twistlock values.yaml
domainπ
Type: string
"dev.bigbang.mil"
Description: domain to use for virtual service
monitoring.enabledπ
Type: bool
false
Description: Toggle monitoring integration, only used if init job is enabled, creates required metrics user, serviceMonitor, networkPolicy, etc
monitoring.serviceMonitor.schemeπ
Type: string
""
monitoring.serviceMonitor.tlsConfigπ
Type: object
{}
ssoπ
Type: object
cert: ''
client_id: ''
console_url: ''
enabled: false
groups: ''
idp_url: ''
issuer_uri: ''
provider_name: ''
provider_type: shibboleth
Description: Configuration of Twistlock's SAML SSO capability. This requires init.enabled=true, valid credentials, and a valid license. Refer to docs/KEYCLOAK.md for additional information.
sso.enabledπ
Type: bool
false
Description: Toggle SAML SSO
sso.client_idπ
Type: string
""
Description: SAML client ID
sso.provider_nameπ
Type: string
""
Description: SAML Provider Alias (optional)
sso.provider_typeπ
Type: string
"shibboleth"
Description: SAML Identity Provider. shibboleth is recommended by Twistlock support for Keycloak
sso.issuer_uriπ
Type: string
""
Description: Identity Provider url with path to realm, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda
sso.idp_urlπ
Type: string
""
Description: SAML Identity Provider SSO URL, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml
sso.console_urlπ
Type: string
""
Description: Console URL of the Twistlock app. Example: https://twistlock.bigbang.dev (optional)
sso.groupsπ
Type: string
""
Description: Groups attribute (optional)
sso.certπ
Type: string
""
Description: X.509 Certificate from Identity Provider (i.e. Keycloak). See docs/KEYCLOAK.md for format. Use the `|-` syntax for multiline string
istio.enabledπ
Type: bool
false
Description: Toggle istio integration
istio.hardenedπ
Type: object
customAuthorizationPolicies: []
customServiceEntries: []
enabled: false
outboundTrafficPolicyMode: REGISTRY_ONLY
Description: Default twistlock peer authentication
istio.tempo.enabledπ
Type: bool
false
istio.tempo.namespaces[0]π
Type: string
"tempo"
istio.tempo.principals[0]π
Type: string
"cluster.local/ns/tempo/sa/tempo-tempo"
istio.mtls.modeπ
Type: string
"STRICT"
Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic
istio.console.enabledπ
Type: bool
true
Description: Toggle VirtualService (VS) creation
istio.console.annotationsπ
Type: object
{}
Description: Annotations for VS
istio.console.labelsπ
Type: object
{}
Description: Labels for VS
istio.console.gatewaysπ
Type: list
- istio-system/main
Description: Gateways for VS
istio.console.hostsπ
Type: list
- twistlock.{{ .Values.domain }}
Description: Hosts for VS
networkPolicies.enabledπ
Type: bool
false
Description: Toggle network policies
networkPolicies.ingressLabelsπ
Type: object
app: istio-ingressgateway
istio: ingressgateway
Description: Labels for ingress pods to allow traffic
networkPolicies.controlPlaneCidrπ
Type: string
"0.0.0.0/0"
Description: Control Plane CIDR to allow init job communication to the Kubernetes API. The default 0.0.0.0/0 allows traffic to any destination; use kubectl get endpoints kubernetes to get the CIDR range needed for your cluster and narrow it accordingly
networkPolicies.nodeCidrπ
Type: string
nil
Description: Node CIDR to allow defender to communicate with console. Defaults to allowing "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10" networks. Use kubectl get nodes -owide and review the INTERNAL-IP column to derive CIDR range. Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
imagePullSecretNameπ
Type: string
"private-registry"
Description: Defines the secret to use when pulling the container images
selinuxLabelπ
Type: string
"disable"
Description: Run Twistlock Console and Defender with a dedicated SELinux label. See https://docs.docker.com/engine/reference/run/#security-configuration
systemdπ
Type: object
enabled: false
Description: systemd configuration
systemd.enabledπ
Type: bool
false
Description: option to install Twistlock as systemd service. true or false
console.dataRecoveryπ
Type: bool
true
Description: Enables or Disables data recovery. Values: true or false.
console.image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/twistlock/console/console"
Description: Full image name for console
console.image.tagπ
Type: string
"33.03.138"
Description: Full image tag for console
console.image.imagePullPolicyπ
Type: string
"IfNotPresent"
Description: Pull policy for console image
console.ports.managementHttpπ
Type: int
8081
Description: Enables the management HTTP listener.
console.ports.managementHttpsπ
Type: int
8083
Description: Enables the management HTTPS listener.
console.ports.communicationπ
Type: int
8084
Description: Sets the port for communication between the Defender(s) and the Console
console.securityContextπ
Type: object
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 2674
runAsNonRoot: true
runAsUser: 2674
Description: Sets the container security context for the console
console.persistence.sizeπ
Type: string
"100Gi"
Description: Size of Twistlock PVC
console.persistence.accessModeπ
Type: string
"ReadWriteOnce"
Description: Access mode for Twistlock PVC
console.syslogAuditIntegrationπ
Type: object
enabled: false
Description: Enable syslog audit feature. When integrating with BigBang, make sure to include an exception to Gatekeeper and/or Kyverno for Volume Types.
console.disableCgroupLimitsπ
Type: bool
false
Description: Controls console container's resource constraints. Set to "true" to run without limits. See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
console.licenseπ
Type: string
""
Description: The license key to use. If not specified, the license must be installed manually.
console.runAsRootπ
Type: bool
false
Description: Run Twistlock Console processes as root (default false, twistlock user account). Values: true or false
console.credentialsπ
Type: object
password: change_this_password
username: admin
Description: Required if init is enabled. Admin account to use for configuration through API. Will create account if Twistlock is a new install. Otherwise, an existing account needs to be provided.
console.credentials.usernameπ
Type: string
"admin"
Description: Username of account
console.credentials.passwordπ
Type: string
"change_this_password"
Description: Password of account. The default value is a placeholder and should be overridden before deployment.
console.additionalUsersπ
Type: list
[]
Description: Additional users to setup. This requires init.enabled=true, valid credentials, and a valid license.
console.updateUsersπ
Type: bool
false
Description: Toggles whether to update the additionalUsers if the user is already created (e.g. on upgrades). This would overwrite the existing user configuration.
console.groupsπ
Type: list
[]
Description: Additional groups to setup. This requires init.enabled=true, valid credentials, and a valid license.
console.options.enabledπ
Type: bool
true
Description: Toggle setting all options in this section
console.options.networkπ
Type: object
container: true
host: true
Description: Network monitoring options
console.options.network.containerπ
Type: bool
true
Description: Toggle network monitoring of containers
console.options.network.hostπ
Type: bool
true
Description: Toggle network monitoring of hosts
console.options.loggingπ
Type: bool
true
Description: Toggle logging Prisma Cloud events to standard output
console.options.telemetryπ
Type: bool
false
Description: Toggle sending product usage data to Palo Alto Networks
console.volumeUpgradeπ
Type: bool
true
Description: This value should be enabled when upgrading from a version <=0.10.0-bb.1 in order to allow the console to run as non-root
console.trustedImagesπ
Type: object
defaultEffect: alert
enabled: true
name: BigBang-Trusted
registryMatches:
- registry1.dso.mil/ironbank/*
Description: Trusted images settings
console.trustedImages.enabledπ
Type: bool
true
Description: Toggle deployment and updating of trusted image settings
console.trustedImages.registryMatchesπ
Type: list
- registry1.dso.mil/ironbank/*
Description: List of regex matches for images to trust
console.trustedImages.nameπ
Type: string
"BigBang-Trusted"
Description: Name for the group/rule to display in console
console.trustedImages.defaultEffectπ
Type: string
"alert"
Description: Effect for images that do not match the trusted registry, can be "alert" or "block"
defenderπ
Type: object
certCn: ''
clusterName: ''
collectLabels: true
containerRuntime: containerd
dockerListenerType: ''
dockerSocket: ''
enabled: true
image:
repository: registry1.dso.mil/ironbank/twistlock/defender/defender
tag: 33.03.138
monitorServiceAccounts: true
priorityClassName: ''
privileged: false
proxy: {}
resources:
limits:
cpu: 2
memory: 2Gi
requests:
cpu: 2
memory: 2Gi
securityCapabilitiesAdd:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- SYS_PTRACE
- SYS_CHROOT
- MKNOD
- SETFCAP
- IPC_LOCK
securityCapabilitiesDrop:
- ALL
selinux: true
tolerations: []
uniqueHostName: false
Description: Configuration of Twistlock's container defenders. This requires init.enabled=true, valid credentials, and a valid license.
defender.imageπ
Type: object
repository: registry1.dso.mil/ironbank/twistlock/defender/defender
tag: 33.03.138
Description: Image for Twistlock defender. Leave blank to use twistlock official repo.
defender.image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/twistlock/defender/defender"
Description: Repository and path for defender image
defender.image.tagπ
Type: string
"33.03.138"
Description: Image tag for defender
defender.clusterNameπ
Type: string
""
Description: Name of cluster
defender.collectLabelsπ
Type: bool
true
Description: Collect Deployment and Namespace labels
defender.containerRuntimeπ
Type: string
"containerd"
Description: Set containerRuntime option for Defenders ("docker", "containerd", or "crio")
defender.dockerSocketπ
Type: string
""
Description: Path to Docker socket. Leave blank to use /var/run/docker.sock
defender.tolerationsπ
Type: list
[]
Description: List of tolerations to be added to the Defender DaemonSet retrieved during the init script
defender.securityCapabilitiesDropπ
Type: list
- ALL
Description: Sets the container security context dropped capabilities for the defenders
defender.securityCapabilitiesAddπ
Type: list
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- SYS_PTRACE
- SYS_CHROOT
- MKNOD
- SETFCAP
- IPC_LOCK
Description: Sets the container security context added capabilities for the defenders
defender.dockerListenerTypeπ
Type: string
""
Description: Sets the type of the Docker listener (TCP or NONE)
defender.monitorServiceAccountsπ
Type: bool
true
Description: Monitor service accounts
defender.privilegedπ
Type: bool
false
Description: Run as privileged. If selinux is true, this automatically gets set to false
defender.proxyπ
Type: object
{}
Description: Proxy settings
defender.selinuxπ
Type: bool
true
Description: Deploy with SELinux Policy
defender.uniqueHostNameπ
Type: bool
false
Description: Assign globally unique names to hosts
defender.resourcesπ
Type: object
limits:
cpu: 2
memory: 2Gi
requests:
cpu: 2
memory: 2Gi
Description: define resource limits and requests for the Defender DaemonSet
defender.priorityClassNameπ
Type: string
""
Description: Priority Class Name to prioritize pod scheduling
policiesπ
Type: object
compliance:
alertThreshold: medium
enabled: true
templates:
- DISA STIG
- NIST SP 800-190
enabled: true
name: Default
runtime:
enabled: true
vulnerabilities:
alertThreshold: medium
enabled: true
Description: Configures defender policies. This requires init.enabled=true, valid credentials, and a valid license.
policies.enabledπ
Type: bool
true
Description: Toggles configuration of defender policies
policies.nameπ
Type: string
"Default"
Description: Name to use as prefix to policy rules. NOTE: If you change the name after the initial deployment, you may end up with duplicate policy sets and need to manually cleanup old policies.
policies.vulnerabilitiesπ
Type: object
alertThreshold: medium
enabled: true
Description: Vulnerability policies
policies.vulnerabilities.enabledπ
Type: bool
true
Description: Toggle deployment and updating of vulnerability policies
policies.vulnerabilities.alertThresholdπ
Type: string
"medium"
Description: The minimum severity to alert on
policies.complianceπ
Type: object
alertThreshold: medium
enabled: true
templates:
- DISA STIG
- NIST SP 800-190
Description: Compliance policies
policies.compliance.enabledπ
Type: bool
true
Description: Toggle deployment and updating of compliance policies
policies.compliance.templatesπ
Type: list
- DISA STIG
- NIST SP 800-190
Description: The policy templates to use. Valid values are "GDPR", "DISA STIG", "PCI", "NIST SP 800-190", or "HIPAA"
policies.compliance.alertThresholdπ
Type: string
"medium"
Description: If template does not apply, set policy to alert using this severity or higher. Valid values are "low", "medium", "high", or "critical".
policies.runtimeπ
Type: object
enabled: true
Description: Runtime policies
policies.runtime.enabledπ
Type: bool
true
Description: Toggle deployment and updating of runtime policies
initπ
Type: object
enabled: true
image:
imagePullPolicy: IfNotPresent
repository: registry1.dso.mil/ironbank/big-bang/base
tag: 2.1.0
resources:
limits:
cpu: 0.5
memory: 256Mi
requests:
cpu: 0.5
memory: 256Mi
Description: Initialization job. Sets up users, license, container defenders, default policies, and other settings.
init.enabledπ
Type: bool
true
Description: Toggles the initialization on or off
init.imageπ
Type: object
imagePullPolicy: IfNotPresent
repository: registry1.dso.mil/ironbank/big-bang/base
tag: 2.1.0
Description: Initialization job image configuration
init.image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
Description: Repository and path to initialization image. Image must contain jq and kubectl
init.image.tagπ
Type: string
"2.1.0"
Description: Initialization image tag
init.image.imagePullPolicyπ
Type: string
"IfNotPresent"
Description: Initialization image pull policy
affinityπ
Type: object
{}
Description: affinity for console pod
nodeSelectorπ
Type: object
{}
Description: nodeSelector for console pod
tolerationsπ
Type: list
[]
Description: tolerations for console pod
podLabelsπ
Type: object
{}
Description: labels for console pod
annotationsπ
Type: object
{}
Description: annotations for console pod
resourcesπ
Type: object
limits:
cpu: 250m
memory: 3Gi
requests:
cpu: 250m
memory: 3Gi
Description: resources for console pod
openshiftπ
Type: bool
false
Description: Toggle to setup special configuration for OpenShift clusters
bbtests.enabledπ
Type: bool
false
Description: Toggle bbtests on/off for CI/Dev
bbtests.scripts.imageπ
Type: string
"registry1.dso.mil/ironbank/stedolan/jq:1.7.1"
Description: Image to use for script tests
bbtests.scripts.envsπ
Type: object
desired_version: '{{ .Values.console.image.tag }}'
twistlock_host: http://twistlock-console.twistlock.svc.cluster.local:8081
Description: Set envs for use in script tests
bbtests.cypress.resources.requests.cpuπ
Type: string
"2"
bbtests.cypress.resources.requests.memoryπ
Type: string
"2Gi"
bbtests.cypress.resources.limits.cpuπ
Type: string
"2"
bbtests.cypress.resources.limits.memoryπ
Type: string
"2Gi"
bbtests.cypress.artifactsπ
Type: bool
true
bbtests.cypress.envs.cypress_twistlock_urlπ
Type: string
"http://twistlock-console.twistlock.svc.cluster.local:8081"
bbtests.cypress.envs.cypress_userπ
Type: string
"admin"
bbtests.cypress.envs.cypress_passwordπ
Type: string
"change_this_password"
bbtests.cypress.envs.CYPRESS_experimental_Modify_Obstructive_Third_Party_Codeπ
Type: string
"true"
waitJob.enabledπ
Type: bool
true
waitJob.scripts.imageπ
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.9"
waitJob.permissions.apiGroupsπ
Type: object
{}
waitJob.permissions.resourcesπ
Type: object
{}