A module for provisioning an IBM Cloud Security and Compliance Center Workload Protection agent. The module installs the sysdig-deploy Helm chart, which deploys the following components into your cluster:
- Agent
- Node Analyzer
- KSPM Collector
A Security and Compliance Center Workload Protection instance must be provisioned beforehand. The instance can be deployed with the terraform-ibm-scc-workload-protection module. The module needs that instance's access key (the `access_key` input), which is the credential the agents use to report to the instance, so treat it as a secret rather than a configuration value.
```hcl
module "scc_wp_agent" {
  source  = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Placeholder value. Do not commit a real access key as a literal; pass it in
  # through a variable marked sensitive (e.g. from TF_VAR_* or a secrets manager).
  access_key    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  cluster_name  = "example-cluster-name"
  region        = "example-region"
  endpoint_type = "public" # defaults to "private"; use "private" where the cluster can reach the private endpoint
  name          = "example-name"
}
```
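The snippet above only shows the module call. The following is an added, complete root configuration (not code from the module's README) showing how a practitioner would wire it up without ever placing the access key in source: the key comes in through a variable marked `sensitive`, the Helm provider is pointed at the target cluster, and the private endpoint is kept. It assumes the IBM Cloud provider is already authenticated and that the `ibm_container_cluster_config` data source exposes `host`, `token` and `ca_certificate` for the cluster; the variable names, the `X.X.X` version placeholder carried over from the page, and the resource sizes are illustrative.

```hcl
# Added example, not part of the module's documentation.
# Assumptions: the ibm provider is configured (API key in IC_API_KEY), the
# cluster already exists, and the Workload Protection instance already exists.

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.8.0, < 3.0.0"
    }
  }
}

variable "cluster_name" {
  description = "Name of the existing IKS/OpenShift cluster to instrument (hypothetical input)."
  type        = string
}

variable "scc_wp_region" {
  description = "Region of the Workload Protection instance (hypothetical input)."
  type        = string
}

variable "scc_wp_access_key" {
  description = "Workload Protection instance access key. Supply via TF_VAR_scc_wp_access_key or a secrets manager, never as a literal in .tf or .tfvars files checked into git."
  type        = string
  sensitive   = true
}

# Cluster connection details for the Helm provider (assumed data source attributes).
data "ibm_container_cluster_config" "cluster" {
  cluster_name_id = var.cluster_name
}

provider "helm" {
  kubernetes {
    host                   = data.ibm_container_cluster_config.cluster.host
    token                  = data.ibm_container_cluster_config.cluster.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster.ca_certificate
  }
}

module "scc_wp_agent" {
  source  = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
  version = "X.X.X" # pin to a specific release before using in CI

  access_key    = var.scc_wp_access_key
  cluster_name  = var.cluster_name
  region        = var.scc_wp_region
  endpoint_type = "private"   # module default; keeps agent traffic off the public internet
  name          = "scc-wp-agent"
  namespace     = "ibm-scc-wp"

  # Illustrative sizing: requests below limits so the DaemonSet pods still
  # schedule on smaller worker nodes while keeping the documented ceiling.
  agent_requests_cpu    = "500m"
  agent_requests_memory = "512Mi"
  agent_limits_cpu      = "1"
  agent_limits_memory   = "1024Mi"
}

output "scc_wp_helm_release" {
  value = module.scc_wp_agent.name
}
```

Marking the variable `sensitive` keeps the key out of plan and apply output, but Terraform still writes it, and the Helm release values that carry it, into the state file in plain text. Store state in a backend with encryption at rest and restricted access, and rotate the access key from the Workload Protection instance if the state is ever exposed.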
You need the following permissions to run this module.
- Account Management
  - IAM Services
    - IBM Cloud Security and Compliance Center Workload Protection service
      - Editor platform access
    - Kubernetes service
      - Viewer platform access
      - Manager service access
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| helm | >= 2.8.0, < 3.0.0 |

Modules: no modules.

Resources:

| Name | Type |
|---|---|
| helm_release.scc_wp_agent | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_key | Security and Compliance Workload Protection instance access key. | string | n/a | yes |
| agent_limits_cpu | Specifies the CPU limit for the agent. | string | "1" | no |
| agent_limits_memory | Specifies the memory limit for the agent. | string | "1024Mi" | no |
| agent_requests_cpu | Specifies the CPU requested to run in a node for the agent. | string | "1" | no |
| agent_requests_memory | Specifies the memory requested to run in a node for the agent. | string | "1024Mi" | no |
| cluster_name | Name of the cluster to add the Security and Compliance Workload Protection agent to. | string | n/a | yes |
| cluster_scanner_deploy | Deploy the SCC Workload Protection cluster scanner component. | bool | true | no |
| cluster_scanner_imagesbomextractor_limits_cpu | Specifies the CPU limit for the image SBOM extractor that runs on the cluster scanner. | string | "1" | no |
| cluster_scanner_imagesbomextractor_limits_memory | Specifies the memory limit for the image SBOM extractor that runs on the cluster scanner. | string | "350Mi" | no |
| cluster_scanner_imagesbomextractor_requests_cpu | Specifies the CPU requested to run in a node for the image SBOM extractor that runs on the cluster scanner. | string | "350m" | no |
| cluster_scanner_imagesbomextractor_requests_memory | Specifies the memory requested to run in a node for the image SBOM extractor that runs on the cluster scanner. | string | "350Mi" | no |
| cluster_scanner_runtimestatusintegrator_limits_cpu | Specifies the CPU limit for the runtime status integrator that runs on the cluster scanner. | string | "1" | no |
| cluster_scanner_runtimestatusintegrator_limits_memory | Specifies the memory limit for the runtime status integrator that runs on the cluster scanner. | string | "350Mi" | no |
| cluster_scanner_runtimestatusintegrator_requests_cpu | Specifies the CPU requested to run in a node for the runtime status integrator that runs on the cluster scanner. | string | "350m" | no |
| cluster_scanner_runtimestatusintegrator_requests_memory | Specifies the memory requested to run in a node for the runtime status integrator that runs on the cluster scanner. | string | "350Mi" | no |
| cluster_shield_deploy | Deploy the Cluster Shield component. If enabled, the KSPM collector and cluster scanner are not deployed. | bool | false | no |
| deployment_tag | Sets a global tag that is included in the components. It records the mechanism by which the components were installed (terraform, local, ...). | string | "terraform" | no |
| endpoint_type | Specify the endpoint (public or private) for the IBM Cloud Security and Compliance Center Workload Protection service. | string | "private" | no |
| host_scanner_deploy | Deploy the SCC Workload Protection host scanner component. If node_analyzer_deploy is false, this component is not deployed. | bool | true | no |
| host_scanner_limits_cpu | Specifies the CPU limit for the host scanner that runs on the node analyzer. | string | "500m" | no |
| host_scanner_limits_memory | Specifies the memory limit for the host scanner that runs on the node analyzer. | string | "1Gi" | no |
| host_scanner_requests_cpu | Specifies the CPU requested to run in a node for the host scanner that runs on the node analyzer. | string | "150m" | no |
| host_scanner_requests_memory | Specifies the memory requested to run in a node for the host scanner that runs on the node analyzer. | string | "512Mi" | no |
| kspm_analyzer_limits_cpu | Specifies the CPU limit for the KSPM analyzer that runs on the node analyzer. | string | "500m" | no |
| kspm_analyzer_limits_memory | Specifies the memory limit for the KSPM analyzer that runs on the node analyzer. | string | "1536Mi" | no |
| kspm_analyzer_requests_cpu | Specifies the CPU requested to run in a node for the KSPM analyzer that runs on the node analyzer. | string | "150m" | no |
| kspm_analyzer_requests_memory | Specifies the memory requested to run in a node for the KSPM analyzer that runs on the node analyzer. | string | "256Mi" | no |
| kspm_collector_limits_cpu | Specifies the CPU limit for the KSPM collector. | string | "500m" | no |
| kspm_collector_limits_memory | Specifies the memory limit for the KSPM collector. | string | "1536Mi" | no |
| kspm_collector_requests_cpu | Specifies the CPU requested to run in a node for the KSPM collector. | string | "150m" | no |
| kspm_collector_requests_memory | Specifies the memory requested to run in a node for the KSPM collector. | string | "256Mi" | no |
| kspm_deploy | Deploy the SCC Workload Protection KSPM component. | bool | true | no |
| name | Helm release name. | string | n/a | yes |
| namespace | Namespace of the Security and Compliance Workload Protection agent. | string | "ibm-scc-wp" | no |
| node_analyzer_deploy | Deploy the SCC Workload Protection node analyzer component. | bool | true | no |
| region | Region where the Security and Compliance Workload Protection instance is created. | string | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| name | Helm chart release name. |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.