Skip to content

twistlock values.yaml📜

domain📜

Type: string

Default value
"dev.bigbang.mil"

Description: domain to use for virtual service

monitoring.enabled📜

Type: bool

Default value
false

Description: Toggle monitoring integration, only used if init job is enabled, creates required metrics user, serviceMonitor, networkPolicy, etc

monitoring.serviceMonitor.scheme📜

Type: string

Default value
""

monitoring.serviceMonitor.tlsConfig📜

Type: object

Default value
{}

sso📜

Type: object

Default value
cert: ''
client_id: ''
console_url: ''
enabled: false
groups: ''
idp_url: ''
issuer_uri: ''
provider_name: ''
provider_type: shibboleth

Description: Configuration of Twistlock’s SAML SSO capability. This requires init.enabled=true, valid credentials, and a valid license. Refer to docs/KEYCLOAK.md for additional information.

sso.enabled📜

Type: bool

Default value
false

Description: Toggle SAML SSO

sso.client_id📜

Type: string

Default value
""

Description: SAML client ID

sso.provider_name📜

Type: string

Default value
""

Description: SAML Povider Alias (optional)

sso.provider_type📜

Type: string

Default value
"shibboleth"

Description: SAML Identity Provider. shibboleth is recommended by Twistlock support for Keycloak

sso.issuer_uri📜

Type: string

Default value
""

Description: Identity Provider url with path to realm, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda

sso.idp_url📜

Type: string

Default value
""

Description: SAML Identity Provider SSO URL, example: https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml”

sso.console_url📜

Type: string

Default value
""

Description: Console URL of the Twistlock app. Example: https://twistlock.bigbang.dev (optional)

sso.groups📜

Type: string

Default value
""

Description: Groups attribute (optional)

sso.cert📜

Type: string

Default value
""` | X.509 Certificate from Identity Provider (i.e. Keycloak). See docs/KEYCLOAK.md for format. Use the 

Description: -` syntax for multiline string

istio.enabled📜

Type: bool

Default value
false

Description: Toggle istio integration

istio.hardened📜

Type: object

Default value
customAuthorizationPolicies: []
customServiceEntries: []
enabled: false
outboundTrafficPolicyMode: REGISTRY_ONLY

Description: Default twistlock peer authentication

istio.tempo.enabled📜

Type: bool

Default value
false

istio.tempo.namespaces[0]📜

Type: string

Default value
"tempo"

istio.tempo.principals[0]📜

Type: string

Default value
"cluster.local/ns/tempo/sa/tempo-tempo"

istio.mtls.mode📜

Type: string

Default value
"STRICT"

Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic

istio.console.enabled📜

Type: bool

Default value
true

Description: Toggle vs creation

istio.console.annotations📜

Type: object

Default value
{}

Description: Annotations for VS

istio.console.labels📜

Type: object

Default value
{}

Description: Labels for VS

istio.console.gateways📜

Type: list

Default value
- istio-system/main

Description: Gateways for VS

istio.console.hosts📜

Type: list

Default value
- twistlock.{{ .Values.domain }}

Description: Hosts for VS

networkPolicies.enabled📜

Type: bool

Default value
false

Description: Toggle network policies

networkPolicies.ingressLabels📜

Type: object

Default value
app: istio-ingressgateway
istio: ingressgateway

Description: Labels for ingress pods to allow traffic

networkPolicies.controlPlaneCidr📜

Type: string

Default value
"0.0.0.0/0"

Description: Control Plane CIDR to allow init job communication to the Kubernetes API. Use kubectl get endpoints kubernetes to get the CIDR range needed for your cluster

networkPolicies.nodeCidr📜

Type: string

Default value
nil

Description: Node CIDR to allow defender to communicate with console. Defaults to allowing “10.0.0.0/8” “172.16.0.0/12” “192.168.0.0/16” “100.64.0.0/10” networks. use kubectl get nodes -owide and review the INTERNAL-IP column to derive CIDR range. Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)

imagePullSecretName📜

Type: string

Default value
"private-registry"

Description: Defines the secret to use when pulling the container images

selinuxLabel📜

Type: string

Default value
"disable"

Description: Run Twistlock Console and Defender with a dedicated SELinux label. See https://docs.docker.com/engine/reference/run/#security-configuration

systemd📜

Type: object

Default value
enabled: false

Description: systemd configuration

systemd.enabled📜

Type: bool

Default value
false

Description: option to install Twistlock as systemd service. true or false

console.dataRecovery📜

Type: bool

Default value
true

Description: Enables or Disables data recovery. Values: true or false.

console.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/twistlock/console/console"

Description: Full image name for console

console.image.tag📜

Type: string

Default value
"33.01.137"

Description: Full image tag for console

console.image.imagePullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Pull policy for console image

console.ports.managementHttp📜

Type: int

Default value
8081

Description: Enables the management HTTP listener.

console.ports.managementHttps📜

Type: int

Default value
8083

Description: Enables the management HTTPS listener.

console.ports.communication📜

Type: int

Default value
8084

Description: Sets the port for communication between the Defender(s) and the Console

console.securityContext📜

Type: object

Default value
capabilities:
  drop:
  - ALL
readOnlyRootFilesystem: true
runAsGroup: 2674
runAsNonRoot: true
runAsUser: 2674

Description: Sets the container security context for the console

console.persistence.size📜

Type: string

Default value
"100Gi"

Description: Size of Twistlock PVC

console.persistence.accessMode📜

Type: string

Default value
"ReadWriteOnce"

Description: Access mode for Twistlock PVC

console.syslogAuditIntegration📜

Type: object

Default value
enabled: false

Description: Enable syslog audit feature When integrating with BigBang, make sure to include an exception to Gatekeeper and/or Kyverno for Volume Types.

console.disableCgroupLimits📜

Type: bool

Default value
false

Description: Controls console container’s resource constraints. Set to “true” to run without limits. See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources

console.license📜

Type: string

Default value
""

Description: The license key to use. If not specified, the license must be installed manually.

console.runAsRoot📜

Type: bool

Default value
false

Description: Run Twistlock Console processes as root (default false, twistlock user account). Values: true or false

console.credentials📜

Type: object

Default value
password: change_this_password
username: admin

Description: Required if init is enabled. Admin account to use for configuration through API. Will create account if Twistlock is a new install. Otherwise, an existing account needs to be provided.

console.credentials.username📜

Type: string

Default value
"admin"

Description: Username of account

console.credentials.password📜

Type: string

Default value
"change_this_password"

Description: Password of account

console.additionalUsers📜

Type: list

Default value
[]

Description: Additional users to setup. This requires init.enabled=true, valid credentials, and a valid license.

console.updateUsers📜

Type: bool

Default value
false

Description: Toggles whether to update the additionalUsers if the user is already created (e.g. on upgrades). This would overwrite the existing user configuration.

console.groups📜

Type: list

Default value
[]

Description: Additional users to setup. This requires init.enabled=true, valid credentials, and a valid license.

console.options.enabled📜

Type: bool

Default value
true

Description: Toggle setting all options in this section

console.options.network📜

Type: object

Default value
container: true
host: true

Description: Network monitoring options

console.options.network.container📜

Type: bool

Default value
true

Description: Toggle network monitoring of containers

console.options.network.host📜

Type: bool

Default value
true

Description: Toggle network monitoring of hosts

console.options.logging📜

Type: bool

Default value
true

Description: Toggle logging Prisma Cloud events to standard output

console.options.telemetry📜

Type: bool

Default value
false

Description: Toggle sending product usage data to Palo Alto Networks

console.volumeUpgrade📜

Type: bool

Default value
true

Description: This value should be enabled when upgrading from a version <=0.10.0-bb.1 in order to allow the console to run as non-root

console.trustedImages📜

Type: object

Default value
defaultEffect: alert
enabled: true
name: BigBang-Trusted
registryMatches:
- registry1.dso.mil/ironbank/*

Description: Trusted images settings

console.trustedImages.enabled📜

Type: bool

Default value
true

Description: Toggle deployment and updating of trusted image settings

console.trustedImages.registryMatches📜

Type: list

Default value
- registry1.dso.mil/ironbank/*

Description: List of regex matches for images to trust

console.trustedImages.name📜

Type: string

Default value
"BigBang-Trusted"

Description: Name for the group/rule to display in console

console.trustedImages.defaultEffect📜

Type: string

Default value
"alert"

Description: Effect for images that do not match the trusted registry, can be “alert” or “block”

defender📜

Type: object

Default value
certCn: ''
clusterName: ''
collectLabels: true
containerRuntime: containerd
dockerListenerType: ''
dockerSocket: ''
enabled: true
image:
  repository: registry1.dso.mil/ironbank/twistlock/defender/defender
  tag: 33.01.137
monitorServiceAccounts: true
priorityClassName: ''
privileged: false
proxy: {}
resources:
  limits:
    cpu: 2
    memory: 2Gi
  requests:
    cpu: 2
    memory: 2Gi
securityCapabilitiesAdd:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- SYS_PTRACE
- SYS_CHROOT
- MKNOD
- SETFCAP
- IPC_LOCK
securityCapabilitiesDrop:
- ALL
selinux: true
tolerations: []
uniqueHostName: false

Description: Configuration of Twistlock’s container defenders. This requires init.enabled=true, valid credentials, and a valid license.

defender.image📜

Type: object

Default value
repository: registry1.dso.mil/ironbank/twistlock/defender/defender
tag: 33.01.137

Description: Image for Twistlock defender. Leave blank to use twistlock official repo.

defender.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/twistlock/defender/defender"

Description: Repository and path for defender image

defender.image.tag📜

Type: string

Default value
"33.01.137"

Description: Image tag for defender

defender.clusterName📜

Type: string

Default value
""

Description: Name of cluster

defender.collectLabels📜

Type: bool

Default value
true

Description: Collect Deployment and Namespace labels

defender.containerRuntime📜

Type: string

Default value
"containerd"

Description: Set containerRuntime option for Defenders (“docker”, “containerd”, or “crio”)

defender.dockerSocket📜

Type: string

Default value
""

Description: Path to Docker socket. Leave blank to use /var/run/docker.sock

defender.tolerations📜

Type: list

Default value
[]

Description: List of tolerations to be added to the Defender DaemonSet retrieved during the init script

defender.securityCapabilitiesDrop📜

Type: list

Default value
- ALL

Description: Sets the container security context dropped capabilities for the defenders

defender.securityCapabilitiesAdd📜

Type: list

Default value
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- SYS_PTRACE
- SYS_CHROOT
- MKNOD
- SETFCAP
- IPC_LOCK

Description: Sets the container security context added capabilities for the defenders

defender.dockerListenerType📜

Type: string

Default value
""

Description: Sets the type of the Docker listener (TCP or NONE)

defender.monitorServiceAccounts📜

Type: bool

Default value
true

Description: Monitor service accounts

defender.privileged📜

Type: bool

Default value
false

Description: Run as privileged. If selinux is true, this automatically gets set to false

defender.proxy📜

Type: object

Default value
{}

Description: Proxy settings

defender.selinux📜

Type: bool

Default value
true

Description: Deploy with SELinux Policy

defender.uniqueHostName📜

Type: bool

Default value
false

Description: Assign globally unique names to hosts

defender.resources📜

Type: object

Default value
limits:
  cpu: 2
  memory: 2Gi
requests:
  cpu: 2
  memory: 2Gi

Description: define resource limits and requests for the Defender DaemonSet

defender.priorityClassName📜

Type: string

Default value
""

Description: Priority Class Name to prioritize pod scheduling

policies📜

Type: object

Default value
compliance:
  alertThreshold: medium
  enabled: true
  templates:
  - DISA STIG
  - NIST SP 800-190
enabled: true
name: Default
runtime:
  enabled: true
vulnerabilities:
  alertThreshold: medium
  enabled: true

Description: Configures defender policies. This requires init.enabled=true, valid credentials, and a valid license.

policies.enabled📜

Type: bool

Default value
true

Description: Toggles configuration of defender policies

policies.name📜

Type: string

Default value
"Default"

Description: Name to use as prefix to policy rules. NOTE: If you change the name after the initial deployment, you may end up with duplicate policy sets and need to manually cleanup old policies.

policies.vulnerabilities📜

Type: object

Default value
alertThreshold: medium
enabled: true

Description: Vulnerability policies

policies.vulnerabilities.enabled📜

Type: bool

Default value
true

Description: Toggle deployment and updating of vulnerability policies

policies.vulnerabilities.alertThreshold📜

Type: string

Default value
"medium"

Description: The minimum severity to alert on

policies.compliance📜

Type: object

Default value
alertThreshold: medium
enabled: true
templates:
- DISA STIG
- NIST SP 800-190

Description: Compliance policies

policies.compliance.enabled📜

Type: bool

Default value
true

Description: Toggle deployment and updating of compliance policies

policies.compliance.templates📜

Type: list

Default value
- DISA STIG
- NIST SP 800-190

Description: The policy templates to use. Valid values are ‘GDPR’, ‘DISA STIG’, ‘PCI’, ‘NIST SP 800-190’, or ‘HIPAA’

policies.compliance.alertThreshold📜

Type: string

Default value
"medium"

Description: If template does not apply, set policy to alert using this severity or higher. Valid values are ‘low’, ‘medium’, ‘high’, or ‘critical’.

policies.runtime📜

Type: object

Default value
enabled: true

Description: Runtime policies

policies.runtime.enabled📜

Type: bool

Default value
true

Description: Toggle deployment and updating of runtime policies

init📜

Type: object

Default value
enabled: true
image:
  imagePullPolicy: IfNotPresent
  repository: registry1.dso.mil/ironbank/big-bang/base
  tag: 2.1.0
resources:
  limits:
    cpu: 0.5
    memory: 256Mi
  requests:
    cpu: 0.5
    memory: 256Mi

Description: Initialization job. Sets up users, license, container defenders, default policies, and other settings.

init.enabled📜

Type: bool

Default value
true

Description: Toggles the initialization on or off

init.image📜

Type: object

Default value
imagePullPolicy: IfNotPresent
repository: registry1.dso.mil/ironbank/big-bang/base
tag: 2.1.0

Description: Initialization job image configuration

init.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/big-bang/base"

Description: Repository and path to initialization image. Image must contain jq and kubectl

init.image.tag📜

Type: string

Default value
"2.1.0"

Description: Initialization image tag

init.image.imagePullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Initialization image pull policy

affinity📜

Type: object

Default value
{}

Description: affinity for console pod

nodeSelector📜

Type: object

Default value
{}

Description: nodeSelector for console pod

tolerations📜

Type: list

Default value
[]

Description: tolerations for console pod

podLabels📜

Type: object

Default value
{}

Description: labels for console pod

annotations📜

Type: object

Default value
{}

Description: annotations for console pod

resources📜

Type: object

Default value
limits:
  cpu: 250m
  memory: 3Gi
requests:
  cpu: 250m
  memory: 3Gi

Description: resources for console pod

openshift📜

Type: bool

Default value
false

Description: Toggle to setup special configuration for OpenShift clusters

bbtests.enabled📜

Type: bool

Default value
false

Description: Toggle bbtests on/off for CI/Dev

bbtests.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/stedolan/jq:1.7"

Description: Image to use for script tests

bbtests.scripts.envs📜

Type: object

Default value
desired_version: '{{ .Values.console.image.tag }}'
twistlock_host: http://twistlock-console.twistlock.svc.cluster.local:8081

Description: Set envs for use in script tests

bbtests.cypress.resources.requests.cpu📜

Type: string

Default value
"2"

bbtests.cypress.resources.requests.memory📜

Type: string

Default value
"2Gi"

bbtests.cypress.resources.limits.cpu📜

Type: string

Default value
"2"

bbtests.cypress.resources.limits.memory📜

Type: string

Default value
"2Gi"

bbtests.cypress.artifacts📜

Type: bool

Default value
true

bbtests.cypress.envs.cypress_twistlock_url📜

Type: string

Default value
"http://twistlock-console.twistlock.svc.cluster.local:8081"

bbtests.cypress.envs.cypress_user📜

Type: string

Default value
"admin"

bbtests.cypress.envs.cypress_password📜

Type: string

Default value
"change_this_password"

bbtests.cypress.envs.CYPRESS_experimental_Modify_Obstructive_Third_Party_Code📜

Type: string

Default value
"true"

waitJob.enabled📜

Type: bool

Default value
true

waitJob.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7"

waitJob.permissions.apiGroups📜

Type: object

Default value
{}

waitJob.permissions.resources📜

Type: object

Default value
{}

autoRollingUpgrade.enabled📜

Type: bool

Default value
true

autoRollingUpgrade.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

autoRollingUpgrade.image.tag📜

Type: string

Default value
"v1.30.7"

autoRollingUpgrade.pullPolicy📜

Type: string

Default value
"Always"

autoRollingUpgrade.sleepyTime📜

Type: string

Default value
"10"

autoRollingUpgrade.labels📜

Type: object

Default value
{}

autoRollingUpgrade.annotations📜

Type: object

Default value
{}

autoRollingUpgrade.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

autoRollingUpgrade.podSecurityContext.runAsUser📜

Type: int

Default value
1000

autoRollingUpgrade.podSecurityContext.runAsGroup📜

Type: int

Default value
1000

autoRollingUpgrade.nodeSelector📜

Type: object

Default value
{}

autoRollingUpgrade.affinity📜

Type: object

Default value
{}

autoRollingUpgrade.tolerations📜

Type: list

Default value
[]

autoRollingUpgrade.resources.requests.cpu📜

Type: string

Default value
"100m"

autoRollingUpgrade.resources.requests.memory📜

Type: string

Default value
"256Mi"

autoRollingUpgrade.resources.limits.cpu📜

Type: string

Default value
"100m"

autoRollingUpgrade.resources.limits.memory📜

Type: string

Default value
"256Mi"

autoRollingUpgrade.restartPolicy📜

Type: string

Default value
"Never"