/armo-helm

Helm charts for the Kubescape cluster solution

Primary LanguageSmartyApache License 2.0Apache-2.0

ARMO cluster components

ARMO Vulnerability Scanning

Version: 1.7.17 Type: application AppVersion: v1.7.17

Docs

Installing ARMO cluster components in a Kubernetes cluster Using Helm:

  1. Add the Vulnerability Scanning Helm Repo
helm repo add armo https://armosec.github.io/armo-helm/
  1. Update helm repo
helm repo update
  1. Install the Helm Chart, use your account ID and give your cluster a name

if you ran kubescape cli tool and submitted, you can get your Account ID from the local cache:

kubescape config view | grep -i accountID

Otherwise, get the account ID from the kubescape SaaS

Run the install command:

helm upgrade --install armo  armo/armo-cluster-components -n armo-system --create-namespace --set accountGuid=<my_account_guid> --set clusterName=`kubectl config current-context`

Add --set clientID=<generated client id> --set secretKey=<generated secret key> if you have generated an auth key

Add --set armoKubescape.serviceMonitor.enabled=true for installing the Prometheus service monitor, read more about Prometheus integration

Chart support

Values

Key Type Default Description
armoCollector.affinity object {} Assign custom affinity rules to the StatefulSet
armoCollector.enabled bool true enable/disable the armoCollector
armoCollector.env[0] object {"name":"PRINT_REPORT","value":"false"} print in verbose mode (print all reported data)
armoCollector.image.repository string "quay.io/kubescape/kollector" source code
armoCollector.nodeSelector object {} Node selector
armoCollector.volumes object [] Additional volumes for the collector
armoCollector.volumeMounts object [] Additional volumeMounts for the collector
armoKubescape.affinity object {} Assign custom affinity rules to the deployment
armoKubescape.downloadArtifacts bool true download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus)
armoKubescape.enableHostScan bool true enable host scanner feature
armoKubescape.enabled bool true enable/disable kubescape scanning
armoKubescape.image.repository string "quay.io/armosec/kubescape" source code (public repo)
armoKubescape.nodeSelector object {} Node selector
armoKubescape.serviceMonitor.enabled bool false enable/disable service monitor for prometheus (operator) integration
armoKubescape.skipUpdateCheck bool false skip check for a newer version
armoKubescape.submit bool true submit results to ARMO SaaS: https://cloud.armosec.io/
armoKubescape.volumes object [] Additional volumes for Kubescape
armoKubescape.volumeMounts object [] Additional volumeMounts for Kubescape
armoKubescapeScanScheduler.enabled bool true enable/disable a kubescape scheduled scan using a CronJob
armoKubescapeScanScheduler.image.repository string "quay.io/armosec/http_request" source code (public repo)
armoKubescapeScanScheduler.scanSchedule string "0 0 * * *" scan schedule frequency
armoKubescapeScanScheduler.volumes object [] Additional volumes for scan scheduler
armoKubescapeScanScheduler.volumeMounts object [] Additional volumeMounts for scan scheduler
armoNotificationService.affinity object {} Assign custom affinity rules to the deployment
armoNotificationService.enabled bool true enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings
armoNotificationService.image.repository string "quay.io/kubescape/gateway" source code
armoNotificationService.nodeSelector object {} Node selector
armoNotificationService.volumes object [] Additional volumes for the notification service
armoNotificationService.volumeMounts object [] Additional volumeMounts for the notification service
armoVulnScanner.affinity object {} Assign custom affinity rules to the deployment
armoVulnScanner.enabled bool true enable/disable image vulnerability scanning
armoVulnScanner.image.repository string "quay.io/kubescape/kubevuln" source code
armoVulnScanner.nodeSelector object {} Node selector
armoVulnScanner.volumes object [] Additional volumes for the image vulnerability scanning
armoVulnScanner.volumeMounts object [] Additional volumeMounts for the image vulnerability scanning
armoVulnScanScheduler.enabled bool true enable/disable a image vulnerability scheduled scan using a CronJob
armoVulnScanScheduler.image.repository string "quay.io/armosec/http_request" source code (public repo)
armoVulnScanScheduler.scanSchedule string "0 0 * * *" scan schedule frequency
armoVulnScanScheduler.volumes object [] Additional volumes for scan scheduler
armoVulnScanScheduler.volumeMounts object [] Additional volumeMounts for scan scheduler
armoWebsocket.affinity object {} Assign custom affinity rules to the deployment
armoWebsocket.enabled bool true enable/disable kubescape and image vulnerability scanning
armoWebsocket.image.repository string "quay.io/kubescape/kontroller" source code
armoWebsocket.nodeSelector object {} Node selector
armoWebsocket.volumes object [] Additional volumes for the web socket
armoWebsocket.volumeMounts object [] Additional volumeMounts for the web socket
armoKubescapeHostScanner.volumes object [] Additional volumes for the host scanner
armoKubescapeHostScanner.volumeMounts object [] Additional volumeMounts for the host scanner
aws_iam_role_arn string nil AWS IAM arn role
clientID string "" client ID, read more
addRevisionLabel bool true Add revision label to the components. This will insure the components will restart when updating the helm
cloudRegion string nil cloud region
cloud_provider_engine string nil cloud provider engine
gkeProject string nil GKE project
gke_service_account string nil GKE service account
secretKey string "" secret key, read more
triggerNewImageScan bool false enable/disable trigger image scan for new images
volumes object [] Additional volumes for all containers
volumeMounts object [] Additional volumeMounts for all containers