|
| 1 | +--- |
| 2 | +title: Kubernetes Reporter Helm Chart |
| 3 | +description: A Helm chart for installing the Kosli K8S reporter as a cronjob to report running images to Kosli at a given cron schedule. |
| 4 | +--- |
| 5 | + |
| 6 | + |
| 7 | + |
| 8 | +A Helm chart for installing the Kosli K8S reporter as a cronjob. |
| 9 | +The chart allows you to create a Kubernetes cronjob and all its necessary RBAC to report running images to Kosli at a given cron schedule. |
| 10 | + |
| 11 | +## Prerequisites |
| 12 | + |
| 13 | +- A Kubernetes cluster (minimum supported version is `v1.21`) |
| 14 | +- Helm v3.0+ |
| 15 | +- If you want to report artifacts from just one namespace, you need to have permissions to `get` and `list` pods in that namespace. |
| 16 | +- If you want to report artifacts from multiple namespaces or entire cluster, you need to have cluster-wide permissions to `get` and `list` pods. |
| 17 | + |
| 18 | +## Installing the chart |
| 19 | + |
| 20 | +To install this chart via the Helm chart repository: |
| 21 | + |
| 22 | +1. Add the Kosli helm repo |
| 23 | +```shell |
| 24 | +helm repo add kosli https://charts.kosli.com/ && helm repo update |
| 25 | +``` |
| 26 | + |
| 27 | +2. Create a secret for the Kosli API token |
| 28 | +```shell |
| 29 | +kubectl create secret generic kosli-api-token --from-literal=key=<your-api-key> |
| 30 | +``` |
| 31 | + |
| 32 | +3. Install the helm chart |
| 33 | + |
| 34 | +A. To report artifacts running in entire cluster (requires cluster-wide read permissions): |
| 35 | + |
| 36 | +```shell |
| 37 | +helm install kosli-reporter kosli/k8s-reporter \ |
| 38 | + --set reporterConfig.kosliOrg=<your-org> \ |
| 39 | + --set reporterConfig.kosliEnvironmentName=<your-env-name> |
| 40 | +``` |
| 41 | + |
| 42 | +B. To report artifacts running in multiple namespaces (requires cluster-wide read permissions): |
| 43 | + |
| 44 | +```shell |
| 45 | +helm install kosli-reporter kosli/k8s-reporter \ |
| 46 | + --set reporterConfig.kosliOrg=<your-org> \ |
| 47 | + --set reporterConfig.kosliEnvironmentName=<your-env-name> \ |
| 48 | + --set reporterConfig.namespaces=<namespace1,namespace2> |
| 49 | +``` |
| 50 | + |
| 51 | +C. To report artifacts running in one namespace (requires namespace-scoped read permissions): |
| 52 | + |
| 53 | +```shell |
| 54 | +helm install kosli-reporter kosli/k8s-reporter \ |
| 55 | + --set reporterConfig.kosliOrg=<your-org> \ |
| 56 | + --set reporterConfig.kosliEnvironmentName=<your-env-name> \ |
| 57 | + --set reporterConfig.namespaces=<namespace1> \ |
| 58 | + --set serviceAccount.permissionScope=namespace |
| 59 | +``` |
| 60 | + |
| 61 | +> Chart source can be found at https://github.com/kosli-dev/cli/tree/main/charts/k8s-reporter |
| 62 | +
|
| 63 | +> See all available [configuration options](#configurations) below. |
| 64 | +
|
| 65 | +## Upgrading the chart |
| 66 | + |
| 67 | +```shell |
| 68 | +helm upgrade kosli-reporter kosli/k8s-reporter ... |
| 69 | +``` |
| 70 | + |
| 71 | +## Uninstalling chart |
| 72 | + |
| 73 | +```shell |
| 74 | +helm uninstall kosli-reporter |
| 75 | +``` |
| 76 | + |
| 77 | +## Configurations |
| 78 | +| Key | Type | Default | Description | |
| 79 | +|-----|------|---------|-------------| |
| 80 | +| cronSchedule | string | `"*/5 * * * *"` | the cron schedule at which the reporter is triggered to report to Kosli | |
| 81 | +| fullnameOverride | string | `""` | overrides the fullname used for the created k8s resources. It has higher precedence than `nameOverride` | |
| 82 | +| image.pullPolicy | string | `"IfNotPresent"` | the kosli reporter image pull policy | |
| 83 | +| image.repository | string | `"ghcr.io/kosli-dev/cli"` | the kosli reporter image repository | |
| 84 | +| image.tag | string | `"v2.11.43"` | the kosli reporter image tag, overrides the image tag whose default is the chart appVersion. | |
| 85 | +| kosliApiToken.secretKey | string | `"key"` | the name of the key in the secret data which contains the Kosli API token | |
| 86 | +| kosliApiToken.secretName | string | `"kosli-api-token"` | the name of the secret containing the kosli API token | |
| 87 | +| nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one | |
| 88 | +| podAnnotations | object | `{}` | | |
| 89 | +| podLabels | object | `{}` | custom labels to add to pods | |
| 90 | +| reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. | |
| 91 | +| reporterConfig.excludeNamespaces | string | `""` | the namespaces to exclude from scanning and reporting. Cannot be combined with namespaces or namespacesRegex. It is a comma separated list of namespace names. Leave this and excludeNamespacesRegex unset if you want to report what is running in the entire cluster | |
| 92 | +| reporterConfig.excludeNamespacesRegex | string | `""` | the namespaces Regex patterns to exclude from scanning and reporting. Does not have effect if excludeNamespaces is set. Cannot be combined with namespaces or namespacesRegex. Requires cluster-wide permissions. It is a comma separated list of namespace regex patterns. Leave this and excludeNamespaces unset if you want to report what is running in the entire cluster | |
| 93 | +| reporterConfig.httpProxy | string | `""` | the http proxy url | |
| 94 | +| reporterConfig.kosliEnvironmentName | string | `""` | the name of Kosli environment that the k8s cluster/namespace correlates to | |
| 95 | +| reporterConfig.kosliOrg | string | `""` | the name of the Kosli org | |
| 96 | +| reporterConfig.namespaces | string | `""` | the namespaces to scan and report. Cannot be combined with excludeNamespaces or excludeNamespacesRegex. It is a comma separated list of namespace names. Leave this and namespacesRegex unset if you want to report what is running in the entire cluster | |
| 97 | +| reporterConfig.namespacesRegex | string | `""` | the namespaces Regex patterns to scan and report. Does not have effect if namespaces is set. Requires cluster-wide permissions. Cannot be combined with excludeNamespaces or excludeNamespacesRegex. It is a comma separated list of namespace regex patterns. Leave this and namespaces unset if you want to report what is running in the entire cluster | |
| 98 | +| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob Set to null or {} to disable security context entirely (not recommended) For OpenShift, you can omit runAsUser to let OpenShift assign the UID | |
| 99 | +| reporterConfig.securityContext.allowPrivilegeEscalation | bool | `false` | whether to allow privilege escalation | |
| 100 | +| reporterConfig.securityContext.runAsNonRoot | bool | `true` | whether to run as non root | |
| 101 | +| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as Omit this field for OpenShift environments to allow automatic UID assignment | |
| 102 | +| resources.limits.cpu | string | `"100m"` | the cpu limit | |
| 103 | +| resources.limits.memory | string | `"256Mi"` | the memory limit | |
| 104 | +| resources.requests.memory | string | `"64Mi"` | the memory request | |
| 105 | +| serviceAccount.annotations | object | `{}` | annotations to add to the service account | |
| 106 | +| serviceAccount.create | bool | `true` | specifies whether a service account should be created | |
| 107 | +| serviceAccount.name | string | `""` | the name of the service account to use. If not set and create is true, a name is generated using the fullname template | |
| 108 | +| serviceAccount.permissionScope | string | `"cluster"` | specifies whether to create a cluster-wide permissions for the service account or namespace-scoped permissions. allowed values are: [cluster, namespace] | |
| 109 | + |
| 110 | +---------------------------------------------- |
| 111 | +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) |
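Review bot: Step 2 of "Installing the chart" (line 29) creates the `kosli-api-token` secret without a namespace, and none of the `helm install` commands in step 3 pass `-n`, so the README never says that the secret must live in the namespace the release is installed into. A pod can only reference a secret from its own namespace, so a reader who installs into a dedicated namespace will get a cronjob that cannot find `kosliApiToken.secretName`. Suggest adding `-n <namespace>` to both the `kubectl create secret` and `helm install` examples, or stating that requirement in a sentence. The same command passes the token with `--from-literal=key=<your-api-key>`, which leaves it in shell history; showing `--from-file=key=<path-to-token-file>` as the primary form would avoid that. In the Prerequisites (lines 15-16) it is unclear who needs `get` and `list` on pods: line 9 says the chart creates the RBAC itself, so the installing user also needs rights to create the service account and role bindings, and that is worth stating. In the Configurations table, `serviceAccount.permissionScope` defaults to `cluster` (line 108), so option C is the only path that ends up with namespace-scoped permissions; a short note near options A to C that `cluster` is the default would help readers who want least privilege. Smaller points: `podAnnotations` (line 88) has an empty description, and the `reporterConfig.securityContext` descriptions (lines 98 and 101) have lost their sentence breaks ("cronjob Set to null", "run as Omit this field").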