twistlock values.yaml
domain
Type: string
"bigbang.dev"
Description: domain to use for virtual service
monitoring.enabled
Type: bool
false
Description: Toggle monitoring integration. Only used if the init job is enabled; creates the required metrics user, ServiceMonitor, NetworkPolicy, etc.
serviceMonitor.scheme
Type: string
""
serviceMonitor.tlsConfig
Type: object
{}
Default value (formatted)
{}
sso
Type: object
{"cert":"","client_id":"","console_url":"","enabled":false,"groups":"","idp_url":"","issuer_uri":"","provider_name":"","provider_type":"shibboleth"}
Default value (formatted)
{
"cert": "",
"client_id": "",
"console_url": "",
"enabled": false,
"groups": "",
"idp_url": "",
"issuer_uri": "",
"provider_name": "",
"provider_type": "shibboleth"
}
Description: Configuration of Twistlock's SAML SSO capability. This requires init.enabled=true, valid credentials, and a valid license. Refer to docs/KEYCLOAK.md for additional information.
sso.enabled
Type: bool
false
Description: Toggle SAML SSO
sso.client_id
Type: string
""
Description: SAML client ID
sso.provider_name
Type: string
""
Description: SAML Provider Alias (optional)
sso.provider_type
Type: string
"shibboleth"
Description: SAML Identity Provider. shibboleth is recommended by Twistlock support for Keycloak
sso.issuer_uri
Type: string
""
Description: Identity Provider URL with path to realm, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda
sso.idp_url
Type: string
""
Description: SAML Identity Provider SSO URL, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml
sso.console_url
Type: string
""
Description: Console URL of the Twistlock app. Example: https://twistlock.bigbang.dev (optional)
sso.groups
Type: string
""
Description: Groups attribute (optional)
sso.cert
Type: string
""
Description: X.509 Certificate from Identity Provider (i.e. Keycloak). See docs/KEYCLOAK.md for format. Use the YAML |- block scalar syntax for the multiline string
istio.enabled
Type: bool
false
Description: Toggle istio integration
istio.mtls
Type: object
{"mode":"STRICT"}
Default value (formatted)
{
"mode": "STRICT"
}
Description: Default twistlock peer authentication
istio.mtls.mode
Type: string
"STRICT"
Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic
istio.console.enabled
Type: bool
true
Description: Toggle VirtualService (VS) creation for the console
istio.console.annotations
Type: object
{}
Default value (formatted)
{}
Description: Annotations for VS
istio.console.labels
Type: object
{}
Default value (formatted)
{}
Description: Labels for VS
istio.console.gateways
Type: list
["istio-system/main"]
Default value (formatted)
[
"istio-system/main"
]
Description: Gateways for VS
istio.console.hosts
Type: list
["twistlock.{{ .Values.domain }}"]
Default value (formatted)
[
"twistlock.{{ .Values.domain }}"
]
Description: Hosts for VS
networkPolicies.enabled
Type: bool
false
Description: Toggle network policies
networkPolicies.ingressLabels
Type: object
{"app":"istio-ingressgateway","istio":"ingressgateway"}
Default value (formatted)
{
"app": "istio-ingressgateway",
"istio": "ingressgateway"
}
Description: Labels for ingress pods to allow traffic
networkPolicies.controlPlaneCidr
Type: string
"0.0.0.0/0"
Description: Control Plane CIDR to allow init job communication to the Kubernetes API. The default 0.0.0.0/0 lets the init job reach any address; use kubectl get endpoints kubernetes to get the CIDR range needed for your cluster and narrow it to that.
networkPolicies.nodeCidr
Type: string
nil
Description: Node CIDR to allow defender to communicate with console. Defaults to allowing the "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" and "100.64.0.0/10" networks. Use kubectl get nodes -owide and review the INTERNAL-IP column to derive the CIDR range. Must be an IP CIDR range (x.x.x.x/x, ideally a /16 or /24 to include multiple IPs)
imagePullSecrets
Type: list
[]
Default value (formatted)
[]
Description: Defines the secrets to use when pulling the container images. NOTE: Only the first entry in the list will be used for the Defender deployment
selinuxLabel
Type: string
"disable"
Description: Run Twistlock Console and Defender with a dedicated SELinux label. See https://docs.docker.com/engine/reference/run/#security-configuration
systemd
Type: object
{"enabled":false}
Default value (formatted)
{
"enabled": false
}
Description: systemd configuration
systemd.enabled
Type: bool
false
Description: option to install Twistlock as a systemd service. true or false
console.dataRecovery
Type: bool
true
Description: Enables or Disables data recovery. Values: true or false.
console.image.repository
Type: string
"registry1.dso.mil/ironbank/twistlock/console/console"
Description: Full image name for console
console.image.tag
Type: string
"22.06.197"
Description: Full image tag for console
console.image.imagePullPolicy
Type: string
"IfNotPresent"
Description: Pull policy for console image
console.ports.managementHttp
Type: int
8081
Description: Enables the management HTTP listener.
console.ports.managementHttps
Type: int
8083
Description: Enables the management HTTPS listener.
console.ports.communication
Type: int
8084
Description: Sets the port for communication between the Defender(s) and the Console
console.securityContext
Type: object
{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":2674,"runAsNonRoot":true,"runAsUser":2674}
Default value (formatted)
{
"capabilities": {
"drop": [
"ALL"
]
},
"readOnlyRootFilesystem": true,
"runAsGroup": 2674,
"runAsNonRoot": true,
"runAsUser": 2674
}
Description: Sets the container security context for the console
console.persistence.size
Type: string
"100Gi"
Description: Size of Twistlock PVC
console.persistence.accessMode
Type: string
"ReadWriteOnce"
Description: Access mode for Twistlock PVC
console.syslogAuditIntegration
Type: object
{"enabled":false}
Default value (formatted)
{
"enabled": false
}
Description: Enable syslog audit feature. When integrating with BigBang, make sure to include an exception to Gatekeeper and/or Kyverno for Volume Types.
console.disableCgroupLimits
Type: bool
false
Description: Controls the console container's resource constraints. Set to true to run without limits. See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
console.license
Type: string
""
Description: The license key to use. If not specified, the license must be installed manually.
console.runAsRoot
Type: bool
false
Description: Run Twistlock Console processes as root (default false, twistlock user account). Values: true or false
console.credentials
Type: object
{"password":"change_this_password","username":"admin"}
Default value (formatted)
{
"password": "change_this_password",
"username": "admin"
}
Description: Required if init is enabled. Admin account to use for configuration through the API. Will create the account if Twistlock is a new install; otherwise, an existing account needs to be provided. The default password is a placeholder and must be replaced.
console.credentials.username
Type: string
"admin"
Description: Username of account
console.credentials.password
Type: string
"change_this_password"
Description: Password of account
console.additionalUsers
Type: list
[]
Default value (formatted)
[]
Description: Additional users to set up. This requires init.enabled=true, valid credentials, and a valid license.
console.updateUsers
Type: bool
false
Description: Toggles whether to update the additionalUsers if the user is already created (e.g. on upgrades). This would overwrite the existing user configuration.
console.options.enabled
Type: bool
true
Description: Toggle setting all options in this section
console.options.network
Type: object
{"container":true,"host":true}
Default value (formatted)
{
"container": true,
"host": true
}
Description: Network monitoring options
console.options.network.container
Type: bool
true
Description: Toggle network monitoring of containers
console.options.network.host
Type: bool
true
Description: Toggle network monitoring of hosts
console.options.logging
Type: bool
true
Description: Toggle logging Prisma Cloud events to standard output
console.options.telemetry
Type: bool
false
Description: Toggle sending product usage data to Palo Alto Networks
console.volumeUpgrade
Type: bool
true
Description: This value should be enabled when upgrading from a version <=0.10.0-bb.1 in order to allow the console to run as non-root
console.trustedImages
Type: object
{"defaultEffect":"alert","enabled":true,"name":"BigBang-Trusted","registryMatches":["registry1.dso.mil/ironbank/*"]}
Default value (formatted)
{
"defaultEffect": "alert",
"enabled": true,
"name": "BigBang-Trusted",
"registryMatches": [
"registry1.dso.mil/ironbank/*"
]
}
Description: Trusted images settings
console.trustedImages.enabled
Type: bool
true
Description: Toggle deployment and updating of trusted image settings
console.trustedImages.registryMatches
Type: list
["registry1.dso.mil/ironbank/*"]
Default value (formatted)
[
"registry1.dso.mil/ironbank/*"
]
Description: List of regex matches for images to trust
console.trustedImages.name
Type: string
"BigBang-Trusted"
Description: Name for the group/rule to display in console
console.trustedImages.defaultEffect
Type: string
"alert"
Description: Effect for images that do not match the trusted registry, can be "alert" or "block"
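Several of the entries above ship defaults that are safe to install with but not to run with: console.credentials.password is a placeholder, networkPolicies.enabled is false with controlPlaneCidr at 0.0.0.0/0, and trustedImages.defaultEffect only alerts. The sso.cert entry additionally needs the |- block scalar. The script below is an added example, not part of the Twistlock chart or Big Bang: it writes one override that changes those settings together and gates the file before it reaches helm. Every hostname, realm, client ID, CIDR and the certificate text are placeholders (assumptions), not values from a real deployment.

```shell
#!/bin/sh
# Added example, not part of the Twistlock chart or Big Bang: write a hardened values
# override and gate it before `helm upgrade`. Hostnames, realm, client ID, CIDRs and the
# certificate text are placeholders (assumptions), not values from a real deployment.

# write_override FILE: override the chart defaults a reviewer would flag (placeholder
# admin password, network policies off, 0.0.0.0/0 control-plane CIDR, trusted-image
# effect "alert") and configure SAML SSO; sso.cert uses the |- block scalar the docs
# call for, so the PEM body keeps its line breaks.
write_override() {
  cat > "$1" <<'EOF'
domain: example.mil                       # assumed
console:
  credentials:
    username: admin
    password: REPLACE-WITH-GENERATED-SECRET   # chart default is a known placeholder
  trustedImages:
    enabled: true
    name: BigBang-Trusted
    registryMatches:
      - "registry1.dso.mil/ironbank/*"
    defaultEffect: block                  # chart default only warns
networkPolicies:
  enabled: true                           # chart default false
  controlPlaneCidr: "10.0.0.10/31"        # assumed; from kubectl get endpoints kubernetes
  nodeCidr: "10.0.1.0/24"                 # assumed; from kubectl get nodes -owide
istio:
  enabled: true
  mtls:
    mode: STRICT
sso:
  enabled: true
  client_id: twistlock                    # assumed
  provider_type: shibboleth
  issuer_uri: https://keycloak.example.mil/auth/realms/example
  idp_url: https://keycloak.example.mil/auth/realms/example/protocol/saml
  console_url: https://twistlock.example.mil
  cert: |-
    PLACEHOLDER-IDP-CERT-LINE-1
    PLACEHOLDER-IDP-CERT-LINE-2
EOF
}

# check_override FILE: return 1 if a weak chart default survived into the override.
# This is a string-level gate for CI, not a YAML parser; each pattern is the literal
# value the chart ships with, anchored to the start of a YAML line.
check_override() {
  f="$1"
  rc=0
  if grep -q 'change_this_password' "$f"; then
    echo "FAIL: console.credentials.password is the chart default" >&2; rc=1
  fi
  if grep -Eq '^ *controlPlaneCidr: *"?0\.0\.0\.0/0' "$f"; then
    echo "FAIL: networkPolicies.controlPlaneCidr lets the init job reach any address" >&2; rc=1
  fi
  if grep -Eq '^ *mode: *"?PERMISSIVE' "$f"; then
    echo "FAIL: istio.mtls.mode PERMISSIVE accepts plaintext to the console" >&2; rc=1
  fi
  if grep -Eq '^ *defaultEffect: *"?alert' "$f"; then
    echo "FAIL: trustedImages.defaultEffect alert only warns on untrusted images" >&2; rc=1
  fi
  if grep -Eq '^ *privileged: *true' "$f"; then
    echo "FAIL: defender.privileged is true" >&2; rc=1
  fi
  return $rc
}

# Usage (chart path assumed):
#   write_override twistlock-values.yaml && check_override twistlock-values.yaml \
#     && helm upgrade --install twistlock <chart> -f twistlock-values.yaml
```

The gate only sees what is written in the override, so a key that is simply omitted (for example trustedImages with enabled: true but no defaultEffect) silently keeps the chart default; pin every security-relevant value explicitly in the override rather than relying on the chart to choose.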
defender
Type: object
{"certCn":"","clusterName":"","collectLabels":true,"cri":true,"dockerListenerType":"","dockerSocket":"","enabled":true,"image":{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.197"},"monitorServiceAccounts":true,"privileged":false,"proxy":{},"securityCapabilitiesDrop":["ALL"],"selinux":true,"tolerations":[],"uniqueHostName":false}
Default value (formatted)
{
"certCn": "",
"clusterName": "",
"collectLabels": true,
"cri": true,
"dockerListenerType": "",
"dockerSocket": "",
"enabled": true,
"image": {
"repository": "registry1.dso.mil/ironbank/twistlock/defender/defender",
"tag": "22.06.197"
},
"monitorServiceAccounts": true,
"privileged": false,
"proxy": {},
"securityCapabilitiesDrop": [
"ALL"
],
"selinux": true,
"tolerations": [],
"uniqueHostName": false
}
Description: Configuration of Twistlock's container defenders. This requires init.enabled=true, valid credentials, and a valid license.
defender.image
Type: object
{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.197"}
Default value (formatted)
{
"repository": "registry1.dso.mil/ironbank/twistlock/defender/defender",
"tag": "22.06.197"
}
Description: Image for Twistlock defender. Leave blank to use the official Twistlock repo.
defender.image.repository
Type: string
"registry1.dso.mil/ironbank/twistlock/defender/defender"
Description: Repository and path for defender image
defender.image.tag
Type: string
"22.06.197"
Description: Image tag for defender
defender.clusterName
Type: string
""
Description: Name of cluster
defender.collectLabels
Type: bool
true
Description: Collect Deployment and Namespace labels
defender.cri
Type: bool
true
Description: Use Container Runtime Interface (CRI) instead of Docker
defender.dockerSocket
Type: string
""
Description: Path to Docker socket. Leave blank to use /var/run/docker.sock
defender.tolerations
Type: list
[]
Default value (formatted)
[]
Description: List of tolerations to be added to the Defender DaemonSet retrieved during the init script
defender.securityCapabilitiesDrop
Type: list
["ALL"]
Default value (formatted)
[
"ALL"
]
Description: Sets the container security context dropped capabilities for the defenders
defender.dockerListenerType
Type: string
""
Description: Sets the type of the Docker listener (TCP or NONE)
defender.monitorServiceAccounts
Type: bool
true
Description: Monitor service accounts
defender.privileged
Type: bool
false
Description: Run as privileged. If selinux is true, this automatically gets set to false
defender.proxy
Type: object
{}
Default value (formatted)
{}
Description: Proxy settings
defender.selinux
Type: bool
true
Description: Deploy with SELinux Policy
defender.uniqueHostName
Type: bool
false
Description: Assign globally unique names to hosts
policies
Type: object
{"compliance":{"alertThreshold":"medium","enabled":true,"templates":["DISA STIG","NIST SP 800-190"]},"enabled":true,"name":"Default","runtime":{"enabled":true},"vulnerabilities":{"alertThreshold":"medium","enabled":true}}
Default value (formatted)
{
"compliance": {
"alertThreshold": "medium",
"enabled": true,
"templates": [
"DISA STIG",
"NIST SP 800-190"
]
},
"enabled": true,
"name": "Default",
"runtime": {
"enabled": true
},
"vulnerabilities": {
"alertThreshold": "medium",
"enabled": true
}
}
Description: Configures defender policies. This requires init.enabled=true, valid credentials, and a valid license.
policies.enabled
Type: bool
true
Description: Toggles configuration of defender policies
policies.name
Type: string
"Default"
Description: Name to use as prefix to policy rules. NOTE: If you change the name after the initial deployment, you may end up with duplicate policy sets and need to manually clean up old policies.
policies.vulnerabilities
Type: object
{"alertThreshold":"medium","enabled":true}
Default value (formatted)
{
"alertThreshold": "medium",
"enabled": true
}
Description: Vulnerability policies
policies.vulnerabilities.enabled
Type: bool
true
Description: Toggle deployment and updating of vulnerability policies
policies.vulnerabilities.alertThreshold
Type: string
"medium"
Description: The minimum severity to alert on
policies.compliance
Type: object
{"alertThreshold":"medium","enabled":true,"templates":["DISA STIG","NIST SP 800-190"]}
Default value (formatted)
{
"alertThreshold": "medium",
"enabled": true,
"templates": [
"DISA STIG",
"NIST SP 800-190"
]
}
Description: Compliance policies
policies.compliance.enabled
Type: bool
true
Description: Toggle deployment and updating of compliance policies
policies.compliance.templates
Type: list
["DISA STIG","NIST SP 800-190"]
Default value (formatted)
[
"DISA STIG",
"NIST SP 800-190"
]
Description: The policy templates to use. Valid values are "GDPR", "DISA STIG", "PCI", "NIST SP 800-190", or "HIPAA"
policies.compliance.alertThreshold
Type: string
"medium"
Description: If a template does not apply, set the policy to alert using this severity or higher. Valid values are "low", "medium", "high", or "critical".
policies.runtime
Type: object
{"enabled":true}
Default value (formatted)
{
"enabled": true
}
Description: Runtime policies
policies.runtime.enabled
Type: bool
true
Description: Toggle deployment and updating of runtime policies
init
Type: object
{"enabled":true,"image":{"imagePullPolicy":"IfNotPresent","repository":"registry1.dso.mil/ironbank/big-bang/base","tag":"2.0.0"}}
Default value (formatted)
{
"enabled": true,
"image": {
"imagePullPolicy": "IfNotPresent",
"repository": "registry1.dso.mil/ironbank/big-bang/base",
"tag": "2.0.0"
}
}
Description: Initialization job. Sets up users, license, container defenders, default policies, and other settings.
init.enabled
Type: bool
true
Description: Toggles the initialization on or off
init.image
Type: object
{"imagePullPolicy":"IfNotPresent","repository":"registry1.dso.mil/ironbank/big-bang/base","tag":"2.0.0"}
Default value (formatted)
{
"imagePullPolicy": "IfNotPresent",
"repository": "registry1.dso.mil/ironbank/big-bang/base",
"tag": "2.0.0"
}
Description: Initialization job image configuration
init.image.repository
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
Description: Repository and path to initialization image. Image must contain jq and kubectl
init.image.tag
Type: string
"2.0.0"
Description: Initialization image tag
init.image.imagePullPolicy
Type: string
"IfNotPresent"
Description: Initialization image pull policy
affinity
Type: object
{}
Default value (formatted)
{}
Description: affinity for console pod
nodeSelector
Type: object
{}
Default value (formatted)
{}
Description: nodeSelector for console pod
tolerations
Type: list
[]
Default value (formatted)
[]
Description: tolerations for console pod
annotations
Type: object
{}
Default value (formatted)
{}
Description: annotations for console pod
resources
Type: object
{"limits":{"cpu":"250m","memory":"2Gi"},"requests":{"cpu":"250m","memory":"2Gi"}}
Default value (formatted)
{
"limits": {
"cpu": "250m",
"memory": "2Gi"
},
"requests": {
"cpu": "250m",
"memory": "2Gi"
}
}
Description: resources for console pod
openshift
Type: bool
false
Description: Toggle to set up special configuration for OpenShift clusters
bbtests.enabled
Type: bool
false
Description: Toggle bbtests on/off for CI/Dev
bbtests.cypress.artifacts
Type: bool
true
Description: Toggle creation of cypress artifacts
bbtests.cypress.envs
Type: object
{"cypress_baseUrl":"http://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8081"}
Default value (formatted)
{
"cypress_baseUrl": "http://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8081"
}
Description: Set envs for use in cypress tests
bbtests.scripts.image
Type: string
"registry1.dso.mil/ironbank/stedolan/jq:1.6"
Description: Image to use for script tests
bbtests.scripts.envs
Type: object
{"desired_version":"{{ .Values.console.image.tag }}","twistlock_host":"https://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8083"}
Default value (formatted)
{
"desired_version": "{{ .Values.console.image.tag }}",
"twistlock_host": "https://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8083"
}
Description: Set envs for use in script tests