diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml
index dbaa61c3..1ec9f4b6 100644
--- a/stable/k8s-inventory/Chart.yaml
+++ b/stable/k8s-inventory/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: k8s-inventory
-version: 0.4.0
+version: 0.4.1
 appVersion: "1.6.0"
 description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster
 keywords:
diff --git a/stable/k8s-inventory/README.md b/stable/k8s-inventory/README.md
index e6b00bca..650947cd 100644
--- a/stable/k8s-inventory/README.md
+++ b/stable/k8s-inventory/README.md
@@ -51,7 +51,7 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more
 | `replicaCount` | Number of replicas for the K8s Inventory deployment | `1` |
 | `image.pullPolicy` | Image pull policy used by the K8s Inventory deployment | `IfNotPresent` |
 | `image.repository` | Image used for the K8s Inventory deployment | `anchore/k8s-inventory` |
-| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.4.0` |
+| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.6.0` |
 | `imagePullSecrets` | secrets where Kubernetes should get the credentials for pulling private images | `[]` |
 | `nameOverride` | overrides the name set on resources | `""` |
 | `fullnameOverride` | overrides the fullname set on resources | `""` |
@@ -79,35 +79,50 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more | `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `15` | | `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | | `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | | `useExistingSecret` | Specify whether to use an existing secret | `false` | | `existingSecretName` | if using an existing secret, specify the existing secret name | `""` | ### k8sInventory Parameters ## -| Name | Description | Value | -| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| `k8sInventory.output` | The output format of the report (options: table, json) | `json` | -| `k8sInventory.quiet` | Determine whether or not to log the inventory report to stdout | `false` | -| `k8sInventory.verboseInventoryReports` | Determine whether or not to log the inventory report to stdout | `false` | -| `k8sInventory.log.structured` | Determine whether or not to use structured logs | `false` | -| `k8sInventory.log.level` | the level of verbosity for logs | `debug` | -| `k8sInventory.log.file` | location to write the log file (default is not to have a log file) | `""` | -| `k8sInventory.kubeconfig.path` | Path should not be changed | `use-in-cluster` | -| `k8sInventory.kubeconfig.cluster` | Tells Anchore which cluster this inventory is coming from | `docker-desktop` | -| `k8sInventory.namespaceSelectors.include` | Which namespaces to search as explicit strings, not regex; Will search all namespaces if empty array | `[]` | -| `k8sInventory.namespaceSelectors.exclude` | Which namespaces to exclude can use explicit strings and/or 
regexes. | `[]` | -| `k8sInventory.mode` | Can be one of adhoc, periodic (defaults to adhoc) | `periodic` | -| `k8sInventory.pollingIntervalSeconds` | Only respected if mode is periodic | `60` | -| `k8sInventory.kubernetes.requestTimeoutSeconds` | Sets the request timeout for kubernetes API requests | `60` | -| `k8sInventory.kubernetes.requestBatchSize` | Sets the number of objects to iteratively return when listing resources | `100` | -| `k8sInventory.kubernetes.workerPoolSize` | Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed | `100` | -| `k8sInventory.missingTagPolicy.policy` | One of the following options [digest, insert, drop]. Default is 'digest' | `digest` | -| `k8sInventory.missingTagPolicy.tag` | Dummy tag to use. Only applicable if policy is 'insert'. Defaults to UNKNOWN | `UNKNOWN` | -| `k8sInventory.missingRegistryOverride` | | `""` | -| `k8sInventory.ignoreNotRunning` | Ignore images out of pods that are not in a Running state | `true` | -| `k8sInventory.anchore.url` | the url of the anchore platform | `""` | -| `k8sInventory.anchore.user` | the username of the anchore platform. 
The user specified must be an admin user or have full-control, or read-write RBAC permissions | `""` | -| `k8sInventory.anchore.password` | the password of the anchore platform | `""` | -| `k8sInventory.anchore.account` | the account to send data to | `admin` | -| `k8sInventory.anchore.http.insecure` | whether or not anchore is using ssl/tls | `true` | -| `k8sInventory.anchore.http.timeoutSeconds` | the amount of time in seconds before timing out | `10` | +| Name | Description | Value | +| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `k8sInventory.output` | The output format of the report (options: table, json) | `json` | +| `k8sInventory.quiet` | Determine whether or not to log the inventory report to stdout | `false` | +| `k8sInventory.verboseInventoryReports` | Determine whether or not to log the inventory report to stdout | `false` | +| `k8sInventory.log.structured` | Determine whether or not to use structured logs | `false` | +| `k8sInventory.log.level` | the level of verbosity for logs | `debug` | +| `k8sInventory.log.file` | location to write the log file (default is not to have a log file) | `""` | +| `k8sInventory.kubeconfig.path` | Path should not be changed | `use-in-cluster` | +| `k8sInventory.kubeconfig.cluster` | Tells Anchore which cluster this inventory is coming from | `docker-desktop` | +| `k8sInventory.namespaceSelectors.include` | Which namespaces to search as explicit strings, not regex; Will search all namespaces if empty array | `[]` | +| `k8sInventory.namespaceSelectors.exclude` | Which namespaces to exclude can use explicit strings and/or regexes. 
| `[]` | +| `k8sInventory.mode` | Can be one of adhoc, periodic (defaults to adhoc) | `periodic` | +| `k8sInventory.pollingIntervalSeconds` | Only respected if mode is periodic | `60` | +| `k8sInventory.kubernetes.requestTimeoutSeconds` | Sets the request timeout for kubernetes API requests | `60` | +| `k8sInventory.kubernetes.requestBatchSize` | Sets the number of objects to iteratively return when listing resources | `100` | +| `k8sInventory.kubernetes.workerPoolSize` | Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed | `100` | +| `k8sInventory.missingTagPolicy.policy` | One of the following options [digest, insert, drop]. Default is 'digest' | `digest` | +| `k8sInventory.missingTagPolicy.tag` | Dummy tag to use. Only applicable if policy is 'insert'. Defaults to UNKNOWN | `UNKNOWN` | +| `k8sInventory.missingRegistryOverride` | | `""` | +| `k8sInventory.ignoreNotRunning` | Ignore images out of pods that are not in a Running state | `true` | +| `k8sInventory.accountRouteByNamespaceLabel.key` | Kubernetes label key to use for determining Anchore account to send to | `""` | +| `k8sInventory.accountRouteByNamespaceLabel.defaultAccount` | Fallback account to send to if Anchore account or label is not found | `admin` | +| `k8sInventory.accountRouteByNamespaceLabel.ignoreNamespaceMissingLabel` | If true exclude sending inventory of namespaces that are missing the label | `false` | +| `k8sInventory.metadataCollection.nodes.annotations` | List of annotations to include (explicit or regex) | `[]` | +| `k8sInventory.metadataCollection.nodes.labels` | List of labels to include (explicit or regex) | `[]` | +| `k8sInventory.metadataCollection.nodes.disable` | Remove all optional node metadata from the inventory report | `false` | +| `k8sInventory.metadataCollection.namespaces.annotations` | List of annotations to include (explicit or regex) | `[]` | +| `k8sInventory.metadataCollection.namespaces.labels` | List of labels to 
include (explicit or regex) | `[]` | +| `k8sInventory.metadataCollection.namespaces.disable` | Remove all optional namespace metadata from the inventory report | `false` | +| `k8sInventory.metadataCollection.pods.annotations` | List of annotations to include (explicit or regex) | `[]` | +| `k8sInventory.metadataCollection.pods.labels` | List of labels to include (explicit or regex) | `[]` | +| `k8sInventory.metadataCollection.pods.disable` | Remove all optional pod metadata from the inventory report | `false` | +| `k8sInventory.inventoryReportLimits.namespaces` | Maximum number of namespaces to include in a single report. Default of 0 means no limit | `0` | +| `k8sInventory.anchore.url` | the url of the anchore platform | `""` | +| `k8sInventory.anchore.user` | the username of the anchore platform. The user specified must be an admin user or have full-control, or read-write RBAC permissions | `""` | +| `k8sInventory.anchore.password` | the password of the anchore platform | `""` | +| `k8sInventory.anchore.account` | the account to send data to | `admin` | +| `k8sInventory.anchore.http.insecure` | whether or not anchore is using ssl/tls | `true` | +| `k8sInventory.anchore.http.timeoutSeconds` | the amount of time in seconds before timing out | `10` | diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml index aaaa895a..2a83b3ca 100644 --- a/stable/k8s-inventory/templates/deployment.yaml +++ b/stable/k8s-inventory/templates/deployment.yaml @@ -75,6 +75,9 @@ spec: - name: config-volume mountPath: /etc/xdg/anchore-k8s-inventory/config.yaml subPath: config.yaml + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} envFrom: {{- if not .Values.injectSecretsViaEnv }} - secretRef: 
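Review bot: Both new `with` blocks render user values verbatim through `toYaml` (here under the container's volume mounts, and again in the `.Values.extraVolumes` hunk under the pod's volumes), so the template neither ties a mount to a defined volume nor limits the volume type. A mount whose `name` has no matching entry in `extraVolumes`, or an extra volume that reuses the existing `config-volume` name, only fails when the Deployment is applied, and a `hostPath` entry is passed straight through to the pod. I would state that contract where the values are declared, for example `## entries are rendered verbatim; each extraVolumeMounts name must exist in extraVolumes, and mounts should set readOnly: true`, and leave volume-type restrictions to admission policy. The container and pod spec continue outside both hunks, so any existing securityContext is not visible here.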
@@ -84,6 +87,9 @@ spec: - name: config-volume configMap: name: {{ include "k8sInventory.fullname" . }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 1f0b919b..94fd23dc 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -114,6 +114,23 @@ probes: failureThreshold: 3 successThreshold: 1 +## @param extraVolumes mounts additional volumes to each pod +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +extraVolumes: [] +# - name: mycerts +# secret: +# secretName: mycerts + +## @param extraVolumeMounts mounts additional volumes to each pod +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +extraVolumeMounts: [] +# - name: mycerts +# mountPath: "/etc/ssl/certs" +# subPath: certs +# readOnly: true + ## @param useExistingSecret Specify whether to use an existing secret ## useExistingSecret: false 
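Review bot: The commented `extraVolumeMounts` example mounts the secret at `/etc/ssl/certs`, which would presumably shadow whatever CA bundle the image ships in that directory, so TLS verification against other endpoints may break unless the secret holds a complete bundle. A single-file mount is the safer example; with a constructed file name that would read `mountPath: "/etc/ssl/certs/mycerts.pem"` and `subPath: <key-in-secret>`. The two `@param` lines also carry the same description, which the README table repeats, so `extraVolumes` would read better as `## @param extraVolumes defines additional volumes available to each pod`.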
@@ -209,23 +226,33 @@ k8sInventory: ignoreNamespaceMissingLabel: false ## k8sInventory.metadataCollection Configure/disable metadata collection within a report + ## @param k8sInventory.metadataCollection.nodes.annotations List of annotations to include (explicit or regex) + ## @param k8sInventory.metadataCollection.nodes.labels List of labels to include (explicit or regex) + ## @param k8sInventory.metadataCollection.nodes.disable Remove all optional node metadata from the inventory report + ## @param k8sInventory.metadataCollection.namespaces.annotations List of annotations to include (explicit or regex) + ## @param k8sInventory.metadataCollection.namespaces.labels List of labels to include (explicit or regex) + ## @param k8sInventory.metadataCollection.namespaces.disable Remove all optional namespace metadata from the inventory report + ## @param k8sInventory.metadataCollection.pods.annotations List of annotations to include (explicit or regex) + ## @param k8sInventory.metadataCollection.pods.labels List of labels to include (explicit or regex) + ## @param k8sInventory.metadataCollection.pods.disable Remove all optional pod metadata from the inventory report metadataCollection: nodes: - annotations: [] ## List of annotations to include (explicit or regex) - labels: [] ## List of labels to include (explicit or regex) - disable: false ## Remove all optional node metadata from the inventory report + annotations: [] + labels: [] + disable: false namespaces: - annotations: [] ## List of annotations to include (explicit or regex) - labels: [] ## List of labels to include (explicit or regex) - disable: false ## Remove all optional namespace metadata from the inventory report + annotations: [] + labels: [] + disable: false pods: - annotations: [] ## List of annotations to include (explicit or regex) - labels: [] ## List of labels to include (explicit or regex) - disable: false ## Remove all optional pod metadata from the inventory report + annotations: [] + labels: [] + 
disable: false ## k8sInventory.inventoryReportLimits Specify size limits of individual reports. If report size exceeds limits it will be broken into multiple batches up to the specified size. + ## @param k8sInventory.inventoryReportLimits.namespaces Maximum number of namespaces to include in a single report. Default of 0 means no limit inventoryReportLimits: - namespaces: 0 ## default of 0 means no limit + namespaces: 0 ## @param k8sInventory.anchore.url the url of the anchore platform ## @param k8sInventory.anchore.user the username of the anchore platform. The user specified must be an admin user or have full-control, or read-write RBAC permissions