!!! info "Directory Context" This document is part of the Usage Directory. See the Usage Directory Inventory for related resources.
This guide explains how to use Helm values files to configure and customize the Secure Kubernetes Container Scanning Helm charts. Values files provide a way to specify multiple configuration options in a single file, making it easier to manage complex configurations and maintain consistency across environments.
A values file is a YAML file that contains configuration settings for a Helm chart. The structure mirrors the chart's value hierarchy:
# Example values.yaml for standard-scanner
common-scanner:
scanner-infrastructure:
targetNamespace: scanning-namespace
rbac:
useResourceNames: true
resourceNames:
- app-pod-1
- app-pod-2
safCli:
thresholdConfig:
compliance:
min: 90
failed:
critical:
max: 0
high:
max: 0
testPod:
deploy: false# values-development.yaml
common-scanner:
scanner-infrastructure:
targetNamespace: dev-scanning
rbac:
useLabelSelector: true
podSelectorLabels:
environment: development
safCli:
thresholdConfig:
compliance:
min: 70
failed:
critical:
max: 0
high:
max: 5
medium:
max: 10
testPod:
deploy: true
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi# values-production.yaml
common-scanner:
scanner-infrastructure:
targetNamespace: prod-scanning
rbac:
useLabelSelector: true
podSelectorLabels:
environment: production
scan-target: "true"
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/scanner-role
safCli:
thresholdConfig:
compliance:
min: 95
failed:
critical:
max: 0
high:
max: 0
medium:
max: 2
testPod:
deploy: false# values-standard-scanner.yaml
common-scanner:
scanner-infrastructure:
targetNamespace: scanning-namespace
rbac:
rules:
core:
enabled: true
ephemeralContainers:
enabled: false
scripts:
includeScanScript: true
includeDistrolessScanScript: false
includeSidecarScanScript: false
testPod:
deploy: true
image: ubuntu:20.04
command: ["/bin/sh", "-c", "while true; do sleep 3600; done"]# values-distroless-scanner.yaml
common-scanner:
scanner-infrastructure:
targetNamespace: scanning-namespace
rbac:
rules:
core:
enabled: true
ephemeralContainers:
enabled: true
scripts:
includeScanScript: false
includeDistrolessScanScript: true
includeSidecarScanScript: false
testPod:
deploy: true
image: gcr.io/distroless/base:latest
command: ["/bin/sleep", "3600"]
debugContainer:
image: alpine:3.15
timeout: 300
securityContext:
runAsNonRoot: true
runAsUser: 10000
readOnlyRootFilesystem: true# values-sidecar-scanner.yaml
common-scanner:
scanner-infrastructure:
targetNamespace: scanning-namespace
rbac:
rules:
core:
enabled: true
scripts:
includeScanScript: false
includeDistrolessScanScript: false
includeSidecarScanScript: true
testPod:
deploy: true
targetImage: nginx:latest
shareProcessNamespace: true
scanner:
image: chef/inspec:5.18.14
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 200m
memory: 512Mi
securityContext:
runAsNonRoot: true
runAsUser: 10000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
profiles:
default:
enabled: true
custom:
- name: custom-profile
configMap: custom-profiles
path: /custom-profile# values-aws.yaml
common-scanner:
scanner-infrastructure:
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/scanner-role# values-gke.yaml
common-scanner:
scanner-infrastructure:
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: [email protected]# values-aks.yaml
common-scanner:
scanner-infrastructure:
serviceAccount:
annotations:
azure.workload.identity/client-id: 00000000-0000-0000-0000-000000000000# Install with custom values file
helm install standard-scanner ./helm-charts/standard-scanner -f values-standard-scanner.yamlYou can combine multiple values files:
# Combine base values with environment-specific values
helm install standard-scanner ./helm-charts/standard-scanner \
-f values-standard-scanner.yaml \
-f values-production.yaml \
-f values-aws.yamlValues are merged with later files taking precedence.
You can override specific values:
# Use values file with specific overrides
helm install standard-scanner ./helm-charts/standard-scanner \
-f values-standard-scanner.yaml \
--set common-scanner.scanner-infrastructure.targetNamespace=custom-namespace \
--set testPod.deploy=false# values-template.yaml
common-scanner:
scanner-infrastructure:
targetNamespace: ${NAMESPACE}
rbac:
useLabelSelector: true
podSelectorLabels:
environment: ${ENVIRONMENT}
safCli:
thresholdConfig:
compliance:
min: ${COMPLIANCE_MIN}
testPod:
deploy: ${DEPLOY_TEST_POD}# Replace variables with environment values
envsubst < values-template.yaml > values-generated.yaml
# Install with generated values
helm install standard-scanner ./helm-charts/standard-scanner -f values-generated.yamlValidate your values file before applying:
# Validate values file
helm install --debug --dry-run standard-scanner ./helm-charts/standard-scanner -f values.yaml