Skip to content

Configuration

Configuration of the operator's Pod is done via environment variables at startup.

NAME DEFAULT DESCRIPTION
OPERATOR_NAMESPACE N/A See Install modes
OPERATOR_TARGET_NAMESPACES N/A See Install modes
OPERATOR_EXCLUDE_NAMESPACES N/A A comma separated list of namespaces (or glob patterns) to be excluded from scanning in all namespaces Install mode.
OPERATOR_SERVICE_ACCOUNT starboard-operator The name of the service account assigned to the operator's pod
OPERATOR_LOG_DEV_MODE false The flag to use (or not use) development mode (more human-readable output, extra stack traces and logging information, etc).
OPERATOR_SCAN_JOB_TIMEOUT 5m The length of time to wait before giving up on a scan job
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT 10 The maximum number of scan jobs create by the operator
OPERATOR_SCAN_JOB_RETRY_AFTER 30s The duration to wait before retrying a failed scan job
OPERATOR_BATCH_DELETE_LIMIT 10 The maximum number of config audit reports deleted by the operator when the plugin's config has changed.
OPERATOR_BATCH_DELETE_DELAY 10s The duration to wait before deleting another batch of config audit reports.
OPERATOR_METRICS_BIND_ADDRESS :8080 The TCP address to bind to for serving Prometheus metrics. It can be set to 0 to disable the metrics serving.
OPERATOR_HEALTH_PROBE_BIND_ADDRESS :9090 The TCP address to bind to for serving health probes, i.e. /healthz/ and /readyz/ endpoints.
OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED true The flag to enable CIS Kubernetes Benchmark scanner
OPERATOR_VULNERABILITY_SCANNER_ENABLED true The flag to enable vulnerability scanner
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED false The flag to enable plugin-based configuration audit scanner
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS false The flag to enable config audit scanner to only scan the current revision of a deployment
OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN true The flag to enable built-in configuration audit scanner
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS false The flag to enable vulnerability scanner to only scan the current revision of a deployment
OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL "" The flag to set how long a vulnerability report should exist. When a old report is deleted a new one will be created by the controller. It can be set to "" to disabled the TTL for vulnerability scanner.
OPERATOR_LEADER_ELECTION_ENABLED false The flag to enable operator replica leader election
OPERATOR_LEADER_ELECTION_ID starboard-lock The name of the resource lock for leader election
OPERATOR_CLUSTER_COMPLIANCE_ENABLED true The flag to enable Cluster Compliance report generation

Install Modes

The values of the OPERATOR_NAMESPACE and OPERATOR_TARGET_NAMESPACES determine the install mode, which in turn determines the multitenancy support of the operator.

MODE OPERATOR_NAMESPACE OPERATOR_TARGET_NAMESPACES DESCRIPTION
OwnNamespace operators operators The operator can be configured to watch events in the namespace it is deployed in.
SingleNamespace operators foo The operator can be configured to watch for events in a single namespace that the operator is not deployed in.
MultiNamespace operators foo,bar,baz The operator can be configured to watch for events in more than one namespace.
AllNamespaces operators (blank string) The operator can be configured to watch for events in all namespaces.