#----------------------------------------------------------
# k8guard environment template
#
# Non-secret settings for k8guard, a Kubernetes policy checker that
# discovers violations (image repo/size, privileged containers, host
# volumes, ingress hosts, ...) and notifies / acts on them.
# Credentials (Cassandra password, SMTP password, chat tokens, ...) do
# NOT belong here - they go in the separate env-creds file.
# Booleans appear in this template as both TRUE/FALSE and true/false;
# presumably they are parsed case-insensitively - TODO confirm.
#----------------------------------------------------------
# Base Config
#----------------------------------------------------------
# Optional
# Namespaces to scan. Leave empty to scan all namespaces.
K8GUARD_NAMESPACE=
# Required
# Unique name for the Kubernetes cluster k8guard is deployed on.
# Used to tell clusters apart in notifications/records; change from
# "minikube" for any real deployment.
K8GUARD_CLUSTER_NAME=minikube
# Optional
# Safe mode only notifies about violations and never takes actions.
# Default False. This template ships with it enabled, i.e. k8guard
# observes and reports but does not enforce; set to FALSE deliberately
# once the approved-list settings below have been reviewed.
K8GUARD_ACTION_SAFE_MODE=TRUE
# Required
# Number of warnings (notifications) sent before a hard action is taken.
K8GUARD_ACTION_WARNING_COUNT_BEFORE_ACTION=2
# Required
# How long to wait before notifying the same violator again.
# Examples: 30s notifies every 30 seconds, 30m every 30 minutes, 24h every day.
K8GUARD_ACTION_DURATION_BETWEEN_NOTIFYING_AGAIN=24h
# Required
# Violation expiration duration.
# From the time a violation is first discovered until the end of this
# duration, no new violation is registered for the same source.
# Hint: 120h is 5 days - if the violation is not resolved within 5 days,
# a new violation is created for the owner.
K8GUARD_ACTION_DURATION_VIOLATION_EXPIRES=120h
# Required
# Whether to include alpha Kubernetes functionality. Alpha features may
# not be included in some distributions (e.g. Tectonic) or enabled by default.
K8GUARD_INCLUDE_ALPHA=TRUE
#----------------------------------------------------------
# Whitelist/blacklist
#----------------------------------------------------------
# Required
# Allowed container registries, comma separated.
# Example gcr.io/my-project,docker.mydomain.com
# NOTE(review): this is marked Required but is left empty in the template.
# This file does not say whether an empty list rejects every image or
# disables the IMAGE_REPO check - confirm before deploying, and populate
# it with only the registries you trust.
K8GUARD_APPROVED_IMAGE_REPOS=
# Required
# Maximum image size in MB.
K8GUARD_APPROVED_IMAGE_SIZE=800
# Optional
# Ingress hosts must end with one of these suffixes (comma separated).
# Example something.something.com
K8GUARD_APPROVED_INGRESS_SUFFIXES=
# Optional
# Violations to ignore, comma separated.
# To ignore a violation completely for everything, just add the violation name, e.g. 'PRIVILEGED'.
# Alternatively, filter by namespace and/or entity type / name using the format `{namespace}:{entityType}:{entityName}:{value}`.
# When using the `{namespace}:{entityType}:{entityName}:{value}` format, optionally specify `*` to include all of that type, or prefix with `!` to exclude.
# Example SINGLE_REPLICA,IMAGE_REPO,IMAGE_SIZE,HOST_VOLUMES,INGRESS_HOST_INVALID,PRIVILEGED,CAPABILITES,*:*:kube2iam:PRIVILEGED
# (the last example entry ignores PRIVILEGED for any entity named kube2iam in every namespace)
# NOTE(review): every entry here is a standing exception to enforcement;
# keep the list minimal and prefer the narrow namespace/entity form over a bare violation name.
K8GUARD_IGNORED_VIOLATIONS=
# Optional
# Namespaces to ignore entirely, comma separated.
K8GUARD_IGNORE_NAMESPACES=
# Optional
# Ignore pods whose names start with any of these prefixes, comma separated.
K8GUARD_IGNORE_PODS_PREFIX=
# Optional
# Verify presence of specific annotations, comma separated.
# Filter by namespace and/or entity type using the format `{namespace}:{entityType}:{entityName}:{value}`.
# Optionally specify `*` to include all of that type, or prefix with `!` to exclude.
K8GUARD_REQUIRED_ANNOTATIONS=
# Optional
# Verify presence of specific labels, comma separated.
# Filter by namespace and/or entity type using the format `{namespace}:{entityType}:{entityName}:{value}`.
# Optionally specify `*` to include all of that type, or prefix with `!` to exclude.
K8GUARD_REQUIRED_LABELS=
# Optional
# Verify that the following entities are deployed within a specific namespace, comma separated.
# Filter by namespace and/or entity type using the format `{namespace}:{entityType}:{entityName}`.
# Optionally specify `*` to include all of that type, or prefix with `!` to exclude.
# Supported entity types are namespace, deployment, daemonset and resourcequota.
K8GUARD_REQUIRED_ENTITIES=
#----------------------------------------------------------
# Kafka / Redis / Cassandra / Memcached
#----------------------------------------------------------
# Optional
# Which caching system to use. Supported values MEMCACHED and REDIS.
# Default MEMCACHED
# NOTE(review): no Redis cache endpoint variable appears in this template;
# if you select REDIS, confirm how the cache host is configured.
K8GUARD_CACHE_TYPE=
# Required
# Memcached hostname (used when the cache type is MEMCACHED).
K8GUARD_MEMCACHED_HOSTNAME=memcached
# Required
# Cache expiration in seconds for cached values such as image size and
# discover-api responses.
K8GUARD_CACHE_EXPIRATION_SECONDS=300
# Optional
# Which messaging system to use. Supported values KAFKA and RMQ.
# Default KAFKA
K8GUARD_MESSAGE_BROKER=
# Only required if `K8GUARD_MESSAGE_BROKER=RMQ`
# The RMQ broker is addressed as a Redis host:port here, so RMQ appears
# to be a Redis-backed queue - TODO confirm against the deployment docs.
K8GUARD_RMQ_BROKER=redis:6379
K8GUARD_RMQ_ACTION_TOPIC=k8guard-to-action
K8GUARD_RMQ_EVENT_TOPIC=k8guard-events
# Only required if `K8GUARD_MESSAGE_BROKER=KAFKA`
# Kafka broker address(es) and the topic violations-to-act-on are published to.
K8GUARD_KAFKA_BROKERS=kafka:9092
K8GUARD_KAFKA_ACTION_TOPIC=k8guard-to-action
# Optional, experimental feature
K8GUARD_KAFKA_EVENT_TOPIC=k8guard-events
# Required
# Cassandra host(s) to contact.
K8GUARD_ACTION_CASSANDRA_HOSTS=cassandra
# Required
# Cassandra keyspace name.
K8GUARD_ACTION_CASSANDRA_KEYSPACE=k8guardkeyspace
# Optional
# Cassandra username - the password is set in env-creds, never here.
K8GUARD_ACTION_CASSANDRA_USERNAME=cassandra
# Optional
# Validate the Cassandra server's certificate against its hostname.
# Only has an effect once TLS is enabled via the CA path below; keep it
# true so a TLS connection cannot be redirected to an impostor host.
K8GUARD_ACTION_CASSANDRA_SSL_HOST_VALIDATION=true
# Optional
# Path to the CA certificate(s) for Cassandra. If specified, TLS will be enabled.
# Left empty here, so the template talks to Cassandra WITHOUT TLS
# (violation records and credentials travel in cleartext); set a CA
# bundle path for any deployment beyond a local test cluster.
K8GUARD_ACTION_CASSANDRA_CAPATH=
# Optional, default True
# If set to false it will not try to create the keyspace.
# NOTE(review): creating the keyspace/tables at runtime requires
# schema-modifying rights for the Cassandra user above; for production
# consider pre-creating the schema and setting these to false so the
# runtime account can be limited to data access.
K8GUARD_CASSANDRA_CREATE_KEYSPACE=true
# Optional, default True
# If set to false, does not attempt to create tables.
K8GUARD_CASSANDRA_CREATE_TABLES=true
#----------------------------------------------------------
# NOTIFICATIONS
# Don't forget to edit env-creds for credentials (chat tokens, SMTP password).
#----------------------------------------------------------
# k8guard gets the email and HipChat handles of a namespace's owners from
# namespace annotations read via the Kubernetes API.
# Annotation format:
# annotations:
# "team/email-ids" : "team@YOUR-DOMAIN.com"
# "team/hipchat-ids" : "JohnSmith,JohnBrown,JohnDeer"
# NOTE(review): because owners are resolved from the namespace object,
# anyone allowed to edit a namespace's annotations controls where that
# namespace's violation notices are delivered (and who gets tagged);
# restrict namespace edit rights accordingly.
# Optional
# HipChat room ID to send warnings to.
# Example 3213213
K8GUARD_ACTION_HIPCHAT_ROOM_ID=
# Optional
# The HipChat API base URL for your organization.
# Example https://REPLACEWITHYOUROWN.hipchat.com/v2/
K8GUARD_ACTION_HIPCHAT_BASE_URL=
# Optional
# Tag the violator (namespace owner) in the HipChat room message.
# Default false
K8GUARD_ACTION_HIPCHAT_TAG_NAMESPACE_OWNER=FALSE
# Optional
# Slack channel to send warnings to.
K8GUARD_ACTION_SLACK_CHANNEL=
# Optional
# The namespace annotation to read chat IDs from.
# Default team/hipchat-ids
K8GUARD_ACTION_ANNOTATION_FORMAT_FOR_CHAT_IDS=team/hipchat-ids
# Optional
# The namespace annotation to read owner email addresses from.
# Default team/email-ids
K8GUARD_ACTION_ANNOTATION_FORMAT_FOR_EMAILS=team/email-ids
# Required
# Enable or disable emailing the namespace owner.
# (The variable name is spelled NAMESAPCE as the application expects it; do not "correct" it.)
K8GUARD_ACTION_SMTP_SEND_TO_NAMESAPCE_OWNER=FALSE
# Optional
# The SMTP server used to send the emails.
K8GUARD_ACTION_SMTP_SERVER=
# Optional
# SMTP port. Defaults here to 25 (plain SMTP); this template exposes no
# TLS/STARTTLS setting, so confirm how the mailer negotiates encryption
# before relaying notices - and the SMTP password - over an untrusted network.
K8GUARD_ACTION_SMTP_PORT=25
# Optional
# SMTP username - the password is set in env-creds, never here.
K8GUARD_ACTION_SMTP_USERNAME=
# Optional
# The address warning emails are sent from.
K8GUARD_ACTION_SMTP_SEND_FROM=donotreply.kubernetes@YOUR-DOMAIN.com
# Optional
# If an email fails to send, send a fallback email to this address.
K8GUARD_ACTION_SMTP_FALLBACK_SEND_TO=
# Optional
# Footer for emails, e.g. to include links to more information.
K8GUARD_ACTION_VIOLATION_EMAIL_FOOTER=
#----------------------------------------------------------
# Internal Config
#----------------------------------------------------------
# Optional, experimental feature.
# Writes the API response to a flat file. The written file may contain
# pod spec details; treat it as sensitive and keep this off in production.
K8GUARD_OUTPUT_PODS_TO_FILE=FALSE
# Required
# Accepted values debug, info.
# The template defaults to debug; use info in production to limit what
# ends up in logs.
K8GUARD_LOG_LEVEL=debug
# Optional
# Dry run: does nothing (no notifications, no hard actions).
# Default False
K8GUARD_ACTION_DRY_RUN=FALSE
# Required
# Wait between consuming Kafka messages to act on.
K8GUARD_ACTION_DURATION_BETWEEN_CONSUMING_VIOLATIONS=1s