Helm Chart Scanning
When scanning directories or Git repositories, Kubescape automatically identifies directories that contain Helm charts.
Whenever a Helm chart is detected, Kubescape renders the chart templates, using the values.yaml file in the chart's root directory. The rendered manifests are then scanned by Kubescape.
You can submit the results to ARMO Platform when scanning Git repositories.
For usage information, check out Repository scanning.
Limitation
- You cannot override the
Values, which are used for the Helm template rendering. Kubescape can't scan Helm charts that are missing default values.
Supported Helm values
| Key | Type | Default | Description |
|---|---|---|---|
| kollector.affinity | object | {} | Assign custom affinity rules to the StatefulSet |
| kollector.enabled | bool | true | Enable/disable the kollector |
| kollector.env[0] | object | {"name":"PRINT_REPORT","value":"false"} | Print in verbose mode (print all reported data) |
| kollector.image.repository | string | "quay.io/kubescape/kollector" | Source code |
| kollector.nodeSelector | object | {} | Node selector |
| kollector.volumes | object | [] | Additional volumes for the collector |
| kollector.volumeMounts | object | [] | Additional volumeMounts for the collector |
| kubescape.affinity | object | {} | Assign custom affinity rules to the deployment |
| kubescape.downloadArtifacts | bool | true | Download policies every scan. We recommend setting this to true. Use 'false' when running in an air-gapped environment or when scanning with high frequency, for example, when running with Prometheus. |
| kubescape.enableHostScan | bool | true | Enable host scanner feature |
| kubescape.enabled | bool | true | Enable/disable kubescape scanning |
| kubescape.image.repository | string | "quay.io/kubescape/kubescape" | Source code (public repo) |
| kubescape.nodeSelector | object | {} | Node selector |
| kubescape.serviceMonitor.enabled | bool | false | Enable/disable service monitor for prometheus (operator) integration |
| kubescape.skipUpdateCheck | bool | false | Skip check for a newer version |
| kubescape.submit | bool | true | Submit results to ARMO Platform: https://cloud.armosec.io/ |
| kubescape.volumes | object | [] | Additional volumes for Kubescape |
| kubescape.volumeMounts | object | [] | Additional volumeMounts for Kubescape |
| kubescapeScheduler.enabled | bool | true | Enable/disable a kubescape scheduled scan using a CronJob |
| kubescapeScheduler.image.repository | string | "quay.io/kubescape/http_request" | Source code (public repo) |
| kubescapeScheduler.scanSchedule | string | "0 0 * * *" | Scan schedule frequency |
| kubescapeScheduler.volumes | object | [] | Additional volumes for scan scheduler |
| kubescapeScheduler.volumeMounts | object | [] | Additional volumeMounts for scan scheduler |
| gateway.affinity | object | {} | Assign custom affinity rules to the deployment |
| gateway.enabled | bool | true | Enable/disable passing notifications from Kubescape SaaS to the Operator microservice. The notifications are the onDemand scanning and the scanning schedule settings |
| gateway.image.repository | string | "quay.io/kubescape/gateway" | Source code |
| gateway.nodeSelector | object | {} | Node selector |
| gateway.volumes | object | [] | Additional volumes for the notification service |
| gateway.volumeMounts | object | [] | Additional volumeMounts for the notification service |
| kubevuln.affinity | object | {} | Assign custom affinity rules to the deployment |
| kubevuln.enabled | bool | true | Enable/disable image vulnerability scanning |
| kubevuln.image.repository | string | "quay.io/kubescape/kubevuln" | Source code |
| kubevuln.nodeSelector | object | {} | Node selector |
| kubevuln.volumes | object | [] | Additional volumes for the image vulnerability scanning |
| kubevuln.volumeMounts | object | [] | Additional volumeMounts for the image vulnerability scanning |
| kubevulnScheduler.enabled | bool | true | Enable/disable a image vulnerability scheduled scan using a CronJob |
| kubevulnScheduler.image.repository | string | "quay.io/kubescape/http_request" | Source code (public repo) |
| kubevulnScheduler.scanSchedule | string | "0 0 * * *" | Scan schedule frequency |
| kubevulnScheduler.volumes | object | [] | Additional volumes for scan scheduler |
| kubevulnScheduler.volumeMounts | object | [] | Additional volumeMounts for scan scheduler |
| operator.affinity | object | {} | Assign custom affinity rules to the deployment |
| operator.enabled | bool | true | Enable/disable kubescape and image vulnerability scanning |
| operator.image.repository | string | "quay.io/kubescape/operator" | Source code |
| operator.nodeSelector | object | {} | Node selector |
| operator.volumes | object | [] | Additional volumes for the web socket |
| operator.volumeMounts | object | [] | Additional volumeMounts for the web socket |
| kubescapeHostScanner.volumes | object | [] | Additional volumes for the host scanner |
| kubescapeHostScanner.volumeMounts | object | [] | Additional volumeMounts for the host scanner |
| awsIamRoleArn | string | nil | AWS IAM arn role |
| clientID | string | "" | Client ID, read more |
| addRevisionLabel | bool | true | Add revision label to the components. This will insure the components will restart when updating the helm |
| cloudRegion | string | nil | Cloud region |
| cloudProviderEngine | string | nil | Cloud provider engine |
| gkeProject | string | nil | GKE project |
| gkeServiceAccount | string | nil | GKE service account |
| secretKey | string | "" | Secret key, read more |
| triggerNewImageScan | bool | false | Enable/disable trigger image scan for new images |
| volumes | object | [] | Additional volumes for all containers |
| volumeMounts | object | [] | Additional volumeMounts for all containers |
Updated 11 months ago