were dropped from the circular buffer. + actions: + - log + - alert + # -- Rate at which log/alert messages are emitted. + rate: .03333 + # -- Max burst of messages emitted. + max_burst: 1 + # -- Flag to enable drops for debug purposes. + simulate_drops: false + + # [Experimental] `metrics` + # + # -- Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum + # + # periodic metric snapshots (including stats and resource utilization) captured + # at regular intervals + # + # --- [Description] + # + # Consider these key points about the `metrics` feature in Falco: + # + # - It introduces a redesigned stats/metrics system. + # - Native support for resource utilization metrics and specialized performance + # metrics. + # - Metrics are emitted as monotonic counters at predefined intervals + # (snapshots). + # - All metrics are consolidated into a single log message, adhering to the + # established rules schema and naming conventions. + # - Additional info fields complement the metrics and facilitate customized + # statistical analyses and correlations. + # - The metrics framework is designed for easy future extension. + # + # The `metrics` feature follows a specific schema and field naming convention. + # All metrics are collected as subfields under the `output_fields` key, similar + # to regular Falco rules. Each metric field name adheres to the grammar used in + # Falco rules. There are two new field classes introduced: `falco.` and `scap.`. + # The `falco.` class represents userspace counters, statistics, resource + # utilization, or useful information fields. 
The `scap.` class represents + # counters and statistics mostly obtained from Falco's kernel instrumentation + # before events are sent to userspace, but can include scap userspace stats as + # well. + # + # It's important to note that the output fields and their names can be subject + # to change until the metrics feature reaches a stable release. + # + # To customize the hostname in Falco, you can set the environment variable + # `FALCO_HOSTNAME` to your desired hostname. This is particularly useful in + # Kubernetes deployments where the hostname can be set to the pod name. + # + # --- [Usage] + # + # `enabled`: Disabled by default. + # + # `interval`: The stats interval in Falco follows the time duration definitions + # used by Prometheus. + # https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations + # + # Time durations are specified as a number, followed immediately by one of the + # following units: + # + # ms - millisecond + # s - second + # m - minute + # h - hour + # d - day - assuming a day has always 24h + # w - week - assuming a week has always 7d + # y - year - assuming a year has always 365d + # + # Example of a valid time duration: 1h30m20s10ms + # + # A minimum interval of 100ms is enforced for metric collection. However, for + # production environments, we recommend selecting one of the following intervals + # for optimal monitoring: + # + # 15m + # 30m + # 1h + # 4h + # 6h + # + # `output_rule`: To enable seamless metrics and performance monitoring, we + # recommend emitting metrics as the rule "Falco internal: metrics snapshot". + # This option is particularly useful when Falco logs are preserved in a data + # lake. Please note that to use this option, the Falco rules config `priority` + # must be set to `info` at a minimum. + # + # `output_file`: Append stats to a `jsonl` file. Use with caution in production + # as Falco does not automatically rotate the file. 
+ # + # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage + # is reported as a percentage of one CPU and can be normalized to the total + # number of CPUs to determine overall usage. Memory metrics are provided in raw + # units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) + # and can be uniformly converted to megabytes (MB) using the + # `convert_memory_to_mb` functionality. In environments such as Kubernetes when + # deployed as daemonset, it is crucial to track Falco's container memory usage. + # To customize the path of the memory metric file, you can create an environment + # variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By + # default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to + # monitor container memory usage, which aligns with Kubernetes' + # `container_memory_working_set_bytes` metric. Finally, we emit the overall host + # CPU and memory usages, along with the total number of processes and open file + # descriptors (fds) on the host, obtained from the proc file system unrelated to + # Falco's monitoring. These metrics help assess Falco's usage in relation to the + # server's workload intensity. + # + # `state_counters_enabled`: Emit counters related to Falco's state engine, including + # added, removed threads or file descriptors (fds), and failed lookup, store, or + # retrieve actions in relation to Falco's underlying process cache table (threadtable). + # We also log the number of currently cached containers if applicable. + # + # `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as + # an alternative to `syscall_event_drops`, but with some differences. These + # counters reflect monotonic values since Falco's start and are exported at a + # constant stats interval. 
+ # + # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, + # providing information such as the number of invocations of each BPF program + # attached by Falco and the time spent in each program measured in nanoseconds. + # To enable this feature, the kernel must be >= 5.1, and the kernel + # configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, + # or an equivalent statistics feature, is not available for non `*bpf*` drivers. + # Additionally, please be aware that the current implementation of `libbpf` does + # not support granularity of statistics at the bpf tail call level. + # + # `include_empty_values`: When the option is set to true, fields with an empty + # numeric value will be included in the output. However, this rule does not + # apply to high-level fields such as `n_evts` or `n_drops`; they will always be + # included in the output even if their value is empty. This option can be + # beneficial for exploring the data schema and ensuring that fields with empty + # values are included in the output. + # todo: prometheus export option + # todo: syscall_counters_enabled option + metrics: + enabled: false + interval: 1h + output_rule: true + # output_file: /tmp/falco_stats.jsonl + resource_utilization_enabled: true + state_counters_enabled: true + kernel_event_counters_enabled: true + libbpf_stats_enabled: true + convert_memory_to_mb: true + include_empty_values: false + + + ####################################### + # Falco performance tuning (advanced) # + ####################################### + + # [Experimental] `base_syscalls`, use with caution, read carefully + # + # --- [Description] + # + # -- This option configures the set of syscalls that Falco traces. + # + # --- [Falco's State Engine] + # + # Falco requires a set of syscalls to build up state in userspace. For example, + # when spawning a new process or network connection, multiple syscalls are + # involved. 
Furthermore, properties of a process during its lifetime can be + # modified by syscalls. Falco accounts for this by enabling the collection of + # additional syscalls than the ones defined in the rules and by managing a smart + # process cache table in userspace. Processes are purged from this table when a + # process exits. + # + # By default, with + # ``` + # base_syscalls.custom_set = [] + # base_syscalls.repair = false + # ``` + # Falco enables tracing for a syscall set gathered: (1) from (enabled) Falco + # rules (2) from a static, more verbose set defined in + # `libsinsp::events::sinsp_state_sc_set` in + # libs/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp This allows Falco to + # successfully build up it's state engine and life-cycle management. + # + # If the default behavior described above does not fit the user's use case for + # Falco, the `base_syscalls` option allows for finer end-user control of + # syscalls traced by Falco. + # + # --- [base_syscalls.custom_set] + # + # CAUTION: Misconfiguration of this setting may result in incomplete Falco event + # logs or Falco being unable to trace events entirely. + # + # `base_syscalls.custom_set` allows the user to explicitly define an additional + # set of syscalls to be traced in addition to the syscalls from each enabled + # Falco rule. + # + # This is useful in lowering CPU utilization and further tailoring Falco to + # specific environments according to your threat model and budget constraints. + # + # --- [base_syscalls.repair] + # + # `base_syscalls.repair` is an alternative to Falco's default state engine + # enforcement. 
When enabled, this option is designed to (1) ensure that Falco's + # state engine is correctly and successfully built-up (2) be the most system + # resource-friendly by activating the least number of additional syscalls + # (outside of those enabled for enabled rules) + # + # Setting `base_syscalls.repair` to `true` allows Falco to automatically + # configure what is described in the [Suggestions] section below. + # + # `base_syscalls.repair` can be enabled with an empty custom set, meaning with + # the following, + # ``` + # base_syscalls.custom_set = [] + # base_syscalls.repair = true + # ``` + # Falco enables tracing for a syscall set gathered: (1) from (enabled) Falco + # rules (2) from minimal set of additional syscalls needed to "repair" the + # state engine and properly log event conditions specified in enabled Falco + # rules + # + # --- [Usage] + # + # List of system calls names (), negative ("!") + # notation supported. + # + # Example: base_syscalls.custom_set: [, , + # "!"] base_syscalls.repair: + # + # We recommend to only exclude syscalls, e.g. "!mprotect" if you need a fast + # deployment update (overriding rules), else remove unwanted syscalls from the + # Falco rules. + # + # Passing `-o "log_level=debug" -o "log_stderr=true" --dry-run` to Falco's cmd + # args will print the final set of syscalls to STDOUT. + # + # --- [Suggestions] + # + # NOTE: setting `base_syscalls.repair: true` automates the following suggestions + # for you. + # + # These suggestions are subject to change as Falco and its state engine evolve. + # + # For execve* events: Some Falco fields for an execve* syscall are retrieved + # from the associated `clone`, `clone3`, `fork`, `vfork` syscalls when spawning + # a new process. The `close` syscall is used to purge file descriptors from + # Falco's internal thread / process cache table and is necessary for rules + # relating to file descriptors (e.g. open, openat, openat2, socket, connect, + # accept, accept4 ... 
and many more) + # + # Consider enabling the following syscalls in `base_syscalls.custom_set` for + # process rules: [clone, clone3, fork, vfork, execve, execveat, close] + # + # For networking related events: While you can log `connect` or `accept*` + # syscalls without the socket syscall, the log will not contain the ip tuples. + # Additionally, for `listen` and `accept*` syscalls, the `bind` syscall is also + # necessary. + # + # We recommend the following as the minimum set for networking-related rules: + # [clone, clone3, fork, vfork, execve, execveat, close, socket, bind, + # getsockopt] + # + # Lastly, for tracking the correct `uid`, `gid` or `sid`, `pgid` of a process + # when the running process opens a file or makes a network connection, consider + # adding the following to the above recommended syscall sets: ... setresuid, + # setsid, setuid, setgid, setpgid, setresgid, setsid, capset, chdir, chroot, + # fchdir ... + base_syscalls: + custom_set: [] + repair: false + + ################################################# + # Falco cloud orchestration systems integration # + ################################################# + + # [Stable] Guidance for Kubernetes container engine command-line args settings + # + # Modern cloud environments, particularly Kubernetes, heavily rely on + # containerized workload deployments. When capturing events with Falco, it + # becomes essential to identify the owner of the workload for which events are + # being captured, such as syscall events. Falco integrates with the container + # runtime to enrich its events with container information, including fields like + # `container.image.repository`, `container.image.tag`, ... , `k8s.ns.name`, + # `k8s.pod.name`, `k8s.pod.*` in the Falco output (Falco retrieves Kubernetes + # namespace and pod name directly from the container runtime, see + # https://falco.org/docs/reference/rules/supported-fields/#field-class-container). 
+ # + # Furthermore, Falco exposes container events themselves as a data source for + # alerting. To achieve this integration with the container runtime, Falco + # requires access to the runtime socket. By default, for Kubernetes, Falco + # attempts to connect to the following sockets: + # "/run/containerd/containerd.sock", "/run/crio/crio.sock", + # "/run/k3s/containerd/containerd.sock". If you have a custom path, you can use + # the `--cri` option to specify the correct location. + # + # In some cases, you may encounter empty fields for container metadata. To + # address this, you can explore the `--disable-cri-async` option, which disables + # asynchronous fetching if the fetch operation is not completing quickly enough. + # + # To get more information on these command-line arguments, you can run `falco + # --help` in your terminal to view their current descriptions. + # + # !!! The options mentioned here are not available in the falco.yaml + # configuration file. Instead, they can can be used as a command-line argument + # when running the Falco command. diff --git a/kube-prometheus-stack/.editorconfig b/kube-prometheus-stack/.editorconfig new file mode 100644 index 0000000..f5ee2f4 --- /dev/null +++ b/kube-prometheus-stack/.editorconfig @@ -0,0 +1,5 @@ +root = true + +[files/dashboards/*.json] +indent_size = 2 +indent_style = space \ No newline at end of file diff --git a/kube-prometheus-stack/.helmignore b/kube-prometheus-stack/.helmignore new file mode 100644 index 0000000..9bdbec9 --- /dev/null +++ b/kube-prometheus-stack/.helmignore 
@@ -0,0 +1,29 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# helm/charts +OWNERS +hack/ +ci/ +kube-prometheus-*.tgz + +unittests/ +files/dashboards/ diff --git a/kube-prometheus-stack/CONTRIBUTING.md b/kube-prometheus-stack/CONTRIBUTING.md new file mode 100644 index 0000000..f6ce2a3 --- /dev/null +++ b/kube-prometheus-stack/CONTRIBUTING.md @@ -0,0 +1,12 @@ +# Contributing Guidelines + +## How to contribute to this chart + +1. Fork this repository, develop and test your Chart. +1. Bump the chart version for every change. +1. Ensure PR title has the prefix `[kube-prometheus-stack]` +1. When making changes to rules or dashboards, see the README.md section on how to sync data from upstream repositories +1. Check the `hack/minikube` folder has scripts to set up minikube and components of this chart that will allow all components to be scraped. You can use this configuration when validating your changes. +1. Check for changes of RBAC rules. +1. Check for changes in CRD specs. +1. PR must pass the linter (`helm lint`) diff --git a/kube-prometheus-stack/Chart.lock b/kube-prometheus-stack/Chart.lock new file mode 100644 index 0000000..62ded16 --- /dev/null +++ b/kube-prometheus-stack/Chart.lock 
@@ -0,0 +1,18 @@ +dependencies: +- name: crds + repository: "" + version: 0.0.0 +- name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 5.16.4 +- name: prometheus-node-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 4.31.0 +- name: grafana + repository: https://grafana.github.io/helm-charts + version: 7.3.7 +- name: prometheus-windows-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 0.3.1 +digest: sha256:f359d9feb38d8859523056ddd2a078aa4880bf467219bf27972c87138e112ca7 +generated: "2024-03-14T22:04:16.515476846Z" diff --git a/kube-prometheus-stack/Chart.yaml b/kube-prometheus-stack/Chart.yaml new file mode 100644 index 0000000..823f938 --- /dev/null +++ b/kube-prometheus-stack/Chart.yaml 
@@ -0,0 +1,65 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts + - name: Upstream Project + url: https://github.com/prometheus-operator/kube-prometheus + artifacthub.io/operator: "true" +apiVersion: v2 +appVersion: v0.72.0 +dependencies: +- condition: crds.enabled + name: crds + repository: "" + version: 0.0.0 +- condition: kubeStateMetrics.enabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 5.16.* +- condition: nodeExporter.enabled + name: prometheus-node-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 4.31.* +- condition: grafana.enabled + name: grafana + repository: https://grafana.github.io/helm-charts + version: 7.3.* +- condition: windowsMonitoring.enabled + name: prometheus-windows-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 0.3.* +description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, + and Prometheus rules combined with documentation and scripts to provide easy to + operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus + Operator. 
+home: https://github.com/prometheus-operator/kube-prometheus +icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png +keywords: +- operator +- prometheus +- kube-prometheus +kubeVersion: '>=1.19.0-0' +maintainers: +- email: andrew@quadcorps.co.uk + name: andrewgkew +- email: gianrubio@gmail.com + name: gianrubio +- email: github.gkarthiks@gmail.com + name: gkarthiks +- email: kube-prometheus-stack@sisti.pt + name: GMartinez-Sisti +- email: github@jkroepke.de + name: jkroepke +- email: scott@r6by.com + name: scottrigby +- email: miroslav.hadzhiev@gmail.com + name: Xtigyro +- email: quentin.bisson@gmail.com + name: QuentinBisson +name: kube-prometheus-stack +sources: +- https://github.com/prometheus-community/helm-charts +- https://github.com/prometheus-operator/kube-prometheus +type: application +version: 57.0.3 diff --git a/kube-prometheus-stack/README.md b/kube-prometheus-stack/README.md new file mode 100644 index 0000000..e8b5333 --- /dev/null +++ b/kube-prometheus-stack/README.md 
@@ -0,0 +1,1048 @@ +# kube-prometheus-stack + +Installs the [kube-prometheus stack](https://github.com/prometheus-operator/kube-prometheus), a collection of Kubernetes manifests, [Grafana](http://grafana.com/) dashboards, and [Prometheus rules](https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/) combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with [Prometheus](https://prometheus.io/) using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator). + +See the [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus) README for details about components, dashboards, and alerts. + +_Note: This chart was formerly named `prometheus-operator` chart, now renamed to more clearly reflect that it installs the `kube-prometheus` project stack, within which Prometheus Operator is only one component._ + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3+ + +## Get Helm Repository Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Helm Chart + +```console +helm install [RELEASE_NAME] prometheus-community/kube-prometheus-stack +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Dependencies + +By default this chart installs additional, dependent charts: + +- [prometheus-community/kube-state-metrics](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) +- [prometheus-community/prometheus-node-exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter) +- [grafana/grafana](https://github.com/grafana/helm-charts/tree/main/charts/grafana) + +To disable dependencies during installation, see [multiple 
releases](#multiple-releases) below. + +_See [helm dependency](https://helm.sh/docs/helm/helm_dependency/) for command documentation._ + +## Uninstall Helm Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```console +kubectl delete crd alertmanagerconfigs.monitoring.coreos.com +kubectl delete crd alertmanagers.monitoring.coreos.com +kubectl delete crd podmonitors.monitoring.coreos.com +kubectl delete crd probes.monitoring.coreos.com +kubectl delete crd prometheusagents.monitoring.coreos.com +kubectl delete crd prometheuses.monitoring.coreos.com +kubectl delete crd prometheusrules.monitoring.coreos.com +kubectl delete crd scrapeconfigs.monitoring.coreos.com +kubectl delete crd servicemonitors.monitoring.coreos.com +kubectl delete crd thanosrulers.monitoring.coreos.com +``` + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] prometheus-community/kube-prometheus-stack +``` + +With Helm v3, CRDs created by this chart are not updated by default and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. + +### From 56.x to 57.x + +This version upgrades Prometheus-Operator to v0.72.0 + +Run these commands to update the CRDs before applying the upgrade. 
+ +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 55.x to 56.x + +This version upgrades Prometheus-Operator to v0.71.0, Prometheus to 2.49.1 + 
+Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 54.x to 55.x + +This version 
upgrades Prometheus-Operator to v0.70.0 + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml 
+``` + +### From 53.x to 54.x + +Grafana Helm Chart has bumped to version 7 + +Please note Grafana Helm Chart [changelog](https://github.com/grafana/helm-charts/tree/main/charts/grafana#to-700). + +### From 52.x to 53.x + +This version upgrades Prometheus-Operator to v0.69.1, Prometheus to 2.47.2 + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 51.x to 52.x + +This includes the ability to select between using existing secrets or create new secret objects for various thanos config. The defaults have not changed but if you were setting: + +- `thanosRuler.thanosRulerSpec.alertmanagersConfig` or +- `thanosRuler.thanosRulerSpec.objectStorageConfig` or +- `thanosRuler.thanosRulerSpec.queryConfig` or +- `prometheus.prometheusSpec.thanos.objectStorageConfig` + +you will have to need to set `existingSecret` or `secret` based on your requirement + +For instance, the `thanosRuler.thanosRulerSpec.alertmanagersConfig` used to be configured as follow: + +```yaml +thanosRuler: + thanosRulerSpec: + alertmanagersConfig: + alertmanagers: + - api_version: v2 + http_config: + basic_auth: + username: some_user + password: some_pass + static_configs: + - alertmanager.thanos.io + scheme: http + timeout: 10s +``` + +But it now moved to: + +```yaml +thanosRuler: + thanosRulerSpec: + alertmanagersConfig: + secret: + alertmanagers: + - api_version: v2 + http_config: + basic_auth: + username: some_user + password: some_pass + static_configs: + - alertmanager.thanos.io + scheme: http + timeout: 10s +``` + +or the `thanosRuler.thanosRulerSpec.objectStorageConfig` used to be configured as follow: + +```yaml +thanosRuler: + thanosRulerSpec: + objectStorageConfig: + name: existing-secret-not-created-by-this-chart + key: object-storage-configs.yaml +``` + +But it now moved to: + +```yaml +thanosRuler: + thanosRulerSpec: + objectStorageConfig: + existingSecret: + name: existing-secret-not-created-by-this-chart + key: object-storage-configs.yaml +``` + +### From 50.x to 51.x + +This 
version upgrades Prometheus-Operator to v0.68.0, Prometheus to 2.47.0 and Thanos to v0.32.2 + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.68.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 49.x to 50.x + +This version requires Kubernetes 1.19+. + +We do not expect any breaking changes in this version. + +### From 48.x to 49.x + +This version upgrades Prometheus-Operator to v0.67.1, 0, Alertmanager to v0.26.0, Prometheus to 2.46.0 and Thanos to v0.32.0 + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.67.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 47.x to 48.x + +This version moved all CRDs into a dedicated sub-chart. No new CRDs are introduced in this version. +See [#3548](https://github.com/prometheus-community/helm-charts/issues/3548) for more context. + +We do not expect any breaking changes in this version. + +### From 46.x to 47.x + +This version upgrades Prometheus-Operator to v0.66.0 with new CRDs (PrometheusAgent and ScrapeConfig). + +Run these commands to update the CRDs before applying the upgrade. 
+ +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.66.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 45.x to 46.x + +This version upgrades Prometheus-Operator to v0.65.1 with new CRDs 
(PrometheusAgent and ScrapeConfig), Prometheus to v2.44.0 and Thanos to v0.31.0. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.65.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 44.x to 45.x + +This version upgrades Prometheus-Operator to v0.63.0, Prometheus to v2.42.0 and Thanos to v0.30.2. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.63.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 43.x to 44.x + +This version upgrades Prometheus-Operator to v0.62.0, Prometheus to v2.41.0 and Thanos to v0.30.1. 
+ +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.62.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +If you have explicitly set `prometheusOperator.admissionWebhooks.failurePolicy`, this value is now always used even when `.prometheusOperator.admissionWebhooks.patch.enabled` is `true` (the default). + +The values for `prometheusOperator.image.tag` & `prometheusOperator.prometheusConfigReloader.image.tag` are now empty by default and the Chart.yaml `appVersion` field is used instead. 
+ +### From 42.x to 43.x + +This version upgrades Prometheus-Operator to v0.61.1, Prometheus to v2.40.5 and Thanos to v0.29.0. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 41.x to 42.x + +This includes the overridability of container registry for all containers at the global level using `global.imageRegistry` or per container image. 
The defaults have not changed but if you were using a custom image, you will have to override the registry of said custom container image before you upgrade. + +For instance, the prometheus-config-reloader used to be configured as follow: + +```yaml + image: + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.60.1 + sha: "" +``` + +But it now moved to: + +```yaml + image: + registry: quay.io + repository: prometheus-operator/prometheus-config-reloader + tag: v0.60.1 + sha: "" +``` + +### From 40.x to 41.x + +This version upgrades Prometheus-Operator to v0.60.1, Prometheus to v2.39.1 and Thanos to v0.28.1. +This version also upgrades the Helm charts of kube-state-metrics to 4.20.2, prometheus-node-exporter to 4.3.0 and Grafana to 6.40.4. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply 
--server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +This version splits kubeScheduler recording and altering rules in separate config values. +Instead of `defaultRules.rules.kubeScheduler` the 2 new variables `defaultRules.rules.kubeSchedulerAlerting` and `defaultRules.rules.kubeSchedulerRecording` are used. + +### From 39.x to 40.x + +This version upgrades Prometheus-Operator to v0.59.1, Prometheus to v2.38.0, kube-state-metrics to v2.6.0 and Thanos to v0.28.0. +This version also upgrades the Helm charts of kube-state-metrics to 4.18.0 and prometheus-node-exporter to 4.2.0. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +Starting from prometheus-node-exporter version 4.0.0, the `node exporter` chart is using the [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). Therefore you have to delete the daemonset before you upgrade. + +```console +kubectl delete daemonset -l app=prometheus-node-exporter +helm upgrade -i kube-prometheus-stack prometheus-community/kube-prometheus-stack +``` + +If you use your own custom [ServiceMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) or [PodMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#podmonitor), please ensure to upgrade their `selector` fields accordingly to the new labels. + +### From 38.x to 39.x + +This upgraded prometheus-operator to v0.58.0 and prometheus to v2.37.0 + +Run these commands to update the CRDs before applying the upgrade. 
+ +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.58.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 37.x to 38.x + +Reverted one of the default metrics relabelings for cAdvisor added in 36.x, due to it breaking container_network_* and various other statistics. If you do not want this change, you will need to override the `kubelet.cAdvisorMetricRelabelings`. + +### From 36.x to 37.x + +This includes some default metric relabelings for cAdvisor and apiserver metrics to reduce cardinality. 
If you do not want these defaults, you will need to override the `kubeApiServer.metricRelabelings` and or `kubelet.cAdvisorMetricRelabelings`. + +### From 35.x to 36.x + +This upgraded prometheus-operator to v0.57.0 and prometheus to v2.36.1 + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.57.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 34.x to 35.x + +This upgraded prometheus-operator to v0.56.0 and prometheus to v2.35.0 + +Run these commands to update the CRDs before applying the upgrade. 
+ +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.56.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 33.x to 34.x + +This upgrades to prometheus-operator to v0.55.0 and prometheus to v2.33.5. + +Run these commands to update the CRDs before applying the upgrade. 
+ +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.55.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 32.x to 33.x + +This upgrades the prometheus-node-exporter Chart to v3.0.0. Please review the changes to this subchart if you make customizations to hostMountPropagation. + +### From 31.x to 32.x + +This upgrades to prometheus-operator to v0.54.0 and prometheus to v2.33.1. It also changes the default for `grafana.serviceMonitor.enabled` to `true. + +Run these commands to update the CRDs before applying the upgrade. 
+ +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.54.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 30.x to 31.x + +This version removes the built-in grafana ServiceMonitor and instead relies on the ServiceMonitor of the sub-chart. +`grafana.serviceMonitor.enabled` must be set instead of `grafana.serviceMonitor.selfMonitor` and the old ServiceMonitor may +need to be manually cleaned up after deploying the new release. 
+ +### From 29.x to 30.x + +This version updates kube-state-metrics to 4.3.0 and uses the new option `kube-state-metrics.releaseLabel=true` which adds the "release" label to kube-state-metrics labels, making scraping of the metrics by kube-prometheus-stack work out of the box again, independent of the used kube-prometheus-stack release name. If you already set the "release" label via `kube-state-metrics.customLabels` you might have to remove that and use it via the new option. + +### From 28.x to 29.x + +This version makes scraping port for kube-controller-manager and kube-scheduler dynamic to reflect changes to default serving ports +for those components in Kubernetes versions v1.22 and v1.23 respectively. + +If you deploy on clusters using version v1.22+, kube-controller-manager will be scraped over HTTPS on port 10257. + +If you deploy on clusters running version v1.23+, kube-scheduler will be scraped over HTTPS on port 10259. + +### From 27.x to 28.x + +This version disables PodSecurityPolicies by default because they are deprecated in Kubernetes 1.21 and will be removed in Kubernetes 1.25. + +If you are using PodSecurityPolicies you can enable the previous behaviour by setting `kube-state-metrics.podSecurityPolicy.enabled`, `prometheus-node-exporter.rbac.pspEnabled`, `grafana.rbac.pspEnabled` and `global.rbac.pspEnabled` to `true`. + +### From 26.x to 27.x + +This version splits prometheus-node-exporter chart recording and altering rules in separate config values. +Instead of `defaultRules.rules.node` the 2 new variables `defaultRules.rules.nodeExporterAlerting` and `defaultRules.rules.nodeExporterRecording` are used. + +Also the following defaultRules.rules has been removed as they had no effect: `kubeApiserverError`, `kubePrometheusNodeAlerting`, `kubernetesAbsent`, `time`. + +The ability to set a rubookUrl via `defaultRules.rules.rubookUrl` was reintroduced. 
+ +### From 25.x to 26.x + +This version enables the prometheus-node-exporter subchart servicemonitor by default again, by setting `prometheus-node-exporter.prometheus.monitor.enabled` to `true`. + +### From 24.x to 25.x + +This version upgrade to prometheus-operator v0.53.1. It removes support for setting a runbookUrl, since the upstream format for runbooks changed. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.53.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 23.x to 24.x + +The custom `ServiceMonitor` for the _kube-state-metrics_ & _prometheus-node-exporter_ 
charts have been removed in favour of the built-in sub-chart `ServiceMonitor`; for both sub-charts this means that `ServiceMonitor` customisations happen via the values passed to the chart. If you haven't directly customised this behaviour then there are no changes required to upgrade, but if you have please read the following. + +For _kube-state-metrics_ the `ServiceMonitor` customisation is now set via `kube-state-metrics.prometheus.monitor` and the `kubeStateMetrics.serviceMonitor.selfMonitor.enabled` value has moved to `kube-state-metrics.selfMonitor.enabled`. + +For _prometheus-node-exporter_ the `ServiceMonitor` customisation is now set via `prometheus-node-exporter.prometheus.monitor` and the `nodeExporter.jobLabel` values has moved to `prometheus-node-exporter.prometheus.monitor.jobLabel`. + +### From 22.x to 23.x + +Port names have been renamed for Istio's +[explicit protocol selection](https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection). + +| | old value | new value | +|-|-----------|-----------| +| `alertmanager.alertmanagerSpec.portName` | `web` | `http-web` | +| `grafana.service.portName` | `service` | `http-web` | +| `prometheus-node-exporter.service.portName` | `metrics` (hardcoded) | `http-metrics` | +| `prometheus.prometheusSpec.portName` | `web` | `http-web` | + +### From 21.x to 22.x + +Due to the upgrade of the `kube-state-metrics` chart, removal of its deployment/stateful needs to done manually prior to upgrading: + +```console +kubectl delete deployments.apps -l app.kubernetes.io/instance=prometheus-operator,app.kubernetes.io/name=kube-state-metrics --cascade=orphan +``` + +or if you use autosharding: + +```console +kubectl delete statefulsets.apps -l app.kubernetes.io/instance=prometheus-operator,app.kubernetes.io/name=kube-state-metrics --cascade=orphan +``` + +### From 20.x to 21.x + +The config reloader values have been refactored. 
All the values have been moved to the key `prometheusConfigReloader` and the limits and requests can now be set separately. + +### From 19.x to 20.x + +Version 20 upgrades prometheus-operator from 0.50.x to 0.52.x. Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRDs manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.52.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 18.x to 19.x + +`kubeStateMetrics.serviceMonitor.namespaceOverride` was removed. +Please use `kube-state-metrics.namespaceOverride` instead. + +### From 17.x to 18.x + +Version 18 upgrades prometheus-operator from 0.49.x to 0.50.x. 
Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRDs manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 16.x to 17.x + +Version 17 upgrades prometheus-operator from 0.48.x to 0.49.x. 
Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRDs manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 15.x to 16.x + +Version 16 upgrades kube-state-metrics to v2.0.0. This includes changed command-line arguments and removed metrics, see this [blog post](https://kubernetes.io/blog/2021/04/13/kube-state-metrics-v-2-0/). This version also removes Grafana dashboards that supported Kubernetes 1.14 or earlier. + +### From 14.x to 15.x + +Version 15 upgrades prometheus-operator from 0.46.x to 0.47.x. 
Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRDs manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 13.x to 14.x + +Version 14 upgrades prometheus-operator from 0.45.x to 0.46.x. 
Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRDs manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.46.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 12.x to 13.x + +Version 13 upgrades prometheus-operator from 0.44.x to 0.45.x. 
Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRD manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.45.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.45.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.45.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +``` + +### From 11.x to 12.x + +Version 12 upgrades prometheus-operator from 0.43.x to 0.44.x. Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRD manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/release-0.44/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +``` + +The chart was migrated to support only helm v3 and later. + +### From 10.x to 11.x + +Version 11 upgrades prometheus-operator from 0.42.x to 0.43.x. Starting with 0.43.x an additional `AlertmanagerConfigs` CRD is introduced. Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRD manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/release-0.43/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +``` + +Version 11 removes the deprecated tlsProxy via ghostunnel in favor of native TLS support the prometheus-operator gained with v0.39.0. + +### From 9.x to 10.x + +Version 10 upgrades prometheus-operator from 0.38.x to 0.42.x. Starting with 0.40.x an additional `Probes` CRD is introduced. 
Helm does not automatically upgrade or install new CRDs on a chart upgrade, so you have to install the CRD manually before updating: + +```console +kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/release-0.42/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +``` + +### From 8.x to 9.x + +Version 9 of the helm chart removes the existing `additionalScrapeConfigsExternal` in favour of `additionalScrapeConfigsSecret`. This change lets users specify the secret name and secret key to use for the additional scrape configuration of prometheus. This is useful for users that have prometheus-operator as a subchart and also have a template that creates the additional scrape configuration. + +### From 7.x to 8.x + +Due to new template functions being used in the rules in version 8.x.x of the chart, an upgrade to Prometheus Operator and Prometheus is necessary in order to support them. First, upgrade to the latest version of 7.x.x + +```console +helm upgrade [RELEASE_NAME] prometheus-community/kube-prometheus-stack --version 7.5.0 +``` + +Then upgrade to 8.x.x + +```console +helm upgrade [RELEASE_NAME] prometheus-community/kube-prometheus-stack --version [8.x.x] +``` + +Minimal recommended Prometheus version for this chart release is `2.12.x` + +### From 6.x to 7.x + +Due to a change in grafana subchart, version 7.x.x now requires Helm >= 2.12.0. + +### From 5.x to 6.x + +Due to a change in deployment labels of kube-state-metrics, the upgrade requires `helm upgrade --force` in order to re-create the deployment. 
If this is not done an error will occur indicating that the deployment cannot be modified: + +```console +invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/name":"kube-state-metrics"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable +``` + +If this error has already been encountered, a `helm history` command can be used to determine which release has worked, then `helm rollback` to the release, then `helm upgrade --force` to this new one + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: + +```console +helm show values prometheus-community/kube-prometheus-stack +``` + +You may also `helm show values` on this chart's [dependencies](#dependencies) for additional options. + +### Multiple releases + +The same chart can be used to run multiple Prometheus instances in the same cluster if required. To achieve this, it is necessary to run only one instance of prometheus-operator and a pair of alertmanager pods for an HA configuration, while all other components need to be disabled. To disable a dependency during installation, set `kubeStateMetrics.enabled`, `nodeExporter.enabled` and `grafana.enabled` to `false`. + +## Work-Arounds for Known Issues + +### Running on private GKE clusters + +When Google configure the control plane for private clusters, they automatically configure VPC peering between your Kubernetes cluster’s network and a separate Google managed project. In order to restrict what Google are able to access within your cluster, the firewall rules configured restrict access to your Kubernetes pods. This means that in order to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow the GKE control plane access to your webhook pod. 
+ +You can read more information on how to add firewall rules for the GKE control plane nodes in the [GKE docs](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) + +Alternatively, you can disable the hooks by setting `prometheusOperator.admissionWebhooks.enabled=false`. + +## PrometheusRules Admission Webhooks + +With Prometheus Operator version 0.30+, the core Prometheus Operator pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent malformed rules from being added to the cluster. + +### How the Chart Configures the Hooks + +A validating and mutating webhook configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. + +1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. +2. The prometheus operator pod is configured to use a TLS proxy container, which will load that certificate. +3. Validating and Mutating webhook configurations are created in the cluster, with their failure mode set to Ignore. This allows rules to be created by the same chart at the same time, even though the webhook has not yet been fully set up - it does not have the correct CA field set. +4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. 
The chosen failure policy is also patched into the webhook configurations + +### Alternatives + +It should be possible to use [jetstack/cert-manager](https://github.com/jetstack/cert-manager) if a more complete solution is required, but it has not been tested. + +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `prometheusOperator.admissionWebhooks.certManager.enabled` value to true. + +### Limitations + +Because the operator can only run as a single pod, there is potential for this component failure to cause rule deployment failure. Because this risk is outweighed by the benefit of having validation, the feature is enabled by default. + +## Developing Prometheus Rules and Grafana Dashboards + +This chart Grafana Dashboards and Prometheus Rules are just a copy from [prometheus-operator/prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) and other sources, synced (with alterations) by scripts in [hack](hack) folder. In order to introduce any changes you need to first [add them to the original repository](https://github.com/prometheus-operator/kube-prometheus/blob/main/docs/customizations/developing-prometheus-rules-and-grafana-dashboards.md) and then sync there by scripts. + +## Further Information + +For more in-depth documentation of configuration options meanings, please see + +- [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator) +- [Prometheus](https://prometheus.io/docs/introduction/overview/) +- [Grafana](https://github.com/grafana/helm-charts/tree/main/charts/grafana#grafana-helm-chart) + +## prometheus.io/scrape + +The prometheus operator does not support annotation-based discovery of services, using the `PodMonitor` or `ServiceMonitor` CRD in its place as they provide far more configuration options. 
+For information on how to use PodMonitors/ServiceMonitors, please see the documentation on the `prometheus-operator/prometheus-operator` documentation here: + +- [ServiceMonitors](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md#include-servicemonitors) +- [PodMonitors](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md#include-podmonitors) +- [Running Exporters](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/running-exporters.md) + +By default, Prometheus discovers PodMonitors and ServiceMonitors within its namespace, that are labeled with the same release tag as the prometheus-operator release. +Sometimes, you may need to discover custom PodMonitors/ServiceMonitors, for example used to scrape data from third-party applications. +An easy way of doing this, without compromising the default PodMonitors/ServiceMonitors discovery, is allowing Prometheus to discover all PodMonitors/ServiceMonitors within its namespace, without applying label filtering. +To do so, you can set `prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues` and `prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues` to `false`. + +## Migrating from stable/prometheus-operator chart + +## Zero downtime + +Since `kube-prometheus-stack` is fully compatible with the `stable/prometheus-operator` chart, a migration without downtime can be achieved. +However, the old name prefix needs to be kept. If you want the new name please follow the step by step guide below (with downtime). + +You can override the name to achieve this: + +```console +helm upgrade prometheus-operator prometheus-community/kube-prometheus-stack -n monitoring --reuse-values --set nameOverride=prometheus-operator +``` + +**Note**: It is recommended to run this first with `--dry-run --debug`. 
+ +## Redeploy with new name (downtime) + +If the **prometheus-operator** values are compatible with the new **kube-prometheus-stack** chart, please follow the below steps for migration: + +> The guide presumes that chart is deployed in `monitoring` namespace and the deployments are running there. If in other namespace, please replace the `monitoring` to the deployed namespace. + +1. Patch the PersistenceVolume created/used by the prometheus-operator chart to `Retain` claim policy: + + ```console + kubectl patch pv/ -p '{"spec":{"persistentVolumeReclaimPolicy":"Retain"}}' + ``` + + **Note:** To execute the above command, the user must have a cluster wide permission. Please refer [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + +2. Uninstall the **prometheus-operator** release and delete the existing PersistentVolumeClaim, and verify PV become Released. + + ```console + helm uninstall prometheus-operator -n monitoring + kubectl delete pvc/ -n monitoring + ``` + + Additionally, you have to manually remove the remaining `prometheus-operator-kubelet` service. + + ```console + kubectl delete service/prometheus-operator-kubelet -n kube-system + ``` + + You can choose to remove all your existing CRDs (ServiceMonitors, Podmonitors, etc.) if you want to. + +3. Remove current `spec.claimRef` values to change the PV's status from Released to Available. + + ```console + kubectl patch pv/ --type json -p='[{"op": "remove", "path": "/spec/claimRef"}]' -n monitoring + ``` + +**Note:** To execute the above command, the user must have a cluster wide permission. Please refer to [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + +After these steps, proceed to a fresh **kube-prometheus-stack** installation and make sure the current release of **kube-prometheus-stack** matching the `volumeClaimTemplate` values in the `values.yaml`. 
+ +The binding is done via matching a specific amount of storage requested and with certain access modes. + +For example, if you had storage specified as this with **prometheus-operator**: + +```yaml +volumeClaimTemplate: + spec: + storageClassName: gp2 + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 50Gi +``` + +You have to specify matching `volumeClaimTemplate` with 50Gi storage and `ReadWriteOnce` access mode. + +Additionally, you should check the current AZ of your legacy installation's PV, and configure the fresh release to use the same AZ as the old one. If the pods are in a different AZ than the PV, the release will fail to bind the existing one, hence creating a new PV. + +This can be achieved either by specifying the labels through `values.yaml`, e.g. setting `prometheus.prometheusSpec.nodeSelector` to: + +```yaml +nodeSelector: + failure-domain.beta.kubernetes.io/zone: east-west-1a +``` + +or passing these values as `--set` overrides during installation. + +The new release should now re-attach your previously released PV with its content. + +## Migrating from coreos/prometheus-operator chart + +The multiple charts have been combined into a single chart that installs prometheus operator, prometheus, alertmanager, grafana as well as the multitude of exporters necessary to monitor a cluster. + +There is no simple and direct migration path between the charts as the changes are extensive and intended to make the chart easier to support. + +The capabilities of the old chart are all available in the new chart, including the ability to run multiple prometheus instances on a single cluster - you will need to disable the parts of the chart you do not wish to deploy. + +You can check out the tickets for this change [here](https://github.com/prometheus-operator/prometheus-operator/issues/592) and [here](https://github.com/helm/charts/pull/6765). 
+ +### High-level overview of Changes + +#### Added dependencies + +The chart has added 3 [dependencies](#dependencies). + +- Node-Exporter, Kube-State-Metrics: These components are loaded as dependencies into the chart, and are relatively simple components +- Grafana: The Grafana chart is more feature-rich than this chart - it contains a sidecar that is able to load data sources and dashboards from configmaps deployed into the same cluster. For more information check out the [documentation for the chart](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md) + +#### Kubelet Service + +Because the kubelet service has a new name in the chart, make sure to clean up the old kubelet service in the `kube-system` namespace to prevent counting container metrics twice. + +#### Persistent Volumes + +If you would like to keep the data of the current persistent volumes, it should be possible to attach existing volumes to new PVCs and PVs that are created using the conventions in the new chart. 
For example, in order to use an existing Azure disk for a helm release called `prometheus-migration` the following resources can be created: + +```yaml +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pvc-prometheus-migration-prometheus-0 +spec: + accessModes: + - ReadWriteOnce + azureDisk: + cachingMode: None + diskName: pvc-prometheus-migration-prometheus-0 + diskURI: /subscriptions/f5125d82-2622-4c50-8d25-3f7ba3e9ac4b/resourceGroups/sample-migration-resource-group/providers/Microsoft.Compute/disks/pvc-prometheus-migration-prometheus-0 + fsType: "" + kind: Managed + readOnly: false + capacity: + storage: 1Gi + persistentVolumeReclaimPolicy: Delete + storageClassName: prometheus + volumeMode: Filesystem +``` + +```yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: prometheus + prometheus: prometheus-migration-prometheus + name: prometheus-prometheus-migration-prometheus-db-prometheus-prometheus-migration-prometheus-0 + namespace: monitoring +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: prometheus + volumeMode: Filesystem + volumeName: pvc-prometheus-migration-prometheus-0 +``` + +The PVC will take ownership of the PV and when you create a release using a persistent volume claim template it will use the existing PVCs as they match the naming convention used by the chart. For other cloud providers similar approaches can be used. + +#### KubeProxy + +The metrics bind address of kube-proxy is default to `127.0.0.1:10249` that prometheus instances **cannot** access to. You should expose metrics by changing `metricsBindAddress` field value to `0.0.0.0:10249` if you want to collect them. + +Depending on the cluster, the relevant part `config.conf` will be in ConfigMap `kube-system/kube-proxy` or `kube-system/kube-proxy-config`. 
For example: + +```console +kubectl -n kube-system edit cm kube-proxy +``` + +```yaml +apiVersion: v1 +data: + config.conf: |- + apiVersion: kubeproxy.config.k8s.io/v1alpha1 + kind: KubeProxyConfiguration + # ... + # metricsBindAddress: 127.0.0.1:10249 + metricsBindAddress: 0.0.0.0:10249 + # ... + kubeconfig.conf: |- + # ... +kind: ConfigMap +metadata: + labels: + app: kube-proxy + name: kube-proxy + namespace: kube-system +``` diff --git a/kube-prometheus-stack/charts/crds/Chart.yaml b/kube-prometheus-stack/charts/crds/Chart.yaml new file mode 100644 index 0000000..adb9e4a --- /dev/null +++ b/kube-prometheus-stack/charts/crds/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: crds +version: 0.0.0 diff --git a/kube-prometheus-stack/charts/crds/README.md b/kube-prometheus-stack/charts/crds/README.md new file mode 100644 index 0000000..02092b9 --- /dev/null +++ b/kube-prometheus-stack/charts/crds/README.md @@ -0,0 +1,3 @@ +# crds subchart + +See: [https://github.com/prometheus-community/helm-charts/issues/3548](https://github.com/prometheus-community/helm-charts/issues/3548) diff --git a/kube-prometheus-stack/charts/crds/crds/crd-alertmanagerconfigs.yaml b/kube-prometheus-stack/charts/crds/crds/crd-alertmanagerconfigs.yaml new file mode 100644 index 0000000..e8b3cf5 --- /dev/null +++ b/kube-prometheus-stack/charts/crds/crds/crd-alertmanagerconfigs.yaml 
@@ -0,0 +1,5722 @@ +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + operator.prometheus.io/version: 0.72.0 + name: alertmanagerconfigs.monitoring.coreos.com +spec: + group: monitoring.coreos.com + names: + categories: + - prometheus-operator + kind: AlertmanagerConfig + listKind: AlertmanagerConfigList + plural: alertmanagerconfigs + shortNames: + - amcfg + singular: alertmanagerconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AlertmanagerConfig configures the Prometheus Alertmanager, specifying + how alerts should be grouped, inhibited and notified to external systems. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AlertmanagerConfigSpec is a specification of the desired + behavior of the Alertmanager configuration. By definition, the Alertmanager + configuration only applies to alerts for which the `namespace` label + is equal to the namespace of the AlertmanagerConfig resource. + properties: + inhibitRules: + description: List of inhibition rules. 
The rules will only apply to + alerts matching the resource's namespace. + items: + description: InhibitRule defines an inhibition rule that allows + to mute alerts when other alerts are already firing. See https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule + properties: + equal: + description: Labels that must have an equal value in the source + and target alert for the inhibition to take effect. + items: + type: string + type: array + sourceMatch: + description: Matchers for which one or more alerts have to exist + for the inhibition to take effect. The operator enforces that + the alert matches the resource's namespace. + items: + description: Matcher defines how to match on alert's labels. + properties: + matchType: + description: Match operation available with AlertManager + >= v0.22.0 and takes precedence over Regex (deprecated) + if non-empty. + enum: + - '!=' + - = + - =~ + - '!~' + type: string + name: + description: Label to match. + minLength: 1 + type: string + regex: + description: 'Whether to match on equality (false) or + regular-expression (true). Deprecated: for AlertManager + >= v0.22.0, `matchType` should be used instead.' + type: boolean + value: + description: Label value to match. + type: string + required: + - name + type: object + type: array + targetMatch: + description: Matchers that have to be fulfilled in the alerts + to be muted. The operator enforces that the alert matches + the resource's namespace. + items: + description: Matcher defines how to match on alert's labels. + properties: + matchType: + description: Match operation available with AlertManager + >= v0.22.0 and takes precedence over Regex (deprecated) + if non-empty. + enum: + - '!=' + - = + - =~ + - '!~' + type: string + name: + description: Label to match. + minLength: 1 + type: string + regex: + description: 'Whether to match on equality (false) or + regular-expression (true). 
Deprecated: for AlertManager + >= v0.22.0, `matchType` should be used instead.' + type: boolean + value: + description: Label value to match. + type: string + required: + - name + type: object + type: array + type: object + type: array + muteTimeIntervals: + description: List of MuteTimeInterval specifying when the routes should + be muted. + items: + description: MuteTimeInterval specifies the periods in time when + notifications will be muted + properties: + name: + description: Name of the time interval + type: string + timeIntervals: + description: TimeIntervals is a list of TimeInterval + items: + description: TimeInterval describes intervals of time + properties: + daysOfMonth: + description: DaysOfMonth is a list of DayOfMonthRange + items: + description: DayOfMonthRange is an inclusive range of + days of the month beginning at 1 + properties: + end: + description: End of the inclusive range + maximum: 31 + minimum: -31 + type: integer + start: + description: Start of the inclusive range + maximum: 31 + minimum: -31 + type: integer + type: object + type: array + months: + description: Months is a list of MonthRange + items: + description: MonthRange is an inclusive range of months + of the year beginning in January Months can be specified + by name (e.g 'January') by numerical month (e.g '1') + or as an inclusive range (e.g 'January:March', '1:3', + '1:March') + pattern: ^((?i)january|february|march|april|may|june|july|august|september|october|november|december|[1-12])(?:((:((?i)january|february|march|april|may|june|july|august|september|october|november|december|[1-12]))$)|$) + type: string + type: array + times: + description: Times is a list of TimeRange + items: + description: TimeRange defines a start and end time + in 24hr format + properties: + endTime: + description: EndTime is the end time in 24hr format. 
+ pattern: ^((([01][0-9])|(2[0-3])):[0-5][0-9])$|(^24:00$) + type: string + startTime: + description: StartTime is the start time in 24hr + format. + pattern: ^((([01][0-9])|(2[0-3])):[0-5][0-9])$|(^24:00$) + type: string + type: object + type: array + weekdays: + description: Weekdays is a list of WeekdayRange + items: + description: WeekdayRange is an inclusive range of days + of the week beginning on Sunday Days can be specified + by name (e.g 'Sunday') or as an inclusive range (e.g + 'Monday:Friday') + pattern: ^((?i)sun|mon|tues|wednes|thurs|fri|satur)day(?:((:(sun|mon|tues|wednes|thurs|fri|satur)day)$)|$) + type: string + type: array + years: + description: Years is a list of YearRange + items: + description: YearRange is an inclusive range of years + pattern: ^2\d{3}(?::2\d{3}|$) + type: string + type: array + type: object + type: array + type: object + type: array + receivers: + description: List of receivers. + items: + description: Receiver defines one or more notification integrations. + properties: + discordConfigs: + description: List of Discord configurations. + items: + description: DiscordConfig configures notifications via Discord. + See https://prometheus.io/docs/alerting/latest/configuration/#discord_config + properties: + apiURL: + description: The secret's key that contains the Discord + webhook URL. The secret needs to be in the same namespace + as the AlertmanagerConfig object and accessible by the + Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' 
+ properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' 
+ type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: The template of the message's body. + type: string + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + title: + description: The template of the message's title. 
+ type: string + required: + - apiURL + type: object + type: array + emailConfigs: + description: List of Email configurations. + items: + description: EmailConfig configures notifications via Email. + properties: + authIdentity: + description: The identity to use for authentication. + type: string + authPassword: + description: The secret's key that contains the password + to use for authentication. The secret needs to be in + the same namespace as the AlertmanagerConfig object + and accessible by the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + authSecret: + description: The secret's key that contains the CRAM-MD5 + secret. The secret needs to be in the same namespace + as the AlertmanagerConfig object and accessible by the + Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + authUsername: + description: The username to use for authentication. + type: string + from: + description: The sender address. + type: string + headers: + description: Further headers email header key/value pairs. 
+ Overrides any headers previously set by the notification + implementation. + items: + description: KeyValue defines a (key, value) tuple. + properties: + key: + description: Key of the tuple. + minLength: 1 + type: string + value: + description: Value of the tuple. + type: string + required: + - key + - value + type: object + type: array + hello: + description: The hostname to identify to the SMTP server. + type: string + html: + description: The HTML body of the email notification. + type: string + requireTLS: + description: The SMTP TLS requirement. Note that Go does + not support unencrypted connections to remote SMTP endpoints. + type: boolean + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + smarthost: + description: The SMTP host and port through which emails + are sent. E.g. example.com:25 + type: string + text: + description: The text body of the email notification. + type: string + tlsConfig: + description: TLS configuration + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to use + for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for + the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when doing + client-authentication. + properties: + configMap: + description: ConfigMap containing data to use + for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for + the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key file + for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the targets. + type: string + type: object + to: + description: The email address to send notifications to. + type: string + type: object + type: array + msteamsConfigs: + description: List of MSTeams configurations. It requires Alertmanager + >= 0.26.0. + items: + description: MSTeamsConfig configures notifications via Microsoft + Teams. It requires Alertmanager >= 0.26.0. + properties: + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. 
If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + sendResolved: + description: Whether to notify about resolved alerts. + type: boolean + text: + description: Message body template. + type: string + title: + description: Message title template. + type: string + webhookUrl: + description: MSTeams webhook URL. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - webhookUrl + type: object + type: array + name: + description: Name of the receiver. Must be unique across all + items from the list. + minLength: 1 + type: string + opsgenieConfigs: + description: List of OpsGenie configurations. + items: + description: OpsGenieConfig configures notifications via OpsGenie. + See https://prometheus.io/docs/alerting/latest/configuration/#opsgenie_config + properties: + actions: + description: Comma separated list of actions that will + be available for the alert. + type: string + apiKey: + description: The secret's key that contains the OpsGenie + API key. The secret needs to be in the same namespace + as the AlertmanagerConfig object and accessible by the + Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + apiURL: + description: The URL to send OpsGenie API requests to. + type: string + description: + description: Description of the incident. + type: string + details: + description: A set of arbitrary key/value pairs that provide + further detail about the incident. + items: + description: KeyValue defines a (key, value) tuple. + properties: + key: + description: Key of the tuple. + minLength: 1 + type: string + value: + description: Value of the tuple. + type: string + required: + - key + - value + type: object + type: array + entity: + description: Optional field that can be used to specify + which domain alert is related to. + type: string + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. 
\n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' 
+ properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: Alert text limited to 130 characters. + type: string + note: + description: Additional alert note. + type: string + priority: + description: Priority level of alert. Possible values + are P1, P2, P3, P4, and P5. + type: string + responders: + description: List of responders responsible for notifications. + items: + description: OpsGenieConfigResponder defines a responder + to an incident. One of `id`, `name` or `username` + has to be defined. + properties: + id: + description: ID of the responder. + type: string + name: + description: Name of the responder. + type: string + type: + description: Type of responder. + enum: + - team + - teams + - user + - escalation + - schedule + minLength: 1 + type: string + username: + description: Username of the responder. + type: string + required: + - type + type: object + type: array + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + source: + description: Backlink to the sender of the notification. + type: string + tags: + description: Comma separated list of tags attached to + the notifications. + type: string + updateAlerts: + description: Whether to update message and description + of the alert in OpsGenie if it already exists By default, + the alert is never updated in OpsGenie, the new message + only appears in activity log. + type: boolean + type: object + type: array + pagerdutyConfigs: + description: List of PagerDuty configurations. 
+ items: + description: PagerDutyConfig configures notifications via + PagerDuty. See https://prometheus.io/docs/alerting/latest/configuration/#pagerduty_config + properties: + class: + description: The class/type of the event. + type: string + client: + description: Client identification. + type: string + clientURL: + description: Backlink to the sender of notification. + type: string + component: + description: The part or component of the affected system + that is broken. + type: string + description: + description: Description of the incident. + type: string + details: + description: Arbitrary key/value pairs that provide further + detail about the incident. + items: + description: KeyValue defines a (key, value) tuple. + properties: + key: + description: Key of the tuple. + minLength: 1 + type: string + value: + description: Value of the tuple. + type: string + required: + - key + - value + type: object + type: array + group: + description: A cluster or grouping of sources. + type: string + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. 
\n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' 
+ properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + pagerDutyImageConfigs: + description: A list of image details to attach that provide + further detail about an incident. + items: + description: PagerDutyImageConfig attaches images to + an incident + properties: + alt: + description: Alt is the optional alternative text + for the image. + type: string + href: + description: Optional URL; makes the image a clickable + link. + type: string + src: + description: Src of the image being attached to + the incident + type: string + type: object + type: array + pagerDutyLinkConfigs: + description: A list of link details to attach that provide + further detail about an incident. + items: + description: PagerDutyLinkConfig attaches text links + to an incident + properties: + alt: + description: Text that describes the purpose of + the link, and can be used as the link's text. + type: string + href: + description: Href is the URL of the link to be attached + type: string + type: object + type: array + routingKey: + description: The secret's key that contains the PagerDuty + integration key (when using Events API v2). Either this + field or `serviceKey` needs to be defined. The secret + needs to be in the same namespace as the AlertmanagerConfig + object and accessible by the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + serviceKey: + description: The secret's key that contains the PagerDuty + service key (when using integration type "Prometheus"). + Either this field or `routingKey` needs to be defined. + The secret needs to be in the same namespace as the + AlertmanagerConfig object and accessible by the Prometheus + Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + severity: + description: Severity of the incident. + type: string + url: + description: The URL to send requests to. + type: string + type: object + type: array + pushoverConfigs: + description: List of Pushover configurations. + items: + description: PushoverConfig configures notifications via Pushover. + See https://prometheus.io/docs/alerting/latest/configuration/#pushover_config + properties: + device: + description: The name of a device to send the notification + to + type: string + expire: + description: How long your notification will continue + to be retried for, unless the user acknowledges the + notification. + pattern: ^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$ + type: string + html: + description: Whether notification message is HTML or plain + text. 
+ type: boolean + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' 
+ properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. 
+ properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. 
+ properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: Notification message. + type: string + priority: + description: Priority, see https://pushover.net/api#priority + type: string + retry: + description: How often the Pushover servers will send + the same notification to the user. Must be at least + 30 seconds. + pattern: ^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$ + type: string + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + sound: + description: The name of one of the sounds supported by + device clients to override the user's default sound + choice + type: string + title: + description: Notification title. 
+ type: string + token: + description: The secret's key that contains the registered + application's API token, see https://pushover.net/apps. + The secret needs to be in the same namespace as the + AlertmanagerConfig object and accessible by the Prometheus + Operator. Either `token` or `tokenFile` is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + tokenFile: + description: The token file that contains the registered + application's API token, see https://pushover.net/apps. + Either `token` or `tokenFile` is required. It requires + Alertmanager >= v0.26.0. + type: string + url: + description: A supplementary URL shown alongside the message. + type: string + urlTitle: + description: A title for supplementary URL, otherwise + just the URL is shown + type: string + userKey: + description: The secret's key that contains the recipient + user's user key. The secret needs to be in the same + namespace as the AlertmanagerConfig object and accessible + by the Prometheus Operator. Either `userKey` or `userKeyFile` + is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + userKeyFile: + description: The user key file that contains the recipient + user's user key. Either `userKey` or `userKeyFile` is + required. It requires Alertmanager >= v0.26.0. + type: string + type: object + type: array + slackConfigs: + description: List of Slack configurations. + items: + description: SlackConfig configures notifications via Slack. + See https://prometheus.io/docs/alerting/latest/configuration/#slack_config + properties: + actions: + description: A list of Slack actions that are sent with + each notification. + items: + description: SlackAction configures a single Slack action + that is sent with each notification. See https://api.slack.com/docs/message-attachments#action_fields + and https://api.slack.com/docs/message-buttons for + more information. + properties: + confirm: + description: SlackConfirmationField protect users + from destructive actions or particularly distinguished + decisions by asking them to confirm their button + click one more time. See https://api.slack.com/docs/interactive-message-field-guide#confirmation_fields + for more information. + properties: + dismissText: + type: string + okText: + type: string + text: + minLength: 1 + type: string + title: + type: string + required: + - text + type: object + name: + type: string + style: + type: string + text: + minLength: 1 + type: string + type: + minLength: 1 + type: string + url: + type: string + value: + type: string + required: + - text + - type + type: object + type: array + apiURL: + description: The secret's key that contains the Slack + webhook URL. The secret needs to be in the same namespace + as the AlertmanagerConfig object and accessible by the + Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. 
+ type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + callbackId: + type: string + channel: + description: The channel or user to send notifications + to. + type: string + color: + type: string + fallback: + type: string + fields: + description: A list of Slack fields that are sent with + each notification. + items: + description: SlackField configures a single Slack field + that is sent with each notification. Each field must + contain a title, value, and optionally, a boolean + value to indicate if the field is short enough to + be displayed next to other fields designated as short. + See https://api.slack.com/docs/message-attachments#fields + for more information. + properties: + short: + type: boolean + title: + minLength: 1 + type: string + value: + minLength: 1 + type: string + required: + - title + - value + type: object + type: array + footer: + type: string + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. 
+ The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + iconEmoji: + type: string + iconURL: + type: string + imageURL: + type: string + linkNames: + type: boolean + mrkdwnIn: + items: + type: string + type: array + pretext: + type: string + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + shortFields: + type: boolean + text: + type: string + thumbURL: + type: string + title: + type: string + titleLink: + type: string + username: + type: string + type: object + type: array + snsConfigs: + description: List of SNS configurations + items: + description: SNSConfig configures notifications via AWS SNS. + See https://prometheus.io/docs/alerting/latest/configuration/#sns_configs + properties: + apiURL: + description: The SNS API URL i.e. https://sns.us-east-2.amazonaws.com. + If not specified, the SNS API URL from the SNS SDK will + be used. + type: string + attributes: + additionalProperties: + type: string + description: SNS message attributes. 
+ type: object + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' 
+ properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. 
+ properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. 
+ properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: The message content of the SNS notification. + type: string + phoneNumber: + description: Phone number if message is delivered via + SMS in E.164 format. If you don't specify this value, + you must specify a value for the TopicARN or TargetARN. + type: string + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + sigv4: + description: Configures AWS's Signature Verification 4 + signing process to sign requests. + properties: + accessKey: + description: AccessKey is the AWS API key. If not + specified, the environment variable `AWS_ACCESS_KEY_ID` + is used. 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + profile: + description: Profile is the named AWS profile used + to authenticate. + type: string + region: + description: Region is the AWS region. If blank, the + region from the default credentials chain used. + type: string + roleArn: + description: RoleArn is the named AWS profile used + to authenticate. + type: string + secretKey: + description: SecretKey is the AWS API secret. If not + specified, the environment variable `AWS_SECRET_ACCESS_KEY` + is used. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + subject: + description: Subject line when the message is delivered + to email endpoints. + type: string + targetARN: + description: The mobile platform endpoint ARN if message + is delivered via mobile notifications. If you don't + specify this value, you must specify a value for the + topic_arn or PhoneNumber. + type: string + topicARN: + description: SNS topic ARN, i.e. arn:aws:sns:us-east-2:698519295917:My-Topic + If you don't specify this value, you must specify a + value for the PhoneNumber or TargetARN. 
+ type: string + type: object + type: array + telegramConfigs: + description: List of Telegram configurations. + items: + description: TelegramConfig configures notifications via Telegram. + See https://prometheus.io/docs/alerting/latest/configuration/#telegram_config + properties: + apiURL: + description: The Telegram API URL i.e. https://api.telegram.org. + If not specified, default API URL will be used. + type: string + botToken: + description: "Telegram bot token. It is mutually exclusive + with `botTokenFile`. The secret needs to be in the same + namespace as the AlertmanagerConfig object and accessible + by the Prometheus Operator. \n Either `botToken` or + `botTokenFile` is required." + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + botTokenFile: + description: "File to read the Telegram bot token from. + It is mutually exclusive with `botToken`. Either `botToken` + or `botTokenFile` is required. \n It requires Alertmanager + >= v0.26.0." + type: string + chatID: + description: The Telegram chat ID. + format: int64 + type: integer + disableNotifications: + description: Disable telegram notifications + type: boolean + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. 
+ properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. 
+ properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. 
+ type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: Message template + type: string + parseMode: + description: Parse mode for telegram message + enum: + - MarkdownV2 + - Markdown + - HTML + type: string + sendResolved: + description: Whether to notify about resolved alerts. + type: boolean + type: object + type: array + victoropsConfigs: + description: List of VictorOps configurations. + items: + description: VictorOpsConfig configures notifications via + VictorOps. See https://prometheus.io/docs/alerting/latest/configuration/#victorops_config + properties: + apiKey: + description: The secret's key that contains the API key + to use when talking to the VictorOps API. The secret + needs to be in the same namespace as the AlertmanagerConfig + object and accessible by the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + apiUrl: + description: The VictorOps API URL. + type: string + customFields: + description: Additional custom fields for notification. + items: + description: KeyValue defines a (key, value) tuple. + properties: + key: + description: Key of the tuple. + minLength: 1 + type: string + value: + description: Value of the tuple. + type: string + required: + - key + - value + type: object + type: array + entityDisplayName: + description: Contains summary of the alerted problem. + type: string + httpConfig: + description: The HTTP client's configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. 
This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + messageType: + description: Describes the behavior of the alert (CRITICAL, + WARNING, INFO). + type: string + monitoringTool: + description: The monitoring tool the state message is + from. + type: string + routingKey: + description: A key used to map the alert to a team. + type: string + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + stateMessage: + description: Contains long explanation of the alerted + problem. + type: string + type: object + type: array + webexConfigs: + description: List of Webex configurations. + items: + description: WebexConfig configures notification via Cisco + Webex See https://prometheus.io/docs/alerting/latest/configuration/#webex_config + properties: + apiURL: + description: The Webex Teams API URL i.e. https://webexapis.com/v1/messages + Provide if different from the default API URL. + pattern: ^https?://.+$ + type: string + httpConfig: + description: The HTTP client's configuration. You must + supply the bot token via the `httpConfig.authorization` + field. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. 
+ The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: Message template + type: string + roomID: + description: ID of the Webex Teams room where to send + the messages. + minLength: 1 + type: string + sendResolved: + description: Whether to notify about resolved alerts. + type: boolean + required: + - roomID + type: object + type: array + webhookConfigs: + description: List of webhook configurations. + items: + description: WebhookConfig configures notifications via a + generic receiver supporting the webhook payload. See https://prometheus.io/docs/alerting/latest/configuration/#webhook_config + properties: + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. 
+ properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. 
+ properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. 
+ type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + maxAlerts: + description: Maximum number of alerts to be sent per webhook + message. When 0, all alerts are included. + format: int32 + minimum: 0 + type: integer + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + url: + description: The URL to send HTTP POST requests to. `urlSecret` + takes precedence over `url`. One of `urlSecret` and + `url` should be defined. + type: string + urlSecret: + description: The secret's key that contains the webhook + URL to send HTTP requests to. `urlSecret` takes precedence + over `url`. One of `urlSecret` and `url` should be defined. + The secret needs to be in the same namespace as the + AlertmanagerConfig object and accessible by the Prometheus + Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + wechatConfigs: + description: List of WeChat configurations. + items: + description: WeChatConfig configures notifications via WeChat. + See https://prometheus.io/docs/alerting/latest/configuration/#wechat_config + properties: + agentID: + type: string + apiSecret: + description: The secret's key that contains the WeChat + API key. The secret needs to be in the same namespace + as the AlertmanagerConfig object and accessible by the + Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + apiURL: + description: The WeChat API URL. + type: string + corpID: + description: The corp id for authentication. + type: string + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for + the client. This is mutually exclusive with BasicAuth + and is only available starting from Alertmanager + v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the + namespace that contains the credentials for + authentication. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. 
+ type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. + The value is case-insensitive. \n \"Basic\" + is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, + BasicAuth takes precedence. + properties: + password: + description: '`password` specifies a key of a + Secret containing the password for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a + Secret containing the username for authentication.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. + The secret needs to be in the same namespace as + the AlertmanagerConfig object and accessible by + the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the + client should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch + a token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a + Secret or ConfigMap containing the OAuth2 client''s + ID.' + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. 
+ properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of + a Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the + HTTP parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes + used for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to + fetch the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. 
+ type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when + doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to + use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use + for the targets. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key + file for the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the + targets. + type: string + type: object + type: object + message: + description: API request data as defined by the WeChat + API. + type: string + messageType: + type: string + sendResolved: + description: Whether or not to notify about resolved alerts. + type: boolean + toParty: + type: string + toTag: + type: string + toUser: + type: string + type: object + type: array + required: + - name + type: object + type: array + route: + description: The Alertmanager route definition for alerts matching + the resource's namespace. If present, it will be added to the generated + Alertmanager configuration as a first-level route. + properties: + activeTimeIntervals: + description: ActiveTimeIntervals is a list of MuteTimeInterval + names when this route should be active. + items: + type: string + type: array + continue: + description: Boolean indicating whether an alert should continue + matching subsequent sibling nodes. It will always be overridden + to true for the first-level route by the Prometheus operator. 
+ type: boolean + groupBy: + description: List of labels to group by. Labels must not be repeated + (unique list). Special label "..." (aggregate by all possible + labels), if provided, must be the only element in the list. + items: + type: string + type: array + groupInterval: + description: 'How long to wait before sending an updated notification. + Must match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$` + Example: "5m"' + type: string + groupWait: + description: 'How long to wait before sending the initial notification. + Must match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$` + Example: "30s"' + type: string + matchers: + description: 'List of matchers that the alert''s labels should + match. For the first level route, the operator removes any existing + equality and regexp matcher on the `namespace` label and adds + a `namespace: ` matcher.' + items: + description: Matcher defines how to match on alert's labels. + properties: + matchType: + description: Match operation available with AlertManager + >= v0.22.0 and takes precedence over Regex (deprecated) + if non-empty. + enum: + - '!=' + - = + - =~ + - '!~' + type: string + name: + description: Label to match. + minLength: 1 + type: string + regex: + description: 'Whether to match on equality (false) or regular-expression + (true). Deprecated: for AlertManager >= v0.22.0, `matchType` + should be used instead.' + type: boolean + value: + description: Label value to match. + type: string + required: + - name + type: object + type: array + muteTimeIntervals: + description: 'Note: this comment applies to the field definition + above but appears below otherwise it gets included in the generated + manifest. CRD schema doesn''t support self-referential types + for now (see https://github.com/kubernetes/kubernetes/issues/62872). 
+ We have to use an alternative type to circumvent the limitation. + The downside is that the Kube API can''t validate the data beyond + the fact that it is a valid JSON representation. MuteTimeIntervals + is a list of MuteTimeInterval names that will mute this route + when matched,' + items: + type: string + type: array + receiver: + description: Name of the receiver for this route. If not empty, + it should be listed in the `receivers` field. + type: string + repeatInterval: + description: 'How long to wait before repeating the last notification. + Must match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$` + Example: "4h"' + type: string + routes: + description: Child routes. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/kube-prometheus-stack/charts/crds/crds/crd-alertmanagers.yaml b/kube-prometheus-stack/charts/crds/crds/crd-alertmanagers.yaml new file mode 100644 index 0000000..e0e3ec2 --- /dev/null +++ b/kube-prometheus-stack/charts/crds/crds/crd-alertmanagers.yaml 
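Review bot: `spec.route.routes` at the end of this hunk is declared with `x-kubernetes-preserve-unknown-fields: true`, and the misplaced `muteTimeIntervals` description says why: the CRD schema cannot express the self-referential route type, so the API server validates nested child routes only as well-formed JSON. A typo in a child route's `matchers`, `groupWait` or `receiver` passes admission and surfaces only when the operator renders the Alertmanager configuration. Since this file is vendored verbatim from upstream and should not be patched locally, the right place for this is the chart docs: say that only the first-level route is schema-validated and recommend validating AlertmanagerConfig objects in CI (for example `amtool check-config` on the rendered configuration) rather than relying on admission. On the same hunk, the webhook receiver exposes both `url` (plain string) and `urlSecret`, with `urlSecret` taking precedence; webhook URLs that embed tokens belong in `urlSecret`, and the docs should steer users there.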
@@ -0,0 +1,7752 @@ +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + operator.prometheus.io/version: 0.72.0 + name: alertmanagers.monitoring.coreos.com +spec: + group: monitoring.coreos.com + names: + categories: + - prometheus-operator + kind: Alertmanager + listKind: AlertmanagerList + plural: alertmanagers + shortNames: + - am + singular: alertmanager + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The version of Alertmanager + jsonPath: .spec.version + name: Version + type: string + - description: The number of desired replicas + jsonPath: .spec.replicas + name: Replicas + type: integer + - description: The number of ready replicas + jsonPath: .status.availableReplicas + name: Ready + type: integer + - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status + name: Reconciled + type: string + - jsonPath: .status.conditions[?(@.type == 'Available')].status + name: Available + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Whether the resource reconciliation is paused or not + jsonPath: .status.paused + name: Paused + priority: 1 + type: boolean + name: v1 + schema: + openAPIV3Schema: + description: Alertmanager describes an Alertmanager cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the Alertmanager + cluster. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + additionalPeers: + description: AdditionalPeers allows injecting a set of additional + Alertmanagers to peer with to form a highly available cluster. + items: + type: string + type: array + affinity: + description: If specified, the pod's scheduling constraints. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. 
+ items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. 
for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key in (value)` to select + the group of existing pods which pods will be + taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. Also, + MatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key notin (value)` to + select the group of existing pods which pods will + be taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MismatchLabelKeys and LabelSelector. Also, + MismatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. 
null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys + to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key in (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector + isn't set. 
This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key notin (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MismatchLabelKeys and + LabelSelector. Also, MismatchLabelKeys cannot be set + when LabelSelector isn't set. This is an alpha field + and requires enabling MatchLabelKeysInPodAffinity + feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. 
The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key in (value)` to select + the group of existing pods which pods will be + taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. Also, + MatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key notin (value)` to + select the group of existing pods which pods will + be taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MismatchLabelKeys and LabelSelector. Also, + MismatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. 
null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys + to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key in (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector + isn't set. 
This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key notin (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MismatchLabelKeys and + LabelSelector. Also, MismatchLabelKeys cannot be set + when LabelSelector isn't set. This is an alpha field + and requires enabling MatchLabelKeysInPodAffinity + feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + alertmanagerConfigMatcherStrategy: + description: The AlertmanagerConfigMatcherStrategy defines how AlertmanagerConfig + objects match the alerts. In the future more options may be added. + properties: + type: + default: OnNamespace + description: If set to `OnNamespace`, the operator injects a label + matcher matching the namespace of the AlertmanagerConfig object + for all its routes and inhibition rules. 
`None` will not add + any additional matchers other than the ones specified in the + AlertmanagerConfig. Default is `OnNamespace`. + enum: + - OnNamespace + - None + type: string + type: object + alertmanagerConfigNamespaceSelector: + description: Namespaces to be selected for AlertmanagerConfig discovery. + If nil, only check own namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + alertmanagerConfigSelector: + description: AlertmanagerConfigs to be selected for to merge and configure + Alertmanager with. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + alertmanagerConfiguration: + description: 'EXPERIMENTAL: alertmanagerConfiguration specifies the + configuration of Alertmanager. If defined, it takes precedence over + the `configSecret` field. This field may change in future releases.' + properties: + global: + description: Defines the global parameters of the Alertmanager + configuration. + properties: + httpConfig: + description: HTTP client configuration. + properties: + authorization: + description: Authorization header configuration for the + client. This is mutually exclusive with BasicAuth and + is only available starting from Alertmanager v0.22+. + properties: + credentials: + description: Selects a key of a Secret in the namespace + that contains the credentials for authentication. 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. The + value is case-insensitive. \n \"Basic\" is not a + supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: BasicAuth for the client. This is mutually + exclusive with Authorization. If both are defined, BasicAuth + takes precedence. + properties: + password: + description: '`password` specifies a key of a Secret + containing the password for authentication.' + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a Secret + containing the username for authentication.' + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: The secret's key that contains the bearer + token to be used by the client for authentication. The + secret needs to be in the same namespace as the Alertmanager + object and accessible by the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + followRedirects: + description: FollowRedirects specifies whether the client + should follow HTTP 3xx redirects. + type: boolean + oauth2: + description: OAuth2 client credentials used to fetch a + token for the targets. + properties: + clientId: + description: '`clientId` specifies a key of a Secret + or ConfigMap containing the OAuth2 client''s ID.' + properties: + configMap: + description: ConfigMap containing data to use + for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for + the targets. + properties: + key: + description: The key of the secret to select + from. 
Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of a + Secret containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the HTTP + parameters to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes used + for the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to fetch + the token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + proxyURL: + description: Optional proxy URL. + type: string + tlsConfig: + description: TLS configuration for the client. + properties: + ca: + description: Certificate authority used when verifying + server certificates. + properties: + configMap: + description: ConfigMap containing data to use + for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for + the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when doing + client-authentication. + properties: + configMap: + description: ConfigMap containing data to use + for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for + the targets. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key file + for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the targets. + type: string + type: object + type: object + opsGenieApiKey: + description: The default OpsGenie API Key. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + opsGenieApiUrl: + description: The default OpsGenie API URL. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + pagerdutyUrl: + description: The default Pagerduty URL. + type: string + resolveTimeout: + description: ResolveTimeout is the default value used by alertmanager + if the alert does not include EndsAt, after this time passes + it can declare the alert as resolved if it has not been + updated. This has no impact on alerts from Prometheus, as + they always include EndsAt. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + slackApiUrl: + description: The default Slack API URL. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + smtp: + description: Configures global SMTP parameters. + properties: + authIdentity: + description: SMTP Auth using PLAIN + type: string + authPassword: + description: SMTP Auth using LOGIN and PLAIN. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + authSecret: + description: SMTP Auth using CRAM-MD5. 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + authUsername: + description: SMTP Auth using CRAM-MD5, LOGIN and PLAIN. + If empty, Alertmanager doesn't authenticate to the SMTP + server. + type: string + from: + description: The default SMTP From header field. + type: string + hello: + description: The default hostname to identify to the SMTP + server. + type: string + requireTLS: + description: The default SMTP TLS requirement. Note that + Go does not support unencrypted connections to remote + SMTP endpoints. + type: boolean + smartHost: + description: The default SMTP smarthost used for sending + emails. + properties: + host: + description: Defines the host's address, it can be + a DNS name or a literal IP address. + minLength: 1 + type: string + port: + description: Defines the host's port, it can be a + literal port number or a port name. + minLength: 1 + type: string + required: + - host + - port + type: object + type: object + type: object + name: + description: The name of the AlertmanagerConfig resource which + is used to generate the Alertmanager configuration. It must + be defined in the same namespace as the Alertmanager object. + The operator will not enforce a `namespace` label for routes + and inhibition rules. + minLength: 1 + type: string + templates: + description: Custom notification templates. + items: + description: SecretOrConfigMap allows to specify data as a Secret + or ConfigMap. Fields are mutually exclusive. 
+ properties: + configMap: + description: ConfigMap containing data to use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + type: object + automountServiceAccountToken: + description: 'AutomountServiceAccountToken indicates whether a service + account token should be automatically mounted in the pod. If the + service account has `automountServiceAccountToken: true`, set the + field to `false` to opt out of automounting API credentials.' + type: boolean + baseImage: + description: 'Base image that is used to deploy pods, without tag. + Deprecated: use ''image'' instead.' + type: string + clusterAdvertiseAddress: + description: 'ClusterAdvertiseAddress is the explicit address to advertise + in cluster. Needs to be provided for non RFC1918 [1] (public) addresses. + [1] RFC1918: https://tools.ietf.org/html/rfc1918' + type: string + clusterGossipInterval: + description: Interval between gossip attempts. 
+ pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + clusterLabel: + description: Defines the identifier that uniquely identifies the Alertmanager + cluster. You should only set it when the Alertmanager cluster includes + Alertmanager instances which are external to this Alertmanager resource. + In practice, the addresses of the external instances are provided + via the `.spec.additionalPeers` field. + type: string + clusterPeerTimeout: + description: Timeout for cluster peering. + pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + clusterPushpullInterval: + description: Interval between pushpull attempts. + pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + configMaps: + description: ConfigMaps is a list of ConfigMaps in the same namespace + as the Alertmanager object, which shall be mounted into the Alertmanager + Pods. Each ConfigMap is added to the StatefulSet definition as a + volume named `configmap-`. The ConfigMaps are mounted + into `/etc/alertmanager/configmaps/` in the 'alertmanager' + container. + items: + type: string + type: array + configSecret: + description: "ConfigSecret is the name of a Kubernetes Secret in the + same namespace as the Alertmanager object, which contains the configuration + for this Alertmanager instance. If empty, it defaults to `alertmanager-`. + \n The Alertmanager configuration should be available under the + `alertmanager.yaml` key. Additional keys from the original secret + are copied to the generated secret and mounted into the `/etc/alertmanager/config` + directory in the `alertmanager` container. \n If either the secret + or the `alertmanager.yaml` key is missing, the operator provisions + a minimal Alertmanager configuration with one empty receiver (effectively + dropping alert notifications)." + type: string + containers: + description: 'Containers allows injecting additional containers. 
This + is meant to allow adding an authentication proxy to an Alertmanager + pod. Containers described here modify an operator generated container + if they share the same name and modifications are done via a strategic + merge patch. The current container names are: `alertmanager` and + `config-reloader`. Overriding containers is entirely outside the + scope of what the maintainers will support and by doing so, you + accept that this behaviour may break at any time without notice.' + items: + description: A single application container that you want to run + within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If a variable + cannot be resolved, the reference in the input string will + be unchanged. Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: + i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. + If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must be + a C_IDENTIFIER. 
All invalid keys will be reported as an event + when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take + precedence. Values defined by an Env with a duplicate key + will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container + is created. If the handler fails, the container is terminated + and restarted according to its restart policy. Other management + of the container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, resource + contention, etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the container + will eventually terminate within the Pod''s termination + grace period (unless delayed by finalizers). Other management + of the container blocks until the hook completes or until + the termination grace period is reached. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. 
+ properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. 
Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. 
+ Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. + Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in a + single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x < + 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe + fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. 
Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource resize + policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this resource + resize policy applies. Supported values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified resource + is resized. If not specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only + be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. 
It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior of + individual containers in a pod. This field may only be set + for init containers, and the only allowed value is "Always". + For non-init containers or when this field is not specified, + the restart behavior is defined by the Pod''s restart policy + and the container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: this + init container will be continually restarted on exit until + all regular containers have terminated. Once all regular containers + have completed, all init containers with restartPolicy "Always" + will be shut down. 
This lifecycle differs from normal init + containers and is often referred to as a "sidecar" container. + Although this init container still starts in the init container + sequence, it does not wait for the container to complete before + proceeding to the next init container. Instead, the next init + container starts immediately after this init container is + started, or after any startupProbe has successfully completed.' + type: string + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by + the container runtime. Note that this field cannot be + set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent to + root on the host. Defaults to false. Note that this field + cannot be set when spec.os.name is windows. 
+ type: boolean + procMount: + description: procMount denotes the type of proc mount to + use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a + non-root user. If true, the Kubelet will validate the + image at runtime to ensure that it does not run as UID + 0 (root) and fail to start the container if it does. If + unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. 
+ If unspecified, the container runtime will allocate a + random SELinux context for each container. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile + must be preconfigured on the node to work. Must be + a descending path, relative to the kubelet's configured + seccomp profile location. Must be set if type is "Localhost". + Must NOT be set for any other type. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - + a profile defined in a file on the node should be + used. RuntimeDefault - the container runtime default + profile should be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. 
If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. All of a Pod's + containers must have the same effective HostProcess + value (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must also + be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed until + this completes successfully. If this probe fails, the Pod + will be restarted, just as if the livenessProbe failed. This + can be used to provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time to load + data or warm a cache, than during steady-state operation. + This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. 
Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, reads + from stdin in the container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. 
Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success and + failure. FallbackToLogsOnError will use the last chunk of + container log output if the termination message file is empty + and the container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is smaller. Defaults + to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for + itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the volume + should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are + propagated from the host to container and the other + way around. When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. 
+ type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves similarly + to SubPath but environment variable references $(VAR_NAME) + are expanded using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + externalUrl: + description: The external URL the Alertmanager instances will be available + under. This is necessary to generate correct URLs. This is necessary + if Alertmanager is not served from root of a DNS name. + type: string + forceEnableClusterMode: + description: ForceEnableClusterMode ensures Alertmanager does not + deactivate the cluster mode when running with a single replica. + Use case is e.g. spanning an Alertmanager cluster across Kubernetes + clusters with a single replica in each. + type: boolean + hostAliases: + description: Pods' hostAliases configuration + items: + description: HostAlias holds the mapping between IP and hostnames + that will be injected as an entry in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + required: + - hostnames + - ip + type: object + type: array + x-kubernetes-list-map-keys: + - ip + x-kubernetes-list-type: map + image: + description: Image if specified has precedence over baseImage, tag + and sha combinations. 
Specifying the version is still necessary + to ensure the Prometheus Operator knows what version of Alertmanager + is being configured. + type: string + imagePullPolicy: + description: Image pull policy for the 'alertmanager', 'init-config-reloader' + and 'config-reloader' containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + for more details. + enum: + - "" + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: An optional list of references to secrets in the same + namespace to use for pulling prometheus and alertmanager images + from registries see http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: 'InitContainers allows adding initContainers to the pod + definition. Those can be used to e.g. fetch secrets for injection + into the Alertmanager configuration from external sources. Any errors + during the execution of an initContainer will lead to a restart + of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + InitContainers described here modify an operator generated init + containers if they share the same name and modifications are done + via a strategic merge patch. The current init container name is: + `init-config-reloader`. Overriding init containers is entirely outside + the scope of what the maintainers will support and by doing so, + you accept that this behaviour may break at any time without notice.' 
+ items: + description: A single application container that you want to run + within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If a variable + cannot be resolved, the reference in the input string will + be unchanged. Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: + i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. + If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must be + a C_IDENTIFIER. All invalid keys will be reported as an event + when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take + precedence. Values defined by an Env with a duplicate key + will take precedence. Cannot be updated. 
+ items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container + is created. 
If the handler fails, the container is terminated + and restarted according to its restart policy. Other management + of the container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, resource + contention, etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the container + will eventually terminate within the Pod''s termination + grace period (unless delayed by finalizers). Other management + of the container blocks until the hook completes or until + the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. 
The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. 
+ properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. 
+ properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. 
+ Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in a + single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x < + 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe + fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. 
Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. 
spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource resize + policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this resource + resize policy applies. Supported values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified resource + is resized. If not specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only + be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior of + individual containers in a pod. This field may only be set + for init containers, and the only allowed value is "Always". + For non-init containers or when this field is not specified, + the restart behavior is defined by the Pod''s restart policy + and the container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: this + init container will be continually restarted on exit until + all regular containers have terminated. Once all regular containers + have completed, all init containers with restartPolicy "Always" + will be shut down. This lifecycle differs from normal init + containers and is often referred to as a "sidecar" container. 
+ Although this init container still starts in the init container + sequence, it does not wait for the container to complete before + proceeding to the next init container. Instead, the next init + container starts immediately after this init container is + started, or after any startupProbe has successfully completed.' + type: string + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by + the container runtime. Note that this field cannot be + set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent to + root on the host. Defaults to false. Note that this field + cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to + use for the containers. 
The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a + non-root user. If true, the Kubelet will validate the + image at runtime to ensure that it does not run as UID + 0 (root) and fail to start the container if it does. If + unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a + random SELinux context for each container. May also be + set in PodSecurityContext. 
If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile + must be preconfigured on the node to work. Must be + a descending path, relative to the kubelet's configured + seccomp profile location. Must be set if type is "Localhost". + Must NOT be set for any other type. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - + a profile defined in a file on the node should be + used. RuntimeDefault - the container runtime default + profile should be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. 
+ properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. All of a Pod's + containers must have the same effective HostProcess + value (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must also + be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed until + this completes successfully. If this probe fails, the Pod + will be restarted, just as if the livenessProbe failed. This + can be used to provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time to load + data or warm a cache, than during steady-state operation. + This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. 
Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, reads + from stdin in the container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. 
Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success and + failure. FallbackToLogsOnError will use the last chunk of + container log output if the termination message file is empty + and the container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is smaller. Defaults + to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for + itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the volume + should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are + propagated from the host to container and the other + way around. When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. 
+ type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves similarly + to SubPath but environment variable references $(VAR_NAME) + are expanded using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + listenLocal: + description: ListenLocal makes the Alertmanager server listen on loopback, + so that it does not bind against the Pod IP. Note this is only for + the Alertmanager UI, not the gossip communication. + type: boolean + logFormat: + description: Log format for Alertmanager to be configured with. + enum: + - "" + - logfmt + - json + type: string + logLevel: + description: Log level for Alertmanager to be configured with. + enum: + - "" + - debug + - info + - warn + - error + type: string + minReadySeconds: + description: Minimum number of seconds for which a newly created pod + should be ready without any of its container crashing for it to + be considered available. Defaults to 0 (pod will be considered available + as soon as it is ready) This is an alpha field from kubernetes 1.22 + until 1.24 which requires enabling the StatefulSetMinReadySeconds + feature gate. + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: Define which Nodes the Pods are scheduled on. 
+ type: object + paused: + description: If set to true all actions on the underlying managed + objects are not goint to be performed, except for delete actions. + type: boolean + podMetadata: + description: "PodMetadata configures labels and annotations which + are propagated to the Alertmanager pods. \n The following items + are reserved and cannot be overridden: * \"alertmanager\" label, + set to the name of the Alertmanager instance. * \"app.kubernetes.io/instance\" + label, set to the name of the Alertmanager instance. * \"app.kubernetes.io/managed-by\" + label, set to \"prometheus-operator\". * \"app.kubernetes.io/name\" + label, set to \"alertmanager\". * \"app.kubernetes.io/version\" + label, set to the Alertmanager version. * \"kubectl.kubernetes.io/default-container\" + annotation, set to \"alertmanager\"." + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map stored + with a resource that may be set by external tools to store and + retrieve arbitrary metadata. They are not queryable and should + be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used to + organize and categorize (scope and select) objects. May match + selectors of replication controllers and services. More info: + http://kubernetes.io/docs/user-guide/labels' + type: object + name: + description: 'Name must be unique within a namespace. Is required + when creating resources, although some resources may allow a + client to request the generation of an appropriate name automatically. + Name is primarily intended for creation idempotence and configuration + definition. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + type: object + portName: + default: web + description: Port name used for the pods and governing service. Defaults + to `web`. + type: string + priorityClassName: + description: Priority class assigned to the Pods + type: string + replicas: + description: Size is the expected size of the alertmanager cluster. + The controller will eventually make the size of the running cluster + equal to the expected size. + format: int32 + type: integer + resources: + description: Define resources requests and limits for single Pods. + properties: + claims: + description: "Claims lists the names of resources, defined in + spec.resourceClaims, that are used by this container. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be set + for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims + of the Pod where this field is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + retention: + default: 120h + description: Time duration Alertmanager shall retain data for. Default + is '120h', and must match the regular expression `[0-9]+(ms|s|m|h)` + (milliseconds seconds minutes hours). + pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + routePrefix: + description: The route prefix Alertmanager registers HTTP handlers + for. This is useful, if using ExternalURL and a proxy is rewriting + HTTP routes of a request, and the actual ExternalURL is still true, + but the server serves requests under a different route prefix. For + example for use with `kubectl proxy`. + type: string + secrets: + description: Secrets is a list of Secrets in the same namespace as + the Alertmanager object, which shall be mounted into the Alertmanager + Pods. Each Secret is added to the StatefulSet definition as a volume + named `secret-`. The Secrets are mounted into `/etc/alertmanager/secrets/` + in the 'alertmanager' container. + items: + type: string + type: array + securityContext: + description: SecurityContext holds pod-level security attributes and + common container settings. This defaults to the default PodSecurityContext. 
+ properties: + fsGroup: + description: "A special supplemental group that applies to all + containers in a pod. Some volume types allow the Kubelet to + change the ownership of that volume to be owned by the pod: + \n 1. The owning GID will be the FSGroup 2. The setgid bit is + set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- \n If unset, + the Kubelet will not modify the ownership and permissions of + any volume. Note that this field cannot be set when spec.os.name + is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, configmaps + and emptydir. Valid values are "OnRootMismatch" and "Always". + If not specified, "Always" is used. Note that this field cannot + be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container process. + Uses runtime default if unset. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no such validation + will be performed. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies to + the container. + type: string + role: + description: Role is a SELinux role label that applies to + the container. + type: string + type: + description: Type is a SELinux type label that applies to + the container. + type: string + user: + description: User is a SELinux user label that applies to + the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers in this + pod. Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must be + preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must be set if type is "Localhost". Must NOT be + set for any other type. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. 
Valid options are: \n Localhost - a profile + defined in a file on the node should be used. RuntimeDefault + - the container runtime default profile should be used. + Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process run + in each container, in addition to the container's primary GID, + the fsGroup (if specified), and group memberships defined in + the container image for the uid of the container process. If + unspecified, no additional groups are added to any container. + Note that group memberships defined in the container image for + the uid of the container process are still effective, even if + they are not included in this list. Note that this field cannot + be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used for + the pod. Pods with unsupported sysctls (by the container runtime) + might fail to launch. Note that this field cannot be set when + spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is linux. 
+ properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named by + the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. All of a Pod's containers + must have the same effective HostProcess value (it is not + allowed to have a mix of HostProcess containers and non-HostProcess + containers). In addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the Prometheus Pods. + type: string + sha: + description: 'SHA of Alertmanager container image to be deployed. + Defaults to the value of `version`. Similar to a tag, but the SHA + explicitly deploys an immutable container image. Version and Tag + are ignored if SHA is set. Deprecated: use ''image'' instead. The + image digest can be specified as part of the image URL.' + type: string + storage: + description: Storage is the definition of how storage will be used + by the Alertmanager instances. + properties: + disableMountSubPath: + description: 'Deprecated: subPath usage will be removed in a future + release.' + type: boolean + emptyDir: + description: 'EmptyDirVolumeSource to be used by the StatefulSet. 
+ If specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`. + More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir' + properties: + medium: + description: 'medium represents what type of storage medium + should back this directory. The default is "" which means + to use the node''s default medium. Must be an empty string + (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount of local storage + required for this EmptyDir volume. The size limit is also + applicable for memory medium. The maximum usage on memory + medium EmptyDir would be the minimum value between the SizeLimit + specified here and the sum of memory limits of all containers + in a pod. The default is nil which means that the limit + is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: 'EphemeralVolumeSource to be used by the StatefulSet. + This is a beta field in k8s 1.21 and GA in 1.15. For lower versions, + starting with k8s 1.19, it requires enabling the GenericEphemeralVolume + feature gate. More info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes' + properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone PVC to + provision the volume. The pod in which this EphemeralVolumeSource + is embedded will be the owner of the PVC, i.e. the PVC will + be deleted together with the pod. The name of the PVC will + be `-` where `` is the + name from the `PodSpec.Volumes` array entry. Pod validation + will reject the pod if the concatenated name is not valid + for a PVC (for example, too long). 
\n An existing PVC with + that name that is not owned by the pod will *not* be used + for the pod to avoid using an unrelated volume by mistake. + Starting the pod is then blocked until the unrelated PVC + is removed. If such a pre-created PVC is meant to be used + by the pod, the PVC has to updated with an owner reference + to the pod once the pod exists. Normally this should not + be necessary, but it may be useful when manually reconstructing + a broken cluster. \n This field is read-only and no changes + will be made by Kubernetes to the PVC after it has been + created. \n Required, must not be nil." + properties: + metadata: + description: May contain labels and annotations that will + be copied into the PVC when creating it. No other fields + are allowed and will be rejected during validation. + type: object + spec: + description: The specification for the PersistentVolumeClaim. + The entire content is copied unchanged into the PVC + that gets created from this template. The same fields + as in a PersistentVolumeClaim are also valid here. + properties: + accessModes: + description: 'accessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify + either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the + provisioner or an external controller can support + the specified data source, it will create a new + volume based on the contents of the specified data + source. When the AnyVolumeDataSource feature gate + is enabled, dataSource contents will be copied to + dataSourceRef, and dataSourceRef contents will be + copied to dataSource when dataSourceRef.namespace + is not specified. If the namespace is specified, + then dataSourceRef will not be copied to dataSource.' 
+ properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is + required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object from + which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a + non-empty API group (non core object) or a PersistentVolumeClaim + object. When this field is specified, volume binding + will only succeed if the type of the specified object + matches some installed volume populator or dynamic + provisioner. This field will replace the functionality + of the dataSource field and as such if both fields + are non-empty, they must have the same value. For + backwards compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource and dataSourceRef) + will be set to the same value automatically if one + of them is empty and the other is non-empty. When + namespace is specified in dataSourceRef, dataSource + isn''t set to the same value and must be empty. + There are three important differences between dataSource + and dataSourceRef: * While dataSource only allows + two specific types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values + (dropping them), dataSourceRef preserves all values, + and generates an error if a disallowed value is + specified. * While dataSource only allows local + objects, dataSourceRef allows objects in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource + feature gate to be enabled. 
(Alpha) Using the namespace + field of dataSourceRef requires the CrossNamespaceVolumeDataSource + feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is + required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: Namespace is the namespace of resource + being referenced Note that when a namespace + is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. (Alpha) This field requires the + CrossNamespaceVolumeDataSource feature gate + to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources + the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to specify + resource requirements that are lower than previous + value but must still be higher than capacity recorded + in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. Requests cannot + exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the + StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may be used + to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update + the volume with the attributes defined in the corresponding + VolumeAttributesClass. This has a different purpose + than storageClassName, it can be changed after the + claim is created. An empty string value means that + no VolumeAttributesClass will be applied to the + claim but it''s not allowed to reset this field + to empty string once it is set. If unspecified and + the PersistentVolumeClaim is unbound, the default + VolumeAttributesClass will be set by the persistentvolume + controller if it exists. If the resource referred + to by volumeAttributesClass does not exist, this + PersistentVolumeClaim will be set to a Pending state, + as reflected by the modifyVolumeStatus field, until + such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem is + implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to + the PersistentVolume backing this claim. 
+ type: string + type: object + required: + - spec + type: object + type: object + volumeClaimTemplate: + description: Defines the PVC spec to be used by the Prometheus + StatefulSets. The easiest way to use a volume that cannot be + automatically provisioned is to use a label selector alongside + manually created PersistentVolumes. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: EmbeddedMetadata contains metadata relevant to + an EmbeddedResource. + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value + map stored with a resource that may be set by external + tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying + objects. More info: http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be + used to organize and categorize (scope and select) objects. + May match selectors of replication controllers and services. + More info: http://kubernetes.io/docs/user-guide/labels' + type: object + name: + description: 'Name must be unique within a namespace. 
+ Is required when creating resources, although some resources + may allow a client to request the generation of an appropriate + name automatically. Name is primarily intended for creation + idempotence and configuration definition. Cannot be + updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + type: object + spec: + description: 'Defines the desired characteristics of a volume + requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + accessModes: + description: 'accessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify + either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified + data source, it will create a new volume based on the + contents of the specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource contents will be + copied to dataSourceRef, and dataSourceRef contents + will be copied to dataSource when dataSourceRef.namespace + is not specified. If the namespace is specified, then + dataSourceRef will not be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. 
+ type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object from + which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty + API group (non core object) or a PersistentVolumeClaim + object. When this field is specified, volume binding + will only succeed if the type of the specified object + matches some installed volume populator or dynamic provisioner. + This field will replace the functionality of the dataSource + field and as such if both fields are non-empty, they + must have the same value. For backwards compatibility, + when namespace isn''t specified in dataSourceRef, both + fields (dataSource and dataSourceRef) will be set to + the same value automatically if one of them is empty + and the other is non-empty. When namespace is specified + in dataSourceRef, dataSource isn''t set to the same + value and must be empty. There are three important differences + between dataSource and dataSourceRef: * While dataSource + only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values + (dropping them), dataSourceRef preserves all values, + and generates an error if a disallowed value is specified. + * While dataSource only allows local objects, dataSourceRef + allows objects in any namespaces. (Beta) Using this + field requires the AnyVolumeDataSource feature gate + to be enabled. (Alpha) Using the namespace field of + dataSourceRef requires the CrossNamespaceVolumeDataSource + feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. 
If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: Namespace is the namespace of resource + being referenced Note that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant object + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the + ReferenceGrant documentation for details. (Alpha) + This field requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources + the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to specify resource + requirements that are lower than previous value but + must still be higher than capacity recorded in the status + field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. 
If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes to + consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the StorageClass + required by the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may be used to + set the VolumeAttributesClass used by this claim. If + specified, the CSI driver will create or update the + volume with the attributes defined in the corresponding + VolumeAttributesClass. This has a different purpose + than storageClassName, it can be changed after the claim + is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not allowed to + reset this field to empty string once it is set. If + unspecified and the PersistentVolumeClaim is unbound, + the default VolumeAttributesClass will be set by the + persistentvolume controller if it exists. If the resource + referred to by volumeAttributesClass does not exist, + this PersistentVolumeClaim will be set to a Pending + state, as reflected by the modifyVolumeStatus field, + until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string + volumeMode: + description: volumeMode defines what type of volume is + required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the + PersistentVolume backing this claim. + type: string + type: object + status: + description: 'Deprecated: this field is never set.' + properties: + accessModes: + description: 'accessModes contains the actual access modes + the volume backing the PVC has. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + allocatedResourceStatuses: + additionalProperties: + description: When a controller receives persistentvolume + claim update with ClaimResourceStatus for a resource + that it does not recognizes, then it should ignore + that update and let other controllers handle it. + type: string + description: "allocatedResourceStatuses stores status + of resource being resized for the given PVC. Key names + follow standard Kubernetes label syntax. Valid values + are either: * Un-prefixed keys: - storage - the capacity + of the volume. * Custom resources must use implementation-defined + prefixed names such as \"example.com/my-custom-resource\" + Apart from above values - keys that are unprefixed or + have kubernetes.io prefix are considered reserved and + hence may not be used. \n ClaimResourceStatus can be + in any of following states: - ControllerResizeInProgress: + State set when resize controller starts resizing the + volume in control-plane. - ControllerResizeFailed: State + set when resize has failed in resize controller with + a terminal error. - NodeResizePending: State set when + resize controller has finished resizing the volume but + further resizing of volume is needed on the node. - + NodeResizeInProgress: State set when kubelet starts + resizing the volume. - NodeResizeFailed: State set when + resizing has failed in kubelet with a terminal error. + Transient errors don't set NodeResizeFailed. 
For example: + if expanding a PVC for more capacity - this field can + be one of the following states: - pvc.status.allocatedResourceStatus['storage'] + = \"ControllerResizeInProgress\" - pvc.status.allocatedResourceStatus['storage'] + = \"ControllerResizeFailed\" - pvc.status.allocatedResourceStatus['storage'] + = \"NodeResizePending\" - pvc.status.allocatedResourceStatus['storage'] + = \"NodeResizeInProgress\" - pvc.status.allocatedResourceStatus['storage'] + = \"NodeResizeFailed\" When this field is not set, it + means that no resize operation is in progress for the + given PVC. \n A controller that receives PVC update + with previously unknown resourceName or ClaimResourceStatus + should ignore the update for the purpose it was designed. + For example - a controller that only is responsible + for resizing capacity of the volume, should ignore PVC + updates that change other valid resources associated + with PVC. \n This is an alpha field and requires enabling + RecoverVolumeExpansionFailure feature." + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: "allocatedResources tracks the resources + allocated to a PVC including its capacity. Key names + follow standard Kubernetes label syntax. Valid values + are either: * Un-prefixed keys: - storage - the capacity + of the volume. * Custom resources must use implementation-defined + prefixed names such as \"example.com/my-custom-resource\" + Apart from above values - keys that are unprefixed or + have kubernetes.io prefix are considered reserved and + hence may not be used. \n Capacity reported here may + be larger than the actual capacity when a volume expansion + operation is requested. 
For storage quota, the larger + value from allocatedResources and PVC.spec.resources + is used. If allocatedResources is not set, PVC.spec.resources + alone is used for quota calculation. If a volume expansion + capacity request is lowered, allocatedResources is only + lowered if there are no expansion operations in progress + and if the actual volume capacity is equal or lower + than the requested capacity. \n A controller that receives + PVC update with previously unknown resourceName should + ignore the update for the purpose it was designed. For + example - a controller that only is responsible for + resizing capacity of the volume, should ignore PVC updates + that change other valid resources associated with PVC. + \n This is an alpha field and requires enabling RecoverVolumeExpansionFailure + feature." + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: capacity represents the actual resources + of the underlying volume. + type: object + conditions: + description: conditions is the current Condition of persistent + volume claim. If underlying persistent volume is being + resized then the Condition will be set to 'ResizeStarted'. + items: + description: PersistentVolumeClaimCondition contains + details about state of pvc + properties: + lastProbeTime: + description: lastProbeTime is the time we probed + the condition. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the time the + condition transitioned from one status to another. + format: date-time + type: string + message: + description: message is the human-readable message + indicating details about last transition. 
+ type: string + reason: + description: reason is a unique, this should be + a short, machine understandable string that gives + the reason for condition's last transition. If + it reports "ResizeStarted" that means the underlying + persistent volume is being resized. + type: string + status: + type: string + type: + description: PersistentVolumeClaimConditionType + is a valid value of PersistentVolumeClaimCondition.Type + type: string + required: + - status + - type + type: object + type: array + currentVolumeAttributesClassName: + description: currentVolumeAttributesClassName is the current + name of the VolumeAttributesClass the PVC is using. + When unset, there is no VolumeAttributeClass applied + to this PersistentVolumeClaim This is an alpha field + and requires enabling VolumeAttributesClass feature. + type: string + modifyVolumeStatus: + description: ModifyVolumeStatus represents the status + object of ControllerModifyVolume operation. When this + is unset, there is no ModifyVolume operation being attempted. + This is an alpha field and requires enabling VolumeAttributesClass + feature. + properties: + status: + description: 'status is the status of the ControllerModifyVolume + operation. It can be in any of following states: + - Pending Pending indicates that the PersistentVolumeClaim + cannot be modified due to unmet requirements, such + as the specified VolumeAttributesClass not existing. + - InProgress InProgress indicates that the volume + is being modified. - Infeasible Infeasible indicates + that the request has been rejected as invalid by + the CSI driver. To resolve the error, a valid VolumeAttributesClass + needs to be specified. Note: New statuses can be + added in the future. Consumers should check for + unknown statuses and fail appropriately.' 
+ type: string + targetVolumeAttributesClassName: + description: targetVolumeAttributesClassName is the + name of the VolumeAttributesClass the PVC currently + being reconciled + type: string + required: + - status + type: object + phase: + description: phase represents the current phase of PersistentVolumeClaim. + type: string + type: object + type: object + type: object + tag: + description: 'Tag of Alertmanager container image to be deployed. + Defaults to the value of `version`. Version is ignored if Tag is + set. Deprecated: use ''image'' instead. The image tag can be specified + as part of the image URL.' + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. 
+ format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: If specified, the pod's topology spread constraints. + items: + description: TopologySpreadConstraint specifies how to spread matching + pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. Pods + that match this label selector are counted to determine the + number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: "MatchLabelKeys is a set of pod label keys to select + the pods over which spreading will be calculated. The keys + are used to lookup values from the incoming pod labels, those + key-value labels are ANDed with labelSelector to select the + group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in + both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot + be set when LabelSelector isn't set. Keys that don't exist + in the incoming pod labels will be ignored. A null or empty + list means only match against labelSelector. \n This is a + beta field and requires the MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by default)." + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods may + be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods + in an eligible domain or zero if the number of eligible domains + is less than MinDomains. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. | + zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew + is 1, incoming pod can only be scheduled to zone3 to become + 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) + on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming + pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that satisfy + it. It''s a required field. Default value is 1 and 0 is not + allowed.' 
+ format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation of + Skew is performed. And when the number of eligible domains + with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. As a result, when + the number of eligible domains is less than minDomains, scheduler + won't schedule more than maxSkew Pods to those domains. If + value is nil, the constraint behaves as if MinDomains is equal + to 1. Valid values are integers greater than 0. When value + is not nil, WhenUnsatisfiable must be DoNotSchedule. \n For + example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains + is set to 5 and pods with the same labelSelector spread as + 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | + The number of domains is less than 5(MinDomains), so \"global + minimum\" is treated as 0. In this situation, new pod with + the same labelSelector cannot be scheduled, because computed + skew will be 3(3 - 0) if new Pod is scheduled to any of the + three zones, it will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread feature gate + to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. \n + If this value is nil, the behavior is equivalent to the Honor + policy. This is a beta-level feature default enabled by the + NodeInclusionPolicyInPodTopologySpread feature flag." 
+ type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat node + taints when calculating pod topology spread skew. Options + are: - Honor: nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + \n If this value is nil, the behavior is equivalent to the + Ignore policy. This is a beta-level feature default enabled + by the NodeInclusionPolicyInPodTopologySpread feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes that + have a label with this key and identical values are considered + to be in the same topology. We consider each + as a "bucket", and try to put balanced number of pods into + each bucket. We define a domain as a particular instance of + a topology. Also, we define an eligible domain as a domain + whose nodes meet the requirements of nodeAffinityPolicy and + nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain of + that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with a + pod if it doesn''t satisfy the spread constraint. - DoNotSchedule + (default) tells the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any location, but + giving higher precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" for an + incoming pod if and only if every possible node assignment + for that pod would violate "MaxSkew" on some topology. 
For + example, in a 3-zone cluster, MaxSkew is set to 1, and pods + with the same labelSelector spread as 3/1/1: | zone1 | zone2 + | zone3 | | P P P | P | P | If WhenUnsatisfiable is + set to DoNotSchedule, incoming pod can only be scheduled to + zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on + zone2(zone3) satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make it *more* + imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + version: + description: Version the cluster should be on. + type: string + volumeMounts: + description: VolumeMounts allows configuration of additional VolumeMounts + on the output StatefulSet definition. VolumeMounts specified will + be appended to other VolumeMounts in the alertmanager container, + that are generated as a result of StorageSpec objects. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: Path within the container at which the volume should + be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are propagated + from the host to container and the other way around. When + not set, MountPropagationNone is used. This field is beta + in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which the + container's volume should be mounted. 
Behaves similarly to + SubPath but environment variable references $(VAR_NAME) are + expanded using the container's environment. Defaults to "" + (volume's root). SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Volumes allows configuration of additional volumes on + the output StatefulSet definition. Volumes specified will be appended + to other volumes that are generated as a result of StorageSpec objects. + items: + description: Volume represents a named volume in a pod that may + be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents an AWS Disk resource + that is attached to a kubelet''s host machine and then exposed + to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type of the volume + that you want to mount. Tip: Ensure that the filesystem + type is supported by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from + compromising the machine' + type: string + partition: + description: 'partition is the partition in the volume that + you want to mount. If omitted, the default is to mount + by volume name. Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume partition + for /dev/sda is "0" (or you can leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force the readOnly + setting in VolumeMounts. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the persistent disk + resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount on + the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: None, + Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in the + blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the blob + storage + type: string + fsType: + description: fsType is Filesystem type to mount. Must be + a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single blob + disk per storage account Managed: azure managed data + disk (only in managed availability set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). ReadOnly + here will force the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service mount + on the host and bind mount to the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). ReadOnly + here will force the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that contains + Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host that + shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors is a collection + of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted root, + rather than the full Ceph tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile is the + path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef is reference + to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the rados user name, + default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume attached and + mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type to mount. Must + be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to + be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). ReadOnly + here will force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points to a secret + object containing parameters used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should populate + this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode bits used to + set permissions on created files by default. Must be an + octal value between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. 
Defaults to + 0644. Directories within the path are not affected by + this setting. This might be in conflict with other options + that affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value pair in + the Data field of the referenced ConfigMap will be projected + into the volume as a file whose name is the key and content + is the value. If specified, the listed keys will be projected + into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in + the ConfigMap, the volume setup will error unless it is + marked optional. Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to + set permissions on this file. Must be an octal value + between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. If not + specified, the volume defaultMode will be used. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the file + to map the key to. May not be an absolute path. + May not contain the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: optional specify whether the ConfigMap or its + keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents ephemeral + storage that is handled by certain external CSI drivers (Beta + feature). + properties: + driver: + description: driver is the name of the CSI driver that handles + this volume. Consult with your admin for the correct name + as registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated + CSI driver which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference to the + secret object containing sensitive information to pass + to the CSI driver to complete the CSI NodePublishVolume + and NodeUnpublishVolume calls. This field is optional, + and may be empty if no secret is required. If the secret + object contains more than one secret, all secret references + are passed. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only configuration + for the volume. Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific properties + that are passed to the CSI driver. Consult your driver's + documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the pod + that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on created files + by default. Must be a Optional: mode bits used to set + permissions on created files by default. Must be an octal + value between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. Defaults to + 0644. Directories within the path are not affected by + this setting. This might be in conflict with other options + that affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: Items is a list of downward API volume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the pod: + only annotations, labels, name and namespace are + supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to set permissions + on this file, must be an octal value between 0000 + and 0777 or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This might + be in conflict with other options that affect the + file mode, like fsGroup, and the result can be other + mode bits set.' 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative path + name of the file to be created. Must not be absolute + or contain the ''..'' path. Must be utf-8 encoded. + The first item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary directory that + shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type of storage medium + should back this directory. The default is "" which means + to use the node''s default medium. Must be an empty string + (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount of local storage + required for this EmptyDir volume. The size limit is also + applicable for memory medium. The maximum usage on memory + medium EmptyDir would be the minimum value between the + SizeLimit specified here and the sum of memory limits + of all containers in a pod. 
The default is nil which means + that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: "ephemeral represents a volume that is handled + by a cluster storage driver. The volume's lifecycle is tied + to the pod that defines it - it will be created before the + pod starts, and deleted when the pod is removed. \n Use this + if: a) the volume is only needed while the pod runs, b) features + of normal volumes like restoring from snapshot or capacity + tracking are needed, c) the storage driver is specified through + a storage class, and d) the storage driver supports dynamic + volume provisioning through a PersistentVolumeClaim (see EphemeralVolumeSource + for more information on the connection between this volume + type and PersistentVolumeClaim). \n Use PersistentVolumeClaim + or one of the vendor-specific APIs for volumes that persist + for longer than the lifecycle of an individual pod. \n Use + CSI for light-weight local ephemeral volumes if the CSI driver + is meant to be used that way - see the documentation of the + driver for more information. \n A pod can use both types of + ephemeral volumes and persistent volumes at the same time." + properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone PVC to + provision the volume. The pod in which this EphemeralVolumeSource + is embedded will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The name of the + PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. + Pod validation will reject the pod if the concatenated + name is not valid for a PVC (for example, too long). 
\n + An existing PVC with that name that is not owned by the + pod will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC + is meant to be used by the pod, the PVC has to updated + with an owner reference to the pod once the pod exists. + Normally this should not be necessary, but it may be useful + when manually reconstructing a broken cluster. \n This + field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. \n Required, must + not be nil." + properties: + metadata: + description: May contain labels and annotations that + will be copied into the PVC when creating it. No other + fields are allowed and will be rejected during validation. + type: object + spec: + description: The specification for the PersistentVolumeClaim. + The entire content is copied unchanged into the PVC + that gets created from this template. The same fields + as in a PersistentVolumeClaim are also valid here. + properties: + accessModes: + description: 'accessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify + either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the + provisioner or an external controller can support + the specified data source, it will create a new + volume based on the contents of the specified + data source. When the AnyVolumeDataSource feature + gate is enabled, dataSource contents will be copied + to dataSourceRef, and dataSourceRef contents will + be copied to dataSource when dataSourceRef.namespace + is not specified. If the namespace is specified, + then dataSourceRef will not be copied to dataSource.' 
+ properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API + group. For any other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object + from which to populate the volume with data, if + a non-empty volume is desired. This may be any + object from a non-empty API group (non core object) + or a PersistentVolumeClaim object. When this field + is specified, volume binding will only succeed + if the type of the specified object matches some + installed volume populator or dynamic provisioner. + This field will replace the functionality of the + dataSource field and as such if both fields are + non-empty, they must have the same value. For + backwards compatibility, when namespace isn''t + specified in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the same value + automatically if one of them is empty and the + other is non-empty. When namespace is specified + in dataSourceRef, dataSource isn''t set to the + same value and must be empty. There are three + important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types + of objects, dataSourceRef allows any non-core + object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping + them), dataSourceRef preserves all values, and + generates an error if a disallowed value is specified. + * While dataSource only allows local objects, + dataSourceRef allows objects in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource + feature gate to be enabled. 
(Alpha) Using the + namespace field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature gate to + be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API + group. For any other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: Namespace is the namespace of resource + being referenced Note that when a namespace + is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant documentation + for details. (Alpha) This field requires the + CrossNamespaceVolumeDataSource feature gate + to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources + the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to specify + resource requirements that are lower than previous + value but must still be higher than capacity recorded + in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the + StorageClass required by the claim. More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may be used + to set the VolumeAttributesClass used by this + claim. If specified, the CSI driver will create + or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This + has a different purpose than storageClassName, + it can be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not allowed + to reset this field to empty string once it is + set. If unspecified and the PersistentVolumeClaim + is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller + if it exists. If the resource referred to by volumeAttributesClass + does not exist, this PersistentVolumeClaim will + be set to a Pending state, as reflected by the + modifyVolumeStatus field, until such as a resource + exists. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem + is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. 
+ type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that is + attached to a kubelet's host machine and then exposed to the + pod. + properties: + fsType: + description: 'fsType is the filesystem type to mount. Must + be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. TODO: how do we prevent errors in the + filesystem from compromising the machine' + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting in VolumeMounts.' + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world wide identifiers + (wwids) Either wwids or combination of targetWWNs and + lun must be set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume resource + that is provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use for + this volume. + type: string + fsType: + description: fsType is the filesystem type to mount. Must + be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds extra + command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults to false (read/write). + ReadOnly here will force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + secretRef: + description: 'secretRef is Optional: secretRef is reference + to the secret object containing sensitive information + to pass to the plugin scripts. This may be empty if no + secret object is specified. If the secret object contains + more than one secret, all secrets are passed to the plugin + scripts.' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached to + a kubelet's host machine. This depends on the Flocker control + service being running + properties: + datasetName: + description: datasetName is Name of the dataset stored as + metadata -> name on the dataset for Flocker should be + considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. This + is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE Disk resource + that is attached to a kubelet''s host machine and then exposed + to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of the volume that + you want to mount. Tip: Ensure that the filesystem type + is supported by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from + compromising the machine' + type: string + partition: + description: 'partition is the partition in the volume that + you want to mount. If omitted, the default is to mount + by volume name. 
Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume partition + for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the PD resource in + GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly setting + in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository at a particular + revision. DEPRECATED: GitRepo is deprecated. To provision + a container with a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the EmptyDir into + the Pod''s container.' + properties: + directory: + description: directory is the target directory name. Must + not contain or start with '..'. If '.' is supplied, the + volume directory will be the git repository. Otherwise, + if specified, the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs mount on the + host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name that details + Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume path. 
More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the Glusterfs volume + to be mounted with read-only permissions. Defaults to + false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing file or directory + on the host machine that is directly exposed to the container. + This is generally used for system agents or other privileged + things that are allowed to see the host machine. Most containers + will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can use host directory + mounts and who can/can not mount host directories as read/write.' + properties: + path: + description: 'path of the directory on the host. If the + path is a symlink, it will follow the link to the real + path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults to "" More + info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource that is + attached to a kubelet''s host machine and then exposed to + the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support iSCSI + Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support iSCSI + Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type of the volume + that you want to mount. Tip: Ensure that the filesystem + type is supported by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from + compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI Initiator + Name. If initiatorName is specified with iscsiInterface + simultaneously, new iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface Name that uses + an iSCSI transport. Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal List. The + portal is either an IP or ip_addr:port if the port is + other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the ReadOnly setting + in VolumeMounts. Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI target + and initiator authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target Portal. The Portal + is either an IP or ip_addr:port if the port is other than + default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL and unique + within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the host that shares + a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the NFS server. More + info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the NFS export to + be mounted with read-only permissions. Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP address of the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource represents a + reference to a PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type to mount. Must + be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. 
+ type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume attached + and mounted on kubelets host machine + properties: + fsType: + description: fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating + system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). ReadOnly + here will force the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits used to set permissions + on created files by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON requires decimal + values for mode bits. Directories within the path are + not affected by this setting. This might be in conflict + with other options that affect the file mode, like fsGroup, + and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along with + other supported volume types + properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod to access + the `.spec.trustBundle` field of ClusterTrustBundle + objects in an auto-updating file. \n Alpha, gated + by the ClusterTrustBundleProjection feature gate. + \n ClusterTrustBundle objects can either be selected + by name, or by the combination of signer name and + a label selector. 
\n Kubelet performs aggressive + normalization of the PEM contents written into the + pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates + are deduplicated. The ordering of certificates within + the file is arbitrary, and Kubelet may change the + order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles that + match this label selector. Only has effect + if signerName is set. Mutually-exclusive with + name. If unset, interpreted as "match nothing". If + set but empty, interpreted as "match everything". + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive with signerName + and labelSelector. + type: string + optional: + description: If true, don't block pod startup + if the referenced ClusterTrustBundle(s) aren't + available. If using name, then the named ClusterTrustBundle + is allowed not to exist. If using signerName, + then the combination of signerName and labelSelector + is allowed to match zero ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root + to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles that + match this signer name. Mutually-exclusive with + name. The contents of all selected ClusterTrustBundles + will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced ConfigMap + will be projected into the volume as a file + whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified which + is not present in the ConfigMap, the volume + setup will error unless it is marked optional. + Paths must be relative and may not contain the + '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
If not specified, the volume + defaultMode will be used. This might be + in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of + the file to map the key to. May not be + an absolute path. May not contain the + path element '..'. May not start with + the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI + data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to + set permissions on this file, must be + an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML + accepts both octal and decimal values, + JSON requires decimal values for mode + bits. If not specified, the volume defaultMode + will be used. 
This might be in conflict + with other options that affect the file + mode, like fsGroup, and the result can + be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' + path. Must be utf-8 encoded. The first + item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults + to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret data + to project + properties: + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced Secret + will be projected into the volume as a file + whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified which + is not present in the Secret, the volume setup + will error unless it is marked optional. Paths + must be relative and may not contain the '..' + path or start with '..'. + items: + description: Maps a string key to a path within + a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. If not specified, the volume + defaultMode will be used. This might be + in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of + the file to map the key to. May not be + an absolute path. May not contain the + path element '..'. May not start with + the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: audience is the intended audience + of the token. A recipient of a token must identify + itself with an identifier specified in the audience + of the token, and otherwise should reject the + token. The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is the requested + duration of validity of the service account + token. As the token approaches expiration, the + kubelet volume plugin will proactively rotate + the service account token. 
The kubelet will + start trying to rotate the token if the token + is older than 80 percent of its time to live + or if the token is older than 24 hours.Defaults + to 1 hour and must be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative to the + mount point of the file to project the token + into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: group to map volume access to Default is no + group + type: string + readOnly: + description: readOnly here will force the Quobyte volume + to be mounted with read-only permissions. Defaults to + false. + type: boolean + registry: + description: registry represents a single or multiple Quobyte + Registry services specified as a string as host:port pair + (multiple entries are separated with commas) which acts + as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte volume in the + Backend Used with dynamically provisioned Quobyte volumes, + value is set by the plugin + type: string + user: + description: user to map volume access to Defaults to serivceaccount + user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device mount on the + host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type of the volume + that you want to mount. Tip: Ensure that the filesystem + type is supported by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from + compromising the machine' + type: string + image: + description: 'image is the rados image name. More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly setting + in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication secret + for RBDUser. If provided overrides keyring. Default is + nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to mount. Must + be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). ReadOnly + here will force the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret for ScaleIO + user and other sensitive information. If this is not provided, + Login operation will fail. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: storageMode indicates whether the storage for + a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool associated + with the protection domain. + type: string + system: + description: system is the name of the storage system as + configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume already + created in the ScaleIO system that is associated with + this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that should populate + this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode bits used to + set permissions on created files by default. 
Must be an + octal value between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. Defaults to + 0644. Directories within the path are not affected by + this setting. This might be in conflict with other options + that affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value pair in + the Data field of the referenced Secret will be projected + into the volume as a file whose name is the key and content + is the value. If specified, the listed keys will be projected + into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in + the Secret, the volume setup will error unless it is marked + optional. Paths must be relative and may not contain the + '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to + set permissions on this file. Must be an octal value + between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. If not + specified, the volume defaultMode will be used. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the file + to map the key to. May not be an absolute path. + May not contain the path element '..'. May not start + with the string '..'. 
+ type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret or + its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the secret in the + pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to mount. Must + be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). ReadOnly + here will force the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret to use for obtaining + the StorageOS API credentials. If not specified, default + values will be attempted. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable name of the + StorageOS volume. Volume names are only unique within + a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the scope of the + volume within StorageOS. If no namespace is specified + then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS + for tighter integration. Set VolumeName to any name to + override the default behaviour. Set to "default" if you + are not using namespaces within StorageOS. Namespaces + that do not pre-exist within StorageOS will be created. 
+ type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: fsType is filesystem type to mount. Must be + a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy Based + Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies vSphere + volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + web: + description: Defines the web command line flags when starting Alertmanager. + properties: + getConcurrency: + description: Maximum number of GET requests processed concurrently. + This corresponds to the Alertmanager's `--web.get-concurrency` + flag. + format: int32 + type: integer + httpConfig: + description: Defines HTTP parameters for web server. + properties: + headers: + description: List of headers that can be added to HTTP responses. + properties: + contentSecurityPolicy: + description: Set the Content-Security-Policy header to + HTTP responses. Unset if blank. + type: string + strictTransportSecurity: + description: Set the Strict-Transport-Security header + to HTTP responses. Unset if blank. Please make sure + that you use this with care as this header might force + browsers to load Prometheus and the other applications + hosted on the same domain and subdomains over HTTPS. + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security + type: string + xContentTypeOptions: + description: Set the X-Content-Type-Options header to + HTTP responses. Unset if blank. 
Accepted value is nosniff. + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + enum: + - "" + - NoSniff + type: string + xFrameOptions: + description: Set the X-Frame-Options header to HTTP responses. + Unset if blank. Accepted values are deny and sameorigin. + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + enum: + - "" + - Deny + - SameOrigin + type: string + xXSSProtection: + description: Set the X-XSS-Protection header to all responses. + Unset if blank. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + type: string + type: object + http2: + description: Enable HTTP/2 support. Note that HTTP/2 is only + supported with TLS. When TLSConfig is not configured, HTTP/2 + will be disabled. Whenever the value of the field changes, + a rolling update will be triggered. + type: boolean + type: object + timeout: + description: Timeout for HTTP requests. This corresponds to the + Alertmanager's `--web.timeout` flag. + format: int32 + type: integer + tlsConfig: + description: Defines the TLS parameters for HTTPS. + properties: + cert: + description: Contains the TLS certificate for the server. + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cipherSuites: + description: 'List of supported cipher suites for TLS versions + up to TLS 1.2. If empty, Go default cipher suites are used. + Available cipher suites are documented in the go documentation: + https://golang.org/pkg/crypto/tls/#pkg-constants' + items: + type: string + type: array + client_ca: + description: Contains the CA certificate for client certificate + authentication to the server. + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientAuthType: + description: 'Server policy for client authentication. Maps + to ClientAuth Policies. 
For more detail on clientAuth options: + https://golang.org/pkg/crypto/tls/#ClientAuthType' + type: string + curvePreferences: + description: 'Elliptic curves that will be used in an ECDHE + handshake, in preference order. Available curves are documented + in the go documentation: https://golang.org/pkg/crypto/tls/#CurveID' + items: + type: string + type: array + keySecret: + description: Secret containing the TLS key for the server. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + maxVersion: + description: Maximum TLS version that is acceptable. Defaults + to TLS13. + type: string + minVersion: + description: Minimum TLS version that is acceptable. Defaults + to TLS12. + type: string + preferServerCipherSuites: + description: Controls whether the server selects the client's + most preferred cipher suite, or the server's most preferred + cipher suite. If true then the server's preference, as expressed + in the order of elements in cipherSuites, is used. + type: boolean + required: + - cert + - keySecret + type: object + type: object + type: object + status: + description: 'Most recent observed status of the Alertmanager cluster. + Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + availableReplicas: + description: Total number of available pods (ready for at least minReadySeconds) + targeted by this Alertmanager cluster. 
+ format: int32 + type: integer + conditions: + description: The current state of the Alertmanager object. + items: + description: Condition represents the state of the resources associated + with the Prometheus, Alertmanager or ThanosRuler resource. + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status property. + format: date-time + type: string + message: + description: Human-readable message indicating details for the + condition's last transition. + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if `.metadata.generation` + is currently 12, but the `.status.conditions[].observedGeneration` + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + type: integer + reason: + description: Reason for the condition's last transition. + type: string + status: + description: Status of the condition. + type: string + type: + description: Type of the condition being reported. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + paused: + description: Represents whether any actions on the underlying managed + objects are being performed. Only delete actions will be performed. + type: boolean + replicas: + description: Total number of non-terminated pods targeted by this + Alertmanager object (their labels match the selector). + format: int32 + type: integer + unavailableReplicas: + description: Total number of unavailable pods targeted by this Alertmanager + object. + format: int32 + type: integer + updatedReplicas: + description: Total number of non-terminated pods targeted by this + Alertmanager object that have the desired version spec. 
+ format: int32 + type: integer + required: + - availableReplicas + - paused + - replicas + - unavailableReplicas + - updatedReplicas + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/kube-prometheus-stack/charts/crds/crds/crd-podmonitors.yaml b/kube-prometheus-stack/charts/crds/crds/crd-podmonitors.yaml new file mode 100644 index 0000000..356adce --- /dev/null +++ b/kube-prometheus-stack/charts/crds/crds/crd-podmonitors.yaml 
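Review bot: the descriptions and enum values in the vendored Alertmanager CRD disagree in places and one description refers to the wrong product, so please confirm this file is an unmodified copy of the upstream prometheus-operator CRD rather than hand-edited, and pin its source the way the podmonitors file does with its `https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/...` header comment. Specifically, in `web.httpConfig.headers` the `xContentTypeOptions` description says "Accepted value is nosniff" while the enum lists `NoSniff`, `xFrameOptions` says "deny and sameorigin" while the enum lists `Deny` and `SameOrigin`, and the `strictTransportSecurity` text warns about forcing "Prometheus" over HTTPS although this is the Alertmanager resource; the quobyte `user` description also reads "serivceaccount" and `expirationSeconds` has "24 hours.Defaults" without a space. None of these should be fixed locally, since the operator validates against the upstream schema, but a checksum or a script that re-fetches the CRDs at the pinned operator version would keep the chart copy from drifting and makes the `tlsConfig` defaults (`minVersion` TLS12, Go default `cipherSuites`) auditable against a known upstream revision.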
@@ -0,0 +1,742 @@ +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + operator.prometheus.io/version: 0.72.0 + name: podmonitors.monitoring.coreos.com +spec: + group: monitoring.coreos.com + names: + categories: + - prometheus-operator + kind: PodMonitor + listKind: PodMonitorList + plural: podmonitors + shortNames: + - pmon + singular: podmonitor + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: PodMonitor defines monitoring for a set of pods. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of desired Pod selection for target discovery + by Prometheus. + properties: + attachMetadata: + description: "`attachMetadata` defines additional metadata which is + added to the discovered targets. \n It requires Prometheus >= v2.37.0." + properties: + node: + description: When set to true, Prometheus must have the `get` + permission on the `Nodes` objects. + type: boolean + type: object + jobLabel: + description: "The label to use to retrieve the job name from. 
`jobLabel` + selects the label from the associated Kubernetes `Pod` object which + will be used as the `job` label for all metrics. \n For example + if `jobLabel` is set to `foo` and the Kubernetes `Pod` object is + labeled with `foo: bar`, then Prometheus adds the `job=\"bar\"` + label to all ingested metrics. \n If the value of this field is + empty, the `job` label of the metrics defaults to the namespace + and name of the PodMonitor object (e.g. `/`)." + type: string + keepDroppedTargets: + description: "Per-scrape limit on the number of targets dropped by + relabeling that will be kept in memory. 0 means no limit. \n It + requires Prometheus >= v2.47.0." + format: int64 + type: integer + labelLimit: + description: "Per-scrape limit on number of labels that will be accepted + for a sample. \n It requires Prometheus >= v2.27.0." + format: int64 + type: integer + labelNameLengthLimit: + description: "Per-scrape limit on length of labels name that will + be accepted for a sample. \n It requires Prometheus >= v2.27.0." + format: int64 + type: integer + labelValueLengthLimit: + description: "Per-scrape limit on length of labels value that will + be accepted for a sample. \n It requires Prometheus >= v2.27.0." + format: int64 + type: integer + namespaceSelector: + description: Selector to select which namespaces the Kubernetes `Pods` + objects are discovered from. + properties: + any: + description: Boolean describing whether all namespaces are selected + in contrast to a list restricting them. + type: boolean + matchNames: + description: List of namespace names to select from. + items: + type: string + type: array + type: object + podMetricsEndpoints: + description: List of endpoints part of this PodMonitor. + items: + description: PodMetricsEndpoint defines an endpoint serving Prometheus + metrics to be scraped by Prometheus. 
+ properties: + authorization: + description: "`authorization` configures the Authorization header + credentials to use when scraping the target. \n Cannot be + set at the same time as `basicAuth`, or `oauth2`." + properties: + credentials: + description: Selects a key of a Secret in the namespace + that contains the credentials for authentication. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. The value + is case-insensitive. \n \"Basic\" is not a supported value. + \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: "`basicAuth` configures the Basic Authentication + credentials to use when scraping the target. \n Cannot be + set at the same time as `authorization`, or `oauth2`." + properties: + password: + description: '`password` specifies a key of a Secret containing + the password for authentication.' + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a Secret containing + the username for authentication.' 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: "`bearerTokenSecret` specifies a key of a Secret + containing the bearer token for scraping targets. The secret + needs to be in the same namespace as the PodMonitor object + and readable by the Prometheus Operator. \n Deprecated: use + `authorization` instead." + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + enableHttp2: + description: '`enableHttp2` can be used to disable HTTP2 when + scraping the target.' + type: boolean + filterRunning: + description: "When true, the pods which are not running (e.g. + either in Failed or Succeeded state) are dropped during the + target discovery. \n If unset, the filtering is enabled. \n + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase" + type: boolean + followRedirects: + description: '`followRedirects` defines whether the scrape requests + should follow HTTP 3xx redirects.' 
+ type: boolean + honorLabels: + description: When true, `honorLabels` preserves the metric's + labels when they collide with the target's labels. + type: boolean + honorTimestamps: + description: '`honorTimestamps` controls whether Prometheus + preserves the timestamps when exposed by the target.' + type: boolean + interval: + description: "Interval at which Prometheus scrapes the metrics + from the target. \n If empty, Prometheus uses the global scrape + interval." + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + metricRelabelings: + description: '`metricRelabelings` configures the relabeling + rules to apply to the samples before ingestion.' + items: + description: "RelabelConfig allows dynamic rewriting of the + label set for targets, alerts, scraped samples and remote + write samples. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + properties: + action: + default: replace + description: "Action to perform based on the regex matching. + \n `Uppercase` and `Lowercase` actions require Prometheus + >= v2.36.0. `DropEqual` and `KeepEqual` actions require + Prometheus >= v2.41.0. \n Default: \"Replace\"" + enum: + - replace + - Replace + - keep + - Keep + - drop + - Drop + - hashmod + - HashMod + - labelmap + - LabelMap + - labeldrop + - LabelDrop + - labelkeep + - LabelKeep + - lowercase + - Lowercase + - uppercase + - Uppercase + - keepequal + - KeepEqual + - dropequal + - DropEqual + type: string + modulus: + description: "Modulus to take of the hash of the source + label values. \n Only applicable when the action is + `HashMod`." + format: int64 + type: integer + regex: + description: Regular expression against which the extracted + value is matched. + type: string + replacement: + description: "Replacement value against which a Replace + action is performed if the regular expression matches. + \n Regex capture groups are available." 
+ type: string + separator: + description: Separator is the string between concatenated + SourceLabels. + type: string + sourceLabels: + description: The source labels select values from existing + labels. Their content is concatenated using the configured + Separator and matched against the configured regular + expression. + items: + description: LabelName is a valid Prometheus label name + which may only contain ASCII letters, numbers, as + well as underscores. + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + type: array + targetLabel: + description: "Label to which the resulting string is written + in a replacement. \n It is mandatory for `Replace`, + `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and + `DropEqual` actions. \n Regex capture groups are available." + type: string + type: object + type: array + oauth2: + description: "`oauth2` configures the OAuth2 settings to use + when scraping the target. \n It requires Prometheus >= 2.27.0. + \n Cannot be set at the same time as `authorization`, or `basicAuth`." + properties: + clientId: + description: '`clientId` specifies a key of a Secret or + ConfigMap containing the OAuth2 client''s ID.' + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of a Secret + containing the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the HTTP parameters + to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes used for + the token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to fetch the + token from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + params: + additionalProperties: + items: + type: string + type: array + description: '`params` define optional HTTP URL parameters.' + type: object + path: + description: "HTTP path from which to scrape for metrics. \n + If empty, Prometheus uses the default value (e.g. `/metrics`)." + type: string + port: + description: "Name of the Pod port which this endpoint refers + to. \n It takes precedence over `targetPort`." + type: string + proxyUrl: + description: '`proxyURL` configures the HTTP Proxy URL (e.g. 
+ "http://proxyserver:2195") to go through when scraping the + target.' + type: string + relabelings: + description: "`relabelings` configures the relabeling rules + to apply the target's metadata labels. \n The Operator automatically + adds relabelings for a few standard Kubernetes fields. \n + The original scrape job's name is available via the `__tmp_prometheus_job_name` + label. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + items: + description: "RelabelConfig allows dynamic rewriting of the + label set for targets, alerts, scraped samples and remote + write samples. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + properties: + action: + default: replace + description: "Action to perform based on the regex matching. + \n `Uppercase` and `Lowercase` actions require Prometheus + >= v2.36.0. `DropEqual` and `KeepEqual` actions require + Prometheus >= v2.41.0. \n Default: \"Replace\"" + enum: + - replace + - Replace + - keep + - Keep + - drop + - Drop + - hashmod + - HashMod + - labelmap + - LabelMap + - labeldrop + - LabelDrop + - labelkeep + - LabelKeep + - lowercase + - Lowercase + - uppercase + - Uppercase + - keepequal + - KeepEqual + - dropequal + - DropEqual + type: string + modulus: + description: "Modulus to take of the hash of the source + label values. \n Only applicable when the action is + `HashMod`." + format: int64 + type: integer + regex: + description: Regular expression against which the extracted + value is matched. + type: string + replacement: + description: "Replacement value against which a Replace + action is performed if the regular expression matches. + \n Regex capture groups are available." + type: string + separator: + description: Separator is the string between concatenated + SourceLabels. + type: string + sourceLabels: + description: The source labels select values from existing + labels. 
Their content is concatenated using the configured + Separator and matched against the configured regular + expression. + items: + description: LabelName is a valid Prometheus label name + which may only contain ASCII letters, numbers, as + well as underscores. + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + type: array + targetLabel: + description: "Label to which the resulting string is written + in a replacement. \n It is mandatory for `Replace`, + `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and + `DropEqual` actions. \n Regex capture groups are available." + type: string + type: object + type: array + scheme: + description: "HTTP scheme to use for scraping. \n `http` and + `https` are the expected values unless you rewrite the `__scheme__` + label via relabeling. \n If empty, Prometheus uses the default + value `http`." + enum: + - http + - https + type: string + scrapeTimeout: + description: "Timeout after which Prometheus considers the scrape + to be failed. \n If empty, Prometheus uses the global scrape + timeout unless it is less than the target's scrape interval + value in which the latter is used." + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: "Name or number of the target port of the `Pod` + object behind the Service, the port must be specified with + container port property. \n Deprecated: use 'port' instead." + x-kubernetes-int-or-string: true + tlsConfig: + description: TLS configuration to use when scraping the target. + properties: + ca: + description: Certificate authority used when verifying server + certificates. + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key file for the + targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the targets. + type: string + type: object + trackTimestampsStaleness: + description: "`trackTimestampsStaleness` defines whether Prometheus + tracks staleness of the metrics that have an explicit timestamp + present in scraped data. Has no effect if `honorTimestamps` + is false. \n It requires Prometheus >= v2.48.0." + type: boolean + type: object + type: array + podTargetLabels: + description: '`podTargetLabels` defines the labels which are transferred + from the associated Kubernetes `Pod` object onto the ingested metrics.' + items: + type: string + type: array + sampleLimit: + description: '`sampleLimit` defines a per-scrape limit on the number + of scraped samples that will be accepted.' + format: int64 + type: integer + scrapeClass: + description: The scrape class to apply. + minLength: 1 + type: string + scrapeProtocols: + description: "`scrapeProtocols` defines the protocols to negotiate + during a scrape. It tells clients the protocols supported by Prometheus + in order of preference (from most to least preferred). 
\n If unset, + Prometheus uses its default value. \n It requires Prometheus >= + v2.49.0." + items: + description: 'ScrapeProtocol represents a protocol used by Prometheus + for scraping metrics. Supported values are: * `OpenMetricsText0.0.1` + * `OpenMetricsText1.0.0` * `PrometheusProto` * `PrometheusText0.0.4`' + enum: + - PrometheusProto + - OpenMetricsText0.0.1 + - OpenMetricsText1.0.0 + - PrometheusText0.0.4 + type: string + type: array + x-kubernetes-list-type: set + selector: + description: Label selector to select the Kubernetes `Pod` objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + targetLimit: + description: '`targetLimit` defines a limit on the number of scraped + targets that will be accepted.' 
+ format: int64 + type: integer + required: + - selector + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/kube-prometheus-stack/charts/crds/crds/crd-probes.yaml b/kube-prometheus-stack/charts/crds/crds/crd-probes.yaml new file mode 100644 index 0000000..3adc316 --- /dev/null +++ b/kube-prometheus-stack/charts/crds/crds/crd-probes.yaml 
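Review bot: the PodMonitor CRD hunk should be verified to be an unmodified copy of the upstream prometheus-operator manifest at the same v0.72.0 pin that the crd-probes.yaml header cites, not a hand-edited one; the `TODO: Add other useful fields. apiVersion, kind, uid?` fragments left inside the `description` strings and the paired lowercase/capitalised `enum` entries for the relabel `action` (`replace`/`Replace`, `keep`/`Keep`, ...) are upstream controller-gen output and must stay exactly as they are, otherwise the next CRD re-sync produces a noisy diff and reviewers lose the ability to compare against upstream. Since the chart now ships this schema, its values documentation should steer users to `authorization` and `port` rather than `bearerTokenSecret` and `targetPort` (both carry `Deprecated:` in their descriptions), and should call out that `tlsConfig.insecureSkipVerify: true` disables target certificate validation, so supplying a CA via `tlsConfig.ca` together with `serverName` is the configuration to recommend for scraping over `https`.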
@@ -0,0 +1,759 @@ +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + operator.prometheus.io/version: 0.72.0 + name: probes.monitoring.coreos.com +spec: + group: monitoring.coreos.com + names: + categories: + - prometheus-operator + kind: Probe + listKind: ProbeList + plural: probes + shortNames: + - prb + singular: probe + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Probe defines monitoring for a set of static targets or ingresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of desired Ingress selection for target discovery + by Prometheus. + properties: + authorization: + description: Authorization section for this endpoint + properties: + credentials: + description: Selects a key of a Secret in the namespace that contains + the credentials for authentication. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: + description: "Defines the authentication type. The value is case-insensitive. + \n \"Basic\" is not a supported value. \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: 'BasicAuth allow an endpoint to authenticate over basic + authentication. More info: https://prometheus.io/docs/operating/configuration/#endpoint' + properties: + password: + description: '`password` specifies a key of a Secret containing + the password for authentication.' + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a Secret containing + the username for authentication.' + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerTokenSecret: + description: Secret to mount to read bearer token for scraping targets. + The secret needs to be in the same namespace as the probe and accessible + by the Prometheus Operator. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + interval: + description: Interval at which targets are probed using the configured + prober. If not specified Prometheus' global scrape interval is used. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + jobName: + description: The job name assigned to scraped metrics by default. + type: string + keepDroppedTargets: + description: "Per-scrape limit on the number of targets dropped by + relabeling that will be kept in memory. 0 means no limit. \n It + requires Prometheus >= v2.47.0." + format: int64 + type: integer + labelLimit: + description: Per-scrape limit on number of labels that will be accepted + for a sample. Only valid in Prometheus versions 2.27.0 and newer. + format: int64 + type: integer + labelNameLengthLimit: + description: Per-scrape limit on length of labels name that will be + accepted for a sample. Only valid in Prometheus versions 2.27.0 + and newer. + format: int64 + type: integer + labelValueLengthLimit: + description: Per-scrape limit on length of labels value that will + be accepted for a sample. 
Only valid in Prometheus versions 2.27.0 + and newer. + format: int64 + type: integer + metricRelabelings: + description: MetricRelabelConfigs to apply to samples before ingestion. + items: + description: "RelabelConfig allows dynamic rewriting of the label + set for targets, alerts, scraped samples and remote write samples. + \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + properties: + action: + default: replace + description: "Action to perform based on the regex matching. + \n `Uppercase` and `Lowercase` actions require Prometheus + >= v2.36.0. `DropEqual` and `KeepEqual` actions require Prometheus + >= v2.41.0. \n Default: \"Replace\"" + enum: + - replace + - Replace + - keep + - Keep + - drop + - Drop + - hashmod + - HashMod + - labelmap + - LabelMap + - labeldrop + - LabelDrop + - labelkeep + - LabelKeep + - lowercase + - Lowercase + - uppercase + - Uppercase + - keepequal + - KeepEqual + - dropequal + - DropEqual + type: string + modulus: + description: "Modulus to take of the hash of the source label + values. \n Only applicable when the action is `HashMod`." + format: int64 + type: integer + regex: + description: Regular expression against which the extracted + value is matched. + type: string + replacement: + description: "Replacement value against which a Replace action + is performed if the regular expression matches. \n Regex capture + groups are available." + type: string + separator: + description: Separator is the string between concatenated SourceLabels. + type: string + sourceLabels: + description: The source labels select values from existing labels. + Their content is concatenated using the configured Separator + and matched against the configured regular expression. + items: + description: LabelName is a valid Prometheus label name which + may only contain ASCII letters, numbers, as well as underscores. 
+ pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + type: array + targetLabel: + description: "Label to which the resulting string is written + in a replacement. \n It is mandatory for `Replace`, `HashMod`, + `Lowercase`, `Uppercase`, `KeepEqual` and `DropEqual` actions. + \n Regex capture groups are available." + type: string + type: object + type: array + module: + description: 'The module to use for probing specifying how to probe + the target. Example module configuring in the blackbox exporter: + https://github.com/prometheus/blackbox_exporter/blob/master/example.yml' + type: string + oauth2: + description: OAuth2 for the URL. Only valid in Prometheus versions + 2.27.0 and newer. + properties: + clientId: + description: '`clientId` specifies a key of a Secret or ConfigMap + containing the OAuth2 client''s ID.' + properties: + configMap: + description: ConfigMap containing data to use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientSecret: + description: '`clientSecret` specifies a key of a Secret containing + the OAuth2 client''s secret.' + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + additionalProperties: + type: string + description: '`endpointParams` configures the HTTP parameters + to append to the token URL.' + type: object + scopes: + description: '`scopes` defines the OAuth2 scopes used for the + token request.' + items: + type: string + type: array + tokenUrl: + description: '`tokenURL` configures the URL to fetch the token + from.' + minLength: 1 + type: string + required: + - clientId + - clientSecret + - tokenUrl + type: object + prober: + description: Specification for the prober to use for probing targets. + The prober.URL parameter is required. Targets cannot be probed if + left empty. + properties: + path: + default: /probe + description: Path to collect metrics from. Defaults to `/probe`. + type: string + proxyUrl: + description: Optional ProxyURL. + type: string + scheme: + description: HTTP scheme to use for scraping. `http` and `https` + are the expected values unless you rewrite the `__scheme__` + label via relabeling. If empty, Prometheus uses the default + value `http`. + enum: + - http + - https + type: string + url: + description: Mandatory URL of the prober. 
+ type: string + required: + - url + type: object + sampleLimit: + description: SampleLimit defines per-scrape limit on number of scraped + samples that will be accepted. + format: int64 + type: integer + scrapeClass: + description: The scrape class to apply. + minLength: 1 + type: string + scrapeProtocols: + description: "`scrapeProtocols` defines the protocols to negotiate + during a scrape. It tells clients the protocols supported by Prometheus + in order of preference (from most to least preferred). \n If unset, + Prometheus uses its default value. \n It requires Prometheus >= + v2.49.0." + items: + description: 'ScrapeProtocol represents a protocol used by Prometheus + for scraping metrics. Supported values are: * `OpenMetricsText0.0.1` + * `OpenMetricsText1.0.0` * `PrometheusProto` * `PrometheusText0.0.4`' + enum: + - PrometheusProto + - OpenMetricsText0.0.1 + - OpenMetricsText1.0.0 + - PrometheusText0.0.4 + type: string + type: array + x-kubernetes-list-type: set + scrapeTimeout: + description: Timeout for scraping metrics from the Prometheus exporter. + If not specified, the Prometheus global scrape timeout is used. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + targetLimit: + description: TargetLimit defines a limit on the number of scraped + targets that will be accepted. + format: int64 + type: integer + targets: + description: Targets defines a set of static or dynamically discovered + targets to probe. + properties: + ingress: + description: ingress defines the Ingress objects to probe and + the relabeling configuration. If `staticConfig` is also defined, + `staticConfig` takes precedence. + properties: + namespaceSelector: + description: From which namespaces to select Ingress objects. + properties: + any: + description: Boolean describing whether all namespaces + are selected in contrast to a list restricting them. 
+ type: boolean + matchNames: + description: List of namespace names to select from. + items: + type: string + type: array + type: object + relabelingConfigs: + description: 'RelabelConfigs to apply to the label set of + the target before it gets scraped. The original ingress + address is available via the `__tmp_prometheus_ingress_address` + label. It can be used to customize the probed URL. The original + scrape job''s name is available via the `__tmp_prometheus_job_name` + label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config' + items: + description: "RelabelConfig allows dynamic rewriting of + the label set for targets, alerts, scraped samples and + remote write samples. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + properties: + action: + default: replace + description: "Action to perform based on the regex matching. + \n `Uppercase` and `Lowercase` actions require Prometheus + >= v2.36.0. `DropEqual` and `KeepEqual` actions require + Prometheus >= v2.41.0. \n Default: \"Replace\"" + enum: + - replace + - Replace + - keep + - Keep + - drop + - Drop + - hashmod + - HashMod + - labelmap + - LabelMap + - labeldrop + - LabelDrop + - labelkeep + - LabelKeep + - lowercase + - Lowercase + - uppercase + - Uppercase + - keepequal + - KeepEqual + - dropequal + - DropEqual + type: string + modulus: + description: "Modulus to take of the hash of the source + label values. \n Only applicable when the action is + `HashMod`." + format: int64 + type: integer + regex: + description: Regular expression against which the extracted + value is matched. + type: string + replacement: + description: "Replacement value against which a Replace + action is performed if the regular expression matches. + \n Regex capture groups are available." + type: string + separator: + description: Separator is the string between concatenated + SourceLabels. 
+ type: string + sourceLabels: + description: The source labels select values from existing + labels. Their content is concatenated using the configured + Separator and matched against the configured regular + expression. + items: + description: LabelName is a valid Prometheus label + name which may only contain ASCII letters, numbers, + as well as underscores. + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + type: array + targetLabel: + description: "Label to which the resulting string is + written in a replacement. \n It is mandatory for `Replace`, + `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and + `DropEqual` actions. \n Regex capture groups are available." + type: string + type: object + type: array + selector: + description: Selector to select the Ingress objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + staticConfig: + description: 'staticConfig defines the static list of targets + to probe and the relabeling configuration. If `ingress` is also + defined, `staticConfig` takes precedence. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config.' + properties: + labels: + additionalProperties: + type: string + description: Labels assigned to all metrics scraped from the + targets. + type: object + relabelingConfigs: + description: 'RelabelConfigs to apply to the label set of + the targets before it gets scraped. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config' + items: + description: "RelabelConfig allows dynamic rewriting of + the label set for targets, alerts, scraped samples and + remote write samples. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + properties: + action: + default: replace + description: "Action to perform based on the regex matching. + \n `Uppercase` and `Lowercase` actions require Prometheus + >= v2.36.0. `DropEqual` and `KeepEqual` actions require + Prometheus >= v2.41.0. \n Default: \"Replace\"" + enum: + - replace + - Replace + - keep + - Keep + - drop + - Drop + - hashmod + - HashMod + - labelmap + - LabelMap + - labeldrop + - LabelDrop + - labelkeep + - LabelKeep + - lowercase + - Lowercase + - uppercase + - Uppercase + - keepequal + - KeepEqual + - dropequal + - DropEqual + type: string + modulus: + description: "Modulus to take of the hash of the source + label values. \n Only applicable when the action is + `HashMod`." 
+ format: int64 + type: integer + regex: + description: Regular expression against which the extracted + value is matched. + type: string + replacement: + description: "Replacement value against which a Replace + action is performed if the regular expression matches. + \n Regex capture groups are available." + type: string + separator: + description: Separator is the string between concatenated + SourceLabels. + type: string + sourceLabels: + description: The source labels select values from existing + labels. Their content is concatenated using the configured + Separator and matched against the configured regular + expression. + items: + description: LabelName is a valid Prometheus label + name which may only contain ASCII letters, numbers, + as well as underscores. + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + type: array + targetLabel: + description: "Label to which the resulting string is + written in a replacement. \n It is mandatory for `Replace`, + `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and + `DropEqual` actions. \n Regex capture groups are available." + type: string + type: object + type: array + static: + description: The list of hosts to probe. + items: + type: string + type: array + type: object + type: object + tlsConfig: + description: TLS configuration to use when scraping the endpoint. + properties: + ca: + description: Certificate authority used when verifying server + certificates. + properties: + configMap: + description: ConfigMap containing data to use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + cert: + description: Client certificate to present when doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keySecret: + description: Secret containing the client key file for the targets. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the targets. + type: string + type: object + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/kube-prometheus-stack/charts/crds/crds/crd-prometheusagents.yaml b/kube-prometheus-stack/charts/crds/crds/crd-prometheusagents.yaml new file mode 100644 index 0000000..bfb0468 --- /dev/null +++ b/kube-prometheus-stack/charts/crds/crds/crd-prometheusagents.yaml 
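Review bot: the tail of the Probe schema as vendored leaves `tlsConfig.insecureSkipVerify` (`Disable target certificate validation.`) as a plain boolean and requires only `key`, not `name`, on the `ca`/`cert`/`keySecret` references (`required: - key`), so a Probe that omits the Secret name or sets `insecureSkipVerify: true` passes CRD validation and only fails, or silently weakens TLS, at reconcile time. Since this file is generated upstream prometheus-operator output it should not be hand-edited in this chart; instead, confirm the file carries the same pinned `# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/...` source comment that crd-prometheusagents.yaml has so CI can diff it against the tag, and consider a note in the chart docs pointing operators at an admission policy if they want to deny `insecureSkipVerify: true` on Probe objects.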
@@ -0,0 +1,9041 @@ +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + operator.prometheus.io/version: 0.72.0 + name: prometheusagents.monitoring.coreos.com +spec: + group: monitoring.coreos.com + names: + categories: + - prometheus-operator + kind: PrometheusAgent + listKind: PrometheusAgentList + plural: prometheusagents + shortNames: + - promagent + singular: prometheusagent + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The version of Prometheus agent + jsonPath: .spec.version + name: Version + type: string + - description: The number of desired replicas + jsonPath: .spec.replicas + name: Desired + type: integer + - description: The number of ready replicas + jsonPath: .status.availableReplicas + name: Ready + type: integer + - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status + name: Reconciled + type: string + - jsonPath: .status.conditions[?(@.type == 'Available')].status + name: Available + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Whether the resource reconciliation is paused or not + jsonPath: .status.paused + name: Paused + priority: 1 + type: boolean + name: v1alpha1 + schema: + openAPIV3Schema: + description: PrometheusAgent defines a Prometheus agent deployment. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the Prometheus + agent. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + additionalArgs: + description: "AdditionalArgs allows setting additional arguments for + the 'prometheus' container. \n It is intended for e.g. activating + hidden flags which are not supported by the dedicated configuration + options yet. The arguments are passed as-is to the Prometheus container + which may cause issues if they are invalid or not supported by the + given Prometheus version. \n In case of an argument conflict (e.g. + an argument which is already set by the operator itself) or when + providing an invalid argument, the reconciliation will fail and + an error will be logged." + items: + description: Argument as part of the AdditionalArgs list. + properties: + name: + description: Name of the argument, e.g. "scrape.discovery-reload-interval". + minLength: 1 + type: string + value: + description: Argument value, e.g. 30s. Can be empty for name-only + arguments (e.g. --storage.tsdb.no-lockfile) + type: string + required: + - name + type: object + type: array + additionalScrapeConfigs: + description: 'AdditionalScrapeConfigs allows specifying a key of a + Secret containing additional Prometheus scrape configurations. Scrape + configurations specified are appended to the configurations generated + by the Prometheus Operator. 
Job configurations specified must have + the form as specified in the official Prometheus documentation: + https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config. + As scrape configs are appended, the user is responsible to make + sure it is valid. Note that using this feature may expose the possibility + to break upgrades of Prometheus. It is advised to review Prometheus + release notes to ensure that no incompatible scrape configs are + going to break Prometheus after the upgrade.' + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + affinity: + description: Defines the Pods' affinity scheduling rules if specified. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. 
+ items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. 
If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. 
If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. 
for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key in (value)` to select + the group of existing pods which pods will be + taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. Also, + MatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key notin (value)` to + select the group of existing pods which pods will + be taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MismatchLabelKeys and LabelSelector. Also, + MismatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. 
null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys + to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key in (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector + isn't set. 
This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key notin (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MismatchLabelKeys and + LabelSelector. Also, MismatchLabelKeys cannot be set + when LabelSelector isn't set. This is an alpha field + and requires enabling MatchLabelKeysInPodAffinity + feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. 
The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key in (value)` to select + the group of existing pods which pods will be + taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. Also, + MatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key notin (value)` to + select the group of existing pods which pods will + be taken into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist in + the incoming pod labels will be ignored. The default + value is empty. The same key is forbidden to exist + in both MismatchLabelKeys and LabelSelector. Also, + MismatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. 
null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys + to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key in (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector + isn't set. 
This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label + keys to select which pods will be taken into consideration. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are merged with + `LabelSelector` as `key notin (value)` to select the + group of existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod labels will + be ignored. The default value is empty. The same key + is forbidden to exist in both MismatchLabelKeys and + LabelSelector. Also, MismatchLabelKeys cannot be set + when LabelSelector isn't set. This is an alpha field + and requires enabling MatchLabelKeysInPodAffinity + feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + apiserverConfig: + description: 'APIServerConfig allows specifying a host and auth methods + to access the Kuberntees API server. If null, Prometheus is assumed + to run inside of the cluster: it will discover the API servers automatically + and use the Pod''s CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.' + properties: + authorization: + description: "Authorization section for the API server. 
\n Cannot + be set at the same time as `basicAuth`, `bearerToken`, or `bearerTokenFile`." + properties: + credentials: + description: Selects a key of a Secret in the namespace that + contains the credentials for authentication. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + credentialsFile: + description: File to read a secret from, mutually exclusive + with `credentials`. + type: string + type: + description: "Defines the authentication type. The value is + case-insensitive. \n \"Basic\" is not a supported value. + \n Default: \"Bearer\"" + type: string + type: object + basicAuth: + description: "BasicAuth configuration for the API server. \n Cannot + be set at the same time as `authorization`, `bearerToken`, or + `bearerTokenFile`." + properties: + password: + description: '`password` specifies a key of a Secret containing + the password for authentication.' + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + username: + description: '`username` specifies a key of a Secret containing + the username for authentication.' 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + bearerToken: + description: "*Warning: this field shouldn't be used because the + token value appears in clear-text. Prefer using `authorization`.* + \n Deprecated: this will be removed in a future release." + type: string + bearerTokenFile: + description: "File to read bearer token for accessing apiserver. + \n Cannot be set at the same time as `basicAuth`, `authorization`, + or `bearerToken`. \n Deprecated: this will be removed in a future + release. Prefer using `authorization`." + type: string + host: + description: Kubernetes API address consisting of a hostname or + IP address followed by an optional port number. + type: string + tlsConfig: + description: TLS Config to use for the API server. + properties: + ca: + description: Certificate authority used when verifying server + certificates. + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + caFile: + description: Path to the CA cert in the Prometheus container + to use for the targets. + type: string + cert: + description: Client certificate to present when doing client-authentication. + properties: + configMap: + description: ConfigMap containing data to use for the + targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + certFile: + description: Path to the client cert file in the Prometheus + container for the targets. 
+ type: string + insecureSkipVerify: + description: Disable target certificate validation. + type: boolean + keyFile: + description: Path to the client key file in the Prometheus + container for the targets. + type: string + keySecret: + description: Secret containing the client key file for the + targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + serverName: + description: Used to verify the hostname for the targets. + type: string + type: object + required: + - host + type: object + arbitraryFSAccessThroughSMs: + description: When true, ServiceMonitor, PodMonitor and Probe object + are forbidden to reference arbitrary files on the file system of + the 'prometheus' container. When a ServiceMonitor's endpoint specifies + a `bearerTokenFile` value (e.g. '/var/run/secrets/kubernetes.io/serviceaccount/token'), + a malicious target can get access to the Prometheus service account's + token in the Prometheus' scrape request. Setting `spec.arbitraryFSAccessThroughSM` + to 'true' would prevent the attack. Users should instead provide + the credentials using the `spec.bearerTokenSecret` field. + properties: + deny: + type: boolean + type: object + bodySizeLimit: + description: BodySizeLimit defines per-scrape on response body size. + Only valid in Prometheus versions 2.45.0 and newer. + pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ + type: string + configMaps: + description: ConfigMaps is a list of ConfigMaps in the same namespace + as the Prometheus object, which shall be mounted into the Prometheus + Pods. 
Each ConfigMap is added to the StatefulSet definition as a + volume named `configmap-`. The ConfigMaps are mounted + into /etc/prometheus/configmaps/ in the 'prometheus' + container. + items: + type: string + type: array + containers: + description: "Containers allows injecting additional containers or + modifying operator generated containers. This can be used to allow + adding an authentication proxy to the Pods or to change the behavior + of an operator generated container. Containers described here modify + an operator generated container if they share the same name and + modifications are done via a strategic merge patch. \n The names + of containers managed by the operator are: * `prometheus` * `config-reloader` + * `thanos-sidecar` \n Overriding containers is entirely outside + the scope of what the maintainers will support and by doing so, + you accept that this behaviour may break at any time without notice." + items: + description: A single application container that you want to run + within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If a variable + cannot be resolved, the reference in the input string will + be unchanged. Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container''s + environment. 
If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: + i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. + If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must be + a C_IDENTIFIER. All invalid keys will be reported as an event + when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take + precedence. Values defined by an Env with a duplicate key + will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container + is created. If the handler fails, the container is terminated + and restarted according to its restart policy. Other management + of the container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, resource + contention, etc. 
The handler is not called if the container + crashes or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the container + will eventually terminate within the Pod''s termination + grace period (unless delayed by finalizers). Other management + of the container blocks until the hook completes or until + the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. 
Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. 
spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. + Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in a + single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x < + 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe + fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. 
+ type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource resize + policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this resource + resize policy applies. Supported values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified resource + is resized. If not specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this container. + Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only + be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior of + individual containers in a pod. 
This field may only be set + for init containers, and the only allowed value is "Always". + For non-init containers or when this field is not specified, + the restart behavior is defined by the Pod''s restart policy + and the container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: this + init container will be continually restarted on exit until + all regular containers have terminated. Once all regular containers + have completed, all init containers with restartPolicy "Always" + will be shut down. This lifecycle differs from normal init + containers and is often referred to as a "sidecar" container. + Although this init container still starts in the init container + sequence, it does not wait for the container to complete before + proceeding to the next init container. Instead, the next init + container starts immediately after this init container is + started, or after any startupProbe has successfully completed.' + type: string + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by + the container runtime. Note that this field cannot be + set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent to + root on the host. Defaults to false. Note that this field + cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to + use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a + non-root user. If true, the Kubelet will validate the + image at runtime to ensure that it does not run as UID + 0 (root) and fail to start the container if it does. If + unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a + random SELinux context for each container. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile + must be preconfigured on the node to work. Must be + a descending path, relative to the kubelet's configured + seccomp profile location. Must be set if type is "Localhost". + Must NOT be set for any other type. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. 
Valid options are: \n Localhost - + a profile defined in a file on the node should be + used. RuntimeDefault - the container runtime default + profile should be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. All of a Pod's + containers must have the same effective HostProcess + value (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must also + be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed until + this completes successfully. 
If this probe fails, the Pod + will be restarted, just as if the livenessProbe failed. This + can be used to provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time to load + data or warm a cache, than during steady-state operation. + This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. 
HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, reads + from stdin in the container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. 
If this + flag is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success and + failure. FallbackToLogsOnError will use the last chunk of + container log output if the termination message file is empty + and the container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is smaller. Defaults + to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for + itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. 
+ properties: + mountPath: + description: Path within the container at which the volume + should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are + propagated from the host to container and the other + way around. When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves similarly + to SubPath but environment variable references $(VAR_NAME) + are expanded using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + enableFeatures: + description: "Enable access to Prometheus feature flags. By default, + no features are enabled. \n Enabling features which are disabled + by default is entirely outside the scope of what the maintainers + will support and by doing so, you accept that this behaviour may + break at any time without notice. \n For more information see https://prometheus.io/docs/prometheus/latest/feature_flags/" + items: + type: string + type: array + enableRemoteWriteReceiver: + description: "Enable Prometheus to be used as a receiver for the Prometheus + remote write protocol. 
\n WARNING: This is not considered an efficient + way of ingesting samples. Use it with caution for specific low-volume + use cases. It is not suitable for replacing the ingestion via scraping + and turning Prometheus into a push-based metrics collection system. + For more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver + \n It requires Prometheus >= v2.33.0." + type: boolean + enforcedBodySizeLimit: + description: "When defined, enforcedBodySizeLimit specifies a global + limit on the size of uncompressed response body that will be accepted + by Prometheus. Targets responding with a body larger than this many + bytes will cause the scrape to fail. \n It requires Prometheus >= + v2.28.0." + pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ + type: string + enforcedKeepDroppedTargets: + description: "When defined, enforcedKeepDroppedTargets specifies a + global limit on the number of targets dropped by relabeling that + will be kept in memory. The value overrides any `spec.keepDroppedTargets` + set by ServiceMonitor, PodMonitor, Probe objects unless `spec.keepDroppedTargets` + is greater than zero and less than `spec.enforcedKeepDroppedTargets`. + \n It requires Prometheus >= v2.47.0." + format: int64 + type: integer + enforcedLabelLimit: + description: "When defined, enforcedLabelLimit specifies a global + limit on the number of labels per sample. The value overrides any + `spec.labelLimit` set by ServiceMonitor, PodMonitor, Probe objects + unless `spec.labelLimit` is greater than zero and less than `spec.enforcedLabelLimit`. + \n It requires Prometheus >= v2.27.0." + format: int64 + type: integer + enforcedLabelNameLengthLimit: + description: "When defined, enforcedLabelNameLengthLimit specifies + a global limit on the length of labels name per sample. 
The value + overrides any `spec.labelNameLengthLimit` set by ServiceMonitor, + PodMonitor, Probe objects unless `spec.labelNameLengthLimit` is + greater than zero and less than `spec.enforcedLabelNameLengthLimit`. + \n It requires Prometheus >= v2.27.0." + format: int64 + type: integer + enforcedLabelValueLengthLimit: + description: "When not null, enforcedLabelValueLengthLimit defines + a global limit on the length of labels value per sample. The value + overrides any `spec.labelValueLengthLimit` set by ServiceMonitor, + PodMonitor, Probe objects unless `spec.labelValueLengthLimit` is + greater than zero and less than `spec.enforcedLabelValueLengthLimit`. + \n It requires Prometheus >= v2.27.0." + format: int64 + type: integer + enforcedNamespaceLabel: + description: "When not empty, a label will be added to \n 1. All metrics + scraped from `ServiceMonitor`, `PodMonitor`, `Probe` and `ScrapeConfig` + objects. 2. All metrics generated from recording rules defined in + `PrometheusRule` objects. 3. All alerts generated from alerting + rules defined in `PrometheusRule` objects. 4. All vector selectors + of PromQL expressions defined in `PrometheusRule` objects. \n The + label will not added for objects referenced in `spec.excludedFromEnforcement`. + \n The label's name is this field's value. The label's value is + the namespace of the `ServiceMonitor`, `PodMonitor`, `Probe` or + `PrometheusRule` object." + type: string + enforcedSampleLimit: + description: "When defined, enforcedSampleLimit specifies a global + limit on the number of scraped samples that will be accepted. This + overrides any `spec.sampleLimit` set by ServiceMonitor, PodMonitor, + Probe objects unless `spec.sampleLimit` is greater than zero and + less than than `spec.enforcedSampleLimit`. \n It is meant to be + used by admins to keep the overall number of samples/series under + a desired limit." 
+ format: int64 + type: integer + enforcedTargetLimit: + description: "When defined, enforcedTargetLimit specifies a global + limit on the number of scraped targets. The value overrides any + `spec.targetLimit` set by ServiceMonitor, PodMonitor, Probe objects + unless `spec.targetLimit` is greater than zero and less than `spec.enforcedTargetLimit`. + \n It is meant to be used by admins to to keep the overall number + of targets under a desired limit." + format: int64 + type: integer + excludedFromEnforcement: + description: "List of references to PodMonitor, ServiceMonitor, Probe + and PrometheusRule objects to be excluded from enforcing a namespace + label of origin. \n It is only applicable if `spec.enforcedNamespaceLabel` + set to true." + items: + description: ObjectReference references a PodMonitor, ServiceMonitor, + Probe or PrometheusRule object. + properties: + group: + default: monitoring.coreos.com + description: Group of the referent. When not specified, it defaults + to `monitoring.coreos.com` + enum: + - monitoring.coreos.com + type: string + name: + description: Name of the referent. When not set, all resources + in the namespace are matched. + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + minLength: 1 + type: string + resource: + description: Resource of the referent. + enum: + - prometheusrules + - servicemonitors + - podmonitors + - probes + - scrapeconfigs + type: string + required: + - namespace + - resource + type: object + type: array + externalLabels: + additionalProperties: + type: string + description: The labels to add to any time series or alerts when communicating + with external systems (federation, remote storage, Alertmanager). + Labels defined by `spec.replicaExternalLabelName` and `spec.prometheusExternalLabelName` + take precedence over this list. 
+ type: object + externalUrl: + description: The external URL under which the Prometheus service is + externally available. This is necessary to generate correct URLs + (for instance if Prometheus is accessible behind an Ingress resource). + type: string + hostAliases: + description: Optional list of hosts and IPs that will be injected + into the Pod's hosts file if specified. + items: + description: HostAlias holds the mapping between IP and hostnames + that will be injected as an entry in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + required: + - hostnames + - ip + type: object + type: array + x-kubernetes-list-map-keys: + - ip + x-kubernetes-list-type: map + hostNetwork: + description: "Use the host's network namespace if true. \n Make sure + to understand the security implications if you want to enable it + (https://kubernetes.io/docs/concepts/configuration/overview/). \n + When hostNetwork is enabled, this will set the DNS policy to `ClusterFirstWithHostNet` + automatically." + type: boolean + ignoreNamespaceSelectors: + description: When true, `spec.namespaceSelector` from all PodMonitor, + ServiceMonitor and Probe objects will be ignored. They will only + discover targets within the namespace of the PodMonitor, ServiceMonitor + and Probe object. + type: boolean + image: + description: "Container image name for Prometheus. If specified, it + takes precedence over the `spec.baseImage`, `spec.tag` and `spec.sha` + fields. \n Specifying `spec.version` is still necessary to ensure + the Prometheus Operator knows which version of Prometheus is being + configured. \n If neither `spec.image` nor `spec.baseImage` are + defined, the operator will use the latest upstream version of Prometheus + available at the time when the operator was released." 
+ type: string + imagePullPolicy: + description: Image pull policy for the 'prometheus', 'init-config-reloader' + and 'config-reloader' containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + for more details. + enum: + - "" + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: An optional list of references to Secrets in the same + namespace to use for pulling images from registries. See http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: "InitContainers allows injecting initContainers to the + Pod definition. Those can be used to e.g. fetch secrets for injection + into the Prometheus configuration from external sources. Any errors + during the execution of an initContainer will lead to a restart + of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + InitContainers described here modify an operator generated init + containers if they share the same name and modifications are done + via a strategic merge patch. \n The names of init container name + managed by the operator are: * `init-config-reloader`. \n Overriding + init containers is entirely outside the scope of what the maintainers + will support and by doing so, you accept that this behaviour may + break at any time without notice." + items: + description: A single application container that you want to run + within a pod. + properties: + args: + description: 'Arguments to the entrypoint. 
The container image''s + CMD is used if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If a variable + cannot be resolved, the reference in the input string will + be unchanged. Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: + i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. 
+ If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must be + a C_IDENTIFIER. All invalid keys will be reported as an event + when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take + precedence. Values defined by an Env with a duplicate key + will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container + is created. If the handler fails, the container is terminated + and restarted according to its restart policy. Other management + of the container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, resource + contention, etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the container + will eventually terminate within the Pod''s termination + grace period (unless delayed by finalizers). Other management + of the container blocks until the hook completes or until + the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. 
+ items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that the + container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. 
Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. 
HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. + Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in a + single container. 
+ properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x < + 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe + fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. 
Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource resize + policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this resource + resize policy applies. Supported values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified resource + is resized. If not specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only + be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior of + individual containers in a pod. This field may only be set + for init containers, and the only allowed value is "Always". + For non-init containers or when this field is not specified, + the restart behavior is defined by the Pod''s restart policy + and the container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: this + init container will be continually restarted on exit until + all regular containers have terminated. Once all regular containers + have completed, all init containers with restartPolicy "Always" + will be shut down. This lifecycle differs from normal init + containers and is often referred to as a "sidecar" container. + Although this init container still starts in the init container + sequence, it does not wait for the container to complete before + proceeding to the next init container. Instead, the next init + container starts immediately after this init container is + started, or after any startupProbe has successfully completed.' + type: string + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by + the container runtime. Note that this field cannot be + set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent to + root on the host. Defaults to false. Note that this field + cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to + use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a + non-root user. If true, the Kubelet will validate the + image at runtime to ensure that it does not run as UID + 0 (root) and fail to start the container if it does. If + unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a + random SELinux context for each container. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. 
+ type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile + must be preconfigured on the node to work. Must be + a descending path, relative to the kubelet's configured + seccomp profile location. Must be set if type is "Localhost". + Must NOT be set for any other type. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - + a profile defined in a file on the node should be + used. RuntimeDefault - the container runtime default + profile should be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. 
All of a Pod's + containers must have the same effective HostProcess + value (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must also + be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed until + this completes successfully. If this probe fails, the Pod + will be restarted, just as if the livenessProbe failed. This + can be used to provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time to load + data or warm a cache, than during steady-state operation. + This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, reads + from stdin in the container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success and + failure. FallbackToLogsOnError will use the last chunk of + container log output if the termination message file is empty + and the container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is smaller. Defaults + to File. Cannot be updated. 
+ type: string + tty: + description: Whether this container should allocate a TTY for + itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the volume + should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are + propagated from the host to container and the other + way around. When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves similarly + to SubPath but environment variable references $(VAR_NAME) + are expanded using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath are mutually + exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + keepDroppedTargets: + description: "Per-scrape limit on the number of targets dropped by + relabeling that will be kept in memory. 0 means no limit. \n It + requires Prometheus >= v2.47.0." + format: int64 + type: integer + labelLimit: + description: Per-scrape limit on number of labels that will be accepted + for a sample. Only valid in Prometheus versions 2.45.0 and newer. + format: int64 + type: integer + labelNameLengthLimit: + description: Per-scrape limit on length of labels name that will be + accepted for a sample. Only valid in Prometheus versions 2.45.0 + and newer. + format: int64 + type: integer + labelValueLengthLimit: + description: Per-scrape limit on length of labels value that will + be accepted for a sample. Only valid in Prometheus versions 2.45.0 + and newer. + format: int64 + type: integer + listenLocal: + description: When true, the Prometheus server listens on the loopback + address instead of the Pod IP's address. + type: boolean + logFormat: + description: Log format for Log level for Prometheus and the config-reloader + sidecar. + enum: + - "" + - logfmt + - json + type: string + logLevel: + description: Log level for Prometheus and the config-reloader sidecar. + enum: + - "" + - debug + - info + - warn + - error + type: string + maximumStartupDurationSeconds: + description: Defines the maximum time that the `prometheus` container's + startup probe will wait before being considered failed. The startup + probe will return success after the WAL replay is complete. If set, + the value should be greater than 60 (seconds). Otherwise it will + be equal to 600 seconds (15 minutes). 
+ format: int32 + minimum: 60 + type: integer + minReadySeconds: + description: "Minimum number of seconds for which a newly created + Pod should be ready without any of its container crashing for it + to be considered available. Defaults to 0 (pod will be considered + available as soon as it is ready) \n This is an alpha field from + kubernetes 1.22 until 1.24 which requires enabling the StatefulSetMinReadySeconds + feature gate." + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: Defines on which Nodes the Pods are scheduled. + type: object + overrideHonorLabels: + description: When true, Prometheus resolves label conflicts by renaming + the labels in the scraped data to "exported_
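Review bot: The `maximumStartupDurationSeconds` description at the end of this region is internally inconsistent: it says the default "will be equal to 600 seconds (15 minutes)", but 600 seconds is 10 minutes, so one of the two figures should be corrected. In the same region the `logFormat` description reads "Log format for Log level for Prometheus and the config-reloader sidecar." and should read "Log format for Prometheus and the config-reloader sidecar." Since these descriptions appear to be copied verbatim from a generated CRD (the surrounding fields reference Prometheus version requirements such as ">= v2.47.0" and "2.45.0 and newer"), fix them at the source and regenerate, or at least record which upstream version this copy was taken from, rather than hand-editing the chart copy, so a later refresh does not silently reintroduce the errors.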