values.yaml

# Default values for smartcheck.
# This is a YAML-formatted file.

## activationCode is the product activation code.
## If you have a valid Container Security Scanner API key, you do not need an activationCode
##
## Default value: (none)
activationCode:

## extraLabels is a dictionary of additional labels that will be added to all resources
## created by this chart.
extraLabels: {}

ipv6:
  ## enabled controls whether the proxy listens on IPv6 addresses internally. This does
  ## not affect whether the load balancer (if service.type is `LoadBalancer`) exposes an IPv6
  ## interface.
  ##
  ## You should only modify this value if you encounter problems deploying with the defaults.
  ## If the `proxy` pod fails to start and reports an error like this:
  ##   [emerg] 1#1: socket() [::]:8080 failed (97: Address family not supported by protocol)
  ## then setting ipv6.enabled=false may resolve the issue.
  ##
  ## Default value: true
  enabled: true

rateLimiting:
  api:
    ## The maximum API request rate (per source IP address) in requests per second.
    ##
    ## Default value: 10
    rate: 10

    ## The allowable burst rate. If this is greater than 0, then requests that exceed
    ## the maximum API request rate will be queued.
    ##
    ## This does not change the rate of requests that are sent to the backend services.
    ## Queued requests will be sent to the backend services at the rate defined in
    ## `rateLimiting.api.rate`.
    ##
    ## Default value: 10
    burst: 10

    ## The HTTP response status code to send when a request is rejected due to the rate
    ## limit being exceeded.
    ##
    ## Default value: 429 (Too many requests)
    status: 429

    ## The size, in megabytes, of the rate limiting memory zone. State monitoring for
    ## about 16,000 IP addresses takes 1 megabyte.
    ##
    ## Default value: 10
    size: 10

proxy:
  ## httpProxy, if set, will be used as the proxy for HTTP traffic from
  ## Deep Security Smart Check.
  ##
  ## The value may be either a complete URL or a `host[:port]`, in which
  ## case the `http` scheme is assumed.
  ##
  ## Default value: (none)
  httpProxy:

  ## httpsProxy, if set, will be used as the proxy for HTTPS traffic from
  ## Deep Security Smart Check. If `httpsProxy` is not set, `httpProxy`
  ## is also checked and will be used if set.
  ##
  ## The value may be either a complete URL or a `host[:port]`, in which
  ## case the `http` scheme is assumed.
  ##
  ## Default value: (none)
  httpsProxy:

  ## noProxy, if set, is a list of hosts or `host:port` combinations which
  ## should not be accessed through the proxy.
  ##
  ## Default value: (none)
  noProxy: []

  ## username, if set, is the user name to provide to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  username:

  ## password, if set, is the password to provide to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  password:

auth:
  ## secretSeed is used as part of the password generation process for
  ## all auto-generated internal passwords, ensuring that each installation of
  ## Deep Security Smart Check has different passwords.
  ##
  ## Default value: {must be provided by the installer}
  secretSeed:

  saml:
    ## enabled controls whether SAML authentication will be enabled.
    ##
    ## `location` is also required to be set for SAML authentication to be fully enabled.
    ##
    ## Default value: false
    enabled: false

    ## location is the location of the SAML assertion consumer service. This should be set to
    ## the DNS name that your users will use to access Deep Security Smart Check, for example
    ## `smartcheck.example.com`. If your users will access Deep Security Smart Check on a non-standard
    ## port, you can include the port number as well, for example `smartcheck.example.com:8443`.
    ## The value will be expanded to set the URL scheme and path if not provided, so if `location` is
    ## set to `smartcheck.example.com`, then the final value will be `https://smartcheck.example.com/saml`).
    ##
    ## If `location` is not set, then SAML authentication will not be enabled regardless of the
    ## setting of `enabled`.
    ##
    ## Default value: (none)
    location:

    ## entityID is the SAML entity ID for Deep Security Smart Check as a service provider.
    ## If not provided, the default is copied from the `location` value after expansion (for example,
    ## if `location` is set to `smartcheck.example.com`, then `entityID` will be
    ## `https://smartcheck.example.com/saml`).
    ##
    ## Default value: derived from the `location` value.
    entityID:

    ## maxRoles is the maximum number of roles that Deep Security Smart Check will permit in a
    ## SAML assertion.
    ##
    ## Default value: 10
    maxRoles: 10

  ## roleName is the name of the default administrator role that the system creates on startup.
  ## If a role with this name already exists, no action will be taken.
  ##
  ## Default value: administrator
  roleName: administrator

  ## auditorRoleName is the name of the default auditor role that the system creates on startup.
  ## If a role with this name already exists, no action will be taken.
  ##
  ## Default value: auditor
  auditorRoleName: auditor

  ## userRoleName is the name of the default user role that the system creates on startup.
  ## If a role with this name already exists, no action will be taken.
  ##
  ## Default value: user
  userRoleName: user

  ## userName is the name of the default administrator user that the system creates on startup.
  ## If a user with this name already exists, no action will be taken.
  ##
  ## Default value: administrator
  userName: administrator

  ## password is the password assigned to the default administrator that the system creates on startup.
  ## If a user with the name `auth.userName` already exists, no action will be taken.
  ##
  ## Default value: a generated password derived from the secretSeed and system details
  password: # autogenerated

  ## audience is the value inserted into the JWT token for authentication.
  ##
  ## Default value: deepsecurity-smartcheck
  audience: deepsecurity-smartcheck

  ## Session tokens are issued for a specific duration.
  ## This must be less than `auth.sessionKeyLifetime`.
  ##
  ## Default value: 1h
  ## Minimum value: 15m
  ## Maximum value: `auth.sessionKeyLifetime`
  sessionDuration: 1h

  ## Session tokens are signed by a key that is rotated every `auth.sessionKeyLifetime`.
  ## This must be greater than `auth.sessionDuration`.
  ##
  ## Default value: 24h
  ## Minimum value: 1h
  ## Maximum value: 168h
  sessionKeyLifetime: 24h

certificate:
  secret:
    ## name is the name of the existing secret that stores the service's certificate and private key.
    ## If this is not provided, the chart will generate a self-signed certificate and private key
    ## for the service to present.
    ##
    ## The secret must exist in the same namespace as the service.
    ##
    ## Default value: none
    name:

    ## certificate is the name of the key inside the secret that stores the service's certificate.
    ## The value of the secret must be the PEM-encoded certificate or certificate chain for the service.
    ## This value is required if `certificate.secret.name` is set.
    ##
    ## Default value: none
    certificate:

    ## privateKey is the name of the key inside the secret that stores the service's private key that
    ## matches the certificate. The value of the secret must be the PEM-encoded private key for the service.
    ## The private key must not be protected by a passphrase.
    ## This value is required if `certificate.secret.name` is set.
    ##
    ## Default value: none
    privateKey:

  ## commonName is the common name to use in the default self-signed certificate.
  ##
  ## Default value: example.com
  commonName: example.com

  ## ipAlternativeNames is a list of IP addresses to include as alternate names.
  ## in the default self-signed certificate.
  ##
  ## Default value: []
  ipAlternativeNames: []

  ## dnsAlternativeNames is a list of DNS names to include as alternate names
  ## in the default self-signed certificate.
  ##
  ## Default value: []
  dnsAlternativeNames: []

  ## lifetime is the lifetime in days of the default self-signed certificate.
  ##
  ## Default value: 3650
  lifetime: 3650

service:
  ## type is the Kubernetes Service type for the `proxy` service that acts as
  ## an entry point to the system.
  ##
  ## LoadBalancer will expose the service externally using the cluster provider's load balancer.
  ## ClusterIP will expose the service on an internal cluster IP address.
  ## NodePort will expose the service on each Node's IP address.
  ##
  ## See also: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services---service-types
  ##
  ## Default value: LoadBalancer
  type: LoadBalancer

  ## httpsPort is the port where the service will listen for HTTPS requests.
  ##
  ## Default value: 443
  httpsPort: 443

  ## httpPort is the port where the service will listen for HTTP requests.
  ## The service will automatically redirect all HTTP requests to HTTPS.
  ##
  ## TODO confirm that this is true (it appears not to be)
  ##
  ## Default value: 80
  httpPort: 80

  ## registryPort is the port where the service will listen for docker registry requests.
  ## It is only valid when dockerRegistry is enabled.
  ##
  ## Default value: 5000
  registryPort: 5000

  ## annotations is arbitrary non-identifying metadata for the `proxy` service.
  ## Some cloud providers support different load balancer settings via annotations.
  ##
  ## Default value: {}
  annotations: {}

  ## loadBalancerSourceRanges is a list of of IP CIDR ranges which Kubernetes will
  ## use to configure firewall exceptions for access to the service.
  ##
  ## See also: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
  ##
  ## Default value: []
  loadBalancerSourceRanges: []

db:
  ## Application database host
  ##
  ## If you leave this blank, the chart will deploy a Postgres database
  ## instance in the cluster. If you provide a value, you must also provide
  ## credentials in `user` and `password`; these credentials must allow
  ## the application to connect and execute the following commands:
  ##
  ##   CREATE ROLE "user" with PASSWORD 'password' LOGIN
  ##   GRANT "user" to CURRENT_USER
  ##   CREATE DATABASE "database" WITH OWNER "user"
  ##   REVOKE CONNECT ON DATABASE "database" FROM PUBLIC
  ##
  ## The `user` and `password` values for databases created by the application
  ## will be derived from the `auth.secretSeed` and system details.
  ##
  ## Default value: (blank)
  host:

  ## Application database port
  ##
  ## This is the port number that the application database runs on.
  ##
  ## Default value: 5432
  port: 5432

  ## PostgreSQL Database connection pool configuration
  ## maxIdleConnections - the limit of the number of idle connections in the pool. Default Value: 25
  maxIdleConnections:
  ## maxIdleConnections - the limit of the number of open connections in the pool.  Default Value: 25
  maxOpenConnections:
  ## connMaxLifetime - the maximum amount of time a connection may be reused. It is expressed as a duration string.
  ##                   A duration string is a sequence of decimal numbers, each with optional fraction
  ##                   and a unit suffix, such as "24h". Valid time units are "ns", "us", "ms", "s", "m", "h".
  ##                   Default Value: "10m"
  connMaxLifetime:

  tls:
    ## mode:
    ## * disable - No SSL
    ## * require - Always SSL (skip verification)
    ## * verify-ca - Always SSL (verify that the certificate presented by the
    ##   server was signed by a trusted CA)
    ## * verify-full - Always SSL (verify that the certification presented by
    ##   the server was signed by a trusted CA and the server host name
    ##   matches the one in the certificate)
    mode: verify-full

    ## ca: a PEM-encoded value with the certificate authority to trust when
    ## connecting to the database. Use this if `tls.mode` is `verify-ca` or
    ## `verify-full` and you have a private certificate authority.
    ca:
      valueFrom:
        ## secretKeyRef: if set, the name and key of the secret where the CA
        ## PEM file is stored.
        secretKeyRef:
          name:
          key:
        ## secretKeyRef: if set, the name and key of the config map where the CA
        ## PEM file is stored.
        configMapKeyRef:
          name:
          key:
  ## Application database user
  ##
  ## Default value: a generated value derived from the `auth.secretSeed` and system details
  user: # autogenerated

  ## Application database password
  ##
  ## Default value: a generated password derived from the `auth.secretSeed` and system details
  password: # autogenerated

  ## secret is an application database secret used to encrypt data within the
  ## database. The value is put through PBKDF2 key expansion before being used
  ## as an encryption key.
  ##
  ## IMPORTANT: Do not change this value after the initial install as any
  ## encrypted data will not be able to be decrypted.
  ##
  ## Default value: a generated password derived from the secretSeed and system details
  secret: # autogenerated

  ## Additional environment variables for postgres database setup
  ## Database locale can be specified here:
  ## Postgres locale support - https://www.postgresql.org/docs/current/locale.html
  ## For example, if use Postgres on Windows English-United States, it can be 'en-US'
  ## env:
  #    locale_ctype: en-US
  #    locale_collate: en-US
  env: {}

scan:
  results:
    ## ttl is the time-to-live for scan results expressed as a duration string (or 0).
    ## A duration string is a sequence of decimal numbers, each with optional fraction
    ## and a unit suffix, such as "24h". Valid time units are "ns", "us", "ms", "s",
    ## "m", "h".
    ##
    ## Scan results will be purged at some point after the time-to-live expires.
    ## A value of 0 means that scan results will be kept forever.
    ##
    ## Default value: 0 (keep forever)
    ttl: 0

  ## Enable malware scan cache.
  ##
  ## Default value: true
  malwareCache:
    enabled: true

  # Set how long to wait before being able to rescan images through the registry APIs
  # Default value: 24h
  rescanProhibitedDuration:

  sca:
    ## The SCA scanner uses an ephemeral volume to store threat feed
    ## information. This volume is created when the pod is scheduled on a node
    ## and is populated by the sca-feed-consumer container.
    dataVolume:
      ## The amount of space to request for the data volume.
      ##
      ## Default value: 1Gi
      sizeLimit: 1Gi

  openscap:
    ## The OpenSCAP scanner uses an ephemeral volume to store threat feed
    ## information. This volume is created when the pod is scheduled on a node
    ## and is populated by the openscap-feed-consumer container.
    dataVolume:
      ## The amount of space to request for the data volume.
      ##
      ## Default value: 1Gi
      sizeLimit: 1Gi

    ## The OpenSCAP scanner uses an ephemeral volume to store working data
    ## for scans that are in progress. This data includes the compressed
    ## and uncompressed image layer contents as well as scan results.
    workVolume:
      ## The amount of space to request for the work volume.
      ##
      ## Default value: 5Gi
      sizeLimit: 5Gi

  imageScan:
    # Set the timeout for the image scanner.
    # Default value: 10m
    timeout:

  contentScan:
    ## The content scanner uses an ephemeral volume to store working data
    ## for scans that are in progress. This data includes the uncompressed
    ## image layer contents.
    workVolume:
      ## The amount of space to request for the work volume.
      ##
      ## Default value: 1Gi
      sizeLimit: 1Gi

    # Set the timeout for the content scanner.
    # Default value: 5m
    timeout:

  # This references vulnerability scan inside the scan pod
  vulnerabilityScan:
    # Set the timeout for the vulnerability scanner.
    # Default value: 5m
    timeout:

  # This references malware scan inside the scan pod
  malwareScan:
    # Enable the malware scanner
    # Default Value: false
    enabled: false
      # Set the timeout for the malware scanner.
      # Default value: 1m
    timeout:

malwareScan:
  ## Enable detail logging on malware-scan pod.
  ##
  ## Default value: false
  verbose:
    icrc: false
    trendx: false

  ## Control core files cleanup behavior in malware-scan
  ## Core dumple file pattern. default "core*"
  coreFilePattern:
  ## Allowed total core files size limit. default "200Mi"
  totalCoreFilesSize:

  ## The malware-Scan scanner uses an ephemeral volume to store working data
  ## for scans that are in progress. This data includes the compressed and uncompressed files.
  workVolume:
    ## The amount of space to request for the work volume.
    ##
    ## Default value: 500Mi
    sizeLimit: 500Mi

registry:
  ## Enable the built-in registry for pre-registry scanning.
  ##
  ## Default value: false
  enabled: false

  ## Authentication for the built-in registry
  auth:
    ## User name for authentication to the registry
    ##
    ## Default value: empty string
    username: ''

    ## Password for authentication to the registry
    ##
    ## Default value: empty string
    password: ''

  ## The amount of space to request for the registry data volume
  ##
  ## Default value: 5Gi
  dataVolume:
    sizeLimit: 10Gi

vulnerabilityScan:
  ## Boolean value to determine whether or not to overwrite the distribution-specific
  ## severity for a vulnerability with the NVD severity if the NVD severity is higher
  ## 
  ## Default value: true
  appendSeverity: true

  ## Forces the vulnerabilityscan database to be restored everytime the 
  ## vulnerability-scan pod restarts. Can be used to refresh a corrupt vulnerability 
  ## scan database.
  ##
  ## Default value: false
  forceRestoreDB: false

  workVolume:
    ## The amount of space to request for the vulnerability scan working volume
    ##
    ## Default value: 3Gi
    sizeLimit: 3Gi

images:
  defaults:
    ## Default registry to pull images from. This can be overridden for
    ## each image by specifying the registry attribute at the image level.
    ## If no registry is provided, images will be pulled from your default
    ## registry (which may be Docker Hub).
    ##
    ## Default value: blank
    # registry:

    ## Default project / organization to pull images from. This can be
    ## overridden for each image by specifying the project attribute at the
    ## image level.
    ##
    ## Default value: deepsecurity
    # project: deepsecurity

    ## Default tag for images to pull. This can be overridden for each image
    ## by specifying the tag attribute at the image level.
    tag: 1.2.83

    ## Default pull policy for images. This can be overridden for each image
    ## by specifying the pullPolicy attribute at the image level.
    ##
    ## Default value: IfNotPresent
    pullPolicy: IfNotPresent

    ## Default secret for pulling images. This can be overridden for each
    ## image by specifying the imagePullSecret attribute at the image level.
    ##
    ## Default value: none
    # imagePullSecret:
  db:
    repository: db
    digest: sha256:7bf1a6f838771419365ec6b30d5410500692bd779bec4a93a4693d98ded303b7
  auth:
    repository: auth
    digest: sha256:2d6f63ab073749304cabf19e62bb3bbffe0d451a7870aceced905a509f35deed
  malwareScan:
    repository: vscan
    digest: sha256:16b5d4966ef899b8859073cde4cc3f6c42dff3b59ffefc71f41f1533777ff4ac
  contentScan:
    repository: contentscan
    digest: sha256:09dcba488b62c36b04685cd70cead374f3cf19594bc7606e11f1249f00b10da7
  scan:
    repository: scan
    digest: sha256:07f0b67f5022cf5bec50135abc62f47961d102010e5c7147cc1bb3494f81344f
  registryviews:
    repository: registryviews
    digest: sha256:4b12853986fba4f4353890bd2ce4fa507277b0b3c3f13487da41c8f12c20cac8
  docs:
    repository: api-docs
    digest: sha256:1f0acfe29806f6ab331872c157538353c2a7f8bc25e5d77bd986ba013a95e458
  frontend:
    repository: frontend
    digest: sha256:629fe234f9f1ca3fafecc666cd97ef97b1c0e8ae7424af119839eb0feb7f113a
  proxy:
    repository: proxy
    digest: sha256:00bd1635e964c2cacb94d220a1128ac52826d1ce33beb2d6ae25be34a949b8fe
  license:
    repository: license
    digest: sha256:ed8b0b955e0519a8238c7023a768a4a747fac4260959951c6be276385b13583e
  vulnerabilityScan:
    repository: vulnerability-scan
    digest: sha256:0ae7087cf5103f166a218c8c4035380fc996f896900d88289138584f32a8e82b
  tasks:
    repository: tasks
    digest: sha256:d8ab17d8d11a725ff74a76d54f4c4e614c65a7d7ca605225ee2e157b04cdb4eb
  metrics:
    repository: k8s-metrics-reporter
    digest: sha256:013b98a3be5b67a9b3c431473fd3a6ccd70f35a4b362288bbfb773bb0e5fa10b
  openscapScan:
    repository: openscap-scan
    # digest value in docker.io
    digest: sha256:7b99d755566e09483983a4a836c65e91336d6c00118deaa6e6d6aa74a94c0811
  openscapFeedConsumer:
    repository: openscap-feed-consumer
    digest: sha256:6635f235614bd96be2994bdb3dc7630c38f482afe49182b3e6431f6903dad41e
  registry:
    repository: registry
    digest: sha256:037b6b7f1302283ab13036c4427c6b102bc1e5efb2a9a51a10f465ea745334d9
  registryCleaner:
    repository: registry-cleaner
    digest: sha256:60731e84828ff1bc9fac8af1a88c76dcc1a0fe78db2ffacee932e6d60d596d4d
  dbInitializer:
    repository: db-initializer
    digest: sha256:891878b7c8d029158f3333dbc131da41b53d56811847596a321a56f4c9da8b58
  vulnDBInitializer:
    repository: vuln-db-initializer
    digest: sha256:9fca24e14b7220a45dabd1622fb22af836917ab0f27f263bafaec44a111d3980
  imageScan:
    repository: image-scan
    digest: sha256:5fc533fae249c7b331f542c6aff2acdcb76b18514081974d954144a0c0df44f5
  scaScan:
    repository: sca-scan
    digest: sha256:9cd158c8d2405f31ae079cdfef598859510c19d1b5232f3e6ac64f18bb73f379
  scaFeedConsumer:
    repository: sca-feed-consumer

    digest: sha256:5df56c9d3a48b653e0200b7df6e4184f3a2c35df247691e2086342f79442f151
replicas: {}

persistence:
  ## enabled is whether a persistent volume claim should be created for database storage.
  ## If no persistent volume claim is created, then the database will be lost every time the
  ## database container restarts.
  enabled: true

  ## storageClassName is the name of the storage class that should be used for persistent volumes.
  ## If no value is specified, then `storageClassName` is left out of the persistent volume claim.
  ## This value can be overridden for each persistent volume; see below.
  ##
  ## Reference: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class
  ##
  ## Default: blank
  storageClassName:

  db:
    ## size is the amount of persistent volume storage to request for the main application databases.
    ##
    ## Default value: 8Gi
    size: 8Gi #?

    ## storageClassName is the name of the storage class that should be used for persistent volume
    ## used by the application database. If no value is specified, then the value of
    ## `persistence.storageClassName` is used.
    ##
    ## Reference: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class
    ##
    ## Default: blank
    storageClassName:

serviceAccount:
  ## Amazon IAM role ARNs for projected service account.
  ##
  ## If you want to grant the minimal pods to access Amazon Amazon Elastic Container Registry (ECR), set the roleArn accordingly:
  ## registryAccess:
  ##   annotations:
  ##     eks.amazonaws.com/role-arn: arn:aws:iam::[account-id]:role/[AmazonEC2ContainerRegistryReadOnlyRoleName]
  ##
  ## Reference: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
  ##
  ## Default: {}
  registryAccess:
    annotations: {}

resources:
  defaults: {}
    # If you want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  db:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 1000m
      memory: 2Gi
  vulnerabilityScan:
    requests:
      cpu: 200m
      memory: 256Mi
    limits:
      cpu: 800m
      memory: 3Gi

nodeSelector:
  defaults: {}

tolerations:
  defaults: []

affinity:
  defaults: {}

networkPolicy:
  enabled: true

  ## additionalWebhookTargetPorts is a list of destination port numbers that are allowed for web hook targets
  ##
  ## Default value: []
  additionalWebhookTargetPorts: []

  ## additionalRegistryPorts is a list of destination port numbers that are allowed for registry connections
  ##
  ## Default value: []
  additionalRegistryPorts: []

  ## additionalOutboundPorts is a list of destination port numbers that are allowed for outbound connections
  ##
  ## Default value: []
  additionalOutboundPorts: []

# Scheduled system tasks
tasks:
  # The scan task will periodically trigger scans on views that have the `schedule`
  # flag set to `true`.
  scan:
    ## enabled controls whether or not to create the Kubernetes CronJob task that
    ## will trigger the scheduled scan.
    ##
    ## Default value: true
    enabled: true

    ## schedule controls the schedule for the scheduled scan. It is a string in
    ## [cron](https://en.wikipedia.org/wiki/Cron) format.
    ##
    ## Default value: @daily (once a day, at midnight UTC)
    schedule: '@daily'

  # The metrics collector will periodically retrieve metrics from pods that have the
  # `metrics: include` label.
  metricsCollector:
    ## enabled controls whether or not to create the Kubernetes pod that will perform
    ## metrics collection.
    ##
    ## Default value: true
    enabled: true

  metricsReporter:
    ## enabled controls whether or not to create the Kubernetes pod that will perform
    ## metrics reporting.
    ##
    ## Default value: true
    enabled: true

    ## url is the target URL for reporting metrics. If no URL is provided, then metrics
    ## will not be reported.
    ##
    ## Default value: https://licenseupdate.trendmicro.com/fb/bifconnect.ashx
    url: https://licenseupdate.trendmicro.com/fb/bifconnect.ashx

  registryCleaner:
    ## enabled controls whether or not to create the Kubernetes Cronjob task that will
    ## trigger local registry cleaner.
    ##
    ## Default value: true
    enabled: true

    ## schedule controls the schedule for metrics collection. It is a string in
    ## [cron](https://en.wikipedia.org/wiki/Cron) format.
    ##
    ## Default value: @daily
    schedule: '@daily'

cloudOne:
  ## apiKey is the api key used to authenticate with Trend Micro Cloud One - Container Security.
  ## The API key value is provided when creating a scanner in Container Security (either through the UI or through /api/scanners).
  ##
  ## Default value: (none)
  apiKey:

  ## endpoint is the endpoint of the Container Security scan results ingestion service.
  ## Allows for full endpoint to be provided or the Trend Micro Cloud One region (ex: us-1).
  ## The endpoint/region must match the Trend Micro Cloud One region where the scanner API key was created.
  ##
  ## Default value: https://container.us-1.cloudone.trendmicro.com
  endpoint: https://container.us-1.cloudone.trendmicro.com

telemetry:
  ## enabled controls whether telemetry events will be sent.
  ##
  ## Default value: true
  enabled: true

  ## endpoint is the endpoint of the telemetry service.
  ##
  ## Default value: https://telemetry.deepsecurity.trendmicro.com
  endpoint: https://telemetry.deepsecurity.trendmicro.com

  ## interval controls the maximum interval between telemetry data reports
  ##
  ## Default value: 24h
  interval: 24h

  ## publicKey is the public key used when communicating with the telemetry service.
  ##
  ## Default value: (built-in)
  publicKey:

# securityContext specifies the security contexts that we'll apply to the pods.
securityContext:
  ## enabled is a global flag controlling whether security contexts are included at all in the manifest
  ## Default value: true
  enabled: true

  ## default is the default security context that we'll apply at the pod and container level.
  ## if `securityContext.enabled` is true, the `pod` value will be inserted into the `Deployment` manifest
  ## as part of the pod template and the `container` value will be inserted at the container level.
  default:
    pod:
      runAsNonRoot: true
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions: "If unspecified, the container runtime will allocate a random SELinux context for each container": this seems appropriate.
      runAsUser: 1

  db:
    pod:
      runAsNonRoot: true
      fsGroup: 70
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions: "If unspecified, the container runtime will allocate a random SELinux context for each container": this seems appropriate.
      runAsUser: 70

  registry:
    pod:
      runAsUser: 1000

  scan:
    pod:
      runAsNonRoot: true
      # fsGroup: for using projected service account tokens (kubernetes/kubernetes#82573)
      fsGroup: 65534
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions: "If unspecified, the container runtime will allocate a random SELinux context for each container": this seems appropriate.
      runAsUser: 1

  registryviews:
    pod:
      runAsNonRoot: true
      # fsGroup: for using projected service account tokens (kubernetes/kubernetes#82573)
      fsGroup: 65534
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions: "If unspecified, the container runtime will allocate a random SELinux context for each container": this seems appropriate.
      runAsUser: 1

cursor:
  ## secret is an application cursor secret used to encrypt data within the
  ## cursor. The value is put through PBKDF2 key expansion before being used
  ## as an encryption key.
  ##
  ## IMPORTANT: Do not change this value after the initial install as any
  ## encrypted data will not be able to be decrypted.
  ##
  ## Default value: a generated password derived from the secretSeed and system details
  secret:

feed:
  openscap:
    url: https://dstf.trendmicro.com/oval/manifest.json
    interval: 24h

  sca:
    url: https://dstf.trendmicro.com/sca/feed.bin
    interval: 24h