values.yaml

# Default values for Trend Micro Vision One - Container Security.
# This is a YAML-formatted file.

visionOne:
  ## bootstrap token to be used with Trend Micro Vision One Container Security
  ##
  ## Default value: (none)
  bootstrapToken:
  ## endpoint is the url of Trend Micro Vision One Container Security service
  ## Allows for full endpoint to be provided or the Vision One region (ex: us-1).
  ##
  ## Default value: https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs
  endpoint: https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs

  ## Fields for automated cluster registration only
  ## Cluster name to be used during automated cluster registration. This takes precedence over clusterNamePrefix
  ## clusterName must be less than 64 characters
  ##
  ## Default value: (none)
  clusterName:
  ## Cluster name prefix to be used during automated cluster registration
  ## clusterNamePrefix must be less than 16 characters
  ##
  ## Default value: (none)
  clusterNamePrefix:
  ## Policy ID to be used when registering the cluster. Takes precedence over policy-as-code
  ##
  ## Default value: (none)
  policyId:
  ## Group ID used during automated cluster registration. Defaults to the default cluster group
  ##
  ## This is required for automated cluster registration
  groupId:
  ## Cluster registration key to be used with Trend Vision One Container Security
  ##
  ## Default value: (none)
  clusterRegistrationKey: false

  exclusion:
    ## List of namespaces for which events will not be generated.
    ## This setting helps reduce unnecessary runtime event counts for known privileged components.
    ##
    ## Openshift considers the namespaces listed in `osNsPrefixes` as privileged.
    ## These namespaces are excluded to prevent critical components from being affected by
    ## admission control policies or mitigation mechanisms.
    ## Meaning for each prefixes:
    ##  - openshift: Excludes all namespaces with the openshift prefix
    ##  - kube: Excludes all namespaces with the kube prefix
    ##  - default: Excludes default namespace
    ##  - dedicated-admin: Excludes OpenShift's dedicated admin namespace
    namespaces:
    - kube-system
    osNsPrefixes:
    - openshift
    - kube
    - default
    - dedicated-admin

  scanJobFIPSMode:
    ## Enable to use the FIPS-compliant scan job image instead of the standard scan job image.
    ##
    ## Default value: false
    enabled: false
    ## The digest of the FIPS-compliant scan job image.
    ## Required when scanJobFIPSMode.enabled is true.
    digest: sha256:af7346207631e8815088617665c32f13d1601362df34ec99c6f1de215e7c078f

  pdigFIPSMode:
    ## Enable to use the FIPS-compliant pdig image instead of the standard pdig image.
    ##
    ## Default value: false
    enabled: false
    ## The digest of the FIPS-compliant pdig image.
    ## Required when pdigFIPSMode.enabled is true.
    digest: sha256:038af5fb530d28e84d70d557e2ab28b9b2683167e66f714486ba94059f7ef3a4

  admissionController:
    enabled: true

    ## validationNamespaceSelector is the namespace selector defined for the validating webhook configuration
    ##
    ## For more information about namespace selectors, please see
    ## https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
    ## https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    validationNamespaceSelector:
      matchExpressions:
      - key: ignoreAdmissionControl
        operator: DoesNotExist

    ## failurePolicy defines the behavior if an unrecognized error or timeout occurs. Enabling
    ## this while not tagging kube-system to be ignored can easily cause the cluster to be
    ## unresponsive.
    ##
    ## Default value: Ignore
    failurePolicy: Ignore

    ## When scannerValidation is enabled, admission-controller validates the user who handle scan jobs for runtime vulnerability scanning feature.
    ## After enabling this, only default scan-manager service account, kube-system components and usernames in the below trustedScanOperators list can handle scan jobs.
    ##
    ## Default value: false
    scannerValidation: false

    ## Specify the source of the imagePullSecrets (kubernetes.io/dockerconfigjson secrets) that provide the private registry credentials needed for image signature verification deployment rules. 
    ## 
    ## Supported values are trendMicroNamespace and customerNamespace
    ## If source is trendMicroNamespace, ensure that the imagePullSecrets have been created in the trendmicro-system namespace.
    ##
    ## Default value if enabled is trendMicroNamespace.
    readPullSecretsFrom: trendMicroNamespace

    ## List of K8s usernames that admission-controller will let handle scan jobs pods
    ##
    ## Default value:
    ##  - aksService
    trustedScanOperators:
    - aksService

    certificate:
      ## commonName is the common name to use in the default signed certificate.
      ##
      ## Default value:
      commonName:

      ## ipAlternativeNames is a list of IP addresses to include as alternate names.
      ## in the default signed certificate.
      ##
      ## Default value: []
      ipAlternativeNames: []

      ## dnsAlternativeNames is a list of DNS names to include as alternate names
      ## in the default signed certificate.
      ##
      ## Default value: []
      dnsAlternativeNames: []

      ## lifetime is the lifetime in days of the default signed certificate.
      ##
      ## Default value: 3650
      lifetime: 3650

    ## webhookTimeoutSeconds defines the timeout used in validating admission webhook.
    ##
    ## Default value: 30
    webhookTimeoutSeconds: 30

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  gkeAllowlistSynchronizer:
    enabled: false

  oversight:
    enabled: true

    ## syncPeriod is the time interval that how often Trend Micro Vision One Container Security will evaluate
    ## the running pods.
    ##
    ## Default value: 3600s
    ## Minimum value: 600s
    ##
    syncPeriod: 3600s

    ## pageSize is the maximum page size when fetching list of pods.
    ##
    ## Default value: 100
    ## Minimum value: 1
    ##
    pageSize: 100


    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  workloadOperator:
    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  scanManager:
    ## Maximum number of scan jobs running at once.
    ##
    ## Default value: 5
    ## Maximum value: 100
    ## Minimum value: 3
    ##
    maxJobCount: 5
    ## activeDeadlineSeconds is the maximum duration a scan job can run before timing out.
    ##
    ## Default value: 300
    ##
    activeDeadlineSeconds: 300

    ## malwareScanActiveDeadlineSeconds is the maximum duration a malware scan job can run before timing out.
    ##
    ## Default value: 3600
    ##
    malwareScanActiveDeadlineSeconds: 3600

    ## secretScanActiveDeadlineSeconds is the maximum duration a secret scan job can run before timing out.
    ##
    ## Default value: 3600
    ##
    secretScanActiveDeadlineSeconds: 3600

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  runtimeSecurity:
    enabled: false
    customRules:
      rulesetTag: customrule
      configmap:
        name: ''
      ociRepository:
        # These fields are subject to change
        enabled: false
        every: 6h0m0s
        ruleFiles: []
        artifactUrls: []
        basicAuthTokenSecretName: ''
        registryCredsSecretName: ''
      params:
        clusterName: ''

  complianceScan:
    enabled: true
    ## activeDeadlineSeconds is the maximum duration a compliance scan job can run before timing out.
    ##
    ## Default value: 600
    ##
    activeDeadlineSeconds: 600

  vulnerabilityScanning:
    enabled: false

  fargateInjector:
    enabled: false
    logLevel: error
    certificate:
      ## commonName is the common name to use in the default signed certificate.
      ##
      ## Default value:
      commonName:

      ## ipAlternativeNames is a list of IP addresses to include as alternate names.
      ## in the default signed certificate.
      ##
      ## Default value: []
      ipAlternativeNames: []

      ## dnsAlternativeNames is a list of DNS names to include as alternate names
      ## in the default signed certificate.
      ##
      ## Default value: []
      dnsAlternativeNames: []

      ## lifetime is the lifetime in days of the default signed certificate.
      ##
      ## Default value: 3650
      lifetime: 3650

    ## failurePolicy defines the behavior if an unrecognized error or timeout occurs. Enabling
    ## this while not tagging kube-system to be ignored can easily cause the cluster to be
    ## unresponsive.
    ##
    ## Default value: Ignore
    failurePolicy: Ignore

  inventoryCollection:
    ## Minimum value: 5m
    ## Maximum value: 1d
    period: 5m

  k8sMetaCollector:
    ## grpc authentication settings
    grpcAuth:
      ## authentication mode, insecure or tls
      type: tls

      ## certificate settings
      certificate:
        ## lifetime is the lifetime in days of the default signed certificate.
        ##
        ## Default value: 3650
        lifetime: 3650

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  ## malwareScanning is a section that controls the malware scanning feature.
  malwareScanning:
    enabled: false
    excludedPaths: []
    scanTimeoutSeconds: 300

    # maximum real-time scan events in scout
    # Note: increasing this event count may increase memory usage in the Scout DaemonSet
    maximumEventCount: 10000

    scanner:
      ## scanner is a section that controls the malware scanner engine.
      enableScanCache: false
      scanLog: false
      port: 50051
      logLevel: info

      autoscaling:
        enabled: false
        minReplicas: 1
        maxReplicas: 2
        targetCPUUtilization: 800
      readinessProbe:
        tcpSocket:
          port: 50051
        initialDelaySeconds: 10

   ## secretScanning is a section that controls the secret scanning feature
  secretScanning:
    enabled: false

    ## maxFileSize is the maximum file size in bytes that will be scanned
    ##
    ## Default value: 2097152
    maxFileSize: 2097152 # Bytes

    ## scanTimeoutSeconds is the maximum duration a secret scan job can run before timing out.
    ##
    ## Default value: 300
    scanTimeoutSeconds: 300

  ## fileIntegrityMonitoring is a section that controls the file integrity monitoring feature
  fileIntegrityMonitoring:
    enabled: false

    ## sweepInterval is the time interval at which FIM will refresh containers
    sweepInterval: 1m

  auditLogCollector:
    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

    ## webhookPort is the port for the audit webhook endpoint
    ## Used by Falco to receive K8s audit logs
    ##
    ## Default value: 8030
    webhookPort: 8030

    ## ringBufferSize is the size of the event ring buffer
    ## Only set this if you need to override the default value
    ##
    ## Default value: 10000
    # ringBufferSize: 10000

    ## uploadBatchSize is the number of events to upload in a batch
    ## Only set this if you need to override the default value
    ##
    ## Default value: 10
    # uploadBatchSize: 10

    ## uploadInterval is the interval between batch uploads
    ## Only set this if you need to override the default value
    ##
    ## Default value: 5s
    # uploadInterval: 5s

  apiServerModifier:
    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

    ## failurePolicy defines the behavior if an unrecognized error or timeout occurs.
    ## For Gardener seed cluster deployment, use "Fail" to ensure audit configuration is always injected.
    ##
    ## Default value: Fail
    failurePolicy: Fail

    ## webhookTimeoutSeconds defines the timeout used in mutating webhook.
    ##
    ## Default value: 30
    webhookTimeoutSeconds: 30

    ## tlsConfig contains TLS configuration for the API server modifier webhook
    tlsConfig:
      ## minTLSVersion is the minimum TLS version that the server will accept.
      ## Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      ##
      ## Default value: VersionTLS12
      minTLSVersion: VersionTLS12

      ## cipherSuites is a list of supported secure go cipher suites for TLS 1.2 and 1.3.
      ##
      ## Default value: List of secure cipher suites
      cipherSuites:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    certificate:
      ## commonName is the common name to use in the default signed certificate.
      ##
      ## Default value:
      commonName:

      ## ipAlternativeNames is a list of IP addresses to include as alternate names.
      ## in the default signed certificate.
      ##
      ## Default value: []
      ipAlternativeNames: []

      ## dnsAlternativeNames is a list of DNS names to include as alternate names
      ## in the default signed certificate.
      ##
      ## Default value: []
      dnsAlternativeNames: []

      ## lifetime is the lifetime in days of the default signed certificate.
      ##
      ## Default value: 3650
      lifetime: 3650

    ## metricsPort is the port for the metrics endpoint
    ##
    ## Default value: 8040
    metricsPort: 8040

    ## healthProbePort is the port for the health probe endpoint
    ##
    ## Default value: 8050
    healthProbePort: 8050

    ## webhookPort is the port for the mutating webhook endpoint
    ##
    ## Default value: 8060
    webhookPort: 8060

  policyOperator:
    ## reconciliationPeriod is the time interval at which policy operator will reconcile the custom resources
    ## Minimum value: 5m
    ## Maximum value: 1h
    reconciliationPeriod: 5m

    ## policySyncInterval is the time interval at which policy operator will sync the policy config from vision one
    ## Minimum value: 1m
    ## Maximum value: 1h
    policySyncInterval: 5m

    ## clusterPolicyName is the name of the policy that will be reconciled by the policy operator
    ## Only one policy can be reconciled by the policy operator and applied to the cluster
    ## Use the name defined here as the name of the cluster policy custom resource
    ## The policy name will also be used as vision one policy name
    ##
    ## Default value: trendmicro-cluster-policy
    clusterPolicyName: trendmicro-cluster-policy

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

    ## enableNetworkPolicyCreation allows policy operator to create the Kubernetes network policy if it doesn't exist.
    ## The created network policy is used to perform `isolate` mitigation. The created network policy will not be cleaned up automatically.
    ##
    ## Default value: true
    ##
    enableNetworkPolicyCreation: true

    ## enableRuntimeMitigation allows policy operator to apply runtime mitigation to the pods that violate the policy.
    ## Mitigation sources can include runtime security, malware scans and continuous evaluation of pod spec.
    ## Supported mitigation types are: Terminate, Isolate, and IsolateRestore
    ##
    ## Default value: true
    ##
    enableRuntimeMitigation: true

    ## servicePort is the port that the policy operator will run the http server on to serve the policy config and handle the mitigation requests
    ##
    ## Default value: 8070
    servicePort: 8070

    ## metricsPort is the port for the metrics endpoint
    ##
    ## Default value: 8080
    metricsPort: 8080

    ## healthProbePort is the port for the health probe endpoint
    ##
    ## Default value: 8090
    healthProbePort: 8090

  experimental:
    ## enable the experimental features. Experimental features are not supported in production environments,
    ## considered unstable and may be removed or changed in future releases.
    enabled: false

## Audit Log Collection Configuration
## Enables collection of Kubernetes API server audit logs for RBAC tracking
auditLogCollection:
  ## enabled controls whether audit log collection is enabled
  ##
  ## Default value: false
  enabled: false

  ## provider specifies the audit log provider type
  ## Supported values: selfManaged, eks, aks, gke, gardener
  ##
  ## Default value: ""
  provider: ""

  gardener:
    ## seedCluster determines whether this is a Gardener seed cluster deployment
    ## When true: deploys only seed cluster components (audit-log-collector, api-server-modifier, policy-operator)
    ## When false: deploys standard V1CS components with audit log collection enabled
    ##
    ## Default value: false
    seedCluster: false

    ## CRD Installation Configuration for Seed Cluster
    ## Only applies when seedCluster is true
    crds:
      ## install controls whether CRDs are created in seed cluster mode
      ## When true: CRDs are installed only if they don't already exist (auto-detection via lookup)
      ## When false: CRDs are never installed (force skip)
      ## In non-seed-cluster mode, CRDs are always installed regardless of this setting
      ##
      ## Default value: true
      install: true

  selfManaged:
    ## apiServerManifestPath is the path to the kube-apiserver static pod manifest
    ## Only used when provider is selfManaged
    ##
    ## Default value: /etc/kubernetes/manifests/kube-apiserver.yaml
    apiServerManifestPath: "/etc/kubernetes/manifests/kube-apiserver.yaml"

    ## auditConfigPath is the directory where audit configuration files will be written
    ## Only used when provider is selfManaged
    ##
    ## Default value: /etc/kubernetes/audit
    auditConfigPath: "/etc/kubernetes/audit"

  eks:
    ## AWS region where the EKS cluster is located
    ## Required when provider is eks
    ##
    ## Default value: ""
    region: ""

    ## EKS cluster name
    ## Required when provider is eks
    ##
    ## Default value: ""
    clusterName: ""

  aks:
    ## Azure Event Hub namespace connection string
    ## Required when provider is aks
    ##
    ## Default value: ""
    eventHubConnectionString: ""

    ## Azure Event Hub name
    ## Required when provider is aks
    ##
    ## Default value: ""
    eventHubName: ""

    ## Azure Blob Storage connection string
    ## Required when provider is aks
    ##
    ## Default value: ""
    blobStorageConnectionString: ""

    ## Azure Blob Storage container name
    ## Required when provider is aks
    ##
    ## Default value: ""
    blobStorageContainerName: ""

  gke:
    ## GCP project ID
    ## Required when provider is gke
    ##
    ## Default value: ""
    gcpProjectId: ""

    ## Pub/Sub subscription name for audit logs
    ## Required when provider is gke
    ##
    ## Default value: ""
    pubSubSubscription: ""

    ## GCP service account name for Workload Identity
    ## Required when provider is gke
    ##
    ## Default value: ""
    serviceAccount: ""

spc:
  ## enable the container security mode for Vision One Sovereign Private Cloud
  enabled: false

  ## policySyncInterval is the time interval at which policy operator will sync the policy config from vision one
  ## Minimum value: 10s
  ## Maximum value: 5m
  policySyncInterval: 1m

  ## encryptionKey is the key for encryption when spc is enabled
  ##
  ## Default value: (none)
  encryptionKey:

securityContextConstraints:
  # enable the Security Context Constraints creation in Openshift
  create: true

serviceAccount:
  ## enable the service account creation. Each component with specific permission will use individual service account.
  ## If set to false, the default service account will be used, which might not have sufficient permission and introduce the failure.
  ##
  ## Default value: true
  create: true

  admissionController:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of admissionController template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  oversight:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of oversight template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

    ## Size of the buffer that will receive mitigation requests
    ##
    ## Default value: 50
    mitigationHandlerBufferSize: 50

    ## Security context constraints to add to the service account
    securityContextConstraints:
      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegedContainer: false
      allowedCapabilities: []
      apiVersion: security.openshift.io/v1
      defaultAddCapabilities: []
      kind: SecurityContextConstraints
      priority:
      readOnlyRootFilesystem: false
      requiredDropCapabilities: []
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: MustRunAs
      supplementalGroups:
        type: RunAsAny
      seccompProfiles:
      - '*'

  usage:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of usage template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  scout:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scout template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  scanManager:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scanManager template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  scanJob:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scanJob template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  complianceScanJob:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of complianceScanJob template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  workloadOperator:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of jobManager template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  fargateInjector:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of scout template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  k8sMetaCollector:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of k8sMetaCollector template
    name: ''

    ## Annotations to add to the service account
    annotations: {}
  policyOperator:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of policyOperator template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  malwareScanner:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of malwareScanner template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  runtimeRuleloader:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of runtimeRuleloader template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  auditLogCollector:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of auditLogCollector template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

  apiServerModifier:
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname of apiServerModifier template
    name: ''

    ## Annotations to add to the service account
    annotations: {}

rbac:
  # Create and use rbac resources
  create: true

networkPolicy:
  ## enabled the network policy.
  ##
  ## Default value: true
  enabled: true
  ## k8s-metacollector network policy, default false
  k8sMetaCollector:
    enabled: false
  ## malwareScanner network policy, default false
  malwareScanner:
    enabled: false

## securityContext specifies the security contexts that we'll apply to the pods.
##
## To use on bottlerocket, set
## securityContext.scout.scout.allowPrivilegeEscalation=true
## securityContext.scout.scout.privileged=true
securityContext:
  ## enabled is a global flag controlling whether security contexts are included at all in the manifest
  ## Default value: true
  enabled: true

  ## default is the default security context that we'll apply at the pod and container level.
  ## if `securityContext.enabled` is true, the `pod` value will be inserted into the `Deployment` manifest
  ## as part of the pod template and the `container` value will be inserted at the container level.
  default:
    pod:
      runAsNonRoot: true
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      # seLinuxOptions: "If unspecified, the container runtime will allocate a random SELinux context for each container": this seems appropriate.
      runAsUser: 65532 # nonroot user
  scanner:
    pod:
      runAsNonRoot: true
    target:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
        add: []
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0 #root user
    init:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 65532 # nonroot user
  scout:
    pod:
      runAsNonRoot: true
    scout:
      allowPrivilegeEscalation: true
      capabilities:
        drop:
        - ALL
        add:
        - SYS_PTRACE
        - SYS_ADMIN
        - DAC_READ_SEARCH
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0
    downloader:
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0
    falco:
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: false
      runAsUser: 0

  malwareScanner:
    pod:
      runAsNonRoot: false
    scanner:
      privileged: false
      runAsNonRoot: false
      runAsUser: 0

  runtimeRuleloader:
    pod:
      runAsNonRoot: false
    ruleloader:
      privileged: false
      runAsNonRoot: false
      runAsUser: 0

  auditLogCollector:
    pod:
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault
    container:
      falco:
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: false
        runAsUser: 0
      auditLogCollector:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: false
        runAsUser: 0

proxy:
  ## httpProxy, if set, will be used as the proxy for outbound HTTP traffic.
  ##
  ## The value may be either a complete URL, a `http://host[:port]` when using a http proxy, or `socks5://host[:port]` when using a socks proxy
  ##
  ## Default value: (none)
  httpProxy:

  ## httpsProxy, if set, will be used as the proxy for outbound HTTPS traffic.
  ## If `httpsProxy` is not set, `httpProxy`
  ## is also checked and will be used if set.
  ##
  ## The value may be either a complete URL, a `http://host[:port]` when using a http proxy, or `socks5://host[:port]` when using a socks proxy
  ##
  ## Default value: (none)
  httpsProxy:

  ## noProxy is a comma-separated list of hosts or CIDR blocks that should not be proxied.
  ##
  ## The value may be a comma-separated list of hosts or CIDR blocks. Ex: "localhost,127.0.0.0/8"
  ##
  ## Default value: (none)
  noProxy:

  ## username, if set, is the user name to provide to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  username:

  ## password, if set, is the password to provide to the outbound proxy when making requests.
  ##
  ## Default value: (none)
  password:

  ## If set to true, Container Security Controllers will not use a proxy when communicating with the Kubernetes service host
  ##
  ## Default value: true
  excludeKubernetesServiceHost: true

  ## self signed certificates, if set, the self signed certificates will be add the in-cluster component's /etc/ssl/certs/ folder
  ##
  ## Default value: (none)
  selfSignedCertificates:
    # Mount a single file from the host node into the container
    # - name: host-file-cert             # Unique volume name
    #   type: hostPath                   # Use "hostPath" to mount a file or directory from the host
    #   path: /root/host-path.crt        # Absolute path to the certificate file or directory on the host

    # Mount a specific key from a Kubernetes Secret as a file into the container
    # - name: secret-cert                # Unique volume name
    #   type: secret                     # Use "secret" to reference a Kubernetes Secret
    #   secretName: my-cert-secret       # Name of the Kubernetes Secret
    #   key: secret.crt                  # Key in the Secret to mount (mounted as /etc/ssl/certs/secret.crt)

    # Mount a specific key from a ConfigMap as a file into the container
    # - name: config-map-cert            # Unique volume name
    #   type: configMap                  # Use "configMap" to reference a Kubernetes ConfigMap
    #   configMapName: my-cert-config    # Name of the Kubernetes ConfigMap
    #   key: config-map.crt              # Key in the ConfigMap to mount (mounted as /etc/ssl/certs/config-map.crt)

logConfig:
  ## devel sets the log mode defaults to development mode if set to true
  ## Development mode defaults encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn)
  ## Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error)
  devel: false

  ## logLevel sets the log verbosity level. Supported values are debug, info, and error
  ## Overrides the logLevel set for each component
  ##
  ## Default value:
  logLevel:

  ## encoder sets the log encoder. Supported values are json and console
  ##
  ## Default value: json
  encoder: json

  ## stackTraceLevel sets the level above which stacktraces are captured
  ## Supported values are info, error or panic
  ##
  ## Default value: error
  stacktraceLevel: error

  ## timeEncoding sets the time encoding format
  ## Supported values are epoch, millis, nano, iso8601, rfc3339 or rfc3339nano
  ##
  ## Default value: rfc3339
  timeEncoding: rfc3339

tlsConfig:
  ## minTLSVersion is the minimum TLS version that the server will accept.
  ## Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
  ##
  ## Default value: VersionTLS12
  minTLSVersion: VersionTLS12

  ## cipherSuites is a list of supported secure go cipher suites for TLS 1.2 and 1.3.
  ## The list of supported cipher suites can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
  ##
  ## Default value: List of secure cipher suites
  cipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_AES_128_GCM_SHA256
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256

resources:
  defaults: {}
  oversight:
    requests:
      cpu: 100m
      memory: 20Mi
    limits:
      cpu: 800m
      memory: 1Gi
  usage:
    requests:
      cpu: 100m
      memory: 20Mi
    limits:
      cpu: 800m
      memory: 1Gi
  scout:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: '1'
      memory: 1Gi
  falco:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: '1'
      memory: 1Gi
  scanManager:
    requests:
      cpu: 100m
      memory: 20Mi
    limits:
      cpu: 800m
      memory: 1Gi
  workloadOperator:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: '1'
      memory: 1Gi
  scanner:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      ## no cpu limits specified because it can cause cpu throttle
      memory: 512Mi
  fargateInjector:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: '1'
      memory: 512Mi
  complianceScanner:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      ## no cpu limits specified because it can cause cpu throttle
      memory: 512Mi
  k8sMetaCollector:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: '1'
      memory: 1Gi
  policyOperator:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: '1'
      memory: 1Gi
  malwareScanner:
    requests:
      cpu: 100m
      memory: 1Gi
    limits:
      cpu: '1'
      memory: 2Gi

  runtimeRuleloader:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 512Mi

  auditLogCollector:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: '1'
      memory: 512Mi

  apiServerModifier:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi

nodeSelector:
  ## nodeSelector if set, ensures pods are only assigned to a particular set of nodes.
  ## Defaults apply to all pods created by this chart unless overridden by a non default configuration.
  ## For scanner pods, if inheritNodeSelectorScanner is true, then the overrides specified here will be ignored in favor of the owner resource's nodeSelector.
  ##
  ## Type: map[string]string
  ## Default Value: {}
  defaults: {}

  ## inheritNodeSelectorScanner if set, will inherit the nodeSelectors from the owner resource of the pod
  ##  whose images are being scanned to the respective scanner pods.
  ## By default nodeSelectors are not inherited.
  ##
  ## Default Value: false
  inheritNodeSelectorScanner: false

  ## filterNodeSelectorScanner if set, will only inherit the specified nodeSelectors from the owner resource of the pod
  ##  whose images are being scanned to the respective scanner pods.
  ## By default all nodeSelectors are inherited if inheritNodeSelectorScanner is set to true and filterNodeSelectorScanner is not set.
  ##
  ## Type: map[string]string
  ## Default Value: []
  filterNodeSelectorScanner: {}

tolerations:
  ## tolerations if set, allows (but does not require) the pods to schedule onto nodes with matching taints.
  ## Defaults apply to all pods created by this chart unless overridden by a non default configuration.
  ## For scanner pods, if inheritTolerationsScanner is true, then the overrides specified here will be ignored in favor of the owner resource's tolerations.
  ##
  ## Type: list of map[string]string
  ## Default Value: {}
  defaults: []

  ## inheritTolerationsScanner if set, will inherit the tolerations from the owner resource of the pod
  ##  whose images are being scanned to the respective scanner pods.
  ## By default tolerations are not inherited.
  ##
  ## Default Value: false
  inheritTolerationsScanner: false

  ## filterTolerationsScanner if set, will only inherit the specified tolerations from the owner resource of the pod
  ##  whose images are being scanned to the respective scanner pods.
  ## By default all tolerations are inherited if inheritTolerationsScanner is set to true and filterTolerationsScanner is not set.
  ##
  ## Type: list of map[string]string
  ## Default Value: []
  filterTolerationsScanner: []

affinity:
  ## affinity if set, provides the ability constrain which nodes your pod is eligible to be scheduled on, based on labels.
  ## Defaults apply to all pods created by this chart unless overridden by a non default configuration.
  ##
  ## Default Value: {}
  defaults: {}

## replicas if set, allows for additional replica counts to be set for specified pods.
## NOTE: replicas does not apply to scout
##
## Default Value: {}
replicas: {}

## extraLabels is a dictionary of additional labels that will be added to all resources created by this chart.
##
## Default Value: {}
extraLabels: {}

podAnnotations:
  ## podAnnotations if set, applies additional pod annotations to all pods unless overridden by a non default configuration.
  ##
  ## Default Value: {}
  defaults: {}

priorityClassName:
  ## podAnnotations if set, applies priority class to all pods unless overridden by a non default configuration.
  ##
  ## Default Value: (none)
  default:

scout:
  ## If set to true, excludeSameNamespace will add the namespace in which this helm chart is deployed as an excluded namespace.
  ##
  ## Default Value: true
  excludeSameNamespace: true

  falco:
    ## apiUrl, provide the URL Falco should use to connect to the Kubernetes API.
    ##
    ## Default Value: https://$(KUBERNETES_SERVICE_HOST)
    apiUrl: https://$(KUBERNETES_SERVICE_HOST)

    ## extraArgs, if set will apply additional arguments to falco container
    ##
    ## Default Value: []
    extraArgs: []
    ## env, if set will apply additional environment variables to the falco container
    ##
    ## Default Value: []
    env: []

    ## extra configs applied to falco container
    config: {}

    sanitizer_output:
      ## enabled, determines if the output sanitizer feature is enabled
      ##
      ## Default value: false
      enabled: false
      ## At least one pattern is required if enabled is true.
      ##
      ## Expecting key value pairs whose key is falco output fields and value is the regex pattern to be used for matching parts of the output to be redacted.
      ##
      ## example: proc.pcmdline: (?<=--process\s)\s?(\S+)|(?<=--root\s)\s?(\S+)
      patterns:

    docker:
      ## Determines if the docker socket is mounted in the falco container.
      ## Required for docker based runtimes
      enabled: true

      ## socket, determines which socket to mount for enabling docker based runtimes.
      socket: /var/run/docker.sock

    cri:
      ## Determines if the custom cri socket is mounted in the falco container.
      ## Required for cri based runtimes
      enabled: true

      ## socket, determines which socket to mount for enabling cri based runtimes.
      ## Default value: (determined by platform)
      socket:

    dockershim:
      ## Determines if the dockershim socket is mounted in the falco container.
      ## Required for bottlerocket
      enabled: true

      ## socket, determines which socket to mount for enabling dockershim based runtimes.
      ## Default value: (determined by platform)
      socket:

    k0s:
      ## Determines if the k0s socket is mounted in the falco container.
      enabled: true

      ## socket, determines which socket to mount for enabling k0s based runtimes.
      socket:

    k3s:
      ## Determines if the k3s socket is mounted in the falco container.
      enabled: true

      ## socket, determines which socket to mount for enabling k3s based runtimes.
      socket:

    containerd:
      ## Determines if the containerd socket is mounted in the falco container.
      enabled: true

      ## socket, determines which socket to mount for enabling containerd based runtimes.
      socket:

    crio:
      ## Determines if the crio socket is mounted in the falco container.
      enabled: true

      ## socket, determines which socket to mount for enabling crio based runtimes.
      socket:

    ## modernBpf, determine if falco uses ebpf CO-RE if kernel supports.
    ## If it is false or kernel doesn't support ebpf CO-RE, the ebpf driver will be downloaded from Trend Micro Vision One Container Security service.
    ## Default value: true
    modernBpf: true

    ## stdout_enabled sets the status of stdout log output
    ##
    ## Default Value: false
    stdout_enabled: false

    ## syslog_enabled sets the status of syslog output
    ##
    ## Default Value: false
    syslog_enabled: false

    ## least_privileged, determines if falco is running in least privileged mode
    ##
    ## Default Value: false
    least_privileged: false

    ## logLevel sets the log verbosity level for Falco's operational logs. Supported values are "emergency", "alert", "critical",
    ## "error", "warning", "notice", "info", "debug".
    ##
    ## Default value: info
    logLevel: info

    ## ruleset_tags, used for custom rules to identify what ruleset a rule belongs to
    ##
    ## Default Value: []
    ruleset_tags: []

  scout:
    ## falcoInternalEvent, determines how to deal with falco internal event
    ## sysevent: send the internal events as system events to container security backend
    ## log: log the internal events into scout's log
    falcoInternalEvent: [log, sysevent]

    ## extraArgs, if set will apply additional arguments to scout container
    ##
    ## Default Value: []
    extraArgs: []

    ## env, if set will apply additional environment variables to the scout container
    ##
    ## Default Value: []
    env: {}

    ## logLevel sets the log verbosity level. Supported values are debug, info, and error
    ##
    ## Default value: info
    logLevel: info

  downloader:
    ## extraArgs, if set will apply additional arguments to scout container
    ##
    ## Default Value: []
    extraArgs: []

    ## env, if set will apply additional environment variables to the scout container
    ##
    ## Default Value: []
    env: {}

    ## componentType, the type of component to download
    componentType: falco-ebpf-program

    ## componentDir, the directory where the component to be downloaded
    componentDir: /var/component

    ## legacyEbpfKernels, the list of kernel versions that use legacy ebpf
    legacyEbpfKernels: []

malwareScanner:
  defaultExcludedPaths:
  - /proc
  - /dev
  - /sys
  scanWorkerCount: 5

secretScanner:
  defaultExcludedPaths:
  - /proc/*
  - /dev/*
  - /sys/*
  - /var/run/secrets/*
  - /run/secrets/*
  scanWorkerCount: 5

scanner:
  imageAnnotations:
    ## enabled is a global flag controlling whether image annotations are retrieved from the image manifest, the image annotation will be displayed in vulnerability events
    ## Default value: false
    enabled: false
    docker:
      ## Determines if the docker socket is mounted in the scan-job pod.
      ## Required for docker based runtimes
      enabled: true
      ## socket, determines which socket to mount for enabling docker based runtimes.
      socket: /var/run/docker.sock
    cri:
      ## Determines if the cri (containerd or crio) socket is mounted in the scan-job container.
      ## Required for cri based runtimes
      enabled: true
      ## socket, determines which socket to mount for enabling cri based runtimes.
      ## Default value: (determined by platform)
      socket:

runtimeRuleloader:
  ## logLevel sets the log verbosity level for runtimeRuleloader's logs
  ## "error", "warning", "notice", "info", "debug".
  ##
  ## Default value: info
  logLevel: info

images:
  defaults:
    ## Default registry to pull images from. This can be overridden for
    ## each image by specifying the registry attribute at the image level.
    ## If no registry is provided, images will be pulled from your default
    ## registry (which may be Amazon ECR Public Gallery).
    ##
    ## Default value: public.ecr.aws
    registry: public.ecr.aws

    ## Default project / organization to pull images from. This can be
    ## overridden for each image by specifying the project attribute at the
    ## image level.
    ##
    ## Default value: trendmicro/container-security
    project: trendmicro/container-security

    ## Default tag for images to pull. This can be overridden for each image
    ## by specifying the tag attribute at the image level.
    tag: 3.3.5

    ## Default pull policy for images. This can be overridden for each image
    ## by specifying the pullPolicy attribute at the image level.
    ##
    ## Default value: IfNotPresent
    pullPolicy: IfNotPresent

    ## Default secret for pulling images. This can be overridden for each
    ## image by specifying the imagePullSecret attribute at the image level.
    ##
    ## Default value: none
    # imagePullSecret:
  admissionController:
    repository: admission-controller
    digest: sha256:a6df23c958d3d6b8eb43cb19c4e9d426bf661691cc68fd3aa324b4800892014a

  oversight:
    repository: oversight-controller
    digest: sha256:0aec17445c37ce2eaea73345a96427177f56d12931e9f3fb7390c12a19ae5818

  usage:
    repository: usage-controller
    digest: sha256:d49f89742a12869118aaf74cceedb77822412fe85deeb4b6f9c7d0ff37135834

  falco:
    repository: falco
    digest: sha256:e9239ef80d66c88bfda7dfdb90744ae67cc3300c76ba13085525fbceb5455f6a

  scout:
    repository: scout
    digest: sha256:83d23e64464d6020334df1b5aa50bd4ee944ba68343b6c596fcaa54448d3be10

  scanManager:
    repository: scan-manager
    digest: sha256:76f3dae176fa9c4faa57d0a94cd03067b40ac295684dd8f7590354cf81082f58

  scanJob:
    repository: scan-job
    digest: sha256:3e2a3205cad8fb69006754ff4d5f86937b304373462e7270aebe53d7f4bcf161

  complianceScanJob:
    repository: compliance-scan-job
    digest: sha256:4b121bd1c8a882b49bc986c6c753ac0b5b27a1cbd4108022328077b931e2f9ec

  workloadOperator:
    repository: workload-operator
    digest: sha256:220c751642c666f057aec9cb7a550b6aab83dfc25f2c360d57573f7dd3eece46

  fargateInjector:
    repository: fargate-tool
    digest: sha256:c0859c458c5d25ef45bca6204cb7c2b70636f0d61c9532f426979f643edb81a8

  pdig:
    repository: pdig
    digest: sha256:40347e37b66bccc2e64893344ad6fc7bbfb5bdf4adbb44e3014d065fb6ad59e9

  k8sMetaCollector:
    repository: k8s-metacollector
    digest: sha256:6d8f35c2225c91420ebcfba80ba7f1de789f23236a42cb8913339e8ebe8d0774

  policyOperator:
    repository: policy-operator
    digest: sha256:33cf188f77c89b974c27d7971b53f8d40c8d2060ded5411c82962d5bcded8156

  malwareScanner:
    repository: malware-scanner
    digest: sha256:a8c3f2c43abedfe5ab3088f09f25f9950d8e309a188946a161621441019cdd43

  auditLogCollector:
    repository: audit-log-collector
    digest: sha256:829c9fce6a36226d05c5362bb810cf4a26b46bbc0db3d9020c0b07f08dafdd44

  apiServerModifier:
    repository: api-server-modifier
    digest: sha256:b7b39ee0e2c1fa2bbb121c45ee878e407cc81f04b006bce183ea6e6fbf00fe77

##
## Service Gateway Configuration
## Enables Service Gateway proxy support for outbound traffic
##
## Example:
## serviceGateway:
##   enabled: true
##   auth:
##     password: "ABC123456789"
##     expiredDateTime: "2024-12-31T23:59:59Z"
##   appliances:
##     - "192.168.1.100"
##     - "192.168.1.101"
##     - "10.0.0.50"
##   allAppliances: false
##
serviceGateway:
  ## enabled controls whether Service Gateway functionality is enabled
  ##
  ## Default value: false
  enabled: false

  ## allAppliances, when true, retrieves all available service gateway appliances automatically
  ## When false, only uses the appliances specified in the appliances list
  ##
  ## Default value: false
  allAppliances: false

  ## auth contains authentication credentials for Service Gateway
  auth:
    ## password is the Client Security Network credential for Service Gateway authentication
    ## This will be stored in the secret if the secret doesn't exist
    ## After the secret is created, it will use the secret
    ##
    ## Default value: ""
    password: ""

    ## expiredDateTime is the expiration date for the CSN credential
    ## Format: "2024-12-31T23:59:59Z"
    ##
    ## Default value: ""
    expiredDateTime: ""

  ## appliances is a list of Service Gateway appliance endpoints
  ## Each entry should be in the format "ip:port"
  ## Only used when allAppliances is false
  ##
  ## Default value: []
  appliances: []

##
## Determine whether to use existing secrets in the target namespace rather than
## specifying in overrides.yaml. Useful if you want to manage secrets on your own, e.g., in argocd.
##
## When this is enabled, typically you will need these secrets created in your target namespace.
## (names may vary depending on your settings):
##
## - trendmicro-container-security-auth
## - trendmicro-container-security-outbound-proxy-credentials
##
## You can fill overrides.yaml and use helm install --dry-run to generate these secret's
## template.
##
## After deployment, if you update the secret after deployment, you will need to restart pods of
## container security to make changes take effect.
##
useExistingSecrets:
  ## containerSecurityAuth, if set to true, will use the existing secret for container security authentication.
  ## The secret should be named trendmicro-container-security-bootstrap-token in the target namespace if this is enabled.
  ## The secret should contain base64 encoded Vision One bootstrap token in the bootstrap.token field.
  ##
  ## Default value: false
  containerSecurityAuth: false

  ## outboundProxy, if set to true, will use the existing secret for outbound proxy.
  ## The secret should be named trendmicro-container-security-outbound-proxy-credentials in the target namespace if this is enabled.
  ## For secret format, see templates/outbound-proxy.yaml
  ##
  ## Default value: false
  outboundProxy: false

  ## serviceGateway, if set to true, will use the existing secret for service gateway credentials.
  ## The secret should be named trendmicro-container-security-service-gateway-credentials in the target namespace if this is enabled.
  ## For secret format, see templates/service-gateway-secret.yaml
  ##
  ## Default value: false
  serviceGateway: false

  ## operatorSecrets, if set to true, will attempt to reuse existing secret values when deploying.
  ## If these secrets are not found, new values will be generated.
  ## operatorSecrets will be set to true in Helm deployed as part of the OpenShift Operator.
  ##
  ## trendmicro-admission-controller-tls-certificate
  ## trendmicro-scan-manager-tls-certificate
  ## trendmicro-fargate-injector-tls-certificate
  ## trendmicro-k8s-metacollector-tls-certificate
  ## 
  ## Default value: false
  operatorSecrets: false