Optional installation steps for the Snyk Controller with Helm

The installation steps depend on how you want to configure the Snyk Controller to fit your environment. Follow the applicable steps that match your situation.

Use a registry with a self-signed or additional certificate

If your registry is using self-signed or other additional certificates, you must make them available to Snyk monitor. To do this, first place the .crt, .cert, and .key files in a directory and create a ConfigMap:

kubectl create configmap snyk-monitor-certs \
        -n snyk-monitor --from-file=<path_to_certs_folder>

Use the insecure container registry or a registry that uses unqualified images

If you are using an insecure registry or your registry is using unqualified images, you can provide a registries.conf file.

[[registry]]
location = "internal-registry-for-example.net/bar"
insecure = true

For information on the format and more examples, see the GitHub container image documentation. After you create the file, you can use it to create the following ConfigMap:

kubectl create configmap snyk-monitor-registries-conf \
        -n snyk-monitor \
        --from-file=<path_to_registries_conf_file>

Use a proxy for outbound connection to Snyk

If you are using a proxy for the outbound connection to Snyk, you must configure the integration to use that proxy. To configure the proxy, set the following values provided in the Helm Chart:

• http_proxy

• https_proxy

• no_proxy

For example:

Change the logging verbosity

You can change the logging verbosity. Valid levels are INFO, WARN, ERROR and DEBUG. Snyk defaults to INFO. To change the logging verbosity, use the following command:

Enable a Pod Security Policy

By default, the controller runs without a Pod Security Policy. You can enable it by passing a setting:

You can reuse an existing Pod Security Policy by specifying the name. If you do not specify a name, a new policy is created automatically.

Configure the Snyk Controller with PersistentVolumeClaim (PVC)

You can configure the Snyk Controller to use a PersistentVolumeClaim (PVC) instead of the default emptyDir storage medium to temporarily pull images.

To create the PVC, you can use the Helm template provided by the Snyk chart or an already provisioned PVC.

To control the PVC, use the following flags:

• pvc.enabled - instructs the Helm Chart to use a PVC instead of an emptyDir.

• pvc.create - creates the PVC. This is useful when provisioning for the first time.

• pvc.storageClassName - controls the StorageClass of the PVC.

• pvc.name - the name of the PVC to use with Kubernetes.

For example, you can run the following command on installation to provision and create the PVC:

On subsequent upgrades, you can remove the pvc.create flag because the PVC already exists:

Configure the Snyk Controller to exclude specific namespaces

By default, Snyk ignores scanning certain namespaces believed to be internal to Kubernetes. For the full list, see Configuring excluded namespaces. You can change the default, as Snyk allows you to configure the excluded namespaces.

When you add your own list of namespaces to exclude with the excludedNamespaces setting, Snyk overrides the default settings and uses the list of namespaces you provide.

Configure Snyk Controller resources

If more resources are required to deploy the controller, configure the Helm Chart default value for requests and limits with the --set flag.

Configure Snyk Controller workers count

You can adjust the workers number (XX) with the--set flag.

Configure Snyk Controller CPU

If more or less CPU is required in order to deploy the controller, configure the HelmChart default value for requests (X) and limits (Y) with the --set flag.

Configure Snyk Controller initContainers setting

If you use a PersistentVolumeClaim (PVC), instead of the default emptyDir storage, then you must provision volume permissions. To do this, disable the initContainers in the Helm Chart using the --set flag: