{{- /* Render the "gatekeeper" values Secret only when gatekeeper or clusterAuditor is enabled.
       The values-secret helper receives two inputs: the overlay values from the
       "bigbang.overlays.gatekeeper" template (parsed with fromYaml) and the chart defaults
       from "bigbang.defaults.gatekeeper" (defined below in this file). How the helper
       combines them is implemented in values-secret, not here. */ -}}
{{- if or .Values.gatekeeper.enabled .Values.clusterAuditor.enabled }}
{{- include "values-secret" (dict "root" $ "package" (dict "values" (fromYaml (include "bigbang.overlays.gatekeeper" .))) "name" "gatekeeper" "defaults" (include "bigbang.defaults.gatekeeper" .)) }}
{{- end }}

{{- define "bigbang.defaults.gatekeeper" -}}
image:
  pullSecrets:
  - name: private-registry
postInstall:
  labelNamespace:
    enabled: false
    image:
      pullSecrets:
      - name: private-registry
postUpgrade:
  cleanupCRD:
    image:
      pullSecrets:
      - name: private-registry

networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
violations:  # Try to keep this in alpha order to make it easier to find keys

  allowedDockerRegistries:
    parameters:
      repos:
        - registry1.dso.mil
        - registry.dso.mil

  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled }}
  allowedHostFilesystem:
    parameters:
      excludedResources:
      {{- if .Values.monitoring.enabled }}
      # Prometheus-node-exporter needs access to the host filesystem to collect node metrics
      - monitoring/monitoring-monitoring-prometheus-node-exporter-.*
      {{- end }}
      {{- if .Values.fluentbit.enabled }}
      # Fluentbit pods need access to the host filesystem to read log files
      - logging/logging-fluent-bit-.*
      {{- end }}
      {{- if .Values.twistlock.enabled }}
      - twistlock/twistlock-defender-ds-.*
      {{- end }}
      {{- if .Values.promtail.enabled }}
      # promtail requires hostpath volume mounts
      # https://github.com/grafana/helm-charts/blob/main/charts/promtail/templates/daemonset.yaml#L120
      - logging/logging-promtail-.*
      {{- end }}
  {{- end }}

  {{- if .Values.twistlock.enabled }}
  hostNetworking:
    parameters:
      excludedResources:
        # Twistlock, by default, does its own network monitoring. hostNetworking is enabled by default for this purpose
        # With hostNetworking enabled, Istio sidecar injection is disabled. If hostNetworking is disabled, Twistlock will
        # not be able to self-monitor. If both Istio sidecar injection and TL monitoring are disabled, a security gap will
        # be created for network monitoring in Twistlock, so it is important to make sure at least one is enabled.
        - twistlock/twistlock-defender-ds-.*
  noHostNamespace:
    parameters:
      excludedResources:
        - twistlock/twistlock-defender-ds-.*
  {{- end }}

  imageDigest:
    enabled: false