divingbell/divingbell/values.yaml

# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for divingbell.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

images:
  divingbell: 'ubuntu:20.04'
  pull_policy: IfNotPresent

conf:
  chroot_mnt_path: '/mnt'
  log_colors: False
  extra_verbose: False
  apt:
    upgrade: false
    allow_downgrade: false
    strict: false
    blacklistpkgs:
    - telnetd
    - inetutils-telnetd
    - telnetd-ssl
    - nis
    - ntpdate
    pre_install: null
    post_install: null
#  perm:
#    rerun_policy: always
#    86400 = 1 day
#    rerun_interval: 86400
#    ignore_missing: false
#    paths:
#    -
#      path: '/boot/System.map-*'
#      owner: 'root'
#      group: 'root'
#      permissions: '0640'
#    -
#      path: '/etc/shadow'
#      owner: 'root'
#      group: 'shadow'
#      permissions: '0640'
#    -
#      path: '/etc/gshadow'
#      owner: 'root'
#      group: 'shadow'
#      permissions: '0640'
#    -
#      path: '/etc/passwd'
#      owner: 'root'
#      group: 'root'
#      permissions: '0644'
#    -
#      path: '/etc/group'
#      owner: 'root'
#      group: 'root'
#      permissions: '0644'
#    -
#      path: '/var/log/kern.log'
#      owner: 'syslog'
#      group: 'adm'
#      permissions: '0640'
#    -
#      path: '/var/log/auth.log'
#      owner: 'syslog'
#      group: 'adm'
#      permissions: '0640'
#    -
#      path: '/var/log/syslog'
#      owner: 'syslog'
#      group: 'adm'
#      permissions: '0640'

##  data.values.conf.sysctl
#  sysctl:
#    fs.suid_dumpable: '0'
##  data.values.conf.limits
#  limits:
#    nofile:
#      domain: 'root'
#      type: 'soft'
#      item: 'nofile'
#      value: '101'
#    core_dump:
#      domain: '0:'
#      type: 'hard'
#      item: 'core'
#      value: 0
pod:
  mandatory_access_control:
    type: apparmor
    divingbell-apparmor:
      apparmor: runtime/default
    divingbell-apt:
      apt: runtime/default
    divingbell-ethtool:
      ethtool: runtime/default
    divingbell-exec:
      exec: runtime/default
    divingbell-limits:
      limits: runtime/default
    divingbell-mounts:
      mounts: runtime/default
    divingbell-perm:
      perm: runtime/default
    divingbell-sysctl:
      sysctl: runtime/default
    divingbell-uamlite:
      uamlite: runtime/default
  security_context:
    divingbell:
      pod:
        runAsUser: 65534
      container:
        apt:
          readOnlyRootFilesystem: true
          runAsUser: 0
          privileged: true
        apparmor:
          capabilities:
            add:
              - 'MAC_ADMIN'
          readOnlyRootFilesystem: true
          runAsUser : 0
        ethtool:
          capabilities:
            add:
              - 'NET_ADMIN'
          readOnlyRootFilesystem: true
          runAsUser : 0
        exec:
          readOnlyRootFilesystem: true
          runAsUser: 0
          privileged: true
        limits:
          readOnlyRootFilesystem: true
          runAsUser: 0
        mounts:
          readOnlyRootFilesystem: true
          runAsUser: 0
        perm:
          readOnlyRootFilesystem: true
          runAsUser: 0
        sysctl:
          capabilities:
            add:
              - 'SYS_PTRACE'
              - 'SYS_ADMIN'
              - 'SYS_RAWIO'
          readOnlyRootFilesystem: true
          runAsUser: 0
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        ethtool:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        mounts:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        uamlite:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        sysctl:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        apt:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        limits:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        perm:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
        exec:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 100%
  resources:
    enabled: false
    apparmor:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    ethtool:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    mounts:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    uamlite:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    sysctl:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    limits:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    perm:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    apt:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    exec:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
  probes:
    divingbell:
      apt:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 10
            failureThreshold: 1200
      exec:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 10
            failureThreshold: 1200

network_policy:
  divingbell:
    ingress:
      - {}
    egress:
      - {}

labels:
  apparmor:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  apt:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  ethtool:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  exec:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  limits:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  mounts:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  perm:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  sysctl:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux
  uamlite:
    node_selector_key: kubernetes.io/os
    node_selector_value: linux

manifests:
  daemonset_ethtool: true
  daemonset_mounts: true
  daemonset_uamlite: true
  daemonset_sysctl: true
  daemonset_limits: true
  daemonset_apt: true
  daemonset_apt_remove_old_pkgs: true
  daemonset_perm: true
  daemonset_exec: true
  daemonset_apparmor: true
  network_policy: false