Skip to content

twistlock values.yaml💣

domain💣

Type: string

Default value
"bigbang.dev"

Description: domain to use for virtual service

monitoring.enabled💣

Type: bool

Default value
false

Description: Toggle monitoring integration, only used if init job is enabled, creates required metrics user, serviceMonitor, networkPolicy, etc

serviceMonitor.scheme💣

Type: string

Default value
""

serviceMonitor.tlsConfig💣

Type: object

Default value
{}
Default value (formatted)
{}

sso💣

Type: object

Default value
{"cert":"","client_id":"","console_url":"","enabled":false,"groups":"","idp_url":"","issuer_uri":"","provider_name":"","provider_type":"shibboleth"}
Default value (formatted)
{
  "cert": "",
  "client_id": "",
  "console_url": "",
  "enabled": false,
  "groups": "",
  "idp_url": "",
  "issuer_uri": "",
  "provider_name": "",
  "provider_type": "shibboleth"
}

Description: Configuration of Twistlock’s SAML SSO capability. This requires init.enabled=true, valid credentials, and a valid license. Refer to docs/KEYCLOAK.md for additional information.

sso.enabled💣

Type: bool

Default value
false

Description: Toggle SAML SSO

sso.client_id💣

Type: string

Default value
""

Description: SAML client ID

sso.provider_name💣

Type: string

Default value
""

Description: SAML Povider Alias (optional)

sso.provider_type💣

Type: string

Default value
"shibboleth"

Description: SAML Identity Provider. shibboleth is recommended by Twistlock support for Keycloak

sso.issuer_uri💣

Type: string

Default value
""

Description: Identity Provider url with path to realm, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda

sso.idp_url💣

Type: string

Default value
""

Description: SAML Identity Provider SSO URL, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml”

sso.console_url💣

Type: string

Default value
""

Description: Console URL of the Twistlock app. Example: https://twistlock.bigbang.dev (optional)

sso.groups💣

Type: string

Default value
""

Description: Groups attribute (optional)

sso.cert💣

Type: string

Default value
""` | X.509 Certificate from Identity Provider (i.e. Keycloak). See docs/KEYCLOAK.md for format. Use the

Description: -` syntax for multiline string

istio.enabled💣

Type: bool

Default value
false

Description: Toggle istio integration

istio.mtls💣

Type: object

Default value
{"mode":"STRICT"}
Default value (formatted)
{
  "mode": "STRICT"
}

Description: Default twistlock peer authentication

istio.mtls.mode💣

Type: string

Default value
"STRICT"

Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic

istio.console.enabled💣

Type: bool

Default value
true

Description: Toggle vs creation

istio.console.annotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations for VS

istio.console.labels💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Labels for VS

istio.console.gateways💣

Type: list

Default value
["istio-system/main"]
Default value (formatted)
[
  "istio-system/main"
]

Description: Gateways for VS

istio.console.hosts💣

Type: list

Default value
["twistlock.{{ .Values.domain }}"]
Default value (formatted)
[
  "twistlock.{{ .Values.domain }}"
]

Description: Hosts for VS

networkPolicies.enabled💣

Type: bool

Default value
false

Description: Toggle network policies

networkPolicies.ingressLabels💣

Type: object

Default value
{"app":"istio-ingressgateway","istio":"ingressgateway"}
Default value (formatted)
{
  "app": "istio-ingressgateway",
  "istio": "ingressgateway"
}

Description: Labels for ingress pods to allow traffic

networkPolicies.controlPlaneCidr💣

Type: string

Default value
"0.0.0.0/0"

Description: Control Plane CIDR to allow init job communication to the Kubernetes API. Use kubectl get endpoints kubernetes to get the CIDR range needed for your cluster

networkPolicies.nodeCidr💣

Type: string

Default value
nil

Description: Node CIDR to allow defender to communicate with console. Defaults to allowing “10.0.0.0/8” “172.16.0.0/12” “192.168.0.0/16” “100.64.0.0/10” networks. use kubectl get nodes -owide and review the INTERNAL-IP column to derive CIDR range. Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)

imagePullSecrets💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Defines the secrets to use when pulling the container images NOTE: Only first entry in the list will be used for Defender deployment

selinuxLabel💣

Type: string

Default value
"disable"

Description: Run Twistlock Console and Defender with a dedicated SELinux label. See https://docs.docker.com/engine/reference/run/#security-configuration

systemd💣

Type: object

Default value
{"enabled":false}
Default value (formatted)
{
  "enabled": false
}

Description: systemd configuration

systemd.enabled💣

Type: bool

Default value
false

Description: option to install Twistlock as systemd service. true or false

console.dataRecovery💣

Type: bool

Default value
true

Description: Enables or Disables data recovery. Values: true or false.

console.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/twistlock/console/console"

Description: Full image name for console

console.image.tag💣

Type: string

Default value
"22.06.197"

Description: Full image tag for console

console.image.imagePullPolicy💣

Type: string

Default value
"IfNotPresent"

Description: Pull policy for console image

console.ports.managementHttp💣

Type: int

Default value
8081

Description: Enables the management HTTP listener.

console.ports.managementHttps💣

Type: int

Default value
8083

Description: Enables the management HTTPS listener.

console.ports.communication💣

Type: int

Default value
8084

Description: Sets the port for communication between the Defender(s) and the Console

console.securityContext💣

Type: object

Default value
{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":2674,"runAsNonRoot":true,"runAsUser":2674}
Default value (formatted)
{
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "readOnlyRootFilesystem": true,
  "runAsGroup": 2674,
  "runAsNonRoot": true,
  "runAsUser": 2674
}

Description: Sets the container security context for the console

console.persistence.size💣

Type: string

Default value
"100Gi"

Description: Size of Twistlock PVC

console.persistence.accessMode💣

Type: string

Default value
"ReadWriteOnce"

Description: Access mode for Twistlock PVC

console.syslogAuditIntegration💣

Type: object

Default value
{"enabled":false}
Default value (formatted)
{
  "enabled": false
}

Description: Enable syslog audit feature When integrating with BigBang, make sure to include an exception to Gatekeeper and/or Kyverno for Volume Types.

console.disableCgroupLimits💣

Type: bool

Default value
false

Description: Controls console container’s resource constraints. Set to “true” to run without limits. See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources

console.license💣

Type: string

Default value
""

Description: The license key to use. If not specified, the license must be installed manually.

console.runAsRoot💣

Type: bool

Default value
false

Description: Run Twistlock Console processes as root (default false, twistlock user account). Values: true or false

console.credentials💣

Type: object

Default value
{"password":"change_this_password","username":"admin"}
Default value (formatted)
{
  "password": "change_this_password",
  "username": "admin"
}

Description: Required if init is enabled. Admin account to use for configuration through API. Will create account if Twistlock is a new install. Otherwise, an existing account needs to be provided.

console.credentials.username💣

Type: string

Default value
"admin"

Description: Username of account

console.credentials.password💣

Type: string

Default value
"change_this_password"

Description: Password of account

console.additionalUsers💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional users to setup. This requires init.enabled=true, valid credentials, and a valid license.

console.updateUsers💣

Type: bool

Default value
false

Description: Toggles whether to update the additionalUsers if the user is already created (e.g. on upgrades). This would overwrite the existing user configuration.

console.options.enabled💣

Type: bool

Default value
true

Description: Toggle setting all options in this section

console.options.network💣

Type: object

Default value
{"container":true,"host":true}
Default value (formatted)
{
  "container": true,
  "host": true
}

Description: Network monitoring options

console.options.network.container💣

Type: bool

Default value
true

Description: Toggle network monitoring of containers

console.options.network.host💣

Type: bool

Default value
true

Description: Toggle network monitoring of hosts

console.options.logging💣

Type: bool

Default value
true

Description: Toggle logging Prisma Cloud events to standard output

console.options.telemetry💣

Type: bool

Default value
false

Description: Toggle sending product usage data to Palo Alto Networks

console.volumeUpgrade💣

Type: bool

Default value
true

Description: This value should be enabled when upgrading from a version <=0.10.0-bb.1 in order to allow the console to run as non-root

console.trustedImages💣

Type: object

Default value
{"defaultEffect":"alert","enabled":true,"name":"BigBang-Trusted","registryMatches":["registry1.dso.mil/ironbank/*"]}
Default value (formatted)
{
  "defaultEffect": "alert",
  "enabled": true,
  "name": "BigBang-Trusted",
  "registryMatches": [
    "registry1.dso.mil/ironbank/*"
  ]
}

Description: Trusted images settings

console.trustedImages.enabled💣

Type: bool

Default value
true

Description: Toggle deployment and updating of trusted image settings

console.trustedImages.registryMatches💣

Type: list

Default value
["registry1.dso.mil/ironbank/*"]
Default value (formatted)
[
  "registry1.dso.mil/ironbank/*"
]

Description: List of regex matches for images to trust

console.trustedImages.name💣

Type: string

Default value
"BigBang-Trusted"

Description: Name for the group/rule to display in console

console.trustedImages.defaultEffect💣

Type: string

Default value
"alert"

Description: Effect for images that do not match the trusted registry, can be “alert” or “block”

defender💣

Type: object

Default value
{"certCn":"","clusterName":"","collectLabels":true,"cri":true,"dockerListenerType":"","dockerSocket":"","enabled":true,"image":{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.197"},"monitorServiceAccounts":true,"privileged":false,"proxy":{},"securityCapabilitiesDrop":["ALL"],"selinux":true,"tolerations":[],"uniqueHostName":false}
Default value (formatted)
{
  "certCn": "",
  "clusterName": "",
  "collectLabels": true,
  "cri": true,
  "dockerListenerType": "",
  "dockerSocket": "",
  "enabled": true,
  "image": {
    "repository": "registry1.dso.mil/ironbank/twistlock/defender/defender",
    "tag": "22.06.197"
  },
  "monitorServiceAccounts": true,
  "privileged": false,
  "proxy": {},
  "securityCapabilitiesDrop": [
    "ALL"
  ],
  "selinux": true,
  "tolerations": [],
  "uniqueHostName": false
}

Description: Configuration of Twistlock’s container defenders. This requires init.enabled=true, valid credentials, and a valid license.

defender.image💣

Type: object

Default value
{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.197"}
Default value (formatted)
{
  "repository": "registry1.dso.mil/ironbank/twistlock/defender/defender",
  "tag": "22.06.197"
}

Description: Image for Twistlock defender. Leave blank to use twistlock official repo.

defender.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/twistlock/defender/defender"

Description: Repository and path for defender image

defender.image.tag💣

Type: string

Default value
"22.06.197"

Description: Image tag for defender

defender.clusterName💣

Type: string

Default value
""

Description: Name of cluster

defender.collectLabels💣

Type: bool

Default value
true

Description: Collect Deployment and Namespace labels

defender.cri💣

Type: bool

Default value
true

Description: Use Container Runtime Interface (CRI) instead of Docker

defender.dockerSocket💣

Type: string

Default value
""

Description: Path to Docker socket. Leave blank to use /var/run/docker.sock

defender.tolerations💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of tolerations to be added to the Defender DaemonSet retrieved during the init script

defender.securityCapabilitiesDrop💣

Type: list

Default value
["ALL"]
Default value (formatted)
[
  "ALL"
]

Description: Sets the container security context dropped capabilities for the defenders

defender.dockerListenerType💣

Type: string

Default value
""

Description: Sets the type of the Docker listener (TCP or NONE)

defender.monitorServiceAccounts💣

Type: bool

Default value
true

Description: Monitor service accounts

defender.privileged💣

Type: bool

Default value
false

Description: Run as privileged. If selinux is true, this automatically gets set to false

defender.proxy💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Proxy settings

defender.selinux💣

Type: bool

Default value
true

Description: Deploy with SELinux Policy

defender.uniqueHostName💣

Type: bool

Default value
false

Description: Assign globally unique names to hosts

policies💣

Type: object

Default value
{"compliance":{"alertThreshold":"medium","enabled":true,"templates":["DISA STIG","NIST SP 800-190"]},"enabled":true,"name":"Default","runtime":{"enabled":true},"vulnerabilities":{"alertThreshold":"medium","enabled":true}}
Default value (formatted)
{
  "compliance": {
    "alertThreshold": "medium",
    "enabled": true,
    "templates": [
      "DISA STIG",
      "NIST SP 800-190"
    ]
  },
  "enabled": true,
  "name": "Default",
  "runtime": {
    "enabled": true
  },
  "vulnerabilities": {
    "alertThreshold": "medium",
    "enabled": true
  }
}

Description: Configures defender policies. This requires init.enabled=true, valid credentials, and a valid license.

policies.enabled💣

Type: bool

Default value
true

Description: Toggles configuration of defender policies

policies.name💣

Type: string

Default value
"Default"

Description: Name to use as prefix to policy rules. NOTE: If you change the name after the initial deployment, you may end up with duplicate policy sets and need to manually cleanup old policies.

policies.vulnerabilities💣

Type: object

Default value
{"alertThreshold":"medium","enabled":true}
Default value (formatted)
{
  "alertThreshold": "medium",
  "enabled": true
}

Description: Vulnerability policies

policies.vulnerabilities.enabled💣

Type: bool

Default value
true

Description: Toggle deployment and updating of vulnerability policies

policies.vulnerabilities.alertThreshold💣

Type: string

Default value
"medium"

Description: The minimum severity to alert on

policies.compliance💣

Type: object

Default value
{"alertThreshold":"medium","enabled":true,"templates":["DISA STIG","NIST SP 800-190"]}
Default value (formatted)
{
  "alertThreshold": "medium",
  "enabled": true,
  "templates": [
    "DISA STIG",
    "NIST SP 800-190"
  ]
}

Description: Compliance policies

policies.compliance.enabled💣

Type: bool

Default value
true

Description: Toggle deployment and updating of compliance policies

policies.compliance.templates💣

Type: list

Default value
["DISA STIG","NIST SP 800-190"]
Default value (formatted)
[
  "DISA STIG",
  "NIST SP 800-190"
]

Description: The policy templates to use. Valid values are ‘GDPR’, ‘DISA STIG’, ‘PCI’, ‘NIST SP 800-190’, or ‘HIPAA’

policies.compliance.alertThreshold💣

Type: string

Default value
"medium"

Description: If template does not apply, set policy to alert using this severity or higher. Valid values are ‘low’, ‘medium’, ‘high’, or ‘critical’.

policies.runtime💣

Type: object

Default value
{"enabled":true}
Default value (formatted)
{
  "enabled": true
}

Description: Runtime policies

policies.runtime.enabled💣

Type: bool

Default value
true

Description: Toggle deployment and updating of runtime policies

init💣

Type: object

Default value
{"enabled":true,"image":{"imagePullPolicy":"IfNotPresent","repository":"registry1.dso.mil/ironbank/big-bang/base","tag":"2.0.0"},"resources":{"limits":{"cpu":0.5,"memory":"128Mi"},"requests":{"cpu":0.5,"memory":"128Mi"}}}
Default value (formatted)
{
  "enabled": true,
  "image": {
    "imagePullPolicy": "IfNotPresent",
    "repository": "registry1.dso.mil/ironbank/big-bang/base",
    "tag": "2.0.0"
  },
  "resources": {
    "limits": {
      "cpu": 0.5,
      "memory": "128Mi"
    },
    "requests": {
      "cpu": 0.5,
      "memory": "128Mi"
    }
  }
}

Description: Initialization job. Sets up users, license, container defenders, default policies, and other settings.

init.enabled💣

Type: bool

Default value
true

Description: Toggles the initialization on or off

init.image💣

Type: object

Default value
{"imagePullPolicy":"IfNotPresent","repository":"registry1.dso.mil/ironbank/big-bang/base","tag":"2.0.0"}
Default value (formatted)
{
  "imagePullPolicy": "IfNotPresent",
  "repository": "registry1.dso.mil/ironbank/big-bang/base",
  "tag": "2.0.0"
}

Description: Initialization job image configuration

init.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/big-bang/base"

Description: Repository and path to initialization image. Image must contain jq and kubectl

init.image.tag💣

Type: string

Default value
"2.0.0"

Description: Initialization image tag

init.image.imagePullPolicy💣

Type: string

Default value
"IfNotPresent"

Description: Initialization image pull policy

affinity💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: affinity for console pod

nodeSelector💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: nodeSelector for console pod

tolerations💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: tolerations for console pod

annotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: annotations for console pod

resources💣

Type: object

Default value
{"limits":{"cpu":"250m","memory":"2Gi"},"requests":{"cpu":"250m","memory":"2Gi"}}
Default value (formatted)
{
  "limits": {
    "cpu": "250m",
    "memory": "2Gi"
  },
  "requests": {
    "cpu": "250m",
    "memory": "2Gi"
  }
}

Description: resources for console pod

openshift💣

Type: bool

Default value
false

Description: Toggle to setup special configuration for OpenShift clusters

bbtests.enabled💣

Type: bool

Default value
false

Description: Toggle bbtests on/off for CI/Dev

bbtests.cypress.artifacts💣

Type: bool

Default value
true

Description: Toggle creation of cypress artifacts

bbtests.cypress.envs💣

Type: object

Default value
{"cypress_baseUrl":"http://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8081"}
Default value (formatted)
{
  "cypress_baseUrl": "http://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8081"
}

Description: Set envs for use in cypress tests

bbtests.scripts.image💣

Type: string

Default value
"registry1.dso.mil/ironbank/stedolan/jq:1.6"

Description: Image to use for script tests

bbtests.scripts.envs💣

Type: object

Default value
{"desired_version":"{{ .Values.console.image.tag }}","twistlock_host":"https://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8083"}
Default value (formatted)
{
  "desired_version": "{{ .Values.console.image.tag }}",
  "twistlock_host": "https://{{ .Release.Name }}-console.{{ .Release.Namespace }}.svc.cluster.local:8083"
}

Description: Set envs for use in script tests