The Carbon Black Container Operator implements controllers for Carbon Black Container custom resource definitions (CRDs).

Carbon Black Container Agent Custom Resource

Deploy cbcontainersagents.operator.containers.carbonblack.io to prompt the Operator to deploy the dataplane components.

Table 1. Required Parameters

| Parameter | Description |
|---|---|
| spec.account | Carbon Black Container org key |
| spec.clusterName | Carbon Black Container cluster name (<cluster_group:cluster_name>) |
| spec.version | Carbon Black Container Agent version |
| spec.gateways.apiGateway.host | Carbon Black Container API host |
| spec.gateways.coreEventsGateway.host | Carbon Black Container core events host (for example, health checks) |
| spec.gateways.hardeningEventsGateway.host | Carbon Black Container hardening events host (for example, deleted, validated, and blocked resources) |
| spec.gateways.runtimeEventsGateway.host | Carbon Black Container runtime events host (for example, traffic events) |

Table 2. Optional Parameters

| Parameter | Description | Default Value |
|---|---|---|
| spec.apiGateway.port | Carbon Black Container API port | 443 |
| spec.accessTokenSecretName | Carbon Black Container API access token secret name | cbcontainers-access-token |
| spec.gateways.coreEventsGateway.port | Carbon Black Container core events port | 443 |
| spec.gateways.hardeningEventsGateway.port | Carbon Black Container hardening events port | 443 |
| spec.gateways.runtimeEventsGateway.port | Carbon Black Container runtime events port | 443 |

Table 3. Basic Components Optional Parameters

| Parameter | Description | Default Value |
|---|---|---|
| spec.components.basic.enforcer.replicasCount | Carbon Black Container Hardening Enforcer number of replicas | 1 |
| spec.components.basic.monitor.image.repository | Carbon Black Container Monitor image repository | cbartifactory/monitor |
| spec.components.basic.enforcer.image.repository | Carbon Black Container Hardening Enforcer image repository | cbartifactory/guardrails-enforcer |
| spec.components.basic.stateReporter.image.repository | Carbon Black Container Hardening State Reporter image repository | cbartifactory/guardrails-state-reporter |
| spec.components.basic.monitor.resources | Carbon Black Container Monitor resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
| spec.components.basic.enforcer.resources | Carbon Black Container Hardening Enforcer resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
| spec.components.basic.stateReporter.resources | Carbon Black Container Hardening State Reporter resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |

Table 4. Runtime Components Optional Parameters

| Parameter | Description | Default Value |
|---|---|---|
| spec.components.runtimeProtection.enabled | Carbon Black Container flag to control Runtime components deployment | True |
| spec.components.runtimeProtection.resolver.image.repository | Carbon Black Container Runtime Resolver image repository | cbartifactory/runtime-kubernetes-resolver |
| spec.components.runtimeProtection.sensor.image.repository | Carbon Black Container Runtime Sensor image repository | cbartifactory/runtime-kubernetes-sensor |
| spec.components.runtimeProtection.internalGrpcPort | Carbon Black Container Runtime gRPC port that the resolver exposes for the sensor | 443 |
| spec.components.runtimeProtection.resolver.logLevel | Carbon Black Container Runtime Resolver log level | "panic", "fatal", "error", "warn", "info", "debug", "trace" (default info) |
| spec.components.runtimeProtection.resolver.resources | Carbon Black Container Runtime Resolver resources | {requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}} |
| spec.components.runtimeProtection.sensor.logLevel | Carbon Black Container Runtime Sensor log level | "panic", "fatal", "error", "warn", "info", "debug", "trace" (default info) |
| spec.components.runtimeProtection.sensor.resources | Carbon Black Container Runtime Sensor resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}} |

Table 5. Cluster Scanning Components Optional Parameters

| Parameter | Description | Default Value |
|---|---|---|
| spec.components.clusterScanning.enabled | Carbon Black Container flag to control Cluster Scanning components deployment | True |
| spec.components.clusterScanning.imageScanningReporter.image.repository | Carbon Black Container Image Scanning Reporter image repository | cbartifactory/image-scanning-reporter |
| spec.components.clusterScanning.clusterScanner.image.repository | Carbon Black Container Scanner Agent image repository | cbartifactory/cluster-scanner |
| spec.components.clusterScanning.imageScanningReporter.resources | Carbon Black Container Image Scanning Reporter resources | {requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}} |
| spec.components.clusterScanning.clusterScanner.resources | Carbon Black Container Cluster Scanner resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}} |
| spec.components.clusterScanning.clusterScanner.k8sContainerEngine.engineType | Carbon Black Container Cluster Scanner Kubernetes container engine type. One of these options: containerd / docker-daemon / cri-o | N/A |
| spec.components.clusterScanning.clusterScanner.k8sContainerEngine.endpoint | Carbon Black Container Cluster Scanner Kubernetes container engine endpoint path | N/A |
| spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.storagePath | Carbon Black Container Cluster Scanner override default image storage path (CRI-O only) | N/A |
| spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.storageConfigPath | Carbon Black Container Cluster Scanner override default image storage config path (CRI-O only) | N/A |
| spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.configPath | Carbon Black Container Cluster Scanner override default CRI-O config path (CRI-O only) | N/A |
| spec.components.clusterScanning.clusterScanner.cliFlags.enableSecretDetection | Carbon Black Container Cluster Scanner flag of whether the scan should scan for secrets | False |
| spec.components.clusterScanning.clusterScanner.cliFlags.skipDirsOrFiles | Carbon Black Container Cluster Scanner flag of files or directories to not scan for secrets | N/A |
| spec.components.clusterScanning.clusterScanner.cliFlags.scanBaseLayers | Carbon Black Container Cluster Scanner flag of whether the scan should include the base layers scan for secrets | False |
| spec.components.clusterScanning.clusterScanner.cliFlags.ignoreBuildInRegex | Carbon Black Container Cluster Scanner flag of whether the scan should ignore the built-in regexes of files to skip secret detection | False |

Table 6. Components Common Optional Parameters

| Parameter | Description | Default Value |
|---|---|---|
| labels | Carbon Black Container component deployment and pod labels | Empty map |
| deploymentAnnotations | Carbon Black Container component deployment annotations | Empty map |
| podTemplateAnnotations | Carbon Black Container component pod annotations | {} |
| env | Carbon Black Container component pod environment variables | Empty map |
| image.tag | Carbon Black Container component image tag | Agent version |
| image.pullPolicy | Carbon Black Container component pull policy | IfNotPresent |
| probes.port | Carbon Black Container component probes port | 8181 |
| probes.scheme | Carbon Black Container component probes scheme | HTTP |
| probes.initialDelaySeconds | Carbon Black Container component probes initial delay seconds | 3 |
| probes.timeoutSeconds | Carbon Black Container component probes timeout seconds | 1 |
| probes.periodSeconds | Carbon Black Container component probes period seconds | 30 |
| probes.successThreshold | Carbon Black Container component probes success threshold | 1 |
| probes.failureThreshold | Carbon Black Container component probes failure threshold | 3 |
| prometheus.enabled | Carbon Black Container component enable Prometheus scraping | False |
| prometheus.port | Carbon Black Container component Prometheus server port | 7071 |
| nodeSelector | Carbon Black Container component node selector | {} |
| affinity | Carbon Black Container component affinity | {} |

Table 7. Centralized Proxy Parameters

| Parameter | Description | Default Value |
|---|---|---|
| spec.components.settings.proxy.enabled | Enables applying the centralized proxy settings to all components | False |
| spec.components.settings.proxy.httpProxy | HTTP proxy server address to use | Empty string |
| spec.components.settings.proxy.httpsProxy | HTTPS proxy server address to use | Empty string |
| spec.components.settings.proxy.noProxy | A comma-separated list of hosts to which to connect without using a proxy | Empty string |
| spec.components.settings.proxy.noProxySuffix | A comma-separated list of hosts to append to the noProxy list of values | The API server IP addresses followed by cbcontainers-dataplane.svc.cluster.local |

Table 8. Other Components Optional Parameters

| Parameter | Description | Default Value |
|---|---|---|
| spec.components.settings.daemonSetsTolerations | Carbon Black DaemonSet component tolerations | Empty array |

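
A pre-apply check over the parameters in Tables 1, 4 and 5, added here as an example and not taken from the Carbon Black operator: it reports missing required fields, values outside the listed options, and CRI-O-only or secret-scan settings that look inconsistent. The names get, lint and SAMPLE are hypothetical, the sample spec is constructed, and two rules are assumptions read from the table descriptions: the one-colon format for clusterName and the dependency of the secret-scan options on enableSecretDetection.

```python
import re

REQUIRED = ["account", "clusterName", "version"] + [f"gateways.{g}.host" for g in (
    "apiGateway", "coreEventsGateway", "hardeningEventsGateway", "runtimeEventsGateway")]
LOG_LEVELS = {"panic", "fatal", "error", "warn", "info", "debug", "trace"}
ENGINES = {"containerd", "docker-daemon", "cri-o"}
SCANNER = "components.clusterScanning.clusterScanner"

def get(spec, path):
    """Walk a dotted path relative to spec; return None if any key is missing."""
    for key in path.split("."):
        spec = spec.get(key) if isinstance(spec, dict) else None
    return spec

def lint(spec):
    """Return a list of findings for the spec of a cbcontainersagents resource."""
    out = [f"missing required spec.{p}" for p in REQUIRED if not get(spec, p)]
    name = get(spec, "clusterName")
    # Assumption: exactly one colon, both sides non-empty and free of whitespace.
    if name and not re.fullmatch(r"[^:\s]+:[^:\s]+", name):
        out.append("spec.clusterName is not <cluster_group:cluster_name>")
    for comp in ("resolver", "sensor"):
        lvl = get(spec, f"components.runtimeProtection.{comp}.logLevel")
        if lvl is not None and lvl not in LOG_LEVELS:
            out.append(f"invalid {comp} logLevel: {lvl}")
    engine = get(spec, f"{SCANNER}.k8sContainerEngine.engineType")
    if engine is not None and engine not in ENGINES:
        out.append(f"invalid engineType: {engine}")
    if get(spec, f"{SCANNER}.k8sContainerEngine.CRIO") and engine != "cri-o":
        out.append("CRIO path overrides set but engineType is not cri-o")
    flags = get(spec, f"{SCANNER}.cliFlags") or {}
    # Inference from Table 5: these options only tune the secret scan.
    if not flags.get("enableSecretDetection") and (
            flags.get("scanBaseLayers") or flags.get("skipDirsOrFiles")):
        out.append("secret-scan options set while enableSecretDetection is off")
    return out

SAMPLE = {  # constructed sample spec; every value is a placeholder
    "account": "ORGKEY", "clusterName": "prod-payments", "version": "0.0.0",
    "gateways": {"apiGateway": {"host": "api.example.invalid"},
                 "coreEventsGateway": {"host": "events.example.invalid"},
                 "hardeningEventsGateway": {"host": "events.example.invalid"}},
    "components": {"clusterScanning": {"clusterScanner": {
        "k8sContainerEngine": {"engineType": "crio"},
        "cliFlags": {"scanBaseLayers": True}}}},
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The check takes the spec as a plain dictionary, so a manifest loaded with any YAML parser can be passed to lint before the resource is applied.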