The Carbon Black Container Operator implements controllers for Carbon Black Container custom resources definitions (CRDs).
Carbon Black Container Agent Custom Resource
Deploy cbcontainersagents.operator.containers.carbonblack.io to prompt the Operator to deploy the dataplane components.
| Parameter | Description |
|---|---|
spec.account |
Carbon Black Container org key |
spec.clusterName |
Carbon Black Container cluster name (<cluster_group:cluster_name>) |
spec.version |
Carbon Black Container Agent version |
spec.gateways.apiGateway.host |
Carbon Black Container API host |
spec.gateways.coreEventsGateway.host |
Carbon Black Container core events host (for example, health checks) |
spec.gateways.hardeningEventsGateway.host |
Carbon Black Container hardening events host (for example, deleted, validated, and blocked resources) |
spec.gateways.runtimeEventsGateway.host |
Carbon Black Container runtime events host (for example, traffic events) |
| Parameter | Description | Default Value |
|---|---|---|
spec.apiGateway.port |
Carbon Black Container API port | 443 |
spec.accessTokenSecretName |
Carbon Black Container API access token secret name | cbcontainers-access-token |
spec.gateways.coreEventsGateway.port |
Carbon Black Container core events port | 443 |
spec.gateways.hardeningEventsGateway.port |
Carbon Black Container hardening events port | 443 |
spec.gateways.runtimeEventsGateway.port |
Carbon Black Container runtime events port | 443 |
| Parameter | Description | Default Value |
|---|---|---|
spec.components.basic.enforcer.replicasCount |
Carbon Black Container Hardening Enforcer number of replicas | 1 |
spec.components.basic.monitor.image.repository |
Carbon Black Container Monitor image repository | cbartifactory/monitor |
spec.components.basic.enforcer.image.repository |
Carbon Black Container Hardening Enforcer image repository | cbartifactory/guardrails-enforcer |
spec.components.basic.stateReporter.image.repository |
Carbon Black Container Hardening State Reporter image repository | cbartifactory/guardrails-state-reporter |
spec.components.basic.monitor.resources |
Carbon Black Container Monitor resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
spec.components.basic.enforcer.resources |
Carbon Black Container Hardening Enforcer resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
spec.components.basic.stateReporter.resources |
Carbon Black Container Hardening State Reporter resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
| Parameter | Description | Default Value |
|---|---|---|
spec.components.runtimeProtection.enabled |
Carbon Black Container flag to control Runtime components deployment | True |
spec.components.runtimeProtection.resolver.image.repository |
Carbon Black Container Runtime Resolver image repository | cbartifactory/runtime-kubernetes-resolver |
spec.components.runtimeProtection.sensor.image.repository |
Carbon Black Container Runtime Sensor image repository | cbartifactory/runtime-kubernetes-sensor |
spec.components.runtimeProtection.internalGrpcPort |
Carbon Black Container Runtime gRPC port that the resolver exposes for the sensor | 443 |
spec.components.runtimeProtection.resolver.logLevel |
Carbon Black Container Runtime Resolver log level | "panic", "fatal", "error", "warn", "info", "debug", "trace" (default info) |
spec.components.runtimeProtection.resolver.resources |
Carbon Black Container Runtime Resolver resources | {requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}} |
spec.components.runtimeProtection.sensor.logLevel |
Carbon Black Container Runtime Sensor log level | "panic", "fatal", "error", "warn", "info", "debug", "trace" (default info) |
spec.components.runtimeProtection.sensor.resources |
Carbon Black Container Runtime Sensor resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}} |
| Parameter | Description | Default Value |
|---|---|---|
spec.components.clusterScanning.enabled |
Carbon Black Container flag to control Cluster Scanning components deployment | True |
spec.components.clusterScanning.imageScanningReporter.image.repository |
Carbon Black Container Image Scanning Reporter image repository | cbartifactory/image-scanning-reporter |
spec.components.clusterScanning.clusterScanner.image.repository |
Carbon Black Container Scanner Agent image repository | cbartifactory/cluster-scanner |
spec.components.clusterScanning.imageScanningReporter.resources |
Carbon Black Container Image Scanning Reporter resources | {requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}} |
spec.components.clusterScanning.clusterScanner.resources |
Carbon Black Container Cluster Scanner resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}} |
spec.components.clusterScanning.clusterScanner.k8sContainerEngine.engineType |
Carbon Black Container Cluster Scanner Kubernetes container engine type. One of these options: containerd / docker-daemon / cri-o |
N/A |
spec.components.clusterScanning.clusterScanner.k8sContainerEngine.endpoint |
Carbon Black Container Cluster Scanner Kubernetes container engine endpoint path | N/A |
spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.storagePath |
Carbon Black Container Cluster Scanner override default image storage path (CRI-O only) | N/A |
spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.storageConfigPath |
Carbon Black Container Cluster Scanner override default image storage config path (CRI-O only) | N/A |
spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.configPath |
Carbon Black Container Cluster Scanner override default CRI-O config path (CRI-O only) | N/A |
spec.components.clusterScanning.clusterScanner.cliFlags.enableSecretDetection |
Carbon Black Container Cluster Scanner flag of whether the scan should scan for secrets | False |
spec.components.clusterScanning.clusterScanner.cliFlags.skipDirsOrFiles |
Carbon Black Container Cluster Scanner flag of files or directories to not scan for secrets | N/A |
spec.components.clusterScanning.clusterScanner.cliFlags.scanBaseLayers |
Carbon Black Container Cluster Scanner flag of whether the scan should include the base layers scan for secrets | False |
spec.components.clusterScanning.clusterScanner.cliFlags.ignoreBuildInRegex |
Carbon Black Container Cluster Scanner flag of whether the scan should ignore the built-in regexes of files to skip secret detection | False |
| Parameter | Description | Default Value |
|---|---|---|
labels |
Carbon Black Container component deployment and pod labels | Empty map |
deploymentAnnotations |
Carbon Black Container component deployment annotations | Empty map |
podTemplateAnnotations |
Carbon Black Container component pod annotations | {} |
env |
Carbon Black Container component pod environment variables | Empty map |
image.tag |
Carbon Black Container component image tag | Agent version |
image.pullPolicy |
Carbon Black Container component pull policy | IfNotPresent |
probes.port |
Carbon Black Container component probes port | 8181 |
probes.scheme |
Carbon Black Container component probes scheme | HTTP |
probes.initialDelaySeconds |
Carbon Black Container component probes initial delay seconds | 3 |
probes.timeoutSeconds |
Carbon Black Container component probes timeout seconds | 1 |
probes.periodSeconds |
Carbon Black Container component probes period seconds | 30 |
probes.successThreshold |
Carbon Black Container component probes success threshold | 1 |
probes.failureThreshold |
Carbon Black Container component probes failure threshold | 3 |
prometheus.enabled |
Carbon Black Container component enable Prometheus scraping | False |
prometheus.port |
Carbon Black Container component Prometheus server port | 7071 |
nodeSelector |
Carbon Black Container component node selector | {} |
affinity |
Carbon Black Container component affinity | {} |
| Parameter | Description | Default Value |
|---|---|---|
spec.components.settings.proxy.enabled |
Enables applying the centralized proxy settings to all components | False |
spec.components.settings.proxy.httpProxy |
HTTP proxy server address to use | Empty string |
spec.components.settings.proxy.httpsProxy |
HTTPS proxy server address to use | Empty string |
spec.components.settings.proxy.noProxy |
A comma-separated list of hosts to which to connect without using a proxy | Empty string |
spec.components.settings.proxy.noProxySuffix |
A comma-separated list of hosts to which to append the noProxy list of values |
The API server IP addresses followed by cbcontainers-dataplane.svc.cluster.local |
spec.components.settings.daemonSetsTolerations |
Carbon Black DaemonSet component tolerances | Empty array |
