# Example Baski configuration. Every value here is a placeholder to be replaced for your environment.
# NOTE(review): a filled-in copy of this file carries credentials (the S3 access/secret keys and the Vault token
# below), so keep it out of version control and readable only by the user that runs the build.
# The cloud section defines the cloud to use.
cloud:
# OpenStack support is a tricky one due to the varying nature of configurations that can exist across different setups.
# The approach taken with this is a basic kolla-ansible install with no bells and whistles. Any additional configuration must be seriously considered before adding additional code/options to support it.
openstack:
# The location of the clouds.yaml file to use for interaction with OpenStack.
# The cloud entry it names normally holds the auth credentials Baski uses, so protect that file like any other secret.
clouds-file: "~/.config/openstack/clouds.yaml"
# The cloud entry in the clouds.yaml file for the OpenStack.
cloud-name: "image-builder"
# This is the network-id which the instance will be attached to for building.
network-id: "network-id"
# The image that will be the source for the image being built.
# Everything in the source image ends up in the published image, so start from a trusted and current base.
source-image-id: "source-image"
# The flavor that should be launched to build the image. If you're building the NVIDIA driver into the image then the instance should have a GPU.
flavor-name: "spicy-meatball"
# Whether to attach a config drive. This generally isn't required except for in custom circumstances where the OpenStack setup requires it.
attach-config-drive: false
# Whether to use a floating IP on the instance.
# A floating IP makes the build instance reachable from the network named below for the duration of the build;
# leave it false if the builder is reachable over the internal network.
use-floating-ip: true
# The name of the network from which to get a floating IP from.
floating-ip-network-name: "Internet"
# Sets the image visibility once it has been created. The cloud account being used must have permission to do this.
# NOTE(review): "public" makes the image visible to every tenant as soon as the build finishes, i.e. before the
# scan stage below has had a chance to reject it. Prefer a non-public visibility for the build and publish
# only after a passing scan.
image-visibility: "public"
# The disk format
image-disk-format: "raw"
# the volume type
volume-type: ""
# The size of the storage volume
volume-size: 0
# The rootfs-UUID. In testing this has only been required for bare-metal instances as the bare-metal instance needs know about the rootfs, so it knows what to boot.
rootfs-uuid: "ROOT_FS_UUID"
# Baski presumes there is an S3 endpoint available for the pulling of any items such as the .trivyignore and nvidia files.
# This is because the image builder defaults to this for the Nvidia support, and it is presumed that most if not all people can have/can set up an S3 endpoint for authenticated storage.
# NOTE(review): the access/secret key pair below is a placeholder. Never commit real keys. Scope the key to the
# buckets named in nvidia-bucket and scan-bucket with the least access that works (read-only unless the
# trivyignore file is created in the bucket - confirm), and rotate it if it leaks or the builder is retired.
s3:
endpoint: "S3_ENDPOINT_URL"
access-key: "ACCESS_KEY"
secret-key: "SECRET_KEY"
# If the S3 endpoint is being used, set this to true to instruct the aws ansible role to do the same.
is-ceph: true
# Build stage options.
build:
# If enabled this will output all the output generated by the make command in the background.
verbose: true
# The OS to build for. This should match the source image.
build-os: "ubuntu-2204"
# The prefix to prepend to the name of the image that is built. The name will result in <prefix>-yymmdd-unique_id.
image-prefix: "kube"
# The repo to use for image building. This will default to the main image builder repo but can be updated if additional functionality is required in a fork.
# NOTE(review): the code in this repository performs the build, so anyone who can push to it can change what
# ends up in your images. Point a fork here only if you control its write access.
image-repo: "https://github.com/kubernetes-sigs/image-builder.git"
# The branch to checkout from the image repo
# "main" is a moving target: builds are not reproducible and silently pick up whatever was merged last.
# Pin a release tag or commit here if the checkout accepts one (TODO confirm), and review upstream changes before bumping it.
image-repo-branch: "main"
# The crictl version.
# Version values stay quoted so YAML never reinterprets them as numbers.
crictl-version: "1.26.0"
# The CNI version.
cni-version: "1.2.0"
# The specific version of the CNI Debian package ('kubernetes-cni') to install
cni-deb-version: "1.2.0-2.1"
# The Kubernetes version.
kubernetes-version: "1.28.2"
# The specific version of the Kubernetes Debian packages ('kubeadm', 'kubelet') to install
kubernetes-deb-version: "1.28.2-1.1"
# Any additional debs to install. Currently, Baski only supports ubuntu and flatcar and this will only work with Ubuntu
# Every package listed here ships in the published image; keep the list to what workloads actually need so the
# patch surface stays small.
extra-debs: "nfs-common"
# Whether to add Trivy into the image.
add-trivy: true
# Whether to add Falco into the image.
add-falco: true
# NVIDIA will soon be supported in the image builder https://github.com/kubernetes-sigs/image-builder/pull/1147.
# However, it has a prerequisite that means the operator should provide the NVIDIA license (.tok) and installer (.run) files via an S3 endpoint
# due to license restrictions by NVIDIA. These are not publicly available which is why this requirement is in place.
# The image builder will not provide these files and if they are not supplied, the build will fail.
nvidia:
# enable NVIDIA driver install in the image.
enable-nvidia-support: true
# The NVIDIA driver version to be installed - Currently used for tagging metadata - may be removed in future in favor of parsing the filename.
nvidia-driver-version: "525.85.05"
# The S3 bucket to get the installer and license files from.
nvidia-bucket: "nvidia"
# The installer file name in the bucket.
# The .run installer is executed during the build; only upload it from a source you trust.
nvidia-installer-location: "NVIDIA-Linux-x86_64-525.85.05-grid.run"
# The license file name in the bucket.
# The .tok file is a licensing credential (see the note above); it should live in the bucket, never in this file.
nvidia-tok-location: "client_configuration_token.tok"
# The feature type to configure the GRIDD service with - see NVIDIA docs for more information on this.
# Quoted so YAML keeps it as a string rather than an integer.
nvidia-gridd-feature-type: "4"
# The additional-images section should be a list of container images to bake into the image.
# Images referenced by tag can change upstream after the image has been scanned; reference them by digest if the
# tooling accepts that (TODO confirm) so what was scanned is what gets deployed.
additional-images: [ ]
# Scan stage options
scan:
# Used to scan a single image - takes an image ID and scans it.
single:
# The ID of the image to be scanned.
image-id: ""
# Used in the `existing` command - takes a wildcard and scans all images that match it.
multiple:
# The image-search is used to filter images. If this string is within the name of the image, it'll be selected for scanning.
image-search: "kube-"
# How many concurrent scans to perform.
concurrency: 2
# Override the cloud.[provider].flavor for the scan. This can help avoid using a large or gpu enabled node just for scanning.
flavor-name: "not-so-spicy-meatball"
# Whether to auto-delete the image. This has been added for automation purposes in the scenario where the image is built then scanned right away.
# Should the scan fail then the image shouldn't be available publicly and so can be automatically deleted from the infrastructure to make sure a vulnerable image is not deployed.
# With false, an image that fails the scan stays in the cloud at whatever visibility the build stage set on it;
# set true for unattended pipelines.
auto-delete-image: false
# This option allows the scan to skip checking the CVE check which would result in a failure should the thresholds below be hit.
# It can be useful for building an image that needs to stick around, even if a scan would fail. Maybe for troubleshooting or review.
# Leave false in automation: with true the severity threshold below is never enforced.
skip-cve-check: false
# Minimum severity to check for during the scan.
# NOTE(review): the key is named max-severity-type but the line above describes a lower bound, i.e. findings at
# this severity and above fail the check. Confirm which reading the scanner implements before relying on it.
max-severity-type: MEDIUM
# The bucket name in which the trivyignore file can be located.
scan-bucket: "baski"
# The file path in the bucket to the trivyignore file.
trivyignore-path: ""
# The name of the trivyignore file in the bucket.
trivyignore-filename: ".trivyignore"
# A list of CVEs to add to the ignore list. If a file is also provided, this list will be appended to the list within the file.
# If no file exists, then the file will be created with the list contents
# Every entry here removes a finding from the pass/fail decision. Record a justification and an expiry per CVE,
# and re-review the list whenever the source image or Kubernetes version changes.
trivyignore-list: [ ]
# Sign stage options
sign:
# The generate step will create a public/private key pair that can be used for image signing.
generate:
# Output path of the generated keys.
# The private key is written to this directory. Generate it on a trusted host, restrict its file permissions,
# and move it into Vault (below) rather than leaving it on disk.
path: "."
# Vault can be used to store the certificates. Vault is currently the only supported storage as it's FOSS making it available to anyone.
# Other options could be supported but will not be added by EscherCloud.
vault:
# The Vault endpoint.
# Keep this an https URL: the token below is sent with every request.
url: "https://vault.ENDPOINT/"
# The Vault token.
# A bearer credential - do not commit a real one. Prefer a short-lived token whose policy is limited to the
# mount-path/secret-name below.
token: "VAULT_TOKEN"
# The mount path within vault.
mount-path: "kv/baski"
# The name of the secret in the mount path.
secret-name: "signing-keys"
# The ID of the image to sign.
image-id: "" # Used for existing images
# The private key to use in the signing process - this takes precedence over vault.
# Whether this takes a path or inline key material is not stated here; if inline, the filled-in file must never be committed.
private-key: ""
# The public key to use in the validation process - this takes precedence over vault.
public-key: ""
# If you would like to validate an image signing, this allows you to put the digest in and validate the image.
# This will be deprecated and then removed soon to make way for fetching the digest from the metadata of the image where it is currently stored.
# Until then, a digest supplied here is trusted as-is: take it from a source you trust, not from the image being validated.
digest: ""