Optional installation steps for Snyk Controller with Helm
The installation steps to use depend on how you want to configure Snyk Controller to fit your environment. Follow the applicable steps from the list that follows.
Use a registry with a self-signed or additional certificate
If your registry is using self-signed or other additional certificates, you must make those available to Snyk monitor. First place the .crt, .cert, and .key files in a directory and create a ConfigMap:
kubectl create configmap snyk-monitor-certs \
-n snyk-monitor --from-file=<path_to_certs_folder>Use the insecure container registry or a registry that uses unqualified images
If you are using an insecure registry or your registry is using unqualified images, you can provide a registries.conf file.
[[registry]]
location = "internal-registry-for-example.net/bar"
insecure = trueSee the GitHub container image documentation for information on the format and more examples. After you create the file, you can use it to create the following ConfigMap:
kubectl create configmap snyk-monitor-registries-conf \
-n snyk-monitor \
--from-file=<path_to_registries_conf_file>Use a proxy for outbound connection to Snyk
If you are using a proxy for the outbound connection to Snyk, you must configure the integration to use that proxy. To configure the proxy set the following values provided in the Helm Chart:
http_proxyhttps_proxyno_proxy
Example:
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set clusterName="Production cluster" \
--set https_proxy=http://192.168.99.100:8080Note that the integration does not support CIDR address ranges or wildcards in the no_proxy value. Only exact matches are supported.
Change the logging verbosity
If you would like to change the logging verbosity, you can do so as follows. Valid levels are INFO, WARN, ERROR and DEBUG. Snyk defaults to INFO.
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set clusterName="Production cluster" \
--set log_level="WARN"Enable a Pod Security Policy
By default, the controller will run without a Pod Security Policy. However, this can be enabled by passing a setting:
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set clusterName="Production cluster" \
--set psp.enabled=trueYou can reuse an existing Pod Security Policy by specifying the name. If you do not specify a name, a new policy will be created automatically.
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set clusterName="Production cluster" \
--set psp.enabled=true \
--set psp.name=somethingConfigure Snyk Controller with PersistentVolumeClaim (PVC)
You can configure the Snyk controller to use a PersistentVolumeClaim (PVC) instead of the default emptyDir storage medium for temporarily pulling images.
To create the PVC, you can use the Helm template provided by the Snyk chart or an already provisioned PVC. Use the following flags to control the PVC:
pvc.enabled - instructs the Helm Chart to use a PVC instead of an emptyDir
pvc.create - whether to create the PVC - this is useful when provisioning for the first time
pvc.storageClassName - controls the StorageClass of the PVC
pvc.name - the name of the PVC to use in Kubernetes
For example, you can run the following command on installation to provision and create the PVC:
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set pvc.enabled=true \
--set pvc.create=true \
--set pvc.name="snyk-monitor-pvc"On subsequent upgrades, you can drop the pvc.create flag because the PVC already exists:
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set pvc.enabled=true \
--set pvc.name="snyk-monitor-pvc"Configure Snyk Controller to exclude specific namespaces
By default, Snyk ignores scanning certain namespaces believed to be internal to Kubernetes (see the full list on GitHub: snyk/kubernetes-monitor-chart, Configuring excluded namespaces. You can change the default; Snyk allows configuring the excluded namespaces.
When you add your own list of namespaces to exclude with the excludedNamespaces setting, Snyk overrides the default settings and uses the list of namespaces you provide.
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set excludedNamespaces="{kube-node-lease,local-path-storage,some_namespace}"Configure Snyk Controller resources
If more resources are required to deploy the controller, configure the Helm Chart default value for requests and limits with the --set flag.
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set requests."ephemeral-storage"="50Gi"
--set limits."ephemeral-storage"="50Gi"Configure Snyk Controller workers count
You can adjust the workers number (XX) with the--set flag.
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set workers.count="XX"Configure Snyk Controller CPU
If more or less CPU is required in order to deploy the controller, configure the HelmChart default value for requests (X) and limits (Y) with the --set flag.
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set requests.cpu="X"
--set limits.cpu="Y"Configure Snyk Controller initContainers setting
If you use a PersistentVolumeClaim (PVC), instead of the default emptyDir storage, then you must provision volume permissions. To do this, disable the initContainers in the Helm Chart using the --set flag:
helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
--namespace snyk-monitor \
--set initContainers.enabled = falseLast updated
Was this helpful?