Starboard Settings
The Starboard CLI and Starboard Operator both read their configuration settings from a ConfigMap, as well as a secret that holds confidential settings (such as a GitHub token).
The starboard init command creates the starboard ConfigMap and the
starboard secret in the starboard namespace with default settings.
Similarly, the operator ensures the starboard ConfigMap and the starboard
secret in the OPERATOR_NAMESPACE.
You can change the default settings with kubectl patch or kubectl edit
commands.
For example, by default Trivy displays vulnerabilities with all severity levels
(UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL). However, you can opt in to display only
HIGH and CRITICAL vulnerabilities by patching the trivy.severity value
in the starboard ConfigMap:
kubectl patch cm starboard -n <starboard_operator> \
--type merge \
-p "$(cat <<EOF
{
"data": {
"trivy.severity": "HIGH,CRITICAL"
}
}
EOF
)"
To set the GitHub token used by Trivy in Standalone mode add the
trivy.githubToken value to the starboard secret instead:
GITHUB_TOKEN=<your token>
kubectl patch secret starboard -n <starboard_operator> \
--type merge \
-p "$(cat <<EOF
{
"data": {
"trivy.githubToken": "$(echo -n $GITHUB_TOKEN | base64)"
}
}
EOF
)"
The following tables list available configuration settings with their default values.
Tip
You only need to configure the settings for the scanner you are using (i.e. trivy.* parameters are
used if vulnerabilityReports.scanner is set to Trivy). Check
integrations page to see example configuration settings for common use cases.
| CONFIGMAP KEY | DEFAULT | DESCRIPTION |
|---|---|---|
vulnerabilityReports.scanner |
Trivy |
The name of the plugin that generates vulnerability reports. Either Trivy or Aqua. |
configAuditReports.scanner |
Polaris |
The name of the plugin that generates config audit reports. Either Polaris or Conftest. |
trivy.httpProxy |
N/A | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
trivy.httpsProxy |
N/A | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
trivy.noProxy |
N/A | A comma separated list of IPs and domain names that are not subject to proxy settings. |
trivy.severity |
UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL |
A comma separated list of severity levels reported by Trivy |
trivy.imageRef |
docker.io/aquasec/trivy:0.16.0 |
Trivy image reference |
trivy.mode |
Standalone |
Trivy client mode. Either Standalone or ClientServer. Depending on the active mode other settings might be applicable or required. |
trivy.serverURL |
N/A | The endpoint URL of the Trivy server. Required in ClientServer mode. |
trivy.serverTokenHeader |
Trivy-Token |
The name of the HTTP header to send the authentication token to Trivy server. Only application in ClientServer mode when trivy.serverToken is specified. |
trivy.insecureRegistry.<id> |
N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry <id>. |
aqua.imageRef |
docker.io/aquasec/scanner:5.3 |
Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must be compatible with version of Aqua console. |
aqua.serverURL |
N/A | The endpoint URL of Aqua management console |
kube-bench.imageRef |
docker.io/aquasec/kube-bench:0.5.0 |
kube-bench image reference |
kube-hunter.imageRef |
docker.io/aquasec/kube-hunter:0.4.1 |
kube-hunter image reference |
kube-hunter.quick |
"false" |
Whether to use kube-hunter's "quick" scanning mode (subnet 24). Set to "true" to enable. |
polaris.imageRef |
quay.io/fairwinds/polaris:3.2 |
Polaris image reference |
polaris.config.yaml |
Check the default value here | Polaris configuration file |
conftest.imageRef |
docker.io/openpolicyagent/conftest:v0.25.0 |
Conftest image reference |
| SECRET KEY | DESCRIPTION |
|---|---|
trivy.githubToken |
The GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode. |
trivy.serverToken |
The token to authenticate Trivy client with Trivy server. Only applicable in ClientServer mode. |
trivy.serverCustomHeaders |
A comma-separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in ClientServer mode. |
aqua.username |
Aqua management console username |
aqua.password |
Aqua management console password |
Tip
You can find it handy to delete a configuration key, which was not created by default by the
starboard init command. For example, the following kubectl patch command deletes the trivy.httpProxy key:
kubectl patch cm starboard -n <starboard_operator> \
--type json \
-p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]'