#general parameters
# How many old revisions to retain for the deployment(s) this module creates
# (presumably wired to the Deployment's revisionHistoryLimit in main.tf — confirm).
variable "revision_history_limit" {
type = number
description = "The number of history revisions to keep."
default = 10
}
# ServiceAccount the pods run as. Its RBAC bindings are not declared in this
# file; NOTE(review): keep them to the minimum the webhook needs (least privilege).
variable "service_account_name" {
type = string
description = "The Kubernetes ServiceAccount to use for pods."
default = "lacework-admission-sa"
}
# Not validated here (a validation block, Terraform >= 0.13, would catch typos
# before apply). With the default "latest" image tags in this file, "Always"
# means every pod start re-pulls whatever the tag currently points to — see
# admission_controller_image_tag and proxy_scanner_image_tag.
variable "image_pull_policy" {
type = string
description = "The pull policy to use when deploying container images. Ex: Always, Never, IfNotPresent"
default = "Always"
}
# Default tolerates the control-plane "master" NoSchedule taint, so the pods may
# be scheduled onto control-plane nodes. NOTE(review): clusters that taint with
# node-role.kubernetes.io/control-plane instead are not covered by this default —
# confirm against the target cluster version.
variable "tolerations" {
type = list(map(string))
description = "A list of Kubernetes Tolerations to apply to the Deployment definition."
default = [{ key = "node-role.kubernetes.io/master", effect = "NoSchedule" }]
}
# Namespace for the controller (and the proxy scanner when deploy_combined is
# true). The default is also listed in bypass_scope below, so workloads placed
# in this namespace are not admission-reviewed unless bypass_scope is changed.
variable "namespace" {
type = string
description = "The Kubernetes namespace in which to deploy the admission controller and (optionally) the proxy scanner."
default = "lacework"
}
# false deploys only the admission controller; the proxy scanner variables below
# are then expected to point at a scanner running elsewhere (not verified here).
variable "deploy_combined" {
type = bool
description = "Deploy both the admission controller and proxy scanner together if true. If false, only deploy the admission controller."
default = true
}
#admission controller parameters
# Name of the admission controller Deployment (and presumably the resources
# derived from it in main.tf — confirm).
variable "admission_controller_name" {
type = string
description = "The name for the Lacework admission controller deployment."
default = "lacework-admission-controller"
}
# Repository only — no registry host and no digest. NOTE(review): for a
# component that gates what runs in the cluster, prefer pinning by digest
# (repo@sha256:...) over a mutable tag; check how main.tf composes image:tag
# before doing so. See admission_controller_image_tag.
variable "admission_controller_image" {
type = string
description = "The image to use for deploying the Lacework admission controller."
default = "lacework/lacework-admission-controller"
}
# Default "latest" is a mutable tag: deployments are not reproducible, and a
# broken or compromised push to the tag is picked up on the next pod start
# (image_pull_policy defaults to Always). NOTE(review): pin a release tag or
# digest in production.
variable "admission_controller_image_tag" {
type = string
description = "The image tag to use for deploying the Lacework admission controller."
default = "latest"
}
# Secret holding the webhook serving cert/key; cert_file_path and cert_key_path
# below are where its contents are expected to be mounted.
variable "certs_secret_name" {
type = string
description = "The name of the K8s secret containing the certificates."
default = "lacework-admission-certs"
}
# true: the module generates its own CA and server certificate (presumably also
# injected as the webhook configuration's caBundle — confirm in main.tf).
# false: ca_cert, server_certificate and server_key must all be supplied;
# nothing in this file enforces that, so a missing one fails at apply time.
variable "use_self_signed_certs" {
type = bool
description = "Deploy admission controller with self-signed certificates if true. If false, you must define certs in the ca_cert, server_certificate, and server_key variables."
default = true
}
# Debug logging is ON by default. NOTE(review): debug output may include details
# of every admission request the webhook sees — confirm what the controller
# logs at this level and set to false in production.
variable "enable_debug_logging" {
type = bool
description = "Enable debug logging on the admission controller."
default = true
}
# Port the webhook listens on for TLS from the API server; the Service and
# webhook configuration are expected to target this same port (defined elsewhere).
variable "tls_port" {
type = number
description = "Listening port for admission controller."
default = 8443
}
# In-container path of the serving certificate; must match where the
# certs_secret_name secret is mounted.
variable "cert_file_path" {
type = string
description = "Path for server certificate file in admission controller volume."
default = "/certs/admission.crt"
}
# In-container path of the serving private key; must match where the
# certs_secret_name secret is mounted.
variable "cert_key_path" {
type = string
description = "Path for server key file in admission controller volume."
default = "/certs/admission.key"
}
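# Fail-open by default: with "Ignore" the API server admits the object when the
# webhook errors or times out (see webhook_timeout), so a crashed or unreachable
# controller silently stops enforcing anything. Use "Fail" where admission must
# be enforced, accepting that a webhook outage then blocks deployments.
# Not validated here; a validation block (Terraform >= 0.13) could restrict it.
variable "failure_policy" {
type = string
description = "Webhook failure policy (what the API server does if the webhook fails or times out). Ex: Ignore (fail open), Fail (fail closed)"
default = "Ignore"
}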
# Seconds the API server waits for the webhook before applying failure_policy.
# NOTE(review): Kubernetes bounds webhook timeoutSeconds (1-30 in current
# releases) and rejects larger values — confirm before raising this.
# Equal to admission_scanner_timeout by default, so a slow scanner reaches this
# limit at the same moment; see admission_scanner_timeout.
variable "webhook_timeout" {
type = number
description = "Timeout in seconds for admission webhook failure."
default = 30
}
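# Resource kinds listed here are never sent for review. NOTE(review): this is an
# allow-list for bypass, so keep it empty unless a kind genuinely cannot be
# scanned; which kinds the webhook is registered for is decided in main.tf.
variable "excluded_resources" {
type = list(string)
description = "Resource kinds that skip admission review entirely. Ex: [\"Pod\", \"Deployment\", \"ReplicaSet\", \"DaemonSet\"]"
default = []
}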
# Comma-separated string (not a list, unlike excluded_resources). Every namespace
# named here is exempt from review. The default exempts the controller's own
# namespace ("lacework") plus "lacework-dev". NOTE(review): trim the default to
# the namespaces the target cluster actually needs exempt.
variable "bypass_scope" {
type = string
description = "The list of namespaces to bypass control of by admission controller. Ex: kube-system,kube-public,lacework,mynamespace"
default = "kube-system,kube-public,lacework,lacework-dev"
}
# false (default) leaves `kubectl exec` into pods unrestricted by this controller;
# RBAC on pods/exec is the other control for that and is not managed here.
variable "block_exec" {
type = bool
description = "Block command execution (kubectl exec) on pods by admission controller."
default = false
}
# Seconds the webhook waits on the proxy scanner. Equal to webhook_timeout by
# default, so when the scanner takes this long the API server's own timeout
# likely expires first and the outcome is decided by failure_policy (fail-open
# unless "Fail"). NOTE(review): keep this below webhook_timeout so a scanner
# timeout surfaces as a scanner error that block_on_error can act on.
variable "admission_scanner_timeout" {
type = number
description = "Default timeout for communication between admission controller and proxy scanner."
default = 30
}
# Default disables certificate verification toward the proxy scanner, so the
# webhook would accept any certificate (an on-cluster attacker could impersonate
# the scanner and return clean verdicts). Presumably only meaningful when
# skip_cert is false — with the default skip_cert = true there is no TLS to
# verify at all. NOTE(review): set false with a trusted ca_cert in production.
variable "skip_verify" {
type = bool
description = "Skip SSL verification between the webhook and the proxy scanner."
default = true
}
# Registry assumed for image references that carry no registry host; affects
# which registry the scanner pulls from, not where the cluster pulls from.
variable "default_registry" {
type = string
description = "Default registry for proxy scanner to use when none is provided in image name."
default = "index.docker.io"
}
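# Fail-open by default: a scanner error (unreachable, timeout, registry failure)
# lets the request through. Set true where a scan result is required for
# admission; failure_policy separately governs failures of the webhook itself.
variable "block_on_error" {
type = bool
description = "Block the admission request if the proxy scanner returns an error."
default = false
}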
#certificate parameters
# CA certificate (PEM, presumably — confirm the expected encoding in main.tf).
# Required only when use_self_signed_certs is false; not secret material.
variable "ca_cert" {
type = string
description = "Root certificate for TLS authentication with the K8s api server. If use_self_signed_certs is false, this is required. Otherwise a self-signed cert will be created."
default = ""
}
# Webhook serving certificate, signed by ca_cert. Required only when
# use_self_signed_certs is false; not secret material.
variable "server_certificate" {
type = string
description = "Certificate for TLS authentication with the K8s api server. If use_self_signed_certs is false, this is required. Otherwise a self-signed cert will be created."
default = ""
}
# Private key for the webhook serving certificate — secret material.
# NOTE(review): add `sensitive = true` (Terraform >= 0.14) so it is redacted
# from plan/apply output; it is still written to state, so keep the state
# backend encrypted and access-controlled.
variable "server_key" {
type = string
description = "Certificate key for TLS authentication with the K8s api server. If use_self_signed_certs is false, this is required. Otherwise a self-signed cert will be created."
default = ""
}
# Default true: controller <-> proxy scanner traffic is unencrypted; only the
# API server <-> webhook leg is TLS. Whatever the two exchange then crosses the
# cluster network in the clear. NOTE(review): set false in production; with TLS
# on, skip_verify controls whether the scanner's certificate is checked.
variable "skip_cert" {
type = bool
description = "Skip encrypted communication between admission controller and proxy scanner using certificate. Default is to skip. If set to false, certificate used will be based on use_self_signed_certs setting."
default = true
}
#proxy scanner parameters
# Name of the proxy scanner Deployment; only used when deploy_combined is true
# (presumably — confirm in main.tf).
variable "proxy_scanner_name" {
type = string
description = "The name for the Lacework proxy scanner deployment."
default = "lacework-proxy-scanner"
}
# Repository only — no registry host and no digest. NOTE(review): same
# supply-chain caveat as admission_controller_image: prefer a digest pin.
variable "proxy_scanner_image" {
type = string
description = "The image to use for deploying the Lacework proxy scanner."
default = "lacework/lacework-proxy-scanner"
}
# Default "latest" is a mutable tag and image_pull_policy defaults to Always, so
# the scanner re-pulls whatever the tag points to on each pod start.
# NOTE(review): pin a release tag or digest in production.
variable "proxy_scanner_image_tag" {
type = string
description = "The image tag to use for deploying the Lacework proxy scanner."
default = "latest"
}
# Passed through as the scanner's LOG_LEVEL environment variable. Not validated
# here; "debug" may log registry/request details — keep "info" in production.
variable "proxy_scanner_log_level" {
type = string
description = "Set the LOG_LEVEL environment variable for proxy scanner. Ex: info, debug"
default = "info"
}
# Lacework API token; no default, so the caller must supply it.
# NOTE(review): add `sensitive = true` (Terraform >= 0.14) to keep it out of
# plan/apply output; supply it via a tfvars file or TF_VAR_ environment variable
# rather than the command line, and encrypt the state backend — it lands in state.
variable "proxy_scanner_token" {
type = string
description = "The token for the Lacework proxy scanner."
}
# Lacework account the scanner reports to; required (no default).
variable "lacework_account_name" {
type = string
description = "The name of your Lacework account (for the proxy scanner)."
}
# In-container path of the scanner's cache. Whether this is backed by a
# persistent volume or an ephemeral emptyDir is decided in main.tf, not here.
variable "static_cache_location" {
type = string
description = "Location of the proxy scanner's cache file."
default = "/opt/lacework/cache"
}
# false (default): images from publicly accessible registries are not scanned.
# NOTE(review): combined with the fail-open defaults above (failure_policy,
# block_on_error) this means public images are admitted unscanned — confirm
# that is intended for the target cluster.
variable "scan_public_registries" {
type = bool
description = "Set to true if you want to scan images from registries that are publicly accessible."
default = false
}
# Untyped (list(any)), so no schema validation happens here; required, no default.
# NOTE(review): if entries carry registry credentials, the same secret-handling
# caveats as proxy_scanner_token apply (sensitive = true, encrypted state).
variable "registries" {
type = list(any)
description = "A list of registries to apply to proxy scanner. See proxy scanner configuration documentation for details."
}