Skip to main content
Version: 0.17.0

Configuration Enterprise

The config file is the single entry point for configuring the agent.

The agent needs the following parameters to be provided in the configuration yaml file:

  • kubeConfigFile: path to the kubernetes config file to access the cluster
  • accountId: unique identifier that signifies the owner of that agent
  • clusterId: unique identifier for the cluster that the agent will run against

There are additional parameters could be provided:

  • logLevel: app log level (default: "info")
  • probesListen: address for the probes server to run on (default: ":9000")
  • metricsAddress: address the metric endpoint binds to (default: ":8080")
  • audit: defines cluster periodical audit configuration including the supported sinks (disabled by default)
  • admission: defines admission control configuration including the supported sinks and webhooks (disabled by default)
  • tfAdmission: defines terraform admission control configuration including the supported sinks (disabled by default)

Example

accountId: "account-id"
clusterId: "cluster-id"
kubeConfigFile: "/.kube/config"
logLevel: "Info"
admission:
   enabled: true
   sinks:
      filesystemSink:
         fileName: admission.txt
audit:
   enabled: true
   writeCompliance: true
   sinks:
      filesystemSink:
         fileName: audit.txt

Validation Sinks Configuration

Kubernetes Events

This sink is used to export validation results as kubernetes native events. Kubernetes event has a retention period and it set by default to 1 hour, you can configure the kubernetes api-server to update the period.

Configuration

sinks:
  k8sEventsSink:
    enabled: true

Flux Notification Controller

This sink sends the validation results to Flux Notification Controller.

Configuration

sinks:
  fluxNotificationSink:
    address: <>

File System

File system sink writes the validation results to a text file. The file will be located at /logs/<filename>

Configuration

sinks:
  fileSystemSink:
    fileName: audit.txt

ElasticSearch

This sink stores the validation results in ElasticSearch.

Configuration

sinks:
  elasticSink:
    address: http://localhost:9200    # ElasticSearch server address
    username: <elastic username>      # User credentials to access ElasticSearch service
    password: <elastic password>      # User credentials to access ElasticSearch service
    indexName: <index_name>           # index name the results would be written in
    insertionMode: <insertion mode>   # It could be a choice of both insert or upsert, it defines the way the document is written.

Insertion modes

  • insert: would give an insight of all the historical data, doesn't update or delete any old records. so the index would contain a log for all validation objects.

  • upsert: Would update the old result of validating an entity against a policy happens in the same day, so the index would only contain the latest validation results for a policy and entity combination per day.