Zora Helm Chart¶
Zora scans multiple Kubernetes clusters and reports potential issues.
Installing the Chart¶
To install the chart with the release name zora:
helm repo add undistro https://charts.undistro.io --force-update
helm upgrade --install zora undistro/zora \
-n zora-system \
--version 0.6.2 \
--create-namespace --wait
The Helm chart repository has been updated from
https://registry.undistro.io/chartrepo/librarytohttps://charts.undistro.io.The
--force-updateflag is needed to update the repository URL.
These commands deploy Zora on the Kubernetes cluster in the default configuration.
The Parameters section lists the parameters that can be configured during installation.
Tips:
List all charts available in
undistrorepo usinghelm search repo undistroUpdate
undistrochart repository usinghelm repo update undistroList all versions available of
undistro/zorachart usinghelm search repo undistro/zora --versionsList all releases using
helm listGet the notes provided by
zorarelease usinghelm get notes zora -n zora-system
Uninstalling the Chart¶
To uninstall/delete the zora release:
$ helm delete zora
The command removes all the Kubernetes components associated with the chart and deletes the release.
Parameters¶
The following table lists the configurable parameters of the Zora chart and their default values.
| Key | Type | Default | Description |
|---|---|---|---|
| nameOverride | string | "" |
String to partially override fullname template with a string (will prepend the release name) |
| fullnameOverride | string | "" |
String to fully override fullname template with a string |
| saas.workspaceID | string | "" |
Your SaaS workspace ID |
| saas.server | string | "https://zora-dashboard.undistro.io" |
SaaS server URL |
| saas.hooks.image.repository | string | "curlimages/curl" |
SaaS hooks image repository |
| saas.hooks.image.tag | string | "7.88.1" |
SaaS hooks image tag |
| saas.hooks.installURL | string | "{{.Values.saas.server}}/zora/api/v1alpha1/workspaces/{{.Values.saas.workspaceID}}/helmreleases" |
SaaS install hook URL template |
| imageCredentials.create | bool | false |
Specifies whether the secret should be created by providing credentials |
| imageCredentials.registry | string | "ghcr.io" |
Docker registry host |
| imageCredentials.username | string | "" |
Docker registry username |
| imageCredentials.password | string | "" |
Docker registry password |
| imagePullSecrets | list | [] |
Specify docker-registry secret names as an array to be used when imageCredentials.create is false |
| operator.replicaCount | int | 1 |
Number of replicas desired of Zora operator |
| operator.image.repository | string | "ghcr.io/undistro/zora/operator" |
Zora operator image repository |
| operator.image.tag | string | "" |
Overrides the image tag whose default is the chart appVersion |
| operator.image.pullPolicy | string | "IfNotPresent" |
Image pull policy |
| operator.rbac.create | bool | true |
Specifies whether ClusterRoles and ClusterRoleBindings should be created |
| operator.rbac.serviceAccount.create | bool | true |
Specifies whether a service account should be created |
| operator.rbac.serviceAccount.annotations | object | {} |
Annotations to be added to service account |
| operator.rbac.serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| operator.podAnnotations | object | {"kubectl.kubernetes.io/default-container":"manager"} |
Annotations to be added to pods |
| operator.podSecurityContext | object | {"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532} |
Security Context to add to the pod |
| operator.securityContext | object | {"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true} |
Security Context to add to manager container |
| operator.metricsService.type | string | "ClusterIP" |
Type of metrics service |
| operator.metricsService.port | int | 8443 |
Port of metrics service |
| operator.serviceMonitor.enabled | bool | false |
Specifies whether a Prometheus ServiceMonitor should be enabled |
| operator.resources | object | {"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}} |
Resources to add to manager container |
| operator.rbacProxy.image.repository | string | "gcr.io/kubebuilder/kube-rbac-proxy" |
kube-rbac-proxy image repository |
| operator.rbacProxy.image.tag | string | "v0.13.1" |
kube-rbac-proxy image tag |
| operator.rbacProxy.image.pullPolicy | string | "IfNotPresent" |
Image pull policy |
| operator.rbacProxy.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true} |
Security Context to add to kube-rbac-proxy container |
| operator.rbacProxy.resources | object | {"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}} |
Resources to add to kube-rbac-proxy container |
| operator.nodeSelector | object | {} |
Node selection to constrain a Pod to only be able to run on particular Node(s) |
| operator.tolerations | list | [] |
Tolerations for pod assignment |
| operator.affinity | object | {} |
Map of node/pod affinities |
| operator.log.encoding | string | "json" |
Log encoding (one of 'json' or 'console') |
| operator.log.level | string | "info" |
Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
| operator.log.stacktraceLevel | string | "error" |
Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') |
| operator.log.timeEncoding | string | "rfc3339" |
Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |
| scan.worker.image.repository | string | "ghcr.io/undistro/zora/worker" |
worker image repository |
| scan.worker.image.tag | string | "" |
Overrides the image tag whose default is the chart appVersion |
| scan.defaultPlugins | list | ["popeye","marvin"] |
Names of the default plugins |
| scan.plugins.marvin.enabled | bool | true |
Specifies whether the marvin plugin should be created |
| scan.plugins.marvin.resources | object | {"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}} |
Resources to add to marvin container |
| scan.plugins.marvin.image.repository | string | "ghcr.io/undistro/marvin" |
marvin plugin image repository |
| scan.plugins.marvin.image.tag | string | "v0.2.0" |
marvin plugin image tag |
| scan.plugins.popeye.enabled | bool | true |
Specifies whether the popeye plugin should be created |
| scan.plugins.popeye.skipInternalResources | bool | false |
Specifies whether the following resources should be skipped by popeye scans. 1. resources from kube-system, kube-public and kube-node-lease namespaces; 2. kubernetes system reserved RBAC (prefixed with system:); 3. kube-root-ca.crt configmaps; 4. default namespace; 5. default serviceaccounts; 6. Helm secrets (prefixed with sh.helm.release); 7. Zora components. See popeye configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
| scan.plugins.popeye.resources | object | {"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}} |
Resources to add to popeye container |
| scan.plugins.popeye.image.repository | string | "ghcr.io/undistro/popeye" |
popeye plugin image repository |
| scan.plugins.popeye.image.tag | string | "pr252" |
popeye plugin image tag |
| kubexnsImage.repository | string | "ghcr.io/undistro/kubexns" |
kubexns image repository |
| kubexnsImage.tag | string | "v0.1.1" |
kubexns image tag |
| customChecksConfigMap | string | "zora-custom-checks" |
Custom checks ConfigMap name |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm install zora \
--set server.service.port=8080 undistro/zora
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install zora -f values.yaml undistro/zora
Tip: You can use the default values.yaml