Custom Resources Definitions

The Carbon Black Container Operator implements controllers for Carbon Black Container custom resources definitions (CRDs).

Carbon Black Container Agent Custom Resource

Deploy cbcontainersagents.operator.containers.carbonblack.io to prompt the Operator to deploy the dataplane components.

Table 1. Required Parameters
Parameter	Description
`spec.account`	Carbon Black Container org key
`spec.clusterName`	Carbon Black Container cluster name (`<cluster_group:cluster_name>`)
`spec.version`	Carbon Black Container Agent version
`spec.gateways.apiGateway.host`	Carbon Black Container API host
`spec.gateways.coreEventsGateway.host`	Carbon Black Container core events host (for example, health checks)
`spec.gateways.hardeningEventsGateway.host`	Carbon Black Container hardening events host (for example, deleted, validated, and blocked resources)
`spec.gateways.runtimeEventsGateway.host`	Carbon Black Container runtime events host (for example, traffic events)

Table 2. Optional Parameters
Parameter	Description	Default Value
`spec.apiGateway.port`	Carbon Black Container API port	443
`spec.accessTokenSecretName`	Carbon Black Container API access token secret name	cbcontainers-access-token
`spec.gateways.coreEventsGateway.port`	Carbon Black Container core events port	443
`spec.gateways.hardeningEventsGateway.port`	Carbon Black Container hardening events port	443
`spec.gateways.runtimeEventsGateway.port`	Carbon Black Container runtime events port	443

Table 3. Basic Components Optional Parameters
Parameter	Description	Default Value
`spec.components.basic.enforcer.replicasCount`	Carbon Black Container Hardening Enforcer number of replicas	1
`spec.components.basic.monitor.image.repository`	Carbon Black Container Monitor image repository	cbartifactory/monitor
`spec.components.basic.enforcer.image.repository`	Carbon Black Container Hardening Enforcer image repository	cbartifactory/guardrails-enforcer
`spec.components.basic.stateReporter.image.repository`	Carbon Black Container Hardening State Reporter image repository	cbartifactory/guardrails-state-reporter
`spec.components.basic.monitor.resources`	Carbon Black Container Monitor resources	{requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
`spec.components.basic.enforcer.resources`	Carbon Black Container Hardening Enforcer resources	{requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
`spec.components.basic.stateReporter.resources`	Carbon Black Container Hardening State Reporter resources	{requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}

Table 4. Runtime Components Optional Parameters
Parameter	Description	Default Value
`spec.components.runtimeProtection.enabled`	Carbon Black Container flag to control Runtime components deployment	True
`spec.components.runtimeProtection.resolver.image.repository`	Carbon Black Container Runtime Resolver image repository	cbartifactory/runtime-kubernetes-resolver
`spec.components.runtimeProtection.sensor.image.repository`	Carbon Black Container Runtime Sensor image repository	cbartifactory/runtime-kubernetes-sensor
`spec.components.runtimeProtection.internalGrpcPort`	Carbon Black Container Runtime gRPC port that the resolver exposes for the sensor	443
`spec.components.runtimeProtection.resolver.logLevel`	Carbon Black Container Runtime Resolver log level	"panic", "fatal", "error", "warn", "info", "debug", "trace" (default info)
`spec.components.runtimeProtection.resolver.resources`	Carbon Black Container Runtime Resolver resources	{requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}}
`spec.components.runtimeProtection.sensor.logLevel`	Carbon Black Container Runtime Sensor log level	"panic", "fatal", "error", "warn", "info", "debug", "trace" (default info)
`spec.components.runtimeProtection.sensor.resources`	Carbon Black Container Runtime Sensor resources	{requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}}

Table 5. Cluster Scanning Components Optional Parameters
Parameter	Description	Default Value
`spec.components.clusterScanning.enabled`	Carbon Black Container flag to control Cluster Scanning components deployment	True
`spec.components.clusterScanning.imageScanningReporter.image.repository`	Carbon Black Container Image Scanning Reporter image repository	cbartifactory/image-scanning-reporter
`spec.components.clusterScanning.clusterScanner.image.repository`	Carbon Black Container Scanner Agent image repository	cbartifactory/cluster-scanner
`spec.components.clusterScanning.imageScanningReporter.resources`	Carbon Black Container Image Scanning Reporter resources	{requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}}
`spec.components.clusterScanning.clusterScanner.resources`	Carbon Black Container Cluster Scanner resources	{requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}}
`spec.components.clusterScanning.clusterScanner.k8sContainerEngine.engineType`	Carbon Black Container Cluster Scanner Kubernetes container engine type. One of these options: `containerd` / `docker-daemon` / `cri-o`	N/A
`spec.components.clusterScanning.clusterScanner.k8sContainerEngine.endpoint`	Carbon Black Container Cluster Scanner Kubernetes container engine endpoint path	N/A
`spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.storagePath`	Carbon Black Container Cluster Scanner override default image storage path (CRI-O only)	N/A
`spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.storageConfigPath`	Carbon Black Container Cluster Scanner override default image storage config path (CRI-O only)	N/A
`spec.components.clusterScanning.clusterScanner.k8sContainerEngine.CRIO.configPath`	Carbon Black Container Cluster Scanner override default CRI-O config path (CRI-O only)	N/A
`spec.components.clusterScanning.clusterScanner.cliFlags.enableSecretDetection`	Carbon Black Container Cluster Scanner flag of whether the scan should scan for secrets	False
`spec.components.clusterScanning.clusterScanner.cliFlags.skipDirsOrFiles`	Carbon Black Container Cluster Scanner flag of files or directories to not scan for secrets	N/A
`spec.components.clusterScanning.clusterScanner.cliFlags.scanBaseLayers`	Carbon Black Container Cluster Scanner flag of whether the scan should include the base layers scan for secrets	False
`spec.components.clusterScanning.clusterScanner.cliFlags.ignoreBuildInRegex`	Carbon Black Container Cluster Scanner flag of whether the scan should ignore the built-in regexes of files to skip secret detection	False

Table 6. Components Common Optional Parameters
Parameter	Description	Default Value
`labels`	Carbon Black Container component deployment and pod labels	Empty map
`deploymentAnnotations`	Carbon Black Container component deployment annotations	Empty map
`podTemplateAnnotations`	Carbon Black Container component pod annotations	{}
`env`	Carbon Black Container component pod environment variables	Empty map
`image.tag`	Carbon Black Container component image tag	Agent version
`image.pullPolicy`	Carbon Black Container component pull policy	IfNotPresent
`probes.port`	Carbon Black Container component probes port	8181
`probes.scheme`	Carbon Black Container component probes scheme	HTTP
`probes.initialDelaySeconds`	Carbon Black Container component probes initial delay seconds	3
`probes.timeoutSeconds`	Carbon Black Container component probes timeout seconds	1
`probes.periodSeconds`	Carbon Black Container component probes period seconds	30
`probes.successThreshold`	Carbon Black Container component probes success threshold	1
`probes.failureThreshold`	Carbon Black Container component probes failure threshold	3
`prometheus.enabled`	Carbon Black Container component enable Prometheus scraping	False
`prometheus.port`	Carbon Black Container component Prometheus server port	7071
`nodeSelector`	Carbon Black Container component node selector	{}
`affinity`	Carbon Black Container component affinity	{}

Table 7. Centralized Proxy Parameters
Parameter	Description	Default Value
`spec.components.settings.proxy.enabled`	Enables applying the centralized proxy settings to all components	False
`spec.components.settings.proxy.httpProxy`	HTTP proxy server address to use	Empty string
`spec.components.settings.proxy.httpsProxy`	HTTPS proxy server address to use	Empty string
`spec.components.settings.proxy.noProxy`	A comma-separated list of hosts to which to connect without using a proxy	Empty string
`spec.components.settings.proxy.noProxySuffix`	A comma-separated list of hosts to which to append the `noProxy` list of values	The API server IP addresses followed by cbcontainers-dataplane.svc.cluster.local

Table 8. Other Components Optional Parameters

`spec.components.settings.daemonSetsTolerations`	Carbon Black DaemonSet component tolerances	Empty array